xref: /linux/net/bluetooth/smp.c (revision 3027ce13e04eee76539ca65c2cb1028a01c8c508)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4 
5    This program is free software; you can redistribute it and/or modify
6    it under the terms of the GNU General Public License version 2 as
7    published by the Free Software Foundation;
8 
9    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 
18    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20    SOFTWARE IS DISCLAIMED.
21 */
22 
23 #include <linux/debugfs.h>
24 #include <linux/scatterlist.h>
25 #include <crypto/aes.h>
26 #include <crypto/hash.h>
27 #include <crypto/kpp.h>
28 #include <crypto/utils.h>
29 
30 #include <net/bluetooth/bluetooth.h>
31 #include <net/bluetooth/hci_core.h>
32 #include <net/bluetooth/l2cap.h>
33 #include <net/bluetooth/mgmt.h>
34 
35 #include "ecdh_helper.h"
36 #include "smp.h"
37 
38 #define SMP_DEV(hdev) \
39 	((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
40 
41 /* Low-level debug macros to be used for stuff that we don't want
42  * accidentally in dmesg, i.e. the values of the various crypto keys
43  * and the inputs & outputs of crypto functions.
44  */
45 #ifdef DEBUG
46 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
47 				 ##__VA_ARGS__)
48 #else
49 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
50 				    ##__VA_ARGS__)
51 #endif
52 
53 #define SMP_ALLOW_CMD(smp, code)	set_bit(code, &smp->allow_cmd)
54 
55 /* Keys which are not distributed with Secure Connections */
56 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY)
57 
58 #define SMP_TIMEOUT	msecs_to_jiffies(30000)
59 
60 #define ID_ADDR_TIMEOUT	msecs_to_jiffies(200)
61 
62 #define AUTH_REQ_MASK(dev)	(hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
63 				 0x3f : 0x07)
64 #define KEY_DIST_MASK		0x07
65 
66 /* Maximum message length that can be passed to aes_cmac */
67 #define CMAC_MSG_MAX	80
68 
69 enum {
70 	SMP_FLAG_TK_VALID,
71 	SMP_FLAG_CFM_PENDING,
72 	SMP_FLAG_MITM_AUTH,
73 	SMP_FLAG_COMPLETE,
74 	SMP_FLAG_INITIATOR,
75 	SMP_FLAG_SC,
76 	SMP_FLAG_REMOTE_PK,
77 	SMP_FLAG_DEBUG_KEY,
78 	SMP_FLAG_WAIT_USER,
79 	SMP_FLAG_DHKEY_PENDING,
80 	SMP_FLAG_REMOTE_OOB,
81 	SMP_FLAG_LOCAL_OOB,
82 	SMP_FLAG_CT2,
83 };
84 
85 struct smp_dev {
86 	/* Secure Connections OOB data */
87 	bool			local_oob;
88 	u8			local_pk[64];
89 	u8			local_rand[16];
90 	bool			debug_key;
91 
92 	struct crypto_shash	*tfm_cmac;
93 	struct crypto_kpp	*tfm_ecdh;
94 };
95 
96 struct smp_chan {
97 	struct l2cap_conn	*conn;
98 	struct delayed_work	security_timer;
99 	unsigned long           allow_cmd; /* Bitmask of allowed commands */
100 
101 	u8		preq[7]; /* SMP Pairing Request */
102 	u8		prsp[7]; /* SMP Pairing Response */
103 	u8		prnd[16]; /* SMP Pairing Random (local) */
104 	u8		rrnd[16]; /* SMP Pairing Random (remote) */
105 	u8		pcnf[16]; /* SMP Pairing Confirm */
106 	u8		tk[16]; /* SMP Temporary Key */
107 	u8		rr[16]; /* Remote OOB ra/rb value */
108 	u8		lr[16]; /* Local OOB ra/rb value */
109 	u8		enc_key_size;
110 	u8		remote_key_dist;
111 	bdaddr_t	id_addr;
112 	u8		id_addr_type;
113 	u8		irk[16];
114 	struct smp_csrk	*csrk;
115 	struct smp_csrk	*responder_csrk;
116 	struct smp_ltk	*ltk;
117 	struct smp_ltk	*responder_ltk;
118 	struct smp_irk	*remote_irk;
119 	u8		*link_key;
120 	unsigned long	flags;
121 	u8		method;
122 	u8		passkey_round;
123 
124 	/* Secure Connections variables */
125 	u8			local_pk[64];
126 	u8			remote_pk[64];
127 	u8			dhkey[32];
128 	u8			mackey[16];
129 
130 	struct crypto_shash	*tfm_cmac;
131 	struct crypto_kpp	*tfm_ecdh;
132 };
133 
134 /* These debug key values are defined in the SMP section of the core
135  * specification. debug_pk is the public debug key and debug_sk the
136  * private debug key.
137  */
138 static const u8 debug_pk[64] = {
139 		0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
140 		0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
141 		0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
142 		0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
143 
144 		0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
145 		0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
146 		0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
147 		0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
148 };
149 
150 static const u8 debug_sk[32] = {
151 		0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
152 		0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
153 		0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
154 		0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
155 };
156 
157 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
158 {
159 	size_t i;
160 
161 	for (i = 0; i < len; i++)
162 		dst[len - 1 - i] = src[i];
163 }
164 
165 /* The following functions map to the LE SC SMP crypto functions
166  * AES-CMAC, f4, f5, f6, g2 and h6.
167  */
168 
169 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
170 		    size_t len, u8 mac[16])
171 {
172 	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
173 	int err;
174 
175 	if (len > CMAC_MSG_MAX)
176 		return -EFBIG;
177 
178 	if (!tfm) {
179 		BT_ERR("tfm %p", tfm);
180 		return -EINVAL;
181 	}
182 
183 	/* Swap key and message from LSB to MSB */
184 	swap_buf(k, tmp, 16);
185 	swap_buf(m, msg_msb, len);
186 
187 	SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
188 	SMP_DBG("key %16phN", k);
189 
190 	err = crypto_shash_setkey(tfm, tmp, 16);
191 	if (err) {
192 		BT_ERR("cipher setkey failed: %d", err);
193 		return err;
194 	}
195 
196 	err = crypto_shash_tfm_digest(tfm, msg_msb, len, mac_msb);
197 	if (err) {
198 		BT_ERR("Hash computation error %d", err);
199 		return err;
200 	}
201 
202 	swap_buf(mac_msb, mac, 16);
203 
204 	SMP_DBG("mac %16phN", mac);
205 
206 	return 0;
207 }
208 
209 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
210 		  const u8 v[32], const u8 x[16], u8 z, u8 res[16])
211 {
212 	u8 m[65];
213 	int err;
214 
215 	SMP_DBG("u %32phN", u);
216 	SMP_DBG("v %32phN", v);
217 	SMP_DBG("x %16phN z %02x", x, z);
218 
219 	m[0] = z;
220 	memcpy(m + 1, v, 32);
221 	memcpy(m + 33, u, 32);
222 
223 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
224 	if (err)
225 		return err;
226 
227 	SMP_DBG("res %16phN", res);
228 
229 	return err;
230 }
231 
232 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
233 		  const u8 n1[16], const u8 n2[16], const u8 a1[7],
234 		  const u8 a2[7], u8 mackey[16], u8 ltk[16])
235 {
236 	/* The btle, salt and length "magic" values are as defined in
237 	 * the SMP section of the Bluetooth core specification. In ASCII
238 	 * the btle value ends up being 'btle'. The salt is just a
239 	 * random number whereas length is the value 256 in little
240 	 * endian format.
241 	 */
242 	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
243 	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
244 			      0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
245 	const u8 length[2] = { 0x00, 0x01 };
246 	u8 m[53], t[16];
247 	int err;
248 
249 	SMP_DBG("w %32phN", w);
250 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
251 	SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
252 
253 	err = aes_cmac(tfm_cmac, salt, w, 32, t);
254 	if (err)
255 		return err;
256 
257 	SMP_DBG("t %16phN", t);
258 
259 	memcpy(m, length, 2);
260 	memcpy(m + 2, a2, 7);
261 	memcpy(m + 9, a1, 7);
262 	memcpy(m + 16, n2, 16);
263 	memcpy(m + 32, n1, 16);
264 	memcpy(m + 48, btle, 4);
265 
266 	m[52] = 0; /* Counter */
267 
268 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
269 	if (err)
270 		return err;
271 
272 	SMP_DBG("mackey %16phN", mackey);
273 
274 	m[52] = 1; /* Counter */
275 
276 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
277 	if (err)
278 		return err;
279 
280 	SMP_DBG("ltk %16phN", ltk);
281 
282 	return 0;
283 }
284 
285 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
286 		  const u8 n1[16], const u8 n2[16], const u8 r[16],
287 		  const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
288 		  u8 res[16])
289 {
290 	u8 m[65];
291 	int err;
292 
293 	SMP_DBG("w %16phN", w);
294 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
295 	SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
296 
297 	memcpy(m, a2, 7);
298 	memcpy(m + 7, a1, 7);
299 	memcpy(m + 14, io_cap, 3);
300 	memcpy(m + 17, r, 16);
301 	memcpy(m + 33, n2, 16);
302 	memcpy(m + 49, n1, 16);
303 
304 	err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
305 	if (err)
306 		return err;
307 
308 	SMP_DBG("res %16phN", res);
309 
310 	return err;
311 }
312 
313 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
314 		  const u8 x[16], const u8 y[16], u32 *val)
315 {
316 	u8 m[80], tmp[16];
317 	int err;
318 
319 	SMP_DBG("u %32phN", u);
320 	SMP_DBG("v %32phN", v);
321 	SMP_DBG("x %16phN y %16phN", x, y);
322 
323 	memcpy(m, y, 16);
324 	memcpy(m + 16, v, 32);
325 	memcpy(m + 48, u, 32);
326 
327 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
328 	if (err)
329 		return err;
330 
331 	*val = get_unaligned_le32(tmp);
332 	*val %= 1000000;
333 
334 	SMP_DBG("val %06u", *val);
335 
336 	return 0;
337 }
338 
339 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
340 		  const u8 key_id[4], u8 res[16])
341 {
342 	int err;
343 
344 	SMP_DBG("w %16phN key_id %4phN", w, key_id);
345 
346 	err = aes_cmac(tfm_cmac, w, key_id, 4, res);
347 	if (err)
348 		return err;
349 
350 	SMP_DBG("res %16phN", res);
351 
352 	return err;
353 }
354 
355 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
356 		  const u8 salt[16], u8 res[16])
357 {
358 	int err;
359 
360 	SMP_DBG("w %16phN salt %16phN", w, salt);
361 
362 	err = aes_cmac(tfm_cmac, salt, w, 16, res);
363 	if (err)
364 		return err;
365 
366 	SMP_DBG("res %16phN", res);
367 
368 	return err;
369 }
370 
371 /* The following functions map to the legacy SMP crypto functions e, c1,
372  * s1 and ah.
373  */
374 
375 static int smp_e(const u8 *k, u8 *r)
376 {
377 	struct crypto_aes_ctx ctx;
378 	uint8_t tmp[16], data[16];
379 	int err;
380 
381 	SMP_DBG("k %16phN r %16phN", k, r);
382 
383 	/* The most significant octet of key corresponds to k[0] */
384 	swap_buf(k, tmp, 16);
385 
386 	err = aes_expandkey(&ctx, tmp, 16);
387 	if (err) {
388 		BT_ERR("cipher setkey failed: %d", err);
389 		return err;
390 	}
391 
392 	/* Most significant octet of plaintextData corresponds to data[0] */
393 	swap_buf(r, data, 16);
394 
395 	aes_encrypt(&ctx, data, data);
396 
397 	/* Most significant octet of encryptedData corresponds to data[0] */
398 	swap_buf(data, r, 16);
399 
400 	SMP_DBG("r %16phN", r);
401 
402 	memzero_explicit(&ctx, sizeof(ctx));
403 	return err;
404 }
405 
406 static int smp_c1(const u8 k[16],
407 		  const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
408 		  const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
409 {
410 	u8 p1[16], p2[16];
411 	int err;
412 
413 	SMP_DBG("k %16phN r %16phN", k, r);
414 	SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
415 	SMP_DBG("preq %7phN pres %7phN", preq, pres);
416 
417 	memset(p1, 0, 16);
418 
419 	/* p1 = pres || preq || _rat || _iat */
420 	p1[0] = _iat;
421 	p1[1] = _rat;
422 	memcpy(p1 + 2, preq, 7);
423 	memcpy(p1 + 9, pres, 7);
424 
425 	SMP_DBG("p1 %16phN", p1);
426 
427 	/* res = r XOR p1 */
428 	crypto_xor_cpy(res, r, p1, sizeof(p1));
429 
430 	/* res = e(k, res) */
431 	err = smp_e(k, res);
432 	if (err) {
433 		BT_ERR("Encrypt data error");
434 		return err;
435 	}
436 
437 	/* p2 = padding || ia || ra */
438 	memcpy(p2, ra, 6);
439 	memcpy(p2 + 6, ia, 6);
440 	memset(p2 + 12, 0, 4);
441 
442 	SMP_DBG("p2 %16phN", p2);
443 
444 	/* res = res XOR p2 */
445 	crypto_xor(res, p2, sizeof(p2));
446 
447 	/* res = e(k, res) */
448 	err = smp_e(k, res);
449 	if (err)
450 		BT_ERR("Encrypt data error");
451 
452 	return err;
453 }
454 
455 static int smp_s1(const u8 k[16],
456 		  const u8 r1[16], const u8 r2[16], u8 _r[16])
457 {
458 	int err;
459 
460 	/* Just least significant octets from r1 and r2 are considered */
461 	memcpy(_r, r2, 8);
462 	memcpy(_r + 8, r1, 8);
463 
464 	err = smp_e(k, _r);
465 	if (err)
466 		BT_ERR("Encrypt data error");
467 
468 	return err;
469 }
470 
471 static int smp_ah(const u8 irk[16], const u8 r[3], u8 res[3])
472 {
473 	u8 _res[16];
474 	int err;
475 
476 	/* r' = padding || r */
477 	memcpy(_res, r, 3);
478 	memset(_res + 3, 0, 13);
479 
480 	err = smp_e(irk, _res);
481 	if (err) {
482 		BT_ERR("Encrypt error");
483 		return err;
484 	}
485 
486 	/* The output of the random address function ah is:
487 	 *	ah(k, r) = e(k, r') mod 2^24
488 	 * The output of the security function e is then truncated to 24 bits
489 	 * by taking the least significant 24 bits of the output of e as the
490 	 * result of ah.
491 	 */
492 	memcpy(res, _res, 3);
493 
494 	return 0;
495 }
496 
497 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
498 		     const bdaddr_t *bdaddr)
499 {
500 	struct l2cap_chan *chan = hdev->smp_data;
501 	u8 hash[3];
502 	int err;
503 
504 	if (!chan || !chan->data)
505 		return false;
506 
507 	bt_dev_dbg(hdev, "RPA %pMR IRK %*phN", bdaddr, 16, irk);
508 
509 	err = smp_ah(irk, &bdaddr->b[3], hash);
510 	if (err)
511 		return false;
512 
513 	return !crypto_memneq(bdaddr->b, hash, 3);
514 }
515 
516 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
517 {
518 	struct l2cap_chan *chan = hdev->smp_data;
519 	int err;
520 
521 	if (!chan || !chan->data)
522 		return -EOPNOTSUPP;
523 
524 	get_random_bytes(&rpa->b[3], 3);
525 
526 	rpa->b[5] &= 0x3f;	/* Clear two most significant bits */
527 	rpa->b[5] |= 0x40;	/* Set second most significant bit */
528 
529 	err = smp_ah(irk, &rpa->b[3], rpa->b);
530 	if (err < 0)
531 		return err;
532 
533 	bt_dev_dbg(hdev, "RPA %pMR", rpa);
534 
535 	return 0;
536 }
537 
538 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
539 {
540 	struct l2cap_chan *chan = hdev->smp_data;
541 	struct smp_dev *smp;
542 	int err;
543 
544 	if (!chan || !chan->data)
545 		return -EOPNOTSUPP;
546 
547 	smp = chan->data;
548 
549 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
550 		bt_dev_dbg(hdev, "Using debug keys");
551 		err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk);
552 		if (err)
553 			return err;
554 		memcpy(smp->local_pk, debug_pk, 64);
555 		smp->debug_key = true;
556 	} else {
557 		while (true) {
558 			/* Generate key pair for Secure Connections */
559 			err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk);
560 			if (err)
561 				return err;
562 
563 			/* This is unlikely, but we need to check that
564 			 * we didn't accidentally generate a debug key.
565 			 */
566 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
567 				break;
568 		}
569 		smp->debug_key = false;
570 	}
571 
572 	SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
573 	SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
574 
575 	get_random_bytes(smp->local_rand, 16);
576 
577 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
578 		     smp->local_rand, 0, hash);
579 	if (err < 0)
580 		return err;
581 
582 	memcpy(rand, smp->local_rand, 16);
583 
584 	smp->local_oob = true;
585 
586 	return 0;
587 }
588 
589 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
590 {
591 	struct l2cap_chan *chan = conn->smp;
592 	struct smp_chan *smp;
593 	struct kvec iv[2];
594 	struct msghdr msg;
595 
596 	if (!chan)
597 		return;
598 
599 	bt_dev_dbg(conn->hcon->hdev, "code 0x%2.2x", code);
600 
601 	iv[0].iov_base = &code;
602 	iv[0].iov_len = 1;
603 
604 	iv[1].iov_base = data;
605 	iv[1].iov_len = len;
606 
607 	memset(&msg, 0, sizeof(msg));
608 
609 	iov_iter_kvec(&msg.msg_iter, ITER_SOURCE, iv, 2, 1 + len);
610 
611 	l2cap_chan_send(chan, &msg, 1 + len);
612 
613 	if (!chan->data)
614 		return;
615 
616 	smp = chan->data;
617 
618 	cancel_delayed_work_sync(&smp->security_timer);
619 	schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
620 }
621 
622 static u8 authreq_to_seclevel(u8 authreq)
623 {
624 	if (authreq & SMP_AUTH_MITM) {
625 		if (authreq & SMP_AUTH_SC)
626 			return BT_SECURITY_FIPS;
627 		else
628 			return BT_SECURITY_HIGH;
629 	} else {
630 		return BT_SECURITY_MEDIUM;
631 	}
632 }
633 
634 static __u8 seclevel_to_authreq(__u8 sec_level)
635 {
636 	switch (sec_level) {
637 	case BT_SECURITY_FIPS:
638 	case BT_SECURITY_HIGH:
639 		return SMP_AUTH_MITM | SMP_AUTH_BONDING;
640 	case BT_SECURITY_MEDIUM:
641 		return SMP_AUTH_BONDING;
642 	default:
643 		return SMP_AUTH_NONE;
644 	}
645 }
646 
647 static void build_pairing_cmd(struct l2cap_conn *conn,
648 			      struct smp_cmd_pairing *req,
649 			      struct smp_cmd_pairing *rsp, __u8 authreq)
650 {
651 	struct l2cap_chan *chan = conn->smp;
652 	struct smp_chan *smp = chan->data;
653 	struct hci_conn *hcon = conn->hcon;
654 	struct hci_dev *hdev = hcon->hdev;
655 	u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
656 
657 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
658 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
659 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
660 		authreq |= SMP_AUTH_BONDING;
661 	} else {
662 		authreq &= ~SMP_AUTH_BONDING;
663 	}
664 
665 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
666 		remote_dist |= SMP_DIST_ID_KEY;
667 
668 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
669 		local_dist |= SMP_DIST_ID_KEY;
670 
671 	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
672 	    (authreq & SMP_AUTH_SC)) {
673 		struct oob_data *oob_data;
674 		u8 bdaddr_type;
675 
676 		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
677 			local_dist |= SMP_DIST_LINK_KEY;
678 			remote_dist |= SMP_DIST_LINK_KEY;
679 		}
680 
681 		if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
682 			bdaddr_type = BDADDR_LE_PUBLIC;
683 		else
684 			bdaddr_type = BDADDR_LE_RANDOM;
685 
686 		oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
687 						    bdaddr_type);
688 		if (oob_data && oob_data->present) {
689 			set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
690 			oob_flag = SMP_OOB_PRESENT;
691 			memcpy(smp->rr, oob_data->rand256, 16);
692 			memcpy(smp->pcnf, oob_data->hash256, 16);
693 			SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
694 			SMP_DBG("OOB Remote Random: %16phN", smp->rr);
695 		}
696 
697 	} else {
698 		authreq &= ~SMP_AUTH_SC;
699 	}
700 
701 	if (rsp == NULL) {
702 		req->io_capability = conn->hcon->io_capability;
703 		req->oob_flag = oob_flag;
704 		req->max_key_size = hdev->le_max_key_size;
705 		req->init_key_dist = local_dist;
706 		req->resp_key_dist = remote_dist;
707 		req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
708 
709 		smp->remote_key_dist = remote_dist;
710 		return;
711 	}
712 
713 	rsp->io_capability = conn->hcon->io_capability;
714 	rsp->oob_flag = oob_flag;
715 	rsp->max_key_size = hdev->le_max_key_size;
716 	rsp->init_key_dist = req->init_key_dist & remote_dist;
717 	rsp->resp_key_dist = req->resp_key_dist & local_dist;
718 	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
719 
720 	smp->remote_key_dist = rsp->init_key_dist;
721 }
722 
723 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
724 {
725 	struct l2cap_chan *chan = conn->smp;
726 	struct hci_dev *hdev = conn->hcon->hdev;
727 	struct smp_chan *smp = chan->data;
728 
729 	if (conn->hcon->pending_sec_level == BT_SECURITY_FIPS &&
730 	    max_key_size != SMP_MAX_ENC_KEY_SIZE)
731 		return SMP_ENC_KEY_SIZE;
732 
733 	if (max_key_size > hdev->le_max_key_size ||
734 	    max_key_size < SMP_MIN_ENC_KEY_SIZE)
735 		return SMP_ENC_KEY_SIZE;
736 
737 	smp->enc_key_size = max_key_size;
738 
739 	return 0;
740 }
741 
742 static void smp_chan_destroy(struct l2cap_conn *conn)
743 {
744 	struct l2cap_chan *chan = conn->smp;
745 	struct smp_chan *smp = chan->data;
746 	struct hci_conn *hcon = conn->hcon;
747 	bool complete;
748 
749 	BUG_ON(!smp);
750 
751 	cancel_delayed_work_sync(&smp->security_timer);
752 
753 	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
754 	mgmt_smp_complete(hcon, complete);
755 
756 	kfree_sensitive(smp->csrk);
757 	kfree_sensitive(smp->responder_csrk);
758 	kfree_sensitive(smp->link_key);
759 
760 	crypto_free_shash(smp->tfm_cmac);
761 	crypto_free_kpp(smp->tfm_ecdh);
762 
763 	/* Ensure that we don't leave any debug key around if debug key
764 	 * support hasn't been explicitly enabled.
765 	 */
766 	if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
767 	    !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
768 		list_del_rcu(&smp->ltk->list);
769 		kfree_rcu(smp->ltk, rcu);
770 		smp->ltk = NULL;
771 	}
772 
773 	/* If pairing failed clean up any keys we might have */
774 	if (!complete) {
775 		if (smp->ltk) {
776 			list_del_rcu(&smp->ltk->list);
777 			kfree_rcu(smp->ltk, rcu);
778 		}
779 
780 		if (smp->responder_ltk) {
781 			list_del_rcu(&smp->responder_ltk->list);
782 			kfree_rcu(smp->responder_ltk, rcu);
783 		}
784 
785 		if (smp->remote_irk) {
786 			list_del_rcu(&smp->remote_irk->list);
787 			kfree_rcu(smp->remote_irk, rcu);
788 		}
789 	}
790 
791 	chan->data = NULL;
792 	kfree_sensitive(smp);
793 	hci_conn_drop(hcon);
794 }
795 
796 static void smp_failure(struct l2cap_conn *conn, u8 reason)
797 {
798 	struct hci_conn *hcon = conn->hcon;
799 	struct l2cap_chan *chan = conn->smp;
800 
801 	if (reason)
802 		smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
803 			     &reason);
804 
805 	mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
806 
807 	if (chan->data)
808 		smp_chan_destroy(conn);
809 }
810 
811 #define JUST_WORKS	0x00
812 #define JUST_CFM	0x01
813 #define REQ_PASSKEY	0x02
814 #define CFM_PASSKEY	0x03
815 #define REQ_OOB		0x04
816 #define DSP_PASSKEY	0x05
817 #define OVERLAP		0xFF
818 
819 static const u8 gen_method[5][5] = {
820 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
821 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
822 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
823 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
824 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
825 };
826 
827 static const u8 sc_method[5][5] = {
828 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
829 	{ JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
830 	{ DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
831 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
832 	{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
833 };
834 
835 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
836 {
837 	/* If either side has unknown io_caps, use JUST_CFM (which gets
838 	 * converted later to JUST_WORKS if we're initiators.
839 	 */
840 	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
841 	    remote_io > SMP_IO_KEYBOARD_DISPLAY)
842 		return JUST_CFM;
843 
844 	if (test_bit(SMP_FLAG_SC, &smp->flags))
845 		return sc_method[remote_io][local_io];
846 
847 	return gen_method[remote_io][local_io];
848 }
849 
850 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
851 						u8 local_io, u8 remote_io)
852 {
853 	struct hci_conn *hcon = conn->hcon;
854 	struct l2cap_chan *chan = conn->smp;
855 	struct smp_chan *smp = chan->data;
856 	u32 passkey = 0;
857 	int ret;
858 
859 	/* Initialize key for JUST WORKS */
860 	memset(smp->tk, 0, sizeof(smp->tk));
861 	clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
862 
863 	bt_dev_dbg(hcon->hdev, "auth:%u lcl:%u rem:%u", auth, local_io,
864 		   remote_io);
865 
866 	/* If neither side wants MITM, either "just" confirm an incoming
867 	 * request or use just-works for outgoing ones. The JUST_CFM
868 	 * will be converted to JUST_WORKS if necessary later in this
869 	 * function. If either side has MITM look up the method from the
870 	 * table.
871 	 */
872 	if (!(auth & SMP_AUTH_MITM))
873 		smp->method = JUST_CFM;
874 	else
875 		smp->method = get_auth_method(smp, local_io, remote_io);
876 
877 	/* Don't confirm locally initiated pairing attempts */
878 	if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
879 						&smp->flags))
880 		smp->method = JUST_WORKS;
881 
882 	/* Don't bother user space with no IO capabilities */
883 	if (smp->method == JUST_CFM &&
884 	    hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
885 		smp->method = JUST_WORKS;
886 
887 	/* If Just Works, Continue with Zero TK and ask user-space for
888 	 * confirmation */
889 	if (smp->method == JUST_WORKS) {
890 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
891 						hcon->type,
892 						hcon->dst_type,
893 						passkey, 1);
894 		if (ret)
895 			return ret;
896 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
897 		return 0;
898 	}
899 
900 	/* If this function is used for SC -> legacy fallback we
901 	 * can only recover the just-works case.
902 	 */
903 	if (test_bit(SMP_FLAG_SC, &smp->flags))
904 		return -EINVAL;
905 
906 	/* Not Just Works/Confirm results in MITM Authentication */
907 	if (smp->method != JUST_CFM) {
908 		set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
909 		if (hcon->pending_sec_level < BT_SECURITY_HIGH)
910 			hcon->pending_sec_level = BT_SECURITY_HIGH;
911 	}
912 
913 	/* If both devices have Keyboard-Display I/O, the initiator
914 	 * Confirms and the responder Enters the passkey.
915 	 */
916 	if (smp->method == OVERLAP) {
917 		if (hcon->role == HCI_ROLE_MASTER)
918 			smp->method = CFM_PASSKEY;
919 		else
920 			smp->method = REQ_PASSKEY;
921 	}
922 
923 	/* Generate random passkey. */
924 	if (smp->method == CFM_PASSKEY) {
925 		memset(smp->tk, 0, sizeof(smp->tk));
926 		get_random_bytes(&passkey, sizeof(passkey));
927 		passkey %= 1000000;
928 		put_unaligned_le32(passkey, smp->tk);
929 		bt_dev_dbg(hcon->hdev, "PassKey: %u", passkey);
930 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
931 	}
932 
933 	if (smp->method == REQ_PASSKEY)
934 		ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
935 						hcon->type, hcon->dst_type);
936 	else if (smp->method == JUST_CFM)
937 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
938 						hcon->type, hcon->dst_type,
939 						passkey, 1);
940 	else
941 		ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
942 						hcon->type, hcon->dst_type,
943 						passkey, 0);
944 
945 	return ret;
946 }
947 
948 static u8 smp_confirm(struct smp_chan *smp)
949 {
950 	struct l2cap_conn *conn = smp->conn;
951 	struct smp_cmd_pairing_confirm cp;
952 	int ret;
953 
954 	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
955 
956 	ret = smp_c1(smp->tk, smp->prnd, smp->preq, smp->prsp,
957 		     conn->hcon->init_addr_type, &conn->hcon->init_addr,
958 		     conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
959 		     cp.confirm_val);
960 	if (ret)
961 		return SMP_UNSPECIFIED;
962 
963 	clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
964 
965 	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
966 
967 	if (conn->hcon->out)
968 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
969 	else
970 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
971 
972 	return 0;
973 }
974 
975 static u8 smp_random(struct smp_chan *smp)
976 {
977 	struct l2cap_conn *conn = smp->conn;
978 	struct hci_conn *hcon = conn->hcon;
979 	u8 confirm[16];
980 	int ret;
981 
982 	bt_dev_dbg(conn->hcon->hdev, "conn %p %s", conn,
983 		   conn->hcon->out ? "initiator" : "responder");
984 
985 	ret = smp_c1(smp->tk, smp->rrnd, smp->preq, smp->prsp,
986 		     hcon->init_addr_type, &hcon->init_addr,
987 		     hcon->resp_addr_type, &hcon->resp_addr, confirm);
988 	if (ret)
989 		return SMP_UNSPECIFIED;
990 
991 	if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
992 		bt_dev_err(hcon->hdev, "pairing failed "
993 			   "(confirmation values mismatch)");
994 		return SMP_CONFIRM_FAILED;
995 	}
996 
997 	if (hcon->out) {
998 		u8 stk[16];
999 		__le64 rand = 0;
1000 		__le16 ediv = 0;
1001 
1002 		smp_s1(smp->tk, smp->rrnd, smp->prnd, stk);
1003 
1004 		if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1005 			return SMP_UNSPECIFIED;
1006 
1007 		hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1008 		hcon->enc_key_size = smp->enc_key_size;
1009 		set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1010 	} else {
1011 		u8 stk[16], auth;
1012 		__le64 rand = 0;
1013 		__le16 ediv = 0;
1014 
1015 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1016 			     smp->prnd);
1017 
1018 		smp_s1(smp->tk, smp->prnd, smp->rrnd, stk);
1019 
1020 		if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1021 			auth = 1;
1022 		else
1023 			auth = 0;
1024 
1025 		/* Even though there's no _RESPONDER suffix this is the
1026 		 * responder STK we're adding for later lookup (the initiator
1027 		 * STK never needs to be stored).
1028 		 */
1029 		hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1030 			    SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1031 	}
1032 
1033 	return 0;
1034 }
1035 
1036 static void smp_notify_keys(struct l2cap_conn *conn)
1037 {
1038 	struct l2cap_chan *chan = conn->smp;
1039 	struct smp_chan *smp = chan->data;
1040 	struct hci_conn *hcon = conn->hcon;
1041 	struct hci_dev *hdev = hcon->hdev;
1042 	struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1043 	struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1044 	bool persistent;
1045 
1046 	if (hcon->type == ACL_LINK) {
1047 		if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1048 			persistent = false;
1049 		else
1050 			persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1051 					       &hcon->flags);
1052 	} else {
1053 		/* The LTKs, IRKs and CSRKs should be persistent only if
1054 		 * both sides had the bonding bit set in their
1055 		 * authentication requests.
1056 		 */
1057 		persistent = !!((req->auth_req & rsp->auth_req) &
1058 				SMP_AUTH_BONDING);
1059 	}
1060 
1061 	if (smp->remote_irk) {
1062 		smp->remote_irk->link_type = hcon->type;
1063 		mgmt_new_irk(hdev, smp->remote_irk, persistent);
1064 
1065 		/* Now that user space can be considered to know the
1066 		 * identity address track the connection based on it
1067 		 * from now on (assuming this is an LE link).
1068 		 */
1069 		if (hcon->type == LE_LINK) {
1070 			bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1071 			hcon->dst_type = smp->remote_irk->addr_type;
1072 			/* Use a short delay to make sure the new address is
1073 			 * propagated _before_ the channels.
1074 			 */
1075 			queue_delayed_work(hdev->workqueue,
1076 					   &conn->id_addr_timer,
1077 					   ID_ADDR_TIMEOUT);
1078 		}
1079 	}
1080 
1081 	if (smp->csrk) {
1082 		smp->csrk->link_type = hcon->type;
1083 		smp->csrk->bdaddr_type = hcon->dst_type;
1084 		bacpy(&smp->csrk->bdaddr, &hcon->dst);
1085 		mgmt_new_csrk(hdev, smp->csrk, persistent);
1086 	}
1087 
1088 	if (smp->responder_csrk) {
1089 		smp->responder_csrk->link_type = hcon->type;
1090 		smp->responder_csrk->bdaddr_type = hcon->dst_type;
1091 		bacpy(&smp->responder_csrk->bdaddr, &hcon->dst);
1092 		mgmt_new_csrk(hdev, smp->responder_csrk, persistent);
1093 	}
1094 
1095 	if (smp->ltk) {
1096 		smp->ltk->link_type = hcon->type;
1097 		smp->ltk->bdaddr_type = hcon->dst_type;
1098 		bacpy(&smp->ltk->bdaddr, &hcon->dst);
1099 		mgmt_new_ltk(hdev, smp->ltk, persistent);
1100 	}
1101 
1102 	if (smp->responder_ltk) {
1103 		smp->responder_ltk->link_type = hcon->type;
1104 		smp->responder_ltk->bdaddr_type = hcon->dst_type;
1105 		bacpy(&smp->responder_ltk->bdaddr, &hcon->dst);
1106 		mgmt_new_ltk(hdev, smp->responder_ltk, persistent);
1107 	}
1108 
1109 	if (smp->link_key) {
1110 		struct link_key *key;
1111 		u8 type;
1112 
1113 		if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1114 			type = HCI_LK_DEBUG_COMBINATION;
1115 		else if (hcon->sec_level == BT_SECURITY_FIPS)
1116 			type = HCI_LK_AUTH_COMBINATION_P256;
1117 		else
1118 			type = HCI_LK_UNAUTH_COMBINATION_P256;
1119 
1120 		key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1121 				       smp->link_key, type, 0, &persistent);
1122 		if (key) {
1123 			key->link_type = hcon->type;
1124 			key->bdaddr_type = hcon->dst_type;
1125 			mgmt_new_link_key(hdev, key, persistent);
1126 
1127 			/* Don't keep debug keys around if the relevant
1128 			 * flag is not set.
1129 			 */
1130 			if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1131 			    key->type == HCI_LK_DEBUG_COMBINATION) {
1132 				list_del_rcu(&key->list);
1133 				kfree_rcu(key, rcu);
1134 			}
1135 		}
1136 	}
1137 }
1138 
1139 static void sc_add_ltk(struct smp_chan *smp)
1140 {
1141 	struct hci_conn *hcon = smp->conn->hcon;
1142 	u8 key_type, auth;
1143 
1144 	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1145 		key_type = SMP_LTK_P256_DEBUG;
1146 	else
1147 		key_type = SMP_LTK_P256;
1148 
1149 	if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1150 		auth = 1;
1151 	else
1152 		auth = 0;
1153 
1154 	smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1155 			       key_type, auth, smp->tk, smp->enc_key_size,
1156 			       0, 0);
1157 }
1158 
1159 static void sc_generate_link_key(struct smp_chan *smp)
1160 {
1161 	/* From core spec. Spells out in ASCII as 'lebr'. */
1162 	const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1163 
1164 	smp->link_key = kzalloc(16, GFP_KERNEL);
1165 	if (!smp->link_key)
1166 		return;
1167 
1168 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1169 		/* SALT = 0x000000000000000000000000746D7031 */
1170 		const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1171 
1172 		if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1173 			kfree_sensitive(smp->link_key);
1174 			smp->link_key = NULL;
1175 			return;
1176 		}
1177 	} else {
1178 		/* From core spec. Spells out in ASCII as 'tmp1'. */
1179 		const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1180 
1181 		if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1182 			kfree_sensitive(smp->link_key);
1183 			smp->link_key = NULL;
1184 			return;
1185 		}
1186 	}
1187 
1188 	if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1189 		kfree_sensitive(smp->link_key);
1190 		smp->link_key = NULL;
1191 		return;
1192 	}
1193 }
1194 
1195 static void smp_allow_key_dist(struct smp_chan *smp)
1196 {
1197 	/* Allow the first expected phase 3 PDU. The rest of the PDUs
1198 	 * will be allowed in each PDU handler to ensure we receive
1199 	 * them in the correct order.
1200 	 */
1201 	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1202 		SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1203 	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1204 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1205 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
1206 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1207 }
1208 
1209 static void sc_generate_ltk(struct smp_chan *smp)
1210 {
1211 	/* From core spec. Spells out in ASCII as 'brle'. */
1212 	const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1213 	struct hci_conn *hcon = smp->conn->hcon;
1214 	struct hci_dev *hdev = hcon->hdev;
1215 	struct link_key *key;
1216 
1217 	key = hci_find_link_key(hdev, &hcon->dst);
1218 	if (!key) {
1219 		bt_dev_err(hdev, "no Link Key found to generate LTK");
1220 		return;
1221 	}
1222 
1223 	if (key->type == HCI_LK_DEBUG_COMBINATION)
1224 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1225 
1226 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1227 		/* SALT = 0x000000000000000000000000746D7032 */
1228 		const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1229 
1230 		if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1231 			return;
1232 	} else {
1233 		/* From core spec. Spells out in ASCII as 'tmp2'. */
1234 		const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1235 
1236 		if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1237 			return;
1238 	}
1239 
1240 	if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1241 		return;
1242 
1243 	sc_add_ltk(smp);
1244 }
1245 
1246 static void smp_distribute_keys(struct smp_chan *smp)
1247 {
1248 	struct smp_cmd_pairing *req, *rsp;
1249 	struct l2cap_conn *conn = smp->conn;
1250 	struct hci_conn *hcon = conn->hcon;
1251 	struct hci_dev *hdev = hcon->hdev;
1252 	__u8 *keydist;
1253 
1254 	bt_dev_dbg(hdev, "conn %p", conn);
1255 
1256 	rsp = (void *) &smp->prsp[1];
1257 
1258 	/* The responder sends its keys first */
1259 	if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1260 		smp_allow_key_dist(smp);
1261 		return;
1262 	}
1263 
1264 	req = (void *) &smp->preq[1];
1265 
1266 	if (hcon->out) {
1267 		keydist = &rsp->init_key_dist;
1268 		*keydist &= req->init_key_dist;
1269 	} else {
1270 		keydist = &rsp->resp_key_dist;
1271 		*keydist &= req->resp_key_dist;
1272 	}
1273 
1274 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1275 		if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1276 			sc_generate_link_key(smp);
1277 		if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1278 			sc_generate_ltk(smp);
1279 
1280 		/* Clear the keys which are generated but not distributed */
1281 		*keydist &= ~SMP_SC_NO_DIST;
1282 	}
1283 
1284 	bt_dev_dbg(hdev, "keydist 0x%x", *keydist);
1285 
1286 	if (*keydist & SMP_DIST_ENC_KEY) {
1287 		struct smp_cmd_encrypt_info enc;
1288 		struct smp_cmd_initiator_ident ident;
1289 		struct smp_ltk *ltk;
1290 		u8 authenticated;
1291 		__le16 ediv;
1292 		__le64 rand;
1293 
1294 		/* Make sure we generate only the significant amount of
1295 		 * bytes based on the encryption key size, and set the rest
1296 		 * of the value to zeroes.
1297 		 */
1298 		get_random_bytes(enc.ltk, smp->enc_key_size);
1299 		memset(enc.ltk + smp->enc_key_size, 0,
1300 		       sizeof(enc.ltk) - smp->enc_key_size);
1301 
1302 		get_random_bytes(&ediv, sizeof(ediv));
1303 		get_random_bytes(&rand, sizeof(rand));
1304 
1305 		smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1306 
1307 		authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1308 		ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1309 				  SMP_LTK_RESPONDER, authenticated, enc.ltk,
1310 				  smp->enc_key_size, ediv, rand);
1311 		smp->responder_ltk = ltk;
1312 
1313 		ident.ediv = ediv;
1314 		ident.rand = rand;
1315 
1316 		smp_send_cmd(conn, SMP_CMD_INITIATOR_IDENT, sizeof(ident),
1317 			     &ident);
1318 
1319 		*keydist &= ~SMP_DIST_ENC_KEY;
1320 	}
1321 
1322 	if (*keydist & SMP_DIST_ID_KEY) {
1323 		struct smp_cmd_ident_addr_info addrinfo;
1324 		struct smp_cmd_ident_info idinfo;
1325 
1326 		memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1327 
1328 		smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1329 
1330 		/* The hci_conn contains the local identity address
1331 		 * after the connection has been established.
1332 		 *
1333 		 * This is true even when the connection has been
1334 		 * established using a resolvable random address.
1335 		 */
1336 		bacpy(&addrinfo.bdaddr, &hcon->src);
1337 		addrinfo.addr_type = hcon->src_type;
1338 
1339 		smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1340 			     &addrinfo);
1341 
1342 		*keydist &= ~SMP_DIST_ID_KEY;
1343 	}
1344 
1345 	if (*keydist & SMP_DIST_SIGN) {
1346 		struct smp_cmd_sign_info sign;
1347 		struct smp_csrk *csrk;
1348 
1349 		/* Generate a new random key */
1350 		get_random_bytes(sign.csrk, sizeof(sign.csrk));
1351 
1352 		csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1353 		if (csrk) {
1354 			if (hcon->sec_level > BT_SECURITY_MEDIUM)
1355 				csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1356 			else
1357 				csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1358 			memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1359 		}
1360 		smp->responder_csrk = csrk;
1361 
1362 		smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1363 
1364 		*keydist &= ~SMP_DIST_SIGN;
1365 	}
1366 
1367 	/* If there are still keys to be received wait for them */
1368 	if (smp->remote_key_dist & KEY_DIST_MASK) {
1369 		smp_allow_key_dist(smp);
1370 		return;
1371 	}
1372 
1373 	set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1374 	smp_notify_keys(conn);
1375 
1376 	smp_chan_destroy(conn);
1377 }
1378 
1379 static void smp_timeout(struct work_struct *work)
1380 {
1381 	struct smp_chan *smp = container_of(work, struct smp_chan,
1382 					    security_timer.work);
1383 	struct l2cap_conn *conn = smp->conn;
1384 
1385 	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
1386 
1387 	hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1388 }
1389 
1390 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1391 {
1392 	struct hci_conn *hcon = conn->hcon;
1393 	struct l2cap_chan *chan = conn->smp;
1394 	struct smp_chan *smp;
1395 
1396 	smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1397 	if (!smp)
1398 		return NULL;
1399 
1400 	smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1401 	if (IS_ERR(smp->tfm_cmac)) {
1402 		bt_dev_err(hcon->hdev, "Unable to create CMAC crypto context");
1403 		goto zfree_smp;
1404 	}
1405 
1406 	smp->tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
1407 	if (IS_ERR(smp->tfm_ecdh)) {
1408 		bt_dev_err(hcon->hdev, "Unable to create ECDH crypto context");
1409 		goto free_shash;
1410 	}
1411 
1412 	smp->conn = conn;
1413 	chan->data = smp;
1414 
1415 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1416 
1417 	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1418 
1419 	hci_conn_hold(hcon);
1420 
1421 	return smp;
1422 
1423 free_shash:
1424 	crypto_free_shash(smp->tfm_cmac);
1425 zfree_smp:
1426 	kfree_sensitive(smp);
1427 	return NULL;
1428 }
1429 
1430 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1431 {
1432 	struct hci_conn *hcon = smp->conn->hcon;
1433 	u8 *na, *nb, a[7], b[7];
1434 
1435 	if (hcon->out) {
1436 		na   = smp->prnd;
1437 		nb   = smp->rrnd;
1438 	} else {
1439 		na   = smp->rrnd;
1440 		nb   = smp->prnd;
1441 	}
1442 
1443 	memcpy(a, &hcon->init_addr, 6);
1444 	memcpy(b, &hcon->resp_addr, 6);
1445 	a[6] = hcon->init_addr_type;
1446 	b[6] = hcon->resp_addr_type;
1447 
1448 	return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1449 }
1450 
1451 static void sc_dhkey_check(struct smp_chan *smp)
1452 {
1453 	struct hci_conn *hcon = smp->conn->hcon;
1454 	struct smp_cmd_dhkey_check check;
1455 	u8 a[7], b[7], *local_addr, *remote_addr;
1456 	u8 io_cap[3], r[16];
1457 
1458 	memcpy(a, &hcon->init_addr, 6);
1459 	memcpy(b, &hcon->resp_addr, 6);
1460 	a[6] = hcon->init_addr_type;
1461 	b[6] = hcon->resp_addr_type;
1462 
1463 	if (hcon->out) {
1464 		local_addr = a;
1465 		remote_addr = b;
1466 		memcpy(io_cap, &smp->preq[1], 3);
1467 	} else {
1468 		local_addr = b;
1469 		remote_addr = a;
1470 		memcpy(io_cap, &smp->prsp[1], 3);
1471 	}
1472 
1473 	memset(r, 0, sizeof(r));
1474 
1475 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1476 		put_unaligned_le32(hcon->passkey_notify, r);
1477 
1478 	if (smp->method == REQ_OOB)
1479 		memcpy(r, smp->rr, 16);
1480 
1481 	smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1482 	       local_addr, remote_addr, check.e);
1483 
1484 	smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1485 }
1486 
1487 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1488 {
1489 	struct l2cap_conn *conn = smp->conn;
1490 	struct hci_conn *hcon = conn->hcon;
1491 	struct smp_cmd_pairing_confirm cfm;
1492 	u8 r;
1493 
1494 	r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1495 	r |= 0x80;
1496 
1497 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1498 
1499 	if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1500 		   cfm.confirm_val))
1501 		return SMP_UNSPECIFIED;
1502 
1503 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1504 
1505 	return 0;
1506 }
1507 
1508 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1509 {
1510 	struct l2cap_conn *conn = smp->conn;
1511 	struct hci_conn *hcon = conn->hcon;
1512 	struct hci_dev *hdev = hcon->hdev;
1513 	u8 cfm[16], r;
1514 
1515 	/* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1516 	if (smp->passkey_round >= 20)
1517 		return 0;
1518 
1519 	switch (smp_op) {
1520 	case SMP_CMD_PAIRING_RANDOM:
1521 		r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1522 		r |= 0x80;
1523 
1524 		if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1525 			   smp->rrnd, r, cfm))
1526 			return SMP_UNSPECIFIED;
1527 
1528 		if (crypto_memneq(smp->pcnf, cfm, 16))
1529 			return SMP_CONFIRM_FAILED;
1530 
1531 		smp->passkey_round++;
1532 
1533 		if (smp->passkey_round == 20) {
1534 			/* Generate MacKey and LTK */
1535 			if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1536 				return SMP_UNSPECIFIED;
1537 		}
1538 
1539 		/* The round is only complete when the initiator
1540 		 * receives pairing random.
1541 		 */
1542 		if (!hcon->out) {
1543 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1544 				     sizeof(smp->prnd), smp->prnd);
1545 			if (smp->passkey_round == 20)
1546 				SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1547 			else
1548 				SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1549 			return 0;
1550 		}
1551 
1552 		/* Start the next round */
1553 		if (smp->passkey_round != 20)
1554 			return sc_passkey_round(smp, 0);
1555 
1556 		/* Passkey rounds are complete - start DHKey Check */
1557 		sc_dhkey_check(smp);
1558 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1559 
1560 		break;
1561 
1562 	case SMP_CMD_PAIRING_CONFIRM:
1563 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1564 			set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1565 			return 0;
1566 		}
1567 
1568 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1569 
1570 		if (hcon->out) {
1571 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1572 				     sizeof(smp->prnd), smp->prnd);
1573 			return 0;
1574 		}
1575 
1576 		return sc_passkey_send_confirm(smp);
1577 
1578 	case SMP_CMD_PUBLIC_KEY:
1579 	default:
1580 		/* Initiating device starts the round */
1581 		if (!hcon->out)
1582 			return 0;
1583 
1584 		bt_dev_dbg(hdev, "Starting passkey round %u",
1585 			   smp->passkey_round + 1);
1586 
1587 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1588 
1589 		return sc_passkey_send_confirm(smp);
1590 	}
1591 
1592 	return 0;
1593 }
1594 
1595 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1596 {
1597 	struct l2cap_conn *conn = smp->conn;
1598 	struct hci_conn *hcon = conn->hcon;
1599 	u8 smp_op;
1600 
1601 	clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1602 
1603 	switch (mgmt_op) {
1604 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1605 		smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1606 		return 0;
1607 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1608 		smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1609 		return 0;
1610 	case MGMT_OP_USER_PASSKEY_REPLY:
1611 		hcon->passkey_notify = le32_to_cpu(passkey);
1612 		smp->passkey_round = 0;
1613 
1614 		if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1615 			smp_op = SMP_CMD_PAIRING_CONFIRM;
1616 		else
1617 			smp_op = 0;
1618 
1619 		if (sc_passkey_round(smp, smp_op))
1620 			return -EIO;
1621 
1622 		return 0;
1623 	}
1624 
1625 	/* Initiator sends DHKey check first */
1626 	if (hcon->out) {
1627 		sc_dhkey_check(smp);
1628 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1629 	} else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1630 		sc_dhkey_check(smp);
1631 		sc_add_ltk(smp);
1632 	}
1633 
1634 	return 0;
1635 }
1636 
1637 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1638 {
1639 	struct l2cap_conn *conn = hcon->l2cap_data;
1640 	struct l2cap_chan *chan;
1641 	struct smp_chan *smp;
1642 	u32 value;
1643 	int err;
1644 
1645 	if (!conn)
1646 		return -ENOTCONN;
1647 
1648 	bt_dev_dbg(conn->hcon->hdev, "");
1649 
1650 	chan = conn->smp;
1651 	if (!chan)
1652 		return -ENOTCONN;
1653 
1654 	l2cap_chan_lock(chan);
1655 	if (!chan->data) {
1656 		err = -ENOTCONN;
1657 		goto unlock;
1658 	}
1659 
1660 	smp = chan->data;
1661 
1662 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1663 		err = sc_user_reply(smp, mgmt_op, passkey);
1664 		goto unlock;
1665 	}
1666 
1667 	switch (mgmt_op) {
1668 	case MGMT_OP_USER_PASSKEY_REPLY:
1669 		value = le32_to_cpu(passkey);
1670 		memset(smp->tk, 0, sizeof(smp->tk));
1671 		bt_dev_dbg(conn->hcon->hdev, "PassKey: %u", value);
1672 		put_unaligned_le32(value, smp->tk);
1673 		fallthrough;
1674 	case MGMT_OP_USER_CONFIRM_REPLY:
1675 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1676 		break;
1677 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1678 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1679 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1680 		err = 0;
1681 		goto unlock;
1682 	default:
1683 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1684 		err = -EOPNOTSUPP;
1685 		goto unlock;
1686 	}
1687 
1688 	err = 0;
1689 
1690 	/* If it is our turn to send Pairing Confirm, do so now */
1691 	if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1692 		u8 rsp = smp_confirm(smp);
1693 		if (rsp)
1694 			smp_failure(conn, rsp);
1695 	}
1696 
1697 unlock:
1698 	l2cap_chan_unlock(chan);
1699 	return err;
1700 }
1701 
1702 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1703 				    struct smp_cmd_pairing *req,
1704 				    struct smp_cmd_pairing *rsp)
1705 {
1706 	struct l2cap_conn *conn = smp->conn;
1707 	struct hci_dev *hdev = conn->hcon->hdev;
1708 	u8 local_dist = 0, remote_dist = 0;
1709 
1710 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1711 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1712 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1713 	}
1714 
1715 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1716 		remote_dist |= SMP_DIST_ID_KEY;
1717 
1718 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1719 		local_dist |= SMP_DIST_ID_KEY;
1720 
1721 	if (!rsp) {
1722 		memset(req, 0, sizeof(*req));
1723 
1724 		req->auth_req        = SMP_AUTH_CT2;
1725 		req->init_key_dist   = local_dist;
1726 		req->resp_key_dist   = remote_dist;
1727 		req->max_key_size    = conn->hcon->enc_key_size;
1728 
1729 		smp->remote_key_dist = remote_dist;
1730 
1731 		return;
1732 	}
1733 
1734 	memset(rsp, 0, sizeof(*rsp));
1735 
1736 	rsp->auth_req        = SMP_AUTH_CT2;
1737 	rsp->max_key_size    = conn->hcon->enc_key_size;
1738 	rsp->init_key_dist   = req->init_key_dist & remote_dist;
1739 	rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1740 
1741 	smp->remote_key_dist = rsp->init_key_dist;
1742 }
1743 
1744 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1745 {
1746 	struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1747 	struct l2cap_chan *chan = conn->smp;
1748 	struct hci_dev *hdev = conn->hcon->hdev;
1749 	struct smp_chan *smp;
1750 	u8 key_size, auth, sec_level;
1751 	int ret;
1752 
1753 	bt_dev_dbg(hdev, "conn %p", conn);
1754 
1755 	if (skb->len < sizeof(*req))
1756 		return SMP_INVALID_PARAMS;
1757 
1758 	if (conn->hcon->role != HCI_ROLE_SLAVE)
1759 		return SMP_CMD_NOTSUPP;
1760 
1761 	if (!chan->data)
1762 		smp = smp_chan_create(conn);
1763 	else
1764 		smp = chan->data;
1765 
1766 	if (!smp)
1767 		return SMP_UNSPECIFIED;
1768 
1769 	/* We didn't start the pairing, so match remote */
1770 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
1771 
1772 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1773 	    (auth & SMP_AUTH_BONDING))
1774 		return SMP_PAIRING_NOTSUPP;
1775 
1776 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1777 		return SMP_AUTH_REQUIREMENTS;
1778 
1779 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
1780 	memcpy(&smp->preq[1], req, sizeof(*req));
1781 	skb_pull(skb, sizeof(*req));
1782 
1783 	/* If the remote side's OOB flag is set it means it has
1784 	 * successfully received our local OOB data - therefore set the
1785 	 * flag to indicate that local OOB is in use.
1786 	 */
1787 	if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1788 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1789 
1790 	/* SMP over BR/EDR requires special treatment */
1791 	if (conn->hcon->type == ACL_LINK) {
1792 		/* We must have a BR/EDR SC link */
1793 		if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1794 		    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1795 			return SMP_CROSS_TRANSP_NOT_ALLOWED;
1796 
1797 		set_bit(SMP_FLAG_SC, &smp->flags);
1798 
1799 		build_bredr_pairing_cmd(smp, req, &rsp);
1800 
1801 		if (req->auth_req & SMP_AUTH_CT2)
1802 			set_bit(SMP_FLAG_CT2, &smp->flags);
1803 
1804 		key_size = min(req->max_key_size, rsp.max_key_size);
1805 		if (check_enc_key_size(conn, key_size))
1806 			return SMP_ENC_KEY_SIZE;
1807 
1808 		/* Clear bits which are generated but not distributed */
1809 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1810 
1811 		smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1812 		memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1813 		smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1814 
1815 		smp_distribute_keys(smp);
1816 		return 0;
1817 	}
1818 
1819 	build_pairing_cmd(conn, req, &rsp, auth);
1820 
1821 	if (rsp.auth_req & SMP_AUTH_SC) {
1822 		set_bit(SMP_FLAG_SC, &smp->flags);
1823 
1824 		if (rsp.auth_req & SMP_AUTH_CT2)
1825 			set_bit(SMP_FLAG_CT2, &smp->flags);
1826 	}
1827 
1828 	if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1829 		sec_level = BT_SECURITY_MEDIUM;
1830 	else
1831 		sec_level = authreq_to_seclevel(auth);
1832 
1833 	if (sec_level > conn->hcon->pending_sec_level)
1834 		conn->hcon->pending_sec_level = sec_level;
1835 
1836 	/* If we need MITM check that it can be achieved */
1837 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1838 		u8 method;
1839 
1840 		method = get_auth_method(smp, conn->hcon->io_capability,
1841 					 req->io_capability);
1842 		if (method == JUST_WORKS || method == JUST_CFM)
1843 			return SMP_AUTH_REQUIREMENTS;
1844 	}
1845 
1846 	key_size = min(req->max_key_size, rsp.max_key_size);
1847 	if (check_enc_key_size(conn, key_size))
1848 		return SMP_ENC_KEY_SIZE;
1849 
1850 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1851 
1852 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1853 	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1854 
1855 	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1856 
1857 	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1858 
1859 	/* Strictly speaking we shouldn't allow Pairing Confirm for the
1860 	 * SC case, however some implementations incorrectly copy RFU auth
1861 	 * req bits from our security request, which may create a false
1862 	 * positive SC enablement.
1863 	 */
1864 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1865 
1866 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1867 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1868 		/* Clear bits which are generated but not distributed */
1869 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1870 		/* Wait for Public Key from Initiating Device */
1871 		return 0;
1872 	}
1873 
1874 	/* Request setup of TK */
1875 	ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1876 	if (ret)
1877 		return SMP_UNSPECIFIED;
1878 
1879 	return 0;
1880 }
1881 
1882 static u8 sc_send_public_key(struct smp_chan *smp)
1883 {
1884 	struct hci_dev *hdev = smp->conn->hcon->hdev;
1885 
1886 	bt_dev_dbg(hdev, "");
1887 
1888 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1889 		struct l2cap_chan *chan = hdev->smp_data;
1890 		struct smp_dev *smp_dev;
1891 
1892 		if (!chan || !chan->data)
1893 			return SMP_UNSPECIFIED;
1894 
1895 		smp_dev = chan->data;
1896 
1897 		memcpy(smp->local_pk, smp_dev->local_pk, 64);
1898 		memcpy(smp->lr, smp_dev->local_rand, 16);
1899 
1900 		if (smp_dev->debug_key)
1901 			set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1902 
1903 		goto done;
1904 	}
1905 
1906 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1907 		bt_dev_dbg(hdev, "Using debug keys");
1908 		if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
1909 			return SMP_UNSPECIFIED;
1910 		memcpy(smp->local_pk, debug_pk, 64);
1911 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1912 	} else {
1913 		while (true) {
1914 			/* Generate key pair for Secure Connections */
1915 			if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
1916 				return SMP_UNSPECIFIED;
1917 
1918 			/* This is unlikely, but we need to check that
1919 			 * we didn't accidentally generate a debug key.
1920 			 */
1921 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
1922 				break;
1923 		}
1924 	}
1925 
1926 done:
1927 	SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1928 	SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1929 
1930 	smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1931 
1932 	return 0;
1933 }
1934 
1935 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1936 {
1937 	struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1938 	struct l2cap_chan *chan = conn->smp;
1939 	struct smp_chan *smp = chan->data;
1940 	struct hci_dev *hdev = conn->hcon->hdev;
1941 	u8 key_size, auth;
1942 	int ret;
1943 
1944 	bt_dev_dbg(hdev, "conn %p", conn);
1945 
1946 	if (skb->len < sizeof(*rsp))
1947 		return SMP_INVALID_PARAMS;
1948 
1949 	if (conn->hcon->role != HCI_ROLE_MASTER)
1950 		return SMP_CMD_NOTSUPP;
1951 
1952 	skb_pull(skb, sizeof(*rsp));
1953 
1954 	req = (void *) &smp->preq[1];
1955 
1956 	key_size = min(req->max_key_size, rsp->max_key_size);
1957 	if (check_enc_key_size(conn, key_size))
1958 		return SMP_ENC_KEY_SIZE;
1959 
1960 	auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1961 
1962 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1963 		return SMP_AUTH_REQUIREMENTS;
1964 
1965 	/* If the remote side's OOB flag is set it means it has
1966 	 * successfully received our local OOB data - therefore set the
1967 	 * flag to indicate that local OOB is in use.
1968 	 */
1969 	if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1970 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1971 
1972 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1973 	memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1974 
1975 	/* Update remote key distribution in case the remote cleared
1976 	 * some bits that we had enabled in our request.
1977 	 */
1978 	smp->remote_key_dist &= rsp->resp_key_dist;
1979 
1980 	if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1981 		set_bit(SMP_FLAG_CT2, &smp->flags);
1982 
1983 	/* For BR/EDR this means we're done and can start phase 3 */
1984 	if (conn->hcon->type == ACL_LINK) {
1985 		/* Clear bits which are generated but not distributed */
1986 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1987 		smp_distribute_keys(smp);
1988 		return 0;
1989 	}
1990 
1991 	if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1992 		set_bit(SMP_FLAG_SC, &smp->flags);
1993 	else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1994 		conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1995 
1996 	/* If we need MITM check that it can be achieved */
1997 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1998 		u8 method;
1999 
2000 		method = get_auth_method(smp, req->io_capability,
2001 					 rsp->io_capability);
2002 		if (method == JUST_WORKS || method == JUST_CFM)
2003 			return SMP_AUTH_REQUIREMENTS;
2004 	}
2005 
2006 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
2007 
2008 	/* Update remote key distribution in case the remote cleared
2009 	 * some bits that we had enabled in our request.
2010 	 */
2011 	smp->remote_key_dist &= rsp->resp_key_dist;
2012 
2013 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2014 		/* Clear bits which are generated but not distributed */
2015 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
2016 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2017 		return sc_send_public_key(smp);
2018 	}
2019 
2020 	auth |= req->auth_req;
2021 
2022 	ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2023 	if (ret)
2024 		return SMP_UNSPECIFIED;
2025 
2026 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2027 
2028 	/* Can't compose response until we have been confirmed */
2029 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2030 		return smp_confirm(smp);
2031 
2032 	return 0;
2033 }
2034 
2035 static u8 sc_check_confirm(struct smp_chan *smp)
2036 {
2037 	struct l2cap_conn *conn = smp->conn;
2038 
2039 	bt_dev_dbg(conn->hcon->hdev, "");
2040 
2041 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2042 		return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2043 
2044 	if (conn->hcon->out) {
2045 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2046 			     smp->prnd);
2047 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2048 	}
2049 
2050 	return 0;
2051 }
2052 
2053 /* Work-around for some implementations that incorrectly copy RFU bits
2054  * from our security request and thereby create the impression that
2055  * we're doing SC when in fact the remote doesn't support it.
2056  */
2057 static int fixup_sc_false_positive(struct smp_chan *smp)
2058 {
2059 	struct l2cap_conn *conn = smp->conn;
2060 	struct hci_conn *hcon = conn->hcon;
2061 	struct hci_dev *hdev = hcon->hdev;
2062 	struct smp_cmd_pairing *req, *rsp;
2063 	u8 auth;
2064 
2065 	/* The issue is only observed when we're in responder role */
2066 	if (hcon->out)
2067 		return SMP_UNSPECIFIED;
2068 
2069 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2070 		bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
2071 		return SMP_UNSPECIFIED;
2072 	}
2073 
2074 	bt_dev_err(hdev, "trying to fall back to legacy SMP");
2075 
2076 	req = (void *) &smp->preq[1];
2077 	rsp = (void *) &smp->prsp[1];
2078 
2079 	/* Rebuild key dist flags which may have been cleared for SC */
2080 	smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2081 
2082 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
2083 
2084 	if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2085 		bt_dev_err(hdev, "failed to fall back to legacy SMP");
2086 		return SMP_UNSPECIFIED;
2087 	}
2088 
2089 	clear_bit(SMP_FLAG_SC, &smp->flags);
2090 
2091 	return 0;
2092 }
2093 
2094 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2095 {
2096 	struct l2cap_chan *chan = conn->smp;
2097 	struct smp_chan *smp = chan->data;
2098 	struct hci_conn *hcon = conn->hcon;
2099 	struct hci_dev *hdev = hcon->hdev;
2100 
2101 	bt_dev_dbg(hdev, "conn %p %s", conn,
2102 		   hcon->out ? "initiator" : "responder");
2103 
2104 	if (skb->len < sizeof(smp->pcnf))
2105 		return SMP_INVALID_PARAMS;
2106 
2107 	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2108 	skb_pull(skb, sizeof(smp->pcnf));
2109 
2110 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2111 		int ret;
2112 
2113 		/* Public Key exchange must happen before any other steps */
2114 		if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2115 			return sc_check_confirm(smp);
2116 
2117 		bt_dev_err(hdev, "Unexpected SMP Pairing Confirm");
2118 
2119 		ret = fixup_sc_false_positive(smp);
2120 		if (ret)
2121 			return ret;
2122 	}
2123 
2124 	if (conn->hcon->out) {
2125 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2126 			     smp->prnd);
2127 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2128 		return 0;
2129 	}
2130 
2131 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2132 		return smp_confirm(smp);
2133 
2134 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2135 
2136 	return 0;
2137 }
2138 
2139 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2140 {
2141 	struct l2cap_chan *chan = conn->smp;
2142 	struct smp_chan *smp = chan->data;
2143 	struct hci_conn *hcon = conn->hcon;
2144 	u8 *pkax, *pkbx, *na, *nb, confirm_hint;
2145 	u32 passkey;
2146 	int err;
2147 
2148 	bt_dev_dbg(hcon->hdev, "conn %p", conn);
2149 
2150 	if (skb->len < sizeof(smp->rrnd))
2151 		return SMP_INVALID_PARAMS;
2152 
2153 	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2154 	skb_pull(skb, sizeof(smp->rrnd));
2155 
2156 	if (!test_bit(SMP_FLAG_SC, &smp->flags))
2157 		return smp_random(smp);
2158 
2159 	if (hcon->out) {
2160 		pkax = smp->local_pk;
2161 		pkbx = smp->remote_pk;
2162 		na   = smp->prnd;
2163 		nb   = smp->rrnd;
2164 	} else {
2165 		pkax = smp->remote_pk;
2166 		pkbx = smp->local_pk;
2167 		na   = smp->rrnd;
2168 		nb   = smp->prnd;
2169 	}
2170 
2171 	if (smp->method == REQ_OOB) {
2172 		if (!hcon->out)
2173 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2174 				     sizeof(smp->prnd), smp->prnd);
2175 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2176 		goto mackey_and_ltk;
2177 	}
2178 
2179 	/* Passkey entry has special treatment */
2180 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2181 		return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2182 
2183 	if (hcon->out) {
2184 		u8 cfm[16];
2185 
2186 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2187 			     smp->rrnd, 0, cfm);
2188 		if (err)
2189 			return SMP_UNSPECIFIED;
2190 
2191 		if (crypto_memneq(smp->pcnf, cfm, 16))
2192 			return SMP_CONFIRM_FAILED;
2193 	} else {
2194 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2195 			     smp->prnd);
2196 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2197 
2198 		/* Only Just-Works pairing requires extra checks */
2199 		if (smp->method != JUST_WORKS)
2200 			goto mackey_and_ltk;
2201 
2202 		/* If there already exists long term key in local host, leave
2203 		 * the decision to user space since the remote device could
2204 		 * be legitimate or malicious.
2205 		 */
2206 		if (hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
2207 				 hcon->role)) {
2208 			/* Set passkey to 0. The value can be any number since
2209 			 * it'll be ignored anyway.
2210 			 */
2211 			passkey = 0;
2212 			confirm_hint = 1;
2213 			goto confirm;
2214 		}
2215 	}
2216 
2217 mackey_and_ltk:
2218 	/* Generate MacKey and LTK */
2219 	err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2220 	if (err)
2221 		return SMP_UNSPECIFIED;
2222 
2223 	if (smp->method == REQ_OOB) {
2224 		if (hcon->out) {
2225 			sc_dhkey_check(smp);
2226 			SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2227 		}
2228 		return 0;
2229 	}
2230 
2231 	err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2232 	if (err)
2233 		return SMP_UNSPECIFIED;
2234 
2235 	confirm_hint = 0;
2236 
2237 confirm:
2238 	if (smp->method == JUST_WORKS)
2239 		confirm_hint = 1;
2240 
2241 	err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2242 					hcon->dst_type, passkey, confirm_hint);
2243 	if (err)
2244 		return SMP_UNSPECIFIED;
2245 
2246 	set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2247 
2248 	return 0;
2249 }
2250 
2251 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2252 {
2253 	struct smp_ltk *key;
2254 	struct hci_conn *hcon = conn->hcon;
2255 
2256 	key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2257 	if (!key)
2258 		return false;
2259 
2260 	if (smp_ltk_sec_level(key) < sec_level)
2261 		return false;
2262 
2263 	if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2264 		return true;
2265 
2266 	hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2267 	hcon->enc_key_size = key->enc_size;
2268 
2269 	/* We never store STKs for initiator role, so clear this flag */
2270 	clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2271 
2272 	return true;
2273 }
2274 
2275 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2276 			     enum smp_key_pref key_pref)
2277 {
2278 	if (sec_level == BT_SECURITY_LOW)
2279 		return true;
2280 
2281 	/* If we're encrypted with an STK but the caller prefers using
2282 	 * LTK claim insufficient security. This way we allow the
2283 	 * connection to be re-encrypted with an LTK, even if the LTK
2284 	 * provides the same level of security. Only exception is if we
2285 	 * don't have an LTK (e.g. because of key distribution bits).
2286 	 */
2287 	if (key_pref == SMP_USE_LTK &&
2288 	    test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2289 	    hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2290 		return false;
2291 
2292 	if (hcon->sec_level >= sec_level)
2293 		return true;
2294 
2295 	return false;
2296 }
2297 
2298 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2299 {
2300 	struct smp_cmd_security_req *rp = (void *) skb->data;
2301 	struct smp_cmd_pairing cp;
2302 	struct hci_conn *hcon = conn->hcon;
2303 	struct hci_dev *hdev = hcon->hdev;
2304 	struct smp_chan *smp;
2305 	u8 sec_level, auth;
2306 
2307 	bt_dev_dbg(hdev, "conn %p", conn);
2308 
2309 	if (skb->len < sizeof(*rp))
2310 		return SMP_INVALID_PARAMS;
2311 
2312 	if (hcon->role != HCI_ROLE_MASTER)
2313 		return SMP_CMD_NOTSUPP;
2314 
2315 	auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2316 
2317 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2318 		return SMP_AUTH_REQUIREMENTS;
2319 
2320 	if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2321 		sec_level = BT_SECURITY_MEDIUM;
2322 	else
2323 		sec_level = authreq_to_seclevel(auth);
2324 
2325 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2326 		/* If link is already encrypted with sufficient security we
2327 		 * still need refresh encryption as per Core Spec 5.0 Vol 3,
2328 		 * Part H 2.4.6
2329 		 */
2330 		smp_ltk_encrypt(conn, hcon->sec_level);
2331 		return 0;
2332 	}
2333 
2334 	if (sec_level > hcon->pending_sec_level)
2335 		hcon->pending_sec_level = sec_level;
2336 
2337 	if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2338 		return 0;
2339 
2340 	smp = smp_chan_create(conn);
2341 	if (!smp)
2342 		return SMP_UNSPECIFIED;
2343 
2344 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2345 	    (auth & SMP_AUTH_BONDING))
2346 		return SMP_PAIRING_NOTSUPP;
2347 
2348 	skb_pull(skb, sizeof(*rp));
2349 
2350 	memset(&cp, 0, sizeof(cp));
2351 	build_pairing_cmd(conn, &cp, NULL, auth);
2352 
2353 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2354 	memcpy(&smp->preq[1], &cp, sizeof(cp));
2355 
2356 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2357 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2358 
2359 	return 0;
2360 }
2361 
2362 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2363 {
2364 	struct l2cap_conn *conn = hcon->l2cap_data;
2365 	struct l2cap_chan *chan;
2366 	struct smp_chan *smp;
2367 	__u8 authreq;
2368 	int ret;
2369 
2370 	bt_dev_dbg(hcon->hdev, "conn %p hcon %p level 0x%2.2x", conn, hcon,
2371 		   sec_level);
2372 
2373 	/* This may be NULL if there's an unexpected disconnection */
2374 	if (!conn)
2375 		return 1;
2376 
2377 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2378 		return 1;
2379 
2380 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2381 		return 1;
2382 
2383 	if (sec_level > hcon->pending_sec_level)
2384 		hcon->pending_sec_level = sec_level;
2385 
2386 	if (hcon->role == HCI_ROLE_MASTER)
2387 		if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2388 			return 0;
2389 
2390 	chan = conn->smp;
2391 	if (!chan) {
2392 		bt_dev_err(hcon->hdev, "security requested but not available");
2393 		return 1;
2394 	}
2395 
2396 	l2cap_chan_lock(chan);
2397 
2398 	/* If SMP is already in progress ignore this request */
2399 	if (chan->data) {
2400 		ret = 0;
2401 		goto unlock;
2402 	}
2403 
2404 	smp = smp_chan_create(conn);
2405 	if (!smp) {
2406 		ret = 1;
2407 		goto unlock;
2408 	}
2409 
2410 	authreq = seclevel_to_authreq(sec_level);
2411 
2412 	if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2413 		authreq |= SMP_AUTH_SC;
2414 		if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2415 			authreq |= SMP_AUTH_CT2;
2416 	}
2417 
2418 	/* Don't attempt to set MITM if setting is overridden by debugfs
2419 	 * Needed to pass certification test SM/MAS/PKE/BV-01-C
2420 	 */
2421 	if (!hci_dev_test_flag(hcon->hdev, HCI_FORCE_NO_MITM)) {
2422 		/* Require MITM if IO Capability allows or the security level
2423 		 * requires it.
2424 		 */
2425 		if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2426 		    hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2427 			authreq |= SMP_AUTH_MITM;
2428 	}
2429 
2430 	if (hcon->role == HCI_ROLE_MASTER) {
2431 		struct smp_cmd_pairing cp;
2432 
2433 		build_pairing_cmd(conn, &cp, NULL, authreq);
2434 		smp->preq[0] = SMP_CMD_PAIRING_REQ;
2435 		memcpy(&smp->preq[1], &cp, sizeof(cp));
2436 
2437 		smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2438 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2439 	} else {
2440 		struct smp_cmd_security_req cp;
2441 		cp.auth_req = authreq;
2442 		smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2443 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2444 	}
2445 
2446 	set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2447 	ret = 0;
2448 
2449 unlock:
2450 	l2cap_chan_unlock(chan);
2451 	return ret;
2452 }
2453 
2454 int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2455 				  u8 addr_type)
2456 {
2457 	struct hci_conn *hcon;
2458 	struct l2cap_conn *conn;
2459 	struct l2cap_chan *chan;
2460 	struct smp_chan *smp;
2461 	int err;
2462 
2463 	err = hci_remove_ltk(hdev, bdaddr, addr_type);
2464 	hci_remove_irk(hdev, bdaddr, addr_type);
2465 
2466 	hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2467 	if (!hcon)
2468 		goto done;
2469 
2470 	conn = hcon->l2cap_data;
2471 	if (!conn)
2472 		goto done;
2473 
2474 	chan = conn->smp;
2475 	if (!chan)
2476 		goto done;
2477 
2478 	l2cap_chan_lock(chan);
2479 
2480 	smp = chan->data;
2481 	if (smp) {
2482 		/* Set keys to NULL to make sure smp_failure() does not try to
2483 		 * remove and free already invalidated rcu list entries. */
2484 		smp->ltk = NULL;
2485 		smp->responder_ltk = NULL;
2486 		smp->remote_irk = NULL;
2487 
2488 		if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2489 			smp_failure(conn, 0);
2490 		else
2491 			smp_failure(conn, SMP_UNSPECIFIED);
2492 		err = 0;
2493 	}
2494 
2495 	l2cap_chan_unlock(chan);
2496 
2497 done:
2498 	return err;
2499 }
2500 
2501 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2502 {
2503 	struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2504 	struct l2cap_chan *chan = conn->smp;
2505 	struct smp_chan *smp = chan->data;
2506 
2507 	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
2508 
2509 	if (skb->len < sizeof(*rp))
2510 		return SMP_INVALID_PARAMS;
2511 
2512 	/* Pairing is aborted if any blocked keys are distributed */
2513 	if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_LTK,
2514 			       rp->ltk)) {
2515 		bt_dev_warn_ratelimited(conn->hcon->hdev,
2516 					"LTK blocked for %pMR",
2517 					&conn->hcon->dst);
2518 		return SMP_INVALID_PARAMS;
2519 	}
2520 
2521 	SMP_ALLOW_CMD(smp, SMP_CMD_INITIATOR_IDENT);
2522 
2523 	skb_pull(skb, sizeof(*rp));
2524 
2525 	memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2526 
2527 	return 0;
2528 }
2529 
2530 static int smp_cmd_initiator_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2531 {
2532 	struct smp_cmd_initiator_ident *rp = (void *)skb->data;
2533 	struct l2cap_chan *chan = conn->smp;
2534 	struct smp_chan *smp = chan->data;
2535 	struct hci_dev *hdev = conn->hcon->hdev;
2536 	struct hci_conn *hcon = conn->hcon;
2537 	struct smp_ltk *ltk;
2538 	u8 authenticated;
2539 
2540 	bt_dev_dbg(hdev, "conn %p", conn);
2541 
2542 	if (skb->len < sizeof(*rp))
2543 		return SMP_INVALID_PARAMS;
2544 
2545 	/* Mark the information as received */
2546 	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2547 
2548 	if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2549 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2550 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
2551 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2552 
2553 	skb_pull(skb, sizeof(*rp));
2554 
2555 	authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2556 	ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2557 			  authenticated, smp->tk, smp->enc_key_size,
2558 			  rp->ediv, rp->rand);
2559 	smp->ltk = ltk;
2560 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2561 		smp_distribute_keys(smp);
2562 
2563 	return 0;
2564 }
2565 
2566 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2567 {
2568 	struct smp_cmd_ident_info *info = (void *) skb->data;
2569 	struct l2cap_chan *chan = conn->smp;
2570 	struct smp_chan *smp = chan->data;
2571 
2572 	bt_dev_dbg(conn->hcon->hdev, "");
2573 
2574 	if (skb->len < sizeof(*info))
2575 		return SMP_INVALID_PARAMS;
2576 
2577 	/* Pairing is aborted if any blocked keys are distributed */
2578 	if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_IRK,
2579 			       info->irk)) {
2580 		bt_dev_warn_ratelimited(conn->hcon->hdev,
2581 					"Identity key blocked for %pMR",
2582 					&conn->hcon->dst);
2583 		return SMP_INVALID_PARAMS;
2584 	}
2585 
2586 	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2587 
2588 	skb_pull(skb, sizeof(*info));
2589 
2590 	memcpy(smp->irk, info->irk, 16);
2591 
2592 	return 0;
2593 }
2594 
2595 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2596 				   struct sk_buff *skb)
2597 {
2598 	struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2599 	struct l2cap_chan *chan = conn->smp;
2600 	struct smp_chan *smp = chan->data;
2601 	struct hci_conn *hcon = conn->hcon;
2602 	bdaddr_t rpa;
2603 
2604 	bt_dev_dbg(hcon->hdev, "");
2605 
2606 	if (skb->len < sizeof(*info))
2607 		return SMP_INVALID_PARAMS;
2608 
2609 	/* Mark the information as received */
2610 	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2611 
2612 	if (smp->remote_key_dist & SMP_DIST_SIGN)
2613 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2614 
2615 	skb_pull(skb, sizeof(*info));
2616 
2617 	/* Strictly speaking the Core Specification (4.1) allows sending
2618 	 * an empty address which would force us to rely on just the IRK
2619 	 * as "identity information". However, since such
2620 	 * implementations are not known of and in order to not over
2621 	 * complicate our implementation, simply pretend that we never
2622 	 * received an IRK for such a device.
2623 	 *
2624 	 * The Identity Address must also be a Static Random or Public
2625 	 * Address, which hci_is_identity_address() checks for.
2626 	 */
2627 	if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2628 	    !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2629 		bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
2630 		goto distribute;
2631 	}
2632 
2633 	/* Drop IRK if peer is using identity address during pairing but is
2634 	 * providing different address as identity information.
2635 	 *
2636 	 * Microsoft Surface Precision Mouse is known to have this bug.
2637 	 */
2638 	if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
2639 	    (bacmp(&info->bdaddr, &hcon->dst) ||
2640 	     info->addr_type != hcon->dst_type)) {
2641 		bt_dev_err(hcon->hdev,
2642 			   "ignoring IRK with invalid identity address");
2643 		goto distribute;
2644 	}
2645 
2646 	bacpy(&smp->id_addr, &info->bdaddr);
2647 	smp->id_addr_type = info->addr_type;
2648 
2649 	if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2650 		bacpy(&rpa, &hcon->dst);
2651 	else
2652 		bacpy(&rpa, BDADDR_ANY);
2653 
2654 	smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2655 				      smp->id_addr_type, smp->irk, &rpa);
2656 
2657 distribute:
2658 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2659 		smp_distribute_keys(smp);
2660 
2661 	return 0;
2662 }
2663 
2664 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2665 {
2666 	struct smp_cmd_sign_info *rp = (void *) skb->data;
2667 	struct l2cap_chan *chan = conn->smp;
2668 	struct smp_chan *smp = chan->data;
2669 	struct smp_csrk *csrk;
2670 
2671 	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
2672 
2673 	if (skb->len < sizeof(*rp))
2674 		return SMP_INVALID_PARAMS;
2675 
2676 	/* Mark the information as received */
2677 	smp->remote_key_dist &= ~SMP_DIST_SIGN;
2678 
2679 	skb_pull(skb, sizeof(*rp));
2680 
2681 	csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2682 	if (csrk) {
2683 		if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2684 			csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2685 		else
2686 			csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2687 		memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2688 	}
2689 	smp->csrk = csrk;
2690 	smp_distribute_keys(smp);
2691 
2692 	return 0;
2693 }
2694 
2695 static u8 sc_select_method(struct smp_chan *smp)
2696 {
2697 	struct l2cap_conn *conn = smp->conn;
2698 	struct hci_conn *hcon = conn->hcon;
2699 	struct smp_cmd_pairing *local, *remote;
2700 	u8 local_mitm, remote_mitm, local_io, remote_io, method;
2701 
2702 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2703 	    test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2704 		return REQ_OOB;
2705 
2706 	/* The preq/prsp contain the raw Pairing Request/Response PDUs
2707 	 * which are needed as inputs to some crypto functions. To get
2708 	 * the "struct smp_cmd_pairing" from them we need to skip the
2709 	 * first byte which contains the opcode.
2710 	 */
2711 	if (hcon->out) {
2712 		local = (void *) &smp->preq[1];
2713 		remote = (void *) &smp->prsp[1];
2714 	} else {
2715 		local = (void *) &smp->prsp[1];
2716 		remote = (void *) &smp->preq[1];
2717 	}
2718 
2719 	local_io = local->io_capability;
2720 	remote_io = remote->io_capability;
2721 
2722 	local_mitm = (local->auth_req & SMP_AUTH_MITM);
2723 	remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2724 
2725 	/* If either side wants MITM, look up the method from the table,
2726 	 * otherwise use JUST WORKS.
2727 	 */
2728 	if (local_mitm || remote_mitm)
2729 		method = get_auth_method(smp, local_io, remote_io);
2730 	else
2731 		method = JUST_WORKS;
2732 
2733 	/* Don't confirm locally initiated pairing attempts */
2734 	if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2735 		method = JUST_WORKS;
2736 
2737 	return method;
2738 }
2739 
2740 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2741 {
2742 	struct smp_cmd_public_key *key = (void *) skb->data;
2743 	struct hci_conn *hcon = conn->hcon;
2744 	struct l2cap_chan *chan = conn->smp;
2745 	struct smp_chan *smp = chan->data;
2746 	struct hci_dev *hdev = hcon->hdev;
2747 	struct crypto_kpp *tfm_ecdh;
2748 	struct smp_cmd_pairing_confirm cfm;
2749 	int err;
2750 
2751 	bt_dev_dbg(hdev, "conn %p", conn);
2752 
2753 	if (skb->len < sizeof(*key))
2754 		return SMP_INVALID_PARAMS;
2755 
2756 	/* Check if remote and local public keys are the same and debug key is
2757 	 * not in use.
2758 	 */
2759 	if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) &&
2760 	    !crypto_memneq(key, smp->local_pk, 64)) {
2761 		bt_dev_err(hdev, "Remote and local public keys are identical");
2762 		return SMP_UNSPECIFIED;
2763 	}
2764 
2765 	memcpy(smp->remote_pk, key, 64);
2766 
2767 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2768 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2769 			     smp->rr, 0, cfm.confirm_val);
2770 		if (err)
2771 			return SMP_UNSPECIFIED;
2772 
2773 		if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2774 			return SMP_CONFIRM_FAILED;
2775 	}
2776 
2777 	/* Non-initiating device sends its public key after receiving
2778 	 * the key from the initiating device.
2779 	 */
2780 	if (!hcon->out) {
2781 		err = sc_send_public_key(smp);
2782 		if (err)
2783 			return err;
2784 	}
2785 
2786 	SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2787 	SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2788 
2789 	/* Compute the shared secret on the same crypto tfm on which the private
2790 	 * key was set/generated.
2791 	 */
2792 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
2793 		struct l2cap_chan *hchan = hdev->smp_data;
2794 		struct smp_dev *smp_dev;
2795 
2796 		if (!hchan || !hchan->data)
2797 			return SMP_UNSPECIFIED;
2798 
2799 		smp_dev = hchan->data;
2800 
2801 		tfm_ecdh = smp_dev->tfm_ecdh;
2802 	} else {
2803 		tfm_ecdh = smp->tfm_ecdh;
2804 	}
2805 
2806 	if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
2807 		return SMP_UNSPECIFIED;
2808 
2809 	SMP_DBG("DHKey %32phN", smp->dhkey);
2810 
2811 	set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2812 
2813 	smp->method = sc_select_method(smp);
2814 
2815 	bt_dev_dbg(hdev, "selected method 0x%02x", smp->method);
2816 
2817 	/* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2818 	if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2819 		hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2820 	else
2821 		hcon->pending_sec_level = BT_SECURITY_FIPS;
2822 
2823 	if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2824 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2825 
2826 	if (smp->method == DSP_PASSKEY) {
2827 		get_random_bytes(&hcon->passkey_notify,
2828 				 sizeof(hcon->passkey_notify));
2829 		hcon->passkey_notify %= 1000000;
2830 		hcon->passkey_entered = 0;
2831 		smp->passkey_round = 0;
2832 		if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2833 					     hcon->dst_type,
2834 					     hcon->passkey_notify,
2835 					     hcon->passkey_entered))
2836 			return SMP_UNSPECIFIED;
2837 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2838 		return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2839 	}
2840 
2841 	if (smp->method == REQ_OOB) {
2842 		if (hcon->out)
2843 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2844 				     sizeof(smp->prnd), smp->prnd);
2845 
2846 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2847 
2848 		return 0;
2849 	}
2850 
2851 	if (hcon->out)
2852 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2853 
2854 	if (smp->method == REQ_PASSKEY) {
2855 		if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2856 					      hcon->dst_type))
2857 			return SMP_UNSPECIFIED;
2858 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2859 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2860 		return 0;
2861 	}
2862 
2863 	/* The Initiating device waits for the non-initiating device to
2864 	 * send the confirm value.
2865 	 */
2866 	if (conn->hcon->out)
2867 		return 0;
2868 
2869 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2870 		     0, cfm.confirm_val);
2871 	if (err)
2872 		return SMP_UNSPECIFIED;
2873 
2874 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2875 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2876 
2877 	return 0;
2878 }
2879 
2880 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2881 {
2882 	struct smp_cmd_dhkey_check *check = (void *) skb->data;
2883 	struct l2cap_chan *chan = conn->smp;
2884 	struct hci_conn *hcon = conn->hcon;
2885 	struct smp_chan *smp = chan->data;
2886 	u8 a[7], b[7], *local_addr, *remote_addr;
2887 	u8 io_cap[3], r[16], e[16];
2888 	int err;
2889 
2890 	bt_dev_dbg(hcon->hdev, "conn %p", conn);
2891 
2892 	if (skb->len < sizeof(*check))
2893 		return SMP_INVALID_PARAMS;
2894 
2895 	memcpy(a, &hcon->init_addr, 6);
2896 	memcpy(b, &hcon->resp_addr, 6);
2897 	a[6] = hcon->init_addr_type;
2898 	b[6] = hcon->resp_addr_type;
2899 
2900 	if (hcon->out) {
2901 		local_addr = a;
2902 		remote_addr = b;
2903 		memcpy(io_cap, &smp->prsp[1], 3);
2904 	} else {
2905 		local_addr = b;
2906 		remote_addr = a;
2907 		memcpy(io_cap, &smp->preq[1], 3);
2908 	}
2909 
2910 	memset(r, 0, sizeof(r));
2911 
2912 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2913 		put_unaligned_le32(hcon->passkey_notify, r);
2914 	else if (smp->method == REQ_OOB)
2915 		memcpy(r, smp->lr, 16);
2916 
2917 	err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2918 		     io_cap, remote_addr, local_addr, e);
2919 	if (err)
2920 		return SMP_UNSPECIFIED;
2921 
2922 	if (crypto_memneq(check->e, e, 16))
2923 		return SMP_DHKEY_CHECK_FAILED;
2924 
2925 	if (!hcon->out) {
2926 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2927 			set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2928 			return 0;
2929 		}
2930 
2931 		/* Responder sends DHKey check as response to initiator */
2932 		sc_dhkey_check(smp);
2933 	}
2934 
2935 	sc_add_ltk(smp);
2936 
2937 	if (hcon->out) {
2938 		hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2939 		hcon->enc_key_size = smp->enc_key_size;
2940 	}
2941 
2942 	return 0;
2943 }
2944 
2945 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2946 				   struct sk_buff *skb)
2947 {
2948 	struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2949 
2950 	bt_dev_dbg(conn->hcon->hdev, "value 0x%02x", kp->value);
2951 
2952 	return 0;
2953 }
2954 
2955 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2956 {
2957 	struct l2cap_conn *conn = chan->conn;
2958 	struct hci_conn *hcon = conn->hcon;
2959 	struct smp_chan *smp;
2960 	__u8 code, reason;
2961 	int err = 0;
2962 
2963 	if (skb->len < 1)
2964 		return -EILSEQ;
2965 
2966 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2967 		reason = SMP_PAIRING_NOTSUPP;
2968 		goto done;
2969 	}
2970 
2971 	code = skb->data[0];
2972 	skb_pull(skb, sizeof(code));
2973 
2974 	smp = chan->data;
2975 
2976 	if (code > SMP_CMD_MAX)
2977 		goto drop;
2978 
2979 	if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2980 		goto drop;
2981 
2982 	/* If we don't have a context the only allowed commands are
2983 	 * pairing request and security request.
2984 	 */
2985 	if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2986 		goto drop;
2987 
2988 	switch (code) {
2989 	case SMP_CMD_PAIRING_REQ:
2990 		reason = smp_cmd_pairing_req(conn, skb);
2991 		break;
2992 
2993 	case SMP_CMD_PAIRING_FAIL:
2994 		smp_failure(conn, 0);
2995 		err = -EPERM;
2996 		break;
2997 
2998 	case SMP_CMD_PAIRING_RSP:
2999 		reason = smp_cmd_pairing_rsp(conn, skb);
3000 		break;
3001 
3002 	case SMP_CMD_SECURITY_REQ:
3003 		reason = smp_cmd_security_req(conn, skb);
3004 		break;
3005 
3006 	case SMP_CMD_PAIRING_CONFIRM:
3007 		reason = smp_cmd_pairing_confirm(conn, skb);
3008 		break;
3009 
3010 	case SMP_CMD_PAIRING_RANDOM:
3011 		reason = smp_cmd_pairing_random(conn, skb);
3012 		break;
3013 
3014 	case SMP_CMD_ENCRYPT_INFO:
3015 		reason = smp_cmd_encrypt_info(conn, skb);
3016 		break;
3017 
3018 	case SMP_CMD_INITIATOR_IDENT:
3019 		reason = smp_cmd_initiator_ident(conn, skb);
3020 		break;
3021 
3022 	case SMP_CMD_IDENT_INFO:
3023 		reason = smp_cmd_ident_info(conn, skb);
3024 		break;
3025 
3026 	case SMP_CMD_IDENT_ADDR_INFO:
3027 		reason = smp_cmd_ident_addr_info(conn, skb);
3028 		break;
3029 
3030 	case SMP_CMD_SIGN_INFO:
3031 		reason = smp_cmd_sign_info(conn, skb);
3032 		break;
3033 
3034 	case SMP_CMD_PUBLIC_KEY:
3035 		reason = smp_cmd_public_key(conn, skb);
3036 		break;
3037 
3038 	case SMP_CMD_DHKEY_CHECK:
3039 		reason = smp_cmd_dhkey_check(conn, skb);
3040 		break;
3041 
3042 	case SMP_CMD_KEYPRESS_NOTIFY:
3043 		reason = smp_cmd_keypress_notify(conn, skb);
3044 		break;
3045 
3046 	default:
3047 		bt_dev_dbg(hcon->hdev, "Unknown command code 0x%2.2x", code);
3048 		reason = SMP_CMD_NOTSUPP;
3049 		goto done;
3050 	}
3051 
3052 done:
3053 	if (!err) {
3054 		if (reason)
3055 			smp_failure(conn, reason);
3056 		kfree_skb(skb);
3057 	}
3058 
3059 	return err;
3060 
3061 drop:
3062 	bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
3063 		   code, &hcon->dst);
3064 	kfree_skb(skb);
3065 	return 0;
3066 }
3067 
3068 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
3069 {
3070 	struct l2cap_conn *conn = chan->conn;
3071 
3072 	bt_dev_dbg(conn->hcon->hdev, "chan %p", chan);
3073 
3074 	if (chan->data)
3075 		smp_chan_destroy(conn);
3076 
3077 	conn->smp = NULL;
3078 	l2cap_chan_put(chan);
3079 }
3080 
3081 static void bredr_pairing(struct l2cap_chan *chan)
3082 {
3083 	struct l2cap_conn *conn = chan->conn;
3084 	struct hci_conn *hcon = conn->hcon;
3085 	struct hci_dev *hdev = hcon->hdev;
3086 	struct smp_cmd_pairing req;
3087 	struct smp_chan *smp;
3088 
3089 	bt_dev_dbg(hdev, "chan %p", chan);
3090 
3091 	/* Only new pairings are interesting */
3092 	if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
3093 		return;
3094 
3095 	/* Don't bother if we're not encrypted */
3096 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3097 		return;
3098 
3099 	/* Only initiator may initiate SMP over BR/EDR */
3100 	if (hcon->role != HCI_ROLE_MASTER)
3101 		return;
3102 
3103 	/* Secure Connections support must be enabled */
3104 	if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
3105 		return;
3106 
3107 	/* BR/EDR must use Secure Connections for SMP */
3108 	if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
3109 	    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3110 		return;
3111 
3112 	/* If our LE support is not enabled don't do anything */
3113 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3114 		return;
3115 
3116 	/* Don't bother if remote LE support is not enabled */
3117 	if (!lmp_host_le_capable(hcon))
3118 		return;
3119 
3120 	/* Remote must support SMP fixed chan for BR/EDR */
3121 	if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3122 		return;
3123 
3124 	/* Don't bother if SMP is already ongoing */
3125 	if (chan->data)
3126 		return;
3127 
3128 	smp = smp_chan_create(conn);
3129 	if (!smp) {
3130 		bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
3131 		return;
3132 	}
3133 
3134 	set_bit(SMP_FLAG_SC, &smp->flags);
3135 
3136 	bt_dev_dbg(hdev, "starting SMP over BR/EDR");
3137 
3138 	/* Prepare and send the BR/EDR SMP Pairing Request */
3139 	build_bredr_pairing_cmd(smp, &req, NULL);
3140 
3141 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
3142 	memcpy(&smp->preq[1], &req, sizeof(req));
3143 
3144 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3145 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3146 }
3147 
3148 static void smp_resume_cb(struct l2cap_chan *chan)
3149 {
3150 	struct smp_chan *smp = chan->data;
3151 	struct l2cap_conn *conn = chan->conn;
3152 	struct hci_conn *hcon = conn->hcon;
3153 
3154 	bt_dev_dbg(hcon->hdev, "chan %p", chan);
3155 
3156 	if (hcon->type == ACL_LINK) {
3157 		bredr_pairing(chan);
3158 		return;
3159 	}
3160 
3161 	if (!smp)
3162 		return;
3163 
3164 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3165 		return;
3166 
3167 	cancel_delayed_work(&smp->security_timer);
3168 
3169 	smp_distribute_keys(smp);
3170 }
3171 
3172 static void smp_ready_cb(struct l2cap_chan *chan)
3173 {
3174 	struct l2cap_conn *conn = chan->conn;
3175 	struct hci_conn *hcon = conn->hcon;
3176 
3177 	bt_dev_dbg(hcon->hdev, "chan %p", chan);
3178 
3179 	/* No need to call l2cap_chan_hold() here since we already own
3180 	 * the reference taken in smp_new_conn_cb(). This is just the
3181 	 * first time that we tie it to a specific pointer. The code in
3182 	 * l2cap_core.c ensures that there's no risk this function wont
3183 	 * get called if smp_new_conn_cb was previously called.
3184 	 */
3185 	conn->smp = chan;
3186 
3187 	if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3188 		bredr_pairing(chan);
3189 }
3190 
3191 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3192 {
3193 	int err;
3194 
3195 	bt_dev_dbg(chan->conn->hcon->hdev, "chan %p", chan);
3196 
3197 	err = smp_sig_channel(chan, skb);
3198 	if (err) {
3199 		struct smp_chan *smp = chan->data;
3200 
3201 		if (smp)
3202 			cancel_delayed_work_sync(&smp->security_timer);
3203 
3204 		hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3205 	}
3206 
3207 	return err;
3208 }
3209 
3210 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3211 					unsigned long hdr_len,
3212 					unsigned long len, int nb)
3213 {
3214 	struct sk_buff *skb;
3215 
3216 	skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3217 	if (!skb)
3218 		return ERR_PTR(-ENOMEM);
3219 
3220 	skb->priority = HCI_PRIO_MAX;
3221 	bt_cb(skb)->l2cap.chan = chan;
3222 
3223 	return skb;
3224 }
3225 
3226 static const struct l2cap_ops smp_chan_ops = {
3227 	.name			= "Security Manager",
3228 	.ready			= smp_ready_cb,
3229 	.recv			= smp_recv_cb,
3230 	.alloc_skb		= smp_alloc_skb_cb,
3231 	.teardown		= smp_teardown_cb,
3232 	.resume			= smp_resume_cb,
3233 
3234 	.new_connection		= l2cap_chan_no_new_connection,
3235 	.state_change		= l2cap_chan_no_state_change,
3236 	.close			= l2cap_chan_no_close,
3237 	.defer			= l2cap_chan_no_defer,
3238 	.suspend		= l2cap_chan_no_suspend,
3239 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3240 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3241 };
3242 
3243 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3244 {
3245 	struct l2cap_chan *chan;
3246 
3247 	BT_DBG("pchan %p", pchan);
3248 
3249 	chan = l2cap_chan_create();
3250 	if (!chan)
3251 		return NULL;
3252 
3253 	chan->chan_type	= pchan->chan_type;
3254 	chan->ops	= &smp_chan_ops;
3255 	chan->scid	= pchan->scid;
3256 	chan->dcid	= chan->scid;
3257 	chan->imtu	= pchan->imtu;
3258 	chan->omtu	= pchan->omtu;
3259 	chan->mode	= pchan->mode;
3260 
3261 	/* Other L2CAP channels may request SMP routines in order to
3262 	 * change the security level. This means that the SMP channel
3263 	 * lock must be considered in its own category to avoid lockdep
3264 	 * warnings.
3265 	 */
3266 	atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3267 
3268 	BT_DBG("created chan %p", chan);
3269 
3270 	return chan;
3271 }
3272 
3273 static const struct l2cap_ops smp_root_chan_ops = {
3274 	.name			= "Security Manager Root",
3275 	.new_connection		= smp_new_conn_cb,
3276 
3277 	/* None of these are implemented for the root channel */
3278 	.close			= l2cap_chan_no_close,
3279 	.alloc_skb		= l2cap_chan_no_alloc_skb,
3280 	.recv			= l2cap_chan_no_recv,
3281 	.state_change		= l2cap_chan_no_state_change,
3282 	.teardown		= l2cap_chan_no_teardown,
3283 	.ready			= l2cap_chan_no_ready,
3284 	.defer			= l2cap_chan_no_defer,
3285 	.suspend		= l2cap_chan_no_suspend,
3286 	.resume			= l2cap_chan_no_resume,
3287 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3288 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3289 };
3290 
3291 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3292 {
3293 	struct l2cap_chan *chan;
3294 	struct smp_dev *smp;
3295 	struct crypto_shash *tfm_cmac;
3296 	struct crypto_kpp *tfm_ecdh;
3297 
3298 	if (cid == L2CAP_CID_SMP_BREDR) {
3299 		smp = NULL;
3300 		goto create_chan;
3301 	}
3302 
3303 	smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3304 	if (!smp)
3305 		return ERR_PTR(-ENOMEM);
3306 
3307 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3308 	if (IS_ERR(tfm_cmac)) {
3309 		bt_dev_err(hdev, "Unable to create CMAC crypto context");
3310 		kfree_sensitive(smp);
3311 		return ERR_CAST(tfm_cmac);
3312 	}
3313 
3314 	tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
3315 	if (IS_ERR(tfm_ecdh)) {
3316 		bt_dev_err(hdev, "Unable to create ECDH crypto context");
3317 		crypto_free_shash(tfm_cmac);
3318 		kfree_sensitive(smp);
3319 		return ERR_CAST(tfm_ecdh);
3320 	}
3321 
3322 	smp->local_oob = false;
3323 	smp->tfm_cmac = tfm_cmac;
3324 	smp->tfm_ecdh = tfm_ecdh;
3325 
3326 create_chan:
3327 	chan = l2cap_chan_create();
3328 	if (!chan) {
3329 		if (smp) {
3330 			crypto_free_shash(smp->tfm_cmac);
3331 			crypto_free_kpp(smp->tfm_ecdh);
3332 			kfree_sensitive(smp);
3333 		}
3334 		return ERR_PTR(-ENOMEM);
3335 	}
3336 
3337 	chan->data = smp;
3338 
3339 	l2cap_add_scid(chan, cid);
3340 
3341 	l2cap_chan_set_defaults(chan);
3342 
3343 	if (cid == L2CAP_CID_SMP) {
3344 		u8 bdaddr_type;
3345 
3346 		hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3347 
3348 		if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3349 			chan->src_type = BDADDR_LE_PUBLIC;
3350 		else
3351 			chan->src_type = BDADDR_LE_RANDOM;
3352 	} else {
3353 		bacpy(&chan->src, &hdev->bdaddr);
3354 		chan->src_type = BDADDR_BREDR;
3355 	}
3356 
3357 	chan->state = BT_LISTEN;
3358 	chan->mode = L2CAP_MODE_BASIC;
3359 	chan->imtu = L2CAP_DEFAULT_MTU;
3360 	chan->ops = &smp_root_chan_ops;
3361 
3362 	/* Set correct nesting level for a parent/listening channel */
3363 	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3364 
3365 	return chan;
3366 }
3367 
3368 static void smp_del_chan(struct l2cap_chan *chan)
3369 {
3370 	struct smp_dev *smp;
3371 
3372 	BT_DBG("chan %p", chan);
3373 
3374 	smp = chan->data;
3375 	if (smp) {
3376 		chan->data = NULL;
3377 		crypto_free_shash(smp->tfm_cmac);
3378 		crypto_free_kpp(smp->tfm_ecdh);
3379 		kfree_sensitive(smp);
3380 	}
3381 
3382 	l2cap_chan_put(chan);
3383 }
3384 
3385 int smp_force_bredr(struct hci_dev *hdev, bool enable)
3386 {
3387 	if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3388 		return -EALREADY;
3389 
3390 	if (enable) {
3391 		struct l2cap_chan *chan;
3392 
3393 		chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3394 		if (IS_ERR(chan))
3395 			return PTR_ERR(chan);
3396 
3397 		hdev->smp_bredr_data = chan;
3398 	} else {
3399 		struct l2cap_chan *chan;
3400 
3401 		chan = hdev->smp_bredr_data;
3402 		hdev->smp_bredr_data = NULL;
3403 		smp_del_chan(chan);
3404 	}
3405 
3406 	hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3407 
3408 	return 0;
3409 }
3410 
3411 int smp_register(struct hci_dev *hdev)
3412 {
3413 	struct l2cap_chan *chan;
3414 
3415 	bt_dev_dbg(hdev, "");
3416 
3417 	/* If the controller does not support Low Energy operation, then
3418 	 * there is also no need to register any SMP channel.
3419 	 */
3420 	if (!lmp_le_capable(hdev))
3421 		return 0;
3422 
3423 	if (WARN_ON(hdev->smp_data)) {
3424 		chan = hdev->smp_data;
3425 		hdev->smp_data = NULL;
3426 		smp_del_chan(chan);
3427 	}
3428 
3429 	chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3430 	if (IS_ERR(chan))
3431 		return PTR_ERR(chan);
3432 
3433 	hdev->smp_data = chan;
3434 
3435 	if (!lmp_sc_capable(hdev)) {
3436 		/* Flag can be already set here (due to power toggle) */
3437 		if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3438 			return 0;
3439 	}
3440 
3441 	if (WARN_ON(hdev->smp_bredr_data)) {
3442 		chan = hdev->smp_bredr_data;
3443 		hdev->smp_bredr_data = NULL;
3444 		smp_del_chan(chan);
3445 	}
3446 
3447 	chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3448 	if (IS_ERR(chan)) {
3449 		int err = PTR_ERR(chan);
3450 		chan = hdev->smp_data;
3451 		hdev->smp_data = NULL;
3452 		smp_del_chan(chan);
3453 		return err;
3454 	}
3455 
3456 	hdev->smp_bredr_data = chan;
3457 
3458 	return 0;
3459 }
3460 
3461 void smp_unregister(struct hci_dev *hdev)
3462 {
3463 	struct l2cap_chan *chan;
3464 
3465 	if (hdev->smp_bredr_data) {
3466 		chan = hdev->smp_bredr_data;
3467 		hdev->smp_bredr_data = NULL;
3468 		smp_del_chan(chan);
3469 	}
3470 
3471 	if (hdev->smp_data) {
3472 		chan = hdev->smp_data;
3473 		hdev->smp_data = NULL;
3474 		smp_del_chan(chan);
3475 	}
3476 }
3477 
3478 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3479 
3480 static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
3481 {
3482 	u8 pk[64];
3483 	int err;
3484 
3485 	err = set_ecdh_privkey(tfm_ecdh, debug_sk);
3486 	if (err)
3487 		return err;
3488 
3489 	err = generate_ecdh_public_key(tfm_ecdh, pk);
3490 	if (err)
3491 		return err;
3492 
3493 	if (crypto_memneq(pk, debug_pk, 64))
3494 		return -EINVAL;
3495 
3496 	return 0;
3497 }
3498 
3499 static int __init test_ah(void)
3500 {
3501 	const u8 irk[16] = {
3502 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3503 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3504 	const u8 r[3] = { 0x94, 0x81, 0x70 };
3505 	const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3506 	u8 res[3];
3507 	int err;
3508 
3509 	err = smp_ah(irk, r, res);
3510 	if (err)
3511 		return err;
3512 
3513 	if (crypto_memneq(res, exp, 3))
3514 		return -EINVAL;
3515 
3516 	return 0;
3517 }
3518 
3519 static int __init test_c1(void)
3520 {
3521 	const u8 k[16] = {
3522 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3523 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3524 	const u8 r[16] = {
3525 			0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3526 			0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3527 	const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3528 	const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3529 	const u8 _iat = 0x01;
3530 	const u8 _rat = 0x00;
3531 	const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3532 	const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3533 	const u8 exp[16] = {
3534 			0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3535 			0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3536 	u8 res[16];
3537 	int err;
3538 
3539 	err = smp_c1(k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3540 	if (err)
3541 		return err;
3542 
3543 	if (crypto_memneq(res, exp, 16))
3544 		return -EINVAL;
3545 
3546 	return 0;
3547 }
3548 
3549 static int __init test_s1(void)
3550 {
3551 	const u8 k[16] = {
3552 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3553 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3554 	const u8 r1[16] = {
3555 			0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3556 	const u8 r2[16] = {
3557 			0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3558 	const u8 exp[16] = {
3559 			0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3560 			0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3561 	u8 res[16];
3562 	int err;
3563 
3564 	err = smp_s1(k, r1, r2, res);
3565 	if (err)
3566 		return err;
3567 
3568 	if (crypto_memneq(res, exp, 16))
3569 		return -EINVAL;
3570 
3571 	return 0;
3572 }
3573 
3574 static int __init test_f4(struct crypto_shash *tfm_cmac)
3575 {
3576 	const u8 u[32] = {
3577 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3578 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3579 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3580 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3581 	const u8 v[32] = {
3582 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3583 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3584 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3585 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3586 	const u8 x[16] = {
3587 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3588 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3589 	const u8 z = 0x00;
3590 	const u8 exp[16] = {
3591 			0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3592 			0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3593 	u8 res[16];
3594 	int err;
3595 
3596 	err = smp_f4(tfm_cmac, u, v, x, z, res);
3597 	if (err)
3598 		return err;
3599 
3600 	if (crypto_memneq(res, exp, 16))
3601 		return -EINVAL;
3602 
3603 	return 0;
3604 }
3605 
3606 static int __init test_f5(struct crypto_shash *tfm_cmac)
3607 {
3608 	const u8 w[32] = {
3609 			0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3610 			0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3611 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3612 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3613 	const u8 n1[16] = {
3614 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3615 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3616 	const u8 n2[16] = {
3617 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3618 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3619 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3620 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3621 	const u8 exp_ltk[16] = {
3622 			0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3623 			0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3624 	const u8 exp_mackey[16] = {
3625 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3626 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3627 	u8 mackey[16], ltk[16];
3628 	int err;
3629 
3630 	err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3631 	if (err)
3632 		return err;
3633 
3634 	if (crypto_memneq(mackey, exp_mackey, 16))
3635 		return -EINVAL;
3636 
3637 	if (crypto_memneq(ltk, exp_ltk, 16))
3638 		return -EINVAL;
3639 
3640 	return 0;
3641 }
3642 
3643 static int __init test_f6(struct crypto_shash *tfm_cmac)
3644 {
3645 	const u8 w[16] = {
3646 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3647 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3648 	const u8 n1[16] = {
3649 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3650 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3651 	const u8 n2[16] = {
3652 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3653 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3654 	const u8 r[16] = {
3655 			0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3656 			0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3657 	const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3658 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3659 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3660 	const u8 exp[16] = {
3661 			0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3662 			0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3663 	u8 res[16];
3664 	int err;
3665 
3666 	err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3667 	if (err)
3668 		return err;
3669 
3670 	if (crypto_memneq(res, exp, 16))
3671 		return -EINVAL;
3672 
3673 	return 0;
3674 }
3675 
3676 static int __init test_g2(struct crypto_shash *tfm_cmac)
3677 {
3678 	const u8 u[32] = {
3679 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3680 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3681 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3682 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3683 	const u8 v[32] = {
3684 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3685 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3686 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3687 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3688 	const u8 x[16] = {
3689 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3690 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3691 	const u8 y[16] = {
3692 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3693 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3694 	const u32 exp_val = 0x2f9ed5ba % 1000000;
3695 	u32 val;
3696 	int err;
3697 
3698 	err = smp_g2(tfm_cmac, u, v, x, y, &val);
3699 	if (err)
3700 		return err;
3701 
3702 	if (val != exp_val)
3703 		return -EINVAL;
3704 
3705 	return 0;
3706 }
3707 
3708 static int __init test_h6(struct crypto_shash *tfm_cmac)
3709 {
3710 	const u8 w[16] = {
3711 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3712 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3713 	const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3714 	const u8 exp[16] = {
3715 			0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3716 			0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3717 	u8 res[16];
3718 	int err;
3719 
3720 	err = smp_h6(tfm_cmac, w, key_id, res);
3721 	if (err)
3722 		return err;
3723 
3724 	if (crypto_memneq(res, exp, 16))
3725 		return -EINVAL;
3726 
3727 	return 0;
3728 }
3729 
3730 static char test_smp_buffer[32];
3731 
3732 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3733 			     size_t count, loff_t *ppos)
3734 {
3735 	return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3736 				       strlen(test_smp_buffer));
3737 }
3738 
3739 static const struct file_operations test_smp_fops = {
3740 	.open		= simple_open,
3741 	.read		= test_smp_read,
3742 	.llseek		= default_llseek,
3743 };
3744 
3745 static int __init run_selftests(struct crypto_shash *tfm_cmac,
3746 				struct crypto_kpp *tfm_ecdh)
3747 {
3748 	ktime_t calltime, delta, rettime;
3749 	unsigned long long duration;
3750 	int err;
3751 
3752 	calltime = ktime_get();
3753 
3754 	err = test_debug_key(tfm_ecdh);
3755 	if (err) {
3756 		BT_ERR("debug_key test failed");
3757 		goto done;
3758 	}
3759 
3760 	err = test_ah();
3761 	if (err) {
3762 		BT_ERR("smp_ah test failed");
3763 		goto done;
3764 	}
3765 
3766 	err = test_c1();
3767 	if (err) {
3768 		BT_ERR("smp_c1 test failed");
3769 		goto done;
3770 	}
3771 
3772 	err = test_s1();
3773 	if (err) {
3774 		BT_ERR("smp_s1 test failed");
3775 		goto done;
3776 	}
3777 
3778 	err = test_f4(tfm_cmac);
3779 	if (err) {
3780 		BT_ERR("smp_f4 test failed");
3781 		goto done;
3782 	}
3783 
3784 	err = test_f5(tfm_cmac);
3785 	if (err) {
3786 		BT_ERR("smp_f5 test failed");
3787 		goto done;
3788 	}
3789 
3790 	err = test_f6(tfm_cmac);
3791 	if (err) {
3792 		BT_ERR("smp_f6 test failed");
3793 		goto done;
3794 	}
3795 
3796 	err = test_g2(tfm_cmac);
3797 	if (err) {
3798 		BT_ERR("smp_g2 test failed");
3799 		goto done;
3800 	}
3801 
3802 	err = test_h6(tfm_cmac);
3803 	if (err) {
3804 		BT_ERR("smp_h6 test failed");
3805 		goto done;
3806 	}
3807 
3808 	rettime = ktime_get();
3809 	delta = ktime_sub(rettime, calltime);
3810 	duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3811 
3812 	BT_INFO("SMP test passed in %llu usecs", duration);
3813 
3814 done:
3815 	if (!err)
3816 		snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3817 			 "PASS (%llu usecs)\n", duration);
3818 	else
3819 		snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3820 
3821 	debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3822 			    &test_smp_fops);
3823 
3824 	return err;
3825 }
3826 
3827 int __init bt_selftest_smp(void)
3828 {
3829 	struct crypto_shash *tfm_cmac;
3830 	struct crypto_kpp *tfm_ecdh;
3831 	int err;
3832 
3833 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3834 	if (IS_ERR(tfm_cmac)) {
3835 		BT_ERR("Unable to create CMAC crypto context");
3836 		return PTR_ERR(tfm_cmac);
3837 	}
3838 
3839 	tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
3840 	if (IS_ERR(tfm_ecdh)) {
3841 		BT_ERR("Unable to create ECDH crypto context");
3842 		crypto_free_shash(tfm_cmac);
3843 		return PTR_ERR(tfm_ecdh);
3844 	}
3845 
3846 	err = run_selftests(tfm_cmac, tfm_ecdh);
3847 
3848 	crypto_free_shash(tfm_cmac);
3849 	crypto_free_kpp(tfm_ecdh);
3850 
3851 	return err;
3852 }
3853 
3854 #endif
3855