xref: /linux/net/bluetooth/smp.c (revision 83869019c74cc2d01c96a3be2463a4eebe362224)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4 
5    This program is free software; you can redistribute it and/or modify
6    it under the terms of the GNU General Public License version 2 as
7    published by the Free Software Foundation;
8 
9    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 
18    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20    SOFTWARE IS DISCLAIMED.
21 */
22 
23 #include <linux/debugfs.h>
24 #include <linux/scatterlist.h>
25 #include <linux/crypto.h>
26 #include <crypto/aes.h>
27 #include <crypto/algapi.h>
28 #include <crypto/hash.h>
29 #include <crypto/kpp.h>
30 
31 #include <net/bluetooth/bluetooth.h>
32 #include <net/bluetooth/hci_core.h>
33 #include <net/bluetooth/l2cap.h>
34 #include <net/bluetooth/mgmt.h>
35 
36 #include "ecdh_helper.h"
37 #include "smp.h"
38 
39 #define SMP_DEV(hdev) \
40 	((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
41 
42 /* Low-level debug macros to be used for stuff that we don't want
43  * accidentally in dmesg, i.e. the values of the various crypto keys
44  * and the inputs & outputs of crypto functions.
45  */
46 #ifdef DEBUG
47 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
48 				 ##__VA_ARGS__)
49 #else
50 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
51 				    ##__VA_ARGS__)
52 #endif
53 
54 #define SMP_ALLOW_CMD(smp, code)	set_bit(code, &smp->allow_cmd)
55 
56 /* Keys which are not distributed with Secure Connections */
57 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY)
58 
59 #define SMP_TIMEOUT	msecs_to_jiffies(30000)
60 
61 #define AUTH_REQ_MASK(dev)	(hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
62 				 0x3f : 0x07)
63 #define KEY_DIST_MASK		0x07
64 
65 /* Maximum message length that can be passed to aes_cmac */
66 #define CMAC_MSG_MAX	80
67 
68 enum {
69 	SMP_FLAG_TK_VALID,
70 	SMP_FLAG_CFM_PENDING,
71 	SMP_FLAG_MITM_AUTH,
72 	SMP_FLAG_COMPLETE,
73 	SMP_FLAG_INITIATOR,
74 	SMP_FLAG_SC,
75 	SMP_FLAG_REMOTE_PK,
76 	SMP_FLAG_DEBUG_KEY,
77 	SMP_FLAG_WAIT_USER,
78 	SMP_FLAG_DHKEY_PENDING,
79 	SMP_FLAG_REMOTE_OOB,
80 	SMP_FLAG_LOCAL_OOB,
81 	SMP_FLAG_CT2,
82 };
83 
84 struct smp_dev {
85 	/* Secure Connections OOB data */
86 	bool			local_oob;
87 	u8			local_pk[64];
88 	u8			local_rand[16];
89 	bool			debug_key;
90 
91 	struct crypto_shash	*tfm_cmac;
92 	struct crypto_kpp	*tfm_ecdh;
93 };
94 
95 struct smp_chan {
96 	struct l2cap_conn	*conn;
97 	struct delayed_work	security_timer;
98 	unsigned long           allow_cmd; /* Bitmask of allowed commands */
99 
100 	u8		preq[7]; /* SMP Pairing Request */
101 	u8		prsp[7]; /* SMP Pairing Response */
102 	u8		prnd[16]; /* SMP Pairing Random (local) */
103 	u8		rrnd[16]; /* SMP Pairing Random (remote) */
104 	u8		pcnf[16]; /* SMP Pairing Confirm */
105 	u8		tk[16]; /* SMP Temporary Key */
106 	u8		rr[16]; /* Remote OOB ra/rb value */
107 	u8		lr[16]; /* Local OOB ra/rb value */
108 	u8		enc_key_size;
109 	u8		remote_key_dist;
110 	bdaddr_t	id_addr;
111 	u8		id_addr_type;
112 	u8		irk[16];
113 	struct smp_csrk	*csrk;
114 	struct smp_csrk	*responder_csrk;
115 	struct smp_ltk	*ltk;
116 	struct smp_ltk	*responder_ltk;
117 	struct smp_irk	*remote_irk;
118 	u8		*link_key;
119 	unsigned long	flags;
120 	u8		method;
121 	u8		passkey_round;
122 
123 	/* Secure Connections variables */
124 	u8			local_pk[64];
125 	u8			remote_pk[64];
126 	u8			dhkey[32];
127 	u8			mackey[16];
128 
129 	struct crypto_shash	*tfm_cmac;
130 	struct crypto_kpp	*tfm_ecdh;
131 };
132 
133 /* These debug key values are defined in the SMP section of the core
134  * specification. debug_pk is the public debug key and debug_sk the
135  * private debug key.
136  */
137 static const u8 debug_pk[64] = {
138 		0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
139 		0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
140 		0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
141 		0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
142 
143 		0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
144 		0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
145 		0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
146 		0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
147 };
148 
149 static const u8 debug_sk[32] = {
150 		0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
151 		0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
152 		0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
153 		0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
154 };
155 
156 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
157 {
158 	size_t i;
159 
160 	for (i = 0; i < len; i++)
161 		dst[len - 1 - i] = src[i];
162 }
163 
164 /* The following functions map to the LE SC SMP crypto functions
165  * AES-CMAC, f4, f5, f6, g2 and h6.
166  */
167 
168 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
169 		    size_t len, u8 mac[16])
170 {
171 	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
172 	int err;
173 
174 	if (len > CMAC_MSG_MAX)
175 		return -EFBIG;
176 
177 	if (!tfm) {
178 		BT_ERR("tfm %p", tfm);
179 		return -EINVAL;
180 	}
181 
182 	/* Swap key and message from LSB to MSB */
183 	swap_buf(k, tmp, 16);
184 	swap_buf(m, msg_msb, len);
185 
186 	SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
187 	SMP_DBG("key %16phN", k);
188 
189 	err = crypto_shash_setkey(tfm, tmp, 16);
190 	if (err) {
191 		BT_ERR("cipher setkey failed: %d", err);
192 		return err;
193 	}
194 
195 	err = crypto_shash_tfm_digest(tfm, msg_msb, len, mac_msb);
196 	if (err) {
197 		BT_ERR("Hash computation error %d", err);
198 		return err;
199 	}
200 
201 	swap_buf(mac_msb, mac, 16);
202 
203 	SMP_DBG("mac %16phN", mac);
204 
205 	return 0;
206 }
207 
208 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
209 		  const u8 v[32], const u8 x[16], u8 z, u8 res[16])
210 {
211 	u8 m[65];
212 	int err;
213 
214 	SMP_DBG("u %32phN", u);
215 	SMP_DBG("v %32phN", v);
216 	SMP_DBG("x %16phN z %02x", x, z);
217 
218 	m[0] = z;
219 	memcpy(m + 1, v, 32);
220 	memcpy(m + 33, u, 32);
221 
222 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
223 	if (err)
224 		return err;
225 
226 	SMP_DBG("res %16phN", res);
227 
228 	return err;
229 }
230 
231 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
232 		  const u8 n1[16], const u8 n2[16], const u8 a1[7],
233 		  const u8 a2[7], u8 mackey[16], u8 ltk[16])
234 {
235 	/* The btle, salt and length "magic" values are as defined in
236 	 * the SMP section of the Bluetooth core specification. In ASCII
237 	 * the btle value ends up being 'btle'. The salt is just a
238 	 * random number whereas length is the value 256 in little
239 	 * endian format.
240 	 */
241 	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
242 	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
243 			      0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
244 	const u8 length[2] = { 0x00, 0x01 };
245 	u8 m[53], t[16];
246 	int err;
247 
248 	SMP_DBG("w %32phN", w);
249 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
250 	SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
251 
252 	err = aes_cmac(tfm_cmac, salt, w, 32, t);
253 	if (err)
254 		return err;
255 
256 	SMP_DBG("t %16phN", t);
257 
258 	memcpy(m, length, 2);
259 	memcpy(m + 2, a2, 7);
260 	memcpy(m + 9, a1, 7);
261 	memcpy(m + 16, n2, 16);
262 	memcpy(m + 32, n1, 16);
263 	memcpy(m + 48, btle, 4);
264 
265 	m[52] = 0; /* Counter */
266 
267 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
268 	if (err)
269 		return err;
270 
271 	SMP_DBG("mackey %16phN", mackey);
272 
273 	m[52] = 1; /* Counter */
274 
275 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
276 	if (err)
277 		return err;
278 
279 	SMP_DBG("ltk %16phN", ltk);
280 
281 	return 0;
282 }
283 
284 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
285 		  const u8 n1[16], const u8 n2[16], const u8 r[16],
286 		  const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
287 		  u8 res[16])
288 {
289 	u8 m[65];
290 	int err;
291 
292 	SMP_DBG("w %16phN", w);
293 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
294 	SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
295 
296 	memcpy(m, a2, 7);
297 	memcpy(m + 7, a1, 7);
298 	memcpy(m + 14, io_cap, 3);
299 	memcpy(m + 17, r, 16);
300 	memcpy(m + 33, n2, 16);
301 	memcpy(m + 49, n1, 16);
302 
303 	err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
304 	if (err)
305 		return err;
306 
307 	SMP_DBG("res %16phN", res);
308 
309 	return err;
310 }
311 
312 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
313 		  const u8 x[16], const u8 y[16], u32 *val)
314 {
315 	u8 m[80], tmp[16];
316 	int err;
317 
318 	SMP_DBG("u %32phN", u);
319 	SMP_DBG("v %32phN", v);
320 	SMP_DBG("x %16phN y %16phN", x, y);
321 
322 	memcpy(m, y, 16);
323 	memcpy(m + 16, v, 32);
324 	memcpy(m + 48, u, 32);
325 
326 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
327 	if (err)
328 		return err;
329 
330 	*val = get_unaligned_le32(tmp);
331 	*val %= 1000000;
332 
333 	SMP_DBG("val %06u", *val);
334 
335 	return 0;
336 }
337 
338 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
339 		  const u8 key_id[4], u8 res[16])
340 {
341 	int err;
342 
343 	SMP_DBG("w %16phN key_id %4phN", w, key_id);
344 
345 	err = aes_cmac(tfm_cmac, w, key_id, 4, res);
346 	if (err)
347 		return err;
348 
349 	SMP_DBG("res %16phN", res);
350 
351 	return err;
352 }
353 
354 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
355 		  const u8 salt[16], u8 res[16])
356 {
357 	int err;
358 
359 	SMP_DBG("w %16phN salt %16phN", w, salt);
360 
361 	err = aes_cmac(tfm_cmac, salt, w, 16, res);
362 	if (err)
363 		return err;
364 
365 	SMP_DBG("res %16phN", res);
366 
367 	return err;
368 }
369 
370 /* The following functions map to the legacy SMP crypto functions e, c1,
371  * s1 and ah.
372  */
373 
374 static int smp_e(const u8 *k, u8 *r)
375 {
376 	struct crypto_aes_ctx ctx;
377 	uint8_t tmp[16], data[16];
378 	int err;
379 
380 	SMP_DBG("k %16phN r %16phN", k, r);
381 
382 	/* The most significant octet of key corresponds to k[0] */
383 	swap_buf(k, tmp, 16);
384 
385 	err = aes_expandkey(&ctx, tmp, 16);
386 	if (err) {
387 		BT_ERR("cipher setkey failed: %d", err);
388 		return err;
389 	}
390 
391 	/* Most significant octet of plaintextData corresponds to data[0] */
392 	swap_buf(r, data, 16);
393 
394 	aes_encrypt(&ctx, data, data);
395 
396 	/* Most significant octet of encryptedData corresponds to data[0] */
397 	swap_buf(data, r, 16);
398 
399 	SMP_DBG("r %16phN", r);
400 
401 	memzero_explicit(&ctx, sizeof(ctx));
402 	return err;
403 }
404 
405 static int smp_c1(const u8 k[16],
406 		  const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
407 		  const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
408 {
409 	u8 p1[16], p2[16];
410 	int err;
411 
412 	SMP_DBG("k %16phN r %16phN", k, r);
413 	SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
414 	SMP_DBG("preq %7phN pres %7phN", preq, pres);
415 
416 	memset(p1, 0, 16);
417 
418 	/* p1 = pres || preq || _rat || _iat */
419 	p1[0] = _iat;
420 	p1[1] = _rat;
421 	memcpy(p1 + 2, preq, 7);
422 	memcpy(p1 + 9, pres, 7);
423 
424 	SMP_DBG("p1 %16phN", p1);
425 
426 	/* res = r XOR p1 */
427 	crypto_xor_cpy(res, r, p1, sizeof(p1));
428 
429 	/* res = e(k, res) */
430 	err = smp_e(k, res);
431 	if (err) {
432 		BT_ERR("Encrypt data error");
433 		return err;
434 	}
435 
436 	/* p2 = padding || ia || ra */
437 	memcpy(p2, ra, 6);
438 	memcpy(p2 + 6, ia, 6);
439 	memset(p2 + 12, 0, 4);
440 
441 	SMP_DBG("p2 %16phN", p2);
442 
443 	/* res = res XOR p2 */
444 	crypto_xor(res, p2, sizeof(p2));
445 
446 	/* res = e(k, res) */
447 	err = smp_e(k, res);
448 	if (err)
449 		BT_ERR("Encrypt data error");
450 
451 	return err;
452 }
453 
454 static int smp_s1(const u8 k[16],
455 		  const u8 r1[16], const u8 r2[16], u8 _r[16])
456 {
457 	int err;
458 
459 	/* Just least significant octets from r1 and r2 are considered */
460 	memcpy(_r, r2, 8);
461 	memcpy(_r + 8, r1, 8);
462 
463 	err = smp_e(k, _r);
464 	if (err)
465 		BT_ERR("Encrypt data error");
466 
467 	return err;
468 }
469 
470 static int smp_ah(const u8 irk[16], const u8 r[3], u8 res[3])
471 {
472 	u8 _res[16];
473 	int err;
474 
475 	/* r' = padding || r */
476 	memcpy(_res, r, 3);
477 	memset(_res + 3, 0, 13);
478 
479 	err = smp_e(irk, _res);
480 	if (err) {
481 		BT_ERR("Encrypt error");
482 		return err;
483 	}
484 
485 	/* The output of the random address function ah is:
486 	 *	ah(k, r) = e(k, r') mod 2^24
487 	 * The output of the security function e is then truncated to 24 bits
488 	 * by taking the least significant 24 bits of the output of e as the
489 	 * result of ah.
490 	 */
491 	memcpy(res, _res, 3);
492 
493 	return 0;
494 }
495 
496 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
497 		     const bdaddr_t *bdaddr)
498 {
499 	struct l2cap_chan *chan = hdev->smp_data;
500 	u8 hash[3];
501 	int err;
502 
503 	if (!chan || !chan->data)
504 		return false;
505 
506 	bt_dev_dbg(hdev, "RPA %pMR IRK %*phN", bdaddr, 16, irk);
507 
508 	err = smp_ah(irk, &bdaddr->b[3], hash);
509 	if (err)
510 		return false;
511 
512 	return !crypto_memneq(bdaddr->b, hash, 3);
513 }
514 
515 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
516 {
517 	struct l2cap_chan *chan = hdev->smp_data;
518 	int err;
519 
520 	if (!chan || !chan->data)
521 		return -EOPNOTSUPP;
522 
523 	get_random_bytes(&rpa->b[3], 3);
524 
525 	rpa->b[5] &= 0x3f;	/* Clear two most significant bits */
526 	rpa->b[5] |= 0x40;	/* Set second most significant bit */
527 
528 	err = smp_ah(irk, &rpa->b[3], rpa->b);
529 	if (err < 0)
530 		return err;
531 
532 	bt_dev_dbg(hdev, "RPA %pMR", rpa);
533 
534 	return 0;
535 }
536 
537 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
538 {
539 	struct l2cap_chan *chan = hdev->smp_data;
540 	struct smp_dev *smp;
541 	int err;
542 
543 	if (!chan || !chan->data)
544 		return -EOPNOTSUPP;
545 
546 	smp = chan->data;
547 
548 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
549 		bt_dev_dbg(hdev, "Using debug keys");
550 		err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk);
551 		if (err)
552 			return err;
553 		memcpy(smp->local_pk, debug_pk, 64);
554 		smp->debug_key = true;
555 	} else {
556 		while (true) {
557 			/* Generate key pair for Secure Connections */
558 			err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk);
559 			if (err)
560 				return err;
561 
562 			/* This is unlikely, but we need to check that
563 			 * we didn't accidentally generate a debug key.
564 			 */
565 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
566 				break;
567 		}
568 		smp->debug_key = false;
569 	}
570 
571 	SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
572 	SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
573 
574 	get_random_bytes(smp->local_rand, 16);
575 
576 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
577 		     smp->local_rand, 0, hash);
578 	if (err < 0)
579 		return err;
580 
581 	memcpy(rand, smp->local_rand, 16);
582 
583 	smp->local_oob = true;
584 
585 	return 0;
586 }
587 
588 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
589 {
590 	struct l2cap_chan *chan = conn->smp;
591 	struct smp_chan *smp;
592 	struct kvec iv[2];
593 	struct msghdr msg;
594 
595 	if (!chan)
596 		return;
597 
598 	bt_dev_dbg(conn->hcon->hdev, "code 0x%2.2x", code);
599 
600 	iv[0].iov_base = &code;
601 	iv[0].iov_len = 1;
602 
603 	iv[1].iov_base = data;
604 	iv[1].iov_len = len;
605 
606 	memset(&msg, 0, sizeof(msg));
607 
608 	iov_iter_kvec(&msg.msg_iter, WRITE, iv, 2, 1 + len);
609 
610 	l2cap_chan_send(chan, &msg, 1 + len);
611 
612 	if (!chan->data)
613 		return;
614 
615 	smp = chan->data;
616 
617 	cancel_delayed_work_sync(&smp->security_timer);
618 	schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
619 }
620 
621 static u8 authreq_to_seclevel(u8 authreq)
622 {
623 	if (authreq & SMP_AUTH_MITM) {
624 		if (authreq & SMP_AUTH_SC)
625 			return BT_SECURITY_FIPS;
626 		else
627 			return BT_SECURITY_HIGH;
628 	} else {
629 		return BT_SECURITY_MEDIUM;
630 	}
631 }
632 
633 static __u8 seclevel_to_authreq(__u8 sec_level)
634 {
635 	switch (sec_level) {
636 	case BT_SECURITY_FIPS:
637 	case BT_SECURITY_HIGH:
638 		return SMP_AUTH_MITM | SMP_AUTH_BONDING;
639 	case BT_SECURITY_MEDIUM:
640 		return SMP_AUTH_BONDING;
641 	default:
642 		return SMP_AUTH_NONE;
643 	}
644 }
645 
646 static void build_pairing_cmd(struct l2cap_conn *conn,
647 			      struct smp_cmd_pairing *req,
648 			      struct smp_cmd_pairing *rsp, __u8 authreq)
649 {
650 	struct l2cap_chan *chan = conn->smp;
651 	struct smp_chan *smp = chan->data;
652 	struct hci_conn *hcon = conn->hcon;
653 	struct hci_dev *hdev = hcon->hdev;
654 	u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
655 
656 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
657 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
658 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
659 		authreq |= SMP_AUTH_BONDING;
660 	} else {
661 		authreq &= ~SMP_AUTH_BONDING;
662 	}
663 
664 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
665 		remote_dist |= SMP_DIST_ID_KEY;
666 
667 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
668 		local_dist |= SMP_DIST_ID_KEY;
669 
670 	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
671 	    (authreq & SMP_AUTH_SC)) {
672 		struct oob_data *oob_data;
673 		u8 bdaddr_type;
674 
675 		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
676 			local_dist |= SMP_DIST_LINK_KEY;
677 			remote_dist |= SMP_DIST_LINK_KEY;
678 		}
679 
680 		if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
681 			bdaddr_type = BDADDR_LE_PUBLIC;
682 		else
683 			bdaddr_type = BDADDR_LE_RANDOM;
684 
685 		oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
686 						    bdaddr_type);
687 		if (oob_data && oob_data->present) {
688 			set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
689 			oob_flag = SMP_OOB_PRESENT;
690 			memcpy(smp->rr, oob_data->rand256, 16);
691 			memcpy(smp->pcnf, oob_data->hash256, 16);
692 			SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
693 			SMP_DBG("OOB Remote Random: %16phN", smp->rr);
694 		}
695 
696 	} else {
697 		authreq &= ~SMP_AUTH_SC;
698 	}
699 
700 	if (rsp == NULL) {
701 		req->io_capability = conn->hcon->io_capability;
702 		req->oob_flag = oob_flag;
703 		req->max_key_size = hdev->le_max_key_size;
704 		req->init_key_dist = local_dist;
705 		req->resp_key_dist = remote_dist;
706 		req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
707 
708 		smp->remote_key_dist = remote_dist;
709 		return;
710 	}
711 
712 	rsp->io_capability = conn->hcon->io_capability;
713 	rsp->oob_flag = oob_flag;
714 	rsp->max_key_size = hdev->le_max_key_size;
715 	rsp->init_key_dist = req->init_key_dist & remote_dist;
716 	rsp->resp_key_dist = req->resp_key_dist & local_dist;
717 	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
718 
719 	smp->remote_key_dist = rsp->init_key_dist;
720 }
721 
722 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
723 {
724 	struct l2cap_chan *chan = conn->smp;
725 	struct hci_dev *hdev = conn->hcon->hdev;
726 	struct smp_chan *smp = chan->data;
727 
728 	if (conn->hcon->pending_sec_level == BT_SECURITY_FIPS &&
729 	    max_key_size != SMP_MAX_ENC_KEY_SIZE)
730 		return SMP_ENC_KEY_SIZE;
731 
732 	if (max_key_size > hdev->le_max_key_size ||
733 	    max_key_size < SMP_MIN_ENC_KEY_SIZE)
734 		return SMP_ENC_KEY_SIZE;
735 
736 	smp->enc_key_size = max_key_size;
737 
738 	return 0;
739 }
740 
741 static void smp_chan_destroy(struct l2cap_conn *conn)
742 {
743 	struct l2cap_chan *chan = conn->smp;
744 	struct smp_chan *smp = chan->data;
745 	struct hci_conn *hcon = conn->hcon;
746 	bool complete;
747 
748 	BUG_ON(!smp);
749 
750 	cancel_delayed_work_sync(&smp->security_timer);
751 
752 	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
753 	mgmt_smp_complete(hcon, complete);
754 
755 	kfree_sensitive(smp->csrk);
756 	kfree_sensitive(smp->responder_csrk);
757 	kfree_sensitive(smp->link_key);
758 
759 	crypto_free_shash(smp->tfm_cmac);
760 	crypto_free_kpp(smp->tfm_ecdh);
761 
762 	/* Ensure that we don't leave any debug key around if debug key
763 	 * support hasn't been explicitly enabled.
764 	 */
765 	if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
766 	    !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
767 		list_del_rcu(&smp->ltk->list);
768 		kfree_rcu(smp->ltk, rcu);
769 		smp->ltk = NULL;
770 	}
771 
772 	/* If pairing failed clean up any keys we might have */
773 	if (!complete) {
774 		if (smp->ltk) {
775 			list_del_rcu(&smp->ltk->list);
776 			kfree_rcu(smp->ltk, rcu);
777 		}
778 
779 		if (smp->responder_ltk) {
780 			list_del_rcu(&smp->responder_ltk->list);
781 			kfree_rcu(smp->responder_ltk, rcu);
782 		}
783 
784 		if (smp->remote_irk) {
785 			list_del_rcu(&smp->remote_irk->list);
786 			kfree_rcu(smp->remote_irk, rcu);
787 		}
788 	}
789 
790 	chan->data = NULL;
791 	kfree_sensitive(smp);
792 	hci_conn_drop(hcon);
793 }
794 
795 static void smp_failure(struct l2cap_conn *conn, u8 reason)
796 {
797 	struct hci_conn *hcon = conn->hcon;
798 	struct l2cap_chan *chan = conn->smp;
799 
800 	if (reason)
801 		smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
802 			     &reason);
803 
804 	mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
805 
806 	if (chan->data)
807 		smp_chan_destroy(conn);
808 }
809 
810 #define JUST_WORKS	0x00
811 #define JUST_CFM	0x01
812 #define REQ_PASSKEY	0x02
813 #define CFM_PASSKEY	0x03
814 #define REQ_OOB		0x04
815 #define DSP_PASSKEY	0x05
816 #define OVERLAP		0xFF
817 
818 static const u8 gen_method[5][5] = {
819 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
820 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
821 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
822 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
823 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
824 };
825 
826 static const u8 sc_method[5][5] = {
827 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
828 	{ JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
829 	{ DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
830 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
831 	{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
832 };
833 
834 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
835 {
836 	/* If either side has unknown io_caps, use JUST_CFM (which gets
837 	 * converted later to JUST_WORKS if we're initiators.
838 	 */
839 	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
840 	    remote_io > SMP_IO_KEYBOARD_DISPLAY)
841 		return JUST_CFM;
842 
843 	if (test_bit(SMP_FLAG_SC, &smp->flags))
844 		return sc_method[remote_io][local_io];
845 
846 	return gen_method[remote_io][local_io];
847 }
848 
849 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
850 						u8 local_io, u8 remote_io)
851 {
852 	struct hci_conn *hcon = conn->hcon;
853 	struct l2cap_chan *chan = conn->smp;
854 	struct smp_chan *smp = chan->data;
855 	u32 passkey = 0;
856 	int ret;
857 
858 	/* Initialize key for JUST WORKS */
859 	memset(smp->tk, 0, sizeof(smp->tk));
860 	clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
861 
862 	bt_dev_dbg(hcon->hdev, "auth:%u lcl:%u rem:%u", auth, local_io,
863 		   remote_io);
864 
865 	/* If neither side wants MITM, either "just" confirm an incoming
866 	 * request or use just-works for outgoing ones. The JUST_CFM
867 	 * will be converted to JUST_WORKS if necessary later in this
868 	 * function. If either side has MITM look up the method from the
869 	 * table.
870 	 */
871 	if (!(auth & SMP_AUTH_MITM))
872 		smp->method = JUST_CFM;
873 	else
874 		smp->method = get_auth_method(smp, local_io, remote_io);
875 
876 	/* Don't confirm locally initiated pairing attempts */
877 	if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
878 						&smp->flags))
879 		smp->method = JUST_WORKS;
880 
881 	/* Don't bother user space with no IO capabilities */
882 	if (smp->method == JUST_CFM &&
883 	    hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
884 		smp->method = JUST_WORKS;
885 
886 	/* If Just Works, Continue with Zero TK and ask user-space for
887 	 * confirmation */
888 	if (smp->method == JUST_WORKS) {
889 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
890 						hcon->type,
891 						hcon->dst_type,
892 						passkey, 1);
893 		if (ret)
894 			return ret;
895 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
896 		return 0;
897 	}
898 
899 	/* If this function is used for SC -> legacy fallback we
900 	 * can only recover the just-works case.
901 	 */
902 	if (test_bit(SMP_FLAG_SC, &smp->flags))
903 		return -EINVAL;
904 
905 	/* Not Just Works/Confirm results in MITM Authentication */
906 	if (smp->method != JUST_CFM) {
907 		set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
908 		if (hcon->pending_sec_level < BT_SECURITY_HIGH)
909 			hcon->pending_sec_level = BT_SECURITY_HIGH;
910 	}
911 
912 	/* If both devices have Keyboard-Display I/O, the initiator
913 	 * Confirms and the responder Enters the passkey.
914 	 */
915 	if (smp->method == OVERLAP) {
916 		if (hcon->role == HCI_ROLE_MASTER)
917 			smp->method = CFM_PASSKEY;
918 		else
919 			smp->method = REQ_PASSKEY;
920 	}
921 
922 	/* Generate random passkey. */
923 	if (smp->method == CFM_PASSKEY) {
924 		memset(smp->tk, 0, sizeof(smp->tk));
925 		get_random_bytes(&passkey, sizeof(passkey));
926 		passkey %= 1000000;
927 		put_unaligned_le32(passkey, smp->tk);
928 		bt_dev_dbg(hcon->hdev, "PassKey: %u", passkey);
929 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
930 	}
931 
932 	if (smp->method == REQ_PASSKEY)
933 		ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
934 						hcon->type, hcon->dst_type);
935 	else if (smp->method == JUST_CFM)
936 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
937 						hcon->type, hcon->dst_type,
938 						passkey, 1);
939 	else
940 		ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
941 						hcon->type, hcon->dst_type,
942 						passkey, 0);
943 
944 	return ret;
945 }
946 
947 static u8 smp_confirm(struct smp_chan *smp)
948 {
949 	struct l2cap_conn *conn = smp->conn;
950 	struct smp_cmd_pairing_confirm cp;
951 	int ret;
952 
953 	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
954 
955 	ret = smp_c1(smp->tk, smp->prnd, smp->preq, smp->prsp,
956 		     conn->hcon->init_addr_type, &conn->hcon->init_addr,
957 		     conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
958 		     cp.confirm_val);
959 	if (ret)
960 		return SMP_UNSPECIFIED;
961 
962 	clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
963 
964 	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
965 
966 	if (conn->hcon->out)
967 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
968 	else
969 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
970 
971 	return 0;
972 }
973 
974 static u8 smp_random(struct smp_chan *smp)
975 {
976 	struct l2cap_conn *conn = smp->conn;
977 	struct hci_conn *hcon = conn->hcon;
978 	u8 confirm[16];
979 	int ret;
980 
981 	bt_dev_dbg(conn->hcon->hdev, "conn %p %s", conn,
982 		   conn->hcon->out ? "initiator" : "responder");
983 
984 	ret = smp_c1(smp->tk, smp->rrnd, smp->preq, smp->prsp,
985 		     hcon->init_addr_type, &hcon->init_addr,
986 		     hcon->resp_addr_type, &hcon->resp_addr, confirm);
987 	if (ret)
988 		return SMP_UNSPECIFIED;
989 
990 	if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
991 		bt_dev_err(hcon->hdev, "pairing failed "
992 			   "(confirmation values mismatch)");
993 		return SMP_CONFIRM_FAILED;
994 	}
995 
996 	if (hcon->out) {
997 		u8 stk[16];
998 		__le64 rand = 0;
999 		__le16 ediv = 0;
1000 
1001 		smp_s1(smp->tk, smp->rrnd, smp->prnd, stk);
1002 
1003 		if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1004 			return SMP_UNSPECIFIED;
1005 
1006 		hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1007 		hcon->enc_key_size = smp->enc_key_size;
1008 		set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1009 	} else {
1010 		u8 stk[16], auth;
1011 		__le64 rand = 0;
1012 		__le16 ediv = 0;
1013 
1014 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1015 			     smp->prnd);
1016 
1017 		smp_s1(smp->tk, smp->prnd, smp->rrnd, stk);
1018 
1019 		if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1020 			auth = 1;
1021 		else
1022 			auth = 0;
1023 
1024 		/* Even though there's no _RESPONDER suffix this is the
1025 		 * responder STK we're adding for later lookup (the initiator
1026 		 * STK never needs to be stored).
1027 		 */
1028 		hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1029 			    SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1030 	}
1031 
1032 	return 0;
1033 }
1034 
1035 static void smp_notify_keys(struct l2cap_conn *conn)
1036 {
1037 	struct l2cap_chan *chan = conn->smp;
1038 	struct smp_chan *smp = chan->data;
1039 	struct hci_conn *hcon = conn->hcon;
1040 	struct hci_dev *hdev = hcon->hdev;
1041 	struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1042 	struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1043 	bool persistent;
1044 
1045 	if (hcon->type == ACL_LINK) {
1046 		if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1047 			persistent = false;
1048 		else
1049 			persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1050 					       &hcon->flags);
1051 	} else {
1052 		/* The LTKs, IRKs and CSRKs should be persistent only if
1053 		 * both sides had the bonding bit set in their
1054 		 * authentication requests.
1055 		 */
1056 		persistent = !!((req->auth_req & rsp->auth_req) &
1057 				SMP_AUTH_BONDING);
1058 	}
1059 
1060 	if (smp->remote_irk) {
1061 		mgmt_new_irk(hdev, smp->remote_irk, persistent);
1062 
1063 		/* Now that user space can be considered to know the
1064 		 * identity address track the connection based on it
1065 		 * from now on (assuming this is an LE link).
1066 		 */
1067 		if (hcon->type == LE_LINK) {
1068 			bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1069 			hcon->dst_type = smp->remote_irk->addr_type;
1070 			queue_work(hdev->workqueue, &conn->id_addr_update_work);
1071 		}
1072 	}
1073 
1074 	if (smp->csrk) {
1075 		smp->csrk->bdaddr_type = hcon->dst_type;
1076 		bacpy(&smp->csrk->bdaddr, &hcon->dst);
1077 		mgmt_new_csrk(hdev, smp->csrk, persistent);
1078 	}
1079 
1080 	if (smp->responder_csrk) {
1081 		smp->responder_csrk->bdaddr_type = hcon->dst_type;
1082 		bacpy(&smp->responder_csrk->bdaddr, &hcon->dst);
1083 		mgmt_new_csrk(hdev, smp->responder_csrk, persistent);
1084 	}
1085 
1086 	if (smp->ltk) {
1087 		smp->ltk->bdaddr_type = hcon->dst_type;
1088 		bacpy(&smp->ltk->bdaddr, &hcon->dst);
1089 		mgmt_new_ltk(hdev, smp->ltk, persistent);
1090 	}
1091 
1092 	if (smp->responder_ltk) {
1093 		smp->responder_ltk->bdaddr_type = hcon->dst_type;
1094 		bacpy(&smp->responder_ltk->bdaddr, &hcon->dst);
1095 		mgmt_new_ltk(hdev, smp->responder_ltk, persistent);
1096 	}
1097 
1098 	if (smp->link_key) {
1099 		struct link_key *key;
1100 		u8 type;
1101 
1102 		if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1103 			type = HCI_LK_DEBUG_COMBINATION;
1104 		else if (hcon->sec_level == BT_SECURITY_FIPS)
1105 			type = HCI_LK_AUTH_COMBINATION_P256;
1106 		else
1107 			type = HCI_LK_UNAUTH_COMBINATION_P256;
1108 
1109 		key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1110 				       smp->link_key, type, 0, &persistent);
1111 		if (key) {
1112 			mgmt_new_link_key(hdev, key, persistent);
1113 
1114 			/* Don't keep debug keys around if the relevant
1115 			 * flag is not set.
1116 			 */
1117 			if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1118 			    key->type == HCI_LK_DEBUG_COMBINATION) {
1119 				list_del_rcu(&key->list);
1120 				kfree_rcu(key, rcu);
1121 			}
1122 		}
1123 	}
1124 }
1125 
1126 static void sc_add_ltk(struct smp_chan *smp)
1127 {
1128 	struct hci_conn *hcon = smp->conn->hcon;
1129 	u8 key_type, auth;
1130 
1131 	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1132 		key_type = SMP_LTK_P256_DEBUG;
1133 	else
1134 		key_type = SMP_LTK_P256;
1135 
1136 	if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1137 		auth = 1;
1138 	else
1139 		auth = 0;
1140 
1141 	smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1142 			       key_type, auth, smp->tk, smp->enc_key_size,
1143 			       0, 0);
1144 }
1145 
1146 static void sc_generate_link_key(struct smp_chan *smp)
1147 {
1148 	/* From core spec. Spells out in ASCII as 'lebr'. */
1149 	const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1150 
1151 	smp->link_key = kzalloc(16, GFP_KERNEL);
1152 	if (!smp->link_key)
1153 		return;
1154 
1155 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1156 		/* SALT = 0x000000000000000000000000746D7031 */
1157 		const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1158 
1159 		if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1160 			kfree_sensitive(smp->link_key);
1161 			smp->link_key = NULL;
1162 			return;
1163 		}
1164 	} else {
1165 		/* From core spec. Spells out in ASCII as 'tmp1'. */
1166 		const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1167 
1168 		if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1169 			kfree_sensitive(smp->link_key);
1170 			smp->link_key = NULL;
1171 			return;
1172 		}
1173 	}
1174 
1175 	if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1176 		kfree_sensitive(smp->link_key);
1177 		smp->link_key = NULL;
1178 		return;
1179 	}
1180 }
1181 
1182 static void smp_allow_key_dist(struct smp_chan *smp)
1183 {
1184 	/* Allow the first expected phase 3 PDU. The rest of the PDUs
1185 	 * will be allowed in each PDU handler to ensure we receive
1186 	 * them in the correct order.
1187 	 */
1188 	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1189 		SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1190 	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1191 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1192 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
1193 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1194 }
1195 
1196 static void sc_generate_ltk(struct smp_chan *smp)
1197 {
1198 	/* From core spec. Spells out in ASCII as 'brle'. */
1199 	const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1200 	struct hci_conn *hcon = smp->conn->hcon;
1201 	struct hci_dev *hdev = hcon->hdev;
1202 	struct link_key *key;
1203 
1204 	key = hci_find_link_key(hdev, &hcon->dst);
1205 	if (!key) {
1206 		bt_dev_err(hdev, "no Link Key found to generate LTK");
1207 		return;
1208 	}
1209 
1210 	if (key->type == HCI_LK_DEBUG_COMBINATION)
1211 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1212 
1213 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1214 		/* SALT = 0x000000000000000000000000746D7032 */
1215 		const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1216 
1217 		if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1218 			return;
1219 	} else {
1220 		/* From core spec. Spells out in ASCII as 'tmp2'. */
1221 		const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1222 
1223 		if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1224 			return;
1225 	}
1226 
1227 	if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1228 		return;
1229 
1230 	sc_add_ltk(smp);
1231 }
1232 
1233 static void smp_distribute_keys(struct smp_chan *smp)
1234 {
1235 	struct smp_cmd_pairing *req, *rsp;
1236 	struct l2cap_conn *conn = smp->conn;
1237 	struct hci_conn *hcon = conn->hcon;
1238 	struct hci_dev *hdev = hcon->hdev;
1239 	__u8 *keydist;
1240 
1241 	bt_dev_dbg(hdev, "conn %p", conn);
1242 
1243 	rsp = (void *) &smp->prsp[1];
1244 
1245 	/* The responder sends its keys first */
1246 	if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1247 		smp_allow_key_dist(smp);
1248 		return;
1249 	}
1250 
1251 	req = (void *) &smp->preq[1];
1252 
1253 	if (hcon->out) {
1254 		keydist = &rsp->init_key_dist;
1255 		*keydist &= req->init_key_dist;
1256 	} else {
1257 		keydist = &rsp->resp_key_dist;
1258 		*keydist &= req->resp_key_dist;
1259 	}
1260 
1261 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1262 		if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1263 			sc_generate_link_key(smp);
1264 		if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1265 			sc_generate_ltk(smp);
1266 
1267 		/* Clear the keys which are generated but not distributed */
1268 		*keydist &= ~SMP_SC_NO_DIST;
1269 	}
1270 
1271 	bt_dev_dbg(hdev, "keydist 0x%x", *keydist);
1272 
1273 	if (*keydist & SMP_DIST_ENC_KEY) {
1274 		struct smp_cmd_encrypt_info enc;
1275 		struct smp_cmd_initiator_ident ident;
1276 		struct smp_ltk *ltk;
1277 		u8 authenticated;
1278 		__le16 ediv;
1279 		__le64 rand;
1280 
1281 		/* Make sure we generate only the significant amount of
1282 		 * bytes based on the encryption key size, and set the rest
1283 		 * of the value to zeroes.
1284 		 */
1285 		get_random_bytes(enc.ltk, smp->enc_key_size);
1286 		memset(enc.ltk + smp->enc_key_size, 0,
1287 		       sizeof(enc.ltk) - smp->enc_key_size);
1288 
1289 		get_random_bytes(&ediv, sizeof(ediv));
1290 		get_random_bytes(&rand, sizeof(rand));
1291 
1292 		smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1293 
1294 		authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1295 		ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1296 				  SMP_LTK_RESPONDER, authenticated, enc.ltk,
1297 				  smp->enc_key_size, ediv, rand);
1298 		smp->responder_ltk = ltk;
1299 
1300 		ident.ediv = ediv;
1301 		ident.rand = rand;
1302 
1303 		smp_send_cmd(conn, SMP_CMD_INITIATOR_IDENT, sizeof(ident),
1304 			     &ident);
1305 
1306 		*keydist &= ~SMP_DIST_ENC_KEY;
1307 	}
1308 
1309 	if (*keydist & SMP_DIST_ID_KEY) {
1310 		struct smp_cmd_ident_addr_info addrinfo;
1311 		struct smp_cmd_ident_info idinfo;
1312 
1313 		memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1314 
1315 		smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1316 
1317 		/* The hci_conn contains the local identity address
1318 		 * after the connection has been established.
1319 		 *
1320 		 * This is true even when the connection has been
1321 		 * established using a resolvable random address.
1322 		 */
1323 		bacpy(&addrinfo.bdaddr, &hcon->src);
1324 		addrinfo.addr_type = hcon->src_type;
1325 
1326 		smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1327 			     &addrinfo);
1328 
1329 		*keydist &= ~SMP_DIST_ID_KEY;
1330 	}
1331 
1332 	if (*keydist & SMP_DIST_SIGN) {
1333 		struct smp_cmd_sign_info sign;
1334 		struct smp_csrk *csrk;
1335 
1336 		/* Generate a new random key */
1337 		get_random_bytes(sign.csrk, sizeof(sign.csrk));
1338 
1339 		csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1340 		if (csrk) {
1341 			if (hcon->sec_level > BT_SECURITY_MEDIUM)
1342 				csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1343 			else
1344 				csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1345 			memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1346 		}
1347 		smp->responder_csrk = csrk;
1348 
1349 		smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1350 
1351 		*keydist &= ~SMP_DIST_SIGN;
1352 	}
1353 
1354 	/* If there are still keys to be received wait for them */
1355 	if (smp->remote_key_dist & KEY_DIST_MASK) {
1356 		smp_allow_key_dist(smp);
1357 		return;
1358 	}
1359 
1360 	set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1361 	smp_notify_keys(conn);
1362 
1363 	smp_chan_destroy(conn);
1364 }
1365 
1366 static void smp_timeout(struct work_struct *work)
1367 {
1368 	struct smp_chan *smp = container_of(work, struct smp_chan,
1369 					    security_timer.work);
1370 	struct l2cap_conn *conn = smp->conn;
1371 
1372 	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
1373 
1374 	hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1375 }
1376 
1377 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1378 {
1379 	struct hci_conn *hcon = conn->hcon;
1380 	struct l2cap_chan *chan = conn->smp;
1381 	struct smp_chan *smp;
1382 
1383 	smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1384 	if (!smp)
1385 		return NULL;
1386 
1387 	smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1388 	if (IS_ERR(smp->tfm_cmac)) {
1389 		bt_dev_err(hcon->hdev, "Unable to create CMAC crypto context");
1390 		goto zfree_smp;
1391 	}
1392 
1393 	smp->tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
1394 	if (IS_ERR(smp->tfm_ecdh)) {
1395 		bt_dev_err(hcon->hdev, "Unable to create ECDH crypto context");
1396 		goto free_shash;
1397 	}
1398 
1399 	smp->conn = conn;
1400 	chan->data = smp;
1401 
1402 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1403 
1404 	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1405 
1406 	hci_conn_hold(hcon);
1407 
1408 	return smp;
1409 
1410 free_shash:
1411 	crypto_free_shash(smp->tfm_cmac);
1412 zfree_smp:
1413 	kfree_sensitive(smp);
1414 	return NULL;
1415 }
1416 
1417 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1418 {
1419 	struct hci_conn *hcon = smp->conn->hcon;
1420 	u8 *na, *nb, a[7], b[7];
1421 
1422 	if (hcon->out) {
1423 		na   = smp->prnd;
1424 		nb   = smp->rrnd;
1425 	} else {
1426 		na   = smp->rrnd;
1427 		nb   = smp->prnd;
1428 	}
1429 
1430 	memcpy(a, &hcon->init_addr, 6);
1431 	memcpy(b, &hcon->resp_addr, 6);
1432 	a[6] = hcon->init_addr_type;
1433 	b[6] = hcon->resp_addr_type;
1434 
1435 	return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1436 }
1437 
1438 static void sc_dhkey_check(struct smp_chan *smp)
1439 {
1440 	struct hci_conn *hcon = smp->conn->hcon;
1441 	struct smp_cmd_dhkey_check check;
1442 	u8 a[7], b[7], *local_addr, *remote_addr;
1443 	u8 io_cap[3], r[16];
1444 
1445 	memcpy(a, &hcon->init_addr, 6);
1446 	memcpy(b, &hcon->resp_addr, 6);
1447 	a[6] = hcon->init_addr_type;
1448 	b[6] = hcon->resp_addr_type;
1449 
1450 	if (hcon->out) {
1451 		local_addr = a;
1452 		remote_addr = b;
1453 		memcpy(io_cap, &smp->preq[1], 3);
1454 	} else {
1455 		local_addr = b;
1456 		remote_addr = a;
1457 		memcpy(io_cap, &smp->prsp[1], 3);
1458 	}
1459 
1460 	memset(r, 0, sizeof(r));
1461 
1462 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1463 		put_unaligned_le32(hcon->passkey_notify, r);
1464 
1465 	if (smp->method == REQ_OOB)
1466 		memcpy(r, smp->rr, 16);
1467 
1468 	smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1469 	       local_addr, remote_addr, check.e);
1470 
1471 	smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1472 }
1473 
1474 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1475 {
1476 	struct l2cap_conn *conn = smp->conn;
1477 	struct hci_conn *hcon = conn->hcon;
1478 	struct smp_cmd_pairing_confirm cfm;
1479 	u8 r;
1480 
1481 	r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1482 	r |= 0x80;
1483 
1484 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1485 
1486 	if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1487 		   cfm.confirm_val))
1488 		return SMP_UNSPECIFIED;
1489 
1490 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1491 
1492 	return 0;
1493 }
1494 
1495 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1496 {
1497 	struct l2cap_conn *conn = smp->conn;
1498 	struct hci_conn *hcon = conn->hcon;
1499 	struct hci_dev *hdev = hcon->hdev;
1500 	u8 cfm[16], r;
1501 
1502 	/* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1503 	if (smp->passkey_round >= 20)
1504 		return 0;
1505 
1506 	switch (smp_op) {
1507 	case SMP_CMD_PAIRING_RANDOM:
1508 		r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1509 		r |= 0x80;
1510 
1511 		if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1512 			   smp->rrnd, r, cfm))
1513 			return SMP_UNSPECIFIED;
1514 
1515 		if (crypto_memneq(smp->pcnf, cfm, 16))
1516 			return SMP_CONFIRM_FAILED;
1517 
1518 		smp->passkey_round++;
1519 
1520 		if (smp->passkey_round == 20) {
1521 			/* Generate MacKey and LTK */
1522 			if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1523 				return SMP_UNSPECIFIED;
1524 		}
1525 
1526 		/* The round is only complete when the initiator
1527 		 * receives pairing random.
1528 		 */
1529 		if (!hcon->out) {
1530 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1531 				     sizeof(smp->prnd), smp->prnd);
1532 			if (smp->passkey_round == 20)
1533 				SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1534 			else
1535 				SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1536 			return 0;
1537 		}
1538 
1539 		/* Start the next round */
1540 		if (smp->passkey_round != 20)
1541 			return sc_passkey_round(smp, 0);
1542 
1543 		/* Passkey rounds are complete - start DHKey Check */
1544 		sc_dhkey_check(smp);
1545 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1546 
1547 		break;
1548 
1549 	case SMP_CMD_PAIRING_CONFIRM:
1550 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1551 			set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1552 			return 0;
1553 		}
1554 
1555 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1556 
1557 		if (hcon->out) {
1558 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1559 				     sizeof(smp->prnd), smp->prnd);
1560 			return 0;
1561 		}
1562 
1563 		return sc_passkey_send_confirm(smp);
1564 
1565 	case SMP_CMD_PUBLIC_KEY:
1566 	default:
1567 		/* Initiating device starts the round */
1568 		if (!hcon->out)
1569 			return 0;
1570 
1571 		bt_dev_dbg(hdev, "Starting passkey round %u",
1572 			   smp->passkey_round + 1);
1573 
1574 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1575 
1576 		return sc_passkey_send_confirm(smp);
1577 	}
1578 
1579 	return 0;
1580 }
1581 
1582 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1583 {
1584 	struct l2cap_conn *conn = smp->conn;
1585 	struct hci_conn *hcon = conn->hcon;
1586 	u8 smp_op;
1587 
1588 	clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1589 
1590 	switch (mgmt_op) {
1591 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1592 		smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1593 		return 0;
1594 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1595 		smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1596 		return 0;
1597 	case MGMT_OP_USER_PASSKEY_REPLY:
1598 		hcon->passkey_notify = le32_to_cpu(passkey);
1599 		smp->passkey_round = 0;
1600 
1601 		if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1602 			smp_op = SMP_CMD_PAIRING_CONFIRM;
1603 		else
1604 			smp_op = 0;
1605 
1606 		if (sc_passkey_round(smp, smp_op))
1607 			return -EIO;
1608 
1609 		return 0;
1610 	}
1611 
1612 	/* Initiator sends DHKey check first */
1613 	if (hcon->out) {
1614 		sc_dhkey_check(smp);
1615 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1616 	} else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1617 		sc_dhkey_check(smp);
1618 		sc_add_ltk(smp);
1619 	}
1620 
1621 	return 0;
1622 }
1623 
1624 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1625 {
1626 	struct l2cap_conn *conn = hcon->l2cap_data;
1627 	struct l2cap_chan *chan;
1628 	struct smp_chan *smp;
1629 	u32 value;
1630 	int err;
1631 
1632 	if (!conn)
1633 		return -ENOTCONN;
1634 
1635 	bt_dev_dbg(conn->hcon->hdev, "");
1636 
1637 	chan = conn->smp;
1638 	if (!chan)
1639 		return -ENOTCONN;
1640 
1641 	l2cap_chan_lock(chan);
1642 	if (!chan->data) {
1643 		err = -ENOTCONN;
1644 		goto unlock;
1645 	}
1646 
1647 	smp = chan->data;
1648 
1649 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1650 		err = sc_user_reply(smp, mgmt_op, passkey);
1651 		goto unlock;
1652 	}
1653 
1654 	switch (mgmt_op) {
1655 	case MGMT_OP_USER_PASSKEY_REPLY:
1656 		value = le32_to_cpu(passkey);
1657 		memset(smp->tk, 0, sizeof(smp->tk));
1658 		bt_dev_dbg(conn->hcon->hdev, "PassKey: %u", value);
1659 		put_unaligned_le32(value, smp->tk);
1660 		fallthrough;
1661 	case MGMT_OP_USER_CONFIRM_REPLY:
1662 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1663 		break;
1664 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1665 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1666 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1667 		err = 0;
1668 		goto unlock;
1669 	default:
1670 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1671 		err = -EOPNOTSUPP;
1672 		goto unlock;
1673 	}
1674 
1675 	err = 0;
1676 
1677 	/* If it is our turn to send Pairing Confirm, do so now */
1678 	if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1679 		u8 rsp = smp_confirm(smp);
1680 		if (rsp)
1681 			smp_failure(conn, rsp);
1682 	}
1683 
1684 unlock:
1685 	l2cap_chan_unlock(chan);
1686 	return err;
1687 }
1688 
1689 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1690 				    struct smp_cmd_pairing *req,
1691 				    struct smp_cmd_pairing *rsp)
1692 {
1693 	struct l2cap_conn *conn = smp->conn;
1694 	struct hci_dev *hdev = conn->hcon->hdev;
1695 	u8 local_dist = 0, remote_dist = 0;
1696 
1697 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1698 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1699 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1700 	}
1701 
1702 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1703 		remote_dist |= SMP_DIST_ID_KEY;
1704 
1705 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1706 		local_dist |= SMP_DIST_ID_KEY;
1707 
1708 	if (!rsp) {
1709 		memset(req, 0, sizeof(*req));
1710 
1711 		req->auth_req        = SMP_AUTH_CT2;
1712 		req->init_key_dist   = local_dist;
1713 		req->resp_key_dist   = remote_dist;
1714 		req->max_key_size    = conn->hcon->enc_key_size;
1715 
1716 		smp->remote_key_dist = remote_dist;
1717 
1718 		return;
1719 	}
1720 
1721 	memset(rsp, 0, sizeof(*rsp));
1722 
1723 	rsp->auth_req        = SMP_AUTH_CT2;
1724 	rsp->max_key_size    = conn->hcon->enc_key_size;
1725 	rsp->init_key_dist   = req->init_key_dist & remote_dist;
1726 	rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1727 
1728 	smp->remote_key_dist = rsp->init_key_dist;
1729 }
1730 
1731 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1732 {
1733 	struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1734 	struct l2cap_chan *chan = conn->smp;
1735 	struct hci_dev *hdev = conn->hcon->hdev;
1736 	struct smp_chan *smp;
1737 	u8 key_size, auth, sec_level;
1738 	int ret;
1739 
1740 	bt_dev_dbg(hdev, "conn %p", conn);
1741 
1742 	if (skb->len < sizeof(*req))
1743 		return SMP_INVALID_PARAMS;
1744 
1745 	if (conn->hcon->role != HCI_ROLE_SLAVE)
1746 		return SMP_CMD_NOTSUPP;
1747 
1748 	if (!chan->data)
1749 		smp = smp_chan_create(conn);
1750 	else
1751 		smp = chan->data;
1752 
1753 	if (!smp)
1754 		return SMP_UNSPECIFIED;
1755 
1756 	/* We didn't start the pairing, so match remote */
1757 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
1758 
1759 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1760 	    (auth & SMP_AUTH_BONDING))
1761 		return SMP_PAIRING_NOTSUPP;
1762 
1763 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1764 		return SMP_AUTH_REQUIREMENTS;
1765 
1766 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
1767 	memcpy(&smp->preq[1], req, sizeof(*req));
1768 	skb_pull(skb, sizeof(*req));
1769 
1770 	/* If the remote side's OOB flag is set it means it has
1771 	 * successfully received our local OOB data - therefore set the
1772 	 * flag to indicate that local OOB is in use.
1773 	 */
1774 	if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1775 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1776 
1777 	/* SMP over BR/EDR requires special treatment */
1778 	if (conn->hcon->type == ACL_LINK) {
1779 		/* We must have a BR/EDR SC link */
1780 		if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1781 		    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1782 			return SMP_CROSS_TRANSP_NOT_ALLOWED;
1783 
1784 		set_bit(SMP_FLAG_SC, &smp->flags);
1785 
1786 		build_bredr_pairing_cmd(smp, req, &rsp);
1787 
1788 		if (req->auth_req & SMP_AUTH_CT2)
1789 			set_bit(SMP_FLAG_CT2, &smp->flags);
1790 
1791 		key_size = min(req->max_key_size, rsp.max_key_size);
1792 		if (check_enc_key_size(conn, key_size))
1793 			return SMP_ENC_KEY_SIZE;
1794 
1795 		/* Clear bits which are generated but not distributed */
1796 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1797 
1798 		smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1799 		memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1800 		smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1801 
1802 		smp_distribute_keys(smp);
1803 		return 0;
1804 	}
1805 
1806 	build_pairing_cmd(conn, req, &rsp, auth);
1807 
1808 	if (rsp.auth_req & SMP_AUTH_SC) {
1809 		set_bit(SMP_FLAG_SC, &smp->flags);
1810 
1811 		if (rsp.auth_req & SMP_AUTH_CT2)
1812 			set_bit(SMP_FLAG_CT2, &smp->flags);
1813 	}
1814 
1815 	if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1816 		sec_level = BT_SECURITY_MEDIUM;
1817 	else
1818 		sec_level = authreq_to_seclevel(auth);
1819 
1820 	if (sec_level > conn->hcon->pending_sec_level)
1821 		conn->hcon->pending_sec_level = sec_level;
1822 
1823 	/* If we need MITM check that it can be achieved */
1824 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1825 		u8 method;
1826 
1827 		method = get_auth_method(smp, conn->hcon->io_capability,
1828 					 req->io_capability);
1829 		if (method == JUST_WORKS || method == JUST_CFM)
1830 			return SMP_AUTH_REQUIREMENTS;
1831 	}
1832 
1833 	key_size = min(req->max_key_size, rsp.max_key_size);
1834 	if (check_enc_key_size(conn, key_size))
1835 		return SMP_ENC_KEY_SIZE;
1836 
1837 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1838 
1839 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1840 	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1841 
1842 	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1843 
1844 	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1845 
1846 	/* Strictly speaking we shouldn't allow Pairing Confirm for the
1847 	 * SC case, however some implementations incorrectly copy RFU auth
1848 	 * req bits from our security request, which may create a false
1849 	 * positive SC enablement.
1850 	 */
1851 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1852 
1853 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1854 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1855 		/* Clear bits which are generated but not distributed */
1856 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1857 		/* Wait for Public Key from Initiating Device */
1858 		return 0;
1859 	}
1860 
1861 	/* Request setup of TK */
1862 	ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1863 	if (ret)
1864 		return SMP_UNSPECIFIED;
1865 
1866 	return 0;
1867 }
1868 
1869 static u8 sc_send_public_key(struct smp_chan *smp)
1870 {
1871 	struct hci_dev *hdev = smp->conn->hcon->hdev;
1872 
1873 	bt_dev_dbg(hdev, "");
1874 
1875 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1876 		struct l2cap_chan *chan = hdev->smp_data;
1877 		struct smp_dev *smp_dev;
1878 
1879 		if (!chan || !chan->data)
1880 			return SMP_UNSPECIFIED;
1881 
1882 		smp_dev = chan->data;
1883 
1884 		memcpy(smp->local_pk, smp_dev->local_pk, 64);
1885 		memcpy(smp->lr, smp_dev->local_rand, 16);
1886 
1887 		if (smp_dev->debug_key)
1888 			set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1889 
1890 		goto done;
1891 	}
1892 
1893 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1894 		bt_dev_dbg(hdev, "Using debug keys");
1895 		if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
1896 			return SMP_UNSPECIFIED;
1897 		memcpy(smp->local_pk, debug_pk, 64);
1898 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1899 	} else {
1900 		while (true) {
1901 			/* Generate key pair for Secure Connections */
1902 			if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
1903 				return SMP_UNSPECIFIED;
1904 
1905 			/* This is unlikely, but we need to check that
1906 			 * we didn't accidentally generate a debug key.
1907 			 */
1908 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
1909 				break;
1910 		}
1911 	}
1912 
1913 done:
1914 	SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1915 	SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1916 
1917 	smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1918 
1919 	return 0;
1920 }
1921 
1922 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1923 {
1924 	struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1925 	struct l2cap_chan *chan = conn->smp;
1926 	struct smp_chan *smp = chan->data;
1927 	struct hci_dev *hdev = conn->hcon->hdev;
1928 	u8 key_size, auth;
1929 	int ret;
1930 
1931 	bt_dev_dbg(hdev, "conn %p", conn);
1932 
1933 	if (skb->len < sizeof(*rsp))
1934 		return SMP_INVALID_PARAMS;
1935 
1936 	if (conn->hcon->role != HCI_ROLE_MASTER)
1937 		return SMP_CMD_NOTSUPP;
1938 
1939 	skb_pull(skb, sizeof(*rsp));
1940 
1941 	req = (void *) &smp->preq[1];
1942 
1943 	key_size = min(req->max_key_size, rsp->max_key_size);
1944 	if (check_enc_key_size(conn, key_size))
1945 		return SMP_ENC_KEY_SIZE;
1946 
1947 	auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1948 
1949 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1950 		return SMP_AUTH_REQUIREMENTS;
1951 
1952 	/* If the remote side's OOB flag is set it means it has
1953 	 * successfully received our local OOB data - therefore set the
1954 	 * flag to indicate that local OOB is in use.
1955 	 */
1956 	if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1957 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1958 
1959 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1960 	memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1961 
1962 	/* Update remote key distribution in case the remote cleared
1963 	 * some bits that we had enabled in our request.
1964 	 */
1965 	smp->remote_key_dist &= rsp->resp_key_dist;
1966 
1967 	if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1968 		set_bit(SMP_FLAG_CT2, &smp->flags);
1969 
1970 	/* For BR/EDR this means we're done and can start phase 3 */
1971 	if (conn->hcon->type == ACL_LINK) {
1972 		/* Clear bits which are generated but not distributed */
1973 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1974 		smp_distribute_keys(smp);
1975 		return 0;
1976 	}
1977 
1978 	if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1979 		set_bit(SMP_FLAG_SC, &smp->flags);
1980 	else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1981 		conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1982 
1983 	/* If we need MITM check that it can be achieved */
1984 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1985 		u8 method;
1986 
1987 		method = get_auth_method(smp, req->io_capability,
1988 					 rsp->io_capability);
1989 		if (method == JUST_WORKS || method == JUST_CFM)
1990 			return SMP_AUTH_REQUIREMENTS;
1991 	}
1992 
1993 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1994 
1995 	/* Update remote key distribution in case the remote cleared
1996 	 * some bits that we had enabled in our request.
1997 	 */
1998 	smp->remote_key_dist &= rsp->resp_key_dist;
1999 
2000 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2001 		/* Clear bits which are generated but not distributed */
2002 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
2003 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2004 		return sc_send_public_key(smp);
2005 	}
2006 
2007 	auth |= req->auth_req;
2008 
2009 	ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2010 	if (ret)
2011 		return SMP_UNSPECIFIED;
2012 
2013 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2014 
2015 	/* Can't compose response until we have been confirmed */
2016 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2017 		return smp_confirm(smp);
2018 
2019 	return 0;
2020 }
2021 
2022 static u8 sc_check_confirm(struct smp_chan *smp)
2023 {
2024 	struct l2cap_conn *conn = smp->conn;
2025 
2026 	bt_dev_dbg(conn->hcon->hdev, "");
2027 
2028 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2029 		return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2030 
2031 	if (conn->hcon->out) {
2032 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2033 			     smp->prnd);
2034 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2035 	}
2036 
2037 	return 0;
2038 }
2039 
2040 /* Work-around for some implementations that incorrectly copy RFU bits
2041  * from our security request and thereby create the impression that
2042  * we're doing SC when in fact the remote doesn't support it.
2043  */
2044 static int fixup_sc_false_positive(struct smp_chan *smp)
2045 {
2046 	struct l2cap_conn *conn = smp->conn;
2047 	struct hci_conn *hcon = conn->hcon;
2048 	struct hci_dev *hdev = hcon->hdev;
2049 	struct smp_cmd_pairing *req, *rsp;
2050 	u8 auth;
2051 
2052 	/* The issue is only observed when we're in responder role */
2053 	if (hcon->out)
2054 		return SMP_UNSPECIFIED;
2055 
2056 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2057 		bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
2058 		return SMP_UNSPECIFIED;
2059 	}
2060 
2061 	bt_dev_err(hdev, "trying to fall back to legacy SMP");
2062 
2063 	req = (void *) &smp->preq[1];
2064 	rsp = (void *) &smp->prsp[1];
2065 
2066 	/* Rebuild key dist flags which may have been cleared for SC */
2067 	smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2068 
2069 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
2070 
2071 	if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2072 		bt_dev_err(hdev, "failed to fall back to legacy SMP");
2073 		return SMP_UNSPECIFIED;
2074 	}
2075 
2076 	clear_bit(SMP_FLAG_SC, &smp->flags);
2077 
2078 	return 0;
2079 }
2080 
2081 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2082 {
2083 	struct l2cap_chan *chan = conn->smp;
2084 	struct smp_chan *smp = chan->data;
2085 	struct hci_conn *hcon = conn->hcon;
2086 	struct hci_dev *hdev = hcon->hdev;
2087 
2088 	bt_dev_dbg(hdev, "conn %p %s", conn,
2089 		   hcon->out ? "initiator" : "responder");
2090 
2091 	if (skb->len < sizeof(smp->pcnf))
2092 		return SMP_INVALID_PARAMS;
2093 
2094 	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2095 	skb_pull(skb, sizeof(smp->pcnf));
2096 
2097 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2098 		int ret;
2099 
2100 		/* Public Key exchange must happen before any other steps */
2101 		if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2102 			return sc_check_confirm(smp);
2103 
2104 		bt_dev_err(hdev, "Unexpected SMP Pairing Confirm");
2105 
2106 		ret = fixup_sc_false_positive(smp);
2107 		if (ret)
2108 			return ret;
2109 	}
2110 
2111 	if (conn->hcon->out) {
2112 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2113 			     smp->prnd);
2114 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2115 		return 0;
2116 	}
2117 
2118 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2119 		return smp_confirm(smp);
2120 
2121 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2122 
2123 	return 0;
2124 }
2125 
2126 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2127 {
2128 	struct l2cap_chan *chan = conn->smp;
2129 	struct smp_chan *smp = chan->data;
2130 	struct hci_conn *hcon = conn->hcon;
2131 	u8 *pkax, *pkbx, *na, *nb, confirm_hint;
2132 	u32 passkey;
2133 	int err;
2134 
2135 	bt_dev_dbg(hcon->hdev, "conn %p", conn);
2136 
2137 	if (skb->len < sizeof(smp->rrnd))
2138 		return SMP_INVALID_PARAMS;
2139 
2140 	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2141 	skb_pull(skb, sizeof(smp->rrnd));
2142 
2143 	if (!test_bit(SMP_FLAG_SC, &smp->flags))
2144 		return smp_random(smp);
2145 
2146 	if (hcon->out) {
2147 		pkax = smp->local_pk;
2148 		pkbx = smp->remote_pk;
2149 		na   = smp->prnd;
2150 		nb   = smp->rrnd;
2151 	} else {
2152 		pkax = smp->remote_pk;
2153 		pkbx = smp->local_pk;
2154 		na   = smp->rrnd;
2155 		nb   = smp->prnd;
2156 	}
2157 
2158 	if (smp->method == REQ_OOB) {
2159 		if (!hcon->out)
2160 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2161 				     sizeof(smp->prnd), smp->prnd);
2162 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2163 		goto mackey_and_ltk;
2164 	}
2165 
2166 	/* Passkey entry has special treatment */
2167 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2168 		return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2169 
2170 	if (hcon->out) {
2171 		u8 cfm[16];
2172 
2173 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2174 			     smp->rrnd, 0, cfm);
2175 		if (err)
2176 			return SMP_UNSPECIFIED;
2177 
2178 		if (crypto_memneq(smp->pcnf, cfm, 16))
2179 			return SMP_CONFIRM_FAILED;
2180 	} else {
2181 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2182 			     smp->prnd);
2183 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2184 
2185 		/* Only Just-Works pairing requires extra checks */
2186 		if (smp->method != JUST_WORKS)
2187 			goto mackey_and_ltk;
2188 
2189 		/* If there already exists long term key in local host, leave
2190 		 * the decision to user space since the remote device could
2191 		 * be legitimate or malicious.
2192 		 */
2193 		if (hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
2194 				 hcon->role)) {
2195 			/* Set passkey to 0. The value can be any number since
2196 			 * it'll be ignored anyway.
2197 			 */
2198 			passkey = 0;
2199 			confirm_hint = 1;
2200 			goto confirm;
2201 		}
2202 	}
2203 
2204 mackey_and_ltk:
2205 	/* Generate MacKey and LTK */
2206 	err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2207 	if (err)
2208 		return SMP_UNSPECIFIED;
2209 
2210 	if (smp->method == REQ_OOB) {
2211 		if (hcon->out) {
2212 			sc_dhkey_check(smp);
2213 			SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2214 		}
2215 		return 0;
2216 	}
2217 
2218 	err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2219 	if (err)
2220 		return SMP_UNSPECIFIED;
2221 
2222 	confirm_hint = 0;
2223 
2224 confirm:
2225 	if (smp->method == JUST_WORKS)
2226 		confirm_hint = 1;
2227 
2228 	err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2229 					hcon->dst_type, passkey, confirm_hint);
2230 	if (err)
2231 		return SMP_UNSPECIFIED;
2232 
2233 	set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2234 
2235 	return 0;
2236 }
2237 
2238 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2239 {
2240 	struct smp_ltk *key;
2241 	struct hci_conn *hcon = conn->hcon;
2242 
2243 	key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2244 	if (!key)
2245 		return false;
2246 
2247 	if (smp_ltk_sec_level(key) < sec_level)
2248 		return false;
2249 
2250 	if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2251 		return true;
2252 
2253 	hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2254 	hcon->enc_key_size = key->enc_size;
2255 
2256 	/* We never store STKs for initiator role, so clear this flag */
2257 	clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2258 
2259 	return true;
2260 }
2261 
2262 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2263 			     enum smp_key_pref key_pref)
2264 {
2265 	if (sec_level == BT_SECURITY_LOW)
2266 		return true;
2267 
2268 	/* If we're encrypted with an STK but the caller prefers using
2269 	 * LTK claim insufficient security. This way we allow the
2270 	 * connection to be re-encrypted with an LTK, even if the LTK
2271 	 * provides the same level of security. Only exception is if we
2272 	 * don't have an LTK (e.g. because of key distribution bits).
2273 	 */
2274 	if (key_pref == SMP_USE_LTK &&
2275 	    test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2276 	    hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2277 		return false;
2278 
2279 	if (hcon->sec_level >= sec_level)
2280 		return true;
2281 
2282 	return false;
2283 }
2284 
2285 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2286 {
2287 	struct smp_cmd_security_req *rp = (void *) skb->data;
2288 	struct smp_cmd_pairing cp;
2289 	struct hci_conn *hcon = conn->hcon;
2290 	struct hci_dev *hdev = hcon->hdev;
2291 	struct smp_chan *smp;
2292 	u8 sec_level, auth;
2293 
2294 	bt_dev_dbg(hdev, "conn %p", conn);
2295 
2296 	if (skb->len < sizeof(*rp))
2297 		return SMP_INVALID_PARAMS;
2298 
2299 	if (hcon->role != HCI_ROLE_MASTER)
2300 		return SMP_CMD_NOTSUPP;
2301 
2302 	auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2303 
2304 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2305 		return SMP_AUTH_REQUIREMENTS;
2306 
2307 	if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2308 		sec_level = BT_SECURITY_MEDIUM;
2309 	else
2310 		sec_level = authreq_to_seclevel(auth);
2311 
2312 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2313 		/* If link is already encrypted with sufficient security we
2314 		 * still need refresh encryption as per Core Spec 5.0 Vol 3,
2315 		 * Part H 2.4.6
2316 		 */
2317 		smp_ltk_encrypt(conn, hcon->sec_level);
2318 		return 0;
2319 	}
2320 
2321 	if (sec_level > hcon->pending_sec_level)
2322 		hcon->pending_sec_level = sec_level;
2323 
2324 	if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2325 		return 0;
2326 
2327 	smp = smp_chan_create(conn);
2328 	if (!smp)
2329 		return SMP_UNSPECIFIED;
2330 
2331 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2332 	    (auth & SMP_AUTH_BONDING))
2333 		return SMP_PAIRING_NOTSUPP;
2334 
2335 	skb_pull(skb, sizeof(*rp));
2336 
2337 	memset(&cp, 0, sizeof(cp));
2338 	build_pairing_cmd(conn, &cp, NULL, auth);
2339 
2340 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2341 	memcpy(&smp->preq[1], &cp, sizeof(cp));
2342 
2343 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2344 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2345 
2346 	return 0;
2347 }
2348 
2349 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2350 {
2351 	struct l2cap_conn *conn = hcon->l2cap_data;
2352 	struct l2cap_chan *chan;
2353 	struct smp_chan *smp;
2354 	__u8 authreq;
2355 	int ret;
2356 
2357 	bt_dev_dbg(hcon->hdev, "conn %p hcon %p level 0x%2.2x", conn, hcon,
2358 		   sec_level);
2359 
2360 	/* This may be NULL if there's an unexpected disconnection */
2361 	if (!conn)
2362 		return 1;
2363 
2364 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2365 		return 1;
2366 
2367 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2368 		return 1;
2369 
2370 	if (sec_level > hcon->pending_sec_level)
2371 		hcon->pending_sec_level = sec_level;
2372 
2373 	if (hcon->role == HCI_ROLE_MASTER)
2374 		if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2375 			return 0;
2376 
2377 	chan = conn->smp;
2378 	if (!chan) {
2379 		bt_dev_err(hcon->hdev, "security requested but not available");
2380 		return 1;
2381 	}
2382 
2383 	l2cap_chan_lock(chan);
2384 
2385 	/* If SMP is already in progress ignore this request */
2386 	if (chan->data) {
2387 		ret = 0;
2388 		goto unlock;
2389 	}
2390 
2391 	smp = smp_chan_create(conn);
2392 	if (!smp) {
2393 		ret = 1;
2394 		goto unlock;
2395 	}
2396 
2397 	authreq = seclevel_to_authreq(sec_level);
2398 
2399 	if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2400 		authreq |= SMP_AUTH_SC;
2401 		if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2402 			authreq |= SMP_AUTH_CT2;
2403 	}
2404 
2405 	/* Don't attempt to set MITM if setting is overridden by debugfs
2406 	 * Needed to pass certification test SM/MAS/PKE/BV-01-C
2407 	 */
2408 	if (!hci_dev_test_flag(hcon->hdev, HCI_FORCE_NO_MITM)) {
2409 		/* Require MITM if IO Capability allows or the security level
2410 		 * requires it.
2411 		 */
2412 		if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2413 		    hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2414 			authreq |= SMP_AUTH_MITM;
2415 	}
2416 
2417 	if (hcon->role == HCI_ROLE_MASTER) {
2418 		struct smp_cmd_pairing cp;
2419 
2420 		build_pairing_cmd(conn, &cp, NULL, authreq);
2421 		smp->preq[0] = SMP_CMD_PAIRING_REQ;
2422 		memcpy(&smp->preq[1], &cp, sizeof(cp));
2423 
2424 		smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2425 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2426 	} else {
2427 		struct smp_cmd_security_req cp;
2428 		cp.auth_req = authreq;
2429 		smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2430 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2431 	}
2432 
2433 	set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2434 	ret = 0;
2435 
2436 unlock:
2437 	l2cap_chan_unlock(chan);
2438 	return ret;
2439 }
2440 
2441 int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2442 				  u8 addr_type)
2443 {
2444 	struct hci_conn *hcon;
2445 	struct l2cap_conn *conn;
2446 	struct l2cap_chan *chan;
2447 	struct smp_chan *smp;
2448 	int err;
2449 
2450 	err = hci_remove_ltk(hdev, bdaddr, addr_type);
2451 	hci_remove_irk(hdev, bdaddr, addr_type);
2452 
2453 	hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2454 	if (!hcon)
2455 		goto done;
2456 
2457 	conn = hcon->l2cap_data;
2458 	if (!conn)
2459 		goto done;
2460 
2461 	chan = conn->smp;
2462 	if (!chan)
2463 		goto done;
2464 
2465 	l2cap_chan_lock(chan);
2466 
2467 	smp = chan->data;
2468 	if (smp) {
2469 		/* Set keys to NULL to make sure smp_failure() does not try to
2470 		 * remove and free already invalidated rcu list entries. */
2471 		smp->ltk = NULL;
2472 		smp->responder_ltk = NULL;
2473 		smp->remote_irk = NULL;
2474 
2475 		if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2476 			smp_failure(conn, 0);
2477 		else
2478 			smp_failure(conn, SMP_UNSPECIFIED);
2479 		err = 0;
2480 	}
2481 
2482 	l2cap_chan_unlock(chan);
2483 
2484 done:
2485 	return err;
2486 }
2487 
2488 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2489 {
2490 	struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2491 	struct l2cap_chan *chan = conn->smp;
2492 	struct smp_chan *smp = chan->data;
2493 
2494 	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
2495 
2496 	if (skb->len < sizeof(*rp))
2497 		return SMP_INVALID_PARAMS;
2498 
2499 	/* Pairing is aborted if any blocked keys are distributed */
2500 	if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_LTK,
2501 			       rp->ltk)) {
2502 		bt_dev_warn_ratelimited(conn->hcon->hdev,
2503 					"LTK blocked for %pMR",
2504 					&conn->hcon->dst);
2505 		return SMP_INVALID_PARAMS;
2506 	}
2507 
2508 	SMP_ALLOW_CMD(smp, SMP_CMD_INITIATOR_IDENT);
2509 
2510 	skb_pull(skb, sizeof(*rp));
2511 
2512 	memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2513 
2514 	return 0;
2515 }
2516 
2517 static int smp_cmd_initiator_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2518 {
2519 	struct smp_cmd_initiator_ident *rp = (void *)skb->data;
2520 	struct l2cap_chan *chan = conn->smp;
2521 	struct smp_chan *smp = chan->data;
2522 	struct hci_dev *hdev = conn->hcon->hdev;
2523 	struct hci_conn *hcon = conn->hcon;
2524 	struct smp_ltk *ltk;
2525 	u8 authenticated;
2526 
2527 	bt_dev_dbg(hdev, "conn %p", conn);
2528 
2529 	if (skb->len < sizeof(*rp))
2530 		return SMP_INVALID_PARAMS;
2531 
2532 	/* Mark the information as received */
2533 	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2534 
2535 	if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2536 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2537 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
2538 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2539 
2540 	skb_pull(skb, sizeof(*rp));
2541 
2542 	authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2543 	ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2544 			  authenticated, smp->tk, smp->enc_key_size,
2545 			  rp->ediv, rp->rand);
2546 	smp->ltk = ltk;
2547 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2548 		smp_distribute_keys(smp);
2549 
2550 	return 0;
2551 }
2552 
2553 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2554 {
2555 	struct smp_cmd_ident_info *info = (void *) skb->data;
2556 	struct l2cap_chan *chan = conn->smp;
2557 	struct smp_chan *smp = chan->data;
2558 
2559 	bt_dev_dbg(conn->hcon->hdev, "");
2560 
2561 	if (skb->len < sizeof(*info))
2562 		return SMP_INVALID_PARAMS;
2563 
2564 	/* Pairing is aborted if any blocked keys are distributed */
2565 	if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_IRK,
2566 			       info->irk)) {
2567 		bt_dev_warn_ratelimited(conn->hcon->hdev,
2568 					"Identity key blocked for %pMR",
2569 					&conn->hcon->dst);
2570 		return SMP_INVALID_PARAMS;
2571 	}
2572 
2573 	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2574 
2575 	skb_pull(skb, sizeof(*info));
2576 
2577 	memcpy(smp->irk, info->irk, 16);
2578 
2579 	return 0;
2580 }
2581 
2582 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2583 				   struct sk_buff *skb)
2584 {
2585 	struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2586 	struct l2cap_chan *chan = conn->smp;
2587 	struct smp_chan *smp = chan->data;
2588 	struct hci_conn *hcon = conn->hcon;
2589 	bdaddr_t rpa;
2590 
2591 	bt_dev_dbg(hcon->hdev, "");
2592 
2593 	if (skb->len < sizeof(*info))
2594 		return SMP_INVALID_PARAMS;
2595 
2596 	/* Mark the information as received */
2597 	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2598 
2599 	if (smp->remote_key_dist & SMP_DIST_SIGN)
2600 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2601 
2602 	skb_pull(skb, sizeof(*info));
2603 
2604 	/* Strictly speaking the Core Specification (4.1) allows sending
2605 	 * an empty address which would force us to rely on just the IRK
2606 	 * as "identity information". However, since such
2607 	 * implementations are not known of and in order to not over
2608 	 * complicate our implementation, simply pretend that we never
2609 	 * received an IRK for such a device.
2610 	 *
2611 	 * The Identity Address must also be a Static Random or Public
2612 	 * Address, which hci_is_identity_address() checks for.
2613 	 */
2614 	if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2615 	    !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2616 		bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
2617 		goto distribute;
2618 	}
2619 
2620 	/* Drop IRK if peer is using identity address during pairing but is
2621 	 * providing different address as identity information.
2622 	 *
2623 	 * Microsoft Surface Precision Mouse is known to have this bug.
2624 	 */
2625 	if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
2626 	    (bacmp(&info->bdaddr, &hcon->dst) ||
2627 	     info->addr_type != hcon->dst_type)) {
2628 		bt_dev_err(hcon->hdev,
2629 			   "ignoring IRK with invalid identity address");
2630 		goto distribute;
2631 	}
2632 
2633 	bacpy(&smp->id_addr, &info->bdaddr);
2634 	smp->id_addr_type = info->addr_type;
2635 
2636 	if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2637 		bacpy(&rpa, &hcon->dst);
2638 	else
2639 		bacpy(&rpa, BDADDR_ANY);
2640 
2641 	smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2642 				      smp->id_addr_type, smp->irk, &rpa);
2643 
2644 distribute:
2645 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2646 		smp_distribute_keys(smp);
2647 
2648 	return 0;
2649 }
2650 
2651 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2652 {
2653 	struct smp_cmd_sign_info *rp = (void *) skb->data;
2654 	struct l2cap_chan *chan = conn->smp;
2655 	struct smp_chan *smp = chan->data;
2656 	struct smp_csrk *csrk;
2657 
2658 	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
2659 
2660 	if (skb->len < sizeof(*rp))
2661 		return SMP_INVALID_PARAMS;
2662 
2663 	/* Mark the information as received */
2664 	smp->remote_key_dist &= ~SMP_DIST_SIGN;
2665 
2666 	skb_pull(skb, sizeof(*rp));
2667 
2668 	csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2669 	if (csrk) {
2670 		if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2671 			csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2672 		else
2673 			csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2674 		memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2675 	}
2676 	smp->csrk = csrk;
2677 	smp_distribute_keys(smp);
2678 
2679 	return 0;
2680 }
2681 
2682 static u8 sc_select_method(struct smp_chan *smp)
2683 {
2684 	struct l2cap_conn *conn = smp->conn;
2685 	struct hci_conn *hcon = conn->hcon;
2686 	struct smp_cmd_pairing *local, *remote;
2687 	u8 local_mitm, remote_mitm, local_io, remote_io, method;
2688 
2689 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2690 	    test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2691 		return REQ_OOB;
2692 
2693 	/* The preq/prsp contain the raw Pairing Request/Response PDUs
2694 	 * which are needed as inputs to some crypto functions. To get
2695 	 * the "struct smp_cmd_pairing" from them we need to skip the
2696 	 * first byte which contains the opcode.
2697 	 */
2698 	if (hcon->out) {
2699 		local = (void *) &smp->preq[1];
2700 		remote = (void *) &smp->prsp[1];
2701 	} else {
2702 		local = (void *) &smp->prsp[1];
2703 		remote = (void *) &smp->preq[1];
2704 	}
2705 
2706 	local_io = local->io_capability;
2707 	remote_io = remote->io_capability;
2708 
2709 	local_mitm = (local->auth_req & SMP_AUTH_MITM);
2710 	remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2711 
2712 	/* If either side wants MITM, look up the method from the table,
2713 	 * otherwise use JUST WORKS.
2714 	 */
2715 	if (local_mitm || remote_mitm)
2716 		method = get_auth_method(smp, local_io, remote_io);
2717 	else
2718 		method = JUST_WORKS;
2719 
2720 	/* Don't confirm locally initiated pairing attempts */
2721 	if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2722 		method = JUST_WORKS;
2723 
2724 	return method;
2725 }
2726 
2727 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2728 {
2729 	struct smp_cmd_public_key *key = (void *) skb->data;
2730 	struct hci_conn *hcon = conn->hcon;
2731 	struct l2cap_chan *chan = conn->smp;
2732 	struct smp_chan *smp = chan->data;
2733 	struct hci_dev *hdev = hcon->hdev;
2734 	struct crypto_kpp *tfm_ecdh;
2735 	struct smp_cmd_pairing_confirm cfm;
2736 	int err;
2737 
2738 	bt_dev_dbg(hdev, "conn %p", conn);
2739 
2740 	if (skb->len < sizeof(*key))
2741 		return SMP_INVALID_PARAMS;
2742 
2743 	/* Check if remote and local public keys are the same and debug key is
2744 	 * not in use.
2745 	 */
2746 	if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) &&
2747 	    !crypto_memneq(key, smp->local_pk, 64)) {
2748 		bt_dev_err(hdev, "Remote and local public keys are identical");
2749 		return SMP_UNSPECIFIED;
2750 	}
2751 
2752 	memcpy(smp->remote_pk, key, 64);
2753 
2754 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2755 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2756 			     smp->rr, 0, cfm.confirm_val);
2757 		if (err)
2758 			return SMP_UNSPECIFIED;
2759 
2760 		if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2761 			return SMP_CONFIRM_FAILED;
2762 	}
2763 
2764 	/* Non-initiating device sends its public key after receiving
2765 	 * the key from the initiating device.
2766 	 */
2767 	if (!hcon->out) {
2768 		err = sc_send_public_key(smp);
2769 		if (err)
2770 			return err;
2771 	}
2772 
2773 	SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2774 	SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2775 
2776 	/* Compute the shared secret on the same crypto tfm on which the private
2777 	 * key was set/generated.
2778 	 */
2779 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
2780 		struct l2cap_chan *hchan = hdev->smp_data;
2781 		struct smp_dev *smp_dev;
2782 
2783 		if (!hchan || !hchan->data)
2784 			return SMP_UNSPECIFIED;
2785 
2786 		smp_dev = hchan->data;
2787 
2788 		tfm_ecdh = smp_dev->tfm_ecdh;
2789 	} else {
2790 		tfm_ecdh = smp->tfm_ecdh;
2791 	}
2792 
2793 	if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
2794 		return SMP_UNSPECIFIED;
2795 
2796 	SMP_DBG("DHKey %32phN", smp->dhkey);
2797 
2798 	set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2799 
2800 	smp->method = sc_select_method(smp);
2801 
2802 	bt_dev_dbg(hdev, "selected method 0x%02x", smp->method);
2803 
2804 	/* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2805 	if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2806 		hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2807 	else
2808 		hcon->pending_sec_level = BT_SECURITY_FIPS;
2809 
2810 	if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2811 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2812 
2813 	if (smp->method == DSP_PASSKEY) {
2814 		get_random_bytes(&hcon->passkey_notify,
2815 				 sizeof(hcon->passkey_notify));
2816 		hcon->passkey_notify %= 1000000;
2817 		hcon->passkey_entered = 0;
2818 		smp->passkey_round = 0;
2819 		if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2820 					     hcon->dst_type,
2821 					     hcon->passkey_notify,
2822 					     hcon->passkey_entered))
2823 			return SMP_UNSPECIFIED;
2824 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2825 		return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2826 	}
2827 
2828 	if (smp->method == REQ_OOB) {
2829 		if (hcon->out)
2830 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2831 				     sizeof(smp->prnd), smp->prnd);
2832 
2833 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2834 
2835 		return 0;
2836 	}
2837 
2838 	if (hcon->out)
2839 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2840 
2841 	if (smp->method == REQ_PASSKEY) {
2842 		if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2843 					      hcon->dst_type))
2844 			return SMP_UNSPECIFIED;
2845 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2846 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2847 		return 0;
2848 	}
2849 
2850 	/* The Initiating device waits for the non-initiating device to
2851 	 * send the confirm value.
2852 	 */
2853 	if (conn->hcon->out)
2854 		return 0;
2855 
2856 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2857 		     0, cfm.confirm_val);
2858 	if (err)
2859 		return SMP_UNSPECIFIED;
2860 
2861 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2862 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2863 
2864 	return 0;
2865 }
2866 
2867 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2868 {
2869 	struct smp_cmd_dhkey_check *check = (void *) skb->data;
2870 	struct l2cap_chan *chan = conn->smp;
2871 	struct hci_conn *hcon = conn->hcon;
2872 	struct smp_chan *smp = chan->data;
2873 	u8 a[7], b[7], *local_addr, *remote_addr;
2874 	u8 io_cap[3], r[16], e[16];
2875 	int err;
2876 
2877 	bt_dev_dbg(hcon->hdev, "conn %p", conn);
2878 
2879 	if (skb->len < sizeof(*check))
2880 		return SMP_INVALID_PARAMS;
2881 
2882 	memcpy(a, &hcon->init_addr, 6);
2883 	memcpy(b, &hcon->resp_addr, 6);
2884 	a[6] = hcon->init_addr_type;
2885 	b[6] = hcon->resp_addr_type;
2886 
2887 	if (hcon->out) {
2888 		local_addr = a;
2889 		remote_addr = b;
2890 		memcpy(io_cap, &smp->prsp[1], 3);
2891 	} else {
2892 		local_addr = b;
2893 		remote_addr = a;
2894 		memcpy(io_cap, &smp->preq[1], 3);
2895 	}
2896 
2897 	memset(r, 0, sizeof(r));
2898 
2899 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2900 		put_unaligned_le32(hcon->passkey_notify, r);
2901 	else if (smp->method == REQ_OOB)
2902 		memcpy(r, smp->lr, 16);
2903 
2904 	err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2905 		     io_cap, remote_addr, local_addr, e);
2906 	if (err)
2907 		return SMP_UNSPECIFIED;
2908 
2909 	if (crypto_memneq(check->e, e, 16))
2910 		return SMP_DHKEY_CHECK_FAILED;
2911 
2912 	if (!hcon->out) {
2913 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2914 			set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2915 			return 0;
2916 		}
2917 
2918 		/* Responder sends DHKey check as response to initiator */
2919 		sc_dhkey_check(smp);
2920 	}
2921 
2922 	sc_add_ltk(smp);
2923 
2924 	if (hcon->out) {
2925 		hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2926 		hcon->enc_key_size = smp->enc_key_size;
2927 	}
2928 
2929 	return 0;
2930 }
2931 
2932 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2933 				   struct sk_buff *skb)
2934 {
2935 	struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2936 
2937 	bt_dev_dbg(conn->hcon->hdev, "value 0x%02x", kp->value);
2938 
2939 	return 0;
2940 }
2941 
2942 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2943 {
2944 	struct l2cap_conn *conn = chan->conn;
2945 	struct hci_conn *hcon = conn->hcon;
2946 	struct smp_chan *smp;
2947 	__u8 code, reason;
2948 	int err = 0;
2949 
2950 	if (skb->len < 1)
2951 		return -EILSEQ;
2952 
2953 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2954 		reason = SMP_PAIRING_NOTSUPP;
2955 		goto done;
2956 	}
2957 
2958 	code = skb->data[0];
2959 	skb_pull(skb, sizeof(code));
2960 
2961 	smp = chan->data;
2962 
2963 	if (code > SMP_CMD_MAX)
2964 		goto drop;
2965 
2966 	if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2967 		goto drop;
2968 
2969 	/* If we don't have a context the only allowed commands are
2970 	 * pairing request and security request.
2971 	 */
2972 	if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2973 		goto drop;
2974 
2975 	switch (code) {
2976 	case SMP_CMD_PAIRING_REQ:
2977 		reason = smp_cmd_pairing_req(conn, skb);
2978 		break;
2979 
2980 	case SMP_CMD_PAIRING_FAIL:
2981 		smp_failure(conn, 0);
2982 		err = -EPERM;
2983 		break;
2984 
2985 	case SMP_CMD_PAIRING_RSP:
2986 		reason = smp_cmd_pairing_rsp(conn, skb);
2987 		break;
2988 
2989 	case SMP_CMD_SECURITY_REQ:
2990 		reason = smp_cmd_security_req(conn, skb);
2991 		break;
2992 
2993 	case SMP_CMD_PAIRING_CONFIRM:
2994 		reason = smp_cmd_pairing_confirm(conn, skb);
2995 		break;
2996 
2997 	case SMP_CMD_PAIRING_RANDOM:
2998 		reason = smp_cmd_pairing_random(conn, skb);
2999 		break;
3000 
3001 	case SMP_CMD_ENCRYPT_INFO:
3002 		reason = smp_cmd_encrypt_info(conn, skb);
3003 		break;
3004 
3005 	case SMP_CMD_INITIATOR_IDENT:
3006 		reason = smp_cmd_initiator_ident(conn, skb);
3007 		break;
3008 
3009 	case SMP_CMD_IDENT_INFO:
3010 		reason = smp_cmd_ident_info(conn, skb);
3011 		break;
3012 
3013 	case SMP_CMD_IDENT_ADDR_INFO:
3014 		reason = smp_cmd_ident_addr_info(conn, skb);
3015 		break;
3016 
3017 	case SMP_CMD_SIGN_INFO:
3018 		reason = smp_cmd_sign_info(conn, skb);
3019 		break;
3020 
3021 	case SMP_CMD_PUBLIC_KEY:
3022 		reason = smp_cmd_public_key(conn, skb);
3023 		break;
3024 
3025 	case SMP_CMD_DHKEY_CHECK:
3026 		reason = smp_cmd_dhkey_check(conn, skb);
3027 		break;
3028 
3029 	case SMP_CMD_KEYPRESS_NOTIFY:
3030 		reason = smp_cmd_keypress_notify(conn, skb);
3031 		break;
3032 
3033 	default:
3034 		bt_dev_dbg(hcon->hdev, "Unknown command code 0x%2.2x", code);
3035 		reason = SMP_CMD_NOTSUPP;
3036 		goto done;
3037 	}
3038 
3039 done:
3040 	if (!err) {
3041 		if (reason)
3042 			smp_failure(conn, reason);
3043 		kfree_skb(skb);
3044 	}
3045 
3046 	return err;
3047 
3048 drop:
3049 	bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
3050 		   code, &hcon->dst);
3051 	kfree_skb(skb);
3052 	return 0;
3053 }
3054 
3055 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
3056 {
3057 	struct l2cap_conn *conn = chan->conn;
3058 
3059 	bt_dev_dbg(conn->hcon->hdev, "chan %p", chan);
3060 
3061 	if (chan->data)
3062 		smp_chan_destroy(conn);
3063 
3064 	conn->smp = NULL;
3065 	l2cap_chan_put(chan);
3066 }
3067 
3068 static void bredr_pairing(struct l2cap_chan *chan)
3069 {
3070 	struct l2cap_conn *conn = chan->conn;
3071 	struct hci_conn *hcon = conn->hcon;
3072 	struct hci_dev *hdev = hcon->hdev;
3073 	struct smp_cmd_pairing req;
3074 	struct smp_chan *smp;
3075 
3076 	bt_dev_dbg(hdev, "chan %p", chan);
3077 
3078 	/* Only new pairings are interesting */
3079 	if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
3080 		return;
3081 
3082 	/* Don't bother if we're not encrypted */
3083 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3084 		return;
3085 
3086 	/* Only initiator may initiate SMP over BR/EDR */
3087 	if (hcon->role != HCI_ROLE_MASTER)
3088 		return;
3089 
3090 	/* Secure Connections support must be enabled */
3091 	if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
3092 		return;
3093 
3094 	/* BR/EDR must use Secure Connections for SMP */
3095 	if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
3096 	    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3097 		return;
3098 
3099 	/* If our LE support is not enabled don't do anything */
3100 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3101 		return;
3102 
3103 	/* Don't bother if remote LE support is not enabled */
3104 	if (!lmp_host_le_capable(hcon))
3105 		return;
3106 
3107 	/* Remote must support SMP fixed chan for BR/EDR */
3108 	if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3109 		return;
3110 
3111 	/* Don't bother if SMP is already ongoing */
3112 	if (chan->data)
3113 		return;
3114 
3115 	smp = smp_chan_create(conn);
3116 	if (!smp) {
3117 		bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
3118 		return;
3119 	}
3120 
3121 	set_bit(SMP_FLAG_SC, &smp->flags);
3122 
3123 	bt_dev_dbg(hdev, "starting SMP over BR/EDR");
3124 
3125 	/* Prepare and send the BR/EDR SMP Pairing Request */
3126 	build_bredr_pairing_cmd(smp, &req, NULL);
3127 
3128 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
3129 	memcpy(&smp->preq[1], &req, sizeof(req));
3130 
3131 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3132 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3133 }
3134 
3135 static void smp_resume_cb(struct l2cap_chan *chan)
3136 {
3137 	struct smp_chan *smp = chan->data;
3138 	struct l2cap_conn *conn = chan->conn;
3139 	struct hci_conn *hcon = conn->hcon;
3140 
3141 	bt_dev_dbg(hcon->hdev, "chan %p", chan);
3142 
3143 	if (hcon->type == ACL_LINK) {
3144 		bredr_pairing(chan);
3145 		return;
3146 	}
3147 
3148 	if (!smp)
3149 		return;
3150 
3151 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3152 		return;
3153 
3154 	cancel_delayed_work(&smp->security_timer);
3155 
3156 	smp_distribute_keys(smp);
3157 }
3158 
3159 static void smp_ready_cb(struct l2cap_chan *chan)
3160 {
3161 	struct l2cap_conn *conn = chan->conn;
3162 	struct hci_conn *hcon = conn->hcon;
3163 
3164 	bt_dev_dbg(hcon->hdev, "chan %p", chan);
3165 
3166 	/* No need to call l2cap_chan_hold() here since we already own
3167 	 * the reference taken in smp_new_conn_cb(). This is just the
3168 	 * first time that we tie it to a specific pointer. The code in
3169 	 * l2cap_core.c ensures that there's no risk this function wont
3170 	 * get called if smp_new_conn_cb was previously called.
3171 	 */
3172 	conn->smp = chan;
3173 
3174 	if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3175 		bredr_pairing(chan);
3176 }
3177 
3178 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3179 {
3180 	int err;
3181 
3182 	bt_dev_dbg(chan->conn->hcon->hdev, "chan %p", chan);
3183 
3184 	err = smp_sig_channel(chan, skb);
3185 	if (err) {
3186 		struct smp_chan *smp = chan->data;
3187 
3188 		if (smp)
3189 			cancel_delayed_work_sync(&smp->security_timer);
3190 
3191 		hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3192 	}
3193 
3194 	return err;
3195 }
3196 
3197 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3198 					unsigned long hdr_len,
3199 					unsigned long len, int nb)
3200 {
3201 	struct sk_buff *skb;
3202 
3203 	skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3204 	if (!skb)
3205 		return ERR_PTR(-ENOMEM);
3206 
3207 	skb->priority = HCI_PRIO_MAX;
3208 	bt_cb(skb)->l2cap.chan = chan;
3209 
3210 	return skb;
3211 }
3212 
3213 static const struct l2cap_ops smp_chan_ops = {
3214 	.name			= "Security Manager",
3215 	.ready			= smp_ready_cb,
3216 	.recv			= smp_recv_cb,
3217 	.alloc_skb		= smp_alloc_skb_cb,
3218 	.teardown		= smp_teardown_cb,
3219 	.resume			= smp_resume_cb,
3220 
3221 	.new_connection		= l2cap_chan_no_new_connection,
3222 	.state_change		= l2cap_chan_no_state_change,
3223 	.close			= l2cap_chan_no_close,
3224 	.defer			= l2cap_chan_no_defer,
3225 	.suspend		= l2cap_chan_no_suspend,
3226 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3227 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3228 };
3229 
3230 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3231 {
3232 	struct l2cap_chan *chan;
3233 
3234 	BT_DBG("pchan %p", pchan);
3235 
3236 	chan = l2cap_chan_create();
3237 	if (!chan)
3238 		return NULL;
3239 
3240 	chan->chan_type	= pchan->chan_type;
3241 	chan->ops	= &smp_chan_ops;
3242 	chan->scid	= pchan->scid;
3243 	chan->dcid	= chan->scid;
3244 	chan->imtu	= pchan->imtu;
3245 	chan->omtu	= pchan->omtu;
3246 	chan->mode	= pchan->mode;
3247 
3248 	/* Other L2CAP channels may request SMP routines in order to
3249 	 * change the security level. This means that the SMP channel
3250 	 * lock must be considered in its own category to avoid lockdep
3251 	 * warnings.
3252 	 */
3253 	atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3254 
3255 	BT_DBG("created chan %p", chan);
3256 
3257 	return chan;
3258 }
3259 
3260 static const struct l2cap_ops smp_root_chan_ops = {
3261 	.name			= "Security Manager Root",
3262 	.new_connection		= smp_new_conn_cb,
3263 
3264 	/* None of these are implemented for the root channel */
3265 	.close			= l2cap_chan_no_close,
3266 	.alloc_skb		= l2cap_chan_no_alloc_skb,
3267 	.recv			= l2cap_chan_no_recv,
3268 	.state_change		= l2cap_chan_no_state_change,
3269 	.teardown		= l2cap_chan_no_teardown,
3270 	.ready			= l2cap_chan_no_ready,
3271 	.defer			= l2cap_chan_no_defer,
3272 	.suspend		= l2cap_chan_no_suspend,
3273 	.resume			= l2cap_chan_no_resume,
3274 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3275 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3276 };
3277 
3278 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3279 {
3280 	struct l2cap_chan *chan;
3281 	struct smp_dev *smp;
3282 	struct crypto_shash *tfm_cmac;
3283 	struct crypto_kpp *tfm_ecdh;
3284 
3285 	if (cid == L2CAP_CID_SMP_BREDR) {
3286 		smp = NULL;
3287 		goto create_chan;
3288 	}
3289 
3290 	smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3291 	if (!smp)
3292 		return ERR_PTR(-ENOMEM);
3293 
3294 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3295 	if (IS_ERR(tfm_cmac)) {
3296 		bt_dev_err(hdev, "Unable to create CMAC crypto context");
3297 		kfree_sensitive(smp);
3298 		return ERR_CAST(tfm_cmac);
3299 	}
3300 
3301 	tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
3302 	if (IS_ERR(tfm_ecdh)) {
3303 		bt_dev_err(hdev, "Unable to create ECDH crypto context");
3304 		crypto_free_shash(tfm_cmac);
3305 		kfree_sensitive(smp);
3306 		return ERR_CAST(tfm_ecdh);
3307 	}
3308 
3309 	smp->local_oob = false;
3310 	smp->tfm_cmac = tfm_cmac;
3311 	smp->tfm_ecdh = tfm_ecdh;
3312 
3313 create_chan:
3314 	chan = l2cap_chan_create();
3315 	if (!chan) {
3316 		if (smp) {
3317 			crypto_free_shash(smp->tfm_cmac);
3318 			crypto_free_kpp(smp->tfm_ecdh);
3319 			kfree_sensitive(smp);
3320 		}
3321 		return ERR_PTR(-ENOMEM);
3322 	}
3323 
3324 	chan->data = smp;
3325 
3326 	l2cap_add_scid(chan, cid);
3327 
3328 	l2cap_chan_set_defaults(chan);
3329 
3330 	if (cid == L2CAP_CID_SMP) {
3331 		u8 bdaddr_type;
3332 
3333 		hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3334 
3335 		if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3336 			chan->src_type = BDADDR_LE_PUBLIC;
3337 		else
3338 			chan->src_type = BDADDR_LE_RANDOM;
3339 	} else {
3340 		bacpy(&chan->src, &hdev->bdaddr);
3341 		chan->src_type = BDADDR_BREDR;
3342 	}
3343 
3344 	chan->state = BT_LISTEN;
3345 	chan->mode = L2CAP_MODE_BASIC;
3346 	chan->imtu = L2CAP_DEFAULT_MTU;
3347 	chan->ops = &smp_root_chan_ops;
3348 
3349 	/* Set correct nesting level for a parent/listening channel */
3350 	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3351 
3352 	return chan;
3353 }
3354 
3355 static void smp_del_chan(struct l2cap_chan *chan)
3356 {
3357 	struct smp_dev *smp;
3358 
3359 	BT_DBG("chan %p", chan);
3360 
3361 	smp = chan->data;
3362 	if (smp) {
3363 		chan->data = NULL;
3364 		crypto_free_shash(smp->tfm_cmac);
3365 		crypto_free_kpp(smp->tfm_ecdh);
3366 		kfree_sensitive(smp);
3367 	}
3368 
3369 	l2cap_chan_put(chan);
3370 }
3371 
3372 int smp_force_bredr(struct hci_dev *hdev, bool enable)
3373 {
3374 	if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3375 		return -EALREADY;
3376 
3377 	if (enable) {
3378 		struct l2cap_chan *chan;
3379 
3380 		chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3381 		if (IS_ERR(chan))
3382 			return PTR_ERR(chan);
3383 
3384 		hdev->smp_bredr_data = chan;
3385 	} else {
3386 		struct l2cap_chan *chan;
3387 
3388 		chan = hdev->smp_bredr_data;
3389 		hdev->smp_bredr_data = NULL;
3390 		smp_del_chan(chan);
3391 	}
3392 
3393 	hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3394 
3395 	return 0;
3396 }
3397 
3398 int smp_register(struct hci_dev *hdev)
3399 {
3400 	struct l2cap_chan *chan;
3401 
3402 	bt_dev_dbg(hdev, "");
3403 
3404 	/* If the controller does not support Low Energy operation, then
3405 	 * there is also no need to register any SMP channel.
3406 	 */
3407 	if (!lmp_le_capable(hdev))
3408 		return 0;
3409 
3410 	if (WARN_ON(hdev->smp_data)) {
3411 		chan = hdev->smp_data;
3412 		hdev->smp_data = NULL;
3413 		smp_del_chan(chan);
3414 	}
3415 
3416 	chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3417 	if (IS_ERR(chan))
3418 		return PTR_ERR(chan);
3419 
3420 	hdev->smp_data = chan;
3421 
3422 	if (!lmp_sc_capable(hdev)) {
3423 		/* Flag can be already set here (due to power toggle) */
3424 		if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3425 			return 0;
3426 	}
3427 
3428 	if (WARN_ON(hdev->smp_bredr_data)) {
3429 		chan = hdev->smp_bredr_data;
3430 		hdev->smp_bredr_data = NULL;
3431 		smp_del_chan(chan);
3432 	}
3433 
3434 	chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3435 	if (IS_ERR(chan)) {
3436 		int err = PTR_ERR(chan);
3437 		chan = hdev->smp_data;
3438 		hdev->smp_data = NULL;
3439 		smp_del_chan(chan);
3440 		return err;
3441 	}
3442 
3443 	hdev->smp_bredr_data = chan;
3444 
3445 	return 0;
3446 }
3447 
3448 void smp_unregister(struct hci_dev *hdev)
3449 {
3450 	struct l2cap_chan *chan;
3451 
3452 	if (hdev->smp_bredr_data) {
3453 		chan = hdev->smp_bredr_data;
3454 		hdev->smp_bredr_data = NULL;
3455 		smp_del_chan(chan);
3456 	}
3457 
3458 	if (hdev->smp_data) {
3459 		chan = hdev->smp_data;
3460 		hdev->smp_data = NULL;
3461 		smp_del_chan(chan);
3462 	}
3463 }
3464 
3465 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3466 
3467 static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
3468 {
3469 	u8 pk[64];
3470 	int err;
3471 
3472 	err = set_ecdh_privkey(tfm_ecdh, debug_sk);
3473 	if (err)
3474 		return err;
3475 
3476 	err = generate_ecdh_public_key(tfm_ecdh, pk);
3477 	if (err)
3478 		return err;
3479 
3480 	if (crypto_memneq(pk, debug_pk, 64))
3481 		return -EINVAL;
3482 
3483 	return 0;
3484 }
3485 
3486 static int __init test_ah(void)
3487 {
3488 	const u8 irk[16] = {
3489 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3490 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3491 	const u8 r[3] = { 0x94, 0x81, 0x70 };
3492 	const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3493 	u8 res[3];
3494 	int err;
3495 
3496 	err = smp_ah(irk, r, res);
3497 	if (err)
3498 		return err;
3499 
3500 	if (crypto_memneq(res, exp, 3))
3501 		return -EINVAL;
3502 
3503 	return 0;
3504 }
3505 
3506 static int __init test_c1(void)
3507 {
3508 	const u8 k[16] = {
3509 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3510 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3511 	const u8 r[16] = {
3512 			0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3513 			0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3514 	const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3515 	const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3516 	const u8 _iat = 0x01;
3517 	const u8 _rat = 0x00;
3518 	const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3519 	const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3520 	const u8 exp[16] = {
3521 			0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3522 			0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3523 	u8 res[16];
3524 	int err;
3525 
3526 	err = smp_c1(k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3527 	if (err)
3528 		return err;
3529 
3530 	if (crypto_memneq(res, exp, 16))
3531 		return -EINVAL;
3532 
3533 	return 0;
3534 }
3535 
3536 static int __init test_s1(void)
3537 {
3538 	const u8 k[16] = {
3539 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3540 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3541 	const u8 r1[16] = {
3542 			0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3543 	const u8 r2[16] = {
3544 			0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3545 	const u8 exp[16] = {
3546 			0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3547 			0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3548 	u8 res[16];
3549 	int err;
3550 
3551 	err = smp_s1(k, r1, r2, res);
3552 	if (err)
3553 		return err;
3554 
3555 	if (crypto_memneq(res, exp, 16))
3556 		return -EINVAL;
3557 
3558 	return 0;
3559 }
3560 
3561 static int __init test_f4(struct crypto_shash *tfm_cmac)
3562 {
3563 	const u8 u[32] = {
3564 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3565 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3566 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3567 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3568 	const u8 v[32] = {
3569 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3570 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3571 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3572 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3573 	const u8 x[16] = {
3574 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3575 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3576 	const u8 z = 0x00;
3577 	const u8 exp[16] = {
3578 			0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3579 			0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3580 	u8 res[16];
3581 	int err;
3582 
3583 	err = smp_f4(tfm_cmac, u, v, x, z, res);
3584 	if (err)
3585 		return err;
3586 
3587 	if (crypto_memneq(res, exp, 16))
3588 		return -EINVAL;
3589 
3590 	return 0;
3591 }
3592 
3593 static int __init test_f5(struct crypto_shash *tfm_cmac)
3594 {
3595 	const u8 w[32] = {
3596 			0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3597 			0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3598 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3599 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3600 	const u8 n1[16] = {
3601 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3602 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3603 	const u8 n2[16] = {
3604 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3605 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3606 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3607 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3608 	const u8 exp_ltk[16] = {
3609 			0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3610 			0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3611 	const u8 exp_mackey[16] = {
3612 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3613 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3614 	u8 mackey[16], ltk[16];
3615 	int err;
3616 
3617 	err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3618 	if (err)
3619 		return err;
3620 
3621 	if (crypto_memneq(mackey, exp_mackey, 16))
3622 		return -EINVAL;
3623 
3624 	if (crypto_memneq(ltk, exp_ltk, 16))
3625 		return -EINVAL;
3626 
3627 	return 0;
3628 }
3629 
3630 static int __init test_f6(struct crypto_shash *tfm_cmac)
3631 {
3632 	const u8 w[16] = {
3633 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3634 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3635 	const u8 n1[16] = {
3636 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3637 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3638 	const u8 n2[16] = {
3639 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3640 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3641 	const u8 r[16] = {
3642 			0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3643 			0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3644 	const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3645 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3646 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3647 	const u8 exp[16] = {
3648 			0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3649 			0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3650 	u8 res[16];
3651 	int err;
3652 
3653 	err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3654 	if (err)
3655 		return err;
3656 
3657 	if (crypto_memneq(res, exp, 16))
3658 		return -EINVAL;
3659 
3660 	return 0;
3661 }
3662 
3663 static int __init test_g2(struct crypto_shash *tfm_cmac)
3664 {
3665 	const u8 u[32] = {
3666 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3667 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3668 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3669 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3670 	const u8 v[32] = {
3671 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3672 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3673 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3674 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3675 	const u8 x[16] = {
3676 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3677 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3678 	const u8 y[16] = {
3679 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3680 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3681 	const u32 exp_val = 0x2f9ed5ba % 1000000;
3682 	u32 val;
3683 	int err;
3684 
3685 	err = smp_g2(tfm_cmac, u, v, x, y, &val);
3686 	if (err)
3687 		return err;
3688 
3689 	if (val != exp_val)
3690 		return -EINVAL;
3691 
3692 	return 0;
3693 }
3694 
3695 static int __init test_h6(struct crypto_shash *tfm_cmac)
3696 {
3697 	const u8 w[16] = {
3698 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3699 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3700 	const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3701 	const u8 exp[16] = {
3702 			0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3703 			0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3704 	u8 res[16];
3705 	int err;
3706 
3707 	err = smp_h6(tfm_cmac, w, key_id, res);
3708 	if (err)
3709 		return err;
3710 
3711 	if (crypto_memneq(res, exp, 16))
3712 		return -EINVAL;
3713 
3714 	return 0;
3715 }
3716 
3717 static char test_smp_buffer[32];
3718 
3719 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3720 			     size_t count, loff_t *ppos)
3721 {
3722 	return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3723 				       strlen(test_smp_buffer));
3724 }
3725 
3726 static const struct file_operations test_smp_fops = {
3727 	.open		= simple_open,
3728 	.read		= test_smp_read,
3729 	.llseek		= default_llseek,
3730 };
3731 
3732 static int __init run_selftests(struct crypto_shash *tfm_cmac,
3733 				struct crypto_kpp *tfm_ecdh)
3734 {
3735 	ktime_t calltime, delta, rettime;
3736 	unsigned long long duration;
3737 	int err;
3738 
3739 	calltime = ktime_get();
3740 
3741 	err = test_debug_key(tfm_ecdh);
3742 	if (err) {
3743 		BT_ERR("debug_key test failed");
3744 		goto done;
3745 	}
3746 
3747 	err = test_ah();
3748 	if (err) {
3749 		BT_ERR("smp_ah test failed");
3750 		goto done;
3751 	}
3752 
3753 	err = test_c1();
3754 	if (err) {
3755 		BT_ERR("smp_c1 test failed");
3756 		goto done;
3757 	}
3758 
3759 	err = test_s1();
3760 	if (err) {
3761 		BT_ERR("smp_s1 test failed");
3762 		goto done;
3763 	}
3764 
3765 	err = test_f4(tfm_cmac);
3766 	if (err) {
3767 		BT_ERR("smp_f4 test failed");
3768 		goto done;
3769 	}
3770 
3771 	err = test_f5(tfm_cmac);
3772 	if (err) {
3773 		BT_ERR("smp_f5 test failed");
3774 		goto done;
3775 	}
3776 
3777 	err = test_f6(tfm_cmac);
3778 	if (err) {
3779 		BT_ERR("smp_f6 test failed");
3780 		goto done;
3781 	}
3782 
3783 	err = test_g2(tfm_cmac);
3784 	if (err) {
3785 		BT_ERR("smp_g2 test failed");
3786 		goto done;
3787 	}
3788 
3789 	err = test_h6(tfm_cmac);
3790 	if (err) {
3791 		BT_ERR("smp_h6 test failed");
3792 		goto done;
3793 	}
3794 
3795 	rettime = ktime_get();
3796 	delta = ktime_sub(rettime, calltime);
3797 	duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3798 
3799 	BT_INFO("SMP test passed in %llu usecs", duration);
3800 
3801 done:
3802 	if (!err)
3803 		snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3804 			 "PASS (%llu usecs)\n", duration);
3805 	else
3806 		snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3807 
3808 	debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3809 			    &test_smp_fops);
3810 
3811 	return err;
3812 }
3813 
3814 int __init bt_selftest_smp(void)
3815 {
3816 	struct crypto_shash *tfm_cmac;
3817 	struct crypto_kpp *tfm_ecdh;
3818 	int err;
3819 
3820 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3821 	if (IS_ERR(tfm_cmac)) {
3822 		BT_ERR("Unable to create CMAC crypto context");
3823 		return PTR_ERR(tfm_cmac);
3824 	}
3825 
3826 	tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
3827 	if (IS_ERR(tfm_ecdh)) {
3828 		BT_ERR("Unable to create ECDH crypto context");
3829 		crypto_free_shash(tfm_cmac);
3830 		return PTR_ERR(tfm_ecdh);
3831 	}
3832 
3833 	err = run_selftests(tfm_cmac, tfm_ecdh);
3834 
3835 	crypto_free_shash(tfm_cmac);
3836 	crypto_free_kpp(tfm_ecdh);
3837 
3838 	return err;
3839 }
3840 
3841 #endif
3842