xref: /linux/net/bluetooth/smp.c (revision cfda8617e22a8bf217a613d0b3ba3a38778443ba)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4 
5    This program is free software; you can redistribute it and/or modify
6    it under the terms of the GNU General Public License version 2 as
7    published by the Free Software Foundation;
8 
9    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 
18    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20    SOFTWARE IS DISCLAIMED.
21 */
22 
23 #include <linux/debugfs.h>
24 #include <linux/scatterlist.h>
25 #include <linux/crypto.h>
26 #include <crypto/aes.h>
27 #include <crypto/algapi.h>
28 #include <crypto/b128ops.h>
29 #include <crypto/hash.h>
30 #include <crypto/kpp.h>
31 
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/l2cap.h>
35 #include <net/bluetooth/mgmt.h>
36 
37 #include "ecdh_helper.h"
38 #include "smp.h"
39 
40 #define SMP_DEV(hdev) \
41 	((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
42 
43 /* Low-level debug macros to be used for stuff that we don't want
44  * accidentially in dmesg, i.e. the values of the various crypto keys
45  * and the inputs & outputs of crypto functions.
46  */
47 #ifdef DEBUG
48 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
49 				 ##__VA_ARGS__)
50 #else
51 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
52 				    ##__VA_ARGS__)
53 #endif
54 
55 #define SMP_ALLOW_CMD(smp, code)	set_bit(code, &smp->allow_cmd)
56 
57 /* Keys which are not distributed with Secure Connections */
58 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
59 
60 #define SMP_TIMEOUT	msecs_to_jiffies(30000)
61 
62 #define AUTH_REQ_MASK(dev)	(hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
63 				 0x3f : 0x07)
64 #define KEY_DIST_MASK		0x07
65 
66 /* Maximum message length that can be passed to aes_cmac */
67 #define CMAC_MSG_MAX	80
68 
69 enum {
70 	SMP_FLAG_TK_VALID,
71 	SMP_FLAG_CFM_PENDING,
72 	SMP_FLAG_MITM_AUTH,
73 	SMP_FLAG_COMPLETE,
74 	SMP_FLAG_INITIATOR,
75 	SMP_FLAG_SC,
76 	SMP_FLAG_REMOTE_PK,
77 	SMP_FLAG_DEBUG_KEY,
78 	SMP_FLAG_WAIT_USER,
79 	SMP_FLAG_DHKEY_PENDING,
80 	SMP_FLAG_REMOTE_OOB,
81 	SMP_FLAG_LOCAL_OOB,
82 	SMP_FLAG_CT2,
83 };
84 
85 struct smp_dev {
86 	/* Secure Connections OOB data */
87 	bool			local_oob;
88 	u8			local_pk[64];
89 	u8			local_rand[16];
90 	bool			debug_key;
91 
92 	struct crypto_shash	*tfm_cmac;
93 	struct crypto_kpp	*tfm_ecdh;
94 };
95 
96 struct smp_chan {
97 	struct l2cap_conn	*conn;
98 	struct delayed_work	security_timer;
99 	unsigned long           allow_cmd; /* Bitmask of allowed commands */
100 
101 	u8		preq[7]; /* SMP Pairing Request */
102 	u8		prsp[7]; /* SMP Pairing Response */
103 	u8		prnd[16]; /* SMP Pairing Random (local) */
104 	u8		rrnd[16]; /* SMP Pairing Random (remote) */
105 	u8		pcnf[16]; /* SMP Pairing Confirm */
106 	u8		tk[16]; /* SMP Temporary Key */
107 	u8		rr[16]; /* Remote OOB ra/rb value */
108 	u8		lr[16]; /* Local OOB ra/rb value */
109 	u8		enc_key_size;
110 	u8		remote_key_dist;
111 	bdaddr_t	id_addr;
112 	u8		id_addr_type;
113 	u8		irk[16];
114 	struct smp_csrk	*csrk;
115 	struct smp_csrk	*slave_csrk;
116 	struct smp_ltk	*ltk;
117 	struct smp_ltk	*slave_ltk;
118 	struct smp_irk	*remote_irk;
119 	u8		*link_key;
120 	unsigned long	flags;
121 	u8		method;
122 	u8		passkey_round;
123 
124 	/* Secure Connections variables */
125 	u8			local_pk[64];
126 	u8			remote_pk[64];
127 	u8			dhkey[32];
128 	u8			mackey[16];
129 
130 	struct crypto_shash	*tfm_cmac;
131 	struct crypto_kpp	*tfm_ecdh;
132 };
133 
134 /* These debug key values are defined in the SMP section of the core
135  * specification. debug_pk is the public debug key and debug_sk the
136  * private debug key.
137  */
138 static const u8 debug_pk[64] = {
139 		0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
140 		0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
141 		0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
142 		0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
143 
144 		0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
145 		0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
146 		0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
147 		0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
148 };
149 
150 static const u8 debug_sk[32] = {
151 		0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
152 		0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
153 		0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
154 		0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
155 };
156 
157 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
158 {
159 	size_t i;
160 
161 	for (i = 0; i < len; i++)
162 		dst[len - 1 - i] = src[i];
163 }
164 
165 /* The following functions map to the LE SC SMP crypto functions
166  * AES-CMAC, f4, f5, f6, g2 and h6.
167  */
168 
169 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
170 		    size_t len, u8 mac[16])
171 {
172 	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
173 	SHASH_DESC_ON_STACK(desc, tfm);
174 	int err;
175 
176 	if (len > CMAC_MSG_MAX)
177 		return -EFBIG;
178 
179 	if (!tfm) {
180 		BT_ERR("tfm %p", tfm);
181 		return -EINVAL;
182 	}
183 
184 	desc->tfm = tfm;
185 
186 	/* Swap key and message from LSB to MSB */
187 	swap_buf(k, tmp, 16);
188 	swap_buf(m, msg_msb, len);
189 
190 	SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
191 	SMP_DBG("key %16phN", k);
192 
193 	err = crypto_shash_setkey(tfm, tmp, 16);
194 	if (err) {
195 		BT_ERR("cipher setkey failed: %d", err);
196 		return err;
197 	}
198 
199 	err = crypto_shash_digest(desc, msg_msb, len, mac_msb);
200 	shash_desc_zero(desc);
201 	if (err) {
202 		BT_ERR("Hash computation error %d", err);
203 		return err;
204 	}
205 
206 	swap_buf(mac_msb, mac, 16);
207 
208 	SMP_DBG("mac %16phN", mac);
209 
210 	return 0;
211 }
212 
213 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
214 		  const u8 v[32], const u8 x[16], u8 z, u8 res[16])
215 {
216 	u8 m[65];
217 	int err;
218 
219 	SMP_DBG("u %32phN", u);
220 	SMP_DBG("v %32phN", v);
221 	SMP_DBG("x %16phN z %02x", x, z);
222 
223 	m[0] = z;
224 	memcpy(m + 1, v, 32);
225 	memcpy(m + 33, u, 32);
226 
227 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
228 	if (err)
229 		return err;
230 
231 	SMP_DBG("res %16phN", res);
232 
233 	return err;
234 }
235 
236 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
237 		  const u8 n1[16], const u8 n2[16], const u8 a1[7],
238 		  const u8 a2[7], u8 mackey[16], u8 ltk[16])
239 {
240 	/* The btle, salt and length "magic" values are as defined in
241 	 * the SMP section of the Bluetooth core specification. In ASCII
242 	 * the btle value ends up being 'btle'. The salt is just a
243 	 * random number whereas length is the value 256 in little
244 	 * endian format.
245 	 */
246 	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
247 	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
248 			      0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
249 	const u8 length[2] = { 0x00, 0x01 };
250 	u8 m[53], t[16];
251 	int err;
252 
253 	SMP_DBG("w %32phN", w);
254 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
255 	SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
256 
257 	err = aes_cmac(tfm_cmac, salt, w, 32, t);
258 	if (err)
259 		return err;
260 
261 	SMP_DBG("t %16phN", t);
262 
263 	memcpy(m, length, 2);
264 	memcpy(m + 2, a2, 7);
265 	memcpy(m + 9, a1, 7);
266 	memcpy(m + 16, n2, 16);
267 	memcpy(m + 32, n1, 16);
268 	memcpy(m + 48, btle, 4);
269 
270 	m[52] = 0; /* Counter */
271 
272 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
273 	if (err)
274 		return err;
275 
276 	SMP_DBG("mackey %16phN", mackey);
277 
278 	m[52] = 1; /* Counter */
279 
280 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
281 	if (err)
282 		return err;
283 
284 	SMP_DBG("ltk %16phN", ltk);
285 
286 	return 0;
287 }
288 
289 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
290 		  const u8 n1[16], const u8 n2[16], const u8 r[16],
291 		  const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
292 		  u8 res[16])
293 {
294 	u8 m[65];
295 	int err;
296 
297 	SMP_DBG("w %16phN", w);
298 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
299 	SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
300 
301 	memcpy(m, a2, 7);
302 	memcpy(m + 7, a1, 7);
303 	memcpy(m + 14, io_cap, 3);
304 	memcpy(m + 17, r, 16);
305 	memcpy(m + 33, n2, 16);
306 	memcpy(m + 49, n1, 16);
307 
308 	err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
309 	if (err)
310 		return err;
311 
312 	SMP_DBG("res %16phN", res);
313 
314 	return err;
315 }
316 
317 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
318 		  const u8 x[16], const u8 y[16], u32 *val)
319 {
320 	u8 m[80], tmp[16];
321 	int err;
322 
323 	SMP_DBG("u %32phN", u);
324 	SMP_DBG("v %32phN", v);
325 	SMP_DBG("x %16phN y %16phN", x, y);
326 
327 	memcpy(m, y, 16);
328 	memcpy(m + 16, v, 32);
329 	memcpy(m + 48, u, 32);
330 
331 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
332 	if (err)
333 		return err;
334 
335 	*val = get_unaligned_le32(tmp);
336 	*val %= 1000000;
337 
338 	SMP_DBG("val %06u", *val);
339 
340 	return 0;
341 }
342 
343 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
344 		  const u8 key_id[4], u8 res[16])
345 {
346 	int err;
347 
348 	SMP_DBG("w %16phN key_id %4phN", w, key_id);
349 
350 	err = aes_cmac(tfm_cmac, w, key_id, 4, res);
351 	if (err)
352 		return err;
353 
354 	SMP_DBG("res %16phN", res);
355 
356 	return err;
357 }
358 
359 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
360 		  const u8 salt[16], u8 res[16])
361 {
362 	int err;
363 
364 	SMP_DBG("w %16phN salt %16phN", w, salt);
365 
366 	err = aes_cmac(tfm_cmac, salt, w, 16, res);
367 	if (err)
368 		return err;
369 
370 	SMP_DBG("res %16phN", res);
371 
372 	return err;
373 }
374 
375 /* The following functions map to the legacy SMP crypto functions e, c1,
376  * s1 and ah.
377  */
378 
379 static int smp_e(const u8 *k, u8 *r)
380 {
381 	struct crypto_aes_ctx ctx;
382 	uint8_t tmp[16], data[16];
383 	int err;
384 
385 	SMP_DBG("k %16phN r %16phN", k, r);
386 
387 	/* The most significant octet of key corresponds to k[0] */
388 	swap_buf(k, tmp, 16);
389 
390 	err = aes_expandkey(&ctx, tmp, 16);
391 	if (err) {
392 		BT_ERR("cipher setkey failed: %d", err);
393 		return err;
394 	}
395 
396 	/* Most significant octet of plaintextData corresponds to data[0] */
397 	swap_buf(r, data, 16);
398 
399 	aes_encrypt(&ctx, data, data);
400 
401 	/* Most significant octet of encryptedData corresponds to data[0] */
402 	swap_buf(data, r, 16);
403 
404 	SMP_DBG("r %16phN", r);
405 
406 	memzero_explicit(&ctx, sizeof (ctx));
407 	return err;
408 }
409 
410 static int smp_c1(const u8 k[16],
411 		  const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
412 		  const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
413 {
414 	u8 p1[16], p2[16];
415 	int err;
416 
417 	SMP_DBG("k %16phN r %16phN", k, r);
418 	SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
419 	SMP_DBG("preq %7phN pres %7phN", preq, pres);
420 
421 	memset(p1, 0, 16);
422 
423 	/* p1 = pres || preq || _rat || _iat */
424 	p1[0] = _iat;
425 	p1[1] = _rat;
426 	memcpy(p1 + 2, preq, 7);
427 	memcpy(p1 + 9, pres, 7);
428 
429 	SMP_DBG("p1 %16phN", p1);
430 
431 	/* res = r XOR p1 */
432 	u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
433 
434 	/* res = e(k, res) */
435 	err = smp_e(k, res);
436 	if (err) {
437 		BT_ERR("Encrypt data error");
438 		return err;
439 	}
440 
441 	/* p2 = padding || ia || ra */
442 	memcpy(p2, ra, 6);
443 	memcpy(p2 + 6, ia, 6);
444 	memset(p2 + 12, 0, 4);
445 
446 	SMP_DBG("p2 %16phN", p2);
447 
448 	/* res = res XOR p2 */
449 	u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
450 
451 	/* res = e(k, res) */
452 	err = smp_e(k, res);
453 	if (err)
454 		BT_ERR("Encrypt data error");
455 
456 	return err;
457 }
458 
459 static int smp_s1(const u8 k[16],
460 		  const u8 r1[16], const u8 r2[16], u8 _r[16])
461 {
462 	int err;
463 
464 	/* Just least significant octets from r1 and r2 are considered */
465 	memcpy(_r, r2, 8);
466 	memcpy(_r + 8, r1, 8);
467 
468 	err = smp_e(k, _r);
469 	if (err)
470 		BT_ERR("Encrypt data error");
471 
472 	return err;
473 }
474 
475 static int smp_ah(const u8 irk[16], const u8 r[3], u8 res[3])
476 {
477 	u8 _res[16];
478 	int err;
479 
480 	/* r' = padding || r */
481 	memcpy(_res, r, 3);
482 	memset(_res + 3, 0, 13);
483 
484 	err = smp_e(irk, _res);
485 	if (err) {
486 		BT_ERR("Encrypt error");
487 		return err;
488 	}
489 
490 	/* The output of the random address function ah is:
491 	 *	ah(k, r) = e(k, r') mod 2^24
492 	 * The output of the security function e is then truncated to 24 bits
493 	 * by taking the least significant 24 bits of the output of e as the
494 	 * result of ah.
495 	 */
496 	memcpy(res, _res, 3);
497 
498 	return 0;
499 }
500 
501 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
502 		     const bdaddr_t *bdaddr)
503 {
504 	struct l2cap_chan *chan = hdev->smp_data;
505 	u8 hash[3];
506 	int err;
507 
508 	if (!chan || !chan->data)
509 		return false;
510 
511 	BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
512 
513 	err = smp_ah(irk, &bdaddr->b[3], hash);
514 	if (err)
515 		return false;
516 
517 	return !crypto_memneq(bdaddr->b, hash, 3);
518 }
519 
520 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
521 {
522 	struct l2cap_chan *chan = hdev->smp_data;
523 	int err;
524 
525 	if (!chan || !chan->data)
526 		return -EOPNOTSUPP;
527 
528 	get_random_bytes(&rpa->b[3], 3);
529 
530 	rpa->b[5] &= 0x3f;	/* Clear two most significant bits */
531 	rpa->b[5] |= 0x40;	/* Set second most significant bit */
532 
533 	err = smp_ah(irk, &rpa->b[3], rpa->b);
534 	if (err < 0)
535 		return err;
536 
537 	BT_DBG("RPA %pMR", rpa);
538 
539 	return 0;
540 }
541 
542 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
543 {
544 	struct l2cap_chan *chan = hdev->smp_data;
545 	struct smp_dev *smp;
546 	int err;
547 
548 	if (!chan || !chan->data)
549 		return -EOPNOTSUPP;
550 
551 	smp = chan->data;
552 
553 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
554 		BT_DBG("Using debug keys");
555 		err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk);
556 		if (err)
557 			return err;
558 		memcpy(smp->local_pk, debug_pk, 64);
559 		smp->debug_key = true;
560 	} else {
561 		while (true) {
562 			/* Generate key pair for Secure Connections */
563 			err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk);
564 			if (err)
565 				return err;
566 
567 			/* This is unlikely, but we need to check that
568 			 * we didn't accidentially generate a debug key.
569 			 */
570 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
571 				break;
572 		}
573 		smp->debug_key = false;
574 	}
575 
576 	SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
577 	SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
578 
579 	get_random_bytes(smp->local_rand, 16);
580 
581 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
582 		     smp->local_rand, 0, hash);
583 	if (err < 0)
584 		return err;
585 
586 	memcpy(rand, smp->local_rand, 16);
587 
588 	smp->local_oob = true;
589 
590 	return 0;
591 }
592 
593 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
594 {
595 	struct l2cap_chan *chan = conn->smp;
596 	struct smp_chan *smp;
597 	struct kvec iv[2];
598 	struct msghdr msg;
599 
600 	if (!chan)
601 		return;
602 
603 	BT_DBG("code 0x%2.2x", code);
604 
605 	iv[0].iov_base = &code;
606 	iv[0].iov_len = 1;
607 
608 	iv[1].iov_base = data;
609 	iv[1].iov_len = len;
610 
611 	memset(&msg, 0, sizeof(msg));
612 
613 	iov_iter_kvec(&msg.msg_iter, WRITE, iv, 2, 1 + len);
614 
615 	l2cap_chan_send(chan, &msg, 1 + len);
616 
617 	if (!chan->data)
618 		return;
619 
620 	smp = chan->data;
621 
622 	cancel_delayed_work_sync(&smp->security_timer);
623 	schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
624 }
625 
626 static u8 authreq_to_seclevel(u8 authreq)
627 {
628 	if (authreq & SMP_AUTH_MITM) {
629 		if (authreq & SMP_AUTH_SC)
630 			return BT_SECURITY_FIPS;
631 		else
632 			return BT_SECURITY_HIGH;
633 	} else {
634 		return BT_SECURITY_MEDIUM;
635 	}
636 }
637 
638 static __u8 seclevel_to_authreq(__u8 sec_level)
639 {
640 	switch (sec_level) {
641 	case BT_SECURITY_FIPS:
642 	case BT_SECURITY_HIGH:
643 		return SMP_AUTH_MITM | SMP_AUTH_BONDING;
644 	case BT_SECURITY_MEDIUM:
645 		return SMP_AUTH_BONDING;
646 	default:
647 		return SMP_AUTH_NONE;
648 	}
649 }
650 
651 static void build_pairing_cmd(struct l2cap_conn *conn,
652 			      struct smp_cmd_pairing *req,
653 			      struct smp_cmd_pairing *rsp, __u8 authreq)
654 {
655 	struct l2cap_chan *chan = conn->smp;
656 	struct smp_chan *smp = chan->data;
657 	struct hci_conn *hcon = conn->hcon;
658 	struct hci_dev *hdev = hcon->hdev;
659 	u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
660 
661 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
662 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
663 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
664 		authreq |= SMP_AUTH_BONDING;
665 	} else {
666 		authreq &= ~SMP_AUTH_BONDING;
667 	}
668 
669 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
670 		remote_dist |= SMP_DIST_ID_KEY;
671 
672 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
673 		local_dist |= SMP_DIST_ID_KEY;
674 
675 	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
676 	    (authreq & SMP_AUTH_SC)) {
677 		struct oob_data *oob_data;
678 		u8 bdaddr_type;
679 
680 		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
681 			local_dist |= SMP_DIST_LINK_KEY;
682 			remote_dist |= SMP_DIST_LINK_KEY;
683 		}
684 
685 		if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
686 			bdaddr_type = BDADDR_LE_PUBLIC;
687 		else
688 			bdaddr_type = BDADDR_LE_RANDOM;
689 
690 		oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
691 						    bdaddr_type);
692 		if (oob_data && oob_data->present) {
693 			set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
694 			oob_flag = SMP_OOB_PRESENT;
695 			memcpy(smp->rr, oob_data->rand256, 16);
696 			memcpy(smp->pcnf, oob_data->hash256, 16);
697 			SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
698 			SMP_DBG("OOB Remote Random: %16phN", smp->rr);
699 		}
700 
701 	} else {
702 		authreq &= ~SMP_AUTH_SC;
703 	}
704 
705 	if (rsp == NULL) {
706 		req->io_capability = conn->hcon->io_capability;
707 		req->oob_flag = oob_flag;
708 		req->max_key_size = hdev->le_max_key_size;
709 		req->init_key_dist = local_dist;
710 		req->resp_key_dist = remote_dist;
711 		req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
712 
713 		smp->remote_key_dist = remote_dist;
714 		return;
715 	}
716 
717 	rsp->io_capability = conn->hcon->io_capability;
718 	rsp->oob_flag = oob_flag;
719 	rsp->max_key_size = hdev->le_max_key_size;
720 	rsp->init_key_dist = req->init_key_dist & remote_dist;
721 	rsp->resp_key_dist = req->resp_key_dist & local_dist;
722 	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
723 
724 	smp->remote_key_dist = rsp->init_key_dist;
725 }
726 
727 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
728 {
729 	struct l2cap_chan *chan = conn->smp;
730 	struct hci_dev *hdev = conn->hcon->hdev;
731 	struct smp_chan *smp = chan->data;
732 
733 	if (max_key_size > hdev->le_max_key_size ||
734 	    max_key_size < SMP_MIN_ENC_KEY_SIZE)
735 		return SMP_ENC_KEY_SIZE;
736 
737 	smp->enc_key_size = max_key_size;
738 
739 	return 0;
740 }
741 
742 static void smp_chan_destroy(struct l2cap_conn *conn)
743 {
744 	struct l2cap_chan *chan = conn->smp;
745 	struct smp_chan *smp = chan->data;
746 	struct hci_conn *hcon = conn->hcon;
747 	bool complete;
748 
749 	BUG_ON(!smp);
750 
751 	cancel_delayed_work_sync(&smp->security_timer);
752 
753 	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
754 	mgmt_smp_complete(hcon, complete);
755 
756 	kzfree(smp->csrk);
757 	kzfree(smp->slave_csrk);
758 	kzfree(smp->link_key);
759 
760 	crypto_free_shash(smp->tfm_cmac);
761 	crypto_free_kpp(smp->tfm_ecdh);
762 
763 	/* Ensure that we don't leave any debug key around if debug key
764 	 * support hasn't been explicitly enabled.
765 	 */
766 	if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
767 	    !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
768 		list_del_rcu(&smp->ltk->list);
769 		kfree_rcu(smp->ltk, rcu);
770 		smp->ltk = NULL;
771 	}
772 
773 	/* If pairing failed clean up any keys we might have */
774 	if (!complete) {
775 		if (smp->ltk) {
776 			list_del_rcu(&smp->ltk->list);
777 			kfree_rcu(smp->ltk, rcu);
778 		}
779 
780 		if (smp->slave_ltk) {
781 			list_del_rcu(&smp->slave_ltk->list);
782 			kfree_rcu(smp->slave_ltk, rcu);
783 		}
784 
785 		if (smp->remote_irk) {
786 			list_del_rcu(&smp->remote_irk->list);
787 			kfree_rcu(smp->remote_irk, rcu);
788 		}
789 	}
790 
791 	chan->data = NULL;
792 	kzfree(smp);
793 	hci_conn_drop(hcon);
794 }
795 
796 static void smp_failure(struct l2cap_conn *conn, u8 reason)
797 {
798 	struct hci_conn *hcon = conn->hcon;
799 	struct l2cap_chan *chan = conn->smp;
800 
801 	if (reason)
802 		smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
803 			     &reason);
804 
805 	mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
806 
807 	if (chan->data)
808 		smp_chan_destroy(conn);
809 }
810 
811 #define JUST_WORKS	0x00
812 #define JUST_CFM	0x01
813 #define REQ_PASSKEY	0x02
814 #define CFM_PASSKEY	0x03
815 #define REQ_OOB		0x04
816 #define DSP_PASSKEY	0x05
817 #define OVERLAP		0xFF
818 
819 static const u8 gen_method[5][5] = {
820 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
821 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
822 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
823 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
824 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
825 };
826 
827 static const u8 sc_method[5][5] = {
828 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
829 	{ JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
830 	{ DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
831 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
832 	{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
833 };
834 
835 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
836 {
837 	/* If either side has unknown io_caps, use JUST_CFM (which gets
838 	 * converted later to JUST_WORKS if we're initiators.
839 	 */
840 	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
841 	    remote_io > SMP_IO_KEYBOARD_DISPLAY)
842 		return JUST_CFM;
843 
844 	if (test_bit(SMP_FLAG_SC, &smp->flags))
845 		return sc_method[remote_io][local_io];
846 
847 	return gen_method[remote_io][local_io];
848 }
849 
850 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
851 						u8 local_io, u8 remote_io)
852 {
853 	struct hci_conn *hcon = conn->hcon;
854 	struct l2cap_chan *chan = conn->smp;
855 	struct smp_chan *smp = chan->data;
856 	u32 passkey = 0;
857 	int ret = 0;
858 
859 	/* Initialize key for JUST WORKS */
860 	memset(smp->tk, 0, sizeof(smp->tk));
861 	clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
862 
863 	BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
864 
865 	/* If neither side wants MITM, either "just" confirm an incoming
866 	 * request or use just-works for outgoing ones. The JUST_CFM
867 	 * will be converted to JUST_WORKS if necessary later in this
868 	 * function. If either side has MITM look up the method from the
869 	 * table.
870 	 */
871 	if (!(auth & SMP_AUTH_MITM))
872 		smp->method = JUST_CFM;
873 	else
874 		smp->method = get_auth_method(smp, local_io, remote_io);
875 
876 	/* Don't confirm locally initiated pairing attempts */
877 	if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
878 						&smp->flags))
879 		smp->method = JUST_WORKS;
880 
881 	/* Don't bother user space with no IO capabilities */
882 	if (smp->method == JUST_CFM &&
883 	    hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
884 		smp->method = JUST_WORKS;
885 
886 	/* If Just Works, Continue with Zero TK */
887 	if (smp->method == JUST_WORKS) {
888 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
889 		return 0;
890 	}
891 
892 	/* If this function is used for SC -> legacy fallback we
893 	 * can only recover the just-works case.
894 	 */
895 	if (test_bit(SMP_FLAG_SC, &smp->flags))
896 		return -EINVAL;
897 
898 	/* Not Just Works/Confirm results in MITM Authentication */
899 	if (smp->method != JUST_CFM) {
900 		set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
901 		if (hcon->pending_sec_level < BT_SECURITY_HIGH)
902 			hcon->pending_sec_level = BT_SECURITY_HIGH;
903 	}
904 
905 	/* If both devices have Keyoard-Display I/O, the master
906 	 * Confirms and the slave Enters the passkey.
907 	 */
908 	if (smp->method == OVERLAP) {
909 		if (hcon->role == HCI_ROLE_MASTER)
910 			smp->method = CFM_PASSKEY;
911 		else
912 			smp->method = REQ_PASSKEY;
913 	}
914 
915 	/* Generate random passkey. */
916 	if (smp->method == CFM_PASSKEY) {
917 		memset(smp->tk, 0, sizeof(smp->tk));
918 		get_random_bytes(&passkey, sizeof(passkey));
919 		passkey %= 1000000;
920 		put_unaligned_le32(passkey, smp->tk);
921 		BT_DBG("PassKey: %d", passkey);
922 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
923 	}
924 
925 	if (smp->method == REQ_PASSKEY)
926 		ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
927 						hcon->type, hcon->dst_type);
928 	else if (smp->method == JUST_CFM)
929 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
930 						hcon->type, hcon->dst_type,
931 						passkey, 1);
932 	else
933 		ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
934 						hcon->type, hcon->dst_type,
935 						passkey, 0);
936 
937 	return ret;
938 }
939 
940 static u8 smp_confirm(struct smp_chan *smp)
941 {
942 	struct l2cap_conn *conn = smp->conn;
943 	struct smp_cmd_pairing_confirm cp;
944 	int ret;
945 
946 	BT_DBG("conn %p", conn);
947 
948 	ret = smp_c1(smp->tk, smp->prnd, smp->preq, smp->prsp,
949 		     conn->hcon->init_addr_type, &conn->hcon->init_addr,
950 		     conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
951 		     cp.confirm_val);
952 	if (ret)
953 		return SMP_UNSPECIFIED;
954 
955 	clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
956 
957 	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
958 
959 	if (conn->hcon->out)
960 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
961 	else
962 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
963 
964 	return 0;
965 }
966 
967 static u8 smp_random(struct smp_chan *smp)
968 {
969 	struct l2cap_conn *conn = smp->conn;
970 	struct hci_conn *hcon = conn->hcon;
971 	u8 confirm[16];
972 	int ret;
973 
974 	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
975 
976 	ret = smp_c1(smp->tk, smp->rrnd, smp->preq, smp->prsp,
977 		     hcon->init_addr_type, &hcon->init_addr,
978 		     hcon->resp_addr_type, &hcon->resp_addr, confirm);
979 	if (ret)
980 		return SMP_UNSPECIFIED;
981 
982 	if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
983 		bt_dev_err(hcon->hdev, "pairing failed "
984 			   "(confirmation values mismatch)");
985 		return SMP_CONFIRM_FAILED;
986 	}
987 
988 	if (hcon->out) {
989 		u8 stk[16];
990 		__le64 rand = 0;
991 		__le16 ediv = 0;
992 
993 		smp_s1(smp->tk, smp->rrnd, smp->prnd, stk);
994 
995 		if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
996 			return SMP_UNSPECIFIED;
997 
998 		hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
999 		hcon->enc_key_size = smp->enc_key_size;
1000 		set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1001 	} else {
1002 		u8 stk[16], auth;
1003 		__le64 rand = 0;
1004 		__le16 ediv = 0;
1005 
1006 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1007 			     smp->prnd);
1008 
1009 		smp_s1(smp->tk, smp->prnd, smp->rrnd, stk);
1010 
1011 		if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1012 			auth = 1;
1013 		else
1014 			auth = 0;
1015 
1016 		/* Even though there's no _SLAVE suffix this is the
1017 		 * slave STK we're adding for later lookup (the master
1018 		 * STK never needs to be stored).
1019 		 */
1020 		hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1021 			    SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1022 	}
1023 
1024 	return 0;
1025 }
1026 
1027 static void smp_notify_keys(struct l2cap_conn *conn)
1028 {
1029 	struct l2cap_chan *chan = conn->smp;
1030 	struct smp_chan *smp = chan->data;
1031 	struct hci_conn *hcon = conn->hcon;
1032 	struct hci_dev *hdev = hcon->hdev;
1033 	struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1034 	struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1035 	bool persistent;
1036 
1037 	if (hcon->type == ACL_LINK) {
1038 		if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1039 			persistent = false;
1040 		else
1041 			persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1042 					       &hcon->flags);
1043 	} else {
1044 		/* The LTKs, IRKs and CSRKs should be persistent only if
1045 		 * both sides had the bonding bit set in their
1046 		 * authentication requests.
1047 		 */
1048 		persistent = !!((req->auth_req & rsp->auth_req) &
1049 				SMP_AUTH_BONDING);
1050 	}
1051 
1052 	if (smp->remote_irk) {
1053 		mgmt_new_irk(hdev, smp->remote_irk, persistent);
1054 
1055 		/* Now that user space can be considered to know the
1056 		 * identity address track the connection based on it
1057 		 * from now on (assuming this is an LE link).
1058 		 */
1059 		if (hcon->type == LE_LINK) {
1060 			bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1061 			hcon->dst_type = smp->remote_irk->addr_type;
1062 			queue_work(hdev->workqueue, &conn->id_addr_update_work);
1063 		}
1064 	}
1065 
1066 	if (smp->csrk) {
1067 		smp->csrk->bdaddr_type = hcon->dst_type;
1068 		bacpy(&smp->csrk->bdaddr, &hcon->dst);
1069 		mgmt_new_csrk(hdev, smp->csrk, persistent);
1070 	}
1071 
1072 	if (smp->slave_csrk) {
1073 		smp->slave_csrk->bdaddr_type = hcon->dst_type;
1074 		bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1075 		mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1076 	}
1077 
1078 	if (smp->ltk) {
1079 		smp->ltk->bdaddr_type = hcon->dst_type;
1080 		bacpy(&smp->ltk->bdaddr, &hcon->dst);
1081 		mgmt_new_ltk(hdev, smp->ltk, persistent);
1082 	}
1083 
1084 	if (smp->slave_ltk) {
1085 		smp->slave_ltk->bdaddr_type = hcon->dst_type;
1086 		bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1087 		mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1088 	}
1089 
1090 	if (smp->link_key) {
1091 		struct link_key *key;
1092 		u8 type;
1093 
1094 		if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1095 			type = HCI_LK_DEBUG_COMBINATION;
1096 		else if (hcon->sec_level == BT_SECURITY_FIPS)
1097 			type = HCI_LK_AUTH_COMBINATION_P256;
1098 		else
1099 			type = HCI_LK_UNAUTH_COMBINATION_P256;
1100 
1101 		key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1102 				       smp->link_key, type, 0, &persistent);
1103 		if (key) {
1104 			mgmt_new_link_key(hdev, key, persistent);
1105 
1106 			/* Don't keep debug keys around if the relevant
1107 			 * flag is not set.
1108 			 */
1109 			if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1110 			    key->type == HCI_LK_DEBUG_COMBINATION) {
1111 				list_del_rcu(&key->list);
1112 				kfree_rcu(key, rcu);
1113 			}
1114 		}
1115 	}
1116 }
1117 
1118 static void sc_add_ltk(struct smp_chan *smp)
1119 {
1120 	struct hci_conn *hcon = smp->conn->hcon;
1121 	u8 key_type, auth;
1122 
1123 	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1124 		key_type = SMP_LTK_P256_DEBUG;
1125 	else
1126 		key_type = SMP_LTK_P256;
1127 
1128 	if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1129 		auth = 1;
1130 	else
1131 		auth = 0;
1132 
1133 	smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1134 			       key_type, auth, smp->tk, smp->enc_key_size,
1135 			       0, 0);
1136 }
1137 
1138 static void sc_generate_link_key(struct smp_chan *smp)
1139 {
1140 	/* From core spec. Spells out in ASCII as 'lebr'. */
1141 	const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1142 
1143 	smp->link_key = kzalloc(16, GFP_KERNEL);
1144 	if (!smp->link_key)
1145 		return;
1146 
1147 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1148 		/* SALT = 0x00000000000000000000000000000000746D7031 */
1149 		const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1150 
1151 		if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1152 			kzfree(smp->link_key);
1153 			smp->link_key = NULL;
1154 			return;
1155 		}
1156 	} else {
1157 		/* From core spec. Spells out in ASCII as 'tmp1'. */
1158 		const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1159 
1160 		if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1161 			kzfree(smp->link_key);
1162 			smp->link_key = NULL;
1163 			return;
1164 		}
1165 	}
1166 
1167 	if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1168 		kzfree(smp->link_key);
1169 		smp->link_key = NULL;
1170 		return;
1171 	}
1172 }
1173 
1174 static void smp_allow_key_dist(struct smp_chan *smp)
1175 {
1176 	/* Allow the first expected phase 3 PDU. The rest of the PDUs
1177 	 * will be allowed in each PDU handler to ensure we receive
1178 	 * them in the correct order.
1179 	 */
1180 	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1181 		SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1182 	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1183 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1184 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
1185 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1186 }
1187 
1188 static void sc_generate_ltk(struct smp_chan *smp)
1189 {
1190 	/* From core spec. Spells out in ASCII as 'brle'. */
1191 	const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1192 	struct hci_conn *hcon = smp->conn->hcon;
1193 	struct hci_dev *hdev = hcon->hdev;
1194 	struct link_key *key;
1195 
1196 	key = hci_find_link_key(hdev, &hcon->dst);
1197 	if (!key) {
1198 		bt_dev_err(hdev, "no Link Key found to generate LTK");
1199 		return;
1200 	}
1201 
1202 	if (key->type == HCI_LK_DEBUG_COMBINATION)
1203 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1204 
1205 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1206 		/* SALT = 0x00000000000000000000000000000000746D7032 */
1207 		const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1208 
1209 		if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1210 			return;
1211 	} else {
1212 		/* From core spec. Spells out in ASCII as 'tmp2'. */
1213 		const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1214 
1215 		if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1216 			return;
1217 	}
1218 
1219 	if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1220 		return;
1221 
1222 	sc_add_ltk(smp);
1223 }
1224 
1225 static void smp_distribute_keys(struct smp_chan *smp)
1226 {
1227 	struct smp_cmd_pairing *req, *rsp;
1228 	struct l2cap_conn *conn = smp->conn;
1229 	struct hci_conn *hcon = conn->hcon;
1230 	struct hci_dev *hdev = hcon->hdev;
1231 	__u8 *keydist;
1232 
1233 	BT_DBG("conn %p", conn);
1234 
1235 	rsp = (void *) &smp->prsp[1];
1236 
1237 	/* The responder sends its keys first */
1238 	if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1239 		smp_allow_key_dist(smp);
1240 		return;
1241 	}
1242 
1243 	req = (void *) &smp->preq[1];
1244 
1245 	if (hcon->out) {
1246 		keydist = &rsp->init_key_dist;
1247 		*keydist &= req->init_key_dist;
1248 	} else {
1249 		keydist = &rsp->resp_key_dist;
1250 		*keydist &= req->resp_key_dist;
1251 	}
1252 
1253 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1254 		if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1255 			sc_generate_link_key(smp);
1256 		if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1257 			sc_generate_ltk(smp);
1258 
1259 		/* Clear the keys which are generated but not distributed */
1260 		*keydist &= ~SMP_SC_NO_DIST;
1261 	}
1262 
1263 	BT_DBG("keydist 0x%x", *keydist);
1264 
1265 	if (*keydist & SMP_DIST_ENC_KEY) {
1266 		struct smp_cmd_encrypt_info enc;
1267 		struct smp_cmd_master_ident ident;
1268 		struct smp_ltk *ltk;
1269 		u8 authenticated;
1270 		__le16 ediv;
1271 		__le64 rand;
1272 
1273 		/* Make sure we generate only the significant amount of
1274 		 * bytes based on the encryption key size, and set the rest
1275 		 * of the value to zeroes.
1276 		 */
1277 		get_random_bytes(enc.ltk, smp->enc_key_size);
1278 		memset(enc.ltk + smp->enc_key_size, 0,
1279 		       sizeof(enc.ltk) - smp->enc_key_size);
1280 
1281 		get_random_bytes(&ediv, sizeof(ediv));
1282 		get_random_bytes(&rand, sizeof(rand));
1283 
1284 		smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1285 
1286 		authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1287 		ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1288 				  SMP_LTK_SLAVE, authenticated, enc.ltk,
1289 				  smp->enc_key_size, ediv, rand);
1290 		smp->slave_ltk = ltk;
1291 
1292 		ident.ediv = ediv;
1293 		ident.rand = rand;
1294 
1295 		smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1296 
1297 		*keydist &= ~SMP_DIST_ENC_KEY;
1298 	}
1299 
1300 	if (*keydist & SMP_DIST_ID_KEY) {
1301 		struct smp_cmd_ident_addr_info addrinfo;
1302 		struct smp_cmd_ident_info idinfo;
1303 
1304 		memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1305 
1306 		smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1307 
1308 		/* The hci_conn contains the local identity address
1309 		 * after the connection has been established.
1310 		 *
1311 		 * This is true even when the connection has been
1312 		 * established using a resolvable random address.
1313 		 */
1314 		bacpy(&addrinfo.bdaddr, &hcon->src);
1315 		addrinfo.addr_type = hcon->src_type;
1316 
1317 		smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1318 			     &addrinfo);
1319 
1320 		*keydist &= ~SMP_DIST_ID_KEY;
1321 	}
1322 
1323 	if (*keydist & SMP_DIST_SIGN) {
1324 		struct smp_cmd_sign_info sign;
1325 		struct smp_csrk *csrk;
1326 
1327 		/* Generate a new random key */
1328 		get_random_bytes(sign.csrk, sizeof(sign.csrk));
1329 
1330 		csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1331 		if (csrk) {
1332 			if (hcon->sec_level > BT_SECURITY_MEDIUM)
1333 				csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1334 			else
1335 				csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1336 			memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1337 		}
1338 		smp->slave_csrk = csrk;
1339 
1340 		smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1341 
1342 		*keydist &= ~SMP_DIST_SIGN;
1343 	}
1344 
1345 	/* If there are still keys to be received wait for them */
1346 	if (smp->remote_key_dist & KEY_DIST_MASK) {
1347 		smp_allow_key_dist(smp);
1348 		return;
1349 	}
1350 
1351 	set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1352 	smp_notify_keys(conn);
1353 
1354 	smp_chan_destroy(conn);
1355 }
1356 
1357 static void smp_timeout(struct work_struct *work)
1358 {
1359 	struct smp_chan *smp = container_of(work, struct smp_chan,
1360 					    security_timer.work);
1361 	struct l2cap_conn *conn = smp->conn;
1362 
1363 	BT_DBG("conn %p", conn);
1364 
1365 	hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1366 }
1367 
1368 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1369 {
1370 	struct l2cap_chan *chan = conn->smp;
1371 	struct smp_chan *smp;
1372 
1373 	smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1374 	if (!smp)
1375 		return NULL;
1376 
1377 	smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1378 	if (IS_ERR(smp->tfm_cmac)) {
1379 		BT_ERR("Unable to create CMAC crypto context");
1380 		goto zfree_smp;
1381 	}
1382 
1383 	smp->tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
1384 	if (IS_ERR(smp->tfm_ecdh)) {
1385 		BT_ERR("Unable to create ECDH crypto context");
1386 		goto free_shash;
1387 	}
1388 
1389 	smp->conn = conn;
1390 	chan->data = smp;
1391 
1392 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1393 
1394 	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1395 
1396 	hci_conn_hold(conn->hcon);
1397 
1398 	return smp;
1399 
1400 free_shash:
1401 	crypto_free_shash(smp->tfm_cmac);
1402 zfree_smp:
1403 	kzfree(smp);
1404 	return NULL;
1405 }
1406 
1407 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1408 {
1409 	struct hci_conn *hcon = smp->conn->hcon;
1410 	u8 *na, *nb, a[7], b[7];
1411 
1412 	if (hcon->out) {
1413 		na   = smp->prnd;
1414 		nb   = smp->rrnd;
1415 	} else {
1416 		na   = smp->rrnd;
1417 		nb   = smp->prnd;
1418 	}
1419 
1420 	memcpy(a, &hcon->init_addr, 6);
1421 	memcpy(b, &hcon->resp_addr, 6);
1422 	a[6] = hcon->init_addr_type;
1423 	b[6] = hcon->resp_addr_type;
1424 
1425 	return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1426 }
1427 
1428 static void sc_dhkey_check(struct smp_chan *smp)
1429 {
1430 	struct hci_conn *hcon = smp->conn->hcon;
1431 	struct smp_cmd_dhkey_check check;
1432 	u8 a[7], b[7], *local_addr, *remote_addr;
1433 	u8 io_cap[3], r[16];
1434 
1435 	memcpy(a, &hcon->init_addr, 6);
1436 	memcpy(b, &hcon->resp_addr, 6);
1437 	a[6] = hcon->init_addr_type;
1438 	b[6] = hcon->resp_addr_type;
1439 
1440 	if (hcon->out) {
1441 		local_addr = a;
1442 		remote_addr = b;
1443 		memcpy(io_cap, &smp->preq[1], 3);
1444 	} else {
1445 		local_addr = b;
1446 		remote_addr = a;
1447 		memcpy(io_cap, &smp->prsp[1], 3);
1448 	}
1449 
1450 	memset(r, 0, sizeof(r));
1451 
1452 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1453 		put_unaligned_le32(hcon->passkey_notify, r);
1454 
1455 	if (smp->method == REQ_OOB)
1456 		memcpy(r, smp->rr, 16);
1457 
1458 	smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1459 	       local_addr, remote_addr, check.e);
1460 
1461 	smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1462 }
1463 
1464 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1465 {
1466 	struct l2cap_conn *conn = smp->conn;
1467 	struct hci_conn *hcon = conn->hcon;
1468 	struct smp_cmd_pairing_confirm cfm;
1469 	u8 r;
1470 
1471 	r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1472 	r |= 0x80;
1473 
1474 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1475 
1476 	if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1477 		   cfm.confirm_val))
1478 		return SMP_UNSPECIFIED;
1479 
1480 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1481 
1482 	return 0;
1483 }
1484 
1485 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1486 {
1487 	struct l2cap_conn *conn = smp->conn;
1488 	struct hci_conn *hcon = conn->hcon;
1489 	struct hci_dev *hdev = hcon->hdev;
1490 	u8 cfm[16], r;
1491 
1492 	/* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1493 	if (smp->passkey_round >= 20)
1494 		return 0;
1495 
1496 	switch (smp_op) {
1497 	case SMP_CMD_PAIRING_RANDOM:
1498 		r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1499 		r |= 0x80;
1500 
1501 		if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1502 			   smp->rrnd, r, cfm))
1503 			return SMP_UNSPECIFIED;
1504 
1505 		if (crypto_memneq(smp->pcnf, cfm, 16))
1506 			return SMP_CONFIRM_FAILED;
1507 
1508 		smp->passkey_round++;
1509 
1510 		if (smp->passkey_round == 20) {
1511 			/* Generate MacKey and LTK */
1512 			if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1513 				return SMP_UNSPECIFIED;
1514 		}
1515 
1516 		/* The round is only complete when the initiator
1517 		 * receives pairing random.
1518 		 */
1519 		if (!hcon->out) {
1520 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1521 				     sizeof(smp->prnd), smp->prnd);
1522 			if (smp->passkey_round == 20)
1523 				SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1524 			else
1525 				SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1526 			return 0;
1527 		}
1528 
1529 		/* Start the next round */
1530 		if (smp->passkey_round != 20)
1531 			return sc_passkey_round(smp, 0);
1532 
1533 		/* Passkey rounds are complete - start DHKey Check */
1534 		sc_dhkey_check(smp);
1535 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1536 
1537 		break;
1538 
1539 	case SMP_CMD_PAIRING_CONFIRM:
1540 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1541 			set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1542 			return 0;
1543 		}
1544 
1545 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1546 
1547 		if (hcon->out) {
1548 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1549 				     sizeof(smp->prnd), smp->prnd);
1550 			return 0;
1551 		}
1552 
1553 		return sc_passkey_send_confirm(smp);
1554 
1555 	case SMP_CMD_PUBLIC_KEY:
1556 	default:
1557 		/* Initiating device starts the round */
1558 		if (!hcon->out)
1559 			return 0;
1560 
1561 		BT_DBG("%s Starting passkey round %u", hdev->name,
1562 		       smp->passkey_round + 1);
1563 
1564 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1565 
1566 		return sc_passkey_send_confirm(smp);
1567 	}
1568 
1569 	return 0;
1570 }
1571 
1572 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1573 {
1574 	struct l2cap_conn *conn = smp->conn;
1575 	struct hci_conn *hcon = conn->hcon;
1576 	u8 smp_op;
1577 
1578 	clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1579 
1580 	switch (mgmt_op) {
1581 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1582 		smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1583 		return 0;
1584 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1585 		smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1586 		return 0;
1587 	case MGMT_OP_USER_PASSKEY_REPLY:
1588 		hcon->passkey_notify = le32_to_cpu(passkey);
1589 		smp->passkey_round = 0;
1590 
1591 		if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1592 			smp_op = SMP_CMD_PAIRING_CONFIRM;
1593 		else
1594 			smp_op = 0;
1595 
1596 		if (sc_passkey_round(smp, smp_op))
1597 			return -EIO;
1598 
1599 		return 0;
1600 	}
1601 
1602 	/* Initiator sends DHKey check first */
1603 	if (hcon->out) {
1604 		sc_dhkey_check(smp);
1605 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1606 	} else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1607 		sc_dhkey_check(smp);
1608 		sc_add_ltk(smp);
1609 	}
1610 
1611 	return 0;
1612 }
1613 
1614 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1615 {
1616 	struct l2cap_conn *conn = hcon->l2cap_data;
1617 	struct l2cap_chan *chan;
1618 	struct smp_chan *smp;
1619 	u32 value;
1620 	int err;
1621 
1622 	BT_DBG("");
1623 
1624 	if (!conn)
1625 		return -ENOTCONN;
1626 
1627 	chan = conn->smp;
1628 	if (!chan)
1629 		return -ENOTCONN;
1630 
1631 	l2cap_chan_lock(chan);
1632 	if (!chan->data) {
1633 		err = -ENOTCONN;
1634 		goto unlock;
1635 	}
1636 
1637 	smp = chan->data;
1638 
1639 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1640 		err = sc_user_reply(smp, mgmt_op, passkey);
1641 		goto unlock;
1642 	}
1643 
1644 	switch (mgmt_op) {
1645 	case MGMT_OP_USER_PASSKEY_REPLY:
1646 		value = le32_to_cpu(passkey);
1647 		memset(smp->tk, 0, sizeof(smp->tk));
1648 		BT_DBG("PassKey: %d", value);
1649 		put_unaligned_le32(value, smp->tk);
1650 		/* Fall Through */
1651 	case MGMT_OP_USER_CONFIRM_REPLY:
1652 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1653 		break;
1654 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1655 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1656 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1657 		err = 0;
1658 		goto unlock;
1659 	default:
1660 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1661 		err = -EOPNOTSUPP;
1662 		goto unlock;
1663 	}
1664 
1665 	err = 0;
1666 
1667 	/* If it is our turn to send Pairing Confirm, do so now */
1668 	if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1669 		u8 rsp = smp_confirm(smp);
1670 		if (rsp)
1671 			smp_failure(conn, rsp);
1672 	}
1673 
1674 unlock:
1675 	l2cap_chan_unlock(chan);
1676 	return err;
1677 }
1678 
1679 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1680 				    struct smp_cmd_pairing *req,
1681 				    struct smp_cmd_pairing *rsp)
1682 {
1683 	struct l2cap_conn *conn = smp->conn;
1684 	struct hci_dev *hdev = conn->hcon->hdev;
1685 	u8 local_dist = 0, remote_dist = 0;
1686 
1687 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1688 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1689 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1690 	}
1691 
1692 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1693 		remote_dist |= SMP_DIST_ID_KEY;
1694 
1695 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1696 		local_dist |= SMP_DIST_ID_KEY;
1697 
1698 	if (!rsp) {
1699 		memset(req, 0, sizeof(*req));
1700 
1701 		req->auth_req        = SMP_AUTH_CT2;
1702 		req->init_key_dist   = local_dist;
1703 		req->resp_key_dist   = remote_dist;
1704 		req->max_key_size    = conn->hcon->enc_key_size;
1705 
1706 		smp->remote_key_dist = remote_dist;
1707 
1708 		return;
1709 	}
1710 
1711 	memset(rsp, 0, sizeof(*rsp));
1712 
1713 	rsp->auth_req        = SMP_AUTH_CT2;
1714 	rsp->max_key_size    = conn->hcon->enc_key_size;
1715 	rsp->init_key_dist   = req->init_key_dist & remote_dist;
1716 	rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1717 
1718 	smp->remote_key_dist = rsp->init_key_dist;
1719 }
1720 
1721 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1722 {
1723 	struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1724 	struct l2cap_chan *chan = conn->smp;
1725 	struct hci_dev *hdev = conn->hcon->hdev;
1726 	struct smp_chan *smp;
1727 	u8 key_size, auth, sec_level;
1728 	int ret;
1729 
1730 	BT_DBG("conn %p", conn);
1731 
1732 	if (skb->len < sizeof(*req))
1733 		return SMP_INVALID_PARAMS;
1734 
1735 	if (conn->hcon->role != HCI_ROLE_SLAVE)
1736 		return SMP_CMD_NOTSUPP;
1737 
1738 	if (!chan->data)
1739 		smp = smp_chan_create(conn);
1740 	else
1741 		smp = chan->data;
1742 
1743 	if (!smp)
1744 		return SMP_UNSPECIFIED;
1745 
1746 	/* We didn't start the pairing, so match remote */
1747 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
1748 
1749 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1750 	    (auth & SMP_AUTH_BONDING))
1751 		return SMP_PAIRING_NOTSUPP;
1752 
1753 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1754 		return SMP_AUTH_REQUIREMENTS;
1755 
1756 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
1757 	memcpy(&smp->preq[1], req, sizeof(*req));
1758 	skb_pull(skb, sizeof(*req));
1759 
1760 	/* If the remote side's OOB flag is set it means it has
1761 	 * successfully received our local OOB data - therefore set the
1762 	 * flag to indicate that local OOB is in use.
1763 	 */
1764 	if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1765 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1766 
1767 	/* SMP over BR/EDR requires special treatment */
1768 	if (conn->hcon->type == ACL_LINK) {
1769 		/* We must have a BR/EDR SC link */
1770 		if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1771 		    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1772 			return SMP_CROSS_TRANSP_NOT_ALLOWED;
1773 
1774 		set_bit(SMP_FLAG_SC, &smp->flags);
1775 
1776 		build_bredr_pairing_cmd(smp, req, &rsp);
1777 
1778 		if (req->auth_req & SMP_AUTH_CT2)
1779 			set_bit(SMP_FLAG_CT2, &smp->flags);
1780 
1781 		key_size = min(req->max_key_size, rsp.max_key_size);
1782 		if (check_enc_key_size(conn, key_size))
1783 			return SMP_ENC_KEY_SIZE;
1784 
1785 		/* Clear bits which are generated but not distributed */
1786 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1787 
1788 		smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1789 		memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1790 		smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1791 
1792 		smp_distribute_keys(smp);
1793 		return 0;
1794 	}
1795 
1796 	build_pairing_cmd(conn, req, &rsp, auth);
1797 
1798 	if (rsp.auth_req & SMP_AUTH_SC) {
1799 		set_bit(SMP_FLAG_SC, &smp->flags);
1800 
1801 		if (rsp.auth_req & SMP_AUTH_CT2)
1802 			set_bit(SMP_FLAG_CT2, &smp->flags);
1803 	}
1804 
1805 	if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1806 		sec_level = BT_SECURITY_MEDIUM;
1807 	else
1808 		sec_level = authreq_to_seclevel(auth);
1809 
1810 	if (sec_level > conn->hcon->pending_sec_level)
1811 		conn->hcon->pending_sec_level = sec_level;
1812 
1813 	/* If we need MITM check that it can be achieved */
1814 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1815 		u8 method;
1816 
1817 		method = get_auth_method(smp, conn->hcon->io_capability,
1818 					 req->io_capability);
1819 		if (method == JUST_WORKS || method == JUST_CFM)
1820 			return SMP_AUTH_REQUIREMENTS;
1821 	}
1822 
1823 	key_size = min(req->max_key_size, rsp.max_key_size);
1824 	if (check_enc_key_size(conn, key_size))
1825 		return SMP_ENC_KEY_SIZE;
1826 
1827 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1828 
1829 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1830 	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1831 
1832 	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1833 
1834 	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1835 
1836 	/* Strictly speaking we shouldn't allow Pairing Confirm for the
1837 	 * SC case, however some implementations incorrectly copy RFU auth
1838 	 * req bits from our security request, which may create a false
1839 	 * positive SC enablement.
1840 	 */
1841 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1842 
1843 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1844 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1845 		/* Clear bits which are generated but not distributed */
1846 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1847 		/* Wait for Public Key from Initiating Device */
1848 		return 0;
1849 	}
1850 
1851 	/* Request setup of TK */
1852 	ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1853 	if (ret)
1854 		return SMP_UNSPECIFIED;
1855 
1856 	return 0;
1857 }
1858 
1859 static u8 sc_send_public_key(struct smp_chan *smp)
1860 {
1861 	struct hci_dev *hdev = smp->conn->hcon->hdev;
1862 
1863 	BT_DBG("");
1864 
1865 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1866 		struct l2cap_chan *chan = hdev->smp_data;
1867 		struct smp_dev *smp_dev;
1868 
1869 		if (!chan || !chan->data)
1870 			return SMP_UNSPECIFIED;
1871 
1872 		smp_dev = chan->data;
1873 
1874 		memcpy(smp->local_pk, smp_dev->local_pk, 64);
1875 		memcpy(smp->lr, smp_dev->local_rand, 16);
1876 
1877 		if (smp_dev->debug_key)
1878 			set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1879 
1880 		goto done;
1881 	}
1882 
1883 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1884 		BT_DBG("Using debug keys");
1885 		if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
1886 			return SMP_UNSPECIFIED;
1887 		memcpy(smp->local_pk, debug_pk, 64);
1888 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1889 	} else {
1890 		while (true) {
1891 			/* Generate key pair for Secure Connections */
1892 			if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
1893 				return SMP_UNSPECIFIED;
1894 
1895 			/* This is unlikely, but we need to check that
1896 			 * we didn't accidentially generate a debug key.
1897 			 */
1898 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
1899 				break;
1900 		}
1901 	}
1902 
1903 done:
1904 	SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1905 	SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1906 
1907 	smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1908 
1909 	return 0;
1910 }
1911 
1912 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1913 {
1914 	struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1915 	struct l2cap_chan *chan = conn->smp;
1916 	struct smp_chan *smp = chan->data;
1917 	struct hci_dev *hdev = conn->hcon->hdev;
1918 	u8 key_size, auth;
1919 	int ret;
1920 
1921 	BT_DBG("conn %p", conn);
1922 
1923 	if (skb->len < sizeof(*rsp))
1924 		return SMP_INVALID_PARAMS;
1925 
1926 	if (conn->hcon->role != HCI_ROLE_MASTER)
1927 		return SMP_CMD_NOTSUPP;
1928 
1929 	skb_pull(skb, sizeof(*rsp));
1930 
1931 	req = (void *) &smp->preq[1];
1932 
1933 	key_size = min(req->max_key_size, rsp->max_key_size);
1934 	if (check_enc_key_size(conn, key_size))
1935 		return SMP_ENC_KEY_SIZE;
1936 
1937 	auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1938 
1939 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1940 		return SMP_AUTH_REQUIREMENTS;
1941 
1942 	/* If the remote side's OOB flag is set it means it has
1943 	 * successfully received our local OOB data - therefore set the
1944 	 * flag to indicate that local OOB is in use.
1945 	 */
1946 	if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1947 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1948 
1949 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1950 	memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1951 
1952 	/* Update remote key distribution in case the remote cleared
1953 	 * some bits that we had enabled in our request.
1954 	 */
1955 	smp->remote_key_dist &= rsp->resp_key_dist;
1956 
1957 	if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1958 		set_bit(SMP_FLAG_CT2, &smp->flags);
1959 
1960 	/* For BR/EDR this means we're done and can start phase 3 */
1961 	if (conn->hcon->type == ACL_LINK) {
1962 		/* Clear bits which are generated but not distributed */
1963 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1964 		smp_distribute_keys(smp);
1965 		return 0;
1966 	}
1967 
1968 	if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1969 		set_bit(SMP_FLAG_SC, &smp->flags);
1970 	else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1971 		conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1972 
1973 	/* If we need MITM check that it can be achieved */
1974 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1975 		u8 method;
1976 
1977 		method = get_auth_method(smp, req->io_capability,
1978 					 rsp->io_capability);
1979 		if (method == JUST_WORKS || method == JUST_CFM)
1980 			return SMP_AUTH_REQUIREMENTS;
1981 	}
1982 
1983 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1984 
1985 	/* Update remote key distribution in case the remote cleared
1986 	 * some bits that we had enabled in our request.
1987 	 */
1988 	smp->remote_key_dist &= rsp->resp_key_dist;
1989 
1990 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1991 		/* Clear bits which are generated but not distributed */
1992 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1993 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1994 		return sc_send_public_key(smp);
1995 	}
1996 
1997 	auth |= req->auth_req;
1998 
1999 	ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2000 	if (ret)
2001 		return SMP_UNSPECIFIED;
2002 
2003 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2004 
2005 	/* Can't compose response until we have been confirmed */
2006 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2007 		return smp_confirm(smp);
2008 
2009 	return 0;
2010 }
2011 
2012 static u8 sc_check_confirm(struct smp_chan *smp)
2013 {
2014 	struct l2cap_conn *conn = smp->conn;
2015 
2016 	BT_DBG("");
2017 
2018 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2019 		return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2020 
2021 	if (conn->hcon->out) {
2022 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2023 			     smp->prnd);
2024 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2025 	}
2026 
2027 	return 0;
2028 }
2029 
2030 /* Work-around for some implementations that incorrectly copy RFU bits
2031  * from our security request and thereby create the impression that
2032  * we're doing SC when in fact the remote doesn't support it.
2033  */
2034 static int fixup_sc_false_positive(struct smp_chan *smp)
2035 {
2036 	struct l2cap_conn *conn = smp->conn;
2037 	struct hci_conn *hcon = conn->hcon;
2038 	struct hci_dev *hdev = hcon->hdev;
2039 	struct smp_cmd_pairing *req, *rsp;
2040 	u8 auth;
2041 
2042 	/* The issue is only observed when we're in slave role */
2043 	if (hcon->out)
2044 		return SMP_UNSPECIFIED;
2045 
2046 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2047 		bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
2048 		return SMP_UNSPECIFIED;
2049 	}
2050 
2051 	bt_dev_err(hdev, "trying to fall back to legacy SMP");
2052 
2053 	req = (void *) &smp->preq[1];
2054 	rsp = (void *) &smp->prsp[1];
2055 
2056 	/* Rebuild key dist flags which may have been cleared for SC */
2057 	smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2058 
2059 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
2060 
2061 	if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2062 		bt_dev_err(hdev, "failed to fall back to legacy SMP");
2063 		return SMP_UNSPECIFIED;
2064 	}
2065 
2066 	clear_bit(SMP_FLAG_SC, &smp->flags);
2067 
2068 	return 0;
2069 }
2070 
2071 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2072 {
2073 	struct l2cap_chan *chan = conn->smp;
2074 	struct smp_chan *smp = chan->data;
2075 
2076 	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
2077 
2078 	if (skb->len < sizeof(smp->pcnf))
2079 		return SMP_INVALID_PARAMS;
2080 
2081 	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2082 	skb_pull(skb, sizeof(smp->pcnf));
2083 
2084 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2085 		int ret;
2086 
2087 		/* Public Key exchange must happen before any other steps */
2088 		if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2089 			return sc_check_confirm(smp);
2090 
2091 		BT_ERR("Unexpected SMP Pairing Confirm");
2092 
2093 		ret = fixup_sc_false_positive(smp);
2094 		if (ret)
2095 			return ret;
2096 	}
2097 
2098 	if (conn->hcon->out) {
2099 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2100 			     smp->prnd);
2101 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2102 		return 0;
2103 	}
2104 
2105 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2106 		return smp_confirm(smp);
2107 
2108 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2109 
2110 	return 0;
2111 }
2112 
2113 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2114 {
2115 	struct l2cap_chan *chan = conn->smp;
2116 	struct smp_chan *smp = chan->data;
2117 	struct hci_conn *hcon = conn->hcon;
2118 	u8 *pkax, *pkbx, *na, *nb;
2119 	u32 passkey;
2120 	int err;
2121 
2122 	BT_DBG("conn %p", conn);
2123 
2124 	if (skb->len < sizeof(smp->rrnd))
2125 		return SMP_INVALID_PARAMS;
2126 
2127 	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2128 	skb_pull(skb, sizeof(smp->rrnd));
2129 
2130 	if (!test_bit(SMP_FLAG_SC, &smp->flags))
2131 		return smp_random(smp);
2132 
2133 	if (hcon->out) {
2134 		pkax = smp->local_pk;
2135 		pkbx = smp->remote_pk;
2136 		na   = smp->prnd;
2137 		nb   = smp->rrnd;
2138 	} else {
2139 		pkax = smp->remote_pk;
2140 		pkbx = smp->local_pk;
2141 		na   = smp->rrnd;
2142 		nb   = smp->prnd;
2143 	}
2144 
2145 	if (smp->method == REQ_OOB) {
2146 		if (!hcon->out)
2147 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2148 				     sizeof(smp->prnd), smp->prnd);
2149 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2150 		goto mackey_and_ltk;
2151 	}
2152 
2153 	/* Passkey entry has special treatment */
2154 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2155 		return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2156 
2157 	if (hcon->out) {
2158 		u8 cfm[16];
2159 
2160 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2161 			     smp->rrnd, 0, cfm);
2162 		if (err)
2163 			return SMP_UNSPECIFIED;
2164 
2165 		if (crypto_memneq(smp->pcnf, cfm, 16))
2166 			return SMP_CONFIRM_FAILED;
2167 	} else {
2168 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2169 			     smp->prnd);
2170 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2171 	}
2172 
2173 mackey_and_ltk:
2174 	/* Generate MacKey and LTK */
2175 	err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2176 	if (err)
2177 		return SMP_UNSPECIFIED;
2178 
2179 	if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2180 		if (hcon->out) {
2181 			sc_dhkey_check(smp);
2182 			SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2183 		}
2184 		return 0;
2185 	}
2186 
2187 	err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2188 	if (err)
2189 		return SMP_UNSPECIFIED;
2190 
2191 	err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2192 					hcon->dst_type, passkey, 0);
2193 	if (err)
2194 		return SMP_UNSPECIFIED;
2195 
2196 	set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2197 
2198 	return 0;
2199 }
2200 
2201 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2202 {
2203 	struct smp_ltk *key;
2204 	struct hci_conn *hcon = conn->hcon;
2205 
2206 	key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2207 	if (!key)
2208 		return false;
2209 
2210 	if (smp_ltk_sec_level(key) < sec_level)
2211 		return false;
2212 
2213 	if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2214 		return true;
2215 
2216 	hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2217 	hcon->enc_key_size = key->enc_size;
2218 
2219 	/* We never store STKs for master role, so clear this flag */
2220 	clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2221 
2222 	return true;
2223 }
2224 
2225 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2226 			     enum smp_key_pref key_pref)
2227 {
2228 	if (sec_level == BT_SECURITY_LOW)
2229 		return true;
2230 
2231 	/* If we're encrypted with an STK but the caller prefers using
2232 	 * LTK claim insufficient security. This way we allow the
2233 	 * connection to be re-encrypted with an LTK, even if the LTK
2234 	 * provides the same level of security. Only exception is if we
2235 	 * don't have an LTK (e.g. because of key distribution bits).
2236 	 */
2237 	if (key_pref == SMP_USE_LTK &&
2238 	    test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2239 	    hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2240 		return false;
2241 
2242 	if (hcon->sec_level >= sec_level)
2243 		return true;
2244 
2245 	return false;
2246 }
2247 
2248 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2249 {
2250 	struct smp_cmd_security_req *rp = (void *) skb->data;
2251 	struct smp_cmd_pairing cp;
2252 	struct hci_conn *hcon = conn->hcon;
2253 	struct hci_dev *hdev = hcon->hdev;
2254 	struct smp_chan *smp;
2255 	u8 sec_level, auth;
2256 
2257 	BT_DBG("conn %p", conn);
2258 
2259 	if (skb->len < sizeof(*rp))
2260 		return SMP_INVALID_PARAMS;
2261 
2262 	if (hcon->role != HCI_ROLE_MASTER)
2263 		return SMP_CMD_NOTSUPP;
2264 
2265 	auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2266 
2267 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2268 		return SMP_AUTH_REQUIREMENTS;
2269 
2270 	if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2271 		sec_level = BT_SECURITY_MEDIUM;
2272 	else
2273 		sec_level = authreq_to_seclevel(auth);
2274 
2275 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2276 		/* If link is already encrypted with sufficient security we
2277 		 * still need refresh encryption as per Core Spec 5.0 Vol 3,
2278 		 * Part H 2.4.6
2279 		 */
2280 		smp_ltk_encrypt(conn, hcon->sec_level);
2281 		return 0;
2282 	}
2283 
2284 	if (sec_level > hcon->pending_sec_level)
2285 		hcon->pending_sec_level = sec_level;
2286 
2287 	if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2288 		return 0;
2289 
2290 	smp = smp_chan_create(conn);
2291 	if (!smp)
2292 		return SMP_UNSPECIFIED;
2293 
2294 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2295 	    (auth & SMP_AUTH_BONDING))
2296 		return SMP_PAIRING_NOTSUPP;
2297 
2298 	skb_pull(skb, sizeof(*rp));
2299 
2300 	memset(&cp, 0, sizeof(cp));
2301 	build_pairing_cmd(conn, &cp, NULL, auth);
2302 
2303 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2304 	memcpy(&smp->preq[1], &cp, sizeof(cp));
2305 
2306 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2307 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2308 
2309 	return 0;
2310 }
2311 
2312 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2313 {
2314 	struct l2cap_conn *conn = hcon->l2cap_data;
2315 	struct l2cap_chan *chan;
2316 	struct smp_chan *smp;
2317 	__u8 authreq;
2318 	int ret;
2319 
2320 	BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2321 
2322 	/* This may be NULL if there's an unexpected disconnection */
2323 	if (!conn)
2324 		return 1;
2325 
2326 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2327 		return 1;
2328 
2329 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2330 		return 1;
2331 
2332 	if (sec_level > hcon->pending_sec_level)
2333 		hcon->pending_sec_level = sec_level;
2334 
2335 	if (hcon->role == HCI_ROLE_MASTER)
2336 		if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2337 			return 0;
2338 
2339 	chan = conn->smp;
2340 	if (!chan) {
2341 		bt_dev_err(hcon->hdev, "security requested but not available");
2342 		return 1;
2343 	}
2344 
2345 	l2cap_chan_lock(chan);
2346 
2347 	/* If SMP is already in progress ignore this request */
2348 	if (chan->data) {
2349 		ret = 0;
2350 		goto unlock;
2351 	}
2352 
2353 	smp = smp_chan_create(conn);
2354 	if (!smp) {
2355 		ret = 1;
2356 		goto unlock;
2357 	}
2358 
2359 	authreq = seclevel_to_authreq(sec_level);
2360 
2361 	if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2362 		authreq |= SMP_AUTH_SC;
2363 		if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2364 			authreq |= SMP_AUTH_CT2;
2365 	}
2366 
2367 	/* Require MITM if IO Capability allows or the security level
2368 	 * requires it.
2369 	 */
2370 	if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2371 	    hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2372 		authreq |= SMP_AUTH_MITM;
2373 
2374 	if (hcon->role == HCI_ROLE_MASTER) {
2375 		struct smp_cmd_pairing cp;
2376 
2377 		build_pairing_cmd(conn, &cp, NULL, authreq);
2378 		smp->preq[0] = SMP_CMD_PAIRING_REQ;
2379 		memcpy(&smp->preq[1], &cp, sizeof(cp));
2380 
2381 		smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2382 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2383 	} else {
2384 		struct smp_cmd_security_req cp;
2385 		cp.auth_req = authreq;
2386 		smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2387 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2388 	}
2389 
2390 	set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2391 	ret = 0;
2392 
2393 unlock:
2394 	l2cap_chan_unlock(chan);
2395 	return ret;
2396 }
2397 
2398 int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2399 				  u8 addr_type)
2400 {
2401 	struct hci_conn *hcon;
2402 	struct l2cap_conn *conn;
2403 	struct l2cap_chan *chan;
2404 	struct smp_chan *smp;
2405 	int err;
2406 
2407 	err = hci_remove_ltk(hdev, bdaddr, addr_type);
2408 	hci_remove_irk(hdev, bdaddr, addr_type);
2409 
2410 	hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2411 	if (!hcon)
2412 		goto done;
2413 
2414 	conn = hcon->l2cap_data;
2415 	if (!conn)
2416 		goto done;
2417 
2418 	chan = conn->smp;
2419 	if (!chan)
2420 		goto done;
2421 
2422 	l2cap_chan_lock(chan);
2423 
2424 	smp = chan->data;
2425 	if (smp) {
2426 		/* Set keys to NULL to make sure smp_failure() does not try to
2427 		 * remove and free already invalidated rcu list entries. */
2428 		smp->ltk = NULL;
2429 		smp->slave_ltk = NULL;
2430 		smp->remote_irk = NULL;
2431 
2432 		if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2433 			smp_failure(conn, 0);
2434 		else
2435 			smp_failure(conn, SMP_UNSPECIFIED);
2436 		err = 0;
2437 	}
2438 
2439 	l2cap_chan_unlock(chan);
2440 
2441 done:
2442 	return err;
2443 }
2444 
2445 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2446 {
2447 	struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2448 	struct l2cap_chan *chan = conn->smp;
2449 	struct smp_chan *smp = chan->data;
2450 
2451 	BT_DBG("conn %p", conn);
2452 
2453 	if (skb->len < sizeof(*rp))
2454 		return SMP_INVALID_PARAMS;
2455 
2456 	SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2457 
2458 	skb_pull(skb, sizeof(*rp));
2459 
2460 	memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2461 
2462 	return 0;
2463 }
2464 
2465 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2466 {
2467 	struct smp_cmd_master_ident *rp = (void *) skb->data;
2468 	struct l2cap_chan *chan = conn->smp;
2469 	struct smp_chan *smp = chan->data;
2470 	struct hci_dev *hdev = conn->hcon->hdev;
2471 	struct hci_conn *hcon = conn->hcon;
2472 	struct smp_ltk *ltk;
2473 	u8 authenticated;
2474 
2475 	BT_DBG("conn %p", conn);
2476 
2477 	if (skb->len < sizeof(*rp))
2478 		return SMP_INVALID_PARAMS;
2479 
2480 	/* Mark the information as received */
2481 	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2482 
2483 	if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2484 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2485 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
2486 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2487 
2488 	skb_pull(skb, sizeof(*rp));
2489 
2490 	authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2491 	ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2492 			  authenticated, smp->tk, smp->enc_key_size,
2493 			  rp->ediv, rp->rand);
2494 	smp->ltk = ltk;
2495 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2496 		smp_distribute_keys(smp);
2497 
2498 	return 0;
2499 }
2500 
2501 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2502 {
2503 	struct smp_cmd_ident_info *info = (void *) skb->data;
2504 	struct l2cap_chan *chan = conn->smp;
2505 	struct smp_chan *smp = chan->data;
2506 
2507 	BT_DBG("");
2508 
2509 	if (skb->len < sizeof(*info))
2510 		return SMP_INVALID_PARAMS;
2511 
2512 	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2513 
2514 	skb_pull(skb, sizeof(*info));
2515 
2516 	memcpy(smp->irk, info->irk, 16);
2517 
2518 	return 0;
2519 }
2520 
2521 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2522 				   struct sk_buff *skb)
2523 {
2524 	struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2525 	struct l2cap_chan *chan = conn->smp;
2526 	struct smp_chan *smp = chan->data;
2527 	struct hci_conn *hcon = conn->hcon;
2528 	bdaddr_t rpa;
2529 
2530 	BT_DBG("");
2531 
2532 	if (skb->len < sizeof(*info))
2533 		return SMP_INVALID_PARAMS;
2534 
2535 	/* Mark the information as received */
2536 	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2537 
2538 	if (smp->remote_key_dist & SMP_DIST_SIGN)
2539 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2540 
2541 	skb_pull(skb, sizeof(*info));
2542 
2543 	/* Strictly speaking the Core Specification (4.1) allows sending
2544 	 * an empty address which would force us to rely on just the IRK
2545 	 * as "identity information". However, since such
2546 	 * implementations are not known of and in order to not over
2547 	 * complicate our implementation, simply pretend that we never
2548 	 * received an IRK for such a device.
2549 	 *
2550 	 * The Identity Address must also be a Static Random or Public
2551 	 * Address, which hci_is_identity_address() checks for.
2552 	 */
2553 	if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2554 	    !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2555 		bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
2556 		goto distribute;
2557 	}
2558 
2559 	/* Drop IRK if peer is using identity address during pairing but is
2560 	 * providing different address as identity information.
2561 	 *
2562 	 * Microsoft Surface Precision Mouse is known to have this bug.
2563 	 */
2564 	if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
2565 	    (bacmp(&info->bdaddr, &hcon->dst) ||
2566 	     info->addr_type != hcon->dst_type)) {
2567 		bt_dev_err(hcon->hdev,
2568 			   "ignoring IRK with invalid identity address");
2569 		goto distribute;
2570 	}
2571 
2572 	bacpy(&smp->id_addr, &info->bdaddr);
2573 	smp->id_addr_type = info->addr_type;
2574 
2575 	if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2576 		bacpy(&rpa, &hcon->dst);
2577 	else
2578 		bacpy(&rpa, BDADDR_ANY);
2579 
2580 	smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2581 				      smp->id_addr_type, smp->irk, &rpa);
2582 
2583 distribute:
2584 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2585 		smp_distribute_keys(smp);
2586 
2587 	return 0;
2588 }
2589 
2590 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2591 {
2592 	struct smp_cmd_sign_info *rp = (void *) skb->data;
2593 	struct l2cap_chan *chan = conn->smp;
2594 	struct smp_chan *smp = chan->data;
2595 	struct smp_csrk *csrk;
2596 
2597 	BT_DBG("conn %p", conn);
2598 
2599 	if (skb->len < sizeof(*rp))
2600 		return SMP_INVALID_PARAMS;
2601 
2602 	/* Mark the information as received */
2603 	smp->remote_key_dist &= ~SMP_DIST_SIGN;
2604 
2605 	skb_pull(skb, sizeof(*rp));
2606 
2607 	csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2608 	if (csrk) {
2609 		if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2610 			csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2611 		else
2612 			csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2613 		memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2614 	}
2615 	smp->csrk = csrk;
2616 	smp_distribute_keys(smp);
2617 
2618 	return 0;
2619 }
2620 
2621 static u8 sc_select_method(struct smp_chan *smp)
2622 {
2623 	struct l2cap_conn *conn = smp->conn;
2624 	struct hci_conn *hcon = conn->hcon;
2625 	struct smp_cmd_pairing *local, *remote;
2626 	u8 local_mitm, remote_mitm, local_io, remote_io, method;
2627 
2628 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2629 	    test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2630 		return REQ_OOB;
2631 
2632 	/* The preq/prsp contain the raw Pairing Request/Response PDUs
2633 	 * which are needed as inputs to some crypto functions. To get
2634 	 * the "struct smp_cmd_pairing" from them we need to skip the
2635 	 * first byte which contains the opcode.
2636 	 */
2637 	if (hcon->out) {
2638 		local = (void *) &smp->preq[1];
2639 		remote = (void *) &smp->prsp[1];
2640 	} else {
2641 		local = (void *) &smp->prsp[1];
2642 		remote = (void *) &smp->preq[1];
2643 	}
2644 
2645 	local_io = local->io_capability;
2646 	remote_io = remote->io_capability;
2647 
2648 	local_mitm = (local->auth_req & SMP_AUTH_MITM);
2649 	remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2650 
2651 	/* If either side wants MITM, look up the method from the table,
2652 	 * otherwise use JUST WORKS.
2653 	 */
2654 	if (local_mitm || remote_mitm)
2655 		method = get_auth_method(smp, local_io, remote_io);
2656 	else
2657 		method = JUST_WORKS;
2658 
2659 	/* Don't confirm locally initiated pairing attempts */
2660 	if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2661 		method = JUST_WORKS;
2662 
2663 	return method;
2664 }
2665 
2666 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2667 {
2668 	struct smp_cmd_public_key *key = (void *) skb->data;
2669 	struct hci_conn *hcon = conn->hcon;
2670 	struct l2cap_chan *chan = conn->smp;
2671 	struct smp_chan *smp = chan->data;
2672 	struct hci_dev *hdev = hcon->hdev;
2673 	struct crypto_kpp *tfm_ecdh;
2674 	struct smp_cmd_pairing_confirm cfm;
2675 	int err;
2676 
2677 	BT_DBG("conn %p", conn);
2678 
2679 	if (skb->len < sizeof(*key))
2680 		return SMP_INVALID_PARAMS;
2681 
2682 	memcpy(smp->remote_pk, key, 64);
2683 
2684 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2685 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2686 			     smp->rr, 0, cfm.confirm_val);
2687 		if (err)
2688 			return SMP_UNSPECIFIED;
2689 
2690 		if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2691 			return SMP_CONFIRM_FAILED;
2692 	}
2693 
2694 	/* Non-initiating device sends its public key after receiving
2695 	 * the key from the initiating device.
2696 	 */
2697 	if (!hcon->out) {
2698 		err = sc_send_public_key(smp);
2699 		if (err)
2700 			return err;
2701 	}
2702 
2703 	SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2704 	SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2705 
2706 	/* Compute the shared secret on the same crypto tfm on which the private
2707 	 * key was set/generated.
2708 	 */
2709 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
2710 		struct l2cap_chan *hchan = hdev->smp_data;
2711 		struct smp_dev *smp_dev;
2712 
2713 		if (!hchan || !hchan->data)
2714 			return SMP_UNSPECIFIED;
2715 
2716 		smp_dev = hchan->data;
2717 
2718 		tfm_ecdh = smp_dev->tfm_ecdh;
2719 	} else {
2720 		tfm_ecdh = smp->tfm_ecdh;
2721 	}
2722 
2723 	if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
2724 		return SMP_UNSPECIFIED;
2725 
2726 	SMP_DBG("DHKey %32phN", smp->dhkey);
2727 
2728 	set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2729 
2730 	smp->method = sc_select_method(smp);
2731 
2732 	BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2733 
2734 	/* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2735 	if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2736 		hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2737 	else
2738 		hcon->pending_sec_level = BT_SECURITY_FIPS;
2739 
2740 	if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2741 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2742 
2743 	if (smp->method == DSP_PASSKEY) {
2744 		get_random_bytes(&hcon->passkey_notify,
2745 				 sizeof(hcon->passkey_notify));
2746 		hcon->passkey_notify %= 1000000;
2747 		hcon->passkey_entered = 0;
2748 		smp->passkey_round = 0;
2749 		if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2750 					     hcon->dst_type,
2751 					     hcon->passkey_notify,
2752 					     hcon->passkey_entered))
2753 			return SMP_UNSPECIFIED;
2754 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2755 		return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2756 	}
2757 
2758 	if (smp->method == REQ_OOB) {
2759 		if (hcon->out)
2760 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2761 				     sizeof(smp->prnd), smp->prnd);
2762 
2763 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2764 
2765 		return 0;
2766 	}
2767 
2768 	if (hcon->out)
2769 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2770 
2771 	if (smp->method == REQ_PASSKEY) {
2772 		if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2773 					      hcon->dst_type))
2774 			return SMP_UNSPECIFIED;
2775 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2776 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2777 		return 0;
2778 	}
2779 
2780 	/* The Initiating device waits for the non-initiating device to
2781 	 * send the confirm value.
2782 	 */
2783 	if (conn->hcon->out)
2784 		return 0;
2785 
2786 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2787 		     0, cfm.confirm_val);
2788 	if (err)
2789 		return SMP_UNSPECIFIED;
2790 
2791 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2792 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2793 
2794 	return 0;
2795 }
2796 
2797 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2798 {
2799 	struct smp_cmd_dhkey_check *check = (void *) skb->data;
2800 	struct l2cap_chan *chan = conn->smp;
2801 	struct hci_conn *hcon = conn->hcon;
2802 	struct smp_chan *smp = chan->data;
2803 	u8 a[7], b[7], *local_addr, *remote_addr;
2804 	u8 io_cap[3], r[16], e[16];
2805 	int err;
2806 
2807 	BT_DBG("conn %p", conn);
2808 
2809 	if (skb->len < sizeof(*check))
2810 		return SMP_INVALID_PARAMS;
2811 
2812 	memcpy(a, &hcon->init_addr, 6);
2813 	memcpy(b, &hcon->resp_addr, 6);
2814 	a[6] = hcon->init_addr_type;
2815 	b[6] = hcon->resp_addr_type;
2816 
2817 	if (hcon->out) {
2818 		local_addr = a;
2819 		remote_addr = b;
2820 		memcpy(io_cap, &smp->prsp[1], 3);
2821 	} else {
2822 		local_addr = b;
2823 		remote_addr = a;
2824 		memcpy(io_cap, &smp->preq[1], 3);
2825 	}
2826 
2827 	memset(r, 0, sizeof(r));
2828 
2829 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2830 		put_unaligned_le32(hcon->passkey_notify, r);
2831 	else if (smp->method == REQ_OOB)
2832 		memcpy(r, smp->lr, 16);
2833 
2834 	err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2835 		     io_cap, remote_addr, local_addr, e);
2836 	if (err)
2837 		return SMP_UNSPECIFIED;
2838 
2839 	if (crypto_memneq(check->e, e, 16))
2840 		return SMP_DHKEY_CHECK_FAILED;
2841 
2842 	if (!hcon->out) {
2843 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2844 			set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2845 			return 0;
2846 		}
2847 
2848 		/* Slave sends DHKey check as response to master */
2849 		sc_dhkey_check(smp);
2850 	}
2851 
2852 	sc_add_ltk(smp);
2853 
2854 	if (hcon->out) {
2855 		hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2856 		hcon->enc_key_size = smp->enc_key_size;
2857 	}
2858 
2859 	return 0;
2860 }
2861 
2862 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2863 				   struct sk_buff *skb)
2864 {
2865 	struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2866 
2867 	BT_DBG("value 0x%02x", kp->value);
2868 
2869 	return 0;
2870 }
2871 
2872 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2873 {
2874 	struct l2cap_conn *conn = chan->conn;
2875 	struct hci_conn *hcon = conn->hcon;
2876 	struct smp_chan *smp;
2877 	__u8 code, reason;
2878 	int err = 0;
2879 
2880 	if (skb->len < 1)
2881 		return -EILSEQ;
2882 
2883 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2884 		reason = SMP_PAIRING_NOTSUPP;
2885 		goto done;
2886 	}
2887 
2888 	code = skb->data[0];
2889 	skb_pull(skb, sizeof(code));
2890 
2891 	smp = chan->data;
2892 
2893 	if (code > SMP_CMD_MAX)
2894 		goto drop;
2895 
2896 	if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2897 		goto drop;
2898 
2899 	/* If we don't have a context the only allowed commands are
2900 	 * pairing request and security request.
2901 	 */
2902 	if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2903 		goto drop;
2904 
2905 	switch (code) {
2906 	case SMP_CMD_PAIRING_REQ:
2907 		reason = smp_cmd_pairing_req(conn, skb);
2908 		break;
2909 
2910 	case SMP_CMD_PAIRING_FAIL:
2911 		smp_failure(conn, 0);
2912 		err = -EPERM;
2913 		break;
2914 
2915 	case SMP_CMD_PAIRING_RSP:
2916 		reason = smp_cmd_pairing_rsp(conn, skb);
2917 		break;
2918 
2919 	case SMP_CMD_SECURITY_REQ:
2920 		reason = smp_cmd_security_req(conn, skb);
2921 		break;
2922 
2923 	case SMP_CMD_PAIRING_CONFIRM:
2924 		reason = smp_cmd_pairing_confirm(conn, skb);
2925 		break;
2926 
2927 	case SMP_CMD_PAIRING_RANDOM:
2928 		reason = smp_cmd_pairing_random(conn, skb);
2929 		break;
2930 
2931 	case SMP_CMD_ENCRYPT_INFO:
2932 		reason = smp_cmd_encrypt_info(conn, skb);
2933 		break;
2934 
2935 	case SMP_CMD_MASTER_IDENT:
2936 		reason = smp_cmd_master_ident(conn, skb);
2937 		break;
2938 
2939 	case SMP_CMD_IDENT_INFO:
2940 		reason = smp_cmd_ident_info(conn, skb);
2941 		break;
2942 
2943 	case SMP_CMD_IDENT_ADDR_INFO:
2944 		reason = smp_cmd_ident_addr_info(conn, skb);
2945 		break;
2946 
2947 	case SMP_CMD_SIGN_INFO:
2948 		reason = smp_cmd_sign_info(conn, skb);
2949 		break;
2950 
2951 	case SMP_CMD_PUBLIC_KEY:
2952 		reason = smp_cmd_public_key(conn, skb);
2953 		break;
2954 
2955 	case SMP_CMD_DHKEY_CHECK:
2956 		reason = smp_cmd_dhkey_check(conn, skb);
2957 		break;
2958 
2959 	case SMP_CMD_KEYPRESS_NOTIFY:
2960 		reason = smp_cmd_keypress_notify(conn, skb);
2961 		break;
2962 
2963 	default:
2964 		BT_DBG("Unknown command code 0x%2.2x", code);
2965 		reason = SMP_CMD_NOTSUPP;
2966 		goto done;
2967 	}
2968 
2969 done:
2970 	if (!err) {
2971 		if (reason)
2972 			smp_failure(conn, reason);
2973 		kfree_skb(skb);
2974 	}
2975 
2976 	return err;
2977 
2978 drop:
2979 	bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
2980 		   code, &hcon->dst);
2981 	kfree_skb(skb);
2982 	return 0;
2983 }
2984 
2985 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2986 {
2987 	struct l2cap_conn *conn = chan->conn;
2988 
2989 	BT_DBG("chan %p", chan);
2990 
2991 	if (chan->data)
2992 		smp_chan_destroy(conn);
2993 
2994 	conn->smp = NULL;
2995 	l2cap_chan_put(chan);
2996 }
2997 
2998 static void bredr_pairing(struct l2cap_chan *chan)
2999 {
3000 	struct l2cap_conn *conn = chan->conn;
3001 	struct hci_conn *hcon = conn->hcon;
3002 	struct hci_dev *hdev = hcon->hdev;
3003 	struct smp_cmd_pairing req;
3004 	struct smp_chan *smp;
3005 
3006 	BT_DBG("chan %p", chan);
3007 
3008 	/* Only new pairings are interesting */
3009 	if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
3010 		return;
3011 
3012 	/* Don't bother if we're not encrypted */
3013 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3014 		return;
3015 
3016 	/* Only master may initiate SMP over BR/EDR */
3017 	if (hcon->role != HCI_ROLE_MASTER)
3018 		return;
3019 
3020 	/* Secure Connections support must be enabled */
3021 	if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
3022 		return;
3023 
3024 	/* BR/EDR must use Secure Connections for SMP */
3025 	if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
3026 	    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3027 		return;
3028 
3029 	/* If our LE support is not enabled don't do anything */
3030 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3031 		return;
3032 
3033 	/* Don't bother if remote LE support is not enabled */
3034 	if (!lmp_host_le_capable(hcon))
3035 		return;
3036 
3037 	/* Remote must support SMP fixed chan for BR/EDR */
3038 	if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3039 		return;
3040 
3041 	/* Don't bother if SMP is already ongoing */
3042 	if (chan->data)
3043 		return;
3044 
3045 	smp = smp_chan_create(conn);
3046 	if (!smp) {
3047 		bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
3048 		return;
3049 	}
3050 
3051 	set_bit(SMP_FLAG_SC, &smp->flags);
3052 
3053 	BT_DBG("%s starting SMP over BR/EDR", hdev->name);
3054 
3055 	/* Prepare and send the BR/EDR SMP Pairing Request */
3056 	build_bredr_pairing_cmd(smp, &req, NULL);
3057 
3058 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
3059 	memcpy(&smp->preq[1], &req, sizeof(req));
3060 
3061 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3062 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3063 }
3064 
3065 static void smp_resume_cb(struct l2cap_chan *chan)
3066 {
3067 	struct smp_chan *smp = chan->data;
3068 	struct l2cap_conn *conn = chan->conn;
3069 	struct hci_conn *hcon = conn->hcon;
3070 
3071 	BT_DBG("chan %p", chan);
3072 
3073 	if (hcon->type == ACL_LINK) {
3074 		bredr_pairing(chan);
3075 		return;
3076 	}
3077 
3078 	if (!smp)
3079 		return;
3080 
3081 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3082 		return;
3083 
3084 	cancel_delayed_work(&smp->security_timer);
3085 
3086 	smp_distribute_keys(smp);
3087 }
3088 
3089 static void smp_ready_cb(struct l2cap_chan *chan)
3090 {
3091 	struct l2cap_conn *conn = chan->conn;
3092 	struct hci_conn *hcon = conn->hcon;
3093 
3094 	BT_DBG("chan %p", chan);
3095 
3096 	/* No need to call l2cap_chan_hold() here since we already own
3097 	 * the reference taken in smp_new_conn_cb(). This is just the
3098 	 * first time that we tie it to a specific pointer. The code in
3099 	 * l2cap_core.c ensures that there's no risk this function wont
3100 	 * get called if smp_new_conn_cb was previously called.
3101 	 */
3102 	conn->smp = chan;
3103 
3104 	if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3105 		bredr_pairing(chan);
3106 }
3107 
3108 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3109 {
3110 	int err;
3111 
3112 	BT_DBG("chan %p", chan);
3113 
3114 	err = smp_sig_channel(chan, skb);
3115 	if (err) {
3116 		struct smp_chan *smp = chan->data;
3117 
3118 		if (smp)
3119 			cancel_delayed_work_sync(&smp->security_timer);
3120 
3121 		hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3122 	}
3123 
3124 	return err;
3125 }
3126 
3127 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3128 					unsigned long hdr_len,
3129 					unsigned long len, int nb)
3130 {
3131 	struct sk_buff *skb;
3132 
3133 	skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3134 	if (!skb)
3135 		return ERR_PTR(-ENOMEM);
3136 
3137 	skb->priority = HCI_PRIO_MAX;
3138 	bt_cb(skb)->l2cap.chan = chan;
3139 
3140 	return skb;
3141 }
3142 
3143 static const struct l2cap_ops smp_chan_ops = {
3144 	.name			= "Security Manager",
3145 	.ready			= smp_ready_cb,
3146 	.recv			= smp_recv_cb,
3147 	.alloc_skb		= smp_alloc_skb_cb,
3148 	.teardown		= smp_teardown_cb,
3149 	.resume			= smp_resume_cb,
3150 
3151 	.new_connection		= l2cap_chan_no_new_connection,
3152 	.state_change		= l2cap_chan_no_state_change,
3153 	.close			= l2cap_chan_no_close,
3154 	.defer			= l2cap_chan_no_defer,
3155 	.suspend		= l2cap_chan_no_suspend,
3156 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3157 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3158 };
3159 
3160 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3161 {
3162 	struct l2cap_chan *chan;
3163 
3164 	BT_DBG("pchan %p", pchan);
3165 
3166 	chan = l2cap_chan_create();
3167 	if (!chan)
3168 		return NULL;
3169 
3170 	chan->chan_type	= pchan->chan_type;
3171 	chan->ops	= &smp_chan_ops;
3172 	chan->scid	= pchan->scid;
3173 	chan->dcid	= chan->scid;
3174 	chan->imtu	= pchan->imtu;
3175 	chan->omtu	= pchan->omtu;
3176 	chan->mode	= pchan->mode;
3177 
3178 	/* Other L2CAP channels may request SMP routines in order to
3179 	 * change the security level. This means that the SMP channel
3180 	 * lock must be considered in its own category to avoid lockdep
3181 	 * warnings.
3182 	 */
3183 	atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3184 
3185 	BT_DBG("created chan %p", chan);
3186 
3187 	return chan;
3188 }
3189 
3190 static const struct l2cap_ops smp_root_chan_ops = {
3191 	.name			= "Security Manager Root",
3192 	.new_connection		= smp_new_conn_cb,
3193 
3194 	/* None of these are implemented for the root channel */
3195 	.close			= l2cap_chan_no_close,
3196 	.alloc_skb		= l2cap_chan_no_alloc_skb,
3197 	.recv			= l2cap_chan_no_recv,
3198 	.state_change		= l2cap_chan_no_state_change,
3199 	.teardown		= l2cap_chan_no_teardown,
3200 	.ready			= l2cap_chan_no_ready,
3201 	.defer			= l2cap_chan_no_defer,
3202 	.suspend		= l2cap_chan_no_suspend,
3203 	.resume			= l2cap_chan_no_resume,
3204 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3205 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3206 };
3207 
3208 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3209 {
3210 	struct l2cap_chan *chan;
3211 	struct smp_dev *smp;
3212 	struct crypto_shash *tfm_cmac;
3213 	struct crypto_kpp *tfm_ecdh;
3214 
3215 	if (cid == L2CAP_CID_SMP_BREDR) {
3216 		smp = NULL;
3217 		goto create_chan;
3218 	}
3219 
3220 	smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3221 	if (!smp)
3222 		return ERR_PTR(-ENOMEM);
3223 
3224 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3225 	if (IS_ERR(tfm_cmac)) {
3226 		BT_ERR("Unable to create CMAC crypto context");
3227 		kzfree(smp);
3228 		return ERR_CAST(tfm_cmac);
3229 	}
3230 
3231 	tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
3232 	if (IS_ERR(tfm_ecdh)) {
3233 		BT_ERR("Unable to create ECDH crypto context");
3234 		crypto_free_shash(tfm_cmac);
3235 		kzfree(smp);
3236 		return ERR_CAST(tfm_ecdh);
3237 	}
3238 
3239 	smp->local_oob = false;
3240 	smp->tfm_cmac = tfm_cmac;
3241 	smp->tfm_ecdh = tfm_ecdh;
3242 
3243 create_chan:
3244 	chan = l2cap_chan_create();
3245 	if (!chan) {
3246 		if (smp) {
3247 			crypto_free_shash(smp->tfm_cmac);
3248 			crypto_free_kpp(smp->tfm_ecdh);
3249 			kzfree(smp);
3250 		}
3251 		return ERR_PTR(-ENOMEM);
3252 	}
3253 
3254 	chan->data = smp;
3255 
3256 	l2cap_add_scid(chan, cid);
3257 
3258 	l2cap_chan_set_defaults(chan);
3259 
3260 	if (cid == L2CAP_CID_SMP) {
3261 		u8 bdaddr_type;
3262 
3263 		hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3264 
3265 		if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3266 			chan->src_type = BDADDR_LE_PUBLIC;
3267 		else
3268 			chan->src_type = BDADDR_LE_RANDOM;
3269 	} else {
3270 		bacpy(&chan->src, &hdev->bdaddr);
3271 		chan->src_type = BDADDR_BREDR;
3272 	}
3273 
3274 	chan->state = BT_LISTEN;
3275 	chan->mode = L2CAP_MODE_BASIC;
3276 	chan->imtu = L2CAP_DEFAULT_MTU;
3277 	chan->ops = &smp_root_chan_ops;
3278 
3279 	/* Set correct nesting level for a parent/listening channel */
3280 	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3281 
3282 	return chan;
3283 }
3284 
3285 static void smp_del_chan(struct l2cap_chan *chan)
3286 {
3287 	struct smp_dev *smp;
3288 
3289 	BT_DBG("chan %p", chan);
3290 
3291 	smp = chan->data;
3292 	if (smp) {
3293 		chan->data = NULL;
3294 		crypto_free_shash(smp->tfm_cmac);
3295 		crypto_free_kpp(smp->tfm_ecdh);
3296 		kzfree(smp);
3297 	}
3298 
3299 	l2cap_chan_put(chan);
3300 }
3301 
3302 static ssize_t force_bredr_smp_read(struct file *file,
3303 				    char __user *user_buf,
3304 				    size_t count, loff_t *ppos)
3305 {
3306 	struct hci_dev *hdev = file->private_data;
3307 	char buf[3];
3308 
3309 	buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3310 	buf[1] = '\n';
3311 	buf[2] = '\0';
3312 	return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3313 }
3314 
3315 static ssize_t force_bredr_smp_write(struct file *file,
3316 				     const char __user *user_buf,
3317 				     size_t count, loff_t *ppos)
3318 {
3319 	struct hci_dev *hdev = file->private_data;
3320 	bool enable;
3321 	int err;
3322 
3323 	err = kstrtobool_from_user(user_buf, count, &enable);
3324 	if (err)
3325 		return err;
3326 
3327 	if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3328 		return -EALREADY;
3329 
3330 	if (enable) {
3331 		struct l2cap_chan *chan;
3332 
3333 		chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3334 		if (IS_ERR(chan))
3335 			return PTR_ERR(chan);
3336 
3337 		hdev->smp_bredr_data = chan;
3338 	} else {
3339 		struct l2cap_chan *chan;
3340 
3341 		chan = hdev->smp_bredr_data;
3342 		hdev->smp_bredr_data = NULL;
3343 		smp_del_chan(chan);
3344 	}
3345 
3346 	hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3347 
3348 	return count;
3349 }
3350 
3351 static const struct file_operations force_bredr_smp_fops = {
3352 	.open		= simple_open,
3353 	.read		= force_bredr_smp_read,
3354 	.write		= force_bredr_smp_write,
3355 	.llseek		= default_llseek,
3356 };
3357 
3358 static ssize_t le_min_key_size_read(struct file *file,
3359 				     char __user *user_buf,
3360 				     size_t count, loff_t *ppos)
3361 {
3362 	struct hci_dev *hdev = file->private_data;
3363 	char buf[4];
3364 
3365 	snprintf(buf, sizeof(buf), "%2u\n", hdev->le_min_key_size);
3366 
3367 	return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3368 }
3369 
3370 static ssize_t le_min_key_size_write(struct file *file,
3371 				      const char __user *user_buf,
3372 				      size_t count, loff_t *ppos)
3373 {
3374 	struct hci_dev *hdev = file->private_data;
3375 	char buf[32];
3376 	size_t buf_size = min(count, (sizeof(buf) - 1));
3377 	u8 key_size;
3378 
3379 	if (copy_from_user(buf, user_buf, buf_size))
3380 		return -EFAULT;
3381 
3382 	buf[buf_size] = '\0';
3383 
3384 	sscanf(buf, "%hhu", &key_size);
3385 
3386 	if (key_size > hdev->le_max_key_size ||
3387 	    key_size < SMP_MIN_ENC_KEY_SIZE)
3388 		return -EINVAL;
3389 
3390 	hdev->le_min_key_size = key_size;
3391 
3392 	return count;
3393 }
3394 
3395 static const struct file_operations le_min_key_size_fops = {
3396 	.open		= simple_open,
3397 	.read		= le_min_key_size_read,
3398 	.write		= le_min_key_size_write,
3399 	.llseek		= default_llseek,
3400 };
3401 
3402 static ssize_t le_max_key_size_read(struct file *file,
3403 				     char __user *user_buf,
3404 				     size_t count, loff_t *ppos)
3405 {
3406 	struct hci_dev *hdev = file->private_data;
3407 	char buf[4];
3408 
3409 	snprintf(buf, sizeof(buf), "%2u\n", hdev->le_max_key_size);
3410 
3411 	return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3412 }
3413 
3414 static ssize_t le_max_key_size_write(struct file *file,
3415 				      const char __user *user_buf,
3416 				      size_t count, loff_t *ppos)
3417 {
3418 	struct hci_dev *hdev = file->private_data;
3419 	char buf[32];
3420 	size_t buf_size = min(count, (sizeof(buf) - 1));
3421 	u8 key_size;
3422 
3423 	if (copy_from_user(buf, user_buf, buf_size))
3424 		return -EFAULT;
3425 
3426 	buf[buf_size] = '\0';
3427 
3428 	sscanf(buf, "%hhu", &key_size);
3429 
3430 	if (key_size > SMP_MAX_ENC_KEY_SIZE ||
3431 	    key_size < hdev->le_min_key_size)
3432 		return -EINVAL;
3433 
3434 	hdev->le_max_key_size = key_size;
3435 
3436 	return count;
3437 }
3438 
3439 static const struct file_operations le_max_key_size_fops = {
3440 	.open		= simple_open,
3441 	.read		= le_max_key_size_read,
3442 	.write		= le_max_key_size_write,
3443 	.llseek		= default_llseek,
3444 };
3445 
3446 int smp_register(struct hci_dev *hdev)
3447 {
3448 	struct l2cap_chan *chan;
3449 
3450 	BT_DBG("%s", hdev->name);
3451 
3452 	/* If the controller does not support Low Energy operation, then
3453 	 * there is also no need to register any SMP channel.
3454 	 */
3455 	if (!lmp_le_capable(hdev))
3456 		return 0;
3457 
3458 	if (WARN_ON(hdev->smp_data)) {
3459 		chan = hdev->smp_data;
3460 		hdev->smp_data = NULL;
3461 		smp_del_chan(chan);
3462 	}
3463 
3464 	chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3465 	if (IS_ERR(chan))
3466 		return PTR_ERR(chan);
3467 
3468 	hdev->smp_data = chan;
3469 
3470 	debugfs_create_file("le_min_key_size", 0644, hdev->debugfs, hdev,
3471 			    &le_min_key_size_fops);
3472 	debugfs_create_file("le_max_key_size", 0644, hdev->debugfs, hdev,
3473 			    &le_max_key_size_fops);
3474 
3475 	/* If the controller does not support BR/EDR Secure Connections
3476 	 * feature, then the BR/EDR SMP channel shall not be present.
3477 	 *
3478 	 * To test this with Bluetooth 4.0 controllers, create a debugfs
3479 	 * switch that allows forcing BR/EDR SMP support and accepting
3480 	 * cross-transport pairing on non-AES encrypted connections.
3481 	 */
3482 	if (!lmp_sc_capable(hdev)) {
3483 		debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3484 				    hdev, &force_bredr_smp_fops);
3485 
3486 		/* Flag can be already set here (due to power toggle) */
3487 		if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3488 			return 0;
3489 	}
3490 
3491 	if (WARN_ON(hdev->smp_bredr_data)) {
3492 		chan = hdev->smp_bredr_data;
3493 		hdev->smp_bredr_data = NULL;
3494 		smp_del_chan(chan);
3495 	}
3496 
3497 	chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3498 	if (IS_ERR(chan)) {
3499 		int err = PTR_ERR(chan);
3500 		chan = hdev->smp_data;
3501 		hdev->smp_data = NULL;
3502 		smp_del_chan(chan);
3503 		return err;
3504 	}
3505 
3506 	hdev->smp_bredr_data = chan;
3507 
3508 	return 0;
3509 }
3510 
3511 void smp_unregister(struct hci_dev *hdev)
3512 {
3513 	struct l2cap_chan *chan;
3514 
3515 	if (hdev->smp_bredr_data) {
3516 		chan = hdev->smp_bredr_data;
3517 		hdev->smp_bredr_data = NULL;
3518 		smp_del_chan(chan);
3519 	}
3520 
3521 	if (hdev->smp_data) {
3522 		chan = hdev->smp_data;
3523 		hdev->smp_data = NULL;
3524 		smp_del_chan(chan);
3525 	}
3526 }
3527 
3528 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3529 
3530 static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
3531 {
3532 	u8 pk[64];
3533 	int err;
3534 
3535 	err = set_ecdh_privkey(tfm_ecdh, debug_sk);
3536 	if (err)
3537 		return err;
3538 
3539 	err = generate_ecdh_public_key(tfm_ecdh, pk);
3540 	if (err)
3541 		return err;
3542 
3543 	if (crypto_memneq(pk, debug_pk, 64))
3544 		return -EINVAL;
3545 
3546 	return 0;
3547 }
3548 
3549 static int __init test_ah(void)
3550 {
3551 	const u8 irk[16] = {
3552 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3553 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3554 	const u8 r[3] = { 0x94, 0x81, 0x70 };
3555 	const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3556 	u8 res[3];
3557 	int err;
3558 
3559 	err = smp_ah(irk, r, res);
3560 	if (err)
3561 		return err;
3562 
3563 	if (crypto_memneq(res, exp, 3))
3564 		return -EINVAL;
3565 
3566 	return 0;
3567 }
3568 
3569 static int __init test_c1(void)
3570 {
3571 	const u8 k[16] = {
3572 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3573 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3574 	const u8 r[16] = {
3575 			0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3576 			0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3577 	const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3578 	const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3579 	const u8 _iat = 0x01;
3580 	const u8 _rat = 0x00;
3581 	const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3582 	const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3583 	const u8 exp[16] = {
3584 			0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3585 			0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3586 	u8 res[16];
3587 	int err;
3588 
3589 	err = smp_c1(k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3590 	if (err)
3591 		return err;
3592 
3593 	if (crypto_memneq(res, exp, 16))
3594 		return -EINVAL;
3595 
3596 	return 0;
3597 }
3598 
3599 static int __init test_s1(void)
3600 {
3601 	const u8 k[16] = {
3602 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3603 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3604 	const u8 r1[16] = {
3605 			0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3606 	const u8 r2[16] = {
3607 			0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3608 	const u8 exp[16] = {
3609 			0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3610 			0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3611 	u8 res[16];
3612 	int err;
3613 
3614 	err = smp_s1(k, r1, r2, res);
3615 	if (err)
3616 		return err;
3617 
3618 	if (crypto_memneq(res, exp, 16))
3619 		return -EINVAL;
3620 
3621 	return 0;
3622 }
3623 
3624 static int __init test_f4(struct crypto_shash *tfm_cmac)
3625 {
3626 	const u8 u[32] = {
3627 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3628 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3629 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3630 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3631 	const u8 v[32] = {
3632 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3633 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3634 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3635 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3636 	const u8 x[16] = {
3637 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3638 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3639 	const u8 z = 0x00;
3640 	const u8 exp[16] = {
3641 			0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3642 			0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3643 	u8 res[16];
3644 	int err;
3645 
3646 	err = smp_f4(tfm_cmac, u, v, x, z, res);
3647 	if (err)
3648 		return err;
3649 
3650 	if (crypto_memneq(res, exp, 16))
3651 		return -EINVAL;
3652 
3653 	return 0;
3654 }
3655 
3656 static int __init test_f5(struct crypto_shash *tfm_cmac)
3657 {
3658 	const u8 w[32] = {
3659 			0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3660 			0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3661 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3662 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3663 	const u8 n1[16] = {
3664 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3665 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3666 	const u8 n2[16] = {
3667 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3668 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3669 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3670 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3671 	const u8 exp_ltk[16] = {
3672 			0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3673 			0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3674 	const u8 exp_mackey[16] = {
3675 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3676 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3677 	u8 mackey[16], ltk[16];
3678 	int err;
3679 
3680 	err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3681 	if (err)
3682 		return err;
3683 
3684 	if (crypto_memneq(mackey, exp_mackey, 16))
3685 		return -EINVAL;
3686 
3687 	if (crypto_memneq(ltk, exp_ltk, 16))
3688 		return -EINVAL;
3689 
3690 	return 0;
3691 }
3692 
3693 static int __init test_f6(struct crypto_shash *tfm_cmac)
3694 {
3695 	const u8 w[16] = {
3696 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3697 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3698 	const u8 n1[16] = {
3699 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3700 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3701 	const u8 n2[16] = {
3702 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3703 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3704 	const u8 r[16] = {
3705 			0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3706 			0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3707 	const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3708 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3709 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3710 	const u8 exp[16] = {
3711 			0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3712 			0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3713 	u8 res[16];
3714 	int err;
3715 
3716 	err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3717 	if (err)
3718 		return err;
3719 
3720 	if (crypto_memneq(res, exp, 16))
3721 		return -EINVAL;
3722 
3723 	return 0;
3724 }
3725 
3726 static int __init test_g2(struct crypto_shash *tfm_cmac)
3727 {
3728 	const u8 u[32] = {
3729 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3730 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3731 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3732 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3733 	const u8 v[32] = {
3734 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3735 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3736 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3737 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3738 	const u8 x[16] = {
3739 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3740 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3741 	const u8 y[16] = {
3742 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3743 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3744 	const u32 exp_val = 0x2f9ed5ba % 1000000;
3745 	u32 val;
3746 	int err;
3747 
3748 	err = smp_g2(tfm_cmac, u, v, x, y, &val);
3749 	if (err)
3750 		return err;
3751 
3752 	if (val != exp_val)
3753 		return -EINVAL;
3754 
3755 	return 0;
3756 }
3757 
3758 static int __init test_h6(struct crypto_shash *tfm_cmac)
3759 {
3760 	const u8 w[16] = {
3761 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3762 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3763 	const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3764 	const u8 exp[16] = {
3765 			0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3766 			0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3767 	u8 res[16];
3768 	int err;
3769 
3770 	err = smp_h6(tfm_cmac, w, key_id, res);
3771 	if (err)
3772 		return err;
3773 
3774 	if (crypto_memneq(res, exp, 16))
3775 		return -EINVAL;
3776 
3777 	return 0;
3778 }
3779 
3780 static char test_smp_buffer[32];
3781 
3782 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3783 			     size_t count, loff_t *ppos)
3784 {
3785 	return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3786 				       strlen(test_smp_buffer));
3787 }
3788 
3789 static const struct file_operations test_smp_fops = {
3790 	.open		= simple_open,
3791 	.read		= test_smp_read,
3792 	.llseek		= default_llseek,
3793 };
3794 
3795 static int __init run_selftests(struct crypto_shash *tfm_cmac,
3796 				struct crypto_kpp *tfm_ecdh)
3797 {
3798 	ktime_t calltime, delta, rettime;
3799 	unsigned long long duration;
3800 	int err;
3801 
3802 	calltime = ktime_get();
3803 
3804 	err = test_debug_key(tfm_ecdh);
3805 	if (err) {
3806 		BT_ERR("debug_key test failed");
3807 		goto done;
3808 	}
3809 
3810 	err = test_ah();
3811 	if (err) {
3812 		BT_ERR("smp_ah test failed");
3813 		goto done;
3814 	}
3815 
3816 	err = test_c1();
3817 	if (err) {
3818 		BT_ERR("smp_c1 test failed");
3819 		goto done;
3820 	}
3821 
3822 	err = test_s1();
3823 	if (err) {
3824 		BT_ERR("smp_s1 test failed");
3825 		goto done;
3826 	}
3827 
3828 	err = test_f4(tfm_cmac);
3829 	if (err) {
3830 		BT_ERR("smp_f4 test failed");
3831 		goto done;
3832 	}
3833 
3834 	err = test_f5(tfm_cmac);
3835 	if (err) {
3836 		BT_ERR("smp_f5 test failed");
3837 		goto done;
3838 	}
3839 
3840 	err = test_f6(tfm_cmac);
3841 	if (err) {
3842 		BT_ERR("smp_f6 test failed");
3843 		goto done;
3844 	}
3845 
3846 	err = test_g2(tfm_cmac);
3847 	if (err) {
3848 		BT_ERR("smp_g2 test failed");
3849 		goto done;
3850 	}
3851 
3852 	err = test_h6(tfm_cmac);
3853 	if (err) {
3854 		BT_ERR("smp_h6 test failed");
3855 		goto done;
3856 	}
3857 
3858 	rettime = ktime_get();
3859 	delta = ktime_sub(rettime, calltime);
3860 	duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3861 
3862 	BT_INFO("SMP test passed in %llu usecs", duration);
3863 
3864 done:
3865 	if (!err)
3866 		snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3867 			 "PASS (%llu usecs)\n", duration);
3868 	else
3869 		snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3870 
3871 	debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3872 			    &test_smp_fops);
3873 
3874 	return err;
3875 }
3876 
3877 int __init bt_selftest_smp(void)
3878 {
3879 	struct crypto_shash *tfm_cmac;
3880 	struct crypto_kpp *tfm_ecdh;
3881 	int err;
3882 
3883 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3884 	if (IS_ERR(tfm_cmac)) {
3885 		BT_ERR("Unable to create CMAC crypto context");
3886 		return PTR_ERR(tfm_cmac);
3887 	}
3888 
3889 	tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
3890 	if (IS_ERR(tfm_ecdh)) {
3891 		BT_ERR("Unable to create ECDH crypto context");
3892 		crypto_free_shash(tfm_cmac);
3893 		return PTR_ERR(tfm_ecdh);
3894 	}
3895 
3896 	err = run_selftests(tfm_cmac, tfm_ecdh);
3897 
3898 	crypto_free_shash(tfm_cmac);
3899 	crypto_free_kpp(tfm_ecdh);
3900 
3901 	return err;
3902 }
3903 
3904 #endif
3905