xref: /linux/net/bluetooth/smp.c (revision b68fc09be48edbc47de1a0f3d42ef8adf6c0ac55)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4 
5    This program is free software; you can redistribute it and/or modify
6    it under the terms of the GNU General Public License version 2 as
7    published by the Free Software Foundation;
8 
9    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 
18    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20    SOFTWARE IS DISCLAIMED.
21 */
22 
23 #include <linux/debugfs.h>
24 #include <linux/scatterlist.h>
25 #include <linux/crypto.h>
26 #include <crypto/algapi.h>
27 #include <crypto/b128ops.h>
28 #include <crypto/hash.h>
29 #include <crypto/kpp.h>
30 
31 #include <net/bluetooth/bluetooth.h>
32 #include <net/bluetooth/hci_core.h>
33 #include <net/bluetooth/l2cap.h>
34 #include <net/bluetooth/mgmt.h>
35 
36 #include "ecdh_helper.h"
37 #include "smp.h"
38 
39 #define SMP_DEV(hdev) \
40 	((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
41 
42 /* Low-level debug macros to be used for stuff that we don't want
43  * accidentially in dmesg, i.e. the values of the various crypto keys
44  * and the inputs & outputs of crypto functions.
45  */
46 #ifdef DEBUG
47 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
48 				 ##__VA_ARGS__)
49 #else
50 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
51 				    ##__VA_ARGS__)
52 #endif
53 
54 #define SMP_ALLOW_CMD(smp, code)	set_bit(code, &smp->allow_cmd)
55 
56 /* Keys which are not distributed with Secure Connections */
57 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
58 
59 #define SMP_TIMEOUT	msecs_to_jiffies(30000)
60 
61 #define AUTH_REQ_MASK(dev)	(hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
62 				 0x3f : 0x07)
63 #define KEY_DIST_MASK		0x07
64 
65 /* Maximum message length that can be passed to aes_cmac */
66 #define CMAC_MSG_MAX	80
67 
68 enum {
69 	SMP_FLAG_TK_VALID,
70 	SMP_FLAG_CFM_PENDING,
71 	SMP_FLAG_MITM_AUTH,
72 	SMP_FLAG_COMPLETE,
73 	SMP_FLAG_INITIATOR,
74 	SMP_FLAG_SC,
75 	SMP_FLAG_REMOTE_PK,
76 	SMP_FLAG_DEBUG_KEY,
77 	SMP_FLAG_WAIT_USER,
78 	SMP_FLAG_DHKEY_PENDING,
79 	SMP_FLAG_REMOTE_OOB,
80 	SMP_FLAG_LOCAL_OOB,
81 	SMP_FLAG_CT2,
82 };
83 
84 struct smp_dev {
85 	/* Secure Connections OOB data */
86 	bool			local_oob;
87 	u8			local_pk[64];
88 	u8			local_rand[16];
89 	bool			debug_key;
90 
91 	struct crypto_cipher	*tfm_aes;
92 	struct crypto_shash	*tfm_cmac;
93 	struct crypto_kpp	*tfm_ecdh;
94 };
95 
96 struct smp_chan {
97 	struct l2cap_conn	*conn;
98 	struct delayed_work	security_timer;
99 	unsigned long           allow_cmd; /* Bitmask of allowed commands */
100 
101 	u8		preq[7]; /* SMP Pairing Request */
102 	u8		prsp[7]; /* SMP Pairing Response */
103 	u8		prnd[16]; /* SMP Pairing Random (local) */
104 	u8		rrnd[16]; /* SMP Pairing Random (remote) */
105 	u8		pcnf[16]; /* SMP Pairing Confirm */
106 	u8		tk[16]; /* SMP Temporary Key */
107 	u8		rr[16]; /* Remote OOB ra/rb value */
108 	u8		lr[16]; /* Local OOB ra/rb value */
109 	u8		enc_key_size;
110 	u8		remote_key_dist;
111 	bdaddr_t	id_addr;
112 	u8		id_addr_type;
113 	u8		irk[16];
114 	struct smp_csrk	*csrk;
115 	struct smp_csrk	*slave_csrk;
116 	struct smp_ltk	*ltk;
117 	struct smp_ltk	*slave_ltk;
118 	struct smp_irk	*remote_irk;
119 	u8		*link_key;
120 	unsigned long	flags;
121 	u8		method;
122 	u8		passkey_round;
123 
124 	/* Secure Connections variables */
125 	u8			local_pk[64];
126 	u8			remote_pk[64];
127 	u8			dhkey[32];
128 	u8			mackey[16];
129 
130 	struct crypto_cipher	*tfm_aes;
131 	struct crypto_shash	*tfm_cmac;
132 	struct crypto_kpp	*tfm_ecdh;
133 };
134 
135 /* These debug key values are defined in the SMP section of the core
136  * specification. debug_pk is the public debug key and debug_sk the
137  * private debug key.
138  */
139 static const u8 debug_pk[64] = {
140 		0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
141 		0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
142 		0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
143 		0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
144 
145 		0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
146 		0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
147 		0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
148 		0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
149 };
150 
151 static const u8 debug_sk[32] = {
152 		0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
153 		0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
154 		0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
155 		0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
156 };
157 
158 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
159 {
160 	size_t i;
161 
162 	for (i = 0; i < len; i++)
163 		dst[len - 1 - i] = src[i];
164 }
165 
166 /* The following functions map to the LE SC SMP crypto functions
167  * AES-CMAC, f4, f5, f6, g2 and h6.
168  */
169 
170 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
171 		    size_t len, u8 mac[16])
172 {
173 	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
174 	SHASH_DESC_ON_STACK(desc, tfm);
175 	int err;
176 
177 	if (len > CMAC_MSG_MAX)
178 		return -EFBIG;
179 
180 	if (!tfm) {
181 		BT_ERR("tfm %p", tfm);
182 		return -EINVAL;
183 	}
184 
185 	desc->tfm = tfm;
186 	desc->flags = 0;
187 
188 	/* Swap key and message from LSB to MSB */
189 	swap_buf(k, tmp, 16);
190 	swap_buf(m, msg_msb, len);
191 
192 	SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
193 	SMP_DBG("key %16phN", k);
194 
195 	err = crypto_shash_setkey(tfm, tmp, 16);
196 	if (err) {
197 		BT_ERR("cipher setkey failed: %d", err);
198 		return err;
199 	}
200 
201 	err = crypto_shash_digest(desc, msg_msb, len, mac_msb);
202 	shash_desc_zero(desc);
203 	if (err) {
204 		BT_ERR("Hash computation error %d", err);
205 		return err;
206 	}
207 
208 	swap_buf(mac_msb, mac, 16);
209 
210 	SMP_DBG("mac %16phN", mac);
211 
212 	return 0;
213 }
214 
215 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
216 		  const u8 v[32], const u8 x[16], u8 z, u8 res[16])
217 {
218 	u8 m[65];
219 	int err;
220 
221 	SMP_DBG("u %32phN", u);
222 	SMP_DBG("v %32phN", v);
223 	SMP_DBG("x %16phN z %02x", x, z);
224 
225 	m[0] = z;
226 	memcpy(m + 1, v, 32);
227 	memcpy(m + 33, u, 32);
228 
229 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
230 	if (err)
231 		return err;
232 
233 	SMP_DBG("res %16phN", res);
234 
235 	return err;
236 }
237 
238 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
239 		  const u8 n1[16], const u8 n2[16], const u8 a1[7],
240 		  const u8 a2[7], u8 mackey[16], u8 ltk[16])
241 {
242 	/* The btle, salt and length "magic" values are as defined in
243 	 * the SMP section of the Bluetooth core specification. In ASCII
244 	 * the btle value ends up being 'btle'. The salt is just a
245 	 * random number whereas length is the value 256 in little
246 	 * endian format.
247 	 */
248 	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
249 	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
250 			      0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
251 	const u8 length[2] = { 0x00, 0x01 };
252 	u8 m[53], t[16];
253 	int err;
254 
255 	SMP_DBG("w %32phN", w);
256 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
257 	SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
258 
259 	err = aes_cmac(tfm_cmac, salt, w, 32, t);
260 	if (err)
261 		return err;
262 
263 	SMP_DBG("t %16phN", t);
264 
265 	memcpy(m, length, 2);
266 	memcpy(m + 2, a2, 7);
267 	memcpy(m + 9, a1, 7);
268 	memcpy(m + 16, n2, 16);
269 	memcpy(m + 32, n1, 16);
270 	memcpy(m + 48, btle, 4);
271 
272 	m[52] = 0; /* Counter */
273 
274 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
275 	if (err)
276 		return err;
277 
278 	SMP_DBG("mackey %16phN", mackey);
279 
280 	m[52] = 1; /* Counter */
281 
282 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
283 	if (err)
284 		return err;
285 
286 	SMP_DBG("ltk %16phN", ltk);
287 
288 	return 0;
289 }
290 
291 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
292 		  const u8 n1[16], const u8 n2[16], const u8 r[16],
293 		  const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
294 		  u8 res[16])
295 {
296 	u8 m[65];
297 	int err;
298 
299 	SMP_DBG("w %16phN", w);
300 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
301 	SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
302 
303 	memcpy(m, a2, 7);
304 	memcpy(m + 7, a1, 7);
305 	memcpy(m + 14, io_cap, 3);
306 	memcpy(m + 17, r, 16);
307 	memcpy(m + 33, n2, 16);
308 	memcpy(m + 49, n1, 16);
309 
310 	err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
311 	if (err)
312 		return err;
313 
314 	SMP_DBG("res %16phN", res);
315 
316 	return err;
317 }
318 
319 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
320 		  const u8 x[16], const u8 y[16], u32 *val)
321 {
322 	u8 m[80], tmp[16];
323 	int err;
324 
325 	SMP_DBG("u %32phN", u);
326 	SMP_DBG("v %32phN", v);
327 	SMP_DBG("x %16phN y %16phN", x, y);
328 
329 	memcpy(m, y, 16);
330 	memcpy(m + 16, v, 32);
331 	memcpy(m + 48, u, 32);
332 
333 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
334 	if (err)
335 		return err;
336 
337 	*val = get_unaligned_le32(tmp);
338 	*val %= 1000000;
339 
340 	SMP_DBG("val %06u", *val);
341 
342 	return 0;
343 }
344 
345 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
346 		  const u8 key_id[4], u8 res[16])
347 {
348 	int err;
349 
350 	SMP_DBG("w %16phN key_id %4phN", w, key_id);
351 
352 	err = aes_cmac(tfm_cmac, w, key_id, 4, res);
353 	if (err)
354 		return err;
355 
356 	SMP_DBG("res %16phN", res);
357 
358 	return err;
359 }
360 
361 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
362 		  const u8 salt[16], u8 res[16])
363 {
364 	int err;
365 
366 	SMP_DBG("w %16phN salt %16phN", w, salt);
367 
368 	err = aes_cmac(tfm_cmac, salt, w, 16, res);
369 	if (err)
370 		return err;
371 
372 	SMP_DBG("res %16phN", res);
373 
374 	return err;
375 }
376 
377 /* The following functions map to the legacy SMP crypto functions e, c1,
378  * s1 and ah.
379  */
380 
381 static int smp_e(struct crypto_cipher *tfm, const u8 *k, u8 *r)
382 {
383 	uint8_t tmp[16], data[16];
384 	int err;
385 
386 	SMP_DBG("k %16phN r %16phN", k, r);
387 
388 	if (!tfm) {
389 		BT_ERR("tfm %p", tfm);
390 		return -EINVAL;
391 	}
392 
393 	/* The most significant octet of key corresponds to k[0] */
394 	swap_buf(k, tmp, 16);
395 
396 	err = crypto_cipher_setkey(tfm, tmp, 16);
397 	if (err) {
398 		BT_ERR("cipher setkey failed: %d", err);
399 		return err;
400 	}
401 
402 	/* Most significant octet of plaintextData corresponds to data[0] */
403 	swap_buf(r, data, 16);
404 
405 	crypto_cipher_encrypt_one(tfm, data, data);
406 
407 	/* Most significant octet of encryptedData corresponds to data[0] */
408 	swap_buf(data, r, 16);
409 
410 	SMP_DBG("r %16phN", r);
411 
412 	return err;
413 }
414 
415 static int smp_c1(struct crypto_cipher *tfm_aes, const u8 k[16],
416 		  const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
417 		  const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
418 {
419 	u8 p1[16], p2[16];
420 	int err;
421 
422 	SMP_DBG("k %16phN r %16phN", k, r);
423 	SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
424 	SMP_DBG("preq %7phN pres %7phN", preq, pres);
425 
426 	memset(p1, 0, 16);
427 
428 	/* p1 = pres || preq || _rat || _iat */
429 	p1[0] = _iat;
430 	p1[1] = _rat;
431 	memcpy(p1 + 2, preq, 7);
432 	memcpy(p1 + 9, pres, 7);
433 
434 	SMP_DBG("p1 %16phN", p1);
435 
436 	/* res = r XOR p1 */
437 	u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
438 
439 	/* res = e(k, res) */
440 	err = smp_e(tfm_aes, k, res);
441 	if (err) {
442 		BT_ERR("Encrypt data error");
443 		return err;
444 	}
445 
446 	/* p2 = padding || ia || ra */
447 	memcpy(p2, ra, 6);
448 	memcpy(p2 + 6, ia, 6);
449 	memset(p2 + 12, 0, 4);
450 
451 	SMP_DBG("p2 %16phN", p2);
452 
453 	/* res = res XOR p2 */
454 	u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
455 
456 	/* res = e(k, res) */
457 	err = smp_e(tfm_aes, k, res);
458 	if (err)
459 		BT_ERR("Encrypt data error");
460 
461 	return err;
462 }
463 
464 static int smp_s1(struct crypto_cipher *tfm_aes, const u8 k[16],
465 		  const u8 r1[16], const u8 r2[16], u8 _r[16])
466 {
467 	int err;
468 
469 	/* Just least significant octets from r1 and r2 are considered */
470 	memcpy(_r, r2, 8);
471 	memcpy(_r + 8, r1, 8);
472 
473 	err = smp_e(tfm_aes, k, _r);
474 	if (err)
475 		BT_ERR("Encrypt data error");
476 
477 	return err;
478 }
479 
480 static int smp_ah(struct crypto_cipher *tfm, const u8 irk[16],
481 		  const u8 r[3], u8 res[3])
482 {
483 	u8 _res[16];
484 	int err;
485 
486 	/* r' = padding || r */
487 	memcpy(_res, r, 3);
488 	memset(_res + 3, 0, 13);
489 
490 	err = smp_e(tfm, irk, _res);
491 	if (err) {
492 		BT_ERR("Encrypt error");
493 		return err;
494 	}
495 
496 	/* The output of the random address function ah is:
497 	 *	ah(k, r) = e(k, r') mod 2^24
498 	 * The output of the security function e is then truncated to 24 bits
499 	 * by taking the least significant 24 bits of the output of e as the
500 	 * result of ah.
501 	 */
502 	memcpy(res, _res, 3);
503 
504 	return 0;
505 }
506 
507 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
508 		     const bdaddr_t *bdaddr)
509 {
510 	struct l2cap_chan *chan = hdev->smp_data;
511 	struct smp_dev *smp;
512 	u8 hash[3];
513 	int err;
514 
515 	if (!chan || !chan->data)
516 		return false;
517 
518 	smp = chan->data;
519 
520 	BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
521 
522 	err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash);
523 	if (err)
524 		return false;
525 
526 	return !crypto_memneq(bdaddr->b, hash, 3);
527 }
528 
529 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
530 {
531 	struct l2cap_chan *chan = hdev->smp_data;
532 	struct smp_dev *smp;
533 	int err;
534 
535 	if (!chan || !chan->data)
536 		return -EOPNOTSUPP;
537 
538 	smp = chan->data;
539 
540 	get_random_bytes(&rpa->b[3], 3);
541 
542 	rpa->b[5] &= 0x3f;	/* Clear two most significant bits */
543 	rpa->b[5] |= 0x40;	/* Set second most significant bit */
544 
545 	err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b);
546 	if (err < 0)
547 		return err;
548 
549 	BT_DBG("RPA %pMR", rpa);
550 
551 	return 0;
552 }
553 
554 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
555 {
556 	struct l2cap_chan *chan = hdev->smp_data;
557 	struct smp_dev *smp;
558 	int err;
559 
560 	if (!chan || !chan->data)
561 		return -EOPNOTSUPP;
562 
563 	smp = chan->data;
564 
565 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
566 		BT_DBG("Using debug keys");
567 		err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk);
568 		if (err)
569 			return err;
570 		memcpy(smp->local_pk, debug_pk, 64);
571 		smp->debug_key = true;
572 	} else {
573 		while (true) {
574 			/* Generate key pair for Secure Connections */
575 			err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk);
576 			if (err)
577 				return err;
578 
579 			/* This is unlikely, but we need to check that
580 			 * we didn't accidentially generate a debug key.
581 			 */
582 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
583 				break;
584 		}
585 		smp->debug_key = false;
586 	}
587 
588 	SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
589 	SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
590 
591 	get_random_bytes(smp->local_rand, 16);
592 
593 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
594 		     smp->local_rand, 0, hash);
595 	if (err < 0)
596 		return err;
597 
598 	memcpy(rand, smp->local_rand, 16);
599 
600 	smp->local_oob = true;
601 
602 	return 0;
603 }
604 
605 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
606 {
607 	struct l2cap_chan *chan = conn->smp;
608 	struct smp_chan *smp;
609 	struct kvec iv[2];
610 	struct msghdr msg;
611 
612 	if (!chan)
613 		return;
614 
615 	BT_DBG("code 0x%2.2x", code);
616 
617 	iv[0].iov_base = &code;
618 	iv[0].iov_len = 1;
619 
620 	iv[1].iov_base = data;
621 	iv[1].iov_len = len;
622 
623 	memset(&msg, 0, sizeof(msg));
624 
625 	iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
626 
627 	l2cap_chan_send(chan, &msg, 1 + len);
628 
629 	if (!chan->data)
630 		return;
631 
632 	smp = chan->data;
633 
634 	cancel_delayed_work_sync(&smp->security_timer);
635 	schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
636 }
637 
638 static u8 authreq_to_seclevel(u8 authreq)
639 {
640 	if (authreq & SMP_AUTH_MITM) {
641 		if (authreq & SMP_AUTH_SC)
642 			return BT_SECURITY_FIPS;
643 		else
644 			return BT_SECURITY_HIGH;
645 	} else {
646 		return BT_SECURITY_MEDIUM;
647 	}
648 }
649 
650 static __u8 seclevel_to_authreq(__u8 sec_level)
651 {
652 	switch (sec_level) {
653 	case BT_SECURITY_FIPS:
654 	case BT_SECURITY_HIGH:
655 		return SMP_AUTH_MITM | SMP_AUTH_BONDING;
656 	case BT_SECURITY_MEDIUM:
657 		return SMP_AUTH_BONDING;
658 	default:
659 		return SMP_AUTH_NONE;
660 	}
661 }
662 
663 static void build_pairing_cmd(struct l2cap_conn *conn,
664 			      struct smp_cmd_pairing *req,
665 			      struct smp_cmd_pairing *rsp, __u8 authreq)
666 {
667 	struct l2cap_chan *chan = conn->smp;
668 	struct smp_chan *smp = chan->data;
669 	struct hci_conn *hcon = conn->hcon;
670 	struct hci_dev *hdev = hcon->hdev;
671 	u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
672 
673 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
674 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
675 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
676 		authreq |= SMP_AUTH_BONDING;
677 	} else {
678 		authreq &= ~SMP_AUTH_BONDING;
679 	}
680 
681 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
682 		remote_dist |= SMP_DIST_ID_KEY;
683 
684 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
685 		local_dist |= SMP_DIST_ID_KEY;
686 
687 	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
688 	    (authreq & SMP_AUTH_SC)) {
689 		struct oob_data *oob_data;
690 		u8 bdaddr_type;
691 
692 		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
693 			local_dist |= SMP_DIST_LINK_KEY;
694 			remote_dist |= SMP_DIST_LINK_KEY;
695 		}
696 
697 		if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
698 			bdaddr_type = BDADDR_LE_PUBLIC;
699 		else
700 			bdaddr_type = BDADDR_LE_RANDOM;
701 
702 		oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
703 						    bdaddr_type);
704 		if (oob_data && oob_data->present) {
705 			set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
706 			oob_flag = SMP_OOB_PRESENT;
707 			memcpy(smp->rr, oob_data->rand256, 16);
708 			memcpy(smp->pcnf, oob_data->hash256, 16);
709 			SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
710 			SMP_DBG("OOB Remote Random: %16phN", smp->rr);
711 		}
712 
713 	} else {
714 		authreq &= ~SMP_AUTH_SC;
715 	}
716 
717 	if (rsp == NULL) {
718 		req->io_capability = conn->hcon->io_capability;
719 		req->oob_flag = oob_flag;
720 		req->max_key_size = hdev->le_max_key_size;
721 		req->init_key_dist = local_dist;
722 		req->resp_key_dist = remote_dist;
723 		req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
724 
725 		smp->remote_key_dist = remote_dist;
726 		return;
727 	}
728 
729 	rsp->io_capability = conn->hcon->io_capability;
730 	rsp->oob_flag = oob_flag;
731 	rsp->max_key_size = hdev->le_max_key_size;
732 	rsp->init_key_dist = req->init_key_dist & remote_dist;
733 	rsp->resp_key_dist = req->resp_key_dist & local_dist;
734 	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
735 
736 	smp->remote_key_dist = rsp->init_key_dist;
737 }
738 
739 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
740 {
741 	struct l2cap_chan *chan = conn->smp;
742 	struct hci_dev *hdev = conn->hcon->hdev;
743 	struct smp_chan *smp = chan->data;
744 
745 	if (max_key_size > hdev->le_max_key_size ||
746 	    max_key_size < SMP_MIN_ENC_KEY_SIZE)
747 		return SMP_ENC_KEY_SIZE;
748 
749 	smp->enc_key_size = max_key_size;
750 
751 	return 0;
752 }
753 
754 static void smp_chan_destroy(struct l2cap_conn *conn)
755 {
756 	struct l2cap_chan *chan = conn->smp;
757 	struct smp_chan *smp = chan->data;
758 	struct hci_conn *hcon = conn->hcon;
759 	bool complete;
760 
761 	BUG_ON(!smp);
762 
763 	cancel_delayed_work_sync(&smp->security_timer);
764 
765 	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
766 	mgmt_smp_complete(hcon, complete);
767 
768 	kzfree(smp->csrk);
769 	kzfree(smp->slave_csrk);
770 	kzfree(smp->link_key);
771 
772 	crypto_free_cipher(smp->tfm_aes);
773 	crypto_free_shash(smp->tfm_cmac);
774 	crypto_free_kpp(smp->tfm_ecdh);
775 
776 	/* Ensure that we don't leave any debug key around if debug key
777 	 * support hasn't been explicitly enabled.
778 	 */
779 	if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
780 	    !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
781 		list_del_rcu(&smp->ltk->list);
782 		kfree_rcu(smp->ltk, rcu);
783 		smp->ltk = NULL;
784 	}
785 
786 	/* If pairing failed clean up any keys we might have */
787 	if (!complete) {
788 		if (smp->ltk) {
789 			list_del_rcu(&smp->ltk->list);
790 			kfree_rcu(smp->ltk, rcu);
791 		}
792 
793 		if (smp->slave_ltk) {
794 			list_del_rcu(&smp->slave_ltk->list);
795 			kfree_rcu(smp->slave_ltk, rcu);
796 		}
797 
798 		if (smp->remote_irk) {
799 			list_del_rcu(&smp->remote_irk->list);
800 			kfree_rcu(smp->remote_irk, rcu);
801 		}
802 	}
803 
804 	chan->data = NULL;
805 	kzfree(smp);
806 	hci_conn_drop(hcon);
807 }
808 
809 static void smp_failure(struct l2cap_conn *conn, u8 reason)
810 {
811 	struct hci_conn *hcon = conn->hcon;
812 	struct l2cap_chan *chan = conn->smp;
813 
814 	if (reason)
815 		smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
816 			     &reason);
817 
818 	mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
819 
820 	if (chan->data)
821 		smp_chan_destroy(conn);
822 }
823 
824 #define JUST_WORKS	0x00
825 #define JUST_CFM	0x01
826 #define REQ_PASSKEY	0x02
827 #define CFM_PASSKEY	0x03
828 #define REQ_OOB		0x04
829 #define DSP_PASSKEY	0x05
830 #define OVERLAP		0xFF
831 
832 static const u8 gen_method[5][5] = {
833 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
834 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
835 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
836 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
837 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
838 };
839 
840 static const u8 sc_method[5][5] = {
841 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
842 	{ JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
843 	{ DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
844 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
845 	{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
846 };
847 
848 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
849 {
850 	/* If either side has unknown io_caps, use JUST_CFM (which gets
851 	 * converted later to JUST_WORKS if we're initiators.
852 	 */
853 	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
854 	    remote_io > SMP_IO_KEYBOARD_DISPLAY)
855 		return JUST_CFM;
856 
857 	if (test_bit(SMP_FLAG_SC, &smp->flags))
858 		return sc_method[remote_io][local_io];
859 
860 	return gen_method[remote_io][local_io];
861 }
862 
863 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
864 						u8 local_io, u8 remote_io)
865 {
866 	struct hci_conn *hcon = conn->hcon;
867 	struct l2cap_chan *chan = conn->smp;
868 	struct smp_chan *smp = chan->data;
869 	u32 passkey = 0;
870 	int ret = 0;
871 
872 	/* Initialize key for JUST WORKS */
873 	memset(smp->tk, 0, sizeof(smp->tk));
874 	clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
875 
876 	BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
877 
878 	/* If neither side wants MITM, either "just" confirm an incoming
879 	 * request or use just-works for outgoing ones. The JUST_CFM
880 	 * will be converted to JUST_WORKS if necessary later in this
881 	 * function. If either side has MITM look up the method from the
882 	 * table.
883 	 */
884 	if (!(auth & SMP_AUTH_MITM))
885 		smp->method = JUST_CFM;
886 	else
887 		smp->method = get_auth_method(smp, local_io, remote_io);
888 
889 	/* Don't confirm locally initiated pairing attempts */
890 	if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
891 						&smp->flags))
892 		smp->method = JUST_WORKS;
893 
894 	/* Don't bother user space with no IO capabilities */
895 	if (smp->method == JUST_CFM &&
896 	    hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
897 		smp->method = JUST_WORKS;
898 
899 	/* If Just Works, Continue with Zero TK */
900 	if (smp->method == JUST_WORKS) {
901 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
902 		return 0;
903 	}
904 
905 	/* If this function is used for SC -> legacy fallback we
906 	 * can only recover the just-works case.
907 	 */
908 	if (test_bit(SMP_FLAG_SC, &smp->flags))
909 		return -EINVAL;
910 
911 	/* Not Just Works/Confirm results in MITM Authentication */
912 	if (smp->method != JUST_CFM) {
913 		set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
914 		if (hcon->pending_sec_level < BT_SECURITY_HIGH)
915 			hcon->pending_sec_level = BT_SECURITY_HIGH;
916 	}
917 
918 	/* If both devices have Keyoard-Display I/O, the master
919 	 * Confirms and the slave Enters the passkey.
920 	 */
921 	if (smp->method == OVERLAP) {
922 		if (hcon->role == HCI_ROLE_MASTER)
923 			smp->method = CFM_PASSKEY;
924 		else
925 			smp->method = REQ_PASSKEY;
926 	}
927 
928 	/* Generate random passkey. */
929 	if (smp->method == CFM_PASSKEY) {
930 		memset(smp->tk, 0, sizeof(smp->tk));
931 		get_random_bytes(&passkey, sizeof(passkey));
932 		passkey %= 1000000;
933 		put_unaligned_le32(passkey, smp->tk);
934 		BT_DBG("PassKey: %d", passkey);
935 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
936 	}
937 
938 	if (smp->method == REQ_PASSKEY)
939 		ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
940 						hcon->type, hcon->dst_type);
941 	else if (smp->method == JUST_CFM)
942 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
943 						hcon->type, hcon->dst_type,
944 						passkey, 1);
945 	else
946 		ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
947 						hcon->type, hcon->dst_type,
948 						passkey, 0);
949 
950 	return ret;
951 }
952 
953 static u8 smp_confirm(struct smp_chan *smp)
954 {
955 	struct l2cap_conn *conn = smp->conn;
956 	struct smp_cmd_pairing_confirm cp;
957 	int ret;
958 
959 	BT_DBG("conn %p", conn);
960 
961 	ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
962 		     conn->hcon->init_addr_type, &conn->hcon->init_addr,
963 		     conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
964 		     cp.confirm_val);
965 	if (ret)
966 		return SMP_UNSPECIFIED;
967 
968 	clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
969 
970 	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
971 
972 	if (conn->hcon->out)
973 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
974 	else
975 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
976 
977 	return 0;
978 }
979 
980 static u8 smp_random(struct smp_chan *smp)
981 {
982 	struct l2cap_conn *conn = smp->conn;
983 	struct hci_conn *hcon = conn->hcon;
984 	u8 confirm[16];
985 	int ret;
986 
987 	if (IS_ERR_OR_NULL(smp->tfm_aes))
988 		return SMP_UNSPECIFIED;
989 
990 	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
991 
992 	ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
993 		     hcon->init_addr_type, &hcon->init_addr,
994 		     hcon->resp_addr_type, &hcon->resp_addr, confirm);
995 	if (ret)
996 		return SMP_UNSPECIFIED;
997 
998 	if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
999 		bt_dev_err(hcon->hdev, "pairing failed "
1000 			   "(confirmation values mismatch)");
1001 		return SMP_CONFIRM_FAILED;
1002 	}
1003 
1004 	if (hcon->out) {
1005 		u8 stk[16];
1006 		__le64 rand = 0;
1007 		__le16 ediv = 0;
1008 
1009 		smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
1010 
1011 		if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1012 			return SMP_UNSPECIFIED;
1013 
1014 		hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1015 		hcon->enc_key_size = smp->enc_key_size;
1016 		set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1017 	} else {
1018 		u8 stk[16], auth;
1019 		__le64 rand = 0;
1020 		__le16 ediv = 0;
1021 
1022 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1023 			     smp->prnd);
1024 
1025 		smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
1026 
1027 		if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1028 			auth = 1;
1029 		else
1030 			auth = 0;
1031 
1032 		/* Even though there's no _SLAVE suffix this is the
1033 		 * slave STK we're adding for later lookup (the master
1034 		 * STK never needs to be stored).
1035 		 */
1036 		hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1037 			    SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1038 	}
1039 
1040 	return 0;
1041 }
1042 
1043 static void smp_notify_keys(struct l2cap_conn *conn)
1044 {
1045 	struct l2cap_chan *chan = conn->smp;
1046 	struct smp_chan *smp = chan->data;
1047 	struct hci_conn *hcon = conn->hcon;
1048 	struct hci_dev *hdev = hcon->hdev;
1049 	struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1050 	struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1051 	bool persistent;
1052 
1053 	if (hcon->type == ACL_LINK) {
1054 		if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1055 			persistent = false;
1056 		else
1057 			persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1058 					       &hcon->flags);
1059 	} else {
1060 		/* The LTKs, IRKs and CSRKs should be persistent only if
1061 		 * both sides had the bonding bit set in their
1062 		 * authentication requests.
1063 		 */
1064 		persistent = !!((req->auth_req & rsp->auth_req) &
1065 				SMP_AUTH_BONDING);
1066 	}
1067 
1068 	if (smp->remote_irk) {
1069 		mgmt_new_irk(hdev, smp->remote_irk, persistent);
1070 
1071 		/* Now that user space can be considered to know the
1072 		 * identity address track the connection based on it
1073 		 * from now on (assuming this is an LE link).
1074 		 */
1075 		if (hcon->type == LE_LINK) {
1076 			bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1077 			hcon->dst_type = smp->remote_irk->addr_type;
1078 			queue_work(hdev->workqueue, &conn->id_addr_update_work);
1079 		}
1080 	}
1081 
1082 	if (smp->csrk) {
1083 		smp->csrk->bdaddr_type = hcon->dst_type;
1084 		bacpy(&smp->csrk->bdaddr, &hcon->dst);
1085 		mgmt_new_csrk(hdev, smp->csrk, persistent);
1086 	}
1087 
1088 	if (smp->slave_csrk) {
1089 		smp->slave_csrk->bdaddr_type = hcon->dst_type;
1090 		bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1091 		mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1092 	}
1093 
1094 	if (smp->ltk) {
1095 		smp->ltk->bdaddr_type = hcon->dst_type;
1096 		bacpy(&smp->ltk->bdaddr, &hcon->dst);
1097 		mgmt_new_ltk(hdev, smp->ltk, persistent);
1098 	}
1099 
1100 	if (smp->slave_ltk) {
1101 		smp->slave_ltk->bdaddr_type = hcon->dst_type;
1102 		bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1103 		mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1104 	}
1105 
1106 	if (smp->link_key) {
1107 		struct link_key *key;
1108 		u8 type;
1109 
1110 		if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1111 			type = HCI_LK_DEBUG_COMBINATION;
1112 		else if (hcon->sec_level == BT_SECURITY_FIPS)
1113 			type = HCI_LK_AUTH_COMBINATION_P256;
1114 		else
1115 			type = HCI_LK_UNAUTH_COMBINATION_P256;
1116 
1117 		key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1118 				       smp->link_key, type, 0, &persistent);
1119 		if (key) {
1120 			mgmt_new_link_key(hdev, key, persistent);
1121 
1122 			/* Don't keep debug keys around if the relevant
1123 			 * flag is not set.
1124 			 */
1125 			if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1126 			    key->type == HCI_LK_DEBUG_COMBINATION) {
1127 				list_del_rcu(&key->list);
1128 				kfree_rcu(key, rcu);
1129 			}
1130 		}
1131 	}
1132 }
1133 
1134 static void sc_add_ltk(struct smp_chan *smp)
1135 {
1136 	struct hci_conn *hcon = smp->conn->hcon;
1137 	u8 key_type, auth;
1138 
1139 	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1140 		key_type = SMP_LTK_P256_DEBUG;
1141 	else
1142 		key_type = SMP_LTK_P256;
1143 
1144 	if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1145 		auth = 1;
1146 	else
1147 		auth = 0;
1148 
1149 	smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1150 			       key_type, auth, smp->tk, smp->enc_key_size,
1151 			       0, 0);
1152 }
1153 
1154 static void sc_generate_link_key(struct smp_chan *smp)
1155 {
1156 	/* From core spec. Spells out in ASCII as 'lebr'. */
1157 	const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1158 
1159 	smp->link_key = kzalloc(16, GFP_KERNEL);
1160 	if (!smp->link_key)
1161 		return;
1162 
1163 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1164 		/* SALT = 0x00000000000000000000000000000000746D7031 */
1165 		const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1166 
1167 		if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1168 			kzfree(smp->link_key);
1169 			smp->link_key = NULL;
1170 			return;
1171 		}
1172 	} else {
1173 		/* From core spec. Spells out in ASCII as 'tmp1'. */
1174 		const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1175 
1176 		if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1177 			kzfree(smp->link_key);
1178 			smp->link_key = NULL;
1179 			return;
1180 		}
1181 	}
1182 
1183 	if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1184 		kzfree(smp->link_key);
1185 		smp->link_key = NULL;
1186 		return;
1187 	}
1188 }
1189 
1190 static void smp_allow_key_dist(struct smp_chan *smp)
1191 {
1192 	/* Allow the first expected phase 3 PDU. The rest of the PDUs
1193 	 * will be allowed in each PDU handler to ensure we receive
1194 	 * them in the correct order.
1195 	 */
1196 	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1197 		SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1198 	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1199 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1200 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
1201 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1202 }
1203 
1204 static void sc_generate_ltk(struct smp_chan *smp)
1205 {
1206 	/* From core spec. Spells out in ASCII as 'brle'. */
1207 	const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1208 	struct hci_conn *hcon = smp->conn->hcon;
1209 	struct hci_dev *hdev = hcon->hdev;
1210 	struct link_key *key;
1211 
1212 	key = hci_find_link_key(hdev, &hcon->dst);
1213 	if (!key) {
1214 		bt_dev_err(hdev, "no Link Key found to generate LTK");
1215 		return;
1216 	}
1217 
1218 	if (key->type == HCI_LK_DEBUG_COMBINATION)
1219 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1220 
1221 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1222 		/* SALT = 0x00000000000000000000000000000000746D7032 */
1223 		const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1224 
1225 		if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1226 			return;
1227 	} else {
1228 		/* From core spec. Spells out in ASCII as 'tmp2'. */
1229 		const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1230 
1231 		if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1232 			return;
1233 	}
1234 
1235 	if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1236 		return;
1237 
1238 	sc_add_ltk(smp);
1239 }
1240 
1241 static void smp_distribute_keys(struct smp_chan *smp)
1242 {
1243 	struct smp_cmd_pairing *req, *rsp;
1244 	struct l2cap_conn *conn = smp->conn;
1245 	struct hci_conn *hcon = conn->hcon;
1246 	struct hci_dev *hdev = hcon->hdev;
1247 	__u8 *keydist;
1248 
1249 	BT_DBG("conn %p", conn);
1250 
1251 	rsp = (void *) &smp->prsp[1];
1252 
1253 	/* The responder sends its keys first */
1254 	if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1255 		smp_allow_key_dist(smp);
1256 		return;
1257 	}
1258 
1259 	req = (void *) &smp->preq[1];
1260 
1261 	if (hcon->out) {
1262 		keydist = &rsp->init_key_dist;
1263 		*keydist &= req->init_key_dist;
1264 	} else {
1265 		keydist = &rsp->resp_key_dist;
1266 		*keydist &= req->resp_key_dist;
1267 	}
1268 
1269 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1270 		if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1271 			sc_generate_link_key(smp);
1272 		if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1273 			sc_generate_ltk(smp);
1274 
1275 		/* Clear the keys which are generated but not distributed */
1276 		*keydist &= ~SMP_SC_NO_DIST;
1277 	}
1278 
1279 	BT_DBG("keydist 0x%x", *keydist);
1280 
1281 	if (*keydist & SMP_DIST_ENC_KEY) {
1282 		struct smp_cmd_encrypt_info enc;
1283 		struct smp_cmd_master_ident ident;
1284 		struct smp_ltk *ltk;
1285 		u8 authenticated;
1286 		__le16 ediv;
1287 		__le64 rand;
1288 
1289 		/* Make sure we generate only the significant amount of
1290 		 * bytes based on the encryption key size, and set the rest
1291 		 * of the value to zeroes.
1292 		 */
1293 		get_random_bytes(enc.ltk, smp->enc_key_size);
1294 		memset(enc.ltk + smp->enc_key_size, 0,
1295 		       sizeof(enc.ltk) - smp->enc_key_size);
1296 
1297 		get_random_bytes(&ediv, sizeof(ediv));
1298 		get_random_bytes(&rand, sizeof(rand));
1299 
1300 		smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1301 
1302 		authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1303 		ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1304 				  SMP_LTK_SLAVE, authenticated, enc.ltk,
1305 				  smp->enc_key_size, ediv, rand);
1306 		smp->slave_ltk = ltk;
1307 
1308 		ident.ediv = ediv;
1309 		ident.rand = rand;
1310 
1311 		smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1312 
1313 		*keydist &= ~SMP_DIST_ENC_KEY;
1314 	}
1315 
1316 	if (*keydist & SMP_DIST_ID_KEY) {
1317 		struct smp_cmd_ident_addr_info addrinfo;
1318 		struct smp_cmd_ident_info idinfo;
1319 
1320 		memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1321 
1322 		smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1323 
1324 		/* The hci_conn contains the local identity address
1325 		 * after the connection has been established.
1326 		 *
1327 		 * This is true even when the connection has been
1328 		 * established using a resolvable random address.
1329 		 */
1330 		bacpy(&addrinfo.bdaddr, &hcon->src);
1331 		addrinfo.addr_type = hcon->src_type;
1332 
1333 		smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1334 			     &addrinfo);
1335 
1336 		*keydist &= ~SMP_DIST_ID_KEY;
1337 	}
1338 
1339 	if (*keydist & SMP_DIST_SIGN) {
1340 		struct smp_cmd_sign_info sign;
1341 		struct smp_csrk *csrk;
1342 
1343 		/* Generate a new random key */
1344 		get_random_bytes(sign.csrk, sizeof(sign.csrk));
1345 
1346 		csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1347 		if (csrk) {
1348 			if (hcon->sec_level > BT_SECURITY_MEDIUM)
1349 				csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1350 			else
1351 				csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1352 			memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1353 		}
1354 		smp->slave_csrk = csrk;
1355 
1356 		smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1357 
1358 		*keydist &= ~SMP_DIST_SIGN;
1359 	}
1360 
1361 	/* If there are still keys to be received wait for them */
1362 	if (smp->remote_key_dist & KEY_DIST_MASK) {
1363 		smp_allow_key_dist(smp);
1364 		return;
1365 	}
1366 
1367 	set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1368 	smp_notify_keys(conn);
1369 
1370 	smp_chan_destroy(conn);
1371 }
1372 
1373 static void smp_timeout(struct work_struct *work)
1374 {
1375 	struct smp_chan *smp = container_of(work, struct smp_chan,
1376 					    security_timer.work);
1377 	struct l2cap_conn *conn = smp->conn;
1378 
1379 	BT_DBG("conn %p", conn);
1380 
1381 	hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1382 }
1383 
1384 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1385 {
1386 	struct l2cap_chan *chan = conn->smp;
1387 	struct smp_chan *smp;
1388 
1389 	smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1390 	if (!smp)
1391 		return NULL;
1392 
1393 	smp->tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
1394 	if (IS_ERR(smp->tfm_aes)) {
1395 		BT_ERR("Unable to create AES crypto context");
1396 		goto zfree_smp;
1397 	}
1398 
1399 	smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1400 	if (IS_ERR(smp->tfm_cmac)) {
1401 		BT_ERR("Unable to create CMAC crypto context");
1402 		goto free_cipher;
1403 	}
1404 
1405 	smp->tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
1406 	if (IS_ERR(smp->tfm_ecdh)) {
1407 		BT_ERR("Unable to create ECDH crypto context");
1408 		goto free_shash;
1409 	}
1410 
1411 	smp->conn = conn;
1412 	chan->data = smp;
1413 
1414 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1415 
1416 	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1417 
1418 	hci_conn_hold(conn->hcon);
1419 
1420 	return smp;
1421 
1422 free_shash:
1423 	crypto_free_shash(smp->tfm_cmac);
1424 free_cipher:
1425 	crypto_free_cipher(smp->tfm_aes);
1426 zfree_smp:
1427 	kzfree(smp);
1428 	return NULL;
1429 }
1430 
1431 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1432 {
1433 	struct hci_conn *hcon = smp->conn->hcon;
1434 	u8 *na, *nb, a[7], b[7];
1435 
1436 	if (hcon->out) {
1437 		na   = smp->prnd;
1438 		nb   = smp->rrnd;
1439 	} else {
1440 		na   = smp->rrnd;
1441 		nb   = smp->prnd;
1442 	}
1443 
1444 	memcpy(a, &hcon->init_addr, 6);
1445 	memcpy(b, &hcon->resp_addr, 6);
1446 	a[6] = hcon->init_addr_type;
1447 	b[6] = hcon->resp_addr_type;
1448 
1449 	return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1450 }
1451 
1452 static void sc_dhkey_check(struct smp_chan *smp)
1453 {
1454 	struct hci_conn *hcon = smp->conn->hcon;
1455 	struct smp_cmd_dhkey_check check;
1456 	u8 a[7], b[7], *local_addr, *remote_addr;
1457 	u8 io_cap[3], r[16];
1458 
1459 	memcpy(a, &hcon->init_addr, 6);
1460 	memcpy(b, &hcon->resp_addr, 6);
1461 	a[6] = hcon->init_addr_type;
1462 	b[6] = hcon->resp_addr_type;
1463 
1464 	if (hcon->out) {
1465 		local_addr = a;
1466 		remote_addr = b;
1467 		memcpy(io_cap, &smp->preq[1], 3);
1468 	} else {
1469 		local_addr = b;
1470 		remote_addr = a;
1471 		memcpy(io_cap, &smp->prsp[1], 3);
1472 	}
1473 
1474 	memset(r, 0, sizeof(r));
1475 
1476 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1477 		put_unaligned_le32(hcon->passkey_notify, r);
1478 
1479 	if (smp->method == REQ_OOB)
1480 		memcpy(r, smp->rr, 16);
1481 
1482 	smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1483 	       local_addr, remote_addr, check.e);
1484 
1485 	smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1486 }
1487 
1488 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1489 {
1490 	struct l2cap_conn *conn = smp->conn;
1491 	struct hci_conn *hcon = conn->hcon;
1492 	struct smp_cmd_pairing_confirm cfm;
1493 	u8 r;
1494 
1495 	r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1496 	r |= 0x80;
1497 
1498 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1499 
1500 	if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1501 		   cfm.confirm_val))
1502 		return SMP_UNSPECIFIED;
1503 
1504 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1505 
1506 	return 0;
1507 }
1508 
1509 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1510 {
1511 	struct l2cap_conn *conn = smp->conn;
1512 	struct hci_conn *hcon = conn->hcon;
1513 	struct hci_dev *hdev = hcon->hdev;
1514 	u8 cfm[16], r;
1515 
1516 	/* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1517 	if (smp->passkey_round >= 20)
1518 		return 0;
1519 
1520 	switch (smp_op) {
1521 	case SMP_CMD_PAIRING_RANDOM:
1522 		r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1523 		r |= 0x80;
1524 
1525 		if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1526 			   smp->rrnd, r, cfm))
1527 			return SMP_UNSPECIFIED;
1528 
1529 		if (crypto_memneq(smp->pcnf, cfm, 16))
1530 			return SMP_CONFIRM_FAILED;
1531 
1532 		smp->passkey_round++;
1533 
1534 		if (smp->passkey_round == 20) {
1535 			/* Generate MacKey and LTK */
1536 			if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1537 				return SMP_UNSPECIFIED;
1538 		}
1539 
1540 		/* The round is only complete when the initiator
1541 		 * receives pairing random.
1542 		 */
1543 		if (!hcon->out) {
1544 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1545 				     sizeof(smp->prnd), smp->prnd);
1546 			if (smp->passkey_round == 20)
1547 				SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1548 			else
1549 				SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1550 			return 0;
1551 		}
1552 
1553 		/* Start the next round */
1554 		if (smp->passkey_round != 20)
1555 			return sc_passkey_round(smp, 0);
1556 
1557 		/* Passkey rounds are complete - start DHKey Check */
1558 		sc_dhkey_check(smp);
1559 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1560 
1561 		break;
1562 
1563 	case SMP_CMD_PAIRING_CONFIRM:
1564 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1565 			set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1566 			return 0;
1567 		}
1568 
1569 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1570 
1571 		if (hcon->out) {
1572 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1573 				     sizeof(smp->prnd), smp->prnd);
1574 			return 0;
1575 		}
1576 
1577 		return sc_passkey_send_confirm(smp);
1578 
1579 	case SMP_CMD_PUBLIC_KEY:
1580 	default:
1581 		/* Initiating device starts the round */
1582 		if (!hcon->out)
1583 			return 0;
1584 
1585 		BT_DBG("%s Starting passkey round %u", hdev->name,
1586 		       smp->passkey_round + 1);
1587 
1588 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1589 
1590 		return sc_passkey_send_confirm(smp);
1591 	}
1592 
1593 	return 0;
1594 }
1595 
1596 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1597 {
1598 	struct l2cap_conn *conn = smp->conn;
1599 	struct hci_conn *hcon = conn->hcon;
1600 	u8 smp_op;
1601 
1602 	clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1603 
1604 	switch (mgmt_op) {
1605 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1606 		smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1607 		return 0;
1608 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1609 		smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1610 		return 0;
1611 	case MGMT_OP_USER_PASSKEY_REPLY:
1612 		hcon->passkey_notify = le32_to_cpu(passkey);
1613 		smp->passkey_round = 0;
1614 
1615 		if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1616 			smp_op = SMP_CMD_PAIRING_CONFIRM;
1617 		else
1618 			smp_op = 0;
1619 
1620 		if (sc_passkey_round(smp, smp_op))
1621 			return -EIO;
1622 
1623 		return 0;
1624 	}
1625 
1626 	/* Initiator sends DHKey check first */
1627 	if (hcon->out) {
1628 		sc_dhkey_check(smp);
1629 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1630 	} else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1631 		sc_dhkey_check(smp);
1632 		sc_add_ltk(smp);
1633 	}
1634 
1635 	return 0;
1636 }
1637 
1638 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1639 {
1640 	struct l2cap_conn *conn = hcon->l2cap_data;
1641 	struct l2cap_chan *chan;
1642 	struct smp_chan *smp;
1643 	u32 value;
1644 	int err;
1645 
1646 	BT_DBG("");
1647 
1648 	if (!conn)
1649 		return -ENOTCONN;
1650 
1651 	chan = conn->smp;
1652 	if (!chan)
1653 		return -ENOTCONN;
1654 
1655 	l2cap_chan_lock(chan);
1656 	if (!chan->data) {
1657 		err = -ENOTCONN;
1658 		goto unlock;
1659 	}
1660 
1661 	smp = chan->data;
1662 
1663 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1664 		err = sc_user_reply(smp, mgmt_op, passkey);
1665 		goto unlock;
1666 	}
1667 
1668 	switch (mgmt_op) {
1669 	case MGMT_OP_USER_PASSKEY_REPLY:
1670 		value = le32_to_cpu(passkey);
1671 		memset(smp->tk, 0, sizeof(smp->tk));
1672 		BT_DBG("PassKey: %d", value);
1673 		put_unaligned_le32(value, smp->tk);
1674 		/* Fall Through */
1675 	case MGMT_OP_USER_CONFIRM_REPLY:
1676 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1677 		break;
1678 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1679 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1680 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1681 		err = 0;
1682 		goto unlock;
1683 	default:
1684 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1685 		err = -EOPNOTSUPP;
1686 		goto unlock;
1687 	}
1688 
1689 	err = 0;
1690 
1691 	/* If it is our turn to send Pairing Confirm, do so now */
1692 	if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1693 		u8 rsp = smp_confirm(smp);
1694 		if (rsp)
1695 			smp_failure(conn, rsp);
1696 	}
1697 
1698 unlock:
1699 	l2cap_chan_unlock(chan);
1700 	return err;
1701 }
1702 
1703 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1704 				    struct smp_cmd_pairing *req,
1705 				    struct smp_cmd_pairing *rsp)
1706 {
1707 	struct l2cap_conn *conn = smp->conn;
1708 	struct hci_dev *hdev = conn->hcon->hdev;
1709 	u8 local_dist = 0, remote_dist = 0;
1710 
1711 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1712 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1713 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1714 	}
1715 
1716 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1717 		remote_dist |= SMP_DIST_ID_KEY;
1718 
1719 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1720 		local_dist |= SMP_DIST_ID_KEY;
1721 
1722 	if (!rsp) {
1723 		memset(req, 0, sizeof(*req));
1724 
1725 		req->auth_req        = SMP_AUTH_CT2;
1726 		req->init_key_dist   = local_dist;
1727 		req->resp_key_dist   = remote_dist;
1728 		req->max_key_size    = conn->hcon->enc_key_size;
1729 
1730 		smp->remote_key_dist = remote_dist;
1731 
1732 		return;
1733 	}
1734 
1735 	memset(rsp, 0, sizeof(*rsp));
1736 
1737 	rsp->auth_req        = SMP_AUTH_CT2;
1738 	rsp->max_key_size    = conn->hcon->enc_key_size;
1739 	rsp->init_key_dist   = req->init_key_dist & remote_dist;
1740 	rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1741 
1742 	smp->remote_key_dist = rsp->init_key_dist;
1743 }
1744 
1745 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1746 {
1747 	struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1748 	struct l2cap_chan *chan = conn->smp;
1749 	struct hci_dev *hdev = conn->hcon->hdev;
1750 	struct smp_chan *smp;
1751 	u8 key_size, auth, sec_level;
1752 	int ret;
1753 
1754 	BT_DBG("conn %p", conn);
1755 
1756 	if (skb->len < sizeof(*req))
1757 		return SMP_INVALID_PARAMS;
1758 
1759 	if (conn->hcon->role != HCI_ROLE_SLAVE)
1760 		return SMP_CMD_NOTSUPP;
1761 
1762 	if (!chan->data)
1763 		smp = smp_chan_create(conn);
1764 	else
1765 		smp = chan->data;
1766 
1767 	if (!smp)
1768 		return SMP_UNSPECIFIED;
1769 
1770 	/* We didn't start the pairing, so match remote */
1771 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
1772 
1773 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1774 	    (auth & SMP_AUTH_BONDING))
1775 		return SMP_PAIRING_NOTSUPP;
1776 
1777 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1778 		return SMP_AUTH_REQUIREMENTS;
1779 
1780 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
1781 	memcpy(&smp->preq[1], req, sizeof(*req));
1782 	skb_pull(skb, sizeof(*req));
1783 
1784 	/* If the remote side's OOB flag is set it means it has
1785 	 * successfully received our local OOB data - therefore set the
1786 	 * flag to indicate that local OOB is in use.
1787 	 */
1788 	if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1789 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1790 
1791 	/* SMP over BR/EDR requires special treatment */
1792 	if (conn->hcon->type == ACL_LINK) {
1793 		/* We must have a BR/EDR SC link */
1794 		if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1795 		    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1796 			return SMP_CROSS_TRANSP_NOT_ALLOWED;
1797 
1798 		set_bit(SMP_FLAG_SC, &smp->flags);
1799 
1800 		build_bredr_pairing_cmd(smp, req, &rsp);
1801 
1802 		if (req->auth_req & SMP_AUTH_CT2)
1803 			set_bit(SMP_FLAG_CT2, &smp->flags);
1804 
1805 		key_size = min(req->max_key_size, rsp.max_key_size);
1806 		if (check_enc_key_size(conn, key_size))
1807 			return SMP_ENC_KEY_SIZE;
1808 
1809 		/* Clear bits which are generated but not distributed */
1810 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1811 
1812 		smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1813 		memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1814 		smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1815 
1816 		smp_distribute_keys(smp);
1817 		return 0;
1818 	}
1819 
1820 	build_pairing_cmd(conn, req, &rsp, auth);
1821 
1822 	if (rsp.auth_req & SMP_AUTH_SC) {
1823 		set_bit(SMP_FLAG_SC, &smp->flags);
1824 
1825 		if (rsp.auth_req & SMP_AUTH_CT2)
1826 			set_bit(SMP_FLAG_CT2, &smp->flags);
1827 	}
1828 
1829 	if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1830 		sec_level = BT_SECURITY_MEDIUM;
1831 	else
1832 		sec_level = authreq_to_seclevel(auth);
1833 
1834 	if (sec_level > conn->hcon->pending_sec_level)
1835 		conn->hcon->pending_sec_level = sec_level;
1836 
1837 	/* If we need MITM check that it can be achieved */
1838 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1839 		u8 method;
1840 
1841 		method = get_auth_method(smp, conn->hcon->io_capability,
1842 					 req->io_capability);
1843 		if (method == JUST_WORKS || method == JUST_CFM)
1844 			return SMP_AUTH_REQUIREMENTS;
1845 	}
1846 
1847 	key_size = min(req->max_key_size, rsp.max_key_size);
1848 	if (check_enc_key_size(conn, key_size))
1849 		return SMP_ENC_KEY_SIZE;
1850 
1851 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1852 
1853 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1854 	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1855 
1856 	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1857 
1858 	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1859 
1860 	/* Strictly speaking we shouldn't allow Pairing Confirm for the
1861 	 * SC case, however some implementations incorrectly copy RFU auth
1862 	 * req bits from our security request, which may create a false
1863 	 * positive SC enablement.
1864 	 */
1865 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1866 
1867 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1868 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1869 		/* Clear bits which are generated but not distributed */
1870 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1871 		/* Wait for Public Key from Initiating Device */
1872 		return 0;
1873 	}
1874 
1875 	/* Request setup of TK */
1876 	ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1877 	if (ret)
1878 		return SMP_UNSPECIFIED;
1879 
1880 	return 0;
1881 }
1882 
1883 static u8 sc_send_public_key(struct smp_chan *smp)
1884 {
1885 	struct hci_dev *hdev = smp->conn->hcon->hdev;
1886 
1887 	BT_DBG("");
1888 
1889 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1890 		struct l2cap_chan *chan = hdev->smp_data;
1891 		struct smp_dev *smp_dev;
1892 
1893 		if (!chan || !chan->data)
1894 			return SMP_UNSPECIFIED;
1895 
1896 		smp_dev = chan->data;
1897 
1898 		memcpy(smp->local_pk, smp_dev->local_pk, 64);
1899 		memcpy(smp->lr, smp_dev->local_rand, 16);
1900 
1901 		if (smp_dev->debug_key)
1902 			set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1903 
1904 		goto done;
1905 	}
1906 
1907 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1908 		BT_DBG("Using debug keys");
1909 		if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
1910 			return SMP_UNSPECIFIED;
1911 		memcpy(smp->local_pk, debug_pk, 64);
1912 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1913 	} else {
1914 		while (true) {
1915 			/* Generate key pair for Secure Connections */
1916 			if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
1917 				return SMP_UNSPECIFIED;
1918 
1919 			/* This is unlikely, but we need to check that
1920 			 * we didn't accidentially generate a debug key.
1921 			 */
1922 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
1923 				break;
1924 		}
1925 	}
1926 
1927 done:
1928 	SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1929 	SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1930 
1931 	smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1932 
1933 	return 0;
1934 }
1935 
1936 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1937 {
1938 	struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1939 	struct l2cap_chan *chan = conn->smp;
1940 	struct smp_chan *smp = chan->data;
1941 	struct hci_dev *hdev = conn->hcon->hdev;
1942 	u8 key_size, auth;
1943 	int ret;
1944 
1945 	BT_DBG("conn %p", conn);
1946 
1947 	if (skb->len < sizeof(*rsp))
1948 		return SMP_INVALID_PARAMS;
1949 
1950 	if (conn->hcon->role != HCI_ROLE_MASTER)
1951 		return SMP_CMD_NOTSUPP;
1952 
1953 	skb_pull(skb, sizeof(*rsp));
1954 
1955 	req = (void *) &smp->preq[1];
1956 
1957 	key_size = min(req->max_key_size, rsp->max_key_size);
1958 	if (check_enc_key_size(conn, key_size))
1959 		return SMP_ENC_KEY_SIZE;
1960 
1961 	auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1962 
1963 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1964 		return SMP_AUTH_REQUIREMENTS;
1965 
1966 	/* If the remote side's OOB flag is set it means it has
1967 	 * successfully received our local OOB data - therefore set the
1968 	 * flag to indicate that local OOB is in use.
1969 	 */
1970 	if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1971 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1972 
1973 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1974 	memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1975 
1976 	/* Update remote key distribution in case the remote cleared
1977 	 * some bits that we had enabled in our request.
1978 	 */
1979 	smp->remote_key_dist &= rsp->resp_key_dist;
1980 
1981 	if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1982 		set_bit(SMP_FLAG_CT2, &smp->flags);
1983 
1984 	/* For BR/EDR this means we're done and can start phase 3 */
1985 	if (conn->hcon->type == ACL_LINK) {
1986 		/* Clear bits which are generated but not distributed */
1987 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1988 		smp_distribute_keys(smp);
1989 		return 0;
1990 	}
1991 
1992 	if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1993 		set_bit(SMP_FLAG_SC, &smp->flags);
1994 	else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1995 		conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1996 
1997 	/* If we need MITM check that it can be achieved */
1998 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1999 		u8 method;
2000 
2001 		method = get_auth_method(smp, req->io_capability,
2002 					 rsp->io_capability);
2003 		if (method == JUST_WORKS || method == JUST_CFM)
2004 			return SMP_AUTH_REQUIREMENTS;
2005 	}
2006 
2007 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
2008 
2009 	/* Update remote key distribution in case the remote cleared
2010 	 * some bits that we had enabled in our request.
2011 	 */
2012 	smp->remote_key_dist &= rsp->resp_key_dist;
2013 
2014 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2015 		/* Clear bits which are generated but not distributed */
2016 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
2017 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2018 		return sc_send_public_key(smp);
2019 	}
2020 
2021 	auth |= req->auth_req;
2022 
2023 	ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2024 	if (ret)
2025 		return SMP_UNSPECIFIED;
2026 
2027 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2028 
2029 	/* Can't compose response until we have been confirmed */
2030 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2031 		return smp_confirm(smp);
2032 
2033 	return 0;
2034 }
2035 
2036 static u8 sc_check_confirm(struct smp_chan *smp)
2037 {
2038 	struct l2cap_conn *conn = smp->conn;
2039 
2040 	BT_DBG("");
2041 
2042 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2043 		return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2044 
2045 	if (conn->hcon->out) {
2046 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2047 			     smp->prnd);
2048 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2049 	}
2050 
2051 	return 0;
2052 }
2053 
2054 /* Work-around for some implementations that incorrectly copy RFU bits
2055  * from our security request and thereby create the impression that
2056  * we're doing SC when in fact the remote doesn't support it.
2057  */
2058 static int fixup_sc_false_positive(struct smp_chan *smp)
2059 {
2060 	struct l2cap_conn *conn = smp->conn;
2061 	struct hci_conn *hcon = conn->hcon;
2062 	struct hci_dev *hdev = hcon->hdev;
2063 	struct smp_cmd_pairing *req, *rsp;
2064 	u8 auth;
2065 
2066 	/* The issue is only observed when we're in slave role */
2067 	if (hcon->out)
2068 		return SMP_UNSPECIFIED;
2069 
2070 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2071 		bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
2072 		return SMP_UNSPECIFIED;
2073 	}
2074 
2075 	bt_dev_err(hdev, "trying to fall back to legacy SMP");
2076 
2077 	req = (void *) &smp->preq[1];
2078 	rsp = (void *) &smp->prsp[1];
2079 
2080 	/* Rebuild key dist flags which may have been cleared for SC */
2081 	smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2082 
2083 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
2084 
2085 	if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2086 		bt_dev_err(hdev, "failed to fall back to legacy SMP");
2087 		return SMP_UNSPECIFIED;
2088 	}
2089 
2090 	clear_bit(SMP_FLAG_SC, &smp->flags);
2091 
2092 	return 0;
2093 }
2094 
2095 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2096 {
2097 	struct l2cap_chan *chan = conn->smp;
2098 	struct smp_chan *smp = chan->data;
2099 
2100 	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
2101 
2102 	if (skb->len < sizeof(smp->pcnf))
2103 		return SMP_INVALID_PARAMS;
2104 
2105 	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2106 	skb_pull(skb, sizeof(smp->pcnf));
2107 
2108 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2109 		int ret;
2110 
2111 		/* Public Key exchange must happen before any other steps */
2112 		if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2113 			return sc_check_confirm(smp);
2114 
2115 		BT_ERR("Unexpected SMP Pairing Confirm");
2116 
2117 		ret = fixup_sc_false_positive(smp);
2118 		if (ret)
2119 			return ret;
2120 	}
2121 
2122 	if (conn->hcon->out) {
2123 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2124 			     smp->prnd);
2125 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2126 		return 0;
2127 	}
2128 
2129 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2130 		return smp_confirm(smp);
2131 
2132 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2133 
2134 	return 0;
2135 }
2136 
2137 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2138 {
2139 	struct l2cap_chan *chan = conn->smp;
2140 	struct smp_chan *smp = chan->data;
2141 	struct hci_conn *hcon = conn->hcon;
2142 	u8 *pkax, *pkbx, *na, *nb;
2143 	u32 passkey;
2144 	int err;
2145 
2146 	BT_DBG("conn %p", conn);
2147 
2148 	if (skb->len < sizeof(smp->rrnd))
2149 		return SMP_INVALID_PARAMS;
2150 
2151 	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2152 	skb_pull(skb, sizeof(smp->rrnd));
2153 
2154 	if (!test_bit(SMP_FLAG_SC, &smp->flags))
2155 		return smp_random(smp);
2156 
2157 	if (hcon->out) {
2158 		pkax = smp->local_pk;
2159 		pkbx = smp->remote_pk;
2160 		na   = smp->prnd;
2161 		nb   = smp->rrnd;
2162 	} else {
2163 		pkax = smp->remote_pk;
2164 		pkbx = smp->local_pk;
2165 		na   = smp->rrnd;
2166 		nb   = smp->prnd;
2167 	}
2168 
2169 	if (smp->method == REQ_OOB) {
2170 		if (!hcon->out)
2171 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2172 				     sizeof(smp->prnd), smp->prnd);
2173 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2174 		goto mackey_and_ltk;
2175 	}
2176 
2177 	/* Passkey entry has special treatment */
2178 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2179 		return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2180 
2181 	if (hcon->out) {
2182 		u8 cfm[16];
2183 
2184 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2185 			     smp->rrnd, 0, cfm);
2186 		if (err)
2187 			return SMP_UNSPECIFIED;
2188 
2189 		if (crypto_memneq(smp->pcnf, cfm, 16))
2190 			return SMP_CONFIRM_FAILED;
2191 	} else {
2192 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2193 			     smp->prnd);
2194 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2195 	}
2196 
2197 mackey_and_ltk:
2198 	/* Generate MacKey and LTK */
2199 	err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2200 	if (err)
2201 		return SMP_UNSPECIFIED;
2202 
2203 	if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2204 		if (hcon->out) {
2205 			sc_dhkey_check(smp);
2206 			SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2207 		}
2208 		return 0;
2209 	}
2210 
2211 	err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2212 	if (err)
2213 		return SMP_UNSPECIFIED;
2214 
2215 	err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2216 					hcon->dst_type, passkey, 0);
2217 	if (err)
2218 		return SMP_UNSPECIFIED;
2219 
2220 	set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2221 
2222 	return 0;
2223 }
2224 
2225 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2226 {
2227 	struct smp_ltk *key;
2228 	struct hci_conn *hcon = conn->hcon;
2229 
2230 	key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2231 	if (!key)
2232 		return false;
2233 
2234 	if (smp_ltk_sec_level(key) < sec_level)
2235 		return false;
2236 
2237 	if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2238 		return true;
2239 
2240 	hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2241 	hcon->enc_key_size = key->enc_size;
2242 
2243 	/* We never store STKs for master role, so clear this flag */
2244 	clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2245 
2246 	return true;
2247 }
2248 
2249 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2250 			     enum smp_key_pref key_pref)
2251 {
2252 	if (sec_level == BT_SECURITY_LOW)
2253 		return true;
2254 
2255 	/* If we're encrypted with an STK but the caller prefers using
2256 	 * LTK claim insufficient security. This way we allow the
2257 	 * connection to be re-encrypted with an LTK, even if the LTK
2258 	 * provides the same level of security. Only exception is if we
2259 	 * don't have an LTK (e.g. because of key distribution bits).
2260 	 */
2261 	if (key_pref == SMP_USE_LTK &&
2262 	    test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2263 	    hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2264 		return false;
2265 
2266 	if (hcon->sec_level >= sec_level)
2267 		return true;
2268 
2269 	return false;
2270 }
2271 
2272 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2273 {
2274 	struct smp_cmd_security_req *rp = (void *) skb->data;
2275 	struct smp_cmd_pairing cp;
2276 	struct hci_conn *hcon = conn->hcon;
2277 	struct hci_dev *hdev = hcon->hdev;
2278 	struct smp_chan *smp;
2279 	u8 sec_level, auth;
2280 
2281 	BT_DBG("conn %p", conn);
2282 
2283 	if (skb->len < sizeof(*rp))
2284 		return SMP_INVALID_PARAMS;
2285 
2286 	if (hcon->role != HCI_ROLE_MASTER)
2287 		return SMP_CMD_NOTSUPP;
2288 
2289 	auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2290 
2291 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2292 		return SMP_AUTH_REQUIREMENTS;
2293 
2294 	if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2295 		sec_level = BT_SECURITY_MEDIUM;
2296 	else
2297 		sec_level = authreq_to_seclevel(auth);
2298 
2299 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2300 		/* If link is already encrypted with sufficient security we
2301 		 * still need refresh encryption as per Core Spec 5.0 Vol 3,
2302 		 * Part H 2.4.6
2303 		 */
2304 		smp_ltk_encrypt(conn, hcon->sec_level);
2305 		return 0;
2306 	}
2307 
2308 	if (sec_level > hcon->pending_sec_level)
2309 		hcon->pending_sec_level = sec_level;
2310 
2311 	if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2312 		return 0;
2313 
2314 	smp = smp_chan_create(conn);
2315 	if (!smp)
2316 		return SMP_UNSPECIFIED;
2317 
2318 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2319 	    (auth & SMP_AUTH_BONDING))
2320 		return SMP_PAIRING_NOTSUPP;
2321 
2322 	skb_pull(skb, sizeof(*rp));
2323 
2324 	memset(&cp, 0, sizeof(cp));
2325 	build_pairing_cmd(conn, &cp, NULL, auth);
2326 
2327 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2328 	memcpy(&smp->preq[1], &cp, sizeof(cp));
2329 
2330 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2331 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2332 
2333 	return 0;
2334 }
2335 
2336 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2337 {
2338 	struct l2cap_conn *conn = hcon->l2cap_data;
2339 	struct l2cap_chan *chan;
2340 	struct smp_chan *smp;
2341 	__u8 authreq;
2342 	int ret;
2343 
2344 	BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2345 
2346 	/* This may be NULL if there's an unexpected disconnection */
2347 	if (!conn)
2348 		return 1;
2349 
2350 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2351 		return 1;
2352 
2353 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2354 		return 1;
2355 
2356 	if (sec_level > hcon->pending_sec_level)
2357 		hcon->pending_sec_level = sec_level;
2358 
2359 	if (hcon->role == HCI_ROLE_MASTER)
2360 		if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2361 			return 0;
2362 
2363 	chan = conn->smp;
2364 	if (!chan) {
2365 		bt_dev_err(hcon->hdev, "security requested but not available");
2366 		return 1;
2367 	}
2368 
2369 	l2cap_chan_lock(chan);
2370 
2371 	/* If SMP is already in progress ignore this request */
2372 	if (chan->data) {
2373 		ret = 0;
2374 		goto unlock;
2375 	}
2376 
2377 	smp = smp_chan_create(conn);
2378 	if (!smp) {
2379 		ret = 1;
2380 		goto unlock;
2381 	}
2382 
2383 	authreq = seclevel_to_authreq(sec_level);
2384 
2385 	if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2386 		authreq |= SMP_AUTH_SC;
2387 		if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2388 			authreq |= SMP_AUTH_CT2;
2389 	}
2390 
2391 	/* Require MITM if IO Capability allows or the security level
2392 	 * requires it.
2393 	 */
2394 	if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2395 	    hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2396 		authreq |= SMP_AUTH_MITM;
2397 
2398 	if (hcon->role == HCI_ROLE_MASTER) {
2399 		struct smp_cmd_pairing cp;
2400 
2401 		build_pairing_cmd(conn, &cp, NULL, authreq);
2402 		smp->preq[0] = SMP_CMD_PAIRING_REQ;
2403 		memcpy(&smp->preq[1], &cp, sizeof(cp));
2404 
2405 		smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2406 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2407 	} else {
2408 		struct smp_cmd_security_req cp;
2409 		cp.auth_req = authreq;
2410 		smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2411 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2412 	}
2413 
2414 	set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2415 	ret = 0;
2416 
2417 unlock:
2418 	l2cap_chan_unlock(chan);
2419 	return ret;
2420 }
2421 
2422 int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2423 				  u8 addr_type)
2424 {
2425 	struct hci_conn *hcon;
2426 	struct l2cap_conn *conn;
2427 	struct l2cap_chan *chan;
2428 	struct smp_chan *smp;
2429 	int err;
2430 
2431 	err = hci_remove_ltk(hdev, bdaddr, addr_type);
2432 	hci_remove_irk(hdev, bdaddr, addr_type);
2433 
2434 	hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2435 	if (!hcon)
2436 		goto done;
2437 
2438 	conn = hcon->l2cap_data;
2439 	if (!conn)
2440 		goto done;
2441 
2442 	chan = conn->smp;
2443 	if (!chan)
2444 		goto done;
2445 
2446 	l2cap_chan_lock(chan);
2447 
2448 	smp = chan->data;
2449 	if (smp) {
2450 		/* Set keys to NULL to make sure smp_failure() does not try to
2451 		 * remove and free already invalidated rcu list entries. */
2452 		smp->ltk = NULL;
2453 		smp->slave_ltk = NULL;
2454 		smp->remote_irk = NULL;
2455 
2456 		if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2457 			smp_failure(conn, 0);
2458 		else
2459 			smp_failure(conn, SMP_UNSPECIFIED);
2460 		err = 0;
2461 	}
2462 
2463 	l2cap_chan_unlock(chan);
2464 
2465 done:
2466 	return err;
2467 }
2468 
2469 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2470 {
2471 	struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2472 	struct l2cap_chan *chan = conn->smp;
2473 	struct smp_chan *smp = chan->data;
2474 
2475 	BT_DBG("conn %p", conn);
2476 
2477 	if (skb->len < sizeof(*rp))
2478 		return SMP_INVALID_PARAMS;
2479 
2480 	SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2481 
2482 	skb_pull(skb, sizeof(*rp));
2483 
2484 	memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2485 
2486 	return 0;
2487 }
2488 
2489 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2490 {
2491 	struct smp_cmd_master_ident *rp = (void *) skb->data;
2492 	struct l2cap_chan *chan = conn->smp;
2493 	struct smp_chan *smp = chan->data;
2494 	struct hci_dev *hdev = conn->hcon->hdev;
2495 	struct hci_conn *hcon = conn->hcon;
2496 	struct smp_ltk *ltk;
2497 	u8 authenticated;
2498 
2499 	BT_DBG("conn %p", conn);
2500 
2501 	if (skb->len < sizeof(*rp))
2502 		return SMP_INVALID_PARAMS;
2503 
2504 	/* Mark the information as received */
2505 	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2506 
2507 	if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2508 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2509 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
2510 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2511 
2512 	skb_pull(skb, sizeof(*rp));
2513 
2514 	authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2515 	ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2516 			  authenticated, smp->tk, smp->enc_key_size,
2517 			  rp->ediv, rp->rand);
2518 	smp->ltk = ltk;
2519 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2520 		smp_distribute_keys(smp);
2521 
2522 	return 0;
2523 }
2524 
2525 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2526 {
2527 	struct smp_cmd_ident_info *info = (void *) skb->data;
2528 	struct l2cap_chan *chan = conn->smp;
2529 	struct smp_chan *smp = chan->data;
2530 
2531 	BT_DBG("");
2532 
2533 	if (skb->len < sizeof(*info))
2534 		return SMP_INVALID_PARAMS;
2535 
2536 	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2537 
2538 	skb_pull(skb, sizeof(*info));
2539 
2540 	memcpy(smp->irk, info->irk, 16);
2541 
2542 	return 0;
2543 }
2544 
2545 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2546 				   struct sk_buff *skb)
2547 {
2548 	struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2549 	struct l2cap_chan *chan = conn->smp;
2550 	struct smp_chan *smp = chan->data;
2551 	struct hci_conn *hcon = conn->hcon;
2552 	bdaddr_t rpa;
2553 
2554 	BT_DBG("");
2555 
2556 	if (skb->len < sizeof(*info))
2557 		return SMP_INVALID_PARAMS;
2558 
2559 	/* Mark the information as received */
2560 	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2561 
2562 	if (smp->remote_key_dist & SMP_DIST_SIGN)
2563 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2564 
2565 	skb_pull(skb, sizeof(*info));
2566 
2567 	/* Strictly speaking the Core Specification (4.1) allows sending
2568 	 * an empty address which would force us to rely on just the IRK
2569 	 * as "identity information". However, since such
2570 	 * implementations are not known of and in order to not over
2571 	 * complicate our implementation, simply pretend that we never
2572 	 * received an IRK for such a device.
2573 	 *
2574 	 * The Identity Address must also be a Static Random or Public
2575 	 * Address, which hci_is_identity_address() checks for.
2576 	 */
2577 	if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2578 	    !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2579 		bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
2580 		goto distribute;
2581 	}
2582 
2583 	bacpy(&smp->id_addr, &info->bdaddr);
2584 	smp->id_addr_type = info->addr_type;
2585 
2586 	if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2587 		bacpy(&rpa, &hcon->dst);
2588 	else
2589 		bacpy(&rpa, BDADDR_ANY);
2590 
2591 	smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2592 				      smp->id_addr_type, smp->irk, &rpa);
2593 
2594 distribute:
2595 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2596 		smp_distribute_keys(smp);
2597 
2598 	return 0;
2599 }
2600 
2601 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2602 {
2603 	struct smp_cmd_sign_info *rp = (void *) skb->data;
2604 	struct l2cap_chan *chan = conn->smp;
2605 	struct smp_chan *smp = chan->data;
2606 	struct smp_csrk *csrk;
2607 
2608 	BT_DBG("conn %p", conn);
2609 
2610 	if (skb->len < sizeof(*rp))
2611 		return SMP_INVALID_PARAMS;
2612 
2613 	/* Mark the information as received */
2614 	smp->remote_key_dist &= ~SMP_DIST_SIGN;
2615 
2616 	skb_pull(skb, sizeof(*rp));
2617 
2618 	csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2619 	if (csrk) {
2620 		if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2621 			csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2622 		else
2623 			csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2624 		memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2625 	}
2626 	smp->csrk = csrk;
2627 	smp_distribute_keys(smp);
2628 
2629 	return 0;
2630 }
2631 
2632 static u8 sc_select_method(struct smp_chan *smp)
2633 {
2634 	struct l2cap_conn *conn = smp->conn;
2635 	struct hci_conn *hcon = conn->hcon;
2636 	struct smp_cmd_pairing *local, *remote;
2637 	u8 local_mitm, remote_mitm, local_io, remote_io, method;
2638 
2639 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2640 	    test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2641 		return REQ_OOB;
2642 
2643 	/* The preq/prsp contain the raw Pairing Request/Response PDUs
2644 	 * which are needed as inputs to some crypto functions. To get
2645 	 * the "struct smp_cmd_pairing" from them we need to skip the
2646 	 * first byte which contains the opcode.
2647 	 */
2648 	if (hcon->out) {
2649 		local = (void *) &smp->preq[1];
2650 		remote = (void *) &smp->prsp[1];
2651 	} else {
2652 		local = (void *) &smp->prsp[1];
2653 		remote = (void *) &smp->preq[1];
2654 	}
2655 
2656 	local_io = local->io_capability;
2657 	remote_io = remote->io_capability;
2658 
2659 	local_mitm = (local->auth_req & SMP_AUTH_MITM);
2660 	remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2661 
2662 	/* If either side wants MITM, look up the method from the table,
2663 	 * otherwise use JUST WORKS.
2664 	 */
2665 	if (local_mitm || remote_mitm)
2666 		method = get_auth_method(smp, local_io, remote_io);
2667 	else
2668 		method = JUST_WORKS;
2669 
2670 	/* Don't confirm locally initiated pairing attempts */
2671 	if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2672 		method = JUST_WORKS;
2673 
2674 	return method;
2675 }
2676 
2677 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2678 {
2679 	struct smp_cmd_public_key *key = (void *) skb->data;
2680 	struct hci_conn *hcon = conn->hcon;
2681 	struct l2cap_chan *chan = conn->smp;
2682 	struct smp_chan *smp = chan->data;
2683 	struct hci_dev *hdev = hcon->hdev;
2684 	struct crypto_kpp *tfm_ecdh;
2685 	struct smp_cmd_pairing_confirm cfm;
2686 	int err;
2687 
2688 	BT_DBG("conn %p", conn);
2689 
2690 	if (skb->len < sizeof(*key))
2691 		return SMP_INVALID_PARAMS;
2692 
2693 	memcpy(smp->remote_pk, key, 64);
2694 
2695 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2696 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2697 			     smp->rr, 0, cfm.confirm_val);
2698 		if (err)
2699 			return SMP_UNSPECIFIED;
2700 
2701 		if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2702 			return SMP_CONFIRM_FAILED;
2703 	}
2704 
2705 	/* Non-initiating device sends its public key after receiving
2706 	 * the key from the initiating device.
2707 	 */
2708 	if (!hcon->out) {
2709 		err = sc_send_public_key(smp);
2710 		if (err)
2711 			return err;
2712 	}
2713 
2714 	SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2715 	SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2716 
2717 	/* Compute the shared secret on the same crypto tfm on which the private
2718 	 * key was set/generated.
2719 	 */
2720 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
2721 		struct l2cap_chan *hchan = hdev->smp_data;
2722 		struct smp_dev *smp_dev;
2723 
2724 		if (!hchan || !hchan->data)
2725 			return SMP_UNSPECIFIED;
2726 
2727 		smp_dev = hchan->data;
2728 
2729 		tfm_ecdh = smp_dev->tfm_ecdh;
2730 	} else {
2731 		tfm_ecdh = smp->tfm_ecdh;
2732 	}
2733 
2734 	if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
2735 		return SMP_UNSPECIFIED;
2736 
2737 	SMP_DBG("DHKey %32phN", smp->dhkey);
2738 
2739 	set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2740 
2741 	smp->method = sc_select_method(smp);
2742 
2743 	BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2744 
2745 	/* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2746 	if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2747 		hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2748 	else
2749 		hcon->pending_sec_level = BT_SECURITY_FIPS;
2750 
2751 	if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2752 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2753 
2754 	if (smp->method == DSP_PASSKEY) {
2755 		get_random_bytes(&hcon->passkey_notify,
2756 				 sizeof(hcon->passkey_notify));
2757 		hcon->passkey_notify %= 1000000;
2758 		hcon->passkey_entered = 0;
2759 		smp->passkey_round = 0;
2760 		if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2761 					     hcon->dst_type,
2762 					     hcon->passkey_notify,
2763 					     hcon->passkey_entered))
2764 			return SMP_UNSPECIFIED;
2765 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2766 		return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2767 	}
2768 
2769 	if (smp->method == REQ_OOB) {
2770 		if (hcon->out)
2771 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2772 				     sizeof(smp->prnd), smp->prnd);
2773 
2774 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2775 
2776 		return 0;
2777 	}
2778 
2779 	if (hcon->out)
2780 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2781 
2782 	if (smp->method == REQ_PASSKEY) {
2783 		if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2784 					      hcon->dst_type))
2785 			return SMP_UNSPECIFIED;
2786 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2787 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2788 		return 0;
2789 	}
2790 
2791 	/* The Initiating device waits for the non-initiating device to
2792 	 * send the confirm value.
2793 	 */
2794 	if (conn->hcon->out)
2795 		return 0;
2796 
2797 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2798 		     0, cfm.confirm_val);
2799 	if (err)
2800 		return SMP_UNSPECIFIED;
2801 
2802 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2803 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2804 
2805 	return 0;
2806 }
2807 
2808 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2809 {
2810 	struct smp_cmd_dhkey_check *check = (void *) skb->data;
2811 	struct l2cap_chan *chan = conn->smp;
2812 	struct hci_conn *hcon = conn->hcon;
2813 	struct smp_chan *smp = chan->data;
2814 	u8 a[7], b[7], *local_addr, *remote_addr;
2815 	u8 io_cap[3], r[16], e[16];
2816 	int err;
2817 
2818 	BT_DBG("conn %p", conn);
2819 
2820 	if (skb->len < sizeof(*check))
2821 		return SMP_INVALID_PARAMS;
2822 
2823 	memcpy(a, &hcon->init_addr, 6);
2824 	memcpy(b, &hcon->resp_addr, 6);
2825 	a[6] = hcon->init_addr_type;
2826 	b[6] = hcon->resp_addr_type;
2827 
2828 	if (hcon->out) {
2829 		local_addr = a;
2830 		remote_addr = b;
2831 		memcpy(io_cap, &smp->prsp[1], 3);
2832 	} else {
2833 		local_addr = b;
2834 		remote_addr = a;
2835 		memcpy(io_cap, &smp->preq[1], 3);
2836 	}
2837 
2838 	memset(r, 0, sizeof(r));
2839 
2840 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2841 		put_unaligned_le32(hcon->passkey_notify, r);
2842 	else if (smp->method == REQ_OOB)
2843 		memcpy(r, smp->lr, 16);
2844 
2845 	err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2846 		     io_cap, remote_addr, local_addr, e);
2847 	if (err)
2848 		return SMP_UNSPECIFIED;
2849 
2850 	if (crypto_memneq(check->e, e, 16))
2851 		return SMP_DHKEY_CHECK_FAILED;
2852 
2853 	if (!hcon->out) {
2854 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2855 			set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2856 			return 0;
2857 		}
2858 
2859 		/* Slave sends DHKey check as response to master */
2860 		sc_dhkey_check(smp);
2861 	}
2862 
2863 	sc_add_ltk(smp);
2864 
2865 	if (hcon->out) {
2866 		hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2867 		hcon->enc_key_size = smp->enc_key_size;
2868 	}
2869 
2870 	return 0;
2871 }
2872 
2873 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2874 				   struct sk_buff *skb)
2875 {
2876 	struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2877 
2878 	BT_DBG("value 0x%02x", kp->value);
2879 
2880 	return 0;
2881 }
2882 
2883 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2884 {
2885 	struct l2cap_conn *conn = chan->conn;
2886 	struct hci_conn *hcon = conn->hcon;
2887 	struct smp_chan *smp;
2888 	__u8 code, reason;
2889 	int err = 0;
2890 
2891 	if (skb->len < 1)
2892 		return -EILSEQ;
2893 
2894 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2895 		reason = SMP_PAIRING_NOTSUPP;
2896 		goto done;
2897 	}
2898 
2899 	code = skb->data[0];
2900 	skb_pull(skb, sizeof(code));
2901 
2902 	smp = chan->data;
2903 
2904 	if (code > SMP_CMD_MAX)
2905 		goto drop;
2906 
2907 	if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2908 		goto drop;
2909 
2910 	/* If we don't have a context the only allowed commands are
2911 	 * pairing request and security request.
2912 	 */
2913 	if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2914 		goto drop;
2915 
2916 	switch (code) {
2917 	case SMP_CMD_PAIRING_REQ:
2918 		reason = smp_cmd_pairing_req(conn, skb);
2919 		break;
2920 
2921 	case SMP_CMD_PAIRING_FAIL:
2922 		smp_failure(conn, 0);
2923 		err = -EPERM;
2924 		break;
2925 
2926 	case SMP_CMD_PAIRING_RSP:
2927 		reason = smp_cmd_pairing_rsp(conn, skb);
2928 		break;
2929 
2930 	case SMP_CMD_SECURITY_REQ:
2931 		reason = smp_cmd_security_req(conn, skb);
2932 		break;
2933 
2934 	case SMP_CMD_PAIRING_CONFIRM:
2935 		reason = smp_cmd_pairing_confirm(conn, skb);
2936 		break;
2937 
2938 	case SMP_CMD_PAIRING_RANDOM:
2939 		reason = smp_cmd_pairing_random(conn, skb);
2940 		break;
2941 
2942 	case SMP_CMD_ENCRYPT_INFO:
2943 		reason = smp_cmd_encrypt_info(conn, skb);
2944 		break;
2945 
2946 	case SMP_CMD_MASTER_IDENT:
2947 		reason = smp_cmd_master_ident(conn, skb);
2948 		break;
2949 
2950 	case SMP_CMD_IDENT_INFO:
2951 		reason = smp_cmd_ident_info(conn, skb);
2952 		break;
2953 
2954 	case SMP_CMD_IDENT_ADDR_INFO:
2955 		reason = smp_cmd_ident_addr_info(conn, skb);
2956 		break;
2957 
2958 	case SMP_CMD_SIGN_INFO:
2959 		reason = smp_cmd_sign_info(conn, skb);
2960 		break;
2961 
2962 	case SMP_CMD_PUBLIC_KEY:
2963 		reason = smp_cmd_public_key(conn, skb);
2964 		break;
2965 
2966 	case SMP_CMD_DHKEY_CHECK:
2967 		reason = smp_cmd_dhkey_check(conn, skb);
2968 		break;
2969 
2970 	case SMP_CMD_KEYPRESS_NOTIFY:
2971 		reason = smp_cmd_keypress_notify(conn, skb);
2972 		break;
2973 
2974 	default:
2975 		BT_DBG("Unknown command code 0x%2.2x", code);
2976 		reason = SMP_CMD_NOTSUPP;
2977 		goto done;
2978 	}
2979 
2980 done:
2981 	if (!err) {
2982 		if (reason)
2983 			smp_failure(conn, reason);
2984 		kfree_skb(skb);
2985 	}
2986 
2987 	return err;
2988 
2989 drop:
2990 	bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
2991 		   code, &hcon->dst);
2992 	kfree_skb(skb);
2993 	return 0;
2994 }
2995 
2996 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2997 {
2998 	struct l2cap_conn *conn = chan->conn;
2999 
3000 	BT_DBG("chan %p", chan);
3001 
3002 	if (chan->data)
3003 		smp_chan_destroy(conn);
3004 
3005 	conn->smp = NULL;
3006 	l2cap_chan_put(chan);
3007 }
3008 
3009 static void bredr_pairing(struct l2cap_chan *chan)
3010 {
3011 	struct l2cap_conn *conn = chan->conn;
3012 	struct hci_conn *hcon = conn->hcon;
3013 	struct hci_dev *hdev = hcon->hdev;
3014 	struct smp_cmd_pairing req;
3015 	struct smp_chan *smp;
3016 
3017 	BT_DBG("chan %p", chan);
3018 
3019 	/* Only new pairings are interesting */
3020 	if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
3021 		return;
3022 
3023 	/* Don't bother if we're not encrypted */
3024 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3025 		return;
3026 
3027 	/* Only master may initiate SMP over BR/EDR */
3028 	if (hcon->role != HCI_ROLE_MASTER)
3029 		return;
3030 
3031 	/* Secure Connections support must be enabled */
3032 	if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
3033 		return;
3034 
3035 	/* BR/EDR must use Secure Connections for SMP */
3036 	if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
3037 	    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3038 		return;
3039 
3040 	/* If our LE support is not enabled don't do anything */
3041 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3042 		return;
3043 
3044 	/* Don't bother if remote LE support is not enabled */
3045 	if (!lmp_host_le_capable(hcon))
3046 		return;
3047 
3048 	/* Remote must support SMP fixed chan for BR/EDR */
3049 	if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3050 		return;
3051 
3052 	/* Don't bother if SMP is already ongoing */
3053 	if (chan->data)
3054 		return;
3055 
3056 	smp = smp_chan_create(conn);
3057 	if (!smp) {
3058 		bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
3059 		return;
3060 	}
3061 
3062 	set_bit(SMP_FLAG_SC, &smp->flags);
3063 
3064 	BT_DBG("%s starting SMP over BR/EDR", hdev->name);
3065 
3066 	/* Prepare and send the BR/EDR SMP Pairing Request */
3067 	build_bredr_pairing_cmd(smp, &req, NULL);
3068 
3069 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
3070 	memcpy(&smp->preq[1], &req, sizeof(req));
3071 
3072 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3073 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3074 }
3075 
3076 static void smp_resume_cb(struct l2cap_chan *chan)
3077 {
3078 	struct smp_chan *smp = chan->data;
3079 	struct l2cap_conn *conn = chan->conn;
3080 	struct hci_conn *hcon = conn->hcon;
3081 
3082 	BT_DBG("chan %p", chan);
3083 
3084 	if (hcon->type == ACL_LINK) {
3085 		bredr_pairing(chan);
3086 		return;
3087 	}
3088 
3089 	if (!smp)
3090 		return;
3091 
3092 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3093 		return;
3094 
3095 	cancel_delayed_work(&smp->security_timer);
3096 
3097 	smp_distribute_keys(smp);
3098 }
3099 
3100 static void smp_ready_cb(struct l2cap_chan *chan)
3101 {
3102 	struct l2cap_conn *conn = chan->conn;
3103 	struct hci_conn *hcon = conn->hcon;
3104 
3105 	BT_DBG("chan %p", chan);
3106 
3107 	/* No need to call l2cap_chan_hold() here since we already own
3108 	 * the reference taken in smp_new_conn_cb(). This is just the
3109 	 * first time that we tie it to a specific pointer. The code in
3110 	 * l2cap_core.c ensures that there's no risk this function wont
3111 	 * get called if smp_new_conn_cb was previously called.
3112 	 */
3113 	conn->smp = chan;
3114 
3115 	if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3116 		bredr_pairing(chan);
3117 }
3118 
3119 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3120 {
3121 	int err;
3122 
3123 	BT_DBG("chan %p", chan);
3124 
3125 	err = smp_sig_channel(chan, skb);
3126 	if (err) {
3127 		struct smp_chan *smp = chan->data;
3128 
3129 		if (smp)
3130 			cancel_delayed_work_sync(&smp->security_timer);
3131 
3132 		hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3133 	}
3134 
3135 	return err;
3136 }
3137 
3138 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3139 					unsigned long hdr_len,
3140 					unsigned long len, int nb)
3141 {
3142 	struct sk_buff *skb;
3143 
3144 	skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3145 	if (!skb)
3146 		return ERR_PTR(-ENOMEM);
3147 
3148 	skb->priority = HCI_PRIO_MAX;
3149 	bt_cb(skb)->l2cap.chan = chan;
3150 
3151 	return skb;
3152 }
3153 
3154 static const struct l2cap_ops smp_chan_ops = {
3155 	.name			= "Security Manager",
3156 	.ready			= smp_ready_cb,
3157 	.recv			= smp_recv_cb,
3158 	.alloc_skb		= smp_alloc_skb_cb,
3159 	.teardown		= smp_teardown_cb,
3160 	.resume			= smp_resume_cb,
3161 
3162 	.new_connection		= l2cap_chan_no_new_connection,
3163 	.state_change		= l2cap_chan_no_state_change,
3164 	.close			= l2cap_chan_no_close,
3165 	.defer			= l2cap_chan_no_defer,
3166 	.suspend		= l2cap_chan_no_suspend,
3167 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3168 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3169 };
3170 
3171 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3172 {
3173 	struct l2cap_chan *chan;
3174 
3175 	BT_DBG("pchan %p", pchan);
3176 
3177 	chan = l2cap_chan_create();
3178 	if (!chan)
3179 		return NULL;
3180 
3181 	chan->chan_type	= pchan->chan_type;
3182 	chan->ops	= &smp_chan_ops;
3183 	chan->scid	= pchan->scid;
3184 	chan->dcid	= chan->scid;
3185 	chan->imtu	= pchan->imtu;
3186 	chan->omtu	= pchan->omtu;
3187 	chan->mode	= pchan->mode;
3188 
3189 	/* Other L2CAP channels may request SMP routines in order to
3190 	 * change the security level. This means that the SMP channel
3191 	 * lock must be considered in its own category to avoid lockdep
3192 	 * warnings.
3193 	 */
3194 	atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3195 
3196 	BT_DBG("created chan %p", chan);
3197 
3198 	return chan;
3199 }
3200 
3201 static const struct l2cap_ops smp_root_chan_ops = {
3202 	.name			= "Security Manager Root",
3203 	.new_connection		= smp_new_conn_cb,
3204 
3205 	/* None of these are implemented for the root channel */
3206 	.close			= l2cap_chan_no_close,
3207 	.alloc_skb		= l2cap_chan_no_alloc_skb,
3208 	.recv			= l2cap_chan_no_recv,
3209 	.state_change		= l2cap_chan_no_state_change,
3210 	.teardown		= l2cap_chan_no_teardown,
3211 	.ready			= l2cap_chan_no_ready,
3212 	.defer			= l2cap_chan_no_defer,
3213 	.suspend		= l2cap_chan_no_suspend,
3214 	.resume			= l2cap_chan_no_resume,
3215 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3216 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3217 };
3218 
3219 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3220 {
3221 	struct l2cap_chan *chan;
3222 	struct smp_dev *smp;
3223 	struct crypto_cipher *tfm_aes;
3224 	struct crypto_shash *tfm_cmac;
3225 	struct crypto_kpp *tfm_ecdh;
3226 
3227 	if (cid == L2CAP_CID_SMP_BREDR) {
3228 		smp = NULL;
3229 		goto create_chan;
3230 	}
3231 
3232 	smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3233 	if (!smp)
3234 		return ERR_PTR(-ENOMEM);
3235 
3236 	tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
3237 	if (IS_ERR(tfm_aes)) {
3238 		BT_ERR("Unable to create AES crypto context");
3239 		kzfree(smp);
3240 		return ERR_CAST(tfm_aes);
3241 	}
3242 
3243 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3244 	if (IS_ERR(tfm_cmac)) {
3245 		BT_ERR("Unable to create CMAC crypto context");
3246 		crypto_free_cipher(tfm_aes);
3247 		kzfree(smp);
3248 		return ERR_CAST(tfm_cmac);
3249 	}
3250 
3251 	tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
3252 	if (IS_ERR(tfm_ecdh)) {
3253 		BT_ERR("Unable to create ECDH crypto context");
3254 		crypto_free_shash(tfm_cmac);
3255 		crypto_free_cipher(tfm_aes);
3256 		kzfree(smp);
3257 		return ERR_CAST(tfm_ecdh);
3258 	}
3259 
3260 	smp->local_oob = false;
3261 	smp->tfm_aes = tfm_aes;
3262 	smp->tfm_cmac = tfm_cmac;
3263 	smp->tfm_ecdh = tfm_ecdh;
3264 
3265 create_chan:
3266 	chan = l2cap_chan_create();
3267 	if (!chan) {
3268 		if (smp) {
3269 			crypto_free_cipher(smp->tfm_aes);
3270 			crypto_free_shash(smp->tfm_cmac);
3271 			crypto_free_kpp(smp->tfm_ecdh);
3272 			kzfree(smp);
3273 		}
3274 		return ERR_PTR(-ENOMEM);
3275 	}
3276 
3277 	chan->data = smp;
3278 
3279 	l2cap_add_scid(chan, cid);
3280 
3281 	l2cap_chan_set_defaults(chan);
3282 
3283 	if (cid == L2CAP_CID_SMP) {
3284 		u8 bdaddr_type;
3285 
3286 		hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3287 
3288 		if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3289 			chan->src_type = BDADDR_LE_PUBLIC;
3290 		else
3291 			chan->src_type = BDADDR_LE_RANDOM;
3292 	} else {
3293 		bacpy(&chan->src, &hdev->bdaddr);
3294 		chan->src_type = BDADDR_BREDR;
3295 	}
3296 
3297 	chan->state = BT_LISTEN;
3298 	chan->mode = L2CAP_MODE_BASIC;
3299 	chan->imtu = L2CAP_DEFAULT_MTU;
3300 	chan->ops = &smp_root_chan_ops;
3301 
3302 	/* Set correct nesting level for a parent/listening channel */
3303 	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3304 
3305 	return chan;
3306 }
3307 
3308 static void smp_del_chan(struct l2cap_chan *chan)
3309 {
3310 	struct smp_dev *smp;
3311 
3312 	BT_DBG("chan %p", chan);
3313 
3314 	smp = chan->data;
3315 	if (smp) {
3316 		chan->data = NULL;
3317 		crypto_free_cipher(smp->tfm_aes);
3318 		crypto_free_shash(smp->tfm_cmac);
3319 		crypto_free_kpp(smp->tfm_ecdh);
3320 		kzfree(smp);
3321 	}
3322 
3323 	l2cap_chan_put(chan);
3324 }
3325 
3326 static ssize_t force_bredr_smp_read(struct file *file,
3327 				    char __user *user_buf,
3328 				    size_t count, loff_t *ppos)
3329 {
3330 	struct hci_dev *hdev = file->private_data;
3331 	char buf[3];
3332 
3333 	buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3334 	buf[1] = '\n';
3335 	buf[2] = '\0';
3336 	return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3337 }
3338 
3339 static ssize_t force_bredr_smp_write(struct file *file,
3340 				     const char __user *user_buf,
3341 				     size_t count, loff_t *ppos)
3342 {
3343 	struct hci_dev *hdev = file->private_data;
3344 	bool enable;
3345 	int err;
3346 
3347 	err = kstrtobool_from_user(user_buf, count, &enable);
3348 	if (err)
3349 		return err;
3350 
3351 	if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3352 		return -EALREADY;
3353 
3354 	if (enable) {
3355 		struct l2cap_chan *chan;
3356 
3357 		chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3358 		if (IS_ERR(chan))
3359 			return PTR_ERR(chan);
3360 
3361 		hdev->smp_bredr_data = chan;
3362 	} else {
3363 		struct l2cap_chan *chan;
3364 
3365 		chan = hdev->smp_bredr_data;
3366 		hdev->smp_bredr_data = NULL;
3367 		smp_del_chan(chan);
3368 	}
3369 
3370 	hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3371 
3372 	return count;
3373 }
3374 
3375 static const struct file_operations force_bredr_smp_fops = {
3376 	.open		= simple_open,
3377 	.read		= force_bredr_smp_read,
3378 	.write		= force_bredr_smp_write,
3379 	.llseek		= default_llseek,
3380 };
3381 
3382 static ssize_t le_min_key_size_read(struct file *file,
3383 				     char __user *user_buf,
3384 				     size_t count, loff_t *ppos)
3385 {
3386 	struct hci_dev *hdev = file->private_data;
3387 	char buf[4];
3388 
3389 	snprintf(buf, sizeof(buf), "%2u\n", hdev->le_min_key_size);
3390 
3391 	return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3392 }
3393 
3394 static ssize_t le_min_key_size_write(struct file *file,
3395 				      const char __user *user_buf,
3396 				      size_t count, loff_t *ppos)
3397 {
3398 	struct hci_dev *hdev = file->private_data;
3399 	char buf[32];
3400 	size_t buf_size = min(count, (sizeof(buf) - 1));
3401 	u8 key_size;
3402 
3403 	if (copy_from_user(buf, user_buf, buf_size))
3404 		return -EFAULT;
3405 
3406 	buf[buf_size] = '\0';
3407 
3408 	sscanf(buf, "%hhu", &key_size);
3409 
3410 	if (key_size > hdev->le_max_key_size ||
3411 	    key_size < SMP_MIN_ENC_KEY_SIZE)
3412 		return -EINVAL;
3413 
3414 	hdev->le_min_key_size = key_size;
3415 
3416 	return count;
3417 }
3418 
3419 static const struct file_operations le_min_key_size_fops = {
3420 	.open		= simple_open,
3421 	.read		= le_min_key_size_read,
3422 	.write		= le_min_key_size_write,
3423 	.llseek		= default_llseek,
3424 };
3425 
3426 static ssize_t le_max_key_size_read(struct file *file,
3427 				     char __user *user_buf,
3428 				     size_t count, loff_t *ppos)
3429 {
3430 	struct hci_dev *hdev = file->private_data;
3431 	char buf[4];
3432 
3433 	snprintf(buf, sizeof(buf), "%2u\n", hdev->le_max_key_size);
3434 
3435 	return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3436 }
3437 
3438 static ssize_t le_max_key_size_write(struct file *file,
3439 				      const char __user *user_buf,
3440 				      size_t count, loff_t *ppos)
3441 {
3442 	struct hci_dev *hdev = file->private_data;
3443 	char buf[32];
3444 	size_t buf_size = min(count, (sizeof(buf) - 1));
3445 	u8 key_size;
3446 
3447 	if (copy_from_user(buf, user_buf, buf_size))
3448 		return -EFAULT;
3449 
3450 	buf[buf_size] = '\0';
3451 
3452 	sscanf(buf, "%hhu", &key_size);
3453 
3454 	if (key_size > SMP_MAX_ENC_KEY_SIZE ||
3455 	    key_size < hdev->le_min_key_size)
3456 		return -EINVAL;
3457 
3458 	hdev->le_max_key_size = key_size;
3459 
3460 	return count;
3461 }
3462 
3463 static const struct file_operations le_max_key_size_fops = {
3464 	.open		= simple_open,
3465 	.read		= le_max_key_size_read,
3466 	.write		= le_max_key_size_write,
3467 	.llseek		= default_llseek,
3468 };
3469 
3470 int smp_register(struct hci_dev *hdev)
3471 {
3472 	struct l2cap_chan *chan;
3473 
3474 	BT_DBG("%s", hdev->name);
3475 
3476 	/* If the controller does not support Low Energy operation, then
3477 	 * there is also no need to register any SMP channel.
3478 	 */
3479 	if (!lmp_le_capable(hdev))
3480 		return 0;
3481 
3482 	if (WARN_ON(hdev->smp_data)) {
3483 		chan = hdev->smp_data;
3484 		hdev->smp_data = NULL;
3485 		smp_del_chan(chan);
3486 	}
3487 
3488 	chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3489 	if (IS_ERR(chan))
3490 		return PTR_ERR(chan);
3491 
3492 	hdev->smp_data = chan;
3493 
3494 	debugfs_create_file("le_min_key_size", 0644, hdev->debugfs, hdev,
3495 			    &le_min_key_size_fops);
3496 	debugfs_create_file("le_max_key_size", 0644, hdev->debugfs, hdev,
3497 			    &le_max_key_size_fops);
3498 
3499 	/* If the controller does not support BR/EDR Secure Connections
3500 	 * feature, then the BR/EDR SMP channel shall not be present.
3501 	 *
3502 	 * To test this with Bluetooth 4.0 controllers, create a debugfs
3503 	 * switch that allows forcing BR/EDR SMP support and accepting
3504 	 * cross-transport pairing on non-AES encrypted connections.
3505 	 */
3506 	if (!lmp_sc_capable(hdev)) {
3507 		debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3508 				    hdev, &force_bredr_smp_fops);
3509 
3510 		/* Flag can be already set here (due to power toggle) */
3511 		if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3512 			return 0;
3513 	}
3514 
3515 	if (WARN_ON(hdev->smp_bredr_data)) {
3516 		chan = hdev->smp_bredr_data;
3517 		hdev->smp_bredr_data = NULL;
3518 		smp_del_chan(chan);
3519 	}
3520 
3521 	chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3522 	if (IS_ERR(chan)) {
3523 		int err = PTR_ERR(chan);
3524 		chan = hdev->smp_data;
3525 		hdev->smp_data = NULL;
3526 		smp_del_chan(chan);
3527 		return err;
3528 	}
3529 
3530 	hdev->smp_bredr_data = chan;
3531 
3532 	return 0;
3533 }
3534 
3535 void smp_unregister(struct hci_dev *hdev)
3536 {
3537 	struct l2cap_chan *chan;
3538 
3539 	if (hdev->smp_bredr_data) {
3540 		chan = hdev->smp_bredr_data;
3541 		hdev->smp_bredr_data = NULL;
3542 		smp_del_chan(chan);
3543 	}
3544 
3545 	if (hdev->smp_data) {
3546 		chan = hdev->smp_data;
3547 		hdev->smp_data = NULL;
3548 		smp_del_chan(chan);
3549 	}
3550 }
3551 
3552 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3553 
3554 static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
3555 {
3556 	u8 pk[64];
3557 	int err;
3558 
3559 	err = set_ecdh_privkey(tfm_ecdh, debug_sk);
3560 	if (err)
3561 		return err;
3562 
3563 	err = generate_ecdh_public_key(tfm_ecdh, pk);
3564 	if (err)
3565 		return err;
3566 
3567 	if (crypto_memneq(pk, debug_pk, 64))
3568 		return -EINVAL;
3569 
3570 	return 0;
3571 }
3572 
3573 static int __init test_ah(struct crypto_cipher *tfm_aes)
3574 {
3575 	const u8 irk[16] = {
3576 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3577 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3578 	const u8 r[3] = { 0x94, 0x81, 0x70 };
3579 	const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3580 	u8 res[3];
3581 	int err;
3582 
3583 	err = smp_ah(tfm_aes, irk, r, res);
3584 	if (err)
3585 		return err;
3586 
3587 	if (crypto_memneq(res, exp, 3))
3588 		return -EINVAL;
3589 
3590 	return 0;
3591 }
3592 
3593 static int __init test_c1(struct crypto_cipher *tfm_aes)
3594 {
3595 	const u8 k[16] = {
3596 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3597 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3598 	const u8 r[16] = {
3599 			0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3600 			0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3601 	const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3602 	const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3603 	const u8 _iat = 0x01;
3604 	const u8 _rat = 0x00;
3605 	const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3606 	const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3607 	const u8 exp[16] = {
3608 			0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3609 			0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3610 	u8 res[16];
3611 	int err;
3612 
3613 	err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3614 	if (err)
3615 		return err;
3616 
3617 	if (crypto_memneq(res, exp, 16))
3618 		return -EINVAL;
3619 
3620 	return 0;
3621 }
3622 
3623 static int __init test_s1(struct crypto_cipher *tfm_aes)
3624 {
3625 	const u8 k[16] = {
3626 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3627 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3628 	const u8 r1[16] = {
3629 			0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3630 	const u8 r2[16] = {
3631 			0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3632 	const u8 exp[16] = {
3633 			0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3634 			0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3635 	u8 res[16];
3636 	int err;
3637 
3638 	err = smp_s1(tfm_aes, k, r1, r2, res);
3639 	if (err)
3640 		return err;
3641 
3642 	if (crypto_memneq(res, exp, 16))
3643 		return -EINVAL;
3644 
3645 	return 0;
3646 }
3647 
3648 static int __init test_f4(struct crypto_shash *tfm_cmac)
3649 {
3650 	const u8 u[32] = {
3651 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3652 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3653 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3654 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3655 	const u8 v[32] = {
3656 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3657 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3658 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3659 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3660 	const u8 x[16] = {
3661 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3662 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3663 	const u8 z = 0x00;
3664 	const u8 exp[16] = {
3665 			0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3666 			0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3667 	u8 res[16];
3668 	int err;
3669 
3670 	err = smp_f4(tfm_cmac, u, v, x, z, res);
3671 	if (err)
3672 		return err;
3673 
3674 	if (crypto_memneq(res, exp, 16))
3675 		return -EINVAL;
3676 
3677 	return 0;
3678 }
3679 
3680 static int __init test_f5(struct crypto_shash *tfm_cmac)
3681 {
3682 	const u8 w[32] = {
3683 			0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3684 			0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3685 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3686 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3687 	const u8 n1[16] = {
3688 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3689 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3690 	const u8 n2[16] = {
3691 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3692 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3693 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3694 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3695 	const u8 exp_ltk[16] = {
3696 			0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3697 			0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3698 	const u8 exp_mackey[16] = {
3699 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3700 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3701 	u8 mackey[16], ltk[16];
3702 	int err;
3703 
3704 	err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3705 	if (err)
3706 		return err;
3707 
3708 	if (crypto_memneq(mackey, exp_mackey, 16))
3709 		return -EINVAL;
3710 
3711 	if (crypto_memneq(ltk, exp_ltk, 16))
3712 		return -EINVAL;
3713 
3714 	return 0;
3715 }
3716 
3717 static int __init test_f6(struct crypto_shash *tfm_cmac)
3718 {
3719 	const u8 w[16] = {
3720 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3721 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3722 	const u8 n1[16] = {
3723 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3724 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3725 	const u8 n2[16] = {
3726 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3727 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3728 	const u8 r[16] = {
3729 			0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3730 			0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3731 	const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3732 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3733 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3734 	const u8 exp[16] = {
3735 			0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3736 			0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3737 	u8 res[16];
3738 	int err;
3739 
3740 	err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3741 	if (err)
3742 		return err;
3743 
3744 	if (crypto_memneq(res, exp, 16))
3745 		return -EINVAL;
3746 
3747 	return 0;
3748 }
3749 
3750 static int __init test_g2(struct crypto_shash *tfm_cmac)
3751 {
3752 	const u8 u[32] = {
3753 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3754 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3755 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3756 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3757 	const u8 v[32] = {
3758 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3759 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3760 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3761 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3762 	const u8 x[16] = {
3763 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3764 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3765 	const u8 y[16] = {
3766 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3767 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3768 	const u32 exp_val = 0x2f9ed5ba % 1000000;
3769 	u32 val;
3770 	int err;
3771 
3772 	err = smp_g2(tfm_cmac, u, v, x, y, &val);
3773 	if (err)
3774 		return err;
3775 
3776 	if (val != exp_val)
3777 		return -EINVAL;
3778 
3779 	return 0;
3780 }
3781 
3782 static int __init test_h6(struct crypto_shash *tfm_cmac)
3783 {
3784 	const u8 w[16] = {
3785 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3786 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3787 	const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3788 	const u8 exp[16] = {
3789 			0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3790 			0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3791 	u8 res[16];
3792 	int err;
3793 
3794 	err = smp_h6(tfm_cmac, w, key_id, res);
3795 	if (err)
3796 		return err;
3797 
3798 	if (crypto_memneq(res, exp, 16))
3799 		return -EINVAL;
3800 
3801 	return 0;
3802 }
3803 
3804 static char test_smp_buffer[32];
3805 
3806 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3807 			     size_t count, loff_t *ppos)
3808 {
3809 	return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3810 				       strlen(test_smp_buffer));
3811 }
3812 
3813 static const struct file_operations test_smp_fops = {
3814 	.open		= simple_open,
3815 	.read		= test_smp_read,
3816 	.llseek		= default_llseek,
3817 };
3818 
3819 static int __init run_selftests(struct crypto_cipher *tfm_aes,
3820 				struct crypto_shash *tfm_cmac,
3821 				struct crypto_kpp *tfm_ecdh)
3822 {
3823 	ktime_t calltime, delta, rettime;
3824 	unsigned long long duration;
3825 	int err;
3826 
3827 	calltime = ktime_get();
3828 
3829 	err = test_debug_key(tfm_ecdh);
3830 	if (err) {
3831 		BT_ERR("debug_key test failed");
3832 		goto done;
3833 	}
3834 
3835 	err = test_ah(tfm_aes);
3836 	if (err) {
3837 		BT_ERR("smp_ah test failed");
3838 		goto done;
3839 	}
3840 
3841 	err = test_c1(tfm_aes);
3842 	if (err) {
3843 		BT_ERR("smp_c1 test failed");
3844 		goto done;
3845 	}
3846 
3847 	err = test_s1(tfm_aes);
3848 	if (err) {
3849 		BT_ERR("smp_s1 test failed");
3850 		goto done;
3851 	}
3852 
3853 	err = test_f4(tfm_cmac);
3854 	if (err) {
3855 		BT_ERR("smp_f4 test failed");
3856 		goto done;
3857 	}
3858 
3859 	err = test_f5(tfm_cmac);
3860 	if (err) {
3861 		BT_ERR("smp_f5 test failed");
3862 		goto done;
3863 	}
3864 
3865 	err = test_f6(tfm_cmac);
3866 	if (err) {
3867 		BT_ERR("smp_f6 test failed");
3868 		goto done;
3869 	}
3870 
3871 	err = test_g2(tfm_cmac);
3872 	if (err) {
3873 		BT_ERR("smp_g2 test failed");
3874 		goto done;
3875 	}
3876 
3877 	err = test_h6(tfm_cmac);
3878 	if (err) {
3879 		BT_ERR("smp_h6 test failed");
3880 		goto done;
3881 	}
3882 
3883 	rettime = ktime_get();
3884 	delta = ktime_sub(rettime, calltime);
3885 	duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3886 
3887 	BT_INFO("SMP test passed in %llu usecs", duration);
3888 
3889 done:
3890 	if (!err)
3891 		snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3892 			 "PASS (%llu usecs)\n", duration);
3893 	else
3894 		snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3895 
3896 	debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3897 			    &test_smp_fops);
3898 
3899 	return err;
3900 }
3901 
3902 int __init bt_selftest_smp(void)
3903 {
3904 	struct crypto_cipher *tfm_aes;
3905 	struct crypto_shash *tfm_cmac;
3906 	struct crypto_kpp *tfm_ecdh;
3907 	int err;
3908 
3909 	tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
3910 	if (IS_ERR(tfm_aes)) {
3911 		BT_ERR("Unable to create AES crypto context");
3912 		return PTR_ERR(tfm_aes);
3913 	}
3914 
3915 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3916 	if (IS_ERR(tfm_cmac)) {
3917 		BT_ERR("Unable to create CMAC crypto context");
3918 		crypto_free_cipher(tfm_aes);
3919 		return PTR_ERR(tfm_cmac);
3920 	}
3921 
3922 	tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
3923 	if (IS_ERR(tfm_ecdh)) {
3924 		BT_ERR("Unable to create ECDH crypto context");
3925 		crypto_free_shash(tfm_cmac);
3926 		crypto_free_cipher(tfm_aes);
3927 		return PTR_ERR(tfm_ecdh);
3928 	}
3929 
3930 	err = run_selftests(tfm_aes, tfm_cmac, tfm_ecdh);
3931 
3932 	crypto_free_shash(tfm_cmac);
3933 	crypto_free_cipher(tfm_aes);
3934 	crypto_free_kpp(tfm_ecdh);
3935 
3936 	return err;
3937 }
3938 
3939 #endif
3940