xref: /linux/net/bluetooth/smp.c (revision ab475966455ce285c2c9978a3e3bfe97d75ff8d4)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4 
5    This program is free software; you can redistribute it and/or modify
6    it under the terms of the GNU General Public License version 2 as
7    published by the Free Software Foundation;
8 
9    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 
18    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20    SOFTWARE IS DISCLAIMED.
21 */
22 
23 #include <linux/debugfs.h>
24 #include <linux/scatterlist.h>
25 #include <crypto/aes.h>
26 #include <crypto/hash.h>
27 #include <crypto/kpp.h>
28 #include <crypto/utils.h>
29 
30 #include <net/bluetooth/bluetooth.h>
31 #include <net/bluetooth/hci_core.h>
32 #include <net/bluetooth/l2cap.h>
33 #include <net/bluetooth/mgmt.h>
34 
35 #include "ecdh_helper.h"
36 #include "smp.h"
37 
38 #define SMP_DEV(hdev) \
39 	((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
40 
41 /* Low-level debug macros to be used for stuff that we don't want
42  * accidentally in dmesg, i.e. the values of the various crypto keys
43  * and the inputs & outputs of crypto functions.
44  */
45 #ifdef DEBUG
46 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
47 				 ##__VA_ARGS__)
48 #else
49 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
50 				    ##__VA_ARGS__)
51 #endif
52 
53 #define SMP_ALLOW_CMD(smp, code)	set_bit(code, &smp->allow_cmd)
54 
55 /* Keys which are not distributed with Secure Connections */
56 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY)
57 
58 #define SMP_TIMEOUT	msecs_to_jiffies(30000)
59 
60 #define ID_ADDR_TIMEOUT	msecs_to_jiffies(200)
61 
62 #define AUTH_REQ_MASK(dev)	(hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
63 				 0x3f : 0x07)
64 #define KEY_DIST_MASK		0x07
65 
66 /* Maximum message length that can be passed to aes_cmac */
67 #define CMAC_MSG_MAX	80
68 
69 enum {
70 	SMP_FLAG_TK_VALID,
71 	SMP_FLAG_CFM_PENDING,
72 	SMP_FLAG_MITM_AUTH,
73 	SMP_FLAG_COMPLETE,
74 	SMP_FLAG_INITIATOR,
75 	SMP_FLAG_SC,
76 	SMP_FLAG_REMOTE_PK,
77 	SMP_FLAG_DEBUG_KEY,
78 	SMP_FLAG_WAIT_USER,
79 	SMP_FLAG_DHKEY_PENDING,
80 	SMP_FLAG_REMOTE_OOB,
81 	SMP_FLAG_LOCAL_OOB,
82 	SMP_FLAG_CT2,
83 };
84 
85 struct smp_dev {
86 	/* Secure Connections OOB data */
87 	bool			local_oob;
88 	u8			local_pk[64];
89 	u8			local_rand[16];
90 	bool			debug_key;
91 
92 	struct crypto_shash	*tfm_cmac;
93 	struct crypto_kpp	*tfm_ecdh;
94 };
95 
96 struct smp_chan {
97 	struct l2cap_conn	*conn;
98 	struct delayed_work	security_timer;
99 	unsigned long           allow_cmd; /* Bitmask of allowed commands */
100 
101 	u8		preq[7]; /* SMP Pairing Request */
102 	u8		prsp[7]; /* SMP Pairing Response */
103 	u8		prnd[16]; /* SMP Pairing Random (local) */
104 	u8		rrnd[16]; /* SMP Pairing Random (remote) */
105 	u8		pcnf[16]; /* SMP Pairing Confirm */
106 	u8		tk[16]; /* SMP Temporary Key */
107 	u8		rr[16]; /* Remote OOB ra/rb value */
108 	u8		lr[16]; /* Local OOB ra/rb value */
109 	u8		enc_key_size;
110 	u8		remote_key_dist;
111 	bdaddr_t	id_addr;
112 	u8		id_addr_type;
113 	u8		irk[16];
114 	struct smp_csrk	*csrk;
115 	struct smp_csrk	*responder_csrk;
116 	struct smp_ltk	*ltk;
117 	struct smp_ltk	*responder_ltk;
118 	struct smp_irk	*remote_irk;
119 	u8		*link_key;
120 	unsigned long	flags;
121 	u8		method;
122 	u8		passkey_round;
123 
124 	/* Secure Connections variables */
125 	u8			local_pk[64];
126 	u8			remote_pk[64];
127 	u8			dhkey[32];
128 	u8			mackey[16];
129 
130 	struct crypto_shash	*tfm_cmac;
131 	struct crypto_kpp	*tfm_ecdh;
132 };
133 
134 /* These debug key values are defined in the SMP section of the core
135  * specification. debug_pk is the public debug key and debug_sk the
136  * private debug key.
137  */
138 static const u8 debug_pk[64] = {
139 		0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
140 		0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
141 		0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
142 		0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
143 
144 		0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
145 		0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
146 		0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
147 		0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
148 };
149 
150 static const u8 debug_sk[32] = {
151 		0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
152 		0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
153 		0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
154 		0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
155 };
156 
157 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
158 {
159 	size_t i;
160 
161 	for (i = 0; i < len; i++)
162 		dst[len - 1 - i] = src[i];
163 }
164 
165 /* The following functions map to the LE SC SMP crypto functions
166  * AES-CMAC, f4, f5, f6, g2 and h6.
167  */
168 
169 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
170 		    size_t len, u8 mac[16])
171 {
172 	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
173 	int err;
174 
175 	if (len > CMAC_MSG_MAX)
176 		return -EFBIG;
177 
178 	if (!tfm) {
179 		BT_ERR("tfm %p", tfm);
180 		return -EINVAL;
181 	}
182 
183 	/* Swap key and message from LSB to MSB */
184 	swap_buf(k, tmp, 16);
185 	swap_buf(m, msg_msb, len);
186 
187 	SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
188 	SMP_DBG("key %16phN", k);
189 
190 	err = crypto_shash_setkey(tfm, tmp, 16);
191 	if (err) {
192 		BT_ERR("cipher setkey failed: %d", err);
193 		return err;
194 	}
195 
196 	err = crypto_shash_tfm_digest(tfm, msg_msb, len, mac_msb);
197 	if (err) {
198 		BT_ERR("Hash computation error %d", err);
199 		return err;
200 	}
201 
202 	swap_buf(mac_msb, mac, 16);
203 
204 	SMP_DBG("mac %16phN", mac);
205 
206 	return 0;
207 }
208 
209 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
210 		  const u8 v[32], const u8 x[16], u8 z, u8 res[16])
211 {
212 	u8 m[65];
213 	int err;
214 
215 	SMP_DBG("u %32phN", u);
216 	SMP_DBG("v %32phN", v);
217 	SMP_DBG("x %16phN z %02x", x, z);
218 
219 	m[0] = z;
220 	memcpy(m + 1, v, 32);
221 	memcpy(m + 33, u, 32);
222 
223 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
224 	if (err)
225 		return err;
226 
227 	SMP_DBG("res %16phN", res);
228 
229 	return err;
230 }
231 
232 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
233 		  const u8 n1[16], const u8 n2[16], const u8 a1[7],
234 		  const u8 a2[7], u8 mackey[16], u8 ltk[16])
235 {
236 	/* The btle, salt and length "magic" values are as defined in
237 	 * the SMP section of the Bluetooth core specification. In ASCII
238 	 * the btle value ends up being 'btle'. The salt is just a
239 	 * random number whereas length is the value 256 in little
240 	 * endian format.
241 	 */
242 	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
243 	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
244 			      0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
245 	const u8 length[2] = { 0x00, 0x01 };
246 	u8 m[53], t[16];
247 	int err;
248 
249 	SMP_DBG("w %32phN", w);
250 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
251 	SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
252 
253 	err = aes_cmac(tfm_cmac, salt, w, 32, t);
254 	if (err)
255 		return err;
256 
257 	SMP_DBG("t %16phN", t);
258 
259 	memcpy(m, length, 2);
260 	memcpy(m + 2, a2, 7);
261 	memcpy(m + 9, a1, 7);
262 	memcpy(m + 16, n2, 16);
263 	memcpy(m + 32, n1, 16);
264 	memcpy(m + 48, btle, 4);
265 
266 	m[52] = 0; /* Counter */
267 
268 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
269 	if (err)
270 		return err;
271 
272 	SMP_DBG("mackey %16phN", mackey);
273 
274 	m[52] = 1; /* Counter */
275 
276 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
277 	if (err)
278 		return err;
279 
280 	SMP_DBG("ltk %16phN", ltk);
281 
282 	return 0;
283 }
284 
285 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
286 		  const u8 n1[16], const u8 n2[16], const u8 r[16],
287 		  const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
288 		  u8 res[16])
289 {
290 	u8 m[65];
291 	int err;
292 
293 	SMP_DBG("w %16phN", w);
294 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
295 	SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
296 
297 	memcpy(m, a2, 7);
298 	memcpy(m + 7, a1, 7);
299 	memcpy(m + 14, io_cap, 3);
300 	memcpy(m + 17, r, 16);
301 	memcpy(m + 33, n2, 16);
302 	memcpy(m + 49, n1, 16);
303 
304 	err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
305 	if (err)
306 		return err;
307 
308 	SMP_DBG("res %16phN", res);
309 
310 	return err;
311 }
312 
313 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
314 		  const u8 x[16], const u8 y[16], u32 *val)
315 {
316 	u8 m[80], tmp[16];
317 	int err;
318 
319 	SMP_DBG("u %32phN", u);
320 	SMP_DBG("v %32phN", v);
321 	SMP_DBG("x %16phN y %16phN", x, y);
322 
323 	memcpy(m, y, 16);
324 	memcpy(m + 16, v, 32);
325 	memcpy(m + 48, u, 32);
326 
327 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
328 	if (err)
329 		return err;
330 
331 	*val = get_unaligned_le32(tmp);
332 	*val %= 1000000;
333 
334 	SMP_DBG("val %06u", *val);
335 
336 	return 0;
337 }
338 
339 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
340 		  const u8 key_id[4], u8 res[16])
341 {
342 	int err;
343 
344 	SMP_DBG("w %16phN key_id %4phN", w, key_id);
345 
346 	err = aes_cmac(tfm_cmac, w, key_id, 4, res);
347 	if (err)
348 		return err;
349 
350 	SMP_DBG("res %16phN", res);
351 
352 	return err;
353 }
354 
355 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
356 		  const u8 salt[16], u8 res[16])
357 {
358 	int err;
359 
360 	SMP_DBG("w %16phN salt %16phN", w, salt);
361 
362 	err = aes_cmac(tfm_cmac, salt, w, 16, res);
363 	if (err)
364 		return err;
365 
366 	SMP_DBG("res %16phN", res);
367 
368 	return err;
369 }
370 
371 /* The following functions map to the legacy SMP crypto functions e, c1,
372  * s1 and ah.
373  */
374 
375 static int smp_e(const u8 *k, u8 *r)
376 {
377 	struct crypto_aes_ctx ctx;
378 	uint8_t tmp[16], data[16];
379 	int err;
380 
381 	SMP_DBG("k %16phN r %16phN", k, r);
382 
383 	/* The most significant octet of key corresponds to k[0] */
384 	swap_buf(k, tmp, 16);
385 
386 	err = aes_expandkey(&ctx, tmp, 16);
387 	if (err) {
388 		BT_ERR("cipher setkey failed: %d", err);
389 		return err;
390 	}
391 
392 	/* Most significant octet of plaintextData corresponds to data[0] */
393 	swap_buf(r, data, 16);
394 
395 	aes_encrypt(&ctx, data, data);
396 
397 	/* Most significant octet of encryptedData corresponds to data[0] */
398 	swap_buf(data, r, 16);
399 
400 	SMP_DBG("r %16phN", r);
401 
402 	memzero_explicit(&ctx, sizeof(ctx));
403 	return err;
404 }
405 
406 static int smp_c1(const u8 k[16],
407 		  const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
408 		  const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
409 {
410 	u8 p1[16], p2[16];
411 	int err;
412 
413 	SMP_DBG("k %16phN r %16phN", k, r);
414 	SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
415 	SMP_DBG("preq %7phN pres %7phN", preq, pres);
416 
417 	memset(p1, 0, 16);
418 
419 	/* p1 = pres || preq || _rat || _iat */
420 	p1[0] = _iat;
421 	p1[1] = _rat;
422 	memcpy(p1 + 2, preq, 7);
423 	memcpy(p1 + 9, pres, 7);
424 
425 	SMP_DBG("p1 %16phN", p1);
426 
427 	/* res = r XOR p1 */
428 	crypto_xor_cpy(res, r, p1, sizeof(p1));
429 
430 	/* res = e(k, res) */
431 	err = smp_e(k, res);
432 	if (err) {
433 		BT_ERR("Encrypt data error");
434 		return err;
435 	}
436 
437 	/* p2 = padding || ia || ra */
438 	memcpy(p2, ra, 6);
439 	memcpy(p2 + 6, ia, 6);
440 	memset(p2 + 12, 0, 4);
441 
442 	SMP_DBG("p2 %16phN", p2);
443 
444 	/* res = res XOR p2 */
445 	crypto_xor(res, p2, sizeof(p2));
446 
447 	/* res = e(k, res) */
448 	err = smp_e(k, res);
449 	if (err)
450 		BT_ERR("Encrypt data error");
451 
452 	return err;
453 }
454 
455 static int smp_s1(const u8 k[16],
456 		  const u8 r1[16], const u8 r2[16], u8 _r[16])
457 {
458 	int err;
459 
460 	/* Just least significant octets from r1 and r2 are considered */
461 	memcpy(_r, r2, 8);
462 	memcpy(_r + 8, r1, 8);
463 
464 	err = smp_e(k, _r);
465 	if (err)
466 		BT_ERR("Encrypt data error");
467 
468 	return err;
469 }
470 
471 static int smp_ah(const u8 irk[16], const u8 r[3], u8 res[3])
472 {
473 	u8 _res[16];
474 	int err;
475 
476 	/* r' = padding || r */
477 	memcpy(_res, r, 3);
478 	memset(_res + 3, 0, 13);
479 
480 	err = smp_e(irk, _res);
481 	if (err) {
482 		BT_ERR("Encrypt error");
483 		return err;
484 	}
485 
486 	/* The output of the random address function ah is:
487 	 *	ah(k, r) = e(k, r') mod 2^24
488 	 * The output of the security function e is then truncated to 24 bits
489 	 * by taking the least significant 24 bits of the output of e as the
490 	 * result of ah.
491 	 */
492 	memcpy(res, _res, 3);
493 
494 	return 0;
495 }
496 
497 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
498 		     const bdaddr_t *bdaddr)
499 {
500 	struct l2cap_chan *chan = hdev->smp_data;
501 	u8 hash[3];
502 	int err;
503 
504 	if (!chan || !chan->data)
505 		return false;
506 
507 	bt_dev_dbg(hdev, "RPA %pMR IRK %*phN", bdaddr, 16, irk);
508 
509 	err = smp_ah(irk, &bdaddr->b[3], hash);
510 	if (err)
511 		return false;
512 
513 	return !crypto_memneq(bdaddr->b, hash, 3);
514 }
515 
516 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
517 {
518 	struct l2cap_chan *chan = hdev->smp_data;
519 	int err;
520 
521 	if (!chan || !chan->data)
522 		return -EOPNOTSUPP;
523 
524 	get_random_bytes(&rpa->b[3], 3);
525 
526 	rpa->b[5] &= 0x3f;	/* Clear two most significant bits */
527 	rpa->b[5] |= 0x40;	/* Set second most significant bit */
528 
529 	err = smp_ah(irk, &rpa->b[3], rpa->b);
530 	if (err < 0)
531 		return err;
532 
533 	bt_dev_dbg(hdev, "RPA %pMR", rpa);
534 
535 	return 0;
536 }
537 
538 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
539 {
540 	struct l2cap_chan *chan = hdev->smp_data;
541 	struct smp_dev *smp;
542 	int err;
543 
544 	if (!chan || !chan->data)
545 		return -EOPNOTSUPP;
546 
547 	smp = chan->data;
548 
549 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
550 		bt_dev_dbg(hdev, "Using debug keys");
551 		err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk);
552 		if (err)
553 			return err;
554 		memcpy(smp->local_pk, debug_pk, 64);
555 		smp->debug_key = true;
556 	} else {
557 		while (true) {
558 			/* Generate key pair for Secure Connections */
559 			err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk);
560 			if (err)
561 				return err;
562 
563 			/* This is unlikely, but we need to check that
564 			 * we didn't accidentally generate a debug key.
565 			 */
566 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
567 				break;
568 		}
569 		smp->debug_key = false;
570 	}
571 
572 	SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
573 	SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
574 
575 	get_random_bytes(smp->local_rand, 16);
576 
577 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
578 		     smp->local_rand, 0, hash);
579 	if (err < 0)
580 		return err;
581 
582 	memcpy(rand, smp->local_rand, 16);
583 
584 	smp->local_oob = true;
585 
586 	return 0;
587 }
588 
589 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
590 {
591 	struct l2cap_chan *chan = conn->smp;
592 	struct smp_chan *smp;
593 	struct kvec iv[2];
594 	struct msghdr msg;
595 
596 	if (!chan)
597 		return;
598 
599 	bt_dev_dbg(conn->hcon->hdev, "code 0x%2.2x", code);
600 
601 	iv[0].iov_base = &code;
602 	iv[0].iov_len = 1;
603 
604 	iv[1].iov_base = data;
605 	iv[1].iov_len = len;
606 
607 	memset(&msg, 0, sizeof(msg));
608 
609 	iov_iter_kvec(&msg.msg_iter, ITER_SOURCE, iv, 2, 1 + len);
610 
611 	l2cap_chan_send(chan, &msg, 1 + len);
612 
613 	if (!chan->data)
614 		return;
615 
616 	smp = chan->data;
617 
618 	cancel_delayed_work_sync(&smp->security_timer);
619 	schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
620 }
621 
622 static u8 authreq_to_seclevel(u8 authreq)
623 {
624 	if (authreq & SMP_AUTH_MITM) {
625 		if (authreq & SMP_AUTH_SC)
626 			return BT_SECURITY_FIPS;
627 		else
628 			return BT_SECURITY_HIGH;
629 	} else {
630 		return BT_SECURITY_MEDIUM;
631 	}
632 }
633 
634 static __u8 seclevel_to_authreq(__u8 sec_level)
635 {
636 	switch (sec_level) {
637 	case BT_SECURITY_FIPS:
638 	case BT_SECURITY_HIGH:
639 		return SMP_AUTH_MITM | SMP_AUTH_BONDING;
640 	case BT_SECURITY_MEDIUM:
641 		return SMP_AUTH_BONDING;
642 	default:
643 		return SMP_AUTH_NONE;
644 	}
645 }
646 
647 static void build_pairing_cmd(struct l2cap_conn *conn,
648 			      struct smp_cmd_pairing *req,
649 			      struct smp_cmd_pairing *rsp, __u8 authreq)
650 {
651 	struct l2cap_chan *chan = conn->smp;
652 	struct smp_chan *smp = chan->data;
653 	struct hci_conn *hcon = conn->hcon;
654 	struct hci_dev *hdev = hcon->hdev;
655 	u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
656 
657 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
658 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
659 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
660 		authreq |= SMP_AUTH_BONDING;
661 	} else {
662 		authreq &= ~SMP_AUTH_BONDING;
663 	}
664 
665 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
666 		remote_dist |= SMP_DIST_ID_KEY;
667 
668 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
669 		local_dist |= SMP_DIST_ID_KEY;
670 
671 	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
672 	    (authreq & SMP_AUTH_SC)) {
673 		struct oob_data *oob_data;
674 		u8 bdaddr_type;
675 
676 		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
677 			local_dist |= SMP_DIST_LINK_KEY;
678 			remote_dist |= SMP_DIST_LINK_KEY;
679 		}
680 
681 		if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
682 			bdaddr_type = BDADDR_LE_PUBLIC;
683 		else
684 			bdaddr_type = BDADDR_LE_RANDOM;
685 
686 		oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
687 						    bdaddr_type);
688 		if (oob_data && oob_data->present) {
689 			set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
690 			oob_flag = SMP_OOB_PRESENT;
691 			memcpy(smp->rr, oob_data->rand256, 16);
692 			memcpy(smp->pcnf, oob_data->hash256, 16);
693 			SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
694 			SMP_DBG("OOB Remote Random: %16phN", smp->rr);
695 		}
696 
697 	} else {
698 		authreq &= ~SMP_AUTH_SC;
699 	}
700 
701 	if (rsp == NULL) {
702 		req->io_capability = conn->hcon->io_capability;
703 		req->oob_flag = oob_flag;
704 		req->max_key_size = hdev->le_max_key_size;
705 		req->init_key_dist = local_dist;
706 		req->resp_key_dist = remote_dist;
707 		req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
708 
709 		smp->remote_key_dist = remote_dist;
710 		return;
711 	}
712 
713 	rsp->io_capability = conn->hcon->io_capability;
714 	rsp->oob_flag = oob_flag;
715 	rsp->max_key_size = hdev->le_max_key_size;
716 	rsp->init_key_dist = req->init_key_dist & remote_dist;
717 	rsp->resp_key_dist = req->resp_key_dist & local_dist;
718 	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
719 
720 	smp->remote_key_dist = rsp->init_key_dist;
721 }
722 
723 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
724 {
725 	struct l2cap_chan *chan = conn->smp;
726 	struct hci_dev *hdev = conn->hcon->hdev;
727 	struct smp_chan *smp = chan->data;
728 
729 	if (conn->hcon->pending_sec_level == BT_SECURITY_FIPS &&
730 	    max_key_size != SMP_MAX_ENC_KEY_SIZE)
731 		return SMP_ENC_KEY_SIZE;
732 
733 	if (max_key_size > hdev->le_max_key_size ||
734 	    max_key_size < SMP_MIN_ENC_KEY_SIZE)
735 		return SMP_ENC_KEY_SIZE;
736 
737 	smp->enc_key_size = max_key_size;
738 
739 	return 0;
740 }
741 
742 static void smp_chan_destroy(struct l2cap_conn *conn)
743 {
744 	struct l2cap_chan *chan = conn->smp;
745 	struct smp_chan *smp = chan->data;
746 	struct hci_conn *hcon = conn->hcon;
747 	bool complete;
748 
749 	BUG_ON(!smp);
750 
751 	cancel_delayed_work_sync(&smp->security_timer);
752 
753 	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
754 	mgmt_smp_complete(hcon, complete);
755 
756 	kfree_sensitive(smp->csrk);
757 	kfree_sensitive(smp->responder_csrk);
758 	kfree_sensitive(smp->link_key);
759 
760 	crypto_free_shash(smp->tfm_cmac);
761 	crypto_free_kpp(smp->tfm_ecdh);
762 
763 	/* Ensure that we don't leave any debug key around if debug key
764 	 * support hasn't been explicitly enabled.
765 	 */
766 	if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
767 	    !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
768 		list_del_rcu(&smp->ltk->list);
769 		kfree_rcu(smp->ltk, rcu);
770 		smp->ltk = NULL;
771 	}
772 
773 	/* If pairing failed clean up any keys we might have */
774 	if (!complete) {
775 		if (smp->ltk) {
776 			list_del_rcu(&smp->ltk->list);
777 			kfree_rcu(smp->ltk, rcu);
778 		}
779 
780 		if (smp->responder_ltk) {
781 			list_del_rcu(&smp->responder_ltk->list);
782 			kfree_rcu(smp->responder_ltk, rcu);
783 		}
784 
785 		if (smp->remote_irk) {
786 			list_del_rcu(&smp->remote_irk->list);
787 			kfree_rcu(smp->remote_irk, rcu);
788 		}
789 	}
790 
791 	chan->data = NULL;
792 	kfree_sensitive(smp);
793 	hci_conn_drop(hcon);
794 }
795 
796 static void smp_failure(struct l2cap_conn *conn, u8 reason)
797 {
798 	struct hci_conn *hcon = conn->hcon;
799 	struct l2cap_chan *chan = conn->smp;
800 
801 	if (reason)
802 		smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
803 			     &reason);
804 
805 	mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
806 
807 	if (chan->data)
808 		smp_chan_destroy(conn);
809 }
810 
811 #define JUST_WORKS	0x00
812 #define JUST_CFM	0x01
813 #define REQ_PASSKEY	0x02
814 #define CFM_PASSKEY	0x03
815 #define REQ_OOB		0x04
816 #define DSP_PASSKEY	0x05
817 #define OVERLAP		0xFF
818 
819 static const u8 gen_method[5][5] = {
820 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
821 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
822 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
823 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
824 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
825 };
826 
827 static const u8 sc_method[5][5] = {
828 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
829 	{ JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
830 	{ DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
831 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
832 	{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
833 };
834 
835 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
836 {
837 	/* If either side has unknown io_caps, use JUST_CFM (which gets
838 	 * converted later to JUST_WORKS if we're initiators.
839 	 */
840 	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
841 	    remote_io > SMP_IO_KEYBOARD_DISPLAY)
842 		return JUST_CFM;
843 
844 	if (test_bit(SMP_FLAG_SC, &smp->flags))
845 		return sc_method[remote_io][local_io];
846 
847 	return gen_method[remote_io][local_io];
848 }
849 
850 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
851 						u8 local_io, u8 remote_io)
852 {
853 	struct hci_conn *hcon = conn->hcon;
854 	struct l2cap_chan *chan = conn->smp;
855 	struct smp_chan *smp = chan->data;
856 	u32 passkey = 0;
857 	int ret;
858 
859 	/* Initialize key for JUST WORKS */
860 	memset(smp->tk, 0, sizeof(smp->tk));
861 	clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
862 
863 	bt_dev_dbg(hcon->hdev, "auth:%u lcl:%u rem:%u", auth, local_io,
864 		   remote_io);
865 
866 	/* If neither side wants MITM, either "just" confirm an incoming
867 	 * request or use just-works for outgoing ones. The JUST_CFM
868 	 * will be converted to JUST_WORKS if necessary later in this
869 	 * function. If either side has MITM look up the method from the
870 	 * table.
871 	 */
872 	if (!(auth & SMP_AUTH_MITM))
873 		smp->method = JUST_CFM;
874 	else
875 		smp->method = get_auth_method(smp, local_io, remote_io);
876 
877 	/* Don't confirm locally initiated pairing attempts */
878 	if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
879 						&smp->flags))
880 		smp->method = JUST_WORKS;
881 
882 	/* Don't bother user space with no IO capabilities */
883 	if (smp->method == JUST_CFM &&
884 	    hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
885 		smp->method = JUST_WORKS;
886 
887 	/* If Just Works, Continue with Zero TK and ask user-space for
888 	 * confirmation */
889 	if (smp->method == JUST_WORKS) {
890 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
891 						hcon->type,
892 						hcon->dst_type,
893 						passkey, 1);
894 		if (ret)
895 			return ret;
896 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
897 		return 0;
898 	}
899 
900 	/* If this function is used for SC -> legacy fallback we
901 	 * can only recover the just-works case.
902 	 */
903 	if (test_bit(SMP_FLAG_SC, &smp->flags))
904 		return -EINVAL;
905 
906 	/* Not Just Works/Confirm results in MITM Authentication */
907 	if (smp->method != JUST_CFM) {
908 		set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
909 		if (hcon->pending_sec_level < BT_SECURITY_HIGH)
910 			hcon->pending_sec_level = BT_SECURITY_HIGH;
911 	}
912 
913 	/* If both devices have Keyboard-Display I/O, the initiator
914 	 * Confirms and the responder Enters the passkey.
915 	 */
916 	if (smp->method == OVERLAP) {
917 		if (hcon->role == HCI_ROLE_MASTER)
918 			smp->method = CFM_PASSKEY;
919 		else
920 			smp->method = REQ_PASSKEY;
921 	}
922 
923 	/* Generate random passkey. */
924 	if (smp->method == CFM_PASSKEY) {
925 		memset(smp->tk, 0, sizeof(smp->tk));
926 		get_random_bytes(&passkey, sizeof(passkey));
927 		passkey %= 1000000;
928 		put_unaligned_le32(passkey, smp->tk);
929 		bt_dev_dbg(hcon->hdev, "PassKey: %u", passkey);
930 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
931 	}
932 
933 	if (smp->method == REQ_PASSKEY)
934 		ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
935 						hcon->type, hcon->dst_type);
936 	else if (smp->method == JUST_CFM)
937 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
938 						hcon->type, hcon->dst_type,
939 						passkey, 1);
940 	else
941 		ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
942 						hcon->type, hcon->dst_type,
943 						passkey, 0);
944 
945 	return ret;
946 }
947 
948 static u8 smp_confirm(struct smp_chan *smp)
949 {
950 	struct l2cap_conn *conn = smp->conn;
951 	struct smp_cmd_pairing_confirm cp;
952 	int ret;
953 
954 	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
955 
956 	ret = smp_c1(smp->tk, smp->prnd, smp->preq, smp->prsp,
957 		     conn->hcon->init_addr_type, &conn->hcon->init_addr,
958 		     conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
959 		     cp.confirm_val);
960 	if (ret)
961 		return SMP_UNSPECIFIED;
962 
963 	clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
964 
965 	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
966 
967 	if (conn->hcon->out)
968 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
969 	else
970 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
971 
972 	return 0;
973 }
974 
975 static u8 smp_random(struct smp_chan *smp)
976 {
977 	struct l2cap_conn *conn = smp->conn;
978 	struct hci_conn *hcon = conn->hcon;
979 	u8 confirm[16];
980 	int ret;
981 
982 	bt_dev_dbg(conn->hcon->hdev, "conn %p %s", conn,
983 		   conn->hcon->out ? "initiator" : "responder");
984 
985 	ret = smp_c1(smp->tk, smp->rrnd, smp->preq, smp->prsp,
986 		     hcon->init_addr_type, &hcon->init_addr,
987 		     hcon->resp_addr_type, &hcon->resp_addr, confirm);
988 	if (ret)
989 		return SMP_UNSPECIFIED;
990 
991 	if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
992 		bt_dev_err(hcon->hdev, "pairing failed "
993 			   "(confirmation values mismatch)");
994 		return SMP_CONFIRM_FAILED;
995 	}
996 
997 	if (hcon->out) {
998 		u8 stk[16];
999 		__le64 rand = 0;
1000 		__le16 ediv = 0;
1001 
1002 		smp_s1(smp->tk, smp->rrnd, smp->prnd, stk);
1003 
1004 		if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1005 			return SMP_UNSPECIFIED;
1006 
1007 		hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1008 		hcon->enc_key_size = smp->enc_key_size;
1009 		set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1010 	} else {
1011 		u8 stk[16], auth;
1012 		__le64 rand = 0;
1013 		__le16 ediv = 0;
1014 
1015 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1016 			     smp->prnd);
1017 
1018 		smp_s1(smp->tk, smp->prnd, smp->rrnd, stk);
1019 
1020 		if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1021 			auth = 1;
1022 		else
1023 			auth = 0;
1024 
1025 		/* Even though there's no _RESPONDER suffix this is the
1026 		 * responder STK we're adding for later lookup (the initiator
1027 		 * STK never needs to be stored).
1028 		 */
1029 		hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1030 			    SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1031 	}
1032 
1033 	return 0;
1034 }
1035 
1036 static void smp_notify_keys(struct l2cap_conn *conn)
1037 {
1038 	struct l2cap_chan *chan = conn->smp;
1039 	struct smp_chan *smp = chan->data;
1040 	struct hci_conn *hcon = conn->hcon;
1041 	struct hci_dev *hdev = hcon->hdev;
1042 	struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1043 	struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1044 	bool persistent;
1045 
1046 	if (hcon->type == ACL_LINK) {
1047 		if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1048 			persistent = false;
1049 		else
1050 			persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1051 					       &hcon->flags);
1052 	} else {
1053 		/* The LTKs, IRKs and CSRKs should be persistent only if
1054 		 * both sides had the bonding bit set in their
1055 		 * authentication requests.
1056 		 */
1057 		persistent = !!((req->auth_req & rsp->auth_req) &
1058 				SMP_AUTH_BONDING);
1059 	}
1060 
1061 	if (smp->remote_irk) {
1062 		mgmt_new_irk(hdev, smp->remote_irk, persistent);
1063 
1064 		/* Now that user space can be considered to know the
1065 		 * identity address track the connection based on it
1066 		 * from now on (assuming this is an LE link).
1067 		 */
1068 		if (hcon->type == LE_LINK) {
1069 			bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1070 			hcon->dst_type = smp->remote_irk->addr_type;
1071 			/* Use a short delay to make sure the new address is
1072 			 * propagated _before_ the channels.
1073 			 */
1074 			queue_delayed_work(hdev->workqueue,
1075 					   &conn->id_addr_timer,
1076 					   ID_ADDR_TIMEOUT);
1077 		}
1078 	}
1079 
1080 	if (smp->csrk) {
1081 		smp->csrk->bdaddr_type = hcon->dst_type;
1082 		bacpy(&smp->csrk->bdaddr, &hcon->dst);
1083 		mgmt_new_csrk(hdev, smp->csrk, persistent);
1084 	}
1085 
1086 	if (smp->responder_csrk) {
1087 		smp->responder_csrk->bdaddr_type = hcon->dst_type;
1088 		bacpy(&smp->responder_csrk->bdaddr, &hcon->dst);
1089 		mgmt_new_csrk(hdev, smp->responder_csrk, persistent);
1090 	}
1091 
1092 	if (smp->ltk) {
1093 		smp->ltk->bdaddr_type = hcon->dst_type;
1094 		bacpy(&smp->ltk->bdaddr, &hcon->dst);
1095 		mgmt_new_ltk(hdev, smp->ltk, persistent);
1096 	}
1097 
1098 	if (smp->responder_ltk) {
1099 		smp->responder_ltk->bdaddr_type = hcon->dst_type;
1100 		bacpy(&smp->responder_ltk->bdaddr, &hcon->dst);
1101 		mgmt_new_ltk(hdev, smp->responder_ltk, persistent);
1102 	}
1103 
1104 	if (smp->link_key) {
1105 		struct link_key *key;
1106 		u8 type;
1107 
1108 		if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1109 			type = HCI_LK_DEBUG_COMBINATION;
1110 		else if (hcon->sec_level == BT_SECURITY_FIPS)
1111 			type = HCI_LK_AUTH_COMBINATION_P256;
1112 		else
1113 			type = HCI_LK_UNAUTH_COMBINATION_P256;
1114 
1115 		key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1116 				       smp->link_key, type, 0, &persistent);
1117 		if (key) {
1118 			mgmt_new_link_key(hdev, key, persistent);
1119 
1120 			/* Don't keep debug keys around if the relevant
1121 			 * flag is not set.
1122 			 */
1123 			if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1124 			    key->type == HCI_LK_DEBUG_COMBINATION) {
1125 				list_del_rcu(&key->list);
1126 				kfree_rcu(key, rcu);
1127 			}
1128 		}
1129 	}
1130 }
1131 
1132 static void sc_add_ltk(struct smp_chan *smp)
1133 {
1134 	struct hci_conn *hcon = smp->conn->hcon;
1135 	u8 key_type, auth;
1136 
1137 	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1138 		key_type = SMP_LTK_P256_DEBUG;
1139 	else
1140 		key_type = SMP_LTK_P256;
1141 
1142 	if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1143 		auth = 1;
1144 	else
1145 		auth = 0;
1146 
1147 	smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1148 			       key_type, auth, smp->tk, smp->enc_key_size,
1149 			       0, 0);
1150 }
1151 
1152 static void sc_generate_link_key(struct smp_chan *smp)
1153 {
1154 	/* From core spec. Spells out in ASCII as 'lebr'. */
1155 	const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1156 
1157 	smp->link_key = kzalloc(16, GFP_KERNEL);
1158 	if (!smp->link_key)
1159 		return;
1160 
1161 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1162 		/* SALT = 0x000000000000000000000000746D7031 */
1163 		const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1164 
1165 		if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1166 			kfree_sensitive(smp->link_key);
1167 			smp->link_key = NULL;
1168 			return;
1169 		}
1170 	} else {
1171 		/* From core spec. Spells out in ASCII as 'tmp1'. */
1172 		const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1173 
1174 		if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1175 			kfree_sensitive(smp->link_key);
1176 			smp->link_key = NULL;
1177 			return;
1178 		}
1179 	}
1180 
1181 	if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1182 		kfree_sensitive(smp->link_key);
1183 		smp->link_key = NULL;
1184 		return;
1185 	}
1186 }
1187 
1188 static void smp_allow_key_dist(struct smp_chan *smp)
1189 {
1190 	/* Allow the first expected phase 3 PDU. The rest of the PDUs
1191 	 * will be allowed in each PDU handler to ensure we receive
1192 	 * them in the correct order.
1193 	 */
1194 	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1195 		SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1196 	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1197 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1198 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
1199 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1200 }
1201 
1202 static void sc_generate_ltk(struct smp_chan *smp)
1203 {
1204 	/* From core spec. Spells out in ASCII as 'brle'. */
1205 	const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1206 	struct hci_conn *hcon = smp->conn->hcon;
1207 	struct hci_dev *hdev = hcon->hdev;
1208 	struct link_key *key;
1209 
1210 	key = hci_find_link_key(hdev, &hcon->dst);
1211 	if (!key) {
1212 		bt_dev_err(hdev, "no Link Key found to generate LTK");
1213 		return;
1214 	}
1215 
1216 	if (key->type == HCI_LK_DEBUG_COMBINATION)
1217 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1218 
1219 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1220 		/* SALT = 0x000000000000000000000000746D7032 */
1221 		const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1222 
1223 		if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1224 			return;
1225 	} else {
1226 		/* From core spec. Spells out in ASCII as 'tmp2'. */
1227 		const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1228 
1229 		if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1230 			return;
1231 	}
1232 
1233 	if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1234 		return;
1235 
1236 	sc_add_ltk(smp);
1237 }
1238 
1239 static void smp_distribute_keys(struct smp_chan *smp)
1240 {
1241 	struct smp_cmd_pairing *req, *rsp;
1242 	struct l2cap_conn *conn = smp->conn;
1243 	struct hci_conn *hcon = conn->hcon;
1244 	struct hci_dev *hdev = hcon->hdev;
1245 	__u8 *keydist;
1246 
1247 	bt_dev_dbg(hdev, "conn %p", conn);
1248 
1249 	rsp = (void *) &smp->prsp[1];
1250 
1251 	/* The responder sends its keys first */
1252 	if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1253 		smp_allow_key_dist(smp);
1254 		return;
1255 	}
1256 
1257 	req = (void *) &smp->preq[1];
1258 
1259 	if (hcon->out) {
1260 		keydist = &rsp->init_key_dist;
1261 		*keydist &= req->init_key_dist;
1262 	} else {
1263 		keydist = &rsp->resp_key_dist;
1264 		*keydist &= req->resp_key_dist;
1265 	}
1266 
1267 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1268 		if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1269 			sc_generate_link_key(smp);
1270 		if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1271 			sc_generate_ltk(smp);
1272 
1273 		/* Clear the keys which are generated but not distributed */
1274 		*keydist &= ~SMP_SC_NO_DIST;
1275 	}
1276 
1277 	bt_dev_dbg(hdev, "keydist 0x%x", *keydist);
1278 
1279 	if (*keydist & SMP_DIST_ENC_KEY) {
1280 		struct smp_cmd_encrypt_info enc;
1281 		struct smp_cmd_initiator_ident ident;
1282 		struct smp_ltk *ltk;
1283 		u8 authenticated;
1284 		__le16 ediv;
1285 		__le64 rand;
1286 
1287 		/* Make sure we generate only the significant amount of
1288 		 * bytes based on the encryption key size, and set the rest
1289 		 * of the value to zeroes.
1290 		 */
1291 		get_random_bytes(enc.ltk, smp->enc_key_size);
1292 		memset(enc.ltk + smp->enc_key_size, 0,
1293 		       sizeof(enc.ltk) - smp->enc_key_size);
1294 
1295 		get_random_bytes(&ediv, sizeof(ediv));
1296 		get_random_bytes(&rand, sizeof(rand));
1297 
1298 		smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1299 
1300 		authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1301 		ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1302 				  SMP_LTK_RESPONDER, authenticated, enc.ltk,
1303 				  smp->enc_key_size, ediv, rand);
1304 		smp->responder_ltk = ltk;
1305 
1306 		ident.ediv = ediv;
1307 		ident.rand = rand;
1308 
1309 		smp_send_cmd(conn, SMP_CMD_INITIATOR_IDENT, sizeof(ident),
1310 			     &ident);
1311 
1312 		*keydist &= ~SMP_DIST_ENC_KEY;
1313 	}
1314 
1315 	if (*keydist & SMP_DIST_ID_KEY) {
1316 		struct smp_cmd_ident_addr_info addrinfo;
1317 		struct smp_cmd_ident_info idinfo;
1318 
1319 		memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1320 
1321 		smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1322 
1323 		/* The hci_conn contains the local identity address
1324 		 * after the connection has been established.
1325 		 *
1326 		 * This is true even when the connection has been
1327 		 * established using a resolvable random address.
1328 		 */
1329 		bacpy(&addrinfo.bdaddr, &hcon->src);
1330 		addrinfo.addr_type = hcon->src_type;
1331 
1332 		smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1333 			     &addrinfo);
1334 
1335 		*keydist &= ~SMP_DIST_ID_KEY;
1336 	}
1337 
1338 	if (*keydist & SMP_DIST_SIGN) {
1339 		struct smp_cmd_sign_info sign;
1340 		struct smp_csrk *csrk;
1341 
1342 		/* Generate a new random key */
1343 		get_random_bytes(sign.csrk, sizeof(sign.csrk));
1344 
1345 		csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1346 		if (csrk) {
1347 			if (hcon->sec_level > BT_SECURITY_MEDIUM)
1348 				csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1349 			else
1350 				csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1351 			memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1352 		}
1353 		smp->responder_csrk = csrk;
1354 
1355 		smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1356 
1357 		*keydist &= ~SMP_DIST_SIGN;
1358 	}
1359 
1360 	/* If there are still keys to be received wait for them */
1361 	if (smp->remote_key_dist & KEY_DIST_MASK) {
1362 		smp_allow_key_dist(smp);
1363 		return;
1364 	}
1365 
1366 	set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1367 	smp_notify_keys(conn);
1368 
1369 	smp_chan_destroy(conn);
1370 }
1371 
1372 static void smp_timeout(struct work_struct *work)
1373 {
1374 	struct smp_chan *smp = container_of(work, struct smp_chan,
1375 					    security_timer.work);
1376 	struct l2cap_conn *conn = smp->conn;
1377 
1378 	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
1379 
1380 	hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1381 }
1382 
1383 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1384 {
1385 	struct hci_conn *hcon = conn->hcon;
1386 	struct l2cap_chan *chan = conn->smp;
1387 	struct smp_chan *smp;
1388 
1389 	smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1390 	if (!smp)
1391 		return NULL;
1392 
1393 	smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1394 	if (IS_ERR(smp->tfm_cmac)) {
1395 		bt_dev_err(hcon->hdev, "Unable to create CMAC crypto context");
1396 		goto zfree_smp;
1397 	}
1398 
1399 	smp->tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
1400 	if (IS_ERR(smp->tfm_ecdh)) {
1401 		bt_dev_err(hcon->hdev, "Unable to create ECDH crypto context");
1402 		goto free_shash;
1403 	}
1404 
1405 	smp->conn = conn;
1406 	chan->data = smp;
1407 
1408 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1409 
1410 	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1411 
1412 	hci_conn_hold(hcon);
1413 
1414 	return smp;
1415 
1416 free_shash:
1417 	crypto_free_shash(smp->tfm_cmac);
1418 zfree_smp:
1419 	kfree_sensitive(smp);
1420 	return NULL;
1421 }
1422 
1423 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1424 {
1425 	struct hci_conn *hcon = smp->conn->hcon;
1426 	u8 *na, *nb, a[7], b[7];
1427 
1428 	if (hcon->out) {
1429 		na   = smp->prnd;
1430 		nb   = smp->rrnd;
1431 	} else {
1432 		na   = smp->rrnd;
1433 		nb   = smp->prnd;
1434 	}
1435 
1436 	memcpy(a, &hcon->init_addr, 6);
1437 	memcpy(b, &hcon->resp_addr, 6);
1438 	a[6] = hcon->init_addr_type;
1439 	b[6] = hcon->resp_addr_type;
1440 
1441 	return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1442 }
1443 
1444 static void sc_dhkey_check(struct smp_chan *smp)
1445 {
1446 	struct hci_conn *hcon = smp->conn->hcon;
1447 	struct smp_cmd_dhkey_check check;
1448 	u8 a[7], b[7], *local_addr, *remote_addr;
1449 	u8 io_cap[3], r[16];
1450 
1451 	memcpy(a, &hcon->init_addr, 6);
1452 	memcpy(b, &hcon->resp_addr, 6);
1453 	a[6] = hcon->init_addr_type;
1454 	b[6] = hcon->resp_addr_type;
1455 
1456 	if (hcon->out) {
1457 		local_addr = a;
1458 		remote_addr = b;
1459 		memcpy(io_cap, &smp->preq[1], 3);
1460 	} else {
1461 		local_addr = b;
1462 		remote_addr = a;
1463 		memcpy(io_cap, &smp->prsp[1], 3);
1464 	}
1465 
1466 	memset(r, 0, sizeof(r));
1467 
1468 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1469 		put_unaligned_le32(hcon->passkey_notify, r);
1470 
1471 	if (smp->method == REQ_OOB)
1472 		memcpy(r, smp->rr, 16);
1473 
1474 	smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1475 	       local_addr, remote_addr, check.e);
1476 
1477 	smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1478 }
1479 
1480 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1481 {
1482 	struct l2cap_conn *conn = smp->conn;
1483 	struct hci_conn *hcon = conn->hcon;
1484 	struct smp_cmd_pairing_confirm cfm;
1485 	u8 r;
1486 
1487 	r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1488 	r |= 0x80;
1489 
1490 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1491 
1492 	if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1493 		   cfm.confirm_val))
1494 		return SMP_UNSPECIFIED;
1495 
1496 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1497 
1498 	return 0;
1499 }
1500 
1501 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1502 {
1503 	struct l2cap_conn *conn = smp->conn;
1504 	struct hci_conn *hcon = conn->hcon;
1505 	struct hci_dev *hdev = hcon->hdev;
1506 	u8 cfm[16], r;
1507 
1508 	/* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1509 	if (smp->passkey_round >= 20)
1510 		return 0;
1511 
1512 	switch (smp_op) {
1513 	case SMP_CMD_PAIRING_RANDOM:
1514 		r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1515 		r |= 0x80;
1516 
1517 		if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1518 			   smp->rrnd, r, cfm))
1519 			return SMP_UNSPECIFIED;
1520 
1521 		if (crypto_memneq(smp->pcnf, cfm, 16))
1522 			return SMP_CONFIRM_FAILED;
1523 
1524 		smp->passkey_round++;
1525 
1526 		if (smp->passkey_round == 20) {
1527 			/* Generate MacKey and LTK */
1528 			if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1529 				return SMP_UNSPECIFIED;
1530 		}
1531 
1532 		/* The round is only complete when the initiator
1533 		 * receives pairing random.
1534 		 */
1535 		if (!hcon->out) {
1536 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1537 				     sizeof(smp->prnd), smp->prnd);
1538 			if (smp->passkey_round == 20)
1539 				SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1540 			else
1541 				SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1542 			return 0;
1543 		}
1544 
1545 		/* Start the next round */
1546 		if (smp->passkey_round != 20)
1547 			return sc_passkey_round(smp, 0);
1548 
1549 		/* Passkey rounds are complete - start DHKey Check */
1550 		sc_dhkey_check(smp);
1551 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1552 
1553 		break;
1554 
1555 	case SMP_CMD_PAIRING_CONFIRM:
1556 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1557 			set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1558 			return 0;
1559 		}
1560 
1561 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1562 
1563 		if (hcon->out) {
1564 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1565 				     sizeof(smp->prnd), smp->prnd);
1566 			return 0;
1567 		}
1568 
1569 		return sc_passkey_send_confirm(smp);
1570 
1571 	case SMP_CMD_PUBLIC_KEY:
1572 	default:
1573 		/* Initiating device starts the round */
1574 		if (!hcon->out)
1575 			return 0;
1576 
1577 		bt_dev_dbg(hdev, "Starting passkey round %u",
1578 			   smp->passkey_round + 1);
1579 
1580 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1581 
1582 		return sc_passkey_send_confirm(smp);
1583 	}
1584 
1585 	return 0;
1586 }
1587 
1588 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1589 {
1590 	struct l2cap_conn *conn = smp->conn;
1591 	struct hci_conn *hcon = conn->hcon;
1592 	u8 smp_op;
1593 
1594 	clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1595 
1596 	switch (mgmt_op) {
1597 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1598 		smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1599 		return 0;
1600 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1601 		smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1602 		return 0;
1603 	case MGMT_OP_USER_PASSKEY_REPLY:
1604 		hcon->passkey_notify = le32_to_cpu(passkey);
1605 		smp->passkey_round = 0;
1606 
1607 		if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1608 			smp_op = SMP_CMD_PAIRING_CONFIRM;
1609 		else
1610 			smp_op = 0;
1611 
1612 		if (sc_passkey_round(smp, smp_op))
1613 			return -EIO;
1614 
1615 		return 0;
1616 	}
1617 
1618 	/* Initiator sends DHKey check first */
1619 	if (hcon->out) {
1620 		sc_dhkey_check(smp);
1621 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1622 	} else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1623 		sc_dhkey_check(smp);
1624 		sc_add_ltk(smp);
1625 	}
1626 
1627 	return 0;
1628 }
1629 
1630 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1631 {
1632 	struct l2cap_conn *conn = hcon->l2cap_data;
1633 	struct l2cap_chan *chan;
1634 	struct smp_chan *smp;
1635 	u32 value;
1636 	int err;
1637 
1638 	if (!conn)
1639 		return -ENOTCONN;
1640 
1641 	bt_dev_dbg(conn->hcon->hdev, "");
1642 
1643 	chan = conn->smp;
1644 	if (!chan)
1645 		return -ENOTCONN;
1646 
1647 	l2cap_chan_lock(chan);
1648 	if (!chan->data) {
1649 		err = -ENOTCONN;
1650 		goto unlock;
1651 	}
1652 
1653 	smp = chan->data;
1654 
1655 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1656 		err = sc_user_reply(smp, mgmt_op, passkey);
1657 		goto unlock;
1658 	}
1659 
1660 	switch (mgmt_op) {
1661 	case MGMT_OP_USER_PASSKEY_REPLY:
1662 		value = le32_to_cpu(passkey);
1663 		memset(smp->tk, 0, sizeof(smp->tk));
1664 		bt_dev_dbg(conn->hcon->hdev, "PassKey: %u", value);
1665 		put_unaligned_le32(value, smp->tk);
1666 		fallthrough;
1667 	case MGMT_OP_USER_CONFIRM_REPLY:
1668 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1669 		break;
1670 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1671 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1672 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1673 		err = 0;
1674 		goto unlock;
1675 	default:
1676 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1677 		err = -EOPNOTSUPP;
1678 		goto unlock;
1679 	}
1680 
1681 	err = 0;
1682 
1683 	/* If it is our turn to send Pairing Confirm, do so now */
1684 	if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1685 		u8 rsp = smp_confirm(smp);
1686 		if (rsp)
1687 			smp_failure(conn, rsp);
1688 	}
1689 
1690 unlock:
1691 	l2cap_chan_unlock(chan);
1692 	return err;
1693 }
1694 
1695 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1696 				    struct smp_cmd_pairing *req,
1697 				    struct smp_cmd_pairing *rsp)
1698 {
1699 	struct l2cap_conn *conn = smp->conn;
1700 	struct hci_dev *hdev = conn->hcon->hdev;
1701 	u8 local_dist = 0, remote_dist = 0;
1702 
1703 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1704 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1705 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1706 	}
1707 
1708 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1709 		remote_dist |= SMP_DIST_ID_KEY;
1710 
1711 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1712 		local_dist |= SMP_DIST_ID_KEY;
1713 
1714 	if (!rsp) {
1715 		memset(req, 0, sizeof(*req));
1716 
1717 		req->auth_req        = SMP_AUTH_CT2;
1718 		req->init_key_dist   = local_dist;
1719 		req->resp_key_dist   = remote_dist;
1720 		req->max_key_size    = conn->hcon->enc_key_size;
1721 
1722 		smp->remote_key_dist = remote_dist;
1723 
1724 		return;
1725 	}
1726 
1727 	memset(rsp, 0, sizeof(*rsp));
1728 
1729 	rsp->auth_req        = SMP_AUTH_CT2;
1730 	rsp->max_key_size    = conn->hcon->enc_key_size;
1731 	rsp->init_key_dist   = req->init_key_dist & remote_dist;
1732 	rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1733 
1734 	smp->remote_key_dist = rsp->init_key_dist;
1735 }
1736 
1737 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1738 {
1739 	struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1740 	struct l2cap_chan *chan = conn->smp;
1741 	struct hci_dev *hdev = conn->hcon->hdev;
1742 	struct smp_chan *smp;
1743 	u8 key_size, auth, sec_level;
1744 	int ret;
1745 
1746 	bt_dev_dbg(hdev, "conn %p", conn);
1747 
1748 	if (skb->len < sizeof(*req))
1749 		return SMP_INVALID_PARAMS;
1750 
1751 	if (conn->hcon->role != HCI_ROLE_SLAVE)
1752 		return SMP_CMD_NOTSUPP;
1753 
1754 	if (!chan->data)
1755 		smp = smp_chan_create(conn);
1756 	else
1757 		smp = chan->data;
1758 
1759 	if (!smp)
1760 		return SMP_UNSPECIFIED;
1761 
1762 	/* We didn't start the pairing, so match remote */
1763 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
1764 
1765 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1766 	    (auth & SMP_AUTH_BONDING))
1767 		return SMP_PAIRING_NOTSUPP;
1768 
1769 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1770 		return SMP_AUTH_REQUIREMENTS;
1771 
1772 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
1773 	memcpy(&smp->preq[1], req, sizeof(*req));
1774 	skb_pull(skb, sizeof(*req));
1775 
1776 	/* If the remote side's OOB flag is set it means it has
1777 	 * successfully received our local OOB data - therefore set the
1778 	 * flag to indicate that local OOB is in use.
1779 	 */
1780 	if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1781 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1782 
1783 	/* SMP over BR/EDR requires special treatment */
1784 	if (conn->hcon->type == ACL_LINK) {
1785 		/* We must have a BR/EDR SC link */
1786 		if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1787 		    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1788 			return SMP_CROSS_TRANSP_NOT_ALLOWED;
1789 
1790 		set_bit(SMP_FLAG_SC, &smp->flags);
1791 
1792 		build_bredr_pairing_cmd(smp, req, &rsp);
1793 
1794 		if (req->auth_req & SMP_AUTH_CT2)
1795 			set_bit(SMP_FLAG_CT2, &smp->flags);
1796 
1797 		key_size = min(req->max_key_size, rsp.max_key_size);
1798 		if (check_enc_key_size(conn, key_size))
1799 			return SMP_ENC_KEY_SIZE;
1800 
1801 		/* Clear bits which are generated but not distributed */
1802 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1803 
1804 		smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1805 		memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1806 		smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1807 
1808 		smp_distribute_keys(smp);
1809 		return 0;
1810 	}
1811 
1812 	build_pairing_cmd(conn, req, &rsp, auth);
1813 
1814 	if (rsp.auth_req & SMP_AUTH_SC) {
1815 		set_bit(SMP_FLAG_SC, &smp->flags);
1816 
1817 		if (rsp.auth_req & SMP_AUTH_CT2)
1818 			set_bit(SMP_FLAG_CT2, &smp->flags);
1819 	}
1820 
1821 	if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1822 		sec_level = BT_SECURITY_MEDIUM;
1823 	else
1824 		sec_level = authreq_to_seclevel(auth);
1825 
1826 	if (sec_level > conn->hcon->pending_sec_level)
1827 		conn->hcon->pending_sec_level = sec_level;
1828 
1829 	/* If we need MITM check that it can be achieved */
1830 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1831 		u8 method;
1832 
1833 		method = get_auth_method(smp, conn->hcon->io_capability,
1834 					 req->io_capability);
1835 		if (method == JUST_WORKS || method == JUST_CFM)
1836 			return SMP_AUTH_REQUIREMENTS;
1837 	}
1838 
1839 	key_size = min(req->max_key_size, rsp.max_key_size);
1840 	if (check_enc_key_size(conn, key_size))
1841 		return SMP_ENC_KEY_SIZE;
1842 
1843 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1844 
1845 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1846 	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1847 
1848 	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1849 
1850 	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1851 
1852 	/* Strictly speaking we shouldn't allow Pairing Confirm for the
1853 	 * SC case, however some implementations incorrectly copy RFU auth
1854 	 * req bits from our security request, which may create a false
1855 	 * positive SC enablement.
1856 	 */
1857 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1858 
1859 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1860 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1861 		/* Clear bits which are generated but not distributed */
1862 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1863 		/* Wait for Public Key from Initiating Device */
1864 		return 0;
1865 	}
1866 
1867 	/* Request setup of TK */
1868 	ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1869 	if (ret)
1870 		return SMP_UNSPECIFIED;
1871 
1872 	return 0;
1873 }
1874 
1875 static u8 sc_send_public_key(struct smp_chan *smp)
1876 {
1877 	struct hci_dev *hdev = smp->conn->hcon->hdev;
1878 
1879 	bt_dev_dbg(hdev, "");
1880 
1881 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1882 		struct l2cap_chan *chan = hdev->smp_data;
1883 		struct smp_dev *smp_dev;
1884 
1885 		if (!chan || !chan->data)
1886 			return SMP_UNSPECIFIED;
1887 
1888 		smp_dev = chan->data;
1889 
1890 		memcpy(smp->local_pk, smp_dev->local_pk, 64);
1891 		memcpy(smp->lr, smp_dev->local_rand, 16);
1892 
1893 		if (smp_dev->debug_key)
1894 			set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1895 
1896 		goto done;
1897 	}
1898 
1899 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1900 		bt_dev_dbg(hdev, "Using debug keys");
1901 		if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
1902 			return SMP_UNSPECIFIED;
1903 		memcpy(smp->local_pk, debug_pk, 64);
1904 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1905 	} else {
1906 		while (true) {
1907 			/* Generate key pair for Secure Connections */
1908 			if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
1909 				return SMP_UNSPECIFIED;
1910 
1911 			/* This is unlikely, but we need to check that
1912 			 * we didn't accidentally generate a debug key.
1913 			 */
1914 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
1915 				break;
1916 		}
1917 	}
1918 
1919 done:
1920 	SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1921 	SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1922 
1923 	smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1924 
1925 	return 0;
1926 }
1927 
1928 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1929 {
1930 	struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1931 	struct l2cap_chan *chan = conn->smp;
1932 	struct smp_chan *smp = chan->data;
1933 	struct hci_dev *hdev = conn->hcon->hdev;
1934 	u8 key_size, auth;
1935 	int ret;
1936 
1937 	bt_dev_dbg(hdev, "conn %p", conn);
1938 
1939 	if (skb->len < sizeof(*rsp))
1940 		return SMP_INVALID_PARAMS;
1941 
1942 	if (conn->hcon->role != HCI_ROLE_MASTER)
1943 		return SMP_CMD_NOTSUPP;
1944 
1945 	skb_pull(skb, sizeof(*rsp));
1946 
1947 	req = (void *) &smp->preq[1];
1948 
1949 	key_size = min(req->max_key_size, rsp->max_key_size);
1950 	if (check_enc_key_size(conn, key_size))
1951 		return SMP_ENC_KEY_SIZE;
1952 
1953 	auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1954 
1955 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1956 		return SMP_AUTH_REQUIREMENTS;
1957 
1958 	/* If the remote side's OOB flag is set it means it has
1959 	 * successfully received our local OOB data - therefore set the
1960 	 * flag to indicate that local OOB is in use.
1961 	 */
1962 	if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1963 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1964 
1965 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1966 	memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1967 
1968 	/* Update remote key distribution in case the remote cleared
1969 	 * some bits that we had enabled in our request.
1970 	 */
1971 	smp->remote_key_dist &= rsp->resp_key_dist;
1972 
1973 	if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1974 		set_bit(SMP_FLAG_CT2, &smp->flags);
1975 
1976 	/* For BR/EDR this means we're done and can start phase 3 */
1977 	if (conn->hcon->type == ACL_LINK) {
1978 		/* Clear bits which are generated but not distributed */
1979 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1980 		smp_distribute_keys(smp);
1981 		return 0;
1982 	}
1983 
1984 	if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1985 		set_bit(SMP_FLAG_SC, &smp->flags);
1986 	else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1987 		conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1988 
1989 	/* If we need MITM check that it can be achieved */
1990 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1991 		u8 method;
1992 
1993 		method = get_auth_method(smp, req->io_capability,
1994 					 rsp->io_capability);
1995 		if (method == JUST_WORKS || method == JUST_CFM)
1996 			return SMP_AUTH_REQUIREMENTS;
1997 	}
1998 
1999 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
2000 
2001 	/* Update remote key distribution in case the remote cleared
2002 	 * some bits that we had enabled in our request.
2003 	 */
2004 	smp->remote_key_dist &= rsp->resp_key_dist;
2005 
2006 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2007 		/* Clear bits which are generated but not distributed */
2008 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
2009 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2010 		return sc_send_public_key(smp);
2011 	}
2012 
2013 	auth |= req->auth_req;
2014 
2015 	ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2016 	if (ret)
2017 		return SMP_UNSPECIFIED;
2018 
2019 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2020 
2021 	/* Can't compose response until we have been confirmed */
2022 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2023 		return smp_confirm(smp);
2024 
2025 	return 0;
2026 }
2027 
2028 static u8 sc_check_confirm(struct smp_chan *smp)
2029 {
2030 	struct l2cap_conn *conn = smp->conn;
2031 
2032 	bt_dev_dbg(conn->hcon->hdev, "");
2033 
2034 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2035 		return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2036 
2037 	if (conn->hcon->out) {
2038 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2039 			     smp->prnd);
2040 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2041 	}
2042 
2043 	return 0;
2044 }
2045 
2046 /* Work-around for some implementations that incorrectly copy RFU bits
2047  * from our security request and thereby create the impression that
2048  * we're doing SC when in fact the remote doesn't support it.
2049  */
2050 static int fixup_sc_false_positive(struct smp_chan *smp)
2051 {
2052 	struct l2cap_conn *conn = smp->conn;
2053 	struct hci_conn *hcon = conn->hcon;
2054 	struct hci_dev *hdev = hcon->hdev;
2055 	struct smp_cmd_pairing *req, *rsp;
2056 	u8 auth;
2057 
2058 	/* The issue is only observed when we're in responder role */
2059 	if (hcon->out)
2060 		return SMP_UNSPECIFIED;
2061 
2062 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2063 		bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
2064 		return SMP_UNSPECIFIED;
2065 	}
2066 
2067 	bt_dev_err(hdev, "trying to fall back to legacy SMP");
2068 
2069 	req = (void *) &smp->preq[1];
2070 	rsp = (void *) &smp->prsp[1];
2071 
2072 	/* Rebuild key dist flags which may have been cleared for SC */
2073 	smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2074 
2075 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
2076 
2077 	if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2078 		bt_dev_err(hdev, "failed to fall back to legacy SMP");
2079 		return SMP_UNSPECIFIED;
2080 	}
2081 
2082 	clear_bit(SMP_FLAG_SC, &smp->flags);
2083 
2084 	return 0;
2085 }
2086 
2087 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2088 {
2089 	struct l2cap_chan *chan = conn->smp;
2090 	struct smp_chan *smp = chan->data;
2091 	struct hci_conn *hcon = conn->hcon;
2092 	struct hci_dev *hdev = hcon->hdev;
2093 
2094 	bt_dev_dbg(hdev, "conn %p %s", conn,
2095 		   hcon->out ? "initiator" : "responder");
2096 
2097 	if (skb->len < sizeof(smp->pcnf))
2098 		return SMP_INVALID_PARAMS;
2099 
2100 	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2101 	skb_pull(skb, sizeof(smp->pcnf));
2102 
2103 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2104 		int ret;
2105 
2106 		/* Public Key exchange must happen before any other steps */
2107 		if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2108 			return sc_check_confirm(smp);
2109 
2110 		bt_dev_err(hdev, "Unexpected SMP Pairing Confirm");
2111 
2112 		ret = fixup_sc_false_positive(smp);
2113 		if (ret)
2114 			return ret;
2115 	}
2116 
2117 	if (conn->hcon->out) {
2118 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2119 			     smp->prnd);
2120 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2121 		return 0;
2122 	}
2123 
2124 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2125 		return smp_confirm(smp);
2126 
2127 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2128 
2129 	return 0;
2130 }
2131 
2132 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2133 {
2134 	struct l2cap_chan *chan = conn->smp;
2135 	struct smp_chan *smp = chan->data;
2136 	struct hci_conn *hcon = conn->hcon;
2137 	u8 *pkax, *pkbx, *na, *nb, confirm_hint;
2138 	u32 passkey;
2139 	int err;
2140 
2141 	bt_dev_dbg(hcon->hdev, "conn %p", conn);
2142 
2143 	if (skb->len < sizeof(smp->rrnd))
2144 		return SMP_INVALID_PARAMS;
2145 
2146 	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2147 	skb_pull(skb, sizeof(smp->rrnd));
2148 
2149 	if (!test_bit(SMP_FLAG_SC, &smp->flags))
2150 		return smp_random(smp);
2151 
2152 	if (hcon->out) {
2153 		pkax = smp->local_pk;
2154 		pkbx = smp->remote_pk;
2155 		na   = smp->prnd;
2156 		nb   = smp->rrnd;
2157 	} else {
2158 		pkax = smp->remote_pk;
2159 		pkbx = smp->local_pk;
2160 		na   = smp->rrnd;
2161 		nb   = smp->prnd;
2162 	}
2163 
2164 	if (smp->method == REQ_OOB) {
2165 		if (!hcon->out)
2166 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2167 				     sizeof(smp->prnd), smp->prnd);
2168 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2169 		goto mackey_and_ltk;
2170 	}
2171 
2172 	/* Passkey entry has special treatment */
2173 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2174 		return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2175 
2176 	if (hcon->out) {
2177 		u8 cfm[16];
2178 
2179 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2180 			     smp->rrnd, 0, cfm);
2181 		if (err)
2182 			return SMP_UNSPECIFIED;
2183 
2184 		if (crypto_memneq(smp->pcnf, cfm, 16))
2185 			return SMP_CONFIRM_FAILED;
2186 	} else {
2187 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2188 			     smp->prnd);
2189 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2190 
2191 		/* Only Just-Works pairing requires extra checks */
2192 		if (smp->method != JUST_WORKS)
2193 			goto mackey_and_ltk;
2194 
2195 		/* If there already exists long term key in local host, leave
2196 		 * the decision to user space since the remote device could
2197 		 * be legitimate or malicious.
2198 		 */
2199 		if (hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
2200 				 hcon->role)) {
2201 			/* Set passkey to 0. The value can be any number since
2202 			 * it'll be ignored anyway.
2203 			 */
2204 			passkey = 0;
2205 			confirm_hint = 1;
2206 			goto confirm;
2207 		}
2208 	}
2209 
2210 mackey_and_ltk:
2211 	/* Generate MacKey and LTK */
2212 	err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2213 	if (err)
2214 		return SMP_UNSPECIFIED;
2215 
2216 	if (smp->method == REQ_OOB) {
2217 		if (hcon->out) {
2218 			sc_dhkey_check(smp);
2219 			SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2220 		}
2221 		return 0;
2222 	}
2223 
2224 	err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2225 	if (err)
2226 		return SMP_UNSPECIFIED;
2227 
2228 	confirm_hint = 0;
2229 
2230 confirm:
2231 	if (smp->method == JUST_WORKS)
2232 		confirm_hint = 1;
2233 
2234 	err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2235 					hcon->dst_type, passkey, confirm_hint);
2236 	if (err)
2237 		return SMP_UNSPECIFIED;
2238 
2239 	set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2240 
2241 	return 0;
2242 }
2243 
2244 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2245 {
2246 	struct smp_ltk *key;
2247 	struct hci_conn *hcon = conn->hcon;
2248 
2249 	key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2250 	if (!key)
2251 		return false;
2252 
2253 	if (smp_ltk_sec_level(key) < sec_level)
2254 		return false;
2255 
2256 	if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2257 		return true;
2258 
2259 	hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2260 	hcon->enc_key_size = key->enc_size;
2261 
2262 	/* We never store STKs for initiator role, so clear this flag */
2263 	clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2264 
2265 	return true;
2266 }
2267 
2268 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2269 			     enum smp_key_pref key_pref)
2270 {
2271 	if (sec_level == BT_SECURITY_LOW)
2272 		return true;
2273 
2274 	/* If we're encrypted with an STK but the caller prefers using
2275 	 * LTK claim insufficient security. This way we allow the
2276 	 * connection to be re-encrypted with an LTK, even if the LTK
2277 	 * provides the same level of security. Only exception is if we
2278 	 * don't have an LTK (e.g. because of key distribution bits).
2279 	 */
2280 	if (key_pref == SMP_USE_LTK &&
2281 	    test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2282 	    hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2283 		return false;
2284 
2285 	if (hcon->sec_level >= sec_level)
2286 		return true;
2287 
2288 	return false;
2289 }
2290 
2291 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2292 {
2293 	struct smp_cmd_security_req *rp = (void *) skb->data;
2294 	struct smp_cmd_pairing cp;
2295 	struct hci_conn *hcon = conn->hcon;
2296 	struct hci_dev *hdev = hcon->hdev;
2297 	struct smp_chan *smp;
2298 	u8 sec_level, auth;
2299 
2300 	bt_dev_dbg(hdev, "conn %p", conn);
2301 
2302 	if (skb->len < sizeof(*rp))
2303 		return SMP_INVALID_PARAMS;
2304 
2305 	if (hcon->role != HCI_ROLE_MASTER)
2306 		return SMP_CMD_NOTSUPP;
2307 
2308 	auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2309 
2310 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2311 		return SMP_AUTH_REQUIREMENTS;
2312 
2313 	if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2314 		sec_level = BT_SECURITY_MEDIUM;
2315 	else
2316 		sec_level = authreq_to_seclevel(auth);
2317 
2318 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2319 		/* If link is already encrypted with sufficient security we
2320 		 * still need refresh encryption as per Core Spec 5.0 Vol 3,
2321 		 * Part H 2.4.6
2322 		 */
2323 		smp_ltk_encrypt(conn, hcon->sec_level);
2324 		return 0;
2325 	}
2326 
2327 	if (sec_level > hcon->pending_sec_level)
2328 		hcon->pending_sec_level = sec_level;
2329 
2330 	if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2331 		return 0;
2332 
2333 	smp = smp_chan_create(conn);
2334 	if (!smp)
2335 		return SMP_UNSPECIFIED;
2336 
2337 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2338 	    (auth & SMP_AUTH_BONDING))
2339 		return SMP_PAIRING_NOTSUPP;
2340 
2341 	skb_pull(skb, sizeof(*rp));
2342 
2343 	memset(&cp, 0, sizeof(cp));
2344 	build_pairing_cmd(conn, &cp, NULL, auth);
2345 
2346 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2347 	memcpy(&smp->preq[1], &cp, sizeof(cp));
2348 
2349 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2350 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2351 
2352 	return 0;
2353 }
2354 
2355 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2356 {
2357 	struct l2cap_conn *conn = hcon->l2cap_data;
2358 	struct l2cap_chan *chan;
2359 	struct smp_chan *smp;
2360 	__u8 authreq;
2361 	int ret;
2362 
2363 	bt_dev_dbg(hcon->hdev, "conn %p hcon %p level 0x%2.2x", conn, hcon,
2364 		   sec_level);
2365 
2366 	/* This may be NULL if there's an unexpected disconnection */
2367 	if (!conn)
2368 		return 1;
2369 
2370 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2371 		return 1;
2372 
2373 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2374 		return 1;
2375 
2376 	if (sec_level > hcon->pending_sec_level)
2377 		hcon->pending_sec_level = sec_level;
2378 
2379 	if (hcon->role == HCI_ROLE_MASTER)
2380 		if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2381 			return 0;
2382 
2383 	chan = conn->smp;
2384 	if (!chan) {
2385 		bt_dev_err(hcon->hdev, "security requested but not available");
2386 		return 1;
2387 	}
2388 
2389 	l2cap_chan_lock(chan);
2390 
2391 	/* If SMP is already in progress ignore this request */
2392 	if (chan->data) {
2393 		ret = 0;
2394 		goto unlock;
2395 	}
2396 
2397 	smp = smp_chan_create(conn);
2398 	if (!smp) {
2399 		ret = 1;
2400 		goto unlock;
2401 	}
2402 
2403 	authreq = seclevel_to_authreq(sec_level);
2404 
2405 	if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2406 		authreq |= SMP_AUTH_SC;
2407 		if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2408 			authreq |= SMP_AUTH_CT2;
2409 	}
2410 
2411 	/* Don't attempt to set MITM if setting is overridden by debugfs
2412 	 * Needed to pass certification test SM/MAS/PKE/BV-01-C
2413 	 */
2414 	if (!hci_dev_test_flag(hcon->hdev, HCI_FORCE_NO_MITM)) {
2415 		/* Require MITM if IO Capability allows or the security level
2416 		 * requires it.
2417 		 */
2418 		if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2419 		    hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2420 			authreq |= SMP_AUTH_MITM;
2421 	}
2422 
2423 	if (hcon->role == HCI_ROLE_MASTER) {
2424 		struct smp_cmd_pairing cp;
2425 
2426 		build_pairing_cmd(conn, &cp, NULL, authreq);
2427 		smp->preq[0] = SMP_CMD_PAIRING_REQ;
2428 		memcpy(&smp->preq[1], &cp, sizeof(cp));
2429 
2430 		smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2431 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2432 	} else {
2433 		struct smp_cmd_security_req cp;
2434 		cp.auth_req = authreq;
2435 		smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2436 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2437 	}
2438 
2439 	set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2440 	ret = 0;
2441 
2442 unlock:
2443 	l2cap_chan_unlock(chan);
2444 	return ret;
2445 }
2446 
2447 int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2448 				  u8 addr_type)
2449 {
2450 	struct hci_conn *hcon;
2451 	struct l2cap_conn *conn;
2452 	struct l2cap_chan *chan;
2453 	struct smp_chan *smp;
2454 	int err;
2455 
2456 	err = hci_remove_ltk(hdev, bdaddr, addr_type);
2457 	hci_remove_irk(hdev, bdaddr, addr_type);
2458 
2459 	hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2460 	if (!hcon)
2461 		goto done;
2462 
2463 	conn = hcon->l2cap_data;
2464 	if (!conn)
2465 		goto done;
2466 
2467 	chan = conn->smp;
2468 	if (!chan)
2469 		goto done;
2470 
2471 	l2cap_chan_lock(chan);
2472 
2473 	smp = chan->data;
2474 	if (smp) {
2475 		/* Set keys to NULL to make sure smp_failure() does not try to
2476 		 * remove and free already invalidated rcu list entries. */
2477 		smp->ltk = NULL;
2478 		smp->responder_ltk = NULL;
2479 		smp->remote_irk = NULL;
2480 
2481 		if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2482 			smp_failure(conn, 0);
2483 		else
2484 			smp_failure(conn, SMP_UNSPECIFIED);
2485 		err = 0;
2486 	}
2487 
2488 	l2cap_chan_unlock(chan);
2489 
2490 done:
2491 	return err;
2492 }
2493 
2494 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2495 {
2496 	struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2497 	struct l2cap_chan *chan = conn->smp;
2498 	struct smp_chan *smp = chan->data;
2499 
2500 	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
2501 
2502 	if (skb->len < sizeof(*rp))
2503 		return SMP_INVALID_PARAMS;
2504 
2505 	/* Pairing is aborted if any blocked keys are distributed */
2506 	if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_LTK,
2507 			       rp->ltk)) {
2508 		bt_dev_warn_ratelimited(conn->hcon->hdev,
2509 					"LTK blocked for %pMR",
2510 					&conn->hcon->dst);
2511 		return SMP_INVALID_PARAMS;
2512 	}
2513 
2514 	SMP_ALLOW_CMD(smp, SMP_CMD_INITIATOR_IDENT);
2515 
2516 	skb_pull(skb, sizeof(*rp));
2517 
2518 	memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2519 
2520 	return 0;
2521 }
2522 
2523 static int smp_cmd_initiator_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2524 {
2525 	struct smp_cmd_initiator_ident *rp = (void *)skb->data;
2526 	struct l2cap_chan *chan = conn->smp;
2527 	struct smp_chan *smp = chan->data;
2528 	struct hci_dev *hdev = conn->hcon->hdev;
2529 	struct hci_conn *hcon = conn->hcon;
2530 	struct smp_ltk *ltk;
2531 	u8 authenticated;
2532 
2533 	bt_dev_dbg(hdev, "conn %p", conn);
2534 
2535 	if (skb->len < sizeof(*rp))
2536 		return SMP_INVALID_PARAMS;
2537 
2538 	/* Mark the information as received */
2539 	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2540 
2541 	if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2542 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2543 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
2544 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2545 
2546 	skb_pull(skb, sizeof(*rp));
2547 
2548 	authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2549 	ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2550 			  authenticated, smp->tk, smp->enc_key_size,
2551 			  rp->ediv, rp->rand);
2552 	smp->ltk = ltk;
2553 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2554 		smp_distribute_keys(smp);
2555 
2556 	return 0;
2557 }
2558 
2559 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2560 {
2561 	struct smp_cmd_ident_info *info = (void *) skb->data;
2562 	struct l2cap_chan *chan = conn->smp;
2563 	struct smp_chan *smp = chan->data;
2564 
2565 	bt_dev_dbg(conn->hcon->hdev, "");
2566 
2567 	if (skb->len < sizeof(*info))
2568 		return SMP_INVALID_PARAMS;
2569 
2570 	/* Pairing is aborted if any blocked keys are distributed */
2571 	if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_IRK,
2572 			       info->irk)) {
2573 		bt_dev_warn_ratelimited(conn->hcon->hdev,
2574 					"Identity key blocked for %pMR",
2575 					&conn->hcon->dst);
2576 		return SMP_INVALID_PARAMS;
2577 	}
2578 
2579 	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2580 
2581 	skb_pull(skb, sizeof(*info));
2582 
2583 	memcpy(smp->irk, info->irk, 16);
2584 
2585 	return 0;
2586 }
2587 
2588 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2589 				   struct sk_buff *skb)
2590 {
2591 	struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2592 	struct l2cap_chan *chan = conn->smp;
2593 	struct smp_chan *smp = chan->data;
2594 	struct hci_conn *hcon = conn->hcon;
2595 	bdaddr_t rpa;
2596 
2597 	bt_dev_dbg(hcon->hdev, "");
2598 
2599 	if (skb->len < sizeof(*info))
2600 		return SMP_INVALID_PARAMS;
2601 
2602 	/* Mark the information as received */
2603 	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2604 
2605 	if (smp->remote_key_dist & SMP_DIST_SIGN)
2606 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2607 
2608 	skb_pull(skb, sizeof(*info));
2609 
2610 	/* Strictly speaking the Core Specification (4.1) allows sending
2611 	 * an empty address which would force us to rely on just the IRK
2612 	 * as "identity information". However, since such
2613 	 * implementations are not known of and in order to not over
2614 	 * complicate our implementation, simply pretend that we never
2615 	 * received an IRK for such a device.
2616 	 *
2617 	 * The Identity Address must also be a Static Random or Public
2618 	 * Address, which hci_is_identity_address() checks for.
2619 	 */
2620 	if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2621 	    !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2622 		bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
2623 		goto distribute;
2624 	}
2625 
2626 	/* Drop IRK if peer is using identity address during pairing but is
2627 	 * providing different address as identity information.
2628 	 *
2629 	 * Microsoft Surface Precision Mouse is known to have this bug.
2630 	 */
2631 	if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
2632 	    (bacmp(&info->bdaddr, &hcon->dst) ||
2633 	     info->addr_type != hcon->dst_type)) {
2634 		bt_dev_err(hcon->hdev,
2635 			   "ignoring IRK with invalid identity address");
2636 		goto distribute;
2637 	}
2638 
2639 	bacpy(&smp->id_addr, &info->bdaddr);
2640 	smp->id_addr_type = info->addr_type;
2641 
2642 	if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2643 		bacpy(&rpa, &hcon->dst);
2644 	else
2645 		bacpy(&rpa, BDADDR_ANY);
2646 
2647 	smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2648 				      smp->id_addr_type, smp->irk, &rpa);
2649 
2650 distribute:
2651 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2652 		smp_distribute_keys(smp);
2653 
2654 	return 0;
2655 }
2656 
2657 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2658 {
2659 	struct smp_cmd_sign_info *rp = (void *) skb->data;
2660 	struct l2cap_chan *chan = conn->smp;
2661 	struct smp_chan *smp = chan->data;
2662 	struct smp_csrk *csrk;
2663 
2664 	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
2665 
2666 	if (skb->len < sizeof(*rp))
2667 		return SMP_INVALID_PARAMS;
2668 
2669 	/* Mark the information as received */
2670 	smp->remote_key_dist &= ~SMP_DIST_SIGN;
2671 
2672 	skb_pull(skb, sizeof(*rp));
2673 
2674 	csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2675 	if (csrk) {
2676 		if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2677 			csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2678 		else
2679 			csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2680 		memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2681 	}
2682 	smp->csrk = csrk;
2683 	smp_distribute_keys(smp);
2684 
2685 	return 0;
2686 }
2687 
2688 static u8 sc_select_method(struct smp_chan *smp)
2689 {
2690 	struct l2cap_conn *conn = smp->conn;
2691 	struct hci_conn *hcon = conn->hcon;
2692 	struct smp_cmd_pairing *local, *remote;
2693 	u8 local_mitm, remote_mitm, local_io, remote_io, method;
2694 
2695 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2696 	    test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2697 		return REQ_OOB;
2698 
2699 	/* The preq/prsp contain the raw Pairing Request/Response PDUs
2700 	 * which are needed as inputs to some crypto functions. To get
2701 	 * the "struct smp_cmd_pairing" from them we need to skip the
2702 	 * first byte which contains the opcode.
2703 	 */
2704 	if (hcon->out) {
2705 		local = (void *) &smp->preq[1];
2706 		remote = (void *) &smp->prsp[1];
2707 	} else {
2708 		local = (void *) &smp->prsp[1];
2709 		remote = (void *) &smp->preq[1];
2710 	}
2711 
2712 	local_io = local->io_capability;
2713 	remote_io = remote->io_capability;
2714 
2715 	local_mitm = (local->auth_req & SMP_AUTH_MITM);
2716 	remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2717 
2718 	/* If either side wants MITM, look up the method from the table,
2719 	 * otherwise use JUST WORKS.
2720 	 */
2721 	if (local_mitm || remote_mitm)
2722 		method = get_auth_method(smp, local_io, remote_io);
2723 	else
2724 		method = JUST_WORKS;
2725 
2726 	/* Don't confirm locally initiated pairing attempts */
2727 	if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2728 		method = JUST_WORKS;
2729 
2730 	return method;
2731 }
2732 
2733 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2734 {
2735 	struct smp_cmd_public_key *key = (void *) skb->data;
2736 	struct hci_conn *hcon = conn->hcon;
2737 	struct l2cap_chan *chan = conn->smp;
2738 	struct smp_chan *smp = chan->data;
2739 	struct hci_dev *hdev = hcon->hdev;
2740 	struct crypto_kpp *tfm_ecdh;
2741 	struct smp_cmd_pairing_confirm cfm;
2742 	int err;
2743 
2744 	bt_dev_dbg(hdev, "conn %p", conn);
2745 
2746 	if (skb->len < sizeof(*key))
2747 		return SMP_INVALID_PARAMS;
2748 
2749 	/* Check if remote and local public keys are the same and debug key is
2750 	 * not in use.
2751 	 */
2752 	if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) &&
2753 	    !crypto_memneq(key, smp->local_pk, 64)) {
2754 		bt_dev_err(hdev, "Remote and local public keys are identical");
2755 		return SMP_UNSPECIFIED;
2756 	}
2757 
2758 	memcpy(smp->remote_pk, key, 64);
2759 
2760 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2761 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2762 			     smp->rr, 0, cfm.confirm_val);
2763 		if (err)
2764 			return SMP_UNSPECIFIED;
2765 
2766 		if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2767 			return SMP_CONFIRM_FAILED;
2768 	}
2769 
2770 	/* Non-initiating device sends its public key after receiving
2771 	 * the key from the initiating device.
2772 	 */
2773 	if (!hcon->out) {
2774 		err = sc_send_public_key(smp);
2775 		if (err)
2776 			return err;
2777 	}
2778 
2779 	SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2780 	SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2781 
2782 	/* Compute the shared secret on the same crypto tfm on which the private
2783 	 * key was set/generated.
2784 	 */
2785 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
2786 		struct l2cap_chan *hchan = hdev->smp_data;
2787 		struct smp_dev *smp_dev;
2788 
2789 		if (!hchan || !hchan->data)
2790 			return SMP_UNSPECIFIED;
2791 
2792 		smp_dev = hchan->data;
2793 
2794 		tfm_ecdh = smp_dev->tfm_ecdh;
2795 	} else {
2796 		tfm_ecdh = smp->tfm_ecdh;
2797 	}
2798 
2799 	if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
2800 		return SMP_UNSPECIFIED;
2801 
2802 	SMP_DBG("DHKey %32phN", smp->dhkey);
2803 
2804 	set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2805 
2806 	smp->method = sc_select_method(smp);
2807 
2808 	bt_dev_dbg(hdev, "selected method 0x%02x", smp->method);
2809 
2810 	/* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2811 	if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2812 		hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2813 	else
2814 		hcon->pending_sec_level = BT_SECURITY_FIPS;
2815 
2816 	if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2817 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2818 
2819 	if (smp->method == DSP_PASSKEY) {
2820 		get_random_bytes(&hcon->passkey_notify,
2821 				 sizeof(hcon->passkey_notify));
2822 		hcon->passkey_notify %= 1000000;
2823 		hcon->passkey_entered = 0;
2824 		smp->passkey_round = 0;
2825 		if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2826 					     hcon->dst_type,
2827 					     hcon->passkey_notify,
2828 					     hcon->passkey_entered))
2829 			return SMP_UNSPECIFIED;
2830 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2831 		return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2832 	}
2833 
2834 	if (smp->method == REQ_OOB) {
2835 		if (hcon->out)
2836 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2837 				     sizeof(smp->prnd), smp->prnd);
2838 
2839 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2840 
2841 		return 0;
2842 	}
2843 
2844 	if (hcon->out)
2845 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2846 
2847 	if (smp->method == REQ_PASSKEY) {
2848 		if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2849 					      hcon->dst_type))
2850 			return SMP_UNSPECIFIED;
2851 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2852 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2853 		return 0;
2854 	}
2855 
2856 	/* The Initiating device waits for the non-initiating device to
2857 	 * send the confirm value.
2858 	 */
2859 	if (conn->hcon->out)
2860 		return 0;
2861 
2862 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2863 		     0, cfm.confirm_val);
2864 	if (err)
2865 		return SMP_UNSPECIFIED;
2866 
2867 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2868 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2869 
2870 	return 0;
2871 }
2872 
2873 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2874 {
2875 	struct smp_cmd_dhkey_check *check = (void *) skb->data;
2876 	struct l2cap_chan *chan = conn->smp;
2877 	struct hci_conn *hcon = conn->hcon;
2878 	struct smp_chan *smp = chan->data;
2879 	u8 a[7], b[7], *local_addr, *remote_addr;
2880 	u8 io_cap[3], r[16], e[16];
2881 	int err;
2882 
2883 	bt_dev_dbg(hcon->hdev, "conn %p", conn);
2884 
2885 	if (skb->len < sizeof(*check))
2886 		return SMP_INVALID_PARAMS;
2887 
2888 	memcpy(a, &hcon->init_addr, 6);
2889 	memcpy(b, &hcon->resp_addr, 6);
2890 	a[6] = hcon->init_addr_type;
2891 	b[6] = hcon->resp_addr_type;
2892 
2893 	if (hcon->out) {
2894 		local_addr = a;
2895 		remote_addr = b;
2896 		memcpy(io_cap, &smp->prsp[1], 3);
2897 	} else {
2898 		local_addr = b;
2899 		remote_addr = a;
2900 		memcpy(io_cap, &smp->preq[1], 3);
2901 	}
2902 
2903 	memset(r, 0, sizeof(r));
2904 
2905 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2906 		put_unaligned_le32(hcon->passkey_notify, r);
2907 	else if (smp->method == REQ_OOB)
2908 		memcpy(r, smp->lr, 16);
2909 
2910 	err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2911 		     io_cap, remote_addr, local_addr, e);
2912 	if (err)
2913 		return SMP_UNSPECIFIED;
2914 
2915 	if (crypto_memneq(check->e, e, 16))
2916 		return SMP_DHKEY_CHECK_FAILED;
2917 
2918 	if (!hcon->out) {
2919 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2920 			set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2921 			return 0;
2922 		}
2923 
2924 		/* Responder sends DHKey check as response to initiator */
2925 		sc_dhkey_check(smp);
2926 	}
2927 
2928 	sc_add_ltk(smp);
2929 
2930 	if (hcon->out) {
2931 		hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2932 		hcon->enc_key_size = smp->enc_key_size;
2933 	}
2934 
2935 	return 0;
2936 }
2937 
2938 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2939 				   struct sk_buff *skb)
2940 {
2941 	struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2942 
2943 	bt_dev_dbg(conn->hcon->hdev, "value 0x%02x", kp->value);
2944 
2945 	return 0;
2946 }
2947 
2948 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2949 {
2950 	struct l2cap_conn *conn = chan->conn;
2951 	struct hci_conn *hcon = conn->hcon;
2952 	struct smp_chan *smp;
2953 	__u8 code, reason;
2954 	int err = 0;
2955 
2956 	if (skb->len < 1)
2957 		return -EILSEQ;
2958 
2959 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2960 		reason = SMP_PAIRING_NOTSUPP;
2961 		goto done;
2962 	}
2963 
2964 	code = skb->data[0];
2965 	skb_pull(skb, sizeof(code));
2966 
2967 	smp = chan->data;
2968 
2969 	if (code > SMP_CMD_MAX)
2970 		goto drop;
2971 
2972 	if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2973 		goto drop;
2974 
2975 	/* If we don't have a context the only allowed commands are
2976 	 * pairing request and security request.
2977 	 */
2978 	if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2979 		goto drop;
2980 
2981 	switch (code) {
2982 	case SMP_CMD_PAIRING_REQ:
2983 		reason = smp_cmd_pairing_req(conn, skb);
2984 		break;
2985 
2986 	case SMP_CMD_PAIRING_FAIL:
2987 		smp_failure(conn, 0);
2988 		err = -EPERM;
2989 		break;
2990 
2991 	case SMP_CMD_PAIRING_RSP:
2992 		reason = smp_cmd_pairing_rsp(conn, skb);
2993 		break;
2994 
2995 	case SMP_CMD_SECURITY_REQ:
2996 		reason = smp_cmd_security_req(conn, skb);
2997 		break;
2998 
2999 	case SMP_CMD_PAIRING_CONFIRM:
3000 		reason = smp_cmd_pairing_confirm(conn, skb);
3001 		break;
3002 
3003 	case SMP_CMD_PAIRING_RANDOM:
3004 		reason = smp_cmd_pairing_random(conn, skb);
3005 		break;
3006 
3007 	case SMP_CMD_ENCRYPT_INFO:
3008 		reason = smp_cmd_encrypt_info(conn, skb);
3009 		break;
3010 
3011 	case SMP_CMD_INITIATOR_IDENT:
3012 		reason = smp_cmd_initiator_ident(conn, skb);
3013 		break;
3014 
3015 	case SMP_CMD_IDENT_INFO:
3016 		reason = smp_cmd_ident_info(conn, skb);
3017 		break;
3018 
3019 	case SMP_CMD_IDENT_ADDR_INFO:
3020 		reason = smp_cmd_ident_addr_info(conn, skb);
3021 		break;
3022 
3023 	case SMP_CMD_SIGN_INFO:
3024 		reason = smp_cmd_sign_info(conn, skb);
3025 		break;
3026 
3027 	case SMP_CMD_PUBLIC_KEY:
3028 		reason = smp_cmd_public_key(conn, skb);
3029 		break;
3030 
3031 	case SMP_CMD_DHKEY_CHECK:
3032 		reason = smp_cmd_dhkey_check(conn, skb);
3033 		break;
3034 
3035 	case SMP_CMD_KEYPRESS_NOTIFY:
3036 		reason = smp_cmd_keypress_notify(conn, skb);
3037 		break;
3038 
3039 	default:
3040 		bt_dev_dbg(hcon->hdev, "Unknown command code 0x%2.2x", code);
3041 		reason = SMP_CMD_NOTSUPP;
3042 		goto done;
3043 	}
3044 
3045 done:
3046 	if (!err) {
3047 		if (reason)
3048 			smp_failure(conn, reason);
3049 		kfree_skb(skb);
3050 	}
3051 
3052 	return err;
3053 
3054 drop:
3055 	bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
3056 		   code, &hcon->dst);
3057 	kfree_skb(skb);
3058 	return 0;
3059 }
3060 
3061 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
3062 {
3063 	struct l2cap_conn *conn = chan->conn;
3064 
3065 	bt_dev_dbg(conn->hcon->hdev, "chan %p", chan);
3066 
3067 	if (chan->data)
3068 		smp_chan_destroy(conn);
3069 
3070 	conn->smp = NULL;
3071 	l2cap_chan_put(chan);
3072 }
3073 
3074 static void bredr_pairing(struct l2cap_chan *chan)
3075 {
3076 	struct l2cap_conn *conn = chan->conn;
3077 	struct hci_conn *hcon = conn->hcon;
3078 	struct hci_dev *hdev = hcon->hdev;
3079 	struct smp_cmd_pairing req;
3080 	struct smp_chan *smp;
3081 
3082 	bt_dev_dbg(hdev, "chan %p", chan);
3083 
3084 	/* Only new pairings are interesting */
3085 	if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
3086 		return;
3087 
3088 	/* Don't bother if we're not encrypted */
3089 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3090 		return;
3091 
3092 	/* Only initiator may initiate SMP over BR/EDR */
3093 	if (hcon->role != HCI_ROLE_MASTER)
3094 		return;
3095 
3096 	/* Secure Connections support must be enabled */
3097 	if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
3098 		return;
3099 
3100 	/* BR/EDR must use Secure Connections for SMP */
3101 	if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
3102 	    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3103 		return;
3104 
3105 	/* If our LE support is not enabled don't do anything */
3106 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3107 		return;
3108 
3109 	/* Don't bother if remote LE support is not enabled */
3110 	if (!lmp_host_le_capable(hcon))
3111 		return;
3112 
3113 	/* Remote must support SMP fixed chan for BR/EDR */
3114 	if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3115 		return;
3116 
3117 	/* Don't bother if SMP is already ongoing */
3118 	if (chan->data)
3119 		return;
3120 
3121 	smp = smp_chan_create(conn);
3122 	if (!smp) {
3123 		bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
3124 		return;
3125 	}
3126 
3127 	set_bit(SMP_FLAG_SC, &smp->flags);
3128 
3129 	bt_dev_dbg(hdev, "starting SMP over BR/EDR");
3130 
3131 	/* Prepare and send the BR/EDR SMP Pairing Request */
3132 	build_bredr_pairing_cmd(smp, &req, NULL);
3133 
3134 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
3135 	memcpy(&smp->preq[1], &req, sizeof(req));
3136 
3137 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3138 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3139 }
3140 
3141 static void smp_resume_cb(struct l2cap_chan *chan)
3142 {
3143 	struct smp_chan *smp = chan->data;
3144 	struct l2cap_conn *conn = chan->conn;
3145 	struct hci_conn *hcon = conn->hcon;
3146 
3147 	bt_dev_dbg(hcon->hdev, "chan %p", chan);
3148 
3149 	if (hcon->type == ACL_LINK) {
3150 		bredr_pairing(chan);
3151 		return;
3152 	}
3153 
3154 	if (!smp)
3155 		return;
3156 
3157 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3158 		return;
3159 
3160 	cancel_delayed_work(&smp->security_timer);
3161 
3162 	smp_distribute_keys(smp);
3163 }
3164 
3165 static void smp_ready_cb(struct l2cap_chan *chan)
3166 {
3167 	struct l2cap_conn *conn = chan->conn;
3168 	struct hci_conn *hcon = conn->hcon;
3169 
3170 	bt_dev_dbg(hcon->hdev, "chan %p", chan);
3171 
3172 	/* No need to call l2cap_chan_hold() here since we already own
3173 	 * the reference taken in smp_new_conn_cb(). This is just the
3174 	 * first time that we tie it to a specific pointer. The code in
3175 	 * l2cap_core.c ensures that there's no risk this function wont
3176 	 * get called if smp_new_conn_cb was previously called.
3177 	 */
3178 	conn->smp = chan;
3179 
3180 	if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3181 		bredr_pairing(chan);
3182 }
3183 
3184 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3185 {
3186 	int err;
3187 
3188 	bt_dev_dbg(chan->conn->hcon->hdev, "chan %p", chan);
3189 
3190 	err = smp_sig_channel(chan, skb);
3191 	if (err) {
3192 		struct smp_chan *smp = chan->data;
3193 
3194 		if (smp)
3195 			cancel_delayed_work_sync(&smp->security_timer);
3196 
3197 		hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3198 	}
3199 
3200 	return err;
3201 }
3202 
3203 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3204 					unsigned long hdr_len,
3205 					unsigned long len, int nb)
3206 {
3207 	struct sk_buff *skb;
3208 
3209 	skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3210 	if (!skb)
3211 		return ERR_PTR(-ENOMEM);
3212 
3213 	skb->priority = HCI_PRIO_MAX;
3214 	bt_cb(skb)->l2cap.chan = chan;
3215 
3216 	return skb;
3217 }
3218 
3219 static const struct l2cap_ops smp_chan_ops = {
3220 	.name			= "Security Manager",
3221 	.ready			= smp_ready_cb,
3222 	.recv			= smp_recv_cb,
3223 	.alloc_skb		= smp_alloc_skb_cb,
3224 	.teardown		= smp_teardown_cb,
3225 	.resume			= smp_resume_cb,
3226 
3227 	.new_connection		= l2cap_chan_no_new_connection,
3228 	.state_change		= l2cap_chan_no_state_change,
3229 	.close			= l2cap_chan_no_close,
3230 	.defer			= l2cap_chan_no_defer,
3231 	.suspend		= l2cap_chan_no_suspend,
3232 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3233 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3234 };
3235 
3236 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3237 {
3238 	struct l2cap_chan *chan;
3239 
3240 	BT_DBG("pchan %p", pchan);
3241 
3242 	chan = l2cap_chan_create();
3243 	if (!chan)
3244 		return NULL;
3245 
3246 	chan->chan_type	= pchan->chan_type;
3247 	chan->ops	= &smp_chan_ops;
3248 	chan->scid	= pchan->scid;
3249 	chan->dcid	= chan->scid;
3250 	chan->imtu	= pchan->imtu;
3251 	chan->omtu	= pchan->omtu;
3252 	chan->mode	= pchan->mode;
3253 
3254 	/* Other L2CAP channels may request SMP routines in order to
3255 	 * change the security level. This means that the SMP channel
3256 	 * lock must be considered in its own category to avoid lockdep
3257 	 * warnings.
3258 	 */
3259 	atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3260 
3261 	BT_DBG("created chan %p", chan);
3262 
3263 	return chan;
3264 }
3265 
3266 static const struct l2cap_ops smp_root_chan_ops = {
3267 	.name			= "Security Manager Root",
3268 	.new_connection		= smp_new_conn_cb,
3269 
3270 	/* None of these are implemented for the root channel */
3271 	.close			= l2cap_chan_no_close,
3272 	.alloc_skb		= l2cap_chan_no_alloc_skb,
3273 	.recv			= l2cap_chan_no_recv,
3274 	.state_change		= l2cap_chan_no_state_change,
3275 	.teardown		= l2cap_chan_no_teardown,
3276 	.ready			= l2cap_chan_no_ready,
3277 	.defer			= l2cap_chan_no_defer,
3278 	.suspend		= l2cap_chan_no_suspend,
3279 	.resume			= l2cap_chan_no_resume,
3280 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3281 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3282 };
3283 
3284 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3285 {
3286 	struct l2cap_chan *chan;
3287 	struct smp_dev *smp;
3288 	struct crypto_shash *tfm_cmac;
3289 	struct crypto_kpp *tfm_ecdh;
3290 
3291 	if (cid == L2CAP_CID_SMP_BREDR) {
3292 		smp = NULL;
3293 		goto create_chan;
3294 	}
3295 
3296 	smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3297 	if (!smp)
3298 		return ERR_PTR(-ENOMEM);
3299 
3300 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3301 	if (IS_ERR(tfm_cmac)) {
3302 		bt_dev_err(hdev, "Unable to create CMAC crypto context");
3303 		kfree_sensitive(smp);
3304 		return ERR_CAST(tfm_cmac);
3305 	}
3306 
3307 	tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
3308 	if (IS_ERR(tfm_ecdh)) {
3309 		bt_dev_err(hdev, "Unable to create ECDH crypto context");
3310 		crypto_free_shash(tfm_cmac);
3311 		kfree_sensitive(smp);
3312 		return ERR_CAST(tfm_ecdh);
3313 	}
3314 
3315 	smp->local_oob = false;
3316 	smp->tfm_cmac = tfm_cmac;
3317 	smp->tfm_ecdh = tfm_ecdh;
3318 
3319 create_chan:
3320 	chan = l2cap_chan_create();
3321 	if (!chan) {
3322 		if (smp) {
3323 			crypto_free_shash(smp->tfm_cmac);
3324 			crypto_free_kpp(smp->tfm_ecdh);
3325 			kfree_sensitive(smp);
3326 		}
3327 		return ERR_PTR(-ENOMEM);
3328 	}
3329 
3330 	chan->data = smp;
3331 
3332 	l2cap_add_scid(chan, cid);
3333 
3334 	l2cap_chan_set_defaults(chan);
3335 
3336 	if (cid == L2CAP_CID_SMP) {
3337 		u8 bdaddr_type;
3338 
3339 		hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3340 
3341 		if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3342 			chan->src_type = BDADDR_LE_PUBLIC;
3343 		else
3344 			chan->src_type = BDADDR_LE_RANDOM;
3345 	} else {
3346 		bacpy(&chan->src, &hdev->bdaddr);
3347 		chan->src_type = BDADDR_BREDR;
3348 	}
3349 
3350 	chan->state = BT_LISTEN;
3351 	chan->mode = L2CAP_MODE_BASIC;
3352 	chan->imtu = L2CAP_DEFAULT_MTU;
3353 	chan->ops = &smp_root_chan_ops;
3354 
3355 	/* Set correct nesting level for a parent/listening channel */
3356 	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3357 
3358 	return chan;
3359 }
3360 
3361 static void smp_del_chan(struct l2cap_chan *chan)
3362 {
3363 	struct smp_dev *smp;
3364 
3365 	BT_DBG("chan %p", chan);
3366 
3367 	smp = chan->data;
3368 	if (smp) {
3369 		chan->data = NULL;
3370 		crypto_free_shash(smp->tfm_cmac);
3371 		crypto_free_kpp(smp->tfm_ecdh);
3372 		kfree_sensitive(smp);
3373 	}
3374 
3375 	l2cap_chan_put(chan);
3376 }
3377 
3378 int smp_force_bredr(struct hci_dev *hdev, bool enable)
3379 {
3380 	if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3381 		return -EALREADY;
3382 
3383 	if (enable) {
3384 		struct l2cap_chan *chan;
3385 
3386 		chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3387 		if (IS_ERR(chan))
3388 			return PTR_ERR(chan);
3389 
3390 		hdev->smp_bredr_data = chan;
3391 	} else {
3392 		struct l2cap_chan *chan;
3393 
3394 		chan = hdev->smp_bredr_data;
3395 		hdev->smp_bredr_data = NULL;
3396 		smp_del_chan(chan);
3397 	}
3398 
3399 	hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3400 
3401 	return 0;
3402 }
3403 
3404 int smp_register(struct hci_dev *hdev)
3405 {
3406 	struct l2cap_chan *chan;
3407 
3408 	bt_dev_dbg(hdev, "");
3409 
3410 	/* If the controller does not support Low Energy operation, then
3411 	 * there is also no need to register any SMP channel.
3412 	 */
3413 	if (!lmp_le_capable(hdev))
3414 		return 0;
3415 
3416 	if (WARN_ON(hdev->smp_data)) {
3417 		chan = hdev->smp_data;
3418 		hdev->smp_data = NULL;
3419 		smp_del_chan(chan);
3420 	}
3421 
3422 	chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3423 	if (IS_ERR(chan))
3424 		return PTR_ERR(chan);
3425 
3426 	hdev->smp_data = chan;
3427 
3428 	if (!lmp_sc_capable(hdev)) {
3429 		/* Flag can be already set here (due to power toggle) */
3430 		if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3431 			return 0;
3432 	}
3433 
3434 	if (WARN_ON(hdev->smp_bredr_data)) {
3435 		chan = hdev->smp_bredr_data;
3436 		hdev->smp_bredr_data = NULL;
3437 		smp_del_chan(chan);
3438 	}
3439 
3440 	chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3441 	if (IS_ERR(chan)) {
3442 		int err = PTR_ERR(chan);
3443 		chan = hdev->smp_data;
3444 		hdev->smp_data = NULL;
3445 		smp_del_chan(chan);
3446 		return err;
3447 	}
3448 
3449 	hdev->smp_bredr_data = chan;
3450 
3451 	return 0;
3452 }
3453 
3454 void smp_unregister(struct hci_dev *hdev)
3455 {
3456 	struct l2cap_chan *chan;
3457 
3458 	if (hdev->smp_bredr_data) {
3459 		chan = hdev->smp_bredr_data;
3460 		hdev->smp_bredr_data = NULL;
3461 		smp_del_chan(chan);
3462 	}
3463 
3464 	if (hdev->smp_data) {
3465 		chan = hdev->smp_data;
3466 		hdev->smp_data = NULL;
3467 		smp_del_chan(chan);
3468 	}
3469 }
3470 
3471 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3472 
3473 static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
3474 {
3475 	u8 pk[64];
3476 	int err;
3477 
3478 	err = set_ecdh_privkey(tfm_ecdh, debug_sk);
3479 	if (err)
3480 		return err;
3481 
3482 	err = generate_ecdh_public_key(tfm_ecdh, pk);
3483 	if (err)
3484 		return err;
3485 
3486 	if (crypto_memneq(pk, debug_pk, 64))
3487 		return -EINVAL;
3488 
3489 	return 0;
3490 }
3491 
3492 static int __init test_ah(void)
3493 {
3494 	const u8 irk[16] = {
3495 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3496 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3497 	const u8 r[3] = { 0x94, 0x81, 0x70 };
3498 	const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3499 	u8 res[3];
3500 	int err;
3501 
3502 	err = smp_ah(irk, r, res);
3503 	if (err)
3504 		return err;
3505 
3506 	if (crypto_memneq(res, exp, 3))
3507 		return -EINVAL;
3508 
3509 	return 0;
3510 }
3511 
3512 static int __init test_c1(void)
3513 {
3514 	const u8 k[16] = {
3515 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3516 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3517 	const u8 r[16] = {
3518 			0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3519 			0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3520 	const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3521 	const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3522 	const u8 _iat = 0x01;
3523 	const u8 _rat = 0x00;
3524 	const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3525 	const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3526 	const u8 exp[16] = {
3527 			0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3528 			0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3529 	u8 res[16];
3530 	int err;
3531 
3532 	err = smp_c1(k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3533 	if (err)
3534 		return err;
3535 
3536 	if (crypto_memneq(res, exp, 16))
3537 		return -EINVAL;
3538 
3539 	return 0;
3540 }
3541 
3542 static int __init test_s1(void)
3543 {
3544 	const u8 k[16] = {
3545 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3546 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3547 	const u8 r1[16] = {
3548 			0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3549 	const u8 r2[16] = {
3550 			0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3551 	const u8 exp[16] = {
3552 			0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3553 			0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3554 	u8 res[16];
3555 	int err;
3556 
3557 	err = smp_s1(k, r1, r2, res);
3558 	if (err)
3559 		return err;
3560 
3561 	if (crypto_memneq(res, exp, 16))
3562 		return -EINVAL;
3563 
3564 	return 0;
3565 }
3566 
3567 static int __init test_f4(struct crypto_shash *tfm_cmac)
3568 {
3569 	const u8 u[32] = {
3570 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3571 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3572 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3573 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3574 	const u8 v[32] = {
3575 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3576 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3577 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3578 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3579 	const u8 x[16] = {
3580 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3581 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3582 	const u8 z = 0x00;
3583 	const u8 exp[16] = {
3584 			0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3585 			0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3586 	u8 res[16];
3587 	int err;
3588 
3589 	err = smp_f4(tfm_cmac, u, v, x, z, res);
3590 	if (err)
3591 		return err;
3592 
3593 	if (crypto_memneq(res, exp, 16))
3594 		return -EINVAL;
3595 
3596 	return 0;
3597 }
3598 
3599 static int __init test_f5(struct crypto_shash *tfm_cmac)
3600 {
3601 	const u8 w[32] = {
3602 			0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3603 			0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3604 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3605 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3606 	const u8 n1[16] = {
3607 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3608 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3609 	const u8 n2[16] = {
3610 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3611 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3612 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3613 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3614 	const u8 exp_ltk[16] = {
3615 			0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3616 			0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3617 	const u8 exp_mackey[16] = {
3618 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3619 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3620 	u8 mackey[16], ltk[16];
3621 	int err;
3622 
3623 	err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3624 	if (err)
3625 		return err;
3626 
3627 	if (crypto_memneq(mackey, exp_mackey, 16))
3628 		return -EINVAL;
3629 
3630 	if (crypto_memneq(ltk, exp_ltk, 16))
3631 		return -EINVAL;
3632 
3633 	return 0;
3634 }
3635 
3636 static int __init test_f6(struct crypto_shash *tfm_cmac)
3637 {
3638 	const u8 w[16] = {
3639 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3640 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3641 	const u8 n1[16] = {
3642 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3643 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3644 	const u8 n2[16] = {
3645 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3646 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3647 	const u8 r[16] = {
3648 			0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3649 			0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3650 	const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3651 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3652 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3653 	const u8 exp[16] = {
3654 			0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3655 			0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3656 	u8 res[16];
3657 	int err;
3658 
3659 	err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3660 	if (err)
3661 		return err;
3662 
3663 	if (crypto_memneq(res, exp, 16))
3664 		return -EINVAL;
3665 
3666 	return 0;
3667 }
3668 
3669 static int __init test_g2(struct crypto_shash *tfm_cmac)
3670 {
3671 	const u8 u[32] = {
3672 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3673 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3674 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3675 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3676 	const u8 v[32] = {
3677 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3678 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3679 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3680 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3681 	const u8 x[16] = {
3682 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3683 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3684 	const u8 y[16] = {
3685 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3686 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3687 	const u32 exp_val = 0x2f9ed5ba % 1000000;
3688 	u32 val;
3689 	int err;
3690 
3691 	err = smp_g2(tfm_cmac, u, v, x, y, &val);
3692 	if (err)
3693 		return err;
3694 
3695 	if (val != exp_val)
3696 		return -EINVAL;
3697 
3698 	return 0;
3699 }
3700 
3701 static int __init test_h6(struct crypto_shash *tfm_cmac)
3702 {
3703 	const u8 w[16] = {
3704 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3705 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3706 	const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3707 	const u8 exp[16] = {
3708 			0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3709 			0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3710 	u8 res[16];
3711 	int err;
3712 
3713 	err = smp_h6(tfm_cmac, w, key_id, res);
3714 	if (err)
3715 		return err;
3716 
3717 	if (crypto_memneq(res, exp, 16))
3718 		return -EINVAL;
3719 
3720 	return 0;
3721 }
3722 
3723 static char test_smp_buffer[32];
3724 
3725 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3726 			     size_t count, loff_t *ppos)
3727 {
3728 	return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3729 				       strlen(test_smp_buffer));
3730 }
3731 
3732 static const struct file_operations test_smp_fops = {
3733 	.open		= simple_open,
3734 	.read		= test_smp_read,
3735 	.llseek		= default_llseek,
3736 };
3737 
3738 static int __init run_selftests(struct crypto_shash *tfm_cmac,
3739 				struct crypto_kpp *tfm_ecdh)
3740 {
3741 	ktime_t calltime, delta, rettime;
3742 	unsigned long long duration;
3743 	int err;
3744 
3745 	calltime = ktime_get();
3746 
3747 	err = test_debug_key(tfm_ecdh);
3748 	if (err) {
3749 		BT_ERR("debug_key test failed");
3750 		goto done;
3751 	}
3752 
3753 	err = test_ah();
3754 	if (err) {
3755 		BT_ERR("smp_ah test failed");
3756 		goto done;
3757 	}
3758 
3759 	err = test_c1();
3760 	if (err) {
3761 		BT_ERR("smp_c1 test failed");
3762 		goto done;
3763 	}
3764 
3765 	err = test_s1();
3766 	if (err) {
3767 		BT_ERR("smp_s1 test failed");
3768 		goto done;
3769 	}
3770 
3771 	err = test_f4(tfm_cmac);
3772 	if (err) {
3773 		BT_ERR("smp_f4 test failed");
3774 		goto done;
3775 	}
3776 
3777 	err = test_f5(tfm_cmac);
3778 	if (err) {
3779 		BT_ERR("smp_f5 test failed");
3780 		goto done;
3781 	}
3782 
3783 	err = test_f6(tfm_cmac);
3784 	if (err) {
3785 		BT_ERR("smp_f6 test failed");
3786 		goto done;
3787 	}
3788 
3789 	err = test_g2(tfm_cmac);
3790 	if (err) {
3791 		BT_ERR("smp_g2 test failed");
3792 		goto done;
3793 	}
3794 
3795 	err = test_h6(tfm_cmac);
3796 	if (err) {
3797 		BT_ERR("smp_h6 test failed");
3798 		goto done;
3799 	}
3800 
3801 	rettime = ktime_get();
3802 	delta = ktime_sub(rettime, calltime);
3803 	duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3804 
3805 	BT_INFO("SMP test passed in %llu usecs", duration);
3806 
3807 done:
3808 	if (!err)
3809 		snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3810 			 "PASS (%llu usecs)\n", duration);
3811 	else
3812 		snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3813 
3814 	debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3815 			    &test_smp_fops);
3816 
3817 	return err;
3818 }
3819 
3820 int __init bt_selftest_smp(void)
3821 {
3822 	struct crypto_shash *tfm_cmac;
3823 	struct crypto_kpp *tfm_ecdh;
3824 	int err;
3825 
3826 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3827 	if (IS_ERR(tfm_cmac)) {
3828 		BT_ERR("Unable to create CMAC crypto context");
3829 		return PTR_ERR(tfm_cmac);
3830 	}
3831 
3832 	tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
3833 	if (IS_ERR(tfm_ecdh)) {
3834 		BT_ERR("Unable to create ECDH crypto context");
3835 		crypto_free_shash(tfm_cmac);
3836 		return PTR_ERR(tfm_ecdh);
3837 	}
3838 
3839 	err = run_selftests(tfm_cmac, tfm_ecdh);
3840 
3841 	crypto_free_shash(tfm_cmac);
3842 	crypto_free_kpp(tfm_ecdh);
3843 
3844 	return err;
3845 }
3846 
3847 #endif
3848