xref: /openbmc/linux/net/bluetooth/smp.c (revision abfbd895)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4 
5    This program is free software; you can redistribute it and/or modify
6    it under the terms of the GNU General Public License version 2 as
7    published by the Free Software Foundation;
8 
9    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 
18    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20    SOFTWARE IS DISCLAIMED.
21 */
22 
23 #include <linux/debugfs.h>
24 #include <linux/crypto.h>
25 #include <linux/scatterlist.h>
26 #include <crypto/b128ops.h>
27 
28 #include <net/bluetooth/bluetooth.h>
29 #include <net/bluetooth/hci_core.h>
30 #include <net/bluetooth/l2cap.h>
31 #include <net/bluetooth/mgmt.h>
32 
33 #include "ecc.h"
34 #include "smp.h"
35 
36 #define SMP_DEV(hdev) \
37 	((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
38 
39 /* Low-level debug macros to be used for stuff that we don't want
40  * accidentially in dmesg, i.e. the values of the various crypto keys
41  * and the inputs & outputs of crypto functions.
42  */
43 #ifdef DEBUG
44 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
45 				 ##__VA_ARGS__)
46 #else
47 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
48 				    ##__VA_ARGS__)
49 #endif
50 
51 #define SMP_ALLOW_CMD(smp, code)	set_bit(code, &smp->allow_cmd)
52 
53 /* Keys which are not distributed with Secure Connections */
54 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
55 
56 #define SMP_TIMEOUT	msecs_to_jiffies(30000)
57 
58 #define AUTH_REQ_MASK(dev)	(hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
59 				 0x1f : 0x07)
60 #define KEY_DIST_MASK		0x07
61 
62 /* Maximum message length that can be passed to aes_cmac */
63 #define CMAC_MSG_MAX	80
64 
65 enum {
66 	SMP_FLAG_TK_VALID,
67 	SMP_FLAG_CFM_PENDING,
68 	SMP_FLAG_MITM_AUTH,
69 	SMP_FLAG_COMPLETE,
70 	SMP_FLAG_INITIATOR,
71 	SMP_FLAG_SC,
72 	SMP_FLAG_REMOTE_PK,
73 	SMP_FLAG_DEBUG_KEY,
74 	SMP_FLAG_WAIT_USER,
75 	SMP_FLAG_DHKEY_PENDING,
76 	SMP_FLAG_REMOTE_OOB,
77 	SMP_FLAG_LOCAL_OOB,
78 };
79 
80 struct smp_dev {
81 	/* Secure Connections OOB data */
82 	u8			local_pk[64];
83 	u8			local_sk[32];
84 	u8			local_rand[16];
85 	bool			debug_key;
86 
87 	u8			min_key_size;
88 	u8			max_key_size;
89 
90 	struct crypto_blkcipher	*tfm_aes;
91 	struct crypto_hash	*tfm_cmac;
92 };
93 
94 struct smp_chan {
95 	struct l2cap_conn	*conn;
96 	struct delayed_work	security_timer;
97 	unsigned long           allow_cmd; /* Bitmask of allowed commands */
98 
99 	u8		preq[7]; /* SMP Pairing Request */
100 	u8		prsp[7]; /* SMP Pairing Response */
101 	u8		prnd[16]; /* SMP Pairing Random (local) */
102 	u8		rrnd[16]; /* SMP Pairing Random (remote) */
103 	u8		pcnf[16]; /* SMP Pairing Confirm */
104 	u8		tk[16]; /* SMP Temporary Key */
105 	u8		rr[16]; /* Remote OOB ra/rb value */
106 	u8		lr[16]; /* Local OOB ra/rb value */
107 	u8		enc_key_size;
108 	u8		remote_key_dist;
109 	bdaddr_t	id_addr;
110 	u8		id_addr_type;
111 	u8		irk[16];
112 	struct smp_csrk	*csrk;
113 	struct smp_csrk	*slave_csrk;
114 	struct smp_ltk	*ltk;
115 	struct smp_ltk	*slave_ltk;
116 	struct smp_irk	*remote_irk;
117 	u8		*link_key;
118 	unsigned long	flags;
119 	u8		method;
120 	u8		passkey_round;
121 
122 	/* Secure Connections variables */
123 	u8			local_pk[64];
124 	u8			local_sk[32];
125 	u8			remote_pk[64];
126 	u8			dhkey[32];
127 	u8			mackey[16];
128 
129 	struct crypto_blkcipher	*tfm_aes;
130 	struct crypto_hash	*tfm_cmac;
131 };
132 
133 /* These debug key values are defined in the SMP section of the core
134  * specification. debug_pk is the public debug key and debug_sk the
135  * private debug key.
136  */
137 static const u8 debug_pk[64] = {
138 		0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
139 		0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
140 		0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
141 		0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
142 
143 		0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
144 		0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
145 		0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
146 		0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
147 };
148 
149 static const u8 debug_sk[32] = {
150 		0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
151 		0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
152 		0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
153 		0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
154 };
155 
156 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
157 {
158 	size_t i;
159 
160 	for (i = 0; i < len; i++)
161 		dst[len - 1 - i] = src[i];
162 }
163 
164 /* The following functions map to the LE SC SMP crypto functions
165  * AES-CMAC, f4, f5, f6, g2 and h6.
166  */
167 
168 static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m,
169 		    size_t len, u8 mac[16])
170 {
171 	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
172 	struct hash_desc desc;
173 	struct scatterlist sg;
174 	int err;
175 
176 	if (len > CMAC_MSG_MAX)
177 		return -EFBIG;
178 
179 	if (!tfm) {
180 		BT_ERR("tfm %p", tfm);
181 		return -EINVAL;
182 	}
183 
184 	desc.tfm = tfm;
185 	desc.flags = 0;
186 
187 	crypto_hash_init(&desc);
188 
189 	/* Swap key and message from LSB to MSB */
190 	swap_buf(k, tmp, 16);
191 	swap_buf(m, msg_msb, len);
192 
193 	SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
194 	SMP_DBG("key %16phN", k);
195 
196 	err = crypto_hash_setkey(tfm, tmp, 16);
197 	if (err) {
198 		BT_ERR("cipher setkey failed: %d", err);
199 		return err;
200 	}
201 
202 	sg_init_one(&sg, msg_msb, len);
203 
204 	err = crypto_hash_update(&desc, &sg, len);
205 	if (err) {
206 		BT_ERR("Hash update error %d", err);
207 		return err;
208 	}
209 
210 	err = crypto_hash_final(&desc, mac_msb);
211 	if (err) {
212 		BT_ERR("Hash final error %d", err);
213 		return err;
214 	}
215 
216 	swap_buf(mac_msb, mac, 16);
217 
218 	SMP_DBG("mac %16phN", mac);
219 
220 	return 0;
221 }
222 
223 static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
224 		  const u8 x[16], u8 z, u8 res[16])
225 {
226 	u8 m[65];
227 	int err;
228 
229 	SMP_DBG("u %32phN", u);
230 	SMP_DBG("v %32phN", v);
231 	SMP_DBG("x %16phN z %02x", x, z);
232 
233 	m[0] = z;
234 	memcpy(m + 1, v, 32);
235 	memcpy(m + 33, u, 32);
236 
237 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
238 	if (err)
239 		return err;
240 
241 	SMP_DBG("res %16phN", res);
242 
243 	return err;
244 }
245 
246 static int smp_f5(struct crypto_hash *tfm_cmac, const u8 w[32],
247 		  const u8 n1[16], const u8 n2[16], const u8 a1[7],
248 		  const u8 a2[7], u8 mackey[16], u8 ltk[16])
249 {
250 	/* The btle, salt and length "magic" values are as defined in
251 	 * the SMP section of the Bluetooth core specification. In ASCII
252 	 * the btle value ends up being 'btle'. The salt is just a
253 	 * random number whereas length is the value 256 in little
254 	 * endian format.
255 	 */
256 	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
257 	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
258 			      0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
259 	const u8 length[2] = { 0x00, 0x01 };
260 	u8 m[53], t[16];
261 	int err;
262 
263 	SMP_DBG("w %32phN", w);
264 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
265 	SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
266 
267 	err = aes_cmac(tfm_cmac, salt, w, 32, t);
268 	if (err)
269 		return err;
270 
271 	SMP_DBG("t %16phN", t);
272 
273 	memcpy(m, length, 2);
274 	memcpy(m + 2, a2, 7);
275 	memcpy(m + 9, a1, 7);
276 	memcpy(m + 16, n2, 16);
277 	memcpy(m + 32, n1, 16);
278 	memcpy(m + 48, btle, 4);
279 
280 	m[52] = 0; /* Counter */
281 
282 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
283 	if (err)
284 		return err;
285 
286 	SMP_DBG("mackey %16phN", mackey);
287 
288 	m[52] = 1; /* Counter */
289 
290 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
291 	if (err)
292 		return err;
293 
294 	SMP_DBG("ltk %16phN", ltk);
295 
296 	return 0;
297 }
298 
299 static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16],
300 		  const u8 n1[16], const u8 n2[16], const u8 r[16],
301 		  const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
302 		  u8 res[16])
303 {
304 	u8 m[65];
305 	int err;
306 
307 	SMP_DBG("w %16phN", w);
308 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
309 	SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
310 
311 	memcpy(m, a2, 7);
312 	memcpy(m + 7, a1, 7);
313 	memcpy(m + 14, io_cap, 3);
314 	memcpy(m + 17, r, 16);
315 	memcpy(m + 33, n2, 16);
316 	memcpy(m + 49, n1, 16);
317 
318 	err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
319 	if (err)
320 		return err;
321 
322 	SMP_DBG("res %16phN", res);
323 
324 	return err;
325 }
326 
327 static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
328 		  const u8 x[16], const u8 y[16], u32 *val)
329 {
330 	u8 m[80], tmp[16];
331 	int err;
332 
333 	SMP_DBG("u %32phN", u);
334 	SMP_DBG("v %32phN", v);
335 	SMP_DBG("x %16phN y %16phN", x, y);
336 
337 	memcpy(m, y, 16);
338 	memcpy(m + 16, v, 32);
339 	memcpy(m + 48, u, 32);
340 
341 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
342 	if (err)
343 		return err;
344 
345 	*val = get_unaligned_le32(tmp);
346 	*val %= 1000000;
347 
348 	SMP_DBG("val %06u", *val);
349 
350 	return 0;
351 }
352 
353 static int smp_h6(struct crypto_hash *tfm_cmac, const u8 w[16],
354 		  const u8 key_id[4], u8 res[16])
355 {
356 	int err;
357 
358 	SMP_DBG("w %16phN key_id %4phN", w, key_id);
359 
360 	err = aes_cmac(tfm_cmac, w, key_id, 4, res);
361 	if (err)
362 		return err;
363 
364 	SMP_DBG("res %16phN", res);
365 
366 	return err;
367 }
368 
369 /* The following functions map to the legacy SMP crypto functions e, c1,
370  * s1 and ah.
371  */
372 
373 static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
374 {
375 	struct blkcipher_desc desc;
376 	struct scatterlist sg;
377 	uint8_t tmp[16], data[16];
378 	int err;
379 
380 	SMP_DBG("k %16phN r %16phN", k, r);
381 
382 	if (!tfm) {
383 		BT_ERR("tfm %p", tfm);
384 		return -EINVAL;
385 	}
386 
387 	desc.tfm = tfm;
388 	desc.flags = 0;
389 
390 	/* The most significant octet of key corresponds to k[0] */
391 	swap_buf(k, tmp, 16);
392 
393 	err = crypto_blkcipher_setkey(tfm, tmp, 16);
394 	if (err) {
395 		BT_ERR("cipher setkey failed: %d", err);
396 		return err;
397 	}
398 
399 	/* Most significant octet of plaintextData corresponds to data[0] */
400 	swap_buf(r, data, 16);
401 
402 	sg_init_one(&sg, data, 16);
403 
404 	err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
405 	if (err)
406 		BT_ERR("Encrypt data error %d", err);
407 
408 	/* Most significant octet of encryptedData corresponds to data[0] */
409 	swap_buf(data, r, 16);
410 
411 	SMP_DBG("r %16phN", r);
412 
413 	return err;
414 }
415 
416 static int smp_c1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
417 		  const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
418 		  const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
419 {
420 	u8 p1[16], p2[16];
421 	int err;
422 
423 	SMP_DBG("k %16phN r %16phN", k, r);
424 	SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
425 	SMP_DBG("preq %7phN pres %7phN", preq, pres);
426 
427 	memset(p1, 0, 16);
428 
429 	/* p1 = pres || preq || _rat || _iat */
430 	p1[0] = _iat;
431 	p1[1] = _rat;
432 	memcpy(p1 + 2, preq, 7);
433 	memcpy(p1 + 9, pres, 7);
434 
435 	SMP_DBG("p1 %16phN", p1);
436 
437 	/* res = r XOR p1 */
438 	u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
439 
440 	/* res = e(k, res) */
441 	err = smp_e(tfm_aes, k, res);
442 	if (err) {
443 		BT_ERR("Encrypt data error");
444 		return err;
445 	}
446 
447 	/* p2 = padding || ia || ra */
448 	memcpy(p2, ra, 6);
449 	memcpy(p2 + 6, ia, 6);
450 	memset(p2 + 12, 0, 4);
451 
452 	SMP_DBG("p2 %16phN", p2);
453 
454 	/* res = res XOR p2 */
455 	u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
456 
457 	/* res = e(k, res) */
458 	err = smp_e(tfm_aes, k, res);
459 	if (err)
460 		BT_ERR("Encrypt data error");
461 
462 	return err;
463 }
464 
465 static int smp_s1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
466 		  const u8 r1[16], const u8 r2[16], u8 _r[16])
467 {
468 	int err;
469 
470 	/* Just least significant octets from r1 and r2 are considered */
471 	memcpy(_r, r2, 8);
472 	memcpy(_r + 8, r1, 8);
473 
474 	err = smp_e(tfm_aes, k, _r);
475 	if (err)
476 		BT_ERR("Encrypt data error");
477 
478 	return err;
479 }
480 
481 static int smp_ah(struct crypto_blkcipher *tfm, const u8 irk[16],
482 		  const u8 r[3], u8 res[3])
483 {
484 	u8 _res[16];
485 	int err;
486 
487 	/* r' = padding || r */
488 	memcpy(_res, r, 3);
489 	memset(_res + 3, 0, 13);
490 
491 	err = smp_e(tfm, irk, _res);
492 	if (err) {
493 		BT_ERR("Encrypt error");
494 		return err;
495 	}
496 
497 	/* The output of the random address function ah is:
498 	 *	ah(k, r) = e(k, r') mod 2^24
499 	 * The output of the security function e is then truncated to 24 bits
500 	 * by taking the least significant 24 bits of the output of e as the
501 	 * result of ah.
502 	 */
503 	memcpy(res, _res, 3);
504 
505 	return 0;
506 }
507 
508 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
509 		     const bdaddr_t *bdaddr)
510 {
511 	struct l2cap_chan *chan = hdev->smp_data;
512 	struct smp_dev *smp;
513 	u8 hash[3];
514 	int err;
515 
516 	if (!chan || !chan->data)
517 		return false;
518 
519 	smp = chan->data;
520 
521 	BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
522 
523 	err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash);
524 	if (err)
525 		return false;
526 
527 	return !memcmp(bdaddr->b, hash, 3);
528 }
529 
530 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
531 {
532 	struct l2cap_chan *chan = hdev->smp_data;
533 	struct smp_dev *smp;
534 	int err;
535 
536 	if (!chan || !chan->data)
537 		return -EOPNOTSUPP;
538 
539 	smp = chan->data;
540 
541 	get_random_bytes(&rpa->b[3], 3);
542 
543 	rpa->b[5] &= 0x3f;	/* Clear two most significant bits */
544 	rpa->b[5] |= 0x40;	/* Set second most significant bit */
545 
546 	err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b);
547 	if (err < 0)
548 		return err;
549 
550 	BT_DBG("RPA %pMR", rpa);
551 
552 	return 0;
553 }
554 
555 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
556 {
557 	struct l2cap_chan *chan = hdev->smp_data;
558 	struct smp_dev *smp;
559 	int err;
560 
561 	if (!chan || !chan->data)
562 		return -EOPNOTSUPP;
563 
564 	smp = chan->data;
565 
566 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
567 		BT_DBG("Using debug keys");
568 		memcpy(smp->local_pk, debug_pk, 64);
569 		memcpy(smp->local_sk, debug_sk, 32);
570 		smp->debug_key = true;
571 	} else {
572 		while (true) {
573 			/* Generate local key pair for Secure Connections */
574 			if (!ecc_make_key(smp->local_pk, smp->local_sk))
575 				return -EIO;
576 
577 			/* This is unlikely, but we need to check that
578 			 * we didn't accidentially generate a debug key.
579 			 */
580 			if (memcmp(smp->local_sk, debug_sk, 32))
581 				break;
582 		}
583 		smp->debug_key = false;
584 	}
585 
586 	SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
587 	SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
588 	SMP_DBG("OOB Private Key:  %32phN", smp->local_sk);
589 
590 	get_random_bytes(smp->local_rand, 16);
591 
592 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
593 		     smp->local_rand, 0, hash);
594 	if (err < 0)
595 		return err;
596 
597 	memcpy(rand, smp->local_rand, 16);
598 
599 	return 0;
600 }
601 
602 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
603 {
604 	struct l2cap_chan *chan = conn->smp;
605 	struct smp_chan *smp;
606 	struct kvec iv[2];
607 	struct msghdr msg;
608 
609 	if (!chan)
610 		return;
611 
612 	BT_DBG("code 0x%2.2x", code);
613 
614 	iv[0].iov_base = &code;
615 	iv[0].iov_len = 1;
616 
617 	iv[1].iov_base = data;
618 	iv[1].iov_len = len;
619 
620 	memset(&msg, 0, sizeof(msg));
621 
622 	iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
623 
624 	l2cap_chan_send(chan, &msg, 1 + len);
625 
626 	if (!chan->data)
627 		return;
628 
629 	smp = chan->data;
630 
631 	cancel_delayed_work_sync(&smp->security_timer);
632 	schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
633 }
634 
635 static u8 authreq_to_seclevel(u8 authreq)
636 {
637 	if (authreq & SMP_AUTH_MITM) {
638 		if (authreq & SMP_AUTH_SC)
639 			return BT_SECURITY_FIPS;
640 		else
641 			return BT_SECURITY_HIGH;
642 	} else {
643 		return BT_SECURITY_MEDIUM;
644 	}
645 }
646 
647 static __u8 seclevel_to_authreq(__u8 sec_level)
648 {
649 	switch (sec_level) {
650 	case BT_SECURITY_FIPS:
651 	case BT_SECURITY_HIGH:
652 		return SMP_AUTH_MITM | SMP_AUTH_BONDING;
653 	case BT_SECURITY_MEDIUM:
654 		return SMP_AUTH_BONDING;
655 	default:
656 		return SMP_AUTH_NONE;
657 	}
658 }
659 
660 static void build_pairing_cmd(struct l2cap_conn *conn,
661 			      struct smp_cmd_pairing *req,
662 			      struct smp_cmd_pairing *rsp, __u8 authreq)
663 {
664 	struct l2cap_chan *chan = conn->smp;
665 	struct smp_chan *smp = chan->data;
666 	struct hci_conn *hcon = conn->hcon;
667 	struct hci_dev *hdev = hcon->hdev;
668 	u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
669 
670 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
671 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
672 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
673 		authreq |= SMP_AUTH_BONDING;
674 	} else {
675 		authreq &= ~SMP_AUTH_BONDING;
676 	}
677 
678 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
679 		remote_dist |= SMP_DIST_ID_KEY;
680 
681 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
682 		local_dist |= SMP_DIST_ID_KEY;
683 
684 	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
685 	    (authreq & SMP_AUTH_SC)) {
686 		struct oob_data *oob_data;
687 		u8 bdaddr_type;
688 
689 		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
690 			local_dist |= SMP_DIST_LINK_KEY;
691 			remote_dist |= SMP_DIST_LINK_KEY;
692 		}
693 
694 		if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
695 			bdaddr_type = BDADDR_LE_PUBLIC;
696 		else
697 			bdaddr_type = BDADDR_LE_RANDOM;
698 
699 		oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
700 						    bdaddr_type);
701 		if (oob_data && oob_data->present) {
702 			set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
703 			oob_flag = SMP_OOB_PRESENT;
704 			memcpy(smp->rr, oob_data->rand256, 16);
705 			memcpy(smp->pcnf, oob_data->hash256, 16);
706 			SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
707 			SMP_DBG("OOB Remote Random: %16phN", smp->rr);
708 		}
709 
710 	} else {
711 		authreq &= ~SMP_AUTH_SC;
712 	}
713 
714 	if (rsp == NULL) {
715 		req->io_capability = conn->hcon->io_capability;
716 		req->oob_flag = oob_flag;
717 		req->max_key_size = SMP_DEV(hdev)->max_key_size;
718 		req->init_key_dist = local_dist;
719 		req->resp_key_dist = remote_dist;
720 		req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
721 
722 		smp->remote_key_dist = remote_dist;
723 		return;
724 	}
725 
726 	rsp->io_capability = conn->hcon->io_capability;
727 	rsp->oob_flag = oob_flag;
728 	rsp->max_key_size = SMP_DEV(hdev)->max_key_size;
729 	rsp->init_key_dist = req->init_key_dist & remote_dist;
730 	rsp->resp_key_dist = req->resp_key_dist & local_dist;
731 	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
732 
733 	smp->remote_key_dist = rsp->init_key_dist;
734 }
735 
736 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
737 {
738 	struct l2cap_chan *chan = conn->smp;
739 	struct hci_dev *hdev = conn->hcon->hdev;
740 	struct smp_chan *smp = chan->data;
741 
742 	if (max_key_size > SMP_DEV(hdev)->max_key_size ||
743 	    max_key_size < SMP_MIN_ENC_KEY_SIZE)
744 		return SMP_ENC_KEY_SIZE;
745 
746 	smp->enc_key_size = max_key_size;
747 
748 	return 0;
749 }
750 
751 static void smp_chan_destroy(struct l2cap_conn *conn)
752 {
753 	struct l2cap_chan *chan = conn->smp;
754 	struct smp_chan *smp = chan->data;
755 	struct hci_conn *hcon = conn->hcon;
756 	bool complete;
757 
758 	BUG_ON(!smp);
759 
760 	cancel_delayed_work_sync(&smp->security_timer);
761 
762 	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
763 	mgmt_smp_complete(hcon, complete);
764 
765 	kzfree(smp->csrk);
766 	kzfree(smp->slave_csrk);
767 	kzfree(smp->link_key);
768 
769 	crypto_free_blkcipher(smp->tfm_aes);
770 	crypto_free_hash(smp->tfm_cmac);
771 
772 	/* Ensure that we don't leave any debug key around if debug key
773 	 * support hasn't been explicitly enabled.
774 	 */
775 	if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
776 	    !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
777 		list_del_rcu(&smp->ltk->list);
778 		kfree_rcu(smp->ltk, rcu);
779 		smp->ltk = NULL;
780 	}
781 
782 	/* If pairing failed clean up any keys we might have */
783 	if (!complete) {
784 		if (smp->ltk) {
785 			list_del_rcu(&smp->ltk->list);
786 			kfree_rcu(smp->ltk, rcu);
787 		}
788 
789 		if (smp->slave_ltk) {
790 			list_del_rcu(&smp->slave_ltk->list);
791 			kfree_rcu(smp->slave_ltk, rcu);
792 		}
793 
794 		if (smp->remote_irk) {
795 			list_del_rcu(&smp->remote_irk->list);
796 			kfree_rcu(smp->remote_irk, rcu);
797 		}
798 	}
799 
800 	chan->data = NULL;
801 	kzfree(smp);
802 	hci_conn_drop(hcon);
803 }
804 
805 static void smp_failure(struct l2cap_conn *conn, u8 reason)
806 {
807 	struct hci_conn *hcon = conn->hcon;
808 	struct l2cap_chan *chan = conn->smp;
809 
810 	if (reason)
811 		smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
812 			     &reason);
813 
814 	mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
815 
816 	if (chan->data)
817 		smp_chan_destroy(conn);
818 }
819 
820 #define JUST_WORKS	0x00
821 #define JUST_CFM	0x01
822 #define REQ_PASSKEY	0x02
823 #define CFM_PASSKEY	0x03
824 #define REQ_OOB		0x04
825 #define DSP_PASSKEY	0x05
826 #define OVERLAP		0xFF
827 
828 static const u8 gen_method[5][5] = {
829 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
830 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
831 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
832 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
833 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
834 };
835 
836 static const u8 sc_method[5][5] = {
837 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
838 	{ JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
839 	{ DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
840 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
841 	{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
842 };
843 
844 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
845 {
846 	/* If either side has unknown io_caps, use JUST_CFM (which gets
847 	 * converted later to JUST_WORKS if we're initiators.
848 	 */
849 	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
850 	    remote_io > SMP_IO_KEYBOARD_DISPLAY)
851 		return JUST_CFM;
852 
853 	if (test_bit(SMP_FLAG_SC, &smp->flags))
854 		return sc_method[remote_io][local_io];
855 
856 	return gen_method[remote_io][local_io];
857 }
858 
859 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
860 						u8 local_io, u8 remote_io)
861 {
862 	struct hci_conn *hcon = conn->hcon;
863 	struct l2cap_chan *chan = conn->smp;
864 	struct smp_chan *smp = chan->data;
865 	u32 passkey = 0;
866 	int ret = 0;
867 
868 	/* Initialize key for JUST WORKS */
869 	memset(smp->tk, 0, sizeof(smp->tk));
870 	clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
871 
872 	BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
873 
874 	/* If neither side wants MITM, either "just" confirm an incoming
875 	 * request or use just-works for outgoing ones. The JUST_CFM
876 	 * will be converted to JUST_WORKS if necessary later in this
877 	 * function. If either side has MITM look up the method from the
878 	 * table.
879 	 */
880 	if (!(auth & SMP_AUTH_MITM))
881 		smp->method = JUST_CFM;
882 	else
883 		smp->method = get_auth_method(smp, local_io, remote_io);
884 
885 	/* Don't confirm locally initiated pairing attempts */
886 	if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
887 						&smp->flags))
888 		smp->method = JUST_WORKS;
889 
890 	/* Don't bother user space with no IO capabilities */
891 	if (smp->method == JUST_CFM &&
892 	    hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
893 		smp->method = JUST_WORKS;
894 
895 	/* If Just Works, Continue with Zero TK */
896 	if (smp->method == JUST_WORKS) {
897 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
898 		return 0;
899 	}
900 
901 	/* If this function is used for SC -> legacy fallback we
902 	 * can only recover the just-works case.
903 	 */
904 	if (test_bit(SMP_FLAG_SC, &smp->flags))
905 		return -EINVAL;
906 
907 	/* Not Just Works/Confirm results in MITM Authentication */
908 	if (smp->method != JUST_CFM) {
909 		set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
910 		if (hcon->pending_sec_level < BT_SECURITY_HIGH)
911 			hcon->pending_sec_level = BT_SECURITY_HIGH;
912 	}
913 
914 	/* If both devices have Keyoard-Display I/O, the master
915 	 * Confirms and the slave Enters the passkey.
916 	 */
917 	if (smp->method == OVERLAP) {
918 		if (hcon->role == HCI_ROLE_MASTER)
919 			smp->method = CFM_PASSKEY;
920 		else
921 			smp->method = REQ_PASSKEY;
922 	}
923 
924 	/* Generate random passkey. */
925 	if (smp->method == CFM_PASSKEY) {
926 		memset(smp->tk, 0, sizeof(smp->tk));
927 		get_random_bytes(&passkey, sizeof(passkey));
928 		passkey %= 1000000;
929 		put_unaligned_le32(passkey, smp->tk);
930 		BT_DBG("PassKey: %d", passkey);
931 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
932 	}
933 
934 	if (smp->method == REQ_PASSKEY)
935 		ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
936 						hcon->type, hcon->dst_type);
937 	else if (smp->method == JUST_CFM)
938 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
939 						hcon->type, hcon->dst_type,
940 						passkey, 1);
941 	else
942 		ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
943 						hcon->type, hcon->dst_type,
944 						passkey, 0);
945 
946 	return ret;
947 }
948 
949 static u8 smp_confirm(struct smp_chan *smp)
950 {
951 	struct l2cap_conn *conn = smp->conn;
952 	struct smp_cmd_pairing_confirm cp;
953 	int ret;
954 
955 	BT_DBG("conn %p", conn);
956 
957 	ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
958 		     conn->hcon->init_addr_type, &conn->hcon->init_addr,
959 		     conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
960 		     cp.confirm_val);
961 	if (ret)
962 		return SMP_UNSPECIFIED;
963 
964 	clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
965 
966 	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
967 
968 	if (conn->hcon->out)
969 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
970 	else
971 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
972 
973 	return 0;
974 }
975 
976 static u8 smp_random(struct smp_chan *smp)
977 {
978 	struct l2cap_conn *conn = smp->conn;
979 	struct hci_conn *hcon = conn->hcon;
980 	u8 confirm[16];
981 	int ret;
982 
983 	if (IS_ERR_OR_NULL(smp->tfm_aes))
984 		return SMP_UNSPECIFIED;
985 
986 	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
987 
988 	ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
989 		     hcon->init_addr_type, &hcon->init_addr,
990 		     hcon->resp_addr_type, &hcon->resp_addr, confirm);
991 	if (ret)
992 		return SMP_UNSPECIFIED;
993 
994 	if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
995 		BT_ERR("Pairing failed (confirmation values mismatch)");
996 		return SMP_CONFIRM_FAILED;
997 	}
998 
999 	if (hcon->out) {
1000 		u8 stk[16];
1001 		__le64 rand = 0;
1002 		__le16 ediv = 0;
1003 
1004 		smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
1005 
1006 		if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1007 			return SMP_UNSPECIFIED;
1008 
1009 		hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1010 		hcon->enc_key_size = smp->enc_key_size;
1011 		set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1012 	} else {
1013 		u8 stk[16], auth;
1014 		__le64 rand = 0;
1015 		__le16 ediv = 0;
1016 
1017 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1018 			     smp->prnd);
1019 
1020 		smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
1021 
1022 		if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1023 			auth = 1;
1024 		else
1025 			auth = 0;
1026 
1027 		/* Even though there's no _SLAVE suffix this is the
1028 		 * slave STK we're adding for later lookup (the master
1029 		 * STK never needs to be stored).
1030 		 */
1031 		hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1032 			    SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1033 	}
1034 
1035 	return 0;
1036 }
1037 
1038 static void smp_notify_keys(struct l2cap_conn *conn)
1039 {
1040 	struct l2cap_chan *chan = conn->smp;
1041 	struct smp_chan *smp = chan->data;
1042 	struct hci_conn *hcon = conn->hcon;
1043 	struct hci_dev *hdev = hcon->hdev;
1044 	struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1045 	struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1046 	bool persistent;
1047 
1048 	if (hcon->type == ACL_LINK) {
1049 		if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1050 			persistent = false;
1051 		else
1052 			persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1053 					       &hcon->flags);
1054 	} else {
1055 		/* The LTKs, IRKs and CSRKs should be persistent only if
1056 		 * both sides had the bonding bit set in their
1057 		 * authentication requests.
1058 		 */
1059 		persistent = !!((req->auth_req & rsp->auth_req) &
1060 				SMP_AUTH_BONDING);
1061 	}
1062 
1063 	if (smp->remote_irk) {
1064 		mgmt_new_irk(hdev, smp->remote_irk, persistent);
1065 
1066 		/* Now that user space can be considered to know the
1067 		 * identity address track the connection based on it
1068 		 * from now on (assuming this is an LE link).
1069 		 */
1070 		if (hcon->type == LE_LINK) {
1071 			bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1072 			hcon->dst_type = smp->remote_irk->addr_type;
1073 			queue_work(hdev->workqueue, &conn->id_addr_update_work);
1074 		}
1075 
1076 		/* When receiving an indentity resolving key for
1077 		 * a remote device that does not use a resolvable
1078 		 * private address, just remove the key so that
1079 		 * it is possible to use the controller white
1080 		 * list for scanning.
1081 		 *
1082 		 * Userspace will have been told to not store
1083 		 * this key at this point. So it is safe to
1084 		 * just remove it.
1085 		 */
1086 		if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) {
1087 			list_del_rcu(&smp->remote_irk->list);
1088 			kfree_rcu(smp->remote_irk, rcu);
1089 			smp->remote_irk = NULL;
1090 		}
1091 	}
1092 
1093 	if (smp->csrk) {
1094 		smp->csrk->bdaddr_type = hcon->dst_type;
1095 		bacpy(&smp->csrk->bdaddr, &hcon->dst);
1096 		mgmt_new_csrk(hdev, smp->csrk, persistent);
1097 	}
1098 
1099 	if (smp->slave_csrk) {
1100 		smp->slave_csrk->bdaddr_type = hcon->dst_type;
1101 		bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1102 		mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1103 	}
1104 
1105 	if (smp->ltk) {
1106 		smp->ltk->bdaddr_type = hcon->dst_type;
1107 		bacpy(&smp->ltk->bdaddr, &hcon->dst);
1108 		mgmt_new_ltk(hdev, smp->ltk, persistent);
1109 	}
1110 
1111 	if (smp->slave_ltk) {
1112 		smp->slave_ltk->bdaddr_type = hcon->dst_type;
1113 		bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1114 		mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1115 	}
1116 
1117 	if (smp->link_key) {
1118 		struct link_key *key;
1119 		u8 type;
1120 
1121 		if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1122 			type = HCI_LK_DEBUG_COMBINATION;
1123 		else if (hcon->sec_level == BT_SECURITY_FIPS)
1124 			type = HCI_LK_AUTH_COMBINATION_P256;
1125 		else
1126 			type = HCI_LK_UNAUTH_COMBINATION_P256;
1127 
1128 		key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1129 				       smp->link_key, type, 0, &persistent);
1130 		if (key) {
1131 			mgmt_new_link_key(hdev, key, persistent);
1132 
1133 			/* Don't keep debug keys around if the relevant
1134 			 * flag is not set.
1135 			 */
1136 			if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1137 			    key->type == HCI_LK_DEBUG_COMBINATION) {
1138 				list_del_rcu(&key->list);
1139 				kfree_rcu(key, rcu);
1140 			}
1141 		}
1142 	}
1143 }
1144 
1145 static void sc_add_ltk(struct smp_chan *smp)
1146 {
1147 	struct hci_conn *hcon = smp->conn->hcon;
1148 	u8 key_type, auth;
1149 
1150 	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1151 		key_type = SMP_LTK_P256_DEBUG;
1152 	else
1153 		key_type = SMP_LTK_P256;
1154 
1155 	if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1156 		auth = 1;
1157 	else
1158 		auth = 0;
1159 
1160 	smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1161 			       key_type, auth, smp->tk, smp->enc_key_size,
1162 			       0, 0);
1163 }
1164 
1165 static void sc_generate_link_key(struct smp_chan *smp)
1166 {
1167 	/* These constants are as specified in the core specification.
1168 	 * In ASCII they spell out to 'tmp1' and 'lebr'.
1169 	 */
1170 	const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1171 	const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1172 
1173 	smp->link_key = kzalloc(16, GFP_KERNEL);
1174 	if (!smp->link_key)
1175 		return;
1176 
1177 	if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1178 		kzfree(smp->link_key);
1179 		smp->link_key = NULL;
1180 		return;
1181 	}
1182 
1183 	if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1184 		kzfree(smp->link_key);
1185 		smp->link_key = NULL;
1186 		return;
1187 	}
1188 }
1189 
1190 static void smp_allow_key_dist(struct smp_chan *smp)
1191 {
1192 	/* Allow the first expected phase 3 PDU. The rest of the PDUs
1193 	 * will be allowed in each PDU handler to ensure we receive
1194 	 * them in the correct order.
1195 	 */
1196 	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1197 		SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1198 	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1199 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1200 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
1201 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1202 }
1203 
1204 static void sc_generate_ltk(struct smp_chan *smp)
1205 {
1206 	/* These constants are as specified in the core specification.
1207 	 * In ASCII they spell out to 'tmp2' and 'brle'.
1208 	 */
1209 	const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1210 	const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1211 	struct hci_conn *hcon = smp->conn->hcon;
1212 	struct hci_dev *hdev = hcon->hdev;
1213 	struct link_key *key;
1214 
1215 	key = hci_find_link_key(hdev, &hcon->dst);
1216 	if (!key) {
1217 		BT_ERR("%s No Link Key found to generate LTK", hdev->name);
1218 		return;
1219 	}
1220 
1221 	if (key->type == HCI_LK_DEBUG_COMBINATION)
1222 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1223 
1224 	if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1225 		return;
1226 
1227 	if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1228 		return;
1229 
1230 	sc_add_ltk(smp);
1231 }
1232 
1233 static void smp_distribute_keys(struct smp_chan *smp)
1234 {
1235 	struct smp_cmd_pairing *req, *rsp;
1236 	struct l2cap_conn *conn = smp->conn;
1237 	struct hci_conn *hcon = conn->hcon;
1238 	struct hci_dev *hdev = hcon->hdev;
1239 	__u8 *keydist;
1240 
1241 	BT_DBG("conn %p", conn);
1242 
1243 	rsp = (void *) &smp->prsp[1];
1244 
1245 	/* The responder sends its keys first */
1246 	if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1247 		smp_allow_key_dist(smp);
1248 		return;
1249 	}
1250 
1251 	req = (void *) &smp->preq[1];
1252 
1253 	if (hcon->out) {
1254 		keydist = &rsp->init_key_dist;
1255 		*keydist &= req->init_key_dist;
1256 	} else {
1257 		keydist = &rsp->resp_key_dist;
1258 		*keydist &= req->resp_key_dist;
1259 	}
1260 
1261 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1262 		if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1263 			sc_generate_link_key(smp);
1264 		if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1265 			sc_generate_ltk(smp);
1266 
1267 		/* Clear the keys which are generated but not distributed */
1268 		*keydist &= ~SMP_SC_NO_DIST;
1269 	}
1270 
1271 	BT_DBG("keydist 0x%x", *keydist);
1272 
1273 	if (*keydist & SMP_DIST_ENC_KEY) {
1274 		struct smp_cmd_encrypt_info enc;
1275 		struct smp_cmd_master_ident ident;
1276 		struct smp_ltk *ltk;
1277 		u8 authenticated;
1278 		__le16 ediv;
1279 		__le64 rand;
1280 
1281 		/* Make sure we generate only the significant amount of
1282 		 * bytes based on the encryption key size, and set the rest
1283 		 * of the value to zeroes.
1284 		 */
1285 		get_random_bytes(enc.ltk, smp->enc_key_size);
1286 		memset(enc.ltk + smp->enc_key_size, 0,
1287 		       sizeof(enc.ltk) - smp->enc_key_size);
1288 
1289 		get_random_bytes(&ediv, sizeof(ediv));
1290 		get_random_bytes(&rand, sizeof(rand));
1291 
1292 		smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1293 
1294 		authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1295 		ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1296 				  SMP_LTK_SLAVE, authenticated, enc.ltk,
1297 				  smp->enc_key_size, ediv, rand);
1298 		smp->slave_ltk = ltk;
1299 
1300 		ident.ediv = ediv;
1301 		ident.rand = rand;
1302 
1303 		smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1304 
1305 		*keydist &= ~SMP_DIST_ENC_KEY;
1306 	}
1307 
1308 	if (*keydist & SMP_DIST_ID_KEY) {
1309 		struct smp_cmd_ident_addr_info addrinfo;
1310 		struct smp_cmd_ident_info idinfo;
1311 
1312 		memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1313 
1314 		smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1315 
1316 		/* The hci_conn contains the local identity address
1317 		 * after the connection has been established.
1318 		 *
1319 		 * This is true even when the connection has been
1320 		 * established using a resolvable random address.
1321 		 */
1322 		bacpy(&addrinfo.bdaddr, &hcon->src);
1323 		addrinfo.addr_type = hcon->src_type;
1324 
1325 		smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1326 			     &addrinfo);
1327 
1328 		*keydist &= ~SMP_DIST_ID_KEY;
1329 	}
1330 
1331 	if (*keydist & SMP_DIST_SIGN) {
1332 		struct smp_cmd_sign_info sign;
1333 		struct smp_csrk *csrk;
1334 
1335 		/* Generate a new random key */
1336 		get_random_bytes(sign.csrk, sizeof(sign.csrk));
1337 
1338 		csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1339 		if (csrk) {
1340 			if (hcon->sec_level > BT_SECURITY_MEDIUM)
1341 				csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1342 			else
1343 				csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1344 			memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1345 		}
1346 		smp->slave_csrk = csrk;
1347 
1348 		smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1349 
1350 		*keydist &= ~SMP_DIST_SIGN;
1351 	}
1352 
1353 	/* If there are still keys to be received wait for them */
1354 	if (smp->remote_key_dist & KEY_DIST_MASK) {
1355 		smp_allow_key_dist(smp);
1356 		return;
1357 	}
1358 
1359 	set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1360 	smp_notify_keys(conn);
1361 
1362 	smp_chan_destroy(conn);
1363 }
1364 
1365 static void smp_timeout(struct work_struct *work)
1366 {
1367 	struct smp_chan *smp = container_of(work, struct smp_chan,
1368 					    security_timer.work);
1369 	struct l2cap_conn *conn = smp->conn;
1370 
1371 	BT_DBG("conn %p", conn);
1372 
1373 	hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1374 }
1375 
1376 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1377 {
1378 	struct l2cap_chan *chan = conn->smp;
1379 	struct smp_chan *smp;
1380 
1381 	smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1382 	if (!smp)
1383 		return NULL;
1384 
1385 	smp->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
1386 	if (IS_ERR(smp->tfm_aes)) {
1387 		BT_ERR("Unable to create ECB crypto context");
1388 		kzfree(smp);
1389 		return NULL;
1390 	}
1391 
1392 	smp->tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
1393 	if (IS_ERR(smp->tfm_cmac)) {
1394 		BT_ERR("Unable to create CMAC crypto context");
1395 		crypto_free_blkcipher(smp->tfm_aes);
1396 		kzfree(smp);
1397 		return NULL;
1398 	}
1399 
1400 	smp->conn = conn;
1401 	chan->data = smp;
1402 
1403 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1404 
1405 	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1406 
1407 	hci_conn_hold(conn->hcon);
1408 
1409 	return smp;
1410 }
1411 
1412 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1413 {
1414 	struct hci_conn *hcon = smp->conn->hcon;
1415 	u8 *na, *nb, a[7], b[7];
1416 
1417 	if (hcon->out) {
1418 		na   = smp->prnd;
1419 		nb   = smp->rrnd;
1420 	} else {
1421 		na   = smp->rrnd;
1422 		nb   = smp->prnd;
1423 	}
1424 
1425 	memcpy(a, &hcon->init_addr, 6);
1426 	memcpy(b, &hcon->resp_addr, 6);
1427 	a[6] = hcon->init_addr_type;
1428 	b[6] = hcon->resp_addr_type;
1429 
1430 	return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1431 }
1432 
1433 static void sc_dhkey_check(struct smp_chan *smp)
1434 {
1435 	struct hci_conn *hcon = smp->conn->hcon;
1436 	struct smp_cmd_dhkey_check check;
1437 	u8 a[7], b[7], *local_addr, *remote_addr;
1438 	u8 io_cap[3], r[16];
1439 
1440 	memcpy(a, &hcon->init_addr, 6);
1441 	memcpy(b, &hcon->resp_addr, 6);
1442 	a[6] = hcon->init_addr_type;
1443 	b[6] = hcon->resp_addr_type;
1444 
1445 	if (hcon->out) {
1446 		local_addr = a;
1447 		remote_addr = b;
1448 		memcpy(io_cap, &smp->preq[1], 3);
1449 	} else {
1450 		local_addr = b;
1451 		remote_addr = a;
1452 		memcpy(io_cap, &smp->prsp[1], 3);
1453 	}
1454 
1455 	memset(r, 0, sizeof(r));
1456 
1457 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1458 		put_unaligned_le32(hcon->passkey_notify, r);
1459 
1460 	if (smp->method == REQ_OOB)
1461 		memcpy(r, smp->rr, 16);
1462 
1463 	smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1464 	       local_addr, remote_addr, check.e);
1465 
1466 	smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1467 }
1468 
1469 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1470 {
1471 	struct l2cap_conn *conn = smp->conn;
1472 	struct hci_conn *hcon = conn->hcon;
1473 	struct smp_cmd_pairing_confirm cfm;
1474 	u8 r;
1475 
1476 	r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1477 	r |= 0x80;
1478 
1479 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1480 
1481 	if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1482 		   cfm.confirm_val))
1483 		return SMP_UNSPECIFIED;
1484 
1485 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1486 
1487 	return 0;
1488 }
1489 
1490 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1491 {
1492 	struct l2cap_conn *conn = smp->conn;
1493 	struct hci_conn *hcon = conn->hcon;
1494 	struct hci_dev *hdev = hcon->hdev;
1495 	u8 cfm[16], r;
1496 
1497 	/* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1498 	if (smp->passkey_round >= 20)
1499 		return 0;
1500 
1501 	switch (smp_op) {
1502 	case SMP_CMD_PAIRING_RANDOM:
1503 		r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1504 		r |= 0x80;
1505 
1506 		if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1507 			   smp->rrnd, r, cfm))
1508 			return SMP_UNSPECIFIED;
1509 
1510 		if (memcmp(smp->pcnf, cfm, 16))
1511 			return SMP_CONFIRM_FAILED;
1512 
1513 		smp->passkey_round++;
1514 
1515 		if (smp->passkey_round == 20) {
1516 			/* Generate MacKey and LTK */
1517 			if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1518 				return SMP_UNSPECIFIED;
1519 		}
1520 
1521 		/* The round is only complete when the initiator
1522 		 * receives pairing random.
1523 		 */
1524 		if (!hcon->out) {
1525 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1526 				     sizeof(smp->prnd), smp->prnd);
1527 			if (smp->passkey_round == 20)
1528 				SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1529 			else
1530 				SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1531 			return 0;
1532 		}
1533 
1534 		/* Start the next round */
1535 		if (smp->passkey_round != 20)
1536 			return sc_passkey_round(smp, 0);
1537 
1538 		/* Passkey rounds are complete - start DHKey Check */
1539 		sc_dhkey_check(smp);
1540 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1541 
1542 		break;
1543 
1544 	case SMP_CMD_PAIRING_CONFIRM:
1545 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1546 			set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1547 			return 0;
1548 		}
1549 
1550 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1551 
1552 		if (hcon->out) {
1553 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1554 				     sizeof(smp->prnd), smp->prnd);
1555 			return 0;
1556 		}
1557 
1558 		return sc_passkey_send_confirm(smp);
1559 
1560 	case SMP_CMD_PUBLIC_KEY:
1561 	default:
1562 		/* Initiating device starts the round */
1563 		if (!hcon->out)
1564 			return 0;
1565 
1566 		BT_DBG("%s Starting passkey round %u", hdev->name,
1567 		       smp->passkey_round + 1);
1568 
1569 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1570 
1571 		return sc_passkey_send_confirm(smp);
1572 	}
1573 
1574 	return 0;
1575 }
1576 
1577 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1578 {
1579 	struct l2cap_conn *conn = smp->conn;
1580 	struct hci_conn *hcon = conn->hcon;
1581 	u8 smp_op;
1582 
1583 	clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1584 
1585 	switch (mgmt_op) {
1586 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1587 		smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1588 		return 0;
1589 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1590 		smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1591 		return 0;
1592 	case MGMT_OP_USER_PASSKEY_REPLY:
1593 		hcon->passkey_notify = le32_to_cpu(passkey);
1594 		smp->passkey_round = 0;
1595 
1596 		if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1597 			smp_op = SMP_CMD_PAIRING_CONFIRM;
1598 		else
1599 			smp_op = 0;
1600 
1601 		if (sc_passkey_round(smp, smp_op))
1602 			return -EIO;
1603 
1604 		return 0;
1605 	}
1606 
1607 	/* Initiator sends DHKey check first */
1608 	if (hcon->out) {
1609 		sc_dhkey_check(smp);
1610 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1611 	} else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1612 		sc_dhkey_check(smp);
1613 		sc_add_ltk(smp);
1614 	}
1615 
1616 	return 0;
1617 }
1618 
1619 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1620 {
1621 	struct l2cap_conn *conn = hcon->l2cap_data;
1622 	struct l2cap_chan *chan;
1623 	struct smp_chan *smp;
1624 	u32 value;
1625 	int err;
1626 
1627 	BT_DBG("");
1628 
1629 	if (!conn)
1630 		return -ENOTCONN;
1631 
1632 	chan = conn->smp;
1633 	if (!chan)
1634 		return -ENOTCONN;
1635 
1636 	l2cap_chan_lock(chan);
1637 	if (!chan->data) {
1638 		err = -ENOTCONN;
1639 		goto unlock;
1640 	}
1641 
1642 	smp = chan->data;
1643 
1644 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1645 		err = sc_user_reply(smp, mgmt_op, passkey);
1646 		goto unlock;
1647 	}
1648 
1649 	switch (mgmt_op) {
1650 	case MGMT_OP_USER_PASSKEY_REPLY:
1651 		value = le32_to_cpu(passkey);
1652 		memset(smp->tk, 0, sizeof(smp->tk));
1653 		BT_DBG("PassKey: %d", value);
1654 		put_unaligned_le32(value, smp->tk);
1655 		/* Fall Through */
1656 	case MGMT_OP_USER_CONFIRM_REPLY:
1657 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1658 		break;
1659 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1660 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1661 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1662 		err = 0;
1663 		goto unlock;
1664 	default:
1665 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1666 		err = -EOPNOTSUPP;
1667 		goto unlock;
1668 	}
1669 
1670 	err = 0;
1671 
1672 	/* If it is our turn to send Pairing Confirm, do so now */
1673 	if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1674 		u8 rsp = smp_confirm(smp);
1675 		if (rsp)
1676 			smp_failure(conn, rsp);
1677 	}
1678 
1679 unlock:
1680 	l2cap_chan_unlock(chan);
1681 	return err;
1682 }
1683 
1684 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1685 				    struct smp_cmd_pairing *req,
1686 				    struct smp_cmd_pairing *rsp)
1687 {
1688 	struct l2cap_conn *conn = smp->conn;
1689 	struct hci_dev *hdev = conn->hcon->hdev;
1690 	u8 local_dist = 0, remote_dist = 0;
1691 
1692 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1693 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1694 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1695 	}
1696 
1697 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1698 		remote_dist |= SMP_DIST_ID_KEY;
1699 
1700 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1701 		local_dist |= SMP_DIST_ID_KEY;
1702 
1703 	if (!rsp) {
1704 		memset(req, 0, sizeof(*req));
1705 
1706 		req->init_key_dist   = local_dist;
1707 		req->resp_key_dist   = remote_dist;
1708 		req->max_key_size    = conn->hcon->enc_key_size;
1709 
1710 		smp->remote_key_dist = remote_dist;
1711 
1712 		return;
1713 	}
1714 
1715 	memset(rsp, 0, sizeof(*rsp));
1716 
1717 	rsp->max_key_size    = conn->hcon->enc_key_size;
1718 	rsp->init_key_dist   = req->init_key_dist & remote_dist;
1719 	rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1720 
1721 	smp->remote_key_dist = rsp->init_key_dist;
1722 }
1723 
1724 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1725 {
1726 	struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1727 	struct l2cap_chan *chan = conn->smp;
1728 	struct hci_dev *hdev = conn->hcon->hdev;
1729 	struct smp_chan *smp;
1730 	u8 key_size, auth, sec_level;
1731 	int ret;
1732 
1733 	BT_DBG("conn %p", conn);
1734 
1735 	if (skb->len < sizeof(*req))
1736 		return SMP_INVALID_PARAMS;
1737 
1738 	if (conn->hcon->role != HCI_ROLE_SLAVE)
1739 		return SMP_CMD_NOTSUPP;
1740 
1741 	if (!chan->data)
1742 		smp = smp_chan_create(conn);
1743 	else
1744 		smp = chan->data;
1745 
1746 	if (!smp)
1747 		return SMP_UNSPECIFIED;
1748 
1749 	/* We didn't start the pairing, so match remote */
1750 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
1751 
1752 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1753 	    (auth & SMP_AUTH_BONDING))
1754 		return SMP_PAIRING_NOTSUPP;
1755 
1756 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1757 		return SMP_AUTH_REQUIREMENTS;
1758 
1759 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
1760 	memcpy(&smp->preq[1], req, sizeof(*req));
1761 	skb_pull(skb, sizeof(*req));
1762 
1763 	/* If the remote side's OOB flag is set it means it has
1764 	 * successfully received our local OOB data - therefore set the
1765 	 * flag to indicate that local OOB is in use.
1766 	 */
1767 	if (req->oob_flag == SMP_OOB_PRESENT)
1768 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1769 
1770 	/* SMP over BR/EDR requires special treatment */
1771 	if (conn->hcon->type == ACL_LINK) {
1772 		/* We must have a BR/EDR SC link */
1773 		if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1774 		    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1775 			return SMP_CROSS_TRANSP_NOT_ALLOWED;
1776 
1777 		set_bit(SMP_FLAG_SC, &smp->flags);
1778 
1779 		build_bredr_pairing_cmd(smp, req, &rsp);
1780 
1781 		key_size = min(req->max_key_size, rsp.max_key_size);
1782 		if (check_enc_key_size(conn, key_size))
1783 			return SMP_ENC_KEY_SIZE;
1784 
1785 		/* Clear bits which are generated but not distributed */
1786 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1787 
1788 		smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1789 		memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1790 		smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1791 
1792 		smp_distribute_keys(smp);
1793 		return 0;
1794 	}
1795 
1796 	build_pairing_cmd(conn, req, &rsp, auth);
1797 
1798 	if (rsp.auth_req & SMP_AUTH_SC)
1799 		set_bit(SMP_FLAG_SC, &smp->flags);
1800 
1801 	if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1802 		sec_level = BT_SECURITY_MEDIUM;
1803 	else
1804 		sec_level = authreq_to_seclevel(auth);
1805 
1806 	if (sec_level > conn->hcon->pending_sec_level)
1807 		conn->hcon->pending_sec_level = sec_level;
1808 
1809 	/* If we need MITM check that it can be achieved */
1810 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1811 		u8 method;
1812 
1813 		method = get_auth_method(smp, conn->hcon->io_capability,
1814 					 req->io_capability);
1815 		if (method == JUST_WORKS || method == JUST_CFM)
1816 			return SMP_AUTH_REQUIREMENTS;
1817 	}
1818 
1819 	key_size = min(req->max_key_size, rsp.max_key_size);
1820 	if (check_enc_key_size(conn, key_size))
1821 		return SMP_ENC_KEY_SIZE;
1822 
1823 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1824 
1825 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1826 	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1827 
1828 	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1829 
1830 	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1831 
1832 	/* Strictly speaking we shouldn't allow Pairing Confirm for the
1833 	 * SC case, however some implementations incorrectly copy RFU auth
1834 	 * req bits from our security request, which may create a false
1835 	 * positive SC enablement.
1836 	 */
1837 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1838 
1839 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1840 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1841 		/* Clear bits which are generated but not distributed */
1842 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1843 		/* Wait for Public Key from Initiating Device */
1844 		return 0;
1845 	}
1846 
1847 	/* Request setup of TK */
1848 	ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1849 	if (ret)
1850 		return SMP_UNSPECIFIED;
1851 
1852 	return 0;
1853 }
1854 
1855 static u8 sc_send_public_key(struct smp_chan *smp)
1856 {
1857 	struct hci_dev *hdev = smp->conn->hcon->hdev;
1858 
1859 	BT_DBG("");
1860 
1861 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1862 		struct l2cap_chan *chan = hdev->smp_data;
1863 		struct smp_dev *smp_dev;
1864 
1865 		if (!chan || !chan->data)
1866 			return SMP_UNSPECIFIED;
1867 
1868 		smp_dev = chan->data;
1869 
1870 		memcpy(smp->local_pk, smp_dev->local_pk, 64);
1871 		memcpy(smp->local_sk, smp_dev->local_sk, 32);
1872 		memcpy(smp->lr, smp_dev->local_rand, 16);
1873 
1874 		if (smp_dev->debug_key)
1875 			set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1876 
1877 		goto done;
1878 	}
1879 
1880 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1881 		BT_DBG("Using debug keys");
1882 		memcpy(smp->local_pk, debug_pk, 64);
1883 		memcpy(smp->local_sk, debug_sk, 32);
1884 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1885 	} else {
1886 		while (true) {
1887 			/* Generate local key pair for Secure Connections */
1888 			if (!ecc_make_key(smp->local_pk, smp->local_sk))
1889 				return SMP_UNSPECIFIED;
1890 
1891 			/* This is unlikely, but we need to check that
1892 			 * we didn't accidentially generate a debug key.
1893 			 */
1894 			if (memcmp(smp->local_sk, debug_sk, 32))
1895 				break;
1896 		}
1897 	}
1898 
1899 done:
1900 	SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1901 	SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1902 	SMP_DBG("Local Private Key:  %32phN", smp->local_sk);
1903 
1904 	smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1905 
1906 	return 0;
1907 }
1908 
1909 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1910 {
1911 	struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1912 	struct l2cap_chan *chan = conn->smp;
1913 	struct smp_chan *smp = chan->data;
1914 	struct hci_dev *hdev = conn->hcon->hdev;
1915 	u8 key_size, auth;
1916 	int ret;
1917 
1918 	BT_DBG("conn %p", conn);
1919 
1920 	if (skb->len < sizeof(*rsp))
1921 		return SMP_INVALID_PARAMS;
1922 
1923 	if (conn->hcon->role != HCI_ROLE_MASTER)
1924 		return SMP_CMD_NOTSUPP;
1925 
1926 	skb_pull(skb, sizeof(*rsp));
1927 
1928 	req = (void *) &smp->preq[1];
1929 
1930 	key_size = min(req->max_key_size, rsp->max_key_size);
1931 	if (check_enc_key_size(conn, key_size))
1932 		return SMP_ENC_KEY_SIZE;
1933 
1934 	auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1935 
1936 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1937 		return SMP_AUTH_REQUIREMENTS;
1938 
1939 	/* If the remote side's OOB flag is set it means it has
1940 	 * successfully received our local OOB data - therefore set the
1941 	 * flag to indicate that local OOB is in use.
1942 	 */
1943 	if (rsp->oob_flag == SMP_OOB_PRESENT)
1944 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1945 
1946 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1947 	memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1948 
1949 	/* Update remote key distribution in case the remote cleared
1950 	 * some bits that we had enabled in our request.
1951 	 */
1952 	smp->remote_key_dist &= rsp->resp_key_dist;
1953 
1954 	/* For BR/EDR this means we're done and can start phase 3 */
1955 	if (conn->hcon->type == ACL_LINK) {
1956 		/* Clear bits which are generated but not distributed */
1957 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1958 		smp_distribute_keys(smp);
1959 		return 0;
1960 	}
1961 
1962 	if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1963 		set_bit(SMP_FLAG_SC, &smp->flags);
1964 	else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1965 		conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1966 
1967 	/* If we need MITM check that it can be achieved */
1968 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1969 		u8 method;
1970 
1971 		method = get_auth_method(smp, req->io_capability,
1972 					 rsp->io_capability);
1973 		if (method == JUST_WORKS || method == JUST_CFM)
1974 			return SMP_AUTH_REQUIREMENTS;
1975 	}
1976 
1977 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1978 
1979 	/* Update remote key distribution in case the remote cleared
1980 	 * some bits that we had enabled in our request.
1981 	 */
1982 	smp->remote_key_dist &= rsp->resp_key_dist;
1983 
1984 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1985 		/* Clear bits which are generated but not distributed */
1986 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1987 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1988 		return sc_send_public_key(smp);
1989 	}
1990 
1991 	auth |= req->auth_req;
1992 
1993 	ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
1994 	if (ret)
1995 		return SMP_UNSPECIFIED;
1996 
1997 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1998 
1999 	/* Can't compose response until we have been confirmed */
2000 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2001 		return smp_confirm(smp);
2002 
2003 	return 0;
2004 }
2005 
2006 static u8 sc_check_confirm(struct smp_chan *smp)
2007 {
2008 	struct l2cap_conn *conn = smp->conn;
2009 
2010 	BT_DBG("");
2011 
2012 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2013 		return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2014 
2015 	if (conn->hcon->out) {
2016 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2017 			     smp->prnd);
2018 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2019 	}
2020 
2021 	return 0;
2022 }
2023 
2024 /* Work-around for some implementations that incorrectly copy RFU bits
2025  * from our security request and thereby create the impression that
2026  * we're doing SC when in fact the remote doesn't support it.
2027  */
2028 static int fixup_sc_false_positive(struct smp_chan *smp)
2029 {
2030 	struct l2cap_conn *conn = smp->conn;
2031 	struct hci_conn *hcon = conn->hcon;
2032 	struct hci_dev *hdev = hcon->hdev;
2033 	struct smp_cmd_pairing *req, *rsp;
2034 	u8 auth;
2035 
2036 	/* The issue is only observed when we're in slave role */
2037 	if (hcon->out)
2038 		return SMP_UNSPECIFIED;
2039 
2040 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2041 		BT_ERR("Refusing SMP SC -> legacy fallback in SC-only mode");
2042 		return SMP_UNSPECIFIED;
2043 	}
2044 
2045 	BT_ERR("Trying to fall back to legacy SMP");
2046 
2047 	req = (void *) &smp->preq[1];
2048 	rsp = (void *) &smp->prsp[1];
2049 
2050 	/* Rebuild key dist flags which may have been cleared for SC */
2051 	smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2052 
2053 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
2054 
2055 	if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2056 		BT_ERR("Failed to fall back to legacy SMP");
2057 		return SMP_UNSPECIFIED;
2058 	}
2059 
2060 	clear_bit(SMP_FLAG_SC, &smp->flags);
2061 
2062 	return 0;
2063 }
2064 
2065 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2066 {
2067 	struct l2cap_chan *chan = conn->smp;
2068 	struct smp_chan *smp = chan->data;
2069 
2070 	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
2071 
2072 	if (skb->len < sizeof(smp->pcnf))
2073 		return SMP_INVALID_PARAMS;
2074 
2075 	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2076 	skb_pull(skb, sizeof(smp->pcnf));
2077 
2078 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2079 		int ret;
2080 
2081 		/* Public Key exchange must happen before any other steps */
2082 		if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2083 			return sc_check_confirm(smp);
2084 
2085 		BT_ERR("Unexpected SMP Pairing Confirm");
2086 
2087 		ret = fixup_sc_false_positive(smp);
2088 		if (ret)
2089 			return ret;
2090 	}
2091 
2092 	if (conn->hcon->out) {
2093 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2094 			     smp->prnd);
2095 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2096 		return 0;
2097 	}
2098 
2099 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2100 		return smp_confirm(smp);
2101 
2102 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2103 
2104 	return 0;
2105 }
2106 
2107 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2108 {
2109 	struct l2cap_chan *chan = conn->smp;
2110 	struct smp_chan *smp = chan->data;
2111 	struct hci_conn *hcon = conn->hcon;
2112 	u8 *pkax, *pkbx, *na, *nb;
2113 	u32 passkey;
2114 	int err;
2115 
2116 	BT_DBG("conn %p", conn);
2117 
2118 	if (skb->len < sizeof(smp->rrnd))
2119 		return SMP_INVALID_PARAMS;
2120 
2121 	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2122 	skb_pull(skb, sizeof(smp->rrnd));
2123 
2124 	if (!test_bit(SMP_FLAG_SC, &smp->flags))
2125 		return smp_random(smp);
2126 
2127 	if (hcon->out) {
2128 		pkax = smp->local_pk;
2129 		pkbx = smp->remote_pk;
2130 		na   = smp->prnd;
2131 		nb   = smp->rrnd;
2132 	} else {
2133 		pkax = smp->remote_pk;
2134 		pkbx = smp->local_pk;
2135 		na   = smp->rrnd;
2136 		nb   = smp->prnd;
2137 	}
2138 
2139 	if (smp->method == REQ_OOB) {
2140 		if (!hcon->out)
2141 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2142 				     sizeof(smp->prnd), smp->prnd);
2143 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2144 		goto mackey_and_ltk;
2145 	}
2146 
2147 	/* Passkey entry has special treatment */
2148 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2149 		return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2150 
2151 	if (hcon->out) {
2152 		u8 cfm[16];
2153 
2154 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2155 			     smp->rrnd, 0, cfm);
2156 		if (err)
2157 			return SMP_UNSPECIFIED;
2158 
2159 		if (memcmp(smp->pcnf, cfm, 16))
2160 			return SMP_CONFIRM_FAILED;
2161 	} else {
2162 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2163 			     smp->prnd);
2164 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2165 	}
2166 
2167 mackey_and_ltk:
2168 	/* Generate MacKey and LTK */
2169 	err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2170 	if (err)
2171 		return SMP_UNSPECIFIED;
2172 
2173 	if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2174 		if (hcon->out) {
2175 			sc_dhkey_check(smp);
2176 			SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2177 		}
2178 		return 0;
2179 	}
2180 
2181 	err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2182 	if (err)
2183 		return SMP_UNSPECIFIED;
2184 
2185 	err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2186 					hcon->dst_type, passkey, 0);
2187 	if (err)
2188 		return SMP_UNSPECIFIED;
2189 
2190 	set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2191 
2192 	return 0;
2193 }
2194 
2195 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2196 {
2197 	struct smp_ltk *key;
2198 	struct hci_conn *hcon = conn->hcon;
2199 
2200 	key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2201 	if (!key)
2202 		return false;
2203 
2204 	if (smp_ltk_sec_level(key) < sec_level)
2205 		return false;
2206 
2207 	if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2208 		return true;
2209 
2210 	hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2211 	hcon->enc_key_size = key->enc_size;
2212 
2213 	/* We never store STKs for master role, so clear this flag */
2214 	clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2215 
2216 	return true;
2217 }
2218 
2219 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2220 			     enum smp_key_pref key_pref)
2221 {
2222 	if (sec_level == BT_SECURITY_LOW)
2223 		return true;
2224 
2225 	/* If we're encrypted with an STK but the caller prefers using
2226 	 * LTK claim insufficient security. This way we allow the
2227 	 * connection to be re-encrypted with an LTK, even if the LTK
2228 	 * provides the same level of security. Only exception is if we
2229 	 * don't have an LTK (e.g. because of key distribution bits).
2230 	 */
2231 	if (key_pref == SMP_USE_LTK &&
2232 	    test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2233 	    hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2234 		return false;
2235 
2236 	if (hcon->sec_level >= sec_level)
2237 		return true;
2238 
2239 	return false;
2240 }
2241 
2242 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2243 {
2244 	struct smp_cmd_security_req *rp = (void *) skb->data;
2245 	struct smp_cmd_pairing cp;
2246 	struct hci_conn *hcon = conn->hcon;
2247 	struct hci_dev *hdev = hcon->hdev;
2248 	struct smp_chan *smp;
2249 	u8 sec_level, auth;
2250 
2251 	BT_DBG("conn %p", conn);
2252 
2253 	if (skb->len < sizeof(*rp))
2254 		return SMP_INVALID_PARAMS;
2255 
2256 	if (hcon->role != HCI_ROLE_MASTER)
2257 		return SMP_CMD_NOTSUPP;
2258 
2259 	auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2260 
2261 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2262 		return SMP_AUTH_REQUIREMENTS;
2263 
2264 	if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2265 		sec_level = BT_SECURITY_MEDIUM;
2266 	else
2267 		sec_level = authreq_to_seclevel(auth);
2268 
2269 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2270 		return 0;
2271 
2272 	if (sec_level > hcon->pending_sec_level)
2273 		hcon->pending_sec_level = sec_level;
2274 
2275 	if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2276 		return 0;
2277 
2278 	smp = smp_chan_create(conn);
2279 	if (!smp)
2280 		return SMP_UNSPECIFIED;
2281 
2282 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2283 	    (auth & SMP_AUTH_BONDING))
2284 		return SMP_PAIRING_NOTSUPP;
2285 
2286 	skb_pull(skb, sizeof(*rp));
2287 
2288 	memset(&cp, 0, sizeof(cp));
2289 	build_pairing_cmd(conn, &cp, NULL, auth);
2290 
2291 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2292 	memcpy(&smp->preq[1], &cp, sizeof(cp));
2293 
2294 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2295 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2296 
2297 	return 0;
2298 }
2299 
2300 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2301 {
2302 	struct l2cap_conn *conn = hcon->l2cap_data;
2303 	struct l2cap_chan *chan;
2304 	struct smp_chan *smp;
2305 	__u8 authreq;
2306 	int ret;
2307 
2308 	BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2309 
2310 	/* This may be NULL if there's an unexpected disconnection */
2311 	if (!conn)
2312 		return 1;
2313 
2314 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2315 		return 1;
2316 
2317 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2318 		return 1;
2319 
2320 	if (sec_level > hcon->pending_sec_level)
2321 		hcon->pending_sec_level = sec_level;
2322 
2323 	if (hcon->role == HCI_ROLE_MASTER)
2324 		if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2325 			return 0;
2326 
2327 	chan = conn->smp;
2328 	if (!chan) {
2329 		BT_ERR("SMP security requested but not available");
2330 		return 1;
2331 	}
2332 
2333 	l2cap_chan_lock(chan);
2334 
2335 	/* If SMP is already in progress ignore this request */
2336 	if (chan->data) {
2337 		ret = 0;
2338 		goto unlock;
2339 	}
2340 
2341 	smp = smp_chan_create(conn);
2342 	if (!smp) {
2343 		ret = 1;
2344 		goto unlock;
2345 	}
2346 
2347 	authreq = seclevel_to_authreq(sec_level);
2348 
2349 	if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED))
2350 		authreq |= SMP_AUTH_SC;
2351 
2352 	/* Require MITM if IO Capability allows or the security level
2353 	 * requires it.
2354 	 */
2355 	if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2356 	    hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2357 		authreq |= SMP_AUTH_MITM;
2358 
2359 	if (hcon->role == HCI_ROLE_MASTER) {
2360 		struct smp_cmd_pairing cp;
2361 
2362 		build_pairing_cmd(conn, &cp, NULL, authreq);
2363 		smp->preq[0] = SMP_CMD_PAIRING_REQ;
2364 		memcpy(&smp->preq[1], &cp, sizeof(cp));
2365 
2366 		smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2367 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2368 	} else {
2369 		struct smp_cmd_security_req cp;
2370 		cp.auth_req = authreq;
2371 		smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2372 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2373 	}
2374 
2375 	set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2376 	ret = 0;
2377 
2378 unlock:
2379 	l2cap_chan_unlock(chan);
2380 	return ret;
2381 }
2382 
2383 void smp_cancel_pairing(struct hci_conn *hcon)
2384 {
2385 	struct l2cap_conn *conn = hcon->l2cap_data;
2386 	struct l2cap_chan *chan;
2387 	struct smp_chan *smp;
2388 
2389 	if (!conn)
2390 		return;
2391 
2392 	chan = conn->smp;
2393 	if (!chan)
2394 		return;
2395 
2396 	l2cap_chan_lock(chan);
2397 
2398 	smp = chan->data;
2399 	if (smp) {
2400 		if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2401 			smp_failure(conn, 0);
2402 		else
2403 			smp_failure(conn, SMP_UNSPECIFIED);
2404 	}
2405 
2406 	l2cap_chan_unlock(chan);
2407 }
2408 
2409 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2410 {
2411 	struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2412 	struct l2cap_chan *chan = conn->smp;
2413 	struct smp_chan *smp = chan->data;
2414 
2415 	BT_DBG("conn %p", conn);
2416 
2417 	if (skb->len < sizeof(*rp))
2418 		return SMP_INVALID_PARAMS;
2419 
2420 	SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2421 
2422 	skb_pull(skb, sizeof(*rp));
2423 
2424 	memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2425 
2426 	return 0;
2427 }
2428 
2429 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2430 {
2431 	struct smp_cmd_master_ident *rp = (void *) skb->data;
2432 	struct l2cap_chan *chan = conn->smp;
2433 	struct smp_chan *smp = chan->data;
2434 	struct hci_dev *hdev = conn->hcon->hdev;
2435 	struct hci_conn *hcon = conn->hcon;
2436 	struct smp_ltk *ltk;
2437 	u8 authenticated;
2438 
2439 	BT_DBG("conn %p", conn);
2440 
2441 	if (skb->len < sizeof(*rp))
2442 		return SMP_INVALID_PARAMS;
2443 
2444 	/* Mark the information as received */
2445 	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2446 
2447 	if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2448 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2449 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
2450 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2451 
2452 	skb_pull(skb, sizeof(*rp));
2453 
2454 	authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2455 	ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2456 			  authenticated, smp->tk, smp->enc_key_size,
2457 			  rp->ediv, rp->rand);
2458 	smp->ltk = ltk;
2459 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2460 		smp_distribute_keys(smp);
2461 
2462 	return 0;
2463 }
2464 
2465 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2466 {
2467 	struct smp_cmd_ident_info *info = (void *) skb->data;
2468 	struct l2cap_chan *chan = conn->smp;
2469 	struct smp_chan *smp = chan->data;
2470 
2471 	BT_DBG("");
2472 
2473 	if (skb->len < sizeof(*info))
2474 		return SMP_INVALID_PARAMS;
2475 
2476 	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2477 
2478 	skb_pull(skb, sizeof(*info));
2479 
2480 	memcpy(smp->irk, info->irk, 16);
2481 
2482 	return 0;
2483 }
2484 
2485 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2486 				   struct sk_buff *skb)
2487 {
2488 	struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2489 	struct l2cap_chan *chan = conn->smp;
2490 	struct smp_chan *smp = chan->data;
2491 	struct hci_conn *hcon = conn->hcon;
2492 	bdaddr_t rpa;
2493 
2494 	BT_DBG("");
2495 
2496 	if (skb->len < sizeof(*info))
2497 		return SMP_INVALID_PARAMS;
2498 
2499 	/* Mark the information as received */
2500 	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2501 
2502 	if (smp->remote_key_dist & SMP_DIST_SIGN)
2503 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2504 
2505 	skb_pull(skb, sizeof(*info));
2506 
2507 	/* Strictly speaking the Core Specification (4.1) allows sending
2508 	 * an empty address which would force us to rely on just the IRK
2509 	 * as "identity information". However, since such
2510 	 * implementations are not known of and in order to not over
2511 	 * complicate our implementation, simply pretend that we never
2512 	 * received an IRK for such a device.
2513 	 *
2514 	 * The Identity Address must also be a Static Random or Public
2515 	 * Address, which hci_is_identity_address() checks for.
2516 	 */
2517 	if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2518 	    !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2519 		BT_ERR("Ignoring IRK with no identity address");
2520 		goto distribute;
2521 	}
2522 
2523 	bacpy(&smp->id_addr, &info->bdaddr);
2524 	smp->id_addr_type = info->addr_type;
2525 
2526 	if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2527 		bacpy(&rpa, &hcon->dst);
2528 	else
2529 		bacpy(&rpa, BDADDR_ANY);
2530 
2531 	smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2532 				      smp->id_addr_type, smp->irk, &rpa);
2533 
2534 distribute:
2535 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2536 		smp_distribute_keys(smp);
2537 
2538 	return 0;
2539 }
2540 
2541 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2542 {
2543 	struct smp_cmd_sign_info *rp = (void *) skb->data;
2544 	struct l2cap_chan *chan = conn->smp;
2545 	struct smp_chan *smp = chan->data;
2546 	struct smp_csrk *csrk;
2547 
2548 	BT_DBG("conn %p", conn);
2549 
2550 	if (skb->len < sizeof(*rp))
2551 		return SMP_INVALID_PARAMS;
2552 
2553 	/* Mark the information as received */
2554 	smp->remote_key_dist &= ~SMP_DIST_SIGN;
2555 
2556 	skb_pull(skb, sizeof(*rp));
2557 
2558 	csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2559 	if (csrk) {
2560 		if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2561 			csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2562 		else
2563 			csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2564 		memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2565 	}
2566 	smp->csrk = csrk;
2567 	smp_distribute_keys(smp);
2568 
2569 	return 0;
2570 }
2571 
2572 static u8 sc_select_method(struct smp_chan *smp)
2573 {
2574 	struct l2cap_conn *conn = smp->conn;
2575 	struct hci_conn *hcon = conn->hcon;
2576 	struct smp_cmd_pairing *local, *remote;
2577 	u8 local_mitm, remote_mitm, local_io, remote_io, method;
2578 
2579 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2580 	    test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2581 		return REQ_OOB;
2582 
2583 	/* The preq/prsp contain the raw Pairing Request/Response PDUs
2584 	 * which are needed as inputs to some crypto functions. To get
2585 	 * the "struct smp_cmd_pairing" from them we need to skip the
2586 	 * first byte which contains the opcode.
2587 	 */
2588 	if (hcon->out) {
2589 		local = (void *) &smp->preq[1];
2590 		remote = (void *) &smp->prsp[1];
2591 	} else {
2592 		local = (void *) &smp->prsp[1];
2593 		remote = (void *) &smp->preq[1];
2594 	}
2595 
2596 	local_io = local->io_capability;
2597 	remote_io = remote->io_capability;
2598 
2599 	local_mitm = (local->auth_req & SMP_AUTH_MITM);
2600 	remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2601 
2602 	/* If either side wants MITM, look up the method from the table,
2603 	 * otherwise use JUST WORKS.
2604 	 */
2605 	if (local_mitm || remote_mitm)
2606 		method = get_auth_method(smp, local_io, remote_io);
2607 	else
2608 		method = JUST_WORKS;
2609 
2610 	/* Don't confirm locally initiated pairing attempts */
2611 	if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2612 		method = JUST_WORKS;
2613 
2614 	return method;
2615 }
2616 
2617 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2618 {
2619 	struct smp_cmd_public_key *key = (void *) skb->data;
2620 	struct hci_conn *hcon = conn->hcon;
2621 	struct l2cap_chan *chan = conn->smp;
2622 	struct smp_chan *smp = chan->data;
2623 	struct hci_dev *hdev = hcon->hdev;
2624 	struct smp_cmd_pairing_confirm cfm;
2625 	int err;
2626 
2627 	BT_DBG("conn %p", conn);
2628 
2629 	if (skb->len < sizeof(*key))
2630 		return SMP_INVALID_PARAMS;
2631 
2632 	memcpy(smp->remote_pk, key, 64);
2633 
2634 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2635 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2636 			     smp->rr, 0, cfm.confirm_val);
2637 		if (err)
2638 			return SMP_UNSPECIFIED;
2639 
2640 		if (memcmp(cfm.confirm_val, smp->pcnf, 16))
2641 			return SMP_CONFIRM_FAILED;
2642 	}
2643 
2644 	/* Non-initiating device sends its public key after receiving
2645 	 * the key from the initiating device.
2646 	 */
2647 	if (!hcon->out) {
2648 		err = sc_send_public_key(smp);
2649 		if (err)
2650 			return err;
2651 	}
2652 
2653 	SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2654 	SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2655 
2656 	if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2657 		return SMP_UNSPECIFIED;
2658 
2659 	SMP_DBG("DHKey %32phN", smp->dhkey);
2660 
2661 	set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2662 
2663 	smp->method = sc_select_method(smp);
2664 
2665 	BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2666 
2667 	/* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2668 	if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2669 		hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2670 	else
2671 		hcon->pending_sec_level = BT_SECURITY_FIPS;
2672 
2673 	if (!memcmp(debug_pk, smp->remote_pk, 64))
2674 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2675 
2676 	if (smp->method == DSP_PASSKEY) {
2677 		get_random_bytes(&hcon->passkey_notify,
2678 				 sizeof(hcon->passkey_notify));
2679 		hcon->passkey_notify %= 1000000;
2680 		hcon->passkey_entered = 0;
2681 		smp->passkey_round = 0;
2682 		if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2683 					     hcon->dst_type,
2684 					     hcon->passkey_notify,
2685 					     hcon->passkey_entered))
2686 			return SMP_UNSPECIFIED;
2687 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2688 		return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2689 	}
2690 
2691 	if (smp->method == REQ_OOB) {
2692 		if (hcon->out)
2693 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2694 				     sizeof(smp->prnd), smp->prnd);
2695 
2696 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2697 
2698 		return 0;
2699 	}
2700 
2701 	if (hcon->out)
2702 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2703 
2704 	if (smp->method == REQ_PASSKEY) {
2705 		if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2706 					      hcon->dst_type))
2707 			return SMP_UNSPECIFIED;
2708 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2709 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2710 		return 0;
2711 	}
2712 
2713 	/* The Initiating device waits for the non-initiating device to
2714 	 * send the confirm value.
2715 	 */
2716 	if (conn->hcon->out)
2717 		return 0;
2718 
2719 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2720 		     0, cfm.confirm_val);
2721 	if (err)
2722 		return SMP_UNSPECIFIED;
2723 
2724 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2725 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2726 
2727 	return 0;
2728 }
2729 
2730 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2731 {
2732 	struct smp_cmd_dhkey_check *check = (void *) skb->data;
2733 	struct l2cap_chan *chan = conn->smp;
2734 	struct hci_conn *hcon = conn->hcon;
2735 	struct smp_chan *smp = chan->data;
2736 	u8 a[7], b[7], *local_addr, *remote_addr;
2737 	u8 io_cap[3], r[16], e[16];
2738 	int err;
2739 
2740 	BT_DBG("conn %p", conn);
2741 
2742 	if (skb->len < sizeof(*check))
2743 		return SMP_INVALID_PARAMS;
2744 
2745 	memcpy(a, &hcon->init_addr, 6);
2746 	memcpy(b, &hcon->resp_addr, 6);
2747 	a[6] = hcon->init_addr_type;
2748 	b[6] = hcon->resp_addr_type;
2749 
2750 	if (hcon->out) {
2751 		local_addr = a;
2752 		remote_addr = b;
2753 		memcpy(io_cap, &smp->prsp[1], 3);
2754 	} else {
2755 		local_addr = b;
2756 		remote_addr = a;
2757 		memcpy(io_cap, &smp->preq[1], 3);
2758 	}
2759 
2760 	memset(r, 0, sizeof(r));
2761 
2762 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2763 		put_unaligned_le32(hcon->passkey_notify, r);
2764 	else if (smp->method == REQ_OOB)
2765 		memcpy(r, smp->lr, 16);
2766 
2767 	err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2768 		     io_cap, remote_addr, local_addr, e);
2769 	if (err)
2770 		return SMP_UNSPECIFIED;
2771 
2772 	if (memcmp(check->e, e, 16))
2773 		return SMP_DHKEY_CHECK_FAILED;
2774 
2775 	if (!hcon->out) {
2776 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2777 			set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2778 			return 0;
2779 		}
2780 
2781 		/* Slave sends DHKey check as response to master */
2782 		sc_dhkey_check(smp);
2783 	}
2784 
2785 	sc_add_ltk(smp);
2786 
2787 	if (hcon->out) {
2788 		hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2789 		hcon->enc_key_size = smp->enc_key_size;
2790 	}
2791 
2792 	return 0;
2793 }
2794 
2795 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2796 				   struct sk_buff *skb)
2797 {
2798 	struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2799 
2800 	BT_DBG("value 0x%02x", kp->value);
2801 
2802 	return 0;
2803 }
2804 
2805 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2806 {
2807 	struct l2cap_conn *conn = chan->conn;
2808 	struct hci_conn *hcon = conn->hcon;
2809 	struct smp_chan *smp;
2810 	__u8 code, reason;
2811 	int err = 0;
2812 
2813 	if (skb->len < 1)
2814 		return -EILSEQ;
2815 
2816 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2817 		reason = SMP_PAIRING_NOTSUPP;
2818 		goto done;
2819 	}
2820 
2821 	code = skb->data[0];
2822 	skb_pull(skb, sizeof(code));
2823 
2824 	smp = chan->data;
2825 
2826 	if (code > SMP_CMD_MAX)
2827 		goto drop;
2828 
2829 	if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2830 		goto drop;
2831 
2832 	/* If we don't have a context the only allowed commands are
2833 	 * pairing request and security request.
2834 	 */
2835 	if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2836 		goto drop;
2837 
2838 	switch (code) {
2839 	case SMP_CMD_PAIRING_REQ:
2840 		reason = smp_cmd_pairing_req(conn, skb);
2841 		break;
2842 
2843 	case SMP_CMD_PAIRING_FAIL:
2844 		smp_failure(conn, 0);
2845 		err = -EPERM;
2846 		break;
2847 
2848 	case SMP_CMD_PAIRING_RSP:
2849 		reason = smp_cmd_pairing_rsp(conn, skb);
2850 		break;
2851 
2852 	case SMP_CMD_SECURITY_REQ:
2853 		reason = smp_cmd_security_req(conn, skb);
2854 		break;
2855 
2856 	case SMP_CMD_PAIRING_CONFIRM:
2857 		reason = smp_cmd_pairing_confirm(conn, skb);
2858 		break;
2859 
2860 	case SMP_CMD_PAIRING_RANDOM:
2861 		reason = smp_cmd_pairing_random(conn, skb);
2862 		break;
2863 
2864 	case SMP_CMD_ENCRYPT_INFO:
2865 		reason = smp_cmd_encrypt_info(conn, skb);
2866 		break;
2867 
2868 	case SMP_CMD_MASTER_IDENT:
2869 		reason = smp_cmd_master_ident(conn, skb);
2870 		break;
2871 
2872 	case SMP_CMD_IDENT_INFO:
2873 		reason = smp_cmd_ident_info(conn, skb);
2874 		break;
2875 
2876 	case SMP_CMD_IDENT_ADDR_INFO:
2877 		reason = smp_cmd_ident_addr_info(conn, skb);
2878 		break;
2879 
2880 	case SMP_CMD_SIGN_INFO:
2881 		reason = smp_cmd_sign_info(conn, skb);
2882 		break;
2883 
2884 	case SMP_CMD_PUBLIC_KEY:
2885 		reason = smp_cmd_public_key(conn, skb);
2886 		break;
2887 
2888 	case SMP_CMD_DHKEY_CHECK:
2889 		reason = smp_cmd_dhkey_check(conn, skb);
2890 		break;
2891 
2892 	case SMP_CMD_KEYPRESS_NOTIFY:
2893 		reason = smp_cmd_keypress_notify(conn, skb);
2894 		break;
2895 
2896 	default:
2897 		BT_DBG("Unknown command code 0x%2.2x", code);
2898 		reason = SMP_CMD_NOTSUPP;
2899 		goto done;
2900 	}
2901 
2902 done:
2903 	if (!err) {
2904 		if (reason)
2905 			smp_failure(conn, reason);
2906 		kfree_skb(skb);
2907 	}
2908 
2909 	return err;
2910 
2911 drop:
2912 	BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2913 	       code, &hcon->dst);
2914 	kfree_skb(skb);
2915 	return 0;
2916 }
2917 
2918 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2919 {
2920 	struct l2cap_conn *conn = chan->conn;
2921 
2922 	BT_DBG("chan %p", chan);
2923 
2924 	if (chan->data)
2925 		smp_chan_destroy(conn);
2926 
2927 	conn->smp = NULL;
2928 	l2cap_chan_put(chan);
2929 }
2930 
2931 static void bredr_pairing(struct l2cap_chan *chan)
2932 {
2933 	struct l2cap_conn *conn = chan->conn;
2934 	struct hci_conn *hcon = conn->hcon;
2935 	struct hci_dev *hdev = hcon->hdev;
2936 	struct smp_cmd_pairing req;
2937 	struct smp_chan *smp;
2938 
2939 	BT_DBG("chan %p", chan);
2940 
2941 	/* Only new pairings are interesting */
2942 	if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2943 		return;
2944 
2945 	/* Don't bother if we're not encrypted */
2946 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2947 		return;
2948 
2949 	/* Only master may initiate SMP over BR/EDR */
2950 	if (hcon->role != HCI_ROLE_MASTER)
2951 		return;
2952 
2953 	/* Secure Connections support must be enabled */
2954 	if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
2955 		return;
2956 
2957 	/* BR/EDR must use Secure Connections for SMP */
2958 	if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
2959 	    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
2960 		return;
2961 
2962 	/* If our LE support is not enabled don't do anything */
2963 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
2964 		return;
2965 
2966 	/* Don't bother if remote LE support is not enabled */
2967 	if (!lmp_host_le_capable(hcon))
2968 		return;
2969 
2970 	/* Remote must support SMP fixed chan for BR/EDR */
2971 	if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
2972 		return;
2973 
2974 	/* Don't bother if SMP is already ongoing */
2975 	if (chan->data)
2976 		return;
2977 
2978 	smp = smp_chan_create(conn);
2979 	if (!smp) {
2980 		BT_ERR("%s unable to create SMP context for BR/EDR",
2981 		       hdev->name);
2982 		return;
2983 	}
2984 
2985 	set_bit(SMP_FLAG_SC, &smp->flags);
2986 
2987 	BT_DBG("%s starting SMP over BR/EDR", hdev->name);
2988 
2989 	/* Prepare and send the BR/EDR SMP Pairing Request */
2990 	build_bredr_pairing_cmd(smp, &req, NULL);
2991 
2992 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2993 	memcpy(&smp->preq[1], &req, sizeof(req));
2994 
2995 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
2996 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2997 }
2998 
2999 static void smp_resume_cb(struct l2cap_chan *chan)
3000 {
3001 	struct smp_chan *smp = chan->data;
3002 	struct l2cap_conn *conn = chan->conn;
3003 	struct hci_conn *hcon = conn->hcon;
3004 
3005 	BT_DBG("chan %p", chan);
3006 
3007 	if (hcon->type == ACL_LINK) {
3008 		bredr_pairing(chan);
3009 		return;
3010 	}
3011 
3012 	if (!smp)
3013 		return;
3014 
3015 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3016 		return;
3017 
3018 	cancel_delayed_work(&smp->security_timer);
3019 
3020 	smp_distribute_keys(smp);
3021 }
3022 
3023 static void smp_ready_cb(struct l2cap_chan *chan)
3024 {
3025 	struct l2cap_conn *conn = chan->conn;
3026 	struct hci_conn *hcon = conn->hcon;
3027 
3028 	BT_DBG("chan %p", chan);
3029 
3030 	/* No need to call l2cap_chan_hold() here since we already own
3031 	 * the reference taken in smp_new_conn_cb(). This is just the
3032 	 * first time that we tie it to a specific pointer. The code in
3033 	 * l2cap_core.c ensures that there's no risk this function wont
3034 	 * get called if smp_new_conn_cb was previously called.
3035 	 */
3036 	conn->smp = chan;
3037 
3038 	if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3039 		bredr_pairing(chan);
3040 }
3041 
3042 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3043 {
3044 	int err;
3045 
3046 	BT_DBG("chan %p", chan);
3047 
3048 	err = smp_sig_channel(chan, skb);
3049 	if (err) {
3050 		struct smp_chan *smp = chan->data;
3051 
3052 		if (smp)
3053 			cancel_delayed_work_sync(&smp->security_timer);
3054 
3055 		hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3056 	}
3057 
3058 	return err;
3059 }
3060 
3061 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3062 					unsigned long hdr_len,
3063 					unsigned long len, int nb)
3064 {
3065 	struct sk_buff *skb;
3066 
3067 	skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3068 	if (!skb)
3069 		return ERR_PTR(-ENOMEM);
3070 
3071 	skb->priority = HCI_PRIO_MAX;
3072 	bt_cb(skb)->l2cap.chan = chan;
3073 
3074 	return skb;
3075 }
3076 
3077 static const struct l2cap_ops smp_chan_ops = {
3078 	.name			= "Security Manager",
3079 	.ready			= smp_ready_cb,
3080 	.recv			= smp_recv_cb,
3081 	.alloc_skb		= smp_alloc_skb_cb,
3082 	.teardown		= smp_teardown_cb,
3083 	.resume			= smp_resume_cb,
3084 
3085 	.new_connection		= l2cap_chan_no_new_connection,
3086 	.state_change		= l2cap_chan_no_state_change,
3087 	.close			= l2cap_chan_no_close,
3088 	.defer			= l2cap_chan_no_defer,
3089 	.suspend		= l2cap_chan_no_suspend,
3090 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3091 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3092 };
3093 
3094 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3095 {
3096 	struct l2cap_chan *chan;
3097 
3098 	BT_DBG("pchan %p", pchan);
3099 
3100 	chan = l2cap_chan_create();
3101 	if (!chan)
3102 		return NULL;
3103 
3104 	chan->chan_type	= pchan->chan_type;
3105 	chan->ops	= &smp_chan_ops;
3106 	chan->scid	= pchan->scid;
3107 	chan->dcid	= chan->scid;
3108 	chan->imtu	= pchan->imtu;
3109 	chan->omtu	= pchan->omtu;
3110 	chan->mode	= pchan->mode;
3111 
3112 	/* Other L2CAP channels may request SMP routines in order to
3113 	 * change the security level. This means that the SMP channel
3114 	 * lock must be considered in its own category to avoid lockdep
3115 	 * warnings.
3116 	 */
3117 	atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3118 
3119 	BT_DBG("created chan %p", chan);
3120 
3121 	return chan;
3122 }
3123 
3124 static const struct l2cap_ops smp_root_chan_ops = {
3125 	.name			= "Security Manager Root",
3126 	.new_connection		= smp_new_conn_cb,
3127 
3128 	/* None of these are implemented for the root channel */
3129 	.close			= l2cap_chan_no_close,
3130 	.alloc_skb		= l2cap_chan_no_alloc_skb,
3131 	.recv			= l2cap_chan_no_recv,
3132 	.state_change		= l2cap_chan_no_state_change,
3133 	.teardown		= l2cap_chan_no_teardown,
3134 	.ready			= l2cap_chan_no_ready,
3135 	.defer			= l2cap_chan_no_defer,
3136 	.suspend		= l2cap_chan_no_suspend,
3137 	.resume			= l2cap_chan_no_resume,
3138 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3139 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3140 };
3141 
3142 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3143 {
3144 	struct l2cap_chan *chan;
3145 	struct smp_dev *smp;
3146 	struct crypto_blkcipher *tfm_aes;
3147 	struct crypto_hash *tfm_cmac;
3148 
3149 	if (cid == L2CAP_CID_SMP_BREDR) {
3150 		smp = NULL;
3151 		goto create_chan;
3152 	}
3153 
3154 	smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3155 	if (!smp)
3156 		return ERR_PTR(-ENOMEM);
3157 
3158 	tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
3159 	if (IS_ERR(tfm_aes)) {
3160 		BT_ERR("Unable to create ECB crypto context");
3161 		kzfree(smp);
3162 		return ERR_CAST(tfm_aes);
3163 	}
3164 
3165 	tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3166 	if (IS_ERR(tfm_cmac)) {
3167 		BT_ERR("Unable to create CMAC crypto context");
3168 		crypto_free_blkcipher(tfm_aes);
3169 		kzfree(smp);
3170 		return ERR_CAST(tfm_cmac);
3171 	}
3172 
3173 	smp->tfm_aes = tfm_aes;
3174 	smp->tfm_cmac = tfm_cmac;
3175 	smp->min_key_size = SMP_MIN_ENC_KEY_SIZE;
3176 	smp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
3177 
3178 create_chan:
3179 	chan = l2cap_chan_create();
3180 	if (!chan) {
3181 		if (smp) {
3182 			crypto_free_blkcipher(smp->tfm_aes);
3183 			crypto_free_hash(smp->tfm_cmac);
3184 			kzfree(smp);
3185 		}
3186 		return ERR_PTR(-ENOMEM);
3187 	}
3188 
3189 	chan->data = smp;
3190 
3191 	l2cap_add_scid(chan, cid);
3192 
3193 	l2cap_chan_set_defaults(chan);
3194 
3195 	if (cid == L2CAP_CID_SMP) {
3196 		u8 bdaddr_type;
3197 
3198 		hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3199 
3200 		if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3201 			chan->src_type = BDADDR_LE_PUBLIC;
3202 		else
3203 			chan->src_type = BDADDR_LE_RANDOM;
3204 	} else {
3205 		bacpy(&chan->src, &hdev->bdaddr);
3206 		chan->src_type = BDADDR_BREDR;
3207 	}
3208 
3209 	chan->state = BT_LISTEN;
3210 	chan->mode = L2CAP_MODE_BASIC;
3211 	chan->imtu = L2CAP_DEFAULT_MTU;
3212 	chan->ops = &smp_root_chan_ops;
3213 
3214 	/* Set correct nesting level for a parent/listening channel */
3215 	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3216 
3217 	return chan;
3218 }
3219 
3220 static void smp_del_chan(struct l2cap_chan *chan)
3221 {
3222 	struct smp_dev *smp;
3223 
3224 	BT_DBG("chan %p", chan);
3225 
3226 	smp = chan->data;
3227 	if (smp) {
3228 		chan->data = NULL;
3229 		if (smp->tfm_aes)
3230 			crypto_free_blkcipher(smp->tfm_aes);
3231 		if (smp->tfm_cmac)
3232 			crypto_free_hash(smp->tfm_cmac);
3233 		kzfree(smp);
3234 	}
3235 
3236 	l2cap_chan_put(chan);
3237 }
3238 
3239 static ssize_t force_bredr_smp_read(struct file *file,
3240 				    char __user *user_buf,
3241 				    size_t count, loff_t *ppos)
3242 {
3243 	struct hci_dev *hdev = file->private_data;
3244 	char buf[3];
3245 
3246 	buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3247 	buf[1] = '\n';
3248 	buf[2] = '\0';
3249 	return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3250 }
3251 
3252 static ssize_t force_bredr_smp_write(struct file *file,
3253 				     const char __user *user_buf,
3254 				     size_t count, loff_t *ppos)
3255 {
3256 	struct hci_dev *hdev = file->private_data;
3257 	char buf[32];
3258 	size_t buf_size = min(count, (sizeof(buf)-1));
3259 	bool enable;
3260 
3261 	if (copy_from_user(buf, user_buf, buf_size))
3262 		return -EFAULT;
3263 
3264 	buf[buf_size] = '\0';
3265 	if (strtobool(buf, &enable))
3266 		return -EINVAL;
3267 
3268 	if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3269 		return -EALREADY;
3270 
3271 	if (enable) {
3272 		struct l2cap_chan *chan;
3273 
3274 		chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3275 		if (IS_ERR(chan))
3276 			return PTR_ERR(chan);
3277 
3278 		hdev->smp_bredr_data = chan;
3279 	} else {
3280 		struct l2cap_chan *chan;
3281 
3282 		chan = hdev->smp_bredr_data;
3283 		hdev->smp_bredr_data = NULL;
3284 		smp_del_chan(chan);
3285 	}
3286 
3287 	hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3288 
3289 	return count;
3290 }
3291 
3292 static const struct file_operations force_bredr_smp_fops = {
3293 	.open		= simple_open,
3294 	.read		= force_bredr_smp_read,
3295 	.write		= force_bredr_smp_write,
3296 	.llseek		= default_llseek,
3297 };
3298 
3299 static ssize_t le_min_key_size_read(struct file *file,
3300 				     char __user *user_buf,
3301 				     size_t count, loff_t *ppos)
3302 {
3303 	struct hci_dev *hdev = file->private_data;
3304 	char buf[4];
3305 
3306 	snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->min_key_size);
3307 
3308 	return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3309 }
3310 
3311 static ssize_t le_min_key_size_write(struct file *file,
3312 				      const char __user *user_buf,
3313 				      size_t count, loff_t *ppos)
3314 {
3315 	struct hci_dev *hdev = file->private_data;
3316 	char buf[32];
3317 	size_t buf_size = min(count, (sizeof(buf) - 1));
3318 	u8 key_size;
3319 
3320 	if (copy_from_user(buf, user_buf, buf_size))
3321 		return -EFAULT;
3322 
3323 	buf[buf_size] = '\0';
3324 
3325 	sscanf(buf, "%hhu", &key_size);
3326 
3327 	if (key_size > SMP_DEV(hdev)->max_key_size ||
3328 	    key_size < SMP_MIN_ENC_KEY_SIZE)
3329 		return -EINVAL;
3330 
3331 	SMP_DEV(hdev)->min_key_size = key_size;
3332 
3333 	return count;
3334 }
3335 
3336 static const struct file_operations le_min_key_size_fops = {
3337 	.open		= simple_open,
3338 	.read		= le_min_key_size_read,
3339 	.write		= le_min_key_size_write,
3340 	.llseek		= default_llseek,
3341 };
3342 
3343 static ssize_t le_max_key_size_read(struct file *file,
3344 				     char __user *user_buf,
3345 				     size_t count, loff_t *ppos)
3346 {
3347 	struct hci_dev *hdev = file->private_data;
3348 	char buf[4];
3349 
3350 	snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->max_key_size);
3351 
3352 	return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3353 }
3354 
3355 static ssize_t le_max_key_size_write(struct file *file,
3356 				      const char __user *user_buf,
3357 				      size_t count, loff_t *ppos)
3358 {
3359 	struct hci_dev *hdev = file->private_data;
3360 	char buf[32];
3361 	size_t buf_size = min(count, (sizeof(buf) - 1));
3362 	u8 key_size;
3363 
3364 	if (copy_from_user(buf, user_buf, buf_size))
3365 		return -EFAULT;
3366 
3367 	buf[buf_size] = '\0';
3368 
3369 	sscanf(buf, "%hhu", &key_size);
3370 
3371 	if (key_size > SMP_MAX_ENC_KEY_SIZE ||
3372 	    key_size < SMP_DEV(hdev)->min_key_size)
3373 		return -EINVAL;
3374 
3375 	SMP_DEV(hdev)->max_key_size = key_size;
3376 
3377 	return count;
3378 }
3379 
3380 static const struct file_operations le_max_key_size_fops = {
3381 	.open		= simple_open,
3382 	.read		= le_max_key_size_read,
3383 	.write		= le_max_key_size_write,
3384 	.llseek		= default_llseek,
3385 };
3386 
3387 int smp_register(struct hci_dev *hdev)
3388 {
3389 	struct l2cap_chan *chan;
3390 
3391 	BT_DBG("%s", hdev->name);
3392 
3393 	/* If the controller does not support Low Energy operation, then
3394 	 * there is also no need to register any SMP channel.
3395 	 */
3396 	if (!lmp_le_capable(hdev))
3397 		return 0;
3398 
3399 	if (WARN_ON(hdev->smp_data)) {
3400 		chan = hdev->smp_data;
3401 		hdev->smp_data = NULL;
3402 		smp_del_chan(chan);
3403 	}
3404 
3405 	chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3406 	if (IS_ERR(chan))
3407 		return PTR_ERR(chan);
3408 
3409 	hdev->smp_data = chan;
3410 
3411 	debugfs_create_file("le_min_key_size", 0644, hdev->debugfs, hdev,
3412 			    &le_min_key_size_fops);
3413 	debugfs_create_file("le_max_key_size", 0644, hdev->debugfs, hdev,
3414 			    &le_max_key_size_fops);
3415 
3416 	/* If the controller does not support BR/EDR Secure Connections
3417 	 * feature, then the BR/EDR SMP channel shall not be present.
3418 	 *
3419 	 * To test this with Bluetooth 4.0 controllers, create a debugfs
3420 	 * switch that allows forcing BR/EDR SMP support and accepting
3421 	 * cross-transport pairing on non-AES encrypted connections.
3422 	 */
3423 	if (!lmp_sc_capable(hdev)) {
3424 		debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3425 				    hdev, &force_bredr_smp_fops);
3426 		return 0;
3427 	}
3428 
3429 	if (WARN_ON(hdev->smp_bredr_data)) {
3430 		chan = hdev->smp_bredr_data;
3431 		hdev->smp_bredr_data = NULL;
3432 		smp_del_chan(chan);
3433 	}
3434 
3435 	chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3436 	if (IS_ERR(chan)) {
3437 		int err = PTR_ERR(chan);
3438 		chan = hdev->smp_data;
3439 		hdev->smp_data = NULL;
3440 		smp_del_chan(chan);
3441 		return err;
3442 	}
3443 
3444 	hdev->smp_bredr_data = chan;
3445 
3446 	return 0;
3447 }
3448 
3449 void smp_unregister(struct hci_dev *hdev)
3450 {
3451 	struct l2cap_chan *chan;
3452 
3453 	if (hdev->smp_bredr_data) {
3454 		chan = hdev->smp_bredr_data;
3455 		hdev->smp_bredr_data = NULL;
3456 		smp_del_chan(chan);
3457 	}
3458 
3459 	if (hdev->smp_data) {
3460 		chan = hdev->smp_data;
3461 		hdev->smp_data = NULL;
3462 		smp_del_chan(chan);
3463 	}
3464 }
3465 
3466 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3467 
3468 static int __init test_ah(struct crypto_blkcipher *tfm_aes)
3469 {
3470 	const u8 irk[16] = {
3471 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3472 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3473 	const u8 r[3] = { 0x94, 0x81, 0x70 };
3474 	const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3475 	u8 res[3];
3476 	int err;
3477 
3478 	err = smp_ah(tfm_aes, irk, r, res);
3479 	if (err)
3480 		return err;
3481 
3482 	if (memcmp(res, exp, 3))
3483 		return -EINVAL;
3484 
3485 	return 0;
3486 }
3487 
3488 static int __init test_c1(struct crypto_blkcipher *tfm_aes)
3489 {
3490 	const u8 k[16] = {
3491 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3492 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3493 	const u8 r[16] = {
3494 			0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3495 			0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3496 	const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3497 	const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3498 	const u8 _iat = 0x01;
3499 	const u8 _rat = 0x00;
3500 	const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3501 	const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3502 	const u8 exp[16] = {
3503 			0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3504 			0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3505 	u8 res[16];
3506 	int err;
3507 
3508 	err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3509 	if (err)
3510 		return err;
3511 
3512 	if (memcmp(res, exp, 16))
3513 		return -EINVAL;
3514 
3515 	return 0;
3516 }
3517 
3518 static int __init test_s1(struct crypto_blkcipher *tfm_aes)
3519 {
3520 	const u8 k[16] = {
3521 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3522 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3523 	const u8 r1[16] = {
3524 			0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3525 	const u8 r2[16] = {
3526 			0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3527 	const u8 exp[16] = {
3528 			0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3529 			0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3530 	u8 res[16];
3531 	int err;
3532 
3533 	err = smp_s1(tfm_aes, k, r1, r2, res);
3534 	if (err)
3535 		return err;
3536 
3537 	if (memcmp(res, exp, 16))
3538 		return -EINVAL;
3539 
3540 	return 0;
3541 }
3542 
3543 static int __init test_f4(struct crypto_hash *tfm_cmac)
3544 {
3545 	const u8 u[32] = {
3546 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3547 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3548 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3549 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3550 	const u8 v[32] = {
3551 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3552 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3553 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3554 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3555 	const u8 x[16] = {
3556 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3557 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3558 	const u8 z = 0x00;
3559 	const u8 exp[16] = {
3560 			0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3561 			0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3562 	u8 res[16];
3563 	int err;
3564 
3565 	err = smp_f4(tfm_cmac, u, v, x, z, res);
3566 	if (err)
3567 		return err;
3568 
3569 	if (memcmp(res, exp, 16))
3570 		return -EINVAL;
3571 
3572 	return 0;
3573 }
3574 
3575 static int __init test_f5(struct crypto_hash *tfm_cmac)
3576 {
3577 	const u8 w[32] = {
3578 			0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3579 			0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3580 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3581 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3582 	const u8 n1[16] = {
3583 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3584 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3585 	const u8 n2[16] = {
3586 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3587 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3588 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3589 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3590 	const u8 exp_ltk[16] = {
3591 			0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3592 			0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3593 	const u8 exp_mackey[16] = {
3594 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3595 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3596 	u8 mackey[16], ltk[16];
3597 	int err;
3598 
3599 	err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3600 	if (err)
3601 		return err;
3602 
3603 	if (memcmp(mackey, exp_mackey, 16))
3604 		return -EINVAL;
3605 
3606 	if (memcmp(ltk, exp_ltk, 16))
3607 		return -EINVAL;
3608 
3609 	return 0;
3610 }
3611 
3612 static int __init test_f6(struct crypto_hash *tfm_cmac)
3613 {
3614 	const u8 w[16] = {
3615 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3616 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3617 	const u8 n1[16] = {
3618 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3619 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3620 	const u8 n2[16] = {
3621 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3622 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3623 	const u8 r[16] = {
3624 			0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3625 			0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3626 	const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3627 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3628 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3629 	const u8 exp[16] = {
3630 			0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3631 			0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3632 	u8 res[16];
3633 	int err;
3634 
3635 	err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3636 	if (err)
3637 		return err;
3638 
3639 	if (memcmp(res, exp, 16))
3640 		return -EINVAL;
3641 
3642 	return 0;
3643 }
3644 
3645 static int __init test_g2(struct crypto_hash *tfm_cmac)
3646 {
3647 	const u8 u[32] = {
3648 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3649 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3650 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3651 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3652 	const u8 v[32] = {
3653 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3654 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3655 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3656 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3657 	const u8 x[16] = {
3658 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3659 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3660 	const u8 y[16] = {
3661 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3662 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3663 	const u32 exp_val = 0x2f9ed5ba % 1000000;
3664 	u32 val;
3665 	int err;
3666 
3667 	err = smp_g2(tfm_cmac, u, v, x, y, &val);
3668 	if (err)
3669 		return err;
3670 
3671 	if (val != exp_val)
3672 		return -EINVAL;
3673 
3674 	return 0;
3675 }
3676 
3677 static int __init test_h6(struct crypto_hash *tfm_cmac)
3678 {
3679 	const u8 w[16] = {
3680 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3681 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3682 	const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3683 	const u8 exp[16] = {
3684 			0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3685 			0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3686 	u8 res[16];
3687 	int err;
3688 
3689 	err = smp_h6(tfm_cmac, w, key_id, res);
3690 	if (err)
3691 		return err;
3692 
3693 	if (memcmp(res, exp, 16))
3694 		return -EINVAL;
3695 
3696 	return 0;
3697 }
3698 
3699 static char test_smp_buffer[32];
3700 
3701 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3702 			     size_t count, loff_t *ppos)
3703 {
3704 	return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3705 				       strlen(test_smp_buffer));
3706 }
3707 
3708 static const struct file_operations test_smp_fops = {
3709 	.open		= simple_open,
3710 	.read		= test_smp_read,
3711 	.llseek		= default_llseek,
3712 };
3713 
3714 static int __init run_selftests(struct crypto_blkcipher *tfm_aes,
3715 				struct crypto_hash *tfm_cmac)
3716 {
3717 	ktime_t calltime, delta, rettime;
3718 	unsigned long long duration;
3719 	int err;
3720 
3721 	calltime = ktime_get();
3722 
3723 	err = test_ah(tfm_aes);
3724 	if (err) {
3725 		BT_ERR("smp_ah test failed");
3726 		goto done;
3727 	}
3728 
3729 	err = test_c1(tfm_aes);
3730 	if (err) {
3731 		BT_ERR("smp_c1 test failed");
3732 		goto done;
3733 	}
3734 
3735 	err = test_s1(tfm_aes);
3736 	if (err) {
3737 		BT_ERR("smp_s1 test failed");
3738 		goto done;
3739 	}
3740 
3741 	err = test_f4(tfm_cmac);
3742 	if (err) {
3743 		BT_ERR("smp_f4 test failed");
3744 		goto done;
3745 	}
3746 
3747 	err = test_f5(tfm_cmac);
3748 	if (err) {
3749 		BT_ERR("smp_f5 test failed");
3750 		goto done;
3751 	}
3752 
3753 	err = test_f6(tfm_cmac);
3754 	if (err) {
3755 		BT_ERR("smp_f6 test failed");
3756 		goto done;
3757 	}
3758 
3759 	err = test_g2(tfm_cmac);
3760 	if (err) {
3761 		BT_ERR("smp_g2 test failed");
3762 		goto done;
3763 	}
3764 
3765 	err = test_h6(tfm_cmac);
3766 	if (err) {
3767 		BT_ERR("smp_h6 test failed");
3768 		goto done;
3769 	}
3770 
3771 	rettime = ktime_get();
3772 	delta = ktime_sub(rettime, calltime);
3773 	duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3774 
3775 	BT_INFO("SMP test passed in %llu usecs", duration);
3776 
3777 done:
3778 	if (!err)
3779 		snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3780 			 "PASS (%llu usecs)\n", duration);
3781 	else
3782 		snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3783 
3784 	debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3785 			    &test_smp_fops);
3786 
3787 	return err;
3788 }
3789 
3790 int __init bt_selftest_smp(void)
3791 {
3792 	struct crypto_blkcipher *tfm_aes;
3793 	struct crypto_hash *tfm_cmac;
3794 	int err;
3795 
3796 	tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
3797 	if (IS_ERR(tfm_aes)) {
3798 		BT_ERR("Unable to create ECB crypto context");
3799 		return PTR_ERR(tfm_aes);
3800 	}
3801 
3802 	tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3803 	if (IS_ERR(tfm_cmac)) {
3804 		BT_ERR("Unable to create CMAC crypto context");
3805 		crypto_free_blkcipher(tfm_aes);
3806 		return PTR_ERR(tfm_cmac);
3807 	}
3808 
3809 	err = run_selftests(tfm_aes, tfm_cmac);
3810 
3811 	crypto_free_hash(tfm_cmac);
3812 	crypto_free_blkcipher(tfm_aes);
3813 
3814 	return err;
3815 }
3816 
3817 #endif
3818