xref: /openbmc/linux/net/bluetooth/smp.c (revision b285d2ae)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4 
5    This program is free software; you can redistribute it and/or modify
6    it under the terms of the GNU General Public License version 2 as
7    published by the Free Software Foundation;
8 
9    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 
18    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20    SOFTWARE IS DISCLAIMED.
21 */
22 
23 #include <linux/debugfs.h>
24 #include <linux/scatterlist.h>
25 #include <linux/crypto.h>
26 #include <crypto/aes.h>
27 #include <crypto/algapi.h>
28 #include <crypto/b128ops.h>
29 #include <crypto/hash.h>
30 #include <crypto/kpp.h>
31 
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/l2cap.h>
35 #include <net/bluetooth/mgmt.h>
36 
37 #include "ecdh_helper.h"
38 #include "smp.h"
39 
40 #define SMP_DEV(hdev) \
41 	((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
42 
43 /* Low-level debug macros to be used for stuff that we don't want
44  * accidentially in dmesg, i.e. the values of the various crypto keys
45  * and the inputs & outputs of crypto functions.
46  */
47 #ifdef DEBUG
48 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
49 				 ##__VA_ARGS__)
50 #else
51 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
52 				    ##__VA_ARGS__)
53 #endif
54 
55 #define SMP_ALLOW_CMD(smp, code)	set_bit(code, &smp->allow_cmd)
56 
57 /* Keys which are not distributed with Secure Connections */
58 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
59 
60 #define SMP_TIMEOUT	msecs_to_jiffies(30000)
61 
62 #define AUTH_REQ_MASK(dev)	(hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
63 				 0x3f : 0x07)
64 #define KEY_DIST_MASK		0x07
65 
66 /* Maximum message length that can be passed to aes_cmac */
67 #define CMAC_MSG_MAX	80
68 
69 enum {
70 	SMP_FLAG_TK_VALID,
71 	SMP_FLAG_CFM_PENDING,
72 	SMP_FLAG_MITM_AUTH,
73 	SMP_FLAG_COMPLETE,
74 	SMP_FLAG_INITIATOR,
75 	SMP_FLAG_SC,
76 	SMP_FLAG_REMOTE_PK,
77 	SMP_FLAG_DEBUG_KEY,
78 	SMP_FLAG_WAIT_USER,
79 	SMP_FLAG_DHKEY_PENDING,
80 	SMP_FLAG_REMOTE_OOB,
81 	SMP_FLAG_LOCAL_OOB,
82 	SMP_FLAG_CT2,
83 };
84 
85 struct smp_dev {
86 	/* Secure Connections OOB data */
87 	bool			local_oob;
88 	u8			local_pk[64];
89 	u8			local_rand[16];
90 	bool			debug_key;
91 
92 	struct crypto_shash	*tfm_cmac;
93 	struct crypto_kpp	*tfm_ecdh;
94 };
95 
96 struct smp_chan {
97 	struct l2cap_conn	*conn;
98 	struct delayed_work	security_timer;
99 	unsigned long           allow_cmd; /* Bitmask of allowed commands */
100 
101 	u8		preq[7]; /* SMP Pairing Request */
102 	u8		prsp[7]; /* SMP Pairing Response */
103 	u8		prnd[16]; /* SMP Pairing Random (local) */
104 	u8		rrnd[16]; /* SMP Pairing Random (remote) */
105 	u8		pcnf[16]; /* SMP Pairing Confirm */
106 	u8		tk[16]; /* SMP Temporary Key */
107 	u8		rr[16]; /* Remote OOB ra/rb value */
108 	u8		lr[16]; /* Local OOB ra/rb value */
109 	u8		enc_key_size;
110 	u8		remote_key_dist;
111 	bdaddr_t	id_addr;
112 	u8		id_addr_type;
113 	u8		irk[16];
114 	struct smp_csrk	*csrk;
115 	struct smp_csrk	*slave_csrk;
116 	struct smp_ltk	*ltk;
117 	struct smp_ltk	*slave_ltk;
118 	struct smp_irk	*remote_irk;
119 	u8		*link_key;
120 	unsigned long	flags;
121 	u8		method;
122 	u8		passkey_round;
123 
124 	/* Secure Connections variables */
125 	u8			local_pk[64];
126 	u8			remote_pk[64];
127 	u8			dhkey[32];
128 	u8			mackey[16];
129 
130 	struct crypto_shash	*tfm_cmac;
131 	struct crypto_kpp	*tfm_ecdh;
132 };
133 
134 /* These debug key values are defined in the SMP section of the core
135  * specification. debug_pk is the public debug key and debug_sk the
136  * private debug key.
137  */
138 static const u8 debug_pk[64] = {
139 		0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
140 		0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
141 		0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
142 		0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
143 
144 		0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
145 		0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
146 		0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
147 		0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
148 };
149 
150 static const u8 debug_sk[32] = {
151 		0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
152 		0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
153 		0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
154 		0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
155 };
156 
157 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
158 {
159 	size_t i;
160 
161 	for (i = 0; i < len; i++)
162 		dst[len - 1 - i] = src[i];
163 }
164 
165 /* The following functions map to the LE SC SMP crypto functions
166  * AES-CMAC, f4, f5, f6, g2 and h6.
167  */
168 
169 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
170 		    size_t len, u8 mac[16])
171 {
172 	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
173 	int err;
174 
175 	if (len > CMAC_MSG_MAX)
176 		return -EFBIG;
177 
178 	if (!tfm) {
179 		BT_ERR("tfm %p", tfm);
180 		return -EINVAL;
181 	}
182 
183 	/* Swap key and message from LSB to MSB */
184 	swap_buf(k, tmp, 16);
185 	swap_buf(m, msg_msb, len);
186 
187 	SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
188 	SMP_DBG("key %16phN", k);
189 
190 	err = crypto_shash_setkey(tfm, tmp, 16);
191 	if (err) {
192 		BT_ERR("cipher setkey failed: %d", err);
193 		return err;
194 	}
195 
196 	err = crypto_shash_tfm_digest(tfm, msg_msb, len, mac_msb);
197 	if (err) {
198 		BT_ERR("Hash computation error %d", err);
199 		return err;
200 	}
201 
202 	swap_buf(mac_msb, mac, 16);
203 
204 	SMP_DBG("mac %16phN", mac);
205 
206 	return 0;
207 }
208 
209 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
210 		  const u8 v[32], const u8 x[16], u8 z, u8 res[16])
211 {
212 	u8 m[65];
213 	int err;
214 
215 	SMP_DBG("u %32phN", u);
216 	SMP_DBG("v %32phN", v);
217 	SMP_DBG("x %16phN z %02x", x, z);
218 
219 	m[0] = z;
220 	memcpy(m + 1, v, 32);
221 	memcpy(m + 33, u, 32);
222 
223 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
224 	if (err)
225 		return err;
226 
227 	SMP_DBG("res %16phN", res);
228 
229 	return err;
230 }
231 
232 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
233 		  const u8 n1[16], const u8 n2[16], const u8 a1[7],
234 		  const u8 a2[7], u8 mackey[16], u8 ltk[16])
235 {
236 	/* The btle, salt and length "magic" values are as defined in
237 	 * the SMP section of the Bluetooth core specification. In ASCII
238 	 * the btle value ends up being 'btle'. The salt is just a
239 	 * random number whereas length is the value 256 in little
240 	 * endian format.
241 	 */
242 	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
243 	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
244 			      0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
245 	const u8 length[2] = { 0x00, 0x01 };
246 	u8 m[53], t[16];
247 	int err;
248 
249 	SMP_DBG("w %32phN", w);
250 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
251 	SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
252 
253 	err = aes_cmac(tfm_cmac, salt, w, 32, t);
254 	if (err)
255 		return err;
256 
257 	SMP_DBG("t %16phN", t);
258 
259 	memcpy(m, length, 2);
260 	memcpy(m + 2, a2, 7);
261 	memcpy(m + 9, a1, 7);
262 	memcpy(m + 16, n2, 16);
263 	memcpy(m + 32, n1, 16);
264 	memcpy(m + 48, btle, 4);
265 
266 	m[52] = 0; /* Counter */
267 
268 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
269 	if (err)
270 		return err;
271 
272 	SMP_DBG("mackey %16phN", mackey);
273 
274 	m[52] = 1; /* Counter */
275 
276 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
277 	if (err)
278 		return err;
279 
280 	SMP_DBG("ltk %16phN", ltk);
281 
282 	return 0;
283 }
284 
285 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
286 		  const u8 n1[16], const u8 n2[16], const u8 r[16],
287 		  const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
288 		  u8 res[16])
289 {
290 	u8 m[65];
291 	int err;
292 
293 	SMP_DBG("w %16phN", w);
294 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
295 	SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
296 
297 	memcpy(m, a2, 7);
298 	memcpy(m + 7, a1, 7);
299 	memcpy(m + 14, io_cap, 3);
300 	memcpy(m + 17, r, 16);
301 	memcpy(m + 33, n2, 16);
302 	memcpy(m + 49, n1, 16);
303 
304 	err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
305 	if (err)
306 		return err;
307 
308 	SMP_DBG("res %16phN", res);
309 
310 	return err;
311 }
312 
313 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
314 		  const u8 x[16], const u8 y[16], u32 *val)
315 {
316 	u8 m[80], tmp[16];
317 	int err;
318 
319 	SMP_DBG("u %32phN", u);
320 	SMP_DBG("v %32phN", v);
321 	SMP_DBG("x %16phN y %16phN", x, y);
322 
323 	memcpy(m, y, 16);
324 	memcpy(m + 16, v, 32);
325 	memcpy(m + 48, u, 32);
326 
327 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
328 	if (err)
329 		return err;
330 
331 	*val = get_unaligned_le32(tmp);
332 	*val %= 1000000;
333 
334 	SMP_DBG("val %06u", *val);
335 
336 	return 0;
337 }
338 
339 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
340 		  const u8 key_id[4], u8 res[16])
341 {
342 	int err;
343 
344 	SMP_DBG("w %16phN key_id %4phN", w, key_id);
345 
346 	err = aes_cmac(tfm_cmac, w, key_id, 4, res);
347 	if (err)
348 		return err;
349 
350 	SMP_DBG("res %16phN", res);
351 
352 	return err;
353 }
354 
355 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
356 		  const u8 salt[16], u8 res[16])
357 {
358 	int err;
359 
360 	SMP_DBG("w %16phN salt %16phN", w, salt);
361 
362 	err = aes_cmac(tfm_cmac, salt, w, 16, res);
363 	if (err)
364 		return err;
365 
366 	SMP_DBG("res %16phN", res);
367 
368 	return err;
369 }
370 
371 /* The following functions map to the legacy SMP crypto functions e, c1,
372  * s1 and ah.
373  */
374 
375 static int smp_e(const u8 *k, u8 *r)
376 {
377 	struct crypto_aes_ctx ctx;
378 	uint8_t tmp[16], data[16];
379 	int err;
380 
381 	SMP_DBG("k %16phN r %16phN", k, r);
382 
383 	/* The most significant octet of key corresponds to k[0] */
384 	swap_buf(k, tmp, 16);
385 
386 	err = aes_expandkey(&ctx, tmp, 16);
387 	if (err) {
388 		BT_ERR("cipher setkey failed: %d", err);
389 		return err;
390 	}
391 
392 	/* Most significant octet of plaintextData corresponds to data[0] */
393 	swap_buf(r, data, 16);
394 
395 	aes_encrypt(&ctx, data, data);
396 
397 	/* Most significant octet of encryptedData corresponds to data[0] */
398 	swap_buf(data, r, 16);
399 
400 	SMP_DBG("r %16phN", r);
401 
402 	memzero_explicit(&ctx, sizeof (ctx));
403 	return err;
404 }
405 
406 static int smp_c1(const u8 k[16],
407 		  const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
408 		  const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
409 {
410 	u8 p1[16], p2[16];
411 	int err;
412 
413 	SMP_DBG("k %16phN r %16phN", k, r);
414 	SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
415 	SMP_DBG("preq %7phN pres %7phN", preq, pres);
416 
417 	memset(p1, 0, 16);
418 
419 	/* p1 = pres || preq || _rat || _iat */
420 	p1[0] = _iat;
421 	p1[1] = _rat;
422 	memcpy(p1 + 2, preq, 7);
423 	memcpy(p1 + 9, pres, 7);
424 
425 	SMP_DBG("p1 %16phN", p1);
426 
427 	/* res = r XOR p1 */
428 	u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
429 
430 	/* res = e(k, res) */
431 	err = smp_e(k, res);
432 	if (err) {
433 		BT_ERR("Encrypt data error");
434 		return err;
435 	}
436 
437 	/* p2 = padding || ia || ra */
438 	memcpy(p2, ra, 6);
439 	memcpy(p2 + 6, ia, 6);
440 	memset(p2 + 12, 0, 4);
441 
442 	SMP_DBG("p2 %16phN", p2);
443 
444 	/* res = res XOR p2 */
445 	u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
446 
447 	/* res = e(k, res) */
448 	err = smp_e(k, res);
449 	if (err)
450 		BT_ERR("Encrypt data error");
451 
452 	return err;
453 }
454 
455 static int smp_s1(const u8 k[16],
456 		  const u8 r1[16], const u8 r2[16], u8 _r[16])
457 {
458 	int err;
459 
460 	/* Just least significant octets from r1 and r2 are considered */
461 	memcpy(_r, r2, 8);
462 	memcpy(_r + 8, r1, 8);
463 
464 	err = smp_e(k, _r);
465 	if (err)
466 		BT_ERR("Encrypt data error");
467 
468 	return err;
469 }
470 
471 static int smp_ah(const u8 irk[16], const u8 r[3], u8 res[3])
472 {
473 	u8 _res[16];
474 	int err;
475 
476 	/* r' = padding || r */
477 	memcpy(_res, r, 3);
478 	memset(_res + 3, 0, 13);
479 
480 	err = smp_e(irk, _res);
481 	if (err) {
482 		BT_ERR("Encrypt error");
483 		return err;
484 	}
485 
486 	/* The output of the random address function ah is:
487 	 *	ah(k, r) = e(k, r') mod 2^24
488 	 * The output of the security function e is then truncated to 24 bits
489 	 * by taking the least significant 24 bits of the output of e as the
490 	 * result of ah.
491 	 */
492 	memcpy(res, _res, 3);
493 
494 	return 0;
495 }
496 
497 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
498 		     const bdaddr_t *bdaddr)
499 {
500 	struct l2cap_chan *chan = hdev->smp_data;
501 	u8 hash[3];
502 	int err;
503 
504 	if (!chan || !chan->data)
505 		return false;
506 
507 	bt_dev_dbg(hdev, "RPA %pMR IRK %*phN", bdaddr, 16, irk);
508 
509 	err = smp_ah(irk, &bdaddr->b[3], hash);
510 	if (err)
511 		return false;
512 
513 	return !crypto_memneq(bdaddr->b, hash, 3);
514 }
515 
516 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
517 {
518 	struct l2cap_chan *chan = hdev->smp_data;
519 	int err;
520 
521 	if (!chan || !chan->data)
522 		return -EOPNOTSUPP;
523 
524 	get_random_bytes(&rpa->b[3], 3);
525 
526 	rpa->b[5] &= 0x3f;	/* Clear two most significant bits */
527 	rpa->b[5] |= 0x40;	/* Set second most significant bit */
528 
529 	err = smp_ah(irk, &rpa->b[3], rpa->b);
530 	if (err < 0)
531 		return err;
532 
533 	bt_dev_dbg(hdev, "RPA %pMR", rpa);
534 
535 	return 0;
536 }
537 
538 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
539 {
540 	struct l2cap_chan *chan = hdev->smp_data;
541 	struct smp_dev *smp;
542 	int err;
543 
544 	if (!chan || !chan->data)
545 		return -EOPNOTSUPP;
546 
547 	smp = chan->data;
548 
549 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
550 		bt_dev_dbg(hdev, "Using debug keys");
551 		err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk);
552 		if (err)
553 			return err;
554 		memcpy(smp->local_pk, debug_pk, 64);
555 		smp->debug_key = true;
556 	} else {
557 		while (true) {
558 			/* Generate key pair for Secure Connections */
559 			err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk);
560 			if (err)
561 				return err;
562 
563 			/* This is unlikely, but we need to check that
564 			 * we didn't accidentially generate a debug key.
565 			 */
566 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
567 				break;
568 		}
569 		smp->debug_key = false;
570 	}
571 
572 	SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
573 	SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
574 
575 	get_random_bytes(smp->local_rand, 16);
576 
577 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
578 		     smp->local_rand, 0, hash);
579 	if (err < 0)
580 		return err;
581 
582 	memcpy(rand, smp->local_rand, 16);
583 
584 	smp->local_oob = true;
585 
586 	return 0;
587 }
588 
589 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
590 {
591 	struct l2cap_chan *chan = conn->smp;
592 	struct smp_chan *smp;
593 	struct kvec iv[2];
594 	struct msghdr msg;
595 
596 	if (!chan)
597 		return;
598 
599 	BT_DBG("code 0x%2.2x", code);
600 
601 	iv[0].iov_base = &code;
602 	iv[0].iov_len = 1;
603 
604 	iv[1].iov_base = data;
605 	iv[1].iov_len = len;
606 
607 	memset(&msg, 0, sizeof(msg));
608 
609 	iov_iter_kvec(&msg.msg_iter, WRITE, iv, 2, 1 + len);
610 
611 	l2cap_chan_send(chan, &msg, 1 + len);
612 
613 	if (!chan->data)
614 		return;
615 
616 	smp = chan->data;
617 
618 	cancel_delayed_work_sync(&smp->security_timer);
619 	schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
620 }
621 
622 static u8 authreq_to_seclevel(u8 authreq)
623 {
624 	if (authreq & SMP_AUTH_MITM) {
625 		if (authreq & SMP_AUTH_SC)
626 			return BT_SECURITY_FIPS;
627 		else
628 			return BT_SECURITY_HIGH;
629 	} else {
630 		return BT_SECURITY_MEDIUM;
631 	}
632 }
633 
634 static __u8 seclevel_to_authreq(__u8 sec_level)
635 {
636 	switch (sec_level) {
637 	case BT_SECURITY_FIPS:
638 	case BT_SECURITY_HIGH:
639 		return SMP_AUTH_MITM | SMP_AUTH_BONDING;
640 	case BT_SECURITY_MEDIUM:
641 		return SMP_AUTH_BONDING;
642 	default:
643 		return SMP_AUTH_NONE;
644 	}
645 }
646 
647 static void build_pairing_cmd(struct l2cap_conn *conn,
648 			      struct smp_cmd_pairing *req,
649 			      struct smp_cmd_pairing *rsp, __u8 authreq)
650 {
651 	struct l2cap_chan *chan = conn->smp;
652 	struct smp_chan *smp = chan->data;
653 	struct hci_conn *hcon = conn->hcon;
654 	struct hci_dev *hdev = hcon->hdev;
655 	u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
656 
657 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
658 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
659 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
660 		authreq |= SMP_AUTH_BONDING;
661 	} else {
662 		authreq &= ~SMP_AUTH_BONDING;
663 	}
664 
665 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
666 		remote_dist |= SMP_DIST_ID_KEY;
667 
668 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
669 		local_dist |= SMP_DIST_ID_KEY;
670 
671 	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
672 	    (authreq & SMP_AUTH_SC)) {
673 		struct oob_data *oob_data;
674 		u8 bdaddr_type;
675 
676 		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
677 			local_dist |= SMP_DIST_LINK_KEY;
678 			remote_dist |= SMP_DIST_LINK_KEY;
679 		}
680 
681 		if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
682 			bdaddr_type = BDADDR_LE_PUBLIC;
683 		else
684 			bdaddr_type = BDADDR_LE_RANDOM;
685 
686 		oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
687 						    bdaddr_type);
688 		if (oob_data && oob_data->present) {
689 			set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
690 			oob_flag = SMP_OOB_PRESENT;
691 			memcpy(smp->rr, oob_data->rand256, 16);
692 			memcpy(smp->pcnf, oob_data->hash256, 16);
693 			SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
694 			SMP_DBG("OOB Remote Random: %16phN", smp->rr);
695 		}
696 
697 	} else {
698 		authreq &= ~SMP_AUTH_SC;
699 	}
700 
701 	if (rsp == NULL) {
702 		req->io_capability = conn->hcon->io_capability;
703 		req->oob_flag = oob_flag;
704 		req->max_key_size = hdev->le_max_key_size;
705 		req->init_key_dist = local_dist;
706 		req->resp_key_dist = remote_dist;
707 		req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
708 
709 		smp->remote_key_dist = remote_dist;
710 		return;
711 	}
712 
713 	rsp->io_capability = conn->hcon->io_capability;
714 	rsp->oob_flag = oob_flag;
715 	rsp->max_key_size = hdev->le_max_key_size;
716 	rsp->init_key_dist = req->init_key_dist & remote_dist;
717 	rsp->resp_key_dist = req->resp_key_dist & local_dist;
718 	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
719 
720 	smp->remote_key_dist = rsp->init_key_dist;
721 }
722 
723 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
724 {
725 	struct l2cap_chan *chan = conn->smp;
726 	struct hci_dev *hdev = conn->hcon->hdev;
727 	struct smp_chan *smp = chan->data;
728 
729 	if (conn->hcon->pending_sec_level == BT_SECURITY_FIPS &&
730 	    max_key_size != SMP_MAX_ENC_KEY_SIZE)
731 		return SMP_ENC_KEY_SIZE;
732 
733 	if (max_key_size > hdev->le_max_key_size ||
734 	    max_key_size < SMP_MIN_ENC_KEY_SIZE)
735 		return SMP_ENC_KEY_SIZE;
736 
737 	smp->enc_key_size = max_key_size;
738 
739 	return 0;
740 }
741 
742 static void smp_chan_destroy(struct l2cap_conn *conn)
743 {
744 	struct l2cap_chan *chan = conn->smp;
745 	struct smp_chan *smp = chan->data;
746 	struct hci_conn *hcon = conn->hcon;
747 	bool complete;
748 
749 	BUG_ON(!smp);
750 
751 	cancel_delayed_work_sync(&smp->security_timer);
752 
753 	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
754 	mgmt_smp_complete(hcon, complete);
755 
756 	kfree_sensitive(smp->csrk);
757 	kfree_sensitive(smp->slave_csrk);
758 	kfree_sensitive(smp->link_key);
759 
760 	crypto_free_shash(smp->tfm_cmac);
761 	crypto_free_kpp(smp->tfm_ecdh);
762 
763 	/* Ensure that we don't leave any debug key around if debug key
764 	 * support hasn't been explicitly enabled.
765 	 */
766 	if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
767 	    !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
768 		list_del_rcu(&smp->ltk->list);
769 		kfree_rcu(smp->ltk, rcu);
770 		smp->ltk = NULL;
771 	}
772 
773 	/* If pairing failed clean up any keys we might have */
774 	if (!complete) {
775 		if (smp->ltk) {
776 			list_del_rcu(&smp->ltk->list);
777 			kfree_rcu(smp->ltk, rcu);
778 		}
779 
780 		if (smp->slave_ltk) {
781 			list_del_rcu(&smp->slave_ltk->list);
782 			kfree_rcu(smp->slave_ltk, rcu);
783 		}
784 
785 		if (smp->remote_irk) {
786 			list_del_rcu(&smp->remote_irk->list);
787 			kfree_rcu(smp->remote_irk, rcu);
788 		}
789 	}
790 
791 	chan->data = NULL;
792 	kfree_sensitive(smp);
793 	hci_conn_drop(hcon);
794 }
795 
796 static void smp_failure(struct l2cap_conn *conn, u8 reason)
797 {
798 	struct hci_conn *hcon = conn->hcon;
799 	struct l2cap_chan *chan = conn->smp;
800 
801 	if (reason)
802 		smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
803 			     &reason);
804 
805 	mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
806 
807 	if (chan->data)
808 		smp_chan_destroy(conn);
809 }
810 
811 #define JUST_WORKS	0x00
812 #define JUST_CFM	0x01
813 #define REQ_PASSKEY	0x02
814 #define CFM_PASSKEY	0x03
815 #define REQ_OOB		0x04
816 #define DSP_PASSKEY	0x05
817 #define OVERLAP		0xFF
818 
819 static const u8 gen_method[5][5] = {
820 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
821 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
822 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
823 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
824 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
825 };
826 
827 static const u8 sc_method[5][5] = {
828 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
829 	{ JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
830 	{ DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
831 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
832 	{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
833 };
834 
835 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
836 {
837 	/* If either side has unknown io_caps, use JUST_CFM (which gets
838 	 * converted later to JUST_WORKS if we're initiators.
839 	 */
840 	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
841 	    remote_io > SMP_IO_KEYBOARD_DISPLAY)
842 		return JUST_CFM;
843 
844 	if (test_bit(SMP_FLAG_SC, &smp->flags))
845 		return sc_method[remote_io][local_io];
846 
847 	return gen_method[remote_io][local_io];
848 }
849 
850 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
851 						u8 local_io, u8 remote_io)
852 {
853 	struct hci_conn *hcon = conn->hcon;
854 	struct l2cap_chan *chan = conn->smp;
855 	struct smp_chan *smp = chan->data;
856 	u32 passkey = 0;
857 	int ret;
858 
859 	/* Initialize key for JUST WORKS */
860 	memset(smp->tk, 0, sizeof(smp->tk));
861 	clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
862 
863 	BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
864 
865 	/* If neither side wants MITM, either "just" confirm an incoming
866 	 * request or use just-works for outgoing ones. The JUST_CFM
867 	 * will be converted to JUST_WORKS if necessary later in this
868 	 * function. If either side has MITM look up the method from the
869 	 * table.
870 	 */
871 	if (!(auth & SMP_AUTH_MITM))
872 		smp->method = JUST_CFM;
873 	else
874 		smp->method = get_auth_method(smp, local_io, remote_io);
875 
876 	/* Don't confirm locally initiated pairing attempts */
877 	if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
878 						&smp->flags))
879 		smp->method = JUST_WORKS;
880 
881 	/* Don't bother user space with no IO capabilities */
882 	if (smp->method == JUST_CFM &&
883 	    hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
884 		smp->method = JUST_WORKS;
885 
886 	/* If Just Works, Continue with Zero TK and ask user-space for
887 	 * confirmation */
888 	if (smp->method == JUST_WORKS) {
889 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
890 						hcon->type,
891 						hcon->dst_type,
892 						passkey, 1);
893 		if (ret)
894 			return ret;
895 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
896 		return 0;
897 	}
898 
899 	/* If this function is used for SC -> legacy fallback we
900 	 * can only recover the just-works case.
901 	 */
902 	if (test_bit(SMP_FLAG_SC, &smp->flags))
903 		return -EINVAL;
904 
905 	/* Not Just Works/Confirm results in MITM Authentication */
906 	if (smp->method != JUST_CFM) {
907 		set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
908 		if (hcon->pending_sec_level < BT_SECURITY_HIGH)
909 			hcon->pending_sec_level = BT_SECURITY_HIGH;
910 	}
911 
912 	/* If both devices have Keyoard-Display I/O, the master
913 	 * Confirms and the slave Enters the passkey.
914 	 */
915 	if (smp->method == OVERLAP) {
916 		if (hcon->role == HCI_ROLE_MASTER)
917 			smp->method = CFM_PASSKEY;
918 		else
919 			smp->method = REQ_PASSKEY;
920 	}
921 
922 	/* Generate random passkey. */
923 	if (smp->method == CFM_PASSKEY) {
924 		memset(smp->tk, 0, sizeof(smp->tk));
925 		get_random_bytes(&passkey, sizeof(passkey));
926 		passkey %= 1000000;
927 		put_unaligned_le32(passkey, smp->tk);
928 		BT_DBG("PassKey: %d", passkey);
929 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
930 	}
931 
932 	if (smp->method == REQ_PASSKEY)
933 		ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
934 						hcon->type, hcon->dst_type);
935 	else if (smp->method == JUST_CFM)
936 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
937 						hcon->type, hcon->dst_type,
938 						passkey, 1);
939 	else
940 		ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
941 						hcon->type, hcon->dst_type,
942 						passkey, 0);
943 
944 	return ret;
945 }
946 
947 static u8 smp_confirm(struct smp_chan *smp)
948 {
949 	struct l2cap_conn *conn = smp->conn;
950 	struct smp_cmd_pairing_confirm cp;
951 	int ret;
952 
953 	BT_DBG("conn %p", conn);
954 
955 	ret = smp_c1(smp->tk, smp->prnd, smp->preq, smp->prsp,
956 		     conn->hcon->init_addr_type, &conn->hcon->init_addr,
957 		     conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
958 		     cp.confirm_val);
959 	if (ret)
960 		return SMP_UNSPECIFIED;
961 
962 	clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
963 
964 	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
965 
966 	if (conn->hcon->out)
967 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
968 	else
969 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
970 
971 	return 0;
972 }
973 
974 static u8 smp_random(struct smp_chan *smp)
975 {
976 	struct l2cap_conn *conn = smp->conn;
977 	struct hci_conn *hcon = conn->hcon;
978 	u8 confirm[16];
979 	int ret;
980 
981 	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
982 
983 	ret = smp_c1(smp->tk, smp->rrnd, smp->preq, smp->prsp,
984 		     hcon->init_addr_type, &hcon->init_addr,
985 		     hcon->resp_addr_type, &hcon->resp_addr, confirm);
986 	if (ret)
987 		return SMP_UNSPECIFIED;
988 
989 	if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
990 		bt_dev_err(hcon->hdev, "pairing failed "
991 			   "(confirmation values mismatch)");
992 		return SMP_CONFIRM_FAILED;
993 	}
994 
995 	if (hcon->out) {
996 		u8 stk[16];
997 		__le64 rand = 0;
998 		__le16 ediv = 0;
999 
1000 		smp_s1(smp->tk, smp->rrnd, smp->prnd, stk);
1001 
1002 		if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1003 			return SMP_UNSPECIFIED;
1004 
1005 		hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1006 		hcon->enc_key_size = smp->enc_key_size;
1007 		set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1008 	} else {
1009 		u8 stk[16], auth;
1010 		__le64 rand = 0;
1011 		__le16 ediv = 0;
1012 
1013 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1014 			     smp->prnd);
1015 
1016 		smp_s1(smp->tk, smp->prnd, smp->rrnd, stk);
1017 
1018 		if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1019 			auth = 1;
1020 		else
1021 			auth = 0;
1022 
1023 		/* Even though there's no _SLAVE suffix this is the
1024 		 * slave STK we're adding for later lookup (the master
1025 		 * STK never needs to be stored).
1026 		 */
1027 		hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1028 			    SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1029 	}
1030 
1031 	return 0;
1032 }
1033 
1034 static void smp_notify_keys(struct l2cap_conn *conn)
1035 {
1036 	struct l2cap_chan *chan = conn->smp;
1037 	struct smp_chan *smp = chan->data;
1038 	struct hci_conn *hcon = conn->hcon;
1039 	struct hci_dev *hdev = hcon->hdev;
1040 	struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1041 	struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1042 	bool persistent;
1043 
1044 	if (hcon->type == ACL_LINK) {
1045 		if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1046 			persistent = false;
1047 		else
1048 			persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1049 					       &hcon->flags);
1050 	} else {
1051 		/* The LTKs, IRKs and CSRKs should be persistent only if
1052 		 * both sides had the bonding bit set in their
1053 		 * authentication requests.
1054 		 */
1055 		persistent = !!((req->auth_req & rsp->auth_req) &
1056 				SMP_AUTH_BONDING);
1057 	}
1058 
1059 	if (smp->remote_irk) {
1060 		mgmt_new_irk(hdev, smp->remote_irk, persistent);
1061 
1062 		/* Now that user space can be considered to know the
1063 		 * identity address track the connection based on it
1064 		 * from now on (assuming this is an LE link).
1065 		 */
1066 		if (hcon->type == LE_LINK) {
1067 			bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1068 			hcon->dst_type = smp->remote_irk->addr_type;
1069 			queue_work(hdev->workqueue, &conn->id_addr_update_work);
1070 		}
1071 	}
1072 
1073 	if (smp->csrk) {
1074 		smp->csrk->bdaddr_type = hcon->dst_type;
1075 		bacpy(&smp->csrk->bdaddr, &hcon->dst);
1076 		mgmt_new_csrk(hdev, smp->csrk, persistent);
1077 	}
1078 
1079 	if (smp->slave_csrk) {
1080 		smp->slave_csrk->bdaddr_type = hcon->dst_type;
1081 		bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1082 		mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1083 	}
1084 
1085 	if (smp->ltk) {
1086 		smp->ltk->bdaddr_type = hcon->dst_type;
1087 		bacpy(&smp->ltk->bdaddr, &hcon->dst);
1088 		mgmt_new_ltk(hdev, smp->ltk, persistent);
1089 	}
1090 
1091 	if (smp->slave_ltk) {
1092 		smp->slave_ltk->bdaddr_type = hcon->dst_type;
1093 		bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1094 		mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1095 	}
1096 
1097 	if (smp->link_key) {
1098 		struct link_key *key;
1099 		u8 type;
1100 
1101 		if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1102 			type = HCI_LK_DEBUG_COMBINATION;
1103 		else if (hcon->sec_level == BT_SECURITY_FIPS)
1104 			type = HCI_LK_AUTH_COMBINATION_P256;
1105 		else
1106 			type = HCI_LK_UNAUTH_COMBINATION_P256;
1107 
1108 		key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1109 				       smp->link_key, type, 0, &persistent);
1110 		if (key) {
1111 			mgmt_new_link_key(hdev, key, persistent);
1112 
1113 			/* Don't keep debug keys around if the relevant
1114 			 * flag is not set.
1115 			 */
1116 			if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1117 			    key->type == HCI_LK_DEBUG_COMBINATION) {
1118 				list_del_rcu(&key->list);
1119 				kfree_rcu(key, rcu);
1120 			}
1121 		}
1122 	}
1123 }
1124 
1125 static void sc_add_ltk(struct smp_chan *smp)
1126 {
1127 	struct hci_conn *hcon = smp->conn->hcon;
1128 	u8 key_type, auth;
1129 
1130 	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1131 		key_type = SMP_LTK_P256_DEBUG;
1132 	else
1133 		key_type = SMP_LTK_P256;
1134 
1135 	if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1136 		auth = 1;
1137 	else
1138 		auth = 0;
1139 
1140 	smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1141 			       key_type, auth, smp->tk, smp->enc_key_size,
1142 			       0, 0);
1143 }
1144 
1145 static void sc_generate_link_key(struct smp_chan *smp)
1146 {
1147 	/* From core spec. Spells out in ASCII as 'lebr'. */
1148 	const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1149 
1150 	smp->link_key = kzalloc(16, GFP_KERNEL);
1151 	if (!smp->link_key)
1152 		return;
1153 
1154 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1155 		/* SALT = 0x000000000000000000000000746D7031 */
1156 		const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1157 
1158 		if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1159 			kfree_sensitive(smp->link_key);
1160 			smp->link_key = NULL;
1161 			return;
1162 		}
1163 	} else {
1164 		/* From core spec. Spells out in ASCII as 'tmp1'. */
1165 		const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1166 
1167 		if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1168 			kfree_sensitive(smp->link_key);
1169 			smp->link_key = NULL;
1170 			return;
1171 		}
1172 	}
1173 
1174 	if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1175 		kfree_sensitive(smp->link_key);
1176 		smp->link_key = NULL;
1177 		return;
1178 	}
1179 }
1180 
1181 static void smp_allow_key_dist(struct smp_chan *smp)
1182 {
1183 	/* Allow the first expected phase 3 PDU. The rest of the PDUs
1184 	 * will be allowed in each PDU handler to ensure we receive
1185 	 * them in the correct order.
1186 	 */
1187 	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1188 		SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1189 	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1190 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1191 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
1192 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1193 }
1194 
1195 static void sc_generate_ltk(struct smp_chan *smp)
1196 {
1197 	/* From core spec. Spells out in ASCII as 'brle'. */
1198 	const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1199 	struct hci_conn *hcon = smp->conn->hcon;
1200 	struct hci_dev *hdev = hcon->hdev;
1201 	struct link_key *key;
1202 
1203 	key = hci_find_link_key(hdev, &hcon->dst);
1204 	if (!key) {
1205 		bt_dev_err(hdev, "no Link Key found to generate LTK");
1206 		return;
1207 	}
1208 
1209 	if (key->type == HCI_LK_DEBUG_COMBINATION)
1210 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1211 
1212 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1213 		/* SALT = 0x000000000000000000000000746D7032 */
1214 		const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1215 
1216 		if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1217 			return;
1218 	} else {
1219 		/* From core spec. Spells out in ASCII as 'tmp2'. */
1220 		const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1221 
1222 		if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1223 			return;
1224 	}
1225 
1226 	if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1227 		return;
1228 
1229 	sc_add_ltk(smp);
1230 }
1231 
1232 static void smp_distribute_keys(struct smp_chan *smp)
1233 {
1234 	struct smp_cmd_pairing *req, *rsp;
1235 	struct l2cap_conn *conn = smp->conn;
1236 	struct hci_conn *hcon = conn->hcon;
1237 	struct hci_dev *hdev = hcon->hdev;
1238 	__u8 *keydist;
1239 
1240 	BT_DBG("conn %p", conn);
1241 
1242 	rsp = (void *) &smp->prsp[1];
1243 
1244 	/* The responder sends its keys first */
1245 	if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1246 		smp_allow_key_dist(smp);
1247 		return;
1248 	}
1249 
1250 	req = (void *) &smp->preq[1];
1251 
1252 	if (hcon->out) {
1253 		keydist = &rsp->init_key_dist;
1254 		*keydist &= req->init_key_dist;
1255 	} else {
1256 		keydist = &rsp->resp_key_dist;
1257 		*keydist &= req->resp_key_dist;
1258 	}
1259 
1260 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1261 		if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1262 			sc_generate_link_key(smp);
1263 		if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1264 			sc_generate_ltk(smp);
1265 
1266 		/* Clear the keys which are generated but not distributed */
1267 		*keydist &= ~SMP_SC_NO_DIST;
1268 	}
1269 
1270 	BT_DBG("keydist 0x%x", *keydist);
1271 
1272 	if (*keydist & SMP_DIST_ENC_KEY) {
1273 		struct smp_cmd_encrypt_info enc;
1274 		struct smp_cmd_master_ident ident;
1275 		struct smp_ltk *ltk;
1276 		u8 authenticated;
1277 		__le16 ediv;
1278 		__le64 rand;
1279 
1280 		/* Make sure we generate only the significant amount of
1281 		 * bytes based on the encryption key size, and set the rest
1282 		 * of the value to zeroes.
1283 		 */
1284 		get_random_bytes(enc.ltk, smp->enc_key_size);
1285 		memset(enc.ltk + smp->enc_key_size, 0,
1286 		       sizeof(enc.ltk) - smp->enc_key_size);
1287 
1288 		get_random_bytes(&ediv, sizeof(ediv));
1289 		get_random_bytes(&rand, sizeof(rand));
1290 
1291 		smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1292 
1293 		authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1294 		ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1295 				  SMP_LTK_SLAVE, authenticated, enc.ltk,
1296 				  smp->enc_key_size, ediv, rand);
1297 		smp->slave_ltk = ltk;
1298 
1299 		ident.ediv = ediv;
1300 		ident.rand = rand;
1301 
1302 		smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1303 
1304 		*keydist &= ~SMP_DIST_ENC_KEY;
1305 	}
1306 
1307 	if (*keydist & SMP_DIST_ID_KEY) {
1308 		struct smp_cmd_ident_addr_info addrinfo;
1309 		struct smp_cmd_ident_info idinfo;
1310 
1311 		memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1312 
1313 		smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1314 
1315 		/* The hci_conn contains the local identity address
1316 		 * after the connection has been established.
1317 		 *
1318 		 * This is true even when the connection has been
1319 		 * established using a resolvable random address.
1320 		 */
1321 		bacpy(&addrinfo.bdaddr, &hcon->src);
1322 		addrinfo.addr_type = hcon->src_type;
1323 
1324 		smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1325 			     &addrinfo);
1326 
1327 		*keydist &= ~SMP_DIST_ID_KEY;
1328 	}
1329 
1330 	if (*keydist & SMP_DIST_SIGN) {
1331 		struct smp_cmd_sign_info sign;
1332 		struct smp_csrk *csrk;
1333 
1334 		/* Generate a new random key */
1335 		get_random_bytes(sign.csrk, sizeof(sign.csrk));
1336 
1337 		csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1338 		if (csrk) {
1339 			if (hcon->sec_level > BT_SECURITY_MEDIUM)
1340 				csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1341 			else
1342 				csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1343 			memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1344 		}
1345 		smp->slave_csrk = csrk;
1346 
1347 		smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1348 
1349 		*keydist &= ~SMP_DIST_SIGN;
1350 	}
1351 
1352 	/* If there are still keys to be received wait for them */
1353 	if (smp->remote_key_dist & KEY_DIST_MASK) {
1354 		smp_allow_key_dist(smp);
1355 		return;
1356 	}
1357 
1358 	set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1359 	smp_notify_keys(conn);
1360 
1361 	smp_chan_destroy(conn);
1362 }
1363 
1364 static void smp_timeout(struct work_struct *work)
1365 {
1366 	struct smp_chan *smp = container_of(work, struct smp_chan,
1367 					    security_timer.work);
1368 	struct l2cap_conn *conn = smp->conn;
1369 
1370 	BT_DBG("conn %p", conn);
1371 
1372 	hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1373 }
1374 
1375 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1376 {
1377 	struct l2cap_chan *chan = conn->smp;
1378 	struct smp_chan *smp;
1379 
1380 	smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1381 	if (!smp)
1382 		return NULL;
1383 
1384 	smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1385 	if (IS_ERR(smp->tfm_cmac)) {
1386 		BT_ERR("Unable to create CMAC crypto context");
1387 		goto zfree_smp;
1388 	}
1389 
1390 	smp->tfm_ecdh = crypto_alloc_kpp("ecdh", 0, 0);
1391 	if (IS_ERR(smp->tfm_ecdh)) {
1392 		BT_ERR("Unable to create ECDH crypto context");
1393 		goto free_shash;
1394 	}
1395 
1396 	smp->conn = conn;
1397 	chan->data = smp;
1398 
1399 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1400 
1401 	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1402 
1403 	hci_conn_hold(conn->hcon);
1404 
1405 	return smp;
1406 
1407 free_shash:
1408 	crypto_free_shash(smp->tfm_cmac);
1409 zfree_smp:
1410 	kfree_sensitive(smp);
1411 	return NULL;
1412 }
1413 
1414 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1415 {
1416 	struct hci_conn *hcon = smp->conn->hcon;
1417 	u8 *na, *nb, a[7], b[7];
1418 
1419 	if (hcon->out) {
1420 		na   = smp->prnd;
1421 		nb   = smp->rrnd;
1422 	} else {
1423 		na   = smp->rrnd;
1424 		nb   = smp->prnd;
1425 	}
1426 
1427 	memcpy(a, &hcon->init_addr, 6);
1428 	memcpy(b, &hcon->resp_addr, 6);
1429 	a[6] = hcon->init_addr_type;
1430 	b[6] = hcon->resp_addr_type;
1431 
1432 	return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1433 }
1434 
1435 static void sc_dhkey_check(struct smp_chan *smp)
1436 {
1437 	struct hci_conn *hcon = smp->conn->hcon;
1438 	struct smp_cmd_dhkey_check check;
1439 	u8 a[7], b[7], *local_addr, *remote_addr;
1440 	u8 io_cap[3], r[16];
1441 
1442 	memcpy(a, &hcon->init_addr, 6);
1443 	memcpy(b, &hcon->resp_addr, 6);
1444 	a[6] = hcon->init_addr_type;
1445 	b[6] = hcon->resp_addr_type;
1446 
1447 	if (hcon->out) {
1448 		local_addr = a;
1449 		remote_addr = b;
1450 		memcpy(io_cap, &smp->preq[1], 3);
1451 	} else {
1452 		local_addr = b;
1453 		remote_addr = a;
1454 		memcpy(io_cap, &smp->prsp[1], 3);
1455 	}
1456 
1457 	memset(r, 0, sizeof(r));
1458 
1459 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1460 		put_unaligned_le32(hcon->passkey_notify, r);
1461 
1462 	if (smp->method == REQ_OOB)
1463 		memcpy(r, smp->rr, 16);
1464 
1465 	smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1466 	       local_addr, remote_addr, check.e);
1467 
1468 	smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1469 }
1470 
1471 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1472 {
1473 	struct l2cap_conn *conn = smp->conn;
1474 	struct hci_conn *hcon = conn->hcon;
1475 	struct smp_cmd_pairing_confirm cfm;
1476 	u8 r;
1477 
1478 	r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1479 	r |= 0x80;
1480 
1481 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1482 
1483 	if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1484 		   cfm.confirm_val))
1485 		return SMP_UNSPECIFIED;
1486 
1487 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1488 
1489 	return 0;
1490 }
1491 
1492 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1493 {
1494 	struct l2cap_conn *conn = smp->conn;
1495 	struct hci_conn *hcon = conn->hcon;
1496 	struct hci_dev *hdev = hcon->hdev;
1497 	u8 cfm[16], r;
1498 
1499 	/* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1500 	if (smp->passkey_round >= 20)
1501 		return 0;
1502 
1503 	switch (smp_op) {
1504 	case SMP_CMD_PAIRING_RANDOM:
1505 		r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1506 		r |= 0x80;
1507 
1508 		if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1509 			   smp->rrnd, r, cfm))
1510 			return SMP_UNSPECIFIED;
1511 
1512 		if (crypto_memneq(smp->pcnf, cfm, 16))
1513 			return SMP_CONFIRM_FAILED;
1514 
1515 		smp->passkey_round++;
1516 
1517 		if (smp->passkey_round == 20) {
1518 			/* Generate MacKey and LTK */
1519 			if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1520 				return SMP_UNSPECIFIED;
1521 		}
1522 
1523 		/* The round is only complete when the initiator
1524 		 * receives pairing random.
1525 		 */
1526 		if (!hcon->out) {
1527 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1528 				     sizeof(smp->prnd), smp->prnd);
1529 			if (smp->passkey_round == 20)
1530 				SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1531 			else
1532 				SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1533 			return 0;
1534 		}
1535 
1536 		/* Start the next round */
1537 		if (smp->passkey_round != 20)
1538 			return sc_passkey_round(smp, 0);
1539 
1540 		/* Passkey rounds are complete - start DHKey Check */
1541 		sc_dhkey_check(smp);
1542 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1543 
1544 		break;
1545 
1546 	case SMP_CMD_PAIRING_CONFIRM:
1547 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1548 			set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1549 			return 0;
1550 		}
1551 
1552 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1553 
1554 		if (hcon->out) {
1555 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1556 				     sizeof(smp->prnd), smp->prnd);
1557 			return 0;
1558 		}
1559 
1560 		return sc_passkey_send_confirm(smp);
1561 
1562 	case SMP_CMD_PUBLIC_KEY:
1563 	default:
1564 		/* Initiating device starts the round */
1565 		if (!hcon->out)
1566 			return 0;
1567 
1568 		BT_DBG("%s Starting passkey round %u", hdev->name,
1569 		       smp->passkey_round + 1);
1570 
1571 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1572 
1573 		return sc_passkey_send_confirm(smp);
1574 	}
1575 
1576 	return 0;
1577 }
1578 
1579 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1580 {
1581 	struct l2cap_conn *conn = smp->conn;
1582 	struct hci_conn *hcon = conn->hcon;
1583 	u8 smp_op;
1584 
1585 	clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1586 
1587 	switch (mgmt_op) {
1588 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1589 		smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1590 		return 0;
1591 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1592 		smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1593 		return 0;
1594 	case MGMT_OP_USER_PASSKEY_REPLY:
1595 		hcon->passkey_notify = le32_to_cpu(passkey);
1596 		smp->passkey_round = 0;
1597 
1598 		if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1599 			smp_op = SMP_CMD_PAIRING_CONFIRM;
1600 		else
1601 			smp_op = 0;
1602 
1603 		if (sc_passkey_round(smp, smp_op))
1604 			return -EIO;
1605 
1606 		return 0;
1607 	}
1608 
1609 	/* Initiator sends DHKey check first */
1610 	if (hcon->out) {
1611 		sc_dhkey_check(smp);
1612 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1613 	} else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1614 		sc_dhkey_check(smp);
1615 		sc_add_ltk(smp);
1616 	}
1617 
1618 	return 0;
1619 }
1620 
1621 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1622 {
1623 	struct l2cap_conn *conn = hcon->l2cap_data;
1624 	struct l2cap_chan *chan;
1625 	struct smp_chan *smp;
1626 	u32 value;
1627 	int err;
1628 
1629 	BT_DBG("");
1630 
1631 	if (!conn)
1632 		return -ENOTCONN;
1633 
1634 	chan = conn->smp;
1635 	if (!chan)
1636 		return -ENOTCONN;
1637 
1638 	l2cap_chan_lock(chan);
1639 	if (!chan->data) {
1640 		err = -ENOTCONN;
1641 		goto unlock;
1642 	}
1643 
1644 	smp = chan->data;
1645 
1646 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1647 		err = sc_user_reply(smp, mgmt_op, passkey);
1648 		goto unlock;
1649 	}
1650 
1651 	switch (mgmt_op) {
1652 	case MGMT_OP_USER_PASSKEY_REPLY:
1653 		value = le32_to_cpu(passkey);
1654 		memset(smp->tk, 0, sizeof(smp->tk));
1655 		BT_DBG("PassKey: %d", value);
1656 		put_unaligned_le32(value, smp->tk);
1657 		fallthrough;
1658 	case MGMT_OP_USER_CONFIRM_REPLY:
1659 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1660 		break;
1661 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1662 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1663 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1664 		err = 0;
1665 		goto unlock;
1666 	default:
1667 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1668 		err = -EOPNOTSUPP;
1669 		goto unlock;
1670 	}
1671 
1672 	err = 0;
1673 
1674 	/* If it is our turn to send Pairing Confirm, do so now */
1675 	if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1676 		u8 rsp = smp_confirm(smp);
1677 		if (rsp)
1678 			smp_failure(conn, rsp);
1679 	}
1680 
1681 unlock:
1682 	l2cap_chan_unlock(chan);
1683 	return err;
1684 }
1685 
1686 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1687 				    struct smp_cmd_pairing *req,
1688 				    struct smp_cmd_pairing *rsp)
1689 {
1690 	struct l2cap_conn *conn = smp->conn;
1691 	struct hci_dev *hdev = conn->hcon->hdev;
1692 	u8 local_dist = 0, remote_dist = 0;
1693 
1694 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1695 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1696 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1697 	}
1698 
1699 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1700 		remote_dist |= SMP_DIST_ID_KEY;
1701 
1702 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1703 		local_dist |= SMP_DIST_ID_KEY;
1704 
1705 	if (!rsp) {
1706 		memset(req, 0, sizeof(*req));
1707 
1708 		req->auth_req        = SMP_AUTH_CT2;
1709 		req->init_key_dist   = local_dist;
1710 		req->resp_key_dist   = remote_dist;
1711 		req->max_key_size    = conn->hcon->enc_key_size;
1712 
1713 		smp->remote_key_dist = remote_dist;
1714 
1715 		return;
1716 	}
1717 
1718 	memset(rsp, 0, sizeof(*rsp));
1719 
1720 	rsp->auth_req        = SMP_AUTH_CT2;
1721 	rsp->max_key_size    = conn->hcon->enc_key_size;
1722 	rsp->init_key_dist   = req->init_key_dist & remote_dist;
1723 	rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1724 
1725 	smp->remote_key_dist = rsp->init_key_dist;
1726 }
1727 
1728 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1729 {
1730 	struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1731 	struct l2cap_chan *chan = conn->smp;
1732 	struct hci_dev *hdev = conn->hcon->hdev;
1733 	struct smp_chan *smp;
1734 	u8 key_size, auth, sec_level;
1735 	int ret;
1736 
1737 	BT_DBG("conn %p", conn);
1738 
1739 	if (skb->len < sizeof(*req))
1740 		return SMP_INVALID_PARAMS;
1741 
1742 	if (conn->hcon->role != HCI_ROLE_SLAVE)
1743 		return SMP_CMD_NOTSUPP;
1744 
1745 	if (!chan->data)
1746 		smp = smp_chan_create(conn);
1747 	else
1748 		smp = chan->data;
1749 
1750 	if (!smp)
1751 		return SMP_UNSPECIFIED;
1752 
1753 	/* We didn't start the pairing, so match remote */
1754 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
1755 
1756 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1757 	    (auth & SMP_AUTH_BONDING))
1758 		return SMP_PAIRING_NOTSUPP;
1759 
1760 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1761 		return SMP_AUTH_REQUIREMENTS;
1762 
1763 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
1764 	memcpy(&smp->preq[1], req, sizeof(*req));
1765 	skb_pull(skb, sizeof(*req));
1766 
1767 	/* If the remote side's OOB flag is set it means it has
1768 	 * successfully received our local OOB data - therefore set the
1769 	 * flag to indicate that local OOB is in use.
1770 	 */
1771 	if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1772 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1773 
1774 	/* SMP over BR/EDR requires special treatment */
1775 	if (conn->hcon->type == ACL_LINK) {
1776 		/* We must have a BR/EDR SC link */
1777 		if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1778 		    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1779 			return SMP_CROSS_TRANSP_NOT_ALLOWED;
1780 
1781 		set_bit(SMP_FLAG_SC, &smp->flags);
1782 
1783 		build_bredr_pairing_cmd(smp, req, &rsp);
1784 
1785 		if (req->auth_req & SMP_AUTH_CT2)
1786 			set_bit(SMP_FLAG_CT2, &smp->flags);
1787 
1788 		key_size = min(req->max_key_size, rsp.max_key_size);
1789 		if (check_enc_key_size(conn, key_size))
1790 			return SMP_ENC_KEY_SIZE;
1791 
1792 		/* Clear bits which are generated but not distributed */
1793 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1794 
1795 		smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1796 		memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1797 		smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1798 
1799 		smp_distribute_keys(smp);
1800 		return 0;
1801 	}
1802 
1803 	build_pairing_cmd(conn, req, &rsp, auth);
1804 
1805 	if (rsp.auth_req & SMP_AUTH_SC) {
1806 		set_bit(SMP_FLAG_SC, &smp->flags);
1807 
1808 		if (rsp.auth_req & SMP_AUTH_CT2)
1809 			set_bit(SMP_FLAG_CT2, &smp->flags);
1810 	}
1811 
1812 	if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1813 		sec_level = BT_SECURITY_MEDIUM;
1814 	else
1815 		sec_level = authreq_to_seclevel(auth);
1816 
1817 	if (sec_level > conn->hcon->pending_sec_level)
1818 		conn->hcon->pending_sec_level = sec_level;
1819 
1820 	/* If we need MITM check that it can be achieved */
1821 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1822 		u8 method;
1823 
1824 		method = get_auth_method(smp, conn->hcon->io_capability,
1825 					 req->io_capability);
1826 		if (method == JUST_WORKS || method == JUST_CFM)
1827 			return SMP_AUTH_REQUIREMENTS;
1828 	}
1829 
1830 	key_size = min(req->max_key_size, rsp.max_key_size);
1831 	if (check_enc_key_size(conn, key_size))
1832 		return SMP_ENC_KEY_SIZE;
1833 
1834 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1835 
1836 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1837 	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1838 
1839 	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1840 
1841 	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1842 
1843 	/* Strictly speaking we shouldn't allow Pairing Confirm for the
1844 	 * SC case, however some implementations incorrectly copy RFU auth
1845 	 * req bits from our security request, which may create a false
1846 	 * positive SC enablement.
1847 	 */
1848 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1849 
1850 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1851 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1852 		/* Clear bits which are generated but not distributed */
1853 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1854 		/* Wait for Public Key from Initiating Device */
1855 		return 0;
1856 	}
1857 
1858 	/* Request setup of TK */
1859 	ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1860 	if (ret)
1861 		return SMP_UNSPECIFIED;
1862 
1863 	return 0;
1864 }
1865 
1866 static u8 sc_send_public_key(struct smp_chan *smp)
1867 {
1868 	struct hci_dev *hdev = smp->conn->hcon->hdev;
1869 
1870 	bt_dev_dbg(hdev, "");
1871 
1872 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1873 		struct l2cap_chan *chan = hdev->smp_data;
1874 		struct smp_dev *smp_dev;
1875 
1876 		if (!chan || !chan->data)
1877 			return SMP_UNSPECIFIED;
1878 
1879 		smp_dev = chan->data;
1880 
1881 		memcpy(smp->local_pk, smp_dev->local_pk, 64);
1882 		memcpy(smp->lr, smp_dev->local_rand, 16);
1883 
1884 		if (smp_dev->debug_key)
1885 			set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1886 
1887 		goto done;
1888 	}
1889 
1890 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1891 		BT_DBG("Using debug keys");
1892 		if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
1893 			return SMP_UNSPECIFIED;
1894 		memcpy(smp->local_pk, debug_pk, 64);
1895 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1896 	} else {
1897 		while (true) {
1898 			/* Generate key pair for Secure Connections */
1899 			if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
1900 				return SMP_UNSPECIFIED;
1901 
1902 			/* This is unlikely, but we need to check that
1903 			 * we didn't accidentially generate a debug key.
1904 			 */
1905 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
1906 				break;
1907 		}
1908 	}
1909 
1910 done:
1911 	SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1912 	SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1913 
1914 	smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1915 
1916 	return 0;
1917 }
1918 
1919 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1920 {
1921 	struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1922 	struct l2cap_chan *chan = conn->smp;
1923 	struct smp_chan *smp = chan->data;
1924 	struct hci_dev *hdev = conn->hcon->hdev;
1925 	u8 key_size, auth;
1926 	int ret;
1927 
1928 	BT_DBG("conn %p", conn);
1929 
1930 	if (skb->len < sizeof(*rsp))
1931 		return SMP_INVALID_PARAMS;
1932 
1933 	if (conn->hcon->role != HCI_ROLE_MASTER)
1934 		return SMP_CMD_NOTSUPP;
1935 
1936 	skb_pull(skb, sizeof(*rsp));
1937 
1938 	req = (void *) &smp->preq[1];
1939 
1940 	key_size = min(req->max_key_size, rsp->max_key_size);
1941 	if (check_enc_key_size(conn, key_size))
1942 		return SMP_ENC_KEY_SIZE;
1943 
1944 	auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1945 
1946 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1947 		return SMP_AUTH_REQUIREMENTS;
1948 
1949 	/* If the remote side's OOB flag is set it means it has
1950 	 * successfully received our local OOB data - therefore set the
1951 	 * flag to indicate that local OOB is in use.
1952 	 */
1953 	if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1954 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1955 
1956 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1957 	memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1958 
1959 	/* Update remote key distribution in case the remote cleared
1960 	 * some bits that we had enabled in our request.
1961 	 */
1962 	smp->remote_key_dist &= rsp->resp_key_dist;
1963 
1964 	if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1965 		set_bit(SMP_FLAG_CT2, &smp->flags);
1966 
1967 	/* For BR/EDR this means we're done and can start phase 3 */
1968 	if (conn->hcon->type == ACL_LINK) {
1969 		/* Clear bits which are generated but not distributed */
1970 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1971 		smp_distribute_keys(smp);
1972 		return 0;
1973 	}
1974 
1975 	if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1976 		set_bit(SMP_FLAG_SC, &smp->flags);
1977 	else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1978 		conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1979 
1980 	/* If we need MITM check that it can be achieved */
1981 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1982 		u8 method;
1983 
1984 		method = get_auth_method(smp, req->io_capability,
1985 					 rsp->io_capability);
1986 		if (method == JUST_WORKS || method == JUST_CFM)
1987 			return SMP_AUTH_REQUIREMENTS;
1988 	}
1989 
1990 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1991 
1992 	/* Update remote key distribution in case the remote cleared
1993 	 * some bits that we had enabled in our request.
1994 	 */
1995 	smp->remote_key_dist &= rsp->resp_key_dist;
1996 
1997 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1998 		/* Clear bits which are generated but not distributed */
1999 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
2000 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2001 		return sc_send_public_key(smp);
2002 	}
2003 
2004 	auth |= req->auth_req;
2005 
2006 	ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2007 	if (ret)
2008 		return SMP_UNSPECIFIED;
2009 
2010 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2011 
2012 	/* Can't compose response until we have been confirmed */
2013 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2014 		return smp_confirm(smp);
2015 
2016 	return 0;
2017 }
2018 
2019 static u8 sc_check_confirm(struct smp_chan *smp)
2020 {
2021 	struct l2cap_conn *conn = smp->conn;
2022 
2023 	BT_DBG("");
2024 
2025 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2026 		return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2027 
2028 	if (conn->hcon->out) {
2029 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2030 			     smp->prnd);
2031 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2032 	}
2033 
2034 	return 0;
2035 }
2036 
2037 /* Work-around for some implementations that incorrectly copy RFU bits
2038  * from our security request and thereby create the impression that
2039  * we're doing SC when in fact the remote doesn't support it.
2040  */
2041 static int fixup_sc_false_positive(struct smp_chan *smp)
2042 {
2043 	struct l2cap_conn *conn = smp->conn;
2044 	struct hci_conn *hcon = conn->hcon;
2045 	struct hci_dev *hdev = hcon->hdev;
2046 	struct smp_cmd_pairing *req, *rsp;
2047 	u8 auth;
2048 
2049 	/* The issue is only observed when we're in slave role */
2050 	if (hcon->out)
2051 		return SMP_UNSPECIFIED;
2052 
2053 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2054 		bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
2055 		return SMP_UNSPECIFIED;
2056 	}
2057 
2058 	bt_dev_err(hdev, "trying to fall back to legacy SMP");
2059 
2060 	req = (void *) &smp->preq[1];
2061 	rsp = (void *) &smp->prsp[1];
2062 
2063 	/* Rebuild key dist flags which may have been cleared for SC */
2064 	smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2065 
2066 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
2067 
2068 	if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2069 		bt_dev_err(hdev, "failed to fall back to legacy SMP");
2070 		return SMP_UNSPECIFIED;
2071 	}
2072 
2073 	clear_bit(SMP_FLAG_SC, &smp->flags);
2074 
2075 	return 0;
2076 }
2077 
2078 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2079 {
2080 	struct l2cap_chan *chan = conn->smp;
2081 	struct smp_chan *smp = chan->data;
2082 
2083 	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
2084 
2085 	if (skb->len < sizeof(smp->pcnf))
2086 		return SMP_INVALID_PARAMS;
2087 
2088 	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2089 	skb_pull(skb, sizeof(smp->pcnf));
2090 
2091 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2092 		int ret;
2093 
2094 		/* Public Key exchange must happen before any other steps */
2095 		if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2096 			return sc_check_confirm(smp);
2097 
2098 		BT_ERR("Unexpected SMP Pairing Confirm");
2099 
2100 		ret = fixup_sc_false_positive(smp);
2101 		if (ret)
2102 			return ret;
2103 	}
2104 
2105 	if (conn->hcon->out) {
2106 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2107 			     smp->prnd);
2108 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2109 		return 0;
2110 	}
2111 
2112 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2113 		return smp_confirm(smp);
2114 
2115 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2116 
2117 	return 0;
2118 }
2119 
2120 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2121 {
2122 	struct l2cap_chan *chan = conn->smp;
2123 	struct smp_chan *smp = chan->data;
2124 	struct hci_conn *hcon = conn->hcon;
2125 	u8 *pkax, *pkbx, *na, *nb, confirm_hint;
2126 	u32 passkey;
2127 	int err;
2128 
2129 	BT_DBG("conn %p", conn);
2130 
2131 	if (skb->len < sizeof(smp->rrnd))
2132 		return SMP_INVALID_PARAMS;
2133 
2134 	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2135 	skb_pull(skb, sizeof(smp->rrnd));
2136 
2137 	if (!test_bit(SMP_FLAG_SC, &smp->flags))
2138 		return smp_random(smp);
2139 
2140 	if (hcon->out) {
2141 		pkax = smp->local_pk;
2142 		pkbx = smp->remote_pk;
2143 		na   = smp->prnd;
2144 		nb   = smp->rrnd;
2145 	} else {
2146 		pkax = smp->remote_pk;
2147 		pkbx = smp->local_pk;
2148 		na   = smp->rrnd;
2149 		nb   = smp->prnd;
2150 	}
2151 
2152 	if (smp->method == REQ_OOB) {
2153 		if (!hcon->out)
2154 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2155 				     sizeof(smp->prnd), smp->prnd);
2156 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2157 		goto mackey_and_ltk;
2158 	}
2159 
2160 	/* Passkey entry has special treatment */
2161 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2162 		return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2163 
2164 	if (hcon->out) {
2165 		u8 cfm[16];
2166 
2167 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2168 			     smp->rrnd, 0, cfm);
2169 		if (err)
2170 			return SMP_UNSPECIFIED;
2171 
2172 		if (crypto_memneq(smp->pcnf, cfm, 16))
2173 			return SMP_CONFIRM_FAILED;
2174 	} else {
2175 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2176 			     smp->prnd);
2177 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2178 
2179 		/* Only Just-Works pairing requires extra checks */
2180 		if (smp->method != JUST_WORKS)
2181 			goto mackey_and_ltk;
2182 
2183 		/* If there already exists long term key in local host, leave
2184 		 * the decision to user space since the remote device could
2185 		 * be legitimate or malicious.
2186 		 */
2187 		if (hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
2188 				 hcon->role)) {
2189 			/* Set passkey to 0. The value can be any number since
2190 			 * it'll be ignored anyway.
2191 			 */
2192 			passkey = 0;
2193 			confirm_hint = 1;
2194 			goto confirm;
2195 		}
2196 	}
2197 
2198 mackey_and_ltk:
2199 	/* Generate MacKey and LTK */
2200 	err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2201 	if (err)
2202 		return SMP_UNSPECIFIED;
2203 
2204 	if (smp->method == REQ_OOB) {
2205 		if (hcon->out) {
2206 			sc_dhkey_check(smp);
2207 			SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2208 		}
2209 		return 0;
2210 	}
2211 
2212 	err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2213 	if (err)
2214 		return SMP_UNSPECIFIED;
2215 
2216 	confirm_hint = 0;
2217 
2218 confirm:
2219 	if (smp->method == JUST_WORKS)
2220 		confirm_hint = 1;
2221 
2222 	err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2223 					hcon->dst_type, passkey, confirm_hint);
2224 	if (err)
2225 		return SMP_UNSPECIFIED;
2226 
2227 	set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2228 
2229 	return 0;
2230 }
2231 
2232 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2233 {
2234 	struct smp_ltk *key;
2235 	struct hci_conn *hcon = conn->hcon;
2236 
2237 	key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2238 	if (!key)
2239 		return false;
2240 
2241 	if (smp_ltk_sec_level(key) < sec_level)
2242 		return false;
2243 
2244 	if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2245 		return true;
2246 
2247 	hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2248 	hcon->enc_key_size = key->enc_size;
2249 
2250 	/* We never store STKs for master role, so clear this flag */
2251 	clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2252 
2253 	return true;
2254 }
2255 
2256 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2257 			     enum smp_key_pref key_pref)
2258 {
2259 	if (sec_level == BT_SECURITY_LOW)
2260 		return true;
2261 
2262 	/* If we're encrypted with an STK but the caller prefers using
2263 	 * LTK claim insufficient security. This way we allow the
2264 	 * connection to be re-encrypted with an LTK, even if the LTK
2265 	 * provides the same level of security. Only exception is if we
2266 	 * don't have an LTK (e.g. because of key distribution bits).
2267 	 */
2268 	if (key_pref == SMP_USE_LTK &&
2269 	    test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2270 	    hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2271 		return false;
2272 
2273 	if (hcon->sec_level >= sec_level)
2274 		return true;
2275 
2276 	return false;
2277 }
2278 
2279 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2280 {
2281 	struct smp_cmd_security_req *rp = (void *) skb->data;
2282 	struct smp_cmd_pairing cp;
2283 	struct hci_conn *hcon = conn->hcon;
2284 	struct hci_dev *hdev = hcon->hdev;
2285 	struct smp_chan *smp;
2286 	u8 sec_level, auth;
2287 
2288 	BT_DBG("conn %p", conn);
2289 
2290 	if (skb->len < sizeof(*rp))
2291 		return SMP_INVALID_PARAMS;
2292 
2293 	if (hcon->role != HCI_ROLE_MASTER)
2294 		return SMP_CMD_NOTSUPP;
2295 
2296 	auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2297 
2298 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2299 		return SMP_AUTH_REQUIREMENTS;
2300 
2301 	if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2302 		sec_level = BT_SECURITY_MEDIUM;
2303 	else
2304 		sec_level = authreq_to_seclevel(auth);
2305 
2306 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2307 		/* If link is already encrypted with sufficient security we
2308 		 * still need refresh encryption as per Core Spec 5.0 Vol 3,
2309 		 * Part H 2.4.6
2310 		 */
2311 		smp_ltk_encrypt(conn, hcon->sec_level);
2312 		return 0;
2313 	}
2314 
2315 	if (sec_level > hcon->pending_sec_level)
2316 		hcon->pending_sec_level = sec_level;
2317 
2318 	if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2319 		return 0;
2320 
2321 	smp = smp_chan_create(conn);
2322 	if (!smp)
2323 		return SMP_UNSPECIFIED;
2324 
2325 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2326 	    (auth & SMP_AUTH_BONDING))
2327 		return SMP_PAIRING_NOTSUPP;
2328 
2329 	skb_pull(skb, sizeof(*rp));
2330 
2331 	memset(&cp, 0, sizeof(cp));
2332 	build_pairing_cmd(conn, &cp, NULL, auth);
2333 
2334 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2335 	memcpy(&smp->preq[1], &cp, sizeof(cp));
2336 
2337 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2338 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2339 
2340 	return 0;
2341 }
2342 
2343 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2344 {
2345 	struct l2cap_conn *conn = hcon->l2cap_data;
2346 	struct l2cap_chan *chan;
2347 	struct smp_chan *smp;
2348 	__u8 authreq;
2349 	int ret;
2350 
2351 	BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2352 
2353 	/* This may be NULL if there's an unexpected disconnection */
2354 	if (!conn)
2355 		return 1;
2356 
2357 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2358 		return 1;
2359 
2360 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2361 		return 1;
2362 
2363 	if (sec_level > hcon->pending_sec_level)
2364 		hcon->pending_sec_level = sec_level;
2365 
2366 	if (hcon->role == HCI_ROLE_MASTER)
2367 		if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2368 			return 0;
2369 
2370 	chan = conn->smp;
2371 	if (!chan) {
2372 		bt_dev_err(hcon->hdev, "security requested but not available");
2373 		return 1;
2374 	}
2375 
2376 	l2cap_chan_lock(chan);
2377 
2378 	/* If SMP is already in progress ignore this request */
2379 	if (chan->data) {
2380 		ret = 0;
2381 		goto unlock;
2382 	}
2383 
2384 	smp = smp_chan_create(conn);
2385 	if (!smp) {
2386 		ret = 1;
2387 		goto unlock;
2388 	}
2389 
2390 	authreq = seclevel_to_authreq(sec_level);
2391 
2392 	if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2393 		authreq |= SMP_AUTH_SC;
2394 		if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2395 			authreq |= SMP_AUTH_CT2;
2396 	}
2397 
2398 	/* Don't attempt to set MITM if setting is overridden by debugfs
2399 	 * Needed to pass certification test SM/MAS/PKE/BV-01-C
2400 	 */
2401 	if (!hci_dev_test_flag(hcon->hdev, HCI_FORCE_NO_MITM)) {
2402 		/* Require MITM if IO Capability allows or the security level
2403 		 * requires it.
2404 		 */
2405 		if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2406 		    hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2407 			authreq |= SMP_AUTH_MITM;
2408 	}
2409 
2410 	if (hcon->role == HCI_ROLE_MASTER) {
2411 		struct smp_cmd_pairing cp;
2412 
2413 		build_pairing_cmd(conn, &cp, NULL, authreq);
2414 		smp->preq[0] = SMP_CMD_PAIRING_REQ;
2415 		memcpy(&smp->preq[1], &cp, sizeof(cp));
2416 
2417 		smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2418 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2419 	} else {
2420 		struct smp_cmd_security_req cp;
2421 		cp.auth_req = authreq;
2422 		smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2423 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2424 	}
2425 
2426 	set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2427 	ret = 0;
2428 
2429 unlock:
2430 	l2cap_chan_unlock(chan);
2431 	return ret;
2432 }
2433 
2434 int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2435 				  u8 addr_type)
2436 {
2437 	struct hci_conn *hcon;
2438 	struct l2cap_conn *conn;
2439 	struct l2cap_chan *chan;
2440 	struct smp_chan *smp;
2441 	int err;
2442 
2443 	err = hci_remove_ltk(hdev, bdaddr, addr_type);
2444 	hci_remove_irk(hdev, bdaddr, addr_type);
2445 
2446 	hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2447 	if (!hcon)
2448 		goto done;
2449 
2450 	conn = hcon->l2cap_data;
2451 	if (!conn)
2452 		goto done;
2453 
2454 	chan = conn->smp;
2455 	if (!chan)
2456 		goto done;
2457 
2458 	l2cap_chan_lock(chan);
2459 
2460 	smp = chan->data;
2461 	if (smp) {
2462 		/* Set keys to NULL to make sure smp_failure() does not try to
2463 		 * remove and free already invalidated rcu list entries. */
2464 		smp->ltk = NULL;
2465 		smp->slave_ltk = NULL;
2466 		smp->remote_irk = NULL;
2467 
2468 		if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2469 			smp_failure(conn, 0);
2470 		else
2471 			smp_failure(conn, SMP_UNSPECIFIED);
2472 		err = 0;
2473 	}
2474 
2475 	l2cap_chan_unlock(chan);
2476 
2477 done:
2478 	return err;
2479 }
2480 
2481 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2482 {
2483 	struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2484 	struct l2cap_chan *chan = conn->smp;
2485 	struct smp_chan *smp = chan->data;
2486 
2487 	BT_DBG("conn %p", conn);
2488 
2489 	if (skb->len < sizeof(*rp))
2490 		return SMP_INVALID_PARAMS;
2491 
2492 	/* Pairing is aborted if any blocked keys are distributed */
2493 	if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_LTK,
2494 			       rp->ltk)) {
2495 		bt_dev_warn_ratelimited(conn->hcon->hdev,
2496 					"LTK blocked for %pMR",
2497 					&conn->hcon->dst);
2498 		return SMP_INVALID_PARAMS;
2499 	}
2500 
2501 	SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2502 
2503 	skb_pull(skb, sizeof(*rp));
2504 
2505 	memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2506 
2507 	return 0;
2508 }
2509 
2510 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2511 {
2512 	struct smp_cmd_master_ident *rp = (void *) skb->data;
2513 	struct l2cap_chan *chan = conn->smp;
2514 	struct smp_chan *smp = chan->data;
2515 	struct hci_dev *hdev = conn->hcon->hdev;
2516 	struct hci_conn *hcon = conn->hcon;
2517 	struct smp_ltk *ltk;
2518 	u8 authenticated;
2519 
2520 	BT_DBG("conn %p", conn);
2521 
2522 	if (skb->len < sizeof(*rp))
2523 		return SMP_INVALID_PARAMS;
2524 
2525 	/* Mark the information as received */
2526 	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2527 
2528 	if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2529 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2530 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
2531 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2532 
2533 	skb_pull(skb, sizeof(*rp));
2534 
2535 	authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2536 	ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2537 			  authenticated, smp->tk, smp->enc_key_size,
2538 			  rp->ediv, rp->rand);
2539 	smp->ltk = ltk;
2540 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2541 		smp_distribute_keys(smp);
2542 
2543 	return 0;
2544 }
2545 
2546 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2547 {
2548 	struct smp_cmd_ident_info *info = (void *) skb->data;
2549 	struct l2cap_chan *chan = conn->smp;
2550 	struct smp_chan *smp = chan->data;
2551 
2552 	BT_DBG("");
2553 
2554 	if (skb->len < sizeof(*info))
2555 		return SMP_INVALID_PARAMS;
2556 
2557 	/* Pairing is aborted if any blocked keys are distributed */
2558 	if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_IRK,
2559 			       info->irk)) {
2560 		bt_dev_warn_ratelimited(conn->hcon->hdev,
2561 					"Identity key blocked for %pMR",
2562 					&conn->hcon->dst);
2563 		return SMP_INVALID_PARAMS;
2564 	}
2565 
2566 	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2567 
2568 	skb_pull(skb, sizeof(*info));
2569 
2570 	memcpy(smp->irk, info->irk, 16);
2571 
2572 	return 0;
2573 }
2574 
2575 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2576 				   struct sk_buff *skb)
2577 {
2578 	struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2579 	struct l2cap_chan *chan = conn->smp;
2580 	struct smp_chan *smp = chan->data;
2581 	struct hci_conn *hcon = conn->hcon;
2582 	bdaddr_t rpa;
2583 
2584 	BT_DBG("");
2585 
2586 	if (skb->len < sizeof(*info))
2587 		return SMP_INVALID_PARAMS;
2588 
2589 	/* Mark the information as received */
2590 	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2591 
2592 	if (smp->remote_key_dist & SMP_DIST_SIGN)
2593 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2594 
2595 	skb_pull(skb, sizeof(*info));
2596 
2597 	/* Strictly speaking the Core Specification (4.1) allows sending
2598 	 * an empty address which would force us to rely on just the IRK
2599 	 * as "identity information". However, since such
2600 	 * implementations are not known of and in order to not over
2601 	 * complicate our implementation, simply pretend that we never
2602 	 * received an IRK for such a device.
2603 	 *
2604 	 * The Identity Address must also be a Static Random or Public
2605 	 * Address, which hci_is_identity_address() checks for.
2606 	 */
2607 	if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2608 	    !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2609 		bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
2610 		goto distribute;
2611 	}
2612 
2613 	/* Drop IRK if peer is using identity address during pairing but is
2614 	 * providing different address as identity information.
2615 	 *
2616 	 * Microsoft Surface Precision Mouse is known to have this bug.
2617 	 */
2618 	if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
2619 	    (bacmp(&info->bdaddr, &hcon->dst) ||
2620 	     info->addr_type != hcon->dst_type)) {
2621 		bt_dev_err(hcon->hdev,
2622 			   "ignoring IRK with invalid identity address");
2623 		goto distribute;
2624 	}
2625 
2626 	bacpy(&smp->id_addr, &info->bdaddr);
2627 	smp->id_addr_type = info->addr_type;
2628 
2629 	if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2630 		bacpy(&rpa, &hcon->dst);
2631 	else
2632 		bacpy(&rpa, BDADDR_ANY);
2633 
2634 	smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2635 				      smp->id_addr_type, smp->irk, &rpa);
2636 
2637 distribute:
2638 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2639 		smp_distribute_keys(smp);
2640 
2641 	return 0;
2642 }
2643 
2644 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2645 {
2646 	struct smp_cmd_sign_info *rp = (void *) skb->data;
2647 	struct l2cap_chan *chan = conn->smp;
2648 	struct smp_chan *smp = chan->data;
2649 	struct smp_csrk *csrk;
2650 
2651 	BT_DBG("conn %p", conn);
2652 
2653 	if (skb->len < sizeof(*rp))
2654 		return SMP_INVALID_PARAMS;
2655 
2656 	/* Mark the information as received */
2657 	smp->remote_key_dist &= ~SMP_DIST_SIGN;
2658 
2659 	skb_pull(skb, sizeof(*rp));
2660 
2661 	csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2662 	if (csrk) {
2663 		if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2664 			csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2665 		else
2666 			csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2667 		memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2668 	}
2669 	smp->csrk = csrk;
2670 	smp_distribute_keys(smp);
2671 
2672 	return 0;
2673 }
2674 
2675 static u8 sc_select_method(struct smp_chan *smp)
2676 {
2677 	struct l2cap_conn *conn = smp->conn;
2678 	struct hci_conn *hcon = conn->hcon;
2679 	struct smp_cmd_pairing *local, *remote;
2680 	u8 local_mitm, remote_mitm, local_io, remote_io, method;
2681 
2682 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2683 	    test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2684 		return REQ_OOB;
2685 
2686 	/* The preq/prsp contain the raw Pairing Request/Response PDUs
2687 	 * which are needed as inputs to some crypto functions. To get
2688 	 * the "struct smp_cmd_pairing" from them we need to skip the
2689 	 * first byte which contains the opcode.
2690 	 */
2691 	if (hcon->out) {
2692 		local = (void *) &smp->preq[1];
2693 		remote = (void *) &smp->prsp[1];
2694 	} else {
2695 		local = (void *) &smp->prsp[1];
2696 		remote = (void *) &smp->preq[1];
2697 	}
2698 
2699 	local_io = local->io_capability;
2700 	remote_io = remote->io_capability;
2701 
2702 	local_mitm = (local->auth_req & SMP_AUTH_MITM);
2703 	remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2704 
2705 	/* If either side wants MITM, look up the method from the table,
2706 	 * otherwise use JUST WORKS.
2707 	 */
2708 	if (local_mitm || remote_mitm)
2709 		method = get_auth_method(smp, local_io, remote_io);
2710 	else
2711 		method = JUST_WORKS;
2712 
2713 	/* Don't confirm locally initiated pairing attempts */
2714 	if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2715 		method = JUST_WORKS;
2716 
2717 	return method;
2718 }
2719 
2720 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2721 {
2722 	struct smp_cmd_public_key *key = (void *) skb->data;
2723 	struct hci_conn *hcon = conn->hcon;
2724 	struct l2cap_chan *chan = conn->smp;
2725 	struct smp_chan *smp = chan->data;
2726 	struct hci_dev *hdev = hcon->hdev;
2727 	struct crypto_kpp *tfm_ecdh;
2728 	struct smp_cmd_pairing_confirm cfm;
2729 	int err;
2730 
2731 	BT_DBG("conn %p", conn);
2732 
2733 	if (skb->len < sizeof(*key))
2734 		return SMP_INVALID_PARAMS;
2735 
2736 	memcpy(smp->remote_pk, key, 64);
2737 
2738 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2739 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2740 			     smp->rr, 0, cfm.confirm_val);
2741 		if (err)
2742 			return SMP_UNSPECIFIED;
2743 
2744 		if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2745 			return SMP_CONFIRM_FAILED;
2746 	}
2747 
2748 	/* Non-initiating device sends its public key after receiving
2749 	 * the key from the initiating device.
2750 	 */
2751 	if (!hcon->out) {
2752 		err = sc_send_public_key(smp);
2753 		if (err)
2754 			return err;
2755 	}
2756 
2757 	SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2758 	SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2759 
2760 	/* Compute the shared secret on the same crypto tfm on which the private
2761 	 * key was set/generated.
2762 	 */
2763 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
2764 		struct l2cap_chan *hchan = hdev->smp_data;
2765 		struct smp_dev *smp_dev;
2766 
2767 		if (!hchan || !hchan->data)
2768 			return SMP_UNSPECIFIED;
2769 
2770 		smp_dev = hchan->data;
2771 
2772 		tfm_ecdh = smp_dev->tfm_ecdh;
2773 	} else {
2774 		tfm_ecdh = smp->tfm_ecdh;
2775 	}
2776 
2777 	if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
2778 		return SMP_UNSPECIFIED;
2779 
2780 	SMP_DBG("DHKey %32phN", smp->dhkey);
2781 
2782 	set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2783 
2784 	smp->method = sc_select_method(smp);
2785 
2786 	BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2787 
2788 	/* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2789 	if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2790 		hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2791 	else
2792 		hcon->pending_sec_level = BT_SECURITY_FIPS;
2793 
2794 	if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2795 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2796 
2797 	if (smp->method == DSP_PASSKEY) {
2798 		get_random_bytes(&hcon->passkey_notify,
2799 				 sizeof(hcon->passkey_notify));
2800 		hcon->passkey_notify %= 1000000;
2801 		hcon->passkey_entered = 0;
2802 		smp->passkey_round = 0;
2803 		if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2804 					     hcon->dst_type,
2805 					     hcon->passkey_notify,
2806 					     hcon->passkey_entered))
2807 			return SMP_UNSPECIFIED;
2808 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2809 		return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2810 	}
2811 
2812 	if (smp->method == REQ_OOB) {
2813 		if (hcon->out)
2814 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2815 				     sizeof(smp->prnd), smp->prnd);
2816 
2817 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2818 
2819 		return 0;
2820 	}
2821 
2822 	if (hcon->out)
2823 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2824 
2825 	if (smp->method == REQ_PASSKEY) {
2826 		if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2827 					      hcon->dst_type))
2828 			return SMP_UNSPECIFIED;
2829 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2830 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2831 		return 0;
2832 	}
2833 
2834 	/* The Initiating device waits for the non-initiating device to
2835 	 * send the confirm value.
2836 	 */
2837 	if (conn->hcon->out)
2838 		return 0;
2839 
2840 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2841 		     0, cfm.confirm_val);
2842 	if (err)
2843 		return SMP_UNSPECIFIED;
2844 
2845 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2846 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2847 
2848 	return 0;
2849 }
2850 
2851 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2852 {
2853 	struct smp_cmd_dhkey_check *check = (void *) skb->data;
2854 	struct l2cap_chan *chan = conn->smp;
2855 	struct hci_conn *hcon = conn->hcon;
2856 	struct smp_chan *smp = chan->data;
2857 	u8 a[7], b[7], *local_addr, *remote_addr;
2858 	u8 io_cap[3], r[16], e[16];
2859 	int err;
2860 
2861 	BT_DBG("conn %p", conn);
2862 
2863 	if (skb->len < sizeof(*check))
2864 		return SMP_INVALID_PARAMS;
2865 
2866 	memcpy(a, &hcon->init_addr, 6);
2867 	memcpy(b, &hcon->resp_addr, 6);
2868 	a[6] = hcon->init_addr_type;
2869 	b[6] = hcon->resp_addr_type;
2870 
2871 	if (hcon->out) {
2872 		local_addr = a;
2873 		remote_addr = b;
2874 		memcpy(io_cap, &smp->prsp[1], 3);
2875 	} else {
2876 		local_addr = b;
2877 		remote_addr = a;
2878 		memcpy(io_cap, &smp->preq[1], 3);
2879 	}
2880 
2881 	memset(r, 0, sizeof(r));
2882 
2883 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2884 		put_unaligned_le32(hcon->passkey_notify, r);
2885 	else if (smp->method == REQ_OOB)
2886 		memcpy(r, smp->lr, 16);
2887 
2888 	err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2889 		     io_cap, remote_addr, local_addr, e);
2890 	if (err)
2891 		return SMP_UNSPECIFIED;
2892 
2893 	if (crypto_memneq(check->e, e, 16))
2894 		return SMP_DHKEY_CHECK_FAILED;
2895 
2896 	if (!hcon->out) {
2897 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2898 			set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2899 			return 0;
2900 		}
2901 
2902 		/* Slave sends DHKey check as response to master */
2903 		sc_dhkey_check(smp);
2904 	}
2905 
2906 	sc_add_ltk(smp);
2907 
2908 	if (hcon->out) {
2909 		hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2910 		hcon->enc_key_size = smp->enc_key_size;
2911 	}
2912 
2913 	return 0;
2914 }
2915 
2916 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2917 				   struct sk_buff *skb)
2918 {
2919 	struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2920 
2921 	BT_DBG("value 0x%02x", kp->value);
2922 
2923 	return 0;
2924 }
2925 
2926 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2927 {
2928 	struct l2cap_conn *conn = chan->conn;
2929 	struct hci_conn *hcon = conn->hcon;
2930 	struct smp_chan *smp;
2931 	__u8 code, reason;
2932 	int err = 0;
2933 
2934 	if (skb->len < 1)
2935 		return -EILSEQ;
2936 
2937 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2938 		reason = SMP_PAIRING_NOTSUPP;
2939 		goto done;
2940 	}
2941 
2942 	code = skb->data[0];
2943 	skb_pull(skb, sizeof(code));
2944 
2945 	smp = chan->data;
2946 
2947 	if (code > SMP_CMD_MAX)
2948 		goto drop;
2949 
2950 	if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2951 		goto drop;
2952 
2953 	/* If we don't have a context the only allowed commands are
2954 	 * pairing request and security request.
2955 	 */
2956 	if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2957 		goto drop;
2958 
2959 	switch (code) {
2960 	case SMP_CMD_PAIRING_REQ:
2961 		reason = smp_cmd_pairing_req(conn, skb);
2962 		break;
2963 
2964 	case SMP_CMD_PAIRING_FAIL:
2965 		smp_failure(conn, 0);
2966 		err = -EPERM;
2967 		break;
2968 
2969 	case SMP_CMD_PAIRING_RSP:
2970 		reason = smp_cmd_pairing_rsp(conn, skb);
2971 		break;
2972 
2973 	case SMP_CMD_SECURITY_REQ:
2974 		reason = smp_cmd_security_req(conn, skb);
2975 		break;
2976 
2977 	case SMP_CMD_PAIRING_CONFIRM:
2978 		reason = smp_cmd_pairing_confirm(conn, skb);
2979 		break;
2980 
2981 	case SMP_CMD_PAIRING_RANDOM:
2982 		reason = smp_cmd_pairing_random(conn, skb);
2983 		break;
2984 
2985 	case SMP_CMD_ENCRYPT_INFO:
2986 		reason = smp_cmd_encrypt_info(conn, skb);
2987 		break;
2988 
2989 	case SMP_CMD_MASTER_IDENT:
2990 		reason = smp_cmd_master_ident(conn, skb);
2991 		break;
2992 
2993 	case SMP_CMD_IDENT_INFO:
2994 		reason = smp_cmd_ident_info(conn, skb);
2995 		break;
2996 
2997 	case SMP_CMD_IDENT_ADDR_INFO:
2998 		reason = smp_cmd_ident_addr_info(conn, skb);
2999 		break;
3000 
3001 	case SMP_CMD_SIGN_INFO:
3002 		reason = smp_cmd_sign_info(conn, skb);
3003 		break;
3004 
3005 	case SMP_CMD_PUBLIC_KEY:
3006 		reason = smp_cmd_public_key(conn, skb);
3007 		break;
3008 
3009 	case SMP_CMD_DHKEY_CHECK:
3010 		reason = smp_cmd_dhkey_check(conn, skb);
3011 		break;
3012 
3013 	case SMP_CMD_KEYPRESS_NOTIFY:
3014 		reason = smp_cmd_keypress_notify(conn, skb);
3015 		break;
3016 
3017 	default:
3018 		BT_DBG("Unknown command code 0x%2.2x", code);
3019 		reason = SMP_CMD_NOTSUPP;
3020 		goto done;
3021 	}
3022 
3023 done:
3024 	if (!err) {
3025 		if (reason)
3026 			smp_failure(conn, reason);
3027 		kfree_skb(skb);
3028 	}
3029 
3030 	return err;
3031 
3032 drop:
3033 	bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
3034 		   code, &hcon->dst);
3035 	kfree_skb(skb);
3036 	return 0;
3037 }
3038 
3039 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
3040 {
3041 	struct l2cap_conn *conn = chan->conn;
3042 
3043 	BT_DBG("chan %p", chan);
3044 
3045 	if (chan->data)
3046 		smp_chan_destroy(conn);
3047 
3048 	conn->smp = NULL;
3049 	l2cap_chan_put(chan);
3050 }
3051 
3052 static void bredr_pairing(struct l2cap_chan *chan)
3053 {
3054 	struct l2cap_conn *conn = chan->conn;
3055 	struct hci_conn *hcon = conn->hcon;
3056 	struct hci_dev *hdev = hcon->hdev;
3057 	struct smp_cmd_pairing req;
3058 	struct smp_chan *smp;
3059 
3060 	BT_DBG("chan %p", chan);
3061 
3062 	/* Only new pairings are interesting */
3063 	if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
3064 		return;
3065 
3066 	/* Don't bother if we're not encrypted */
3067 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3068 		return;
3069 
3070 	/* Only master may initiate SMP over BR/EDR */
3071 	if (hcon->role != HCI_ROLE_MASTER)
3072 		return;
3073 
3074 	/* Secure Connections support must be enabled */
3075 	if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
3076 		return;
3077 
3078 	/* BR/EDR must use Secure Connections for SMP */
3079 	if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
3080 	    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3081 		return;
3082 
3083 	/* If our LE support is not enabled don't do anything */
3084 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3085 		return;
3086 
3087 	/* Don't bother if remote LE support is not enabled */
3088 	if (!lmp_host_le_capable(hcon))
3089 		return;
3090 
3091 	/* Remote must support SMP fixed chan for BR/EDR */
3092 	if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3093 		return;
3094 
3095 	/* Don't bother if SMP is already ongoing */
3096 	if (chan->data)
3097 		return;
3098 
3099 	smp = smp_chan_create(conn);
3100 	if (!smp) {
3101 		bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
3102 		return;
3103 	}
3104 
3105 	set_bit(SMP_FLAG_SC, &smp->flags);
3106 
3107 	BT_DBG("%s starting SMP over BR/EDR", hdev->name);
3108 
3109 	/* Prepare and send the BR/EDR SMP Pairing Request */
3110 	build_bredr_pairing_cmd(smp, &req, NULL);
3111 
3112 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
3113 	memcpy(&smp->preq[1], &req, sizeof(req));
3114 
3115 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3116 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3117 }
3118 
3119 static void smp_resume_cb(struct l2cap_chan *chan)
3120 {
3121 	struct smp_chan *smp = chan->data;
3122 	struct l2cap_conn *conn = chan->conn;
3123 	struct hci_conn *hcon = conn->hcon;
3124 
3125 	BT_DBG("chan %p", chan);
3126 
3127 	if (hcon->type == ACL_LINK) {
3128 		bredr_pairing(chan);
3129 		return;
3130 	}
3131 
3132 	if (!smp)
3133 		return;
3134 
3135 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3136 		return;
3137 
3138 	cancel_delayed_work(&smp->security_timer);
3139 
3140 	smp_distribute_keys(smp);
3141 }
3142 
3143 static void smp_ready_cb(struct l2cap_chan *chan)
3144 {
3145 	struct l2cap_conn *conn = chan->conn;
3146 	struct hci_conn *hcon = conn->hcon;
3147 
3148 	BT_DBG("chan %p", chan);
3149 
3150 	/* No need to call l2cap_chan_hold() here since we already own
3151 	 * the reference taken in smp_new_conn_cb(). This is just the
3152 	 * first time that we tie it to a specific pointer. The code in
3153 	 * l2cap_core.c ensures that there's no risk this function wont
3154 	 * get called if smp_new_conn_cb was previously called.
3155 	 */
3156 	conn->smp = chan;
3157 
3158 	if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3159 		bredr_pairing(chan);
3160 }
3161 
3162 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3163 {
3164 	int err;
3165 
3166 	BT_DBG("chan %p", chan);
3167 
3168 	err = smp_sig_channel(chan, skb);
3169 	if (err) {
3170 		struct smp_chan *smp = chan->data;
3171 
3172 		if (smp)
3173 			cancel_delayed_work_sync(&smp->security_timer);
3174 
3175 		hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3176 	}
3177 
3178 	return err;
3179 }
3180 
3181 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3182 					unsigned long hdr_len,
3183 					unsigned long len, int nb)
3184 {
3185 	struct sk_buff *skb;
3186 
3187 	skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3188 	if (!skb)
3189 		return ERR_PTR(-ENOMEM);
3190 
3191 	skb->priority = HCI_PRIO_MAX;
3192 	bt_cb(skb)->l2cap.chan = chan;
3193 
3194 	return skb;
3195 }
3196 
3197 static const struct l2cap_ops smp_chan_ops = {
3198 	.name			= "Security Manager",
3199 	.ready			= smp_ready_cb,
3200 	.recv			= smp_recv_cb,
3201 	.alloc_skb		= smp_alloc_skb_cb,
3202 	.teardown		= smp_teardown_cb,
3203 	.resume			= smp_resume_cb,
3204 
3205 	.new_connection		= l2cap_chan_no_new_connection,
3206 	.state_change		= l2cap_chan_no_state_change,
3207 	.close			= l2cap_chan_no_close,
3208 	.defer			= l2cap_chan_no_defer,
3209 	.suspend		= l2cap_chan_no_suspend,
3210 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3211 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3212 };
3213 
3214 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3215 {
3216 	struct l2cap_chan *chan;
3217 
3218 	BT_DBG("pchan %p", pchan);
3219 
3220 	chan = l2cap_chan_create();
3221 	if (!chan)
3222 		return NULL;
3223 
3224 	chan->chan_type	= pchan->chan_type;
3225 	chan->ops	= &smp_chan_ops;
3226 	chan->scid	= pchan->scid;
3227 	chan->dcid	= chan->scid;
3228 	chan->imtu	= pchan->imtu;
3229 	chan->omtu	= pchan->omtu;
3230 	chan->mode	= pchan->mode;
3231 
3232 	/* Other L2CAP channels may request SMP routines in order to
3233 	 * change the security level. This means that the SMP channel
3234 	 * lock must be considered in its own category to avoid lockdep
3235 	 * warnings.
3236 	 */
3237 	atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3238 
3239 	BT_DBG("created chan %p", chan);
3240 
3241 	return chan;
3242 }
3243 
3244 static const struct l2cap_ops smp_root_chan_ops = {
3245 	.name			= "Security Manager Root",
3246 	.new_connection		= smp_new_conn_cb,
3247 
3248 	/* None of these are implemented for the root channel */
3249 	.close			= l2cap_chan_no_close,
3250 	.alloc_skb		= l2cap_chan_no_alloc_skb,
3251 	.recv			= l2cap_chan_no_recv,
3252 	.state_change		= l2cap_chan_no_state_change,
3253 	.teardown		= l2cap_chan_no_teardown,
3254 	.ready			= l2cap_chan_no_ready,
3255 	.defer			= l2cap_chan_no_defer,
3256 	.suspend		= l2cap_chan_no_suspend,
3257 	.resume			= l2cap_chan_no_resume,
3258 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3259 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3260 };
3261 
3262 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3263 {
3264 	struct l2cap_chan *chan;
3265 	struct smp_dev *smp;
3266 	struct crypto_shash *tfm_cmac;
3267 	struct crypto_kpp *tfm_ecdh;
3268 
3269 	if (cid == L2CAP_CID_SMP_BREDR) {
3270 		smp = NULL;
3271 		goto create_chan;
3272 	}
3273 
3274 	smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3275 	if (!smp)
3276 		return ERR_PTR(-ENOMEM);
3277 
3278 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3279 	if (IS_ERR(tfm_cmac)) {
3280 		BT_ERR("Unable to create CMAC crypto context");
3281 		kfree_sensitive(smp);
3282 		return ERR_CAST(tfm_cmac);
3283 	}
3284 
3285 	tfm_ecdh = crypto_alloc_kpp("ecdh", 0, 0);
3286 	if (IS_ERR(tfm_ecdh)) {
3287 		BT_ERR("Unable to create ECDH crypto context");
3288 		crypto_free_shash(tfm_cmac);
3289 		kfree_sensitive(smp);
3290 		return ERR_CAST(tfm_ecdh);
3291 	}
3292 
3293 	smp->local_oob = false;
3294 	smp->tfm_cmac = tfm_cmac;
3295 	smp->tfm_ecdh = tfm_ecdh;
3296 
3297 create_chan:
3298 	chan = l2cap_chan_create();
3299 	if (!chan) {
3300 		if (smp) {
3301 			crypto_free_shash(smp->tfm_cmac);
3302 			crypto_free_kpp(smp->tfm_ecdh);
3303 			kfree_sensitive(smp);
3304 		}
3305 		return ERR_PTR(-ENOMEM);
3306 	}
3307 
3308 	chan->data = smp;
3309 
3310 	l2cap_add_scid(chan, cid);
3311 
3312 	l2cap_chan_set_defaults(chan);
3313 
3314 	if (cid == L2CAP_CID_SMP) {
3315 		u8 bdaddr_type;
3316 
3317 		hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3318 
3319 		if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3320 			chan->src_type = BDADDR_LE_PUBLIC;
3321 		else
3322 			chan->src_type = BDADDR_LE_RANDOM;
3323 	} else {
3324 		bacpy(&chan->src, &hdev->bdaddr);
3325 		chan->src_type = BDADDR_BREDR;
3326 	}
3327 
3328 	chan->state = BT_LISTEN;
3329 	chan->mode = L2CAP_MODE_BASIC;
3330 	chan->imtu = L2CAP_DEFAULT_MTU;
3331 	chan->ops = &smp_root_chan_ops;
3332 
3333 	/* Set correct nesting level for a parent/listening channel */
3334 	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3335 
3336 	return chan;
3337 }
3338 
3339 static void smp_del_chan(struct l2cap_chan *chan)
3340 {
3341 	struct smp_dev *smp;
3342 
3343 	BT_DBG("chan %p", chan);
3344 
3345 	smp = chan->data;
3346 	if (smp) {
3347 		chan->data = NULL;
3348 		crypto_free_shash(smp->tfm_cmac);
3349 		crypto_free_kpp(smp->tfm_ecdh);
3350 		kfree_sensitive(smp);
3351 	}
3352 
3353 	l2cap_chan_put(chan);
3354 }
3355 
3356 static ssize_t force_bredr_smp_read(struct file *file,
3357 				    char __user *user_buf,
3358 				    size_t count, loff_t *ppos)
3359 {
3360 	struct hci_dev *hdev = file->private_data;
3361 	char buf[3];
3362 
3363 	buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3364 	buf[1] = '\n';
3365 	buf[2] = '\0';
3366 	return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3367 }
3368 
3369 static ssize_t force_bredr_smp_write(struct file *file,
3370 				     const char __user *user_buf,
3371 				     size_t count, loff_t *ppos)
3372 {
3373 	struct hci_dev *hdev = file->private_data;
3374 	bool enable;
3375 	int err;
3376 
3377 	err = kstrtobool_from_user(user_buf, count, &enable);
3378 	if (err)
3379 		return err;
3380 
3381 	if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3382 		return -EALREADY;
3383 
3384 	if (enable) {
3385 		struct l2cap_chan *chan;
3386 
3387 		chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3388 		if (IS_ERR(chan))
3389 			return PTR_ERR(chan);
3390 
3391 		hdev->smp_bredr_data = chan;
3392 	} else {
3393 		struct l2cap_chan *chan;
3394 
3395 		chan = hdev->smp_bredr_data;
3396 		hdev->smp_bredr_data = NULL;
3397 		smp_del_chan(chan);
3398 	}
3399 
3400 	hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3401 
3402 	return count;
3403 }
3404 
3405 static const struct file_operations force_bredr_smp_fops = {
3406 	.open		= simple_open,
3407 	.read		= force_bredr_smp_read,
3408 	.write		= force_bredr_smp_write,
3409 	.llseek		= default_llseek,
3410 };
3411 
3412 int smp_register(struct hci_dev *hdev)
3413 {
3414 	struct l2cap_chan *chan;
3415 
3416 	BT_DBG("%s", hdev->name);
3417 
3418 	/* If the controller does not support Low Energy operation, then
3419 	 * there is also no need to register any SMP channel.
3420 	 */
3421 	if (!lmp_le_capable(hdev))
3422 		return 0;
3423 
3424 	if (WARN_ON(hdev->smp_data)) {
3425 		chan = hdev->smp_data;
3426 		hdev->smp_data = NULL;
3427 		smp_del_chan(chan);
3428 	}
3429 
3430 	chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3431 	if (IS_ERR(chan))
3432 		return PTR_ERR(chan);
3433 
3434 	hdev->smp_data = chan;
3435 
3436 	/* If the controller does not support BR/EDR Secure Connections
3437 	 * feature, then the BR/EDR SMP channel shall not be present.
3438 	 *
3439 	 * To test this with Bluetooth 4.0 controllers, create a debugfs
3440 	 * switch that allows forcing BR/EDR SMP support and accepting
3441 	 * cross-transport pairing on non-AES encrypted connections.
3442 	 */
3443 	if (!lmp_sc_capable(hdev)) {
3444 		debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3445 				    hdev, &force_bredr_smp_fops);
3446 
3447 		/* Flag can be already set here (due to power toggle) */
3448 		if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3449 			return 0;
3450 	}
3451 
3452 	if (WARN_ON(hdev->smp_bredr_data)) {
3453 		chan = hdev->smp_bredr_data;
3454 		hdev->smp_bredr_data = NULL;
3455 		smp_del_chan(chan);
3456 	}
3457 
3458 	chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3459 	if (IS_ERR(chan)) {
3460 		int err = PTR_ERR(chan);
3461 		chan = hdev->smp_data;
3462 		hdev->smp_data = NULL;
3463 		smp_del_chan(chan);
3464 		return err;
3465 	}
3466 
3467 	hdev->smp_bredr_data = chan;
3468 
3469 	return 0;
3470 }
3471 
3472 void smp_unregister(struct hci_dev *hdev)
3473 {
3474 	struct l2cap_chan *chan;
3475 
3476 	if (hdev->smp_bredr_data) {
3477 		chan = hdev->smp_bredr_data;
3478 		hdev->smp_bredr_data = NULL;
3479 		smp_del_chan(chan);
3480 	}
3481 
3482 	if (hdev->smp_data) {
3483 		chan = hdev->smp_data;
3484 		hdev->smp_data = NULL;
3485 		smp_del_chan(chan);
3486 	}
3487 }
3488 
3489 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3490 
3491 static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
3492 {
3493 	u8 pk[64];
3494 	int err;
3495 
3496 	err = set_ecdh_privkey(tfm_ecdh, debug_sk);
3497 	if (err)
3498 		return err;
3499 
3500 	err = generate_ecdh_public_key(tfm_ecdh, pk);
3501 	if (err)
3502 		return err;
3503 
3504 	if (crypto_memneq(pk, debug_pk, 64))
3505 		return -EINVAL;
3506 
3507 	return 0;
3508 }
3509 
3510 static int __init test_ah(void)
3511 {
3512 	const u8 irk[16] = {
3513 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3514 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3515 	const u8 r[3] = { 0x94, 0x81, 0x70 };
3516 	const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3517 	u8 res[3];
3518 	int err;
3519 
3520 	err = smp_ah(irk, r, res);
3521 	if (err)
3522 		return err;
3523 
3524 	if (crypto_memneq(res, exp, 3))
3525 		return -EINVAL;
3526 
3527 	return 0;
3528 }
3529 
3530 static int __init test_c1(void)
3531 {
3532 	const u8 k[16] = {
3533 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3534 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3535 	const u8 r[16] = {
3536 			0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3537 			0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3538 	const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3539 	const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3540 	const u8 _iat = 0x01;
3541 	const u8 _rat = 0x00;
3542 	const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3543 	const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3544 	const u8 exp[16] = {
3545 			0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3546 			0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3547 	u8 res[16];
3548 	int err;
3549 
3550 	err = smp_c1(k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3551 	if (err)
3552 		return err;
3553 
3554 	if (crypto_memneq(res, exp, 16))
3555 		return -EINVAL;
3556 
3557 	return 0;
3558 }
3559 
3560 static int __init test_s1(void)
3561 {
3562 	const u8 k[16] = {
3563 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3564 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3565 	const u8 r1[16] = {
3566 			0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3567 	const u8 r2[16] = {
3568 			0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3569 	const u8 exp[16] = {
3570 			0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3571 			0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3572 	u8 res[16];
3573 	int err;
3574 
3575 	err = smp_s1(k, r1, r2, res);
3576 	if (err)
3577 		return err;
3578 
3579 	if (crypto_memneq(res, exp, 16))
3580 		return -EINVAL;
3581 
3582 	return 0;
3583 }
3584 
3585 static int __init test_f4(struct crypto_shash *tfm_cmac)
3586 {
3587 	const u8 u[32] = {
3588 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3589 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3590 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3591 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3592 	const u8 v[32] = {
3593 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3594 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3595 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3596 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3597 	const u8 x[16] = {
3598 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3599 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3600 	const u8 z = 0x00;
3601 	const u8 exp[16] = {
3602 			0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3603 			0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3604 	u8 res[16];
3605 	int err;
3606 
3607 	err = smp_f4(tfm_cmac, u, v, x, z, res);
3608 	if (err)
3609 		return err;
3610 
3611 	if (crypto_memneq(res, exp, 16))
3612 		return -EINVAL;
3613 
3614 	return 0;
3615 }
3616 
3617 static int __init test_f5(struct crypto_shash *tfm_cmac)
3618 {
3619 	const u8 w[32] = {
3620 			0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3621 			0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3622 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3623 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3624 	const u8 n1[16] = {
3625 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3626 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3627 	const u8 n2[16] = {
3628 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3629 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3630 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3631 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3632 	const u8 exp_ltk[16] = {
3633 			0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3634 			0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3635 	const u8 exp_mackey[16] = {
3636 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3637 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3638 	u8 mackey[16], ltk[16];
3639 	int err;
3640 
3641 	err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3642 	if (err)
3643 		return err;
3644 
3645 	if (crypto_memneq(mackey, exp_mackey, 16))
3646 		return -EINVAL;
3647 
3648 	if (crypto_memneq(ltk, exp_ltk, 16))
3649 		return -EINVAL;
3650 
3651 	return 0;
3652 }
3653 
3654 static int __init test_f6(struct crypto_shash *tfm_cmac)
3655 {
3656 	const u8 w[16] = {
3657 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3658 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3659 	const u8 n1[16] = {
3660 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3661 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3662 	const u8 n2[16] = {
3663 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3664 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3665 	const u8 r[16] = {
3666 			0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3667 			0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3668 	const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3669 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3670 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3671 	const u8 exp[16] = {
3672 			0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3673 			0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3674 	u8 res[16];
3675 	int err;
3676 
3677 	err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3678 	if (err)
3679 		return err;
3680 
3681 	if (crypto_memneq(res, exp, 16))
3682 		return -EINVAL;
3683 
3684 	return 0;
3685 }
3686 
3687 static int __init test_g2(struct crypto_shash *tfm_cmac)
3688 {
3689 	const u8 u[32] = {
3690 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3691 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3692 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3693 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3694 	const u8 v[32] = {
3695 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3696 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3697 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3698 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3699 	const u8 x[16] = {
3700 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3701 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3702 	const u8 y[16] = {
3703 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3704 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3705 	const u32 exp_val = 0x2f9ed5ba % 1000000;
3706 	u32 val;
3707 	int err;
3708 
3709 	err = smp_g2(tfm_cmac, u, v, x, y, &val);
3710 	if (err)
3711 		return err;
3712 
3713 	if (val != exp_val)
3714 		return -EINVAL;
3715 
3716 	return 0;
3717 }
3718 
3719 static int __init test_h6(struct crypto_shash *tfm_cmac)
3720 {
3721 	const u8 w[16] = {
3722 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3723 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3724 	const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3725 	const u8 exp[16] = {
3726 			0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3727 			0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3728 	u8 res[16];
3729 	int err;
3730 
3731 	err = smp_h6(tfm_cmac, w, key_id, res);
3732 	if (err)
3733 		return err;
3734 
3735 	if (crypto_memneq(res, exp, 16))
3736 		return -EINVAL;
3737 
3738 	return 0;
3739 }
3740 
3741 static char test_smp_buffer[32];
3742 
3743 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3744 			     size_t count, loff_t *ppos)
3745 {
3746 	return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3747 				       strlen(test_smp_buffer));
3748 }
3749 
3750 static const struct file_operations test_smp_fops = {
3751 	.open		= simple_open,
3752 	.read		= test_smp_read,
3753 	.llseek		= default_llseek,
3754 };
3755 
3756 static int __init run_selftests(struct crypto_shash *tfm_cmac,
3757 				struct crypto_kpp *tfm_ecdh)
3758 {
3759 	ktime_t calltime, delta, rettime;
3760 	unsigned long long duration;
3761 	int err;
3762 
3763 	calltime = ktime_get();
3764 
3765 	err = test_debug_key(tfm_ecdh);
3766 	if (err) {
3767 		BT_ERR("debug_key test failed");
3768 		goto done;
3769 	}
3770 
3771 	err = test_ah();
3772 	if (err) {
3773 		BT_ERR("smp_ah test failed");
3774 		goto done;
3775 	}
3776 
3777 	err = test_c1();
3778 	if (err) {
3779 		BT_ERR("smp_c1 test failed");
3780 		goto done;
3781 	}
3782 
3783 	err = test_s1();
3784 	if (err) {
3785 		BT_ERR("smp_s1 test failed");
3786 		goto done;
3787 	}
3788 
3789 	err = test_f4(tfm_cmac);
3790 	if (err) {
3791 		BT_ERR("smp_f4 test failed");
3792 		goto done;
3793 	}
3794 
3795 	err = test_f5(tfm_cmac);
3796 	if (err) {
3797 		BT_ERR("smp_f5 test failed");
3798 		goto done;
3799 	}
3800 
3801 	err = test_f6(tfm_cmac);
3802 	if (err) {
3803 		BT_ERR("smp_f6 test failed");
3804 		goto done;
3805 	}
3806 
3807 	err = test_g2(tfm_cmac);
3808 	if (err) {
3809 		BT_ERR("smp_g2 test failed");
3810 		goto done;
3811 	}
3812 
3813 	err = test_h6(tfm_cmac);
3814 	if (err) {
3815 		BT_ERR("smp_h6 test failed");
3816 		goto done;
3817 	}
3818 
3819 	rettime = ktime_get();
3820 	delta = ktime_sub(rettime, calltime);
3821 	duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3822 
3823 	BT_INFO("SMP test passed in %llu usecs", duration);
3824 
3825 done:
3826 	if (!err)
3827 		snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3828 			 "PASS (%llu usecs)\n", duration);
3829 	else
3830 		snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3831 
3832 	debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3833 			    &test_smp_fops);
3834 
3835 	return err;
3836 }
3837 
3838 int __init bt_selftest_smp(void)
3839 {
3840 	struct crypto_shash *tfm_cmac;
3841 	struct crypto_kpp *tfm_ecdh;
3842 	int err;
3843 
3844 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3845 	if (IS_ERR(tfm_cmac)) {
3846 		BT_ERR("Unable to create CMAC crypto context");
3847 		return PTR_ERR(tfm_cmac);
3848 	}
3849 
3850 	tfm_ecdh = crypto_alloc_kpp("ecdh", 0, 0);
3851 	if (IS_ERR(tfm_ecdh)) {
3852 		BT_ERR("Unable to create ECDH crypto context");
3853 		crypto_free_shash(tfm_cmac);
3854 		return PTR_ERR(tfm_ecdh);
3855 	}
3856 
3857 	err = run_selftests(tfm_cmac, tfm_ecdh);
3858 
3859 	crypto_free_shash(tfm_cmac);
3860 	crypto_free_kpp(tfm_ecdh);
3861 
3862 	return err;
3863 }
3864 
3865 #endif
3866