xref: /linux/net/bluetooth/smp.c (revision 2ba9268dd603d23e17643437b2246acb6844953b)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4 
5    This program is free software; you can redistribute it and/or modify
6    it under the terms of the GNU General Public License version 2 as
7    published by the Free Software Foundation;
8 
9    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 
18    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20    SOFTWARE IS DISCLAIMED.
21 */
22 
23 #include <linux/debugfs.h>
24 #include <linux/crypto.h>
25 #include <linux/scatterlist.h>
26 #include <crypto/b128ops.h>
27 
28 #include <net/bluetooth/bluetooth.h>
29 #include <net/bluetooth/hci_core.h>
30 #include <net/bluetooth/l2cap.h>
31 #include <net/bluetooth/mgmt.h>
32 
33 #include "ecc.h"
34 #include "smp.h"
35 
36 /* Low-level debug macros to be used for stuff that we don't want
37  * accidentially in dmesg, i.e. the values of the various crypto keys
38  * and the inputs & outputs of crypto functions.
39  */
40 #ifdef DEBUG
41 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
42 				 ##__VA_ARGS__)
43 #else
44 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
45 				    ##__VA_ARGS__)
46 #endif
47 
48 #define SMP_ALLOW_CMD(smp, code)	set_bit(code, &smp->allow_cmd)
49 
50 /* Keys which are not distributed with Secure Connections */
51 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
52 
53 #define SMP_TIMEOUT	msecs_to_jiffies(30000)
54 
55 #define AUTH_REQ_MASK(dev)	(test_bit(HCI_SC_ENABLED, &(dev)->dev_flags) ? \
56 				 0x1f : 0x07)
57 #define KEY_DIST_MASK		0x07
58 
59 /* Maximum message length that can be passed to aes_cmac */
60 #define CMAC_MSG_MAX	80
61 
62 enum {
63 	SMP_FLAG_TK_VALID,
64 	SMP_FLAG_CFM_PENDING,
65 	SMP_FLAG_MITM_AUTH,
66 	SMP_FLAG_COMPLETE,
67 	SMP_FLAG_INITIATOR,
68 	SMP_FLAG_SC,
69 	SMP_FLAG_REMOTE_PK,
70 	SMP_FLAG_DEBUG_KEY,
71 	SMP_FLAG_WAIT_USER,
72 	SMP_FLAG_DHKEY_PENDING,
73 	SMP_FLAG_OOB,
74 };
75 
76 struct smp_chan {
77 	struct l2cap_conn	*conn;
78 	struct delayed_work	security_timer;
79 	unsigned long           allow_cmd; /* Bitmask of allowed commands */
80 
81 	u8		preq[7]; /* SMP Pairing Request */
82 	u8		prsp[7]; /* SMP Pairing Response */
83 	u8		prnd[16]; /* SMP Pairing Random (local) */
84 	u8		rrnd[16]; /* SMP Pairing Random (remote) */
85 	u8		pcnf[16]; /* SMP Pairing Confirm */
86 	u8		tk[16]; /* SMP Temporary Key */
87 	u8		rr[16];
88 	u8		enc_key_size;
89 	u8		remote_key_dist;
90 	bdaddr_t	id_addr;
91 	u8		id_addr_type;
92 	u8		irk[16];
93 	struct smp_csrk	*csrk;
94 	struct smp_csrk	*slave_csrk;
95 	struct smp_ltk	*ltk;
96 	struct smp_ltk	*slave_ltk;
97 	struct smp_irk	*remote_irk;
98 	u8		*link_key;
99 	unsigned long	flags;
100 	u8		method;
101 	u8		passkey_round;
102 
103 	/* Secure Connections variables */
104 	u8			local_pk[64];
105 	u8			local_sk[32];
106 	u8			remote_pk[64];
107 	u8			dhkey[32];
108 	u8			mackey[16];
109 
110 	struct crypto_blkcipher	*tfm_aes;
111 	struct crypto_hash	*tfm_cmac;
112 };
113 
114 /* These debug key values are defined in the SMP section of the core
115  * specification. debug_pk is the public debug key and debug_sk the
116  * private debug key.
117  */
118 static const u8 debug_pk[64] = {
119 		0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
120 		0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
121 		0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
122 		0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
123 
124 		0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
125 		0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
126 		0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
127 		0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
128 };
129 
130 static const u8 debug_sk[32] = {
131 		0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
132 		0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
133 		0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
134 		0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
135 };
136 
137 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
138 {
139 	size_t i;
140 
141 	for (i = 0; i < len; i++)
142 		dst[len - 1 - i] = src[i];
143 }
144 
145 /* The following functions map to the LE SC SMP crypto functions
146  * AES-CMAC, f4, f5, f6, g2 and h6.
147  */
148 
149 static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m,
150 		    size_t len, u8 mac[16])
151 {
152 	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
153 	struct hash_desc desc;
154 	struct scatterlist sg;
155 	int err;
156 
157 	if (len > CMAC_MSG_MAX)
158 		return -EFBIG;
159 
160 	if (!tfm) {
161 		BT_ERR("tfm %p", tfm);
162 		return -EINVAL;
163 	}
164 
165 	desc.tfm = tfm;
166 	desc.flags = 0;
167 
168 	crypto_hash_init(&desc);
169 
170 	/* Swap key and message from LSB to MSB */
171 	swap_buf(k, tmp, 16);
172 	swap_buf(m, msg_msb, len);
173 
174 	SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
175 	SMP_DBG("key %16phN", k);
176 
177 	err = crypto_hash_setkey(tfm, tmp, 16);
178 	if (err) {
179 		BT_ERR("cipher setkey failed: %d", err);
180 		return err;
181 	}
182 
183 	sg_init_one(&sg, msg_msb, len);
184 
185 	err = crypto_hash_update(&desc, &sg, len);
186 	if (err) {
187 		BT_ERR("Hash update error %d", err);
188 		return err;
189 	}
190 
191 	err = crypto_hash_final(&desc, mac_msb);
192 	if (err) {
193 		BT_ERR("Hash final error %d", err);
194 		return err;
195 	}
196 
197 	swap_buf(mac_msb, mac, 16);
198 
199 	SMP_DBG("mac %16phN", mac);
200 
201 	return 0;
202 }
203 
204 static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
205 		  const u8 x[16], u8 z, u8 res[16])
206 {
207 	u8 m[65];
208 	int err;
209 
210 	SMP_DBG("u %32phN", u);
211 	SMP_DBG("v %32phN", v);
212 	SMP_DBG("x %16phN z %02x", x, z);
213 
214 	m[0] = z;
215 	memcpy(m + 1, v, 32);
216 	memcpy(m + 33, u, 32);
217 
218 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
219 	if (err)
220 		return err;
221 
222 	SMP_DBG("res %16phN", res);
223 
224 	return err;
225 }
226 
227 static int smp_f5(struct crypto_hash *tfm_cmac, const u8 w[32],
228 		  const u8 n1[16], const u8 n2[16], const u8 a1[7],
229 		  const u8 a2[7], u8 mackey[16], u8 ltk[16])
230 {
231 	/* The btle, salt and length "magic" values are as defined in
232 	 * the SMP section of the Bluetooth core specification. In ASCII
233 	 * the btle value ends up being 'btle'. The salt is just a
234 	 * random number whereas length is the value 256 in little
235 	 * endian format.
236 	 */
237 	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
238 	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
239 			      0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
240 	const u8 length[2] = { 0x00, 0x01 };
241 	u8 m[53], t[16];
242 	int err;
243 
244 	SMP_DBG("w %32phN", w);
245 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
246 	SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
247 
248 	err = aes_cmac(tfm_cmac, salt, w, 32, t);
249 	if (err)
250 		return err;
251 
252 	SMP_DBG("t %16phN", t);
253 
254 	memcpy(m, length, 2);
255 	memcpy(m + 2, a2, 7);
256 	memcpy(m + 9, a1, 7);
257 	memcpy(m + 16, n2, 16);
258 	memcpy(m + 32, n1, 16);
259 	memcpy(m + 48, btle, 4);
260 
261 	m[52] = 0; /* Counter */
262 
263 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
264 	if (err)
265 		return err;
266 
267 	SMP_DBG("mackey %16phN", mackey);
268 
269 	m[52] = 1; /* Counter */
270 
271 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
272 	if (err)
273 		return err;
274 
275 	SMP_DBG("ltk %16phN", ltk);
276 
277 	return 0;
278 }
279 
280 static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16],
281 		  const u8 n1[16], const u8 n2[16], const u8 r[16],
282 		  const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
283 		  u8 res[16])
284 {
285 	u8 m[65];
286 	int err;
287 
288 	SMP_DBG("w %16phN", w);
289 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
290 	SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
291 
292 	memcpy(m, a2, 7);
293 	memcpy(m + 7, a1, 7);
294 	memcpy(m + 14, io_cap, 3);
295 	memcpy(m + 17, r, 16);
296 	memcpy(m + 33, n2, 16);
297 	memcpy(m + 49, n1, 16);
298 
299 	err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
300 	if (err)
301 		return err;
302 
303 	SMP_DBG("res %16phN", res);
304 
305 	return err;
306 }
307 
308 static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
309 		  const u8 x[16], const u8 y[16], u32 *val)
310 {
311 	u8 m[80], tmp[16];
312 	int err;
313 
314 	SMP_DBG("u %32phN", u);
315 	SMP_DBG("v %32phN", v);
316 	SMP_DBG("x %16phN y %16phN", x, y);
317 
318 	memcpy(m, y, 16);
319 	memcpy(m + 16, v, 32);
320 	memcpy(m + 48, u, 32);
321 
322 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
323 	if (err)
324 		return err;
325 
326 	*val = get_unaligned_le32(tmp);
327 	*val %= 1000000;
328 
329 	SMP_DBG("val %06u", *val);
330 
331 	return 0;
332 }
333 
334 static int smp_h6(struct crypto_hash *tfm_cmac, const u8 w[16],
335 		  const u8 key_id[4], u8 res[16])
336 {
337 	int err;
338 
339 	SMP_DBG("w %16phN key_id %4phN", w, key_id);
340 
341 	err = aes_cmac(tfm_cmac, w, key_id, 4, res);
342 	if (err)
343 		return err;
344 
345 	SMP_DBG("res %16phN", res);
346 
347 	return err;
348 }
349 
350 /* The following functions map to the legacy SMP crypto functions e, c1,
351  * s1 and ah.
352  */
353 
354 static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
355 {
356 	struct blkcipher_desc desc;
357 	struct scatterlist sg;
358 	uint8_t tmp[16], data[16];
359 	int err;
360 
361 	if (!tfm) {
362 		BT_ERR("tfm %p", tfm);
363 		return -EINVAL;
364 	}
365 
366 	desc.tfm = tfm;
367 	desc.flags = 0;
368 
369 	/* The most significant octet of key corresponds to k[0] */
370 	swap_buf(k, tmp, 16);
371 
372 	err = crypto_blkcipher_setkey(tfm, tmp, 16);
373 	if (err) {
374 		BT_ERR("cipher setkey failed: %d", err);
375 		return err;
376 	}
377 
378 	/* Most significant octet of plaintextData corresponds to data[0] */
379 	swap_buf(r, data, 16);
380 
381 	sg_init_one(&sg, data, 16);
382 
383 	err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
384 	if (err)
385 		BT_ERR("Encrypt data error %d", err);
386 
387 	/* Most significant octet of encryptedData corresponds to data[0] */
388 	swap_buf(data, r, 16);
389 
390 	return err;
391 }
392 
393 static int smp_c1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
394 		  const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
395 		  const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
396 {
397 	u8 p1[16], p2[16];
398 	int err;
399 
400 	memset(p1, 0, 16);
401 
402 	/* p1 = pres || preq || _rat || _iat */
403 	p1[0] = _iat;
404 	p1[1] = _rat;
405 	memcpy(p1 + 2, preq, 7);
406 	memcpy(p1 + 9, pres, 7);
407 
408 	/* p2 = padding || ia || ra */
409 	memcpy(p2, ra, 6);
410 	memcpy(p2 + 6, ia, 6);
411 	memset(p2 + 12, 0, 4);
412 
413 	/* res = r XOR p1 */
414 	u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
415 
416 	/* res = e(k, res) */
417 	err = smp_e(tfm_aes, k, res);
418 	if (err) {
419 		BT_ERR("Encrypt data error");
420 		return err;
421 	}
422 
423 	/* res = res XOR p2 */
424 	u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
425 
426 	/* res = e(k, res) */
427 	err = smp_e(tfm_aes, k, res);
428 	if (err)
429 		BT_ERR("Encrypt data error");
430 
431 	return err;
432 }
433 
434 static int smp_s1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
435 		  const u8 r1[16], const u8 r2[16], u8 _r[16])
436 {
437 	int err;
438 
439 	/* Just least significant octets from r1 and r2 are considered */
440 	memcpy(_r, r2, 8);
441 	memcpy(_r + 8, r1, 8);
442 
443 	err = smp_e(tfm_aes, k, _r);
444 	if (err)
445 		BT_ERR("Encrypt data error");
446 
447 	return err;
448 }
449 
450 static int smp_ah(struct crypto_blkcipher *tfm, const u8 irk[16],
451 		  const u8 r[3], u8 res[3])
452 {
453 	u8 _res[16];
454 	int err;
455 
456 	/* r' = padding || r */
457 	memcpy(_res, r, 3);
458 	memset(_res + 3, 0, 13);
459 
460 	err = smp_e(tfm, irk, _res);
461 	if (err) {
462 		BT_ERR("Encrypt error");
463 		return err;
464 	}
465 
466 	/* The output of the random address function ah is:
467 	 *	ah(h, r) = e(k, r') mod 2^24
468 	 * The output of the security function e is then truncated to 24 bits
469 	 * by taking the least significant 24 bits of the output of e as the
470 	 * result of ah.
471 	 */
472 	memcpy(res, _res, 3);
473 
474 	return 0;
475 }
476 
477 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
478 		     const bdaddr_t *bdaddr)
479 {
480 	struct l2cap_chan *chan = hdev->smp_data;
481 	struct crypto_blkcipher *tfm;
482 	u8 hash[3];
483 	int err;
484 
485 	if (!chan || !chan->data)
486 		return false;
487 
488 	tfm = chan->data;
489 
490 	BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
491 
492 	err = smp_ah(tfm, irk, &bdaddr->b[3], hash);
493 	if (err)
494 		return false;
495 
496 	return !memcmp(bdaddr->b, hash, 3);
497 }
498 
499 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
500 {
501 	struct l2cap_chan *chan = hdev->smp_data;
502 	struct crypto_blkcipher *tfm;
503 	int err;
504 
505 	if (!chan || !chan->data)
506 		return -EOPNOTSUPP;
507 
508 	tfm = chan->data;
509 
510 	get_random_bytes(&rpa->b[3], 3);
511 
512 	rpa->b[5] &= 0x3f;	/* Clear two most significant bits */
513 	rpa->b[5] |= 0x40;	/* Set second most significant bit */
514 
515 	err = smp_ah(tfm, irk, &rpa->b[3], rpa->b);
516 	if (err < 0)
517 		return err;
518 
519 	BT_DBG("RPA %pMR", rpa);
520 
521 	return 0;
522 }
523 
524 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
525 {
526 	struct l2cap_chan *chan = conn->smp;
527 	struct smp_chan *smp;
528 	struct kvec iv[2];
529 	struct msghdr msg;
530 
531 	if (!chan)
532 		return;
533 
534 	BT_DBG("code 0x%2.2x", code);
535 
536 	iv[0].iov_base = &code;
537 	iv[0].iov_len = 1;
538 
539 	iv[1].iov_base = data;
540 	iv[1].iov_len = len;
541 
542 	memset(&msg, 0, sizeof(msg));
543 
544 	iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
545 
546 	l2cap_chan_send(chan, &msg, 1 + len);
547 
548 	if (!chan->data)
549 		return;
550 
551 	smp = chan->data;
552 
553 	cancel_delayed_work_sync(&smp->security_timer);
554 	schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
555 }
556 
557 static u8 authreq_to_seclevel(u8 authreq)
558 {
559 	if (authreq & SMP_AUTH_MITM) {
560 		if (authreq & SMP_AUTH_SC)
561 			return BT_SECURITY_FIPS;
562 		else
563 			return BT_SECURITY_HIGH;
564 	} else {
565 		return BT_SECURITY_MEDIUM;
566 	}
567 }
568 
569 static __u8 seclevel_to_authreq(__u8 sec_level)
570 {
571 	switch (sec_level) {
572 	case BT_SECURITY_FIPS:
573 	case BT_SECURITY_HIGH:
574 		return SMP_AUTH_MITM | SMP_AUTH_BONDING;
575 	case BT_SECURITY_MEDIUM:
576 		return SMP_AUTH_BONDING;
577 	default:
578 		return SMP_AUTH_NONE;
579 	}
580 }
581 
582 static void build_pairing_cmd(struct l2cap_conn *conn,
583 			      struct smp_cmd_pairing *req,
584 			      struct smp_cmd_pairing *rsp, __u8 authreq)
585 {
586 	struct l2cap_chan *chan = conn->smp;
587 	struct smp_chan *smp = chan->data;
588 	struct hci_conn *hcon = conn->hcon;
589 	struct hci_dev *hdev = hcon->hdev;
590 	u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
591 
592 	if (test_bit(HCI_BONDABLE, &conn->hcon->hdev->dev_flags)) {
593 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
594 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
595 		authreq |= SMP_AUTH_BONDING;
596 	} else {
597 		authreq &= ~SMP_AUTH_BONDING;
598 	}
599 
600 	if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
601 		remote_dist |= SMP_DIST_ID_KEY;
602 
603 	if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
604 		local_dist |= SMP_DIST_ID_KEY;
605 
606 	if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags) &&
607 	    (authreq & SMP_AUTH_SC)) {
608 		struct oob_data *oob_data;
609 		u8 bdaddr_type;
610 
611 		if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
612 			local_dist |= SMP_DIST_LINK_KEY;
613 			remote_dist |= SMP_DIST_LINK_KEY;
614 		}
615 
616 		if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
617 			bdaddr_type = BDADDR_LE_PUBLIC;
618 		else
619 			bdaddr_type = BDADDR_LE_RANDOM;
620 
621 		oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
622 						    bdaddr_type);
623 		if (oob_data && oob_data->present) {
624 			set_bit(SMP_FLAG_OOB, &smp->flags);
625 			oob_flag = SMP_OOB_PRESENT;
626 			memcpy(smp->rr, oob_data->rand256, 16);
627 			memcpy(smp->pcnf, oob_data->hash256, 16);
628 		}
629 
630 	} else {
631 		authreq &= ~SMP_AUTH_SC;
632 	}
633 
634 	if (rsp == NULL) {
635 		req->io_capability = conn->hcon->io_capability;
636 		req->oob_flag = oob_flag;
637 		req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
638 		req->init_key_dist = local_dist;
639 		req->resp_key_dist = remote_dist;
640 		req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
641 
642 		smp->remote_key_dist = remote_dist;
643 		return;
644 	}
645 
646 	rsp->io_capability = conn->hcon->io_capability;
647 	rsp->oob_flag = oob_flag;
648 	rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
649 	rsp->init_key_dist = req->init_key_dist & remote_dist;
650 	rsp->resp_key_dist = req->resp_key_dist & local_dist;
651 	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
652 
653 	smp->remote_key_dist = rsp->init_key_dist;
654 }
655 
656 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
657 {
658 	struct l2cap_chan *chan = conn->smp;
659 	struct smp_chan *smp = chan->data;
660 
661 	if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
662 	    (max_key_size < SMP_MIN_ENC_KEY_SIZE))
663 		return SMP_ENC_KEY_SIZE;
664 
665 	smp->enc_key_size = max_key_size;
666 
667 	return 0;
668 }
669 
670 static void smp_chan_destroy(struct l2cap_conn *conn)
671 {
672 	struct l2cap_chan *chan = conn->smp;
673 	struct smp_chan *smp = chan->data;
674 	struct hci_conn *hcon = conn->hcon;
675 	bool complete;
676 
677 	BUG_ON(!smp);
678 
679 	cancel_delayed_work_sync(&smp->security_timer);
680 
681 	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
682 	mgmt_smp_complete(hcon, complete);
683 
684 	kfree(smp->csrk);
685 	kfree(smp->slave_csrk);
686 	kfree(smp->link_key);
687 
688 	crypto_free_blkcipher(smp->tfm_aes);
689 	crypto_free_hash(smp->tfm_cmac);
690 
691 	/* Ensure that we don't leave any debug key around if debug key
692 	 * support hasn't been explicitly enabled.
693 	 */
694 	if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
695 	    !test_bit(HCI_KEEP_DEBUG_KEYS, &hcon->hdev->dev_flags)) {
696 		list_del_rcu(&smp->ltk->list);
697 		kfree_rcu(smp->ltk, rcu);
698 		smp->ltk = NULL;
699 	}
700 
701 	/* If pairing failed clean up any keys we might have */
702 	if (!complete) {
703 		if (smp->ltk) {
704 			list_del_rcu(&smp->ltk->list);
705 			kfree_rcu(smp->ltk, rcu);
706 		}
707 
708 		if (smp->slave_ltk) {
709 			list_del_rcu(&smp->slave_ltk->list);
710 			kfree_rcu(smp->slave_ltk, rcu);
711 		}
712 
713 		if (smp->remote_irk) {
714 			list_del_rcu(&smp->remote_irk->list);
715 			kfree_rcu(smp->remote_irk, rcu);
716 		}
717 	}
718 
719 	chan->data = NULL;
720 	kfree(smp);
721 	hci_conn_drop(hcon);
722 }
723 
724 static void smp_failure(struct l2cap_conn *conn, u8 reason)
725 {
726 	struct hci_conn *hcon = conn->hcon;
727 	struct l2cap_chan *chan = conn->smp;
728 
729 	if (reason)
730 		smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
731 			     &reason);
732 
733 	clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags);
734 	mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
735 
736 	if (chan->data)
737 		smp_chan_destroy(conn);
738 }
739 
740 #define JUST_WORKS	0x00
741 #define JUST_CFM	0x01
742 #define REQ_PASSKEY	0x02
743 #define CFM_PASSKEY	0x03
744 #define REQ_OOB		0x04
745 #define DSP_PASSKEY	0x05
746 #define OVERLAP		0xFF
747 
748 static const u8 gen_method[5][5] = {
749 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
750 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
751 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
752 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
753 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
754 };
755 
756 static const u8 sc_method[5][5] = {
757 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
758 	{ JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
759 	{ DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
760 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
761 	{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
762 };
763 
764 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
765 {
766 	/* If either side has unknown io_caps, use JUST_CFM (which gets
767 	 * converted later to JUST_WORKS if we're initiators.
768 	 */
769 	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
770 	    remote_io > SMP_IO_KEYBOARD_DISPLAY)
771 		return JUST_CFM;
772 
773 	if (test_bit(SMP_FLAG_SC, &smp->flags))
774 		return sc_method[remote_io][local_io];
775 
776 	return gen_method[remote_io][local_io];
777 }
778 
779 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
780 						u8 local_io, u8 remote_io)
781 {
782 	struct hci_conn *hcon = conn->hcon;
783 	struct l2cap_chan *chan = conn->smp;
784 	struct smp_chan *smp = chan->data;
785 	u32 passkey = 0;
786 	int ret = 0;
787 
788 	/* Initialize key for JUST WORKS */
789 	memset(smp->tk, 0, sizeof(smp->tk));
790 	clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
791 
792 	BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
793 
794 	/* If neither side wants MITM, either "just" confirm an incoming
795 	 * request or use just-works for outgoing ones. The JUST_CFM
796 	 * will be converted to JUST_WORKS if necessary later in this
797 	 * function. If either side has MITM look up the method from the
798 	 * table.
799 	 */
800 	if (!(auth & SMP_AUTH_MITM))
801 		smp->method = JUST_CFM;
802 	else
803 		smp->method = get_auth_method(smp, local_io, remote_io);
804 
805 	/* Don't confirm locally initiated pairing attempts */
806 	if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
807 						&smp->flags))
808 		smp->method = JUST_WORKS;
809 
810 	/* Don't bother user space with no IO capabilities */
811 	if (smp->method == JUST_CFM &&
812 	    hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
813 		smp->method = JUST_WORKS;
814 
815 	/* If Just Works, Continue with Zero TK */
816 	if (smp->method == JUST_WORKS) {
817 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
818 		return 0;
819 	}
820 
821 	/* Not Just Works/Confirm results in MITM Authentication */
822 	if (smp->method != JUST_CFM) {
823 		set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
824 		if (hcon->pending_sec_level < BT_SECURITY_HIGH)
825 			hcon->pending_sec_level = BT_SECURITY_HIGH;
826 	}
827 
828 	/* If both devices have Keyoard-Display I/O, the master
829 	 * Confirms and the slave Enters the passkey.
830 	 */
831 	if (smp->method == OVERLAP) {
832 		if (hcon->role == HCI_ROLE_MASTER)
833 			smp->method = CFM_PASSKEY;
834 		else
835 			smp->method = REQ_PASSKEY;
836 	}
837 
838 	/* Generate random passkey. */
839 	if (smp->method == CFM_PASSKEY) {
840 		memset(smp->tk, 0, sizeof(smp->tk));
841 		get_random_bytes(&passkey, sizeof(passkey));
842 		passkey %= 1000000;
843 		put_unaligned_le32(passkey, smp->tk);
844 		BT_DBG("PassKey: %d", passkey);
845 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
846 	}
847 
848 	if (smp->method == REQ_PASSKEY)
849 		ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
850 						hcon->type, hcon->dst_type);
851 	else if (smp->method == JUST_CFM)
852 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
853 						hcon->type, hcon->dst_type,
854 						passkey, 1);
855 	else
856 		ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
857 						hcon->type, hcon->dst_type,
858 						passkey, 0);
859 
860 	return ret;
861 }
862 
863 static u8 smp_confirm(struct smp_chan *smp)
864 {
865 	struct l2cap_conn *conn = smp->conn;
866 	struct smp_cmd_pairing_confirm cp;
867 	int ret;
868 
869 	BT_DBG("conn %p", conn);
870 
871 	ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
872 		     conn->hcon->init_addr_type, &conn->hcon->init_addr,
873 		     conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
874 		     cp.confirm_val);
875 	if (ret)
876 		return SMP_UNSPECIFIED;
877 
878 	clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
879 
880 	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
881 
882 	if (conn->hcon->out)
883 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
884 	else
885 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
886 
887 	return 0;
888 }
889 
890 static u8 smp_random(struct smp_chan *smp)
891 {
892 	struct l2cap_conn *conn = smp->conn;
893 	struct hci_conn *hcon = conn->hcon;
894 	u8 confirm[16];
895 	int ret;
896 
897 	if (IS_ERR_OR_NULL(smp->tfm_aes))
898 		return SMP_UNSPECIFIED;
899 
900 	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
901 
902 	ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
903 		     hcon->init_addr_type, &hcon->init_addr,
904 		     hcon->resp_addr_type, &hcon->resp_addr, confirm);
905 	if (ret)
906 		return SMP_UNSPECIFIED;
907 
908 	if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
909 		BT_ERR("Pairing failed (confirmation values mismatch)");
910 		return SMP_CONFIRM_FAILED;
911 	}
912 
913 	if (hcon->out) {
914 		u8 stk[16];
915 		__le64 rand = 0;
916 		__le16 ediv = 0;
917 
918 		smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
919 
920 		memset(stk + smp->enc_key_size, 0,
921 		       SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
922 
923 		if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
924 			return SMP_UNSPECIFIED;
925 
926 		hci_le_start_enc(hcon, ediv, rand, stk);
927 		hcon->enc_key_size = smp->enc_key_size;
928 		set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
929 	} else {
930 		u8 stk[16], auth;
931 		__le64 rand = 0;
932 		__le16 ediv = 0;
933 
934 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
935 			     smp->prnd);
936 
937 		smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
938 
939 		memset(stk + smp->enc_key_size, 0,
940 		       SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
941 
942 		if (hcon->pending_sec_level == BT_SECURITY_HIGH)
943 			auth = 1;
944 		else
945 			auth = 0;
946 
947 		/* Even though there's no _SLAVE suffix this is the
948 		 * slave STK we're adding for later lookup (the master
949 		 * STK never needs to be stored).
950 		 */
951 		hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
952 			    SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
953 	}
954 
955 	return 0;
956 }
957 
958 static void smp_notify_keys(struct l2cap_conn *conn)
959 {
960 	struct l2cap_chan *chan = conn->smp;
961 	struct smp_chan *smp = chan->data;
962 	struct hci_conn *hcon = conn->hcon;
963 	struct hci_dev *hdev = hcon->hdev;
964 	struct smp_cmd_pairing *req = (void *) &smp->preq[1];
965 	struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
966 	bool persistent;
967 
968 	if (smp->remote_irk) {
969 		mgmt_new_irk(hdev, smp->remote_irk);
970 		/* Now that user space can be considered to know the
971 		 * identity address track the connection based on it
972 		 * from now on (assuming this is an LE link).
973 		 */
974 		if (hcon->type == LE_LINK) {
975 			bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
976 			hcon->dst_type = smp->remote_irk->addr_type;
977 			queue_work(hdev->workqueue, &conn->id_addr_update_work);
978 		}
979 
980 		/* When receiving an indentity resolving key for
981 		 * a remote device that does not use a resolvable
982 		 * private address, just remove the key so that
983 		 * it is possible to use the controller white
984 		 * list for scanning.
985 		 *
986 		 * Userspace will have been told to not store
987 		 * this key at this point. So it is safe to
988 		 * just remove it.
989 		 */
990 		if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) {
991 			list_del_rcu(&smp->remote_irk->list);
992 			kfree_rcu(smp->remote_irk, rcu);
993 			smp->remote_irk = NULL;
994 		}
995 	}
996 
997 	if (hcon->type == ACL_LINK) {
998 		if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
999 			persistent = false;
1000 		else
1001 			persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1002 					       &hcon->flags);
1003 	} else {
1004 		/* The LTKs and CSRKs should be persistent only if both sides
1005 		 * had the bonding bit set in their authentication requests.
1006 		 */
1007 		persistent = !!((req->auth_req & rsp->auth_req) &
1008 				SMP_AUTH_BONDING);
1009 	}
1010 
1011 
1012 	if (smp->csrk) {
1013 		smp->csrk->bdaddr_type = hcon->dst_type;
1014 		bacpy(&smp->csrk->bdaddr, &hcon->dst);
1015 		mgmt_new_csrk(hdev, smp->csrk, persistent);
1016 	}
1017 
1018 	if (smp->slave_csrk) {
1019 		smp->slave_csrk->bdaddr_type = hcon->dst_type;
1020 		bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1021 		mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1022 	}
1023 
1024 	if (smp->ltk) {
1025 		smp->ltk->bdaddr_type = hcon->dst_type;
1026 		bacpy(&smp->ltk->bdaddr, &hcon->dst);
1027 		mgmt_new_ltk(hdev, smp->ltk, persistent);
1028 	}
1029 
1030 	if (smp->slave_ltk) {
1031 		smp->slave_ltk->bdaddr_type = hcon->dst_type;
1032 		bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1033 		mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1034 	}
1035 
1036 	if (smp->link_key) {
1037 		struct link_key *key;
1038 		u8 type;
1039 
1040 		if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1041 			type = HCI_LK_DEBUG_COMBINATION;
1042 		else if (hcon->sec_level == BT_SECURITY_FIPS)
1043 			type = HCI_LK_AUTH_COMBINATION_P256;
1044 		else
1045 			type = HCI_LK_UNAUTH_COMBINATION_P256;
1046 
1047 		key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1048 				       smp->link_key, type, 0, &persistent);
1049 		if (key) {
1050 			mgmt_new_link_key(hdev, key, persistent);
1051 
1052 			/* Don't keep debug keys around if the relevant
1053 			 * flag is not set.
1054 			 */
1055 			if (!test_bit(HCI_KEEP_DEBUG_KEYS, &hdev->dev_flags) &&
1056 			    key->type == HCI_LK_DEBUG_COMBINATION) {
1057 				list_del_rcu(&key->list);
1058 				kfree_rcu(key, rcu);
1059 			}
1060 		}
1061 	}
1062 }
1063 
1064 static void sc_add_ltk(struct smp_chan *smp)
1065 {
1066 	struct hci_conn *hcon = smp->conn->hcon;
1067 	u8 key_type, auth;
1068 
1069 	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1070 		key_type = SMP_LTK_P256_DEBUG;
1071 	else
1072 		key_type = SMP_LTK_P256;
1073 
1074 	if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1075 		auth = 1;
1076 	else
1077 		auth = 0;
1078 
1079 	memset(smp->tk + smp->enc_key_size, 0,
1080 	       SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
1081 
1082 	smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1083 			       key_type, auth, smp->tk, smp->enc_key_size,
1084 			       0, 0);
1085 }
1086 
1087 static void sc_generate_link_key(struct smp_chan *smp)
1088 {
1089 	/* These constants are as specified in the core specification.
1090 	 * In ASCII they spell out to 'tmp1' and 'lebr'.
1091 	 */
1092 	const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1093 	const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1094 
1095 	smp->link_key = kzalloc(16, GFP_KERNEL);
1096 	if (!smp->link_key)
1097 		return;
1098 
1099 	if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1100 		kfree(smp->link_key);
1101 		smp->link_key = NULL;
1102 		return;
1103 	}
1104 
1105 	if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1106 		kfree(smp->link_key);
1107 		smp->link_key = NULL;
1108 		return;
1109 	}
1110 }
1111 
1112 static void smp_allow_key_dist(struct smp_chan *smp)
1113 {
1114 	/* Allow the first expected phase 3 PDU. The rest of the PDUs
1115 	 * will be allowed in each PDU handler to ensure we receive
1116 	 * them in the correct order.
1117 	 */
1118 	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1119 		SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1120 	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1121 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1122 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
1123 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1124 }
1125 
1126 static void sc_generate_ltk(struct smp_chan *smp)
1127 {
1128 	/* These constants are as specified in the core specification.
1129 	 * In ASCII they spell out to 'tmp2' and 'brle'.
1130 	 */
1131 	const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1132 	const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1133 	struct hci_conn *hcon = smp->conn->hcon;
1134 	struct hci_dev *hdev = hcon->hdev;
1135 	struct link_key *key;
1136 
1137 	key = hci_find_link_key(hdev, &hcon->dst);
1138 	if (!key) {
1139 		BT_ERR("%s No Link Key found to generate LTK", hdev->name);
1140 		return;
1141 	}
1142 
1143 	if (key->type == HCI_LK_DEBUG_COMBINATION)
1144 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1145 
1146 	if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1147 		return;
1148 
1149 	if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1150 		return;
1151 
1152 	sc_add_ltk(smp);
1153 }
1154 
1155 static void smp_distribute_keys(struct smp_chan *smp)
1156 {
1157 	struct smp_cmd_pairing *req, *rsp;
1158 	struct l2cap_conn *conn = smp->conn;
1159 	struct hci_conn *hcon = conn->hcon;
1160 	struct hci_dev *hdev = hcon->hdev;
1161 	__u8 *keydist;
1162 
1163 	BT_DBG("conn %p", conn);
1164 
1165 	rsp = (void *) &smp->prsp[1];
1166 
1167 	/* The responder sends its keys first */
1168 	if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1169 		smp_allow_key_dist(smp);
1170 		return;
1171 	}
1172 
1173 	req = (void *) &smp->preq[1];
1174 
1175 	if (hcon->out) {
1176 		keydist = &rsp->init_key_dist;
1177 		*keydist &= req->init_key_dist;
1178 	} else {
1179 		keydist = &rsp->resp_key_dist;
1180 		*keydist &= req->resp_key_dist;
1181 	}
1182 
1183 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1184 		if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1185 			sc_generate_link_key(smp);
1186 		if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1187 			sc_generate_ltk(smp);
1188 
1189 		/* Clear the keys which are generated but not distributed */
1190 		*keydist &= ~SMP_SC_NO_DIST;
1191 	}
1192 
1193 	BT_DBG("keydist 0x%x", *keydist);
1194 
1195 	if (*keydist & SMP_DIST_ENC_KEY) {
1196 		struct smp_cmd_encrypt_info enc;
1197 		struct smp_cmd_master_ident ident;
1198 		struct smp_ltk *ltk;
1199 		u8 authenticated;
1200 		__le16 ediv;
1201 		__le64 rand;
1202 
1203 		get_random_bytes(enc.ltk, sizeof(enc.ltk));
1204 		get_random_bytes(&ediv, sizeof(ediv));
1205 		get_random_bytes(&rand, sizeof(rand));
1206 
1207 		smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1208 
1209 		authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1210 		ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1211 				  SMP_LTK_SLAVE, authenticated, enc.ltk,
1212 				  smp->enc_key_size, ediv, rand);
1213 		smp->slave_ltk = ltk;
1214 
1215 		ident.ediv = ediv;
1216 		ident.rand = rand;
1217 
1218 		smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1219 
1220 		*keydist &= ~SMP_DIST_ENC_KEY;
1221 	}
1222 
1223 	if (*keydist & SMP_DIST_ID_KEY) {
1224 		struct smp_cmd_ident_addr_info addrinfo;
1225 		struct smp_cmd_ident_info idinfo;
1226 
1227 		memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1228 
1229 		smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1230 
1231 		/* The hci_conn contains the local identity address
1232 		 * after the connection has been established.
1233 		 *
1234 		 * This is true even when the connection has been
1235 		 * established using a resolvable random address.
1236 		 */
1237 		bacpy(&addrinfo.bdaddr, &hcon->src);
1238 		addrinfo.addr_type = hcon->src_type;
1239 
1240 		smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1241 			     &addrinfo);
1242 
1243 		*keydist &= ~SMP_DIST_ID_KEY;
1244 	}
1245 
1246 	if (*keydist & SMP_DIST_SIGN) {
1247 		struct smp_cmd_sign_info sign;
1248 		struct smp_csrk *csrk;
1249 
1250 		/* Generate a new random key */
1251 		get_random_bytes(sign.csrk, sizeof(sign.csrk));
1252 
1253 		csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1254 		if (csrk) {
1255 			csrk->master = 0x00;
1256 			memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1257 		}
1258 		smp->slave_csrk = csrk;
1259 
1260 		smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1261 
1262 		*keydist &= ~SMP_DIST_SIGN;
1263 	}
1264 
1265 	/* If there are still keys to be received wait for them */
1266 	if (smp->remote_key_dist & KEY_DIST_MASK) {
1267 		smp_allow_key_dist(smp);
1268 		return;
1269 	}
1270 
1271 	set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1272 	smp_notify_keys(conn);
1273 
1274 	smp_chan_destroy(conn);
1275 }
1276 
1277 static void smp_timeout(struct work_struct *work)
1278 {
1279 	struct smp_chan *smp = container_of(work, struct smp_chan,
1280 					    security_timer.work);
1281 	struct l2cap_conn *conn = smp->conn;
1282 
1283 	BT_DBG("conn %p", conn);
1284 
1285 	hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1286 }
1287 
1288 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1289 {
1290 	struct l2cap_chan *chan = conn->smp;
1291 	struct smp_chan *smp;
1292 
1293 	smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1294 	if (!smp)
1295 		return NULL;
1296 
1297 	smp->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
1298 	if (IS_ERR(smp->tfm_aes)) {
1299 		BT_ERR("Unable to create ECB crypto context");
1300 		kfree(smp);
1301 		return NULL;
1302 	}
1303 
1304 	smp->tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
1305 	if (IS_ERR(smp->tfm_cmac)) {
1306 		BT_ERR("Unable to create CMAC crypto context");
1307 		crypto_free_blkcipher(smp->tfm_aes);
1308 		kfree(smp);
1309 		return NULL;
1310 	}
1311 
1312 	smp->conn = conn;
1313 	chan->data = smp;
1314 
1315 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1316 
1317 	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1318 
1319 	hci_conn_hold(conn->hcon);
1320 
1321 	return smp;
1322 }
1323 
1324 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1325 {
1326 	struct hci_conn *hcon = smp->conn->hcon;
1327 	u8 *na, *nb, a[7], b[7];
1328 
1329 	if (hcon->out) {
1330 		na   = smp->prnd;
1331 		nb   = smp->rrnd;
1332 	} else {
1333 		na   = smp->rrnd;
1334 		nb   = smp->prnd;
1335 	}
1336 
1337 	memcpy(a, &hcon->init_addr, 6);
1338 	memcpy(b, &hcon->resp_addr, 6);
1339 	a[6] = hcon->init_addr_type;
1340 	b[6] = hcon->resp_addr_type;
1341 
1342 	return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1343 }
1344 
1345 static void sc_dhkey_check(struct smp_chan *smp)
1346 {
1347 	struct hci_conn *hcon = smp->conn->hcon;
1348 	struct smp_cmd_dhkey_check check;
1349 	u8 a[7], b[7], *local_addr, *remote_addr;
1350 	u8 io_cap[3], r[16];
1351 
1352 	memcpy(a, &hcon->init_addr, 6);
1353 	memcpy(b, &hcon->resp_addr, 6);
1354 	a[6] = hcon->init_addr_type;
1355 	b[6] = hcon->resp_addr_type;
1356 
1357 	if (hcon->out) {
1358 		local_addr = a;
1359 		remote_addr = b;
1360 		memcpy(io_cap, &smp->preq[1], 3);
1361 	} else {
1362 		local_addr = b;
1363 		remote_addr = a;
1364 		memcpy(io_cap, &smp->prsp[1], 3);
1365 	}
1366 
1367 	memset(r, 0, sizeof(r));
1368 
1369 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1370 		put_unaligned_le32(hcon->passkey_notify, r);
1371 
1372 	if (smp->method == REQ_OOB)
1373 		memcpy(r, smp->rr, 16);
1374 
1375 	smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1376 	       local_addr, remote_addr, check.e);
1377 
1378 	smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1379 }
1380 
1381 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1382 {
1383 	struct l2cap_conn *conn = smp->conn;
1384 	struct hci_conn *hcon = conn->hcon;
1385 	struct smp_cmd_pairing_confirm cfm;
1386 	u8 r;
1387 
1388 	r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1389 	r |= 0x80;
1390 
1391 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1392 
1393 	if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1394 		   cfm.confirm_val))
1395 		return SMP_UNSPECIFIED;
1396 
1397 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1398 
1399 	return 0;
1400 }
1401 
1402 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1403 {
1404 	struct l2cap_conn *conn = smp->conn;
1405 	struct hci_conn *hcon = conn->hcon;
1406 	struct hci_dev *hdev = hcon->hdev;
1407 	u8 cfm[16], r;
1408 
1409 	/* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1410 	if (smp->passkey_round >= 20)
1411 		return 0;
1412 
1413 	switch (smp_op) {
1414 	case SMP_CMD_PAIRING_RANDOM:
1415 		r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1416 		r |= 0x80;
1417 
1418 		if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1419 			   smp->rrnd, r, cfm))
1420 			return SMP_UNSPECIFIED;
1421 
1422 		if (memcmp(smp->pcnf, cfm, 16))
1423 			return SMP_CONFIRM_FAILED;
1424 
1425 		smp->passkey_round++;
1426 
1427 		if (smp->passkey_round == 20) {
1428 			/* Generate MacKey and LTK */
1429 			if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1430 				return SMP_UNSPECIFIED;
1431 		}
1432 
1433 		/* The round is only complete when the initiator
1434 		 * receives pairing random.
1435 		 */
1436 		if (!hcon->out) {
1437 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1438 				     sizeof(smp->prnd), smp->prnd);
1439 			if (smp->passkey_round == 20)
1440 				SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1441 			else
1442 				SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1443 			return 0;
1444 		}
1445 
1446 		/* Start the next round */
1447 		if (smp->passkey_round != 20)
1448 			return sc_passkey_round(smp, 0);
1449 
1450 		/* Passkey rounds are complete - start DHKey Check */
1451 		sc_dhkey_check(smp);
1452 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1453 
1454 		break;
1455 
1456 	case SMP_CMD_PAIRING_CONFIRM:
1457 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1458 			set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1459 			return 0;
1460 		}
1461 
1462 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1463 
1464 		if (hcon->out) {
1465 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1466 				     sizeof(smp->prnd), smp->prnd);
1467 			return 0;
1468 		}
1469 
1470 		return sc_passkey_send_confirm(smp);
1471 
1472 	case SMP_CMD_PUBLIC_KEY:
1473 	default:
1474 		/* Initiating device starts the round */
1475 		if (!hcon->out)
1476 			return 0;
1477 
1478 		BT_DBG("%s Starting passkey round %u", hdev->name,
1479 		       smp->passkey_round + 1);
1480 
1481 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1482 
1483 		return sc_passkey_send_confirm(smp);
1484 	}
1485 
1486 	return 0;
1487 }
1488 
1489 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1490 {
1491 	struct l2cap_conn *conn = smp->conn;
1492 	struct hci_conn *hcon = conn->hcon;
1493 	u8 smp_op;
1494 
1495 	clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1496 
1497 	switch (mgmt_op) {
1498 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1499 		smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1500 		return 0;
1501 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1502 		smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1503 		return 0;
1504 	case MGMT_OP_USER_PASSKEY_REPLY:
1505 		hcon->passkey_notify = le32_to_cpu(passkey);
1506 		smp->passkey_round = 0;
1507 
1508 		if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1509 			smp_op = SMP_CMD_PAIRING_CONFIRM;
1510 		else
1511 			smp_op = 0;
1512 
1513 		if (sc_passkey_round(smp, smp_op))
1514 			return -EIO;
1515 
1516 		return 0;
1517 	}
1518 
1519 	/* Initiator sends DHKey check first */
1520 	if (hcon->out) {
1521 		sc_dhkey_check(smp);
1522 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1523 	} else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1524 		sc_dhkey_check(smp);
1525 		sc_add_ltk(smp);
1526 	}
1527 
1528 	return 0;
1529 }
1530 
1531 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1532 {
1533 	struct l2cap_conn *conn = hcon->l2cap_data;
1534 	struct l2cap_chan *chan;
1535 	struct smp_chan *smp;
1536 	u32 value;
1537 	int err;
1538 
1539 	BT_DBG("");
1540 
1541 	if (!conn)
1542 		return -ENOTCONN;
1543 
1544 	chan = conn->smp;
1545 	if (!chan)
1546 		return -ENOTCONN;
1547 
1548 	l2cap_chan_lock(chan);
1549 	if (!chan->data) {
1550 		err = -ENOTCONN;
1551 		goto unlock;
1552 	}
1553 
1554 	smp = chan->data;
1555 
1556 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1557 		err = sc_user_reply(smp, mgmt_op, passkey);
1558 		goto unlock;
1559 	}
1560 
1561 	switch (mgmt_op) {
1562 	case MGMT_OP_USER_PASSKEY_REPLY:
1563 		value = le32_to_cpu(passkey);
1564 		memset(smp->tk, 0, sizeof(smp->tk));
1565 		BT_DBG("PassKey: %d", value);
1566 		put_unaligned_le32(value, smp->tk);
1567 		/* Fall Through */
1568 	case MGMT_OP_USER_CONFIRM_REPLY:
1569 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1570 		break;
1571 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1572 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1573 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1574 		err = 0;
1575 		goto unlock;
1576 	default:
1577 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1578 		err = -EOPNOTSUPP;
1579 		goto unlock;
1580 	}
1581 
1582 	err = 0;
1583 
1584 	/* If it is our turn to send Pairing Confirm, do so now */
1585 	if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1586 		u8 rsp = smp_confirm(smp);
1587 		if (rsp)
1588 			smp_failure(conn, rsp);
1589 	}
1590 
1591 unlock:
1592 	l2cap_chan_unlock(chan);
1593 	return err;
1594 }
1595 
1596 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1597 				    struct smp_cmd_pairing *req,
1598 				    struct smp_cmd_pairing *rsp)
1599 {
1600 	struct l2cap_conn *conn = smp->conn;
1601 	struct hci_dev *hdev = conn->hcon->hdev;
1602 	u8 local_dist = 0, remote_dist = 0;
1603 
1604 	if (test_bit(HCI_BONDABLE, &hdev->dev_flags)) {
1605 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1606 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1607 	}
1608 
1609 	if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
1610 		remote_dist |= SMP_DIST_ID_KEY;
1611 
1612 	if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
1613 		local_dist |= SMP_DIST_ID_KEY;
1614 
1615 	if (!rsp) {
1616 		memset(req, 0, sizeof(*req));
1617 
1618 		req->init_key_dist   = local_dist;
1619 		req->resp_key_dist   = remote_dist;
1620 		req->max_key_size    = SMP_MAX_ENC_KEY_SIZE;
1621 
1622 		smp->remote_key_dist = remote_dist;
1623 
1624 		return;
1625 	}
1626 
1627 	memset(rsp, 0, sizeof(*rsp));
1628 
1629 	rsp->max_key_size    = SMP_MAX_ENC_KEY_SIZE;
1630 	rsp->init_key_dist   = req->init_key_dist & remote_dist;
1631 	rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1632 
1633 	smp->remote_key_dist = rsp->init_key_dist;
1634 }
1635 
1636 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1637 {
1638 	struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1639 	struct l2cap_chan *chan = conn->smp;
1640 	struct hci_dev *hdev = conn->hcon->hdev;
1641 	struct smp_chan *smp;
1642 	u8 key_size, auth, sec_level;
1643 	int ret;
1644 
1645 	BT_DBG("conn %p", conn);
1646 
1647 	if (skb->len < sizeof(*req))
1648 		return SMP_INVALID_PARAMS;
1649 
1650 	if (conn->hcon->role != HCI_ROLE_SLAVE)
1651 		return SMP_CMD_NOTSUPP;
1652 
1653 	if (!chan->data)
1654 		smp = smp_chan_create(conn);
1655 	else
1656 		smp = chan->data;
1657 
1658 	if (!smp)
1659 		return SMP_UNSPECIFIED;
1660 
1661 	/* We didn't start the pairing, so match remote */
1662 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
1663 
1664 	if (!test_bit(HCI_BONDABLE, &hdev->dev_flags) &&
1665 	    (auth & SMP_AUTH_BONDING))
1666 		return SMP_PAIRING_NOTSUPP;
1667 
1668 	if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
1669 		return SMP_AUTH_REQUIREMENTS;
1670 
1671 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
1672 	memcpy(&smp->preq[1], req, sizeof(*req));
1673 	skb_pull(skb, sizeof(*req));
1674 
1675 	/* SMP over BR/EDR requires special treatment */
1676 	if (conn->hcon->type == ACL_LINK) {
1677 		/* We must have a BR/EDR SC link */
1678 		if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1679 		    !test_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags))
1680 			return SMP_CROSS_TRANSP_NOT_ALLOWED;
1681 
1682 		set_bit(SMP_FLAG_SC, &smp->flags);
1683 
1684 		build_bredr_pairing_cmd(smp, req, &rsp);
1685 
1686 		key_size = min(req->max_key_size, rsp.max_key_size);
1687 		if (check_enc_key_size(conn, key_size))
1688 			return SMP_ENC_KEY_SIZE;
1689 
1690 		/* Clear bits which are generated but not distributed */
1691 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1692 
1693 		smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1694 		memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1695 		smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1696 
1697 		smp_distribute_keys(smp);
1698 		return 0;
1699 	}
1700 
1701 	build_pairing_cmd(conn, req, &rsp, auth);
1702 
1703 	if (rsp.auth_req & SMP_AUTH_SC)
1704 		set_bit(SMP_FLAG_SC, &smp->flags);
1705 
1706 	if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1707 		sec_level = BT_SECURITY_MEDIUM;
1708 	else
1709 		sec_level = authreq_to_seclevel(auth);
1710 
1711 	if (sec_level > conn->hcon->pending_sec_level)
1712 		conn->hcon->pending_sec_level = sec_level;
1713 
1714 	/* If we need MITM check that it can be achieved */
1715 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1716 		u8 method;
1717 
1718 		method = get_auth_method(smp, conn->hcon->io_capability,
1719 					 req->io_capability);
1720 		if (method == JUST_WORKS || method == JUST_CFM)
1721 			return SMP_AUTH_REQUIREMENTS;
1722 	}
1723 
1724 	key_size = min(req->max_key_size, rsp.max_key_size);
1725 	if (check_enc_key_size(conn, key_size))
1726 		return SMP_ENC_KEY_SIZE;
1727 
1728 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1729 
1730 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1731 	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1732 
1733 	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1734 
1735 	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1736 
1737 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1738 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1739 		/* Clear bits which are generated but not distributed */
1740 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1741 		/* Wait for Public Key from Initiating Device */
1742 		return 0;
1743 	} else {
1744 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1745 	}
1746 
1747 	/* Request setup of TK */
1748 	ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1749 	if (ret)
1750 		return SMP_UNSPECIFIED;
1751 
1752 	return 0;
1753 }
1754 
1755 static u8 sc_send_public_key(struct smp_chan *smp)
1756 {
1757 	struct hci_dev *hdev = smp->conn->hcon->hdev;
1758 
1759 	BT_DBG("");
1760 
1761 	if (test_bit(HCI_USE_DEBUG_KEYS, &hdev->dev_flags)) {
1762 		BT_DBG("Using debug keys");
1763 		memcpy(smp->local_pk, debug_pk, 64);
1764 		memcpy(smp->local_sk, debug_sk, 32);
1765 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1766 	} else {
1767 		while (true) {
1768 			/* Generate local key pair for Secure Connections */
1769 			if (!ecc_make_key(smp->local_pk, smp->local_sk))
1770 				return SMP_UNSPECIFIED;
1771 
1772 			/* This is unlikely, but we need to check that
1773 			 * we didn't accidentially generate a debug key.
1774 			 */
1775 			if (memcmp(smp->local_sk, debug_sk, 32))
1776 				break;
1777 		}
1778 	}
1779 
1780 	SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1781 	SMP_DBG("Local Public Key Y: %32phN", &smp->local_pk[32]);
1782 	SMP_DBG("Local Private Key:  %32phN", smp->local_sk);
1783 
1784 	smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1785 
1786 	return 0;
1787 }
1788 
1789 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1790 {
1791 	struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1792 	struct l2cap_chan *chan = conn->smp;
1793 	struct smp_chan *smp = chan->data;
1794 	struct hci_dev *hdev = conn->hcon->hdev;
1795 	u8 key_size, auth;
1796 	int ret;
1797 
1798 	BT_DBG("conn %p", conn);
1799 
1800 	if (skb->len < sizeof(*rsp))
1801 		return SMP_INVALID_PARAMS;
1802 
1803 	if (conn->hcon->role != HCI_ROLE_MASTER)
1804 		return SMP_CMD_NOTSUPP;
1805 
1806 	skb_pull(skb, sizeof(*rsp));
1807 
1808 	req = (void *) &smp->preq[1];
1809 
1810 	key_size = min(req->max_key_size, rsp->max_key_size);
1811 	if (check_enc_key_size(conn, key_size))
1812 		return SMP_ENC_KEY_SIZE;
1813 
1814 	auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1815 
1816 	if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
1817 		return SMP_AUTH_REQUIREMENTS;
1818 
1819 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1820 	memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1821 
1822 	/* Update remote key distribution in case the remote cleared
1823 	 * some bits that we had enabled in our request.
1824 	 */
1825 	smp->remote_key_dist &= rsp->resp_key_dist;
1826 
1827 	/* For BR/EDR this means we're done and can start phase 3 */
1828 	if (conn->hcon->type == ACL_LINK) {
1829 		/* Clear bits which are generated but not distributed */
1830 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1831 		smp_distribute_keys(smp);
1832 		return 0;
1833 	}
1834 
1835 	if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1836 		set_bit(SMP_FLAG_SC, &smp->flags);
1837 	else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1838 		conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1839 
1840 	/* If we need MITM check that it can be achieved */
1841 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1842 		u8 method;
1843 
1844 		method = get_auth_method(smp, req->io_capability,
1845 					 rsp->io_capability);
1846 		if (method == JUST_WORKS || method == JUST_CFM)
1847 			return SMP_AUTH_REQUIREMENTS;
1848 	}
1849 
1850 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1851 
1852 	/* Update remote key distribution in case the remote cleared
1853 	 * some bits that we had enabled in our request.
1854 	 */
1855 	smp->remote_key_dist &= rsp->resp_key_dist;
1856 
1857 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1858 		/* Clear bits which are generated but not distributed */
1859 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1860 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1861 		return sc_send_public_key(smp);
1862 	}
1863 
1864 	auth |= req->auth_req;
1865 
1866 	ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
1867 	if (ret)
1868 		return SMP_UNSPECIFIED;
1869 
1870 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1871 
1872 	/* Can't compose response until we have been confirmed */
1873 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1874 		return smp_confirm(smp);
1875 
1876 	return 0;
1877 }
1878 
1879 static u8 sc_check_confirm(struct smp_chan *smp)
1880 {
1881 	struct l2cap_conn *conn = smp->conn;
1882 
1883 	BT_DBG("");
1884 
1885 	/* Public Key exchange must happen before any other steps */
1886 	if (!test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
1887 		return SMP_UNSPECIFIED;
1888 
1889 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1890 		return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
1891 
1892 	if (conn->hcon->out) {
1893 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1894 			     smp->prnd);
1895 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1896 	}
1897 
1898 	return 0;
1899 }
1900 
1901 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
1902 {
1903 	struct l2cap_chan *chan = conn->smp;
1904 	struct smp_chan *smp = chan->data;
1905 
1906 	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
1907 
1908 	if (skb->len < sizeof(smp->pcnf))
1909 		return SMP_INVALID_PARAMS;
1910 
1911 	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
1912 	skb_pull(skb, sizeof(smp->pcnf));
1913 
1914 	if (test_bit(SMP_FLAG_SC, &smp->flags))
1915 		return sc_check_confirm(smp);
1916 
1917 	if (conn->hcon->out) {
1918 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1919 			     smp->prnd);
1920 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1921 		return 0;
1922 	}
1923 
1924 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1925 		return smp_confirm(smp);
1926 	else
1927 		set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1928 
1929 	return 0;
1930 }
1931 
1932 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
1933 {
1934 	struct l2cap_chan *chan = conn->smp;
1935 	struct smp_chan *smp = chan->data;
1936 	struct hci_conn *hcon = conn->hcon;
1937 	u8 *pkax, *pkbx, *na, *nb;
1938 	u32 passkey;
1939 	int err;
1940 
1941 	BT_DBG("conn %p", conn);
1942 
1943 	if (skb->len < sizeof(smp->rrnd))
1944 		return SMP_INVALID_PARAMS;
1945 
1946 	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
1947 	skb_pull(skb, sizeof(smp->rrnd));
1948 
1949 	if (!test_bit(SMP_FLAG_SC, &smp->flags))
1950 		return smp_random(smp);
1951 
1952 	if (hcon->out) {
1953 		pkax = smp->local_pk;
1954 		pkbx = smp->remote_pk;
1955 		na   = smp->prnd;
1956 		nb   = smp->rrnd;
1957 	} else {
1958 		pkax = smp->remote_pk;
1959 		pkbx = smp->local_pk;
1960 		na   = smp->rrnd;
1961 		nb   = smp->prnd;
1962 	}
1963 
1964 	if (smp->method == REQ_OOB) {
1965 		if (!hcon->out)
1966 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1967 				     sizeof(smp->prnd), smp->prnd);
1968 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1969 		goto mackey_and_ltk;
1970 	}
1971 
1972 	/* Passkey entry has special treatment */
1973 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1974 		return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
1975 
1976 	if (hcon->out) {
1977 		u8 cfm[16];
1978 
1979 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1980 			     smp->rrnd, 0, cfm);
1981 		if (err)
1982 			return SMP_UNSPECIFIED;
1983 
1984 		if (memcmp(smp->pcnf, cfm, 16))
1985 			return SMP_CONFIRM_FAILED;
1986 	} else {
1987 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1988 			     smp->prnd);
1989 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1990 	}
1991 
1992 mackey_and_ltk:
1993 	/* Generate MacKey and LTK */
1994 	err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
1995 	if (err)
1996 		return SMP_UNSPECIFIED;
1997 
1998 	if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
1999 		if (hcon->out) {
2000 			sc_dhkey_check(smp);
2001 			SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2002 		}
2003 		return 0;
2004 	}
2005 
2006 	err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2007 	if (err)
2008 		return SMP_UNSPECIFIED;
2009 
2010 	err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2011 					hcon->dst_type, passkey, 0);
2012 	if (err)
2013 		return SMP_UNSPECIFIED;
2014 
2015 	set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2016 
2017 	return 0;
2018 }
2019 
2020 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2021 {
2022 	struct smp_ltk *key;
2023 	struct hci_conn *hcon = conn->hcon;
2024 
2025 	key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2026 	if (!key)
2027 		return false;
2028 
2029 	if (smp_ltk_sec_level(key) < sec_level)
2030 		return false;
2031 
2032 	if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2033 		return true;
2034 
2035 	hci_le_start_enc(hcon, key->ediv, key->rand, key->val);
2036 	hcon->enc_key_size = key->enc_size;
2037 
2038 	/* We never store STKs for master role, so clear this flag */
2039 	clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2040 
2041 	return true;
2042 }
2043 
2044 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2045 			     enum smp_key_pref key_pref)
2046 {
2047 	if (sec_level == BT_SECURITY_LOW)
2048 		return true;
2049 
2050 	/* If we're encrypted with an STK but the caller prefers using
2051 	 * LTK claim insufficient security. This way we allow the
2052 	 * connection to be re-encrypted with an LTK, even if the LTK
2053 	 * provides the same level of security. Only exception is if we
2054 	 * don't have an LTK (e.g. because of key distribution bits).
2055 	 */
2056 	if (key_pref == SMP_USE_LTK &&
2057 	    test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2058 	    hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2059 		return false;
2060 
2061 	if (hcon->sec_level >= sec_level)
2062 		return true;
2063 
2064 	return false;
2065 }
2066 
2067 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2068 {
2069 	struct smp_cmd_security_req *rp = (void *) skb->data;
2070 	struct smp_cmd_pairing cp;
2071 	struct hci_conn *hcon = conn->hcon;
2072 	struct hci_dev *hdev = hcon->hdev;
2073 	struct smp_chan *smp;
2074 	u8 sec_level, auth;
2075 
2076 	BT_DBG("conn %p", conn);
2077 
2078 	if (skb->len < sizeof(*rp))
2079 		return SMP_INVALID_PARAMS;
2080 
2081 	if (hcon->role != HCI_ROLE_MASTER)
2082 		return SMP_CMD_NOTSUPP;
2083 
2084 	auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2085 
2086 	if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
2087 		return SMP_AUTH_REQUIREMENTS;
2088 
2089 	if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2090 		sec_level = BT_SECURITY_MEDIUM;
2091 	else
2092 		sec_level = authreq_to_seclevel(auth);
2093 
2094 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2095 		return 0;
2096 
2097 	if (sec_level > hcon->pending_sec_level)
2098 		hcon->pending_sec_level = sec_level;
2099 
2100 	if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2101 		return 0;
2102 
2103 	smp = smp_chan_create(conn);
2104 	if (!smp)
2105 		return SMP_UNSPECIFIED;
2106 
2107 	if (!test_bit(HCI_BONDABLE, &hcon->hdev->dev_flags) &&
2108 	    (auth & SMP_AUTH_BONDING))
2109 		return SMP_PAIRING_NOTSUPP;
2110 
2111 	skb_pull(skb, sizeof(*rp));
2112 
2113 	memset(&cp, 0, sizeof(cp));
2114 	build_pairing_cmd(conn, &cp, NULL, auth);
2115 
2116 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2117 	memcpy(&smp->preq[1], &cp, sizeof(cp));
2118 
2119 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2120 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2121 
2122 	return 0;
2123 }
2124 
2125 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2126 {
2127 	struct l2cap_conn *conn = hcon->l2cap_data;
2128 	struct l2cap_chan *chan;
2129 	struct smp_chan *smp;
2130 	__u8 authreq;
2131 	int ret;
2132 
2133 	BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2134 
2135 	/* This may be NULL if there's an unexpected disconnection */
2136 	if (!conn)
2137 		return 1;
2138 
2139 	chan = conn->smp;
2140 
2141 	if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags))
2142 		return 1;
2143 
2144 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2145 		return 1;
2146 
2147 	if (sec_level > hcon->pending_sec_level)
2148 		hcon->pending_sec_level = sec_level;
2149 
2150 	if (hcon->role == HCI_ROLE_MASTER)
2151 		if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2152 			return 0;
2153 
2154 	l2cap_chan_lock(chan);
2155 
2156 	/* If SMP is already in progress ignore this request */
2157 	if (chan->data) {
2158 		ret = 0;
2159 		goto unlock;
2160 	}
2161 
2162 	smp = smp_chan_create(conn);
2163 	if (!smp) {
2164 		ret = 1;
2165 		goto unlock;
2166 	}
2167 
2168 	authreq = seclevel_to_authreq(sec_level);
2169 
2170 	if (test_bit(HCI_SC_ENABLED, &hcon->hdev->dev_flags))
2171 		authreq |= SMP_AUTH_SC;
2172 
2173 	/* Require MITM if IO Capability allows or the security level
2174 	 * requires it.
2175 	 */
2176 	if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2177 	    hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2178 		authreq |= SMP_AUTH_MITM;
2179 
2180 	if (hcon->role == HCI_ROLE_MASTER) {
2181 		struct smp_cmd_pairing cp;
2182 
2183 		build_pairing_cmd(conn, &cp, NULL, authreq);
2184 		smp->preq[0] = SMP_CMD_PAIRING_REQ;
2185 		memcpy(&smp->preq[1], &cp, sizeof(cp));
2186 
2187 		smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2188 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2189 	} else {
2190 		struct smp_cmd_security_req cp;
2191 		cp.auth_req = authreq;
2192 		smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2193 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2194 	}
2195 
2196 	set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2197 	ret = 0;
2198 
2199 unlock:
2200 	l2cap_chan_unlock(chan);
2201 	return ret;
2202 }
2203 
2204 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2205 {
2206 	struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2207 	struct l2cap_chan *chan = conn->smp;
2208 	struct smp_chan *smp = chan->data;
2209 
2210 	BT_DBG("conn %p", conn);
2211 
2212 	if (skb->len < sizeof(*rp))
2213 		return SMP_INVALID_PARAMS;
2214 
2215 	SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2216 
2217 	skb_pull(skb, sizeof(*rp));
2218 
2219 	memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2220 
2221 	return 0;
2222 }
2223 
2224 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2225 {
2226 	struct smp_cmd_master_ident *rp = (void *) skb->data;
2227 	struct l2cap_chan *chan = conn->smp;
2228 	struct smp_chan *smp = chan->data;
2229 	struct hci_dev *hdev = conn->hcon->hdev;
2230 	struct hci_conn *hcon = conn->hcon;
2231 	struct smp_ltk *ltk;
2232 	u8 authenticated;
2233 
2234 	BT_DBG("conn %p", conn);
2235 
2236 	if (skb->len < sizeof(*rp))
2237 		return SMP_INVALID_PARAMS;
2238 
2239 	/* Mark the information as received */
2240 	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2241 
2242 	if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2243 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2244 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
2245 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2246 
2247 	skb_pull(skb, sizeof(*rp));
2248 
2249 	authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2250 	ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2251 			  authenticated, smp->tk, smp->enc_key_size,
2252 			  rp->ediv, rp->rand);
2253 	smp->ltk = ltk;
2254 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2255 		smp_distribute_keys(smp);
2256 
2257 	return 0;
2258 }
2259 
2260 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2261 {
2262 	struct smp_cmd_ident_info *info = (void *) skb->data;
2263 	struct l2cap_chan *chan = conn->smp;
2264 	struct smp_chan *smp = chan->data;
2265 
2266 	BT_DBG("");
2267 
2268 	if (skb->len < sizeof(*info))
2269 		return SMP_INVALID_PARAMS;
2270 
2271 	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2272 
2273 	skb_pull(skb, sizeof(*info));
2274 
2275 	memcpy(smp->irk, info->irk, 16);
2276 
2277 	return 0;
2278 }
2279 
2280 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2281 				   struct sk_buff *skb)
2282 {
2283 	struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2284 	struct l2cap_chan *chan = conn->smp;
2285 	struct smp_chan *smp = chan->data;
2286 	struct hci_conn *hcon = conn->hcon;
2287 	bdaddr_t rpa;
2288 
2289 	BT_DBG("");
2290 
2291 	if (skb->len < sizeof(*info))
2292 		return SMP_INVALID_PARAMS;
2293 
2294 	/* Mark the information as received */
2295 	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2296 
2297 	if (smp->remote_key_dist & SMP_DIST_SIGN)
2298 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2299 
2300 	skb_pull(skb, sizeof(*info));
2301 
2302 	/* Strictly speaking the Core Specification (4.1) allows sending
2303 	 * an empty address which would force us to rely on just the IRK
2304 	 * as "identity information". However, since such
2305 	 * implementations are not known of and in order to not over
2306 	 * complicate our implementation, simply pretend that we never
2307 	 * received an IRK for such a device.
2308 	 *
2309 	 * The Identity Address must also be a Static Random or Public
2310 	 * Address, which hci_is_identity_address() checks for.
2311 	 */
2312 	if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2313 	    !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2314 		BT_ERR("Ignoring IRK with no identity address");
2315 		goto distribute;
2316 	}
2317 
2318 	bacpy(&smp->id_addr, &info->bdaddr);
2319 	smp->id_addr_type = info->addr_type;
2320 
2321 	if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2322 		bacpy(&rpa, &hcon->dst);
2323 	else
2324 		bacpy(&rpa, BDADDR_ANY);
2325 
2326 	smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2327 				      smp->id_addr_type, smp->irk, &rpa);
2328 
2329 distribute:
2330 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2331 		smp_distribute_keys(smp);
2332 
2333 	return 0;
2334 }
2335 
2336 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2337 {
2338 	struct smp_cmd_sign_info *rp = (void *) skb->data;
2339 	struct l2cap_chan *chan = conn->smp;
2340 	struct smp_chan *smp = chan->data;
2341 	struct smp_csrk *csrk;
2342 
2343 	BT_DBG("conn %p", conn);
2344 
2345 	if (skb->len < sizeof(*rp))
2346 		return SMP_INVALID_PARAMS;
2347 
2348 	/* Mark the information as received */
2349 	smp->remote_key_dist &= ~SMP_DIST_SIGN;
2350 
2351 	skb_pull(skb, sizeof(*rp));
2352 
2353 	csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2354 	if (csrk) {
2355 		csrk->master = 0x01;
2356 		memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2357 	}
2358 	smp->csrk = csrk;
2359 	smp_distribute_keys(smp);
2360 
2361 	return 0;
2362 }
2363 
2364 static u8 sc_select_method(struct smp_chan *smp)
2365 {
2366 	struct l2cap_conn *conn = smp->conn;
2367 	struct hci_conn *hcon = conn->hcon;
2368 	struct smp_cmd_pairing *local, *remote;
2369 	u8 local_mitm, remote_mitm, local_io, remote_io, method;
2370 
2371 	if (test_bit(SMP_FLAG_OOB, &smp->flags))
2372 		return REQ_OOB;
2373 
2374 	/* The preq/prsp contain the raw Pairing Request/Response PDUs
2375 	 * which are needed as inputs to some crypto functions. To get
2376 	 * the "struct smp_cmd_pairing" from them we need to skip the
2377 	 * first byte which contains the opcode.
2378 	 */
2379 	if (hcon->out) {
2380 		local = (void *) &smp->preq[1];
2381 		remote = (void *) &smp->prsp[1];
2382 	} else {
2383 		local = (void *) &smp->prsp[1];
2384 		remote = (void *) &smp->preq[1];
2385 	}
2386 
2387 	local_io = local->io_capability;
2388 	remote_io = remote->io_capability;
2389 
2390 	local_mitm = (local->auth_req & SMP_AUTH_MITM);
2391 	remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2392 
2393 	/* If either side wants MITM, look up the method from the table,
2394 	 * otherwise use JUST WORKS.
2395 	 */
2396 	if (local_mitm || remote_mitm)
2397 		method = get_auth_method(smp, local_io, remote_io);
2398 	else
2399 		method = JUST_WORKS;
2400 
2401 	/* Don't confirm locally initiated pairing attempts */
2402 	if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2403 		method = JUST_WORKS;
2404 
2405 	return method;
2406 }
2407 
2408 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2409 {
2410 	struct smp_cmd_public_key *key = (void *) skb->data;
2411 	struct hci_conn *hcon = conn->hcon;
2412 	struct l2cap_chan *chan = conn->smp;
2413 	struct smp_chan *smp = chan->data;
2414 	struct hci_dev *hdev = hcon->hdev;
2415 	struct smp_cmd_pairing_confirm cfm;
2416 	int err;
2417 
2418 	BT_DBG("conn %p", conn);
2419 
2420 	if (skb->len < sizeof(*key))
2421 		return SMP_INVALID_PARAMS;
2422 
2423 	memcpy(smp->remote_pk, key, 64);
2424 
2425 	/* Non-initiating device sends its public key after receiving
2426 	 * the key from the initiating device.
2427 	 */
2428 	if (!hcon->out) {
2429 		err = sc_send_public_key(smp);
2430 		if (err)
2431 			return err;
2432 	}
2433 
2434 	SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2435 	SMP_DBG("Remote Public Key Y: %32phN", &smp->remote_pk[32]);
2436 
2437 	if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2438 		return SMP_UNSPECIFIED;
2439 
2440 	SMP_DBG("DHKey %32phN", smp->dhkey);
2441 
2442 	set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2443 
2444 	smp->method = sc_select_method(smp);
2445 
2446 	BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2447 
2448 	/* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2449 	if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2450 		hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2451 	else
2452 		hcon->pending_sec_level = BT_SECURITY_FIPS;
2453 
2454 	if (!memcmp(debug_pk, smp->remote_pk, 64))
2455 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2456 
2457 	if (smp->method == DSP_PASSKEY) {
2458 		get_random_bytes(&hcon->passkey_notify,
2459 				 sizeof(hcon->passkey_notify));
2460 		hcon->passkey_notify %= 1000000;
2461 		hcon->passkey_entered = 0;
2462 		smp->passkey_round = 0;
2463 		if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2464 					     hcon->dst_type,
2465 					     hcon->passkey_notify,
2466 					     hcon->passkey_entered))
2467 			return SMP_UNSPECIFIED;
2468 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2469 		return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2470 	}
2471 
2472 	if (smp->method == REQ_OOB) {
2473 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2474 			     smp->rr, 0, cfm.confirm_val);
2475 		if (err)
2476 			return SMP_UNSPECIFIED;
2477 
2478 		if (memcmp(cfm.confirm_val, smp->pcnf, 16))
2479 			return SMP_CONFIRM_FAILED;
2480 
2481 		if (hcon->out)
2482 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2483 				     sizeof(smp->prnd), smp->prnd);
2484 
2485 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2486 
2487 		return 0;
2488 	}
2489 
2490 	if (hcon->out)
2491 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2492 
2493 	if (smp->method == REQ_PASSKEY) {
2494 		if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2495 					      hcon->dst_type))
2496 			return SMP_UNSPECIFIED;
2497 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2498 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2499 		return 0;
2500 	}
2501 
2502 	/* The Initiating device waits for the non-initiating device to
2503 	 * send the confirm value.
2504 	 */
2505 	if (conn->hcon->out)
2506 		return 0;
2507 
2508 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2509 		     0, cfm.confirm_val);
2510 	if (err)
2511 		return SMP_UNSPECIFIED;
2512 
2513 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2514 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2515 
2516 	return 0;
2517 }
2518 
2519 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2520 {
2521 	struct smp_cmd_dhkey_check *check = (void *) skb->data;
2522 	struct l2cap_chan *chan = conn->smp;
2523 	struct hci_conn *hcon = conn->hcon;
2524 	struct smp_chan *smp = chan->data;
2525 	u8 a[7], b[7], *local_addr, *remote_addr;
2526 	u8 io_cap[3], r[16], e[16];
2527 	int err;
2528 
2529 	BT_DBG("conn %p", conn);
2530 
2531 	if (skb->len < sizeof(*check))
2532 		return SMP_INVALID_PARAMS;
2533 
2534 	memcpy(a, &hcon->init_addr, 6);
2535 	memcpy(b, &hcon->resp_addr, 6);
2536 	a[6] = hcon->init_addr_type;
2537 	b[6] = hcon->resp_addr_type;
2538 
2539 	if (hcon->out) {
2540 		local_addr = a;
2541 		remote_addr = b;
2542 		memcpy(io_cap, &smp->prsp[1], 3);
2543 	} else {
2544 		local_addr = b;
2545 		remote_addr = a;
2546 		memcpy(io_cap, &smp->preq[1], 3);
2547 	}
2548 
2549 	memset(r, 0, sizeof(r));
2550 
2551 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2552 		put_unaligned_le32(hcon->passkey_notify, r);
2553 
2554 	err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2555 		     io_cap, remote_addr, local_addr, e);
2556 	if (err)
2557 		return SMP_UNSPECIFIED;
2558 
2559 	if (memcmp(check->e, e, 16))
2560 		return SMP_DHKEY_CHECK_FAILED;
2561 
2562 	if (!hcon->out) {
2563 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2564 			set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2565 			return 0;
2566 		}
2567 
2568 		/* Slave sends DHKey check as response to master */
2569 		sc_dhkey_check(smp);
2570 	}
2571 
2572 	sc_add_ltk(smp);
2573 
2574 	if (hcon->out) {
2575 		hci_le_start_enc(hcon, 0, 0, smp->tk);
2576 		hcon->enc_key_size = smp->enc_key_size;
2577 	}
2578 
2579 	return 0;
2580 }
2581 
2582 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2583 				   struct sk_buff *skb)
2584 {
2585 	struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2586 
2587 	BT_DBG("value 0x%02x", kp->value);
2588 
2589 	return 0;
2590 }
2591 
2592 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2593 {
2594 	struct l2cap_conn *conn = chan->conn;
2595 	struct hci_conn *hcon = conn->hcon;
2596 	struct smp_chan *smp;
2597 	__u8 code, reason;
2598 	int err = 0;
2599 
2600 	if (skb->len < 1)
2601 		return -EILSEQ;
2602 
2603 	if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags)) {
2604 		reason = SMP_PAIRING_NOTSUPP;
2605 		goto done;
2606 	}
2607 
2608 	code = skb->data[0];
2609 	skb_pull(skb, sizeof(code));
2610 
2611 	smp = chan->data;
2612 
2613 	if (code > SMP_CMD_MAX)
2614 		goto drop;
2615 
2616 	if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2617 		goto drop;
2618 
2619 	/* If we don't have a context the only allowed commands are
2620 	 * pairing request and security request.
2621 	 */
2622 	if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2623 		goto drop;
2624 
2625 	switch (code) {
2626 	case SMP_CMD_PAIRING_REQ:
2627 		reason = smp_cmd_pairing_req(conn, skb);
2628 		break;
2629 
2630 	case SMP_CMD_PAIRING_FAIL:
2631 		smp_failure(conn, 0);
2632 		err = -EPERM;
2633 		break;
2634 
2635 	case SMP_CMD_PAIRING_RSP:
2636 		reason = smp_cmd_pairing_rsp(conn, skb);
2637 		break;
2638 
2639 	case SMP_CMD_SECURITY_REQ:
2640 		reason = smp_cmd_security_req(conn, skb);
2641 		break;
2642 
2643 	case SMP_CMD_PAIRING_CONFIRM:
2644 		reason = smp_cmd_pairing_confirm(conn, skb);
2645 		break;
2646 
2647 	case SMP_CMD_PAIRING_RANDOM:
2648 		reason = smp_cmd_pairing_random(conn, skb);
2649 		break;
2650 
2651 	case SMP_CMD_ENCRYPT_INFO:
2652 		reason = smp_cmd_encrypt_info(conn, skb);
2653 		break;
2654 
2655 	case SMP_CMD_MASTER_IDENT:
2656 		reason = smp_cmd_master_ident(conn, skb);
2657 		break;
2658 
2659 	case SMP_CMD_IDENT_INFO:
2660 		reason = smp_cmd_ident_info(conn, skb);
2661 		break;
2662 
2663 	case SMP_CMD_IDENT_ADDR_INFO:
2664 		reason = smp_cmd_ident_addr_info(conn, skb);
2665 		break;
2666 
2667 	case SMP_CMD_SIGN_INFO:
2668 		reason = smp_cmd_sign_info(conn, skb);
2669 		break;
2670 
2671 	case SMP_CMD_PUBLIC_KEY:
2672 		reason = smp_cmd_public_key(conn, skb);
2673 		break;
2674 
2675 	case SMP_CMD_DHKEY_CHECK:
2676 		reason = smp_cmd_dhkey_check(conn, skb);
2677 		break;
2678 
2679 	case SMP_CMD_KEYPRESS_NOTIFY:
2680 		reason = smp_cmd_keypress_notify(conn, skb);
2681 		break;
2682 
2683 	default:
2684 		BT_DBG("Unknown command code 0x%2.2x", code);
2685 		reason = SMP_CMD_NOTSUPP;
2686 		goto done;
2687 	}
2688 
2689 done:
2690 	if (!err) {
2691 		if (reason)
2692 			smp_failure(conn, reason);
2693 		kfree_skb(skb);
2694 	}
2695 
2696 	return err;
2697 
2698 drop:
2699 	BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2700 	       code, &hcon->dst);
2701 	kfree_skb(skb);
2702 	return 0;
2703 }
2704 
2705 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2706 {
2707 	struct l2cap_conn *conn = chan->conn;
2708 
2709 	BT_DBG("chan %p", chan);
2710 
2711 	if (chan->data)
2712 		smp_chan_destroy(conn);
2713 
2714 	conn->smp = NULL;
2715 	l2cap_chan_put(chan);
2716 }
2717 
2718 static void bredr_pairing(struct l2cap_chan *chan)
2719 {
2720 	struct l2cap_conn *conn = chan->conn;
2721 	struct hci_conn *hcon = conn->hcon;
2722 	struct hci_dev *hdev = hcon->hdev;
2723 	struct smp_cmd_pairing req;
2724 	struct smp_chan *smp;
2725 
2726 	BT_DBG("chan %p", chan);
2727 
2728 	/* Only new pairings are interesting */
2729 	if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2730 		return;
2731 
2732 	/* Don't bother if we're not encrypted */
2733 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2734 		return;
2735 
2736 	/* Only master may initiate SMP over BR/EDR */
2737 	if (hcon->role != HCI_ROLE_MASTER)
2738 		return;
2739 
2740 	/* Secure Connections support must be enabled */
2741 	if (!test_bit(HCI_SC_ENABLED, &hdev->dev_flags))
2742 		return;
2743 
2744 	/* BR/EDR must use Secure Connections for SMP */
2745 	if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
2746 	    !test_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags))
2747 		return;
2748 
2749 	/* If our LE support is not enabled don't do anything */
2750 	if (!test_bit(HCI_LE_ENABLED, &hdev->dev_flags))
2751 		return;
2752 
2753 	/* Don't bother if remote LE support is not enabled */
2754 	if (!lmp_host_le_capable(hcon))
2755 		return;
2756 
2757 	/* Remote must support SMP fixed chan for BR/EDR */
2758 	if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
2759 		return;
2760 
2761 	/* Don't bother if SMP is already ongoing */
2762 	if (chan->data)
2763 		return;
2764 
2765 	smp = smp_chan_create(conn);
2766 	if (!smp) {
2767 		BT_ERR("%s unable to create SMP context for BR/EDR",
2768 		       hdev->name);
2769 		return;
2770 	}
2771 
2772 	set_bit(SMP_FLAG_SC, &smp->flags);
2773 
2774 	BT_DBG("%s starting SMP over BR/EDR", hdev->name);
2775 
2776 	/* Prepare and send the BR/EDR SMP Pairing Request */
2777 	build_bredr_pairing_cmd(smp, &req, NULL);
2778 
2779 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2780 	memcpy(&smp->preq[1], &req, sizeof(req));
2781 
2782 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
2783 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2784 }
2785 
2786 static void smp_resume_cb(struct l2cap_chan *chan)
2787 {
2788 	struct smp_chan *smp = chan->data;
2789 	struct l2cap_conn *conn = chan->conn;
2790 	struct hci_conn *hcon = conn->hcon;
2791 
2792 	BT_DBG("chan %p", chan);
2793 
2794 	if (hcon->type == ACL_LINK) {
2795 		bredr_pairing(chan);
2796 		return;
2797 	}
2798 
2799 	if (!smp)
2800 		return;
2801 
2802 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2803 		return;
2804 
2805 	cancel_delayed_work(&smp->security_timer);
2806 
2807 	smp_distribute_keys(smp);
2808 }
2809 
2810 static void smp_ready_cb(struct l2cap_chan *chan)
2811 {
2812 	struct l2cap_conn *conn = chan->conn;
2813 	struct hci_conn *hcon = conn->hcon;
2814 
2815 	BT_DBG("chan %p", chan);
2816 
2817 	conn->smp = chan;
2818 	l2cap_chan_hold(chan);
2819 
2820 	if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2821 		bredr_pairing(chan);
2822 }
2823 
2824 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
2825 {
2826 	int err;
2827 
2828 	BT_DBG("chan %p", chan);
2829 
2830 	err = smp_sig_channel(chan, skb);
2831 	if (err) {
2832 		struct smp_chan *smp = chan->data;
2833 
2834 		if (smp)
2835 			cancel_delayed_work_sync(&smp->security_timer);
2836 
2837 		hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
2838 	}
2839 
2840 	return err;
2841 }
2842 
2843 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
2844 					unsigned long hdr_len,
2845 					unsigned long len, int nb)
2846 {
2847 	struct sk_buff *skb;
2848 
2849 	skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
2850 	if (!skb)
2851 		return ERR_PTR(-ENOMEM);
2852 
2853 	skb->priority = HCI_PRIO_MAX;
2854 	bt_cb(skb)->chan = chan;
2855 
2856 	return skb;
2857 }
2858 
2859 static const struct l2cap_ops smp_chan_ops = {
2860 	.name			= "Security Manager",
2861 	.ready			= smp_ready_cb,
2862 	.recv			= smp_recv_cb,
2863 	.alloc_skb		= smp_alloc_skb_cb,
2864 	.teardown		= smp_teardown_cb,
2865 	.resume			= smp_resume_cb,
2866 
2867 	.new_connection		= l2cap_chan_no_new_connection,
2868 	.state_change		= l2cap_chan_no_state_change,
2869 	.close			= l2cap_chan_no_close,
2870 	.defer			= l2cap_chan_no_defer,
2871 	.suspend		= l2cap_chan_no_suspend,
2872 	.set_shutdown		= l2cap_chan_no_set_shutdown,
2873 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
2874 };
2875 
2876 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
2877 {
2878 	struct l2cap_chan *chan;
2879 
2880 	BT_DBG("pchan %p", pchan);
2881 
2882 	chan = l2cap_chan_create();
2883 	if (!chan)
2884 		return NULL;
2885 
2886 	chan->chan_type	= pchan->chan_type;
2887 	chan->ops	= &smp_chan_ops;
2888 	chan->scid	= pchan->scid;
2889 	chan->dcid	= chan->scid;
2890 	chan->imtu	= pchan->imtu;
2891 	chan->omtu	= pchan->omtu;
2892 	chan->mode	= pchan->mode;
2893 
2894 	/* Other L2CAP channels may request SMP routines in order to
2895 	 * change the security level. This means that the SMP channel
2896 	 * lock must be considered in its own category to avoid lockdep
2897 	 * warnings.
2898 	 */
2899 	atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
2900 
2901 	BT_DBG("created chan %p", chan);
2902 
2903 	return chan;
2904 }
2905 
2906 static const struct l2cap_ops smp_root_chan_ops = {
2907 	.name			= "Security Manager Root",
2908 	.new_connection		= smp_new_conn_cb,
2909 
2910 	/* None of these are implemented for the root channel */
2911 	.close			= l2cap_chan_no_close,
2912 	.alloc_skb		= l2cap_chan_no_alloc_skb,
2913 	.recv			= l2cap_chan_no_recv,
2914 	.state_change		= l2cap_chan_no_state_change,
2915 	.teardown		= l2cap_chan_no_teardown,
2916 	.ready			= l2cap_chan_no_ready,
2917 	.defer			= l2cap_chan_no_defer,
2918 	.suspend		= l2cap_chan_no_suspend,
2919 	.resume			= l2cap_chan_no_resume,
2920 	.set_shutdown		= l2cap_chan_no_set_shutdown,
2921 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
2922 };
2923 
2924 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
2925 {
2926 	struct l2cap_chan *chan;
2927 	struct crypto_blkcipher	*tfm_aes;
2928 
2929 	if (cid == L2CAP_CID_SMP_BREDR) {
2930 		tfm_aes = NULL;
2931 		goto create_chan;
2932 	}
2933 
2934 	tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, 0);
2935 	if (IS_ERR(tfm_aes)) {
2936 		BT_ERR("Unable to create crypto context");
2937 		return ERR_CAST(tfm_aes);
2938 	}
2939 
2940 create_chan:
2941 	chan = l2cap_chan_create();
2942 	if (!chan) {
2943 		crypto_free_blkcipher(tfm_aes);
2944 		return ERR_PTR(-ENOMEM);
2945 	}
2946 
2947 	chan->data = tfm_aes;
2948 
2949 	l2cap_add_scid(chan, cid);
2950 
2951 	l2cap_chan_set_defaults(chan);
2952 
2953 	if (cid == L2CAP_CID_SMP) {
2954 		/* If usage of static address is forced or if the devices
2955 		 * does not have a public address, then listen on the static
2956 		 * address.
2957 		 *
2958 		 * In case BR/EDR has been disabled on a dual-mode controller
2959 		 * and a static address has been configued, then listen on
2960 		 * the static address instead.
2961 		 */
2962 		if (test_bit(HCI_FORCE_STATIC_ADDR, &hdev->dbg_flags) ||
2963 		    !bacmp(&hdev->bdaddr, BDADDR_ANY) ||
2964 		    (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags) &&
2965 		     bacmp(&hdev->static_addr, BDADDR_ANY))) {
2966 			bacpy(&chan->src, &hdev->static_addr);
2967 			chan->src_type = BDADDR_LE_RANDOM;
2968 		} else {
2969 			bacpy(&chan->src, &hdev->bdaddr);
2970 			chan->src_type = BDADDR_LE_PUBLIC;
2971 		}
2972 	} else {
2973 		bacpy(&chan->src, &hdev->bdaddr);
2974 		chan->src_type = BDADDR_BREDR;
2975 	}
2976 
2977 	chan->state = BT_LISTEN;
2978 	chan->mode = L2CAP_MODE_BASIC;
2979 	chan->imtu = L2CAP_DEFAULT_MTU;
2980 	chan->ops = &smp_root_chan_ops;
2981 
2982 	/* Set correct nesting level for a parent/listening channel */
2983 	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
2984 
2985 	return chan;
2986 }
2987 
2988 static void smp_del_chan(struct l2cap_chan *chan)
2989 {
2990 	struct crypto_blkcipher	*tfm_aes;
2991 
2992 	BT_DBG("chan %p", chan);
2993 
2994 	tfm_aes = chan->data;
2995 	if (tfm_aes) {
2996 		chan->data = NULL;
2997 		crypto_free_blkcipher(tfm_aes);
2998 	}
2999 
3000 	l2cap_chan_put(chan);
3001 }
3002 
3003 static ssize_t force_bredr_smp_read(struct file *file,
3004 				    char __user *user_buf,
3005 				    size_t count, loff_t *ppos)
3006 {
3007 	struct hci_dev *hdev = file->private_data;
3008 	char buf[3];
3009 
3010 	buf[0] = test_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags) ? 'Y': 'N';
3011 	buf[1] = '\n';
3012 	buf[2] = '\0';
3013 	return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3014 }
3015 
3016 static ssize_t force_bredr_smp_write(struct file *file,
3017 				     const char __user *user_buf,
3018 				     size_t count, loff_t *ppos)
3019 {
3020 	struct hci_dev *hdev = file->private_data;
3021 	char buf[32];
3022 	size_t buf_size = min(count, (sizeof(buf)-1));
3023 	bool enable;
3024 
3025 	if (copy_from_user(buf, user_buf, buf_size))
3026 		return -EFAULT;
3027 
3028 	buf[buf_size] = '\0';
3029 	if (strtobool(buf, &enable))
3030 		return -EINVAL;
3031 
3032 	if (enable == test_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags))
3033 		return -EALREADY;
3034 
3035 	if (enable) {
3036 		struct l2cap_chan *chan;
3037 
3038 		chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3039 		if (IS_ERR(chan))
3040 			return PTR_ERR(chan);
3041 
3042 		hdev->smp_bredr_data = chan;
3043 	} else {
3044 		struct l2cap_chan *chan;
3045 
3046 		chan = hdev->smp_bredr_data;
3047 		hdev->smp_bredr_data = NULL;
3048 		smp_del_chan(chan);
3049 	}
3050 
3051 	change_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags);
3052 
3053 	return count;
3054 }
3055 
3056 static const struct file_operations force_bredr_smp_fops = {
3057 	.open		= simple_open,
3058 	.read		= force_bredr_smp_read,
3059 	.write		= force_bredr_smp_write,
3060 	.llseek		= default_llseek,
3061 };
3062 
3063 int smp_register(struct hci_dev *hdev)
3064 {
3065 	struct l2cap_chan *chan;
3066 
3067 	BT_DBG("%s", hdev->name);
3068 
3069 	/* If the controller does not support Low Energy operation, then
3070 	 * there is also no need to register any SMP channel.
3071 	 */
3072 	if (!lmp_le_capable(hdev))
3073 		return 0;
3074 
3075 	if (WARN_ON(hdev->smp_data)) {
3076 		chan = hdev->smp_data;
3077 		hdev->smp_data = NULL;
3078 		smp_del_chan(chan);
3079 	}
3080 
3081 	chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3082 	if (IS_ERR(chan))
3083 		return PTR_ERR(chan);
3084 
3085 	hdev->smp_data = chan;
3086 
3087 	/* If the controller does not support BR/EDR Secure Connections
3088 	 * feature, then the BR/EDR SMP channel shall not be present.
3089 	 *
3090 	 * To test this with Bluetooth 4.0 controllers, create a debugfs
3091 	 * switch that allows forcing BR/EDR SMP support and accepting
3092 	 * cross-transport pairing on non-AES encrypted connections.
3093 	 */
3094 	if (!lmp_sc_capable(hdev)) {
3095 		debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3096 				    hdev, &force_bredr_smp_fops);
3097 		return 0;
3098 	}
3099 
3100 	if (WARN_ON(hdev->smp_bredr_data)) {
3101 		chan = hdev->smp_bredr_data;
3102 		hdev->smp_bredr_data = NULL;
3103 		smp_del_chan(chan);
3104 	}
3105 
3106 	chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3107 	if (IS_ERR(chan)) {
3108 		int err = PTR_ERR(chan);
3109 		chan = hdev->smp_data;
3110 		hdev->smp_data = NULL;
3111 		smp_del_chan(chan);
3112 		return err;
3113 	}
3114 
3115 	hdev->smp_bredr_data = chan;
3116 
3117 	return 0;
3118 }
3119 
3120 void smp_unregister(struct hci_dev *hdev)
3121 {
3122 	struct l2cap_chan *chan;
3123 
3124 	if (hdev->smp_bredr_data) {
3125 		chan = hdev->smp_bredr_data;
3126 		hdev->smp_bredr_data = NULL;
3127 		smp_del_chan(chan);
3128 	}
3129 
3130 	if (hdev->smp_data) {
3131 		chan = hdev->smp_data;
3132 		hdev->smp_data = NULL;
3133 		smp_del_chan(chan);
3134 	}
3135 }
3136 
3137 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3138 
3139 static int __init test_ah(struct crypto_blkcipher *tfm_aes)
3140 {
3141 	const u8 irk[16] = {
3142 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3143 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3144 	const u8 r[3] = { 0x94, 0x81, 0x70 };
3145 	const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3146 	u8 res[3];
3147 	int err;
3148 
3149 	err = smp_ah(tfm_aes, irk, r, res);
3150 	if (err)
3151 		return err;
3152 
3153 	if (memcmp(res, exp, 3))
3154 		return -EINVAL;
3155 
3156 	return 0;
3157 }
3158 
3159 static int __init test_c1(struct crypto_blkcipher *tfm_aes)
3160 {
3161 	const u8 k[16] = {
3162 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3163 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3164 	const u8 r[16] = {
3165 			0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3166 			0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3167 	const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3168 	const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3169 	const u8 _iat = 0x01;
3170 	const u8 _rat = 0x00;
3171 	const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3172 	const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3173 	const u8 exp[16] = {
3174 			0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3175 			0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3176 	u8 res[16];
3177 	int err;
3178 
3179 	err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3180 	if (err)
3181 		return err;
3182 
3183 	if (memcmp(res, exp, 16))
3184 		return -EINVAL;
3185 
3186 	return 0;
3187 }
3188 
3189 static int __init test_s1(struct crypto_blkcipher *tfm_aes)
3190 {
3191 	const u8 k[16] = {
3192 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3193 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3194 	const u8 r1[16] = {
3195 			0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3196 	const u8 r2[16] = {
3197 			0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3198 	const u8 exp[16] = {
3199 			0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3200 			0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3201 	u8 res[16];
3202 	int err;
3203 
3204 	err = smp_s1(tfm_aes, k, r1, r2, res);
3205 	if (err)
3206 		return err;
3207 
3208 	if (memcmp(res, exp, 16))
3209 		return -EINVAL;
3210 
3211 	return 0;
3212 }
3213 
3214 static int __init test_f4(struct crypto_hash *tfm_cmac)
3215 {
3216 	const u8 u[32] = {
3217 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3218 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3219 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3220 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3221 	const u8 v[32] = {
3222 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3223 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3224 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3225 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3226 	const u8 x[16] = {
3227 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3228 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3229 	const u8 z = 0x00;
3230 	const u8 exp[16] = {
3231 			0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3232 			0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3233 	u8 res[16];
3234 	int err;
3235 
3236 	err = smp_f4(tfm_cmac, u, v, x, z, res);
3237 	if (err)
3238 		return err;
3239 
3240 	if (memcmp(res, exp, 16))
3241 		return -EINVAL;
3242 
3243 	return 0;
3244 }
3245 
3246 static int __init test_f5(struct crypto_hash *tfm_cmac)
3247 {
3248 	const u8 w[32] = {
3249 			0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3250 			0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3251 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3252 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3253 	const u8 n1[16] = {
3254 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3255 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3256 	const u8 n2[16] = {
3257 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3258 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3259 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3260 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3261 	const u8 exp_ltk[16] = {
3262 			0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3263 			0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3264 	const u8 exp_mackey[16] = {
3265 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3266 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3267 	u8 mackey[16], ltk[16];
3268 	int err;
3269 
3270 	err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3271 	if (err)
3272 		return err;
3273 
3274 	if (memcmp(mackey, exp_mackey, 16))
3275 		return -EINVAL;
3276 
3277 	if (memcmp(ltk, exp_ltk, 16))
3278 		return -EINVAL;
3279 
3280 	return 0;
3281 }
3282 
3283 static int __init test_f6(struct crypto_hash *tfm_cmac)
3284 {
3285 	const u8 w[16] = {
3286 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3287 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3288 	const u8 n1[16] = {
3289 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3290 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3291 	const u8 n2[16] = {
3292 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3293 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3294 	const u8 r[16] = {
3295 			0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3296 			0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3297 	const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3298 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3299 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3300 	const u8 exp[16] = {
3301 			0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3302 			0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3303 	u8 res[16];
3304 	int err;
3305 
3306 	err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3307 	if (err)
3308 		return err;
3309 
3310 	if (memcmp(res, exp, 16))
3311 		return -EINVAL;
3312 
3313 	return 0;
3314 }
3315 
3316 static int __init test_g2(struct crypto_hash *tfm_cmac)
3317 {
3318 	const u8 u[32] = {
3319 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3320 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3321 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3322 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3323 	const u8 v[32] = {
3324 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3325 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3326 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3327 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3328 	const u8 x[16] = {
3329 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3330 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3331 	const u8 y[16] = {
3332 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3333 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3334 	const u32 exp_val = 0x2f9ed5ba % 1000000;
3335 	u32 val;
3336 	int err;
3337 
3338 	err = smp_g2(tfm_cmac, u, v, x, y, &val);
3339 	if (err)
3340 		return err;
3341 
3342 	if (val != exp_val)
3343 		return -EINVAL;
3344 
3345 	return 0;
3346 }
3347 
3348 static int __init test_h6(struct crypto_hash *tfm_cmac)
3349 {
3350 	const u8 w[16] = {
3351 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3352 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3353 	const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3354 	const u8 exp[16] = {
3355 			0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3356 			0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3357 	u8 res[16];
3358 	int err;
3359 
3360 	err = smp_h6(tfm_cmac, w, key_id, res);
3361 	if (err)
3362 		return err;
3363 
3364 	if (memcmp(res, exp, 16))
3365 		return -EINVAL;
3366 
3367 	return 0;
3368 }
3369 
3370 static int __init run_selftests(struct crypto_blkcipher *tfm_aes,
3371 				struct crypto_hash *tfm_cmac)
3372 {
3373 	ktime_t calltime, delta, rettime;
3374 	unsigned long long duration;
3375 	int err;
3376 
3377 	calltime = ktime_get();
3378 
3379 	err = test_ah(tfm_aes);
3380 	if (err) {
3381 		BT_ERR("smp_ah test failed");
3382 		return err;
3383 	}
3384 
3385 	err = test_c1(tfm_aes);
3386 	if (err) {
3387 		BT_ERR("smp_c1 test failed");
3388 		return err;
3389 	}
3390 
3391 	err = test_s1(tfm_aes);
3392 	if (err) {
3393 		BT_ERR("smp_s1 test failed");
3394 		return err;
3395 	}
3396 
3397 	err = test_f4(tfm_cmac);
3398 	if (err) {
3399 		BT_ERR("smp_f4 test failed");
3400 		return err;
3401 	}
3402 
3403 	err = test_f5(tfm_cmac);
3404 	if (err) {
3405 		BT_ERR("smp_f5 test failed");
3406 		return err;
3407 	}
3408 
3409 	err = test_f6(tfm_cmac);
3410 	if (err) {
3411 		BT_ERR("smp_f6 test failed");
3412 		return err;
3413 	}
3414 
3415 	err = test_g2(tfm_cmac);
3416 	if (err) {
3417 		BT_ERR("smp_g2 test failed");
3418 		return err;
3419 	}
3420 
3421 	err = test_h6(tfm_cmac);
3422 	if (err) {
3423 		BT_ERR("smp_h6 test failed");
3424 		return err;
3425 	}
3426 
3427 	rettime = ktime_get();
3428 	delta = ktime_sub(rettime, calltime);
3429 	duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3430 
3431 	BT_INFO("SMP test passed in %llu usecs", duration);
3432 
3433 	return 0;
3434 }
3435 
3436 int __init bt_selftest_smp(void)
3437 {
3438 	struct crypto_blkcipher *tfm_aes;
3439 	struct crypto_hash *tfm_cmac;
3440 	int err;
3441 
3442 	tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
3443 	if (IS_ERR(tfm_aes)) {
3444 		BT_ERR("Unable to create ECB crypto context");
3445 		return PTR_ERR(tfm_aes);
3446 	}
3447 
3448 	tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3449 	if (IS_ERR(tfm_cmac)) {
3450 		BT_ERR("Unable to create CMAC crypto context");
3451 		crypto_free_blkcipher(tfm_aes);
3452 		return PTR_ERR(tfm_cmac);
3453 	}
3454 
3455 	err = run_selftests(tfm_aes, tfm_cmac);
3456 
3457 	crypto_free_hash(tfm_cmac);
3458 	crypto_free_blkcipher(tfm_aes);
3459 
3460 	return err;
3461 }
3462 
3463 #endif
3464