xref: /linux/net/bluetooth/smp.c (revision 300a0cfe9f375b2843bcb331bcfa7503475ef5dd)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4 
5    This program is free software; you can redistribute it and/or modify
6    it under the terms of the GNU General Public License version 2 as
7    published by the Free Software Foundation;
8 
9    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 
18    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20    SOFTWARE IS DISCLAIMED.
21 */
22 
23 #include <linux/debugfs.h>
24 #include <linux/scatterlist.h>
25 #include <crypto/aes.h>
26 #include <crypto/hash.h>
27 #include <crypto/kpp.h>
28 #include <crypto/utils.h>
29 
30 #include <net/bluetooth/bluetooth.h>
31 #include <net/bluetooth/hci_core.h>
32 #include <net/bluetooth/l2cap.h>
33 #include <net/bluetooth/mgmt.h>
34 
35 #include "ecdh_helper.h"
36 #include "smp.h"
37 
38 #define SMP_DEV(hdev) \
39 	((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
40 
41 /* Low-level debug macros to be used for stuff that we don't want
42  * accidentally in dmesg, i.e. the values of the various crypto keys
43  * and the inputs & outputs of crypto functions.
44  */
45 #ifdef DEBUG
46 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
47 				 ##__VA_ARGS__)
48 #else
49 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
50 				    ##__VA_ARGS__)
51 #endif
52 
53 #define SMP_ALLOW_CMD(smp, code)	set_bit(code, &smp->allow_cmd)
54 
55 /* Keys which are not distributed with Secure Connections */
56 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY)
57 
58 #define SMP_TIMEOUT	secs_to_jiffies(30)
59 
60 #define ID_ADDR_TIMEOUT	msecs_to_jiffies(200)
61 
62 #define AUTH_REQ_MASK(dev)	(hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
63 				 0x3f : 0x07)
64 #define KEY_DIST_MASK		0x07
65 
66 /* Maximum message length that can be passed to aes_cmac */
67 #define CMAC_MSG_MAX	80
68 
69 enum {
70 	SMP_FLAG_TK_VALID,
71 	SMP_FLAG_CFM_PENDING,
72 	SMP_FLAG_MITM_AUTH,
73 	SMP_FLAG_COMPLETE,
74 	SMP_FLAG_INITIATOR,
75 	SMP_FLAG_SC,
76 	SMP_FLAG_REMOTE_PK,
77 	SMP_FLAG_DEBUG_KEY,
78 	SMP_FLAG_WAIT_USER,
79 	SMP_FLAG_DHKEY_PENDING,
80 	SMP_FLAG_REMOTE_OOB,
81 	SMP_FLAG_LOCAL_OOB,
82 	SMP_FLAG_CT2,
83 };
84 
85 struct smp_dev {
86 	/* Secure Connections OOB data */
87 	bool			local_oob;
88 	u8			local_pk[64];
89 	u8			local_rand[16];
90 	bool			debug_key;
91 
92 	struct crypto_shash	*tfm_cmac;
93 	struct crypto_kpp	*tfm_ecdh;
94 };
95 
96 struct smp_chan {
97 	struct l2cap_conn	*conn;
98 	struct delayed_work	security_timer;
99 	unsigned long           allow_cmd; /* Bitmask of allowed commands */
100 
101 	u8		preq[7]; /* SMP Pairing Request */
102 	u8		prsp[7]; /* SMP Pairing Response */
103 	u8		prnd[16]; /* SMP Pairing Random (local) */
104 	u8		rrnd[16]; /* SMP Pairing Random (remote) */
105 	u8		pcnf[16]; /* SMP Pairing Confirm */
106 	u8		tk[16]; /* SMP Temporary Key */
107 	u8		rr[16]; /* Remote OOB ra/rb value */
108 	u8		lr[16]; /* Local OOB ra/rb value */
109 	u8		enc_key_size;
110 	u8		remote_key_dist;
111 	bdaddr_t	id_addr;
112 	u8		id_addr_type;
113 	u8		irk[16];
114 	struct smp_csrk	*csrk;
115 	struct smp_csrk	*responder_csrk;
116 	struct smp_ltk	*ltk;
117 	struct smp_ltk	*responder_ltk;
118 	struct smp_irk	*remote_irk;
119 	u8		*link_key;
120 	unsigned long	flags;
121 	u8		method;
122 	u8		passkey_round;
123 
124 	/* Secure Connections variables */
125 	u8			local_pk[64];
126 	u8			remote_pk[64];
127 	u8			dhkey[32];
128 	u8			mackey[16];
129 
130 	struct crypto_shash	*tfm_cmac;
131 	struct crypto_kpp	*tfm_ecdh;
132 };
133 
134 /* These debug key values are defined in the SMP section of the core
135  * specification. debug_pk is the public debug key and debug_sk the
136  * private debug key.
137  */
138 static const u8 debug_pk[64] = {
139 		0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
140 		0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
141 		0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
142 		0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
143 
144 		0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
145 		0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
146 		0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
147 		0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
148 };
149 
150 static const u8 debug_sk[32] = {
151 		0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
152 		0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
153 		0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
154 		0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
155 };
156 
157 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
158 {
159 	size_t i;
160 
161 	for (i = 0; i < len; i++)
162 		dst[len - 1 - i] = src[i];
163 }
164 
165 /* The following functions map to the LE SC SMP crypto functions
166  * AES-CMAC, f4, f5, f6, g2 and h6.
167  */
168 
169 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
170 		    size_t len, u8 mac[16])
171 {
172 	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
173 	int err;
174 
175 	if (len > CMAC_MSG_MAX)
176 		return -EFBIG;
177 
178 	if (!tfm) {
179 		BT_ERR("tfm %p", tfm);
180 		return -EINVAL;
181 	}
182 
183 	/* Swap key and message from LSB to MSB */
184 	swap_buf(k, tmp, 16);
185 	swap_buf(m, msg_msb, len);
186 
187 	SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
188 	SMP_DBG("key %16phN", k);
189 
190 	err = crypto_shash_setkey(tfm, tmp, 16);
191 	if (err) {
192 		BT_ERR("cipher setkey failed: %d", err);
193 		return err;
194 	}
195 
196 	err = crypto_shash_tfm_digest(tfm, msg_msb, len, mac_msb);
197 	if (err) {
198 		BT_ERR("Hash computation error %d", err);
199 		return err;
200 	}
201 
202 	swap_buf(mac_msb, mac, 16);
203 
204 	SMP_DBG("mac %16phN", mac);
205 
206 	return 0;
207 }
208 
209 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
210 		  const u8 v[32], const u8 x[16], u8 z, u8 res[16])
211 {
212 	u8 m[65];
213 	int err;
214 
215 	SMP_DBG("u %32phN", u);
216 	SMP_DBG("v %32phN", v);
217 	SMP_DBG("x %16phN z %02x", x, z);
218 
219 	m[0] = z;
220 	memcpy(m + 1, v, 32);
221 	memcpy(m + 33, u, 32);
222 
223 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
224 	if (err)
225 		return err;
226 
227 	SMP_DBG("res %16phN", res);
228 
229 	return err;
230 }
231 
232 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
233 		  const u8 n1[16], const u8 n2[16], const u8 a1[7],
234 		  const u8 a2[7], u8 mackey[16], u8 ltk[16])
235 {
236 	/* The btle, salt and length "magic" values are as defined in
237 	 * the SMP section of the Bluetooth core specification. In ASCII
238 	 * the btle value ends up being 'btle'. The salt is just a
239 	 * random number whereas length is the value 256 in little
240 	 * endian format.
241 	 */
242 	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
243 	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
244 			      0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
245 	const u8 length[2] = { 0x00, 0x01 };
246 	u8 m[53], t[16];
247 	int err;
248 
249 	SMP_DBG("w %32phN", w);
250 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
251 	SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
252 
253 	err = aes_cmac(tfm_cmac, salt, w, 32, t);
254 	if (err)
255 		return err;
256 
257 	SMP_DBG("t %16phN", t);
258 
259 	memcpy(m, length, 2);
260 	memcpy(m + 2, a2, 7);
261 	memcpy(m + 9, a1, 7);
262 	memcpy(m + 16, n2, 16);
263 	memcpy(m + 32, n1, 16);
264 	memcpy(m + 48, btle, 4);
265 
266 	m[52] = 0; /* Counter */
267 
268 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
269 	if (err)
270 		return err;
271 
272 	SMP_DBG("mackey %16phN", mackey);
273 
274 	m[52] = 1; /* Counter */
275 
276 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
277 	if (err)
278 		return err;
279 
280 	SMP_DBG("ltk %16phN", ltk);
281 
282 	return 0;
283 }
284 
285 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
286 		  const u8 n1[16], const u8 n2[16], const u8 r[16],
287 		  const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
288 		  u8 res[16])
289 {
290 	u8 m[65];
291 	int err;
292 
293 	SMP_DBG("w %16phN", w);
294 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
295 	SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
296 
297 	memcpy(m, a2, 7);
298 	memcpy(m + 7, a1, 7);
299 	memcpy(m + 14, io_cap, 3);
300 	memcpy(m + 17, r, 16);
301 	memcpy(m + 33, n2, 16);
302 	memcpy(m + 49, n1, 16);
303 
304 	err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
305 	if (err)
306 		return err;
307 
308 	SMP_DBG("res %16phN", res);
309 
310 	return err;
311 }
312 
313 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
314 		  const u8 x[16], const u8 y[16], u32 *val)
315 {
316 	u8 m[80], tmp[16];
317 	int err;
318 
319 	SMP_DBG("u %32phN", u);
320 	SMP_DBG("v %32phN", v);
321 	SMP_DBG("x %16phN y %16phN", x, y);
322 
323 	memcpy(m, y, 16);
324 	memcpy(m + 16, v, 32);
325 	memcpy(m + 48, u, 32);
326 
327 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
328 	if (err)
329 		return err;
330 
331 	*val = get_unaligned_le32(tmp);
332 	*val %= 1000000;
333 
334 	SMP_DBG("val %06u", *val);
335 
336 	return 0;
337 }
338 
339 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
340 		  const u8 key_id[4], u8 res[16])
341 {
342 	int err;
343 
344 	SMP_DBG("w %16phN key_id %4phN", w, key_id);
345 
346 	err = aes_cmac(tfm_cmac, w, key_id, 4, res);
347 	if (err)
348 		return err;
349 
350 	SMP_DBG("res %16phN", res);
351 
352 	return err;
353 }
354 
355 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
356 		  const u8 salt[16], u8 res[16])
357 {
358 	int err;
359 
360 	SMP_DBG("w %16phN salt %16phN", w, salt);
361 
362 	err = aes_cmac(tfm_cmac, salt, w, 16, res);
363 	if (err)
364 		return err;
365 
366 	SMP_DBG("res %16phN", res);
367 
368 	return err;
369 }
370 
371 /* The following functions map to the legacy SMP crypto functions e, c1,
372  * s1 and ah.
373  */
374 
375 static int smp_e(const u8 *k, u8 *r)
376 {
377 	struct crypto_aes_ctx ctx;
378 	uint8_t tmp[16], data[16];
379 	int err;
380 
381 	SMP_DBG("k %16phN r %16phN", k, r);
382 
383 	/* The most significant octet of key corresponds to k[0] */
384 	swap_buf(k, tmp, 16);
385 
386 	err = aes_expandkey(&ctx, tmp, 16);
387 	if (err) {
388 		BT_ERR("cipher setkey failed: %d", err);
389 		return err;
390 	}
391 
392 	/* Most significant octet of plaintextData corresponds to data[0] */
393 	swap_buf(r, data, 16);
394 
395 	aes_encrypt(&ctx, data, data);
396 
397 	/* Most significant octet of encryptedData corresponds to data[0] */
398 	swap_buf(data, r, 16);
399 
400 	SMP_DBG("r %16phN", r);
401 
402 	memzero_explicit(&ctx, sizeof(ctx));
403 	return err;
404 }
405 
406 static int smp_c1(const u8 k[16],
407 		  const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
408 		  const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
409 {
410 	u8 p1[16], p2[16];
411 	int err;
412 
413 	SMP_DBG("k %16phN r %16phN", k, r);
414 	SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
415 	SMP_DBG("preq %7phN pres %7phN", preq, pres);
416 
417 	memset(p1, 0, 16);
418 
419 	/* p1 = pres || preq || _rat || _iat */
420 	p1[0] = _iat;
421 	p1[1] = _rat;
422 	memcpy(p1 + 2, preq, 7);
423 	memcpy(p1 + 9, pres, 7);
424 
425 	SMP_DBG("p1 %16phN", p1);
426 
427 	/* res = r XOR p1 */
428 	crypto_xor_cpy(res, r, p1, sizeof(p1));
429 
430 	/* res = e(k, res) */
431 	err = smp_e(k, res);
432 	if (err) {
433 		BT_ERR("Encrypt data error");
434 		return err;
435 	}
436 
437 	/* p2 = padding || ia || ra */
438 	memcpy(p2, ra, 6);
439 	memcpy(p2 + 6, ia, 6);
440 	memset(p2 + 12, 0, 4);
441 
442 	SMP_DBG("p2 %16phN", p2);
443 
444 	/* res = res XOR p2 */
445 	crypto_xor(res, p2, sizeof(p2));
446 
447 	/* res = e(k, res) */
448 	err = smp_e(k, res);
449 	if (err)
450 		BT_ERR("Encrypt data error");
451 
452 	return err;
453 }
454 
455 static int smp_s1(const u8 k[16],
456 		  const u8 r1[16], const u8 r2[16], u8 _r[16])
457 {
458 	int err;
459 
460 	/* Just least significant octets from r1 and r2 are considered */
461 	memcpy(_r, r2, 8);
462 	memcpy(_r + 8, r1, 8);
463 
464 	err = smp_e(k, _r);
465 	if (err)
466 		BT_ERR("Encrypt data error");
467 
468 	return err;
469 }
470 
471 static int smp_ah(const u8 irk[16], const u8 r[3], u8 res[3])
472 {
473 	u8 _res[16];
474 	int err;
475 
476 	/* r' = padding || r */
477 	memcpy(_res, r, 3);
478 	memset(_res + 3, 0, 13);
479 
480 	err = smp_e(irk, _res);
481 	if (err) {
482 		BT_ERR("Encrypt error");
483 		return err;
484 	}
485 
486 	/* The output of the random address function ah is:
487 	 *	ah(k, r) = e(k, r') mod 2^24
488 	 * The output of the security function e is then truncated to 24 bits
489 	 * by taking the least significant 24 bits of the output of e as the
490 	 * result of ah.
491 	 */
492 	memcpy(res, _res, 3);
493 
494 	return 0;
495 }
496 
497 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
498 		     const bdaddr_t *bdaddr)
499 {
500 	struct l2cap_chan *chan = hdev->smp_data;
501 	u8 hash[3];
502 	int err;
503 
504 	if (!chan || !chan->data)
505 		return false;
506 
507 	bt_dev_dbg(hdev, "RPA %pMR IRK %*phN", bdaddr, 16, irk);
508 
509 	err = smp_ah(irk, &bdaddr->b[3], hash);
510 	if (err)
511 		return false;
512 
513 	return !crypto_memneq(bdaddr->b, hash, 3);
514 }
515 
516 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
517 {
518 	struct l2cap_chan *chan = hdev->smp_data;
519 	int err;
520 
521 	if (!chan || !chan->data)
522 		return -EOPNOTSUPP;
523 
524 	get_random_bytes(&rpa->b[3], 3);
525 
526 	rpa->b[5] &= 0x3f;	/* Clear two most significant bits */
527 	rpa->b[5] |= 0x40;	/* Set second most significant bit */
528 
529 	err = smp_ah(irk, &rpa->b[3], rpa->b);
530 	if (err < 0)
531 		return err;
532 
533 	bt_dev_dbg(hdev, "RPA %pMR", rpa);
534 
535 	return 0;
536 }
537 
538 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
539 {
540 	struct l2cap_chan *chan = hdev->smp_data;
541 	struct smp_dev *smp;
542 	int err;
543 
544 	if (!chan || !chan->data)
545 		return -EOPNOTSUPP;
546 
547 	smp = chan->data;
548 
549 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
550 		bt_dev_dbg(hdev, "Using debug keys");
551 		err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk);
552 		if (err)
553 			return err;
554 		memcpy(smp->local_pk, debug_pk, 64);
555 		smp->debug_key = true;
556 	} else {
557 		while (true) {
558 			/* Generate key pair for Secure Connections */
559 			err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk);
560 			if (err)
561 				return err;
562 
563 			/* This is unlikely, but we need to check that
564 			 * we didn't accidentally generate a debug key.
565 			 */
566 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
567 				break;
568 		}
569 		smp->debug_key = false;
570 	}
571 
572 	SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
573 	SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
574 
575 	get_random_bytes(smp->local_rand, 16);
576 
577 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
578 		     smp->local_rand, 0, hash);
579 	if (err < 0)
580 		return err;
581 
582 	memcpy(rand, smp->local_rand, 16);
583 
584 	smp->local_oob = true;
585 
586 	return 0;
587 }
588 
589 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
590 {
591 	struct l2cap_chan *chan = conn->smp;
592 	struct smp_chan *smp;
593 	struct kvec iv[2];
594 	struct msghdr msg;
595 
596 	if (!chan)
597 		return;
598 
599 	bt_dev_dbg(conn->hcon->hdev, "code 0x%2.2x", code);
600 
601 	iv[0].iov_base = &code;
602 	iv[0].iov_len = 1;
603 
604 	iv[1].iov_base = data;
605 	iv[1].iov_len = len;
606 
607 	memset(&msg, 0, sizeof(msg));
608 
609 	iov_iter_kvec(&msg.msg_iter, ITER_SOURCE, iv, 2, 1 + len);
610 
611 	l2cap_chan_send(chan, &msg, 1 + len, NULL);
612 
613 	if (!chan->data)
614 		return;
615 
616 	smp = chan->data;
617 
618 	cancel_delayed_work_sync(&smp->security_timer);
619 	schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
620 }
621 
622 static u8 authreq_to_seclevel(u8 authreq)
623 {
624 	if (authreq & SMP_AUTH_MITM) {
625 		if (authreq & SMP_AUTH_SC)
626 			return BT_SECURITY_FIPS;
627 		else
628 			return BT_SECURITY_HIGH;
629 	} else {
630 		return BT_SECURITY_MEDIUM;
631 	}
632 }
633 
634 static __u8 seclevel_to_authreq(__u8 sec_level)
635 {
636 	switch (sec_level) {
637 	case BT_SECURITY_FIPS:
638 	case BT_SECURITY_HIGH:
639 		return SMP_AUTH_MITM | SMP_AUTH_BONDING;
640 	case BT_SECURITY_MEDIUM:
641 		return SMP_AUTH_BONDING;
642 	default:
643 		return SMP_AUTH_NONE;
644 	}
645 }
646 
647 static void build_pairing_cmd(struct l2cap_conn *conn,
648 			      struct smp_cmd_pairing *req,
649 			      struct smp_cmd_pairing *rsp, __u8 authreq)
650 {
651 	struct l2cap_chan *chan = conn->smp;
652 	struct smp_chan *smp = chan->data;
653 	struct hci_conn *hcon = conn->hcon;
654 	struct hci_dev *hdev = hcon->hdev;
655 	u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
656 
657 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
658 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
659 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
660 		authreq |= SMP_AUTH_BONDING;
661 	} else {
662 		authreq &= ~SMP_AUTH_BONDING;
663 	}
664 
665 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
666 		remote_dist |= SMP_DIST_ID_KEY;
667 
668 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
669 		local_dist |= SMP_DIST_ID_KEY;
670 
671 	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
672 	    (authreq & SMP_AUTH_SC)) {
673 		struct oob_data *oob_data;
674 		u8 bdaddr_type;
675 
676 		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
677 			local_dist |= SMP_DIST_LINK_KEY;
678 			remote_dist |= SMP_DIST_LINK_KEY;
679 		}
680 
681 		if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
682 			bdaddr_type = BDADDR_LE_PUBLIC;
683 		else
684 			bdaddr_type = BDADDR_LE_RANDOM;
685 
686 		oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
687 						    bdaddr_type);
688 		if (oob_data && oob_data->present) {
689 			set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
690 			oob_flag = SMP_OOB_PRESENT;
691 			memcpy(smp->rr, oob_data->rand256, 16);
692 			memcpy(smp->pcnf, oob_data->hash256, 16);
693 			SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
694 			SMP_DBG("OOB Remote Random: %16phN", smp->rr);
695 		}
696 
697 	} else {
698 		authreq &= ~SMP_AUTH_SC;
699 	}
700 
701 	if (rsp == NULL) {
702 		req->io_capability = conn->hcon->io_capability;
703 		req->oob_flag = oob_flag;
704 		req->max_key_size = hdev->le_max_key_size;
705 		req->init_key_dist = local_dist;
706 		req->resp_key_dist = remote_dist;
707 		req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
708 
709 		smp->remote_key_dist = remote_dist;
710 		return;
711 	}
712 
713 	rsp->io_capability = conn->hcon->io_capability;
714 	rsp->oob_flag = oob_flag;
715 	rsp->max_key_size = hdev->le_max_key_size;
716 	rsp->init_key_dist = req->init_key_dist & remote_dist;
717 	rsp->resp_key_dist = req->resp_key_dist & local_dist;
718 	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
719 
720 	smp->remote_key_dist = rsp->init_key_dist;
721 }
722 
723 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
724 {
725 	struct l2cap_chan *chan = conn->smp;
726 	struct hci_dev *hdev = conn->hcon->hdev;
727 	struct smp_chan *smp = chan->data;
728 
729 	if (conn->hcon->pending_sec_level == BT_SECURITY_FIPS &&
730 	    max_key_size != SMP_MAX_ENC_KEY_SIZE)
731 		return SMP_ENC_KEY_SIZE;
732 
733 	if (max_key_size > hdev->le_max_key_size ||
734 	    max_key_size < SMP_MIN_ENC_KEY_SIZE)
735 		return SMP_ENC_KEY_SIZE;
736 
737 	smp->enc_key_size = max_key_size;
738 
739 	return 0;
740 }
741 
742 static void smp_chan_destroy(struct l2cap_conn *conn)
743 {
744 	struct l2cap_chan *chan = conn->smp;
745 	struct smp_chan *smp = chan->data;
746 	struct hci_conn *hcon = conn->hcon;
747 	bool complete;
748 
749 	BUG_ON(!smp);
750 
751 	cancel_delayed_work_sync(&smp->security_timer);
752 
753 	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
754 	mgmt_smp_complete(hcon, complete);
755 
756 	kfree_sensitive(smp->csrk);
757 	kfree_sensitive(smp->responder_csrk);
758 	kfree_sensitive(smp->link_key);
759 
760 	crypto_free_shash(smp->tfm_cmac);
761 	crypto_free_kpp(smp->tfm_ecdh);
762 
763 	/* Ensure that we don't leave any debug key around if debug key
764 	 * support hasn't been explicitly enabled.
765 	 */
766 	if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
767 	    !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
768 		list_del_rcu(&smp->ltk->list);
769 		kfree_rcu(smp->ltk, rcu);
770 		smp->ltk = NULL;
771 	}
772 
773 	/* If pairing failed clean up any keys we might have */
774 	if (!complete) {
775 		if (smp->ltk) {
776 			list_del_rcu(&smp->ltk->list);
777 			kfree_rcu(smp->ltk, rcu);
778 		}
779 
780 		if (smp->responder_ltk) {
781 			list_del_rcu(&smp->responder_ltk->list);
782 			kfree_rcu(smp->responder_ltk, rcu);
783 		}
784 
785 		if (smp->remote_irk) {
786 			list_del_rcu(&smp->remote_irk->list);
787 			kfree_rcu(smp->remote_irk, rcu);
788 		}
789 	}
790 
791 	chan->data = NULL;
792 	kfree_sensitive(smp);
793 	hci_conn_drop(hcon);
794 }
795 
796 static void smp_failure(struct l2cap_conn *conn, u8 reason)
797 {
798 	struct hci_conn *hcon = conn->hcon;
799 	struct l2cap_chan *chan = conn->smp;
800 
801 	if (reason)
802 		smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
803 			     &reason);
804 
805 	mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
806 
807 	if (chan->data)
808 		smp_chan_destroy(conn);
809 }
810 
811 #define JUST_WORKS	0x00
812 #define JUST_CFM	0x01
813 #define REQ_PASSKEY	0x02
814 #define CFM_PASSKEY	0x03
815 #define REQ_OOB		0x04
816 #define DSP_PASSKEY	0x05
817 #define OVERLAP		0xFF
818 
819 static const u8 gen_method[5][5] = {
820 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
821 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
822 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
823 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
824 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
825 };
826 
827 static const u8 sc_method[5][5] = {
828 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
829 	{ JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
830 	{ DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
831 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
832 	{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
833 };
834 
835 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
836 {
837 	/* If either side has unknown io_caps, use JUST_CFM (which gets
838 	 * converted later to JUST_WORKS if we're initiators.
839 	 */
840 	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
841 	    remote_io > SMP_IO_KEYBOARD_DISPLAY)
842 		return JUST_CFM;
843 
844 	if (test_bit(SMP_FLAG_SC, &smp->flags))
845 		return sc_method[remote_io][local_io];
846 
847 	return gen_method[remote_io][local_io];
848 }
849 
850 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
851 						u8 local_io, u8 remote_io)
852 {
853 	struct hci_conn *hcon = conn->hcon;
854 	struct l2cap_chan *chan = conn->smp;
855 	struct smp_chan *smp = chan->data;
856 	u32 passkey = 0;
857 	int ret;
858 
859 	/* Initialize key for JUST WORKS */
860 	memset(smp->tk, 0, sizeof(smp->tk));
861 	clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
862 
863 	bt_dev_dbg(hcon->hdev, "auth:%u lcl:%u rem:%u", auth, local_io,
864 		   remote_io);
865 
866 	/* If neither side wants MITM, either "just" confirm an incoming
867 	 * request or use just-works for outgoing ones. The JUST_CFM
868 	 * will be converted to JUST_WORKS if necessary later in this
869 	 * function. If either side has MITM look up the method from the
870 	 * table.
871 	 */
872 	if (!(auth & SMP_AUTH_MITM))
873 		smp->method = JUST_CFM;
874 	else
875 		smp->method = get_auth_method(smp, local_io, remote_io);
876 
877 	/* Don't confirm locally initiated pairing attempts */
878 	if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
879 						&smp->flags))
880 		smp->method = JUST_WORKS;
881 
882 	/* Don't bother user space with no IO capabilities */
883 	if (smp->method == JUST_CFM &&
884 	    hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
885 		smp->method = JUST_WORKS;
886 
887 	/* If Just Works, Continue with Zero TK and ask user-space for
888 	 * confirmation */
889 	if (smp->method == JUST_WORKS) {
890 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
891 						hcon->type,
892 						hcon->dst_type,
893 						passkey, 1);
894 		if (ret)
895 			return ret;
896 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
897 		return 0;
898 	}
899 
900 	/* If this function is used for SC -> legacy fallback we
901 	 * can only recover the just-works case.
902 	 */
903 	if (test_bit(SMP_FLAG_SC, &smp->flags))
904 		return -EINVAL;
905 
906 	/* Not Just Works/Confirm results in MITM Authentication */
907 	if (smp->method != JUST_CFM) {
908 		set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
909 		if (hcon->pending_sec_level < BT_SECURITY_HIGH)
910 			hcon->pending_sec_level = BT_SECURITY_HIGH;
911 	}
912 
913 	/* If both devices have Keyboard-Display I/O, the initiator
914 	 * Confirms and the responder Enters the passkey.
915 	 */
916 	if (smp->method == OVERLAP) {
917 		if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
918 			smp->method = CFM_PASSKEY;
919 		else
920 			smp->method = REQ_PASSKEY;
921 	}
922 
923 	/* Generate random passkey. */
924 	if (smp->method == CFM_PASSKEY) {
925 		memset(smp->tk, 0, sizeof(smp->tk));
926 		get_random_bytes(&passkey, sizeof(passkey));
927 		passkey %= 1000000;
928 		put_unaligned_le32(passkey, smp->tk);
929 		bt_dev_dbg(hcon->hdev, "PassKey: %u", passkey);
930 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
931 	}
932 
933 	if (smp->method == REQ_PASSKEY)
934 		ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
935 						hcon->type, hcon->dst_type);
936 	else if (smp->method == JUST_CFM)
937 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
938 						hcon->type, hcon->dst_type,
939 						passkey, 1);
940 	else
941 		ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
942 						hcon->type, hcon->dst_type,
943 						passkey, 0);
944 
945 	return ret;
946 }
947 
948 static u8 smp_confirm(struct smp_chan *smp)
949 {
950 	struct l2cap_conn *conn = smp->conn;
951 	struct smp_cmd_pairing_confirm cp;
952 	int ret;
953 
954 	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
955 
956 	ret = smp_c1(smp->tk, smp->prnd, smp->preq, smp->prsp,
957 		     conn->hcon->init_addr_type, &conn->hcon->init_addr,
958 		     conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
959 		     cp.confirm_val);
960 	if (ret)
961 		return SMP_UNSPECIFIED;
962 
963 	clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
964 
965 	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
966 
967 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
968 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
969 	else
970 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
971 
972 	return 0;
973 }
974 
975 static u8 smp_random(struct smp_chan *smp)
976 {
977 	struct l2cap_conn *conn = smp->conn;
978 	struct hci_conn *hcon = conn->hcon;
979 	u8 confirm[16];
980 	int ret;
981 
982 	bt_dev_dbg(conn->hcon->hdev, "conn %p %s", conn,
983 		   test_bit(SMP_FLAG_INITIATOR, &smp->flags) ? "initiator" :
984 		   "responder");
985 
986 	ret = smp_c1(smp->tk, smp->rrnd, smp->preq, smp->prsp,
987 		     hcon->init_addr_type, &hcon->init_addr,
988 		     hcon->resp_addr_type, &hcon->resp_addr, confirm);
989 	if (ret)
990 		return SMP_UNSPECIFIED;
991 
992 	if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
993 		bt_dev_err(hcon->hdev, "pairing failed "
994 			   "(confirmation values mismatch)");
995 		return SMP_CONFIRM_FAILED;
996 	}
997 
998 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
999 		u8 stk[16];
1000 		__le64 rand = 0;
1001 		__le16 ediv = 0;
1002 
1003 		smp_s1(smp->tk, smp->rrnd, smp->prnd, stk);
1004 
1005 		if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1006 			return SMP_UNSPECIFIED;
1007 
1008 		hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1009 		hcon->enc_key_size = smp->enc_key_size;
1010 		set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1011 	} else {
1012 		u8 stk[16], auth;
1013 		__le64 rand = 0;
1014 		__le16 ediv = 0;
1015 
1016 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1017 			     smp->prnd);
1018 
1019 		smp_s1(smp->tk, smp->prnd, smp->rrnd, stk);
1020 
1021 		if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1022 			auth = 1;
1023 		else
1024 			auth = 0;
1025 
1026 		/* Even though there's no _RESPONDER suffix this is the
1027 		 * responder STK we're adding for later lookup (the initiator
1028 		 * STK never needs to be stored).
1029 		 */
1030 		hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1031 			    SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1032 	}
1033 
1034 	return 0;
1035 }
1036 
1037 static void smp_notify_keys(struct l2cap_conn *conn)
1038 {
1039 	struct l2cap_chan *chan = conn->smp;
1040 	struct smp_chan *smp = chan->data;
1041 	struct hci_conn *hcon = conn->hcon;
1042 	struct hci_dev *hdev = hcon->hdev;
1043 	struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1044 	struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1045 	bool persistent;
1046 
1047 	if (hcon->type == ACL_LINK) {
1048 		if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1049 			persistent = false;
1050 		else
1051 			persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1052 					       &hcon->flags);
1053 	} else {
1054 		/* The LTKs, IRKs and CSRKs should be persistent only if
1055 		 * both sides had the bonding bit set in their
1056 		 * authentication requests.
1057 		 */
1058 		persistent = !!((req->auth_req & rsp->auth_req) &
1059 				SMP_AUTH_BONDING);
1060 	}
1061 
1062 	if (smp->remote_irk) {
1063 		mgmt_new_irk(hdev, smp->remote_irk, persistent);
1064 
1065 		/* Now that user space can be considered to know the
1066 		 * identity address track the connection based on it
1067 		 * from now on (assuming this is an LE link).
1068 		 */
1069 		if (hcon->type == LE_LINK) {
1070 			bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1071 			hcon->dst_type = smp->remote_irk->addr_type;
1072 			/* Use a short delay to make sure the new address is
1073 			 * propagated _before_ the channels.
1074 			 */
1075 			queue_delayed_work(hdev->workqueue,
1076 					   &conn->id_addr_timer,
1077 					   ID_ADDR_TIMEOUT);
1078 		}
1079 	}
1080 
1081 	if (smp->csrk) {
1082 		smp->csrk->bdaddr_type = hcon->dst_type;
1083 		bacpy(&smp->csrk->bdaddr, &hcon->dst);
1084 		mgmt_new_csrk(hdev, smp->csrk, persistent);
1085 	}
1086 
1087 	if (smp->responder_csrk) {
1088 		smp->responder_csrk->bdaddr_type = hcon->dst_type;
1089 		bacpy(&smp->responder_csrk->bdaddr, &hcon->dst);
1090 		mgmt_new_csrk(hdev, smp->responder_csrk, persistent);
1091 	}
1092 
1093 	if (smp->ltk) {
1094 		smp->ltk->bdaddr_type = hcon->dst_type;
1095 		bacpy(&smp->ltk->bdaddr, &hcon->dst);
1096 		mgmt_new_ltk(hdev, smp->ltk, persistent);
1097 	}
1098 
1099 	if (smp->responder_ltk) {
1100 		smp->responder_ltk->bdaddr_type = hcon->dst_type;
1101 		bacpy(&smp->responder_ltk->bdaddr, &hcon->dst);
1102 		mgmt_new_ltk(hdev, smp->responder_ltk, persistent);
1103 	}
1104 
1105 	if (smp->link_key) {
1106 		struct link_key *key;
1107 		u8 type;
1108 
1109 		if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1110 			type = HCI_LK_DEBUG_COMBINATION;
1111 		else if (hcon->sec_level == BT_SECURITY_FIPS)
1112 			type = HCI_LK_AUTH_COMBINATION_P256;
1113 		else
1114 			type = HCI_LK_UNAUTH_COMBINATION_P256;
1115 
1116 		key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1117 				       smp->link_key, type, 0, &persistent);
1118 		if (key) {
1119 			mgmt_new_link_key(hdev, key, persistent);
1120 
1121 			/* Don't keep debug keys around if the relevant
1122 			 * flag is not set.
1123 			 */
1124 			if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1125 			    key->type == HCI_LK_DEBUG_COMBINATION) {
1126 				list_del_rcu(&key->list);
1127 				kfree_rcu(key, rcu);
1128 			}
1129 		}
1130 	}
1131 }
1132 
1133 static void sc_add_ltk(struct smp_chan *smp)
1134 {
1135 	struct hci_conn *hcon = smp->conn->hcon;
1136 	u8 key_type, auth;
1137 
1138 	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1139 		key_type = SMP_LTK_P256_DEBUG;
1140 	else
1141 		key_type = SMP_LTK_P256;
1142 
1143 	if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1144 		auth = 1;
1145 	else
1146 		auth = 0;
1147 
1148 	smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1149 			       key_type, auth, smp->tk, smp->enc_key_size,
1150 			       0, 0);
1151 }
1152 
1153 static void sc_generate_link_key(struct smp_chan *smp)
1154 {
1155 	/* From core spec. Spells out in ASCII as 'lebr'. */
1156 	const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1157 
1158 	smp->link_key = kzalloc(16, GFP_KERNEL);
1159 	if (!smp->link_key)
1160 		return;
1161 
1162 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1163 		/* SALT = 0x000000000000000000000000746D7031 */
1164 		const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1165 
1166 		if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1167 			kfree_sensitive(smp->link_key);
1168 			smp->link_key = NULL;
1169 			return;
1170 		}
1171 	} else {
1172 		/* From core spec. Spells out in ASCII as 'tmp1'. */
1173 		const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1174 
1175 		if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1176 			kfree_sensitive(smp->link_key);
1177 			smp->link_key = NULL;
1178 			return;
1179 		}
1180 	}
1181 
1182 	if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1183 		kfree_sensitive(smp->link_key);
1184 		smp->link_key = NULL;
1185 		return;
1186 	}
1187 }
1188 
1189 static void smp_allow_key_dist(struct smp_chan *smp)
1190 {
1191 	/* Allow the first expected phase 3 PDU. The rest of the PDUs
1192 	 * will be allowed in each PDU handler to ensure we receive
1193 	 * them in the correct order.
1194 	 */
1195 	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1196 		SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1197 	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1198 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1199 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
1200 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1201 }
1202 
1203 static void sc_generate_ltk(struct smp_chan *smp)
1204 {
1205 	/* From core spec. Spells out in ASCII as 'brle'. */
1206 	const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1207 	struct hci_conn *hcon = smp->conn->hcon;
1208 	struct hci_dev *hdev = hcon->hdev;
1209 	struct link_key *key;
1210 
1211 	key = hci_find_link_key(hdev, &hcon->dst);
1212 	if (!key) {
1213 		bt_dev_err(hdev, "no Link Key found to generate LTK");
1214 		return;
1215 	}
1216 
1217 	if (key->type == HCI_LK_DEBUG_COMBINATION)
1218 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1219 
1220 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1221 		/* SALT = 0x000000000000000000000000746D7032 */
1222 		const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1223 
1224 		if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1225 			return;
1226 	} else {
1227 		/* From core spec. Spells out in ASCII as 'tmp2'. */
1228 		const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1229 
1230 		if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1231 			return;
1232 	}
1233 
1234 	if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1235 		return;
1236 
1237 	sc_add_ltk(smp);
1238 }
1239 
1240 static void smp_distribute_keys(struct smp_chan *smp)
1241 {
1242 	struct smp_cmd_pairing *req, *rsp;
1243 	struct l2cap_conn *conn = smp->conn;
1244 	struct hci_conn *hcon = conn->hcon;
1245 	struct hci_dev *hdev = hcon->hdev;
1246 	__u8 *keydist;
1247 
1248 	bt_dev_dbg(hdev, "conn %p", conn);
1249 
1250 	rsp = (void *) &smp->prsp[1];
1251 
1252 	/* The responder sends its keys first */
1253 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags) &&
1254 	    (smp->remote_key_dist & KEY_DIST_MASK)) {
1255 		smp_allow_key_dist(smp);
1256 		return;
1257 	}
1258 
1259 	req = (void *) &smp->preq[1];
1260 
1261 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1262 		keydist = &rsp->init_key_dist;
1263 		*keydist &= req->init_key_dist;
1264 	} else {
1265 		keydist = &rsp->resp_key_dist;
1266 		*keydist &= req->resp_key_dist;
1267 	}
1268 
1269 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1270 		if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1271 			sc_generate_link_key(smp);
1272 		if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1273 			sc_generate_ltk(smp);
1274 
1275 		/* Clear the keys which are generated but not distributed */
1276 		*keydist &= ~SMP_SC_NO_DIST;
1277 	}
1278 
1279 	bt_dev_dbg(hdev, "keydist 0x%x", *keydist);
1280 
1281 	if (*keydist & SMP_DIST_ENC_KEY) {
1282 		struct smp_cmd_encrypt_info enc;
1283 		struct smp_cmd_initiator_ident ident;
1284 		struct smp_ltk *ltk;
1285 		u8 authenticated;
1286 		__le16 ediv;
1287 		__le64 rand;
1288 
1289 		/* Make sure we generate only the significant amount of
1290 		 * bytes based on the encryption key size, and set the rest
1291 		 * of the value to zeroes.
1292 		 */
1293 		get_random_bytes(enc.ltk, smp->enc_key_size);
1294 		memset(enc.ltk + smp->enc_key_size, 0,
1295 		       sizeof(enc.ltk) - smp->enc_key_size);
1296 
1297 		get_random_bytes(&ediv, sizeof(ediv));
1298 		get_random_bytes(&rand, sizeof(rand));
1299 
1300 		smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1301 
1302 		authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1303 		ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1304 				  SMP_LTK_RESPONDER, authenticated, enc.ltk,
1305 				  smp->enc_key_size, ediv, rand);
1306 		smp->responder_ltk = ltk;
1307 
1308 		ident.ediv = ediv;
1309 		ident.rand = rand;
1310 
1311 		smp_send_cmd(conn, SMP_CMD_INITIATOR_IDENT, sizeof(ident),
1312 			     &ident);
1313 
1314 		*keydist &= ~SMP_DIST_ENC_KEY;
1315 	}
1316 
1317 	if (*keydist & SMP_DIST_ID_KEY) {
1318 		struct smp_cmd_ident_addr_info addrinfo;
1319 		struct smp_cmd_ident_info idinfo;
1320 
1321 		memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1322 
1323 		smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1324 
1325 		/* The hci_conn contains the local identity address
1326 		 * after the connection has been established.
1327 		 *
1328 		 * This is true even when the connection has been
1329 		 * established using a resolvable random address.
1330 		 */
1331 		bacpy(&addrinfo.bdaddr, &hcon->src);
1332 		addrinfo.addr_type = hcon->src_type;
1333 
1334 		smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1335 			     &addrinfo);
1336 
1337 		*keydist &= ~SMP_DIST_ID_KEY;
1338 	}
1339 
1340 	if (*keydist & SMP_DIST_SIGN) {
1341 		struct smp_cmd_sign_info sign;
1342 		struct smp_csrk *csrk;
1343 
1344 		/* Generate a new random key */
1345 		get_random_bytes(sign.csrk, sizeof(sign.csrk));
1346 
1347 		csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1348 		if (csrk) {
1349 			if (hcon->sec_level > BT_SECURITY_MEDIUM)
1350 				csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1351 			else
1352 				csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1353 			memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1354 		}
1355 		smp->responder_csrk = csrk;
1356 
1357 		smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1358 
1359 		*keydist &= ~SMP_DIST_SIGN;
1360 	}
1361 
1362 	/* If there are still keys to be received wait for them */
1363 	if (smp->remote_key_dist & KEY_DIST_MASK) {
1364 		smp_allow_key_dist(smp);
1365 		return;
1366 	}
1367 
1368 	set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1369 	smp_notify_keys(conn);
1370 
1371 	smp_chan_destroy(conn);
1372 }
1373 
1374 static void smp_timeout(struct work_struct *work)
1375 {
1376 	struct smp_chan *smp = container_of(work, struct smp_chan,
1377 					    security_timer.work);
1378 	struct l2cap_conn *conn = smp->conn;
1379 
1380 	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
1381 
1382 	hci_disconnect(conn->hcon, HCI_ERROR_AUTH_FAILURE);
1383 }
1384 
1385 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1386 {
1387 	struct hci_conn *hcon = conn->hcon;
1388 	struct l2cap_chan *chan = conn->smp;
1389 	struct smp_chan *smp;
1390 
1391 	smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1392 	if (!smp)
1393 		return NULL;
1394 
1395 	smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1396 	if (IS_ERR(smp->tfm_cmac)) {
1397 		bt_dev_err(hcon->hdev, "Unable to create CMAC crypto context");
1398 		goto zfree_smp;
1399 	}
1400 
1401 	smp->tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
1402 	if (IS_ERR(smp->tfm_ecdh)) {
1403 		bt_dev_err(hcon->hdev, "Unable to create ECDH crypto context");
1404 		goto free_shash;
1405 	}
1406 
1407 	smp->conn = conn;
1408 	chan->data = smp;
1409 
1410 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1411 
1412 	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1413 
1414 	hci_conn_hold(hcon);
1415 
1416 	return smp;
1417 
1418 free_shash:
1419 	crypto_free_shash(smp->tfm_cmac);
1420 zfree_smp:
1421 	kfree_sensitive(smp);
1422 	return NULL;
1423 }
1424 
1425 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1426 {
1427 	struct hci_conn *hcon = smp->conn->hcon;
1428 	u8 *na, *nb, a[7], b[7];
1429 
1430 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1431 		na   = smp->prnd;
1432 		nb   = smp->rrnd;
1433 	} else {
1434 		na   = smp->rrnd;
1435 		nb   = smp->prnd;
1436 	}
1437 
1438 	memcpy(a, &hcon->init_addr, 6);
1439 	memcpy(b, &hcon->resp_addr, 6);
1440 	a[6] = hcon->init_addr_type;
1441 	b[6] = hcon->resp_addr_type;
1442 
1443 	return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1444 }
1445 
1446 static void sc_dhkey_check(struct smp_chan *smp)
1447 {
1448 	struct hci_conn *hcon = smp->conn->hcon;
1449 	struct smp_cmd_dhkey_check check;
1450 	u8 a[7], b[7], *local_addr, *remote_addr;
1451 	u8 io_cap[3], r[16];
1452 
1453 	memcpy(a, &hcon->init_addr, 6);
1454 	memcpy(b, &hcon->resp_addr, 6);
1455 	a[6] = hcon->init_addr_type;
1456 	b[6] = hcon->resp_addr_type;
1457 
1458 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1459 		local_addr = a;
1460 		remote_addr = b;
1461 		memcpy(io_cap, &smp->preq[1], 3);
1462 	} else {
1463 		local_addr = b;
1464 		remote_addr = a;
1465 		memcpy(io_cap, &smp->prsp[1], 3);
1466 	}
1467 
1468 	memset(r, 0, sizeof(r));
1469 
1470 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1471 		put_unaligned_le32(hcon->passkey_notify, r);
1472 
1473 	if (smp->method == REQ_OOB)
1474 		memcpy(r, smp->rr, 16);
1475 
1476 	smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1477 	       local_addr, remote_addr, check.e);
1478 
1479 	smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1480 }
1481 
1482 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1483 {
1484 	struct l2cap_conn *conn = smp->conn;
1485 	struct hci_conn *hcon = conn->hcon;
1486 	struct smp_cmd_pairing_confirm cfm;
1487 	u8 r;
1488 
1489 	r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1490 	r |= 0x80;
1491 
1492 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1493 
1494 	if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1495 		   cfm.confirm_val))
1496 		return SMP_UNSPECIFIED;
1497 
1498 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1499 
1500 	return 0;
1501 }
1502 
1503 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1504 {
1505 	struct l2cap_conn *conn = smp->conn;
1506 	struct hci_conn *hcon = conn->hcon;
1507 	struct hci_dev *hdev = hcon->hdev;
1508 	u8 cfm[16], r;
1509 
1510 	/* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1511 	if (smp->passkey_round >= 20)
1512 		return 0;
1513 
1514 	switch (smp_op) {
1515 	case SMP_CMD_PAIRING_RANDOM:
1516 		r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1517 		r |= 0x80;
1518 
1519 		if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1520 			   smp->rrnd, r, cfm))
1521 			return SMP_UNSPECIFIED;
1522 
1523 		if (crypto_memneq(smp->pcnf, cfm, 16))
1524 			return SMP_CONFIRM_FAILED;
1525 
1526 		smp->passkey_round++;
1527 
1528 		if (smp->passkey_round == 20) {
1529 			/* Generate MacKey and LTK */
1530 			if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1531 				return SMP_UNSPECIFIED;
1532 		}
1533 
1534 		/* The round is only complete when the initiator
1535 		 * receives pairing random.
1536 		 */
1537 		if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1538 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1539 				     sizeof(smp->prnd), smp->prnd);
1540 			if (smp->passkey_round == 20)
1541 				SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1542 			else
1543 				SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1544 			return 0;
1545 		}
1546 
1547 		/* Start the next round */
1548 		if (smp->passkey_round != 20)
1549 			return sc_passkey_round(smp, 0);
1550 
1551 		/* Passkey rounds are complete - start DHKey Check */
1552 		sc_dhkey_check(smp);
1553 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1554 
1555 		break;
1556 
1557 	case SMP_CMD_PAIRING_CONFIRM:
1558 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1559 			set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1560 			return 0;
1561 		}
1562 
1563 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1564 
1565 		if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1566 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1567 				     sizeof(smp->prnd), smp->prnd);
1568 			return 0;
1569 		}
1570 
1571 		return sc_passkey_send_confirm(smp);
1572 
1573 	case SMP_CMD_PUBLIC_KEY:
1574 	default:
1575 		/* Initiating device starts the round */
1576 		if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags))
1577 			return 0;
1578 
1579 		bt_dev_dbg(hdev, "Starting passkey round %u",
1580 			   smp->passkey_round + 1);
1581 
1582 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1583 
1584 		return sc_passkey_send_confirm(smp);
1585 	}
1586 
1587 	return 0;
1588 }
1589 
1590 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1591 {
1592 	struct l2cap_conn *conn = smp->conn;
1593 	struct hci_conn *hcon = conn->hcon;
1594 	u8 smp_op;
1595 
1596 	clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1597 
1598 	switch (mgmt_op) {
1599 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1600 		smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1601 		return 0;
1602 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1603 		smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1604 		return 0;
1605 	case MGMT_OP_USER_PASSKEY_REPLY:
1606 		hcon->passkey_notify = le32_to_cpu(passkey);
1607 		smp->passkey_round = 0;
1608 
1609 		if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1610 			smp_op = SMP_CMD_PAIRING_CONFIRM;
1611 		else
1612 			smp_op = 0;
1613 
1614 		if (sc_passkey_round(smp, smp_op))
1615 			return -EIO;
1616 
1617 		return 0;
1618 	}
1619 
1620 	/* Initiator sends DHKey check first */
1621 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1622 		sc_dhkey_check(smp);
1623 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1624 	} else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1625 		sc_dhkey_check(smp);
1626 		sc_add_ltk(smp);
1627 	}
1628 
1629 	return 0;
1630 }
1631 
1632 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1633 {
1634 	struct l2cap_conn *conn = hcon->l2cap_data;
1635 	struct l2cap_chan *chan;
1636 	struct smp_chan *smp;
1637 	u32 value;
1638 	int err;
1639 
1640 	if (!conn)
1641 		return -ENOTCONN;
1642 
1643 	bt_dev_dbg(conn->hcon->hdev, "");
1644 
1645 	chan = conn->smp;
1646 	if (!chan)
1647 		return -ENOTCONN;
1648 
1649 	l2cap_chan_lock(chan);
1650 	if (!chan->data) {
1651 		err = -ENOTCONN;
1652 		goto unlock;
1653 	}
1654 
1655 	smp = chan->data;
1656 
1657 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1658 		err = sc_user_reply(smp, mgmt_op, passkey);
1659 		goto unlock;
1660 	}
1661 
1662 	switch (mgmt_op) {
1663 	case MGMT_OP_USER_PASSKEY_REPLY:
1664 		value = le32_to_cpu(passkey);
1665 		memset(smp->tk, 0, sizeof(smp->tk));
1666 		bt_dev_dbg(conn->hcon->hdev, "PassKey: %u", value);
1667 		put_unaligned_le32(value, smp->tk);
1668 		fallthrough;
1669 	case MGMT_OP_USER_CONFIRM_REPLY:
1670 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1671 		break;
1672 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1673 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1674 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1675 		err = 0;
1676 		goto unlock;
1677 	default:
1678 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1679 		err = -EOPNOTSUPP;
1680 		goto unlock;
1681 	}
1682 
1683 	err = 0;
1684 
1685 	/* If it is our turn to send Pairing Confirm, do so now */
1686 	if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1687 		u8 rsp = smp_confirm(smp);
1688 		if (rsp)
1689 			smp_failure(conn, rsp);
1690 	}
1691 
1692 unlock:
1693 	l2cap_chan_unlock(chan);
1694 	return err;
1695 }
1696 
1697 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1698 				    struct smp_cmd_pairing *req,
1699 				    struct smp_cmd_pairing *rsp)
1700 {
1701 	struct l2cap_conn *conn = smp->conn;
1702 	struct hci_dev *hdev = conn->hcon->hdev;
1703 	u8 local_dist = 0, remote_dist = 0;
1704 
1705 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1706 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1707 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1708 	}
1709 
1710 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1711 		remote_dist |= SMP_DIST_ID_KEY;
1712 
1713 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1714 		local_dist |= SMP_DIST_ID_KEY;
1715 
1716 	if (!rsp) {
1717 		memset(req, 0, sizeof(*req));
1718 
1719 		req->auth_req        = SMP_AUTH_CT2;
1720 		req->init_key_dist   = local_dist;
1721 		req->resp_key_dist   = remote_dist;
1722 		req->max_key_size    = conn->hcon->enc_key_size;
1723 
1724 		smp->remote_key_dist = remote_dist;
1725 
1726 		return;
1727 	}
1728 
1729 	memset(rsp, 0, sizeof(*rsp));
1730 
1731 	rsp->auth_req        = SMP_AUTH_CT2;
1732 	rsp->max_key_size    = conn->hcon->enc_key_size;
1733 	rsp->init_key_dist   = req->init_key_dist & remote_dist;
1734 	rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1735 
1736 	smp->remote_key_dist = rsp->init_key_dist;
1737 }
1738 
1739 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1740 {
1741 	struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1742 	struct l2cap_chan *chan = conn->smp;
1743 	struct hci_dev *hdev = conn->hcon->hdev;
1744 	struct smp_chan *smp = chan->data;
1745 	u8 key_size, auth, sec_level;
1746 	int ret;
1747 
1748 	bt_dev_dbg(hdev, "conn %p", conn);
1749 
1750 	if (skb->len < sizeof(*req))
1751 		return SMP_INVALID_PARAMS;
1752 
1753 	if (smp && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
1754 		return SMP_CMD_NOTSUPP;
1755 
1756 	if (!smp) {
1757 		smp = smp_chan_create(conn);
1758 		if (!smp)
1759 			return SMP_UNSPECIFIED;
1760 	}
1761 
1762 	/* We didn't start the pairing, so match remote */
1763 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
1764 
1765 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1766 	    (auth & SMP_AUTH_BONDING))
1767 		return SMP_PAIRING_NOTSUPP;
1768 
1769 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1770 		return SMP_AUTH_REQUIREMENTS;
1771 
1772 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
1773 	memcpy(&smp->preq[1], req, sizeof(*req));
1774 	skb_pull(skb, sizeof(*req));
1775 
1776 	/* If the remote side's OOB flag is set it means it has
1777 	 * successfully received our local OOB data - therefore set the
1778 	 * flag to indicate that local OOB is in use.
1779 	 */
1780 	if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1781 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1782 
1783 	/* SMP over BR/EDR requires special treatment */
1784 	if (conn->hcon->type == ACL_LINK) {
1785 		/* We must have a BR/EDR SC link */
1786 		if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1787 		    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1788 			return SMP_CROSS_TRANSP_NOT_ALLOWED;
1789 
1790 		set_bit(SMP_FLAG_SC, &smp->flags);
1791 
1792 		build_bredr_pairing_cmd(smp, req, &rsp);
1793 
1794 		if (req->auth_req & SMP_AUTH_CT2)
1795 			set_bit(SMP_FLAG_CT2, &smp->flags);
1796 
1797 		key_size = min(req->max_key_size, rsp.max_key_size);
1798 		if (check_enc_key_size(conn, key_size))
1799 			return SMP_ENC_KEY_SIZE;
1800 
1801 		/* Clear bits which are generated but not distributed */
1802 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1803 
1804 		smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1805 		memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1806 		smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1807 
1808 		smp_distribute_keys(smp);
1809 		return 0;
1810 	}
1811 
1812 	build_pairing_cmd(conn, req, &rsp, auth);
1813 
1814 	if (rsp.auth_req & SMP_AUTH_SC) {
1815 		set_bit(SMP_FLAG_SC, &smp->flags);
1816 
1817 		if (rsp.auth_req & SMP_AUTH_CT2)
1818 			set_bit(SMP_FLAG_CT2, &smp->flags);
1819 	}
1820 
1821 	if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1822 		sec_level = BT_SECURITY_MEDIUM;
1823 	else
1824 		sec_level = authreq_to_seclevel(auth);
1825 
1826 	if (sec_level > conn->hcon->pending_sec_level)
1827 		conn->hcon->pending_sec_level = sec_level;
1828 
1829 	/* If we need MITM check that it can be achieved */
1830 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1831 		u8 method;
1832 
1833 		method = get_auth_method(smp, conn->hcon->io_capability,
1834 					 req->io_capability);
1835 		if (method == JUST_WORKS || method == JUST_CFM)
1836 			return SMP_AUTH_REQUIREMENTS;
1837 	}
1838 
1839 	key_size = min(req->max_key_size, rsp.max_key_size);
1840 	if (check_enc_key_size(conn, key_size))
1841 		return SMP_ENC_KEY_SIZE;
1842 
1843 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1844 
1845 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1846 	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1847 
1848 	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1849 
1850 	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1851 
1852 	/* Strictly speaking we shouldn't allow Pairing Confirm for the
1853 	 * SC case, however some implementations incorrectly copy RFU auth
1854 	 * req bits from our security request, which may create a false
1855 	 * positive SC enablement.
1856 	 */
1857 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1858 
1859 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1860 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1861 		/* Clear bits which are generated but not distributed */
1862 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1863 		/* Wait for Public Key from Initiating Device */
1864 		return 0;
1865 	}
1866 
1867 	/* Request setup of TK */
1868 	ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1869 	if (ret)
1870 		return SMP_UNSPECIFIED;
1871 
1872 	return 0;
1873 }
1874 
1875 static u8 sc_send_public_key(struct smp_chan *smp)
1876 {
1877 	struct hci_dev *hdev = smp->conn->hcon->hdev;
1878 
1879 	bt_dev_dbg(hdev, "");
1880 
1881 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1882 		struct l2cap_chan *chan = hdev->smp_data;
1883 		struct smp_dev *smp_dev;
1884 
1885 		if (!chan || !chan->data)
1886 			return SMP_UNSPECIFIED;
1887 
1888 		smp_dev = chan->data;
1889 
1890 		memcpy(smp->local_pk, smp_dev->local_pk, 64);
1891 		memcpy(smp->lr, smp_dev->local_rand, 16);
1892 
1893 		if (smp_dev->debug_key)
1894 			set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1895 
1896 		goto done;
1897 	}
1898 
1899 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1900 		bt_dev_dbg(hdev, "Using debug keys");
1901 		if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
1902 			return SMP_UNSPECIFIED;
1903 		memcpy(smp->local_pk, debug_pk, 64);
1904 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1905 	} else {
1906 		while (true) {
1907 			/* Generate key pair for Secure Connections */
1908 			if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
1909 				return SMP_UNSPECIFIED;
1910 
1911 			/* This is unlikely, but we need to check that
1912 			 * we didn't accidentally generate a debug key.
1913 			 */
1914 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
1915 				break;
1916 		}
1917 	}
1918 
1919 done:
1920 	SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1921 	SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1922 
1923 	smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1924 
1925 	return 0;
1926 }
1927 
1928 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1929 {
1930 	struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1931 	struct l2cap_chan *chan = conn->smp;
1932 	struct smp_chan *smp = chan->data;
1933 	struct hci_dev *hdev = conn->hcon->hdev;
1934 	u8 key_size, auth;
1935 	int ret;
1936 
1937 	bt_dev_dbg(hdev, "conn %p", conn);
1938 
1939 	if (skb->len < sizeof(*rsp))
1940 		return SMP_INVALID_PARAMS;
1941 
1942 	if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags))
1943 		return SMP_CMD_NOTSUPP;
1944 
1945 	skb_pull(skb, sizeof(*rsp));
1946 
1947 	req = (void *) &smp->preq[1];
1948 
1949 	key_size = min(req->max_key_size, rsp->max_key_size);
1950 	if (check_enc_key_size(conn, key_size))
1951 		return SMP_ENC_KEY_SIZE;
1952 
1953 	auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1954 
1955 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1956 		return SMP_AUTH_REQUIREMENTS;
1957 
1958 	/* If the remote side's OOB flag is set it means it has
1959 	 * successfully received our local OOB data - therefore set the
1960 	 * flag to indicate that local OOB is in use.
1961 	 */
1962 	if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1963 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1964 
1965 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1966 	memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1967 
1968 	/* Update remote key distribution in case the remote cleared
1969 	 * some bits that we had enabled in our request.
1970 	 */
1971 	smp->remote_key_dist &= rsp->resp_key_dist;
1972 
1973 	if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1974 		set_bit(SMP_FLAG_CT2, &smp->flags);
1975 
1976 	/* For BR/EDR this means we're done and can start phase 3 */
1977 	if (conn->hcon->type == ACL_LINK) {
1978 		/* Clear bits which are generated but not distributed */
1979 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1980 		smp_distribute_keys(smp);
1981 		return 0;
1982 	}
1983 
1984 	if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1985 		set_bit(SMP_FLAG_SC, &smp->flags);
1986 	else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1987 		conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1988 
1989 	/* If we need MITM check that it can be achieved */
1990 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1991 		u8 method;
1992 
1993 		method = get_auth_method(smp, req->io_capability,
1994 					 rsp->io_capability);
1995 		if (method == JUST_WORKS || method == JUST_CFM)
1996 			return SMP_AUTH_REQUIREMENTS;
1997 	}
1998 
1999 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
2000 
2001 	/* Update remote key distribution in case the remote cleared
2002 	 * some bits that we had enabled in our request.
2003 	 */
2004 	smp->remote_key_dist &= rsp->resp_key_dist;
2005 
2006 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2007 		/* Clear bits which are generated but not distributed */
2008 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
2009 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2010 		return sc_send_public_key(smp);
2011 	}
2012 
2013 	auth |= req->auth_req;
2014 
2015 	ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2016 	if (ret)
2017 		return SMP_UNSPECIFIED;
2018 
2019 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2020 
2021 	/* Can't compose response until we have been confirmed */
2022 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2023 		return smp_confirm(smp);
2024 
2025 	return 0;
2026 }
2027 
2028 static u8 sc_check_confirm(struct smp_chan *smp)
2029 {
2030 	struct l2cap_conn *conn = smp->conn;
2031 
2032 	bt_dev_dbg(conn->hcon->hdev, "");
2033 
2034 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2035 		return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2036 
2037 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2038 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2039 			     smp->prnd);
2040 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2041 	}
2042 
2043 	return 0;
2044 }
2045 
2046 /* Work-around for some implementations that incorrectly copy RFU bits
2047  * from our security request and thereby create the impression that
2048  * we're doing SC when in fact the remote doesn't support it.
2049  */
2050 static int fixup_sc_false_positive(struct smp_chan *smp)
2051 {
2052 	struct l2cap_conn *conn = smp->conn;
2053 	struct hci_conn *hcon = conn->hcon;
2054 	struct hci_dev *hdev = hcon->hdev;
2055 	struct smp_cmd_pairing *req, *rsp;
2056 	u8 auth;
2057 
2058 	/* The issue is only observed when we're in responder role */
2059 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2060 		return SMP_UNSPECIFIED;
2061 
2062 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2063 		bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
2064 		return SMP_UNSPECIFIED;
2065 	}
2066 
2067 	bt_dev_err(hdev, "trying to fall back to legacy SMP");
2068 
2069 	req = (void *) &smp->preq[1];
2070 	rsp = (void *) &smp->prsp[1];
2071 
2072 	/* Rebuild key dist flags which may have been cleared for SC */
2073 	smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2074 
2075 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
2076 
2077 	if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2078 		bt_dev_err(hdev, "failed to fall back to legacy SMP");
2079 		return SMP_UNSPECIFIED;
2080 	}
2081 
2082 	clear_bit(SMP_FLAG_SC, &smp->flags);
2083 
2084 	return 0;
2085 }
2086 
2087 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2088 {
2089 	struct l2cap_chan *chan = conn->smp;
2090 	struct smp_chan *smp = chan->data;
2091 	struct hci_conn *hcon = conn->hcon;
2092 	struct hci_dev *hdev = hcon->hdev;
2093 
2094 	bt_dev_dbg(hdev, "conn %p %s", conn,
2095 		   test_bit(SMP_FLAG_INITIATOR, &smp->flags) ? "initiator" :
2096 		   "responder");
2097 
2098 	if (skb->len < sizeof(smp->pcnf))
2099 		return SMP_INVALID_PARAMS;
2100 
2101 	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2102 	skb_pull(skb, sizeof(smp->pcnf));
2103 
2104 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2105 		int ret;
2106 
2107 		/* Public Key exchange must happen before any other steps */
2108 		if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2109 			return sc_check_confirm(smp);
2110 
2111 		bt_dev_err(hdev, "Unexpected SMP Pairing Confirm");
2112 
2113 		ret = fixup_sc_false_positive(smp);
2114 		if (ret)
2115 			return ret;
2116 	}
2117 
2118 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2119 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2120 			     smp->prnd);
2121 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2122 		return 0;
2123 	}
2124 
2125 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2126 		return smp_confirm(smp);
2127 
2128 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2129 
2130 	return 0;
2131 }
2132 
2133 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2134 {
2135 	struct l2cap_chan *chan = conn->smp;
2136 	struct smp_chan *smp = chan->data;
2137 	struct hci_conn *hcon = conn->hcon;
2138 	u8 *pkax, *pkbx, *na, *nb, confirm_hint;
2139 	u32 passkey;
2140 	int err;
2141 
2142 	bt_dev_dbg(hcon->hdev, "conn %p", conn);
2143 
2144 	if (skb->len < sizeof(smp->rrnd))
2145 		return SMP_INVALID_PARAMS;
2146 
2147 	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2148 	skb_pull(skb, sizeof(smp->rrnd));
2149 
2150 	if (!test_bit(SMP_FLAG_SC, &smp->flags))
2151 		return smp_random(smp);
2152 
2153 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2154 		pkax = smp->local_pk;
2155 		pkbx = smp->remote_pk;
2156 		na   = smp->prnd;
2157 		nb   = smp->rrnd;
2158 	} else {
2159 		pkax = smp->remote_pk;
2160 		pkbx = smp->local_pk;
2161 		na   = smp->rrnd;
2162 		nb   = smp->prnd;
2163 	}
2164 
2165 	if (smp->method == REQ_OOB) {
2166 		if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2167 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2168 				     sizeof(smp->prnd), smp->prnd);
2169 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2170 		goto mackey_and_ltk;
2171 	}
2172 
2173 	/* Passkey entry has special treatment */
2174 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2175 		return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2176 
2177 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2178 		u8 cfm[16];
2179 
2180 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2181 			     smp->rrnd, 0, cfm);
2182 		if (err)
2183 			return SMP_UNSPECIFIED;
2184 
2185 		if (crypto_memneq(smp->pcnf, cfm, 16))
2186 			return SMP_CONFIRM_FAILED;
2187 	} else {
2188 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2189 			     smp->prnd);
2190 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2191 
2192 		/* Only Just-Works pairing requires extra checks */
2193 		if (smp->method != JUST_WORKS)
2194 			goto mackey_and_ltk;
2195 
2196 		/* If there already exists long term key in local host, leave
2197 		 * the decision to user space since the remote device could
2198 		 * be legitimate or malicious.
2199 		 */
2200 		if (hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
2201 				 hcon->role)) {
2202 			/* Set passkey to 0. The value can be any number since
2203 			 * it'll be ignored anyway.
2204 			 */
2205 			passkey = 0;
2206 			confirm_hint = 1;
2207 			goto confirm;
2208 		}
2209 	}
2210 
2211 mackey_and_ltk:
2212 	/* Generate MacKey and LTK */
2213 	err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2214 	if (err)
2215 		return SMP_UNSPECIFIED;
2216 
2217 	if (smp->method == REQ_OOB) {
2218 		if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2219 			sc_dhkey_check(smp);
2220 			SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2221 		}
2222 		return 0;
2223 	}
2224 
2225 	err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2226 	if (err)
2227 		return SMP_UNSPECIFIED;
2228 
2229 	confirm_hint = 0;
2230 
2231 confirm:
2232 	if (smp->method == JUST_WORKS)
2233 		confirm_hint = 1;
2234 
2235 	err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2236 					hcon->dst_type, passkey, confirm_hint);
2237 	if (err)
2238 		return SMP_UNSPECIFIED;
2239 
2240 	set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2241 
2242 	return 0;
2243 }
2244 
2245 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2246 {
2247 	struct smp_ltk *key;
2248 	struct hci_conn *hcon = conn->hcon;
2249 
2250 	key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2251 	if (!key)
2252 		return false;
2253 
2254 	if (smp_ltk_sec_level(key) < sec_level)
2255 		return false;
2256 
2257 	if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2258 		return true;
2259 
2260 	hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2261 	hcon->enc_key_size = key->enc_size;
2262 
2263 	/* We never store STKs for initiator role, so clear this flag */
2264 	clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2265 
2266 	return true;
2267 }
2268 
2269 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2270 			     enum smp_key_pref key_pref)
2271 {
2272 	if (sec_level == BT_SECURITY_LOW)
2273 		return true;
2274 
2275 	/* If we're encrypted with an STK but the caller prefers using
2276 	 * LTK claim insufficient security. This way we allow the
2277 	 * connection to be re-encrypted with an LTK, even if the LTK
2278 	 * provides the same level of security. Only exception is if we
2279 	 * don't have an LTK (e.g. because of key distribution bits).
2280 	 */
2281 	if (key_pref == SMP_USE_LTK &&
2282 	    test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2283 	    hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2284 		return false;
2285 
2286 	if (hcon->sec_level >= sec_level)
2287 		return true;
2288 
2289 	return false;
2290 }
2291 
2292 static void smp_send_pairing_req(struct smp_chan *smp, __u8 auth)
2293 {
2294 	struct smp_cmd_pairing cp;
2295 
2296 	if (smp->conn->hcon->type == ACL_LINK)
2297 		build_bredr_pairing_cmd(smp, &cp, NULL);
2298 	else
2299 		build_pairing_cmd(smp->conn, &cp, NULL, auth);
2300 
2301 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2302 	memcpy(&smp->preq[1], &cp, sizeof(cp));
2303 
2304 	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2305 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2306 
2307 	set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2308 }
2309 
2310 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2311 {
2312 	struct smp_cmd_security_req *rp = (void *) skb->data;
2313 	struct hci_conn *hcon = conn->hcon;
2314 	struct hci_dev *hdev = hcon->hdev;
2315 	struct smp_chan *smp;
2316 	u8 sec_level, auth;
2317 
2318 	bt_dev_dbg(hdev, "conn %p", conn);
2319 
2320 	if (skb->len < sizeof(*rp))
2321 		return SMP_INVALID_PARAMS;
2322 
2323 	if (hcon->role != HCI_ROLE_MASTER)
2324 		return SMP_CMD_NOTSUPP;
2325 
2326 	auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2327 
2328 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2329 		return SMP_AUTH_REQUIREMENTS;
2330 
2331 	if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2332 		sec_level = BT_SECURITY_MEDIUM;
2333 	else
2334 		sec_level = authreq_to_seclevel(auth);
2335 
2336 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2337 		/* If link is already encrypted with sufficient security we
2338 		 * still need refresh encryption as per Core Spec 5.0 Vol 3,
2339 		 * Part H 2.4.6
2340 		 */
2341 		smp_ltk_encrypt(conn, hcon->sec_level);
2342 		return 0;
2343 	}
2344 
2345 	if (sec_level > hcon->pending_sec_level)
2346 		hcon->pending_sec_level = sec_level;
2347 
2348 	if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2349 		return 0;
2350 
2351 	smp = smp_chan_create(conn);
2352 	if (!smp)
2353 		return SMP_UNSPECIFIED;
2354 
2355 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2356 	    (auth & SMP_AUTH_BONDING))
2357 		return SMP_PAIRING_NOTSUPP;
2358 
2359 	skb_pull(skb, sizeof(*rp));
2360 
2361 	smp_send_pairing_req(smp, auth);
2362 
2363 	return 0;
2364 }
2365 
2366 static void smp_send_security_req(struct smp_chan *smp, __u8 auth)
2367 {
2368 	struct smp_cmd_security_req cp;
2369 
2370 	cp.auth_req = auth;
2371 	smp_send_cmd(smp->conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2372 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2373 
2374 	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
2375 }
2376 
2377 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2378 {
2379 	struct l2cap_conn *conn = hcon->l2cap_data;
2380 	struct l2cap_chan *chan;
2381 	struct smp_chan *smp;
2382 	__u8 authreq;
2383 	int ret;
2384 
2385 	bt_dev_dbg(hcon->hdev, "conn %p hcon %p level 0x%2.2x", conn, hcon,
2386 		   sec_level);
2387 
2388 	/* This may be NULL if there's an unexpected disconnection */
2389 	if (!conn)
2390 		return 1;
2391 
2392 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2393 		return 1;
2394 
2395 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2396 		return 1;
2397 
2398 	if (sec_level > hcon->pending_sec_level)
2399 		hcon->pending_sec_level = sec_level;
2400 
2401 	if (hcon->role == HCI_ROLE_MASTER)
2402 		if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2403 			return 0;
2404 
2405 	chan = conn->smp;
2406 	if (!chan) {
2407 		bt_dev_err(hcon->hdev, "security requested but not available");
2408 		return 1;
2409 	}
2410 
2411 	l2cap_chan_lock(chan);
2412 
2413 	/* If SMP is already in progress ignore this request */
2414 	if (chan->data) {
2415 		ret = 0;
2416 		goto unlock;
2417 	}
2418 
2419 	smp = smp_chan_create(conn);
2420 	if (!smp) {
2421 		ret = 1;
2422 		goto unlock;
2423 	}
2424 
2425 	authreq = seclevel_to_authreq(sec_level);
2426 
2427 	if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2428 		authreq |= SMP_AUTH_SC;
2429 		if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2430 			authreq |= SMP_AUTH_CT2;
2431 	}
2432 
2433 	/* Don't attempt to set MITM if setting is overridden by debugfs
2434 	 * Needed to pass certification test SM/MAS/PKE/BV-01-C
2435 	 */
2436 	if (!hci_dev_test_flag(hcon->hdev, HCI_FORCE_NO_MITM)) {
2437 		/* Require MITM if IO Capability allows or the security level
2438 		 * requires it.
2439 		 */
2440 		if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2441 		    hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2442 			authreq |= SMP_AUTH_MITM;
2443 	}
2444 
2445 	if (hcon->role == HCI_ROLE_MASTER)
2446 		smp_send_pairing_req(smp, authreq);
2447 	else
2448 		smp_send_security_req(smp, authreq);
2449 
2450 	ret = 0;
2451 
2452 unlock:
2453 	l2cap_chan_unlock(chan);
2454 	return ret;
2455 }
2456 
2457 int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2458 				  u8 addr_type)
2459 {
2460 	struct hci_conn *hcon;
2461 	struct l2cap_conn *conn;
2462 	struct l2cap_chan *chan;
2463 	struct smp_chan *smp;
2464 	int err;
2465 
2466 	err = hci_remove_ltk(hdev, bdaddr, addr_type);
2467 	hci_remove_irk(hdev, bdaddr, addr_type);
2468 
2469 	hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2470 	if (!hcon)
2471 		goto done;
2472 
2473 	conn = hcon->l2cap_data;
2474 	if (!conn)
2475 		goto done;
2476 
2477 	chan = conn->smp;
2478 	if (!chan)
2479 		goto done;
2480 
2481 	l2cap_chan_lock(chan);
2482 
2483 	smp = chan->data;
2484 	if (smp) {
2485 		/* Set keys to NULL to make sure smp_failure() does not try to
2486 		 * remove and free already invalidated rcu list entries. */
2487 		smp->ltk = NULL;
2488 		smp->responder_ltk = NULL;
2489 		smp->remote_irk = NULL;
2490 
2491 		if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2492 			smp_failure(conn, 0);
2493 		else
2494 			smp_failure(conn, SMP_UNSPECIFIED);
2495 		err = 0;
2496 	}
2497 
2498 	l2cap_chan_unlock(chan);
2499 
2500 done:
2501 	return err;
2502 }
2503 
2504 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2505 {
2506 	struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2507 	struct l2cap_chan *chan = conn->smp;
2508 	struct smp_chan *smp = chan->data;
2509 
2510 	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
2511 
2512 	if (skb->len < sizeof(*rp))
2513 		return SMP_INVALID_PARAMS;
2514 
2515 	/* Pairing is aborted if any blocked keys are distributed */
2516 	if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_LTK,
2517 			       rp->ltk)) {
2518 		bt_dev_warn_ratelimited(conn->hcon->hdev,
2519 					"LTK blocked for %pMR",
2520 					&conn->hcon->dst);
2521 		return SMP_INVALID_PARAMS;
2522 	}
2523 
2524 	SMP_ALLOW_CMD(smp, SMP_CMD_INITIATOR_IDENT);
2525 
2526 	skb_pull(skb, sizeof(*rp));
2527 
2528 	memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2529 
2530 	return 0;
2531 }
2532 
2533 static int smp_cmd_initiator_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2534 {
2535 	struct smp_cmd_initiator_ident *rp = (void *)skb->data;
2536 	struct l2cap_chan *chan = conn->smp;
2537 	struct smp_chan *smp = chan->data;
2538 	struct hci_dev *hdev = conn->hcon->hdev;
2539 	struct hci_conn *hcon = conn->hcon;
2540 	struct smp_ltk *ltk;
2541 	u8 authenticated;
2542 
2543 	bt_dev_dbg(hdev, "conn %p", conn);
2544 
2545 	if (skb->len < sizeof(*rp))
2546 		return SMP_INVALID_PARAMS;
2547 
2548 	/* Mark the information as received */
2549 	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2550 
2551 	if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2552 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2553 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
2554 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2555 
2556 	skb_pull(skb, sizeof(*rp));
2557 
2558 	authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2559 	ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2560 			  authenticated, smp->tk, smp->enc_key_size,
2561 			  rp->ediv, rp->rand);
2562 	smp->ltk = ltk;
2563 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2564 		smp_distribute_keys(smp);
2565 
2566 	return 0;
2567 }
2568 
2569 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2570 {
2571 	struct smp_cmd_ident_info *info = (void *) skb->data;
2572 	struct l2cap_chan *chan = conn->smp;
2573 	struct smp_chan *smp = chan->data;
2574 
2575 	bt_dev_dbg(conn->hcon->hdev, "");
2576 
2577 	if (skb->len < sizeof(*info))
2578 		return SMP_INVALID_PARAMS;
2579 
2580 	/* Pairing is aborted if any blocked keys are distributed */
2581 	if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_IRK,
2582 			       info->irk)) {
2583 		bt_dev_warn_ratelimited(conn->hcon->hdev,
2584 					"Identity key blocked for %pMR",
2585 					&conn->hcon->dst);
2586 		return SMP_INVALID_PARAMS;
2587 	}
2588 
2589 	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2590 
2591 	skb_pull(skb, sizeof(*info));
2592 
2593 	memcpy(smp->irk, info->irk, 16);
2594 
2595 	return 0;
2596 }
2597 
2598 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2599 				   struct sk_buff *skb)
2600 {
2601 	struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2602 	struct l2cap_chan *chan = conn->smp;
2603 	struct smp_chan *smp = chan->data;
2604 	struct hci_conn *hcon = conn->hcon;
2605 	bdaddr_t rpa;
2606 
2607 	bt_dev_dbg(hcon->hdev, "");
2608 
2609 	if (skb->len < sizeof(*info))
2610 		return SMP_INVALID_PARAMS;
2611 
2612 	/* Mark the information as received */
2613 	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2614 
2615 	if (smp->remote_key_dist & SMP_DIST_SIGN)
2616 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2617 
2618 	skb_pull(skb, sizeof(*info));
2619 
2620 	/* Strictly speaking the Core Specification (4.1) allows sending
2621 	 * an empty address which would force us to rely on just the IRK
2622 	 * as "identity information". However, since such
2623 	 * implementations are not known of and in order to not over
2624 	 * complicate our implementation, simply pretend that we never
2625 	 * received an IRK for such a device.
2626 	 *
2627 	 * The Identity Address must also be a Static Random or Public
2628 	 * Address, which hci_is_identity_address() checks for.
2629 	 */
2630 	if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2631 	    !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2632 		bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
2633 		goto distribute;
2634 	}
2635 
2636 	/* Drop IRK if peer is using identity address during pairing but is
2637 	 * providing different address as identity information.
2638 	 *
2639 	 * Microsoft Surface Precision Mouse is known to have this bug.
2640 	 */
2641 	if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
2642 	    (bacmp(&info->bdaddr, &hcon->dst) ||
2643 	     info->addr_type != hcon->dst_type)) {
2644 		bt_dev_err(hcon->hdev,
2645 			   "ignoring IRK with invalid identity address");
2646 		goto distribute;
2647 	}
2648 
2649 	bacpy(&smp->id_addr, &info->bdaddr);
2650 	smp->id_addr_type = info->addr_type;
2651 
2652 	if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2653 		bacpy(&rpa, &hcon->dst);
2654 	else
2655 		bacpy(&rpa, BDADDR_ANY);
2656 
2657 	smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2658 				      smp->id_addr_type, smp->irk, &rpa);
2659 
2660 distribute:
2661 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2662 		smp_distribute_keys(smp);
2663 
2664 	return 0;
2665 }
2666 
2667 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2668 {
2669 	struct smp_cmd_sign_info *rp = (void *) skb->data;
2670 	struct l2cap_chan *chan = conn->smp;
2671 	struct smp_chan *smp = chan->data;
2672 	struct smp_csrk *csrk;
2673 
2674 	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
2675 
2676 	if (skb->len < sizeof(*rp))
2677 		return SMP_INVALID_PARAMS;
2678 
2679 	/* Mark the information as received */
2680 	smp->remote_key_dist &= ~SMP_DIST_SIGN;
2681 
2682 	skb_pull(skb, sizeof(*rp));
2683 
2684 	csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2685 	if (csrk) {
2686 		if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2687 			csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2688 		else
2689 			csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2690 		memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2691 	}
2692 	smp->csrk = csrk;
2693 	smp_distribute_keys(smp);
2694 
2695 	return 0;
2696 }
2697 
2698 static u8 sc_select_method(struct smp_chan *smp)
2699 {
2700 	struct smp_cmd_pairing *local, *remote;
2701 	u8 local_mitm, remote_mitm, local_io, remote_io, method;
2702 
2703 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2704 	    test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2705 		return REQ_OOB;
2706 
2707 	/* The preq/prsp contain the raw Pairing Request/Response PDUs
2708 	 * which are needed as inputs to some crypto functions. To get
2709 	 * the "struct smp_cmd_pairing" from them we need to skip the
2710 	 * first byte which contains the opcode.
2711 	 */
2712 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2713 		local = (void *) &smp->preq[1];
2714 		remote = (void *) &smp->prsp[1];
2715 	} else {
2716 		local = (void *) &smp->prsp[1];
2717 		remote = (void *) &smp->preq[1];
2718 	}
2719 
2720 	local_io = local->io_capability;
2721 	remote_io = remote->io_capability;
2722 
2723 	local_mitm = (local->auth_req & SMP_AUTH_MITM);
2724 	remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2725 
2726 	/* If either side wants MITM, look up the method from the table,
2727 	 * otherwise use JUST WORKS.
2728 	 */
2729 	if (local_mitm || remote_mitm)
2730 		method = get_auth_method(smp, local_io, remote_io);
2731 	else
2732 		method = JUST_WORKS;
2733 
2734 	/* Don't confirm locally initiated pairing attempts */
2735 	if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2736 		method = JUST_WORKS;
2737 
2738 	return method;
2739 }
2740 
2741 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2742 {
2743 	struct smp_cmd_public_key *key = (void *) skb->data;
2744 	struct hci_conn *hcon = conn->hcon;
2745 	struct l2cap_chan *chan = conn->smp;
2746 	struct smp_chan *smp = chan->data;
2747 	struct hci_dev *hdev = hcon->hdev;
2748 	struct crypto_kpp *tfm_ecdh;
2749 	struct smp_cmd_pairing_confirm cfm;
2750 	int err;
2751 
2752 	bt_dev_dbg(hdev, "conn %p", conn);
2753 
2754 	if (skb->len < sizeof(*key))
2755 		return SMP_INVALID_PARAMS;
2756 
2757 	/* Check if remote and local public keys are the same and debug key is
2758 	 * not in use.
2759 	 */
2760 	if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) &&
2761 	    !crypto_memneq(key, smp->local_pk, 64)) {
2762 		bt_dev_err(hdev, "Remote and local public keys are identical");
2763 		return SMP_UNSPECIFIED;
2764 	}
2765 
2766 	memcpy(smp->remote_pk, key, 64);
2767 
2768 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2769 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2770 			     smp->rr, 0, cfm.confirm_val);
2771 		if (err)
2772 			return SMP_UNSPECIFIED;
2773 
2774 		if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2775 			return SMP_CONFIRM_FAILED;
2776 	}
2777 
2778 	/* Non-initiating device sends its public key after receiving
2779 	 * the key from the initiating device.
2780 	 */
2781 	if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2782 		err = sc_send_public_key(smp);
2783 		if (err)
2784 			return err;
2785 	}
2786 
2787 	SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2788 	SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2789 
2790 	/* Compute the shared secret on the same crypto tfm on which the private
2791 	 * key was set/generated.
2792 	 */
2793 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
2794 		struct l2cap_chan *hchan = hdev->smp_data;
2795 		struct smp_dev *smp_dev;
2796 
2797 		if (!hchan || !hchan->data)
2798 			return SMP_UNSPECIFIED;
2799 
2800 		smp_dev = hchan->data;
2801 
2802 		tfm_ecdh = smp_dev->tfm_ecdh;
2803 	} else {
2804 		tfm_ecdh = smp->tfm_ecdh;
2805 	}
2806 
2807 	if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
2808 		return SMP_UNSPECIFIED;
2809 
2810 	SMP_DBG("DHKey %32phN", smp->dhkey);
2811 
2812 	set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2813 
2814 	smp->method = sc_select_method(smp);
2815 
2816 	bt_dev_dbg(hdev, "selected method 0x%02x", smp->method);
2817 
2818 	/* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2819 	if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2820 		hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2821 	else
2822 		hcon->pending_sec_level = BT_SECURITY_FIPS;
2823 
2824 	if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2825 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2826 
2827 	if (smp->method == DSP_PASSKEY) {
2828 		get_random_bytes(&hcon->passkey_notify,
2829 				 sizeof(hcon->passkey_notify));
2830 		hcon->passkey_notify %= 1000000;
2831 		hcon->passkey_entered = 0;
2832 		smp->passkey_round = 0;
2833 		if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2834 					     hcon->dst_type,
2835 					     hcon->passkey_notify,
2836 					     hcon->passkey_entered))
2837 			return SMP_UNSPECIFIED;
2838 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2839 		return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2840 	}
2841 
2842 	if (smp->method == REQ_OOB) {
2843 		if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2844 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2845 				     sizeof(smp->prnd), smp->prnd);
2846 
2847 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2848 
2849 		return 0;
2850 	}
2851 
2852 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2853 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2854 
2855 	if (smp->method == REQ_PASSKEY) {
2856 		if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2857 					      hcon->dst_type))
2858 			return SMP_UNSPECIFIED;
2859 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2860 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2861 		return 0;
2862 	}
2863 
2864 	/* The Initiating device waits for the non-initiating device to
2865 	 * send the confirm value.
2866 	 */
2867 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2868 		return 0;
2869 
2870 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2871 		     0, cfm.confirm_val);
2872 	if (err)
2873 		return SMP_UNSPECIFIED;
2874 
2875 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2876 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2877 
2878 	return 0;
2879 }
2880 
2881 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2882 {
2883 	struct smp_cmd_dhkey_check *check = (void *) skb->data;
2884 	struct l2cap_chan *chan = conn->smp;
2885 	struct hci_conn *hcon = conn->hcon;
2886 	struct smp_chan *smp = chan->data;
2887 	u8 a[7], b[7], *local_addr, *remote_addr;
2888 	u8 io_cap[3], r[16], e[16];
2889 	int err;
2890 
2891 	bt_dev_dbg(hcon->hdev, "conn %p", conn);
2892 
2893 	if (skb->len < sizeof(*check))
2894 		return SMP_INVALID_PARAMS;
2895 
2896 	memcpy(a, &hcon->init_addr, 6);
2897 	memcpy(b, &hcon->resp_addr, 6);
2898 	a[6] = hcon->init_addr_type;
2899 	b[6] = hcon->resp_addr_type;
2900 
2901 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2902 		local_addr = a;
2903 		remote_addr = b;
2904 		memcpy(io_cap, &smp->prsp[1], 3);
2905 	} else {
2906 		local_addr = b;
2907 		remote_addr = a;
2908 		memcpy(io_cap, &smp->preq[1], 3);
2909 	}
2910 
2911 	memset(r, 0, sizeof(r));
2912 
2913 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2914 		put_unaligned_le32(hcon->passkey_notify, r);
2915 	else if (smp->method == REQ_OOB)
2916 		memcpy(r, smp->lr, 16);
2917 
2918 	err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2919 		     io_cap, remote_addr, local_addr, e);
2920 	if (err)
2921 		return SMP_UNSPECIFIED;
2922 
2923 	if (crypto_memneq(check->e, e, 16))
2924 		return SMP_DHKEY_CHECK_FAILED;
2925 
2926 	if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2927 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2928 			set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2929 			return 0;
2930 		}
2931 
2932 		/* Responder sends DHKey check as response to initiator */
2933 		sc_dhkey_check(smp);
2934 	}
2935 
2936 	sc_add_ltk(smp);
2937 
2938 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2939 		hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2940 		hcon->enc_key_size = smp->enc_key_size;
2941 	}
2942 
2943 	return 0;
2944 }
2945 
2946 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2947 				   struct sk_buff *skb)
2948 {
2949 	struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2950 
2951 	bt_dev_dbg(conn->hcon->hdev, "value 0x%02x", kp->value);
2952 
2953 	return 0;
2954 }
2955 
2956 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2957 {
2958 	struct l2cap_conn *conn = chan->conn;
2959 	struct hci_conn *hcon = conn->hcon;
2960 	struct smp_chan *smp;
2961 	__u8 code, reason;
2962 	int err = 0;
2963 
2964 	if (skb->len < 1)
2965 		return -EILSEQ;
2966 
2967 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2968 		reason = SMP_PAIRING_NOTSUPP;
2969 		goto done;
2970 	}
2971 
2972 	code = skb->data[0];
2973 	skb_pull(skb, sizeof(code));
2974 
2975 	smp = chan->data;
2976 
2977 	if (code > SMP_CMD_MAX)
2978 		goto drop;
2979 
2980 	if (smp && !test_and_clear_bit(code, &smp->allow_cmd)) {
2981 		/* If there is a context and the command is not allowed consider
2982 		 * it a failure so the session is cleanup properly.
2983 		 */
2984 		switch (code) {
2985 		case SMP_CMD_IDENT_INFO:
2986 		case SMP_CMD_IDENT_ADDR_INFO:
2987 		case SMP_CMD_SIGN_INFO:
2988 			/* 3.6.1. Key distribution and generation
2989 			 *
2990 			 * A device may reject a distributed key by sending the
2991 			 * Pairing Failed command with the reason set to
2992 			 * "Key Rejected".
2993 			 */
2994 			smp_failure(conn, SMP_KEY_REJECTED);
2995 			break;
2996 		}
2997 		goto drop;
2998 	}
2999 
3000 	/* If we don't have a context the only allowed commands are
3001 	 * pairing request and security request.
3002 	 */
3003 	if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
3004 		goto drop;
3005 
3006 	switch (code) {
3007 	case SMP_CMD_PAIRING_REQ:
3008 		reason = smp_cmd_pairing_req(conn, skb);
3009 		break;
3010 
3011 	case SMP_CMD_PAIRING_FAIL:
3012 		smp_failure(conn, 0);
3013 		err = -EPERM;
3014 		break;
3015 
3016 	case SMP_CMD_PAIRING_RSP:
3017 		reason = smp_cmd_pairing_rsp(conn, skb);
3018 		break;
3019 
3020 	case SMP_CMD_SECURITY_REQ:
3021 		reason = smp_cmd_security_req(conn, skb);
3022 		break;
3023 
3024 	case SMP_CMD_PAIRING_CONFIRM:
3025 		reason = smp_cmd_pairing_confirm(conn, skb);
3026 		break;
3027 
3028 	case SMP_CMD_PAIRING_RANDOM:
3029 		reason = smp_cmd_pairing_random(conn, skb);
3030 		break;
3031 
3032 	case SMP_CMD_ENCRYPT_INFO:
3033 		reason = smp_cmd_encrypt_info(conn, skb);
3034 		break;
3035 
3036 	case SMP_CMD_INITIATOR_IDENT:
3037 		reason = smp_cmd_initiator_ident(conn, skb);
3038 		break;
3039 
3040 	case SMP_CMD_IDENT_INFO:
3041 		reason = smp_cmd_ident_info(conn, skb);
3042 		break;
3043 
3044 	case SMP_CMD_IDENT_ADDR_INFO:
3045 		reason = smp_cmd_ident_addr_info(conn, skb);
3046 		break;
3047 
3048 	case SMP_CMD_SIGN_INFO:
3049 		reason = smp_cmd_sign_info(conn, skb);
3050 		break;
3051 
3052 	case SMP_CMD_PUBLIC_KEY:
3053 		reason = smp_cmd_public_key(conn, skb);
3054 		break;
3055 
3056 	case SMP_CMD_DHKEY_CHECK:
3057 		reason = smp_cmd_dhkey_check(conn, skb);
3058 		break;
3059 
3060 	case SMP_CMD_KEYPRESS_NOTIFY:
3061 		reason = smp_cmd_keypress_notify(conn, skb);
3062 		break;
3063 
3064 	default:
3065 		bt_dev_dbg(hcon->hdev, "Unknown command code 0x%2.2x", code);
3066 		reason = SMP_CMD_NOTSUPP;
3067 		goto done;
3068 	}
3069 
3070 done:
3071 	if (!err) {
3072 		if (reason)
3073 			smp_failure(conn, reason);
3074 		kfree_skb(skb);
3075 	}
3076 
3077 	return err;
3078 
3079 drop:
3080 	bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
3081 		   code, &hcon->dst);
3082 	kfree_skb(skb);
3083 	return 0;
3084 }
3085 
3086 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
3087 {
3088 	struct l2cap_conn *conn = chan->conn;
3089 
3090 	bt_dev_dbg(conn->hcon->hdev, "chan %p", chan);
3091 
3092 	if (chan->data)
3093 		smp_chan_destroy(conn);
3094 
3095 	conn->smp = NULL;
3096 	l2cap_chan_put(chan);
3097 }
3098 
3099 static void bredr_pairing(struct l2cap_chan *chan)
3100 {
3101 	struct l2cap_conn *conn = chan->conn;
3102 	struct hci_conn *hcon = conn->hcon;
3103 	struct hci_dev *hdev = hcon->hdev;
3104 	struct smp_chan *smp;
3105 
3106 	bt_dev_dbg(hdev, "chan %p", chan);
3107 
3108 	/* Only new pairings are interesting */
3109 	if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
3110 		return;
3111 
3112 	/* Don't bother if we're not encrypted */
3113 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3114 		return;
3115 
3116 	/* Only initiator may initiate SMP over BR/EDR */
3117 	if (hcon->role != HCI_ROLE_MASTER)
3118 		return;
3119 
3120 	/* Secure Connections support must be enabled */
3121 	if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
3122 		return;
3123 
3124 	/* BR/EDR must use Secure Connections for SMP */
3125 	if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
3126 	    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3127 		return;
3128 
3129 	/* If our LE support is not enabled don't do anything */
3130 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3131 		return;
3132 
3133 	/* Don't bother if remote LE support is not enabled */
3134 	if (!lmp_host_le_capable(hcon))
3135 		return;
3136 
3137 	/* Remote must support SMP fixed chan for BR/EDR */
3138 	if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3139 		return;
3140 
3141 	/* Don't bother if SMP is already ongoing */
3142 	if (chan->data)
3143 		return;
3144 
3145 	smp = smp_chan_create(conn);
3146 	if (!smp) {
3147 		bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
3148 		return;
3149 	}
3150 
3151 	set_bit(SMP_FLAG_SC, &smp->flags);
3152 
3153 	bt_dev_dbg(hdev, "starting SMP over BR/EDR");
3154 
3155 	smp_send_pairing_req(smp, 0x00);
3156 }
3157 
3158 static void smp_resume_cb(struct l2cap_chan *chan)
3159 {
3160 	struct smp_chan *smp = chan->data;
3161 	struct l2cap_conn *conn = chan->conn;
3162 	struct hci_conn *hcon = conn->hcon;
3163 
3164 	bt_dev_dbg(hcon->hdev, "chan %p", chan);
3165 
3166 	if (hcon->type == ACL_LINK) {
3167 		bredr_pairing(chan);
3168 		return;
3169 	}
3170 
3171 	if (!smp)
3172 		return;
3173 
3174 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3175 		return;
3176 
3177 	cancel_delayed_work(&smp->security_timer);
3178 
3179 	smp_distribute_keys(smp);
3180 }
3181 
3182 static void smp_ready_cb(struct l2cap_chan *chan)
3183 {
3184 	struct l2cap_conn *conn = chan->conn;
3185 	struct hci_conn *hcon = conn->hcon;
3186 
3187 	bt_dev_dbg(hcon->hdev, "chan %p", chan);
3188 
3189 	/* No need to call l2cap_chan_hold() here since we already own
3190 	 * the reference taken in smp_new_conn_cb(). This is just the
3191 	 * first time that we tie it to a specific pointer. The code in
3192 	 * l2cap_core.c ensures that there's no risk this function won't
3193 	 * get called if smp_new_conn_cb was previously called.
3194 	 */
3195 	conn->smp = chan;
3196 
3197 	if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3198 		bredr_pairing(chan);
3199 }
3200 
3201 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3202 {
3203 	int err;
3204 
3205 	bt_dev_dbg(chan->conn->hcon->hdev, "chan %p", chan);
3206 
3207 	err = smp_sig_channel(chan, skb);
3208 	if (err) {
3209 		struct smp_chan *smp = chan->data;
3210 
3211 		if (smp)
3212 			cancel_delayed_work_sync(&smp->security_timer);
3213 
3214 		hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3215 	}
3216 
3217 	return err;
3218 }
3219 
3220 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3221 					unsigned long hdr_len,
3222 					unsigned long len, int nb)
3223 {
3224 	struct sk_buff *skb;
3225 
3226 	skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3227 	if (!skb)
3228 		return ERR_PTR(-ENOMEM);
3229 
3230 	skb->priority = HCI_PRIO_MAX;
3231 	bt_cb(skb)->l2cap.chan = chan;
3232 
3233 	return skb;
3234 }
3235 
3236 static const struct l2cap_ops smp_chan_ops = {
3237 	.name			= "Security Manager",
3238 	.ready			= smp_ready_cb,
3239 	.recv			= smp_recv_cb,
3240 	.alloc_skb		= smp_alloc_skb_cb,
3241 	.teardown		= smp_teardown_cb,
3242 	.resume			= smp_resume_cb,
3243 
3244 	.new_connection		= l2cap_chan_no_new_connection,
3245 	.state_change		= l2cap_chan_no_state_change,
3246 	.close			= l2cap_chan_no_close,
3247 	.defer			= l2cap_chan_no_defer,
3248 	.suspend		= l2cap_chan_no_suspend,
3249 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3250 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3251 };
3252 
3253 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3254 {
3255 	struct l2cap_chan *chan;
3256 
3257 	BT_DBG("pchan %p", pchan);
3258 
3259 	chan = l2cap_chan_create();
3260 	if (!chan)
3261 		return NULL;
3262 
3263 	chan->chan_type	= pchan->chan_type;
3264 	chan->ops	= &smp_chan_ops;
3265 	chan->scid	= pchan->scid;
3266 	chan->dcid	= chan->scid;
3267 	chan->imtu	= pchan->imtu;
3268 	chan->omtu	= pchan->omtu;
3269 	chan->mode	= pchan->mode;
3270 
3271 	/* Other L2CAP channels may request SMP routines in order to
3272 	 * change the security level. This means that the SMP channel
3273 	 * lock must be considered in its own category to avoid lockdep
3274 	 * warnings.
3275 	 */
3276 	atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3277 
3278 	BT_DBG("created chan %p", chan);
3279 
3280 	return chan;
3281 }
3282 
3283 static const struct l2cap_ops smp_root_chan_ops = {
3284 	.name			= "Security Manager Root",
3285 	.new_connection		= smp_new_conn_cb,
3286 
3287 	/* None of these are implemented for the root channel */
3288 	.close			= l2cap_chan_no_close,
3289 	.alloc_skb		= l2cap_chan_no_alloc_skb,
3290 	.recv			= l2cap_chan_no_recv,
3291 	.state_change		= l2cap_chan_no_state_change,
3292 	.teardown		= l2cap_chan_no_teardown,
3293 	.ready			= l2cap_chan_no_ready,
3294 	.defer			= l2cap_chan_no_defer,
3295 	.suspend		= l2cap_chan_no_suspend,
3296 	.resume			= l2cap_chan_no_resume,
3297 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3298 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3299 };
3300 
3301 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3302 {
3303 	struct l2cap_chan *chan;
3304 	struct smp_dev *smp;
3305 	struct crypto_shash *tfm_cmac;
3306 	struct crypto_kpp *tfm_ecdh;
3307 
3308 	if (cid == L2CAP_CID_SMP_BREDR) {
3309 		smp = NULL;
3310 		goto create_chan;
3311 	}
3312 
3313 	smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3314 	if (!smp)
3315 		return ERR_PTR(-ENOMEM);
3316 
3317 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3318 	if (IS_ERR(tfm_cmac)) {
3319 		bt_dev_err(hdev, "Unable to create CMAC crypto context");
3320 		kfree_sensitive(smp);
3321 		return ERR_CAST(tfm_cmac);
3322 	}
3323 
3324 	tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
3325 	if (IS_ERR(tfm_ecdh)) {
3326 		bt_dev_err(hdev, "Unable to create ECDH crypto context");
3327 		crypto_free_shash(tfm_cmac);
3328 		kfree_sensitive(smp);
3329 		return ERR_CAST(tfm_ecdh);
3330 	}
3331 
3332 	smp->local_oob = false;
3333 	smp->tfm_cmac = tfm_cmac;
3334 	smp->tfm_ecdh = tfm_ecdh;
3335 
3336 create_chan:
3337 	chan = l2cap_chan_create();
3338 	if (!chan) {
3339 		if (smp) {
3340 			crypto_free_shash(smp->tfm_cmac);
3341 			crypto_free_kpp(smp->tfm_ecdh);
3342 			kfree_sensitive(smp);
3343 		}
3344 		return ERR_PTR(-ENOMEM);
3345 	}
3346 
3347 	chan->data = smp;
3348 
3349 	l2cap_add_scid(chan, cid);
3350 
3351 	l2cap_chan_set_defaults(chan);
3352 
3353 	if (cid == L2CAP_CID_SMP) {
3354 		u8 bdaddr_type;
3355 
3356 		hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3357 
3358 		if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3359 			chan->src_type = BDADDR_LE_PUBLIC;
3360 		else
3361 			chan->src_type = BDADDR_LE_RANDOM;
3362 	} else {
3363 		bacpy(&chan->src, &hdev->bdaddr);
3364 		chan->src_type = BDADDR_BREDR;
3365 	}
3366 
3367 	chan->state = BT_LISTEN;
3368 	chan->mode = L2CAP_MODE_BASIC;
3369 	chan->imtu = L2CAP_DEFAULT_MTU;
3370 	chan->ops = &smp_root_chan_ops;
3371 
3372 	/* Set correct nesting level for a parent/listening channel */
3373 	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3374 
3375 	return chan;
3376 }
3377 
3378 static void smp_del_chan(struct l2cap_chan *chan)
3379 {
3380 	struct smp_dev *smp;
3381 
3382 	BT_DBG("chan %p", chan);
3383 
3384 	smp = chan->data;
3385 	if (smp) {
3386 		chan->data = NULL;
3387 		crypto_free_shash(smp->tfm_cmac);
3388 		crypto_free_kpp(smp->tfm_ecdh);
3389 		kfree_sensitive(smp);
3390 	}
3391 
3392 	l2cap_chan_put(chan);
3393 }
3394 
3395 int smp_force_bredr(struct hci_dev *hdev, bool enable)
3396 {
3397 	if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3398 		return -EALREADY;
3399 
3400 	if (enable) {
3401 		struct l2cap_chan *chan;
3402 
3403 		chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3404 		if (IS_ERR(chan))
3405 			return PTR_ERR(chan);
3406 
3407 		hdev->smp_bredr_data = chan;
3408 	} else {
3409 		struct l2cap_chan *chan;
3410 
3411 		chan = hdev->smp_bredr_data;
3412 		hdev->smp_bredr_data = NULL;
3413 		smp_del_chan(chan);
3414 	}
3415 
3416 	hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3417 
3418 	return 0;
3419 }
3420 
3421 int smp_register(struct hci_dev *hdev)
3422 {
3423 	struct l2cap_chan *chan;
3424 
3425 	bt_dev_dbg(hdev, "");
3426 
3427 	/* If the controller does not support Low Energy operation, then
3428 	 * there is also no need to register any SMP channel.
3429 	 */
3430 	if (!lmp_le_capable(hdev))
3431 		return 0;
3432 
3433 	if (WARN_ON(hdev->smp_data)) {
3434 		chan = hdev->smp_data;
3435 		hdev->smp_data = NULL;
3436 		smp_del_chan(chan);
3437 	}
3438 
3439 	chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3440 	if (IS_ERR(chan))
3441 		return PTR_ERR(chan);
3442 
3443 	hdev->smp_data = chan;
3444 
3445 	if (!lmp_sc_capable(hdev)) {
3446 		/* Flag can be already set here (due to power toggle) */
3447 		if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3448 			return 0;
3449 	}
3450 
3451 	if (WARN_ON(hdev->smp_bredr_data)) {
3452 		chan = hdev->smp_bredr_data;
3453 		hdev->smp_bredr_data = NULL;
3454 		smp_del_chan(chan);
3455 	}
3456 
3457 	chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3458 	if (IS_ERR(chan)) {
3459 		int err = PTR_ERR(chan);
3460 		chan = hdev->smp_data;
3461 		hdev->smp_data = NULL;
3462 		smp_del_chan(chan);
3463 		return err;
3464 	}
3465 
3466 	hdev->smp_bredr_data = chan;
3467 
3468 	return 0;
3469 }
3470 
3471 void smp_unregister(struct hci_dev *hdev)
3472 {
3473 	struct l2cap_chan *chan;
3474 
3475 	if (hdev->smp_bredr_data) {
3476 		chan = hdev->smp_bredr_data;
3477 		hdev->smp_bredr_data = NULL;
3478 		smp_del_chan(chan);
3479 	}
3480 
3481 	if (hdev->smp_data) {
3482 		chan = hdev->smp_data;
3483 		hdev->smp_data = NULL;
3484 		smp_del_chan(chan);
3485 	}
3486 }
3487 
3488 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3489 
3490 static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
3491 {
3492 	u8 pk[64];
3493 	int err;
3494 
3495 	err = set_ecdh_privkey(tfm_ecdh, debug_sk);
3496 	if (err)
3497 		return err;
3498 
3499 	err = generate_ecdh_public_key(tfm_ecdh, pk);
3500 	if (err)
3501 		return err;
3502 
3503 	if (crypto_memneq(pk, debug_pk, 64))
3504 		return -EINVAL;
3505 
3506 	return 0;
3507 }
3508 
3509 static int __init test_ah(void)
3510 {
3511 	const u8 irk[16] = {
3512 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3513 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3514 	const u8 r[3] = { 0x94, 0x81, 0x70 };
3515 	const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3516 	u8 res[3];
3517 	int err;
3518 
3519 	err = smp_ah(irk, r, res);
3520 	if (err)
3521 		return err;
3522 
3523 	if (crypto_memneq(res, exp, 3))
3524 		return -EINVAL;
3525 
3526 	return 0;
3527 }
3528 
3529 static int __init test_c1(void)
3530 {
3531 	const u8 k[16] = {
3532 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3533 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3534 	const u8 r[16] = {
3535 			0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3536 			0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3537 	const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3538 	const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3539 	const u8 _iat = 0x01;
3540 	const u8 _rat = 0x00;
3541 	const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3542 	const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3543 	const u8 exp[16] = {
3544 			0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3545 			0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3546 	u8 res[16];
3547 	int err;
3548 
3549 	err = smp_c1(k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3550 	if (err)
3551 		return err;
3552 
3553 	if (crypto_memneq(res, exp, 16))
3554 		return -EINVAL;
3555 
3556 	return 0;
3557 }
3558 
3559 static int __init test_s1(void)
3560 {
3561 	const u8 k[16] = {
3562 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3563 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3564 	const u8 r1[16] = {
3565 			0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3566 	const u8 r2[16] = {
3567 			0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3568 	const u8 exp[16] = {
3569 			0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3570 			0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3571 	u8 res[16];
3572 	int err;
3573 
3574 	err = smp_s1(k, r1, r2, res);
3575 	if (err)
3576 		return err;
3577 
3578 	if (crypto_memneq(res, exp, 16))
3579 		return -EINVAL;
3580 
3581 	return 0;
3582 }
3583 
3584 static int __init test_f4(struct crypto_shash *tfm_cmac)
3585 {
3586 	const u8 u[32] = {
3587 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3588 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3589 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3590 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3591 	const u8 v[32] = {
3592 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3593 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3594 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3595 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3596 	const u8 x[16] = {
3597 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3598 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3599 	const u8 z = 0x00;
3600 	const u8 exp[16] = {
3601 			0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3602 			0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3603 	u8 res[16];
3604 	int err;
3605 
3606 	err = smp_f4(tfm_cmac, u, v, x, z, res);
3607 	if (err)
3608 		return err;
3609 
3610 	if (crypto_memneq(res, exp, 16))
3611 		return -EINVAL;
3612 
3613 	return 0;
3614 }
3615 
3616 static int __init test_f5(struct crypto_shash *tfm_cmac)
3617 {
3618 	const u8 w[32] = {
3619 			0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3620 			0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3621 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3622 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3623 	const u8 n1[16] = {
3624 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3625 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3626 	const u8 n2[16] = {
3627 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3628 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3629 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3630 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3631 	const u8 exp_ltk[16] = {
3632 			0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3633 			0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3634 	const u8 exp_mackey[16] = {
3635 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3636 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3637 	u8 mackey[16], ltk[16];
3638 	int err;
3639 
3640 	err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3641 	if (err)
3642 		return err;
3643 
3644 	if (crypto_memneq(mackey, exp_mackey, 16))
3645 		return -EINVAL;
3646 
3647 	if (crypto_memneq(ltk, exp_ltk, 16))
3648 		return -EINVAL;
3649 
3650 	return 0;
3651 }
3652 
3653 static int __init test_f6(struct crypto_shash *tfm_cmac)
3654 {
3655 	const u8 w[16] = {
3656 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3657 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3658 	const u8 n1[16] = {
3659 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3660 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3661 	const u8 n2[16] = {
3662 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3663 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3664 	const u8 r[16] = {
3665 			0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3666 			0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3667 	const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3668 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3669 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3670 	const u8 exp[16] = {
3671 			0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3672 			0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3673 	u8 res[16];
3674 	int err;
3675 
3676 	err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3677 	if (err)
3678 		return err;
3679 
3680 	if (crypto_memneq(res, exp, 16))
3681 		return -EINVAL;
3682 
3683 	return 0;
3684 }
3685 
3686 static int __init test_g2(struct crypto_shash *tfm_cmac)
3687 {
3688 	const u8 u[32] = {
3689 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3690 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3691 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3692 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3693 	const u8 v[32] = {
3694 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3695 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3696 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3697 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3698 	const u8 x[16] = {
3699 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3700 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3701 	const u8 y[16] = {
3702 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3703 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3704 	const u32 exp_val = 0x2f9ed5ba % 1000000;
3705 	u32 val;
3706 	int err;
3707 
3708 	err = smp_g2(tfm_cmac, u, v, x, y, &val);
3709 	if (err)
3710 		return err;
3711 
3712 	if (val != exp_val)
3713 		return -EINVAL;
3714 
3715 	return 0;
3716 }
3717 
3718 static int __init test_h6(struct crypto_shash *tfm_cmac)
3719 {
3720 	const u8 w[16] = {
3721 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3722 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3723 	const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3724 	const u8 exp[16] = {
3725 			0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3726 			0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3727 	u8 res[16];
3728 	int err;
3729 
3730 	err = smp_h6(tfm_cmac, w, key_id, res);
3731 	if (err)
3732 		return err;
3733 
3734 	if (crypto_memneq(res, exp, 16))
3735 		return -EINVAL;
3736 
3737 	return 0;
3738 }
3739 
3740 static char test_smp_buffer[32];
3741 
3742 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3743 			     size_t count, loff_t *ppos)
3744 {
3745 	return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3746 				       strlen(test_smp_buffer));
3747 }
3748 
3749 static const struct file_operations test_smp_fops = {
3750 	.open		= simple_open,
3751 	.read		= test_smp_read,
3752 	.llseek		= default_llseek,
3753 };
3754 
3755 static int __init run_selftests(struct crypto_shash *tfm_cmac,
3756 				struct crypto_kpp *tfm_ecdh)
3757 {
3758 	ktime_t calltime, delta, rettime;
3759 	unsigned long long duration;
3760 	int err;
3761 
3762 	calltime = ktime_get();
3763 
3764 	err = test_debug_key(tfm_ecdh);
3765 	if (err) {
3766 		BT_ERR("debug_key test failed");
3767 		goto done;
3768 	}
3769 
3770 	err = test_ah();
3771 	if (err) {
3772 		BT_ERR("smp_ah test failed");
3773 		goto done;
3774 	}
3775 
3776 	err = test_c1();
3777 	if (err) {
3778 		BT_ERR("smp_c1 test failed");
3779 		goto done;
3780 	}
3781 
3782 	err = test_s1();
3783 	if (err) {
3784 		BT_ERR("smp_s1 test failed");
3785 		goto done;
3786 	}
3787 
3788 	err = test_f4(tfm_cmac);
3789 	if (err) {
3790 		BT_ERR("smp_f4 test failed");
3791 		goto done;
3792 	}
3793 
3794 	err = test_f5(tfm_cmac);
3795 	if (err) {
3796 		BT_ERR("smp_f5 test failed");
3797 		goto done;
3798 	}
3799 
3800 	err = test_f6(tfm_cmac);
3801 	if (err) {
3802 		BT_ERR("smp_f6 test failed");
3803 		goto done;
3804 	}
3805 
3806 	err = test_g2(tfm_cmac);
3807 	if (err) {
3808 		BT_ERR("smp_g2 test failed");
3809 		goto done;
3810 	}
3811 
3812 	err = test_h6(tfm_cmac);
3813 	if (err) {
3814 		BT_ERR("smp_h6 test failed");
3815 		goto done;
3816 	}
3817 
3818 	rettime = ktime_get();
3819 	delta = ktime_sub(rettime, calltime);
3820 	duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3821 
3822 	BT_INFO("SMP test passed in %llu usecs", duration);
3823 
3824 done:
3825 	if (!err)
3826 		snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3827 			 "PASS (%llu usecs)\n", duration);
3828 	else
3829 		snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3830 
3831 	debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3832 			    &test_smp_fops);
3833 
3834 	return err;
3835 }
3836 
3837 int __init bt_selftest_smp(void)
3838 {
3839 	struct crypto_shash *tfm_cmac;
3840 	struct crypto_kpp *tfm_ecdh;
3841 	int err;
3842 
3843 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3844 	if (IS_ERR(tfm_cmac)) {
3845 		BT_ERR("Unable to create CMAC crypto context");
3846 		return PTR_ERR(tfm_cmac);
3847 	}
3848 
3849 	tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
3850 	if (IS_ERR(tfm_ecdh)) {
3851 		BT_ERR("Unable to create ECDH crypto context");
3852 		crypto_free_shash(tfm_cmac);
3853 		return PTR_ERR(tfm_ecdh);
3854 	}
3855 
3856 	err = run_selftests(tfm_cmac, tfm_ecdh);
3857 
3858 	crypto_free_shash(tfm_cmac);
3859 	crypto_free_kpp(tfm_ecdh);
3860 
3861 	return err;
3862 }
3863 
3864 #endif
3865