xref: /openbmc/linux/net/bluetooth/smp.c (revision 35d4a3c6)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4 
5    This program is free software; you can redistribute it and/or modify
6    it under the terms of the GNU General Public License version 2 as
7    published by the Free Software Foundation;
8 
9    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 
18    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20    SOFTWARE IS DISCLAIMED.
21 */
22 
23 #include <linux/debugfs.h>
24 #include <linux/scatterlist.h>
25 #include <linux/crypto.h>
26 #include <crypto/aes.h>
27 #include <crypto/algapi.h>
28 #include <crypto/hash.h>
29 #include <crypto/kpp.h>
30 
31 #include <net/bluetooth/bluetooth.h>
32 #include <net/bluetooth/hci_core.h>
33 #include <net/bluetooth/l2cap.h>
34 #include <net/bluetooth/mgmt.h>
35 
36 #include "ecdh_helper.h"
37 #include "smp.h"
38 
39 #define SMP_DEV(hdev) \
40 	((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
41 
42 /* Low-level debug macros to be used for stuff that we don't want
43  * accidentally in dmesg, i.e. the values of the various crypto keys
44  * and the inputs & outputs of crypto functions.
45  */
46 #ifdef DEBUG
47 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
48 				 ##__VA_ARGS__)
49 #else
50 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
51 				    ##__VA_ARGS__)
52 #endif
53 
54 #define SMP_ALLOW_CMD(smp, code)	set_bit(code, &smp->allow_cmd)
55 
56 /* Keys which are not distributed with Secure Connections */
57 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY)
58 
59 #define SMP_TIMEOUT	msecs_to_jiffies(30000)
60 
61 #define ID_ADDR_TIMEOUT	msecs_to_jiffies(200)
62 
63 #define AUTH_REQ_MASK(dev)	(hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
64 				 0x3f : 0x07)
65 #define KEY_DIST_MASK		0x07
66 
67 /* Maximum message length that can be passed to aes_cmac */
68 #define CMAC_MSG_MAX	80
69 
70 enum {
71 	SMP_FLAG_TK_VALID,
72 	SMP_FLAG_CFM_PENDING,
73 	SMP_FLAG_MITM_AUTH,
74 	SMP_FLAG_COMPLETE,
75 	SMP_FLAG_INITIATOR,
76 	SMP_FLAG_SC,
77 	SMP_FLAG_REMOTE_PK,
78 	SMP_FLAG_DEBUG_KEY,
79 	SMP_FLAG_WAIT_USER,
80 	SMP_FLAG_DHKEY_PENDING,
81 	SMP_FLAG_REMOTE_OOB,
82 	SMP_FLAG_LOCAL_OOB,
83 	SMP_FLAG_CT2,
84 };
85 
86 struct smp_dev {
87 	/* Secure Connections OOB data */
88 	bool			local_oob;
89 	u8			local_pk[64];
90 	u8			local_rand[16];
91 	bool			debug_key;
92 
93 	struct crypto_shash	*tfm_cmac;
94 	struct crypto_kpp	*tfm_ecdh;
95 };
96 
97 struct smp_chan {
98 	struct l2cap_conn	*conn;
99 	struct delayed_work	security_timer;
100 	unsigned long           allow_cmd; /* Bitmask of allowed commands */
101 
102 	u8		preq[7]; /* SMP Pairing Request */
103 	u8		prsp[7]; /* SMP Pairing Response */
104 	u8		prnd[16]; /* SMP Pairing Random (local) */
105 	u8		rrnd[16]; /* SMP Pairing Random (remote) */
106 	u8		pcnf[16]; /* SMP Pairing Confirm */
107 	u8		tk[16]; /* SMP Temporary Key */
108 	u8		rr[16]; /* Remote OOB ra/rb value */
109 	u8		lr[16]; /* Local OOB ra/rb value */
110 	u8		enc_key_size;
111 	u8		remote_key_dist;
112 	bdaddr_t	id_addr;
113 	u8		id_addr_type;
114 	u8		irk[16];
115 	struct smp_csrk	*csrk;
116 	struct smp_csrk	*responder_csrk;
117 	struct smp_ltk	*ltk;
118 	struct smp_ltk	*responder_ltk;
119 	struct smp_irk	*remote_irk;
120 	u8		*link_key;
121 	unsigned long	flags;
122 	u8		method;
123 	u8		passkey_round;
124 
125 	/* Secure Connections variables */
126 	u8			local_pk[64];
127 	u8			remote_pk[64];
128 	u8			dhkey[32];
129 	u8			mackey[16];
130 
131 	struct crypto_shash	*tfm_cmac;
132 	struct crypto_kpp	*tfm_ecdh;
133 };
134 
135 /* These debug key values are defined in the SMP section of the core
136  * specification. debug_pk is the public debug key and debug_sk the
137  * private debug key.
138  */
139 static const u8 debug_pk[64] = {
140 		0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
141 		0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
142 		0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
143 		0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
144 
145 		0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
146 		0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
147 		0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
148 		0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
149 };
150 
151 static const u8 debug_sk[32] = {
152 		0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
153 		0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
154 		0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
155 		0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
156 };
157 
158 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
159 {
160 	size_t i;
161 
162 	for (i = 0; i < len; i++)
163 		dst[len - 1 - i] = src[i];
164 }
165 
166 /* The following functions map to the LE SC SMP crypto functions
167  * AES-CMAC, f4, f5, f6, g2 and h6.
168  */
169 
170 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
171 		    size_t len, u8 mac[16])
172 {
173 	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
174 	int err;
175 
176 	if (len > CMAC_MSG_MAX)
177 		return -EFBIG;
178 
179 	if (!tfm) {
180 		BT_ERR("tfm %p", tfm);
181 		return -EINVAL;
182 	}
183 
184 	/* Swap key and message from LSB to MSB */
185 	swap_buf(k, tmp, 16);
186 	swap_buf(m, msg_msb, len);
187 
188 	SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
189 	SMP_DBG("key %16phN", k);
190 
191 	err = crypto_shash_setkey(tfm, tmp, 16);
192 	if (err) {
193 		BT_ERR("cipher setkey failed: %d", err);
194 		return err;
195 	}
196 
197 	err = crypto_shash_tfm_digest(tfm, msg_msb, len, mac_msb);
198 	if (err) {
199 		BT_ERR("Hash computation error %d", err);
200 		return err;
201 	}
202 
203 	swap_buf(mac_msb, mac, 16);
204 
205 	SMP_DBG("mac %16phN", mac);
206 
207 	return 0;
208 }
209 
210 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
211 		  const u8 v[32], const u8 x[16], u8 z, u8 res[16])
212 {
213 	u8 m[65];
214 	int err;
215 
216 	SMP_DBG("u %32phN", u);
217 	SMP_DBG("v %32phN", v);
218 	SMP_DBG("x %16phN z %02x", x, z);
219 
220 	m[0] = z;
221 	memcpy(m + 1, v, 32);
222 	memcpy(m + 33, u, 32);
223 
224 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
225 	if (err)
226 		return err;
227 
228 	SMP_DBG("res %16phN", res);
229 
230 	return err;
231 }
232 
233 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
234 		  const u8 n1[16], const u8 n2[16], const u8 a1[7],
235 		  const u8 a2[7], u8 mackey[16], u8 ltk[16])
236 {
237 	/* The btle, salt and length "magic" values are as defined in
238 	 * the SMP section of the Bluetooth core specification. In ASCII
239 	 * the btle value ends up being 'btle'. The salt is just a
240 	 * random number whereas length is the value 256 in little
241 	 * endian format.
242 	 */
243 	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
244 	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
245 			      0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
246 	const u8 length[2] = { 0x00, 0x01 };
247 	u8 m[53], t[16];
248 	int err;
249 
250 	SMP_DBG("w %32phN", w);
251 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
252 	SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
253 
254 	err = aes_cmac(tfm_cmac, salt, w, 32, t);
255 	if (err)
256 		return err;
257 
258 	SMP_DBG("t %16phN", t);
259 
260 	memcpy(m, length, 2);
261 	memcpy(m + 2, a2, 7);
262 	memcpy(m + 9, a1, 7);
263 	memcpy(m + 16, n2, 16);
264 	memcpy(m + 32, n1, 16);
265 	memcpy(m + 48, btle, 4);
266 
267 	m[52] = 0; /* Counter */
268 
269 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
270 	if (err)
271 		return err;
272 
273 	SMP_DBG("mackey %16phN", mackey);
274 
275 	m[52] = 1; /* Counter */
276 
277 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
278 	if (err)
279 		return err;
280 
281 	SMP_DBG("ltk %16phN", ltk);
282 
283 	return 0;
284 }
285 
286 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
287 		  const u8 n1[16], const u8 n2[16], const u8 r[16],
288 		  const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
289 		  u8 res[16])
290 {
291 	u8 m[65];
292 	int err;
293 
294 	SMP_DBG("w %16phN", w);
295 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
296 	SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
297 
298 	memcpy(m, a2, 7);
299 	memcpy(m + 7, a1, 7);
300 	memcpy(m + 14, io_cap, 3);
301 	memcpy(m + 17, r, 16);
302 	memcpy(m + 33, n2, 16);
303 	memcpy(m + 49, n1, 16);
304 
305 	err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
306 	if (err)
307 		return err;
308 
309 	SMP_DBG("res %16phN", res);
310 
311 	return err;
312 }
313 
314 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
315 		  const u8 x[16], const u8 y[16], u32 *val)
316 {
317 	u8 m[80], tmp[16];
318 	int err;
319 
320 	SMP_DBG("u %32phN", u);
321 	SMP_DBG("v %32phN", v);
322 	SMP_DBG("x %16phN y %16phN", x, y);
323 
324 	memcpy(m, y, 16);
325 	memcpy(m + 16, v, 32);
326 	memcpy(m + 48, u, 32);
327 
328 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
329 	if (err)
330 		return err;
331 
332 	*val = get_unaligned_le32(tmp);
333 	*val %= 1000000;
334 
335 	SMP_DBG("val %06u", *val);
336 
337 	return 0;
338 }
339 
340 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
341 		  const u8 key_id[4], u8 res[16])
342 {
343 	int err;
344 
345 	SMP_DBG("w %16phN key_id %4phN", w, key_id);
346 
347 	err = aes_cmac(tfm_cmac, w, key_id, 4, res);
348 	if (err)
349 		return err;
350 
351 	SMP_DBG("res %16phN", res);
352 
353 	return err;
354 }
355 
356 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
357 		  const u8 salt[16], u8 res[16])
358 {
359 	int err;
360 
361 	SMP_DBG("w %16phN salt %16phN", w, salt);
362 
363 	err = aes_cmac(tfm_cmac, salt, w, 16, res);
364 	if (err)
365 		return err;
366 
367 	SMP_DBG("res %16phN", res);
368 
369 	return err;
370 }
371 
372 /* The following functions map to the legacy SMP crypto functions e, c1,
373  * s1 and ah.
374  */
375 
376 static int smp_e(const u8 *k, u8 *r)
377 {
378 	struct crypto_aes_ctx ctx;
379 	uint8_t tmp[16], data[16];
380 	int err;
381 
382 	SMP_DBG("k %16phN r %16phN", k, r);
383 
384 	/* The most significant octet of key corresponds to k[0] */
385 	swap_buf(k, tmp, 16);
386 
387 	err = aes_expandkey(&ctx, tmp, 16);
388 	if (err) {
389 		BT_ERR("cipher setkey failed: %d", err);
390 		return err;
391 	}
392 
393 	/* Most significant octet of plaintextData corresponds to data[0] */
394 	swap_buf(r, data, 16);
395 
396 	aes_encrypt(&ctx, data, data);
397 
398 	/* Most significant octet of encryptedData corresponds to data[0] */
399 	swap_buf(data, r, 16);
400 
401 	SMP_DBG("r %16phN", r);
402 
403 	memzero_explicit(&ctx, sizeof(ctx));
404 	return err;
405 }
406 
407 static int smp_c1(const u8 k[16],
408 		  const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
409 		  const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
410 {
411 	u8 p1[16], p2[16];
412 	int err;
413 
414 	SMP_DBG("k %16phN r %16phN", k, r);
415 	SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
416 	SMP_DBG("preq %7phN pres %7phN", preq, pres);
417 
418 	memset(p1, 0, 16);
419 
420 	/* p1 = pres || preq || _rat || _iat */
421 	p1[0] = _iat;
422 	p1[1] = _rat;
423 	memcpy(p1 + 2, preq, 7);
424 	memcpy(p1 + 9, pres, 7);
425 
426 	SMP_DBG("p1 %16phN", p1);
427 
428 	/* res = r XOR p1 */
429 	crypto_xor_cpy(res, r, p1, sizeof(p1));
430 
431 	/* res = e(k, res) */
432 	err = smp_e(k, res);
433 	if (err) {
434 		BT_ERR("Encrypt data error");
435 		return err;
436 	}
437 
438 	/* p2 = padding || ia || ra */
439 	memcpy(p2, ra, 6);
440 	memcpy(p2 + 6, ia, 6);
441 	memset(p2 + 12, 0, 4);
442 
443 	SMP_DBG("p2 %16phN", p2);
444 
445 	/* res = res XOR p2 */
446 	crypto_xor(res, p2, sizeof(p2));
447 
448 	/* res = e(k, res) */
449 	err = smp_e(k, res);
450 	if (err)
451 		BT_ERR("Encrypt data error");
452 
453 	return err;
454 }
455 
456 static int smp_s1(const u8 k[16],
457 		  const u8 r1[16], const u8 r2[16], u8 _r[16])
458 {
459 	int err;
460 
461 	/* Just least significant octets from r1 and r2 are considered */
462 	memcpy(_r, r2, 8);
463 	memcpy(_r + 8, r1, 8);
464 
465 	err = smp_e(k, _r);
466 	if (err)
467 		BT_ERR("Encrypt data error");
468 
469 	return err;
470 }
471 
472 static int smp_ah(const u8 irk[16], const u8 r[3], u8 res[3])
473 {
474 	u8 _res[16];
475 	int err;
476 
477 	/* r' = padding || r */
478 	memcpy(_res, r, 3);
479 	memset(_res + 3, 0, 13);
480 
481 	err = smp_e(irk, _res);
482 	if (err) {
483 		BT_ERR("Encrypt error");
484 		return err;
485 	}
486 
487 	/* The output of the random address function ah is:
488 	 *	ah(k, r) = e(k, r') mod 2^24
489 	 * The output of the security function e is then truncated to 24 bits
490 	 * by taking the least significant 24 bits of the output of e as the
491 	 * result of ah.
492 	 */
493 	memcpy(res, _res, 3);
494 
495 	return 0;
496 }
497 
498 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
499 		     const bdaddr_t *bdaddr)
500 {
501 	struct l2cap_chan *chan = hdev->smp_data;
502 	u8 hash[3];
503 	int err;
504 
505 	if (!chan || !chan->data)
506 		return false;
507 
508 	bt_dev_dbg(hdev, "RPA %pMR IRK %*phN", bdaddr, 16, irk);
509 
510 	err = smp_ah(irk, &bdaddr->b[3], hash);
511 	if (err)
512 		return false;
513 
514 	return !crypto_memneq(bdaddr->b, hash, 3);
515 }
516 
517 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
518 {
519 	struct l2cap_chan *chan = hdev->smp_data;
520 	int err;
521 
522 	if (!chan || !chan->data)
523 		return -EOPNOTSUPP;
524 
525 	get_random_bytes(&rpa->b[3], 3);
526 
527 	rpa->b[5] &= 0x3f;	/* Clear two most significant bits */
528 	rpa->b[5] |= 0x40;	/* Set second most significant bit */
529 
530 	err = smp_ah(irk, &rpa->b[3], rpa->b);
531 	if (err < 0)
532 		return err;
533 
534 	bt_dev_dbg(hdev, "RPA %pMR", rpa);
535 
536 	return 0;
537 }
538 
539 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
540 {
541 	struct l2cap_chan *chan = hdev->smp_data;
542 	struct smp_dev *smp;
543 	int err;
544 
545 	if (!chan || !chan->data)
546 		return -EOPNOTSUPP;
547 
548 	smp = chan->data;
549 
550 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
551 		bt_dev_dbg(hdev, "Using debug keys");
552 		err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk);
553 		if (err)
554 			return err;
555 		memcpy(smp->local_pk, debug_pk, 64);
556 		smp->debug_key = true;
557 	} else {
558 		while (true) {
559 			/* Generate key pair for Secure Connections */
560 			err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk);
561 			if (err)
562 				return err;
563 
564 			/* This is unlikely, but we need to check that
565 			 * we didn't accidentally generate a debug key.
566 			 */
567 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
568 				break;
569 		}
570 		smp->debug_key = false;
571 	}
572 
573 	SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
574 	SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
575 
576 	get_random_bytes(smp->local_rand, 16);
577 
578 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
579 		     smp->local_rand, 0, hash);
580 	if (err < 0)
581 		return err;
582 
583 	memcpy(rand, smp->local_rand, 16);
584 
585 	smp->local_oob = true;
586 
587 	return 0;
588 }
589 
590 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
591 {
592 	struct l2cap_chan *chan = conn->smp;
593 	struct smp_chan *smp;
594 	struct kvec iv[2];
595 	struct msghdr msg;
596 
597 	if (!chan)
598 		return;
599 
600 	bt_dev_dbg(conn->hcon->hdev, "code 0x%2.2x", code);
601 
602 	iv[0].iov_base = &code;
603 	iv[0].iov_len = 1;
604 
605 	iv[1].iov_base = data;
606 	iv[1].iov_len = len;
607 
608 	memset(&msg, 0, sizeof(msg));
609 
610 	iov_iter_kvec(&msg.msg_iter, ITER_SOURCE, iv, 2, 1 + len);
611 
612 	l2cap_chan_send(chan, &msg, 1 + len);
613 
614 	if (!chan->data)
615 		return;
616 
617 	smp = chan->data;
618 
619 	cancel_delayed_work_sync(&smp->security_timer);
620 	schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
621 }
622 
623 static u8 authreq_to_seclevel(u8 authreq)
624 {
625 	if (authreq & SMP_AUTH_MITM) {
626 		if (authreq & SMP_AUTH_SC)
627 			return BT_SECURITY_FIPS;
628 		else
629 			return BT_SECURITY_HIGH;
630 	} else {
631 		return BT_SECURITY_MEDIUM;
632 	}
633 }
634 
635 static __u8 seclevel_to_authreq(__u8 sec_level)
636 {
637 	switch (sec_level) {
638 	case BT_SECURITY_FIPS:
639 	case BT_SECURITY_HIGH:
640 		return SMP_AUTH_MITM | SMP_AUTH_BONDING;
641 	case BT_SECURITY_MEDIUM:
642 		return SMP_AUTH_BONDING;
643 	default:
644 		return SMP_AUTH_NONE;
645 	}
646 }
647 
648 static void build_pairing_cmd(struct l2cap_conn *conn,
649 			      struct smp_cmd_pairing *req,
650 			      struct smp_cmd_pairing *rsp, __u8 authreq)
651 {
652 	struct l2cap_chan *chan = conn->smp;
653 	struct smp_chan *smp = chan->data;
654 	struct hci_conn *hcon = conn->hcon;
655 	struct hci_dev *hdev = hcon->hdev;
656 	u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
657 
658 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
659 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
660 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
661 		authreq |= SMP_AUTH_BONDING;
662 	} else {
663 		authreq &= ~SMP_AUTH_BONDING;
664 	}
665 
666 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
667 		remote_dist |= SMP_DIST_ID_KEY;
668 
669 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
670 		local_dist |= SMP_DIST_ID_KEY;
671 
672 	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
673 	    (authreq & SMP_AUTH_SC)) {
674 		struct oob_data *oob_data;
675 		u8 bdaddr_type;
676 
677 		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
678 			local_dist |= SMP_DIST_LINK_KEY;
679 			remote_dist |= SMP_DIST_LINK_KEY;
680 		}
681 
682 		if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
683 			bdaddr_type = BDADDR_LE_PUBLIC;
684 		else
685 			bdaddr_type = BDADDR_LE_RANDOM;
686 
687 		oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
688 						    bdaddr_type);
689 		if (oob_data && oob_data->present) {
690 			set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
691 			oob_flag = SMP_OOB_PRESENT;
692 			memcpy(smp->rr, oob_data->rand256, 16);
693 			memcpy(smp->pcnf, oob_data->hash256, 16);
694 			SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
695 			SMP_DBG("OOB Remote Random: %16phN", smp->rr);
696 		}
697 
698 	} else {
699 		authreq &= ~SMP_AUTH_SC;
700 	}
701 
702 	if (rsp == NULL) {
703 		req->io_capability = conn->hcon->io_capability;
704 		req->oob_flag = oob_flag;
705 		req->max_key_size = hdev->le_max_key_size;
706 		req->init_key_dist = local_dist;
707 		req->resp_key_dist = remote_dist;
708 		req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
709 
710 		smp->remote_key_dist = remote_dist;
711 		return;
712 	}
713 
714 	rsp->io_capability = conn->hcon->io_capability;
715 	rsp->oob_flag = oob_flag;
716 	rsp->max_key_size = hdev->le_max_key_size;
717 	rsp->init_key_dist = req->init_key_dist & remote_dist;
718 	rsp->resp_key_dist = req->resp_key_dist & local_dist;
719 	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
720 
721 	smp->remote_key_dist = rsp->init_key_dist;
722 }
723 
724 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
725 {
726 	struct l2cap_chan *chan = conn->smp;
727 	struct hci_dev *hdev = conn->hcon->hdev;
728 	struct smp_chan *smp = chan->data;
729 
730 	if (conn->hcon->pending_sec_level == BT_SECURITY_FIPS &&
731 	    max_key_size != SMP_MAX_ENC_KEY_SIZE)
732 		return SMP_ENC_KEY_SIZE;
733 
734 	if (max_key_size > hdev->le_max_key_size ||
735 	    max_key_size < SMP_MIN_ENC_KEY_SIZE)
736 		return SMP_ENC_KEY_SIZE;
737 
738 	smp->enc_key_size = max_key_size;
739 
740 	return 0;
741 }
742 
743 static void smp_chan_destroy(struct l2cap_conn *conn)
744 {
745 	struct l2cap_chan *chan = conn->smp;
746 	struct smp_chan *smp = chan->data;
747 	struct hci_conn *hcon = conn->hcon;
748 	bool complete;
749 
750 	BUG_ON(!smp);
751 
752 	cancel_delayed_work_sync(&smp->security_timer);
753 
754 	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
755 	mgmt_smp_complete(hcon, complete);
756 
757 	kfree_sensitive(smp->csrk);
758 	kfree_sensitive(smp->responder_csrk);
759 	kfree_sensitive(smp->link_key);
760 
761 	crypto_free_shash(smp->tfm_cmac);
762 	crypto_free_kpp(smp->tfm_ecdh);
763 
764 	/* Ensure that we don't leave any debug key around if debug key
765 	 * support hasn't been explicitly enabled.
766 	 */
767 	if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
768 	    !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
769 		list_del_rcu(&smp->ltk->list);
770 		kfree_rcu(smp->ltk, rcu);
771 		smp->ltk = NULL;
772 	}
773 
774 	/* If pairing failed clean up any keys we might have */
775 	if (!complete) {
776 		if (smp->ltk) {
777 			list_del_rcu(&smp->ltk->list);
778 			kfree_rcu(smp->ltk, rcu);
779 		}
780 
781 		if (smp->responder_ltk) {
782 			list_del_rcu(&smp->responder_ltk->list);
783 			kfree_rcu(smp->responder_ltk, rcu);
784 		}
785 
786 		if (smp->remote_irk) {
787 			list_del_rcu(&smp->remote_irk->list);
788 			kfree_rcu(smp->remote_irk, rcu);
789 		}
790 	}
791 
792 	chan->data = NULL;
793 	kfree_sensitive(smp);
794 	hci_conn_drop(hcon);
795 }
796 
797 static void smp_failure(struct l2cap_conn *conn, u8 reason)
798 {
799 	struct hci_conn *hcon = conn->hcon;
800 	struct l2cap_chan *chan = conn->smp;
801 
802 	if (reason)
803 		smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
804 			     &reason);
805 
806 	mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
807 
808 	if (chan->data)
809 		smp_chan_destroy(conn);
810 }
811 
812 #define JUST_WORKS	0x00
813 #define JUST_CFM	0x01
814 #define REQ_PASSKEY	0x02
815 #define CFM_PASSKEY	0x03
816 #define REQ_OOB		0x04
817 #define DSP_PASSKEY	0x05
818 #define OVERLAP		0xFF
819 
820 static const u8 gen_method[5][5] = {
821 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
822 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
823 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
824 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
825 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
826 };
827 
828 static const u8 sc_method[5][5] = {
829 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
830 	{ JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
831 	{ DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
832 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
833 	{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
834 };
835 
836 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
837 {
838 	/* If either side has unknown io_caps, use JUST_CFM (which gets
839 	 * converted later to JUST_WORKS if we're initiators.
840 	 */
841 	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
842 	    remote_io > SMP_IO_KEYBOARD_DISPLAY)
843 		return JUST_CFM;
844 
845 	if (test_bit(SMP_FLAG_SC, &smp->flags))
846 		return sc_method[remote_io][local_io];
847 
848 	return gen_method[remote_io][local_io];
849 }
850 
851 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
852 						u8 local_io, u8 remote_io)
853 {
854 	struct hci_conn *hcon = conn->hcon;
855 	struct l2cap_chan *chan = conn->smp;
856 	struct smp_chan *smp = chan->data;
857 	u32 passkey = 0;
858 	int ret;
859 
860 	/* Initialize key for JUST WORKS */
861 	memset(smp->tk, 0, sizeof(smp->tk));
862 	clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
863 
864 	bt_dev_dbg(hcon->hdev, "auth:%u lcl:%u rem:%u", auth, local_io,
865 		   remote_io);
866 
867 	/* If neither side wants MITM, either "just" confirm an incoming
868 	 * request or use just-works for outgoing ones. The JUST_CFM
869 	 * will be converted to JUST_WORKS if necessary later in this
870 	 * function. If either side has MITM look up the method from the
871 	 * table.
872 	 */
873 	if (!(auth & SMP_AUTH_MITM))
874 		smp->method = JUST_CFM;
875 	else
876 		smp->method = get_auth_method(smp, local_io, remote_io);
877 
878 	/* Don't confirm locally initiated pairing attempts */
879 	if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
880 						&smp->flags))
881 		smp->method = JUST_WORKS;
882 
883 	/* Don't bother user space with no IO capabilities */
884 	if (smp->method == JUST_CFM &&
885 	    hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
886 		smp->method = JUST_WORKS;
887 
888 	/* If Just Works, Continue with Zero TK and ask user-space for
889 	 * confirmation */
890 	if (smp->method == JUST_WORKS) {
891 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
892 						hcon->type,
893 						hcon->dst_type,
894 						passkey, 1);
895 		if (ret)
896 			return ret;
897 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
898 		return 0;
899 	}
900 
901 	/* If this function is used for SC -> legacy fallback we
902 	 * can only recover the just-works case.
903 	 */
904 	if (test_bit(SMP_FLAG_SC, &smp->flags))
905 		return -EINVAL;
906 
907 	/* Not Just Works/Confirm results in MITM Authentication */
908 	if (smp->method != JUST_CFM) {
909 		set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
910 		if (hcon->pending_sec_level < BT_SECURITY_HIGH)
911 			hcon->pending_sec_level = BT_SECURITY_HIGH;
912 	}
913 
914 	/* If both devices have Keyboard-Display I/O, the initiator
915 	 * Confirms and the responder Enters the passkey.
916 	 */
917 	if (smp->method == OVERLAP) {
918 		if (hcon->role == HCI_ROLE_MASTER)
919 			smp->method = CFM_PASSKEY;
920 		else
921 			smp->method = REQ_PASSKEY;
922 	}
923 
924 	/* Generate random passkey. */
925 	if (smp->method == CFM_PASSKEY) {
926 		memset(smp->tk, 0, sizeof(smp->tk));
927 		get_random_bytes(&passkey, sizeof(passkey));
928 		passkey %= 1000000;
929 		put_unaligned_le32(passkey, smp->tk);
930 		bt_dev_dbg(hcon->hdev, "PassKey: %u", passkey);
931 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
932 	}
933 
934 	if (smp->method == REQ_PASSKEY)
935 		ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
936 						hcon->type, hcon->dst_type);
937 	else if (smp->method == JUST_CFM)
938 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
939 						hcon->type, hcon->dst_type,
940 						passkey, 1);
941 	else
942 		ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
943 						hcon->type, hcon->dst_type,
944 						passkey, 0);
945 
946 	return ret;
947 }
948 
949 static u8 smp_confirm(struct smp_chan *smp)
950 {
951 	struct l2cap_conn *conn = smp->conn;
952 	struct smp_cmd_pairing_confirm cp;
953 	int ret;
954 
955 	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
956 
957 	ret = smp_c1(smp->tk, smp->prnd, smp->preq, smp->prsp,
958 		     conn->hcon->init_addr_type, &conn->hcon->init_addr,
959 		     conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
960 		     cp.confirm_val);
961 	if (ret)
962 		return SMP_UNSPECIFIED;
963 
964 	clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
965 
966 	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
967 
968 	if (conn->hcon->out)
969 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
970 	else
971 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
972 
973 	return 0;
974 }
975 
976 static u8 smp_random(struct smp_chan *smp)
977 {
978 	struct l2cap_conn *conn = smp->conn;
979 	struct hci_conn *hcon = conn->hcon;
980 	u8 confirm[16];
981 	int ret;
982 
983 	bt_dev_dbg(conn->hcon->hdev, "conn %p %s", conn,
984 		   conn->hcon->out ? "initiator" : "responder");
985 
986 	ret = smp_c1(smp->tk, smp->rrnd, smp->preq, smp->prsp,
987 		     hcon->init_addr_type, &hcon->init_addr,
988 		     hcon->resp_addr_type, &hcon->resp_addr, confirm);
989 	if (ret)
990 		return SMP_UNSPECIFIED;
991 
992 	if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
993 		bt_dev_err(hcon->hdev, "pairing failed "
994 			   "(confirmation values mismatch)");
995 		return SMP_CONFIRM_FAILED;
996 	}
997 
998 	if (hcon->out) {
999 		u8 stk[16];
1000 		__le64 rand = 0;
1001 		__le16 ediv = 0;
1002 
1003 		smp_s1(smp->tk, smp->rrnd, smp->prnd, stk);
1004 
1005 		if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1006 			return SMP_UNSPECIFIED;
1007 
1008 		hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1009 		hcon->enc_key_size = smp->enc_key_size;
1010 		set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1011 	} else {
1012 		u8 stk[16], auth;
1013 		__le64 rand = 0;
1014 		__le16 ediv = 0;
1015 
1016 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1017 			     smp->prnd);
1018 
1019 		smp_s1(smp->tk, smp->prnd, smp->rrnd, stk);
1020 
1021 		if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1022 			auth = 1;
1023 		else
1024 			auth = 0;
1025 
1026 		/* Even though there's no _RESPONDER suffix this is the
1027 		 * responder STK we're adding for later lookup (the initiator
1028 		 * STK never needs to be stored).
1029 		 */
1030 		hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1031 			    SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1032 	}
1033 
1034 	return 0;
1035 }
1036 
1037 static void smp_notify_keys(struct l2cap_conn *conn)
1038 {
1039 	struct l2cap_chan *chan = conn->smp;
1040 	struct smp_chan *smp = chan->data;
1041 	struct hci_conn *hcon = conn->hcon;
1042 	struct hci_dev *hdev = hcon->hdev;
1043 	struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1044 	struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1045 	bool persistent;
1046 
1047 	if (hcon->type == ACL_LINK) {
1048 		if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1049 			persistent = false;
1050 		else
1051 			persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1052 					       &hcon->flags);
1053 	} else {
1054 		/* The LTKs, IRKs and CSRKs should be persistent only if
1055 		 * both sides had the bonding bit set in their
1056 		 * authentication requests.
1057 		 */
1058 		persistent = !!((req->auth_req & rsp->auth_req) &
1059 				SMP_AUTH_BONDING);
1060 	}
1061 
1062 	if (smp->remote_irk) {
1063 		mgmt_new_irk(hdev, smp->remote_irk, persistent);
1064 
1065 		/* Now that user space can be considered to know the
1066 		 * identity address track the connection based on it
1067 		 * from now on (assuming this is an LE link).
1068 		 */
1069 		if (hcon->type == LE_LINK) {
1070 			bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1071 			hcon->dst_type = smp->remote_irk->addr_type;
1072 			/* Use a short delay to make sure the new address is
1073 			 * propagated _before_ the channels.
1074 			 */
1075 			queue_delayed_work(hdev->workqueue,
1076 					   &conn->id_addr_timer,
1077 					   ID_ADDR_TIMEOUT);
1078 		}
1079 	}
1080 
1081 	if (smp->csrk) {
1082 		smp->csrk->bdaddr_type = hcon->dst_type;
1083 		bacpy(&smp->csrk->bdaddr, &hcon->dst);
1084 		mgmt_new_csrk(hdev, smp->csrk, persistent);
1085 	}
1086 
1087 	if (smp->responder_csrk) {
1088 		smp->responder_csrk->bdaddr_type = hcon->dst_type;
1089 		bacpy(&smp->responder_csrk->bdaddr, &hcon->dst);
1090 		mgmt_new_csrk(hdev, smp->responder_csrk, persistent);
1091 	}
1092 
1093 	if (smp->ltk) {
1094 		smp->ltk->bdaddr_type = hcon->dst_type;
1095 		bacpy(&smp->ltk->bdaddr, &hcon->dst);
1096 		mgmt_new_ltk(hdev, smp->ltk, persistent);
1097 	}
1098 
1099 	if (smp->responder_ltk) {
1100 		smp->responder_ltk->bdaddr_type = hcon->dst_type;
1101 		bacpy(&smp->responder_ltk->bdaddr, &hcon->dst);
1102 		mgmt_new_ltk(hdev, smp->responder_ltk, persistent);
1103 	}
1104 
1105 	if (smp->link_key) {
1106 		struct link_key *key;
1107 		u8 type;
1108 
1109 		if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1110 			type = HCI_LK_DEBUG_COMBINATION;
1111 		else if (hcon->sec_level == BT_SECURITY_FIPS)
1112 			type = HCI_LK_AUTH_COMBINATION_P256;
1113 		else
1114 			type = HCI_LK_UNAUTH_COMBINATION_P256;
1115 
1116 		key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1117 				       smp->link_key, type, 0, &persistent);
1118 		if (key) {
1119 			mgmt_new_link_key(hdev, key, persistent);
1120 
1121 			/* Don't keep debug keys around if the relevant
1122 			 * flag is not set.
1123 			 */
1124 			if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1125 			    key->type == HCI_LK_DEBUG_COMBINATION) {
1126 				list_del_rcu(&key->list);
1127 				kfree_rcu(key, rcu);
1128 			}
1129 		}
1130 	}
1131 }
1132 
1133 static void sc_add_ltk(struct smp_chan *smp)
1134 {
1135 	struct hci_conn *hcon = smp->conn->hcon;
1136 	u8 key_type, auth;
1137 
1138 	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1139 		key_type = SMP_LTK_P256_DEBUG;
1140 	else
1141 		key_type = SMP_LTK_P256;
1142 
1143 	if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1144 		auth = 1;
1145 	else
1146 		auth = 0;
1147 
1148 	smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1149 			       key_type, auth, smp->tk, smp->enc_key_size,
1150 			       0, 0);
1151 }
1152 
1153 static void sc_generate_link_key(struct smp_chan *smp)
1154 {
1155 	/* From core spec. Spells out in ASCII as 'lebr'. */
1156 	const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1157 
1158 	smp->link_key = kzalloc(16, GFP_KERNEL);
1159 	if (!smp->link_key)
1160 		return;
1161 
1162 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1163 		/* SALT = 0x000000000000000000000000746D7031 */
1164 		const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1165 
1166 		if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1167 			kfree_sensitive(smp->link_key);
1168 			smp->link_key = NULL;
1169 			return;
1170 		}
1171 	} else {
1172 		/* From core spec. Spells out in ASCII as 'tmp1'. */
1173 		const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1174 
1175 		if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1176 			kfree_sensitive(smp->link_key);
1177 			smp->link_key = NULL;
1178 			return;
1179 		}
1180 	}
1181 
1182 	if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1183 		kfree_sensitive(smp->link_key);
1184 		smp->link_key = NULL;
1185 		return;
1186 	}
1187 }
1188 
1189 static void smp_allow_key_dist(struct smp_chan *smp)
1190 {
1191 	/* Allow the first expected phase 3 PDU. The rest of the PDUs
1192 	 * will be allowed in each PDU handler to ensure we receive
1193 	 * them in the correct order.
1194 	 */
1195 	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1196 		SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1197 	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1198 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1199 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
1200 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1201 }
1202 
1203 static void sc_generate_ltk(struct smp_chan *smp)
1204 {
1205 	/* From core spec. Spells out in ASCII as 'brle'. */
1206 	const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1207 	struct hci_conn *hcon = smp->conn->hcon;
1208 	struct hci_dev *hdev = hcon->hdev;
1209 	struct link_key *key;
1210 
1211 	key = hci_find_link_key(hdev, &hcon->dst);
1212 	if (!key) {
1213 		bt_dev_err(hdev, "no Link Key found to generate LTK");
1214 		return;
1215 	}
1216 
1217 	if (key->type == HCI_LK_DEBUG_COMBINATION)
1218 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1219 
1220 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1221 		/* SALT = 0x000000000000000000000000746D7032 */
1222 		const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1223 
1224 		if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1225 			return;
1226 	} else {
1227 		/* From core spec. Spells out in ASCII as 'tmp2'. */
1228 		const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1229 
1230 		if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1231 			return;
1232 	}
1233 
1234 	if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1235 		return;
1236 
1237 	sc_add_ltk(smp);
1238 }
1239 
1240 static void smp_distribute_keys(struct smp_chan *smp)
1241 {
1242 	struct smp_cmd_pairing *req, *rsp;
1243 	struct l2cap_conn *conn = smp->conn;
1244 	struct hci_conn *hcon = conn->hcon;
1245 	struct hci_dev *hdev = hcon->hdev;
1246 	__u8 *keydist;
1247 
1248 	bt_dev_dbg(hdev, "conn %p", conn);
1249 
1250 	rsp = (void *) &smp->prsp[1];
1251 
1252 	/* The responder sends its keys first */
1253 	if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1254 		smp_allow_key_dist(smp);
1255 		return;
1256 	}
1257 
1258 	req = (void *) &smp->preq[1];
1259 
1260 	if (hcon->out) {
1261 		keydist = &rsp->init_key_dist;
1262 		*keydist &= req->init_key_dist;
1263 	} else {
1264 		keydist = &rsp->resp_key_dist;
1265 		*keydist &= req->resp_key_dist;
1266 	}
1267 
1268 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1269 		if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1270 			sc_generate_link_key(smp);
1271 		if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1272 			sc_generate_ltk(smp);
1273 
1274 		/* Clear the keys which are generated but not distributed */
1275 		*keydist &= ~SMP_SC_NO_DIST;
1276 	}
1277 
1278 	bt_dev_dbg(hdev, "keydist 0x%x", *keydist);
1279 
1280 	if (*keydist & SMP_DIST_ENC_KEY) {
1281 		struct smp_cmd_encrypt_info enc;
1282 		struct smp_cmd_initiator_ident ident;
1283 		struct smp_ltk *ltk;
1284 		u8 authenticated;
1285 		__le16 ediv;
1286 		__le64 rand;
1287 
1288 		/* Make sure we generate only the significant amount of
1289 		 * bytes based on the encryption key size, and set the rest
1290 		 * of the value to zeroes.
1291 		 */
1292 		get_random_bytes(enc.ltk, smp->enc_key_size);
1293 		memset(enc.ltk + smp->enc_key_size, 0,
1294 		       sizeof(enc.ltk) - smp->enc_key_size);
1295 
1296 		get_random_bytes(&ediv, sizeof(ediv));
1297 		get_random_bytes(&rand, sizeof(rand));
1298 
1299 		smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1300 
1301 		authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1302 		ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1303 				  SMP_LTK_RESPONDER, authenticated, enc.ltk,
1304 				  smp->enc_key_size, ediv, rand);
1305 		smp->responder_ltk = ltk;
1306 
1307 		ident.ediv = ediv;
1308 		ident.rand = rand;
1309 
1310 		smp_send_cmd(conn, SMP_CMD_INITIATOR_IDENT, sizeof(ident),
1311 			     &ident);
1312 
1313 		*keydist &= ~SMP_DIST_ENC_KEY;
1314 	}
1315 
1316 	if (*keydist & SMP_DIST_ID_KEY) {
1317 		struct smp_cmd_ident_addr_info addrinfo;
1318 		struct smp_cmd_ident_info idinfo;
1319 
1320 		memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1321 
1322 		smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1323 
1324 		/* The hci_conn contains the local identity address
1325 		 * after the connection has been established.
1326 		 *
1327 		 * This is true even when the connection has been
1328 		 * established using a resolvable random address.
1329 		 */
1330 		bacpy(&addrinfo.bdaddr, &hcon->src);
1331 		addrinfo.addr_type = hcon->src_type;
1332 
1333 		smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1334 			     &addrinfo);
1335 
1336 		*keydist &= ~SMP_DIST_ID_KEY;
1337 	}
1338 
1339 	if (*keydist & SMP_DIST_SIGN) {
1340 		struct smp_cmd_sign_info sign;
1341 		struct smp_csrk *csrk;
1342 
1343 		/* Generate a new random key */
1344 		get_random_bytes(sign.csrk, sizeof(sign.csrk));
1345 
1346 		csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1347 		if (csrk) {
1348 			if (hcon->sec_level > BT_SECURITY_MEDIUM)
1349 				csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1350 			else
1351 				csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1352 			memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1353 		}
1354 		smp->responder_csrk = csrk;
1355 
1356 		smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1357 
1358 		*keydist &= ~SMP_DIST_SIGN;
1359 	}
1360 
1361 	/* If there are still keys to be received wait for them */
1362 	if (smp->remote_key_dist & KEY_DIST_MASK) {
1363 		smp_allow_key_dist(smp);
1364 		return;
1365 	}
1366 
1367 	set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1368 	smp_notify_keys(conn);
1369 
1370 	smp_chan_destroy(conn);
1371 }
1372 
1373 static void smp_timeout(struct work_struct *work)
1374 {
1375 	struct smp_chan *smp = container_of(work, struct smp_chan,
1376 					    security_timer.work);
1377 	struct l2cap_conn *conn = smp->conn;
1378 
1379 	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
1380 
1381 	hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1382 }
1383 
1384 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1385 {
1386 	struct hci_conn *hcon = conn->hcon;
1387 	struct l2cap_chan *chan = conn->smp;
1388 	struct smp_chan *smp;
1389 
1390 	smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1391 	if (!smp)
1392 		return NULL;
1393 
1394 	smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1395 	if (IS_ERR(smp->tfm_cmac)) {
1396 		bt_dev_err(hcon->hdev, "Unable to create CMAC crypto context");
1397 		goto zfree_smp;
1398 	}
1399 
1400 	smp->tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
1401 	if (IS_ERR(smp->tfm_ecdh)) {
1402 		bt_dev_err(hcon->hdev, "Unable to create ECDH crypto context");
1403 		goto free_shash;
1404 	}
1405 
1406 	smp->conn = conn;
1407 	chan->data = smp;
1408 
1409 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1410 
1411 	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1412 
1413 	hci_conn_hold(hcon);
1414 
1415 	return smp;
1416 
1417 free_shash:
1418 	crypto_free_shash(smp->tfm_cmac);
1419 zfree_smp:
1420 	kfree_sensitive(smp);
1421 	return NULL;
1422 }
1423 
1424 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1425 {
1426 	struct hci_conn *hcon = smp->conn->hcon;
1427 	u8 *na, *nb, a[7], b[7];
1428 
1429 	if (hcon->out) {
1430 		na   = smp->prnd;
1431 		nb   = smp->rrnd;
1432 	} else {
1433 		na   = smp->rrnd;
1434 		nb   = smp->prnd;
1435 	}
1436 
1437 	memcpy(a, &hcon->init_addr, 6);
1438 	memcpy(b, &hcon->resp_addr, 6);
1439 	a[6] = hcon->init_addr_type;
1440 	b[6] = hcon->resp_addr_type;
1441 
1442 	return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1443 }
1444 
1445 static void sc_dhkey_check(struct smp_chan *smp)
1446 {
1447 	struct hci_conn *hcon = smp->conn->hcon;
1448 	struct smp_cmd_dhkey_check check;
1449 	u8 a[7], b[7], *local_addr, *remote_addr;
1450 	u8 io_cap[3], r[16];
1451 
1452 	memcpy(a, &hcon->init_addr, 6);
1453 	memcpy(b, &hcon->resp_addr, 6);
1454 	a[6] = hcon->init_addr_type;
1455 	b[6] = hcon->resp_addr_type;
1456 
1457 	if (hcon->out) {
1458 		local_addr = a;
1459 		remote_addr = b;
1460 		memcpy(io_cap, &smp->preq[1], 3);
1461 	} else {
1462 		local_addr = b;
1463 		remote_addr = a;
1464 		memcpy(io_cap, &smp->prsp[1], 3);
1465 	}
1466 
1467 	memset(r, 0, sizeof(r));
1468 
1469 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1470 		put_unaligned_le32(hcon->passkey_notify, r);
1471 
1472 	if (smp->method == REQ_OOB)
1473 		memcpy(r, smp->rr, 16);
1474 
1475 	smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1476 	       local_addr, remote_addr, check.e);
1477 
1478 	smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1479 }
1480 
1481 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1482 {
1483 	struct l2cap_conn *conn = smp->conn;
1484 	struct hci_conn *hcon = conn->hcon;
1485 	struct smp_cmd_pairing_confirm cfm;
1486 	u8 r;
1487 
1488 	r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1489 	r |= 0x80;
1490 
1491 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1492 
1493 	if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1494 		   cfm.confirm_val))
1495 		return SMP_UNSPECIFIED;
1496 
1497 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1498 
1499 	return 0;
1500 }
1501 
1502 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1503 {
1504 	struct l2cap_conn *conn = smp->conn;
1505 	struct hci_conn *hcon = conn->hcon;
1506 	struct hci_dev *hdev = hcon->hdev;
1507 	u8 cfm[16], r;
1508 
1509 	/* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1510 	if (smp->passkey_round >= 20)
1511 		return 0;
1512 
1513 	switch (smp_op) {
1514 	case SMP_CMD_PAIRING_RANDOM:
1515 		r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1516 		r |= 0x80;
1517 
1518 		if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1519 			   smp->rrnd, r, cfm))
1520 			return SMP_UNSPECIFIED;
1521 
1522 		if (crypto_memneq(smp->pcnf, cfm, 16))
1523 			return SMP_CONFIRM_FAILED;
1524 
1525 		smp->passkey_round++;
1526 
1527 		if (smp->passkey_round == 20) {
1528 			/* Generate MacKey and LTK */
1529 			if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1530 				return SMP_UNSPECIFIED;
1531 		}
1532 
1533 		/* The round is only complete when the initiator
1534 		 * receives pairing random.
1535 		 */
1536 		if (!hcon->out) {
1537 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1538 				     sizeof(smp->prnd), smp->prnd);
1539 			if (smp->passkey_round == 20)
1540 				SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1541 			else
1542 				SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1543 			return 0;
1544 		}
1545 
1546 		/* Start the next round */
1547 		if (smp->passkey_round != 20)
1548 			return sc_passkey_round(smp, 0);
1549 
1550 		/* Passkey rounds are complete - start DHKey Check */
1551 		sc_dhkey_check(smp);
1552 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1553 
1554 		break;
1555 
1556 	case SMP_CMD_PAIRING_CONFIRM:
1557 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1558 			set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1559 			return 0;
1560 		}
1561 
1562 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1563 
1564 		if (hcon->out) {
1565 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1566 				     sizeof(smp->prnd), smp->prnd);
1567 			return 0;
1568 		}
1569 
1570 		return sc_passkey_send_confirm(smp);
1571 
1572 	case SMP_CMD_PUBLIC_KEY:
1573 	default:
1574 		/* Initiating device starts the round */
1575 		if (!hcon->out)
1576 			return 0;
1577 
1578 		bt_dev_dbg(hdev, "Starting passkey round %u",
1579 			   smp->passkey_round + 1);
1580 
1581 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1582 
1583 		return sc_passkey_send_confirm(smp);
1584 	}
1585 
1586 	return 0;
1587 }
1588 
1589 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1590 {
1591 	struct l2cap_conn *conn = smp->conn;
1592 	struct hci_conn *hcon = conn->hcon;
1593 	u8 smp_op;
1594 
1595 	clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1596 
1597 	switch (mgmt_op) {
1598 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1599 		smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1600 		return 0;
1601 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1602 		smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1603 		return 0;
1604 	case MGMT_OP_USER_PASSKEY_REPLY:
1605 		hcon->passkey_notify = le32_to_cpu(passkey);
1606 		smp->passkey_round = 0;
1607 
1608 		if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1609 			smp_op = SMP_CMD_PAIRING_CONFIRM;
1610 		else
1611 			smp_op = 0;
1612 
1613 		if (sc_passkey_round(smp, smp_op))
1614 			return -EIO;
1615 
1616 		return 0;
1617 	}
1618 
1619 	/* Initiator sends DHKey check first */
1620 	if (hcon->out) {
1621 		sc_dhkey_check(smp);
1622 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1623 	} else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1624 		sc_dhkey_check(smp);
1625 		sc_add_ltk(smp);
1626 	}
1627 
1628 	return 0;
1629 }
1630 
1631 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1632 {
1633 	struct l2cap_conn *conn = hcon->l2cap_data;
1634 	struct l2cap_chan *chan;
1635 	struct smp_chan *smp;
1636 	u32 value;
1637 	int err;
1638 
1639 	if (!conn)
1640 		return -ENOTCONN;
1641 
1642 	bt_dev_dbg(conn->hcon->hdev, "");
1643 
1644 	chan = conn->smp;
1645 	if (!chan)
1646 		return -ENOTCONN;
1647 
1648 	l2cap_chan_lock(chan);
1649 	if (!chan->data) {
1650 		err = -ENOTCONN;
1651 		goto unlock;
1652 	}
1653 
1654 	smp = chan->data;
1655 
1656 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1657 		err = sc_user_reply(smp, mgmt_op, passkey);
1658 		goto unlock;
1659 	}
1660 
1661 	switch (mgmt_op) {
1662 	case MGMT_OP_USER_PASSKEY_REPLY:
1663 		value = le32_to_cpu(passkey);
1664 		memset(smp->tk, 0, sizeof(smp->tk));
1665 		bt_dev_dbg(conn->hcon->hdev, "PassKey: %u", value);
1666 		put_unaligned_le32(value, smp->tk);
1667 		fallthrough;
1668 	case MGMT_OP_USER_CONFIRM_REPLY:
1669 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1670 		break;
1671 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1672 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1673 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1674 		err = 0;
1675 		goto unlock;
1676 	default:
1677 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1678 		err = -EOPNOTSUPP;
1679 		goto unlock;
1680 	}
1681 
1682 	err = 0;
1683 
1684 	/* If it is our turn to send Pairing Confirm, do so now */
1685 	if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1686 		u8 rsp = smp_confirm(smp);
1687 		if (rsp)
1688 			smp_failure(conn, rsp);
1689 	}
1690 
1691 unlock:
1692 	l2cap_chan_unlock(chan);
1693 	return err;
1694 }
1695 
1696 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1697 				    struct smp_cmd_pairing *req,
1698 				    struct smp_cmd_pairing *rsp)
1699 {
1700 	struct l2cap_conn *conn = smp->conn;
1701 	struct hci_dev *hdev = conn->hcon->hdev;
1702 	u8 local_dist = 0, remote_dist = 0;
1703 
1704 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1705 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1706 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1707 	}
1708 
1709 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1710 		remote_dist |= SMP_DIST_ID_KEY;
1711 
1712 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1713 		local_dist |= SMP_DIST_ID_KEY;
1714 
1715 	if (!rsp) {
1716 		memset(req, 0, sizeof(*req));
1717 
1718 		req->auth_req        = SMP_AUTH_CT2;
1719 		req->init_key_dist   = local_dist;
1720 		req->resp_key_dist   = remote_dist;
1721 		req->max_key_size    = conn->hcon->enc_key_size;
1722 
1723 		smp->remote_key_dist = remote_dist;
1724 
1725 		return;
1726 	}
1727 
1728 	memset(rsp, 0, sizeof(*rsp));
1729 
1730 	rsp->auth_req        = SMP_AUTH_CT2;
1731 	rsp->max_key_size    = conn->hcon->enc_key_size;
1732 	rsp->init_key_dist   = req->init_key_dist & remote_dist;
1733 	rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1734 
1735 	smp->remote_key_dist = rsp->init_key_dist;
1736 }
1737 
1738 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1739 {
1740 	struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1741 	struct l2cap_chan *chan = conn->smp;
1742 	struct hci_dev *hdev = conn->hcon->hdev;
1743 	struct smp_chan *smp;
1744 	u8 key_size, auth, sec_level;
1745 	int ret;
1746 
1747 	bt_dev_dbg(hdev, "conn %p", conn);
1748 
1749 	if (skb->len < sizeof(*req))
1750 		return SMP_INVALID_PARAMS;
1751 
1752 	if (conn->hcon->role != HCI_ROLE_SLAVE)
1753 		return SMP_CMD_NOTSUPP;
1754 
1755 	if (!chan->data)
1756 		smp = smp_chan_create(conn);
1757 	else
1758 		smp = chan->data;
1759 
1760 	if (!smp)
1761 		return SMP_UNSPECIFIED;
1762 
1763 	/* We didn't start the pairing, so match remote */
1764 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
1765 
1766 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1767 	    (auth & SMP_AUTH_BONDING))
1768 		return SMP_PAIRING_NOTSUPP;
1769 
1770 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1771 		return SMP_AUTH_REQUIREMENTS;
1772 
1773 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
1774 	memcpy(&smp->preq[1], req, sizeof(*req));
1775 	skb_pull(skb, sizeof(*req));
1776 
1777 	/* If the remote side's OOB flag is set it means it has
1778 	 * successfully received our local OOB data - therefore set the
1779 	 * flag to indicate that local OOB is in use.
1780 	 */
1781 	if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1782 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1783 
1784 	/* SMP over BR/EDR requires special treatment */
1785 	if (conn->hcon->type == ACL_LINK) {
1786 		/* We must have a BR/EDR SC link */
1787 		if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1788 		    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1789 			return SMP_CROSS_TRANSP_NOT_ALLOWED;
1790 
1791 		set_bit(SMP_FLAG_SC, &smp->flags);
1792 
1793 		build_bredr_pairing_cmd(smp, req, &rsp);
1794 
1795 		if (req->auth_req & SMP_AUTH_CT2)
1796 			set_bit(SMP_FLAG_CT2, &smp->flags);
1797 
1798 		key_size = min(req->max_key_size, rsp.max_key_size);
1799 		if (check_enc_key_size(conn, key_size))
1800 			return SMP_ENC_KEY_SIZE;
1801 
1802 		/* Clear bits which are generated but not distributed */
1803 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1804 
1805 		smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1806 		memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1807 		smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1808 
1809 		smp_distribute_keys(smp);
1810 		return 0;
1811 	}
1812 
1813 	build_pairing_cmd(conn, req, &rsp, auth);
1814 
1815 	if (rsp.auth_req & SMP_AUTH_SC) {
1816 		set_bit(SMP_FLAG_SC, &smp->flags);
1817 
1818 		if (rsp.auth_req & SMP_AUTH_CT2)
1819 			set_bit(SMP_FLAG_CT2, &smp->flags);
1820 	}
1821 
1822 	if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1823 		sec_level = BT_SECURITY_MEDIUM;
1824 	else
1825 		sec_level = authreq_to_seclevel(auth);
1826 
1827 	if (sec_level > conn->hcon->pending_sec_level)
1828 		conn->hcon->pending_sec_level = sec_level;
1829 
1830 	/* If we need MITM check that it can be achieved */
1831 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1832 		u8 method;
1833 
1834 		method = get_auth_method(smp, conn->hcon->io_capability,
1835 					 req->io_capability);
1836 		if (method == JUST_WORKS || method == JUST_CFM)
1837 			return SMP_AUTH_REQUIREMENTS;
1838 	}
1839 
1840 	key_size = min(req->max_key_size, rsp.max_key_size);
1841 	if (check_enc_key_size(conn, key_size))
1842 		return SMP_ENC_KEY_SIZE;
1843 
1844 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1845 
1846 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1847 	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1848 
1849 	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1850 
1851 	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1852 
1853 	/* Strictly speaking we shouldn't allow Pairing Confirm for the
1854 	 * SC case, however some implementations incorrectly copy RFU auth
1855 	 * req bits from our security request, which may create a false
1856 	 * positive SC enablement.
1857 	 */
1858 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1859 
1860 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1861 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1862 		/* Clear bits which are generated but not distributed */
1863 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1864 		/* Wait for Public Key from Initiating Device */
1865 		return 0;
1866 	}
1867 
1868 	/* Request setup of TK */
1869 	ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1870 	if (ret)
1871 		return SMP_UNSPECIFIED;
1872 
1873 	return 0;
1874 }
1875 
1876 static u8 sc_send_public_key(struct smp_chan *smp)
1877 {
1878 	struct hci_dev *hdev = smp->conn->hcon->hdev;
1879 
1880 	bt_dev_dbg(hdev, "");
1881 
1882 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1883 		struct l2cap_chan *chan = hdev->smp_data;
1884 		struct smp_dev *smp_dev;
1885 
1886 		if (!chan || !chan->data)
1887 			return SMP_UNSPECIFIED;
1888 
1889 		smp_dev = chan->data;
1890 
1891 		memcpy(smp->local_pk, smp_dev->local_pk, 64);
1892 		memcpy(smp->lr, smp_dev->local_rand, 16);
1893 
1894 		if (smp_dev->debug_key)
1895 			set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1896 
1897 		goto done;
1898 	}
1899 
1900 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1901 		bt_dev_dbg(hdev, "Using debug keys");
1902 		if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
1903 			return SMP_UNSPECIFIED;
1904 		memcpy(smp->local_pk, debug_pk, 64);
1905 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1906 	} else {
1907 		while (true) {
1908 			/* Generate key pair for Secure Connections */
1909 			if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
1910 				return SMP_UNSPECIFIED;
1911 
1912 			/* This is unlikely, but we need to check that
1913 			 * we didn't accidentally generate a debug key.
1914 			 */
1915 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
1916 				break;
1917 		}
1918 	}
1919 
1920 done:
1921 	SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1922 	SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1923 
1924 	smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1925 
1926 	return 0;
1927 }
1928 
1929 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1930 {
1931 	struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1932 	struct l2cap_chan *chan = conn->smp;
1933 	struct smp_chan *smp = chan->data;
1934 	struct hci_dev *hdev = conn->hcon->hdev;
1935 	u8 key_size, auth;
1936 	int ret;
1937 
1938 	bt_dev_dbg(hdev, "conn %p", conn);
1939 
1940 	if (skb->len < sizeof(*rsp))
1941 		return SMP_INVALID_PARAMS;
1942 
1943 	if (conn->hcon->role != HCI_ROLE_MASTER)
1944 		return SMP_CMD_NOTSUPP;
1945 
1946 	skb_pull(skb, sizeof(*rsp));
1947 
1948 	req = (void *) &smp->preq[1];
1949 
1950 	key_size = min(req->max_key_size, rsp->max_key_size);
1951 	if (check_enc_key_size(conn, key_size))
1952 		return SMP_ENC_KEY_SIZE;
1953 
1954 	auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1955 
1956 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1957 		return SMP_AUTH_REQUIREMENTS;
1958 
1959 	/* If the remote side's OOB flag is set it means it has
1960 	 * successfully received our local OOB data - therefore set the
1961 	 * flag to indicate that local OOB is in use.
1962 	 */
1963 	if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1964 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1965 
1966 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1967 	memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1968 
1969 	/* Update remote key distribution in case the remote cleared
1970 	 * some bits that we had enabled in our request.
1971 	 */
1972 	smp->remote_key_dist &= rsp->resp_key_dist;
1973 
1974 	if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1975 		set_bit(SMP_FLAG_CT2, &smp->flags);
1976 
1977 	/* For BR/EDR this means we're done and can start phase 3 */
1978 	if (conn->hcon->type == ACL_LINK) {
1979 		/* Clear bits which are generated but not distributed */
1980 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1981 		smp_distribute_keys(smp);
1982 		return 0;
1983 	}
1984 
1985 	if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1986 		set_bit(SMP_FLAG_SC, &smp->flags);
1987 	else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1988 		conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1989 
1990 	/* If we need MITM check that it can be achieved */
1991 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1992 		u8 method;
1993 
1994 		method = get_auth_method(smp, req->io_capability,
1995 					 rsp->io_capability);
1996 		if (method == JUST_WORKS || method == JUST_CFM)
1997 			return SMP_AUTH_REQUIREMENTS;
1998 	}
1999 
2000 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
2001 
2002 	/* Update remote key distribution in case the remote cleared
2003 	 * some bits that we had enabled in our request.
2004 	 */
2005 	smp->remote_key_dist &= rsp->resp_key_dist;
2006 
2007 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2008 		/* Clear bits which are generated but not distributed */
2009 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
2010 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2011 		return sc_send_public_key(smp);
2012 	}
2013 
2014 	auth |= req->auth_req;
2015 
2016 	ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2017 	if (ret)
2018 		return SMP_UNSPECIFIED;
2019 
2020 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2021 
2022 	/* Can't compose response until we have been confirmed */
2023 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2024 		return smp_confirm(smp);
2025 
2026 	return 0;
2027 }
2028 
2029 static u8 sc_check_confirm(struct smp_chan *smp)
2030 {
2031 	struct l2cap_conn *conn = smp->conn;
2032 
2033 	bt_dev_dbg(conn->hcon->hdev, "");
2034 
2035 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2036 		return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2037 
2038 	if (conn->hcon->out) {
2039 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2040 			     smp->prnd);
2041 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2042 	}
2043 
2044 	return 0;
2045 }
2046 
2047 /* Work-around for some implementations that incorrectly copy RFU bits
2048  * from our security request and thereby create the impression that
2049  * we're doing SC when in fact the remote doesn't support it.
2050  */
2051 static int fixup_sc_false_positive(struct smp_chan *smp)
2052 {
2053 	struct l2cap_conn *conn = smp->conn;
2054 	struct hci_conn *hcon = conn->hcon;
2055 	struct hci_dev *hdev = hcon->hdev;
2056 	struct smp_cmd_pairing *req, *rsp;
2057 	u8 auth;
2058 
2059 	/* The issue is only observed when we're in responder role */
2060 	if (hcon->out)
2061 		return SMP_UNSPECIFIED;
2062 
2063 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2064 		bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
2065 		return SMP_UNSPECIFIED;
2066 	}
2067 
2068 	bt_dev_err(hdev, "trying to fall back to legacy SMP");
2069 
2070 	req = (void *) &smp->preq[1];
2071 	rsp = (void *) &smp->prsp[1];
2072 
2073 	/* Rebuild key dist flags which may have been cleared for SC */
2074 	smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2075 
2076 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
2077 
2078 	if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2079 		bt_dev_err(hdev, "failed to fall back to legacy SMP");
2080 		return SMP_UNSPECIFIED;
2081 	}
2082 
2083 	clear_bit(SMP_FLAG_SC, &smp->flags);
2084 
2085 	return 0;
2086 }
2087 
2088 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2089 {
2090 	struct l2cap_chan *chan = conn->smp;
2091 	struct smp_chan *smp = chan->data;
2092 	struct hci_conn *hcon = conn->hcon;
2093 	struct hci_dev *hdev = hcon->hdev;
2094 
2095 	bt_dev_dbg(hdev, "conn %p %s", conn,
2096 		   hcon->out ? "initiator" : "responder");
2097 
2098 	if (skb->len < sizeof(smp->pcnf))
2099 		return SMP_INVALID_PARAMS;
2100 
2101 	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2102 	skb_pull(skb, sizeof(smp->pcnf));
2103 
2104 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2105 		int ret;
2106 
2107 		/* Public Key exchange must happen before any other steps */
2108 		if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2109 			return sc_check_confirm(smp);
2110 
2111 		bt_dev_err(hdev, "Unexpected SMP Pairing Confirm");
2112 
2113 		ret = fixup_sc_false_positive(smp);
2114 		if (ret)
2115 			return ret;
2116 	}
2117 
2118 	if (conn->hcon->out) {
2119 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2120 			     smp->prnd);
2121 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2122 		return 0;
2123 	}
2124 
2125 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2126 		return smp_confirm(smp);
2127 
2128 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2129 
2130 	return 0;
2131 }
2132 
2133 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2134 {
2135 	struct l2cap_chan *chan = conn->smp;
2136 	struct smp_chan *smp = chan->data;
2137 	struct hci_conn *hcon = conn->hcon;
2138 	u8 *pkax, *pkbx, *na, *nb, confirm_hint;
2139 	u32 passkey;
2140 	int err;
2141 
2142 	bt_dev_dbg(hcon->hdev, "conn %p", conn);
2143 
2144 	if (skb->len < sizeof(smp->rrnd))
2145 		return SMP_INVALID_PARAMS;
2146 
2147 	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2148 	skb_pull(skb, sizeof(smp->rrnd));
2149 
2150 	if (!test_bit(SMP_FLAG_SC, &smp->flags))
2151 		return smp_random(smp);
2152 
2153 	if (hcon->out) {
2154 		pkax = smp->local_pk;
2155 		pkbx = smp->remote_pk;
2156 		na   = smp->prnd;
2157 		nb   = smp->rrnd;
2158 	} else {
2159 		pkax = smp->remote_pk;
2160 		pkbx = smp->local_pk;
2161 		na   = smp->rrnd;
2162 		nb   = smp->prnd;
2163 	}
2164 
2165 	if (smp->method == REQ_OOB) {
2166 		if (!hcon->out)
2167 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2168 				     sizeof(smp->prnd), smp->prnd);
2169 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2170 		goto mackey_and_ltk;
2171 	}
2172 
2173 	/* Passkey entry has special treatment */
2174 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2175 		return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2176 
2177 	if (hcon->out) {
2178 		u8 cfm[16];
2179 
2180 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2181 			     smp->rrnd, 0, cfm);
2182 		if (err)
2183 			return SMP_UNSPECIFIED;
2184 
2185 		if (crypto_memneq(smp->pcnf, cfm, 16))
2186 			return SMP_CONFIRM_FAILED;
2187 	} else {
2188 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2189 			     smp->prnd);
2190 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2191 
2192 		/* Only Just-Works pairing requires extra checks */
2193 		if (smp->method != JUST_WORKS)
2194 			goto mackey_and_ltk;
2195 
2196 		/* If there already exists long term key in local host, leave
2197 		 * the decision to user space since the remote device could
2198 		 * be legitimate or malicious.
2199 		 */
2200 		if (hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
2201 				 hcon->role)) {
2202 			/* Set passkey to 0. The value can be any number since
2203 			 * it'll be ignored anyway.
2204 			 */
2205 			passkey = 0;
2206 			confirm_hint = 1;
2207 			goto confirm;
2208 		}
2209 	}
2210 
2211 mackey_and_ltk:
2212 	/* Generate MacKey and LTK */
2213 	err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2214 	if (err)
2215 		return SMP_UNSPECIFIED;
2216 
2217 	if (smp->method == REQ_OOB) {
2218 		if (hcon->out) {
2219 			sc_dhkey_check(smp);
2220 			SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2221 		}
2222 		return 0;
2223 	}
2224 
2225 	err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2226 	if (err)
2227 		return SMP_UNSPECIFIED;
2228 
2229 	confirm_hint = 0;
2230 
2231 confirm:
2232 	if (smp->method == JUST_WORKS)
2233 		confirm_hint = 1;
2234 
2235 	err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2236 					hcon->dst_type, passkey, confirm_hint);
2237 	if (err)
2238 		return SMP_UNSPECIFIED;
2239 
2240 	set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2241 
2242 	return 0;
2243 }
2244 
2245 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2246 {
2247 	struct smp_ltk *key;
2248 	struct hci_conn *hcon = conn->hcon;
2249 
2250 	key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2251 	if (!key)
2252 		return false;
2253 
2254 	if (smp_ltk_sec_level(key) < sec_level)
2255 		return false;
2256 
2257 	if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2258 		return true;
2259 
2260 	hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2261 	hcon->enc_key_size = key->enc_size;
2262 
2263 	/* We never store STKs for initiator role, so clear this flag */
2264 	clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2265 
2266 	return true;
2267 }
2268 
2269 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2270 			     enum smp_key_pref key_pref)
2271 {
2272 	if (sec_level == BT_SECURITY_LOW)
2273 		return true;
2274 
2275 	/* If we're encrypted with an STK but the caller prefers using
2276 	 * LTK claim insufficient security. This way we allow the
2277 	 * connection to be re-encrypted with an LTK, even if the LTK
2278 	 * provides the same level of security. Only exception is if we
2279 	 * don't have an LTK (e.g. because of key distribution bits).
2280 	 */
2281 	if (key_pref == SMP_USE_LTK &&
2282 	    test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2283 	    hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2284 		return false;
2285 
2286 	if (hcon->sec_level >= sec_level)
2287 		return true;
2288 
2289 	return false;
2290 }
2291 
2292 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2293 {
2294 	struct smp_cmd_security_req *rp = (void *) skb->data;
2295 	struct smp_cmd_pairing cp;
2296 	struct hci_conn *hcon = conn->hcon;
2297 	struct hci_dev *hdev = hcon->hdev;
2298 	struct smp_chan *smp;
2299 	u8 sec_level, auth;
2300 
2301 	bt_dev_dbg(hdev, "conn %p", conn);
2302 
2303 	if (skb->len < sizeof(*rp))
2304 		return SMP_INVALID_PARAMS;
2305 
2306 	if (hcon->role != HCI_ROLE_MASTER)
2307 		return SMP_CMD_NOTSUPP;
2308 
2309 	auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2310 
2311 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2312 		return SMP_AUTH_REQUIREMENTS;
2313 
2314 	if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2315 		sec_level = BT_SECURITY_MEDIUM;
2316 	else
2317 		sec_level = authreq_to_seclevel(auth);
2318 
2319 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2320 		/* If link is already encrypted with sufficient security we
2321 		 * still need refresh encryption as per Core Spec 5.0 Vol 3,
2322 		 * Part H 2.4.6
2323 		 */
2324 		smp_ltk_encrypt(conn, hcon->sec_level);
2325 		return 0;
2326 	}
2327 
2328 	if (sec_level > hcon->pending_sec_level)
2329 		hcon->pending_sec_level = sec_level;
2330 
2331 	if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2332 		return 0;
2333 
2334 	smp = smp_chan_create(conn);
2335 	if (!smp)
2336 		return SMP_UNSPECIFIED;
2337 
2338 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2339 	    (auth & SMP_AUTH_BONDING))
2340 		return SMP_PAIRING_NOTSUPP;
2341 
2342 	skb_pull(skb, sizeof(*rp));
2343 
2344 	memset(&cp, 0, sizeof(cp));
2345 	build_pairing_cmd(conn, &cp, NULL, auth);
2346 
2347 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2348 	memcpy(&smp->preq[1], &cp, sizeof(cp));
2349 
2350 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2351 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2352 
2353 	return 0;
2354 }
2355 
2356 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2357 {
2358 	struct l2cap_conn *conn = hcon->l2cap_data;
2359 	struct l2cap_chan *chan;
2360 	struct smp_chan *smp;
2361 	__u8 authreq;
2362 	int ret;
2363 
2364 	bt_dev_dbg(hcon->hdev, "conn %p hcon %p level 0x%2.2x", conn, hcon,
2365 		   sec_level);
2366 
2367 	/* This may be NULL if there's an unexpected disconnection */
2368 	if (!conn)
2369 		return 1;
2370 
2371 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2372 		return 1;
2373 
2374 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2375 		return 1;
2376 
2377 	if (sec_level > hcon->pending_sec_level)
2378 		hcon->pending_sec_level = sec_level;
2379 
2380 	if (hcon->role == HCI_ROLE_MASTER)
2381 		if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2382 			return 0;
2383 
2384 	chan = conn->smp;
2385 	if (!chan) {
2386 		bt_dev_err(hcon->hdev, "security requested but not available");
2387 		return 1;
2388 	}
2389 
2390 	l2cap_chan_lock(chan);
2391 
2392 	/* If SMP is already in progress ignore this request */
2393 	if (chan->data) {
2394 		ret = 0;
2395 		goto unlock;
2396 	}
2397 
2398 	smp = smp_chan_create(conn);
2399 	if (!smp) {
2400 		ret = 1;
2401 		goto unlock;
2402 	}
2403 
2404 	authreq = seclevel_to_authreq(sec_level);
2405 
2406 	if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2407 		authreq |= SMP_AUTH_SC;
2408 		if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2409 			authreq |= SMP_AUTH_CT2;
2410 	}
2411 
2412 	/* Don't attempt to set MITM if setting is overridden by debugfs
2413 	 * Needed to pass certification test SM/MAS/PKE/BV-01-C
2414 	 */
2415 	if (!hci_dev_test_flag(hcon->hdev, HCI_FORCE_NO_MITM)) {
2416 		/* Require MITM if IO Capability allows or the security level
2417 		 * requires it.
2418 		 */
2419 		if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2420 		    hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2421 			authreq |= SMP_AUTH_MITM;
2422 	}
2423 
2424 	if (hcon->role == HCI_ROLE_MASTER) {
2425 		struct smp_cmd_pairing cp;
2426 
2427 		build_pairing_cmd(conn, &cp, NULL, authreq);
2428 		smp->preq[0] = SMP_CMD_PAIRING_REQ;
2429 		memcpy(&smp->preq[1], &cp, sizeof(cp));
2430 
2431 		smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2432 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2433 	} else {
2434 		struct smp_cmd_security_req cp;
2435 		cp.auth_req = authreq;
2436 		smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2437 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2438 	}
2439 
2440 	set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2441 	ret = 0;
2442 
2443 unlock:
2444 	l2cap_chan_unlock(chan);
2445 	return ret;
2446 }
2447 
2448 int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2449 				  u8 addr_type)
2450 {
2451 	struct hci_conn *hcon;
2452 	struct l2cap_conn *conn;
2453 	struct l2cap_chan *chan;
2454 	struct smp_chan *smp;
2455 	int err;
2456 
2457 	err = hci_remove_ltk(hdev, bdaddr, addr_type);
2458 	hci_remove_irk(hdev, bdaddr, addr_type);
2459 
2460 	hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2461 	if (!hcon)
2462 		goto done;
2463 
2464 	conn = hcon->l2cap_data;
2465 	if (!conn)
2466 		goto done;
2467 
2468 	chan = conn->smp;
2469 	if (!chan)
2470 		goto done;
2471 
2472 	l2cap_chan_lock(chan);
2473 
2474 	smp = chan->data;
2475 	if (smp) {
2476 		/* Set keys to NULL to make sure smp_failure() does not try to
2477 		 * remove and free already invalidated rcu list entries. */
2478 		smp->ltk = NULL;
2479 		smp->responder_ltk = NULL;
2480 		smp->remote_irk = NULL;
2481 
2482 		if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2483 			smp_failure(conn, 0);
2484 		else
2485 			smp_failure(conn, SMP_UNSPECIFIED);
2486 		err = 0;
2487 	}
2488 
2489 	l2cap_chan_unlock(chan);
2490 
2491 done:
2492 	return err;
2493 }
2494 
2495 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2496 {
2497 	struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2498 	struct l2cap_chan *chan = conn->smp;
2499 	struct smp_chan *smp = chan->data;
2500 
2501 	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
2502 
2503 	if (skb->len < sizeof(*rp))
2504 		return SMP_INVALID_PARAMS;
2505 
2506 	/* Pairing is aborted if any blocked keys are distributed */
2507 	if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_LTK,
2508 			       rp->ltk)) {
2509 		bt_dev_warn_ratelimited(conn->hcon->hdev,
2510 					"LTK blocked for %pMR",
2511 					&conn->hcon->dst);
2512 		return SMP_INVALID_PARAMS;
2513 	}
2514 
2515 	SMP_ALLOW_CMD(smp, SMP_CMD_INITIATOR_IDENT);
2516 
2517 	skb_pull(skb, sizeof(*rp));
2518 
2519 	memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2520 
2521 	return 0;
2522 }
2523 
2524 static int smp_cmd_initiator_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2525 {
2526 	struct smp_cmd_initiator_ident *rp = (void *)skb->data;
2527 	struct l2cap_chan *chan = conn->smp;
2528 	struct smp_chan *smp = chan->data;
2529 	struct hci_dev *hdev = conn->hcon->hdev;
2530 	struct hci_conn *hcon = conn->hcon;
2531 	struct smp_ltk *ltk;
2532 	u8 authenticated;
2533 
2534 	bt_dev_dbg(hdev, "conn %p", conn);
2535 
2536 	if (skb->len < sizeof(*rp))
2537 		return SMP_INVALID_PARAMS;
2538 
2539 	/* Mark the information as received */
2540 	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2541 
2542 	if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2543 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2544 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
2545 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2546 
2547 	skb_pull(skb, sizeof(*rp));
2548 
2549 	authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2550 	ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2551 			  authenticated, smp->tk, smp->enc_key_size,
2552 			  rp->ediv, rp->rand);
2553 	smp->ltk = ltk;
2554 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2555 		smp_distribute_keys(smp);
2556 
2557 	return 0;
2558 }
2559 
2560 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2561 {
2562 	struct smp_cmd_ident_info *info = (void *) skb->data;
2563 	struct l2cap_chan *chan = conn->smp;
2564 	struct smp_chan *smp = chan->data;
2565 
2566 	bt_dev_dbg(conn->hcon->hdev, "");
2567 
2568 	if (skb->len < sizeof(*info))
2569 		return SMP_INVALID_PARAMS;
2570 
2571 	/* Pairing is aborted if any blocked keys are distributed */
2572 	if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_IRK,
2573 			       info->irk)) {
2574 		bt_dev_warn_ratelimited(conn->hcon->hdev,
2575 					"Identity key blocked for %pMR",
2576 					&conn->hcon->dst);
2577 		return SMP_INVALID_PARAMS;
2578 	}
2579 
2580 	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2581 
2582 	skb_pull(skb, sizeof(*info));
2583 
2584 	memcpy(smp->irk, info->irk, 16);
2585 
2586 	return 0;
2587 }
2588 
2589 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2590 				   struct sk_buff *skb)
2591 {
2592 	struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2593 	struct l2cap_chan *chan = conn->smp;
2594 	struct smp_chan *smp = chan->data;
2595 	struct hci_conn *hcon = conn->hcon;
2596 	bdaddr_t rpa;
2597 
2598 	bt_dev_dbg(hcon->hdev, "");
2599 
2600 	if (skb->len < sizeof(*info))
2601 		return SMP_INVALID_PARAMS;
2602 
2603 	/* Mark the information as received */
2604 	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2605 
2606 	if (smp->remote_key_dist & SMP_DIST_SIGN)
2607 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2608 
2609 	skb_pull(skb, sizeof(*info));
2610 
2611 	/* Strictly speaking the Core Specification (4.1) allows sending
2612 	 * an empty address which would force us to rely on just the IRK
2613 	 * as "identity information". However, since such
2614 	 * implementations are not known of and in order to not over
2615 	 * complicate our implementation, simply pretend that we never
2616 	 * received an IRK for such a device.
2617 	 *
2618 	 * The Identity Address must also be a Static Random or Public
2619 	 * Address, which hci_is_identity_address() checks for.
2620 	 */
2621 	if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2622 	    !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2623 		bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
2624 		goto distribute;
2625 	}
2626 
2627 	/* Drop IRK if peer is using identity address during pairing but is
2628 	 * providing different address as identity information.
2629 	 *
2630 	 * Microsoft Surface Precision Mouse is known to have this bug.
2631 	 */
2632 	if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
2633 	    (bacmp(&info->bdaddr, &hcon->dst) ||
2634 	     info->addr_type != hcon->dst_type)) {
2635 		bt_dev_err(hcon->hdev,
2636 			   "ignoring IRK with invalid identity address");
2637 		goto distribute;
2638 	}
2639 
2640 	bacpy(&smp->id_addr, &info->bdaddr);
2641 	smp->id_addr_type = info->addr_type;
2642 
2643 	if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2644 		bacpy(&rpa, &hcon->dst);
2645 	else
2646 		bacpy(&rpa, BDADDR_ANY);
2647 
2648 	smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2649 				      smp->id_addr_type, smp->irk, &rpa);
2650 
2651 distribute:
2652 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2653 		smp_distribute_keys(smp);
2654 
2655 	return 0;
2656 }
2657 
2658 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2659 {
2660 	struct smp_cmd_sign_info *rp = (void *) skb->data;
2661 	struct l2cap_chan *chan = conn->smp;
2662 	struct smp_chan *smp = chan->data;
2663 	struct smp_csrk *csrk;
2664 
2665 	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
2666 
2667 	if (skb->len < sizeof(*rp))
2668 		return SMP_INVALID_PARAMS;
2669 
2670 	/* Mark the information as received */
2671 	smp->remote_key_dist &= ~SMP_DIST_SIGN;
2672 
2673 	skb_pull(skb, sizeof(*rp));
2674 
2675 	csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2676 	if (csrk) {
2677 		if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2678 			csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2679 		else
2680 			csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2681 		memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2682 	}
2683 	smp->csrk = csrk;
2684 	smp_distribute_keys(smp);
2685 
2686 	return 0;
2687 }
2688 
2689 static u8 sc_select_method(struct smp_chan *smp)
2690 {
2691 	struct l2cap_conn *conn = smp->conn;
2692 	struct hci_conn *hcon = conn->hcon;
2693 	struct smp_cmd_pairing *local, *remote;
2694 	u8 local_mitm, remote_mitm, local_io, remote_io, method;
2695 
2696 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2697 	    test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2698 		return REQ_OOB;
2699 
2700 	/* The preq/prsp contain the raw Pairing Request/Response PDUs
2701 	 * which are needed as inputs to some crypto functions. To get
2702 	 * the "struct smp_cmd_pairing" from them we need to skip the
2703 	 * first byte which contains the opcode.
2704 	 */
2705 	if (hcon->out) {
2706 		local = (void *) &smp->preq[1];
2707 		remote = (void *) &smp->prsp[1];
2708 	} else {
2709 		local = (void *) &smp->prsp[1];
2710 		remote = (void *) &smp->preq[1];
2711 	}
2712 
2713 	local_io = local->io_capability;
2714 	remote_io = remote->io_capability;
2715 
2716 	local_mitm = (local->auth_req & SMP_AUTH_MITM);
2717 	remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2718 
2719 	/* If either side wants MITM, look up the method from the table,
2720 	 * otherwise use JUST WORKS.
2721 	 */
2722 	if (local_mitm || remote_mitm)
2723 		method = get_auth_method(smp, local_io, remote_io);
2724 	else
2725 		method = JUST_WORKS;
2726 
2727 	/* Don't confirm locally initiated pairing attempts */
2728 	if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2729 		method = JUST_WORKS;
2730 
2731 	return method;
2732 }
2733 
2734 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2735 {
2736 	struct smp_cmd_public_key *key = (void *) skb->data;
2737 	struct hci_conn *hcon = conn->hcon;
2738 	struct l2cap_chan *chan = conn->smp;
2739 	struct smp_chan *smp = chan->data;
2740 	struct hci_dev *hdev = hcon->hdev;
2741 	struct crypto_kpp *tfm_ecdh;
2742 	struct smp_cmd_pairing_confirm cfm;
2743 	int err;
2744 
2745 	bt_dev_dbg(hdev, "conn %p", conn);
2746 
2747 	if (skb->len < sizeof(*key))
2748 		return SMP_INVALID_PARAMS;
2749 
2750 	/* Check if remote and local public keys are the same and debug key is
2751 	 * not in use.
2752 	 */
2753 	if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) &&
2754 	    !crypto_memneq(key, smp->local_pk, 64)) {
2755 		bt_dev_err(hdev, "Remote and local public keys are identical");
2756 		return SMP_UNSPECIFIED;
2757 	}
2758 
2759 	memcpy(smp->remote_pk, key, 64);
2760 
2761 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2762 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2763 			     smp->rr, 0, cfm.confirm_val);
2764 		if (err)
2765 			return SMP_UNSPECIFIED;
2766 
2767 		if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2768 			return SMP_CONFIRM_FAILED;
2769 	}
2770 
2771 	/* Non-initiating device sends its public key after receiving
2772 	 * the key from the initiating device.
2773 	 */
2774 	if (!hcon->out) {
2775 		err = sc_send_public_key(smp);
2776 		if (err)
2777 			return err;
2778 	}
2779 
2780 	SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2781 	SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2782 
2783 	/* Compute the shared secret on the same crypto tfm on which the private
2784 	 * key was set/generated.
2785 	 */
2786 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
2787 		struct l2cap_chan *hchan = hdev->smp_data;
2788 		struct smp_dev *smp_dev;
2789 
2790 		if (!hchan || !hchan->data)
2791 			return SMP_UNSPECIFIED;
2792 
2793 		smp_dev = hchan->data;
2794 
2795 		tfm_ecdh = smp_dev->tfm_ecdh;
2796 	} else {
2797 		tfm_ecdh = smp->tfm_ecdh;
2798 	}
2799 
2800 	if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
2801 		return SMP_UNSPECIFIED;
2802 
2803 	SMP_DBG("DHKey %32phN", smp->dhkey);
2804 
2805 	set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2806 
2807 	smp->method = sc_select_method(smp);
2808 
2809 	bt_dev_dbg(hdev, "selected method 0x%02x", smp->method);
2810 
2811 	/* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2812 	if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2813 		hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2814 	else
2815 		hcon->pending_sec_level = BT_SECURITY_FIPS;
2816 
2817 	if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2818 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2819 
2820 	if (smp->method == DSP_PASSKEY) {
2821 		get_random_bytes(&hcon->passkey_notify,
2822 				 sizeof(hcon->passkey_notify));
2823 		hcon->passkey_notify %= 1000000;
2824 		hcon->passkey_entered = 0;
2825 		smp->passkey_round = 0;
2826 		if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2827 					     hcon->dst_type,
2828 					     hcon->passkey_notify,
2829 					     hcon->passkey_entered))
2830 			return SMP_UNSPECIFIED;
2831 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2832 		return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2833 	}
2834 
2835 	if (smp->method == REQ_OOB) {
2836 		if (hcon->out)
2837 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2838 				     sizeof(smp->prnd), smp->prnd);
2839 
2840 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2841 
2842 		return 0;
2843 	}
2844 
2845 	if (hcon->out)
2846 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2847 
2848 	if (smp->method == REQ_PASSKEY) {
2849 		if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2850 					      hcon->dst_type))
2851 			return SMP_UNSPECIFIED;
2852 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2853 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2854 		return 0;
2855 	}
2856 
2857 	/* The Initiating device waits for the non-initiating device to
2858 	 * send the confirm value.
2859 	 */
2860 	if (conn->hcon->out)
2861 		return 0;
2862 
2863 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2864 		     0, cfm.confirm_val);
2865 	if (err)
2866 		return SMP_UNSPECIFIED;
2867 
2868 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2869 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2870 
2871 	return 0;
2872 }
2873 
2874 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2875 {
2876 	struct smp_cmd_dhkey_check *check = (void *) skb->data;
2877 	struct l2cap_chan *chan = conn->smp;
2878 	struct hci_conn *hcon = conn->hcon;
2879 	struct smp_chan *smp = chan->data;
2880 	u8 a[7], b[7], *local_addr, *remote_addr;
2881 	u8 io_cap[3], r[16], e[16];
2882 	int err;
2883 
2884 	bt_dev_dbg(hcon->hdev, "conn %p", conn);
2885 
2886 	if (skb->len < sizeof(*check))
2887 		return SMP_INVALID_PARAMS;
2888 
2889 	memcpy(a, &hcon->init_addr, 6);
2890 	memcpy(b, &hcon->resp_addr, 6);
2891 	a[6] = hcon->init_addr_type;
2892 	b[6] = hcon->resp_addr_type;
2893 
2894 	if (hcon->out) {
2895 		local_addr = a;
2896 		remote_addr = b;
2897 		memcpy(io_cap, &smp->prsp[1], 3);
2898 	} else {
2899 		local_addr = b;
2900 		remote_addr = a;
2901 		memcpy(io_cap, &smp->preq[1], 3);
2902 	}
2903 
2904 	memset(r, 0, sizeof(r));
2905 
2906 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2907 		put_unaligned_le32(hcon->passkey_notify, r);
2908 	else if (smp->method == REQ_OOB)
2909 		memcpy(r, smp->lr, 16);
2910 
2911 	err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2912 		     io_cap, remote_addr, local_addr, e);
2913 	if (err)
2914 		return SMP_UNSPECIFIED;
2915 
2916 	if (crypto_memneq(check->e, e, 16))
2917 		return SMP_DHKEY_CHECK_FAILED;
2918 
2919 	if (!hcon->out) {
2920 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2921 			set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2922 			return 0;
2923 		}
2924 
2925 		/* Responder sends DHKey check as response to initiator */
2926 		sc_dhkey_check(smp);
2927 	}
2928 
2929 	sc_add_ltk(smp);
2930 
2931 	if (hcon->out) {
2932 		hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2933 		hcon->enc_key_size = smp->enc_key_size;
2934 	}
2935 
2936 	return 0;
2937 }
2938 
2939 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2940 				   struct sk_buff *skb)
2941 {
2942 	struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2943 
2944 	bt_dev_dbg(conn->hcon->hdev, "value 0x%02x", kp->value);
2945 
2946 	return 0;
2947 }
2948 
2949 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2950 {
2951 	struct l2cap_conn *conn = chan->conn;
2952 	struct hci_conn *hcon = conn->hcon;
2953 	struct smp_chan *smp;
2954 	__u8 code, reason;
2955 	int err = 0;
2956 
2957 	if (skb->len < 1)
2958 		return -EILSEQ;
2959 
2960 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2961 		reason = SMP_PAIRING_NOTSUPP;
2962 		goto done;
2963 	}
2964 
2965 	code = skb->data[0];
2966 	skb_pull(skb, sizeof(code));
2967 
2968 	smp = chan->data;
2969 
2970 	if (code > SMP_CMD_MAX)
2971 		goto drop;
2972 
2973 	if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2974 		goto drop;
2975 
2976 	/* If we don't have a context the only allowed commands are
2977 	 * pairing request and security request.
2978 	 */
2979 	if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2980 		goto drop;
2981 
2982 	switch (code) {
2983 	case SMP_CMD_PAIRING_REQ:
2984 		reason = smp_cmd_pairing_req(conn, skb);
2985 		break;
2986 
2987 	case SMP_CMD_PAIRING_FAIL:
2988 		smp_failure(conn, 0);
2989 		err = -EPERM;
2990 		break;
2991 
2992 	case SMP_CMD_PAIRING_RSP:
2993 		reason = smp_cmd_pairing_rsp(conn, skb);
2994 		break;
2995 
2996 	case SMP_CMD_SECURITY_REQ:
2997 		reason = smp_cmd_security_req(conn, skb);
2998 		break;
2999 
3000 	case SMP_CMD_PAIRING_CONFIRM:
3001 		reason = smp_cmd_pairing_confirm(conn, skb);
3002 		break;
3003 
3004 	case SMP_CMD_PAIRING_RANDOM:
3005 		reason = smp_cmd_pairing_random(conn, skb);
3006 		break;
3007 
3008 	case SMP_CMD_ENCRYPT_INFO:
3009 		reason = smp_cmd_encrypt_info(conn, skb);
3010 		break;
3011 
3012 	case SMP_CMD_INITIATOR_IDENT:
3013 		reason = smp_cmd_initiator_ident(conn, skb);
3014 		break;
3015 
3016 	case SMP_CMD_IDENT_INFO:
3017 		reason = smp_cmd_ident_info(conn, skb);
3018 		break;
3019 
3020 	case SMP_CMD_IDENT_ADDR_INFO:
3021 		reason = smp_cmd_ident_addr_info(conn, skb);
3022 		break;
3023 
3024 	case SMP_CMD_SIGN_INFO:
3025 		reason = smp_cmd_sign_info(conn, skb);
3026 		break;
3027 
3028 	case SMP_CMD_PUBLIC_KEY:
3029 		reason = smp_cmd_public_key(conn, skb);
3030 		break;
3031 
3032 	case SMP_CMD_DHKEY_CHECK:
3033 		reason = smp_cmd_dhkey_check(conn, skb);
3034 		break;
3035 
3036 	case SMP_CMD_KEYPRESS_NOTIFY:
3037 		reason = smp_cmd_keypress_notify(conn, skb);
3038 		break;
3039 
3040 	default:
3041 		bt_dev_dbg(hcon->hdev, "Unknown command code 0x%2.2x", code);
3042 		reason = SMP_CMD_NOTSUPP;
3043 		goto done;
3044 	}
3045 
3046 done:
3047 	if (!err) {
3048 		if (reason)
3049 			smp_failure(conn, reason);
3050 		kfree_skb(skb);
3051 	}
3052 
3053 	return err;
3054 
3055 drop:
3056 	bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
3057 		   code, &hcon->dst);
3058 	kfree_skb(skb);
3059 	return 0;
3060 }
3061 
3062 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
3063 {
3064 	struct l2cap_conn *conn = chan->conn;
3065 
3066 	bt_dev_dbg(conn->hcon->hdev, "chan %p", chan);
3067 
3068 	if (chan->data)
3069 		smp_chan_destroy(conn);
3070 
3071 	conn->smp = NULL;
3072 	l2cap_chan_put(chan);
3073 }
3074 
3075 static void bredr_pairing(struct l2cap_chan *chan)
3076 {
3077 	struct l2cap_conn *conn = chan->conn;
3078 	struct hci_conn *hcon = conn->hcon;
3079 	struct hci_dev *hdev = hcon->hdev;
3080 	struct smp_cmd_pairing req;
3081 	struct smp_chan *smp;
3082 
3083 	bt_dev_dbg(hdev, "chan %p", chan);
3084 
3085 	/* Only new pairings are interesting */
3086 	if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
3087 		return;
3088 
3089 	/* Don't bother if we're not encrypted */
3090 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3091 		return;
3092 
3093 	/* Only initiator may initiate SMP over BR/EDR */
3094 	if (hcon->role != HCI_ROLE_MASTER)
3095 		return;
3096 
3097 	/* Secure Connections support must be enabled */
3098 	if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
3099 		return;
3100 
3101 	/* BR/EDR must use Secure Connections for SMP */
3102 	if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
3103 	    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3104 		return;
3105 
3106 	/* If our LE support is not enabled don't do anything */
3107 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3108 		return;
3109 
3110 	/* Don't bother if remote LE support is not enabled */
3111 	if (!lmp_host_le_capable(hcon))
3112 		return;
3113 
3114 	/* Remote must support SMP fixed chan for BR/EDR */
3115 	if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3116 		return;
3117 
3118 	/* Don't bother if SMP is already ongoing */
3119 	if (chan->data)
3120 		return;
3121 
3122 	smp = smp_chan_create(conn);
3123 	if (!smp) {
3124 		bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
3125 		return;
3126 	}
3127 
3128 	set_bit(SMP_FLAG_SC, &smp->flags);
3129 
3130 	bt_dev_dbg(hdev, "starting SMP over BR/EDR");
3131 
3132 	/* Prepare and send the BR/EDR SMP Pairing Request */
3133 	build_bredr_pairing_cmd(smp, &req, NULL);
3134 
3135 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
3136 	memcpy(&smp->preq[1], &req, sizeof(req));
3137 
3138 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3139 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3140 }
3141 
3142 static void smp_resume_cb(struct l2cap_chan *chan)
3143 {
3144 	struct smp_chan *smp = chan->data;
3145 	struct l2cap_conn *conn = chan->conn;
3146 	struct hci_conn *hcon = conn->hcon;
3147 
3148 	bt_dev_dbg(hcon->hdev, "chan %p", chan);
3149 
3150 	if (hcon->type == ACL_LINK) {
3151 		bredr_pairing(chan);
3152 		return;
3153 	}
3154 
3155 	if (!smp)
3156 		return;
3157 
3158 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3159 		return;
3160 
3161 	cancel_delayed_work(&smp->security_timer);
3162 
3163 	smp_distribute_keys(smp);
3164 }
3165 
3166 static void smp_ready_cb(struct l2cap_chan *chan)
3167 {
3168 	struct l2cap_conn *conn = chan->conn;
3169 	struct hci_conn *hcon = conn->hcon;
3170 
3171 	bt_dev_dbg(hcon->hdev, "chan %p", chan);
3172 
3173 	/* No need to call l2cap_chan_hold() here since we already own
3174 	 * the reference taken in smp_new_conn_cb(). This is just the
3175 	 * first time that we tie it to a specific pointer. The code in
3176 	 * l2cap_core.c ensures that there's no risk this function wont
3177 	 * get called if smp_new_conn_cb was previously called.
3178 	 */
3179 	conn->smp = chan;
3180 
3181 	if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3182 		bredr_pairing(chan);
3183 }
3184 
3185 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3186 {
3187 	int err;
3188 
3189 	bt_dev_dbg(chan->conn->hcon->hdev, "chan %p", chan);
3190 
3191 	err = smp_sig_channel(chan, skb);
3192 	if (err) {
3193 		struct smp_chan *smp = chan->data;
3194 
3195 		if (smp)
3196 			cancel_delayed_work_sync(&smp->security_timer);
3197 
3198 		hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3199 	}
3200 
3201 	return err;
3202 }
3203 
3204 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3205 					unsigned long hdr_len,
3206 					unsigned long len, int nb)
3207 {
3208 	struct sk_buff *skb;
3209 
3210 	skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3211 	if (!skb)
3212 		return ERR_PTR(-ENOMEM);
3213 
3214 	skb->priority = HCI_PRIO_MAX;
3215 	bt_cb(skb)->l2cap.chan = chan;
3216 
3217 	return skb;
3218 }
3219 
3220 static const struct l2cap_ops smp_chan_ops = {
3221 	.name			= "Security Manager",
3222 	.ready			= smp_ready_cb,
3223 	.recv			= smp_recv_cb,
3224 	.alloc_skb		= smp_alloc_skb_cb,
3225 	.teardown		= smp_teardown_cb,
3226 	.resume			= smp_resume_cb,
3227 
3228 	.new_connection		= l2cap_chan_no_new_connection,
3229 	.state_change		= l2cap_chan_no_state_change,
3230 	.close			= l2cap_chan_no_close,
3231 	.defer			= l2cap_chan_no_defer,
3232 	.suspend		= l2cap_chan_no_suspend,
3233 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3234 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3235 };
3236 
3237 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3238 {
3239 	struct l2cap_chan *chan;
3240 
3241 	BT_DBG("pchan %p", pchan);
3242 
3243 	chan = l2cap_chan_create();
3244 	if (!chan)
3245 		return NULL;
3246 
3247 	chan->chan_type	= pchan->chan_type;
3248 	chan->ops	= &smp_chan_ops;
3249 	chan->scid	= pchan->scid;
3250 	chan->dcid	= chan->scid;
3251 	chan->imtu	= pchan->imtu;
3252 	chan->omtu	= pchan->omtu;
3253 	chan->mode	= pchan->mode;
3254 
3255 	/* Other L2CAP channels may request SMP routines in order to
3256 	 * change the security level. This means that the SMP channel
3257 	 * lock must be considered in its own category to avoid lockdep
3258 	 * warnings.
3259 	 */
3260 	atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3261 
3262 	BT_DBG("created chan %p", chan);
3263 
3264 	return chan;
3265 }
3266 
3267 static const struct l2cap_ops smp_root_chan_ops = {
3268 	.name			= "Security Manager Root",
3269 	.new_connection		= smp_new_conn_cb,
3270 
3271 	/* None of these are implemented for the root channel */
3272 	.close			= l2cap_chan_no_close,
3273 	.alloc_skb		= l2cap_chan_no_alloc_skb,
3274 	.recv			= l2cap_chan_no_recv,
3275 	.state_change		= l2cap_chan_no_state_change,
3276 	.teardown		= l2cap_chan_no_teardown,
3277 	.ready			= l2cap_chan_no_ready,
3278 	.defer			= l2cap_chan_no_defer,
3279 	.suspend		= l2cap_chan_no_suspend,
3280 	.resume			= l2cap_chan_no_resume,
3281 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3282 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3283 };
3284 
3285 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3286 {
3287 	struct l2cap_chan *chan;
3288 	struct smp_dev *smp;
3289 	struct crypto_shash *tfm_cmac;
3290 	struct crypto_kpp *tfm_ecdh;
3291 
3292 	if (cid == L2CAP_CID_SMP_BREDR) {
3293 		smp = NULL;
3294 		goto create_chan;
3295 	}
3296 
3297 	smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3298 	if (!smp)
3299 		return ERR_PTR(-ENOMEM);
3300 
3301 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3302 	if (IS_ERR(tfm_cmac)) {
3303 		bt_dev_err(hdev, "Unable to create CMAC crypto context");
3304 		kfree_sensitive(smp);
3305 		return ERR_CAST(tfm_cmac);
3306 	}
3307 
3308 	tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
3309 	if (IS_ERR(tfm_ecdh)) {
3310 		bt_dev_err(hdev, "Unable to create ECDH crypto context");
3311 		crypto_free_shash(tfm_cmac);
3312 		kfree_sensitive(smp);
3313 		return ERR_CAST(tfm_ecdh);
3314 	}
3315 
3316 	smp->local_oob = false;
3317 	smp->tfm_cmac = tfm_cmac;
3318 	smp->tfm_ecdh = tfm_ecdh;
3319 
3320 create_chan:
3321 	chan = l2cap_chan_create();
3322 	if (!chan) {
3323 		if (smp) {
3324 			crypto_free_shash(smp->tfm_cmac);
3325 			crypto_free_kpp(smp->tfm_ecdh);
3326 			kfree_sensitive(smp);
3327 		}
3328 		return ERR_PTR(-ENOMEM);
3329 	}
3330 
3331 	chan->data = smp;
3332 
3333 	l2cap_add_scid(chan, cid);
3334 
3335 	l2cap_chan_set_defaults(chan);
3336 
3337 	if (cid == L2CAP_CID_SMP) {
3338 		u8 bdaddr_type;
3339 
3340 		hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3341 
3342 		if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3343 			chan->src_type = BDADDR_LE_PUBLIC;
3344 		else
3345 			chan->src_type = BDADDR_LE_RANDOM;
3346 	} else {
3347 		bacpy(&chan->src, &hdev->bdaddr);
3348 		chan->src_type = BDADDR_BREDR;
3349 	}
3350 
3351 	chan->state = BT_LISTEN;
3352 	chan->mode = L2CAP_MODE_BASIC;
3353 	chan->imtu = L2CAP_DEFAULT_MTU;
3354 	chan->ops = &smp_root_chan_ops;
3355 
3356 	/* Set correct nesting level for a parent/listening channel */
3357 	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3358 
3359 	return chan;
3360 }
3361 
3362 static void smp_del_chan(struct l2cap_chan *chan)
3363 {
3364 	struct smp_dev *smp;
3365 
3366 	BT_DBG("chan %p", chan);
3367 
3368 	smp = chan->data;
3369 	if (smp) {
3370 		chan->data = NULL;
3371 		crypto_free_shash(smp->tfm_cmac);
3372 		crypto_free_kpp(smp->tfm_ecdh);
3373 		kfree_sensitive(smp);
3374 	}
3375 
3376 	l2cap_chan_put(chan);
3377 }
3378 
3379 int smp_force_bredr(struct hci_dev *hdev, bool enable)
3380 {
3381 	if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3382 		return -EALREADY;
3383 
3384 	if (enable) {
3385 		struct l2cap_chan *chan;
3386 
3387 		chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3388 		if (IS_ERR(chan))
3389 			return PTR_ERR(chan);
3390 
3391 		hdev->smp_bredr_data = chan;
3392 	} else {
3393 		struct l2cap_chan *chan;
3394 
3395 		chan = hdev->smp_bredr_data;
3396 		hdev->smp_bredr_data = NULL;
3397 		smp_del_chan(chan);
3398 	}
3399 
3400 	hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3401 
3402 	return 0;
3403 }
3404 
3405 int smp_register(struct hci_dev *hdev)
3406 {
3407 	struct l2cap_chan *chan;
3408 
3409 	bt_dev_dbg(hdev, "");
3410 
3411 	/* If the controller does not support Low Energy operation, then
3412 	 * there is also no need to register any SMP channel.
3413 	 */
3414 	if (!lmp_le_capable(hdev))
3415 		return 0;
3416 
3417 	if (WARN_ON(hdev->smp_data)) {
3418 		chan = hdev->smp_data;
3419 		hdev->smp_data = NULL;
3420 		smp_del_chan(chan);
3421 	}
3422 
3423 	chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3424 	if (IS_ERR(chan))
3425 		return PTR_ERR(chan);
3426 
3427 	hdev->smp_data = chan;
3428 
3429 	if (!lmp_sc_capable(hdev)) {
3430 		/* Flag can be already set here (due to power toggle) */
3431 		if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3432 			return 0;
3433 	}
3434 
3435 	if (WARN_ON(hdev->smp_bredr_data)) {
3436 		chan = hdev->smp_bredr_data;
3437 		hdev->smp_bredr_data = NULL;
3438 		smp_del_chan(chan);
3439 	}
3440 
3441 	chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3442 	if (IS_ERR(chan)) {
3443 		int err = PTR_ERR(chan);
3444 		chan = hdev->smp_data;
3445 		hdev->smp_data = NULL;
3446 		smp_del_chan(chan);
3447 		return err;
3448 	}
3449 
3450 	hdev->smp_bredr_data = chan;
3451 
3452 	return 0;
3453 }
3454 
3455 void smp_unregister(struct hci_dev *hdev)
3456 {
3457 	struct l2cap_chan *chan;
3458 
3459 	if (hdev->smp_bredr_data) {
3460 		chan = hdev->smp_bredr_data;
3461 		hdev->smp_bredr_data = NULL;
3462 		smp_del_chan(chan);
3463 	}
3464 
3465 	if (hdev->smp_data) {
3466 		chan = hdev->smp_data;
3467 		hdev->smp_data = NULL;
3468 		smp_del_chan(chan);
3469 	}
3470 }
3471 
3472 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3473 
3474 static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
3475 {
3476 	u8 pk[64];
3477 	int err;
3478 
3479 	err = set_ecdh_privkey(tfm_ecdh, debug_sk);
3480 	if (err)
3481 		return err;
3482 
3483 	err = generate_ecdh_public_key(tfm_ecdh, pk);
3484 	if (err)
3485 		return err;
3486 
3487 	if (crypto_memneq(pk, debug_pk, 64))
3488 		return -EINVAL;
3489 
3490 	return 0;
3491 }
3492 
3493 static int __init test_ah(void)
3494 {
3495 	const u8 irk[16] = {
3496 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3497 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3498 	const u8 r[3] = { 0x94, 0x81, 0x70 };
3499 	const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3500 	u8 res[3];
3501 	int err;
3502 
3503 	err = smp_ah(irk, r, res);
3504 	if (err)
3505 		return err;
3506 
3507 	if (crypto_memneq(res, exp, 3))
3508 		return -EINVAL;
3509 
3510 	return 0;
3511 }
3512 
3513 static int __init test_c1(void)
3514 {
3515 	const u8 k[16] = {
3516 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3517 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3518 	const u8 r[16] = {
3519 			0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3520 			0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3521 	const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3522 	const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3523 	const u8 _iat = 0x01;
3524 	const u8 _rat = 0x00;
3525 	const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3526 	const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3527 	const u8 exp[16] = {
3528 			0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3529 			0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3530 	u8 res[16];
3531 	int err;
3532 
3533 	err = smp_c1(k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3534 	if (err)
3535 		return err;
3536 
3537 	if (crypto_memneq(res, exp, 16))
3538 		return -EINVAL;
3539 
3540 	return 0;
3541 }
3542 
3543 static int __init test_s1(void)
3544 {
3545 	const u8 k[16] = {
3546 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3547 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3548 	const u8 r1[16] = {
3549 			0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3550 	const u8 r2[16] = {
3551 			0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3552 	const u8 exp[16] = {
3553 			0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3554 			0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3555 	u8 res[16];
3556 	int err;
3557 
3558 	err = smp_s1(k, r1, r2, res);
3559 	if (err)
3560 		return err;
3561 
3562 	if (crypto_memneq(res, exp, 16))
3563 		return -EINVAL;
3564 
3565 	return 0;
3566 }
3567 
3568 static int __init test_f4(struct crypto_shash *tfm_cmac)
3569 {
3570 	const u8 u[32] = {
3571 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3572 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3573 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3574 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3575 	const u8 v[32] = {
3576 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3577 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3578 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3579 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3580 	const u8 x[16] = {
3581 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3582 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3583 	const u8 z = 0x00;
3584 	const u8 exp[16] = {
3585 			0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3586 			0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3587 	u8 res[16];
3588 	int err;
3589 
3590 	err = smp_f4(tfm_cmac, u, v, x, z, res);
3591 	if (err)
3592 		return err;
3593 
3594 	if (crypto_memneq(res, exp, 16))
3595 		return -EINVAL;
3596 
3597 	return 0;
3598 }
3599 
3600 static int __init test_f5(struct crypto_shash *tfm_cmac)
3601 {
3602 	const u8 w[32] = {
3603 			0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3604 			0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3605 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3606 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3607 	const u8 n1[16] = {
3608 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3609 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3610 	const u8 n2[16] = {
3611 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3612 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3613 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3614 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3615 	const u8 exp_ltk[16] = {
3616 			0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3617 			0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3618 	const u8 exp_mackey[16] = {
3619 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3620 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3621 	u8 mackey[16], ltk[16];
3622 	int err;
3623 
3624 	err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3625 	if (err)
3626 		return err;
3627 
3628 	if (crypto_memneq(mackey, exp_mackey, 16))
3629 		return -EINVAL;
3630 
3631 	if (crypto_memneq(ltk, exp_ltk, 16))
3632 		return -EINVAL;
3633 
3634 	return 0;
3635 }
3636 
3637 static int __init test_f6(struct crypto_shash *tfm_cmac)
3638 {
3639 	const u8 w[16] = {
3640 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3641 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3642 	const u8 n1[16] = {
3643 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3644 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3645 	const u8 n2[16] = {
3646 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3647 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3648 	const u8 r[16] = {
3649 			0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3650 			0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3651 	const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3652 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3653 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3654 	const u8 exp[16] = {
3655 			0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3656 			0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3657 	u8 res[16];
3658 	int err;
3659 
3660 	err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3661 	if (err)
3662 		return err;
3663 
3664 	if (crypto_memneq(res, exp, 16))
3665 		return -EINVAL;
3666 
3667 	return 0;
3668 }
3669 
3670 static int __init test_g2(struct crypto_shash *tfm_cmac)
3671 {
3672 	const u8 u[32] = {
3673 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3674 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3675 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3676 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3677 	const u8 v[32] = {
3678 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3679 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3680 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3681 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3682 	const u8 x[16] = {
3683 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3684 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3685 	const u8 y[16] = {
3686 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3687 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3688 	const u32 exp_val = 0x2f9ed5ba % 1000000;
3689 	u32 val;
3690 	int err;
3691 
3692 	err = smp_g2(tfm_cmac, u, v, x, y, &val);
3693 	if (err)
3694 		return err;
3695 
3696 	if (val != exp_val)
3697 		return -EINVAL;
3698 
3699 	return 0;
3700 }
3701 
3702 static int __init test_h6(struct crypto_shash *tfm_cmac)
3703 {
3704 	const u8 w[16] = {
3705 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3706 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3707 	const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3708 	const u8 exp[16] = {
3709 			0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3710 			0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3711 	u8 res[16];
3712 	int err;
3713 
3714 	err = smp_h6(tfm_cmac, w, key_id, res);
3715 	if (err)
3716 		return err;
3717 
3718 	if (crypto_memneq(res, exp, 16))
3719 		return -EINVAL;
3720 
3721 	return 0;
3722 }
3723 
3724 static char test_smp_buffer[32];
3725 
3726 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3727 			     size_t count, loff_t *ppos)
3728 {
3729 	return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3730 				       strlen(test_smp_buffer));
3731 }
3732 
3733 static const struct file_operations test_smp_fops = {
3734 	.open		= simple_open,
3735 	.read		= test_smp_read,
3736 	.llseek		= default_llseek,
3737 };
3738 
3739 static int __init run_selftests(struct crypto_shash *tfm_cmac,
3740 				struct crypto_kpp *tfm_ecdh)
3741 {
3742 	ktime_t calltime, delta, rettime;
3743 	unsigned long long duration;
3744 	int err;
3745 
3746 	calltime = ktime_get();
3747 
3748 	err = test_debug_key(tfm_ecdh);
3749 	if (err) {
3750 		BT_ERR("debug_key test failed");
3751 		goto done;
3752 	}
3753 
3754 	err = test_ah();
3755 	if (err) {
3756 		BT_ERR("smp_ah test failed");
3757 		goto done;
3758 	}
3759 
3760 	err = test_c1();
3761 	if (err) {
3762 		BT_ERR("smp_c1 test failed");
3763 		goto done;
3764 	}
3765 
3766 	err = test_s1();
3767 	if (err) {
3768 		BT_ERR("smp_s1 test failed");
3769 		goto done;
3770 	}
3771 
3772 	err = test_f4(tfm_cmac);
3773 	if (err) {
3774 		BT_ERR("smp_f4 test failed");
3775 		goto done;
3776 	}
3777 
3778 	err = test_f5(tfm_cmac);
3779 	if (err) {
3780 		BT_ERR("smp_f5 test failed");
3781 		goto done;
3782 	}
3783 
3784 	err = test_f6(tfm_cmac);
3785 	if (err) {
3786 		BT_ERR("smp_f6 test failed");
3787 		goto done;
3788 	}
3789 
3790 	err = test_g2(tfm_cmac);
3791 	if (err) {
3792 		BT_ERR("smp_g2 test failed");
3793 		goto done;
3794 	}
3795 
3796 	err = test_h6(tfm_cmac);
3797 	if (err) {
3798 		BT_ERR("smp_h6 test failed");
3799 		goto done;
3800 	}
3801 
3802 	rettime = ktime_get();
3803 	delta = ktime_sub(rettime, calltime);
3804 	duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3805 
3806 	BT_INFO("SMP test passed in %llu usecs", duration);
3807 
3808 done:
3809 	if (!err)
3810 		snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3811 			 "PASS (%llu usecs)\n", duration);
3812 	else
3813 		snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3814 
3815 	debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3816 			    &test_smp_fops);
3817 
3818 	return err;
3819 }
3820 
3821 int __init bt_selftest_smp(void)
3822 {
3823 	struct crypto_shash *tfm_cmac;
3824 	struct crypto_kpp *tfm_ecdh;
3825 	int err;
3826 
3827 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3828 	if (IS_ERR(tfm_cmac)) {
3829 		BT_ERR("Unable to create CMAC crypto context");
3830 		return PTR_ERR(tfm_cmac);
3831 	}
3832 
3833 	tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
3834 	if (IS_ERR(tfm_ecdh)) {
3835 		BT_ERR("Unable to create ECDH crypto context");
3836 		crypto_free_shash(tfm_cmac);
3837 		return PTR_ERR(tfm_ecdh);
3838 	}
3839 
3840 	err = run_selftests(tfm_cmac, tfm_ecdh);
3841 
3842 	crypto_free_shash(tfm_cmac);
3843 	crypto_free_kpp(tfm_ecdh);
3844 
3845 	return err;
3846 }
3847 
3848 #endif
3849