xref: /linux/net/bluetooth/smp.c (revision 3a37471551cd3b287ce7f02ed25bcf8ec37a191d)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4 
5    This program is free software; you can redistribute it and/or modify
6    it under the terms of the GNU General Public License version 2 as
7    published by the Free Software Foundation;
8 
9    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 
18    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20    SOFTWARE IS DISCLAIMED.
21 */
22 
23 #include <linux/debugfs.h>
24 #include <linux/scatterlist.h>
25 #include <linux/crypto.h>
26 #include <crypto/b128ops.h>
27 #include <crypto/hash.h>
28 
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 #include <net/bluetooth/l2cap.h>
32 #include <net/bluetooth/mgmt.h>
33 
34 #include "ecc.h"
35 #include "smp.h"
36 
37 #define SMP_DEV(hdev) \
38 	((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
39 
40 /* Low-level debug macros to be used for stuff that we don't want
41  * accidentially in dmesg, i.e. the values of the various crypto keys
42  * and the inputs & outputs of crypto functions.
43  */
44 #ifdef DEBUG
45 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
46 				 ##__VA_ARGS__)
47 #else
48 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
49 				    ##__VA_ARGS__)
50 #endif
51 
52 #define SMP_ALLOW_CMD(smp, code)	set_bit(code, &smp->allow_cmd)
53 
54 /* Keys which are not distributed with Secure Connections */
55 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
56 
57 #define SMP_TIMEOUT	msecs_to_jiffies(30000)
58 
59 #define AUTH_REQ_MASK(dev)	(hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
60 				 0x3f : 0x07)
61 #define KEY_DIST_MASK		0x07
62 
63 /* Maximum message length that can be passed to aes_cmac */
64 #define CMAC_MSG_MAX	80
65 
66 enum {
67 	SMP_FLAG_TK_VALID,
68 	SMP_FLAG_CFM_PENDING,
69 	SMP_FLAG_MITM_AUTH,
70 	SMP_FLAG_COMPLETE,
71 	SMP_FLAG_INITIATOR,
72 	SMP_FLAG_SC,
73 	SMP_FLAG_REMOTE_PK,
74 	SMP_FLAG_DEBUG_KEY,
75 	SMP_FLAG_WAIT_USER,
76 	SMP_FLAG_DHKEY_PENDING,
77 	SMP_FLAG_REMOTE_OOB,
78 	SMP_FLAG_LOCAL_OOB,
79 	SMP_FLAG_CT2,
80 };
81 
82 struct smp_dev {
83 	/* Secure Connections OOB data */
84 	u8			local_pk[64];
85 	u8			local_sk[32];
86 	u8			local_rand[16];
87 	bool			debug_key;
88 
89 	u8			min_key_size;
90 	u8			max_key_size;
91 
92 	struct crypto_cipher	*tfm_aes;
93 	struct crypto_shash	*tfm_cmac;
94 };
95 
96 struct smp_chan {
97 	struct l2cap_conn	*conn;
98 	struct delayed_work	security_timer;
99 	unsigned long           allow_cmd; /* Bitmask of allowed commands */
100 
101 	u8		preq[7]; /* SMP Pairing Request */
102 	u8		prsp[7]; /* SMP Pairing Response */
103 	u8		prnd[16]; /* SMP Pairing Random (local) */
104 	u8		rrnd[16]; /* SMP Pairing Random (remote) */
105 	u8		pcnf[16]; /* SMP Pairing Confirm */
106 	u8		tk[16]; /* SMP Temporary Key */
107 	u8		rr[16]; /* Remote OOB ra/rb value */
108 	u8		lr[16]; /* Local OOB ra/rb value */
109 	u8		enc_key_size;
110 	u8		remote_key_dist;
111 	bdaddr_t	id_addr;
112 	u8		id_addr_type;
113 	u8		irk[16];
114 	struct smp_csrk	*csrk;
115 	struct smp_csrk	*slave_csrk;
116 	struct smp_ltk	*ltk;
117 	struct smp_ltk	*slave_ltk;
118 	struct smp_irk	*remote_irk;
119 	u8		*link_key;
120 	unsigned long	flags;
121 	u8		method;
122 	u8		passkey_round;
123 
124 	/* Secure Connections variables */
125 	u8			local_pk[64];
126 	u8			local_sk[32];
127 	u8			remote_pk[64];
128 	u8			dhkey[32];
129 	u8			mackey[16];
130 
131 	struct crypto_cipher	*tfm_aes;
132 	struct crypto_shash	*tfm_cmac;
133 };
134 
135 /* These debug key values are defined in the SMP section of the core
136  * specification. debug_pk is the public debug key and debug_sk the
137  * private debug key.
138  */
139 static const u8 debug_pk[64] = {
140 		0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
141 		0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
142 		0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
143 		0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
144 
145 		0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
146 		0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
147 		0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
148 		0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
149 };
150 
151 static const u8 debug_sk[32] = {
152 		0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
153 		0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
154 		0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
155 		0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
156 };
157 
158 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
159 {
160 	size_t i;
161 
162 	for (i = 0; i < len; i++)
163 		dst[len - 1 - i] = src[i];
164 }
165 
166 /* The following functions map to the LE SC SMP crypto functions
167  * AES-CMAC, f4, f5, f6, g2 and h6.
168  */
169 
170 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
171 		    size_t len, u8 mac[16])
172 {
173 	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
174 	SHASH_DESC_ON_STACK(desc, tfm);
175 	int err;
176 
177 	if (len > CMAC_MSG_MAX)
178 		return -EFBIG;
179 
180 	if (!tfm) {
181 		BT_ERR("tfm %p", tfm);
182 		return -EINVAL;
183 	}
184 
185 	desc->tfm = tfm;
186 	desc->flags = 0;
187 
188 	/* Swap key and message from LSB to MSB */
189 	swap_buf(k, tmp, 16);
190 	swap_buf(m, msg_msb, len);
191 
192 	SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
193 	SMP_DBG("key %16phN", k);
194 
195 	err = crypto_shash_setkey(tfm, tmp, 16);
196 	if (err) {
197 		BT_ERR("cipher setkey failed: %d", err);
198 		return err;
199 	}
200 
201 	err = crypto_shash_digest(desc, msg_msb, len, mac_msb);
202 	shash_desc_zero(desc);
203 	if (err) {
204 		BT_ERR("Hash computation error %d", err);
205 		return err;
206 	}
207 
208 	swap_buf(mac_msb, mac, 16);
209 
210 	SMP_DBG("mac %16phN", mac);
211 
212 	return 0;
213 }
214 
215 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
216 		  const u8 v[32], const u8 x[16], u8 z, u8 res[16])
217 {
218 	u8 m[65];
219 	int err;
220 
221 	SMP_DBG("u %32phN", u);
222 	SMP_DBG("v %32phN", v);
223 	SMP_DBG("x %16phN z %02x", x, z);
224 
225 	m[0] = z;
226 	memcpy(m + 1, v, 32);
227 	memcpy(m + 33, u, 32);
228 
229 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
230 	if (err)
231 		return err;
232 
233 	SMP_DBG("res %16phN", res);
234 
235 	return err;
236 }
237 
238 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
239 		  const u8 n1[16], const u8 n2[16], const u8 a1[7],
240 		  const u8 a2[7], u8 mackey[16], u8 ltk[16])
241 {
242 	/* The btle, salt and length "magic" values are as defined in
243 	 * the SMP section of the Bluetooth core specification. In ASCII
244 	 * the btle value ends up being 'btle'. The salt is just a
245 	 * random number whereas length is the value 256 in little
246 	 * endian format.
247 	 */
248 	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
249 	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
250 			      0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
251 	const u8 length[2] = { 0x00, 0x01 };
252 	u8 m[53], t[16];
253 	int err;
254 
255 	SMP_DBG("w %32phN", w);
256 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
257 	SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
258 
259 	err = aes_cmac(tfm_cmac, salt, w, 32, t);
260 	if (err)
261 		return err;
262 
263 	SMP_DBG("t %16phN", t);
264 
265 	memcpy(m, length, 2);
266 	memcpy(m + 2, a2, 7);
267 	memcpy(m + 9, a1, 7);
268 	memcpy(m + 16, n2, 16);
269 	memcpy(m + 32, n1, 16);
270 	memcpy(m + 48, btle, 4);
271 
272 	m[52] = 0; /* Counter */
273 
274 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
275 	if (err)
276 		return err;
277 
278 	SMP_DBG("mackey %16phN", mackey);
279 
280 	m[52] = 1; /* Counter */
281 
282 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
283 	if (err)
284 		return err;
285 
286 	SMP_DBG("ltk %16phN", ltk);
287 
288 	return 0;
289 }
290 
291 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
292 		  const u8 n1[16], const u8 n2[16], const u8 r[16],
293 		  const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
294 		  u8 res[16])
295 {
296 	u8 m[65];
297 	int err;
298 
299 	SMP_DBG("w %16phN", w);
300 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
301 	SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
302 
303 	memcpy(m, a2, 7);
304 	memcpy(m + 7, a1, 7);
305 	memcpy(m + 14, io_cap, 3);
306 	memcpy(m + 17, r, 16);
307 	memcpy(m + 33, n2, 16);
308 	memcpy(m + 49, n1, 16);
309 
310 	err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
311 	if (err)
312 		return err;
313 
314 	SMP_DBG("res %16phN", res);
315 
316 	return err;
317 }
318 
319 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
320 		  const u8 x[16], const u8 y[16], u32 *val)
321 {
322 	u8 m[80], tmp[16];
323 	int err;
324 
325 	SMP_DBG("u %32phN", u);
326 	SMP_DBG("v %32phN", v);
327 	SMP_DBG("x %16phN y %16phN", x, y);
328 
329 	memcpy(m, y, 16);
330 	memcpy(m + 16, v, 32);
331 	memcpy(m + 48, u, 32);
332 
333 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
334 	if (err)
335 		return err;
336 
337 	*val = get_unaligned_le32(tmp);
338 	*val %= 1000000;
339 
340 	SMP_DBG("val %06u", *val);
341 
342 	return 0;
343 }
344 
345 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
346 		  const u8 key_id[4], u8 res[16])
347 {
348 	int err;
349 
350 	SMP_DBG("w %16phN key_id %4phN", w, key_id);
351 
352 	err = aes_cmac(tfm_cmac, w, key_id, 4, res);
353 	if (err)
354 		return err;
355 
356 	SMP_DBG("res %16phN", res);
357 
358 	return err;
359 }
360 
361 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
362 		  const u8 salt[16], u8 res[16])
363 {
364 	int err;
365 
366 	SMP_DBG("w %16phN salt %16phN", w, salt);
367 
368 	err = aes_cmac(tfm_cmac, salt, w, 16, res);
369 	if (err)
370 		return err;
371 
372 	SMP_DBG("res %16phN", res);
373 
374 	return err;
375 }
376 
377 /* The following functions map to the legacy SMP crypto functions e, c1,
378  * s1 and ah.
379  */
380 
381 static int smp_e(struct crypto_cipher *tfm, const u8 *k, u8 *r)
382 {
383 	uint8_t tmp[16], data[16];
384 	int err;
385 
386 	SMP_DBG("k %16phN r %16phN", k, r);
387 
388 	if (!tfm) {
389 		BT_ERR("tfm %p", tfm);
390 		return -EINVAL;
391 	}
392 
393 	/* The most significant octet of key corresponds to k[0] */
394 	swap_buf(k, tmp, 16);
395 
396 	err = crypto_cipher_setkey(tfm, tmp, 16);
397 	if (err) {
398 		BT_ERR("cipher setkey failed: %d", err);
399 		return err;
400 	}
401 
402 	/* Most significant octet of plaintextData corresponds to data[0] */
403 	swap_buf(r, data, 16);
404 
405 	crypto_cipher_encrypt_one(tfm, data, data);
406 
407 	/* Most significant octet of encryptedData corresponds to data[0] */
408 	swap_buf(data, r, 16);
409 
410 	SMP_DBG("r %16phN", r);
411 
412 	return err;
413 }
414 
415 static int smp_c1(struct crypto_cipher *tfm_aes, const u8 k[16],
416 		  const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
417 		  const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
418 {
419 	u8 p1[16], p2[16];
420 	int err;
421 
422 	SMP_DBG("k %16phN r %16phN", k, r);
423 	SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
424 	SMP_DBG("preq %7phN pres %7phN", preq, pres);
425 
426 	memset(p1, 0, 16);
427 
428 	/* p1 = pres || preq || _rat || _iat */
429 	p1[0] = _iat;
430 	p1[1] = _rat;
431 	memcpy(p1 + 2, preq, 7);
432 	memcpy(p1 + 9, pres, 7);
433 
434 	SMP_DBG("p1 %16phN", p1);
435 
436 	/* res = r XOR p1 */
437 	u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
438 
439 	/* res = e(k, res) */
440 	err = smp_e(tfm_aes, k, res);
441 	if (err) {
442 		BT_ERR("Encrypt data error");
443 		return err;
444 	}
445 
446 	/* p2 = padding || ia || ra */
447 	memcpy(p2, ra, 6);
448 	memcpy(p2 + 6, ia, 6);
449 	memset(p2 + 12, 0, 4);
450 
451 	SMP_DBG("p2 %16phN", p2);
452 
453 	/* res = res XOR p2 */
454 	u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
455 
456 	/* res = e(k, res) */
457 	err = smp_e(tfm_aes, k, res);
458 	if (err)
459 		BT_ERR("Encrypt data error");
460 
461 	return err;
462 }
463 
464 static int smp_s1(struct crypto_cipher *tfm_aes, const u8 k[16],
465 		  const u8 r1[16], const u8 r2[16], u8 _r[16])
466 {
467 	int err;
468 
469 	/* Just least significant octets from r1 and r2 are considered */
470 	memcpy(_r, r2, 8);
471 	memcpy(_r + 8, r1, 8);
472 
473 	err = smp_e(tfm_aes, k, _r);
474 	if (err)
475 		BT_ERR("Encrypt data error");
476 
477 	return err;
478 }
479 
480 static int smp_ah(struct crypto_cipher *tfm, const u8 irk[16],
481 		  const u8 r[3], u8 res[3])
482 {
483 	u8 _res[16];
484 	int err;
485 
486 	/* r' = padding || r */
487 	memcpy(_res, r, 3);
488 	memset(_res + 3, 0, 13);
489 
490 	err = smp_e(tfm, irk, _res);
491 	if (err) {
492 		BT_ERR("Encrypt error");
493 		return err;
494 	}
495 
496 	/* The output of the random address function ah is:
497 	 *	ah(k, r) = e(k, r') mod 2^24
498 	 * The output of the security function e is then truncated to 24 bits
499 	 * by taking the least significant 24 bits of the output of e as the
500 	 * result of ah.
501 	 */
502 	memcpy(res, _res, 3);
503 
504 	return 0;
505 }
506 
507 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
508 		     const bdaddr_t *bdaddr)
509 {
510 	struct l2cap_chan *chan = hdev->smp_data;
511 	struct smp_dev *smp;
512 	u8 hash[3];
513 	int err;
514 
515 	if (!chan || !chan->data)
516 		return false;
517 
518 	smp = chan->data;
519 
520 	BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
521 
522 	err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash);
523 	if (err)
524 		return false;
525 
526 	return !memcmp(bdaddr->b, hash, 3);
527 }
528 
529 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
530 {
531 	struct l2cap_chan *chan = hdev->smp_data;
532 	struct smp_dev *smp;
533 	int err;
534 
535 	if (!chan || !chan->data)
536 		return -EOPNOTSUPP;
537 
538 	smp = chan->data;
539 
540 	get_random_bytes(&rpa->b[3], 3);
541 
542 	rpa->b[5] &= 0x3f;	/* Clear two most significant bits */
543 	rpa->b[5] |= 0x40;	/* Set second most significant bit */
544 
545 	err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b);
546 	if (err < 0)
547 		return err;
548 
549 	BT_DBG("RPA %pMR", rpa);
550 
551 	return 0;
552 }
553 
554 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
555 {
556 	struct l2cap_chan *chan = hdev->smp_data;
557 	struct smp_dev *smp;
558 	int err;
559 
560 	if (!chan || !chan->data)
561 		return -EOPNOTSUPP;
562 
563 	smp = chan->data;
564 
565 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
566 		BT_DBG("Using debug keys");
567 		memcpy(smp->local_pk, debug_pk, 64);
568 		memcpy(smp->local_sk, debug_sk, 32);
569 		smp->debug_key = true;
570 	} else {
571 		while (true) {
572 			/* Generate local key pair for Secure Connections */
573 			if (!ecc_make_key(smp->local_pk, smp->local_sk))
574 				return -EIO;
575 
576 			/* This is unlikely, but we need to check that
577 			 * we didn't accidentially generate a debug key.
578 			 */
579 			if (memcmp(smp->local_sk, debug_sk, 32))
580 				break;
581 		}
582 		smp->debug_key = false;
583 	}
584 
585 	SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
586 	SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
587 	SMP_DBG("OOB Private Key:  %32phN", smp->local_sk);
588 
589 	get_random_bytes(smp->local_rand, 16);
590 
591 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
592 		     smp->local_rand, 0, hash);
593 	if (err < 0)
594 		return err;
595 
596 	memcpy(rand, smp->local_rand, 16);
597 
598 	return 0;
599 }
600 
601 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
602 {
603 	struct l2cap_chan *chan = conn->smp;
604 	struct smp_chan *smp;
605 	struct kvec iv[2];
606 	struct msghdr msg;
607 
608 	if (!chan)
609 		return;
610 
611 	BT_DBG("code 0x%2.2x", code);
612 
613 	iv[0].iov_base = &code;
614 	iv[0].iov_len = 1;
615 
616 	iv[1].iov_base = data;
617 	iv[1].iov_len = len;
618 
619 	memset(&msg, 0, sizeof(msg));
620 
621 	iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
622 
623 	l2cap_chan_send(chan, &msg, 1 + len);
624 
625 	if (!chan->data)
626 		return;
627 
628 	smp = chan->data;
629 
630 	cancel_delayed_work_sync(&smp->security_timer);
631 	schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
632 }
633 
634 static u8 authreq_to_seclevel(u8 authreq)
635 {
636 	if (authreq & SMP_AUTH_MITM) {
637 		if (authreq & SMP_AUTH_SC)
638 			return BT_SECURITY_FIPS;
639 		else
640 			return BT_SECURITY_HIGH;
641 	} else {
642 		return BT_SECURITY_MEDIUM;
643 	}
644 }
645 
646 static __u8 seclevel_to_authreq(__u8 sec_level)
647 {
648 	switch (sec_level) {
649 	case BT_SECURITY_FIPS:
650 	case BT_SECURITY_HIGH:
651 		return SMP_AUTH_MITM | SMP_AUTH_BONDING;
652 	case BT_SECURITY_MEDIUM:
653 		return SMP_AUTH_BONDING;
654 	default:
655 		return SMP_AUTH_NONE;
656 	}
657 }
658 
659 static void build_pairing_cmd(struct l2cap_conn *conn,
660 			      struct smp_cmd_pairing *req,
661 			      struct smp_cmd_pairing *rsp, __u8 authreq)
662 {
663 	struct l2cap_chan *chan = conn->smp;
664 	struct smp_chan *smp = chan->data;
665 	struct hci_conn *hcon = conn->hcon;
666 	struct hci_dev *hdev = hcon->hdev;
667 	u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
668 
669 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
670 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
671 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
672 		authreq |= SMP_AUTH_BONDING;
673 	} else {
674 		authreq &= ~SMP_AUTH_BONDING;
675 	}
676 
677 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
678 		remote_dist |= SMP_DIST_ID_KEY;
679 
680 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
681 		local_dist |= SMP_DIST_ID_KEY;
682 
683 	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
684 	    (authreq & SMP_AUTH_SC)) {
685 		struct oob_data *oob_data;
686 		u8 bdaddr_type;
687 
688 		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
689 			local_dist |= SMP_DIST_LINK_KEY;
690 			remote_dist |= SMP_DIST_LINK_KEY;
691 		}
692 
693 		if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
694 			bdaddr_type = BDADDR_LE_PUBLIC;
695 		else
696 			bdaddr_type = BDADDR_LE_RANDOM;
697 
698 		oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
699 						    bdaddr_type);
700 		if (oob_data && oob_data->present) {
701 			set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
702 			oob_flag = SMP_OOB_PRESENT;
703 			memcpy(smp->rr, oob_data->rand256, 16);
704 			memcpy(smp->pcnf, oob_data->hash256, 16);
705 			SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
706 			SMP_DBG("OOB Remote Random: %16phN", smp->rr);
707 		}
708 
709 	} else {
710 		authreq &= ~SMP_AUTH_SC;
711 	}
712 
713 	if (rsp == NULL) {
714 		req->io_capability = conn->hcon->io_capability;
715 		req->oob_flag = oob_flag;
716 		req->max_key_size = SMP_DEV(hdev)->max_key_size;
717 		req->init_key_dist = local_dist;
718 		req->resp_key_dist = remote_dist;
719 		req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
720 
721 		smp->remote_key_dist = remote_dist;
722 		return;
723 	}
724 
725 	rsp->io_capability = conn->hcon->io_capability;
726 	rsp->oob_flag = oob_flag;
727 	rsp->max_key_size = SMP_DEV(hdev)->max_key_size;
728 	rsp->init_key_dist = req->init_key_dist & remote_dist;
729 	rsp->resp_key_dist = req->resp_key_dist & local_dist;
730 	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
731 
732 	smp->remote_key_dist = rsp->init_key_dist;
733 }
734 
735 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
736 {
737 	struct l2cap_chan *chan = conn->smp;
738 	struct hci_dev *hdev = conn->hcon->hdev;
739 	struct smp_chan *smp = chan->data;
740 
741 	if (max_key_size > SMP_DEV(hdev)->max_key_size ||
742 	    max_key_size < SMP_MIN_ENC_KEY_SIZE)
743 		return SMP_ENC_KEY_SIZE;
744 
745 	smp->enc_key_size = max_key_size;
746 
747 	return 0;
748 }
749 
750 static void smp_chan_destroy(struct l2cap_conn *conn)
751 {
752 	struct l2cap_chan *chan = conn->smp;
753 	struct smp_chan *smp = chan->data;
754 	struct hci_conn *hcon = conn->hcon;
755 	bool complete;
756 
757 	BUG_ON(!smp);
758 
759 	cancel_delayed_work_sync(&smp->security_timer);
760 
761 	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
762 	mgmt_smp_complete(hcon, complete);
763 
764 	kzfree(smp->csrk);
765 	kzfree(smp->slave_csrk);
766 	kzfree(smp->link_key);
767 
768 	crypto_free_cipher(smp->tfm_aes);
769 	crypto_free_shash(smp->tfm_cmac);
770 
771 	/* Ensure that we don't leave any debug key around if debug key
772 	 * support hasn't been explicitly enabled.
773 	 */
774 	if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
775 	    !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
776 		list_del_rcu(&smp->ltk->list);
777 		kfree_rcu(smp->ltk, rcu);
778 		smp->ltk = NULL;
779 	}
780 
781 	/* If pairing failed clean up any keys we might have */
782 	if (!complete) {
783 		if (smp->ltk) {
784 			list_del_rcu(&smp->ltk->list);
785 			kfree_rcu(smp->ltk, rcu);
786 		}
787 
788 		if (smp->slave_ltk) {
789 			list_del_rcu(&smp->slave_ltk->list);
790 			kfree_rcu(smp->slave_ltk, rcu);
791 		}
792 
793 		if (smp->remote_irk) {
794 			list_del_rcu(&smp->remote_irk->list);
795 			kfree_rcu(smp->remote_irk, rcu);
796 		}
797 	}
798 
799 	chan->data = NULL;
800 	kzfree(smp);
801 	hci_conn_drop(hcon);
802 }
803 
804 static void smp_failure(struct l2cap_conn *conn, u8 reason)
805 {
806 	struct hci_conn *hcon = conn->hcon;
807 	struct l2cap_chan *chan = conn->smp;
808 
809 	if (reason)
810 		smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
811 			     &reason);
812 
813 	mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
814 
815 	if (chan->data)
816 		smp_chan_destroy(conn);
817 }
818 
819 #define JUST_WORKS	0x00
820 #define JUST_CFM	0x01
821 #define REQ_PASSKEY	0x02
822 #define CFM_PASSKEY	0x03
823 #define REQ_OOB		0x04
824 #define DSP_PASSKEY	0x05
825 #define OVERLAP		0xFF
826 
827 static const u8 gen_method[5][5] = {
828 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
829 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
830 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
831 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
832 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
833 };
834 
835 static const u8 sc_method[5][5] = {
836 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
837 	{ JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
838 	{ DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
839 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
840 	{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
841 };
842 
843 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
844 {
845 	/* If either side has unknown io_caps, use JUST_CFM (which gets
846 	 * converted later to JUST_WORKS if we're initiators.
847 	 */
848 	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
849 	    remote_io > SMP_IO_KEYBOARD_DISPLAY)
850 		return JUST_CFM;
851 
852 	if (test_bit(SMP_FLAG_SC, &smp->flags))
853 		return sc_method[remote_io][local_io];
854 
855 	return gen_method[remote_io][local_io];
856 }
857 
858 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
859 						u8 local_io, u8 remote_io)
860 {
861 	struct hci_conn *hcon = conn->hcon;
862 	struct l2cap_chan *chan = conn->smp;
863 	struct smp_chan *smp = chan->data;
864 	u32 passkey = 0;
865 	int ret = 0;
866 
867 	/* Initialize key for JUST WORKS */
868 	memset(smp->tk, 0, sizeof(smp->tk));
869 	clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
870 
871 	BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
872 
873 	/* If neither side wants MITM, either "just" confirm an incoming
874 	 * request or use just-works for outgoing ones. The JUST_CFM
875 	 * will be converted to JUST_WORKS if necessary later in this
876 	 * function. If either side has MITM look up the method from the
877 	 * table.
878 	 */
879 	if (!(auth & SMP_AUTH_MITM))
880 		smp->method = JUST_CFM;
881 	else
882 		smp->method = get_auth_method(smp, local_io, remote_io);
883 
884 	/* Don't confirm locally initiated pairing attempts */
885 	if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
886 						&smp->flags))
887 		smp->method = JUST_WORKS;
888 
889 	/* Don't bother user space with no IO capabilities */
890 	if (smp->method == JUST_CFM &&
891 	    hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
892 		smp->method = JUST_WORKS;
893 
894 	/* If Just Works, Continue with Zero TK */
895 	if (smp->method == JUST_WORKS) {
896 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
897 		return 0;
898 	}
899 
900 	/* If this function is used for SC -> legacy fallback we
901 	 * can only recover the just-works case.
902 	 */
903 	if (test_bit(SMP_FLAG_SC, &smp->flags))
904 		return -EINVAL;
905 
906 	/* Not Just Works/Confirm results in MITM Authentication */
907 	if (smp->method != JUST_CFM) {
908 		set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
909 		if (hcon->pending_sec_level < BT_SECURITY_HIGH)
910 			hcon->pending_sec_level = BT_SECURITY_HIGH;
911 	}
912 
913 	/* If both devices have Keyoard-Display I/O, the master
914 	 * Confirms and the slave Enters the passkey.
915 	 */
916 	if (smp->method == OVERLAP) {
917 		if (hcon->role == HCI_ROLE_MASTER)
918 			smp->method = CFM_PASSKEY;
919 		else
920 			smp->method = REQ_PASSKEY;
921 	}
922 
923 	/* Generate random passkey. */
924 	if (smp->method == CFM_PASSKEY) {
925 		memset(smp->tk, 0, sizeof(smp->tk));
926 		get_random_bytes(&passkey, sizeof(passkey));
927 		passkey %= 1000000;
928 		put_unaligned_le32(passkey, smp->tk);
929 		BT_DBG("PassKey: %d", passkey);
930 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
931 	}
932 
933 	if (smp->method == REQ_PASSKEY)
934 		ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
935 						hcon->type, hcon->dst_type);
936 	else if (smp->method == JUST_CFM)
937 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
938 						hcon->type, hcon->dst_type,
939 						passkey, 1);
940 	else
941 		ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
942 						hcon->type, hcon->dst_type,
943 						passkey, 0);
944 
945 	return ret;
946 }
947 
948 static u8 smp_confirm(struct smp_chan *smp)
949 {
950 	struct l2cap_conn *conn = smp->conn;
951 	struct smp_cmd_pairing_confirm cp;
952 	int ret;
953 
954 	BT_DBG("conn %p", conn);
955 
956 	ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
957 		     conn->hcon->init_addr_type, &conn->hcon->init_addr,
958 		     conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
959 		     cp.confirm_val);
960 	if (ret)
961 		return SMP_UNSPECIFIED;
962 
963 	clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
964 
965 	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
966 
967 	if (conn->hcon->out)
968 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
969 	else
970 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
971 
972 	return 0;
973 }
974 
975 static u8 smp_random(struct smp_chan *smp)
976 {
977 	struct l2cap_conn *conn = smp->conn;
978 	struct hci_conn *hcon = conn->hcon;
979 	u8 confirm[16];
980 	int ret;
981 
982 	if (IS_ERR_OR_NULL(smp->tfm_aes))
983 		return SMP_UNSPECIFIED;
984 
985 	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
986 
987 	ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
988 		     hcon->init_addr_type, &hcon->init_addr,
989 		     hcon->resp_addr_type, &hcon->resp_addr, confirm);
990 	if (ret)
991 		return SMP_UNSPECIFIED;
992 
993 	if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
994 		BT_ERR("Pairing failed (confirmation values mismatch)");
995 		return SMP_CONFIRM_FAILED;
996 	}
997 
998 	if (hcon->out) {
999 		u8 stk[16];
1000 		__le64 rand = 0;
1001 		__le16 ediv = 0;
1002 
1003 		smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
1004 
1005 		if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1006 			return SMP_UNSPECIFIED;
1007 
1008 		hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1009 		hcon->enc_key_size = smp->enc_key_size;
1010 		set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1011 	} else {
1012 		u8 stk[16], auth;
1013 		__le64 rand = 0;
1014 		__le16 ediv = 0;
1015 
1016 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1017 			     smp->prnd);
1018 
1019 		smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
1020 
1021 		if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1022 			auth = 1;
1023 		else
1024 			auth = 0;
1025 
1026 		/* Even though there's no _SLAVE suffix this is the
1027 		 * slave STK we're adding for later lookup (the master
1028 		 * STK never needs to be stored).
1029 		 */
1030 		hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1031 			    SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1032 	}
1033 
1034 	return 0;
1035 }
1036 
1037 static void smp_notify_keys(struct l2cap_conn *conn)
1038 {
1039 	struct l2cap_chan *chan = conn->smp;
1040 	struct smp_chan *smp = chan->data;
1041 	struct hci_conn *hcon = conn->hcon;
1042 	struct hci_dev *hdev = hcon->hdev;
1043 	struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1044 	struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1045 	bool persistent;
1046 
1047 	if (hcon->type == ACL_LINK) {
1048 		if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1049 			persistent = false;
1050 		else
1051 			persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1052 					       &hcon->flags);
1053 	} else {
1054 		/* The LTKs, IRKs and CSRKs should be persistent only if
1055 		 * both sides had the bonding bit set in their
1056 		 * authentication requests.
1057 		 */
1058 		persistent = !!((req->auth_req & rsp->auth_req) &
1059 				SMP_AUTH_BONDING);
1060 	}
1061 
1062 	if (smp->remote_irk) {
1063 		mgmt_new_irk(hdev, smp->remote_irk, persistent);
1064 
1065 		/* Now that user space can be considered to know the
1066 		 * identity address track the connection based on it
1067 		 * from now on (assuming this is an LE link).
1068 		 */
1069 		if (hcon->type == LE_LINK) {
1070 			bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1071 			hcon->dst_type = smp->remote_irk->addr_type;
1072 			queue_work(hdev->workqueue, &conn->id_addr_update_work);
1073 		}
1074 	}
1075 
1076 	if (smp->csrk) {
1077 		smp->csrk->bdaddr_type = hcon->dst_type;
1078 		bacpy(&smp->csrk->bdaddr, &hcon->dst);
1079 		mgmt_new_csrk(hdev, smp->csrk, persistent);
1080 	}
1081 
1082 	if (smp->slave_csrk) {
1083 		smp->slave_csrk->bdaddr_type = hcon->dst_type;
1084 		bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1085 		mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1086 	}
1087 
1088 	if (smp->ltk) {
1089 		smp->ltk->bdaddr_type = hcon->dst_type;
1090 		bacpy(&smp->ltk->bdaddr, &hcon->dst);
1091 		mgmt_new_ltk(hdev, smp->ltk, persistent);
1092 	}
1093 
1094 	if (smp->slave_ltk) {
1095 		smp->slave_ltk->bdaddr_type = hcon->dst_type;
1096 		bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1097 		mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1098 	}
1099 
1100 	if (smp->link_key) {
1101 		struct link_key *key;
1102 		u8 type;
1103 
1104 		if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1105 			type = HCI_LK_DEBUG_COMBINATION;
1106 		else if (hcon->sec_level == BT_SECURITY_FIPS)
1107 			type = HCI_LK_AUTH_COMBINATION_P256;
1108 		else
1109 			type = HCI_LK_UNAUTH_COMBINATION_P256;
1110 
1111 		key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1112 				       smp->link_key, type, 0, &persistent);
1113 		if (key) {
1114 			mgmt_new_link_key(hdev, key, persistent);
1115 
1116 			/* Don't keep debug keys around if the relevant
1117 			 * flag is not set.
1118 			 */
1119 			if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1120 			    key->type == HCI_LK_DEBUG_COMBINATION) {
1121 				list_del_rcu(&key->list);
1122 				kfree_rcu(key, rcu);
1123 			}
1124 		}
1125 	}
1126 }
1127 
1128 static void sc_add_ltk(struct smp_chan *smp)
1129 {
1130 	struct hci_conn *hcon = smp->conn->hcon;
1131 	u8 key_type, auth;
1132 
1133 	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1134 		key_type = SMP_LTK_P256_DEBUG;
1135 	else
1136 		key_type = SMP_LTK_P256;
1137 
1138 	if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1139 		auth = 1;
1140 	else
1141 		auth = 0;
1142 
1143 	smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1144 			       key_type, auth, smp->tk, smp->enc_key_size,
1145 			       0, 0);
1146 }
1147 
1148 static void sc_generate_link_key(struct smp_chan *smp)
1149 {
1150 	/* From core spec. Spells out in ASCII as 'lebr'. */
1151 	const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1152 
1153 	smp->link_key = kzalloc(16, GFP_KERNEL);
1154 	if (!smp->link_key)
1155 		return;
1156 
1157 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1158 		/* SALT = 0x00000000000000000000000000000000746D7031 */
1159 		const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1160 
1161 		if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1162 			kzfree(smp->link_key);
1163 			smp->link_key = NULL;
1164 			return;
1165 		}
1166 	} else {
1167 		/* From core spec. Spells out in ASCII as 'tmp1'. */
1168 		const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1169 
1170 		if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1171 			kzfree(smp->link_key);
1172 			smp->link_key = NULL;
1173 			return;
1174 		}
1175 	}
1176 
1177 	if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1178 		kzfree(smp->link_key);
1179 		smp->link_key = NULL;
1180 		return;
1181 	}
1182 }
1183 
1184 static void smp_allow_key_dist(struct smp_chan *smp)
1185 {
1186 	/* Allow the first expected phase 3 PDU. The rest of the PDUs
1187 	 * will be allowed in each PDU handler to ensure we receive
1188 	 * them in the correct order.
1189 	 */
1190 	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1191 		SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1192 	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1193 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1194 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
1195 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1196 }
1197 
1198 static void sc_generate_ltk(struct smp_chan *smp)
1199 {
1200 	/* From core spec. Spells out in ASCII as 'brle'. */
1201 	const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1202 	struct hci_conn *hcon = smp->conn->hcon;
1203 	struct hci_dev *hdev = hcon->hdev;
1204 	struct link_key *key;
1205 
1206 	key = hci_find_link_key(hdev, &hcon->dst);
1207 	if (!key) {
1208 		BT_ERR("%s No Link Key found to generate LTK", hdev->name);
1209 		return;
1210 	}
1211 
1212 	if (key->type == HCI_LK_DEBUG_COMBINATION)
1213 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1214 
1215 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1216 		/* SALT = 0x00000000000000000000000000000000746D7032 */
1217 		const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1218 
1219 		if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1220 			return;
1221 	} else {
1222 		/* From core spec. Spells out in ASCII as 'tmp2'. */
1223 		const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1224 
1225 		if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1226 			return;
1227 	}
1228 
1229 	if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1230 		return;
1231 
1232 	sc_add_ltk(smp);
1233 }
1234 
1235 static void smp_distribute_keys(struct smp_chan *smp)
1236 {
1237 	struct smp_cmd_pairing *req, *rsp;
1238 	struct l2cap_conn *conn = smp->conn;
1239 	struct hci_conn *hcon = conn->hcon;
1240 	struct hci_dev *hdev = hcon->hdev;
1241 	__u8 *keydist;
1242 
1243 	BT_DBG("conn %p", conn);
1244 
1245 	rsp = (void *) &smp->prsp[1];
1246 
1247 	/* The responder sends its keys first */
1248 	if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1249 		smp_allow_key_dist(smp);
1250 		return;
1251 	}
1252 
1253 	req = (void *) &smp->preq[1];
1254 
1255 	if (hcon->out) {
1256 		keydist = &rsp->init_key_dist;
1257 		*keydist &= req->init_key_dist;
1258 	} else {
1259 		keydist = &rsp->resp_key_dist;
1260 		*keydist &= req->resp_key_dist;
1261 	}
1262 
1263 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1264 		if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1265 			sc_generate_link_key(smp);
1266 		if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1267 			sc_generate_ltk(smp);
1268 
1269 		/* Clear the keys which are generated but not distributed */
1270 		*keydist &= ~SMP_SC_NO_DIST;
1271 	}
1272 
1273 	BT_DBG("keydist 0x%x", *keydist);
1274 
1275 	if (*keydist & SMP_DIST_ENC_KEY) {
1276 		struct smp_cmd_encrypt_info enc;
1277 		struct smp_cmd_master_ident ident;
1278 		struct smp_ltk *ltk;
1279 		u8 authenticated;
1280 		__le16 ediv;
1281 		__le64 rand;
1282 
1283 		/* Make sure we generate only the significant amount of
1284 		 * bytes based on the encryption key size, and set the rest
1285 		 * of the value to zeroes.
1286 		 */
1287 		get_random_bytes(enc.ltk, smp->enc_key_size);
1288 		memset(enc.ltk + smp->enc_key_size, 0,
1289 		       sizeof(enc.ltk) - smp->enc_key_size);
1290 
1291 		get_random_bytes(&ediv, sizeof(ediv));
1292 		get_random_bytes(&rand, sizeof(rand));
1293 
1294 		smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1295 
1296 		authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1297 		ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1298 				  SMP_LTK_SLAVE, authenticated, enc.ltk,
1299 				  smp->enc_key_size, ediv, rand);
1300 		smp->slave_ltk = ltk;
1301 
1302 		ident.ediv = ediv;
1303 		ident.rand = rand;
1304 
1305 		smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1306 
1307 		*keydist &= ~SMP_DIST_ENC_KEY;
1308 	}
1309 
1310 	if (*keydist & SMP_DIST_ID_KEY) {
1311 		struct smp_cmd_ident_addr_info addrinfo;
1312 		struct smp_cmd_ident_info idinfo;
1313 
1314 		memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1315 
1316 		smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1317 
1318 		/* The hci_conn contains the local identity address
1319 		 * after the connection has been established.
1320 		 *
1321 		 * This is true even when the connection has been
1322 		 * established using a resolvable random address.
1323 		 */
1324 		bacpy(&addrinfo.bdaddr, &hcon->src);
1325 		addrinfo.addr_type = hcon->src_type;
1326 
1327 		smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1328 			     &addrinfo);
1329 
1330 		*keydist &= ~SMP_DIST_ID_KEY;
1331 	}
1332 
1333 	if (*keydist & SMP_DIST_SIGN) {
1334 		struct smp_cmd_sign_info sign;
1335 		struct smp_csrk *csrk;
1336 
1337 		/* Generate a new random key */
1338 		get_random_bytes(sign.csrk, sizeof(sign.csrk));
1339 
1340 		csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1341 		if (csrk) {
1342 			if (hcon->sec_level > BT_SECURITY_MEDIUM)
1343 				csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1344 			else
1345 				csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1346 			memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1347 		}
1348 		smp->slave_csrk = csrk;
1349 
1350 		smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1351 
1352 		*keydist &= ~SMP_DIST_SIGN;
1353 	}
1354 
1355 	/* If there are still keys to be received wait for them */
1356 	if (smp->remote_key_dist & KEY_DIST_MASK) {
1357 		smp_allow_key_dist(smp);
1358 		return;
1359 	}
1360 
1361 	set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1362 	smp_notify_keys(conn);
1363 
1364 	smp_chan_destroy(conn);
1365 }
1366 
1367 static void smp_timeout(struct work_struct *work)
1368 {
1369 	struct smp_chan *smp = container_of(work, struct smp_chan,
1370 					    security_timer.work);
1371 	struct l2cap_conn *conn = smp->conn;
1372 
1373 	BT_DBG("conn %p", conn);
1374 
1375 	hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1376 }
1377 
1378 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1379 {
1380 	struct l2cap_chan *chan = conn->smp;
1381 	struct smp_chan *smp;
1382 
1383 	smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1384 	if (!smp)
1385 		return NULL;
1386 
1387 	smp->tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
1388 	if (IS_ERR(smp->tfm_aes)) {
1389 		BT_ERR("Unable to create AES crypto context");
1390 		kzfree(smp);
1391 		return NULL;
1392 	}
1393 
1394 	smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1395 	if (IS_ERR(smp->tfm_cmac)) {
1396 		BT_ERR("Unable to create CMAC crypto context");
1397 		crypto_free_cipher(smp->tfm_aes);
1398 		kzfree(smp);
1399 		return NULL;
1400 	}
1401 
1402 	smp->conn = conn;
1403 	chan->data = smp;
1404 
1405 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1406 
1407 	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1408 
1409 	hci_conn_hold(conn->hcon);
1410 
1411 	return smp;
1412 }
1413 
1414 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1415 {
1416 	struct hci_conn *hcon = smp->conn->hcon;
1417 	u8 *na, *nb, a[7], b[7];
1418 
1419 	if (hcon->out) {
1420 		na   = smp->prnd;
1421 		nb   = smp->rrnd;
1422 	} else {
1423 		na   = smp->rrnd;
1424 		nb   = smp->prnd;
1425 	}
1426 
1427 	memcpy(a, &hcon->init_addr, 6);
1428 	memcpy(b, &hcon->resp_addr, 6);
1429 	a[6] = hcon->init_addr_type;
1430 	b[6] = hcon->resp_addr_type;
1431 
1432 	return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1433 }
1434 
1435 static void sc_dhkey_check(struct smp_chan *smp)
1436 {
1437 	struct hci_conn *hcon = smp->conn->hcon;
1438 	struct smp_cmd_dhkey_check check;
1439 	u8 a[7], b[7], *local_addr, *remote_addr;
1440 	u8 io_cap[3], r[16];
1441 
1442 	memcpy(a, &hcon->init_addr, 6);
1443 	memcpy(b, &hcon->resp_addr, 6);
1444 	a[6] = hcon->init_addr_type;
1445 	b[6] = hcon->resp_addr_type;
1446 
1447 	if (hcon->out) {
1448 		local_addr = a;
1449 		remote_addr = b;
1450 		memcpy(io_cap, &smp->preq[1], 3);
1451 	} else {
1452 		local_addr = b;
1453 		remote_addr = a;
1454 		memcpy(io_cap, &smp->prsp[1], 3);
1455 	}
1456 
1457 	memset(r, 0, sizeof(r));
1458 
1459 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1460 		put_unaligned_le32(hcon->passkey_notify, r);
1461 
1462 	if (smp->method == REQ_OOB)
1463 		memcpy(r, smp->rr, 16);
1464 
1465 	smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1466 	       local_addr, remote_addr, check.e);
1467 
1468 	smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1469 }
1470 
1471 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1472 {
1473 	struct l2cap_conn *conn = smp->conn;
1474 	struct hci_conn *hcon = conn->hcon;
1475 	struct smp_cmd_pairing_confirm cfm;
1476 	u8 r;
1477 
1478 	r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1479 	r |= 0x80;
1480 
1481 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1482 
1483 	if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1484 		   cfm.confirm_val))
1485 		return SMP_UNSPECIFIED;
1486 
1487 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1488 
1489 	return 0;
1490 }
1491 
1492 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1493 {
1494 	struct l2cap_conn *conn = smp->conn;
1495 	struct hci_conn *hcon = conn->hcon;
1496 	struct hci_dev *hdev = hcon->hdev;
1497 	u8 cfm[16], r;
1498 
1499 	/* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1500 	if (smp->passkey_round >= 20)
1501 		return 0;
1502 
1503 	switch (smp_op) {
1504 	case SMP_CMD_PAIRING_RANDOM:
1505 		r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1506 		r |= 0x80;
1507 
1508 		if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1509 			   smp->rrnd, r, cfm))
1510 			return SMP_UNSPECIFIED;
1511 
1512 		if (memcmp(smp->pcnf, cfm, 16))
1513 			return SMP_CONFIRM_FAILED;
1514 
1515 		smp->passkey_round++;
1516 
1517 		if (smp->passkey_round == 20) {
1518 			/* Generate MacKey and LTK */
1519 			if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1520 				return SMP_UNSPECIFIED;
1521 		}
1522 
1523 		/* The round is only complete when the initiator
1524 		 * receives pairing random.
1525 		 */
1526 		if (!hcon->out) {
1527 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1528 				     sizeof(smp->prnd), smp->prnd);
1529 			if (smp->passkey_round == 20)
1530 				SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1531 			else
1532 				SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1533 			return 0;
1534 		}
1535 
1536 		/* Start the next round */
1537 		if (smp->passkey_round != 20)
1538 			return sc_passkey_round(smp, 0);
1539 
1540 		/* Passkey rounds are complete - start DHKey Check */
1541 		sc_dhkey_check(smp);
1542 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1543 
1544 		break;
1545 
1546 	case SMP_CMD_PAIRING_CONFIRM:
1547 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1548 			set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1549 			return 0;
1550 		}
1551 
1552 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1553 
1554 		if (hcon->out) {
1555 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1556 				     sizeof(smp->prnd), smp->prnd);
1557 			return 0;
1558 		}
1559 
1560 		return sc_passkey_send_confirm(smp);
1561 
1562 	case SMP_CMD_PUBLIC_KEY:
1563 	default:
1564 		/* Initiating device starts the round */
1565 		if (!hcon->out)
1566 			return 0;
1567 
1568 		BT_DBG("%s Starting passkey round %u", hdev->name,
1569 		       smp->passkey_round + 1);
1570 
1571 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1572 
1573 		return sc_passkey_send_confirm(smp);
1574 	}
1575 
1576 	return 0;
1577 }
1578 
1579 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1580 {
1581 	struct l2cap_conn *conn = smp->conn;
1582 	struct hci_conn *hcon = conn->hcon;
1583 	u8 smp_op;
1584 
1585 	clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1586 
1587 	switch (mgmt_op) {
1588 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1589 		smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1590 		return 0;
1591 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1592 		smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1593 		return 0;
1594 	case MGMT_OP_USER_PASSKEY_REPLY:
1595 		hcon->passkey_notify = le32_to_cpu(passkey);
1596 		smp->passkey_round = 0;
1597 
1598 		if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1599 			smp_op = SMP_CMD_PAIRING_CONFIRM;
1600 		else
1601 			smp_op = 0;
1602 
1603 		if (sc_passkey_round(smp, smp_op))
1604 			return -EIO;
1605 
1606 		return 0;
1607 	}
1608 
1609 	/* Initiator sends DHKey check first */
1610 	if (hcon->out) {
1611 		sc_dhkey_check(smp);
1612 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1613 	} else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1614 		sc_dhkey_check(smp);
1615 		sc_add_ltk(smp);
1616 	}
1617 
1618 	return 0;
1619 }
1620 
1621 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1622 {
1623 	struct l2cap_conn *conn = hcon->l2cap_data;
1624 	struct l2cap_chan *chan;
1625 	struct smp_chan *smp;
1626 	u32 value;
1627 	int err;
1628 
1629 	BT_DBG("");
1630 
1631 	if (!conn)
1632 		return -ENOTCONN;
1633 
1634 	chan = conn->smp;
1635 	if (!chan)
1636 		return -ENOTCONN;
1637 
1638 	l2cap_chan_lock(chan);
1639 	if (!chan->data) {
1640 		err = -ENOTCONN;
1641 		goto unlock;
1642 	}
1643 
1644 	smp = chan->data;
1645 
1646 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1647 		err = sc_user_reply(smp, mgmt_op, passkey);
1648 		goto unlock;
1649 	}
1650 
1651 	switch (mgmt_op) {
1652 	case MGMT_OP_USER_PASSKEY_REPLY:
1653 		value = le32_to_cpu(passkey);
1654 		memset(smp->tk, 0, sizeof(smp->tk));
1655 		BT_DBG("PassKey: %d", value);
1656 		put_unaligned_le32(value, smp->tk);
1657 		/* Fall Through */
1658 	case MGMT_OP_USER_CONFIRM_REPLY:
1659 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1660 		break;
1661 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1662 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1663 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1664 		err = 0;
1665 		goto unlock;
1666 	default:
1667 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1668 		err = -EOPNOTSUPP;
1669 		goto unlock;
1670 	}
1671 
1672 	err = 0;
1673 
1674 	/* If it is our turn to send Pairing Confirm, do so now */
1675 	if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1676 		u8 rsp = smp_confirm(smp);
1677 		if (rsp)
1678 			smp_failure(conn, rsp);
1679 	}
1680 
1681 unlock:
1682 	l2cap_chan_unlock(chan);
1683 	return err;
1684 }
1685 
1686 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1687 				    struct smp_cmd_pairing *req,
1688 				    struct smp_cmd_pairing *rsp)
1689 {
1690 	struct l2cap_conn *conn = smp->conn;
1691 	struct hci_dev *hdev = conn->hcon->hdev;
1692 	u8 local_dist = 0, remote_dist = 0;
1693 
1694 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1695 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1696 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1697 	}
1698 
1699 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1700 		remote_dist |= SMP_DIST_ID_KEY;
1701 
1702 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1703 		local_dist |= SMP_DIST_ID_KEY;
1704 
1705 	if (!rsp) {
1706 		memset(req, 0, sizeof(*req));
1707 
1708 		req->auth_req        = SMP_AUTH_CT2;
1709 		req->init_key_dist   = local_dist;
1710 		req->resp_key_dist   = remote_dist;
1711 		req->max_key_size    = conn->hcon->enc_key_size;
1712 
1713 		smp->remote_key_dist = remote_dist;
1714 
1715 		return;
1716 	}
1717 
1718 	memset(rsp, 0, sizeof(*rsp));
1719 
1720 	rsp->auth_req        = SMP_AUTH_CT2;
1721 	rsp->max_key_size    = conn->hcon->enc_key_size;
1722 	rsp->init_key_dist   = req->init_key_dist & remote_dist;
1723 	rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1724 
1725 	smp->remote_key_dist = rsp->init_key_dist;
1726 }
1727 
1728 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1729 {
1730 	struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1731 	struct l2cap_chan *chan = conn->smp;
1732 	struct hci_dev *hdev = conn->hcon->hdev;
1733 	struct smp_chan *smp;
1734 	u8 key_size, auth, sec_level;
1735 	int ret;
1736 
1737 	BT_DBG("conn %p", conn);
1738 
1739 	if (skb->len < sizeof(*req))
1740 		return SMP_INVALID_PARAMS;
1741 
1742 	if (conn->hcon->role != HCI_ROLE_SLAVE)
1743 		return SMP_CMD_NOTSUPP;
1744 
1745 	if (!chan->data)
1746 		smp = smp_chan_create(conn);
1747 	else
1748 		smp = chan->data;
1749 
1750 	if (!smp)
1751 		return SMP_UNSPECIFIED;
1752 
1753 	/* We didn't start the pairing, so match remote */
1754 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
1755 
1756 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1757 	    (auth & SMP_AUTH_BONDING))
1758 		return SMP_PAIRING_NOTSUPP;
1759 
1760 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1761 		return SMP_AUTH_REQUIREMENTS;
1762 
1763 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
1764 	memcpy(&smp->preq[1], req, sizeof(*req));
1765 	skb_pull(skb, sizeof(*req));
1766 
1767 	/* If the remote side's OOB flag is set it means it has
1768 	 * successfully received our local OOB data - therefore set the
1769 	 * flag to indicate that local OOB is in use.
1770 	 */
1771 	if (req->oob_flag == SMP_OOB_PRESENT)
1772 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1773 
1774 	/* SMP over BR/EDR requires special treatment */
1775 	if (conn->hcon->type == ACL_LINK) {
1776 		/* We must have a BR/EDR SC link */
1777 		if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1778 		    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1779 			return SMP_CROSS_TRANSP_NOT_ALLOWED;
1780 
1781 		set_bit(SMP_FLAG_SC, &smp->flags);
1782 
1783 		build_bredr_pairing_cmd(smp, req, &rsp);
1784 
1785 		if (req->auth_req & SMP_AUTH_CT2)
1786 			set_bit(SMP_FLAG_CT2, &smp->flags);
1787 
1788 		key_size = min(req->max_key_size, rsp.max_key_size);
1789 		if (check_enc_key_size(conn, key_size))
1790 			return SMP_ENC_KEY_SIZE;
1791 
1792 		/* Clear bits which are generated but not distributed */
1793 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1794 
1795 		smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1796 		memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1797 		smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1798 
1799 		smp_distribute_keys(smp);
1800 		return 0;
1801 	}
1802 
1803 	build_pairing_cmd(conn, req, &rsp, auth);
1804 
1805 	if (rsp.auth_req & SMP_AUTH_SC) {
1806 		set_bit(SMP_FLAG_SC, &smp->flags);
1807 
1808 		if (rsp.auth_req & SMP_AUTH_CT2)
1809 			set_bit(SMP_FLAG_CT2, &smp->flags);
1810 	}
1811 
1812 	if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1813 		sec_level = BT_SECURITY_MEDIUM;
1814 	else
1815 		sec_level = authreq_to_seclevel(auth);
1816 
1817 	if (sec_level > conn->hcon->pending_sec_level)
1818 		conn->hcon->pending_sec_level = sec_level;
1819 
1820 	/* If we need MITM check that it can be achieved */
1821 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1822 		u8 method;
1823 
1824 		method = get_auth_method(smp, conn->hcon->io_capability,
1825 					 req->io_capability);
1826 		if (method == JUST_WORKS || method == JUST_CFM)
1827 			return SMP_AUTH_REQUIREMENTS;
1828 	}
1829 
1830 	key_size = min(req->max_key_size, rsp.max_key_size);
1831 	if (check_enc_key_size(conn, key_size))
1832 		return SMP_ENC_KEY_SIZE;
1833 
1834 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1835 
1836 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1837 	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1838 
1839 	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1840 
1841 	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1842 
1843 	/* Strictly speaking we shouldn't allow Pairing Confirm for the
1844 	 * SC case, however some implementations incorrectly copy RFU auth
1845 	 * req bits from our security request, which may create a false
1846 	 * positive SC enablement.
1847 	 */
1848 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1849 
1850 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1851 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1852 		/* Clear bits which are generated but not distributed */
1853 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1854 		/* Wait for Public Key from Initiating Device */
1855 		return 0;
1856 	}
1857 
1858 	/* Request setup of TK */
1859 	ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1860 	if (ret)
1861 		return SMP_UNSPECIFIED;
1862 
1863 	return 0;
1864 }
1865 
1866 static u8 sc_send_public_key(struct smp_chan *smp)
1867 {
1868 	struct hci_dev *hdev = smp->conn->hcon->hdev;
1869 
1870 	BT_DBG("");
1871 
1872 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1873 		struct l2cap_chan *chan = hdev->smp_data;
1874 		struct smp_dev *smp_dev;
1875 
1876 		if (!chan || !chan->data)
1877 			return SMP_UNSPECIFIED;
1878 
1879 		smp_dev = chan->data;
1880 
1881 		memcpy(smp->local_pk, smp_dev->local_pk, 64);
1882 		memcpy(smp->local_sk, smp_dev->local_sk, 32);
1883 		memcpy(smp->lr, smp_dev->local_rand, 16);
1884 
1885 		if (smp_dev->debug_key)
1886 			set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1887 
1888 		goto done;
1889 	}
1890 
1891 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1892 		BT_DBG("Using debug keys");
1893 		memcpy(smp->local_pk, debug_pk, 64);
1894 		memcpy(smp->local_sk, debug_sk, 32);
1895 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1896 	} else {
1897 		while (true) {
1898 			/* Generate local key pair for Secure Connections */
1899 			if (!ecc_make_key(smp->local_pk, smp->local_sk))
1900 				return SMP_UNSPECIFIED;
1901 
1902 			/* This is unlikely, but we need to check that
1903 			 * we didn't accidentially generate a debug key.
1904 			 */
1905 			if (memcmp(smp->local_sk, debug_sk, 32))
1906 				break;
1907 		}
1908 	}
1909 
1910 done:
1911 	SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1912 	SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1913 	SMP_DBG("Local Private Key:  %32phN", smp->local_sk);
1914 
1915 	smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1916 
1917 	return 0;
1918 }
1919 
1920 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1921 {
1922 	struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1923 	struct l2cap_chan *chan = conn->smp;
1924 	struct smp_chan *smp = chan->data;
1925 	struct hci_dev *hdev = conn->hcon->hdev;
1926 	u8 key_size, auth;
1927 	int ret;
1928 
1929 	BT_DBG("conn %p", conn);
1930 
1931 	if (skb->len < sizeof(*rsp))
1932 		return SMP_INVALID_PARAMS;
1933 
1934 	if (conn->hcon->role != HCI_ROLE_MASTER)
1935 		return SMP_CMD_NOTSUPP;
1936 
1937 	skb_pull(skb, sizeof(*rsp));
1938 
1939 	req = (void *) &smp->preq[1];
1940 
1941 	key_size = min(req->max_key_size, rsp->max_key_size);
1942 	if (check_enc_key_size(conn, key_size))
1943 		return SMP_ENC_KEY_SIZE;
1944 
1945 	auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1946 
1947 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1948 		return SMP_AUTH_REQUIREMENTS;
1949 
1950 	/* If the remote side's OOB flag is set it means it has
1951 	 * successfully received our local OOB data - therefore set the
1952 	 * flag to indicate that local OOB is in use.
1953 	 */
1954 	if (rsp->oob_flag == SMP_OOB_PRESENT)
1955 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1956 
1957 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1958 	memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1959 
1960 	/* Update remote key distribution in case the remote cleared
1961 	 * some bits that we had enabled in our request.
1962 	 */
1963 	smp->remote_key_dist &= rsp->resp_key_dist;
1964 
1965 	if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1966 		set_bit(SMP_FLAG_CT2, &smp->flags);
1967 
1968 	/* For BR/EDR this means we're done and can start phase 3 */
1969 	if (conn->hcon->type == ACL_LINK) {
1970 		/* Clear bits which are generated but not distributed */
1971 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1972 		smp_distribute_keys(smp);
1973 		return 0;
1974 	}
1975 
1976 	if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1977 		set_bit(SMP_FLAG_SC, &smp->flags);
1978 	else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1979 		conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1980 
1981 	/* If we need MITM check that it can be achieved */
1982 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1983 		u8 method;
1984 
1985 		method = get_auth_method(smp, req->io_capability,
1986 					 rsp->io_capability);
1987 		if (method == JUST_WORKS || method == JUST_CFM)
1988 			return SMP_AUTH_REQUIREMENTS;
1989 	}
1990 
1991 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1992 
1993 	/* Update remote key distribution in case the remote cleared
1994 	 * some bits that we had enabled in our request.
1995 	 */
1996 	smp->remote_key_dist &= rsp->resp_key_dist;
1997 
1998 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1999 		/* Clear bits which are generated but not distributed */
2000 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
2001 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2002 		return sc_send_public_key(smp);
2003 	}
2004 
2005 	auth |= req->auth_req;
2006 
2007 	ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2008 	if (ret)
2009 		return SMP_UNSPECIFIED;
2010 
2011 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2012 
2013 	/* Can't compose response until we have been confirmed */
2014 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2015 		return smp_confirm(smp);
2016 
2017 	return 0;
2018 }
2019 
2020 static u8 sc_check_confirm(struct smp_chan *smp)
2021 {
2022 	struct l2cap_conn *conn = smp->conn;
2023 
2024 	BT_DBG("");
2025 
2026 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2027 		return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2028 
2029 	if (conn->hcon->out) {
2030 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2031 			     smp->prnd);
2032 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2033 	}
2034 
2035 	return 0;
2036 }
2037 
2038 /* Work-around for some implementations that incorrectly copy RFU bits
2039  * from our security request and thereby create the impression that
2040  * we're doing SC when in fact the remote doesn't support it.
2041  */
2042 static int fixup_sc_false_positive(struct smp_chan *smp)
2043 {
2044 	struct l2cap_conn *conn = smp->conn;
2045 	struct hci_conn *hcon = conn->hcon;
2046 	struct hci_dev *hdev = hcon->hdev;
2047 	struct smp_cmd_pairing *req, *rsp;
2048 	u8 auth;
2049 
2050 	/* The issue is only observed when we're in slave role */
2051 	if (hcon->out)
2052 		return SMP_UNSPECIFIED;
2053 
2054 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2055 		BT_ERR("Refusing SMP SC -> legacy fallback in SC-only mode");
2056 		return SMP_UNSPECIFIED;
2057 	}
2058 
2059 	BT_ERR("Trying to fall back to legacy SMP");
2060 
2061 	req = (void *) &smp->preq[1];
2062 	rsp = (void *) &smp->prsp[1];
2063 
2064 	/* Rebuild key dist flags which may have been cleared for SC */
2065 	smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2066 
2067 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
2068 
2069 	if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2070 		BT_ERR("Failed to fall back to legacy SMP");
2071 		return SMP_UNSPECIFIED;
2072 	}
2073 
2074 	clear_bit(SMP_FLAG_SC, &smp->flags);
2075 
2076 	return 0;
2077 }
2078 
2079 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2080 {
2081 	struct l2cap_chan *chan = conn->smp;
2082 	struct smp_chan *smp = chan->data;
2083 
2084 	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
2085 
2086 	if (skb->len < sizeof(smp->pcnf))
2087 		return SMP_INVALID_PARAMS;
2088 
2089 	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2090 	skb_pull(skb, sizeof(smp->pcnf));
2091 
2092 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2093 		int ret;
2094 
2095 		/* Public Key exchange must happen before any other steps */
2096 		if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2097 			return sc_check_confirm(smp);
2098 
2099 		BT_ERR("Unexpected SMP Pairing Confirm");
2100 
2101 		ret = fixup_sc_false_positive(smp);
2102 		if (ret)
2103 			return ret;
2104 	}
2105 
2106 	if (conn->hcon->out) {
2107 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2108 			     smp->prnd);
2109 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2110 		return 0;
2111 	}
2112 
2113 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2114 		return smp_confirm(smp);
2115 
2116 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2117 
2118 	return 0;
2119 }
2120 
2121 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2122 {
2123 	struct l2cap_chan *chan = conn->smp;
2124 	struct smp_chan *smp = chan->data;
2125 	struct hci_conn *hcon = conn->hcon;
2126 	u8 *pkax, *pkbx, *na, *nb;
2127 	u32 passkey;
2128 	int err;
2129 
2130 	BT_DBG("conn %p", conn);
2131 
2132 	if (skb->len < sizeof(smp->rrnd))
2133 		return SMP_INVALID_PARAMS;
2134 
2135 	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2136 	skb_pull(skb, sizeof(smp->rrnd));
2137 
2138 	if (!test_bit(SMP_FLAG_SC, &smp->flags))
2139 		return smp_random(smp);
2140 
2141 	if (hcon->out) {
2142 		pkax = smp->local_pk;
2143 		pkbx = smp->remote_pk;
2144 		na   = smp->prnd;
2145 		nb   = smp->rrnd;
2146 	} else {
2147 		pkax = smp->remote_pk;
2148 		pkbx = smp->local_pk;
2149 		na   = smp->rrnd;
2150 		nb   = smp->prnd;
2151 	}
2152 
2153 	if (smp->method == REQ_OOB) {
2154 		if (!hcon->out)
2155 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2156 				     sizeof(smp->prnd), smp->prnd);
2157 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2158 		goto mackey_and_ltk;
2159 	}
2160 
2161 	/* Passkey entry has special treatment */
2162 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2163 		return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2164 
2165 	if (hcon->out) {
2166 		u8 cfm[16];
2167 
2168 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2169 			     smp->rrnd, 0, cfm);
2170 		if (err)
2171 			return SMP_UNSPECIFIED;
2172 
2173 		if (memcmp(smp->pcnf, cfm, 16))
2174 			return SMP_CONFIRM_FAILED;
2175 	} else {
2176 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2177 			     smp->prnd);
2178 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2179 	}
2180 
2181 mackey_and_ltk:
2182 	/* Generate MacKey and LTK */
2183 	err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2184 	if (err)
2185 		return SMP_UNSPECIFIED;
2186 
2187 	if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2188 		if (hcon->out) {
2189 			sc_dhkey_check(smp);
2190 			SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2191 		}
2192 		return 0;
2193 	}
2194 
2195 	err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2196 	if (err)
2197 		return SMP_UNSPECIFIED;
2198 
2199 	err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2200 					hcon->dst_type, passkey, 0);
2201 	if (err)
2202 		return SMP_UNSPECIFIED;
2203 
2204 	set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2205 
2206 	return 0;
2207 }
2208 
2209 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2210 {
2211 	struct smp_ltk *key;
2212 	struct hci_conn *hcon = conn->hcon;
2213 
2214 	key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2215 	if (!key)
2216 		return false;
2217 
2218 	if (smp_ltk_sec_level(key) < sec_level)
2219 		return false;
2220 
2221 	if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2222 		return true;
2223 
2224 	hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2225 	hcon->enc_key_size = key->enc_size;
2226 
2227 	/* We never store STKs for master role, so clear this flag */
2228 	clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2229 
2230 	return true;
2231 }
2232 
2233 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2234 			     enum smp_key_pref key_pref)
2235 {
2236 	if (sec_level == BT_SECURITY_LOW)
2237 		return true;
2238 
2239 	/* If we're encrypted with an STK but the caller prefers using
2240 	 * LTK claim insufficient security. This way we allow the
2241 	 * connection to be re-encrypted with an LTK, even if the LTK
2242 	 * provides the same level of security. Only exception is if we
2243 	 * don't have an LTK (e.g. because of key distribution bits).
2244 	 */
2245 	if (key_pref == SMP_USE_LTK &&
2246 	    test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2247 	    hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2248 		return false;
2249 
2250 	if (hcon->sec_level >= sec_level)
2251 		return true;
2252 
2253 	return false;
2254 }
2255 
2256 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2257 {
2258 	struct smp_cmd_security_req *rp = (void *) skb->data;
2259 	struct smp_cmd_pairing cp;
2260 	struct hci_conn *hcon = conn->hcon;
2261 	struct hci_dev *hdev = hcon->hdev;
2262 	struct smp_chan *smp;
2263 	u8 sec_level, auth;
2264 
2265 	BT_DBG("conn %p", conn);
2266 
2267 	if (skb->len < sizeof(*rp))
2268 		return SMP_INVALID_PARAMS;
2269 
2270 	if (hcon->role != HCI_ROLE_MASTER)
2271 		return SMP_CMD_NOTSUPP;
2272 
2273 	auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2274 
2275 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2276 		return SMP_AUTH_REQUIREMENTS;
2277 
2278 	if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2279 		sec_level = BT_SECURITY_MEDIUM;
2280 	else
2281 		sec_level = authreq_to_seclevel(auth);
2282 
2283 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2284 		return 0;
2285 
2286 	if (sec_level > hcon->pending_sec_level)
2287 		hcon->pending_sec_level = sec_level;
2288 
2289 	if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2290 		return 0;
2291 
2292 	smp = smp_chan_create(conn);
2293 	if (!smp)
2294 		return SMP_UNSPECIFIED;
2295 
2296 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2297 	    (auth & SMP_AUTH_BONDING))
2298 		return SMP_PAIRING_NOTSUPP;
2299 
2300 	skb_pull(skb, sizeof(*rp));
2301 
2302 	memset(&cp, 0, sizeof(cp));
2303 	build_pairing_cmd(conn, &cp, NULL, auth);
2304 
2305 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2306 	memcpy(&smp->preq[1], &cp, sizeof(cp));
2307 
2308 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2309 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2310 
2311 	return 0;
2312 }
2313 
2314 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2315 {
2316 	struct l2cap_conn *conn = hcon->l2cap_data;
2317 	struct l2cap_chan *chan;
2318 	struct smp_chan *smp;
2319 	__u8 authreq;
2320 	int ret;
2321 
2322 	BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2323 
2324 	/* This may be NULL if there's an unexpected disconnection */
2325 	if (!conn)
2326 		return 1;
2327 
2328 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2329 		return 1;
2330 
2331 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2332 		return 1;
2333 
2334 	if (sec_level > hcon->pending_sec_level)
2335 		hcon->pending_sec_level = sec_level;
2336 
2337 	if (hcon->role == HCI_ROLE_MASTER)
2338 		if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2339 			return 0;
2340 
2341 	chan = conn->smp;
2342 	if (!chan) {
2343 		BT_ERR("SMP security requested but not available");
2344 		return 1;
2345 	}
2346 
2347 	l2cap_chan_lock(chan);
2348 
2349 	/* If SMP is already in progress ignore this request */
2350 	if (chan->data) {
2351 		ret = 0;
2352 		goto unlock;
2353 	}
2354 
2355 	smp = smp_chan_create(conn);
2356 	if (!smp) {
2357 		ret = 1;
2358 		goto unlock;
2359 	}
2360 
2361 	authreq = seclevel_to_authreq(sec_level);
2362 
2363 	if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2364 		authreq |= SMP_AUTH_SC;
2365 		if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2366 			authreq |= SMP_AUTH_CT2;
2367 	}
2368 
2369 	/* Require MITM if IO Capability allows or the security level
2370 	 * requires it.
2371 	 */
2372 	if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2373 	    hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2374 		authreq |= SMP_AUTH_MITM;
2375 
2376 	if (hcon->role == HCI_ROLE_MASTER) {
2377 		struct smp_cmd_pairing cp;
2378 
2379 		build_pairing_cmd(conn, &cp, NULL, authreq);
2380 		smp->preq[0] = SMP_CMD_PAIRING_REQ;
2381 		memcpy(&smp->preq[1], &cp, sizeof(cp));
2382 
2383 		smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2384 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2385 	} else {
2386 		struct smp_cmd_security_req cp;
2387 		cp.auth_req = authreq;
2388 		smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2389 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2390 	}
2391 
2392 	set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2393 	ret = 0;
2394 
2395 unlock:
2396 	l2cap_chan_unlock(chan);
2397 	return ret;
2398 }
2399 
2400 void smp_cancel_pairing(struct hci_conn *hcon)
2401 {
2402 	struct l2cap_conn *conn = hcon->l2cap_data;
2403 	struct l2cap_chan *chan;
2404 	struct smp_chan *smp;
2405 
2406 	if (!conn)
2407 		return;
2408 
2409 	chan = conn->smp;
2410 	if (!chan)
2411 		return;
2412 
2413 	l2cap_chan_lock(chan);
2414 
2415 	smp = chan->data;
2416 	if (smp) {
2417 		if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2418 			smp_failure(conn, 0);
2419 		else
2420 			smp_failure(conn, SMP_UNSPECIFIED);
2421 	}
2422 
2423 	l2cap_chan_unlock(chan);
2424 }
2425 
2426 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2427 {
2428 	struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2429 	struct l2cap_chan *chan = conn->smp;
2430 	struct smp_chan *smp = chan->data;
2431 
2432 	BT_DBG("conn %p", conn);
2433 
2434 	if (skb->len < sizeof(*rp))
2435 		return SMP_INVALID_PARAMS;
2436 
2437 	SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2438 
2439 	skb_pull(skb, sizeof(*rp));
2440 
2441 	memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2442 
2443 	return 0;
2444 }
2445 
2446 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2447 {
2448 	struct smp_cmd_master_ident *rp = (void *) skb->data;
2449 	struct l2cap_chan *chan = conn->smp;
2450 	struct smp_chan *smp = chan->data;
2451 	struct hci_dev *hdev = conn->hcon->hdev;
2452 	struct hci_conn *hcon = conn->hcon;
2453 	struct smp_ltk *ltk;
2454 	u8 authenticated;
2455 
2456 	BT_DBG("conn %p", conn);
2457 
2458 	if (skb->len < sizeof(*rp))
2459 		return SMP_INVALID_PARAMS;
2460 
2461 	/* Mark the information as received */
2462 	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2463 
2464 	if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2465 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2466 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
2467 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2468 
2469 	skb_pull(skb, sizeof(*rp));
2470 
2471 	authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2472 	ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2473 			  authenticated, smp->tk, smp->enc_key_size,
2474 			  rp->ediv, rp->rand);
2475 	smp->ltk = ltk;
2476 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2477 		smp_distribute_keys(smp);
2478 
2479 	return 0;
2480 }
2481 
2482 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2483 {
2484 	struct smp_cmd_ident_info *info = (void *) skb->data;
2485 	struct l2cap_chan *chan = conn->smp;
2486 	struct smp_chan *smp = chan->data;
2487 
2488 	BT_DBG("");
2489 
2490 	if (skb->len < sizeof(*info))
2491 		return SMP_INVALID_PARAMS;
2492 
2493 	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2494 
2495 	skb_pull(skb, sizeof(*info));
2496 
2497 	memcpy(smp->irk, info->irk, 16);
2498 
2499 	return 0;
2500 }
2501 
2502 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2503 				   struct sk_buff *skb)
2504 {
2505 	struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2506 	struct l2cap_chan *chan = conn->smp;
2507 	struct smp_chan *smp = chan->data;
2508 	struct hci_conn *hcon = conn->hcon;
2509 	bdaddr_t rpa;
2510 
2511 	BT_DBG("");
2512 
2513 	if (skb->len < sizeof(*info))
2514 		return SMP_INVALID_PARAMS;
2515 
2516 	/* Mark the information as received */
2517 	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2518 
2519 	if (smp->remote_key_dist & SMP_DIST_SIGN)
2520 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2521 
2522 	skb_pull(skb, sizeof(*info));
2523 
2524 	/* Strictly speaking the Core Specification (4.1) allows sending
2525 	 * an empty address which would force us to rely on just the IRK
2526 	 * as "identity information". However, since such
2527 	 * implementations are not known of and in order to not over
2528 	 * complicate our implementation, simply pretend that we never
2529 	 * received an IRK for such a device.
2530 	 *
2531 	 * The Identity Address must also be a Static Random or Public
2532 	 * Address, which hci_is_identity_address() checks for.
2533 	 */
2534 	if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2535 	    !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2536 		BT_ERR("Ignoring IRK with no identity address");
2537 		goto distribute;
2538 	}
2539 
2540 	bacpy(&smp->id_addr, &info->bdaddr);
2541 	smp->id_addr_type = info->addr_type;
2542 
2543 	if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2544 		bacpy(&rpa, &hcon->dst);
2545 	else
2546 		bacpy(&rpa, BDADDR_ANY);
2547 
2548 	smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2549 				      smp->id_addr_type, smp->irk, &rpa);
2550 
2551 distribute:
2552 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2553 		smp_distribute_keys(smp);
2554 
2555 	return 0;
2556 }
2557 
2558 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2559 {
2560 	struct smp_cmd_sign_info *rp = (void *) skb->data;
2561 	struct l2cap_chan *chan = conn->smp;
2562 	struct smp_chan *smp = chan->data;
2563 	struct smp_csrk *csrk;
2564 
2565 	BT_DBG("conn %p", conn);
2566 
2567 	if (skb->len < sizeof(*rp))
2568 		return SMP_INVALID_PARAMS;
2569 
2570 	/* Mark the information as received */
2571 	smp->remote_key_dist &= ~SMP_DIST_SIGN;
2572 
2573 	skb_pull(skb, sizeof(*rp));
2574 
2575 	csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2576 	if (csrk) {
2577 		if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2578 			csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2579 		else
2580 			csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2581 		memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2582 	}
2583 	smp->csrk = csrk;
2584 	smp_distribute_keys(smp);
2585 
2586 	return 0;
2587 }
2588 
2589 static u8 sc_select_method(struct smp_chan *smp)
2590 {
2591 	struct l2cap_conn *conn = smp->conn;
2592 	struct hci_conn *hcon = conn->hcon;
2593 	struct smp_cmd_pairing *local, *remote;
2594 	u8 local_mitm, remote_mitm, local_io, remote_io, method;
2595 
2596 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2597 	    test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2598 		return REQ_OOB;
2599 
2600 	/* The preq/prsp contain the raw Pairing Request/Response PDUs
2601 	 * which are needed as inputs to some crypto functions. To get
2602 	 * the "struct smp_cmd_pairing" from them we need to skip the
2603 	 * first byte which contains the opcode.
2604 	 */
2605 	if (hcon->out) {
2606 		local = (void *) &smp->preq[1];
2607 		remote = (void *) &smp->prsp[1];
2608 	} else {
2609 		local = (void *) &smp->prsp[1];
2610 		remote = (void *) &smp->preq[1];
2611 	}
2612 
2613 	local_io = local->io_capability;
2614 	remote_io = remote->io_capability;
2615 
2616 	local_mitm = (local->auth_req & SMP_AUTH_MITM);
2617 	remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2618 
2619 	/* If either side wants MITM, look up the method from the table,
2620 	 * otherwise use JUST WORKS.
2621 	 */
2622 	if (local_mitm || remote_mitm)
2623 		method = get_auth_method(smp, local_io, remote_io);
2624 	else
2625 		method = JUST_WORKS;
2626 
2627 	/* Don't confirm locally initiated pairing attempts */
2628 	if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2629 		method = JUST_WORKS;
2630 
2631 	return method;
2632 }
2633 
2634 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2635 {
2636 	struct smp_cmd_public_key *key = (void *) skb->data;
2637 	struct hci_conn *hcon = conn->hcon;
2638 	struct l2cap_chan *chan = conn->smp;
2639 	struct smp_chan *smp = chan->data;
2640 	struct hci_dev *hdev = hcon->hdev;
2641 	struct smp_cmd_pairing_confirm cfm;
2642 	int err;
2643 
2644 	BT_DBG("conn %p", conn);
2645 
2646 	if (skb->len < sizeof(*key))
2647 		return SMP_INVALID_PARAMS;
2648 
2649 	memcpy(smp->remote_pk, key, 64);
2650 
2651 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2652 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2653 			     smp->rr, 0, cfm.confirm_val);
2654 		if (err)
2655 			return SMP_UNSPECIFIED;
2656 
2657 		if (memcmp(cfm.confirm_val, smp->pcnf, 16))
2658 			return SMP_CONFIRM_FAILED;
2659 	}
2660 
2661 	/* Non-initiating device sends its public key after receiving
2662 	 * the key from the initiating device.
2663 	 */
2664 	if (!hcon->out) {
2665 		err = sc_send_public_key(smp);
2666 		if (err)
2667 			return err;
2668 	}
2669 
2670 	SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2671 	SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2672 
2673 	if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2674 		return SMP_UNSPECIFIED;
2675 
2676 	SMP_DBG("DHKey %32phN", smp->dhkey);
2677 
2678 	set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2679 
2680 	smp->method = sc_select_method(smp);
2681 
2682 	BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2683 
2684 	/* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2685 	if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2686 		hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2687 	else
2688 		hcon->pending_sec_level = BT_SECURITY_FIPS;
2689 
2690 	if (!memcmp(debug_pk, smp->remote_pk, 64))
2691 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2692 
2693 	if (smp->method == DSP_PASSKEY) {
2694 		get_random_bytes(&hcon->passkey_notify,
2695 				 sizeof(hcon->passkey_notify));
2696 		hcon->passkey_notify %= 1000000;
2697 		hcon->passkey_entered = 0;
2698 		smp->passkey_round = 0;
2699 		if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2700 					     hcon->dst_type,
2701 					     hcon->passkey_notify,
2702 					     hcon->passkey_entered))
2703 			return SMP_UNSPECIFIED;
2704 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2705 		return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2706 	}
2707 
2708 	if (smp->method == REQ_OOB) {
2709 		if (hcon->out)
2710 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2711 				     sizeof(smp->prnd), smp->prnd);
2712 
2713 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2714 
2715 		return 0;
2716 	}
2717 
2718 	if (hcon->out)
2719 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2720 
2721 	if (smp->method == REQ_PASSKEY) {
2722 		if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2723 					      hcon->dst_type))
2724 			return SMP_UNSPECIFIED;
2725 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2726 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2727 		return 0;
2728 	}
2729 
2730 	/* The Initiating device waits for the non-initiating device to
2731 	 * send the confirm value.
2732 	 */
2733 	if (conn->hcon->out)
2734 		return 0;
2735 
2736 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2737 		     0, cfm.confirm_val);
2738 	if (err)
2739 		return SMP_UNSPECIFIED;
2740 
2741 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2742 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2743 
2744 	return 0;
2745 }
2746 
2747 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2748 {
2749 	struct smp_cmd_dhkey_check *check = (void *) skb->data;
2750 	struct l2cap_chan *chan = conn->smp;
2751 	struct hci_conn *hcon = conn->hcon;
2752 	struct smp_chan *smp = chan->data;
2753 	u8 a[7], b[7], *local_addr, *remote_addr;
2754 	u8 io_cap[3], r[16], e[16];
2755 	int err;
2756 
2757 	BT_DBG("conn %p", conn);
2758 
2759 	if (skb->len < sizeof(*check))
2760 		return SMP_INVALID_PARAMS;
2761 
2762 	memcpy(a, &hcon->init_addr, 6);
2763 	memcpy(b, &hcon->resp_addr, 6);
2764 	a[6] = hcon->init_addr_type;
2765 	b[6] = hcon->resp_addr_type;
2766 
2767 	if (hcon->out) {
2768 		local_addr = a;
2769 		remote_addr = b;
2770 		memcpy(io_cap, &smp->prsp[1], 3);
2771 	} else {
2772 		local_addr = b;
2773 		remote_addr = a;
2774 		memcpy(io_cap, &smp->preq[1], 3);
2775 	}
2776 
2777 	memset(r, 0, sizeof(r));
2778 
2779 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2780 		put_unaligned_le32(hcon->passkey_notify, r);
2781 	else if (smp->method == REQ_OOB)
2782 		memcpy(r, smp->lr, 16);
2783 
2784 	err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2785 		     io_cap, remote_addr, local_addr, e);
2786 	if (err)
2787 		return SMP_UNSPECIFIED;
2788 
2789 	if (memcmp(check->e, e, 16))
2790 		return SMP_DHKEY_CHECK_FAILED;
2791 
2792 	if (!hcon->out) {
2793 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2794 			set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2795 			return 0;
2796 		}
2797 
2798 		/* Slave sends DHKey check as response to master */
2799 		sc_dhkey_check(smp);
2800 	}
2801 
2802 	sc_add_ltk(smp);
2803 
2804 	if (hcon->out) {
2805 		hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2806 		hcon->enc_key_size = smp->enc_key_size;
2807 	}
2808 
2809 	return 0;
2810 }
2811 
2812 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2813 				   struct sk_buff *skb)
2814 {
2815 	struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2816 
2817 	BT_DBG("value 0x%02x", kp->value);
2818 
2819 	return 0;
2820 }
2821 
2822 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2823 {
2824 	struct l2cap_conn *conn = chan->conn;
2825 	struct hci_conn *hcon = conn->hcon;
2826 	struct smp_chan *smp;
2827 	__u8 code, reason;
2828 	int err = 0;
2829 
2830 	if (skb->len < 1)
2831 		return -EILSEQ;
2832 
2833 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2834 		reason = SMP_PAIRING_NOTSUPP;
2835 		goto done;
2836 	}
2837 
2838 	code = skb->data[0];
2839 	skb_pull(skb, sizeof(code));
2840 
2841 	smp = chan->data;
2842 
2843 	if (code > SMP_CMD_MAX)
2844 		goto drop;
2845 
2846 	if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2847 		goto drop;
2848 
2849 	/* If we don't have a context the only allowed commands are
2850 	 * pairing request and security request.
2851 	 */
2852 	if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2853 		goto drop;
2854 
2855 	switch (code) {
2856 	case SMP_CMD_PAIRING_REQ:
2857 		reason = smp_cmd_pairing_req(conn, skb);
2858 		break;
2859 
2860 	case SMP_CMD_PAIRING_FAIL:
2861 		smp_failure(conn, 0);
2862 		err = -EPERM;
2863 		break;
2864 
2865 	case SMP_CMD_PAIRING_RSP:
2866 		reason = smp_cmd_pairing_rsp(conn, skb);
2867 		break;
2868 
2869 	case SMP_CMD_SECURITY_REQ:
2870 		reason = smp_cmd_security_req(conn, skb);
2871 		break;
2872 
2873 	case SMP_CMD_PAIRING_CONFIRM:
2874 		reason = smp_cmd_pairing_confirm(conn, skb);
2875 		break;
2876 
2877 	case SMP_CMD_PAIRING_RANDOM:
2878 		reason = smp_cmd_pairing_random(conn, skb);
2879 		break;
2880 
2881 	case SMP_CMD_ENCRYPT_INFO:
2882 		reason = smp_cmd_encrypt_info(conn, skb);
2883 		break;
2884 
2885 	case SMP_CMD_MASTER_IDENT:
2886 		reason = smp_cmd_master_ident(conn, skb);
2887 		break;
2888 
2889 	case SMP_CMD_IDENT_INFO:
2890 		reason = smp_cmd_ident_info(conn, skb);
2891 		break;
2892 
2893 	case SMP_CMD_IDENT_ADDR_INFO:
2894 		reason = smp_cmd_ident_addr_info(conn, skb);
2895 		break;
2896 
2897 	case SMP_CMD_SIGN_INFO:
2898 		reason = smp_cmd_sign_info(conn, skb);
2899 		break;
2900 
2901 	case SMP_CMD_PUBLIC_KEY:
2902 		reason = smp_cmd_public_key(conn, skb);
2903 		break;
2904 
2905 	case SMP_CMD_DHKEY_CHECK:
2906 		reason = smp_cmd_dhkey_check(conn, skb);
2907 		break;
2908 
2909 	case SMP_CMD_KEYPRESS_NOTIFY:
2910 		reason = smp_cmd_keypress_notify(conn, skb);
2911 		break;
2912 
2913 	default:
2914 		BT_DBG("Unknown command code 0x%2.2x", code);
2915 		reason = SMP_CMD_NOTSUPP;
2916 		goto done;
2917 	}
2918 
2919 done:
2920 	if (!err) {
2921 		if (reason)
2922 			smp_failure(conn, reason);
2923 		kfree_skb(skb);
2924 	}
2925 
2926 	return err;
2927 
2928 drop:
2929 	BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2930 	       code, &hcon->dst);
2931 	kfree_skb(skb);
2932 	return 0;
2933 }
2934 
2935 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2936 {
2937 	struct l2cap_conn *conn = chan->conn;
2938 
2939 	BT_DBG("chan %p", chan);
2940 
2941 	if (chan->data)
2942 		smp_chan_destroy(conn);
2943 
2944 	conn->smp = NULL;
2945 	l2cap_chan_put(chan);
2946 }
2947 
2948 static void bredr_pairing(struct l2cap_chan *chan)
2949 {
2950 	struct l2cap_conn *conn = chan->conn;
2951 	struct hci_conn *hcon = conn->hcon;
2952 	struct hci_dev *hdev = hcon->hdev;
2953 	struct smp_cmd_pairing req;
2954 	struct smp_chan *smp;
2955 
2956 	BT_DBG("chan %p", chan);
2957 
2958 	/* Only new pairings are interesting */
2959 	if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2960 		return;
2961 
2962 	/* Don't bother if we're not encrypted */
2963 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2964 		return;
2965 
2966 	/* Only master may initiate SMP over BR/EDR */
2967 	if (hcon->role != HCI_ROLE_MASTER)
2968 		return;
2969 
2970 	/* Secure Connections support must be enabled */
2971 	if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
2972 		return;
2973 
2974 	/* BR/EDR must use Secure Connections for SMP */
2975 	if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
2976 	    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
2977 		return;
2978 
2979 	/* If our LE support is not enabled don't do anything */
2980 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
2981 		return;
2982 
2983 	/* Don't bother if remote LE support is not enabled */
2984 	if (!lmp_host_le_capable(hcon))
2985 		return;
2986 
2987 	/* Remote must support SMP fixed chan for BR/EDR */
2988 	if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
2989 		return;
2990 
2991 	/* Don't bother if SMP is already ongoing */
2992 	if (chan->data)
2993 		return;
2994 
2995 	smp = smp_chan_create(conn);
2996 	if (!smp) {
2997 		BT_ERR("%s unable to create SMP context for BR/EDR",
2998 		       hdev->name);
2999 		return;
3000 	}
3001 
3002 	set_bit(SMP_FLAG_SC, &smp->flags);
3003 
3004 	BT_DBG("%s starting SMP over BR/EDR", hdev->name);
3005 
3006 	/* Prepare and send the BR/EDR SMP Pairing Request */
3007 	build_bredr_pairing_cmd(smp, &req, NULL);
3008 
3009 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
3010 	memcpy(&smp->preq[1], &req, sizeof(req));
3011 
3012 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3013 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3014 }
3015 
3016 static void smp_resume_cb(struct l2cap_chan *chan)
3017 {
3018 	struct smp_chan *smp = chan->data;
3019 	struct l2cap_conn *conn = chan->conn;
3020 	struct hci_conn *hcon = conn->hcon;
3021 
3022 	BT_DBG("chan %p", chan);
3023 
3024 	if (hcon->type == ACL_LINK) {
3025 		bredr_pairing(chan);
3026 		return;
3027 	}
3028 
3029 	if (!smp)
3030 		return;
3031 
3032 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3033 		return;
3034 
3035 	cancel_delayed_work(&smp->security_timer);
3036 
3037 	smp_distribute_keys(smp);
3038 }
3039 
3040 static void smp_ready_cb(struct l2cap_chan *chan)
3041 {
3042 	struct l2cap_conn *conn = chan->conn;
3043 	struct hci_conn *hcon = conn->hcon;
3044 
3045 	BT_DBG("chan %p", chan);
3046 
3047 	/* No need to call l2cap_chan_hold() here since we already own
3048 	 * the reference taken in smp_new_conn_cb(). This is just the
3049 	 * first time that we tie it to a specific pointer. The code in
3050 	 * l2cap_core.c ensures that there's no risk this function wont
3051 	 * get called if smp_new_conn_cb was previously called.
3052 	 */
3053 	conn->smp = chan;
3054 
3055 	if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3056 		bredr_pairing(chan);
3057 }
3058 
3059 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3060 {
3061 	int err;
3062 
3063 	BT_DBG("chan %p", chan);
3064 
3065 	err = smp_sig_channel(chan, skb);
3066 	if (err) {
3067 		struct smp_chan *smp = chan->data;
3068 
3069 		if (smp)
3070 			cancel_delayed_work_sync(&smp->security_timer);
3071 
3072 		hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3073 	}
3074 
3075 	return err;
3076 }
3077 
3078 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3079 					unsigned long hdr_len,
3080 					unsigned long len, int nb)
3081 {
3082 	struct sk_buff *skb;
3083 
3084 	skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3085 	if (!skb)
3086 		return ERR_PTR(-ENOMEM);
3087 
3088 	skb->priority = HCI_PRIO_MAX;
3089 	bt_cb(skb)->l2cap.chan = chan;
3090 
3091 	return skb;
3092 }
3093 
3094 static const struct l2cap_ops smp_chan_ops = {
3095 	.name			= "Security Manager",
3096 	.ready			= smp_ready_cb,
3097 	.recv			= smp_recv_cb,
3098 	.alloc_skb		= smp_alloc_skb_cb,
3099 	.teardown		= smp_teardown_cb,
3100 	.resume			= smp_resume_cb,
3101 
3102 	.new_connection		= l2cap_chan_no_new_connection,
3103 	.state_change		= l2cap_chan_no_state_change,
3104 	.close			= l2cap_chan_no_close,
3105 	.defer			= l2cap_chan_no_defer,
3106 	.suspend		= l2cap_chan_no_suspend,
3107 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3108 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3109 };
3110 
3111 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3112 {
3113 	struct l2cap_chan *chan;
3114 
3115 	BT_DBG("pchan %p", pchan);
3116 
3117 	chan = l2cap_chan_create();
3118 	if (!chan)
3119 		return NULL;
3120 
3121 	chan->chan_type	= pchan->chan_type;
3122 	chan->ops	= &smp_chan_ops;
3123 	chan->scid	= pchan->scid;
3124 	chan->dcid	= chan->scid;
3125 	chan->imtu	= pchan->imtu;
3126 	chan->omtu	= pchan->omtu;
3127 	chan->mode	= pchan->mode;
3128 
3129 	/* Other L2CAP channels may request SMP routines in order to
3130 	 * change the security level. This means that the SMP channel
3131 	 * lock must be considered in its own category to avoid lockdep
3132 	 * warnings.
3133 	 */
3134 	atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3135 
3136 	BT_DBG("created chan %p", chan);
3137 
3138 	return chan;
3139 }
3140 
3141 static const struct l2cap_ops smp_root_chan_ops = {
3142 	.name			= "Security Manager Root",
3143 	.new_connection		= smp_new_conn_cb,
3144 
3145 	/* None of these are implemented for the root channel */
3146 	.close			= l2cap_chan_no_close,
3147 	.alloc_skb		= l2cap_chan_no_alloc_skb,
3148 	.recv			= l2cap_chan_no_recv,
3149 	.state_change		= l2cap_chan_no_state_change,
3150 	.teardown		= l2cap_chan_no_teardown,
3151 	.ready			= l2cap_chan_no_ready,
3152 	.defer			= l2cap_chan_no_defer,
3153 	.suspend		= l2cap_chan_no_suspend,
3154 	.resume			= l2cap_chan_no_resume,
3155 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3156 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3157 };
3158 
3159 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3160 {
3161 	struct l2cap_chan *chan;
3162 	struct smp_dev *smp;
3163 	struct crypto_cipher *tfm_aes;
3164 	struct crypto_shash *tfm_cmac;
3165 
3166 	if (cid == L2CAP_CID_SMP_BREDR) {
3167 		smp = NULL;
3168 		goto create_chan;
3169 	}
3170 
3171 	smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3172 	if (!smp)
3173 		return ERR_PTR(-ENOMEM);
3174 
3175 	tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
3176 	if (IS_ERR(tfm_aes)) {
3177 		BT_ERR("Unable to create AES crypto context");
3178 		kzfree(smp);
3179 		return ERR_CAST(tfm_aes);
3180 	}
3181 
3182 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3183 	if (IS_ERR(tfm_cmac)) {
3184 		BT_ERR("Unable to create CMAC crypto context");
3185 		crypto_free_cipher(tfm_aes);
3186 		kzfree(smp);
3187 		return ERR_CAST(tfm_cmac);
3188 	}
3189 
3190 	smp->tfm_aes = tfm_aes;
3191 	smp->tfm_cmac = tfm_cmac;
3192 	smp->min_key_size = SMP_MIN_ENC_KEY_SIZE;
3193 	smp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
3194 
3195 create_chan:
3196 	chan = l2cap_chan_create();
3197 	if (!chan) {
3198 		if (smp) {
3199 			crypto_free_cipher(smp->tfm_aes);
3200 			crypto_free_shash(smp->tfm_cmac);
3201 			kzfree(smp);
3202 		}
3203 		return ERR_PTR(-ENOMEM);
3204 	}
3205 
3206 	chan->data = smp;
3207 
3208 	l2cap_add_scid(chan, cid);
3209 
3210 	l2cap_chan_set_defaults(chan);
3211 
3212 	if (cid == L2CAP_CID_SMP) {
3213 		u8 bdaddr_type;
3214 
3215 		hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3216 
3217 		if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3218 			chan->src_type = BDADDR_LE_PUBLIC;
3219 		else
3220 			chan->src_type = BDADDR_LE_RANDOM;
3221 	} else {
3222 		bacpy(&chan->src, &hdev->bdaddr);
3223 		chan->src_type = BDADDR_BREDR;
3224 	}
3225 
3226 	chan->state = BT_LISTEN;
3227 	chan->mode = L2CAP_MODE_BASIC;
3228 	chan->imtu = L2CAP_DEFAULT_MTU;
3229 	chan->ops = &smp_root_chan_ops;
3230 
3231 	/* Set correct nesting level for a parent/listening channel */
3232 	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3233 
3234 	return chan;
3235 }
3236 
3237 static void smp_del_chan(struct l2cap_chan *chan)
3238 {
3239 	struct smp_dev *smp;
3240 
3241 	BT_DBG("chan %p", chan);
3242 
3243 	smp = chan->data;
3244 	if (smp) {
3245 		chan->data = NULL;
3246 		crypto_free_cipher(smp->tfm_aes);
3247 		crypto_free_shash(smp->tfm_cmac);
3248 		kzfree(smp);
3249 	}
3250 
3251 	l2cap_chan_put(chan);
3252 }
3253 
3254 static ssize_t force_bredr_smp_read(struct file *file,
3255 				    char __user *user_buf,
3256 				    size_t count, loff_t *ppos)
3257 {
3258 	struct hci_dev *hdev = file->private_data;
3259 	char buf[3];
3260 
3261 	buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3262 	buf[1] = '\n';
3263 	buf[2] = '\0';
3264 	return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3265 }
3266 
3267 static ssize_t force_bredr_smp_write(struct file *file,
3268 				     const char __user *user_buf,
3269 				     size_t count, loff_t *ppos)
3270 {
3271 	struct hci_dev *hdev = file->private_data;
3272 	char buf[32];
3273 	size_t buf_size = min(count, (sizeof(buf)-1));
3274 	bool enable;
3275 
3276 	if (copy_from_user(buf, user_buf, buf_size))
3277 		return -EFAULT;
3278 
3279 	buf[buf_size] = '\0';
3280 	if (strtobool(buf, &enable))
3281 		return -EINVAL;
3282 
3283 	if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3284 		return -EALREADY;
3285 
3286 	if (enable) {
3287 		struct l2cap_chan *chan;
3288 
3289 		chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3290 		if (IS_ERR(chan))
3291 			return PTR_ERR(chan);
3292 
3293 		hdev->smp_bredr_data = chan;
3294 	} else {
3295 		struct l2cap_chan *chan;
3296 
3297 		chan = hdev->smp_bredr_data;
3298 		hdev->smp_bredr_data = NULL;
3299 		smp_del_chan(chan);
3300 	}
3301 
3302 	hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3303 
3304 	return count;
3305 }
3306 
3307 static const struct file_operations force_bredr_smp_fops = {
3308 	.open		= simple_open,
3309 	.read		= force_bredr_smp_read,
3310 	.write		= force_bredr_smp_write,
3311 	.llseek		= default_llseek,
3312 };
3313 
3314 static ssize_t le_min_key_size_read(struct file *file,
3315 				     char __user *user_buf,
3316 				     size_t count, loff_t *ppos)
3317 {
3318 	struct hci_dev *hdev = file->private_data;
3319 	char buf[4];
3320 
3321 	snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->min_key_size);
3322 
3323 	return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3324 }
3325 
3326 static ssize_t le_min_key_size_write(struct file *file,
3327 				      const char __user *user_buf,
3328 				      size_t count, loff_t *ppos)
3329 {
3330 	struct hci_dev *hdev = file->private_data;
3331 	char buf[32];
3332 	size_t buf_size = min(count, (sizeof(buf) - 1));
3333 	u8 key_size;
3334 
3335 	if (copy_from_user(buf, user_buf, buf_size))
3336 		return -EFAULT;
3337 
3338 	buf[buf_size] = '\0';
3339 
3340 	sscanf(buf, "%hhu", &key_size);
3341 
3342 	if (key_size > SMP_DEV(hdev)->max_key_size ||
3343 	    key_size < SMP_MIN_ENC_KEY_SIZE)
3344 		return -EINVAL;
3345 
3346 	SMP_DEV(hdev)->min_key_size = key_size;
3347 
3348 	return count;
3349 }
3350 
3351 static const struct file_operations le_min_key_size_fops = {
3352 	.open		= simple_open,
3353 	.read		= le_min_key_size_read,
3354 	.write		= le_min_key_size_write,
3355 	.llseek		= default_llseek,
3356 };
3357 
3358 static ssize_t le_max_key_size_read(struct file *file,
3359 				     char __user *user_buf,
3360 				     size_t count, loff_t *ppos)
3361 {
3362 	struct hci_dev *hdev = file->private_data;
3363 	char buf[4];
3364 
3365 	snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->max_key_size);
3366 
3367 	return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3368 }
3369 
3370 static ssize_t le_max_key_size_write(struct file *file,
3371 				      const char __user *user_buf,
3372 				      size_t count, loff_t *ppos)
3373 {
3374 	struct hci_dev *hdev = file->private_data;
3375 	char buf[32];
3376 	size_t buf_size = min(count, (sizeof(buf) - 1));
3377 	u8 key_size;
3378 
3379 	if (copy_from_user(buf, user_buf, buf_size))
3380 		return -EFAULT;
3381 
3382 	buf[buf_size] = '\0';
3383 
3384 	sscanf(buf, "%hhu", &key_size);
3385 
3386 	if (key_size > SMP_MAX_ENC_KEY_SIZE ||
3387 	    key_size < SMP_DEV(hdev)->min_key_size)
3388 		return -EINVAL;
3389 
3390 	SMP_DEV(hdev)->max_key_size = key_size;
3391 
3392 	return count;
3393 }
3394 
3395 static const struct file_operations le_max_key_size_fops = {
3396 	.open		= simple_open,
3397 	.read		= le_max_key_size_read,
3398 	.write		= le_max_key_size_write,
3399 	.llseek		= default_llseek,
3400 };
3401 
3402 int smp_register(struct hci_dev *hdev)
3403 {
3404 	struct l2cap_chan *chan;
3405 
3406 	BT_DBG("%s", hdev->name);
3407 
3408 	/* If the controller does not support Low Energy operation, then
3409 	 * there is also no need to register any SMP channel.
3410 	 */
3411 	if (!lmp_le_capable(hdev))
3412 		return 0;
3413 
3414 	if (WARN_ON(hdev->smp_data)) {
3415 		chan = hdev->smp_data;
3416 		hdev->smp_data = NULL;
3417 		smp_del_chan(chan);
3418 	}
3419 
3420 	chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3421 	if (IS_ERR(chan))
3422 		return PTR_ERR(chan);
3423 
3424 	hdev->smp_data = chan;
3425 
3426 	debugfs_create_file("le_min_key_size", 0644, hdev->debugfs, hdev,
3427 			    &le_min_key_size_fops);
3428 	debugfs_create_file("le_max_key_size", 0644, hdev->debugfs, hdev,
3429 			    &le_max_key_size_fops);
3430 
3431 	/* If the controller does not support BR/EDR Secure Connections
3432 	 * feature, then the BR/EDR SMP channel shall not be present.
3433 	 *
3434 	 * To test this with Bluetooth 4.0 controllers, create a debugfs
3435 	 * switch that allows forcing BR/EDR SMP support and accepting
3436 	 * cross-transport pairing on non-AES encrypted connections.
3437 	 */
3438 	if (!lmp_sc_capable(hdev)) {
3439 		debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3440 				    hdev, &force_bredr_smp_fops);
3441 
3442 		/* Flag can be already set here (due to power toggle) */
3443 		if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3444 			return 0;
3445 	}
3446 
3447 	if (WARN_ON(hdev->smp_bredr_data)) {
3448 		chan = hdev->smp_bredr_data;
3449 		hdev->smp_bredr_data = NULL;
3450 		smp_del_chan(chan);
3451 	}
3452 
3453 	chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3454 	if (IS_ERR(chan)) {
3455 		int err = PTR_ERR(chan);
3456 		chan = hdev->smp_data;
3457 		hdev->smp_data = NULL;
3458 		smp_del_chan(chan);
3459 		return err;
3460 	}
3461 
3462 	hdev->smp_bredr_data = chan;
3463 
3464 	return 0;
3465 }
3466 
3467 void smp_unregister(struct hci_dev *hdev)
3468 {
3469 	struct l2cap_chan *chan;
3470 
3471 	if (hdev->smp_bredr_data) {
3472 		chan = hdev->smp_bredr_data;
3473 		hdev->smp_bredr_data = NULL;
3474 		smp_del_chan(chan);
3475 	}
3476 
3477 	if (hdev->smp_data) {
3478 		chan = hdev->smp_data;
3479 		hdev->smp_data = NULL;
3480 		smp_del_chan(chan);
3481 	}
3482 }
3483 
3484 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3485 
3486 static int __init test_ah(struct crypto_cipher *tfm_aes)
3487 {
3488 	const u8 irk[16] = {
3489 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3490 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3491 	const u8 r[3] = { 0x94, 0x81, 0x70 };
3492 	const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3493 	u8 res[3];
3494 	int err;
3495 
3496 	err = smp_ah(tfm_aes, irk, r, res);
3497 	if (err)
3498 		return err;
3499 
3500 	if (memcmp(res, exp, 3))
3501 		return -EINVAL;
3502 
3503 	return 0;
3504 }
3505 
3506 static int __init test_c1(struct crypto_cipher *tfm_aes)
3507 {
3508 	const u8 k[16] = {
3509 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3510 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3511 	const u8 r[16] = {
3512 			0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3513 			0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3514 	const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3515 	const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3516 	const u8 _iat = 0x01;
3517 	const u8 _rat = 0x00;
3518 	const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3519 	const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3520 	const u8 exp[16] = {
3521 			0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3522 			0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3523 	u8 res[16];
3524 	int err;
3525 
3526 	err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3527 	if (err)
3528 		return err;
3529 
3530 	if (memcmp(res, exp, 16))
3531 		return -EINVAL;
3532 
3533 	return 0;
3534 }
3535 
3536 static int __init test_s1(struct crypto_cipher *tfm_aes)
3537 {
3538 	const u8 k[16] = {
3539 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3540 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3541 	const u8 r1[16] = {
3542 			0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3543 	const u8 r2[16] = {
3544 			0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3545 	const u8 exp[16] = {
3546 			0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3547 			0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3548 	u8 res[16];
3549 	int err;
3550 
3551 	err = smp_s1(tfm_aes, k, r1, r2, res);
3552 	if (err)
3553 		return err;
3554 
3555 	if (memcmp(res, exp, 16))
3556 		return -EINVAL;
3557 
3558 	return 0;
3559 }
3560 
3561 static int __init test_f4(struct crypto_shash *tfm_cmac)
3562 {
3563 	const u8 u[32] = {
3564 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3565 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3566 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3567 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3568 	const u8 v[32] = {
3569 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3570 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3571 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3572 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3573 	const u8 x[16] = {
3574 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3575 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3576 	const u8 z = 0x00;
3577 	const u8 exp[16] = {
3578 			0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3579 			0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3580 	u8 res[16];
3581 	int err;
3582 
3583 	err = smp_f4(tfm_cmac, u, v, x, z, res);
3584 	if (err)
3585 		return err;
3586 
3587 	if (memcmp(res, exp, 16))
3588 		return -EINVAL;
3589 
3590 	return 0;
3591 }
3592 
3593 static int __init test_f5(struct crypto_shash *tfm_cmac)
3594 {
3595 	const u8 w[32] = {
3596 			0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3597 			0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3598 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3599 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3600 	const u8 n1[16] = {
3601 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3602 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3603 	const u8 n2[16] = {
3604 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3605 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3606 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3607 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3608 	const u8 exp_ltk[16] = {
3609 			0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3610 			0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3611 	const u8 exp_mackey[16] = {
3612 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3613 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3614 	u8 mackey[16], ltk[16];
3615 	int err;
3616 
3617 	err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3618 	if (err)
3619 		return err;
3620 
3621 	if (memcmp(mackey, exp_mackey, 16))
3622 		return -EINVAL;
3623 
3624 	if (memcmp(ltk, exp_ltk, 16))
3625 		return -EINVAL;
3626 
3627 	return 0;
3628 }
3629 
3630 static int __init test_f6(struct crypto_shash *tfm_cmac)
3631 {
3632 	const u8 w[16] = {
3633 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3634 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3635 	const u8 n1[16] = {
3636 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3637 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3638 	const u8 n2[16] = {
3639 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3640 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3641 	const u8 r[16] = {
3642 			0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3643 			0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3644 	const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3645 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3646 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3647 	const u8 exp[16] = {
3648 			0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3649 			0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3650 	u8 res[16];
3651 	int err;
3652 
3653 	err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3654 	if (err)
3655 		return err;
3656 
3657 	if (memcmp(res, exp, 16))
3658 		return -EINVAL;
3659 
3660 	return 0;
3661 }
3662 
3663 static int __init test_g2(struct crypto_shash *tfm_cmac)
3664 {
3665 	const u8 u[32] = {
3666 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3667 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3668 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3669 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3670 	const u8 v[32] = {
3671 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3672 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3673 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3674 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3675 	const u8 x[16] = {
3676 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3677 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3678 	const u8 y[16] = {
3679 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3680 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3681 	const u32 exp_val = 0x2f9ed5ba % 1000000;
3682 	u32 val;
3683 	int err;
3684 
3685 	err = smp_g2(tfm_cmac, u, v, x, y, &val);
3686 	if (err)
3687 		return err;
3688 
3689 	if (val != exp_val)
3690 		return -EINVAL;
3691 
3692 	return 0;
3693 }
3694 
3695 static int __init test_h6(struct crypto_shash *tfm_cmac)
3696 {
3697 	const u8 w[16] = {
3698 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3699 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3700 	const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3701 	const u8 exp[16] = {
3702 			0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3703 			0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3704 	u8 res[16];
3705 	int err;
3706 
3707 	err = smp_h6(tfm_cmac, w, key_id, res);
3708 	if (err)
3709 		return err;
3710 
3711 	if (memcmp(res, exp, 16))
3712 		return -EINVAL;
3713 
3714 	return 0;
3715 }
3716 
3717 static char test_smp_buffer[32];
3718 
3719 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3720 			     size_t count, loff_t *ppos)
3721 {
3722 	return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3723 				       strlen(test_smp_buffer));
3724 }
3725 
3726 static const struct file_operations test_smp_fops = {
3727 	.open		= simple_open,
3728 	.read		= test_smp_read,
3729 	.llseek		= default_llseek,
3730 };
3731 
3732 static int __init run_selftests(struct crypto_cipher *tfm_aes,
3733 				struct crypto_shash *tfm_cmac)
3734 {
3735 	ktime_t calltime, delta, rettime;
3736 	unsigned long long duration;
3737 	int err;
3738 
3739 	calltime = ktime_get();
3740 
3741 	err = test_ah(tfm_aes);
3742 	if (err) {
3743 		BT_ERR("smp_ah test failed");
3744 		goto done;
3745 	}
3746 
3747 	err = test_c1(tfm_aes);
3748 	if (err) {
3749 		BT_ERR("smp_c1 test failed");
3750 		goto done;
3751 	}
3752 
3753 	err = test_s1(tfm_aes);
3754 	if (err) {
3755 		BT_ERR("smp_s1 test failed");
3756 		goto done;
3757 	}
3758 
3759 	err = test_f4(tfm_cmac);
3760 	if (err) {
3761 		BT_ERR("smp_f4 test failed");
3762 		goto done;
3763 	}
3764 
3765 	err = test_f5(tfm_cmac);
3766 	if (err) {
3767 		BT_ERR("smp_f5 test failed");
3768 		goto done;
3769 	}
3770 
3771 	err = test_f6(tfm_cmac);
3772 	if (err) {
3773 		BT_ERR("smp_f6 test failed");
3774 		goto done;
3775 	}
3776 
3777 	err = test_g2(tfm_cmac);
3778 	if (err) {
3779 		BT_ERR("smp_g2 test failed");
3780 		goto done;
3781 	}
3782 
3783 	err = test_h6(tfm_cmac);
3784 	if (err) {
3785 		BT_ERR("smp_h6 test failed");
3786 		goto done;
3787 	}
3788 
3789 	rettime = ktime_get();
3790 	delta = ktime_sub(rettime, calltime);
3791 	duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3792 
3793 	BT_INFO("SMP test passed in %llu usecs", duration);
3794 
3795 done:
3796 	if (!err)
3797 		snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3798 			 "PASS (%llu usecs)\n", duration);
3799 	else
3800 		snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3801 
3802 	debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3803 			    &test_smp_fops);
3804 
3805 	return err;
3806 }
3807 
3808 int __init bt_selftest_smp(void)
3809 {
3810 	struct crypto_cipher *tfm_aes;
3811 	struct crypto_shash *tfm_cmac;
3812 	int err;
3813 
3814 	tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
3815 	if (IS_ERR(tfm_aes)) {
3816 		BT_ERR("Unable to create AES crypto context");
3817 		return PTR_ERR(tfm_aes);
3818 	}
3819 
3820 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3821 	if (IS_ERR(tfm_cmac)) {
3822 		BT_ERR("Unable to create CMAC crypto context");
3823 		crypto_free_cipher(tfm_aes);
3824 		return PTR_ERR(tfm_cmac);
3825 	}
3826 
3827 	err = run_selftests(tfm_aes, tfm_cmac);
3828 
3829 	crypto_free_shash(tfm_cmac);
3830 	crypto_free_cipher(tfm_aes);
3831 
3832 	return err;
3833 }
3834 
3835 #endif
3836