xref: /openbmc/linux/net/bluetooth/smp.c (revision cd1e565a5b7fa60c349ca8a16db1e61715fe8230)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4 
5    This program is free software; you can redistribute it and/or modify
6    it under the terms of the GNU General Public License version 2 as
7    published by the Free Software Foundation;
8 
9    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 
18    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20    SOFTWARE IS DISCLAIMED.
21 */
22 
23 #include <linux/debugfs.h>
24 #include <linux/scatterlist.h>
25 #include <linux/crypto.h>
26 #include <crypto/aes.h>
27 #include <crypto/algapi.h>
28 #include <crypto/hash.h>
29 #include <crypto/kpp.h>
30 
31 #include <net/bluetooth/bluetooth.h>
32 #include <net/bluetooth/hci_core.h>
33 #include <net/bluetooth/l2cap.h>
34 #include <net/bluetooth/mgmt.h>
35 
36 #include "ecdh_helper.h"
37 #include "smp.h"
38 
39 #define SMP_DEV(hdev) \
40 	((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
41 
42 /* Low-level debug macros to be used for stuff that we don't want
43  * accidentally in dmesg, i.e. the values of the various crypto keys
44  * and the inputs & outputs of crypto functions.
45  */
46 #ifdef DEBUG
47 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
48 				 ##__VA_ARGS__)
49 #else
50 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
51 				    ##__VA_ARGS__)
52 #endif
53 
54 #define SMP_ALLOW_CMD(smp, code)	set_bit(code, &smp->allow_cmd)
55 
56 /* Keys which are not distributed with Secure Connections */
57 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY)
58 
59 #define SMP_TIMEOUT	msecs_to_jiffies(30000)
60 
61 #define ID_ADDR_TIMEOUT	msecs_to_jiffies(200)
62 
63 #define AUTH_REQ_MASK(dev)	(hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
64 				 0x3f : 0x07)
65 #define KEY_DIST_MASK		0x07
66 
67 /* Maximum message length that can be passed to aes_cmac */
68 #define CMAC_MSG_MAX	80
69 
70 enum {
71 	SMP_FLAG_TK_VALID,
72 	SMP_FLAG_CFM_PENDING,
73 	SMP_FLAG_MITM_AUTH,
74 	SMP_FLAG_COMPLETE,
75 	SMP_FLAG_INITIATOR,
76 	SMP_FLAG_SC,
77 	SMP_FLAG_REMOTE_PK,
78 	SMP_FLAG_DEBUG_KEY,
79 	SMP_FLAG_WAIT_USER,
80 	SMP_FLAG_DHKEY_PENDING,
81 	SMP_FLAG_REMOTE_OOB,
82 	SMP_FLAG_LOCAL_OOB,
83 	SMP_FLAG_CT2,
84 };
85 
86 struct smp_dev {
87 	/* Secure Connections OOB data */
88 	bool			local_oob;
89 	u8			local_pk[64];
90 	u8			local_rand[16];
91 	bool			debug_key;
92 
93 	struct crypto_shash	*tfm_cmac;
94 	struct crypto_kpp	*tfm_ecdh;
95 };
96 
97 struct smp_chan {
98 	struct l2cap_conn	*conn;
99 	struct delayed_work	security_timer;
100 	unsigned long           allow_cmd; /* Bitmask of allowed commands */
101 
102 	u8		preq[7]; /* SMP Pairing Request */
103 	u8		prsp[7]; /* SMP Pairing Response */
104 	u8		prnd[16]; /* SMP Pairing Random (local) */
105 	u8		rrnd[16]; /* SMP Pairing Random (remote) */
106 	u8		pcnf[16]; /* SMP Pairing Confirm */
107 	u8		tk[16]; /* SMP Temporary Key */
108 	u8		rr[16]; /* Remote OOB ra/rb value */
109 	u8		lr[16]; /* Local OOB ra/rb value */
110 	u8		enc_key_size;
111 	u8		remote_key_dist;
112 	bdaddr_t	id_addr;
113 	u8		id_addr_type;
114 	u8		irk[16];
115 	struct smp_csrk	*csrk;
116 	struct smp_csrk	*responder_csrk;
117 	struct smp_ltk	*ltk;
118 	struct smp_ltk	*responder_ltk;
119 	struct smp_irk	*remote_irk;
120 	u8		*link_key;
121 	unsigned long	flags;
122 	u8		method;
123 	u8		passkey_round;
124 
125 	/* Secure Connections variables */
126 	u8			local_pk[64];
127 	u8			remote_pk[64];
128 	u8			dhkey[32];
129 	u8			mackey[16];
130 
131 	struct crypto_shash	*tfm_cmac;
132 	struct crypto_kpp	*tfm_ecdh;
133 };
134 
135 /* These debug key values are defined in the SMP section of the core
136  * specification. debug_pk is the public debug key and debug_sk the
137  * private debug key.
138  */
139 static const u8 debug_pk[64] = {
140 		0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
141 		0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
142 		0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
143 		0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
144 
145 		0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
146 		0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
147 		0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
148 		0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
149 };
150 
151 static const u8 debug_sk[32] = {
152 		0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
153 		0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
154 		0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
155 		0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
156 };
157 
158 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
159 {
160 	size_t i;
161 
162 	for (i = 0; i < len; i++)
163 		dst[len - 1 - i] = src[i];
164 }
165 
166 /* The following functions map to the LE SC SMP crypto functions
167  * AES-CMAC, f4, f5, f6, g2 and h6.
168  */
169 
170 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
171 		    size_t len, u8 mac[16])
172 {
173 	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
174 	int err;
175 
176 	if (len > CMAC_MSG_MAX)
177 		return -EFBIG;
178 
179 	if (!tfm) {
180 		BT_ERR("tfm %p", tfm);
181 		return -EINVAL;
182 	}
183 
184 	/* Swap key and message from LSB to MSB */
185 	swap_buf(k, tmp, 16);
186 	swap_buf(m, msg_msb, len);
187 
188 	SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
189 	SMP_DBG("key %16phN", k);
190 
191 	err = crypto_shash_setkey(tfm, tmp, 16);
192 	if (err) {
193 		BT_ERR("cipher setkey failed: %d", err);
194 		return err;
195 	}
196 
197 	err = crypto_shash_tfm_digest(tfm, msg_msb, len, mac_msb);
198 	if (err) {
199 		BT_ERR("Hash computation error %d", err);
200 		return err;
201 	}
202 
203 	swap_buf(mac_msb, mac, 16);
204 
205 	SMP_DBG("mac %16phN", mac);
206 
207 	return 0;
208 }
209 
210 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
211 		  const u8 v[32], const u8 x[16], u8 z, u8 res[16])
212 {
213 	u8 m[65];
214 	int err;
215 
216 	SMP_DBG("u %32phN", u);
217 	SMP_DBG("v %32phN", v);
218 	SMP_DBG("x %16phN z %02x", x, z);
219 
220 	m[0] = z;
221 	memcpy(m + 1, v, 32);
222 	memcpy(m + 33, u, 32);
223 
224 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
225 	if (err)
226 		return err;
227 
228 	SMP_DBG("res %16phN", res);
229 
230 	return err;
231 }
232 
233 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
234 		  const u8 n1[16], const u8 n2[16], const u8 a1[7],
235 		  const u8 a2[7], u8 mackey[16], u8 ltk[16])
236 {
237 	/* The btle, salt and length "magic" values are as defined in
238 	 * the SMP section of the Bluetooth core specification. In ASCII
239 	 * the btle value ends up being 'btle'. The salt is just a
240 	 * random number whereas length is the value 256 in little
241 	 * endian format.
242 	 */
243 	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
244 	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
245 			      0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
246 	const u8 length[2] = { 0x00, 0x01 };
247 	u8 m[53], t[16];
248 	int err;
249 
250 	SMP_DBG("w %32phN", w);
251 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
252 	SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
253 
254 	err = aes_cmac(tfm_cmac, salt, w, 32, t);
255 	if (err)
256 		return err;
257 
258 	SMP_DBG("t %16phN", t);
259 
260 	memcpy(m, length, 2);
261 	memcpy(m + 2, a2, 7);
262 	memcpy(m + 9, a1, 7);
263 	memcpy(m + 16, n2, 16);
264 	memcpy(m + 32, n1, 16);
265 	memcpy(m + 48, btle, 4);
266 
267 	m[52] = 0; /* Counter */
268 
269 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
270 	if (err)
271 		return err;
272 
273 	SMP_DBG("mackey %16phN", mackey);
274 
275 	m[52] = 1; /* Counter */
276 
277 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
278 	if (err)
279 		return err;
280 
281 	SMP_DBG("ltk %16phN", ltk);
282 
283 	return 0;
284 }
285 
286 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
287 		  const u8 n1[16], const u8 n2[16], const u8 r[16],
288 		  const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
289 		  u8 res[16])
290 {
291 	u8 m[65];
292 	int err;
293 
294 	SMP_DBG("w %16phN", w);
295 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
296 	SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
297 
298 	memcpy(m, a2, 7);
299 	memcpy(m + 7, a1, 7);
300 	memcpy(m + 14, io_cap, 3);
301 	memcpy(m + 17, r, 16);
302 	memcpy(m + 33, n2, 16);
303 	memcpy(m + 49, n1, 16);
304 
305 	err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
306 	if (err)
307 		return err;
308 
309 	SMP_DBG("res %16phN", res);
310 
311 	return err;
312 }
313 
314 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
315 		  const u8 x[16], const u8 y[16], u32 *val)
316 {
317 	u8 m[80], tmp[16];
318 	int err;
319 
320 	SMP_DBG("u %32phN", u);
321 	SMP_DBG("v %32phN", v);
322 	SMP_DBG("x %16phN y %16phN", x, y);
323 
324 	memcpy(m, y, 16);
325 	memcpy(m + 16, v, 32);
326 	memcpy(m + 48, u, 32);
327 
328 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
329 	if (err)
330 		return err;
331 
332 	*val = get_unaligned_le32(tmp);
333 	*val %= 1000000;
334 
335 	SMP_DBG("val %06u", *val);
336 
337 	return 0;
338 }
339 
340 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
341 		  const u8 key_id[4], u8 res[16])
342 {
343 	int err;
344 
345 	SMP_DBG("w %16phN key_id %4phN", w, key_id);
346 
347 	err = aes_cmac(tfm_cmac, w, key_id, 4, res);
348 	if (err)
349 		return err;
350 
351 	SMP_DBG("res %16phN", res);
352 
353 	return err;
354 }
355 
356 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
357 		  const u8 salt[16], u8 res[16])
358 {
359 	int err;
360 
361 	SMP_DBG("w %16phN salt %16phN", w, salt);
362 
363 	err = aes_cmac(tfm_cmac, salt, w, 16, res);
364 	if (err)
365 		return err;
366 
367 	SMP_DBG("res %16phN", res);
368 
369 	return err;
370 }
371 
372 /* The following functions map to the legacy SMP crypto functions e, c1,
373  * s1 and ah.
374  */
375 
376 static int smp_e(const u8 *k, u8 *r)
377 {
378 	struct crypto_aes_ctx ctx;
379 	uint8_t tmp[16], data[16];
380 	int err;
381 
382 	SMP_DBG("k %16phN r %16phN", k, r);
383 
384 	/* The most significant octet of key corresponds to k[0] */
385 	swap_buf(k, tmp, 16);
386 
387 	err = aes_expandkey(&ctx, tmp, 16);
388 	if (err) {
389 		BT_ERR("cipher setkey failed: %d", err);
390 		return err;
391 	}
392 
393 	/* Most significant octet of plaintextData corresponds to data[0] */
394 	swap_buf(r, data, 16);
395 
396 	aes_encrypt(&ctx, data, data);
397 
398 	/* Most significant octet of encryptedData corresponds to data[0] */
399 	swap_buf(data, r, 16);
400 
401 	SMP_DBG("r %16phN", r);
402 
403 	memzero_explicit(&ctx, sizeof(ctx));
404 	return err;
405 }
406 
407 static int smp_c1(const u8 k[16],
408 		  const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
409 		  const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
410 {
411 	u8 p1[16], p2[16];
412 	int err;
413 
414 	SMP_DBG("k %16phN r %16phN", k, r);
415 	SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
416 	SMP_DBG("preq %7phN pres %7phN", preq, pres);
417 
418 	memset(p1, 0, 16);
419 
420 	/* p1 = pres || preq || _rat || _iat */
421 	p1[0] = _iat;
422 	p1[1] = _rat;
423 	memcpy(p1 + 2, preq, 7);
424 	memcpy(p1 + 9, pres, 7);
425 
426 	SMP_DBG("p1 %16phN", p1);
427 
428 	/* res = r XOR p1 */
429 	crypto_xor_cpy(res, r, p1, sizeof(p1));
430 
431 	/* res = e(k, res) */
432 	err = smp_e(k, res);
433 	if (err) {
434 		BT_ERR("Encrypt data error");
435 		return err;
436 	}
437 
438 	/* p2 = padding || ia || ra */
439 	memcpy(p2, ra, 6);
440 	memcpy(p2 + 6, ia, 6);
441 	memset(p2 + 12, 0, 4);
442 
443 	SMP_DBG("p2 %16phN", p2);
444 
445 	/* res = res XOR p2 */
446 	crypto_xor(res, p2, sizeof(p2));
447 
448 	/* res = e(k, res) */
449 	err = smp_e(k, res);
450 	if (err)
451 		BT_ERR("Encrypt data error");
452 
453 	return err;
454 }
455 
456 static int smp_s1(const u8 k[16],
457 		  const u8 r1[16], const u8 r2[16], u8 _r[16])
458 {
459 	int err;
460 
461 	/* Just least significant octets from r1 and r2 are considered */
462 	memcpy(_r, r2, 8);
463 	memcpy(_r + 8, r1, 8);
464 
465 	err = smp_e(k, _r);
466 	if (err)
467 		BT_ERR("Encrypt data error");
468 
469 	return err;
470 }
471 
472 static int smp_ah(const u8 irk[16], const u8 r[3], u8 res[3])
473 {
474 	u8 _res[16];
475 	int err;
476 
477 	/* r' = padding || r */
478 	memcpy(_res, r, 3);
479 	memset(_res + 3, 0, 13);
480 
481 	err = smp_e(irk, _res);
482 	if (err) {
483 		BT_ERR("Encrypt error");
484 		return err;
485 	}
486 
487 	/* The output of the random address function ah is:
488 	 *	ah(k, r) = e(k, r') mod 2^24
489 	 * The output of the security function e is then truncated to 24 bits
490 	 * by taking the least significant 24 bits of the output of e as the
491 	 * result of ah.
492 	 */
493 	memcpy(res, _res, 3);
494 
495 	return 0;
496 }
497 
498 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
499 		     const bdaddr_t *bdaddr)
500 {
501 	struct l2cap_chan *chan = hdev->smp_data;
502 	u8 hash[3];
503 	int err;
504 
505 	if (!chan || !chan->data)
506 		return false;
507 
508 	bt_dev_dbg(hdev, "RPA %pMR IRK %*phN", bdaddr, 16, irk);
509 
510 	err = smp_ah(irk, &bdaddr->b[3], hash);
511 	if (err)
512 		return false;
513 
514 	return !crypto_memneq(bdaddr->b, hash, 3);
515 }
516 
517 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
518 {
519 	struct l2cap_chan *chan = hdev->smp_data;
520 	int err;
521 
522 	if (!chan || !chan->data)
523 		return -EOPNOTSUPP;
524 
525 	get_random_bytes(&rpa->b[3], 3);
526 
527 	rpa->b[5] &= 0x3f;	/* Clear two most significant bits */
528 	rpa->b[5] |= 0x40;	/* Set second most significant bit */
529 
530 	err = smp_ah(irk, &rpa->b[3], rpa->b);
531 	if (err < 0)
532 		return err;
533 
534 	bt_dev_dbg(hdev, "RPA %pMR", rpa);
535 
536 	return 0;
537 }
538 
539 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
540 {
541 	struct l2cap_chan *chan = hdev->smp_data;
542 	struct smp_dev *smp;
543 	int err;
544 
545 	if (!chan || !chan->data)
546 		return -EOPNOTSUPP;
547 
548 	smp = chan->data;
549 
550 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
551 		bt_dev_dbg(hdev, "Using debug keys");
552 		err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk);
553 		if (err)
554 			return err;
555 		memcpy(smp->local_pk, debug_pk, 64);
556 		smp->debug_key = true;
557 	} else {
558 		while (true) {
559 			/* Generate key pair for Secure Connections */
560 			err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk);
561 			if (err)
562 				return err;
563 
564 			/* This is unlikely, but we need to check that
565 			 * we didn't accidentally generate a debug key.
566 			 */
567 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
568 				break;
569 		}
570 		smp->debug_key = false;
571 	}
572 
573 	SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
574 	SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
575 
576 	get_random_bytes(smp->local_rand, 16);
577 
578 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
579 		     smp->local_rand, 0, hash);
580 	if (err < 0)
581 		return err;
582 
583 	memcpy(rand, smp->local_rand, 16);
584 
585 	smp->local_oob = true;
586 
587 	return 0;
588 }
589 
590 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
591 {
592 	struct l2cap_chan *chan = conn->smp;
593 	struct smp_chan *smp;
594 	struct kvec iv[2];
595 	struct msghdr msg;
596 
597 	if (!chan)
598 		return;
599 
600 	bt_dev_dbg(conn->hcon->hdev, "code 0x%2.2x", code);
601 
602 	iv[0].iov_base = &code;
603 	iv[0].iov_len = 1;
604 
605 	iv[1].iov_base = data;
606 	iv[1].iov_len = len;
607 
608 	memset(&msg, 0, sizeof(msg));
609 
610 	iov_iter_kvec(&msg.msg_iter, ITER_SOURCE, iv, 2, 1 + len);
611 
612 	l2cap_chan_send(chan, &msg, 1 + len);
613 
614 	if (!chan->data)
615 		return;
616 
617 	smp = chan->data;
618 
619 	cancel_delayed_work_sync(&smp->security_timer);
620 	schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
621 }
622 
623 static u8 authreq_to_seclevel(u8 authreq)
624 {
625 	if (authreq & SMP_AUTH_MITM) {
626 		if (authreq & SMP_AUTH_SC)
627 			return BT_SECURITY_FIPS;
628 		else
629 			return BT_SECURITY_HIGH;
630 	} else {
631 		return BT_SECURITY_MEDIUM;
632 	}
633 }
634 
635 static __u8 seclevel_to_authreq(__u8 sec_level)
636 {
637 	switch (sec_level) {
638 	case BT_SECURITY_FIPS:
639 	case BT_SECURITY_HIGH:
640 		return SMP_AUTH_MITM | SMP_AUTH_BONDING;
641 	case BT_SECURITY_MEDIUM:
642 		return SMP_AUTH_BONDING;
643 	default:
644 		return SMP_AUTH_NONE;
645 	}
646 }
647 
648 static void build_pairing_cmd(struct l2cap_conn *conn,
649 			      struct smp_cmd_pairing *req,
650 			      struct smp_cmd_pairing *rsp, __u8 authreq)
651 {
652 	struct l2cap_chan *chan = conn->smp;
653 	struct smp_chan *smp = chan->data;
654 	struct hci_conn *hcon = conn->hcon;
655 	struct hci_dev *hdev = hcon->hdev;
656 	u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
657 
658 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
659 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
660 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
661 		authreq |= SMP_AUTH_BONDING;
662 	} else {
663 		authreq &= ~SMP_AUTH_BONDING;
664 	}
665 
666 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
667 		remote_dist |= SMP_DIST_ID_KEY;
668 
669 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
670 		local_dist |= SMP_DIST_ID_KEY;
671 
672 	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
673 	    (authreq & SMP_AUTH_SC)) {
674 		struct oob_data *oob_data;
675 		u8 bdaddr_type;
676 
677 		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
678 			local_dist |= SMP_DIST_LINK_KEY;
679 			remote_dist |= SMP_DIST_LINK_KEY;
680 		}
681 
682 		if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
683 			bdaddr_type = BDADDR_LE_PUBLIC;
684 		else
685 			bdaddr_type = BDADDR_LE_RANDOM;
686 
687 		oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
688 						    bdaddr_type);
689 		if (oob_data && oob_data->present) {
690 			set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
691 			oob_flag = SMP_OOB_PRESENT;
692 			memcpy(smp->rr, oob_data->rand256, 16);
693 			memcpy(smp->pcnf, oob_data->hash256, 16);
694 			SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
695 			SMP_DBG("OOB Remote Random: %16phN", smp->rr);
696 		}
697 
698 	} else {
699 		authreq &= ~SMP_AUTH_SC;
700 	}
701 
702 	if (rsp == NULL) {
703 		req->io_capability = conn->hcon->io_capability;
704 		req->oob_flag = oob_flag;
705 		req->max_key_size = hdev->le_max_key_size;
706 		req->init_key_dist = local_dist;
707 		req->resp_key_dist = remote_dist;
708 		req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
709 
710 		smp->remote_key_dist = remote_dist;
711 		return;
712 	}
713 
714 	rsp->io_capability = conn->hcon->io_capability;
715 	rsp->oob_flag = oob_flag;
716 	rsp->max_key_size = hdev->le_max_key_size;
717 	rsp->init_key_dist = req->init_key_dist & remote_dist;
718 	rsp->resp_key_dist = req->resp_key_dist & local_dist;
719 	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
720 
721 	smp->remote_key_dist = rsp->init_key_dist;
722 }
723 
724 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
725 {
726 	struct l2cap_chan *chan = conn->smp;
727 	struct hci_dev *hdev = conn->hcon->hdev;
728 	struct smp_chan *smp = chan->data;
729 
730 	if (conn->hcon->pending_sec_level == BT_SECURITY_FIPS &&
731 	    max_key_size != SMP_MAX_ENC_KEY_SIZE)
732 		return SMP_ENC_KEY_SIZE;
733 
734 	if (max_key_size > hdev->le_max_key_size ||
735 	    max_key_size < SMP_MIN_ENC_KEY_SIZE)
736 		return SMP_ENC_KEY_SIZE;
737 
738 	smp->enc_key_size = max_key_size;
739 
740 	return 0;
741 }
742 
743 static void smp_chan_destroy(struct l2cap_conn *conn)
744 {
745 	struct l2cap_chan *chan = conn->smp;
746 	struct smp_chan *smp = chan->data;
747 	struct hci_conn *hcon = conn->hcon;
748 	bool complete;
749 
750 	BUG_ON(!smp);
751 
752 	cancel_delayed_work_sync(&smp->security_timer);
753 
754 	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
755 	mgmt_smp_complete(hcon, complete);
756 
757 	kfree_sensitive(smp->csrk);
758 	kfree_sensitive(smp->responder_csrk);
759 	kfree_sensitive(smp->link_key);
760 
761 	crypto_free_shash(smp->tfm_cmac);
762 	crypto_free_kpp(smp->tfm_ecdh);
763 
764 	/* Ensure that we don't leave any debug key around if debug key
765 	 * support hasn't been explicitly enabled.
766 	 */
767 	if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
768 	    !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
769 		list_del_rcu(&smp->ltk->list);
770 		kfree_rcu(smp->ltk, rcu);
771 		smp->ltk = NULL;
772 	}
773 
774 	/* If pairing failed clean up any keys we might have */
775 	if (!complete) {
776 		if (smp->ltk) {
777 			list_del_rcu(&smp->ltk->list);
778 			kfree_rcu(smp->ltk, rcu);
779 		}
780 
781 		if (smp->responder_ltk) {
782 			list_del_rcu(&smp->responder_ltk->list);
783 			kfree_rcu(smp->responder_ltk, rcu);
784 		}
785 
786 		if (smp->remote_irk) {
787 			list_del_rcu(&smp->remote_irk->list);
788 			kfree_rcu(smp->remote_irk, rcu);
789 		}
790 	}
791 
792 	chan->data = NULL;
793 	kfree_sensitive(smp);
794 	hci_conn_drop(hcon);
795 }
796 
797 static void smp_failure(struct l2cap_conn *conn, u8 reason)
798 {
799 	struct hci_conn *hcon = conn->hcon;
800 	struct l2cap_chan *chan = conn->smp;
801 
802 	if (reason)
803 		smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
804 			     &reason);
805 
806 	mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
807 
808 	if (chan->data)
809 		smp_chan_destroy(conn);
810 }
811 
812 #define JUST_WORKS	0x00
813 #define JUST_CFM	0x01
814 #define REQ_PASSKEY	0x02
815 #define CFM_PASSKEY	0x03
816 #define REQ_OOB		0x04
817 #define DSP_PASSKEY	0x05
818 #define OVERLAP		0xFF
819 
820 static const u8 gen_method[5][5] = {
821 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
822 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
823 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
824 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
825 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
826 };
827 
828 static const u8 sc_method[5][5] = {
829 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
830 	{ JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
831 	{ DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
832 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
833 	{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
834 };
835 
836 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
837 {
838 	/* If either side has unknown io_caps, use JUST_CFM (which gets
839 	 * converted later to JUST_WORKS if we're initiators.
840 	 */
841 	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
842 	    remote_io > SMP_IO_KEYBOARD_DISPLAY)
843 		return JUST_CFM;
844 
845 	if (test_bit(SMP_FLAG_SC, &smp->flags))
846 		return sc_method[remote_io][local_io];
847 
848 	return gen_method[remote_io][local_io];
849 }
850 
851 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
852 						u8 local_io, u8 remote_io)
853 {
854 	struct hci_conn *hcon = conn->hcon;
855 	struct l2cap_chan *chan = conn->smp;
856 	struct smp_chan *smp = chan->data;
857 	u32 passkey = 0;
858 	int ret;
859 
860 	/* Initialize key for JUST WORKS */
861 	memset(smp->tk, 0, sizeof(smp->tk));
862 	clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
863 
864 	bt_dev_dbg(hcon->hdev, "auth:%u lcl:%u rem:%u", auth, local_io,
865 		   remote_io);
866 
867 	/* If neither side wants MITM, either "just" confirm an incoming
868 	 * request or use just-works for outgoing ones. The JUST_CFM
869 	 * will be converted to JUST_WORKS if necessary later in this
870 	 * function. If either side has MITM look up the method from the
871 	 * table.
872 	 */
873 	if (!(auth & SMP_AUTH_MITM))
874 		smp->method = JUST_CFM;
875 	else
876 		smp->method = get_auth_method(smp, local_io, remote_io);
877 
878 	/* Don't confirm locally initiated pairing attempts */
879 	if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
880 						&smp->flags))
881 		smp->method = JUST_WORKS;
882 
883 	/* Don't bother user space with no IO capabilities */
884 	if (smp->method == JUST_CFM &&
885 	    hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
886 		smp->method = JUST_WORKS;
887 
888 	/* If Just Works, Continue with Zero TK and ask user-space for
889 	 * confirmation */
890 	if (smp->method == JUST_WORKS) {
891 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
892 						hcon->type,
893 						hcon->dst_type,
894 						passkey, 1);
895 		if (ret)
896 			return ret;
897 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
898 		return 0;
899 	}
900 
901 	/* If this function is used for SC -> legacy fallback we
902 	 * can only recover the just-works case.
903 	 */
904 	if (test_bit(SMP_FLAG_SC, &smp->flags))
905 		return -EINVAL;
906 
907 	/* Not Just Works/Confirm results in MITM Authentication */
908 	if (smp->method != JUST_CFM) {
909 		set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
910 		if (hcon->pending_sec_level < BT_SECURITY_HIGH)
911 			hcon->pending_sec_level = BT_SECURITY_HIGH;
912 	}
913 
914 	/* If both devices have Keyboard-Display I/O, the initiator
915 	 * Confirms and the responder Enters the passkey.
916 	 */
917 	if (smp->method == OVERLAP) {
918 		if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
919 			smp->method = CFM_PASSKEY;
920 		else
921 			smp->method = REQ_PASSKEY;
922 	}
923 
924 	/* Generate random passkey. */
925 	if (smp->method == CFM_PASSKEY) {
926 		memset(smp->tk, 0, sizeof(smp->tk));
927 		get_random_bytes(&passkey, sizeof(passkey));
928 		passkey %= 1000000;
929 		put_unaligned_le32(passkey, smp->tk);
930 		bt_dev_dbg(hcon->hdev, "PassKey: %u", passkey);
931 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
932 	}
933 
934 	if (smp->method == REQ_PASSKEY)
935 		ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
936 						hcon->type, hcon->dst_type);
937 	else if (smp->method == JUST_CFM)
938 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
939 						hcon->type, hcon->dst_type,
940 						passkey, 1);
941 	else
942 		ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
943 						hcon->type, hcon->dst_type,
944 						passkey, 0);
945 
946 	return ret;
947 }
948 
949 static u8 smp_confirm(struct smp_chan *smp)
950 {
951 	struct l2cap_conn *conn = smp->conn;
952 	struct smp_cmd_pairing_confirm cp;
953 	int ret;
954 
955 	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
956 
957 	ret = smp_c1(smp->tk, smp->prnd, smp->preq, smp->prsp,
958 		     conn->hcon->init_addr_type, &conn->hcon->init_addr,
959 		     conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
960 		     cp.confirm_val);
961 	if (ret)
962 		return SMP_UNSPECIFIED;
963 
964 	clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
965 
966 	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
967 
968 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
969 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
970 	else
971 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
972 
973 	return 0;
974 }
975 
976 static u8 smp_random(struct smp_chan *smp)
977 {
978 	struct l2cap_conn *conn = smp->conn;
979 	struct hci_conn *hcon = conn->hcon;
980 	u8 confirm[16];
981 	int ret;
982 
983 	bt_dev_dbg(conn->hcon->hdev, "conn %p %s", conn,
984 		   test_bit(SMP_FLAG_INITIATOR, &smp->flags) ? "initiator" :
985 		   "responder");
986 
987 	ret = smp_c1(smp->tk, smp->rrnd, smp->preq, smp->prsp,
988 		     hcon->init_addr_type, &hcon->init_addr,
989 		     hcon->resp_addr_type, &hcon->resp_addr, confirm);
990 	if (ret)
991 		return SMP_UNSPECIFIED;
992 
993 	if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
994 		bt_dev_err(hcon->hdev, "pairing failed "
995 			   "(confirmation values mismatch)");
996 		return SMP_CONFIRM_FAILED;
997 	}
998 
999 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1000 		u8 stk[16];
1001 		__le64 rand = 0;
1002 		__le16 ediv = 0;
1003 
1004 		smp_s1(smp->tk, smp->rrnd, smp->prnd, stk);
1005 
1006 		if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1007 			return SMP_UNSPECIFIED;
1008 
1009 		hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1010 		hcon->enc_key_size = smp->enc_key_size;
1011 		set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1012 	} else {
1013 		u8 stk[16], auth;
1014 		__le64 rand = 0;
1015 		__le16 ediv = 0;
1016 
1017 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1018 			     smp->prnd);
1019 
1020 		smp_s1(smp->tk, smp->prnd, smp->rrnd, stk);
1021 
1022 		if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1023 			auth = 1;
1024 		else
1025 			auth = 0;
1026 
1027 		/* Even though there's no _RESPONDER suffix this is the
1028 		 * responder STK we're adding for later lookup (the initiator
1029 		 * STK never needs to be stored).
1030 		 */
1031 		hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1032 			    SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1033 	}
1034 
1035 	return 0;
1036 }
1037 
1038 static void smp_notify_keys(struct l2cap_conn *conn)
1039 {
1040 	struct l2cap_chan *chan = conn->smp;
1041 	struct smp_chan *smp = chan->data;
1042 	struct hci_conn *hcon = conn->hcon;
1043 	struct hci_dev *hdev = hcon->hdev;
1044 	struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1045 	struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1046 	bool persistent;
1047 
1048 	if (hcon->type == ACL_LINK) {
1049 		if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1050 			persistent = false;
1051 		else
1052 			persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1053 					       &hcon->flags);
1054 	} else {
1055 		/* The LTKs, IRKs and CSRKs should be persistent only if
1056 		 * both sides had the bonding bit set in their
1057 		 * authentication requests.
1058 		 */
1059 		persistent = !!((req->auth_req & rsp->auth_req) &
1060 				SMP_AUTH_BONDING);
1061 	}
1062 
1063 	if (smp->remote_irk) {
1064 		mgmt_new_irk(hdev, smp->remote_irk, persistent);
1065 
1066 		/* Now that user space can be considered to know the
1067 		 * identity address track the connection based on it
1068 		 * from now on (assuming this is an LE link).
1069 		 */
1070 		if (hcon->type == LE_LINK) {
1071 			bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1072 			hcon->dst_type = smp->remote_irk->addr_type;
1073 			/* Use a short delay to make sure the new address is
1074 			 * propagated _before_ the channels.
1075 			 */
1076 			queue_delayed_work(hdev->workqueue,
1077 					   &conn->id_addr_timer,
1078 					   ID_ADDR_TIMEOUT);
1079 		}
1080 	}
1081 
1082 	if (smp->csrk) {
1083 		smp->csrk->bdaddr_type = hcon->dst_type;
1084 		bacpy(&smp->csrk->bdaddr, &hcon->dst);
1085 		mgmt_new_csrk(hdev, smp->csrk, persistent);
1086 	}
1087 
1088 	if (smp->responder_csrk) {
1089 		smp->responder_csrk->bdaddr_type = hcon->dst_type;
1090 		bacpy(&smp->responder_csrk->bdaddr, &hcon->dst);
1091 		mgmt_new_csrk(hdev, smp->responder_csrk, persistent);
1092 	}
1093 
1094 	if (smp->ltk) {
1095 		smp->ltk->bdaddr_type = hcon->dst_type;
1096 		bacpy(&smp->ltk->bdaddr, &hcon->dst);
1097 		mgmt_new_ltk(hdev, smp->ltk, persistent);
1098 	}
1099 
1100 	if (smp->responder_ltk) {
1101 		smp->responder_ltk->bdaddr_type = hcon->dst_type;
1102 		bacpy(&smp->responder_ltk->bdaddr, &hcon->dst);
1103 		mgmt_new_ltk(hdev, smp->responder_ltk, persistent);
1104 	}
1105 
1106 	if (smp->link_key) {
1107 		struct link_key *key;
1108 		u8 type;
1109 
1110 		if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1111 			type = HCI_LK_DEBUG_COMBINATION;
1112 		else if (hcon->sec_level == BT_SECURITY_FIPS)
1113 			type = HCI_LK_AUTH_COMBINATION_P256;
1114 		else
1115 			type = HCI_LK_UNAUTH_COMBINATION_P256;
1116 
1117 		key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1118 				       smp->link_key, type, 0, &persistent);
1119 		if (key) {
1120 			mgmt_new_link_key(hdev, key, persistent);
1121 
1122 			/* Don't keep debug keys around if the relevant
1123 			 * flag is not set.
1124 			 */
1125 			if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1126 			    key->type == HCI_LK_DEBUG_COMBINATION) {
1127 				list_del_rcu(&key->list);
1128 				kfree_rcu(key, rcu);
1129 			}
1130 		}
1131 	}
1132 }
1133 
1134 static void sc_add_ltk(struct smp_chan *smp)
1135 {
1136 	struct hci_conn *hcon = smp->conn->hcon;
1137 	u8 key_type, auth;
1138 
1139 	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1140 		key_type = SMP_LTK_P256_DEBUG;
1141 	else
1142 		key_type = SMP_LTK_P256;
1143 
1144 	if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1145 		auth = 1;
1146 	else
1147 		auth = 0;
1148 
1149 	smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1150 			       key_type, auth, smp->tk, smp->enc_key_size,
1151 			       0, 0);
1152 }
1153 
1154 static void sc_generate_link_key(struct smp_chan *smp)
1155 {
1156 	/* From core spec. Spells out in ASCII as 'lebr'. */
1157 	const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1158 
1159 	smp->link_key = kzalloc(16, GFP_KERNEL);
1160 	if (!smp->link_key)
1161 		return;
1162 
1163 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1164 		/* SALT = 0x000000000000000000000000746D7031 */
1165 		const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1166 
1167 		if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1168 			kfree_sensitive(smp->link_key);
1169 			smp->link_key = NULL;
1170 			return;
1171 		}
1172 	} else {
1173 		/* From core spec. Spells out in ASCII as 'tmp1'. */
1174 		const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1175 
1176 		if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1177 			kfree_sensitive(smp->link_key);
1178 			smp->link_key = NULL;
1179 			return;
1180 		}
1181 	}
1182 
1183 	if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1184 		kfree_sensitive(smp->link_key);
1185 		smp->link_key = NULL;
1186 		return;
1187 	}
1188 }
1189 
1190 static void smp_allow_key_dist(struct smp_chan *smp)
1191 {
1192 	/* Allow the first expected phase 3 PDU. The rest of the PDUs
1193 	 * will be allowed in each PDU handler to ensure we receive
1194 	 * them in the correct order.
1195 	 */
1196 	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1197 		SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1198 	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1199 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1200 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
1201 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1202 }
1203 
1204 static void sc_generate_ltk(struct smp_chan *smp)
1205 {
1206 	/* From core spec. Spells out in ASCII as 'brle'. */
1207 	const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1208 	struct hci_conn *hcon = smp->conn->hcon;
1209 	struct hci_dev *hdev = hcon->hdev;
1210 	struct link_key *key;
1211 
1212 	key = hci_find_link_key(hdev, &hcon->dst);
1213 	if (!key) {
1214 		bt_dev_err(hdev, "no Link Key found to generate LTK");
1215 		return;
1216 	}
1217 
1218 	if (key->type == HCI_LK_DEBUG_COMBINATION)
1219 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1220 
1221 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1222 		/* SALT = 0x000000000000000000000000746D7032 */
1223 		const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1224 
1225 		if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1226 			return;
1227 	} else {
1228 		/* From core spec. Spells out in ASCII as 'tmp2'. */
1229 		const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1230 
1231 		if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1232 			return;
1233 	}
1234 
1235 	if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1236 		return;
1237 
1238 	sc_add_ltk(smp);
1239 }
1240 
1241 static void smp_distribute_keys(struct smp_chan *smp)
1242 {
1243 	struct smp_cmd_pairing *req, *rsp;
1244 	struct l2cap_conn *conn = smp->conn;
1245 	struct hci_conn *hcon = conn->hcon;
1246 	struct hci_dev *hdev = hcon->hdev;
1247 	__u8 *keydist;
1248 
1249 	bt_dev_dbg(hdev, "conn %p", conn);
1250 
1251 	rsp = (void *) &smp->prsp[1];
1252 
1253 	/* The responder sends its keys first */
1254 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags) &&
1255 	    (smp->remote_key_dist & KEY_DIST_MASK)) {
1256 		smp_allow_key_dist(smp);
1257 		return;
1258 	}
1259 
1260 	req = (void *) &smp->preq[1];
1261 
1262 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1263 		keydist = &rsp->init_key_dist;
1264 		*keydist &= req->init_key_dist;
1265 	} else {
1266 		keydist = &rsp->resp_key_dist;
1267 		*keydist &= req->resp_key_dist;
1268 	}
1269 
1270 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1271 		if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1272 			sc_generate_link_key(smp);
1273 		if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1274 			sc_generate_ltk(smp);
1275 
1276 		/* Clear the keys which are generated but not distributed */
1277 		*keydist &= ~SMP_SC_NO_DIST;
1278 	}
1279 
1280 	bt_dev_dbg(hdev, "keydist 0x%x", *keydist);
1281 
1282 	if (*keydist & SMP_DIST_ENC_KEY) {
1283 		struct smp_cmd_encrypt_info enc;
1284 		struct smp_cmd_initiator_ident ident;
1285 		struct smp_ltk *ltk;
1286 		u8 authenticated;
1287 		__le16 ediv;
1288 		__le64 rand;
1289 
1290 		/* Make sure we generate only the significant amount of
1291 		 * bytes based on the encryption key size, and set the rest
1292 		 * of the value to zeroes.
1293 		 */
1294 		get_random_bytes(enc.ltk, smp->enc_key_size);
1295 		memset(enc.ltk + smp->enc_key_size, 0,
1296 		       sizeof(enc.ltk) - smp->enc_key_size);
1297 
1298 		get_random_bytes(&ediv, sizeof(ediv));
1299 		get_random_bytes(&rand, sizeof(rand));
1300 
1301 		smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1302 
1303 		authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1304 		ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1305 				  SMP_LTK_RESPONDER, authenticated, enc.ltk,
1306 				  smp->enc_key_size, ediv, rand);
1307 		smp->responder_ltk = ltk;
1308 
1309 		ident.ediv = ediv;
1310 		ident.rand = rand;
1311 
1312 		smp_send_cmd(conn, SMP_CMD_INITIATOR_IDENT, sizeof(ident),
1313 			     &ident);
1314 
1315 		*keydist &= ~SMP_DIST_ENC_KEY;
1316 	}
1317 
1318 	if (*keydist & SMP_DIST_ID_KEY) {
1319 		struct smp_cmd_ident_addr_info addrinfo;
1320 		struct smp_cmd_ident_info idinfo;
1321 
1322 		memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1323 
1324 		smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1325 
1326 		/* The hci_conn contains the local identity address
1327 		 * after the connection has been established.
1328 		 *
1329 		 * This is true even when the connection has been
1330 		 * established using a resolvable random address.
1331 		 */
1332 		bacpy(&addrinfo.bdaddr, &hcon->src);
1333 		addrinfo.addr_type = hcon->src_type;
1334 
1335 		smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1336 			     &addrinfo);
1337 
1338 		*keydist &= ~SMP_DIST_ID_KEY;
1339 	}
1340 
1341 	if (*keydist & SMP_DIST_SIGN) {
1342 		struct smp_cmd_sign_info sign;
1343 		struct smp_csrk *csrk;
1344 
1345 		/* Generate a new random key */
1346 		get_random_bytes(sign.csrk, sizeof(sign.csrk));
1347 
1348 		csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1349 		if (csrk) {
1350 			if (hcon->sec_level > BT_SECURITY_MEDIUM)
1351 				csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1352 			else
1353 				csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1354 			memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1355 		}
1356 		smp->responder_csrk = csrk;
1357 
1358 		smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1359 
1360 		*keydist &= ~SMP_DIST_SIGN;
1361 	}
1362 
1363 	/* If there are still keys to be received wait for them */
1364 	if (smp->remote_key_dist & KEY_DIST_MASK) {
1365 		smp_allow_key_dist(smp);
1366 		return;
1367 	}
1368 
1369 	set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1370 	smp_notify_keys(conn);
1371 
1372 	smp_chan_destroy(conn);
1373 }
1374 
1375 static void smp_timeout(struct work_struct *work)
1376 {
1377 	struct smp_chan *smp = container_of(work, struct smp_chan,
1378 					    security_timer.work);
1379 	struct l2cap_conn *conn = smp->conn;
1380 
1381 	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
1382 
1383 	hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1384 }
1385 
1386 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1387 {
1388 	struct hci_conn *hcon = conn->hcon;
1389 	struct l2cap_chan *chan = conn->smp;
1390 	struct smp_chan *smp;
1391 
1392 	smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1393 	if (!smp)
1394 		return NULL;
1395 
1396 	smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1397 	if (IS_ERR(smp->tfm_cmac)) {
1398 		bt_dev_err(hcon->hdev, "Unable to create CMAC crypto context");
1399 		goto zfree_smp;
1400 	}
1401 
1402 	smp->tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
1403 	if (IS_ERR(smp->tfm_ecdh)) {
1404 		bt_dev_err(hcon->hdev, "Unable to create ECDH crypto context");
1405 		goto free_shash;
1406 	}
1407 
1408 	smp->conn = conn;
1409 	chan->data = smp;
1410 
1411 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1412 
1413 	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1414 
1415 	hci_conn_hold(hcon);
1416 
1417 	return smp;
1418 
1419 free_shash:
1420 	crypto_free_shash(smp->tfm_cmac);
1421 zfree_smp:
1422 	kfree_sensitive(smp);
1423 	return NULL;
1424 }
1425 
1426 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1427 {
1428 	struct hci_conn *hcon = smp->conn->hcon;
1429 	u8 *na, *nb, a[7], b[7];
1430 
1431 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1432 		na   = smp->prnd;
1433 		nb   = smp->rrnd;
1434 	} else {
1435 		na   = smp->rrnd;
1436 		nb   = smp->prnd;
1437 	}
1438 
1439 	memcpy(a, &hcon->init_addr, 6);
1440 	memcpy(b, &hcon->resp_addr, 6);
1441 	a[6] = hcon->init_addr_type;
1442 	b[6] = hcon->resp_addr_type;
1443 
1444 	return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1445 }
1446 
1447 static void sc_dhkey_check(struct smp_chan *smp)
1448 {
1449 	struct hci_conn *hcon = smp->conn->hcon;
1450 	struct smp_cmd_dhkey_check check;
1451 	u8 a[7], b[7], *local_addr, *remote_addr;
1452 	u8 io_cap[3], r[16];
1453 
1454 	memcpy(a, &hcon->init_addr, 6);
1455 	memcpy(b, &hcon->resp_addr, 6);
1456 	a[6] = hcon->init_addr_type;
1457 	b[6] = hcon->resp_addr_type;
1458 
1459 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1460 		local_addr = a;
1461 		remote_addr = b;
1462 		memcpy(io_cap, &smp->preq[1], 3);
1463 	} else {
1464 		local_addr = b;
1465 		remote_addr = a;
1466 		memcpy(io_cap, &smp->prsp[1], 3);
1467 	}
1468 
1469 	memset(r, 0, sizeof(r));
1470 
1471 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1472 		put_unaligned_le32(hcon->passkey_notify, r);
1473 
1474 	if (smp->method == REQ_OOB)
1475 		memcpy(r, smp->rr, 16);
1476 
1477 	smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1478 	       local_addr, remote_addr, check.e);
1479 
1480 	smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1481 }
1482 
1483 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1484 {
1485 	struct l2cap_conn *conn = smp->conn;
1486 	struct hci_conn *hcon = conn->hcon;
1487 	struct smp_cmd_pairing_confirm cfm;
1488 	u8 r;
1489 
1490 	r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1491 	r |= 0x80;
1492 
1493 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1494 
1495 	if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1496 		   cfm.confirm_val))
1497 		return SMP_UNSPECIFIED;
1498 
1499 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1500 
1501 	return 0;
1502 }
1503 
1504 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1505 {
1506 	struct l2cap_conn *conn = smp->conn;
1507 	struct hci_conn *hcon = conn->hcon;
1508 	struct hci_dev *hdev = hcon->hdev;
1509 	u8 cfm[16], r;
1510 
1511 	/* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1512 	if (smp->passkey_round >= 20)
1513 		return 0;
1514 
1515 	switch (smp_op) {
1516 	case SMP_CMD_PAIRING_RANDOM:
1517 		r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1518 		r |= 0x80;
1519 
1520 		if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1521 			   smp->rrnd, r, cfm))
1522 			return SMP_UNSPECIFIED;
1523 
1524 		if (crypto_memneq(smp->pcnf, cfm, 16))
1525 			return SMP_CONFIRM_FAILED;
1526 
1527 		smp->passkey_round++;
1528 
1529 		if (smp->passkey_round == 20) {
1530 			/* Generate MacKey and LTK */
1531 			if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1532 				return SMP_UNSPECIFIED;
1533 		}
1534 
1535 		/* The round is only complete when the initiator
1536 		 * receives pairing random.
1537 		 */
1538 		if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1539 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1540 				     sizeof(smp->prnd), smp->prnd);
1541 			if (smp->passkey_round == 20)
1542 				SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1543 			else
1544 				SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1545 			return 0;
1546 		}
1547 
1548 		/* Start the next round */
1549 		if (smp->passkey_round != 20)
1550 			return sc_passkey_round(smp, 0);
1551 
1552 		/* Passkey rounds are complete - start DHKey Check */
1553 		sc_dhkey_check(smp);
1554 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1555 
1556 		break;
1557 
1558 	case SMP_CMD_PAIRING_CONFIRM:
1559 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1560 			set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1561 			return 0;
1562 		}
1563 
1564 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1565 
1566 		if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1567 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1568 				     sizeof(smp->prnd), smp->prnd);
1569 			return 0;
1570 		}
1571 
1572 		return sc_passkey_send_confirm(smp);
1573 
1574 	case SMP_CMD_PUBLIC_KEY:
1575 	default:
1576 		/* Initiating device starts the round */
1577 		if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags))
1578 			return 0;
1579 
1580 		bt_dev_dbg(hdev, "Starting passkey round %u",
1581 			   smp->passkey_round + 1);
1582 
1583 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1584 
1585 		return sc_passkey_send_confirm(smp);
1586 	}
1587 
1588 	return 0;
1589 }
1590 
1591 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1592 {
1593 	struct l2cap_conn *conn = smp->conn;
1594 	struct hci_conn *hcon = conn->hcon;
1595 	u8 smp_op;
1596 
1597 	clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1598 
1599 	switch (mgmt_op) {
1600 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1601 		smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1602 		return 0;
1603 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1604 		smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1605 		return 0;
1606 	case MGMT_OP_USER_PASSKEY_REPLY:
1607 		hcon->passkey_notify = le32_to_cpu(passkey);
1608 		smp->passkey_round = 0;
1609 
1610 		if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1611 			smp_op = SMP_CMD_PAIRING_CONFIRM;
1612 		else
1613 			smp_op = 0;
1614 
1615 		if (sc_passkey_round(smp, smp_op))
1616 			return -EIO;
1617 
1618 		return 0;
1619 	}
1620 
1621 	/* Initiator sends DHKey check first */
1622 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1623 		sc_dhkey_check(smp);
1624 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1625 	} else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1626 		sc_dhkey_check(smp);
1627 		sc_add_ltk(smp);
1628 	}
1629 
1630 	return 0;
1631 }
1632 
1633 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1634 {
1635 	struct l2cap_conn *conn = hcon->l2cap_data;
1636 	struct l2cap_chan *chan;
1637 	struct smp_chan *smp;
1638 	u32 value;
1639 	int err;
1640 
1641 	if (!conn)
1642 		return -ENOTCONN;
1643 
1644 	bt_dev_dbg(conn->hcon->hdev, "");
1645 
1646 	chan = conn->smp;
1647 	if (!chan)
1648 		return -ENOTCONN;
1649 
1650 	l2cap_chan_lock(chan);
1651 	if (!chan->data) {
1652 		err = -ENOTCONN;
1653 		goto unlock;
1654 	}
1655 
1656 	smp = chan->data;
1657 
1658 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1659 		err = sc_user_reply(smp, mgmt_op, passkey);
1660 		goto unlock;
1661 	}
1662 
1663 	switch (mgmt_op) {
1664 	case MGMT_OP_USER_PASSKEY_REPLY:
1665 		value = le32_to_cpu(passkey);
1666 		memset(smp->tk, 0, sizeof(smp->tk));
1667 		bt_dev_dbg(conn->hcon->hdev, "PassKey: %u", value);
1668 		put_unaligned_le32(value, smp->tk);
1669 		fallthrough;
1670 	case MGMT_OP_USER_CONFIRM_REPLY:
1671 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1672 		break;
1673 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1674 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1675 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1676 		err = 0;
1677 		goto unlock;
1678 	default:
1679 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1680 		err = -EOPNOTSUPP;
1681 		goto unlock;
1682 	}
1683 
1684 	err = 0;
1685 
1686 	/* If it is our turn to send Pairing Confirm, do so now */
1687 	if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1688 		u8 rsp = smp_confirm(smp);
1689 		if (rsp)
1690 			smp_failure(conn, rsp);
1691 	}
1692 
1693 unlock:
1694 	l2cap_chan_unlock(chan);
1695 	return err;
1696 }
1697 
1698 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1699 				    struct smp_cmd_pairing *req,
1700 				    struct smp_cmd_pairing *rsp)
1701 {
1702 	struct l2cap_conn *conn = smp->conn;
1703 	struct hci_dev *hdev = conn->hcon->hdev;
1704 	u8 local_dist = 0, remote_dist = 0;
1705 
1706 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1707 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1708 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1709 	}
1710 
1711 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1712 		remote_dist |= SMP_DIST_ID_KEY;
1713 
1714 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1715 		local_dist |= SMP_DIST_ID_KEY;
1716 
1717 	if (!rsp) {
1718 		memset(req, 0, sizeof(*req));
1719 
1720 		req->auth_req        = SMP_AUTH_CT2;
1721 		req->init_key_dist   = local_dist;
1722 		req->resp_key_dist   = remote_dist;
1723 		req->max_key_size    = conn->hcon->enc_key_size;
1724 
1725 		smp->remote_key_dist = remote_dist;
1726 
1727 		return;
1728 	}
1729 
1730 	memset(rsp, 0, sizeof(*rsp));
1731 
1732 	rsp->auth_req        = SMP_AUTH_CT2;
1733 	rsp->max_key_size    = conn->hcon->enc_key_size;
1734 	rsp->init_key_dist   = req->init_key_dist & remote_dist;
1735 	rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1736 
1737 	smp->remote_key_dist = rsp->init_key_dist;
1738 }
1739 
1740 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1741 {
1742 	struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1743 	struct l2cap_chan *chan = conn->smp;
1744 	struct hci_dev *hdev = conn->hcon->hdev;
1745 	struct smp_chan *smp = chan->data;
1746 	u8 key_size, auth, sec_level;
1747 	int ret;
1748 
1749 	bt_dev_dbg(hdev, "conn %p", conn);
1750 
1751 	if (skb->len < sizeof(*req))
1752 		return SMP_INVALID_PARAMS;
1753 
1754 	if (smp && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
1755 		return SMP_CMD_NOTSUPP;
1756 
1757 	if (!smp) {
1758 		smp = smp_chan_create(conn);
1759 		if (!smp)
1760 			return SMP_UNSPECIFIED;
1761 	}
1762 
1763 	/* We didn't start the pairing, so match remote */
1764 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
1765 
1766 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1767 	    (auth & SMP_AUTH_BONDING))
1768 		return SMP_PAIRING_NOTSUPP;
1769 
1770 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1771 		return SMP_AUTH_REQUIREMENTS;
1772 
1773 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
1774 	memcpy(&smp->preq[1], req, sizeof(*req));
1775 	skb_pull(skb, sizeof(*req));
1776 
1777 	/* If the remote side's OOB flag is set it means it has
1778 	 * successfully received our local OOB data - therefore set the
1779 	 * flag to indicate that local OOB is in use.
1780 	 */
1781 	if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1782 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1783 
1784 	/* SMP over BR/EDR requires special treatment */
1785 	if (conn->hcon->type == ACL_LINK) {
1786 		/* We must have a BR/EDR SC link */
1787 		if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1788 		    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1789 			return SMP_CROSS_TRANSP_NOT_ALLOWED;
1790 
1791 		set_bit(SMP_FLAG_SC, &smp->flags);
1792 
1793 		build_bredr_pairing_cmd(smp, req, &rsp);
1794 
1795 		if (req->auth_req & SMP_AUTH_CT2)
1796 			set_bit(SMP_FLAG_CT2, &smp->flags);
1797 
1798 		key_size = min(req->max_key_size, rsp.max_key_size);
1799 		if (check_enc_key_size(conn, key_size))
1800 			return SMP_ENC_KEY_SIZE;
1801 
1802 		/* Clear bits which are generated but not distributed */
1803 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1804 
1805 		smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1806 		memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1807 		smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1808 
1809 		smp_distribute_keys(smp);
1810 		return 0;
1811 	}
1812 
1813 	build_pairing_cmd(conn, req, &rsp, auth);
1814 
1815 	if (rsp.auth_req & SMP_AUTH_SC) {
1816 		set_bit(SMP_FLAG_SC, &smp->flags);
1817 
1818 		if (rsp.auth_req & SMP_AUTH_CT2)
1819 			set_bit(SMP_FLAG_CT2, &smp->flags);
1820 	}
1821 
1822 	if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1823 		sec_level = BT_SECURITY_MEDIUM;
1824 	else
1825 		sec_level = authreq_to_seclevel(auth);
1826 
1827 	if (sec_level > conn->hcon->pending_sec_level)
1828 		conn->hcon->pending_sec_level = sec_level;
1829 
1830 	/* If we need MITM check that it can be achieved */
1831 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1832 		u8 method;
1833 
1834 		method = get_auth_method(smp, conn->hcon->io_capability,
1835 					 req->io_capability);
1836 		if (method == JUST_WORKS || method == JUST_CFM)
1837 			return SMP_AUTH_REQUIREMENTS;
1838 	}
1839 
1840 	key_size = min(req->max_key_size, rsp.max_key_size);
1841 	if (check_enc_key_size(conn, key_size))
1842 		return SMP_ENC_KEY_SIZE;
1843 
1844 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1845 
1846 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1847 	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1848 
1849 	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1850 
1851 	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1852 
1853 	/* Strictly speaking we shouldn't allow Pairing Confirm for the
1854 	 * SC case, however some implementations incorrectly copy RFU auth
1855 	 * req bits from our security request, which may create a false
1856 	 * positive SC enablement.
1857 	 */
1858 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1859 
1860 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1861 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1862 		/* Clear bits which are generated but not distributed */
1863 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1864 		/* Wait for Public Key from Initiating Device */
1865 		return 0;
1866 	}
1867 
1868 	/* Request setup of TK */
1869 	ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1870 	if (ret)
1871 		return SMP_UNSPECIFIED;
1872 
1873 	return 0;
1874 }
1875 
1876 static u8 sc_send_public_key(struct smp_chan *smp)
1877 {
1878 	struct hci_dev *hdev = smp->conn->hcon->hdev;
1879 
1880 	bt_dev_dbg(hdev, "");
1881 
1882 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1883 		struct l2cap_chan *chan = hdev->smp_data;
1884 		struct smp_dev *smp_dev;
1885 
1886 		if (!chan || !chan->data)
1887 			return SMP_UNSPECIFIED;
1888 
1889 		smp_dev = chan->data;
1890 
1891 		memcpy(smp->local_pk, smp_dev->local_pk, 64);
1892 		memcpy(smp->lr, smp_dev->local_rand, 16);
1893 
1894 		if (smp_dev->debug_key)
1895 			set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1896 
1897 		goto done;
1898 	}
1899 
1900 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1901 		bt_dev_dbg(hdev, "Using debug keys");
1902 		if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
1903 			return SMP_UNSPECIFIED;
1904 		memcpy(smp->local_pk, debug_pk, 64);
1905 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1906 	} else {
1907 		while (true) {
1908 			/* Generate key pair for Secure Connections */
1909 			if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
1910 				return SMP_UNSPECIFIED;
1911 
1912 			/* This is unlikely, but we need to check that
1913 			 * we didn't accidentally generate a debug key.
1914 			 */
1915 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
1916 				break;
1917 		}
1918 	}
1919 
1920 done:
1921 	SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1922 	SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1923 
1924 	smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1925 
1926 	return 0;
1927 }
1928 
1929 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1930 {
1931 	struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1932 	struct l2cap_chan *chan = conn->smp;
1933 	struct smp_chan *smp = chan->data;
1934 	struct hci_dev *hdev = conn->hcon->hdev;
1935 	u8 key_size, auth;
1936 	int ret;
1937 
1938 	bt_dev_dbg(hdev, "conn %p", conn);
1939 
1940 	if (skb->len < sizeof(*rsp))
1941 		return SMP_INVALID_PARAMS;
1942 
1943 	if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags))
1944 		return SMP_CMD_NOTSUPP;
1945 
1946 	skb_pull(skb, sizeof(*rsp));
1947 
1948 	req = (void *) &smp->preq[1];
1949 
1950 	key_size = min(req->max_key_size, rsp->max_key_size);
1951 	if (check_enc_key_size(conn, key_size))
1952 		return SMP_ENC_KEY_SIZE;
1953 
1954 	auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1955 
1956 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1957 		return SMP_AUTH_REQUIREMENTS;
1958 
1959 	/* If the remote side's OOB flag is set it means it has
1960 	 * successfully received our local OOB data - therefore set the
1961 	 * flag to indicate that local OOB is in use.
1962 	 */
1963 	if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1964 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1965 
1966 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1967 	memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1968 
1969 	/* Update remote key distribution in case the remote cleared
1970 	 * some bits that we had enabled in our request.
1971 	 */
1972 	smp->remote_key_dist &= rsp->resp_key_dist;
1973 
1974 	if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1975 		set_bit(SMP_FLAG_CT2, &smp->flags);
1976 
1977 	/* For BR/EDR this means we're done and can start phase 3 */
1978 	if (conn->hcon->type == ACL_LINK) {
1979 		/* Clear bits which are generated but not distributed */
1980 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1981 		smp_distribute_keys(smp);
1982 		return 0;
1983 	}
1984 
1985 	if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1986 		set_bit(SMP_FLAG_SC, &smp->flags);
1987 	else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1988 		conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1989 
1990 	/* If we need MITM check that it can be achieved */
1991 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1992 		u8 method;
1993 
1994 		method = get_auth_method(smp, req->io_capability,
1995 					 rsp->io_capability);
1996 		if (method == JUST_WORKS || method == JUST_CFM)
1997 			return SMP_AUTH_REQUIREMENTS;
1998 	}
1999 
2000 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
2001 
2002 	/* Update remote key distribution in case the remote cleared
2003 	 * some bits that we had enabled in our request.
2004 	 */
2005 	smp->remote_key_dist &= rsp->resp_key_dist;
2006 
2007 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2008 		/* Clear bits which are generated but not distributed */
2009 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
2010 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2011 		return sc_send_public_key(smp);
2012 	}
2013 
2014 	auth |= req->auth_req;
2015 
2016 	ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2017 	if (ret)
2018 		return SMP_UNSPECIFIED;
2019 
2020 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2021 
2022 	/* Can't compose response until we have been confirmed */
2023 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2024 		return smp_confirm(smp);
2025 
2026 	return 0;
2027 }
2028 
2029 static u8 sc_check_confirm(struct smp_chan *smp)
2030 {
2031 	struct l2cap_conn *conn = smp->conn;
2032 
2033 	bt_dev_dbg(conn->hcon->hdev, "");
2034 
2035 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2036 		return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2037 
2038 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2039 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2040 			     smp->prnd);
2041 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2042 	}
2043 
2044 	return 0;
2045 }
2046 
2047 /* Work-around for some implementations that incorrectly copy RFU bits
2048  * from our security request and thereby create the impression that
2049  * we're doing SC when in fact the remote doesn't support it.
2050  */
2051 static int fixup_sc_false_positive(struct smp_chan *smp)
2052 {
2053 	struct l2cap_conn *conn = smp->conn;
2054 	struct hci_conn *hcon = conn->hcon;
2055 	struct hci_dev *hdev = hcon->hdev;
2056 	struct smp_cmd_pairing *req, *rsp;
2057 	u8 auth;
2058 
2059 	/* The issue is only observed when we're in responder role */
2060 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2061 		return SMP_UNSPECIFIED;
2062 
2063 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2064 		bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
2065 		return SMP_UNSPECIFIED;
2066 	}
2067 
2068 	bt_dev_err(hdev, "trying to fall back to legacy SMP");
2069 
2070 	req = (void *) &smp->preq[1];
2071 	rsp = (void *) &smp->prsp[1];
2072 
2073 	/* Rebuild key dist flags which may have been cleared for SC */
2074 	smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2075 
2076 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
2077 
2078 	if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2079 		bt_dev_err(hdev, "failed to fall back to legacy SMP");
2080 		return SMP_UNSPECIFIED;
2081 	}
2082 
2083 	clear_bit(SMP_FLAG_SC, &smp->flags);
2084 
2085 	return 0;
2086 }
2087 
2088 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2089 {
2090 	struct l2cap_chan *chan = conn->smp;
2091 	struct smp_chan *smp = chan->data;
2092 	struct hci_conn *hcon = conn->hcon;
2093 	struct hci_dev *hdev = hcon->hdev;
2094 
2095 	bt_dev_dbg(hdev, "conn %p %s", conn,
2096 		   test_bit(SMP_FLAG_INITIATOR, &smp->flags) ? "initiator" :
2097 		   "responder");
2098 
2099 	if (skb->len < sizeof(smp->pcnf))
2100 		return SMP_INVALID_PARAMS;
2101 
2102 	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2103 	skb_pull(skb, sizeof(smp->pcnf));
2104 
2105 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2106 		int ret;
2107 
2108 		/* Public Key exchange must happen before any other steps */
2109 		if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2110 			return sc_check_confirm(smp);
2111 
2112 		bt_dev_err(hdev, "Unexpected SMP Pairing Confirm");
2113 
2114 		ret = fixup_sc_false_positive(smp);
2115 		if (ret)
2116 			return ret;
2117 	}
2118 
2119 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2120 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2121 			     smp->prnd);
2122 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2123 		return 0;
2124 	}
2125 
2126 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2127 		return smp_confirm(smp);
2128 
2129 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2130 
2131 	return 0;
2132 }
2133 
2134 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2135 {
2136 	struct l2cap_chan *chan = conn->smp;
2137 	struct smp_chan *smp = chan->data;
2138 	struct hci_conn *hcon = conn->hcon;
2139 	u8 *pkax, *pkbx, *na, *nb, confirm_hint;
2140 	u32 passkey;
2141 	int err;
2142 
2143 	bt_dev_dbg(hcon->hdev, "conn %p", conn);
2144 
2145 	if (skb->len < sizeof(smp->rrnd))
2146 		return SMP_INVALID_PARAMS;
2147 
2148 	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2149 	skb_pull(skb, sizeof(smp->rrnd));
2150 
2151 	if (!test_bit(SMP_FLAG_SC, &smp->flags))
2152 		return smp_random(smp);
2153 
2154 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2155 		pkax = smp->local_pk;
2156 		pkbx = smp->remote_pk;
2157 		na   = smp->prnd;
2158 		nb   = smp->rrnd;
2159 	} else {
2160 		pkax = smp->remote_pk;
2161 		pkbx = smp->local_pk;
2162 		na   = smp->rrnd;
2163 		nb   = smp->prnd;
2164 	}
2165 
2166 	if (smp->method == REQ_OOB) {
2167 		if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2168 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2169 				     sizeof(smp->prnd), smp->prnd);
2170 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2171 		goto mackey_and_ltk;
2172 	}
2173 
2174 	/* Passkey entry has special treatment */
2175 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2176 		return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2177 
2178 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2179 		u8 cfm[16];
2180 
2181 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2182 			     smp->rrnd, 0, cfm);
2183 		if (err)
2184 			return SMP_UNSPECIFIED;
2185 
2186 		if (crypto_memneq(smp->pcnf, cfm, 16))
2187 			return SMP_CONFIRM_FAILED;
2188 	} else {
2189 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2190 			     smp->prnd);
2191 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2192 
2193 		/* Only Just-Works pairing requires extra checks */
2194 		if (smp->method != JUST_WORKS)
2195 			goto mackey_and_ltk;
2196 
2197 		/* If there already exists long term key in local host, leave
2198 		 * the decision to user space since the remote device could
2199 		 * be legitimate or malicious.
2200 		 */
2201 		if (hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
2202 				 hcon->role)) {
2203 			/* Set passkey to 0. The value can be any number since
2204 			 * it'll be ignored anyway.
2205 			 */
2206 			passkey = 0;
2207 			confirm_hint = 1;
2208 			goto confirm;
2209 		}
2210 	}
2211 
2212 mackey_and_ltk:
2213 	/* Generate MacKey and LTK */
2214 	err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2215 	if (err)
2216 		return SMP_UNSPECIFIED;
2217 
2218 	if (smp->method == REQ_OOB) {
2219 		if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2220 			sc_dhkey_check(smp);
2221 			SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2222 		}
2223 		return 0;
2224 	}
2225 
2226 	err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2227 	if (err)
2228 		return SMP_UNSPECIFIED;
2229 
2230 	confirm_hint = 0;
2231 
2232 confirm:
2233 	if (smp->method == JUST_WORKS)
2234 		confirm_hint = 1;
2235 
2236 	err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2237 					hcon->dst_type, passkey, confirm_hint);
2238 	if (err)
2239 		return SMP_UNSPECIFIED;
2240 
2241 	set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2242 
2243 	return 0;
2244 }
2245 
2246 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2247 {
2248 	struct smp_ltk *key;
2249 	struct hci_conn *hcon = conn->hcon;
2250 
2251 	key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2252 	if (!key)
2253 		return false;
2254 
2255 	if (smp_ltk_sec_level(key) < sec_level)
2256 		return false;
2257 
2258 	if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2259 		return true;
2260 
2261 	hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2262 	hcon->enc_key_size = key->enc_size;
2263 
2264 	/* We never store STKs for initiator role, so clear this flag */
2265 	clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2266 
2267 	return true;
2268 }
2269 
2270 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2271 			     enum smp_key_pref key_pref)
2272 {
2273 	if (sec_level == BT_SECURITY_LOW)
2274 		return true;
2275 
2276 	/* If we're encrypted with an STK but the caller prefers using
2277 	 * LTK claim insufficient security. This way we allow the
2278 	 * connection to be re-encrypted with an LTK, even if the LTK
2279 	 * provides the same level of security. Only exception is if we
2280 	 * don't have an LTK (e.g. because of key distribution bits).
2281 	 */
2282 	if (key_pref == SMP_USE_LTK &&
2283 	    test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2284 	    hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2285 		return false;
2286 
2287 	if (hcon->sec_level >= sec_level)
2288 		return true;
2289 
2290 	return false;
2291 }
2292 
2293 static void smp_send_pairing_req(struct smp_chan *smp, __u8 auth)
2294 {
2295 	struct smp_cmd_pairing cp;
2296 
2297 	if (smp->conn->hcon->type == ACL_LINK)
2298 		build_bredr_pairing_cmd(smp, &cp, NULL);
2299 	else
2300 		build_pairing_cmd(smp->conn, &cp, NULL, auth);
2301 
2302 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2303 	memcpy(&smp->preq[1], &cp, sizeof(cp));
2304 
2305 	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2306 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2307 
2308 	set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2309 }
2310 
2311 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2312 {
2313 	struct smp_cmd_security_req *rp = (void *) skb->data;
2314 	struct hci_conn *hcon = conn->hcon;
2315 	struct hci_dev *hdev = hcon->hdev;
2316 	struct smp_chan *smp;
2317 	u8 sec_level, auth;
2318 
2319 	bt_dev_dbg(hdev, "conn %p", conn);
2320 
2321 	if (skb->len < sizeof(*rp))
2322 		return SMP_INVALID_PARAMS;
2323 
2324 	if (hcon->role != HCI_ROLE_MASTER)
2325 		return SMP_CMD_NOTSUPP;
2326 
2327 	auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2328 
2329 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2330 		return SMP_AUTH_REQUIREMENTS;
2331 
2332 	if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2333 		sec_level = BT_SECURITY_MEDIUM;
2334 	else
2335 		sec_level = authreq_to_seclevel(auth);
2336 
2337 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2338 		/* If link is already encrypted with sufficient security we
2339 		 * still need refresh encryption as per Core Spec 5.0 Vol 3,
2340 		 * Part H 2.4.6
2341 		 */
2342 		smp_ltk_encrypt(conn, hcon->sec_level);
2343 		return 0;
2344 	}
2345 
2346 	if (sec_level > hcon->pending_sec_level)
2347 		hcon->pending_sec_level = sec_level;
2348 
2349 	if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2350 		return 0;
2351 
2352 	smp = smp_chan_create(conn);
2353 	if (!smp)
2354 		return SMP_UNSPECIFIED;
2355 
2356 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2357 	    (auth & SMP_AUTH_BONDING))
2358 		return SMP_PAIRING_NOTSUPP;
2359 
2360 	skb_pull(skb, sizeof(*rp));
2361 
2362 	smp_send_pairing_req(smp, auth);
2363 
2364 	return 0;
2365 }
2366 
2367 static void smp_send_security_req(struct smp_chan *smp, __u8 auth)
2368 {
2369 	struct smp_cmd_security_req cp;
2370 
2371 	cp.auth_req = auth;
2372 	smp_send_cmd(smp->conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2373 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2374 
2375 	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
2376 }
2377 
2378 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2379 {
2380 	struct l2cap_conn *conn = hcon->l2cap_data;
2381 	struct l2cap_chan *chan;
2382 	struct smp_chan *smp;
2383 	__u8 authreq;
2384 	int ret;
2385 
2386 	bt_dev_dbg(hcon->hdev, "conn %p hcon %p level 0x%2.2x", conn, hcon,
2387 		   sec_level);
2388 
2389 	/* This may be NULL if there's an unexpected disconnection */
2390 	if (!conn)
2391 		return 1;
2392 
2393 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2394 		return 1;
2395 
2396 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2397 		return 1;
2398 
2399 	if (sec_level > hcon->pending_sec_level)
2400 		hcon->pending_sec_level = sec_level;
2401 
2402 	if (hcon->role == HCI_ROLE_MASTER)
2403 		if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2404 			return 0;
2405 
2406 	chan = conn->smp;
2407 	if (!chan) {
2408 		bt_dev_err(hcon->hdev, "security requested but not available");
2409 		return 1;
2410 	}
2411 
2412 	l2cap_chan_lock(chan);
2413 
2414 	/* If SMP is already in progress ignore this request */
2415 	if (chan->data) {
2416 		ret = 0;
2417 		goto unlock;
2418 	}
2419 
2420 	smp = smp_chan_create(conn);
2421 	if (!smp) {
2422 		ret = 1;
2423 		goto unlock;
2424 	}
2425 
2426 	authreq = seclevel_to_authreq(sec_level);
2427 
2428 	if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2429 		authreq |= SMP_AUTH_SC;
2430 		if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2431 			authreq |= SMP_AUTH_CT2;
2432 	}
2433 
2434 	/* Don't attempt to set MITM if setting is overridden by debugfs
2435 	 * Needed to pass certification test SM/MAS/PKE/BV-01-C
2436 	 */
2437 	if (!hci_dev_test_flag(hcon->hdev, HCI_FORCE_NO_MITM)) {
2438 		/* Require MITM if IO Capability allows or the security level
2439 		 * requires it.
2440 		 */
2441 		if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2442 		    hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2443 			authreq |= SMP_AUTH_MITM;
2444 	}
2445 
2446 	if (hcon->role == HCI_ROLE_MASTER)
2447 		smp_send_pairing_req(smp, authreq);
2448 	else
2449 		smp_send_security_req(smp, authreq);
2450 
2451 	ret = 0;
2452 
2453 unlock:
2454 	l2cap_chan_unlock(chan);
2455 	return ret;
2456 }
2457 
2458 int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2459 				  u8 addr_type)
2460 {
2461 	struct hci_conn *hcon;
2462 	struct l2cap_conn *conn;
2463 	struct l2cap_chan *chan;
2464 	struct smp_chan *smp;
2465 	int err;
2466 
2467 	err = hci_remove_ltk(hdev, bdaddr, addr_type);
2468 	hci_remove_irk(hdev, bdaddr, addr_type);
2469 
2470 	hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2471 	if (!hcon)
2472 		goto done;
2473 
2474 	conn = hcon->l2cap_data;
2475 	if (!conn)
2476 		goto done;
2477 
2478 	chan = conn->smp;
2479 	if (!chan)
2480 		goto done;
2481 
2482 	l2cap_chan_lock(chan);
2483 
2484 	smp = chan->data;
2485 	if (smp) {
2486 		/* Set keys to NULL to make sure smp_failure() does not try to
2487 		 * remove and free already invalidated rcu list entries. */
2488 		smp->ltk = NULL;
2489 		smp->responder_ltk = NULL;
2490 		smp->remote_irk = NULL;
2491 
2492 		if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2493 			smp_failure(conn, 0);
2494 		else
2495 			smp_failure(conn, SMP_UNSPECIFIED);
2496 		err = 0;
2497 	}
2498 
2499 	l2cap_chan_unlock(chan);
2500 
2501 done:
2502 	return err;
2503 }
2504 
2505 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2506 {
2507 	struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2508 	struct l2cap_chan *chan = conn->smp;
2509 	struct smp_chan *smp = chan->data;
2510 
2511 	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
2512 
2513 	if (skb->len < sizeof(*rp))
2514 		return SMP_INVALID_PARAMS;
2515 
2516 	/* Pairing is aborted if any blocked keys are distributed */
2517 	if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_LTK,
2518 			       rp->ltk)) {
2519 		bt_dev_warn_ratelimited(conn->hcon->hdev,
2520 					"LTK blocked for %pMR",
2521 					&conn->hcon->dst);
2522 		return SMP_INVALID_PARAMS;
2523 	}
2524 
2525 	SMP_ALLOW_CMD(smp, SMP_CMD_INITIATOR_IDENT);
2526 
2527 	skb_pull(skb, sizeof(*rp));
2528 
2529 	memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2530 
2531 	return 0;
2532 }
2533 
2534 static int smp_cmd_initiator_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2535 {
2536 	struct smp_cmd_initiator_ident *rp = (void *)skb->data;
2537 	struct l2cap_chan *chan = conn->smp;
2538 	struct smp_chan *smp = chan->data;
2539 	struct hci_dev *hdev = conn->hcon->hdev;
2540 	struct hci_conn *hcon = conn->hcon;
2541 	struct smp_ltk *ltk;
2542 	u8 authenticated;
2543 
2544 	bt_dev_dbg(hdev, "conn %p", conn);
2545 
2546 	if (skb->len < sizeof(*rp))
2547 		return SMP_INVALID_PARAMS;
2548 
2549 	/* Mark the information as received */
2550 	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2551 
2552 	if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2553 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2554 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
2555 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2556 
2557 	skb_pull(skb, sizeof(*rp));
2558 
2559 	authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2560 	ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2561 			  authenticated, smp->tk, smp->enc_key_size,
2562 			  rp->ediv, rp->rand);
2563 	smp->ltk = ltk;
2564 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2565 		smp_distribute_keys(smp);
2566 
2567 	return 0;
2568 }
2569 
2570 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2571 {
2572 	struct smp_cmd_ident_info *info = (void *) skb->data;
2573 	struct l2cap_chan *chan = conn->smp;
2574 	struct smp_chan *smp = chan->data;
2575 
2576 	bt_dev_dbg(conn->hcon->hdev, "");
2577 
2578 	if (skb->len < sizeof(*info))
2579 		return SMP_INVALID_PARAMS;
2580 
2581 	/* Pairing is aborted if any blocked keys are distributed */
2582 	if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_IRK,
2583 			       info->irk)) {
2584 		bt_dev_warn_ratelimited(conn->hcon->hdev,
2585 					"Identity key blocked for %pMR",
2586 					&conn->hcon->dst);
2587 		return SMP_INVALID_PARAMS;
2588 	}
2589 
2590 	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2591 
2592 	skb_pull(skb, sizeof(*info));
2593 
2594 	memcpy(smp->irk, info->irk, 16);
2595 
2596 	return 0;
2597 }
2598 
2599 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2600 				   struct sk_buff *skb)
2601 {
2602 	struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2603 	struct l2cap_chan *chan = conn->smp;
2604 	struct smp_chan *smp = chan->data;
2605 	struct hci_conn *hcon = conn->hcon;
2606 	bdaddr_t rpa;
2607 
2608 	bt_dev_dbg(hcon->hdev, "");
2609 
2610 	if (skb->len < sizeof(*info))
2611 		return SMP_INVALID_PARAMS;
2612 
2613 	/* Mark the information as received */
2614 	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2615 
2616 	if (smp->remote_key_dist & SMP_DIST_SIGN)
2617 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2618 
2619 	skb_pull(skb, sizeof(*info));
2620 
2621 	/* Strictly speaking the Core Specification (4.1) allows sending
2622 	 * an empty address which would force us to rely on just the IRK
2623 	 * as "identity information". However, since such
2624 	 * implementations are not known of and in order to not over
2625 	 * complicate our implementation, simply pretend that we never
2626 	 * received an IRK for such a device.
2627 	 *
2628 	 * The Identity Address must also be a Static Random or Public
2629 	 * Address, which hci_is_identity_address() checks for.
2630 	 */
2631 	if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2632 	    !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2633 		bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
2634 		goto distribute;
2635 	}
2636 
2637 	/* Drop IRK if peer is using identity address during pairing but is
2638 	 * providing different address as identity information.
2639 	 *
2640 	 * Microsoft Surface Precision Mouse is known to have this bug.
2641 	 */
2642 	if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
2643 	    (bacmp(&info->bdaddr, &hcon->dst) ||
2644 	     info->addr_type != hcon->dst_type)) {
2645 		bt_dev_err(hcon->hdev,
2646 			   "ignoring IRK with invalid identity address");
2647 		goto distribute;
2648 	}
2649 
2650 	bacpy(&smp->id_addr, &info->bdaddr);
2651 	smp->id_addr_type = info->addr_type;
2652 
2653 	if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2654 		bacpy(&rpa, &hcon->dst);
2655 	else
2656 		bacpy(&rpa, BDADDR_ANY);
2657 
2658 	smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2659 				      smp->id_addr_type, smp->irk, &rpa);
2660 
2661 distribute:
2662 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2663 		smp_distribute_keys(smp);
2664 
2665 	return 0;
2666 }
2667 
2668 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2669 {
2670 	struct smp_cmd_sign_info *rp = (void *) skb->data;
2671 	struct l2cap_chan *chan = conn->smp;
2672 	struct smp_chan *smp = chan->data;
2673 	struct smp_csrk *csrk;
2674 
2675 	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
2676 
2677 	if (skb->len < sizeof(*rp))
2678 		return SMP_INVALID_PARAMS;
2679 
2680 	/* Mark the information as received */
2681 	smp->remote_key_dist &= ~SMP_DIST_SIGN;
2682 
2683 	skb_pull(skb, sizeof(*rp));
2684 
2685 	csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2686 	if (csrk) {
2687 		if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2688 			csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2689 		else
2690 			csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2691 		memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2692 	}
2693 	smp->csrk = csrk;
2694 	smp_distribute_keys(smp);
2695 
2696 	return 0;
2697 }
2698 
2699 static u8 sc_select_method(struct smp_chan *smp)
2700 {
2701 	struct smp_cmd_pairing *local, *remote;
2702 	u8 local_mitm, remote_mitm, local_io, remote_io, method;
2703 
2704 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2705 	    test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2706 		return REQ_OOB;
2707 
2708 	/* The preq/prsp contain the raw Pairing Request/Response PDUs
2709 	 * which are needed as inputs to some crypto functions. To get
2710 	 * the "struct smp_cmd_pairing" from them we need to skip the
2711 	 * first byte which contains the opcode.
2712 	 */
2713 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2714 		local = (void *) &smp->preq[1];
2715 		remote = (void *) &smp->prsp[1];
2716 	} else {
2717 		local = (void *) &smp->prsp[1];
2718 		remote = (void *) &smp->preq[1];
2719 	}
2720 
2721 	local_io = local->io_capability;
2722 	remote_io = remote->io_capability;
2723 
2724 	local_mitm = (local->auth_req & SMP_AUTH_MITM);
2725 	remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2726 
2727 	/* If either side wants MITM, look up the method from the table,
2728 	 * otherwise use JUST WORKS.
2729 	 */
2730 	if (local_mitm || remote_mitm)
2731 		method = get_auth_method(smp, local_io, remote_io);
2732 	else
2733 		method = JUST_WORKS;
2734 
2735 	/* Don't confirm locally initiated pairing attempts */
2736 	if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2737 		method = JUST_WORKS;
2738 
2739 	return method;
2740 }
2741 
2742 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2743 {
2744 	struct smp_cmd_public_key *key = (void *) skb->data;
2745 	struct hci_conn *hcon = conn->hcon;
2746 	struct l2cap_chan *chan = conn->smp;
2747 	struct smp_chan *smp = chan->data;
2748 	struct hci_dev *hdev = hcon->hdev;
2749 	struct crypto_kpp *tfm_ecdh;
2750 	struct smp_cmd_pairing_confirm cfm;
2751 	int err;
2752 
2753 	bt_dev_dbg(hdev, "conn %p", conn);
2754 
2755 	if (skb->len < sizeof(*key))
2756 		return SMP_INVALID_PARAMS;
2757 
2758 	/* Check if remote and local public keys are the same and debug key is
2759 	 * not in use.
2760 	 */
2761 	if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) &&
2762 	    !crypto_memneq(key, smp->local_pk, 64)) {
2763 		bt_dev_err(hdev, "Remote and local public keys are identical");
2764 		return SMP_UNSPECIFIED;
2765 	}
2766 
2767 	memcpy(smp->remote_pk, key, 64);
2768 
2769 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2770 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2771 			     smp->rr, 0, cfm.confirm_val);
2772 		if (err)
2773 			return SMP_UNSPECIFIED;
2774 
2775 		if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2776 			return SMP_CONFIRM_FAILED;
2777 	}
2778 
2779 	/* Non-initiating device sends its public key after receiving
2780 	 * the key from the initiating device.
2781 	 */
2782 	if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2783 		err = sc_send_public_key(smp);
2784 		if (err)
2785 			return err;
2786 	}
2787 
2788 	SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2789 	SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2790 
2791 	/* Compute the shared secret on the same crypto tfm on which the private
2792 	 * key was set/generated.
2793 	 */
2794 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
2795 		struct l2cap_chan *hchan = hdev->smp_data;
2796 		struct smp_dev *smp_dev;
2797 
2798 		if (!hchan || !hchan->data)
2799 			return SMP_UNSPECIFIED;
2800 
2801 		smp_dev = hchan->data;
2802 
2803 		tfm_ecdh = smp_dev->tfm_ecdh;
2804 	} else {
2805 		tfm_ecdh = smp->tfm_ecdh;
2806 	}
2807 
2808 	if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
2809 		return SMP_UNSPECIFIED;
2810 
2811 	SMP_DBG("DHKey %32phN", smp->dhkey);
2812 
2813 	set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2814 
2815 	smp->method = sc_select_method(smp);
2816 
2817 	bt_dev_dbg(hdev, "selected method 0x%02x", smp->method);
2818 
2819 	/* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2820 	if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2821 		hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2822 	else
2823 		hcon->pending_sec_level = BT_SECURITY_FIPS;
2824 
2825 	if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2826 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2827 
2828 	if (smp->method == DSP_PASSKEY) {
2829 		get_random_bytes(&hcon->passkey_notify,
2830 				 sizeof(hcon->passkey_notify));
2831 		hcon->passkey_notify %= 1000000;
2832 		hcon->passkey_entered = 0;
2833 		smp->passkey_round = 0;
2834 		if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2835 					     hcon->dst_type,
2836 					     hcon->passkey_notify,
2837 					     hcon->passkey_entered))
2838 			return SMP_UNSPECIFIED;
2839 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2840 		return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2841 	}
2842 
2843 	if (smp->method == REQ_OOB) {
2844 		if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2845 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2846 				     sizeof(smp->prnd), smp->prnd);
2847 
2848 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2849 
2850 		return 0;
2851 	}
2852 
2853 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2854 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2855 
2856 	if (smp->method == REQ_PASSKEY) {
2857 		if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2858 					      hcon->dst_type))
2859 			return SMP_UNSPECIFIED;
2860 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2861 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2862 		return 0;
2863 	}
2864 
2865 	/* The Initiating device waits for the non-initiating device to
2866 	 * send the confirm value.
2867 	 */
2868 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2869 		return 0;
2870 
2871 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2872 		     0, cfm.confirm_val);
2873 	if (err)
2874 		return SMP_UNSPECIFIED;
2875 
2876 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2877 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2878 
2879 	return 0;
2880 }
2881 
2882 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2883 {
2884 	struct smp_cmd_dhkey_check *check = (void *) skb->data;
2885 	struct l2cap_chan *chan = conn->smp;
2886 	struct hci_conn *hcon = conn->hcon;
2887 	struct smp_chan *smp = chan->data;
2888 	u8 a[7], b[7], *local_addr, *remote_addr;
2889 	u8 io_cap[3], r[16], e[16];
2890 	int err;
2891 
2892 	bt_dev_dbg(hcon->hdev, "conn %p", conn);
2893 
2894 	if (skb->len < sizeof(*check))
2895 		return SMP_INVALID_PARAMS;
2896 
2897 	memcpy(a, &hcon->init_addr, 6);
2898 	memcpy(b, &hcon->resp_addr, 6);
2899 	a[6] = hcon->init_addr_type;
2900 	b[6] = hcon->resp_addr_type;
2901 
2902 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2903 		local_addr = a;
2904 		remote_addr = b;
2905 		memcpy(io_cap, &smp->prsp[1], 3);
2906 	} else {
2907 		local_addr = b;
2908 		remote_addr = a;
2909 		memcpy(io_cap, &smp->preq[1], 3);
2910 	}
2911 
2912 	memset(r, 0, sizeof(r));
2913 
2914 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2915 		put_unaligned_le32(hcon->passkey_notify, r);
2916 	else if (smp->method == REQ_OOB)
2917 		memcpy(r, smp->lr, 16);
2918 
2919 	err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2920 		     io_cap, remote_addr, local_addr, e);
2921 	if (err)
2922 		return SMP_UNSPECIFIED;
2923 
2924 	if (crypto_memneq(check->e, e, 16))
2925 		return SMP_DHKEY_CHECK_FAILED;
2926 
2927 	if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2928 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2929 			set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2930 			return 0;
2931 		}
2932 
2933 		/* Responder sends DHKey check as response to initiator */
2934 		sc_dhkey_check(smp);
2935 	}
2936 
2937 	sc_add_ltk(smp);
2938 
2939 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2940 		hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2941 		hcon->enc_key_size = smp->enc_key_size;
2942 	}
2943 
2944 	return 0;
2945 }
2946 
2947 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2948 				   struct sk_buff *skb)
2949 {
2950 	struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2951 
2952 	bt_dev_dbg(conn->hcon->hdev, "value 0x%02x", kp->value);
2953 
2954 	return 0;
2955 }
2956 
2957 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2958 {
2959 	struct l2cap_conn *conn = chan->conn;
2960 	struct hci_conn *hcon = conn->hcon;
2961 	struct smp_chan *smp;
2962 	__u8 code, reason;
2963 	int err = 0;
2964 
2965 	if (skb->len < 1)
2966 		return -EILSEQ;
2967 
2968 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2969 		reason = SMP_PAIRING_NOTSUPP;
2970 		goto done;
2971 	}
2972 
2973 	code = skb->data[0];
2974 	skb_pull(skb, sizeof(code));
2975 
2976 	smp = chan->data;
2977 
2978 	if (code > SMP_CMD_MAX)
2979 		goto drop;
2980 
2981 	if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2982 		goto drop;
2983 
2984 	/* If we don't have a context the only allowed commands are
2985 	 * pairing request and security request.
2986 	 */
2987 	if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2988 		goto drop;
2989 
2990 	switch (code) {
2991 	case SMP_CMD_PAIRING_REQ:
2992 		reason = smp_cmd_pairing_req(conn, skb);
2993 		break;
2994 
2995 	case SMP_CMD_PAIRING_FAIL:
2996 		smp_failure(conn, 0);
2997 		err = -EPERM;
2998 		break;
2999 
3000 	case SMP_CMD_PAIRING_RSP:
3001 		reason = smp_cmd_pairing_rsp(conn, skb);
3002 		break;
3003 
3004 	case SMP_CMD_SECURITY_REQ:
3005 		reason = smp_cmd_security_req(conn, skb);
3006 		break;
3007 
3008 	case SMP_CMD_PAIRING_CONFIRM:
3009 		reason = smp_cmd_pairing_confirm(conn, skb);
3010 		break;
3011 
3012 	case SMP_CMD_PAIRING_RANDOM:
3013 		reason = smp_cmd_pairing_random(conn, skb);
3014 		break;
3015 
3016 	case SMP_CMD_ENCRYPT_INFO:
3017 		reason = smp_cmd_encrypt_info(conn, skb);
3018 		break;
3019 
3020 	case SMP_CMD_INITIATOR_IDENT:
3021 		reason = smp_cmd_initiator_ident(conn, skb);
3022 		break;
3023 
3024 	case SMP_CMD_IDENT_INFO:
3025 		reason = smp_cmd_ident_info(conn, skb);
3026 		break;
3027 
3028 	case SMP_CMD_IDENT_ADDR_INFO:
3029 		reason = smp_cmd_ident_addr_info(conn, skb);
3030 		break;
3031 
3032 	case SMP_CMD_SIGN_INFO:
3033 		reason = smp_cmd_sign_info(conn, skb);
3034 		break;
3035 
3036 	case SMP_CMD_PUBLIC_KEY:
3037 		reason = smp_cmd_public_key(conn, skb);
3038 		break;
3039 
3040 	case SMP_CMD_DHKEY_CHECK:
3041 		reason = smp_cmd_dhkey_check(conn, skb);
3042 		break;
3043 
3044 	case SMP_CMD_KEYPRESS_NOTIFY:
3045 		reason = smp_cmd_keypress_notify(conn, skb);
3046 		break;
3047 
3048 	default:
3049 		bt_dev_dbg(hcon->hdev, "Unknown command code 0x%2.2x", code);
3050 		reason = SMP_CMD_NOTSUPP;
3051 		goto done;
3052 	}
3053 
3054 done:
3055 	if (!err) {
3056 		if (reason)
3057 			smp_failure(conn, reason);
3058 		kfree_skb(skb);
3059 	}
3060 
3061 	return err;
3062 
3063 drop:
3064 	bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
3065 		   code, &hcon->dst);
3066 	kfree_skb(skb);
3067 	return 0;
3068 }
3069 
3070 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
3071 {
3072 	struct l2cap_conn *conn = chan->conn;
3073 
3074 	bt_dev_dbg(conn->hcon->hdev, "chan %p", chan);
3075 
3076 	if (chan->data)
3077 		smp_chan_destroy(conn);
3078 
3079 	conn->smp = NULL;
3080 	l2cap_chan_put(chan);
3081 }
3082 
3083 static void bredr_pairing(struct l2cap_chan *chan)
3084 {
3085 	struct l2cap_conn *conn = chan->conn;
3086 	struct hci_conn *hcon = conn->hcon;
3087 	struct hci_dev *hdev = hcon->hdev;
3088 	struct smp_chan *smp;
3089 
3090 	bt_dev_dbg(hdev, "chan %p", chan);
3091 
3092 	/* Only new pairings are interesting */
3093 	if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
3094 		return;
3095 
3096 	/* Don't bother if we're not encrypted */
3097 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3098 		return;
3099 
3100 	/* Only initiator may initiate SMP over BR/EDR */
3101 	if (hcon->role != HCI_ROLE_MASTER)
3102 		return;
3103 
3104 	/* Secure Connections support must be enabled */
3105 	if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
3106 		return;
3107 
3108 	/* BR/EDR must use Secure Connections for SMP */
3109 	if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
3110 	    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3111 		return;
3112 
3113 	/* If our LE support is not enabled don't do anything */
3114 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3115 		return;
3116 
3117 	/* Don't bother if remote LE support is not enabled */
3118 	if (!lmp_host_le_capable(hcon))
3119 		return;
3120 
3121 	/* Remote must support SMP fixed chan for BR/EDR */
3122 	if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3123 		return;
3124 
3125 	/* Don't bother if SMP is already ongoing */
3126 	if (chan->data)
3127 		return;
3128 
3129 	smp = smp_chan_create(conn);
3130 	if (!smp) {
3131 		bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
3132 		return;
3133 	}
3134 
3135 	set_bit(SMP_FLAG_SC, &smp->flags);
3136 
3137 	bt_dev_dbg(hdev, "starting SMP over BR/EDR");
3138 
3139 	smp_send_pairing_req(smp, 0x00);
3140 }
3141 
3142 static void smp_resume_cb(struct l2cap_chan *chan)
3143 {
3144 	struct smp_chan *smp = chan->data;
3145 	struct l2cap_conn *conn = chan->conn;
3146 	struct hci_conn *hcon = conn->hcon;
3147 
3148 	bt_dev_dbg(hcon->hdev, "chan %p", chan);
3149 
3150 	if (hcon->type == ACL_LINK) {
3151 		bredr_pairing(chan);
3152 		return;
3153 	}
3154 
3155 	if (!smp)
3156 		return;
3157 
3158 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3159 		return;
3160 
3161 	cancel_delayed_work(&smp->security_timer);
3162 
3163 	smp_distribute_keys(smp);
3164 }
3165 
3166 static void smp_ready_cb(struct l2cap_chan *chan)
3167 {
3168 	struct l2cap_conn *conn = chan->conn;
3169 	struct hci_conn *hcon = conn->hcon;
3170 
3171 	bt_dev_dbg(hcon->hdev, "chan %p", chan);
3172 
3173 	/* No need to call l2cap_chan_hold() here since we already own
3174 	 * the reference taken in smp_new_conn_cb(). This is just the
3175 	 * first time that we tie it to a specific pointer. The code in
3176 	 * l2cap_core.c ensures that there's no risk this function wont
3177 	 * get called if smp_new_conn_cb was previously called.
3178 	 */
3179 	conn->smp = chan;
3180 
3181 	if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3182 		bredr_pairing(chan);
3183 }
3184 
3185 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3186 {
3187 	int err;
3188 
3189 	bt_dev_dbg(chan->conn->hcon->hdev, "chan %p", chan);
3190 
3191 	err = smp_sig_channel(chan, skb);
3192 	if (err) {
3193 		struct smp_chan *smp = chan->data;
3194 
3195 		if (smp)
3196 			cancel_delayed_work_sync(&smp->security_timer);
3197 
3198 		hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3199 	}
3200 
3201 	return err;
3202 }
3203 
3204 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3205 					unsigned long hdr_len,
3206 					unsigned long len, int nb)
3207 {
3208 	struct sk_buff *skb;
3209 
3210 	skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3211 	if (!skb)
3212 		return ERR_PTR(-ENOMEM);
3213 
3214 	skb->priority = HCI_PRIO_MAX;
3215 	bt_cb(skb)->l2cap.chan = chan;
3216 
3217 	return skb;
3218 }
3219 
3220 static const struct l2cap_ops smp_chan_ops = {
3221 	.name			= "Security Manager",
3222 	.ready			= smp_ready_cb,
3223 	.recv			= smp_recv_cb,
3224 	.alloc_skb		= smp_alloc_skb_cb,
3225 	.teardown		= smp_teardown_cb,
3226 	.resume			= smp_resume_cb,
3227 
3228 	.new_connection		= l2cap_chan_no_new_connection,
3229 	.state_change		= l2cap_chan_no_state_change,
3230 	.close			= l2cap_chan_no_close,
3231 	.defer			= l2cap_chan_no_defer,
3232 	.suspend		= l2cap_chan_no_suspend,
3233 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3234 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3235 };
3236 
3237 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3238 {
3239 	struct l2cap_chan *chan;
3240 
3241 	BT_DBG("pchan %p", pchan);
3242 
3243 	chan = l2cap_chan_create();
3244 	if (!chan)
3245 		return NULL;
3246 
3247 	chan->chan_type	= pchan->chan_type;
3248 	chan->ops	= &smp_chan_ops;
3249 	chan->scid	= pchan->scid;
3250 	chan->dcid	= chan->scid;
3251 	chan->imtu	= pchan->imtu;
3252 	chan->omtu	= pchan->omtu;
3253 	chan->mode	= pchan->mode;
3254 
3255 	/* Other L2CAP channels may request SMP routines in order to
3256 	 * change the security level. This means that the SMP channel
3257 	 * lock must be considered in its own category to avoid lockdep
3258 	 * warnings.
3259 	 */
3260 	atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3261 
3262 	BT_DBG("created chan %p", chan);
3263 
3264 	return chan;
3265 }
3266 
3267 static const struct l2cap_ops smp_root_chan_ops = {
3268 	.name			= "Security Manager Root",
3269 	.new_connection		= smp_new_conn_cb,
3270 
3271 	/* None of these are implemented for the root channel */
3272 	.close			= l2cap_chan_no_close,
3273 	.alloc_skb		= l2cap_chan_no_alloc_skb,
3274 	.recv			= l2cap_chan_no_recv,
3275 	.state_change		= l2cap_chan_no_state_change,
3276 	.teardown		= l2cap_chan_no_teardown,
3277 	.ready			= l2cap_chan_no_ready,
3278 	.defer			= l2cap_chan_no_defer,
3279 	.suspend		= l2cap_chan_no_suspend,
3280 	.resume			= l2cap_chan_no_resume,
3281 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3282 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3283 };
3284 
3285 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3286 {
3287 	struct l2cap_chan *chan;
3288 	struct smp_dev *smp;
3289 	struct crypto_shash *tfm_cmac;
3290 	struct crypto_kpp *tfm_ecdh;
3291 
3292 	if (cid == L2CAP_CID_SMP_BREDR) {
3293 		smp = NULL;
3294 		goto create_chan;
3295 	}
3296 
3297 	smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3298 	if (!smp)
3299 		return ERR_PTR(-ENOMEM);
3300 
3301 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3302 	if (IS_ERR(tfm_cmac)) {
3303 		bt_dev_err(hdev, "Unable to create CMAC crypto context");
3304 		kfree_sensitive(smp);
3305 		return ERR_CAST(tfm_cmac);
3306 	}
3307 
3308 	tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
3309 	if (IS_ERR(tfm_ecdh)) {
3310 		bt_dev_err(hdev, "Unable to create ECDH crypto context");
3311 		crypto_free_shash(tfm_cmac);
3312 		kfree_sensitive(smp);
3313 		return ERR_CAST(tfm_ecdh);
3314 	}
3315 
3316 	smp->local_oob = false;
3317 	smp->tfm_cmac = tfm_cmac;
3318 	smp->tfm_ecdh = tfm_ecdh;
3319 
3320 create_chan:
3321 	chan = l2cap_chan_create();
3322 	if (!chan) {
3323 		if (smp) {
3324 			crypto_free_shash(smp->tfm_cmac);
3325 			crypto_free_kpp(smp->tfm_ecdh);
3326 			kfree_sensitive(smp);
3327 		}
3328 		return ERR_PTR(-ENOMEM);
3329 	}
3330 
3331 	chan->data = smp;
3332 
3333 	l2cap_add_scid(chan, cid);
3334 
3335 	l2cap_chan_set_defaults(chan);
3336 
3337 	if (cid == L2CAP_CID_SMP) {
3338 		u8 bdaddr_type;
3339 
3340 		hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3341 
3342 		if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3343 			chan->src_type = BDADDR_LE_PUBLIC;
3344 		else
3345 			chan->src_type = BDADDR_LE_RANDOM;
3346 	} else {
3347 		bacpy(&chan->src, &hdev->bdaddr);
3348 		chan->src_type = BDADDR_BREDR;
3349 	}
3350 
3351 	chan->state = BT_LISTEN;
3352 	chan->mode = L2CAP_MODE_BASIC;
3353 	chan->imtu = L2CAP_DEFAULT_MTU;
3354 	chan->ops = &smp_root_chan_ops;
3355 
3356 	/* Set correct nesting level for a parent/listening channel */
3357 	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3358 
3359 	return chan;
3360 }
3361 
3362 static void smp_del_chan(struct l2cap_chan *chan)
3363 {
3364 	struct smp_dev *smp;
3365 
3366 	BT_DBG("chan %p", chan);
3367 
3368 	smp = chan->data;
3369 	if (smp) {
3370 		chan->data = NULL;
3371 		crypto_free_shash(smp->tfm_cmac);
3372 		crypto_free_kpp(smp->tfm_ecdh);
3373 		kfree_sensitive(smp);
3374 	}
3375 
3376 	l2cap_chan_put(chan);
3377 }
3378 
3379 int smp_force_bredr(struct hci_dev *hdev, bool enable)
3380 {
3381 	if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3382 		return -EALREADY;
3383 
3384 	if (enable) {
3385 		struct l2cap_chan *chan;
3386 
3387 		chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3388 		if (IS_ERR(chan))
3389 			return PTR_ERR(chan);
3390 
3391 		hdev->smp_bredr_data = chan;
3392 	} else {
3393 		struct l2cap_chan *chan;
3394 
3395 		chan = hdev->smp_bredr_data;
3396 		hdev->smp_bredr_data = NULL;
3397 		smp_del_chan(chan);
3398 	}
3399 
3400 	hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3401 
3402 	return 0;
3403 }
3404 
3405 int smp_register(struct hci_dev *hdev)
3406 {
3407 	struct l2cap_chan *chan;
3408 
3409 	bt_dev_dbg(hdev, "");
3410 
3411 	/* If the controller does not support Low Energy operation, then
3412 	 * there is also no need to register any SMP channel.
3413 	 */
3414 	if (!lmp_le_capable(hdev))
3415 		return 0;
3416 
3417 	if (WARN_ON(hdev->smp_data)) {
3418 		chan = hdev->smp_data;
3419 		hdev->smp_data = NULL;
3420 		smp_del_chan(chan);
3421 	}
3422 
3423 	chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3424 	if (IS_ERR(chan))
3425 		return PTR_ERR(chan);
3426 
3427 	hdev->smp_data = chan;
3428 
3429 	if (!lmp_sc_capable(hdev)) {
3430 		/* Flag can be already set here (due to power toggle) */
3431 		if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3432 			return 0;
3433 	}
3434 
3435 	if (WARN_ON(hdev->smp_bredr_data)) {
3436 		chan = hdev->smp_bredr_data;
3437 		hdev->smp_bredr_data = NULL;
3438 		smp_del_chan(chan);
3439 	}
3440 
3441 	chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3442 	if (IS_ERR(chan)) {
3443 		int err = PTR_ERR(chan);
3444 		chan = hdev->smp_data;
3445 		hdev->smp_data = NULL;
3446 		smp_del_chan(chan);
3447 		return err;
3448 	}
3449 
3450 	hdev->smp_bredr_data = chan;
3451 
3452 	return 0;
3453 }
3454 
3455 void smp_unregister(struct hci_dev *hdev)
3456 {
3457 	struct l2cap_chan *chan;
3458 
3459 	if (hdev->smp_bredr_data) {
3460 		chan = hdev->smp_bredr_data;
3461 		hdev->smp_bredr_data = NULL;
3462 		smp_del_chan(chan);
3463 	}
3464 
3465 	if (hdev->smp_data) {
3466 		chan = hdev->smp_data;
3467 		hdev->smp_data = NULL;
3468 		smp_del_chan(chan);
3469 	}
3470 }
3471 
3472 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3473 
3474 static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
3475 {
3476 	u8 pk[64];
3477 	int err;
3478 
3479 	err = set_ecdh_privkey(tfm_ecdh, debug_sk);
3480 	if (err)
3481 		return err;
3482 
3483 	err = generate_ecdh_public_key(tfm_ecdh, pk);
3484 	if (err)
3485 		return err;
3486 
3487 	if (crypto_memneq(pk, debug_pk, 64))
3488 		return -EINVAL;
3489 
3490 	return 0;
3491 }
3492 
3493 static int __init test_ah(void)
3494 {
3495 	const u8 irk[16] = {
3496 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3497 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3498 	const u8 r[3] = { 0x94, 0x81, 0x70 };
3499 	const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3500 	u8 res[3];
3501 	int err;
3502 
3503 	err = smp_ah(irk, r, res);
3504 	if (err)
3505 		return err;
3506 
3507 	if (crypto_memneq(res, exp, 3))
3508 		return -EINVAL;
3509 
3510 	return 0;
3511 }
3512 
3513 static int __init test_c1(void)
3514 {
3515 	const u8 k[16] = {
3516 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3517 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3518 	const u8 r[16] = {
3519 			0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3520 			0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3521 	const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3522 	const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3523 	const u8 _iat = 0x01;
3524 	const u8 _rat = 0x00;
3525 	const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3526 	const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3527 	const u8 exp[16] = {
3528 			0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3529 			0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3530 	u8 res[16];
3531 	int err;
3532 
3533 	err = smp_c1(k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3534 	if (err)
3535 		return err;
3536 
3537 	if (crypto_memneq(res, exp, 16))
3538 		return -EINVAL;
3539 
3540 	return 0;
3541 }
3542 
3543 static int __init test_s1(void)
3544 {
3545 	const u8 k[16] = {
3546 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3547 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3548 	const u8 r1[16] = {
3549 			0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3550 	const u8 r2[16] = {
3551 			0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3552 	const u8 exp[16] = {
3553 			0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3554 			0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3555 	u8 res[16];
3556 	int err;
3557 
3558 	err = smp_s1(k, r1, r2, res);
3559 	if (err)
3560 		return err;
3561 
3562 	if (crypto_memneq(res, exp, 16))
3563 		return -EINVAL;
3564 
3565 	return 0;
3566 }
3567 
3568 static int __init test_f4(struct crypto_shash *tfm_cmac)
3569 {
3570 	const u8 u[32] = {
3571 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3572 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3573 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3574 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3575 	const u8 v[32] = {
3576 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3577 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3578 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3579 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3580 	const u8 x[16] = {
3581 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3582 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3583 	const u8 z = 0x00;
3584 	const u8 exp[16] = {
3585 			0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3586 			0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3587 	u8 res[16];
3588 	int err;
3589 
3590 	err = smp_f4(tfm_cmac, u, v, x, z, res);
3591 	if (err)
3592 		return err;
3593 
3594 	if (crypto_memneq(res, exp, 16))
3595 		return -EINVAL;
3596 
3597 	return 0;
3598 }
3599 
3600 static int __init test_f5(struct crypto_shash *tfm_cmac)
3601 {
3602 	const u8 w[32] = {
3603 			0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3604 			0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3605 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3606 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3607 	const u8 n1[16] = {
3608 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3609 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3610 	const u8 n2[16] = {
3611 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3612 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3613 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3614 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3615 	const u8 exp_ltk[16] = {
3616 			0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3617 			0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3618 	const u8 exp_mackey[16] = {
3619 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3620 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3621 	u8 mackey[16], ltk[16];
3622 	int err;
3623 
3624 	err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3625 	if (err)
3626 		return err;
3627 
3628 	if (crypto_memneq(mackey, exp_mackey, 16))
3629 		return -EINVAL;
3630 
3631 	if (crypto_memneq(ltk, exp_ltk, 16))
3632 		return -EINVAL;
3633 
3634 	return 0;
3635 }
3636 
3637 static int __init test_f6(struct crypto_shash *tfm_cmac)
3638 {
3639 	const u8 w[16] = {
3640 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3641 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3642 	const u8 n1[16] = {
3643 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3644 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3645 	const u8 n2[16] = {
3646 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3647 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3648 	const u8 r[16] = {
3649 			0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3650 			0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3651 	const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3652 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3653 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3654 	const u8 exp[16] = {
3655 			0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3656 			0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3657 	u8 res[16];
3658 	int err;
3659 
3660 	err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3661 	if (err)
3662 		return err;
3663 
3664 	if (crypto_memneq(res, exp, 16))
3665 		return -EINVAL;
3666 
3667 	return 0;
3668 }
3669 
3670 static int __init test_g2(struct crypto_shash *tfm_cmac)
3671 {
3672 	const u8 u[32] = {
3673 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3674 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3675 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3676 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3677 	const u8 v[32] = {
3678 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3679 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3680 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3681 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3682 	const u8 x[16] = {
3683 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3684 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3685 	const u8 y[16] = {
3686 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3687 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3688 	const u32 exp_val = 0x2f9ed5ba % 1000000;
3689 	u32 val;
3690 	int err;
3691 
3692 	err = smp_g2(tfm_cmac, u, v, x, y, &val);
3693 	if (err)
3694 		return err;
3695 
3696 	if (val != exp_val)
3697 		return -EINVAL;
3698 
3699 	return 0;
3700 }
3701 
3702 static int __init test_h6(struct crypto_shash *tfm_cmac)
3703 {
3704 	const u8 w[16] = {
3705 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3706 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3707 	const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3708 	const u8 exp[16] = {
3709 			0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3710 			0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3711 	u8 res[16];
3712 	int err;
3713 
3714 	err = smp_h6(tfm_cmac, w, key_id, res);
3715 	if (err)
3716 		return err;
3717 
3718 	if (crypto_memneq(res, exp, 16))
3719 		return -EINVAL;
3720 
3721 	return 0;
3722 }
3723 
3724 static char test_smp_buffer[32];
3725 
3726 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3727 			     size_t count, loff_t *ppos)
3728 {
3729 	return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3730 				       strlen(test_smp_buffer));
3731 }
3732 
3733 static const struct file_operations test_smp_fops = {
3734 	.open		= simple_open,
3735 	.read		= test_smp_read,
3736 	.llseek		= default_llseek,
3737 };
3738 
3739 static int __init run_selftests(struct crypto_shash *tfm_cmac,
3740 				struct crypto_kpp *tfm_ecdh)
3741 {
3742 	ktime_t calltime, delta, rettime;
3743 	unsigned long long duration;
3744 	int err;
3745 
3746 	calltime = ktime_get();
3747 
3748 	err = test_debug_key(tfm_ecdh);
3749 	if (err) {
3750 		BT_ERR("debug_key test failed");
3751 		goto done;
3752 	}
3753 
3754 	err = test_ah();
3755 	if (err) {
3756 		BT_ERR("smp_ah test failed");
3757 		goto done;
3758 	}
3759 
3760 	err = test_c1();
3761 	if (err) {
3762 		BT_ERR("smp_c1 test failed");
3763 		goto done;
3764 	}
3765 
3766 	err = test_s1();
3767 	if (err) {
3768 		BT_ERR("smp_s1 test failed");
3769 		goto done;
3770 	}
3771 
3772 	err = test_f4(tfm_cmac);
3773 	if (err) {
3774 		BT_ERR("smp_f4 test failed");
3775 		goto done;
3776 	}
3777 
3778 	err = test_f5(tfm_cmac);
3779 	if (err) {
3780 		BT_ERR("smp_f5 test failed");
3781 		goto done;
3782 	}
3783 
3784 	err = test_f6(tfm_cmac);
3785 	if (err) {
3786 		BT_ERR("smp_f6 test failed");
3787 		goto done;
3788 	}
3789 
3790 	err = test_g2(tfm_cmac);
3791 	if (err) {
3792 		BT_ERR("smp_g2 test failed");
3793 		goto done;
3794 	}
3795 
3796 	err = test_h6(tfm_cmac);
3797 	if (err) {
3798 		BT_ERR("smp_h6 test failed");
3799 		goto done;
3800 	}
3801 
3802 	rettime = ktime_get();
3803 	delta = ktime_sub(rettime, calltime);
3804 	duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3805 
3806 	BT_INFO("SMP test passed in %llu usecs", duration);
3807 
3808 done:
3809 	if (!err)
3810 		snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3811 			 "PASS (%llu usecs)\n", duration);
3812 	else
3813 		snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3814 
3815 	debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3816 			    &test_smp_fops);
3817 
3818 	return err;
3819 }
3820 
3821 int __init bt_selftest_smp(void)
3822 {
3823 	struct crypto_shash *tfm_cmac;
3824 	struct crypto_kpp *tfm_ecdh;
3825 	int err;
3826 
3827 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3828 	if (IS_ERR(tfm_cmac)) {
3829 		BT_ERR("Unable to create CMAC crypto context");
3830 		return PTR_ERR(tfm_cmac);
3831 	}
3832 
3833 	tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
3834 	if (IS_ERR(tfm_ecdh)) {
3835 		BT_ERR("Unable to create ECDH crypto context");
3836 		crypto_free_shash(tfm_cmac);
3837 		return PTR_ERR(tfm_ecdh);
3838 	}
3839 
3840 	err = run_selftests(tfm_cmac, tfm_ecdh);
3841 
3842 	crypto_free_shash(tfm_cmac);
3843 	crypto_free_kpp(tfm_ecdh);
3844 
3845 	return err;
3846 }
3847 
3848 #endif
3849