xref: /openbmc/linux/net/bluetooth/smp.c (revision ca48739e)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4 
5    This program is free software; you can redistribute it and/or modify
6    it under the terms of the GNU General Public License version 2 as
7    published by the Free Software Foundation;
8 
9    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 
18    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20    SOFTWARE IS DISCLAIMED.
21 */
22 
23 #include <linux/debugfs.h>
24 #include <linux/scatterlist.h>
25 #include <linux/crypto.h>
26 #include <crypto/aes.h>
27 #include <crypto/algapi.h>
28 #include <crypto/hash.h>
29 #include <crypto/kpp.h>
30 
31 #include <net/bluetooth/bluetooth.h>
32 #include <net/bluetooth/hci_core.h>
33 #include <net/bluetooth/l2cap.h>
34 #include <net/bluetooth/mgmt.h>
35 
36 #include "ecdh_helper.h"
37 #include "smp.h"
38 
39 #define SMP_DEV(hdev) \
40 	((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
41 
42 /* Low-level debug macros to be used for stuff that we don't want
43  * accidentially in dmesg, i.e. the values of the various crypto keys
44  * and the inputs & outputs of crypto functions.
45  */
46 #ifdef DEBUG
47 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
48 				 ##__VA_ARGS__)
49 #else
50 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
51 				    ##__VA_ARGS__)
52 #endif
53 
54 #define SMP_ALLOW_CMD(smp, code)	set_bit(code, &smp->allow_cmd)
55 
56 /* Keys which are not distributed with Secure Connections */
57 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
58 
59 #define SMP_TIMEOUT	msecs_to_jiffies(30000)
60 
61 #define AUTH_REQ_MASK(dev)	(hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
62 				 0x3f : 0x07)
63 #define KEY_DIST_MASK		0x07
64 
65 /* Maximum message length that can be passed to aes_cmac */
66 #define CMAC_MSG_MAX	80
67 
68 enum {
69 	SMP_FLAG_TK_VALID,
70 	SMP_FLAG_CFM_PENDING,
71 	SMP_FLAG_MITM_AUTH,
72 	SMP_FLAG_COMPLETE,
73 	SMP_FLAG_INITIATOR,
74 	SMP_FLAG_SC,
75 	SMP_FLAG_REMOTE_PK,
76 	SMP_FLAG_DEBUG_KEY,
77 	SMP_FLAG_WAIT_USER,
78 	SMP_FLAG_DHKEY_PENDING,
79 	SMP_FLAG_REMOTE_OOB,
80 	SMP_FLAG_LOCAL_OOB,
81 	SMP_FLAG_CT2,
82 };
83 
84 struct smp_dev {
85 	/* Secure Connections OOB data */
86 	bool			local_oob;
87 	u8			local_pk[64];
88 	u8			local_rand[16];
89 	bool			debug_key;
90 
91 	struct crypto_shash	*tfm_cmac;
92 	struct crypto_kpp	*tfm_ecdh;
93 };
94 
95 struct smp_chan {
96 	struct l2cap_conn	*conn;
97 	struct delayed_work	security_timer;
98 	unsigned long           allow_cmd; /* Bitmask of allowed commands */
99 
100 	u8		preq[7]; /* SMP Pairing Request */
101 	u8		prsp[7]; /* SMP Pairing Response */
102 	u8		prnd[16]; /* SMP Pairing Random (local) */
103 	u8		rrnd[16]; /* SMP Pairing Random (remote) */
104 	u8		pcnf[16]; /* SMP Pairing Confirm */
105 	u8		tk[16]; /* SMP Temporary Key */
106 	u8		rr[16]; /* Remote OOB ra/rb value */
107 	u8		lr[16]; /* Local OOB ra/rb value */
108 	u8		enc_key_size;
109 	u8		remote_key_dist;
110 	bdaddr_t	id_addr;
111 	u8		id_addr_type;
112 	u8		irk[16];
113 	struct smp_csrk	*csrk;
114 	struct smp_csrk	*slave_csrk;
115 	struct smp_ltk	*ltk;
116 	struct smp_ltk	*slave_ltk;
117 	struct smp_irk	*remote_irk;
118 	u8		*link_key;
119 	unsigned long	flags;
120 	u8		method;
121 	u8		passkey_round;
122 
123 	/* Secure Connections variables */
124 	u8			local_pk[64];
125 	u8			remote_pk[64];
126 	u8			dhkey[32];
127 	u8			mackey[16];
128 
129 	struct crypto_shash	*tfm_cmac;
130 	struct crypto_kpp	*tfm_ecdh;
131 };
132 
133 /* These debug key values are defined in the SMP section of the core
134  * specification. debug_pk is the public debug key and debug_sk the
135  * private debug key.
136  */
137 static const u8 debug_pk[64] = {
138 		0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
139 		0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
140 		0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
141 		0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
142 
143 		0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
144 		0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
145 		0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
146 		0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
147 };
148 
149 static const u8 debug_sk[32] = {
150 		0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
151 		0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
152 		0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
153 		0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
154 };
155 
156 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
157 {
158 	size_t i;
159 
160 	for (i = 0; i < len; i++)
161 		dst[len - 1 - i] = src[i];
162 }
163 
164 /* The following functions map to the LE SC SMP crypto functions
165  * AES-CMAC, f4, f5, f6, g2 and h6.
166  */
167 
168 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
169 		    size_t len, u8 mac[16])
170 {
171 	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
172 	int err;
173 
174 	if (len > CMAC_MSG_MAX)
175 		return -EFBIG;
176 
177 	if (!tfm) {
178 		BT_ERR("tfm %p", tfm);
179 		return -EINVAL;
180 	}
181 
182 	/* Swap key and message from LSB to MSB */
183 	swap_buf(k, tmp, 16);
184 	swap_buf(m, msg_msb, len);
185 
186 	SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
187 	SMP_DBG("key %16phN", k);
188 
189 	err = crypto_shash_setkey(tfm, tmp, 16);
190 	if (err) {
191 		BT_ERR("cipher setkey failed: %d", err);
192 		return err;
193 	}
194 
195 	err = crypto_shash_tfm_digest(tfm, msg_msb, len, mac_msb);
196 	if (err) {
197 		BT_ERR("Hash computation error %d", err);
198 		return err;
199 	}
200 
201 	swap_buf(mac_msb, mac, 16);
202 
203 	SMP_DBG("mac %16phN", mac);
204 
205 	return 0;
206 }
207 
208 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
209 		  const u8 v[32], const u8 x[16], u8 z, u8 res[16])
210 {
211 	u8 m[65];
212 	int err;
213 
214 	SMP_DBG("u %32phN", u);
215 	SMP_DBG("v %32phN", v);
216 	SMP_DBG("x %16phN z %02x", x, z);
217 
218 	m[0] = z;
219 	memcpy(m + 1, v, 32);
220 	memcpy(m + 33, u, 32);
221 
222 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
223 	if (err)
224 		return err;
225 
226 	SMP_DBG("res %16phN", res);
227 
228 	return err;
229 }
230 
231 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
232 		  const u8 n1[16], const u8 n2[16], const u8 a1[7],
233 		  const u8 a2[7], u8 mackey[16], u8 ltk[16])
234 {
235 	/* The btle, salt and length "magic" values are as defined in
236 	 * the SMP section of the Bluetooth core specification. In ASCII
237 	 * the btle value ends up being 'btle'. The salt is just a
238 	 * random number whereas length is the value 256 in little
239 	 * endian format.
240 	 */
241 	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
242 	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
243 			      0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
244 	const u8 length[2] = { 0x00, 0x01 };
245 	u8 m[53], t[16];
246 	int err;
247 
248 	SMP_DBG("w %32phN", w);
249 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
250 	SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
251 
252 	err = aes_cmac(tfm_cmac, salt, w, 32, t);
253 	if (err)
254 		return err;
255 
256 	SMP_DBG("t %16phN", t);
257 
258 	memcpy(m, length, 2);
259 	memcpy(m + 2, a2, 7);
260 	memcpy(m + 9, a1, 7);
261 	memcpy(m + 16, n2, 16);
262 	memcpy(m + 32, n1, 16);
263 	memcpy(m + 48, btle, 4);
264 
265 	m[52] = 0; /* Counter */
266 
267 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
268 	if (err)
269 		return err;
270 
271 	SMP_DBG("mackey %16phN", mackey);
272 
273 	m[52] = 1; /* Counter */
274 
275 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
276 	if (err)
277 		return err;
278 
279 	SMP_DBG("ltk %16phN", ltk);
280 
281 	return 0;
282 }
283 
284 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
285 		  const u8 n1[16], const u8 n2[16], const u8 r[16],
286 		  const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
287 		  u8 res[16])
288 {
289 	u8 m[65];
290 	int err;
291 
292 	SMP_DBG("w %16phN", w);
293 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
294 	SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
295 
296 	memcpy(m, a2, 7);
297 	memcpy(m + 7, a1, 7);
298 	memcpy(m + 14, io_cap, 3);
299 	memcpy(m + 17, r, 16);
300 	memcpy(m + 33, n2, 16);
301 	memcpy(m + 49, n1, 16);
302 
303 	err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
304 	if (err)
305 		return err;
306 
307 	SMP_DBG("res %16phN", res);
308 
309 	return err;
310 }
311 
312 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
313 		  const u8 x[16], const u8 y[16], u32 *val)
314 {
315 	u8 m[80], tmp[16];
316 	int err;
317 
318 	SMP_DBG("u %32phN", u);
319 	SMP_DBG("v %32phN", v);
320 	SMP_DBG("x %16phN y %16phN", x, y);
321 
322 	memcpy(m, y, 16);
323 	memcpy(m + 16, v, 32);
324 	memcpy(m + 48, u, 32);
325 
326 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
327 	if (err)
328 		return err;
329 
330 	*val = get_unaligned_le32(tmp);
331 	*val %= 1000000;
332 
333 	SMP_DBG("val %06u", *val);
334 
335 	return 0;
336 }
337 
338 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
339 		  const u8 key_id[4], u8 res[16])
340 {
341 	int err;
342 
343 	SMP_DBG("w %16phN key_id %4phN", w, key_id);
344 
345 	err = aes_cmac(tfm_cmac, w, key_id, 4, res);
346 	if (err)
347 		return err;
348 
349 	SMP_DBG("res %16phN", res);
350 
351 	return err;
352 }
353 
354 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
355 		  const u8 salt[16], u8 res[16])
356 {
357 	int err;
358 
359 	SMP_DBG("w %16phN salt %16phN", w, salt);
360 
361 	err = aes_cmac(tfm_cmac, salt, w, 16, res);
362 	if (err)
363 		return err;
364 
365 	SMP_DBG("res %16phN", res);
366 
367 	return err;
368 }
369 
370 /* The following functions map to the legacy SMP crypto functions e, c1,
371  * s1 and ah.
372  */
373 
374 static int smp_e(const u8 *k, u8 *r)
375 {
376 	struct crypto_aes_ctx ctx;
377 	uint8_t tmp[16], data[16];
378 	int err;
379 
380 	SMP_DBG("k %16phN r %16phN", k, r);
381 
382 	/* The most significant octet of key corresponds to k[0] */
383 	swap_buf(k, tmp, 16);
384 
385 	err = aes_expandkey(&ctx, tmp, 16);
386 	if (err) {
387 		BT_ERR("cipher setkey failed: %d", err);
388 		return err;
389 	}
390 
391 	/* Most significant octet of plaintextData corresponds to data[0] */
392 	swap_buf(r, data, 16);
393 
394 	aes_encrypt(&ctx, data, data);
395 
396 	/* Most significant octet of encryptedData corresponds to data[0] */
397 	swap_buf(data, r, 16);
398 
399 	SMP_DBG("r %16phN", r);
400 
401 	memzero_explicit(&ctx, sizeof (ctx));
402 	return err;
403 }
404 
405 static int smp_c1(const u8 k[16],
406 		  const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
407 		  const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
408 {
409 	u8 p1[16], p2[16];
410 	int err;
411 
412 	SMP_DBG("k %16phN r %16phN", k, r);
413 	SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
414 	SMP_DBG("preq %7phN pres %7phN", preq, pres);
415 
416 	memset(p1, 0, 16);
417 
418 	/* p1 = pres || preq || _rat || _iat */
419 	p1[0] = _iat;
420 	p1[1] = _rat;
421 	memcpy(p1 + 2, preq, 7);
422 	memcpy(p1 + 9, pres, 7);
423 
424 	SMP_DBG("p1 %16phN", p1);
425 
426 	/* res = r XOR p1 */
427 	crypto_xor_cpy(res, r, p1, sizeof(p1));
428 
429 	/* res = e(k, res) */
430 	err = smp_e(k, res);
431 	if (err) {
432 		BT_ERR("Encrypt data error");
433 		return err;
434 	}
435 
436 	/* p2 = padding || ia || ra */
437 	memcpy(p2, ra, 6);
438 	memcpy(p2 + 6, ia, 6);
439 	memset(p2 + 12, 0, 4);
440 
441 	SMP_DBG("p2 %16phN", p2);
442 
443 	/* res = res XOR p2 */
444 	crypto_xor(res, p2, sizeof(p2));
445 
446 	/* res = e(k, res) */
447 	err = smp_e(k, res);
448 	if (err)
449 		BT_ERR("Encrypt data error");
450 
451 	return err;
452 }
453 
454 static int smp_s1(const u8 k[16],
455 		  const u8 r1[16], const u8 r2[16], u8 _r[16])
456 {
457 	int err;
458 
459 	/* Just least significant octets from r1 and r2 are considered */
460 	memcpy(_r, r2, 8);
461 	memcpy(_r + 8, r1, 8);
462 
463 	err = smp_e(k, _r);
464 	if (err)
465 		BT_ERR("Encrypt data error");
466 
467 	return err;
468 }
469 
470 static int smp_ah(const u8 irk[16], const u8 r[3], u8 res[3])
471 {
472 	u8 _res[16];
473 	int err;
474 
475 	/* r' = padding || r */
476 	memcpy(_res, r, 3);
477 	memset(_res + 3, 0, 13);
478 
479 	err = smp_e(irk, _res);
480 	if (err) {
481 		BT_ERR("Encrypt error");
482 		return err;
483 	}
484 
485 	/* The output of the random address function ah is:
486 	 *	ah(k, r) = e(k, r') mod 2^24
487 	 * The output of the security function e is then truncated to 24 bits
488 	 * by taking the least significant 24 bits of the output of e as the
489 	 * result of ah.
490 	 */
491 	memcpy(res, _res, 3);
492 
493 	return 0;
494 }
495 
496 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
497 		     const bdaddr_t *bdaddr)
498 {
499 	struct l2cap_chan *chan = hdev->smp_data;
500 	u8 hash[3];
501 	int err;
502 
503 	if (!chan || !chan->data)
504 		return false;
505 
506 	bt_dev_dbg(hdev, "RPA %pMR IRK %*phN", bdaddr, 16, irk);
507 
508 	err = smp_ah(irk, &bdaddr->b[3], hash);
509 	if (err)
510 		return false;
511 
512 	return !crypto_memneq(bdaddr->b, hash, 3);
513 }
514 
515 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
516 {
517 	struct l2cap_chan *chan = hdev->smp_data;
518 	int err;
519 
520 	if (!chan || !chan->data)
521 		return -EOPNOTSUPP;
522 
523 	get_random_bytes(&rpa->b[3], 3);
524 
525 	rpa->b[5] &= 0x3f;	/* Clear two most significant bits */
526 	rpa->b[5] |= 0x40;	/* Set second most significant bit */
527 
528 	err = smp_ah(irk, &rpa->b[3], rpa->b);
529 	if (err < 0)
530 		return err;
531 
532 	bt_dev_dbg(hdev, "RPA %pMR", rpa);
533 
534 	return 0;
535 }
536 
537 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
538 {
539 	struct l2cap_chan *chan = hdev->smp_data;
540 	struct smp_dev *smp;
541 	int err;
542 
543 	if (!chan || !chan->data)
544 		return -EOPNOTSUPP;
545 
546 	smp = chan->data;
547 
548 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
549 		bt_dev_dbg(hdev, "Using debug keys");
550 		err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk);
551 		if (err)
552 			return err;
553 		memcpy(smp->local_pk, debug_pk, 64);
554 		smp->debug_key = true;
555 	} else {
556 		while (true) {
557 			/* Generate key pair for Secure Connections */
558 			err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk);
559 			if (err)
560 				return err;
561 
562 			/* This is unlikely, but we need to check that
563 			 * we didn't accidentially generate a debug key.
564 			 */
565 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
566 				break;
567 		}
568 		smp->debug_key = false;
569 	}
570 
571 	SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
572 	SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
573 
574 	get_random_bytes(smp->local_rand, 16);
575 
576 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
577 		     smp->local_rand, 0, hash);
578 	if (err < 0)
579 		return err;
580 
581 	memcpy(rand, smp->local_rand, 16);
582 
583 	smp->local_oob = true;
584 
585 	return 0;
586 }
587 
588 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
589 {
590 	struct l2cap_chan *chan = conn->smp;
591 	struct smp_chan *smp;
592 	struct kvec iv[2];
593 	struct msghdr msg;
594 
595 	if (!chan)
596 		return;
597 
598 	BT_DBG("code 0x%2.2x", code);
599 
600 	iv[0].iov_base = &code;
601 	iv[0].iov_len = 1;
602 
603 	iv[1].iov_base = data;
604 	iv[1].iov_len = len;
605 
606 	memset(&msg, 0, sizeof(msg));
607 
608 	iov_iter_kvec(&msg.msg_iter, WRITE, iv, 2, 1 + len);
609 
610 	l2cap_chan_send(chan, &msg, 1 + len);
611 
612 	if (!chan->data)
613 		return;
614 
615 	smp = chan->data;
616 
617 	cancel_delayed_work_sync(&smp->security_timer);
618 	schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
619 }
620 
621 static u8 authreq_to_seclevel(u8 authreq)
622 {
623 	if (authreq & SMP_AUTH_MITM) {
624 		if (authreq & SMP_AUTH_SC)
625 			return BT_SECURITY_FIPS;
626 		else
627 			return BT_SECURITY_HIGH;
628 	} else {
629 		return BT_SECURITY_MEDIUM;
630 	}
631 }
632 
633 static __u8 seclevel_to_authreq(__u8 sec_level)
634 {
635 	switch (sec_level) {
636 	case BT_SECURITY_FIPS:
637 	case BT_SECURITY_HIGH:
638 		return SMP_AUTH_MITM | SMP_AUTH_BONDING;
639 	case BT_SECURITY_MEDIUM:
640 		return SMP_AUTH_BONDING;
641 	default:
642 		return SMP_AUTH_NONE;
643 	}
644 }
645 
646 static void build_pairing_cmd(struct l2cap_conn *conn,
647 			      struct smp_cmd_pairing *req,
648 			      struct smp_cmd_pairing *rsp, __u8 authreq)
649 {
650 	struct l2cap_chan *chan = conn->smp;
651 	struct smp_chan *smp = chan->data;
652 	struct hci_conn *hcon = conn->hcon;
653 	struct hci_dev *hdev = hcon->hdev;
654 	u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
655 
656 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
657 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
658 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
659 		authreq |= SMP_AUTH_BONDING;
660 	} else {
661 		authreq &= ~SMP_AUTH_BONDING;
662 	}
663 
664 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
665 		remote_dist |= SMP_DIST_ID_KEY;
666 
667 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
668 		local_dist |= SMP_DIST_ID_KEY;
669 
670 	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
671 	    (authreq & SMP_AUTH_SC)) {
672 		struct oob_data *oob_data;
673 		u8 bdaddr_type;
674 
675 		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
676 			local_dist |= SMP_DIST_LINK_KEY;
677 			remote_dist |= SMP_DIST_LINK_KEY;
678 		}
679 
680 		if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
681 			bdaddr_type = BDADDR_LE_PUBLIC;
682 		else
683 			bdaddr_type = BDADDR_LE_RANDOM;
684 
685 		oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
686 						    bdaddr_type);
687 		if (oob_data && oob_data->present) {
688 			set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
689 			oob_flag = SMP_OOB_PRESENT;
690 			memcpy(smp->rr, oob_data->rand256, 16);
691 			memcpy(smp->pcnf, oob_data->hash256, 16);
692 			SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
693 			SMP_DBG("OOB Remote Random: %16phN", smp->rr);
694 		}
695 
696 	} else {
697 		authreq &= ~SMP_AUTH_SC;
698 	}
699 
700 	if (rsp == NULL) {
701 		req->io_capability = conn->hcon->io_capability;
702 		req->oob_flag = oob_flag;
703 		req->max_key_size = hdev->le_max_key_size;
704 		req->init_key_dist = local_dist;
705 		req->resp_key_dist = remote_dist;
706 		req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
707 
708 		smp->remote_key_dist = remote_dist;
709 		return;
710 	}
711 
712 	rsp->io_capability = conn->hcon->io_capability;
713 	rsp->oob_flag = oob_flag;
714 	rsp->max_key_size = hdev->le_max_key_size;
715 	rsp->init_key_dist = req->init_key_dist & remote_dist;
716 	rsp->resp_key_dist = req->resp_key_dist & local_dist;
717 	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
718 
719 	smp->remote_key_dist = rsp->init_key_dist;
720 }
721 
722 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
723 {
724 	struct l2cap_chan *chan = conn->smp;
725 	struct hci_dev *hdev = conn->hcon->hdev;
726 	struct smp_chan *smp = chan->data;
727 
728 	if (conn->hcon->pending_sec_level == BT_SECURITY_FIPS &&
729 	    max_key_size != SMP_MAX_ENC_KEY_SIZE)
730 		return SMP_ENC_KEY_SIZE;
731 
732 	if (max_key_size > hdev->le_max_key_size ||
733 	    max_key_size < SMP_MIN_ENC_KEY_SIZE)
734 		return SMP_ENC_KEY_SIZE;
735 
736 	smp->enc_key_size = max_key_size;
737 
738 	return 0;
739 }
740 
741 static void smp_chan_destroy(struct l2cap_conn *conn)
742 {
743 	struct l2cap_chan *chan = conn->smp;
744 	struct smp_chan *smp = chan->data;
745 	struct hci_conn *hcon = conn->hcon;
746 	bool complete;
747 
748 	BUG_ON(!smp);
749 
750 	cancel_delayed_work_sync(&smp->security_timer);
751 
752 	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
753 	mgmt_smp_complete(hcon, complete);
754 
755 	kfree_sensitive(smp->csrk);
756 	kfree_sensitive(smp->slave_csrk);
757 	kfree_sensitive(smp->link_key);
758 
759 	crypto_free_shash(smp->tfm_cmac);
760 	crypto_free_kpp(smp->tfm_ecdh);
761 
762 	/* Ensure that we don't leave any debug key around if debug key
763 	 * support hasn't been explicitly enabled.
764 	 */
765 	if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
766 	    !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
767 		list_del_rcu(&smp->ltk->list);
768 		kfree_rcu(smp->ltk, rcu);
769 		smp->ltk = NULL;
770 	}
771 
772 	/* If pairing failed clean up any keys we might have */
773 	if (!complete) {
774 		if (smp->ltk) {
775 			list_del_rcu(&smp->ltk->list);
776 			kfree_rcu(smp->ltk, rcu);
777 		}
778 
779 		if (smp->slave_ltk) {
780 			list_del_rcu(&smp->slave_ltk->list);
781 			kfree_rcu(smp->slave_ltk, rcu);
782 		}
783 
784 		if (smp->remote_irk) {
785 			list_del_rcu(&smp->remote_irk->list);
786 			kfree_rcu(smp->remote_irk, rcu);
787 		}
788 	}
789 
790 	chan->data = NULL;
791 	kfree_sensitive(smp);
792 	hci_conn_drop(hcon);
793 }
794 
795 static void smp_failure(struct l2cap_conn *conn, u8 reason)
796 {
797 	struct hci_conn *hcon = conn->hcon;
798 	struct l2cap_chan *chan = conn->smp;
799 
800 	if (reason)
801 		smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
802 			     &reason);
803 
804 	mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
805 
806 	if (chan->data)
807 		smp_chan_destroy(conn);
808 }
809 
810 #define JUST_WORKS	0x00
811 #define JUST_CFM	0x01
812 #define REQ_PASSKEY	0x02
813 #define CFM_PASSKEY	0x03
814 #define REQ_OOB		0x04
815 #define DSP_PASSKEY	0x05
816 #define OVERLAP		0xFF
817 
818 static const u8 gen_method[5][5] = {
819 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
820 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
821 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
822 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
823 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
824 };
825 
826 static const u8 sc_method[5][5] = {
827 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
828 	{ JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
829 	{ DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
830 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
831 	{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
832 };
833 
834 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
835 {
836 	/* If either side has unknown io_caps, use JUST_CFM (which gets
837 	 * converted later to JUST_WORKS if we're initiators.
838 	 */
839 	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
840 	    remote_io > SMP_IO_KEYBOARD_DISPLAY)
841 		return JUST_CFM;
842 
843 	if (test_bit(SMP_FLAG_SC, &smp->flags))
844 		return sc_method[remote_io][local_io];
845 
846 	return gen_method[remote_io][local_io];
847 }
848 
849 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
850 						u8 local_io, u8 remote_io)
851 {
852 	struct hci_conn *hcon = conn->hcon;
853 	struct l2cap_chan *chan = conn->smp;
854 	struct smp_chan *smp = chan->data;
855 	u32 passkey = 0;
856 	int ret;
857 
858 	/* Initialize key for JUST WORKS */
859 	memset(smp->tk, 0, sizeof(smp->tk));
860 	clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
861 
862 	BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
863 
864 	/* If neither side wants MITM, either "just" confirm an incoming
865 	 * request or use just-works for outgoing ones. The JUST_CFM
866 	 * will be converted to JUST_WORKS if necessary later in this
867 	 * function. If either side has MITM look up the method from the
868 	 * table.
869 	 */
870 	if (!(auth & SMP_AUTH_MITM))
871 		smp->method = JUST_CFM;
872 	else
873 		smp->method = get_auth_method(smp, local_io, remote_io);
874 
875 	/* Don't confirm locally initiated pairing attempts */
876 	if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
877 						&smp->flags))
878 		smp->method = JUST_WORKS;
879 
880 	/* Don't bother user space with no IO capabilities */
881 	if (smp->method == JUST_CFM &&
882 	    hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
883 		smp->method = JUST_WORKS;
884 
885 	/* If Just Works, Continue with Zero TK and ask user-space for
886 	 * confirmation */
887 	if (smp->method == JUST_WORKS) {
888 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
889 						hcon->type,
890 						hcon->dst_type,
891 						passkey, 1);
892 		if (ret)
893 			return ret;
894 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
895 		return 0;
896 	}
897 
898 	/* If this function is used for SC -> legacy fallback we
899 	 * can only recover the just-works case.
900 	 */
901 	if (test_bit(SMP_FLAG_SC, &smp->flags))
902 		return -EINVAL;
903 
904 	/* Not Just Works/Confirm results in MITM Authentication */
905 	if (smp->method != JUST_CFM) {
906 		set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
907 		if (hcon->pending_sec_level < BT_SECURITY_HIGH)
908 			hcon->pending_sec_level = BT_SECURITY_HIGH;
909 	}
910 
911 	/* If both devices have Keyoard-Display I/O, the master
912 	 * Confirms and the slave Enters the passkey.
913 	 */
914 	if (smp->method == OVERLAP) {
915 		if (hcon->role == HCI_ROLE_MASTER)
916 			smp->method = CFM_PASSKEY;
917 		else
918 			smp->method = REQ_PASSKEY;
919 	}
920 
921 	/* Generate random passkey. */
922 	if (smp->method == CFM_PASSKEY) {
923 		memset(smp->tk, 0, sizeof(smp->tk));
924 		get_random_bytes(&passkey, sizeof(passkey));
925 		passkey %= 1000000;
926 		put_unaligned_le32(passkey, smp->tk);
927 		BT_DBG("PassKey: %d", passkey);
928 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
929 	}
930 
931 	if (smp->method == REQ_PASSKEY)
932 		ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
933 						hcon->type, hcon->dst_type);
934 	else if (smp->method == JUST_CFM)
935 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
936 						hcon->type, hcon->dst_type,
937 						passkey, 1);
938 	else
939 		ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
940 						hcon->type, hcon->dst_type,
941 						passkey, 0);
942 
943 	return ret;
944 }
945 
946 static u8 smp_confirm(struct smp_chan *smp)
947 {
948 	struct l2cap_conn *conn = smp->conn;
949 	struct smp_cmd_pairing_confirm cp;
950 	int ret;
951 
952 	BT_DBG("conn %p", conn);
953 
954 	ret = smp_c1(smp->tk, smp->prnd, smp->preq, smp->prsp,
955 		     conn->hcon->init_addr_type, &conn->hcon->init_addr,
956 		     conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
957 		     cp.confirm_val);
958 	if (ret)
959 		return SMP_UNSPECIFIED;
960 
961 	clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
962 
963 	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
964 
965 	if (conn->hcon->out)
966 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
967 	else
968 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
969 
970 	return 0;
971 }
972 
973 static u8 smp_random(struct smp_chan *smp)
974 {
975 	struct l2cap_conn *conn = smp->conn;
976 	struct hci_conn *hcon = conn->hcon;
977 	u8 confirm[16];
978 	int ret;
979 
980 	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
981 
982 	ret = smp_c1(smp->tk, smp->rrnd, smp->preq, smp->prsp,
983 		     hcon->init_addr_type, &hcon->init_addr,
984 		     hcon->resp_addr_type, &hcon->resp_addr, confirm);
985 	if (ret)
986 		return SMP_UNSPECIFIED;
987 
988 	if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
989 		bt_dev_err(hcon->hdev, "pairing failed "
990 			   "(confirmation values mismatch)");
991 		return SMP_CONFIRM_FAILED;
992 	}
993 
994 	if (hcon->out) {
995 		u8 stk[16];
996 		__le64 rand = 0;
997 		__le16 ediv = 0;
998 
999 		smp_s1(smp->tk, smp->rrnd, smp->prnd, stk);
1000 
1001 		if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1002 			return SMP_UNSPECIFIED;
1003 
1004 		hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1005 		hcon->enc_key_size = smp->enc_key_size;
1006 		set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1007 	} else {
1008 		u8 stk[16], auth;
1009 		__le64 rand = 0;
1010 		__le16 ediv = 0;
1011 
1012 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1013 			     smp->prnd);
1014 
1015 		smp_s1(smp->tk, smp->prnd, smp->rrnd, stk);
1016 
1017 		if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1018 			auth = 1;
1019 		else
1020 			auth = 0;
1021 
1022 		/* Even though there's no _SLAVE suffix this is the
1023 		 * slave STK we're adding for later lookup (the master
1024 		 * STK never needs to be stored).
1025 		 */
1026 		hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1027 			    SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1028 	}
1029 
1030 	return 0;
1031 }
1032 
1033 static void smp_notify_keys(struct l2cap_conn *conn)
1034 {
1035 	struct l2cap_chan *chan = conn->smp;
1036 	struct smp_chan *smp = chan->data;
1037 	struct hci_conn *hcon = conn->hcon;
1038 	struct hci_dev *hdev = hcon->hdev;
1039 	struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1040 	struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1041 	bool persistent;
1042 
1043 	if (hcon->type == ACL_LINK) {
1044 		if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1045 			persistent = false;
1046 		else
1047 			persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1048 					       &hcon->flags);
1049 	} else {
1050 		/* The LTKs, IRKs and CSRKs should be persistent only if
1051 		 * both sides had the bonding bit set in their
1052 		 * authentication requests.
1053 		 */
1054 		persistent = !!((req->auth_req & rsp->auth_req) &
1055 				SMP_AUTH_BONDING);
1056 	}
1057 
1058 	if (smp->remote_irk) {
1059 		mgmt_new_irk(hdev, smp->remote_irk, persistent);
1060 
1061 		/* Now that user space can be considered to know the
1062 		 * identity address track the connection based on it
1063 		 * from now on (assuming this is an LE link).
1064 		 */
1065 		if (hcon->type == LE_LINK) {
1066 			bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1067 			hcon->dst_type = smp->remote_irk->addr_type;
1068 			queue_work(hdev->workqueue, &conn->id_addr_update_work);
1069 		}
1070 	}
1071 
1072 	if (smp->csrk) {
1073 		smp->csrk->bdaddr_type = hcon->dst_type;
1074 		bacpy(&smp->csrk->bdaddr, &hcon->dst);
1075 		mgmt_new_csrk(hdev, smp->csrk, persistent);
1076 	}
1077 
1078 	if (smp->slave_csrk) {
1079 		smp->slave_csrk->bdaddr_type = hcon->dst_type;
1080 		bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1081 		mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1082 	}
1083 
1084 	if (smp->ltk) {
1085 		smp->ltk->bdaddr_type = hcon->dst_type;
1086 		bacpy(&smp->ltk->bdaddr, &hcon->dst);
1087 		mgmt_new_ltk(hdev, smp->ltk, persistent);
1088 	}
1089 
1090 	if (smp->slave_ltk) {
1091 		smp->slave_ltk->bdaddr_type = hcon->dst_type;
1092 		bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1093 		mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1094 	}
1095 
1096 	if (smp->link_key) {
1097 		struct link_key *key;
1098 		u8 type;
1099 
1100 		if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1101 			type = HCI_LK_DEBUG_COMBINATION;
1102 		else if (hcon->sec_level == BT_SECURITY_FIPS)
1103 			type = HCI_LK_AUTH_COMBINATION_P256;
1104 		else
1105 			type = HCI_LK_UNAUTH_COMBINATION_P256;
1106 
1107 		key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1108 				       smp->link_key, type, 0, &persistent);
1109 		if (key) {
1110 			mgmt_new_link_key(hdev, key, persistent);
1111 
1112 			/* Don't keep debug keys around if the relevant
1113 			 * flag is not set.
1114 			 */
1115 			if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1116 			    key->type == HCI_LK_DEBUG_COMBINATION) {
1117 				list_del_rcu(&key->list);
1118 				kfree_rcu(key, rcu);
1119 			}
1120 		}
1121 	}
1122 }
1123 
1124 static void sc_add_ltk(struct smp_chan *smp)
1125 {
1126 	struct hci_conn *hcon = smp->conn->hcon;
1127 	u8 key_type, auth;
1128 
1129 	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1130 		key_type = SMP_LTK_P256_DEBUG;
1131 	else
1132 		key_type = SMP_LTK_P256;
1133 
1134 	if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1135 		auth = 1;
1136 	else
1137 		auth = 0;
1138 
1139 	smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1140 			       key_type, auth, smp->tk, smp->enc_key_size,
1141 			       0, 0);
1142 }
1143 
1144 static void sc_generate_link_key(struct smp_chan *smp)
1145 {
1146 	/* From core spec. Spells out in ASCII as 'lebr'. */
1147 	const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1148 
1149 	smp->link_key = kzalloc(16, GFP_KERNEL);
1150 	if (!smp->link_key)
1151 		return;
1152 
1153 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1154 		/* SALT = 0x000000000000000000000000746D7031 */
1155 		const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1156 
1157 		if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1158 			kfree_sensitive(smp->link_key);
1159 			smp->link_key = NULL;
1160 			return;
1161 		}
1162 	} else {
1163 		/* From core spec. Spells out in ASCII as 'tmp1'. */
1164 		const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1165 
1166 		if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1167 			kfree_sensitive(smp->link_key);
1168 			smp->link_key = NULL;
1169 			return;
1170 		}
1171 	}
1172 
1173 	if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1174 		kfree_sensitive(smp->link_key);
1175 		smp->link_key = NULL;
1176 		return;
1177 	}
1178 }
1179 
1180 static void smp_allow_key_dist(struct smp_chan *smp)
1181 {
1182 	/* Allow the first expected phase 3 PDU. The rest of the PDUs
1183 	 * will be allowed in each PDU handler to ensure we receive
1184 	 * them in the correct order.
1185 	 */
1186 	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1187 		SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1188 	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1189 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1190 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
1191 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1192 }
1193 
1194 static void sc_generate_ltk(struct smp_chan *smp)
1195 {
1196 	/* From core spec. Spells out in ASCII as 'brle'. */
1197 	const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1198 	struct hci_conn *hcon = smp->conn->hcon;
1199 	struct hci_dev *hdev = hcon->hdev;
1200 	struct link_key *key;
1201 
1202 	key = hci_find_link_key(hdev, &hcon->dst);
1203 	if (!key) {
1204 		bt_dev_err(hdev, "no Link Key found to generate LTK");
1205 		return;
1206 	}
1207 
1208 	if (key->type == HCI_LK_DEBUG_COMBINATION)
1209 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1210 
1211 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1212 		/* SALT = 0x000000000000000000000000746D7032 */
1213 		const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1214 
1215 		if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1216 			return;
1217 	} else {
1218 		/* From core spec. Spells out in ASCII as 'tmp2'. */
1219 		const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1220 
1221 		if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1222 			return;
1223 	}
1224 
1225 	if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1226 		return;
1227 
1228 	sc_add_ltk(smp);
1229 }
1230 
1231 static void smp_distribute_keys(struct smp_chan *smp)
1232 {
1233 	struct smp_cmd_pairing *req, *rsp;
1234 	struct l2cap_conn *conn = smp->conn;
1235 	struct hci_conn *hcon = conn->hcon;
1236 	struct hci_dev *hdev = hcon->hdev;
1237 	__u8 *keydist;
1238 
1239 	BT_DBG("conn %p", conn);
1240 
1241 	rsp = (void *) &smp->prsp[1];
1242 
1243 	/* The responder sends its keys first */
1244 	if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1245 		smp_allow_key_dist(smp);
1246 		return;
1247 	}
1248 
1249 	req = (void *) &smp->preq[1];
1250 
1251 	if (hcon->out) {
1252 		keydist = &rsp->init_key_dist;
1253 		*keydist &= req->init_key_dist;
1254 	} else {
1255 		keydist = &rsp->resp_key_dist;
1256 		*keydist &= req->resp_key_dist;
1257 	}
1258 
1259 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1260 		if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1261 			sc_generate_link_key(smp);
1262 		if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1263 			sc_generate_ltk(smp);
1264 
1265 		/* Clear the keys which are generated but not distributed */
1266 		*keydist &= ~SMP_SC_NO_DIST;
1267 	}
1268 
1269 	BT_DBG("keydist 0x%x", *keydist);
1270 
1271 	if (*keydist & SMP_DIST_ENC_KEY) {
1272 		struct smp_cmd_encrypt_info enc;
1273 		struct smp_cmd_master_ident ident;
1274 		struct smp_ltk *ltk;
1275 		u8 authenticated;
1276 		__le16 ediv;
1277 		__le64 rand;
1278 
1279 		/* Make sure we generate only the significant amount of
1280 		 * bytes based on the encryption key size, and set the rest
1281 		 * of the value to zeroes.
1282 		 */
1283 		get_random_bytes(enc.ltk, smp->enc_key_size);
1284 		memset(enc.ltk + smp->enc_key_size, 0,
1285 		       sizeof(enc.ltk) - smp->enc_key_size);
1286 
1287 		get_random_bytes(&ediv, sizeof(ediv));
1288 		get_random_bytes(&rand, sizeof(rand));
1289 
1290 		smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1291 
1292 		authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1293 		ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1294 				  SMP_LTK_SLAVE, authenticated, enc.ltk,
1295 				  smp->enc_key_size, ediv, rand);
1296 		smp->slave_ltk = ltk;
1297 
1298 		ident.ediv = ediv;
1299 		ident.rand = rand;
1300 
1301 		smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1302 
1303 		*keydist &= ~SMP_DIST_ENC_KEY;
1304 	}
1305 
1306 	if (*keydist & SMP_DIST_ID_KEY) {
1307 		struct smp_cmd_ident_addr_info addrinfo;
1308 		struct smp_cmd_ident_info idinfo;
1309 
1310 		memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1311 
1312 		smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1313 
1314 		/* The hci_conn contains the local identity address
1315 		 * after the connection has been established.
1316 		 *
1317 		 * This is true even when the connection has been
1318 		 * established using a resolvable random address.
1319 		 */
1320 		bacpy(&addrinfo.bdaddr, &hcon->src);
1321 		addrinfo.addr_type = hcon->src_type;
1322 
1323 		smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1324 			     &addrinfo);
1325 
1326 		*keydist &= ~SMP_DIST_ID_KEY;
1327 	}
1328 
1329 	if (*keydist & SMP_DIST_SIGN) {
1330 		struct smp_cmd_sign_info sign;
1331 		struct smp_csrk *csrk;
1332 
1333 		/* Generate a new random key */
1334 		get_random_bytes(sign.csrk, sizeof(sign.csrk));
1335 
1336 		csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1337 		if (csrk) {
1338 			if (hcon->sec_level > BT_SECURITY_MEDIUM)
1339 				csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1340 			else
1341 				csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1342 			memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1343 		}
1344 		smp->slave_csrk = csrk;
1345 
1346 		smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1347 
1348 		*keydist &= ~SMP_DIST_SIGN;
1349 	}
1350 
1351 	/* If there are still keys to be received wait for them */
1352 	if (smp->remote_key_dist & KEY_DIST_MASK) {
1353 		smp_allow_key_dist(smp);
1354 		return;
1355 	}
1356 
1357 	set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1358 	smp_notify_keys(conn);
1359 
1360 	smp_chan_destroy(conn);
1361 }
1362 
1363 static void smp_timeout(struct work_struct *work)
1364 {
1365 	struct smp_chan *smp = container_of(work, struct smp_chan,
1366 					    security_timer.work);
1367 	struct l2cap_conn *conn = smp->conn;
1368 
1369 	BT_DBG("conn %p", conn);
1370 
1371 	hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1372 }
1373 
1374 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1375 {
1376 	struct l2cap_chan *chan = conn->smp;
1377 	struct smp_chan *smp;
1378 
1379 	smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1380 	if (!smp)
1381 		return NULL;
1382 
1383 	smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1384 	if (IS_ERR(smp->tfm_cmac)) {
1385 		BT_ERR("Unable to create CMAC crypto context");
1386 		goto zfree_smp;
1387 	}
1388 
1389 	smp->tfm_ecdh = crypto_alloc_kpp("ecdh", 0, 0);
1390 	if (IS_ERR(smp->tfm_ecdh)) {
1391 		BT_ERR("Unable to create ECDH crypto context");
1392 		goto free_shash;
1393 	}
1394 
1395 	smp->conn = conn;
1396 	chan->data = smp;
1397 
1398 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1399 
1400 	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1401 
1402 	hci_conn_hold(conn->hcon);
1403 
1404 	return smp;
1405 
1406 free_shash:
1407 	crypto_free_shash(smp->tfm_cmac);
1408 zfree_smp:
1409 	kfree_sensitive(smp);
1410 	return NULL;
1411 }
1412 
1413 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1414 {
1415 	struct hci_conn *hcon = smp->conn->hcon;
1416 	u8 *na, *nb, a[7], b[7];
1417 
1418 	if (hcon->out) {
1419 		na   = smp->prnd;
1420 		nb   = smp->rrnd;
1421 	} else {
1422 		na   = smp->rrnd;
1423 		nb   = smp->prnd;
1424 	}
1425 
1426 	memcpy(a, &hcon->init_addr, 6);
1427 	memcpy(b, &hcon->resp_addr, 6);
1428 	a[6] = hcon->init_addr_type;
1429 	b[6] = hcon->resp_addr_type;
1430 
1431 	return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1432 }
1433 
1434 static void sc_dhkey_check(struct smp_chan *smp)
1435 {
1436 	struct hci_conn *hcon = smp->conn->hcon;
1437 	struct smp_cmd_dhkey_check check;
1438 	u8 a[7], b[7], *local_addr, *remote_addr;
1439 	u8 io_cap[3], r[16];
1440 
1441 	memcpy(a, &hcon->init_addr, 6);
1442 	memcpy(b, &hcon->resp_addr, 6);
1443 	a[6] = hcon->init_addr_type;
1444 	b[6] = hcon->resp_addr_type;
1445 
1446 	if (hcon->out) {
1447 		local_addr = a;
1448 		remote_addr = b;
1449 		memcpy(io_cap, &smp->preq[1], 3);
1450 	} else {
1451 		local_addr = b;
1452 		remote_addr = a;
1453 		memcpy(io_cap, &smp->prsp[1], 3);
1454 	}
1455 
1456 	memset(r, 0, sizeof(r));
1457 
1458 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1459 		put_unaligned_le32(hcon->passkey_notify, r);
1460 
1461 	if (smp->method == REQ_OOB)
1462 		memcpy(r, smp->rr, 16);
1463 
1464 	smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1465 	       local_addr, remote_addr, check.e);
1466 
1467 	smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1468 }
1469 
1470 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1471 {
1472 	struct l2cap_conn *conn = smp->conn;
1473 	struct hci_conn *hcon = conn->hcon;
1474 	struct smp_cmd_pairing_confirm cfm;
1475 	u8 r;
1476 
1477 	r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1478 	r |= 0x80;
1479 
1480 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1481 
1482 	if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1483 		   cfm.confirm_val))
1484 		return SMP_UNSPECIFIED;
1485 
1486 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1487 
1488 	return 0;
1489 }
1490 
1491 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1492 {
1493 	struct l2cap_conn *conn = smp->conn;
1494 	struct hci_conn *hcon = conn->hcon;
1495 	struct hci_dev *hdev = hcon->hdev;
1496 	u8 cfm[16], r;
1497 
1498 	/* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1499 	if (smp->passkey_round >= 20)
1500 		return 0;
1501 
1502 	switch (smp_op) {
1503 	case SMP_CMD_PAIRING_RANDOM:
1504 		r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1505 		r |= 0x80;
1506 
1507 		if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1508 			   smp->rrnd, r, cfm))
1509 			return SMP_UNSPECIFIED;
1510 
1511 		if (crypto_memneq(smp->pcnf, cfm, 16))
1512 			return SMP_CONFIRM_FAILED;
1513 
1514 		smp->passkey_round++;
1515 
1516 		if (smp->passkey_round == 20) {
1517 			/* Generate MacKey and LTK */
1518 			if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1519 				return SMP_UNSPECIFIED;
1520 		}
1521 
1522 		/* The round is only complete when the initiator
1523 		 * receives pairing random.
1524 		 */
1525 		if (!hcon->out) {
1526 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1527 				     sizeof(smp->prnd), smp->prnd);
1528 			if (smp->passkey_round == 20)
1529 				SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1530 			else
1531 				SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1532 			return 0;
1533 		}
1534 
1535 		/* Start the next round */
1536 		if (smp->passkey_round != 20)
1537 			return sc_passkey_round(smp, 0);
1538 
1539 		/* Passkey rounds are complete - start DHKey Check */
1540 		sc_dhkey_check(smp);
1541 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1542 
1543 		break;
1544 
1545 	case SMP_CMD_PAIRING_CONFIRM:
1546 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1547 			set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1548 			return 0;
1549 		}
1550 
1551 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1552 
1553 		if (hcon->out) {
1554 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1555 				     sizeof(smp->prnd), smp->prnd);
1556 			return 0;
1557 		}
1558 
1559 		return sc_passkey_send_confirm(smp);
1560 
1561 	case SMP_CMD_PUBLIC_KEY:
1562 	default:
1563 		/* Initiating device starts the round */
1564 		if (!hcon->out)
1565 			return 0;
1566 
1567 		BT_DBG("%s Starting passkey round %u", hdev->name,
1568 		       smp->passkey_round + 1);
1569 
1570 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1571 
1572 		return sc_passkey_send_confirm(smp);
1573 	}
1574 
1575 	return 0;
1576 }
1577 
1578 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1579 {
1580 	struct l2cap_conn *conn = smp->conn;
1581 	struct hci_conn *hcon = conn->hcon;
1582 	u8 smp_op;
1583 
1584 	clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1585 
1586 	switch (mgmt_op) {
1587 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1588 		smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1589 		return 0;
1590 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1591 		smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1592 		return 0;
1593 	case MGMT_OP_USER_PASSKEY_REPLY:
1594 		hcon->passkey_notify = le32_to_cpu(passkey);
1595 		smp->passkey_round = 0;
1596 
1597 		if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1598 			smp_op = SMP_CMD_PAIRING_CONFIRM;
1599 		else
1600 			smp_op = 0;
1601 
1602 		if (sc_passkey_round(smp, smp_op))
1603 			return -EIO;
1604 
1605 		return 0;
1606 	}
1607 
1608 	/* Initiator sends DHKey check first */
1609 	if (hcon->out) {
1610 		sc_dhkey_check(smp);
1611 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1612 	} else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1613 		sc_dhkey_check(smp);
1614 		sc_add_ltk(smp);
1615 	}
1616 
1617 	return 0;
1618 }
1619 
1620 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1621 {
1622 	struct l2cap_conn *conn = hcon->l2cap_data;
1623 	struct l2cap_chan *chan;
1624 	struct smp_chan *smp;
1625 	u32 value;
1626 	int err;
1627 
1628 	BT_DBG("");
1629 
1630 	if (!conn)
1631 		return -ENOTCONN;
1632 
1633 	chan = conn->smp;
1634 	if (!chan)
1635 		return -ENOTCONN;
1636 
1637 	l2cap_chan_lock(chan);
1638 	if (!chan->data) {
1639 		err = -ENOTCONN;
1640 		goto unlock;
1641 	}
1642 
1643 	smp = chan->data;
1644 
1645 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1646 		err = sc_user_reply(smp, mgmt_op, passkey);
1647 		goto unlock;
1648 	}
1649 
1650 	switch (mgmt_op) {
1651 	case MGMT_OP_USER_PASSKEY_REPLY:
1652 		value = le32_to_cpu(passkey);
1653 		memset(smp->tk, 0, sizeof(smp->tk));
1654 		BT_DBG("PassKey: %d", value);
1655 		put_unaligned_le32(value, smp->tk);
1656 		fallthrough;
1657 	case MGMT_OP_USER_CONFIRM_REPLY:
1658 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1659 		break;
1660 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1661 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1662 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1663 		err = 0;
1664 		goto unlock;
1665 	default:
1666 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1667 		err = -EOPNOTSUPP;
1668 		goto unlock;
1669 	}
1670 
1671 	err = 0;
1672 
1673 	/* If it is our turn to send Pairing Confirm, do so now */
1674 	if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1675 		u8 rsp = smp_confirm(smp);
1676 		if (rsp)
1677 			smp_failure(conn, rsp);
1678 	}
1679 
1680 unlock:
1681 	l2cap_chan_unlock(chan);
1682 	return err;
1683 }
1684 
1685 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1686 				    struct smp_cmd_pairing *req,
1687 				    struct smp_cmd_pairing *rsp)
1688 {
1689 	struct l2cap_conn *conn = smp->conn;
1690 	struct hci_dev *hdev = conn->hcon->hdev;
1691 	u8 local_dist = 0, remote_dist = 0;
1692 
1693 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1694 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1695 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1696 	}
1697 
1698 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1699 		remote_dist |= SMP_DIST_ID_KEY;
1700 
1701 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1702 		local_dist |= SMP_DIST_ID_KEY;
1703 
1704 	if (!rsp) {
1705 		memset(req, 0, sizeof(*req));
1706 
1707 		req->auth_req        = SMP_AUTH_CT2;
1708 		req->init_key_dist   = local_dist;
1709 		req->resp_key_dist   = remote_dist;
1710 		req->max_key_size    = conn->hcon->enc_key_size;
1711 
1712 		smp->remote_key_dist = remote_dist;
1713 
1714 		return;
1715 	}
1716 
1717 	memset(rsp, 0, sizeof(*rsp));
1718 
1719 	rsp->auth_req        = SMP_AUTH_CT2;
1720 	rsp->max_key_size    = conn->hcon->enc_key_size;
1721 	rsp->init_key_dist   = req->init_key_dist & remote_dist;
1722 	rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1723 
1724 	smp->remote_key_dist = rsp->init_key_dist;
1725 }
1726 
1727 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1728 {
1729 	struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1730 	struct l2cap_chan *chan = conn->smp;
1731 	struct hci_dev *hdev = conn->hcon->hdev;
1732 	struct smp_chan *smp;
1733 	u8 key_size, auth, sec_level;
1734 	int ret;
1735 
1736 	BT_DBG("conn %p", conn);
1737 
1738 	if (skb->len < sizeof(*req))
1739 		return SMP_INVALID_PARAMS;
1740 
1741 	if (conn->hcon->role != HCI_ROLE_SLAVE)
1742 		return SMP_CMD_NOTSUPP;
1743 
1744 	if (!chan->data)
1745 		smp = smp_chan_create(conn);
1746 	else
1747 		smp = chan->data;
1748 
1749 	if (!smp)
1750 		return SMP_UNSPECIFIED;
1751 
1752 	/* We didn't start the pairing, so match remote */
1753 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
1754 
1755 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1756 	    (auth & SMP_AUTH_BONDING))
1757 		return SMP_PAIRING_NOTSUPP;
1758 
1759 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1760 		return SMP_AUTH_REQUIREMENTS;
1761 
1762 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
1763 	memcpy(&smp->preq[1], req, sizeof(*req));
1764 	skb_pull(skb, sizeof(*req));
1765 
1766 	/* If the remote side's OOB flag is set it means it has
1767 	 * successfully received our local OOB data - therefore set the
1768 	 * flag to indicate that local OOB is in use.
1769 	 */
1770 	if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1771 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1772 
1773 	/* SMP over BR/EDR requires special treatment */
1774 	if (conn->hcon->type == ACL_LINK) {
1775 		/* We must have a BR/EDR SC link */
1776 		if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1777 		    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1778 			return SMP_CROSS_TRANSP_NOT_ALLOWED;
1779 
1780 		set_bit(SMP_FLAG_SC, &smp->flags);
1781 
1782 		build_bredr_pairing_cmd(smp, req, &rsp);
1783 
1784 		if (req->auth_req & SMP_AUTH_CT2)
1785 			set_bit(SMP_FLAG_CT2, &smp->flags);
1786 
1787 		key_size = min(req->max_key_size, rsp.max_key_size);
1788 		if (check_enc_key_size(conn, key_size))
1789 			return SMP_ENC_KEY_SIZE;
1790 
1791 		/* Clear bits which are generated but not distributed */
1792 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1793 
1794 		smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1795 		memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1796 		smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1797 
1798 		smp_distribute_keys(smp);
1799 		return 0;
1800 	}
1801 
1802 	build_pairing_cmd(conn, req, &rsp, auth);
1803 
1804 	if (rsp.auth_req & SMP_AUTH_SC) {
1805 		set_bit(SMP_FLAG_SC, &smp->flags);
1806 
1807 		if (rsp.auth_req & SMP_AUTH_CT2)
1808 			set_bit(SMP_FLAG_CT2, &smp->flags);
1809 	}
1810 
1811 	if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1812 		sec_level = BT_SECURITY_MEDIUM;
1813 	else
1814 		sec_level = authreq_to_seclevel(auth);
1815 
1816 	if (sec_level > conn->hcon->pending_sec_level)
1817 		conn->hcon->pending_sec_level = sec_level;
1818 
1819 	/* If we need MITM check that it can be achieved */
1820 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1821 		u8 method;
1822 
1823 		method = get_auth_method(smp, conn->hcon->io_capability,
1824 					 req->io_capability);
1825 		if (method == JUST_WORKS || method == JUST_CFM)
1826 			return SMP_AUTH_REQUIREMENTS;
1827 	}
1828 
1829 	key_size = min(req->max_key_size, rsp.max_key_size);
1830 	if (check_enc_key_size(conn, key_size))
1831 		return SMP_ENC_KEY_SIZE;
1832 
1833 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1834 
1835 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1836 	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1837 
1838 	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1839 
1840 	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1841 
1842 	/* Strictly speaking we shouldn't allow Pairing Confirm for the
1843 	 * SC case, however some implementations incorrectly copy RFU auth
1844 	 * req bits from our security request, which may create a false
1845 	 * positive SC enablement.
1846 	 */
1847 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1848 
1849 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1850 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1851 		/* Clear bits which are generated but not distributed */
1852 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1853 		/* Wait for Public Key from Initiating Device */
1854 		return 0;
1855 	}
1856 
1857 	/* Request setup of TK */
1858 	ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1859 	if (ret)
1860 		return SMP_UNSPECIFIED;
1861 
1862 	return 0;
1863 }
1864 
1865 static u8 sc_send_public_key(struct smp_chan *smp)
1866 {
1867 	struct hci_dev *hdev = smp->conn->hcon->hdev;
1868 
1869 	bt_dev_dbg(hdev, "");
1870 
1871 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1872 		struct l2cap_chan *chan = hdev->smp_data;
1873 		struct smp_dev *smp_dev;
1874 
1875 		if (!chan || !chan->data)
1876 			return SMP_UNSPECIFIED;
1877 
1878 		smp_dev = chan->data;
1879 
1880 		memcpy(smp->local_pk, smp_dev->local_pk, 64);
1881 		memcpy(smp->lr, smp_dev->local_rand, 16);
1882 
1883 		if (smp_dev->debug_key)
1884 			set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1885 
1886 		goto done;
1887 	}
1888 
1889 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1890 		BT_DBG("Using debug keys");
1891 		if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
1892 			return SMP_UNSPECIFIED;
1893 		memcpy(smp->local_pk, debug_pk, 64);
1894 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1895 	} else {
1896 		while (true) {
1897 			/* Generate key pair for Secure Connections */
1898 			if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
1899 				return SMP_UNSPECIFIED;
1900 
1901 			/* This is unlikely, but we need to check that
1902 			 * we didn't accidentially generate a debug key.
1903 			 */
1904 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
1905 				break;
1906 		}
1907 	}
1908 
1909 done:
1910 	SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1911 	SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1912 
1913 	smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1914 
1915 	return 0;
1916 }
1917 
1918 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1919 {
1920 	struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1921 	struct l2cap_chan *chan = conn->smp;
1922 	struct smp_chan *smp = chan->data;
1923 	struct hci_dev *hdev = conn->hcon->hdev;
1924 	u8 key_size, auth;
1925 	int ret;
1926 
1927 	BT_DBG("conn %p", conn);
1928 
1929 	if (skb->len < sizeof(*rsp))
1930 		return SMP_INVALID_PARAMS;
1931 
1932 	if (conn->hcon->role != HCI_ROLE_MASTER)
1933 		return SMP_CMD_NOTSUPP;
1934 
1935 	skb_pull(skb, sizeof(*rsp));
1936 
1937 	req = (void *) &smp->preq[1];
1938 
1939 	key_size = min(req->max_key_size, rsp->max_key_size);
1940 	if (check_enc_key_size(conn, key_size))
1941 		return SMP_ENC_KEY_SIZE;
1942 
1943 	auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1944 
1945 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1946 		return SMP_AUTH_REQUIREMENTS;
1947 
1948 	/* If the remote side's OOB flag is set it means it has
1949 	 * successfully received our local OOB data - therefore set the
1950 	 * flag to indicate that local OOB is in use.
1951 	 */
1952 	if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1953 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1954 
1955 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1956 	memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1957 
1958 	/* Update remote key distribution in case the remote cleared
1959 	 * some bits that we had enabled in our request.
1960 	 */
1961 	smp->remote_key_dist &= rsp->resp_key_dist;
1962 
1963 	if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1964 		set_bit(SMP_FLAG_CT2, &smp->flags);
1965 
1966 	/* For BR/EDR this means we're done and can start phase 3 */
1967 	if (conn->hcon->type == ACL_LINK) {
1968 		/* Clear bits which are generated but not distributed */
1969 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1970 		smp_distribute_keys(smp);
1971 		return 0;
1972 	}
1973 
1974 	if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1975 		set_bit(SMP_FLAG_SC, &smp->flags);
1976 	else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1977 		conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1978 
1979 	/* If we need MITM check that it can be achieved */
1980 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1981 		u8 method;
1982 
1983 		method = get_auth_method(smp, req->io_capability,
1984 					 rsp->io_capability);
1985 		if (method == JUST_WORKS || method == JUST_CFM)
1986 			return SMP_AUTH_REQUIREMENTS;
1987 	}
1988 
1989 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1990 
1991 	/* Update remote key distribution in case the remote cleared
1992 	 * some bits that we had enabled in our request.
1993 	 */
1994 	smp->remote_key_dist &= rsp->resp_key_dist;
1995 
1996 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1997 		/* Clear bits which are generated but not distributed */
1998 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1999 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2000 		return sc_send_public_key(smp);
2001 	}
2002 
2003 	auth |= req->auth_req;
2004 
2005 	ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2006 	if (ret)
2007 		return SMP_UNSPECIFIED;
2008 
2009 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2010 
2011 	/* Can't compose response until we have been confirmed */
2012 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2013 		return smp_confirm(smp);
2014 
2015 	return 0;
2016 }
2017 
2018 static u8 sc_check_confirm(struct smp_chan *smp)
2019 {
2020 	struct l2cap_conn *conn = smp->conn;
2021 
2022 	BT_DBG("");
2023 
2024 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2025 		return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2026 
2027 	if (conn->hcon->out) {
2028 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2029 			     smp->prnd);
2030 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2031 	}
2032 
2033 	return 0;
2034 }
2035 
2036 /* Work-around for some implementations that incorrectly copy RFU bits
2037  * from our security request and thereby create the impression that
2038  * we're doing SC when in fact the remote doesn't support it.
2039  */
2040 static int fixup_sc_false_positive(struct smp_chan *smp)
2041 {
2042 	struct l2cap_conn *conn = smp->conn;
2043 	struct hci_conn *hcon = conn->hcon;
2044 	struct hci_dev *hdev = hcon->hdev;
2045 	struct smp_cmd_pairing *req, *rsp;
2046 	u8 auth;
2047 
2048 	/* The issue is only observed when we're in slave role */
2049 	if (hcon->out)
2050 		return SMP_UNSPECIFIED;
2051 
2052 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2053 		bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
2054 		return SMP_UNSPECIFIED;
2055 	}
2056 
2057 	bt_dev_err(hdev, "trying to fall back to legacy SMP");
2058 
2059 	req = (void *) &smp->preq[1];
2060 	rsp = (void *) &smp->prsp[1];
2061 
2062 	/* Rebuild key dist flags which may have been cleared for SC */
2063 	smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2064 
2065 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
2066 
2067 	if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2068 		bt_dev_err(hdev, "failed to fall back to legacy SMP");
2069 		return SMP_UNSPECIFIED;
2070 	}
2071 
2072 	clear_bit(SMP_FLAG_SC, &smp->flags);
2073 
2074 	return 0;
2075 }
2076 
2077 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2078 {
2079 	struct l2cap_chan *chan = conn->smp;
2080 	struct smp_chan *smp = chan->data;
2081 
2082 	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
2083 
2084 	if (skb->len < sizeof(smp->pcnf))
2085 		return SMP_INVALID_PARAMS;
2086 
2087 	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2088 	skb_pull(skb, sizeof(smp->pcnf));
2089 
2090 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2091 		int ret;
2092 
2093 		/* Public Key exchange must happen before any other steps */
2094 		if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2095 			return sc_check_confirm(smp);
2096 
2097 		BT_ERR("Unexpected SMP Pairing Confirm");
2098 
2099 		ret = fixup_sc_false_positive(smp);
2100 		if (ret)
2101 			return ret;
2102 	}
2103 
2104 	if (conn->hcon->out) {
2105 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2106 			     smp->prnd);
2107 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2108 		return 0;
2109 	}
2110 
2111 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2112 		return smp_confirm(smp);
2113 
2114 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2115 
2116 	return 0;
2117 }
2118 
2119 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2120 {
2121 	struct l2cap_chan *chan = conn->smp;
2122 	struct smp_chan *smp = chan->data;
2123 	struct hci_conn *hcon = conn->hcon;
2124 	u8 *pkax, *pkbx, *na, *nb, confirm_hint;
2125 	u32 passkey;
2126 	int err;
2127 
2128 	BT_DBG("conn %p", conn);
2129 
2130 	if (skb->len < sizeof(smp->rrnd))
2131 		return SMP_INVALID_PARAMS;
2132 
2133 	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2134 	skb_pull(skb, sizeof(smp->rrnd));
2135 
2136 	if (!test_bit(SMP_FLAG_SC, &smp->flags))
2137 		return smp_random(smp);
2138 
2139 	if (hcon->out) {
2140 		pkax = smp->local_pk;
2141 		pkbx = smp->remote_pk;
2142 		na   = smp->prnd;
2143 		nb   = smp->rrnd;
2144 	} else {
2145 		pkax = smp->remote_pk;
2146 		pkbx = smp->local_pk;
2147 		na   = smp->rrnd;
2148 		nb   = smp->prnd;
2149 	}
2150 
2151 	if (smp->method == REQ_OOB) {
2152 		if (!hcon->out)
2153 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2154 				     sizeof(smp->prnd), smp->prnd);
2155 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2156 		goto mackey_and_ltk;
2157 	}
2158 
2159 	/* Passkey entry has special treatment */
2160 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2161 		return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2162 
2163 	if (hcon->out) {
2164 		u8 cfm[16];
2165 
2166 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2167 			     smp->rrnd, 0, cfm);
2168 		if (err)
2169 			return SMP_UNSPECIFIED;
2170 
2171 		if (crypto_memneq(smp->pcnf, cfm, 16))
2172 			return SMP_CONFIRM_FAILED;
2173 	} else {
2174 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2175 			     smp->prnd);
2176 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2177 
2178 		/* Only Just-Works pairing requires extra checks */
2179 		if (smp->method != JUST_WORKS)
2180 			goto mackey_and_ltk;
2181 
2182 		/* If there already exists long term key in local host, leave
2183 		 * the decision to user space since the remote device could
2184 		 * be legitimate or malicious.
2185 		 */
2186 		if (hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
2187 				 hcon->role)) {
2188 			/* Set passkey to 0. The value can be any number since
2189 			 * it'll be ignored anyway.
2190 			 */
2191 			passkey = 0;
2192 			confirm_hint = 1;
2193 			goto confirm;
2194 		}
2195 	}
2196 
2197 mackey_and_ltk:
2198 	/* Generate MacKey and LTK */
2199 	err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2200 	if (err)
2201 		return SMP_UNSPECIFIED;
2202 
2203 	if (smp->method == REQ_OOB) {
2204 		if (hcon->out) {
2205 			sc_dhkey_check(smp);
2206 			SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2207 		}
2208 		return 0;
2209 	}
2210 
2211 	err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2212 	if (err)
2213 		return SMP_UNSPECIFIED;
2214 
2215 	confirm_hint = 0;
2216 
2217 confirm:
2218 	if (smp->method == JUST_WORKS)
2219 		confirm_hint = 1;
2220 
2221 	err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2222 					hcon->dst_type, passkey, confirm_hint);
2223 	if (err)
2224 		return SMP_UNSPECIFIED;
2225 
2226 	set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2227 
2228 	return 0;
2229 }
2230 
2231 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2232 {
2233 	struct smp_ltk *key;
2234 	struct hci_conn *hcon = conn->hcon;
2235 
2236 	key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2237 	if (!key)
2238 		return false;
2239 
2240 	if (smp_ltk_sec_level(key) < sec_level)
2241 		return false;
2242 
2243 	if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2244 		return true;
2245 
2246 	hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2247 	hcon->enc_key_size = key->enc_size;
2248 
2249 	/* We never store STKs for master role, so clear this flag */
2250 	clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2251 
2252 	return true;
2253 }
2254 
2255 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2256 			     enum smp_key_pref key_pref)
2257 {
2258 	if (sec_level == BT_SECURITY_LOW)
2259 		return true;
2260 
2261 	/* If we're encrypted with an STK but the caller prefers using
2262 	 * LTK claim insufficient security. This way we allow the
2263 	 * connection to be re-encrypted with an LTK, even if the LTK
2264 	 * provides the same level of security. Only exception is if we
2265 	 * don't have an LTK (e.g. because of key distribution bits).
2266 	 */
2267 	if (key_pref == SMP_USE_LTK &&
2268 	    test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2269 	    hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2270 		return false;
2271 
2272 	if (hcon->sec_level >= sec_level)
2273 		return true;
2274 
2275 	return false;
2276 }
2277 
2278 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2279 {
2280 	struct smp_cmd_security_req *rp = (void *) skb->data;
2281 	struct smp_cmd_pairing cp;
2282 	struct hci_conn *hcon = conn->hcon;
2283 	struct hci_dev *hdev = hcon->hdev;
2284 	struct smp_chan *smp;
2285 	u8 sec_level, auth;
2286 
2287 	BT_DBG("conn %p", conn);
2288 
2289 	if (skb->len < sizeof(*rp))
2290 		return SMP_INVALID_PARAMS;
2291 
2292 	if (hcon->role != HCI_ROLE_MASTER)
2293 		return SMP_CMD_NOTSUPP;
2294 
2295 	auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2296 
2297 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2298 		return SMP_AUTH_REQUIREMENTS;
2299 
2300 	if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2301 		sec_level = BT_SECURITY_MEDIUM;
2302 	else
2303 		sec_level = authreq_to_seclevel(auth);
2304 
2305 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2306 		/* If link is already encrypted with sufficient security we
2307 		 * still need refresh encryption as per Core Spec 5.0 Vol 3,
2308 		 * Part H 2.4.6
2309 		 */
2310 		smp_ltk_encrypt(conn, hcon->sec_level);
2311 		return 0;
2312 	}
2313 
2314 	if (sec_level > hcon->pending_sec_level)
2315 		hcon->pending_sec_level = sec_level;
2316 
2317 	if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2318 		return 0;
2319 
2320 	smp = smp_chan_create(conn);
2321 	if (!smp)
2322 		return SMP_UNSPECIFIED;
2323 
2324 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2325 	    (auth & SMP_AUTH_BONDING))
2326 		return SMP_PAIRING_NOTSUPP;
2327 
2328 	skb_pull(skb, sizeof(*rp));
2329 
2330 	memset(&cp, 0, sizeof(cp));
2331 	build_pairing_cmd(conn, &cp, NULL, auth);
2332 
2333 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2334 	memcpy(&smp->preq[1], &cp, sizeof(cp));
2335 
2336 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2337 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2338 
2339 	return 0;
2340 }
2341 
2342 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2343 {
2344 	struct l2cap_conn *conn = hcon->l2cap_data;
2345 	struct l2cap_chan *chan;
2346 	struct smp_chan *smp;
2347 	__u8 authreq;
2348 	int ret;
2349 
2350 	BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2351 
2352 	/* This may be NULL if there's an unexpected disconnection */
2353 	if (!conn)
2354 		return 1;
2355 
2356 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2357 		return 1;
2358 
2359 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2360 		return 1;
2361 
2362 	if (sec_level > hcon->pending_sec_level)
2363 		hcon->pending_sec_level = sec_level;
2364 
2365 	if (hcon->role == HCI_ROLE_MASTER)
2366 		if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2367 			return 0;
2368 
2369 	chan = conn->smp;
2370 	if (!chan) {
2371 		bt_dev_err(hcon->hdev, "security requested but not available");
2372 		return 1;
2373 	}
2374 
2375 	l2cap_chan_lock(chan);
2376 
2377 	/* If SMP is already in progress ignore this request */
2378 	if (chan->data) {
2379 		ret = 0;
2380 		goto unlock;
2381 	}
2382 
2383 	smp = smp_chan_create(conn);
2384 	if (!smp) {
2385 		ret = 1;
2386 		goto unlock;
2387 	}
2388 
2389 	authreq = seclevel_to_authreq(sec_level);
2390 
2391 	if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2392 		authreq |= SMP_AUTH_SC;
2393 		if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2394 			authreq |= SMP_AUTH_CT2;
2395 	}
2396 
2397 	/* Don't attempt to set MITM if setting is overridden by debugfs
2398 	 * Needed to pass certification test SM/MAS/PKE/BV-01-C
2399 	 */
2400 	if (!hci_dev_test_flag(hcon->hdev, HCI_FORCE_NO_MITM)) {
2401 		/* Require MITM if IO Capability allows or the security level
2402 		 * requires it.
2403 		 */
2404 		if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2405 		    hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2406 			authreq |= SMP_AUTH_MITM;
2407 	}
2408 
2409 	if (hcon->role == HCI_ROLE_MASTER) {
2410 		struct smp_cmd_pairing cp;
2411 
2412 		build_pairing_cmd(conn, &cp, NULL, authreq);
2413 		smp->preq[0] = SMP_CMD_PAIRING_REQ;
2414 		memcpy(&smp->preq[1], &cp, sizeof(cp));
2415 
2416 		smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2417 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2418 	} else {
2419 		struct smp_cmd_security_req cp;
2420 		cp.auth_req = authreq;
2421 		smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2422 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2423 	}
2424 
2425 	set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2426 	ret = 0;
2427 
2428 unlock:
2429 	l2cap_chan_unlock(chan);
2430 	return ret;
2431 }
2432 
2433 int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2434 				  u8 addr_type)
2435 {
2436 	struct hci_conn *hcon;
2437 	struct l2cap_conn *conn;
2438 	struct l2cap_chan *chan;
2439 	struct smp_chan *smp;
2440 	int err;
2441 
2442 	err = hci_remove_ltk(hdev, bdaddr, addr_type);
2443 	hci_remove_irk(hdev, bdaddr, addr_type);
2444 
2445 	hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2446 	if (!hcon)
2447 		goto done;
2448 
2449 	conn = hcon->l2cap_data;
2450 	if (!conn)
2451 		goto done;
2452 
2453 	chan = conn->smp;
2454 	if (!chan)
2455 		goto done;
2456 
2457 	l2cap_chan_lock(chan);
2458 
2459 	smp = chan->data;
2460 	if (smp) {
2461 		/* Set keys to NULL to make sure smp_failure() does not try to
2462 		 * remove and free already invalidated rcu list entries. */
2463 		smp->ltk = NULL;
2464 		smp->slave_ltk = NULL;
2465 		smp->remote_irk = NULL;
2466 
2467 		if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2468 			smp_failure(conn, 0);
2469 		else
2470 			smp_failure(conn, SMP_UNSPECIFIED);
2471 		err = 0;
2472 	}
2473 
2474 	l2cap_chan_unlock(chan);
2475 
2476 done:
2477 	return err;
2478 }
2479 
2480 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2481 {
2482 	struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2483 	struct l2cap_chan *chan = conn->smp;
2484 	struct smp_chan *smp = chan->data;
2485 
2486 	BT_DBG("conn %p", conn);
2487 
2488 	if (skb->len < sizeof(*rp))
2489 		return SMP_INVALID_PARAMS;
2490 
2491 	/* Pairing is aborted if any blocked keys are distributed */
2492 	if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_LTK,
2493 			       rp->ltk)) {
2494 		bt_dev_warn_ratelimited(conn->hcon->hdev,
2495 					"LTK blocked for %pMR",
2496 					&conn->hcon->dst);
2497 		return SMP_INVALID_PARAMS;
2498 	}
2499 
2500 	SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2501 
2502 	skb_pull(skb, sizeof(*rp));
2503 
2504 	memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2505 
2506 	return 0;
2507 }
2508 
2509 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2510 {
2511 	struct smp_cmd_master_ident *rp = (void *) skb->data;
2512 	struct l2cap_chan *chan = conn->smp;
2513 	struct smp_chan *smp = chan->data;
2514 	struct hci_dev *hdev = conn->hcon->hdev;
2515 	struct hci_conn *hcon = conn->hcon;
2516 	struct smp_ltk *ltk;
2517 	u8 authenticated;
2518 
2519 	BT_DBG("conn %p", conn);
2520 
2521 	if (skb->len < sizeof(*rp))
2522 		return SMP_INVALID_PARAMS;
2523 
2524 	/* Mark the information as received */
2525 	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2526 
2527 	if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2528 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2529 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
2530 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2531 
2532 	skb_pull(skb, sizeof(*rp));
2533 
2534 	authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2535 	ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2536 			  authenticated, smp->tk, smp->enc_key_size,
2537 			  rp->ediv, rp->rand);
2538 	smp->ltk = ltk;
2539 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2540 		smp_distribute_keys(smp);
2541 
2542 	return 0;
2543 }
2544 
2545 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2546 {
2547 	struct smp_cmd_ident_info *info = (void *) skb->data;
2548 	struct l2cap_chan *chan = conn->smp;
2549 	struct smp_chan *smp = chan->data;
2550 
2551 	BT_DBG("");
2552 
2553 	if (skb->len < sizeof(*info))
2554 		return SMP_INVALID_PARAMS;
2555 
2556 	/* Pairing is aborted if any blocked keys are distributed */
2557 	if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_IRK,
2558 			       info->irk)) {
2559 		bt_dev_warn_ratelimited(conn->hcon->hdev,
2560 					"Identity key blocked for %pMR",
2561 					&conn->hcon->dst);
2562 		return SMP_INVALID_PARAMS;
2563 	}
2564 
2565 	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2566 
2567 	skb_pull(skb, sizeof(*info));
2568 
2569 	memcpy(smp->irk, info->irk, 16);
2570 
2571 	return 0;
2572 }
2573 
2574 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2575 				   struct sk_buff *skb)
2576 {
2577 	struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2578 	struct l2cap_chan *chan = conn->smp;
2579 	struct smp_chan *smp = chan->data;
2580 	struct hci_conn *hcon = conn->hcon;
2581 	bdaddr_t rpa;
2582 
2583 	BT_DBG("");
2584 
2585 	if (skb->len < sizeof(*info))
2586 		return SMP_INVALID_PARAMS;
2587 
2588 	/* Mark the information as received */
2589 	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2590 
2591 	if (smp->remote_key_dist & SMP_DIST_SIGN)
2592 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2593 
2594 	skb_pull(skb, sizeof(*info));
2595 
2596 	/* Strictly speaking the Core Specification (4.1) allows sending
2597 	 * an empty address which would force us to rely on just the IRK
2598 	 * as "identity information". However, since such
2599 	 * implementations are not known of and in order to not over
2600 	 * complicate our implementation, simply pretend that we never
2601 	 * received an IRK for such a device.
2602 	 *
2603 	 * The Identity Address must also be a Static Random or Public
2604 	 * Address, which hci_is_identity_address() checks for.
2605 	 */
2606 	if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2607 	    !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2608 		bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
2609 		goto distribute;
2610 	}
2611 
2612 	/* Drop IRK if peer is using identity address during pairing but is
2613 	 * providing different address as identity information.
2614 	 *
2615 	 * Microsoft Surface Precision Mouse is known to have this bug.
2616 	 */
2617 	if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
2618 	    (bacmp(&info->bdaddr, &hcon->dst) ||
2619 	     info->addr_type != hcon->dst_type)) {
2620 		bt_dev_err(hcon->hdev,
2621 			   "ignoring IRK with invalid identity address");
2622 		goto distribute;
2623 	}
2624 
2625 	bacpy(&smp->id_addr, &info->bdaddr);
2626 	smp->id_addr_type = info->addr_type;
2627 
2628 	if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2629 		bacpy(&rpa, &hcon->dst);
2630 	else
2631 		bacpy(&rpa, BDADDR_ANY);
2632 
2633 	smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2634 				      smp->id_addr_type, smp->irk, &rpa);
2635 
2636 distribute:
2637 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2638 		smp_distribute_keys(smp);
2639 
2640 	return 0;
2641 }
2642 
2643 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2644 {
2645 	struct smp_cmd_sign_info *rp = (void *) skb->data;
2646 	struct l2cap_chan *chan = conn->smp;
2647 	struct smp_chan *smp = chan->data;
2648 	struct smp_csrk *csrk;
2649 
2650 	BT_DBG("conn %p", conn);
2651 
2652 	if (skb->len < sizeof(*rp))
2653 		return SMP_INVALID_PARAMS;
2654 
2655 	/* Mark the information as received */
2656 	smp->remote_key_dist &= ~SMP_DIST_SIGN;
2657 
2658 	skb_pull(skb, sizeof(*rp));
2659 
2660 	csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2661 	if (csrk) {
2662 		if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2663 			csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2664 		else
2665 			csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2666 		memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2667 	}
2668 	smp->csrk = csrk;
2669 	smp_distribute_keys(smp);
2670 
2671 	return 0;
2672 }
2673 
2674 static u8 sc_select_method(struct smp_chan *smp)
2675 {
2676 	struct l2cap_conn *conn = smp->conn;
2677 	struct hci_conn *hcon = conn->hcon;
2678 	struct smp_cmd_pairing *local, *remote;
2679 	u8 local_mitm, remote_mitm, local_io, remote_io, method;
2680 
2681 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2682 	    test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2683 		return REQ_OOB;
2684 
2685 	/* The preq/prsp contain the raw Pairing Request/Response PDUs
2686 	 * which are needed as inputs to some crypto functions. To get
2687 	 * the "struct smp_cmd_pairing" from them we need to skip the
2688 	 * first byte which contains the opcode.
2689 	 */
2690 	if (hcon->out) {
2691 		local = (void *) &smp->preq[1];
2692 		remote = (void *) &smp->prsp[1];
2693 	} else {
2694 		local = (void *) &smp->prsp[1];
2695 		remote = (void *) &smp->preq[1];
2696 	}
2697 
2698 	local_io = local->io_capability;
2699 	remote_io = remote->io_capability;
2700 
2701 	local_mitm = (local->auth_req & SMP_AUTH_MITM);
2702 	remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2703 
2704 	/* If either side wants MITM, look up the method from the table,
2705 	 * otherwise use JUST WORKS.
2706 	 */
2707 	if (local_mitm || remote_mitm)
2708 		method = get_auth_method(smp, local_io, remote_io);
2709 	else
2710 		method = JUST_WORKS;
2711 
2712 	/* Don't confirm locally initiated pairing attempts */
2713 	if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2714 		method = JUST_WORKS;
2715 
2716 	return method;
2717 }
2718 
2719 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2720 {
2721 	struct smp_cmd_public_key *key = (void *) skb->data;
2722 	struct hci_conn *hcon = conn->hcon;
2723 	struct l2cap_chan *chan = conn->smp;
2724 	struct smp_chan *smp = chan->data;
2725 	struct hci_dev *hdev = hcon->hdev;
2726 	struct crypto_kpp *tfm_ecdh;
2727 	struct smp_cmd_pairing_confirm cfm;
2728 	int err;
2729 
2730 	BT_DBG("conn %p", conn);
2731 
2732 	if (skb->len < sizeof(*key))
2733 		return SMP_INVALID_PARAMS;
2734 
2735 	memcpy(smp->remote_pk, key, 64);
2736 
2737 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2738 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2739 			     smp->rr, 0, cfm.confirm_val);
2740 		if (err)
2741 			return SMP_UNSPECIFIED;
2742 
2743 		if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2744 			return SMP_CONFIRM_FAILED;
2745 	}
2746 
2747 	/* Non-initiating device sends its public key after receiving
2748 	 * the key from the initiating device.
2749 	 */
2750 	if (!hcon->out) {
2751 		err = sc_send_public_key(smp);
2752 		if (err)
2753 			return err;
2754 	}
2755 
2756 	SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2757 	SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2758 
2759 	/* Compute the shared secret on the same crypto tfm on which the private
2760 	 * key was set/generated.
2761 	 */
2762 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
2763 		struct l2cap_chan *hchan = hdev->smp_data;
2764 		struct smp_dev *smp_dev;
2765 
2766 		if (!hchan || !hchan->data)
2767 			return SMP_UNSPECIFIED;
2768 
2769 		smp_dev = hchan->data;
2770 
2771 		tfm_ecdh = smp_dev->tfm_ecdh;
2772 	} else {
2773 		tfm_ecdh = smp->tfm_ecdh;
2774 	}
2775 
2776 	if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
2777 		return SMP_UNSPECIFIED;
2778 
2779 	SMP_DBG("DHKey %32phN", smp->dhkey);
2780 
2781 	set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2782 
2783 	smp->method = sc_select_method(smp);
2784 
2785 	BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2786 
2787 	/* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2788 	if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2789 		hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2790 	else
2791 		hcon->pending_sec_level = BT_SECURITY_FIPS;
2792 
2793 	if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2794 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2795 
2796 	if (smp->method == DSP_PASSKEY) {
2797 		get_random_bytes(&hcon->passkey_notify,
2798 				 sizeof(hcon->passkey_notify));
2799 		hcon->passkey_notify %= 1000000;
2800 		hcon->passkey_entered = 0;
2801 		smp->passkey_round = 0;
2802 		if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2803 					     hcon->dst_type,
2804 					     hcon->passkey_notify,
2805 					     hcon->passkey_entered))
2806 			return SMP_UNSPECIFIED;
2807 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2808 		return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2809 	}
2810 
2811 	if (smp->method == REQ_OOB) {
2812 		if (hcon->out)
2813 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2814 				     sizeof(smp->prnd), smp->prnd);
2815 
2816 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2817 
2818 		return 0;
2819 	}
2820 
2821 	if (hcon->out)
2822 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2823 
2824 	if (smp->method == REQ_PASSKEY) {
2825 		if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2826 					      hcon->dst_type))
2827 			return SMP_UNSPECIFIED;
2828 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2829 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2830 		return 0;
2831 	}
2832 
2833 	/* The Initiating device waits for the non-initiating device to
2834 	 * send the confirm value.
2835 	 */
2836 	if (conn->hcon->out)
2837 		return 0;
2838 
2839 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2840 		     0, cfm.confirm_val);
2841 	if (err)
2842 		return SMP_UNSPECIFIED;
2843 
2844 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2845 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2846 
2847 	return 0;
2848 }
2849 
2850 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2851 {
2852 	struct smp_cmd_dhkey_check *check = (void *) skb->data;
2853 	struct l2cap_chan *chan = conn->smp;
2854 	struct hci_conn *hcon = conn->hcon;
2855 	struct smp_chan *smp = chan->data;
2856 	u8 a[7], b[7], *local_addr, *remote_addr;
2857 	u8 io_cap[3], r[16], e[16];
2858 	int err;
2859 
2860 	BT_DBG("conn %p", conn);
2861 
2862 	if (skb->len < sizeof(*check))
2863 		return SMP_INVALID_PARAMS;
2864 
2865 	memcpy(a, &hcon->init_addr, 6);
2866 	memcpy(b, &hcon->resp_addr, 6);
2867 	a[6] = hcon->init_addr_type;
2868 	b[6] = hcon->resp_addr_type;
2869 
2870 	if (hcon->out) {
2871 		local_addr = a;
2872 		remote_addr = b;
2873 		memcpy(io_cap, &smp->prsp[1], 3);
2874 	} else {
2875 		local_addr = b;
2876 		remote_addr = a;
2877 		memcpy(io_cap, &smp->preq[1], 3);
2878 	}
2879 
2880 	memset(r, 0, sizeof(r));
2881 
2882 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2883 		put_unaligned_le32(hcon->passkey_notify, r);
2884 	else if (smp->method == REQ_OOB)
2885 		memcpy(r, smp->lr, 16);
2886 
2887 	err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2888 		     io_cap, remote_addr, local_addr, e);
2889 	if (err)
2890 		return SMP_UNSPECIFIED;
2891 
2892 	if (crypto_memneq(check->e, e, 16))
2893 		return SMP_DHKEY_CHECK_FAILED;
2894 
2895 	if (!hcon->out) {
2896 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2897 			set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2898 			return 0;
2899 		}
2900 
2901 		/* Slave sends DHKey check as response to master */
2902 		sc_dhkey_check(smp);
2903 	}
2904 
2905 	sc_add_ltk(smp);
2906 
2907 	if (hcon->out) {
2908 		hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2909 		hcon->enc_key_size = smp->enc_key_size;
2910 	}
2911 
2912 	return 0;
2913 }
2914 
2915 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2916 				   struct sk_buff *skb)
2917 {
2918 	struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2919 
2920 	BT_DBG("value 0x%02x", kp->value);
2921 
2922 	return 0;
2923 }
2924 
2925 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2926 {
2927 	struct l2cap_conn *conn = chan->conn;
2928 	struct hci_conn *hcon = conn->hcon;
2929 	struct smp_chan *smp;
2930 	__u8 code, reason;
2931 	int err = 0;
2932 
2933 	if (skb->len < 1)
2934 		return -EILSEQ;
2935 
2936 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2937 		reason = SMP_PAIRING_NOTSUPP;
2938 		goto done;
2939 	}
2940 
2941 	code = skb->data[0];
2942 	skb_pull(skb, sizeof(code));
2943 
2944 	smp = chan->data;
2945 
2946 	if (code > SMP_CMD_MAX)
2947 		goto drop;
2948 
2949 	if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2950 		goto drop;
2951 
2952 	/* If we don't have a context the only allowed commands are
2953 	 * pairing request and security request.
2954 	 */
2955 	if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2956 		goto drop;
2957 
2958 	switch (code) {
2959 	case SMP_CMD_PAIRING_REQ:
2960 		reason = smp_cmd_pairing_req(conn, skb);
2961 		break;
2962 
2963 	case SMP_CMD_PAIRING_FAIL:
2964 		smp_failure(conn, 0);
2965 		err = -EPERM;
2966 		break;
2967 
2968 	case SMP_CMD_PAIRING_RSP:
2969 		reason = smp_cmd_pairing_rsp(conn, skb);
2970 		break;
2971 
2972 	case SMP_CMD_SECURITY_REQ:
2973 		reason = smp_cmd_security_req(conn, skb);
2974 		break;
2975 
2976 	case SMP_CMD_PAIRING_CONFIRM:
2977 		reason = smp_cmd_pairing_confirm(conn, skb);
2978 		break;
2979 
2980 	case SMP_CMD_PAIRING_RANDOM:
2981 		reason = smp_cmd_pairing_random(conn, skb);
2982 		break;
2983 
2984 	case SMP_CMD_ENCRYPT_INFO:
2985 		reason = smp_cmd_encrypt_info(conn, skb);
2986 		break;
2987 
2988 	case SMP_CMD_MASTER_IDENT:
2989 		reason = smp_cmd_master_ident(conn, skb);
2990 		break;
2991 
2992 	case SMP_CMD_IDENT_INFO:
2993 		reason = smp_cmd_ident_info(conn, skb);
2994 		break;
2995 
2996 	case SMP_CMD_IDENT_ADDR_INFO:
2997 		reason = smp_cmd_ident_addr_info(conn, skb);
2998 		break;
2999 
3000 	case SMP_CMD_SIGN_INFO:
3001 		reason = smp_cmd_sign_info(conn, skb);
3002 		break;
3003 
3004 	case SMP_CMD_PUBLIC_KEY:
3005 		reason = smp_cmd_public_key(conn, skb);
3006 		break;
3007 
3008 	case SMP_CMD_DHKEY_CHECK:
3009 		reason = smp_cmd_dhkey_check(conn, skb);
3010 		break;
3011 
3012 	case SMP_CMD_KEYPRESS_NOTIFY:
3013 		reason = smp_cmd_keypress_notify(conn, skb);
3014 		break;
3015 
3016 	default:
3017 		BT_DBG("Unknown command code 0x%2.2x", code);
3018 		reason = SMP_CMD_NOTSUPP;
3019 		goto done;
3020 	}
3021 
3022 done:
3023 	if (!err) {
3024 		if (reason)
3025 			smp_failure(conn, reason);
3026 		kfree_skb(skb);
3027 	}
3028 
3029 	return err;
3030 
3031 drop:
3032 	bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
3033 		   code, &hcon->dst);
3034 	kfree_skb(skb);
3035 	return 0;
3036 }
3037 
3038 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
3039 {
3040 	struct l2cap_conn *conn = chan->conn;
3041 
3042 	BT_DBG("chan %p", chan);
3043 
3044 	if (chan->data)
3045 		smp_chan_destroy(conn);
3046 
3047 	conn->smp = NULL;
3048 	l2cap_chan_put(chan);
3049 }
3050 
3051 static void bredr_pairing(struct l2cap_chan *chan)
3052 {
3053 	struct l2cap_conn *conn = chan->conn;
3054 	struct hci_conn *hcon = conn->hcon;
3055 	struct hci_dev *hdev = hcon->hdev;
3056 	struct smp_cmd_pairing req;
3057 	struct smp_chan *smp;
3058 
3059 	BT_DBG("chan %p", chan);
3060 
3061 	/* Only new pairings are interesting */
3062 	if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
3063 		return;
3064 
3065 	/* Don't bother if we're not encrypted */
3066 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3067 		return;
3068 
3069 	/* Only master may initiate SMP over BR/EDR */
3070 	if (hcon->role != HCI_ROLE_MASTER)
3071 		return;
3072 
3073 	/* Secure Connections support must be enabled */
3074 	if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
3075 		return;
3076 
3077 	/* BR/EDR must use Secure Connections for SMP */
3078 	if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
3079 	    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3080 		return;
3081 
3082 	/* If our LE support is not enabled don't do anything */
3083 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3084 		return;
3085 
3086 	/* Don't bother if remote LE support is not enabled */
3087 	if (!lmp_host_le_capable(hcon))
3088 		return;
3089 
3090 	/* Remote must support SMP fixed chan for BR/EDR */
3091 	if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3092 		return;
3093 
3094 	/* Don't bother if SMP is already ongoing */
3095 	if (chan->data)
3096 		return;
3097 
3098 	smp = smp_chan_create(conn);
3099 	if (!smp) {
3100 		bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
3101 		return;
3102 	}
3103 
3104 	set_bit(SMP_FLAG_SC, &smp->flags);
3105 
3106 	BT_DBG("%s starting SMP over BR/EDR", hdev->name);
3107 
3108 	/* Prepare and send the BR/EDR SMP Pairing Request */
3109 	build_bredr_pairing_cmd(smp, &req, NULL);
3110 
3111 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
3112 	memcpy(&smp->preq[1], &req, sizeof(req));
3113 
3114 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3115 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3116 }
3117 
3118 static void smp_resume_cb(struct l2cap_chan *chan)
3119 {
3120 	struct smp_chan *smp = chan->data;
3121 	struct l2cap_conn *conn = chan->conn;
3122 	struct hci_conn *hcon = conn->hcon;
3123 
3124 	BT_DBG("chan %p", chan);
3125 
3126 	if (hcon->type == ACL_LINK) {
3127 		bredr_pairing(chan);
3128 		return;
3129 	}
3130 
3131 	if (!smp)
3132 		return;
3133 
3134 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3135 		return;
3136 
3137 	cancel_delayed_work(&smp->security_timer);
3138 
3139 	smp_distribute_keys(smp);
3140 }
3141 
3142 static void smp_ready_cb(struct l2cap_chan *chan)
3143 {
3144 	struct l2cap_conn *conn = chan->conn;
3145 	struct hci_conn *hcon = conn->hcon;
3146 
3147 	BT_DBG("chan %p", chan);
3148 
3149 	/* No need to call l2cap_chan_hold() here since we already own
3150 	 * the reference taken in smp_new_conn_cb(). This is just the
3151 	 * first time that we tie it to a specific pointer. The code in
3152 	 * l2cap_core.c ensures that there's no risk this function wont
3153 	 * get called if smp_new_conn_cb was previously called.
3154 	 */
3155 	conn->smp = chan;
3156 
3157 	if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3158 		bredr_pairing(chan);
3159 }
3160 
3161 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3162 {
3163 	int err;
3164 
3165 	BT_DBG("chan %p", chan);
3166 
3167 	err = smp_sig_channel(chan, skb);
3168 	if (err) {
3169 		struct smp_chan *smp = chan->data;
3170 
3171 		if (smp)
3172 			cancel_delayed_work_sync(&smp->security_timer);
3173 
3174 		hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3175 	}
3176 
3177 	return err;
3178 }
3179 
3180 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3181 					unsigned long hdr_len,
3182 					unsigned long len, int nb)
3183 {
3184 	struct sk_buff *skb;
3185 
3186 	skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3187 	if (!skb)
3188 		return ERR_PTR(-ENOMEM);
3189 
3190 	skb->priority = HCI_PRIO_MAX;
3191 	bt_cb(skb)->l2cap.chan = chan;
3192 
3193 	return skb;
3194 }
3195 
3196 static const struct l2cap_ops smp_chan_ops = {
3197 	.name			= "Security Manager",
3198 	.ready			= smp_ready_cb,
3199 	.recv			= smp_recv_cb,
3200 	.alloc_skb		= smp_alloc_skb_cb,
3201 	.teardown		= smp_teardown_cb,
3202 	.resume			= smp_resume_cb,
3203 
3204 	.new_connection		= l2cap_chan_no_new_connection,
3205 	.state_change		= l2cap_chan_no_state_change,
3206 	.close			= l2cap_chan_no_close,
3207 	.defer			= l2cap_chan_no_defer,
3208 	.suspend		= l2cap_chan_no_suspend,
3209 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3210 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3211 };
3212 
3213 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3214 {
3215 	struct l2cap_chan *chan;
3216 
3217 	BT_DBG("pchan %p", pchan);
3218 
3219 	chan = l2cap_chan_create();
3220 	if (!chan)
3221 		return NULL;
3222 
3223 	chan->chan_type	= pchan->chan_type;
3224 	chan->ops	= &smp_chan_ops;
3225 	chan->scid	= pchan->scid;
3226 	chan->dcid	= chan->scid;
3227 	chan->imtu	= pchan->imtu;
3228 	chan->omtu	= pchan->omtu;
3229 	chan->mode	= pchan->mode;
3230 
3231 	/* Other L2CAP channels may request SMP routines in order to
3232 	 * change the security level. This means that the SMP channel
3233 	 * lock must be considered in its own category to avoid lockdep
3234 	 * warnings.
3235 	 */
3236 	atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3237 
3238 	BT_DBG("created chan %p", chan);
3239 
3240 	return chan;
3241 }
3242 
3243 static const struct l2cap_ops smp_root_chan_ops = {
3244 	.name			= "Security Manager Root",
3245 	.new_connection		= smp_new_conn_cb,
3246 
3247 	/* None of these are implemented for the root channel */
3248 	.close			= l2cap_chan_no_close,
3249 	.alloc_skb		= l2cap_chan_no_alloc_skb,
3250 	.recv			= l2cap_chan_no_recv,
3251 	.state_change		= l2cap_chan_no_state_change,
3252 	.teardown		= l2cap_chan_no_teardown,
3253 	.ready			= l2cap_chan_no_ready,
3254 	.defer			= l2cap_chan_no_defer,
3255 	.suspend		= l2cap_chan_no_suspend,
3256 	.resume			= l2cap_chan_no_resume,
3257 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3258 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3259 };
3260 
3261 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3262 {
3263 	struct l2cap_chan *chan;
3264 	struct smp_dev *smp;
3265 	struct crypto_shash *tfm_cmac;
3266 	struct crypto_kpp *tfm_ecdh;
3267 
3268 	if (cid == L2CAP_CID_SMP_BREDR) {
3269 		smp = NULL;
3270 		goto create_chan;
3271 	}
3272 
3273 	smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3274 	if (!smp)
3275 		return ERR_PTR(-ENOMEM);
3276 
3277 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3278 	if (IS_ERR(tfm_cmac)) {
3279 		BT_ERR("Unable to create CMAC crypto context");
3280 		kfree_sensitive(smp);
3281 		return ERR_CAST(tfm_cmac);
3282 	}
3283 
3284 	tfm_ecdh = crypto_alloc_kpp("ecdh", 0, 0);
3285 	if (IS_ERR(tfm_ecdh)) {
3286 		BT_ERR("Unable to create ECDH crypto context");
3287 		crypto_free_shash(tfm_cmac);
3288 		kfree_sensitive(smp);
3289 		return ERR_CAST(tfm_ecdh);
3290 	}
3291 
3292 	smp->local_oob = false;
3293 	smp->tfm_cmac = tfm_cmac;
3294 	smp->tfm_ecdh = tfm_ecdh;
3295 
3296 create_chan:
3297 	chan = l2cap_chan_create();
3298 	if (!chan) {
3299 		if (smp) {
3300 			crypto_free_shash(smp->tfm_cmac);
3301 			crypto_free_kpp(smp->tfm_ecdh);
3302 			kfree_sensitive(smp);
3303 		}
3304 		return ERR_PTR(-ENOMEM);
3305 	}
3306 
3307 	chan->data = smp;
3308 
3309 	l2cap_add_scid(chan, cid);
3310 
3311 	l2cap_chan_set_defaults(chan);
3312 
3313 	if (cid == L2CAP_CID_SMP) {
3314 		u8 bdaddr_type;
3315 
3316 		hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3317 
3318 		if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3319 			chan->src_type = BDADDR_LE_PUBLIC;
3320 		else
3321 			chan->src_type = BDADDR_LE_RANDOM;
3322 	} else {
3323 		bacpy(&chan->src, &hdev->bdaddr);
3324 		chan->src_type = BDADDR_BREDR;
3325 	}
3326 
3327 	chan->state = BT_LISTEN;
3328 	chan->mode = L2CAP_MODE_BASIC;
3329 	chan->imtu = L2CAP_DEFAULT_MTU;
3330 	chan->ops = &smp_root_chan_ops;
3331 
3332 	/* Set correct nesting level for a parent/listening channel */
3333 	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3334 
3335 	return chan;
3336 }
3337 
3338 static void smp_del_chan(struct l2cap_chan *chan)
3339 {
3340 	struct smp_dev *smp;
3341 
3342 	BT_DBG("chan %p", chan);
3343 
3344 	smp = chan->data;
3345 	if (smp) {
3346 		chan->data = NULL;
3347 		crypto_free_shash(smp->tfm_cmac);
3348 		crypto_free_kpp(smp->tfm_ecdh);
3349 		kfree_sensitive(smp);
3350 	}
3351 
3352 	l2cap_chan_put(chan);
3353 }
3354 
3355 int smp_force_bredr(struct hci_dev *hdev, bool enable)
3356 {
3357 	if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3358 		return -EALREADY;
3359 
3360 	if (enable) {
3361 		struct l2cap_chan *chan;
3362 
3363 		chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3364 		if (IS_ERR(chan))
3365 			return PTR_ERR(chan);
3366 
3367 		hdev->smp_bredr_data = chan;
3368 	} else {
3369 		struct l2cap_chan *chan;
3370 
3371 		chan = hdev->smp_bredr_data;
3372 		hdev->smp_bredr_data = NULL;
3373 		smp_del_chan(chan);
3374 	}
3375 
3376 	hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3377 
3378 	return 0;
3379 }
3380 
3381 int smp_register(struct hci_dev *hdev)
3382 {
3383 	struct l2cap_chan *chan;
3384 
3385 	BT_DBG("%s", hdev->name);
3386 
3387 	/* If the controller does not support Low Energy operation, then
3388 	 * there is also no need to register any SMP channel.
3389 	 */
3390 	if (!lmp_le_capable(hdev))
3391 		return 0;
3392 
3393 	if (WARN_ON(hdev->smp_data)) {
3394 		chan = hdev->smp_data;
3395 		hdev->smp_data = NULL;
3396 		smp_del_chan(chan);
3397 	}
3398 
3399 	chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3400 	if (IS_ERR(chan))
3401 		return PTR_ERR(chan);
3402 
3403 	hdev->smp_data = chan;
3404 
3405 	if (!lmp_sc_capable(hdev)) {
3406 		/* Flag can be already set here (due to power toggle) */
3407 		if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3408 			return 0;
3409 	}
3410 
3411 	if (WARN_ON(hdev->smp_bredr_data)) {
3412 		chan = hdev->smp_bredr_data;
3413 		hdev->smp_bredr_data = NULL;
3414 		smp_del_chan(chan);
3415 	}
3416 
3417 	chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3418 	if (IS_ERR(chan)) {
3419 		int err = PTR_ERR(chan);
3420 		chan = hdev->smp_data;
3421 		hdev->smp_data = NULL;
3422 		smp_del_chan(chan);
3423 		return err;
3424 	}
3425 
3426 	hdev->smp_bredr_data = chan;
3427 
3428 	return 0;
3429 }
3430 
3431 void smp_unregister(struct hci_dev *hdev)
3432 {
3433 	struct l2cap_chan *chan;
3434 
3435 	if (hdev->smp_bredr_data) {
3436 		chan = hdev->smp_bredr_data;
3437 		hdev->smp_bredr_data = NULL;
3438 		smp_del_chan(chan);
3439 	}
3440 
3441 	if (hdev->smp_data) {
3442 		chan = hdev->smp_data;
3443 		hdev->smp_data = NULL;
3444 		smp_del_chan(chan);
3445 	}
3446 }
3447 
3448 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3449 
3450 static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
3451 {
3452 	u8 pk[64];
3453 	int err;
3454 
3455 	err = set_ecdh_privkey(tfm_ecdh, debug_sk);
3456 	if (err)
3457 		return err;
3458 
3459 	err = generate_ecdh_public_key(tfm_ecdh, pk);
3460 	if (err)
3461 		return err;
3462 
3463 	if (crypto_memneq(pk, debug_pk, 64))
3464 		return -EINVAL;
3465 
3466 	return 0;
3467 }
3468 
3469 static int __init test_ah(void)
3470 {
3471 	const u8 irk[16] = {
3472 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3473 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3474 	const u8 r[3] = { 0x94, 0x81, 0x70 };
3475 	const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3476 	u8 res[3];
3477 	int err;
3478 
3479 	err = smp_ah(irk, r, res);
3480 	if (err)
3481 		return err;
3482 
3483 	if (crypto_memneq(res, exp, 3))
3484 		return -EINVAL;
3485 
3486 	return 0;
3487 }
3488 
3489 static int __init test_c1(void)
3490 {
3491 	const u8 k[16] = {
3492 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3493 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3494 	const u8 r[16] = {
3495 			0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3496 			0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3497 	const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3498 	const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3499 	const u8 _iat = 0x01;
3500 	const u8 _rat = 0x00;
3501 	const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3502 	const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3503 	const u8 exp[16] = {
3504 			0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3505 			0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3506 	u8 res[16];
3507 	int err;
3508 
3509 	err = smp_c1(k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3510 	if (err)
3511 		return err;
3512 
3513 	if (crypto_memneq(res, exp, 16))
3514 		return -EINVAL;
3515 
3516 	return 0;
3517 }
3518 
3519 static int __init test_s1(void)
3520 {
3521 	const u8 k[16] = {
3522 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3523 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3524 	const u8 r1[16] = {
3525 			0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3526 	const u8 r2[16] = {
3527 			0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3528 	const u8 exp[16] = {
3529 			0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3530 			0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3531 	u8 res[16];
3532 	int err;
3533 
3534 	err = smp_s1(k, r1, r2, res);
3535 	if (err)
3536 		return err;
3537 
3538 	if (crypto_memneq(res, exp, 16))
3539 		return -EINVAL;
3540 
3541 	return 0;
3542 }
3543 
3544 static int __init test_f4(struct crypto_shash *tfm_cmac)
3545 {
3546 	const u8 u[32] = {
3547 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3548 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3549 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3550 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3551 	const u8 v[32] = {
3552 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3553 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3554 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3555 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3556 	const u8 x[16] = {
3557 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3558 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3559 	const u8 z = 0x00;
3560 	const u8 exp[16] = {
3561 			0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3562 			0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3563 	u8 res[16];
3564 	int err;
3565 
3566 	err = smp_f4(tfm_cmac, u, v, x, z, res);
3567 	if (err)
3568 		return err;
3569 
3570 	if (crypto_memneq(res, exp, 16))
3571 		return -EINVAL;
3572 
3573 	return 0;
3574 }
3575 
3576 static int __init test_f5(struct crypto_shash *tfm_cmac)
3577 {
3578 	const u8 w[32] = {
3579 			0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3580 			0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3581 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3582 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3583 	const u8 n1[16] = {
3584 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3585 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3586 	const u8 n2[16] = {
3587 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3588 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3589 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3590 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3591 	const u8 exp_ltk[16] = {
3592 			0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3593 			0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3594 	const u8 exp_mackey[16] = {
3595 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3596 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3597 	u8 mackey[16], ltk[16];
3598 	int err;
3599 
3600 	err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3601 	if (err)
3602 		return err;
3603 
3604 	if (crypto_memneq(mackey, exp_mackey, 16))
3605 		return -EINVAL;
3606 
3607 	if (crypto_memneq(ltk, exp_ltk, 16))
3608 		return -EINVAL;
3609 
3610 	return 0;
3611 }
3612 
3613 static int __init test_f6(struct crypto_shash *tfm_cmac)
3614 {
3615 	const u8 w[16] = {
3616 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3617 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3618 	const u8 n1[16] = {
3619 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3620 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3621 	const u8 n2[16] = {
3622 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3623 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3624 	const u8 r[16] = {
3625 			0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3626 			0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3627 	const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3628 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3629 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3630 	const u8 exp[16] = {
3631 			0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3632 			0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3633 	u8 res[16];
3634 	int err;
3635 
3636 	err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3637 	if (err)
3638 		return err;
3639 
3640 	if (crypto_memneq(res, exp, 16))
3641 		return -EINVAL;
3642 
3643 	return 0;
3644 }
3645 
3646 static int __init test_g2(struct crypto_shash *tfm_cmac)
3647 {
3648 	const u8 u[32] = {
3649 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3650 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3651 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3652 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3653 	const u8 v[32] = {
3654 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3655 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3656 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3657 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3658 	const u8 x[16] = {
3659 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3660 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3661 	const u8 y[16] = {
3662 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3663 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3664 	const u32 exp_val = 0x2f9ed5ba % 1000000;
3665 	u32 val;
3666 	int err;
3667 
3668 	err = smp_g2(tfm_cmac, u, v, x, y, &val);
3669 	if (err)
3670 		return err;
3671 
3672 	if (val != exp_val)
3673 		return -EINVAL;
3674 
3675 	return 0;
3676 }
3677 
3678 static int __init test_h6(struct crypto_shash *tfm_cmac)
3679 {
3680 	const u8 w[16] = {
3681 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3682 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3683 	const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3684 	const u8 exp[16] = {
3685 			0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3686 			0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3687 	u8 res[16];
3688 	int err;
3689 
3690 	err = smp_h6(tfm_cmac, w, key_id, res);
3691 	if (err)
3692 		return err;
3693 
3694 	if (crypto_memneq(res, exp, 16))
3695 		return -EINVAL;
3696 
3697 	return 0;
3698 }
3699 
3700 static char test_smp_buffer[32];
3701 
3702 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3703 			     size_t count, loff_t *ppos)
3704 {
3705 	return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3706 				       strlen(test_smp_buffer));
3707 }
3708 
3709 static const struct file_operations test_smp_fops = {
3710 	.open		= simple_open,
3711 	.read		= test_smp_read,
3712 	.llseek		= default_llseek,
3713 };
3714 
3715 static int __init run_selftests(struct crypto_shash *tfm_cmac,
3716 				struct crypto_kpp *tfm_ecdh)
3717 {
3718 	ktime_t calltime, delta, rettime;
3719 	unsigned long long duration;
3720 	int err;
3721 
3722 	calltime = ktime_get();
3723 
3724 	err = test_debug_key(tfm_ecdh);
3725 	if (err) {
3726 		BT_ERR("debug_key test failed");
3727 		goto done;
3728 	}
3729 
3730 	err = test_ah();
3731 	if (err) {
3732 		BT_ERR("smp_ah test failed");
3733 		goto done;
3734 	}
3735 
3736 	err = test_c1();
3737 	if (err) {
3738 		BT_ERR("smp_c1 test failed");
3739 		goto done;
3740 	}
3741 
3742 	err = test_s1();
3743 	if (err) {
3744 		BT_ERR("smp_s1 test failed");
3745 		goto done;
3746 	}
3747 
3748 	err = test_f4(tfm_cmac);
3749 	if (err) {
3750 		BT_ERR("smp_f4 test failed");
3751 		goto done;
3752 	}
3753 
3754 	err = test_f5(tfm_cmac);
3755 	if (err) {
3756 		BT_ERR("smp_f5 test failed");
3757 		goto done;
3758 	}
3759 
3760 	err = test_f6(tfm_cmac);
3761 	if (err) {
3762 		BT_ERR("smp_f6 test failed");
3763 		goto done;
3764 	}
3765 
3766 	err = test_g2(tfm_cmac);
3767 	if (err) {
3768 		BT_ERR("smp_g2 test failed");
3769 		goto done;
3770 	}
3771 
3772 	err = test_h6(tfm_cmac);
3773 	if (err) {
3774 		BT_ERR("smp_h6 test failed");
3775 		goto done;
3776 	}
3777 
3778 	rettime = ktime_get();
3779 	delta = ktime_sub(rettime, calltime);
3780 	duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3781 
3782 	BT_INFO("SMP test passed in %llu usecs", duration);
3783 
3784 done:
3785 	if (!err)
3786 		snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3787 			 "PASS (%llu usecs)\n", duration);
3788 	else
3789 		snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3790 
3791 	debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3792 			    &test_smp_fops);
3793 
3794 	return err;
3795 }
3796 
3797 int __init bt_selftest_smp(void)
3798 {
3799 	struct crypto_shash *tfm_cmac;
3800 	struct crypto_kpp *tfm_ecdh;
3801 	int err;
3802 
3803 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3804 	if (IS_ERR(tfm_cmac)) {
3805 		BT_ERR("Unable to create CMAC crypto context");
3806 		return PTR_ERR(tfm_cmac);
3807 	}
3808 
3809 	tfm_ecdh = crypto_alloc_kpp("ecdh", 0, 0);
3810 	if (IS_ERR(tfm_ecdh)) {
3811 		BT_ERR("Unable to create ECDH crypto context");
3812 		crypto_free_shash(tfm_cmac);
3813 		return PTR_ERR(tfm_ecdh);
3814 	}
3815 
3816 	err = run_selftests(tfm_cmac, tfm_ecdh);
3817 
3818 	crypto_free_shash(tfm_cmac);
3819 	crypto_free_kpp(tfm_ecdh);
3820 
3821 	return err;
3822 }
3823 
3824 #endif
3825