1	/*
2	BlueZ - Bluetooth protocol stack for Linux
3	Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4
5	This program is free software; you can redistribute it and/or modify
6	it under the terms of the GNU General Public License version 2 as
7	published by the Free Software Foundation;
8
9	THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10	OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11	FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12	IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13	CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14	WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15	ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16	OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
18	ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19	COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20	SOFTWARE IS DISCLAIMED.
21	*/
22
23	#include <linux/debugfs.h>
24	#include <linux/scatterlist.h>
25	#include <crypto/aes.h>
26	#include <crypto/hash.h>
27	#include <crypto/kpp.h>
28	#include <crypto/utils.h>
29
30	#include <net/bluetooth/bluetooth.h>
31	#include <net/bluetooth/hci_core.h>
32	#include <net/bluetooth/l2cap.h>
33	#include <net/bluetooth/mgmt.h>
34
35	#include "ecdh_helper.h"
36	#include "smp.h"
37
38	#define SMP_DEV(hdev) \
39	((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
40
41	/* Low-level debug macros to be used for stuff that we don't want
42	* accidentally in dmesg, i.e. the values of the various crypto keys
43	* and the inputs & outputs of crypto functions.
44	*/
45	#ifdef DEBUG
46	#define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
47	##__VA_ARGS__)
48	#else
49	#define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
50	##__VA_ARGS__)
51	#endif
52
53	#define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
54
55	/* Keys which are not distributed with Secure Connections */
56	#define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY)
57
58	#define SMP_TIMEOUT msecs_to_jiffies(30000)
59
60	#define ID_ADDR_TIMEOUT msecs_to_jiffies(200)
61
62	#define AUTH_REQ_MASK(dev) (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
63	0x3f : 0x07)
64	#define KEY_DIST_MASK 0x07
65
66	/* Maximum message length that can be passed to aes_cmac */
67	#define CMAC_MSG_MAX 80
68
69	enum {
70	SMP_FLAG_TK_VALID,
71	SMP_FLAG_CFM_PENDING,
72	SMP_FLAG_MITM_AUTH,
73	SMP_FLAG_COMPLETE,
74	SMP_FLAG_INITIATOR,
75	SMP_FLAG_SC,
76	SMP_FLAG_REMOTE_PK,
77	SMP_FLAG_DEBUG_KEY,
78	SMP_FLAG_WAIT_USER,
79	SMP_FLAG_DHKEY_PENDING,
80	SMP_FLAG_REMOTE_OOB,
81	SMP_FLAG_LOCAL_OOB,
82	SMP_FLAG_CT2,
83	};
84
85	struct smp_dev {
86	/* Secure Connections OOB data */
87	bool local_oob;
88	u8 local_pk[64];
89	u8 local_rand[16];
90	bool debug_key;
91
92	struct crypto_shash *tfm_cmac;
93	struct crypto_kpp *tfm_ecdh;
94	};
95
96	struct smp_chan {
97	struct l2cap_conn *conn;
98	struct delayed_work security_timer;
99	unsigned long allow_cmd; /* Bitmask of allowed commands */
100
101	u8 preq[7]; /* SMP Pairing Request */
102	u8 prsp[7]; /* SMP Pairing Response */
103	u8 prnd[16]; /* SMP Pairing Random (local) */
104	u8 rrnd[16]; /* SMP Pairing Random (remote) */
105	u8 pcnf[16]; /* SMP Pairing Confirm */
106	u8 tk[16]; /* SMP Temporary Key */
107	u8 rr[16]; /* Remote OOB ra/rb value */
108	u8 lr[16]; /* Local OOB ra/rb value */
109	u8 enc_key_size;
110	u8 remote_key_dist;
111	bdaddr_t id_addr;
112	u8 id_addr_type;
113	u8 irk[16];
114	struct smp_csrk *csrk;
115	struct smp_csrk *responder_csrk;
116	struct smp_ltk *ltk;
117	struct smp_ltk *responder_ltk;
118	struct smp_irk *remote_irk;
119	u8 *link_key;
120	unsigned long flags;
121	u8 method;
122	u8 passkey_round;
123
124	/* Secure Connections variables */
125	u8 local_pk[64];
126	u8 remote_pk[64];
127	u8 dhkey[32];
128	u8 mackey[16];
129
130	struct crypto_shash *tfm_cmac;
131	struct crypto_kpp *tfm_ecdh;
132	};
133
134	/* These debug key values are defined in the SMP section of the core
135	* specification. debug_pk is the public debug key and debug_sk the
136	* private debug key.
137	*/
138	static const u8 debug_pk[64] = {
139	0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
140	0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
141	0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
142	0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
143
144	0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
145	0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
146	0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
147	0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
148	};
149
150	static const u8 debug_sk[32] = {
151	0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
152	0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
153	0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
154	0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
155	};
156
157	static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
158	{
159	size_t i;
160
161	for (i = 0; i < len; i++)
162	dst[len - 1 - i] = src[i];
163	}
164
165	/* The following functions map to the LE SC SMP crypto functions
166	* AES-CMAC, f4, f5, f6, g2 and h6.
167	*/
168
169	static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
170	size_t len, u8 mac[16])
171	{
172	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
173	int err;
174
175	if (len > CMAC_MSG_MAX)
176	return -EFBIG;
177
178	if (!tfm) {
179	BT_ERR("tfm %p", tfm);
180	return -EINVAL;
181	}
182
183	/* Swap key and message from LSB to MSB */
184	swap_buf(src: k, dst: tmp, len: 16);
185	swap_buf(src: m, dst: msg_msb, len);
186
187	SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
188	SMP_DBG("key %16phN", k);
189
190	err = crypto_shash_setkey(tfm, key: tmp, keylen: 16);
191	if (err) {
192	BT_ERR("cipher setkey failed: %d", err);
193	return err;
194	}
195
196	err = crypto_shash_tfm_digest(tfm, data: msg_msb, len, out: mac_msb);
197	if (err) {
198	BT_ERR("Hash computation error %d", err);
199	return err;
200	}
201
202	swap_buf(src: mac_msb, dst: mac, len: 16);
203
204	SMP_DBG("mac %16phN", mac);
205
206	return 0;
207	}
208
209	static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
210	const u8 v[32], const u8 x[16], u8 z, u8 res[16])
211	{
212	u8 m[65];
213	int err;
214
215	SMP_DBG("u %32phN", u);
216	SMP_DBG("v %32phN", v);
217	SMP_DBG("x %16phN z %02x", x, z);
218
219	m[0] = z;
220	memcpy(m + 1, v, 32);
221	memcpy(m + 33, u, 32);
222
223	err = aes_cmac(tfm: tfm_cmac, k: x, m, len: sizeof(m), mac: res);
224	if (err)
225	return err;
226
227	SMP_DBG("res %16phN", res);
228
229	return err;
230	}
231
232	static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
233	const u8 n1[16], const u8 n2[16], const u8 a1[7],
234	const u8 a2[7], u8 mackey[16], u8 ltk[16])
235	{
236	/* The btle, salt and length "magic" values are as defined in
237	* the SMP section of the Bluetooth core specification. In ASCII
238	* the btle value ends up being 'btle'. The salt is just a
239	* random number whereas length is the value 256 in little
240	* endian format.
241	*/
242	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
243	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
244	0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
245	const u8 length[2] = { 0x00, 0x01 };
246	u8 m[53], t[16];
247	int err;
248
249	SMP_DBG("w %32phN", w);
250	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
251	SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
252
253	err = aes_cmac(tfm: tfm_cmac, k: salt, m: w, len: 32, mac: t);
254	if (err)
255	return err;
256
257	SMP_DBG("t %16phN", t);
258
259	memcpy(m, length, 2);
260	memcpy(m + 2, a2, 7);
261	memcpy(m + 9, a1, 7);
262	memcpy(m + 16, n2, 16);
263	memcpy(m + 32, n1, 16);
264	memcpy(m + 48, btle, 4);
265
266	m[52] = 0; /* Counter */
267
268	err = aes_cmac(tfm: tfm_cmac, k: t, m, len: sizeof(m), mac: mackey);
269	if (err)
270	return err;
271
272	SMP_DBG("mackey %16phN", mackey);
273
274	m[52] = 1; /* Counter */
275
276	err = aes_cmac(tfm: tfm_cmac, k: t, m, len: sizeof(m), mac: ltk);
277	if (err)
278	return err;
279
280	SMP_DBG("ltk %16phN", ltk);
281
282	return 0;
283	}
284
285	static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
286	const u8 n1[16], const u8 n2[16], const u8 r[16],
287	const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
288	u8 res[16])
289	{
290	u8 m[65];
291	int err;
292
293	SMP_DBG("w %16phN", w);
294	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
295	SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
296
297	memcpy(m, a2, 7);
298	memcpy(m + 7, a1, 7);
299	memcpy(m + 14, io_cap, 3);
300	memcpy(m + 17, r, 16);
301	memcpy(m + 33, n2, 16);
302	memcpy(m + 49, n1, 16);
303
304	err = aes_cmac(tfm: tfm_cmac, k: w, m, len: sizeof(m), mac: res);
305	if (err)
306	return err;
307
308	SMP_DBG("res %16phN", res);
309
310	return err;
311	}
312
313	static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
314	const u8 x[16], const u8 y[16], u32 *val)
315	{
316	u8 m[80], tmp[16];
317	int err;
318
319	SMP_DBG("u %32phN", u);
320	SMP_DBG("v %32phN", v);
321	SMP_DBG("x %16phN y %16phN", x, y);
322
323	memcpy(m, y, 16);
324	memcpy(m + 16, v, 32);
325	memcpy(m + 48, u, 32);
326
327	err = aes_cmac(tfm: tfm_cmac, k: x, m, len: sizeof(m), mac: tmp);
328	if (err)
329	return err;
330
331	*val = get_unaligned_le32(p: tmp);
332	*val %= 1000000;
333
334	SMP_DBG("val %06u", *val);
335
336	return 0;
337	}
338
339	static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
340	const u8 key_id[4], u8 res[16])
341	{
342	int err;
343
344	SMP_DBG("w %16phN key_id %4phN", w, key_id);
345
346	err = aes_cmac(tfm: tfm_cmac, k: w, m: key_id, len: 4, mac: res);
347	if (err)
348	return err;
349
350	SMP_DBG("res %16phN", res);
351
352	return err;
353	}
354
355	static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
356	const u8 salt[16], u8 res[16])
357	{
358	int err;
359
360	SMP_DBG("w %16phN salt %16phN", w, salt);
361
362	err = aes_cmac(tfm: tfm_cmac, k: salt, m: w, len: 16, mac: res);
363	if (err)
364	return err;
365
366	SMP_DBG("res %16phN", res);
367
368	return err;
369	}
370
371	/* The following functions map to the legacy SMP crypto functions e, c1,
372	* s1 and ah.
373	*/
374
375	static int smp_e(const u8 *k, u8 *r)
376	{
377	struct crypto_aes_ctx ctx;
378	uint8_t tmp[16], data[16];
379	int err;
380
381	SMP_DBG("k %16phN r %16phN", k, r);
382
383	/* The most significant octet of key corresponds to k[0] */
384	swap_buf(src: k, dst: tmp, len: 16);
385
386	err = aes_expandkey(ctx: &ctx, in_key: tmp, key_len: 16);
387	if (err) {
388	BT_ERR("cipher setkey failed: %d", err);
389	return err;
390	}
391
392	/* Most significant octet of plaintextData corresponds to data[0] */
393	swap_buf(src: r, dst: data, len: 16);
394
395	aes_encrypt(ctx: &ctx, out: data, in: data);
396
397	/* Most significant octet of encryptedData corresponds to data[0] */
398	swap_buf(src: data, dst: r, len: 16);
399
400	SMP_DBG("r %16phN", r);
401
402	memzero_explicit(s: &ctx, count: sizeof(ctx));
403	return err;
404	}
405
406	static int smp_c1(const u8 k[16],
407	const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
408	const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
409	{
410	u8 p1[16], p2[16];
411	int err;
412
413	SMP_DBG("k %16phN r %16phN", k, r);
414	SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
415	SMP_DBG("preq %7phN pres %7phN", preq, pres);
416
417	memset(p1, 0, 16);
418
419	/* p1 = pres || preq || _rat || _iat */
420	p1[0] = _iat;
421	p1[1] = _rat;
422	memcpy(p1 + 2, preq, 7);
423	memcpy(p1 + 9, pres, 7);
424
425	SMP_DBG("p1 %16phN", p1);
426
427	/* res = r XOR p1 */
428	crypto_xor_cpy(dst: res, src1: r, src2: p1, size: sizeof(p1));
429
430	/* res = e(k, res) */
431	err = smp_e(k, r: res);
432	if (err) {
433	BT_ERR("Encrypt data error");
434	return err;
435	}
436
437	/* p2 = padding || ia || ra */
438	memcpy(p2, ra, 6);
439	memcpy(p2 + 6, ia, 6);
440	memset(p2 + 12, 0, 4);
441
442	SMP_DBG("p2 %16phN", p2);
443
444	/* res = res XOR p2 */
445	crypto_xor(dst: res, src: p2, size: sizeof(p2));
446
447	/* res = e(k, res) */
448	err = smp_e(k, r: res);
449	if (err)
450	BT_ERR("Encrypt data error");
451
452	return err;
453	}
454
455	static int smp_s1(const u8 k[16],
456	const u8 r1[16], const u8 r2[16], u8 _r[16])
457	{
458	int err;
459
460	/* Just least significant octets from r1 and r2 are considered */
461	memcpy(_r, r2, 8);
462	memcpy(_r + 8, r1, 8);
463
464	err = smp_e(k, r: _r);
465	if (err)
466	BT_ERR("Encrypt data error");
467
468	return err;
469	}
470
471	static int smp_ah(const u8 irk[16], const u8 r[3], u8 res[3])
472	{
473	u8 _res[16];
474	int err;
475
476	/* r' = padding || r */
477	memcpy(_res, r, 3);
478	memset(_res + 3, 0, 13);
479
480	err = smp_e(k: irk, r: _res);
481	if (err) {
482	BT_ERR("Encrypt error");
483	return err;
484	}
485
486	/* The output of the random address function ah is:
487	* ah(k, r) = e(k, r') mod 2^24
488	* The output of the security function e is then truncated to 24 bits
489	* by taking the least significant 24 bits of the output of e as the
490	* result of ah.
491	*/
492	memcpy(res, _res, 3);
493
494	return 0;
495	}
496
497	bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
498	const bdaddr_t *bdaddr)
499	{
500	struct l2cap_chan *chan = hdev->smp_data;
501	u8 hash[3];
502	int err;
503
504	if (!chan || !chan->data)
505	return false;
506
507	bt_dev_dbg(hdev, "RPA %pMR IRK %*phN", bdaddr, 16, irk);
508
509	err = smp_ah(irk, r: &bdaddr->b[3], res: hash);
510	if (err)
511	return false;
512
513	return !crypto_memneq(a: bdaddr->b, b: hash, size: 3);
514	}
515
516	int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
517	{
518	struct l2cap_chan *chan = hdev->smp_data;
519	int err;
520
521	if (!chan || !chan->data)
522	return -EOPNOTSUPP;
523
524	get_random_bytes(buf: &rpa->b[3], len: 3);
525
526	rpa->b[5] &= 0x3f; /* Clear two most significant bits */
527	rpa->b[5] |= 0x40; /* Set second most significant bit */
528
529	err = smp_ah(irk, r: &rpa->b[3], res: rpa->b);
530	if (err < 0)
531	return err;
532
533	bt_dev_dbg(hdev, "RPA %pMR", rpa);
534
535	return 0;
536	}
537
538	int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
539	{
540	struct l2cap_chan *chan = hdev->smp_data;
541	struct smp_dev *smp;
542	int err;
543
544	if (!chan || !chan->data)
545	return -EOPNOTSUPP;
546
547	smp = chan->data;
548
549	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
550	bt_dev_dbg(hdev, "Using debug keys");
551	err = set_ecdh_privkey(tfm: smp->tfm_ecdh, private_key: debug_sk);
552	if (err)
553	return err;
554	memcpy(smp->local_pk, debug_pk, 64);
555	smp->debug_key = true;
556	} else {
557	while (true) {
558	/* Generate key pair for Secure Connections */
559	err = generate_ecdh_keys(tfm: smp->tfm_ecdh, public_key: smp->local_pk);
560	if (err)
561	return err;
562
563	/* This is unlikely, but we need to check that
564	* we didn't accidentally generate a debug key.
565	*/
566	if (crypto_memneq(a: smp->local_pk, b: debug_pk, size: 64))
567	break;
568	}
569	smp->debug_key = false;
570	}
571
572	SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
573	SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
574
575	get_random_bytes(buf: smp->local_rand, len: 16);
576
577	err = smp_f4(tfm_cmac: smp->tfm_cmac, u: smp->local_pk, v: smp->local_pk,
578	x: smp->local_rand, z: 0, res: hash);
579	if (err < 0)
580	return err;
581
582	memcpy(rand, smp->local_rand, 16);
583
584	smp->local_oob = true;
585
586	return 0;
587	}
588
589	static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
590	{
591	struct l2cap_chan *chan = conn->smp;
592	struct smp_chan *smp;
593	struct kvec iv[2];
594	struct msghdr msg;
595
596	if (!chan)
597	return;
598
599	bt_dev_dbg(conn->hcon->hdev, "code 0x%2.2x", code);
600
601	iv[0].iov_base = &code;
602	iv[0].iov_len = 1;
603
604	iv[1].iov_base = data;
605	iv[1].iov_len = len;
606
607	memset(&msg, 0, sizeof(msg));
608
609	iov_iter_kvec(i: &msg.msg_iter, ITER_SOURCE, kvec: iv, nr_segs: 2, count: 1 + len);
610
611	l2cap_chan_send(chan, msg: &msg, len: 1 + len);
612
613	if (!chan->data)
614	return;
615
616	smp = chan->data;
617
618	cancel_delayed_work_sync(dwork: &smp->security_timer);
619	schedule_delayed_work(dwork: &smp->security_timer, SMP_TIMEOUT);
620	}
621
622	static u8 authreq_to_seclevel(u8 authreq)
623	{
624	if (authreq & SMP_AUTH_MITM) {
625	if (authreq & SMP_AUTH_SC)
626	return BT_SECURITY_FIPS;
627	else
628	return BT_SECURITY_HIGH;
629	} else {
630	return BT_SECURITY_MEDIUM;
631	}
632	}
633
634	static __u8 seclevel_to_authreq(__u8 sec_level)
635	{
636	switch (sec_level) {
637	case BT_SECURITY_FIPS:
638	case BT_SECURITY_HIGH:
639	return SMP_AUTH_MITM | SMP_AUTH_BONDING;
640	case BT_SECURITY_MEDIUM:
641	return SMP_AUTH_BONDING;
642	default:
643	return SMP_AUTH_NONE;
644	}
645	}
646
647	static void build_pairing_cmd(struct l2cap_conn *conn,
648	struct smp_cmd_pairing *req,
649	struct smp_cmd_pairing *rsp, __u8 authreq)
650	{
651	struct l2cap_chan *chan = conn->smp;
652	struct smp_chan *smp = chan->data;
653	struct hci_conn *hcon = conn->hcon;
654	struct hci_dev *hdev = hcon->hdev;
655	u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
656
657	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
658	local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
659	remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
660	authreq |= SMP_AUTH_BONDING;
661	} else {
662	authreq &= ~SMP_AUTH_BONDING;
663	}
664
665	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
666	remote_dist |= SMP_DIST_ID_KEY;
667
668	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
669	local_dist |= SMP_DIST_ID_KEY;
670
671	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
672	(authreq & SMP_AUTH_SC)) {
673	struct oob_data *oob_data;
674	u8 bdaddr_type;
675
676	if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
677	local_dist |= SMP_DIST_LINK_KEY;
678	remote_dist |= SMP_DIST_LINK_KEY;
679	}
680
681	if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
682	bdaddr_type = BDADDR_LE_PUBLIC;
683	else
684	bdaddr_type = BDADDR_LE_RANDOM;
685
686	oob_data = hci_find_remote_oob_data(hdev, bdaddr: &hcon->dst,
687	bdaddr_type);
688	if (oob_data && oob_data->present) {
689	set_bit(nr: SMP_FLAG_REMOTE_OOB, addr: &smp->flags);
690	oob_flag = SMP_OOB_PRESENT;
691	memcpy(smp->rr, oob_data->rand256, 16);
692	memcpy(smp->pcnf, oob_data->hash256, 16);
693	SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
694	SMP_DBG("OOB Remote Random: %16phN", smp->rr);
695	}
696
697	} else {
698	authreq &= ~SMP_AUTH_SC;
699	}
700
701	if (rsp == NULL) {
702	req->io_capability = conn->hcon->io_capability;
703	req->oob_flag = oob_flag;
704	req->max_key_size = hdev->le_max_key_size;
705	req->init_key_dist = local_dist;
706	req->resp_key_dist = remote_dist;
707	req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
708
709	smp->remote_key_dist = remote_dist;
710	return;
711	}
712
713	rsp->io_capability = conn->hcon->io_capability;
714	rsp->oob_flag = oob_flag;
715	rsp->max_key_size = hdev->le_max_key_size;
716	rsp->init_key_dist = req->init_key_dist & remote_dist;
717	rsp->resp_key_dist = req->resp_key_dist & local_dist;
718	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
719
720	smp->remote_key_dist = rsp->init_key_dist;
721	}
722
723	static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
724	{
725	struct l2cap_chan *chan = conn->smp;
726	struct hci_dev *hdev = conn->hcon->hdev;
727	struct smp_chan *smp = chan->data;
728
729	if (conn->hcon->pending_sec_level == BT_SECURITY_FIPS &&
730	max_key_size != SMP_MAX_ENC_KEY_SIZE)
731	return SMP_ENC_KEY_SIZE;
732
733	if (max_key_size > hdev->le_max_key_size ||
734	max_key_size < SMP_MIN_ENC_KEY_SIZE)
735	return SMP_ENC_KEY_SIZE;
736
737	smp->enc_key_size = max_key_size;
738
739	return 0;
740	}
741
742	static void smp_chan_destroy(struct l2cap_conn *conn)
743	{
744	struct l2cap_chan *chan = conn->smp;
745	struct smp_chan *smp = chan->data;
746	struct hci_conn *hcon = conn->hcon;
747	bool complete;
748
749	BUG_ON(!smp);
750
751	cancel_delayed_work_sync(dwork: &smp->security_timer);
752
753	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
754	mgmt_smp_complete(conn: hcon, complete);
755
756	kfree_sensitive(objp: smp->csrk);
757	kfree_sensitive(objp: smp->responder_csrk);
758	kfree_sensitive(objp: smp->link_key);
759
760	crypto_free_shash(tfm: smp->tfm_cmac);
761	crypto_free_kpp(tfm: smp->tfm_ecdh);
762
763	/* Ensure that we don't leave any debug key around if debug key
764	* support hasn't been explicitly enabled.
765	*/
766	if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
767	!hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
768	list_del_rcu(entry: &smp->ltk->list);
769	kfree_rcu(smp->ltk, rcu);
770	smp->ltk = NULL;
771	}
772
773	/* If pairing failed clean up any keys we might have */
774	if (!complete) {
775	if (smp->ltk) {
776	list_del_rcu(entry: &smp->ltk->list);
777	kfree_rcu(smp->ltk, rcu);
778	}
779
780	if (smp->responder_ltk) {
781	list_del_rcu(entry: &smp->responder_ltk->list);
782	kfree_rcu(smp->responder_ltk, rcu);
783	}
784
785	if (smp->remote_irk) {
786	list_del_rcu(entry: &smp->remote_irk->list);
787	kfree_rcu(smp->remote_irk, rcu);
788	}
789	}
790
791	chan->data = NULL;
792	kfree_sensitive(objp: smp);
793	hci_conn_drop(conn: hcon);
794	}
795
796	static void smp_failure(struct l2cap_conn *conn, u8 reason)
797	{
798	struct hci_conn *hcon = conn->hcon;
799	struct l2cap_chan *chan = conn->smp;
800
801	if (reason)
802	smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, len: sizeof(reason),
803	data: &reason);
804
805	mgmt_auth_failed(conn: hcon, HCI_ERROR_AUTH_FAILURE);
806
807	if (chan->data)
808	smp_chan_destroy(conn);
809	}
810
811	#define JUST_WORKS 0x00
812	#define JUST_CFM 0x01
813	#define REQ_PASSKEY 0x02
814	#define CFM_PASSKEY 0x03
815	#define REQ_OOB 0x04
816	#define DSP_PASSKEY 0x05
817	#define OVERLAP 0xFF
818
819	static const u8 gen_method[5][5] = {
820	{ JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
821	{ JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
822	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
823	{ JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
824	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
825	};
826
827	static const u8 sc_method[5][5] = {
828	{ JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
829	{ JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
830	{ DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
831	{ JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
832	{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
833	};
834
835	static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
836	{
837	/* If either side has unknown io_caps, use JUST_CFM (which gets
838	* converted later to JUST_WORKS if we're initiators.
839	*/
840	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
841	remote_io > SMP_IO_KEYBOARD_DISPLAY)
842	return JUST_CFM;
843
844	if (test_bit(SMP_FLAG_SC, &smp->flags))
845	return sc_method[remote_io][local_io];
846
847	return gen_method[remote_io][local_io];
848	}
849
850	static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
851	u8 local_io, u8 remote_io)
852	{
853	struct hci_conn *hcon = conn->hcon;
854	struct l2cap_chan *chan = conn->smp;
855	struct smp_chan *smp = chan->data;
856	u32 passkey = 0;
857	int ret;
858
859	/* Initialize key for JUST WORKS */
860	memset(smp->tk, 0, sizeof(smp->tk));
861	clear_bit(nr: SMP_FLAG_TK_VALID, addr: &smp->flags);
862
863	bt_dev_dbg(hcon->hdev, "auth:%u lcl:%u rem:%u", auth, local_io,
864	remote_io);
865
866	/* If neither side wants MITM, either "just" confirm an incoming
867	* request or use just-works for outgoing ones. The JUST_CFM
868	* will be converted to JUST_WORKS if necessary later in this
869	* function. If either side has MITM look up the method from the
870	* table.
871	*/
872	if (!(auth & SMP_AUTH_MITM))
873	smp->method = JUST_CFM;
874	else
875	smp->method = get_auth_method(smp, local_io, remote_io);
876
877	/* Don't confirm locally initiated pairing attempts */
878	if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
879	&smp->flags))
880	smp->method = JUST_WORKS;
881
882	/* Don't bother user space with no IO capabilities */
883	if (smp->method == JUST_CFM &&
884	hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
885	smp->method = JUST_WORKS;
886
887	/* If Just Works, Continue with Zero TK and ask user-space for
888	* confirmation */
889	if (smp->method == JUST_WORKS) {
890	ret = mgmt_user_confirm_request(hdev: hcon->hdev, bdaddr: &hcon->dst,
891	link_type: hcon->type,
892	addr_type: hcon->dst_type,
893	value: passkey, confirm_hint: 1);
894	if (ret)
895	return ret;
896	set_bit(nr: SMP_FLAG_WAIT_USER, addr: &smp->flags);
897	return 0;
898	}
899
900	/* If this function is used for SC -> legacy fallback we
901	* can only recover the just-works case.
902	*/
903	if (test_bit(SMP_FLAG_SC, &smp->flags))
904	return -EINVAL;
905
906	/* Not Just Works/Confirm results in MITM Authentication */
907	if (smp->method != JUST_CFM) {
908	set_bit(nr: SMP_FLAG_MITM_AUTH, addr: &smp->flags);
909	if (hcon->pending_sec_level < BT_SECURITY_HIGH)
910	hcon->pending_sec_level = BT_SECURITY_HIGH;
911	}
912
913	/* If both devices have Keyboard-Display I/O, the initiator
914	* Confirms and the responder Enters the passkey.
915	*/
916	if (smp->method == OVERLAP) {
917	if (hcon->role == HCI_ROLE_MASTER)
918	smp->method = CFM_PASSKEY;
919	else
920	smp->method = REQ_PASSKEY;
921	}
922
923	/* Generate random passkey. */
924	if (smp->method == CFM_PASSKEY) {
925	memset(smp->tk, 0, sizeof(smp->tk));
926	get_random_bytes(buf: &passkey, len: sizeof(passkey));
927	passkey %= 1000000;
928	put_unaligned_le32(val: passkey, p: smp->tk);
929	bt_dev_dbg(hcon->hdev, "PassKey: %u", passkey);
930	set_bit(nr: SMP_FLAG_TK_VALID, addr: &smp->flags);
931	}
932
933	if (smp->method == REQ_PASSKEY)
934	ret = mgmt_user_passkey_request(hdev: hcon->hdev, bdaddr: &hcon->dst,
935	link_type: hcon->type, addr_type: hcon->dst_type);
936	else if (smp->method == JUST_CFM)
937	ret = mgmt_user_confirm_request(hdev: hcon->hdev, bdaddr: &hcon->dst,
938	link_type: hcon->type, addr_type: hcon->dst_type,
939	value: passkey, confirm_hint: 1);
940	else
941	ret = mgmt_user_passkey_notify(hdev: hcon->hdev, bdaddr: &hcon->dst,
942	link_type: hcon->type, addr_type: hcon->dst_type,
943	passkey, entered: 0);
944
945	return ret;
946	}
947
948	static u8 smp_confirm(struct smp_chan *smp)
949	{
950	struct l2cap_conn *conn = smp->conn;
951	struct smp_cmd_pairing_confirm cp;
952	int ret;
953
954	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
955
956	ret = smp_c1(k: smp->tk, r: smp->prnd, preq: smp->preq, pres: smp->prsp,
957	iat: conn->hcon->init_addr_type, ia: &conn->hcon->init_addr,
958	rat: conn->hcon->resp_addr_type, ra: &conn->hcon->resp_addr,
959	res: cp.confirm_val);
960	if (ret)
961	return SMP_UNSPECIFIED;
962
963	clear_bit(nr: SMP_FLAG_CFM_PENDING, addr: &smp->flags);
964
965	smp_send_cmd(conn: smp->conn, SMP_CMD_PAIRING_CONFIRM, len: sizeof(cp), data: &cp);
966
967	if (conn->hcon->out)
968	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
969	else
970	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
971
972	return 0;
973	}
974
975	static u8 smp_random(struct smp_chan *smp)
976	{
977	struct l2cap_conn *conn = smp->conn;
978	struct hci_conn *hcon = conn->hcon;
979	u8 confirm[16];
980	int ret;
981
982	bt_dev_dbg(conn->hcon->hdev, "conn %p %s", conn,
983	conn->hcon->out ? "initiator" : "responder");
984
985	ret = smp_c1(k: smp->tk, r: smp->rrnd, preq: smp->preq, pres: smp->prsp,
986	iat: hcon->init_addr_type, ia: &hcon->init_addr,
987	rat: hcon->resp_addr_type, ra: &hcon->resp_addr, res: confirm);
988	if (ret)
989	return SMP_UNSPECIFIED;
990
991	if (crypto_memneq(a: smp->pcnf, b: confirm, size: sizeof(smp->pcnf))) {
992	bt_dev_err(hcon->hdev, "pairing failed "
993	"(confirmation values mismatch)");
994	return SMP_CONFIRM_FAILED;
995	}
996
997	if (hcon->out) {
998	u8 stk[16];
999	__le64 rand = 0;
1000	__le16 ediv = 0;
1001
1002	smp_s1(k: smp->tk, r1: smp->rrnd, r2: smp->prnd, r: stk);
1003
1004	if (test_and_set_bit(nr: HCI_CONN_ENCRYPT_PEND, addr: &hcon->flags))
1005	return SMP_UNSPECIFIED;
1006
1007	hci_le_start_enc(conn: hcon, ediv, rand, ltk: stk, key_size: smp->enc_key_size);
1008	hcon->enc_key_size = smp->enc_key_size;
1009	set_bit(nr: HCI_CONN_STK_ENCRYPT, addr: &hcon->flags);
1010	} else {
1011	u8 stk[16], auth;
1012	__le64 rand = 0;
1013	__le16 ediv = 0;
1014
1015	smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, len: sizeof(smp->prnd),
1016	data: smp->prnd);
1017
1018	smp_s1(k: smp->tk, r1: smp->prnd, r2: smp->rrnd, r: stk);
1019
1020	if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1021	auth = 1;
1022	else
1023	auth = 0;
1024
1025	/* Even though there's no _RESPONDER suffix this is the
1026	* responder STK we're adding for later lookup (the initiator
1027	* STK never needs to be stored).
1028	*/
1029	hci_add_ltk(hdev: hcon->hdev, bdaddr: &hcon->dst, addr_type: hcon->dst_type,
1030	type: SMP_STK, authenticated: auth, tk: stk, enc_size: smp->enc_key_size, ediv, rand);
1031	}
1032
1033	return 0;
1034	}
1035
1036	static void smp_notify_keys(struct l2cap_conn *conn)
1037	{
1038	struct l2cap_chan *chan = conn->smp;
1039	struct smp_chan *smp = chan->data;
1040	struct hci_conn *hcon = conn->hcon;
1041	struct hci_dev *hdev = hcon->hdev;
1042	struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1043	struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1044	bool persistent;
1045
1046	if (hcon->type == ACL_LINK) {
1047	if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1048	persistent = false;
1049	else
1050	persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1051	&hcon->flags);
1052	} else {
1053	/* The LTKs, IRKs and CSRKs should be persistent only if
1054	* both sides had the bonding bit set in their
1055	* authentication requests.
1056	*/
1057	persistent = !!((req->auth_req & rsp->auth_req) &
1058	SMP_AUTH_BONDING);
1059	}
1060
1061	if (smp->remote_irk) {
1062	mgmt_new_irk(hdev, irk: smp->remote_irk, persistent);
1063
1064	/* Now that user space can be considered to know the
1065	* identity address track the connection based on it
1066	* from now on (assuming this is an LE link).
1067	*/
1068	if (hcon->type == LE_LINK) {
1069	bacpy(dst: &hcon->dst, src: &smp->remote_irk->bdaddr);
1070	hcon->dst_type = smp->remote_irk->addr_type;
1071	/* Use a short delay to make sure the new address is
1072	* propagated _before_ the channels.
1073	*/
1074	queue_delayed_work(wq: hdev->workqueue,
1075	dwork: &conn->id_addr_timer,
1076	ID_ADDR_TIMEOUT);
1077	}
1078	}
1079
1080	if (smp->csrk) {
1081	smp->csrk->bdaddr_type = hcon->dst_type;
1082	bacpy(dst: &smp->csrk->bdaddr, src: &hcon->dst);
1083	mgmt_new_csrk(hdev, csrk: smp->csrk, persistent);
1084	}
1085
1086	if (smp->responder_csrk) {
1087	smp->responder_csrk->bdaddr_type = hcon->dst_type;
1088	bacpy(dst: &smp->responder_csrk->bdaddr, src: &hcon->dst);
1089	mgmt_new_csrk(hdev, csrk: smp->responder_csrk, persistent);
1090	}
1091
1092	if (smp->ltk) {
1093	smp->ltk->bdaddr_type = hcon->dst_type;
1094	bacpy(dst: &smp->ltk->bdaddr, src: &hcon->dst);
1095	mgmt_new_ltk(hdev, key: smp->ltk, persistent);
1096	}
1097
1098	if (smp->responder_ltk) {
1099	smp->responder_ltk->bdaddr_type = hcon->dst_type;
1100	bacpy(dst: &smp->responder_ltk->bdaddr, src: &hcon->dst);
1101	mgmt_new_ltk(hdev, key: smp->responder_ltk, persistent);
1102	}
1103
1104	if (smp->link_key) {
1105	struct link_key *key;
1106	u8 type;
1107
1108	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1109	type = HCI_LK_DEBUG_COMBINATION;
1110	else if (hcon->sec_level == BT_SECURITY_FIPS)
1111	type = HCI_LK_AUTH_COMBINATION_P256;
1112	else
1113	type = HCI_LK_UNAUTH_COMBINATION_P256;
1114
1115	key = hci_add_link_key(hdev, conn: smp->conn->hcon, bdaddr: &hcon->dst,
1116	val: smp->link_key, type, pin_len: 0, persistent: &persistent);
1117	if (key) {
1118	mgmt_new_link_key(hdev, key, persistent);
1119
1120	/* Don't keep debug keys around if the relevant
1121	* flag is not set.
1122	*/
1123	if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1124	key->type == HCI_LK_DEBUG_COMBINATION) {
1125	list_del_rcu(entry: &key->list);
1126	kfree_rcu(key, rcu);
1127	}
1128	}
1129	}
1130	}
1131
1132	static void sc_add_ltk(struct smp_chan *smp)
1133	{
1134	struct hci_conn *hcon = smp->conn->hcon;
1135	u8 key_type, auth;
1136
1137	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1138	key_type = SMP_LTK_P256_DEBUG;
1139	else
1140	key_type = SMP_LTK_P256;
1141
1142	if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1143	auth = 1;
1144	else
1145	auth = 0;
1146
1147	smp->ltk = hci_add_ltk(hdev: hcon->hdev, bdaddr: &hcon->dst, addr_type: hcon->dst_type,
1148	type: key_type, authenticated: auth, tk: smp->tk, enc_size: smp->enc_key_size,
1149	ediv: 0, rand: 0);
1150	}
1151
1152	static void sc_generate_link_key(struct smp_chan *smp)
1153	{
1154	/* From core spec. Spells out in ASCII as 'lebr'. */
1155	const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1156
1157	smp->link_key = kzalloc(size: 16, GFP_KERNEL);
1158	if (!smp->link_key)
1159	return;
1160
1161	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1162	/* SALT = 0x000000000000000000000000746D7031 */
1163	const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1164
1165	if (smp_h7(tfm_cmac: smp->tfm_cmac, w: smp->tk, salt, res: smp->link_key)) {
1166	kfree_sensitive(objp: smp->link_key);
1167	smp->link_key = NULL;
1168	return;
1169	}
1170	} else {
1171	/* From core spec. Spells out in ASCII as 'tmp1'. */
1172	const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1173
1174	if (smp_h6(tfm_cmac: smp->tfm_cmac, w: smp->tk, key_id: tmp1, res: smp->link_key)) {
1175	kfree_sensitive(objp: smp->link_key);
1176	smp->link_key = NULL;
1177	return;
1178	}
1179	}
1180
1181	if (smp_h6(tfm_cmac: smp->tfm_cmac, w: smp->link_key, key_id: lebr, res: smp->link_key)) {
1182	kfree_sensitive(objp: smp->link_key);
1183	smp->link_key = NULL;
1184	return;
1185	}
1186	}
1187
1188	static void smp_allow_key_dist(struct smp_chan *smp)
1189	{
1190	/* Allow the first expected phase 3 PDU. The rest of the PDUs
1191	* will be allowed in each PDU handler to ensure we receive
1192	* them in the correct order.
1193	*/
1194	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1195	SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1196	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1197	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1198	else if (smp->remote_key_dist & SMP_DIST_SIGN)
1199	SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1200	}
1201
1202	static void sc_generate_ltk(struct smp_chan *smp)
1203	{
1204	/* From core spec. Spells out in ASCII as 'brle'. */
1205	const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1206	struct hci_conn *hcon = smp->conn->hcon;
1207	struct hci_dev *hdev = hcon->hdev;
1208	struct link_key *key;
1209
1210	key = hci_find_link_key(hdev, bdaddr: &hcon->dst);
1211	if (!key) {
1212	bt_dev_err(hdev, "no Link Key found to generate LTK");
1213	return;
1214	}
1215
1216	if (key->type == HCI_LK_DEBUG_COMBINATION)
1217	set_bit(nr: SMP_FLAG_DEBUG_KEY, addr: &smp->flags);
1218
1219	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1220	/* SALT = 0x000000000000000000000000746D7032 */
1221	const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1222
1223	if (smp_h7(tfm_cmac: smp->tfm_cmac, w: key->val, salt, res: smp->tk))
1224	return;
1225	} else {
1226	/* From core spec. Spells out in ASCII as 'tmp2'. */
1227	const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1228
1229	if (smp_h6(tfm_cmac: smp->tfm_cmac, w: key->val, key_id: tmp2, res: smp->tk))
1230	return;
1231	}
1232
1233	if (smp_h6(tfm_cmac: smp->tfm_cmac, w: smp->tk, key_id: brle, res: smp->tk))
1234	return;
1235
1236	sc_add_ltk(smp);
1237	}
1238
1239	static void smp_distribute_keys(struct smp_chan *smp)
1240	{
1241	struct smp_cmd_pairing *req, *rsp;
1242	struct l2cap_conn *conn = smp->conn;
1243	struct hci_conn *hcon = conn->hcon;
1244	struct hci_dev *hdev = hcon->hdev;
1245	__u8 *keydist;
1246
1247	bt_dev_dbg(hdev, "conn %p", conn);
1248
1249	rsp = (void *) &smp->prsp[1];
1250
1251	/* The responder sends its keys first */
1252	if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1253	smp_allow_key_dist(smp);
1254	return;
1255	}
1256
1257	req = (void *) &smp->preq[1];
1258
1259	if (hcon->out) {
1260	keydist = &rsp->init_key_dist;
1261	*keydist &= req->init_key_dist;
1262	} else {
1263	keydist = &rsp->resp_key_dist;
1264	*keydist &= req->resp_key_dist;
1265	}
1266
1267	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1268	if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1269	sc_generate_link_key(smp);
1270	if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1271	sc_generate_ltk(smp);
1272
1273	/* Clear the keys which are generated but not distributed */
1274	*keydist &= ~SMP_SC_NO_DIST;
1275	}
1276
1277	bt_dev_dbg(hdev, "keydist 0x%x", *keydist);
1278
1279	if (*keydist & SMP_DIST_ENC_KEY) {
1280	struct smp_cmd_encrypt_info enc;
1281	struct smp_cmd_initiator_ident ident;
1282	struct smp_ltk *ltk;
1283	u8 authenticated;
1284	__le16 ediv;
1285	__le64 rand;
1286
1287	/* Make sure we generate only the significant amount of
1288	* bytes based on the encryption key size, and set the rest
1289	* of the value to zeroes.
1290	*/
1291	get_random_bytes(buf: enc.ltk, len: smp->enc_key_size);
1292	memset(enc.ltk + smp->enc_key_size, 0,
1293	sizeof(enc.ltk) - smp->enc_key_size);
1294
1295	get_random_bytes(buf: &ediv, len: sizeof(ediv));
1296	get_random_bytes(buf: &rand, len: sizeof(rand));
1297
1298	smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, len: sizeof(enc), data: &enc);
1299
1300	authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1301	ltk = hci_add_ltk(hdev, bdaddr: &hcon->dst, addr_type: hcon->dst_type,
1302	type: SMP_LTK_RESPONDER, authenticated, tk: enc.ltk,
1303	enc_size: smp->enc_key_size, ediv, rand);
1304	smp->responder_ltk = ltk;
1305
1306	ident.ediv = ediv;
1307	ident.rand = rand;
1308
1309	smp_send_cmd(conn, SMP_CMD_INITIATOR_IDENT, len: sizeof(ident),
1310	data: &ident);
1311
1312	*keydist &= ~SMP_DIST_ENC_KEY;
1313	}
1314
1315	if (*keydist & SMP_DIST_ID_KEY) {
1316	struct smp_cmd_ident_addr_info addrinfo;
1317	struct smp_cmd_ident_info idinfo;
1318
1319	memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1320
1321	smp_send_cmd(conn, SMP_CMD_IDENT_INFO, len: sizeof(idinfo), data: &idinfo);
1322
1323	/* The hci_conn contains the local identity address
1324	* after the connection has been established.
1325	*
1326	* This is true even when the connection has been
1327	* established using a resolvable random address.
1328	*/
1329	bacpy(dst: &addrinfo.bdaddr, src: &hcon->src);
1330	addrinfo.addr_type = hcon->src_type;
1331
1332	smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, len: sizeof(addrinfo),
1333	data: &addrinfo);
1334
1335	*keydist &= ~SMP_DIST_ID_KEY;
1336	}
1337
1338	if (*keydist & SMP_DIST_SIGN) {
1339	struct smp_cmd_sign_info sign;
1340	struct smp_csrk *csrk;
1341
1342	/* Generate a new random key */
1343	get_random_bytes(buf: sign.csrk, len: sizeof(sign.csrk));
1344
1345	csrk = kzalloc(size: sizeof(*csrk), GFP_KERNEL);
1346	if (csrk) {
1347	if (hcon->sec_level > BT_SECURITY_MEDIUM)
1348	csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1349	else
1350	csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1351	memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1352	}
1353	smp->responder_csrk = csrk;
1354
1355	smp_send_cmd(conn, SMP_CMD_SIGN_INFO, len: sizeof(sign), data: &sign);
1356
1357	*keydist &= ~SMP_DIST_SIGN;
1358	}
1359
1360	/* If there are still keys to be received wait for them */
1361	if (smp->remote_key_dist & KEY_DIST_MASK) {
1362	smp_allow_key_dist(smp);
1363	return;
1364	}
1365
1366	set_bit(nr: SMP_FLAG_COMPLETE, addr: &smp->flags);
1367	smp_notify_keys(conn);
1368
1369	smp_chan_destroy(conn);
1370	}
1371
1372	static void smp_timeout(struct work_struct *work)
1373	{
1374	struct smp_chan *smp = container_of(work, struct smp_chan,
1375	security_timer.work);
1376	struct l2cap_conn *conn = smp->conn;
1377
1378	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
1379
1380	hci_disconnect(conn: conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1381	}
1382
1383	static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1384	{
1385	struct hci_conn *hcon = conn->hcon;
1386	struct l2cap_chan *chan = conn->smp;
1387	struct smp_chan *smp;
1388
1389	smp = kzalloc(size: sizeof(*smp), GFP_ATOMIC);
1390	if (!smp)
1391	return NULL;
1392
1393	smp->tfm_cmac = crypto_alloc_shash(alg_name: "cmac(aes)", type: 0, mask: 0);
1394	if (IS_ERR(ptr: smp->tfm_cmac)) {
1395	bt_dev_err(hcon->hdev, "Unable to create CMAC crypto context");
1396	goto zfree_smp;
1397	}
1398
1399	smp->tfm_ecdh = crypto_alloc_kpp(alg_name: "ecdh-nist-p256", type: 0, mask: 0);
1400	if (IS_ERR(ptr: smp->tfm_ecdh)) {
1401	bt_dev_err(hcon->hdev, "Unable to create ECDH crypto context");
1402	goto free_shash;
1403	}
1404
1405	smp->conn = conn;
1406	chan->data = smp;
1407
1408	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1409
1410	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1411
1412	hci_conn_hold(conn: hcon);
1413
1414	return smp;
1415
1416	free_shash:
1417	crypto_free_shash(tfm: smp->tfm_cmac);
1418	zfree_smp:
1419	kfree_sensitive(objp: smp);
1420	return NULL;
1421	}
1422
1423	static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1424	{
1425	struct hci_conn *hcon = smp->conn->hcon;
1426	u8 *na, *nb, a[7], b[7];
1427
1428	if (hcon->out) {
1429	na = smp->prnd;
1430	nb = smp->rrnd;
1431	} else {
1432	na = smp->rrnd;
1433	nb = smp->prnd;
1434	}
1435
1436	memcpy(a, &hcon->init_addr, 6);
1437	memcpy(b, &hcon->resp_addr, 6);
1438	a[6] = hcon->init_addr_type;
1439	b[6] = hcon->resp_addr_type;
1440
1441	return smp_f5(tfm_cmac: smp->tfm_cmac, w: smp->dhkey, n1: na, n2: nb, a1: a, a2: b, mackey, ltk);
1442	}
1443
1444	static void sc_dhkey_check(struct smp_chan *smp)
1445	{
1446	struct hci_conn *hcon = smp->conn->hcon;
1447	struct smp_cmd_dhkey_check check;
1448	u8 a[7], b[7], *local_addr, *remote_addr;
1449	u8 io_cap[3], r[16];
1450
1451	memcpy(a, &hcon->init_addr, 6);
1452	memcpy(b, &hcon->resp_addr, 6);
1453	a[6] = hcon->init_addr_type;
1454	b[6] = hcon->resp_addr_type;
1455
1456	if (hcon->out) {
1457	local_addr = a;
1458	remote_addr = b;
1459	memcpy(io_cap, &smp->preq[1], 3);
1460	} else {
1461	local_addr = b;
1462	remote_addr = a;
1463	memcpy(io_cap, &smp->prsp[1], 3);
1464	}
1465
1466	memset(r, 0, sizeof(r));
1467
1468	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1469	put_unaligned_le32(val: hcon->passkey_notify, p: r);
1470
1471	if (smp->method == REQ_OOB)
1472	memcpy(r, smp->rr, 16);
1473
1474	smp_f6(tfm_cmac: smp->tfm_cmac, w: smp->mackey, n1: smp->prnd, n2: smp->rrnd, r, io_cap,
1475	a1: local_addr, a2: remote_addr, res: check.e);
1476
1477	smp_send_cmd(conn: smp->conn, SMP_CMD_DHKEY_CHECK, len: sizeof(check), data: &check);
1478	}
1479
1480	static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1481	{
1482	struct l2cap_conn *conn = smp->conn;
1483	struct hci_conn *hcon = conn->hcon;
1484	struct smp_cmd_pairing_confirm cfm;
1485	u8 r;
1486
1487	r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1488	r |= 0x80;
1489
1490	get_random_bytes(buf: smp->prnd, len: sizeof(smp->prnd));
1491
1492	if (smp_f4(tfm_cmac: smp->tfm_cmac, u: smp->local_pk, v: smp->remote_pk, x: smp->prnd, z: r,
1493	res: cfm.confirm_val))
1494	return SMP_UNSPECIFIED;
1495
1496	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, len: sizeof(cfm), data: &cfm);
1497
1498	return 0;
1499	}
1500
1501	static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1502	{
1503	struct l2cap_conn *conn = smp->conn;
1504	struct hci_conn *hcon = conn->hcon;
1505	struct hci_dev *hdev = hcon->hdev;
1506	u8 cfm[16], r;
1507
1508	/* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1509	if (smp->passkey_round >= 20)
1510	return 0;
1511
1512	switch (smp_op) {
1513	case SMP_CMD_PAIRING_RANDOM:
1514	r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1515	r |= 0x80;
1516
1517	if (smp_f4(tfm_cmac: smp->tfm_cmac, u: smp->remote_pk, v: smp->local_pk,
1518	x: smp->rrnd, z: r, res: cfm))
1519	return SMP_UNSPECIFIED;
1520
1521	if (crypto_memneq(a: smp->pcnf, b: cfm, size: 16))
1522	return SMP_CONFIRM_FAILED;
1523
1524	smp->passkey_round++;
1525
1526	if (smp->passkey_round == 20) {
1527	/* Generate MacKey and LTK */
1528	if (sc_mackey_and_ltk(smp, mackey: smp->mackey, ltk: smp->tk))
1529	return SMP_UNSPECIFIED;
1530	}
1531
1532	/* The round is only complete when the initiator
1533	* receives pairing random.
1534	*/
1535	if (!hcon->out) {
1536	smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1537	len: sizeof(smp->prnd), data: smp->prnd);
1538	if (smp->passkey_round == 20)
1539	SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1540	else
1541	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1542	return 0;
1543	}
1544
1545	/* Start the next round */
1546	if (smp->passkey_round != 20)
1547	return sc_passkey_round(smp, smp_op: 0);
1548
1549	/* Passkey rounds are complete - start DHKey Check */
1550	sc_dhkey_check(smp);
1551	SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1552
1553	break;
1554
1555	case SMP_CMD_PAIRING_CONFIRM:
1556	if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1557	set_bit(nr: SMP_FLAG_CFM_PENDING, addr: &smp->flags);
1558	return 0;
1559	}
1560
1561	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1562
1563	if (hcon->out) {
1564	smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1565	len: sizeof(smp->prnd), data: smp->prnd);
1566	return 0;
1567	}
1568
1569	return sc_passkey_send_confirm(smp);
1570
1571	case SMP_CMD_PUBLIC_KEY:
1572	default:
1573	/* Initiating device starts the round */
1574	if (!hcon->out)
1575	return 0;
1576
1577	bt_dev_dbg(hdev, "Starting passkey round %u",
1578	smp->passkey_round + 1);
1579
1580	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1581
1582	return sc_passkey_send_confirm(smp);
1583	}
1584
1585	return 0;
1586	}
1587
1588	static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1589	{
1590	struct l2cap_conn *conn = smp->conn;
1591	struct hci_conn *hcon = conn->hcon;
1592	u8 smp_op;
1593
1594	clear_bit(nr: SMP_FLAG_WAIT_USER, addr: &smp->flags);
1595
1596	switch (mgmt_op) {
1597	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1598	smp_failure(conn: smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1599	return 0;
1600	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1601	smp_failure(conn: smp->conn, SMP_NUMERIC_COMP_FAILED);
1602	return 0;
1603	case MGMT_OP_USER_PASSKEY_REPLY:
1604	hcon->passkey_notify = le32_to_cpu(passkey);
1605	smp->passkey_round = 0;
1606
1607	if (test_and_clear_bit(nr: SMP_FLAG_CFM_PENDING, addr: &smp->flags))
1608	smp_op = SMP_CMD_PAIRING_CONFIRM;
1609	else
1610	smp_op = 0;
1611
1612	if (sc_passkey_round(smp, smp_op))
1613	return -EIO;
1614
1615	return 0;
1616	}
1617
1618	/* Initiator sends DHKey check first */
1619	if (hcon->out) {
1620	sc_dhkey_check(smp);
1621	SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1622	} else if (test_and_clear_bit(nr: SMP_FLAG_DHKEY_PENDING, addr: &smp->flags)) {
1623	sc_dhkey_check(smp);
1624	sc_add_ltk(smp);
1625	}
1626
1627	return 0;
1628	}
1629
1630	int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1631	{
1632	struct l2cap_conn *conn = hcon->l2cap_data;
1633	struct l2cap_chan *chan;
1634	struct smp_chan *smp;
1635	u32 value;
1636	int err;
1637
1638	if (!conn)
1639	return -ENOTCONN;
1640
1641	bt_dev_dbg(conn->hcon->hdev, "");
1642
1643	chan = conn->smp;
1644	if (!chan)
1645	return -ENOTCONN;
1646
1647	l2cap_chan_lock(chan);
1648	if (!chan->data) {
1649	err = -ENOTCONN;
1650	goto unlock;
1651	}
1652
1653	smp = chan->data;
1654
1655	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1656	err = sc_user_reply(smp, mgmt_op, passkey);
1657	goto unlock;
1658	}
1659
1660	switch (mgmt_op) {
1661	case MGMT_OP_USER_PASSKEY_REPLY:
1662	value = le32_to_cpu(passkey);
1663	memset(smp->tk, 0, sizeof(smp->tk));
1664	bt_dev_dbg(conn->hcon->hdev, "PassKey: %u", value);
1665	put_unaligned_le32(val: value, p: smp->tk);
1666	fallthrough;
1667	case MGMT_OP_USER_CONFIRM_REPLY:
1668	set_bit(nr: SMP_FLAG_TK_VALID, addr: &smp->flags);
1669	break;
1670	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1671	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1672	smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1673	err = 0;
1674	goto unlock;
1675	default:
1676	smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1677	err = -EOPNOTSUPP;
1678	goto unlock;
1679	}
1680
1681	err = 0;
1682
1683	/* If it is our turn to send Pairing Confirm, do so now */
1684	if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1685	u8 rsp = smp_confirm(smp);
1686	if (rsp)
1687	smp_failure(conn, reason: rsp);
1688	}
1689
1690	unlock:
1691	l2cap_chan_unlock(chan);
1692	return err;
1693	}
1694
1695	static void build_bredr_pairing_cmd(struct smp_chan *smp,
1696	struct smp_cmd_pairing *req,
1697	struct smp_cmd_pairing *rsp)
1698	{
1699	struct l2cap_conn *conn = smp->conn;
1700	struct hci_dev *hdev = conn->hcon->hdev;
1701	u8 local_dist = 0, remote_dist = 0;
1702
1703	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1704	local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1705	remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1706	}
1707
1708	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1709	remote_dist |= SMP_DIST_ID_KEY;
1710
1711	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1712	local_dist |= SMP_DIST_ID_KEY;
1713
1714	if (!rsp) {
1715	memset(req, 0, sizeof(*req));
1716
1717	req->auth_req = SMP_AUTH_CT2;
1718	req->init_key_dist = local_dist;
1719	req->resp_key_dist = remote_dist;
1720	req->max_key_size = conn->hcon->enc_key_size;
1721
1722	smp->remote_key_dist = remote_dist;
1723
1724	return;
1725	}
1726
1727	memset(rsp, 0, sizeof(*rsp));
1728
1729	rsp->auth_req = SMP_AUTH_CT2;
1730	rsp->max_key_size = conn->hcon->enc_key_size;
1731	rsp->init_key_dist = req->init_key_dist & remote_dist;
1732	rsp->resp_key_dist = req->resp_key_dist & local_dist;
1733
1734	smp->remote_key_dist = rsp->init_key_dist;
1735	}
1736
1737	static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1738	{
1739	struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1740	struct l2cap_chan *chan = conn->smp;
1741	struct hci_dev *hdev = conn->hcon->hdev;
1742	struct smp_chan *smp;
1743	u8 key_size, auth, sec_level;
1744	int ret;
1745
1746	bt_dev_dbg(hdev, "conn %p", conn);
1747
1748	if (skb->len < sizeof(*req))
1749	return SMP_INVALID_PARAMS;
1750
1751	if (conn->hcon->role != HCI_ROLE_SLAVE)
1752	return SMP_CMD_NOTSUPP;
1753
1754	if (!chan->data)
1755	smp = smp_chan_create(conn);
1756	else
1757	smp = chan->data;
1758
1759	if (!smp)
1760	return SMP_UNSPECIFIED;
1761
1762	/* We didn't start the pairing, so match remote */
1763	auth = req->auth_req & AUTH_REQ_MASK(hdev);
1764
1765	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1766	(auth & SMP_AUTH_BONDING))
1767	return SMP_PAIRING_NOTSUPP;
1768
1769	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1770	return SMP_AUTH_REQUIREMENTS;
1771
1772	smp->preq[0] = SMP_CMD_PAIRING_REQ;
1773	memcpy(&smp->preq[1], req, sizeof(*req));
1774	skb_pull(skb, len: sizeof(*req));
1775
1776	/* If the remote side's OOB flag is set it means it has
1777	* successfully received our local OOB data - therefore set the
1778	* flag to indicate that local OOB is in use.
1779	*/
1780	if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1781	set_bit(nr: SMP_FLAG_LOCAL_OOB, addr: &smp->flags);
1782
1783	/* SMP over BR/EDR requires special treatment */
1784	if (conn->hcon->type == ACL_LINK) {
1785	/* We must have a BR/EDR SC link */
1786	if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1787	!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1788	return SMP_CROSS_TRANSP_NOT_ALLOWED;
1789
1790	set_bit(nr: SMP_FLAG_SC, addr: &smp->flags);
1791
1792	build_bredr_pairing_cmd(smp, req, rsp: &rsp);
1793
1794	if (req->auth_req & SMP_AUTH_CT2)
1795	set_bit(nr: SMP_FLAG_CT2, addr: &smp->flags);
1796
1797	key_size = min(req->max_key_size, rsp.max_key_size);
1798	if (check_enc_key_size(conn, max_key_size: key_size))
1799	return SMP_ENC_KEY_SIZE;
1800
1801	/* Clear bits which are generated but not distributed */
1802	smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1803
1804	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1805	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1806	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, len: sizeof(rsp), data: &rsp);
1807
1808	smp_distribute_keys(smp);
1809	return 0;
1810	}
1811
1812	build_pairing_cmd(conn, req, rsp: &rsp, authreq: auth);
1813
1814	if (rsp.auth_req & SMP_AUTH_SC) {
1815	set_bit(nr: SMP_FLAG_SC, addr: &smp->flags);
1816
1817	if (rsp.auth_req & SMP_AUTH_CT2)
1818	set_bit(nr: SMP_FLAG_CT2, addr: &smp->flags);
1819	}
1820
1821	if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1822	sec_level = BT_SECURITY_MEDIUM;
1823	else
1824	sec_level = authreq_to_seclevel(authreq: auth);
1825
1826	if (sec_level > conn->hcon->pending_sec_level)
1827	conn->hcon->pending_sec_level = sec_level;
1828
1829	/* If we need MITM check that it can be achieved */
1830	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1831	u8 method;
1832
1833	method = get_auth_method(smp, local_io: conn->hcon->io_capability,
1834	remote_io: req->io_capability);
1835	if (method == JUST_WORKS || method == JUST_CFM)
1836	return SMP_AUTH_REQUIREMENTS;
1837	}
1838
1839	key_size = min(req->max_key_size, rsp.max_key_size);
1840	if (check_enc_key_size(conn, max_key_size: key_size))
1841	return SMP_ENC_KEY_SIZE;
1842
1843	get_random_bytes(buf: smp->prnd, len: sizeof(smp->prnd));
1844
1845	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1846	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1847
1848	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, len: sizeof(rsp), data: &rsp);
1849
1850	clear_bit(nr: SMP_FLAG_INITIATOR, addr: &smp->flags);
1851
1852	/* Strictly speaking we shouldn't allow Pairing Confirm for the
1853	* SC case, however some implementations incorrectly copy RFU auth
1854	* req bits from our security request, which may create a false
1855	* positive SC enablement.
1856	*/
1857	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1858
1859	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1860	SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1861	/* Clear bits which are generated but not distributed */
1862	smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1863	/* Wait for Public Key from Initiating Device */
1864	return 0;
1865	}
1866
1867	/* Request setup of TK */
1868	ret = tk_request(conn, remote_oob: 0, auth, local_io: rsp.io_capability, remote_io: req->io_capability);
1869	if (ret)
1870	return SMP_UNSPECIFIED;
1871
1872	return 0;
1873	}
1874
1875	static u8 sc_send_public_key(struct smp_chan *smp)
1876	{
1877	struct hci_dev *hdev = smp->conn->hcon->hdev;
1878
1879	bt_dev_dbg(hdev, "");
1880
1881	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1882	struct l2cap_chan *chan = hdev->smp_data;
1883	struct smp_dev *smp_dev;
1884
1885	if (!chan || !chan->data)
1886	return SMP_UNSPECIFIED;
1887
1888	smp_dev = chan->data;
1889
1890	memcpy(smp->local_pk, smp_dev->local_pk, 64);
1891	memcpy(smp->lr, smp_dev->local_rand, 16);
1892
1893	if (smp_dev->debug_key)
1894	set_bit(nr: SMP_FLAG_DEBUG_KEY, addr: &smp->flags);
1895
1896	goto done;
1897	}
1898
1899	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1900	bt_dev_dbg(hdev, "Using debug keys");
1901	if (set_ecdh_privkey(tfm: smp->tfm_ecdh, private_key: debug_sk))
1902	return SMP_UNSPECIFIED;
1903	memcpy(smp->local_pk, debug_pk, 64);
1904	set_bit(nr: SMP_FLAG_DEBUG_KEY, addr: &smp->flags);
1905	} else {
1906	while (true) {
1907	/* Generate key pair for Secure Connections */
1908	if (generate_ecdh_keys(tfm: smp->tfm_ecdh, public_key: smp->local_pk))
1909	return SMP_UNSPECIFIED;
1910
1911	/* This is unlikely, but we need to check that
1912	* we didn't accidentally generate a debug key.
1913	*/
1914	if (crypto_memneq(a: smp->local_pk, b: debug_pk, size: 64))
1915	break;
1916	}
1917	}
1918
1919	done:
1920	SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1921	SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1922
1923	smp_send_cmd(conn: smp->conn, SMP_CMD_PUBLIC_KEY, len: 64, data: smp->local_pk);
1924
1925	return 0;
1926	}
1927
1928	static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1929	{
1930	struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1931	struct l2cap_chan *chan = conn->smp;
1932	struct smp_chan *smp = chan->data;
1933	struct hci_dev *hdev = conn->hcon->hdev;
1934	u8 key_size, auth;
1935	int ret;
1936
1937	bt_dev_dbg(hdev, "conn %p", conn);
1938
1939	if (skb->len < sizeof(*rsp))
1940	return SMP_INVALID_PARAMS;
1941
1942	if (conn->hcon->role != HCI_ROLE_MASTER)
1943	return SMP_CMD_NOTSUPP;
1944
1945	skb_pull(skb, len: sizeof(*rsp));
1946
1947	req = (void *) &smp->preq[1];
1948
1949	key_size = min(req->max_key_size, rsp->max_key_size);
1950	if (check_enc_key_size(conn, max_key_size: key_size))
1951	return SMP_ENC_KEY_SIZE;
1952
1953	auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1954
1955	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1956	return SMP_AUTH_REQUIREMENTS;
1957
1958	/* If the remote side's OOB flag is set it means it has
1959	* successfully received our local OOB data - therefore set the
1960	* flag to indicate that local OOB is in use.
1961	*/
1962	if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1963	set_bit(nr: SMP_FLAG_LOCAL_OOB, addr: &smp->flags);
1964
1965	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1966	memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1967
1968	/* Update remote key distribution in case the remote cleared
1969	* some bits that we had enabled in our request.
1970	*/
1971	smp->remote_key_dist &= rsp->resp_key_dist;
1972
1973	if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1974	set_bit(nr: SMP_FLAG_CT2, addr: &smp->flags);
1975
1976	/* For BR/EDR this means we're done and can start phase 3 */
1977	if (conn->hcon->type == ACL_LINK) {
1978	/* Clear bits which are generated but not distributed */
1979	smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1980	smp_distribute_keys(smp);
1981	return 0;
1982	}
1983
1984	if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1985	set_bit(nr: SMP_FLAG_SC, addr: &smp->flags);
1986	else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1987	conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1988
1989	/* If we need MITM check that it can be achieved */
1990	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1991	u8 method;
1992
1993	method = get_auth_method(smp, local_io: req->io_capability,
1994	remote_io: rsp->io_capability);
1995	if (method == JUST_WORKS || method == JUST_CFM)
1996	return SMP_AUTH_REQUIREMENTS;
1997	}
1998
1999	get_random_bytes(buf: smp->prnd, len: sizeof(smp->prnd));
2000
2001	/* Update remote key distribution in case the remote cleared
2002	* some bits that we had enabled in our request.
2003	*/
2004	smp->remote_key_dist &= rsp->resp_key_dist;
2005
2006	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2007	/* Clear bits which are generated but not distributed */
2008	smp->remote_key_dist &= ~SMP_SC_NO_DIST;
2009	SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2010	return sc_send_public_key(smp);
2011	}
2012
2013	auth |= req->auth_req;
2014
2015	ret = tk_request(conn, remote_oob: 0, auth, local_io: req->io_capability, remote_io: rsp->io_capability);
2016	if (ret)
2017	return SMP_UNSPECIFIED;
2018
2019	set_bit(nr: SMP_FLAG_CFM_PENDING, addr: &smp->flags);
2020
2021	/* Can't compose response until we have been confirmed */
2022	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2023	return smp_confirm(smp);
2024
2025	return 0;
2026	}
2027
2028	static u8 sc_check_confirm(struct smp_chan *smp)
2029	{
2030	struct l2cap_conn *conn = smp->conn;
2031
2032	bt_dev_dbg(conn->hcon->hdev, "");
2033
2034	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2035	return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2036
2037	if (conn->hcon->out) {
2038	smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, len: sizeof(smp->prnd),
2039	data: smp->prnd);
2040	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2041	}
2042
2043	return 0;
2044	}
2045
2046	/* Work-around for some implementations that incorrectly copy RFU bits
2047	* from our security request and thereby create the impression that
2048	* we're doing SC when in fact the remote doesn't support it.
2049	*/
2050	static int fixup_sc_false_positive(struct smp_chan *smp)
2051	{
2052	struct l2cap_conn *conn = smp->conn;
2053	struct hci_conn *hcon = conn->hcon;
2054	struct hci_dev *hdev = hcon->hdev;
2055	struct smp_cmd_pairing *req, *rsp;
2056	u8 auth;
2057
2058	/* The issue is only observed when we're in responder role */
2059	if (hcon->out)
2060	return SMP_UNSPECIFIED;
2061
2062	if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2063	bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
2064	return SMP_UNSPECIFIED;
2065	}
2066
2067	bt_dev_err(hdev, "trying to fall back to legacy SMP");
2068
2069	req = (void *) &smp->preq[1];
2070	rsp = (void *) &smp->prsp[1];
2071
2072	/* Rebuild key dist flags which may have been cleared for SC */
2073	smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2074
2075	auth = req->auth_req & AUTH_REQ_MASK(hdev);
2076
2077	if (tk_request(conn, remote_oob: 0, auth, local_io: rsp->io_capability, remote_io: req->io_capability)) {
2078	bt_dev_err(hdev, "failed to fall back to legacy SMP");
2079	return SMP_UNSPECIFIED;
2080	}
2081
2082	clear_bit(nr: SMP_FLAG_SC, addr: &smp->flags);
2083
2084	return 0;
2085	}
2086
2087	static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2088	{
2089	struct l2cap_chan *chan = conn->smp;
2090	struct smp_chan *smp = chan->data;
2091	struct hci_conn *hcon = conn->hcon;
2092	struct hci_dev *hdev = hcon->hdev;
2093
2094	bt_dev_dbg(hdev, "conn %p %s", conn,
2095	hcon->out ? "initiator" : "responder");
2096
2097	if (skb->len < sizeof(smp->pcnf))
2098	return SMP_INVALID_PARAMS;
2099
2100	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2101	skb_pull(skb, len: sizeof(smp->pcnf));
2102
2103	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2104	int ret;
2105
2106	/* Public Key exchange must happen before any other steps */
2107	if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2108	return sc_check_confirm(smp);
2109
2110	bt_dev_err(hdev, "Unexpected SMP Pairing Confirm");
2111
2112	ret = fixup_sc_false_positive(smp);
2113	if (ret)
2114	return ret;
2115	}
2116
2117	if (conn->hcon->out) {
2118	smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, len: sizeof(smp->prnd),
2119	data: smp->prnd);
2120	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2121	return 0;
2122	}
2123
2124	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2125	return smp_confirm(smp);
2126
2127	set_bit(nr: SMP_FLAG_CFM_PENDING, addr: &smp->flags);
2128
2129	return 0;
2130	}
2131
2132	static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2133	{
2134	struct l2cap_chan *chan = conn->smp;
2135	struct smp_chan *smp = chan->data;
2136	struct hci_conn *hcon = conn->hcon;
2137	u8 *pkax, *pkbx, *na, *nb, confirm_hint;
2138	u32 passkey;
2139	int err;
2140
2141	bt_dev_dbg(hcon->hdev, "conn %p", conn);
2142
2143	if (skb->len < sizeof(smp->rrnd))
2144	return SMP_INVALID_PARAMS;
2145
2146	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2147	skb_pull(skb, len: sizeof(smp->rrnd));
2148
2149	if (!test_bit(SMP_FLAG_SC, &smp->flags))
2150	return smp_random(smp);
2151
2152	if (hcon->out) {
2153	pkax = smp->local_pk;
2154	pkbx = smp->remote_pk;
2155	na = smp->prnd;
2156	nb = smp->rrnd;
2157	} else {
2158	pkax = smp->remote_pk;
2159	pkbx = smp->local_pk;
2160	na = smp->rrnd;
2161	nb = smp->prnd;
2162	}
2163
2164	if (smp->method == REQ_OOB) {
2165	if (!hcon->out)
2166	smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2167	len: sizeof(smp->prnd), data: smp->prnd);
2168	SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2169	goto mackey_and_ltk;
2170	}
2171
2172	/* Passkey entry has special treatment */
2173	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2174	return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2175
2176	if (hcon->out) {
2177	u8 cfm[16];
2178
2179	err = smp_f4(tfm_cmac: smp->tfm_cmac, u: smp->remote_pk, v: smp->local_pk,
2180	x: smp->rrnd, z: 0, res: cfm);
2181	if (err)
2182	return SMP_UNSPECIFIED;
2183
2184	if (crypto_memneq(a: smp->pcnf, b: cfm, size: 16))
2185	return SMP_CONFIRM_FAILED;
2186	} else {
2187	smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, len: sizeof(smp->prnd),
2188	data: smp->prnd);
2189	SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2190
2191	/* Only Just-Works pairing requires extra checks */
2192	if (smp->method != JUST_WORKS)
2193	goto mackey_and_ltk;
2194
2195	/* If there already exists long term key in local host, leave
2196	* the decision to user space since the remote device could
2197	* be legitimate or malicious.
2198	*/
2199	if (hci_find_ltk(hdev: hcon->hdev, bdaddr: &hcon->dst, addr_type: hcon->dst_type,
2200	role: hcon->role)) {
2201	/* Set passkey to 0. The value can be any number since
2202	* it'll be ignored anyway.
2203	*/
2204	passkey = 0;
2205	confirm_hint = 1;
2206	goto confirm;
2207	}
2208	}
2209
2210	mackey_and_ltk:
2211	/* Generate MacKey and LTK */
2212	err = sc_mackey_and_ltk(smp, mackey: smp->mackey, ltk: smp->tk);
2213	if (err)
2214	return SMP_UNSPECIFIED;
2215
2216	if (smp->method == REQ_OOB) {
2217	if (hcon->out) {
2218	sc_dhkey_check(smp);
2219	SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2220	}
2221	return 0;
2222	}
2223
2224	err = smp_g2(tfm_cmac: smp->tfm_cmac, u: pkax, v: pkbx, x: na, y: nb, val: &passkey);
2225	if (err)
2226	return SMP_UNSPECIFIED;
2227
2228	confirm_hint = 0;
2229
2230	confirm:
2231	if (smp->method == JUST_WORKS)
2232	confirm_hint = 1;
2233
2234	err = mgmt_user_confirm_request(hdev: hcon->hdev, bdaddr: &hcon->dst, link_type: hcon->type,
2235	addr_type: hcon->dst_type, value: passkey, confirm_hint);
2236	if (err)
2237	return SMP_UNSPECIFIED;
2238
2239	set_bit(nr: SMP_FLAG_WAIT_USER, addr: &smp->flags);
2240
2241	return 0;
2242	}
2243
2244	static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2245	{
2246	struct smp_ltk *key;
2247	struct hci_conn *hcon = conn->hcon;
2248
2249	key = hci_find_ltk(hdev: hcon->hdev, bdaddr: &hcon->dst, addr_type: hcon->dst_type, role: hcon->role);
2250	if (!key)
2251	return false;
2252
2253	if (smp_ltk_sec_level(key) < sec_level)
2254	return false;
2255
2256	if (test_and_set_bit(nr: HCI_CONN_ENCRYPT_PEND, addr: &hcon->flags))
2257	return true;
2258
2259	hci_le_start_enc(conn: hcon, ediv: key->ediv, rand: key->rand, ltk: key->val, key_size: key->enc_size);
2260	hcon->enc_key_size = key->enc_size;
2261
2262	/* We never store STKs for initiator role, so clear this flag */
2263	clear_bit(nr: HCI_CONN_STK_ENCRYPT, addr: &hcon->flags);
2264
2265	return true;
2266	}
2267
2268	bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2269	enum smp_key_pref key_pref)
2270	{
2271	if (sec_level == BT_SECURITY_LOW)
2272	return true;
2273
2274	/* If we're encrypted with an STK but the caller prefers using
2275	* LTK claim insufficient security. This way we allow the
2276	* connection to be re-encrypted with an LTK, even if the LTK
2277	* provides the same level of security. Only exception is if we
2278	* don't have an LTK (e.g. because of key distribution bits).
2279	*/
2280	if (key_pref == SMP_USE_LTK &&
2281	test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2282	hci_find_ltk(hdev: hcon->hdev, bdaddr: &hcon->dst, addr_type: hcon->dst_type, role: hcon->role))
2283	return false;
2284
2285	if (hcon->sec_level >= sec_level)
2286	return true;
2287
2288	return false;
2289	}
2290
2291	static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2292	{
2293	struct smp_cmd_security_req *rp = (void *) skb->data;
2294	struct smp_cmd_pairing cp;
2295	struct hci_conn *hcon = conn->hcon;
2296	struct hci_dev *hdev = hcon->hdev;
2297	struct smp_chan *smp;
2298	u8 sec_level, auth;
2299
2300	bt_dev_dbg(hdev, "conn %p", conn);
2301
2302	if (skb->len < sizeof(*rp))
2303	return SMP_INVALID_PARAMS;
2304
2305	if (hcon->role != HCI_ROLE_MASTER)
2306	return SMP_CMD_NOTSUPP;
2307
2308	auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2309
2310	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2311	return SMP_AUTH_REQUIREMENTS;
2312
2313	if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2314	sec_level = BT_SECURITY_MEDIUM;
2315	else
2316	sec_level = authreq_to_seclevel(authreq: auth);
2317
2318	if (smp_sufficient_security(hcon, sec_level, key_pref: SMP_USE_LTK)) {
2319	/* If link is already encrypted with sufficient security we
2320	* still need refresh encryption as per Core Spec 5.0 Vol 3,
2321	* Part H 2.4.6
2322	*/
2323	smp_ltk_encrypt(conn, sec_level: hcon->sec_level);
2324	return 0;
2325	}
2326
2327	if (sec_level > hcon->pending_sec_level)
2328	hcon->pending_sec_level = sec_level;
2329
2330	if (smp_ltk_encrypt(conn, sec_level: hcon->pending_sec_level))
2331	return 0;
2332
2333	smp = smp_chan_create(conn);
2334	if (!smp)
2335	return SMP_UNSPECIFIED;
2336
2337	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2338	(auth & SMP_AUTH_BONDING))
2339	return SMP_PAIRING_NOTSUPP;
2340
2341	skb_pull(skb, len: sizeof(*rp));
2342
2343	memset(&cp, 0, sizeof(cp));
2344	build_pairing_cmd(conn, req: &cp, NULL, authreq: auth);
2345
2346	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2347	memcpy(&smp->preq[1], &cp, sizeof(cp));
2348
2349	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, len: sizeof(cp), data: &cp);
2350	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2351
2352	return 0;
2353	}
2354
2355	int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2356	{
2357	struct l2cap_conn *conn = hcon->l2cap_data;
2358	struct l2cap_chan *chan;
2359	struct smp_chan *smp;
2360	__u8 authreq;
2361	int ret;
2362
2363	bt_dev_dbg(hcon->hdev, "conn %p hcon %p level 0x%2.2x", conn, hcon,
2364	sec_level);
2365
2366	/* This may be NULL if there's an unexpected disconnection */
2367	if (!conn)
2368	return 1;
2369
2370	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2371	return 1;
2372
2373	if (smp_sufficient_security(hcon, sec_level, key_pref: SMP_USE_LTK))
2374	return 1;
2375
2376	if (sec_level > hcon->pending_sec_level)
2377	hcon->pending_sec_level = sec_level;
2378
2379	if (hcon->role == HCI_ROLE_MASTER)
2380	if (smp_ltk_encrypt(conn, sec_level: hcon->pending_sec_level))
2381	return 0;
2382
2383	chan = conn->smp;
2384	if (!chan) {
2385	bt_dev_err(hcon->hdev, "security requested but not available");
2386	return 1;
2387	}
2388
2389	l2cap_chan_lock(chan);
2390
2391	/* If SMP is already in progress ignore this request */
2392	if (chan->data) {
2393	ret = 0;
2394	goto unlock;
2395	}
2396
2397	smp = smp_chan_create(conn);
2398	if (!smp) {
2399	ret = 1;
2400	goto unlock;
2401	}
2402
2403	authreq = seclevel_to_authreq(sec_level);
2404
2405	if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2406	authreq |= SMP_AUTH_SC;
2407	if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2408	authreq |= SMP_AUTH_CT2;
2409	}
2410
2411	/* Don't attempt to set MITM if setting is overridden by debugfs
2412	* Needed to pass certification test SM/MAS/PKE/BV-01-C
2413	*/
2414	if (!hci_dev_test_flag(hcon->hdev, HCI_FORCE_NO_MITM)) {
2415	/* Require MITM if IO Capability allows or the security level
2416	* requires it.
2417	*/
2418	if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2419	hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2420	authreq |= SMP_AUTH_MITM;
2421	}
2422
2423	if (hcon->role == HCI_ROLE_MASTER) {
2424	struct smp_cmd_pairing cp;
2425
2426	build_pairing_cmd(conn, req: &cp, NULL, authreq);
2427	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2428	memcpy(&smp->preq[1], &cp, sizeof(cp));
2429
2430	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, len: sizeof(cp), data: &cp);
2431	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2432	} else {
2433	struct smp_cmd_security_req cp;
2434	cp.auth_req = authreq;
2435	smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, len: sizeof(cp), data: &cp);
2436	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2437	}
2438
2439	set_bit(nr: SMP_FLAG_INITIATOR, addr: &smp->flags);
2440	ret = 0;
2441
2442	unlock:
2443	l2cap_chan_unlock(chan);
2444	return ret;
2445	}
2446
2447	int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2448	u8 addr_type)
2449	{
2450	struct hci_conn *hcon;
2451	struct l2cap_conn *conn;
2452	struct l2cap_chan *chan;
2453	struct smp_chan *smp;
2454	int err;
2455
2456	err = hci_remove_ltk(hdev, bdaddr, bdaddr_type: addr_type);
2457	hci_remove_irk(hdev, bdaddr, addr_type);
2458
2459	hcon = hci_conn_hash_lookup_le(hdev, ba: bdaddr, ba_type: addr_type);
2460	if (!hcon)
2461	goto done;
2462
2463	conn = hcon->l2cap_data;
2464	if (!conn)
2465	goto done;
2466
2467	chan = conn->smp;
2468	if (!chan)
2469	goto done;
2470
2471	l2cap_chan_lock(chan);
2472
2473	smp = chan->data;
2474	if (smp) {
2475	/* Set keys to NULL to make sure smp_failure() does not try to
2476	* remove and free already invalidated rcu list entries. */
2477	smp->ltk = NULL;
2478	smp->responder_ltk = NULL;
2479	smp->remote_irk = NULL;
2480
2481	if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2482	smp_failure(conn, reason: 0);
2483	else
2484	smp_failure(conn, SMP_UNSPECIFIED);
2485	err = 0;
2486	}
2487
2488	l2cap_chan_unlock(chan);
2489
2490	done:
2491	return err;
2492	}
2493
2494	static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2495	{
2496	struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2497	struct l2cap_chan *chan = conn->smp;
2498	struct smp_chan *smp = chan->data;
2499
2500	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
2501
2502	if (skb->len < sizeof(*rp))
2503	return SMP_INVALID_PARAMS;
2504
2505	/* Pairing is aborted if any blocked keys are distributed */
2506	if (hci_is_blocked_key(hdev: conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_LTK,
2507	val: rp->ltk)) {
2508	bt_dev_warn_ratelimited(conn->hcon->hdev,
2509	"LTK blocked for %pMR",
2510	&conn->hcon->dst);
2511	return SMP_INVALID_PARAMS;
2512	}
2513
2514	SMP_ALLOW_CMD(smp, SMP_CMD_INITIATOR_IDENT);
2515
2516	skb_pull(skb, len: sizeof(*rp));
2517
2518	memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2519
2520	return 0;
2521	}
2522
2523	static int smp_cmd_initiator_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2524	{
2525	struct smp_cmd_initiator_ident *rp = (void *)skb->data;
2526	struct l2cap_chan *chan = conn->smp;
2527	struct smp_chan *smp = chan->data;
2528	struct hci_dev *hdev = conn->hcon->hdev;
2529	struct hci_conn *hcon = conn->hcon;
2530	struct smp_ltk *ltk;
2531	u8 authenticated;
2532
2533	bt_dev_dbg(hdev, "conn %p", conn);
2534
2535	if (skb->len < sizeof(*rp))
2536	return SMP_INVALID_PARAMS;
2537
2538	/* Mark the information as received */
2539	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2540
2541	if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2542	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2543	else if (smp->remote_key_dist & SMP_DIST_SIGN)
2544	SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2545
2546	skb_pull(skb, len: sizeof(*rp));
2547
2548	authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2549	ltk = hci_add_ltk(hdev, bdaddr: &hcon->dst, addr_type: hcon->dst_type, type: SMP_LTK,
2550	authenticated, tk: smp->tk, enc_size: smp->enc_key_size,
2551	ediv: rp->ediv, rand: rp->rand);
2552	smp->ltk = ltk;
2553	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2554	smp_distribute_keys(smp);
2555
2556	return 0;
2557	}
2558
2559	static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2560	{
2561	struct smp_cmd_ident_info *info = (void *) skb->data;
2562	struct l2cap_chan *chan = conn->smp;
2563	struct smp_chan *smp = chan->data;
2564
2565	bt_dev_dbg(conn->hcon->hdev, "");
2566
2567	if (skb->len < sizeof(*info))
2568	return SMP_INVALID_PARAMS;
2569
2570	/* Pairing is aborted if any blocked keys are distributed */
2571	if (hci_is_blocked_key(hdev: conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_IRK,
2572	val: info->irk)) {
2573	bt_dev_warn_ratelimited(conn->hcon->hdev,
2574	"Identity key blocked for %pMR",
2575	&conn->hcon->dst);
2576	return SMP_INVALID_PARAMS;
2577	}
2578
2579	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2580
2581	skb_pull(skb, len: sizeof(*info));
2582
2583	memcpy(smp->irk, info->irk, 16);
2584
2585	return 0;
2586	}
2587
2588	static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2589	struct sk_buff *skb)
2590	{
2591	struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2592	struct l2cap_chan *chan = conn->smp;
2593	struct smp_chan *smp = chan->data;
2594	struct hci_conn *hcon = conn->hcon;
2595	bdaddr_t rpa;
2596
2597	bt_dev_dbg(hcon->hdev, "");
2598
2599	if (skb->len < sizeof(*info))
2600	return SMP_INVALID_PARAMS;
2601
2602	/* Mark the information as received */
2603	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2604
2605	if (smp->remote_key_dist & SMP_DIST_SIGN)
2606	SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2607
2608	skb_pull(skb, len: sizeof(*info));
2609
2610	/* Strictly speaking the Core Specification (4.1) allows sending
2611	* an empty address which would force us to rely on just the IRK
2612	* as "identity information". However, since such
2613	* implementations are not known of and in order to not over
2614	* complicate our implementation, simply pretend that we never
2615	* received an IRK for such a device.
2616	*
2617	* The Identity Address must also be a Static Random or Public
2618	* Address, which hci_is_identity_address() checks for.
2619	*/
2620	if (!bacmp(ba1: &info->bdaddr, BDADDR_ANY) ||
2621	!hci_is_identity_address(addr: &info->bdaddr, addr_type: info->addr_type)) {
2622	bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
2623	goto distribute;
2624	}
2625
2626	/* Drop IRK if peer is using identity address during pairing but is
2627	* providing different address as identity information.
2628	*
2629	* Microsoft Surface Precision Mouse is known to have this bug.
2630	*/
2631	if (hci_is_identity_address(addr: &hcon->dst, addr_type: hcon->dst_type) &&
2632	(bacmp(ba1: &info->bdaddr, ba2: &hcon->dst) ||
2633	info->addr_type != hcon->dst_type)) {
2634	bt_dev_err(hcon->hdev,
2635	"ignoring IRK with invalid identity address");
2636	goto distribute;
2637	}
2638
2639	bacpy(dst: &smp->id_addr, src: &info->bdaddr);
2640	smp->id_addr_type = info->addr_type;
2641
2642	if (hci_bdaddr_is_rpa(bdaddr: &hcon->dst, addr_type: hcon->dst_type))
2643	bacpy(dst: &rpa, src: &hcon->dst);
2644	else
2645	bacpy(dst: &rpa, BDADDR_ANY);
2646
2647	smp->remote_irk = hci_add_irk(hdev: conn->hcon->hdev, bdaddr: &smp->id_addr,
2648	addr_type: smp->id_addr_type, val: smp->irk, rpa: &rpa);
2649
2650	distribute:
2651	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2652	smp_distribute_keys(smp);
2653
2654	return 0;
2655	}
2656
2657	static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2658	{
2659	struct smp_cmd_sign_info *rp = (void *) skb->data;
2660	struct l2cap_chan *chan = conn->smp;
2661	struct smp_chan *smp = chan->data;
2662	struct smp_csrk *csrk;
2663
2664	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
2665
2666	if (skb->len < sizeof(*rp))
2667	return SMP_INVALID_PARAMS;
2668
2669	/* Mark the information as received */
2670	smp->remote_key_dist &= ~SMP_DIST_SIGN;
2671
2672	skb_pull(skb, len: sizeof(*rp));
2673
2674	csrk = kzalloc(size: sizeof(*csrk), GFP_KERNEL);
2675	if (csrk) {
2676	if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2677	csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2678	else
2679	csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2680	memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2681	}
2682	smp->csrk = csrk;
2683	smp_distribute_keys(smp);
2684
2685	return 0;
2686	}
2687
2688	static u8 sc_select_method(struct smp_chan *smp)
2689	{
2690	struct l2cap_conn *conn = smp->conn;
2691	struct hci_conn *hcon = conn->hcon;
2692	struct smp_cmd_pairing *local, *remote;
2693	u8 local_mitm, remote_mitm, local_io, remote_io, method;
2694
2695	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2696	test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2697	return REQ_OOB;
2698
2699	/* The preq/prsp contain the raw Pairing Request/Response PDUs
2700	* which are needed as inputs to some crypto functions. To get
2701	* the "struct smp_cmd_pairing" from them we need to skip the
2702	* first byte which contains the opcode.
2703	*/
2704	if (hcon->out) {
2705	local = (void *) &smp->preq[1];
2706	remote = (void *) &smp->prsp[1];
2707	} else {
2708	local = (void *) &smp->prsp[1];
2709	remote = (void *) &smp->preq[1];
2710	}
2711
2712	local_io = local->io_capability;
2713	remote_io = remote->io_capability;
2714
2715	local_mitm = (local->auth_req & SMP_AUTH_MITM);
2716	remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2717
2718	/* If either side wants MITM, look up the method from the table,
2719	* otherwise use JUST WORKS.
2720	*/
2721	if (local_mitm || remote_mitm)
2722	method = get_auth_method(smp, local_io, remote_io);
2723	else
2724	method = JUST_WORKS;
2725
2726	/* Don't confirm locally initiated pairing attempts */
2727	if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2728	method = JUST_WORKS;
2729
2730	return method;
2731	}
2732
2733	static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2734	{
2735	struct smp_cmd_public_key *key = (void *) skb->data;
2736	struct hci_conn *hcon = conn->hcon;
2737	struct l2cap_chan *chan = conn->smp;
2738	struct smp_chan *smp = chan->data;
2739	struct hci_dev *hdev = hcon->hdev;
2740	struct crypto_kpp *tfm_ecdh;
2741	struct smp_cmd_pairing_confirm cfm;
2742	int err;
2743
2744	bt_dev_dbg(hdev, "conn %p", conn);
2745
2746	if (skb->len < sizeof(*key))
2747	return SMP_INVALID_PARAMS;
2748
2749	/* Check if remote and local public keys are the same and debug key is
2750	* not in use.
2751	*/
2752	if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) &&
2753	!crypto_memneq(a: key, b: smp->local_pk, size: 64)) {
2754	bt_dev_err(hdev, "Remote and local public keys are identical");
2755	return SMP_UNSPECIFIED;
2756	}
2757
2758	memcpy(smp->remote_pk, key, 64);
2759
2760	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2761	err = smp_f4(tfm_cmac: smp->tfm_cmac, u: smp->remote_pk, v: smp->remote_pk,
2762	x: smp->rr, z: 0, res: cfm.confirm_val);
2763	if (err)
2764	return SMP_UNSPECIFIED;
2765
2766	if (crypto_memneq(a: cfm.confirm_val, b: smp->pcnf, size: 16))
2767	return SMP_CONFIRM_FAILED;
2768	}
2769
2770	/* Non-initiating device sends its public key after receiving
2771	* the key from the initiating device.
2772	*/
2773	if (!hcon->out) {
2774	err = sc_send_public_key(smp);
2775	if (err)
2776	return err;
2777	}
2778
2779	SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2780	SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2781
2782	/* Compute the shared secret on the same crypto tfm on which the private
2783	* key was set/generated.
2784	*/
2785	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
2786	struct l2cap_chan *hchan = hdev->smp_data;
2787	struct smp_dev *smp_dev;
2788
2789	if (!hchan || !hchan->data)
2790	return SMP_UNSPECIFIED;
2791
2792	smp_dev = hchan->data;
2793
2794	tfm_ecdh = smp_dev->tfm_ecdh;
2795	} else {
2796	tfm_ecdh = smp->tfm_ecdh;
2797	}
2798
2799	if (compute_ecdh_secret(tfm: tfm_ecdh, pair_public_key: smp->remote_pk, secret: smp->dhkey))
2800	return SMP_UNSPECIFIED;
2801
2802	SMP_DBG("DHKey %32phN", smp->dhkey);
2803
2804	set_bit(nr: SMP_FLAG_REMOTE_PK, addr: &smp->flags);
2805
2806	smp->method = sc_select_method(smp);
2807
2808	bt_dev_dbg(hdev, "selected method 0x%02x", smp->method);
2809
2810	/* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2811	if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2812	hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2813	else
2814	hcon->pending_sec_level = BT_SECURITY_FIPS;
2815
2816	if (!crypto_memneq(a: debug_pk, b: smp->remote_pk, size: 64))
2817	set_bit(nr: SMP_FLAG_DEBUG_KEY, addr: &smp->flags);
2818
2819	if (smp->method == DSP_PASSKEY) {
2820	get_random_bytes(buf: &hcon->passkey_notify,
2821	len: sizeof(hcon->passkey_notify));
2822	hcon->passkey_notify %= 1000000;
2823	hcon->passkey_entered = 0;
2824	smp->passkey_round = 0;
2825	if (mgmt_user_passkey_notify(hdev, bdaddr: &hcon->dst, link_type: hcon->type,
2826	addr_type: hcon->dst_type,
2827	passkey: hcon->passkey_notify,
2828	entered: hcon->passkey_entered))
2829	return SMP_UNSPECIFIED;
2830	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2831	return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2832	}
2833
2834	if (smp->method == REQ_OOB) {
2835	if (hcon->out)
2836	smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2837	len: sizeof(smp->prnd), data: smp->prnd);
2838
2839	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2840
2841	return 0;
2842	}
2843
2844	if (hcon->out)
2845	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2846
2847	if (smp->method == REQ_PASSKEY) {
2848	if (mgmt_user_passkey_request(hdev, bdaddr: &hcon->dst, link_type: hcon->type,
2849	addr_type: hcon->dst_type))
2850	return SMP_UNSPECIFIED;
2851	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2852	set_bit(nr: SMP_FLAG_WAIT_USER, addr: &smp->flags);
2853	return 0;
2854	}
2855
2856	/* The Initiating device waits for the non-initiating device to
2857	* send the confirm value.
2858	*/
2859	if (conn->hcon->out)
2860	return 0;
2861
2862	err = smp_f4(tfm_cmac: smp->tfm_cmac, u: smp->local_pk, v: smp->remote_pk, x: smp->prnd,
2863	z: 0, res: cfm.confirm_val);
2864	if (err)
2865	return SMP_UNSPECIFIED;
2866
2867	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, len: sizeof(cfm), data: &cfm);
2868	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2869
2870	return 0;
2871	}
2872
2873	static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2874	{
2875	struct smp_cmd_dhkey_check *check = (void *) skb->data;
2876	struct l2cap_chan *chan = conn->smp;
2877	struct hci_conn *hcon = conn->hcon;
2878	struct smp_chan *smp = chan->data;
2879	u8 a[7], b[7], *local_addr, *remote_addr;
2880	u8 io_cap[3], r[16], e[16];
2881	int err;
2882
2883	bt_dev_dbg(hcon->hdev, "conn %p", conn);
2884
2885	if (skb->len < sizeof(*check))
2886	return SMP_INVALID_PARAMS;
2887
2888	memcpy(a, &hcon->init_addr, 6);
2889	memcpy(b, &hcon->resp_addr, 6);
2890	a[6] = hcon->init_addr_type;
2891	b[6] = hcon->resp_addr_type;
2892
2893	if (hcon->out) {
2894	local_addr = a;
2895	remote_addr = b;
2896	memcpy(io_cap, &smp->prsp[1], 3);
2897	} else {
2898	local_addr = b;
2899	remote_addr = a;
2900	memcpy(io_cap, &smp->preq[1], 3);
2901	}
2902
2903	memset(r, 0, sizeof(r));
2904
2905	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2906	put_unaligned_le32(val: hcon->passkey_notify, p: r);
2907	else if (smp->method == REQ_OOB)
2908	memcpy(r, smp->lr, 16);
2909
2910	err = smp_f6(tfm_cmac: smp->tfm_cmac, w: smp->mackey, n1: smp->rrnd, n2: smp->prnd, r,
2911	io_cap, a1: remote_addr, a2: local_addr, res: e);
2912	if (err)
2913	return SMP_UNSPECIFIED;
2914
2915	if (crypto_memneq(a: check->e, b: e, size: 16))
2916	return SMP_DHKEY_CHECK_FAILED;
2917
2918	if (!hcon->out) {
2919	if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2920	set_bit(nr: SMP_FLAG_DHKEY_PENDING, addr: &smp->flags);
2921	return 0;
2922	}
2923
2924	/* Responder sends DHKey check as response to initiator */
2925	sc_dhkey_check(smp);
2926	}
2927
2928	sc_add_ltk(smp);
2929
2930	if (hcon->out) {
2931	hci_le_start_enc(conn: hcon, ediv: 0, rand: 0, ltk: smp->tk, key_size: smp->enc_key_size);
2932	hcon->enc_key_size = smp->enc_key_size;
2933	}
2934
2935	return 0;
2936	}
2937
2938	static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2939	struct sk_buff *skb)
2940	{
2941	struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2942
2943	bt_dev_dbg(conn->hcon->hdev, "value 0x%02x", kp->value);
2944
2945	return 0;
2946	}
2947
2948	static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2949	{
2950	struct l2cap_conn *conn = chan->conn;
2951	struct hci_conn *hcon = conn->hcon;
2952	struct smp_chan *smp;
2953	__u8 code, reason;
2954	int err = 0;
2955
2956	if (skb->len < 1)
2957	return -EILSEQ;
2958
2959	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2960	reason = SMP_PAIRING_NOTSUPP;
2961	goto done;
2962	}
2963
2964	code = skb->data[0];
2965	skb_pull(skb, len: sizeof(code));
2966
2967	smp = chan->data;
2968
2969	if (code > SMP_CMD_MAX)
2970	goto drop;
2971
2972	if (smp && !test_and_clear_bit(nr: code, addr: &smp->allow_cmd))
2973	goto drop;
2974
2975	/* If we don't have a context the only allowed commands are
2976	* pairing request and security request.
2977	*/
2978	if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2979	goto drop;
2980
2981	switch (code) {
2982	case SMP_CMD_PAIRING_REQ:
2983	reason = smp_cmd_pairing_req(conn, skb);
2984	break;
2985
2986	case SMP_CMD_PAIRING_FAIL:
2987	smp_failure(conn, reason: 0);
2988	err = -EPERM;
2989	break;
2990
2991	case SMP_CMD_PAIRING_RSP:
2992	reason = smp_cmd_pairing_rsp(conn, skb);
2993	break;
2994
2995	case SMP_CMD_SECURITY_REQ:
2996	reason = smp_cmd_security_req(conn, skb);
2997	break;
2998
2999	case SMP_CMD_PAIRING_CONFIRM:
3000	reason = smp_cmd_pairing_confirm(conn, skb);
3001	break;
3002
3003	case SMP_CMD_PAIRING_RANDOM:
3004	reason = smp_cmd_pairing_random(conn, skb);
3005	break;
3006
3007	case SMP_CMD_ENCRYPT_INFO:
3008	reason = smp_cmd_encrypt_info(conn, skb);
3009	break;
3010
3011	case SMP_CMD_INITIATOR_IDENT:
3012	reason = smp_cmd_initiator_ident(conn, skb);
3013	break;
3014
3015	case SMP_CMD_IDENT_INFO:
3016	reason = smp_cmd_ident_info(conn, skb);
3017	break;
3018
3019	case SMP_CMD_IDENT_ADDR_INFO:
3020	reason = smp_cmd_ident_addr_info(conn, skb);
3021	break;
3022
3023	case SMP_CMD_SIGN_INFO:
3024	reason = smp_cmd_sign_info(conn, skb);
3025	break;
3026
3027	case SMP_CMD_PUBLIC_KEY:
3028	reason = smp_cmd_public_key(conn, skb);
3029	break;
3030
3031	case SMP_CMD_DHKEY_CHECK:
3032	reason = smp_cmd_dhkey_check(conn, skb);
3033	break;
3034
3035	case SMP_CMD_KEYPRESS_NOTIFY:
3036	reason = smp_cmd_keypress_notify(conn, skb);
3037	break;
3038
3039	default:
3040	bt_dev_dbg(hcon->hdev, "Unknown command code 0x%2.2x", code);
3041	reason = SMP_CMD_NOTSUPP;
3042	goto done;
3043	}
3044
3045	done:
3046	if (!err) {
3047	if (reason)
3048	smp_failure(conn, reason);
3049	kfree_skb(skb);
3050	}
3051
3052	return err;
3053
3054	drop:
3055	bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
3056	code, &hcon->dst);
3057	kfree_skb(skb);
3058	return 0;
3059	}
3060
3061	static void smp_teardown_cb(struct l2cap_chan *chan, int err)
3062	{
3063	struct l2cap_conn *conn = chan->conn;
3064
3065	bt_dev_dbg(conn->hcon->hdev, "chan %p", chan);
3066
3067	if (chan->data)
3068	smp_chan_destroy(conn);
3069
3070	conn->smp = NULL;
3071	l2cap_chan_put(c: chan);
3072	}
3073
3074	static void bredr_pairing(struct l2cap_chan *chan)
3075	{
3076	struct l2cap_conn *conn = chan->conn;
3077	struct hci_conn *hcon = conn->hcon;
3078	struct hci_dev *hdev = hcon->hdev;
3079	struct smp_cmd_pairing req;
3080	struct smp_chan *smp;
3081
3082	bt_dev_dbg(hdev, "chan %p", chan);
3083
3084	/* Only new pairings are interesting */
3085	if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
3086	return;
3087
3088	/* Don't bother if we're not encrypted */
3089	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3090	return;
3091
3092	/* Only initiator may initiate SMP over BR/EDR */
3093	if (hcon->role != HCI_ROLE_MASTER)
3094	return;
3095
3096	/* Secure Connections support must be enabled */
3097	if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
3098	return;
3099
3100	/* BR/EDR must use Secure Connections for SMP */
3101	if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
3102	!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3103	return;
3104
3105	/* If our LE support is not enabled don't do anything */
3106	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3107	return;
3108
3109	/* Don't bother if remote LE support is not enabled */
3110	if (!lmp_host_le_capable(hcon))
3111	return;
3112
3113	/* Remote must support SMP fixed chan for BR/EDR */
3114	if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3115	return;
3116
3117	/* Don't bother if SMP is already ongoing */
3118	if (chan->data)
3119	return;
3120
3121	smp = smp_chan_create(conn);
3122	if (!smp) {
3123	bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
3124	return;
3125	}
3126
3127	set_bit(nr: SMP_FLAG_SC, addr: &smp->flags);
3128
3129	bt_dev_dbg(hdev, "starting SMP over BR/EDR");
3130
3131	/* Prepare and send the BR/EDR SMP Pairing Request */
3132	build_bredr_pairing_cmd(smp, req: &req, NULL);
3133
3134	smp->preq[0] = SMP_CMD_PAIRING_REQ;
3135	memcpy(&smp->preq[1], &req, sizeof(req));
3136
3137	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, len: sizeof(req), data: &req);
3138	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3139	}
3140
3141	static void smp_resume_cb(struct l2cap_chan *chan)
3142	{
3143	struct smp_chan *smp = chan->data;
3144	struct l2cap_conn *conn = chan->conn;
3145	struct hci_conn *hcon = conn->hcon;
3146
3147	bt_dev_dbg(hcon->hdev, "chan %p", chan);
3148
3149	if (hcon->type == ACL_LINK) {
3150	bredr_pairing(chan);
3151	return;
3152	}
3153
3154	if (!smp)
3155	return;
3156
3157	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3158	return;
3159
3160	cancel_delayed_work(dwork: &smp->security_timer);
3161
3162	smp_distribute_keys(smp);
3163	}
3164
3165	static void smp_ready_cb(struct l2cap_chan *chan)
3166	{
3167	struct l2cap_conn *conn = chan->conn;
3168	struct hci_conn *hcon = conn->hcon;
3169
3170	bt_dev_dbg(hcon->hdev, "chan %p", chan);
3171
3172	/* No need to call l2cap_chan_hold() here since we already own
3173	* the reference taken in smp_new_conn_cb(). This is just the
3174	* first time that we tie it to a specific pointer. The code in
3175	* l2cap_core.c ensures that there's no risk this function wont
3176	* get called if smp_new_conn_cb was previously called.
3177	*/
3178	conn->smp = chan;
3179
3180	if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3181	bredr_pairing(chan);
3182	}
3183
3184	static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3185	{
3186	int err;
3187
3188	bt_dev_dbg(chan->conn->hcon->hdev, "chan %p", chan);
3189
3190	err = smp_sig_channel(chan, skb);
3191	if (err) {
3192	struct smp_chan *smp = chan->data;
3193
3194	if (smp)
3195	cancel_delayed_work_sync(dwork: &smp->security_timer);
3196
3197	hci_disconnect(conn: chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3198	}
3199
3200	return err;
3201	}
3202
3203	static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3204	unsigned long hdr_len,
3205	unsigned long len, int nb)
3206	{
3207	struct sk_buff *skb;
3208
3209	skb = bt_skb_alloc(len: hdr_len + len, GFP_KERNEL);
3210	if (!skb)
3211	return ERR_PTR(error: -ENOMEM);
3212
3213	skb->priority = HCI_PRIO_MAX;
3214	bt_cb(skb)->l2cap.chan = chan;
3215
3216	return skb;
3217	}
3218
3219	static const struct l2cap_ops smp_chan_ops = {
3220	.name = "Security Manager",
3221	.ready = smp_ready_cb,
3222	.recv = smp_recv_cb,
3223	.alloc_skb = smp_alloc_skb_cb,
3224	.teardown = smp_teardown_cb,
3225	.resume = smp_resume_cb,
3226
3227	.new_connection = l2cap_chan_no_new_connection,
3228	.state_change = l2cap_chan_no_state_change,
3229	.close = l2cap_chan_no_close,
3230	.defer = l2cap_chan_no_defer,
3231	.suspend = l2cap_chan_no_suspend,
3232	.set_shutdown = l2cap_chan_no_set_shutdown,
3233	.get_sndtimeo = l2cap_chan_no_get_sndtimeo,
3234	};
3235
3236	static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3237	{
3238	struct l2cap_chan *chan;
3239
3240	BT_DBG("pchan %p", pchan);
3241
3242	chan = l2cap_chan_create();
3243	if (!chan)
3244	return NULL;
3245
3246	chan->chan_type = pchan->chan_type;
3247	chan->ops = &smp_chan_ops;
3248	chan->scid = pchan->scid;
3249	chan->dcid = chan->scid;
3250	chan->imtu = pchan->imtu;
3251	chan->omtu = pchan->omtu;
3252	chan->mode = pchan->mode;
3253
3254	/* Other L2CAP channels may request SMP routines in order to
3255	* change the security level. This means that the SMP channel
3256	* lock must be considered in its own category to avoid lockdep
3257	* warnings.
3258	*/
3259	atomic_set(v: &chan->nesting, i: L2CAP_NESTING_SMP);
3260
3261	BT_DBG("created chan %p", chan);
3262
3263	return chan;
3264	}
3265
3266	static const struct l2cap_ops smp_root_chan_ops = {
3267	.name = "Security Manager Root",
3268	.new_connection = smp_new_conn_cb,
3269
3270	/* None of these are implemented for the root channel */
3271	.close = l2cap_chan_no_close,
3272	.alloc_skb = l2cap_chan_no_alloc_skb,
3273	.recv = l2cap_chan_no_recv,
3274	.state_change = l2cap_chan_no_state_change,
3275	.teardown = l2cap_chan_no_teardown,
3276	.ready = l2cap_chan_no_ready,
3277	.defer = l2cap_chan_no_defer,
3278	.suspend = l2cap_chan_no_suspend,
3279	.resume = l2cap_chan_no_resume,
3280	.set_shutdown = l2cap_chan_no_set_shutdown,
3281	.get_sndtimeo = l2cap_chan_no_get_sndtimeo,
3282	};
3283
3284	static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3285	{
3286	struct l2cap_chan *chan;
3287	struct smp_dev *smp;
3288	struct crypto_shash *tfm_cmac;
3289	struct crypto_kpp *tfm_ecdh;
3290
3291	if (cid == L2CAP_CID_SMP_BREDR) {
3292	smp = NULL;
3293	goto create_chan;
3294	}
3295
3296	smp = kzalloc(size: sizeof(*smp), GFP_KERNEL);
3297	if (!smp)
3298	return ERR_PTR(error: -ENOMEM);
3299
3300	tfm_cmac = crypto_alloc_shash(alg_name: "cmac(aes)", type: 0, mask: 0);
3301	if (IS_ERR(ptr: tfm_cmac)) {
3302	bt_dev_err(hdev, "Unable to create CMAC crypto context");
3303	kfree_sensitive(objp: smp);
3304	return ERR_CAST(ptr: tfm_cmac);
3305	}
3306
3307	tfm_ecdh = crypto_alloc_kpp(alg_name: "ecdh-nist-p256", type: 0, mask: 0);
3308	if (IS_ERR(ptr: tfm_ecdh)) {
3309	bt_dev_err(hdev, "Unable to create ECDH crypto context");
3310	crypto_free_shash(tfm: tfm_cmac);
3311	kfree_sensitive(objp: smp);
3312	return ERR_CAST(ptr: tfm_ecdh);
3313	}
3314
3315	smp->local_oob = false;
3316	smp->tfm_cmac = tfm_cmac;
3317	smp->tfm_ecdh = tfm_ecdh;
3318
3319	create_chan:
3320	chan = l2cap_chan_create();
3321	if (!chan) {
3322	if (smp) {
3323	crypto_free_shash(tfm: smp->tfm_cmac);
3324	crypto_free_kpp(tfm: smp->tfm_ecdh);
3325	kfree_sensitive(objp: smp);
3326	}
3327	return ERR_PTR(error: -ENOMEM);
3328	}
3329
3330	chan->data = smp;
3331
3332	l2cap_add_scid(chan, scid: cid);
3333
3334	l2cap_chan_set_defaults(chan);
3335
3336	if (cid == L2CAP_CID_SMP) {
3337	u8 bdaddr_type;
3338
3339	hci_copy_identity_address(hdev, bdaddr: &chan->src, bdaddr_type: &bdaddr_type);
3340
3341	if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3342	chan->src_type = BDADDR_LE_PUBLIC;
3343	else
3344	chan->src_type = BDADDR_LE_RANDOM;
3345	} else {
3346	bacpy(dst: &chan->src, src: &hdev->bdaddr);
3347	chan->src_type = BDADDR_BREDR;
3348	}
3349
3350	chan->state = BT_LISTEN;
3351	chan->mode = L2CAP_MODE_BASIC;
3352	chan->imtu = L2CAP_DEFAULT_MTU;
3353	chan->ops = &smp_root_chan_ops;
3354
3355	/* Set correct nesting level for a parent/listening channel */
3356	atomic_set(v: &chan->nesting, i: L2CAP_NESTING_PARENT);
3357
3358	return chan;
3359	}
3360
3361	static void smp_del_chan(struct l2cap_chan *chan)
3362	{
3363	struct smp_dev *smp;
3364
3365	BT_DBG("chan %p", chan);
3366
3367	smp = chan->data;
3368	if (smp) {
3369	chan->data = NULL;
3370	crypto_free_shash(tfm: smp->tfm_cmac);
3371	crypto_free_kpp(tfm: smp->tfm_ecdh);
3372	kfree_sensitive(objp: smp);
3373	}
3374
3375	l2cap_chan_put(c: chan);
3376	}
3377
3378	int smp_force_bredr(struct hci_dev *hdev, bool enable)
3379	{
3380	if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3381	return -EALREADY;
3382
3383	if (enable) {
3384	struct l2cap_chan *chan;
3385
3386	chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3387	if (IS_ERR(ptr: chan))
3388	return PTR_ERR(ptr: chan);
3389
3390	hdev->smp_bredr_data = chan;
3391	} else {
3392	struct l2cap_chan *chan;
3393
3394	chan = hdev->smp_bredr_data;
3395	hdev->smp_bredr_data = NULL;
3396	smp_del_chan(chan);
3397	}
3398
3399	hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3400
3401	return 0;
3402	}
3403
3404	int smp_register(struct hci_dev *hdev)
3405	{
3406	struct l2cap_chan *chan;
3407
3408	bt_dev_dbg(hdev, "");
3409
3410	/* If the controller does not support Low Energy operation, then
3411	* there is also no need to register any SMP channel.
3412	*/
3413	if (!lmp_le_capable(hdev))
3414	return 0;
3415
3416	if (WARN_ON(hdev->smp_data)) {
3417	chan = hdev->smp_data;
3418	hdev->smp_data = NULL;
3419	smp_del_chan(chan);
3420	}
3421
3422	chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3423	if (IS_ERR(ptr: chan))
3424	return PTR_ERR(ptr: chan);
3425
3426	hdev->smp_data = chan;
3427
3428	if (!lmp_sc_capable(hdev)) {
3429	/* Flag can be already set here (due to power toggle) */
3430	if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3431	return 0;
3432	}
3433
3434	if (WARN_ON(hdev->smp_bredr_data)) {
3435	chan = hdev->smp_bredr_data;
3436	hdev->smp_bredr_data = NULL;
3437	smp_del_chan(chan);
3438	}
3439
3440	chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3441	if (IS_ERR(ptr: chan)) {
3442	int err = PTR_ERR(ptr: chan);
3443	chan = hdev->smp_data;
3444	hdev->smp_data = NULL;
3445	smp_del_chan(chan);
3446	return err;
3447	}
3448
3449	hdev->smp_bredr_data = chan;
3450
3451	return 0;
3452	}
3453
3454	void smp_unregister(struct hci_dev *hdev)
3455	{
3456	struct l2cap_chan *chan;
3457
3458	if (hdev->smp_bredr_data) {
3459	chan = hdev->smp_bredr_data;
3460	hdev->smp_bredr_data = NULL;
3461	smp_del_chan(chan);
3462	}
3463
3464	if (hdev->smp_data) {
3465	chan = hdev->smp_data;
3466	hdev->smp_data = NULL;
3467	smp_del_chan(chan);
3468	}
3469	}
3470
3471	#if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3472
3473	static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
3474	{
3475	u8 pk[64];
3476	int err;
3477
3478	err = set_ecdh_privkey(tfm: tfm_ecdh, private_key: debug_sk);
3479	if (err)
3480	return err;
3481
3482	err = generate_ecdh_public_key(tfm: tfm_ecdh, public_key: pk);
3483	if (err)
3484	return err;
3485
3486	if (crypto_memneq(a: pk, b: debug_pk, size: 64))
3487	return -EINVAL;
3488
3489	return 0;
3490	}
3491
3492	static int __init test_ah(void)
3493	{
3494	const u8 irk[16] = {
3495	0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3496	0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3497	const u8 r[3] = { 0x94, 0x81, 0x70 };
3498	const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3499	u8 res[3];
3500	int err;
3501
3502	err = smp_ah(irk, r, res);
3503	if (err)
3504	return err;
3505
3506	if (crypto_memneq(a: res, b: exp, size: 3))
3507	return -EINVAL;
3508
3509	return 0;
3510	}
3511
3512	static int __init test_c1(void)
3513	{
3514	const u8 k[16] = {
3515	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3516	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3517	const u8 r[16] = {
3518	0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3519	0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3520	const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3521	const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3522	const u8 _iat = 0x01;
3523	const u8 _rat = 0x00;
3524	const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3525	const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3526	const u8 exp[16] = {
3527	0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3528	0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3529	u8 res[16];
3530	int err;
3531
3532	err = smp_c1(k, r, preq, pres, _iat, ia: &ia, _rat, ra: &ra, res);
3533	if (err)
3534	return err;
3535
3536	if (crypto_memneq(a: res, b: exp, size: 16))
3537	return -EINVAL;
3538
3539	return 0;
3540	}
3541
3542	static int __init test_s1(void)
3543	{
3544	const u8 k[16] = {
3545	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3546	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3547	const u8 r1[16] = {
3548	0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3549	const u8 r2[16] = {
3550	0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3551	const u8 exp[16] = {
3552	0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3553	0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3554	u8 res[16];
3555	int err;
3556
3557	err = smp_s1(k, r1, r2, r: res);
3558	if (err)
3559	return err;
3560
3561	if (crypto_memneq(a: res, b: exp, size: 16))
3562	return -EINVAL;
3563
3564	return 0;
3565	}
3566
3567	static int __init test_f4(struct crypto_shash *tfm_cmac)
3568	{
3569	const u8 u[32] = {
3570	0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3571	0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3572	0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3573	0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3574	const u8 v[32] = {
3575	0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3576	0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3577	0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3578	0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3579	const u8 x[16] = {
3580	0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3581	0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3582	const u8 z = 0x00;
3583	const u8 exp[16] = {
3584	0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3585	0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3586	u8 res[16];
3587	int err;
3588
3589	err = smp_f4(tfm_cmac, u, v, x, z, res);
3590	if (err)
3591	return err;
3592
3593	if (crypto_memneq(a: res, b: exp, size: 16))
3594	return -EINVAL;
3595
3596	return 0;
3597	}
3598
3599	static int __init test_f5(struct crypto_shash *tfm_cmac)
3600	{
3601	const u8 w[32] = {
3602	0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3603	0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3604	0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3605	0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3606	const u8 n1[16] = {
3607	0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3608	0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3609	const u8 n2[16] = {
3610	0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3611	0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3612	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3613	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3614	const u8 exp_ltk[16] = {
3615	0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3616	0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3617	const u8 exp_mackey[16] = {
3618	0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3619	0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3620	u8 mackey[16], ltk[16];
3621	int err;
3622
3623	err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3624	if (err)
3625	return err;
3626
3627	if (crypto_memneq(a: mackey, b: exp_mackey, size: 16))
3628	return -EINVAL;
3629
3630	if (crypto_memneq(a: ltk, b: exp_ltk, size: 16))
3631	return -EINVAL;
3632
3633	return 0;
3634	}
3635
3636	static int __init test_f6(struct crypto_shash *tfm_cmac)
3637	{
3638	const u8 w[16] = {
3639	0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3640	0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3641	const u8 n1[16] = {
3642	0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3643	0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3644	const u8 n2[16] = {
3645	0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3646	0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3647	const u8 r[16] = {
3648	0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3649	0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3650	const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3651	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3652	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3653	const u8 exp[16] = {
3654	0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3655	0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3656	u8 res[16];
3657	int err;
3658
3659	err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3660	if (err)
3661	return err;
3662
3663	if (crypto_memneq(a: res, b: exp, size: 16))
3664	return -EINVAL;
3665
3666	return 0;
3667	}
3668
3669	static int __init test_g2(struct crypto_shash *tfm_cmac)
3670	{
3671	const u8 u[32] = {
3672	0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3673	0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3674	0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3675	0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3676	const u8 v[32] = {
3677	0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3678	0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3679	0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3680	0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3681	const u8 x[16] = {
3682	0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3683	0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3684	const u8 y[16] = {
3685	0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3686	0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3687	const u32 exp_val = 0x2f9ed5ba % 1000000;
3688	u32 val;
3689	int err;
3690
3691	err = smp_g2(tfm_cmac, u, v, x, y, val: &val);
3692	if (err)
3693	return err;
3694
3695	if (val != exp_val)
3696	return -EINVAL;
3697
3698	return 0;
3699	}
3700
3701	static int __init test_h6(struct crypto_shash *tfm_cmac)
3702	{
3703	const u8 w[16] = {
3704	0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3705	0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3706	const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3707	const u8 exp[16] = {
3708	0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3709	0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3710	u8 res[16];
3711	int err;
3712
3713	err = smp_h6(tfm_cmac, w, key_id, res);
3714	if (err)
3715	return err;
3716
3717	if (crypto_memneq(a: res, b: exp, size: 16))
3718	return -EINVAL;
3719
3720	return 0;
3721	}
3722
3723	static char test_smp_buffer[32];
3724
3725	static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3726	size_t count, loff_t *ppos)
3727	{
3728	return simple_read_from_buffer(to: user_buf, count, ppos, from: test_smp_buffer,
3729	strlen(test_smp_buffer));
3730	}
3731
3732	static const struct file_operations test_smp_fops = {
3733	.open = simple_open,
3734	.read = test_smp_read,
3735	.llseek = default_llseek,
3736	};
3737
3738	static int __init run_selftests(struct crypto_shash *tfm_cmac,
3739	struct crypto_kpp *tfm_ecdh)
3740	{
3741	ktime_t calltime, delta, rettime;
3742	unsigned long long duration;
3743	int err;
3744
3745	calltime = ktime_get();
3746
3747	err = test_debug_key(tfm_ecdh);
3748	if (err) {
3749	BT_ERR("debug_key test failed");
3750	goto done;
3751	}
3752
3753	err = test_ah();
3754	if (err) {
3755	BT_ERR("smp_ah test failed");
3756	goto done;
3757	}
3758
3759	err = test_c1();
3760	if (err) {
3761	BT_ERR("smp_c1 test failed");
3762	goto done;
3763	}
3764
3765	err = test_s1();
3766	if (err) {
3767	BT_ERR("smp_s1 test failed");
3768	goto done;
3769	}
3770
3771	err = test_f4(tfm_cmac);
3772	if (err) {
3773	BT_ERR("smp_f4 test failed");
3774	goto done;
3775	}
3776
3777	err = test_f5(tfm_cmac);
3778	if (err) {
3779	BT_ERR("smp_f5 test failed");
3780	goto done;
3781	}
3782
3783	err = test_f6(tfm_cmac);
3784	if (err) {
3785	BT_ERR("smp_f6 test failed");
3786	goto done;
3787	}
3788
3789	err = test_g2(tfm_cmac);
3790	if (err) {
3791	BT_ERR("smp_g2 test failed");
3792	goto done;
3793	}
3794
3795	err = test_h6(tfm_cmac);
3796	if (err) {
3797	BT_ERR("smp_h6 test failed");
3798	goto done;
3799	}
3800
3801	rettime = ktime_get();
3802	delta = ktime_sub(rettime, calltime);
3803	duration = (unsigned long long) ktime_to_ns(kt: delta) >> 10;
3804
3805	BT_INFO("SMP test passed in %llu usecs", duration);
3806
3807	done:
3808	if (!err)
3809	snprintf(buf: test_smp_buffer, size: sizeof(test_smp_buffer),
3810	fmt: "PASS (%llu usecs)\n", duration);
3811	else
3812	snprintf(buf: test_smp_buffer, size: sizeof(test_smp_buffer), fmt: "FAIL\n");
3813
3814	debugfs_create_file(name: "selftest_smp", mode: 0444, parent: bt_debugfs, NULL,
3815	fops: &test_smp_fops);
3816
3817	return err;
3818	}
3819
3820	int __init bt_selftest_smp(void)
3821	{
3822	struct crypto_shash *tfm_cmac;
3823	struct crypto_kpp *tfm_ecdh;
3824	int err;
3825
3826	tfm_cmac = crypto_alloc_shash(alg_name: "cmac(aes)", type: 0, mask: 0);
3827	if (IS_ERR(ptr: tfm_cmac)) {
3828	BT_ERR("Unable to create CMAC crypto context");
3829	return PTR_ERR(ptr: tfm_cmac);
3830	}
3831
3832	tfm_ecdh = crypto_alloc_kpp(alg_name: "ecdh-nist-p256", type: 0, mask: 0);
3833	if (IS_ERR(ptr: tfm_ecdh)) {
3834	BT_ERR("Unable to create ECDH crypto context");
3835	crypto_free_shash(tfm: tfm_cmac);
3836	return PTR_ERR(ptr: tfm_ecdh);
3837	}
3838
3839	err = run_selftests(tfm_cmac, tfm_ecdh);
3840
3841	crypto_free_shash(tfm: tfm_cmac);
3842	crypto_free_kpp(tfm: tfm_ecdh);
3843
3844	return err;
3845	}
3846
3847	#endif
3848