1	/*
2	BlueZ - Bluetooth protocol stack for Linux
3	Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4
5	This program is free software; you can redistribute it and/or modify
6	it under the terms of the GNU General Public License version 2 as
7	published by the Free Software Foundation;
8
9	THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10	OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11	FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12	IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13	CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14	WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15	ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16	OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
18	ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19	COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20	SOFTWARE IS DISCLAIMED.
21	*/
22
23	#include <linux/debugfs.h>
24	#include <linux/scatterlist.h>
25	#include <crypto/aes.h>
26	#include <crypto/hash.h>
27	#include <crypto/kpp.h>
28	#include <crypto/utils.h>
29
30	#include <net/bluetooth/bluetooth.h>
31	#include <net/bluetooth/hci_core.h>
32	#include <net/bluetooth/l2cap.h>
33	#include <net/bluetooth/mgmt.h>
34
35	#include "ecdh_helper.h"
36	#include "smp.h"
37
38	#define SMP_DEV(hdev) \
39	((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
40
41	/* Low-level debug macros to be used for stuff that we don't want
42	* accidentally in dmesg, i.e. the values of the various crypto keys
43	* and the inputs & outputs of crypto functions.
44	*/
45	#ifdef DEBUG
46	#define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
47	##__VA_ARGS__)
48	#else
49	#define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
50	##__VA_ARGS__)
51	#endif
52
53	#define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
54
55	/* Keys which are not distributed with Secure Connections */
56	#define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY)
57
58	#define SMP_TIMEOUT msecs_to_jiffies(30000)
59
60	#define ID_ADDR_TIMEOUT msecs_to_jiffies(200)
61
62	#define AUTH_REQ_MASK(dev) (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
63	0x3f : 0x07)
64	#define KEY_DIST_MASK 0x07
65
66	/* Maximum message length that can be passed to aes_cmac */
67	#define CMAC_MSG_MAX 80
68
69	enum {
70	SMP_FLAG_TK_VALID,
71	SMP_FLAG_CFM_PENDING,
72	SMP_FLAG_MITM_AUTH,
73	SMP_FLAG_COMPLETE,
74	SMP_FLAG_INITIATOR,
75	SMP_FLAG_SC,
76	SMP_FLAG_REMOTE_PK,
77	SMP_FLAG_DEBUG_KEY,
78	SMP_FLAG_WAIT_USER,
79	SMP_FLAG_DHKEY_PENDING,
80	SMP_FLAG_REMOTE_OOB,
81	SMP_FLAG_LOCAL_OOB,
82	SMP_FLAG_CT2,
83	};
84
85	struct smp_dev {
86	/* Secure Connections OOB data */
87	bool local_oob;
88	u8 local_pk[64];
89	u8 local_rand[16];
90	bool debug_key;
91
92	struct crypto_shash *tfm_cmac;
93	struct crypto_kpp *tfm_ecdh;
94	};
95
96	struct smp_chan {
97	struct l2cap_conn *conn;
98	struct delayed_work security_timer;
99	unsigned long allow_cmd; /* Bitmask of allowed commands */
100
101	u8 preq[7]; /* SMP Pairing Request */
102	u8 prsp[7]; /* SMP Pairing Response */
103	u8 prnd[16]; /* SMP Pairing Random (local) */
104	u8 rrnd[16]; /* SMP Pairing Random (remote) */
105	u8 pcnf[16]; /* SMP Pairing Confirm */
106	u8 tk[16]; /* SMP Temporary Key */
107	u8 rr[16]; /* Remote OOB ra/rb value */
108	u8 lr[16]; /* Local OOB ra/rb value */
109	u8 enc_key_size;
110	u8 remote_key_dist;
111	bdaddr_t id_addr;
112	u8 id_addr_type;
113	u8 irk[16];
114	struct smp_csrk *csrk;
115	struct smp_csrk *responder_csrk;
116	struct smp_ltk *ltk;
117	struct smp_ltk *responder_ltk;
118	struct smp_irk *remote_irk;
119	u8 *link_key;
120	unsigned long flags;
121	u8 method;
122	u8 passkey_round;
123
124	/* Secure Connections variables */
125	u8 local_pk[64];
126	u8 remote_pk[64];
127	u8 dhkey[32];
128	u8 mackey[16];
129
130	struct crypto_shash *tfm_cmac;
131	struct crypto_kpp *tfm_ecdh;
132	};
133
134	/* These debug key values are defined in the SMP section of the core
135	* specification. debug_pk is the public debug key and debug_sk the
136	* private debug key.
137	*/
138	static const u8 debug_pk[64] = {
139	0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
140	0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
141	0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
142	0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
143
144	0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
145	0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
146	0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
147	0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
148	};
149
150	static const u8 debug_sk[32] = {
151	0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
152	0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
153	0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
154	0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
155	};
156
157	static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
158	{
159	size_t i;
160
161	for (i = 0; i < len; i++)
162	dst[len - 1 - i] = src[i];
163	}
164
165	/* The following functions map to the LE SC SMP crypto functions
166	* AES-CMAC, f4, f5, f6, g2 and h6.
167	*/
168
169	static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
170	size_t len, u8 mac[16])
171	{
172	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
173	int err;
174
175	if (len > CMAC_MSG_MAX)
176	return -EFBIG;
177
178	if (!tfm) {
179	BT_ERR("tfm %p", tfm);
180	return -EINVAL;
181	}
182
183	/* Swap key and message from LSB to MSB */
184	swap_buf(src: k, dst: tmp, len: 16);
185	swap_buf(src: m, dst: msg_msb, len);
186
187	SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
188	SMP_DBG("key %16phN", k);
189
190	err = crypto_shash_setkey(tfm, key: tmp, keylen: 16);
191	if (err) {
192	BT_ERR("cipher setkey failed: %d", err);
193	return err;
194	}
195
196	err = crypto_shash_tfm_digest(tfm, data: msg_msb, len, out: mac_msb);
197	if (err) {
198	BT_ERR("Hash computation error %d", err);
199	return err;
200	}
201
202	swap_buf(src: mac_msb, dst: mac, len: 16);
203
204	SMP_DBG("mac %16phN", mac);
205
206	return 0;
207	}
208
209	static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
210	const u8 v[32], const u8 x[16], u8 z, u8 res[16])
211	{
212	u8 m[65];
213	int err;
214
215	SMP_DBG("u %32phN", u);
216	SMP_DBG("v %32phN", v);
217	SMP_DBG("x %16phN z %02x", x, z);
218
219	m[0] = z;
220	memcpy(m + 1, v, 32);
221	memcpy(m + 33, u, 32);
222
223	err = aes_cmac(tfm: tfm_cmac, k: x, m, len: sizeof(m), mac: res);
224	if (err)
225	return err;
226
227	SMP_DBG("res %16phN", res);
228
229	return err;
230	}
231
232	static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
233	const u8 n1[16], const u8 n2[16], const u8 a1[7],
234	const u8 a2[7], u8 mackey[16], u8 ltk[16])
235	{
236	/* The btle, salt and length "magic" values are as defined in
237	* the SMP section of the Bluetooth core specification. In ASCII
238	* the btle value ends up being 'btle'. The salt is just a
239	* random number whereas length is the value 256 in little
240	* endian format.
241	*/
242	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
243	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
244	0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
245	const u8 length[2] = { 0x00, 0x01 };
246	u8 m[53], t[16];
247	int err;
248
249	SMP_DBG("w %32phN", w);
250	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
251	SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
252
253	err = aes_cmac(tfm: tfm_cmac, k: salt, m: w, len: 32, mac: t);
254	if (err)
255	return err;
256
257	SMP_DBG("t %16phN", t);
258
259	memcpy(m, length, 2);
260	memcpy(m + 2, a2, 7);
261	memcpy(m + 9, a1, 7);
262	memcpy(m + 16, n2, 16);
263	memcpy(m + 32, n1, 16);
264	memcpy(m + 48, btle, 4);
265
266	m[52] = 0; /* Counter */
267
268	err = aes_cmac(tfm: tfm_cmac, k: t, m, len: sizeof(m), mac: mackey);
269	if (err)
270	return err;
271
272	SMP_DBG("mackey %16phN", mackey);
273
274	m[52] = 1; /* Counter */
275
276	err = aes_cmac(tfm: tfm_cmac, k: t, m, len: sizeof(m), mac: ltk);
277	if (err)
278	return err;
279
280	SMP_DBG("ltk %16phN", ltk);
281
282	return 0;
283	}
284
285	static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
286	const u8 n1[16], const u8 n2[16], const u8 r[16],
287	const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
288	u8 res[16])
289	{
290	u8 m[65];
291	int err;
292
293	SMP_DBG("w %16phN", w);
294	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
295	SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
296
297	memcpy(m, a2, 7);
298	memcpy(m + 7, a1, 7);
299	memcpy(m + 14, io_cap, 3);
300	memcpy(m + 17, r, 16);
301	memcpy(m + 33, n2, 16);
302	memcpy(m + 49, n1, 16);
303
304	err = aes_cmac(tfm: tfm_cmac, k: w, m, len: sizeof(m), mac: res);
305	if (err)
306	return err;
307
308	SMP_DBG("res %16phN", res);
309
310	return err;
311	}
312
313	static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
314	const u8 x[16], const u8 y[16], u32 *val)
315	{
316	u8 m[80], tmp[16];
317	int err;
318
319	SMP_DBG("u %32phN", u);
320	SMP_DBG("v %32phN", v);
321	SMP_DBG("x %16phN y %16phN", x, y);
322
323	memcpy(m, y, 16);
324	memcpy(m + 16, v, 32);
325	memcpy(m + 48, u, 32);
326
327	err = aes_cmac(tfm: tfm_cmac, k: x, m, len: sizeof(m), mac: tmp);
328	if (err)
329	return err;
330
331	*val = get_unaligned_le32(p: tmp);
332	*val %= 1000000;
333
334	SMP_DBG("val %06u", *val);
335
336	return 0;
337	}
338
339	static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
340	const u8 key_id[4], u8 res[16])
341	{
342	int err;
343
344	SMP_DBG("w %16phN key_id %4phN", w, key_id);
345
346	err = aes_cmac(tfm: tfm_cmac, k: w, m: key_id, len: 4, mac: res);
347	if (err)
348	return err;
349
350	SMP_DBG("res %16phN", res);
351
352	return err;
353	}
354
355	static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
356	const u8 salt[16], u8 res[16])
357	{
358	int err;
359
360	SMP_DBG("w %16phN salt %16phN", w, salt);
361
362	err = aes_cmac(tfm: tfm_cmac, k: salt, m: w, len: 16, mac: res);
363	if (err)
364	return err;
365
366	SMP_DBG("res %16phN", res);
367
368	return err;
369	}
370
371	/* The following functions map to the legacy SMP crypto functions e, c1,
372	* s1 and ah.
373	*/
374
375	static int smp_e(const u8 *k, u8 *r)
376	{
377	struct crypto_aes_ctx ctx;
378	uint8_t tmp[16], data[16];
379	int err;
380
381	SMP_DBG("k %16phN r %16phN", k, r);
382
383	/* The most significant octet of key corresponds to k[0] */
384	swap_buf(src: k, dst: tmp, len: 16);
385
386	err = aes_expandkey(ctx: &ctx, in_key: tmp, key_len: 16);
387	if (err) {
388	BT_ERR("cipher setkey failed: %d", err);
389	return err;
390	}
391
392	/* Most significant octet of plaintextData corresponds to data[0] */
393	swap_buf(src: r, dst: data, len: 16);
394
395	aes_encrypt(ctx: &ctx, out: data, in: data);
396
397	/* Most significant octet of encryptedData corresponds to data[0] */
398	swap_buf(src: data, dst: r, len: 16);
399
400	SMP_DBG("r %16phN", r);
401
402	memzero_explicit(s: &ctx, count: sizeof(ctx));
403	return err;
404	}
405
406	static int smp_c1(const u8 k[16],
407	const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
408	const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
409	{
410	u8 p1[16], p2[16];
411	int err;
412
413	SMP_DBG("k %16phN r %16phN", k, r);
414	SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
415	SMP_DBG("preq %7phN pres %7phN", preq, pres);
416
417	memset(p1, 0, 16);
418
419	/* p1 = pres || preq || _rat || _iat */
420	p1[0] = _iat;
421	p1[1] = _rat;
422	memcpy(p1 + 2, preq, 7);
423	memcpy(p1 + 9, pres, 7);
424
425	SMP_DBG("p1 %16phN", p1);
426
427	/* res = r XOR p1 */
428	crypto_xor_cpy(dst: res, src1: r, src2: p1, size: sizeof(p1));
429
430	/* res = e(k, res) */
431	err = smp_e(k, r: res);
432	if (err) {
433	BT_ERR("Encrypt data error");
434	return err;
435	}
436
437	/* p2 = padding || ia || ra */
438	memcpy(p2, ra, 6);
439	memcpy(p2 + 6, ia, 6);
440	memset(p2 + 12, 0, 4);
441
442	SMP_DBG("p2 %16phN", p2);
443
444	/* res = res XOR p2 */
445	crypto_xor(dst: res, src: p2, size: sizeof(p2));
446
447	/* res = e(k, res) */
448	err = smp_e(k, r: res);
449	if (err)
450	BT_ERR("Encrypt data error");
451
452	return err;
453	}
454
455	static int smp_s1(const u8 k[16],
456	const u8 r1[16], const u8 r2[16], u8 _r[16])
457	{
458	int err;
459
460	/* Just least significant octets from r1 and r2 are considered */
461	memcpy(_r, r2, 8);
462	memcpy(_r + 8, r1, 8);
463
464	err = smp_e(k, r: _r);
465	if (err)
466	BT_ERR("Encrypt data error");
467
468	return err;
469	}
470
471	static int smp_ah(const u8 irk[16], const u8 r[3], u8 res[3])
472	{
473	u8 _res[16];
474	int err;
475
476	/* r' = padding || r */
477	memcpy(_res, r, 3);
478	memset(_res + 3, 0, 13);
479
480	err = smp_e(k: irk, r: _res);
481	if (err) {
482	BT_ERR("Encrypt error");
483	return err;
484	}
485
486	/* The output of the random address function ah is:
487	* ah(k, r) = e(k, r') mod 2^24
488	* The output of the security function e is then truncated to 24 bits
489	* by taking the least significant 24 bits of the output of e as the
490	* result of ah.
491	*/
492	memcpy(res, _res, 3);
493
494	return 0;
495	}
496
497	bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
498	const bdaddr_t *bdaddr)
499	{
500	struct l2cap_chan *chan = hdev->smp_data;
501	u8 hash[3];
502	int err;
503
504	if (!chan || !chan->data)
505	return false;
506
507	bt_dev_dbg(hdev, "RPA %pMR IRK %*phN", bdaddr, 16, irk);
508
509	err = smp_ah(irk, r: &bdaddr->b[3], res: hash);
510	if (err)
511	return false;
512
513	return !crypto_memneq(a: bdaddr->b, b: hash, size: 3);
514	}
515
516	int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
517	{
518	struct l2cap_chan *chan = hdev->smp_data;
519	int err;
520
521	if (!chan || !chan->data)
522	return -EOPNOTSUPP;
523
524	get_random_bytes(buf: &rpa->b[3], len: 3);
525
526	rpa->b[5] &= 0x3f; /* Clear two most significant bits */
527	rpa->b[5] |= 0x40; /* Set second most significant bit */
528
529	err = smp_ah(irk, r: &rpa->b[3], res: rpa->b);
530	if (err < 0)
531	return err;
532
533	bt_dev_dbg(hdev, "RPA %pMR", rpa);
534
535	return 0;
536	}
537
538	int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
539	{
540	struct l2cap_chan *chan = hdev->smp_data;
541	struct smp_dev *smp;
542	int err;
543
544	if (!chan || !chan->data)
545	return -EOPNOTSUPP;
546
547	smp = chan->data;
548
549	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
550	bt_dev_dbg(hdev, "Using debug keys");
551	err = set_ecdh_privkey(tfm: smp->tfm_ecdh, private_key: debug_sk);
552	if (err)
553	return err;
554	memcpy(smp->local_pk, debug_pk, 64);
555	smp->debug_key = true;
556	} else {
557	while (true) {
558	/* Generate key pair for Secure Connections */
559	err = generate_ecdh_keys(tfm: smp->tfm_ecdh, public_key: smp->local_pk);
560	if (err)
561	return err;
562
563	/* This is unlikely, but we need to check that
564	* we didn't accidentally generate a debug key.
565	*/
566	if (crypto_memneq(a: smp->local_pk, b: debug_pk, size: 64))
567	break;
568	}
569	smp->debug_key = false;
570	}
571
572	SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
573	SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
574
575	get_random_bytes(buf: smp->local_rand, len: 16);
576
577	err = smp_f4(tfm_cmac: smp->tfm_cmac, u: smp->local_pk, v: smp->local_pk,
578	x: smp->local_rand, z: 0, res: hash);
579	if (err < 0)
580	return err;
581
582	memcpy(rand, smp->local_rand, 16);
583
584	smp->local_oob = true;
585
586	return 0;
587	}
588
589	static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
590	{
591	struct l2cap_chan *chan = conn->smp;
592	struct smp_chan *smp;
593	struct kvec iv[2];
594	struct msghdr msg;
595
596	if (!chan)
597	return;
598
599	bt_dev_dbg(conn->hcon->hdev, "code 0x%2.2x", code);
600
601	iv[0].iov_base = &code;
602	iv[0].iov_len = 1;
603
604	iv[1].iov_base = data;
605	iv[1].iov_len = len;
606
607	memset(&msg, 0, sizeof(msg));
608
609	iov_iter_kvec(i: &msg.msg_iter, ITER_SOURCE, kvec: iv, nr_segs: 2, count: 1 + len);
610
611	l2cap_chan_send(chan, msg: &msg, len: 1 + len);
612
613	if (!chan->data)
614	return;
615
616	smp = chan->data;
617
618	cancel_delayed_work_sync(dwork: &smp->security_timer);
619	schedule_delayed_work(dwork: &smp->security_timer, SMP_TIMEOUT);
620	}
621
622	static u8 authreq_to_seclevel(u8 authreq)
623	{
624	if (authreq & SMP_AUTH_MITM) {
625	if (authreq & SMP_AUTH_SC)
626	return BT_SECURITY_FIPS;
627	else
628	return BT_SECURITY_HIGH;
629	} else {
630	return BT_SECURITY_MEDIUM;
631	}
632	}
633
634	static __u8 seclevel_to_authreq(__u8 sec_level)
635	{
636	switch (sec_level) {
637	case BT_SECURITY_FIPS:
638	case BT_SECURITY_HIGH:
639	return SMP_AUTH_MITM | SMP_AUTH_BONDING;
640	case BT_SECURITY_MEDIUM:
641	return SMP_AUTH_BONDING;
642	default:
643	return SMP_AUTH_NONE;
644	}
645	}
646
647	static void build_pairing_cmd(struct l2cap_conn *conn,
648	struct smp_cmd_pairing *req,
649	struct smp_cmd_pairing *rsp, __u8 authreq)
650	{
651	struct l2cap_chan *chan = conn->smp;
652	struct smp_chan *smp = chan->data;
653	struct hci_conn *hcon = conn->hcon;
654	struct hci_dev *hdev = hcon->hdev;
655	u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
656
657	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
658	local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
659	remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
660	authreq |= SMP_AUTH_BONDING;
661	} else {
662	authreq &= ~SMP_AUTH_BONDING;
663	}
664
665	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
666	remote_dist |= SMP_DIST_ID_KEY;
667
668	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
669	local_dist |= SMP_DIST_ID_KEY;
670
671	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
672	(authreq & SMP_AUTH_SC)) {
673	struct oob_data *oob_data;
674	u8 bdaddr_type;
675
676	if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
677	local_dist |= SMP_DIST_LINK_KEY;
678	remote_dist |= SMP_DIST_LINK_KEY;
679	}
680
681	if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
682	bdaddr_type = BDADDR_LE_PUBLIC;
683	else
684	bdaddr_type = BDADDR_LE_RANDOM;
685
686	oob_data = hci_find_remote_oob_data(hdev, bdaddr: &hcon->dst,
687	bdaddr_type);
688	if (oob_data && oob_data->present) {
689	set_bit(nr: SMP_FLAG_REMOTE_OOB, addr: &smp->flags);
690	oob_flag = SMP_OOB_PRESENT;
691	memcpy(smp->rr, oob_data->rand256, 16);
692	memcpy(smp->pcnf, oob_data->hash256, 16);
693	SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
694	SMP_DBG("OOB Remote Random: %16phN", smp->rr);
695	}
696
697	} else {
698	authreq &= ~SMP_AUTH_SC;
699	}
700
701	if (rsp == NULL) {
702	req->io_capability = conn->hcon->io_capability;
703	req->oob_flag = oob_flag;
704	req->max_key_size = hdev->le_max_key_size;
705	req->init_key_dist = local_dist;
706	req->resp_key_dist = remote_dist;
707	req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
708
709	smp->remote_key_dist = remote_dist;
710	return;
711	}
712
713	rsp->io_capability = conn->hcon->io_capability;
714	rsp->oob_flag = oob_flag;
715	rsp->max_key_size = hdev->le_max_key_size;
716	rsp->init_key_dist = req->init_key_dist & remote_dist;
717	rsp->resp_key_dist = req->resp_key_dist & local_dist;
718	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
719
720	smp->remote_key_dist = rsp->init_key_dist;
721	}
722
723	static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
724	{
725	struct l2cap_chan *chan = conn->smp;
726	struct hci_dev *hdev = conn->hcon->hdev;
727	struct smp_chan *smp = chan->data;
728
729	if (conn->hcon->pending_sec_level == BT_SECURITY_FIPS &&
730	max_key_size != SMP_MAX_ENC_KEY_SIZE)
731	return SMP_ENC_KEY_SIZE;
732
733	if (max_key_size > hdev->le_max_key_size ||
734	max_key_size < SMP_MIN_ENC_KEY_SIZE)
735	return SMP_ENC_KEY_SIZE;
736
737	smp->enc_key_size = max_key_size;
738
739	return 0;
740	}
741
742	static void smp_chan_destroy(struct l2cap_conn *conn)
743	{
744	struct l2cap_chan *chan = conn->smp;
745	struct smp_chan *smp = chan->data;
746	struct hci_conn *hcon = conn->hcon;
747	bool complete;
748
749	BUG_ON(!smp);
750
751	cancel_delayed_work_sync(dwork: &smp->security_timer);
752
753	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
754	mgmt_smp_complete(conn: hcon, complete);
755
756	kfree_sensitive(objp: smp->csrk);
757	kfree_sensitive(objp: smp->responder_csrk);
758	kfree_sensitive(objp: smp->link_key);
759
760	crypto_free_shash(tfm: smp->tfm_cmac);
761	crypto_free_kpp(tfm: smp->tfm_ecdh);
762
763	/* Ensure that we don't leave any debug key around if debug key
764	* support hasn't been explicitly enabled.
765	*/
766	if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
767	!hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
768	list_del_rcu(entry: &smp->ltk->list);
769	kfree_rcu(smp->ltk, rcu);
770	smp->ltk = NULL;
771	}
772
773	/* If pairing failed clean up any keys we might have */
774	if (!complete) {
775	if (smp->ltk) {
776	list_del_rcu(entry: &smp->ltk->list);
777	kfree_rcu(smp->ltk, rcu);
778	}
779
780	if (smp->responder_ltk) {
781	list_del_rcu(entry: &smp->responder_ltk->list);
782	kfree_rcu(smp->responder_ltk, rcu);
783	}
784
785	if (smp->remote_irk) {
786	list_del_rcu(entry: &smp->remote_irk->list);
787	kfree_rcu(smp->remote_irk, rcu);
788	}
789	}
790
791	chan->data = NULL;
792	kfree_sensitive(objp: smp);
793	hci_conn_drop(conn: hcon);
794	}
795
796	static void smp_failure(struct l2cap_conn *conn, u8 reason)
797	{
798	struct hci_conn *hcon = conn->hcon;
799	struct l2cap_chan *chan = conn->smp;
800
801	if (reason)
802	smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, len: sizeof(reason),
803	data: &reason);
804
805	mgmt_auth_failed(conn: hcon, HCI_ERROR_AUTH_FAILURE);
806
807	if (chan->data)
808	smp_chan_destroy(conn);
809	}
810
811	#define JUST_WORKS 0x00
812	#define JUST_CFM 0x01
813	#define REQ_PASSKEY 0x02
814	#define CFM_PASSKEY 0x03
815	#define REQ_OOB 0x04
816	#define DSP_PASSKEY 0x05
817	#define OVERLAP 0xFF
818
819	static const u8 gen_method[5][5] = {
820	{ JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
821	{ JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
822	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
823	{ JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
824	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
825	};
826
827	static const u8 sc_method[5][5] = {
828	{ JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
829	{ JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
830	{ DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
831	{ JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
832	{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
833	};
834
835	static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
836	{
837	/* If either side has unknown io_caps, use JUST_CFM (which gets
838	* converted later to JUST_WORKS if we're initiators.
839	*/
840	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
841	remote_io > SMP_IO_KEYBOARD_DISPLAY)
842	return JUST_CFM;
843
844	if (test_bit(SMP_FLAG_SC, &smp->flags))
845	return sc_method[remote_io][local_io];
846
847	return gen_method[remote_io][local_io];
848	}
849
850	static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
851	u8 local_io, u8 remote_io)
852	{
853	struct hci_conn *hcon = conn->hcon;
854	struct l2cap_chan *chan = conn->smp;
855	struct smp_chan *smp = chan->data;
856	u32 passkey = 0;
857	int ret;
858
859	/* Initialize key for JUST WORKS */
860	memset(smp->tk, 0, sizeof(smp->tk));
861	clear_bit(nr: SMP_FLAG_TK_VALID, addr: &smp->flags);
862
863	bt_dev_dbg(hcon->hdev, "auth:%u lcl:%u rem:%u", auth, local_io,
864	remote_io);
865
866	/* If neither side wants MITM, either "just" confirm an incoming
867	* request or use just-works for outgoing ones. The JUST_CFM
868	* will be converted to JUST_WORKS if necessary later in this
869	* function. If either side has MITM look up the method from the
870	* table.
871	*/
872	if (!(auth & SMP_AUTH_MITM))
873	smp->method = JUST_CFM;
874	else
875	smp->method = get_auth_method(smp, local_io, remote_io);
876
877	/* Don't confirm locally initiated pairing attempts */
878	if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
879	&smp->flags))
880	smp->method = JUST_WORKS;
881
882	/* Don't bother user space with no IO capabilities */
883	if (smp->method == JUST_CFM &&
884	hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
885	smp->method = JUST_WORKS;
886
887	/* If Just Works, Continue with Zero TK and ask user-space for
888	* confirmation */
889	if (smp->method == JUST_WORKS) {
890	ret = mgmt_user_confirm_request(hdev: hcon->hdev, bdaddr: &hcon->dst,
891	link_type: hcon->type,
892	addr_type: hcon->dst_type,
893	value: passkey, confirm_hint: 1);
894	if (ret)
895	return ret;
896	set_bit(nr: SMP_FLAG_WAIT_USER, addr: &smp->flags);
897	return 0;
898	}
899
900	/* If this function is used for SC -> legacy fallback we
901	* can only recover the just-works case.
902	*/
903	if (test_bit(SMP_FLAG_SC, &smp->flags))
904	return -EINVAL;
905
906	/* Not Just Works/Confirm results in MITM Authentication */
907	if (smp->method != JUST_CFM) {
908	set_bit(nr: SMP_FLAG_MITM_AUTH, addr: &smp->flags);
909	if (hcon->pending_sec_level < BT_SECURITY_HIGH)
910	hcon->pending_sec_level = BT_SECURITY_HIGH;
911	}
912
913	/* If both devices have Keyboard-Display I/O, the initiator
914	* Confirms and the responder Enters the passkey.
915	*/
916	if (smp->method == OVERLAP) {
917	if (hcon->role == HCI_ROLE_MASTER)
918	smp->method = CFM_PASSKEY;
919	else
920	smp->method = REQ_PASSKEY;
921	}
922
923	/* Generate random passkey. */
924	if (smp->method == CFM_PASSKEY) {
925	memset(smp->tk, 0, sizeof(smp->tk));
926	get_random_bytes(buf: &passkey, len: sizeof(passkey));
927	passkey %= 1000000;
928	put_unaligned_le32(val: passkey, p: smp->tk);
929	bt_dev_dbg(hcon->hdev, "PassKey: %u", passkey);
930	set_bit(nr: SMP_FLAG_TK_VALID, addr: &smp->flags);
931	}
932
933	if (smp->method == REQ_PASSKEY)
934	ret = mgmt_user_passkey_request(hdev: hcon->hdev, bdaddr: &hcon->dst,
935	link_type: hcon->type, addr_type: hcon->dst_type);
936	else if (smp->method == JUST_CFM)
937	ret = mgmt_user_confirm_request(hdev: hcon->hdev, bdaddr: &hcon->dst,
938	link_type: hcon->type, addr_type: hcon->dst_type,
939	value: passkey, confirm_hint: 1);
940	else
941	ret = mgmt_user_passkey_notify(hdev: hcon->hdev, bdaddr: &hcon->dst,
942	link_type: hcon->type, addr_type: hcon->dst_type,
943	passkey, entered: 0);
944
945	return ret;
946	}
947
948	static u8 smp_confirm(struct smp_chan *smp)
949	{
950	struct l2cap_conn *conn = smp->conn;
951	struct smp_cmd_pairing_confirm cp;
952	int ret;
953
954	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
955
956	ret = smp_c1(k: smp->tk, r: smp->prnd, preq: smp->preq, pres: smp->prsp,
957	iat: conn->hcon->init_addr_type, ia: &conn->hcon->init_addr,
958	rat: conn->hcon->resp_addr_type, ra: &conn->hcon->resp_addr,
959	res: cp.confirm_val);
960	if (ret)
961	return SMP_UNSPECIFIED;
962
963	clear_bit(nr: SMP_FLAG_CFM_PENDING, addr: &smp->flags);
964
965	smp_send_cmd(conn: smp->conn, SMP_CMD_PAIRING_CONFIRM, len: sizeof(cp), data: &cp);
966
967	if (conn->hcon->out)
968	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
969	else
970	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
971
972	return 0;
973	}
974
975	static u8 smp_random(struct smp_chan *smp)
976	{
977	struct l2cap_conn *conn = smp->conn;
978	struct hci_conn *hcon = conn->hcon;
979	u8 confirm[16];
980	int ret;
981
982	bt_dev_dbg(conn->hcon->hdev, "conn %p %s", conn,
983	conn->hcon->out ? "initiator" : "responder");
984
985	ret = smp_c1(k: smp->tk, r: smp->rrnd, preq: smp->preq, pres: smp->prsp,
986	iat: hcon->init_addr_type, ia: &hcon->init_addr,
987	rat: hcon->resp_addr_type, ra: &hcon->resp_addr, res: confirm);
988	if (ret)
989	return SMP_UNSPECIFIED;
990
991	if (crypto_memneq(a: smp->pcnf, b: confirm, size: sizeof(smp->pcnf))) {
992	bt_dev_err(hcon->hdev, "pairing failed "
993	"(confirmation values mismatch)");
994	return SMP_CONFIRM_FAILED;
995	}
996
997	if (hcon->out) {
998	u8 stk[16];
999	__le64 rand = 0;
1000	__le16 ediv = 0;
1001
1002	smp_s1(k: smp->tk, r1: smp->rrnd, r2: smp->prnd, r: stk);
1003
1004	if (test_and_set_bit(nr: HCI_CONN_ENCRYPT_PEND, addr: &hcon->flags))
1005	return SMP_UNSPECIFIED;
1006
1007	hci_le_start_enc(conn: hcon, ediv, rand, ltk: stk, key_size: smp->enc_key_size);
1008	hcon->enc_key_size = smp->enc_key_size;
1009	set_bit(nr: HCI_CONN_STK_ENCRYPT, addr: &hcon->flags);
1010	} else {
1011	u8 stk[16], auth;
1012	__le64 rand = 0;
1013	__le16 ediv = 0;
1014
1015	smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, len: sizeof(smp->prnd),
1016	data: smp->prnd);
1017
1018	smp_s1(k: smp->tk, r1: smp->prnd, r2: smp->rrnd, r: stk);
1019
1020	if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1021	auth = 1;
1022	else
1023	auth = 0;
1024
1025	/* Even though there's no _RESPONDER suffix this is the
1026	* responder STK we're adding for later lookup (the initiator
1027	* STK never needs to be stored).
1028	*/
1029	hci_add_ltk(hdev: hcon->hdev, bdaddr: &hcon->dst, addr_type: hcon->dst_type,
1030	type: SMP_STK, authenticated: auth, tk: stk, enc_size: smp->enc_key_size, ediv, rand);
1031	}
1032
1033	return 0;
1034	}
1035
1036	static void smp_notify_keys(struct l2cap_conn *conn)
1037	{
1038	struct l2cap_chan *chan = conn->smp;
1039	struct smp_chan *smp = chan->data;
1040	struct hci_conn *hcon = conn->hcon;
1041	struct hci_dev *hdev = hcon->hdev;
1042	struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1043	struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1044	bool persistent;
1045
1046	if (hcon->type == ACL_LINK) {
1047	if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1048	persistent = false;
1049	else
1050	persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1051	&hcon->flags);
1052	} else {
1053	/* The LTKs, IRKs and CSRKs should be persistent only if
1054	* both sides had the bonding bit set in their
1055	* authentication requests.
1056	*/
1057	persistent = !!((req->auth_req & rsp->auth_req) &
1058	SMP_AUTH_BONDING);
1059	}
1060
1061	if (smp->remote_irk) {
1062	smp->remote_irk->link_type = hcon->type;
1063	mgmt_new_irk(hdev, irk: smp->remote_irk, persistent);
1064
1065	/* Now that user space can be considered to know the
1066	* identity address track the connection based on it
1067	* from now on (assuming this is an LE link).
1068	*/
1069	if (hcon->type == LE_LINK) {
1070	bacpy(dst: &hcon->dst, src: &smp->remote_irk->bdaddr);
1071	hcon->dst_type = smp->remote_irk->addr_type;
1072	/* Use a short delay to make sure the new address is
1073	* propagated _before_ the channels.
1074	*/
1075	queue_delayed_work(wq: hdev->workqueue,
1076	dwork: &conn->id_addr_timer,
1077	ID_ADDR_TIMEOUT);
1078	}
1079	}
1080
1081	if (smp->csrk) {
1082	smp->csrk->link_type = hcon->type;
1083	smp->csrk->bdaddr_type = hcon->dst_type;
1084	bacpy(dst: &smp->csrk->bdaddr, src: &hcon->dst);
1085	mgmt_new_csrk(hdev, csrk: smp->csrk, persistent);
1086	}
1087
1088	if (smp->responder_csrk) {
1089	smp->responder_csrk->link_type = hcon->type;
1090	smp->responder_csrk->bdaddr_type = hcon->dst_type;
1091	bacpy(dst: &smp->responder_csrk->bdaddr, src: &hcon->dst);
1092	mgmt_new_csrk(hdev, csrk: smp->responder_csrk, persistent);
1093	}
1094
1095	if (smp->ltk) {
1096	smp->ltk->link_type = hcon->type;
1097	smp->ltk->bdaddr_type = hcon->dst_type;
1098	bacpy(dst: &smp->ltk->bdaddr, src: &hcon->dst);
1099	mgmt_new_ltk(hdev, key: smp->ltk, persistent);
1100	}
1101
1102	if (smp->responder_ltk) {
1103	smp->responder_ltk->link_type = hcon->type;
1104	smp->responder_ltk->bdaddr_type = hcon->dst_type;
1105	bacpy(dst: &smp->responder_ltk->bdaddr, src: &hcon->dst);
1106	mgmt_new_ltk(hdev, key: smp->responder_ltk, persistent);
1107	}
1108
1109	if (smp->link_key) {
1110	struct link_key *key;
1111	u8 type;
1112
1113	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1114	type = HCI_LK_DEBUG_COMBINATION;
1115	else if (hcon->sec_level == BT_SECURITY_FIPS)
1116	type = HCI_LK_AUTH_COMBINATION_P256;
1117	else
1118	type = HCI_LK_UNAUTH_COMBINATION_P256;
1119
1120	key = hci_add_link_key(hdev, conn: smp->conn->hcon, bdaddr: &hcon->dst,
1121	val: smp->link_key, type, pin_len: 0, persistent: &persistent);
1122	if (key) {
1123	key->link_type = hcon->type;
1124	key->bdaddr_type = hcon->dst_type;
1125	mgmt_new_link_key(hdev, key, persistent);
1126
1127	/* Don't keep debug keys around if the relevant
1128	* flag is not set.
1129	*/
1130	if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1131	key->type == HCI_LK_DEBUG_COMBINATION) {
1132	list_del_rcu(entry: &key->list);
1133	kfree_rcu(key, rcu);
1134	}
1135	}
1136	}
1137	}
1138
1139	static void sc_add_ltk(struct smp_chan *smp)
1140	{
1141	struct hci_conn *hcon = smp->conn->hcon;
1142	u8 key_type, auth;
1143
1144	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1145	key_type = SMP_LTK_P256_DEBUG;
1146	else
1147	key_type = SMP_LTK_P256;
1148
1149	if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1150	auth = 1;
1151	else
1152	auth = 0;
1153
1154	smp->ltk = hci_add_ltk(hdev: hcon->hdev, bdaddr: &hcon->dst, addr_type: hcon->dst_type,
1155	type: key_type, authenticated: auth, tk: smp->tk, enc_size: smp->enc_key_size,
1156	ediv: 0, rand: 0);
1157	}
1158
1159	static void sc_generate_link_key(struct smp_chan *smp)
1160	{
1161	/* From core spec. Spells out in ASCII as 'lebr'. */
1162	const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1163
1164	smp->link_key = kzalloc(size: 16, GFP_KERNEL);
1165	if (!smp->link_key)
1166	return;
1167
1168	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1169	/* SALT = 0x000000000000000000000000746D7031 */
1170	const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1171
1172	if (smp_h7(tfm_cmac: smp->tfm_cmac, w: smp->tk, salt, res: smp->link_key)) {
1173	kfree_sensitive(objp: smp->link_key);
1174	smp->link_key = NULL;
1175	return;
1176	}
1177	} else {
1178	/* From core spec. Spells out in ASCII as 'tmp1'. */
1179	const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1180
1181	if (smp_h6(tfm_cmac: smp->tfm_cmac, w: smp->tk, key_id: tmp1, res: smp->link_key)) {
1182	kfree_sensitive(objp: smp->link_key);
1183	smp->link_key = NULL;
1184	return;
1185	}
1186	}
1187
1188	if (smp_h6(tfm_cmac: smp->tfm_cmac, w: smp->link_key, key_id: lebr, res: smp->link_key)) {
1189	kfree_sensitive(objp: smp->link_key);
1190	smp->link_key = NULL;
1191	return;
1192	}
1193	}
1194
1195	static void smp_allow_key_dist(struct smp_chan *smp)
1196	{
1197	/* Allow the first expected phase 3 PDU. The rest of the PDUs
1198	* will be allowed in each PDU handler to ensure we receive
1199	* them in the correct order.
1200	*/
1201	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1202	SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1203	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1204	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1205	else if (smp->remote_key_dist & SMP_DIST_SIGN)
1206	SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1207	}
1208
1209	static void sc_generate_ltk(struct smp_chan *smp)
1210	{
1211	/* From core spec. Spells out in ASCII as 'brle'. */
1212	const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1213	struct hci_conn *hcon = smp->conn->hcon;
1214	struct hci_dev *hdev = hcon->hdev;
1215	struct link_key *key;
1216
1217	key = hci_find_link_key(hdev, bdaddr: &hcon->dst);
1218	if (!key) {
1219	bt_dev_err(hdev, "no Link Key found to generate LTK");
1220	return;
1221	}
1222
1223	if (key->type == HCI_LK_DEBUG_COMBINATION)
1224	set_bit(nr: SMP_FLAG_DEBUG_KEY, addr: &smp->flags);
1225
1226	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1227	/* SALT = 0x000000000000000000000000746D7032 */
1228	const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1229
1230	if (smp_h7(tfm_cmac: smp->tfm_cmac, w: key->val, salt, res: smp->tk))
1231	return;
1232	} else {
1233	/* From core spec. Spells out in ASCII as 'tmp2'. */
1234	const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1235
1236	if (smp_h6(tfm_cmac: smp->tfm_cmac, w: key->val, key_id: tmp2, res: smp->tk))
1237	return;
1238	}
1239
1240	if (smp_h6(tfm_cmac: smp->tfm_cmac, w: smp->tk, key_id: brle, res: smp->tk))
1241	return;
1242
1243	sc_add_ltk(smp);
1244	}
1245
1246	static void smp_distribute_keys(struct smp_chan *smp)
1247	{
1248	struct smp_cmd_pairing *req, *rsp;
1249	struct l2cap_conn *conn = smp->conn;
1250	struct hci_conn *hcon = conn->hcon;
1251	struct hci_dev *hdev = hcon->hdev;
1252	__u8 *keydist;
1253
1254	bt_dev_dbg(hdev, "conn %p", conn);
1255
1256	rsp = (void *) &smp->prsp[1];
1257
1258	/* The responder sends its keys first */
1259	if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1260	smp_allow_key_dist(smp);
1261	return;
1262	}
1263
1264	req = (void *) &smp->preq[1];
1265
1266	if (hcon->out) {
1267	keydist = &rsp->init_key_dist;
1268	*keydist &= req->init_key_dist;
1269	} else {
1270	keydist = &rsp->resp_key_dist;
1271	*keydist &= req->resp_key_dist;
1272	}
1273
1274	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1275	if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1276	sc_generate_link_key(smp);
1277	if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1278	sc_generate_ltk(smp);
1279
1280	/* Clear the keys which are generated but not distributed */
1281	*keydist &= ~SMP_SC_NO_DIST;
1282	}
1283
1284	bt_dev_dbg(hdev, "keydist 0x%x", *keydist);
1285
1286	if (*keydist & SMP_DIST_ENC_KEY) {
1287	struct smp_cmd_encrypt_info enc;
1288	struct smp_cmd_initiator_ident ident;
1289	struct smp_ltk *ltk;
1290	u8 authenticated;
1291	__le16 ediv;
1292	__le64 rand;
1293
1294	/* Make sure we generate only the significant amount of
1295	* bytes based on the encryption key size, and set the rest
1296	* of the value to zeroes.
1297	*/
1298	get_random_bytes(buf: enc.ltk, len: smp->enc_key_size);
1299	memset(enc.ltk + smp->enc_key_size, 0,
1300	sizeof(enc.ltk) - smp->enc_key_size);
1301
1302	get_random_bytes(buf: &ediv, len: sizeof(ediv));
1303	get_random_bytes(buf: &rand, len: sizeof(rand));
1304
1305	smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, len: sizeof(enc), data: &enc);
1306
1307	authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1308	ltk = hci_add_ltk(hdev, bdaddr: &hcon->dst, addr_type: hcon->dst_type,
1309	type: SMP_LTK_RESPONDER, authenticated, tk: enc.ltk,
1310	enc_size: smp->enc_key_size, ediv, rand);
1311	smp->responder_ltk = ltk;
1312
1313	ident.ediv = ediv;
1314	ident.rand = rand;
1315
1316	smp_send_cmd(conn, SMP_CMD_INITIATOR_IDENT, len: sizeof(ident),
1317	data: &ident);
1318
1319	*keydist &= ~SMP_DIST_ENC_KEY;
1320	}
1321
1322	if (*keydist & SMP_DIST_ID_KEY) {
1323	struct smp_cmd_ident_addr_info addrinfo;
1324	struct smp_cmd_ident_info idinfo;
1325
1326	memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1327
1328	smp_send_cmd(conn, SMP_CMD_IDENT_INFO, len: sizeof(idinfo), data: &idinfo);
1329
1330	/* The hci_conn contains the local identity address
1331	* after the connection has been established.
1332	*
1333	* This is true even when the connection has been
1334	* established using a resolvable random address.
1335	*/
1336	bacpy(dst: &addrinfo.bdaddr, src: &hcon->src);
1337	addrinfo.addr_type = hcon->src_type;
1338
1339	smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, len: sizeof(addrinfo),
1340	data: &addrinfo);
1341
1342	*keydist &= ~SMP_DIST_ID_KEY;
1343	}
1344
1345	if (*keydist & SMP_DIST_SIGN) {
1346	struct smp_cmd_sign_info sign;
1347	struct smp_csrk *csrk;
1348
1349	/* Generate a new random key */
1350	get_random_bytes(buf: sign.csrk, len: sizeof(sign.csrk));
1351
1352	csrk = kzalloc(size: sizeof(*csrk), GFP_KERNEL);
1353	if (csrk) {
1354	if (hcon->sec_level > BT_SECURITY_MEDIUM)
1355	csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1356	else
1357	csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1358	memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1359	}
1360	smp->responder_csrk = csrk;
1361
1362	smp_send_cmd(conn, SMP_CMD_SIGN_INFO, len: sizeof(sign), data: &sign);
1363
1364	*keydist &= ~SMP_DIST_SIGN;
1365	}
1366
1367	/* If there are still keys to be received wait for them */
1368	if (smp->remote_key_dist & KEY_DIST_MASK) {
1369	smp_allow_key_dist(smp);
1370	return;
1371	}
1372
1373	set_bit(nr: SMP_FLAG_COMPLETE, addr: &smp->flags);
1374	smp_notify_keys(conn);
1375
1376	smp_chan_destroy(conn);
1377	}
1378
1379	static void smp_timeout(struct work_struct *work)
1380	{
1381	struct smp_chan *smp = container_of(work, struct smp_chan,
1382	security_timer.work);
1383	struct l2cap_conn *conn = smp->conn;
1384
1385	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
1386
1387	hci_disconnect(conn: conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1388	}
1389
1390	static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1391	{
1392	struct hci_conn *hcon = conn->hcon;
1393	struct l2cap_chan *chan = conn->smp;
1394	struct smp_chan *smp;
1395
1396	smp = kzalloc(size: sizeof(*smp), GFP_ATOMIC);
1397	if (!smp)
1398	return NULL;
1399
1400	smp->tfm_cmac = crypto_alloc_shash(alg_name: "cmac(aes)", type: 0, mask: 0);
1401	if (IS_ERR(ptr: smp->tfm_cmac)) {
1402	bt_dev_err(hcon->hdev, "Unable to create CMAC crypto context");
1403	goto zfree_smp;
1404	}
1405
1406	smp->tfm_ecdh = crypto_alloc_kpp(alg_name: "ecdh-nist-p256", type: 0, mask: 0);
1407	if (IS_ERR(ptr: smp->tfm_ecdh)) {
1408	bt_dev_err(hcon->hdev, "Unable to create ECDH crypto context");
1409	goto free_shash;
1410	}
1411
1412	smp->conn = conn;
1413	chan->data = smp;
1414
1415	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1416
1417	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1418
1419	hci_conn_hold(conn: hcon);
1420
1421	return smp;
1422
1423	free_shash:
1424	crypto_free_shash(tfm: smp->tfm_cmac);
1425	zfree_smp:
1426	kfree_sensitive(objp: smp);
1427	return NULL;
1428	}
1429
1430	static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1431	{
1432	struct hci_conn *hcon = smp->conn->hcon;
1433	u8 *na, *nb, a[7], b[7];
1434
1435	if (hcon->out) {
1436	na = smp->prnd;
1437	nb = smp->rrnd;
1438	} else {
1439	na = smp->rrnd;
1440	nb = smp->prnd;
1441	}
1442
1443	memcpy(a, &hcon->init_addr, 6);
1444	memcpy(b, &hcon->resp_addr, 6);
1445	a[6] = hcon->init_addr_type;
1446	b[6] = hcon->resp_addr_type;
1447
1448	return smp_f5(tfm_cmac: smp->tfm_cmac, w: smp->dhkey, n1: na, n2: nb, a1: a, a2: b, mackey, ltk);
1449	}
1450
1451	static void sc_dhkey_check(struct smp_chan *smp)
1452	{
1453	struct hci_conn *hcon = smp->conn->hcon;
1454	struct smp_cmd_dhkey_check check;
1455	u8 a[7], b[7], *local_addr, *remote_addr;
1456	u8 io_cap[3], r[16];
1457
1458	memcpy(a, &hcon->init_addr, 6);
1459	memcpy(b, &hcon->resp_addr, 6);
1460	a[6] = hcon->init_addr_type;
1461	b[6] = hcon->resp_addr_type;
1462
1463	if (hcon->out) {
1464	local_addr = a;
1465	remote_addr = b;
1466	memcpy(io_cap, &smp->preq[1], 3);
1467	} else {
1468	local_addr = b;
1469	remote_addr = a;
1470	memcpy(io_cap, &smp->prsp[1], 3);
1471	}
1472
1473	memset(r, 0, sizeof(r));
1474
1475	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1476	put_unaligned_le32(val: hcon->passkey_notify, p: r);
1477
1478	if (smp->method == REQ_OOB)
1479	memcpy(r, smp->rr, 16);
1480
1481	smp_f6(tfm_cmac: smp->tfm_cmac, w: smp->mackey, n1: smp->prnd, n2: smp->rrnd, r, io_cap,
1482	a1: local_addr, a2: remote_addr, res: check.e);
1483
1484	smp_send_cmd(conn: smp->conn, SMP_CMD_DHKEY_CHECK, len: sizeof(check), data: &check);
1485	}
1486
1487	static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1488	{
1489	struct l2cap_conn *conn = smp->conn;
1490	struct hci_conn *hcon = conn->hcon;
1491	struct smp_cmd_pairing_confirm cfm;
1492	u8 r;
1493
1494	r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1495	r |= 0x80;
1496
1497	get_random_bytes(buf: smp->prnd, len: sizeof(smp->prnd));
1498
1499	if (smp_f4(tfm_cmac: smp->tfm_cmac, u: smp->local_pk, v: smp->remote_pk, x: smp->prnd, z: r,
1500	res: cfm.confirm_val))
1501	return SMP_UNSPECIFIED;
1502
1503	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, len: sizeof(cfm), data: &cfm);
1504
1505	return 0;
1506	}
1507
1508	static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1509	{
1510	struct l2cap_conn *conn = smp->conn;
1511	struct hci_conn *hcon = conn->hcon;
1512	struct hci_dev *hdev = hcon->hdev;
1513	u8 cfm[16], r;
1514
1515	/* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1516	if (smp->passkey_round >= 20)
1517	return 0;
1518
1519	switch (smp_op) {
1520	case SMP_CMD_PAIRING_RANDOM:
1521	r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1522	r |= 0x80;
1523
1524	if (smp_f4(tfm_cmac: smp->tfm_cmac, u: smp->remote_pk, v: smp->local_pk,
1525	x: smp->rrnd, z: r, res: cfm))
1526	return SMP_UNSPECIFIED;
1527
1528	if (crypto_memneq(a: smp->pcnf, b: cfm, size: 16))
1529	return SMP_CONFIRM_FAILED;
1530
1531	smp->passkey_round++;
1532
1533	if (smp->passkey_round == 20) {
1534	/* Generate MacKey and LTK */
1535	if (sc_mackey_and_ltk(smp, mackey: smp->mackey, ltk: smp->tk))
1536	return SMP_UNSPECIFIED;
1537	}
1538
1539	/* The round is only complete when the initiator
1540	* receives pairing random.
1541	*/
1542	if (!hcon->out) {
1543	smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1544	len: sizeof(smp->prnd), data: smp->prnd);
1545	if (smp->passkey_round == 20)
1546	SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1547	else
1548	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1549	return 0;
1550	}
1551
1552	/* Start the next round */
1553	if (smp->passkey_round != 20)
1554	return sc_passkey_round(smp, smp_op: 0);
1555
1556	/* Passkey rounds are complete - start DHKey Check */
1557	sc_dhkey_check(smp);
1558	SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1559
1560	break;
1561
1562	case SMP_CMD_PAIRING_CONFIRM:
1563	if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1564	set_bit(nr: SMP_FLAG_CFM_PENDING, addr: &smp->flags);
1565	return 0;
1566	}
1567
1568	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1569
1570	if (hcon->out) {
1571	smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1572	len: sizeof(smp->prnd), data: smp->prnd);
1573	return 0;
1574	}
1575
1576	return sc_passkey_send_confirm(smp);
1577
1578	case SMP_CMD_PUBLIC_KEY:
1579	default:
1580	/* Initiating device starts the round */
1581	if (!hcon->out)
1582	return 0;
1583
1584	bt_dev_dbg(hdev, "Starting passkey round %u",
1585	smp->passkey_round + 1);
1586
1587	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1588
1589	return sc_passkey_send_confirm(smp);
1590	}
1591
1592	return 0;
1593	}
1594
1595	static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1596	{
1597	struct l2cap_conn *conn = smp->conn;
1598	struct hci_conn *hcon = conn->hcon;
1599	u8 smp_op;
1600
1601	clear_bit(nr: SMP_FLAG_WAIT_USER, addr: &smp->flags);
1602
1603	switch (mgmt_op) {
1604	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1605	smp_failure(conn: smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1606	return 0;
1607	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1608	smp_failure(conn: smp->conn, SMP_NUMERIC_COMP_FAILED);
1609	return 0;
1610	case MGMT_OP_USER_PASSKEY_REPLY:
1611	hcon->passkey_notify = le32_to_cpu(passkey);
1612	smp->passkey_round = 0;
1613
1614	if (test_and_clear_bit(nr: SMP_FLAG_CFM_PENDING, addr: &smp->flags))
1615	smp_op = SMP_CMD_PAIRING_CONFIRM;
1616	else
1617	smp_op = 0;
1618
1619	if (sc_passkey_round(smp, smp_op))
1620	return -EIO;
1621
1622	return 0;
1623	}
1624
1625	/* Initiator sends DHKey check first */
1626	if (hcon->out) {
1627	sc_dhkey_check(smp);
1628	SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1629	} else if (test_and_clear_bit(nr: SMP_FLAG_DHKEY_PENDING, addr: &smp->flags)) {
1630	sc_dhkey_check(smp);
1631	sc_add_ltk(smp);
1632	}
1633
1634	return 0;
1635	}
1636
1637	int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1638	{
1639	struct l2cap_conn *conn = hcon->l2cap_data;
1640	struct l2cap_chan *chan;
1641	struct smp_chan *smp;
1642	u32 value;
1643	int err;
1644
1645	if (!conn)
1646	return -ENOTCONN;
1647
1648	bt_dev_dbg(conn->hcon->hdev, "");
1649
1650	chan = conn->smp;
1651	if (!chan)
1652	return -ENOTCONN;
1653
1654	l2cap_chan_lock(chan);
1655	if (!chan->data) {
1656	err = -ENOTCONN;
1657	goto unlock;
1658	}
1659
1660	smp = chan->data;
1661
1662	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1663	err = sc_user_reply(smp, mgmt_op, passkey);
1664	goto unlock;
1665	}
1666
1667	switch (mgmt_op) {
1668	case MGMT_OP_USER_PASSKEY_REPLY:
1669	value = le32_to_cpu(passkey);
1670	memset(smp->tk, 0, sizeof(smp->tk));
1671	bt_dev_dbg(conn->hcon->hdev, "PassKey: %u", value);
1672	put_unaligned_le32(val: value, p: smp->tk);
1673	fallthrough;
1674	case MGMT_OP_USER_CONFIRM_REPLY:
1675	set_bit(nr: SMP_FLAG_TK_VALID, addr: &smp->flags);
1676	break;
1677	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1678	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1679	smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1680	err = 0;
1681	goto unlock;
1682	default:
1683	smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1684	err = -EOPNOTSUPP;
1685	goto unlock;
1686	}
1687
1688	err = 0;
1689
1690	/* If it is our turn to send Pairing Confirm, do so now */
1691	if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1692	u8 rsp = smp_confirm(smp);
1693	if (rsp)
1694	smp_failure(conn, reason: rsp);
1695	}
1696
1697	unlock:
1698	l2cap_chan_unlock(chan);
1699	return err;
1700	}
1701
1702	static void build_bredr_pairing_cmd(struct smp_chan *smp,
1703	struct smp_cmd_pairing *req,
1704	struct smp_cmd_pairing *rsp)
1705	{
1706	struct l2cap_conn *conn = smp->conn;
1707	struct hci_dev *hdev = conn->hcon->hdev;
1708	u8 local_dist = 0, remote_dist = 0;
1709
1710	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1711	local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1712	remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1713	}
1714
1715	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1716	remote_dist |= SMP_DIST_ID_KEY;
1717
1718	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1719	local_dist |= SMP_DIST_ID_KEY;
1720
1721	if (!rsp) {
1722	memset(req, 0, sizeof(*req));
1723
1724	req->auth_req = SMP_AUTH_CT2;
1725	req->init_key_dist = local_dist;
1726	req->resp_key_dist = remote_dist;
1727	req->max_key_size = conn->hcon->enc_key_size;
1728
1729	smp->remote_key_dist = remote_dist;
1730
1731	return;
1732	}
1733
1734	memset(rsp, 0, sizeof(*rsp));
1735
1736	rsp->auth_req = SMP_AUTH_CT2;
1737	rsp->max_key_size = conn->hcon->enc_key_size;
1738	rsp->init_key_dist = req->init_key_dist & remote_dist;
1739	rsp->resp_key_dist = req->resp_key_dist & local_dist;
1740
1741	smp->remote_key_dist = rsp->init_key_dist;
1742	}
1743
1744	static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1745	{
1746	struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1747	struct l2cap_chan *chan = conn->smp;
1748	struct hci_dev *hdev = conn->hcon->hdev;
1749	struct smp_chan *smp;
1750	u8 key_size, auth, sec_level;
1751	int ret;
1752
1753	bt_dev_dbg(hdev, "conn %p", conn);
1754
1755	if (skb->len < sizeof(*req))
1756	return SMP_INVALID_PARAMS;
1757
1758	if (conn->hcon->role != HCI_ROLE_SLAVE)
1759	return SMP_CMD_NOTSUPP;
1760
1761	if (!chan->data)
1762	smp = smp_chan_create(conn);
1763	else
1764	smp = chan->data;
1765
1766	if (!smp)
1767	return SMP_UNSPECIFIED;
1768
1769	/* We didn't start the pairing, so match remote */
1770	auth = req->auth_req & AUTH_REQ_MASK(hdev);
1771
1772	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1773	(auth & SMP_AUTH_BONDING))
1774	return SMP_PAIRING_NOTSUPP;
1775
1776	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1777	return SMP_AUTH_REQUIREMENTS;
1778
1779	smp->preq[0] = SMP_CMD_PAIRING_REQ;
1780	memcpy(&smp->preq[1], req, sizeof(*req));
1781	skb_pull(skb, len: sizeof(*req));
1782
1783	/* If the remote side's OOB flag is set it means it has
1784	* successfully received our local OOB data - therefore set the
1785	* flag to indicate that local OOB is in use.
1786	*/
1787	if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1788	set_bit(nr: SMP_FLAG_LOCAL_OOB, addr: &smp->flags);
1789
1790	/* SMP over BR/EDR requires special treatment */
1791	if (conn->hcon->type == ACL_LINK) {
1792	/* We must have a BR/EDR SC link */
1793	if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1794	!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1795	return SMP_CROSS_TRANSP_NOT_ALLOWED;
1796
1797	set_bit(nr: SMP_FLAG_SC, addr: &smp->flags);
1798
1799	build_bredr_pairing_cmd(smp, req, rsp: &rsp);
1800
1801	if (req->auth_req & SMP_AUTH_CT2)
1802	set_bit(nr: SMP_FLAG_CT2, addr: &smp->flags);
1803
1804	key_size = min(req->max_key_size, rsp.max_key_size);
1805	if (check_enc_key_size(conn, max_key_size: key_size))
1806	return SMP_ENC_KEY_SIZE;
1807
1808	/* Clear bits which are generated but not distributed */
1809	smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1810
1811	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1812	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1813	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, len: sizeof(rsp), data: &rsp);
1814
1815	smp_distribute_keys(smp);
1816	return 0;
1817	}
1818
1819	build_pairing_cmd(conn, req, rsp: &rsp, authreq: auth);
1820
1821	if (rsp.auth_req & SMP_AUTH_SC) {
1822	set_bit(nr: SMP_FLAG_SC, addr: &smp->flags);
1823
1824	if (rsp.auth_req & SMP_AUTH_CT2)
1825	set_bit(nr: SMP_FLAG_CT2, addr: &smp->flags);
1826	}
1827
1828	if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1829	sec_level = BT_SECURITY_MEDIUM;
1830	else
1831	sec_level = authreq_to_seclevel(authreq: auth);
1832
1833	if (sec_level > conn->hcon->pending_sec_level)
1834	conn->hcon->pending_sec_level = sec_level;
1835
1836	/* If we need MITM check that it can be achieved */
1837	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1838	u8 method;
1839
1840	method = get_auth_method(smp, local_io: conn->hcon->io_capability,
1841	remote_io: req->io_capability);
1842	if (method == JUST_WORKS || method == JUST_CFM)
1843	return SMP_AUTH_REQUIREMENTS;
1844	}
1845
1846	key_size = min(req->max_key_size, rsp.max_key_size);
1847	if (check_enc_key_size(conn, max_key_size: key_size))
1848	return SMP_ENC_KEY_SIZE;
1849
1850	get_random_bytes(buf: smp->prnd, len: sizeof(smp->prnd));
1851
1852	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1853	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1854
1855	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, len: sizeof(rsp), data: &rsp);
1856
1857	clear_bit(nr: SMP_FLAG_INITIATOR, addr: &smp->flags);
1858
1859	/* Strictly speaking we shouldn't allow Pairing Confirm for the
1860	* SC case, however some implementations incorrectly copy RFU auth
1861	* req bits from our security request, which may create a false
1862	* positive SC enablement.
1863	*/
1864	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1865
1866	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1867	SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1868	/* Clear bits which are generated but not distributed */
1869	smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1870	/* Wait for Public Key from Initiating Device */
1871	return 0;
1872	}
1873
1874	/* Request setup of TK */
1875	ret = tk_request(conn, remote_oob: 0, auth, local_io: rsp.io_capability, remote_io: req->io_capability);
1876	if (ret)
1877	return SMP_UNSPECIFIED;
1878
1879	return 0;
1880	}
1881
1882	static u8 sc_send_public_key(struct smp_chan *smp)
1883	{
1884	struct hci_dev *hdev = smp->conn->hcon->hdev;
1885
1886	bt_dev_dbg(hdev, "");
1887
1888	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1889	struct l2cap_chan *chan = hdev->smp_data;
1890	struct smp_dev *smp_dev;
1891
1892	if (!chan || !chan->data)
1893	return SMP_UNSPECIFIED;
1894
1895	smp_dev = chan->data;
1896
1897	memcpy(smp->local_pk, smp_dev->local_pk, 64);
1898	memcpy(smp->lr, smp_dev->local_rand, 16);
1899
1900	if (smp_dev->debug_key)
1901	set_bit(nr: SMP_FLAG_DEBUG_KEY, addr: &smp->flags);
1902
1903	goto done;
1904	}
1905
1906	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1907	bt_dev_dbg(hdev, "Using debug keys");
1908	if (set_ecdh_privkey(tfm: smp->tfm_ecdh, private_key: debug_sk))
1909	return SMP_UNSPECIFIED;
1910	memcpy(smp->local_pk, debug_pk, 64);
1911	set_bit(nr: SMP_FLAG_DEBUG_KEY, addr: &smp->flags);
1912	} else {
1913	while (true) {
1914	/* Generate key pair for Secure Connections */
1915	if (generate_ecdh_keys(tfm: smp->tfm_ecdh, public_key: smp->local_pk))
1916	return SMP_UNSPECIFIED;
1917
1918	/* This is unlikely, but we need to check that
1919	* we didn't accidentally generate a debug key.
1920	*/
1921	if (crypto_memneq(a: smp->local_pk, b: debug_pk, size: 64))
1922	break;
1923	}
1924	}
1925
1926	done:
1927	SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1928	SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1929
1930	smp_send_cmd(conn: smp->conn, SMP_CMD_PUBLIC_KEY, len: 64, data: smp->local_pk);
1931
1932	return 0;
1933	}
1934
1935	static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1936	{
1937	struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1938	struct l2cap_chan *chan = conn->smp;
1939	struct smp_chan *smp = chan->data;
1940	struct hci_dev *hdev = conn->hcon->hdev;
1941	u8 key_size, auth;
1942	int ret;
1943
1944	bt_dev_dbg(hdev, "conn %p", conn);
1945
1946	if (skb->len < sizeof(*rsp))
1947	return SMP_INVALID_PARAMS;
1948
1949	if (conn->hcon->role != HCI_ROLE_MASTER)
1950	return SMP_CMD_NOTSUPP;
1951
1952	skb_pull(skb, len: sizeof(*rsp));
1953
1954	req = (void *) &smp->preq[1];
1955
1956	key_size = min(req->max_key_size, rsp->max_key_size);
1957	if (check_enc_key_size(conn, max_key_size: key_size))
1958	return SMP_ENC_KEY_SIZE;
1959
1960	auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1961
1962	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1963	return SMP_AUTH_REQUIREMENTS;
1964
1965	/* If the remote side's OOB flag is set it means it has
1966	* successfully received our local OOB data - therefore set the
1967	* flag to indicate that local OOB is in use.
1968	*/
1969	if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1970	set_bit(nr: SMP_FLAG_LOCAL_OOB, addr: &smp->flags);
1971
1972	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1973	memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1974
1975	/* Update remote key distribution in case the remote cleared
1976	* some bits that we had enabled in our request.
1977	*/
1978	smp->remote_key_dist &= rsp->resp_key_dist;
1979
1980	if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1981	set_bit(nr: SMP_FLAG_CT2, addr: &smp->flags);
1982
1983	/* For BR/EDR this means we're done and can start phase 3 */
1984	if (conn->hcon->type == ACL_LINK) {
1985	/* Clear bits which are generated but not distributed */
1986	smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1987	smp_distribute_keys(smp);
1988	return 0;
1989	}
1990
1991	if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1992	set_bit(nr: SMP_FLAG_SC, addr: &smp->flags);
1993	else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1994	conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1995
1996	/* If we need MITM check that it can be achieved */
1997	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1998	u8 method;
1999
2000	method = get_auth_method(smp, local_io: req->io_capability,
2001	remote_io: rsp->io_capability);
2002	if (method == JUST_WORKS || method == JUST_CFM)
2003	return SMP_AUTH_REQUIREMENTS;
2004	}
2005
2006	get_random_bytes(buf: smp->prnd, len: sizeof(smp->prnd));
2007
2008	/* Update remote key distribution in case the remote cleared
2009	* some bits that we had enabled in our request.
2010	*/
2011	smp->remote_key_dist &= rsp->resp_key_dist;
2012
2013	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2014	/* Clear bits which are generated but not distributed */
2015	smp->remote_key_dist &= ~SMP_SC_NO_DIST;
2016	SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2017	return sc_send_public_key(smp);
2018	}
2019
2020	auth |= req->auth_req;
2021
2022	ret = tk_request(conn, remote_oob: 0, auth, local_io: req->io_capability, remote_io: rsp->io_capability);
2023	if (ret)
2024	return SMP_UNSPECIFIED;
2025
2026	set_bit(nr: SMP_FLAG_CFM_PENDING, addr: &smp->flags);
2027
2028	/* Can't compose response until we have been confirmed */
2029	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2030	return smp_confirm(smp);
2031
2032	return 0;
2033	}
2034
2035	static u8 sc_check_confirm(struct smp_chan *smp)
2036	{
2037	struct l2cap_conn *conn = smp->conn;
2038
2039	bt_dev_dbg(conn->hcon->hdev, "");
2040
2041	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2042	return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2043
2044	if (conn->hcon->out) {
2045	smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, len: sizeof(smp->prnd),
2046	data: smp->prnd);
2047	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2048	}
2049
2050	return 0;
2051	}
2052
2053	/* Work-around for some implementations that incorrectly copy RFU bits
2054	* from our security request and thereby create the impression that
2055	* we're doing SC when in fact the remote doesn't support it.
2056	*/
2057	static int fixup_sc_false_positive(struct smp_chan *smp)
2058	{
2059	struct l2cap_conn *conn = smp->conn;
2060	struct hci_conn *hcon = conn->hcon;
2061	struct hci_dev *hdev = hcon->hdev;
2062	struct smp_cmd_pairing *req, *rsp;
2063	u8 auth;
2064
2065	/* The issue is only observed when we're in responder role */
2066	if (hcon->out)
2067	return SMP_UNSPECIFIED;
2068
2069	if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2070	bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
2071	return SMP_UNSPECIFIED;
2072	}
2073
2074	bt_dev_err(hdev, "trying to fall back to legacy SMP");
2075
2076	req = (void *) &smp->preq[1];
2077	rsp = (void *) &smp->prsp[1];
2078
2079	/* Rebuild key dist flags which may have been cleared for SC */
2080	smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2081
2082	auth = req->auth_req & AUTH_REQ_MASK(hdev);
2083
2084	if (tk_request(conn, remote_oob: 0, auth, local_io: rsp->io_capability, remote_io: req->io_capability)) {
2085	bt_dev_err(hdev, "failed to fall back to legacy SMP");
2086	return SMP_UNSPECIFIED;
2087	}
2088
2089	clear_bit(nr: SMP_FLAG_SC, addr: &smp->flags);
2090
2091	return 0;
2092	}
2093
2094	static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2095	{
2096	struct l2cap_chan *chan = conn->smp;
2097	struct smp_chan *smp = chan->data;
2098	struct hci_conn *hcon = conn->hcon;
2099	struct hci_dev *hdev = hcon->hdev;
2100
2101	bt_dev_dbg(hdev, "conn %p %s", conn,
2102	hcon->out ? "initiator" : "responder");
2103
2104	if (skb->len < sizeof(smp->pcnf))
2105	return SMP_INVALID_PARAMS;
2106
2107	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2108	skb_pull(skb, len: sizeof(smp->pcnf));
2109
2110	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2111	int ret;
2112
2113	/* Public Key exchange must happen before any other steps */
2114	if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2115	return sc_check_confirm(smp);
2116
2117	bt_dev_err(hdev, "Unexpected SMP Pairing Confirm");
2118
2119	ret = fixup_sc_false_positive(smp);
2120	if (ret)
2121	return ret;
2122	}
2123
2124	if (conn->hcon->out) {
2125	smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, len: sizeof(smp->prnd),
2126	data: smp->prnd);
2127	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2128	return 0;
2129	}
2130
2131	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2132	return smp_confirm(smp);
2133
2134	set_bit(nr: SMP_FLAG_CFM_PENDING, addr: &smp->flags);
2135
2136	return 0;
2137	}
2138
2139	static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2140	{
2141	struct l2cap_chan *chan = conn->smp;
2142	struct smp_chan *smp = chan->data;
2143	struct hci_conn *hcon = conn->hcon;
2144	u8 *pkax, *pkbx, *na, *nb, confirm_hint;
2145	u32 passkey;
2146	int err;
2147
2148	bt_dev_dbg(hcon->hdev, "conn %p", conn);
2149
2150	if (skb->len < sizeof(smp->rrnd))
2151	return SMP_INVALID_PARAMS;
2152
2153	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2154	skb_pull(skb, len: sizeof(smp->rrnd));
2155
2156	if (!test_bit(SMP_FLAG_SC, &smp->flags))
2157	return smp_random(smp);
2158
2159	if (hcon->out) {
2160	pkax = smp->local_pk;
2161	pkbx = smp->remote_pk;
2162	na = smp->prnd;
2163	nb = smp->rrnd;
2164	} else {
2165	pkax = smp->remote_pk;
2166	pkbx = smp->local_pk;
2167	na = smp->rrnd;
2168	nb = smp->prnd;
2169	}
2170
2171	if (smp->method == REQ_OOB) {
2172	if (!hcon->out)
2173	smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2174	len: sizeof(smp->prnd), data: smp->prnd);
2175	SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2176	goto mackey_and_ltk;
2177	}
2178
2179	/* Passkey entry has special treatment */
2180	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2181	return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2182
2183	if (hcon->out) {
2184	u8 cfm[16];
2185
2186	err = smp_f4(tfm_cmac: smp->tfm_cmac, u: smp->remote_pk, v: smp->local_pk,
2187	x: smp->rrnd, z: 0, res: cfm);
2188	if (err)
2189	return SMP_UNSPECIFIED;
2190
2191	if (crypto_memneq(a: smp->pcnf, b: cfm, size: 16))
2192	return SMP_CONFIRM_FAILED;
2193	} else {
2194	smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, len: sizeof(smp->prnd),
2195	data: smp->prnd);
2196	SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2197
2198	/* Only Just-Works pairing requires extra checks */
2199	if (smp->method != JUST_WORKS)
2200	goto mackey_and_ltk;
2201
2202	/* If there already exists long term key in local host, leave
2203	* the decision to user space since the remote device could
2204	* be legitimate or malicious.
2205	*/
2206	if (hci_find_ltk(hdev: hcon->hdev, bdaddr: &hcon->dst, addr_type: hcon->dst_type,
2207	role: hcon->role)) {
2208	/* Set passkey to 0. The value can be any number since
2209	* it'll be ignored anyway.
2210	*/
2211	passkey = 0;
2212	confirm_hint = 1;
2213	goto confirm;
2214	}
2215	}
2216
2217	mackey_and_ltk:
2218	/* Generate MacKey and LTK */
2219	err = sc_mackey_and_ltk(smp, mackey: smp->mackey, ltk: smp->tk);
2220	if (err)
2221	return SMP_UNSPECIFIED;
2222
2223	if (smp->method == REQ_OOB) {
2224	if (hcon->out) {
2225	sc_dhkey_check(smp);
2226	SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2227	}
2228	return 0;
2229	}
2230
2231	err = smp_g2(tfm_cmac: smp->tfm_cmac, u: pkax, v: pkbx, x: na, y: nb, val: &passkey);
2232	if (err)
2233	return SMP_UNSPECIFIED;
2234
2235	confirm_hint = 0;
2236
2237	confirm:
2238	if (smp->method == JUST_WORKS)
2239	confirm_hint = 1;
2240
2241	err = mgmt_user_confirm_request(hdev: hcon->hdev, bdaddr: &hcon->dst, link_type: hcon->type,
2242	addr_type: hcon->dst_type, value: passkey, confirm_hint);
2243	if (err)
2244	return SMP_UNSPECIFIED;
2245
2246	set_bit(nr: SMP_FLAG_WAIT_USER, addr: &smp->flags);
2247
2248	return 0;
2249	}
2250
2251	static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2252	{
2253	struct smp_ltk *key;
2254	struct hci_conn *hcon = conn->hcon;
2255
2256	key = hci_find_ltk(hdev: hcon->hdev, bdaddr: &hcon->dst, addr_type: hcon->dst_type, role: hcon->role);
2257	if (!key)
2258	return false;
2259
2260	if (smp_ltk_sec_level(key) < sec_level)
2261	return false;
2262
2263	if (test_and_set_bit(nr: HCI_CONN_ENCRYPT_PEND, addr: &hcon->flags))
2264	return true;
2265
2266	hci_le_start_enc(conn: hcon, ediv: key->ediv, rand: key->rand, ltk: key->val, key_size: key->enc_size);
2267	hcon->enc_key_size = key->enc_size;
2268
2269	/* We never store STKs for initiator role, so clear this flag */
2270	clear_bit(nr: HCI_CONN_STK_ENCRYPT, addr: &hcon->flags);
2271
2272	return true;
2273	}
2274
2275	bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2276	enum smp_key_pref key_pref)
2277	{
2278	if (sec_level == BT_SECURITY_LOW)
2279	return true;
2280
2281	/* If we're encrypted with an STK but the caller prefers using
2282	* LTK claim insufficient security. This way we allow the
2283	* connection to be re-encrypted with an LTK, even if the LTK
2284	* provides the same level of security. Only exception is if we
2285	* don't have an LTK (e.g. because of key distribution bits).
2286	*/
2287	if (key_pref == SMP_USE_LTK &&
2288	test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2289	hci_find_ltk(hdev: hcon->hdev, bdaddr: &hcon->dst, addr_type: hcon->dst_type, role: hcon->role))
2290	return false;
2291
2292	if (hcon->sec_level >= sec_level)
2293	return true;
2294
2295	return false;
2296	}
2297
2298	static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2299	{
2300	struct smp_cmd_security_req *rp = (void *) skb->data;
2301	struct smp_cmd_pairing cp;
2302	struct hci_conn *hcon = conn->hcon;
2303	struct hci_dev *hdev = hcon->hdev;
2304	struct smp_chan *smp;
2305	u8 sec_level, auth;
2306
2307	bt_dev_dbg(hdev, "conn %p", conn);
2308
2309	if (skb->len < sizeof(*rp))
2310	return SMP_INVALID_PARAMS;
2311
2312	if (hcon->role != HCI_ROLE_MASTER)
2313	return SMP_CMD_NOTSUPP;
2314
2315	auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2316
2317	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2318	return SMP_AUTH_REQUIREMENTS;
2319
2320	if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2321	sec_level = BT_SECURITY_MEDIUM;
2322	else
2323	sec_level = authreq_to_seclevel(authreq: auth);
2324
2325	if (smp_sufficient_security(hcon, sec_level, key_pref: SMP_USE_LTK)) {
2326	/* If link is already encrypted with sufficient security we
2327	* still need refresh encryption as per Core Spec 5.0 Vol 3,
2328	* Part H 2.4.6
2329	*/
2330	smp_ltk_encrypt(conn, sec_level: hcon->sec_level);
2331	return 0;
2332	}
2333
2334	if (sec_level > hcon->pending_sec_level)
2335	hcon->pending_sec_level = sec_level;
2336
2337	if (smp_ltk_encrypt(conn, sec_level: hcon->pending_sec_level))
2338	return 0;
2339
2340	smp = smp_chan_create(conn);
2341	if (!smp)
2342	return SMP_UNSPECIFIED;
2343
2344	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2345	(auth & SMP_AUTH_BONDING))
2346	return SMP_PAIRING_NOTSUPP;
2347
2348	skb_pull(skb, len: sizeof(*rp));
2349
2350	memset(&cp, 0, sizeof(cp));
2351	build_pairing_cmd(conn, req: &cp, NULL, authreq: auth);
2352
2353	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2354	memcpy(&smp->preq[1], &cp, sizeof(cp));
2355
2356	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, len: sizeof(cp), data: &cp);
2357	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2358
2359	return 0;
2360	}
2361
2362	int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2363	{
2364	struct l2cap_conn *conn = hcon->l2cap_data;
2365	struct l2cap_chan *chan;
2366	struct smp_chan *smp;
2367	__u8 authreq;
2368	int ret;
2369
2370	bt_dev_dbg(hcon->hdev, "conn %p hcon %p level 0x%2.2x", conn, hcon,
2371	sec_level);
2372
2373	/* This may be NULL if there's an unexpected disconnection */
2374	if (!conn)
2375	return 1;
2376
2377	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2378	return 1;
2379
2380	if (smp_sufficient_security(hcon, sec_level, key_pref: SMP_USE_LTK))
2381	return 1;
2382
2383	if (sec_level > hcon->pending_sec_level)
2384	hcon->pending_sec_level = sec_level;
2385
2386	if (hcon->role == HCI_ROLE_MASTER)
2387	if (smp_ltk_encrypt(conn, sec_level: hcon->pending_sec_level))
2388	return 0;
2389
2390	chan = conn->smp;
2391	if (!chan) {
2392	bt_dev_err(hcon->hdev, "security requested but not available");
2393	return 1;
2394	}
2395
2396	l2cap_chan_lock(chan);
2397
2398	/* If SMP is already in progress ignore this request */
2399	if (chan->data) {
2400	ret = 0;
2401	goto unlock;
2402	}
2403
2404	smp = smp_chan_create(conn);
2405	if (!smp) {
2406	ret = 1;
2407	goto unlock;
2408	}
2409
2410	authreq = seclevel_to_authreq(sec_level);
2411
2412	if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2413	authreq |= SMP_AUTH_SC;
2414	if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2415	authreq |= SMP_AUTH_CT2;
2416	}
2417
2418	/* Don't attempt to set MITM if setting is overridden by debugfs
2419	* Needed to pass certification test SM/MAS/PKE/BV-01-C
2420	*/
2421	if (!hci_dev_test_flag(hcon->hdev, HCI_FORCE_NO_MITM)) {
2422	/* Require MITM if IO Capability allows or the security level
2423	* requires it.
2424	*/
2425	if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2426	hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2427	authreq |= SMP_AUTH_MITM;
2428	}
2429
2430	if (hcon->role == HCI_ROLE_MASTER) {
2431	struct smp_cmd_pairing cp;
2432
2433	build_pairing_cmd(conn, req: &cp, NULL, authreq);
2434	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2435	memcpy(&smp->preq[1], &cp, sizeof(cp));
2436
2437	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, len: sizeof(cp), data: &cp);
2438	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2439	} else {
2440	struct smp_cmd_security_req cp;
2441	cp.auth_req = authreq;
2442	smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, len: sizeof(cp), data: &cp);
2443	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2444	}
2445
2446	set_bit(nr: SMP_FLAG_INITIATOR, addr: &smp->flags);
2447	ret = 0;
2448
2449	unlock:
2450	l2cap_chan_unlock(chan);
2451	return ret;
2452	}
2453
2454	int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2455	u8 addr_type)
2456	{
2457	struct hci_conn *hcon;
2458	struct l2cap_conn *conn;
2459	struct l2cap_chan *chan;
2460	struct smp_chan *smp;
2461	int err;
2462
2463	err = hci_remove_ltk(hdev, bdaddr, bdaddr_type: addr_type);
2464	hci_remove_irk(hdev, bdaddr, addr_type);
2465
2466	hcon = hci_conn_hash_lookup_le(hdev, ba: bdaddr, ba_type: addr_type);
2467	if (!hcon)
2468	goto done;
2469
2470	conn = hcon->l2cap_data;
2471	if (!conn)
2472	goto done;
2473
2474	chan = conn->smp;
2475	if (!chan)
2476	goto done;
2477
2478	l2cap_chan_lock(chan);
2479
2480	smp = chan->data;
2481	if (smp) {
2482	/* Set keys to NULL to make sure smp_failure() does not try to
2483	* remove and free already invalidated rcu list entries. */
2484	smp->ltk = NULL;
2485	smp->responder_ltk = NULL;
2486	smp->remote_irk = NULL;
2487
2488	if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2489	smp_failure(conn, reason: 0);
2490	else
2491	smp_failure(conn, SMP_UNSPECIFIED);
2492	err = 0;
2493	}
2494
2495	l2cap_chan_unlock(chan);
2496
2497	done:
2498	return err;
2499	}
2500
2501	static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2502	{
2503	struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2504	struct l2cap_chan *chan = conn->smp;
2505	struct smp_chan *smp = chan->data;
2506
2507	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
2508
2509	if (skb->len < sizeof(*rp))
2510	return SMP_INVALID_PARAMS;
2511
2512	/* Pairing is aborted if any blocked keys are distributed */
2513	if (hci_is_blocked_key(hdev: conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_LTK,
2514	val: rp->ltk)) {
2515	bt_dev_warn_ratelimited(conn->hcon->hdev,
2516	"LTK blocked for %pMR",
2517	&conn->hcon->dst);
2518	return SMP_INVALID_PARAMS;
2519	}
2520
2521	SMP_ALLOW_CMD(smp, SMP_CMD_INITIATOR_IDENT);
2522
2523	skb_pull(skb, len: sizeof(*rp));
2524
2525	memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2526
2527	return 0;
2528	}
2529
2530	static int smp_cmd_initiator_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2531	{
2532	struct smp_cmd_initiator_ident *rp = (void *)skb->data;
2533	struct l2cap_chan *chan = conn->smp;
2534	struct smp_chan *smp = chan->data;
2535	struct hci_dev *hdev = conn->hcon->hdev;
2536	struct hci_conn *hcon = conn->hcon;
2537	struct smp_ltk *ltk;
2538	u8 authenticated;
2539
2540	bt_dev_dbg(hdev, "conn %p", conn);
2541
2542	if (skb->len < sizeof(*rp))
2543	return SMP_INVALID_PARAMS;
2544
2545	/* Mark the information as received */
2546	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2547
2548	if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2549	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2550	else if (smp->remote_key_dist & SMP_DIST_SIGN)
2551	SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2552
2553	skb_pull(skb, len: sizeof(*rp));
2554
2555	authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2556	ltk = hci_add_ltk(hdev, bdaddr: &hcon->dst, addr_type: hcon->dst_type, type: SMP_LTK,
2557	authenticated, tk: smp->tk, enc_size: smp->enc_key_size,
2558	ediv: rp->ediv, rand: rp->rand);
2559	smp->ltk = ltk;
2560	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2561	smp_distribute_keys(smp);
2562
2563	return 0;
2564	}
2565
2566	static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2567	{
2568	struct smp_cmd_ident_info *info = (void *) skb->data;
2569	struct l2cap_chan *chan = conn->smp;
2570	struct smp_chan *smp = chan->data;
2571
2572	bt_dev_dbg(conn->hcon->hdev, "");
2573
2574	if (skb->len < sizeof(*info))
2575	return SMP_INVALID_PARAMS;
2576
2577	/* Pairing is aborted if any blocked keys are distributed */
2578	if (hci_is_blocked_key(hdev: conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_IRK,
2579	val: info->irk)) {
2580	bt_dev_warn_ratelimited(conn->hcon->hdev,
2581	"Identity key blocked for %pMR",
2582	&conn->hcon->dst);
2583	return SMP_INVALID_PARAMS;
2584	}
2585
2586	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2587
2588	skb_pull(skb, len: sizeof(*info));
2589
2590	memcpy(smp->irk, info->irk, 16);
2591
2592	return 0;
2593	}
2594
2595	static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2596	struct sk_buff *skb)
2597	{
2598	struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2599	struct l2cap_chan *chan = conn->smp;
2600	struct smp_chan *smp = chan->data;
2601	struct hci_conn *hcon = conn->hcon;
2602	bdaddr_t rpa;
2603
2604	bt_dev_dbg(hcon->hdev, "");
2605
2606	if (skb->len < sizeof(*info))
2607	return SMP_INVALID_PARAMS;
2608
2609	/* Mark the information as received */
2610	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2611
2612	if (smp->remote_key_dist & SMP_DIST_SIGN)
2613	SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2614
2615	skb_pull(skb, len: sizeof(*info));
2616
2617	/* Strictly speaking the Core Specification (4.1) allows sending
2618	* an empty address which would force us to rely on just the IRK
2619	* as "identity information". However, since such
2620	* implementations are not known of and in order to not over
2621	* complicate our implementation, simply pretend that we never
2622	* received an IRK for such a device.
2623	*
2624	* The Identity Address must also be a Static Random or Public
2625	* Address, which hci_is_identity_address() checks for.
2626	*/
2627	if (!bacmp(ba1: &info->bdaddr, BDADDR_ANY) ||
2628	!hci_is_identity_address(addr: &info->bdaddr, addr_type: info->addr_type)) {
2629	bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
2630	goto distribute;
2631	}
2632
2633	/* Drop IRK if peer is using identity address during pairing but is
2634	* providing different address as identity information.
2635	*
2636	* Microsoft Surface Precision Mouse is known to have this bug.
2637	*/
2638	if (hci_is_identity_address(addr: &hcon->dst, addr_type: hcon->dst_type) &&
2639	(bacmp(ba1: &info->bdaddr, ba2: &hcon->dst) ||
2640	info->addr_type != hcon->dst_type)) {
2641	bt_dev_err(hcon->hdev,
2642	"ignoring IRK with invalid identity address");
2643	goto distribute;
2644	}
2645
2646	bacpy(dst: &smp->id_addr, src: &info->bdaddr);
2647	smp->id_addr_type = info->addr_type;
2648
2649	if (hci_bdaddr_is_rpa(bdaddr: &hcon->dst, addr_type: hcon->dst_type))
2650	bacpy(dst: &rpa, src: &hcon->dst);
2651	else
2652	bacpy(dst: &rpa, BDADDR_ANY);
2653
2654	smp->remote_irk = hci_add_irk(hdev: conn->hcon->hdev, bdaddr: &smp->id_addr,
2655	addr_type: smp->id_addr_type, val: smp->irk, rpa: &rpa);
2656
2657	distribute:
2658	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2659	smp_distribute_keys(smp);
2660
2661	return 0;
2662	}
2663
2664	static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2665	{
2666	struct smp_cmd_sign_info *rp = (void *) skb->data;
2667	struct l2cap_chan *chan = conn->smp;
2668	struct smp_chan *smp = chan->data;
2669	struct smp_csrk *csrk;
2670
2671	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
2672
2673	if (skb->len < sizeof(*rp))
2674	return SMP_INVALID_PARAMS;
2675
2676	/* Mark the information as received */
2677	smp->remote_key_dist &= ~SMP_DIST_SIGN;
2678
2679	skb_pull(skb, len: sizeof(*rp));
2680
2681	csrk = kzalloc(size: sizeof(*csrk), GFP_KERNEL);
2682	if (csrk) {
2683	if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2684	csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2685	else
2686	csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2687	memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2688	}
2689	smp->csrk = csrk;
2690	smp_distribute_keys(smp);
2691
2692	return 0;
2693	}
2694
2695	static u8 sc_select_method(struct smp_chan *smp)
2696	{
2697	struct l2cap_conn *conn = smp->conn;
2698	struct hci_conn *hcon = conn->hcon;
2699	struct smp_cmd_pairing *local, *remote;
2700	u8 local_mitm, remote_mitm, local_io, remote_io, method;
2701
2702	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2703	test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2704	return REQ_OOB;
2705
2706	/* The preq/prsp contain the raw Pairing Request/Response PDUs
2707	* which are needed as inputs to some crypto functions. To get
2708	* the "struct smp_cmd_pairing" from them we need to skip the
2709	* first byte which contains the opcode.
2710	*/
2711	if (hcon->out) {
2712	local = (void *) &smp->preq[1];
2713	remote = (void *) &smp->prsp[1];
2714	} else {
2715	local = (void *) &smp->prsp[1];
2716	remote = (void *) &smp->preq[1];
2717	}
2718
2719	local_io = local->io_capability;
2720	remote_io = remote->io_capability;
2721
2722	local_mitm = (local->auth_req & SMP_AUTH_MITM);
2723	remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2724
2725	/* If either side wants MITM, look up the method from the table,
2726	* otherwise use JUST WORKS.
2727	*/
2728	if (local_mitm || remote_mitm)
2729	method = get_auth_method(smp, local_io, remote_io);
2730	else
2731	method = JUST_WORKS;
2732
2733	/* Don't confirm locally initiated pairing attempts */
2734	if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2735	method = JUST_WORKS;
2736
2737	return method;
2738	}
2739
2740	static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2741	{
2742	struct smp_cmd_public_key *key = (void *) skb->data;
2743	struct hci_conn *hcon = conn->hcon;
2744	struct l2cap_chan *chan = conn->smp;
2745	struct smp_chan *smp = chan->data;
2746	struct hci_dev *hdev = hcon->hdev;
2747	struct crypto_kpp *tfm_ecdh;
2748	struct smp_cmd_pairing_confirm cfm;
2749	int err;
2750
2751	bt_dev_dbg(hdev, "conn %p", conn);
2752
2753	if (skb->len < sizeof(*key))
2754	return SMP_INVALID_PARAMS;
2755
2756	/* Check if remote and local public keys are the same and debug key is
2757	* not in use.
2758	*/
2759	if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) &&
2760	!crypto_memneq(a: key, b: smp->local_pk, size: 64)) {
2761	bt_dev_err(hdev, "Remote and local public keys are identical");
2762	return SMP_UNSPECIFIED;
2763	}
2764
2765	memcpy(smp->remote_pk, key, 64);
2766
2767	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2768	err = smp_f4(tfm_cmac: smp->tfm_cmac, u: smp->remote_pk, v: smp->remote_pk,
2769	x: smp->rr, z: 0, res: cfm.confirm_val);
2770	if (err)
2771	return SMP_UNSPECIFIED;
2772
2773	if (crypto_memneq(a: cfm.confirm_val, b: smp->pcnf, size: 16))
2774	return SMP_CONFIRM_FAILED;
2775	}
2776
2777	/* Non-initiating device sends its public key after receiving
2778	* the key from the initiating device.
2779	*/
2780	if (!hcon->out) {
2781	err = sc_send_public_key(smp);
2782	if (err)
2783	return err;
2784	}
2785
2786	SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2787	SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2788
2789	/* Compute the shared secret on the same crypto tfm on which the private
2790	* key was set/generated.
2791	*/
2792	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
2793	struct l2cap_chan *hchan = hdev->smp_data;
2794	struct smp_dev *smp_dev;
2795
2796	if (!hchan || !hchan->data)
2797	return SMP_UNSPECIFIED;
2798
2799	smp_dev = hchan->data;
2800
2801	tfm_ecdh = smp_dev->tfm_ecdh;
2802	} else {
2803	tfm_ecdh = smp->tfm_ecdh;
2804	}
2805
2806	if (compute_ecdh_secret(tfm: tfm_ecdh, pair_public_key: smp->remote_pk, secret: smp->dhkey))
2807	return SMP_UNSPECIFIED;
2808
2809	SMP_DBG("DHKey %32phN", smp->dhkey);
2810
2811	set_bit(nr: SMP_FLAG_REMOTE_PK, addr: &smp->flags);
2812
2813	smp->method = sc_select_method(smp);
2814
2815	bt_dev_dbg(hdev, "selected method 0x%02x", smp->method);
2816
2817	/* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2818	if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2819	hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2820	else
2821	hcon->pending_sec_level = BT_SECURITY_FIPS;
2822
2823	if (!crypto_memneq(a: debug_pk, b: smp->remote_pk, size: 64))
2824	set_bit(nr: SMP_FLAG_DEBUG_KEY, addr: &smp->flags);
2825
2826	if (smp->method == DSP_PASSKEY) {
2827	get_random_bytes(buf: &hcon->passkey_notify,
2828	len: sizeof(hcon->passkey_notify));
2829	hcon->passkey_notify %= 1000000;
2830	hcon->passkey_entered = 0;
2831	smp->passkey_round = 0;
2832	if (mgmt_user_passkey_notify(hdev, bdaddr: &hcon->dst, link_type: hcon->type,
2833	addr_type: hcon->dst_type,
2834	passkey: hcon->passkey_notify,
2835	entered: hcon->passkey_entered))
2836	return SMP_UNSPECIFIED;
2837	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2838	return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2839	}
2840
2841	if (smp->method == REQ_OOB) {
2842	if (hcon->out)
2843	smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2844	len: sizeof(smp->prnd), data: smp->prnd);
2845
2846	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2847
2848	return 0;
2849	}
2850
2851	if (hcon->out)
2852	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2853
2854	if (smp->method == REQ_PASSKEY) {
2855	if (mgmt_user_passkey_request(hdev, bdaddr: &hcon->dst, link_type: hcon->type,
2856	addr_type: hcon->dst_type))
2857	return SMP_UNSPECIFIED;
2858	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2859	set_bit(nr: SMP_FLAG_WAIT_USER, addr: &smp->flags);
2860	return 0;
2861	}
2862
2863	/* The Initiating device waits for the non-initiating device to
2864	* send the confirm value.
2865	*/
2866	if (conn->hcon->out)
2867	return 0;
2868
2869	err = smp_f4(tfm_cmac: smp->tfm_cmac, u: smp->local_pk, v: smp->remote_pk, x: smp->prnd,
2870	z: 0, res: cfm.confirm_val);
2871	if (err)
2872	return SMP_UNSPECIFIED;
2873
2874	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, len: sizeof(cfm), data: &cfm);
2875	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2876
2877	return 0;
2878	}
2879
2880	static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2881	{
2882	struct smp_cmd_dhkey_check *check = (void *) skb->data;
2883	struct l2cap_chan *chan = conn->smp;
2884	struct hci_conn *hcon = conn->hcon;
2885	struct smp_chan *smp = chan->data;
2886	u8 a[7], b[7], *local_addr, *remote_addr;
2887	u8 io_cap[3], r[16], e[16];
2888	int err;
2889
2890	bt_dev_dbg(hcon->hdev, "conn %p", conn);
2891
2892	if (skb->len < sizeof(*check))
2893	return SMP_INVALID_PARAMS;
2894
2895	memcpy(a, &hcon->init_addr, 6);
2896	memcpy(b, &hcon->resp_addr, 6);
2897	a[6] = hcon->init_addr_type;
2898	b[6] = hcon->resp_addr_type;
2899
2900	if (hcon->out) {
2901	local_addr = a;
2902	remote_addr = b;
2903	memcpy(io_cap, &smp->prsp[1], 3);
2904	} else {
2905	local_addr = b;
2906	remote_addr = a;
2907	memcpy(io_cap, &smp->preq[1], 3);
2908	}
2909
2910	memset(r, 0, sizeof(r));
2911
2912	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2913	put_unaligned_le32(val: hcon->passkey_notify, p: r);
2914	else if (smp->method == REQ_OOB)
2915	memcpy(r, smp->lr, 16);
2916
2917	err = smp_f6(tfm_cmac: smp->tfm_cmac, w: smp->mackey, n1: smp->rrnd, n2: smp->prnd, r,
2918	io_cap, a1: remote_addr, a2: local_addr, res: e);
2919	if (err)
2920	return SMP_UNSPECIFIED;
2921
2922	if (crypto_memneq(a: check->e, b: e, size: 16))
2923	return SMP_DHKEY_CHECK_FAILED;
2924
2925	if (!hcon->out) {
2926	if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2927	set_bit(nr: SMP_FLAG_DHKEY_PENDING, addr: &smp->flags);
2928	return 0;
2929	}
2930
2931	/* Responder sends DHKey check as response to initiator */
2932	sc_dhkey_check(smp);
2933	}
2934
2935	sc_add_ltk(smp);
2936
2937	if (hcon->out) {
2938	hci_le_start_enc(conn: hcon, ediv: 0, rand: 0, ltk: smp->tk, key_size: smp->enc_key_size);
2939	hcon->enc_key_size = smp->enc_key_size;
2940	}
2941
2942	return 0;
2943	}
2944
2945	static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2946	struct sk_buff *skb)
2947	{
2948	struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2949
2950	bt_dev_dbg(conn->hcon->hdev, "value 0x%02x", kp->value);
2951
2952	return 0;
2953	}
2954
2955	static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2956	{
2957	struct l2cap_conn *conn = chan->conn;
2958	struct hci_conn *hcon = conn->hcon;
2959	struct smp_chan *smp;
2960	__u8 code, reason;
2961	int err = 0;
2962
2963	if (skb->len < 1)
2964	return -EILSEQ;
2965
2966	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2967	reason = SMP_PAIRING_NOTSUPP;
2968	goto done;
2969	}
2970
2971	code = skb->data[0];
2972	skb_pull(skb, len: sizeof(code));
2973
2974	smp = chan->data;
2975
2976	if (code > SMP_CMD_MAX)
2977	goto drop;
2978
2979	if (smp && !test_and_clear_bit(nr: code, addr: &smp->allow_cmd))
2980	goto drop;
2981
2982	/* If we don't have a context the only allowed commands are
2983	* pairing request and security request.
2984	*/
2985	if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2986	goto drop;
2987
2988	switch (code) {
2989	case SMP_CMD_PAIRING_REQ:
2990	reason = smp_cmd_pairing_req(conn, skb);
2991	break;
2992
2993	case SMP_CMD_PAIRING_FAIL:
2994	smp_failure(conn, reason: 0);
2995	err = -EPERM;
2996	break;
2997
2998	case SMP_CMD_PAIRING_RSP:
2999	reason = smp_cmd_pairing_rsp(conn, skb);
3000	break;
3001
3002	case SMP_CMD_SECURITY_REQ:
3003	reason = smp_cmd_security_req(conn, skb);
3004	break;
3005
3006	case SMP_CMD_PAIRING_CONFIRM:
3007	reason = smp_cmd_pairing_confirm(conn, skb);
3008	break;
3009
3010	case SMP_CMD_PAIRING_RANDOM:
3011	reason = smp_cmd_pairing_random(conn, skb);
3012	break;
3013
3014	case SMP_CMD_ENCRYPT_INFO:
3015	reason = smp_cmd_encrypt_info(conn, skb);
3016	break;
3017
3018	case SMP_CMD_INITIATOR_IDENT:
3019	reason = smp_cmd_initiator_ident(conn, skb);
3020	break;
3021
3022	case SMP_CMD_IDENT_INFO:
3023	reason = smp_cmd_ident_info(conn, skb);
3024	break;
3025
3026	case SMP_CMD_IDENT_ADDR_INFO:
3027	reason = smp_cmd_ident_addr_info(conn, skb);
3028	break;
3029
3030	case SMP_CMD_SIGN_INFO:
3031	reason = smp_cmd_sign_info(conn, skb);
3032	break;
3033
3034	case SMP_CMD_PUBLIC_KEY:
3035	reason = smp_cmd_public_key(conn, skb);
3036	break;
3037
3038	case SMP_CMD_DHKEY_CHECK:
3039	reason = smp_cmd_dhkey_check(conn, skb);
3040	break;
3041
3042	case SMP_CMD_KEYPRESS_NOTIFY:
3043	reason = smp_cmd_keypress_notify(conn, skb);
3044	break;
3045
3046	default:
3047	bt_dev_dbg(hcon->hdev, "Unknown command code 0x%2.2x", code);
3048	reason = SMP_CMD_NOTSUPP;
3049	goto done;
3050	}
3051
3052	done:
3053	if (!err) {
3054	if (reason)
3055	smp_failure(conn, reason);
3056	kfree_skb(skb);
3057	}
3058
3059	return err;
3060
3061	drop:
3062	bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
3063	code, &hcon->dst);
3064	kfree_skb(skb);
3065	return 0;
3066	}
3067
3068	static void smp_teardown_cb(struct l2cap_chan *chan, int err)
3069	{
3070	struct l2cap_conn *conn = chan->conn;
3071
3072	bt_dev_dbg(conn->hcon->hdev, "chan %p", chan);
3073
3074	if (chan->data)
3075	smp_chan_destroy(conn);
3076
3077	conn->smp = NULL;
3078	l2cap_chan_put(c: chan);
3079	}
3080
3081	static void bredr_pairing(struct l2cap_chan *chan)
3082	{
3083	struct l2cap_conn *conn = chan->conn;
3084	struct hci_conn *hcon = conn->hcon;
3085	struct hci_dev *hdev = hcon->hdev;
3086	struct smp_cmd_pairing req;
3087	struct smp_chan *smp;
3088
3089	bt_dev_dbg(hdev, "chan %p", chan);
3090
3091	/* Only new pairings are interesting */
3092	if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
3093	return;
3094
3095	/* Don't bother if we're not encrypted */
3096	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3097	return;
3098
3099	/* Only initiator may initiate SMP over BR/EDR */
3100	if (hcon->role != HCI_ROLE_MASTER)
3101	return;
3102
3103	/* Secure Connections support must be enabled */
3104	if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
3105	return;
3106
3107	/* BR/EDR must use Secure Connections for SMP */
3108	if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
3109	!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3110	return;
3111
3112	/* If our LE support is not enabled don't do anything */
3113	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3114	return;
3115
3116	/* Don't bother if remote LE support is not enabled */
3117	if (!lmp_host_le_capable(hcon))
3118	return;
3119
3120	/* Remote must support SMP fixed chan for BR/EDR */
3121	if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3122	return;
3123
3124	/* Don't bother if SMP is already ongoing */
3125	if (chan->data)
3126	return;
3127
3128	smp = smp_chan_create(conn);
3129	if (!smp) {
3130	bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
3131	return;
3132	}
3133
3134	set_bit(nr: SMP_FLAG_SC, addr: &smp->flags);
3135
3136	bt_dev_dbg(hdev, "starting SMP over BR/EDR");
3137
3138	/* Prepare and send the BR/EDR SMP Pairing Request */
3139	build_bredr_pairing_cmd(smp, req: &req, NULL);
3140
3141	smp->preq[0] = SMP_CMD_PAIRING_REQ;
3142	memcpy(&smp->preq[1], &req, sizeof(req));
3143
3144	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, len: sizeof(req), data: &req);
3145	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3146	}
3147
3148	static void smp_resume_cb(struct l2cap_chan *chan)
3149	{
3150	struct smp_chan *smp = chan->data;
3151	struct l2cap_conn *conn = chan->conn;
3152	struct hci_conn *hcon = conn->hcon;
3153
3154	bt_dev_dbg(hcon->hdev, "chan %p", chan);
3155
3156	if (hcon->type == ACL_LINK) {
3157	bredr_pairing(chan);
3158	return;
3159	}
3160
3161	if (!smp)
3162	return;
3163
3164	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3165	return;
3166
3167	cancel_delayed_work(dwork: &smp->security_timer);
3168
3169	smp_distribute_keys(smp);
3170	}
3171
3172	static void smp_ready_cb(struct l2cap_chan *chan)
3173	{
3174	struct l2cap_conn *conn = chan->conn;
3175	struct hci_conn *hcon = conn->hcon;
3176
3177	bt_dev_dbg(hcon->hdev, "chan %p", chan);
3178
3179	/* No need to call l2cap_chan_hold() here since we already own
3180	* the reference taken in smp_new_conn_cb(). This is just the
3181	* first time that we tie it to a specific pointer. The code in
3182	* l2cap_core.c ensures that there's no risk this function wont
3183	* get called if smp_new_conn_cb was previously called.
3184	*/
3185	conn->smp = chan;
3186
3187	if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3188	bredr_pairing(chan);
3189	}
3190
3191	static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3192	{
3193	int err;
3194
3195	bt_dev_dbg(chan->conn->hcon->hdev, "chan %p", chan);
3196
3197	err = smp_sig_channel(chan, skb);
3198	if (err) {
3199	struct smp_chan *smp = chan->data;
3200
3201	if (smp)
3202	cancel_delayed_work_sync(dwork: &smp->security_timer);
3203
3204	hci_disconnect(conn: chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3205	}
3206
3207	return err;
3208	}
3209
3210	static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3211	unsigned long hdr_len,
3212	unsigned long len, int nb)
3213	{
3214	struct sk_buff *skb;
3215
3216	skb = bt_skb_alloc(len: hdr_len + len, GFP_KERNEL);
3217	if (!skb)
3218	return ERR_PTR(error: -ENOMEM);
3219
3220	skb->priority = HCI_PRIO_MAX;
3221	bt_cb(skb)->l2cap.chan = chan;
3222
3223	return skb;
3224	}
3225
3226	static const struct l2cap_ops smp_chan_ops = {
3227	.name = "Security Manager",
3228	.ready = smp_ready_cb,
3229	.recv = smp_recv_cb,
3230	.alloc_skb = smp_alloc_skb_cb,
3231	.teardown = smp_teardown_cb,
3232	.resume = smp_resume_cb,
3233
3234	.new_connection = l2cap_chan_no_new_connection,
3235	.state_change = l2cap_chan_no_state_change,
3236	.close = l2cap_chan_no_close,
3237	.defer = l2cap_chan_no_defer,
3238	.suspend = l2cap_chan_no_suspend,
3239	.set_shutdown = l2cap_chan_no_set_shutdown,
3240	.get_sndtimeo = l2cap_chan_no_get_sndtimeo,
3241	};
3242
3243	static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3244	{
3245	struct l2cap_chan *chan;
3246
3247	BT_DBG("pchan %p", pchan);
3248
3249	chan = l2cap_chan_create();
3250	if (!chan)
3251	return NULL;
3252
3253	chan->chan_type = pchan->chan_type;
3254	chan->ops = &smp_chan_ops;
3255	chan->scid = pchan->scid;
3256	chan->dcid = chan->scid;
3257	chan->imtu = pchan->imtu;
3258	chan->omtu = pchan->omtu;
3259	chan->mode = pchan->mode;
3260
3261	/* Other L2CAP channels may request SMP routines in order to
3262	* change the security level. This means that the SMP channel
3263	* lock must be considered in its own category to avoid lockdep
3264	* warnings.
3265	*/
3266	atomic_set(v: &chan->nesting, i: L2CAP_NESTING_SMP);
3267
3268	BT_DBG("created chan %p", chan);
3269
3270	return chan;
3271	}
3272
3273	static const struct l2cap_ops smp_root_chan_ops = {
3274	.name = "Security Manager Root",
3275	.new_connection = smp_new_conn_cb,
3276
3277	/* None of these are implemented for the root channel */
3278	.close = l2cap_chan_no_close,
3279	.alloc_skb = l2cap_chan_no_alloc_skb,
3280	.recv = l2cap_chan_no_recv,
3281	.state_change = l2cap_chan_no_state_change,
3282	.teardown = l2cap_chan_no_teardown,
3283	.ready = l2cap_chan_no_ready,
3284	.defer = l2cap_chan_no_defer,
3285	.suspend = l2cap_chan_no_suspend,
3286	.resume = l2cap_chan_no_resume,
3287	.set_shutdown = l2cap_chan_no_set_shutdown,
3288	.get_sndtimeo = l2cap_chan_no_get_sndtimeo,
3289	};
3290
3291	static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3292	{
3293	struct l2cap_chan *chan;
3294	struct smp_dev *smp;
3295	struct crypto_shash *tfm_cmac;
3296	struct crypto_kpp *tfm_ecdh;
3297
3298	if (cid == L2CAP_CID_SMP_BREDR) {
3299	smp = NULL;
3300	goto create_chan;
3301	}
3302
3303	smp = kzalloc(size: sizeof(*smp), GFP_KERNEL);
3304	if (!smp)
3305	return ERR_PTR(error: -ENOMEM);
3306
3307	tfm_cmac = crypto_alloc_shash(alg_name: "cmac(aes)", type: 0, mask: 0);
3308	if (IS_ERR(ptr: tfm_cmac)) {
3309	bt_dev_err(hdev, "Unable to create CMAC crypto context");
3310	kfree_sensitive(objp: smp);
3311	return ERR_CAST(ptr: tfm_cmac);
3312	}
3313
3314	tfm_ecdh = crypto_alloc_kpp(alg_name: "ecdh-nist-p256", type: 0, mask: 0);
3315	if (IS_ERR(ptr: tfm_ecdh)) {
3316	bt_dev_err(hdev, "Unable to create ECDH crypto context");
3317	crypto_free_shash(tfm: tfm_cmac);
3318	kfree_sensitive(objp: smp);
3319	return ERR_CAST(ptr: tfm_ecdh);
3320	}
3321
3322	smp->local_oob = false;
3323	smp->tfm_cmac = tfm_cmac;
3324	smp->tfm_ecdh = tfm_ecdh;
3325
3326	create_chan:
3327	chan = l2cap_chan_create();
3328	if (!chan) {
3329	if (smp) {
3330	crypto_free_shash(tfm: smp->tfm_cmac);
3331	crypto_free_kpp(tfm: smp->tfm_ecdh);
3332	kfree_sensitive(objp: smp);
3333	}
3334	return ERR_PTR(error: -ENOMEM);
3335	}
3336
3337	chan->data = smp;
3338
3339	l2cap_add_scid(chan, scid: cid);
3340
3341	l2cap_chan_set_defaults(chan);
3342
3343	if (cid == L2CAP_CID_SMP) {
3344	u8 bdaddr_type;
3345
3346	hci_copy_identity_address(hdev, bdaddr: &chan->src, bdaddr_type: &bdaddr_type);
3347
3348	if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3349	chan->src_type = BDADDR_LE_PUBLIC;
3350	else
3351	chan->src_type = BDADDR_LE_RANDOM;
3352	} else {
3353	bacpy(dst: &chan->src, src: &hdev->bdaddr);
3354	chan->src_type = BDADDR_BREDR;
3355	}
3356
3357	chan->state = BT_LISTEN;
3358	chan->mode = L2CAP_MODE_BASIC;
3359	chan->imtu = L2CAP_DEFAULT_MTU;
3360	chan->ops = &smp_root_chan_ops;
3361
3362	/* Set correct nesting level for a parent/listening channel */
3363	atomic_set(v: &chan->nesting, i: L2CAP_NESTING_PARENT);
3364
3365	return chan;
3366	}
3367
3368	static void smp_del_chan(struct l2cap_chan *chan)
3369	{
3370	struct smp_dev *smp;
3371
3372	BT_DBG("chan %p", chan);
3373
3374	smp = chan->data;
3375	if (smp) {
3376	chan->data = NULL;
3377	crypto_free_shash(tfm: smp->tfm_cmac);
3378	crypto_free_kpp(tfm: smp->tfm_ecdh);
3379	kfree_sensitive(objp: smp);
3380	}
3381
3382	l2cap_chan_put(c: chan);
3383	}
3384
3385	int smp_force_bredr(struct hci_dev *hdev, bool enable)
3386	{
3387	if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3388	return -EALREADY;
3389
3390	if (enable) {
3391	struct l2cap_chan *chan;
3392
3393	chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3394	if (IS_ERR(ptr: chan))
3395	return PTR_ERR(ptr: chan);
3396
3397	hdev->smp_bredr_data = chan;
3398	} else {
3399	struct l2cap_chan *chan;
3400
3401	chan = hdev->smp_bredr_data;
3402	hdev->smp_bredr_data = NULL;
3403	smp_del_chan(chan);
3404	}
3405
3406	hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3407
3408	return 0;
3409	}
3410
3411	int smp_register(struct hci_dev *hdev)
3412	{
3413	struct l2cap_chan *chan;
3414
3415	bt_dev_dbg(hdev, "");
3416
3417	/* If the controller does not support Low Energy operation, then
3418	* there is also no need to register any SMP channel.
3419	*/
3420	if (!lmp_le_capable(hdev))
3421	return 0;
3422
3423	if (WARN_ON(hdev->smp_data)) {
3424	chan = hdev->smp_data;
3425	hdev->smp_data = NULL;
3426	smp_del_chan(chan);
3427	}
3428
3429	chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3430	if (IS_ERR(ptr: chan))
3431	return PTR_ERR(ptr: chan);
3432
3433	hdev->smp_data = chan;
3434
3435	if (!lmp_sc_capable(hdev)) {
3436	/* Flag can be already set here (due to power toggle) */
3437	if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3438	return 0;
3439	}
3440
3441	if (WARN_ON(hdev->smp_bredr_data)) {
3442	chan = hdev->smp_bredr_data;
3443	hdev->smp_bredr_data = NULL;
3444	smp_del_chan(chan);
3445	}
3446
3447	chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3448	if (IS_ERR(ptr: chan)) {
3449	int err = PTR_ERR(ptr: chan);
3450	chan = hdev->smp_data;
3451	hdev->smp_data = NULL;
3452	smp_del_chan(chan);
3453	return err;
3454	}
3455
3456	hdev->smp_bredr_data = chan;
3457
3458	return 0;
3459	}
3460
3461	void smp_unregister(struct hci_dev *hdev)
3462	{
3463	struct l2cap_chan *chan;
3464
3465	if (hdev->smp_bredr_data) {
3466	chan = hdev->smp_bredr_data;
3467	hdev->smp_bredr_data = NULL;
3468	smp_del_chan(chan);
3469	}
3470
3471	if (hdev->smp_data) {
3472	chan = hdev->smp_data;
3473	hdev->smp_data = NULL;
3474	smp_del_chan(chan);
3475	}
3476	}
3477
3478	#if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3479
3480	static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
3481	{
3482	u8 pk[64];
3483	int err;
3484
3485	err = set_ecdh_privkey(tfm: tfm_ecdh, private_key: debug_sk);
3486	if (err)
3487	return err;
3488
3489	err = generate_ecdh_public_key(tfm: tfm_ecdh, public_key: pk);
3490	if (err)
3491	return err;
3492
3493	if (crypto_memneq(a: pk, b: debug_pk, size: 64))
3494	return -EINVAL;
3495
3496	return 0;
3497	}
3498
3499	static int __init test_ah(void)
3500	{
3501	const u8 irk[16] = {
3502	0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3503	0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3504	const u8 r[3] = { 0x94, 0x81, 0x70 };
3505	const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3506	u8 res[3];
3507	int err;
3508
3509	err = smp_ah(irk, r, res);
3510	if (err)
3511	return err;
3512
3513	if (crypto_memneq(a: res, b: exp, size: 3))
3514	return -EINVAL;
3515
3516	return 0;
3517	}
3518
3519	static int __init test_c1(void)
3520	{
3521	const u8 k[16] = {
3522	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3523	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3524	const u8 r[16] = {
3525	0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3526	0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3527	const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3528	const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3529	const u8 _iat = 0x01;
3530	const u8 _rat = 0x00;
3531	const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3532	const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3533	const u8 exp[16] = {
3534	0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3535	0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3536	u8 res[16];
3537	int err;
3538
3539	err = smp_c1(k, r, preq, pres, _iat, ia: &ia, _rat, ra: &ra, res);
3540	if (err)
3541	return err;
3542
3543	if (crypto_memneq(a: res, b: exp, size: 16))
3544	return -EINVAL;
3545
3546	return 0;
3547	}
3548
3549	static int __init test_s1(void)
3550	{
3551	const u8 k[16] = {
3552	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3553	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3554	const u8 r1[16] = {
3555	0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3556	const u8 r2[16] = {
3557	0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3558	const u8 exp[16] = {
3559	0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3560	0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3561	u8 res[16];
3562	int err;
3563
3564	err = smp_s1(k, r1, r2, r: res);
3565	if (err)
3566	return err;
3567
3568	if (crypto_memneq(a: res, b: exp, size: 16))
3569	return -EINVAL;
3570
3571	return 0;
3572	}
3573
3574	static int __init test_f4(struct crypto_shash *tfm_cmac)
3575	{
3576	const u8 u[32] = {
3577	0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3578	0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3579	0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3580	0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3581	const u8 v[32] = {
3582	0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3583	0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3584	0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3585	0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3586	const u8 x[16] = {
3587	0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3588	0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3589	const u8 z = 0x00;
3590	const u8 exp[16] = {
3591	0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3592	0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3593	u8 res[16];
3594	int err;
3595
3596	err = smp_f4(tfm_cmac, u, v, x, z, res);
3597	if (err)
3598	return err;
3599
3600	if (crypto_memneq(a: res, b: exp, size: 16))
3601	return -EINVAL;
3602
3603	return 0;
3604	}
3605
3606	static int __init test_f5(struct crypto_shash *tfm_cmac)
3607	{
3608	const u8 w[32] = {
3609	0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3610	0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3611	0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3612	0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3613	const u8 n1[16] = {
3614	0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3615	0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3616	const u8 n2[16] = {
3617	0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3618	0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3619	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3620	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3621	const u8 exp_ltk[16] = {
3622	0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3623	0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3624	const u8 exp_mackey[16] = {
3625	0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3626	0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3627	u8 mackey[16], ltk[16];
3628	int err;
3629
3630	err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3631	if (err)
3632	return err;
3633
3634	if (crypto_memneq(a: mackey, b: exp_mackey, size: 16))
3635	return -EINVAL;
3636
3637	if (crypto_memneq(a: ltk, b: exp_ltk, size: 16))
3638	return -EINVAL;
3639
3640	return 0;
3641	}
3642
3643	static int __init test_f6(struct crypto_shash *tfm_cmac)
3644	{
3645	const u8 w[16] = {
3646	0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3647	0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3648	const u8 n1[16] = {
3649	0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3650	0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3651	const u8 n2[16] = {
3652	0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3653	0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3654	const u8 r[16] = {
3655	0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3656	0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3657	const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3658	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3659	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3660	const u8 exp[16] = {
3661	0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3662	0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3663	u8 res[16];
3664	int err;
3665
3666	err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3667	if (err)
3668	return err;
3669
3670	if (crypto_memneq(a: res, b: exp, size: 16))
3671	return -EINVAL;
3672
3673	return 0;
3674	}
3675
3676	static int __init test_g2(struct crypto_shash *tfm_cmac)
3677	{
3678	const u8 u[32] = {
3679	0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3680	0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3681	0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3682	0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3683	const u8 v[32] = {
3684	0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3685	0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3686	0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3687	0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3688	const u8 x[16] = {
3689	0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3690	0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3691	const u8 y[16] = {
3692	0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3693	0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3694	const u32 exp_val = 0x2f9ed5ba % 1000000;
3695	u32 val;
3696	int err;
3697
3698	err = smp_g2(tfm_cmac, u, v, x, y, val: &val);
3699	if (err)
3700	return err;
3701
3702	if (val != exp_val)
3703	return -EINVAL;
3704
3705	return 0;
3706	}
3707
3708	static int __init test_h6(struct crypto_shash *tfm_cmac)
3709	{
3710	const u8 w[16] = {
3711	0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3712	0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3713	const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3714	const u8 exp[16] = {
3715	0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3716	0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3717	u8 res[16];
3718	int err;
3719
3720	err = smp_h6(tfm_cmac, w, key_id, res);
3721	if (err)
3722	return err;
3723
3724	if (crypto_memneq(a: res, b: exp, size: 16))
3725	return -EINVAL;
3726
3727	return 0;
3728	}
3729
3730	static char test_smp_buffer[32];
3731
3732	static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3733	size_t count, loff_t *ppos)
3734	{
3735	return simple_read_from_buffer(to: user_buf, count, ppos, from: test_smp_buffer,
3736	strlen(test_smp_buffer));
3737	}
3738
3739	static const struct file_operations test_smp_fops = {
3740	.open = simple_open,
3741	.read = test_smp_read,
3742	.llseek = default_llseek,
3743	};
3744
3745	static int __init run_selftests(struct crypto_shash *tfm_cmac,
3746	struct crypto_kpp *tfm_ecdh)
3747	{
3748	ktime_t calltime, delta, rettime;
3749	unsigned long long duration;
3750	int err;
3751
3752	calltime = ktime_get();
3753
3754	err = test_debug_key(tfm_ecdh);
3755	if (err) {
3756	BT_ERR("debug_key test failed");
3757	goto done;
3758	}
3759
3760	err = test_ah();
3761	if (err) {
3762	BT_ERR("smp_ah test failed");
3763	goto done;
3764	}
3765
3766	err = test_c1();
3767	if (err) {
3768	BT_ERR("smp_c1 test failed");
3769	goto done;
3770	}
3771
3772	err = test_s1();
3773	if (err) {
3774	BT_ERR("smp_s1 test failed");
3775	goto done;
3776	}
3777
3778	err = test_f4(tfm_cmac);
3779	if (err) {
3780	BT_ERR("smp_f4 test failed");
3781	goto done;
3782	}
3783
3784	err = test_f5(tfm_cmac);
3785	if (err) {
3786	BT_ERR("smp_f5 test failed");
3787	goto done;
3788	}
3789
3790	err = test_f6(tfm_cmac);
3791	if (err) {
3792	BT_ERR("smp_f6 test failed");
3793	goto done;
3794	}
3795
3796	err = test_g2(tfm_cmac);
3797	if (err) {
3798	BT_ERR("smp_g2 test failed");
3799	goto done;
3800	}
3801
3802	err = test_h6(tfm_cmac);
3803	if (err) {
3804	BT_ERR("smp_h6 test failed");
3805	goto done;
3806	}
3807
3808	rettime = ktime_get();
3809	delta = ktime_sub(rettime, calltime);
3810	duration = (unsigned long long) ktime_to_ns(kt: delta) >> 10;
3811
3812	BT_INFO("SMP test passed in %llu usecs", duration);
3813
3814	done:
3815	if (!err)
3816	snprintf(buf: test_smp_buffer, size: sizeof(test_smp_buffer),
3817	fmt: "PASS (%llu usecs)\n", duration);
3818	else
3819	snprintf(buf: test_smp_buffer, size: sizeof(test_smp_buffer), fmt: "FAIL\n");
3820
3821	debugfs_create_file(name: "selftest_smp", mode: 0444, parent: bt_debugfs, NULL,
3822	fops: &test_smp_fops);
3823
3824	return err;
3825	}
3826
3827	int __init bt_selftest_smp(void)
3828	{
3829	struct crypto_shash *tfm_cmac;
3830	struct crypto_kpp *tfm_ecdh;
3831	int err;
3832
3833	tfm_cmac = crypto_alloc_shash(alg_name: "cmac(aes)", type: 0, mask: 0);
3834	if (IS_ERR(ptr: tfm_cmac)) {
3835	BT_ERR("Unable to create CMAC crypto context");
3836	return PTR_ERR(ptr: tfm_cmac);
3837	}
3838
3839	tfm_ecdh = crypto_alloc_kpp(alg_name: "ecdh-nist-p256", type: 0, mask: 0);
3840	if (IS_ERR(ptr: tfm_ecdh)) {
3841	BT_ERR("Unable to create ECDH crypto context");
3842	crypto_free_shash(tfm: tfm_cmac);
3843	return PTR_ERR(ptr: tfm_ecdh);
3844	}
3845
3846	err = run_selftests(tfm_cmac, tfm_ecdh);
3847
3848	crypto_free_shash(tfm: tfm_cmac);
3849	crypto_free_kpp(tfm: tfm_ecdh);
3850
3851	return err;
3852	}
3853
3854	#endif
3855