1
/*
2
   BlueZ - Bluetooth protocol stack for Linux
3
   Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4

5
   This program is free software; you can redistribute it and/or modify
6
   it under the terms of the GNU General Public License version 2 as
7
   published by the Free Software Foundation;
8

9
   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11
   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12
   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13
   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14
   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15
   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16
   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17

18
   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19
   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20
   SOFTWARE IS DISCLAIMED.
21
*/
22

23
#include <linux/debugfs.h>
24
#include <linux/scatterlist.h>
25
#include <crypto/aes.h>
26
#include <crypto/hash.h>
27
#include <crypto/kpp.h>
28
#include <crypto/utils.h>
29

30
#include <net/bluetooth/bluetooth.h>
31
#include <net/bluetooth/hci_core.h>
32
#include <net/bluetooth/l2cap.h>
33
#include <net/bluetooth/mgmt.h>
34

35
#include "ecdh_helper.h"
36
#include "smp.h"
37

38
#define SMP_DEV(hdev) \
39
	((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
40

41
/* Low-level debug macros to be used for stuff that we don't want
42
 * accidentally in dmesg, i.e. the values of the various crypto keys
43
 * and the inputs & outputs of crypto functions.
44
 */
45
#ifdef DEBUG
46
#define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
47
				 ##__VA_ARGS__)
48
#else
49
#define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
50
				    ##__VA_ARGS__)
51
#endif
52

53
#define SMP_ALLOW_CMD(smp, code)	set_bit(code, &smp->allow_cmd)
54

55
/* Keys which are not distributed with Secure Connections */
56
#define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY)
57

58
#define SMP_TIMEOUT	secs_to_jiffies(30)
59

60
#define ID_ADDR_TIMEOUT	msecs_to_jiffies(200)
61

62
#define AUTH_REQ_MASK(dev)	(hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
63
				 0x3f : 0x07)
64
#define KEY_DIST_MASK		0x07
65

66
/* Maximum message length that can be passed to aes_cmac */
67
#define CMAC_MSG_MAX	80
68

69
enum {
70
	SMP_FLAG_TK_VALID,
71
	SMP_FLAG_CFM_PENDING,
72
	SMP_FLAG_MITM_AUTH,
73
	SMP_FLAG_COMPLETE,
74
	SMP_FLAG_INITIATOR,
75
	SMP_FLAG_SC,
76
	SMP_FLAG_REMOTE_PK,
77
	SMP_FLAG_DEBUG_KEY,
78
	SMP_FLAG_WAIT_USER,
79
	SMP_FLAG_DHKEY_PENDING,
80
	SMP_FLAG_REMOTE_OOB,
81
	SMP_FLAG_LOCAL_OOB,
82
	SMP_FLAG_CT2,
83
};
84

85
struct smp_dev {
86
	/* Secure Connections OOB data */
87
	bool			local_oob;
88
	u8			local_pk[64];
89
	u8			local_rand[16];
90
	bool			debug_key;
91

92
	struct crypto_shash	*tfm_cmac;
93
	struct crypto_kpp	*tfm_ecdh;
94
};
95

96
struct smp_chan {
97
	struct l2cap_conn	*conn;
98
	struct delayed_work	security_timer;
99
	unsigned long           allow_cmd; /* Bitmask of allowed commands */
100

101
	u8		preq[7]; /* SMP Pairing Request */
102
	u8		prsp[7]; /* SMP Pairing Response */
103
	u8		prnd[16]; /* SMP Pairing Random (local) */
104
	u8		rrnd[16]; /* SMP Pairing Random (remote) */
105
	u8		pcnf[16]; /* SMP Pairing Confirm */
106
	u8		tk[16]; /* SMP Temporary Key */
107
	u8		rr[16]; /* Remote OOB ra/rb value */
108
	u8		lr[16]; /* Local OOB ra/rb value */
109
	u8		enc_key_size;
110
	u8		remote_key_dist;
111
	bdaddr_t	id_addr;
112
	u8		id_addr_type;
113
	u8		irk[16];
114
	struct smp_csrk	*csrk;
115
	struct smp_csrk	*responder_csrk;
116
	struct smp_ltk	*ltk;
117
	struct smp_ltk	*responder_ltk;
118
	struct smp_irk	*remote_irk;
119
	u8		*link_key;
120
	unsigned long	flags;
121
	u8		method;
122
	u8		passkey_round;
123

124
	/* Secure Connections variables */
125
	u8			local_pk[64];
126
	u8			remote_pk[64];
127
	u8			dhkey[32];
128
	u8			mackey[16];
129

130
	struct crypto_shash	*tfm_cmac;
131
	struct crypto_kpp	*tfm_ecdh;
132
};
133

134
/* These debug key values are defined in the SMP section of the core
135
 * specification. debug_pk is the public debug key and debug_sk the
136
 * private debug key.
137
 */
138
static const u8 debug_pk[64] = {
139
		0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
140
		0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
141
		0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
142
		0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
143

144
		0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
145
		0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
146
		0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
147
		0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
148
};
149

150
static const u8 debug_sk[32] = {
151
		0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
152
		0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
153
		0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
154
		0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
155
};
156

157
static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
158
{
159
	size_t i;
160

161
	for (i = 0; i < len; i++)
162
		dst[len - 1 - i] = src[i];
163
}
164

165
/* The following functions map to the LE SC SMP crypto functions
166
 * AES-CMAC, f4, f5, f6, g2 and h6.
167
 */
168

169
static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
170
		    size_t len, u8 mac[16])
171
{
172
	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
173
	int err;
174

175
	if (len > CMAC_MSG_MAX)
176
		return -EFBIG;
177

178
	if (!tfm) {
179
		BT_ERR("tfm %p", tfm);
180
		return -EINVAL;
181
	}
182

183
	/* Swap key and message from LSB to MSB */
184
	swap_buf(k, tmp, 16);
185
	swap_buf(m, msg_msb, len);
186

187
	SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
188
	SMP_DBG("key %16phN", k);
189

190
	err = crypto_shash_setkey(tfm, tmp, 16);
191
	if (err) {
192
		BT_ERR("cipher setkey failed: %d", err);
193
		return err;
194
	}
195

196
	err = crypto_shash_tfm_digest(tfm, msg_msb, len, mac_msb);
197
	if (err) {
198
		BT_ERR("Hash computation error %d", err);
199
		return err;
200
	}
201

202
	swap_buf(mac_msb, mac, 16);
203

204
	SMP_DBG("mac %16phN", mac);
205

206
	return 0;
207
}
208

209
static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
210
		  const u8 v[32], const u8 x[16], u8 z, u8 res[16])
211
{
212
	u8 m[65];
213
	int err;
214

215
	SMP_DBG("u %32phN", u);
216
	SMP_DBG("v %32phN", v);
217
	SMP_DBG("x %16phN z %02x", x, z);
218

219
	m[0] = z;
220
	memcpy(m + 1, v, 32);
221
	memcpy(m + 33, u, 32);
222

223
	err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
224
	if (err)
225
		return err;
226

227
	SMP_DBG("res %16phN", res);
228

229
	return err;
230
}
231

232
static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
233
		  const u8 n1[16], const u8 n2[16], const u8 a1[7],
234
		  const u8 a2[7], u8 mackey[16], u8 ltk[16])
235
{
236
	/* The btle, salt and length "magic" values are as defined in
237
	 * the SMP section of the Bluetooth core specification. In ASCII
238
	 * the btle value ends up being 'btle'. The salt is just a
239
	 * random number whereas length is the value 256 in little
240
	 * endian format.
241
	 */
242
	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
243
	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
244
			      0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
245
	const u8 length[2] = { 0x00, 0x01 };
246
	u8 m[53], t[16];
247
	int err;
248

249
	SMP_DBG("w %32phN", w);
250
	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
251
	SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
252

253
	err = aes_cmac(tfm_cmac, salt, w, 32, t);
254
	if (err)
255
		return err;
256

257
	SMP_DBG("t %16phN", t);
258

259
	memcpy(m, length, 2);
260
	memcpy(m + 2, a2, 7);
261
	memcpy(m + 9, a1, 7);
262
	memcpy(m + 16, n2, 16);
263
	memcpy(m + 32, n1, 16);
264
	memcpy(m + 48, btle, 4);
265

266
	m[52] = 0; /* Counter */
267

268
	err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
269
	if (err)
270
		return err;
271

272
	SMP_DBG("mackey %16phN", mackey);
273

274
	m[52] = 1; /* Counter */
275

276
	err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
277
	if (err)
278
		return err;
279

280
	SMP_DBG("ltk %16phN", ltk);
281

282
	return 0;
283
}
284

285
static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
286
		  const u8 n1[16], const u8 n2[16], const u8 r[16],
287
		  const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
288
		  u8 res[16])
289
{
290
	u8 m[65];
291
	int err;
292

293
	SMP_DBG("w %16phN", w);
294
	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
295
	SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
296

297
	memcpy(m, a2, 7);
298
	memcpy(m + 7, a1, 7);
299
	memcpy(m + 14, io_cap, 3);
300
	memcpy(m + 17, r, 16);
301
	memcpy(m + 33, n2, 16);
302
	memcpy(m + 49, n1, 16);
303

304
	err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
305
	if (err)
306
		return err;
307

308
	SMP_DBG("res %16phN", res);
309

310
	return err;
311
}
312

313
static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
314
		  const u8 x[16], const u8 y[16], u32 *val)
315
{
316
	u8 m[80], tmp[16];
317
	int err;
318

319
	SMP_DBG("u %32phN", u);
320
	SMP_DBG("v %32phN", v);
321
	SMP_DBG("x %16phN y %16phN", x, y);
322

323
	memcpy(m, y, 16);
324
	memcpy(m + 16, v, 32);
325
	memcpy(m + 48, u, 32);
326

327
	err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
328
	if (err)
329
		return err;
330

331
	*val = get_unaligned_le32(tmp);
332
	*val %= 1000000;
333

334
	SMP_DBG("val %06u", *val);
335

336
	return 0;
337
}
338

339
static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
340
		  const u8 key_id[4], u8 res[16])
341
{
342
	int err;
343

344
	SMP_DBG("w %16phN key_id %4phN", w, key_id);
345

346
	err = aes_cmac(tfm_cmac, w, key_id, 4, res);
347
	if (err)
348
		return err;
349

350
	SMP_DBG("res %16phN", res);
351

352
	return err;
353
}
354

355
static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
356
		  const u8 salt[16], u8 res[16])
357
{
358
	int err;
359

360
	SMP_DBG("w %16phN salt %16phN", w, salt);
361

362
	err = aes_cmac(tfm_cmac, salt, w, 16, res);
363
	if (err)
364
		return err;
365

366
	SMP_DBG("res %16phN", res);
367

368
	return err;
369
}
370

371
/* The following functions map to the legacy SMP crypto functions e, c1,
372
 * s1 and ah.
373
 */
374

375
static int smp_e(const u8 *k, u8 *r)
376
{
377
	struct crypto_aes_ctx ctx;
378
	uint8_t tmp[16], data[16];
379
	int err;
380

381
	SMP_DBG("k %16phN r %16phN", k, r);
382

383
	/* The most significant octet of key corresponds to k[0] */
384
	swap_buf(k, tmp, 16);
385

386
	err = aes_expandkey(&ctx, tmp, 16);
387
	if (err) {
388
		BT_ERR("cipher setkey failed: %d", err);
389
		return err;
390
	}
391

392
	/* Most significant octet of plaintextData corresponds to data[0] */
393
	swap_buf(r, data, 16);
394

395
	aes_encrypt(&ctx, data, data);
396

397
	/* Most significant octet of encryptedData corresponds to data[0] */
398
	swap_buf(data, r, 16);
399

400
	SMP_DBG("r %16phN", r);
401

402
	memzero_explicit(&ctx, sizeof(ctx));
403
	return err;
404
}
405

406
static int smp_c1(const u8 k[16],
407
		  const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
408
		  const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
409
{
410
	u8 p1[16], p2[16];
411
	int err;
412

413
	SMP_DBG("k %16phN r %16phN", k, r);
414
	SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
415
	SMP_DBG("preq %7phN pres %7phN", preq, pres);
416

417
	memset(p1, 0, 16);
418

419
	/* p1 = pres || preq || _rat || _iat */
420
	p1[0] = _iat;
421
	p1[1] = _rat;
422
	memcpy(p1 + 2, preq, 7);
423
	memcpy(p1 + 9, pres, 7);
424

425
	SMP_DBG("p1 %16phN", p1);
426

427
	/* res = r XOR p1 */
428
	crypto_xor_cpy(res, r, p1, sizeof(p1));
429

430
	/* res = e(k, res) */
431
	err = smp_e(k, res);
432
	if (err) {
433
		BT_ERR("Encrypt data error");
434
		return err;
435
	}
436

437
	/* p2 = padding || ia || ra */
438
	memcpy(p2, ra, 6);
439
	memcpy(p2 + 6, ia, 6);
440
	memset(p2 + 12, 0, 4);
441

442
	SMP_DBG("p2 %16phN", p2);
443

444
	/* res = res XOR p2 */
445
	crypto_xor(res, p2, sizeof(p2));
446

447
	/* res = e(k, res) */
448
	err = smp_e(k, res);
449
	if (err)
450
		BT_ERR("Encrypt data error");
451

452
	return err;
453
}
454

455
static int smp_s1(const u8 k[16],
456
		  const u8 r1[16], const u8 r2[16], u8 _r[16])
457
{
458
	int err;
459

460
	/* Just least significant octets from r1 and r2 are considered */
461
	memcpy(_r, r2, 8);
462
	memcpy(_r + 8, r1, 8);
463

464
	err = smp_e(k, _r);
465
	if (err)
466
		BT_ERR("Encrypt data error");
467

468
	return err;
469
}
470

471
static int smp_ah(const u8 irk[16], const u8 r[3], u8 res[3])
472
{
473
	u8 _res[16];
474
	int err;
475

476
	/* r' = padding || r */
477
	memcpy(_res, r, 3);
478
	memset(_res + 3, 0, 13);
479

480
	err = smp_e(irk, _res);
481
	if (err) {
482
		BT_ERR("Encrypt error");
483
		return err;
484
	}
485

486
	/* The output of the random address function ah is:
487
	 *	ah(k, r) = e(k, r') mod 2^24
488
	 * The output of the security function e is then truncated to 24 bits
489
	 * by taking the least significant 24 bits of the output of e as the
490
	 * result of ah.
491
	 */
492
	memcpy(res, _res, 3);
493

494
	return 0;
495
}
496

497
bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
498
		     const bdaddr_t *bdaddr)
499
{
500
	struct l2cap_chan *chan = hdev->smp_data;
501
	u8 hash[3];
502
	int err;
503

504
	if (!chan || !chan->data)
505
		return false;
506

507
	bt_dev_dbg(hdev, "RPA %pMR IRK %*phN", bdaddr, 16, irk);
508

509
	err = smp_ah(irk, &bdaddr->b[3], hash);
510
	if (err)
511
		return false;
512

513
	return !crypto_memneq(bdaddr->b, hash, 3);
514
}
515

516
int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
517
{
518
	struct l2cap_chan *chan = hdev->smp_data;
519
	int err;
520

521
	if (!chan || !chan->data)
522
		return -EOPNOTSUPP;
523

524
	get_random_bytes(&rpa->b[3], 3);
525

526
	rpa->b[5] &= 0x3f;	/* Clear two most significant bits */
527
	rpa->b[5] |= 0x40;	/* Set second most significant bit */
528

529
	err = smp_ah(irk, &rpa->b[3], rpa->b);
530
	if (err < 0)
531
		return err;
532

533
	bt_dev_dbg(hdev, "RPA %pMR", rpa);
534

535
	return 0;
536
}
537

538
int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
539
{
540
	struct l2cap_chan *chan = hdev->smp_data;
541
	struct smp_dev *smp;
542
	int err;
543

544
	if (!chan || !chan->data)
545
		return -EOPNOTSUPP;
546

547
	smp = chan->data;
548

549
	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
550
		bt_dev_dbg(hdev, "Using debug keys");
551
		err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk);
552
		if (err)
553
			return err;
554
		memcpy(smp->local_pk, debug_pk, 64);
555
		smp->debug_key = true;
556
	} else {
557
		while (true) {
558
			/* Generate key pair for Secure Connections */
559
			err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk);
560
			if (err)
561
				return err;
562

563
			/* This is unlikely, but we need to check that
564
			 * we didn't accidentally generate a debug key.
565
			 */
566
			if (crypto_memneq(smp->local_pk, debug_pk, 64))
567
				break;
568
		}
569
		smp->debug_key = false;
570
	}
571

572
	SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
573
	SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
574

575
	get_random_bytes(smp->local_rand, 16);
576

577
	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
578
		     smp->local_rand, 0, hash);
579
	if (err < 0)
580
		return err;
581

582
	memcpy(rand, smp->local_rand, 16);
583

584
	smp->local_oob = true;
585

586
	return 0;
587
}
588

589
static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
590
{
591
	struct l2cap_chan *chan = conn->smp;
592
	struct smp_chan *smp;
593
	struct kvec iv[2];
594
	struct msghdr msg;
595

596
	if (!chan)
597
		return;
598

599
	bt_dev_dbg(conn->hcon->hdev, "code 0x%2.2x", code);
600

601
	iv[0].iov_base = &code;
602
	iv[0].iov_len = 1;
603

604
	iv[1].iov_base = data;
605
	iv[1].iov_len = len;
606

607
	memset(&msg, 0, sizeof(msg));
608

609
	iov_iter_kvec(&msg.msg_iter, ITER_SOURCE, iv, 2, 1 + len);
610

611
	l2cap_chan_send(chan, &msg, 1 + len, NULL);
612

613
	if (!chan->data)
614
		return;
615

616
	smp = chan->data;
617

618
	cancel_delayed_work_sync(&smp->security_timer);
619
	schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
620
}
621

622
static u8 authreq_to_seclevel(u8 authreq)
623
{
624
	if (authreq & SMP_AUTH_MITM) {
625
		if (authreq & SMP_AUTH_SC)
626
			return BT_SECURITY_FIPS;
627
		else
628
			return BT_SECURITY_HIGH;
629
	} else {
630
		return BT_SECURITY_MEDIUM;
631
	}
632
}
633

634
static __u8 seclevel_to_authreq(__u8 sec_level)
635
{
636
	switch (sec_level) {
637
	case BT_SECURITY_FIPS:
638
	case BT_SECURITY_HIGH:
639
		return SMP_AUTH_MITM | SMP_AUTH_BONDING;
640
	case BT_SECURITY_MEDIUM:
641
		return SMP_AUTH_BONDING;
642
	default:
643
		return SMP_AUTH_NONE;
644
	}
645
}
646

647
static void build_pairing_cmd(struct l2cap_conn *conn,
648
			      struct smp_cmd_pairing *req,
649
			      struct smp_cmd_pairing *rsp, __u8 authreq)
650
{
651
	struct l2cap_chan *chan = conn->smp;
652
	struct smp_chan *smp = chan->data;
653
	struct hci_conn *hcon = conn->hcon;
654
	struct hci_dev *hdev = hcon->hdev;
655
	u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
656

657
	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
658
		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
659
		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
660
		authreq |= SMP_AUTH_BONDING;
661
	} else {
662
		authreq &= ~SMP_AUTH_BONDING;
663
	}
664

665
	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
666
		remote_dist |= SMP_DIST_ID_KEY;
667

668
	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
669
		local_dist |= SMP_DIST_ID_KEY;
670

671
	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
672
	    (authreq & SMP_AUTH_SC)) {
673
		struct oob_data *oob_data;
674
		u8 bdaddr_type;
675

676
		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
677
			local_dist |= SMP_DIST_LINK_KEY;
678
			remote_dist |= SMP_DIST_LINK_KEY;
679
		}
680

681
		if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
682
			bdaddr_type = BDADDR_LE_PUBLIC;
683
		else
684
			bdaddr_type = BDADDR_LE_RANDOM;
685

686
		oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
687
						    bdaddr_type);
688
		if (oob_data && oob_data->present) {
689
			set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
690
			oob_flag = SMP_OOB_PRESENT;
691
			memcpy(smp->rr, oob_data->rand256, 16);
692
			memcpy(smp->pcnf, oob_data->hash256, 16);
693
			SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
694
			SMP_DBG("OOB Remote Random: %16phN", smp->rr);
695
		}
696

697
	} else {
698
		authreq &= ~SMP_AUTH_SC;
699
	}
700

701
	if (rsp == NULL) {
702
		req->io_capability = conn->hcon->io_capability;
703
		req->oob_flag = oob_flag;
704
		req->max_key_size = hdev->le_max_key_size;
705
		req->init_key_dist = local_dist;
706
		req->resp_key_dist = remote_dist;
707
		req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
708

709
		smp->remote_key_dist = remote_dist;
710
		return;
711
	}
712

713
	rsp->io_capability = conn->hcon->io_capability;
714
	rsp->oob_flag = oob_flag;
715
	rsp->max_key_size = hdev->le_max_key_size;
716
	rsp->init_key_dist = req->init_key_dist & remote_dist;
717
	rsp->resp_key_dist = req->resp_key_dist & local_dist;
718
	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
719

720
	smp->remote_key_dist = rsp->init_key_dist;
721
}
722

723
static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
724
{
725
	struct l2cap_chan *chan = conn->smp;
726
	struct hci_dev *hdev = conn->hcon->hdev;
727
	struct smp_chan *smp = chan->data;
728

729
	if (conn->hcon->pending_sec_level == BT_SECURITY_FIPS &&
730
	    max_key_size != SMP_MAX_ENC_KEY_SIZE)
731
		return SMP_ENC_KEY_SIZE;
732

733
	if (max_key_size > hdev->le_max_key_size ||
734
	    max_key_size < SMP_MIN_ENC_KEY_SIZE)
735
		return SMP_ENC_KEY_SIZE;
736

737
	smp->enc_key_size = max_key_size;
738

739
	return 0;
740
}
741

742
static void smp_chan_destroy(struct l2cap_conn *conn)
743
{
744
	struct l2cap_chan *chan = conn->smp;
745
	struct smp_chan *smp = chan->data;
746
	struct hci_conn *hcon = conn->hcon;
747
	bool complete;
748

749
	BUG_ON(!smp);
750

751
	cancel_delayed_work_sync(&smp->security_timer);
752

753
	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
754
	mgmt_smp_complete(hcon, complete);
755

756
	kfree_sensitive(smp->csrk);
757
	kfree_sensitive(smp->responder_csrk);
758
	kfree_sensitive(smp->link_key);
759

760
	crypto_free_shash(smp->tfm_cmac);
761
	crypto_free_kpp(smp->tfm_ecdh);
762

763
	/* Ensure that we don't leave any debug key around if debug key
764
	 * support hasn't been explicitly enabled.
765
	 */
766
	if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
767
	    !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
768
		list_del_rcu(&smp->ltk->list);
769
		kfree_rcu(smp->ltk, rcu);
770
		smp->ltk = NULL;
771
	}
772

773
	/* If pairing failed clean up any keys we might have */
774
	if (!complete) {
775
		if (smp->ltk) {
776
			list_del_rcu(&smp->ltk->list);
777
			kfree_rcu(smp->ltk, rcu);
778
		}
779

780
		if (smp->responder_ltk) {
781
			list_del_rcu(&smp->responder_ltk->list);
782
			kfree_rcu(smp->responder_ltk, rcu);
783
		}
784

785
		if (smp->remote_irk) {
786
			list_del_rcu(&smp->remote_irk->list);
787
			kfree_rcu(smp->remote_irk, rcu);
788
		}
789
	}
790

791
	chan->data = NULL;
792
	kfree_sensitive(smp);
793
	hci_conn_drop(hcon);
794
}
795

796
static void smp_failure(struct l2cap_conn *conn, u8 reason)
797
{
798
	struct hci_conn *hcon = conn->hcon;
799
	struct l2cap_chan *chan = conn->smp;
800

801
	if (reason)
802
		smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
803
			     &reason);
804

805
	mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
806

807
	if (chan->data)
808
		smp_chan_destroy(conn);
809
}
810

811
#define JUST_WORKS	0x00
812
#define JUST_CFM	0x01
813
#define REQ_PASSKEY	0x02
814
#define CFM_PASSKEY	0x03
815
#define REQ_OOB		0x04
816
#define DSP_PASSKEY	0x05
817
#define OVERLAP		0xFF
818

819
static const u8 gen_method[5][5] = {
820
	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
821
	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
822
	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
823
	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
824
	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
825
};
826

827
static const u8 sc_method[5][5] = {
828
	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
829
	{ JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
830
	{ DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
831
	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
832
	{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
833
};
834

835
static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
836
{
837
	/* If either side has unknown io_caps, use JUST_CFM (which gets
838
	 * converted later to JUST_WORKS if we're initiators.
839
	 */
840
	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
841
	    remote_io > SMP_IO_KEYBOARD_DISPLAY)
842
		return JUST_CFM;
843

844
	if (test_bit(SMP_FLAG_SC, &smp->flags))
845
		return sc_method[remote_io][local_io];
846

847
	return gen_method[remote_io][local_io];
848
}
849

850
static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
851
						u8 local_io, u8 remote_io)
852
{
853
	struct hci_conn *hcon = conn->hcon;
854
	struct l2cap_chan *chan = conn->smp;
855
	struct smp_chan *smp = chan->data;
856
	u32 passkey = 0;
857
	int ret;
858

859
	/* Initialize key for JUST WORKS */
860
	memset(smp->tk, 0, sizeof(smp->tk));
861
	clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
862

863
	bt_dev_dbg(hcon->hdev, "auth:%u lcl:%u rem:%u", auth, local_io,
864
		   remote_io);
865

866
	/* If neither side wants MITM, either "just" confirm an incoming
867
	 * request or use just-works for outgoing ones. The JUST_CFM
868
	 * will be converted to JUST_WORKS if necessary later in this
869
	 * function. If either side has MITM look up the method from the
870
	 * table.
871
	 */
872
	if (!(auth & SMP_AUTH_MITM))
873
		smp->method = JUST_CFM;
874
	else
875
		smp->method = get_auth_method(smp, local_io, remote_io);
876

877
	/* Don't confirm locally initiated pairing attempts */
878
	if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
879
						&smp->flags))
880
		smp->method = JUST_WORKS;
881

882
	/* Don't bother user space with no IO capabilities */
883
	if (smp->method == JUST_CFM &&
884
	    hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
885
		smp->method = JUST_WORKS;
886

887
	/* If Just Works, Continue with Zero TK and ask user-space for
888
	 * confirmation */
889
	if (smp->method == JUST_WORKS) {
890
		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
891
						hcon->type,
892
						hcon->dst_type,
893
						passkey, 1);
894
		if (ret)
895
			return ret;
896
		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
897
		return 0;
898
	}
899

900
	/* If this function is used for SC -> legacy fallback we
901
	 * can only recover the just-works case.
902
	 */
903
	if (test_bit(SMP_FLAG_SC, &smp->flags))
904
		return -EINVAL;
905

906
	/* Not Just Works/Confirm results in MITM Authentication */
907
	if (smp->method != JUST_CFM) {
908
		set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
909
		if (hcon->pending_sec_level < BT_SECURITY_HIGH)
910
			hcon->pending_sec_level = BT_SECURITY_HIGH;
911
	}
912

913
	/* If both devices have Keyboard-Display I/O, the initiator
914
	 * Confirms and the responder Enters the passkey.
915
	 */
916
	if (smp->method == OVERLAP) {
917
		if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
918
			smp->method = CFM_PASSKEY;
919
		else
920
			smp->method = REQ_PASSKEY;
921
	}
922

923
	/* Generate random passkey. */
924
	if (smp->method == CFM_PASSKEY) {
925
		memset(smp->tk, 0, sizeof(smp->tk));
926
		get_random_bytes(&passkey, sizeof(passkey));
927
		passkey %= 1000000;
928
		put_unaligned_le32(passkey, smp->tk);
929
		bt_dev_dbg(hcon->hdev, "PassKey: %u", passkey);
930
		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
931
	}
932

933
	if (smp->method == REQ_PASSKEY)
934
		ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
935
						hcon->type, hcon->dst_type);
936
	else if (smp->method == JUST_CFM)
937
		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
938
						hcon->type, hcon->dst_type,
939
						passkey, 1);
940
	else
941
		ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
942
						hcon->type, hcon->dst_type,
943
						passkey, 0);
944

945
	return ret;
946
}
947

948
static u8 smp_confirm(struct smp_chan *smp)
949
{
950
	struct l2cap_conn *conn = smp->conn;
951
	struct smp_cmd_pairing_confirm cp;
952
	int ret;
953

954
	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
955

956
	ret = smp_c1(smp->tk, smp->prnd, smp->preq, smp->prsp,
957
		     conn->hcon->init_addr_type, &conn->hcon->init_addr,
958
		     conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
959
		     cp.confirm_val);
960
	if (ret)
961
		return SMP_UNSPECIFIED;
962

963
	clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
964

965
	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
966

967
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
968
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
969
	else
970
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
971

972
	return 0;
973
}
974

975
static u8 smp_random(struct smp_chan *smp)
976
{
977
	struct l2cap_conn *conn = smp->conn;
978
	struct hci_conn *hcon = conn->hcon;
979
	u8 confirm[16];
980
	int ret;
981

982
	bt_dev_dbg(conn->hcon->hdev, "conn %p %s", conn,
983
		   test_bit(SMP_FLAG_INITIATOR, &smp->flags) ? "initiator" :
984
		   "responder");
985

986
	ret = smp_c1(smp->tk, smp->rrnd, smp->preq, smp->prsp,
987
		     hcon->init_addr_type, &hcon->init_addr,
988
		     hcon->resp_addr_type, &hcon->resp_addr, confirm);
989
	if (ret)
990
		return SMP_UNSPECIFIED;
991

992
	if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
993
		bt_dev_err(hcon->hdev, "pairing failed "
994
			   "(confirmation values mismatch)");
995
		return SMP_CONFIRM_FAILED;
996
	}
997

998
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
999
		u8 stk[16];
1000
		__le64 rand = 0;
1001
		__le16 ediv = 0;
1002

1003
		smp_s1(smp->tk, smp->rrnd, smp->prnd, stk);
1004

1005
		if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1006
			return SMP_UNSPECIFIED;
1007

1008
		hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1009
		hcon->enc_key_size = smp->enc_key_size;
1010
		set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1011
	} else {
1012
		u8 stk[16], auth;
1013
		__le64 rand = 0;
1014
		__le16 ediv = 0;
1015

1016
		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1017
			     smp->prnd);
1018

1019
		smp_s1(smp->tk, smp->prnd, smp->rrnd, stk);
1020

1021
		if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1022
			auth = 1;
1023
		else
1024
			auth = 0;
1025

1026
		/* Even though there's no _RESPONDER suffix this is the
1027
		 * responder STK we're adding for later lookup (the initiator
1028
		 * STK never needs to be stored).
1029
		 */
1030
		hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1031
			    SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1032
	}
1033

1034
	return 0;
1035
}
1036

1037
static void smp_notify_keys(struct l2cap_conn *conn)
1038
{
1039
	struct l2cap_chan *chan = conn->smp;
1040
	struct smp_chan *smp = chan->data;
1041
	struct hci_conn *hcon = conn->hcon;
1042
	struct hci_dev *hdev = hcon->hdev;
1043
	struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1044
	struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1045
	bool persistent;
1046

1047
	if (hcon->type == ACL_LINK) {
1048
		if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1049
			persistent = false;
1050
		else
1051
			persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1052
					       &hcon->flags);
1053
	} else {
1054
		/* The LTKs, IRKs and CSRKs should be persistent only if
1055
		 * both sides had the bonding bit set in their
1056
		 * authentication requests.
1057
		 */
1058
		persistent = !!((req->auth_req & rsp->auth_req) &
1059
				SMP_AUTH_BONDING);
1060
	}
1061

1062
	if (smp->remote_irk) {
1063
		mgmt_new_irk(hdev, smp->remote_irk, persistent);
1064

1065
		/* Now that user space can be considered to know the
1066
		 * identity address track the connection based on it
1067
		 * from now on (assuming this is an LE link).
1068
		 */
1069
		if (hcon->type == LE_LINK) {
1070
			bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1071
			hcon->dst_type = smp->remote_irk->addr_type;
1072
			/* Use a short delay to make sure the new address is
1073
			 * propagated _before_ the channels.
1074
			 */
1075
			queue_delayed_work(hdev->workqueue,
1076
					   &conn->id_addr_timer,
1077
					   ID_ADDR_TIMEOUT);
1078
		}
1079
	}
1080

1081
	if (smp->csrk) {
1082
		smp->csrk->bdaddr_type = hcon->dst_type;
1083
		bacpy(&smp->csrk->bdaddr, &hcon->dst);
1084
		mgmt_new_csrk(hdev, smp->csrk, persistent);
1085
	}
1086

1087
	if (smp->responder_csrk) {
1088
		smp->responder_csrk->bdaddr_type = hcon->dst_type;
1089
		bacpy(&smp->responder_csrk->bdaddr, &hcon->dst);
1090
		mgmt_new_csrk(hdev, smp->responder_csrk, persistent);
1091
	}
1092

1093
	if (smp->ltk) {
1094
		smp->ltk->bdaddr_type = hcon->dst_type;
1095
		bacpy(&smp->ltk->bdaddr, &hcon->dst);
1096
		mgmt_new_ltk(hdev, smp->ltk, persistent);
1097
	}
1098

1099
	if (smp->responder_ltk) {
1100
		smp->responder_ltk->bdaddr_type = hcon->dst_type;
1101
		bacpy(&smp->responder_ltk->bdaddr, &hcon->dst);
1102
		mgmt_new_ltk(hdev, smp->responder_ltk, persistent);
1103
	}
1104

1105
	if (smp->link_key) {
1106
		struct link_key *key;
1107
		u8 type;
1108

1109
		if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1110
			type = HCI_LK_DEBUG_COMBINATION;
1111
		else if (hcon->sec_level == BT_SECURITY_FIPS)
1112
			type = HCI_LK_AUTH_COMBINATION_P256;
1113
		else
1114
			type = HCI_LK_UNAUTH_COMBINATION_P256;
1115

1116
		key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1117
				       smp->link_key, type, 0, &persistent);
1118
		if (key) {
1119
			mgmt_new_link_key(hdev, key, persistent);
1120

1121
			/* Don't keep debug keys around if the relevant
1122
			 * flag is not set.
1123
			 */
1124
			if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1125
			    key->type == HCI_LK_DEBUG_COMBINATION) {
1126
				list_del_rcu(&key->list);
1127
				kfree_rcu(key, rcu);
1128
			}
1129
		}
1130
	}
1131
}
1132

1133
static void sc_add_ltk(struct smp_chan *smp)
1134
{
1135
	struct hci_conn *hcon = smp->conn->hcon;
1136
	u8 key_type, auth;
1137

1138
	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1139
		key_type = SMP_LTK_P256_DEBUG;
1140
	else
1141
		key_type = SMP_LTK_P256;
1142

1143
	if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1144
		auth = 1;
1145
	else
1146
		auth = 0;
1147

1148
	smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1149
			       key_type, auth, smp->tk, smp->enc_key_size,
1150
			       0, 0);
1151
}
1152

1153
static void sc_generate_link_key(struct smp_chan *smp)
1154
{
1155
	/* From core spec. Spells out in ASCII as 'lebr'. */
1156
	const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1157

1158
	smp->link_key = kzalloc(16, GFP_KERNEL);
1159
	if (!smp->link_key)
1160
		return;
1161

1162
	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1163
		/* SALT = 0x000000000000000000000000746D7031 */
1164
		const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1165

1166
		if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1167
			kfree_sensitive(smp->link_key);
1168
			smp->link_key = NULL;
1169
			return;
1170
		}
1171
	} else {
1172
		/* From core spec. Spells out in ASCII as 'tmp1'. */
1173
		const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1174

1175
		if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1176
			kfree_sensitive(smp->link_key);
1177
			smp->link_key = NULL;
1178
			return;
1179
		}
1180
	}
1181

1182
	if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1183
		kfree_sensitive(smp->link_key);
1184
		smp->link_key = NULL;
1185
		return;
1186
	}
1187
}
1188

1189
static void smp_allow_key_dist(struct smp_chan *smp)
1190
{
1191
	/* Allow the first expected phase 3 PDU. The rest of the PDUs
1192
	 * will be allowed in each PDU handler to ensure we receive
1193
	 * them in the correct order.
1194
	 */
1195
	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1196
		SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1197
	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1198
		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1199
	else if (smp->remote_key_dist & SMP_DIST_SIGN)
1200
		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1201
}
1202

1203
static void sc_generate_ltk(struct smp_chan *smp)
1204
{
1205
	/* From core spec. Spells out in ASCII as 'brle'. */
1206
	const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1207
	struct hci_conn *hcon = smp->conn->hcon;
1208
	struct hci_dev *hdev = hcon->hdev;
1209
	struct link_key *key;
1210

1211
	key = hci_find_link_key(hdev, &hcon->dst);
1212
	if (!key) {
1213
		bt_dev_err(hdev, "no Link Key found to generate LTK");
1214
		return;
1215
	}
1216

1217
	if (key->type == HCI_LK_DEBUG_COMBINATION)
1218
		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1219

1220
	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1221
		/* SALT = 0x000000000000000000000000746D7032 */
1222
		const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1223

1224
		if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1225
			return;
1226
	} else {
1227
		/* From core spec. Spells out in ASCII as 'tmp2'. */
1228
		const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1229

1230
		if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1231
			return;
1232
	}
1233

1234
	if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1235
		return;
1236

1237
	sc_add_ltk(smp);
1238
}
1239

1240
static void smp_distribute_keys(struct smp_chan *smp)
1241
{
1242
	struct smp_cmd_pairing *req, *rsp;
1243
	struct l2cap_conn *conn = smp->conn;
1244
	struct hci_conn *hcon = conn->hcon;
1245
	struct hci_dev *hdev = hcon->hdev;
1246
	__u8 *keydist;
1247

1248
	bt_dev_dbg(hdev, "conn %p", conn);
1249

1250
	rsp = (void *) &smp->prsp[1];
1251

1252
	/* The responder sends its keys first */
1253
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags) &&
1254
	    (smp->remote_key_dist & KEY_DIST_MASK)) {
1255
		smp_allow_key_dist(smp);
1256
		return;
1257
	}
1258

1259
	req = (void *) &smp->preq[1];
1260

1261
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1262
		keydist = &rsp->init_key_dist;
1263
		*keydist &= req->init_key_dist;
1264
	} else {
1265
		keydist = &rsp->resp_key_dist;
1266
		*keydist &= req->resp_key_dist;
1267
	}
1268

1269
	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1270
		if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1271
			sc_generate_link_key(smp);
1272
		if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1273
			sc_generate_ltk(smp);
1274

1275
		/* Clear the keys which are generated but not distributed */
1276
		*keydist &= ~SMP_SC_NO_DIST;
1277
	}
1278

1279
	bt_dev_dbg(hdev, "keydist 0x%x", *keydist);
1280

1281
	if (*keydist & SMP_DIST_ENC_KEY) {
1282
		struct smp_cmd_encrypt_info enc;
1283
		struct smp_cmd_initiator_ident ident;
1284
		struct smp_ltk *ltk;
1285
		u8 authenticated;
1286
		__le16 ediv;
1287
		__le64 rand;
1288

1289
		/* Make sure we generate only the significant amount of
1290
		 * bytes based on the encryption key size, and set the rest
1291
		 * of the value to zeroes.
1292
		 */
1293
		get_random_bytes(enc.ltk, smp->enc_key_size);
1294
		memset(enc.ltk + smp->enc_key_size, 0,
1295
		       sizeof(enc.ltk) - smp->enc_key_size);
1296

1297
		get_random_bytes(&ediv, sizeof(ediv));
1298
		get_random_bytes(&rand, sizeof(rand));
1299

1300
		smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1301

1302
		authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1303
		ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1304
				  SMP_LTK_RESPONDER, authenticated, enc.ltk,
1305
				  smp->enc_key_size, ediv, rand);
1306
		smp->responder_ltk = ltk;
1307

1308
		ident.ediv = ediv;
1309
		ident.rand = rand;
1310

1311
		smp_send_cmd(conn, SMP_CMD_INITIATOR_IDENT, sizeof(ident),
1312
			     &ident);
1313

1314
		*keydist &= ~SMP_DIST_ENC_KEY;
1315
	}
1316

1317
	if (*keydist & SMP_DIST_ID_KEY) {
1318
		struct smp_cmd_ident_addr_info addrinfo;
1319
		struct smp_cmd_ident_info idinfo;
1320

1321
		memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1322

1323
		smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1324

1325
		/* The hci_conn contains the local identity address
1326
		 * after the connection has been established.
1327
		 *
1328
		 * This is true even when the connection has been
1329
		 * established using a resolvable random address.
1330
		 */
1331
		bacpy(&addrinfo.bdaddr, &hcon->src);
1332
		addrinfo.addr_type = hcon->src_type;
1333

1334
		smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1335
			     &addrinfo);
1336

1337
		*keydist &= ~SMP_DIST_ID_KEY;
1338
	}
1339

1340
	if (*keydist & SMP_DIST_SIGN) {
1341
		struct smp_cmd_sign_info sign;
1342
		struct smp_csrk *csrk;
1343

1344
		/* Generate a new random key */
1345
		get_random_bytes(sign.csrk, sizeof(sign.csrk));
1346

1347
		csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1348
		if (csrk) {
1349
			if (hcon->sec_level > BT_SECURITY_MEDIUM)
1350
				csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1351
			else
1352
				csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1353
			memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1354
		}
1355
		smp->responder_csrk = csrk;
1356

1357
		smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1358

1359
		*keydist &= ~SMP_DIST_SIGN;
1360
	}
1361

1362
	/* If there are still keys to be received wait for them */
1363
	if (smp->remote_key_dist & KEY_DIST_MASK) {
1364
		smp_allow_key_dist(smp);
1365
		return;
1366
	}
1367

1368
	set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1369
	smp_notify_keys(conn);
1370

1371
	smp_chan_destroy(conn);
1372
}
1373

1374
static void smp_timeout(struct work_struct *work)
1375
{
1376
	struct smp_chan *smp = container_of(work, struct smp_chan,
1377
					    security_timer.work);
1378
	struct l2cap_conn *conn = smp->conn;
1379

1380
	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
1381

1382
	hci_disconnect(conn->hcon, HCI_ERROR_AUTH_FAILURE);
1383
}
1384

1385
static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1386
{
1387
	struct hci_conn *hcon = conn->hcon;
1388
	struct l2cap_chan *chan = conn->smp;
1389
	struct smp_chan *smp;
1390

1391
	smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1392
	if (!smp)
1393
		return NULL;
1394

1395
	smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1396
	if (IS_ERR(smp->tfm_cmac)) {
1397
		bt_dev_err(hcon->hdev, "Unable to create CMAC crypto context");
1398
		goto zfree_smp;
1399
	}
1400

1401
	smp->tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
1402
	if (IS_ERR(smp->tfm_ecdh)) {
1403
		bt_dev_err(hcon->hdev, "Unable to create ECDH crypto context");
1404
		goto free_shash;
1405
	}
1406

1407
	smp->conn = conn;
1408
	chan->data = smp;
1409

1410
	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1411

1412
	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1413

1414
	hci_conn_hold(hcon);
1415

1416
	return smp;
1417

1418
free_shash:
1419
	crypto_free_shash(smp->tfm_cmac);
1420
zfree_smp:
1421
	kfree_sensitive(smp);
1422
	return NULL;
1423
}
1424

1425
static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1426
{
1427
	struct hci_conn *hcon = smp->conn->hcon;
1428
	u8 *na, *nb, a[7], b[7];
1429

1430
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1431
		na   = smp->prnd;
1432
		nb   = smp->rrnd;
1433
	} else {
1434
		na   = smp->rrnd;
1435
		nb   = smp->prnd;
1436
	}
1437

1438
	memcpy(a, &hcon->init_addr, 6);
1439
	memcpy(b, &hcon->resp_addr, 6);
1440
	a[6] = hcon->init_addr_type;
1441
	b[6] = hcon->resp_addr_type;
1442

1443
	return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1444
}
1445

1446
static void sc_dhkey_check(struct smp_chan *smp)
1447
{
1448
	struct hci_conn *hcon = smp->conn->hcon;
1449
	struct smp_cmd_dhkey_check check;
1450
	u8 a[7], b[7], *local_addr, *remote_addr;
1451
	u8 io_cap[3], r[16];
1452

1453
	memcpy(a, &hcon->init_addr, 6);
1454
	memcpy(b, &hcon->resp_addr, 6);
1455
	a[6] = hcon->init_addr_type;
1456
	b[6] = hcon->resp_addr_type;
1457

1458
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1459
		local_addr = a;
1460
		remote_addr = b;
1461
		memcpy(io_cap, &smp->preq[1], 3);
1462
	} else {
1463
		local_addr = b;
1464
		remote_addr = a;
1465
		memcpy(io_cap, &smp->prsp[1], 3);
1466
	}
1467

1468
	memset(r, 0, sizeof(r));
1469

1470
	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1471
		put_unaligned_le32(hcon->passkey_notify, r);
1472

1473
	if (smp->method == REQ_OOB)
1474
		memcpy(r, smp->rr, 16);
1475

1476
	smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1477
	       local_addr, remote_addr, check.e);
1478

1479
	smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1480
}
1481

1482
static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1483
{
1484
	struct l2cap_conn *conn = smp->conn;
1485
	struct hci_conn *hcon = conn->hcon;
1486
	struct smp_cmd_pairing_confirm cfm;
1487
	u8 r;
1488

1489
	r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1490
	r |= 0x80;
1491

1492
	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1493

1494
	if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1495
		   cfm.confirm_val))
1496
		return SMP_UNSPECIFIED;
1497

1498
	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1499

1500
	return 0;
1501
}
1502

1503
static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1504
{
1505
	struct l2cap_conn *conn = smp->conn;
1506
	struct hci_conn *hcon = conn->hcon;
1507
	struct hci_dev *hdev = hcon->hdev;
1508
	u8 cfm[16], r;
1509

1510
	/* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1511
	if (smp->passkey_round >= 20)
1512
		return 0;
1513

1514
	switch (smp_op) {
1515
	case SMP_CMD_PAIRING_RANDOM:
1516
		r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1517
		r |= 0x80;
1518

1519
		if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1520
			   smp->rrnd, r, cfm))
1521
			return SMP_UNSPECIFIED;
1522

1523
		if (crypto_memneq(smp->pcnf, cfm, 16))
1524
			return SMP_CONFIRM_FAILED;
1525

1526
		smp->passkey_round++;
1527

1528
		if (smp->passkey_round == 20) {
1529
			/* Generate MacKey and LTK */
1530
			if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1531
				return SMP_UNSPECIFIED;
1532
		}
1533

1534
		/* The round is only complete when the initiator
1535
		 * receives pairing random.
1536
		 */
1537
		if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1538
			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1539
				     sizeof(smp->prnd), smp->prnd);
1540
			if (smp->passkey_round == 20)
1541
				SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1542
			else
1543
				SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1544
			return 0;
1545
		}
1546

1547
		/* Start the next round */
1548
		if (smp->passkey_round != 20)
1549
			return sc_passkey_round(smp, 0);
1550

1551
		/* Passkey rounds are complete - start DHKey Check */
1552
		sc_dhkey_check(smp);
1553
		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1554

1555
		break;
1556

1557
	case SMP_CMD_PAIRING_CONFIRM:
1558
		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1559
			set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1560
			return 0;
1561
		}
1562

1563
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1564

1565
		if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1566
			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1567
				     sizeof(smp->prnd), smp->prnd);
1568
			return 0;
1569
		}
1570

1571
		return sc_passkey_send_confirm(smp);
1572

1573
	case SMP_CMD_PUBLIC_KEY:
1574
	default:
1575
		/* Initiating device starts the round */
1576
		if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags))
1577
			return 0;
1578

1579
		bt_dev_dbg(hdev, "Starting passkey round %u",
1580
			   smp->passkey_round + 1);
1581

1582
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1583

1584
		return sc_passkey_send_confirm(smp);
1585
	}
1586

1587
	return 0;
1588
}
1589

1590
static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1591
{
1592
	struct l2cap_conn *conn = smp->conn;
1593
	struct hci_conn *hcon = conn->hcon;
1594
	u8 smp_op;
1595

1596
	clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1597

1598
	switch (mgmt_op) {
1599
	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1600
		smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1601
		return 0;
1602
	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1603
		smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1604
		return 0;
1605
	case MGMT_OP_USER_PASSKEY_REPLY:
1606
		hcon->passkey_notify = le32_to_cpu(passkey);
1607
		smp->passkey_round = 0;
1608

1609
		if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1610
			smp_op = SMP_CMD_PAIRING_CONFIRM;
1611
		else
1612
			smp_op = 0;
1613

1614
		if (sc_passkey_round(smp, smp_op))
1615
			return -EIO;
1616

1617
		return 0;
1618
	}
1619

1620
	/* Initiator sends DHKey check first */
1621
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1622
		sc_dhkey_check(smp);
1623
		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1624
	} else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1625
		sc_dhkey_check(smp);
1626
		sc_add_ltk(smp);
1627
	}
1628

1629
	return 0;
1630
}
1631

1632
int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1633
{
1634
	struct l2cap_conn *conn = hcon->l2cap_data;
1635
	struct l2cap_chan *chan;
1636
	struct smp_chan *smp;
1637
	u32 value;
1638
	int err;
1639

1640
	if (!conn)
1641
		return -ENOTCONN;
1642

1643
	bt_dev_dbg(conn->hcon->hdev, "");
1644

1645
	chan = conn->smp;
1646
	if (!chan)
1647
		return -ENOTCONN;
1648

1649
	l2cap_chan_lock(chan);
1650
	if (!chan->data) {
1651
		err = -ENOTCONN;
1652
		goto unlock;
1653
	}
1654

1655
	smp = chan->data;
1656

1657
	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1658
		err = sc_user_reply(smp, mgmt_op, passkey);
1659
		goto unlock;
1660
	}
1661

1662
	switch (mgmt_op) {
1663
	case MGMT_OP_USER_PASSKEY_REPLY:
1664
		value = le32_to_cpu(passkey);
1665
		memset(smp->tk, 0, sizeof(smp->tk));
1666
		bt_dev_dbg(conn->hcon->hdev, "PassKey: %u", value);
1667
		put_unaligned_le32(value, smp->tk);
1668
		fallthrough;
1669
	case MGMT_OP_USER_CONFIRM_REPLY:
1670
		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1671
		break;
1672
	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1673
	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1674
		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1675
		err = 0;
1676
		goto unlock;
1677
	default:
1678
		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1679
		err = -EOPNOTSUPP;
1680
		goto unlock;
1681
	}
1682

1683
	err = 0;
1684

1685
	/* If it is our turn to send Pairing Confirm, do so now */
1686
	if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1687
		u8 rsp = smp_confirm(smp);
1688
		if (rsp)
1689
			smp_failure(conn, rsp);
1690
	}
1691

1692
unlock:
1693
	l2cap_chan_unlock(chan);
1694
	return err;
1695
}
1696

1697
static void build_bredr_pairing_cmd(struct smp_chan *smp,
1698
				    struct smp_cmd_pairing *req,
1699
				    struct smp_cmd_pairing *rsp)
1700
{
1701
	struct l2cap_conn *conn = smp->conn;
1702
	struct hci_dev *hdev = conn->hcon->hdev;
1703
	u8 local_dist = 0, remote_dist = 0;
1704

1705
	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1706
		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1707
		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1708
	}
1709

1710
	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1711
		remote_dist |= SMP_DIST_ID_KEY;
1712

1713
	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1714
		local_dist |= SMP_DIST_ID_KEY;
1715

1716
	if (!rsp) {
1717
		memset(req, 0, sizeof(*req));
1718

1719
		req->auth_req        = SMP_AUTH_CT2;
1720
		req->init_key_dist   = local_dist;
1721
		req->resp_key_dist   = remote_dist;
1722
		req->max_key_size    = conn->hcon->enc_key_size;
1723

1724
		smp->remote_key_dist = remote_dist;
1725

1726
		return;
1727
	}
1728

1729
	memset(rsp, 0, sizeof(*rsp));
1730

1731
	rsp->auth_req        = SMP_AUTH_CT2;
1732
	rsp->max_key_size    = conn->hcon->enc_key_size;
1733
	rsp->init_key_dist   = req->init_key_dist & remote_dist;
1734
	rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1735

1736
	smp->remote_key_dist = rsp->init_key_dist;
1737
}
1738

1739
static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1740
{
1741
	struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1742
	struct l2cap_chan *chan = conn->smp;
1743
	struct hci_dev *hdev = conn->hcon->hdev;
1744
	struct smp_chan *smp = chan->data;
1745
	u8 key_size, auth, sec_level;
1746
	int ret;
1747

1748
	bt_dev_dbg(hdev, "conn %p", conn);
1749

1750
	if (skb->len < sizeof(*req))
1751
		return SMP_INVALID_PARAMS;
1752

1753
	if (smp && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
1754
		return SMP_CMD_NOTSUPP;
1755

1756
	if (!smp) {
1757
		smp = smp_chan_create(conn);
1758
		if (!smp)
1759
			return SMP_UNSPECIFIED;
1760
	}
1761

1762
	/* We didn't start the pairing, so match remote */
1763
	auth = req->auth_req & AUTH_REQ_MASK(hdev);
1764

1765
	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1766
	    (auth & SMP_AUTH_BONDING))
1767
		return SMP_PAIRING_NOTSUPP;
1768

1769
	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1770
		return SMP_AUTH_REQUIREMENTS;
1771

1772
	smp->preq[0] = SMP_CMD_PAIRING_REQ;
1773
	memcpy(&smp->preq[1], req, sizeof(*req));
1774
	skb_pull(skb, sizeof(*req));
1775

1776
	/* If the remote side's OOB flag is set it means it has
1777
	 * successfully received our local OOB data - therefore set the
1778
	 * flag to indicate that local OOB is in use.
1779
	 */
1780
	if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1781
		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1782

1783
	/* SMP over BR/EDR requires special treatment */
1784
	if (conn->hcon->type == ACL_LINK) {
1785
		/* We must have a BR/EDR SC link */
1786
		if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1787
		    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1788
			return SMP_CROSS_TRANSP_NOT_ALLOWED;
1789

1790
		set_bit(SMP_FLAG_SC, &smp->flags);
1791

1792
		build_bredr_pairing_cmd(smp, req, &rsp);
1793

1794
		if (req->auth_req & SMP_AUTH_CT2)
1795
			set_bit(SMP_FLAG_CT2, &smp->flags);
1796

1797
		key_size = min(req->max_key_size, rsp.max_key_size);
1798
		if (check_enc_key_size(conn, key_size))
1799
			return SMP_ENC_KEY_SIZE;
1800

1801
		/* Clear bits which are generated but not distributed */
1802
		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1803

1804
		smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1805
		memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1806
		smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1807

1808
		smp_distribute_keys(smp);
1809
		return 0;
1810
	}
1811

1812
	build_pairing_cmd(conn, req, &rsp, auth);
1813

1814
	if (rsp.auth_req & SMP_AUTH_SC) {
1815
		set_bit(SMP_FLAG_SC, &smp->flags);
1816

1817
		if (rsp.auth_req & SMP_AUTH_CT2)
1818
			set_bit(SMP_FLAG_CT2, &smp->flags);
1819
	}
1820

1821
	if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1822
		sec_level = BT_SECURITY_MEDIUM;
1823
	else
1824
		sec_level = authreq_to_seclevel(auth);
1825

1826
	if (sec_level > conn->hcon->pending_sec_level)
1827
		conn->hcon->pending_sec_level = sec_level;
1828

1829
	/* If we need MITM check that it can be achieved */
1830
	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1831
		u8 method;
1832

1833
		method = get_auth_method(smp, conn->hcon->io_capability,
1834
					 req->io_capability);
1835
		if (method == JUST_WORKS || method == JUST_CFM)
1836
			return SMP_AUTH_REQUIREMENTS;
1837
	}
1838

1839
	key_size = min(req->max_key_size, rsp.max_key_size);
1840
	if (check_enc_key_size(conn, key_size))
1841
		return SMP_ENC_KEY_SIZE;
1842

1843
	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1844

1845
	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1846
	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1847

1848
	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1849

1850
	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1851

1852
	/* Strictly speaking we shouldn't allow Pairing Confirm for the
1853
	 * SC case, however some implementations incorrectly copy RFU auth
1854
	 * req bits from our security request, which may create a false
1855
	 * positive SC enablement.
1856
	 */
1857
	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1858

1859
	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1860
		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1861
		/* Clear bits which are generated but not distributed */
1862
		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1863
		/* Wait for Public Key from Initiating Device */
1864
		return 0;
1865
	}
1866

1867
	/* Request setup of TK */
1868
	ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1869
	if (ret)
1870
		return SMP_UNSPECIFIED;
1871

1872
	return 0;
1873
}
1874

1875
static u8 sc_send_public_key(struct smp_chan *smp)
1876
{
1877
	struct hci_dev *hdev = smp->conn->hcon->hdev;
1878

1879
	bt_dev_dbg(hdev, "");
1880

1881
	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1882
		struct l2cap_chan *chan = hdev->smp_data;
1883
		struct smp_dev *smp_dev;
1884

1885
		if (!chan || !chan->data)
1886
			return SMP_UNSPECIFIED;
1887

1888
		smp_dev = chan->data;
1889

1890
		memcpy(smp->local_pk, smp_dev->local_pk, 64);
1891
		memcpy(smp->lr, smp_dev->local_rand, 16);
1892

1893
		if (smp_dev->debug_key)
1894
			set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1895

1896
		goto done;
1897
	}
1898

1899
	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1900
		bt_dev_dbg(hdev, "Using debug keys");
1901
		if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
1902
			return SMP_UNSPECIFIED;
1903
		memcpy(smp->local_pk, debug_pk, 64);
1904
		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1905
	} else {
1906
		while (true) {
1907
			/* Generate key pair for Secure Connections */
1908
			if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
1909
				return SMP_UNSPECIFIED;
1910

1911
			/* This is unlikely, but we need to check that
1912
			 * we didn't accidentally generate a debug key.
1913
			 */
1914
			if (crypto_memneq(smp->local_pk, debug_pk, 64))
1915
				break;
1916
		}
1917
	}
1918

1919
done:
1920
	SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1921
	SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1922

1923
	smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1924

1925
	return 0;
1926
}
1927

1928
static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1929
{
1930
	struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1931
	struct l2cap_chan *chan = conn->smp;
1932
	struct smp_chan *smp = chan->data;
1933
	struct hci_dev *hdev = conn->hcon->hdev;
1934
	u8 key_size, auth;
1935
	int ret;
1936

1937
	bt_dev_dbg(hdev, "conn %p", conn);
1938

1939
	if (skb->len < sizeof(*rsp))
1940
		return SMP_INVALID_PARAMS;
1941

1942
	if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags))
1943
		return SMP_CMD_NOTSUPP;
1944

1945
	skb_pull(skb, sizeof(*rsp));
1946

1947
	req = (void *) &smp->preq[1];
1948

1949
	key_size = min(req->max_key_size, rsp->max_key_size);
1950
	if (check_enc_key_size(conn, key_size))
1951
		return SMP_ENC_KEY_SIZE;
1952

1953
	auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1954

1955
	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1956
		return SMP_AUTH_REQUIREMENTS;
1957

1958
	/* If the remote side's OOB flag is set it means it has
1959
	 * successfully received our local OOB data - therefore set the
1960
	 * flag to indicate that local OOB is in use.
1961
	 */
1962
	if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1963
		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1964

1965
	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1966
	memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1967

1968
	/* Update remote key distribution in case the remote cleared
1969
	 * some bits that we had enabled in our request.
1970
	 */
1971
	smp->remote_key_dist &= rsp->resp_key_dist;
1972

1973
	if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1974
		set_bit(SMP_FLAG_CT2, &smp->flags);
1975

1976
	/* For BR/EDR this means we're done and can start phase 3 */
1977
	if (conn->hcon->type == ACL_LINK) {
1978
		/* Clear bits which are generated but not distributed */
1979
		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1980
		smp_distribute_keys(smp);
1981
		return 0;
1982
	}
1983

1984
	if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1985
		set_bit(SMP_FLAG_SC, &smp->flags);
1986
	else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1987
		conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1988

1989
	/* If we need MITM check that it can be achieved */
1990
	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1991
		u8 method;
1992

1993
		method = get_auth_method(smp, req->io_capability,
1994
					 rsp->io_capability);
1995
		if (method == JUST_WORKS || method == JUST_CFM)
1996
			return SMP_AUTH_REQUIREMENTS;
1997
	}
1998

1999
	get_random_bytes(smp->prnd, sizeof(smp->prnd));
2000

2001
	/* Update remote key distribution in case the remote cleared
2002
	 * some bits that we had enabled in our request.
2003
	 */
2004
	smp->remote_key_dist &= rsp->resp_key_dist;
2005

2006
	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2007
		/* Clear bits which are generated but not distributed */
2008
		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
2009
		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2010
		return sc_send_public_key(smp);
2011
	}
2012

2013
	auth |= req->auth_req;
2014

2015
	ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2016
	if (ret)
2017
		return SMP_UNSPECIFIED;
2018

2019
	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2020

2021
	/* Can't compose response until we have been confirmed */
2022
	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2023
		return smp_confirm(smp);
2024

2025
	return 0;
2026
}
2027

2028
static u8 sc_check_confirm(struct smp_chan *smp)
2029
{
2030
	struct l2cap_conn *conn = smp->conn;
2031

2032
	bt_dev_dbg(conn->hcon->hdev, "");
2033

2034
	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2035
		return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2036

2037
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2038
		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2039
			     smp->prnd);
2040
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2041
	}
2042

2043
	return 0;
2044
}
2045

2046
/* Work-around for some implementations that incorrectly copy RFU bits
2047
 * from our security request and thereby create the impression that
2048
 * we're doing SC when in fact the remote doesn't support it.
2049
 */
2050
static int fixup_sc_false_positive(struct smp_chan *smp)
2051
{
2052
	struct l2cap_conn *conn = smp->conn;
2053
	struct hci_conn *hcon = conn->hcon;
2054
	struct hci_dev *hdev = hcon->hdev;
2055
	struct smp_cmd_pairing *req, *rsp;
2056
	u8 auth;
2057

2058
	/* The issue is only observed when we're in responder role */
2059
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2060
		return SMP_UNSPECIFIED;
2061

2062
	if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2063
		bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
2064
		return SMP_UNSPECIFIED;
2065
	}
2066

2067
	bt_dev_err(hdev, "trying to fall back to legacy SMP");
2068

2069
	req = (void *) &smp->preq[1];
2070
	rsp = (void *) &smp->prsp[1];
2071

2072
	/* Rebuild key dist flags which may have been cleared for SC */
2073
	smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2074

2075
	auth = req->auth_req & AUTH_REQ_MASK(hdev);
2076

2077
	if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2078
		bt_dev_err(hdev, "failed to fall back to legacy SMP");
2079
		return SMP_UNSPECIFIED;
2080
	}
2081

2082
	clear_bit(SMP_FLAG_SC, &smp->flags);
2083

2084
	return 0;
2085
}
2086

2087
static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2088
{
2089
	struct l2cap_chan *chan = conn->smp;
2090
	struct smp_chan *smp = chan->data;
2091
	struct hci_conn *hcon = conn->hcon;
2092
	struct hci_dev *hdev = hcon->hdev;
2093

2094
	bt_dev_dbg(hdev, "conn %p %s", conn,
2095
		   test_bit(SMP_FLAG_INITIATOR, &smp->flags) ? "initiator" :
2096
		   "responder");
2097

2098
	if (skb->len < sizeof(smp->pcnf))
2099
		return SMP_INVALID_PARAMS;
2100

2101
	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2102
	skb_pull(skb, sizeof(smp->pcnf));
2103

2104
	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2105
		int ret;
2106

2107
		/* Public Key exchange must happen before any other steps */
2108
		if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2109
			return sc_check_confirm(smp);
2110

2111
		bt_dev_err(hdev, "Unexpected SMP Pairing Confirm");
2112

2113
		ret = fixup_sc_false_positive(smp);
2114
		if (ret)
2115
			return ret;
2116
	}
2117

2118
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2119
		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2120
			     smp->prnd);
2121
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2122
		return 0;
2123
	}
2124

2125
	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2126
		return smp_confirm(smp);
2127

2128
	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2129

2130
	return 0;
2131
}
2132

2133
static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2134
{
2135
	struct l2cap_chan *chan = conn->smp;
2136
	struct smp_chan *smp = chan->data;
2137
	struct hci_conn *hcon = conn->hcon;
2138
	u8 *pkax, *pkbx, *na, *nb, confirm_hint;
2139
	u32 passkey;
2140
	int err;
2141

2142
	bt_dev_dbg(hcon->hdev, "conn %p", conn);
2143

2144
	if (skb->len < sizeof(smp->rrnd))
2145
		return SMP_INVALID_PARAMS;
2146

2147
	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2148
	skb_pull(skb, sizeof(smp->rrnd));
2149

2150
	if (!test_bit(SMP_FLAG_SC, &smp->flags))
2151
		return smp_random(smp);
2152

2153
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2154
		pkax = smp->local_pk;
2155
		pkbx = smp->remote_pk;
2156
		na   = smp->prnd;
2157
		nb   = smp->rrnd;
2158
	} else {
2159
		pkax = smp->remote_pk;
2160
		pkbx = smp->local_pk;
2161
		na   = smp->rrnd;
2162
		nb   = smp->prnd;
2163
	}
2164

2165
	if (smp->method == REQ_OOB) {
2166
		if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2167
			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2168
				     sizeof(smp->prnd), smp->prnd);
2169
		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2170
		goto mackey_and_ltk;
2171
	}
2172

2173
	/* Passkey entry has special treatment */
2174
	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2175
		return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2176

2177
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2178
		u8 cfm[16];
2179

2180
		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2181
			     smp->rrnd, 0, cfm);
2182
		if (err)
2183
			return SMP_UNSPECIFIED;
2184

2185
		if (crypto_memneq(smp->pcnf, cfm, 16))
2186
			return SMP_CONFIRM_FAILED;
2187
	} else {
2188
		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2189
			     smp->prnd);
2190
		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2191

2192
		/* Only Just-Works pairing requires extra checks */
2193
		if (smp->method != JUST_WORKS)
2194
			goto mackey_and_ltk;
2195

2196
		/* If there already exists long term key in local host, leave
2197
		 * the decision to user space since the remote device could
2198
		 * be legitimate or malicious.
2199
		 */
2200
		if (hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
2201
				 hcon->role)) {
2202
			/* Set passkey to 0. The value can be any number since
2203
			 * it'll be ignored anyway.
2204
			 */
2205
			passkey = 0;
2206
			confirm_hint = 1;
2207
			goto confirm;
2208
		}
2209
	}
2210

2211
mackey_and_ltk:
2212
	/* Generate MacKey and LTK */
2213
	err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2214
	if (err)
2215
		return SMP_UNSPECIFIED;
2216

2217
	if (smp->method == REQ_OOB) {
2218
		if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2219
			sc_dhkey_check(smp);
2220
			SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2221
		}
2222
		return 0;
2223
	}
2224

2225
	err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2226
	if (err)
2227
		return SMP_UNSPECIFIED;
2228

2229
	confirm_hint = 0;
2230

2231
confirm:
2232
	if (smp->method == JUST_WORKS)
2233
		confirm_hint = 1;
2234

2235
	err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2236
					hcon->dst_type, passkey, confirm_hint);
2237
	if (err)
2238
		return SMP_UNSPECIFIED;
2239

2240
	set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2241

2242
	return 0;
2243
}
2244

2245
static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2246
{
2247
	struct smp_ltk *key;
2248
	struct hci_conn *hcon = conn->hcon;
2249

2250
	key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2251
	if (!key)
2252
		return false;
2253

2254
	if (smp_ltk_sec_level(key) < sec_level)
2255
		return false;
2256

2257
	if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2258
		return true;
2259

2260
	hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2261
	hcon->enc_key_size = key->enc_size;
2262

2263
	/* We never store STKs for initiator role, so clear this flag */
2264
	clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2265

2266
	return true;
2267
}
2268

2269
bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2270
			     enum smp_key_pref key_pref)
2271
{
2272
	if (sec_level == BT_SECURITY_LOW)
2273
		return true;
2274

2275
	/* If we're encrypted with an STK but the caller prefers using
2276
	 * LTK claim insufficient security. This way we allow the
2277
	 * connection to be re-encrypted with an LTK, even if the LTK
2278
	 * provides the same level of security. Only exception is if we
2279
	 * don't have an LTK (e.g. because of key distribution bits).
2280
	 */
2281
	if (key_pref == SMP_USE_LTK &&
2282
	    test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2283
	    hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2284
		return false;
2285

2286
	if (hcon->sec_level >= sec_level)
2287
		return true;
2288

2289
	return false;
2290
}
2291

2292
static void smp_send_pairing_req(struct smp_chan *smp, __u8 auth)
2293
{
2294
	struct smp_cmd_pairing cp;
2295

2296
	if (smp->conn->hcon->type == ACL_LINK)
2297
		build_bredr_pairing_cmd(smp, &cp, NULL);
2298
	else
2299
		build_pairing_cmd(smp->conn, &cp, NULL, auth);
2300

2301
	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2302
	memcpy(&smp->preq[1], &cp, sizeof(cp));
2303

2304
	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2305
	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2306

2307
	set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2308
}
2309

2310
static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2311
{
2312
	struct smp_cmd_security_req *rp = (void *) skb->data;
2313
	struct hci_conn *hcon = conn->hcon;
2314
	struct hci_dev *hdev = hcon->hdev;
2315
	struct smp_chan *smp;
2316
	u8 sec_level, auth;
2317

2318
	bt_dev_dbg(hdev, "conn %p", conn);
2319

2320
	if (skb->len < sizeof(*rp))
2321
		return SMP_INVALID_PARAMS;
2322

2323
	if (hcon->role != HCI_ROLE_MASTER)
2324
		return SMP_CMD_NOTSUPP;
2325

2326
	auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2327

2328
	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2329
		return SMP_AUTH_REQUIREMENTS;
2330

2331
	if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2332
		sec_level = BT_SECURITY_MEDIUM;
2333
	else
2334
		sec_level = authreq_to_seclevel(auth);
2335

2336
	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2337
		/* If link is already encrypted with sufficient security we
2338
		 * still need refresh encryption as per Core Spec 5.0 Vol 3,
2339
		 * Part H 2.4.6
2340
		 */
2341
		smp_ltk_encrypt(conn, hcon->sec_level);
2342
		return 0;
2343
	}
2344

2345
	if (sec_level > hcon->pending_sec_level)
2346
		hcon->pending_sec_level = sec_level;
2347

2348
	if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2349
		return 0;
2350

2351
	smp = smp_chan_create(conn);
2352
	if (!smp)
2353
		return SMP_UNSPECIFIED;
2354

2355
	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2356
	    (auth & SMP_AUTH_BONDING))
2357
		return SMP_PAIRING_NOTSUPP;
2358

2359
	skb_pull(skb, sizeof(*rp));
2360

2361
	smp_send_pairing_req(smp, auth);
2362

2363
	return 0;
2364
}
2365

2366
static void smp_send_security_req(struct smp_chan *smp, __u8 auth)
2367
{
2368
	struct smp_cmd_security_req cp;
2369

2370
	cp.auth_req = auth;
2371
	smp_send_cmd(smp->conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2372
	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2373

2374
	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
2375
}
2376

2377
int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2378
{
2379
	struct l2cap_conn *conn = hcon->l2cap_data;
2380
	struct l2cap_chan *chan;
2381
	struct smp_chan *smp;
2382
	__u8 authreq;
2383
	int ret;
2384

2385
	bt_dev_dbg(hcon->hdev, "conn %p hcon %p level 0x%2.2x", conn, hcon,
2386
		   sec_level);
2387

2388
	/* This may be NULL if there's an unexpected disconnection */
2389
	if (!conn)
2390
		return 1;
2391

2392
	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2393
		return 1;
2394

2395
	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2396
		return 1;
2397

2398
	if (sec_level > hcon->pending_sec_level)
2399
		hcon->pending_sec_level = sec_level;
2400

2401
	if (hcon->role == HCI_ROLE_MASTER)
2402
		if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2403
			return 0;
2404

2405
	chan = conn->smp;
2406
	if (!chan) {
2407
		bt_dev_err(hcon->hdev, "security requested but not available");
2408
		return 1;
2409
	}
2410

2411
	l2cap_chan_lock(chan);
2412

2413
	/* If SMP is already in progress ignore this request */
2414
	if (chan->data) {
2415
		ret = 0;
2416
		goto unlock;
2417
	}
2418

2419
	smp = smp_chan_create(conn);
2420
	if (!smp) {
2421
		ret = 1;
2422
		goto unlock;
2423
	}
2424

2425
	authreq = seclevel_to_authreq(sec_level);
2426

2427
	if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2428
		authreq |= SMP_AUTH_SC;
2429
		if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2430
			authreq |= SMP_AUTH_CT2;
2431
	}
2432

2433
	/* Don't attempt to set MITM if setting is overridden by debugfs
2434
	 * Needed to pass certification test SM/MAS/PKE/BV-01-C
2435
	 */
2436
	if (!hci_dev_test_flag(hcon->hdev, HCI_FORCE_NO_MITM)) {
2437
		/* Require MITM if IO Capability allows or the security level
2438
		 * requires it.
2439
		 */
2440
		if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2441
		    hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2442
			authreq |= SMP_AUTH_MITM;
2443
	}
2444

2445
	if (hcon->role == HCI_ROLE_MASTER)
2446
		smp_send_pairing_req(smp, authreq);
2447
	else
2448
		smp_send_security_req(smp, authreq);
2449

2450
	ret = 0;
2451

2452
unlock:
2453
	l2cap_chan_unlock(chan);
2454
	return ret;
2455
}
2456

2457
int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2458
				  u8 addr_type)
2459
{
2460
	struct hci_conn *hcon;
2461
	struct l2cap_conn *conn;
2462
	struct l2cap_chan *chan;
2463
	struct smp_chan *smp;
2464
	int err;
2465

2466
	err = hci_remove_ltk(hdev, bdaddr, addr_type);
2467
	hci_remove_irk(hdev, bdaddr, addr_type);
2468

2469
	hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2470
	if (!hcon)
2471
		goto done;
2472

2473
	conn = hcon->l2cap_data;
2474
	if (!conn)
2475
		goto done;
2476

2477
	chan = conn->smp;
2478
	if (!chan)
2479
		goto done;
2480

2481
	l2cap_chan_lock(chan);
2482

2483
	smp = chan->data;
2484
	if (smp) {
2485
		/* Set keys to NULL to make sure smp_failure() does not try to
2486
		 * remove and free already invalidated rcu list entries. */
2487
		smp->ltk = NULL;
2488
		smp->responder_ltk = NULL;
2489
		smp->remote_irk = NULL;
2490

2491
		if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2492
			smp_failure(conn, 0);
2493
		else
2494
			smp_failure(conn, SMP_UNSPECIFIED);
2495
		err = 0;
2496
	}
2497

2498
	l2cap_chan_unlock(chan);
2499

2500
done:
2501
	return err;
2502
}
2503

2504
static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2505
{
2506
	struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2507
	struct l2cap_chan *chan = conn->smp;
2508
	struct smp_chan *smp = chan->data;
2509

2510
	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
2511

2512
	if (skb->len < sizeof(*rp))
2513
		return SMP_INVALID_PARAMS;
2514

2515
	/* Pairing is aborted if any blocked keys are distributed */
2516
	if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_LTK,
2517
			       rp->ltk)) {
2518
		bt_dev_warn_ratelimited(conn->hcon->hdev,
2519
					"LTK blocked for %pMR",
2520
					&conn->hcon->dst);
2521
		return SMP_INVALID_PARAMS;
2522
	}
2523

2524
	SMP_ALLOW_CMD(smp, SMP_CMD_INITIATOR_IDENT);
2525

2526
	skb_pull(skb, sizeof(*rp));
2527

2528
	memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2529

2530
	return 0;
2531
}
2532

2533
static int smp_cmd_initiator_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2534
{
2535
	struct smp_cmd_initiator_ident *rp = (void *)skb->data;
2536
	struct l2cap_chan *chan = conn->smp;
2537
	struct smp_chan *smp = chan->data;
2538
	struct hci_dev *hdev = conn->hcon->hdev;
2539
	struct hci_conn *hcon = conn->hcon;
2540
	struct smp_ltk *ltk;
2541
	u8 authenticated;
2542

2543
	bt_dev_dbg(hdev, "conn %p", conn);
2544

2545
	if (skb->len < sizeof(*rp))
2546
		return SMP_INVALID_PARAMS;
2547

2548
	/* Mark the information as received */
2549
	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2550

2551
	if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2552
		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2553
	else if (smp->remote_key_dist & SMP_DIST_SIGN)
2554
		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2555

2556
	skb_pull(skb, sizeof(*rp));
2557

2558
	authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2559
	ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2560
			  authenticated, smp->tk, smp->enc_key_size,
2561
			  rp->ediv, rp->rand);
2562
	smp->ltk = ltk;
2563
	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2564
		smp_distribute_keys(smp);
2565

2566
	return 0;
2567
}
2568

2569
static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2570
{
2571
	struct smp_cmd_ident_info *info = (void *) skb->data;
2572
	struct l2cap_chan *chan = conn->smp;
2573
	struct smp_chan *smp = chan->data;
2574

2575
	bt_dev_dbg(conn->hcon->hdev, "");
2576

2577
	if (skb->len < sizeof(*info))
2578
		return SMP_INVALID_PARAMS;
2579

2580
	/* Pairing is aborted if any blocked keys are distributed */
2581
	if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_IRK,
2582
			       info->irk)) {
2583
		bt_dev_warn_ratelimited(conn->hcon->hdev,
2584
					"Identity key blocked for %pMR",
2585
					&conn->hcon->dst);
2586
		return SMP_INVALID_PARAMS;
2587
	}
2588

2589
	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2590

2591
	skb_pull(skb, sizeof(*info));
2592

2593
	memcpy(smp->irk, info->irk, 16);
2594

2595
	return 0;
2596
}
2597

2598
static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2599
				   struct sk_buff *skb)
2600
{
2601
	struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2602
	struct l2cap_chan *chan = conn->smp;
2603
	struct smp_chan *smp = chan->data;
2604
	struct hci_conn *hcon = conn->hcon;
2605
	bdaddr_t rpa;
2606

2607
	bt_dev_dbg(hcon->hdev, "");
2608

2609
	if (skb->len < sizeof(*info))
2610
		return SMP_INVALID_PARAMS;
2611

2612
	/* Mark the information as received */
2613
	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2614

2615
	if (smp->remote_key_dist & SMP_DIST_SIGN)
2616
		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2617

2618
	skb_pull(skb, sizeof(*info));
2619

2620
	/* Strictly speaking the Core Specification (4.1) allows sending
2621
	 * an empty address which would force us to rely on just the IRK
2622
	 * as "identity information". However, since such
2623
	 * implementations are not known of and in order to not over
2624
	 * complicate our implementation, simply pretend that we never
2625
	 * received an IRK for such a device.
2626
	 *
2627
	 * The Identity Address must also be a Static Random or Public
2628
	 * Address, which hci_is_identity_address() checks for.
2629
	 */
2630
	if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2631
	    !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2632
		bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
2633
		goto distribute;
2634
	}
2635

2636
	/* Drop IRK if peer is using identity address during pairing but is
2637
	 * providing different address as identity information.
2638
	 *
2639
	 * Microsoft Surface Precision Mouse is known to have this bug.
2640
	 */
2641
	if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
2642
	    (bacmp(&info->bdaddr, &hcon->dst) ||
2643
	     info->addr_type != hcon->dst_type)) {
2644
		bt_dev_err(hcon->hdev,
2645
			   "ignoring IRK with invalid identity address");
2646
		goto distribute;
2647
	}
2648

2649
	bacpy(&smp->id_addr, &info->bdaddr);
2650
	smp->id_addr_type = info->addr_type;
2651

2652
	if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2653
		bacpy(&rpa, &hcon->dst);
2654
	else
2655
		bacpy(&rpa, BDADDR_ANY);
2656

2657
	smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2658
				      smp->id_addr_type, smp->irk, &rpa);
2659

2660
distribute:
2661
	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2662
		smp_distribute_keys(smp);
2663

2664
	return 0;
2665
}
2666

2667
static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2668
{
2669
	struct smp_cmd_sign_info *rp = (void *) skb->data;
2670
	struct l2cap_chan *chan = conn->smp;
2671
	struct smp_chan *smp = chan->data;
2672
	struct smp_csrk *csrk;
2673

2674
	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
2675

2676
	if (skb->len < sizeof(*rp))
2677
		return SMP_INVALID_PARAMS;
2678

2679
	/* Mark the information as received */
2680
	smp->remote_key_dist &= ~SMP_DIST_SIGN;
2681

2682
	skb_pull(skb, sizeof(*rp));
2683

2684
	csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2685
	if (csrk) {
2686
		if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2687
			csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2688
		else
2689
			csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2690
		memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2691
	}
2692
	smp->csrk = csrk;
2693
	smp_distribute_keys(smp);
2694

2695
	return 0;
2696
}
2697

2698
static u8 sc_select_method(struct smp_chan *smp)
2699
{
2700
	struct smp_cmd_pairing *local, *remote;
2701
	u8 local_mitm, remote_mitm, local_io, remote_io, method;
2702

2703
	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2704
	    test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2705
		return REQ_OOB;
2706

2707
	/* The preq/prsp contain the raw Pairing Request/Response PDUs
2708
	 * which are needed as inputs to some crypto functions. To get
2709
	 * the "struct smp_cmd_pairing" from them we need to skip the
2710
	 * first byte which contains the opcode.
2711
	 */
2712
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2713
		local = (void *) &smp->preq[1];
2714
		remote = (void *) &smp->prsp[1];
2715
	} else {
2716
		local = (void *) &smp->prsp[1];
2717
		remote = (void *) &smp->preq[1];
2718
	}
2719

2720
	local_io = local->io_capability;
2721
	remote_io = remote->io_capability;
2722

2723
	local_mitm = (local->auth_req & SMP_AUTH_MITM);
2724
	remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2725

2726
	/* If either side wants MITM, look up the method from the table,
2727
	 * otherwise use JUST WORKS.
2728
	 */
2729
	if (local_mitm || remote_mitm)
2730
		method = get_auth_method(smp, local_io, remote_io);
2731
	else
2732
		method = JUST_WORKS;
2733

2734
	/* Don't confirm locally initiated pairing attempts */
2735
	if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2736
		method = JUST_WORKS;
2737

2738
	return method;
2739
}
2740

2741
static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2742
{
2743
	struct smp_cmd_public_key *key = (void *) skb->data;
2744
	struct hci_conn *hcon = conn->hcon;
2745
	struct l2cap_chan *chan = conn->smp;
2746
	struct smp_chan *smp = chan->data;
2747
	struct hci_dev *hdev = hcon->hdev;
2748
	struct crypto_kpp *tfm_ecdh;
2749
	struct smp_cmd_pairing_confirm cfm;
2750
	int err;
2751

2752
	bt_dev_dbg(hdev, "conn %p", conn);
2753

2754
	if (skb->len < sizeof(*key))
2755
		return SMP_INVALID_PARAMS;
2756

2757
	/* Check if remote and local public keys are the same and debug key is
2758
	 * not in use.
2759
	 */
2760
	if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) &&
2761
	    !crypto_memneq(key, smp->local_pk, 64)) {
2762
		bt_dev_err(hdev, "Remote and local public keys are identical");
2763
		return SMP_UNSPECIFIED;
2764
	}
2765

2766
	memcpy(smp->remote_pk, key, 64);
2767

2768
	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2769
		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2770
			     smp->rr, 0, cfm.confirm_val);
2771
		if (err)
2772
			return SMP_UNSPECIFIED;
2773

2774
		if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2775
			return SMP_CONFIRM_FAILED;
2776
	}
2777

2778
	/* Non-initiating device sends its public key after receiving
2779
	 * the key from the initiating device.
2780
	 */
2781
	if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2782
		err = sc_send_public_key(smp);
2783
		if (err)
2784
			return err;
2785
	}
2786

2787
	SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2788
	SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2789

2790
	/* Compute the shared secret on the same crypto tfm on which the private
2791
	 * key was set/generated.
2792
	 */
2793
	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
2794
		struct l2cap_chan *hchan = hdev->smp_data;
2795
		struct smp_dev *smp_dev;
2796

2797
		if (!hchan || !hchan->data)
2798
			return SMP_UNSPECIFIED;
2799

2800
		smp_dev = hchan->data;
2801

2802
		tfm_ecdh = smp_dev->tfm_ecdh;
2803
	} else {
2804
		tfm_ecdh = smp->tfm_ecdh;
2805
	}
2806

2807
	if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
2808
		return SMP_UNSPECIFIED;
2809

2810
	SMP_DBG("DHKey %32phN", smp->dhkey);
2811

2812
	set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2813

2814
	smp->method = sc_select_method(smp);
2815

2816
	bt_dev_dbg(hdev, "selected method 0x%02x", smp->method);
2817

2818
	/* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2819
	if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2820
		hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2821
	else
2822
		hcon->pending_sec_level = BT_SECURITY_FIPS;
2823

2824
	if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2825
		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2826

2827
	if (smp->method == DSP_PASSKEY) {
2828
		get_random_bytes(&hcon->passkey_notify,
2829
				 sizeof(hcon->passkey_notify));
2830
		hcon->passkey_notify %= 1000000;
2831
		hcon->passkey_entered = 0;
2832
		smp->passkey_round = 0;
2833
		if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2834
					     hcon->dst_type,
2835
					     hcon->passkey_notify,
2836
					     hcon->passkey_entered))
2837
			return SMP_UNSPECIFIED;
2838
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2839
		return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2840
	}
2841

2842
	if (smp->method == REQ_OOB) {
2843
		if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2844
			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2845
				     sizeof(smp->prnd), smp->prnd);
2846

2847
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2848

2849
		return 0;
2850
	}
2851

2852
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2853
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2854

2855
	if (smp->method == REQ_PASSKEY) {
2856
		if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2857
					      hcon->dst_type))
2858
			return SMP_UNSPECIFIED;
2859
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2860
		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2861
		return 0;
2862
	}
2863

2864
	/* The Initiating device waits for the non-initiating device to
2865
	 * send the confirm value.
2866
	 */
2867
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2868
		return 0;
2869

2870
	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2871
		     0, cfm.confirm_val);
2872
	if (err)
2873
		return SMP_UNSPECIFIED;
2874

2875
	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2876
	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2877

2878
	return 0;
2879
}
2880

2881
static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2882
{
2883
	struct smp_cmd_dhkey_check *check = (void *) skb->data;
2884
	struct l2cap_chan *chan = conn->smp;
2885
	struct hci_conn *hcon = conn->hcon;
2886
	struct smp_chan *smp = chan->data;
2887
	u8 a[7], b[7], *local_addr, *remote_addr;
2888
	u8 io_cap[3], r[16], e[16];
2889
	int err;
2890

2891
	bt_dev_dbg(hcon->hdev, "conn %p", conn);
2892

2893
	if (skb->len < sizeof(*check))
2894
		return SMP_INVALID_PARAMS;
2895

2896
	memcpy(a, &hcon->init_addr, 6);
2897
	memcpy(b, &hcon->resp_addr, 6);
2898
	a[6] = hcon->init_addr_type;
2899
	b[6] = hcon->resp_addr_type;
2900

2901
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2902
		local_addr = a;
2903
		remote_addr = b;
2904
		memcpy(io_cap, &smp->prsp[1], 3);
2905
	} else {
2906
		local_addr = b;
2907
		remote_addr = a;
2908
		memcpy(io_cap, &smp->preq[1], 3);
2909
	}
2910

2911
	memset(r, 0, sizeof(r));
2912

2913
	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2914
		put_unaligned_le32(hcon->passkey_notify, r);
2915
	else if (smp->method == REQ_OOB)
2916
		memcpy(r, smp->lr, 16);
2917

2918
	err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2919
		     io_cap, remote_addr, local_addr, e);
2920
	if (err)
2921
		return SMP_UNSPECIFIED;
2922

2923
	if (crypto_memneq(check->e, e, 16))
2924
		return SMP_DHKEY_CHECK_FAILED;
2925

2926
	if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2927
		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2928
			set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2929
			return 0;
2930
		}
2931

2932
		/* Responder sends DHKey check as response to initiator */
2933
		sc_dhkey_check(smp);
2934
	}
2935

2936
	sc_add_ltk(smp);
2937

2938
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2939
		hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2940
		hcon->enc_key_size = smp->enc_key_size;
2941
	}
2942

2943
	return 0;
2944
}
2945

2946
static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2947
				   struct sk_buff *skb)
2948
{
2949
	struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2950

2951
	bt_dev_dbg(conn->hcon->hdev, "value 0x%02x", kp->value);
2952

2953
	return 0;
2954
}
2955

2956
static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2957
{
2958
	struct l2cap_conn *conn = chan->conn;
2959
	struct hci_conn *hcon = conn->hcon;
2960
	struct smp_chan *smp;
2961
	__u8 code, reason;
2962
	int err = 0;
2963

2964
	if (skb->len < 1)
2965
		return -EILSEQ;
2966

2967
	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2968
		reason = SMP_PAIRING_NOTSUPP;
2969
		goto done;
2970
	}
2971

2972
	code = skb->data[0];
2973
	skb_pull(skb, sizeof(code));
2974

2975
	smp = chan->data;
2976

2977
	if (code > SMP_CMD_MAX)
2978
		goto drop;
2979

2980
	if (smp && !test_and_clear_bit(code, &smp->allow_cmd)) {
2981
		/* If there is a context and the command is not allowed consider
2982
		 * it a failure so the session is cleanup properly.
2983
		 */
2984
		switch (code) {
2985
		case SMP_CMD_IDENT_INFO:
2986
		case SMP_CMD_IDENT_ADDR_INFO:
2987
		case SMP_CMD_SIGN_INFO:
2988
			/* 3.6.1. Key distribution and generation
2989
			 *
2990
			 * A device may reject a distributed key by sending the
2991
			 * Pairing Failed command with the reason set to
2992
			 * "Key Rejected".
2993
			 */
2994
			smp_failure(conn, SMP_KEY_REJECTED);
2995
			break;
2996
		}
2997
		goto drop;
2998
	}
2999

3000
	/* If we don't have a context the only allowed commands are
3001
	 * pairing request and security request.
3002
	 */
3003
	if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
3004
		goto drop;
3005

3006
	switch (code) {
3007
	case SMP_CMD_PAIRING_REQ:
3008
		reason = smp_cmd_pairing_req(conn, skb);
3009
		break;
3010

3011
	case SMP_CMD_PAIRING_FAIL:
3012
		smp_failure(conn, 0);
3013
		err = -EPERM;
3014
		break;
3015

3016
	case SMP_CMD_PAIRING_RSP:
3017
		reason = smp_cmd_pairing_rsp(conn, skb);
3018
		break;
3019

3020
	case SMP_CMD_SECURITY_REQ:
3021
		reason = smp_cmd_security_req(conn, skb);
3022
		break;
3023

3024
	case SMP_CMD_PAIRING_CONFIRM:
3025
		reason = smp_cmd_pairing_confirm(conn, skb);
3026
		break;
3027

3028
	case SMP_CMD_PAIRING_RANDOM:
3029
		reason = smp_cmd_pairing_random(conn, skb);
3030
		break;
3031

3032
	case SMP_CMD_ENCRYPT_INFO:
3033
		reason = smp_cmd_encrypt_info(conn, skb);
3034
		break;
3035

3036
	case SMP_CMD_INITIATOR_IDENT:
3037
		reason = smp_cmd_initiator_ident(conn, skb);
3038
		break;
3039

3040
	case SMP_CMD_IDENT_INFO:
3041
		reason = smp_cmd_ident_info(conn, skb);
3042
		break;
3043

3044
	case SMP_CMD_IDENT_ADDR_INFO:
3045
		reason = smp_cmd_ident_addr_info(conn, skb);
3046
		break;
3047

3048
	case SMP_CMD_SIGN_INFO:
3049
		reason = smp_cmd_sign_info(conn, skb);
3050
		break;
3051

3052
	case SMP_CMD_PUBLIC_KEY:
3053
		reason = smp_cmd_public_key(conn, skb);
3054
		break;
3055

3056
	case SMP_CMD_DHKEY_CHECK:
3057
		reason = smp_cmd_dhkey_check(conn, skb);
3058
		break;
3059

3060
	case SMP_CMD_KEYPRESS_NOTIFY:
3061
		reason = smp_cmd_keypress_notify(conn, skb);
3062
		break;
3063

3064
	default:
3065
		bt_dev_dbg(hcon->hdev, "Unknown command code 0x%2.2x", code);
3066
		reason = SMP_CMD_NOTSUPP;
3067
		goto done;
3068
	}
3069

3070
done:
3071
	if (!err) {
3072
		if (reason)
3073
			smp_failure(conn, reason);
3074
		kfree_skb(skb);
3075
	}
3076

3077
	return err;
3078

3079
drop:
3080
	bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
3081
		   code, &hcon->dst);
3082
	kfree_skb(skb);
3083
	return 0;
3084
}
3085

3086
static void smp_teardown_cb(struct l2cap_chan *chan, int err)
3087
{
3088
	struct l2cap_conn *conn = chan->conn;
3089

3090
	bt_dev_dbg(conn->hcon->hdev, "chan %p", chan);
3091

3092
	if (chan->data)
3093
		smp_chan_destroy(conn);
3094

3095
	conn->smp = NULL;
3096
	l2cap_chan_put(chan);
3097
}
3098

3099
static void bredr_pairing(struct l2cap_chan *chan)
3100
{
3101
	struct l2cap_conn *conn = chan->conn;
3102
	struct hci_conn *hcon = conn->hcon;
3103
	struct hci_dev *hdev = hcon->hdev;
3104
	struct smp_chan *smp;
3105

3106
	bt_dev_dbg(hdev, "chan %p", chan);
3107

3108
	/* Only new pairings are interesting */
3109
	if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
3110
		return;
3111

3112
	/* Don't bother if we're not encrypted */
3113
	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3114
		return;
3115

3116
	/* Only initiator may initiate SMP over BR/EDR */
3117
	if (hcon->role != HCI_ROLE_MASTER)
3118
		return;
3119

3120
	/* Secure Connections support must be enabled */
3121
	if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
3122
		return;
3123

3124
	/* BR/EDR must use Secure Connections for SMP */
3125
	if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
3126
	    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3127
		return;
3128

3129
	/* If our LE support is not enabled don't do anything */
3130
	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3131
		return;
3132

3133
	/* Don't bother if remote LE support is not enabled */
3134
	if (!lmp_host_le_capable(hcon))
3135
		return;
3136

3137
	/* Remote must support SMP fixed chan for BR/EDR */
3138
	if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3139
		return;
3140

3141
	/* Don't bother if SMP is already ongoing */
3142
	if (chan->data)
3143
		return;
3144

3145
	smp = smp_chan_create(conn);
3146
	if (!smp) {
3147
		bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
3148
		return;
3149
	}
3150

3151
	set_bit(SMP_FLAG_SC, &smp->flags);
3152

3153
	bt_dev_dbg(hdev, "starting SMP over BR/EDR");
3154

3155
	smp_send_pairing_req(smp, 0x00);
3156
}
3157

3158
static void smp_resume_cb(struct l2cap_chan *chan)
3159
{
3160
	struct smp_chan *smp = chan->data;
3161
	struct l2cap_conn *conn = chan->conn;
3162
	struct hci_conn *hcon = conn->hcon;
3163

3164
	bt_dev_dbg(hcon->hdev, "chan %p", chan);
3165

3166
	if (hcon->type == ACL_LINK) {
3167
		bredr_pairing(chan);
3168
		return;
3169
	}
3170

3171
	if (!smp)
3172
		return;
3173

3174
	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3175
		return;
3176

3177
	cancel_delayed_work(&smp->security_timer);
3178

3179
	smp_distribute_keys(smp);
3180
}
3181

3182
static void smp_ready_cb(struct l2cap_chan *chan)
3183
{
3184
	struct l2cap_conn *conn = chan->conn;
3185
	struct hci_conn *hcon = conn->hcon;
3186

3187
	bt_dev_dbg(hcon->hdev, "chan %p", chan);
3188

3189
	/* No need to call l2cap_chan_hold() here since we already own
3190
	 * the reference taken in smp_new_conn_cb(). This is just the
3191
	 * first time that we tie it to a specific pointer. The code in
3192
	 * l2cap_core.c ensures that there's no risk this function won't
3193
	 * get called if smp_new_conn_cb was previously called.
3194
	 */
3195
	conn->smp = chan;
3196

3197
	if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3198
		bredr_pairing(chan);
3199
}
3200

3201
static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3202
{
3203
	int err;
3204

3205
	bt_dev_dbg(chan->conn->hcon->hdev, "chan %p", chan);
3206

3207
	err = smp_sig_channel(chan, skb);
3208
	if (err) {
3209
		struct smp_chan *smp = chan->data;
3210

3211
		if (smp)
3212
			cancel_delayed_work_sync(&smp->security_timer);
3213

3214
		hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3215
	}
3216

3217
	return err;
3218
}
3219

3220
static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3221
					unsigned long hdr_len,
3222
					unsigned long len, int nb)
3223
{
3224
	struct sk_buff *skb;
3225

3226
	skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3227
	if (!skb)
3228
		return ERR_PTR(-ENOMEM);
3229

3230
	skb->priority = HCI_PRIO_MAX;
3231
	bt_cb(skb)->l2cap.chan = chan;
3232

3233
	return skb;
3234
}
3235

3236
static const struct l2cap_ops smp_chan_ops = {
3237
	.name			= "Security Manager",
3238
	.ready			= smp_ready_cb,
3239
	.recv			= smp_recv_cb,
3240
	.alloc_skb		= smp_alloc_skb_cb,
3241
	.teardown		= smp_teardown_cb,
3242
	.resume			= smp_resume_cb,
3243

3244
	.new_connection		= l2cap_chan_no_new_connection,
3245
	.state_change		= l2cap_chan_no_state_change,
3246
	.close			= l2cap_chan_no_close,
3247
	.defer			= l2cap_chan_no_defer,
3248
	.suspend		= l2cap_chan_no_suspend,
3249
	.set_shutdown		= l2cap_chan_no_set_shutdown,
3250
	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3251
};
3252

3253
static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3254
{
3255
	struct l2cap_chan *chan;
3256

3257
	BT_DBG("pchan %p", pchan);
3258

3259
	chan = l2cap_chan_create();
3260
	if (!chan)
3261
		return NULL;
3262

3263
	chan->chan_type	= pchan->chan_type;
3264
	chan->ops	= &smp_chan_ops;
3265
	chan->scid	= pchan->scid;
3266
	chan->dcid	= chan->scid;
3267
	chan->imtu	= pchan->imtu;
3268
	chan->omtu	= pchan->omtu;
3269
	chan->mode	= pchan->mode;
3270

3271
	/* Other L2CAP channels may request SMP routines in order to
3272
	 * change the security level. This means that the SMP channel
3273
	 * lock must be considered in its own category to avoid lockdep
3274
	 * warnings.
3275
	 */
3276
	atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3277

3278
	BT_DBG("created chan %p", chan);
3279

3280
	return chan;
3281
}
3282

3283
static const struct l2cap_ops smp_root_chan_ops = {
3284
	.name			= "Security Manager Root",
3285
	.new_connection		= smp_new_conn_cb,
3286

3287
	/* None of these are implemented for the root channel */
3288
	.close			= l2cap_chan_no_close,
3289
	.alloc_skb		= l2cap_chan_no_alloc_skb,
3290
	.recv			= l2cap_chan_no_recv,
3291
	.state_change		= l2cap_chan_no_state_change,
3292
	.teardown		= l2cap_chan_no_teardown,
3293
	.ready			= l2cap_chan_no_ready,
3294
	.defer			= l2cap_chan_no_defer,
3295
	.suspend		= l2cap_chan_no_suspend,
3296
	.resume			= l2cap_chan_no_resume,
3297
	.set_shutdown		= l2cap_chan_no_set_shutdown,
3298
	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3299
};
3300

3301
static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3302
{
3303
	struct l2cap_chan *chan;
3304
	struct smp_dev *smp;
3305
	struct crypto_shash *tfm_cmac;
3306
	struct crypto_kpp *tfm_ecdh;
3307

3308
	if (cid == L2CAP_CID_SMP_BREDR) {
3309
		smp = NULL;
3310
		goto create_chan;
3311
	}
3312

3313
	smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3314
	if (!smp)
3315
		return ERR_PTR(-ENOMEM);
3316

3317
	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3318
	if (IS_ERR(tfm_cmac)) {
3319
		bt_dev_err(hdev, "Unable to create CMAC crypto context");
3320
		kfree_sensitive(smp);
3321
		return ERR_CAST(tfm_cmac);
3322
	}
3323

3324
	tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
3325
	if (IS_ERR(tfm_ecdh)) {
3326
		bt_dev_err(hdev, "Unable to create ECDH crypto context");
3327
		crypto_free_shash(tfm_cmac);
3328
		kfree_sensitive(smp);
3329
		return ERR_CAST(tfm_ecdh);
3330
	}
3331

3332
	smp->local_oob = false;
3333
	smp->tfm_cmac = tfm_cmac;
3334
	smp->tfm_ecdh = tfm_ecdh;
3335

3336
create_chan:
3337
	chan = l2cap_chan_create();
3338
	if (!chan) {
3339
		if (smp) {
3340
			crypto_free_shash(smp->tfm_cmac);
3341
			crypto_free_kpp(smp->tfm_ecdh);
3342
			kfree_sensitive(smp);
3343
		}
3344
		return ERR_PTR(-ENOMEM);
3345
	}
3346

3347
	chan->data = smp;
3348

3349
	l2cap_add_scid(chan, cid);
3350

3351
	l2cap_chan_set_defaults(chan);
3352

3353
	if (cid == L2CAP_CID_SMP) {
3354
		u8 bdaddr_type;
3355

3356
		hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3357

3358
		if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3359
			chan->src_type = BDADDR_LE_PUBLIC;
3360
		else
3361
			chan->src_type = BDADDR_LE_RANDOM;
3362
	} else {
3363
		bacpy(&chan->src, &hdev->bdaddr);
3364
		chan->src_type = BDADDR_BREDR;
3365
	}
3366

3367
	chan->state = BT_LISTEN;
3368
	chan->mode = L2CAP_MODE_BASIC;
3369
	chan->imtu = L2CAP_DEFAULT_MTU;
3370
	chan->ops = &smp_root_chan_ops;
3371

3372
	/* Set correct nesting level for a parent/listening channel */
3373
	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3374

3375
	return chan;
3376
}
3377

3378
static void smp_del_chan(struct l2cap_chan *chan)
3379
{
3380
	struct smp_dev *smp;
3381

3382
	BT_DBG("chan %p", chan);
3383

3384
	smp = chan->data;
3385
	if (smp) {
3386
		chan->data = NULL;
3387
		crypto_free_shash(smp->tfm_cmac);
3388
		crypto_free_kpp(smp->tfm_ecdh);
3389
		kfree_sensitive(smp);
3390
	}
3391

3392
	l2cap_chan_put(chan);
3393
}
3394

3395
int smp_force_bredr(struct hci_dev *hdev, bool enable)
3396
{
3397
	if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3398
		return -EALREADY;
3399

3400
	if (enable) {
3401
		struct l2cap_chan *chan;
3402

3403
		chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3404
		if (IS_ERR(chan))
3405
			return PTR_ERR(chan);
3406

3407
		hdev->smp_bredr_data = chan;
3408
	} else {
3409
		struct l2cap_chan *chan;
3410

3411
		chan = hdev->smp_bredr_data;
3412
		hdev->smp_bredr_data = NULL;
3413
		smp_del_chan(chan);
3414
	}
3415

3416
	hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3417

3418
	return 0;
3419
}
3420

3421
int smp_register(struct hci_dev *hdev)
3422
{
3423
	struct l2cap_chan *chan;
3424

3425
	bt_dev_dbg(hdev, "");
3426

3427
	/* If the controller does not support Low Energy operation, then
3428
	 * there is also no need to register any SMP channel.
3429
	 */
3430
	if (!lmp_le_capable(hdev))
3431
		return 0;
3432

3433
	if (WARN_ON(hdev->smp_data)) {
3434
		chan = hdev->smp_data;
3435
		hdev->smp_data = NULL;
3436
		smp_del_chan(chan);
3437
	}
3438

3439
	chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3440
	if (IS_ERR(chan))
3441
		return PTR_ERR(chan);
3442

3443
	hdev->smp_data = chan;
3444

3445
	if (!lmp_sc_capable(hdev)) {
3446
		/* Flag can be already set here (due to power toggle) */
3447
		if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3448
			return 0;
3449
	}
3450

3451
	if (WARN_ON(hdev->smp_bredr_data)) {
3452
		chan = hdev->smp_bredr_data;
3453
		hdev->smp_bredr_data = NULL;
3454
		smp_del_chan(chan);
3455
	}
3456

3457
	chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3458
	if (IS_ERR(chan)) {
3459
		int err = PTR_ERR(chan);
3460
		chan = hdev->smp_data;
3461
		hdev->smp_data = NULL;
3462
		smp_del_chan(chan);
3463
		return err;
3464
	}
3465

3466
	hdev->smp_bredr_data = chan;
3467

3468
	return 0;
3469
}
3470

3471
void smp_unregister(struct hci_dev *hdev)
3472
{
3473
	struct l2cap_chan *chan;
3474

3475
	if (hdev->smp_bredr_data) {
3476
		chan = hdev->smp_bredr_data;
3477
		hdev->smp_bredr_data = NULL;
3478
		smp_del_chan(chan);
3479
	}
3480

3481
	if (hdev->smp_data) {
3482
		chan = hdev->smp_data;
3483
		hdev->smp_data = NULL;
3484
		smp_del_chan(chan);
3485
	}
3486
}
3487

3488
#if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3489

3490
static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
3491
{
3492
	u8 pk[64];
3493
	int err;
3494

3495
	err = set_ecdh_privkey(tfm_ecdh, debug_sk);
3496
	if (err)
3497
		return err;
3498

3499
	err = generate_ecdh_public_key(tfm_ecdh, pk);
3500
	if (err)
3501
		return err;
3502

3503
	if (crypto_memneq(pk, debug_pk, 64))
3504
		return -EINVAL;
3505

3506
	return 0;
3507
}
3508

3509
static int __init test_ah(void)
3510
{
3511
	const u8 irk[16] = {
3512
			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3513
			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3514
	const u8 r[3] = { 0x94, 0x81, 0x70 };
3515
	const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3516
	u8 res[3];
3517
	int err;
3518

3519
	err = smp_ah(irk, r, res);
3520
	if (err)
3521
		return err;
3522

3523
	if (crypto_memneq(res, exp, 3))
3524
		return -EINVAL;
3525

3526
	return 0;
3527
}
3528

3529
static int __init test_c1(void)
3530
{
3531
	const u8 k[16] = {
3532
			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3533
			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3534
	const u8 r[16] = {
3535
			0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3536
			0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3537
	const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3538
	const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3539
	const u8 _iat = 0x01;
3540
	const u8 _rat = 0x00;
3541
	const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3542
	const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3543
	const u8 exp[16] = {
3544
			0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3545
			0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3546
	u8 res[16];
3547
	int err;
3548

3549
	err = smp_c1(k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3550
	if (err)
3551
		return err;
3552

3553
	if (crypto_memneq(res, exp, 16))
3554
		return -EINVAL;
3555

3556
	return 0;
3557
}
3558

3559
static int __init test_s1(void)
3560
{
3561
	const u8 k[16] = {
3562
			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3563
			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3564
	const u8 r1[16] = {
3565
			0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3566
	const u8 r2[16] = {
3567
			0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3568
	const u8 exp[16] = {
3569
			0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3570
			0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3571
	u8 res[16];
3572
	int err;
3573

3574
	err = smp_s1(k, r1, r2, res);
3575
	if (err)
3576
		return err;
3577

3578
	if (crypto_memneq(res, exp, 16))
3579
		return -EINVAL;
3580

3581
	return 0;
3582
}
3583

3584
static int __init test_f4(struct crypto_shash *tfm_cmac)
3585
{
3586
	const u8 u[32] = {
3587
			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3588
			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3589
			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3590
			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3591
	const u8 v[32] = {
3592
			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3593
			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3594
			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3595
			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3596
	const u8 x[16] = {
3597
			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3598
			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3599
	const u8 z = 0x00;
3600
	const u8 exp[16] = {
3601
			0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3602
			0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3603
	u8 res[16];
3604
	int err;
3605

3606
	err = smp_f4(tfm_cmac, u, v, x, z, res);
3607
	if (err)
3608
		return err;
3609

3610
	if (crypto_memneq(res, exp, 16))
3611
		return -EINVAL;
3612

3613
	return 0;
3614
}
3615

3616
static int __init test_f5(struct crypto_shash *tfm_cmac)
3617
{
3618
	const u8 w[32] = {
3619
			0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3620
			0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3621
			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3622
			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3623
	const u8 n1[16] = {
3624
			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3625
			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3626
	const u8 n2[16] = {
3627
			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3628
			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3629
	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3630
	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3631
	const u8 exp_ltk[16] = {
3632
			0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3633
			0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3634
	const u8 exp_mackey[16] = {
3635
			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3636
			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3637
	u8 mackey[16], ltk[16];
3638
	int err;
3639

3640
	err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3641
	if (err)
3642
		return err;
3643

3644
	if (crypto_memneq(mackey, exp_mackey, 16))
3645
		return -EINVAL;
3646

3647
	if (crypto_memneq(ltk, exp_ltk, 16))
3648
		return -EINVAL;
3649

3650
	return 0;
3651
}
3652

3653
static int __init test_f6(struct crypto_shash *tfm_cmac)
3654
{
3655
	const u8 w[16] = {
3656
			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3657
			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3658
	const u8 n1[16] = {
3659
			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3660
			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3661
	const u8 n2[16] = {
3662
			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3663
			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3664
	const u8 r[16] = {
3665
			0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3666
			0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3667
	const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3668
	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3669
	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3670
	const u8 exp[16] = {
3671
			0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3672
			0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3673
	u8 res[16];
3674
	int err;
3675

3676
	err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3677
	if (err)
3678
		return err;
3679

3680
	if (crypto_memneq(res, exp, 16))
3681
		return -EINVAL;
3682

3683
	return 0;
3684
}
3685

3686
static int __init test_g2(struct crypto_shash *tfm_cmac)
3687
{
3688
	const u8 u[32] = {
3689
			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3690
			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3691
			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3692
			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3693
	const u8 v[32] = {
3694
			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3695
			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3696
			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3697
			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3698
	const u8 x[16] = {
3699
			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3700
			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3701
	const u8 y[16] = {
3702
			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3703
			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3704
	const u32 exp_val = 0x2f9ed5ba % 1000000;
3705
	u32 val;
3706
	int err;
3707

3708
	err = smp_g2(tfm_cmac, u, v, x, y, &val);
3709
	if (err)
3710
		return err;
3711

3712
	if (val != exp_val)
3713
		return -EINVAL;
3714

3715
	return 0;
3716
}
3717

3718
static int __init test_h6(struct crypto_shash *tfm_cmac)
3719
{
3720
	const u8 w[16] = {
3721
			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3722
			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3723
	const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3724
	const u8 exp[16] = {
3725
			0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3726
			0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3727
	u8 res[16];
3728
	int err;
3729

3730
	err = smp_h6(tfm_cmac, w, key_id, res);
3731
	if (err)
3732
		return err;
3733

3734
	if (crypto_memneq(res, exp, 16))
3735
		return -EINVAL;
3736

3737
	return 0;
3738
}
3739

3740
static char test_smp_buffer[32];
3741

3742
static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3743
			     size_t count, loff_t *ppos)
3744
{
3745
	return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3746
				       strlen(test_smp_buffer));
3747
}
3748

3749
static const struct file_operations test_smp_fops = {
3750
	.open		= simple_open,
3751
	.read		= test_smp_read,
3752
	.llseek		= default_llseek,
3753
};
3754

3755
static int __init run_selftests(struct crypto_shash *tfm_cmac,
3756
				struct crypto_kpp *tfm_ecdh)
3757
{
3758
	ktime_t calltime, delta, rettime;
3759
	unsigned long long duration;
3760
	int err;
3761

3762
	calltime = ktime_get();
3763

3764
	err = test_debug_key(tfm_ecdh);
3765
	if (err) {
3766
		BT_ERR("debug_key test failed");
3767
		goto done;
3768
	}
3769

3770
	err = test_ah();
3771
	if (err) {
3772
		BT_ERR("smp_ah test failed");
3773
		goto done;
3774
	}
3775

3776
	err = test_c1();
3777
	if (err) {
3778
		BT_ERR("smp_c1 test failed");
3779
		goto done;
3780
	}
3781

3782
	err = test_s1();
3783
	if (err) {
3784
		BT_ERR("smp_s1 test failed");
3785
		goto done;
3786
	}
3787

3788
	err = test_f4(tfm_cmac);
3789
	if (err) {
3790
		BT_ERR("smp_f4 test failed");
3791
		goto done;
3792
	}
3793

3794
	err = test_f5(tfm_cmac);
3795
	if (err) {
3796
		BT_ERR("smp_f5 test failed");
3797
		goto done;
3798
	}
3799

3800
	err = test_f6(tfm_cmac);
3801
	if (err) {
3802
		BT_ERR("smp_f6 test failed");
3803
		goto done;
3804
	}
3805

3806
	err = test_g2(tfm_cmac);
3807
	if (err) {
3808
		BT_ERR("smp_g2 test failed");
3809
		goto done;
3810
	}
3811

3812
	err = test_h6(tfm_cmac);
3813
	if (err) {
3814
		BT_ERR("smp_h6 test failed");
3815
		goto done;
3816
	}
3817

3818
	rettime = ktime_get();
3819
	delta = ktime_sub(rettime, calltime);
3820
	duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3821

3822
	BT_INFO("SMP test passed in %llu usecs", duration);
3823

3824
done:
3825
	if (!err)
3826
		snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3827
			 "PASS (%llu usecs)\n", duration);
3828
	else
3829
		snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3830

3831
	debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3832
			    &test_smp_fops);
3833

3834
	return err;
3835
}
3836

3837
int __init bt_selftest_smp(void)
3838
{
3839
	struct crypto_shash *tfm_cmac;
3840
	struct crypto_kpp *tfm_ecdh;
3841
	int err;
3842

3843
	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3844
	if (IS_ERR(tfm_cmac)) {
3845
		BT_ERR("Unable to create CMAC crypto context");
3846
		return PTR_ERR(tfm_cmac);
3847
	}
3848

3849
	tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
3850
	if (IS_ERR(tfm_ecdh)) {
3851
		BT_ERR("Unable to create ECDH crypto context");
3852
		crypto_free_shash(tfm_cmac);
3853
		return PTR_ERR(tfm_ecdh);
3854
	}
3855

3856
	err = run_selftests(tfm_cmac, tfm_ecdh);
3857

3858
	crypto_free_shash(tfm_cmac);
3859
	crypto_free_kpp(tfm_ecdh);
3860

3861
	return err;
3862
}
3863

3864
#endif
3865

3866