xref: /linux/net/bluetooth/smp.c (revision 088e88be5a380cc4e81963a9a02815da465d144f)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4 
5    This program is free software; you can redistribute it and/or modify
6    it under the terms of the GNU General Public License version 2 as
7    published by the Free Software Foundation;
8 
9    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 
18    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20    SOFTWARE IS DISCLAIMED.
21 */
22 
23 #include <linux/debugfs.h>
24 #include <linux/scatterlist.h>
25 #include <linux/crypto.h>
26 #include <crypto/algapi.h>
27 #include <crypto/b128ops.h>
28 #include <crypto/hash.h>
29 #include <crypto/kpp.h>
30 
31 #include <net/bluetooth/bluetooth.h>
32 #include <net/bluetooth/hci_core.h>
33 #include <net/bluetooth/l2cap.h>
34 #include <net/bluetooth/mgmt.h>
35 
36 #include "ecdh_helper.h"
37 #include "smp.h"
38 
39 #define SMP_DEV(hdev) \
40 	((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
41 
42 /* Low-level debug macros to be used for stuff that we don't want
43  * accidentially in dmesg, i.e. the values of the various crypto keys
44  * and the inputs & outputs of crypto functions.
45  */
46 #ifdef DEBUG
47 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
48 				 ##__VA_ARGS__)
49 #else
50 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
51 				    ##__VA_ARGS__)
52 #endif
53 
54 #define SMP_ALLOW_CMD(smp, code)	set_bit(code, &smp->allow_cmd)
55 
56 /* Keys which are not distributed with Secure Connections */
57 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
58 
59 #define SMP_TIMEOUT	msecs_to_jiffies(30000)
60 
61 #define AUTH_REQ_MASK(dev)	(hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
62 				 0x3f : 0x07)
63 #define KEY_DIST_MASK		0x07
64 
65 /* Maximum message length that can be passed to aes_cmac */
66 #define CMAC_MSG_MAX	80
67 
68 enum {
69 	SMP_FLAG_TK_VALID,
70 	SMP_FLAG_CFM_PENDING,
71 	SMP_FLAG_MITM_AUTH,
72 	SMP_FLAG_COMPLETE,
73 	SMP_FLAG_INITIATOR,
74 	SMP_FLAG_SC,
75 	SMP_FLAG_REMOTE_PK,
76 	SMP_FLAG_DEBUG_KEY,
77 	SMP_FLAG_WAIT_USER,
78 	SMP_FLAG_DHKEY_PENDING,
79 	SMP_FLAG_REMOTE_OOB,
80 	SMP_FLAG_LOCAL_OOB,
81 	SMP_FLAG_CT2,
82 };
83 
84 struct smp_dev {
85 	/* Secure Connections OOB data */
86 	bool			local_oob;
87 	u8			local_pk[64];
88 	u8			local_rand[16];
89 	bool			debug_key;
90 
91 	struct crypto_cipher	*tfm_aes;
92 	struct crypto_shash	*tfm_cmac;
93 	struct crypto_kpp	*tfm_ecdh;
94 };
95 
96 struct smp_chan {
97 	struct l2cap_conn	*conn;
98 	struct delayed_work	security_timer;
99 	unsigned long           allow_cmd; /* Bitmask of allowed commands */
100 
101 	u8		preq[7]; /* SMP Pairing Request */
102 	u8		prsp[7]; /* SMP Pairing Response */
103 	u8		prnd[16]; /* SMP Pairing Random (local) */
104 	u8		rrnd[16]; /* SMP Pairing Random (remote) */
105 	u8		pcnf[16]; /* SMP Pairing Confirm */
106 	u8		tk[16]; /* SMP Temporary Key */
107 	u8		rr[16]; /* Remote OOB ra/rb value */
108 	u8		lr[16]; /* Local OOB ra/rb value */
109 	u8		enc_key_size;
110 	u8		remote_key_dist;
111 	bdaddr_t	id_addr;
112 	u8		id_addr_type;
113 	u8		irk[16];
114 	struct smp_csrk	*csrk;
115 	struct smp_csrk	*slave_csrk;
116 	struct smp_ltk	*ltk;
117 	struct smp_ltk	*slave_ltk;
118 	struct smp_irk	*remote_irk;
119 	u8		*link_key;
120 	unsigned long	flags;
121 	u8		method;
122 	u8		passkey_round;
123 
124 	/* Secure Connections variables */
125 	u8			local_pk[64];
126 	u8			remote_pk[64];
127 	u8			dhkey[32];
128 	u8			mackey[16];
129 
130 	struct crypto_cipher	*tfm_aes;
131 	struct crypto_shash	*tfm_cmac;
132 	struct crypto_kpp	*tfm_ecdh;
133 };
134 
135 /* These debug key values are defined in the SMP section of the core
136  * specification. debug_pk is the public debug key and debug_sk the
137  * private debug key.
138  */
139 static const u8 debug_pk[64] = {
140 		0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
141 		0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
142 		0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
143 		0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
144 
145 		0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
146 		0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
147 		0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
148 		0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
149 };
150 
151 static const u8 debug_sk[32] = {
152 		0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
153 		0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
154 		0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
155 		0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
156 };
157 
158 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
159 {
160 	size_t i;
161 
162 	for (i = 0; i < len; i++)
163 		dst[len - 1 - i] = src[i];
164 }
165 
166 /* The following functions map to the LE SC SMP crypto functions
167  * AES-CMAC, f4, f5, f6, g2 and h6.
168  */
169 
170 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
171 		    size_t len, u8 mac[16])
172 {
173 	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
174 	SHASH_DESC_ON_STACK(desc, tfm);
175 	int err;
176 
177 	if (len > CMAC_MSG_MAX)
178 		return -EFBIG;
179 
180 	if (!tfm) {
181 		BT_ERR("tfm %p", tfm);
182 		return -EINVAL;
183 	}
184 
185 	desc->tfm = tfm;
186 
187 	/* Swap key and message from LSB to MSB */
188 	swap_buf(k, tmp, 16);
189 	swap_buf(m, msg_msb, len);
190 
191 	SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
192 	SMP_DBG("key %16phN", k);
193 
194 	err = crypto_shash_setkey(tfm, tmp, 16);
195 	if (err) {
196 		BT_ERR("cipher setkey failed: %d", err);
197 		return err;
198 	}
199 
200 	err = crypto_shash_digest(desc, msg_msb, len, mac_msb);
201 	shash_desc_zero(desc);
202 	if (err) {
203 		BT_ERR("Hash computation error %d", err);
204 		return err;
205 	}
206 
207 	swap_buf(mac_msb, mac, 16);
208 
209 	SMP_DBG("mac %16phN", mac);
210 
211 	return 0;
212 }
213 
214 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
215 		  const u8 v[32], const u8 x[16], u8 z, u8 res[16])
216 {
217 	u8 m[65];
218 	int err;
219 
220 	SMP_DBG("u %32phN", u);
221 	SMP_DBG("v %32phN", v);
222 	SMP_DBG("x %16phN z %02x", x, z);
223 
224 	m[0] = z;
225 	memcpy(m + 1, v, 32);
226 	memcpy(m + 33, u, 32);
227 
228 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
229 	if (err)
230 		return err;
231 
232 	SMP_DBG("res %16phN", res);
233 
234 	return err;
235 }
236 
237 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
238 		  const u8 n1[16], const u8 n2[16], const u8 a1[7],
239 		  const u8 a2[7], u8 mackey[16], u8 ltk[16])
240 {
241 	/* The btle, salt and length "magic" values are as defined in
242 	 * the SMP section of the Bluetooth core specification. In ASCII
243 	 * the btle value ends up being 'btle'. The salt is just a
244 	 * random number whereas length is the value 256 in little
245 	 * endian format.
246 	 */
247 	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
248 	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
249 			      0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
250 	const u8 length[2] = { 0x00, 0x01 };
251 	u8 m[53], t[16];
252 	int err;
253 
254 	SMP_DBG("w %32phN", w);
255 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
256 	SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
257 
258 	err = aes_cmac(tfm_cmac, salt, w, 32, t);
259 	if (err)
260 		return err;
261 
262 	SMP_DBG("t %16phN", t);
263 
264 	memcpy(m, length, 2);
265 	memcpy(m + 2, a2, 7);
266 	memcpy(m + 9, a1, 7);
267 	memcpy(m + 16, n2, 16);
268 	memcpy(m + 32, n1, 16);
269 	memcpy(m + 48, btle, 4);
270 
271 	m[52] = 0; /* Counter */
272 
273 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
274 	if (err)
275 		return err;
276 
277 	SMP_DBG("mackey %16phN", mackey);
278 
279 	m[52] = 1; /* Counter */
280 
281 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
282 	if (err)
283 		return err;
284 
285 	SMP_DBG("ltk %16phN", ltk);
286 
287 	return 0;
288 }
289 
290 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
291 		  const u8 n1[16], const u8 n2[16], const u8 r[16],
292 		  const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
293 		  u8 res[16])
294 {
295 	u8 m[65];
296 	int err;
297 
298 	SMP_DBG("w %16phN", w);
299 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
300 	SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
301 
302 	memcpy(m, a2, 7);
303 	memcpy(m + 7, a1, 7);
304 	memcpy(m + 14, io_cap, 3);
305 	memcpy(m + 17, r, 16);
306 	memcpy(m + 33, n2, 16);
307 	memcpy(m + 49, n1, 16);
308 
309 	err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
310 	if (err)
311 		return err;
312 
313 	SMP_DBG("res %16phN", res);
314 
315 	return err;
316 }
317 
318 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
319 		  const u8 x[16], const u8 y[16], u32 *val)
320 {
321 	u8 m[80], tmp[16];
322 	int err;
323 
324 	SMP_DBG("u %32phN", u);
325 	SMP_DBG("v %32phN", v);
326 	SMP_DBG("x %16phN y %16phN", x, y);
327 
328 	memcpy(m, y, 16);
329 	memcpy(m + 16, v, 32);
330 	memcpy(m + 48, u, 32);
331 
332 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
333 	if (err)
334 		return err;
335 
336 	*val = get_unaligned_le32(tmp);
337 	*val %= 1000000;
338 
339 	SMP_DBG("val %06u", *val);
340 
341 	return 0;
342 }
343 
344 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
345 		  const u8 key_id[4], u8 res[16])
346 {
347 	int err;
348 
349 	SMP_DBG("w %16phN key_id %4phN", w, key_id);
350 
351 	err = aes_cmac(tfm_cmac, w, key_id, 4, res);
352 	if (err)
353 		return err;
354 
355 	SMP_DBG("res %16phN", res);
356 
357 	return err;
358 }
359 
360 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
361 		  const u8 salt[16], u8 res[16])
362 {
363 	int err;
364 
365 	SMP_DBG("w %16phN salt %16phN", w, salt);
366 
367 	err = aes_cmac(tfm_cmac, salt, w, 16, res);
368 	if (err)
369 		return err;
370 
371 	SMP_DBG("res %16phN", res);
372 
373 	return err;
374 }
375 
376 /* The following functions map to the legacy SMP crypto functions e, c1,
377  * s1 and ah.
378  */
379 
380 static int smp_e(struct crypto_cipher *tfm, const u8 *k, u8 *r)
381 {
382 	uint8_t tmp[16], data[16];
383 	int err;
384 
385 	SMP_DBG("k %16phN r %16phN", k, r);
386 
387 	if (!tfm) {
388 		BT_ERR("tfm %p", tfm);
389 		return -EINVAL;
390 	}
391 
392 	/* The most significant octet of key corresponds to k[0] */
393 	swap_buf(k, tmp, 16);
394 
395 	err = crypto_cipher_setkey(tfm, tmp, 16);
396 	if (err) {
397 		BT_ERR("cipher setkey failed: %d", err);
398 		return err;
399 	}
400 
401 	/* Most significant octet of plaintextData corresponds to data[0] */
402 	swap_buf(r, data, 16);
403 
404 	crypto_cipher_encrypt_one(tfm, data, data);
405 
406 	/* Most significant octet of encryptedData corresponds to data[0] */
407 	swap_buf(data, r, 16);
408 
409 	SMP_DBG("r %16phN", r);
410 
411 	return err;
412 }
413 
414 static int smp_c1(struct crypto_cipher *tfm_aes, const u8 k[16],
415 		  const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
416 		  const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
417 {
418 	u8 p1[16], p2[16];
419 	int err;
420 
421 	SMP_DBG("k %16phN r %16phN", k, r);
422 	SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
423 	SMP_DBG("preq %7phN pres %7phN", preq, pres);
424 
425 	memset(p1, 0, 16);
426 
427 	/* p1 = pres || preq || _rat || _iat */
428 	p1[0] = _iat;
429 	p1[1] = _rat;
430 	memcpy(p1 + 2, preq, 7);
431 	memcpy(p1 + 9, pres, 7);
432 
433 	SMP_DBG("p1 %16phN", p1);
434 
435 	/* res = r XOR p1 */
436 	u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
437 
438 	/* res = e(k, res) */
439 	err = smp_e(tfm_aes, k, res);
440 	if (err) {
441 		BT_ERR("Encrypt data error");
442 		return err;
443 	}
444 
445 	/* p2 = padding || ia || ra */
446 	memcpy(p2, ra, 6);
447 	memcpy(p2 + 6, ia, 6);
448 	memset(p2 + 12, 0, 4);
449 
450 	SMP_DBG("p2 %16phN", p2);
451 
452 	/* res = res XOR p2 */
453 	u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
454 
455 	/* res = e(k, res) */
456 	err = smp_e(tfm_aes, k, res);
457 	if (err)
458 		BT_ERR("Encrypt data error");
459 
460 	return err;
461 }
462 
463 static int smp_s1(struct crypto_cipher *tfm_aes, const u8 k[16],
464 		  const u8 r1[16], const u8 r2[16], u8 _r[16])
465 {
466 	int err;
467 
468 	/* Just least significant octets from r1 and r2 are considered */
469 	memcpy(_r, r2, 8);
470 	memcpy(_r + 8, r1, 8);
471 
472 	err = smp_e(tfm_aes, k, _r);
473 	if (err)
474 		BT_ERR("Encrypt data error");
475 
476 	return err;
477 }
478 
479 static int smp_ah(struct crypto_cipher *tfm, const u8 irk[16],
480 		  const u8 r[3], u8 res[3])
481 {
482 	u8 _res[16];
483 	int err;
484 
485 	/* r' = padding || r */
486 	memcpy(_res, r, 3);
487 	memset(_res + 3, 0, 13);
488 
489 	err = smp_e(tfm, irk, _res);
490 	if (err) {
491 		BT_ERR("Encrypt error");
492 		return err;
493 	}
494 
495 	/* The output of the random address function ah is:
496 	 *	ah(k, r) = e(k, r') mod 2^24
497 	 * The output of the security function e is then truncated to 24 bits
498 	 * by taking the least significant 24 bits of the output of e as the
499 	 * result of ah.
500 	 */
501 	memcpy(res, _res, 3);
502 
503 	return 0;
504 }
505 
506 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
507 		     const bdaddr_t *bdaddr)
508 {
509 	struct l2cap_chan *chan = hdev->smp_data;
510 	struct smp_dev *smp;
511 	u8 hash[3];
512 	int err;
513 
514 	if (!chan || !chan->data)
515 		return false;
516 
517 	smp = chan->data;
518 
519 	BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
520 
521 	err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash);
522 	if (err)
523 		return false;
524 
525 	return !crypto_memneq(bdaddr->b, hash, 3);
526 }
527 
528 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
529 {
530 	struct l2cap_chan *chan = hdev->smp_data;
531 	struct smp_dev *smp;
532 	int err;
533 
534 	if (!chan || !chan->data)
535 		return -EOPNOTSUPP;
536 
537 	smp = chan->data;
538 
539 	get_random_bytes(&rpa->b[3], 3);
540 
541 	rpa->b[5] &= 0x3f;	/* Clear two most significant bits */
542 	rpa->b[5] |= 0x40;	/* Set second most significant bit */
543 
544 	err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b);
545 	if (err < 0)
546 		return err;
547 
548 	BT_DBG("RPA %pMR", rpa);
549 
550 	return 0;
551 }
552 
553 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
554 {
555 	struct l2cap_chan *chan = hdev->smp_data;
556 	struct smp_dev *smp;
557 	int err;
558 
559 	if (!chan || !chan->data)
560 		return -EOPNOTSUPP;
561 
562 	smp = chan->data;
563 
564 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
565 		BT_DBG("Using debug keys");
566 		err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk);
567 		if (err)
568 			return err;
569 		memcpy(smp->local_pk, debug_pk, 64);
570 		smp->debug_key = true;
571 	} else {
572 		while (true) {
573 			/* Generate key pair for Secure Connections */
574 			err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk);
575 			if (err)
576 				return err;
577 
578 			/* This is unlikely, but we need to check that
579 			 * we didn't accidentially generate a debug key.
580 			 */
581 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
582 				break;
583 		}
584 		smp->debug_key = false;
585 	}
586 
587 	SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
588 	SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
589 
590 	get_random_bytes(smp->local_rand, 16);
591 
592 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
593 		     smp->local_rand, 0, hash);
594 	if (err < 0)
595 		return err;
596 
597 	memcpy(rand, smp->local_rand, 16);
598 
599 	smp->local_oob = true;
600 
601 	return 0;
602 }
603 
604 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
605 {
606 	struct l2cap_chan *chan = conn->smp;
607 	struct smp_chan *smp;
608 	struct kvec iv[2];
609 	struct msghdr msg;
610 
611 	if (!chan)
612 		return;
613 
614 	BT_DBG("code 0x%2.2x", code);
615 
616 	iv[0].iov_base = &code;
617 	iv[0].iov_len = 1;
618 
619 	iv[1].iov_base = data;
620 	iv[1].iov_len = len;
621 
622 	memset(&msg, 0, sizeof(msg));
623 
624 	iov_iter_kvec(&msg.msg_iter, WRITE, iv, 2, 1 + len);
625 
626 	l2cap_chan_send(chan, &msg, 1 + len);
627 
628 	if (!chan->data)
629 		return;
630 
631 	smp = chan->data;
632 
633 	cancel_delayed_work_sync(&smp->security_timer);
634 	schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
635 }
636 
637 static u8 authreq_to_seclevel(u8 authreq)
638 {
639 	if (authreq & SMP_AUTH_MITM) {
640 		if (authreq & SMP_AUTH_SC)
641 			return BT_SECURITY_FIPS;
642 		else
643 			return BT_SECURITY_HIGH;
644 	} else {
645 		return BT_SECURITY_MEDIUM;
646 	}
647 }
648 
649 static __u8 seclevel_to_authreq(__u8 sec_level)
650 {
651 	switch (sec_level) {
652 	case BT_SECURITY_FIPS:
653 	case BT_SECURITY_HIGH:
654 		return SMP_AUTH_MITM | SMP_AUTH_BONDING;
655 	case BT_SECURITY_MEDIUM:
656 		return SMP_AUTH_BONDING;
657 	default:
658 		return SMP_AUTH_NONE;
659 	}
660 }
661 
662 static void build_pairing_cmd(struct l2cap_conn *conn,
663 			      struct smp_cmd_pairing *req,
664 			      struct smp_cmd_pairing *rsp, __u8 authreq)
665 {
666 	struct l2cap_chan *chan = conn->smp;
667 	struct smp_chan *smp = chan->data;
668 	struct hci_conn *hcon = conn->hcon;
669 	struct hci_dev *hdev = hcon->hdev;
670 	u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
671 
672 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
673 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
674 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
675 		authreq |= SMP_AUTH_BONDING;
676 	} else {
677 		authreq &= ~SMP_AUTH_BONDING;
678 	}
679 
680 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
681 		remote_dist |= SMP_DIST_ID_KEY;
682 
683 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
684 		local_dist |= SMP_DIST_ID_KEY;
685 
686 	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
687 	    (authreq & SMP_AUTH_SC)) {
688 		struct oob_data *oob_data;
689 		u8 bdaddr_type;
690 
691 		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
692 			local_dist |= SMP_DIST_LINK_KEY;
693 			remote_dist |= SMP_DIST_LINK_KEY;
694 		}
695 
696 		if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
697 			bdaddr_type = BDADDR_LE_PUBLIC;
698 		else
699 			bdaddr_type = BDADDR_LE_RANDOM;
700 
701 		oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
702 						    bdaddr_type);
703 		if (oob_data && oob_data->present) {
704 			set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
705 			oob_flag = SMP_OOB_PRESENT;
706 			memcpy(smp->rr, oob_data->rand256, 16);
707 			memcpy(smp->pcnf, oob_data->hash256, 16);
708 			SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
709 			SMP_DBG("OOB Remote Random: %16phN", smp->rr);
710 		}
711 
712 	} else {
713 		authreq &= ~SMP_AUTH_SC;
714 	}
715 
716 	if (rsp == NULL) {
717 		req->io_capability = conn->hcon->io_capability;
718 		req->oob_flag = oob_flag;
719 		req->max_key_size = hdev->le_max_key_size;
720 		req->init_key_dist = local_dist;
721 		req->resp_key_dist = remote_dist;
722 		req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
723 
724 		smp->remote_key_dist = remote_dist;
725 		return;
726 	}
727 
728 	rsp->io_capability = conn->hcon->io_capability;
729 	rsp->oob_flag = oob_flag;
730 	rsp->max_key_size = hdev->le_max_key_size;
731 	rsp->init_key_dist = req->init_key_dist & remote_dist;
732 	rsp->resp_key_dist = req->resp_key_dist & local_dist;
733 	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
734 
735 	smp->remote_key_dist = rsp->init_key_dist;
736 }
737 
738 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
739 {
740 	struct l2cap_chan *chan = conn->smp;
741 	struct hci_dev *hdev = conn->hcon->hdev;
742 	struct smp_chan *smp = chan->data;
743 
744 	if (max_key_size > hdev->le_max_key_size ||
745 	    max_key_size < SMP_MIN_ENC_KEY_SIZE)
746 		return SMP_ENC_KEY_SIZE;
747 
748 	smp->enc_key_size = max_key_size;
749 
750 	return 0;
751 }
752 
753 static void smp_chan_destroy(struct l2cap_conn *conn)
754 {
755 	struct l2cap_chan *chan = conn->smp;
756 	struct smp_chan *smp = chan->data;
757 	struct hci_conn *hcon = conn->hcon;
758 	bool complete;
759 
760 	BUG_ON(!smp);
761 
762 	cancel_delayed_work_sync(&smp->security_timer);
763 
764 	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
765 	mgmt_smp_complete(hcon, complete);
766 
767 	kzfree(smp->csrk);
768 	kzfree(smp->slave_csrk);
769 	kzfree(smp->link_key);
770 
771 	crypto_free_cipher(smp->tfm_aes);
772 	crypto_free_shash(smp->tfm_cmac);
773 	crypto_free_kpp(smp->tfm_ecdh);
774 
775 	/* Ensure that we don't leave any debug key around if debug key
776 	 * support hasn't been explicitly enabled.
777 	 */
778 	if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
779 	    !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
780 		list_del_rcu(&smp->ltk->list);
781 		kfree_rcu(smp->ltk, rcu);
782 		smp->ltk = NULL;
783 	}
784 
785 	/* If pairing failed clean up any keys we might have */
786 	if (!complete) {
787 		if (smp->ltk) {
788 			list_del_rcu(&smp->ltk->list);
789 			kfree_rcu(smp->ltk, rcu);
790 		}
791 
792 		if (smp->slave_ltk) {
793 			list_del_rcu(&smp->slave_ltk->list);
794 			kfree_rcu(smp->slave_ltk, rcu);
795 		}
796 
797 		if (smp->remote_irk) {
798 			list_del_rcu(&smp->remote_irk->list);
799 			kfree_rcu(smp->remote_irk, rcu);
800 		}
801 	}
802 
803 	chan->data = NULL;
804 	kzfree(smp);
805 	hci_conn_drop(hcon);
806 }
807 
808 static void smp_failure(struct l2cap_conn *conn, u8 reason)
809 {
810 	struct hci_conn *hcon = conn->hcon;
811 	struct l2cap_chan *chan = conn->smp;
812 
813 	if (reason)
814 		smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
815 			     &reason);
816 
817 	mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
818 
819 	if (chan->data)
820 		smp_chan_destroy(conn);
821 }
822 
823 #define JUST_WORKS	0x00
824 #define JUST_CFM	0x01
825 #define REQ_PASSKEY	0x02
826 #define CFM_PASSKEY	0x03
827 #define REQ_OOB		0x04
828 #define DSP_PASSKEY	0x05
829 #define OVERLAP		0xFF
830 
831 static const u8 gen_method[5][5] = {
832 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
833 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
834 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
835 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
836 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
837 };
838 
839 static const u8 sc_method[5][5] = {
840 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
841 	{ JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
842 	{ DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
843 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
844 	{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
845 };
846 
847 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
848 {
849 	/* If either side has unknown io_caps, use JUST_CFM (which gets
850 	 * converted later to JUST_WORKS if we're initiators.
851 	 */
852 	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
853 	    remote_io > SMP_IO_KEYBOARD_DISPLAY)
854 		return JUST_CFM;
855 
856 	if (test_bit(SMP_FLAG_SC, &smp->flags))
857 		return sc_method[remote_io][local_io];
858 
859 	return gen_method[remote_io][local_io];
860 }
861 
862 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
863 						u8 local_io, u8 remote_io)
864 {
865 	struct hci_conn *hcon = conn->hcon;
866 	struct l2cap_chan *chan = conn->smp;
867 	struct smp_chan *smp = chan->data;
868 	u32 passkey = 0;
869 	int ret = 0;
870 
871 	/* Initialize key for JUST WORKS */
872 	memset(smp->tk, 0, sizeof(smp->tk));
873 	clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
874 
875 	BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
876 
877 	/* If neither side wants MITM, either "just" confirm an incoming
878 	 * request or use just-works for outgoing ones. The JUST_CFM
879 	 * will be converted to JUST_WORKS if necessary later in this
880 	 * function. If either side has MITM look up the method from the
881 	 * table.
882 	 */
883 	if (!(auth & SMP_AUTH_MITM))
884 		smp->method = JUST_CFM;
885 	else
886 		smp->method = get_auth_method(smp, local_io, remote_io);
887 
888 	/* Don't confirm locally initiated pairing attempts */
889 	if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
890 						&smp->flags))
891 		smp->method = JUST_WORKS;
892 
893 	/* Don't bother user space with no IO capabilities */
894 	if (smp->method == JUST_CFM &&
895 	    hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
896 		smp->method = JUST_WORKS;
897 
898 	/* If Just Works, Continue with Zero TK */
899 	if (smp->method == JUST_WORKS) {
900 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
901 		return 0;
902 	}
903 
904 	/* If this function is used for SC -> legacy fallback we
905 	 * can only recover the just-works case.
906 	 */
907 	if (test_bit(SMP_FLAG_SC, &smp->flags))
908 		return -EINVAL;
909 
910 	/* Not Just Works/Confirm results in MITM Authentication */
911 	if (smp->method != JUST_CFM) {
912 		set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
913 		if (hcon->pending_sec_level < BT_SECURITY_HIGH)
914 			hcon->pending_sec_level = BT_SECURITY_HIGH;
915 	}
916 
917 	/* If both devices have Keyoard-Display I/O, the master
918 	 * Confirms and the slave Enters the passkey.
919 	 */
920 	if (smp->method == OVERLAP) {
921 		if (hcon->role == HCI_ROLE_MASTER)
922 			smp->method = CFM_PASSKEY;
923 		else
924 			smp->method = REQ_PASSKEY;
925 	}
926 
927 	/* Generate random passkey. */
928 	if (smp->method == CFM_PASSKEY) {
929 		memset(smp->tk, 0, sizeof(smp->tk));
930 		get_random_bytes(&passkey, sizeof(passkey));
931 		passkey %= 1000000;
932 		put_unaligned_le32(passkey, smp->tk);
933 		BT_DBG("PassKey: %d", passkey);
934 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
935 	}
936 
937 	if (smp->method == REQ_PASSKEY)
938 		ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
939 						hcon->type, hcon->dst_type);
940 	else if (smp->method == JUST_CFM)
941 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
942 						hcon->type, hcon->dst_type,
943 						passkey, 1);
944 	else
945 		ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
946 						hcon->type, hcon->dst_type,
947 						passkey, 0);
948 
949 	return ret;
950 }
951 
952 static u8 smp_confirm(struct smp_chan *smp)
953 {
954 	struct l2cap_conn *conn = smp->conn;
955 	struct smp_cmd_pairing_confirm cp;
956 	int ret;
957 
958 	BT_DBG("conn %p", conn);
959 
960 	ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
961 		     conn->hcon->init_addr_type, &conn->hcon->init_addr,
962 		     conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
963 		     cp.confirm_val);
964 	if (ret)
965 		return SMP_UNSPECIFIED;
966 
967 	clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
968 
969 	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
970 
971 	if (conn->hcon->out)
972 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
973 	else
974 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
975 
976 	return 0;
977 }
978 
979 static u8 smp_random(struct smp_chan *smp)
980 {
981 	struct l2cap_conn *conn = smp->conn;
982 	struct hci_conn *hcon = conn->hcon;
983 	u8 confirm[16];
984 	int ret;
985 
986 	if (IS_ERR_OR_NULL(smp->tfm_aes))
987 		return SMP_UNSPECIFIED;
988 
989 	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
990 
991 	ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
992 		     hcon->init_addr_type, &hcon->init_addr,
993 		     hcon->resp_addr_type, &hcon->resp_addr, confirm);
994 	if (ret)
995 		return SMP_UNSPECIFIED;
996 
997 	if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
998 		bt_dev_err(hcon->hdev, "pairing failed "
999 			   "(confirmation values mismatch)");
1000 		return SMP_CONFIRM_FAILED;
1001 	}
1002 
1003 	if (hcon->out) {
1004 		u8 stk[16];
1005 		__le64 rand = 0;
1006 		__le16 ediv = 0;
1007 
1008 		smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
1009 
1010 		if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1011 			return SMP_UNSPECIFIED;
1012 
1013 		hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1014 		hcon->enc_key_size = smp->enc_key_size;
1015 		set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1016 	} else {
1017 		u8 stk[16], auth;
1018 		__le64 rand = 0;
1019 		__le16 ediv = 0;
1020 
1021 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1022 			     smp->prnd);
1023 
1024 		smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
1025 
1026 		if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1027 			auth = 1;
1028 		else
1029 			auth = 0;
1030 
1031 		/* Even though there's no _SLAVE suffix this is the
1032 		 * slave STK we're adding for later lookup (the master
1033 		 * STK never needs to be stored).
1034 		 */
1035 		hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1036 			    SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1037 	}
1038 
1039 	return 0;
1040 }
1041 
1042 static void smp_notify_keys(struct l2cap_conn *conn)
1043 {
1044 	struct l2cap_chan *chan = conn->smp;
1045 	struct smp_chan *smp = chan->data;
1046 	struct hci_conn *hcon = conn->hcon;
1047 	struct hci_dev *hdev = hcon->hdev;
1048 	struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1049 	struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1050 	bool persistent;
1051 
1052 	if (hcon->type == ACL_LINK) {
1053 		if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1054 			persistent = false;
1055 		else
1056 			persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1057 					       &hcon->flags);
1058 	} else {
1059 		/* The LTKs, IRKs and CSRKs should be persistent only if
1060 		 * both sides had the bonding bit set in their
1061 		 * authentication requests.
1062 		 */
1063 		persistent = !!((req->auth_req & rsp->auth_req) &
1064 				SMP_AUTH_BONDING);
1065 	}
1066 
1067 	if (smp->remote_irk) {
1068 		mgmt_new_irk(hdev, smp->remote_irk, persistent);
1069 
1070 		/* Now that user space can be considered to know the
1071 		 * identity address track the connection based on it
1072 		 * from now on (assuming this is an LE link).
1073 		 */
1074 		if (hcon->type == LE_LINK) {
1075 			bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1076 			hcon->dst_type = smp->remote_irk->addr_type;
1077 			queue_work(hdev->workqueue, &conn->id_addr_update_work);
1078 		}
1079 	}
1080 
1081 	if (smp->csrk) {
1082 		smp->csrk->bdaddr_type = hcon->dst_type;
1083 		bacpy(&smp->csrk->bdaddr, &hcon->dst);
1084 		mgmt_new_csrk(hdev, smp->csrk, persistent);
1085 	}
1086 
1087 	if (smp->slave_csrk) {
1088 		smp->slave_csrk->bdaddr_type = hcon->dst_type;
1089 		bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1090 		mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1091 	}
1092 
1093 	if (smp->ltk) {
1094 		smp->ltk->bdaddr_type = hcon->dst_type;
1095 		bacpy(&smp->ltk->bdaddr, &hcon->dst);
1096 		mgmt_new_ltk(hdev, smp->ltk, persistent);
1097 	}
1098 
1099 	if (smp->slave_ltk) {
1100 		smp->slave_ltk->bdaddr_type = hcon->dst_type;
1101 		bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1102 		mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1103 	}
1104 
1105 	if (smp->link_key) {
1106 		struct link_key *key;
1107 		u8 type;
1108 
1109 		if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1110 			type = HCI_LK_DEBUG_COMBINATION;
1111 		else if (hcon->sec_level == BT_SECURITY_FIPS)
1112 			type = HCI_LK_AUTH_COMBINATION_P256;
1113 		else
1114 			type = HCI_LK_UNAUTH_COMBINATION_P256;
1115 
1116 		key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1117 				       smp->link_key, type, 0, &persistent);
1118 		if (key) {
1119 			mgmt_new_link_key(hdev, key, persistent);
1120 
1121 			/* Don't keep debug keys around if the relevant
1122 			 * flag is not set.
1123 			 */
1124 			if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1125 			    key->type == HCI_LK_DEBUG_COMBINATION) {
1126 				list_del_rcu(&key->list);
1127 				kfree_rcu(key, rcu);
1128 			}
1129 		}
1130 	}
1131 }
1132 
1133 static void sc_add_ltk(struct smp_chan *smp)
1134 {
1135 	struct hci_conn *hcon = smp->conn->hcon;
1136 	u8 key_type, auth;
1137 
1138 	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1139 		key_type = SMP_LTK_P256_DEBUG;
1140 	else
1141 		key_type = SMP_LTK_P256;
1142 
1143 	if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1144 		auth = 1;
1145 	else
1146 		auth = 0;
1147 
1148 	smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1149 			       key_type, auth, smp->tk, smp->enc_key_size,
1150 			       0, 0);
1151 }
1152 
1153 static void sc_generate_link_key(struct smp_chan *smp)
1154 {
1155 	/* From core spec. Spells out in ASCII as 'lebr'. */
1156 	const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1157 
1158 	smp->link_key = kzalloc(16, GFP_KERNEL);
1159 	if (!smp->link_key)
1160 		return;
1161 
1162 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1163 		/* SALT = 0x00000000000000000000000000000000746D7031 */
1164 		const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1165 
1166 		if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1167 			kzfree(smp->link_key);
1168 			smp->link_key = NULL;
1169 			return;
1170 		}
1171 	} else {
1172 		/* From core spec. Spells out in ASCII as 'tmp1'. */
1173 		const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1174 
1175 		if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1176 			kzfree(smp->link_key);
1177 			smp->link_key = NULL;
1178 			return;
1179 		}
1180 	}
1181 
1182 	if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1183 		kzfree(smp->link_key);
1184 		smp->link_key = NULL;
1185 		return;
1186 	}
1187 }
1188 
1189 static void smp_allow_key_dist(struct smp_chan *smp)
1190 {
1191 	/* Allow the first expected phase 3 PDU. The rest of the PDUs
1192 	 * will be allowed in each PDU handler to ensure we receive
1193 	 * them in the correct order.
1194 	 */
1195 	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1196 		SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1197 	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1198 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1199 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
1200 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1201 }
1202 
1203 static void sc_generate_ltk(struct smp_chan *smp)
1204 {
1205 	/* From core spec. Spells out in ASCII as 'brle'. */
1206 	const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1207 	struct hci_conn *hcon = smp->conn->hcon;
1208 	struct hci_dev *hdev = hcon->hdev;
1209 	struct link_key *key;
1210 
1211 	key = hci_find_link_key(hdev, &hcon->dst);
1212 	if (!key) {
1213 		bt_dev_err(hdev, "no Link Key found to generate LTK");
1214 		return;
1215 	}
1216 
1217 	if (key->type == HCI_LK_DEBUG_COMBINATION)
1218 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1219 
1220 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1221 		/* SALT = 0x00000000000000000000000000000000746D7032 */
1222 		const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1223 
1224 		if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1225 			return;
1226 	} else {
1227 		/* From core spec. Spells out in ASCII as 'tmp2'. */
1228 		const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1229 
1230 		if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1231 			return;
1232 	}
1233 
1234 	if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1235 		return;
1236 
1237 	sc_add_ltk(smp);
1238 }
1239 
1240 static void smp_distribute_keys(struct smp_chan *smp)
1241 {
1242 	struct smp_cmd_pairing *req, *rsp;
1243 	struct l2cap_conn *conn = smp->conn;
1244 	struct hci_conn *hcon = conn->hcon;
1245 	struct hci_dev *hdev = hcon->hdev;
1246 	__u8 *keydist;
1247 
1248 	BT_DBG("conn %p", conn);
1249 
1250 	rsp = (void *) &smp->prsp[1];
1251 
1252 	/* The responder sends its keys first */
1253 	if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1254 		smp_allow_key_dist(smp);
1255 		return;
1256 	}
1257 
1258 	req = (void *) &smp->preq[1];
1259 
1260 	if (hcon->out) {
1261 		keydist = &rsp->init_key_dist;
1262 		*keydist &= req->init_key_dist;
1263 	} else {
1264 		keydist = &rsp->resp_key_dist;
1265 		*keydist &= req->resp_key_dist;
1266 	}
1267 
1268 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1269 		if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1270 			sc_generate_link_key(smp);
1271 		if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1272 			sc_generate_ltk(smp);
1273 
1274 		/* Clear the keys which are generated but not distributed */
1275 		*keydist &= ~SMP_SC_NO_DIST;
1276 	}
1277 
1278 	BT_DBG("keydist 0x%x", *keydist);
1279 
1280 	if (*keydist & SMP_DIST_ENC_KEY) {
1281 		struct smp_cmd_encrypt_info enc;
1282 		struct smp_cmd_master_ident ident;
1283 		struct smp_ltk *ltk;
1284 		u8 authenticated;
1285 		__le16 ediv;
1286 		__le64 rand;
1287 
1288 		/* Make sure we generate only the significant amount of
1289 		 * bytes based on the encryption key size, and set the rest
1290 		 * of the value to zeroes.
1291 		 */
1292 		get_random_bytes(enc.ltk, smp->enc_key_size);
1293 		memset(enc.ltk + smp->enc_key_size, 0,
1294 		       sizeof(enc.ltk) - smp->enc_key_size);
1295 
1296 		get_random_bytes(&ediv, sizeof(ediv));
1297 		get_random_bytes(&rand, sizeof(rand));
1298 
1299 		smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1300 
1301 		authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1302 		ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1303 				  SMP_LTK_SLAVE, authenticated, enc.ltk,
1304 				  smp->enc_key_size, ediv, rand);
1305 		smp->slave_ltk = ltk;
1306 
1307 		ident.ediv = ediv;
1308 		ident.rand = rand;
1309 
1310 		smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1311 
1312 		*keydist &= ~SMP_DIST_ENC_KEY;
1313 	}
1314 
1315 	if (*keydist & SMP_DIST_ID_KEY) {
1316 		struct smp_cmd_ident_addr_info addrinfo;
1317 		struct smp_cmd_ident_info idinfo;
1318 
1319 		memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1320 
1321 		smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1322 
1323 		/* The hci_conn contains the local identity address
1324 		 * after the connection has been established.
1325 		 *
1326 		 * This is true even when the connection has been
1327 		 * established using a resolvable random address.
1328 		 */
1329 		bacpy(&addrinfo.bdaddr, &hcon->src);
1330 		addrinfo.addr_type = hcon->src_type;
1331 
1332 		smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1333 			     &addrinfo);
1334 
1335 		*keydist &= ~SMP_DIST_ID_KEY;
1336 	}
1337 
1338 	if (*keydist & SMP_DIST_SIGN) {
1339 		struct smp_cmd_sign_info sign;
1340 		struct smp_csrk *csrk;
1341 
1342 		/* Generate a new random key */
1343 		get_random_bytes(sign.csrk, sizeof(sign.csrk));
1344 
1345 		csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1346 		if (csrk) {
1347 			if (hcon->sec_level > BT_SECURITY_MEDIUM)
1348 				csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1349 			else
1350 				csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1351 			memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1352 		}
1353 		smp->slave_csrk = csrk;
1354 
1355 		smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1356 
1357 		*keydist &= ~SMP_DIST_SIGN;
1358 	}
1359 
1360 	/* If there are still keys to be received wait for them */
1361 	if (smp->remote_key_dist & KEY_DIST_MASK) {
1362 		smp_allow_key_dist(smp);
1363 		return;
1364 	}
1365 
1366 	set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1367 	smp_notify_keys(conn);
1368 
1369 	smp_chan_destroy(conn);
1370 }
1371 
1372 static void smp_timeout(struct work_struct *work)
1373 {
1374 	struct smp_chan *smp = container_of(work, struct smp_chan,
1375 					    security_timer.work);
1376 	struct l2cap_conn *conn = smp->conn;
1377 
1378 	BT_DBG("conn %p", conn);
1379 
1380 	hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1381 }
1382 
1383 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1384 {
1385 	struct l2cap_chan *chan = conn->smp;
1386 	struct smp_chan *smp;
1387 
1388 	smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1389 	if (!smp)
1390 		return NULL;
1391 
1392 	smp->tfm_aes = crypto_alloc_cipher("aes", 0, 0);
1393 	if (IS_ERR(smp->tfm_aes)) {
1394 		BT_ERR("Unable to create AES crypto context");
1395 		goto zfree_smp;
1396 	}
1397 
1398 	smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1399 	if (IS_ERR(smp->tfm_cmac)) {
1400 		BT_ERR("Unable to create CMAC crypto context");
1401 		goto free_cipher;
1402 	}
1403 
1404 	smp->tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
1405 	if (IS_ERR(smp->tfm_ecdh)) {
1406 		BT_ERR("Unable to create ECDH crypto context");
1407 		goto free_shash;
1408 	}
1409 
1410 	smp->conn = conn;
1411 	chan->data = smp;
1412 
1413 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1414 
1415 	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1416 
1417 	hci_conn_hold(conn->hcon);
1418 
1419 	return smp;
1420 
1421 free_shash:
1422 	crypto_free_shash(smp->tfm_cmac);
1423 free_cipher:
1424 	crypto_free_cipher(smp->tfm_aes);
1425 zfree_smp:
1426 	kzfree(smp);
1427 	return NULL;
1428 }
1429 
1430 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1431 {
1432 	struct hci_conn *hcon = smp->conn->hcon;
1433 	u8 *na, *nb, a[7], b[7];
1434 
1435 	if (hcon->out) {
1436 		na   = smp->prnd;
1437 		nb   = smp->rrnd;
1438 	} else {
1439 		na   = smp->rrnd;
1440 		nb   = smp->prnd;
1441 	}
1442 
1443 	memcpy(a, &hcon->init_addr, 6);
1444 	memcpy(b, &hcon->resp_addr, 6);
1445 	a[6] = hcon->init_addr_type;
1446 	b[6] = hcon->resp_addr_type;
1447 
1448 	return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1449 }
1450 
1451 static void sc_dhkey_check(struct smp_chan *smp)
1452 {
1453 	struct hci_conn *hcon = smp->conn->hcon;
1454 	struct smp_cmd_dhkey_check check;
1455 	u8 a[7], b[7], *local_addr, *remote_addr;
1456 	u8 io_cap[3], r[16];
1457 
1458 	memcpy(a, &hcon->init_addr, 6);
1459 	memcpy(b, &hcon->resp_addr, 6);
1460 	a[6] = hcon->init_addr_type;
1461 	b[6] = hcon->resp_addr_type;
1462 
1463 	if (hcon->out) {
1464 		local_addr = a;
1465 		remote_addr = b;
1466 		memcpy(io_cap, &smp->preq[1], 3);
1467 	} else {
1468 		local_addr = b;
1469 		remote_addr = a;
1470 		memcpy(io_cap, &smp->prsp[1], 3);
1471 	}
1472 
1473 	memset(r, 0, sizeof(r));
1474 
1475 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1476 		put_unaligned_le32(hcon->passkey_notify, r);
1477 
1478 	if (smp->method == REQ_OOB)
1479 		memcpy(r, smp->rr, 16);
1480 
1481 	smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1482 	       local_addr, remote_addr, check.e);
1483 
1484 	smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1485 }
1486 
1487 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1488 {
1489 	struct l2cap_conn *conn = smp->conn;
1490 	struct hci_conn *hcon = conn->hcon;
1491 	struct smp_cmd_pairing_confirm cfm;
1492 	u8 r;
1493 
1494 	r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1495 	r |= 0x80;
1496 
1497 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1498 
1499 	if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1500 		   cfm.confirm_val))
1501 		return SMP_UNSPECIFIED;
1502 
1503 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1504 
1505 	return 0;
1506 }
1507 
1508 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1509 {
1510 	struct l2cap_conn *conn = smp->conn;
1511 	struct hci_conn *hcon = conn->hcon;
1512 	struct hci_dev *hdev = hcon->hdev;
1513 	u8 cfm[16], r;
1514 
1515 	/* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1516 	if (smp->passkey_round >= 20)
1517 		return 0;
1518 
1519 	switch (smp_op) {
1520 	case SMP_CMD_PAIRING_RANDOM:
1521 		r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1522 		r |= 0x80;
1523 
1524 		if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1525 			   smp->rrnd, r, cfm))
1526 			return SMP_UNSPECIFIED;
1527 
1528 		if (crypto_memneq(smp->pcnf, cfm, 16))
1529 			return SMP_CONFIRM_FAILED;
1530 
1531 		smp->passkey_round++;
1532 
1533 		if (smp->passkey_round == 20) {
1534 			/* Generate MacKey and LTK */
1535 			if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1536 				return SMP_UNSPECIFIED;
1537 		}
1538 
1539 		/* The round is only complete when the initiator
1540 		 * receives pairing random.
1541 		 */
1542 		if (!hcon->out) {
1543 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1544 				     sizeof(smp->prnd), smp->prnd);
1545 			if (smp->passkey_round == 20)
1546 				SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1547 			else
1548 				SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1549 			return 0;
1550 		}
1551 
1552 		/* Start the next round */
1553 		if (smp->passkey_round != 20)
1554 			return sc_passkey_round(smp, 0);
1555 
1556 		/* Passkey rounds are complete - start DHKey Check */
1557 		sc_dhkey_check(smp);
1558 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1559 
1560 		break;
1561 
1562 	case SMP_CMD_PAIRING_CONFIRM:
1563 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1564 			set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1565 			return 0;
1566 		}
1567 
1568 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1569 
1570 		if (hcon->out) {
1571 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1572 				     sizeof(smp->prnd), smp->prnd);
1573 			return 0;
1574 		}
1575 
1576 		return sc_passkey_send_confirm(smp);
1577 
1578 	case SMP_CMD_PUBLIC_KEY:
1579 	default:
1580 		/* Initiating device starts the round */
1581 		if (!hcon->out)
1582 			return 0;
1583 
1584 		BT_DBG("%s Starting passkey round %u", hdev->name,
1585 		       smp->passkey_round + 1);
1586 
1587 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1588 
1589 		return sc_passkey_send_confirm(smp);
1590 	}
1591 
1592 	return 0;
1593 }
1594 
1595 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1596 {
1597 	struct l2cap_conn *conn = smp->conn;
1598 	struct hci_conn *hcon = conn->hcon;
1599 	u8 smp_op;
1600 
1601 	clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1602 
1603 	switch (mgmt_op) {
1604 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1605 		smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1606 		return 0;
1607 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1608 		smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1609 		return 0;
1610 	case MGMT_OP_USER_PASSKEY_REPLY:
1611 		hcon->passkey_notify = le32_to_cpu(passkey);
1612 		smp->passkey_round = 0;
1613 
1614 		if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1615 			smp_op = SMP_CMD_PAIRING_CONFIRM;
1616 		else
1617 			smp_op = 0;
1618 
1619 		if (sc_passkey_round(smp, smp_op))
1620 			return -EIO;
1621 
1622 		return 0;
1623 	}
1624 
1625 	/* Initiator sends DHKey check first */
1626 	if (hcon->out) {
1627 		sc_dhkey_check(smp);
1628 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1629 	} else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1630 		sc_dhkey_check(smp);
1631 		sc_add_ltk(smp);
1632 	}
1633 
1634 	return 0;
1635 }
1636 
1637 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1638 {
1639 	struct l2cap_conn *conn = hcon->l2cap_data;
1640 	struct l2cap_chan *chan;
1641 	struct smp_chan *smp;
1642 	u32 value;
1643 	int err;
1644 
1645 	BT_DBG("");
1646 
1647 	if (!conn)
1648 		return -ENOTCONN;
1649 
1650 	chan = conn->smp;
1651 	if (!chan)
1652 		return -ENOTCONN;
1653 
1654 	l2cap_chan_lock(chan);
1655 	if (!chan->data) {
1656 		err = -ENOTCONN;
1657 		goto unlock;
1658 	}
1659 
1660 	smp = chan->data;
1661 
1662 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1663 		err = sc_user_reply(smp, mgmt_op, passkey);
1664 		goto unlock;
1665 	}
1666 
1667 	switch (mgmt_op) {
1668 	case MGMT_OP_USER_PASSKEY_REPLY:
1669 		value = le32_to_cpu(passkey);
1670 		memset(smp->tk, 0, sizeof(smp->tk));
1671 		BT_DBG("PassKey: %d", value);
1672 		put_unaligned_le32(value, smp->tk);
1673 		/* Fall Through */
1674 	case MGMT_OP_USER_CONFIRM_REPLY:
1675 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1676 		break;
1677 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1678 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1679 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1680 		err = 0;
1681 		goto unlock;
1682 	default:
1683 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1684 		err = -EOPNOTSUPP;
1685 		goto unlock;
1686 	}
1687 
1688 	err = 0;
1689 
1690 	/* If it is our turn to send Pairing Confirm, do so now */
1691 	if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1692 		u8 rsp = smp_confirm(smp);
1693 		if (rsp)
1694 			smp_failure(conn, rsp);
1695 	}
1696 
1697 unlock:
1698 	l2cap_chan_unlock(chan);
1699 	return err;
1700 }
1701 
1702 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1703 				    struct smp_cmd_pairing *req,
1704 				    struct smp_cmd_pairing *rsp)
1705 {
1706 	struct l2cap_conn *conn = smp->conn;
1707 	struct hci_dev *hdev = conn->hcon->hdev;
1708 	u8 local_dist = 0, remote_dist = 0;
1709 
1710 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1711 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1712 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1713 	}
1714 
1715 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1716 		remote_dist |= SMP_DIST_ID_KEY;
1717 
1718 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1719 		local_dist |= SMP_DIST_ID_KEY;
1720 
1721 	if (!rsp) {
1722 		memset(req, 0, sizeof(*req));
1723 
1724 		req->auth_req        = SMP_AUTH_CT2;
1725 		req->init_key_dist   = local_dist;
1726 		req->resp_key_dist   = remote_dist;
1727 		req->max_key_size    = conn->hcon->enc_key_size;
1728 
1729 		smp->remote_key_dist = remote_dist;
1730 
1731 		return;
1732 	}
1733 
1734 	memset(rsp, 0, sizeof(*rsp));
1735 
1736 	rsp->auth_req        = SMP_AUTH_CT2;
1737 	rsp->max_key_size    = conn->hcon->enc_key_size;
1738 	rsp->init_key_dist   = req->init_key_dist & remote_dist;
1739 	rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1740 
1741 	smp->remote_key_dist = rsp->init_key_dist;
1742 }
1743 
1744 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1745 {
1746 	struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1747 	struct l2cap_chan *chan = conn->smp;
1748 	struct hci_dev *hdev = conn->hcon->hdev;
1749 	struct smp_chan *smp;
1750 	u8 key_size, auth, sec_level;
1751 	int ret;
1752 
1753 	BT_DBG("conn %p", conn);
1754 
1755 	if (skb->len < sizeof(*req))
1756 		return SMP_INVALID_PARAMS;
1757 
1758 	if (conn->hcon->role != HCI_ROLE_SLAVE)
1759 		return SMP_CMD_NOTSUPP;
1760 
1761 	if (!chan->data)
1762 		smp = smp_chan_create(conn);
1763 	else
1764 		smp = chan->data;
1765 
1766 	if (!smp)
1767 		return SMP_UNSPECIFIED;
1768 
1769 	/* We didn't start the pairing, so match remote */
1770 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
1771 
1772 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1773 	    (auth & SMP_AUTH_BONDING))
1774 		return SMP_PAIRING_NOTSUPP;
1775 
1776 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1777 		return SMP_AUTH_REQUIREMENTS;
1778 
1779 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
1780 	memcpy(&smp->preq[1], req, sizeof(*req));
1781 	skb_pull(skb, sizeof(*req));
1782 
1783 	/* If the remote side's OOB flag is set it means it has
1784 	 * successfully received our local OOB data - therefore set the
1785 	 * flag to indicate that local OOB is in use.
1786 	 */
1787 	if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1788 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1789 
1790 	/* SMP over BR/EDR requires special treatment */
1791 	if (conn->hcon->type == ACL_LINK) {
1792 		/* We must have a BR/EDR SC link */
1793 		if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1794 		    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1795 			return SMP_CROSS_TRANSP_NOT_ALLOWED;
1796 
1797 		set_bit(SMP_FLAG_SC, &smp->flags);
1798 
1799 		build_bredr_pairing_cmd(smp, req, &rsp);
1800 
1801 		if (req->auth_req & SMP_AUTH_CT2)
1802 			set_bit(SMP_FLAG_CT2, &smp->flags);
1803 
1804 		key_size = min(req->max_key_size, rsp.max_key_size);
1805 		if (check_enc_key_size(conn, key_size))
1806 			return SMP_ENC_KEY_SIZE;
1807 
1808 		/* Clear bits which are generated but not distributed */
1809 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1810 
1811 		smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1812 		memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1813 		smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1814 
1815 		smp_distribute_keys(smp);
1816 		return 0;
1817 	}
1818 
1819 	build_pairing_cmd(conn, req, &rsp, auth);
1820 
1821 	if (rsp.auth_req & SMP_AUTH_SC) {
1822 		set_bit(SMP_FLAG_SC, &smp->flags);
1823 
1824 		if (rsp.auth_req & SMP_AUTH_CT2)
1825 			set_bit(SMP_FLAG_CT2, &smp->flags);
1826 	}
1827 
1828 	if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1829 		sec_level = BT_SECURITY_MEDIUM;
1830 	else
1831 		sec_level = authreq_to_seclevel(auth);
1832 
1833 	if (sec_level > conn->hcon->pending_sec_level)
1834 		conn->hcon->pending_sec_level = sec_level;
1835 
1836 	/* If we need MITM check that it can be achieved */
1837 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1838 		u8 method;
1839 
1840 		method = get_auth_method(smp, conn->hcon->io_capability,
1841 					 req->io_capability);
1842 		if (method == JUST_WORKS || method == JUST_CFM)
1843 			return SMP_AUTH_REQUIREMENTS;
1844 	}
1845 
1846 	key_size = min(req->max_key_size, rsp.max_key_size);
1847 	if (check_enc_key_size(conn, key_size))
1848 		return SMP_ENC_KEY_SIZE;
1849 
1850 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1851 
1852 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1853 	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1854 
1855 	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1856 
1857 	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1858 
1859 	/* Strictly speaking we shouldn't allow Pairing Confirm for the
1860 	 * SC case, however some implementations incorrectly copy RFU auth
1861 	 * req bits from our security request, which may create a false
1862 	 * positive SC enablement.
1863 	 */
1864 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1865 
1866 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1867 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1868 		/* Clear bits which are generated but not distributed */
1869 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1870 		/* Wait for Public Key from Initiating Device */
1871 		return 0;
1872 	}
1873 
1874 	/* Request setup of TK */
1875 	ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1876 	if (ret)
1877 		return SMP_UNSPECIFIED;
1878 
1879 	return 0;
1880 }
1881 
1882 static u8 sc_send_public_key(struct smp_chan *smp)
1883 {
1884 	struct hci_dev *hdev = smp->conn->hcon->hdev;
1885 
1886 	BT_DBG("");
1887 
1888 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1889 		struct l2cap_chan *chan = hdev->smp_data;
1890 		struct smp_dev *smp_dev;
1891 
1892 		if (!chan || !chan->data)
1893 			return SMP_UNSPECIFIED;
1894 
1895 		smp_dev = chan->data;
1896 
1897 		memcpy(smp->local_pk, smp_dev->local_pk, 64);
1898 		memcpy(smp->lr, smp_dev->local_rand, 16);
1899 
1900 		if (smp_dev->debug_key)
1901 			set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1902 
1903 		goto done;
1904 	}
1905 
1906 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1907 		BT_DBG("Using debug keys");
1908 		if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
1909 			return SMP_UNSPECIFIED;
1910 		memcpy(smp->local_pk, debug_pk, 64);
1911 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1912 	} else {
1913 		while (true) {
1914 			/* Generate key pair for Secure Connections */
1915 			if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
1916 				return SMP_UNSPECIFIED;
1917 
1918 			/* This is unlikely, but we need to check that
1919 			 * we didn't accidentially generate a debug key.
1920 			 */
1921 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
1922 				break;
1923 		}
1924 	}
1925 
1926 done:
1927 	SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1928 	SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1929 
1930 	smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1931 
1932 	return 0;
1933 }
1934 
1935 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1936 {
1937 	struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1938 	struct l2cap_chan *chan = conn->smp;
1939 	struct smp_chan *smp = chan->data;
1940 	struct hci_dev *hdev = conn->hcon->hdev;
1941 	u8 key_size, auth;
1942 	int ret;
1943 
1944 	BT_DBG("conn %p", conn);
1945 
1946 	if (skb->len < sizeof(*rsp))
1947 		return SMP_INVALID_PARAMS;
1948 
1949 	if (conn->hcon->role != HCI_ROLE_MASTER)
1950 		return SMP_CMD_NOTSUPP;
1951 
1952 	skb_pull(skb, sizeof(*rsp));
1953 
1954 	req = (void *) &smp->preq[1];
1955 
1956 	key_size = min(req->max_key_size, rsp->max_key_size);
1957 	if (check_enc_key_size(conn, key_size))
1958 		return SMP_ENC_KEY_SIZE;
1959 
1960 	auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1961 
1962 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1963 		return SMP_AUTH_REQUIREMENTS;
1964 
1965 	/* If the remote side's OOB flag is set it means it has
1966 	 * successfully received our local OOB data - therefore set the
1967 	 * flag to indicate that local OOB is in use.
1968 	 */
1969 	if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1970 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1971 
1972 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1973 	memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1974 
1975 	/* Update remote key distribution in case the remote cleared
1976 	 * some bits that we had enabled in our request.
1977 	 */
1978 	smp->remote_key_dist &= rsp->resp_key_dist;
1979 
1980 	if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1981 		set_bit(SMP_FLAG_CT2, &smp->flags);
1982 
1983 	/* For BR/EDR this means we're done and can start phase 3 */
1984 	if (conn->hcon->type == ACL_LINK) {
1985 		/* Clear bits which are generated but not distributed */
1986 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1987 		smp_distribute_keys(smp);
1988 		return 0;
1989 	}
1990 
1991 	if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1992 		set_bit(SMP_FLAG_SC, &smp->flags);
1993 	else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1994 		conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1995 
1996 	/* If we need MITM check that it can be achieved */
1997 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1998 		u8 method;
1999 
2000 		method = get_auth_method(smp, req->io_capability,
2001 					 rsp->io_capability);
2002 		if (method == JUST_WORKS || method == JUST_CFM)
2003 			return SMP_AUTH_REQUIREMENTS;
2004 	}
2005 
2006 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
2007 
2008 	/* Update remote key distribution in case the remote cleared
2009 	 * some bits that we had enabled in our request.
2010 	 */
2011 	smp->remote_key_dist &= rsp->resp_key_dist;
2012 
2013 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2014 		/* Clear bits which are generated but not distributed */
2015 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
2016 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2017 		return sc_send_public_key(smp);
2018 	}
2019 
2020 	auth |= req->auth_req;
2021 
2022 	ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2023 	if (ret)
2024 		return SMP_UNSPECIFIED;
2025 
2026 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2027 
2028 	/* Can't compose response until we have been confirmed */
2029 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2030 		return smp_confirm(smp);
2031 
2032 	return 0;
2033 }
2034 
2035 static u8 sc_check_confirm(struct smp_chan *smp)
2036 {
2037 	struct l2cap_conn *conn = smp->conn;
2038 
2039 	BT_DBG("");
2040 
2041 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2042 		return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2043 
2044 	if (conn->hcon->out) {
2045 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2046 			     smp->prnd);
2047 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2048 	}
2049 
2050 	return 0;
2051 }
2052 
2053 /* Work-around for some implementations that incorrectly copy RFU bits
2054  * from our security request and thereby create the impression that
2055  * we're doing SC when in fact the remote doesn't support it.
2056  */
2057 static int fixup_sc_false_positive(struct smp_chan *smp)
2058 {
2059 	struct l2cap_conn *conn = smp->conn;
2060 	struct hci_conn *hcon = conn->hcon;
2061 	struct hci_dev *hdev = hcon->hdev;
2062 	struct smp_cmd_pairing *req, *rsp;
2063 	u8 auth;
2064 
2065 	/* The issue is only observed when we're in slave role */
2066 	if (hcon->out)
2067 		return SMP_UNSPECIFIED;
2068 
2069 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2070 		bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
2071 		return SMP_UNSPECIFIED;
2072 	}
2073 
2074 	bt_dev_err(hdev, "trying to fall back to legacy SMP");
2075 
2076 	req = (void *) &smp->preq[1];
2077 	rsp = (void *) &smp->prsp[1];
2078 
2079 	/* Rebuild key dist flags which may have been cleared for SC */
2080 	smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2081 
2082 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
2083 
2084 	if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2085 		bt_dev_err(hdev, "failed to fall back to legacy SMP");
2086 		return SMP_UNSPECIFIED;
2087 	}
2088 
2089 	clear_bit(SMP_FLAG_SC, &smp->flags);
2090 
2091 	return 0;
2092 }
2093 
2094 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2095 {
2096 	struct l2cap_chan *chan = conn->smp;
2097 	struct smp_chan *smp = chan->data;
2098 
2099 	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
2100 
2101 	if (skb->len < sizeof(smp->pcnf))
2102 		return SMP_INVALID_PARAMS;
2103 
2104 	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2105 	skb_pull(skb, sizeof(smp->pcnf));
2106 
2107 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2108 		int ret;
2109 
2110 		/* Public Key exchange must happen before any other steps */
2111 		if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2112 			return sc_check_confirm(smp);
2113 
2114 		BT_ERR("Unexpected SMP Pairing Confirm");
2115 
2116 		ret = fixup_sc_false_positive(smp);
2117 		if (ret)
2118 			return ret;
2119 	}
2120 
2121 	if (conn->hcon->out) {
2122 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2123 			     smp->prnd);
2124 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2125 		return 0;
2126 	}
2127 
2128 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2129 		return smp_confirm(smp);
2130 
2131 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2132 
2133 	return 0;
2134 }
2135 
2136 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2137 {
2138 	struct l2cap_chan *chan = conn->smp;
2139 	struct smp_chan *smp = chan->data;
2140 	struct hci_conn *hcon = conn->hcon;
2141 	u8 *pkax, *pkbx, *na, *nb;
2142 	u32 passkey;
2143 	int err;
2144 
2145 	BT_DBG("conn %p", conn);
2146 
2147 	if (skb->len < sizeof(smp->rrnd))
2148 		return SMP_INVALID_PARAMS;
2149 
2150 	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2151 	skb_pull(skb, sizeof(smp->rrnd));
2152 
2153 	if (!test_bit(SMP_FLAG_SC, &smp->flags))
2154 		return smp_random(smp);
2155 
2156 	if (hcon->out) {
2157 		pkax = smp->local_pk;
2158 		pkbx = smp->remote_pk;
2159 		na   = smp->prnd;
2160 		nb   = smp->rrnd;
2161 	} else {
2162 		pkax = smp->remote_pk;
2163 		pkbx = smp->local_pk;
2164 		na   = smp->rrnd;
2165 		nb   = smp->prnd;
2166 	}
2167 
2168 	if (smp->method == REQ_OOB) {
2169 		if (!hcon->out)
2170 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2171 				     sizeof(smp->prnd), smp->prnd);
2172 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2173 		goto mackey_and_ltk;
2174 	}
2175 
2176 	/* Passkey entry has special treatment */
2177 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2178 		return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2179 
2180 	if (hcon->out) {
2181 		u8 cfm[16];
2182 
2183 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2184 			     smp->rrnd, 0, cfm);
2185 		if (err)
2186 			return SMP_UNSPECIFIED;
2187 
2188 		if (crypto_memneq(smp->pcnf, cfm, 16))
2189 			return SMP_CONFIRM_FAILED;
2190 	} else {
2191 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2192 			     smp->prnd);
2193 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2194 	}
2195 
2196 mackey_and_ltk:
2197 	/* Generate MacKey and LTK */
2198 	err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2199 	if (err)
2200 		return SMP_UNSPECIFIED;
2201 
2202 	if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2203 		if (hcon->out) {
2204 			sc_dhkey_check(smp);
2205 			SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2206 		}
2207 		return 0;
2208 	}
2209 
2210 	err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2211 	if (err)
2212 		return SMP_UNSPECIFIED;
2213 
2214 	err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2215 					hcon->dst_type, passkey, 0);
2216 	if (err)
2217 		return SMP_UNSPECIFIED;
2218 
2219 	set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2220 
2221 	return 0;
2222 }
2223 
2224 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2225 {
2226 	struct smp_ltk *key;
2227 	struct hci_conn *hcon = conn->hcon;
2228 
2229 	key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2230 	if (!key)
2231 		return false;
2232 
2233 	if (smp_ltk_sec_level(key) < sec_level)
2234 		return false;
2235 
2236 	if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2237 		return true;
2238 
2239 	hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2240 	hcon->enc_key_size = key->enc_size;
2241 
2242 	/* We never store STKs for master role, so clear this flag */
2243 	clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2244 
2245 	return true;
2246 }
2247 
2248 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2249 			     enum smp_key_pref key_pref)
2250 {
2251 	if (sec_level == BT_SECURITY_LOW)
2252 		return true;
2253 
2254 	/* If we're encrypted with an STK but the caller prefers using
2255 	 * LTK claim insufficient security. This way we allow the
2256 	 * connection to be re-encrypted with an LTK, even if the LTK
2257 	 * provides the same level of security. Only exception is if we
2258 	 * don't have an LTK (e.g. because of key distribution bits).
2259 	 */
2260 	if (key_pref == SMP_USE_LTK &&
2261 	    test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2262 	    hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2263 		return false;
2264 
2265 	if (hcon->sec_level >= sec_level)
2266 		return true;
2267 
2268 	return false;
2269 }
2270 
2271 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2272 {
2273 	struct smp_cmd_security_req *rp = (void *) skb->data;
2274 	struct smp_cmd_pairing cp;
2275 	struct hci_conn *hcon = conn->hcon;
2276 	struct hci_dev *hdev = hcon->hdev;
2277 	struct smp_chan *smp;
2278 	u8 sec_level, auth;
2279 
2280 	BT_DBG("conn %p", conn);
2281 
2282 	if (skb->len < sizeof(*rp))
2283 		return SMP_INVALID_PARAMS;
2284 
2285 	if (hcon->role != HCI_ROLE_MASTER)
2286 		return SMP_CMD_NOTSUPP;
2287 
2288 	auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2289 
2290 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2291 		return SMP_AUTH_REQUIREMENTS;
2292 
2293 	if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2294 		sec_level = BT_SECURITY_MEDIUM;
2295 	else
2296 		sec_level = authreq_to_seclevel(auth);
2297 
2298 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2299 		/* If link is already encrypted with sufficient security we
2300 		 * still need refresh encryption as per Core Spec 5.0 Vol 3,
2301 		 * Part H 2.4.6
2302 		 */
2303 		smp_ltk_encrypt(conn, hcon->sec_level);
2304 		return 0;
2305 	}
2306 
2307 	if (sec_level > hcon->pending_sec_level)
2308 		hcon->pending_sec_level = sec_level;
2309 
2310 	if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2311 		return 0;
2312 
2313 	smp = smp_chan_create(conn);
2314 	if (!smp)
2315 		return SMP_UNSPECIFIED;
2316 
2317 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2318 	    (auth & SMP_AUTH_BONDING))
2319 		return SMP_PAIRING_NOTSUPP;
2320 
2321 	skb_pull(skb, sizeof(*rp));
2322 
2323 	memset(&cp, 0, sizeof(cp));
2324 	build_pairing_cmd(conn, &cp, NULL, auth);
2325 
2326 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2327 	memcpy(&smp->preq[1], &cp, sizeof(cp));
2328 
2329 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2330 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2331 
2332 	return 0;
2333 }
2334 
2335 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2336 {
2337 	struct l2cap_conn *conn = hcon->l2cap_data;
2338 	struct l2cap_chan *chan;
2339 	struct smp_chan *smp;
2340 	__u8 authreq;
2341 	int ret;
2342 
2343 	BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2344 
2345 	/* This may be NULL if there's an unexpected disconnection */
2346 	if (!conn)
2347 		return 1;
2348 
2349 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2350 		return 1;
2351 
2352 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2353 		return 1;
2354 
2355 	if (sec_level > hcon->pending_sec_level)
2356 		hcon->pending_sec_level = sec_level;
2357 
2358 	if (hcon->role == HCI_ROLE_MASTER)
2359 		if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2360 			return 0;
2361 
2362 	chan = conn->smp;
2363 	if (!chan) {
2364 		bt_dev_err(hcon->hdev, "security requested but not available");
2365 		return 1;
2366 	}
2367 
2368 	l2cap_chan_lock(chan);
2369 
2370 	/* If SMP is already in progress ignore this request */
2371 	if (chan->data) {
2372 		ret = 0;
2373 		goto unlock;
2374 	}
2375 
2376 	smp = smp_chan_create(conn);
2377 	if (!smp) {
2378 		ret = 1;
2379 		goto unlock;
2380 	}
2381 
2382 	authreq = seclevel_to_authreq(sec_level);
2383 
2384 	if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2385 		authreq |= SMP_AUTH_SC;
2386 		if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2387 			authreq |= SMP_AUTH_CT2;
2388 	}
2389 
2390 	/* Require MITM if IO Capability allows or the security level
2391 	 * requires it.
2392 	 */
2393 	if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2394 	    hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2395 		authreq |= SMP_AUTH_MITM;
2396 
2397 	if (hcon->role == HCI_ROLE_MASTER) {
2398 		struct smp_cmd_pairing cp;
2399 
2400 		build_pairing_cmd(conn, &cp, NULL, authreq);
2401 		smp->preq[0] = SMP_CMD_PAIRING_REQ;
2402 		memcpy(&smp->preq[1], &cp, sizeof(cp));
2403 
2404 		smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2405 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2406 	} else {
2407 		struct smp_cmd_security_req cp;
2408 		cp.auth_req = authreq;
2409 		smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2410 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2411 	}
2412 
2413 	set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2414 	ret = 0;
2415 
2416 unlock:
2417 	l2cap_chan_unlock(chan);
2418 	return ret;
2419 }
2420 
2421 int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2422 				  u8 addr_type)
2423 {
2424 	struct hci_conn *hcon;
2425 	struct l2cap_conn *conn;
2426 	struct l2cap_chan *chan;
2427 	struct smp_chan *smp;
2428 	int err;
2429 
2430 	err = hci_remove_ltk(hdev, bdaddr, addr_type);
2431 	hci_remove_irk(hdev, bdaddr, addr_type);
2432 
2433 	hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2434 	if (!hcon)
2435 		goto done;
2436 
2437 	conn = hcon->l2cap_data;
2438 	if (!conn)
2439 		goto done;
2440 
2441 	chan = conn->smp;
2442 	if (!chan)
2443 		goto done;
2444 
2445 	l2cap_chan_lock(chan);
2446 
2447 	smp = chan->data;
2448 	if (smp) {
2449 		/* Set keys to NULL to make sure smp_failure() does not try to
2450 		 * remove and free already invalidated rcu list entries. */
2451 		smp->ltk = NULL;
2452 		smp->slave_ltk = NULL;
2453 		smp->remote_irk = NULL;
2454 
2455 		if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2456 			smp_failure(conn, 0);
2457 		else
2458 			smp_failure(conn, SMP_UNSPECIFIED);
2459 		err = 0;
2460 	}
2461 
2462 	l2cap_chan_unlock(chan);
2463 
2464 done:
2465 	return err;
2466 }
2467 
2468 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2469 {
2470 	struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2471 	struct l2cap_chan *chan = conn->smp;
2472 	struct smp_chan *smp = chan->data;
2473 
2474 	BT_DBG("conn %p", conn);
2475 
2476 	if (skb->len < sizeof(*rp))
2477 		return SMP_INVALID_PARAMS;
2478 
2479 	SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2480 
2481 	skb_pull(skb, sizeof(*rp));
2482 
2483 	memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2484 
2485 	return 0;
2486 }
2487 
2488 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2489 {
2490 	struct smp_cmd_master_ident *rp = (void *) skb->data;
2491 	struct l2cap_chan *chan = conn->smp;
2492 	struct smp_chan *smp = chan->data;
2493 	struct hci_dev *hdev = conn->hcon->hdev;
2494 	struct hci_conn *hcon = conn->hcon;
2495 	struct smp_ltk *ltk;
2496 	u8 authenticated;
2497 
2498 	BT_DBG("conn %p", conn);
2499 
2500 	if (skb->len < sizeof(*rp))
2501 		return SMP_INVALID_PARAMS;
2502 
2503 	/* Mark the information as received */
2504 	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2505 
2506 	if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2507 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2508 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
2509 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2510 
2511 	skb_pull(skb, sizeof(*rp));
2512 
2513 	authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2514 	ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2515 			  authenticated, smp->tk, smp->enc_key_size,
2516 			  rp->ediv, rp->rand);
2517 	smp->ltk = ltk;
2518 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2519 		smp_distribute_keys(smp);
2520 
2521 	return 0;
2522 }
2523 
2524 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2525 {
2526 	struct smp_cmd_ident_info *info = (void *) skb->data;
2527 	struct l2cap_chan *chan = conn->smp;
2528 	struct smp_chan *smp = chan->data;
2529 
2530 	BT_DBG("");
2531 
2532 	if (skb->len < sizeof(*info))
2533 		return SMP_INVALID_PARAMS;
2534 
2535 	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2536 
2537 	skb_pull(skb, sizeof(*info));
2538 
2539 	memcpy(smp->irk, info->irk, 16);
2540 
2541 	return 0;
2542 }
2543 
2544 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2545 				   struct sk_buff *skb)
2546 {
2547 	struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2548 	struct l2cap_chan *chan = conn->smp;
2549 	struct smp_chan *smp = chan->data;
2550 	struct hci_conn *hcon = conn->hcon;
2551 	bdaddr_t rpa;
2552 
2553 	BT_DBG("");
2554 
2555 	if (skb->len < sizeof(*info))
2556 		return SMP_INVALID_PARAMS;
2557 
2558 	/* Mark the information as received */
2559 	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2560 
2561 	if (smp->remote_key_dist & SMP_DIST_SIGN)
2562 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2563 
2564 	skb_pull(skb, sizeof(*info));
2565 
2566 	/* Strictly speaking the Core Specification (4.1) allows sending
2567 	 * an empty address which would force us to rely on just the IRK
2568 	 * as "identity information". However, since such
2569 	 * implementations are not known of and in order to not over
2570 	 * complicate our implementation, simply pretend that we never
2571 	 * received an IRK for such a device.
2572 	 *
2573 	 * The Identity Address must also be a Static Random or Public
2574 	 * Address, which hci_is_identity_address() checks for.
2575 	 */
2576 	if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2577 	    !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2578 		bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
2579 		goto distribute;
2580 	}
2581 
2582 	/* Drop IRK if peer is using identity address during pairing but is
2583 	 * providing different address as identity information.
2584 	 *
2585 	 * Microsoft Surface Precision Mouse is known to have this bug.
2586 	 */
2587 	if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
2588 	    (bacmp(&info->bdaddr, &hcon->dst) ||
2589 	     info->addr_type != hcon->dst_type)) {
2590 		bt_dev_err(hcon->hdev,
2591 			   "ignoring IRK with invalid identity address");
2592 		goto distribute;
2593 	}
2594 
2595 	bacpy(&smp->id_addr, &info->bdaddr);
2596 	smp->id_addr_type = info->addr_type;
2597 
2598 	if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2599 		bacpy(&rpa, &hcon->dst);
2600 	else
2601 		bacpy(&rpa, BDADDR_ANY);
2602 
2603 	smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2604 				      smp->id_addr_type, smp->irk, &rpa);
2605 
2606 distribute:
2607 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2608 		smp_distribute_keys(smp);
2609 
2610 	return 0;
2611 }
2612 
2613 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2614 {
2615 	struct smp_cmd_sign_info *rp = (void *) skb->data;
2616 	struct l2cap_chan *chan = conn->smp;
2617 	struct smp_chan *smp = chan->data;
2618 	struct smp_csrk *csrk;
2619 
2620 	BT_DBG("conn %p", conn);
2621 
2622 	if (skb->len < sizeof(*rp))
2623 		return SMP_INVALID_PARAMS;
2624 
2625 	/* Mark the information as received */
2626 	smp->remote_key_dist &= ~SMP_DIST_SIGN;
2627 
2628 	skb_pull(skb, sizeof(*rp));
2629 
2630 	csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2631 	if (csrk) {
2632 		if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2633 			csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2634 		else
2635 			csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2636 		memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2637 	}
2638 	smp->csrk = csrk;
2639 	smp_distribute_keys(smp);
2640 
2641 	return 0;
2642 }
2643 
2644 static u8 sc_select_method(struct smp_chan *smp)
2645 {
2646 	struct l2cap_conn *conn = smp->conn;
2647 	struct hci_conn *hcon = conn->hcon;
2648 	struct smp_cmd_pairing *local, *remote;
2649 	u8 local_mitm, remote_mitm, local_io, remote_io, method;
2650 
2651 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2652 	    test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2653 		return REQ_OOB;
2654 
2655 	/* The preq/prsp contain the raw Pairing Request/Response PDUs
2656 	 * which are needed as inputs to some crypto functions. To get
2657 	 * the "struct smp_cmd_pairing" from them we need to skip the
2658 	 * first byte which contains the opcode.
2659 	 */
2660 	if (hcon->out) {
2661 		local = (void *) &smp->preq[1];
2662 		remote = (void *) &smp->prsp[1];
2663 	} else {
2664 		local = (void *) &smp->prsp[1];
2665 		remote = (void *) &smp->preq[1];
2666 	}
2667 
2668 	local_io = local->io_capability;
2669 	remote_io = remote->io_capability;
2670 
2671 	local_mitm = (local->auth_req & SMP_AUTH_MITM);
2672 	remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2673 
2674 	/* If either side wants MITM, look up the method from the table,
2675 	 * otherwise use JUST WORKS.
2676 	 */
2677 	if (local_mitm || remote_mitm)
2678 		method = get_auth_method(smp, local_io, remote_io);
2679 	else
2680 		method = JUST_WORKS;
2681 
2682 	/* Don't confirm locally initiated pairing attempts */
2683 	if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2684 		method = JUST_WORKS;
2685 
2686 	return method;
2687 }
2688 
2689 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2690 {
2691 	struct smp_cmd_public_key *key = (void *) skb->data;
2692 	struct hci_conn *hcon = conn->hcon;
2693 	struct l2cap_chan *chan = conn->smp;
2694 	struct smp_chan *smp = chan->data;
2695 	struct hci_dev *hdev = hcon->hdev;
2696 	struct crypto_kpp *tfm_ecdh;
2697 	struct smp_cmd_pairing_confirm cfm;
2698 	int err;
2699 
2700 	BT_DBG("conn %p", conn);
2701 
2702 	if (skb->len < sizeof(*key))
2703 		return SMP_INVALID_PARAMS;
2704 
2705 	memcpy(smp->remote_pk, key, 64);
2706 
2707 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2708 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2709 			     smp->rr, 0, cfm.confirm_val);
2710 		if (err)
2711 			return SMP_UNSPECIFIED;
2712 
2713 		if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2714 			return SMP_CONFIRM_FAILED;
2715 	}
2716 
2717 	/* Non-initiating device sends its public key after receiving
2718 	 * the key from the initiating device.
2719 	 */
2720 	if (!hcon->out) {
2721 		err = sc_send_public_key(smp);
2722 		if (err)
2723 			return err;
2724 	}
2725 
2726 	SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2727 	SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2728 
2729 	/* Compute the shared secret on the same crypto tfm on which the private
2730 	 * key was set/generated.
2731 	 */
2732 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
2733 		struct l2cap_chan *hchan = hdev->smp_data;
2734 		struct smp_dev *smp_dev;
2735 
2736 		if (!hchan || !hchan->data)
2737 			return SMP_UNSPECIFIED;
2738 
2739 		smp_dev = hchan->data;
2740 
2741 		tfm_ecdh = smp_dev->tfm_ecdh;
2742 	} else {
2743 		tfm_ecdh = smp->tfm_ecdh;
2744 	}
2745 
2746 	if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
2747 		return SMP_UNSPECIFIED;
2748 
2749 	SMP_DBG("DHKey %32phN", smp->dhkey);
2750 
2751 	set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2752 
2753 	smp->method = sc_select_method(smp);
2754 
2755 	BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2756 
2757 	/* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2758 	if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2759 		hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2760 	else
2761 		hcon->pending_sec_level = BT_SECURITY_FIPS;
2762 
2763 	if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2764 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2765 
2766 	if (smp->method == DSP_PASSKEY) {
2767 		get_random_bytes(&hcon->passkey_notify,
2768 				 sizeof(hcon->passkey_notify));
2769 		hcon->passkey_notify %= 1000000;
2770 		hcon->passkey_entered = 0;
2771 		smp->passkey_round = 0;
2772 		if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2773 					     hcon->dst_type,
2774 					     hcon->passkey_notify,
2775 					     hcon->passkey_entered))
2776 			return SMP_UNSPECIFIED;
2777 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2778 		return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2779 	}
2780 
2781 	if (smp->method == REQ_OOB) {
2782 		if (hcon->out)
2783 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2784 				     sizeof(smp->prnd), smp->prnd);
2785 
2786 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2787 
2788 		return 0;
2789 	}
2790 
2791 	if (hcon->out)
2792 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2793 
2794 	if (smp->method == REQ_PASSKEY) {
2795 		if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2796 					      hcon->dst_type))
2797 			return SMP_UNSPECIFIED;
2798 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2799 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2800 		return 0;
2801 	}
2802 
2803 	/* The Initiating device waits for the non-initiating device to
2804 	 * send the confirm value.
2805 	 */
2806 	if (conn->hcon->out)
2807 		return 0;
2808 
2809 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2810 		     0, cfm.confirm_val);
2811 	if (err)
2812 		return SMP_UNSPECIFIED;
2813 
2814 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2815 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2816 
2817 	return 0;
2818 }
2819 
2820 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2821 {
2822 	struct smp_cmd_dhkey_check *check = (void *) skb->data;
2823 	struct l2cap_chan *chan = conn->smp;
2824 	struct hci_conn *hcon = conn->hcon;
2825 	struct smp_chan *smp = chan->data;
2826 	u8 a[7], b[7], *local_addr, *remote_addr;
2827 	u8 io_cap[3], r[16], e[16];
2828 	int err;
2829 
2830 	BT_DBG("conn %p", conn);
2831 
2832 	if (skb->len < sizeof(*check))
2833 		return SMP_INVALID_PARAMS;
2834 
2835 	memcpy(a, &hcon->init_addr, 6);
2836 	memcpy(b, &hcon->resp_addr, 6);
2837 	a[6] = hcon->init_addr_type;
2838 	b[6] = hcon->resp_addr_type;
2839 
2840 	if (hcon->out) {
2841 		local_addr = a;
2842 		remote_addr = b;
2843 		memcpy(io_cap, &smp->prsp[1], 3);
2844 	} else {
2845 		local_addr = b;
2846 		remote_addr = a;
2847 		memcpy(io_cap, &smp->preq[1], 3);
2848 	}
2849 
2850 	memset(r, 0, sizeof(r));
2851 
2852 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2853 		put_unaligned_le32(hcon->passkey_notify, r);
2854 	else if (smp->method == REQ_OOB)
2855 		memcpy(r, smp->lr, 16);
2856 
2857 	err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2858 		     io_cap, remote_addr, local_addr, e);
2859 	if (err)
2860 		return SMP_UNSPECIFIED;
2861 
2862 	if (crypto_memneq(check->e, e, 16))
2863 		return SMP_DHKEY_CHECK_FAILED;
2864 
2865 	if (!hcon->out) {
2866 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2867 			set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2868 			return 0;
2869 		}
2870 
2871 		/* Slave sends DHKey check as response to master */
2872 		sc_dhkey_check(smp);
2873 	}
2874 
2875 	sc_add_ltk(smp);
2876 
2877 	if (hcon->out) {
2878 		hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2879 		hcon->enc_key_size = smp->enc_key_size;
2880 	}
2881 
2882 	return 0;
2883 }
2884 
2885 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2886 				   struct sk_buff *skb)
2887 {
2888 	struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2889 
2890 	BT_DBG("value 0x%02x", kp->value);
2891 
2892 	return 0;
2893 }
2894 
2895 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2896 {
2897 	struct l2cap_conn *conn = chan->conn;
2898 	struct hci_conn *hcon = conn->hcon;
2899 	struct smp_chan *smp;
2900 	__u8 code, reason;
2901 	int err = 0;
2902 
2903 	if (skb->len < 1)
2904 		return -EILSEQ;
2905 
2906 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2907 		reason = SMP_PAIRING_NOTSUPP;
2908 		goto done;
2909 	}
2910 
2911 	code = skb->data[0];
2912 	skb_pull(skb, sizeof(code));
2913 
2914 	smp = chan->data;
2915 
2916 	if (code > SMP_CMD_MAX)
2917 		goto drop;
2918 
2919 	if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2920 		goto drop;
2921 
2922 	/* If we don't have a context the only allowed commands are
2923 	 * pairing request and security request.
2924 	 */
2925 	if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2926 		goto drop;
2927 
2928 	switch (code) {
2929 	case SMP_CMD_PAIRING_REQ:
2930 		reason = smp_cmd_pairing_req(conn, skb);
2931 		break;
2932 
2933 	case SMP_CMD_PAIRING_FAIL:
2934 		smp_failure(conn, 0);
2935 		err = -EPERM;
2936 		break;
2937 
2938 	case SMP_CMD_PAIRING_RSP:
2939 		reason = smp_cmd_pairing_rsp(conn, skb);
2940 		break;
2941 
2942 	case SMP_CMD_SECURITY_REQ:
2943 		reason = smp_cmd_security_req(conn, skb);
2944 		break;
2945 
2946 	case SMP_CMD_PAIRING_CONFIRM:
2947 		reason = smp_cmd_pairing_confirm(conn, skb);
2948 		break;
2949 
2950 	case SMP_CMD_PAIRING_RANDOM:
2951 		reason = smp_cmd_pairing_random(conn, skb);
2952 		break;
2953 
2954 	case SMP_CMD_ENCRYPT_INFO:
2955 		reason = smp_cmd_encrypt_info(conn, skb);
2956 		break;
2957 
2958 	case SMP_CMD_MASTER_IDENT:
2959 		reason = smp_cmd_master_ident(conn, skb);
2960 		break;
2961 
2962 	case SMP_CMD_IDENT_INFO:
2963 		reason = smp_cmd_ident_info(conn, skb);
2964 		break;
2965 
2966 	case SMP_CMD_IDENT_ADDR_INFO:
2967 		reason = smp_cmd_ident_addr_info(conn, skb);
2968 		break;
2969 
2970 	case SMP_CMD_SIGN_INFO:
2971 		reason = smp_cmd_sign_info(conn, skb);
2972 		break;
2973 
2974 	case SMP_CMD_PUBLIC_KEY:
2975 		reason = smp_cmd_public_key(conn, skb);
2976 		break;
2977 
2978 	case SMP_CMD_DHKEY_CHECK:
2979 		reason = smp_cmd_dhkey_check(conn, skb);
2980 		break;
2981 
2982 	case SMP_CMD_KEYPRESS_NOTIFY:
2983 		reason = smp_cmd_keypress_notify(conn, skb);
2984 		break;
2985 
2986 	default:
2987 		BT_DBG("Unknown command code 0x%2.2x", code);
2988 		reason = SMP_CMD_NOTSUPP;
2989 		goto done;
2990 	}
2991 
2992 done:
2993 	if (!err) {
2994 		if (reason)
2995 			smp_failure(conn, reason);
2996 		kfree_skb(skb);
2997 	}
2998 
2999 	return err;
3000 
3001 drop:
3002 	bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
3003 		   code, &hcon->dst);
3004 	kfree_skb(skb);
3005 	return 0;
3006 }
3007 
3008 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
3009 {
3010 	struct l2cap_conn *conn = chan->conn;
3011 
3012 	BT_DBG("chan %p", chan);
3013 
3014 	if (chan->data)
3015 		smp_chan_destroy(conn);
3016 
3017 	conn->smp = NULL;
3018 	l2cap_chan_put(chan);
3019 }
3020 
3021 static void bredr_pairing(struct l2cap_chan *chan)
3022 {
3023 	struct l2cap_conn *conn = chan->conn;
3024 	struct hci_conn *hcon = conn->hcon;
3025 	struct hci_dev *hdev = hcon->hdev;
3026 	struct smp_cmd_pairing req;
3027 	struct smp_chan *smp;
3028 
3029 	BT_DBG("chan %p", chan);
3030 
3031 	/* Only new pairings are interesting */
3032 	if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
3033 		return;
3034 
3035 	/* Don't bother if we're not encrypted */
3036 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3037 		return;
3038 
3039 	/* Only master may initiate SMP over BR/EDR */
3040 	if (hcon->role != HCI_ROLE_MASTER)
3041 		return;
3042 
3043 	/* Secure Connections support must be enabled */
3044 	if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
3045 		return;
3046 
3047 	/* BR/EDR must use Secure Connections for SMP */
3048 	if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
3049 	    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3050 		return;
3051 
3052 	/* If our LE support is not enabled don't do anything */
3053 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3054 		return;
3055 
3056 	/* Don't bother if remote LE support is not enabled */
3057 	if (!lmp_host_le_capable(hcon))
3058 		return;
3059 
3060 	/* Remote must support SMP fixed chan for BR/EDR */
3061 	if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3062 		return;
3063 
3064 	/* Don't bother if SMP is already ongoing */
3065 	if (chan->data)
3066 		return;
3067 
3068 	smp = smp_chan_create(conn);
3069 	if (!smp) {
3070 		bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
3071 		return;
3072 	}
3073 
3074 	set_bit(SMP_FLAG_SC, &smp->flags);
3075 
3076 	BT_DBG("%s starting SMP over BR/EDR", hdev->name);
3077 
3078 	/* Prepare and send the BR/EDR SMP Pairing Request */
3079 	build_bredr_pairing_cmd(smp, &req, NULL);
3080 
3081 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
3082 	memcpy(&smp->preq[1], &req, sizeof(req));
3083 
3084 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3085 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3086 }
3087 
3088 static void smp_resume_cb(struct l2cap_chan *chan)
3089 {
3090 	struct smp_chan *smp = chan->data;
3091 	struct l2cap_conn *conn = chan->conn;
3092 	struct hci_conn *hcon = conn->hcon;
3093 
3094 	BT_DBG("chan %p", chan);
3095 
3096 	if (hcon->type == ACL_LINK) {
3097 		bredr_pairing(chan);
3098 		return;
3099 	}
3100 
3101 	if (!smp)
3102 		return;
3103 
3104 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3105 		return;
3106 
3107 	cancel_delayed_work(&smp->security_timer);
3108 
3109 	smp_distribute_keys(smp);
3110 }
3111 
3112 static void smp_ready_cb(struct l2cap_chan *chan)
3113 {
3114 	struct l2cap_conn *conn = chan->conn;
3115 	struct hci_conn *hcon = conn->hcon;
3116 
3117 	BT_DBG("chan %p", chan);
3118 
3119 	/* No need to call l2cap_chan_hold() here since we already own
3120 	 * the reference taken in smp_new_conn_cb(). This is just the
3121 	 * first time that we tie it to a specific pointer. The code in
3122 	 * l2cap_core.c ensures that there's no risk this function wont
3123 	 * get called if smp_new_conn_cb was previously called.
3124 	 */
3125 	conn->smp = chan;
3126 
3127 	if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3128 		bredr_pairing(chan);
3129 }
3130 
3131 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3132 {
3133 	int err;
3134 
3135 	BT_DBG("chan %p", chan);
3136 
3137 	err = smp_sig_channel(chan, skb);
3138 	if (err) {
3139 		struct smp_chan *smp = chan->data;
3140 
3141 		if (smp)
3142 			cancel_delayed_work_sync(&smp->security_timer);
3143 
3144 		hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3145 	}
3146 
3147 	return err;
3148 }
3149 
3150 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3151 					unsigned long hdr_len,
3152 					unsigned long len, int nb)
3153 {
3154 	struct sk_buff *skb;
3155 
3156 	skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3157 	if (!skb)
3158 		return ERR_PTR(-ENOMEM);
3159 
3160 	skb->priority = HCI_PRIO_MAX;
3161 	bt_cb(skb)->l2cap.chan = chan;
3162 
3163 	return skb;
3164 }
3165 
3166 static const struct l2cap_ops smp_chan_ops = {
3167 	.name			= "Security Manager",
3168 	.ready			= smp_ready_cb,
3169 	.recv			= smp_recv_cb,
3170 	.alloc_skb		= smp_alloc_skb_cb,
3171 	.teardown		= smp_teardown_cb,
3172 	.resume			= smp_resume_cb,
3173 
3174 	.new_connection		= l2cap_chan_no_new_connection,
3175 	.state_change		= l2cap_chan_no_state_change,
3176 	.close			= l2cap_chan_no_close,
3177 	.defer			= l2cap_chan_no_defer,
3178 	.suspend		= l2cap_chan_no_suspend,
3179 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3180 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3181 };
3182 
3183 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3184 {
3185 	struct l2cap_chan *chan;
3186 
3187 	BT_DBG("pchan %p", pchan);
3188 
3189 	chan = l2cap_chan_create();
3190 	if (!chan)
3191 		return NULL;
3192 
3193 	chan->chan_type	= pchan->chan_type;
3194 	chan->ops	= &smp_chan_ops;
3195 	chan->scid	= pchan->scid;
3196 	chan->dcid	= chan->scid;
3197 	chan->imtu	= pchan->imtu;
3198 	chan->omtu	= pchan->omtu;
3199 	chan->mode	= pchan->mode;
3200 
3201 	/* Other L2CAP channels may request SMP routines in order to
3202 	 * change the security level. This means that the SMP channel
3203 	 * lock must be considered in its own category to avoid lockdep
3204 	 * warnings.
3205 	 */
3206 	atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3207 
3208 	BT_DBG("created chan %p", chan);
3209 
3210 	return chan;
3211 }
3212 
3213 static const struct l2cap_ops smp_root_chan_ops = {
3214 	.name			= "Security Manager Root",
3215 	.new_connection		= smp_new_conn_cb,
3216 
3217 	/* None of these are implemented for the root channel */
3218 	.close			= l2cap_chan_no_close,
3219 	.alloc_skb		= l2cap_chan_no_alloc_skb,
3220 	.recv			= l2cap_chan_no_recv,
3221 	.state_change		= l2cap_chan_no_state_change,
3222 	.teardown		= l2cap_chan_no_teardown,
3223 	.ready			= l2cap_chan_no_ready,
3224 	.defer			= l2cap_chan_no_defer,
3225 	.suspend		= l2cap_chan_no_suspend,
3226 	.resume			= l2cap_chan_no_resume,
3227 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3228 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3229 };
3230 
3231 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3232 {
3233 	struct l2cap_chan *chan;
3234 	struct smp_dev *smp;
3235 	struct crypto_cipher *tfm_aes;
3236 	struct crypto_shash *tfm_cmac;
3237 	struct crypto_kpp *tfm_ecdh;
3238 
3239 	if (cid == L2CAP_CID_SMP_BREDR) {
3240 		smp = NULL;
3241 		goto create_chan;
3242 	}
3243 
3244 	smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3245 	if (!smp)
3246 		return ERR_PTR(-ENOMEM);
3247 
3248 	tfm_aes = crypto_alloc_cipher("aes", 0, 0);
3249 	if (IS_ERR(tfm_aes)) {
3250 		BT_ERR("Unable to create AES crypto context");
3251 		kzfree(smp);
3252 		return ERR_CAST(tfm_aes);
3253 	}
3254 
3255 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3256 	if (IS_ERR(tfm_cmac)) {
3257 		BT_ERR("Unable to create CMAC crypto context");
3258 		crypto_free_cipher(tfm_aes);
3259 		kzfree(smp);
3260 		return ERR_CAST(tfm_cmac);
3261 	}
3262 
3263 	tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
3264 	if (IS_ERR(tfm_ecdh)) {
3265 		BT_ERR("Unable to create ECDH crypto context");
3266 		crypto_free_shash(tfm_cmac);
3267 		crypto_free_cipher(tfm_aes);
3268 		kzfree(smp);
3269 		return ERR_CAST(tfm_ecdh);
3270 	}
3271 
3272 	smp->local_oob = false;
3273 	smp->tfm_aes = tfm_aes;
3274 	smp->tfm_cmac = tfm_cmac;
3275 	smp->tfm_ecdh = tfm_ecdh;
3276 
3277 create_chan:
3278 	chan = l2cap_chan_create();
3279 	if (!chan) {
3280 		if (smp) {
3281 			crypto_free_cipher(smp->tfm_aes);
3282 			crypto_free_shash(smp->tfm_cmac);
3283 			crypto_free_kpp(smp->tfm_ecdh);
3284 			kzfree(smp);
3285 		}
3286 		return ERR_PTR(-ENOMEM);
3287 	}
3288 
3289 	chan->data = smp;
3290 
3291 	l2cap_add_scid(chan, cid);
3292 
3293 	l2cap_chan_set_defaults(chan);
3294 
3295 	if (cid == L2CAP_CID_SMP) {
3296 		u8 bdaddr_type;
3297 
3298 		hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3299 
3300 		if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3301 			chan->src_type = BDADDR_LE_PUBLIC;
3302 		else
3303 			chan->src_type = BDADDR_LE_RANDOM;
3304 	} else {
3305 		bacpy(&chan->src, &hdev->bdaddr);
3306 		chan->src_type = BDADDR_BREDR;
3307 	}
3308 
3309 	chan->state = BT_LISTEN;
3310 	chan->mode = L2CAP_MODE_BASIC;
3311 	chan->imtu = L2CAP_DEFAULT_MTU;
3312 	chan->ops = &smp_root_chan_ops;
3313 
3314 	/* Set correct nesting level for a parent/listening channel */
3315 	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3316 
3317 	return chan;
3318 }
3319 
3320 static void smp_del_chan(struct l2cap_chan *chan)
3321 {
3322 	struct smp_dev *smp;
3323 
3324 	BT_DBG("chan %p", chan);
3325 
3326 	smp = chan->data;
3327 	if (smp) {
3328 		chan->data = NULL;
3329 		crypto_free_cipher(smp->tfm_aes);
3330 		crypto_free_shash(smp->tfm_cmac);
3331 		crypto_free_kpp(smp->tfm_ecdh);
3332 		kzfree(smp);
3333 	}
3334 
3335 	l2cap_chan_put(chan);
3336 }
3337 
3338 static ssize_t force_bredr_smp_read(struct file *file,
3339 				    char __user *user_buf,
3340 				    size_t count, loff_t *ppos)
3341 {
3342 	struct hci_dev *hdev = file->private_data;
3343 	char buf[3];
3344 
3345 	buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3346 	buf[1] = '\n';
3347 	buf[2] = '\0';
3348 	return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3349 }
3350 
3351 static ssize_t force_bredr_smp_write(struct file *file,
3352 				     const char __user *user_buf,
3353 				     size_t count, loff_t *ppos)
3354 {
3355 	struct hci_dev *hdev = file->private_data;
3356 	bool enable;
3357 	int err;
3358 
3359 	err = kstrtobool_from_user(user_buf, count, &enable);
3360 	if (err)
3361 		return err;
3362 
3363 	if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3364 		return -EALREADY;
3365 
3366 	if (enable) {
3367 		struct l2cap_chan *chan;
3368 
3369 		chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3370 		if (IS_ERR(chan))
3371 			return PTR_ERR(chan);
3372 
3373 		hdev->smp_bredr_data = chan;
3374 	} else {
3375 		struct l2cap_chan *chan;
3376 
3377 		chan = hdev->smp_bredr_data;
3378 		hdev->smp_bredr_data = NULL;
3379 		smp_del_chan(chan);
3380 	}
3381 
3382 	hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3383 
3384 	return count;
3385 }
3386 
3387 static const struct file_operations force_bredr_smp_fops = {
3388 	.open		= simple_open,
3389 	.read		= force_bredr_smp_read,
3390 	.write		= force_bredr_smp_write,
3391 	.llseek		= default_llseek,
3392 };
3393 
3394 static ssize_t le_min_key_size_read(struct file *file,
3395 				     char __user *user_buf,
3396 				     size_t count, loff_t *ppos)
3397 {
3398 	struct hci_dev *hdev = file->private_data;
3399 	char buf[4];
3400 
3401 	snprintf(buf, sizeof(buf), "%2u\n", hdev->le_min_key_size);
3402 
3403 	return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3404 }
3405 
3406 static ssize_t le_min_key_size_write(struct file *file,
3407 				      const char __user *user_buf,
3408 				      size_t count, loff_t *ppos)
3409 {
3410 	struct hci_dev *hdev = file->private_data;
3411 	char buf[32];
3412 	size_t buf_size = min(count, (sizeof(buf) - 1));
3413 	u8 key_size;
3414 
3415 	if (copy_from_user(buf, user_buf, buf_size))
3416 		return -EFAULT;
3417 
3418 	buf[buf_size] = '\0';
3419 
3420 	sscanf(buf, "%hhu", &key_size);
3421 
3422 	if (key_size > hdev->le_max_key_size ||
3423 	    key_size < SMP_MIN_ENC_KEY_SIZE)
3424 		return -EINVAL;
3425 
3426 	hdev->le_min_key_size = key_size;
3427 
3428 	return count;
3429 }
3430 
3431 static const struct file_operations le_min_key_size_fops = {
3432 	.open		= simple_open,
3433 	.read		= le_min_key_size_read,
3434 	.write		= le_min_key_size_write,
3435 	.llseek		= default_llseek,
3436 };
3437 
3438 static ssize_t le_max_key_size_read(struct file *file,
3439 				     char __user *user_buf,
3440 				     size_t count, loff_t *ppos)
3441 {
3442 	struct hci_dev *hdev = file->private_data;
3443 	char buf[4];
3444 
3445 	snprintf(buf, sizeof(buf), "%2u\n", hdev->le_max_key_size);
3446 
3447 	return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3448 }
3449 
3450 static ssize_t le_max_key_size_write(struct file *file,
3451 				      const char __user *user_buf,
3452 				      size_t count, loff_t *ppos)
3453 {
3454 	struct hci_dev *hdev = file->private_data;
3455 	char buf[32];
3456 	size_t buf_size = min(count, (sizeof(buf) - 1));
3457 	u8 key_size;
3458 
3459 	if (copy_from_user(buf, user_buf, buf_size))
3460 		return -EFAULT;
3461 
3462 	buf[buf_size] = '\0';
3463 
3464 	sscanf(buf, "%hhu", &key_size);
3465 
3466 	if (key_size > SMP_MAX_ENC_KEY_SIZE ||
3467 	    key_size < hdev->le_min_key_size)
3468 		return -EINVAL;
3469 
3470 	hdev->le_max_key_size = key_size;
3471 
3472 	return count;
3473 }
3474 
3475 static const struct file_operations le_max_key_size_fops = {
3476 	.open		= simple_open,
3477 	.read		= le_max_key_size_read,
3478 	.write		= le_max_key_size_write,
3479 	.llseek		= default_llseek,
3480 };
3481 
3482 int smp_register(struct hci_dev *hdev)
3483 {
3484 	struct l2cap_chan *chan;
3485 
3486 	BT_DBG("%s", hdev->name);
3487 
3488 	/* If the controller does not support Low Energy operation, then
3489 	 * there is also no need to register any SMP channel.
3490 	 */
3491 	if (!lmp_le_capable(hdev))
3492 		return 0;
3493 
3494 	if (WARN_ON(hdev->smp_data)) {
3495 		chan = hdev->smp_data;
3496 		hdev->smp_data = NULL;
3497 		smp_del_chan(chan);
3498 	}
3499 
3500 	chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3501 	if (IS_ERR(chan))
3502 		return PTR_ERR(chan);
3503 
3504 	hdev->smp_data = chan;
3505 
3506 	debugfs_create_file("le_min_key_size", 0644, hdev->debugfs, hdev,
3507 			    &le_min_key_size_fops);
3508 	debugfs_create_file("le_max_key_size", 0644, hdev->debugfs, hdev,
3509 			    &le_max_key_size_fops);
3510 
3511 	/* If the controller does not support BR/EDR Secure Connections
3512 	 * feature, then the BR/EDR SMP channel shall not be present.
3513 	 *
3514 	 * To test this with Bluetooth 4.0 controllers, create a debugfs
3515 	 * switch that allows forcing BR/EDR SMP support and accepting
3516 	 * cross-transport pairing on non-AES encrypted connections.
3517 	 */
3518 	if (!lmp_sc_capable(hdev)) {
3519 		debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3520 				    hdev, &force_bredr_smp_fops);
3521 
3522 		/* Flag can be already set here (due to power toggle) */
3523 		if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3524 			return 0;
3525 	}
3526 
3527 	if (WARN_ON(hdev->smp_bredr_data)) {
3528 		chan = hdev->smp_bredr_data;
3529 		hdev->smp_bredr_data = NULL;
3530 		smp_del_chan(chan);
3531 	}
3532 
3533 	chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3534 	if (IS_ERR(chan)) {
3535 		int err = PTR_ERR(chan);
3536 		chan = hdev->smp_data;
3537 		hdev->smp_data = NULL;
3538 		smp_del_chan(chan);
3539 		return err;
3540 	}
3541 
3542 	hdev->smp_bredr_data = chan;
3543 
3544 	return 0;
3545 }
3546 
3547 void smp_unregister(struct hci_dev *hdev)
3548 {
3549 	struct l2cap_chan *chan;
3550 
3551 	if (hdev->smp_bredr_data) {
3552 		chan = hdev->smp_bredr_data;
3553 		hdev->smp_bredr_data = NULL;
3554 		smp_del_chan(chan);
3555 	}
3556 
3557 	if (hdev->smp_data) {
3558 		chan = hdev->smp_data;
3559 		hdev->smp_data = NULL;
3560 		smp_del_chan(chan);
3561 	}
3562 }
3563 
3564 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3565 
3566 static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
3567 {
3568 	u8 pk[64];
3569 	int err;
3570 
3571 	err = set_ecdh_privkey(tfm_ecdh, debug_sk);
3572 	if (err)
3573 		return err;
3574 
3575 	err = generate_ecdh_public_key(tfm_ecdh, pk);
3576 	if (err)
3577 		return err;
3578 
3579 	if (crypto_memneq(pk, debug_pk, 64))
3580 		return -EINVAL;
3581 
3582 	return 0;
3583 }
3584 
3585 static int __init test_ah(struct crypto_cipher *tfm_aes)
3586 {
3587 	const u8 irk[16] = {
3588 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3589 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3590 	const u8 r[3] = { 0x94, 0x81, 0x70 };
3591 	const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3592 	u8 res[3];
3593 	int err;
3594 
3595 	err = smp_ah(tfm_aes, irk, r, res);
3596 	if (err)
3597 		return err;
3598 
3599 	if (crypto_memneq(res, exp, 3))
3600 		return -EINVAL;
3601 
3602 	return 0;
3603 }
3604 
3605 static int __init test_c1(struct crypto_cipher *tfm_aes)
3606 {
3607 	const u8 k[16] = {
3608 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3609 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3610 	const u8 r[16] = {
3611 			0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3612 			0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3613 	const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3614 	const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3615 	const u8 _iat = 0x01;
3616 	const u8 _rat = 0x00;
3617 	const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3618 	const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3619 	const u8 exp[16] = {
3620 			0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3621 			0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3622 	u8 res[16];
3623 	int err;
3624 
3625 	err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3626 	if (err)
3627 		return err;
3628 
3629 	if (crypto_memneq(res, exp, 16))
3630 		return -EINVAL;
3631 
3632 	return 0;
3633 }
3634 
3635 static int __init test_s1(struct crypto_cipher *tfm_aes)
3636 {
3637 	const u8 k[16] = {
3638 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3639 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3640 	const u8 r1[16] = {
3641 			0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3642 	const u8 r2[16] = {
3643 			0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3644 	const u8 exp[16] = {
3645 			0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3646 			0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3647 	u8 res[16];
3648 	int err;
3649 
3650 	err = smp_s1(tfm_aes, k, r1, r2, res);
3651 	if (err)
3652 		return err;
3653 
3654 	if (crypto_memneq(res, exp, 16))
3655 		return -EINVAL;
3656 
3657 	return 0;
3658 }
3659 
3660 static int __init test_f4(struct crypto_shash *tfm_cmac)
3661 {
3662 	const u8 u[32] = {
3663 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3664 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3665 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3666 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3667 	const u8 v[32] = {
3668 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3669 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3670 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3671 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3672 	const u8 x[16] = {
3673 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3674 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3675 	const u8 z = 0x00;
3676 	const u8 exp[16] = {
3677 			0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3678 			0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3679 	u8 res[16];
3680 	int err;
3681 
3682 	err = smp_f4(tfm_cmac, u, v, x, z, res);
3683 	if (err)
3684 		return err;
3685 
3686 	if (crypto_memneq(res, exp, 16))
3687 		return -EINVAL;
3688 
3689 	return 0;
3690 }
3691 
3692 static int __init test_f5(struct crypto_shash *tfm_cmac)
3693 {
3694 	const u8 w[32] = {
3695 			0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3696 			0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3697 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3698 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3699 	const u8 n1[16] = {
3700 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3701 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3702 	const u8 n2[16] = {
3703 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3704 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3705 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3706 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3707 	const u8 exp_ltk[16] = {
3708 			0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3709 			0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3710 	const u8 exp_mackey[16] = {
3711 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3712 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3713 	u8 mackey[16], ltk[16];
3714 	int err;
3715 
3716 	err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3717 	if (err)
3718 		return err;
3719 
3720 	if (crypto_memneq(mackey, exp_mackey, 16))
3721 		return -EINVAL;
3722 
3723 	if (crypto_memneq(ltk, exp_ltk, 16))
3724 		return -EINVAL;
3725 
3726 	return 0;
3727 }
3728 
3729 static int __init test_f6(struct crypto_shash *tfm_cmac)
3730 {
3731 	const u8 w[16] = {
3732 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3733 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3734 	const u8 n1[16] = {
3735 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3736 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3737 	const u8 n2[16] = {
3738 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3739 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3740 	const u8 r[16] = {
3741 			0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3742 			0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3743 	const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3744 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3745 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3746 	const u8 exp[16] = {
3747 			0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3748 			0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3749 	u8 res[16];
3750 	int err;
3751 
3752 	err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3753 	if (err)
3754 		return err;
3755 
3756 	if (crypto_memneq(res, exp, 16))
3757 		return -EINVAL;
3758 
3759 	return 0;
3760 }
3761 
3762 static int __init test_g2(struct crypto_shash *tfm_cmac)
3763 {
3764 	const u8 u[32] = {
3765 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3766 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3767 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3768 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3769 	const u8 v[32] = {
3770 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3771 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3772 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3773 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3774 	const u8 x[16] = {
3775 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3776 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3777 	const u8 y[16] = {
3778 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3779 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3780 	const u32 exp_val = 0x2f9ed5ba % 1000000;
3781 	u32 val;
3782 	int err;
3783 
3784 	err = smp_g2(tfm_cmac, u, v, x, y, &val);
3785 	if (err)
3786 		return err;
3787 
3788 	if (val != exp_val)
3789 		return -EINVAL;
3790 
3791 	return 0;
3792 }
3793 
3794 static int __init test_h6(struct crypto_shash *tfm_cmac)
3795 {
3796 	const u8 w[16] = {
3797 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3798 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3799 	const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3800 	const u8 exp[16] = {
3801 			0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3802 			0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3803 	u8 res[16];
3804 	int err;
3805 
3806 	err = smp_h6(tfm_cmac, w, key_id, res);
3807 	if (err)
3808 		return err;
3809 
3810 	if (crypto_memneq(res, exp, 16))
3811 		return -EINVAL;
3812 
3813 	return 0;
3814 }
3815 
3816 static char test_smp_buffer[32];
3817 
3818 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3819 			     size_t count, loff_t *ppos)
3820 {
3821 	return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3822 				       strlen(test_smp_buffer));
3823 }
3824 
3825 static const struct file_operations test_smp_fops = {
3826 	.open		= simple_open,
3827 	.read		= test_smp_read,
3828 	.llseek		= default_llseek,
3829 };
3830 
3831 static int __init run_selftests(struct crypto_cipher *tfm_aes,
3832 				struct crypto_shash *tfm_cmac,
3833 				struct crypto_kpp *tfm_ecdh)
3834 {
3835 	ktime_t calltime, delta, rettime;
3836 	unsigned long long duration;
3837 	int err;
3838 
3839 	calltime = ktime_get();
3840 
3841 	err = test_debug_key(tfm_ecdh);
3842 	if (err) {
3843 		BT_ERR("debug_key test failed");
3844 		goto done;
3845 	}
3846 
3847 	err = test_ah(tfm_aes);
3848 	if (err) {
3849 		BT_ERR("smp_ah test failed");
3850 		goto done;
3851 	}
3852 
3853 	err = test_c1(tfm_aes);
3854 	if (err) {
3855 		BT_ERR("smp_c1 test failed");
3856 		goto done;
3857 	}
3858 
3859 	err = test_s1(tfm_aes);
3860 	if (err) {
3861 		BT_ERR("smp_s1 test failed");
3862 		goto done;
3863 	}
3864 
3865 	err = test_f4(tfm_cmac);
3866 	if (err) {
3867 		BT_ERR("smp_f4 test failed");
3868 		goto done;
3869 	}
3870 
3871 	err = test_f5(tfm_cmac);
3872 	if (err) {
3873 		BT_ERR("smp_f5 test failed");
3874 		goto done;
3875 	}
3876 
3877 	err = test_f6(tfm_cmac);
3878 	if (err) {
3879 		BT_ERR("smp_f6 test failed");
3880 		goto done;
3881 	}
3882 
3883 	err = test_g2(tfm_cmac);
3884 	if (err) {
3885 		BT_ERR("smp_g2 test failed");
3886 		goto done;
3887 	}
3888 
3889 	err = test_h6(tfm_cmac);
3890 	if (err) {
3891 		BT_ERR("smp_h6 test failed");
3892 		goto done;
3893 	}
3894 
3895 	rettime = ktime_get();
3896 	delta = ktime_sub(rettime, calltime);
3897 	duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3898 
3899 	BT_INFO("SMP test passed in %llu usecs", duration);
3900 
3901 done:
3902 	if (!err)
3903 		snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3904 			 "PASS (%llu usecs)\n", duration);
3905 	else
3906 		snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3907 
3908 	debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3909 			    &test_smp_fops);
3910 
3911 	return err;
3912 }
3913 
3914 int __init bt_selftest_smp(void)
3915 {
3916 	struct crypto_cipher *tfm_aes;
3917 	struct crypto_shash *tfm_cmac;
3918 	struct crypto_kpp *tfm_ecdh;
3919 	int err;
3920 
3921 	tfm_aes = crypto_alloc_cipher("aes", 0, 0);
3922 	if (IS_ERR(tfm_aes)) {
3923 		BT_ERR("Unable to create AES crypto context");
3924 		return PTR_ERR(tfm_aes);
3925 	}
3926 
3927 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3928 	if (IS_ERR(tfm_cmac)) {
3929 		BT_ERR("Unable to create CMAC crypto context");
3930 		crypto_free_cipher(tfm_aes);
3931 		return PTR_ERR(tfm_cmac);
3932 	}
3933 
3934 	tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
3935 	if (IS_ERR(tfm_ecdh)) {
3936 		BT_ERR("Unable to create ECDH crypto context");
3937 		crypto_free_shash(tfm_cmac);
3938 		crypto_free_cipher(tfm_aes);
3939 		return PTR_ERR(tfm_ecdh);
3940 	}
3941 
3942 	err = run_selftests(tfm_aes, tfm_cmac, tfm_ecdh);
3943 
3944 	crypto_free_shash(tfm_cmac);
3945 	crypto_free_cipher(tfm_aes);
3946 	crypto_free_kpp(tfm_ecdh);
3947 
3948 	return err;
3949 }
3950 
3951 #endif
3952