xref: /openbmc/linux/net/bluetooth/smp.c (revision 4984dd069f2995f239f075199ee8c0d9f020bcd9)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4 
5    This program is free software; you can redistribute it and/or modify
6    it under the terms of the GNU General Public License version 2 as
7    published by the Free Software Foundation;
8 
9    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 
18    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20    SOFTWARE IS DISCLAIMED.
21 */
22 
23 #include <linux/debugfs.h>
24 #include <linux/scatterlist.h>
25 #include <linux/crypto.h>
26 #include <crypto/algapi.h>
27 #include <crypto/b128ops.h>
28 #include <crypto/hash.h>
29 #include <crypto/kpp.h>
30 
31 #include <net/bluetooth/bluetooth.h>
32 #include <net/bluetooth/hci_core.h>
33 #include <net/bluetooth/l2cap.h>
34 #include <net/bluetooth/mgmt.h>
35 
36 #include "ecdh_helper.h"
37 #include "smp.h"
38 
39 #define SMP_DEV(hdev) \
40 	((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
41 
42 /* Low-level debug macros to be used for stuff that we don't want
43  * accidentially in dmesg, i.e. the values of the various crypto keys
44  * and the inputs & outputs of crypto functions.
45  */
46 #ifdef DEBUG
47 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
48 				 ##__VA_ARGS__)
49 #else
50 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
51 				    ##__VA_ARGS__)
52 #endif
53 
54 #define SMP_ALLOW_CMD(smp, code)	set_bit(code, &smp->allow_cmd)
55 
56 /* Keys which are not distributed with Secure Connections */
57 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
58 
59 #define SMP_TIMEOUT	msecs_to_jiffies(30000)
60 
61 #define AUTH_REQ_MASK(dev)	(hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
62 				 0x3f : 0x07)
63 #define KEY_DIST_MASK		0x07
64 
65 /* Maximum message length that can be passed to aes_cmac */
66 #define CMAC_MSG_MAX	80
67 
68 enum {
69 	SMP_FLAG_TK_VALID,
70 	SMP_FLAG_CFM_PENDING,
71 	SMP_FLAG_MITM_AUTH,
72 	SMP_FLAG_COMPLETE,
73 	SMP_FLAG_INITIATOR,
74 	SMP_FLAG_SC,
75 	SMP_FLAG_REMOTE_PK,
76 	SMP_FLAG_DEBUG_KEY,
77 	SMP_FLAG_WAIT_USER,
78 	SMP_FLAG_DHKEY_PENDING,
79 	SMP_FLAG_REMOTE_OOB,
80 	SMP_FLAG_LOCAL_OOB,
81 	SMP_FLAG_CT2,
82 };
83 
84 struct smp_dev {
85 	/* Secure Connections OOB data */
86 	bool			local_oob;
87 	u8			local_pk[64];
88 	u8			local_rand[16];
89 	bool			debug_key;
90 
91 	struct crypto_cipher	*tfm_aes;
92 	struct crypto_shash	*tfm_cmac;
93 	struct crypto_kpp	*tfm_ecdh;
94 };
95 
96 struct smp_chan {
97 	struct l2cap_conn	*conn;
98 	struct delayed_work	security_timer;
99 	unsigned long           allow_cmd; /* Bitmask of allowed commands */
100 
101 	u8		preq[7]; /* SMP Pairing Request */
102 	u8		prsp[7]; /* SMP Pairing Response */
103 	u8		prnd[16]; /* SMP Pairing Random (local) */
104 	u8		rrnd[16]; /* SMP Pairing Random (remote) */
105 	u8		pcnf[16]; /* SMP Pairing Confirm */
106 	u8		tk[16]; /* SMP Temporary Key */
107 	u8		rr[16]; /* Remote OOB ra/rb value */
108 	u8		lr[16]; /* Local OOB ra/rb value */
109 	u8		enc_key_size;
110 	u8		remote_key_dist;
111 	bdaddr_t	id_addr;
112 	u8		id_addr_type;
113 	u8		irk[16];
114 	struct smp_csrk	*csrk;
115 	struct smp_csrk	*slave_csrk;
116 	struct smp_ltk	*ltk;
117 	struct smp_ltk	*slave_ltk;
118 	struct smp_irk	*remote_irk;
119 	u8		*link_key;
120 	unsigned long	flags;
121 	u8		method;
122 	u8		passkey_round;
123 
124 	/* Secure Connections variables */
125 	u8			local_pk[64];
126 	u8			remote_pk[64];
127 	u8			dhkey[32];
128 	u8			mackey[16];
129 
130 	struct crypto_cipher	*tfm_aes;
131 	struct crypto_shash	*tfm_cmac;
132 	struct crypto_kpp	*tfm_ecdh;
133 };
134 
135 /* These debug key values are defined in the SMP section of the core
136  * specification. debug_pk is the public debug key and debug_sk the
137  * private debug key.
138  */
139 static const u8 debug_pk[64] = {
140 		0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
141 		0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
142 		0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
143 		0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
144 
145 		0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
146 		0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
147 		0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
148 		0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
149 };
150 
151 static const u8 debug_sk[32] = {
152 		0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
153 		0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
154 		0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
155 		0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
156 };
157 
158 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
159 {
160 	size_t i;
161 
162 	for (i = 0; i < len; i++)
163 		dst[len - 1 - i] = src[i];
164 }
165 
166 /* The following functions map to the LE SC SMP crypto functions
167  * AES-CMAC, f4, f5, f6, g2 and h6.
168  */
169 
170 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
171 		    size_t len, u8 mac[16])
172 {
173 	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
174 	SHASH_DESC_ON_STACK(desc, tfm);
175 	int err;
176 
177 	if (len > CMAC_MSG_MAX)
178 		return -EFBIG;
179 
180 	if (!tfm) {
181 		BT_ERR("tfm %p", tfm);
182 		return -EINVAL;
183 	}
184 
185 	desc->tfm = tfm;
186 
187 	/* Swap key and message from LSB to MSB */
188 	swap_buf(k, tmp, 16);
189 	swap_buf(m, msg_msb, len);
190 
191 	SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
192 	SMP_DBG("key %16phN", k);
193 
194 	err = crypto_shash_setkey(tfm, tmp, 16);
195 	if (err) {
196 		BT_ERR("cipher setkey failed: %d", err);
197 		return err;
198 	}
199 
200 	err = crypto_shash_digest(desc, msg_msb, len, mac_msb);
201 	shash_desc_zero(desc);
202 	if (err) {
203 		BT_ERR("Hash computation error %d", err);
204 		return err;
205 	}
206 
207 	swap_buf(mac_msb, mac, 16);
208 
209 	SMP_DBG("mac %16phN", mac);
210 
211 	return 0;
212 }
213 
214 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
215 		  const u8 v[32], const u8 x[16], u8 z, u8 res[16])
216 {
217 	u8 m[65];
218 	int err;
219 
220 	SMP_DBG("u %32phN", u);
221 	SMP_DBG("v %32phN", v);
222 	SMP_DBG("x %16phN z %02x", x, z);
223 
224 	m[0] = z;
225 	memcpy(m + 1, v, 32);
226 	memcpy(m + 33, u, 32);
227 
228 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
229 	if (err)
230 		return err;
231 
232 	SMP_DBG("res %16phN", res);
233 
234 	return err;
235 }
236 
237 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
238 		  const u8 n1[16], const u8 n2[16], const u8 a1[7],
239 		  const u8 a2[7], u8 mackey[16], u8 ltk[16])
240 {
241 	/* The btle, salt and length "magic" values are as defined in
242 	 * the SMP section of the Bluetooth core specification. In ASCII
243 	 * the btle value ends up being 'btle'. The salt is just a
244 	 * random number whereas length is the value 256 in little
245 	 * endian format.
246 	 */
247 	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
248 	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
249 			      0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
250 	const u8 length[2] = { 0x00, 0x01 };
251 	u8 m[53], t[16];
252 	int err;
253 
254 	SMP_DBG("w %32phN", w);
255 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
256 	SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
257 
258 	err = aes_cmac(tfm_cmac, salt, w, 32, t);
259 	if (err)
260 		return err;
261 
262 	SMP_DBG("t %16phN", t);
263 
264 	memcpy(m, length, 2);
265 	memcpy(m + 2, a2, 7);
266 	memcpy(m + 9, a1, 7);
267 	memcpy(m + 16, n2, 16);
268 	memcpy(m + 32, n1, 16);
269 	memcpy(m + 48, btle, 4);
270 
271 	m[52] = 0; /* Counter */
272 
273 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
274 	if (err)
275 		return err;
276 
277 	SMP_DBG("mackey %16phN", mackey);
278 
279 	m[52] = 1; /* Counter */
280 
281 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
282 	if (err)
283 		return err;
284 
285 	SMP_DBG("ltk %16phN", ltk);
286 
287 	return 0;
288 }
289 
290 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
291 		  const u8 n1[16], const u8 n2[16], const u8 r[16],
292 		  const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
293 		  u8 res[16])
294 {
295 	u8 m[65];
296 	int err;
297 
298 	SMP_DBG("w %16phN", w);
299 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
300 	SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
301 
302 	memcpy(m, a2, 7);
303 	memcpy(m + 7, a1, 7);
304 	memcpy(m + 14, io_cap, 3);
305 	memcpy(m + 17, r, 16);
306 	memcpy(m + 33, n2, 16);
307 	memcpy(m + 49, n1, 16);
308 
309 	err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
310 	if (err)
311 		return err;
312 
313 	SMP_DBG("res %16phN", res);
314 
315 	return err;
316 }
317 
318 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
319 		  const u8 x[16], const u8 y[16], u32 *val)
320 {
321 	u8 m[80], tmp[16];
322 	int err;
323 
324 	SMP_DBG("u %32phN", u);
325 	SMP_DBG("v %32phN", v);
326 	SMP_DBG("x %16phN y %16phN", x, y);
327 
328 	memcpy(m, y, 16);
329 	memcpy(m + 16, v, 32);
330 	memcpy(m + 48, u, 32);
331 
332 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
333 	if (err)
334 		return err;
335 
336 	*val = get_unaligned_le32(tmp);
337 	*val %= 1000000;
338 
339 	SMP_DBG("val %06u", *val);
340 
341 	return 0;
342 }
343 
344 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
345 		  const u8 key_id[4], u8 res[16])
346 {
347 	int err;
348 
349 	SMP_DBG("w %16phN key_id %4phN", w, key_id);
350 
351 	err = aes_cmac(tfm_cmac, w, key_id, 4, res);
352 	if (err)
353 		return err;
354 
355 	SMP_DBG("res %16phN", res);
356 
357 	return err;
358 }
359 
360 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
361 		  const u8 salt[16], u8 res[16])
362 {
363 	int err;
364 
365 	SMP_DBG("w %16phN salt %16phN", w, salt);
366 
367 	err = aes_cmac(tfm_cmac, salt, w, 16, res);
368 	if (err)
369 		return err;
370 
371 	SMP_DBG("res %16phN", res);
372 
373 	return err;
374 }
375 
376 /* The following functions map to the legacy SMP crypto functions e, c1,
377  * s1 and ah.
378  */
379 
380 static int smp_e(struct crypto_cipher *tfm, const u8 *k, u8 *r)
381 {
382 	uint8_t tmp[16], data[16];
383 	int err;
384 
385 	SMP_DBG("k %16phN r %16phN", k, r);
386 
387 	if (!tfm) {
388 		BT_ERR("tfm %p", tfm);
389 		return -EINVAL;
390 	}
391 
392 	/* The most significant octet of key corresponds to k[0] */
393 	swap_buf(k, tmp, 16);
394 
395 	err = crypto_cipher_setkey(tfm, tmp, 16);
396 	if (err) {
397 		BT_ERR("cipher setkey failed: %d", err);
398 		return err;
399 	}
400 
401 	/* Most significant octet of plaintextData corresponds to data[0] */
402 	swap_buf(r, data, 16);
403 
404 	crypto_cipher_encrypt_one(tfm, data, data);
405 
406 	/* Most significant octet of encryptedData corresponds to data[0] */
407 	swap_buf(data, r, 16);
408 
409 	SMP_DBG("r %16phN", r);
410 
411 	return err;
412 }
413 
414 static int smp_c1(struct crypto_cipher *tfm_aes, const u8 k[16],
415 		  const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
416 		  const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
417 {
418 	u8 p1[16], p2[16];
419 	int err;
420 
421 	SMP_DBG("k %16phN r %16phN", k, r);
422 	SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
423 	SMP_DBG("preq %7phN pres %7phN", preq, pres);
424 
425 	memset(p1, 0, 16);
426 
427 	/* p1 = pres || preq || _rat || _iat */
428 	p1[0] = _iat;
429 	p1[1] = _rat;
430 	memcpy(p1 + 2, preq, 7);
431 	memcpy(p1 + 9, pres, 7);
432 
433 	SMP_DBG("p1 %16phN", p1);
434 
435 	/* res = r XOR p1 */
436 	u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
437 
438 	/* res = e(k, res) */
439 	err = smp_e(tfm_aes, k, res);
440 	if (err) {
441 		BT_ERR("Encrypt data error");
442 		return err;
443 	}
444 
445 	/* p2 = padding || ia || ra */
446 	memcpy(p2, ra, 6);
447 	memcpy(p2 + 6, ia, 6);
448 	memset(p2 + 12, 0, 4);
449 
450 	SMP_DBG("p2 %16phN", p2);
451 
452 	/* res = res XOR p2 */
453 	u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
454 
455 	/* res = e(k, res) */
456 	err = smp_e(tfm_aes, k, res);
457 	if (err)
458 		BT_ERR("Encrypt data error");
459 
460 	return err;
461 }
462 
463 static int smp_s1(struct crypto_cipher *tfm_aes, const u8 k[16],
464 		  const u8 r1[16], const u8 r2[16], u8 _r[16])
465 {
466 	int err;
467 
468 	/* Just least significant octets from r1 and r2 are considered */
469 	memcpy(_r, r2, 8);
470 	memcpy(_r + 8, r1, 8);
471 
472 	err = smp_e(tfm_aes, k, _r);
473 	if (err)
474 		BT_ERR("Encrypt data error");
475 
476 	return err;
477 }
478 
479 static int smp_ah(struct crypto_cipher *tfm, const u8 irk[16],
480 		  const u8 r[3], u8 res[3])
481 {
482 	u8 _res[16];
483 	int err;
484 
485 	/* r' = padding || r */
486 	memcpy(_res, r, 3);
487 	memset(_res + 3, 0, 13);
488 
489 	err = smp_e(tfm, irk, _res);
490 	if (err) {
491 		BT_ERR("Encrypt error");
492 		return err;
493 	}
494 
495 	/* The output of the random address function ah is:
496 	 *	ah(k, r) = e(k, r') mod 2^24
497 	 * The output of the security function e is then truncated to 24 bits
498 	 * by taking the least significant 24 bits of the output of e as the
499 	 * result of ah.
500 	 */
501 	memcpy(res, _res, 3);
502 
503 	return 0;
504 }
505 
506 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
507 		     const bdaddr_t *bdaddr)
508 {
509 	struct l2cap_chan *chan = hdev->smp_data;
510 	struct smp_dev *smp;
511 	u8 hash[3];
512 	int err;
513 
514 	if (!chan || !chan->data)
515 		return false;
516 
517 	smp = chan->data;
518 
519 	BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
520 
521 	err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash);
522 	if (err)
523 		return false;
524 
525 	return !crypto_memneq(bdaddr->b, hash, 3);
526 }
527 
528 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
529 {
530 	struct l2cap_chan *chan = hdev->smp_data;
531 	struct smp_dev *smp;
532 	int err;
533 
534 	if (!chan || !chan->data)
535 		return -EOPNOTSUPP;
536 
537 	smp = chan->data;
538 
539 	get_random_bytes(&rpa->b[3], 3);
540 
541 	rpa->b[5] &= 0x3f;	/* Clear two most significant bits */
542 	rpa->b[5] |= 0x40;	/* Set second most significant bit */
543 
544 	err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b);
545 	if (err < 0)
546 		return err;
547 
548 	BT_DBG("RPA %pMR", rpa);
549 
550 	return 0;
551 }
552 
553 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
554 {
555 	struct l2cap_chan *chan = hdev->smp_data;
556 	struct smp_dev *smp;
557 	int err;
558 
559 	if (!chan || !chan->data)
560 		return -EOPNOTSUPP;
561 
562 	smp = chan->data;
563 
564 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
565 		BT_DBG("Using debug keys");
566 		err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk);
567 		if (err)
568 			return err;
569 		memcpy(smp->local_pk, debug_pk, 64);
570 		smp->debug_key = true;
571 	} else {
572 		while (true) {
573 			/* Generate key pair for Secure Connections */
574 			err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk);
575 			if (err)
576 				return err;
577 
578 			/* This is unlikely, but we need to check that
579 			 * we didn't accidentially generate a debug key.
580 			 */
581 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
582 				break;
583 		}
584 		smp->debug_key = false;
585 	}
586 
587 	SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
588 	SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
589 
590 	get_random_bytes(smp->local_rand, 16);
591 
592 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
593 		     smp->local_rand, 0, hash);
594 	if (err < 0)
595 		return err;
596 
597 	memcpy(rand, smp->local_rand, 16);
598 
599 	smp->local_oob = true;
600 
601 	return 0;
602 }
603 
604 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
605 {
606 	struct l2cap_chan *chan = conn->smp;
607 	struct smp_chan *smp;
608 	struct kvec iv[2];
609 	struct msghdr msg;
610 
611 	if (!chan)
612 		return;
613 
614 	BT_DBG("code 0x%2.2x", code);
615 
616 	iv[0].iov_base = &code;
617 	iv[0].iov_len = 1;
618 
619 	iv[1].iov_base = data;
620 	iv[1].iov_len = len;
621 
622 	memset(&msg, 0, sizeof(msg));
623 
624 	iov_iter_kvec(&msg.msg_iter, WRITE, iv, 2, 1 + len);
625 
626 	l2cap_chan_send(chan, &msg, 1 + len);
627 
628 	if (!chan->data)
629 		return;
630 
631 	smp = chan->data;
632 
633 	cancel_delayed_work_sync(&smp->security_timer);
634 	schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
635 }
636 
637 static u8 authreq_to_seclevel(u8 authreq)
638 {
639 	if (authreq & SMP_AUTH_MITM) {
640 		if (authreq & SMP_AUTH_SC)
641 			return BT_SECURITY_FIPS;
642 		else
643 			return BT_SECURITY_HIGH;
644 	} else {
645 		return BT_SECURITY_MEDIUM;
646 	}
647 }
648 
649 static __u8 seclevel_to_authreq(__u8 sec_level)
650 {
651 	switch (sec_level) {
652 	case BT_SECURITY_FIPS:
653 	case BT_SECURITY_HIGH:
654 		return SMP_AUTH_MITM | SMP_AUTH_BONDING;
655 	case BT_SECURITY_MEDIUM:
656 		return SMP_AUTH_BONDING;
657 	default:
658 		return SMP_AUTH_NONE;
659 	}
660 }
661 
662 static void build_pairing_cmd(struct l2cap_conn *conn,
663 			      struct smp_cmd_pairing *req,
664 			      struct smp_cmd_pairing *rsp, __u8 authreq)
665 {
666 	struct l2cap_chan *chan = conn->smp;
667 	struct smp_chan *smp = chan->data;
668 	struct hci_conn *hcon = conn->hcon;
669 	struct hci_dev *hdev = hcon->hdev;
670 	u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
671 
672 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
673 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
674 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
675 		authreq |= SMP_AUTH_BONDING;
676 	} else {
677 		authreq &= ~SMP_AUTH_BONDING;
678 	}
679 
680 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
681 		remote_dist |= SMP_DIST_ID_KEY;
682 
683 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
684 		local_dist |= SMP_DIST_ID_KEY;
685 
686 	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
687 	    (authreq & SMP_AUTH_SC)) {
688 		struct oob_data *oob_data;
689 		u8 bdaddr_type;
690 
691 		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
692 			local_dist |= SMP_DIST_LINK_KEY;
693 			remote_dist |= SMP_DIST_LINK_KEY;
694 		}
695 
696 		if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
697 			bdaddr_type = BDADDR_LE_PUBLIC;
698 		else
699 			bdaddr_type = BDADDR_LE_RANDOM;
700 
701 		oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
702 						    bdaddr_type);
703 		if (oob_data && oob_data->present) {
704 			set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
705 			oob_flag = SMP_OOB_PRESENT;
706 			memcpy(smp->rr, oob_data->rand256, 16);
707 			memcpy(smp->pcnf, oob_data->hash256, 16);
708 			SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
709 			SMP_DBG("OOB Remote Random: %16phN", smp->rr);
710 		}
711 
712 	} else {
713 		authreq &= ~SMP_AUTH_SC;
714 	}
715 
716 	if (rsp == NULL) {
717 		req->io_capability = conn->hcon->io_capability;
718 		req->oob_flag = oob_flag;
719 		req->max_key_size = hdev->le_max_key_size;
720 		req->init_key_dist = local_dist;
721 		req->resp_key_dist = remote_dist;
722 		req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
723 
724 		smp->remote_key_dist = remote_dist;
725 		return;
726 	}
727 
728 	rsp->io_capability = conn->hcon->io_capability;
729 	rsp->oob_flag = oob_flag;
730 	rsp->max_key_size = hdev->le_max_key_size;
731 	rsp->init_key_dist = req->init_key_dist & remote_dist;
732 	rsp->resp_key_dist = req->resp_key_dist & local_dist;
733 	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
734 
735 	smp->remote_key_dist = rsp->init_key_dist;
736 }
737 
738 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
739 {
740 	struct l2cap_chan *chan = conn->smp;
741 	struct hci_dev *hdev = conn->hcon->hdev;
742 	struct smp_chan *smp = chan->data;
743 
744 	if (max_key_size > hdev->le_max_key_size ||
745 	    max_key_size < SMP_MIN_ENC_KEY_SIZE)
746 		return SMP_ENC_KEY_SIZE;
747 
748 	smp->enc_key_size = max_key_size;
749 
750 	return 0;
751 }
752 
753 static void smp_chan_destroy(struct l2cap_conn *conn)
754 {
755 	struct l2cap_chan *chan = conn->smp;
756 	struct smp_chan *smp = chan->data;
757 	struct hci_conn *hcon = conn->hcon;
758 	bool complete;
759 
760 	BUG_ON(!smp);
761 
762 	cancel_delayed_work_sync(&smp->security_timer);
763 
764 	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
765 	mgmt_smp_complete(hcon, complete);
766 
767 	kzfree(smp->csrk);
768 	kzfree(smp->slave_csrk);
769 	kzfree(smp->link_key);
770 
771 	crypto_free_cipher(smp->tfm_aes);
772 	crypto_free_shash(smp->tfm_cmac);
773 	crypto_free_kpp(smp->tfm_ecdh);
774 
775 	/* Ensure that we don't leave any debug key around if debug key
776 	 * support hasn't been explicitly enabled.
777 	 */
778 	if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
779 	    !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
780 		list_del_rcu(&smp->ltk->list);
781 		kfree_rcu(smp->ltk, rcu);
782 		smp->ltk = NULL;
783 	}
784 
785 	/* If pairing failed clean up any keys we might have */
786 	if (!complete) {
787 		if (smp->ltk) {
788 			list_del_rcu(&smp->ltk->list);
789 			kfree_rcu(smp->ltk, rcu);
790 		}
791 
792 		if (smp->slave_ltk) {
793 			list_del_rcu(&smp->slave_ltk->list);
794 			kfree_rcu(smp->slave_ltk, rcu);
795 		}
796 
797 		if (smp->remote_irk) {
798 			list_del_rcu(&smp->remote_irk->list);
799 			kfree_rcu(smp->remote_irk, rcu);
800 		}
801 	}
802 
803 	chan->data = NULL;
804 	kzfree(smp);
805 	hci_conn_drop(hcon);
806 }
807 
808 static void smp_failure(struct l2cap_conn *conn, u8 reason)
809 {
810 	struct hci_conn *hcon = conn->hcon;
811 	struct l2cap_chan *chan = conn->smp;
812 
813 	if (reason)
814 		smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
815 			     &reason);
816 
817 	mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
818 
819 	if (chan->data)
820 		smp_chan_destroy(conn);
821 }
822 
823 #define JUST_WORKS	0x00
824 #define JUST_CFM	0x01
825 #define REQ_PASSKEY	0x02
826 #define CFM_PASSKEY	0x03
827 #define REQ_OOB		0x04
828 #define DSP_PASSKEY	0x05
829 #define OVERLAP		0xFF
830 
831 static const u8 gen_method[5][5] = {
832 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
833 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
834 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
835 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
836 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
837 };
838 
839 static const u8 sc_method[5][5] = {
840 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
841 	{ JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
842 	{ DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
843 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
844 	{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
845 };
846 
847 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
848 {
849 	/* If either side has unknown io_caps, use JUST_CFM (which gets
850 	 * converted later to JUST_WORKS if we're initiators.
851 	 */
852 	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
853 	    remote_io > SMP_IO_KEYBOARD_DISPLAY)
854 		return JUST_CFM;
855 
856 	if (test_bit(SMP_FLAG_SC, &smp->flags))
857 		return sc_method[remote_io][local_io];
858 
859 	return gen_method[remote_io][local_io];
860 }
861 
862 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
863 						u8 local_io, u8 remote_io)
864 {
865 	struct hci_conn *hcon = conn->hcon;
866 	struct l2cap_chan *chan = conn->smp;
867 	struct smp_chan *smp = chan->data;
868 	u32 passkey = 0;
869 	int ret = 0;
870 
871 	/* Initialize key for JUST WORKS */
872 	memset(smp->tk, 0, sizeof(smp->tk));
873 	clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
874 
875 	BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
876 
877 	/* If neither side wants MITM, either "just" confirm an incoming
878 	 * request or use just-works for outgoing ones. The JUST_CFM
879 	 * will be converted to JUST_WORKS if necessary later in this
880 	 * function. If either side has MITM look up the method from the
881 	 * table.
882 	 */
883 	if (!(auth & SMP_AUTH_MITM))
884 		smp->method = JUST_CFM;
885 	else
886 		smp->method = get_auth_method(smp, local_io, remote_io);
887 
888 	/* Don't confirm locally initiated pairing attempts */
889 	if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
890 						&smp->flags))
891 		smp->method = JUST_WORKS;
892 
893 	/* Don't bother user space with no IO capabilities */
894 	if (smp->method == JUST_CFM &&
895 	    hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
896 		smp->method = JUST_WORKS;
897 
898 	/* If Just Works, Continue with Zero TK */
899 	if (smp->method == JUST_WORKS) {
900 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
901 		return 0;
902 	}
903 
904 	/* If this function is used for SC -> legacy fallback we
905 	 * can only recover the just-works case.
906 	 */
907 	if (test_bit(SMP_FLAG_SC, &smp->flags))
908 		return -EINVAL;
909 
910 	/* Not Just Works/Confirm results in MITM Authentication */
911 	if (smp->method != JUST_CFM) {
912 		set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
913 		if (hcon->pending_sec_level < BT_SECURITY_HIGH)
914 			hcon->pending_sec_level = BT_SECURITY_HIGH;
915 	}
916 
917 	/* If both devices have Keyoard-Display I/O, the master
918 	 * Confirms and the slave Enters the passkey.
919 	 */
920 	if (smp->method == OVERLAP) {
921 		if (hcon->role == HCI_ROLE_MASTER)
922 			smp->method = CFM_PASSKEY;
923 		else
924 			smp->method = REQ_PASSKEY;
925 	}
926 
927 	/* Generate random passkey. */
928 	if (smp->method == CFM_PASSKEY) {
929 		memset(smp->tk, 0, sizeof(smp->tk));
930 		get_random_bytes(&passkey, sizeof(passkey));
931 		passkey %= 1000000;
932 		put_unaligned_le32(passkey, smp->tk);
933 		BT_DBG("PassKey: %d", passkey);
934 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
935 	}
936 
937 	if (smp->method == REQ_PASSKEY)
938 		ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
939 						hcon->type, hcon->dst_type);
940 	else if (smp->method == JUST_CFM)
941 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
942 						hcon->type, hcon->dst_type,
943 						passkey, 1);
944 	else
945 		ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
946 						hcon->type, hcon->dst_type,
947 						passkey, 0);
948 
949 	return ret;
950 }
951 
952 static u8 smp_confirm(struct smp_chan *smp)
953 {
954 	struct l2cap_conn *conn = smp->conn;
955 	struct smp_cmd_pairing_confirm cp;
956 	int ret;
957 
958 	BT_DBG("conn %p", conn);
959 
960 	ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
961 		     conn->hcon->init_addr_type, &conn->hcon->init_addr,
962 		     conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
963 		     cp.confirm_val);
964 	if (ret)
965 		return SMP_UNSPECIFIED;
966 
967 	clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
968 
969 	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
970 
971 	if (conn->hcon->out)
972 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
973 	else
974 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
975 
976 	return 0;
977 }
978 
979 static u8 smp_random(struct smp_chan *smp)
980 {
981 	struct l2cap_conn *conn = smp->conn;
982 	struct hci_conn *hcon = conn->hcon;
983 	u8 confirm[16];
984 	int ret;
985 
986 	if (IS_ERR_OR_NULL(smp->tfm_aes))
987 		return SMP_UNSPECIFIED;
988 
989 	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
990 
991 	ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
992 		     hcon->init_addr_type, &hcon->init_addr,
993 		     hcon->resp_addr_type, &hcon->resp_addr, confirm);
994 	if (ret)
995 		return SMP_UNSPECIFIED;
996 
997 	if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
998 		bt_dev_err(hcon->hdev, "pairing failed "
999 			   "(confirmation values mismatch)");
1000 		return SMP_CONFIRM_FAILED;
1001 	}
1002 
1003 	if (hcon->out) {
1004 		u8 stk[16];
1005 		__le64 rand = 0;
1006 		__le16 ediv = 0;
1007 
1008 		smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
1009 
1010 		if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1011 			return SMP_UNSPECIFIED;
1012 
1013 		hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1014 		hcon->enc_key_size = smp->enc_key_size;
1015 		set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1016 	} else {
1017 		u8 stk[16], auth;
1018 		__le64 rand = 0;
1019 		__le16 ediv = 0;
1020 
1021 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1022 			     smp->prnd);
1023 
1024 		smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
1025 
1026 		if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1027 			auth = 1;
1028 		else
1029 			auth = 0;
1030 
1031 		/* Even though there's no _SLAVE suffix this is the
1032 		 * slave STK we're adding for later lookup (the master
1033 		 * STK never needs to be stored).
1034 		 */
1035 		hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1036 			    SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1037 	}
1038 
1039 	return 0;
1040 }
1041 
1042 static void smp_notify_keys(struct l2cap_conn *conn)
1043 {
1044 	struct l2cap_chan *chan = conn->smp;
1045 	struct smp_chan *smp = chan->data;
1046 	struct hci_conn *hcon = conn->hcon;
1047 	struct hci_dev *hdev = hcon->hdev;
1048 	struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1049 	struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1050 	bool persistent;
1051 
1052 	if (hcon->type == ACL_LINK) {
1053 		if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1054 			persistent = false;
1055 		else
1056 			persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1057 					       &hcon->flags);
1058 	} else {
1059 		/* The LTKs, IRKs and CSRKs should be persistent only if
1060 		 * both sides had the bonding bit set in their
1061 		 * authentication requests.
1062 		 */
1063 		persistent = !!((req->auth_req & rsp->auth_req) &
1064 				SMP_AUTH_BONDING);
1065 	}
1066 
1067 	if (smp->remote_irk) {
1068 		mgmt_new_irk(hdev, smp->remote_irk, persistent);
1069 
1070 		/* Now that user space can be considered to know the
1071 		 * identity address track the connection based on it
1072 		 * from now on (assuming this is an LE link).
1073 		 */
1074 		if (hcon->type == LE_LINK) {
1075 			bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1076 			hcon->dst_type = smp->remote_irk->addr_type;
1077 			queue_work(hdev->workqueue, &conn->id_addr_update_work);
1078 		}
1079 	}
1080 
1081 	if (smp->csrk) {
1082 		smp->csrk->bdaddr_type = hcon->dst_type;
1083 		bacpy(&smp->csrk->bdaddr, &hcon->dst);
1084 		mgmt_new_csrk(hdev, smp->csrk, persistent);
1085 	}
1086 
1087 	if (smp->slave_csrk) {
1088 		smp->slave_csrk->bdaddr_type = hcon->dst_type;
1089 		bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1090 		mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1091 	}
1092 
1093 	if (smp->ltk) {
1094 		smp->ltk->bdaddr_type = hcon->dst_type;
1095 		bacpy(&smp->ltk->bdaddr, &hcon->dst);
1096 		mgmt_new_ltk(hdev, smp->ltk, persistent);
1097 	}
1098 
1099 	if (smp->slave_ltk) {
1100 		smp->slave_ltk->bdaddr_type = hcon->dst_type;
1101 		bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1102 		mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1103 	}
1104 
1105 	if (smp->link_key) {
1106 		struct link_key *key;
1107 		u8 type;
1108 
1109 		if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1110 			type = HCI_LK_DEBUG_COMBINATION;
1111 		else if (hcon->sec_level == BT_SECURITY_FIPS)
1112 			type = HCI_LK_AUTH_COMBINATION_P256;
1113 		else
1114 			type = HCI_LK_UNAUTH_COMBINATION_P256;
1115 
1116 		key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1117 				       smp->link_key, type, 0, &persistent);
1118 		if (key) {
1119 			mgmt_new_link_key(hdev, key, persistent);
1120 
1121 			/* Don't keep debug keys around if the relevant
1122 			 * flag is not set.
1123 			 */
1124 			if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1125 			    key->type == HCI_LK_DEBUG_COMBINATION) {
1126 				list_del_rcu(&key->list);
1127 				kfree_rcu(key, rcu);
1128 			}
1129 		}
1130 	}
1131 }
1132 
1133 static void sc_add_ltk(struct smp_chan *smp)
1134 {
1135 	struct hci_conn *hcon = smp->conn->hcon;
1136 	u8 key_type, auth;
1137 
1138 	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1139 		key_type = SMP_LTK_P256_DEBUG;
1140 	else
1141 		key_type = SMP_LTK_P256;
1142 
1143 	if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1144 		auth = 1;
1145 	else
1146 		auth = 0;
1147 
1148 	smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1149 			       key_type, auth, smp->tk, smp->enc_key_size,
1150 			       0, 0);
1151 }
1152 
1153 static void sc_generate_link_key(struct smp_chan *smp)
1154 {
1155 	/* From core spec. Spells out in ASCII as 'lebr'. */
1156 	const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1157 
1158 	smp->link_key = kzalloc(16, GFP_KERNEL);
1159 	if (!smp->link_key)
1160 		return;
1161 
1162 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1163 		/* SALT = 0x00000000000000000000000000000000746D7031 */
1164 		const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1165 
1166 		if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1167 			kzfree(smp->link_key);
1168 			smp->link_key = NULL;
1169 			return;
1170 		}
1171 	} else {
1172 		/* From core spec. Spells out in ASCII as 'tmp1'. */
1173 		const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1174 
1175 		if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1176 			kzfree(smp->link_key);
1177 			smp->link_key = NULL;
1178 			return;
1179 		}
1180 	}
1181 
1182 	if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1183 		kzfree(smp->link_key);
1184 		smp->link_key = NULL;
1185 		return;
1186 	}
1187 }
1188 
1189 static void smp_allow_key_dist(struct smp_chan *smp)
1190 {
1191 	/* Allow the first expected phase 3 PDU. The rest of the PDUs
1192 	 * will be allowed in each PDU handler to ensure we receive
1193 	 * them in the correct order.
1194 	 */
1195 	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1196 		SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1197 	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1198 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1199 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
1200 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1201 }
1202 
1203 static void sc_generate_ltk(struct smp_chan *smp)
1204 {
1205 	/* From core spec. Spells out in ASCII as 'brle'. */
1206 	const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1207 	struct hci_conn *hcon = smp->conn->hcon;
1208 	struct hci_dev *hdev = hcon->hdev;
1209 	struct link_key *key;
1210 
1211 	key = hci_find_link_key(hdev, &hcon->dst);
1212 	if (!key) {
1213 		bt_dev_err(hdev, "no Link Key found to generate LTK");
1214 		return;
1215 	}
1216 
1217 	if (key->type == HCI_LK_DEBUG_COMBINATION)
1218 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1219 
1220 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1221 		/* SALT = 0x00000000000000000000000000000000746D7032 */
1222 		const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1223 
1224 		if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1225 			return;
1226 	} else {
1227 		/* From core spec. Spells out in ASCII as 'tmp2'. */
1228 		const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1229 
1230 		if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1231 			return;
1232 	}
1233 
1234 	if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1235 		return;
1236 
1237 	sc_add_ltk(smp);
1238 }
1239 
1240 static void smp_distribute_keys(struct smp_chan *smp)
1241 {
1242 	struct smp_cmd_pairing *req, *rsp;
1243 	struct l2cap_conn *conn = smp->conn;
1244 	struct hci_conn *hcon = conn->hcon;
1245 	struct hci_dev *hdev = hcon->hdev;
1246 	__u8 *keydist;
1247 
1248 	BT_DBG("conn %p", conn);
1249 
1250 	rsp = (void *) &smp->prsp[1];
1251 
1252 	/* The responder sends its keys first */
1253 	if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1254 		smp_allow_key_dist(smp);
1255 		return;
1256 	}
1257 
1258 	req = (void *) &smp->preq[1];
1259 
1260 	if (hcon->out) {
1261 		keydist = &rsp->init_key_dist;
1262 		*keydist &= req->init_key_dist;
1263 	} else {
1264 		keydist = &rsp->resp_key_dist;
1265 		*keydist &= req->resp_key_dist;
1266 	}
1267 
1268 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1269 		if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1270 			sc_generate_link_key(smp);
1271 		if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1272 			sc_generate_ltk(smp);
1273 
1274 		/* Clear the keys which are generated but not distributed */
1275 		*keydist &= ~SMP_SC_NO_DIST;
1276 	}
1277 
1278 	BT_DBG("keydist 0x%x", *keydist);
1279 
1280 	if (*keydist & SMP_DIST_ENC_KEY) {
1281 		struct smp_cmd_encrypt_info enc;
1282 		struct smp_cmd_master_ident ident;
1283 		struct smp_ltk *ltk;
1284 		u8 authenticated;
1285 		__le16 ediv;
1286 		__le64 rand;
1287 
1288 		/* Make sure we generate only the significant amount of
1289 		 * bytes based on the encryption key size, and set the rest
1290 		 * of the value to zeroes.
1291 		 */
1292 		get_random_bytes(enc.ltk, smp->enc_key_size);
1293 		memset(enc.ltk + smp->enc_key_size, 0,
1294 		       sizeof(enc.ltk) - smp->enc_key_size);
1295 
1296 		get_random_bytes(&ediv, sizeof(ediv));
1297 		get_random_bytes(&rand, sizeof(rand));
1298 
1299 		smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1300 
1301 		authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1302 		ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1303 				  SMP_LTK_SLAVE, authenticated, enc.ltk,
1304 				  smp->enc_key_size, ediv, rand);
1305 		smp->slave_ltk = ltk;
1306 
1307 		ident.ediv = ediv;
1308 		ident.rand = rand;
1309 
1310 		smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1311 
1312 		*keydist &= ~SMP_DIST_ENC_KEY;
1313 	}
1314 
1315 	if (*keydist & SMP_DIST_ID_KEY) {
1316 		struct smp_cmd_ident_addr_info addrinfo;
1317 		struct smp_cmd_ident_info idinfo;
1318 
1319 		memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1320 
1321 		smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1322 
1323 		/* The hci_conn contains the local identity address
1324 		 * after the connection has been established.
1325 		 *
1326 		 * This is true even when the connection has been
1327 		 * established using a resolvable random address.
1328 		 */
1329 		bacpy(&addrinfo.bdaddr, &hcon->src);
1330 		addrinfo.addr_type = hcon->src_type;
1331 
1332 		smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1333 			     &addrinfo);
1334 
1335 		*keydist &= ~SMP_DIST_ID_KEY;
1336 	}
1337 
1338 	if (*keydist & SMP_DIST_SIGN) {
1339 		struct smp_cmd_sign_info sign;
1340 		struct smp_csrk *csrk;
1341 
1342 		/* Generate a new random key */
1343 		get_random_bytes(sign.csrk, sizeof(sign.csrk));
1344 
1345 		csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1346 		if (csrk) {
1347 			if (hcon->sec_level > BT_SECURITY_MEDIUM)
1348 				csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1349 			else
1350 				csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1351 			memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1352 		}
1353 		smp->slave_csrk = csrk;
1354 
1355 		smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1356 
1357 		*keydist &= ~SMP_DIST_SIGN;
1358 	}
1359 
1360 	/* If there are still keys to be received wait for them */
1361 	if (smp->remote_key_dist & KEY_DIST_MASK) {
1362 		smp_allow_key_dist(smp);
1363 		return;
1364 	}
1365 
1366 	set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1367 	smp_notify_keys(conn);
1368 
1369 	smp_chan_destroy(conn);
1370 }
1371 
1372 static void smp_timeout(struct work_struct *work)
1373 {
1374 	struct smp_chan *smp = container_of(work, struct smp_chan,
1375 					    security_timer.work);
1376 	struct l2cap_conn *conn = smp->conn;
1377 
1378 	BT_DBG("conn %p", conn);
1379 
1380 	hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1381 }
1382 
1383 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1384 {
1385 	struct l2cap_chan *chan = conn->smp;
1386 	struct smp_chan *smp;
1387 
1388 	smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1389 	if (!smp)
1390 		return NULL;
1391 
1392 	smp->tfm_aes = crypto_alloc_cipher("aes", 0, 0);
1393 	if (IS_ERR(smp->tfm_aes)) {
1394 		BT_ERR("Unable to create AES crypto context");
1395 		goto zfree_smp;
1396 	}
1397 
1398 	smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1399 	if (IS_ERR(smp->tfm_cmac)) {
1400 		BT_ERR("Unable to create CMAC crypto context");
1401 		goto free_cipher;
1402 	}
1403 
1404 	smp->tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
1405 	if (IS_ERR(smp->tfm_ecdh)) {
1406 		BT_ERR("Unable to create ECDH crypto context");
1407 		goto free_shash;
1408 	}
1409 
1410 	smp->conn = conn;
1411 	chan->data = smp;
1412 
1413 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1414 
1415 	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1416 
1417 	hci_conn_hold(conn->hcon);
1418 
1419 	return smp;
1420 
1421 free_shash:
1422 	crypto_free_shash(smp->tfm_cmac);
1423 free_cipher:
1424 	crypto_free_cipher(smp->tfm_aes);
1425 zfree_smp:
1426 	kzfree(smp);
1427 	return NULL;
1428 }
1429 
1430 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1431 {
1432 	struct hci_conn *hcon = smp->conn->hcon;
1433 	u8 *na, *nb, a[7], b[7];
1434 
1435 	if (hcon->out) {
1436 		na   = smp->prnd;
1437 		nb   = smp->rrnd;
1438 	} else {
1439 		na   = smp->rrnd;
1440 		nb   = smp->prnd;
1441 	}
1442 
1443 	memcpy(a, &hcon->init_addr, 6);
1444 	memcpy(b, &hcon->resp_addr, 6);
1445 	a[6] = hcon->init_addr_type;
1446 	b[6] = hcon->resp_addr_type;
1447 
1448 	return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1449 }
1450 
1451 static void sc_dhkey_check(struct smp_chan *smp)
1452 {
1453 	struct hci_conn *hcon = smp->conn->hcon;
1454 	struct smp_cmd_dhkey_check check;
1455 	u8 a[7], b[7], *local_addr, *remote_addr;
1456 	u8 io_cap[3], r[16];
1457 
1458 	memcpy(a, &hcon->init_addr, 6);
1459 	memcpy(b, &hcon->resp_addr, 6);
1460 	a[6] = hcon->init_addr_type;
1461 	b[6] = hcon->resp_addr_type;
1462 
1463 	if (hcon->out) {
1464 		local_addr = a;
1465 		remote_addr = b;
1466 		memcpy(io_cap, &smp->preq[1], 3);
1467 	} else {
1468 		local_addr = b;
1469 		remote_addr = a;
1470 		memcpy(io_cap, &smp->prsp[1], 3);
1471 	}
1472 
1473 	memset(r, 0, sizeof(r));
1474 
1475 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1476 		put_unaligned_le32(hcon->passkey_notify, r);
1477 
1478 	if (smp->method == REQ_OOB)
1479 		memcpy(r, smp->rr, 16);
1480 
1481 	smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1482 	       local_addr, remote_addr, check.e);
1483 
1484 	smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1485 }
1486 
1487 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1488 {
1489 	struct l2cap_conn *conn = smp->conn;
1490 	struct hci_conn *hcon = conn->hcon;
1491 	struct smp_cmd_pairing_confirm cfm;
1492 	u8 r;
1493 
1494 	r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1495 	r |= 0x80;
1496 
1497 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1498 
1499 	if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1500 		   cfm.confirm_val))
1501 		return SMP_UNSPECIFIED;
1502 
1503 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1504 
1505 	return 0;
1506 }
1507 
1508 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1509 {
1510 	struct l2cap_conn *conn = smp->conn;
1511 	struct hci_conn *hcon = conn->hcon;
1512 	struct hci_dev *hdev = hcon->hdev;
1513 	u8 cfm[16], r;
1514 
1515 	/* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1516 	if (smp->passkey_round >= 20)
1517 		return 0;
1518 
1519 	switch (smp_op) {
1520 	case SMP_CMD_PAIRING_RANDOM:
1521 		r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1522 		r |= 0x80;
1523 
1524 		if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1525 			   smp->rrnd, r, cfm))
1526 			return SMP_UNSPECIFIED;
1527 
1528 		if (crypto_memneq(smp->pcnf, cfm, 16))
1529 			return SMP_CONFIRM_FAILED;
1530 
1531 		smp->passkey_round++;
1532 
1533 		if (smp->passkey_round == 20) {
1534 			/* Generate MacKey and LTK */
1535 			if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1536 				return SMP_UNSPECIFIED;
1537 		}
1538 
1539 		/* The round is only complete when the initiator
1540 		 * receives pairing random.
1541 		 */
1542 		if (!hcon->out) {
1543 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1544 				     sizeof(smp->prnd), smp->prnd);
1545 			if (smp->passkey_round == 20)
1546 				SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1547 			else
1548 				SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1549 			return 0;
1550 		}
1551 
1552 		/* Start the next round */
1553 		if (smp->passkey_round != 20)
1554 			return sc_passkey_round(smp, 0);
1555 
1556 		/* Passkey rounds are complete - start DHKey Check */
1557 		sc_dhkey_check(smp);
1558 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1559 
1560 		break;
1561 
1562 	case SMP_CMD_PAIRING_CONFIRM:
1563 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1564 			set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1565 			return 0;
1566 		}
1567 
1568 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1569 
1570 		if (hcon->out) {
1571 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1572 				     sizeof(smp->prnd), smp->prnd);
1573 			return 0;
1574 		}
1575 
1576 		return sc_passkey_send_confirm(smp);
1577 
1578 	case SMP_CMD_PUBLIC_KEY:
1579 	default:
1580 		/* Initiating device starts the round */
1581 		if (!hcon->out)
1582 			return 0;
1583 
1584 		BT_DBG("%s Starting passkey round %u", hdev->name,
1585 		       smp->passkey_round + 1);
1586 
1587 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1588 
1589 		return sc_passkey_send_confirm(smp);
1590 	}
1591 
1592 	return 0;
1593 }
1594 
1595 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1596 {
1597 	struct l2cap_conn *conn = smp->conn;
1598 	struct hci_conn *hcon = conn->hcon;
1599 	u8 smp_op;
1600 
1601 	clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1602 
1603 	switch (mgmt_op) {
1604 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1605 		smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1606 		return 0;
1607 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1608 		smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1609 		return 0;
1610 	case MGMT_OP_USER_PASSKEY_REPLY:
1611 		hcon->passkey_notify = le32_to_cpu(passkey);
1612 		smp->passkey_round = 0;
1613 
1614 		if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1615 			smp_op = SMP_CMD_PAIRING_CONFIRM;
1616 		else
1617 			smp_op = 0;
1618 
1619 		if (sc_passkey_round(smp, smp_op))
1620 			return -EIO;
1621 
1622 		return 0;
1623 	}
1624 
1625 	/* Initiator sends DHKey check first */
1626 	if (hcon->out) {
1627 		sc_dhkey_check(smp);
1628 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1629 	} else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1630 		sc_dhkey_check(smp);
1631 		sc_add_ltk(smp);
1632 	}
1633 
1634 	return 0;
1635 }
1636 
1637 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1638 {
1639 	struct l2cap_conn *conn = hcon->l2cap_data;
1640 	struct l2cap_chan *chan;
1641 	struct smp_chan *smp;
1642 	u32 value;
1643 	int err;
1644 
1645 	BT_DBG("");
1646 
1647 	if (!conn)
1648 		return -ENOTCONN;
1649 
1650 	chan = conn->smp;
1651 	if (!chan)
1652 		return -ENOTCONN;
1653 
1654 	l2cap_chan_lock(chan);
1655 	if (!chan->data) {
1656 		err = -ENOTCONN;
1657 		goto unlock;
1658 	}
1659 
1660 	smp = chan->data;
1661 
1662 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1663 		err = sc_user_reply(smp, mgmt_op, passkey);
1664 		goto unlock;
1665 	}
1666 
1667 	switch (mgmt_op) {
1668 	case MGMT_OP_USER_PASSKEY_REPLY:
1669 		value = le32_to_cpu(passkey);
1670 		memset(smp->tk, 0, sizeof(smp->tk));
1671 		BT_DBG("PassKey: %d", value);
1672 		put_unaligned_le32(value, smp->tk);
1673 		/* Fall Through */
1674 	case MGMT_OP_USER_CONFIRM_REPLY:
1675 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1676 		break;
1677 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1678 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1679 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1680 		err = 0;
1681 		goto unlock;
1682 	default:
1683 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1684 		err = -EOPNOTSUPP;
1685 		goto unlock;
1686 	}
1687 
1688 	err = 0;
1689 
1690 	/* If it is our turn to send Pairing Confirm, do so now */
1691 	if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1692 		u8 rsp = smp_confirm(smp);
1693 		if (rsp)
1694 			smp_failure(conn, rsp);
1695 	}
1696 
1697 unlock:
1698 	l2cap_chan_unlock(chan);
1699 	return err;
1700 }
1701 
1702 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1703 				    struct smp_cmd_pairing *req,
1704 				    struct smp_cmd_pairing *rsp)
1705 {
1706 	struct l2cap_conn *conn = smp->conn;
1707 	struct hci_dev *hdev = conn->hcon->hdev;
1708 	u8 local_dist = 0, remote_dist = 0;
1709 
1710 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1711 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1712 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1713 	}
1714 
1715 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1716 		remote_dist |= SMP_DIST_ID_KEY;
1717 
1718 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1719 		local_dist |= SMP_DIST_ID_KEY;
1720 
1721 	if (!rsp) {
1722 		memset(req, 0, sizeof(*req));
1723 
1724 		req->auth_req        = SMP_AUTH_CT2;
1725 		req->init_key_dist   = local_dist;
1726 		req->resp_key_dist   = remote_dist;
1727 		req->max_key_size    = conn->hcon->enc_key_size;
1728 
1729 		smp->remote_key_dist = remote_dist;
1730 
1731 		return;
1732 	}
1733 
1734 	memset(rsp, 0, sizeof(*rsp));
1735 
1736 	rsp->auth_req        = SMP_AUTH_CT2;
1737 	rsp->max_key_size    = conn->hcon->enc_key_size;
1738 	rsp->init_key_dist   = req->init_key_dist & remote_dist;
1739 	rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1740 
1741 	smp->remote_key_dist = rsp->init_key_dist;
1742 }
1743 
1744 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1745 {
1746 	struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1747 	struct l2cap_chan *chan = conn->smp;
1748 	struct hci_dev *hdev = conn->hcon->hdev;
1749 	struct smp_chan *smp;
1750 	u8 key_size, auth, sec_level;
1751 	int ret;
1752 
1753 	BT_DBG("conn %p", conn);
1754 
1755 	if (skb->len < sizeof(*req))
1756 		return SMP_INVALID_PARAMS;
1757 
1758 	if (conn->hcon->role != HCI_ROLE_SLAVE)
1759 		return SMP_CMD_NOTSUPP;
1760 
1761 	if (!chan->data)
1762 		smp = smp_chan_create(conn);
1763 	else
1764 		smp = chan->data;
1765 
1766 	if (!smp)
1767 		return SMP_UNSPECIFIED;
1768 
1769 	/* We didn't start the pairing, so match remote */
1770 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
1771 
1772 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1773 	    (auth & SMP_AUTH_BONDING))
1774 		return SMP_PAIRING_NOTSUPP;
1775 
1776 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1777 		return SMP_AUTH_REQUIREMENTS;
1778 
1779 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
1780 	memcpy(&smp->preq[1], req, sizeof(*req));
1781 	skb_pull(skb, sizeof(*req));
1782 
1783 	/* If the remote side's OOB flag is set it means it has
1784 	 * successfully received our local OOB data - therefore set the
1785 	 * flag to indicate that local OOB is in use.
1786 	 */
1787 	if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1788 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1789 
1790 	/* SMP over BR/EDR requires special treatment */
1791 	if (conn->hcon->type == ACL_LINK) {
1792 		/* We must have a BR/EDR SC link */
1793 		if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1794 		    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1795 			return SMP_CROSS_TRANSP_NOT_ALLOWED;
1796 
1797 		set_bit(SMP_FLAG_SC, &smp->flags);
1798 
1799 		build_bredr_pairing_cmd(smp, req, &rsp);
1800 
1801 		if (req->auth_req & SMP_AUTH_CT2)
1802 			set_bit(SMP_FLAG_CT2, &smp->flags);
1803 
1804 		key_size = min(req->max_key_size, rsp.max_key_size);
1805 		if (check_enc_key_size(conn, key_size))
1806 			return SMP_ENC_KEY_SIZE;
1807 
1808 		/* Clear bits which are generated but not distributed */
1809 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1810 
1811 		smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1812 		memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1813 		smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1814 
1815 		smp_distribute_keys(smp);
1816 		return 0;
1817 	}
1818 
1819 	build_pairing_cmd(conn, req, &rsp, auth);
1820 
1821 	if (rsp.auth_req & SMP_AUTH_SC) {
1822 		set_bit(SMP_FLAG_SC, &smp->flags);
1823 
1824 		if (rsp.auth_req & SMP_AUTH_CT2)
1825 			set_bit(SMP_FLAG_CT2, &smp->flags);
1826 	}
1827 
1828 	if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1829 		sec_level = BT_SECURITY_MEDIUM;
1830 	else
1831 		sec_level = authreq_to_seclevel(auth);
1832 
1833 	if (sec_level > conn->hcon->pending_sec_level)
1834 		conn->hcon->pending_sec_level = sec_level;
1835 
1836 	/* If we need MITM check that it can be achieved */
1837 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1838 		u8 method;
1839 
1840 		method = get_auth_method(smp, conn->hcon->io_capability,
1841 					 req->io_capability);
1842 		if (method == JUST_WORKS || method == JUST_CFM)
1843 			return SMP_AUTH_REQUIREMENTS;
1844 	}
1845 
1846 	key_size = min(req->max_key_size, rsp.max_key_size);
1847 	if (check_enc_key_size(conn, key_size))
1848 		return SMP_ENC_KEY_SIZE;
1849 
1850 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1851 
1852 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1853 	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1854 
1855 	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1856 
1857 	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1858 
1859 	/* Strictly speaking we shouldn't allow Pairing Confirm for the
1860 	 * SC case, however some implementations incorrectly copy RFU auth
1861 	 * req bits from our security request, which may create a false
1862 	 * positive SC enablement.
1863 	 */
1864 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1865 
1866 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1867 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1868 		/* Clear bits which are generated but not distributed */
1869 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1870 		/* Wait for Public Key from Initiating Device */
1871 		return 0;
1872 	}
1873 
1874 	/* Request setup of TK */
1875 	ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1876 	if (ret)
1877 		return SMP_UNSPECIFIED;
1878 
1879 	return 0;
1880 }
1881 
1882 static u8 sc_send_public_key(struct smp_chan *smp)
1883 {
1884 	struct hci_dev *hdev = smp->conn->hcon->hdev;
1885 
1886 	BT_DBG("");
1887 
1888 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1889 		struct l2cap_chan *chan = hdev->smp_data;
1890 		struct smp_dev *smp_dev;
1891 
1892 		if (!chan || !chan->data)
1893 			return SMP_UNSPECIFIED;
1894 
1895 		smp_dev = chan->data;
1896 
1897 		memcpy(smp->local_pk, smp_dev->local_pk, 64);
1898 		memcpy(smp->lr, smp_dev->local_rand, 16);
1899 
1900 		if (smp_dev->debug_key)
1901 			set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1902 
1903 		goto done;
1904 	}
1905 
1906 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1907 		BT_DBG("Using debug keys");
1908 		if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
1909 			return SMP_UNSPECIFIED;
1910 		memcpy(smp->local_pk, debug_pk, 64);
1911 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1912 	} else {
1913 		while (true) {
1914 			/* Generate key pair for Secure Connections */
1915 			if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
1916 				return SMP_UNSPECIFIED;
1917 
1918 			/* This is unlikely, but we need to check that
1919 			 * we didn't accidentially generate a debug key.
1920 			 */
1921 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
1922 				break;
1923 		}
1924 	}
1925 
1926 done:
1927 	SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1928 	SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1929 
1930 	smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1931 
1932 	return 0;
1933 }
1934 
1935 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1936 {
1937 	struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1938 	struct l2cap_chan *chan = conn->smp;
1939 	struct smp_chan *smp = chan->data;
1940 	struct hci_dev *hdev = conn->hcon->hdev;
1941 	u8 key_size, auth;
1942 	int ret;
1943 
1944 	BT_DBG("conn %p", conn);
1945 
1946 	if (skb->len < sizeof(*rsp))
1947 		return SMP_INVALID_PARAMS;
1948 
1949 	if (conn->hcon->role != HCI_ROLE_MASTER)
1950 		return SMP_CMD_NOTSUPP;
1951 
1952 	skb_pull(skb, sizeof(*rsp));
1953 
1954 	req = (void *) &smp->preq[1];
1955 
1956 	key_size = min(req->max_key_size, rsp->max_key_size);
1957 	if (check_enc_key_size(conn, key_size))
1958 		return SMP_ENC_KEY_SIZE;
1959 
1960 	auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1961 
1962 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1963 		return SMP_AUTH_REQUIREMENTS;
1964 
1965 	/* If the remote side's OOB flag is set it means it has
1966 	 * successfully received our local OOB data - therefore set the
1967 	 * flag to indicate that local OOB is in use.
1968 	 */
1969 	if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1970 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1971 
1972 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1973 	memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1974 
1975 	/* Update remote key distribution in case the remote cleared
1976 	 * some bits that we had enabled in our request.
1977 	 */
1978 	smp->remote_key_dist &= rsp->resp_key_dist;
1979 
1980 	if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1981 		set_bit(SMP_FLAG_CT2, &smp->flags);
1982 
1983 	/* For BR/EDR this means we're done and can start phase 3 */
1984 	if (conn->hcon->type == ACL_LINK) {
1985 		/* Clear bits which are generated but not distributed */
1986 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1987 		smp_distribute_keys(smp);
1988 		return 0;
1989 	}
1990 
1991 	if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1992 		set_bit(SMP_FLAG_SC, &smp->flags);
1993 	else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1994 		conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1995 
1996 	/* If we need MITM check that it can be achieved */
1997 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1998 		u8 method;
1999 
2000 		method = get_auth_method(smp, req->io_capability,
2001 					 rsp->io_capability);
2002 		if (method == JUST_WORKS || method == JUST_CFM)
2003 			return SMP_AUTH_REQUIREMENTS;
2004 	}
2005 
2006 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
2007 
2008 	/* Update remote key distribution in case the remote cleared
2009 	 * some bits that we had enabled in our request.
2010 	 */
2011 	smp->remote_key_dist &= rsp->resp_key_dist;
2012 
2013 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2014 		/* Clear bits which are generated but not distributed */
2015 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
2016 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2017 		return sc_send_public_key(smp);
2018 	}
2019 
2020 	auth |= req->auth_req;
2021 
2022 	ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2023 	if (ret)
2024 		return SMP_UNSPECIFIED;
2025 
2026 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2027 
2028 	/* Can't compose response until we have been confirmed */
2029 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2030 		return smp_confirm(smp);
2031 
2032 	return 0;
2033 }
2034 
2035 static u8 sc_check_confirm(struct smp_chan *smp)
2036 {
2037 	struct l2cap_conn *conn = smp->conn;
2038 
2039 	BT_DBG("");
2040 
2041 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2042 		return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2043 
2044 	if (conn->hcon->out) {
2045 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2046 			     smp->prnd);
2047 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2048 	}
2049 
2050 	return 0;
2051 }
2052 
2053 /* Work-around for some implementations that incorrectly copy RFU bits
2054  * from our security request and thereby create the impression that
2055  * we're doing SC when in fact the remote doesn't support it.
2056  */
2057 static int fixup_sc_false_positive(struct smp_chan *smp)
2058 {
2059 	struct l2cap_conn *conn = smp->conn;
2060 	struct hci_conn *hcon = conn->hcon;
2061 	struct hci_dev *hdev = hcon->hdev;
2062 	struct smp_cmd_pairing *req, *rsp;
2063 	u8 auth;
2064 
2065 	/* The issue is only observed when we're in slave role */
2066 	if (hcon->out)
2067 		return SMP_UNSPECIFIED;
2068 
2069 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2070 		bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
2071 		return SMP_UNSPECIFIED;
2072 	}
2073 
2074 	bt_dev_err(hdev, "trying to fall back to legacy SMP");
2075 
2076 	req = (void *) &smp->preq[1];
2077 	rsp = (void *) &smp->prsp[1];
2078 
2079 	/* Rebuild key dist flags which may have been cleared for SC */
2080 	smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2081 
2082 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
2083 
2084 	if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2085 		bt_dev_err(hdev, "failed to fall back to legacy SMP");
2086 		return SMP_UNSPECIFIED;
2087 	}
2088 
2089 	clear_bit(SMP_FLAG_SC, &smp->flags);
2090 
2091 	return 0;
2092 }
2093 
2094 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2095 {
2096 	struct l2cap_chan *chan = conn->smp;
2097 	struct smp_chan *smp = chan->data;
2098 
2099 	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
2100 
2101 	if (skb->len < sizeof(smp->pcnf))
2102 		return SMP_INVALID_PARAMS;
2103 
2104 	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2105 	skb_pull(skb, sizeof(smp->pcnf));
2106 
2107 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2108 		int ret;
2109 
2110 		/* Public Key exchange must happen before any other steps */
2111 		if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2112 			return sc_check_confirm(smp);
2113 
2114 		BT_ERR("Unexpected SMP Pairing Confirm");
2115 
2116 		ret = fixup_sc_false_positive(smp);
2117 		if (ret)
2118 			return ret;
2119 	}
2120 
2121 	if (conn->hcon->out) {
2122 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2123 			     smp->prnd);
2124 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2125 		return 0;
2126 	}
2127 
2128 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2129 		return smp_confirm(smp);
2130 
2131 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2132 
2133 	return 0;
2134 }
2135 
2136 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2137 {
2138 	struct l2cap_chan *chan = conn->smp;
2139 	struct smp_chan *smp = chan->data;
2140 	struct hci_conn *hcon = conn->hcon;
2141 	u8 *pkax, *pkbx, *na, *nb;
2142 	u32 passkey;
2143 	int err;
2144 
2145 	BT_DBG("conn %p", conn);
2146 
2147 	if (skb->len < sizeof(smp->rrnd))
2148 		return SMP_INVALID_PARAMS;
2149 
2150 	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2151 	skb_pull(skb, sizeof(smp->rrnd));
2152 
2153 	if (!test_bit(SMP_FLAG_SC, &smp->flags))
2154 		return smp_random(smp);
2155 
2156 	if (hcon->out) {
2157 		pkax = smp->local_pk;
2158 		pkbx = smp->remote_pk;
2159 		na   = smp->prnd;
2160 		nb   = smp->rrnd;
2161 	} else {
2162 		pkax = smp->remote_pk;
2163 		pkbx = smp->local_pk;
2164 		na   = smp->rrnd;
2165 		nb   = smp->prnd;
2166 	}
2167 
2168 	if (smp->method == REQ_OOB) {
2169 		if (!hcon->out)
2170 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2171 				     sizeof(smp->prnd), smp->prnd);
2172 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2173 		goto mackey_and_ltk;
2174 	}
2175 
2176 	/* Passkey entry has special treatment */
2177 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2178 		return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2179 
2180 	if (hcon->out) {
2181 		u8 cfm[16];
2182 
2183 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2184 			     smp->rrnd, 0, cfm);
2185 		if (err)
2186 			return SMP_UNSPECIFIED;
2187 
2188 		if (crypto_memneq(smp->pcnf, cfm, 16))
2189 			return SMP_CONFIRM_FAILED;
2190 	} else {
2191 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2192 			     smp->prnd);
2193 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2194 	}
2195 
2196 mackey_and_ltk:
2197 	/* Generate MacKey and LTK */
2198 	err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2199 	if (err)
2200 		return SMP_UNSPECIFIED;
2201 
2202 	if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2203 		if (hcon->out) {
2204 			sc_dhkey_check(smp);
2205 			SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2206 		}
2207 		return 0;
2208 	}
2209 
2210 	err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2211 	if (err)
2212 		return SMP_UNSPECIFIED;
2213 
2214 	err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2215 					hcon->dst_type, passkey, 0);
2216 	if (err)
2217 		return SMP_UNSPECIFIED;
2218 
2219 	set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2220 
2221 	return 0;
2222 }
2223 
2224 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2225 {
2226 	struct smp_ltk *key;
2227 	struct hci_conn *hcon = conn->hcon;
2228 
2229 	key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2230 	if (!key)
2231 		return false;
2232 
2233 	if (smp_ltk_sec_level(key) < sec_level)
2234 		return false;
2235 
2236 	if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2237 		return true;
2238 
2239 	hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2240 	hcon->enc_key_size = key->enc_size;
2241 
2242 	/* We never store STKs for master role, so clear this flag */
2243 	clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2244 
2245 	return true;
2246 }
2247 
2248 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2249 			     enum smp_key_pref key_pref)
2250 {
2251 	if (sec_level == BT_SECURITY_LOW)
2252 		return true;
2253 
2254 	/* If we're encrypted with an STK but the caller prefers using
2255 	 * LTK claim insufficient security. This way we allow the
2256 	 * connection to be re-encrypted with an LTK, even if the LTK
2257 	 * provides the same level of security. Only exception is if we
2258 	 * don't have an LTK (e.g. because of key distribution bits).
2259 	 */
2260 	if (key_pref == SMP_USE_LTK &&
2261 	    test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2262 	    hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2263 		return false;
2264 
2265 	if (hcon->sec_level >= sec_level)
2266 		return true;
2267 
2268 	return false;
2269 }
2270 
2271 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2272 {
2273 	struct smp_cmd_security_req *rp = (void *) skb->data;
2274 	struct smp_cmd_pairing cp;
2275 	struct hci_conn *hcon = conn->hcon;
2276 	struct hci_dev *hdev = hcon->hdev;
2277 	struct smp_chan *smp;
2278 	u8 sec_level, auth;
2279 
2280 	BT_DBG("conn %p", conn);
2281 
2282 	if (skb->len < sizeof(*rp))
2283 		return SMP_INVALID_PARAMS;
2284 
2285 	if (hcon->role != HCI_ROLE_MASTER)
2286 		return SMP_CMD_NOTSUPP;
2287 
2288 	auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2289 
2290 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2291 		return SMP_AUTH_REQUIREMENTS;
2292 
2293 	if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2294 		sec_level = BT_SECURITY_MEDIUM;
2295 	else
2296 		sec_level = authreq_to_seclevel(auth);
2297 
2298 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2299 		/* If link is already encrypted with sufficient security we
2300 		 * still need refresh encryption as per Core Spec 5.0 Vol 3,
2301 		 * Part H 2.4.6
2302 		 */
2303 		smp_ltk_encrypt(conn, hcon->sec_level);
2304 		return 0;
2305 	}
2306 
2307 	if (sec_level > hcon->pending_sec_level)
2308 		hcon->pending_sec_level = sec_level;
2309 
2310 	if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2311 		return 0;
2312 
2313 	smp = smp_chan_create(conn);
2314 	if (!smp)
2315 		return SMP_UNSPECIFIED;
2316 
2317 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2318 	    (auth & SMP_AUTH_BONDING))
2319 		return SMP_PAIRING_NOTSUPP;
2320 
2321 	skb_pull(skb, sizeof(*rp));
2322 
2323 	memset(&cp, 0, sizeof(cp));
2324 	build_pairing_cmd(conn, &cp, NULL, auth);
2325 
2326 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2327 	memcpy(&smp->preq[1], &cp, sizeof(cp));
2328 
2329 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2330 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2331 
2332 	return 0;
2333 }
2334 
2335 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2336 {
2337 	struct l2cap_conn *conn = hcon->l2cap_data;
2338 	struct l2cap_chan *chan;
2339 	struct smp_chan *smp;
2340 	__u8 authreq;
2341 	int ret;
2342 
2343 	BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2344 
2345 	/* This may be NULL if there's an unexpected disconnection */
2346 	if (!conn)
2347 		return 1;
2348 
2349 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2350 		return 1;
2351 
2352 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2353 		return 1;
2354 
2355 	if (sec_level > hcon->pending_sec_level)
2356 		hcon->pending_sec_level = sec_level;
2357 
2358 	if (hcon->role == HCI_ROLE_MASTER)
2359 		if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2360 			return 0;
2361 
2362 	chan = conn->smp;
2363 	if (!chan) {
2364 		bt_dev_err(hcon->hdev, "security requested but not available");
2365 		return 1;
2366 	}
2367 
2368 	l2cap_chan_lock(chan);
2369 
2370 	/* If SMP is already in progress ignore this request */
2371 	if (chan->data) {
2372 		ret = 0;
2373 		goto unlock;
2374 	}
2375 
2376 	smp = smp_chan_create(conn);
2377 	if (!smp) {
2378 		ret = 1;
2379 		goto unlock;
2380 	}
2381 
2382 	authreq = seclevel_to_authreq(sec_level);
2383 
2384 	if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2385 		authreq |= SMP_AUTH_SC;
2386 		if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2387 			authreq |= SMP_AUTH_CT2;
2388 	}
2389 
2390 	/* Require MITM if IO Capability allows or the security level
2391 	 * requires it.
2392 	 */
2393 	if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2394 	    hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2395 		authreq |= SMP_AUTH_MITM;
2396 
2397 	if (hcon->role == HCI_ROLE_MASTER) {
2398 		struct smp_cmd_pairing cp;
2399 
2400 		build_pairing_cmd(conn, &cp, NULL, authreq);
2401 		smp->preq[0] = SMP_CMD_PAIRING_REQ;
2402 		memcpy(&smp->preq[1], &cp, sizeof(cp));
2403 
2404 		smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2405 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2406 	} else {
2407 		struct smp_cmd_security_req cp;
2408 		cp.auth_req = authreq;
2409 		smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2410 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2411 	}
2412 
2413 	set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2414 	ret = 0;
2415 
2416 unlock:
2417 	l2cap_chan_unlock(chan);
2418 	return ret;
2419 }
2420 
2421 int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2422 				  u8 addr_type)
2423 {
2424 	struct hci_conn *hcon;
2425 	struct l2cap_conn *conn;
2426 	struct l2cap_chan *chan;
2427 	struct smp_chan *smp;
2428 	int err;
2429 
2430 	err = hci_remove_ltk(hdev, bdaddr, addr_type);
2431 	hci_remove_irk(hdev, bdaddr, addr_type);
2432 
2433 	hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2434 	if (!hcon)
2435 		goto done;
2436 
2437 	conn = hcon->l2cap_data;
2438 	if (!conn)
2439 		goto done;
2440 
2441 	chan = conn->smp;
2442 	if (!chan)
2443 		goto done;
2444 
2445 	l2cap_chan_lock(chan);
2446 
2447 	smp = chan->data;
2448 	if (smp) {
2449 		/* Set keys to NULL to make sure smp_failure() does not try to
2450 		 * remove and free already invalidated rcu list entries. */
2451 		smp->ltk = NULL;
2452 		smp->slave_ltk = NULL;
2453 		smp->remote_irk = NULL;
2454 
2455 		if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2456 			smp_failure(conn, 0);
2457 		else
2458 			smp_failure(conn, SMP_UNSPECIFIED);
2459 		err = 0;
2460 	}
2461 
2462 	l2cap_chan_unlock(chan);
2463 
2464 done:
2465 	return err;
2466 }
2467 
2468 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2469 {
2470 	struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2471 	struct l2cap_chan *chan = conn->smp;
2472 	struct smp_chan *smp = chan->data;
2473 
2474 	BT_DBG("conn %p", conn);
2475 
2476 	if (skb->len < sizeof(*rp))
2477 		return SMP_INVALID_PARAMS;
2478 
2479 	SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2480 
2481 	skb_pull(skb, sizeof(*rp));
2482 
2483 	memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2484 
2485 	return 0;
2486 }
2487 
2488 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2489 {
2490 	struct smp_cmd_master_ident *rp = (void *) skb->data;
2491 	struct l2cap_chan *chan = conn->smp;
2492 	struct smp_chan *smp = chan->data;
2493 	struct hci_dev *hdev = conn->hcon->hdev;
2494 	struct hci_conn *hcon = conn->hcon;
2495 	struct smp_ltk *ltk;
2496 	u8 authenticated;
2497 
2498 	BT_DBG("conn %p", conn);
2499 
2500 	if (skb->len < sizeof(*rp))
2501 		return SMP_INVALID_PARAMS;
2502 
2503 	/* Mark the information as received */
2504 	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2505 
2506 	if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2507 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2508 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
2509 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2510 
2511 	skb_pull(skb, sizeof(*rp));
2512 
2513 	authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2514 	ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2515 			  authenticated, smp->tk, smp->enc_key_size,
2516 			  rp->ediv, rp->rand);
2517 	smp->ltk = ltk;
2518 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2519 		smp_distribute_keys(smp);
2520 
2521 	return 0;
2522 }
2523 
2524 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2525 {
2526 	struct smp_cmd_ident_info *info = (void *) skb->data;
2527 	struct l2cap_chan *chan = conn->smp;
2528 	struct smp_chan *smp = chan->data;
2529 
2530 	BT_DBG("");
2531 
2532 	if (skb->len < sizeof(*info))
2533 		return SMP_INVALID_PARAMS;
2534 
2535 	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2536 
2537 	skb_pull(skb, sizeof(*info));
2538 
2539 	memcpy(smp->irk, info->irk, 16);
2540 
2541 	return 0;
2542 }
2543 
2544 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2545 				   struct sk_buff *skb)
2546 {
2547 	struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2548 	struct l2cap_chan *chan = conn->smp;
2549 	struct smp_chan *smp = chan->data;
2550 	struct hci_conn *hcon = conn->hcon;
2551 	bdaddr_t rpa;
2552 
2553 	BT_DBG("");
2554 
2555 	if (skb->len < sizeof(*info))
2556 		return SMP_INVALID_PARAMS;
2557 
2558 	/* Mark the information as received */
2559 	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2560 
2561 	if (smp->remote_key_dist & SMP_DIST_SIGN)
2562 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2563 
2564 	skb_pull(skb, sizeof(*info));
2565 
2566 	/* Strictly speaking the Core Specification (4.1) allows sending
2567 	 * an empty address which would force us to rely on just the IRK
2568 	 * as "identity information". However, since such
2569 	 * implementations are not known of and in order to not over
2570 	 * complicate our implementation, simply pretend that we never
2571 	 * received an IRK for such a device.
2572 	 *
2573 	 * The Identity Address must also be a Static Random or Public
2574 	 * Address, which hci_is_identity_address() checks for.
2575 	 */
2576 	if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2577 	    !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2578 		bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
2579 		goto distribute;
2580 	}
2581 
2582 	bacpy(&smp->id_addr, &info->bdaddr);
2583 	smp->id_addr_type = info->addr_type;
2584 
2585 	if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2586 		bacpy(&rpa, &hcon->dst);
2587 	else
2588 		bacpy(&rpa, BDADDR_ANY);
2589 
2590 	smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2591 				      smp->id_addr_type, smp->irk, &rpa);
2592 
2593 distribute:
2594 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2595 		smp_distribute_keys(smp);
2596 
2597 	return 0;
2598 }
2599 
2600 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2601 {
2602 	struct smp_cmd_sign_info *rp = (void *) skb->data;
2603 	struct l2cap_chan *chan = conn->smp;
2604 	struct smp_chan *smp = chan->data;
2605 	struct smp_csrk *csrk;
2606 
2607 	BT_DBG("conn %p", conn);
2608 
2609 	if (skb->len < sizeof(*rp))
2610 		return SMP_INVALID_PARAMS;
2611 
2612 	/* Mark the information as received */
2613 	smp->remote_key_dist &= ~SMP_DIST_SIGN;
2614 
2615 	skb_pull(skb, sizeof(*rp));
2616 
2617 	csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2618 	if (csrk) {
2619 		if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2620 			csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2621 		else
2622 			csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2623 		memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2624 	}
2625 	smp->csrk = csrk;
2626 	smp_distribute_keys(smp);
2627 
2628 	return 0;
2629 }
2630 
2631 static u8 sc_select_method(struct smp_chan *smp)
2632 {
2633 	struct l2cap_conn *conn = smp->conn;
2634 	struct hci_conn *hcon = conn->hcon;
2635 	struct smp_cmd_pairing *local, *remote;
2636 	u8 local_mitm, remote_mitm, local_io, remote_io, method;
2637 
2638 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2639 	    test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2640 		return REQ_OOB;
2641 
2642 	/* The preq/prsp contain the raw Pairing Request/Response PDUs
2643 	 * which are needed as inputs to some crypto functions. To get
2644 	 * the "struct smp_cmd_pairing" from them we need to skip the
2645 	 * first byte which contains the opcode.
2646 	 */
2647 	if (hcon->out) {
2648 		local = (void *) &smp->preq[1];
2649 		remote = (void *) &smp->prsp[1];
2650 	} else {
2651 		local = (void *) &smp->prsp[1];
2652 		remote = (void *) &smp->preq[1];
2653 	}
2654 
2655 	local_io = local->io_capability;
2656 	remote_io = remote->io_capability;
2657 
2658 	local_mitm = (local->auth_req & SMP_AUTH_MITM);
2659 	remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2660 
2661 	/* If either side wants MITM, look up the method from the table,
2662 	 * otherwise use JUST WORKS.
2663 	 */
2664 	if (local_mitm || remote_mitm)
2665 		method = get_auth_method(smp, local_io, remote_io);
2666 	else
2667 		method = JUST_WORKS;
2668 
2669 	/* Don't confirm locally initiated pairing attempts */
2670 	if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2671 		method = JUST_WORKS;
2672 
2673 	return method;
2674 }
2675 
2676 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2677 {
2678 	struct smp_cmd_public_key *key = (void *) skb->data;
2679 	struct hci_conn *hcon = conn->hcon;
2680 	struct l2cap_chan *chan = conn->smp;
2681 	struct smp_chan *smp = chan->data;
2682 	struct hci_dev *hdev = hcon->hdev;
2683 	struct crypto_kpp *tfm_ecdh;
2684 	struct smp_cmd_pairing_confirm cfm;
2685 	int err;
2686 
2687 	BT_DBG("conn %p", conn);
2688 
2689 	if (skb->len < sizeof(*key))
2690 		return SMP_INVALID_PARAMS;
2691 
2692 	memcpy(smp->remote_pk, key, 64);
2693 
2694 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2695 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2696 			     smp->rr, 0, cfm.confirm_val);
2697 		if (err)
2698 			return SMP_UNSPECIFIED;
2699 
2700 		if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2701 			return SMP_CONFIRM_FAILED;
2702 	}
2703 
2704 	/* Non-initiating device sends its public key after receiving
2705 	 * the key from the initiating device.
2706 	 */
2707 	if (!hcon->out) {
2708 		err = sc_send_public_key(smp);
2709 		if (err)
2710 			return err;
2711 	}
2712 
2713 	SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2714 	SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2715 
2716 	/* Compute the shared secret on the same crypto tfm on which the private
2717 	 * key was set/generated.
2718 	 */
2719 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
2720 		struct l2cap_chan *hchan = hdev->smp_data;
2721 		struct smp_dev *smp_dev;
2722 
2723 		if (!hchan || !hchan->data)
2724 			return SMP_UNSPECIFIED;
2725 
2726 		smp_dev = hchan->data;
2727 
2728 		tfm_ecdh = smp_dev->tfm_ecdh;
2729 	} else {
2730 		tfm_ecdh = smp->tfm_ecdh;
2731 	}
2732 
2733 	if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
2734 		return SMP_UNSPECIFIED;
2735 
2736 	SMP_DBG("DHKey %32phN", smp->dhkey);
2737 
2738 	set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2739 
2740 	smp->method = sc_select_method(smp);
2741 
2742 	BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2743 
2744 	/* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2745 	if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2746 		hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2747 	else
2748 		hcon->pending_sec_level = BT_SECURITY_FIPS;
2749 
2750 	if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2751 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2752 
2753 	if (smp->method == DSP_PASSKEY) {
2754 		get_random_bytes(&hcon->passkey_notify,
2755 				 sizeof(hcon->passkey_notify));
2756 		hcon->passkey_notify %= 1000000;
2757 		hcon->passkey_entered = 0;
2758 		smp->passkey_round = 0;
2759 		if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2760 					     hcon->dst_type,
2761 					     hcon->passkey_notify,
2762 					     hcon->passkey_entered))
2763 			return SMP_UNSPECIFIED;
2764 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2765 		return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2766 	}
2767 
2768 	if (smp->method == REQ_OOB) {
2769 		if (hcon->out)
2770 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2771 				     sizeof(smp->prnd), smp->prnd);
2772 
2773 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2774 
2775 		return 0;
2776 	}
2777 
2778 	if (hcon->out)
2779 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2780 
2781 	if (smp->method == REQ_PASSKEY) {
2782 		if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2783 					      hcon->dst_type))
2784 			return SMP_UNSPECIFIED;
2785 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2786 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2787 		return 0;
2788 	}
2789 
2790 	/* The Initiating device waits for the non-initiating device to
2791 	 * send the confirm value.
2792 	 */
2793 	if (conn->hcon->out)
2794 		return 0;
2795 
2796 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2797 		     0, cfm.confirm_val);
2798 	if (err)
2799 		return SMP_UNSPECIFIED;
2800 
2801 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2802 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2803 
2804 	return 0;
2805 }
2806 
2807 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2808 {
2809 	struct smp_cmd_dhkey_check *check = (void *) skb->data;
2810 	struct l2cap_chan *chan = conn->smp;
2811 	struct hci_conn *hcon = conn->hcon;
2812 	struct smp_chan *smp = chan->data;
2813 	u8 a[7], b[7], *local_addr, *remote_addr;
2814 	u8 io_cap[3], r[16], e[16];
2815 	int err;
2816 
2817 	BT_DBG("conn %p", conn);
2818 
2819 	if (skb->len < sizeof(*check))
2820 		return SMP_INVALID_PARAMS;
2821 
2822 	memcpy(a, &hcon->init_addr, 6);
2823 	memcpy(b, &hcon->resp_addr, 6);
2824 	a[6] = hcon->init_addr_type;
2825 	b[6] = hcon->resp_addr_type;
2826 
2827 	if (hcon->out) {
2828 		local_addr = a;
2829 		remote_addr = b;
2830 		memcpy(io_cap, &smp->prsp[1], 3);
2831 	} else {
2832 		local_addr = b;
2833 		remote_addr = a;
2834 		memcpy(io_cap, &smp->preq[1], 3);
2835 	}
2836 
2837 	memset(r, 0, sizeof(r));
2838 
2839 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2840 		put_unaligned_le32(hcon->passkey_notify, r);
2841 	else if (smp->method == REQ_OOB)
2842 		memcpy(r, smp->lr, 16);
2843 
2844 	err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2845 		     io_cap, remote_addr, local_addr, e);
2846 	if (err)
2847 		return SMP_UNSPECIFIED;
2848 
2849 	if (crypto_memneq(check->e, e, 16))
2850 		return SMP_DHKEY_CHECK_FAILED;
2851 
2852 	if (!hcon->out) {
2853 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2854 			set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2855 			return 0;
2856 		}
2857 
2858 		/* Slave sends DHKey check as response to master */
2859 		sc_dhkey_check(smp);
2860 	}
2861 
2862 	sc_add_ltk(smp);
2863 
2864 	if (hcon->out) {
2865 		hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2866 		hcon->enc_key_size = smp->enc_key_size;
2867 	}
2868 
2869 	return 0;
2870 }
2871 
2872 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2873 				   struct sk_buff *skb)
2874 {
2875 	struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2876 
2877 	BT_DBG("value 0x%02x", kp->value);
2878 
2879 	return 0;
2880 }
2881 
2882 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2883 {
2884 	struct l2cap_conn *conn = chan->conn;
2885 	struct hci_conn *hcon = conn->hcon;
2886 	struct smp_chan *smp;
2887 	__u8 code, reason;
2888 	int err = 0;
2889 
2890 	if (skb->len < 1)
2891 		return -EILSEQ;
2892 
2893 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2894 		reason = SMP_PAIRING_NOTSUPP;
2895 		goto done;
2896 	}
2897 
2898 	code = skb->data[0];
2899 	skb_pull(skb, sizeof(code));
2900 
2901 	smp = chan->data;
2902 
2903 	if (code > SMP_CMD_MAX)
2904 		goto drop;
2905 
2906 	if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2907 		goto drop;
2908 
2909 	/* If we don't have a context the only allowed commands are
2910 	 * pairing request and security request.
2911 	 */
2912 	if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2913 		goto drop;
2914 
2915 	switch (code) {
2916 	case SMP_CMD_PAIRING_REQ:
2917 		reason = smp_cmd_pairing_req(conn, skb);
2918 		break;
2919 
2920 	case SMP_CMD_PAIRING_FAIL:
2921 		smp_failure(conn, 0);
2922 		err = -EPERM;
2923 		break;
2924 
2925 	case SMP_CMD_PAIRING_RSP:
2926 		reason = smp_cmd_pairing_rsp(conn, skb);
2927 		break;
2928 
2929 	case SMP_CMD_SECURITY_REQ:
2930 		reason = smp_cmd_security_req(conn, skb);
2931 		break;
2932 
2933 	case SMP_CMD_PAIRING_CONFIRM:
2934 		reason = smp_cmd_pairing_confirm(conn, skb);
2935 		break;
2936 
2937 	case SMP_CMD_PAIRING_RANDOM:
2938 		reason = smp_cmd_pairing_random(conn, skb);
2939 		break;
2940 
2941 	case SMP_CMD_ENCRYPT_INFO:
2942 		reason = smp_cmd_encrypt_info(conn, skb);
2943 		break;
2944 
2945 	case SMP_CMD_MASTER_IDENT:
2946 		reason = smp_cmd_master_ident(conn, skb);
2947 		break;
2948 
2949 	case SMP_CMD_IDENT_INFO:
2950 		reason = smp_cmd_ident_info(conn, skb);
2951 		break;
2952 
2953 	case SMP_CMD_IDENT_ADDR_INFO:
2954 		reason = smp_cmd_ident_addr_info(conn, skb);
2955 		break;
2956 
2957 	case SMP_CMD_SIGN_INFO:
2958 		reason = smp_cmd_sign_info(conn, skb);
2959 		break;
2960 
2961 	case SMP_CMD_PUBLIC_KEY:
2962 		reason = smp_cmd_public_key(conn, skb);
2963 		break;
2964 
2965 	case SMP_CMD_DHKEY_CHECK:
2966 		reason = smp_cmd_dhkey_check(conn, skb);
2967 		break;
2968 
2969 	case SMP_CMD_KEYPRESS_NOTIFY:
2970 		reason = smp_cmd_keypress_notify(conn, skb);
2971 		break;
2972 
2973 	default:
2974 		BT_DBG("Unknown command code 0x%2.2x", code);
2975 		reason = SMP_CMD_NOTSUPP;
2976 		goto done;
2977 	}
2978 
2979 done:
2980 	if (!err) {
2981 		if (reason)
2982 			smp_failure(conn, reason);
2983 		kfree_skb(skb);
2984 	}
2985 
2986 	return err;
2987 
2988 drop:
2989 	bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
2990 		   code, &hcon->dst);
2991 	kfree_skb(skb);
2992 	return 0;
2993 }
2994 
2995 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2996 {
2997 	struct l2cap_conn *conn = chan->conn;
2998 
2999 	BT_DBG("chan %p", chan);
3000 
3001 	if (chan->data)
3002 		smp_chan_destroy(conn);
3003 
3004 	conn->smp = NULL;
3005 	l2cap_chan_put(chan);
3006 }
3007 
3008 static void bredr_pairing(struct l2cap_chan *chan)
3009 {
3010 	struct l2cap_conn *conn = chan->conn;
3011 	struct hci_conn *hcon = conn->hcon;
3012 	struct hci_dev *hdev = hcon->hdev;
3013 	struct smp_cmd_pairing req;
3014 	struct smp_chan *smp;
3015 
3016 	BT_DBG("chan %p", chan);
3017 
3018 	/* Only new pairings are interesting */
3019 	if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
3020 		return;
3021 
3022 	/* Don't bother if we're not encrypted */
3023 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3024 		return;
3025 
3026 	/* Only master may initiate SMP over BR/EDR */
3027 	if (hcon->role != HCI_ROLE_MASTER)
3028 		return;
3029 
3030 	/* Secure Connections support must be enabled */
3031 	if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
3032 		return;
3033 
3034 	/* BR/EDR must use Secure Connections for SMP */
3035 	if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
3036 	    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3037 		return;
3038 
3039 	/* If our LE support is not enabled don't do anything */
3040 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3041 		return;
3042 
3043 	/* Don't bother if remote LE support is not enabled */
3044 	if (!lmp_host_le_capable(hcon))
3045 		return;
3046 
3047 	/* Remote must support SMP fixed chan for BR/EDR */
3048 	if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3049 		return;
3050 
3051 	/* Don't bother if SMP is already ongoing */
3052 	if (chan->data)
3053 		return;
3054 
3055 	smp = smp_chan_create(conn);
3056 	if (!smp) {
3057 		bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
3058 		return;
3059 	}
3060 
3061 	set_bit(SMP_FLAG_SC, &smp->flags);
3062 
3063 	BT_DBG("%s starting SMP over BR/EDR", hdev->name);
3064 
3065 	/* Prepare and send the BR/EDR SMP Pairing Request */
3066 	build_bredr_pairing_cmd(smp, &req, NULL);
3067 
3068 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
3069 	memcpy(&smp->preq[1], &req, sizeof(req));
3070 
3071 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3072 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3073 }
3074 
3075 static void smp_resume_cb(struct l2cap_chan *chan)
3076 {
3077 	struct smp_chan *smp = chan->data;
3078 	struct l2cap_conn *conn = chan->conn;
3079 	struct hci_conn *hcon = conn->hcon;
3080 
3081 	BT_DBG("chan %p", chan);
3082 
3083 	if (hcon->type == ACL_LINK) {
3084 		bredr_pairing(chan);
3085 		return;
3086 	}
3087 
3088 	if (!smp)
3089 		return;
3090 
3091 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3092 		return;
3093 
3094 	cancel_delayed_work(&smp->security_timer);
3095 
3096 	smp_distribute_keys(smp);
3097 }
3098 
3099 static void smp_ready_cb(struct l2cap_chan *chan)
3100 {
3101 	struct l2cap_conn *conn = chan->conn;
3102 	struct hci_conn *hcon = conn->hcon;
3103 
3104 	BT_DBG("chan %p", chan);
3105 
3106 	/* No need to call l2cap_chan_hold() here since we already own
3107 	 * the reference taken in smp_new_conn_cb(). This is just the
3108 	 * first time that we tie it to a specific pointer. The code in
3109 	 * l2cap_core.c ensures that there's no risk this function wont
3110 	 * get called if smp_new_conn_cb was previously called.
3111 	 */
3112 	conn->smp = chan;
3113 
3114 	if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3115 		bredr_pairing(chan);
3116 }
3117 
3118 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3119 {
3120 	int err;
3121 
3122 	BT_DBG("chan %p", chan);
3123 
3124 	err = smp_sig_channel(chan, skb);
3125 	if (err) {
3126 		struct smp_chan *smp = chan->data;
3127 
3128 		if (smp)
3129 			cancel_delayed_work_sync(&smp->security_timer);
3130 
3131 		hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3132 	}
3133 
3134 	return err;
3135 }
3136 
3137 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3138 					unsigned long hdr_len,
3139 					unsigned long len, int nb)
3140 {
3141 	struct sk_buff *skb;
3142 
3143 	skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3144 	if (!skb)
3145 		return ERR_PTR(-ENOMEM);
3146 
3147 	skb->priority = HCI_PRIO_MAX;
3148 	bt_cb(skb)->l2cap.chan = chan;
3149 
3150 	return skb;
3151 }
3152 
3153 static const struct l2cap_ops smp_chan_ops = {
3154 	.name			= "Security Manager",
3155 	.ready			= smp_ready_cb,
3156 	.recv			= smp_recv_cb,
3157 	.alloc_skb		= smp_alloc_skb_cb,
3158 	.teardown		= smp_teardown_cb,
3159 	.resume			= smp_resume_cb,
3160 
3161 	.new_connection		= l2cap_chan_no_new_connection,
3162 	.state_change		= l2cap_chan_no_state_change,
3163 	.close			= l2cap_chan_no_close,
3164 	.defer			= l2cap_chan_no_defer,
3165 	.suspend		= l2cap_chan_no_suspend,
3166 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3167 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3168 };
3169 
3170 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3171 {
3172 	struct l2cap_chan *chan;
3173 
3174 	BT_DBG("pchan %p", pchan);
3175 
3176 	chan = l2cap_chan_create();
3177 	if (!chan)
3178 		return NULL;
3179 
3180 	chan->chan_type	= pchan->chan_type;
3181 	chan->ops	= &smp_chan_ops;
3182 	chan->scid	= pchan->scid;
3183 	chan->dcid	= chan->scid;
3184 	chan->imtu	= pchan->imtu;
3185 	chan->omtu	= pchan->omtu;
3186 	chan->mode	= pchan->mode;
3187 
3188 	/* Other L2CAP channels may request SMP routines in order to
3189 	 * change the security level. This means that the SMP channel
3190 	 * lock must be considered in its own category to avoid lockdep
3191 	 * warnings.
3192 	 */
3193 	atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3194 
3195 	BT_DBG("created chan %p", chan);
3196 
3197 	return chan;
3198 }
3199 
3200 static const struct l2cap_ops smp_root_chan_ops = {
3201 	.name			= "Security Manager Root",
3202 	.new_connection		= smp_new_conn_cb,
3203 
3204 	/* None of these are implemented for the root channel */
3205 	.close			= l2cap_chan_no_close,
3206 	.alloc_skb		= l2cap_chan_no_alloc_skb,
3207 	.recv			= l2cap_chan_no_recv,
3208 	.state_change		= l2cap_chan_no_state_change,
3209 	.teardown		= l2cap_chan_no_teardown,
3210 	.ready			= l2cap_chan_no_ready,
3211 	.defer			= l2cap_chan_no_defer,
3212 	.suspend		= l2cap_chan_no_suspend,
3213 	.resume			= l2cap_chan_no_resume,
3214 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3215 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3216 };
3217 
3218 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3219 {
3220 	struct l2cap_chan *chan;
3221 	struct smp_dev *smp;
3222 	struct crypto_cipher *tfm_aes;
3223 	struct crypto_shash *tfm_cmac;
3224 	struct crypto_kpp *tfm_ecdh;
3225 
3226 	if (cid == L2CAP_CID_SMP_BREDR) {
3227 		smp = NULL;
3228 		goto create_chan;
3229 	}
3230 
3231 	smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3232 	if (!smp)
3233 		return ERR_PTR(-ENOMEM);
3234 
3235 	tfm_aes = crypto_alloc_cipher("aes", 0, 0);
3236 	if (IS_ERR(tfm_aes)) {
3237 		BT_ERR("Unable to create AES crypto context");
3238 		kzfree(smp);
3239 		return ERR_CAST(tfm_aes);
3240 	}
3241 
3242 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3243 	if (IS_ERR(tfm_cmac)) {
3244 		BT_ERR("Unable to create CMAC crypto context");
3245 		crypto_free_cipher(tfm_aes);
3246 		kzfree(smp);
3247 		return ERR_CAST(tfm_cmac);
3248 	}
3249 
3250 	tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
3251 	if (IS_ERR(tfm_ecdh)) {
3252 		BT_ERR("Unable to create ECDH crypto context");
3253 		crypto_free_shash(tfm_cmac);
3254 		crypto_free_cipher(tfm_aes);
3255 		kzfree(smp);
3256 		return ERR_CAST(tfm_ecdh);
3257 	}
3258 
3259 	smp->local_oob = false;
3260 	smp->tfm_aes = tfm_aes;
3261 	smp->tfm_cmac = tfm_cmac;
3262 	smp->tfm_ecdh = tfm_ecdh;
3263 
3264 create_chan:
3265 	chan = l2cap_chan_create();
3266 	if (!chan) {
3267 		if (smp) {
3268 			crypto_free_cipher(smp->tfm_aes);
3269 			crypto_free_shash(smp->tfm_cmac);
3270 			crypto_free_kpp(smp->tfm_ecdh);
3271 			kzfree(smp);
3272 		}
3273 		return ERR_PTR(-ENOMEM);
3274 	}
3275 
3276 	chan->data = smp;
3277 
3278 	l2cap_add_scid(chan, cid);
3279 
3280 	l2cap_chan_set_defaults(chan);
3281 
3282 	if (cid == L2CAP_CID_SMP) {
3283 		u8 bdaddr_type;
3284 
3285 		hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3286 
3287 		if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3288 			chan->src_type = BDADDR_LE_PUBLIC;
3289 		else
3290 			chan->src_type = BDADDR_LE_RANDOM;
3291 	} else {
3292 		bacpy(&chan->src, &hdev->bdaddr);
3293 		chan->src_type = BDADDR_BREDR;
3294 	}
3295 
3296 	chan->state = BT_LISTEN;
3297 	chan->mode = L2CAP_MODE_BASIC;
3298 	chan->imtu = L2CAP_DEFAULT_MTU;
3299 	chan->ops = &smp_root_chan_ops;
3300 
3301 	/* Set correct nesting level for a parent/listening channel */
3302 	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3303 
3304 	return chan;
3305 }
3306 
3307 static void smp_del_chan(struct l2cap_chan *chan)
3308 {
3309 	struct smp_dev *smp;
3310 
3311 	BT_DBG("chan %p", chan);
3312 
3313 	smp = chan->data;
3314 	if (smp) {
3315 		chan->data = NULL;
3316 		crypto_free_cipher(smp->tfm_aes);
3317 		crypto_free_shash(smp->tfm_cmac);
3318 		crypto_free_kpp(smp->tfm_ecdh);
3319 		kzfree(smp);
3320 	}
3321 
3322 	l2cap_chan_put(chan);
3323 }
3324 
3325 static ssize_t force_bredr_smp_read(struct file *file,
3326 				    char __user *user_buf,
3327 				    size_t count, loff_t *ppos)
3328 {
3329 	struct hci_dev *hdev = file->private_data;
3330 	char buf[3];
3331 
3332 	buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3333 	buf[1] = '\n';
3334 	buf[2] = '\0';
3335 	return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3336 }
3337 
3338 static ssize_t force_bredr_smp_write(struct file *file,
3339 				     const char __user *user_buf,
3340 				     size_t count, loff_t *ppos)
3341 {
3342 	struct hci_dev *hdev = file->private_data;
3343 	bool enable;
3344 	int err;
3345 
3346 	err = kstrtobool_from_user(user_buf, count, &enable);
3347 	if (err)
3348 		return err;
3349 
3350 	if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3351 		return -EALREADY;
3352 
3353 	if (enable) {
3354 		struct l2cap_chan *chan;
3355 
3356 		chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3357 		if (IS_ERR(chan))
3358 			return PTR_ERR(chan);
3359 
3360 		hdev->smp_bredr_data = chan;
3361 	} else {
3362 		struct l2cap_chan *chan;
3363 
3364 		chan = hdev->smp_bredr_data;
3365 		hdev->smp_bredr_data = NULL;
3366 		smp_del_chan(chan);
3367 	}
3368 
3369 	hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3370 
3371 	return count;
3372 }
3373 
3374 static const struct file_operations force_bredr_smp_fops = {
3375 	.open		= simple_open,
3376 	.read		= force_bredr_smp_read,
3377 	.write		= force_bredr_smp_write,
3378 	.llseek		= default_llseek,
3379 };
3380 
3381 static ssize_t le_min_key_size_read(struct file *file,
3382 				     char __user *user_buf,
3383 				     size_t count, loff_t *ppos)
3384 {
3385 	struct hci_dev *hdev = file->private_data;
3386 	char buf[4];
3387 
3388 	snprintf(buf, sizeof(buf), "%2u\n", hdev->le_min_key_size);
3389 
3390 	return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3391 }
3392 
3393 static ssize_t le_min_key_size_write(struct file *file,
3394 				      const char __user *user_buf,
3395 				      size_t count, loff_t *ppos)
3396 {
3397 	struct hci_dev *hdev = file->private_data;
3398 	char buf[32];
3399 	size_t buf_size = min(count, (sizeof(buf) - 1));
3400 	u8 key_size;
3401 
3402 	if (copy_from_user(buf, user_buf, buf_size))
3403 		return -EFAULT;
3404 
3405 	buf[buf_size] = '\0';
3406 
3407 	sscanf(buf, "%hhu", &key_size);
3408 
3409 	if (key_size > hdev->le_max_key_size ||
3410 	    key_size < SMP_MIN_ENC_KEY_SIZE)
3411 		return -EINVAL;
3412 
3413 	hdev->le_min_key_size = key_size;
3414 
3415 	return count;
3416 }
3417 
3418 static const struct file_operations le_min_key_size_fops = {
3419 	.open		= simple_open,
3420 	.read		= le_min_key_size_read,
3421 	.write		= le_min_key_size_write,
3422 	.llseek		= default_llseek,
3423 };
3424 
3425 static ssize_t le_max_key_size_read(struct file *file,
3426 				     char __user *user_buf,
3427 				     size_t count, loff_t *ppos)
3428 {
3429 	struct hci_dev *hdev = file->private_data;
3430 	char buf[4];
3431 
3432 	snprintf(buf, sizeof(buf), "%2u\n", hdev->le_max_key_size);
3433 
3434 	return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3435 }
3436 
3437 static ssize_t le_max_key_size_write(struct file *file,
3438 				      const char __user *user_buf,
3439 				      size_t count, loff_t *ppos)
3440 {
3441 	struct hci_dev *hdev = file->private_data;
3442 	char buf[32];
3443 	size_t buf_size = min(count, (sizeof(buf) - 1));
3444 	u8 key_size;
3445 
3446 	if (copy_from_user(buf, user_buf, buf_size))
3447 		return -EFAULT;
3448 
3449 	buf[buf_size] = '\0';
3450 
3451 	sscanf(buf, "%hhu", &key_size);
3452 
3453 	if (key_size > SMP_MAX_ENC_KEY_SIZE ||
3454 	    key_size < hdev->le_min_key_size)
3455 		return -EINVAL;
3456 
3457 	hdev->le_max_key_size = key_size;
3458 
3459 	return count;
3460 }
3461 
3462 static const struct file_operations le_max_key_size_fops = {
3463 	.open		= simple_open,
3464 	.read		= le_max_key_size_read,
3465 	.write		= le_max_key_size_write,
3466 	.llseek		= default_llseek,
3467 };
3468 
3469 int smp_register(struct hci_dev *hdev)
3470 {
3471 	struct l2cap_chan *chan;
3472 
3473 	BT_DBG("%s", hdev->name);
3474 
3475 	/* If the controller does not support Low Energy operation, then
3476 	 * there is also no need to register any SMP channel.
3477 	 */
3478 	if (!lmp_le_capable(hdev))
3479 		return 0;
3480 
3481 	if (WARN_ON(hdev->smp_data)) {
3482 		chan = hdev->smp_data;
3483 		hdev->smp_data = NULL;
3484 		smp_del_chan(chan);
3485 	}
3486 
3487 	chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3488 	if (IS_ERR(chan))
3489 		return PTR_ERR(chan);
3490 
3491 	hdev->smp_data = chan;
3492 
3493 	debugfs_create_file("le_min_key_size", 0644, hdev->debugfs, hdev,
3494 			    &le_min_key_size_fops);
3495 	debugfs_create_file("le_max_key_size", 0644, hdev->debugfs, hdev,
3496 			    &le_max_key_size_fops);
3497 
3498 	/* If the controller does not support BR/EDR Secure Connections
3499 	 * feature, then the BR/EDR SMP channel shall not be present.
3500 	 *
3501 	 * To test this with Bluetooth 4.0 controllers, create a debugfs
3502 	 * switch that allows forcing BR/EDR SMP support and accepting
3503 	 * cross-transport pairing on non-AES encrypted connections.
3504 	 */
3505 	if (!lmp_sc_capable(hdev)) {
3506 		debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3507 				    hdev, &force_bredr_smp_fops);
3508 
3509 		/* Flag can be already set here (due to power toggle) */
3510 		if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3511 			return 0;
3512 	}
3513 
3514 	if (WARN_ON(hdev->smp_bredr_data)) {
3515 		chan = hdev->smp_bredr_data;
3516 		hdev->smp_bredr_data = NULL;
3517 		smp_del_chan(chan);
3518 	}
3519 
3520 	chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3521 	if (IS_ERR(chan)) {
3522 		int err = PTR_ERR(chan);
3523 		chan = hdev->smp_data;
3524 		hdev->smp_data = NULL;
3525 		smp_del_chan(chan);
3526 		return err;
3527 	}
3528 
3529 	hdev->smp_bredr_data = chan;
3530 
3531 	return 0;
3532 }
3533 
3534 void smp_unregister(struct hci_dev *hdev)
3535 {
3536 	struct l2cap_chan *chan;
3537 
3538 	if (hdev->smp_bredr_data) {
3539 		chan = hdev->smp_bredr_data;
3540 		hdev->smp_bredr_data = NULL;
3541 		smp_del_chan(chan);
3542 	}
3543 
3544 	if (hdev->smp_data) {
3545 		chan = hdev->smp_data;
3546 		hdev->smp_data = NULL;
3547 		smp_del_chan(chan);
3548 	}
3549 }
3550 
3551 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3552 
3553 static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
3554 {
3555 	u8 pk[64];
3556 	int err;
3557 
3558 	err = set_ecdh_privkey(tfm_ecdh, debug_sk);
3559 	if (err)
3560 		return err;
3561 
3562 	err = generate_ecdh_public_key(tfm_ecdh, pk);
3563 	if (err)
3564 		return err;
3565 
3566 	if (crypto_memneq(pk, debug_pk, 64))
3567 		return -EINVAL;
3568 
3569 	return 0;
3570 }
3571 
3572 static int __init test_ah(struct crypto_cipher *tfm_aes)
3573 {
3574 	const u8 irk[16] = {
3575 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3576 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3577 	const u8 r[3] = { 0x94, 0x81, 0x70 };
3578 	const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3579 	u8 res[3];
3580 	int err;
3581 
3582 	err = smp_ah(tfm_aes, irk, r, res);
3583 	if (err)
3584 		return err;
3585 
3586 	if (crypto_memneq(res, exp, 3))
3587 		return -EINVAL;
3588 
3589 	return 0;
3590 }
3591 
3592 static int __init test_c1(struct crypto_cipher *tfm_aes)
3593 {
3594 	const u8 k[16] = {
3595 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3596 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3597 	const u8 r[16] = {
3598 			0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3599 			0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3600 	const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3601 	const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3602 	const u8 _iat = 0x01;
3603 	const u8 _rat = 0x00;
3604 	const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3605 	const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3606 	const u8 exp[16] = {
3607 			0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3608 			0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3609 	u8 res[16];
3610 	int err;
3611 
3612 	err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3613 	if (err)
3614 		return err;
3615 
3616 	if (crypto_memneq(res, exp, 16))
3617 		return -EINVAL;
3618 
3619 	return 0;
3620 }
3621 
3622 static int __init test_s1(struct crypto_cipher *tfm_aes)
3623 {
3624 	const u8 k[16] = {
3625 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3626 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3627 	const u8 r1[16] = {
3628 			0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3629 	const u8 r2[16] = {
3630 			0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3631 	const u8 exp[16] = {
3632 			0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3633 			0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3634 	u8 res[16];
3635 	int err;
3636 
3637 	err = smp_s1(tfm_aes, k, r1, r2, res);
3638 	if (err)
3639 		return err;
3640 
3641 	if (crypto_memneq(res, exp, 16))
3642 		return -EINVAL;
3643 
3644 	return 0;
3645 }
3646 
3647 static int __init test_f4(struct crypto_shash *tfm_cmac)
3648 {
3649 	const u8 u[32] = {
3650 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3651 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3652 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3653 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3654 	const u8 v[32] = {
3655 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3656 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3657 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3658 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3659 	const u8 x[16] = {
3660 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3661 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3662 	const u8 z = 0x00;
3663 	const u8 exp[16] = {
3664 			0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3665 			0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3666 	u8 res[16];
3667 	int err;
3668 
3669 	err = smp_f4(tfm_cmac, u, v, x, z, res);
3670 	if (err)
3671 		return err;
3672 
3673 	if (crypto_memneq(res, exp, 16))
3674 		return -EINVAL;
3675 
3676 	return 0;
3677 }
3678 
3679 static int __init test_f5(struct crypto_shash *tfm_cmac)
3680 {
3681 	const u8 w[32] = {
3682 			0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3683 			0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3684 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3685 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3686 	const u8 n1[16] = {
3687 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3688 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3689 	const u8 n2[16] = {
3690 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3691 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3692 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3693 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3694 	const u8 exp_ltk[16] = {
3695 			0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3696 			0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3697 	const u8 exp_mackey[16] = {
3698 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3699 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3700 	u8 mackey[16], ltk[16];
3701 	int err;
3702 
3703 	err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3704 	if (err)
3705 		return err;
3706 
3707 	if (crypto_memneq(mackey, exp_mackey, 16))
3708 		return -EINVAL;
3709 
3710 	if (crypto_memneq(ltk, exp_ltk, 16))
3711 		return -EINVAL;
3712 
3713 	return 0;
3714 }
3715 
3716 static int __init test_f6(struct crypto_shash *tfm_cmac)
3717 {
3718 	const u8 w[16] = {
3719 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3720 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3721 	const u8 n1[16] = {
3722 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3723 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3724 	const u8 n2[16] = {
3725 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3726 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3727 	const u8 r[16] = {
3728 			0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3729 			0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3730 	const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3731 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3732 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3733 	const u8 exp[16] = {
3734 			0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3735 			0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3736 	u8 res[16];
3737 	int err;
3738 
3739 	err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3740 	if (err)
3741 		return err;
3742 
3743 	if (crypto_memneq(res, exp, 16))
3744 		return -EINVAL;
3745 
3746 	return 0;
3747 }
3748 
3749 static int __init test_g2(struct crypto_shash *tfm_cmac)
3750 {
3751 	const u8 u[32] = {
3752 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3753 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3754 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3755 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3756 	const u8 v[32] = {
3757 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3758 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3759 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3760 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3761 	const u8 x[16] = {
3762 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3763 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3764 	const u8 y[16] = {
3765 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3766 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3767 	const u32 exp_val = 0x2f9ed5ba % 1000000;
3768 	u32 val;
3769 	int err;
3770 
3771 	err = smp_g2(tfm_cmac, u, v, x, y, &val);
3772 	if (err)
3773 		return err;
3774 
3775 	if (val != exp_val)
3776 		return -EINVAL;
3777 
3778 	return 0;
3779 }
3780 
3781 static int __init test_h6(struct crypto_shash *tfm_cmac)
3782 {
3783 	const u8 w[16] = {
3784 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3785 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3786 	const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3787 	const u8 exp[16] = {
3788 			0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3789 			0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3790 	u8 res[16];
3791 	int err;
3792 
3793 	err = smp_h6(tfm_cmac, w, key_id, res);
3794 	if (err)
3795 		return err;
3796 
3797 	if (crypto_memneq(res, exp, 16))
3798 		return -EINVAL;
3799 
3800 	return 0;
3801 }
3802 
3803 static char test_smp_buffer[32];
3804 
3805 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3806 			     size_t count, loff_t *ppos)
3807 {
3808 	return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3809 				       strlen(test_smp_buffer));
3810 }
3811 
3812 static const struct file_operations test_smp_fops = {
3813 	.open		= simple_open,
3814 	.read		= test_smp_read,
3815 	.llseek		= default_llseek,
3816 };
3817 
3818 static int __init run_selftests(struct crypto_cipher *tfm_aes,
3819 				struct crypto_shash *tfm_cmac,
3820 				struct crypto_kpp *tfm_ecdh)
3821 {
3822 	ktime_t calltime, delta, rettime;
3823 	unsigned long long duration;
3824 	int err;
3825 
3826 	calltime = ktime_get();
3827 
3828 	err = test_debug_key(tfm_ecdh);
3829 	if (err) {
3830 		BT_ERR("debug_key test failed");
3831 		goto done;
3832 	}
3833 
3834 	err = test_ah(tfm_aes);
3835 	if (err) {
3836 		BT_ERR("smp_ah test failed");
3837 		goto done;
3838 	}
3839 
3840 	err = test_c1(tfm_aes);
3841 	if (err) {
3842 		BT_ERR("smp_c1 test failed");
3843 		goto done;
3844 	}
3845 
3846 	err = test_s1(tfm_aes);
3847 	if (err) {
3848 		BT_ERR("smp_s1 test failed");
3849 		goto done;
3850 	}
3851 
3852 	err = test_f4(tfm_cmac);
3853 	if (err) {
3854 		BT_ERR("smp_f4 test failed");
3855 		goto done;
3856 	}
3857 
3858 	err = test_f5(tfm_cmac);
3859 	if (err) {
3860 		BT_ERR("smp_f5 test failed");
3861 		goto done;
3862 	}
3863 
3864 	err = test_f6(tfm_cmac);
3865 	if (err) {
3866 		BT_ERR("smp_f6 test failed");
3867 		goto done;
3868 	}
3869 
3870 	err = test_g2(tfm_cmac);
3871 	if (err) {
3872 		BT_ERR("smp_g2 test failed");
3873 		goto done;
3874 	}
3875 
3876 	err = test_h6(tfm_cmac);
3877 	if (err) {
3878 		BT_ERR("smp_h6 test failed");
3879 		goto done;
3880 	}
3881 
3882 	rettime = ktime_get();
3883 	delta = ktime_sub(rettime, calltime);
3884 	duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3885 
3886 	BT_INFO("SMP test passed in %llu usecs", duration);
3887 
3888 done:
3889 	if (!err)
3890 		snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3891 			 "PASS (%llu usecs)\n", duration);
3892 	else
3893 		snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3894 
3895 	debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3896 			    &test_smp_fops);
3897 
3898 	return err;
3899 }
3900 
3901 int __init bt_selftest_smp(void)
3902 {
3903 	struct crypto_cipher *tfm_aes;
3904 	struct crypto_shash *tfm_cmac;
3905 	struct crypto_kpp *tfm_ecdh;
3906 	int err;
3907 
3908 	tfm_aes = crypto_alloc_cipher("aes", 0, 0);
3909 	if (IS_ERR(tfm_aes)) {
3910 		BT_ERR("Unable to create AES crypto context");
3911 		return PTR_ERR(tfm_aes);
3912 	}
3913 
3914 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3915 	if (IS_ERR(tfm_cmac)) {
3916 		BT_ERR("Unable to create CMAC crypto context");
3917 		crypto_free_cipher(tfm_aes);
3918 		return PTR_ERR(tfm_cmac);
3919 	}
3920 
3921 	tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
3922 	if (IS_ERR(tfm_ecdh)) {
3923 		BT_ERR("Unable to create ECDH crypto context");
3924 		crypto_free_shash(tfm_cmac);
3925 		crypto_free_cipher(tfm_aes);
3926 		return PTR_ERR(tfm_ecdh);
3927 	}
3928 
3929 	err = run_selftests(tfm_aes, tfm_cmac, tfm_ecdh);
3930 
3931 	crypto_free_shash(tfm_cmac);
3932 	crypto_free_cipher(tfm_aes);
3933 	crypto_free_kpp(tfm_ecdh);
3934 
3935 	return err;
3936 }
3937 
3938 #endif
3939