aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorJohn W. Linville <linville@tuxdriver.com>2014-12-05 14:12:24 -0500
committerJohn W. Linville <linville@tuxdriver.com>2014-12-05 14:12:24 -0500
commitf700076a9d1024a8184a7b6642edebd53a46a481 (patch)
tree4383ac2a2e624a0757f658b406ac335d89c829c9 /net
parent7be6ff65ce7df4fc6bfd87d261a723a5558fee72 (diff)
parent5a34bd5f5d8119def4feb1d2b4e3906b71059416 (diff)
Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next
Diffstat (limited to 'net')
-rw-r--r--net/6lowpan/iphc.c3
-rw-r--r--net/bluetooth/Kconfig1
-rw-r--r--net/bluetooth/Makefile2
-rw-r--r--net/bluetooth/af_bluetooth.c2
-rw-r--r--net/bluetooth/ecc.c816
-rw-r--r--net/bluetooth/ecc.h54
-rw-r--r--net/bluetooth/hci_conn.c1
-rw-r--r--net/bluetooth/hci_core.c200
-rw-r--r--net/bluetooth/hci_event.c110
-rw-r--r--net/bluetooth/l2cap_core.c41
-rw-r--r--net/bluetooth/mgmt.c869
-rw-r--r--net/bluetooth/smp.c1543
-rw-r--r--net/bluetooth/smp.h51
-rw-r--r--net/ieee802154/6lowpan_rtnl.c1
-rw-r--r--net/ieee802154/af_ieee802154.c4
-rw-r--r--net/ieee802154/dgram.c1
-rw-r--r--net/ieee802154/netlink.c3
-rw-r--r--net/ieee802154/nl-mac.c14
-rw-r--r--net/ieee802154/nl-phy.c1
-rw-r--r--net/ieee802154/raw.c1
-rw-r--r--net/mac802154/llsec.c19
-rw-r--r--net/mac802154/mib.c6
-rw-r--r--net/mac802154/rx.c3
23 files changed, 3129 insertions, 617 deletions
diff --git a/net/6lowpan/iphc.c b/net/6lowpan/iphc.c
index aced97db62f0..32ffec6ef164 100644
--- a/net/6lowpan/iphc.c
+++ b/net/6lowpan/iphc.c
@@ -15,9 +15,6 @@
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details. 16 * GNU General Public License for more details.
17 * 17 *
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */ 18 */
22 19
23/* Jon's code is based on 6lowpan implementation for Contiki which is: 20/* Jon's code is based on 6lowpan implementation for Contiki which is:
diff --git a/net/bluetooth/Kconfig b/net/bluetooth/Kconfig
index 5e97a8ff850b..29bcafc41adf 100644
--- a/net/bluetooth/Kconfig
+++ b/net/bluetooth/Kconfig
@@ -10,6 +10,7 @@ menuconfig BT
10 select CRYPTO 10 select CRYPTO
11 select CRYPTO_BLKCIPHER 11 select CRYPTO_BLKCIPHER
12 select CRYPTO_AES 12 select CRYPTO_AES
13 select CRYPTO_CMAC
13 select CRYPTO_ECB 14 select CRYPTO_ECB
14 select CRYPTO_SHA256 15 select CRYPTO_SHA256
15 help 16 help
diff --git a/net/bluetooth/Makefile b/net/bluetooth/Makefile
index 886e9aa3ecf1..a5432a6a0ae6 100644
--- a/net/bluetooth/Makefile
+++ b/net/bluetooth/Makefile
@@ -13,6 +13,6 @@ bluetooth_6lowpan-y := 6lowpan.o
13 13
14bluetooth-y := af_bluetooth.o hci_core.o hci_conn.o hci_event.o mgmt.o \ 14bluetooth-y := af_bluetooth.o hci_core.o hci_conn.o hci_event.o mgmt.o \
15 hci_sock.o hci_sysfs.o l2cap_core.o l2cap_sock.o smp.o sco.o lib.o \ 15 hci_sock.o hci_sysfs.o l2cap_core.o l2cap_sock.o smp.o sco.o lib.o \
16 a2mp.o amp.o 16 a2mp.o amp.o ecc.o
17 17
18subdir-ccflags-y += -D__CHECK_ENDIAN__ 18subdir-ccflags-y += -D__CHECK_ENDIAN__
diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
index 339c74ad4553..4ba15917da5e 100644
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -31,7 +31,7 @@
31#include <net/bluetooth/bluetooth.h> 31#include <net/bluetooth/bluetooth.h>
32#include <linux/proc_fs.h> 32#include <linux/proc_fs.h>
33 33
34#define VERSION "2.19" 34#define VERSION "2.20"
35 35
36/* Bluetooth sockets */ 36/* Bluetooth sockets */
37#define BT_MAX_PROTO 8 37#define BT_MAX_PROTO 8
diff --git a/net/bluetooth/ecc.c b/net/bluetooth/ecc.c
new file mode 100644
index 000000000000..e1709f8467ac
--- /dev/null
+++ b/net/bluetooth/ecc.c
@@ -0,0 +1,816 @@
1/*
2 * Copyright (c) 2013, Kenneth MacKay
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions are
7 * met:
8 * * Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * * Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
15 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
16 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
17 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
18 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
19 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
20 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
24 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 */
26
27#include <linux/random.h>
28
29#include "ecc.h"
30
31/* 256-bit curve */
32#define ECC_BYTES 32
33
34#define MAX_TRIES 16
35
36/* Number of u64's needed */
37#define NUM_ECC_DIGITS (ECC_BYTES / 8)
38
39struct ecc_point {
40 u64 x[NUM_ECC_DIGITS];
41 u64 y[NUM_ECC_DIGITS];
42};
43
44typedef struct {
45 u64 m_low;
46 u64 m_high;
47} uint128_t;
48
49#define CURVE_P_32 { 0xFFFFFFFFFFFFFFFFull, 0x00000000FFFFFFFFull, \
50 0x0000000000000000ull, 0xFFFFFFFF00000001ull }
51
52#define CURVE_G_32 { \
53 { 0xF4A13945D898C296ull, 0x77037D812DEB33A0ull, \
54 0xF8BCE6E563A440F2ull, 0x6B17D1F2E12C4247ull }, \
55 { 0xCBB6406837BF51F5ull, 0x2BCE33576B315ECEull, \
56 0x8EE7EB4A7C0F9E16ull, 0x4FE342E2FE1A7F9Bull } \
57}
58
59#define CURVE_N_32 { 0xF3B9CAC2FC632551ull, 0xBCE6FAADA7179E84ull, \
60 0xFFFFFFFFFFFFFFFFull, 0xFFFFFFFF00000000ull }
61
62static u64 curve_p[NUM_ECC_DIGITS] = CURVE_P_32;
63static struct ecc_point curve_g = CURVE_G_32;
64static u64 curve_n[NUM_ECC_DIGITS] = CURVE_N_32;
65
66static void vli_clear(u64 *vli)
67{
68 int i;
69
70 for (i = 0; i < NUM_ECC_DIGITS; i++)
71 vli[i] = 0;
72}
73
74/* Returns true if vli == 0, false otherwise. */
75static bool vli_is_zero(const u64 *vli)
76{
77 int i;
78
79 for (i = 0; i < NUM_ECC_DIGITS; i++) {
80 if (vli[i])
81 return false;
82 }
83
84 return true;
85}
86
87/* Returns nonzero if bit bit of vli is set. */
88static u64 vli_test_bit(const u64 *vli, unsigned int bit)
89{
90 return (vli[bit / 64] & ((u64) 1 << (bit % 64)));
91}
92
93/* Counts the number of 64-bit "digits" in vli. */
94static unsigned int vli_num_digits(const u64 *vli)
95{
96 int i;
97
98 /* Search from the end until we find a non-zero digit.
99 * We do it in reverse because we expect that most digits will
100 * be nonzero.
101 */
102 for (i = NUM_ECC_DIGITS - 1; i >= 0 && vli[i] == 0; i--);
103
104 return (i + 1);
105}
106
107/* Counts the number of bits required for vli. */
108static unsigned int vli_num_bits(const u64 *vli)
109{
110 unsigned int i, num_digits;
111 u64 digit;
112
113 num_digits = vli_num_digits(vli);
114 if (num_digits == 0)
115 return 0;
116
117 digit = vli[num_digits - 1];
118 for (i = 0; digit; i++)
119 digit >>= 1;
120
121 return ((num_digits - 1) * 64 + i);
122}
123
124/* Sets dest = src. */
125static void vli_set(u64 *dest, const u64 *src)
126{
127 int i;
128
129 for (i = 0; i < NUM_ECC_DIGITS; i++)
130 dest[i] = src[i];
131}
132
133/* Returns sign of left - right. */
134static int vli_cmp(const u64 *left, const u64 *right)
135{
136 int i;
137
138 for (i = NUM_ECC_DIGITS - 1; i >= 0; i--) {
139 if (left[i] > right[i])
140 return 1;
141 else if (left[i] < right[i])
142 return -1;
143 }
144
145 return 0;
146}
147
148/* Computes result = in << c, returning carry. Can modify in place
149 * (if result == in). 0 < shift < 64.
150 */
151static u64 vli_lshift(u64 *result, const u64 *in,
152 unsigned int shift)
153{
154 u64 carry = 0;
155 int i;
156
157 for (i = 0; i < NUM_ECC_DIGITS; i++) {
158 u64 temp = in[i];
159
160 result[i] = (temp << shift) | carry;
161 carry = temp >> (64 - shift);
162 }
163
164 return carry;
165}
166
167/* Computes vli = vli >> 1. */
168static void vli_rshift1(u64 *vli)
169{
170 u64 *end = vli;
171 u64 carry = 0;
172
173 vli += NUM_ECC_DIGITS;
174
175 while (vli-- > end) {
176 u64 temp = *vli;
177 *vli = (temp >> 1) | carry;
178 carry = temp << 63;
179 }
180}
181
182/* Computes result = left + right, returning carry. Can modify in place. */
183static u64 vli_add(u64 *result, const u64 *left,
184 const u64 *right)
185{
186 u64 carry = 0;
187 int i;
188
189 for (i = 0; i < NUM_ECC_DIGITS; i++) {
190 u64 sum;
191
192 sum = left[i] + right[i] + carry;
193 if (sum != left[i])
194 carry = (sum < left[i]);
195
196 result[i] = sum;
197 }
198
199 return carry;
200}
201
202/* Computes result = left - right, returning borrow. Can modify in place. */
203static u64 vli_sub(u64 *result, const u64 *left, const u64 *right)
204{
205 u64 borrow = 0;
206 int i;
207
208 for (i = 0; i < NUM_ECC_DIGITS; i++) {
209 u64 diff;
210
211 diff = left[i] - right[i] - borrow;
212 if (diff != left[i])
213 borrow = (diff > left[i]);
214
215 result[i] = diff;
216 }
217
218 return borrow;
219}
220
221static uint128_t mul_64_64(u64 left, u64 right)
222{
223 u64 a0 = left & 0xffffffffull;
224 u64 a1 = left >> 32;
225 u64 b0 = right & 0xffffffffull;
226 u64 b1 = right >> 32;
227 u64 m0 = a0 * b0;
228 u64 m1 = a0 * b1;
229 u64 m2 = a1 * b0;
230 u64 m3 = a1 * b1;
231 uint128_t result;
232
233 m2 += (m0 >> 32);
234 m2 += m1;
235
236 /* Overflow */
237 if (m2 < m1)
238 m3 += 0x100000000ull;
239
240 result.m_low = (m0 & 0xffffffffull) | (m2 << 32);
241 result.m_high = m3 + (m2 >> 32);
242
243 return result;
244}
245
246static uint128_t add_128_128(uint128_t a, uint128_t b)
247{
248 uint128_t result;
249
250 result.m_low = a.m_low + b.m_low;
251 result.m_high = a.m_high + b.m_high + (result.m_low < a.m_low);
252
253 return result;
254}
255
256static void vli_mult(u64 *result, const u64 *left, const u64 *right)
257{
258 uint128_t r01 = { 0, 0 };
259 u64 r2 = 0;
260 unsigned int i, k;
261
262 /* Compute each digit of result in sequence, maintaining the
263 * carries.
264 */
265 for (k = 0; k < NUM_ECC_DIGITS * 2 - 1; k++) {
266 unsigned int min;
267
268 if (k < NUM_ECC_DIGITS)
269 min = 0;
270 else
271 min = (k + 1) - NUM_ECC_DIGITS;
272
273 for (i = min; i <= k && i < NUM_ECC_DIGITS; i++) {
274 uint128_t product;
275
276 product = mul_64_64(left[i], right[k - i]);
277
278 r01 = add_128_128(r01, product);
279 r2 += (r01.m_high < product.m_high);
280 }
281
282 result[k] = r01.m_low;
283 r01.m_low = r01.m_high;
284 r01.m_high = r2;
285 r2 = 0;
286 }
287
288 result[NUM_ECC_DIGITS * 2 - 1] = r01.m_low;
289}
290
291static void vli_square(u64 *result, const u64 *left)
292{
293 uint128_t r01 = { 0, 0 };
294 u64 r2 = 0;
295 int i, k;
296
297 for (k = 0; k < NUM_ECC_DIGITS * 2 - 1; k++) {
298 unsigned int min;
299
300 if (k < NUM_ECC_DIGITS)
301 min = 0;
302 else
303 min = (k + 1) - NUM_ECC_DIGITS;
304
305 for (i = min; i <= k && i <= k - i; i++) {
306 uint128_t product;
307
308 product = mul_64_64(left[i], left[k - i]);
309
310 if (i < k - i) {
311 r2 += product.m_high >> 63;
312 product.m_high = (product.m_high << 1) |
313 (product.m_low >> 63);
314 product.m_low <<= 1;
315 }
316
317 r01 = add_128_128(r01, product);
318 r2 += (r01.m_high < product.m_high);
319 }
320
321 result[k] = r01.m_low;
322 r01.m_low = r01.m_high;
323 r01.m_high = r2;
324 r2 = 0;
325 }
326
327 result[NUM_ECC_DIGITS * 2 - 1] = r01.m_low;
328}
329
330/* Computes result = (left + right) % mod.
331 * Assumes that left < mod and right < mod, result != mod.
332 */
333static void vli_mod_add(u64 *result, const u64 *left, const u64 *right,
334 const u64 *mod)
335{
336 u64 carry;
337
338 carry = vli_add(result, left, right);
339
340 /* result > mod (result = mod + remainder), so subtract mod to
341 * get remainder.
342 */
343 if (carry || vli_cmp(result, mod) >= 0)
344 vli_sub(result, result, mod);
345}
346
347/* Computes result = (left - right) % mod.
348 * Assumes that left < mod and right < mod, result != mod.
349 */
350static void vli_mod_sub(u64 *result, const u64 *left, const u64 *right,
351 const u64 *mod)
352{
353 u64 borrow = vli_sub(result, left, right);
354
355 /* In this case, p_result == -diff == (max int) - diff.
356 * Since -x % d == d - x, we can get the correct result from
357 * result + mod (with overflow).
358 */
359 if (borrow)
360 vli_add(result, result, mod);
361}
362
363/* Computes result = product % curve_p
364 from http://www.nsa.gov/ia/_files/nist-routines.pdf */
365static void vli_mmod_fast(u64 *result, const u64 *product)
366{
367 u64 tmp[NUM_ECC_DIGITS];
368 int carry;
369
370 /* t */
371 vli_set(result, product);
372
373 /* s1 */
374 tmp[0] = 0;
375 tmp[1] = product[5] & 0xffffffff00000000ull;
376 tmp[2] = product[6];
377 tmp[3] = product[7];
378 carry = vli_lshift(tmp, tmp, 1);
379 carry += vli_add(result, result, tmp);
380
381 /* s2 */
382 tmp[1] = product[6] << 32;
383 tmp[2] = (product[6] >> 32) | (product[7] << 32);
384 tmp[3] = product[7] >> 32;
385 carry += vli_lshift(tmp, tmp, 1);
386 carry += vli_add(result, result, tmp);
387
388 /* s3 */
389 tmp[0] = product[4];
390 tmp[1] = product[5] & 0xffffffff;
391 tmp[2] = 0;
392 tmp[3] = product[7];
393 carry += vli_add(result, result, tmp);
394
395 /* s4 */
396 tmp[0] = (product[4] >> 32) | (product[5] << 32);
397 tmp[1] = (product[5] >> 32) | (product[6] & 0xffffffff00000000ull);
398 tmp[2] = product[7];
399 tmp[3] = (product[6] >> 32) | (product[4] << 32);
400 carry += vli_add(result, result, tmp);
401
402 /* d1 */
403 tmp[0] = (product[5] >> 32) | (product[6] << 32);
404 tmp[1] = (product[6] >> 32);
405 tmp[2] = 0;
406 tmp[3] = (product[4] & 0xffffffff) | (product[5] << 32);
407 carry -= vli_sub(result, result, tmp);
408
409 /* d2 */
410 tmp[0] = product[6];
411 tmp[1] = product[7];
412 tmp[2] = 0;
413 tmp[3] = (product[4] >> 32) | (product[5] & 0xffffffff00000000ull);
414 carry -= vli_sub(result, result, tmp);
415
416 /* d3 */
417 tmp[0] = (product[6] >> 32) | (product[7] << 32);
418 tmp[1] = (product[7] >> 32) | (product[4] << 32);
419 tmp[2] = (product[4] >> 32) | (product[5] << 32);
420 tmp[3] = (product[6] << 32);
421 carry -= vli_sub(result, result, tmp);
422
423 /* d4 */
424 tmp[0] = product[7];
425 tmp[1] = product[4] & 0xffffffff00000000ull;
426 tmp[2] = product[5];
427 tmp[3] = product[6] & 0xffffffff00000000ull;
428 carry -= vli_sub(result, result, tmp);
429
430 if (carry < 0) {
431 do {
432 carry += vli_add(result, result, curve_p);
433 } while (carry < 0);
434 } else {
435 while (carry || vli_cmp(curve_p, result) != 1)
436 carry -= vli_sub(result, result, curve_p);
437 }
438}
439
440/* Computes result = (left * right) % curve_p. */
441static void vli_mod_mult_fast(u64 *result, const u64 *left, const u64 *right)
442{
443 u64 product[2 * NUM_ECC_DIGITS];
444
445 vli_mult(product, left, right);
446 vli_mmod_fast(result, product);
447}
448
449/* Computes result = left^2 % curve_p. */
450static void vli_mod_square_fast(u64 *result, const u64 *left)
451{
452 u64 product[2 * NUM_ECC_DIGITS];
453
454 vli_square(product, left);
455 vli_mmod_fast(result, product);
456}
457
458#define EVEN(vli) (!(vli[0] & 1))
459/* Computes result = (1 / p_input) % mod. All VLIs are the same size.
460 * See "From Euclid's GCD to Montgomery Multiplication to the Great Divide"
461 * https://labs.oracle.com/techrep/2001/smli_tr-2001-95.pdf
462 */
463static void vli_mod_inv(u64 *result, const u64 *input, const u64 *mod)
464{
465 u64 a[NUM_ECC_DIGITS], b[NUM_ECC_DIGITS];
466 u64 u[NUM_ECC_DIGITS], v[NUM_ECC_DIGITS];
467 u64 carry;
468 int cmp_result;
469
470 if (vli_is_zero(input)) {
471 vli_clear(result);
472 return;
473 }
474
475 vli_set(a, input);
476 vli_set(b, mod);
477 vli_clear(u);
478 u[0] = 1;
479 vli_clear(v);
480
481 while ((cmp_result = vli_cmp(a, b)) != 0) {
482 carry = 0;
483
484 if (EVEN(a)) {
485 vli_rshift1(a);
486
487 if (!EVEN(u))
488 carry = vli_add(u, u, mod);
489
490 vli_rshift1(u);
491 if (carry)
492 u[NUM_ECC_DIGITS - 1] |= 0x8000000000000000ull;
493 } else if (EVEN(b)) {
494 vli_rshift1(b);
495
496 if (!EVEN(v))
497 carry = vli_add(v, v, mod);
498
499 vli_rshift1(v);
500 if (carry)
501 v[NUM_ECC_DIGITS - 1] |= 0x8000000000000000ull;
502 } else if (cmp_result > 0) {
503 vli_sub(a, a, b);
504 vli_rshift1(a);
505
506 if (vli_cmp(u, v) < 0)
507 vli_add(u, u, mod);
508
509 vli_sub(u, u, v);
510 if (!EVEN(u))
511 carry = vli_add(u, u, mod);
512
513 vli_rshift1(u);
514 if (carry)
515 u[NUM_ECC_DIGITS - 1] |= 0x8000000000000000ull;
516 } else {
517 vli_sub(b, b, a);
518 vli_rshift1(b);
519
520 if (vli_cmp(v, u) < 0)
521 vli_add(v, v, mod);
522
523 vli_sub(v, v, u);
524 if (!EVEN(v))
525 carry = vli_add(v, v, mod);
526
527 vli_rshift1(v);
528 if (carry)
529 v[NUM_ECC_DIGITS - 1] |= 0x8000000000000000ull;
530 }
531 }
532
533 vli_set(result, u);
534}
535
536/* ------ Point operations ------ */
537
538/* Returns true if p_point is the point at infinity, false otherwise. */
539static bool ecc_point_is_zero(const struct ecc_point *point)
540{
541 return (vli_is_zero(point->x) && vli_is_zero(point->y));
542}
543
544/* Point multiplication algorithm using Montgomery's ladder with co-Z
545 * coordinates. From http://eprint.iacr.org/2011/338.pdf
546 */
547
548/* Double in place */
549static void ecc_point_double_jacobian(u64 *x1, u64 *y1, u64 *z1)
550{
551 /* t1 = x, t2 = y, t3 = z */
552 u64 t4[NUM_ECC_DIGITS];
553 u64 t5[NUM_ECC_DIGITS];
554
555 if (vli_is_zero(z1))
556 return;
557
558 vli_mod_square_fast(t4, y1); /* t4 = y1^2 */
559 vli_mod_mult_fast(t5, x1, t4); /* t5 = x1*y1^2 = A */
560 vli_mod_square_fast(t4, t4); /* t4 = y1^4 */
561 vli_mod_mult_fast(y1, y1, z1); /* t2 = y1*z1 = z3 */
562 vli_mod_square_fast(z1, z1); /* t3 = z1^2 */
563
564 vli_mod_add(x1, x1, z1, curve_p); /* t1 = x1 + z1^2 */
565 vli_mod_add(z1, z1, z1, curve_p); /* t3 = 2*z1^2 */
566 vli_mod_sub(z1, x1, z1, curve_p); /* t3 = x1 - z1^2 */
567 vli_mod_mult_fast(x1, x1, z1); /* t1 = x1^2 - z1^4 */
568
569 vli_mod_add(z1, x1, x1, curve_p); /* t3 = 2*(x1^2 - z1^4) */
570 vli_mod_add(x1, x1, z1, curve_p); /* t1 = 3*(x1^2 - z1^4) */
571 if (vli_test_bit(x1, 0)) {
572 u64 carry = vli_add(x1, x1, curve_p);
573 vli_rshift1(x1);
574 x1[NUM_ECC_DIGITS - 1] |= carry << 63;
575 } else {
576 vli_rshift1(x1);
577 }
578 /* t1 = 3/2*(x1^2 - z1^4) = B */
579
580 vli_mod_square_fast(z1, x1); /* t3 = B^2 */
581 vli_mod_sub(z1, z1, t5, curve_p); /* t3 = B^2 - A */
582 vli_mod_sub(z1, z1, t5, curve_p); /* t3 = B^2 - 2A = x3 */
583 vli_mod_sub(t5, t5, z1, curve_p); /* t5 = A - x3 */
584 vli_mod_mult_fast(x1, x1, t5); /* t1 = B * (A - x3) */
585 vli_mod_sub(t4, x1, t4, curve_p); /* t4 = B * (A - x3) - y1^4 = y3 */
586
587 vli_set(x1, z1);
588 vli_set(z1, y1);
589 vli_set(y1, t4);
590}
591
592/* Modify (x1, y1) => (x1 * z^2, y1 * z^3) */
593static void apply_z(u64 *x1, u64 *y1, u64 *z)
594{
595 u64 t1[NUM_ECC_DIGITS];
596
597 vli_mod_square_fast(t1, z); /* z^2 */
598 vli_mod_mult_fast(x1, x1, t1); /* x1 * z^2 */
599 vli_mod_mult_fast(t1, t1, z); /* z^3 */
600 vli_mod_mult_fast(y1, y1, t1); /* y1 * z^3 */
601}
602
603/* P = (x1, y1) => 2P, (x2, y2) => P' */
604static void xycz_initial_double(u64 *x1, u64 *y1, u64 *x2, u64 *y2,
605 u64 *p_initial_z)
606{
607 u64 z[NUM_ECC_DIGITS];
608
609 vli_set(x2, x1);
610 vli_set(y2, y1);
611
612 vli_clear(z);
613 z[0] = 1;
614
615 if (p_initial_z)
616 vli_set(z, p_initial_z);
617
618 apply_z(x1, y1, z);
619
620 ecc_point_double_jacobian(x1, y1, z);
621
622 apply_z(x2, y2, z);
623}
624
625/* Input P = (x1, y1, Z), Q = (x2, y2, Z)
626 * Output P' = (x1', y1', Z3), P + Q = (x3, y3, Z3)
627 * or P => P', Q => P + Q
628 */
629static void xycz_add(u64 *x1, u64 *y1, u64 *x2, u64 *y2)
630{
631 /* t1 = X1, t2 = Y1, t3 = X2, t4 = Y2 */
632 u64 t5[NUM_ECC_DIGITS];
633
634 vli_mod_sub(t5, x2, x1, curve_p); /* t5 = x2 - x1 */
635 vli_mod_square_fast(t5, t5); /* t5 = (x2 - x1)^2 = A */
636 vli_mod_mult_fast(x1, x1, t5); /* t1 = x1*A = B */
637 vli_mod_mult_fast(x2, x2, t5); /* t3 = x2*A = C */
638 vli_mod_sub(y2, y2, y1, curve_p); /* t4 = y2 - y1 */
639 vli_mod_square_fast(t5, y2); /* t5 = (y2 - y1)^2 = D */
640
641 vli_mod_sub(t5, t5, x1, curve_p); /* t5 = D - B */
642 vli_mod_sub(t5, t5, x2, curve_p); /* t5 = D - B - C = x3 */
643 vli_mod_sub(x2, x2, x1, curve_p); /* t3 = C - B */
644 vli_mod_mult_fast(y1, y1, x2); /* t2 = y1*(C - B) */
645 vli_mod_sub(x2, x1, t5, curve_p); /* t3 = B - x3 */
646 vli_mod_mult_fast(y2, y2, x2); /* t4 = (y2 - y1)*(B - x3) */
647 vli_mod_sub(y2, y2, y1, curve_p); /* t4 = y3 */
648
649 vli_set(x2, t5);
650}
651
652/* Input P = (x1, y1, Z), Q = (x2, y2, Z)
653 * Output P + Q = (x3, y3, Z3), P - Q = (x3', y3', Z3)
654 * or P => P - Q, Q => P + Q
655 */
656static void xycz_add_c(u64 *x1, u64 *y1, u64 *x2, u64 *y2)
657{
658 /* t1 = X1, t2 = Y1, t3 = X2, t4 = Y2 */
659 u64 t5[NUM_ECC_DIGITS];
660 u64 t6[NUM_ECC_DIGITS];
661 u64 t7[NUM_ECC_DIGITS];
662
663 vli_mod_sub(t5, x2, x1, curve_p); /* t5 = x2 - x1 */
664 vli_mod_square_fast(t5, t5); /* t5 = (x2 - x1)^2 = A */
665 vli_mod_mult_fast(x1, x1, t5); /* t1 = x1*A = B */
666 vli_mod_mult_fast(x2, x2, t5); /* t3 = x2*A = C */
667 vli_mod_add(t5, y2, y1, curve_p); /* t4 = y2 + y1 */
668 vli_mod_sub(y2, y2, y1, curve_p); /* t4 = y2 - y1 */
669
670 vli_mod_sub(t6, x2, x1, curve_p); /* t6 = C - B */
671 vli_mod_mult_fast(y1, y1, t6); /* t2 = y1 * (C - B) */
672 vli_mod_add(t6, x1, x2, curve_p); /* t6 = B + C */
673 vli_mod_square_fast(x2, y2); /* t3 = (y2 - y1)^2 */
674 vli_mod_sub(x2, x2, t6, curve_p); /* t3 = x3 */
675
676 vli_mod_sub(t7, x1, x2, curve_p); /* t7 = B - x3 */
677 vli_mod_mult_fast(y2, y2, t7); /* t4 = (y2 - y1)*(B - x3) */
678 vli_mod_sub(y2, y2, y1, curve_p); /* t4 = y3 */
679
680 vli_mod_square_fast(t7, t5); /* t7 = (y2 + y1)^2 = F */
681 vli_mod_sub(t7, t7, t6, curve_p); /* t7 = x3' */
682 vli_mod_sub(t6, t7, x1, curve_p); /* t6 = x3' - B */
683 vli_mod_mult_fast(t6, t6, t5); /* t6 = (y2 + y1)*(x3' - B) */
684 vli_mod_sub(y1, t6, y1, curve_p); /* t2 = y3' */
685
686 vli_set(x1, t7);
687}
688
689static void ecc_point_mult(struct ecc_point *result,
690 const struct ecc_point *point, u64 *scalar,
691 u64 *initial_z, int num_bits)
692{
693 /* R0 and R1 */
694 u64 rx[2][NUM_ECC_DIGITS];
695 u64 ry[2][NUM_ECC_DIGITS];
696 u64 z[NUM_ECC_DIGITS];
697 int i, nb;
698
699 vli_set(rx[1], point->x);
700 vli_set(ry[1], point->y);
701
702 xycz_initial_double(rx[1], ry[1], rx[0], ry[0], initial_z);
703
704 for (i = num_bits - 2; i > 0; i--) {
705 nb = !vli_test_bit(scalar, i);
706 xycz_add_c(rx[1 - nb], ry[1 - nb], rx[nb], ry[nb]);
707 xycz_add(rx[nb], ry[nb], rx[1 - nb], ry[1 - nb]);
708 }
709
710 nb = !vli_test_bit(scalar, 0);
711 xycz_add_c(rx[1 - nb], ry[1 - nb], rx[nb], ry[nb]);
712
713 /* Find final 1/Z value. */
714 vli_mod_sub(z, rx[1], rx[0], curve_p); /* X1 - X0 */
715 vli_mod_mult_fast(z, z, ry[1 - nb]); /* Yb * (X1 - X0) */
716 vli_mod_mult_fast(z, z, point->x); /* xP * Yb * (X1 - X0) */
717 vli_mod_inv(z, z, curve_p); /* 1 / (xP * Yb * (X1 - X0)) */
718 vli_mod_mult_fast(z, z, point->y); /* yP / (xP * Yb * (X1 - X0)) */
719 vli_mod_mult_fast(z, z, rx[1 - nb]); /* Xb * yP / (xP * Yb * (X1 - X0)) */
720 /* End 1/Z calculation */
721
722 xycz_add(rx[nb], ry[nb], rx[1 - nb], ry[1 - nb]);
723
724 apply_z(rx[0], ry[0], z);
725
726 vli_set(result->x, rx[0]);
727 vli_set(result->y, ry[0]);
728}
729
730static void ecc_bytes2native(const u8 bytes[ECC_BYTES],
731 u64 native[NUM_ECC_DIGITS])
732{
733 int i;
734
735 for (i = 0; i < NUM_ECC_DIGITS; i++) {
736 const u8 *digit = bytes + 8 * (NUM_ECC_DIGITS - 1 - i);
737
738 native[NUM_ECC_DIGITS - 1 - i] =
739 ((u64) digit[0] << 0) |
740 ((u64) digit[1] << 8) |
741 ((u64) digit[2] << 16) |
742 ((u64) digit[3] << 24) |
743 ((u64) digit[4] << 32) |
744 ((u64) digit[5] << 40) |
745 ((u64) digit[6] << 48) |
746 ((u64) digit[7] << 56);
747 }
748}
749
750static void ecc_native2bytes(const u64 native[NUM_ECC_DIGITS],
751 u8 bytes[ECC_BYTES])
752{
753 int i;
754
755 for (i = 0; i < NUM_ECC_DIGITS; i++) {
756 u8 *digit = bytes + 8 * (NUM_ECC_DIGITS - 1 - i);
757
758 digit[0] = native[NUM_ECC_DIGITS - 1 - i] >> 0;
759 digit[1] = native[NUM_ECC_DIGITS - 1 - i] >> 8;
760 digit[2] = native[NUM_ECC_DIGITS - 1 - i] >> 16;
761 digit[3] = native[NUM_ECC_DIGITS - 1 - i] >> 24;
762 digit[4] = native[NUM_ECC_DIGITS - 1 - i] >> 32;
763 digit[5] = native[NUM_ECC_DIGITS - 1 - i] >> 40;
764 digit[6] = native[NUM_ECC_DIGITS - 1 - i] >> 48;
765 digit[7] = native[NUM_ECC_DIGITS - 1 - i] >> 56;
766 }
767}
768
769bool ecc_make_key(u8 public_key[64], u8 private_key[32])
770{
771 struct ecc_point pk;
772 u64 priv[NUM_ECC_DIGITS];
773 unsigned int tries = 0;
774
775 do {
776 if (tries++ >= MAX_TRIES)
777 return false;
778
779 get_random_bytes(priv, ECC_BYTES);
780
781 if (vli_is_zero(priv))
782 continue;
783
784 /* Make sure the private key is in the range [1, n-1]. */
785 if (vli_cmp(curve_n, priv) != 1)
786 continue;
787
788 ecc_point_mult(&pk, &curve_g, priv, NULL, vli_num_bits(priv));
789 } while (ecc_point_is_zero(&pk));
790
791 ecc_native2bytes(priv, private_key);
792 ecc_native2bytes(pk.x, public_key);
793 ecc_native2bytes(pk.y, &public_key[32]);
794
795 return true;
796}
797
798bool ecdh_shared_secret(const u8 public_key[64], const u8 private_key[32],
799 u8 secret[32])
800{
801 u64 priv[NUM_ECC_DIGITS];
802 u64 rand[NUM_ECC_DIGITS];
803 struct ecc_point product, pk;
804
805 get_random_bytes(rand, ECC_BYTES);
806
807 ecc_bytes2native(public_key, pk.x);
808 ecc_bytes2native(&public_key[32], pk.y);
809 ecc_bytes2native(private_key, priv);
810
811 ecc_point_mult(&product, &pk, priv, rand, vli_num_bits(priv));
812
813 ecc_native2bytes(product.x, secret);
814
815 return !ecc_point_is_zero(&product);
816}
diff --git a/net/bluetooth/ecc.h b/net/bluetooth/ecc.h
new file mode 100644
index 000000000000..8d6a2f4d1905
--- /dev/null
+++ b/net/bluetooth/ecc.h
@@ -0,0 +1,54 @@
1/*
2 * Copyright (c) 2013, Kenneth MacKay
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions are
7 * met:
8 * * Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * * Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
15 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
16 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
17 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
18 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
19 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
20 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
24 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 */
26
27/* Create a public/private key pair.
28 * Outputs:
29 * public_key - Will be filled in with the public key.
30 * private_key - Will be filled in with the private key.
31 *
32 * Returns true if the key pair was generated successfully, false
33 * if an error occurred. The keys are with the LSB first.
34 */
35bool ecc_make_key(u8 public_key[64], u8 private_key[32]);
36
37/* Compute a shared secret given your secret key and someone else's
38 * public key.
39 * Note: It is recommended that you hash the result of ecdh_shared_secret
40 * before using it for symmetric encryption or HMAC.
41 *
42 * Inputs:
43 * public_key - The public key of the remote party
44 * private_key - Your private key.
45 *
46 * Outputs:
47 * secret - Will be filled in with the shared secret value.
48 *
49 * Returns true if the shared secret was generated successfully, false
50 * if an error occurred. Both input and output parameters are with the
51 * LSB first.
52 */
53bool ecdh_shared_secret(const u8 public_key[64], const u8 private_key[32],
54 u8 secret[32]);
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 96887ae8375b..79d84b88b8f0 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -449,6 +449,7 @@ struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
449 conn->io_capability = hdev->io_capability; 449 conn->io_capability = hdev->io_capability;
450 conn->remote_auth = 0xff; 450 conn->remote_auth = 0xff;
451 conn->key_type = 0xff; 451 conn->key_type = 0xff;
452 conn->rssi = HCI_RSSI_INVALID;
452 conn->tx_power = HCI_TX_POWER_INVALID; 453 conn->tx_power = HCI_TX_POWER_INVALID;
453 conn->max_tx_power = HCI_TX_POWER_INVALID; 454 conn->max_tx_power = HCI_TX_POWER_INVALID;
454 455
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 5c319a49a5a4..93f92a085506 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -406,6 +406,49 @@ static const struct file_operations force_sc_support_fops = {
406 .llseek = default_llseek, 406 .llseek = default_llseek,
407}; 407};
408 408
409static ssize_t force_lesc_support_read(struct file *file, char __user *user_buf,
410 size_t count, loff_t *ppos)
411{
412 struct hci_dev *hdev = file->private_data;
413 char buf[3];
414
415 buf[0] = test_bit(HCI_FORCE_LESC, &hdev->dbg_flags) ? 'Y': 'N';
416 buf[1] = '\n';
417 buf[2] = '\0';
418 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
419}
420
421static ssize_t force_lesc_support_write(struct file *file,
422 const char __user *user_buf,
423 size_t count, loff_t *ppos)
424{
425 struct hci_dev *hdev = file->private_data;
426 char buf[32];
427 size_t buf_size = min(count, (sizeof(buf)-1));
428 bool enable;
429
430 if (copy_from_user(buf, user_buf, buf_size))
431 return -EFAULT;
432
433 buf[buf_size] = '\0';
434 if (strtobool(buf, &enable))
435 return -EINVAL;
436
437 if (enable == test_bit(HCI_FORCE_LESC, &hdev->dbg_flags))
438 return -EALREADY;
439
440 change_bit(HCI_FORCE_LESC, &hdev->dbg_flags);
441
442 return count;
443}
444
445static const struct file_operations force_lesc_support_fops = {
446 .open = simple_open,
447 .read = force_lesc_support_read,
448 .write = force_lesc_support_write,
449 .llseek = default_llseek,
450};
451
409static ssize_t sc_only_mode_read(struct file *file, char __user *user_buf, 452static ssize_t sc_only_mode_read(struct file *file, char __user *user_buf,
410 size_t count, loff_t *ppos) 453 size_t count, loff_t *ppos)
411{ 454{
@@ -1692,6 +1735,28 @@ static void hci_init3_req(struct hci_request *req, unsigned long opt)
1692 * Parameter Request 1735 * Parameter Request
1693 */ 1736 */
1694 1737
1738 /* If the controller supports Extended Scanner Filter
1739 * Policies, enable the correspondig event.
1740 */
1741 if (hdev->le_features[0] & HCI_LE_EXT_SCAN_POLICY)
1742 events[1] |= 0x04; /* LE Direct Advertising
1743 * Report
1744 */
1745
1746 /* If the controller supports the LE Read Local P-256
1747 * Public Key command, enable the corresponding event.
1748 */
1749 if (hdev->commands[34] & 0x02)
1750 events[0] |= 0x80; /* LE Read Local P-256
1751 * Public Key Complete
1752 */
1753
1754 /* If the controller supports the LE Generate DHKey
1755 * command, enable the corresponding event.
1756 */
1757 if (hdev->commands[34] & 0x04)
1758 events[1] |= 0x01; /* LE Generate DHKey Complete */
1759
1695 hci_req_add(req, HCI_OP_LE_SET_EVENT_MASK, sizeof(events), 1760 hci_req_add(req, HCI_OP_LE_SET_EVENT_MASK, sizeof(events),
1696 events); 1761 events);
1697 1762
@@ -1734,9 +1799,7 @@ static void hci_init4_req(struct hci_request *req, unsigned long opt)
1734 hci_req_add(req, HCI_OP_READ_SYNC_TRAIN_PARAMS, 0, NULL); 1799 hci_req_add(req, HCI_OP_READ_SYNC_TRAIN_PARAMS, 0, NULL);
1735 1800
1736 /* Enable Secure Connections if supported and configured */ 1801 /* Enable Secure Connections if supported and configured */
1737 if ((lmp_sc_capable(hdev) || 1802 if (bredr_sc_enabled(hdev)) {
1738 test_bit(HCI_FORCE_SC, &hdev->dbg_flags)) &&
1739 test_bit(HCI_SC_ENABLED, &hdev->dev_flags)) {
1740 u8 support = 0x01; 1803 u8 support = 0x01;
1741 hci_req_add(req, HCI_OP_WRITE_SC_SUPPORT, 1804 hci_req_add(req, HCI_OP_WRITE_SC_SUPPORT,
1742 sizeof(support), &support); 1805 sizeof(support), &support);
@@ -1819,6 +1882,10 @@ static int __hci_init(struct hci_dev *hdev)
1819 hdev, &force_sc_support_fops); 1882 hdev, &force_sc_support_fops);
1820 debugfs_create_file("sc_only_mode", 0444, hdev->debugfs, 1883 debugfs_create_file("sc_only_mode", 0444, hdev->debugfs,
1821 hdev, &sc_only_mode_fops); 1884 hdev, &sc_only_mode_fops);
1885 if (lmp_le_capable(hdev))
1886 debugfs_create_file("force_lesc_support", 0644,
1887 hdev->debugfs, hdev,
1888 &force_lesc_support_fops);
1822 } 1889 }
1823 1890
1824 if (lmp_sniff_capable(hdev)) { 1891 if (lmp_sniff_capable(hdev)) {
@@ -2115,7 +2182,7 @@ u32 hci_inquiry_cache_update(struct hci_dev *hdev, struct inquiry_data *data,
2115 2182
2116 BT_DBG("cache %p, %pMR", cache, &data->bdaddr); 2183 BT_DBG("cache %p, %pMR", cache, &data->bdaddr);
2117 2184
2118 hci_remove_remote_oob_data(hdev, &data->bdaddr); 2185 hci_remove_remote_oob_data(hdev, &data->bdaddr, BDADDR_BREDR);
2119 2186
2120 if (!data->ssp_mode) 2187 if (!data->ssp_mode)
2121 flags |= MGMT_DEV_FOUND_LEGACY_PAIRING; 2188 flags |= MGMT_DEV_FOUND_LEGACY_PAIRING;
@@ -3162,6 +3229,10 @@ static bool hci_persistent_key(struct hci_dev *hdev, struct hci_conn *conn,
3162 if (!conn) 3229 if (!conn)
3163 return true; 3230 return true;
3164 3231
3232 /* BR/EDR key derived using SC from an LE link */
3233 if (conn->type == LE_LINK)
3234 return true;
3235
3165 /* Neither local nor remote side had no-bonding as requirement */ 3236 /* Neither local nor remote side had no-bonding as requirement */
3166 if (conn->auth_type > 0x01 && conn->remote_auth > 0x01) 3237 if (conn->auth_type > 0x01 && conn->remote_auth > 0x01)
3167 return true; 3238 return true;
@@ -3187,37 +3258,17 @@ static u8 ltk_role(u8 type)
3187 return HCI_ROLE_SLAVE; 3258 return HCI_ROLE_SLAVE;
3188} 3259}
3189 3260
3190struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, __le16 ediv, __le64 rand, 3261struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
3191 u8 role) 3262 u8 addr_type, u8 role)
3192{ 3263{
3193 struct smp_ltk *k; 3264 struct smp_ltk *k;
3194 3265
3195 rcu_read_lock(); 3266 rcu_read_lock();
3196 list_for_each_entry_rcu(k, &hdev->long_term_keys, list) { 3267 list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
3197 if (k->ediv != ediv || k->rand != rand) 3268 if (addr_type != k->bdaddr_type || bacmp(bdaddr, &k->bdaddr))
3198 continue; 3269 continue;
3199 3270
3200 if (ltk_role(k->type) != role) 3271 if (smp_ltk_is_sc(k) || ltk_role(k->type) == role) {
3201 continue;
3202
3203 rcu_read_unlock();
3204 return k;
3205 }
3206 rcu_read_unlock();
3207
3208 return NULL;
3209}
3210
3211struct smp_ltk *hci_find_ltk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr,
3212 u8 addr_type, u8 role)
3213{
3214 struct smp_ltk *k;
3215
3216 rcu_read_lock();
3217 list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
3218 if (addr_type == k->bdaddr_type &&
3219 bacmp(bdaddr, &k->bdaddr) == 0 &&
3220 ltk_role(k->type) == role) {
3221 rcu_read_unlock(); 3272 rcu_read_unlock();
3222 return k; 3273 return k;
3223 } 3274 }
@@ -3327,7 +3378,7 @@ struct smp_ltk *hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
3327 struct smp_ltk *key, *old_key; 3378 struct smp_ltk *key, *old_key;
3328 u8 role = ltk_role(type); 3379 u8 role = ltk_role(type);
3329 3380
3330 old_key = hci_find_ltk_by_addr(hdev, bdaddr, addr_type, role); 3381 old_key = hci_find_ltk(hdev, bdaddr, addr_type, role);
3331 if (old_key) 3382 if (old_key)
3332 key = old_key; 3383 key = old_key;
3333 else { 3384 else {
@@ -3442,26 +3493,31 @@ static void hci_cmd_timeout(struct work_struct *work)
3442} 3493}
3443 3494
3444struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev, 3495struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev,
3445 bdaddr_t *bdaddr) 3496 bdaddr_t *bdaddr, u8 bdaddr_type)
3446{ 3497{
3447 struct oob_data *data; 3498 struct oob_data *data;
3448 3499
3449 list_for_each_entry(data, &hdev->remote_oob_data, list) 3500 list_for_each_entry(data, &hdev->remote_oob_data, list) {
3450 if (bacmp(bdaddr, &data->bdaddr) == 0) 3501 if (bacmp(bdaddr, &data->bdaddr) != 0)
3451 return data; 3502 continue;
3503 if (data->bdaddr_type != bdaddr_type)
3504 continue;
3505 return data;
3506 }
3452 3507
3453 return NULL; 3508 return NULL;
3454} 3509}
3455 3510
3456int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr) 3511int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
3512 u8 bdaddr_type)
3457{ 3513{
3458 struct oob_data *data; 3514 struct oob_data *data;
3459 3515
3460 data = hci_find_remote_oob_data(hdev, bdaddr); 3516 data = hci_find_remote_oob_data(hdev, bdaddr, bdaddr_type);
3461 if (!data) 3517 if (!data)
3462 return -ENOENT; 3518 return -ENOENT;
3463 3519
3464 BT_DBG("%s removing %pMR", hdev->name, bdaddr); 3520 BT_DBG("%s removing %pMR (%u)", hdev->name, bdaddr, bdaddr_type);
3465 3521
3466 list_del(&data->list); 3522 list_del(&data->list);
3467 kfree(data); 3523 kfree(data);
@@ -3480,52 +3536,37 @@ void hci_remote_oob_data_clear(struct hci_dev *hdev)
3480} 3536}
3481 3537
3482int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr, 3538int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
3483 u8 *hash, u8 *rand) 3539 u8 bdaddr_type, u8 *hash192, u8 *rand192,
3540 u8 *hash256, u8 *rand256)
3484{ 3541{
3485 struct oob_data *data; 3542 struct oob_data *data;
3486 3543
3487 data = hci_find_remote_oob_data(hdev, bdaddr); 3544 data = hci_find_remote_oob_data(hdev, bdaddr, bdaddr_type);
3488 if (!data) { 3545 if (!data) {
3489 data = kmalloc(sizeof(*data), GFP_KERNEL); 3546 data = kmalloc(sizeof(*data), GFP_KERNEL);
3490 if (!data) 3547 if (!data)
3491 return -ENOMEM; 3548 return -ENOMEM;
3492 3549
3493 bacpy(&data->bdaddr, bdaddr); 3550 bacpy(&data->bdaddr, bdaddr);
3551 data->bdaddr_type = bdaddr_type;
3494 list_add(&data->list, &hdev->remote_oob_data); 3552 list_add(&data->list, &hdev->remote_oob_data);
3495 } 3553 }
3496 3554
3497 memcpy(data->hash192, hash, sizeof(data->hash192)); 3555 if (hash192 && rand192) {
3498 memcpy(data->rand192, rand, sizeof(data->rand192)); 3556 memcpy(data->hash192, hash192, sizeof(data->hash192));
3499 3557 memcpy(data->rand192, rand192, sizeof(data->rand192));
3500 memset(data->hash256, 0, sizeof(data->hash256)); 3558 } else {
3501 memset(data->rand256, 0, sizeof(data->rand256)); 3559 memset(data->hash192, 0, sizeof(data->hash192));
3502 3560 memset(data->rand192, 0, sizeof(data->rand192));
3503 BT_DBG("%s for %pMR", hdev->name, bdaddr);
3504
3505 return 0;
3506}
3507
3508int hci_add_remote_oob_ext_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
3509 u8 *hash192, u8 *rand192,
3510 u8 *hash256, u8 *rand256)
3511{
3512 struct oob_data *data;
3513
3514 data = hci_find_remote_oob_data(hdev, bdaddr);
3515 if (!data) {
3516 data = kmalloc(sizeof(*data), GFP_KERNEL);
3517 if (!data)
3518 return -ENOMEM;
3519
3520 bacpy(&data->bdaddr, bdaddr);
3521 list_add(&data->list, &hdev->remote_oob_data);
3522 } 3561 }
3523 3562
3524 memcpy(data->hash192, hash192, sizeof(data->hash192)); 3563 if (hash256 && rand256) {
3525 memcpy(data->rand192, rand192, sizeof(data->rand192)); 3564 memcpy(data->hash256, hash256, sizeof(data->hash256));
3526 3565 memcpy(data->rand256, rand256, sizeof(data->rand256));
3527 memcpy(data->hash256, hash256, sizeof(data->hash256)); 3566 } else {
3528 memcpy(data->rand256, rand256, sizeof(data->rand256)); 3567 memset(data->hash256, 0, sizeof(data->hash256));
3568 memset(data->rand256, 0, sizeof(data->rand256));
3569 }
3529 3570
3530 BT_DBG("%s for %pMR", hdev->name, bdaddr); 3571 BT_DBG("%s for %pMR", hdev->name, bdaddr);
3531 3572
@@ -4225,6 +4266,7 @@ void hci_unregister_dev(struct hci_dev *hdev)
4225 hci_remote_oob_data_clear(hdev); 4266 hci_remote_oob_data_clear(hdev);
4226 hci_bdaddr_list_clear(&hdev->le_white_list); 4267 hci_bdaddr_list_clear(&hdev->le_white_list);
4227 hci_conn_params_clear_all(hdev); 4268 hci_conn_params_clear_all(hdev);
4269 hci_discovery_filter_clear(hdev);
4228 hci_dev_unlock(hdev); 4270 hci_dev_unlock(hdev);
4229 4271
4230 hci_dev_put(hdev); 4272 hci_dev_put(hdev);
@@ -5597,6 +5639,19 @@ void hci_req_add_le_passive_scan(struct hci_request *req)
5597 */ 5639 */
5598 filter_policy = update_white_list(req); 5640 filter_policy = update_white_list(req);
5599 5641
5642 /* When the controller is using random resolvable addresses and
5643 * with that having LE privacy enabled, then controllers with
5644 * Extended Scanner Filter Policies support can now enable support
5645 * for handling directed advertising.
5646 *
5647 * So instead of using filter polices 0x00 (no whitelist)
5648 * and 0x01 (whitelist enabled) use the new filter policies
5649 * 0x02 (no whitelist) and 0x03 (whitelist enabled).
5650 */
5651 if (test_bit(HCI_PRIVACY, &hdev->dev_flags) &&
5652 (hdev->le_features[0] & HCI_LE_EXT_SCAN_POLICY))
5653 filter_policy |= 0x02;
5654
5600 memset(&param_cp, 0, sizeof(param_cp)); 5655 memset(&param_cp, 0, sizeof(param_cp));
5601 param_cp.type = LE_SCAN_PASSIVE; 5656 param_cp.type = LE_SCAN_PASSIVE;
5602 param_cp.interval = cpu_to_le16(hdev->le_scan_interval); 5657 param_cp.interval = cpu_to_le16(hdev->le_scan_interval);
@@ -5648,6 +5703,15 @@ void hci_update_background_scan(struct hci_dev *hdev)
5648 if (hdev->discovery.state != DISCOVERY_STOPPED) 5703 if (hdev->discovery.state != DISCOVERY_STOPPED)
5649 return; 5704 return;
5650 5705
5706 /* Reset RSSI and UUID filters when starting background scanning
5707 * since these filters are meant for service discovery only.
5708 *
5709 * The Start Discovery and Start Service Discovery operations
5710 * ensure to set proper values for RSSI threshold and UUID
5711 * filter list. So it is safe to just reset them here.
5712 */
5713 hci_discovery_filter_clear(hdev);
5714
5651 hci_req_init(&req, hdev); 5715 hci_req_init(&req, hdev);
5652 5716
5653 if (list_empty(&hdev->pend_le_conns) && 5717 if (list_empty(&hdev->pend_le_conns) &&
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index bd0a80120665..322abbbbcef9 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -2043,13 +2043,14 @@ static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
2043 data.pscan_mode = info->pscan_mode; 2043 data.pscan_mode = info->pscan_mode;
2044 memcpy(data.dev_class, info->dev_class, 3); 2044 memcpy(data.dev_class, info->dev_class, 3);
2045 data.clock_offset = info->clock_offset; 2045 data.clock_offset = info->clock_offset;
2046 data.rssi = 0x00; 2046 data.rssi = HCI_RSSI_INVALID;
2047 data.ssp_mode = 0x00; 2047 data.ssp_mode = 0x00;
2048 2048
2049 flags = hci_inquiry_cache_update(hdev, &data, false); 2049 flags = hci_inquiry_cache_update(hdev, &data, false);
2050 2050
2051 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 2051 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
2052 info->dev_class, 0, flags, NULL, 0, NULL, 0); 2052 info->dev_class, HCI_RSSI_INVALID,
2053 flags, NULL, 0, NULL, 0);
2053 } 2054 }
2054 2055
2055 hci_dev_unlock(hdev); 2056 hci_dev_unlock(hdev);
@@ -3249,6 +3250,8 @@ static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3249 3250
3250 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3251 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3251 if (conn) { 3252 if (conn) {
3253 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3254
3252 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 || 3255 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
3253 key->type == HCI_LK_UNAUTH_COMBINATION_P256) && 3256 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
3254 conn->auth_type != 0xff && (conn->auth_type & 0x01)) { 3257 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
@@ -3294,12 +3297,15 @@ static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
3294 hci_dev_lock(hdev); 3297 hci_dev_lock(hdev);
3295 3298
3296 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3299 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3297 if (conn) { 3300 if (!conn)
3298 hci_conn_hold(conn); 3301 goto unlock;
3299 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 3302
3300 hci_conn_drop(conn); 3303 hci_conn_hold(conn);
3301 conn_set_key(conn, ev->key_type, conn->pin_length); 3304 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3302 } 3305 hci_conn_drop(conn);
3306
3307 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3308 conn_set_key(conn, ev->key_type, conn->pin_length);
3303 3309
3304 if (!test_bit(HCI_MGMT, &hdev->dev_flags)) 3310 if (!test_bit(HCI_MGMT, &hdev->dev_flags))
3305 goto unlock; 3311 goto unlock;
@@ -3326,13 +3332,14 @@ static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
3326 !test_bit(HCI_KEEP_DEBUG_KEYS, &hdev->dev_flags)) { 3332 !test_bit(HCI_KEEP_DEBUG_KEYS, &hdev->dev_flags)) {
3327 list_del_rcu(&key->list); 3333 list_del_rcu(&key->list);
3328 kfree_rcu(key, rcu); 3334 kfree_rcu(key, rcu);
3329 } else if (conn) { 3335 goto unlock;
3330 if (persistent)
3331 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3332 else
3333 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3334 } 3336 }
3335 3337
3338 if (persistent)
3339 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3340 else
3341 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3342
3336unlock: 3343unlock:
3337 hci_dev_unlock(hdev); 3344 hci_dev_unlock(hdev);
3338} 3345}
@@ -3767,7 +3774,7 @@ static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3767 3774
3768 cp.authentication = conn->auth_type; 3775 cp.authentication = conn->auth_type;
3769 3776
3770 if (hci_find_remote_oob_data(hdev, &conn->dst) && 3777 if (hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR) &&
3771 (conn->out || test_bit(HCI_CONN_REMOTE_OOB, &conn->flags))) 3778 (conn->out || test_bit(HCI_CONN_REMOTE_OOB, &conn->flags)))
3772 cp.oob_data = 0x01; 3779 cp.oob_data = 0x01;
3773 else 3780 else
@@ -4022,9 +4029,9 @@ static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
4022 if (!test_bit(HCI_MGMT, &hdev->dev_flags)) 4029 if (!test_bit(HCI_MGMT, &hdev->dev_flags))
4023 goto unlock; 4030 goto unlock;
4024 4031
4025 data = hci_find_remote_oob_data(hdev, &ev->bdaddr); 4032 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
4026 if (data) { 4033 if (data) {
4027 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags)) { 4034 if (bredr_sc_enabled(hdev)) {
4028 struct hci_cp_remote_oob_ext_data_reply cp; 4035 struct hci_cp_remote_oob_ext_data_reply cp;
4029 4036
4030 bacpy(&cp.bdaddr, &ev->bdaddr); 4037 bacpy(&cp.bdaddr, &ev->bdaddr);
@@ -4419,7 +4426,8 @@ static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
4419} 4426}
4420 4427
4421static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr, 4428static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
4422 u8 bdaddr_type, s8 rssi, u8 *data, u8 len) 4429 u8 bdaddr_type, bdaddr_t *direct_addr,
4430 u8 direct_addr_type, s8 rssi, u8 *data, u8 len)
4423{ 4431{
4424 struct discovery_state *d = &hdev->discovery; 4432 struct discovery_state *d = &hdev->discovery;
4425 struct smp_irk *irk; 4433 struct smp_irk *irk;
@@ -4427,6 +4435,32 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
4427 bool match; 4435 bool match;
4428 u32 flags; 4436 u32 flags;
4429 4437
4438 /* If the direct address is present, then this report is from
4439 * a LE Direct Advertising Report event. In that case it is
4440 * important to see if the address is matching the local
4441 * controller address.
4442 */
4443 if (direct_addr) {
4444 /* Only resolvable random addresses are valid for these
4445 * kind of reports and others can be ignored.
4446 */
4447 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
4448 return;
4449
4450 /* If the controller is not using resolvable random
4451 * addresses, then this report can be ignored.
4452 */
4453 if (!test_bit(HCI_PRIVACY, &hdev->dev_flags))
4454 return;
4455
4456 /* If the local IRK of the controller does not match
4457 * with the resolvable random address provided, then
4458 * this report can be ignored.
4459 */
4460 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
4461 return;
4462 }
4463
4430 /* Check if we need to convert to identity address */ 4464 /* Check if we need to convert to identity address */
4431 irk = hci_get_irk(hdev, bdaddr, bdaddr_type); 4465 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
4432 if (irk) { 4466 if (irk) {
@@ -4563,7 +4597,8 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
4563 4597
4564 rssi = ev->data[ev->length]; 4598 rssi = ev->data[ev->length];
4565 process_adv_report(hdev, ev->evt_type, &ev->bdaddr, 4599 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
4566 ev->bdaddr_type, rssi, ev->data, ev->length); 4600 ev->bdaddr_type, NULL, 0, rssi,
4601 ev->data, ev->length);
4567 4602
4568 ptr += sizeof(*ev) + ev->length + 1; 4603 ptr += sizeof(*ev) + ev->length + 1;
4569 } 4604 }
@@ -4587,10 +4622,20 @@ static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
4587 if (conn == NULL) 4622 if (conn == NULL)
4588 goto not_found; 4623 goto not_found;
4589 4624
4590 ltk = hci_find_ltk(hdev, ev->ediv, ev->rand, conn->role); 4625 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
4591 if (ltk == NULL) 4626 if (!ltk)
4592 goto not_found; 4627 goto not_found;
4593 4628
4629 if (smp_ltk_is_sc(ltk)) {
4630 /* With SC both EDiv and Rand are set to zero */
4631 if (ev->ediv || ev->rand)
4632 goto not_found;
4633 } else {
4634 /* For non-SC keys check that EDiv and Rand match */
4635 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
4636 goto not_found;
4637 }
4638
4594 memcpy(cp.ltk, ltk->val, sizeof(ltk->val)); 4639 memcpy(cp.ltk, ltk->val, sizeof(ltk->val));
4595 cp.handle = cpu_to_le16(conn->handle); 4640 cp.handle = cpu_to_le16(conn->handle);
4596 4641
@@ -4694,6 +4739,27 @@ static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
4694 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp); 4739 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
4695} 4740}
4696 4741
4742static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
4743 struct sk_buff *skb)
4744{
4745 u8 num_reports = skb->data[0];
4746 void *ptr = &skb->data[1];
4747
4748 hci_dev_lock(hdev);
4749
4750 while (num_reports--) {
4751 struct hci_ev_le_direct_adv_info *ev = ptr;
4752
4753 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
4754 ev->bdaddr_type, &ev->direct_addr,
4755 ev->direct_addr_type, ev->rssi, NULL, 0);
4756
4757 ptr += sizeof(*ev);
4758 }
4759
4760 hci_dev_unlock(hdev);
4761}
4762
4697static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb) 4763static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
4698{ 4764{
4699 struct hci_ev_le_meta *le_ev = (void *) skb->data; 4765 struct hci_ev_le_meta *le_ev = (void *) skb->data;
@@ -4721,6 +4787,10 @@ static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
4721 hci_le_remote_conn_param_req_evt(hdev, skb); 4787 hci_le_remote_conn_param_req_evt(hdev, skb);
4722 break; 4788 break;
4723 4789
4790 case HCI_EV_LE_DIRECT_ADV_REPORT:
4791 hci_le_direct_adv_report_evt(hdev, skb);
4792 break;
4793
4724 default: 4794 default:
4725 break; 4795 break;
4726 } 4796 }
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index c2d1489c228c..a8da7ea9c2c0 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -46,7 +46,6 @@
46bool disable_ertm; 46bool disable_ertm;
47 47
48static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD; 48static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
49static u8 l2cap_fixed_chan[8] = { L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS, };
50 49
51static LIST_HEAD(chan_list); 50static LIST_HEAD(chan_list);
52static DEFINE_RWLOCK(chan_list_lock); 51static DEFINE_RWLOCK(chan_list_lock);
@@ -1120,10 +1119,10 @@ static bool __amp_capable(struct l2cap_chan *chan)
1120 struct hci_dev *hdev; 1119 struct hci_dev *hdev;
1121 bool amp_available = false; 1120 bool amp_available = false;
1122 1121
1123 if (!conn->hs_enabled) 1122 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
1124 return false; 1123 return false;
1125 1124
1126 if (!(conn->fixed_chan_mask & L2CAP_FC_A2MP)) 1125 if (!(conn->remote_fixed_chan & L2CAP_FC_A2MP))
1127 return false; 1126 return false;
1128 1127
1129 read_lock(&hci_dev_list_lock); 1128 read_lock(&hci_dev_list_lock);
@@ -3096,12 +3095,14 @@ static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3096 3095
3097static inline bool __l2cap_ews_supported(struct l2cap_conn *conn) 3096static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
3098{ 3097{
3099 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_WINDOW; 3098 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3099 (conn->feat_mask & L2CAP_FEAT_EXT_WINDOW));
3100} 3100}
3101 3101
3102static inline bool __l2cap_efs_supported(struct l2cap_conn *conn) 3102static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
3103{ 3103{
3104 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_FLOW; 3104 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3105 (conn->feat_mask & L2CAP_FEAT_EXT_FLOW));
3105} 3106}
3106 3107
3107static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan, 3108static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
@@ -3330,7 +3331,7 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
3330 break; 3331 break;
3331 3332
3332 case L2CAP_CONF_EWS: 3333 case L2CAP_CONF_EWS:
3333 if (!chan->conn->hs_enabled) 3334 if (!(chan->conn->local_fixed_chan & L2CAP_FC_A2MP))
3334 return -ECONNREFUSED; 3335 return -ECONNREFUSED;
3335 3336
3336 set_bit(FLAG_EXT_CTRL, &chan->flags); 3337 set_bit(FLAG_EXT_CTRL, &chan->flags);
@@ -4334,7 +4335,7 @@ static inline int l2cap_information_req(struct l2cap_conn *conn,
4334 if (!disable_ertm) 4335 if (!disable_ertm)
4335 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING 4336 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
4336 | L2CAP_FEAT_FCS; 4337 | L2CAP_FEAT_FCS;
4337 if (conn->hs_enabled) 4338 if (conn->local_fixed_chan & L2CAP_FC_A2MP)
4338 feat_mask |= L2CAP_FEAT_EXT_FLOW 4339 feat_mask |= L2CAP_FEAT_EXT_FLOW
4339 | L2CAP_FEAT_EXT_WINDOW; 4340 | L2CAP_FEAT_EXT_WINDOW;
4340 4341
@@ -4345,14 +4346,10 @@ static inline int l2cap_information_req(struct l2cap_conn *conn,
4345 u8 buf[12]; 4346 u8 buf[12];
4346 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf; 4347 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4347 4348
4348 if (conn->hs_enabled)
4349 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4350 else
4351 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4352
4353 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN); 4349 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4354 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS); 4350 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4355 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan)); 4351 rsp->data[0] = conn->local_fixed_chan;
4352 memset(rsp->data + 1, 0, 7);
4356 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf), 4353 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4357 buf); 4354 buf);
4358 } else { 4355 } else {
@@ -4418,7 +4415,7 @@ static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4418 break; 4415 break;
4419 4416
4420 case L2CAP_IT_FIXED_CHAN: 4417 case L2CAP_IT_FIXED_CHAN:
4421 conn->fixed_chan_mask = rsp->data[0]; 4418 conn->remote_fixed_chan = rsp->data[0];
4422 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 4419 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4423 conn->info_ident = 0; 4420 conn->info_ident = 0;
4424 4421
@@ -4442,7 +4439,7 @@ static int l2cap_create_channel_req(struct l2cap_conn *conn,
4442 if (cmd_len != sizeof(*req)) 4439 if (cmd_len != sizeof(*req))
4443 return -EPROTO; 4440 return -EPROTO;
4444 4441
4445 if (!conn->hs_enabled) 4442 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4446 return -EINVAL; 4443 return -EINVAL;
4447 4444
4448 psm = le16_to_cpu(req->psm); 4445 psm = le16_to_cpu(req->psm);
@@ -4872,7 +4869,7 @@ static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
4872 4869
4873 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id); 4870 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
4874 4871
4875 if (!conn->hs_enabled) 4872 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4876 return -EINVAL; 4873 return -EINVAL;
4877 4874
4878 chan = l2cap_get_chan_by_dcid(conn, icid); 4875 chan = l2cap_get_chan_by_dcid(conn, icid);
@@ -6964,9 +6961,15 @@ static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
6964 6961
6965 conn->feat_mask = 0; 6962 conn->feat_mask = 0;
6966 6963
6967 if (hcon->type == ACL_LINK) 6964 conn->local_fixed_chan = L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS;
6968 conn->hs_enabled = test_bit(HCI_HS_ENABLED, 6965
6969 &hcon->hdev->dev_flags); 6966 if (hcon->type == ACL_LINK &&
6967 test_bit(HCI_HS_ENABLED, &hcon->hdev->dev_flags))
6968 conn->local_fixed_chan |= L2CAP_FC_A2MP;
6969
6970 if (bredr_sc_enabled(hcon->hdev) &&
6971 test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags))
6972 conn->local_fixed_chan |= L2CAP_FC_SMP_BREDR;
6970 6973
6971 mutex_init(&conn->ident_lock); 6974 mutex_init(&conn->ident_lock);
6972 mutex_init(&conn->chan_lock); 6975 mutex_init(&conn->chan_lock);
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index cbeef5f62f3b..a91e484886fe 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -35,7 +35,7 @@
35#include "smp.h" 35#include "smp.h"
36 36
37#define MGMT_VERSION 1 37#define MGMT_VERSION 1
38#define MGMT_REVISION 7 38#define MGMT_REVISION 8
39 39
40static const u16 mgmt_commands[] = { 40static const u16 mgmt_commands[] = {
41 MGMT_OP_READ_INDEX_LIST, 41 MGMT_OP_READ_INDEX_LIST,
@@ -93,6 +93,7 @@ static const u16 mgmt_commands[] = {
93 MGMT_OP_READ_CONFIG_INFO, 93 MGMT_OP_READ_CONFIG_INFO,
94 MGMT_OP_SET_EXTERNAL_CONFIG, 94 MGMT_OP_SET_EXTERNAL_CONFIG,
95 MGMT_OP_SET_PUBLIC_ADDRESS, 95 MGMT_OP_SET_PUBLIC_ADDRESS,
96 MGMT_OP_START_SERVICE_DISCOVERY,
96}; 97};
97 98
98static const u16 mgmt_events[] = { 99static const u16 mgmt_events[] = {
@@ -134,8 +135,10 @@ struct pending_cmd {
134 u16 opcode; 135 u16 opcode;
135 int index; 136 int index;
136 void *param; 137 void *param;
138 size_t param_len;
137 struct sock *sk; 139 struct sock *sk;
138 void *user_data; 140 void *user_data;
141 void (*cmd_complete)(struct pending_cmd *cmd, u8 status);
139}; 142};
140 143
141/* HCI to MGMT error code conversion table */ 144/* HCI to MGMT error code conversion table */
@@ -574,6 +577,7 @@ static u32 get_supported_settings(struct hci_dev *hdev)
574 if (lmp_le_capable(hdev)) { 577 if (lmp_le_capable(hdev)) {
575 settings |= MGMT_SETTING_LE; 578 settings |= MGMT_SETTING_LE;
576 settings |= MGMT_SETTING_ADVERTISING; 579 settings |= MGMT_SETTING_ADVERTISING;
580 settings |= MGMT_SETTING_SECURE_CONN;
577 settings |= MGMT_SETTING_PRIVACY; 581 settings |= MGMT_SETTING_PRIVACY;
578 } 582 }
579 583
@@ -1202,14 +1206,13 @@ static struct pending_cmd *mgmt_pending_add(struct sock *sk, u16 opcode,
1202 cmd->opcode = opcode; 1206 cmd->opcode = opcode;
1203 cmd->index = hdev->id; 1207 cmd->index = hdev->id;
1204 1208
1205 cmd->param = kmalloc(len, GFP_KERNEL); 1209 cmd->param = kmemdup(data, len, GFP_KERNEL);
1206 if (!cmd->param) { 1210 if (!cmd->param) {
1207 kfree(cmd); 1211 kfree(cmd);
1208 return NULL; 1212 return NULL;
1209 } 1213 }
1210 1214
1211 if (data) 1215 cmd->param_len = len;
1212 memcpy(cmd->param, data, len);
1213 1216
1214 cmd->sk = sk; 1217 cmd->sk = sk;
1215 sock_hold(sk); 1218 sock_hold(sk);
@@ -1469,6 +1472,32 @@ static void cmd_status_rsp(struct pending_cmd *cmd, void *data)
1469 mgmt_pending_remove(cmd); 1472 mgmt_pending_remove(cmd);
1470} 1473}
1471 1474
1475static void cmd_complete_rsp(struct pending_cmd *cmd, void *data)
1476{
1477 if (cmd->cmd_complete) {
1478 u8 *status = data;
1479
1480 cmd->cmd_complete(cmd, *status);
1481 mgmt_pending_remove(cmd);
1482
1483 return;
1484 }
1485
1486 cmd_status_rsp(cmd, data);
1487}
1488
1489static void generic_cmd_complete(struct pending_cmd *cmd, u8 status)
1490{
1491 cmd_complete(cmd->sk, cmd->index, cmd->opcode, status, cmd->param,
1492 cmd->param_len);
1493}
1494
1495static void addr_cmd_complete(struct pending_cmd *cmd, u8 status)
1496{
1497 cmd_complete(cmd->sk, cmd->index, cmd->opcode, status, cmd->param,
1498 sizeof(struct mgmt_addr_info));
1499}
1500
1472static u8 mgmt_bredr_support(struct hci_dev *hdev) 1501static u8 mgmt_bredr_support(struct hci_dev *hdev)
1473{ 1502{
1474 if (!lmp_bredr_capable(hdev)) 1503 if (!lmp_bredr_capable(hdev))
@@ -2792,6 +2821,8 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2792 goto unlock; 2821 goto unlock;
2793 } 2822 }
2794 2823
2824 cmd->cmd_complete = addr_cmd_complete;
2825
2795 dc.handle = cpu_to_le16(conn->handle); 2826 dc.handle = cpu_to_le16(conn->handle);
2796 dc.reason = 0x13; /* Remote User Terminated Connection */ 2827 dc.reason = 0x13; /* Remote User Terminated Connection */
2797 err = hci_send_cmd(hdev, HCI_OP_DISCONNECT, sizeof(dc), &dc); 2828 err = hci_send_cmd(hdev, HCI_OP_DISCONNECT, sizeof(dc), &dc);
@@ -2855,6 +2886,8 @@ static int disconnect(struct sock *sk, struct hci_dev *hdev, void *data,
2855 goto failed; 2886 goto failed;
2856 } 2887 }
2857 2888
2889 cmd->cmd_complete = generic_cmd_complete;
2890
2858 err = hci_disconnect(conn, HCI_ERROR_REMOTE_USER_TERM); 2891 err = hci_disconnect(conn, HCI_ERROR_REMOTE_USER_TERM);
2859 if (err < 0) 2892 if (err < 0)
2860 mgmt_pending_remove(cmd); 2893 mgmt_pending_remove(cmd);
@@ -3007,6 +3040,8 @@ static int pin_code_reply(struct sock *sk, struct hci_dev *hdev, void *data,
3007 goto failed; 3040 goto failed;
3008 } 3041 }
3009 3042
3043 cmd->cmd_complete = addr_cmd_complete;
3044
3010 bacpy(&reply.bdaddr, &cp->addr.bdaddr); 3045 bacpy(&reply.bdaddr, &cp->addr.bdaddr);
3011 reply.pin_len = cp->pin_len; 3046 reply.pin_len = cp->pin_len;
3012 memcpy(reply.pin_code, cp->pin_code, sizeof(reply.pin_code)); 3047 memcpy(reply.pin_code, cp->pin_code, sizeof(reply.pin_code));
@@ -3096,7 +3131,7 @@ void mgmt_smp_complete(struct hci_conn *conn, bool complete)
3096 3131
3097 cmd = find_pairing(conn); 3132 cmd = find_pairing(conn);
3098 if (cmd) 3133 if (cmd)
3099 pairing_complete(cmd, status); 3134 cmd->cmd_complete(cmd, status);
3100} 3135}
3101 3136
3102static void pairing_complete_cb(struct hci_conn *conn, u8 status) 3137static void pairing_complete_cb(struct hci_conn *conn, u8 status)
@@ -3109,7 +3144,7 @@ static void pairing_complete_cb(struct hci_conn *conn, u8 status)
3109 if (!cmd) 3144 if (!cmd)
3110 BT_DBG("Unable to find a pending command"); 3145 BT_DBG("Unable to find a pending command");
3111 else 3146 else
3112 pairing_complete(cmd, mgmt_status(status)); 3147 cmd->cmd_complete(cmd, mgmt_status(status));
3113} 3148}
3114 3149
3115static void le_pairing_complete_cb(struct hci_conn *conn, u8 status) 3150static void le_pairing_complete_cb(struct hci_conn *conn, u8 status)
@@ -3125,7 +3160,7 @@ static void le_pairing_complete_cb(struct hci_conn *conn, u8 status)
3125 if (!cmd) 3160 if (!cmd)
3126 BT_DBG("Unable to find a pending command"); 3161 BT_DBG("Unable to find a pending command");
3127 else 3162 else
3128 pairing_complete(cmd, mgmt_status(status)); 3163 cmd->cmd_complete(cmd, mgmt_status(status));
3129} 3164}
3130 3165
3131static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data, 3166static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
@@ -3222,6 +3257,8 @@ static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
3222 goto unlock; 3257 goto unlock;
3223 } 3258 }
3224 3259
3260 cmd->cmd_complete = pairing_complete;
3261
3225 /* For LE, just connecting isn't a proof that the pairing finished */ 3262 /* For LE, just connecting isn't a proof that the pairing finished */
3226 if (cp->addr.type == BDADDR_BREDR) { 3263 if (cp->addr.type == BDADDR_BREDR) {
3227 conn->connect_cfm_cb = pairing_complete_cb; 3264 conn->connect_cfm_cb = pairing_complete_cb;
@@ -3338,6 +3375,8 @@ static int user_pairing_resp(struct sock *sk, struct hci_dev *hdev,
3338 goto done; 3375 goto done;
3339 } 3376 }
3340 3377
3378 cmd->cmd_complete = addr_cmd_complete;
3379
3341 /* Continue with pairing via HCI */ 3380 /* Continue with pairing via HCI */
3342 if (hci_op == HCI_OP_USER_PASSKEY_REPLY) { 3381 if (hci_op == HCI_OP_USER_PASSKEY_REPLY) {
3343 struct hci_cp_user_passkey_reply cp; 3382 struct hci_cp_user_passkey_reply cp;
@@ -3562,7 +3601,7 @@ static int read_local_oob_data(struct sock *sk, struct hci_dev *hdev,
3562 goto unlock; 3601 goto unlock;
3563 } 3602 }
3564 3603
3565 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags)) 3604 if (bredr_sc_enabled(hdev))
3566 err = hci_send_cmd(hdev, HCI_OP_READ_LOCAL_OOB_EXT_DATA, 3605 err = hci_send_cmd(hdev, HCI_OP_READ_LOCAL_OOB_EXT_DATA,
3567 0, NULL); 3606 0, NULL);
3568 else 3607 else
@@ -3598,7 +3637,8 @@ static int add_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
3598 } 3637 }
3599 3638
3600 err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr, 3639 err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr,
3601 cp->hash, cp->rand); 3640 cp->addr.type, cp->hash,
3641 cp->rand, NULL, NULL);
3602 if (err < 0) 3642 if (err < 0)
3603 status = MGMT_STATUS_FAILED; 3643 status = MGMT_STATUS_FAILED;
3604 else 3644 else
@@ -3608,6 +3648,7 @@ static int add_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
3608 status, &cp->addr, sizeof(cp->addr)); 3648 status, &cp->addr, sizeof(cp->addr));
3609 } else if (len == MGMT_ADD_REMOTE_OOB_EXT_DATA_SIZE) { 3649 } else if (len == MGMT_ADD_REMOTE_OOB_EXT_DATA_SIZE) {
3610 struct mgmt_cp_add_remote_oob_ext_data *cp = data; 3650 struct mgmt_cp_add_remote_oob_ext_data *cp = data;
3651 u8 *rand192, *hash192;
3611 u8 status; 3652 u8 status;
3612 3653
3613 if (cp->addr.type != BDADDR_BREDR) { 3654 if (cp->addr.type != BDADDR_BREDR) {
@@ -3618,9 +3659,17 @@ static int add_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
3618 goto unlock; 3659 goto unlock;
3619 } 3660 }
3620 3661
3621 err = hci_add_remote_oob_ext_data(hdev, &cp->addr.bdaddr, 3662 if (bdaddr_type_is_le(cp->addr.type)) {
3622 cp->hash192, cp->rand192, 3663 rand192 = NULL;
3623 cp->hash256, cp->rand256); 3664 hash192 = NULL;
3665 } else {
3666 rand192 = cp->rand192;
3667 hash192 = cp->hash192;
3668 }
3669
3670 err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr,
3671 cp->addr.type, hash192, rand192,
3672 cp->hash256, cp->rand256);
3624 if (err < 0) 3673 if (err < 0)
3625 status = MGMT_STATUS_FAILED; 3674 status = MGMT_STATUS_FAILED;
3626 else 3675 else
@@ -3661,7 +3710,7 @@ static int remove_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
3661 goto done; 3710 goto done;
3662 } 3711 }
3663 3712
3664 err = hci_remove_remote_oob_data(hdev, &cp->addr.bdaddr); 3713 err = hci_remove_remote_oob_data(hdev, &cp->addr.bdaddr, cp->addr.type);
3665 if (err < 0) 3714 if (err < 0)
3666 status = MGMT_STATUS_INVALID_PARAMS; 3715 status = MGMT_STATUS_INVALID_PARAMS;
3667 else 3716 else
@@ -3675,64 +3724,150 @@ done:
3675 return err; 3724 return err;
3676} 3725}
3677 3726
3678static int mgmt_start_discovery_failed(struct hci_dev *hdev, u8 status) 3727static bool trigger_discovery(struct hci_request *req, u8 *status)
3679{ 3728{
3680 struct pending_cmd *cmd; 3729 struct hci_dev *hdev = req->hdev;
3681 u8 type; 3730 struct hci_cp_le_set_scan_param param_cp;
3731 struct hci_cp_le_set_scan_enable enable_cp;
3732 struct hci_cp_inquiry inq_cp;
3733 /* General inquiry access code (GIAC) */
3734 u8 lap[3] = { 0x33, 0x8b, 0x9e };
3735 u8 own_addr_type;
3682 int err; 3736 int err;
3683 3737
3684 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 3738 switch (hdev->discovery.type) {
3739 case DISCOV_TYPE_BREDR:
3740 *status = mgmt_bredr_support(hdev);
3741 if (*status)
3742 return false;
3685 3743
3686 cmd = mgmt_pending_find(MGMT_OP_START_DISCOVERY, hdev); 3744 if (test_bit(HCI_INQUIRY, &hdev->flags)) {
3687 if (!cmd) 3745 *status = MGMT_STATUS_BUSY;
3688 return -ENOENT; 3746 return false;
3747 }
3689 3748
3690 type = hdev->discovery.type; 3749 hci_inquiry_cache_flush(hdev);
3691 3750
3692 err = cmd_complete(cmd->sk, hdev->id, cmd->opcode, mgmt_status(status), 3751 memset(&inq_cp, 0, sizeof(inq_cp));
3693 &type, sizeof(type)); 3752 memcpy(&inq_cp.lap, lap, sizeof(inq_cp.lap));
3694 mgmt_pending_remove(cmd); 3753 inq_cp.length = DISCOV_BREDR_INQUIRY_LEN;
3754 hci_req_add(req, HCI_OP_INQUIRY, sizeof(inq_cp), &inq_cp);
3755 break;
3695 3756
3696 return err; 3757 case DISCOV_TYPE_LE:
3758 case DISCOV_TYPE_INTERLEAVED:
3759 *status = mgmt_le_support(hdev);
3760 if (*status)
3761 return false;
3762
3763 if (hdev->discovery.type == DISCOV_TYPE_INTERLEAVED &&
3764 !test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags)) {
3765 *status = MGMT_STATUS_NOT_SUPPORTED;
3766 return false;
3767 }
3768
3769 if (test_bit(HCI_LE_ADV, &hdev->dev_flags)) {
3770 /* Don't let discovery abort an outgoing
3771 * connection attempt that's using directed
3772 * advertising.
3773 */
3774 if (hci_conn_hash_lookup_state(hdev, LE_LINK,
3775 BT_CONNECT)) {
3776 *status = MGMT_STATUS_REJECTED;
3777 return false;
3778 }
3779
3780 disable_advertising(req);
3781 }
3782
3783 /* If controller is scanning, it means the background scanning
3784 * is running. Thus, we should temporarily stop it in order to
3785 * set the discovery scanning parameters.
3786 */
3787 if (test_bit(HCI_LE_SCAN, &hdev->dev_flags))
3788 hci_req_add_le_scan_disable(req);
3789
3790 memset(&param_cp, 0, sizeof(param_cp));
3791
3792 /* All active scans will be done with either a resolvable
3793 * private address (when privacy feature has been enabled)
3794 * or unresolvable private address.
3795 */
3796 err = hci_update_random_address(req, true, &own_addr_type);
3797 if (err < 0) {
3798 *status = MGMT_STATUS_FAILED;
3799 return false;
3800 }
3801
3802 param_cp.type = LE_SCAN_ACTIVE;
3803 param_cp.interval = cpu_to_le16(DISCOV_LE_SCAN_INT);
3804 param_cp.window = cpu_to_le16(DISCOV_LE_SCAN_WIN);
3805 param_cp.own_address_type = own_addr_type;
3806 hci_req_add(req, HCI_OP_LE_SET_SCAN_PARAM, sizeof(param_cp),
3807 &param_cp);
3808
3809 memset(&enable_cp, 0, sizeof(enable_cp));
3810 enable_cp.enable = LE_SCAN_ENABLE;
3811 enable_cp.filter_dup = LE_SCAN_FILTER_DUP_ENABLE;
3812 hci_req_add(req, HCI_OP_LE_SET_SCAN_ENABLE, sizeof(enable_cp),
3813 &enable_cp);
3814 break;
3815
3816 default:
3817 *status = MGMT_STATUS_INVALID_PARAMS;
3818 return false;
3819 }
3820
3821 return true;
3697} 3822}
3698 3823
3699static void start_discovery_complete(struct hci_dev *hdev, u8 status) 3824static void start_discovery_complete(struct hci_dev *hdev, u8 status)
3700{ 3825{
3701 unsigned long timeout = 0; 3826 struct pending_cmd *cmd;
3827 unsigned long timeout;
3702 3828
3703 BT_DBG("status %d", status); 3829 BT_DBG("status %d", status);
3704 3830
3831 hci_dev_lock(hdev);
3832
3833 cmd = mgmt_pending_find(MGMT_OP_START_DISCOVERY, hdev);
3834 if (!cmd)
3835 cmd = mgmt_pending_find(MGMT_OP_START_SERVICE_DISCOVERY, hdev);
3836
3837 if (cmd) {
3838 cmd->cmd_complete(cmd, mgmt_status(status));
3839 mgmt_pending_remove(cmd);
3840 }
3841
3705 if (status) { 3842 if (status) {
3706 hci_dev_lock(hdev); 3843 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3707 mgmt_start_discovery_failed(hdev, status); 3844 goto unlock;
3708 hci_dev_unlock(hdev);
3709 return;
3710 } 3845 }
3711 3846
3712 hci_dev_lock(hdev);
3713 hci_discovery_set_state(hdev, DISCOVERY_FINDING); 3847 hci_discovery_set_state(hdev, DISCOVERY_FINDING);
3714 hci_dev_unlock(hdev);
3715 3848
3716 switch (hdev->discovery.type) { 3849 switch (hdev->discovery.type) {
3717 case DISCOV_TYPE_LE: 3850 case DISCOV_TYPE_LE:
3718 timeout = msecs_to_jiffies(DISCOV_LE_TIMEOUT); 3851 timeout = msecs_to_jiffies(DISCOV_LE_TIMEOUT);
3719 break; 3852 break;
3720
3721 case DISCOV_TYPE_INTERLEAVED: 3853 case DISCOV_TYPE_INTERLEAVED:
3722 timeout = msecs_to_jiffies(hdev->discov_interleaved_timeout); 3854 timeout = msecs_to_jiffies(hdev->discov_interleaved_timeout);
3723 break; 3855 break;
3724
3725 case DISCOV_TYPE_BREDR: 3856 case DISCOV_TYPE_BREDR:
3857 timeout = 0;
3726 break; 3858 break;
3727
3728 default: 3859 default:
3729 BT_ERR("Invalid discovery type %d", hdev->discovery.type); 3860 BT_ERR("Invalid discovery type %d", hdev->discovery.type);
3861 timeout = 0;
3862 break;
3730 } 3863 }
3731 3864
3732 if (!timeout) 3865 if (timeout)
3733 return; 3866 queue_delayed_work(hdev->workqueue,
3867 &hdev->le_scan_disable, timeout);
3734 3868
3735 queue_delayed_work(hdev->workqueue, &hdev->le_scan_disable, timeout); 3869unlock:
3870 hci_dev_unlock(hdev);
3736} 3871}
3737 3872
3738static int start_discovery(struct sock *sk, struct hci_dev *hdev, 3873static int start_discovery(struct sock *sk, struct hci_dev *hdev,
@@ -3740,13 +3875,8 @@ static int start_discovery(struct sock *sk, struct hci_dev *hdev,
3740{ 3875{
3741 struct mgmt_cp_start_discovery *cp = data; 3876 struct mgmt_cp_start_discovery *cp = data;
3742 struct pending_cmd *cmd; 3877 struct pending_cmd *cmd;
3743 struct hci_cp_le_set_scan_param param_cp;
3744 struct hci_cp_le_set_scan_enable enable_cp;
3745 struct hci_cp_inquiry inq_cp;
3746 struct hci_request req; 3878 struct hci_request req;
3747 /* General inquiry access code (GIAC) */ 3879 u8 status;
3748 u8 lap[3] = { 0x33, 0x8b, 0x9e };
3749 u8 status, own_addr_type;
3750 int err; 3880 int err;
3751 3881
3752 BT_DBG("%s", hdev->name); 3882 BT_DBG("%s", hdev->name);
@@ -3760,184 +3890,182 @@ static int start_discovery(struct sock *sk, struct hci_dev *hdev,
3760 goto failed; 3890 goto failed;
3761 } 3891 }
3762 3892
3763 if (test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags)) { 3893 if (hdev->discovery.state != DISCOVERY_STOPPED ||
3894 test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags)) {
3764 err = cmd_complete(sk, hdev->id, MGMT_OP_START_DISCOVERY, 3895 err = cmd_complete(sk, hdev->id, MGMT_OP_START_DISCOVERY,
3765 MGMT_STATUS_BUSY, &cp->type, 3896 MGMT_STATUS_BUSY, &cp->type,
3766 sizeof(cp->type)); 3897 sizeof(cp->type));
3767 goto failed; 3898 goto failed;
3768 } 3899 }
3769 3900
3770 if (hdev->discovery.state != DISCOVERY_STOPPED) { 3901 cmd = mgmt_pending_add(sk, MGMT_OP_START_DISCOVERY, hdev, data, len);
3771 err = cmd_complete(sk, hdev->id, MGMT_OP_START_DISCOVERY,
3772 MGMT_STATUS_BUSY, &cp->type,
3773 sizeof(cp->type));
3774 goto failed;
3775 }
3776
3777 cmd = mgmt_pending_add(sk, MGMT_OP_START_DISCOVERY, hdev, NULL, 0);
3778 if (!cmd) { 3902 if (!cmd) {
3779 err = -ENOMEM; 3903 err = -ENOMEM;
3780 goto failed; 3904 goto failed;
3781 } 3905 }
3782 3906
3907 cmd->cmd_complete = generic_cmd_complete;
3908
3909 /* Clear the discovery filter first to free any previously
3910 * allocated memory for the UUID list.
3911 */
3912 hci_discovery_filter_clear(hdev);
3913
3783 hdev->discovery.type = cp->type; 3914 hdev->discovery.type = cp->type;
3915 hdev->discovery.report_invalid_rssi = false;
3784 3916
3785 hci_req_init(&req, hdev); 3917 hci_req_init(&req, hdev);
3786 3918
3787 switch (hdev->discovery.type) { 3919 if (!trigger_discovery(&req, &status)) {
3788 case DISCOV_TYPE_BREDR: 3920 err = cmd_complete(sk, hdev->id, MGMT_OP_START_DISCOVERY,
3789 status = mgmt_bredr_support(hdev); 3921 status, &cp->type, sizeof(cp->type));
3790 if (status) { 3922 mgmt_pending_remove(cmd);
3791 err = cmd_complete(sk, hdev->id, 3923 goto failed;
3792 MGMT_OP_START_DISCOVERY, status, 3924 }
3793 &cp->type, sizeof(cp->type));
3794 mgmt_pending_remove(cmd);
3795 goto failed;
3796 }
3797 3925
3798 if (test_bit(HCI_INQUIRY, &hdev->flags)) { 3926 err = hci_req_run(&req, start_discovery_complete);
3799 err = cmd_complete(sk, hdev->id, 3927 if (err < 0) {
3800 MGMT_OP_START_DISCOVERY, 3928 mgmt_pending_remove(cmd);
3801 MGMT_STATUS_BUSY, &cp->type, 3929 goto failed;
3802 sizeof(cp->type)); 3930 }
3803 mgmt_pending_remove(cmd);
3804 goto failed;
3805 }
3806 3931
3807 hci_inquiry_cache_flush(hdev); 3932 hci_discovery_set_state(hdev, DISCOVERY_STARTING);
3808 3933
3809 memset(&inq_cp, 0, sizeof(inq_cp)); 3934failed:
3810 memcpy(&inq_cp.lap, lap, sizeof(inq_cp.lap)); 3935 hci_dev_unlock(hdev);
3811 inq_cp.length = DISCOV_BREDR_INQUIRY_LEN; 3936 return err;
3812 hci_req_add(&req, HCI_OP_INQUIRY, sizeof(inq_cp), &inq_cp); 3937}
3813 break;
3814 3938
3815 case DISCOV_TYPE_LE: 3939static void service_discovery_cmd_complete(struct pending_cmd *cmd, u8 status)
3816 case DISCOV_TYPE_INTERLEAVED: 3940{
3817 status = mgmt_le_support(hdev); 3941 cmd_complete(cmd->sk, cmd->index, cmd->opcode, status, cmd->param, 1);
3818 if (status) { 3942}
3819 err = cmd_complete(sk, hdev->id,
3820 MGMT_OP_START_DISCOVERY, status,
3821 &cp->type, sizeof(cp->type));
3822 mgmt_pending_remove(cmd);
3823 goto failed;
3824 }
3825 3943
3826 if (hdev->discovery.type == DISCOV_TYPE_INTERLEAVED && 3944static int start_service_discovery(struct sock *sk, struct hci_dev *hdev,
3827 !test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags)) { 3945 void *data, u16 len)
3828 err = cmd_complete(sk, hdev->id, 3946{
3829 MGMT_OP_START_DISCOVERY, 3947 struct mgmt_cp_start_service_discovery *cp = data;
3830 MGMT_STATUS_NOT_SUPPORTED, 3948 struct pending_cmd *cmd;
3831 &cp->type, sizeof(cp->type)); 3949 struct hci_request req;
3832 mgmt_pending_remove(cmd); 3950 const u16 max_uuid_count = ((U16_MAX - sizeof(*cp)) / 16);
3833 goto failed; 3951 u16 uuid_count, expected_len;
3834 } 3952 u8 status;
3953 int err;
3835 3954
3836 if (test_bit(HCI_LE_ADV, &hdev->dev_flags)) { 3955 BT_DBG("%s", hdev->name);
3837 /* Don't let discovery abort an outgoing
3838 * connection attempt that's using directed
3839 * advertising.
3840 */
3841 if (hci_conn_hash_lookup_state(hdev, LE_LINK,
3842 BT_CONNECT)) {
3843 err = cmd_complete(sk, hdev->id,
3844 MGMT_OP_START_DISCOVERY,
3845 MGMT_STATUS_REJECTED,
3846 &cp->type,
3847 sizeof(cp->type));
3848 mgmt_pending_remove(cmd);
3849 goto failed;
3850 }
3851 3956
3852 disable_advertising(&req); 3957 hci_dev_lock(hdev);
3853 }
3854 3958
3855 /* If controller is scanning, it means the background scanning 3959 if (!hdev_is_powered(hdev)) {
3856 * is running. Thus, we should temporarily stop it in order to 3960 err = cmd_complete(sk, hdev->id,
3857 * set the discovery scanning parameters. 3961 MGMT_OP_START_SERVICE_DISCOVERY,
3858 */ 3962 MGMT_STATUS_NOT_POWERED,
3859 if (test_bit(HCI_LE_SCAN, &hdev->dev_flags)) 3963 &cp->type, sizeof(cp->type));
3860 hci_req_add_le_scan_disable(&req); 3964 goto failed;
3965 }
3861 3966
3862 memset(&param_cp, 0, sizeof(param_cp)); 3967 if (hdev->discovery.state != DISCOVERY_STOPPED ||
3968 test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags)) {
3969 err = cmd_complete(sk, hdev->id,
3970 MGMT_OP_START_SERVICE_DISCOVERY,
3971 MGMT_STATUS_BUSY, &cp->type,
3972 sizeof(cp->type));
3973 goto failed;
3974 }
3863 3975
3864 /* All active scans will be done with either a resolvable 3976 uuid_count = __le16_to_cpu(cp->uuid_count);
3865 * private address (when privacy feature has been enabled) 3977 if (uuid_count > max_uuid_count) {
3866 * or unresolvable private address. 3978 BT_ERR("service_discovery: too big uuid_count value %u",
3867 */ 3979 uuid_count);
3868 err = hci_update_random_address(&req, true, &own_addr_type); 3980 err = cmd_complete(sk, hdev->id,
3869 if (err < 0) { 3981 MGMT_OP_START_SERVICE_DISCOVERY,
3982 MGMT_STATUS_INVALID_PARAMS, &cp->type,
3983 sizeof(cp->type));
3984 goto failed;
3985 }
3986
3987 expected_len = sizeof(*cp) + uuid_count * 16;
3988 if (expected_len != len) {
3989 BT_ERR("service_discovery: expected %u bytes, got %u bytes",
3990 expected_len, len);
3991 err = cmd_complete(sk, hdev->id,
3992 MGMT_OP_START_SERVICE_DISCOVERY,
3993 MGMT_STATUS_INVALID_PARAMS, &cp->type,
3994 sizeof(cp->type));
3995 goto failed;
3996 }
3997
3998 cmd = mgmt_pending_add(sk, MGMT_OP_START_SERVICE_DISCOVERY,
3999 hdev, data, len);
4000 if (!cmd) {
4001 err = -ENOMEM;
4002 goto failed;
4003 }
4004
4005 cmd->cmd_complete = service_discovery_cmd_complete;
4006
4007 /* Clear the discovery filter first to free any previously
4008 * allocated memory for the UUID list.
4009 */
4010 hci_discovery_filter_clear(hdev);
4011
4012 hdev->discovery.type = cp->type;
4013 hdev->discovery.rssi = cp->rssi;
4014 hdev->discovery.uuid_count = uuid_count;
4015
4016 if (uuid_count > 0) {
4017 hdev->discovery.uuids = kmemdup(cp->uuids, uuid_count * 16,
4018 GFP_KERNEL);
4019 if (!hdev->discovery.uuids) {
3870 err = cmd_complete(sk, hdev->id, 4020 err = cmd_complete(sk, hdev->id,
3871 MGMT_OP_START_DISCOVERY, 4021 MGMT_OP_START_SERVICE_DISCOVERY,
3872 MGMT_STATUS_FAILED, 4022 MGMT_STATUS_FAILED,
3873 &cp->type, sizeof(cp->type)); 4023 &cp->type, sizeof(cp->type));
3874 mgmt_pending_remove(cmd); 4024 mgmt_pending_remove(cmd);
3875 goto failed; 4025 goto failed;
3876 } 4026 }
4027 }
3877 4028
3878 param_cp.type = LE_SCAN_ACTIVE; 4029 hci_req_init(&req, hdev);
3879 param_cp.interval = cpu_to_le16(DISCOV_LE_SCAN_INT);
3880 param_cp.window = cpu_to_le16(DISCOV_LE_SCAN_WIN);
3881 param_cp.own_address_type = own_addr_type;
3882 hci_req_add(&req, HCI_OP_LE_SET_SCAN_PARAM, sizeof(param_cp),
3883 &param_cp);
3884
3885 memset(&enable_cp, 0, sizeof(enable_cp));
3886 enable_cp.enable = LE_SCAN_ENABLE;
3887 enable_cp.filter_dup = LE_SCAN_FILTER_DUP_ENABLE;
3888 hci_req_add(&req, HCI_OP_LE_SET_SCAN_ENABLE, sizeof(enable_cp),
3889 &enable_cp);
3890 break;
3891 4030
3892 default: 4031 if (!trigger_discovery(&req, &status)) {
3893 err = cmd_complete(sk, hdev->id, MGMT_OP_START_DISCOVERY, 4032 err = cmd_complete(sk, hdev->id,
3894 MGMT_STATUS_INVALID_PARAMS, 4033 MGMT_OP_START_SERVICE_DISCOVERY,
3895 &cp->type, sizeof(cp->type)); 4034 status, &cp->type, sizeof(cp->type));
3896 mgmt_pending_remove(cmd); 4035 mgmt_pending_remove(cmd);
3897 goto failed; 4036 goto failed;
3898 } 4037 }
3899 4038
3900 err = hci_req_run(&req, start_discovery_complete); 4039 err = hci_req_run(&req, start_discovery_complete);
3901 if (err < 0) 4040 if (err < 0) {
3902 mgmt_pending_remove(cmd); 4041 mgmt_pending_remove(cmd);
3903 else 4042 goto failed;
3904 hci_discovery_set_state(hdev, DISCOVERY_STARTING); 4043 }
4044
4045 hci_discovery_set_state(hdev, DISCOVERY_STARTING);
3905 4046
3906failed: 4047failed:
3907 hci_dev_unlock(hdev); 4048 hci_dev_unlock(hdev);
3908 return err; 4049 return err;
3909} 4050}
3910 4051
3911static int mgmt_stop_discovery_failed(struct hci_dev *hdev, u8 status) 4052static void stop_discovery_complete(struct hci_dev *hdev, u8 status)
3912{ 4053{
3913 struct pending_cmd *cmd; 4054 struct pending_cmd *cmd;
3914 int err;
3915 4055
3916 cmd = mgmt_pending_find(MGMT_OP_STOP_DISCOVERY, hdev);
3917 if (!cmd)
3918 return -ENOENT;
3919
3920 err = cmd_complete(cmd->sk, hdev->id, cmd->opcode, mgmt_status(status),
3921 &hdev->discovery.type, sizeof(hdev->discovery.type));
3922 mgmt_pending_remove(cmd);
3923
3924 return err;
3925}
3926
3927static void stop_discovery_complete(struct hci_dev *hdev, u8 status)
3928{
3929 BT_DBG("status %d", status); 4056 BT_DBG("status %d", status);
3930 4057
3931 hci_dev_lock(hdev); 4058 hci_dev_lock(hdev);
3932 4059
3933 if (status) { 4060 cmd = mgmt_pending_find(MGMT_OP_STOP_DISCOVERY, hdev);
3934 mgmt_stop_discovery_failed(hdev, status); 4061 if (cmd) {
3935 goto unlock; 4062 cmd->cmd_complete(cmd, mgmt_status(status));
4063 mgmt_pending_remove(cmd);
3936 } 4064 }
3937 4065
3938 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 4066 if (!status)
4067 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3939 4068
3940unlock:
3941 hci_dev_unlock(hdev); 4069 hci_dev_unlock(hdev);
3942} 4070}
3943 4071
@@ -3967,12 +4095,14 @@ static int stop_discovery(struct sock *sk, struct hci_dev *hdev, void *data,
3967 goto unlock; 4095 goto unlock;
3968 } 4096 }
3969 4097
3970 cmd = mgmt_pending_add(sk, MGMT_OP_STOP_DISCOVERY, hdev, NULL, 0); 4098 cmd = mgmt_pending_add(sk, MGMT_OP_STOP_DISCOVERY, hdev, data, len);
3971 if (!cmd) { 4099 if (!cmd) {
3972 err = -ENOMEM; 4100 err = -ENOMEM;
3973 goto unlock; 4101 goto unlock;
3974 } 4102 }
3975 4103
4104 cmd->cmd_complete = generic_cmd_complete;
4105
3976 hci_req_init(&req, hdev); 4106 hci_req_init(&req, hdev);
3977 4107
3978 hci_stop_discovery(&req); 4108 hci_stop_discovery(&req);
@@ -4572,18 +4702,13 @@ static int set_secure_conn(struct sock *sk, struct hci_dev *hdev,
4572{ 4702{
4573 struct mgmt_mode *cp = data; 4703 struct mgmt_mode *cp = data;
4574 struct pending_cmd *cmd; 4704 struct pending_cmd *cmd;
4575 u8 val, status; 4705 u8 val;
4576 int err; 4706 int err;
4577 4707
4578 BT_DBG("request for %s", hdev->name); 4708 BT_DBG("request for %s", hdev->name);
4579 4709
4580 status = mgmt_bredr_support(hdev); 4710 if (!test_bit(HCI_LE_ENABLED, &hdev->dev_flags) &&
4581 if (status) 4711 !lmp_sc_capable(hdev) && !test_bit(HCI_FORCE_SC, &hdev->dbg_flags))
4582 return cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
4583 status);
4584
4585 if (!lmp_sc_capable(hdev) &&
4586 !test_bit(HCI_FORCE_SC, &hdev->dbg_flags))
4587 return cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN, 4712 return cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
4588 MGMT_STATUS_NOT_SUPPORTED); 4713 MGMT_STATUS_NOT_SUPPORTED);
4589 4714
@@ -4593,7 +4718,10 @@ static int set_secure_conn(struct sock *sk, struct hci_dev *hdev,
4593 4718
4594 hci_dev_lock(hdev); 4719 hci_dev_lock(hdev);
4595 4720
4596 if (!hdev_is_powered(hdev)) { 4721 if (!hdev_is_powered(hdev) ||
4722 (!lmp_sc_capable(hdev) &&
4723 !test_bit(HCI_FORCE_SC, &hdev->dbg_flags)) ||
4724 !test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags)) {
4597 bool changed; 4725 bool changed;
4598 4726
4599 if (cp->val) { 4727 if (cp->val) {
@@ -4910,18 +5038,26 @@ static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev,
4910 else 5038 else
4911 addr_type = ADDR_LE_DEV_RANDOM; 5039 addr_type = ADDR_LE_DEV_RANDOM;
4912 5040
4913 if (key->master)
4914 type = SMP_LTK;
4915 else
4916 type = SMP_LTK_SLAVE;
4917
4918 switch (key->type) { 5041 switch (key->type) {
4919 case MGMT_LTK_UNAUTHENTICATED: 5042 case MGMT_LTK_UNAUTHENTICATED:
4920 authenticated = 0x00; 5043 authenticated = 0x00;
5044 type = key->master ? SMP_LTK : SMP_LTK_SLAVE;
4921 break; 5045 break;
4922 case MGMT_LTK_AUTHENTICATED: 5046 case MGMT_LTK_AUTHENTICATED:
4923 authenticated = 0x01; 5047 authenticated = 0x01;
5048 type = key->master ? SMP_LTK : SMP_LTK_SLAVE;
5049 break;
5050 case MGMT_LTK_P256_UNAUTH:
5051 authenticated = 0x00;
5052 type = SMP_LTK_P256;
4924 break; 5053 break;
5054 case MGMT_LTK_P256_AUTH:
5055 authenticated = 0x01;
5056 type = SMP_LTK_P256;
5057 break;
5058 case MGMT_LTK_P256_DEBUG:
5059 authenticated = 0x00;
5060 type = SMP_LTK_P256_DEBUG;
4925 default: 5061 default:
4926 continue; 5062 continue;
4927 } 5063 }
@@ -4939,67 +5075,42 @@ static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev,
4939 return err; 5075 return err;
4940} 5076}
4941 5077
4942struct cmd_conn_lookup { 5078static void conn_info_cmd_complete(struct pending_cmd *cmd, u8 status)
4943 struct hci_conn *conn;
4944 bool valid_tx_power;
4945 u8 mgmt_status;
4946};
4947
4948static void get_conn_info_complete(struct pending_cmd *cmd, void *data)
4949{ 5079{
4950 struct cmd_conn_lookup *match = data;
4951 struct mgmt_cp_get_conn_info *cp;
4952 struct mgmt_rp_get_conn_info rp;
4953 struct hci_conn *conn = cmd->user_data; 5080 struct hci_conn *conn = cmd->user_data;
5081 struct mgmt_rp_get_conn_info rp;
4954 5082
4955 if (conn != match->conn) 5083 memcpy(&rp.addr, cmd->param, sizeof(rp.addr));
4956 return;
4957
4958 cp = (struct mgmt_cp_get_conn_info *) cmd->param;
4959
4960 memset(&rp, 0, sizeof(rp));
4961 bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
4962 rp.addr.type = cp->addr.type;
4963 5084
4964 if (!match->mgmt_status) { 5085 if (status == MGMT_STATUS_SUCCESS) {
4965 rp.rssi = conn->rssi; 5086 rp.rssi = conn->rssi;
4966 5087 rp.tx_power = conn->tx_power;
4967 if (match->valid_tx_power) { 5088 rp.max_tx_power = conn->max_tx_power;
4968 rp.tx_power = conn->tx_power; 5089 } else {
4969 rp.max_tx_power = conn->max_tx_power; 5090 rp.rssi = HCI_RSSI_INVALID;
4970 } else { 5091 rp.tx_power = HCI_TX_POWER_INVALID;
4971 rp.tx_power = HCI_TX_POWER_INVALID; 5092 rp.max_tx_power = HCI_TX_POWER_INVALID;
4972 rp.max_tx_power = HCI_TX_POWER_INVALID;
4973 }
4974 } 5093 }
4975 5094
4976 cmd_complete(cmd->sk, cmd->index, MGMT_OP_GET_CONN_INFO, 5095 cmd_complete(cmd->sk, cmd->index, MGMT_OP_GET_CONN_INFO, status,
4977 match->mgmt_status, &rp, sizeof(rp)); 5096 &rp, sizeof(rp));
4978 5097
4979 hci_conn_drop(conn); 5098 hci_conn_drop(conn);
4980 hci_conn_put(conn); 5099 hci_conn_put(conn);
4981
4982 mgmt_pending_remove(cmd);
4983} 5100}
4984 5101
4985static void conn_info_refresh_complete(struct hci_dev *hdev, u8 status) 5102static void conn_info_refresh_complete(struct hci_dev *hdev, u8 hci_status)
4986{ 5103{
4987 struct hci_cp_read_rssi *cp; 5104 struct hci_cp_read_rssi *cp;
5105 struct pending_cmd *cmd;
4988 struct hci_conn *conn; 5106 struct hci_conn *conn;
4989 struct cmd_conn_lookup match;
4990 u16 handle; 5107 u16 handle;
5108 u8 status;
4991 5109
4992 BT_DBG("status 0x%02x", status); 5110 BT_DBG("status 0x%02x", hci_status);
4993 5111
4994 hci_dev_lock(hdev); 5112 hci_dev_lock(hdev);
4995 5113
4996 /* TX power data is valid in case request completed successfully,
4997 * otherwise we assume it's not valid. At the moment we assume that
4998 * either both or none of current and max values are valid to keep code
4999 * simple.
5000 */
5001 match.valid_tx_power = !status;
5002
5003 /* Commands sent in request are either Read RSSI or Read Transmit Power 5114 /* Commands sent in request are either Read RSSI or Read Transmit Power
5004 * Level so we check which one was last sent to retrieve connection 5115 * Level so we check which one was last sent to retrieve connection
5005 * handle. Both commands have handle as first parameter so it's safe to 5116 * handle. Both commands have handle as first parameter so it's safe to
@@ -5012,29 +5123,29 @@ static void conn_info_refresh_complete(struct hci_dev *hdev, u8 status)
5012 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_RSSI); 5123 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_RSSI);
5013 if (!cp) { 5124 if (!cp) {
5014 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER); 5125 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
5015 status = 0; 5126 status = MGMT_STATUS_SUCCESS;
5127 } else {
5128 status = mgmt_status(hci_status);
5016 } 5129 }
5017 5130
5018 if (!cp) { 5131 if (!cp) {
5019 BT_ERR("invalid sent_cmd in response"); 5132 BT_ERR("invalid sent_cmd in conn_info response");
5020 goto unlock; 5133 goto unlock;
5021 } 5134 }
5022 5135
5023 handle = __le16_to_cpu(cp->handle); 5136 handle = __le16_to_cpu(cp->handle);
5024 conn = hci_conn_hash_lookup_handle(hdev, handle); 5137 conn = hci_conn_hash_lookup_handle(hdev, handle);
5025 if (!conn) { 5138 if (!conn) {
5026 BT_ERR("unknown handle (%d) in response", handle); 5139 BT_ERR("unknown handle (%d) in conn_info response", handle);
5027 goto unlock; 5140 goto unlock;
5028 } 5141 }
5029 5142
5030 match.conn = conn; 5143 cmd = mgmt_pending_find_data(MGMT_OP_GET_CONN_INFO, hdev, conn);
5031 match.mgmt_status = mgmt_status(status); 5144 if (!cmd)
5145 goto unlock;
5032 5146
5033 /* Cache refresh is complete, now reply for mgmt request for given 5147 cmd->cmd_complete(cmd, status);
5034 * connection only. 5148 mgmt_pending_remove(cmd);
5035 */
5036 mgmt_pending_foreach(MGMT_OP_GET_CONN_INFO, hdev,
5037 get_conn_info_complete, &match);
5038 5149
5039unlock: 5150unlock:
5040 hci_dev_unlock(hdev); 5151 hci_dev_unlock(hdev);
@@ -5080,6 +5191,12 @@ static int get_conn_info(struct sock *sk, struct hci_dev *hdev, void *data,
5080 goto unlock; 5191 goto unlock;
5081 } 5192 }
5082 5193
5194 if (mgmt_pending_find_data(MGMT_OP_GET_CONN_INFO, hdev, conn)) {
5195 err = cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
5196 MGMT_STATUS_BUSY, &rp, sizeof(rp));
5197 goto unlock;
5198 }
5199
5083 /* To avoid client trying to guess when to poll again for information we 5200 /* To avoid client trying to guess when to poll again for information we
5084 * calculate conn info age as random value between min/max set in hdev. 5201 * calculate conn info age as random value between min/max set in hdev.
5085 */ 5202 */
@@ -5135,6 +5252,7 @@ static int get_conn_info(struct sock *sk, struct hci_dev *hdev, void *data,
5135 5252
5136 hci_conn_hold(conn); 5253 hci_conn_hold(conn);
5137 cmd->user_data = hci_conn_get(conn); 5254 cmd->user_data = hci_conn_get(conn);
5255 cmd->cmd_complete = conn_info_cmd_complete;
5138 5256
5139 conn->conn_info_timestamp = jiffies; 5257 conn->conn_info_timestamp = jiffies;
5140 } else { 5258 } else {
@@ -5152,10 +5270,40 @@ unlock:
5152 return err; 5270 return err;
5153} 5271}
5154 5272
5155static void get_clock_info_complete(struct hci_dev *hdev, u8 status) 5273static void clock_info_cmd_complete(struct pending_cmd *cmd, u8 status)
5156{ 5274{
5157 struct mgmt_cp_get_clock_info *cp; 5275 struct hci_conn *conn = cmd->user_data;
5158 struct mgmt_rp_get_clock_info rp; 5276 struct mgmt_rp_get_clock_info rp;
5277 struct hci_dev *hdev;
5278
5279 memset(&rp, 0, sizeof(rp));
5280 memcpy(&rp.addr, &cmd->param, sizeof(rp.addr));
5281
5282 if (status)
5283 goto complete;
5284
5285 hdev = hci_dev_get(cmd->index);
5286 if (hdev) {
5287 rp.local_clock = cpu_to_le32(hdev->clock);
5288 hci_dev_put(hdev);
5289 }
5290
5291 if (conn) {
5292 rp.piconet_clock = cpu_to_le32(conn->clock);
5293 rp.accuracy = cpu_to_le16(conn->clock_accuracy);
5294 }
5295
5296complete:
5297 cmd_complete(cmd->sk, cmd->index, cmd->opcode, status, &rp, sizeof(rp));
5298
5299 if (conn) {
5300 hci_conn_drop(conn);
5301 hci_conn_put(conn);
5302 }
5303}
5304
5305static void get_clock_info_complete(struct hci_dev *hdev, u8 status)
5306{
5159 struct hci_cp_read_clock *hci_cp; 5307 struct hci_cp_read_clock *hci_cp;
5160 struct pending_cmd *cmd; 5308 struct pending_cmd *cmd;
5161 struct hci_conn *conn; 5309 struct hci_conn *conn;
@@ -5179,29 +5327,8 @@ static void get_clock_info_complete(struct hci_dev *hdev, u8 status)
5179 if (!cmd) 5327 if (!cmd)
5180 goto unlock; 5328 goto unlock;
5181 5329
5182 cp = cmd->param; 5330 cmd->cmd_complete(cmd, mgmt_status(status));
5183
5184 memset(&rp, 0, sizeof(rp));
5185 memcpy(&rp.addr, &cp->addr, sizeof(rp.addr));
5186
5187 if (status)
5188 goto send_rsp;
5189
5190 rp.local_clock = cpu_to_le32(hdev->clock);
5191
5192 if (conn) {
5193 rp.piconet_clock = cpu_to_le32(conn->clock);
5194 rp.accuracy = cpu_to_le16(conn->clock_accuracy);
5195 }
5196
5197send_rsp:
5198 cmd_complete(cmd->sk, cmd->index, cmd->opcode, mgmt_status(status),
5199 &rp, sizeof(rp));
5200 mgmt_pending_remove(cmd); 5331 mgmt_pending_remove(cmd);
5201 if (conn) {
5202 hci_conn_drop(conn);
5203 hci_conn_put(conn);
5204 }
5205 5332
5206unlock: 5333unlock:
5207 hci_dev_unlock(hdev); 5334 hci_dev_unlock(hdev);
@@ -5257,6 +5384,8 @@ static int get_clock_info(struct sock *sk, struct hci_dev *hdev, void *data,
5257 goto unlock; 5384 goto unlock;
5258 } 5385 }
5259 5386
5387 cmd->cmd_complete = clock_info_cmd_complete;
5388
5260 hci_req_init(&req, hdev); 5389 hci_req_init(&req, hdev);
5261 5390
5262 memset(&hci_cp, 0, sizeof(hci_cp)); 5391 memset(&hci_cp, 0, sizeof(hci_cp));
@@ -5746,6 +5875,7 @@ static const struct mgmt_handler {
5746 { read_config_info, false, MGMT_READ_CONFIG_INFO_SIZE }, 5875 { read_config_info, false, MGMT_READ_CONFIG_INFO_SIZE },
5747 { set_external_config, false, MGMT_SET_EXTERNAL_CONFIG_SIZE }, 5876 { set_external_config, false, MGMT_SET_EXTERNAL_CONFIG_SIZE },
5748 { set_public_address, false, MGMT_SET_PUBLIC_ADDRESS_SIZE }, 5877 { set_public_address, false, MGMT_SET_PUBLIC_ADDRESS_SIZE },
5878 { start_service_discovery,true, MGMT_START_SERVICE_DISCOVERY_SIZE },
5749}; 5879};
5750 5880
5751int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen) 5881int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen)
@@ -5882,7 +6012,7 @@ void mgmt_index_removed(struct hci_dev *hdev)
5882 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks)) 6012 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
5883 return; 6013 return;
5884 6014
5885 mgmt_pending_foreach(0, hdev, cmd_status_rsp, &status); 6015 mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status);
5886 6016
5887 if (test_bit(HCI_UNCONFIGURED, &hdev->dev_flags)) 6017 if (test_bit(HCI_UNCONFIGURED, &hdev->dev_flags))
5888 mgmt_event(MGMT_EV_UNCONF_INDEX_REMOVED, hdev, NULL, 0, NULL); 6018 mgmt_event(MGMT_EV_UNCONF_INDEX_REMOVED, hdev, NULL, 0, NULL);
@@ -6017,7 +6147,7 @@ int mgmt_powered(struct hci_dev *hdev, u8 powered)
6017 } 6147 }
6018 6148
6019 mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match); 6149 mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match);
6020 mgmt_pending_foreach(0, hdev, cmd_status_rsp, &status_not_powered); 6150 mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status_not_powered);
6021 6151
6022 if (memcmp(hdev->dev_class, zero_cod, sizeof(zero_cod)) != 0) 6152 if (memcmp(hdev->dev_class, zero_cod, sizeof(zero_cod)) != 0)
6023 mgmt_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev, 6153 mgmt_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev,
@@ -6101,8 +6231,19 @@ void mgmt_new_link_key(struct hci_dev *hdev, struct link_key *key,
6101 6231
6102static u8 mgmt_ltk_type(struct smp_ltk *ltk) 6232static u8 mgmt_ltk_type(struct smp_ltk *ltk)
6103{ 6233{
6104 if (ltk->authenticated) 6234 switch (ltk->type) {
6105 return MGMT_LTK_AUTHENTICATED; 6235 case SMP_LTK:
6236 case SMP_LTK_SLAVE:
6237 if (ltk->authenticated)
6238 return MGMT_LTK_AUTHENTICATED;
6239 return MGMT_LTK_UNAUTHENTICATED;
6240 case SMP_LTK_P256:
6241 if (ltk->authenticated)
6242 return MGMT_LTK_P256_AUTH;
6243 return MGMT_LTK_P256_UNAUTH;
6244 case SMP_LTK_P256_DEBUG:
6245 return MGMT_LTK_P256_DEBUG;
6246 }
6106 6247
6107 return MGMT_LTK_UNAUTHENTICATED; 6248 return MGMT_LTK_UNAUTHENTICATED;
6108} 6249}
@@ -6276,15 +6417,9 @@ void mgmt_device_connected(struct hci_dev *hdev, struct hci_conn *conn,
6276 6417
6277static void disconnect_rsp(struct pending_cmd *cmd, void *data) 6418static void disconnect_rsp(struct pending_cmd *cmd, void *data)
6278{ 6419{
6279 struct mgmt_cp_disconnect *cp = cmd->param;
6280 struct sock **sk = data; 6420 struct sock **sk = data;
6281 struct mgmt_rp_disconnect rp;
6282 6421
6283 bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr); 6422 cmd->cmd_complete(cmd, 0);
6284 rp.addr.type = cp->addr.type;
6285
6286 cmd_complete(cmd->sk, cmd->index, MGMT_OP_DISCONNECT, 0, &rp,
6287 sizeof(rp));
6288 6423
6289 *sk = cmd->sk; 6424 *sk = cmd->sk;
6290 sock_hold(*sk); 6425 sock_hold(*sk);
@@ -6296,16 +6431,10 @@ static void unpair_device_rsp(struct pending_cmd *cmd, void *data)
6296{ 6431{
6297 struct hci_dev *hdev = data; 6432 struct hci_dev *hdev = data;
6298 struct mgmt_cp_unpair_device *cp = cmd->param; 6433 struct mgmt_cp_unpair_device *cp = cmd->param;
6299 struct mgmt_rp_unpair_device rp;
6300
6301 memset(&rp, 0, sizeof(rp));
6302 bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
6303 rp.addr.type = cp->addr.type;
6304 6434
6305 device_unpaired(hdev, &cp->addr.bdaddr, cp->addr.type, cmd->sk); 6435 device_unpaired(hdev, &cp->addr.bdaddr, cp->addr.type, cmd->sk);
6306 6436
6307 cmd_complete(cmd->sk, cmd->index, cmd->opcode, 0, &rp, sizeof(rp)); 6437 cmd->cmd_complete(cmd, 0);
6308
6309 mgmt_pending_remove(cmd); 6438 mgmt_pending_remove(cmd);
6310} 6439}
6311 6440
@@ -6366,7 +6495,6 @@ void mgmt_disconnect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr,
6366{ 6495{
6367 u8 bdaddr_type = link_to_bdaddr(link_type, addr_type); 6496 u8 bdaddr_type = link_to_bdaddr(link_type, addr_type);
6368 struct mgmt_cp_disconnect *cp; 6497 struct mgmt_cp_disconnect *cp;
6369 struct mgmt_rp_disconnect rp;
6370 struct pending_cmd *cmd; 6498 struct pending_cmd *cmd;
6371 6499
6372 mgmt_pending_foreach(MGMT_OP_UNPAIR_DEVICE, hdev, unpair_device_rsp, 6500 mgmt_pending_foreach(MGMT_OP_UNPAIR_DEVICE, hdev, unpair_device_rsp,
@@ -6384,12 +6512,7 @@ void mgmt_disconnect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr,
6384 if (cp->addr.type != bdaddr_type) 6512 if (cp->addr.type != bdaddr_type)
6385 return; 6513 return;
6386 6514
6387 bacpy(&rp.addr.bdaddr, bdaddr); 6515 cmd->cmd_complete(cmd, mgmt_status(status));
6388 rp.addr.type = bdaddr_type;
6389
6390 cmd_complete(cmd->sk, cmd->index, MGMT_OP_DISCONNECT,
6391 mgmt_status(status), &rp, sizeof(rp));
6392
6393 mgmt_pending_remove(cmd); 6516 mgmt_pending_remove(cmd);
6394} 6517}
6395 6518
@@ -6428,18 +6551,12 @@ void mgmt_pin_code_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
6428 u8 status) 6551 u8 status)
6429{ 6552{
6430 struct pending_cmd *cmd; 6553 struct pending_cmd *cmd;
6431 struct mgmt_rp_pin_code_reply rp;
6432 6554
6433 cmd = mgmt_pending_find(MGMT_OP_PIN_CODE_REPLY, hdev); 6555 cmd = mgmt_pending_find(MGMT_OP_PIN_CODE_REPLY, hdev);
6434 if (!cmd) 6556 if (!cmd)
6435 return; 6557 return;
6436 6558
6437 bacpy(&rp.addr.bdaddr, bdaddr); 6559 cmd->cmd_complete(cmd, mgmt_status(status));
6438 rp.addr.type = BDADDR_BREDR;
6439
6440 cmd_complete(cmd->sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
6441 mgmt_status(status), &rp, sizeof(rp));
6442
6443 mgmt_pending_remove(cmd); 6560 mgmt_pending_remove(cmd);
6444} 6561}
6445 6562
@@ -6447,18 +6564,12 @@ void mgmt_pin_code_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
6447 u8 status) 6564 u8 status)
6448{ 6565{
6449 struct pending_cmd *cmd; 6566 struct pending_cmd *cmd;
6450 struct mgmt_rp_pin_code_reply rp;
6451 6567
6452 cmd = mgmt_pending_find(MGMT_OP_PIN_CODE_NEG_REPLY, hdev); 6568 cmd = mgmt_pending_find(MGMT_OP_PIN_CODE_NEG_REPLY, hdev);
6453 if (!cmd) 6569 if (!cmd)
6454 return; 6570 return;
6455 6571
6456 bacpy(&rp.addr.bdaddr, bdaddr); 6572 cmd->cmd_complete(cmd, mgmt_status(status));
6457 rp.addr.type = BDADDR_BREDR;
6458
6459 cmd_complete(cmd->sk, hdev->id, MGMT_OP_PIN_CODE_NEG_REPLY,
6460 mgmt_status(status), &rp, sizeof(rp));
6461
6462 mgmt_pending_remove(cmd); 6573 mgmt_pending_remove(cmd);
6463} 6574}
6464 6575
@@ -6498,21 +6609,15 @@ static int user_pairing_resp_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
6498 u8 opcode) 6609 u8 opcode)
6499{ 6610{
6500 struct pending_cmd *cmd; 6611 struct pending_cmd *cmd;
6501 struct mgmt_rp_user_confirm_reply rp;
6502 int err;
6503 6612
6504 cmd = mgmt_pending_find(opcode, hdev); 6613 cmd = mgmt_pending_find(opcode, hdev);
6505 if (!cmd) 6614 if (!cmd)
6506 return -ENOENT; 6615 return -ENOENT;
6507 6616
6508 bacpy(&rp.addr.bdaddr, bdaddr); 6617 cmd->cmd_complete(cmd, mgmt_status(status));
6509 rp.addr.type = link_to_bdaddr(link_type, addr_type);
6510 err = cmd_complete(cmd->sk, hdev->id, opcode, mgmt_status(status),
6511 &rp, sizeof(rp));
6512
6513 mgmt_pending_remove(cmd); 6618 mgmt_pending_remove(cmd);
6514 6619
6515 return err; 6620 return 0;
6516} 6621}
6517 6622
6518int mgmt_user_confirm_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr, 6623int mgmt_user_confirm_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
@@ -6784,8 +6889,7 @@ void mgmt_read_local_oob_data_complete(struct hci_dev *hdev, u8 *hash192,
6784 cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA, 6889 cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
6785 mgmt_status(status)); 6890 mgmt_status(status));
6786 } else { 6891 } else {
6787 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags) && 6892 if (bredr_sc_enabled(hdev) && hash256 && rand256) {
6788 hash256 && rand256) {
6789 struct mgmt_rp_read_local_oob_ext_data rp; 6893 struct mgmt_rp_read_local_oob_ext_data rp;
6790 6894
6791 memcpy(rp.hash192, hash192, sizeof(rp.hash192)); 6895 memcpy(rp.hash192, hash192, sizeof(rp.hash192));
@@ -6812,6 +6916,73 @@ void mgmt_read_local_oob_data_complete(struct hci_dev *hdev, u8 *hash192,
6812 mgmt_pending_remove(cmd); 6916 mgmt_pending_remove(cmd);
6813} 6917}
6814 6918
6919static inline bool has_uuid(u8 *uuid, u16 uuid_count, u8 (*uuids)[16])
6920{
6921 int i;
6922
6923 for (i = 0; i < uuid_count; i++) {
6924 if (!memcmp(uuid, uuids[i], 16))
6925 return true;
6926 }
6927
6928 return false;
6929}
6930
6931static bool eir_has_uuids(u8 *eir, u16 eir_len, u16 uuid_count, u8 (*uuids)[16])
6932{
6933 u16 parsed = 0;
6934
6935 while (parsed < eir_len) {
6936 u8 field_len = eir[0];
6937 u8 uuid[16];
6938 int i;
6939
6940 if (field_len == 0)
6941 break;
6942
6943 if (eir_len - parsed < field_len + 1)
6944 break;
6945
6946 switch (eir[1]) {
6947 case EIR_UUID16_ALL:
6948 case EIR_UUID16_SOME:
6949 for (i = 0; i + 3 <= field_len; i += 2) {
6950 memcpy(uuid, bluetooth_base_uuid, 16);
6951 uuid[13] = eir[i + 3];
6952 uuid[12] = eir[i + 2];
6953 if (has_uuid(uuid, uuid_count, uuids))
6954 return true;
6955 }
6956 break;
6957 case EIR_UUID32_ALL:
6958 case EIR_UUID32_SOME:
6959 for (i = 0; i + 5 <= field_len; i += 4) {
6960 memcpy(uuid, bluetooth_base_uuid, 16);
6961 uuid[15] = eir[i + 5];
6962 uuid[14] = eir[i + 4];
6963 uuid[13] = eir[i + 3];
6964 uuid[12] = eir[i + 2];
6965 if (has_uuid(uuid, uuid_count, uuids))
6966 return true;
6967 }
6968 break;
6969 case EIR_UUID128_ALL:
6970 case EIR_UUID128_SOME:
6971 for (i = 0; i + 17 <= field_len; i += 16) {
6972 memcpy(uuid, eir + i + 2, 16);
6973 if (has_uuid(uuid, uuid_count, uuids))
6974 return true;
6975 }
6976 break;
6977 }
6978
6979 parsed += field_len + 1;
6980 eir += field_len + 1;
6981 }
6982
6983 return false;
6984}
6985
6815void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type, 6986void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
6816 u8 addr_type, u8 *dev_class, s8 rssi, u32 flags, 6987 u8 addr_type, u8 *dev_class, s8 rssi, u32 flags,
6817 u8 *eir, u16 eir_len, u8 *scan_rsp, u8 scan_rsp_len) 6988 u8 *eir, u16 eir_len, u8 *scan_rsp, u8 scan_rsp_len)
@@ -6819,6 +6990,7 @@ void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
6819 char buf[512]; 6990 char buf[512];
6820 struct mgmt_ev_device_found *ev = (void *) buf; 6991 struct mgmt_ev_device_found *ev = (void *) buf;
6821 size_t ev_size; 6992 size_t ev_size;
6993 bool match;
6822 6994
6823 /* Don't send events for a non-kernel initiated discovery. With 6995 /* Don't send events for a non-kernel initiated discovery. With
6824 * LE one exception is if we have pend_le_reports > 0 in which 6996 * LE one exception is if we have pend_le_reports > 0 in which
@@ -6831,6 +7003,18 @@ void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
6831 return; 7003 return;
6832 } 7004 }
6833 7005
7006 /* When using service discovery with a RSSI threshold, then check
7007 * if such a RSSI threshold is specified. If a RSSI threshold has
7008 * been specified, then all results with a RSSI smaller than the
7009 * RSSI threshold will be dropped.
7010 *
7011 * For BR/EDR devices (pre 1.2) providing no RSSI during inquiry,
7012 * the results are also dropped.
7013 */
7014 if (hdev->discovery.rssi != HCI_RSSI_INVALID &&
7015 (rssi < hdev->discovery.rssi || rssi == HCI_RSSI_INVALID))
7016 return;
7017
6834 /* Make sure that the buffer is big enough. The 5 extra bytes 7018 /* Make sure that the buffer is big enough. The 5 extra bytes
6835 * are for the potential CoD field. 7019 * are for the potential CoD field.
6836 */ 7020 */
@@ -6839,20 +7023,75 @@ void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
6839 7023
6840 memset(buf, 0, sizeof(buf)); 7024 memset(buf, 0, sizeof(buf));
6841 7025
7026 /* In case of device discovery with BR/EDR devices (pre 1.2), the
7027 * RSSI value was reported as 0 when not available. This behavior
7028 * is kept when using device discovery. This is required for full
7029 * backwards compatibility with the API.
7030 *
7031 * However when using service discovery, the value 127 will be
7032 * returned when the RSSI is not available.
7033 */
7034 if (rssi == HCI_RSSI_INVALID && !hdev->discovery.report_invalid_rssi)
7035 rssi = 0;
7036
6842 bacpy(&ev->addr.bdaddr, bdaddr); 7037 bacpy(&ev->addr.bdaddr, bdaddr);
6843 ev->addr.type = link_to_bdaddr(link_type, addr_type); 7038 ev->addr.type = link_to_bdaddr(link_type, addr_type);
6844 ev->rssi = rssi; 7039 ev->rssi = rssi;
6845 ev->flags = cpu_to_le32(flags); 7040 ev->flags = cpu_to_le32(flags);
6846 7041
6847 if (eir_len > 0) 7042 if (eir_len > 0) {
7043 /* When using service discovery and a list of UUID is
7044 * provided, results with no matching UUID should be
7045 * dropped. In case there is a match the result is
7046 * kept and checking possible scan response data
7047 * will be skipped.
7048 */
7049 if (hdev->discovery.uuid_count > 0) {
7050 match = eir_has_uuids(eir, eir_len,
7051 hdev->discovery.uuid_count,
7052 hdev->discovery.uuids);
7053 if (!match)
7054 return;
7055 }
7056
7057 /* Copy EIR or advertising data into event */
6848 memcpy(ev->eir, eir, eir_len); 7058 memcpy(ev->eir, eir, eir_len);
7059 } else {
7060 /* When using service discovery and a list of UUID is
7061 * provided, results with empty EIR or advertising data
7062 * should be dropped since they do not match any UUID.
7063 */
7064 if (hdev->discovery.uuid_count > 0)
7065 return;
7066 }
6849 7067
6850 if (dev_class && !eir_has_data_type(ev->eir, eir_len, EIR_CLASS_OF_DEV)) 7068 if (dev_class && !eir_has_data_type(ev->eir, eir_len, EIR_CLASS_OF_DEV))
6851 eir_len = eir_append_data(ev->eir, eir_len, EIR_CLASS_OF_DEV, 7069 eir_len = eir_append_data(ev->eir, eir_len, EIR_CLASS_OF_DEV,
6852 dev_class, 3); 7070 dev_class, 3);
6853 7071
6854 if (scan_rsp_len > 0) 7072 if (scan_rsp_len > 0) {
7073 /* When using service discovery and a list of UUID is
7074 * provided, results with no matching UUID should be
7075 * dropped if there is no previous match from the
7076 * advertising data.
7077 */
7078 if (hdev->discovery.uuid_count > 0) {
7079 if (!match && !eir_has_uuids(scan_rsp, scan_rsp_len,
7080 hdev->discovery.uuid_count,
7081 hdev->discovery.uuids))
7082 return;
7083 }
7084
7085 /* Append scan response data to event */
6855 memcpy(ev->eir + eir_len, scan_rsp, scan_rsp_len); 7086 memcpy(ev->eir + eir_len, scan_rsp, scan_rsp_len);
7087 } else {
7088 /* When using service discovery and a list of UUID is
7089 * provided, results with empty scan response and no
7090 * previous matched advertising data should be dropped.
7091 */
7092 if (hdev->discovery.uuid_count > 0 && !match)
7093 return;
7094 }
6856 7095
6857 ev->eir_len = cpu_to_le16(eir_len + scan_rsp_len); 7096 ev->eir_len = cpu_to_le16(eir_len + scan_rsp_len);
6858 ev_size = sizeof(*ev) + eir_len + scan_rsp_len; 7097 ev_size = sizeof(*ev) + eir_len + scan_rsp_len;
@@ -6886,23 +7125,9 @@ void mgmt_remote_name(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
6886void mgmt_discovering(struct hci_dev *hdev, u8 discovering) 7125void mgmt_discovering(struct hci_dev *hdev, u8 discovering)
6887{ 7126{
6888 struct mgmt_ev_discovering ev; 7127 struct mgmt_ev_discovering ev;
6889 struct pending_cmd *cmd;
6890 7128
6891 BT_DBG("%s discovering %u", hdev->name, discovering); 7129 BT_DBG("%s discovering %u", hdev->name, discovering);
6892 7130
6893 if (discovering)
6894 cmd = mgmt_pending_find(MGMT_OP_START_DISCOVERY, hdev);
6895 else
6896 cmd = mgmt_pending_find(MGMT_OP_STOP_DISCOVERY, hdev);
6897
6898 if (cmd != NULL) {
6899 u8 type = hdev->discovery.type;
6900
6901 cmd_complete(cmd->sk, hdev->id, cmd->opcode, 0, &type,
6902 sizeof(type));
6903 mgmt_pending_remove(cmd);
6904 }
6905
6906 memset(&ev, 0, sizeof(ev)); 7131 memset(&ev, 0, sizeof(ev));
6907 ev.type = hdev->discovery.type; 7132 ev.type = hdev->discovery.type;
6908 ev.discovering = discovering; 7133 ev.discovering = discovering;
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 069b76e03b57..96bf16dcd9e9 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -29,14 +29,34 @@
29#include <net/bluetooth/l2cap.h> 29#include <net/bluetooth/l2cap.h>
30#include <net/bluetooth/mgmt.h> 30#include <net/bluetooth/mgmt.h>
31 31
32#include "ecc.h"
32#include "smp.h" 33#include "smp.h"
33 34
35/* Low-level debug macros to be used for stuff that we don't want
36 * accidentially in dmesg, i.e. the values of the various crypto keys
37 * and the inputs & outputs of crypto functions.
38 */
39#ifdef DEBUG
40#define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
41 ##__VA_ARGS__)
42#else
43#define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
44 ##__VA_ARGS__)
45#endif
46
34#define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd) 47#define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
35 48
49/* Keys which are not distributed with Secure Connections */
50#define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
51
36#define SMP_TIMEOUT msecs_to_jiffies(30000) 52#define SMP_TIMEOUT msecs_to_jiffies(30000)
37 53
38#define AUTH_REQ_MASK 0x07 54#define AUTH_REQ_MASK(dev) (test_bit(HCI_SC_ENABLED, &(dev)->dev_flags) ? \
39#define KEY_DIST_MASK 0x07 55 0x1f : 0x07)
56#define KEY_DIST_MASK 0x07
57
58/* Maximum message length that can be passed to aes_cmac */
59#define CMAC_MSG_MAX 80
40 60
41enum { 61enum {
42 SMP_FLAG_TK_VALID, 62 SMP_FLAG_TK_VALID,
@@ -44,6 +64,12 @@ enum {
44 SMP_FLAG_MITM_AUTH, 64 SMP_FLAG_MITM_AUTH,
45 SMP_FLAG_COMPLETE, 65 SMP_FLAG_COMPLETE,
46 SMP_FLAG_INITIATOR, 66 SMP_FLAG_INITIATOR,
67 SMP_FLAG_SC,
68 SMP_FLAG_REMOTE_PK,
69 SMP_FLAG_DEBUG_KEY,
70 SMP_FLAG_WAIT_USER,
71 SMP_FLAG_DHKEY_PENDING,
72 SMP_FLAG_OOB,
47}; 73};
48 74
49struct smp_chan { 75struct smp_chan {
@@ -57,6 +83,7 @@ struct smp_chan {
57 u8 rrnd[16]; /* SMP Pairing Random (remote) */ 83 u8 rrnd[16]; /* SMP Pairing Random (remote) */
58 u8 pcnf[16]; /* SMP Pairing Confirm */ 84 u8 pcnf[16]; /* SMP Pairing Confirm */
59 u8 tk[16]; /* SMP Temporary Key */ 85 u8 tk[16]; /* SMP Temporary Key */
86 u8 rr[16];
60 u8 enc_key_size; 87 u8 enc_key_size;
61 u8 remote_key_dist; 88 u8 remote_key_dist;
62 bdaddr_t id_addr; 89 bdaddr_t id_addr;
@@ -67,9 +94,43 @@ struct smp_chan {
67 struct smp_ltk *ltk; 94 struct smp_ltk *ltk;
68 struct smp_ltk *slave_ltk; 95 struct smp_ltk *slave_ltk;
69 struct smp_irk *remote_irk; 96 struct smp_irk *remote_irk;
97 u8 *link_key;
70 unsigned long flags; 98 unsigned long flags;
99 u8 method;
100 u8 passkey_round;
101
102 /* Secure Connections variables */
103 u8 local_pk[64];
104 u8 local_sk[32];
105 u8 remote_pk[64];
106 u8 dhkey[32];
107 u8 mackey[16];
71 108
72 struct crypto_blkcipher *tfm_aes; 109 struct crypto_blkcipher *tfm_aes;
110 struct crypto_hash *tfm_cmac;
111};
112
113/* These debug key values are defined in the SMP section of the core
114 * specification. debug_pk is the public debug key and debug_sk the
115 * private debug key.
116 */
117static const u8 debug_pk[64] = {
118 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
119 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
120 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
121 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
122
123 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
124 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
125 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
126 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
127};
128
129static const u8 debug_sk[32] = {
130 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
131 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
132 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
133 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
73}; 134};
74 135
75static inline void swap_buf(const u8 *src, u8 *dst, size_t len) 136static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
@@ -80,14 +141,22 @@ static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
80 dst[len - 1 - i] = src[i]; 141 dst[len - 1 - i] = src[i];
81} 142}
82 143
83static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r) 144/* The following functions map to the LE SC SMP crypto functions
145 * AES-CMAC, f4, f5, f6, g2 and h6.
146 */
147
148static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m,
149 size_t len, u8 mac[16])
84{ 150{
85 struct blkcipher_desc desc; 151 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
152 struct hash_desc desc;
86 struct scatterlist sg; 153 struct scatterlist sg;
87 uint8_t tmp[16], data[16];
88 int err; 154 int err;
89 155
90 if (tfm == NULL) { 156 if (len > CMAC_MSG_MAX)
157 return -EFBIG;
158
159 if (!tfm) {
91 BT_ERR("tfm %p", tfm); 160 BT_ERR("tfm %p", tfm);
92 return -EINVAL; 161 return -EINVAL;
93 } 162 }
@@ -95,105 +164,233 @@ static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
95 desc.tfm = tfm; 164 desc.tfm = tfm;
96 desc.flags = 0; 165 desc.flags = 0;
97 166
98 /* The most significant octet of key corresponds to k[0] */ 167 crypto_hash_init(&desc);
168
169 /* Swap key and message from LSB to MSB */
99 swap_buf(k, tmp, 16); 170 swap_buf(k, tmp, 16);
171 swap_buf(m, msg_msb, len);
100 172
101 err = crypto_blkcipher_setkey(tfm, tmp, 16); 173 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
174 SMP_DBG("key %16phN", k);
175
176 err = crypto_hash_setkey(tfm, tmp, 16);
102 if (err) { 177 if (err) {
103 BT_ERR("cipher setkey failed: %d", err); 178 BT_ERR("cipher setkey failed: %d", err);
104 return err; 179 return err;
105 } 180 }
106 181
107 /* Most significant octet of plaintextData corresponds to data[0] */ 182 sg_init_one(&sg, msg_msb, len);
108 swap_buf(r, data, 16);
109 183
110 sg_init_one(&sg, data, 16); 184 err = crypto_hash_update(&desc, &sg, len);
185 if (err) {
186 BT_ERR("Hash update error %d", err);
187 return err;
188 }
111 189
112 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16); 190 err = crypto_hash_final(&desc, mac_msb);
191 if (err) {
192 BT_ERR("Hash final error %d", err);
193 return err;
194 }
195
196 swap_buf(mac_msb, mac, 16);
197
198 SMP_DBG("mac %16phN", mac);
199
200 return 0;
201}
202
203static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
204 const u8 x[16], u8 z, u8 res[16])
205{
206 u8 m[65];
207 int err;
208
209 SMP_DBG("u %32phN", u);
210 SMP_DBG("v %32phN", v);
211 SMP_DBG("x %16phN z %02x", x, z);
212
213 m[0] = z;
214 memcpy(m + 1, v, 32);
215 memcpy(m + 33, u, 32);
216
217 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
113 if (err) 218 if (err)
114 BT_ERR("Encrypt data error %d", err); 219 return err;
115 220
116 /* Most significant octet of encryptedData corresponds to data[0] */ 221 SMP_DBG("res %16phN", res);
117 swap_buf(data, r, 16);
118 222
119 return err; 223 return err;
120} 224}
121 225
122static int smp_ah(struct crypto_blkcipher *tfm, u8 irk[16], u8 r[3], u8 res[3]) 226static int smp_f5(struct crypto_hash *tfm_cmac, u8 w[32], u8 n1[16], u8 n2[16],
227 u8 a1[7], u8 a2[7], u8 mackey[16], u8 ltk[16])
123{ 228{
124 u8 _res[16]; 229 /* The btle, salt and length "magic" values are as defined in
230 * the SMP section of the Bluetooth core specification. In ASCII
231 * the btle value ends up being 'btle'. The salt is just a
232 * random number whereas length is the value 256 in little
233 * endian format.
234 */
235 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
236 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
237 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
238 const u8 length[2] = { 0x00, 0x01 };
239 u8 m[53], t[16];
125 int err; 240 int err;
126 241
127 /* r' = padding || r */ 242 SMP_DBG("w %32phN", w);
128 memcpy(_res, r, 3); 243 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
129 memset(_res + 3, 0, 13); 244 SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
130 245
131 err = smp_e(tfm, irk, _res); 246 err = aes_cmac(tfm_cmac, salt, w, 32, t);
132 if (err) { 247 if (err)
133 BT_ERR("Encrypt error");
134 return err; 248 return err;
135 }
136 249
137 /* The output of the random address function ah is: 250 SMP_DBG("t %16phN", t);
138 * ah(h, r) = e(k, r') mod 2^24 251
139 * The output of the security function e is then truncated to 24 bits 252 memcpy(m, length, 2);
140 * by taking the least significant 24 bits of the output of e as the 253 memcpy(m + 2, a2, 7);
141 * result of ah. 254 memcpy(m + 9, a1, 7);
142 */ 255 memcpy(m + 16, n2, 16);
143 memcpy(res, _res, 3); 256 memcpy(m + 32, n1, 16);
257 memcpy(m + 48, btle, 4);
258
259 m[52] = 0; /* Counter */
260
261 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
262 if (err)
263 return err;
264
265 SMP_DBG("mackey %16phN", mackey);
266
267 m[52] = 1; /* Counter */
268
269 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
270 if (err)
271 return err;
272
273 SMP_DBG("ltk %16phN", ltk);
144 274
145 return 0; 275 return 0;
146} 276}
147 277
148bool smp_irk_matches(struct hci_dev *hdev, u8 irk[16], bdaddr_t *bdaddr) 278static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16],
279 const u8 n1[16], u8 n2[16], const u8 r[16],
280 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
281 u8 res[16])
149{ 282{
150 struct l2cap_chan *chan = hdev->smp_data; 283 u8 m[65];
151 struct crypto_blkcipher *tfm;
152 u8 hash[3];
153 int err; 284 int err;
154 285
155 if (!chan || !chan->data) 286 SMP_DBG("w %16phN", w);
156 return false; 287 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
288 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
157 289
158 tfm = chan->data; 290 memcpy(m, a2, 7);
291 memcpy(m + 7, a1, 7);
292 memcpy(m + 14, io_cap, 3);
293 memcpy(m + 17, r, 16);
294 memcpy(m + 33, n2, 16);
295 memcpy(m + 49, n1, 16);
159 296
160 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk); 297 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
298 if (err)
299 return err;
161 300
162 err = smp_ah(tfm, irk, &bdaddr->b[3], hash); 301 BT_DBG("res %16phN", res);
302
303 return err;
304}
305
306static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
307 const u8 x[16], const u8 y[16], u32 *val)
308{
309 u8 m[80], tmp[16];
310 int err;
311
312 SMP_DBG("u %32phN", u);
313 SMP_DBG("v %32phN", v);
314 SMP_DBG("x %16phN y %16phN", x, y);
315
316 memcpy(m, y, 16);
317 memcpy(m + 16, v, 32);
318 memcpy(m + 48, u, 32);
319
320 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
163 if (err) 321 if (err)
164 return false; 322 return err;
165 323
166 return !memcmp(bdaddr->b, hash, 3); 324 *val = get_unaligned_le32(tmp);
325 *val %= 1000000;
326
327 SMP_DBG("val %06u", *val);
328
329 return 0;
167} 330}
168 331
169int smp_generate_rpa(struct hci_dev *hdev, u8 irk[16], bdaddr_t *rpa) 332static int smp_h6(struct crypto_hash *tfm_cmac, const u8 w[16],
333 const u8 key_id[4], u8 res[16])
170{ 334{
171 struct l2cap_chan *chan = hdev->smp_data;
172 struct crypto_blkcipher *tfm;
173 int err; 335 int err;
174 336
175 if (!chan || !chan->data) 337 SMP_DBG("w %16phN key_id %4phN", w, key_id);
176 return -EOPNOTSUPP;
177 338
178 tfm = chan->data; 339 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
340 if (err)
341 return err;
179 342
180 get_random_bytes(&rpa->b[3], 3); 343 SMP_DBG("res %16phN", res);
181 344
182 rpa->b[5] &= 0x3f; /* Clear two most significant bits */ 345 return err;
183 rpa->b[5] |= 0x40; /* Set second most significant bit */ 346}
184 347
185 err = smp_ah(tfm, irk, &rpa->b[3], rpa->b); 348/* The following functions map to the legacy SMP crypto functions e, c1,
186 if (err < 0) 349 * s1 and ah.
350 */
351
352static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
353{
354 struct blkcipher_desc desc;
355 struct scatterlist sg;
356 uint8_t tmp[16], data[16];
357 int err;
358
359 if (!tfm) {
360 BT_ERR("tfm %p", tfm);
361 return -EINVAL;
362 }
363
364 desc.tfm = tfm;
365 desc.flags = 0;
366
367 /* The most significant octet of key corresponds to k[0] */
368 swap_buf(k, tmp, 16);
369
370 err = crypto_blkcipher_setkey(tfm, tmp, 16);
371 if (err) {
372 BT_ERR("cipher setkey failed: %d", err);
187 return err; 373 return err;
374 }
188 375
189 BT_DBG("RPA %pMR", rpa); 376 /* Most significant octet of plaintextData corresponds to data[0] */
377 swap_buf(r, data, 16);
190 378
191 return 0; 379 sg_init_one(&sg, data, 16);
380
381 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
382 if (err)
383 BT_ERR("Encrypt data error %d", err);
384
385 /* Most significant octet of encryptedData corresponds to data[0] */
386 swap_buf(data, r, 16);
387
388 return err;
192} 389}
193 390
194static int smp_c1(struct crypto_blkcipher *tfm_aes, u8 k[16], u8 r[16], 391static int smp_c1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
195 u8 preq[7], u8 pres[7], u8 _iat, bdaddr_t *ia, u8 _rat, 392 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
196 bdaddr_t *ra, u8 res[16]) 393 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
197{ 394{
198 u8 p1[16], p2[16]; 395 u8 p1[16], p2[16];
199 int err; 396 int err;
@@ -232,8 +429,8 @@ static int smp_c1(struct crypto_blkcipher *tfm_aes, u8 k[16], u8 r[16],
232 return err; 429 return err;
233} 430}
234 431
235static int smp_s1(struct crypto_blkcipher *tfm_aes, u8 k[16], u8 r1[16], 432static int smp_s1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
236 u8 r2[16], u8 _r[16]) 433 const u8 r1[16], const u8 r2[16], u8 _r[16])
237{ 434{
238 int err; 435 int err;
239 436
@@ -248,6 +445,80 @@ static int smp_s1(struct crypto_blkcipher *tfm_aes, u8 k[16], u8 r1[16],
248 return err; 445 return err;
249} 446}
250 447
448static int smp_ah(struct crypto_blkcipher *tfm, const u8 irk[16],
449 const u8 r[3], u8 res[3])
450{
451 u8 _res[16];
452 int err;
453
454 /* r' = padding || r */
455 memcpy(_res, r, 3);
456 memset(_res + 3, 0, 13);
457
458 err = smp_e(tfm, irk, _res);
459 if (err) {
460 BT_ERR("Encrypt error");
461 return err;
462 }
463
464 /* The output of the random address function ah is:
465 * ah(h, r) = e(k, r') mod 2^24
466 * The output of the security function e is then truncated to 24 bits
467 * by taking the least significant 24 bits of the output of e as the
468 * result of ah.
469 */
470 memcpy(res, _res, 3);
471
472 return 0;
473}
474
475bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
476 const bdaddr_t *bdaddr)
477{
478 struct l2cap_chan *chan = hdev->smp_data;
479 struct crypto_blkcipher *tfm;
480 u8 hash[3];
481 int err;
482
483 if (!chan || !chan->data)
484 return false;
485
486 tfm = chan->data;
487
488 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
489
490 err = smp_ah(tfm, irk, &bdaddr->b[3], hash);
491 if (err)
492 return false;
493
494 return !memcmp(bdaddr->b, hash, 3);
495}
496
497int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
498{
499 struct l2cap_chan *chan = hdev->smp_data;
500 struct crypto_blkcipher *tfm;
501 int err;
502
503 if (!chan || !chan->data)
504 return -EOPNOTSUPP;
505
506 tfm = chan->data;
507
508 get_random_bytes(&rpa->b[3], 3);
509
510 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
511 rpa->b[5] |= 0x40; /* Set second most significant bit */
512
513 err = smp_ah(tfm, irk, &rpa->b[3], rpa->b);
514 if (err < 0)
515 return err;
516
517 BT_DBG("RPA %pMR", rpa);
518
519 return 0;
520}
521
251static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data) 522static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
252{ 523{
253 struct l2cap_chan *chan = conn->smp; 524 struct l2cap_chan *chan = conn->smp;
@@ -282,17 +553,22 @@ static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
282 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT); 553 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
283} 554}
284 555
285static __u8 authreq_to_seclevel(__u8 authreq) 556static u8 authreq_to_seclevel(u8 authreq)
286{ 557{
287 if (authreq & SMP_AUTH_MITM) 558 if (authreq & SMP_AUTH_MITM) {
288 return BT_SECURITY_HIGH; 559 if (authreq & SMP_AUTH_SC)
289 else 560 return BT_SECURITY_FIPS;
561 else
562 return BT_SECURITY_HIGH;
563 } else {
290 return BT_SECURITY_MEDIUM; 564 return BT_SECURITY_MEDIUM;
565 }
291} 566}
292 567
293static __u8 seclevel_to_authreq(__u8 sec_level) 568static __u8 seclevel_to_authreq(__u8 sec_level)
294{ 569{
295 switch (sec_level) { 570 switch (sec_level) {
571 case BT_SECURITY_FIPS:
296 case BT_SECURITY_HIGH: 572 case BT_SECURITY_HIGH:
297 return SMP_AUTH_MITM | SMP_AUTH_BONDING; 573 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
298 case BT_SECURITY_MEDIUM: 574 case BT_SECURITY_MEDIUM:
@@ -310,7 +586,7 @@ static void build_pairing_cmd(struct l2cap_conn *conn,
310 struct smp_chan *smp = chan->data; 586 struct smp_chan *smp = chan->data;
311 struct hci_conn *hcon = conn->hcon; 587 struct hci_conn *hcon = conn->hcon;
312 struct hci_dev *hdev = hcon->hdev; 588 struct hci_dev *hdev = hcon->hdev;
313 u8 local_dist = 0, remote_dist = 0; 589 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
314 590
315 if (test_bit(HCI_BONDABLE, &conn->hcon->hdev->dev_flags)) { 591 if (test_bit(HCI_BONDABLE, &conn->hcon->hdev->dev_flags)) {
316 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 592 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
@@ -326,24 +602,52 @@ static void build_pairing_cmd(struct l2cap_conn *conn,
326 if (test_bit(HCI_PRIVACY, &hdev->dev_flags)) 602 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
327 local_dist |= SMP_DIST_ID_KEY; 603 local_dist |= SMP_DIST_ID_KEY;
328 604
605 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags) &&
606 (authreq & SMP_AUTH_SC)) {
607 struct oob_data *oob_data;
608 u8 bdaddr_type;
609
610 if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
611 local_dist |= SMP_DIST_LINK_KEY;
612 remote_dist |= SMP_DIST_LINK_KEY;
613 }
614
615 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
616 bdaddr_type = BDADDR_LE_PUBLIC;
617 else
618 bdaddr_type = BDADDR_LE_RANDOM;
619
620 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
621 bdaddr_type);
622 if (oob_data) {
623 set_bit(SMP_FLAG_OOB, &smp->flags);
624 oob_flag = SMP_OOB_PRESENT;
625 memcpy(smp->rr, oob_data->rand256, 16);
626 memcpy(smp->pcnf, oob_data->hash256, 16);
627 }
628
629 } else {
630 authreq &= ~SMP_AUTH_SC;
631 }
632
329 if (rsp == NULL) { 633 if (rsp == NULL) {
330 req->io_capability = conn->hcon->io_capability; 634 req->io_capability = conn->hcon->io_capability;
331 req->oob_flag = SMP_OOB_NOT_PRESENT; 635 req->oob_flag = oob_flag;
332 req->max_key_size = SMP_MAX_ENC_KEY_SIZE; 636 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
333 req->init_key_dist = local_dist; 637 req->init_key_dist = local_dist;
334 req->resp_key_dist = remote_dist; 638 req->resp_key_dist = remote_dist;
335 req->auth_req = (authreq & AUTH_REQ_MASK); 639 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
336 640
337 smp->remote_key_dist = remote_dist; 641 smp->remote_key_dist = remote_dist;
338 return; 642 return;
339 } 643 }
340 644
341 rsp->io_capability = conn->hcon->io_capability; 645 rsp->io_capability = conn->hcon->io_capability;
342 rsp->oob_flag = SMP_OOB_NOT_PRESENT; 646 rsp->oob_flag = oob_flag;
343 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE; 647 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
344 rsp->init_key_dist = req->init_key_dist & remote_dist; 648 rsp->init_key_dist = req->init_key_dist & remote_dist;
345 rsp->resp_key_dist = req->resp_key_dist & local_dist; 649 rsp->resp_key_dist = req->resp_key_dist & local_dist;
346 rsp->auth_req = (authreq & AUTH_REQ_MASK); 650 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
347 651
348 smp->remote_key_dist = rsp->init_key_dist; 652 smp->remote_key_dist = rsp->init_key_dist;
349} 653}
@@ -366,6 +670,7 @@ static void smp_chan_destroy(struct l2cap_conn *conn)
366{ 670{
367 struct l2cap_chan *chan = conn->smp; 671 struct l2cap_chan *chan = conn->smp;
368 struct smp_chan *smp = chan->data; 672 struct smp_chan *smp = chan->data;
673 struct hci_conn *hcon = conn->hcon;
369 bool complete; 674 bool complete;
370 675
371 BUG_ON(!smp); 676 BUG_ON(!smp);
@@ -373,12 +678,24 @@ static void smp_chan_destroy(struct l2cap_conn *conn)
373 cancel_delayed_work_sync(&smp->security_timer); 678 cancel_delayed_work_sync(&smp->security_timer);
374 679
375 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags); 680 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
376 mgmt_smp_complete(conn->hcon, complete); 681 mgmt_smp_complete(hcon, complete);
377 682
378 kfree(smp->csrk); 683 kfree(smp->csrk);
379 kfree(smp->slave_csrk); 684 kfree(smp->slave_csrk);
685 kfree(smp->link_key);
380 686
381 crypto_free_blkcipher(smp->tfm_aes); 687 crypto_free_blkcipher(smp->tfm_aes);
688 crypto_free_hash(smp->tfm_cmac);
689
690 /* Ensure that we don't leave any debug key around if debug key
691 * support hasn't been explicitly enabled.
692 */
693 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
694 !test_bit(HCI_KEEP_DEBUG_KEYS, &hcon->hdev->dev_flags)) {
695 list_del_rcu(&smp->ltk->list);
696 kfree_rcu(smp->ltk, rcu);
697 smp->ltk = NULL;
698 }
382 699
383 /* If pairing failed clean up any keys we might have */ 700 /* If pairing failed clean up any keys we might have */
384 if (!complete) { 701 if (!complete) {
@@ -400,7 +717,7 @@ static void smp_chan_destroy(struct l2cap_conn *conn)
400 717
401 chan->data = NULL; 718 chan->data = NULL;
402 kfree(smp); 719 kfree(smp);
403 hci_conn_drop(conn->hcon); 720 hci_conn_drop(hcon);
404} 721}
405 722
406static void smp_failure(struct l2cap_conn *conn, u8 reason) 723static void smp_failure(struct l2cap_conn *conn, u8 reason)
@@ -424,6 +741,7 @@ static void smp_failure(struct l2cap_conn *conn, u8 reason)
424#define REQ_PASSKEY 0x02 741#define REQ_PASSKEY 0x02
425#define CFM_PASSKEY 0x03 742#define CFM_PASSKEY 0x03
426#define REQ_OOB 0x04 743#define REQ_OOB 0x04
744#define DSP_PASSKEY 0x05
427#define OVERLAP 0xFF 745#define OVERLAP 0xFF
428 746
429static const u8 gen_method[5][5] = { 747static const u8 gen_method[5][5] = {
@@ -434,6 +752,14 @@ static const u8 gen_method[5][5] = {
434 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP }, 752 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
435}; 753};
436 754
755static const u8 sc_method[5][5] = {
756 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
757 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
758 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
759 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
760 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
761};
762
437static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io) 763static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
438{ 764{
439 /* If either side has unknown io_caps, use JUST_CFM (which gets 765 /* If either side has unknown io_caps, use JUST_CFM (which gets
@@ -443,6 +769,9 @@ static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
443 remote_io > SMP_IO_KEYBOARD_DISPLAY) 769 remote_io > SMP_IO_KEYBOARD_DISPLAY)
444 return JUST_CFM; 770 return JUST_CFM;
445 771
772 if (test_bit(SMP_FLAG_SC, &smp->flags))
773 return sc_method[remote_io][local_io];
774
446 return gen_method[remote_io][local_io]; 775 return gen_method[remote_io][local_io];
447} 776}
448 777
@@ -452,7 +781,6 @@ static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
452 struct hci_conn *hcon = conn->hcon; 781 struct hci_conn *hcon = conn->hcon;
453 struct l2cap_chan *chan = conn->smp; 782 struct l2cap_chan *chan = conn->smp;
454 struct smp_chan *smp = chan->data; 783 struct smp_chan *smp = chan->data;
455 u8 method;
456 u32 passkey = 0; 784 u32 passkey = 0;
457 int ret = 0; 785 int ret = 0;
458 786
@@ -469,26 +797,28 @@ static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
469 * table. 797 * table.
470 */ 798 */
471 if (!(auth & SMP_AUTH_MITM)) 799 if (!(auth & SMP_AUTH_MITM))
472 method = JUST_CFM; 800 smp->method = JUST_CFM;
473 else 801 else
474 method = get_auth_method(smp, local_io, remote_io); 802 smp->method = get_auth_method(smp, local_io, remote_io);
475 803
476 /* Don't confirm locally initiated pairing attempts */ 804 /* Don't confirm locally initiated pairing attempts */
477 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags)) 805 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
478 method = JUST_WORKS; 806 &smp->flags))
807 smp->method = JUST_WORKS;
479 808
480 /* Don't bother user space with no IO capabilities */ 809 /* Don't bother user space with no IO capabilities */
481 if (method == JUST_CFM && hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT) 810 if (smp->method == JUST_CFM &&
482 method = JUST_WORKS; 811 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
812 smp->method = JUST_WORKS;
483 813
484 /* If Just Works, Continue with Zero TK */ 814 /* If Just Works, Continue with Zero TK */
485 if (method == JUST_WORKS) { 815 if (smp->method == JUST_WORKS) {
486 set_bit(SMP_FLAG_TK_VALID, &smp->flags); 816 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
487 return 0; 817 return 0;
488 } 818 }
489 819
490 /* Not Just Works/Confirm results in MITM Authentication */ 820 /* Not Just Works/Confirm results in MITM Authentication */
491 if (method != JUST_CFM) { 821 if (smp->method != JUST_CFM) {
492 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags); 822 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
493 if (hcon->pending_sec_level < BT_SECURITY_HIGH) 823 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
494 hcon->pending_sec_level = BT_SECURITY_HIGH; 824 hcon->pending_sec_level = BT_SECURITY_HIGH;
@@ -497,15 +827,15 @@ static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
497 /* If both devices have Keyoard-Display I/O, the master 827 /* If both devices have Keyoard-Display I/O, the master
498 * Confirms and the slave Enters the passkey. 828 * Confirms and the slave Enters the passkey.
499 */ 829 */
500 if (method == OVERLAP) { 830 if (smp->method == OVERLAP) {
501 if (hcon->role == HCI_ROLE_MASTER) 831 if (hcon->role == HCI_ROLE_MASTER)
502 method = CFM_PASSKEY; 832 smp->method = CFM_PASSKEY;
503 else 833 else
504 method = REQ_PASSKEY; 834 smp->method = REQ_PASSKEY;
505 } 835 }
506 836
507 /* Generate random passkey. */ 837 /* Generate random passkey. */
508 if (method == CFM_PASSKEY) { 838 if (smp->method == CFM_PASSKEY) {
509 memset(smp->tk, 0, sizeof(smp->tk)); 839 memset(smp->tk, 0, sizeof(smp->tk));
510 get_random_bytes(&passkey, sizeof(passkey)); 840 get_random_bytes(&passkey, sizeof(passkey));
511 passkey %= 1000000; 841 passkey %= 1000000;
@@ -514,10 +844,10 @@ static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
514 set_bit(SMP_FLAG_TK_VALID, &smp->flags); 844 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
515 } 845 }
516 846
517 if (method == REQ_PASSKEY) 847 if (smp->method == REQ_PASSKEY)
518 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst, 848 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
519 hcon->type, hcon->dst_type); 849 hcon->type, hcon->dst_type);
520 else if (method == JUST_CFM) 850 else if (smp->method == JUST_CFM)
521 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, 851 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
522 hcon->type, hcon->dst_type, 852 hcon->type, hcon->dst_type,
523 passkey, 1); 853 passkey, 1);
@@ -638,11 +968,13 @@ static void smp_notify_keys(struct l2cap_conn *conn)
638 mgmt_new_irk(hdev, smp->remote_irk); 968 mgmt_new_irk(hdev, smp->remote_irk);
639 /* Now that user space can be considered to know the 969 /* Now that user space can be considered to know the
640 * identity address track the connection based on it 970 * identity address track the connection based on it
641 * from now on. 971 * from now on (assuming this is an LE link).
642 */ 972 */
643 bacpy(&hcon->dst, &smp->remote_irk->bdaddr); 973 if (hcon->type == LE_LINK) {
644 hcon->dst_type = smp->remote_irk->addr_type; 974 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
645 queue_work(hdev->workqueue, &conn->id_addr_update_work); 975 hcon->dst_type = smp->remote_irk->addr_type;
976 queue_work(hdev->workqueue, &conn->id_addr_update_work);
977 }
646 978
647 /* When receiving an indentity resolving key for 979 /* When receiving an indentity resolving key for
648 * a remote device that does not use a resolvable 980 * a remote device that does not use a resolvable
@@ -661,10 +993,20 @@ static void smp_notify_keys(struct l2cap_conn *conn)
661 } 993 }
662 } 994 }
663 995
664 /* The LTKs and CSRKs should be persistent only if both sides 996 if (hcon->type == ACL_LINK) {
665 * had the bonding bit set in their authentication requests. 997 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
666 */ 998 persistent = false;
667 persistent = !!((req->auth_req & rsp->auth_req) & SMP_AUTH_BONDING); 999 else
1000 persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1001 &hcon->flags);
1002 } else {
1003 /* The LTKs and CSRKs should be persistent only if both sides
1004 * had the bonding bit set in their authentication requests.
1005 */
1006 persistent = !!((req->auth_req & rsp->auth_req) &
1007 SMP_AUTH_BONDING);
1008 }
1009
668 1010
669 if (smp->csrk) { 1011 if (smp->csrk) {
670 smp->csrk->bdaddr_type = hcon->dst_type; 1012 smp->csrk->bdaddr_type = hcon->dst_type;
@@ -689,6 +1031,81 @@ static void smp_notify_keys(struct l2cap_conn *conn)
689 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst); 1031 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
690 mgmt_new_ltk(hdev, smp->slave_ltk, persistent); 1032 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
691 } 1033 }
1034
1035 if (smp->link_key) {
1036 struct link_key *key;
1037 u8 type;
1038
1039 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1040 type = HCI_LK_DEBUG_COMBINATION;
1041 else if (hcon->sec_level == BT_SECURITY_FIPS)
1042 type = HCI_LK_AUTH_COMBINATION_P256;
1043 else
1044 type = HCI_LK_UNAUTH_COMBINATION_P256;
1045
1046 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1047 smp->link_key, type, 0, &persistent);
1048 if (key) {
1049 mgmt_new_link_key(hdev, key, persistent);
1050
1051 /* Don't keep debug keys around if the relevant
1052 * flag is not set.
1053 */
1054 if (!test_bit(HCI_KEEP_DEBUG_KEYS, &hdev->dev_flags) &&
1055 key->type == HCI_LK_DEBUG_COMBINATION) {
1056 list_del_rcu(&key->list);
1057 kfree_rcu(key, rcu);
1058 }
1059 }
1060 }
1061}
1062
1063static void sc_add_ltk(struct smp_chan *smp)
1064{
1065 struct hci_conn *hcon = smp->conn->hcon;
1066 u8 key_type, auth;
1067
1068 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1069 key_type = SMP_LTK_P256_DEBUG;
1070 else
1071 key_type = SMP_LTK_P256;
1072
1073 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1074 auth = 1;
1075 else
1076 auth = 0;
1077
1078 memset(smp->tk + smp->enc_key_size, 0,
1079 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
1080
1081 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1082 key_type, auth, smp->tk, smp->enc_key_size,
1083 0, 0);
1084}
1085
1086static void sc_generate_link_key(struct smp_chan *smp)
1087{
1088 /* These constants are as specified in the core specification.
1089 * In ASCII they spell out to 'tmp1' and 'lebr'.
1090 */
1091 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1092 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1093
1094 smp->link_key = kzalloc(16, GFP_KERNEL);
1095 if (!smp->link_key)
1096 return;
1097
1098 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1099 kfree(smp->link_key);
1100 smp->link_key = NULL;
1101 return;
1102 }
1103
1104 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1105 kfree(smp->link_key);
1106 smp->link_key = NULL;
1107 return;
1108 }
692} 1109}
693 1110
694static void smp_allow_key_dist(struct smp_chan *smp) 1111static void smp_allow_key_dist(struct smp_chan *smp)
@@ -705,6 +1122,35 @@ static void smp_allow_key_dist(struct smp_chan *smp)
705 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO); 1122 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
706} 1123}
707 1124
1125static void sc_generate_ltk(struct smp_chan *smp)
1126{
1127 /* These constants are as specified in the core specification.
1128 * In ASCII they spell out to 'tmp2' and 'brle'.
1129 */
1130 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1131 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1132 struct hci_conn *hcon = smp->conn->hcon;
1133 struct hci_dev *hdev = hcon->hdev;
1134 struct link_key *key;
1135
1136 key = hci_find_link_key(hdev, &hcon->dst);
1137 if (!key) {
1138 BT_ERR("%s No Link Key found to generate LTK", hdev->name);
1139 return;
1140 }
1141
1142 if (key->type == HCI_LK_DEBUG_COMBINATION)
1143 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1144
1145 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1146 return;
1147
1148 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1149 return;
1150
1151 sc_add_ltk(smp);
1152}
1153
708static void smp_distribute_keys(struct smp_chan *smp) 1154static void smp_distribute_keys(struct smp_chan *smp)
709{ 1155{
710 struct smp_cmd_pairing *req, *rsp; 1156 struct smp_cmd_pairing *req, *rsp;
@@ -733,6 +1179,16 @@ static void smp_distribute_keys(struct smp_chan *smp)
733 *keydist &= req->resp_key_dist; 1179 *keydist &= req->resp_key_dist;
734 } 1180 }
735 1181
1182 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1183 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1184 sc_generate_link_key(smp);
1185 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1186 sc_generate_ltk(smp);
1187
1188 /* Clear the keys which are generated but not distributed */
1189 *keydist &= ~SMP_SC_NO_DIST;
1190 }
1191
736 BT_DBG("keydist 0x%x", *keydist); 1192 BT_DBG("keydist 0x%x", *keydist);
737 1193
738 if (*keydist & SMP_DIST_ENC_KEY) { 1194 if (*keydist & SMP_DIST_ENC_KEY) {
@@ -844,6 +1300,14 @@ static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
844 return NULL; 1300 return NULL;
845 } 1301 }
846 1302
1303 smp->tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
1304 if (IS_ERR(smp->tfm_cmac)) {
1305 BT_ERR("Unable to create CMAC crypto context");
1306 crypto_free_blkcipher(smp->tfm_aes);
1307 kfree(smp);
1308 return NULL;
1309 }
1310
847 smp->conn = conn; 1311 smp->conn = conn;
848 chan->data = smp; 1312 chan->data = smp;
849 1313
@@ -856,6 +1320,213 @@ static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
856 return smp; 1320 return smp;
857} 1321}
858 1322
1323static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1324{
1325 struct hci_conn *hcon = smp->conn->hcon;
1326 u8 *na, *nb, a[7], b[7];
1327
1328 if (hcon->out) {
1329 na = smp->prnd;
1330 nb = smp->rrnd;
1331 } else {
1332 na = smp->rrnd;
1333 nb = smp->prnd;
1334 }
1335
1336 memcpy(a, &hcon->init_addr, 6);
1337 memcpy(b, &hcon->resp_addr, 6);
1338 a[6] = hcon->init_addr_type;
1339 b[6] = hcon->resp_addr_type;
1340
1341 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1342}
1343
1344static void sc_dhkey_check(struct smp_chan *smp)
1345{
1346 struct hci_conn *hcon = smp->conn->hcon;
1347 struct smp_cmd_dhkey_check check;
1348 u8 a[7], b[7], *local_addr, *remote_addr;
1349 u8 io_cap[3], r[16];
1350
1351 memcpy(a, &hcon->init_addr, 6);
1352 memcpy(b, &hcon->resp_addr, 6);
1353 a[6] = hcon->init_addr_type;
1354 b[6] = hcon->resp_addr_type;
1355
1356 if (hcon->out) {
1357 local_addr = a;
1358 remote_addr = b;
1359 memcpy(io_cap, &smp->preq[1], 3);
1360 } else {
1361 local_addr = b;
1362 remote_addr = a;
1363 memcpy(io_cap, &smp->prsp[1], 3);
1364 }
1365
1366 memset(r, 0, sizeof(r));
1367
1368 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1369 put_unaligned_le32(hcon->passkey_notify, r);
1370
1371 if (smp->method == REQ_OOB)
1372 memcpy(r, smp->rr, 16);
1373
1374 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1375 local_addr, remote_addr, check.e);
1376
1377 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1378}
1379
1380static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1381{
1382 struct l2cap_conn *conn = smp->conn;
1383 struct hci_conn *hcon = conn->hcon;
1384 struct smp_cmd_pairing_confirm cfm;
1385 u8 r;
1386
1387 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1388 r |= 0x80;
1389
1390 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1391
1392 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1393 cfm.confirm_val))
1394 return SMP_UNSPECIFIED;
1395
1396 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1397
1398 return 0;
1399}
1400
1401static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1402{
1403 struct l2cap_conn *conn = smp->conn;
1404 struct hci_conn *hcon = conn->hcon;
1405 struct hci_dev *hdev = hcon->hdev;
1406 u8 cfm[16], r;
1407
1408 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1409 if (smp->passkey_round >= 20)
1410 return 0;
1411
1412 switch (smp_op) {
1413 case SMP_CMD_PAIRING_RANDOM:
1414 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1415 r |= 0x80;
1416
1417 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1418 smp->rrnd, r, cfm))
1419 return SMP_UNSPECIFIED;
1420
1421 if (memcmp(smp->pcnf, cfm, 16))
1422 return SMP_CONFIRM_FAILED;
1423
1424 smp->passkey_round++;
1425
1426 if (smp->passkey_round == 20) {
1427 /* Generate MacKey and LTK */
1428 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1429 return SMP_UNSPECIFIED;
1430 }
1431
1432 /* The round is only complete when the initiator
1433 * receives pairing random.
1434 */
1435 if (!hcon->out) {
1436 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1437 sizeof(smp->prnd), smp->prnd);
1438 if (smp->passkey_round == 20)
1439 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1440 else
1441 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1442 return 0;
1443 }
1444
1445 /* Start the next round */
1446 if (smp->passkey_round != 20)
1447 return sc_passkey_round(smp, 0);
1448
1449 /* Passkey rounds are complete - start DHKey Check */
1450 sc_dhkey_check(smp);
1451 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1452
1453 break;
1454
1455 case SMP_CMD_PAIRING_CONFIRM:
1456 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1457 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1458 return 0;
1459 }
1460
1461 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1462
1463 if (hcon->out) {
1464 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1465 sizeof(smp->prnd), smp->prnd);
1466 return 0;
1467 }
1468
1469 return sc_passkey_send_confirm(smp);
1470
1471 case SMP_CMD_PUBLIC_KEY:
1472 default:
1473 /* Initiating device starts the round */
1474 if (!hcon->out)
1475 return 0;
1476
1477 BT_DBG("%s Starting passkey round %u", hdev->name,
1478 smp->passkey_round + 1);
1479
1480 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1481
1482 return sc_passkey_send_confirm(smp);
1483 }
1484
1485 return 0;
1486}
1487
1488static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1489{
1490 struct l2cap_conn *conn = smp->conn;
1491 struct hci_conn *hcon = conn->hcon;
1492 u8 smp_op;
1493
1494 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1495
1496 switch (mgmt_op) {
1497 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1498 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1499 return 0;
1500 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1501 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1502 return 0;
1503 case MGMT_OP_USER_PASSKEY_REPLY:
1504 hcon->passkey_notify = le32_to_cpu(passkey);
1505 smp->passkey_round = 0;
1506
1507 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1508 smp_op = SMP_CMD_PAIRING_CONFIRM;
1509 else
1510 smp_op = 0;
1511
1512 if (sc_passkey_round(smp, smp_op))
1513 return -EIO;
1514
1515 return 0;
1516 }
1517
1518 /* Initiator sends DHKey check first */
1519 if (hcon->out) {
1520 sc_dhkey_check(smp);
1521 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1522 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1523 sc_dhkey_check(smp);
1524 sc_add_ltk(smp);
1525 }
1526
1527 return 0;
1528}
1529
859int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey) 1530int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
860{ 1531{
861 struct l2cap_conn *conn = hcon->l2cap_data; 1532 struct l2cap_conn *conn = hcon->l2cap_data;
@@ -881,6 +1552,11 @@ int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
881 1552
882 smp = chan->data; 1553 smp = chan->data;
883 1554
1555 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1556 err = sc_user_reply(smp, mgmt_op, passkey);
1557 goto unlock;
1558 }
1559
884 switch (mgmt_op) { 1560 switch (mgmt_op) {
885 case MGMT_OP_USER_PASSKEY_REPLY: 1561 case MGMT_OP_USER_PASSKEY_REPLY:
886 value = le32_to_cpu(passkey); 1562 value = le32_to_cpu(passkey);
@@ -916,6 +1592,46 @@ unlock:
916 return err; 1592 return err;
917} 1593}
918 1594
1595static void build_bredr_pairing_cmd(struct smp_chan *smp,
1596 struct smp_cmd_pairing *req,
1597 struct smp_cmd_pairing *rsp)
1598{
1599 struct l2cap_conn *conn = smp->conn;
1600 struct hci_dev *hdev = conn->hcon->hdev;
1601 u8 local_dist = 0, remote_dist = 0;
1602
1603 if (test_bit(HCI_BONDABLE, &hdev->dev_flags)) {
1604 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1605 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1606 }
1607
1608 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
1609 remote_dist |= SMP_DIST_ID_KEY;
1610
1611 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
1612 local_dist |= SMP_DIST_ID_KEY;
1613
1614 if (!rsp) {
1615 memset(req, 0, sizeof(*req));
1616
1617 req->init_key_dist = local_dist;
1618 req->resp_key_dist = remote_dist;
1619 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1620
1621 smp->remote_key_dist = remote_dist;
1622
1623 return;
1624 }
1625
1626 memset(rsp, 0, sizeof(*rsp));
1627
1628 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1629 rsp->init_key_dist = req->init_key_dist & remote_dist;
1630 rsp->resp_key_dist = req->resp_key_dist & local_dist;
1631
1632 smp->remote_key_dist = rsp->init_key_dist;
1633}
1634
919static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb) 1635static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
920{ 1636{
921 struct smp_cmd_pairing rsp, *req = (void *) skb->data; 1637 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
@@ -942,16 +1658,49 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
942 return SMP_UNSPECIFIED; 1658 return SMP_UNSPECIFIED;
943 1659
944 /* We didn't start the pairing, so match remote */ 1660 /* We didn't start the pairing, so match remote */
945 auth = req->auth_req & AUTH_REQ_MASK; 1661 auth = req->auth_req & AUTH_REQ_MASK(hdev);
946 1662
947 if (!test_bit(HCI_BONDABLE, &hdev->dev_flags) && 1663 if (!test_bit(HCI_BONDABLE, &hdev->dev_flags) &&
948 (auth & SMP_AUTH_BONDING)) 1664 (auth & SMP_AUTH_BONDING))
949 return SMP_PAIRING_NOTSUPP; 1665 return SMP_PAIRING_NOTSUPP;
950 1666
1667 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
1668 return SMP_AUTH_REQUIREMENTS;
1669
951 smp->preq[0] = SMP_CMD_PAIRING_REQ; 1670 smp->preq[0] = SMP_CMD_PAIRING_REQ;
952 memcpy(&smp->preq[1], req, sizeof(*req)); 1671 memcpy(&smp->preq[1], req, sizeof(*req));
953 skb_pull(skb, sizeof(*req)); 1672 skb_pull(skb, sizeof(*req));
954 1673
1674 /* SMP over BR/EDR requires special treatment */
1675 if (conn->hcon->type == ACL_LINK) {
1676 /* We must have a BR/EDR SC link */
1677 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags))
1678 return SMP_CROSS_TRANSP_NOT_ALLOWED;
1679
1680 set_bit(SMP_FLAG_SC, &smp->flags);
1681
1682 build_bredr_pairing_cmd(smp, req, &rsp);
1683
1684 key_size = min(req->max_key_size, rsp.max_key_size);
1685 if (check_enc_key_size(conn, key_size))
1686 return SMP_ENC_KEY_SIZE;
1687
1688 /* Clear bits which are generated but not distributed */
1689 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1690
1691 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1692 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1693 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1694
1695 smp_distribute_keys(smp);
1696 return 0;
1697 }
1698
1699 build_pairing_cmd(conn, req, &rsp, auth);
1700
1701 if (rsp.auth_req & SMP_AUTH_SC)
1702 set_bit(SMP_FLAG_SC, &smp->flags);
1703
955 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT) 1704 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
956 sec_level = BT_SECURITY_MEDIUM; 1705 sec_level = BT_SECURITY_MEDIUM;
957 else 1706 else
@@ -970,8 +1719,6 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
970 return SMP_AUTH_REQUIREMENTS; 1719 return SMP_AUTH_REQUIREMENTS;
971 } 1720 }
972 1721
973 build_pairing_cmd(conn, req, &rsp, auth);
974
975 key_size = min(req->max_key_size, rsp.max_key_size); 1722 key_size = min(req->max_key_size, rsp.max_key_size);
976 if (check_enc_key_size(conn, key_size)) 1723 if (check_enc_key_size(conn, key_size))
977 return SMP_ENC_KEY_SIZE; 1724 return SMP_ENC_KEY_SIZE;
@@ -982,7 +1729,18 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
982 memcpy(&smp->prsp[1], &rsp, sizeof(rsp)); 1729 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
983 1730
984 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp); 1731 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
985 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 1732
1733 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1734
1735 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1736 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1737 /* Clear bits which are generated but not distributed */
1738 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1739 /* Wait for Public Key from Initiating Device */
1740 return 0;
1741 } else {
1742 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1743 }
986 1744
987 /* Request setup of TK */ 1745 /* Request setup of TK */
988 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability); 1746 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
@@ -992,11 +1750,46 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
992 return 0; 1750 return 0;
993} 1751}
994 1752
1753static u8 sc_send_public_key(struct smp_chan *smp)
1754{
1755 struct hci_dev *hdev = smp->conn->hcon->hdev;
1756
1757 BT_DBG("");
1758
1759 if (test_bit(HCI_USE_DEBUG_KEYS, &hdev->dev_flags)) {
1760 BT_DBG("Using debug keys");
1761 memcpy(smp->local_pk, debug_pk, 64);
1762 memcpy(smp->local_sk, debug_sk, 32);
1763 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1764 } else {
1765 while (true) {
1766 /* Generate local key pair for Secure Connections */
1767 if (!ecc_make_key(smp->local_pk, smp->local_sk))
1768 return SMP_UNSPECIFIED;
1769
1770 /* This is unlikely, but we need to check that
1771 * we didn't accidentially generate a debug key.
1772 */
1773 if (memcmp(smp->local_sk, debug_sk, 32))
1774 break;
1775 }
1776 }
1777
1778 SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1779 SMP_DBG("Local Public Key Y: %32phN", &smp->local_pk[32]);
1780 SMP_DBG("Local Private Key: %32phN", smp->local_sk);
1781
1782 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1783
1784 return 0;
1785}
1786
995static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb) 1787static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
996{ 1788{
997 struct smp_cmd_pairing *req, *rsp = (void *) skb->data; 1789 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
998 struct l2cap_chan *chan = conn->smp; 1790 struct l2cap_chan *chan = conn->smp;
999 struct smp_chan *smp = chan->data; 1791 struct smp_chan *smp = chan->data;
1792 struct hci_dev *hdev = conn->hcon->hdev;
1000 u8 key_size, auth; 1793 u8 key_size, auth;
1001 int ret; 1794 int ret;
1002 1795
@@ -1016,7 +1809,31 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1016 if (check_enc_key_size(conn, key_size)) 1809 if (check_enc_key_size(conn, key_size))
1017 return SMP_ENC_KEY_SIZE; 1810 return SMP_ENC_KEY_SIZE;
1018 1811
1019 auth = rsp->auth_req & AUTH_REQ_MASK; 1812 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1813
1814 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
1815 return SMP_AUTH_REQUIREMENTS;
1816
1817 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1818 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1819
1820 /* Update remote key distribution in case the remote cleared
1821 * some bits that we had enabled in our request.
1822 */
1823 smp->remote_key_dist &= rsp->resp_key_dist;
1824
1825 /* For BR/EDR this means we're done and can start phase 3 */
1826 if (conn->hcon->type == ACL_LINK) {
1827 /* Clear bits which are generated but not distributed */
1828 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1829 smp_distribute_keys(smp);
1830 return 0;
1831 }
1832
1833 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1834 set_bit(SMP_FLAG_SC, &smp->flags);
1835 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1836 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1020 1837
1021 /* If we need MITM check that it can be achieved */ 1838 /* If we need MITM check that it can be achieved */
1022 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) { 1839 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
@@ -1030,14 +1847,18 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1030 1847
1031 get_random_bytes(smp->prnd, sizeof(smp->prnd)); 1848 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1032 1849
1033 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1034 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1035
1036 /* Update remote key distribution in case the remote cleared 1850 /* Update remote key distribution in case the remote cleared
1037 * some bits that we had enabled in our request. 1851 * some bits that we had enabled in our request.
1038 */ 1852 */
1039 smp->remote_key_dist &= rsp->resp_key_dist; 1853 smp->remote_key_dist &= rsp->resp_key_dist;
1040 1854
1855 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1856 /* Clear bits which are generated but not distributed */
1857 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1858 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1859 return sc_send_public_key(smp);
1860 }
1861
1041 auth |= req->auth_req; 1862 auth |= req->auth_req;
1042 1863
1043 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability); 1864 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
@@ -1053,6 +1874,28 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1053 return 0; 1874 return 0;
1054} 1875}
1055 1876
1877static u8 sc_check_confirm(struct smp_chan *smp)
1878{
1879 struct l2cap_conn *conn = smp->conn;
1880
1881 BT_DBG("");
1882
1883 /* Public Key exchange must happen before any other steps */
1884 if (!test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
1885 return SMP_UNSPECIFIED;
1886
1887 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1888 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
1889
1890 if (conn->hcon->out) {
1891 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1892 smp->prnd);
1893 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1894 }
1895
1896 return 0;
1897}
1898
1056static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb) 1899static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
1057{ 1900{
1058 struct l2cap_chan *chan = conn->smp; 1901 struct l2cap_chan *chan = conn->smp;
@@ -1066,6 +1909,9 @@ static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
1066 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf)); 1909 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
1067 skb_pull(skb, sizeof(smp->pcnf)); 1910 skb_pull(skb, sizeof(smp->pcnf));
1068 1911
1912 if (test_bit(SMP_FLAG_SC, &smp->flags))
1913 return sc_check_confirm(smp);
1914
1069 if (conn->hcon->out) { 1915 if (conn->hcon->out) {
1070 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 1916 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1071 smp->prnd); 1917 smp->prnd);
@@ -1085,6 +1931,10 @@ static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
1085{ 1931{
1086 struct l2cap_chan *chan = conn->smp; 1932 struct l2cap_chan *chan = conn->smp;
1087 struct smp_chan *smp = chan->data; 1933 struct smp_chan *smp = chan->data;
1934 struct hci_conn *hcon = conn->hcon;
1935 u8 *pkax, *pkbx, *na, *nb;
1936 u32 passkey;
1937 int err;
1088 1938
1089 BT_DBG("conn %p", conn); 1939 BT_DBG("conn %p", conn);
1090 1940
@@ -1094,7 +1944,75 @@ static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
1094 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd)); 1944 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
1095 skb_pull(skb, sizeof(smp->rrnd)); 1945 skb_pull(skb, sizeof(smp->rrnd));
1096 1946
1097 return smp_random(smp); 1947 if (!test_bit(SMP_FLAG_SC, &smp->flags))
1948 return smp_random(smp);
1949
1950 if (hcon->out) {
1951 pkax = smp->local_pk;
1952 pkbx = smp->remote_pk;
1953 na = smp->prnd;
1954 nb = smp->rrnd;
1955 } else {
1956 pkax = smp->remote_pk;
1957 pkbx = smp->local_pk;
1958 na = smp->rrnd;
1959 nb = smp->prnd;
1960 }
1961
1962 if (smp->method == REQ_OOB) {
1963 if (!hcon->out)
1964 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1965 sizeof(smp->prnd), smp->prnd);
1966 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1967 goto mackey_and_ltk;
1968 }
1969
1970 /* Passkey entry has special treatment */
1971 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1972 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
1973
1974 if (hcon->out) {
1975 u8 cfm[16];
1976
1977 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1978 smp->rrnd, 0, cfm);
1979 if (err)
1980 return SMP_UNSPECIFIED;
1981
1982 if (memcmp(smp->pcnf, cfm, 16))
1983 return SMP_CONFIRM_FAILED;
1984 } else {
1985 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1986 smp->prnd);
1987 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1988 }
1989
1990mackey_and_ltk:
1991 /* Generate MacKey and LTK */
1992 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
1993 if (err)
1994 return SMP_UNSPECIFIED;
1995
1996 if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
1997 if (hcon->out) {
1998 sc_dhkey_check(smp);
1999 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2000 }
2001 return 0;
2002 }
2003
2004 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2005 if (err)
2006 return SMP_UNSPECIFIED;
2007
2008 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2009 hcon->dst_type, passkey, 0);
2010 if (err)
2011 return SMP_UNSPECIFIED;
2012
2013 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2014
2015 return 0;
1098} 2016}
1099 2017
1100static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level) 2018static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
@@ -1102,8 +2020,7 @@ static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
1102 struct smp_ltk *key; 2020 struct smp_ltk *key;
1103 struct hci_conn *hcon = conn->hcon; 2021 struct hci_conn *hcon = conn->hcon;
1104 2022
1105 key = hci_find_ltk_by_addr(hcon->hdev, &hcon->dst, hcon->dst_type, 2023 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
1106 hcon->role);
1107 if (!key) 2024 if (!key)
1108 return false; 2025 return false;
1109 2026
@@ -1136,8 +2053,7 @@ bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
1136 */ 2053 */
1137 if (key_pref == SMP_USE_LTK && 2054 if (key_pref == SMP_USE_LTK &&
1138 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) && 2055 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
1139 hci_find_ltk_by_addr(hcon->hdev, &hcon->dst, hcon->dst_type, 2056 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
1140 hcon->role))
1141 return false; 2057 return false;
1142 2058
1143 if (hcon->sec_level >= sec_level) 2059 if (hcon->sec_level >= sec_level)
@@ -1151,6 +2067,7 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
1151 struct smp_cmd_security_req *rp = (void *) skb->data; 2067 struct smp_cmd_security_req *rp = (void *) skb->data;
1152 struct smp_cmd_pairing cp; 2068 struct smp_cmd_pairing cp;
1153 struct hci_conn *hcon = conn->hcon; 2069 struct hci_conn *hcon = conn->hcon;
2070 struct hci_dev *hdev = hcon->hdev;
1154 struct smp_chan *smp; 2071 struct smp_chan *smp;
1155 u8 sec_level, auth; 2072 u8 sec_level, auth;
1156 2073
@@ -1162,7 +2079,10 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
1162 if (hcon->role != HCI_ROLE_MASTER) 2079 if (hcon->role != HCI_ROLE_MASTER)
1163 return SMP_CMD_NOTSUPP; 2080 return SMP_CMD_NOTSUPP;
1164 2081
1165 auth = rp->auth_req & AUTH_REQ_MASK; 2082 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2083
2084 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
2085 return SMP_AUTH_REQUIREMENTS;
1166 2086
1167 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT) 2087 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1168 sec_level = BT_SECURITY_MEDIUM; 2088 sec_level = BT_SECURITY_MEDIUM;
@@ -1245,6 +2165,9 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
1245 2165
1246 authreq = seclevel_to_authreq(sec_level); 2166 authreq = seclevel_to_authreq(sec_level);
1247 2167
2168 if (test_bit(HCI_SC_ENABLED, &hcon->hdev->dev_flags))
2169 authreq |= SMP_AUTH_SC;
2170
1248 /* Require MITM if IO Capability allows or the security level 2171 /* Require MITM if IO Capability allows or the security level
1249 * requires it. 2172 * requires it.
1250 */ 2173 */
@@ -1432,6 +2355,234 @@ static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
1432 return 0; 2355 return 0;
1433} 2356}
1434 2357
2358static u8 sc_select_method(struct smp_chan *smp)
2359{
2360 struct l2cap_conn *conn = smp->conn;
2361 struct hci_conn *hcon = conn->hcon;
2362 struct smp_cmd_pairing *local, *remote;
2363 u8 local_mitm, remote_mitm, local_io, remote_io, method;
2364
2365 if (test_bit(SMP_FLAG_OOB, &smp->flags))
2366 return REQ_OOB;
2367
2368 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2369 * which are needed as inputs to some crypto functions. To get
2370 * the "struct smp_cmd_pairing" from them we need to skip the
2371 * first byte which contains the opcode.
2372 */
2373 if (hcon->out) {
2374 local = (void *) &smp->preq[1];
2375 remote = (void *) &smp->prsp[1];
2376 } else {
2377 local = (void *) &smp->prsp[1];
2378 remote = (void *) &smp->preq[1];
2379 }
2380
2381 local_io = local->io_capability;
2382 remote_io = remote->io_capability;
2383
2384 local_mitm = (local->auth_req & SMP_AUTH_MITM);
2385 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2386
2387 /* If either side wants MITM, look up the method from the table,
2388 * otherwise use JUST WORKS.
2389 */
2390 if (local_mitm || remote_mitm)
2391 method = get_auth_method(smp, local_io, remote_io);
2392 else
2393 method = JUST_WORKS;
2394
2395 /* Don't confirm locally initiated pairing attempts */
2396 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2397 method = JUST_WORKS;
2398
2399 return method;
2400}
2401
2402static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2403{
2404 struct smp_cmd_public_key *key = (void *) skb->data;
2405 struct hci_conn *hcon = conn->hcon;
2406 struct l2cap_chan *chan = conn->smp;
2407 struct smp_chan *smp = chan->data;
2408 struct hci_dev *hdev = hcon->hdev;
2409 struct smp_cmd_pairing_confirm cfm;
2410 int err;
2411
2412 BT_DBG("conn %p", conn);
2413
2414 if (skb->len < sizeof(*key))
2415 return SMP_INVALID_PARAMS;
2416
2417 memcpy(smp->remote_pk, key, 64);
2418
2419 /* Non-initiating device sends its public key after receiving
2420 * the key from the initiating device.
2421 */
2422 if (!hcon->out) {
2423 err = sc_send_public_key(smp);
2424 if (err)
2425 return err;
2426 }
2427
2428 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2429 SMP_DBG("Remote Public Key Y: %32phN", &smp->remote_pk[32]);
2430
2431 if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2432 return SMP_UNSPECIFIED;
2433
2434 SMP_DBG("DHKey %32phN", smp->dhkey);
2435
2436 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2437
2438 smp->method = sc_select_method(smp);
2439
2440 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2441
2442 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2443 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2444 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2445 else
2446 hcon->pending_sec_level = BT_SECURITY_FIPS;
2447
2448 if (!memcmp(debug_pk, smp->remote_pk, 64))
2449 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2450
2451 if (smp->method == DSP_PASSKEY) {
2452 get_random_bytes(&hcon->passkey_notify,
2453 sizeof(hcon->passkey_notify));
2454 hcon->passkey_notify %= 1000000;
2455 hcon->passkey_entered = 0;
2456 smp->passkey_round = 0;
2457 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2458 hcon->dst_type,
2459 hcon->passkey_notify,
2460 hcon->passkey_entered))
2461 return SMP_UNSPECIFIED;
2462 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2463 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2464 }
2465
2466 if (smp->method == REQ_OOB) {
2467 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2468 smp->rr, 0, cfm.confirm_val);
2469 if (err)
2470 return SMP_UNSPECIFIED;
2471
2472 if (memcmp(cfm.confirm_val, smp->pcnf, 16))
2473 return SMP_CONFIRM_FAILED;
2474
2475 if (hcon->out)
2476 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2477 sizeof(smp->prnd), smp->prnd);
2478
2479 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2480
2481 return 0;
2482 }
2483
2484 if (hcon->out)
2485 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2486
2487 if (smp->method == REQ_PASSKEY) {
2488 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2489 hcon->dst_type))
2490 return SMP_UNSPECIFIED;
2491 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2492 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2493 return 0;
2494 }
2495
2496 /* The Initiating device waits for the non-initiating device to
2497 * send the confirm value.
2498 */
2499 if (conn->hcon->out)
2500 return 0;
2501
2502 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2503 0, cfm.confirm_val);
2504 if (err)
2505 return SMP_UNSPECIFIED;
2506
2507 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2508 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2509
2510 return 0;
2511}
2512
2513static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2514{
2515 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2516 struct l2cap_chan *chan = conn->smp;
2517 struct hci_conn *hcon = conn->hcon;
2518 struct smp_chan *smp = chan->data;
2519 u8 a[7], b[7], *local_addr, *remote_addr;
2520 u8 io_cap[3], r[16], e[16];
2521 int err;
2522
2523 BT_DBG("conn %p", conn);
2524
2525 if (skb->len < sizeof(*check))
2526 return SMP_INVALID_PARAMS;
2527
2528 memcpy(a, &hcon->init_addr, 6);
2529 memcpy(b, &hcon->resp_addr, 6);
2530 a[6] = hcon->init_addr_type;
2531 b[6] = hcon->resp_addr_type;
2532
2533 if (hcon->out) {
2534 local_addr = a;
2535 remote_addr = b;
2536 memcpy(io_cap, &smp->prsp[1], 3);
2537 } else {
2538 local_addr = b;
2539 remote_addr = a;
2540 memcpy(io_cap, &smp->preq[1], 3);
2541 }
2542
2543 memset(r, 0, sizeof(r));
2544
2545 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2546 put_unaligned_le32(hcon->passkey_notify, r);
2547
2548 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2549 io_cap, remote_addr, local_addr, e);
2550 if (err)
2551 return SMP_UNSPECIFIED;
2552
2553 if (memcmp(check->e, e, 16))
2554 return SMP_DHKEY_CHECK_FAILED;
2555
2556 if (!hcon->out) {
2557 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2558 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2559 return 0;
2560 }
2561
2562 /* Slave sends DHKey check as response to master */
2563 sc_dhkey_check(smp);
2564 }
2565
2566 sc_add_ltk(smp);
2567
2568 if (hcon->out) {
2569 hci_le_start_enc(hcon, 0, 0, smp->tk);
2570 hcon->enc_key_size = smp->enc_key_size;
2571 }
2572
2573 return 0;
2574}
2575
2576static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2577 struct sk_buff *skb)
2578{
2579 struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2580
2581 BT_DBG("value 0x%02x", kp->value);
2582
2583 return 0;
2584}
2585
1435static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb) 2586static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
1436{ 2587{
1437 struct l2cap_conn *conn = chan->conn; 2588 struct l2cap_conn *conn = chan->conn;
@@ -1440,11 +2591,6 @@ static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
1440 __u8 code, reason; 2591 __u8 code, reason;
1441 int err = 0; 2592 int err = 0;
1442 2593
1443 if (hcon->type != LE_LINK) {
1444 kfree_skb(skb);
1445 return 0;
1446 }
1447
1448 if (skb->len < 1) 2594 if (skb->len < 1)
1449 return -EILSEQ; 2595 return -EILSEQ;
1450 2596
@@ -1516,6 +2662,18 @@ static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
1516 reason = smp_cmd_sign_info(conn, skb); 2662 reason = smp_cmd_sign_info(conn, skb);
1517 break; 2663 break;
1518 2664
2665 case SMP_CMD_PUBLIC_KEY:
2666 reason = smp_cmd_public_key(conn, skb);
2667 break;
2668
2669 case SMP_CMD_DHKEY_CHECK:
2670 reason = smp_cmd_dhkey_check(conn, skb);
2671 break;
2672
2673 case SMP_CMD_KEYPRESS_NOTIFY:
2674 reason = smp_cmd_keypress_notify(conn, skb);
2675 break;
2676
1519 default: 2677 default:
1520 BT_DBG("Unknown command code 0x%2.2x", code); 2678 BT_DBG("Unknown command code 0x%2.2x", code);
1521 reason = SMP_CMD_NOTSUPP; 2679 reason = SMP_CMD_NOTSUPP;
@@ -1551,6 +2709,74 @@ static void smp_teardown_cb(struct l2cap_chan *chan, int err)
1551 l2cap_chan_put(chan); 2709 l2cap_chan_put(chan);
1552} 2710}
1553 2711
2712static void bredr_pairing(struct l2cap_chan *chan)
2713{
2714 struct l2cap_conn *conn = chan->conn;
2715 struct hci_conn *hcon = conn->hcon;
2716 struct hci_dev *hdev = hcon->hdev;
2717 struct smp_cmd_pairing req;
2718 struct smp_chan *smp;
2719
2720 BT_DBG("chan %p", chan);
2721
2722 /* Only new pairings are interesting */
2723 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2724 return;
2725
2726 /* Don't bother if we're not encrypted */
2727 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2728 return;
2729
2730 /* Only master may initiate SMP over BR/EDR */
2731 if (hcon->role != HCI_ROLE_MASTER)
2732 return;
2733
2734 /* Secure Connections support must be enabled */
2735 if (!test_bit(HCI_SC_ENABLED, &hdev->dev_flags))
2736 return;
2737
2738 /* BR/EDR must use Secure Connections for SMP */
2739 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
2740 !test_bit(HCI_FORCE_LESC, &hdev->dbg_flags))
2741 return;
2742
2743 /* If our LE support is not enabled don't do anything */
2744 if (!test_bit(HCI_LE_ENABLED, &hdev->dev_flags))
2745 return;
2746
2747 /* Don't bother if remote LE support is not enabled */
2748 if (!lmp_host_le_capable(hcon))
2749 return;
2750
2751 /* Remote must support SMP fixed chan for BR/EDR */
2752 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
2753 return;
2754
2755 /* Don't bother if SMP is already ongoing */
2756 if (chan->data)
2757 return;
2758
2759 smp = smp_chan_create(conn);
2760 if (!smp) {
2761 BT_ERR("%s unable to create SMP context for BR/EDR",
2762 hdev->name);
2763 return;
2764 }
2765
2766 set_bit(SMP_FLAG_SC, &smp->flags);
2767
2768 BT_DBG("%s starting SMP over BR/EDR", hdev->name);
2769
2770 /* Prepare and send the BR/EDR SMP Pairing Request */
2771 build_bredr_pairing_cmd(smp, &req, NULL);
2772
2773 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2774 memcpy(&smp->preq[1], &req, sizeof(req));
2775
2776 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
2777 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2778}
2779
1554static void smp_resume_cb(struct l2cap_chan *chan) 2780static void smp_resume_cb(struct l2cap_chan *chan)
1555{ 2781{
1556 struct smp_chan *smp = chan->data; 2782 struct smp_chan *smp = chan->data;
@@ -1559,6 +2785,11 @@ static void smp_resume_cb(struct l2cap_chan *chan)
1559 2785
1560 BT_DBG("chan %p", chan); 2786 BT_DBG("chan %p", chan);
1561 2787
2788 if (hcon->type == ACL_LINK) {
2789 bredr_pairing(chan);
2790 return;
2791 }
2792
1562 if (!smp) 2793 if (!smp)
1563 return; 2794 return;
1564 2795
@@ -1573,11 +2804,15 @@ static void smp_resume_cb(struct l2cap_chan *chan)
1573static void smp_ready_cb(struct l2cap_chan *chan) 2804static void smp_ready_cb(struct l2cap_chan *chan)
1574{ 2805{
1575 struct l2cap_conn *conn = chan->conn; 2806 struct l2cap_conn *conn = chan->conn;
2807 struct hci_conn *hcon = conn->hcon;
1576 2808
1577 BT_DBG("chan %p", chan); 2809 BT_DBG("chan %p", chan);
1578 2810
1579 conn->smp = chan; 2811 conn->smp = chan;
1580 l2cap_chan_hold(chan); 2812 l2cap_chan_hold(chan);
2813
2814 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2815 bredr_pairing(chan);
1581} 2816}
1582 2817
1583static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) 2818static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
@@ -1682,34 +2917,40 @@ static const struct l2cap_ops smp_root_chan_ops = {
1682 .memcpy_fromiovec = l2cap_chan_no_memcpy_fromiovec, 2917 .memcpy_fromiovec = l2cap_chan_no_memcpy_fromiovec,
1683}; 2918};
1684 2919
1685int smp_register(struct hci_dev *hdev) 2920static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
1686{ 2921{
1687 struct l2cap_chan *chan; 2922 struct l2cap_chan *chan;
1688 struct crypto_blkcipher *tfm_aes; 2923 struct crypto_blkcipher *tfm_aes;
1689 2924
1690 BT_DBG("%s", hdev->name); 2925 if (cid == L2CAP_CID_SMP_BREDR) {
2926 tfm_aes = NULL;
2927 goto create_chan;
2928 }
1691 2929
1692 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, 0); 2930 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, 0);
1693 if (IS_ERR(tfm_aes)) { 2931 if (IS_ERR(tfm_aes)) {
1694 int err = PTR_ERR(tfm_aes);
1695 BT_ERR("Unable to create crypto context"); 2932 BT_ERR("Unable to create crypto context");
1696 return err; 2933 return ERR_PTR(PTR_ERR(tfm_aes));
1697 } 2934 }
1698 2935
2936create_chan:
1699 chan = l2cap_chan_create(); 2937 chan = l2cap_chan_create();
1700 if (!chan) { 2938 if (!chan) {
1701 crypto_free_blkcipher(tfm_aes); 2939 crypto_free_blkcipher(tfm_aes);
1702 return -ENOMEM; 2940 return ERR_PTR(-ENOMEM);
1703 } 2941 }
1704 2942
1705 chan->data = tfm_aes; 2943 chan->data = tfm_aes;
1706 2944
1707 l2cap_add_scid(chan, L2CAP_CID_SMP); 2945 l2cap_add_scid(chan, cid);
1708 2946
1709 l2cap_chan_set_defaults(chan); 2947 l2cap_chan_set_defaults(chan);
1710 2948
1711 bacpy(&chan->src, &hdev->bdaddr); 2949 bacpy(&chan->src, &hdev->bdaddr);
1712 chan->src_type = BDADDR_LE_PUBLIC; 2950 if (cid == L2CAP_CID_SMP)
2951 chan->src_type = BDADDR_LE_PUBLIC;
2952 else
2953 chan->src_type = BDADDR_BREDR;
1713 chan->state = BT_LISTEN; 2954 chan->state = BT_LISTEN;
1714 chan->mode = L2CAP_MODE_BASIC; 2955 chan->mode = L2CAP_MODE_BASIC;
1715 chan->imtu = L2CAP_DEFAULT_MTU; 2956 chan->imtu = L2CAP_DEFAULT_MTU;
@@ -1718,20 +2959,14 @@ int smp_register(struct hci_dev *hdev)
1718 /* Set correct nesting level for a parent/listening channel */ 2959 /* Set correct nesting level for a parent/listening channel */
1719 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT); 2960 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
1720 2961
1721 hdev->smp_data = chan; 2962 return chan;
1722
1723 return 0;
1724} 2963}
1725 2964
1726void smp_unregister(struct hci_dev *hdev) 2965static void smp_del_chan(struct l2cap_chan *chan)
1727{ 2966{
1728 struct l2cap_chan *chan = hdev->smp_data; 2967 struct crypto_blkcipher *tfm_aes;
1729 struct crypto_blkcipher *tfm_aes;
1730
1731 if (!chan)
1732 return;
1733 2968
1734 BT_DBG("%s chan %p", hdev->name, chan); 2969 BT_DBG("chan %p", chan);
1735 2970
1736 tfm_aes = chan->data; 2971 tfm_aes = chan->data;
1737 if (tfm_aes) { 2972 if (tfm_aes) {
@@ -1739,6 +2974,52 @@ void smp_unregister(struct hci_dev *hdev)
1739 crypto_free_blkcipher(tfm_aes); 2974 crypto_free_blkcipher(tfm_aes);
1740 } 2975 }
1741 2976
1742 hdev->smp_data = NULL;
1743 l2cap_chan_put(chan); 2977 l2cap_chan_put(chan);
1744} 2978}
2979
2980int smp_register(struct hci_dev *hdev)
2981{
2982 struct l2cap_chan *chan;
2983
2984 BT_DBG("%s", hdev->name);
2985
2986 chan = smp_add_cid(hdev, L2CAP_CID_SMP);
2987 if (IS_ERR(chan))
2988 return PTR_ERR(chan);
2989
2990 hdev->smp_data = chan;
2991
2992 if (!lmp_sc_capable(hdev) &&
2993 !test_bit(HCI_FORCE_LESC, &hdev->dbg_flags))
2994 return 0;
2995
2996 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
2997 if (IS_ERR(chan)) {
2998 int err = PTR_ERR(chan);
2999 chan = hdev->smp_data;
3000 hdev->smp_data = NULL;
3001 smp_del_chan(chan);
3002 return err;
3003 }
3004
3005 hdev->smp_bredr_data = chan;
3006
3007 return 0;
3008}
3009
3010void smp_unregister(struct hci_dev *hdev)
3011{
3012 struct l2cap_chan *chan;
3013
3014 if (hdev->smp_bredr_data) {
3015 chan = hdev->smp_bredr_data;
3016 hdev->smp_bredr_data = NULL;
3017 smp_del_chan(chan);
3018 }
3019
3020 if (hdev->smp_data) {
3021 chan = hdev->smp_data;
3022 hdev->smp_data = NULL;
3023 smp_del_chan(chan);
3024 }
3025}
diff --git a/net/bluetooth/smp.h b/net/bluetooth/smp.h
index f76083b85005..3296bf42ae80 100644
--- a/net/bluetooth/smp.h
+++ b/net/bluetooth/smp.h
@@ -50,10 +50,13 @@ struct smp_cmd_pairing {
50#define SMP_DIST_ENC_KEY 0x01 50#define SMP_DIST_ENC_KEY 0x01
51#define SMP_DIST_ID_KEY 0x02 51#define SMP_DIST_ID_KEY 0x02
52#define SMP_DIST_SIGN 0x04 52#define SMP_DIST_SIGN 0x04
53#define SMP_DIST_LINK_KEY 0x08
53 54
54#define SMP_AUTH_NONE 0x00 55#define SMP_AUTH_NONE 0x00
55#define SMP_AUTH_BONDING 0x01 56#define SMP_AUTH_BONDING 0x01
56#define SMP_AUTH_MITM 0x04 57#define SMP_AUTH_MITM 0x04
58#define SMP_AUTH_SC 0x08
59#define SMP_AUTH_KEYPRESS 0x10
57 60
58#define SMP_CMD_PAIRING_CONFIRM 0x03 61#define SMP_CMD_PAIRING_CONFIRM 0x03
59struct smp_cmd_pairing_confirm { 62struct smp_cmd_pairing_confirm {
@@ -102,7 +105,23 @@ struct smp_cmd_security_req {
102 __u8 auth_req; 105 __u8 auth_req;
103} __packed; 106} __packed;
104 107
105#define SMP_CMD_MAX 0x0b 108#define SMP_CMD_PUBLIC_KEY 0x0c
109struct smp_cmd_public_key {
110 __u8 x[32];
111 __u8 y[32];
112} __packed;
113
114#define SMP_CMD_DHKEY_CHECK 0x0d
115struct smp_cmd_dhkey_check {
116 __u8 e[16];
117} __packed;
118
119#define SMP_CMD_KEYPRESS_NOTIFY 0x0e
120struct smp_cmd_keypress_notify {
121 __u8 value;
122} __packed;
123
124#define SMP_CMD_MAX 0x0e
106 125
107#define SMP_PASSKEY_ENTRY_FAILED 0x01 126#define SMP_PASSKEY_ENTRY_FAILED 0x01
108#define SMP_OOB_NOT_AVAIL 0x02 127#define SMP_OOB_NOT_AVAIL 0x02
@@ -114,6 +133,10 @@ struct smp_cmd_security_req {
114#define SMP_UNSPECIFIED 0x08 133#define SMP_UNSPECIFIED 0x08
115#define SMP_REPEATED_ATTEMPTS 0x09 134#define SMP_REPEATED_ATTEMPTS 0x09
116#define SMP_INVALID_PARAMS 0x0a 135#define SMP_INVALID_PARAMS 0x0a
136#define SMP_DHKEY_CHECK_FAILED 0x0b
137#define SMP_NUMERIC_COMP_FAILED 0x0c
138#define SMP_BREDR_PAIRING_IN_PROGRESS 0x0d
139#define SMP_CROSS_TRANSP_NOT_ALLOWED 0x0e
117 140
118#define SMP_MIN_ENC_KEY_SIZE 7 141#define SMP_MIN_ENC_KEY_SIZE 7
119#define SMP_MAX_ENC_KEY_SIZE 16 142#define SMP_MAX_ENC_KEY_SIZE 16
@@ -123,12 +146,29 @@ enum {
123 SMP_STK, 146 SMP_STK,
124 SMP_LTK, 147 SMP_LTK,
125 SMP_LTK_SLAVE, 148 SMP_LTK_SLAVE,
149 SMP_LTK_P256,
150 SMP_LTK_P256_DEBUG,
126}; 151};
127 152
153static inline bool smp_ltk_is_sc(struct smp_ltk *key)
154{
155 switch (key->type) {
156 case SMP_LTK_P256:
157 case SMP_LTK_P256_DEBUG:
158 return true;
159 }
160
161 return false;
162}
163
128static inline u8 smp_ltk_sec_level(struct smp_ltk *key) 164static inline u8 smp_ltk_sec_level(struct smp_ltk *key)
129{ 165{
130 if (key->authenticated) 166 if (key->authenticated) {
131 return BT_SECURITY_HIGH; 167 if (smp_ltk_is_sc(key))
168 return BT_SECURITY_FIPS;
169 else
170 return BT_SECURITY_HIGH;
171 }
132 172
133 return BT_SECURITY_MEDIUM; 173 return BT_SECURITY_MEDIUM;
134} 174}
@@ -145,8 +185,9 @@ bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
145int smp_conn_security(struct hci_conn *hcon, __u8 sec_level); 185int smp_conn_security(struct hci_conn *hcon, __u8 sec_level);
146int smp_user_confirm_reply(struct hci_conn *conn, u16 mgmt_op, __le32 passkey); 186int smp_user_confirm_reply(struct hci_conn *conn, u16 mgmt_op, __le32 passkey);
147 187
148bool smp_irk_matches(struct hci_dev *hdev, u8 irk[16], bdaddr_t *bdaddr); 188bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
149int smp_generate_rpa(struct hci_dev *hdev, u8 irk[16], bdaddr_t *rpa); 189 const bdaddr_t *bdaddr);
190int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa);
150 191
151int smp_register(struct hci_dev *hdev); 192int smp_register(struct hci_dev *hdev);
152void smp_unregister(struct hci_dev *hdev); 193void smp_unregister(struct hci_dev *hdev);
diff --git a/net/ieee802154/6lowpan_rtnl.c b/net/ieee802154/6lowpan_rtnl.c
index 16f5e91bd390..27eaa65e88e1 100644
--- a/net/ieee802154/6lowpan_rtnl.c
+++ b/net/ieee802154/6lowpan_rtnl.c
@@ -439,7 +439,6 @@ static void lowpan_set_lockdep_class_one(struct net_device *dev,
439 &lowpan_netdev_xmit_lock_key); 439 &lowpan_netdev_xmit_lock_key);
440} 440}
441 441
442
443static int lowpan_dev_init(struct net_device *dev) 442static int lowpan_dev_init(struct net_device *dev)
444{ 443{
445 netdev_for_each_tx_queue(dev, lowpan_set_lockdep_class_one, NULL); 444 netdev_for_each_tx_queue(dev, lowpan_set_lockdep_class_one, NULL);
diff --git a/net/ieee802154/af_ieee802154.c b/net/ieee802154/af_ieee802154.c
index 26da1e179737..d0a1282cdf43 100644
--- a/net/ieee802154/af_ieee802154.c
+++ b/net/ieee802154/af_ieee802154.c
@@ -99,6 +99,7 @@ static int ieee802154_sock_release(struct socket *sock)
99 } 99 }
100 return 0; 100 return 0;
101} 101}
102
102static int ieee802154_sock_sendmsg(struct kiocb *iocb, struct socket *sock, 103static int ieee802154_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
103 struct msghdr *msg, size_t len) 104 struct msghdr *msg, size_t len)
104{ 105{
@@ -231,7 +232,6 @@ static const struct proto_ops ieee802154_dgram_ops = {
231#endif 232#endif
232}; 233};
233 234
234
235/* Create a socket. Initialise the socket, blank the addresses 235/* Create a socket. Initialise the socket, blank the addresses
236 * set the state. 236 * set the state.
237 */ 237 */
@@ -320,7 +320,6 @@ drop:
320 return NET_RX_DROP; 320 return NET_RX_DROP;
321} 321}
322 322
323
324static struct packet_type ieee802154_packet_type = { 323static struct packet_type ieee802154_packet_type = {
325 .type = htons(ETH_P_IEEE802154), 324 .type = htons(ETH_P_IEEE802154),
326 .func = ieee802154_rcv, 325 .func = ieee802154_rcv,
@@ -354,6 +353,7 @@ err_dgram:
354out: 353out:
355 return rc; 354 return rc;
356} 355}
356
357static void __exit af_ieee802154_remove(void) 357static void __exit af_ieee802154_remove(void)
358{ 358{
359 dev_remove_pack(&ieee802154_packet_type); 359 dev_remove_pack(&ieee802154_packet_type);
diff --git a/net/ieee802154/dgram.c b/net/ieee802154/dgram.c
index 3d58befef467..8db240b0f82b 100644
--- a/net/ieee802154/dgram.c
+++ b/net/ieee802154/dgram.c
@@ -154,7 +154,6 @@ static int dgram_ioctl(struct sock *sk, int cmd, unsigned long arg)
154 spin_unlock_bh(&sk->sk_receive_queue.lock); 154 spin_unlock_bh(&sk->sk_receive_queue.lock);
155 return put_user(amount, (int __user *)arg); 155 return put_user(amount, (int __user *)arg);
156 } 156 }
157
158 } 157 }
159 158
160 return -ENOIOCTLCMD; 159 return -ENOIOCTLCMD;
diff --git a/net/ieee802154/netlink.c b/net/ieee802154/netlink.c
index 6ad0da38ba9d..fa1464762d0d 100644
--- a/net/ieee802154/netlink.c
+++ b/net/ieee802154/netlink.c
@@ -73,7 +73,7 @@ out:
73} 73}
74 74
75struct sk_buff *ieee802154_nl_new_reply(struct genl_info *info, 75struct sk_buff *ieee802154_nl_new_reply(struct genl_info *info,
76 int flags, u8 req) 76 int flags, u8 req)
77{ 77{
78 void *hdr; 78 void *hdr;
79 struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 79 struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
@@ -147,7 +147,6 @@ static const struct genl_multicast_group ieee802154_mcgrps[] = {
147 [IEEE802154_BEACON_MCGRP] = { .name = IEEE802154_MCAST_BEACON_NAME, }, 147 [IEEE802154_BEACON_MCGRP] = { .name = IEEE802154_MCAST_BEACON_NAME, },
148}; 148};
149 149
150
151int __init ieee802154_nl_init(void) 150int __init ieee802154_nl_init(void)
152{ 151{
153 return genl_register_family_with_ops_groups(&nl802154_family, 152 return genl_register_family_with_ops_groups(&nl802154_family,
diff --git a/net/ieee802154/nl-mac.c b/net/ieee802154/nl-mac.c
index 1f085ed944d2..cd919493c976 100644
--- a/net/ieee802154/nl-mac.c
+++ b/net/ieee802154/nl-mac.c
@@ -346,7 +346,6 @@ int ieee802154_start_req(struct sk_buff *skb, struct genl_info *info)
346 else 346 else
347 page = 0; 347 page = 0;
348 348
349
350 if (addr.short_addr == cpu_to_le16(IEEE802154_ADDR_BROADCAST)) { 349 if (addr.short_addr == cpu_to_le16(IEEE802154_ADDR_BROADCAST)) {
351 ieee802154_nl_start_confirm(dev, IEEE802154_NO_SHORT_ADDRESS); 350 ieee802154_nl_start_confirm(dev, IEEE802154_NO_SHORT_ADDRESS);
352 dev_put(dev); 351 dev_put(dev);
@@ -397,7 +396,6 @@ int ieee802154_scan_req(struct sk_buff *skb, struct genl_info *info)
397 else 396 else
398 page = 0; 397 page = 0;
399 398
400
401 ret = ieee802154_mlme_ops(dev)->scan_req(dev, type, channels, 399 ret = ieee802154_mlme_ops(dev)->scan_req(dev, type, channels,
402 page, duration); 400 page, duration);
403 401
@@ -548,8 +546,6 @@ out:
548 return rc; 546 return rc;
549} 547}
550 548
551
552
553static int 549static int
554ieee802154_llsec_parse_key_id(struct genl_info *info, 550ieee802154_llsec_parse_key_id(struct genl_info *info,
555 struct ieee802154_llsec_key_id *desc) 551 struct ieee802154_llsec_key_id *desc)
@@ -765,8 +761,6 @@ out:
765 return rc; 761 return rc;
766} 762}
767 763
768
769
770struct llsec_dump_data { 764struct llsec_dump_data {
771 struct sk_buff *skb; 765 struct sk_buff *skb;
772 int s_idx, s_idx2; 766 int s_idx, s_idx2;
@@ -843,8 +837,6 @@ ieee802154_nl_llsec_change(struct sk_buff *skb, struct genl_info *info,
843 return rc; 837 return rc;
844} 838}
845 839
846
847
848static int 840static int
849ieee802154_llsec_parse_key(struct genl_info *info, 841ieee802154_llsec_parse_key(struct genl_info *info,
850 struct ieee802154_llsec_key *key) 842 struct ieee802154_llsec_key *key)
@@ -989,8 +981,6 @@ int ieee802154_llsec_dump_keys(struct sk_buff *skb, struct netlink_callback *cb)
989 return ieee802154_llsec_dump_table(skb, cb, llsec_iter_keys); 981 return ieee802154_llsec_dump_table(skb, cb, llsec_iter_keys);
990} 982}
991 983
992
993
994static int 984static int
995llsec_parse_dev(struct genl_info *info, 985llsec_parse_dev(struct genl_info *info,
996 struct ieee802154_llsec_device *dev) 986 struct ieee802154_llsec_device *dev)
@@ -1121,8 +1111,6 @@ int ieee802154_llsec_dump_devs(struct sk_buff *skb, struct netlink_callback *cb)
1121 return ieee802154_llsec_dump_table(skb, cb, llsec_iter_devs); 1111 return ieee802154_llsec_dump_table(skb, cb, llsec_iter_devs);
1122} 1112}
1123 1113
1124
1125
1126static int llsec_add_devkey(struct net_device *dev, struct genl_info *info) 1114static int llsec_add_devkey(struct net_device *dev, struct genl_info *info)
1127{ 1115{
1128 struct ieee802154_mlme_ops *ops = ieee802154_mlme_ops(dev); 1116 struct ieee802154_mlme_ops *ops = ieee802154_mlme_ops(dev);
@@ -1237,8 +1225,6 @@ int ieee802154_llsec_dump_devkeys(struct sk_buff *skb,
1237 return ieee802154_llsec_dump_table(skb, cb, llsec_iter_devkeys); 1225 return ieee802154_llsec_dump_table(skb, cb, llsec_iter_devkeys);
1238} 1226}
1239 1227
1240
1241
1242static int 1228static int
1243llsec_parse_seclevel(struct genl_info *info, 1229llsec_parse_seclevel(struct genl_info *info,
1244 struct ieee802154_llsec_seclevel *sl) 1230 struct ieee802154_llsec_seclevel *sl)
diff --git a/net/ieee802154/nl-phy.c b/net/ieee802154/nl-phy.c
index 62463544d056..7baf98b14611 100644
--- a/net/ieee802154/nl-phy.c
+++ b/net/ieee802154/nl-phy.c
@@ -94,7 +94,6 @@ int ieee802154_list_phy(struct sk_buff *skb, struct genl_info *info)
94 if (name[nla_len(info->attrs[IEEE802154_ATTR_PHY_NAME]) - 1] != '\0') 94 if (name[nla_len(info->attrs[IEEE802154_ATTR_PHY_NAME]) - 1] != '\0')
95 return -EINVAL; /* phy name should be null-terminated */ 95 return -EINVAL; /* phy name should be null-terminated */
96 96
97
98 phy = wpan_phy_find(name); 97 phy = wpan_phy_find(name);
99 if (!phy) 98 if (!phy)
100 return -ENODEV; 99 return -ENODEV;
diff --git a/net/ieee802154/raw.c b/net/ieee802154/raw.c
index 3ffcf4a9de01..f0c61e5b806e 100644
--- a/net/ieee802154/raw.c
+++ b/net/ieee802154/raw.c
@@ -221,7 +221,6 @@ static int raw_rcv_skb(struct sock *sk, struct sk_buff *skb)
221 return NET_RX_SUCCESS; 221 return NET_RX_SUCCESS;
222} 222}
223 223
224
225void ieee802154_raw_deliver(struct net_device *dev, struct sk_buff *skb) 224void ieee802154_raw_deliver(struct net_device *dev, struct sk_buff *skb)
226{ 225{
227 struct sock *sk; 226 struct sock *sk;
diff --git a/net/mac802154/llsec.c b/net/mac802154/llsec.c
index fa0d5237c2e0..dcf73958133a 100644
--- a/net/mac802154/llsec.c
+++ b/net/mac802154/llsec.c
@@ -75,8 +75,6 @@ void mac802154_llsec_destroy(struct mac802154_llsec *sec)
75 } 75 }
76} 76}
77 77
78
79
80int mac802154_llsec_get_params(struct mac802154_llsec *sec, 78int mac802154_llsec_get_params(struct mac802154_llsec *sec,
81 struct ieee802154_llsec_params *params) 79 struct ieee802154_llsec_params *params)
82{ 80{
@@ -117,8 +115,6 @@ int mac802154_llsec_set_params(struct mac802154_llsec *sec,
117 return 0; 115 return 0;
118} 116}
119 117
120
121
122static struct mac802154_llsec_key* 118static struct mac802154_llsec_key*
123llsec_key_alloc(const struct ieee802154_llsec_key *template) 119llsec_key_alloc(const struct ieee802154_llsec_key *template)
124{ 120{
@@ -294,8 +290,6 @@ int mac802154_llsec_key_del(struct mac802154_llsec *sec,
294 return -ENOENT; 290 return -ENOENT;
295} 291}
296 292
297
298
299static bool llsec_dev_use_shortaddr(__le16 short_addr) 293static bool llsec_dev_use_shortaddr(__le16 short_addr)
300{ 294{
301 return short_addr != cpu_to_le16(IEEE802154_ADDR_UNDEF) && 295 return short_addr != cpu_to_le16(IEEE802154_ADDR_UNDEF) &&
@@ -304,12 +298,12 @@ static bool llsec_dev_use_shortaddr(__le16 short_addr)
304 298
305static u32 llsec_dev_hash_short(__le16 short_addr, __le16 pan_id) 299static u32 llsec_dev_hash_short(__le16 short_addr, __le16 pan_id)
306{ 300{
307 return ((__force u16) short_addr) << 16 | (__force u16) pan_id; 301 return ((__force u16)short_addr) << 16 | (__force u16)pan_id;
308} 302}
309 303
310static u64 llsec_dev_hash_long(__le64 hwaddr) 304static u64 llsec_dev_hash_long(__le64 hwaddr)
311{ 305{
312 return (__force u64) hwaddr; 306 return (__force u64)hwaddr;
313} 307}
314 308
315static struct mac802154_llsec_device* 309static struct mac802154_llsec_device*
@@ -411,8 +405,6 @@ int mac802154_llsec_dev_del(struct mac802154_llsec *sec, __le64 device_addr)
411 return 0; 405 return 0;
412} 406}
413 407
414
415
416static struct mac802154_llsec_device_key* 408static struct mac802154_llsec_device_key*
417llsec_devkey_find(struct mac802154_llsec_device *dev, 409llsec_devkey_find(struct mac802154_llsec_device *dev,
418 const struct ieee802154_llsec_key_id *key) 410 const struct ieee802154_llsec_key_id *key)
@@ -475,8 +467,6 @@ int mac802154_llsec_devkey_del(struct mac802154_llsec *sec,
475 return 0; 467 return 0;
476} 468}
477 469
478
479
480static struct mac802154_llsec_seclevel* 470static struct mac802154_llsec_seclevel*
481llsec_find_seclevel(const struct mac802154_llsec *sec, 471llsec_find_seclevel(const struct mac802154_llsec *sec,
482 const struct ieee802154_llsec_seclevel *sl) 472 const struct ieee802154_llsec_seclevel *sl)
@@ -532,8 +522,6 @@ int mac802154_llsec_seclevel_del(struct mac802154_llsec *sec,
532 return 0; 522 return 0;
533} 523}
534 524
535
536
537static int llsec_recover_addr(struct mac802154_llsec *sec, 525static int llsec_recover_addr(struct mac802154_llsec *sec,
538 struct ieee802154_addr *addr) 526 struct ieee802154_addr *addr)
539{ 527{
@@ -609,7 +597,6 @@ found:
609 return llsec_key_get(key); 597 return llsec_key_get(key);
610} 598}
611 599
612
613static void llsec_geniv(u8 iv[16], __le64 addr, 600static void llsec_geniv(u8 iv[16], __le64 addr,
614 const struct ieee802154_sechdr *sec) 601 const struct ieee802154_sechdr *sec)
615{ 602{
@@ -786,8 +773,6 @@ fail:
786 return rc; 773 return rc;
787} 774}
788 775
789
790
791static struct mac802154_llsec_device* 776static struct mac802154_llsec_device*
792llsec_lookup_dev(struct mac802154_llsec *sec, 777llsec_lookup_dev(struct mac802154_llsec *sec,
793 const struct ieee802154_addr *addr) 778 const struct ieee802154_addr *addr)
diff --git a/net/mac802154/mib.c b/net/mac802154/mib.c
index 3596b29ead6b..5cf019a57fd7 100644
--- a/net/mac802154/mib.c
+++ b/net/mac802154/mib.c
@@ -104,7 +104,6 @@ void mac802154_dev_set_page_channel(struct net_device *dev, u8 page, u8 chan)
104 } 104 }
105} 105}
106 106
107
108int mac802154_get_params(struct net_device *dev, 107int mac802154_get_params(struct net_device *dev,
109 struct ieee802154_llsec_params *params) 108 struct ieee802154_llsec_params *params)
110{ 109{
@@ -136,7 +135,6 @@ int mac802154_set_params(struct net_device *dev,
136 return res; 135 return res;
137} 136}
138 137
139
140int mac802154_add_key(struct net_device *dev, 138int mac802154_add_key(struct net_device *dev,
141 const struct ieee802154_llsec_key_id *id, 139 const struct ieee802154_llsec_key_id *id,
142 const struct ieee802154_llsec_key *key) 140 const struct ieee802154_llsec_key *key)
@@ -168,7 +166,6 @@ int mac802154_del_key(struct net_device *dev,
168 return res; 166 return res;
169} 167}
170 168
171
172int mac802154_add_dev(struct net_device *dev, 169int mac802154_add_dev(struct net_device *dev,
173 const struct ieee802154_llsec_device *llsec_dev) 170 const struct ieee802154_llsec_device *llsec_dev)
174{ 171{
@@ -198,7 +195,6 @@ int mac802154_del_dev(struct net_device *dev, __le64 dev_addr)
198 return res; 195 return res;
199} 196}
200 197
201
202int mac802154_add_devkey(struct net_device *dev, 198int mac802154_add_devkey(struct net_device *dev,
203 __le64 device_addr, 199 __le64 device_addr,
204 const struct ieee802154_llsec_device_key *key) 200 const struct ieee802154_llsec_device_key *key)
@@ -231,7 +227,6 @@ int mac802154_del_devkey(struct net_device *dev,
231 return res; 227 return res;
232} 228}
233 229
234
235int mac802154_add_seclevel(struct net_device *dev, 230int mac802154_add_seclevel(struct net_device *dev,
236 const struct ieee802154_llsec_seclevel *sl) 231 const struct ieee802154_llsec_seclevel *sl)
237{ 232{
@@ -262,7 +257,6 @@ int mac802154_del_seclevel(struct net_device *dev,
262 return res; 257 return res;
263} 258}
264 259
265
266void mac802154_lock_table(struct net_device *dev) 260void mac802154_lock_table(struct net_device *dev)
267{ 261{
268 struct ieee802154_sub_if_data *sdata = IEEE802154_DEV_TO_SUB_IF(dev); 262 struct ieee802154_sub_if_data *sdata = IEEE802154_DEV_TO_SUB_IF(dev);
diff --git a/net/mac802154/rx.c b/net/mac802154/rx.c
index 041dbd5958d4..c0d67b2b4132 100644
--- a/net/mac802154/rx.c
+++ b/net/mac802154/rx.c
@@ -85,8 +85,7 @@ ieee802154_subif_frame(struct ieee802154_sub_if_data *sdata,
85 default: 85 default:
86 spin_unlock_bh(&sdata->mib_lock); 86 spin_unlock_bh(&sdata->mib_lock);
87 pr_debug("invalid dest mode\n"); 87 pr_debug("invalid dest mode\n");
88 kfree_skb(skb); 88 goto fail;
89 return NET_RX_DROP;
90 } 89 }
91 90
92 spin_unlock_bh(&sdata->mib_lock); 91 spin_unlock_bh(&sdata->mib_lock);
generated by cgit v1.2.2 (git 2.25.0) at 2025-01-04 20:38:38 -0500