xref: /openbmc/linux/net/bluetooth/smp.c (revision 3d3337de)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4 
5    This program is free software; you can redistribute it and/or modify
6    it under the terms of the GNU General Public License version 2 as
7    published by the Free Software Foundation;
8 
9    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 
18    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20    SOFTWARE IS DISCLAIMED.
21 */
22 
23 #include <linux/debugfs.h>
24 #include <linux/crypto.h>
25 #include <linux/scatterlist.h>
26 #include <crypto/b128ops.h>
27 
28 #include <net/bluetooth/bluetooth.h>
29 #include <net/bluetooth/hci_core.h>
30 #include <net/bluetooth/l2cap.h>
31 #include <net/bluetooth/mgmt.h>
32 
33 #include "ecc.h"
34 #include "smp.h"
35 
36 /* Low-level debug macros to be used for stuff that we don't want
37  * accidentially in dmesg, i.e. the values of the various crypto keys
38  * and the inputs & outputs of crypto functions.
39  */
40 #ifdef DEBUG
41 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
42 				 ##__VA_ARGS__)
43 #else
44 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
45 				    ##__VA_ARGS__)
46 #endif
47 
48 #define SMP_ALLOW_CMD(smp, code)	set_bit(code, &smp->allow_cmd)
49 
50 /* Keys which are not distributed with Secure Connections */
51 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
52 
53 #define SMP_TIMEOUT	msecs_to_jiffies(30000)
54 
55 #define AUTH_REQ_MASK(dev)	(hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
56 				 0x1f : 0x07)
57 #define KEY_DIST_MASK		0x07
58 
59 /* Maximum message length that can be passed to aes_cmac */
60 #define CMAC_MSG_MAX	80
61 
62 enum {
63 	SMP_FLAG_TK_VALID,
64 	SMP_FLAG_CFM_PENDING,
65 	SMP_FLAG_MITM_AUTH,
66 	SMP_FLAG_COMPLETE,
67 	SMP_FLAG_INITIATOR,
68 	SMP_FLAG_SC,
69 	SMP_FLAG_REMOTE_PK,
70 	SMP_FLAG_DEBUG_KEY,
71 	SMP_FLAG_WAIT_USER,
72 	SMP_FLAG_DHKEY_PENDING,
73 	SMP_FLAG_REMOTE_OOB,
74 	SMP_FLAG_LOCAL_OOB,
75 };
76 
77 struct smp_dev {
78 	/* Secure Connections OOB data */
79 	u8			local_pk[64];
80 	u8			local_sk[32];
81 	u8			local_rand[16];
82 	bool			debug_key;
83 
84 	struct crypto_blkcipher	*tfm_aes;
85 	struct crypto_hash	*tfm_cmac;
86 };
87 
88 struct smp_chan {
89 	struct l2cap_conn	*conn;
90 	struct delayed_work	security_timer;
91 	unsigned long           allow_cmd; /* Bitmask of allowed commands */
92 
93 	u8		preq[7]; /* SMP Pairing Request */
94 	u8		prsp[7]; /* SMP Pairing Response */
95 	u8		prnd[16]; /* SMP Pairing Random (local) */
96 	u8		rrnd[16]; /* SMP Pairing Random (remote) */
97 	u8		pcnf[16]; /* SMP Pairing Confirm */
98 	u8		tk[16]; /* SMP Temporary Key */
99 	u8		rr[16]; /* Remote OOB ra/rb value */
100 	u8		lr[16]; /* Local OOB ra/rb value */
101 	u8		enc_key_size;
102 	u8		remote_key_dist;
103 	bdaddr_t	id_addr;
104 	u8		id_addr_type;
105 	u8		irk[16];
106 	struct smp_csrk	*csrk;
107 	struct smp_csrk	*slave_csrk;
108 	struct smp_ltk	*ltk;
109 	struct smp_ltk	*slave_ltk;
110 	struct smp_irk	*remote_irk;
111 	u8		*link_key;
112 	unsigned long	flags;
113 	u8		method;
114 	u8		passkey_round;
115 
116 	/* Secure Connections variables */
117 	u8			local_pk[64];
118 	u8			local_sk[32];
119 	u8			remote_pk[64];
120 	u8			dhkey[32];
121 	u8			mackey[16];
122 
123 	struct crypto_blkcipher	*tfm_aes;
124 	struct crypto_hash	*tfm_cmac;
125 };
126 
127 /* These debug key values are defined in the SMP section of the core
128  * specification. debug_pk is the public debug key and debug_sk the
129  * private debug key.
130  */
131 static const u8 debug_pk[64] = {
132 		0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
133 		0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
134 		0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
135 		0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
136 
137 		0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
138 		0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
139 		0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
140 		0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
141 };
142 
143 static const u8 debug_sk[32] = {
144 		0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
145 		0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
146 		0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
147 		0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
148 };
149 
150 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
151 {
152 	size_t i;
153 
154 	for (i = 0; i < len; i++)
155 		dst[len - 1 - i] = src[i];
156 }
157 
158 /* The following functions map to the LE SC SMP crypto functions
159  * AES-CMAC, f4, f5, f6, g2 and h6.
160  */
161 
162 static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m,
163 		    size_t len, u8 mac[16])
164 {
165 	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
166 	struct hash_desc desc;
167 	struct scatterlist sg;
168 	int err;
169 
170 	if (len > CMAC_MSG_MAX)
171 		return -EFBIG;
172 
173 	if (!tfm) {
174 		BT_ERR("tfm %p", tfm);
175 		return -EINVAL;
176 	}
177 
178 	desc.tfm = tfm;
179 	desc.flags = 0;
180 
181 	crypto_hash_init(&desc);
182 
183 	/* Swap key and message from LSB to MSB */
184 	swap_buf(k, tmp, 16);
185 	swap_buf(m, msg_msb, len);
186 
187 	SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
188 	SMP_DBG("key %16phN", k);
189 
190 	err = crypto_hash_setkey(tfm, tmp, 16);
191 	if (err) {
192 		BT_ERR("cipher setkey failed: %d", err);
193 		return err;
194 	}
195 
196 	sg_init_one(&sg, msg_msb, len);
197 
198 	err = crypto_hash_update(&desc, &sg, len);
199 	if (err) {
200 		BT_ERR("Hash update error %d", err);
201 		return err;
202 	}
203 
204 	err = crypto_hash_final(&desc, mac_msb);
205 	if (err) {
206 		BT_ERR("Hash final error %d", err);
207 		return err;
208 	}
209 
210 	swap_buf(mac_msb, mac, 16);
211 
212 	SMP_DBG("mac %16phN", mac);
213 
214 	return 0;
215 }
216 
217 static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
218 		  const u8 x[16], u8 z, u8 res[16])
219 {
220 	u8 m[65];
221 	int err;
222 
223 	SMP_DBG("u %32phN", u);
224 	SMP_DBG("v %32phN", v);
225 	SMP_DBG("x %16phN z %02x", x, z);
226 
227 	m[0] = z;
228 	memcpy(m + 1, v, 32);
229 	memcpy(m + 33, u, 32);
230 
231 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
232 	if (err)
233 		return err;
234 
235 	SMP_DBG("res %16phN", res);
236 
237 	return err;
238 }
239 
240 static int smp_f5(struct crypto_hash *tfm_cmac, const u8 w[32],
241 		  const u8 n1[16], const u8 n2[16], const u8 a1[7],
242 		  const u8 a2[7], u8 mackey[16], u8 ltk[16])
243 {
244 	/* The btle, salt and length "magic" values are as defined in
245 	 * the SMP section of the Bluetooth core specification. In ASCII
246 	 * the btle value ends up being 'btle'. The salt is just a
247 	 * random number whereas length is the value 256 in little
248 	 * endian format.
249 	 */
250 	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
251 	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
252 			      0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
253 	const u8 length[2] = { 0x00, 0x01 };
254 	u8 m[53], t[16];
255 	int err;
256 
257 	SMP_DBG("w %32phN", w);
258 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
259 	SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
260 
261 	err = aes_cmac(tfm_cmac, salt, w, 32, t);
262 	if (err)
263 		return err;
264 
265 	SMP_DBG("t %16phN", t);
266 
267 	memcpy(m, length, 2);
268 	memcpy(m + 2, a2, 7);
269 	memcpy(m + 9, a1, 7);
270 	memcpy(m + 16, n2, 16);
271 	memcpy(m + 32, n1, 16);
272 	memcpy(m + 48, btle, 4);
273 
274 	m[52] = 0; /* Counter */
275 
276 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
277 	if (err)
278 		return err;
279 
280 	SMP_DBG("mackey %16phN", mackey);
281 
282 	m[52] = 1; /* Counter */
283 
284 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
285 	if (err)
286 		return err;
287 
288 	SMP_DBG("ltk %16phN", ltk);
289 
290 	return 0;
291 }
292 
293 static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16],
294 		  const u8 n1[16], const u8 n2[16], const u8 r[16],
295 		  const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
296 		  u8 res[16])
297 {
298 	u8 m[65];
299 	int err;
300 
301 	SMP_DBG("w %16phN", w);
302 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
303 	SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
304 
305 	memcpy(m, a2, 7);
306 	memcpy(m + 7, a1, 7);
307 	memcpy(m + 14, io_cap, 3);
308 	memcpy(m + 17, r, 16);
309 	memcpy(m + 33, n2, 16);
310 	memcpy(m + 49, n1, 16);
311 
312 	err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
313 	if (err)
314 		return err;
315 
316 	SMP_DBG("res %16phN", res);
317 
318 	return err;
319 }
320 
321 static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
322 		  const u8 x[16], const u8 y[16], u32 *val)
323 {
324 	u8 m[80], tmp[16];
325 	int err;
326 
327 	SMP_DBG("u %32phN", u);
328 	SMP_DBG("v %32phN", v);
329 	SMP_DBG("x %16phN y %16phN", x, y);
330 
331 	memcpy(m, y, 16);
332 	memcpy(m + 16, v, 32);
333 	memcpy(m + 48, u, 32);
334 
335 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
336 	if (err)
337 		return err;
338 
339 	*val = get_unaligned_le32(tmp);
340 	*val %= 1000000;
341 
342 	SMP_DBG("val %06u", *val);
343 
344 	return 0;
345 }
346 
347 static int smp_h6(struct crypto_hash *tfm_cmac, const u8 w[16],
348 		  const u8 key_id[4], u8 res[16])
349 {
350 	int err;
351 
352 	SMP_DBG("w %16phN key_id %4phN", w, key_id);
353 
354 	err = aes_cmac(tfm_cmac, w, key_id, 4, res);
355 	if (err)
356 		return err;
357 
358 	SMP_DBG("res %16phN", res);
359 
360 	return err;
361 }
362 
363 /* The following functions map to the legacy SMP crypto functions e, c1,
364  * s1 and ah.
365  */
366 
367 static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
368 {
369 	struct blkcipher_desc desc;
370 	struct scatterlist sg;
371 	uint8_t tmp[16], data[16];
372 	int err;
373 
374 	if (!tfm) {
375 		BT_ERR("tfm %p", tfm);
376 		return -EINVAL;
377 	}
378 
379 	desc.tfm = tfm;
380 	desc.flags = 0;
381 
382 	/* The most significant octet of key corresponds to k[0] */
383 	swap_buf(k, tmp, 16);
384 
385 	err = crypto_blkcipher_setkey(tfm, tmp, 16);
386 	if (err) {
387 		BT_ERR("cipher setkey failed: %d", err);
388 		return err;
389 	}
390 
391 	/* Most significant octet of plaintextData corresponds to data[0] */
392 	swap_buf(r, data, 16);
393 
394 	sg_init_one(&sg, data, 16);
395 
396 	err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
397 	if (err)
398 		BT_ERR("Encrypt data error %d", err);
399 
400 	/* Most significant octet of encryptedData corresponds to data[0] */
401 	swap_buf(data, r, 16);
402 
403 	return err;
404 }
405 
406 static int smp_c1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
407 		  const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
408 		  const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
409 {
410 	u8 p1[16], p2[16];
411 	int err;
412 
413 	memset(p1, 0, 16);
414 
415 	/* p1 = pres || preq || _rat || _iat */
416 	p1[0] = _iat;
417 	p1[1] = _rat;
418 	memcpy(p1 + 2, preq, 7);
419 	memcpy(p1 + 9, pres, 7);
420 
421 	/* p2 = padding || ia || ra */
422 	memcpy(p2, ra, 6);
423 	memcpy(p2 + 6, ia, 6);
424 	memset(p2 + 12, 0, 4);
425 
426 	/* res = r XOR p1 */
427 	u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
428 
429 	/* res = e(k, res) */
430 	err = smp_e(tfm_aes, k, res);
431 	if (err) {
432 		BT_ERR("Encrypt data error");
433 		return err;
434 	}
435 
436 	/* res = res XOR p2 */
437 	u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
438 
439 	/* res = e(k, res) */
440 	err = smp_e(tfm_aes, k, res);
441 	if (err)
442 		BT_ERR("Encrypt data error");
443 
444 	return err;
445 }
446 
447 static int smp_s1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
448 		  const u8 r1[16], const u8 r2[16], u8 _r[16])
449 {
450 	int err;
451 
452 	/* Just least significant octets from r1 and r2 are considered */
453 	memcpy(_r, r2, 8);
454 	memcpy(_r + 8, r1, 8);
455 
456 	err = smp_e(tfm_aes, k, _r);
457 	if (err)
458 		BT_ERR("Encrypt data error");
459 
460 	return err;
461 }
462 
463 static int smp_ah(struct crypto_blkcipher *tfm, const u8 irk[16],
464 		  const u8 r[3], u8 res[3])
465 {
466 	u8 _res[16];
467 	int err;
468 
469 	/* r' = padding || r */
470 	memcpy(_res, r, 3);
471 	memset(_res + 3, 0, 13);
472 
473 	err = smp_e(tfm, irk, _res);
474 	if (err) {
475 		BT_ERR("Encrypt error");
476 		return err;
477 	}
478 
479 	/* The output of the random address function ah is:
480 	 *	ah(h, r) = e(k, r') mod 2^24
481 	 * The output of the security function e is then truncated to 24 bits
482 	 * by taking the least significant 24 bits of the output of e as the
483 	 * result of ah.
484 	 */
485 	memcpy(res, _res, 3);
486 
487 	return 0;
488 }
489 
490 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
491 		     const bdaddr_t *bdaddr)
492 {
493 	struct l2cap_chan *chan = hdev->smp_data;
494 	struct smp_dev *smp;
495 	u8 hash[3];
496 	int err;
497 
498 	if (!chan || !chan->data)
499 		return false;
500 
501 	smp = chan->data;
502 
503 	BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
504 
505 	err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash);
506 	if (err)
507 		return false;
508 
509 	return !memcmp(bdaddr->b, hash, 3);
510 }
511 
512 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
513 {
514 	struct l2cap_chan *chan = hdev->smp_data;
515 	struct smp_dev *smp;
516 	int err;
517 
518 	if (!chan || !chan->data)
519 		return -EOPNOTSUPP;
520 
521 	smp = chan->data;
522 
523 	get_random_bytes(&rpa->b[3], 3);
524 
525 	rpa->b[5] &= 0x3f;	/* Clear two most significant bits */
526 	rpa->b[5] |= 0x40;	/* Set second most significant bit */
527 
528 	err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b);
529 	if (err < 0)
530 		return err;
531 
532 	BT_DBG("RPA %pMR", rpa);
533 
534 	return 0;
535 }
536 
537 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
538 {
539 	struct l2cap_chan *chan = hdev->smp_data;
540 	struct smp_dev *smp;
541 	int err;
542 
543 	if (!chan || !chan->data)
544 		return -EOPNOTSUPP;
545 
546 	smp = chan->data;
547 
548 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
549 		BT_DBG("Using debug keys");
550 		memcpy(smp->local_pk, debug_pk, 64);
551 		memcpy(smp->local_sk, debug_sk, 32);
552 		smp->debug_key = true;
553 	} else {
554 		while (true) {
555 			/* Generate local key pair for Secure Connections */
556 			if (!ecc_make_key(smp->local_pk, smp->local_sk))
557 				return -EIO;
558 
559 			/* This is unlikely, but we need to check that
560 			 * we didn't accidentially generate a debug key.
561 			 */
562 			if (memcmp(smp->local_sk, debug_sk, 32))
563 				break;
564 		}
565 		smp->debug_key = false;
566 	}
567 
568 	SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
569 	SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
570 	SMP_DBG("OOB Private Key:  %32phN", smp->local_sk);
571 
572 	get_random_bytes(smp->local_rand, 16);
573 
574 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
575 		     smp->local_rand, 0, hash);
576 	if (err < 0)
577 		return err;
578 
579 	memcpy(rand, smp->local_rand, 16);
580 
581 	return 0;
582 }
583 
584 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
585 {
586 	struct l2cap_chan *chan = conn->smp;
587 	struct smp_chan *smp;
588 	struct kvec iv[2];
589 	struct msghdr msg;
590 
591 	if (!chan)
592 		return;
593 
594 	BT_DBG("code 0x%2.2x", code);
595 
596 	iv[0].iov_base = &code;
597 	iv[0].iov_len = 1;
598 
599 	iv[1].iov_base = data;
600 	iv[1].iov_len = len;
601 
602 	memset(&msg, 0, sizeof(msg));
603 
604 	iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
605 
606 	l2cap_chan_send(chan, &msg, 1 + len);
607 
608 	if (!chan->data)
609 		return;
610 
611 	smp = chan->data;
612 
613 	cancel_delayed_work_sync(&smp->security_timer);
614 	schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
615 }
616 
617 static u8 authreq_to_seclevel(u8 authreq)
618 {
619 	if (authreq & SMP_AUTH_MITM) {
620 		if (authreq & SMP_AUTH_SC)
621 			return BT_SECURITY_FIPS;
622 		else
623 			return BT_SECURITY_HIGH;
624 	} else {
625 		return BT_SECURITY_MEDIUM;
626 	}
627 }
628 
629 static __u8 seclevel_to_authreq(__u8 sec_level)
630 {
631 	switch (sec_level) {
632 	case BT_SECURITY_FIPS:
633 	case BT_SECURITY_HIGH:
634 		return SMP_AUTH_MITM | SMP_AUTH_BONDING;
635 	case BT_SECURITY_MEDIUM:
636 		return SMP_AUTH_BONDING;
637 	default:
638 		return SMP_AUTH_NONE;
639 	}
640 }
641 
642 static void build_pairing_cmd(struct l2cap_conn *conn,
643 			      struct smp_cmd_pairing *req,
644 			      struct smp_cmd_pairing *rsp, __u8 authreq)
645 {
646 	struct l2cap_chan *chan = conn->smp;
647 	struct smp_chan *smp = chan->data;
648 	struct hci_conn *hcon = conn->hcon;
649 	struct hci_dev *hdev = hcon->hdev;
650 	u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
651 
652 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
653 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
654 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
655 		authreq |= SMP_AUTH_BONDING;
656 	} else {
657 		authreq &= ~SMP_AUTH_BONDING;
658 	}
659 
660 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
661 		remote_dist |= SMP_DIST_ID_KEY;
662 
663 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
664 		local_dist |= SMP_DIST_ID_KEY;
665 
666 	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
667 	    (authreq & SMP_AUTH_SC)) {
668 		struct oob_data *oob_data;
669 		u8 bdaddr_type;
670 
671 		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
672 			local_dist |= SMP_DIST_LINK_KEY;
673 			remote_dist |= SMP_DIST_LINK_KEY;
674 		}
675 
676 		if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
677 			bdaddr_type = BDADDR_LE_PUBLIC;
678 		else
679 			bdaddr_type = BDADDR_LE_RANDOM;
680 
681 		oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
682 						    bdaddr_type);
683 		if (oob_data && oob_data->present) {
684 			set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
685 			oob_flag = SMP_OOB_PRESENT;
686 			memcpy(smp->rr, oob_data->rand256, 16);
687 			memcpy(smp->pcnf, oob_data->hash256, 16);
688 			SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
689 			SMP_DBG("OOB Remote Random: %16phN", smp->rr);
690 		}
691 
692 	} else {
693 		authreq &= ~SMP_AUTH_SC;
694 	}
695 
696 	if (rsp == NULL) {
697 		req->io_capability = conn->hcon->io_capability;
698 		req->oob_flag = oob_flag;
699 		req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
700 		req->init_key_dist = local_dist;
701 		req->resp_key_dist = remote_dist;
702 		req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
703 
704 		smp->remote_key_dist = remote_dist;
705 		return;
706 	}
707 
708 	rsp->io_capability = conn->hcon->io_capability;
709 	rsp->oob_flag = oob_flag;
710 	rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
711 	rsp->init_key_dist = req->init_key_dist & remote_dist;
712 	rsp->resp_key_dist = req->resp_key_dist & local_dist;
713 	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
714 
715 	smp->remote_key_dist = rsp->init_key_dist;
716 }
717 
718 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
719 {
720 	struct l2cap_chan *chan = conn->smp;
721 	struct smp_chan *smp = chan->data;
722 
723 	if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
724 	    (max_key_size < SMP_MIN_ENC_KEY_SIZE))
725 		return SMP_ENC_KEY_SIZE;
726 
727 	smp->enc_key_size = max_key_size;
728 
729 	return 0;
730 }
731 
732 static void smp_chan_destroy(struct l2cap_conn *conn)
733 {
734 	struct l2cap_chan *chan = conn->smp;
735 	struct smp_chan *smp = chan->data;
736 	struct hci_conn *hcon = conn->hcon;
737 	bool complete;
738 
739 	BUG_ON(!smp);
740 
741 	cancel_delayed_work_sync(&smp->security_timer);
742 
743 	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
744 	mgmt_smp_complete(hcon, complete);
745 
746 	kzfree(smp->csrk);
747 	kzfree(smp->slave_csrk);
748 	kzfree(smp->link_key);
749 
750 	crypto_free_blkcipher(smp->tfm_aes);
751 	crypto_free_hash(smp->tfm_cmac);
752 
753 	/* Ensure that we don't leave any debug key around if debug key
754 	 * support hasn't been explicitly enabled.
755 	 */
756 	if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
757 	    !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
758 		list_del_rcu(&smp->ltk->list);
759 		kfree_rcu(smp->ltk, rcu);
760 		smp->ltk = NULL;
761 	}
762 
763 	/* If pairing failed clean up any keys we might have */
764 	if (!complete) {
765 		if (smp->ltk) {
766 			list_del_rcu(&smp->ltk->list);
767 			kfree_rcu(smp->ltk, rcu);
768 		}
769 
770 		if (smp->slave_ltk) {
771 			list_del_rcu(&smp->slave_ltk->list);
772 			kfree_rcu(smp->slave_ltk, rcu);
773 		}
774 
775 		if (smp->remote_irk) {
776 			list_del_rcu(&smp->remote_irk->list);
777 			kfree_rcu(smp->remote_irk, rcu);
778 		}
779 	}
780 
781 	chan->data = NULL;
782 	kzfree(smp);
783 	hci_conn_drop(hcon);
784 }
785 
786 static void smp_failure(struct l2cap_conn *conn, u8 reason)
787 {
788 	struct hci_conn *hcon = conn->hcon;
789 	struct l2cap_chan *chan = conn->smp;
790 
791 	if (reason)
792 		smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
793 			     &reason);
794 
795 	clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags);
796 	mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
797 
798 	if (chan->data)
799 		smp_chan_destroy(conn);
800 }
801 
802 #define JUST_WORKS	0x00
803 #define JUST_CFM	0x01
804 #define REQ_PASSKEY	0x02
805 #define CFM_PASSKEY	0x03
806 #define REQ_OOB		0x04
807 #define DSP_PASSKEY	0x05
808 #define OVERLAP		0xFF
809 
810 static const u8 gen_method[5][5] = {
811 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
812 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
813 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
814 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
815 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
816 };
817 
818 static const u8 sc_method[5][5] = {
819 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
820 	{ JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
821 	{ DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
822 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
823 	{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
824 };
825 
826 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
827 {
828 	/* If either side has unknown io_caps, use JUST_CFM (which gets
829 	 * converted later to JUST_WORKS if we're initiators.
830 	 */
831 	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
832 	    remote_io > SMP_IO_KEYBOARD_DISPLAY)
833 		return JUST_CFM;
834 
835 	if (test_bit(SMP_FLAG_SC, &smp->flags))
836 		return sc_method[remote_io][local_io];
837 
838 	return gen_method[remote_io][local_io];
839 }
840 
841 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
842 						u8 local_io, u8 remote_io)
843 {
844 	struct hci_conn *hcon = conn->hcon;
845 	struct l2cap_chan *chan = conn->smp;
846 	struct smp_chan *smp = chan->data;
847 	u32 passkey = 0;
848 	int ret = 0;
849 
850 	/* Initialize key for JUST WORKS */
851 	memset(smp->tk, 0, sizeof(smp->tk));
852 	clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
853 
854 	BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
855 
856 	/* If neither side wants MITM, either "just" confirm an incoming
857 	 * request or use just-works for outgoing ones. The JUST_CFM
858 	 * will be converted to JUST_WORKS if necessary later in this
859 	 * function. If either side has MITM look up the method from the
860 	 * table.
861 	 */
862 	if (!(auth & SMP_AUTH_MITM))
863 		smp->method = JUST_CFM;
864 	else
865 		smp->method = get_auth_method(smp, local_io, remote_io);
866 
867 	/* Don't confirm locally initiated pairing attempts */
868 	if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
869 						&smp->flags))
870 		smp->method = JUST_WORKS;
871 
872 	/* Don't bother user space with no IO capabilities */
873 	if (smp->method == JUST_CFM &&
874 	    hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
875 		smp->method = JUST_WORKS;
876 
877 	/* If Just Works, Continue with Zero TK */
878 	if (smp->method == JUST_WORKS) {
879 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
880 		return 0;
881 	}
882 
883 	/* If this function is used for SC -> legacy fallback we
884 	 * can only recover the just-works case.
885 	 */
886 	if (test_bit(SMP_FLAG_SC, &smp->flags))
887 		return -EINVAL;
888 
889 	/* Not Just Works/Confirm results in MITM Authentication */
890 	if (smp->method != JUST_CFM) {
891 		set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
892 		if (hcon->pending_sec_level < BT_SECURITY_HIGH)
893 			hcon->pending_sec_level = BT_SECURITY_HIGH;
894 	}
895 
896 	/* If both devices have Keyoard-Display I/O, the master
897 	 * Confirms and the slave Enters the passkey.
898 	 */
899 	if (smp->method == OVERLAP) {
900 		if (hcon->role == HCI_ROLE_MASTER)
901 			smp->method = CFM_PASSKEY;
902 		else
903 			smp->method = REQ_PASSKEY;
904 	}
905 
906 	/* Generate random passkey. */
907 	if (smp->method == CFM_PASSKEY) {
908 		memset(smp->tk, 0, sizeof(smp->tk));
909 		get_random_bytes(&passkey, sizeof(passkey));
910 		passkey %= 1000000;
911 		put_unaligned_le32(passkey, smp->tk);
912 		BT_DBG("PassKey: %d", passkey);
913 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
914 	}
915 
916 	if (smp->method == REQ_PASSKEY)
917 		ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
918 						hcon->type, hcon->dst_type);
919 	else if (smp->method == JUST_CFM)
920 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
921 						hcon->type, hcon->dst_type,
922 						passkey, 1);
923 	else
924 		ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
925 						hcon->type, hcon->dst_type,
926 						passkey, 0);
927 
928 	return ret;
929 }
930 
931 static u8 smp_confirm(struct smp_chan *smp)
932 {
933 	struct l2cap_conn *conn = smp->conn;
934 	struct smp_cmd_pairing_confirm cp;
935 	int ret;
936 
937 	BT_DBG("conn %p", conn);
938 
939 	ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
940 		     conn->hcon->init_addr_type, &conn->hcon->init_addr,
941 		     conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
942 		     cp.confirm_val);
943 	if (ret)
944 		return SMP_UNSPECIFIED;
945 
946 	clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
947 
948 	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
949 
950 	if (conn->hcon->out)
951 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
952 	else
953 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
954 
955 	return 0;
956 }
957 
958 static u8 smp_random(struct smp_chan *smp)
959 {
960 	struct l2cap_conn *conn = smp->conn;
961 	struct hci_conn *hcon = conn->hcon;
962 	u8 confirm[16];
963 	int ret;
964 
965 	if (IS_ERR_OR_NULL(smp->tfm_aes))
966 		return SMP_UNSPECIFIED;
967 
968 	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
969 
970 	ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
971 		     hcon->init_addr_type, &hcon->init_addr,
972 		     hcon->resp_addr_type, &hcon->resp_addr, confirm);
973 	if (ret)
974 		return SMP_UNSPECIFIED;
975 
976 	if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
977 		BT_ERR("Pairing failed (confirmation values mismatch)");
978 		return SMP_CONFIRM_FAILED;
979 	}
980 
981 	if (hcon->out) {
982 		u8 stk[16];
983 		__le64 rand = 0;
984 		__le16 ediv = 0;
985 
986 		smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
987 
988 		memset(stk + smp->enc_key_size, 0,
989 		       SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
990 
991 		if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
992 			return SMP_UNSPECIFIED;
993 
994 		hci_le_start_enc(hcon, ediv, rand, stk);
995 		hcon->enc_key_size = smp->enc_key_size;
996 		set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
997 	} else {
998 		u8 stk[16], auth;
999 		__le64 rand = 0;
1000 		__le16 ediv = 0;
1001 
1002 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1003 			     smp->prnd);
1004 
1005 		smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
1006 
1007 		memset(stk + smp->enc_key_size, 0,
1008 		       SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
1009 
1010 		if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1011 			auth = 1;
1012 		else
1013 			auth = 0;
1014 
1015 		/* Even though there's no _SLAVE suffix this is the
1016 		 * slave STK we're adding for later lookup (the master
1017 		 * STK never needs to be stored).
1018 		 */
1019 		hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1020 			    SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1021 	}
1022 
1023 	return 0;
1024 }
1025 
1026 static void smp_notify_keys(struct l2cap_conn *conn)
1027 {
1028 	struct l2cap_chan *chan = conn->smp;
1029 	struct smp_chan *smp = chan->data;
1030 	struct hci_conn *hcon = conn->hcon;
1031 	struct hci_dev *hdev = hcon->hdev;
1032 	struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1033 	struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1034 	bool persistent;
1035 
1036 	if (smp->remote_irk) {
1037 		mgmt_new_irk(hdev, smp->remote_irk);
1038 		/* Now that user space can be considered to know the
1039 		 * identity address track the connection based on it
1040 		 * from now on (assuming this is an LE link).
1041 		 */
1042 		if (hcon->type == LE_LINK) {
1043 			bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1044 			hcon->dst_type = smp->remote_irk->addr_type;
1045 			queue_work(hdev->workqueue, &conn->id_addr_update_work);
1046 		}
1047 
1048 		/* When receiving an indentity resolving key for
1049 		 * a remote device that does not use a resolvable
1050 		 * private address, just remove the key so that
1051 		 * it is possible to use the controller white
1052 		 * list for scanning.
1053 		 *
1054 		 * Userspace will have been told to not store
1055 		 * this key at this point. So it is safe to
1056 		 * just remove it.
1057 		 */
1058 		if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) {
1059 			list_del_rcu(&smp->remote_irk->list);
1060 			kfree_rcu(smp->remote_irk, rcu);
1061 			smp->remote_irk = NULL;
1062 		}
1063 	}
1064 
1065 	if (hcon->type == ACL_LINK) {
1066 		if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1067 			persistent = false;
1068 		else
1069 			persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1070 					       &hcon->flags);
1071 	} else {
1072 		/* The LTKs and CSRKs should be persistent only if both sides
1073 		 * had the bonding bit set in their authentication requests.
1074 		 */
1075 		persistent = !!((req->auth_req & rsp->auth_req) &
1076 				SMP_AUTH_BONDING);
1077 	}
1078 
1079 
1080 	if (smp->csrk) {
1081 		smp->csrk->bdaddr_type = hcon->dst_type;
1082 		bacpy(&smp->csrk->bdaddr, &hcon->dst);
1083 		mgmt_new_csrk(hdev, smp->csrk, persistent);
1084 	}
1085 
1086 	if (smp->slave_csrk) {
1087 		smp->slave_csrk->bdaddr_type = hcon->dst_type;
1088 		bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1089 		mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1090 	}
1091 
1092 	if (smp->ltk) {
1093 		smp->ltk->bdaddr_type = hcon->dst_type;
1094 		bacpy(&smp->ltk->bdaddr, &hcon->dst);
1095 		mgmt_new_ltk(hdev, smp->ltk, persistent);
1096 	}
1097 
1098 	if (smp->slave_ltk) {
1099 		smp->slave_ltk->bdaddr_type = hcon->dst_type;
1100 		bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1101 		mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1102 	}
1103 
1104 	if (smp->link_key) {
1105 		struct link_key *key;
1106 		u8 type;
1107 
1108 		if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1109 			type = HCI_LK_DEBUG_COMBINATION;
1110 		else if (hcon->sec_level == BT_SECURITY_FIPS)
1111 			type = HCI_LK_AUTH_COMBINATION_P256;
1112 		else
1113 			type = HCI_LK_UNAUTH_COMBINATION_P256;
1114 
1115 		key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1116 				       smp->link_key, type, 0, &persistent);
1117 		if (key) {
1118 			mgmt_new_link_key(hdev, key, persistent);
1119 
1120 			/* Don't keep debug keys around if the relevant
1121 			 * flag is not set.
1122 			 */
1123 			if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1124 			    key->type == HCI_LK_DEBUG_COMBINATION) {
1125 				list_del_rcu(&key->list);
1126 				kfree_rcu(key, rcu);
1127 			}
1128 		}
1129 	}
1130 }
1131 
1132 static void sc_add_ltk(struct smp_chan *smp)
1133 {
1134 	struct hci_conn *hcon = smp->conn->hcon;
1135 	u8 key_type, auth;
1136 
1137 	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1138 		key_type = SMP_LTK_P256_DEBUG;
1139 	else
1140 		key_type = SMP_LTK_P256;
1141 
1142 	if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1143 		auth = 1;
1144 	else
1145 		auth = 0;
1146 
1147 	memset(smp->tk + smp->enc_key_size, 0,
1148 	       SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
1149 
1150 	smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1151 			       key_type, auth, smp->tk, smp->enc_key_size,
1152 			       0, 0);
1153 }
1154 
1155 static void sc_generate_link_key(struct smp_chan *smp)
1156 {
1157 	/* These constants are as specified in the core specification.
1158 	 * In ASCII they spell out to 'tmp1' and 'lebr'.
1159 	 */
1160 	const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1161 	const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1162 
1163 	smp->link_key = kzalloc(16, GFP_KERNEL);
1164 	if (!smp->link_key)
1165 		return;
1166 
1167 	if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1168 		kzfree(smp->link_key);
1169 		smp->link_key = NULL;
1170 		return;
1171 	}
1172 
1173 	if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1174 		kzfree(smp->link_key);
1175 		smp->link_key = NULL;
1176 		return;
1177 	}
1178 }
1179 
1180 static void smp_allow_key_dist(struct smp_chan *smp)
1181 {
1182 	/* Allow the first expected phase 3 PDU. The rest of the PDUs
1183 	 * will be allowed in each PDU handler to ensure we receive
1184 	 * them in the correct order.
1185 	 */
1186 	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1187 		SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1188 	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1189 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1190 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
1191 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1192 }
1193 
1194 static void sc_generate_ltk(struct smp_chan *smp)
1195 {
1196 	/* These constants are as specified in the core specification.
1197 	 * In ASCII they spell out to 'tmp2' and 'brle'.
1198 	 */
1199 	const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1200 	const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1201 	struct hci_conn *hcon = smp->conn->hcon;
1202 	struct hci_dev *hdev = hcon->hdev;
1203 	struct link_key *key;
1204 
1205 	key = hci_find_link_key(hdev, &hcon->dst);
1206 	if (!key) {
1207 		BT_ERR("%s No Link Key found to generate LTK", hdev->name);
1208 		return;
1209 	}
1210 
1211 	if (key->type == HCI_LK_DEBUG_COMBINATION)
1212 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1213 
1214 	if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1215 		return;
1216 
1217 	if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1218 		return;
1219 
1220 	sc_add_ltk(smp);
1221 }
1222 
1223 static void smp_distribute_keys(struct smp_chan *smp)
1224 {
1225 	struct smp_cmd_pairing *req, *rsp;
1226 	struct l2cap_conn *conn = smp->conn;
1227 	struct hci_conn *hcon = conn->hcon;
1228 	struct hci_dev *hdev = hcon->hdev;
1229 	__u8 *keydist;
1230 
1231 	BT_DBG("conn %p", conn);
1232 
1233 	rsp = (void *) &smp->prsp[1];
1234 
1235 	/* The responder sends its keys first */
1236 	if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1237 		smp_allow_key_dist(smp);
1238 		return;
1239 	}
1240 
1241 	req = (void *) &smp->preq[1];
1242 
1243 	if (hcon->out) {
1244 		keydist = &rsp->init_key_dist;
1245 		*keydist &= req->init_key_dist;
1246 	} else {
1247 		keydist = &rsp->resp_key_dist;
1248 		*keydist &= req->resp_key_dist;
1249 	}
1250 
1251 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1252 		if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1253 			sc_generate_link_key(smp);
1254 		if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1255 			sc_generate_ltk(smp);
1256 
1257 		/* Clear the keys which are generated but not distributed */
1258 		*keydist &= ~SMP_SC_NO_DIST;
1259 	}
1260 
1261 	BT_DBG("keydist 0x%x", *keydist);
1262 
1263 	if (*keydist & SMP_DIST_ENC_KEY) {
1264 		struct smp_cmd_encrypt_info enc;
1265 		struct smp_cmd_master_ident ident;
1266 		struct smp_ltk *ltk;
1267 		u8 authenticated;
1268 		__le16 ediv;
1269 		__le64 rand;
1270 
1271 		get_random_bytes(enc.ltk, sizeof(enc.ltk));
1272 		get_random_bytes(&ediv, sizeof(ediv));
1273 		get_random_bytes(&rand, sizeof(rand));
1274 
1275 		smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1276 
1277 		authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1278 		ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1279 				  SMP_LTK_SLAVE, authenticated, enc.ltk,
1280 				  smp->enc_key_size, ediv, rand);
1281 		smp->slave_ltk = ltk;
1282 
1283 		ident.ediv = ediv;
1284 		ident.rand = rand;
1285 
1286 		smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1287 
1288 		*keydist &= ~SMP_DIST_ENC_KEY;
1289 	}
1290 
1291 	if (*keydist & SMP_DIST_ID_KEY) {
1292 		struct smp_cmd_ident_addr_info addrinfo;
1293 		struct smp_cmd_ident_info idinfo;
1294 
1295 		memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1296 
1297 		smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1298 
1299 		/* The hci_conn contains the local identity address
1300 		 * after the connection has been established.
1301 		 *
1302 		 * This is true even when the connection has been
1303 		 * established using a resolvable random address.
1304 		 */
1305 		bacpy(&addrinfo.bdaddr, &hcon->src);
1306 		addrinfo.addr_type = hcon->src_type;
1307 
1308 		smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1309 			     &addrinfo);
1310 
1311 		*keydist &= ~SMP_DIST_ID_KEY;
1312 	}
1313 
1314 	if (*keydist & SMP_DIST_SIGN) {
1315 		struct smp_cmd_sign_info sign;
1316 		struct smp_csrk *csrk;
1317 
1318 		/* Generate a new random key */
1319 		get_random_bytes(sign.csrk, sizeof(sign.csrk));
1320 
1321 		csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1322 		if (csrk) {
1323 			if (hcon->sec_level > BT_SECURITY_MEDIUM)
1324 				csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1325 			else
1326 				csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1327 			memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1328 		}
1329 		smp->slave_csrk = csrk;
1330 
1331 		smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1332 
1333 		*keydist &= ~SMP_DIST_SIGN;
1334 	}
1335 
1336 	/* If there are still keys to be received wait for them */
1337 	if (smp->remote_key_dist & KEY_DIST_MASK) {
1338 		smp_allow_key_dist(smp);
1339 		return;
1340 	}
1341 
1342 	set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1343 	smp_notify_keys(conn);
1344 
1345 	smp_chan_destroy(conn);
1346 }
1347 
1348 static void smp_timeout(struct work_struct *work)
1349 {
1350 	struct smp_chan *smp = container_of(work, struct smp_chan,
1351 					    security_timer.work);
1352 	struct l2cap_conn *conn = smp->conn;
1353 
1354 	BT_DBG("conn %p", conn);
1355 
1356 	hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1357 }
1358 
1359 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1360 {
1361 	struct l2cap_chan *chan = conn->smp;
1362 	struct smp_chan *smp;
1363 
1364 	smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1365 	if (!smp)
1366 		return NULL;
1367 
1368 	smp->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
1369 	if (IS_ERR(smp->tfm_aes)) {
1370 		BT_ERR("Unable to create ECB crypto context");
1371 		kzfree(smp);
1372 		return NULL;
1373 	}
1374 
1375 	smp->tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
1376 	if (IS_ERR(smp->tfm_cmac)) {
1377 		BT_ERR("Unable to create CMAC crypto context");
1378 		crypto_free_blkcipher(smp->tfm_aes);
1379 		kzfree(smp);
1380 		return NULL;
1381 	}
1382 
1383 	smp->conn = conn;
1384 	chan->data = smp;
1385 
1386 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1387 
1388 	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1389 
1390 	hci_conn_hold(conn->hcon);
1391 
1392 	return smp;
1393 }
1394 
1395 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1396 {
1397 	struct hci_conn *hcon = smp->conn->hcon;
1398 	u8 *na, *nb, a[7], b[7];
1399 
1400 	if (hcon->out) {
1401 		na   = smp->prnd;
1402 		nb   = smp->rrnd;
1403 	} else {
1404 		na   = smp->rrnd;
1405 		nb   = smp->prnd;
1406 	}
1407 
1408 	memcpy(a, &hcon->init_addr, 6);
1409 	memcpy(b, &hcon->resp_addr, 6);
1410 	a[6] = hcon->init_addr_type;
1411 	b[6] = hcon->resp_addr_type;
1412 
1413 	return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1414 }
1415 
1416 static void sc_dhkey_check(struct smp_chan *smp)
1417 {
1418 	struct hci_conn *hcon = smp->conn->hcon;
1419 	struct smp_cmd_dhkey_check check;
1420 	u8 a[7], b[7], *local_addr, *remote_addr;
1421 	u8 io_cap[3], r[16];
1422 
1423 	memcpy(a, &hcon->init_addr, 6);
1424 	memcpy(b, &hcon->resp_addr, 6);
1425 	a[6] = hcon->init_addr_type;
1426 	b[6] = hcon->resp_addr_type;
1427 
1428 	if (hcon->out) {
1429 		local_addr = a;
1430 		remote_addr = b;
1431 		memcpy(io_cap, &smp->preq[1], 3);
1432 	} else {
1433 		local_addr = b;
1434 		remote_addr = a;
1435 		memcpy(io_cap, &smp->prsp[1], 3);
1436 	}
1437 
1438 	memset(r, 0, sizeof(r));
1439 
1440 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1441 		put_unaligned_le32(hcon->passkey_notify, r);
1442 
1443 	if (smp->method == REQ_OOB)
1444 		memcpy(r, smp->rr, 16);
1445 
1446 	smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1447 	       local_addr, remote_addr, check.e);
1448 
1449 	smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1450 }
1451 
1452 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1453 {
1454 	struct l2cap_conn *conn = smp->conn;
1455 	struct hci_conn *hcon = conn->hcon;
1456 	struct smp_cmd_pairing_confirm cfm;
1457 	u8 r;
1458 
1459 	r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1460 	r |= 0x80;
1461 
1462 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1463 
1464 	if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1465 		   cfm.confirm_val))
1466 		return SMP_UNSPECIFIED;
1467 
1468 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1469 
1470 	return 0;
1471 }
1472 
1473 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1474 {
1475 	struct l2cap_conn *conn = smp->conn;
1476 	struct hci_conn *hcon = conn->hcon;
1477 	struct hci_dev *hdev = hcon->hdev;
1478 	u8 cfm[16], r;
1479 
1480 	/* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1481 	if (smp->passkey_round >= 20)
1482 		return 0;
1483 
1484 	switch (smp_op) {
1485 	case SMP_CMD_PAIRING_RANDOM:
1486 		r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1487 		r |= 0x80;
1488 
1489 		if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1490 			   smp->rrnd, r, cfm))
1491 			return SMP_UNSPECIFIED;
1492 
1493 		if (memcmp(smp->pcnf, cfm, 16))
1494 			return SMP_CONFIRM_FAILED;
1495 
1496 		smp->passkey_round++;
1497 
1498 		if (smp->passkey_round == 20) {
1499 			/* Generate MacKey and LTK */
1500 			if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1501 				return SMP_UNSPECIFIED;
1502 		}
1503 
1504 		/* The round is only complete when the initiator
1505 		 * receives pairing random.
1506 		 */
1507 		if (!hcon->out) {
1508 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1509 				     sizeof(smp->prnd), smp->prnd);
1510 			if (smp->passkey_round == 20)
1511 				SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1512 			else
1513 				SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1514 			return 0;
1515 		}
1516 
1517 		/* Start the next round */
1518 		if (smp->passkey_round != 20)
1519 			return sc_passkey_round(smp, 0);
1520 
1521 		/* Passkey rounds are complete - start DHKey Check */
1522 		sc_dhkey_check(smp);
1523 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1524 
1525 		break;
1526 
1527 	case SMP_CMD_PAIRING_CONFIRM:
1528 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1529 			set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1530 			return 0;
1531 		}
1532 
1533 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1534 
1535 		if (hcon->out) {
1536 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1537 				     sizeof(smp->prnd), smp->prnd);
1538 			return 0;
1539 		}
1540 
1541 		return sc_passkey_send_confirm(smp);
1542 
1543 	case SMP_CMD_PUBLIC_KEY:
1544 	default:
1545 		/* Initiating device starts the round */
1546 		if (!hcon->out)
1547 			return 0;
1548 
1549 		BT_DBG("%s Starting passkey round %u", hdev->name,
1550 		       smp->passkey_round + 1);
1551 
1552 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1553 
1554 		return sc_passkey_send_confirm(smp);
1555 	}
1556 
1557 	return 0;
1558 }
1559 
1560 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1561 {
1562 	struct l2cap_conn *conn = smp->conn;
1563 	struct hci_conn *hcon = conn->hcon;
1564 	u8 smp_op;
1565 
1566 	clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1567 
1568 	switch (mgmt_op) {
1569 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1570 		smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1571 		return 0;
1572 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1573 		smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1574 		return 0;
1575 	case MGMT_OP_USER_PASSKEY_REPLY:
1576 		hcon->passkey_notify = le32_to_cpu(passkey);
1577 		smp->passkey_round = 0;
1578 
1579 		if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1580 			smp_op = SMP_CMD_PAIRING_CONFIRM;
1581 		else
1582 			smp_op = 0;
1583 
1584 		if (sc_passkey_round(smp, smp_op))
1585 			return -EIO;
1586 
1587 		return 0;
1588 	}
1589 
1590 	/* Initiator sends DHKey check first */
1591 	if (hcon->out) {
1592 		sc_dhkey_check(smp);
1593 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1594 	} else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1595 		sc_dhkey_check(smp);
1596 		sc_add_ltk(smp);
1597 	}
1598 
1599 	return 0;
1600 }
1601 
1602 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1603 {
1604 	struct l2cap_conn *conn = hcon->l2cap_data;
1605 	struct l2cap_chan *chan;
1606 	struct smp_chan *smp;
1607 	u32 value;
1608 	int err;
1609 
1610 	BT_DBG("");
1611 
1612 	if (!conn)
1613 		return -ENOTCONN;
1614 
1615 	chan = conn->smp;
1616 	if (!chan)
1617 		return -ENOTCONN;
1618 
1619 	l2cap_chan_lock(chan);
1620 	if (!chan->data) {
1621 		err = -ENOTCONN;
1622 		goto unlock;
1623 	}
1624 
1625 	smp = chan->data;
1626 
1627 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1628 		err = sc_user_reply(smp, mgmt_op, passkey);
1629 		goto unlock;
1630 	}
1631 
1632 	switch (mgmt_op) {
1633 	case MGMT_OP_USER_PASSKEY_REPLY:
1634 		value = le32_to_cpu(passkey);
1635 		memset(smp->tk, 0, sizeof(smp->tk));
1636 		BT_DBG("PassKey: %d", value);
1637 		put_unaligned_le32(value, smp->tk);
1638 		/* Fall Through */
1639 	case MGMT_OP_USER_CONFIRM_REPLY:
1640 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1641 		break;
1642 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1643 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1644 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1645 		err = 0;
1646 		goto unlock;
1647 	default:
1648 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1649 		err = -EOPNOTSUPP;
1650 		goto unlock;
1651 	}
1652 
1653 	err = 0;
1654 
1655 	/* If it is our turn to send Pairing Confirm, do so now */
1656 	if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1657 		u8 rsp = smp_confirm(smp);
1658 		if (rsp)
1659 			smp_failure(conn, rsp);
1660 	}
1661 
1662 unlock:
1663 	l2cap_chan_unlock(chan);
1664 	return err;
1665 }
1666 
1667 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1668 				    struct smp_cmd_pairing *req,
1669 				    struct smp_cmd_pairing *rsp)
1670 {
1671 	struct l2cap_conn *conn = smp->conn;
1672 	struct hci_dev *hdev = conn->hcon->hdev;
1673 	u8 local_dist = 0, remote_dist = 0;
1674 
1675 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1676 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1677 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1678 	}
1679 
1680 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1681 		remote_dist |= SMP_DIST_ID_KEY;
1682 
1683 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1684 		local_dist |= SMP_DIST_ID_KEY;
1685 
1686 	if (!rsp) {
1687 		memset(req, 0, sizeof(*req));
1688 
1689 		req->init_key_dist   = local_dist;
1690 		req->resp_key_dist   = remote_dist;
1691 		req->max_key_size    = SMP_MAX_ENC_KEY_SIZE;
1692 
1693 		smp->remote_key_dist = remote_dist;
1694 
1695 		return;
1696 	}
1697 
1698 	memset(rsp, 0, sizeof(*rsp));
1699 
1700 	rsp->max_key_size    = SMP_MAX_ENC_KEY_SIZE;
1701 	rsp->init_key_dist   = req->init_key_dist & remote_dist;
1702 	rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1703 
1704 	smp->remote_key_dist = rsp->init_key_dist;
1705 }
1706 
1707 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1708 {
1709 	struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1710 	struct l2cap_chan *chan = conn->smp;
1711 	struct hci_dev *hdev = conn->hcon->hdev;
1712 	struct smp_chan *smp;
1713 	u8 key_size, auth, sec_level;
1714 	int ret;
1715 
1716 	BT_DBG("conn %p", conn);
1717 
1718 	if (skb->len < sizeof(*req))
1719 		return SMP_INVALID_PARAMS;
1720 
1721 	if (conn->hcon->role != HCI_ROLE_SLAVE)
1722 		return SMP_CMD_NOTSUPP;
1723 
1724 	if (!chan->data)
1725 		smp = smp_chan_create(conn);
1726 	else
1727 		smp = chan->data;
1728 
1729 	if (!smp)
1730 		return SMP_UNSPECIFIED;
1731 
1732 	/* We didn't start the pairing, so match remote */
1733 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
1734 
1735 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1736 	    (auth & SMP_AUTH_BONDING))
1737 		return SMP_PAIRING_NOTSUPP;
1738 
1739 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1740 		return SMP_AUTH_REQUIREMENTS;
1741 
1742 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
1743 	memcpy(&smp->preq[1], req, sizeof(*req));
1744 	skb_pull(skb, sizeof(*req));
1745 
1746 	/* If the remote side's OOB flag is set it means it has
1747 	 * successfully received our local OOB data - therefore set the
1748 	 * flag to indicate that local OOB is in use.
1749 	 */
1750 	if (req->oob_flag == SMP_OOB_PRESENT)
1751 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1752 
1753 	/* SMP over BR/EDR requires special treatment */
1754 	if (conn->hcon->type == ACL_LINK) {
1755 		/* We must have a BR/EDR SC link */
1756 		if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1757 		    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1758 			return SMP_CROSS_TRANSP_NOT_ALLOWED;
1759 
1760 		set_bit(SMP_FLAG_SC, &smp->flags);
1761 
1762 		build_bredr_pairing_cmd(smp, req, &rsp);
1763 
1764 		key_size = min(req->max_key_size, rsp.max_key_size);
1765 		if (check_enc_key_size(conn, key_size))
1766 			return SMP_ENC_KEY_SIZE;
1767 
1768 		/* Clear bits which are generated but not distributed */
1769 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1770 
1771 		smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1772 		memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1773 		smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1774 
1775 		smp_distribute_keys(smp);
1776 		return 0;
1777 	}
1778 
1779 	build_pairing_cmd(conn, req, &rsp, auth);
1780 
1781 	if (rsp.auth_req & SMP_AUTH_SC)
1782 		set_bit(SMP_FLAG_SC, &smp->flags);
1783 
1784 	if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1785 		sec_level = BT_SECURITY_MEDIUM;
1786 	else
1787 		sec_level = authreq_to_seclevel(auth);
1788 
1789 	if (sec_level > conn->hcon->pending_sec_level)
1790 		conn->hcon->pending_sec_level = sec_level;
1791 
1792 	/* If we need MITM check that it can be achieved */
1793 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1794 		u8 method;
1795 
1796 		method = get_auth_method(smp, conn->hcon->io_capability,
1797 					 req->io_capability);
1798 		if (method == JUST_WORKS || method == JUST_CFM)
1799 			return SMP_AUTH_REQUIREMENTS;
1800 	}
1801 
1802 	key_size = min(req->max_key_size, rsp.max_key_size);
1803 	if (check_enc_key_size(conn, key_size))
1804 		return SMP_ENC_KEY_SIZE;
1805 
1806 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1807 
1808 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1809 	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1810 
1811 	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1812 
1813 	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1814 
1815 	/* Strictly speaking we shouldn't allow Pairing Confirm for the
1816 	 * SC case, however some implementations incorrectly copy RFU auth
1817 	 * req bits from our security request, which may create a false
1818 	 * positive SC enablement.
1819 	 */
1820 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1821 
1822 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1823 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1824 		/* Clear bits which are generated but not distributed */
1825 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1826 		/* Wait for Public Key from Initiating Device */
1827 		return 0;
1828 	}
1829 
1830 	/* Request setup of TK */
1831 	ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1832 	if (ret)
1833 		return SMP_UNSPECIFIED;
1834 
1835 	return 0;
1836 }
1837 
1838 static u8 sc_send_public_key(struct smp_chan *smp)
1839 {
1840 	struct hci_dev *hdev = smp->conn->hcon->hdev;
1841 
1842 	BT_DBG("");
1843 
1844 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1845 		struct l2cap_chan *chan = hdev->smp_data;
1846 		struct smp_dev *smp_dev;
1847 
1848 		if (!chan || !chan->data)
1849 			return SMP_UNSPECIFIED;
1850 
1851 		smp_dev = chan->data;
1852 
1853 		memcpy(smp->local_pk, smp_dev->local_pk, 64);
1854 		memcpy(smp->local_sk, smp_dev->local_sk, 32);
1855 		memcpy(smp->lr, smp_dev->local_rand, 16);
1856 
1857 		if (smp_dev->debug_key)
1858 			set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1859 
1860 		goto done;
1861 	}
1862 
1863 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1864 		BT_DBG("Using debug keys");
1865 		memcpy(smp->local_pk, debug_pk, 64);
1866 		memcpy(smp->local_sk, debug_sk, 32);
1867 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1868 	} else {
1869 		while (true) {
1870 			/* Generate local key pair for Secure Connections */
1871 			if (!ecc_make_key(smp->local_pk, smp->local_sk))
1872 				return SMP_UNSPECIFIED;
1873 
1874 			/* This is unlikely, but we need to check that
1875 			 * we didn't accidentially generate a debug key.
1876 			 */
1877 			if (memcmp(smp->local_sk, debug_sk, 32))
1878 				break;
1879 		}
1880 	}
1881 
1882 done:
1883 	SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1884 	SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1885 	SMP_DBG("Local Private Key:  %32phN", smp->local_sk);
1886 
1887 	smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1888 
1889 	return 0;
1890 }
1891 
1892 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1893 {
1894 	struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1895 	struct l2cap_chan *chan = conn->smp;
1896 	struct smp_chan *smp = chan->data;
1897 	struct hci_dev *hdev = conn->hcon->hdev;
1898 	u8 key_size, auth;
1899 	int ret;
1900 
1901 	BT_DBG("conn %p", conn);
1902 
1903 	if (skb->len < sizeof(*rsp))
1904 		return SMP_INVALID_PARAMS;
1905 
1906 	if (conn->hcon->role != HCI_ROLE_MASTER)
1907 		return SMP_CMD_NOTSUPP;
1908 
1909 	skb_pull(skb, sizeof(*rsp));
1910 
1911 	req = (void *) &smp->preq[1];
1912 
1913 	key_size = min(req->max_key_size, rsp->max_key_size);
1914 	if (check_enc_key_size(conn, key_size))
1915 		return SMP_ENC_KEY_SIZE;
1916 
1917 	auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1918 
1919 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1920 		return SMP_AUTH_REQUIREMENTS;
1921 
1922 	/* If the remote side's OOB flag is set it means it has
1923 	 * successfully received our local OOB data - therefore set the
1924 	 * flag to indicate that local OOB is in use.
1925 	 */
1926 	if (rsp->oob_flag == SMP_OOB_PRESENT)
1927 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1928 
1929 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1930 	memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1931 
1932 	/* Update remote key distribution in case the remote cleared
1933 	 * some bits that we had enabled in our request.
1934 	 */
1935 	smp->remote_key_dist &= rsp->resp_key_dist;
1936 
1937 	/* For BR/EDR this means we're done and can start phase 3 */
1938 	if (conn->hcon->type == ACL_LINK) {
1939 		/* Clear bits which are generated but not distributed */
1940 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1941 		smp_distribute_keys(smp);
1942 		return 0;
1943 	}
1944 
1945 	if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1946 		set_bit(SMP_FLAG_SC, &smp->flags);
1947 	else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1948 		conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1949 
1950 	/* If we need MITM check that it can be achieved */
1951 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1952 		u8 method;
1953 
1954 		method = get_auth_method(smp, req->io_capability,
1955 					 rsp->io_capability);
1956 		if (method == JUST_WORKS || method == JUST_CFM)
1957 			return SMP_AUTH_REQUIREMENTS;
1958 	}
1959 
1960 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1961 
1962 	/* Update remote key distribution in case the remote cleared
1963 	 * some bits that we had enabled in our request.
1964 	 */
1965 	smp->remote_key_dist &= rsp->resp_key_dist;
1966 
1967 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1968 		/* Clear bits which are generated but not distributed */
1969 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1970 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1971 		return sc_send_public_key(smp);
1972 	}
1973 
1974 	auth |= req->auth_req;
1975 
1976 	ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
1977 	if (ret)
1978 		return SMP_UNSPECIFIED;
1979 
1980 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1981 
1982 	/* Can't compose response until we have been confirmed */
1983 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1984 		return smp_confirm(smp);
1985 
1986 	return 0;
1987 }
1988 
1989 static u8 sc_check_confirm(struct smp_chan *smp)
1990 {
1991 	struct l2cap_conn *conn = smp->conn;
1992 
1993 	BT_DBG("");
1994 
1995 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1996 		return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
1997 
1998 	if (conn->hcon->out) {
1999 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2000 			     smp->prnd);
2001 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2002 	}
2003 
2004 	return 0;
2005 }
2006 
2007 /* Work-around for some implementations that incorrectly copy RFU bits
2008  * from our security request and thereby create the impression that
2009  * we're doing SC when in fact the remote doesn't support it.
2010  */
2011 static int fixup_sc_false_positive(struct smp_chan *smp)
2012 {
2013 	struct l2cap_conn *conn = smp->conn;
2014 	struct hci_conn *hcon = conn->hcon;
2015 	struct hci_dev *hdev = hcon->hdev;
2016 	struct smp_cmd_pairing *req, *rsp;
2017 	u8 auth;
2018 
2019 	/* The issue is only observed when we're in slave role */
2020 	if (hcon->out)
2021 		return SMP_UNSPECIFIED;
2022 
2023 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2024 		BT_ERR("Refusing SMP SC -> legacy fallback in SC-only mode");
2025 		return SMP_UNSPECIFIED;
2026 	}
2027 
2028 	BT_ERR("Trying to fall back to legacy SMP");
2029 
2030 	req = (void *) &smp->preq[1];
2031 	rsp = (void *) &smp->prsp[1];
2032 
2033 	/* Rebuild key dist flags which may have been cleared for SC */
2034 	smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2035 
2036 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
2037 
2038 	if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2039 		BT_ERR("Failed to fall back to legacy SMP");
2040 		return SMP_UNSPECIFIED;
2041 	}
2042 
2043 	clear_bit(SMP_FLAG_SC, &smp->flags);
2044 
2045 	return 0;
2046 }
2047 
2048 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2049 {
2050 	struct l2cap_chan *chan = conn->smp;
2051 	struct smp_chan *smp = chan->data;
2052 
2053 	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
2054 
2055 	if (skb->len < sizeof(smp->pcnf))
2056 		return SMP_INVALID_PARAMS;
2057 
2058 	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2059 	skb_pull(skb, sizeof(smp->pcnf));
2060 
2061 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2062 		int ret;
2063 
2064 		/* Public Key exchange must happen before any other steps */
2065 		if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2066 			return sc_check_confirm(smp);
2067 
2068 		BT_ERR("Unexpected SMP Pairing Confirm");
2069 
2070 		ret = fixup_sc_false_positive(smp);
2071 		if (ret)
2072 			return ret;
2073 	}
2074 
2075 	if (conn->hcon->out) {
2076 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2077 			     smp->prnd);
2078 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2079 		return 0;
2080 	}
2081 
2082 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2083 		return smp_confirm(smp);
2084 
2085 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2086 
2087 	return 0;
2088 }
2089 
2090 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2091 {
2092 	struct l2cap_chan *chan = conn->smp;
2093 	struct smp_chan *smp = chan->data;
2094 	struct hci_conn *hcon = conn->hcon;
2095 	u8 *pkax, *pkbx, *na, *nb;
2096 	u32 passkey;
2097 	int err;
2098 
2099 	BT_DBG("conn %p", conn);
2100 
2101 	if (skb->len < sizeof(smp->rrnd))
2102 		return SMP_INVALID_PARAMS;
2103 
2104 	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2105 	skb_pull(skb, sizeof(smp->rrnd));
2106 
2107 	if (!test_bit(SMP_FLAG_SC, &smp->flags))
2108 		return smp_random(smp);
2109 
2110 	if (hcon->out) {
2111 		pkax = smp->local_pk;
2112 		pkbx = smp->remote_pk;
2113 		na   = smp->prnd;
2114 		nb   = smp->rrnd;
2115 	} else {
2116 		pkax = smp->remote_pk;
2117 		pkbx = smp->local_pk;
2118 		na   = smp->rrnd;
2119 		nb   = smp->prnd;
2120 	}
2121 
2122 	if (smp->method == REQ_OOB) {
2123 		if (!hcon->out)
2124 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2125 				     sizeof(smp->prnd), smp->prnd);
2126 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2127 		goto mackey_and_ltk;
2128 	}
2129 
2130 	/* Passkey entry has special treatment */
2131 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2132 		return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2133 
2134 	if (hcon->out) {
2135 		u8 cfm[16];
2136 
2137 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2138 			     smp->rrnd, 0, cfm);
2139 		if (err)
2140 			return SMP_UNSPECIFIED;
2141 
2142 		if (memcmp(smp->pcnf, cfm, 16))
2143 			return SMP_CONFIRM_FAILED;
2144 	} else {
2145 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2146 			     smp->prnd);
2147 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2148 	}
2149 
2150 mackey_and_ltk:
2151 	/* Generate MacKey and LTK */
2152 	err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2153 	if (err)
2154 		return SMP_UNSPECIFIED;
2155 
2156 	if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2157 		if (hcon->out) {
2158 			sc_dhkey_check(smp);
2159 			SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2160 		}
2161 		return 0;
2162 	}
2163 
2164 	err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2165 	if (err)
2166 		return SMP_UNSPECIFIED;
2167 
2168 	err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2169 					hcon->dst_type, passkey, 0);
2170 	if (err)
2171 		return SMP_UNSPECIFIED;
2172 
2173 	set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2174 
2175 	return 0;
2176 }
2177 
2178 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2179 {
2180 	struct smp_ltk *key;
2181 	struct hci_conn *hcon = conn->hcon;
2182 
2183 	key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2184 	if (!key)
2185 		return false;
2186 
2187 	if (smp_ltk_sec_level(key) < sec_level)
2188 		return false;
2189 
2190 	if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2191 		return true;
2192 
2193 	hci_le_start_enc(hcon, key->ediv, key->rand, key->val);
2194 	hcon->enc_key_size = key->enc_size;
2195 
2196 	/* We never store STKs for master role, so clear this flag */
2197 	clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2198 
2199 	return true;
2200 }
2201 
2202 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2203 			     enum smp_key_pref key_pref)
2204 {
2205 	if (sec_level == BT_SECURITY_LOW)
2206 		return true;
2207 
2208 	/* If we're encrypted with an STK but the caller prefers using
2209 	 * LTK claim insufficient security. This way we allow the
2210 	 * connection to be re-encrypted with an LTK, even if the LTK
2211 	 * provides the same level of security. Only exception is if we
2212 	 * don't have an LTK (e.g. because of key distribution bits).
2213 	 */
2214 	if (key_pref == SMP_USE_LTK &&
2215 	    test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2216 	    hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2217 		return false;
2218 
2219 	if (hcon->sec_level >= sec_level)
2220 		return true;
2221 
2222 	return false;
2223 }
2224 
2225 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2226 {
2227 	struct smp_cmd_security_req *rp = (void *) skb->data;
2228 	struct smp_cmd_pairing cp;
2229 	struct hci_conn *hcon = conn->hcon;
2230 	struct hci_dev *hdev = hcon->hdev;
2231 	struct smp_chan *smp;
2232 	u8 sec_level, auth;
2233 
2234 	BT_DBG("conn %p", conn);
2235 
2236 	if (skb->len < sizeof(*rp))
2237 		return SMP_INVALID_PARAMS;
2238 
2239 	if (hcon->role != HCI_ROLE_MASTER)
2240 		return SMP_CMD_NOTSUPP;
2241 
2242 	auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2243 
2244 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2245 		return SMP_AUTH_REQUIREMENTS;
2246 
2247 	if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2248 		sec_level = BT_SECURITY_MEDIUM;
2249 	else
2250 		sec_level = authreq_to_seclevel(auth);
2251 
2252 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2253 		return 0;
2254 
2255 	if (sec_level > hcon->pending_sec_level)
2256 		hcon->pending_sec_level = sec_level;
2257 
2258 	if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2259 		return 0;
2260 
2261 	smp = smp_chan_create(conn);
2262 	if (!smp)
2263 		return SMP_UNSPECIFIED;
2264 
2265 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2266 	    (auth & SMP_AUTH_BONDING))
2267 		return SMP_PAIRING_NOTSUPP;
2268 
2269 	skb_pull(skb, sizeof(*rp));
2270 
2271 	memset(&cp, 0, sizeof(cp));
2272 	build_pairing_cmd(conn, &cp, NULL, auth);
2273 
2274 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2275 	memcpy(&smp->preq[1], &cp, sizeof(cp));
2276 
2277 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2278 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2279 
2280 	return 0;
2281 }
2282 
2283 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2284 {
2285 	struct l2cap_conn *conn = hcon->l2cap_data;
2286 	struct l2cap_chan *chan;
2287 	struct smp_chan *smp;
2288 	__u8 authreq;
2289 	int ret;
2290 
2291 	BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2292 
2293 	/* This may be NULL if there's an unexpected disconnection */
2294 	if (!conn)
2295 		return 1;
2296 
2297 	chan = conn->smp;
2298 
2299 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2300 		return 1;
2301 
2302 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2303 		return 1;
2304 
2305 	if (sec_level > hcon->pending_sec_level)
2306 		hcon->pending_sec_level = sec_level;
2307 
2308 	if (hcon->role == HCI_ROLE_MASTER)
2309 		if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2310 			return 0;
2311 
2312 	l2cap_chan_lock(chan);
2313 
2314 	/* If SMP is already in progress ignore this request */
2315 	if (chan->data) {
2316 		ret = 0;
2317 		goto unlock;
2318 	}
2319 
2320 	smp = smp_chan_create(conn);
2321 	if (!smp) {
2322 		ret = 1;
2323 		goto unlock;
2324 	}
2325 
2326 	authreq = seclevel_to_authreq(sec_level);
2327 
2328 	if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED))
2329 		authreq |= SMP_AUTH_SC;
2330 
2331 	/* Require MITM if IO Capability allows or the security level
2332 	 * requires it.
2333 	 */
2334 	if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2335 	    hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2336 		authreq |= SMP_AUTH_MITM;
2337 
2338 	if (hcon->role == HCI_ROLE_MASTER) {
2339 		struct smp_cmd_pairing cp;
2340 
2341 		build_pairing_cmd(conn, &cp, NULL, authreq);
2342 		smp->preq[0] = SMP_CMD_PAIRING_REQ;
2343 		memcpy(&smp->preq[1], &cp, sizeof(cp));
2344 
2345 		smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2346 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2347 	} else {
2348 		struct smp_cmd_security_req cp;
2349 		cp.auth_req = authreq;
2350 		smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2351 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2352 	}
2353 
2354 	set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2355 	ret = 0;
2356 
2357 unlock:
2358 	l2cap_chan_unlock(chan);
2359 	return ret;
2360 }
2361 
2362 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2363 {
2364 	struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2365 	struct l2cap_chan *chan = conn->smp;
2366 	struct smp_chan *smp = chan->data;
2367 
2368 	BT_DBG("conn %p", conn);
2369 
2370 	if (skb->len < sizeof(*rp))
2371 		return SMP_INVALID_PARAMS;
2372 
2373 	SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2374 
2375 	skb_pull(skb, sizeof(*rp));
2376 
2377 	memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2378 
2379 	return 0;
2380 }
2381 
2382 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2383 {
2384 	struct smp_cmd_master_ident *rp = (void *) skb->data;
2385 	struct l2cap_chan *chan = conn->smp;
2386 	struct smp_chan *smp = chan->data;
2387 	struct hci_dev *hdev = conn->hcon->hdev;
2388 	struct hci_conn *hcon = conn->hcon;
2389 	struct smp_ltk *ltk;
2390 	u8 authenticated;
2391 
2392 	BT_DBG("conn %p", conn);
2393 
2394 	if (skb->len < sizeof(*rp))
2395 		return SMP_INVALID_PARAMS;
2396 
2397 	/* Mark the information as received */
2398 	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2399 
2400 	if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2401 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2402 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
2403 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2404 
2405 	skb_pull(skb, sizeof(*rp));
2406 
2407 	authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2408 	ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2409 			  authenticated, smp->tk, smp->enc_key_size,
2410 			  rp->ediv, rp->rand);
2411 	smp->ltk = ltk;
2412 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2413 		smp_distribute_keys(smp);
2414 
2415 	return 0;
2416 }
2417 
2418 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2419 {
2420 	struct smp_cmd_ident_info *info = (void *) skb->data;
2421 	struct l2cap_chan *chan = conn->smp;
2422 	struct smp_chan *smp = chan->data;
2423 
2424 	BT_DBG("");
2425 
2426 	if (skb->len < sizeof(*info))
2427 		return SMP_INVALID_PARAMS;
2428 
2429 	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2430 
2431 	skb_pull(skb, sizeof(*info));
2432 
2433 	memcpy(smp->irk, info->irk, 16);
2434 
2435 	return 0;
2436 }
2437 
2438 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2439 				   struct sk_buff *skb)
2440 {
2441 	struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2442 	struct l2cap_chan *chan = conn->smp;
2443 	struct smp_chan *smp = chan->data;
2444 	struct hci_conn *hcon = conn->hcon;
2445 	bdaddr_t rpa;
2446 
2447 	BT_DBG("");
2448 
2449 	if (skb->len < sizeof(*info))
2450 		return SMP_INVALID_PARAMS;
2451 
2452 	/* Mark the information as received */
2453 	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2454 
2455 	if (smp->remote_key_dist & SMP_DIST_SIGN)
2456 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2457 
2458 	skb_pull(skb, sizeof(*info));
2459 
2460 	/* Strictly speaking the Core Specification (4.1) allows sending
2461 	 * an empty address which would force us to rely on just the IRK
2462 	 * as "identity information". However, since such
2463 	 * implementations are not known of and in order to not over
2464 	 * complicate our implementation, simply pretend that we never
2465 	 * received an IRK for such a device.
2466 	 *
2467 	 * The Identity Address must also be a Static Random or Public
2468 	 * Address, which hci_is_identity_address() checks for.
2469 	 */
2470 	if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2471 	    !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2472 		BT_ERR("Ignoring IRK with no identity address");
2473 		goto distribute;
2474 	}
2475 
2476 	bacpy(&smp->id_addr, &info->bdaddr);
2477 	smp->id_addr_type = info->addr_type;
2478 
2479 	if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2480 		bacpy(&rpa, &hcon->dst);
2481 	else
2482 		bacpy(&rpa, BDADDR_ANY);
2483 
2484 	smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2485 				      smp->id_addr_type, smp->irk, &rpa);
2486 
2487 distribute:
2488 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2489 		smp_distribute_keys(smp);
2490 
2491 	return 0;
2492 }
2493 
2494 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2495 {
2496 	struct smp_cmd_sign_info *rp = (void *) skb->data;
2497 	struct l2cap_chan *chan = conn->smp;
2498 	struct smp_chan *smp = chan->data;
2499 	struct smp_csrk *csrk;
2500 
2501 	BT_DBG("conn %p", conn);
2502 
2503 	if (skb->len < sizeof(*rp))
2504 		return SMP_INVALID_PARAMS;
2505 
2506 	/* Mark the information as received */
2507 	smp->remote_key_dist &= ~SMP_DIST_SIGN;
2508 
2509 	skb_pull(skb, sizeof(*rp));
2510 
2511 	csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2512 	if (csrk) {
2513 		if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2514 			csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2515 		else
2516 			csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2517 		memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2518 	}
2519 	smp->csrk = csrk;
2520 	smp_distribute_keys(smp);
2521 
2522 	return 0;
2523 }
2524 
2525 static u8 sc_select_method(struct smp_chan *smp)
2526 {
2527 	struct l2cap_conn *conn = smp->conn;
2528 	struct hci_conn *hcon = conn->hcon;
2529 	struct smp_cmd_pairing *local, *remote;
2530 	u8 local_mitm, remote_mitm, local_io, remote_io, method;
2531 
2532 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2533 	    test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2534 		return REQ_OOB;
2535 
2536 	/* The preq/prsp contain the raw Pairing Request/Response PDUs
2537 	 * which are needed as inputs to some crypto functions. To get
2538 	 * the "struct smp_cmd_pairing" from them we need to skip the
2539 	 * first byte which contains the opcode.
2540 	 */
2541 	if (hcon->out) {
2542 		local = (void *) &smp->preq[1];
2543 		remote = (void *) &smp->prsp[1];
2544 	} else {
2545 		local = (void *) &smp->prsp[1];
2546 		remote = (void *) &smp->preq[1];
2547 	}
2548 
2549 	local_io = local->io_capability;
2550 	remote_io = remote->io_capability;
2551 
2552 	local_mitm = (local->auth_req & SMP_AUTH_MITM);
2553 	remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2554 
2555 	/* If either side wants MITM, look up the method from the table,
2556 	 * otherwise use JUST WORKS.
2557 	 */
2558 	if (local_mitm || remote_mitm)
2559 		method = get_auth_method(smp, local_io, remote_io);
2560 	else
2561 		method = JUST_WORKS;
2562 
2563 	/* Don't confirm locally initiated pairing attempts */
2564 	if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2565 		method = JUST_WORKS;
2566 
2567 	return method;
2568 }
2569 
2570 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2571 {
2572 	struct smp_cmd_public_key *key = (void *) skb->data;
2573 	struct hci_conn *hcon = conn->hcon;
2574 	struct l2cap_chan *chan = conn->smp;
2575 	struct smp_chan *smp = chan->data;
2576 	struct hci_dev *hdev = hcon->hdev;
2577 	struct smp_cmd_pairing_confirm cfm;
2578 	int err;
2579 
2580 	BT_DBG("conn %p", conn);
2581 
2582 	if (skb->len < sizeof(*key))
2583 		return SMP_INVALID_PARAMS;
2584 
2585 	memcpy(smp->remote_pk, key, 64);
2586 
2587 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2588 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2589 			     smp->rr, 0, cfm.confirm_val);
2590 		if (err)
2591 			return SMP_UNSPECIFIED;
2592 
2593 		if (memcmp(cfm.confirm_val, smp->pcnf, 16))
2594 			return SMP_CONFIRM_FAILED;
2595 	}
2596 
2597 	/* Non-initiating device sends its public key after receiving
2598 	 * the key from the initiating device.
2599 	 */
2600 	if (!hcon->out) {
2601 		err = sc_send_public_key(smp);
2602 		if (err)
2603 			return err;
2604 	}
2605 
2606 	SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2607 	SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2608 
2609 	if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2610 		return SMP_UNSPECIFIED;
2611 
2612 	SMP_DBG("DHKey %32phN", smp->dhkey);
2613 
2614 	set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2615 
2616 	smp->method = sc_select_method(smp);
2617 
2618 	BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2619 
2620 	/* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2621 	if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2622 		hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2623 	else
2624 		hcon->pending_sec_level = BT_SECURITY_FIPS;
2625 
2626 	if (!memcmp(debug_pk, smp->remote_pk, 64))
2627 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2628 
2629 	if (smp->method == DSP_PASSKEY) {
2630 		get_random_bytes(&hcon->passkey_notify,
2631 				 sizeof(hcon->passkey_notify));
2632 		hcon->passkey_notify %= 1000000;
2633 		hcon->passkey_entered = 0;
2634 		smp->passkey_round = 0;
2635 		if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2636 					     hcon->dst_type,
2637 					     hcon->passkey_notify,
2638 					     hcon->passkey_entered))
2639 			return SMP_UNSPECIFIED;
2640 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2641 		return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2642 	}
2643 
2644 	if (smp->method == REQ_OOB) {
2645 		if (hcon->out)
2646 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2647 				     sizeof(smp->prnd), smp->prnd);
2648 
2649 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2650 
2651 		return 0;
2652 	}
2653 
2654 	if (hcon->out)
2655 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2656 
2657 	if (smp->method == REQ_PASSKEY) {
2658 		if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2659 					      hcon->dst_type))
2660 			return SMP_UNSPECIFIED;
2661 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2662 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2663 		return 0;
2664 	}
2665 
2666 	/* The Initiating device waits for the non-initiating device to
2667 	 * send the confirm value.
2668 	 */
2669 	if (conn->hcon->out)
2670 		return 0;
2671 
2672 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2673 		     0, cfm.confirm_val);
2674 	if (err)
2675 		return SMP_UNSPECIFIED;
2676 
2677 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2678 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2679 
2680 	return 0;
2681 }
2682 
2683 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2684 {
2685 	struct smp_cmd_dhkey_check *check = (void *) skb->data;
2686 	struct l2cap_chan *chan = conn->smp;
2687 	struct hci_conn *hcon = conn->hcon;
2688 	struct smp_chan *smp = chan->data;
2689 	u8 a[7], b[7], *local_addr, *remote_addr;
2690 	u8 io_cap[3], r[16], e[16];
2691 	int err;
2692 
2693 	BT_DBG("conn %p", conn);
2694 
2695 	if (skb->len < sizeof(*check))
2696 		return SMP_INVALID_PARAMS;
2697 
2698 	memcpy(a, &hcon->init_addr, 6);
2699 	memcpy(b, &hcon->resp_addr, 6);
2700 	a[6] = hcon->init_addr_type;
2701 	b[6] = hcon->resp_addr_type;
2702 
2703 	if (hcon->out) {
2704 		local_addr = a;
2705 		remote_addr = b;
2706 		memcpy(io_cap, &smp->prsp[1], 3);
2707 	} else {
2708 		local_addr = b;
2709 		remote_addr = a;
2710 		memcpy(io_cap, &smp->preq[1], 3);
2711 	}
2712 
2713 	memset(r, 0, sizeof(r));
2714 
2715 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2716 		put_unaligned_le32(hcon->passkey_notify, r);
2717 	else if (smp->method == REQ_OOB)
2718 		memcpy(r, smp->lr, 16);
2719 
2720 	err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2721 		     io_cap, remote_addr, local_addr, e);
2722 	if (err)
2723 		return SMP_UNSPECIFIED;
2724 
2725 	if (memcmp(check->e, e, 16))
2726 		return SMP_DHKEY_CHECK_FAILED;
2727 
2728 	if (!hcon->out) {
2729 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2730 			set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2731 			return 0;
2732 		}
2733 
2734 		/* Slave sends DHKey check as response to master */
2735 		sc_dhkey_check(smp);
2736 	}
2737 
2738 	sc_add_ltk(smp);
2739 
2740 	if (hcon->out) {
2741 		hci_le_start_enc(hcon, 0, 0, smp->tk);
2742 		hcon->enc_key_size = smp->enc_key_size;
2743 	}
2744 
2745 	return 0;
2746 }
2747 
2748 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2749 				   struct sk_buff *skb)
2750 {
2751 	struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2752 
2753 	BT_DBG("value 0x%02x", kp->value);
2754 
2755 	return 0;
2756 }
2757 
2758 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2759 {
2760 	struct l2cap_conn *conn = chan->conn;
2761 	struct hci_conn *hcon = conn->hcon;
2762 	struct smp_chan *smp;
2763 	__u8 code, reason;
2764 	int err = 0;
2765 
2766 	if (skb->len < 1)
2767 		return -EILSEQ;
2768 
2769 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2770 		reason = SMP_PAIRING_NOTSUPP;
2771 		goto done;
2772 	}
2773 
2774 	code = skb->data[0];
2775 	skb_pull(skb, sizeof(code));
2776 
2777 	smp = chan->data;
2778 
2779 	if (code > SMP_CMD_MAX)
2780 		goto drop;
2781 
2782 	if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2783 		goto drop;
2784 
2785 	/* If we don't have a context the only allowed commands are
2786 	 * pairing request and security request.
2787 	 */
2788 	if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2789 		goto drop;
2790 
2791 	switch (code) {
2792 	case SMP_CMD_PAIRING_REQ:
2793 		reason = smp_cmd_pairing_req(conn, skb);
2794 		break;
2795 
2796 	case SMP_CMD_PAIRING_FAIL:
2797 		smp_failure(conn, 0);
2798 		err = -EPERM;
2799 		break;
2800 
2801 	case SMP_CMD_PAIRING_RSP:
2802 		reason = smp_cmd_pairing_rsp(conn, skb);
2803 		break;
2804 
2805 	case SMP_CMD_SECURITY_REQ:
2806 		reason = smp_cmd_security_req(conn, skb);
2807 		break;
2808 
2809 	case SMP_CMD_PAIRING_CONFIRM:
2810 		reason = smp_cmd_pairing_confirm(conn, skb);
2811 		break;
2812 
2813 	case SMP_CMD_PAIRING_RANDOM:
2814 		reason = smp_cmd_pairing_random(conn, skb);
2815 		break;
2816 
2817 	case SMP_CMD_ENCRYPT_INFO:
2818 		reason = smp_cmd_encrypt_info(conn, skb);
2819 		break;
2820 
2821 	case SMP_CMD_MASTER_IDENT:
2822 		reason = smp_cmd_master_ident(conn, skb);
2823 		break;
2824 
2825 	case SMP_CMD_IDENT_INFO:
2826 		reason = smp_cmd_ident_info(conn, skb);
2827 		break;
2828 
2829 	case SMP_CMD_IDENT_ADDR_INFO:
2830 		reason = smp_cmd_ident_addr_info(conn, skb);
2831 		break;
2832 
2833 	case SMP_CMD_SIGN_INFO:
2834 		reason = smp_cmd_sign_info(conn, skb);
2835 		break;
2836 
2837 	case SMP_CMD_PUBLIC_KEY:
2838 		reason = smp_cmd_public_key(conn, skb);
2839 		break;
2840 
2841 	case SMP_CMD_DHKEY_CHECK:
2842 		reason = smp_cmd_dhkey_check(conn, skb);
2843 		break;
2844 
2845 	case SMP_CMD_KEYPRESS_NOTIFY:
2846 		reason = smp_cmd_keypress_notify(conn, skb);
2847 		break;
2848 
2849 	default:
2850 		BT_DBG("Unknown command code 0x%2.2x", code);
2851 		reason = SMP_CMD_NOTSUPP;
2852 		goto done;
2853 	}
2854 
2855 done:
2856 	if (!err) {
2857 		if (reason)
2858 			smp_failure(conn, reason);
2859 		kfree_skb(skb);
2860 	}
2861 
2862 	return err;
2863 
2864 drop:
2865 	BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2866 	       code, &hcon->dst);
2867 	kfree_skb(skb);
2868 	return 0;
2869 }
2870 
2871 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2872 {
2873 	struct l2cap_conn *conn = chan->conn;
2874 
2875 	BT_DBG("chan %p", chan);
2876 
2877 	if (chan->data)
2878 		smp_chan_destroy(conn);
2879 
2880 	conn->smp = NULL;
2881 	l2cap_chan_put(chan);
2882 }
2883 
2884 static void bredr_pairing(struct l2cap_chan *chan)
2885 {
2886 	struct l2cap_conn *conn = chan->conn;
2887 	struct hci_conn *hcon = conn->hcon;
2888 	struct hci_dev *hdev = hcon->hdev;
2889 	struct smp_cmd_pairing req;
2890 	struct smp_chan *smp;
2891 
2892 	BT_DBG("chan %p", chan);
2893 
2894 	/* Only new pairings are interesting */
2895 	if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2896 		return;
2897 
2898 	/* Don't bother if we're not encrypted */
2899 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2900 		return;
2901 
2902 	/* Only master may initiate SMP over BR/EDR */
2903 	if (hcon->role != HCI_ROLE_MASTER)
2904 		return;
2905 
2906 	/* Secure Connections support must be enabled */
2907 	if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
2908 		return;
2909 
2910 	/* BR/EDR must use Secure Connections for SMP */
2911 	if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
2912 	    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
2913 		return;
2914 
2915 	/* If our LE support is not enabled don't do anything */
2916 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
2917 		return;
2918 
2919 	/* Don't bother if remote LE support is not enabled */
2920 	if (!lmp_host_le_capable(hcon))
2921 		return;
2922 
2923 	/* Remote must support SMP fixed chan for BR/EDR */
2924 	if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
2925 		return;
2926 
2927 	/* Don't bother if SMP is already ongoing */
2928 	if (chan->data)
2929 		return;
2930 
2931 	smp = smp_chan_create(conn);
2932 	if (!smp) {
2933 		BT_ERR("%s unable to create SMP context for BR/EDR",
2934 		       hdev->name);
2935 		return;
2936 	}
2937 
2938 	set_bit(SMP_FLAG_SC, &smp->flags);
2939 
2940 	BT_DBG("%s starting SMP over BR/EDR", hdev->name);
2941 
2942 	/* Prepare and send the BR/EDR SMP Pairing Request */
2943 	build_bredr_pairing_cmd(smp, &req, NULL);
2944 
2945 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2946 	memcpy(&smp->preq[1], &req, sizeof(req));
2947 
2948 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
2949 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2950 }
2951 
2952 static void smp_resume_cb(struct l2cap_chan *chan)
2953 {
2954 	struct smp_chan *smp = chan->data;
2955 	struct l2cap_conn *conn = chan->conn;
2956 	struct hci_conn *hcon = conn->hcon;
2957 
2958 	BT_DBG("chan %p", chan);
2959 
2960 	if (hcon->type == ACL_LINK) {
2961 		bredr_pairing(chan);
2962 		return;
2963 	}
2964 
2965 	if (!smp)
2966 		return;
2967 
2968 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2969 		return;
2970 
2971 	cancel_delayed_work(&smp->security_timer);
2972 
2973 	smp_distribute_keys(smp);
2974 }
2975 
2976 static void smp_ready_cb(struct l2cap_chan *chan)
2977 {
2978 	struct l2cap_conn *conn = chan->conn;
2979 	struct hci_conn *hcon = conn->hcon;
2980 
2981 	BT_DBG("chan %p", chan);
2982 
2983 	conn->smp = chan;
2984 	l2cap_chan_hold(chan);
2985 
2986 	if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2987 		bredr_pairing(chan);
2988 }
2989 
2990 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
2991 {
2992 	int err;
2993 
2994 	BT_DBG("chan %p", chan);
2995 
2996 	err = smp_sig_channel(chan, skb);
2997 	if (err) {
2998 		struct smp_chan *smp = chan->data;
2999 
3000 		if (smp)
3001 			cancel_delayed_work_sync(&smp->security_timer);
3002 
3003 		hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3004 	}
3005 
3006 	return err;
3007 }
3008 
3009 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3010 					unsigned long hdr_len,
3011 					unsigned long len, int nb)
3012 {
3013 	struct sk_buff *skb;
3014 
3015 	skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3016 	if (!skb)
3017 		return ERR_PTR(-ENOMEM);
3018 
3019 	skb->priority = HCI_PRIO_MAX;
3020 	bt_cb(skb)->l2cap.chan = chan;
3021 
3022 	return skb;
3023 }
3024 
3025 static const struct l2cap_ops smp_chan_ops = {
3026 	.name			= "Security Manager",
3027 	.ready			= smp_ready_cb,
3028 	.recv			= smp_recv_cb,
3029 	.alloc_skb		= smp_alloc_skb_cb,
3030 	.teardown		= smp_teardown_cb,
3031 	.resume			= smp_resume_cb,
3032 
3033 	.new_connection		= l2cap_chan_no_new_connection,
3034 	.state_change		= l2cap_chan_no_state_change,
3035 	.close			= l2cap_chan_no_close,
3036 	.defer			= l2cap_chan_no_defer,
3037 	.suspend		= l2cap_chan_no_suspend,
3038 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3039 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3040 };
3041 
3042 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3043 {
3044 	struct l2cap_chan *chan;
3045 
3046 	BT_DBG("pchan %p", pchan);
3047 
3048 	chan = l2cap_chan_create();
3049 	if (!chan)
3050 		return NULL;
3051 
3052 	chan->chan_type	= pchan->chan_type;
3053 	chan->ops	= &smp_chan_ops;
3054 	chan->scid	= pchan->scid;
3055 	chan->dcid	= chan->scid;
3056 	chan->imtu	= pchan->imtu;
3057 	chan->omtu	= pchan->omtu;
3058 	chan->mode	= pchan->mode;
3059 
3060 	/* Other L2CAP channels may request SMP routines in order to
3061 	 * change the security level. This means that the SMP channel
3062 	 * lock must be considered in its own category to avoid lockdep
3063 	 * warnings.
3064 	 */
3065 	atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3066 
3067 	BT_DBG("created chan %p", chan);
3068 
3069 	return chan;
3070 }
3071 
3072 static const struct l2cap_ops smp_root_chan_ops = {
3073 	.name			= "Security Manager Root",
3074 	.new_connection		= smp_new_conn_cb,
3075 
3076 	/* None of these are implemented for the root channel */
3077 	.close			= l2cap_chan_no_close,
3078 	.alloc_skb		= l2cap_chan_no_alloc_skb,
3079 	.recv			= l2cap_chan_no_recv,
3080 	.state_change		= l2cap_chan_no_state_change,
3081 	.teardown		= l2cap_chan_no_teardown,
3082 	.ready			= l2cap_chan_no_ready,
3083 	.defer			= l2cap_chan_no_defer,
3084 	.suspend		= l2cap_chan_no_suspend,
3085 	.resume			= l2cap_chan_no_resume,
3086 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3087 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3088 };
3089 
3090 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3091 {
3092 	struct l2cap_chan *chan;
3093 	struct smp_dev *smp;
3094 	struct crypto_blkcipher *tfm_aes;
3095 	struct crypto_hash *tfm_cmac;
3096 
3097 	if (cid == L2CAP_CID_SMP_BREDR) {
3098 		smp = NULL;
3099 		goto create_chan;
3100 	}
3101 
3102 	smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3103 	if (!smp)
3104 		return ERR_PTR(-ENOMEM);
3105 
3106 	tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
3107 	if (IS_ERR(tfm_aes)) {
3108 		BT_ERR("Unable to create ECB crypto context");
3109 		kzfree(smp);
3110 		return ERR_CAST(tfm_aes);
3111 	}
3112 
3113 	tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3114 	if (IS_ERR(tfm_cmac)) {
3115 		BT_ERR("Unable to create CMAC crypto context");
3116 		crypto_free_blkcipher(tfm_aes);
3117 		kzfree(smp);
3118 		return ERR_CAST(tfm_cmac);
3119 	}
3120 
3121 	smp->tfm_aes = tfm_aes;
3122 	smp->tfm_cmac = tfm_cmac;
3123 
3124 create_chan:
3125 	chan = l2cap_chan_create();
3126 	if (!chan) {
3127 		if (smp) {
3128 			crypto_free_blkcipher(smp->tfm_aes);
3129 			crypto_free_hash(smp->tfm_cmac);
3130 			kzfree(smp);
3131 		}
3132 		return ERR_PTR(-ENOMEM);
3133 	}
3134 
3135 	chan->data = smp;
3136 
3137 	l2cap_add_scid(chan, cid);
3138 
3139 	l2cap_chan_set_defaults(chan);
3140 
3141 	if (cid == L2CAP_CID_SMP) {
3142 		u8 bdaddr_type;
3143 
3144 		hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3145 
3146 		if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3147 			chan->src_type = BDADDR_LE_PUBLIC;
3148 		else
3149 			chan->src_type = BDADDR_LE_RANDOM;
3150 	} else {
3151 		bacpy(&chan->src, &hdev->bdaddr);
3152 		chan->src_type = BDADDR_BREDR;
3153 	}
3154 
3155 	chan->state = BT_LISTEN;
3156 	chan->mode = L2CAP_MODE_BASIC;
3157 	chan->imtu = L2CAP_DEFAULT_MTU;
3158 	chan->ops = &smp_root_chan_ops;
3159 
3160 	/* Set correct nesting level for a parent/listening channel */
3161 	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3162 
3163 	return chan;
3164 }
3165 
3166 static void smp_del_chan(struct l2cap_chan *chan)
3167 {
3168 	struct smp_dev *smp;
3169 
3170 	BT_DBG("chan %p", chan);
3171 
3172 	smp = chan->data;
3173 	if (smp) {
3174 		chan->data = NULL;
3175 		if (smp->tfm_aes)
3176 			crypto_free_blkcipher(smp->tfm_aes);
3177 		if (smp->tfm_cmac)
3178 			crypto_free_hash(smp->tfm_cmac);
3179 		kzfree(smp);
3180 	}
3181 
3182 	l2cap_chan_put(chan);
3183 }
3184 
3185 static ssize_t force_bredr_smp_read(struct file *file,
3186 				    char __user *user_buf,
3187 				    size_t count, loff_t *ppos)
3188 {
3189 	struct hci_dev *hdev = file->private_data;
3190 	char buf[3];
3191 
3192 	buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3193 	buf[1] = '\n';
3194 	buf[2] = '\0';
3195 	return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3196 }
3197 
3198 static ssize_t force_bredr_smp_write(struct file *file,
3199 				     const char __user *user_buf,
3200 				     size_t count, loff_t *ppos)
3201 {
3202 	struct hci_dev *hdev = file->private_data;
3203 	char buf[32];
3204 	size_t buf_size = min(count, (sizeof(buf)-1));
3205 	bool enable;
3206 
3207 	if (copy_from_user(buf, user_buf, buf_size))
3208 		return -EFAULT;
3209 
3210 	buf[buf_size] = '\0';
3211 	if (strtobool(buf, &enable))
3212 		return -EINVAL;
3213 
3214 	if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3215 		return -EALREADY;
3216 
3217 	if (enable) {
3218 		struct l2cap_chan *chan;
3219 
3220 		chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3221 		if (IS_ERR(chan))
3222 			return PTR_ERR(chan);
3223 
3224 		hdev->smp_bredr_data = chan;
3225 	} else {
3226 		struct l2cap_chan *chan;
3227 
3228 		chan = hdev->smp_bredr_data;
3229 		hdev->smp_bredr_data = NULL;
3230 		smp_del_chan(chan);
3231 	}
3232 
3233 	hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3234 
3235 	return count;
3236 }
3237 
3238 static const struct file_operations force_bredr_smp_fops = {
3239 	.open		= simple_open,
3240 	.read		= force_bredr_smp_read,
3241 	.write		= force_bredr_smp_write,
3242 	.llseek		= default_llseek,
3243 };
3244 
3245 int smp_register(struct hci_dev *hdev)
3246 {
3247 	struct l2cap_chan *chan;
3248 
3249 	BT_DBG("%s", hdev->name);
3250 
3251 	/* If the controller does not support Low Energy operation, then
3252 	 * there is also no need to register any SMP channel.
3253 	 */
3254 	if (!lmp_le_capable(hdev))
3255 		return 0;
3256 
3257 	if (WARN_ON(hdev->smp_data)) {
3258 		chan = hdev->smp_data;
3259 		hdev->smp_data = NULL;
3260 		smp_del_chan(chan);
3261 	}
3262 
3263 	chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3264 	if (IS_ERR(chan))
3265 		return PTR_ERR(chan);
3266 
3267 	hdev->smp_data = chan;
3268 
3269 	/* If the controller does not support BR/EDR Secure Connections
3270 	 * feature, then the BR/EDR SMP channel shall not be present.
3271 	 *
3272 	 * To test this with Bluetooth 4.0 controllers, create a debugfs
3273 	 * switch that allows forcing BR/EDR SMP support and accepting
3274 	 * cross-transport pairing on non-AES encrypted connections.
3275 	 */
3276 	if (!lmp_sc_capable(hdev)) {
3277 		debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3278 				    hdev, &force_bredr_smp_fops);
3279 		return 0;
3280 	}
3281 
3282 	if (WARN_ON(hdev->smp_bredr_data)) {
3283 		chan = hdev->smp_bredr_data;
3284 		hdev->smp_bredr_data = NULL;
3285 		smp_del_chan(chan);
3286 	}
3287 
3288 	chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3289 	if (IS_ERR(chan)) {
3290 		int err = PTR_ERR(chan);
3291 		chan = hdev->smp_data;
3292 		hdev->smp_data = NULL;
3293 		smp_del_chan(chan);
3294 		return err;
3295 	}
3296 
3297 	hdev->smp_bredr_data = chan;
3298 
3299 	return 0;
3300 }
3301 
3302 void smp_unregister(struct hci_dev *hdev)
3303 {
3304 	struct l2cap_chan *chan;
3305 
3306 	if (hdev->smp_bredr_data) {
3307 		chan = hdev->smp_bredr_data;
3308 		hdev->smp_bredr_data = NULL;
3309 		smp_del_chan(chan);
3310 	}
3311 
3312 	if (hdev->smp_data) {
3313 		chan = hdev->smp_data;
3314 		hdev->smp_data = NULL;
3315 		smp_del_chan(chan);
3316 	}
3317 }
3318 
3319 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3320 
3321 static int __init test_ah(struct crypto_blkcipher *tfm_aes)
3322 {
3323 	const u8 irk[16] = {
3324 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3325 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3326 	const u8 r[3] = { 0x94, 0x81, 0x70 };
3327 	const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3328 	u8 res[3];
3329 	int err;
3330 
3331 	err = smp_ah(tfm_aes, irk, r, res);
3332 	if (err)
3333 		return err;
3334 
3335 	if (memcmp(res, exp, 3))
3336 		return -EINVAL;
3337 
3338 	return 0;
3339 }
3340 
3341 static int __init test_c1(struct crypto_blkcipher *tfm_aes)
3342 {
3343 	const u8 k[16] = {
3344 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3345 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3346 	const u8 r[16] = {
3347 			0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3348 			0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3349 	const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3350 	const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3351 	const u8 _iat = 0x01;
3352 	const u8 _rat = 0x00;
3353 	const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3354 	const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3355 	const u8 exp[16] = {
3356 			0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3357 			0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3358 	u8 res[16];
3359 	int err;
3360 
3361 	err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3362 	if (err)
3363 		return err;
3364 
3365 	if (memcmp(res, exp, 16))
3366 		return -EINVAL;
3367 
3368 	return 0;
3369 }
3370 
3371 static int __init test_s1(struct crypto_blkcipher *tfm_aes)
3372 {
3373 	const u8 k[16] = {
3374 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3375 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3376 	const u8 r1[16] = {
3377 			0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3378 	const u8 r2[16] = {
3379 			0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3380 	const u8 exp[16] = {
3381 			0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3382 			0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3383 	u8 res[16];
3384 	int err;
3385 
3386 	err = smp_s1(tfm_aes, k, r1, r2, res);
3387 	if (err)
3388 		return err;
3389 
3390 	if (memcmp(res, exp, 16))
3391 		return -EINVAL;
3392 
3393 	return 0;
3394 }
3395 
3396 static int __init test_f4(struct crypto_hash *tfm_cmac)
3397 {
3398 	const u8 u[32] = {
3399 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3400 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3401 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3402 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3403 	const u8 v[32] = {
3404 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3405 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3406 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3407 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3408 	const u8 x[16] = {
3409 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3410 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3411 	const u8 z = 0x00;
3412 	const u8 exp[16] = {
3413 			0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3414 			0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3415 	u8 res[16];
3416 	int err;
3417 
3418 	err = smp_f4(tfm_cmac, u, v, x, z, res);
3419 	if (err)
3420 		return err;
3421 
3422 	if (memcmp(res, exp, 16))
3423 		return -EINVAL;
3424 
3425 	return 0;
3426 }
3427 
3428 static int __init test_f5(struct crypto_hash *tfm_cmac)
3429 {
3430 	const u8 w[32] = {
3431 			0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3432 			0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3433 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3434 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3435 	const u8 n1[16] = {
3436 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3437 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3438 	const u8 n2[16] = {
3439 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3440 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3441 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3442 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3443 	const u8 exp_ltk[16] = {
3444 			0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3445 			0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3446 	const u8 exp_mackey[16] = {
3447 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3448 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3449 	u8 mackey[16], ltk[16];
3450 	int err;
3451 
3452 	err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3453 	if (err)
3454 		return err;
3455 
3456 	if (memcmp(mackey, exp_mackey, 16))
3457 		return -EINVAL;
3458 
3459 	if (memcmp(ltk, exp_ltk, 16))
3460 		return -EINVAL;
3461 
3462 	return 0;
3463 }
3464 
3465 static int __init test_f6(struct crypto_hash *tfm_cmac)
3466 {
3467 	const u8 w[16] = {
3468 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3469 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3470 	const u8 n1[16] = {
3471 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3472 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3473 	const u8 n2[16] = {
3474 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3475 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3476 	const u8 r[16] = {
3477 			0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3478 			0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3479 	const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3480 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3481 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3482 	const u8 exp[16] = {
3483 			0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3484 			0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3485 	u8 res[16];
3486 	int err;
3487 
3488 	err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3489 	if (err)
3490 		return err;
3491 
3492 	if (memcmp(res, exp, 16))
3493 		return -EINVAL;
3494 
3495 	return 0;
3496 }
3497 
3498 static int __init test_g2(struct crypto_hash *tfm_cmac)
3499 {
3500 	const u8 u[32] = {
3501 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3502 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3503 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3504 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3505 	const u8 v[32] = {
3506 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3507 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3508 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3509 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3510 	const u8 x[16] = {
3511 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3512 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3513 	const u8 y[16] = {
3514 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3515 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3516 	const u32 exp_val = 0x2f9ed5ba % 1000000;
3517 	u32 val;
3518 	int err;
3519 
3520 	err = smp_g2(tfm_cmac, u, v, x, y, &val);
3521 	if (err)
3522 		return err;
3523 
3524 	if (val != exp_val)
3525 		return -EINVAL;
3526 
3527 	return 0;
3528 }
3529 
3530 static int __init test_h6(struct crypto_hash *tfm_cmac)
3531 {
3532 	const u8 w[16] = {
3533 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3534 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3535 	const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3536 	const u8 exp[16] = {
3537 			0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3538 			0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3539 	u8 res[16];
3540 	int err;
3541 
3542 	err = smp_h6(tfm_cmac, w, key_id, res);
3543 	if (err)
3544 		return err;
3545 
3546 	if (memcmp(res, exp, 16))
3547 		return -EINVAL;
3548 
3549 	return 0;
3550 }
3551 
3552 static char test_smp_buffer[32];
3553 
3554 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3555 			     size_t count, loff_t *ppos)
3556 {
3557 	return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3558 				       strlen(test_smp_buffer));
3559 }
3560 
3561 static const struct file_operations test_smp_fops = {
3562 	.open		= simple_open,
3563 	.read		= test_smp_read,
3564 	.llseek		= default_llseek,
3565 };
3566 
3567 static int __init run_selftests(struct crypto_blkcipher *tfm_aes,
3568 				struct crypto_hash *tfm_cmac)
3569 {
3570 	ktime_t calltime, delta, rettime;
3571 	unsigned long long duration;
3572 	int err;
3573 
3574 	calltime = ktime_get();
3575 
3576 	err = test_ah(tfm_aes);
3577 	if (err) {
3578 		BT_ERR("smp_ah test failed");
3579 		goto done;
3580 	}
3581 
3582 	err = test_c1(tfm_aes);
3583 	if (err) {
3584 		BT_ERR("smp_c1 test failed");
3585 		goto done;
3586 	}
3587 
3588 	err = test_s1(tfm_aes);
3589 	if (err) {
3590 		BT_ERR("smp_s1 test failed");
3591 		goto done;
3592 	}
3593 
3594 	err = test_f4(tfm_cmac);
3595 	if (err) {
3596 		BT_ERR("smp_f4 test failed");
3597 		goto done;
3598 	}
3599 
3600 	err = test_f5(tfm_cmac);
3601 	if (err) {
3602 		BT_ERR("smp_f5 test failed");
3603 		goto done;
3604 	}
3605 
3606 	err = test_f6(tfm_cmac);
3607 	if (err) {
3608 		BT_ERR("smp_f6 test failed");
3609 		goto done;
3610 	}
3611 
3612 	err = test_g2(tfm_cmac);
3613 	if (err) {
3614 		BT_ERR("smp_g2 test failed");
3615 		goto done;
3616 	}
3617 
3618 	err = test_h6(tfm_cmac);
3619 	if (err) {
3620 		BT_ERR("smp_h6 test failed");
3621 		goto done;
3622 	}
3623 
3624 	rettime = ktime_get();
3625 	delta = ktime_sub(rettime, calltime);
3626 	duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3627 
3628 	BT_INFO("SMP test passed in %llu usecs", duration);
3629 
3630 done:
3631 	if (!err)
3632 		snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3633 			 "PASS (%llu usecs)\n", duration);
3634 	else
3635 		snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3636 
3637 	debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3638 			    &test_smp_fops);
3639 
3640 	return err;
3641 }
3642 
3643 int __init bt_selftest_smp(void)
3644 {
3645 	struct crypto_blkcipher *tfm_aes;
3646 	struct crypto_hash *tfm_cmac;
3647 	int err;
3648 
3649 	tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
3650 	if (IS_ERR(tfm_aes)) {
3651 		BT_ERR("Unable to create ECB crypto context");
3652 		return PTR_ERR(tfm_aes);
3653 	}
3654 
3655 	tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3656 	if (IS_ERR(tfm_cmac)) {
3657 		BT_ERR("Unable to create CMAC crypto context");
3658 		crypto_free_blkcipher(tfm_aes);
3659 		return PTR_ERR(tfm_cmac);
3660 	}
3661 
3662 	err = run_selftests(tfm_aes, tfm_cmac);
3663 
3664 	crypto_free_hash(tfm_cmac);
3665 	crypto_free_blkcipher(tfm_aes);
3666 
3667 	return err;
3668 }
3669 
3670 #endif
3671