xref: /linux/net/bluetooth/smp.c (revision 3b27d13940c3710a1128527c43719cb0bb05d73b)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4 
5    This program is free software; you can redistribute it and/or modify
6    it under the terms of the GNU General Public License version 2 as
7    published by the Free Software Foundation;
8 
9    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 
18    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20    SOFTWARE IS DISCLAIMED.
21 */
22 
23 #include <linux/debugfs.h>
24 #include <linux/crypto.h>
25 #include <linux/scatterlist.h>
26 #include <crypto/b128ops.h>
27 
28 #include <net/bluetooth/bluetooth.h>
29 #include <net/bluetooth/hci_core.h>
30 #include <net/bluetooth/l2cap.h>
31 #include <net/bluetooth/mgmt.h>
32 
33 #include "ecc.h"
34 #include "smp.h"
35 
36 #define SMP_DEV(hdev) \
37 	((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
38 
39 /* Low-level debug macros to be used for stuff that we don't want
40  * accidentially in dmesg, i.e. the values of the various crypto keys
41  * and the inputs & outputs of crypto functions.
42  */
43 #ifdef DEBUG
44 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
45 				 ##__VA_ARGS__)
46 #else
47 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
48 				    ##__VA_ARGS__)
49 #endif
50 
51 #define SMP_ALLOW_CMD(smp, code)	set_bit(code, &smp->allow_cmd)
52 
53 /* Keys which are not distributed with Secure Connections */
54 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
55 
56 #define SMP_TIMEOUT	msecs_to_jiffies(30000)
57 
58 #define AUTH_REQ_MASK(dev)	(hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
59 				 0x1f : 0x07)
60 #define KEY_DIST_MASK		0x07
61 
62 /* Maximum message length that can be passed to aes_cmac */
63 #define CMAC_MSG_MAX	80
64 
65 enum {
66 	SMP_FLAG_TK_VALID,
67 	SMP_FLAG_CFM_PENDING,
68 	SMP_FLAG_MITM_AUTH,
69 	SMP_FLAG_COMPLETE,
70 	SMP_FLAG_INITIATOR,
71 	SMP_FLAG_SC,
72 	SMP_FLAG_REMOTE_PK,
73 	SMP_FLAG_DEBUG_KEY,
74 	SMP_FLAG_WAIT_USER,
75 	SMP_FLAG_DHKEY_PENDING,
76 	SMP_FLAG_REMOTE_OOB,
77 	SMP_FLAG_LOCAL_OOB,
78 };
79 
80 struct smp_dev {
81 	/* Secure Connections OOB data */
82 	u8			local_pk[64];
83 	u8			local_sk[32];
84 	u8			local_rand[16];
85 	bool			debug_key;
86 
87 	u8			min_key_size;
88 	u8			max_key_size;
89 
90 	struct crypto_blkcipher	*tfm_aes;
91 	struct crypto_hash	*tfm_cmac;
92 };
93 
94 struct smp_chan {
95 	struct l2cap_conn	*conn;
96 	struct delayed_work	security_timer;
97 	unsigned long           allow_cmd; /* Bitmask of allowed commands */
98 
99 	u8		preq[7]; /* SMP Pairing Request */
100 	u8		prsp[7]; /* SMP Pairing Response */
101 	u8		prnd[16]; /* SMP Pairing Random (local) */
102 	u8		rrnd[16]; /* SMP Pairing Random (remote) */
103 	u8		pcnf[16]; /* SMP Pairing Confirm */
104 	u8		tk[16]; /* SMP Temporary Key */
105 	u8		rr[16]; /* Remote OOB ra/rb value */
106 	u8		lr[16]; /* Local OOB ra/rb value */
107 	u8		enc_key_size;
108 	u8		remote_key_dist;
109 	bdaddr_t	id_addr;
110 	u8		id_addr_type;
111 	u8		irk[16];
112 	struct smp_csrk	*csrk;
113 	struct smp_csrk	*slave_csrk;
114 	struct smp_ltk	*ltk;
115 	struct smp_ltk	*slave_ltk;
116 	struct smp_irk	*remote_irk;
117 	u8		*link_key;
118 	unsigned long	flags;
119 	u8		method;
120 	u8		passkey_round;
121 
122 	/* Secure Connections variables */
123 	u8			local_pk[64];
124 	u8			local_sk[32];
125 	u8			remote_pk[64];
126 	u8			dhkey[32];
127 	u8			mackey[16];
128 
129 	struct crypto_blkcipher	*tfm_aes;
130 	struct crypto_hash	*tfm_cmac;
131 };
132 
133 /* These debug key values are defined in the SMP section of the core
134  * specification. debug_pk is the public debug key and debug_sk the
135  * private debug key.
136  */
137 static const u8 debug_pk[64] = {
138 		0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
139 		0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
140 		0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
141 		0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
142 
143 		0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
144 		0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
145 		0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
146 		0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
147 };
148 
149 static const u8 debug_sk[32] = {
150 		0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
151 		0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
152 		0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
153 		0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
154 };
155 
156 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
157 {
158 	size_t i;
159 
160 	for (i = 0; i < len; i++)
161 		dst[len - 1 - i] = src[i];
162 }
163 
164 /* The following functions map to the LE SC SMP crypto functions
165  * AES-CMAC, f4, f5, f6, g2 and h6.
166  */
167 
168 static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m,
169 		    size_t len, u8 mac[16])
170 {
171 	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
172 	struct hash_desc desc;
173 	struct scatterlist sg;
174 	int err;
175 
176 	if (len > CMAC_MSG_MAX)
177 		return -EFBIG;
178 
179 	if (!tfm) {
180 		BT_ERR("tfm %p", tfm);
181 		return -EINVAL;
182 	}
183 
184 	desc.tfm = tfm;
185 	desc.flags = 0;
186 
187 	crypto_hash_init(&desc);
188 
189 	/* Swap key and message from LSB to MSB */
190 	swap_buf(k, tmp, 16);
191 	swap_buf(m, msg_msb, len);
192 
193 	SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
194 	SMP_DBG("key %16phN", k);
195 
196 	err = crypto_hash_setkey(tfm, tmp, 16);
197 	if (err) {
198 		BT_ERR("cipher setkey failed: %d", err);
199 		return err;
200 	}
201 
202 	sg_init_one(&sg, msg_msb, len);
203 
204 	err = crypto_hash_update(&desc, &sg, len);
205 	if (err) {
206 		BT_ERR("Hash update error %d", err);
207 		return err;
208 	}
209 
210 	err = crypto_hash_final(&desc, mac_msb);
211 	if (err) {
212 		BT_ERR("Hash final error %d", err);
213 		return err;
214 	}
215 
216 	swap_buf(mac_msb, mac, 16);
217 
218 	SMP_DBG("mac %16phN", mac);
219 
220 	return 0;
221 }
222 
223 static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
224 		  const u8 x[16], u8 z, u8 res[16])
225 {
226 	u8 m[65];
227 	int err;
228 
229 	SMP_DBG("u %32phN", u);
230 	SMP_DBG("v %32phN", v);
231 	SMP_DBG("x %16phN z %02x", x, z);
232 
233 	m[0] = z;
234 	memcpy(m + 1, v, 32);
235 	memcpy(m + 33, u, 32);
236 
237 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
238 	if (err)
239 		return err;
240 
241 	SMP_DBG("res %16phN", res);
242 
243 	return err;
244 }
245 
246 static int smp_f5(struct crypto_hash *tfm_cmac, const u8 w[32],
247 		  const u8 n1[16], const u8 n2[16], const u8 a1[7],
248 		  const u8 a2[7], u8 mackey[16], u8 ltk[16])
249 {
250 	/* The btle, salt and length "magic" values are as defined in
251 	 * the SMP section of the Bluetooth core specification. In ASCII
252 	 * the btle value ends up being 'btle'. The salt is just a
253 	 * random number whereas length is the value 256 in little
254 	 * endian format.
255 	 */
256 	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
257 	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
258 			      0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
259 	const u8 length[2] = { 0x00, 0x01 };
260 	u8 m[53], t[16];
261 	int err;
262 
263 	SMP_DBG("w %32phN", w);
264 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
265 	SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
266 
267 	err = aes_cmac(tfm_cmac, salt, w, 32, t);
268 	if (err)
269 		return err;
270 
271 	SMP_DBG("t %16phN", t);
272 
273 	memcpy(m, length, 2);
274 	memcpy(m + 2, a2, 7);
275 	memcpy(m + 9, a1, 7);
276 	memcpy(m + 16, n2, 16);
277 	memcpy(m + 32, n1, 16);
278 	memcpy(m + 48, btle, 4);
279 
280 	m[52] = 0; /* Counter */
281 
282 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
283 	if (err)
284 		return err;
285 
286 	SMP_DBG("mackey %16phN", mackey);
287 
288 	m[52] = 1; /* Counter */
289 
290 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
291 	if (err)
292 		return err;
293 
294 	SMP_DBG("ltk %16phN", ltk);
295 
296 	return 0;
297 }
298 
299 static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16],
300 		  const u8 n1[16], const u8 n2[16], const u8 r[16],
301 		  const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
302 		  u8 res[16])
303 {
304 	u8 m[65];
305 	int err;
306 
307 	SMP_DBG("w %16phN", w);
308 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
309 	SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
310 
311 	memcpy(m, a2, 7);
312 	memcpy(m + 7, a1, 7);
313 	memcpy(m + 14, io_cap, 3);
314 	memcpy(m + 17, r, 16);
315 	memcpy(m + 33, n2, 16);
316 	memcpy(m + 49, n1, 16);
317 
318 	err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
319 	if (err)
320 		return err;
321 
322 	SMP_DBG("res %16phN", res);
323 
324 	return err;
325 }
326 
327 static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
328 		  const u8 x[16], const u8 y[16], u32 *val)
329 {
330 	u8 m[80], tmp[16];
331 	int err;
332 
333 	SMP_DBG("u %32phN", u);
334 	SMP_DBG("v %32phN", v);
335 	SMP_DBG("x %16phN y %16phN", x, y);
336 
337 	memcpy(m, y, 16);
338 	memcpy(m + 16, v, 32);
339 	memcpy(m + 48, u, 32);
340 
341 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
342 	if (err)
343 		return err;
344 
345 	*val = get_unaligned_le32(tmp);
346 	*val %= 1000000;
347 
348 	SMP_DBG("val %06u", *val);
349 
350 	return 0;
351 }
352 
353 static int smp_h6(struct crypto_hash *tfm_cmac, const u8 w[16],
354 		  const u8 key_id[4], u8 res[16])
355 {
356 	int err;
357 
358 	SMP_DBG("w %16phN key_id %4phN", w, key_id);
359 
360 	err = aes_cmac(tfm_cmac, w, key_id, 4, res);
361 	if (err)
362 		return err;
363 
364 	SMP_DBG("res %16phN", res);
365 
366 	return err;
367 }
368 
369 /* The following functions map to the legacy SMP crypto functions e, c1,
370  * s1 and ah.
371  */
372 
373 static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
374 {
375 	struct blkcipher_desc desc;
376 	struct scatterlist sg;
377 	uint8_t tmp[16], data[16];
378 	int err;
379 
380 	SMP_DBG("k %16phN r %16phN", k, r);
381 
382 	if (!tfm) {
383 		BT_ERR("tfm %p", tfm);
384 		return -EINVAL;
385 	}
386 
387 	desc.tfm = tfm;
388 	desc.flags = 0;
389 
390 	/* The most significant octet of key corresponds to k[0] */
391 	swap_buf(k, tmp, 16);
392 
393 	err = crypto_blkcipher_setkey(tfm, tmp, 16);
394 	if (err) {
395 		BT_ERR("cipher setkey failed: %d", err);
396 		return err;
397 	}
398 
399 	/* Most significant octet of plaintextData corresponds to data[0] */
400 	swap_buf(r, data, 16);
401 
402 	sg_init_one(&sg, data, 16);
403 
404 	err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
405 	if (err)
406 		BT_ERR("Encrypt data error %d", err);
407 
408 	/* Most significant octet of encryptedData corresponds to data[0] */
409 	swap_buf(data, r, 16);
410 
411 	SMP_DBG("r %16phN", r);
412 
413 	return err;
414 }
415 
416 static int smp_c1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
417 		  const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
418 		  const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
419 {
420 	u8 p1[16], p2[16];
421 	int err;
422 
423 	SMP_DBG("k %16phN r %16phN", k, r);
424 	SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
425 	SMP_DBG("preq %7phN pres %7phN", preq, pres);
426 
427 	memset(p1, 0, 16);
428 
429 	/* p1 = pres || preq || _rat || _iat */
430 	p1[0] = _iat;
431 	p1[1] = _rat;
432 	memcpy(p1 + 2, preq, 7);
433 	memcpy(p1 + 9, pres, 7);
434 
435 	SMP_DBG("p1 %16phN", p1);
436 
437 	/* res = r XOR p1 */
438 	u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
439 
440 	/* res = e(k, res) */
441 	err = smp_e(tfm_aes, k, res);
442 	if (err) {
443 		BT_ERR("Encrypt data error");
444 		return err;
445 	}
446 
447 	/* p2 = padding || ia || ra */
448 	memcpy(p2, ra, 6);
449 	memcpy(p2 + 6, ia, 6);
450 	memset(p2 + 12, 0, 4);
451 
452 	SMP_DBG("p2 %16phN", p2);
453 
454 	/* res = res XOR p2 */
455 	u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
456 
457 	/* res = e(k, res) */
458 	err = smp_e(tfm_aes, k, res);
459 	if (err)
460 		BT_ERR("Encrypt data error");
461 
462 	return err;
463 }
464 
465 static int smp_s1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
466 		  const u8 r1[16], const u8 r2[16], u8 _r[16])
467 {
468 	int err;
469 
470 	/* Just least significant octets from r1 and r2 are considered */
471 	memcpy(_r, r2, 8);
472 	memcpy(_r + 8, r1, 8);
473 
474 	err = smp_e(tfm_aes, k, _r);
475 	if (err)
476 		BT_ERR("Encrypt data error");
477 
478 	return err;
479 }
480 
481 static int smp_ah(struct crypto_blkcipher *tfm, const u8 irk[16],
482 		  const u8 r[3], u8 res[3])
483 {
484 	u8 _res[16];
485 	int err;
486 
487 	/* r' = padding || r */
488 	memcpy(_res, r, 3);
489 	memset(_res + 3, 0, 13);
490 
491 	err = smp_e(tfm, irk, _res);
492 	if (err) {
493 		BT_ERR("Encrypt error");
494 		return err;
495 	}
496 
497 	/* The output of the random address function ah is:
498 	 *	ah(h, r) = e(k, r') mod 2^24
499 	 * The output of the security function e is then truncated to 24 bits
500 	 * by taking the least significant 24 bits of the output of e as the
501 	 * result of ah.
502 	 */
503 	memcpy(res, _res, 3);
504 
505 	return 0;
506 }
507 
508 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
509 		     const bdaddr_t *bdaddr)
510 {
511 	struct l2cap_chan *chan = hdev->smp_data;
512 	struct smp_dev *smp;
513 	u8 hash[3];
514 	int err;
515 
516 	if (!chan || !chan->data)
517 		return false;
518 
519 	smp = chan->data;
520 
521 	BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
522 
523 	err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash);
524 	if (err)
525 		return false;
526 
527 	return !memcmp(bdaddr->b, hash, 3);
528 }
529 
530 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
531 {
532 	struct l2cap_chan *chan = hdev->smp_data;
533 	struct smp_dev *smp;
534 	int err;
535 
536 	if (!chan || !chan->data)
537 		return -EOPNOTSUPP;
538 
539 	smp = chan->data;
540 
541 	get_random_bytes(&rpa->b[3], 3);
542 
543 	rpa->b[5] &= 0x3f;	/* Clear two most significant bits */
544 	rpa->b[5] |= 0x40;	/* Set second most significant bit */
545 
546 	err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b);
547 	if (err < 0)
548 		return err;
549 
550 	BT_DBG("RPA %pMR", rpa);
551 
552 	return 0;
553 }
554 
555 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
556 {
557 	struct l2cap_chan *chan = hdev->smp_data;
558 	struct smp_dev *smp;
559 	int err;
560 
561 	if (!chan || !chan->data)
562 		return -EOPNOTSUPP;
563 
564 	smp = chan->data;
565 
566 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
567 		BT_DBG("Using debug keys");
568 		memcpy(smp->local_pk, debug_pk, 64);
569 		memcpy(smp->local_sk, debug_sk, 32);
570 		smp->debug_key = true;
571 	} else {
572 		while (true) {
573 			/* Generate local key pair for Secure Connections */
574 			if (!ecc_make_key(smp->local_pk, smp->local_sk))
575 				return -EIO;
576 
577 			/* This is unlikely, but we need to check that
578 			 * we didn't accidentially generate a debug key.
579 			 */
580 			if (memcmp(smp->local_sk, debug_sk, 32))
581 				break;
582 		}
583 		smp->debug_key = false;
584 	}
585 
586 	SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
587 	SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
588 	SMP_DBG("OOB Private Key:  %32phN", smp->local_sk);
589 
590 	get_random_bytes(smp->local_rand, 16);
591 
592 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
593 		     smp->local_rand, 0, hash);
594 	if (err < 0)
595 		return err;
596 
597 	memcpy(rand, smp->local_rand, 16);
598 
599 	return 0;
600 }
601 
602 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
603 {
604 	struct l2cap_chan *chan = conn->smp;
605 	struct smp_chan *smp;
606 	struct kvec iv[2];
607 	struct msghdr msg;
608 
609 	if (!chan)
610 		return;
611 
612 	BT_DBG("code 0x%2.2x", code);
613 
614 	iv[0].iov_base = &code;
615 	iv[0].iov_len = 1;
616 
617 	iv[1].iov_base = data;
618 	iv[1].iov_len = len;
619 
620 	memset(&msg, 0, sizeof(msg));
621 
622 	iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
623 
624 	l2cap_chan_send(chan, &msg, 1 + len);
625 
626 	if (!chan->data)
627 		return;
628 
629 	smp = chan->data;
630 
631 	cancel_delayed_work_sync(&smp->security_timer);
632 	schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
633 }
634 
635 static u8 authreq_to_seclevel(u8 authreq)
636 {
637 	if (authreq & SMP_AUTH_MITM) {
638 		if (authreq & SMP_AUTH_SC)
639 			return BT_SECURITY_FIPS;
640 		else
641 			return BT_SECURITY_HIGH;
642 	} else {
643 		return BT_SECURITY_MEDIUM;
644 	}
645 }
646 
647 static __u8 seclevel_to_authreq(__u8 sec_level)
648 {
649 	switch (sec_level) {
650 	case BT_SECURITY_FIPS:
651 	case BT_SECURITY_HIGH:
652 		return SMP_AUTH_MITM | SMP_AUTH_BONDING;
653 	case BT_SECURITY_MEDIUM:
654 		return SMP_AUTH_BONDING;
655 	default:
656 		return SMP_AUTH_NONE;
657 	}
658 }
659 
660 static void build_pairing_cmd(struct l2cap_conn *conn,
661 			      struct smp_cmd_pairing *req,
662 			      struct smp_cmd_pairing *rsp, __u8 authreq)
663 {
664 	struct l2cap_chan *chan = conn->smp;
665 	struct smp_chan *smp = chan->data;
666 	struct hci_conn *hcon = conn->hcon;
667 	struct hci_dev *hdev = hcon->hdev;
668 	u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
669 
670 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
671 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
672 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
673 		authreq |= SMP_AUTH_BONDING;
674 	} else {
675 		authreq &= ~SMP_AUTH_BONDING;
676 	}
677 
678 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
679 		remote_dist |= SMP_DIST_ID_KEY;
680 
681 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
682 		local_dist |= SMP_DIST_ID_KEY;
683 
684 	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
685 	    (authreq & SMP_AUTH_SC)) {
686 		struct oob_data *oob_data;
687 		u8 bdaddr_type;
688 
689 		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
690 			local_dist |= SMP_DIST_LINK_KEY;
691 			remote_dist |= SMP_DIST_LINK_KEY;
692 		}
693 
694 		if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
695 			bdaddr_type = BDADDR_LE_PUBLIC;
696 		else
697 			bdaddr_type = BDADDR_LE_RANDOM;
698 
699 		oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
700 						    bdaddr_type);
701 		if (oob_data && oob_data->present) {
702 			set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
703 			oob_flag = SMP_OOB_PRESENT;
704 			memcpy(smp->rr, oob_data->rand256, 16);
705 			memcpy(smp->pcnf, oob_data->hash256, 16);
706 			SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
707 			SMP_DBG("OOB Remote Random: %16phN", smp->rr);
708 		}
709 
710 	} else {
711 		authreq &= ~SMP_AUTH_SC;
712 	}
713 
714 	if (rsp == NULL) {
715 		req->io_capability = conn->hcon->io_capability;
716 		req->oob_flag = oob_flag;
717 		req->max_key_size = SMP_DEV(hdev)->max_key_size;
718 		req->init_key_dist = local_dist;
719 		req->resp_key_dist = remote_dist;
720 		req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
721 
722 		smp->remote_key_dist = remote_dist;
723 		return;
724 	}
725 
726 	rsp->io_capability = conn->hcon->io_capability;
727 	rsp->oob_flag = oob_flag;
728 	rsp->max_key_size = SMP_DEV(hdev)->max_key_size;
729 	rsp->init_key_dist = req->init_key_dist & remote_dist;
730 	rsp->resp_key_dist = req->resp_key_dist & local_dist;
731 	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
732 
733 	smp->remote_key_dist = rsp->init_key_dist;
734 }
735 
736 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
737 {
738 	struct l2cap_chan *chan = conn->smp;
739 	struct hci_dev *hdev = conn->hcon->hdev;
740 	struct smp_chan *smp = chan->data;
741 
742 	if (max_key_size > SMP_DEV(hdev)->max_key_size ||
743 	    max_key_size < SMP_MIN_ENC_KEY_SIZE)
744 		return SMP_ENC_KEY_SIZE;
745 
746 	smp->enc_key_size = max_key_size;
747 
748 	return 0;
749 }
750 
751 static void smp_chan_destroy(struct l2cap_conn *conn)
752 {
753 	struct l2cap_chan *chan = conn->smp;
754 	struct smp_chan *smp = chan->data;
755 	struct hci_conn *hcon = conn->hcon;
756 	bool complete;
757 
758 	BUG_ON(!smp);
759 
760 	cancel_delayed_work_sync(&smp->security_timer);
761 
762 	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
763 	mgmt_smp_complete(hcon, complete);
764 
765 	kzfree(smp->csrk);
766 	kzfree(smp->slave_csrk);
767 	kzfree(smp->link_key);
768 
769 	crypto_free_blkcipher(smp->tfm_aes);
770 	crypto_free_hash(smp->tfm_cmac);
771 
772 	/* Ensure that we don't leave any debug key around if debug key
773 	 * support hasn't been explicitly enabled.
774 	 */
775 	if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
776 	    !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
777 		list_del_rcu(&smp->ltk->list);
778 		kfree_rcu(smp->ltk, rcu);
779 		smp->ltk = NULL;
780 	}
781 
782 	/* If pairing failed clean up any keys we might have */
783 	if (!complete) {
784 		if (smp->ltk) {
785 			list_del_rcu(&smp->ltk->list);
786 			kfree_rcu(smp->ltk, rcu);
787 		}
788 
789 		if (smp->slave_ltk) {
790 			list_del_rcu(&smp->slave_ltk->list);
791 			kfree_rcu(smp->slave_ltk, rcu);
792 		}
793 
794 		if (smp->remote_irk) {
795 			list_del_rcu(&smp->remote_irk->list);
796 			kfree_rcu(smp->remote_irk, rcu);
797 		}
798 	}
799 
800 	chan->data = NULL;
801 	kzfree(smp);
802 	hci_conn_drop(hcon);
803 }
804 
805 static void smp_failure(struct l2cap_conn *conn, u8 reason)
806 {
807 	struct hci_conn *hcon = conn->hcon;
808 	struct l2cap_chan *chan = conn->smp;
809 
810 	if (reason)
811 		smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
812 			     &reason);
813 
814 	clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags);
815 	mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
816 
817 	if (chan->data)
818 		smp_chan_destroy(conn);
819 }
820 
821 #define JUST_WORKS	0x00
822 #define JUST_CFM	0x01
823 #define REQ_PASSKEY	0x02
824 #define CFM_PASSKEY	0x03
825 #define REQ_OOB		0x04
826 #define DSP_PASSKEY	0x05
827 #define OVERLAP		0xFF
828 
829 static const u8 gen_method[5][5] = {
830 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
831 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
832 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
833 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
834 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
835 };
836 
837 static const u8 sc_method[5][5] = {
838 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
839 	{ JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
840 	{ DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
841 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
842 	{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
843 };
844 
845 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
846 {
847 	/* If either side has unknown io_caps, use JUST_CFM (which gets
848 	 * converted later to JUST_WORKS if we're initiators.
849 	 */
850 	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
851 	    remote_io > SMP_IO_KEYBOARD_DISPLAY)
852 		return JUST_CFM;
853 
854 	if (test_bit(SMP_FLAG_SC, &smp->flags))
855 		return sc_method[remote_io][local_io];
856 
857 	return gen_method[remote_io][local_io];
858 }
859 
860 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
861 						u8 local_io, u8 remote_io)
862 {
863 	struct hci_conn *hcon = conn->hcon;
864 	struct l2cap_chan *chan = conn->smp;
865 	struct smp_chan *smp = chan->data;
866 	u32 passkey = 0;
867 	int ret = 0;
868 
869 	/* Initialize key for JUST WORKS */
870 	memset(smp->tk, 0, sizeof(smp->tk));
871 	clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
872 
873 	BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
874 
875 	/* If neither side wants MITM, either "just" confirm an incoming
876 	 * request or use just-works for outgoing ones. The JUST_CFM
877 	 * will be converted to JUST_WORKS if necessary later in this
878 	 * function. If either side has MITM look up the method from the
879 	 * table.
880 	 */
881 	if (!(auth & SMP_AUTH_MITM))
882 		smp->method = JUST_CFM;
883 	else
884 		smp->method = get_auth_method(smp, local_io, remote_io);
885 
886 	/* Don't confirm locally initiated pairing attempts */
887 	if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
888 						&smp->flags))
889 		smp->method = JUST_WORKS;
890 
891 	/* Don't bother user space with no IO capabilities */
892 	if (smp->method == JUST_CFM &&
893 	    hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
894 		smp->method = JUST_WORKS;
895 
896 	/* If Just Works, Continue with Zero TK */
897 	if (smp->method == JUST_WORKS) {
898 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
899 		return 0;
900 	}
901 
902 	/* If this function is used for SC -> legacy fallback we
903 	 * can only recover the just-works case.
904 	 */
905 	if (test_bit(SMP_FLAG_SC, &smp->flags))
906 		return -EINVAL;
907 
908 	/* Not Just Works/Confirm results in MITM Authentication */
909 	if (smp->method != JUST_CFM) {
910 		set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
911 		if (hcon->pending_sec_level < BT_SECURITY_HIGH)
912 			hcon->pending_sec_level = BT_SECURITY_HIGH;
913 	}
914 
915 	/* If both devices have Keyoard-Display I/O, the master
916 	 * Confirms and the slave Enters the passkey.
917 	 */
918 	if (smp->method == OVERLAP) {
919 		if (hcon->role == HCI_ROLE_MASTER)
920 			smp->method = CFM_PASSKEY;
921 		else
922 			smp->method = REQ_PASSKEY;
923 	}
924 
925 	/* Generate random passkey. */
926 	if (smp->method == CFM_PASSKEY) {
927 		memset(smp->tk, 0, sizeof(smp->tk));
928 		get_random_bytes(&passkey, sizeof(passkey));
929 		passkey %= 1000000;
930 		put_unaligned_le32(passkey, smp->tk);
931 		BT_DBG("PassKey: %d", passkey);
932 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
933 	}
934 
935 	if (smp->method == REQ_PASSKEY)
936 		ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
937 						hcon->type, hcon->dst_type);
938 	else if (smp->method == JUST_CFM)
939 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
940 						hcon->type, hcon->dst_type,
941 						passkey, 1);
942 	else
943 		ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
944 						hcon->type, hcon->dst_type,
945 						passkey, 0);
946 
947 	return ret;
948 }
949 
950 static u8 smp_confirm(struct smp_chan *smp)
951 {
952 	struct l2cap_conn *conn = smp->conn;
953 	struct smp_cmd_pairing_confirm cp;
954 	int ret;
955 
956 	BT_DBG("conn %p", conn);
957 
958 	ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
959 		     conn->hcon->init_addr_type, &conn->hcon->init_addr,
960 		     conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
961 		     cp.confirm_val);
962 	if (ret)
963 		return SMP_UNSPECIFIED;
964 
965 	clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
966 
967 	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
968 
969 	if (conn->hcon->out)
970 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
971 	else
972 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
973 
974 	return 0;
975 }
976 
977 static u8 smp_random(struct smp_chan *smp)
978 {
979 	struct l2cap_conn *conn = smp->conn;
980 	struct hci_conn *hcon = conn->hcon;
981 	u8 confirm[16];
982 	int ret;
983 
984 	if (IS_ERR_OR_NULL(smp->tfm_aes))
985 		return SMP_UNSPECIFIED;
986 
987 	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
988 
989 	ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
990 		     hcon->init_addr_type, &hcon->init_addr,
991 		     hcon->resp_addr_type, &hcon->resp_addr, confirm);
992 	if (ret)
993 		return SMP_UNSPECIFIED;
994 
995 	if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
996 		BT_ERR("Pairing failed (confirmation values mismatch)");
997 		return SMP_CONFIRM_FAILED;
998 	}
999 
1000 	if (hcon->out) {
1001 		u8 stk[16];
1002 		__le64 rand = 0;
1003 		__le16 ediv = 0;
1004 
1005 		smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
1006 
1007 		if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1008 			return SMP_UNSPECIFIED;
1009 
1010 		hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1011 		hcon->enc_key_size = smp->enc_key_size;
1012 		set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1013 	} else {
1014 		u8 stk[16], auth;
1015 		__le64 rand = 0;
1016 		__le16 ediv = 0;
1017 
1018 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1019 			     smp->prnd);
1020 
1021 		smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
1022 
1023 		if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1024 			auth = 1;
1025 		else
1026 			auth = 0;
1027 
1028 		/* Even though there's no _SLAVE suffix this is the
1029 		 * slave STK we're adding for later lookup (the master
1030 		 * STK never needs to be stored).
1031 		 */
1032 		hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1033 			    SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1034 	}
1035 
1036 	return 0;
1037 }
1038 
1039 static void smp_notify_keys(struct l2cap_conn *conn)
1040 {
1041 	struct l2cap_chan *chan = conn->smp;
1042 	struct smp_chan *smp = chan->data;
1043 	struct hci_conn *hcon = conn->hcon;
1044 	struct hci_dev *hdev = hcon->hdev;
1045 	struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1046 	struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1047 	bool persistent;
1048 
1049 	if (smp->remote_irk) {
1050 		mgmt_new_irk(hdev, smp->remote_irk);
1051 		/* Now that user space can be considered to know the
1052 		 * identity address track the connection based on it
1053 		 * from now on (assuming this is an LE link).
1054 		 */
1055 		if (hcon->type == LE_LINK) {
1056 			bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1057 			hcon->dst_type = smp->remote_irk->addr_type;
1058 			queue_work(hdev->workqueue, &conn->id_addr_update_work);
1059 		}
1060 
1061 		/* When receiving an indentity resolving key for
1062 		 * a remote device that does not use a resolvable
1063 		 * private address, just remove the key so that
1064 		 * it is possible to use the controller white
1065 		 * list for scanning.
1066 		 *
1067 		 * Userspace will have been told to not store
1068 		 * this key at this point. So it is safe to
1069 		 * just remove it.
1070 		 */
1071 		if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) {
1072 			list_del_rcu(&smp->remote_irk->list);
1073 			kfree_rcu(smp->remote_irk, rcu);
1074 			smp->remote_irk = NULL;
1075 		}
1076 	}
1077 
1078 	if (hcon->type == ACL_LINK) {
1079 		if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1080 			persistent = false;
1081 		else
1082 			persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1083 					       &hcon->flags);
1084 	} else {
1085 		/* The LTKs and CSRKs should be persistent only if both sides
1086 		 * had the bonding bit set in their authentication requests.
1087 		 */
1088 		persistent = !!((req->auth_req & rsp->auth_req) &
1089 				SMP_AUTH_BONDING);
1090 	}
1091 
1092 
1093 	if (smp->csrk) {
1094 		smp->csrk->bdaddr_type = hcon->dst_type;
1095 		bacpy(&smp->csrk->bdaddr, &hcon->dst);
1096 		mgmt_new_csrk(hdev, smp->csrk, persistent);
1097 	}
1098 
1099 	if (smp->slave_csrk) {
1100 		smp->slave_csrk->bdaddr_type = hcon->dst_type;
1101 		bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1102 		mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1103 	}
1104 
1105 	if (smp->ltk) {
1106 		smp->ltk->bdaddr_type = hcon->dst_type;
1107 		bacpy(&smp->ltk->bdaddr, &hcon->dst);
1108 		mgmt_new_ltk(hdev, smp->ltk, persistent);
1109 	}
1110 
1111 	if (smp->slave_ltk) {
1112 		smp->slave_ltk->bdaddr_type = hcon->dst_type;
1113 		bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1114 		mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1115 	}
1116 
1117 	if (smp->link_key) {
1118 		struct link_key *key;
1119 		u8 type;
1120 
1121 		if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1122 			type = HCI_LK_DEBUG_COMBINATION;
1123 		else if (hcon->sec_level == BT_SECURITY_FIPS)
1124 			type = HCI_LK_AUTH_COMBINATION_P256;
1125 		else
1126 			type = HCI_LK_UNAUTH_COMBINATION_P256;
1127 
1128 		key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1129 				       smp->link_key, type, 0, &persistent);
1130 		if (key) {
1131 			mgmt_new_link_key(hdev, key, persistent);
1132 
1133 			/* Don't keep debug keys around if the relevant
1134 			 * flag is not set.
1135 			 */
1136 			if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1137 			    key->type == HCI_LK_DEBUG_COMBINATION) {
1138 				list_del_rcu(&key->list);
1139 				kfree_rcu(key, rcu);
1140 			}
1141 		}
1142 	}
1143 }
1144 
1145 static void sc_add_ltk(struct smp_chan *smp)
1146 {
1147 	struct hci_conn *hcon = smp->conn->hcon;
1148 	u8 key_type, auth;
1149 
1150 	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1151 		key_type = SMP_LTK_P256_DEBUG;
1152 	else
1153 		key_type = SMP_LTK_P256;
1154 
1155 	if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1156 		auth = 1;
1157 	else
1158 		auth = 0;
1159 
1160 	smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1161 			       key_type, auth, smp->tk, smp->enc_key_size,
1162 			       0, 0);
1163 }
1164 
1165 static void sc_generate_link_key(struct smp_chan *smp)
1166 {
1167 	/* These constants are as specified in the core specification.
1168 	 * In ASCII they spell out to 'tmp1' and 'lebr'.
1169 	 */
1170 	const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1171 	const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1172 
1173 	smp->link_key = kzalloc(16, GFP_KERNEL);
1174 	if (!smp->link_key)
1175 		return;
1176 
1177 	if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1178 		kzfree(smp->link_key);
1179 		smp->link_key = NULL;
1180 		return;
1181 	}
1182 
1183 	if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1184 		kzfree(smp->link_key);
1185 		smp->link_key = NULL;
1186 		return;
1187 	}
1188 }
1189 
1190 static void smp_allow_key_dist(struct smp_chan *smp)
1191 {
1192 	/* Allow the first expected phase 3 PDU. The rest of the PDUs
1193 	 * will be allowed in each PDU handler to ensure we receive
1194 	 * them in the correct order.
1195 	 */
1196 	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1197 		SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1198 	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1199 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1200 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
1201 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1202 }
1203 
1204 static void sc_generate_ltk(struct smp_chan *smp)
1205 {
1206 	/* These constants are as specified in the core specification.
1207 	 * In ASCII they spell out to 'tmp2' and 'brle'.
1208 	 */
1209 	const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1210 	const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1211 	struct hci_conn *hcon = smp->conn->hcon;
1212 	struct hci_dev *hdev = hcon->hdev;
1213 	struct link_key *key;
1214 
1215 	key = hci_find_link_key(hdev, &hcon->dst);
1216 	if (!key) {
1217 		BT_ERR("%s No Link Key found to generate LTK", hdev->name);
1218 		return;
1219 	}
1220 
1221 	if (key->type == HCI_LK_DEBUG_COMBINATION)
1222 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1223 
1224 	if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1225 		return;
1226 
1227 	if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1228 		return;
1229 
1230 	sc_add_ltk(smp);
1231 }
1232 
1233 static void smp_distribute_keys(struct smp_chan *smp)
1234 {
1235 	struct smp_cmd_pairing *req, *rsp;
1236 	struct l2cap_conn *conn = smp->conn;
1237 	struct hci_conn *hcon = conn->hcon;
1238 	struct hci_dev *hdev = hcon->hdev;
1239 	__u8 *keydist;
1240 
1241 	BT_DBG("conn %p", conn);
1242 
1243 	rsp = (void *) &smp->prsp[1];
1244 
1245 	/* The responder sends its keys first */
1246 	if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1247 		smp_allow_key_dist(smp);
1248 		return;
1249 	}
1250 
1251 	req = (void *) &smp->preq[1];
1252 
1253 	if (hcon->out) {
1254 		keydist = &rsp->init_key_dist;
1255 		*keydist &= req->init_key_dist;
1256 	} else {
1257 		keydist = &rsp->resp_key_dist;
1258 		*keydist &= req->resp_key_dist;
1259 	}
1260 
1261 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1262 		if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1263 			sc_generate_link_key(smp);
1264 		if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1265 			sc_generate_ltk(smp);
1266 
1267 		/* Clear the keys which are generated but not distributed */
1268 		*keydist &= ~SMP_SC_NO_DIST;
1269 	}
1270 
1271 	BT_DBG("keydist 0x%x", *keydist);
1272 
1273 	if (*keydist & SMP_DIST_ENC_KEY) {
1274 		struct smp_cmd_encrypt_info enc;
1275 		struct smp_cmd_master_ident ident;
1276 		struct smp_ltk *ltk;
1277 		u8 authenticated;
1278 		__le16 ediv;
1279 		__le64 rand;
1280 
1281 		/* Make sure we generate only the significant amount of
1282 		 * bytes based on the encryption key size, and set the rest
1283 		 * of the value to zeroes.
1284 		 */
1285 		get_random_bytes(enc.ltk, smp->enc_key_size);
1286 		memset(enc.ltk + smp->enc_key_size, 0,
1287 		       sizeof(enc.ltk) - smp->enc_key_size);
1288 
1289 		get_random_bytes(&ediv, sizeof(ediv));
1290 		get_random_bytes(&rand, sizeof(rand));
1291 
1292 		smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1293 
1294 		authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1295 		ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1296 				  SMP_LTK_SLAVE, authenticated, enc.ltk,
1297 				  smp->enc_key_size, ediv, rand);
1298 		smp->slave_ltk = ltk;
1299 
1300 		ident.ediv = ediv;
1301 		ident.rand = rand;
1302 
1303 		smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1304 
1305 		*keydist &= ~SMP_DIST_ENC_KEY;
1306 	}
1307 
1308 	if (*keydist & SMP_DIST_ID_KEY) {
1309 		struct smp_cmd_ident_addr_info addrinfo;
1310 		struct smp_cmd_ident_info idinfo;
1311 
1312 		memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1313 
1314 		smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1315 
1316 		/* The hci_conn contains the local identity address
1317 		 * after the connection has been established.
1318 		 *
1319 		 * This is true even when the connection has been
1320 		 * established using a resolvable random address.
1321 		 */
1322 		bacpy(&addrinfo.bdaddr, &hcon->src);
1323 		addrinfo.addr_type = hcon->src_type;
1324 
1325 		smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1326 			     &addrinfo);
1327 
1328 		*keydist &= ~SMP_DIST_ID_KEY;
1329 	}
1330 
1331 	if (*keydist & SMP_DIST_SIGN) {
1332 		struct smp_cmd_sign_info sign;
1333 		struct smp_csrk *csrk;
1334 
1335 		/* Generate a new random key */
1336 		get_random_bytes(sign.csrk, sizeof(sign.csrk));
1337 
1338 		csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1339 		if (csrk) {
1340 			if (hcon->sec_level > BT_SECURITY_MEDIUM)
1341 				csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1342 			else
1343 				csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1344 			memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1345 		}
1346 		smp->slave_csrk = csrk;
1347 
1348 		smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1349 
1350 		*keydist &= ~SMP_DIST_SIGN;
1351 	}
1352 
1353 	/* If there are still keys to be received wait for them */
1354 	if (smp->remote_key_dist & KEY_DIST_MASK) {
1355 		smp_allow_key_dist(smp);
1356 		return;
1357 	}
1358 
1359 	set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1360 	smp_notify_keys(conn);
1361 
1362 	smp_chan_destroy(conn);
1363 }
1364 
1365 static void smp_timeout(struct work_struct *work)
1366 {
1367 	struct smp_chan *smp = container_of(work, struct smp_chan,
1368 					    security_timer.work);
1369 	struct l2cap_conn *conn = smp->conn;
1370 
1371 	BT_DBG("conn %p", conn);
1372 
1373 	hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1374 }
1375 
1376 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1377 {
1378 	struct l2cap_chan *chan = conn->smp;
1379 	struct smp_chan *smp;
1380 
1381 	smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1382 	if (!smp)
1383 		return NULL;
1384 
1385 	smp->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
1386 	if (IS_ERR(smp->tfm_aes)) {
1387 		BT_ERR("Unable to create ECB crypto context");
1388 		kzfree(smp);
1389 		return NULL;
1390 	}
1391 
1392 	smp->tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
1393 	if (IS_ERR(smp->tfm_cmac)) {
1394 		BT_ERR("Unable to create CMAC crypto context");
1395 		crypto_free_blkcipher(smp->tfm_aes);
1396 		kzfree(smp);
1397 		return NULL;
1398 	}
1399 
1400 	smp->conn = conn;
1401 	chan->data = smp;
1402 
1403 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1404 
1405 	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1406 
1407 	hci_conn_hold(conn->hcon);
1408 
1409 	return smp;
1410 }
1411 
1412 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1413 {
1414 	struct hci_conn *hcon = smp->conn->hcon;
1415 	u8 *na, *nb, a[7], b[7];
1416 
1417 	if (hcon->out) {
1418 		na   = smp->prnd;
1419 		nb   = smp->rrnd;
1420 	} else {
1421 		na   = smp->rrnd;
1422 		nb   = smp->prnd;
1423 	}
1424 
1425 	memcpy(a, &hcon->init_addr, 6);
1426 	memcpy(b, &hcon->resp_addr, 6);
1427 	a[6] = hcon->init_addr_type;
1428 	b[6] = hcon->resp_addr_type;
1429 
1430 	return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1431 }
1432 
1433 static void sc_dhkey_check(struct smp_chan *smp)
1434 {
1435 	struct hci_conn *hcon = smp->conn->hcon;
1436 	struct smp_cmd_dhkey_check check;
1437 	u8 a[7], b[7], *local_addr, *remote_addr;
1438 	u8 io_cap[3], r[16];
1439 
1440 	memcpy(a, &hcon->init_addr, 6);
1441 	memcpy(b, &hcon->resp_addr, 6);
1442 	a[6] = hcon->init_addr_type;
1443 	b[6] = hcon->resp_addr_type;
1444 
1445 	if (hcon->out) {
1446 		local_addr = a;
1447 		remote_addr = b;
1448 		memcpy(io_cap, &smp->preq[1], 3);
1449 	} else {
1450 		local_addr = b;
1451 		remote_addr = a;
1452 		memcpy(io_cap, &smp->prsp[1], 3);
1453 	}
1454 
1455 	memset(r, 0, sizeof(r));
1456 
1457 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1458 		put_unaligned_le32(hcon->passkey_notify, r);
1459 
1460 	if (smp->method == REQ_OOB)
1461 		memcpy(r, smp->rr, 16);
1462 
1463 	smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1464 	       local_addr, remote_addr, check.e);
1465 
1466 	smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1467 }
1468 
1469 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1470 {
1471 	struct l2cap_conn *conn = smp->conn;
1472 	struct hci_conn *hcon = conn->hcon;
1473 	struct smp_cmd_pairing_confirm cfm;
1474 	u8 r;
1475 
1476 	r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1477 	r |= 0x80;
1478 
1479 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1480 
1481 	if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1482 		   cfm.confirm_val))
1483 		return SMP_UNSPECIFIED;
1484 
1485 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1486 
1487 	return 0;
1488 }
1489 
1490 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1491 {
1492 	struct l2cap_conn *conn = smp->conn;
1493 	struct hci_conn *hcon = conn->hcon;
1494 	struct hci_dev *hdev = hcon->hdev;
1495 	u8 cfm[16], r;
1496 
1497 	/* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1498 	if (smp->passkey_round >= 20)
1499 		return 0;
1500 
1501 	switch (smp_op) {
1502 	case SMP_CMD_PAIRING_RANDOM:
1503 		r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1504 		r |= 0x80;
1505 
1506 		if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1507 			   smp->rrnd, r, cfm))
1508 			return SMP_UNSPECIFIED;
1509 
1510 		if (memcmp(smp->pcnf, cfm, 16))
1511 			return SMP_CONFIRM_FAILED;
1512 
1513 		smp->passkey_round++;
1514 
1515 		if (smp->passkey_round == 20) {
1516 			/* Generate MacKey and LTK */
1517 			if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1518 				return SMP_UNSPECIFIED;
1519 		}
1520 
1521 		/* The round is only complete when the initiator
1522 		 * receives pairing random.
1523 		 */
1524 		if (!hcon->out) {
1525 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1526 				     sizeof(smp->prnd), smp->prnd);
1527 			if (smp->passkey_round == 20)
1528 				SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1529 			else
1530 				SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1531 			return 0;
1532 		}
1533 
1534 		/* Start the next round */
1535 		if (smp->passkey_round != 20)
1536 			return sc_passkey_round(smp, 0);
1537 
1538 		/* Passkey rounds are complete - start DHKey Check */
1539 		sc_dhkey_check(smp);
1540 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1541 
1542 		break;
1543 
1544 	case SMP_CMD_PAIRING_CONFIRM:
1545 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1546 			set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1547 			return 0;
1548 		}
1549 
1550 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1551 
1552 		if (hcon->out) {
1553 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1554 				     sizeof(smp->prnd), smp->prnd);
1555 			return 0;
1556 		}
1557 
1558 		return sc_passkey_send_confirm(smp);
1559 
1560 	case SMP_CMD_PUBLIC_KEY:
1561 	default:
1562 		/* Initiating device starts the round */
1563 		if (!hcon->out)
1564 			return 0;
1565 
1566 		BT_DBG("%s Starting passkey round %u", hdev->name,
1567 		       smp->passkey_round + 1);
1568 
1569 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1570 
1571 		return sc_passkey_send_confirm(smp);
1572 	}
1573 
1574 	return 0;
1575 }
1576 
1577 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1578 {
1579 	struct l2cap_conn *conn = smp->conn;
1580 	struct hci_conn *hcon = conn->hcon;
1581 	u8 smp_op;
1582 
1583 	clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1584 
1585 	switch (mgmt_op) {
1586 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1587 		smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1588 		return 0;
1589 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1590 		smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1591 		return 0;
1592 	case MGMT_OP_USER_PASSKEY_REPLY:
1593 		hcon->passkey_notify = le32_to_cpu(passkey);
1594 		smp->passkey_round = 0;
1595 
1596 		if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1597 			smp_op = SMP_CMD_PAIRING_CONFIRM;
1598 		else
1599 			smp_op = 0;
1600 
1601 		if (sc_passkey_round(smp, smp_op))
1602 			return -EIO;
1603 
1604 		return 0;
1605 	}
1606 
1607 	/* Initiator sends DHKey check first */
1608 	if (hcon->out) {
1609 		sc_dhkey_check(smp);
1610 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1611 	} else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1612 		sc_dhkey_check(smp);
1613 		sc_add_ltk(smp);
1614 	}
1615 
1616 	return 0;
1617 }
1618 
1619 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1620 {
1621 	struct l2cap_conn *conn = hcon->l2cap_data;
1622 	struct l2cap_chan *chan;
1623 	struct smp_chan *smp;
1624 	u32 value;
1625 	int err;
1626 
1627 	BT_DBG("");
1628 
1629 	if (!conn)
1630 		return -ENOTCONN;
1631 
1632 	chan = conn->smp;
1633 	if (!chan)
1634 		return -ENOTCONN;
1635 
1636 	l2cap_chan_lock(chan);
1637 	if (!chan->data) {
1638 		err = -ENOTCONN;
1639 		goto unlock;
1640 	}
1641 
1642 	smp = chan->data;
1643 
1644 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1645 		err = sc_user_reply(smp, mgmt_op, passkey);
1646 		goto unlock;
1647 	}
1648 
1649 	switch (mgmt_op) {
1650 	case MGMT_OP_USER_PASSKEY_REPLY:
1651 		value = le32_to_cpu(passkey);
1652 		memset(smp->tk, 0, sizeof(smp->tk));
1653 		BT_DBG("PassKey: %d", value);
1654 		put_unaligned_le32(value, smp->tk);
1655 		/* Fall Through */
1656 	case MGMT_OP_USER_CONFIRM_REPLY:
1657 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1658 		break;
1659 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1660 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1661 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1662 		err = 0;
1663 		goto unlock;
1664 	default:
1665 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1666 		err = -EOPNOTSUPP;
1667 		goto unlock;
1668 	}
1669 
1670 	err = 0;
1671 
1672 	/* If it is our turn to send Pairing Confirm, do so now */
1673 	if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1674 		u8 rsp = smp_confirm(smp);
1675 		if (rsp)
1676 			smp_failure(conn, rsp);
1677 	}
1678 
1679 unlock:
1680 	l2cap_chan_unlock(chan);
1681 	return err;
1682 }
1683 
1684 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1685 				    struct smp_cmd_pairing *req,
1686 				    struct smp_cmd_pairing *rsp)
1687 {
1688 	struct l2cap_conn *conn = smp->conn;
1689 	struct hci_dev *hdev = conn->hcon->hdev;
1690 	u8 local_dist = 0, remote_dist = 0;
1691 
1692 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1693 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1694 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1695 	}
1696 
1697 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1698 		remote_dist |= SMP_DIST_ID_KEY;
1699 
1700 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1701 		local_dist |= SMP_DIST_ID_KEY;
1702 
1703 	if (!rsp) {
1704 		memset(req, 0, sizeof(*req));
1705 
1706 		req->init_key_dist   = local_dist;
1707 		req->resp_key_dist   = remote_dist;
1708 		req->max_key_size    = conn->hcon->enc_key_size;
1709 
1710 		smp->remote_key_dist = remote_dist;
1711 
1712 		return;
1713 	}
1714 
1715 	memset(rsp, 0, sizeof(*rsp));
1716 
1717 	rsp->max_key_size    = conn->hcon->enc_key_size;
1718 	rsp->init_key_dist   = req->init_key_dist & remote_dist;
1719 	rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1720 
1721 	smp->remote_key_dist = rsp->init_key_dist;
1722 }
1723 
1724 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1725 {
1726 	struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1727 	struct l2cap_chan *chan = conn->smp;
1728 	struct hci_dev *hdev = conn->hcon->hdev;
1729 	struct smp_chan *smp;
1730 	u8 key_size, auth, sec_level;
1731 	int ret;
1732 
1733 	BT_DBG("conn %p", conn);
1734 
1735 	if (skb->len < sizeof(*req))
1736 		return SMP_INVALID_PARAMS;
1737 
1738 	if (conn->hcon->role != HCI_ROLE_SLAVE)
1739 		return SMP_CMD_NOTSUPP;
1740 
1741 	if (!chan->data)
1742 		smp = smp_chan_create(conn);
1743 	else
1744 		smp = chan->data;
1745 
1746 	if (!smp)
1747 		return SMP_UNSPECIFIED;
1748 
1749 	/* We didn't start the pairing, so match remote */
1750 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
1751 
1752 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1753 	    (auth & SMP_AUTH_BONDING))
1754 		return SMP_PAIRING_NOTSUPP;
1755 
1756 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1757 		return SMP_AUTH_REQUIREMENTS;
1758 
1759 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
1760 	memcpy(&smp->preq[1], req, sizeof(*req));
1761 	skb_pull(skb, sizeof(*req));
1762 
1763 	/* If the remote side's OOB flag is set it means it has
1764 	 * successfully received our local OOB data - therefore set the
1765 	 * flag to indicate that local OOB is in use.
1766 	 */
1767 	if (req->oob_flag == SMP_OOB_PRESENT)
1768 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1769 
1770 	/* SMP over BR/EDR requires special treatment */
1771 	if (conn->hcon->type == ACL_LINK) {
1772 		/* We must have a BR/EDR SC link */
1773 		if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1774 		    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1775 			return SMP_CROSS_TRANSP_NOT_ALLOWED;
1776 
1777 		set_bit(SMP_FLAG_SC, &smp->flags);
1778 
1779 		build_bredr_pairing_cmd(smp, req, &rsp);
1780 
1781 		key_size = min(req->max_key_size, rsp.max_key_size);
1782 		if (check_enc_key_size(conn, key_size))
1783 			return SMP_ENC_KEY_SIZE;
1784 
1785 		/* Clear bits which are generated but not distributed */
1786 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1787 
1788 		smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1789 		memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1790 		smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1791 
1792 		smp_distribute_keys(smp);
1793 		return 0;
1794 	}
1795 
1796 	build_pairing_cmd(conn, req, &rsp, auth);
1797 
1798 	if (rsp.auth_req & SMP_AUTH_SC)
1799 		set_bit(SMP_FLAG_SC, &smp->flags);
1800 
1801 	if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1802 		sec_level = BT_SECURITY_MEDIUM;
1803 	else
1804 		sec_level = authreq_to_seclevel(auth);
1805 
1806 	if (sec_level > conn->hcon->pending_sec_level)
1807 		conn->hcon->pending_sec_level = sec_level;
1808 
1809 	/* If we need MITM check that it can be achieved */
1810 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1811 		u8 method;
1812 
1813 		method = get_auth_method(smp, conn->hcon->io_capability,
1814 					 req->io_capability);
1815 		if (method == JUST_WORKS || method == JUST_CFM)
1816 			return SMP_AUTH_REQUIREMENTS;
1817 	}
1818 
1819 	key_size = min(req->max_key_size, rsp.max_key_size);
1820 	if (check_enc_key_size(conn, key_size))
1821 		return SMP_ENC_KEY_SIZE;
1822 
1823 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1824 
1825 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1826 	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1827 
1828 	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1829 
1830 	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1831 
1832 	/* Strictly speaking we shouldn't allow Pairing Confirm for the
1833 	 * SC case, however some implementations incorrectly copy RFU auth
1834 	 * req bits from our security request, which may create a false
1835 	 * positive SC enablement.
1836 	 */
1837 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1838 
1839 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1840 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1841 		/* Clear bits which are generated but not distributed */
1842 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1843 		/* Wait for Public Key from Initiating Device */
1844 		return 0;
1845 	}
1846 
1847 	/* Request setup of TK */
1848 	ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1849 	if (ret)
1850 		return SMP_UNSPECIFIED;
1851 
1852 	return 0;
1853 }
1854 
1855 static u8 sc_send_public_key(struct smp_chan *smp)
1856 {
1857 	struct hci_dev *hdev = smp->conn->hcon->hdev;
1858 
1859 	BT_DBG("");
1860 
1861 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1862 		struct l2cap_chan *chan = hdev->smp_data;
1863 		struct smp_dev *smp_dev;
1864 
1865 		if (!chan || !chan->data)
1866 			return SMP_UNSPECIFIED;
1867 
1868 		smp_dev = chan->data;
1869 
1870 		memcpy(smp->local_pk, smp_dev->local_pk, 64);
1871 		memcpy(smp->local_sk, smp_dev->local_sk, 32);
1872 		memcpy(smp->lr, smp_dev->local_rand, 16);
1873 
1874 		if (smp_dev->debug_key)
1875 			set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1876 
1877 		goto done;
1878 	}
1879 
1880 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1881 		BT_DBG("Using debug keys");
1882 		memcpy(smp->local_pk, debug_pk, 64);
1883 		memcpy(smp->local_sk, debug_sk, 32);
1884 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1885 	} else {
1886 		while (true) {
1887 			/* Generate local key pair for Secure Connections */
1888 			if (!ecc_make_key(smp->local_pk, smp->local_sk))
1889 				return SMP_UNSPECIFIED;
1890 
1891 			/* This is unlikely, but we need to check that
1892 			 * we didn't accidentially generate a debug key.
1893 			 */
1894 			if (memcmp(smp->local_sk, debug_sk, 32))
1895 				break;
1896 		}
1897 	}
1898 
1899 done:
1900 	SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1901 	SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1902 	SMP_DBG("Local Private Key:  %32phN", smp->local_sk);
1903 
1904 	smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1905 
1906 	return 0;
1907 }
1908 
1909 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1910 {
1911 	struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1912 	struct l2cap_chan *chan = conn->smp;
1913 	struct smp_chan *smp = chan->data;
1914 	struct hci_dev *hdev = conn->hcon->hdev;
1915 	u8 key_size, auth;
1916 	int ret;
1917 
1918 	BT_DBG("conn %p", conn);
1919 
1920 	if (skb->len < sizeof(*rsp))
1921 		return SMP_INVALID_PARAMS;
1922 
1923 	if (conn->hcon->role != HCI_ROLE_MASTER)
1924 		return SMP_CMD_NOTSUPP;
1925 
1926 	skb_pull(skb, sizeof(*rsp));
1927 
1928 	req = (void *) &smp->preq[1];
1929 
1930 	key_size = min(req->max_key_size, rsp->max_key_size);
1931 	if (check_enc_key_size(conn, key_size))
1932 		return SMP_ENC_KEY_SIZE;
1933 
1934 	auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1935 
1936 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1937 		return SMP_AUTH_REQUIREMENTS;
1938 
1939 	/* If the remote side's OOB flag is set it means it has
1940 	 * successfully received our local OOB data - therefore set the
1941 	 * flag to indicate that local OOB is in use.
1942 	 */
1943 	if (rsp->oob_flag == SMP_OOB_PRESENT)
1944 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1945 
1946 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1947 	memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1948 
1949 	/* Update remote key distribution in case the remote cleared
1950 	 * some bits that we had enabled in our request.
1951 	 */
1952 	smp->remote_key_dist &= rsp->resp_key_dist;
1953 
1954 	/* For BR/EDR this means we're done and can start phase 3 */
1955 	if (conn->hcon->type == ACL_LINK) {
1956 		/* Clear bits which are generated but not distributed */
1957 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1958 		smp_distribute_keys(smp);
1959 		return 0;
1960 	}
1961 
1962 	if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1963 		set_bit(SMP_FLAG_SC, &smp->flags);
1964 	else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1965 		conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1966 
1967 	/* If we need MITM check that it can be achieved */
1968 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1969 		u8 method;
1970 
1971 		method = get_auth_method(smp, req->io_capability,
1972 					 rsp->io_capability);
1973 		if (method == JUST_WORKS || method == JUST_CFM)
1974 			return SMP_AUTH_REQUIREMENTS;
1975 	}
1976 
1977 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1978 
1979 	/* Update remote key distribution in case the remote cleared
1980 	 * some bits that we had enabled in our request.
1981 	 */
1982 	smp->remote_key_dist &= rsp->resp_key_dist;
1983 
1984 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1985 		/* Clear bits which are generated but not distributed */
1986 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1987 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1988 		return sc_send_public_key(smp);
1989 	}
1990 
1991 	auth |= req->auth_req;
1992 
1993 	ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
1994 	if (ret)
1995 		return SMP_UNSPECIFIED;
1996 
1997 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1998 
1999 	/* Can't compose response until we have been confirmed */
2000 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2001 		return smp_confirm(smp);
2002 
2003 	return 0;
2004 }
2005 
2006 static u8 sc_check_confirm(struct smp_chan *smp)
2007 {
2008 	struct l2cap_conn *conn = smp->conn;
2009 
2010 	BT_DBG("");
2011 
2012 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2013 		return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2014 
2015 	if (conn->hcon->out) {
2016 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2017 			     smp->prnd);
2018 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2019 	}
2020 
2021 	return 0;
2022 }
2023 
2024 /* Work-around for some implementations that incorrectly copy RFU bits
2025  * from our security request and thereby create the impression that
2026  * we're doing SC when in fact the remote doesn't support it.
2027  */
2028 static int fixup_sc_false_positive(struct smp_chan *smp)
2029 {
2030 	struct l2cap_conn *conn = smp->conn;
2031 	struct hci_conn *hcon = conn->hcon;
2032 	struct hci_dev *hdev = hcon->hdev;
2033 	struct smp_cmd_pairing *req, *rsp;
2034 	u8 auth;
2035 
2036 	/* The issue is only observed when we're in slave role */
2037 	if (hcon->out)
2038 		return SMP_UNSPECIFIED;
2039 
2040 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2041 		BT_ERR("Refusing SMP SC -> legacy fallback in SC-only mode");
2042 		return SMP_UNSPECIFIED;
2043 	}
2044 
2045 	BT_ERR("Trying to fall back to legacy SMP");
2046 
2047 	req = (void *) &smp->preq[1];
2048 	rsp = (void *) &smp->prsp[1];
2049 
2050 	/* Rebuild key dist flags which may have been cleared for SC */
2051 	smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2052 
2053 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
2054 
2055 	if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2056 		BT_ERR("Failed to fall back to legacy SMP");
2057 		return SMP_UNSPECIFIED;
2058 	}
2059 
2060 	clear_bit(SMP_FLAG_SC, &smp->flags);
2061 
2062 	return 0;
2063 }
2064 
2065 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2066 {
2067 	struct l2cap_chan *chan = conn->smp;
2068 	struct smp_chan *smp = chan->data;
2069 
2070 	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
2071 
2072 	if (skb->len < sizeof(smp->pcnf))
2073 		return SMP_INVALID_PARAMS;
2074 
2075 	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2076 	skb_pull(skb, sizeof(smp->pcnf));
2077 
2078 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2079 		int ret;
2080 
2081 		/* Public Key exchange must happen before any other steps */
2082 		if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2083 			return sc_check_confirm(smp);
2084 
2085 		BT_ERR("Unexpected SMP Pairing Confirm");
2086 
2087 		ret = fixup_sc_false_positive(smp);
2088 		if (ret)
2089 			return ret;
2090 	}
2091 
2092 	if (conn->hcon->out) {
2093 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2094 			     smp->prnd);
2095 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2096 		return 0;
2097 	}
2098 
2099 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2100 		return smp_confirm(smp);
2101 
2102 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2103 
2104 	return 0;
2105 }
2106 
2107 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2108 {
2109 	struct l2cap_chan *chan = conn->smp;
2110 	struct smp_chan *smp = chan->data;
2111 	struct hci_conn *hcon = conn->hcon;
2112 	u8 *pkax, *pkbx, *na, *nb;
2113 	u32 passkey;
2114 	int err;
2115 
2116 	BT_DBG("conn %p", conn);
2117 
2118 	if (skb->len < sizeof(smp->rrnd))
2119 		return SMP_INVALID_PARAMS;
2120 
2121 	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2122 	skb_pull(skb, sizeof(smp->rrnd));
2123 
2124 	if (!test_bit(SMP_FLAG_SC, &smp->flags))
2125 		return smp_random(smp);
2126 
2127 	if (hcon->out) {
2128 		pkax = smp->local_pk;
2129 		pkbx = smp->remote_pk;
2130 		na   = smp->prnd;
2131 		nb   = smp->rrnd;
2132 	} else {
2133 		pkax = smp->remote_pk;
2134 		pkbx = smp->local_pk;
2135 		na   = smp->rrnd;
2136 		nb   = smp->prnd;
2137 	}
2138 
2139 	if (smp->method == REQ_OOB) {
2140 		if (!hcon->out)
2141 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2142 				     sizeof(smp->prnd), smp->prnd);
2143 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2144 		goto mackey_and_ltk;
2145 	}
2146 
2147 	/* Passkey entry has special treatment */
2148 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2149 		return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2150 
2151 	if (hcon->out) {
2152 		u8 cfm[16];
2153 
2154 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2155 			     smp->rrnd, 0, cfm);
2156 		if (err)
2157 			return SMP_UNSPECIFIED;
2158 
2159 		if (memcmp(smp->pcnf, cfm, 16))
2160 			return SMP_CONFIRM_FAILED;
2161 	} else {
2162 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2163 			     smp->prnd);
2164 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2165 	}
2166 
2167 mackey_and_ltk:
2168 	/* Generate MacKey and LTK */
2169 	err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2170 	if (err)
2171 		return SMP_UNSPECIFIED;
2172 
2173 	if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2174 		if (hcon->out) {
2175 			sc_dhkey_check(smp);
2176 			SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2177 		}
2178 		return 0;
2179 	}
2180 
2181 	err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2182 	if (err)
2183 		return SMP_UNSPECIFIED;
2184 
2185 	err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2186 					hcon->dst_type, passkey, 0);
2187 	if (err)
2188 		return SMP_UNSPECIFIED;
2189 
2190 	set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2191 
2192 	return 0;
2193 }
2194 
2195 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2196 {
2197 	struct smp_ltk *key;
2198 	struct hci_conn *hcon = conn->hcon;
2199 
2200 	key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2201 	if (!key)
2202 		return false;
2203 
2204 	if (smp_ltk_sec_level(key) < sec_level)
2205 		return false;
2206 
2207 	if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2208 		return true;
2209 
2210 	hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2211 	hcon->enc_key_size = key->enc_size;
2212 
2213 	/* We never store STKs for master role, so clear this flag */
2214 	clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2215 
2216 	return true;
2217 }
2218 
2219 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2220 			     enum smp_key_pref key_pref)
2221 {
2222 	if (sec_level == BT_SECURITY_LOW)
2223 		return true;
2224 
2225 	/* If we're encrypted with an STK but the caller prefers using
2226 	 * LTK claim insufficient security. This way we allow the
2227 	 * connection to be re-encrypted with an LTK, even if the LTK
2228 	 * provides the same level of security. Only exception is if we
2229 	 * don't have an LTK (e.g. because of key distribution bits).
2230 	 */
2231 	if (key_pref == SMP_USE_LTK &&
2232 	    test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2233 	    hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2234 		return false;
2235 
2236 	if (hcon->sec_level >= sec_level)
2237 		return true;
2238 
2239 	return false;
2240 }
2241 
2242 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2243 {
2244 	struct smp_cmd_security_req *rp = (void *) skb->data;
2245 	struct smp_cmd_pairing cp;
2246 	struct hci_conn *hcon = conn->hcon;
2247 	struct hci_dev *hdev = hcon->hdev;
2248 	struct smp_chan *smp;
2249 	u8 sec_level, auth;
2250 
2251 	BT_DBG("conn %p", conn);
2252 
2253 	if (skb->len < sizeof(*rp))
2254 		return SMP_INVALID_PARAMS;
2255 
2256 	if (hcon->role != HCI_ROLE_MASTER)
2257 		return SMP_CMD_NOTSUPP;
2258 
2259 	auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2260 
2261 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2262 		return SMP_AUTH_REQUIREMENTS;
2263 
2264 	if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2265 		sec_level = BT_SECURITY_MEDIUM;
2266 	else
2267 		sec_level = authreq_to_seclevel(auth);
2268 
2269 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2270 		return 0;
2271 
2272 	if (sec_level > hcon->pending_sec_level)
2273 		hcon->pending_sec_level = sec_level;
2274 
2275 	if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2276 		return 0;
2277 
2278 	smp = smp_chan_create(conn);
2279 	if (!smp)
2280 		return SMP_UNSPECIFIED;
2281 
2282 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2283 	    (auth & SMP_AUTH_BONDING))
2284 		return SMP_PAIRING_NOTSUPP;
2285 
2286 	skb_pull(skb, sizeof(*rp));
2287 
2288 	memset(&cp, 0, sizeof(cp));
2289 	build_pairing_cmd(conn, &cp, NULL, auth);
2290 
2291 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2292 	memcpy(&smp->preq[1], &cp, sizeof(cp));
2293 
2294 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2295 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2296 
2297 	return 0;
2298 }
2299 
2300 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2301 {
2302 	struct l2cap_conn *conn = hcon->l2cap_data;
2303 	struct l2cap_chan *chan;
2304 	struct smp_chan *smp;
2305 	__u8 authreq;
2306 	int ret;
2307 
2308 	BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2309 
2310 	/* This may be NULL if there's an unexpected disconnection */
2311 	if (!conn)
2312 		return 1;
2313 
2314 	chan = conn->smp;
2315 	if (!chan) {
2316 		BT_ERR("SMP security requested but not available");
2317 		return 1;
2318 	}
2319 
2320 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2321 		return 1;
2322 
2323 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2324 		return 1;
2325 
2326 	if (sec_level > hcon->pending_sec_level)
2327 		hcon->pending_sec_level = sec_level;
2328 
2329 	if (hcon->role == HCI_ROLE_MASTER)
2330 		if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2331 			return 0;
2332 
2333 	l2cap_chan_lock(chan);
2334 
2335 	/* If SMP is already in progress ignore this request */
2336 	if (chan->data) {
2337 		ret = 0;
2338 		goto unlock;
2339 	}
2340 
2341 	smp = smp_chan_create(conn);
2342 	if (!smp) {
2343 		ret = 1;
2344 		goto unlock;
2345 	}
2346 
2347 	authreq = seclevel_to_authreq(sec_level);
2348 
2349 	if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED))
2350 		authreq |= SMP_AUTH_SC;
2351 
2352 	/* Require MITM if IO Capability allows or the security level
2353 	 * requires it.
2354 	 */
2355 	if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2356 	    hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2357 		authreq |= SMP_AUTH_MITM;
2358 
2359 	if (hcon->role == HCI_ROLE_MASTER) {
2360 		struct smp_cmd_pairing cp;
2361 
2362 		build_pairing_cmd(conn, &cp, NULL, authreq);
2363 		smp->preq[0] = SMP_CMD_PAIRING_REQ;
2364 		memcpy(&smp->preq[1], &cp, sizeof(cp));
2365 
2366 		smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2367 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2368 	} else {
2369 		struct smp_cmd_security_req cp;
2370 		cp.auth_req = authreq;
2371 		smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2372 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2373 	}
2374 
2375 	set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2376 	ret = 0;
2377 
2378 unlock:
2379 	l2cap_chan_unlock(chan);
2380 	return ret;
2381 }
2382 
2383 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2384 {
2385 	struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2386 	struct l2cap_chan *chan = conn->smp;
2387 	struct smp_chan *smp = chan->data;
2388 
2389 	BT_DBG("conn %p", conn);
2390 
2391 	if (skb->len < sizeof(*rp))
2392 		return SMP_INVALID_PARAMS;
2393 
2394 	SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2395 
2396 	skb_pull(skb, sizeof(*rp));
2397 
2398 	memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2399 
2400 	return 0;
2401 }
2402 
2403 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2404 {
2405 	struct smp_cmd_master_ident *rp = (void *) skb->data;
2406 	struct l2cap_chan *chan = conn->smp;
2407 	struct smp_chan *smp = chan->data;
2408 	struct hci_dev *hdev = conn->hcon->hdev;
2409 	struct hci_conn *hcon = conn->hcon;
2410 	struct smp_ltk *ltk;
2411 	u8 authenticated;
2412 
2413 	BT_DBG("conn %p", conn);
2414 
2415 	if (skb->len < sizeof(*rp))
2416 		return SMP_INVALID_PARAMS;
2417 
2418 	/* Mark the information as received */
2419 	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2420 
2421 	if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2422 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2423 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
2424 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2425 
2426 	skb_pull(skb, sizeof(*rp));
2427 
2428 	authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2429 	ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2430 			  authenticated, smp->tk, smp->enc_key_size,
2431 			  rp->ediv, rp->rand);
2432 	smp->ltk = ltk;
2433 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2434 		smp_distribute_keys(smp);
2435 
2436 	return 0;
2437 }
2438 
2439 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2440 {
2441 	struct smp_cmd_ident_info *info = (void *) skb->data;
2442 	struct l2cap_chan *chan = conn->smp;
2443 	struct smp_chan *smp = chan->data;
2444 
2445 	BT_DBG("");
2446 
2447 	if (skb->len < sizeof(*info))
2448 		return SMP_INVALID_PARAMS;
2449 
2450 	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2451 
2452 	skb_pull(skb, sizeof(*info));
2453 
2454 	memcpy(smp->irk, info->irk, 16);
2455 
2456 	return 0;
2457 }
2458 
2459 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2460 				   struct sk_buff *skb)
2461 {
2462 	struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2463 	struct l2cap_chan *chan = conn->smp;
2464 	struct smp_chan *smp = chan->data;
2465 	struct hci_conn *hcon = conn->hcon;
2466 	bdaddr_t rpa;
2467 
2468 	BT_DBG("");
2469 
2470 	if (skb->len < sizeof(*info))
2471 		return SMP_INVALID_PARAMS;
2472 
2473 	/* Mark the information as received */
2474 	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2475 
2476 	if (smp->remote_key_dist & SMP_DIST_SIGN)
2477 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2478 
2479 	skb_pull(skb, sizeof(*info));
2480 
2481 	/* Strictly speaking the Core Specification (4.1) allows sending
2482 	 * an empty address which would force us to rely on just the IRK
2483 	 * as "identity information". However, since such
2484 	 * implementations are not known of and in order to not over
2485 	 * complicate our implementation, simply pretend that we never
2486 	 * received an IRK for such a device.
2487 	 *
2488 	 * The Identity Address must also be a Static Random or Public
2489 	 * Address, which hci_is_identity_address() checks for.
2490 	 */
2491 	if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2492 	    !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2493 		BT_ERR("Ignoring IRK with no identity address");
2494 		goto distribute;
2495 	}
2496 
2497 	bacpy(&smp->id_addr, &info->bdaddr);
2498 	smp->id_addr_type = info->addr_type;
2499 
2500 	if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2501 		bacpy(&rpa, &hcon->dst);
2502 	else
2503 		bacpy(&rpa, BDADDR_ANY);
2504 
2505 	smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2506 				      smp->id_addr_type, smp->irk, &rpa);
2507 
2508 distribute:
2509 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2510 		smp_distribute_keys(smp);
2511 
2512 	return 0;
2513 }
2514 
2515 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2516 {
2517 	struct smp_cmd_sign_info *rp = (void *) skb->data;
2518 	struct l2cap_chan *chan = conn->smp;
2519 	struct smp_chan *smp = chan->data;
2520 	struct smp_csrk *csrk;
2521 
2522 	BT_DBG("conn %p", conn);
2523 
2524 	if (skb->len < sizeof(*rp))
2525 		return SMP_INVALID_PARAMS;
2526 
2527 	/* Mark the information as received */
2528 	smp->remote_key_dist &= ~SMP_DIST_SIGN;
2529 
2530 	skb_pull(skb, sizeof(*rp));
2531 
2532 	csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2533 	if (csrk) {
2534 		if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2535 			csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2536 		else
2537 			csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2538 		memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2539 	}
2540 	smp->csrk = csrk;
2541 	smp_distribute_keys(smp);
2542 
2543 	return 0;
2544 }
2545 
2546 static u8 sc_select_method(struct smp_chan *smp)
2547 {
2548 	struct l2cap_conn *conn = smp->conn;
2549 	struct hci_conn *hcon = conn->hcon;
2550 	struct smp_cmd_pairing *local, *remote;
2551 	u8 local_mitm, remote_mitm, local_io, remote_io, method;
2552 
2553 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2554 	    test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2555 		return REQ_OOB;
2556 
2557 	/* The preq/prsp contain the raw Pairing Request/Response PDUs
2558 	 * which are needed as inputs to some crypto functions. To get
2559 	 * the "struct smp_cmd_pairing" from them we need to skip the
2560 	 * first byte which contains the opcode.
2561 	 */
2562 	if (hcon->out) {
2563 		local = (void *) &smp->preq[1];
2564 		remote = (void *) &smp->prsp[1];
2565 	} else {
2566 		local = (void *) &smp->prsp[1];
2567 		remote = (void *) &smp->preq[1];
2568 	}
2569 
2570 	local_io = local->io_capability;
2571 	remote_io = remote->io_capability;
2572 
2573 	local_mitm = (local->auth_req & SMP_AUTH_MITM);
2574 	remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2575 
2576 	/* If either side wants MITM, look up the method from the table,
2577 	 * otherwise use JUST WORKS.
2578 	 */
2579 	if (local_mitm || remote_mitm)
2580 		method = get_auth_method(smp, local_io, remote_io);
2581 	else
2582 		method = JUST_WORKS;
2583 
2584 	/* Don't confirm locally initiated pairing attempts */
2585 	if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2586 		method = JUST_WORKS;
2587 
2588 	return method;
2589 }
2590 
2591 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2592 {
2593 	struct smp_cmd_public_key *key = (void *) skb->data;
2594 	struct hci_conn *hcon = conn->hcon;
2595 	struct l2cap_chan *chan = conn->smp;
2596 	struct smp_chan *smp = chan->data;
2597 	struct hci_dev *hdev = hcon->hdev;
2598 	struct smp_cmd_pairing_confirm cfm;
2599 	int err;
2600 
2601 	BT_DBG("conn %p", conn);
2602 
2603 	if (skb->len < sizeof(*key))
2604 		return SMP_INVALID_PARAMS;
2605 
2606 	memcpy(smp->remote_pk, key, 64);
2607 
2608 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2609 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2610 			     smp->rr, 0, cfm.confirm_val);
2611 		if (err)
2612 			return SMP_UNSPECIFIED;
2613 
2614 		if (memcmp(cfm.confirm_val, smp->pcnf, 16))
2615 			return SMP_CONFIRM_FAILED;
2616 	}
2617 
2618 	/* Non-initiating device sends its public key after receiving
2619 	 * the key from the initiating device.
2620 	 */
2621 	if (!hcon->out) {
2622 		err = sc_send_public_key(smp);
2623 		if (err)
2624 			return err;
2625 	}
2626 
2627 	SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2628 	SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2629 
2630 	if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2631 		return SMP_UNSPECIFIED;
2632 
2633 	SMP_DBG("DHKey %32phN", smp->dhkey);
2634 
2635 	set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2636 
2637 	smp->method = sc_select_method(smp);
2638 
2639 	BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2640 
2641 	/* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2642 	if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2643 		hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2644 	else
2645 		hcon->pending_sec_level = BT_SECURITY_FIPS;
2646 
2647 	if (!memcmp(debug_pk, smp->remote_pk, 64))
2648 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2649 
2650 	if (smp->method == DSP_PASSKEY) {
2651 		get_random_bytes(&hcon->passkey_notify,
2652 				 sizeof(hcon->passkey_notify));
2653 		hcon->passkey_notify %= 1000000;
2654 		hcon->passkey_entered = 0;
2655 		smp->passkey_round = 0;
2656 		if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2657 					     hcon->dst_type,
2658 					     hcon->passkey_notify,
2659 					     hcon->passkey_entered))
2660 			return SMP_UNSPECIFIED;
2661 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2662 		return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2663 	}
2664 
2665 	if (smp->method == REQ_OOB) {
2666 		if (hcon->out)
2667 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2668 				     sizeof(smp->prnd), smp->prnd);
2669 
2670 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2671 
2672 		return 0;
2673 	}
2674 
2675 	if (hcon->out)
2676 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2677 
2678 	if (smp->method == REQ_PASSKEY) {
2679 		if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2680 					      hcon->dst_type))
2681 			return SMP_UNSPECIFIED;
2682 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2683 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2684 		return 0;
2685 	}
2686 
2687 	/* The Initiating device waits for the non-initiating device to
2688 	 * send the confirm value.
2689 	 */
2690 	if (conn->hcon->out)
2691 		return 0;
2692 
2693 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2694 		     0, cfm.confirm_val);
2695 	if (err)
2696 		return SMP_UNSPECIFIED;
2697 
2698 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2699 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2700 
2701 	return 0;
2702 }
2703 
2704 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2705 {
2706 	struct smp_cmd_dhkey_check *check = (void *) skb->data;
2707 	struct l2cap_chan *chan = conn->smp;
2708 	struct hci_conn *hcon = conn->hcon;
2709 	struct smp_chan *smp = chan->data;
2710 	u8 a[7], b[7], *local_addr, *remote_addr;
2711 	u8 io_cap[3], r[16], e[16];
2712 	int err;
2713 
2714 	BT_DBG("conn %p", conn);
2715 
2716 	if (skb->len < sizeof(*check))
2717 		return SMP_INVALID_PARAMS;
2718 
2719 	memcpy(a, &hcon->init_addr, 6);
2720 	memcpy(b, &hcon->resp_addr, 6);
2721 	a[6] = hcon->init_addr_type;
2722 	b[6] = hcon->resp_addr_type;
2723 
2724 	if (hcon->out) {
2725 		local_addr = a;
2726 		remote_addr = b;
2727 		memcpy(io_cap, &smp->prsp[1], 3);
2728 	} else {
2729 		local_addr = b;
2730 		remote_addr = a;
2731 		memcpy(io_cap, &smp->preq[1], 3);
2732 	}
2733 
2734 	memset(r, 0, sizeof(r));
2735 
2736 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2737 		put_unaligned_le32(hcon->passkey_notify, r);
2738 	else if (smp->method == REQ_OOB)
2739 		memcpy(r, smp->lr, 16);
2740 
2741 	err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2742 		     io_cap, remote_addr, local_addr, e);
2743 	if (err)
2744 		return SMP_UNSPECIFIED;
2745 
2746 	if (memcmp(check->e, e, 16))
2747 		return SMP_DHKEY_CHECK_FAILED;
2748 
2749 	if (!hcon->out) {
2750 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2751 			set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2752 			return 0;
2753 		}
2754 
2755 		/* Slave sends DHKey check as response to master */
2756 		sc_dhkey_check(smp);
2757 	}
2758 
2759 	sc_add_ltk(smp);
2760 
2761 	if (hcon->out) {
2762 		hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2763 		hcon->enc_key_size = smp->enc_key_size;
2764 	}
2765 
2766 	return 0;
2767 }
2768 
2769 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2770 				   struct sk_buff *skb)
2771 {
2772 	struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2773 
2774 	BT_DBG("value 0x%02x", kp->value);
2775 
2776 	return 0;
2777 }
2778 
2779 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2780 {
2781 	struct l2cap_conn *conn = chan->conn;
2782 	struct hci_conn *hcon = conn->hcon;
2783 	struct smp_chan *smp;
2784 	__u8 code, reason;
2785 	int err = 0;
2786 
2787 	if (skb->len < 1)
2788 		return -EILSEQ;
2789 
2790 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2791 		reason = SMP_PAIRING_NOTSUPP;
2792 		goto done;
2793 	}
2794 
2795 	code = skb->data[0];
2796 	skb_pull(skb, sizeof(code));
2797 
2798 	smp = chan->data;
2799 
2800 	if (code > SMP_CMD_MAX)
2801 		goto drop;
2802 
2803 	if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2804 		goto drop;
2805 
2806 	/* If we don't have a context the only allowed commands are
2807 	 * pairing request and security request.
2808 	 */
2809 	if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2810 		goto drop;
2811 
2812 	switch (code) {
2813 	case SMP_CMD_PAIRING_REQ:
2814 		reason = smp_cmd_pairing_req(conn, skb);
2815 		break;
2816 
2817 	case SMP_CMD_PAIRING_FAIL:
2818 		smp_failure(conn, 0);
2819 		err = -EPERM;
2820 		break;
2821 
2822 	case SMP_CMD_PAIRING_RSP:
2823 		reason = smp_cmd_pairing_rsp(conn, skb);
2824 		break;
2825 
2826 	case SMP_CMD_SECURITY_REQ:
2827 		reason = smp_cmd_security_req(conn, skb);
2828 		break;
2829 
2830 	case SMP_CMD_PAIRING_CONFIRM:
2831 		reason = smp_cmd_pairing_confirm(conn, skb);
2832 		break;
2833 
2834 	case SMP_CMD_PAIRING_RANDOM:
2835 		reason = smp_cmd_pairing_random(conn, skb);
2836 		break;
2837 
2838 	case SMP_CMD_ENCRYPT_INFO:
2839 		reason = smp_cmd_encrypt_info(conn, skb);
2840 		break;
2841 
2842 	case SMP_CMD_MASTER_IDENT:
2843 		reason = smp_cmd_master_ident(conn, skb);
2844 		break;
2845 
2846 	case SMP_CMD_IDENT_INFO:
2847 		reason = smp_cmd_ident_info(conn, skb);
2848 		break;
2849 
2850 	case SMP_CMD_IDENT_ADDR_INFO:
2851 		reason = smp_cmd_ident_addr_info(conn, skb);
2852 		break;
2853 
2854 	case SMP_CMD_SIGN_INFO:
2855 		reason = smp_cmd_sign_info(conn, skb);
2856 		break;
2857 
2858 	case SMP_CMD_PUBLIC_KEY:
2859 		reason = smp_cmd_public_key(conn, skb);
2860 		break;
2861 
2862 	case SMP_CMD_DHKEY_CHECK:
2863 		reason = smp_cmd_dhkey_check(conn, skb);
2864 		break;
2865 
2866 	case SMP_CMD_KEYPRESS_NOTIFY:
2867 		reason = smp_cmd_keypress_notify(conn, skb);
2868 		break;
2869 
2870 	default:
2871 		BT_DBG("Unknown command code 0x%2.2x", code);
2872 		reason = SMP_CMD_NOTSUPP;
2873 		goto done;
2874 	}
2875 
2876 done:
2877 	if (!err) {
2878 		if (reason)
2879 			smp_failure(conn, reason);
2880 		kfree_skb(skb);
2881 	}
2882 
2883 	return err;
2884 
2885 drop:
2886 	BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2887 	       code, &hcon->dst);
2888 	kfree_skb(skb);
2889 	return 0;
2890 }
2891 
2892 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2893 {
2894 	struct l2cap_conn *conn = chan->conn;
2895 
2896 	BT_DBG("chan %p", chan);
2897 
2898 	if (chan->data)
2899 		smp_chan_destroy(conn);
2900 
2901 	conn->smp = NULL;
2902 	l2cap_chan_put(chan);
2903 }
2904 
2905 static void bredr_pairing(struct l2cap_chan *chan)
2906 {
2907 	struct l2cap_conn *conn = chan->conn;
2908 	struct hci_conn *hcon = conn->hcon;
2909 	struct hci_dev *hdev = hcon->hdev;
2910 	struct smp_cmd_pairing req;
2911 	struct smp_chan *smp;
2912 
2913 	BT_DBG("chan %p", chan);
2914 
2915 	/* Only new pairings are interesting */
2916 	if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2917 		return;
2918 
2919 	/* Don't bother if we're not encrypted */
2920 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2921 		return;
2922 
2923 	/* Only master may initiate SMP over BR/EDR */
2924 	if (hcon->role != HCI_ROLE_MASTER)
2925 		return;
2926 
2927 	/* Secure Connections support must be enabled */
2928 	if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
2929 		return;
2930 
2931 	/* BR/EDR must use Secure Connections for SMP */
2932 	if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
2933 	    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
2934 		return;
2935 
2936 	/* If our LE support is not enabled don't do anything */
2937 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
2938 		return;
2939 
2940 	/* Don't bother if remote LE support is not enabled */
2941 	if (!lmp_host_le_capable(hcon))
2942 		return;
2943 
2944 	/* Remote must support SMP fixed chan for BR/EDR */
2945 	if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
2946 		return;
2947 
2948 	/* Don't bother if SMP is already ongoing */
2949 	if (chan->data)
2950 		return;
2951 
2952 	smp = smp_chan_create(conn);
2953 	if (!smp) {
2954 		BT_ERR("%s unable to create SMP context for BR/EDR",
2955 		       hdev->name);
2956 		return;
2957 	}
2958 
2959 	set_bit(SMP_FLAG_SC, &smp->flags);
2960 
2961 	BT_DBG("%s starting SMP over BR/EDR", hdev->name);
2962 
2963 	/* Prepare and send the BR/EDR SMP Pairing Request */
2964 	build_bredr_pairing_cmd(smp, &req, NULL);
2965 
2966 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2967 	memcpy(&smp->preq[1], &req, sizeof(req));
2968 
2969 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
2970 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2971 }
2972 
2973 static void smp_resume_cb(struct l2cap_chan *chan)
2974 {
2975 	struct smp_chan *smp = chan->data;
2976 	struct l2cap_conn *conn = chan->conn;
2977 	struct hci_conn *hcon = conn->hcon;
2978 
2979 	BT_DBG("chan %p", chan);
2980 
2981 	if (hcon->type == ACL_LINK) {
2982 		bredr_pairing(chan);
2983 		return;
2984 	}
2985 
2986 	if (!smp)
2987 		return;
2988 
2989 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2990 		return;
2991 
2992 	cancel_delayed_work(&smp->security_timer);
2993 
2994 	smp_distribute_keys(smp);
2995 }
2996 
2997 static void smp_ready_cb(struct l2cap_chan *chan)
2998 {
2999 	struct l2cap_conn *conn = chan->conn;
3000 	struct hci_conn *hcon = conn->hcon;
3001 
3002 	BT_DBG("chan %p", chan);
3003 
3004 	conn->smp = chan;
3005 	l2cap_chan_hold(chan);
3006 
3007 	if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3008 		bredr_pairing(chan);
3009 }
3010 
3011 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3012 {
3013 	int err;
3014 
3015 	BT_DBG("chan %p", chan);
3016 
3017 	err = smp_sig_channel(chan, skb);
3018 	if (err) {
3019 		struct smp_chan *smp = chan->data;
3020 
3021 		if (smp)
3022 			cancel_delayed_work_sync(&smp->security_timer);
3023 
3024 		hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3025 	}
3026 
3027 	return err;
3028 }
3029 
3030 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3031 					unsigned long hdr_len,
3032 					unsigned long len, int nb)
3033 {
3034 	struct sk_buff *skb;
3035 
3036 	skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3037 	if (!skb)
3038 		return ERR_PTR(-ENOMEM);
3039 
3040 	skb->priority = HCI_PRIO_MAX;
3041 	bt_cb(skb)->l2cap.chan = chan;
3042 
3043 	return skb;
3044 }
3045 
3046 static const struct l2cap_ops smp_chan_ops = {
3047 	.name			= "Security Manager",
3048 	.ready			= smp_ready_cb,
3049 	.recv			= smp_recv_cb,
3050 	.alloc_skb		= smp_alloc_skb_cb,
3051 	.teardown		= smp_teardown_cb,
3052 	.resume			= smp_resume_cb,
3053 
3054 	.new_connection		= l2cap_chan_no_new_connection,
3055 	.state_change		= l2cap_chan_no_state_change,
3056 	.close			= l2cap_chan_no_close,
3057 	.defer			= l2cap_chan_no_defer,
3058 	.suspend		= l2cap_chan_no_suspend,
3059 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3060 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3061 };
3062 
3063 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3064 {
3065 	struct l2cap_chan *chan;
3066 
3067 	BT_DBG("pchan %p", pchan);
3068 
3069 	chan = l2cap_chan_create();
3070 	if (!chan)
3071 		return NULL;
3072 
3073 	chan->chan_type	= pchan->chan_type;
3074 	chan->ops	= &smp_chan_ops;
3075 	chan->scid	= pchan->scid;
3076 	chan->dcid	= chan->scid;
3077 	chan->imtu	= pchan->imtu;
3078 	chan->omtu	= pchan->omtu;
3079 	chan->mode	= pchan->mode;
3080 
3081 	/* Other L2CAP channels may request SMP routines in order to
3082 	 * change the security level. This means that the SMP channel
3083 	 * lock must be considered in its own category to avoid lockdep
3084 	 * warnings.
3085 	 */
3086 	atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3087 
3088 	BT_DBG("created chan %p", chan);
3089 
3090 	return chan;
3091 }
3092 
3093 static const struct l2cap_ops smp_root_chan_ops = {
3094 	.name			= "Security Manager Root",
3095 	.new_connection		= smp_new_conn_cb,
3096 
3097 	/* None of these are implemented for the root channel */
3098 	.close			= l2cap_chan_no_close,
3099 	.alloc_skb		= l2cap_chan_no_alloc_skb,
3100 	.recv			= l2cap_chan_no_recv,
3101 	.state_change		= l2cap_chan_no_state_change,
3102 	.teardown		= l2cap_chan_no_teardown,
3103 	.ready			= l2cap_chan_no_ready,
3104 	.defer			= l2cap_chan_no_defer,
3105 	.suspend		= l2cap_chan_no_suspend,
3106 	.resume			= l2cap_chan_no_resume,
3107 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3108 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3109 };
3110 
3111 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3112 {
3113 	struct l2cap_chan *chan;
3114 	struct smp_dev *smp;
3115 	struct crypto_blkcipher *tfm_aes;
3116 	struct crypto_hash *tfm_cmac;
3117 
3118 	if (cid == L2CAP_CID_SMP_BREDR) {
3119 		smp = NULL;
3120 		goto create_chan;
3121 	}
3122 
3123 	smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3124 	if (!smp)
3125 		return ERR_PTR(-ENOMEM);
3126 
3127 	tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
3128 	if (IS_ERR(tfm_aes)) {
3129 		BT_ERR("Unable to create ECB crypto context");
3130 		kzfree(smp);
3131 		return ERR_CAST(tfm_aes);
3132 	}
3133 
3134 	tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3135 	if (IS_ERR(tfm_cmac)) {
3136 		BT_ERR("Unable to create CMAC crypto context");
3137 		crypto_free_blkcipher(tfm_aes);
3138 		kzfree(smp);
3139 		return ERR_CAST(tfm_cmac);
3140 	}
3141 
3142 	smp->tfm_aes = tfm_aes;
3143 	smp->tfm_cmac = tfm_cmac;
3144 	smp->min_key_size = SMP_MIN_ENC_KEY_SIZE;
3145 	smp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
3146 
3147 create_chan:
3148 	chan = l2cap_chan_create();
3149 	if (!chan) {
3150 		if (smp) {
3151 			crypto_free_blkcipher(smp->tfm_aes);
3152 			crypto_free_hash(smp->tfm_cmac);
3153 			kzfree(smp);
3154 		}
3155 		return ERR_PTR(-ENOMEM);
3156 	}
3157 
3158 	chan->data = smp;
3159 
3160 	l2cap_add_scid(chan, cid);
3161 
3162 	l2cap_chan_set_defaults(chan);
3163 
3164 	if (cid == L2CAP_CID_SMP) {
3165 		u8 bdaddr_type;
3166 
3167 		hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3168 
3169 		if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3170 			chan->src_type = BDADDR_LE_PUBLIC;
3171 		else
3172 			chan->src_type = BDADDR_LE_RANDOM;
3173 	} else {
3174 		bacpy(&chan->src, &hdev->bdaddr);
3175 		chan->src_type = BDADDR_BREDR;
3176 	}
3177 
3178 	chan->state = BT_LISTEN;
3179 	chan->mode = L2CAP_MODE_BASIC;
3180 	chan->imtu = L2CAP_DEFAULT_MTU;
3181 	chan->ops = &smp_root_chan_ops;
3182 
3183 	/* Set correct nesting level for a parent/listening channel */
3184 	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3185 
3186 	return chan;
3187 }
3188 
3189 static void smp_del_chan(struct l2cap_chan *chan)
3190 {
3191 	struct smp_dev *smp;
3192 
3193 	BT_DBG("chan %p", chan);
3194 
3195 	smp = chan->data;
3196 	if (smp) {
3197 		chan->data = NULL;
3198 		if (smp->tfm_aes)
3199 			crypto_free_blkcipher(smp->tfm_aes);
3200 		if (smp->tfm_cmac)
3201 			crypto_free_hash(smp->tfm_cmac);
3202 		kzfree(smp);
3203 	}
3204 
3205 	l2cap_chan_put(chan);
3206 }
3207 
3208 static ssize_t force_bredr_smp_read(struct file *file,
3209 				    char __user *user_buf,
3210 				    size_t count, loff_t *ppos)
3211 {
3212 	struct hci_dev *hdev = file->private_data;
3213 	char buf[3];
3214 
3215 	buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3216 	buf[1] = '\n';
3217 	buf[2] = '\0';
3218 	return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3219 }
3220 
3221 static ssize_t force_bredr_smp_write(struct file *file,
3222 				     const char __user *user_buf,
3223 				     size_t count, loff_t *ppos)
3224 {
3225 	struct hci_dev *hdev = file->private_data;
3226 	char buf[32];
3227 	size_t buf_size = min(count, (sizeof(buf)-1));
3228 	bool enable;
3229 
3230 	if (copy_from_user(buf, user_buf, buf_size))
3231 		return -EFAULT;
3232 
3233 	buf[buf_size] = '\0';
3234 	if (strtobool(buf, &enable))
3235 		return -EINVAL;
3236 
3237 	if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3238 		return -EALREADY;
3239 
3240 	if (enable) {
3241 		struct l2cap_chan *chan;
3242 
3243 		chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3244 		if (IS_ERR(chan))
3245 			return PTR_ERR(chan);
3246 
3247 		hdev->smp_bredr_data = chan;
3248 	} else {
3249 		struct l2cap_chan *chan;
3250 
3251 		chan = hdev->smp_bredr_data;
3252 		hdev->smp_bredr_data = NULL;
3253 		smp_del_chan(chan);
3254 	}
3255 
3256 	hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3257 
3258 	return count;
3259 }
3260 
3261 static const struct file_operations force_bredr_smp_fops = {
3262 	.open		= simple_open,
3263 	.read		= force_bredr_smp_read,
3264 	.write		= force_bredr_smp_write,
3265 	.llseek		= default_llseek,
3266 };
3267 
3268 static ssize_t le_min_key_size_read(struct file *file,
3269 				     char __user *user_buf,
3270 				     size_t count, loff_t *ppos)
3271 {
3272 	struct hci_dev *hdev = file->private_data;
3273 	char buf[4];
3274 
3275 	snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->min_key_size);
3276 
3277 	return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3278 }
3279 
3280 static ssize_t le_min_key_size_write(struct file *file,
3281 				      const char __user *user_buf,
3282 				      size_t count, loff_t *ppos)
3283 {
3284 	struct hci_dev *hdev = file->private_data;
3285 	char buf[32];
3286 	size_t buf_size = min(count, (sizeof(buf) - 1));
3287 	u8 key_size;
3288 
3289 	if (copy_from_user(buf, user_buf, buf_size))
3290 		return -EFAULT;
3291 
3292 	buf[buf_size] = '\0';
3293 
3294 	sscanf(buf, "%hhu", &key_size);
3295 
3296 	if (key_size > SMP_DEV(hdev)->max_key_size ||
3297 	    key_size < SMP_MIN_ENC_KEY_SIZE)
3298 		return -EINVAL;
3299 
3300 	SMP_DEV(hdev)->min_key_size = key_size;
3301 
3302 	return count;
3303 }
3304 
3305 static const struct file_operations le_min_key_size_fops = {
3306 	.open		= simple_open,
3307 	.read		= le_min_key_size_read,
3308 	.write		= le_min_key_size_write,
3309 	.llseek		= default_llseek,
3310 };
3311 
3312 static ssize_t le_max_key_size_read(struct file *file,
3313 				     char __user *user_buf,
3314 				     size_t count, loff_t *ppos)
3315 {
3316 	struct hci_dev *hdev = file->private_data;
3317 	char buf[4];
3318 
3319 	snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->max_key_size);
3320 
3321 	return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3322 }
3323 
3324 static ssize_t le_max_key_size_write(struct file *file,
3325 				      const char __user *user_buf,
3326 				      size_t count, loff_t *ppos)
3327 {
3328 	struct hci_dev *hdev = file->private_data;
3329 	char buf[32];
3330 	size_t buf_size = min(count, (sizeof(buf) - 1));
3331 	u8 key_size;
3332 
3333 	if (copy_from_user(buf, user_buf, buf_size))
3334 		return -EFAULT;
3335 
3336 	buf[buf_size] = '\0';
3337 
3338 	sscanf(buf, "%hhu", &key_size);
3339 
3340 	if (key_size > SMP_MAX_ENC_KEY_SIZE ||
3341 	    key_size < SMP_DEV(hdev)->min_key_size)
3342 		return -EINVAL;
3343 
3344 	SMP_DEV(hdev)->max_key_size = key_size;
3345 
3346 	return count;
3347 }
3348 
3349 static const struct file_operations le_max_key_size_fops = {
3350 	.open		= simple_open,
3351 	.read		= le_max_key_size_read,
3352 	.write		= le_max_key_size_write,
3353 	.llseek		= default_llseek,
3354 };
3355 
3356 int smp_register(struct hci_dev *hdev)
3357 {
3358 	struct l2cap_chan *chan;
3359 
3360 	BT_DBG("%s", hdev->name);
3361 
3362 	/* If the controller does not support Low Energy operation, then
3363 	 * there is also no need to register any SMP channel.
3364 	 */
3365 	if (!lmp_le_capable(hdev))
3366 		return 0;
3367 
3368 	if (WARN_ON(hdev->smp_data)) {
3369 		chan = hdev->smp_data;
3370 		hdev->smp_data = NULL;
3371 		smp_del_chan(chan);
3372 	}
3373 
3374 	chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3375 	if (IS_ERR(chan))
3376 		return PTR_ERR(chan);
3377 
3378 	hdev->smp_data = chan;
3379 
3380 	debugfs_create_file("le_min_key_size", 0644, hdev->debugfs, hdev,
3381 			    &le_min_key_size_fops);
3382 	debugfs_create_file("le_max_key_size", 0644, hdev->debugfs, hdev,
3383 			    &le_max_key_size_fops);
3384 
3385 	/* If the controller does not support BR/EDR Secure Connections
3386 	 * feature, then the BR/EDR SMP channel shall not be present.
3387 	 *
3388 	 * To test this with Bluetooth 4.0 controllers, create a debugfs
3389 	 * switch that allows forcing BR/EDR SMP support and accepting
3390 	 * cross-transport pairing on non-AES encrypted connections.
3391 	 */
3392 	if (!lmp_sc_capable(hdev)) {
3393 		debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3394 				    hdev, &force_bredr_smp_fops);
3395 		return 0;
3396 	}
3397 
3398 	if (WARN_ON(hdev->smp_bredr_data)) {
3399 		chan = hdev->smp_bredr_data;
3400 		hdev->smp_bredr_data = NULL;
3401 		smp_del_chan(chan);
3402 	}
3403 
3404 	chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3405 	if (IS_ERR(chan)) {
3406 		int err = PTR_ERR(chan);
3407 		chan = hdev->smp_data;
3408 		hdev->smp_data = NULL;
3409 		smp_del_chan(chan);
3410 		return err;
3411 	}
3412 
3413 	hdev->smp_bredr_data = chan;
3414 
3415 	return 0;
3416 }
3417 
3418 void smp_unregister(struct hci_dev *hdev)
3419 {
3420 	struct l2cap_chan *chan;
3421 
3422 	if (hdev->smp_bredr_data) {
3423 		chan = hdev->smp_bredr_data;
3424 		hdev->smp_bredr_data = NULL;
3425 		smp_del_chan(chan);
3426 	}
3427 
3428 	if (hdev->smp_data) {
3429 		chan = hdev->smp_data;
3430 		hdev->smp_data = NULL;
3431 		smp_del_chan(chan);
3432 	}
3433 }
3434 
3435 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3436 
3437 static int __init test_ah(struct crypto_blkcipher *tfm_aes)
3438 {
3439 	const u8 irk[16] = {
3440 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3441 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3442 	const u8 r[3] = { 0x94, 0x81, 0x70 };
3443 	const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3444 	u8 res[3];
3445 	int err;
3446 
3447 	err = smp_ah(tfm_aes, irk, r, res);
3448 	if (err)
3449 		return err;
3450 
3451 	if (memcmp(res, exp, 3))
3452 		return -EINVAL;
3453 
3454 	return 0;
3455 }
3456 
3457 static int __init test_c1(struct crypto_blkcipher *tfm_aes)
3458 {
3459 	const u8 k[16] = {
3460 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3461 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3462 	const u8 r[16] = {
3463 			0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3464 			0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3465 	const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3466 	const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3467 	const u8 _iat = 0x01;
3468 	const u8 _rat = 0x00;
3469 	const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3470 	const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3471 	const u8 exp[16] = {
3472 			0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3473 			0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3474 	u8 res[16];
3475 	int err;
3476 
3477 	err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3478 	if (err)
3479 		return err;
3480 
3481 	if (memcmp(res, exp, 16))
3482 		return -EINVAL;
3483 
3484 	return 0;
3485 }
3486 
3487 static int __init test_s1(struct crypto_blkcipher *tfm_aes)
3488 {
3489 	const u8 k[16] = {
3490 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3491 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3492 	const u8 r1[16] = {
3493 			0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3494 	const u8 r2[16] = {
3495 			0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3496 	const u8 exp[16] = {
3497 			0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3498 			0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3499 	u8 res[16];
3500 	int err;
3501 
3502 	err = smp_s1(tfm_aes, k, r1, r2, res);
3503 	if (err)
3504 		return err;
3505 
3506 	if (memcmp(res, exp, 16))
3507 		return -EINVAL;
3508 
3509 	return 0;
3510 }
3511 
3512 static int __init test_f4(struct crypto_hash *tfm_cmac)
3513 {
3514 	const u8 u[32] = {
3515 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3516 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3517 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3518 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3519 	const u8 v[32] = {
3520 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3521 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3522 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3523 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3524 	const u8 x[16] = {
3525 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3526 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3527 	const u8 z = 0x00;
3528 	const u8 exp[16] = {
3529 			0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3530 			0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3531 	u8 res[16];
3532 	int err;
3533 
3534 	err = smp_f4(tfm_cmac, u, v, x, z, res);
3535 	if (err)
3536 		return err;
3537 
3538 	if (memcmp(res, exp, 16))
3539 		return -EINVAL;
3540 
3541 	return 0;
3542 }
3543 
3544 static int __init test_f5(struct crypto_hash *tfm_cmac)
3545 {
3546 	const u8 w[32] = {
3547 			0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3548 			0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3549 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3550 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3551 	const u8 n1[16] = {
3552 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3553 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3554 	const u8 n2[16] = {
3555 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3556 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3557 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3558 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3559 	const u8 exp_ltk[16] = {
3560 			0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3561 			0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3562 	const u8 exp_mackey[16] = {
3563 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3564 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3565 	u8 mackey[16], ltk[16];
3566 	int err;
3567 
3568 	err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3569 	if (err)
3570 		return err;
3571 
3572 	if (memcmp(mackey, exp_mackey, 16))
3573 		return -EINVAL;
3574 
3575 	if (memcmp(ltk, exp_ltk, 16))
3576 		return -EINVAL;
3577 
3578 	return 0;
3579 }
3580 
3581 static int __init test_f6(struct crypto_hash *tfm_cmac)
3582 {
3583 	const u8 w[16] = {
3584 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3585 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3586 	const u8 n1[16] = {
3587 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3588 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3589 	const u8 n2[16] = {
3590 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3591 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3592 	const u8 r[16] = {
3593 			0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3594 			0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3595 	const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3596 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3597 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3598 	const u8 exp[16] = {
3599 			0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3600 			0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3601 	u8 res[16];
3602 	int err;
3603 
3604 	err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3605 	if (err)
3606 		return err;
3607 
3608 	if (memcmp(res, exp, 16))
3609 		return -EINVAL;
3610 
3611 	return 0;
3612 }
3613 
3614 static int __init test_g2(struct crypto_hash *tfm_cmac)
3615 {
3616 	const u8 u[32] = {
3617 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3618 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3619 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3620 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3621 	const u8 v[32] = {
3622 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3623 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3624 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3625 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3626 	const u8 x[16] = {
3627 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3628 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3629 	const u8 y[16] = {
3630 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3631 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3632 	const u32 exp_val = 0x2f9ed5ba % 1000000;
3633 	u32 val;
3634 	int err;
3635 
3636 	err = smp_g2(tfm_cmac, u, v, x, y, &val);
3637 	if (err)
3638 		return err;
3639 
3640 	if (val != exp_val)
3641 		return -EINVAL;
3642 
3643 	return 0;
3644 }
3645 
3646 static int __init test_h6(struct crypto_hash *tfm_cmac)
3647 {
3648 	const u8 w[16] = {
3649 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3650 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3651 	const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3652 	const u8 exp[16] = {
3653 			0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3654 			0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3655 	u8 res[16];
3656 	int err;
3657 
3658 	err = smp_h6(tfm_cmac, w, key_id, res);
3659 	if (err)
3660 		return err;
3661 
3662 	if (memcmp(res, exp, 16))
3663 		return -EINVAL;
3664 
3665 	return 0;
3666 }
3667 
3668 static char test_smp_buffer[32];
3669 
3670 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3671 			     size_t count, loff_t *ppos)
3672 {
3673 	return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3674 				       strlen(test_smp_buffer));
3675 }
3676 
3677 static const struct file_operations test_smp_fops = {
3678 	.open		= simple_open,
3679 	.read		= test_smp_read,
3680 	.llseek		= default_llseek,
3681 };
3682 
3683 static int __init run_selftests(struct crypto_blkcipher *tfm_aes,
3684 				struct crypto_hash *tfm_cmac)
3685 {
3686 	ktime_t calltime, delta, rettime;
3687 	unsigned long long duration;
3688 	int err;
3689 
3690 	calltime = ktime_get();
3691 
3692 	err = test_ah(tfm_aes);
3693 	if (err) {
3694 		BT_ERR("smp_ah test failed");
3695 		goto done;
3696 	}
3697 
3698 	err = test_c1(tfm_aes);
3699 	if (err) {
3700 		BT_ERR("smp_c1 test failed");
3701 		goto done;
3702 	}
3703 
3704 	err = test_s1(tfm_aes);
3705 	if (err) {
3706 		BT_ERR("smp_s1 test failed");
3707 		goto done;
3708 	}
3709 
3710 	err = test_f4(tfm_cmac);
3711 	if (err) {
3712 		BT_ERR("smp_f4 test failed");
3713 		goto done;
3714 	}
3715 
3716 	err = test_f5(tfm_cmac);
3717 	if (err) {
3718 		BT_ERR("smp_f5 test failed");
3719 		goto done;
3720 	}
3721 
3722 	err = test_f6(tfm_cmac);
3723 	if (err) {
3724 		BT_ERR("smp_f6 test failed");
3725 		goto done;
3726 	}
3727 
3728 	err = test_g2(tfm_cmac);
3729 	if (err) {
3730 		BT_ERR("smp_g2 test failed");
3731 		goto done;
3732 	}
3733 
3734 	err = test_h6(tfm_cmac);
3735 	if (err) {
3736 		BT_ERR("smp_h6 test failed");
3737 		goto done;
3738 	}
3739 
3740 	rettime = ktime_get();
3741 	delta = ktime_sub(rettime, calltime);
3742 	duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3743 
3744 	BT_INFO("SMP test passed in %llu usecs", duration);
3745 
3746 done:
3747 	if (!err)
3748 		snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3749 			 "PASS (%llu usecs)\n", duration);
3750 	else
3751 		snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3752 
3753 	debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3754 			    &test_smp_fops);
3755 
3756 	return err;
3757 }
3758 
3759 int __init bt_selftest_smp(void)
3760 {
3761 	struct crypto_blkcipher *tfm_aes;
3762 	struct crypto_hash *tfm_cmac;
3763 	int err;
3764 
3765 	tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
3766 	if (IS_ERR(tfm_aes)) {
3767 		BT_ERR("Unable to create ECB crypto context");
3768 		return PTR_ERR(tfm_aes);
3769 	}
3770 
3771 	tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3772 	if (IS_ERR(tfm_cmac)) {
3773 		BT_ERR("Unable to create CMAC crypto context");
3774 		crypto_free_blkcipher(tfm_aes);
3775 		return PTR_ERR(tfm_cmac);
3776 	}
3777 
3778 	err = run_selftests(tfm_aes, tfm_cmac);
3779 
3780 	crypto_free_hash(tfm_cmac);
3781 	crypto_free_blkcipher(tfm_aes);
3782 
3783 	return err;
3784 }
3785 
3786 #endif
3787