net/bluetooth/smp.c

0001 /*
0002    BlueZ - Bluetooth protocol stack for Linux
0003    Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
0004
0005    This program is free software; you can redistribute it and/or modify
0006    it under the terms of the GNU General Public License version 2 as
0007    published by the Free Software Foundation;
0008
0009    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
0010    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
0011    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
0012    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
0013    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
0014    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
0015    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
0016    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
0017
0018    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
0019    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
0020    SOFTWARE IS DISCLAIMED.
0021 */
0022
0023 #include <linux/debugfs.h>
0024 #include <linux/scatterlist.h>
0025 #include <linux/crypto.h>
0026 #include <crypto/aes.h>
0027 #include <crypto/algapi.h>
0028 #include <crypto/hash.h>
0029 #include <crypto/kpp.h>
0030
0031 #include <net/bluetooth/bluetooth.h>
0032 #include <net/bluetooth/hci_core.h>
0033 #include <net/bluetooth/l2cap.h>
0034 #include <net/bluetooth/mgmt.h>
0035
0036 #include "ecdh_helper.h"
0037 #include "smp.h"
0038
0039 #define SMP_DEV(hdev) \
0040     ((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
0041
0042 /* Low-level debug macros to be used for stuff that we don't want
0043  * accidentally in dmesg, i.e. the values of the various crypto keys
0044  * and the inputs & outputs of crypto functions.
0045  */
0046 #ifdef DEBUG
0047 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
0048                  ##__VA_ARGS__)
0049 #else
0050 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
0051                     ##__VA_ARGS__)
0052 #endif
0053
0054 #define SMP_ALLOW_CMD(smp, code)    set_bit(code, &smp->allow_cmd)
0055
0056 /* Keys which are not distributed with Secure Connections */
0057 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY)
0058
0059 #define SMP_TIMEOUT msecs_to_jiffies(30000)
0060
0061 #define AUTH_REQ_MASK(dev)  (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
0062                  0x3f : 0x07)
0063 #define KEY_DIST_MASK       0x07
0064
0065 /* Maximum message length that can be passed to aes_cmac */
0066 #define CMAC_MSG_MAX    80
0067
0068 enum {
0069     SMP_FLAG_TK_VALID,
0070     SMP_FLAG_CFM_PENDING,
0071     SMP_FLAG_MITM_AUTH,
0072     SMP_FLAG_COMPLETE,
0073     SMP_FLAG_INITIATOR,
0074     SMP_FLAG_SC,
0075     SMP_FLAG_REMOTE_PK,
0076     SMP_FLAG_DEBUG_KEY,
0077     SMP_FLAG_WAIT_USER,
0078     SMP_FLAG_DHKEY_PENDING,
0079     SMP_FLAG_REMOTE_OOB,
0080     SMP_FLAG_LOCAL_OOB,
0081     SMP_FLAG_CT2,
0082 };
0083
0084 struct smp_dev {
0085     /* Secure Connections OOB data */
0086     bool            local_oob;
0087     u8          local_pk[64];
0088     u8          local_rand[16];
0089     bool            debug_key;
0090
0091     struct crypto_shash *tfm_cmac;
0092     struct crypto_kpp   *tfm_ecdh;
0093 };
0094
0095 struct smp_chan {
0096     struct l2cap_conn   *conn;
0097     struct delayed_work security_timer;
0098     unsigned long           allow_cmd; /* Bitmask of allowed commands */
0099
0100     u8      preq[7]; /* SMP Pairing Request */
0101     u8      prsp[7]; /* SMP Pairing Response */
0102     u8      prnd[16]; /* SMP Pairing Random (local) */
0103     u8      rrnd[16]; /* SMP Pairing Random (remote) */
0104     u8      pcnf[16]; /* SMP Pairing Confirm */
0105     u8      tk[16]; /* SMP Temporary Key */
0106     u8      rr[16]; /* Remote OOB ra/rb value */
0107     u8      lr[16]; /* Local OOB ra/rb value */
0108     u8      enc_key_size;
0109     u8      remote_key_dist;
0110     bdaddr_t    id_addr;
0111     u8      id_addr_type;
0112     u8      irk[16];
0113     struct smp_csrk *csrk;
0114     struct smp_csrk *responder_csrk;
0115     struct smp_ltk  *ltk;
0116     struct smp_ltk  *responder_ltk;
0117     struct smp_irk  *remote_irk;
0118     u8      *link_key;
0119     unsigned long   flags;
0120     u8      method;
0121     u8      passkey_round;
0122
0123     /* Secure Connections variables */
0124     u8          local_pk[64];
0125     u8          remote_pk[64];
0126     u8          dhkey[32];
0127     u8          mackey[16];
0128
0129     struct crypto_shash *tfm_cmac;
0130     struct crypto_kpp   *tfm_ecdh;
0131 };
0132
0133 /* These debug key values are defined in the SMP section of the core
0134  * specification. debug_pk is the public debug key and debug_sk the
0135  * private debug key.
0136  */
0137 static const u8 debug_pk[64] = {
0138         0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
0139         0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
0140         0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
0141         0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
0142
0143         0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
0144         0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
0145         0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
0146         0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
0147 };
0148
0149 static const u8 debug_sk[32] = {
0150         0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
0151         0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
0152         0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
0153         0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
0154 };
0155
0156 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
0157 {
0158     size_t i;
0159
0160     for (i = 0; i < len; i++)
0161         dst[len - 1 - i] = src[i];
0162 }
0163
0164 /* The following functions map to the LE SC SMP crypto functions
0165  * AES-CMAC, f4, f5, f6, g2 and h6.
0166  */
0167
0168 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
0169             size_t len, u8 mac[16])
0170 {
0171     uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
0172     int err;
0173
0174     if (len > CMAC_MSG_MAX)
0175         return -EFBIG;
0176
0177     if (!tfm) {
0178         BT_ERR("tfm %p", tfm);
0179         return -EINVAL;
0180     }
0181
0182     /* Swap key and message from LSB to MSB */
0183     swap_buf(k, tmp, 16);
0184     swap_buf(m, msg_msb, len);
0185
0186     SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
0187     SMP_DBG("key %16phN", k);
0188
0189     err = crypto_shash_setkey(tfm, tmp, 16);
0190     if (err) {
0191         BT_ERR("cipher setkey failed: %d", err);
0192         return err;
0193     }
0194
0195     err = crypto_shash_tfm_digest(tfm, msg_msb, len, mac_msb);
0196     if (err) {
0197         BT_ERR("Hash computation error %d", err);
0198         return err;
0199     }
0200
0201     swap_buf(mac_msb, mac, 16);
0202
0203     SMP_DBG("mac %16phN", mac);
0204
0205     return 0;
0206 }
0207
0208 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
0209           const u8 v[32], const u8 x[16], u8 z, u8 res[16])
0210 {
0211     u8 m[65];
0212     int err;
0213
0214     SMP_DBG("u %32phN", u);
0215     SMP_DBG("v %32phN", v);
0216     SMP_DBG("x %16phN z %02x", x, z);
0217
0218     m[0] = z;
0219     memcpy(m + 1, v, 32);
0220     memcpy(m + 33, u, 32);
0221
0222     err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
0223     if (err)
0224         return err;
0225
0226     SMP_DBG("res %16phN", res);
0227
0228     return err;
0229 }
0230
0231 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
0232           const u8 n1[16], const u8 n2[16], const u8 a1[7],
0233           const u8 a2[7], u8 mackey[16], u8 ltk[16])
0234 {
0235     /* The btle, salt and length "magic" values are as defined in
0236      * the SMP section of the Bluetooth core specification. In ASCII
0237      * the btle value ends up being 'btle'. The salt is just a
0238      * random number whereas length is the value 256 in little
0239      * endian format.
0240      */
0241     const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
0242     const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
0243                   0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
0244     const u8 length[2] = { 0x00, 0x01 };
0245     u8 m[53], t[16];
0246     int err;
0247
0248     SMP_DBG("w %32phN", w);
0249     SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
0250     SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
0251
0252     err = aes_cmac(tfm_cmac, salt, w, 32, t);
0253     if (err)
0254         return err;
0255
0256     SMP_DBG("t %16phN", t);
0257
0258     memcpy(m, length, 2);
0259     memcpy(m + 2, a2, 7);
0260     memcpy(m + 9, a1, 7);
0261     memcpy(m + 16, n2, 16);
0262     memcpy(m + 32, n1, 16);
0263     memcpy(m + 48, btle, 4);
0264
0265     m[52] = 0; /* Counter */
0266
0267     err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
0268     if (err)
0269         return err;
0270
0271     SMP_DBG("mackey %16phN", mackey);
0272
0273     m[52] = 1; /* Counter */
0274
0275     err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
0276     if (err)
0277         return err;
0278
0279     SMP_DBG("ltk %16phN", ltk);
0280
0281     return 0;
0282 }
0283
0284 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
0285           const u8 n1[16], const u8 n2[16], const u8 r[16],
0286           const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
0287           u8 res[16])
0288 {
0289     u8 m[65];
0290     int err;
0291
0292     SMP_DBG("w %16phN", w);
0293     SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
0294     SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
0295
0296     memcpy(m, a2, 7);
0297     memcpy(m + 7, a1, 7);
0298     memcpy(m + 14, io_cap, 3);
0299     memcpy(m + 17, r, 16);
0300     memcpy(m + 33, n2, 16);
0301     memcpy(m + 49, n1, 16);
0302
0303     err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
0304     if (err)
0305         return err;
0306
0307     SMP_DBG("res %16phN", res);
0308
0309     return err;
0310 }
0311
0312 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
0313           const u8 x[16], const u8 y[16], u32 *val)
0314 {
0315     u8 m[80], tmp[16];
0316     int err;
0317
0318     SMP_DBG("u %32phN", u);
0319     SMP_DBG("v %32phN", v);
0320     SMP_DBG("x %16phN y %16phN", x, y);
0321
0322     memcpy(m, y, 16);
0323     memcpy(m + 16, v, 32);
0324     memcpy(m + 48, u, 32);
0325
0326     err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
0327     if (err)
0328         return err;
0329
0330     *val = get_unaligned_le32(tmp);
0331     *val %= 1000000;
0332
0333     SMP_DBG("val %06u", *val);
0334
0335     return 0;
0336 }
0337
0338 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
0339           const u8 key_id[4], u8 res[16])
0340 {
0341     int err;
0342
0343     SMP_DBG("w %16phN key_id %4phN", w, key_id);
0344
0345     err = aes_cmac(tfm_cmac, w, key_id, 4, res);
0346     if (err)
0347         return err;
0348
0349     SMP_DBG("res %16phN", res);
0350
0351     return err;
0352 }
0353
0354 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
0355           const u8 salt[16], u8 res[16])
0356 {
0357     int err;
0358
0359     SMP_DBG("w %16phN salt %16phN", w, salt);
0360
0361     err = aes_cmac(tfm_cmac, salt, w, 16, res);
0362     if (err)
0363         return err;
0364
0365     SMP_DBG("res %16phN", res);
0366
0367     return err;
0368 }
0369
0370 /* The following functions map to the legacy SMP crypto functions e, c1,
0371  * s1 and ah.
0372  */
0373
0374 static int smp_e(const u8 *k, u8 *r)
0375 {
0376     struct crypto_aes_ctx ctx;
0377     uint8_t tmp[16], data[16];
0378     int err;
0379
0380     SMP_DBG("k %16phN r %16phN", k, r);
0381
0382     /* The most significant octet of key corresponds to k[0] */
0383     swap_buf(k, tmp, 16);
0384
0385     err = aes_expandkey(&ctx, tmp, 16);
0386     if (err) {
0387         BT_ERR("cipher setkey failed: %d", err);
0388         return err;
0389     }
0390
0391     /* Most significant octet of plaintextData corresponds to data[0] */
0392     swap_buf(r, data, 16);
0393
0394     aes_encrypt(&ctx, data, data);
0395
0396     /* Most significant octet of encryptedData corresponds to data[0] */
0397     swap_buf(data, r, 16);
0398
0399     SMP_DBG("r %16phN", r);
0400
0401     memzero_explicit(&ctx, sizeof(ctx));
0402     return err;
0403 }
0404
0405 static int smp_c1(const u8 k[16],
0406           const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
0407           const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
0408 {
0409     u8 p1[16], p2[16];
0410     int err;
0411
0412     SMP_DBG("k %16phN r %16phN", k, r);
0413     SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
0414     SMP_DBG("preq %7phN pres %7phN", preq, pres);
0415
0416     memset(p1, 0, 16);
0417
0418     /* p1 = pres || preq || _rat || _iat */
0419     p1[0] = _iat;
0420     p1[1] = _rat;
0421     memcpy(p1 + 2, preq, 7);
0422     memcpy(p1 + 9, pres, 7);
0423
0424     SMP_DBG("p1 %16phN", p1);
0425
0426     /* res = r XOR p1 */
0427     crypto_xor_cpy(res, r, p1, sizeof(p1));
0428
0429     /* res = e(k, res) */
0430     err = smp_e(k, res);
0431     if (err) {
0432         BT_ERR("Encrypt data error");
0433         return err;
0434     }
0435
0436     /* p2 = padding || ia || ra */
0437     memcpy(p2, ra, 6);
0438     memcpy(p2 + 6, ia, 6);
0439     memset(p2 + 12, 0, 4);
0440
0441     SMP_DBG("p2 %16phN", p2);
0442
0443     /* res = res XOR p2 */
0444     crypto_xor(res, p2, sizeof(p2));
0445
0446     /* res = e(k, res) */
0447     err = smp_e(k, res);
0448     if (err)
0449         BT_ERR("Encrypt data error");
0450
0451     return err;
0452 }
0453
0454 static int smp_s1(const u8 k[16],
0455           const u8 r1[16], const u8 r2[16], u8 _r[16])
0456 {
0457     int err;
0458
0459     /* Just least significant octets from r1 and r2 are considered */
0460     memcpy(_r, r2, 8);
0461     memcpy(_r + 8, r1, 8);
0462
0463     err = smp_e(k, _r);
0464     if (err)
0465         BT_ERR("Encrypt data error");
0466
0467     return err;
0468 }
0469
0470 static int smp_ah(const u8 irk[16], const u8 r[3], u8 res[3])
0471 {
0472     u8 _res[16];
0473     int err;
0474
0475     /* r' = padding || r */
0476     memcpy(_res, r, 3);
0477     memset(_res + 3, 0, 13);
0478
0479     err = smp_e(irk, _res);
0480     if (err) {
0481         BT_ERR("Encrypt error");
0482         return err;
0483     }
0484
0485     /* The output of the random address function ah is:
0486      *  ah(k, r) = e(k, r') mod 2^24
0487      * The output of the security function e is then truncated to 24 bits
0488      * by taking the least significant 24 bits of the output of e as the
0489      * result of ah.
0490      */
0491     memcpy(res, _res, 3);
0492
0493     return 0;
0494 }
0495
0496 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
0497              const bdaddr_t *bdaddr)
0498 {
0499     struct l2cap_chan *chan = hdev->smp_data;
0500     u8 hash[3];
0501     int err;
0502
0503     if (!chan || !chan->data)
0504         return false;
0505
0506     bt_dev_dbg(hdev, "RPA %pMR IRK %*phN", bdaddr, 16, irk);
0507
0508     err = smp_ah(irk, &bdaddr->b[3], hash);
0509     if (err)
0510         return false;
0511
0512     return !crypto_memneq(bdaddr->b, hash, 3);
0513 }
0514
0515 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
0516 {
0517     struct l2cap_chan *chan = hdev->smp_data;
0518     int err;
0519
0520     if (!chan || !chan->data)
0521         return -EOPNOTSUPP;
0522
0523     get_random_bytes(&rpa->b[3], 3);
0524
0525     rpa->b[5] &= 0x3f;  /* Clear two most significant bits */
0526     rpa->b[5] |= 0x40;  /* Set second most significant bit */
0527
0528     err = smp_ah(irk, &rpa->b[3], rpa->b);
0529     if (err < 0)
0530         return err;
0531
0532     bt_dev_dbg(hdev, "RPA %pMR", rpa);
0533
0534     return 0;
0535 }
0536
0537 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
0538 {
0539     struct l2cap_chan *chan = hdev->smp_data;
0540     struct smp_dev *smp;
0541     int err;
0542
0543     if (!chan || !chan->data)
0544         return -EOPNOTSUPP;
0545
0546     smp = chan->data;
0547
0548     if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
0549         bt_dev_dbg(hdev, "Using debug keys");
0550         err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk);
0551         if (err)
0552             return err;
0553         memcpy(smp->local_pk, debug_pk, 64);
0554         smp->debug_key = true;
0555     } else {
0556         while (true) {
0557             /* Generate key pair for Secure Connections */
0558             err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk);
0559             if (err)
0560                 return err;
0561
0562             /* This is unlikely, but we need to check that
0563              * we didn't accidentally generate a debug key.
0564              */
0565             if (crypto_memneq(smp->local_pk, debug_pk, 64))
0566                 break;
0567         }
0568         smp->debug_key = false;
0569     }
0570
0571     SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
0572     SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
0573
0574     get_random_bytes(smp->local_rand, 16);
0575
0576     err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
0577              smp->local_rand, 0, hash);
0578     if (err < 0)
0579         return err;
0580
0581     memcpy(rand, smp->local_rand, 16);
0582
0583     smp->local_oob = true;
0584
0585     return 0;
0586 }
0587
0588 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
0589 {
0590     struct l2cap_chan *chan = conn->smp;
0591     struct smp_chan *smp;
0592     struct kvec iv[2];
0593     struct msghdr msg;
0594
0595     if (!chan)
0596         return;
0597
0598     bt_dev_dbg(conn->hcon->hdev, "code 0x%2.2x", code);
0599
0600     iv[0].iov_base = &code;
0601     iv[0].iov_len = 1;
0602
0603     iv[1].iov_base = data;
0604     iv[1].iov_len = len;
0605
0606     memset(&msg, 0, sizeof(msg));
0607
0608     iov_iter_kvec(&msg.msg_iter, WRITE, iv, 2, 1 + len);
0609
0610     l2cap_chan_send(chan, &msg, 1 + len);
0611
0612     if (!chan->data)
0613         return;
0614
0615     smp = chan->data;
0616
0617     cancel_delayed_work_sync(&smp->security_timer);
0618     schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
0619 }
0620
0621 static u8 authreq_to_seclevel(u8 authreq)
0622 {
0623     if (authreq & SMP_AUTH_MITM) {
0624         if (authreq & SMP_AUTH_SC)
0625             return BT_SECURITY_FIPS;
0626         else
0627             return BT_SECURITY_HIGH;
0628     } else {
0629         return BT_SECURITY_MEDIUM;
0630     }
0631 }
0632
0633 static __u8 seclevel_to_authreq(__u8 sec_level)
0634 {
0635     switch (sec_level) {
0636     case BT_SECURITY_FIPS:
0637     case BT_SECURITY_HIGH:
0638         return SMP_AUTH_MITM | SMP_AUTH_BONDING;
0639     case BT_SECURITY_MEDIUM:
0640         return SMP_AUTH_BONDING;
0641     default:
0642         return SMP_AUTH_NONE;
0643     }
0644 }
0645
0646 static void build_pairing_cmd(struct l2cap_conn *conn,
0647                   struct smp_cmd_pairing *req,
0648                   struct smp_cmd_pairing *rsp, __u8 authreq)
0649 {
0650     struct l2cap_chan *chan = conn->smp;
0651     struct smp_chan *smp = chan->data;
0652     struct hci_conn *hcon = conn->hcon;
0653     struct hci_dev *hdev = hcon->hdev;
0654     u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
0655
0656     if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
0657         local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
0658         remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
0659         authreq |= SMP_AUTH_BONDING;
0660     } else {
0661         authreq &= ~SMP_AUTH_BONDING;
0662     }
0663
0664     if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
0665         remote_dist |= SMP_DIST_ID_KEY;
0666
0667     if (hci_dev_test_flag(hdev, HCI_PRIVACY))
0668         local_dist |= SMP_DIST_ID_KEY;
0669
0670     if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
0671         (authreq & SMP_AUTH_SC)) {
0672         struct oob_data *oob_data;
0673         u8 bdaddr_type;
0674
0675         if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
0676             local_dist |= SMP_DIST_LINK_KEY;
0677             remote_dist |= SMP_DIST_LINK_KEY;
0678         }
0679
0680         if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
0681             bdaddr_type = BDADDR_LE_PUBLIC;
0682         else
0683             bdaddr_type = BDADDR_LE_RANDOM;
0684
0685         oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
0686                             bdaddr_type);
0687         if (oob_data && oob_data->present) {
0688             set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
0689             oob_flag = SMP_OOB_PRESENT;
0690             memcpy(smp->rr, oob_data->rand256, 16);
0691             memcpy(smp->pcnf, oob_data->hash256, 16);
0692             SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
0693             SMP_DBG("OOB Remote Random: %16phN", smp->rr);
0694         }
0695
0696     } else {
0697         authreq &= ~SMP_AUTH_SC;
0698     }
0699
0700     if (rsp == NULL) {
0701         req->io_capability = conn->hcon->io_capability;
0702         req->oob_flag = oob_flag;
0703         req->max_key_size = hdev->le_max_key_size;
0704         req->init_key_dist = local_dist;
0705         req->resp_key_dist = remote_dist;
0706         req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
0707
0708         smp->remote_key_dist = remote_dist;
0709         return;
0710     }
0711
0712     rsp->io_capability = conn->hcon->io_capability;
0713     rsp->oob_flag = oob_flag;
0714     rsp->max_key_size = hdev->le_max_key_size;
0715     rsp->init_key_dist = req->init_key_dist & remote_dist;
0716     rsp->resp_key_dist = req->resp_key_dist & local_dist;
0717     rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
0718
0719     smp->remote_key_dist = rsp->init_key_dist;
0720 }
0721
0722 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
0723 {
0724     struct l2cap_chan *chan = conn->smp;
0725     struct hci_dev *hdev = conn->hcon->hdev;
0726     struct smp_chan *smp = chan->data;
0727
0728     if (conn->hcon->pending_sec_level == BT_SECURITY_FIPS &&
0729         max_key_size != SMP_MAX_ENC_KEY_SIZE)
0730         return SMP_ENC_KEY_SIZE;
0731
0732     if (max_key_size > hdev->le_max_key_size ||
0733         max_key_size < SMP_MIN_ENC_KEY_SIZE)
0734         return SMP_ENC_KEY_SIZE;
0735
0736     smp->enc_key_size = max_key_size;
0737
0738     return 0;
0739 }
0740
0741 static void smp_chan_destroy(struct l2cap_conn *conn)
0742 {
0743     struct l2cap_chan *chan = conn->smp;
0744     struct smp_chan *smp = chan->data;
0745     struct hci_conn *hcon = conn->hcon;
0746     bool complete;
0747
0748     BUG_ON(!smp);
0749
0750     cancel_delayed_work_sync(&smp->security_timer);
0751
0752     complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
0753     mgmt_smp_complete(hcon, complete);
0754
0755     kfree_sensitive(smp->csrk);
0756     kfree_sensitive(smp->responder_csrk);
0757     kfree_sensitive(smp->link_key);
0758
0759     crypto_free_shash(smp->tfm_cmac);
0760     crypto_free_kpp(smp->tfm_ecdh);
0761
0762     /* Ensure that we don't leave any debug key around if debug key
0763      * support hasn't been explicitly enabled.
0764      */
0765     if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
0766         !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
0767         list_del_rcu(&smp->ltk->list);
0768         kfree_rcu(smp->ltk, rcu);
0769         smp->ltk = NULL;
0770     }
0771
0772     /* If pairing failed clean up any keys we might have */
0773     if (!complete) {
0774         if (smp->ltk) {
0775             list_del_rcu(&smp->ltk->list);
0776             kfree_rcu(smp->ltk, rcu);
0777         }
0778
0779         if (smp->responder_ltk) {
0780             list_del_rcu(&smp->responder_ltk->list);
0781             kfree_rcu(smp->responder_ltk, rcu);
0782         }
0783
0784         if (smp->remote_irk) {
0785             list_del_rcu(&smp->remote_irk->list);
0786             kfree_rcu(smp->remote_irk, rcu);
0787         }
0788     }
0789
0790     chan->data = NULL;
0791     kfree_sensitive(smp);
0792     hci_conn_drop(hcon);
0793 }
0794
0795 static void smp_failure(struct l2cap_conn *conn, u8 reason)
0796 {
0797     struct hci_conn *hcon = conn->hcon;
0798     struct l2cap_chan *chan = conn->smp;
0799
0800     if (reason)
0801         smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
0802                  &reason);
0803
0804     mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
0805
0806     if (chan->data)
0807         smp_chan_destroy(conn);
0808 }
0809
0810 #define JUST_WORKS  0x00
0811 #define JUST_CFM    0x01
0812 #define REQ_PASSKEY 0x02
0813 #define CFM_PASSKEY 0x03
0814 #define REQ_OOB     0x04
0815 #define DSP_PASSKEY 0x05
0816 #define OVERLAP     0xFF
0817
0818 static const u8 gen_method[5][5] = {
0819     { JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
0820     { JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
0821     { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
0822     { JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
0823     { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
0824 };
0825
0826 static const u8 sc_method[5][5] = {
0827     { JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
0828     { JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
0829     { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
0830     { JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
0831     { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
0832 };
0833
0834 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
0835 {
0836     /* If either side has unknown io_caps, use JUST_CFM (which gets
0837      * converted later to JUST_WORKS if we're initiators.
0838      */
0839     if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
0840         remote_io > SMP_IO_KEYBOARD_DISPLAY)
0841         return JUST_CFM;
0842
0843     if (test_bit(SMP_FLAG_SC, &smp->flags))
0844         return sc_method[remote_io][local_io];
0845
0846     return gen_method[remote_io][local_io];
0847 }
0848
0849 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
0850                         u8 local_io, u8 remote_io)
0851 {
0852     struct hci_conn *hcon = conn->hcon;
0853     struct l2cap_chan *chan = conn->smp;
0854     struct smp_chan *smp = chan->data;
0855     u32 passkey = 0;
0856     int ret;
0857
0858     /* Initialize key for JUST WORKS */
0859     memset(smp->tk, 0, sizeof(smp->tk));
0860     clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
0861
0862     bt_dev_dbg(hcon->hdev, "auth:%u lcl:%u rem:%u", auth, local_io,
0863            remote_io);
0864
0865     /* If neither side wants MITM, either "just" confirm an incoming
0866      * request or use just-works for outgoing ones. The JUST_CFM
0867      * will be converted to JUST_WORKS if necessary later in this
0868      * function. If either side has MITM look up the method from the
0869      * table.
0870      */
0871     if (!(auth & SMP_AUTH_MITM))
0872         smp->method = JUST_CFM;
0873     else
0874         smp->method = get_auth_method(smp, local_io, remote_io);
0875
0876     /* Don't confirm locally initiated pairing attempts */
0877     if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
0878                         &smp->flags))
0879         smp->method = JUST_WORKS;
0880
0881     /* Don't bother user space with no IO capabilities */
0882     if (smp->method == JUST_CFM &&
0883         hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
0884         smp->method = JUST_WORKS;
0885
0886     /* If Just Works, Continue with Zero TK and ask user-space for
0887      * confirmation */
0888     if (smp->method == JUST_WORKS) {
0889         ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
0890                         hcon->type,
0891                         hcon->dst_type,
0892                         passkey, 1);
0893         if (ret)
0894             return ret;
0895         set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
0896         return 0;
0897     }
0898
0899     /* If this function is used for SC -> legacy fallback we
0900      * can only recover the just-works case.
0901      */
0902     if (test_bit(SMP_FLAG_SC, &smp->flags))
0903         return -EINVAL;
0904
0905     /* Not Just Works/Confirm results in MITM Authentication */
0906     if (smp->method != JUST_CFM) {
0907         set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
0908         if (hcon->pending_sec_level < BT_SECURITY_HIGH)
0909             hcon->pending_sec_level = BT_SECURITY_HIGH;
0910     }
0911
0912     /* If both devices have Keyboard-Display I/O, the initiator
0913      * Confirms and the responder Enters the passkey.
0914      */
0915     if (smp->method == OVERLAP) {
0916         if (hcon->role == HCI_ROLE_MASTER)
0917             smp->method = CFM_PASSKEY;
0918         else
0919             smp->method = REQ_PASSKEY;
0920     }
0921
0922     /* Generate random passkey. */
0923     if (smp->method == CFM_PASSKEY) {
0924         memset(smp->tk, 0, sizeof(smp->tk));
0925         get_random_bytes(&passkey, sizeof(passkey));
0926         passkey %= 1000000;
0927         put_unaligned_le32(passkey, smp->tk);
0928         bt_dev_dbg(hcon->hdev, "PassKey: %u", passkey);
0929         set_bit(SMP_FLAG_TK_VALID, &smp->flags);
0930     }
0931
0932     if (smp->method == REQ_PASSKEY)
0933         ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
0934                         hcon->type, hcon->dst_type);
0935     else if (smp->method == JUST_CFM)
0936         ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
0937                         hcon->type, hcon->dst_type,
0938                         passkey, 1);
0939     else
0940         ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
0941                         hcon->type, hcon->dst_type,
0942                         passkey, 0);
0943
0944     return ret;
0945 }
0946
0947 static u8 smp_confirm(struct smp_chan *smp)
0948 {
0949     struct l2cap_conn *conn = smp->conn;
0950     struct smp_cmd_pairing_confirm cp;
0951     int ret;
0952
0953     bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
0954
0955     ret = smp_c1(smp->tk, smp->prnd, smp->preq, smp->prsp,
0956              conn->hcon->init_addr_type, &conn->hcon->init_addr,
0957              conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
0958              cp.confirm_val);
0959     if (ret)
0960         return SMP_UNSPECIFIED;
0961
0962     clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
0963
0964     smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
0965
0966     if (conn->hcon->out)
0967         SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
0968     else
0969         SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
0970
0971     return 0;
0972 }
0973
0974 static u8 smp_random(struct smp_chan *smp)
0975 {
0976     struct l2cap_conn *conn = smp->conn;
0977     struct hci_conn *hcon = conn->hcon;
0978     u8 confirm[16];
0979     int ret;
0980
0981     bt_dev_dbg(conn->hcon->hdev, "conn %p %s", conn,
0982            conn->hcon->out ? "initiator" : "responder");
0983
0984     ret = smp_c1(smp->tk, smp->rrnd, smp->preq, smp->prsp,
0985              hcon->init_addr_type, &hcon->init_addr,
0986              hcon->resp_addr_type, &hcon->resp_addr, confirm);
0987     if (ret)
0988         return SMP_UNSPECIFIED;
0989
0990     if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
0991         bt_dev_err(hcon->hdev, "pairing failed "
0992                "(confirmation values mismatch)");
0993         return SMP_CONFIRM_FAILED;
0994     }
0995
0996     if (hcon->out) {
0997         u8 stk[16];
0998         __le64 rand = 0;
0999         __le16 ediv = 0;
1000
1001         smp_s1(smp->tk, smp->rrnd, smp->prnd, stk);
1002
1003         if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1004             return SMP_UNSPECIFIED;
1005
1006         hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1007         hcon->enc_key_size = smp->enc_key_size;
1008         set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1009     } else {
1010         u8 stk[16], auth;
1011         __le64 rand = 0;
1012         __le16 ediv = 0;
1013
1014         smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1015                  smp->prnd);
1016
1017         smp_s1(smp->tk, smp->prnd, smp->rrnd, stk);
1018
1019         if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1020             auth = 1;
1021         else
1022             auth = 0;
1023
1024         /* Even though there's no _RESPONDER suffix this is the
1025          * responder STK we're adding for later lookup (the initiator
1026          * STK never needs to be stored).
1027          */
1028         hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1029                 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1030     }
1031
1032     return 0;
1033 }
1034
1035 static void smp_notify_keys(struct l2cap_conn *conn)
1036 {
1037     struct l2cap_chan *chan = conn->smp;
1038     struct smp_chan *smp = chan->data;
1039     struct hci_conn *hcon = conn->hcon;
1040     struct hci_dev *hdev = hcon->hdev;
1041     struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1042     struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1043     bool persistent;
1044
1045     if (hcon->type == ACL_LINK) {
1046         if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1047             persistent = false;
1048         else
1049             persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1050                            &hcon->flags);
1051     } else {
1052         /* The LTKs, IRKs and CSRKs should be persistent only if
1053          * both sides had the bonding bit set in their
1054          * authentication requests.
1055          */
1056         persistent = !!((req->auth_req & rsp->auth_req) &
1057                 SMP_AUTH_BONDING);
1058     }
1059
1060     if (smp->remote_irk) {
1061         mgmt_new_irk(hdev, smp->remote_irk, persistent);
1062
1063         /* Now that user space can be considered to know the
1064          * identity address track the connection based on it
1065          * from now on (assuming this is an LE link).
1066          */
1067         if (hcon->type == LE_LINK) {
1068             bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1069             hcon->dst_type = smp->remote_irk->addr_type;
1070             queue_work(hdev->workqueue, &conn->id_addr_update_work);
1071         }
1072     }
1073
1074     if (smp->csrk) {
1075         smp->csrk->bdaddr_type = hcon->dst_type;
1076         bacpy(&smp->csrk->bdaddr, &hcon->dst);
1077         mgmt_new_csrk(hdev, smp->csrk, persistent);
1078     }
1079
1080     if (smp->responder_csrk) {
1081         smp->responder_csrk->bdaddr_type = hcon->dst_type;
1082         bacpy(&smp->responder_csrk->bdaddr, &hcon->dst);
1083         mgmt_new_csrk(hdev, smp->responder_csrk, persistent);
1084     }
1085
1086     if (smp->ltk) {
1087         smp->ltk->bdaddr_type = hcon->dst_type;
1088         bacpy(&smp->ltk->bdaddr, &hcon->dst);
1089         mgmt_new_ltk(hdev, smp->ltk, persistent);
1090     }
1091
1092     if (smp->responder_ltk) {
1093         smp->responder_ltk->bdaddr_type = hcon->dst_type;
1094         bacpy(&smp->responder_ltk->bdaddr, &hcon->dst);
1095         mgmt_new_ltk(hdev, smp->responder_ltk, persistent);
1096     }
1097
1098     if (smp->link_key) {
1099         struct link_key *key;
1100         u8 type;
1101
1102         if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1103             type = HCI_LK_DEBUG_COMBINATION;
1104         else if (hcon->sec_level == BT_SECURITY_FIPS)
1105             type = HCI_LK_AUTH_COMBINATION_P256;
1106         else
1107             type = HCI_LK_UNAUTH_COMBINATION_P256;
1108
1109         key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1110                        smp->link_key, type, 0, &persistent);
1111         if (key) {
1112             mgmt_new_link_key(hdev, key, persistent);
1113
1114             /* Don't keep debug keys around if the relevant
1115              * flag is not set.
1116              */
1117             if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1118                 key->type == HCI_LK_DEBUG_COMBINATION) {
1119                 list_del_rcu(&key->list);
1120                 kfree_rcu(key, rcu);
1121             }
1122         }
1123     }
1124 }
1125
1126 static void sc_add_ltk(struct smp_chan *smp)
1127 {
1128     struct hci_conn *hcon = smp->conn->hcon;
1129     u8 key_type, auth;
1130
1131     if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1132         key_type = SMP_LTK_P256_DEBUG;
1133     else
1134         key_type = SMP_LTK_P256;
1135
1136     if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1137         auth = 1;
1138     else
1139         auth = 0;
1140
1141     smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1142                    key_type, auth, smp->tk, smp->enc_key_size,
1143                    0, 0);
1144 }
1145
1146 static void sc_generate_link_key(struct smp_chan *smp)
1147 {
1148     /* From core spec. Spells out in ASCII as 'lebr'. */
1149     const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1150
1151     smp->link_key = kzalloc(16, GFP_KERNEL);
1152     if (!smp->link_key)
1153         return;
1154
1155     if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1156         /* SALT = 0x000000000000000000000000746D7031 */
1157         const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1158
1159         if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1160             kfree_sensitive(smp->link_key);
1161             smp->link_key = NULL;
1162             return;
1163         }
1164     } else {
1165         /* From core spec. Spells out in ASCII as 'tmp1'. */
1166         const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1167
1168         if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1169             kfree_sensitive(smp->link_key);
1170             smp->link_key = NULL;
1171             return;
1172         }
1173     }
1174
1175     if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1176         kfree_sensitive(smp->link_key);
1177         smp->link_key = NULL;
1178         return;
1179     }
1180 }
1181
1182 static void smp_allow_key_dist(struct smp_chan *smp)
1183 {
1184     /* Allow the first expected phase 3 PDU. The rest of the PDUs
1185      * will be allowed in each PDU handler to ensure we receive
1186      * them in the correct order.
1187      */
1188     if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1189         SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1190     else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1191         SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1192     else if (smp->remote_key_dist & SMP_DIST_SIGN)
1193         SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1194 }
1195
1196 static void sc_generate_ltk(struct smp_chan *smp)
1197 {
1198     /* From core spec. Spells out in ASCII as 'brle'. */
1199     const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1200     struct hci_conn *hcon = smp->conn->hcon;
1201     struct hci_dev *hdev = hcon->hdev;
1202     struct link_key *key;
1203
1204     key = hci_find_link_key(hdev, &hcon->dst);
1205     if (!key) {
1206         bt_dev_err(hdev, "no Link Key found to generate LTK");
1207         return;
1208     }
1209
1210     if (key->type == HCI_LK_DEBUG_COMBINATION)
1211         set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1212
1213     if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1214         /* SALT = 0x000000000000000000000000746D7032 */
1215         const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1216
1217         if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1218             return;
1219     } else {
1220         /* From core spec. Spells out in ASCII as 'tmp2'. */
1221         const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1222
1223         if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1224             return;
1225     }
1226
1227     if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1228         return;
1229
1230     sc_add_ltk(smp);
1231 }
1232
1233 static void smp_distribute_keys(struct smp_chan *smp)
1234 {
1235     struct smp_cmd_pairing *req, *rsp;
1236     struct l2cap_conn *conn = smp->conn;
1237     struct hci_conn *hcon = conn->hcon;
1238     struct hci_dev *hdev = hcon->hdev;
1239     __u8 *keydist;
1240
1241     bt_dev_dbg(hdev, "conn %p", conn);
1242
1243     rsp = (void *) &smp->prsp[1];
1244
1245     /* The responder sends its keys first */
1246     if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1247         smp_allow_key_dist(smp);
1248         return;
1249     }
1250
1251     req = (void *) &smp->preq[1];
1252
1253     if (hcon->out) {
1254         keydist = &rsp->init_key_dist;
1255         *keydist &= req->init_key_dist;
1256     } else {
1257         keydist = &rsp->resp_key_dist;
1258         *keydist &= req->resp_key_dist;
1259     }
1260
1261     if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1262         if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1263             sc_generate_link_key(smp);
1264         if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1265             sc_generate_ltk(smp);
1266
1267         /* Clear the keys which are generated but not distributed */
1268         *keydist &= ~SMP_SC_NO_DIST;
1269     }
1270
1271     bt_dev_dbg(hdev, "keydist 0x%x", *keydist);
1272
1273     if (*keydist & SMP_DIST_ENC_KEY) {
1274         struct smp_cmd_encrypt_info enc;
1275         struct smp_cmd_initiator_ident ident;
1276         struct smp_ltk *ltk;
1277         u8 authenticated;
1278         __le16 ediv;
1279         __le64 rand;
1280
1281         /* Make sure we generate only the significant amount of
1282          * bytes based on the encryption key size, and set the rest
1283          * of the value to zeroes.
1284          */
1285         get_random_bytes(enc.ltk, smp->enc_key_size);
1286         memset(enc.ltk + smp->enc_key_size, 0,
1287                sizeof(enc.ltk) - smp->enc_key_size);
1288
1289         get_random_bytes(&ediv, sizeof(ediv));
1290         get_random_bytes(&rand, sizeof(rand));
1291
1292         smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1293
1294         authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1295         ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1296                   SMP_LTK_RESPONDER, authenticated, enc.ltk,
1297                   smp->enc_key_size, ediv, rand);
1298         smp->responder_ltk = ltk;
1299
1300         ident.ediv = ediv;
1301         ident.rand = rand;
1302
1303         smp_send_cmd(conn, SMP_CMD_INITIATOR_IDENT, sizeof(ident),
1304                  &ident);
1305
1306         *keydist &= ~SMP_DIST_ENC_KEY;
1307     }
1308
1309     if (*keydist & SMP_DIST_ID_KEY) {
1310         struct smp_cmd_ident_addr_info addrinfo;
1311         struct smp_cmd_ident_info idinfo;
1312
1313         memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1314
1315         smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1316
1317         /* The hci_conn contains the local identity address
1318          * after the connection has been established.
1319          *
1320          * This is true even when the connection has been
1321          * established using a resolvable random address.
1322          */
1323         bacpy(&addrinfo.bdaddr, &hcon->src);
1324         addrinfo.addr_type = hcon->src_type;
1325
1326         smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1327                  &addrinfo);
1328
1329         *keydist &= ~SMP_DIST_ID_KEY;
1330     }
1331
1332     if (*keydist & SMP_DIST_SIGN) {
1333         struct smp_cmd_sign_info sign;
1334         struct smp_csrk *csrk;
1335
1336         /* Generate a new random key */
1337         get_random_bytes(sign.csrk, sizeof(sign.csrk));
1338
1339         csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1340         if (csrk) {
1341             if (hcon->sec_level > BT_SECURITY_MEDIUM)
1342                 csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1343             else
1344                 csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1345             memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1346         }
1347         smp->responder_csrk = csrk;
1348
1349         smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1350
1351         *keydist &= ~SMP_DIST_SIGN;
1352     }
1353
1354     /* If there are still keys to be received wait for them */
1355     if (smp->remote_key_dist & KEY_DIST_MASK) {
1356         smp_allow_key_dist(smp);
1357         return;
1358     }
1359
1360     set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1361     smp_notify_keys(conn);
1362
1363     smp_chan_destroy(conn);
1364 }
1365
1366 static void smp_timeout(struct work_struct *work)
1367 {
1368     struct smp_chan *smp = container_of(work, struct smp_chan,
1369                         security_timer.work);
1370     struct l2cap_conn *conn = smp->conn;
1371
1372     bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
1373
1374     hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1375 }
1376
1377 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1378 {
1379     struct hci_conn *hcon = conn->hcon;
1380     struct l2cap_chan *chan = conn->smp;
1381     struct smp_chan *smp;
1382
1383     smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1384     if (!smp)
1385         return NULL;
1386
1387     smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1388     if (IS_ERR(smp->tfm_cmac)) {
1389         bt_dev_err(hcon->hdev, "Unable to create CMAC crypto context");
1390         goto zfree_smp;
1391     }
1392
1393     smp->tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
1394     if (IS_ERR(smp->tfm_ecdh)) {
1395         bt_dev_err(hcon->hdev, "Unable to create ECDH crypto context");
1396         goto free_shash;
1397     }
1398
1399     smp->conn = conn;
1400     chan->data = smp;
1401
1402     SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1403
1404     INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1405
1406     hci_conn_hold(hcon);
1407
1408     return smp;
1409
1410 free_shash:
1411     crypto_free_shash(smp->tfm_cmac);
1412 zfree_smp:
1413     kfree_sensitive(smp);
1414     return NULL;
1415 }
1416
1417 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1418 {
1419     struct hci_conn *hcon = smp->conn->hcon;
1420     u8 *na, *nb, a[7], b[7];
1421
1422     if (hcon->out) {
1423         na   = smp->prnd;
1424         nb   = smp->rrnd;
1425     } else {
1426         na   = smp->rrnd;
1427         nb   = smp->prnd;
1428     }
1429
1430     memcpy(a, &hcon->init_addr, 6);
1431     memcpy(b, &hcon->resp_addr, 6);
1432     a[6] = hcon->init_addr_type;
1433     b[6] = hcon->resp_addr_type;
1434
1435     return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1436 }
1437
1438 static void sc_dhkey_check(struct smp_chan *smp)
1439 {
1440     struct hci_conn *hcon = smp->conn->hcon;
1441     struct smp_cmd_dhkey_check check;
1442     u8 a[7], b[7], *local_addr, *remote_addr;
1443     u8 io_cap[3], r[16];
1444
1445     memcpy(a, &hcon->init_addr, 6);
1446     memcpy(b, &hcon->resp_addr, 6);
1447     a[6] = hcon->init_addr_type;
1448     b[6] = hcon->resp_addr_type;
1449
1450     if (hcon->out) {
1451         local_addr = a;
1452         remote_addr = b;
1453         memcpy(io_cap, &smp->preq[1], 3);
1454     } else {
1455         local_addr = b;
1456         remote_addr = a;
1457         memcpy(io_cap, &smp->prsp[1], 3);
1458     }
1459
1460     memset(r, 0, sizeof(r));
1461
1462     if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1463         put_unaligned_le32(hcon->passkey_notify, r);
1464
1465     if (smp->method == REQ_OOB)
1466         memcpy(r, smp->rr, 16);
1467
1468     smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1469            local_addr, remote_addr, check.e);
1470
1471     smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1472 }
1473
1474 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1475 {
1476     struct l2cap_conn *conn = smp->conn;
1477     struct hci_conn *hcon = conn->hcon;
1478     struct smp_cmd_pairing_confirm cfm;
1479     u8 r;
1480
1481     r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1482     r |= 0x80;
1483
1484     get_random_bytes(smp->prnd, sizeof(smp->prnd));
1485
1486     if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1487            cfm.confirm_val))
1488         return SMP_UNSPECIFIED;
1489
1490     smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1491
1492     return 0;
1493 }
1494
1495 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1496 {
1497     struct l2cap_conn *conn = smp->conn;
1498     struct hci_conn *hcon = conn->hcon;
1499     struct hci_dev *hdev = hcon->hdev;
1500     u8 cfm[16], r;
1501
1502     /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1503     if (smp->passkey_round >= 20)
1504         return 0;
1505
1506     switch (smp_op) {
1507     case SMP_CMD_PAIRING_RANDOM:
1508         r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1509         r |= 0x80;
1510
1511         if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1512                smp->rrnd, r, cfm))
1513             return SMP_UNSPECIFIED;
1514
1515         if (crypto_memneq(smp->pcnf, cfm, 16))
1516             return SMP_CONFIRM_FAILED;
1517
1518         smp->passkey_round++;
1519
1520         if (smp->passkey_round == 20) {
1521             /* Generate MacKey and LTK */
1522             if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1523                 return SMP_UNSPECIFIED;
1524         }
1525
1526         /* The round is only complete when the initiator
1527          * receives pairing random.
1528          */
1529         if (!hcon->out) {
1530             smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1531                      sizeof(smp->prnd), smp->prnd);
1532             if (smp->passkey_round == 20)
1533                 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1534             else
1535                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1536             return 0;
1537         }
1538
1539         /* Start the next round */
1540         if (smp->passkey_round != 20)
1541             return sc_passkey_round(smp, 0);
1542
1543         /* Passkey rounds are complete - start DHKey Check */
1544         sc_dhkey_check(smp);
1545         SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1546
1547         break;
1548
1549     case SMP_CMD_PAIRING_CONFIRM:
1550         if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1551             set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1552             return 0;
1553         }
1554
1555         SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1556
1557         if (hcon->out) {
1558             smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1559                      sizeof(smp->prnd), smp->prnd);
1560             return 0;
1561         }
1562
1563         return sc_passkey_send_confirm(smp);
1564
1565     case SMP_CMD_PUBLIC_KEY:
1566     default:
1567         /* Initiating device starts the round */
1568         if (!hcon->out)
1569             return 0;
1570
1571         bt_dev_dbg(hdev, "Starting passkey round %u",
1572                smp->passkey_round + 1);
1573
1574         SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1575
1576         return sc_passkey_send_confirm(smp);
1577     }
1578
1579     return 0;
1580 }
1581
1582 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1583 {
1584     struct l2cap_conn *conn = smp->conn;
1585     struct hci_conn *hcon = conn->hcon;
1586     u8 smp_op;
1587
1588     clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1589
1590     switch (mgmt_op) {
1591     case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1592         smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1593         return 0;
1594     case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1595         smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1596         return 0;
1597     case MGMT_OP_USER_PASSKEY_REPLY:
1598         hcon->passkey_notify = le32_to_cpu(passkey);
1599         smp->passkey_round = 0;
1600
1601         if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1602             smp_op = SMP_CMD_PAIRING_CONFIRM;
1603         else
1604             smp_op = 0;
1605
1606         if (sc_passkey_round(smp, smp_op))
1607             return -EIO;
1608
1609         return 0;
1610     }
1611
1612     /* Initiator sends DHKey check first */
1613     if (hcon->out) {
1614         sc_dhkey_check(smp);
1615         SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1616     } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1617         sc_dhkey_check(smp);
1618         sc_add_ltk(smp);
1619     }
1620
1621     return 0;
1622 }
1623
1624 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1625 {
1626     struct l2cap_conn *conn = hcon->l2cap_data;
1627     struct l2cap_chan *chan;
1628     struct smp_chan *smp;
1629     u32 value;
1630     int err;
1631
1632     if (!conn)
1633         return -ENOTCONN;
1634
1635     bt_dev_dbg(conn->hcon->hdev, "");
1636
1637     chan = conn->smp;
1638     if (!chan)
1639         return -ENOTCONN;
1640
1641     l2cap_chan_lock(chan);
1642     if (!chan->data) {
1643         err = -ENOTCONN;
1644         goto unlock;
1645     }
1646
1647     smp = chan->data;
1648
1649     if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1650         err = sc_user_reply(smp, mgmt_op, passkey);
1651         goto unlock;
1652     }
1653
1654     switch (mgmt_op) {
1655     case MGMT_OP_USER_PASSKEY_REPLY:
1656         value = le32_to_cpu(passkey);
1657         memset(smp->tk, 0, sizeof(smp->tk));
1658         bt_dev_dbg(conn->hcon->hdev, "PassKey: %u", value);
1659         put_unaligned_le32(value, smp->tk);
1660         fallthrough;
1661     case MGMT_OP_USER_CONFIRM_REPLY:
1662         set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1663         break;
1664     case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1665     case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1666         smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1667         err = 0;
1668         goto unlock;
1669     default:
1670         smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1671         err = -EOPNOTSUPP;
1672         goto unlock;
1673     }
1674
1675     err = 0;
1676
1677     /* If it is our turn to send Pairing Confirm, do so now */
1678     if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1679         u8 rsp = smp_confirm(smp);
1680         if (rsp)
1681             smp_failure(conn, rsp);
1682     }
1683
1684 unlock:
1685     l2cap_chan_unlock(chan);
1686     return err;
1687 }
1688
1689 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1690                     struct smp_cmd_pairing *req,
1691                     struct smp_cmd_pairing *rsp)
1692 {
1693     struct l2cap_conn *conn = smp->conn;
1694     struct hci_dev *hdev = conn->hcon->hdev;
1695     u8 local_dist = 0, remote_dist = 0;
1696
1697     if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1698         local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1699         remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1700     }
1701
1702     if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1703         remote_dist |= SMP_DIST_ID_KEY;
1704
1705     if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1706         local_dist |= SMP_DIST_ID_KEY;
1707
1708     if (!rsp) {
1709         memset(req, 0, sizeof(*req));
1710
1711         req->auth_req        = SMP_AUTH_CT2;
1712         req->init_key_dist   = local_dist;
1713         req->resp_key_dist   = remote_dist;
1714         req->max_key_size    = conn->hcon->enc_key_size;
1715
1716         smp->remote_key_dist = remote_dist;
1717
1718         return;
1719     }
1720
1721     memset(rsp, 0, sizeof(*rsp));
1722
1723     rsp->auth_req        = SMP_AUTH_CT2;
1724     rsp->max_key_size    = conn->hcon->enc_key_size;
1725     rsp->init_key_dist   = req->init_key_dist & remote_dist;
1726     rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1727
1728     smp->remote_key_dist = rsp->init_key_dist;
1729 }
1730
1731 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1732 {
1733     struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1734     struct l2cap_chan *chan = conn->smp;
1735     struct hci_dev *hdev = conn->hcon->hdev;
1736     struct smp_chan *smp;
1737     u8 key_size, auth, sec_level;
1738     int ret;
1739
1740     bt_dev_dbg(hdev, "conn %p", conn);
1741
1742     if (skb->len < sizeof(*req))
1743         return SMP_INVALID_PARAMS;
1744
1745     if (conn->hcon->role != HCI_ROLE_SLAVE)
1746         return SMP_CMD_NOTSUPP;
1747
1748     if (!chan->data)
1749         smp = smp_chan_create(conn);
1750     else
1751         smp = chan->data;
1752
1753     if (!smp)
1754         return SMP_UNSPECIFIED;
1755
1756     /* We didn't start the pairing, so match remote */
1757     auth = req->auth_req & AUTH_REQ_MASK(hdev);
1758
1759     if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1760         (auth & SMP_AUTH_BONDING))
1761         return SMP_PAIRING_NOTSUPP;
1762
1763     if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1764         return SMP_AUTH_REQUIREMENTS;
1765
1766     smp->preq[0] = SMP_CMD_PAIRING_REQ;
1767     memcpy(&smp->preq[1], req, sizeof(*req));
1768     skb_pull(skb, sizeof(*req));
1769
1770     /* If the remote side's OOB flag is set it means it has
1771      * successfully received our local OOB data - therefore set the
1772      * flag to indicate that local OOB is in use.
1773      */
1774     if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1775         set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1776
1777     /* SMP over BR/EDR requires special treatment */
1778     if (conn->hcon->type == ACL_LINK) {
1779         /* We must have a BR/EDR SC link */
1780         if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1781             !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1782             return SMP_CROSS_TRANSP_NOT_ALLOWED;
1783
1784         set_bit(SMP_FLAG_SC, &smp->flags);
1785
1786         build_bredr_pairing_cmd(smp, req, &rsp);
1787
1788         if (req->auth_req & SMP_AUTH_CT2)
1789             set_bit(SMP_FLAG_CT2, &smp->flags);
1790
1791         key_size = min(req->max_key_size, rsp.max_key_size);
1792         if (check_enc_key_size(conn, key_size))
1793             return SMP_ENC_KEY_SIZE;
1794
1795         /* Clear bits which are generated but not distributed */
1796         smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1797
1798         smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1799         memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1800         smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1801
1802         smp_distribute_keys(smp);
1803         return 0;
1804     }
1805
1806     build_pairing_cmd(conn, req, &rsp, auth);
1807
1808     if (rsp.auth_req & SMP_AUTH_SC) {
1809         set_bit(SMP_FLAG_SC, &smp->flags);
1810
1811         if (rsp.auth_req & SMP_AUTH_CT2)
1812             set_bit(SMP_FLAG_CT2, &smp->flags);
1813     }
1814
1815     if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1816         sec_level = BT_SECURITY_MEDIUM;
1817     else
1818         sec_level = authreq_to_seclevel(auth);
1819
1820     if (sec_level > conn->hcon->pending_sec_level)
1821         conn->hcon->pending_sec_level = sec_level;
1822
1823     /* If we need MITM check that it can be achieved */
1824     if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1825         u8 method;
1826
1827         method = get_auth_method(smp, conn->hcon->io_capability,
1828                      req->io_capability);
1829         if (method == JUST_WORKS || method == JUST_CFM)
1830             return SMP_AUTH_REQUIREMENTS;
1831     }
1832
1833     key_size = min(req->max_key_size, rsp.max_key_size);
1834     if (check_enc_key_size(conn, key_size))
1835         return SMP_ENC_KEY_SIZE;
1836
1837     get_random_bytes(smp->prnd, sizeof(smp->prnd));
1838
1839     smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1840     memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1841
1842     smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1843
1844     clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1845
1846     /* Strictly speaking we shouldn't allow Pairing Confirm for the
1847      * SC case, however some implementations incorrectly copy RFU auth
1848      * req bits from our security request, which may create a false
1849      * positive SC enablement.
1850      */
1851     SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1852
1853     if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1854         SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1855         /* Clear bits which are generated but not distributed */
1856         smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1857         /* Wait for Public Key from Initiating Device */
1858         return 0;
1859     }
1860
1861     /* Request setup of TK */
1862     ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1863     if (ret)
1864         return SMP_UNSPECIFIED;
1865
1866     return 0;
1867 }
1868
1869 static u8 sc_send_public_key(struct smp_chan *smp)
1870 {
1871     struct hci_dev *hdev = smp->conn->hcon->hdev;
1872
1873     bt_dev_dbg(hdev, "");
1874
1875     if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1876         struct l2cap_chan *chan = hdev->smp_data;
1877         struct smp_dev *smp_dev;
1878
1879         if (!chan || !chan->data)
1880             return SMP_UNSPECIFIED;
1881
1882         smp_dev = chan->data;
1883
1884         memcpy(smp->local_pk, smp_dev->local_pk, 64);
1885         memcpy(smp->lr, smp_dev->local_rand, 16);
1886
1887         if (smp_dev->debug_key)
1888             set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1889
1890         goto done;
1891     }
1892
1893     if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1894         bt_dev_dbg(hdev, "Using debug keys");
1895         if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
1896             return SMP_UNSPECIFIED;
1897         memcpy(smp->local_pk, debug_pk, 64);
1898         set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1899     } else {
1900         while (true) {
1901             /* Generate key pair for Secure Connections */
1902             if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
1903                 return SMP_UNSPECIFIED;
1904
1905             /* This is unlikely, but we need to check that
1906              * we didn't accidentally generate a debug key.
1907              */
1908             if (crypto_memneq(smp->local_pk, debug_pk, 64))
1909                 break;
1910         }
1911     }
1912
1913 done:
1914     SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1915     SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1916
1917     smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1918
1919     return 0;
1920 }
1921
1922 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1923 {
1924     struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1925     struct l2cap_chan *chan = conn->smp;
1926     struct smp_chan *smp = chan->data;
1927     struct hci_dev *hdev = conn->hcon->hdev;
1928     u8 key_size, auth;
1929     int ret;
1930
1931     bt_dev_dbg(hdev, "conn %p", conn);
1932
1933     if (skb->len < sizeof(*rsp))
1934         return SMP_INVALID_PARAMS;
1935
1936     if (conn->hcon->role != HCI_ROLE_MASTER)
1937         return SMP_CMD_NOTSUPP;
1938
1939     skb_pull(skb, sizeof(*rsp));
1940
1941     req = (void *) &smp->preq[1];
1942
1943     key_size = min(req->max_key_size, rsp->max_key_size);
1944     if (check_enc_key_size(conn, key_size))
1945         return SMP_ENC_KEY_SIZE;
1946
1947     auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1948
1949     if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1950         return SMP_AUTH_REQUIREMENTS;
1951
1952     /* If the remote side's OOB flag is set it means it has
1953      * successfully received our local OOB data - therefore set the
1954      * flag to indicate that local OOB is in use.
1955      */
1956     if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1957         set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1958
1959     smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1960     memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1961
1962     /* Update remote key distribution in case the remote cleared
1963      * some bits that we had enabled in our request.
1964      */
1965     smp->remote_key_dist &= rsp->resp_key_dist;
1966
1967     if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1968         set_bit(SMP_FLAG_CT2, &smp->flags);
1969
1970     /* For BR/EDR this means we're done and can start phase 3 */
1971     if (conn->hcon->type == ACL_LINK) {
1972         /* Clear bits which are generated but not distributed */
1973         smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1974         smp_distribute_keys(smp);
1975         return 0;
1976     }
1977
1978     if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1979         set_bit(SMP_FLAG_SC, &smp->flags);
1980     else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1981         conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1982
1983     /* If we need MITM check that it can be achieved */
1984     if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1985         u8 method;
1986
1987         method = get_auth_method(smp, req->io_capability,
1988                      rsp->io_capability);
1989         if (method == JUST_WORKS || method == JUST_CFM)
1990             return SMP_AUTH_REQUIREMENTS;
1991     }
1992
1993     get_random_bytes(smp->prnd, sizeof(smp->prnd));
1994
1995     /* Update remote key distribution in case the remote cleared
1996      * some bits that we had enabled in our request.
1997      */
1998     smp->remote_key_dist &= rsp->resp_key_dist;
1999
2000     if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2001         /* Clear bits which are generated but not distributed */
2002         smp->remote_key_dist &= ~SMP_SC_NO_DIST;
2003         SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2004         return sc_send_public_key(smp);
2005     }
2006
2007     auth |= req->auth_req;
2008
2009     ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2010     if (ret)
2011         return SMP_UNSPECIFIED;
2012
2013     set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2014
2015     /* Can't compose response until we have been confirmed */
2016     if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2017         return smp_confirm(smp);
2018
2019     return 0;
2020 }
2021
2022 static u8 sc_check_confirm(struct smp_chan *smp)
2023 {
2024     struct l2cap_conn *conn = smp->conn;
2025
2026     bt_dev_dbg(conn->hcon->hdev, "");
2027
2028     if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2029         return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2030
2031     if (conn->hcon->out) {
2032         smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2033                  smp->prnd);
2034         SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2035     }
2036
2037     return 0;
2038 }
2039
2040 /* Work-around for some implementations that incorrectly copy RFU bits
2041  * from our security request and thereby create the impression that
2042  * we're doing SC when in fact the remote doesn't support it.
2043  */
2044 static int fixup_sc_false_positive(struct smp_chan *smp)
2045 {
2046     struct l2cap_conn *conn = smp->conn;
2047     struct hci_conn *hcon = conn->hcon;
2048     struct hci_dev *hdev = hcon->hdev;
2049     struct smp_cmd_pairing *req, *rsp;
2050     u8 auth;
2051
2052     /* The issue is only observed when we're in responder role */
2053     if (hcon->out)
2054         return SMP_UNSPECIFIED;
2055
2056     if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2057         bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
2058         return SMP_UNSPECIFIED;
2059     }
2060
2061     bt_dev_err(hdev, "trying to fall back to legacy SMP");
2062
2063     req = (void *) &smp->preq[1];
2064     rsp = (void *) &smp->prsp[1];
2065
2066     /* Rebuild key dist flags which may have been cleared for SC */
2067     smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2068
2069     auth = req->auth_req & AUTH_REQ_MASK(hdev);
2070
2071     if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2072         bt_dev_err(hdev, "failed to fall back to legacy SMP");
2073         return SMP_UNSPECIFIED;
2074     }
2075
2076     clear_bit(SMP_FLAG_SC, &smp->flags);
2077
2078     return 0;
2079 }
2080
2081 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2082 {
2083     struct l2cap_chan *chan = conn->smp;
2084     struct smp_chan *smp = chan->data;
2085     struct hci_conn *hcon = conn->hcon;
2086     struct hci_dev *hdev = hcon->hdev;
2087
2088     bt_dev_dbg(hdev, "conn %p %s", conn,
2089            hcon->out ? "initiator" : "responder");
2090
2091     if (skb->len < sizeof(smp->pcnf))
2092         return SMP_INVALID_PARAMS;
2093
2094     memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2095     skb_pull(skb, sizeof(smp->pcnf));
2096
2097     if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2098         int ret;
2099
2100         /* Public Key exchange must happen before any other steps */
2101         if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2102             return sc_check_confirm(smp);
2103
2104         bt_dev_err(hdev, "Unexpected SMP Pairing Confirm");
2105
2106         ret = fixup_sc_false_positive(smp);
2107         if (ret)
2108             return ret;
2109     }
2110
2111     if (conn->hcon->out) {
2112         smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2113                  smp->prnd);
2114         SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2115         return 0;
2116     }
2117
2118     if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2119         return smp_confirm(smp);
2120
2121     set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2122
2123     return 0;
2124 }
2125
2126 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2127 {
2128     struct l2cap_chan *chan = conn->smp;
2129     struct smp_chan *smp = chan->data;
2130     struct hci_conn *hcon = conn->hcon;
2131     u8 *pkax, *pkbx, *na, *nb, confirm_hint;
2132     u32 passkey;
2133     int err;
2134
2135     bt_dev_dbg(hcon->hdev, "conn %p", conn);
2136
2137     if (skb->len < sizeof(smp->rrnd))
2138         return SMP_INVALID_PARAMS;
2139
2140     memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2141     skb_pull(skb, sizeof(smp->rrnd));
2142
2143     if (!test_bit(SMP_FLAG_SC, &smp->flags))
2144         return smp_random(smp);
2145
2146     if (hcon->out) {
2147         pkax = smp->local_pk;
2148         pkbx = smp->remote_pk;
2149         na   = smp->prnd;
2150         nb   = smp->rrnd;
2151     } else {
2152         pkax = smp->remote_pk;
2153         pkbx = smp->local_pk;
2154         na   = smp->rrnd;
2155         nb   = smp->prnd;
2156     }
2157
2158     if (smp->method == REQ_OOB) {
2159         if (!hcon->out)
2160             smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2161                      sizeof(smp->prnd), smp->prnd);
2162         SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2163         goto mackey_and_ltk;
2164     }
2165
2166     /* Passkey entry has special treatment */
2167     if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2168         return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2169
2170     if (hcon->out) {
2171         u8 cfm[16];
2172
2173         err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2174                  smp->rrnd, 0, cfm);
2175         if (err)
2176             return SMP_UNSPECIFIED;
2177
2178         if (crypto_memneq(smp->pcnf, cfm, 16))
2179             return SMP_CONFIRM_FAILED;
2180     } else {
2181         smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2182                  smp->prnd);
2183         SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2184
2185         /* Only Just-Works pairing requires extra checks */
2186         if (smp->method != JUST_WORKS)
2187             goto mackey_and_ltk;
2188
2189         /* If there already exists long term key in local host, leave
2190          * the decision to user space since the remote device could
2191          * be legitimate or malicious.
2192          */
2193         if (hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
2194                  hcon->role)) {
2195             /* Set passkey to 0. The value can be any number since
2196              * it'll be ignored anyway.
2197              */
2198             passkey = 0;
2199             confirm_hint = 1;
2200             goto confirm;
2201         }
2202     }
2203
2204 mackey_and_ltk:
2205     /* Generate MacKey and LTK */
2206     err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2207     if (err)
2208         return SMP_UNSPECIFIED;
2209
2210     if (smp->method == REQ_OOB) {
2211         if (hcon->out) {
2212             sc_dhkey_check(smp);
2213             SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2214         }
2215         return 0;
2216     }
2217
2218     err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2219     if (err)
2220         return SMP_UNSPECIFIED;
2221
2222     confirm_hint = 0;
2223
2224 confirm:
2225     if (smp->method == JUST_WORKS)
2226         confirm_hint = 1;
2227
2228     err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2229                     hcon->dst_type, passkey, confirm_hint);
2230     if (err)
2231         return SMP_UNSPECIFIED;
2232
2233     set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2234
2235     return 0;
2236 }
2237
2238 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2239 {
2240     struct smp_ltk *key;
2241     struct hci_conn *hcon = conn->hcon;
2242
2243     key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2244     if (!key)
2245         return false;
2246
2247     if (smp_ltk_sec_level(key) < sec_level)
2248         return false;
2249
2250     if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2251         return true;
2252
2253     hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2254     hcon->enc_key_size = key->enc_size;
2255
2256     /* We never store STKs for initiator role, so clear this flag */
2257     clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2258
2259     return true;
2260 }
2261
2262 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2263                  enum smp_key_pref key_pref)
2264 {
2265     if (sec_level == BT_SECURITY_LOW)
2266         return true;
2267
2268     /* If we're encrypted with an STK but the caller prefers using
2269      * LTK claim insufficient security. This way we allow the
2270      * connection to be re-encrypted with an LTK, even if the LTK
2271      * provides the same level of security. Only exception is if we
2272      * don't have an LTK (e.g. because of key distribution bits).
2273      */
2274     if (key_pref == SMP_USE_LTK &&
2275         test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2276         hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2277         return false;
2278
2279     if (hcon->sec_level >= sec_level)
2280         return true;
2281
2282     return false;
2283 }
2284
2285 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2286 {
2287     struct smp_cmd_security_req *rp = (void *) skb->data;
2288     struct smp_cmd_pairing cp;
2289     struct hci_conn *hcon = conn->hcon;
2290     struct hci_dev *hdev = hcon->hdev;
2291     struct smp_chan *smp;
2292     u8 sec_level, auth;
2293
2294     bt_dev_dbg(hdev, "conn %p", conn);
2295
2296     if (skb->len < sizeof(*rp))
2297         return SMP_INVALID_PARAMS;
2298
2299     if (hcon->role != HCI_ROLE_MASTER)
2300         return SMP_CMD_NOTSUPP;
2301
2302     auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2303
2304     if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2305         return SMP_AUTH_REQUIREMENTS;
2306
2307     if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2308         sec_level = BT_SECURITY_MEDIUM;
2309     else
2310         sec_level = authreq_to_seclevel(auth);
2311
2312     if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2313         /* If link is already encrypted with sufficient security we
2314          * still need refresh encryption as per Core Spec 5.0 Vol 3,
2315          * Part H 2.4.6
2316          */
2317         smp_ltk_encrypt(conn, hcon->sec_level);
2318         return 0;
2319     }
2320
2321     if (sec_level > hcon->pending_sec_level)
2322         hcon->pending_sec_level = sec_level;
2323
2324     if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2325         return 0;
2326
2327     smp = smp_chan_create(conn);
2328     if (!smp)
2329         return SMP_UNSPECIFIED;
2330
2331     if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2332         (auth & SMP_AUTH_BONDING))
2333         return SMP_PAIRING_NOTSUPP;
2334
2335     skb_pull(skb, sizeof(*rp));
2336
2337     memset(&cp, 0, sizeof(cp));
2338     build_pairing_cmd(conn, &cp, NULL, auth);
2339
2340     smp->preq[0] = SMP_CMD_PAIRING_REQ;
2341     memcpy(&smp->preq[1], &cp, sizeof(cp));
2342
2343     smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2344     SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2345
2346     return 0;
2347 }
2348
2349 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2350 {
2351     struct l2cap_conn *conn = hcon->l2cap_data;
2352     struct l2cap_chan *chan;
2353     struct smp_chan *smp;
2354     __u8 authreq;
2355     int ret;
2356
2357     bt_dev_dbg(hcon->hdev, "conn %p hcon %p level 0x%2.2x", conn, hcon,
2358            sec_level);
2359
2360     /* This may be NULL if there's an unexpected disconnection */
2361     if (!conn)
2362         return 1;
2363
2364     if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2365         return 1;
2366
2367     if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2368         return 1;
2369
2370     if (sec_level > hcon->pending_sec_level)
2371         hcon->pending_sec_level = sec_level;
2372
2373     if (hcon->role == HCI_ROLE_MASTER)
2374         if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2375             return 0;
2376
2377     chan = conn->smp;
2378     if (!chan) {
2379         bt_dev_err(hcon->hdev, "security requested but not available");
2380         return 1;
2381     }
2382
2383     l2cap_chan_lock(chan);
2384
2385     /* If SMP is already in progress ignore this request */
2386     if (chan->data) {
2387         ret = 0;
2388         goto unlock;
2389     }
2390
2391     smp = smp_chan_create(conn);
2392     if (!smp) {
2393         ret = 1;
2394         goto unlock;
2395     }
2396
2397     authreq = seclevel_to_authreq(sec_level);
2398
2399     if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2400         authreq |= SMP_AUTH_SC;
2401         if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2402             authreq |= SMP_AUTH_CT2;
2403     }
2404
2405     /* Don't attempt to set MITM if setting is overridden by debugfs
2406      * Needed to pass certification test SM/MAS/PKE/BV-01-C
2407      */
2408     if (!hci_dev_test_flag(hcon->hdev, HCI_FORCE_NO_MITM)) {
2409         /* Require MITM if IO Capability allows or the security level
2410          * requires it.
2411          */
2412         if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2413             hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2414             authreq |= SMP_AUTH_MITM;
2415     }
2416
2417     if (hcon->role == HCI_ROLE_MASTER) {
2418         struct smp_cmd_pairing cp;
2419
2420         build_pairing_cmd(conn, &cp, NULL, authreq);
2421         smp->preq[0] = SMP_CMD_PAIRING_REQ;
2422         memcpy(&smp->preq[1], &cp, sizeof(cp));
2423
2424         smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2425         SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2426     } else {
2427         struct smp_cmd_security_req cp;
2428         cp.auth_req = authreq;
2429         smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2430         SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2431     }
2432
2433     set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2434     ret = 0;
2435
2436 unlock:
2437     l2cap_chan_unlock(chan);
2438     return ret;
2439 }
2440
2441 int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2442                   u8 addr_type)
2443 {
2444     struct hci_conn *hcon;
2445     struct l2cap_conn *conn;
2446     struct l2cap_chan *chan;
2447     struct smp_chan *smp;
2448     int err;
2449
2450     err = hci_remove_ltk(hdev, bdaddr, addr_type);
2451     hci_remove_irk(hdev, bdaddr, addr_type);
2452
2453     hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2454     if (!hcon)
2455         goto done;
2456
2457     conn = hcon->l2cap_data;
2458     if (!conn)
2459         goto done;
2460
2461     chan = conn->smp;
2462     if (!chan)
2463         goto done;
2464
2465     l2cap_chan_lock(chan);
2466
2467     smp = chan->data;
2468     if (smp) {
2469         /* Set keys to NULL to make sure smp_failure() does not try to
2470          * remove and free already invalidated rcu list entries. */
2471         smp->ltk = NULL;
2472         smp->responder_ltk = NULL;
2473         smp->remote_irk = NULL;
2474
2475         if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2476             smp_failure(conn, 0);
2477         else
2478             smp_failure(conn, SMP_UNSPECIFIED);
2479         err = 0;
2480     }
2481
2482     l2cap_chan_unlock(chan);
2483
2484 done:
2485     return err;
2486 }
2487
2488 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2489 {
2490     struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2491     struct l2cap_chan *chan = conn->smp;
2492     struct smp_chan *smp = chan->data;
2493
2494     bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
2495
2496     if (skb->len < sizeof(*rp))
2497         return SMP_INVALID_PARAMS;
2498
2499     /* Pairing is aborted if any blocked keys are distributed */
2500     if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_LTK,
2501                    rp->ltk)) {
2502         bt_dev_warn_ratelimited(conn->hcon->hdev,
2503                     "LTK blocked for %pMR",
2504                     &conn->hcon->dst);
2505         return SMP_INVALID_PARAMS;
2506     }
2507
2508     SMP_ALLOW_CMD(smp, SMP_CMD_INITIATOR_IDENT);
2509
2510     skb_pull(skb, sizeof(*rp));
2511
2512     memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2513
2514     return 0;
2515 }
2516
2517 static int smp_cmd_initiator_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2518 {
2519     struct smp_cmd_initiator_ident *rp = (void *)skb->data;
2520     struct l2cap_chan *chan = conn->smp;
2521     struct smp_chan *smp = chan->data;
2522     struct hci_dev *hdev = conn->hcon->hdev;
2523     struct hci_conn *hcon = conn->hcon;
2524     struct smp_ltk *ltk;
2525     u8 authenticated;
2526
2527     bt_dev_dbg(hdev, "conn %p", conn);
2528
2529     if (skb->len < sizeof(*rp))
2530         return SMP_INVALID_PARAMS;
2531
2532     /* Mark the information as received */
2533     smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2534
2535     if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2536         SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2537     else if (smp->remote_key_dist & SMP_DIST_SIGN)
2538         SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2539
2540     skb_pull(skb, sizeof(*rp));
2541
2542     authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2543     ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2544               authenticated, smp->tk, smp->enc_key_size,
2545               rp->ediv, rp->rand);
2546     smp->ltk = ltk;
2547     if (!(smp->remote_key_dist & KEY_DIST_MASK))
2548         smp_distribute_keys(smp);
2549
2550     return 0;
2551 }
2552
2553 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2554 {
2555     struct smp_cmd_ident_info *info = (void *) skb->data;
2556     struct l2cap_chan *chan = conn->smp;
2557     struct smp_chan *smp = chan->data;
2558
2559     bt_dev_dbg(conn->hcon->hdev, "");
2560
2561     if (skb->len < sizeof(*info))
2562         return SMP_INVALID_PARAMS;
2563
2564     /* Pairing is aborted if any blocked keys are distributed */
2565     if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_IRK,
2566                    info->irk)) {
2567         bt_dev_warn_ratelimited(conn->hcon->hdev,
2568                     "Identity key blocked for %pMR",
2569                     &conn->hcon->dst);
2570         return SMP_INVALID_PARAMS;
2571     }
2572
2573     SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2574
2575     skb_pull(skb, sizeof(*info));
2576
2577     memcpy(smp->irk, info->irk, 16);
2578
2579     return 0;
2580 }
2581
2582 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2583                    struct sk_buff *skb)
2584 {
2585     struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2586     struct l2cap_chan *chan = conn->smp;
2587     struct smp_chan *smp = chan->data;
2588     struct hci_conn *hcon = conn->hcon;
2589     bdaddr_t rpa;
2590
2591     bt_dev_dbg(hcon->hdev, "");
2592
2593     if (skb->len < sizeof(*info))
2594         return SMP_INVALID_PARAMS;
2595
2596     /* Mark the information as received */
2597     smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2598
2599     if (smp->remote_key_dist & SMP_DIST_SIGN)
2600         SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2601
2602     skb_pull(skb, sizeof(*info));
2603
2604     /* Strictly speaking the Core Specification (4.1) allows sending
2605      * an empty address which would force us to rely on just the IRK
2606      * as "identity information". However, since such
2607      * implementations are not known of and in order to not over
2608      * complicate our implementation, simply pretend that we never
2609      * received an IRK for such a device.
2610      *
2611      * The Identity Address must also be a Static Random or Public
2612      * Address, which hci_is_identity_address() checks for.
2613      */
2614     if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2615         !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2616         bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
2617         goto distribute;
2618     }
2619
2620     /* Drop IRK if peer is using identity address during pairing but is
2621      * providing different address as identity information.
2622      *
2623      * Microsoft Surface Precision Mouse is known to have this bug.
2624      */
2625     if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
2626         (bacmp(&info->bdaddr, &hcon->dst) ||
2627          info->addr_type != hcon->dst_type)) {
2628         bt_dev_err(hcon->hdev,
2629                "ignoring IRK with invalid identity address");
2630         goto distribute;
2631     }
2632
2633     bacpy(&smp->id_addr, &info->bdaddr);
2634     smp->id_addr_type = info->addr_type;
2635
2636     if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2637         bacpy(&rpa, &hcon->dst);
2638     else
2639         bacpy(&rpa, BDADDR_ANY);
2640
2641     smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2642                       smp->id_addr_type, smp->irk, &rpa);
2643
2644 distribute:
2645     if (!(smp->remote_key_dist & KEY_DIST_MASK))
2646         smp_distribute_keys(smp);
2647
2648     return 0;
2649 }
2650
2651 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2652 {
2653     struct smp_cmd_sign_info *rp = (void *) skb->data;
2654     struct l2cap_chan *chan = conn->smp;
2655     struct smp_chan *smp = chan->data;
2656     struct smp_csrk *csrk;
2657
2658     bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
2659
2660     if (skb->len < sizeof(*rp))
2661         return SMP_INVALID_PARAMS;
2662
2663     /* Mark the information as received */
2664     smp->remote_key_dist &= ~SMP_DIST_SIGN;
2665
2666     skb_pull(skb, sizeof(*rp));
2667
2668     csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2669     if (csrk) {
2670         if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2671             csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2672         else
2673             csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2674         memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2675     }
2676     smp->csrk = csrk;
2677     smp_distribute_keys(smp);
2678
2679     return 0;
2680 }
2681
2682 static u8 sc_select_method(struct smp_chan *smp)
2683 {
2684     struct l2cap_conn *conn = smp->conn;
2685     struct hci_conn *hcon = conn->hcon;
2686     struct smp_cmd_pairing *local, *remote;
2687     u8 local_mitm, remote_mitm, local_io, remote_io, method;
2688
2689     if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2690         test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2691         return REQ_OOB;
2692
2693     /* The preq/prsp contain the raw Pairing Request/Response PDUs
2694      * which are needed as inputs to some crypto functions. To get
2695      * the "struct smp_cmd_pairing" from them we need to skip the
2696      * first byte which contains the opcode.
2697      */
2698     if (hcon->out) {
2699         local = (void *) &smp->preq[1];
2700         remote = (void *) &smp->prsp[1];
2701     } else {
2702         local = (void *) &smp->prsp[1];
2703         remote = (void *) &smp->preq[1];
2704     }
2705
2706     local_io = local->io_capability;
2707     remote_io = remote->io_capability;
2708
2709     local_mitm = (local->auth_req & SMP_AUTH_MITM);
2710     remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2711
2712     /* If either side wants MITM, look up the method from the table,
2713      * otherwise use JUST WORKS.
2714      */
2715     if (local_mitm || remote_mitm)
2716         method = get_auth_method(smp, local_io, remote_io);
2717     else
2718         method = JUST_WORKS;
2719
2720     /* Don't confirm locally initiated pairing attempts */
2721     if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2722         method = JUST_WORKS;
2723
2724     return method;
2725 }
2726
2727 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2728 {
2729     struct smp_cmd_public_key *key = (void *) skb->data;
2730     struct hci_conn *hcon = conn->hcon;
2731     struct l2cap_chan *chan = conn->smp;
2732     struct smp_chan *smp = chan->data;
2733     struct hci_dev *hdev = hcon->hdev;
2734     struct crypto_kpp *tfm_ecdh;
2735     struct smp_cmd_pairing_confirm cfm;
2736     int err;
2737
2738     bt_dev_dbg(hdev, "conn %p", conn);
2739
2740     if (skb->len < sizeof(*key))
2741         return SMP_INVALID_PARAMS;
2742
2743     /* Check if remote and local public keys are the same and debug key is
2744      * not in use.
2745      */
2746     if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) &&
2747         !crypto_memneq(key, smp->local_pk, 64)) {
2748         bt_dev_err(hdev, "Remote and local public keys are identical");
2749         return SMP_UNSPECIFIED;
2750     }
2751
2752     memcpy(smp->remote_pk, key, 64);
2753
2754     if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2755         err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2756                  smp->rr, 0, cfm.confirm_val);
2757         if (err)
2758             return SMP_UNSPECIFIED;
2759
2760         if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2761             return SMP_CONFIRM_FAILED;
2762     }
2763
2764     /* Non-initiating device sends its public key after receiving
2765      * the key from the initiating device.
2766      */
2767     if (!hcon->out) {
2768         err = sc_send_public_key(smp);
2769         if (err)
2770             return err;
2771     }
2772
2773     SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2774     SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2775
2776     /* Compute the shared secret on the same crypto tfm on which the private
2777      * key was set/generated.
2778      */
2779     if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
2780         struct l2cap_chan *hchan = hdev->smp_data;
2781         struct smp_dev *smp_dev;
2782
2783         if (!hchan || !hchan->data)
2784             return SMP_UNSPECIFIED;
2785
2786         smp_dev = hchan->data;
2787
2788         tfm_ecdh = smp_dev->tfm_ecdh;
2789     } else {
2790         tfm_ecdh = smp->tfm_ecdh;
2791     }
2792
2793     if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
2794         return SMP_UNSPECIFIED;
2795
2796     SMP_DBG("DHKey %32phN", smp->dhkey);
2797
2798     set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2799
2800     smp->method = sc_select_method(smp);
2801
2802     bt_dev_dbg(hdev, "selected method 0x%02x", smp->method);
2803
2804     /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2805     if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2806         hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2807     else
2808         hcon->pending_sec_level = BT_SECURITY_FIPS;
2809
2810     if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2811         set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2812
2813     if (smp->method == DSP_PASSKEY) {
2814         get_random_bytes(&hcon->passkey_notify,
2815                  sizeof(hcon->passkey_notify));
2816         hcon->passkey_notify %= 1000000;
2817         hcon->passkey_entered = 0;
2818         smp->passkey_round = 0;
2819         if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2820                          hcon->dst_type,
2821                          hcon->passkey_notify,
2822                          hcon->passkey_entered))
2823             return SMP_UNSPECIFIED;
2824         SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2825         return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2826     }
2827
2828     if (smp->method == REQ_OOB) {
2829         if (hcon->out)
2830             smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2831                      sizeof(smp->prnd), smp->prnd);
2832
2833         SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2834
2835         return 0;
2836     }
2837
2838     if (hcon->out)
2839         SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2840
2841     if (smp->method == REQ_PASSKEY) {
2842         if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2843                           hcon->dst_type))
2844             return SMP_UNSPECIFIED;
2845         SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2846         set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2847         return 0;
2848     }
2849
2850     /* The Initiating device waits for the non-initiating device to
2851      * send the confirm value.
2852      */
2853     if (conn->hcon->out)
2854         return 0;
2855
2856     err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2857              0, cfm.confirm_val);
2858     if (err)
2859         return SMP_UNSPECIFIED;
2860
2861     smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2862     SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2863
2864     return 0;
2865 }
2866
2867 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2868 {
2869     struct smp_cmd_dhkey_check *check = (void *) skb->data;
2870     struct l2cap_chan *chan = conn->smp;
2871     struct hci_conn *hcon = conn->hcon;
2872     struct smp_chan *smp = chan->data;
2873     u8 a[7], b[7], *local_addr, *remote_addr;
2874     u8 io_cap[3], r[16], e[16];
2875     int err;
2876
2877     bt_dev_dbg(hcon->hdev, "conn %p", conn);
2878
2879     if (skb->len < sizeof(*check))
2880         return SMP_INVALID_PARAMS;
2881
2882     memcpy(a, &hcon->init_addr, 6);
2883     memcpy(b, &hcon->resp_addr, 6);
2884     a[6] = hcon->init_addr_type;
2885     b[6] = hcon->resp_addr_type;
2886
2887     if (hcon->out) {
2888         local_addr = a;
2889         remote_addr = b;
2890         memcpy(io_cap, &smp->prsp[1], 3);
2891     } else {
2892         local_addr = b;
2893         remote_addr = a;
2894         memcpy(io_cap, &smp->preq[1], 3);
2895     }
2896
2897     memset(r, 0, sizeof(r));
2898
2899     if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2900         put_unaligned_le32(hcon->passkey_notify, r);
2901     else if (smp->method == REQ_OOB)
2902         memcpy(r, smp->lr, 16);
2903
2904     err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2905              io_cap, remote_addr, local_addr, e);
2906     if (err)
2907         return SMP_UNSPECIFIED;
2908
2909     if (crypto_memneq(check->e, e, 16))
2910         return SMP_DHKEY_CHECK_FAILED;
2911
2912     if (!hcon->out) {
2913         if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2914             set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2915             return 0;
2916         }
2917
2918         /* Responder sends DHKey check as response to initiator */
2919         sc_dhkey_check(smp);
2920     }
2921
2922     sc_add_ltk(smp);
2923
2924     if (hcon->out) {
2925         hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2926         hcon->enc_key_size = smp->enc_key_size;
2927     }
2928
2929     return 0;
2930 }
2931
2932 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2933                    struct sk_buff *skb)
2934 {
2935     struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2936
2937     bt_dev_dbg(conn->hcon->hdev, "value 0x%02x", kp->value);
2938
2939     return 0;
2940 }
2941
2942 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2943 {
2944     struct l2cap_conn *conn = chan->conn;
2945     struct hci_conn *hcon = conn->hcon;
2946     struct smp_chan *smp;
2947     __u8 code, reason;
2948     int err = 0;
2949
2950     if (skb->len < 1)
2951         return -EILSEQ;
2952
2953     if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2954         reason = SMP_PAIRING_NOTSUPP;
2955         goto done;
2956     }
2957
2958     code = skb->data[0];
2959     skb_pull(skb, sizeof(code));
2960
2961     smp = chan->data;
2962
2963     if (code > SMP_CMD_MAX)
2964         goto drop;
2965
2966     if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2967         goto drop;
2968
2969     /* If we don't have a context the only allowed commands are
2970      * pairing request and security request.
2971      */
2972     if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2973         goto drop;
2974
2975     switch (code) {
2976     case SMP_CMD_PAIRING_REQ:
2977         reason = smp_cmd_pairing_req(conn, skb);
2978         break;
2979
2980     case SMP_CMD_PAIRING_FAIL:
2981         smp_failure(conn, 0);
2982         err = -EPERM;
2983         break;
2984
2985     case SMP_CMD_PAIRING_RSP:
2986         reason = smp_cmd_pairing_rsp(conn, skb);
2987         break;
2988
2989     case SMP_CMD_SECURITY_REQ:
2990         reason = smp_cmd_security_req(conn, skb);
2991         break;
2992
2993     case SMP_CMD_PAIRING_CONFIRM:
2994         reason = smp_cmd_pairing_confirm(conn, skb);
2995         break;
2996
2997     case SMP_CMD_PAIRING_RANDOM:
2998         reason = smp_cmd_pairing_random(conn, skb);
2999         break;
3000
3001     case SMP_CMD_ENCRYPT_INFO:
3002         reason = smp_cmd_encrypt_info(conn, skb);
3003         break;
3004
3005     case SMP_CMD_INITIATOR_IDENT:
3006         reason = smp_cmd_initiator_ident(conn, skb);
3007         break;
3008
3009     case SMP_CMD_IDENT_INFO:
3010         reason = smp_cmd_ident_info(conn, skb);
3011         break;
3012
3013     case SMP_CMD_IDENT_ADDR_INFO:
3014         reason = smp_cmd_ident_addr_info(conn, skb);
3015         break;
3016
3017     case SMP_CMD_SIGN_INFO:
3018         reason = smp_cmd_sign_info(conn, skb);
3019         break;
3020
3021     case SMP_CMD_PUBLIC_KEY:
3022         reason = smp_cmd_public_key(conn, skb);
3023         break;
3024
3025     case SMP_CMD_DHKEY_CHECK:
3026         reason = smp_cmd_dhkey_check(conn, skb);
3027         break;
3028
3029     case SMP_CMD_KEYPRESS_NOTIFY:
3030         reason = smp_cmd_keypress_notify(conn, skb);
3031         break;
3032
3033     default:
3034         bt_dev_dbg(hcon->hdev, "Unknown command code 0x%2.2x", code);
3035         reason = SMP_CMD_NOTSUPP;
3036         goto done;
3037     }
3038
3039 done:
3040     if (!err) {
3041         if (reason)
3042             smp_failure(conn, reason);
3043         kfree_skb(skb);
3044     }
3045
3046     return err;
3047
3048 drop:
3049     bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
3050            code, &hcon->dst);
3051     kfree_skb(skb);
3052     return 0;
3053 }
3054
3055 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
3056 {
3057     struct l2cap_conn *conn = chan->conn;
3058
3059     bt_dev_dbg(conn->hcon->hdev, "chan %p", chan);
3060
3061     if (chan->data)
3062         smp_chan_destroy(conn);
3063
3064     conn->smp = NULL;
3065     l2cap_chan_put(chan);
3066 }
3067
3068 static void bredr_pairing(struct l2cap_chan *chan)
3069 {
3070     struct l2cap_conn *conn = chan->conn;
3071     struct hci_conn *hcon = conn->hcon;
3072     struct hci_dev *hdev = hcon->hdev;
3073     struct smp_cmd_pairing req;
3074     struct smp_chan *smp;
3075
3076     bt_dev_dbg(hdev, "chan %p", chan);
3077
3078     /* Only new pairings are interesting */
3079     if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
3080         return;
3081
3082     /* Don't bother if we're not encrypted */
3083     if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3084         return;
3085
3086     /* Only initiator may initiate SMP over BR/EDR */
3087     if (hcon->role != HCI_ROLE_MASTER)
3088         return;
3089
3090     /* Secure Connections support must be enabled */
3091     if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
3092         return;
3093
3094     /* BR/EDR must use Secure Connections for SMP */
3095     if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
3096         !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3097         return;
3098
3099     /* If our LE support is not enabled don't do anything */
3100     if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3101         return;
3102
3103     /* Don't bother if remote LE support is not enabled */
3104     if (!lmp_host_le_capable(hcon))
3105         return;
3106
3107     /* Remote must support SMP fixed chan for BR/EDR */
3108     if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3109         return;
3110
3111     /* Don't bother if SMP is already ongoing */
3112     if (chan->data)
3113         return;
3114
3115     smp = smp_chan_create(conn);
3116     if (!smp) {
3117         bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
3118         return;
3119     }
3120
3121     set_bit(SMP_FLAG_SC, &smp->flags);
3122
3123     bt_dev_dbg(hdev, "starting SMP over BR/EDR");
3124
3125     /* Prepare and send the BR/EDR SMP Pairing Request */
3126     build_bredr_pairing_cmd(smp, &req, NULL);
3127
3128     smp->preq[0] = SMP_CMD_PAIRING_REQ;
3129     memcpy(&smp->preq[1], &req, sizeof(req));
3130
3131     smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3132     SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3133 }
3134
3135 static void smp_resume_cb(struct l2cap_chan *chan)
3136 {
3137     struct smp_chan *smp = chan->data;
3138     struct l2cap_conn *conn = chan->conn;
3139     struct hci_conn *hcon = conn->hcon;
3140
3141     bt_dev_dbg(hcon->hdev, "chan %p", chan);
3142
3143     if (hcon->type == ACL_LINK) {
3144         bredr_pairing(chan);
3145         return;
3146     }
3147
3148     if (!smp)
3149         return;
3150
3151     if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3152         return;
3153
3154     cancel_delayed_work(&smp->security_timer);
3155
3156     smp_distribute_keys(smp);
3157 }
3158
3159 static void smp_ready_cb(struct l2cap_chan *chan)
3160 {
3161     struct l2cap_conn *conn = chan->conn;
3162     struct hci_conn *hcon = conn->hcon;
3163
3164     bt_dev_dbg(hcon->hdev, "chan %p", chan);
3165
3166     /* No need to call l2cap_chan_hold() here since we already own
3167      * the reference taken in smp_new_conn_cb(). This is just the
3168      * first time that we tie it to a specific pointer. The code in
3169      * l2cap_core.c ensures that there's no risk this function wont
3170      * get called if smp_new_conn_cb was previously called.
3171      */
3172     conn->smp = chan;
3173
3174     if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3175         bredr_pairing(chan);
3176 }
3177
3178 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3179 {
3180     int err;
3181
3182     bt_dev_dbg(chan->conn->hcon->hdev, "chan %p", chan);
3183
3184     err = smp_sig_channel(chan, skb);
3185     if (err) {
3186         struct smp_chan *smp = chan->data;
3187
3188         if (smp)
3189             cancel_delayed_work_sync(&smp->security_timer);
3190
3191         hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3192     }
3193
3194     return err;
3195 }
3196
3197 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3198                     unsigned long hdr_len,
3199                     unsigned long len, int nb)
3200 {
3201     struct sk_buff *skb;
3202
3203     skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3204     if (!skb)
3205         return ERR_PTR(-ENOMEM);
3206
3207     skb->priority = HCI_PRIO_MAX;
3208     bt_cb(skb)->l2cap.chan = chan;
3209
3210     return skb;
3211 }
3212
3213 static const struct l2cap_ops smp_chan_ops = {
3214     .name           = "Security Manager",
3215     .ready          = smp_ready_cb,
3216     .recv           = smp_recv_cb,
3217     .alloc_skb      = smp_alloc_skb_cb,
3218     .teardown       = smp_teardown_cb,
3219     .resume         = smp_resume_cb,
3220
3221     .new_connection     = l2cap_chan_no_new_connection,
3222     .state_change       = l2cap_chan_no_state_change,
3223     .close          = l2cap_chan_no_close,
3224     .defer          = l2cap_chan_no_defer,
3225     .suspend        = l2cap_chan_no_suspend,
3226     .set_shutdown       = l2cap_chan_no_set_shutdown,
3227     .get_sndtimeo       = l2cap_chan_no_get_sndtimeo,
3228 };
3229
3230 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3231 {
3232     struct l2cap_chan *chan;
3233
3234     BT_DBG("pchan %p", pchan);
3235
3236     chan = l2cap_chan_create();
3237     if (!chan)
3238         return NULL;
3239
3240     chan->chan_type = pchan->chan_type;
3241     chan->ops   = &smp_chan_ops;
3242     chan->scid  = pchan->scid;
3243     chan->dcid  = chan->scid;
3244     chan->imtu  = pchan->imtu;
3245     chan->omtu  = pchan->omtu;
3246     chan->mode  = pchan->mode;
3247
3248     /* Other L2CAP channels may request SMP routines in order to
3249      * change the security level. This means that the SMP channel
3250      * lock must be considered in its own category to avoid lockdep
3251      * warnings.
3252      */
3253     atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3254
3255     BT_DBG("created chan %p", chan);
3256
3257     return chan;
3258 }
3259
3260 static const struct l2cap_ops smp_root_chan_ops = {
3261     .name           = "Security Manager Root",
3262     .new_connection     = smp_new_conn_cb,
3263
3264     /* None of these are implemented for the root channel */
3265     .close          = l2cap_chan_no_close,
3266     .alloc_skb      = l2cap_chan_no_alloc_skb,
3267     .recv           = l2cap_chan_no_recv,
3268     .state_change       = l2cap_chan_no_state_change,
3269     .teardown       = l2cap_chan_no_teardown,
3270     .ready          = l2cap_chan_no_ready,
3271     .defer          = l2cap_chan_no_defer,
3272     .suspend        = l2cap_chan_no_suspend,
3273     .resume         = l2cap_chan_no_resume,
3274     .set_shutdown       = l2cap_chan_no_set_shutdown,
3275     .get_sndtimeo       = l2cap_chan_no_get_sndtimeo,
3276 };
3277
3278 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3279 {
3280     struct l2cap_chan *chan;
3281     struct smp_dev *smp;
3282     struct crypto_shash *tfm_cmac;
3283     struct crypto_kpp *tfm_ecdh;
3284
3285     if (cid == L2CAP_CID_SMP_BREDR) {
3286         smp = NULL;
3287         goto create_chan;
3288     }
3289
3290     smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3291     if (!smp)
3292         return ERR_PTR(-ENOMEM);
3293
3294     tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3295     if (IS_ERR(tfm_cmac)) {
3296         bt_dev_err(hdev, "Unable to create CMAC crypto context");
3297         kfree_sensitive(smp);
3298         return ERR_CAST(tfm_cmac);
3299     }
3300
3301     tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
3302     if (IS_ERR(tfm_ecdh)) {
3303         bt_dev_err(hdev, "Unable to create ECDH crypto context");
3304         crypto_free_shash(tfm_cmac);
3305         kfree_sensitive(smp);
3306         return ERR_CAST(tfm_ecdh);
3307     }
3308
3309     smp->local_oob = false;
3310     smp->tfm_cmac = tfm_cmac;
3311     smp->tfm_ecdh = tfm_ecdh;
3312
3313 create_chan:
3314     chan = l2cap_chan_create();
3315     if (!chan) {
3316         if (smp) {
3317             crypto_free_shash(smp->tfm_cmac);
3318             crypto_free_kpp(smp->tfm_ecdh);
3319             kfree_sensitive(smp);
3320         }
3321         return ERR_PTR(-ENOMEM);
3322     }
3323
3324     chan->data = smp;
3325
3326     l2cap_add_scid(chan, cid);
3327
3328     l2cap_chan_set_defaults(chan);
3329
3330     if (cid == L2CAP_CID_SMP) {
3331         u8 bdaddr_type;
3332
3333         hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3334
3335         if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3336             chan->src_type = BDADDR_LE_PUBLIC;
3337         else
3338             chan->src_type = BDADDR_LE_RANDOM;
3339     } else {
3340         bacpy(&chan->src, &hdev->bdaddr);
3341         chan->src_type = BDADDR_BREDR;
3342     }
3343
3344     chan->state = BT_LISTEN;
3345     chan->mode = L2CAP_MODE_BASIC;
3346     chan->imtu = L2CAP_DEFAULT_MTU;
3347     chan->ops = &smp_root_chan_ops;
3348
3349     /* Set correct nesting level for a parent/listening channel */
3350     atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3351
3352     return chan;
3353 }
3354
3355 static void smp_del_chan(struct l2cap_chan *chan)
3356 {
3357     struct smp_dev *smp;
3358
3359     BT_DBG("chan %p", chan);
3360
3361     smp = chan->data;
3362     if (smp) {
3363         chan->data = NULL;
3364         crypto_free_shash(smp->tfm_cmac);
3365         crypto_free_kpp(smp->tfm_ecdh);
3366         kfree_sensitive(smp);
3367     }
3368
3369     l2cap_chan_put(chan);
3370 }
3371
3372 int smp_force_bredr(struct hci_dev *hdev, bool enable)
3373 {
3374     if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3375         return -EALREADY;
3376
3377     if (enable) {
3378         struct l2cap_chan *chan;
3379
3380         chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3381         if (IS_ERR(chan))
3382             return PTR_ERR(chan);
3383
3384         hdev->smp_bredr_data = chan;
3385     } else {
3386         struct l2cap_chan *chan;
3387
3388         chan = hdev->smp_bredr_data;
3389         hdev->smp_bredr_data = NULL;
3390         smp_del_chan(chan);
3391     }
3392
3393     hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3394
3395     return 0;
3396 }
3397
3398 int smp_register(struct hci_dev *hdev)
3399 {
3400     struct l2cap_chan *chan;
3401
3402     bt_dev_dbg(hdev, "");
3403
3404     /* If the controller does not support Low Energy operation, then
3405      * there is also no need to register any SMP channel.
3406      */
3407     if (!lmp_le_capable(hdev))
3408         return 0;
3409
3410     if (WARN_ON(hdev->smp_data)) {
3411         chan = hdev->smp_data;
3412         hdev->smp_data = NULL;
3413         smp_del_chan(chan);
3414     }
3415
3416     chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3417     if (IS_ERR(chan))
3418         return PTR_ERR(chan);
3419
3420     hdev->smp_data = chan;
3421
3422     if (!lmp_sc_capable(hdev)) {
3423         /* Flag can be already set here (due to power toggle) */
3424         if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3425             return 0;
3426     }
3427
3428     if (WARN_ON(hdev->smp_bredr_data)) {
3429         chan = hdev->smp_bredr_data;
3430         hdev->smp_bredr_data = NULL;
3431         smp_del_chan(chan);
3432     }
3433
3434     chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3435     if (IS_ERR(chan)) {
3436         int err = PTR_ERR(chan);
3437         chan = hdev->smp_data;
3438         hdev->smp_data = NULL;
3439         smp_del_chan(chan);
3440         return err;
3441     }
3442
3443     hdev->smp_bredr_data = chan;
3444
3445     return 0;
3446 }
3447
3448 void smp_unregister(struct hci_dev *hdev)
3449 {
3450     struct l2cap_chan *chan;
3451
3452     if (hdev->smp_bredr_data) {
3453         chan = hdev->smp_bredr_data;
3454         hdev->smp_bredr_data = NULL;
3455         smp_del_chan(chan);
3456     }
3457
3458     if (hdev->smp_data) {
3459         chan = hdev->smp_data;
3460         hdev->smp_data = NULL;
3461         smp_del_chan(chan);
3462     }
3463 }
3464
3465 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3466
3467 static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
3468 {
3469     u8 pk[64];
3470     int err;
3471
3472     err = set_ecdh_privkey(tfm_ecdh, debug_sk);
3473     if (err)
3474         return err;
3475
3476     err = generate_ecdh_public_key(tfm_ecdh, pk);
3477     if (err)
3478         return err;
3479
3480     if (crypto_memneq(pk, debug_pk, 64))
3481         return -EINVAL;
3482
3483     return 0;
3484 }
3485
3486 static int __init test_ah(void)
3487 {
3488     const u8 irk[16] = {
3489             0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3490             0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3491     const u8 r[3] = { 0x94, 0x81, 0x70 };
3492     const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3493     u8 res[3];
3494     int err;
3495
3496     err = smp_ah(irk, r, res);
3497     if (err)
3498         return err;
3499
3500     if (crypto_memneq(res, exp, 3))
3501         return -EINVAL;
3502
3503     return 0;
3504 }
3505
3506 static int __init test_c1(void)
3507 {
3508     const u8 k[16] = {
3509             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3510             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3511     const u8 r[16] = {
3512             0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3513             0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3514     const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3515     const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3516     const u8 _iat = 0x01;
3517     const u8 _rat = 0x00;
3518     const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3519     const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3520     const u8 exp[16] = {
3521             0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3522             0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3523     u8 res[16];
3524     int err;
3525
3526     err = smp_c1(k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3527     if (err)
3528         return err;
3529
3530     if (crypto_memneq(res, exp, 16))
3531         return -EINVAL;
3532
3533     return 0;
3534 }
3535
3536 static int __init test_s1(void)
3537 {
3538     const u8 k[16] = {
3539             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3540             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3541     const u8 r1[16] = {
3542             0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3543     const u8 r2[16] = {
3544             0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3545     const u8 exp[16] = {
3546             0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3547             0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3548     u8 res[16];
3549     int err;
3550
3551     err = smp_s1(k, r1, r2, res);
3552     if (err)
3553         return err;
3554
3555     if (crypto_memneq(res, exp, 16))
3556         return -EINVAL;
3557
3558     return 0;
3559 }
3560
3561 static int __init test_f4(struct crypto_shash *tfm_cmac)
3562 {
3563     const u8 u[32] = {
3564             0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3565             0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3566             0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3567             0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3568     const u8 v[32] = {
3569             0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3570             0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3571             0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3572             0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3573     const u8 x[16] = {
3574             0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3575             0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3576     const u8 z = 0x00;
3577     const u8 exp[16] = {
3578             0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3579             0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3580     u8 res[16];
3581     int err;
3582
3583     err = smp_f4(tfm_cmac, u, v, x, z, res);
3584     if (err)
3585         return err;
3586
3587     if (crypto_memneq(res, exp, 16))
3588         return -EINVAL;
3589
3590     return 0;
3591 }
3592
3593 static int __init test_f5(struct crypto_shash *tfm_cmac)
3594 {
3595     const u8 w[32] = {
3596             0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3597             0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3598             0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3599             0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3600     const u8 n1[16] = {
3601             0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3602             0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3603     const u8 n2[16] = {
3604             0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3605             0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3606     const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3607     const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3608     const u8 exp_ltk[16] = {
3609             0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3610             0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3611     const u8 exp_mackey[16] = {
3612             0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3613             0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3614     u8 mackey[16], ltk[16];
3615     int err;
3616
3617     err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3618     if (err)
3619         return err;
3620
3621     if (crypto_memneq(mackey, exp_mackey, 16))
3622         return -EINVAL;
3623
3624     if (crypto_memneq(ltk, exp_ltk, 16))
3625         return -EINVAL;
3626
3627     return 0;
3628 }
3629
3630 static int __init test_f6(struct crypto_shash *tfm_cmac)
3631 {
3632     const u8 w[16] = {
3633             0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3634             0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3635     const u8 n1[16] = {
3636             0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3637             0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3638     const u8 n2[16] = {
3639             0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3640             0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3641     const u8 r[16] = {
3642             0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3643             0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3644     const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3645     const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3646     const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3647     const u8 exp[16] = {
3648             0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3649             0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3650     u8 res[16];
3651     int err;
3652
3653     err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3654     if (err)
3655         return err;
3656
3657     if (crypto_memneq(res, exp, 16))
3658         return -EINVAL;
3659
3660     return 0;
3661 }
3662
3663 static int __init test_g2(struct crypto_shash *tfm_cmac)
3664 {
3665     const u8 u[32] = {
3666             0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3667             0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3668             0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3669             0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3670     const u8 v[32] = {
3671             0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3672             0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3673             0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3674             0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3675     const u8 x[16] = {
3676             0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3677             0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3678     const u8 y[16] = {
3679             0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3680             0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3681     const u32 exp_val = 0x2f9ed5ba % 1000000;
3682     u32 val;
3683     int err;
3684
3685     err = smp_g2(tfm_cmac, u, v, x, y, &val);
3686     if (err)
3687         return err;
3688
3689     if (val != exp_val)
3690         return -EINVAL;
3691
3692     return 0;
3693 }
3694
3695 static int __init test_h6(struct crypto_shash *tfm_cmac)
3696 {
3697     const u8 w[16] = {
3698             0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3699             0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3700     const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3701     const u8 exp[16] = {
3702             0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3703             0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3704     u8 res[16];
3705     int err;
3706
3707     err = smp_h6(tfm_cmac, w, key_id, res);
3708     if (err)
3709         return err;
3710
3711     if (crypto_memneq(res, exp, 16))
3712         return -EINVAL;
3713
3714     return 0;
3715 }
3716
3717 static char test_smp_buffer[32];
3718
3719 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3720                  size_t count, loff_t *ppos)
3721 {
3722     return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3723                        strlen(test_smp_buffer));
3724 }
3725
3726 static const struct file_operations test_smp_fops = {
3727     .open       = simple_open,
3728     .read       = test_smp_read,
3729     .llseek     = default_llseek,
3730 };
3731
3732 static int __init run_selftests(struct crypto_shash *tfm_cmac,
3733                 struct crypto_kpp *tfm_ecdh)
3734 {
3735     ktime_t calltime, delta, rettime;
3736     unsigned long long duration;
3737     int err;
3738
3739     calltime = ktime_get();
3740
3741     err = test_debug_key(tfm_ecdh);
3742     if (err) {
3743         BT_ERR("debug_key test failed");
3744         goto done;
3745     }
3746
3747     err = test_ah();
3748     if (err) {
3749         BT_ERR("smp_ah test failed");
3750         goto done;
3751     }
3752
3753     err = test_c1();
3754     if (err) {
3755         BT_ERR("smp_c1 test failed");
3756         goto done;
3757     }
3758
3759     err = test_s1();
3760     if (err) {
3761         BT_ERR("smp_s1 test failed");
3762         goto done;
3763     }
3764
3765     err = test_f4(tfm_cmac);
3766     if (err) {
3767         BT_ERR("smp_f4 test failed");
3768         goto done;
3769     }
3770
3771     err = test_f5(tfm_cmac);
3772     if (err) {
3773         BT_ERR("smp_f5 test failed");
3774         goto done;
3775     }
3776
3777     err = test_f6(tfm_cmac);
3778     if (err) {
3779         BT_ERR("smp_f6 test failed");
3780         goto done;
3781     }
3782
3783     err = test_g2(tfm_cmac);
3784     if (err) {
3785         BT_ERR("smp_g2 test failed");
3786         goto done;
3787     }
3788
3789     err = test_h6(tfm_cmac);
3790     if (err) {
3791         BT_ERR("smp_h6 test failed");
3792         goto done;
3793     }
3794
3795     rettime = ktime_get();
3796     delta = ktime_sub(rettime, calltime);
3797     duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3798
3799     BT_INFO("SMP test passed in %llu usecs", duration);
3800
3801 done:
3802     if (!err)
3803         snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3804              "PASS (%llu usecs)\n", duration);
3805     else
3806         snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3807
3808     debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3809                 &test_smp_fops);
3810
3811     return err;
3812 }
3813
3814 int __init bt_selftest_smp(void)
3815 {
3816     struct crypto_shash *tfm_cmac;
3817     struct crypto_kpp *tfm_ecdh;
3818     int err;
3819
3820     tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3821     if (IS_ERR(tfm_cmac)) {
3822         BT_ERR("Unable to create CMAC crypto context");
3823         return PTR_ERR(tfm_cmac);
3824     }
3825
3826     tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
3827     if (IS_ERR(tfm_ecdh)) {
3828         BT_ERR("Unable to create ECDH crypto context");
3829         crypto_free_shash(tfm_cmac);
3830         return PTR_ERR(tfm_ecdh);
3831     }
3832
3833     err = run_selftests(tfm_cmac, tfm_ecdh);
3834
3835     crypto_free_shash(tfm_cmac);
3836     crypto_free_kpp(tfm_ecdh);
3837
3838     return err;
3839 }
3840
3841 #endif