xref: /openbmc/linux/net/bluetooth/smp.c (revision 9fa996c5f003beae0d8ca323caf06a2b73e471ec)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4 
5    This program is free software; you can redistribute it and/or modify
6    it under the terms of the GNU General Public License version 2 as
7    published by the Free Software Foundation;
8 
9    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 
18    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20    SOFTWARE IS DISCLAIMED.
21 */
22 
23 #include <linux/debugfs.h>
24 #include <linux/scatterlist.h>
25 #include <linux/crypto.h>
26 #include <crypto/aes.h>
27 #include <crypto/algapi.h>
28 #include <crypto/hash.h>
29 #include <crypto/kpp.h>
30 
31 #include <net/bluetooth/bluetooth.h>
32 #include <net/bluetooth/hci_core.h>
33 #include <net/bluetooth/l2cap.h>
34 #include <net/bluetooth/mgmt.h>
35 
36 #include "ecdh_helper.h"
37 #include "smp.h"
38 
39 #define SMP_DEV(hdev) \
40 	((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
41 
42 /* Low-level debug macros to be used for stuff that we don't want
43  * accidentially in dmesg, i.e. the values of the various crypto keys
44  * and the inputs & outputs of crypto functions.
45  */
46 #ifdef DEBUG
47 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
48 				 ##__VA_ARGS__)
49 #else
50 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
51 				    ##__VA_ARGS__)
52 #endif
53 
54 #define SMP_ALLOW_CMD(smp, code)	set_bit(code, &smp->allow_cmd)
55 
56 /* Keys which are not distributed with Secure Connections */
57 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY)
58 
59 #define SMP_TIMEOUT	msecs_to_jiffies(30000)
60 
61 #define AUTH_REQ_MASK(dev)	(hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
62 				 0x3f : 0x07)
63 #define KEY_DIST_MASK		0x07
64 
65 /* Maximum message length that can be passed to aes_cmac */
66 #define CMAC_MSG_MAX	80
67 
68 enum {
69 	SMP_FLAG_TK_VALID,
70 	SMP_FLAG_CFM_PENDING,
71 	SMP_FLAG_MITM_AUTH,
72 	SMP_FLAG_COMPLETE,
73 	SMP_FLAG_INITIATOR,
74 	SMP_FLAG_SC,
75 	SMP_FLAG_REMOTE_PK,
76 	SMP_FLAG_DEBUG_KEY,
77 	SMP_FLAG_WAIT_USER,
78 	SMP_FLAG_DHKEY_PENDING,
79 	SMP_FLAG_REMOTE_OOB,
80 	SMP_FLAG_LOCAL_OOB,
81 	SMP_FLAG_CT2,
82 };
83 
84 struct smp_dev {
85 	/* Secure Connections OOB data */
86 	bool			local_oob;
87 	u8			local_pk[64];
88 	u8			local_rand[16];
89 	bool			debug_key;
90 
91 	struct crypto_shash	*tfm_cmac;
92 	struct crypto_kpp	*tfm_ecdh;
93 };
94 
95 struct smp_chan {
96 	struct l2cap_conn	*conn;
97 	struct delayed_work	security_timer;
98 	unsigned long           allow_cmd; /* Bitmask of allowed commands */
99 
100 	u8		preq[7]; /* SMP Pairing Request */
101 	u8		prsp[7]; /* SMP Pairing Response */
102 	u8		prnd[16]; /* SMP Pairing Random (local) */
103 	u8		rrnd[16]; /* SMP Pairing Random (remote) */
104 	u8		pcnf[16]; /* SMP Pairing Confirm */
105 	u8		tk[16]; /* SMP Temporary Key */
106 	u8		rr[16]; /* Remote OOB ra/rb value */
107 	u8		lr[16]; /* Local OOB ra/rb value */
108 	u8		enc_key_size;
109 	u8		remote_key_dist;
110 	bdaddr_t	id_addr;
111 	u8		id_addr_type;
112 	u8		irk[16];
113 	struct smp_csrk	*csrk;
114 	struct smp_csrk	*slave_csrk;
115 	struct smp_ltk	*ltk;
116 	struct smp_ltk	*slave_ltk;
117 	struct smp_irk	*remote_irk;
118 	u8		*link_key;
119 	unsigned long	flags;
120 	u8		method;
121 	u8		passkey_round;
122 
123 	/* Secure Connections variables */
124 	u8			local_pk[64];
125 	u8			remote_pk[64];
126 	u8			dhkey[32];
127 	u8			mackey[16];
128 
129 	struct crypto_shash	*tfm_cmac;
130 	struct crypto_kpp	*tfm_ecdh;
131 };
132 
133 /* These debug key values are defined in the SMP section of the core
134  * specification. debug_pk is the public debug key and debug_sk the
135  * private debug key.
136  */
137 static const u8 debug_pk[64] = {
138 		0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
139 		0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
140 		0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
141 		0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
142 
143 		0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
144 		0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
145 		0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
146 		0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
147 };
148 
149 static const u8 debug_sk[32] = {
150 		0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
151 		0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
152 		0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
153 		0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
154 };
155 
156 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
157 {
158 	size_t i;
159 
160 	for (i = 0; i < len; i++)
161 		dst[len - 1 - i] = src[i];
162 }
163 
164 /* The following functions map to the LE SC SMP crypto functions
165  * AES-CMAC, f4, f5, f6, g2 and h6.
166  */
167 
168 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
169 		    size_t len, u8 mac[16])
170 {
171 	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
172 	int err;
173 
174 	if (len > CMAC_MSG_MAX)
175 		return -EFBIG;
176 
177 	if (!tfm) {
178 		BT_ERR("tfm %p", tfm);
179 		return -EINVAL;
180 	}
181 
182 	/* Swap key and message from LSB to MSB */
183 	swap_buf(k, tmp, 16);
184 	swap_buf(m, msg_msb, len);
185 
186 	SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
187 	SMP_DBG("key %16phN", k);
188 
189 	err = crypto_shash_setkey(tfm, tmp, 16);
190 	if (err) {
191 		BT_ERR("cipher setkey failed: %d", err);
192 		return err;
193 	}
194 
195 	err = crypto_shash_tfm_digest(tfm, msg_msb, len, mac_msb);
196 	if (err) {
197 		BT_ERR("Hash computation error %d", err);
198 		return err;
199 	}
200 
201 	swap_buf(mac_msb, mac, 16);
202 
203 	SMP_DBG("mac %16phN", mac);
204 
205 	return 0;
206 }
207 
208 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
209 		  const u8 v[32], const u8 x[16], u8 z, u8 res[16])
210 {
211 	u8 m[65];
212 	int err;
213 
214 	SMP_DBG("u %32phN", u);
215 	SMP_DBG("v %32phN", v);
216 	SMP_DBG("x %16phN z %02x", x, z);
217 
218 	m[0] = z;
219 	memcpy(m + 1, v, 32);
220 	memcpy(m + 33, u, 32);
221 
222 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
223 	if (err)
224 		return err;
225 
226 	SMP_DBG("res %16phN", res);
227 
228 	return err;
229 }
230 
231 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
232 		  const u8 n1[16], const u8 n2[16], const u8 a1[7],
233 		  const u8 a2[7], u8 mackey[16], u8 ltk[16])
234 {
235 	/* The btle, salt and length "magic" values are as defined in
236 	 * the SMP section of the Bluetooth core specification. In ASCII
237 	 * the btle value ends up being 'btle'. The salt is just a
238 	 * random number whereas length is the value 256 in little
239 	 * endian format.
240 	 */
241 	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
242 	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
243 			      0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
244 	const u8 length[2] = { 0x00, 0x01 };
245 	u8 m[53], t[16];
246 	int err;
247 
248 	SMP_DBG("w %32phN", w);
249 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
250 	SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
251 
252 	err = aes_cmac(tfm_cmac, salt, w, 32, t);
253 	if (err)
254 		return err;
255 
256 	SMP_DBG("t %16phN", t);
257 
258 	memcpy(m, length, 2);
259 	memcpy(m + 2, a2, 7);
260 	memcpy(m + 9, a1, 7);
261 	memcpy(m + 16, n2, 16);
262 	memcpy(m + 32, n1, 16);
263 	memcpy(m + 48, btle, 4);
264 
265 	m[52] = 0; /* Counter */
266 
267 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
268 	if (err)
269 		return err;
270 
271 	SMP_DBG("mackey %16phN", mackey);
272 
273 	m[52] = 1; /* Counter */
274 
275 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
276 	if (err)
277 		return err;
278 
279 	SMP_DBG("ltk %16phN", ltk);
280 
281 	return 0;
282 }
283 
284 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
285 		  const u8 n1[16], const u8 n2[16], const u8 r[16],
286 		  const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
287 		  u8 res[16])
288 {
289 	u8 m[65];
290 	int err;
291 
292 	SMP_DBG("w %16phN", w);
293 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
294 	SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
295 
296 	memcpy(m, a2, 7);
297 	memcpy(m + 7, a1, 7);
298 	memcpy(m + 14, io_cap, 3);
299 	memcpy(m + 17, r, 16);
300 	memcpy(m + 33, n2, 16);
301 	memcpy(m + 49, n1, 16);
302 
303 	err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
304 	if (err)
305 		return err;
306 
307 	SMP_DBG("res %16phN", res);
308 
309 	return err;
310 }
311 
312 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
313 		  const u8 x[16], const u8 y[16], u32 *val)
314 {
315 	u8 m[80], tmp[16];
316 	int err;
317 
318 	SMP_DBG("u %32phN", u);
319 	SMP_DBG("v %32phN", v);
320 	SMP_DBG("x %16phN y %16phN", x, y);
321 
322 	memcpy(m, y, 16);
323 	memcpy(m + 16, v, 32);
324 	memcpy(m + 48, u, 32);
325 
326 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
327 	if (err)
328 		return err;
329 
330 	*val = get_unaligned_le32(tmp);
331 	*val %= 1000000;
332 
333 	SMP_DBG("val %06u", *val);
334 
335 	return 0;
336 }
337 
338 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
339 		  const u8 key_id[4], u8 res[16])
340 {
341 	int err;
342 
343 	SMP_DBG("w %16phN key_id %4phN", w, key_id);
344 
345 	err = aes_cmac(tfm_cmac, w, key_id, 4, res);
346 	if (err)
347 		return err;
348 
349 	SMP_DBG("res %16phN", res);
350 
351 	return err;
352 }
353 
354 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
355 		  const u8 salt[16], u8 res[16])
356 {
357 	int err;
358 
359 	SMP_DBG("w %16phN salt %16phN", w, salt);
360 
361 	err = aes_cmac(tfm_cmac, salt, w, 16, res);
362 	if (err)
363 		return err;
364 
365 	SMP_DBG("res %16phN", res);
366 
367 	return err;
368 }
369 
370 /* The following functions map to the legacy SMP crypto functions e, c1,
371  * s1 and ah.
372  */
373 
374 static int smp_e(const u8 *k, u8 *r)
375 {
376 	struct crypto_aes_ctx ctx;
377 	uint8_t tmp[16], data[16];
378 	int err;
379 
380 	SMP_DBG("k %16phN r %16phN", k, r);
381 
382 	/* The most significant octet of key corresponds to k[0] */
383 	swap_buf(k, tmp, 16);
384 
385 	err = aes_expandkey(&ctx, tmp, 16);
386 	if (err) {
387 		BT_ERR("cipher setkey failed: %d", err);
388 		return err;
389 	}
390 
391 	/* Most significant octet of plaintextData corresponds to data[0] */
392 	swap_buf(r, data, 16);
393 
394 	aes_encrypt(&ctx, data, data);
395 
396 	/* Most significant octet of encryptedData corresponds to data[0] */
397 	swap_buf(data, r, 16);
398 
399 	SMP_DBG("r %16phN", r);
400 
401 	memzero_explicit(&ctx, sizeof(ctx));
402 	return err;
403 }
404 
405 static int smp_c1(const u8 k[16],
406 		  const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
407 		  const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
408 {
409 	u8 p1[16], p2[16];
410 	int err;
411 
412 	SMP_DBG("k %16phN r %16phN", k, r);
413 	SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
414 	SMP_DBG("preq %7phN pres %7phN", preq, pres);
415 
416 	memset(p1, 0, 16);
417 
418 	/* p1 = pres || preq || _rat || _iat */
419 	p1[0] = _iat;
420 	p1[1] = _rat;
421 	memcpy(p1 + 2, preq, 7);
422 	memcpy(p1 + 9, pres, 7);
423 
424 	SMP_DBG("p1 %16phN", p1);
425 
426 	/* res = r XOR p1 */
427 	crypto_xor_cpy(res, r, p1, sizeof(p1));
428 
429 	/* res = e(k, res) */
430 	err = smp_e(k, res);
431 	if (err) {
432 		BT_ERR("Encrypt data error");
433 		return err;
434 	}
435 
436 	/* p2 = padding || ia || ra */
437 	memcpy(p2, ra, 6);
438 	memcpy(p2 + 6, ia, 6);
439 	memset(p2 + 12, 0, 4);
440 
441 	SMP_DBG("p2 %16phN", p2);
442 
443 	/* res = res XOR p2 */
444 	crypto_xor(res, p2, sizeof(p2));
445 
446 	/* res = e(k, res) */
447 	err = smp_e(k, res);
448 	if (err)
449 		BT_ERR("Encrypt data error");
450 
451 	return err;
452 }
453 
454 static int smp_s1(const u8 k[16],
455 		  const u8 r1[16], const u8 r2[16], u8 _r[16])
456 {
457 	int err;
458 
459 	/* Just least significant octets from r1 and r2 are considered */
460 	memcpy(_r, r2, 8);
461 	memcpy(_r + 8, r1, 8);
462 
463 	err = smp_e(k, _r);
464 	if (err)
465 		BT_ERR("Encrypt data error");
466 
467 	return err;
468 }
469 
470 static int smp_ah(const u8 irk[16], const u8 r[3], u8 res[3])
471 {
472 	u8 _res[16];
473 	int err;
474 
475 	/* r' = padding || r */
476 	memcpy(_res, r, 3);
477 	memset(_res + 3, 0, 13);
478 
479 	err = smp_e(irk, _res);
480 	if (err) {
481 		BT_ERR("Encrypt error");
482 		return err;
483 	}
484 
485 	/* The output of the random address function ah is:
486 	 *	ah(k, r) = e(k, r') mod 2^24
487 	 * The output of the security function e is then truncated to 24 bits
488 	 * by taking the least significant 24 bits of the output of e as the
489 	 * result of ah.
490 	 */
491 	memcpy(res, _res, 3);
492 
493 	return 0;
494 }
495 
496 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
497 		     const bdaddr_t *bdaddr)
498 {
499 	struct l2cap_chan *chan = hdev->smp_data;
500 	u8 hash[3];
501 	int err;
502 
503 	if (!chan || !chan->data)
504 		return false;
505 
506 	bt_dev_dbg(hdev, "RPA %pMR IRK %*phN", bdaddr, 16, irk);
507 
508 	err = smp_ah(irk, &bdaddr->b[3], hash);
509 	if (err)
510 		return false;
511 
512 	return !crypto_memneq(bdaddr->b, hash, 3);
513 }
514 
515 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
516 {
517 	struct l2cap_chan *chan = hdev->smp_data;
518 	int err;
519 
520 	if (!chan || !chan->data)
521 		return -EOPNOTSUPP;
522 
523 	get_random_bytes(&rpa->b[3], 3);
524 
525 	rpa->b[5] &= 0x3f;	/* Clear two most significant bits */
526 	rpa->b[5] |= 0x40;	/* Set second most significant bit */
527 
528 	err = smp_ah(irk, &rpa->b[3], rpa->b);
529 	if (err < 0)
530 		return err;
531 
532 	bt_dev_dbg(hdev, "RPA %pMR", rpa);
533 
534 	return 0;
535 }
536 
537 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
538 {
539 	struct l2cap_chan *chan = hdev->smp_data;
540 	struct smp_dev *smp;
541 	int err;
542 
543 	if (!chan || !chan->data)
544 		return -EOPNOTSUPP;
545 
546 	smp = chan->data;
547 
548 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
549 		bt_dev_dbg(hdev, "Using debug keys");
550 		err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk);
551 		if (err)
552 			return err;
553 		memcpy(smp->local_pk, debug_pk, 64);
554 		smp->debug_key = true;
555 	} else {
556 		while (true) {
557 			/* Generate key pair for Secure Connections */
558 			err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk);
559 			if (err)
560 				return err;
561 
562 			/* This is unlikely, but we need to check that
563 			 * we didn't accidentially generate a debug key.
564 			 */
565 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
566 				break;
567 		}
568 		smp->debug_key = false;
569 	}
570 
571 	SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
572 	SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
573 
574 	get_random_bytes(smp->local_rand, 16);
575 
576 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
577 		     smp->local_rand, 0, hash);
578 	if (err < 0)
579 		return err;
580 
581 	memcpy(rand, smp->local_rand, 16);
582 
583 	smp->local_oob = true;
584 
585 	return 0;
586 }
587 
588 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
589 {
590 	struct l2cap_chan *chan = conn->smp;
591 	struct smp_chan *smp;
592 	struct kvec iv[2];
593 	struct msghdr msg;
594 
595 	if (!chan)
596 		return;
597 
598 	bt_dev_dbg(conn->hcon->hdev, "code 0x%2.2x", code);
599 
600 	iv[0].iov_base = &code;
601 	iv[0].iov_len = 1;
602 
603 	iv[1].iov_base = data;
604 	iv[1].iov_len = len;
605 
606 	memset(&msg, 0, sizeof(msg));
607 
608 	iov_iter_kvec(&msg.msg_iter, WRITE, iv, 2, 1 + len);
609 
610 	l2cap_chan_send(chan, &msg, 1 + len);
611 
612 	if (!chan->data)
613 		return;
614 
615 	smp = chan->data;
616 
617 	cancel_delayed_work_sync(&smp->security_timer);
618 	schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
619 }
620 
621 static u8 authreq_to_seclevel(u8 authreq)
622 {
623 	if (authreq & SMP_AUTH_MITM) {
624 		if (authreq & SMP_AUTH_SC)
625 			return BT_SECURITY_FIPS;
626 		else
627 			return BT_SECURITY_HIGH;
628 	} else {
629 		return BT_SECURITY_MEDIUM;
630 	}
631 }
632 
633 static __u8 seclevel_to_authreq(__u8 sec_level)
634 {
635 	switch (sec_level) {
636 	case BT_SECURITY_FIPS:
637 	case BT_SECURITY_HIGH:
638 		return SMP_AUTH_MITM | SMP_AUTH_BONDING;
639 	case BT_SECURITY_MEDIUM:
640 		return SMP_AUTH_BONDING;
641 	default:
642 		return SMP_AUTH_NONE;
643 	}
644 }
645 
646 static void build_pairing_cmd(struct l2cap_conn *conn,
647 			      struct smp_cmd_pairing *req,
648 			      struct smp_cmd_pairing *rsp, __u8 authreq)
649 {
650 	struct l2cap_chan *chan = conn->smp;
651 	struct smp_chan *smp = chan->data;
652 	struct hci_conn *hcon = conn->hcon;
653 	struct hci_dev *hdev = hcon->hdev;
654 	u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
655 
656 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
657 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
658 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
659 		authreq |= SMP_AUTH_BONDING;
660 	} else {
661 		authreq &= ~SMP_AUTH_BONDING;
662 	}
663 
664 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
665 		remote_dist |= SMP_DIST_ID_KEY;
666 
667 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
668 		local_dist |= SMP_DIST_ID_KEY;
669 
670 	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
671 	    (authreq & SMP_AUTH_SC)) {
672 		struct oob_data *oob_data;
673 		u8 bdaddr_type;
674 
675 		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
676 			local_dist |= SMP_DIST_LINK_KEY;
677 			remote_dist |= SMP_DIST_LINK_KEY;
678 		}
679 
680 		if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
681 			bdaddr_type = BDADDR_LE_PUBLIC;
682 		else
683 			bdaddr_type = BDADDR_LE_RANDOM;
684 
685 		oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
686 						    bdaddr_type);
687 		if (oob_data && oob_data->present) {
688 			set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
689 			oob_flag = SMP_OOB_PRESENT;
690 			memcpy(smp->rr, oob_data->rand256, 16);
691 			memcpy(smp->pcnf, oob_data->hash256, 16);
692 			SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
693 			SMP_DBG("OOB Remote Random: %16phN", smp->rr);
694 		}
695 
696 	} else {
697 		authreq &= ~SMP_AUTH_SC;
698 	}
699 
700 	if (rsp == NULL) {
701 		req->io_capability = conn->hcon->io_capability;
702 		req->oob_flag = oob_flag;
703 		req->max_key_size = hdev->le_max_key_size;
704 		req->init_key_dist = local_dist;
705 		req->resp_key_dist = remote_dist;
706 		req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
707 
708 		smp->remote_key_dist = remote_dist;
709 		return;
710 	}
711 
712 	rsp->io_capability = conn->hcon->io_capability;
713 	rsp->oob_flag = oob_flag;
714 	rsp->max_key_size = hdev->le_max_key_size;
715 	rsp->init_key_dist = req->init_key_dist & remote_dist;
716 	rsp->resp_key_dist = req->resp_key_dist & local_dist;
717 	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
718 
719 	smp->remote_key_dist = rsp->init_key_dist;
720 }
721 
722 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
723 {
724 	struct l2cap_chan *chan = conn->smp;
725 	struct hci_dev *hdev = conn->hcon->hdev;
726 	struct smp_chan *smp = chan->data;
727 
728 	if (conn->hcon->pending_sec_level == BT_SECURITY_FIPS &&
729 	    max_key_size != SMP_MAX_ENC_KEY_SIZE)
730 		return SMP_ENC_KEY_SIZE;
731 
732 	if (max_key_size > hdev->le_max_key_size ||
733 	    max_key_size < SMP_MIN_ENC_KEY_SIZE)
734 		return SMP_ENC_KEY_SIZE;
735 
736 	smp->enc_key_size = max_key_size;
737 
738 	return 0;
739 }
740 
741 static void smp_chan_destroy(struct l2cap_conn *conn)
742 {
743 	struct l2cap_chan *chan = conn->smp;
744 	struct smp_chan *smp = chan->data;
745 	struct hci_conn *hcon = conn->hcon;
746 	bool complete;
747 
748 	BUG_ON(!smp);
749 
750 	cancel_delayed_work_sync(&smp->security_timer);
751 
752 	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
753 	mgmt_smp_complete(hcon, complete);
754 
755 	kfree_sensitive(smp->csrk);
756 	kfree_sensitive(smp->slave_csrk);
757 	kfree_sensitive(smp->link_key);
758 
759 	crypto_free_shash(smp->tfm_cmac);
760 	crypto_free_kpp(smp->tfm_ecdh);
761 
762 	/* Ensure that we don't leave any debug key around if debug key
763 	 * support hasn't been explicitly enabled.
764 	 */
765 	if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
766 	    !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
767 		list_del_rcu(&smp->ltk->list);
768 		kfree_rcu(smp->ltk, rcu);
769 		smp->ltk = NULL;
770 	}
771 
772 	/* If pairing failed clean up any keys we might have */
773 	if (!complete) {
774 		if (smp->ltk) {
775 			list_del_rcu(&smp->ltk->list);
776 			kfree_rcu(smp->ltk, rcu);
777 		}
778 
779 		if (smp->slave_ltk) {
780 			list_del_rcu(&smp->slave_ltk->list);
781 			kfree_rcu(smp->slave_ltk, rcu);
782 		}
783 
784 		if (smp->remote_irk) {
785 			list_del_rcu(&smp->remote_irk->list);
786 			kfree_rcu(smp->remote_irk, rcu);
787 		}
788 	}
789 
790 	chan->data = NULL;
791 	kfree_sensitive(smp);
792 	hci_conn_drop(hcon);
793 }
794 
795 static void smp_failure(struct l2cap_conn *conn, u8 reason)
796 {
797 	struct hci_conn *hcon = conn->hcon;
798 	struct l2cap_chan *chan = conn->smp;
799 
800 	if (reason)
801 		smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
802 			     &reason);
803 
804 	mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
805 
806 	if (chan->data)
807 		smp_chan_destroy(conn);
808 }
809 
810 #define JUST_WORKS	0x00
811 #define JUST_CFM	0x01
812 #define REQ_PASSKEY	0x02
813 #define CFM_PASSKEY	0x03
814 #define REQ_OOB		0x04
815 #define DSP_PASSKEY	0x05
816 #define OVERLAP		0xFF
817 
818 static const u8 gen_method[5][5] = {
819 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
820 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
821 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
822 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
823 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
824 };
825 
826 static const u8 sc_method[5][5] = {
827 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
828 	{ JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
829 	{ DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
830 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
831 	{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
832 };
833 
834 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
835 {
836 	/* If either side has unknown io_caps, use JUST_CFM (which gets
837 	 * converted later to JUST_WORKS if we're initiators.
838 	 */
839 	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
840 	    remote_io > SMP_IO_KEYBOARD_DISPLAY)
841 		return JUST_CFM;
842 
843 	if (test_bit(SMP_FLAG_SC, &smp->flags))
844 		return sc_method[remote_io][local_io];
845 
846 	return gen_method[remote_io][local_io];
847 }
848 
849 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
850 						u8 local_io, u8 remote_io)
851 {
852 	struct hci_conn *hcon = conn->hcon;
853 	struct l2cap_chan *chan = conn->smp;
854 	struct smp_chan *smp = chan->data;
855 	u32 passkey = 0;
856 	int ret;
857 
858 	/* Initialize key for JUST WORKS */
859 	memset(smp->tk, 0, sizeof(smp->tk));
860 	clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
861 
862 	bt_dev_dbg(hcon->hdev, "auth:%d lcl:%d rem:%d", auth, local_io,
863 		   remote_io);
864 
865 	/* If neither side wants MITM, either "just" confirm an incoming
866 	 * request or use just-works for outgoing ones. The JUST_CFM
867 	 * will be converted to JUST_WORKS if necessary later in this
868 	 * function. If either side has MITM look up the method from the
869 	 * table.
870 	 */
871 	if (!(auth & SMP_AUTH_MITM))
872 		smp->method = JUST_CFM;
873 	else
874 		smp->method = get_auth_method(smp, local_io, remote_io);
875 
876 	/* Don't confirm locally initiated pairing attempts */
877 	if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
878 						&smp->flags))
879 		smp->method = JUST_WORKS;
880 
881 	/* Don't bother user space with no IO capabilities */
882 	if (smp->method == JUST_CFM &&
883 	    hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
884 		smp->method = JUST_WORKS;
885 
886 	/* If Just Works, Continue with Zero TK and ask user-space for
887 	 * confirmation */
888 	if (smp->method == JUST_WORKS) {
889 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
890 						hcon->type,
891 						hcon->dst_type,
892 						passkey, 1);
893 		if (ret)
894 			return ret;
895 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
896 		return 0;
897 	}
898 
899 	/* If this function is used for SC -> legacy fallback we
900 	 * can only recover the just-works case.
901 	 */
902 	if (test_bit(SMP_FLAG_SC, &smp->flags))
903 		return -EINVAL;
904 
905 	/* Not Just Works/Confirm results in MITM Authentication */
906 	if (smp->method != JUST_CFM) {
907 		set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
908 		if (hcon->pending_sec_level < BT_SECURITY_HIGH)
909 			hcon->pending_sec_level = BT_SECURITY_HIGH;
910 	}
911 
912 	/* If both devices have Keyoard-Display I/O, the master
913 	 * Confirms and the slave Enters the passkey.
914 	 */
915 	if (smp->method == OVERLAP) {
916 		if (hcon->role == HCI_ROLE_MASTER)
917 			smp->method = CFM_PASSKEY;
918 		else
919 			smp->method = REQ_PASSKEY;
920 	}
921 
922 	/* Generate random passkey. */
923 	if (smp->method == CFM_PASSKEY) {
924 		memset(smp->tk, 0, sizeof(smp->tk));
925 		get_random_bytes(&passkey, sizeof(passkey));
926 		passkey %= 1000000;
927 		put_unaligned_le32(passkey, smp->tk);
928 		bt_dev_dbg(hcon->hdev, "PassKey: %d", passkey);
929 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
930 	}
931 
932 	if (smp->method == REQ_PASSKEY)
933 		ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
934 						hcon->type, hcon->dst_type);
935 	else if (smp->method == JUST_CFM)
936 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
937 						hcon->type, hcon->dst_type,
938 						passkey, 1);
939 	else
940 		ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
941 						hcon->type, hcon->dst_type,
942 						passkey, 0);
943 
944 	return ret;
945 }
946 
947 static u8 smp_confirm(struct smp_chan *smp)
948 {
949 	struct l2cap_conn *conn = smp->conn;
950 	struct smp_cmd_pairing_confirm cp;
951 	int ret;
952 
953 	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
954 
955 	ret = smp_c1(smp->tk, smp->prnd, smp->preq, smp->prsp,
956 		     conn->hcon->init_addr_type, &conn->hcon->init_addr,
957 		     conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
958 		     cp.confirm_val);
959 	if (ret)
960 		return SMP_UNSPECIFIED;
961 
962 	clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
963 
964 	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
965 
966 	if (conn->hcon->out)
967 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
968 	else
969 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
970 
971 	return 0;
972 }
973 
974 static u8 smp_random(struct smp_chan *smp)
975 {
976 	struct l2cap_conn *conn = smp->conn;
977 	struct hci_conn *hcon = conn->hcon;
978 	u8 confirm[16];
979 	int ret;
980 
981 	bt_dev_dbg(conn->hcon->hdev, "conn %p %s", conn,
982 		   conn->hcon->out ? "master" : "slave");
983 
984 	ret = smp_c1(smp->tk, smp->rrnd, smp->preq, smp->prsp,
985 		     hcon->init_addr_type, &hcon->init_addr,
986 		     hcon->resp_addr_type, &hcon->resp_addr, confirm);
987 	if (ret)
988 		return SMP_UNSPECIFIED;
989 
990 	if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
991 		bt_dev_err(hcon->hdev, "pairing failed "
992 			   "(confirmation values mismatch)");
993 		return SMP_CONFIRM_FAILED;
994 	}
995 
996 	if (hcon->out) {
997 		u8 stk[16];
998 		__le64 rand = 0;
999 		__le16 ediv = 0;
1000 
1001 		smp_s1(smp->tk, smp->rrnd, smp->prnd, stk);
1002 
1003 		if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1004 			return SMP_UNSPECIFIED;
1005 
1006 		hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1007 		hcon->enc_key_size = smp->enc_key_size;
1008 		set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1009 	} else {
1010 		u8 stk[16], auth;
1011 		__le64 rand = 0;
1012 		__le16 ediv = 0;
1013 
1014 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1015 			     smp->prnd);
1016 
1017 		smp_s1(smp->tk, smp->prnd, smp->rrnd, stk);
1018 
1019 		if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1020 			auth = 1;
1021 		else
1022 			auth = 0;
1023 
1024 		/* Even though there's no _SLAVE suffix this is the
1025 		 * slave STK we're adding for later lookup (the master
1026 		 * STK never needs to be stored).
1027 		 */
1028 		hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1029 			    SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1030 	}
1031 
1032 	return 0;
1033 }
1034 
1035 static void smp_notify_keys(struct l2cap_conn *conn)
1036 {
1037 	struct l2cap_chan *chan = conn->smp;
1038 	struct smp_chan *smp = chan->data;
1039 	struct hci_conn *hcon = conn->hcon;
1040 	struct hci_dev *hdev = hcon->hdev;
1041 	struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1042 	struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1043 	bool persistent;
1044 
1045 	if (hcon->type == ACL_LINK) {
1046 		if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1047 			persistent = false;
1048 		else
1049 			persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1050 					       &hcon->flags);
1051 	} else {
1052 		/* The LTKs, IRKs and CSRKs should be persistent only if
1053 		 * both sides had the bonding bit set in their
1054 		 * authentication requests.
1055 		 */
1056 		persistent = !!((req->auth_req & rsp->auth_req) &
1057 				SMP_AUTH_BONDING);
1058 	}
1059 
1060 	if (smp->remote_irk) {
1061 		mgmt_new_irk(hdev, smp->remote_irk, persistent);
1062 
1063 		/* Now that user space can be considered to know the
1064 		 * identity address track the connection based on it
1065 		 * from now on (assuming this is an LE link).
1066 		 */
1067 		if (hcon->type == LE_LINK) {
1068 			bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1069 			hcon->dst_type = smp->remote_irk->addr_type;
1070 			queue_work(hdev->workqueue, &conn->id_addr_update_work);
1071 		}
1072 	}
1073 
1074 	if (smp->csrk) {
1075 		smp->csrk->bdaddr_type = hcon->dst_type;
1076 		bacpy(&smp->csrk->bdaddr, &hcon->dst);
1077 		mgmt_new_csrk(hdev, smp->csrk, persistent);
1078 	}
1079 
1080 	if (smp->slave_csrk) {
1081 		smp->slave_csrk->bdaddr_type = hcon->dst_type;
1082 		bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1083 		mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1084 	}
1085 
1086 	if (smp->ltk) {
1087 		smp->ltk->bdaddr_type = hcon->dst_type;
1088 		bacpy(&smp->ltk->bdaddr, &hcon->dst);
1089 		mgmt_new_ltk(hdev, smp->ltk, persistent);
1090 	}
1091 
1092 	if (smp->slave_ltk) {
1093 		smp->slave_ltk->bdaddr_type = hcon->dst_type;
1094 		bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1095 		mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1096 	}
1097 
1098 	if (smp->link_key) {
1099 		struct link_key *key;
1100 		u8 type;
1101 
1102 		if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1103 			type = HCI_LK_DEBUG_COMBINATION;
1104 		else if (hcon->sec_level == BT_SECURITY_FIPS)
1105 			type = HCI_LK_AUTH_COMBINATION_P256;
1106 		else
1107 			type = HCI_LK_UNAUTH_COMBINATION_P256;
1108 
1109 		key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1110 				       smp->link_key, type, 0, &persistent);
1111 		if (key) {
1112 			mgmt_new_link_key(hdev, key, persistent);
1113 
1114 			/* Don't keep debug keys around if the relevant
1115 			 * flag is not set.
1116 			 */
1117 			if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1118 			    key->type == HCI_LK_DEBUG_COMBINATION) {
1119 				list_del_rcu(&key->list);
1120 				kfree_rcu(key, rcu);
1121 			}
1122 		}
1123 	}
1124 }
1125 
1126 static void sc_add_ltk(struct smp_chan *smp)
1127 {
1128 	struct hci_conn *hcon = smp->conn->hcon;
1129 	u8 key_type, auth;
1130 
1131 	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1132 		key_type = SMP_LTK_P256_DEBUG;
1133 	else
1134 		key_type = SMP_LTK_P256;
1135 
1136 	if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1137 		auth = 1;
1138 	else
1139 		auth = 0;
1140 
1141 	smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1142 			       key_type, auth, smp->tk, smp->enc_key_size,
1143 			       0, 0);
1144 }
1145 
1146 static void sc_generate_link_key(struct smp_chan *smp)
1147 {
1148 	/* From core spec. Spells out in ASCII as 'lebr'. */
1149 	const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1150 
1151 	smp->link_key = kzalloc(16, GFP_KERNEL);
1152 	if (!smp->link_key)
1153 		return;
1154 
1155 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1156 		/* SALT = 0x000000000000000000000000746D7031 */
1157 		const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1158 
1159 		if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1160 			kfree_sensitive(smp->link_key);
1161 			smp->link_key = NULL;
1162 			return;
1163 		}
1164 	} else {
1165 		/* From core spec. Spells out in ASCII as 'tmp1'. */
1166 		const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1167 
1168 		if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1169 			kfree_sensitive(smp->link_key);
1170 			smp->link_key = NULL;
1171 			return;
1172 		}
1173 	}
1174 
1175 	if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1176 		kfree_sensitive(smp->link_key);
1177 		smp->link_key = NULL;
1178 		return;
1179 	}
1180 }
1181 
1182 static void smp_allow_key_dist(struct smp_chan *smp)
1183 {
1184 	/* Allow the first expected phase 3 PDU. The rest of the PDUs
1185 	 * will be allowed in each PDU handler to ensure we receive
1186 	 * them in the correct order.
1187 	 */
1188 	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1189 		SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1190 	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1191 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1192 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
1193 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1194 }
1195 
1196 static void sc_generate_ltk(struct smp_chan *smp)
1197 {
1198 	/* From core spec. Spells out in ASCII as 'brle'. */
1199 	const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1200 	struct hci_conn *hcon = smp->conn->hcon;
1201 	struct hci_dev *hdev = hcon->hdev;
1202 	struct link_key *key;
1203 
1204 	key = hci_find_link_key(hdev, &hcon->dst);
1205 	if (!key) {
1206 		bt_dev_err(hdev, "no Link Key found to generate LTK");
1207 		return;
1208 	}
1209 
1210 	if (key->type == HCI_LK_DEBUG_COMBINATION)
1211 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1212 
1213 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1214 		/* SALT = 0x000000000000000000000000746D7032 */
1215 		const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1216 
1217 		if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1218 			return;
1219 	} else {
1220 		/* From core spec. Spells out in ASCII as 'tmp2'. */
1221 		const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1222 
1223 		if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1224 			return;
1225 	}
1226 
1227 	if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1228 		return;
1229 
1230 	sc_add_ltk(smp);
1231 }
1232 
1233 static void smp_distribute_keys(struct smp_chan *smp)
1234 {
1235 	struct smp_cmd_pairing *req, *rsp;
1236 	struct l2cap_conn *conn = smp->conn;
1237 	struct hci_conn *hcon = conn->hcon;
1238 	struct hci_dev *hdev = hcon->hdev;
1239 	__u8 *keydist;
1240 
1241 	bt_dev_dbg(hdev, "conn %p", conn);
1242 
1243 	rsp = (void *) &smp->prsp[1];
1244 
1245 	/* The responder sends its keys first */
1246 	if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1247 		smp_allow_key_dist(smp);
1248 		return;
1249 	}
1250 
1251 	req = (void *) &smp->preq[1];
1252 
1253 	if (hcon->out) {
1254 		keydist = &rsp->init_key_dist;
1255 		*keydist &= req->init_key_dist;
1256 	} else {
1257 		keydist = &rsp->resp_key_dist;
1258 		*keydist &= req->resp_key_dist;
1259 	}
1260 
1261 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1262 		if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1263 			sc_generate_link_key(smp);
1264 		if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1265 			sc_generate_ltk(smp);
1266 
1267 		/* Clear the keys which are generated but not distributed */
1268 		*keydist &= ~SMP_SC_NO_DIST;
1269 	}
1270 
1271 	bt_dev_dbg(hdev, "keydist 0x%x", *keydist);
1272 
1273 	if (*keydist & SMP_DIST_ENC_KEY) {
1274 		struct smp_cmd_encrypt_info enc;
1275 		struct smp_cmd_master_ident ident;
1276 		struct smp_ltk *ltk;
1277 		u8 authenticated;
1278 		__le16 ediv;
1279 		__le64 rand;
1280 
1281 		/* Make sure we generate only the significant amount of
1282 		 * bytes based on the encryption key size, and set the rest
1283 		 * of the value to zeroes.
1284 		 */
1285 		get_random_bytes(enc.ltk, smp->enc_key_size);
1286 		memset(enc.ltk + smp->enc_key_size, 0,
1287 		       sizeof(enc.ltk) - smp->enc_key_size);
1288 
1289 		get_random_bytes(&ediv, sizeof(ediv));
1290 		get_random_bytes(&rand, sizeof(rand));
1291 
1292 		smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1293 
1294 		authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1295 		ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1296 				  SMP_LTK_SLAVE, authenticated, enc.ltk,
1297 				  smp->enc_key_size, ediv, rand);
1298 		smp->slave_ltk = ltk;
1299 
1300 		ident.ediv = ediv;
1301 		ident.rand = rand;
1302 
1303 		smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1304 
1305 		*keydist &= ~SMP_DIST_ENC_KEY;
1306 	}
1307 
1308 	if (*keydist & SMP_DIST_ID_KEY) {
1309 		struct smp_cmd_ident_addr_info addrinfo;
1310 		struct smp_cmd_ident_info idinfo;
1311 
1312 		memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1313 
1314 		smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1315 
1316 		/* The hci_conn contains the local identity address
1317 		 * after the connection has been established.
1318 		 *
1319 		 * This is true even when the connection has been
1320 		 * established using a resolvable random address.
1321 		 */
1322 		bacpy(&addrinfo.bdaddr, &hcon->src);
1323 		addrinfo.addr_type = hcon->src_type;
1324 
1325 		smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1326 			     &addrinfo);
1327 
1328 		*keydist &= ~SMP_DIST_ID_KEY;
1329 	}
1330 
1331 	if (*keydist & SMP_DIST_SIGN) {
1332 		struct smp_cmd_sign_info sign;
1333 		struct smp_csrk *csrk;
1334 
1335 		/* Generate a new random key */
1336 		get_random_bytes(sign.csrk, sizeof(sign.csrk));
1337 
1338 		csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1339 		if (csrk) {
1340 			if (hcon->sec_level > BT_SECURITY_MEDIUM)
1341 				csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1342 			else
1343 				csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1344 			memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1345 		}
1346 		smp->slave_csrk = csrk;
1347 
1348 		smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1349 
1350 		*keydist &= ~SMP_DIST_SIGN;
1351 	}
1352 
1353 	/* If there are still keys to be received wait for them */
1354 	if (smp->remote_key_dist & KEY_DIST_MASK) {
1355 		smp_allow_key_dist(smp);
1356 		return;
1357 	}
1358 
1359 	set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1360 	smp_notify_keys(conn);
1361 
1362 	smp_chan_destroy(conn);
1363 }
1364 
1365 static void smp_timeout(struct work_struct *work)
1366 {
1367 	struct smp_chan *smp = container_of(work, struct smp_chan,
1368 					    security_timer.work);
1369 	struct l2cap_conn *conn = smp->conn;
1370 
1371 	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
1372 
1373 	hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1374 }
1375 
1376 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1377 {
1378 	struct hci_conn *hcon = conn->hcon;
1379 	struct l2cap_chan *chan = conn->smp;
1380 	struct smp_chan *smp;
1381 
1382 	smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1383 	if (!smp)
1384 		return NULL;
1385 
1386 	smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1387 	if (IS_ERR(smp->tfm_cmac)) {
1388 		bt_dev_err(hcon->hdev, "Unable to create CMAC crypto context");
1389 		goto zfree_smp;
1390 	}
1391 
1392 	smp->tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
1393 	if (IS_ERR(smp->tfm_ecdh)) {
1394 		bt_dev_err(hcon->hdev, "Unable to create ECDH crypto context");
1395 		goto free_shash;
1396 	}
1397 
1398 	smp->conn = conn;
1399 	chan->data = smp;
1400 
1401 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1402 
1403 	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1404 
1405 	hci_conn_hold(hcon);
1406 
1407 	return smp;
1408 
1409 free_shash:
1410 	crypto_free_shash(smp->tfm_cmac);
1411 zfree_smp:
1412 	kfree_sensitive(smp);
1413 	return NULL;
1414 }
1415 
1416 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1417 {
1418 	struct hci_conn *hcon = smp->conn->hcon;
1419 	u8 *na, *nb, a[7], b[7];
1420 
1421 	if (hcon->out) {
1422 		na   = smp->prnd;
1423 		nb   = smp->rrnd;
1424 	} else {
1425 		na   = smp->rrnd;
1426 		nb   = smp->prnd;
1427 	}
1428 
1429 	memcpy(a, &hcon->init_addr, 6);
1430 	memcpy(b, &hcon->resp_addr, 6);
1431 	a[6] = hcon->init_addr_type;
1432 	b[6] = hcon->resp_addr_type;
1433 
1434 	return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1435 }
1436 
1437 static void sc_dhkey_check(struct smp_chan *smp)
1438 {
1439 	struct hci_conn *hcon = smp->conn->hcon;
1440 	struct smp_cmd_dhkey_check check;
1441 	u8 a[7], b[7], *local_addr, *remote_addr;
1442 	u8 io_cap[3], r[16];
1443 
1444 	memcpy(a, &hcon->init_addr, 6);
1445 	memcpy(b, &hcon->resp_addr, 6);
1446 	a[6] = hcon->init_addr_type;
1447 	b[6] = hcon->resp_addr_type;
1448 
1449 	if (hcon->out) {
1450 		local_addr = a;
1451 		remote_addr = b;
1452 		memcpy(io_cap, &smp->preq[1], 3);
1453 	} else {
1454 		local_addr = b;
1455 		remote_addr = a;
1456 		memcpy(io_cap, &smp->prsp[1], 3);
1457 	}
1458 
1459 	memset(r, 0, sizeof(r));
1460 
1461 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1462 		put_unaligned_le32(hcon->passkey_notify, r);
1463 
1464 	if (smp->method == REQ_OOB)
1465 		memcpy(r, smp->rr, 16);
1466 
1467 	smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1468 	       local_addr, remote_addr, check.e);
1469 
1470 	smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1471 }
1472 
1473 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1474 {
1475 	struct l2cap_conn *conn = smp->conn;
1476 	struct hci_conn *hcon = conn->hcon;
1477 	struct smp_cmd_pairing_confirm cfm;
1478 	u8 r;
1479 
1480 	r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1481 	r |= 0x80;
1482 
1483 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1484 
1485 	if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1486 		   cfm.confirm_val))
1487 		return SMP_UNSPECIFIED;
1488 
1489 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1490 
1491 	return 0;
1492 }
1493 
1494 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1495 {
1496 	struct l2cap_conn *conn = smp->conn;
1497 	struct hci_conn *hcon = conn->hcon;
1498 	struct hci_dev *hdev = hcon->hdev;
1499 	u8 cfm[16], r;
1500 
1501 	/* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1502 	if (smp->passkey_round >= 20)
1503 		return 0;
1504 
1505 	switch (smp_op) {
1506 	case SMP_CMD_PAIRING_RANDOM:
1507 		r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1508 		r |= 0x80;
1509 
1510 		if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1511 			   smp->rrnd, r, cfm))
1512 			return SMP_UNSPECIFIED;
1513 
1514 		if (crypto_memneq(smp->pcnf, cfm, 16))
1515 			return SMP_CONFIRM_FAILED;
1516 
1517 		smp->passkey_round++;
1518 
1519 		if (smp->passkey_round == 20) {
1520 			/* Generate MacKey and LTK */
1521 			if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1522 				return SMP_UNSPECIFIED;
1523 		}
1524 
1525 		/* The round is only complete when the initiator
1526 		 * receives pairing random.
1527 		 */
1528 		if (!hcon->out) {
1529 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1530 				     sizeof(smp->prnd), smp->prnd);
1531 			if (smp->passkey_round == 20)
1532 				SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1533 			else
1534 				SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1535 			return 0;
1536 		}
1537 
1538 		/* Start the next round */
1539 		if (smp->passkey_round != 20)
1540 			return sc_passkey_round(smp, 0);
1541 
1542 		/* Passkey rounds are complete - start DHKey Check */
1543 		sc_dhkey_check(smp);
1544 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1545 
1546 		break;
1547 
1548 	case SMP_CMD_PAIRING_CONFIRM:
1549 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1550 			set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1551 			return 0;
1552 		}
1553 
1554 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1555 
1556 		if (hcon->out) {
1557 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1558 				     sizeof(smp->prnd), smp->prnd);
1559 			return 0;
1560 		}
1561 
1562 		return sc_passkey_send_confirm(smp);
1563 
1564 	case SMP_CMD_PUBLIC_KEY:
1565 	default:
1566 		/* Initiating device starts the round */
1567 		if (!hcon->out)
1568 			return 0;
1569 
1570 		bt_dev_dbg(hdev, "Starting passkey round %u",
1571 			   smp->passkey_round + 1);
1572 
1573 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1574 
1575 		return sc_passkey_send_confirm(smp);
1576 	}
1577 
1578 	return 0;
1579 }
1580 
1581 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1582 {
1583 	struct l2cap_conn *conn = smp->conn;
1584 	struct hci_conn *hcon = conn->hcon;
1585 	u8 smp_op;
1586 
1587 	clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1588 
1589 	switch (mgmt_op) {
1590 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1591 		smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1592 		return 0;
1593 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1594 		smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1595 		return 0;
1596 	case MGMT_OP_USER_PASSKEY_REPLY:
1597 		hcon->passkey_notify = le32_to_cpu(passkey);
1598 		smp->passkey_round = 0;
1599 
1600 		if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1601 			smp_op = SMP_CMD_PAIRING_CONFIRM;
1602 		else
1603 			smp_op = 0;
1604 
1605 		if (sc_passkey_round(smp, smp_op))
1606 			return -EIO;
1607 
1608 		return 0;
1609 	}
1610 
1611 	/* Initiator sends DHKey check first */
1612 	if (hcon->out) {
1613 		sc_dhkey_check(smp);
1614 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1615 	} else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1616 		sc_dhkey_check(smp);
1617 		sc_add_ltk(smp);
1618 	}
1619 
1620 	return 0;
1621 }
1622 
1623 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1624 {
1625 	struct l2cap_conn *conn = hcon->l2cap_data;
1626 	struct l2cap_chan *chan;
1627 	struct smp_chan *smp;
1628 	u32 value;
1629 	int err;
1630 
1631 	if (!conn)
1632 		return -ENOTCONN;
1633 
1634 	bt_dev_dbg(conn->hcon->hdev, "");
1635 
1636 	chan = conn->smp;
1637 	if (!chan)
1638 		return -ENOTCONN;
1639 
1640 	l2cap_chan_lock(chan);
1641 	if (!chan->data) {
1642 		err = -ENOTCONN;
1643 		goto unlock;
1644 	}
1645 
1646 	smp = chan->data;
1647 
1648 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1649 		err = sc_user_reply(smp, mgmt_op, passkey);
1650 		goto unlock;
1651 	}
1652 
1653 	switch (mgmt_op) {
1654 	case MGMT_OP_USER_PASSKEY_REPLY:
1655 		value = le32_to_cpu(passkey);
1656 		memset(smp->tk, 0, sizeof(smp->tk));
1657 		bt_dev_dbg(conn->hcon->hdev, "PassKey: %d", value);
1658 		put_unaligned_le32(value, smp->tk);
1659 		fallthrough;
1660 	case MGMT_OP_USER_CONFIRM_REPLY:
1661 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1662 		break;
1663 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1664 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1665 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1666 		err = 0;
1667 		goto unlock;
1668 	default:
1669 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1670 		err = -EOPNOTSUPP;
1671 		goto unlock;
1672 	}
1673 
1674 	err = 0;
1675 
1676 	/* If it is our turn to send Pairing Confirm, do so now */
1677 	if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1678 		u8 rsp = smp_confirm(smp);
1679 		if (rsp)
1680 			smp_failure(conn, rsp);
1681 	}
1682 
1683 unlock:
1684 	l2cap_chan_unlock(chan);
1685 	return err;
1686 }
1687 
1688 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1689 				    struct smp_cmd_pairing *req,
1690 				    struct smp_cmd_pairing *rsp)
1691 {
1692 	struct l2cap_conn *conn = smp->conn;
1693 	struct hci_dev *hdev = conn->hcon->hdev;
1694 	u8 local_dist = 0, remote_dist = 0;
1695 
1696 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1697 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1698 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1699 	}
1700 
1701 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1702 		remote_dist |= SMP_DIST_ID_KEY;
1703 
1704 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1705 		local_dist |= SMP_DIST_ID_KEY;
1706 
1707 	if (!rsp) {
1708 		memset(req, 0, sizeof(*req));
1709 
1710 		req->auth_req        = SMP_AUTH_CT2;
1711 		req->init_key_dist   = local_dist;
1712 		req->resp_key_dist   = remote_dist;
1713 		req->max_key_size    = conn->hcon->enc_key_size;
1714 
1715 		smp->remote_key_dist = remote_dist;
1716 
1717 		return;
1718 	}
1719 
1720 	memset(rsp, 0, sizeof(*rsp));
1721 
1722 	rsp->auth_req        = SMP_AUTH_CT2;
1723 	rsp->max_key_size    = conn->hcon->enc_key_size;
1724 	rsp->init_key_dist   = req->init_key_dist & remote_dist;
1725 	rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1726 
1727 	smp->remote_key_dist = rsp->init_key_dist;
1728 }
1729 
1730 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1731 {
1732 	struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1733 	struct l2cap_chan *chan = conn->smp;
1734 	struct hci_dev *hdev = conn->hcon->hdev;
1735 	struct smp_chan *smp;
1736 	u8 key_size, auth, sec_level;
1737 	int ret;
1738 
1739 	bt_dev_dbg(hdev, "conn %p", conn);
1740 
1741 	if (skb->len < sizeof(*req))
1742 		return SMP_INVALID_PARAMS;
1743 
1744 	if (conn->hcon->role != HCI_ROLE_SLAVE)
1745 		return SMP_CMD_NOTSUPP;
1746 
1747 	if (!chan->data)
1748 		smp = smp_chan_create(conn);
1749 	else
1750 		smp = chan->data;
1751 
1752 	if (!smp)
1753 		return SMP_UNSPECIFIED;
1754 
1755 	/* We didn't start the pairing, so match remote */
1756 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
1757 
1758 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1759 	    (auth & SMP_AUTH_BONDING))
1760 		return SMP_PAIRING_NOTSUPP;
1761 
1762 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1763 		return SMP_AUTH_REQUIREMENTS;
1764 
1765 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
1766 	memcpy(&smp->preq[1], req, sizeof(*req));
1767 	skb_pull(skb, sizeof(*req));
1768 
1769 	/* If the remote side's OOB flag is set it means it has
1770 	 * successfully received our local OOB data - therefore set the
1771 	 * flag to indicate that local OOB is in use.
1772 	 */
1773 	if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1774 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1775 
1776 	/* SMP over BR/EDR requires special treatment */
1777 	if (conn->hcon->type == ACL_LINK) {
1778 		/* We must have a BR/EDR SC link */
1779 		if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1780 		    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1781 			return SMP_CROSS_TRANSP_NOT_ALLOWED;
1782 
1783 		set_bit(SMP_FLAG_SC, &smp->flags);
1784 
1785 		build_bredr_pairing_cmd(smp, req, &rsp);
1786 
1787 		if (req->auth_req & SMP_AUTH_CT2)
1788 			set_bit(SMP_FLAG_CT2, &smp->flags);
1789 
1790 		key_size = min(req->max_key_size, rsp.max_key_size);
1791 		if (check_enc_key_size(conn, key_size))
1792 			return SMP_ENC_KEY_SIZE;
1793 
1794 		/* Clear bits which are generated but not distributed */
1795 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1796 
1797 		smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1798 		memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1799 		smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1800 
1801 		smp_distribute_keys(smp);
1802 		return 0;
1803 	}
1804 
1805 	build_pairing_cmd(conn, req, &rsp, auth);
1806 
1807 	if (rsp.auth_req & SMP_AUTH_SC) {
1808 		set_bit(SMP_FLAG_SC, &smp->flags);
1809 
1810 		if (rsp.auth_req & SMP_AUTH_CT2)
1811 			set_bit(SMP_FLAG_CT2, &smp->flags);
1812 	}
1813 
1814 	if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1815 		sec_level = BT_SECURITY_MEDIUM;
1816 	else
1817 		sec_level = authreq_to_seclevel(auth);
1818 
1819 	if (sec_level > conn->hcon->pending_sec_level)
1820 		conn->hcon->pending_sec_level = sec_level;
1821 
1822 	/* If we need MITM check that it can be achieved */
1823 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1824 		u8 method;
1825 
1826 		method = get_auth_method(smp, conn->hcon->io_capability,
1827 					 req->io_capability);
1828 		if (method == JUST_WORKS || method == JUST_CFM)
1829 			return SMP_AUTH_REQUIREMENTS;
1830 	}
1831 
1832 	key_size = min(req->max_key_size, rsp.max_key_size);
1833 	if (check_enc_key_size(conn, key_size))
1834 		return SMP_ENC_KEY_SIZE;
1835 
1836 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1837 
1838 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1839 	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1840 
1841 	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1842 
1843 	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1844 
1845 	/* Strictly speaking we shouldn't allow Pairing Confirm for the
1846 	 * SC case, however some implementations incorrectly copy RFU auth
1847 	 * req bits from our security request, which may create a false
1848 	 * positive SC enablement.
1849 	 */
1850 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1851 
1852 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1853 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1854 		/* Clear bits which are generated but not distributed */
1855 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1856 		/* Wait for Public Key from Initiating Device */
1857 		return 0;
1858 	}
1859 
1860 	/* Request setup of TK */
1861 	ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1862 	if (ret)
1863 		return SMP_UNSPECIFIED;
1864 
1865 	return 0;
1866 }
1867 
1868 static u8 sc_send_public_key(struct smp_chan *smp)
1869 {
1870 	struct hci_dev *hdev = smp->conn->hcon->hdev;
1871 
1872 	bt_dev_dbg(hdev, "");
1873 
1874 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1875 		struct l2cap_chan *chan = hdev->smp_data;
1876 		struct smp_dev *smp_dev;
1877 
1878 		if (!chan || !chan->data)
1879 			return SMP_UNSPECIFIED;
1880 
1881 		smp_dev = chan->data;
1882 
1883 		memcpy(smp->local_pk, smp_dev->local_pk, 64);
1884 		memcpy(smp->lr, smp_dev->local_rand, 16);
1885 
1886 		if (smp_dev->debug_key)
1887 			set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1888 
1889 		goto done;
1890 	}
1891 
1892 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1893 		bt_dev_dbg(hdev, "Using debug keys");
1894 		if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
1895 			return SMP_UNSPECIFIED;
1896 		memcpy(smp->local_pk, debug_pk, 64);
1897 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1898 	} else {
1899 		while (true) {
1900 			/* Generate key pair for Secure Connections */
1901 			if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
1902 				return SMP_UNSPECIFIED;
1903 
1904 			/* This is unlikely, but we need to check that
1905 			 * we didn't accidentially generate a debug key.
1906 			 */
1907 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
1908 				break;
1909 		}
1910 	}
1911 
1912 done:
1913 	SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1914 	SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1915 
1916 	smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1917 
1918 	return 0;
1919 }
1920 
1921 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1922 {
1923 	struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1924 	struct l2cap_chan *chan = conn->smp;
1925 	struct smp_chan *smp = chan->data;
1926 	struct hci_dev *hdev = conn->hcon->hdev;
1927 	u8 key_size, auth;
1928 	int ret;
1929 
1930 	bt_dev_dbg(hdev, "conn %p", conn);
1931 
1932 	if (skb->len < sizeof(*rsp))
1933 		return SMP_INVALID_PARAMS;
1934 
1935 	if (conn->hcon->role != HCI_ROLE_MASTER)
1936 		return SMP_CMD_NOTSUPP;
1937 
1938 	skb_pull(skb, sizeof(*rsp));
1939 
1940 	req = (void *) &smp->preq[1];
1941 
1942 	key_size = min(req->max_key_size, rsp->max_key_size);
1943 	if (check_enc_key_size(conn, key_size))
1944 		return SMP_ENC_KEY_SIZE;
1945 
1946 	auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1947 
1948 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1949 		return SMP_AUTH_REQUIREMENTS;
1950 
1951 	/* If the remote side's OOB flag is set it means it has
1952 	 * successfully received our local OOB data - therefore set the
1953 	 * flag to indicate that local OOB is in use.
1954 	 */
1955 	if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1956 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1957 
1958 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1959 	memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1960 
1961 	/* Update remote key distribution in case the remote cleared
1962 	 * some bits that we had enabled in our request.
1963 	 */
1964 	smp->remote_key_dist &= rsp->resp_key_dist;
1965 
1966 	if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1967 		set_bit(SMP_FLAG_CT2, &smp->flags);
1968 
1969 	/* For BR/EDR this means we're done and can start phase 3 */
1970 	if (conn->hcon->type == ACL_LINK) {
1971 		/* Clear bits which are generated but not distributed */
1972 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1973 		smp_distribute_keys(smp);
1974 		return 0;
1975 	}
1976 
1977 	if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1978 		set_bit(SMP_FLAG_SC, &smp->flags);
1979 	else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1980 		conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1981 
1982 	/* If we need MITM check that it can be achieved */
1983 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1984 		u8 method;
1985 
1986 		method = get_auth_method(smp, req->io_capability,
1987 					 rsp->io_capability);
1988 		if (method == JUST_WORKS || method == JUST_CFM)
1989 			return SMP_AUTH_REQUIREMENTS;
1990 	}
1991 
1992 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1993 
1994 	/* Update remote key distribution in case the remote cleared
1995 	 * some bits that we had enabled in our request.
1996 	 */
1997 	smp->remote_key_dist &= rsp->resp_key_dist;
1998 
1999 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2000 		/* Clear bits which are generated but not distributed */
2001 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
2002 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2003 		return sc_send_public_key(smp);
2004 	}
2005 
2006 	auth |= req->auth_req;
2007 
2008 	ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2009 	if (ret)
2010 		return SMP_UNSPECIFIED;
2011 
2012 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2013 
2014 	/* Can't compose response until we have been confirmed */
2015 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2016 		return smp_confirm(smp);
2017 
2018 	return 0;
2019 }
2020 
2021 static u8 sc_check_confirm(struct smp_chan *smp)
2022 {
2023 	struct l2cap_conn *conn = smp->conn;
2024 
2025 	bt_dev_dbg(conn->hcon->hdev, "");
2026 
2027 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2028 		return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2029 
2030 	if (conn->hcon->out) {
2031 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2032 			     smp->prnd);
2033 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2034 	}
2035 
2036 	return 0;
2037 }
2038 
2039 /* Work-around for some implementations that incorrectly copy RFU bits
2040  * from our security request and thereby create the impression that
2041  * we're doing SC when in fact the remote doesn't support it.
2042  */
2043 static int fixup_sc_false_positive(struct smp_chan *smp)
2044 {
2045 	struct l2cap_conn *conn = smp->conn;
2046 	struct hci_conn *hcon = conn->hcon;
2047 	struct hci_dev *hdev = hcon->hdev;
2048 	struct smp_cmd_pairing *req, *rsp;
2049 	u8 auth;
2050 
2051 	/* The issue is only observed when we're in slave role */
2052 	if (hcon->out)
2053 		return SMP_UNSPECIFIED;
2054 
2055 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2056 		bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
2057 		return SMP_UNSPECIFIED;
2058 	}
2059 
2060 	bt_dev_err(hdev, "trying to fall back to legacy SMP");
2061 
2062 	req = (void *) &smp->preq[1];
2063 	rsp = (void *) &smp->prsp[1];
2064 
2065 	/* Rebuild key dist flags which may have been cleared for SC */
2066 	smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2067 
2068 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
2069 
2070 	if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2071 		bt_dev_err(hdev, "failed to fall back to legacy SMP");
2072 		return SMP_UNSPECIFIED;
2073 	}
2074 
2075 	clear_bit(SMP_FLAG_SC, &smp->flags);
2076 
2077 	return 0;
2078 }
2079 
2080 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2081 {
2082 	struct l2cap_chan *chan = conn->smp;
2083 	struct smp_chan *smp = chan->data;
2084 	struct hci_conn *hcon = conn->hcon;
2085 	struct hci_dev *hdev = hcon->hdev;
2086 
2087 	bt_dev_dbg(hdev, "conn %p %s", conn, hcon->out ? "master" : "slave");
2088 
2089 	if (skb->len < sizeof(smp->pcnf))
2090 		return SMP_INVALID_PARAMS;
2091 
2092 	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2093 	skb_pull(skb, sizeof(smp->pcnf));
2094 
2095 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2096 		int ret;
2097 
2098 		/* Public Key exchange must happen before any other steps */
2099 		if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2100 			return sc_check_confirm(smp);
2101 
2102 		bt_dev_err(hdev, "Unexpected SMP Pairing Confirm");
2103 
2104 		ret = fixup_sc_false_positive(smp);
2105 		if (ret)
2106 			return ret;
2107 	}
2108 
2109 	if (conn->hcon->out) {
2110 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2111 			     smp->prnd);
2112 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2113 		return 0;
2114 	}
2115 
2116 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2117 		return smp_confirm(smp);
2118 
2119 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2120 
2121 	return 0;
2122 }
2123 
2124 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2125 {
2126 	struct l2cap_chan *chan = conn->smp;
2127 	struct smp_chan *smp = chan->data;
2128 	struct hci_conn *hcon = conn->hcon;
2129 	u8 *pkax, *pkbx, *na, *nb, confirm_hint;
2130 	u32 passkey;
2131 	int err;
2132 
2133 	bt_dev_dbg(hcon->hdev, "conn %p", conn);
2134 
2135 	if (skb->len < sizeof(smp->rrnd))
2136 		return SMP_INVALID_PARAMS;
2137 
2138 	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2139 	skb_pull(skb, sizeof(smp->rrnd));
2140 
2141 	if (!test_bit(SMP_FLAG_SC, &smp->flags))
2142 		return smp_random(smp);
2143 
2144 	if (hcon->out) {
2145 		pkax = smp->local_pk;
2146 		pkbx = smp->remote_pk;
2147 		na   = smp->prnd;
2148 		nb   = smp->rrnd;
2149 	} else {
2150 		pkax = smp->remote_pk;
2151 		pkbx = smp->local_pk;
2152 		na   = smp->rrnd;
2153 		nb   = smp->prnd;
2154 	}
2155 
2156 	if (smp->method == REQ_OOB) {
2157 		if (!hcon->out)
2158 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2159 				     sizeof(smp->prnd), smp->prnd);
2160 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2161 		goto mackey_and_ltk;
2162 	}
2163 
2164 	/* Passkey entry has special treatment */
2165 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2166 		return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2167 
2168 	if (hcon->out) {
2169 		u8 cfm[16];
2170 
2171 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2172 			     smp->rrnd, 0, cfm);
2173 		if (err)
2174 			return SMP_UNSPECIFIED;
2175 
2176 		if (crypto_memneq(smp->pcnf, cfm, 16))
2177 			return SMP_CONFIRM_FAILED;
2178 	} else {
2179 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2180 			     smp->prnd);
2181 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2182 
2183 		/* Only Just-Works pairing requires extra checks */
2184 		if (smp->method != JUST_WORKS)
2185 			goto mackey_and_ltk;
2186 
2187 		/* If there already exists long term key in local host, leave
2188 		 * the decision to user space since the remote device could
2189 		 * be legitimate or malicious.
2190 		 */
2191 		if (hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
2192 				 hcon->role)) {
2193 			/* Set passkey to 0. The value can be any number since
2194 			 * it'll be ignored anyway.
2195 			 */
2196 			passkey = 0;
2197 			confirm_hint = 1;
2198 			goto confirm;
2199 		}
2200 	}
2201 
2202 mackey_and_ltk:
2203 	/* Generate MacKey and LTK */
2204 	err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2205 	if (err)
2206 		return SMP_UNSPECIFIED;
2207 
2208 	if (smp->method == REQ_OOB) {
2209 		if (hcon->out) {
2210 			sc_dhkey_check(smp);
2211 			SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2212 		}
2213 		return 0;
2214 	}
2215 
2216 	err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2217 	if (err)
2218 		return SMP_UNSPECIFIED;
2219 
2220 	confirm_hint = 0;
2221 
2222 confirm:
2223 	if (smp->method == JUST_WORKS)
2224 		confirm_hint = 1;
2225 
2226 	err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2227 					hcon->dst_type, passkey, confirm_hint);
2228 	if (err)
2229 		return SMP_UNSPECIFIED;
2230 
2231 	set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2232 
2233 	return 0;
2234 }
2235 
2236 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2237 {
2238 	struct smp_ltk *key;
2239 	struct hci_conn *hcon = conn->hcon;
2240 
2241 	key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2242 	if (!key)
2243 		return false;
2244 
2245 	if (smp_ltk_sec_level(key) < sec_level)
2246 		return false;
2247 
2248 	if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2249 		return true;
2250 
2251 	hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2252 	hcon->enc_key_size = key->enc_size;
2253 
2254 	/* We never store STKs for master role, so clear this flag */
2255 	clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2256 
2257 	return true;
2258 }
2259 
2260 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2261 			     enum smp_key_pref key_pref)
2262 {
2263 	if (sec_level == BT_SECURITY_LOW)
2264 		return true;
2265 
2266 	/* If we're encrypted with an STK but the caller prefers using
2267 	 * LTK claim insufficient security. This way we allow the
2268 	 * connection to be re-encrypted with an LTK, even if the LTK
2269 	 * provides the same level of security. Only exception is if we
2270 	 * don't have an LTK (e.g. because of key distribution bits).
2271 	 */
2272 	if (key_pref == SMP_USE_LTK &&
2273 	    test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2274 	    hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2275 		return false;
2276 
2277 	if (hcon->sec_level >= sec_level)
2278 		return true;
2279 
2280 	return false;
2281 }
2282 
2283 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2284 {
2285 	struct smp_cmd_security_req *rp = (void *) skb->data;
2286 	struct smp_cmd_pairing cp;
2287 	struct hci_conn *hcon = conn->hcon;
2288 	struct hci_dev *hdev = hcon->hdev;
2289 	struct smp_chan *smp;
2290 	u8 sec_level, auth;
2291 
2292 	bt_dev_dbg(hdev, "conn %p", conn);
2293 
2294 	if (skb->len < sizeof(*rp))
2295 		return SMP_INVALID_PARAMS;
2296 
2297 	if (hcon->role != HCI_ROLE_MASTER)
2298 		return SMP_CMD_NOTSUPP;
2299 
2300 	auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2301 
2302 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2303 		return SMP_AUTH_REQUIREMENTS;
2304 
2305 	if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2306 		sec_level = BT_SECURITY_MEDIUM;
2307 	else
2308 		sec_level = authreq_to_seclevel(auth);
2309 
2310 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2311 		/* If link is already encrypted with sufficient security we
2312 		 * still need refresh encryption as per Core Spec 5.0 Vol 3,
2313 		 * Part H 2.4.6
2314 		 */
2315 		smp_ltk_encrypt(conn, hcon->sec_level);
2316 		return 0;
2317 	}
2318 
2319 	if (sec_level > hcon->pending_sec_level)
2320 		hcon->pending_sec_level = sec_level;
2321 
2322 	if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2323 		return 0;
2324 
2325 	smp = smp_chan_create(conn);
2326 	if (!smp)
2327 		return SMP_UNSPECIFIED;
2328 
2329 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2330 	    (auth & SMP_AUTH_BONDING))
2331 		return SMP_PAIRING_NOTSUPP;
2332 
2333 	skb_pull(skb, sizeof(*rp));
2334 
2335 	memset(&cp, 0, sizeof(cp));
2336 	build_pairing_cmd(conn, &cp, NULL, auth);
2337 
2338 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2339 	memcpy(&smp->preq[1], &cp, sizeof(cp));
2340 
2341 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2342 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2343 
2344 	return 0;
2345 }
2346 
2347 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2348 {
2349 	struct l2cap_conn *conn = hcon->l2cap_data;
2350 	struct l2cap_chan *chan;
2351 	struct smp_chan *smp;
2352 	__u8 authreq;
2353 	int ret;
2354 
2355 	bt_dev_dbg(hcon->hdev, "conn %p hcon %p level 0x%2.2x", conn, hcon,
2356 		   sec_level);
2357 
2358 	/* This may be NULL if there's an unexpected disconnection */
2359 	if (!conn)
2360 		return 1;
2361 
2362 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2363 		return 1;
2364 
2365 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2366 		return 1;
2367 
2368 	if (sec_level > hcon->pending_sec_level)
2369 		hcon->pending_sec_level = sec_level;
2370 
2371 	if (hcon->role == HCI_ROLE_MASTER)
2372 		if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2373 			return 0;
2374 
2375 	chan = conn->smp;
2376 	if (!chan) {
2377 		bt_dev_err(hcon->hdev, "security requested but not available");
2378 		return 1;
2379 	}
2380 
2381 	l2cap_chan_lock(chan);
2382 
2383 	/* If SMP is already in progress ignore this request */
2384 	if (chan->data) {
2385 		ret = 0;
2386 		goto unlock;
2387 	}
2388 
2389 	smp = smp_chan_create(conn);
2390 	if (!smp) {
2391 		ret = 1;
2392 		goto unlock;
2393 	}
2394 
2395 	authreq = seclevel_to_authreq(sec_level);
2396 
2397 	if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2398 		authreq |= SMP_AUTH_SC;
2399 		if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2400 			authreq |= SMP_AUTH_CT2;
2401 	}
2402 
2403 	/* Don't attempt to set MITM if setting is overridden by debugfs
2404 	 * Needed to pass certification test SM/MAS/PKE/BV-01-C
2405 	 */
2406 	if (!hci_dev_test_flag(hcon->hdev, HCI_FORCE_NO_MITM)) {
2407 		/* Require MITM if IO Capability allows or the security level
2408 		 * requires it.
2409 		 */
2410 		if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2411 		    hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2412 			authreq |= SMP_AUTH_MITM;
2413 	}
2414 
2415 	if (hcon->role == HCI_ROLE_MASTER) {
2416 		struct smp_cmd_pairing cp;
2417 
2418 		build_pairing_cmd(conn, &cp, NULL, authreq);
2419 		smp->preq[0] = SMP_CMD_PAIRING_REQ;
2420 		memcpy(&smp->preq[1], &cp, sizeof(cp));
2421 
2422 		smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2423 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2424 	} else {
2425 		struct smp_cmd_security_req cp;
2426 		cp.auth_req = authreq;
2427 		smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2428 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2429 	}
2430 
2431 	set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2432 	ret = 0;
2433 
2434 unlock:
2435 	l2cap_chan_unlock(chan);
2436 	return ret;
2437 }
2438 
2439 int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2440 				  u8 addr_type)
2441 {
2442 	struct hci_conn *hcon;
2443 	struct l2cap_conn *conn;
2444 	struct l2cap_chan *chan;
2445 	struct smp_chan *smp;
2446 	int err;
2447 
2448 	err = hci_remove_ltk(hdev, bdaddr, addr_type);
2449 	hci_remove_irk(hdev, bdaddr, addr_type);
2450 
2451 	hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2452 	if (!hcon)
2453 		goto done;
2454 
2455 	conn = hcon->l2cap_data;
2456 	if (!conn)
2457 		goto done;
2458 
2459 	chan = conn->smp;
2460 	if (!chan)
2461 		goto done;
2462 
2463 	l2cap_chan_lock(chan);
2464 
2465 	smp = chan->data;
2466 	if (smp) {
2467 		/* Set keys to NULL to make sure smp_failure() does not try to
2468 		 * remove and free already invalidated rcu list entries. */
2469 		smp->ltk = NULL;
2470 		smp->slave_ltk = NULL;
2471 		smp->remote_irk = NULL;
2472 
2473 		if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2474 			smp_failure(conn, 0);
2475 		else
2476 			smp_failure(conn, SMP_UNSPECIFIED);
2477 		err = 0;
2478 	}
2479 
2480 	l2cap_chan_unlock(chan);
2481 
2482 done:
2483 	return err;
2484 }
2485 
2486 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2487 {
2488 	struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2489 	struct l2cap_chan *chan = conn->smp;
2490 	struct smp_chan *smp = chan->data;
2491 
2492 	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
2493 
2494 	if (skb->len < sizeof(*rp))
2495 		return SMP_INVALID_PARAMS;
2496 
2497 	/* Pairing is aborted if any blocked keys are distributed */
2498 	if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_LTK,
2499 			       rp->ltk)) {
2500 		bt_dev_warn_ratelimited(conn->hcon->hdev,
2501 					"LTK blocked for %pMR",
2502 					&conn->hcon->dst);
2503 		return SMP_INVALID_PARAMS;
2504 	}
2505 
2506 	SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2507 
2508 	skb_pull(skb, sizeof(*rp));
2509 
2510 	memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2511 
2512 	return 0;
2513 }
2514 
2515 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2516 {
2517 	struct smp_cmd_master_ident *rp = (void *) skb->data;
2518 	struct l2cap_chan *chan = conn->smp;
2519 	struct smp_chan *smp = chan->data;
2520 	struct hci_dev *hdev = conn->hcon->hdev;
2521 	struct hci_conn *hcon = conn->hcon;
2522 	struct smp_ltk *ltk;
2523 	u8 authenticated;
2524 
2525 	bt_dev_dbg(hdev, "conn %p", conn);
2526 
2527 	if (skb->len < sizeof(*rp))
2528 		return SMP_INVALID_PARAMS;
2529 
2530 	/* Mark the information as received */
2531 	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2532 
2533 	if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2534 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2535 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
2536 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2537 
2538 	skb_pull(skb, sizeof(*rp));
2539 
2540 	authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2541 	ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2542 			  authenticated, smp->tk, smp->enc_key_size,
2543 			  rp->ediv, rp->rand);
2544 	smp->ltk = ltk;
2545 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2546 		smp_distribute_keys(smp);
2547 
2548 	return 0;
2549 }
2550 
2551 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2552 {
2553 	struct smp_cmd_ident_info *info = (void *) skb->data;
2554 	struct l2cap_chan *chan = conn->smp;
2555 	struct smp_chan *smp = chan->data;
2556 
2557 	bt_dev_dbg(conn->hcon->hdev, "");
2558 
2559 	if (skb->len < sizeof(*info))
2560 		return SMP_INVALID_PARAMS;
2561 
2562 	/* Pairing is aborted if any blocked keys are distributed */
2563 	if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_IRK,
2564 			       info->irk)) {
2565 		bt_dev_warn_ratelimited(conn->hcon->hdev,
2566 					"Identity key blocked for %pMR",
2567 					&conn->hcon->dst);
2568 		return SMP_INVALID_PARAMS;
2569 	}
2570 
2571 	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2572 
2573 	skb_pull(skb, sizeof(*info));
2574 
2575 	memcpy(smp->irk, info->irk, 16);
2576 
2577 	return 0;
2578 }
2579 
2580 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2581 				   struct sk_buff *skb)
2582 {
2583 	struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2584 	struct l2cap_chan *chan = conn->smp;
2585 	struct smp_chan *smp = chan->data;
2586 	struct hci_conn *hcon = conn->hcon;
2587 	bdaddr_t rpa;
2588 
2589 	bt_dev_dbg(hcon->hdev, "");
2590 
2591 	if (skb->len < sizeof(*info))
2592 		return SMP_INVALID_PARAMS;
2593 
2594 	/* Mark the information as received */
2595 	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2596 
2597 	if (smp->remote_key_dist & SMP_DIST_SIGN)
2598 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2599 
2600 	skb_pull(skb, sizeof(*info));
2601 
2602 	/* Strictly speaking the Core Specification (4.1) allows sending
2603 	 * an empty address which would force us to rely on just the IRK
2604 	 * as "identity information". However, since such
2605 	 * implementations are not known of and in order to not over
2606 	 * complicate our implementation, simply pretend that we never
2607 	 * received an IRK for such a device.
2608 	 *
2609 	 * The Identity Address must also be a Static Random or Public
2610 	 * Address, which hci_is_identity_address() checks for.
2611 	 */
2612 	if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2613 	    !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2614 		bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
2615 		goto distribute;
2616 	}
2617 
2618 	/* Drop IRK if peer is using identity address during pairing but is
2619 	 * providing different address as identity information.
2620 	 *
2621 	 * Microsoft Surface Precision Mouse is known to have this bug.
2622 	 */
2623 	if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
2624 	    (bacmp(&info->bdaddr, &hcon->dst) ||
2625 	     info->addr_type != hcon->dst_type)) {
2626 		bt_dev_err(hcon->hdev,
2627 			   "ignoring IRK with invalid identity address");
2628 		goto distribute;
2629 	}
2630 
2631 	bacpy(&smp->id_addr, &info->bdaddr);
2632 	smp->id_addr_type = info->addr_type;
2633 
2634 	if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2635 		bacpy(&rpa, &hcon->dst);
2636 	else
2637 		bacpy(&rpa, BDADDR_ANY);
2638 
2639 	smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2640 				      smp->id_addr_type, smp->irk, &rpa);
2641 
2642 distribute:
2643 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2644 		smp_distribute_keys(smp);
2645 
2646 	return 0;
2647 }
2648 
2649 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2650 {
2651 	struct smp_cmd_sign_info *rp = (void *) skb->data;
2652 	struct l2cap_chan *chan = conn->smp;
2653 	struct smp_chan *smp = chan->data;
2654 	struct smp_csrk *csrk;
2655 
2656 	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
2657 
2658 	if (skb->len < sizeof(*rp))
2659 		return SMP_INVALID_PARAMS;
2660 
2661 	/* Mark the information as received */
2662 	smp->remote_key_dist &= ~SMP_DIST_SIGN;
2663 
2664 	skb_pull(skb, sizeof(*rp));
2665 
2666 	csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2667 	if (csrk) {
2668 		if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2669 			csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2670 		else
2671 			csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2672 		memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2673 	}
2674 	smp->csrk = csrk;
2675 	smp_distribute_keys(smp);
2676 
2677 	return 0;
2678 }
2679 
2680 static u8 sc_select_method(struct smp_chan *smp)
2681 {
2682 	struct l2cap_conn *conn = smp->conn;
2683 	struct hci_conn *hcon = conn->hcon;
2684 	struct smp_cmd_pairing *local, *remote;
2685 	u8 local_mitm, remote_mitm, local_io, remote_io, method;
2686 
2687 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2688 	    test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2689 		return REQ_OOB;
2690 
2691 	/* The preq/prsp contain the raw Pairing Request/Response PDUs
2692 	 * which are needed as inputs to some crypto functions. To get
2693 	 * the "struct smp_cmd_pairing" from them we need to skip the
2694 	 * first byte which contains the opcode.
2695 	 */
2696 	if (hcon->out) {
2697 		local = (void *) &smp->preq[1];
2698 		remote = (void *) &smp->prsp[1];
2699 	} else {
2700 		local = (void *) &smp->prsp[1];
2701 		remote = (void *) &smp->preq[1];
2702 	}
2703 
2704 	local_io = local->io_capability;
2705 	remote_io = remote->io_capability;
2706 
2707 	local_mitm = (local->auth_req & SMP_AUTH_MITM);
2708 	remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2709 
2710 	/* If either side wants MITM, look up the method from the table,
2711 	 * otherwise use JUST WORKS.
2712 	 */
2713 	if (local_mitm || remote_mitm)
2714 		method = get_auth_method(smp, local_io, remote_io);
2715 	else
2716 		method = JUST_WORKS;
2717 
2718 	/* Don't confirm locally initiated pairing attempts */
2719 	if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2720 		method = JUST_WORKS;
2721 
2722 	return method;
2723 }
2724 
2725 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2726 {
2727 	struct smp_cmd_public_key *key = (void *) skb->data;
2728 	struct hci_conn *hcon = conn->hcon;
2729 	struct l2cap_chan *chan = conn->smp;
2730 	struct smp_chan *smp = chan->data;
2731 	struct hci_dev *hdev = hcon->hdev;
2732 	struct crypto_kpp *tfm_ecdh;
2733 	struct smp_cmd_pairing_confirm cfm;
2734 	int err;
2735 
2736 	bt_dev_dbg(hdev, "conn %p", conn);
2737 
2738 	if (skb->len < sizeof(*key))
2739 		return SMP_INVALID_PARAMS;
2740 
2741 	/* Check if remote and local public keys are the same and debug key is
2742 	 * not in use.
2743 	 */
2744 	if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) &&
2745 	    !crypto_memneq(key, smp->local_pk, 64)) {
2746 		bt_dev_err(hdev, "Remote and local public keys are identical");
2747 		return SMP_UNSPECIFIED;
2748 	}
2749 
2750 	memcpy(smp->remote_pk, key, 64);
2751 
2752 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2753 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2754 			     smp->rr, 0, cfm.confirm_val);
2755 		if (err)
2756 			return SMP_UNSPECIFIED;
2757 
2758 		if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2759 			return SMP_CONFIRM_FAILED;
2760 	}
2761 
2762 	/* Non-initiating device sends its public key after receiving
2763 	 * the key from the initiating device.
2764 	 */
2765 	if (!hcon->out) {
2766 		err = sc_send_public_key(smp);
2767 		if (err)
2768 			return err;
2769 	}
2770 
2771 	SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2772 	SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2773 
2774 	/* Compute the shared secret on the same crypto tfm on which the private
2775 	 * key was set/generated.
2776 	 */
2777 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
2778 		struct l2cap_chan *hchan = hdev->smp_data;
2779 		struct smp_dev *smp_dev;
2780 
2781 		if (!hchan || !hchan->data)
2782 			return SMP_UNSPECIFIED;
2783 
2784 		smp_dev = hchan->data;
2785 
2786 		tfm_ecdh = smp_dev->tfm_ecdh;
2787 	} else {
2788 		tfm_ecdh = smp->tfm_ecdh;
2789 	}
2790 
2791 	if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
2792 		return SMP_UNSPECIFIED;
2793 
2794 	SMP_DBG("DHKey %32phN", smp->dhkey);
2795 
2796 	set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2797 
2798 	smp->method = sc_select_method(smp);
2799 
2800 	bt_dev_dbg(hdev, "selected method 0x%02x", smp->method);
2801 
2802 	/* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2803 	if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2804 		hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2805 	else
2806 		hcon->pending_sec_level = BT_SECURITY_FIPS;
2807 
2808 	if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2809 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2810 
2811 	if (smp->method == DSP_PASSKEY) {
2812 		get_random_bytes(&hcon->passkey_notify,
2813 				 sizeof(hcon->passkey_notify));
2814 		hcon->passkey_notify %= 1000000;
2815 		hcon->passkey_entered = 0;
2816 		smp->passkey_round = 0;
2817 		if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2818 					     hcon->dst_type,
2819 					     hcon->passkey_notify,
2820 					     hcon->passkey_entered))
2821 			return SMP_UNSPECIFIED;
2822 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2823 		return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2824 	}
2825 
2826 	if (smp->method == REQ_OOB) {
2827 		if (hcon->out)
2828 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2829 				     sizeof(smp->prnd), smp->prnd);
2830 
2831 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2832 
2833 		return 0;
2834 	}
2835 
2836 	if (hcon->out)
2837 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2838 
2839 	if (smp->method == REQ_PASSKEY) {
2840 		if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2841 					      hcon->dst_type))
2842 			return SMP_UNSPECIFIED;
2843 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2844 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2845 		return 0;
2846 	}
2847 
2848 	/* The Initiating device waits for the non-initiating device to
2849 	 * send the confirm value.
2850 	 */
2851 	if (conn->hcon->out)
2852 		return 0;
2853 
2854 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2855 		     0, cfm.confirm_val);
2856 	if (err)
2857 		return SMP_UNSPECIFIED;
2858 
2859 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2860 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2861 
2862 	return 0;
2863 }
2864 
2865 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2866 {
2867 	struct smp_cmd_dhkey_check *check = (void *) skb->data;
2868 	struct l2cap_chan *chan = conn->smp;
2869 	struct hci_conn *hcon = conn->hcon;
2870 	struct smp_chan *smp = chan->data;
2871 	u8 a[7], b[7], *local_addr, *remote_addr;
2872 	u8 io_cap[3], r[16], e[16];
2873 	int err;
2874 
2875 	bt_dev_dbg(hcon->hdev, "conn %p", conn);
2876 
2877 	if (skb->len < sizeof(*check))
2878 		return SMP_INVALID_PARAMS;
2879 
2880 	memcpy(a, &hcon->init_addr, 6);
2881 	memcpy(b, &hcon->resp_addr, 6);
2882 	a[6] = hcon->init_addr_type;
2883 	b[6] = hcon->resp_addr_type;
2884 
2885 	if (hcon->out) {
2886 		local_addr = a;
2887 		remote_addr = b;
2888 		memcpy(io_cap, &smp->prsp[1], 3);
2889 	} else {
2890 		local_addr = b;
2891 		remote_addr = a;
2892 		memcpy(io_cap, &smp->preq[1], 3);
2893 	}
2894 
2895 	memset(r, 0, sizeof(r));
2896 
2897 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2898 		put_unaligned_le32(hcon->passkey_notify, r);
2899 	else if (smp->method == REQ_OOB)
2900 		memcpy(r, smp->lr, 16);
2901 
2902 	err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2903 		     io_cap, remote_addr, local_addr, e);
2904 	if (err)
2905 		return SMP_UNSPECIFIED;
2906 
2907 	if (crypto_memneq(check->e, e, 16))
2908 		return SMP_DHKEY_CHECK_FAILED;
2909 
2910 	if (!hcon->out) {
2911 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2912 			set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2913 			return 0;
2914 		}
2915 
2916 		/* Slave sends DHKey check as response to master */
2917 		sc_dhkey_check(smp);
2918 	}
2919 
2920 	sc_add_ltk(smp);
2921 
2922 	if (hcon->out) {
2923 		hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2924 		hcon->enc_key_size = smp->enc_key_size;
2925 	}
2926 
2927 	return 0;
2928 }
2929 
2930 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2931 				   struct sk_buff *skb)
2932 {
2933 	struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2934 
2935 	bt_dev_dbg(conn->hcon->hdev, "value 0x%02x", kp->value);
2936 
2937 	return 0;
2938 }
2939 
2940 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2941 {
2942 	struct l2cap_conn *conn = chan->conn;
2943 	struct hci_conn *hcon = conn->hcon;
2944 	struct smp_chan *smp;
2945 	__u8 code, reason;
2946 	int err = 0;
2947 
2948 	if (skb->len < 1)
2949 		return -EILSEQ;
2950 
2951 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2952 		reason = SMP_PAIRING_NOTSUPP;
2953 		goto done;
2954 	}
2955 
2956 	code = skb->data[0];
2957 	skb_pull(skb, sizeof(code));
2958 
2959 	smp = chan->data;
2960 
2961 	if (code > SMP_CMD_MAX)
2962 		goto drop;
2963 
2964 	if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2965 		goto drop;
2966 
2967 	/* If we don't have a context the only allowed commands are
2968 	 * pairing request and security request.
2969 	 */
2970 	if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2971 		goto drop;
2972 
2973 	switch (code) {
2974 	case SMP_CMD_PAIRING_REQ:
2975 		reason = smp_cmd_pairing_req(conn, skb);
2976 		break;
2977 
2978 	case SMP_CMD_PAIRING_FAIL:
2979 		smp_failure(conn, 0);
2980 		err = -EPERM;
2981 		break;
2982 
2983 	case SMP_CMD_PAIRING_RSP:
2984 		reason = smp_cmd_pairing_rsp(conn, skb);
2985 		break;
2986 
2987 	case SMP_CMD_SECURITY_REQ:
2988 		reason = smp_cmd_security_req(conn, skb);
2989 		break;
2990 
2991 	case SMP_CMD_PAIRING_CONFIRM:
2992 		reason = smp_cmd_pairing_confirm(conn, skb);
2993 		break;
2994 
2995 	case SMP_CMD_PAIRING_RANDOM:
2996 		reason = smp_cmd_pairing_random(conn, skb);
2997 		break;
2998 
2999 	case SMP_CMD_ENCRYPT_INFO:
3000 		reason = smp_cmd_encrypt_info(conn, skb);
3001 		break;
3002 
3003 	case SMP_CMD_MASTER_IDENT:
3004 		reason = smp_cmd_master_ident(conn, skb);
3005 		break;
3006 
3007 	case SMP_CMD_IDENT_INFO:
3008 		reason = smp_cmd_ident_info(conn, skb);
3009 		break;
3010 
3011 	case SMP_CMD_IDENT_ADDR_INFO:
3012 		reason = smp_cmd_ident_addr_info(conn, skb);
3013 		break;
3014 
3015 	case SMP_CMD_SIGN_INFO:
3016 		reason = smp_cmd_sign_info(conn, skb);
3017 		break;
3018 
3019 	case SMP_CMD_PUBLIC_KEY:
3020 		reason = smp_cmd_public_key(conn, skb);
3021 		break;
3022 
3023 	case SMP_CMD_DHKEY_CHECK:
3024 		reason = smp_cmd_dhkey_check(conn, skb);
3025 		break;
3026 
3027 	case SMP_CMD_KEYPRESS_NOTIFY:
3028 		reason = smp_cmd_keypress_notify(conn, skb);
3029 		break;
3030 
3031 	default:
3032 		bt_dev_dbg(hcon->hdev, "Unknown command code 0x%2.2x", code);
3033 		reason = SMP_CMD_NOTSUPP;
3034 		goto done;
3035 	}
3036 
3037 done:
3038 	if (!err) {
3039 		if (reason)
3040 			smp_failure(conn, reason);
3041 		kfree_skb(skb);
3042 	}
3043 
3044 	return err;
3045 
3046 drop:
3047 	bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
3048 		   code, &hcon->dst);
3049 	kfree_skb(skb);
3050 	return 0;
3051 }
3052 
3053 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
3054 {
3055 	struct l2cap_conn *conn = chan->conn;
3056 
3057 	bt_dev_dbg(conn->hcon->hdev, "chan %p", chan);
3058 
3059 	if (chan->data)
3060 		smp_chan_destroy(conn);
3061 
3062 	conn->smp = NULL;
3063 	l2cap_chan_put(chan);
3064 }
3065 
3066 static void bredr_pairing(struct l2cap_chan *chan)
3067 {
3068 	struct l2cap_conn *conn = chan->conn;
3069 	struct hci_conn *hcon = conn->hcon;
3070 	struct hci_dev *hdev = hcon->hdev;
3071 	struct smp_cmd_pairing req;
3072 	struct smp_chan *smp;
3073 
3074 	bt_dev_dbg(hdev, "chan %p", chan);
3075 
3076 	/* Only new pairings are interesting */
3077 	if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
3078 		return;
3079 
3080 	/* Don't bother if we're not encrypted */
3081 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3082 		return;
3083 
3084 	/* Only master may initiate SMP over BR/EDR */
3085 	if (hcon->role != HCI_ROLE_MASTER)
3086 		return;
3087 
3088 	/* Secure Connections support must be enabled */
3089 	if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
3090 		return;
3091 
3092 	/* BR/EDR must use Secure Connections for SMP */
3093 	if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
3094 	    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3095 		return;
3096 
3097 	/* If our LE support is not enabled don't do anything */
3098 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3099 		return;
3100 
3101 	/* Don't bother if remote LE support is not enabled */
3102 	if (!lmp_host_le_capable(hcon))
3103 		return;
3104 
3105 	/* Remote must support SMP fixed chan for BR/EDR */
3106 	if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3107 		return;
3108 
3109 	/* Don't bother if SMP is already ongoing */
3110 	if (chan->data)
3111 		return;
3112 
3113 	smp = smp_chan_create(conn);
3114 	if (!smp) {
3115 		bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
3116 		return;
3117 	}
3118 
3119 	set_bit(SMP_FLAG_SC, &smp->flags);
3120 
3121 	bt_dev_dbg(hdev, "starting SMP over BR/EDR");
3122 
3123 	/* Prepare and send the BR/EDR SMP Pairing Request */
3124 	build_bredr_pairing_cmd(smp, &req, NULL);
3125 
3126 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
3127 	memcpy(&smp->preq[1], &req, sizeof(req));
3128 
3129 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3130 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3131 }
3132 
3133 static void smp_resume_cb(struct l2cap_chan *chan)
3134 {
3135 	struct smp_chan *smp = chan->data;
3136 	struct l2cap_conn *conn = chan->conn;
3137 	struct hci_conn *hcon = conn->hcon;
3138 
3139 	bt_dev_dbg(hcon->hdev, "chan %p", chan);
3140 
3141 	if (hcon->type == ACL_LINK) {
3142 		bredr_pairing(chan);
3143 		return;
3144 	}
3145 
3146 	if (!smp)
3147 		return;
3148 
3149 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3150 		return;
3151 
3152 	cancel_delayed_work(&smp->security_timer);
3153 
3154 	smp_distribute_keys(smp);
3155 }
3156 
3157 static void smp_ready_cb(struct l2cap_chan *chan)
3158 {
3159 	struct l2cap_conn *conn = chan->conn;
3160 	struct hci_conn *hcon = conn->hcon;
3161 
3162 	bt_dev_dbg(hcon->hdev, "chan %p", chan);
3163 
3164 	/* No need to call l2cap_chan_hold() here since we already own
3165 	 * the reference taken in smp_new_conn_cb(). This is just the
3166 	 * first time that we tie it to a specific pointer. The code in
3167 	 * l2cap_core.c ensures that there's no risk this function wont
3168 	 * get called if smp_new_conn_cb was previously called.
3169 	 */
3170 	conn->smp = chan;
3171 
3172 	if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3173 		bredr_pairing(chan);
3174 }
3175 
3176 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3177 {
3178 	int err;
3179 
3180 	bt_dev_dbg(chan->conn->hcon->hdev, "chan %p", chan);
3181 
3182 	err = smp_sig_channel(chan, skb);
3183 	if (err) {
3184 		struct smp_chan *smp = chan->data;
3185 
3186 		if (smp)
3187 			cancel_delayed_work_sync(&smp->security_timer);
3188 
3189 		hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3190 	}
3191 
3192 	return err;
3193 }
3194 
3195 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3196 					unsigned long hdr_len,
3197 					unsigned long len, int nb)
3198 {
3199 	struct sk_buff *skb;
3200 
3201 	skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3202 	if (!skb)
3203 		return ERR_PTR(-ENOMEM);
3204 
3205 	skb->priority = HCI_PRIO_MAX;
3206 	bt_cb(skb)->l2cap.chan = chan;
3207 
3208 	return skb;
3209 }
3210 
3211 static const struct l2cap_ops smp_chan_ops = {
3212 	.name			= "Security Manager",
3213 	.ready			= smp_ready_cb,
3214 	.recv			= smp_recv_cb,
3215 	.alloc_skb		= smp_alloc_skb_cb,
3216 	.teardown		= smp_teardown_cb,
3217 	.resume			= smp_resume_cb,
3218 
3219 	.new_connection		= l2cap_chan_no_new_connection,
3220 	.state_change		= l2cap_chan_no_state_change,
3221 	.close			= l2cap_chan_no_close,
3222 	.defer			= l2cap_chan_no_defer,
3223 	.suspend		= l2cap_chan_no_suspend,
3224 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3225 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3226 };
3227 
3228 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3229 {
3230 	struct l2cap_chan *chan;
3231 
3232 	bt_dev_dbg(pchan->conn->hcon->hdev, "pchan %p", pchan);
3233 
3234 	chan = l2cap_chan_create();
3235 	if (!chan)
3236 		return NULL;
3237 
3238 	chan->chan_type	= pchan->chan_type;
3239 	chan->ops	= &smp_chan_ops;
3240 	chan->scid	= pchan->scid;
3241 	chan->dcid	= chan->scid;
3242 	chan->imtu	= pchan->imtu;
3243 	chan->omtu	= pchan->omtu;
3244 	chan->mode	= pchan->mode;
3245 
3246 	/* Other L2CAP channels may request SMP routines in order to
3247 	 * change the security level. This means that the SMP channel
3248 	 * lock must be considered in its own category to avoid lockdep
3249 	 * warnings.
3250 	 */
3251 	atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3252 
3253 	bt_dev_dbg(pchan->conn->hcon->hdev, "created chan %p", chan);
3254 
3255 	return chan;
3256 }
3257 
3258 static const struct l2cap_ops smp_root_chan_ops = {
3259 	.name			= "Security Manager Root",
3260 	.new_connection		= smp_new_conn_cb,
3261 
3262 	/* None of these are implemented for the root channel */
3263 	.close			= l2cap_chan_no_close,
3264 	.alloc_skb		= l2cap_chan_no_alloc_skb,
3265 	.recv			= l2cap_chan_no_recv,
3266 	.state_change		= l2cap_chan_no_state_change,
3267 	.teardown		= l2cap_chan_no_teardown,
3268 	.ready			= l2cap_chan_no_ready,
3269 	.defer			= l2cap_chan_no_defer,
3270 	.suspend		= l2cap_chan_no_suspend,
3271 	.resume			= l2cap_chan_no_resume,
3272 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3273 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3274 };
3275 
3276 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3277 {
3278 	struct l2cap_chan *chan;
3279 	struct smp_dev *smp;
3280 	struct crypto_shash *tfm_cmac;
3281 	struct crypto_kpp *tfm_ecdh;
3282 
3283 	if (cid == L2CAP_CID_SMP_BREDR) {
3284 		smp = NULL;
3285 		goto create_chan;
3286 	}
3287 
3288 	smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3289 	if (!smp)
3290 		return ERR_PTR(-ENOMEM);
3291 
3292 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3293 	if (IS_ERR(tfm_cmac)) {
3294 		bt_dev_err(hdev, "Unable to create CMAC crypto context");
3295 		kfree_sensitive(smp);
3296 		return ERR_CAST(tfm_cmac);
3297 	}
3298 
3299 	tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
3300 	if (IS_ERR(tfm_ecdh)) {
3301 		bt_dev_err(hdev, "Unable to create ECDH crypto context");
3302 		crypto_free_shash(tfm_cmac);
3303 		kfree_sensitive(smp);
3304 		return ERR_CAST(tfm_ecdh);
3305 	}
3306 
3307 	smp->local_oob = false;
3308 	smp->tfm_cmac = tfm_cmac;
3309 	smp->tfm_ecdh = tfm_ecdh;
3310 
3311 create_chan:
3312 	chan = l2cap_chan_create();
3313 	if (!chan) {
3314 		if (smp) {
3315 			crypto_free_shash(smp->tfm_cmac);
3316 			crypto_free_kpp(smp->tfm_ecdh);
3317 			kfree_sensitive(smp);
3318 		}
3319 		return ERR_PTR(-ENOMEM);
3320 	}
3321 
3322 	chan->data = smp;
3323 
3324 	l2cap_add_scid(chan, cid);
3325 
3326 	l2cap_chan_set_defaults(chan);
3327 
3328 	if (cid == L2CAP_CID_SMP) {
3329 		u8 bdaddr_type;
3330 
3331 		hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3332 
3333 		if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3334 			chan->src_type = BDADDR_LE_PUBLIC;
3335 		else
3336 			chan->src_type = BDADDR_LE_RANDOM;
3337 	} else {
3338 		bacpy(&chan->src, &hdev->bdaddr);
3339 		chan->src_type = BDADDR_BREDR;
3340 	}
3341 
3342 	chan->state = BT_LISTEN;
3343 	chan->mode = L2CAP_MODE_BASIC;
3344 	chan->imtu = L2CAP_DEFAULT_MTU;
3345 	chan->ops = &smp_root_chan_ops;
3346 
3347 	/* Set correct nesting level for a parent/listening channel */
3348 	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3349 
3350 	return chan;
3351 }
3352 
3353 static void smp_del_chan(struct l2cap_chan *chan)
3354 {
3355 	struct smp_dev *smp;
3356 
3357 	bt_dev_dbg(chan->conn->hcon->hdev, "chan %p", chan);
3358 
3359 	smp = chan->data;
3360 	if (smp) {
3361 		chan->data = NULL;
3362 		crypto_free_shash(smp->tfm_cmac);
3363 		crypto_free_kpp(smp->tfm_ecdh);
3364 		kfree_sensitive(smp);
3365 	}
3366 
3367 	l2cap_chan_put(chan);
3368 }
3369 
3370 int smp_force_bredr(struct hci_dev *hdev, bool enable)
3371 {
3372 	if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3373 		return -EALREADY;
3374 
3375 	if (enable) {
3376 		struct l2cap_chan *chan;
3377 
3378 		chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3379 		if (IS_ERR(chan))
3380 			return PTR_ERR(chan);
3381 
3382 		hdev->smp_bredr_data = chan;
3383 	} else {
3384 		struct l2cap_chan *chan;
3385 
3386 		chan = hdev->smp_bredr_data;
3387 		hdev->smp_bredr_data = NULL;
3388 		smp_del_chan(chan);
3389 	}
3390 
3391 	hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3392 
3393 	return 0;
3394 }
3395 
3396 int smp_register(struct hci_dev *hdev)
3397 {
3398 	struct l2cap_chan *chan;
3399 
3400 	bt_dev_dbg(hdev, "");
3401 
3402 	/* If the controller does not support Low Energy operation, then
3403 	 * there is also no need to register any SMP channel.
3404 	 */
3405 	if (!lmp_le_capable(hdev))
3406 		return 0;
3407 
3408 	if (WARN_ON(hdev->smp_data)) {
3409 		chan = hdev->smp_data;
3410 		hdev->smp_data = NULL;
3411 		smp_del_chan(chan);
3412 	}
3413 
3414 	chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3415 	if (IS_ERR(chan))
3416 		return PTR_ERR(chan);
3417 
3418 	hdev->smp_data = chan;
3419 
3420 	if (!lmp_sc_capable(hdev)) {
3421 		/* Flag can be already set here (due to power toggle) */
3422 		if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3423 			return 0;
3424 	}
3425 
3426 	if (WARN_ON(hdev->smp_bredr_data)) {
3427 		chan = hdev->smp_bredr_data;
3428 		hdev->smp_bredr_data = NULL;
3429 		smp_del_chan(chan);
3430 	}
3431 
3432 	chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3433 	if (IS_ERR(chan)) {
3434 		int err = PTR_ERR(chan);
3435 		chan = hdev->smp_data;
3436 		hdev->smp_data = NULL;
3437 		smp_del_chan(chan);
3438 		return err;
3439 	}
3440 
3441 	hdev->smp_bredr_data = chan;
3442 
3443 	return 0;
3444 }
3445 
3446 void smp_unregister(struct hci_dev *hdev)
3447 {
3448 	struct l2cap_chan *chan;
3449 
3450 	if (hdev->smp_bredr_data) {
3451 		chan = hdev->smp_bredr_data;
3452 		hdev->smp_bredr_data = NULL;
3453 		smp_del_chan(chan);
3454 	}
3455 
3456 	if (hdev->smp_data) {
3457 		chan = hdev->smp_data;
3458 		hdev->smp_data = NULL;
3459 		smp_del_chan(chan);
3460 	}
3461 }
3462 
3463 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3464 
3465 static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
3466 {
3467 	u8 pk[64];
3468 	int err;
3469 
3470 	err = set_ecdh_privkey(tfm_ecdh, debug_sk);
3471 	if (err)
3472 		return err;
3473 
3474 	err = generate_ecdh_public_key(tfm_ecdh, pk);
3475 	if (err)
3476 		return err;
3477 
3478 	if (crypto_memneq(pk, debug_pk, 64))
3479 		return -EINVAL;
3480 
3481 	return 0;
3482 }
3483 
3484 static int __init test_ah(void)
3485 {
3486 	const u8 irk[16] = {
3487 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3488 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3489 	const u8 r[3] = { 0x94, 0x81, 0x70 };
3490 	const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3491 	u8 res[3];
3492 	int err;
3493 
3494 	err = smp_ah(irk, r, res);
3495 	if (err)
3496 		return err;
3497 
3498 	if (crypto_memneq(res, exp, 3))
3499 		return -EINVAL;
3500 
3501 	return 0;
3502 }
3503 
3504 static int __init test_c1(void)
3505 {
3506 	const u8 k[16] = {
3507 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3508 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3509 	const u8 r[16] = {
3510 			0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3511 			0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3512 	const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3513 	const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3514 	const u8 _iat = 0x01;
3515 	const u8 _rat = 0x00;
3516 	const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3517 	const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3518 	const u8 exp[16] = {
3519 			0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3520 			0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3521 	u8 res[16];
3522 	int err;
3523 
3524 	err = smp_c1(k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3525 	if (err)
3526 		return err;
3527 
3528 	if (crypto_memneq(res, exp, 16))
3529 		return -EINVAL;
3530 
3531 	return 0;
3532 }
3533 
3534 static int __init test_s1(void)
3535 {
3536 	const u8 k[16] = {
3537 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3538 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3539 	const u8 r1[16] = {
3540 			0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3541 	const u8 r2[16] = {
3542 			0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3543 	const u8 exp[16] = {
3544 			0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3545 			0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3546 	u8 res[16];
3547 	int err;
3548 
3549 	err = smp_s1(k, r1, r2, res);
3550 	if (err)
3551 		return err;
3552 
3553 	if (crypto_memneq(res, exp, 16))
3554 		return -EINVAL;
3555 
3556 	return 0;
3557 }
3558 
3559 static int __init test_f4(struct crypto_shash *tfm_cmac)
3560 {
3561 	const u8 u[32] = {
3562 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3563 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3564 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3565 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3566 	const u8 v[32] = {
3567 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3568 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3569 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3570 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3571 	const u8 x[16] = {
3572 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3573 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3574 	const u8 z = 0x00;
3575 	const u8 exp[16] = {
3576 			0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3577 			0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3578 	u8 res[16];
3579 	int err;
3580 
3581 	err = smp_f4(tfm_cmac, u, v, x, z, res);
3582 	if (err)
3583 		return err;
3584 
3585 	if (crypto_memneq(res, exp, 16))
3586 		return -EINVAL;
3587 
3588 	return 0;
3589 }
3590 
3591 static int __init test_f5(struct crypto_shash *tfm_cmac)
3592 {
3593 	const u8 w[32] = {
3594 			0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3595 			0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3596 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3597 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3598 	const u8 n1[16] = {
3599 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3600 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3601 	const u8 n2[16] = {
3602 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3603 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3604 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3605 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3606 	const u8 exp_ltk[16] = {
3607 			0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3608 			0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3609 	const u8 exp_mackey[16] = {
3610 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3611 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3612 	u8 mackey[16], ltk[16];
3613 	int err;
3614 
3615 	err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3616 	if (err)
3617 		return err;
3618 
3619 	if (crypto_memneq(mackey, exp_mackey, 16))
3620 		return -EINVAL;
3621 
3622 	if (crypto_memneq(ltk, exp_ltk, 16))
3623 		return -EINVAL;
3624 
3625 	return 0;
3626 }
3627 
3628 static int __init test_f6(struct crypto_shash *tfm_cmac)
3629 {
3630 	const u8 w[16] = {
3631 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3632 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3633 	const u8 n1[16] = {
3634 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3635 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3636 	const u8 n2[16] = {
3637 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3638 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3639 	const u8 r[16] = {
3640 			0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3641 			0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3642 	const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3643 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3644 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3645 	const u8 exp[16] = {
3646 			0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3647 			0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3648 	u8 res[16];
3649 	int err;
3650 
3651 	err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3652 	if (err)
3653 		return err;
3654 
3655 	if (crypto_memneq(res, exp, 16))
3656 		return -EINVAL;
3657 
3658 	return 0;
3659 }
3660 
3661 static int __init test_g2(struct crypto_shash *tfm_cmac)
3662 {
3663 	const u8 u[32] = {
3664 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3665 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3666 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3667 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3668 	const u8 v[32] = {
3669 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3670 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3671 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3672 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3673 	const u8 x[16] = {
3674 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3675 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3676 	const u8 y[16] = {
3677 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3678 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3679 	const u32 exp_val = 0x2f9ed5ba % 1000000;
3680 	u32 val;
3681 	int err;
3682 
3683 	err = smp_g2(tfm_cmac, u, v, x, y, &val);
3684 	if (err)
3685 		return err;
3686 
3687 	if (val != exp_val)
3688 		return -EINVAL;
3689 
3690 	return 0;
3691 }
3692 
3693 static int __init test_h6(struct crypto_shash *tfm_cmac)
3694 {
3695 	const u8 w[16] = {
3696 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3697 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3698 	const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3699 	const u8 exp[16] = {
3700 			0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3701 			0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3702 	u8 res[16];
3703 	int err;
3704 
3705 	err = smp_h6(tfm_cmac, w, key_id, res);
3706 	if (err)
3707 		return err;
3708 
3709 	if (crypto_memneq(res, exp, 16))
3710 		return -EINVAL;
3711 
3712 	return 0;
3713 }
3714 
3715 static char test_smp_buffer[32];
3716 
3717 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3718 			     size_t count, loff_t *ppos)
3719 {
3720 	return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3721 				       strlen(test_smp_buffer));
3722 }
3723 
3724 static const struct file_operations test_smp_fops = {
3725 	.open		= simple_open,
3726 	.read		= test_smp_read,
3727 	.llseek		= default_llseek,
3728 };
3729 
3730 static int __init run_selftests(struct crypto_shash *tfm_cmac,
3731 				struct crypto_kpp *tfm_ecdh)
3732 {
3733 	ktime_t calltime, delta, rettime;
3734 	unsigned long long duration;
3735 	int err;
3736 
3737 	calltime = ktime_get();
3738 
3739 	err = test_debug_key(tfm_ecdh);
3740 	if (err) {
3741 		BT_ERR("debug_key test failed");
3742 		goto done;
3743 	}
3744 
3745 	err = test_ah();
3746 	if (err) {
3747 		BT_ERR("smp_ah test failed");
3748 		goto done;
3749 	}
3750 
3751 	err = test_c1();
3752 	if (err) {
3753 		BT_ERR("smp_c1 test failed");
3754 		goto done;
3755 	}
3756 
3757 	err = test_s1();
3758 	if (err) {
3759 		BT_ERR("smp_s1 test failed");
3760 		goto done;
3761 	}
3762 
3763 	err = test_f4(tfm_cmac);
3764 	if (err) {
3765 		BT_ERR("smp_f4 test failed");
3766 		goto done;
3767 	}
3768 
3769 	err = test_f5(tfm_cmac);
3770 	if (err) {
3771 		BT_ERR("smp_f5 test failed");
3772 		goto done;
3773 	}
3774 
3775 	err = test_f6(tfm_cmac);
3776 	if (err) {
3777 		BT_ERR("smp_f6 test failed");
3778 		goto done;
3779 	}
3780 
3781 	err = test_g2(tfm_cmac);
3782 	if (err) {
3783 		BT_ERR("smp_g2 test failed");
3784 		goto done;
3785 	}
3786 
3787 	err = test_h6(tfm_cmac);
3788 	if (err) {
3789 		BT_ERR("smp_h6 test failed");
3790 		goto done;
3791 	}
3792 
3793 	rettime = ktime_get();
3794 	delta = ktime_sub(rettime, calltime);
3795 	duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3796 
3797 	BT_INFO("SMP test passed in %llu usecs", duration);
3798 
3799 done:
3800 	if (!err)
3801 		snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3802 			 "PASS (%llu usecs)\n", duration);
3803 	else
3804 		snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3805 
3806 	debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3807 			    &test_smp_fops);
3808 
3809 	return err;
3810 }
3811 
3812 int __init bt_selftest_smp(void)
3813 {
3814 	struct crypto_shash *tfm_cmac;
3815 	struct crypto_kpp *tfm_ecdh;
3816 	int err;
3817 
3818 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3819 	if (IS_ERR(tfm_cmac)) {
3820 		BT_ERR("Unable to create CMAC crypto context");
3821 		return PTR_ERR(tfm_cmac);
3822 	}
3823 
3824 	tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
3825 	if (IS_ERR(tfm_ecdh)) {
3826 		BT_ERR("Unable to create ECDH crypto context");
3827 		crypto_free_shash(tfm_cmac);
3828 		return PTR_ERR(tfm_ecdh);
3829 	}
3830 
3831 	err = run_selftests(tfm_cmac, tfm_ecdh);
3832 
3833 	crypto_free_shash(tfm_cmac);
3834 	crypto_free_kpp(tfm_ecdh);
3835 
3836 	return err;
3837 }
3838 
3839 #endif
3840