xref: /openbmc/linux/net/bluetooth/smp.c (revision 82e6fdd6)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4 
5    This program is free software; you can redistribute it and/or modify
6    it under the terms of the GNU General Public License version 2 as
7    published by the Free Software Foundation;
8 
9    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 
18    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20    SOFTWARE IS DISCLAIMED.
21 */
22 
23 #include <linux/debugfs.h>
24 #include <linux/scatterlist.h>
25 #include <linux/crypto.h>
26 #include <crypto/algapi.h>
27 #include <crypto/b128ops.h>
28 #include <crypto/hash.h>
29 #include <crypto/kpp.h>
30 
31 #include <net/bluetooth/bluetooth.h>
32 #include <net/bluetooth/hci_core.h>
33 #include <net/bluetooth/l2cap.h>
34 #include <net/bluetooth/mgmt.h>
35 
36 #include "ecdh_helper.h"
37 #include "smp.h"
38 
39 #define SMP_DEV(hdev) \
40 	((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
41 
42 /* Low-level debug macros to be used for stuff that we don't want
43  * accidentially in dmesg, i.e. the values of the various crypto keys
44  * and the inputs & outputs of crypto functions.
45  */
46 #ifdef DEBUG
47 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
48 				 ##__VA_ARGS__)
49 #else
50 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
51 				    ##__VA_ARGS__)
52 #endif
53 
54 #define SMP_ALLOW_CMD(smp, code)	set_bit(code, &smp->allow_cmd)
55 
56 /* Keys which are not distributed with Secure Connections */
57 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
58 
59 #define SMP_TIMEOUT	msecs_to_jiffies(30000)
60 
61 #define AUTH_REQ_MASK(dev)	(hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
62 				 0x3f : 0x07)
63 #define KEY_DIST_MASK		0x07
64 
65 /* Maximum message length that can be passed to aes_cmac */
66 #define CMAC_MSG_MAX	80
67 
68 enum {
69 	SMP_FLAG_TK_VALID,
70 	SMP_FLAG_CFM_PENDING,
71 	SMP_FLAG_MITM_AUTH,
72 	SMP_FLAG_COMPLETE,
73 	SMP_FLAG_INITIATOR,
74 	SMP_FLAG_SC,
75 	SMP_FLAG_REMOTE_PK,
76 	SMP_FLAG_DEBUG_KEY,
77 	SMP_FLAG_WAIT_USER,
78 	SMP_FLAG_DHKEY_PENDING,
79 	SMP_FLAG_REMOTE_OOB,
80 	SMP_FLAG_LOCAL_OOB,
81 	SMP_FLAG_CT2,
82 };
83 
84 struct smp_dev {
85 	/* Secure Connections OOB data */
86 	u8			local_pk[64];
87 	u8			local_rand[16];
88 	bool			debug_key;
89 
90 	u8			min_key_size;
91 	u8			max_key_size;
92 
93 	struct crypto_cipher	*tfm_aes;
94 	struct crypto_shash	*tfm_cmac;
95 	struct crypto_kpp	*tfm_ecdh;
96 };
97 
98 struct smp_chan {
99 	struct l2cap_conn	*conn;
100 	struct delayed_work	security_timer;
101 	unsigned long           allow_cmd; /* Bitmask of allowed commands */
102 
103 	u8		preq[7]; /* SMP Pairing Request */
104 	u8		prsp[7]; /* SMP Pairing Response */
105 	u8		prnd[16]; /* SMP Pairing Random (local) */
106 	u8		rrnd[16]; /* SMP Pairing Random (remote) */
107 	u8		pcnf[16]; /* SMP Pairing Confirm */
108 	u8		tk[16]; /* SMP Temporary Key */
109 	u8		rr[16]; /* Remote OOB ra/rb value */
110 	u8		lr[16]; /* Local OOB ra/rb value */
111 	u8		enc_key_size;
112 	u8		remote_key_dist;
113 	bdaddr_t	id_addr;
114 	u8		id_addr_type;
115 	u8		irk[16];
116 	struct smp_csrk	*csrk;
117 	struct smp_csrk	*slave_csrk;
118 	struct smp_ltk	*ltk;
119 	struct smp_ltk	*slave_ltk;
120 	struct smp_irk	*remote_irk;
121 	u8		*link_key;
122 	unsigned long	flags;
123 	u8		method;
124 	u8		passkey_round;
125 
126 	/* Secure Connections variables */
127 	u8			local_pk[64];
128 	u8			remote_pk[64];
129 	u8			dhkey[32];
130 	u8			mackey[16];
131 
132 	struct crypto_cipher	*tfm_aes;
133 	struct crypto_shash	*tfm_cmac;
134 	struct crypto_kpp	*tfm_ecdh;
135 };
136 
137 /* These debug key values are defined in the SMP section of the core
138  * specification. debug_pk is the public debug key and debug_sk the
139  * private debug key.
140  */
141 static const u8 debug_pk[64] = {
142 		0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
143 		0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
144 		0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
145 		0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
146 
147 		0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
148 		0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
149 		0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
150 		0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
151 };
152 
153 static const u8 debug_sk[32] = {
154 		0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
155 		0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
156 		0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
157 		0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
158 };
159 
160 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
161 {
162 	size_t i;
163 
164 	for (i = 0; i < len; i++)
165 		dst[len - 1 - i] = src[i];
166 }
167 
168 /* The following functions map to the LE SC SMP crypto functions
169  * AES-CMAC, f4, f5, f6, g2 and h6.
170  */
171 
172 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
173 		    size_t len, u8 mac[16])
174 {
175 	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
176 	SHASH_DESC_ON_STACK(desc, tfm);
177 	int err;
178 
179 	if (len > CMAC_MSG_MAX)
180 		return -EFBIG;
181 
182 	if (!tfm) {
183 		BT_ERR("tfm %p", tfm);
184 		return -EINVAL;
185 	}
186 
187 	desc->tfm = tfm;
188 	desc->flags = 0;
189 
190 	/* Swap key and message from LSB to MSB */
191 	swap_buf(k, tmp, 16);
192 	swap_buf(m, msg_msb, len);
193 
194 	SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
195 	SMP_DBG("key %16phN", k);
196 
197 	err = crypto_shash_setkey(tfm, tmp, 16);
198 	if (err) {
199 		BT_ERR("cipher setkey failed: %d", err);
200 		return err;
201 	}
202 
203 	err = crypto_shash_digest(desc, msg_msb, len, mac_msb);
204 	shash_desc_zero(desc);
205 	if (err) {
206 		BT_ERR("Hash computation error %d", err);
207 		return err;
208 	}
209 
210 	swap_buf(mac_msb, mac, 16);
211 
212 	SMP_DBG("mac %16phN", mac);
213 
214 	return 0;
215 }
216 
217 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
218 		  const u8 v[32], const u8 x[16], u8 z, u8 res[16])
219 {
220 	u8 m[65];
221 	int err;
222 
223 	SMP_DBG("u %32phN", u);
224 	SMP_DBG("v %32phN", v);
225 	SMP_DBG("x %16phN z %02x", x, z);
226 
227 	m[0] = z;
228 	memcpy(m + 1, v, 32);
229 	memcpy(m + 33, u, 32);
230 
231 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
232 	if (err)
233 		return err;
234 
235 	SMP_DBG("res %16phN", res);
236 
237 	return err;
238 }
239 
240 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
241 		  const u8 n1[16], const u8 n2[16], const u8 a1[7],
242 		  const u8 a2[7], u8 mackey[16], u8 ltk[16])
243 {
244 	/* The btle, salt and length "magic" values are as defined in
245 	 * the SMP section of the Bluetooth core specification. In ASCII
246 	 * the btle value ends up being 'btle'. The salt is just a
247 	 * random number whereas length is the value 256 in little
248 	 * endian format.
249 	 */
250 	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
251 	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
252 			      0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
253 	const u8 length[2] = { 0x00, 0x01 };
254 	u8 m[53], t[16];
255 	int err;
256 
257 	SMP_DBG("w %32phN", w);
258 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
259 	SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
260 
261 	err = aes_cmac(tfm_cmac, salt, w, 32, t);
262 	if (err)
263 		return err;
264 
265 	SMP_DBG("t %16phN", t);
266 
267 	memcpy(m, length, 2);
268 	memcpy(m + 2, a2, 7);
269 	memcpy(m + 9, a1, 7);
270 	memcpy(m + 16, n2, 16);
271 	memcpy(m + 32, n1, 16);
272 	memcpy(m + 48, btle, 4);
273 
274 	m[52] = 0; /* Counter */
275 
276 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
277 	if (err)
278 		return err;
279 
280 	SMP_DBG("mackey %16phN", mackey);
281 
282 	m[52] = 1; /* Counter */
283 
284 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
285 	if (err)
286 		return err;
287 
288 	SMP_DBG("ltk %16phN", ltk);
289 
290 	return 0;
291 }
292 
293 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
294 		  const u8 n1[16], const u8 n2[16], const u8 r[16],
295 		  const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
296 		  u8 res[16])
297 {
298 	u8 m[65];
299 	int err;
300 
301 	SMP_DBG("w %16phN", w);
302 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
303 	SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
304 
305 	memcpy(m, a2, 7);
306 	memcpy(m + 7, a1, 7);
307 	memcpy(m + 14, io_cap, 3);
308 	memcpy(m + 17, r, 16);
309 	memcpy(m + 33, n2, 16);
310 	memcpy(m + 49, n1, 16);
311 
312 	err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
313 	if (err)
314 		return err;
315 
316 	SMP_DBG("res %16phN", res);
317 
318 	return err;
319 }
320 
321 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
322 		  const u8 x[16], const u8 y[16], u32 *val)
323 {
324 	u8 m[80], tmp[16];
325 	int err;
326 
327 	SMP_DBG("u %32phN", u);
328 	SMP_DBG("v %32phN", v);
329 	SMP_DBG("x %16phN y %16phN", x, y);
330 
331 	memcpy(m, y, 16);
332 	memcpy(m + 16, v, 32);
333 	memcpy(m + 48, u, 32);
334 
335 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
336 	if (err)
337 		return err;
338 
339 	*val = get_unaligned_le32(tmp);
340 	*val %= 1000000;
341 
342 	SMP_DBG("val %06u", *val);
343 
344 	return 0;
345 }
346 
347 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
348 		  const u8 key_id[4], u8 res[16])
349 {
350 	int err;
351 
352 	SMP_DBG("w %16phN key_id %4phN", w, key_id);
353 
354 	err = aes_cmac(tfm_cmac, w, key_id, 4, res);
355 	if (err)
356 		return err;
357 
358 	SMP_DBG("res %16phN", res);
359 
360 	return err;
361 }
362 
363 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
364 		  const u8 salt[16], u8 res[16])
365 {
366 	int err;
367 
368 	SMP_DBG("w %16phN salt %16phN", w, salt);
369 
370 	err = aes_cmac(tfm_cmac, salt, w, 16, res);
371 	if (err)
372 		return err;
373 
374 	SMP_DBG("res %16phN", res);
375 
376 	return err;
377 }
378 
379 /* The following functions map to the legacy SMP crypto functions e, c1,
380  * s1 and ah.
381  */
382 
383 static int smp_e(struct crypto_cipher *tfm, const u8 *k, u8 *r)
384 {
385 	uint8_t tmp[16], data[16];
386 	int err;
387 
388 	SMP_DBG("k %16phN r %16phN", k, r);
389 
390 	if (!tfm) {
391 		BT_ERR("tfm %p", tfm);
392 		return -EINVAL;
393 	}
394 
395 	/* The most significant octet of key corresponds to k[0] */
396 	swap_buf(k, tmp, 16);
397 
398 	err = crypto_cipher_setkey(tfm, tmp, 16);
399 	if (err) {
400 		BT_ERR("cipher setkey failed: %d", err);
401 		return err;
402 	}
403 
404 	/* Most significant octet of plaintextData corresponds to data[0] */
405 	swap_buf(r, data, 16);
406 
407 	crypto_cipher_encrypt_one(tfm, data, data);
408 
409 	/* Most significant octet of encryptedData corresponds to data[0] */
410 	swap_buf(data, r, 16);
411 
412 	SMP_DBG("r %16phN", r);
413 
414 	return err;
415 }
416 
417 static int smp_c1(struct crypto_cipher *tfm_aes, const u8 k[16],
418 		  const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
419 		  const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
420 {
421 	u8 p1[16], p2[16];
422 	int err;
423 
424 	SMP_DBG("k %16phN r %16phN", k, r);
425 	SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
426 	SMP_DBG("preq %7phN pres %7phN", preq, pres);
427 
428 	memset(p1, 0, 16);
429 
430 	/* p1 = pres || preq || _rat || _iat */
431 	p1[0] = _iat;
432 	p1[1] = _rat;
433 	memcpy(p1 + 2, preq, 7);
434 	memcpy(p1 + 9, pres, 7);
435 
436 	SMP_DBG("p1 %16phN", p1);
437 
438 	/* res = r XOR p1 */
439 	u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
440 
441 	/* res = e(k, res) */
442 	err = smp_e(tfm_aes, k, res);
443 	if (err) {
444 		BT_ERR("Encrypt data error");
445 		return err;
446 	}
447 
448 	/* p2 = padding || ia || ra */
449 	memcpy(p2, ra, 6);
450 	memcpy(p2 + 6, ia, 6);
451 	memset(p2 + 12, 0, 4);
452 
453 	SMP_DBG("p2 %16phN", p2);
454 
455 	/* res = res XOR p2 */
456 	u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
457 
458 	/* res = e(k, res) */
459 	err = smp_e(tfm_aes, k, res);
460 	if (err)
461 		BT_ERR("Encrypt data error");
462 
463 	return err;
464 }
465 
466 static int smp_s1(struct crypto_cipher *tfm_aes, const u8 k[16],
467 		  const u8 r1[16], const u8 r2[16], u8 _r[16])
468 {
469 	int err;
470 
471 	/* Just least significant octets from r1 and r2 are considered */
472 	memcpy(_r, r2, 8);
473 	memcpy(_r + 8, r1, 8);
474 
475 	err = smp_e(tfm_aes, k, _r);
476 	if (err)
477 		BT_ERR("Encrypt data error");
478 
479 	return err;
480 }
481 
482 static int smp_ah(struct crypto_cipher *tfm, const u8 irk[16],
483 		  const u8 r[3], u8 res[3])
484 {
485 	u8 _res[16];
486 	int err;
487 
488 	/* r' = padding || r */
489 	memcpy(_res, r, 3);
490 	memset(_res + 3, 0, 13);
491 
492 	err = smp_e(tfm, irk, _res);
493 	if (err) {
494 		BT_ERR("Encrypt error");
495 		return err;
496 	}
497 
498 	/* The output of the random address function ah is:
499 	 *	ah(k, r) = e(k, r') mod 2^24
500 	 * The output of the security function e is then truncated to 24 bits
501 	 * by taking the least significant 24 bits of the output of e as the
502 	 * result of ah.
503 	 */
504 	memcpy(res, _res, 3);
505 
506 	return 0;
507 }
508 
509 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
510 		     const bdaddr_t *bdaddr)
511 {
512 	struct l2cap_chan *chan = hdev->smp_data;
513 	struct smp_dev *smp;
514 	u8 hash[3];
515 	int err;
516 
517 	if (!chan || !chan->data)
518 		return false;
519 
520 	smp = chan->data;
521 
522 	BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
523 
524 	err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash);
525 	if (err)
526 		return false;
527 
528 	return !crypto_memneq(bdaddr->b, hash, 3);
529 }
530 
531 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
532 {
533 	struct l2cap_chan *chan = hdev->smp_data;
534 	struct smp_dev *smp;
535 	int err;
536 
537 	if (!chan || !chan->data)
538 		return -EOPNOTSUPP;
539 
540 	smp = chan->data;
541 
542 	get_random_bytes(&rpa->b[3], 3);
543 
544 	rpa->b[5] &= 0x3f;	/* Clear two most significant bits */
545 	rpa->b[5] |= 0x40;	/* Set second most significant bit */
546 
547 	err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b);
548 	if (err < 0)
549 		return err;
550 
551 	BT_DBG("RPA %pMR", rpa);
552 
553 	return 0;
554 }
555 
556 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
557 {
558 	struct l2cap_chan *chan = hdev->smp_data;
559 	struct smp_dev *smp;
560 	int err;
561 
562 	if (!chan || !chan->data)
563 		return -EOPNOTSUPP;
564 
565 	smp = chan->data;
566 
567 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
568 		BT_DBG("Using debug keys");
569 		err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk);
570 		if (err)
571 			return err;
572 		memcpy(smp->local_pk, debug_pk, 64);
573 		smp->debug_key = true;
574 	} else {
575 		while (true) {
576 			/* Generate key pair for Secure Connections */
577 			err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk);
578 			if (err)
579 				return err;
580 
581 			/* This is unlikely, but we need to check that
582 			 * we didn't accidentially generate a debug key.
583 			 */
584 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
585 				break;
586 		}
587 		smp->debug_key = false;
588 	}
589 
590 	SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
591 	SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
592 
593 	get_random_bytes(smp->local_rand, 16);
594 
595 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
596 		     smp->local_rand, 0, hash);
597 	if (err < 0)
598 		return err;
599 
600 	memcpy(rand, smp->local_rand, 16);
601 
602 	return 0;
603 }
604 
605 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
606 {
607 	struct l2cap_chan *chan = conn->smp;
608 	struct smp_chan *smp;
609 	struct kvec iv[2];
610 	struct msghdr msg;
611 
612 	if (!chan)
613 		return;
614 
615 	BT_DBG("code 0x%2.2x", code);
616 
617 	iv[0].iov_base = &code;
618 	iv[0].iov_len = 1;
619 
620 	iv[1].iov_base = data;
621 	iv[1].iov_len = len;
622 
623 	memset(&msg, 0, sizeof(msg));
624 
625 	iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
626 
627 	l2cap_chan_send(chan, &msg, 1 + len);
628 
629 	if (!chan->data)
630 		return;
631 
632 	smp = chan->data;
633 
634 	cancel_delayed_work_sync(&smp->security_timer);
635 	schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
636 }
637 
638 static u8 authreq_to_seclevel(u8 authreq)
639 {
640 	if (authreq & SMP_AUTH_MITM) {
641 		if (authreq & SMP_AUTH_SC)
642 			return BT_SECURITY_FIPS;
643 		else
644 			return BT_SECURITY_HIGH;
645 	} else {
646 		return BT_SECURITY_MEDIUM;
647 	}
648 }
649 
650 static __u8 seclevel_to_authreq(__u8 sec_level)
651 {
652 	switch (sec_level) {
653 	case BT_SECURITY_FIPS:
654 	case BT_SECURITY_HIGH:
655 		return SMP_AUTH_MITM | SMP_AUTH_BONDING;
656 	case BT_SECURITY_MEDIUM:
657 		return SMP_AUTH_BONDING;
658 	default:
659 		return SMP_AUTH_NONE;
660 	}
661 }
662 
663 static void build_pairing_cmd(struct l2cap_conn *conn,
664 			      struct smp_cmd_pairing *req,
665 			      struct smp_cmd_pairing *rsp, __u8 authreq)
666 {
667 	struct l2cap_chan *chan = conn->smp;
668 	struct smp_chan *smp = chan->data;
669 	struct hci_conn *hcon = conn->hcon;
670 	struct hci_dev *hdev = hcon->hdev;
671 	u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
672 
673 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
674 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
675 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
676 		authreq |= SMP_AUTH_BONDING;
677 	} else {
678 		authreq &= ~SMP_AUTH_BONDING;
679 	}
680 
681 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
682 		remote_dist |= SMP_DIST_ID_KEY;
683 
684 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
685 		local_dist |= SMP_DIST_ID_KEY;
686 
687 	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
688 	    (authreq & SMP_AUTH_SC)) {
689 		struct oob_data *oob_data;
690 		u8 bdaddr_type;
691 
692 		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
693 			local_dist |= SMP_DIST_LINK_KEY;
694 			remote_dist |= SMP_DIST_LINK_KEY;
695 		}
696 
697 		if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
698 			bdaddr_type = BDADDR_LE_PUBLIC;
699 		else
700 			bdaddr_type = BDADDR_LE_RANDOM;
701 
702 		oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
703 						    bdaddr_type);
704 		if (oob_data && oob_data->present) {
705 			set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
706 			oob_flag = SMP_OOB_PRESENT;
707 			memcpy(smp->rr, oob_data->rand256, 16);
708 			memcpy(smp->pcnf, oob_data->hash256, 16);
709 			SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
710 			SMP_DBG("OOB Remote Random: %16phN", smp->rr);
711 		}
712 
713 	} else {
714 		authreq &= ~SMP_AUTH_SC;
715 	}
716 
717 	if (rsp == NULL) {
718 		req->io_capability = conn->hcon->io_capability;
719 		req->oob_flag = oob_flag;
720 		req->max_key_size = SMP_DEV(hdev)->max_key_size;
721 		req->init_key_dist = local_dist;
722 		req->resp_key_dist = remote_dist;
723 		req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
724 
725 		smp->remote_key_dist = remote_dist;
726 		return;
727 	}
728 
729 	rsp->io_capability = conn->hcon->io_capability;
730 	rsp->oob_flag = oob_flag;
731 	rsp->max_key_size = SMP_DEV(hdev)->max_key_size;
732 	rsp->init_key_dist = req->init_key_dist & remote_dist;
733 	rsp->resp_key_dist = req->resp_key_dist & local_dist;
734 	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
735 
736 	smp->remote_key_dist = rsp->init_key_dist;
737 }
738 
739 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
740 {
741 	struct l2cap_chan *chan = conn->smp;
742 	struct hci_dev *hdev = conn->hcon->hdev;
743 	struct smp_chan *smp = chan->data;
744 
745 	if (max_key_size > SMP_DEV(hdev)->max_key_size ||
746 	    max_key_size < SMP_MIN_ENC_KEY_SIZE)
747 		return SMP_ENC_KEY_SIZE;
748 
749 	smp->enc_key_size = max_key_size;
750 
751 	return 0;
752 }
753 
754 static void smp_chan_destroy(struct l2cap_conn *conn)
755 {
756 	struct l2cap_chan *chan = conn->smp;
757 	struct smp_chan *smp = chan->data;
758 	struct hci_conn *hcon = conn->hcon;
759 	bool complete;
760 
761 	BUG_ON(!smp);
762 
763 	cancel_delayed_work_sync(&smp->security_timer);
764 
765 	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
766 	mgmt_smp_complete(hcon, complete);
767 
768 	kzfree(smp->csrk);
769 	kzfree(smp->slave_csrk);
770 	kzfree(smp->link_key);
771 
772 	crypto_free_cipher(smp->tfm_aes);
773 	crypto_free_shash(smp->tfm_cmac);
774 	crypto_free_kpp(smp->tfm_ecdh);
775 
776 	/* Ensure that we don't leave any debug key around if debug key
777 	 * support hasn't been explicitly enabled.
778 	 */
779 	if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
780 	    !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
781 		list_del_rcu(&smp->ltk->list);
782 		kfree_rcu(smp->ltk, rcu);
783 		smp->ltk = NULL;
784 	}
785 
786 	/* If pairing failed clean up any keys we might have */
787 	if (!complete) {
788 		if (smp->ltk) {
789 			list_del_rcu(&smp->ltk->list);
790 			kfree_rcu(smp->ltk, rcu);
791 		}
792 
793 		if (smp->slave_ltk) {
794 			list_del_rcu(&smp->slave_ltk->list);
795 			kfree_rcu(smp->slave_ltk, rcu);
796 		}
797 
798 		if (smp->remote_irk) {
799 			list_del_rcu(&smp->remote_irk->list);
800 			kfree_rcu(smp->remote_irk, rcu);
801 		}
802 	}
803 
804 	chan->data = NULL;
805 	kzfree(smp);
806 	hci_conn_drop(hcon);
807 }
808 
809 static void smp_failure(struct l2cap_conn *conn, u8 reason)
810 {
811 	struct hci_conn *hcon = conn->hcon;
812 	struct l2cap_chan *chan = conn->smp;
813 
814 	if (reason)
815 		smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
816 			     &reason);
817 
818 	mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
819 
820 	if (chan->data)
821 		smp_chan_destroy(conn);
822 }
823 
824 #define JUST_WORKS	0x00
825 #define JUST_CFM	0x01
826 #define REQ_PASSKEY	0x02
827 #define CFM_PASSKEY	0x03
828 #define REQ_OOB		0x04
829 #define DSP_PASSKEY	0x05
830 #define OVERLAP		0xFF
831 
832 static const u8 gen_method[5][5] = {
833 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
834 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
835 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
836 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
837 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
838 };
839 
840 static const u8 sc_method[5][5] = {
841 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
842 	{ JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
843 	{ DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
844 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
845 	{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
846 };
847 
848 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
849 {
850 	/* If either side has unknown io_caps, use JUST_CFM (which gets
851 	 * converted later to JUST_WORKS if we're initiators.
852 	 */
853 	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
854 	    remote_io > SMP_IO_KEYBOARD_DISPLAY)
855 		return JUST_CFM;
856 
857 	if (test_bit(SMP_FLAG_SC, &smp->flags))
858 		return sc_method[remote_io][local_io];
859 
860 	return gen_method[remote_io][local_io];
861 }
862 
863 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
864 						u8 local_io, u8 remote_io)
865 {
866 	struct hci_conn *hcon = conn->hcon;
867 	struct l2cap_chan *chan = conn->smp;
868 	struct smp_chan *smp = chan->data;
869 	u32 passkey = 0;
870 	int ret = 0;
871 
872 	/* Initialize key for JUST WORKS */
873 	memset(smp->tk, 0, sizeof(smp->tk));
874 	clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
875 
876 	BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
877 
878 	/* If neither side wants MITM, either "just" confirm an incoming
879 	 * request or use just-works for outgoing ones. The JUST_CFM
880 	 * will be converted to JUST_WORKS if necessary later in this
881 	 * function. If either side has MITM look up the method from the
882 	 * table.
883 	 */
884 	if (!(auth & SMP_AUTH_MITM))
885 		smp->method = JUST_CFM;
886 	else
887 		smp->method = get_auth_method(smp, local_io, remote_io);
888 
889 	/* Don't confirm locally initiated pairing attempts */
890 	if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
891 						&smp->flags))
892 		smp->method = JUST_WORKS;
893 
894 	/* Don't bother user space with no IO capabilities */
895 	if (smp->method == JUST_CFM &&
896 	    hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
897 		smp->method = JUST_WORKS;
898 
899 	/* If Just Works, Continue with Zero TK */
900 	if (smp->method == JUST_WORKS) {
901 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
902 		return 0;
903 	}
904 
905 	/* If this function is used for SC -> legacy fallback we
906 	 * can only recover the just-works case.
907 	 */
908 	if (test_bit(SMP_FLAG_SC, &smp->flags))
909 		return -EINVAL;
910 
911 	/* Not Just Works/Confirm results in MITM Authentication */
912 	if (smp->method != JUST_CFM) {
913 		set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
914 		if (hcon->pending_sec_level < BT_SECURITY_HIGH)
915 			hcon->pending_sec_level = BT_SECURITY_HIGH;
916 	}
917 
918 	/* If both devices have Keyoard-Display I/O, the master
919 	 * Confirms and the slave Enters the passkey.
920 	 */
921 	if (smp->method == OVERLAP) {
922 		if (hcon->role == HCI_ROLE_MASTER)
923 			smp->method = CFM_PASSKEY;
924 		else
925 			smp->method = REQ_PASSKEY;
926 	}
927 
928 	/* Generate random passkey. */
929 	if (smp->method == CFM_PASSKEY) {
930 		memset(smp->tk, 0, sizeof(smp->tk));
931 		get_random_bytes(&passkey, sizeof(passkey));
932 		passkey %= 1000000;
933 		put_unaligned_le32(passkey, smp->tk);
934 		BT_DBG("PassKey: %d", passkey);
935 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
936 	}
937 
938 	if (smp->method == REQ_PASSKEY)
939 		ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
940 						hcon->type, hcon->dst_type);
941 	else if (smp->method == JUST_CFM)
942 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
943 						hcon->type, hcon->dst_type,
944 						passkey, 1);
945 	else
946 		ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
947 						hcon->type, hcon->dst_type,
948 						passkey, 0);
949 
950 	return ret;
951 }
952 
953 static u8 smp_confirm(struct smp_chan *smp)
954 {
955 	struct l2cap_conn *conn = smp->conn;
956 	struct smp_cmd_pairing_confirm cp;
957 	int ret;
958 
959 	BT_DBG("conn %p", conn);
960 
961 	ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
962 		     conn->hcon->init_addr_type, &conn->hcon->init_addr,
963 		     conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
964 		     cp.confirm_val);
965 	if (ret)
966 		return SMP_UNSPECIFIED;
967 
968 	clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
969 
970 	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
971 
972 	if (conn->hcon->out)
973 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
974 	else
975 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
976 
977 	return 0;
978 }
979 
980 static u8 smp_random(struct smp_chan *smp)
981 {
982 	struct l2cap_conn *conn = smp->conn;
983 	struct hci_conn *hcon = conn->hcon;
984 	u8 confirm[16];
985 	int ret;
986 
987 	if (IS_ERR_OR_NULL(smp->tfm_aes))
988 		return SMP_UNSPECIFIED;
989 
990 	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
991 
992 	ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
993 		     hcon->init_addr_type, &hcon->init_addr,
994 		     hcon->resp_addr_type, &hcon->resp_addr, confirm);
995 	if (ret)
996 		return SMP_UNSPECIFIED;
997 
998 	if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
999 		bt_dev_err(hcon->hdev, "pairing failed "
1000 			   "(confirmation values mismatch)");
1001 		return SMP_CONFIRM_FAILED;
1002 	}
1003 
1004 	if (hcon->out) {
1005 		u8 stk[16];
1006 		__le64 rand = 0;
1007 		__le16 ediv = 0;
1008 
1009 		smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
1010 
1011 		if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1012 			return SMP_UNSPECIFIED;
1013 
1014 		hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1015 		hcon->enc_key_size = smp->enc_key_size;
1016 		set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1017 	} else {
1018 		u8 stk[16], auth;
1019 		__le64 rand = 0;
1020 		__le16 ediv = 0;
1021 
1022 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1023 			     smp->prnd);
1024 
1025 		smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
1026 
1027 		if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1028 			auth = 1;
1029 		else
1030 			auth = 0;
1031 
1032 		/* Even though there's no _SLAVE suffix this is the
1033 		 * slave STK we're adding for later lookup (the master
1034 		 * STK never needs to be stored).
1035 		 */
1036 		hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1037 			    SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1038 	}
1039 
1040 	return 0;
1041 }
1042 
1043 static void smp_notify_keys(struct l2cap_conn *conn)
1044 {
1045 	struct l2cap_chan *chan = conn->smp;
1046 	struct smp_chan *smp = chan->data;
1047 	struct hci_conn *hcon = conn->hcon;
1048 	struct hci_dev *hdev = hcon->hdev;
1049 	struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1050 	struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1051 	bool persistent;
1052 
1053 	if (hcon->type == ACL_LINK) {
1054 		if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1055 			persistent = false;
1056 		else
1057 			persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1058 					       &hcon->flags);
1059 	} else {
1060 		/* The LTKs, IRKs and CSRKs should be persistent only if
1061 		 * both sides had the bonding bit set in their
1062 		 * authentication requests.
1063 		 */
1064 		persistent = !!((req->auth_req & rsp->auth_req) &
1065 				SMP_AUTH_BONDING);
1066 	}
1067 
1068 	if (smp->remote_irk) {
1069 		mgmt_new_irk(hdev, smp->remote_irk, persistent);
1070 
1071 		/* Now that user space can be considered to know the
1072 		 * identity address track the connection based on it
1073 		 * from now on (assuming this is an LE link).
1074 		 */
1075 		if (hcon->type == LE_LINK) {
1076 			bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1077 			hcon->dst_type = smp->remote_irk->addr_type;
1078 			queue_work(hdev->workqueue, &conn->id_addr_update_work);
1079 		}
1080 	}
1081 
1082 	if (smp->csrk) {
1083 		smp->csrk->bdaddr_type = hcon->dst_type;
1084 		bacpy(&smp->csrk->bdaddr, &hcon->dst);
1085 		mgmt_new_csrk(hdev, smp->csrk, persistent);
1086 	}
1087 
1088 	if (smp->slave_csrk) {
1089 		smp->slave_csrk->bdaddr_type = hcon->dst_type;
1090 		bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1091 		mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1092 	}
1093 
1094 	if (smp->ltk) {
1095 		smp->ltk->bdaddr_type = hcon->dst_type;
1096 		bacpy(&smp->ltk->bdaddr, &hcon->dst);
1097 		mgmt_new_ltk(hdev, smp->ltk, persistent);
1098 	}
1099 
1100 	if (smp->slave_ltk) {
1101 		smp->slave_ltk->bdaddr_type = hcon->dst_type;
1102 		bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1103 		mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1104 	}
1105 
1106 	if (smp->link_key) {
1107 		struct link_key *key;
1108 		u8 type;
1109 
1110 		if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1111 			type = HCI_LK_DEBUG_COMBINATION;
1112 		else if (hcon->sec_level == BT_SECURITY_FIPS)
1113 			type = HCI_LK_AUTH_COMBINATION_P256;
1114 		else
1115 			type = HCI_LK_UNAUTH_COMBINATION_P256;
1116 
1117 		key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1118 				       smp->link_key, type, 0, &persistent);
1119 		if (key) {
1120 			mgmt_new_link_key(hdev, key, persistent);
1121 
1122 			/* Don't keep debug keys around if the relevant
1123 			 * flag is not set.
1124 			 */
1125 			if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1126 			    key->type == HCI_LK_DEBUG_COMBINATION) {
1127 				list_del_rcu(&key->list);
1128 				kfree_rcu(key, rcu);
1129 			}
1130 		}
1131 	}
1132 }
1133 
1134 static void sc_add_ltk(struct smp_chan *smp)
1135 {
1136 	struct hci_conn *hcon = smp->conn->hcon;
1137 	u8 key_type, auth;
1138 
1139 	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1140 		key_type = SMP_LTK_P256_DEBUG;
1141 	else
1142 		key_type = SMP_LTK_P256;
1143 
1144 	if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1145 		auth = 1;
1146 	else
1147 		auth = 0;
1148 
1149 	smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1150 			       key_type, auth, smp->tk, smp->enc_key_size,
1151 			       0, 0);
1152 }
1153 
1154 static void sc_generate_link_key(struct smp_chan *smp)
1155 {
1156 	/* From core spec. Spells out in ASCII as 'lebr'. */
1157 	const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1158 
1159 	smp->link_key = kzalloc(16, GFP_KERNEL);
1160 	if (!smp->link_key)
1161 		return;
1162 
1163 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1164 		/* SALT = 0x00000000000000000000000000000000746D7031 */
1165 		const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1166 
1167 		if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1168 			kzfree(smp->link_key);
1169 			smp->link_key = NULL;
1170 			return;
1171 		}
1172 	} else {
1173 		/* From core spec. Spells out in ASCII as 'tmp1'. */
1174 		const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1175 
1176 		if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1177 			kzfree(smp->link_key);
1178 			smp->link_key = NULL;
1179 			return;
1180 		}
1181 	}
1182 
1183 	if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1184 		kzfree(smp->link_key);
1185 		smp->link_key = NULL;
1186 		return;
1187 	}
1188 }
1189 
1190 static void smp_allow_key_dist(struct smp_chan *smp)
1191 {
1192 	/* Allow the first expected phase 3 PDU. The rest of the PDUs
1193 	 * will be allowed in each PDU handler to ensure we receive
1194 	 * them in the correct order.
1195 	 */
1196 	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1197 		SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1198 	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1199 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1200 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
1201 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1202 }
1203 
1204 static void sc_generate_ltk(struct smp_chan *smp)
1205 {
1206 	/* From core spec. Spells out in ASCII as 'brle'. */
1207 	const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1208 	struct hci_conn *hcon = smp->conn->hcon;
1209 	struct hci_dev *hdev = hcon->hdev;
1210 	struct link_key *key;
1211 
1212 	key = hci_find_link_key(hdev, &hcon->dst);
1213 	if (!key) {
1214 		bt_dev_err(hdev, "no Link Key found to generate LTK");
1215 		return;
1216 	}
1217 
1218 	if (key->type == HCI_LK_DEBUG_COMBINATION)
1219 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1220 
1221 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1222 		/* SALT = 0x00000000000000000000000000000000746D7032 */
1223 		const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1224 
1225 		if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1226 			return;
1227 	} else {
1228 		/* From core spec. Spells out in ASCII as 'tmp2'. */
1229 		const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1230 
1231 		if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1232 			return;
1233 	}
1234 
1235 	if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1236 		return;
1237 
1238 	sc_add_ltk(smp);
1239 }
1240 
1241 static void smp_distribute_keys(struct smp_chan *smp)
1242 {
1243 	struct smp_cmd_pairing *req, *rsp;
1244 	struct l2cap_conn *conn = smp->conn;
1245 	struct hci_conn *hcon = conn->hcon;
1246 	struct hci_dev *hdev = hcon->hdev;
1247 	__u8 *keydist;
1248 
1249 	BT_DBG("conn %p", conn);
1250 
1251 	rsp = (void *) &smp->prsp[1];
1252 
1253 	/* The responder sends its keys first */
1254 	if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1255 		smp_allow_key_dist(smp);
1256 		return;
1257 	}
1258 
1259 	req = (void *) &smp->preq[1];
1260 
1261 	if (hcon->out) {
1262 		keydist = &rsp->init_key_dist;
1263 		*keydist &= req->init_key_dist;
1264 	} else {
1265 		keydist = &rsp->resp_key_dist;
1266 		*keydist &= req->resp_key_dist;
1267 	}
1268 
1269 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1270 		if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1271 			sc_generate_link_key(smp);
1272 		if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1273 			sc_generate_ltk(smp);
1274 
1275 		/* Clear the keys which are generated but not distributed */
1276 		*keydist &= ~SMP_SC_NO_DIST;
1277 	}
1278 
1279 	BT_DBG("keydist 0x%x", *keydist);
1280 
1281 	if (*keydist & SMP_DIST_ENC_KEY) {
1282 		struct smp_cmd_encrypt_info enc;
1283 		struct smp_cmd_master_ident ident;
1284 		struct smp_ltk *ltk;
1285 		u8 authenticated;
1286 		__le16 ediv;
1287 		__le64 rand;
1288 
1289 		/* Make sure we generate only the significant amount of
1290 		 * bytes based on the encryption key size, and set the rest
1291 		 * of the value to zeroes.
1292 		 */
1293 		get_random_bytes(enc.ltk, smp->enc_key_size);
1294 		memset(enc.ltk + smp->enc_key_size, 0,
1295 		       sizeof(enc.ltk) - smp->enc_key_size);
1296 
1297 		get_random_bytes(&ediv, sizeof(ediv));
1298 		get_random_bytes(&rand, sizeof(rand));
1299 
1300 		smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1301 
1302 		authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1303 		ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1304 				  SMP_LTK_SLAVE, authenticated, enc.ltk,
1305 				  smp->enc_key_size, ediv, rand);
1306 		smp->slave_ltk = ltk;
1307 
1308 		ident.ediv = ediv;
1309 		ident.rand = rand;
1310 
1311 		smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1312 
1313 		*keydist &= ~SMP_DIST_ENC_KEY;
1314 	}
1315 
1316 	if (*keydist & SMP_DIST_ID_KEY) {
1317 		struct smp_cmd_ident_addr_info addrinfo;
1318 		struct smp_cmd_ident_info idinfo;
1319 
1320 		memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1321 
1322 		smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1323 
1324 		/* The hci_conn contains the local identity address
1325 		 * after the connection has been established.
1326 		 *
1327 		 * This is true even when the connection has been
1328 		 * established using a resolvable random address.
1329 		 */
1330 		bacpy(&addrinfo.bdaddr, &hcon->src);
1331 		addrinfo.addr_type = hcon->src_type;
1332 
1333 		smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1334 			     &addrinfo);
1335 
1336 		*keydist &= ~SMP_DIST_ID_KEY;
1337 	}
1338 
1339 	if (*keydist & SMP_DIST_SIGN) {
1340 		struct smp_cmd_sign_info sign;
1341 		struct smp_csrk *csrk;
1342 
1343 		/* Generate a new random key */
1344 		get_random_bytes(sign.csrk, sizeof(sign.csrk));
1345 
1346 		csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1347 		if (csrk) {
1348 			if (hcon->sec_level > BT_SECURITY_MEDIUM)
1349 				csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1350 			else
1351 				csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1352 			memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1353 		}
1354 		smp->slave_csrk = csrk;
1355 
1356 		smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1357 
1358 		*keydist &= ~SMP_DIST_SIGN;
1359 	}
1360 
1361 	/* If there are still keys to be received wait for them */
1362 	if (smp->remote_key_dist & KEY_DIST_MASK) {
1363 		smp_allow_key_dist(smp);
1364 		return;
1365 	}
1366 
1367 	set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1368 	smp_notify_keys(conn);
1369 
1370 	smp_chan_destroy(conn);
1371 }
1372 
1373 static void smp_timeout(struct work_struct *work)
1374 {
1375 	struct smp_chan *smp = container_of(work, struct smp_chan,
1376 					    security_timer.work);
1377 	struct l2cap_conn *conn = smp->conn;
1378 
1379 	BT_DBG("conn %p", conn);
1380 
1381 	hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1382 }
1383 
1384 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1385 {
1386 	struct l2cap_chan *chan = conn->smp;
1387 	struct smp_chan *smp;
1388 
1389 	smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1390 	if (!smp)
1391 		return NULL;
1392 
1393 	smp->tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
1394 	if (IS_ERR(smp->tfm_aes)) {
1395 		BT_ERR("Unable to create AES crypto context");
1396 		goto zfree_smp;
1397 	}
1398 
1399 	smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1400 	if (IS_ERR(smp->tfm_cmac)) {
1401 		BT_ERR("Unable to create CMAC crypto context");
1402 		goto free_cipher;
1403 	}
1404 
1405 	smp->tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
1406 	if (IS_ERR(smp->tfm_ecdh)) {
1407 		BT_ERR("Unable to create ECDH crypto context");
1408 		goto free_shash;
1409 	}
1410 
1411 	smp->conn = conn;
1412 	chan->data = smp;
1413 
1414 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1415 
1416 	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1417 
1418 	hci_conn_hold(conn->hcon);
1419 
1420 	return smp;
1421 
1422 free_shash:
1423 	crypto_free_shash(smp->tfm_cmac);
1424 free_cipher:
1425 	crypto_free_cipher(smp->tfm_aes);
1426 zfree_smp:
1427 	kzfree(smp);
1428 	return NULL;
1429 }
1430 
1431 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1432 {
1433 	struct hci_conn *hcon = smp->conn->hcon;
1434 	u8 *na, *nb, a[7], b[7];
1435 
1436 	if (hcon->out) {
1437 		na   = smp->prnd;
1438 		nb   = smp->rrnd;
1439 	} else {
1440 		na   = smp->rrnd;
1441 		nb   = smp->prnd;
1442 	}
1443 
1444 	memcpy(a, &hcon->init_addr, 6);
1445 	memcpy(b, &hcon->resp_addr, 6);
1446 	a[6] = hcon->init_addr_type;
1447 	b[6] = hcon->resp_addr_type;
1448 
1449 	return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1450 }
1451 
1452 static void sc_dhkey_check(struct smp_chan *smp)
1453 {
1454 	struct hci_conn *hcon = smp->conn->hcon;
1455 	struct smp_cmd_dhkey_check check;
1456 	u8 a[7], b[7], *local_addr, *remote_addr;
1457 	u8 io_cap[3], r[16];
1458 
1459 	memcpy(a, &hcon->init_addr, 6);
1460 	memcpy(b, &hcon->resp_addr, 6);
1461 	a[6] = hcon->init_addr_type;
1462 	b[6] = hcon->resp_addr_type;
1463 
1464 	if (hcon->out) {
1465 		local_addr = a;
1466 		remote_addr = b;
1467 		memcpy(io_cap, &smp->preq[1], 3);
1468 	} else {
1469 		local_addr = b;
1470 		remote_addr = a;
1471 		memcpy(io_cap, &smp->prsp[1], 3);
1472 	}
1473 
1474 	memset(r, 0, sizeof(r));
1475 
1476 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1477 		put_unaligned_le32(hcon->passkey_notify, r);
1478 
1479 	if (smp->method == REQ_OOB)
1480 		memcpy(r, smp->rr, 16);
1481 
1482 	smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1483 	       local_addr, remote_addr, check.e);
1484 
1485 	smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1486 }
1487 
1488 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1489 {
1490 	struct l2cap_conn *conn = smp->conn;
1491 	struct hci_conn *hcon = conn->hcon;
1492 	struct smp_cmd_pairing_confirm cfm;
1493 	u8 r;
1494 
1495 	r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1496 	r |= 0x80;
1497 
1498 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1499 
1500 	if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1501 		   cfm.confirm_val))
1502 		return SMP_UNSPECIFIED;
1503 
1504 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1505 
1506 	return 0;
1507 }
1508 
1509 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1510 {
1511 	struct l2cap_conn *conn = smp->conn;
1512 	struct hci_conn *hcon = conn->hcon;
1513 	struct hci_dev *hdev = hcon->hdev;
1514 	u8 cfm[16], r;
1515 
1516 	/* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1517 	if (smp->passkey_round >= 20)
1518 		return 0;
1519 
1520 	switch (smp_op) {
1521 	case SMP_CMD_PAIRING_RANDOM:
1522 		r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1523 		r |= 0x80;
1524 
1525 		if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1526 			   smp->rrnd, r, cfm))
1527 			return SMP_UNSPECIFIED;
1528 
1529 		if (crypto_memneq(smp->pcnf, cfm, 16))
1530 			return SMP_CONFIRM_FAILED;
1531 
1532 		smp->passkey_round++;
1533 
1534 		if (smp->passkey_round == 20) {
1535 			/* Generate MacKey and LTK */
1536 			if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1537 				return SMP_UNSPECIFIED;
1538 		}
1539 
1540 		/* The round is only complete when the initiator
1541 		 * receives pairing random.
1542 		 */
1543 		if (!hcon->out) {
1544 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1545 				     sizeof(smp->prnd), smp->prnd);
1546 			if (smp->passkey_round == 20)
1547 				SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1548 			else
1549 				SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1550 			return 0;
1551 		}
1552 
1553 		/* Start the next round */
1554 		if (smp->passkey_round != 20)
1555 			return sc_passkey_round(smp, 0);
1556 
1557 		/* Passkey rounds are complete - start DHKey Check */
1558 		sc_dhkey_check(smp);
1559 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1560 
1561 		break;
1562 
1563 	case SMP_CMD_PAIRING_CONFIRM:
1564 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1565 			set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1566 			return 0;
1567 		}
1568 
1569 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1570 
1571 		if (hcon->out) {
1572 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1573 				     sizeof(smp->prnd), smp->prnd);
1574 			return 0;
1575 		}
1576 
1577 		return sc_passkey_send_confirm(smp);
1578 
1579 	case SMP_CMD_PUBLIC_KEY:
1580 	default:
1581 		/* Initiating device starts the round */
1582 		if (!hcon->out)
1583 			return 0;
1584 
1585 		BT_DBG("%s Starting passkey round %u", hdev->name,
1586 		       smp->passkey_round + 1);
1587 
1588 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1589 
1590 		return sc_passkey_send_confirm(smp);
1591 	}
1592 
1593 	return 0;
1594 }
1595 
1596 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1597 {
1598 	struct l2cap_conn *conn = smp->conn;
1599 	struct hci_conn *hcon = conn->hcon;
1600 	u8 smp_op;
1601 
1602 	clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1603 
1604 	switch (mgmt_op) {
1605 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1606 		smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1607 		return 0;
1608 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1609 		smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1610 		return 0;
1611 	case MGMT_OP_USER_PASSKEY_REPLY:
1612 		hcon->passkey_notify = le32_to_cpu(passkey);
1613 		smp->passkey_round = 0;
1614 
1615 		if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1616 			smp_op = SMP_CMD_PAIRING_CONFIRM;
1617 		else
1618 			smp_op = 0;
1619 
1620 		if (sc_passkey_round(smp, smp_op))
1621 			return -EIO;
1622 
1623 		return 0;
1624 	}
1625 
1626 	/* Initiator sends DHKey check first */
1627 	if (hcon->out) {
1628 		sc_dhkey_check(smp);
1629 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1630 	} else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1631 		sc_dhkey_check(smp);
1632 		sc_add_ltk(smp);
1633 	}
1634 
1635 	return 0;
1636 }
1637 
1638 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1639 {
1640 	struct l2cap_conn *conn = hcon->l2cap_data;
1641 	struct l2cap_chan *chan;
1642 	struct smp_chan *smp;
1643 	u32 value;
1644 	int err;
1645 
1646 	BT_DBG("");
1647 
1648 	if (!conn)
1649 		return -ENOTCONN;
1650 
1651 	chan = conn->smp;
1652 	if (!chan)
1653 		return -ENOTCONN;
1654 
1655 	l2cap_chan_lock(chan);
1656 	if (!chan->data) {
1657 		err = -ENOTCONN;
1658 		goto unlock;
1659 	}
1660 
1661 	smp = chan->data;
1662 
1663 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1664 		err = sc_user_reply(smp, mgmt_op, passkey);
1665 		goto unlock;
1666 	}
1667 
1668 	switch (mgmt_op) {
1669 	case MGMT_OP_USER_PASSKEY_REPLY:
1670 		value = le32_to_cpu(passkey);
1671 		memset(smp->tk, 0, sizeof(smp->tk));
1672 		BT_DBG("PassKey: %d", value);
1673 		put_unaligned_le32(value, smp->tk);
1674 		/* Fall Through */
1675 	case MGMT_OP_USER_CONFIRM_REPLY:
1676 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1677 		break;
1678 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1679 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1680 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1681 		err = 0;
1682 		goto unlock;
1683 	default:
1684 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1685 		err = -EOPNOTSUPP;
1686 		goto unlock;
1687 	}
1688 
1689 	err = 0;
1690 
1691 	/* If it is our turn to send Pairing Confirm, do so now */
1692 	if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1693 		u8 rsp = smp_confirm(smp);
1694 		if (rsp)
1695 			smp_failure(conn, rsp);
1696 	}
1697 
1698 unlock:
1699 	l2cap_chan_unlock(chan);
1700 	return err;
1701 }
1702 
1703 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1704 				    struct smp_cmd_pairing *req,
1705 				    struct smp_cmd_pairing *rsp)
1706 {
1707 	struct l2cap_conn *conn = smp->conn;
1708 	struct hci_dev *hdev = conn->hcon->hdev;
1709 	u8 local_dist = 0, remote_dist = 0;
1710 
1711 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1712 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1713 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1714 	}
1715 
1716 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1717 		remote_dist |= SMP_DIST_ID_KEY;
1718 
1719 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1720 		local_dist |= SMP_DIST_ID_KEY;
1721 
1722 	if (!rsp) {
1723 		memset(req, 0, sizeof(*req));
1724 
1725 		req->auth_req        = SMP_AUTH_CT2;
1726 		req->init_key_dist   = local_dist;
1727 		req->resp_key_dist   = remote_dist;
1728 		req->max_key_size    = conn->hcon->enc_key_size;
1729 
1730 		smp->remote_key_dist = remote_dist;
1731 
1732 		return;
1733 	}
1734 
1735 	memset(rsp, 0, sizeof(*rsp));
1736 
1737 	rsp->auth_req        = SMP_AUTH_CT2;
1738 	rsp->max_key_size    = conn->hcon->enc_key_size;
1739 	rsp->init_key_dist   = req->init_key_dist & remote_dist;
1740 	rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1741 
1742 	smp->remote_key_dist = rsp->init_key_dist;
1743 }
1744 
1745 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1746 {
1747 	struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1748 	struct l2cap_chan *chan = conn->smp;
1749 	struct hci_dev *hdev = conn->hcon->hdev;
1750 	struct smp_chan *smp;
1751 	u8 key_size, auth, sec_level;
1752 	int ret;
1753 
1754 	BT_DBG("conn %p", conn);
1755 
1756 	if (skb->len < sizeof(*req))
1757 		return SMP_INVALID_PARAMS;
1758 
1759 	if (conn->hcon->role != HCI_ROLE_SLAVE)
1760 		return SMP_CMD_NOTSUPP;
1761 
1762 	if (!chan->data)
1763 		smp = smp_chan_create(conn);
1764 	else
1765 		smp = chan->data;
1766 
1767 	if (!smp)
1768 		return SMP_UNSPECIFIED;
1769 
1770 	/* We didn't start the pairing, so match remote */
1771 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
1772 
1773 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1774 	    (auth & SMP_AUTH_BONDING))
1775 		return SMP_PAIRING_NOTSUPP;
1776 
1777 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1778 		return SMP_AUTH_REQUIREMENTS;
1779 
1780 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
1781 	memcpy(&smp->preq[1], req, sizeof(*req));
1782 	skb_pull(skb, sizeof(*req));
1783 
1784 	/* If the remote side's OOB flag is set it means it has
1785 	 * successfully received our local OOB data - therefore set the
1786 	 * flag to indicate that local OOB is in use.
1787 	 */
1788 	if (req->oob_flag == SMP_OOB_PRESENT)
1789 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1790 
1791 	/* SMP over BR/EDR requires special treatment */
1792 	if (conn->hcon->type == ACL_LINK) {
1793 		/* We must have a BR/EDR SC link */
1794 		if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1795 		    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1796 			return SMP_CROSS_TRANSP_NOT_ALLOWED;
1797 
1798 		set_bit(SMP_FLAG_SC, &smp->flags);
1799 
1800 		build_bredr_pairing_cmd(smp, req, &rsp);
1801 
1802 		if (req->auth_req & SMP_AUTH_CT2)
1803 			set_bit(SMP_FLAG_CT2, &smp->flags);
1804 
1805 		key_size = min(req->max_key_size, rsp.max_key_size);
1806 		if (check_enc_key_size(conn, key_size))
1807 			return SMP_ENC_KEY_SIZE;
1808 
1809 		/* Clear bits which are generated but not distributed */
1810 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1811 
1812 		smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1813 		memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1814 		smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1815 
1816 		smp_distribute_keys(smp);
1817 		return 0;
1818 	}
1819 
1820 	build_pairing_cmd(conn, req, &rsp, auth);
1821 
1822 	if (rsp.auth_req & SMP_AUTH_SC) {
1823 		set_bit(SMP_FLAG_SC, &smp->flags);
1824 
1825 		if (rsp.auth_req & SMP_AUTH_CT2)
1826 			set_bit(SMP_FLAG_CT2, &smp->flags);
1827 	}
1828 
1829 	if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1830 		sec_level = BT_SECURITY_MEDIUM;
1831 	else
1832 		sec_level = authreq_to_seclevel(auth);
1833 
1834 	if (sec_level > conn->hcon->pending_sec_level)
1835 		conn->hcon->pending_sec_level = sec_level;
1836 
1837 	/* If we need MITM check that it can be achieved */
1838 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1839 		u8 method;
1840 
1841 		method = get_auth_method(smp, conn->hcon->io_capability,
1842 					 req->io_capability);
1843 		if (method == JUST_WORKS || method == JUST_CFM)
1844 			return SMP_AUTH_REQUIREMENTS;
1845 	}
1846 
1847 	key_size = min(req->max_key_size, rsp.max_key_size);
1848 	if (check_enc_key_size(conn, key_size))
1849 		return SMP_ENC_KEY_SIZE;
1850 
1851 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1852 
1853 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1854 	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1855 
1856 	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1857 
1858 	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1859 
1860 	/* Strictly speaking we shouldn't allow Pairing Confirm for the
1861 	 * SC case, however some implementations incorrectly copy RFU auth
1862 	 * req bits from our security request, which may create a false
1863 	 * positive SC enablement.
1864 	 */
1865 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1866 
1867 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1868 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1869 		/* Clear bits which are generated but not distributed */
1870 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1871 		/* Wait for Public Key from Initiating Device */
1872 		return 0;
1873 	}
1874 
1875 	/* Request setup of TK */
1876 	ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1877 	if (ret)
1878 		return SMP_UNSPECIFIED;
1879 
1880 	return 0;
1881 }
1882 
1883 static u8 sc_send_public_key(struct smp_chan *smp)
1884 {
1885 	struct hci_dev *hdev = smp->conn->hcon->hdev;
1886 
1887 	BT_DBG("");
1888 
1889 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1890 		struct l2cap_chan *chan = hdev->smp_data;
1891 		struct smp_dev *smp_dev;
1892 
1893 		if (!chan || !chan->data)
1894 			return SMP_UNSPECIFIED;
1895 
1896 		smp_dev = chan->data;
1897 
1898 		memcpy(smp->local_pk, smp_dev->local_pk, 64);
1899 		memcpy(smp->lr, smp_dev->local_rand, 16);
1900 
1901 		if (smp_dev->debug_key)
1902 			set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1903 
1904 		goto done;
1905 	}
1906 
1907 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1908 		BT_DBG("Using debug keys");
1909 		if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
1910 			return SMP_UNSPECIFIED;
1911 		memcpy(smp->local_pk, debug_pk, 64);
1912 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1913 	} else {
1914 		while (true) {
1915 			/* Generate key pair for Secure Connections */
1916 			if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
1917 				return SMP_UNSPECIFIED;
1918 
1919 			/* This is unlikely, but we need to check that
1920 			 * we didn't accidentially generate a debug key.
1921 			 */
1922 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
1923 				break;
1924 		}
1925 	}
1926 
1927 done:
1928 	SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1929 	SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1930 
1931 	smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1932 
1933 	return 0;
1934 }
1935 
1936 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1937 {
1938 	struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1939 	struct l2cap_chan *chan = conn->smp;
1940 	struct smp_chan *smp = chan->data;
1941 	struct hci_dev *hdev = conn->hcon->hdev;
1942 	u8 key_size, auth;
1943 	int ret;
1944 
1945 	BT_DBG("conn %p", conn);
1946 
1947 	if (skb->len < sizeof(*rsp))
1948 		return SMP_INVALID_PARAMS;
1949 
1950 	if (conn->hcon->role != HCI_ROLE_MASTER)
1951 		return SMP_CMD_NOTSUPP;
1952 
1953 	skb_pull(skb, sizeof(*rsp));
1954 
1955 	req = (void *) &smp->preq[1];
1956 
1957 	key_size = min(req->max_key_size, rsp->max_key_size);
1958 	if (check_enc_key_size(conn, key_size))
1959 		return SMP_ENC_KEY_SIZE;
1960 
1961 	auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1962 
1963 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1964 		return SMP_AUTH_REQUIREMENTS;
1965 
1966 	/* If the remote side's OOB flag is set it means it has
1967 	 * successfully received our local OOB data - therefore set the
1968 	 * flag to indicate that local OOB is in use.
1969 	 */
1970 	if (rsp->oob_flag == SMP_OOB_PRESENT)
1971 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1972 
1973 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1974 	memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1975 
1976 	/* Update remote key distribution in case the remote cleared
1977 	 * some bits that we had enabled in our request.
1978 	 */
1979 	smp->remote_key_dist &= rsp->resp_key_dist;
1980 
1981 	if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1982 		set_bit(SMP_FLAG_CT2, &smp->flags);
1983 
1984 	/* For BR/EDR this means we're done and can start phase 3 */
1985 	if (conn->hcon->type == ACL_LINK) {
1986 		/* Clear bits which are generated but not distributed */
1987 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1988 		smp_distribute_keys(smp);
1989 		return 0;
1990 	}
1991 
1992 	if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1993 		set_bit(SMP_FLAG_SC, &smp->flags);
1994 	else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1995 		conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1996 
1997 	/* If we need MITM check that it can be achieved */
1998 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1999 		u8 method;
2000 
2001 		method = get_auth_method(smp, req->io_capability,
2002 					 rsp->io_capability);
2003 		if (method == JUST_WORKS || method == JUST_CFM)
2004 			return SMP_AUTH_REQUIREMENTS;
2005 	}
2006 
2007 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
2008 
2009 	/* Update remote key distribution in case the remote cleared
2010 	 * some bits that we had enabled in our request.
2011 	 */
2012 	smp->remote_key_dist &= rsp->resp_key_dist;
2013 
2014 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2015 		/* Clear bits which are generated but not distributed */
2016 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
2017 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2018 		return sc_send_public_key(smp);
2019 	}
2020 
2021 	auth |= req->auth_req;
2022 
2023 	ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2024 	if (ret)
2025 		return SMP_UNSPECIFIED;
2026 
2027 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2028 
2029 	/* Can't compose response until we have been confirmed */
2030 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2031 		return smp_confirm(smp);
2032 
2033 	return 0;
2034 }
2035 
2036 static u8 sc_check_confirm(struct smp_chan *smp)
2037 {
2038 	struct l2cap_conn *conn = smp->conn;
2039 
2040 	BT_DBG("");
2041 
2042 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2043 		return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2044 
2045 	if (conn->hcon->out) {
2046 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2047 			     smp->prnd);
2048 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2049 	}
2050 
2051 	return 0;
2052 }
2053 
2054 /* Work-around for some implementations that incorrectly copy RFU bits
2055  * from our security request and thereby create the impression that
2056  * we're doing SC when in fact the remote doesn't support it.
2057  */
2058 static int fixup_sc_false_positive(struct smp_chan *smp)
2059 {
2060 	struct l2cap_conn *conn = smp->conn;
2061 	struct hci_conn *hcon = conn->hcon;
2062 	struct hci_dev *hdev = hcon->hdev;
2063 	struct smp_cmd_pairing *req, *rsp;
2064 	u8 auth;
2065 
2066 	/* The issue is only observed when we're in slave role */
2067 	if (hcon->out)
2068 		return SMP_UNSPECIFIED;
2069 
2070 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2071 		bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
2072 		return SMP_UNSPECIFIED;
2073 	}
2074 
2075 	bt_dev_err(hdev, "trying to fall back to legacy SMP");
2076 
2077 	req = (void *) &smp->preq[1];
2078 	rsp = (void *) &smp->prsp[1];
2079 
2080 	/* Rebuild key dist flags which may have been cleared for SC */
2081 	smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2082 
2083 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
2084 
2085 	if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2086 		bt_dev_err(hdev, "failed to fall back to legacy SMP");
2087 		return SMP_UNSPECIFIED;
2088 	}
2089 
2090 	clear_bit(SMP_FLAG_SC, &smp->flags);
2091 
2092 	return 0;
2093 }
2094 
2095 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2096 {
2097 	struct l2cap_chan *chan = conn->smp;
2098 	struct smp_chan *smp = chan->data;
2099 
2100 	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
2101 
2102 	if (skb->len < sizeof(smp->pcnf))
2103 		return SMP_INVALID_PARAMS;
2104 
2105 	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2106 	skb_pull(skb, sizeof(smp->pcnf));
2107 
2108 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2109 		int ret;
2110 
2111 		/* Public Key exchange must happen before any other steps */
2112 		if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2113 			return sc_check_confirm(smp);
2114 
2115 		BT_ERR("Unexpected SMP Pairing Confirm");
2116 
2117 		ret = fixup_sc_false_positive(smp);
2118 		if (ret)
2119 			return ret;
2120 	}
2121 
2122 	if (conn->hcon->out) {
2123 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2124 			     smp->prnd);
2125 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2126 		return 0;
2127 	}
2128 
2129 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2130 		return smp_confirm(smp);
2131 
2132 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2133 
2134 	return 0;
2135 }
2136 
2137 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2138 {
2139 	struct l2cap_chan *chan = conn->smp;
2140 	struct smp_chan *smp = chan->data;
2141 	struct hci_conn *hcon = conn->hcon;
2142 	u8 *pkax, *pkbx, *na, *nb;
2143 	u32 passkey;
2144 	int err;
2145 
2146 	BT_DBG("conn %p", conn);
2147 
2148 	if (skb->len < sizeof(smp->rrnd))
2149 		return SMP_INVALID_PARAMS;
2150 
2151 	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2152 	skb_pull(skb, sizeof(smp->rrnd));
2153 
2154 	if (!test_bit(SMP_FLAG_SC, &smp->flags))
2155 		return smp_random(smp);
2156 
2157 	if (hcon->out) {
2158 		pkax = smp->local_pk;
2159 		pkbx = smp->remote_pk;
2160 		na   = smp->prnd;
2161 		nb   = smp->rrnd;
2162 	} else {
2163 		pkax = smp->remote_pk;
2164 		pkbx = smp->local_pk;
2165 		na   = smp->rrnd;
2166 		nb   = smp->prnd;
2167 	}
2168 
2169 	if (smp->method == REQ_OOB) {
2170 		if (!hcon->out)
2171 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2172 				     sizeof(smp->prnd), smp->prnd);
2173 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2174 		goto mackey_and_ltk;
2175 	}
2176 
2177 	/* Passkey entry has special treatment */
2178 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2179 		return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2180 
2181 	if (hcon->out) {
2182 		u8 cfm[16];
2183 
2184 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2185 			     smp->rrnd, 0, cfm);
2186 		if (err)
2187 			return SMP_UNSPECIFIED;
2188 
2189 		if (crypto_memneq(smp->pcnf, cfm, 16))
2190 			return SMP_CONFIRM_FAILED;
2191 	} else {
2192 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2193 			     smp->prnd);
2194 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2195 	}
2196 
2197 mackey_and_ltk:
2198 	/* Generate MacKey and LTK */
2199 	err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2200 	if (err)
2201 		return SMP_UNSPECIFIED;
2202 
2203 	if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2204 		if (hcon->out) {
2205 			sc_dhkey_check(smp);
2206 			SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2207 		}
2208 		return 0;
2209 	}
2210 
2211 	err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2212 	if (err)
2213 		return SMP_UNSPECIFIED;
2214 
2215 	err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2216 					hcon->dst_type, passkey, 0);
2217 	if (err)
2218 		return SMP_UNSPECIFIED;
2219 
2220 	set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2221 
2222 	return 0;
2223 }
2224 
2225 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2226 {
2227 	struct smp_ltk *key;
2228 	struct hci_conn *hcon = conn->hcon;
2229 
2230 	key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2231 	if (!key)
2232 		return false;
2233 
2234 	if (smp_ltk_sec_level(key) < sec_level)
2235 		return false;
2236 
2237 	if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2238 		return true;
2239 
2240 	hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2241 	hcon->enc_key_size = key->enc_size;
2242 
2243 	/* We never store STKs for master role, so clear this flag */
2244 	clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2245 
2246 	return true;
2247 }
2248 
2249 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2250 			     enum smp_key_pref key_pref)
2251 {
2252 	if (sec_level == BT_SECURITY_LOW)
2253 		return true;
2254 
2255 	/* If we're encrypted with an STK but the caller prefers using
2256 	 * LTK claim insufficient security. This way we allow the
2257 	 * connection to be re-encrypted with an LTK, even if the LTK
2258 	 * provides the same level of security. Only exception is if we
2259 	 * don't have an LTK (e.g. because of key distribution bits).
2260 	 */
2261 	if (key_pref == SMP_USE_LTK &&
2262 	    test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2263 	    hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2264 		return false;
2265 
2266 	if (hcon->sec_level >= sec_level)
2267 		return true;
2268 
2269 	return false;
2270 }
2271 
2272 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2273 {
2274 	struct smp_cmd_security_req *rp = (void *) skb->data;
2275 	struct smp_cmd_pairing cp;
2276 	struct hci_conn *hcon = conn->hcon;
2277 	struct hci_dev *hdev = hcon->hdev;
2278 	struct smp_chan *smp;
2279 	u8 sec_level, auth;
2280 
2281 	BT_DBG("conn %p", conn);
2282 
2283 	if (skb->len < sizeof(*rp))
2284 		return SMP_INVALID_PARAMS;
2285 
2286 	if (hcon->role != HCI_ROLE_MASTER)
2287 		return SMP_CMD_NOTSUPP;
2288 
2289 	auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2290 
2291 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2292 		return SMP_AUTH_REQUIREMENTS;
2293 
2294 	if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2295 		sec_level = BT_SECURITY_MEDIUM;
2296 	else
2297 		sec_level = authreq_to_seclevel(auth);
2298 
2299 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2300 		return 0;
2301 
2302 	if (sec_level > hcon->pending_sec_level)
2303 		hcon->pending_sec_level = sec_level;
2304 
2305 	if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2306 		return 0;
2307 
2308 	smp = smp_chan_create(conn);
2309 	if (!smp)
2310 		return SMP_UNSPECIFIED;
2311 
2312 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2313 	    (auth & SMP_AUTH_BONDING))
2314 		return SMP_PAIRING_NOTSUPP;
2315 
2316 	skb_pull(skb, sizeof(*rp));
2317 
2318 	memset(&cp, 0, sizeof(cp));
2319 	build_pairing_cmd(conn, &cp, NULL, auth);
2320 
2321 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2322 	memcpy(&smp->preq[1], &cp, sizeof(cp));
2323 
2324 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2325 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2326 
2327 	return 0;
2328 }
2329 
2330 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2331 {
2332 	struct l2cap_conn *conn = hcon->l2cap_data;
2333 	struct l2cap_chan *chan;
2334 	struct smp_chan *smp;
2335 	__u8 authreq;
2336 	int ret;
2337 
2338 	BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2339 
2340 	/* This may be NULL if there's an unexpected disconnection */
2341 	if (!conn)
2342 		return 1;
2343 
2344 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2345 		return 1;
2346 
2347 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2348 		return 1;
2349 
2350 	if (sec_level > hcon->pending_sec_level)
2351 		hcon->pending_sec_level = sec_level;
2352 
2353 	if (hcon->role == HCI_ROLE_MASTER)
2354 		if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2355 			return 0;
2356 
2357 	chan = conn->smp;
2358 	if (!chan) {
2359 		bt_dev_err(hcon->hdev, "security requested but not available");
2360 		return 1;
2361 	}
2362 
2363 	l2cap_chan_lock(chan);
2364 
2365 	/* If SMP is already in progress ignore this request */
2366 	if (chan->data) {
2367 		ret = 0;
2368 		goto unlock;
2369 	}
2370 
2371 	smp = smp_chan_create(conn);
2372 	if (!smp) {
2373 		ret = 1;
2374 		goto unlock;
2375 	}
2376 
2377 	authreq = seclevel_to_authreq(sec_level);
2378 
2379 	if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2380 		authreq |= SMP_AUTH_SC;
2381 		if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2382 			authreq |= SMP_AUTH_CT2;
2383 	}
2384 
2385 	/* Require MITM if IO Capability allows or the security level
2386 	 * requires it.
2387 	 */
2388 	if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2389 	    hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2390 		authreq |= SMP_AUTH_MITM;
2391 
2392 	if (hcon->role == HCI_ROLE_MASTER) {
2393 		struct smp_cmd_pairing cp;
2394 
2395 		build_pairing_cmd(conn, &cp, NULL, authreq);
2396 		smp->preq[0] = SMP_CMD_PAIRING_REQ;
2397 		memcpy(&smp->preq[1], &cp, sizeof(cp));
2398 
2399 		smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2400 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2401 	} else {
2402 		struct smp_cmd_security_req cp;
2403 		cp.auth_req = authreq;
2404 		smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2405 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2406 	}
2407 
2408 	set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2409 	ret = 0;
2410 
2411 unlock:
2412 	l2cap_chan_unlock(chan);
2413 	return ret;
2414 }
2415 
2416 void smp_cancel_pairing(struct hci_conn *hcon)
2417 {
2418 	struct l2cap_conn *conn = hcon->l2cap_data;
2419 	struct l2cap_chan *chan;
2420 	struct smp_chan *smp;
2421 
2422 	if (!conn)
2423 		return;
2424 
2425 	chan = conn->smp;
2426 	if (!chan)
2427 		return;
2428 
2429 	l2cap_chan_lock(chan);
2430 
2431 	smp = chan->data;
2432 	if (smp) {
2433 		if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2434 			smp_failure(conn, 0);
2435 		else
2436 			smp_failure(conn, SMP_UNSPECIFIED);
2437 	}
2438 
2439 	l2cap_chan_unlock(chan);
2440 }
2441 
2442 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2443 {
2444 	struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2445 	struct l2cap_chan *chan = conn->smp;
2446 	struct smp_chan *smp = chan->data;
2447 
2448 	BT_DBG("conn %p", conn);
2449 
2450 	if (skb->len < sizeof(*rp))
2451 		return SMP_INVALID_PARAMS;
2452 
2453 	SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2454 
2455 	skb_pull(skb, sizeof(*rp));
2456 
2457 	memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2458 
2459 	return 0;
2460 }
2461 
2462 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2463 {
2464 	struct smp_cmd_master_ident *rp = (void *) skb->data;
2465 	struct l2cap_chan *chan = conn->smp;
2466 	struct smp_chan *smp = chan->data;
2467 	struct hci_dev *hdev = conn->hcon->hdev;
2468 	struct hci_conn *hcon = conn->hcon;
2469 	struct smp_ltk *ltk;
2470 	u8 authenticated;
2471 
2472 	BT_DBG("conn %p", conn);
2473 
2474 	if (skb->len < sizeof(*rp))
2475 		return SMP_INVALID_PARAMS;
2476 
2477 	/* Mark the information as received */
2478 	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2479 
2480 	if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2481 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2482 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
2483 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2484 
2485 	skb_pull(skb, sizeof(*rp));
2486 
2487 	authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2488 	ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2489 			  authenticated, smp->tk, smp->enc_key_size,
2490 			  rp->ediv, rp->rand);
2491 	smp->ltk = ltk;
2492 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2493 		smp_distribute_keys(smp);
2494 
2495 	return 0;
2496 }
2497 
2498 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2499 {
2500 	struct smp_cmd_ident_info *info = (void *) skb->data;
2501 	struct l2cap_chan *chan = conn->smp;
2502 	struct smp_chan *smp = chan->data;
2503 
2504 	BT_DBG("");
2505 
2506 	if (skb->len < sizeof(*info))
2507 		return SMP_INVALID_PARAMS;
2508 
2509 	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2510 
2511 	skb_pull(skb, sizeof(*info));
2512 
2513 	memcpy(smp->irk, info->irk, 16);
2514 
2515 	return 0;
2516 }
2517 
2518 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2519 				   struct sk_buff *skb)
2520 {
2521 	struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2522 	struct l2cap_chan *chan = conn->smp;
2523 	struct smp_chan *smp = chan->data;
2524 	struct hci_conn *hcon = conn->hcon;
2525 	bdaddr_t rpa;
2526 
2527 	BT_DBG("");
2528 
2529 	if (skb->len < sizeof(*info))
2530 		return SMP_INVALID_PARAMS;
2531 
2532 	/* Mark the information as received */
2533 	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2534 
2535 	if (smp->remote_key_dist & SMP_DIST_SIGN)
2536 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2537 
2538 	skb_pull(skb, sizeof(*info));
2539 
2540 	/* Strictly speaking the Core Specification (4.1) allows sending
2541 	 * an empty address which would force us to rely on just the IRK
2542 	 * as "identity information". However, since such
2543 	 * implementations are not known of and in order to not over
2544 	 * complicate our implementation, simply pretend that we never
2545 	 * received an IRK for such a device.
2546 	 *
2547 	 * The Identity Address must also be a Static Random or Public
2548 	 * Address, which hci_is_identity_address() checks for.
2549 	 */
2550 	if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2551 	    !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2552 		bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
2553 		goto distribute;
2554 	}
2555 
2556 	bacpy(&smp->id_addr, &info->bdaddr);
2557 	smp->id_addr_type = info->addr_type;
2558 
2559 	if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2560 		bacpy(&rpa, &hcon->dst);
2561 	else
2562 		bacpy(&rpa, BDADDR_ANY);
2563 
2564 	smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2565 				      smp->id_addr_type, smp->irk, &rpa);
2566 
2567 distribute:
2568 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2569 		smp_distribute_keys(smp);
2570 
2571 	return 0;
2572 }
2573 
2574 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2575 {
2576 	struct smp_cmd_sign_info *rp = (void *) skb->data;
2577 	struct l2cap_chan *chan = conn->smp;
2578 	struct smp_chan *smp = chan->data;
2579 	struct smp_csrk *csrk;
2580 
2581 	BT_DBG("conn %p", conn);
2582 
2583 	if (skb->len < sizeof(*rp))
2584 		return SMP_INVALID_PARAMS;
2585 
2586 	/* Mark the information as received */
2587 	smp->remote_key_dist &= ~SMP_DIST_SIGN;
2588 
2589 	skb_pull(skb, sizeof(*rp));
2590 
2591 	csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2592 	if (csrk) {
2593 		if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2594 			csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2595 		else
2596 			csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2597 		memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2598 	}
2599 	smp->csrk = csrk;
2600 	smp_distribute_keys(smp);
2601 
2602 	return 0;
2603 }
2604 
2605 static u8 sc_select_method(struct smp_chan *smp)
2606 {
2607 	struct l2cap_conn *conn = smp->conn;
2608 	struct hci_conn *hcon = conn->hcon;
2609 	struct smp_cmd_pairing *local, *remote;
2610 	u8 local_mitm, remote_mitm, local_io, remote_io, method;
2611 
2612 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2613 	    test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2614 		return REQ_OOB;
2615 
2616 	/* The preq/prsp contain the raw Pairing Request/Response PDUs
2617 	 * which are needed as inputs to some crypto functions. To get
2618 	 * the "struct smp_cmd_pairing" from them we need to skip the
2619 	 * first byte which contains the opcode.
2620 	 */
2621 	if (hcon->out) {
2622 		local = (void *) &smp->preq[1];
2623 		remote = (void *) &smp->prsp[1];
2624 	} else {
2625 		local = (void *) &smp->prsp[1];
2626 		remote = (void *) &smp->preq[1];
2627 	}
2628 
2629 	local_io = local->io_capability;
2630 	remote_io = remote->io_capability;
2631 
2632 	local_mitm = (local->auth_req & SMP_AUTH_MITM);
2633 	remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2634 
2635 	/* If either side wants MITM, look up the method from the table,
2636 	 * otherwise use JUST WORKS.
2637 	 */
2638 	if (local_mitm || remote_mitm)
2639 		method = get_auth_method(smp, local_io, remote_io);
2640 	else
2641 		method = JUST_WORKS;
2642 
2643 	/* Don't confirm locally initiated pairing attempts */
2644 	if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2645 		method = JUST_WORKS;
2646 
2647 	return method;
2648 }
2649 
2650 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2651 {
2652 	struct smp_cmd_public_key *key = (void *) skb->data;
2653 	struct hci_conn *hcon = conn->hcon;
2654 	struct l2cap_chan *chan = conn->smp;
2655 	struct smp_chan *smp = chan->data;
2656 	struct hci_dev *hdev = hcon->hdev;
2657 	struct crypto_kpp *tfm_ecdh;
2658 	struct smp_cmd_pairing_confirm cfm;
2659 	int err;
2660 
2661 	BT_DBG("conn %p", conn);
2662 
2663 	if (skb->len < sizeof(*key))
2664 		return SMP_INVALID_PARAMS;
2665 
2666 	memcpy(smp->remote_pk, key, 64);
2667 
2668 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2669 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2670 			     smp->rr, 0, cfm.confirm_val);
2671 		if (err)
2672 			return SMP_UNSPECIFIED;
2673 
2674 		if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2675 			return SMP_CONFIRM_FAILED;
2676 	}
2677 
2678 	/* Non-initiating device sends its public key after receiving
2679 	 * the key from the initiating device.
2680 	 */
2681 	if (!hcon->out) {
2682 		err = sc_send_public_key(smp);
2683 		if (err)
2684 			return err;
2685 	}
2686 
2687 	SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2688 	SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2689 
2690 	/* Compute the shared secret on the same crypto tfm on which the private
2691 	 * key was set/generated.
2692 	 */
2693 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
2694 		struct smp_dev *smp_dev = chan->data;
2695 
2696 		tfm_ecdh = smp_dev->tfm_ecdh;
2697 	} else {
2698 		tfm_ecdh = smp->tfm_ecdh;
2699 	}
2700 
2701 	if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
2702 		return SMP_UNSPECIFIED;
2703 
2704 	SMP_DBG("DHKey %32phN", smp->dhkey);
2705 
2706 	set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2707 
2708 	smp->method = sc_select_method(smp);
2709 
2710 	BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2711 
2712 	/* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2713 	if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2714 		hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2715 	else
2716 		hcon->pending_sec_level = BT_SECURITY_FIPS;
2717 
2718 	if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2719 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2720 
2721 	if (smp->method == DSP_PASSKEY) {
2722 		get_random_bytes(&hcon->passkey_notify,
2723 				 sizeof(hcon->passkey_notify));
2724 		hcon->passkey_notify %= 1000000;
2725 		hcon->passkey_entered = 0;
2726 		smp->passkey_round = 0;
2727 		if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2728 					     hcon->dst_type,
2729 					     hcon->passkey_notify,
2730 					     hcon->passkey_entered))
2731 			return SMP_UNSPECIFIED;
2732 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2733 		return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2734 	}
2735 
2736 	if (smp->method == REQ_OOB) {
2737 		if (hcon->out)
2738 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2739 				     sizeof(smp->prnd), smp->prnd);
2740 
2741 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2742 
2743 		return 0;
2744 	}
2745 
2746 	if (hcon->out)
2747 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2748 
2749 	if (smp->method == REQ_PASSKEY) {
2750 		if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2751 					      hcon->dst_type))
2752 			return SMP_UNSPECIFIED;
2753 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2754 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2755 		return 0;
2756 	}
2757 
2758 	/* The Initiating device waits for the non-initiating device to
2759 	 * send the confirm value.
2760 	 */
2761 	if (conn->hcon->out)
2762 		return 0;
2763 
2764 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2765 		     0, cfm.confirm_val);
2766 	if (err)
2767 		return SMP_UNSPECIFIED;
2768 
2769 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2770 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2771 
2772 	return 0;
2773 }
2774 
2775 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2776 {
2777 	struct smp_cmd_dhkey_check *check = (void *) skb->data;
2778 	struct l2cap_chan *chan = conn->smp;
2779 	struct hci_conn *hcon = conn->hcon;
2780 	struct smp_chan *smp = chan->data;
2781 	u8 a[7], b[7], *local_addr, *remote_addr;
2782 	u8 io_cap[3], r[16], e[16];
2783 	int err;
2784 
2785 	BT_DBG("conn %p", conn);
2786 
2787 	if (skb->len < sizeof(*check))
2788 		return SMP_INVALID_PARAMS;
2789 
2790 	memcpy(a, &hcon->init_addr, 6);
2791 	memcpy(b, &hcon->resp_addr, 6);
2792 	a[6] = hcon->init_addr_type;
2793 	b[6] = hcon->resp_addr_type;
2794 
2795 	if (hcon->out) {
2796 		local_addr = a;
2797 		remote_addr = b;
2798 		memcpy(io_cap, &smp->prsp[1], 3);
2799 	} else {
2800 		local_addr = b;
2801 		remote_addr = a;
2802 		memcpy(io_cap, &smp->preq[1], 3);
2803 	}
2804 
2805 	memset(r, 0, sizeof(r));
2806 
2807 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2808 		put_unaligned_le32(hcon->passkey_notify, r);
2809 	else if (smp->method == REQ_OOB)
2810 		memcpy(r, smp->lr, 16);
2811 
2812 	err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2813 		     io_cap, remote_addr, local_addr, e);
2814 	if (err)
2815 		return SMP_UNSPECIFIED;
2816 
2817 	if (crypto_memneq(check->e, e, 16))
2818 		return SMP_DHKEY_CHECK_FAILED;
2819 
2820 	if (!hcon->out) {
2821 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2822 			set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2823 			return 0;
2824 		}
2825 
2826 		/* Slave sends DHKey check as response to master */
2827 		sc_dhkey_check(smp);
2828 	}
2829 
2830 	sc_add_ltk(smp);
2831 
2832 	if (hcon->out) {
2833 		hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2834 		hcon->enc_key_size = smp->enc_key_size;
2835 	}
2836 
2837 	return 0;
2838 }
2839 
2840 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2841 				   struct sk_buff *skb)
2842 {
2843 	struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2844 
2845 	BT_DBG("value 0x%02x", kp->value);
2846 
2847 	return 0;
2848 }
2849 
2850 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2851 {
2852 	struct l2cap_conn *conn = chan->conn;
2853 	struct hci_conn *hcon = conn->hcon;
2854 	struct smp_chan *smp;
2855 	__u8 code, reason;
2856 	int err = 0;
2857 
2858 	if (skb->len < 1)
2859 		return -EILSEQ;
2860 
2861 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2862 		reason = SMP_PAIRING_NOTSUPP;
2863 		goto done;
2864 	}
2865 
2866 	code = skb->data[0];
2867 	skb_pull(skb, sizeof(code));
2868 
2869 	smp = chan->data;
2870 
2871 	if (code > SMP_CMD_MAX)
2872 		goto drop;
2873 
2874 	if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2875 		goto drop;
2876 
2877 	/* If we don't have a context the only allowed commands are
2878 	 * pairing request and security request.
2879 	 */
2880 	if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2881 		goto drop;
2882 
2883 	switch (code) {
2884 	case SMP_CMD_PAIRING_REQ:
2885 		reason = smp_cmd_pairing_req(conn, skb);
2886 		break;
2887 
2888 	case SMP_CMD_PAIRING_FAIL:
2889 		smp_failure(conn, 0);
2890 		err = -EPERM;
2891 		break;
2892 
2893 	case SMP_CMD_PAIRING_RSP:
2894 		reason = smp_cmd_pairing_rsp(conn, skb);
2895 		break;
2896 
2897 	case SMP_CMD_SECURITY_REQ:
2898 		reason = smp_cmd_security_req(conn, skb);
2899 		break;
2900 
2901 	case SMP_CMD_PAIRING_CONFIRM:
2902 		reason = smp_cmd_pairing_confirm(conn, skb);
2903 		break;
2904 
2905 	case SMP_CMD_PAIRING_RANDOM:
2906 		reason = smp_cmd_pairing_random(conn, skb);
2907 		break;
2908 
2909 	case SMP_CMD_ENCRYPT_INFO:
2910 		reason = smp_cmd_encrypt_info(conn, skb);
2911 		break;
2912 
2913 	case SMP_CMD_MASTER_IDENT:
2914 		reason = smp_cmd_master_ident(conn, skb);
2915 		break;
2916 
2917 	case SMP_CMD_IDENT_INFO:
2918 		reason = smp_cmd_ident_info(conn, skb);
2919 		break;
2920 
2921 	case SMP_CMD_IDENT_ADDR_INFO:
2922 		reason = smp_cmd_ident_addr_info(conn, skb);
2923 		break;
2924 
2925 	case SMP_CMD_SIGN_INFO:
2926 		reason = smp_cmd_sign_info(conn, skb);
2927 		break;
2928 
2929 	case SMP_CMD_PUBLIC_KEY:
2930 		reason = smp_cmd_public_key(conn, skb);
2931 		break;
2932 
2933 	case SMP_CMD_DHKEY_CHECK:
2934 		reason = smp_cmd_dhkey_check(conn, skb);
2935 		break;
2936 
2937 	case SMP_CMD_KEYPRESS_NOTIFY:
2938 		reason = smp_cmd_keypress_notify(conn, skb);
2939 		break;
2940 
2941 	default:
2942 		BT_DBG("Unknown command code 0x%2.2x", code);
2943 		reason = SMP_CMD_NOTSUPP;
2944 		goto done;
2945 	}
2946 
2947 done:
2948 	if (!err) {
2949 		if (reason)
2950 			smp_failure(conn, reason);
2951 		kfree_skb(skb);
2952 	}
2953 
2954 	return err;
2955 
2956 drop:
2957 	bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
2958 		   code, &hcon->dst);
2959 	kfree_skb(skb);
2960 	return 0;
2961 }
2962 
2963 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2964 {
2965 	struct l2cap_conn *conn = chan->conn;
2966 
2967 	BT_DBG("chan %p", chan);
2968 
2969 	if (chan->data)
2970 		smp_chan_destroy(conn);
2971 
2972 	conn->smp = NULL;
2973 	l2cap_chan_put(chan);
2974 }
2975 
2976 static void bredr_pairing(struct l2cap_chan *chan)
2977 {
2978 	struct l2cap_conn *conn = chan->conn;
2979 	struct hci_conn *hcon = conn->hcon;
2980 	struct hci_dev *hdev = hcon->hdev;
2981 	struct smp_cmd_pairing req;
2982 	struct smp_chan *smp;
2983 
2984 	BT_DBG("chan %p", chan);
2985 
2986 	/* Only new pairings are interesting */
2987 	if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2988 		return;
2989 
2990 	/* Don't bother if we're not encrypted */
2991 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2992 		return;
2993 
2994 	/* Only master may initiate SMP over BR/EDR */
2995 	if (hcon->role != HCI_ROLE_MASTER)
2996 		return;
2997 
2998 	/* Secure Connections support must be enabled */
2999 	if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
3000 		return;
3001 
3002 	/* BR/EDR must use Secure Connections for SMP */
3003 	if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
3004 	    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3005 		return;
3006 
3007 	/* If our LE support is not enabled don't do anything */
3008 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3009 		return;
3010 
3011 	/* Don't bother if remote LE support is not enabled */
3012 	if (!lmp_host_le_capable(hcon))
3013 		return;
3014 
3015 	/* Remote must support SMP fixed chan for BR/EDR */
3016 	if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3017 		return;
3018 
3019 	/* Don't bother if SMP is already ongoing */
3020 	if (chan->data)
3021 		return;
3022 
3023 	smp = smp_chan_create(conn);
3024 	if (!smp) {
3025 		bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
3026 		return;
3027 	}
3028 
3029 	set_bit(SMP_FLAG_SC, &smp->flags);
3030 
3031 	BT_DBG("%s starting SMP over BR/EDR", hdev->name);
3032 
3033 	/* Prepare and send the BR/EDR SMP Pairing Request */
3034 	build_bredr_pairing_cmd(smp, &req, NULL);
3035 
3036 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
3037 	memcpy(&smp->preq[1], &req, sizeof(req));
3038 
3039 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3040 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3041 }
3042 
3043 static void smp_resume_cb(struct l2cap_chan *chan)
3044 {
3045 	struct smp_chan *smp = chan->data;
3046 	struct l2cap_conn *conn = chan->conn;
3047 	struct hci_conn *hcon = conn->hcon;
3048 
3049 	BT_DBG("chan %p", chan);
3050 
3051 	if (hcon->type == ACL_LINK) {
3052 		bredr_pairing(chan);
3053 		return;
3054 	}
3055 
3056 	if (!smp)
3057 		return;
3058 
3059 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3060 		return;
3061 
3062 	cancel_delayed_work(&smp->security_timer);
3063 
3064 	smp_distribute_keys(smp);
3065 }
3066 
3067 static void smp_ready_cb(struct l2cap_chan *chan)
3068 {
3069 	struct l2cap_conn *conn = chan->conn;
3070 	struct hci_conn *hcon = conn->hcon;
3071 
3072 	BT_DBG("chan %p", chan);
3073 
3074 	/* No need to call l2cap_chan_hold() here since we already own
3075 	 * the reference taken in smp_new_conn_cb(). This is just the
3076 	 * first time that we tie it to a specific pointer. The code in
3077 	 * l2cap_core.c ensures that there's no risk this function wont
3078 	 * get called if smp_new_conn_cb was previously called.
3079 	 */
3080 	conn->smp = chan;
3081 
3082 	if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3083 		bredr_pairing(chan);
3084 }
3085 
3086 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3087 {
3088 	int err;
3089 
3090 	BT_DBG("chan %p", chan);
3091 
3092 	err = smp_sig_channel(chan, skb);
3093 	if (err) {
3094 		struct smp_chan *smp = chan->data;
3095 
3096 		if (smp)
3097 			cancel_delayed_work_sync(&smp->security_timer);
3098 
3099 		hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3100 	}
3101 
3102 	return err;
3103 }
3104 
3105 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3106 					unsigned long hdr_len,
3107 					unsigned long len, int nb)
3108 {
3109 	struct sk_buff *skb;
3110 
3111 	skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3112 	if (!skb)
3113 		return ERR_PTR(-ENOMEM);
3114 
3115 	skb->priority = HCI_PRIO_MAX;
3116 	bt_cb(skb)->l2cap.chan = chan;
3117 
3118 	return skb;
3119 }
3120 
3121 static const struct l2cap_ops smp_chan_ops = {
3122 	.name			= "Security Manager",
3123 	.ready			= smp_ready_cb,
3124 	.recv			= smp_recv_cb,
3125 	.alloc_skb		= smp_alloc_skb_cb,
3126 	.teardown		= smp_teardown_cb,
3127 	.resume			= smp_resume_cb,
3128 
3129 	.new_connection		= l2cap_chan_no_new_connection,
3130 	.state_change		= l2cap_chan_no_state_change,
3131 	.close			= l2cap_chan_no_close,
3132 	.defer			= l2cap_chan_no_defer,
3133 	.suspend		= l2cap_chan_no_suspend,
3134 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3135 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3136 };
3137 
3138 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3139 {
3140 	struct l2cap_chan *chan;
3141 
3142 	BT_DBG("pchan %p", pchan);
3143 
3144 	chan = l2cap_chan_create();
3145 	if (!chan)
3146 		return NULL;
3147 
3148 	chan->chan_type	= pchan->chan_type;
3149 	chan->ops	= &smp_chan_ops;
3150 	chan->scid	= pchan->scid;
3151 	chan->dcid	= chan->scid;
3152 	chan->imtu	= pchan->imtu;
3153 	chan->omtu	= pchan->omtu;
3154 	chan->mode	= pchan->mode;
3155 
3156 	/* Other L2CAP channels may request SMP routines in order to
3157 	 * change the security level. This means that the SMP channel
3158 	 * lock must be considered in its own category to avoid lockdep
3159 	 * warnings.
3160 	 */
3161 	atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3162 
3163 	BT_DBG("created chan %p", chan);
3164 
3165 	return chan;
3166 }
3167 
3168 static const struct l2cap_ops smp_root_chan_ops = {
3169 	.name			= "Security Manager Root",
3170 	.new_connection		= smp_new_conn_cb,
3171 
3172 	/* None of these are implemented for the root channel */
3173 	.close			= l2cap_chan_no_close,
3174 	.alloc_skb		= l2cap_chan_no_alloc_skb,
3175 	.recv			= l2cap_chan_no_recv,
3176 	.state_change		= l2cap_chan_no_state_change,
3177 	.teardown		= l2cap_chan_no_teardown,
3178 	.ready			= l2cap_chan_no_ready,
3179 	.defer			= l2cap_chan_no_defer,
3180 	.suspend		= l2cap_chan_no_suspend,
3181 	.resume			= l2cap_chan_no_resume,
3182 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3183 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3184 };
3185 
3186 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3187 {
3188 	struct l2cap_chan *chan;
3189 	struct smp_dev *smp;
3190 	struct crypto_cipher *tfm_aes;
3191 	struct crypto_shash *tfm_cmac;
3192 	struct crypto_kpp *tfm_ecdh;
3193 
3194 	if (cid == L2CAP_CID_SMP_BREDR) {
3195 		smp = NULL;
3196 		goto create_chan;
3197 	}
3198 
3199 	smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3200 	if (!smp)
3201 		return ERR_PTR(-ENOMEM);
3202 
3203 	tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
3204 	if (IS_ERR(tfm_aes)) {
3205 		BT_ERR("Unable to create AES crypto context");
3206 		kzfree(smp);
3207 		return ERR_CAST(tfm_aes);
3208 	}
3209 
3210 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3211 	if (IS_ERR(tfm_cmac)) {
3212 		BT_ERR("Unable to create CMAC crypto context");
3213 		crypto_free_cipher(tfm_aes);
3214 		kzfree(smp);
3215 		return ERR_CAST(tfm_cmac);
3216 	}
3217 
3218 	tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
3219 	if (IS_ERR(tfm_ecdh)) {
3220 		BT_ERR("Unable to create ECDH crypto context");
3221 		crypto_free_shash(tfm_cmac);
3222 		crypto_free_cipher(tfm_aes);
3223 		kzfree(smp);
3224 		return ERR_CAST(tfm_ecdh);
3225 	}
3226 
3227 	smp->tfm_aes = tfm_aes;
3228 	smp->tfm_cmac = tfm_cmac;
3229 	smp->tfm_ecdh = tfm_ecdh;
3230 	smp->min_key_size = SMP_MIN_ENC_KEY_SIZE;
3231 	smp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
3232 
3233 create_chan:
3234 	chan = l2cap_chan_create();
3235 	if (!chan) {
3236 		if (smp) {
3237 			crypto_free_cipher(smp->tfm_aes);
3238 			crypto_free_shash(smp->tfm_cmac);
3239 			crypto_free_kpp(smp->tfm_ecdh);
3240 			kzfree(smp);
3241 		}
3242 		return ERR_PTR(-ENOMEM);
3243 	}
3244 
3245 	chan->data = smp;
3246 
3247 	l2cap_add_scid(chan, cid);
3248 
3249 	l2cap_chan_set_defaults(chan);
3250 
3251 	if (cid == L2CAP_CID_SMP) {
3252 		u8 bdaddr_type;
3253 
3254 		hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3255 
3256 		if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3257 			chan->src_type = BDADDR_LE_PUBLIC;
3258 		else
3259 			chan->src_type = BDADDR_LE_RANDOM;
3260 	} else {
3261 		bacpy(&chan->src, &hdev->bdaddr);
3262 		chan->src_type = BDADDR_BREDR;
3263 	}
3264 
3265 	chan->state = BT_LISTEN;
3266 	chan->mode = L2CAP_MODE_BASIC;
3267 	chan->imtu = L2CAP_DEFAULT_MTU;
3268 	chan->ops = &smp_root_chan_ops;
3269 
3270 	/* Set correct nesting level for a parent/listening channel */
3271 	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3272 
3273 	return chan;
3274 }
3275 
3276 static void smp_del_chan(struct l2cap_chan *chan)
3277 {
3278 	struct smp_dev *smp;
3279 
3280 	BT_DBG("chan %p", chan);
3281 
3282 	smp = chan->data;
3283 	if (smp) {
3284 		chan->data = NULL;
3285 		crypto_free_cipher(smp->tfm_aes);
3286 		crypto_free_shash(smp->tfm_cmac);
3287 		crypto_free_kpp(smp->tfm_ecdh);
3288 		kzfree(smp);
3289 	}
3290 
3291 	l2cap_chan_put(chan);
3292 }
3293 
3294 static ssize_t force_bredr_smp_read(struct file *file,
3295 				    char __user *user_buf,
3296 				    size_t count, loff_t *ppos)
3297 {
3298 	struct hci_dev *hdev = file->private_data;
3299 	char buf[3];
3300 
3301 	buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3302 	buf[1] = '\n';
3303 	buf[2] = '\0';
3304 	return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3305 }
3306 
3307 static ssize_t force_bredr_smp_write(struct file *file,
3308 				     const char __user *user_buf,
3309 				     size_t count, loff_t *ppos)
3310 {
3311 	struct hci_dev *hdev = file->private_data;
3312 	char buf[32];
3313 	size_t buf_size = min(count, (sizeof(buf)-1));
3314 	bool enable;
3315 
3316 	if (copy_from_user(buf, user_buf, buf_size))
3317 		return -EFAULT;
3318 
3319 	buf[buf_size] = '\0';
3320 	if (strtobool(buf, &enable))
3321 		return -EINVAL;
3322 
3323 	if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3324 		return -EALREADY;
3325 
3326 	if (enable) {
3327 		struct l2cap_chan *chan;
3328 
3329 		chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3330 		if (IS_ERR(chan))
3331 			return PTR_ERR(chan);
3332 
3333 		hdev->smp_bredr_data = chan;
3334 	} else {
3335 		struct l2cap_chan *chan;
3336 
3337 		chan = hdev->smp_bredr_data;
3338 		hdev->smp_bredr_data = NULL;
3339 		smp_del_chan(chan);
3340 	}
3341 
3342 	hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3343 
3344 	return count;
3345 }
3346 
3347 static const struct file_operations force_bredr_smp_fops = {
3348 	.open		= simple_open,
3349 	.read		= force_bredr_smp_read,
3350 	.write		= force_bredr_smp_write,
3351 	.llseek		= default_llseek,
3352 };
3353 
3354 static ssize_t le_min_key_size_read(struct file *file,
3355 				     char __user *user_buf,
3356 				     size_t count, loff_t *ppos)
3357 {
3358 	struct hci_dev *hdev = file->private_data;
3359 	char buf[4];
3360 
3361 	snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->min_key_size);
3362 
3363 	return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3364 }
3365 
3366 static ssize_t le_min_key_size_write(struct file *file,
3367 				      const char __user *user_buf,
3368 				      size_t count, loff_t *ppos)
3369 {
3370 	struct hci_dev *hdev = file->private_data;
3371 	char buf[32];
3372 	size_t buf_size = min(count, (sizeof(buf) - 1));
3373 	u8 key_size;
3374 
3375 	if (copy_from_user(buf, user_buf, buf_size))
3376 		return -EFAULT;
3377 
3378 	buf[buf_size] = '\0';
3379 
3380 	sscanf(buf, "%hhu", &key_size);
3381 
3382 	if (key_size > SMP_DEV(hdev)->max_key_size ||
3383 	    key_size < SMP_MIN_ENC_KEY_SIZE)
3384 		return -EINVAL;
3385 
3386 	SMP_DEV(hdev)->min_key_size = key_size;
3387 
3388 	return count;
3389 }
3390 
3391 static const struct file_operations le_min_key_size_fops = {
3392 	.open		= simple_open,
3393 	.read		= le_min_key_size_read,
3394 	.write		= le_min_key_size_write,
3395 	.llseek		= default_llseek,
3396 };
3397 
3398 static ssize_t le_max_key_size_read(struct file *file,
3399 				     char __user *user_buf,
3400 				     size_t count, loff_t *ppos)
3401 {
3402 	struct hci_dev *hdev = file->private_data;
3403 	char buf[4];
3404 
3405 	snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->max_key_size);
3406 
3407 	return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3408 }
3409 
3410 static ssize_t le_max_key_size_write(struct file *file,
3411 				      const char __user *user_buf,
3412 				      size_t count, loff_t *ppos)
3413 {
3414 	struct hci_dev *hdev = file->private_data;
3415 	char buf[32];
3416 	size_t buf_size = min(count, (sizeof(buf) - 1));
3417 	u8 key_size;
3418 
3419 	if (copy_from_user(buf, user_buf, buf_size))
3420 		return -EFAULT;
3421 
3422 	buf[buf_size] = '\0';
3423 
3424 	sscanf(buf, "%hhu", &key_size);
3425 
3426 	if (key_size > SMP_MAX_ENC_KEY_SIZE ||
3427 	    key_size < SMP_DEV(hdev)->min_key_size)
3428 		return -EINVAL;
3429 
3430 	SMP_DEV(hdev)->max_key_size = key_size;
3431 
3432 	return count;
3433 }
3434 
3435 static const struct file_operations le_max_key_size_fops = {
3436 	.open		= simple_open,
3437 	.read		= le_max_key_size_read,
3438 	.write		= le_max_key_size_write,
3439 	.llseek		= default_llseek,
3440 };
3441 
3442 int smp_register(struct hci_dev *hdev)
3443 {
3444 	struct l2cap_chan *chan;
3445 
3446 	BT_DBG("%s", hdev->name);
3447 
3448 	/* If the controller does not support Low Energy operation, then
3449 	 * there is also no need to register any SMP channel.
3450 	 */
3451 	if (!lmp_le_capable(hdev))
3452 		return 0;
3453 
3454 	if (WARN_ON(hdev->smp_data)) {
3455 		chan = hdev->smp_data;
3456 		hdev->smp_data = NULL;
3457 		smp_del_chan(chan);
3458 	}
3459 
3460 	chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3461 	if (IS_ERR(chan))
3462 		return PTR_ERR(chan);
3463 
3464 	hdev->smp_data = chan;
3465 
3466 	debugfs_create_file("le_min_key_size", 0644, hdev->debugfs, hdev,
3467 			    &le_min_key_size_fops);
3468 	debugfs_create_file("le_max_key_size", 0644, hdev->debugfs, hdev,
3469 			    &le_max_key_size_fops);
3470 
3471 	/* If the controller does not support BR/EDR Secure Connections
3472 	 * feature, then the BR/EDR SMP channel shall not be present.
3473 	 *
3474 	 * To test this with Bluetooth 4.0 controllers, create a debugfs
3475 	 * switch that allows forcing BR/EDR SMP support and accepting
3476 	 * cross-transport pairing on non-AES encrypted connections.
3477 	 */
3478 	if (!lmp_sc_capable(hdev)) {
3479 		debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3480 				    hdev, &force_bredr_smp_fops);
3481 
3482 		/* Flag can be already set here (due to power toggle) */
3483 		if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3484 			return 0;
3485 	}
3486 
3487 	if (WARN_ON(hdev->smp_bredr_data)) {
3488 		chan = hdev->smp_bredr_data;
3489 		hdev->smp_bredr_data = NULL;
3490 		smp_del_chan(chan);
3491 	}
3492 
3493 	chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3494 	if (IS_ERR(chan)) {
3495 		int err = PTR_ERR(chan);
3496 		chan = hdev->smp_data;
3497 		hdev->smp_data = NULL;
3498 		smp_del_chan(chan);
3499 		return err;
3500 	}
3501 
3502 	hdev->smp_bredr_data = chan;
3503 
3504 	return 0;
3505 }
3506 
3507 void smp_unregister(struct hci_dev *hdev)
3508 {
3509 	struct l2cap_chan *chan;
3510 
3511 	if (hdev->smp_bredr_data) {
3512 		chan = hdev->smp_bredr_data;
3513 		hdev->smp_bredr_data = NULL;
3514 		smp_del_chan(chan);
3515 	}
3516 
3517 	if (hdev->smp_data) {
3518 		chan = hdev->smp_data;
3519 		hdev->smp_data = NULL;
3520 		smp_del_chan(chan);
3521 	}
3522 }
3523 
3524 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3525 
3526 static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
3527 {
3528 	u8 pk[64];
3529 	int err;
3530 
3531 	err = set_ecdh_privkey(tfm_ecdh, debug_sk);
3532 	if (err)
3533 		return err;
3534 
3535 	err = generate_ecdh_public_key(tfm_ecdh, pk);
3536 	if (err)
3537 		return err;
3538 
3539 	if (crypto_memneq(pk, debug_pk, 64))
3540 		return -EINVAL;
3541 
3542 	return 0;
3543 }
3544 
3545 static int __init test_ah(struct crypto_cipher *tfm_aes)
3546 {
3547 	const u8 irk[16] = {
3548 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3549 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3550 	const u8 r[3] = { 0x94, 0x81, 0x70 };
3551 	const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3552 	u8 res[3];
3553 	int err;
3554 
3555 	err = smp_ah(tfm_aes, irk, r, res);
3556 	if (err)
3557 		return err;
3558 
3559 	if (crypto_memneq(res, exp, 3))
3560 		return -EINVAL;
3561 
3562 	return 0;
3563 }
3564 
3565 static int __init test_c1(struct crypto_cipher *tfm_aes)
3566 {
3567 	const u8 k[16] = {
3568 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3569 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3570 	const u8 r[16] = {
3571 			0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3572 			0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3573 	const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3574 	const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3575 	const u8 _iat = 0x01;
3576 	const u8 _rat = 0x00;
3577 	const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3578 	const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3579 	const u8 exp[16] = {
3580 			0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3581 			0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3582 	u8 res[16];
3583 	int err;
3584 
3585 	err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3586 	if (err)
3587 		return err;
3588 
3589 	if (crypto_memneq(res, exp, 16))
3590 		return -EINVAL;
3591 
3592 	return 0;
3593 }
3594 
3595 static int __init test_s1(struct crypto_cipher *tfm_aes)
3596 {
3597 	const u8 k[16] = {
3598 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3599 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3600 	const u8 r1[16] = {
3601 			0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3602 	const u8 r2[16] = {
3603 			0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3604 	const u8 exp[16] = {
3605 			0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3606 			0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3607 	u8 res[16];
3608 	int err;
3609 
3610 	err = smp_s1(tfm_aes, k, r1, r2, res);
3611 	if (err)
3612 		return err;
3613 
3614 	if (crypto_memneq(res, exp, 16))
3615 		return -EINVAL;
3616 
3617 	return 0;
3618 }
3619 
3620 static int __init test_f4(struct crypto_shash *tfm_cmac)
3621 {
3622 	const u8 u[32] = {
3623 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3624 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3625 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3626 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3627 	const u8 v[32] = {
3628 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3629 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3630 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3631 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3632 	const u8 x[16] = {
3633 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3634 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3635 	const u8 z = 0x00;
3636 	const u8 exp[16] = {
3637 			0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3638 			0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3639 	u8 res[16];
3640 	int err;
3641 
3642 	err = smp_f4(tfm_cmac, u, v, x, z, res);
3643 	if (err)
3644 		return err;
3645 
3646 	if (crypto_memneq(res, exp, 16))
3647 		return -EINVAL;
3648 
3649 	return 0;
3650 }
3651 
3652 static int __init test_f5(struct crypto_shash *tfm_cmac)
3653 {
3654 	const u8 w[32] = {
3655 			0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3656 			0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3657 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3658 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3659 	const u8 n1[16] = {
3660 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3661 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3662 	const u8 n2[16] = {
3663 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3664 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3665 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3666 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3667 	const u8 exp_ltk[16] = {
3668 			0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3669 			0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3670 	const u8 exp_mackey[16] = {
3671 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3672 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3673 	u8 mackey[16], ltk[16];
3674 	int err;
3675 
3676 	err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3677 	if (err)
3678 		return err;
3679 
3680 	if (crypto_memneq(mackey, exp_mackey, 16))
3681 		return -EINVAL;
3682 
3683 	if (crypto_memneq(ltk, exp_ltk, 16))
3684 		return -EINVAL;
3685 
3686 	return 0;
3687 }
3688 
3689 static int __init test_f6(struct crypto_shash *tfm_cmac)
3690 {
3691 	const u8 w[16] = {
3692 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3693 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3694 	const u8 n1[16] = {
3695 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3696 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3697 	const u8 n2[16] = {
3698 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3699 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3700 	const u8 r[16] = {
3701 			0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3702 			0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3703 	const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3704 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3705 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3706 	const u8 exp[16] = {
3707 			0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3708 			0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3709 	u8 res[16];
3710 	int err;
3711 
3712 	err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3713 	if (err)
3714 		return err;
3715 
3716 	if (crypto_memneq(res, exp, 16))
3717 		return -EINVAL;
3718 
3719 	return 0;
3720 }
3721 
3722 static int __init test_g2(struct crypto_shash *tfm_cmac)
3723 {
3724 	const u8 u[32] = {
3725 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3726 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3727 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3728 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3729 	const u8 v[32] = {
3730 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3731 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3732 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3733 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3734 	const u8 x[16] = {
3735 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3736 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3737 	const u8 y[16] = {
3738 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3739 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3740 	const u32 exp_val = 0x2f9ed5ba % 1000000;
3741 	u32 val;
3742 	int err;
3743 
3744 	err = smp_g2(tfm_cmac, u, v, x, y, &val);
3745 	if (err)
3746 		return err;
3747 
3748 	if (val != exp_val)
3749 		return -EINVAL;
3750 
3751 	return 0;
3752 }
3753 
3754 static int __init test_h6(struct crypto_shash *tfm_cmac)
3755 {
3756 	const u8 w[16] = {
3757 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3758 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3759 	const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3760 	const u8 exp[16] = {
3761 			0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3762 			0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3763 	u8 res[16];
3764 	int err;
3765 
3766 	err = smp_h6(tfm_cmac, w, key_id, res);
3767 	if (err)
3768 		return err;
3769 
3770 	if (crypto_memneq(res, exp, 16))
3771 		return -EINVAL;
3772 
3773 	return 0;
3774 }
3775 
3776 static char test_smp_buffer[32];
3777 
3778 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3779 			     size_t count, loff_t *ppos)
3780 {
3781 	return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3782 				       strlen(test_smp_buffer));
3783 }
3784 
3785 static const struct file_operations test_smp_fops = {
3786 	.open		= simple_open,
3787 	.read		= test_smp_read,
3788 	.llseek		= default_llseek,
3789 };
3790 
3791 static int __init run_selftests(struct crypto_cipher *tfm_aes,
3792 				struct crypto_shash *tfm_cmac,
3793 				struct crypto_kpp *tfm_ecdh)
3794 {
3795 	ktime_t calltime, delta, rettime;
3796 	unsigned long long duration;
3797 	int err;
3798 
3799 	calltime = ktime_get();
3800 
3801 	err = test_debug_key(tfm_ecdh);
3802 	if (err) {
3803 		BT_ERR("debug_key test failed");
3804 		goto done;
3805 	}
3806 
3807 	err = test_ah(tfm_aes);
3808 	if (err) {
3809 		BT_ERR("smp_ah test failed");
3810 		goto done;
3811 	}
3812 
3813 	err = test_c1(tfm_aes);
3814 	if (err) {
3815 		BT_ERR("smp_c1 test failed");
3816 		goto done;
3817 	}
3818 
3819 	err = test_s1(tfm_aes);
3820 	if (err) {
3821 		BT_ERR("smp_s1 test failed");
3822 		goto done;
3823 	}
3824 
3825 	err = test_f4(tfm_cmac);
3826 	if (err) {
3827 		BT_ERR("smp_f4 test failed");
3828 		goto done;
3829 	}
3830 
3831 	err = test_f5(tfm_cmac);
3832 	if (err) {
3833 		BT_ERR("smp_f5 test failed");
3834 		goto done;
3835 	}
3836 
3837 	err = test_f6(tfm_cmac);
3838 	if (err) {
3839 		BT_ERR("smp_f6 test failed");
3840 		goto done;
3841 	}
3842 
3843 	err = test_g2(tfm_cmac);
3844 	if (err) {
3845 		BT_ERR("smp_g2 test failed");
3846 		goto done;
3847 	}
3848 
3849 	err = test_h6(tfm_cmac);
3850 	if (err) {
3851 		BT_ERR("smp_h6 test failed");
3852 		goto done;
3853 	}
3854 
3855 	rettime = ktime_get();
3856 	delta = ktime_sub(rettime, calltime);
3857 	duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3858 
3859 	BT_INFO("SMP test passed in %llu usecs", duration);
3860 
3861 done:
3862 	if (!err)
3863 		snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3864 			 "PASS (%llu usecs)\n", duration);
3865 	else
3866 		snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3867 
3868 	debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3869 			    &test_smp_fops);
3870 
3871 	return err;
3872 }
3873 
3874 int __init bt_selftest_smp(void)
3875 {
3876 	struct crypto_cipher *tfm_aes;
3877 	struct crypto_shash *tfm_cmac;
3878 	struct crypto_kpp *tfm_ecdh;
3879 	int err;
3880 
3881 	tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
3882 	if (IS_ERR(tfm_aes)) {
3883 		BT_ERR("Unable to create AES crypto context");
3884 		return PTR_ERR(tfm_aes);
3885 	}
3886 
3887 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3888 	if (IS_ERR(tfm_cmac)) {
3889 		BT_ERR("Unable to create CMAC crypto context");
3890 		crypto_free_cipher(tfm_aes);
3891 		return PTR_ERR(tfm_cmac);
3892 	}
3893 
3894 	tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
3895 	if (IS_ERR(tfm_ecdh)) {
3896 		BT_ERR("Unable to create ECDH crypto context");
3897 		crypto_free_shash(tfm_cmac);
3898 		crypto_free_cipher(tfm_aes);
3899 		return PTR_ERR(tfm_ecdh);
3900 	}
3901 
3902 	err = run_selftests(tfm_aes, tfm_cmac, tfm_ecdh);
3903 
3904 	crypto_free_shash(tfm_cmac);
3905 	crypto_free_cipher(tfm_aes);
3906 	crypto_free_kpp(tfm_ecdh);
3907 
3908 	return err;
3909 }
3910 
3911 #endif
3912