xref: /openbmc/linux/net/bluetooth/smp.c (revision e72e8bf1)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4 
5    This program is free software; you can redistribute it and/or modify
6    it under the terms of the GNU General Public License version 2 as
7    published by the Free Software Foundation;
8 
9    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 
18    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20    SOFTWARE IS DISCLAIMED.
21 */
22 
23 #include <linux/debugfs.h>
24 #include <linux/scatterlist.h>
25 #include <linux/crypto.h>
26 #include <crypto/aes.h>
27 #include <crypto/algapi.h>
28 #include <crypto/b128ops.h>
29 #include <crypto/hash.h>
30 #include <crypto/kpp.h>
31 
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/l2cap.h>
35 #include <net/bluetooth/mgmt.h>
36 
37 #include "ecdh_helper.h"
38 #include "smp.h"
39 
40 #define SMP_DEV(hdev) \
41 	((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
42 
43 /* Low-level debug macros to be used for stuff that we don't want
44  * accidentially in dmesg, i.e. the values of the various crypto keys
45  * and the inputs & outputs of crypto functions.
46  */
47 #ifdef DEBUG
48 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
49 				 ##__VA_ARGS__)
50 #else
51 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
52 				    ##__VA_ARGS__)
53 #endif
54 
55 #define SMP_ALLOW_CMD(smp, code)	set_bit(code, &smp->allow_cmd)
56 
57 /* Keys which are not distributed with Secure Connections */
58 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
59 
60 #define SMP_TIMEOUT	msecs_to_jiffies(30000)
61 
62 #define AUTH_REQ_MASK(dev)	(hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
63 				 0x3f : 0x07)
64 #define KEY_DIST_MASK		0x07
65 
66 /* Maximum message length that can be passed to aes_cmac */
67 #define CMAC_MSG_MAX	80
68 
69 enum {
70 	SMP_FLAG_TK_VALID,
71 	SMP_FLAG_CFM_PENDING,
72 	SMP_FLAG_MITM_AUTH,
73 	SMP_FLAG_COMPLETE,
74 	SMP_FLAG_INITIATOR,
75 	SMP_FLAG_SC,
76 	SMP_FLAG_REMOTE_PK,
77 	SMP_FLAG_DEBUG_KEY,
78 	SMP_FLAG_WAIT_USER,
79 	SMP_FLAG_DHKEY_PENDING,
80 	SMP_FLAG_REMOTE_OOB,
81 	SMP_FLAG_LOCAL_OOB,
82 	SMP_FLAG_CT2,
83 };
84 
85 struct smp_dev {
86 	/* Secure Connections OOB data */
87 	bool			local_oob;
88 	u8			local_pk[64];
89 	u8			local_rand[16];
90 	bool			debug_key;
91 
92 	struct crypto_shash	*tfm_cmac;
93 	struct crypto_kpp	*tfm_ecdh;
94 };
95 
96 struct smp_chan {
97 	struct l2cap_conn	*conn;
98 	struct delayed_work	security_timer;
99 	unsigned long           allow_cmd; /* Bitmask of allowed commands */
100 
101 	u8		preq[7]; /* SMP Pairing Request */
102 	u8		prsp[7]; /* SMP Pairing Response */
103 	u8		prnd[16]; /* SMP Pairing Random (local) */
104 	u8		rrnd[16]; /* SMP Pairing Random (remote) */
105 	u8		pcnf[16]; /* SMP Pairing Confirm */
106 	u8		tk[16]; /* SMP Temporary Key */
107 	u8		rr[16]; /* Remote OOB ra/rb value */
108 	u8		lr[16]; /* Local OOB ra/rb value */
109 	u8		enc_key_size;
110 	u8		remote_key_dist;
111 	bdaddr_t	id_addr;
112 	u8		id_addr_type;
113 	u8		irk[16];
114 	struct smp_csrk	*csrk;
115 	struct smp_csrk	*slave_csrk;
116 	struct smp_ltk	*ltk;
117 	struct smp_ltk	*slave_ltk;
118 	struct smp_irk	*remote_irk;
119 	u8		*link_key;
120 	unsigned long	flags;
121 	u8		method;
122 	u8		passkey_round;
123 
124 	/* Secure Connections variables */
125 	u8			local_pk[64];
126 	u8			remote_pk[64];
127 	u8			dhkey[32];
128 	u8			mackey[16];
129 
130 	struct crypto_shash	*tfm_cmac;
131 	struct crypto_kpp	*tfm_ecdh;
132 };
133 
134 /* These debug key values are defined in the SMP section of the core
135  * specification. debug_pk is the public debug key and debug_sk the
136  * private debug key.
137  */
138 static const u8 debug_pk[64] = {
139 		0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
140 		0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
141 		0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
142 		0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
143 
144 		0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
145 		0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
146 		0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
147 		0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
148 };
149 
150 static const u8 debug_sk[32] = {
151 		0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
152 		0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
153 		0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
154 		0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
155 };
156 
157 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
158 {
159 	size_t i;
160 
161 	for (i = 0; i < len; i++)
162 		dst[len - 1 - i] = src[i];
163 }
164 
165 /* The following functions map to the LE SC SMP crypto functions
166  * AES-CMAC, f4, f5, f6, g2 and h6.
167  */
168 
169 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
170 		    size_t len, u8 mac[16])
171 {
172 	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
173 	SHASH_DESC_ON_STACK(desc, tfm);
174 	int err;
175 
176 	if (len > CMAC_MSG_MAX)
177 		return -EFBIG;
178 
179 	if (!tfm) {
180 		BT_ERR("tfm %p", tfm);
181 		return -EINVAL;
182 	}
183 
184 	desc->tfm = tfm;
185 
186 	/* Swap key and message from LSB to MSB */
187 	swap_buf(k, tmp, 16);
188 	swap_buf(m, msg_msb, len);
189 
190 	SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
191 	SMP_DBG("key %16phN", k);
192 
193 	err = crypto_shash_setkey(tfm, tmp, 16);
194 	if (err) {
195 		BT_ERR("cipher setkey failed: %d", err);
196 		return err;
197 	}
198 
199 	err = crypto_shash_digest(desc, msg_msb, len, mac_msb);
200 	shash_desc_zero(desc);
201 	if (err) {
202 		BT_ERR("Hash computation error %d", err);
203 		return err;
204 	}
205 
206 	swap_buf(mac_msb, mac, 16);
207 
208 	SMP_DBG("mac %16phN", mac);
209 
210 	return 0;
211 }
212 
213 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
214 		  const u8 v[32], const u8 x[16], u8 z, u8 res[16])
215 {
216 	u8 m[65];
217 	int err;
218 
219 	SMP_DBG("u %32phN", u);
220 	SMP_DBG("v %32phN", v);
221 	SMP_DBG("x %16phN z %02x", x, z);
222 
223 	m[0] = z;
224 	memcpy(m + 1, v, 32);
225 	memcpy(m + 33, u, 32);
226 
227 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
228 	if (err)
229 		return err;
230 
231 	SMP_DBG("res %16phN", res);
232 
233 	return err;
234 }
235 
236 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
237 		  const u8 n1[16], const u8 n2[16], const u8 a1[7],
238 		  const u8 a2[7], u8 mackey[16], u8 ltk[16])
239 {
240 	/* The btle, salt and length "magic" values are as defined in
241 	 * the SMP section of the Bluetooth core specification. In ASCII
242 	 * the btle value ends up being 'btle'. The salt is just a
243 	 * random number whereas length is the value 256 in little
244 	 * endian format.
245 	 */
246 	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
247 	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
248 			      0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
249 	const u8 length[2] = { 0x00, 0x01 };
250 	u8 m[53], t[16];
251 	int err;
252 
253 	SMP_DBG("w %32phN", w);
254 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
255 	SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
256 
257 	err = aes_cmac(tfm_cmac, salt, w, 32, t);
258 	if (err)
259 		return err;
260 
261 	SMP_DBG("t %16phN", t);
262 
263 	memcpy(m, length, 2);
264 	memcpy(m + 2, a2, 7);
265 	memcpy(m + 9, a1, 7);
266 	memcpy(m + 16, n2, 16);
267 	memcpy(m + 32, n1, 16);
268 	memcpy(m + 48, btle, 4);
269 
270 	m[52] = 0; /* Counter */
271 
272 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
273 	if (err)
274 		return err;
275 
276 	SMP_DBG("mackey %16phN", mackey);
277 
278 	m[52] = 1; /* Counter */
279 
280 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
281 	if (err)
282 		return err;
283 
284 	SMP_DBG("ltk %16phN", ltk);
285 
286 	return 0;
287 }
288 
289 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
290 		  const u8 n1[16], const u8 n2[16], const u8 r[16],
291 		  const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
292 		  u8 res[16])
293 {
294 	u8 m[65];
295 	int err;
296 
297 	SMP_DBG("w %16phN", w);
298 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
299 	SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
300 
301 	memcpy(m, a2, 7);
302 	memcpy(m + 7, a1, 7);
303 	memcpy(m + 14, io_cap, 3);
304 	memcpy(m + 17, r, 16);
305 	memcpy(m + 33, n2, 16);
306 	memcpy(m + 49, n1, 16);
307 
308 	err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
309 	if (err)
310 		return err;
311 
312 	SMP_DBG("res %16phN", res);
313 
314 	return err;
315 }
316 
317 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
318 		  const u8 x[16], const u8 y[16], u32 *val)
319 {
320 	u8 m[80], tmp[16];
321 	int err;
322 
323 	SMP_DBG("u %32phN", u);
324 	SMP_DBG("v %32phN", v);
325 	SMP_DBG("x %16phN y %16phN", x, y);
326 
327 	memcpy(m, y, 16);
328 	memcpy(m + 16, v, 32);
329 	memcpy(m + 48, u, 32);
330 
331 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
332 	if (err)
333 		return err;
334 
335 	*val = get_unaligned_le32(tmp);
336 	*val %= 1000000;
337 
338 	SMP_DBG("val %06u", *val);
339 
340 	return 0;
341 }
342 
343 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
344 		  const u8 key_id[4], u8 res[16])
345 {
346 	int err;
347 
348 	SMP_DBG("w %16phN key_id %4phN", w, key_id);
349 
350 	err = aes_cmac(tfm_cmac, w, key_id, 4, res);
351 	if (err)
352 		return err;
353 
354 	SMP_DBG("res %16phN", res);
355 
356 	return err;
357 }
358 
359 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
360 		  const u8 salt[16], u8 res[16])
361 {
362 	int err;
363 
364 	SMP_DBG("w %16phN salt %16phN", w, salt);
365 
366 	err = aes_cmac(tfm_cmac, salt, w, 16, res);
367 	if (err)
368 		return err;
369 
370 	SMP_DBG("res %16phN", res);
371 
372 	return err;
373 }
374 
375 /* The following functions map to the legacy SMP crypto functions e, c1,
376  * s1 and ah.
377  */
378 
379 static int smp_e(const u8 *k, u8 *r)
380 {
381 	struct crypto_aes_ctx ctx;
382 	uint8_t tmp[16], data[16];
383 	int err;
384 
385 	SMP_DBG("k %16phN r %16phN", k, r);
386 
387 	/* The most significant octet of key corresponds to k[0] */
388 	swap_buf(k, tmp, 16);
389 
390 	err = aes_expandkey(&ctx, tmp, 16);
391 	if (err) {
392 		BT_ERR("cipher setkey failed: %d", err);
393 		return err;
394 	}
395 
396 	/* Most significant octet of plaintextData corresponds to data[0] */
397 	swap_buf(r, data, 16);
398 
399 	aes_encrypt(&ctx, data, data);
400 
401 	/* Most significant octet of encryptedData corresponds to data[0] */
402 	swap_buf(data, r, 16);
403 
404 	SMP_DBG("r %16phN", r);
405 
406 	memzero_explicit(&ctx, sizeof (ctx));
407 	return err;
408 }
409 
410 static int smp_c1(const u8 k[16],
411 		  const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
412 		  const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
413 {
414 	u8 p1[16], p2[16];
415 	int err;
416 
417 	SMP_DBG("k %16phN r %16phN", k, r);
418 	SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
419 	SMP_DBG("preq %7phN pres %7phN", preq, pres);
420 
421 	memset(p1, 0, 16);
422 
423 	/* p1 = pres || preq || _rat || _iat */
424 	p1[0] = _iat;
425 	p1[1] = _rat;
426 	memcpy(p1 + 2, preq, 7);
427 	memcpy(p1 + 9, pres, 7);
428 
429 	SMP_DBG("p1 %16phN", p1);
430 
431 	/* res = r XOR p1 */
432 	u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
433 
434 	/* res = e(k, res) */
435 	err = smp_e(k, res);
436 	if (err) {
437 		BT_ERR("Encrypt data error");
438 		return err;
439 	}
440 
441 	/* p2 = padding || ia || ra */
442 	memcpy(p2, ra, 6);
443 	memcpy(p2 + 6, ia, 6);
444 	memset(p2 + 12, 0, 4);
445 
446 	SMP_DBG("p2 %16phN", p2);
447 
448 	/* res = res XOR p2 */
449 	u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
450 
451 	/* res = e(k, res) */
452 	err = smp_e(k, res);
453 	if (err)
454 		BT_ERR("Encrypt data error");
455 
456 	return err;
457 }
458 
459 static int smp_s1(const u8 k[16],
460 		  const u8 r1[16], const u8 r2[16], u8 _r[16])
461 {
462 	int err;
463 
464 	/* Just least significant octets from r1 and r2 are considered */
465 	memcpy(_r, r2, 8);
466 	memcpy(_r + 8, r1, 8);
467 
468 	err = smp_e(k, _r);
469 	if (err)
470 		BT_ERR("Encrypt data error");
471 
472 	return err;
473 }
474 
475 static int smp_ah(const u8 irk[16], const u8 r[3], u8 res[3])
476 {
477 	u8 _res[16];
478 	int err;
479 
480 	/* r' = padding || r */
481 	memcpy(_res, r, 3);
482 	memset(_res + 3, 0, 13);
483 
484 	err = smp_e(irk, _res);
485 	if (err) {
486 		BT_ERR("Encrypt error");
487 		return err;
488 	}
489 
490 	/* The output of the random address function ah is:
491 	 *	ah(k, r) = e(k, r') mod 2^24
492 	 * The output of the security function e is then truncated to 24 bits
493 	 * by taking the least significant 24 bits of the output of e as the
494 	 * result of ah.
495 	 */
496 	memcpy(res, _res, 3);
497 
498 	return 0;
499 }
500 
501 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
502 		     const bdaddr_t *bdaddr)
503 {
504 	struct l2cap_chan *chan = hdev->smp_data;
505 	u8 hash[3];
506 	int err;
507 
508 	if (!chan || !chan->data)
509 		return false;
510 
511 	BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
512 
513 	err = smp_ah(irk, &bdaddr->b[3], hash);
514 	if (err)
515 		return false;
516 
517 	return !crypto_memneq(bdaddr->b, hash, 3);
518 }
519 
520 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
521 {
522 	struct l2cap_chan *chan = hdev->smp_data;
523 	int err;
524 
525 	if (!chan || !chan->data)
526 		return -EOPNOTSUPP;
527 
528 	get_random_bytes(&rpa->b[3], 3);
529 
530 	rpa->b[5] &= 0x3f;	/* Clear two most significant bits */
531 	rpa->b[5] |= 0x40;	/* Set second most significant bit */
532 
533 	err = smp_ah(irk, &rpa->b[3], rpa->b);
534 	if (err < 0)
535 		return err;
536 
537 	BT_DBG("RPA %pMR", rpa);
538 
539 	return 0;
540 }
541 
542 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
543 {
544 	struct l2cap_chan *chan = hdev->smp_data;
545 	struct smp_dev *smp;
546 	int err;
547 
548 	if (!chan || !chan->data)
549 		return -EOPNOTSUPP;
550 
551 	smp = chan->data;
552 
553 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
554 		BT_DBG("Using debug keys");
555 		err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk);
556 		if (err)
557 			return err;
558 		memcpy(smp->local_pk, debug_pk, 64);
559 		smp->debug_key = true;
560 	} else {
561 		while (true) {
562 			/* Generate key pair for Secure Connections */
563 			err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk);
564 			if (err)
565 				return err;
566 
567 			/* This is unlikely, but we need to check that
568 			 * we didn't accidentially generate a debug key.
569 			 */
570 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
571 				break;
572 		}
573 		smp->debug_key = false;
574 	}
575 
576 	SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
577 	SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
578 
579 	get_random_bytes(smp->local_rand, 16);
580 
581 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
582 		     smp->local_rand, 0, hash);
583 	if (err < 0)
584 		return err;
585 
586 	memcpy(rand, smp->local_rand, 16);
587 
588 	smp->local_oob = true;
589 
590 	return 0;
591 }
592 
593 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
594 {
595 	struct l2cap_chan *chan = conn->smp;
596 	struct smp_chan *smp;
597 	struct kvec iv[2];
598 	struct msghdr msg;
599 
600 	if (!chan)
601 		return;
602 
603 	BT_DBG("code 0x%2.2x", code);
604 
605 	iv[0].iov_base = &code;
606 	iv[0].iov_len = 1;
607 
608 	iv[1].iov_base = data;
609 	iv[1].iov_len = len;
610 
611 	memset(&msg, 0, sizeof(msg));
612 
613 	iov_iter_kvec(&msg.msg_iter, WRITE, iv, 2, 1 + len);
614 
615 	l2cap_chan_send(chan, &msg, 1 + len);
616 
617 	if (!chan->data)
618 		return;
619 
620 	smp = chan->data;
621 
622 	cancel_delayed_work_sync(&smp->security_timer);
623 	schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
624 }
625 
626 static u8 authreq_to_seclevel(u8 authreq)
627 {
628 	if (authreq & SMP_AUTH_MITM) {
629 		if (authreq & SMP_AUTH_SC)
630 			return BT_SECURITY_FIPS;
631 		else
632 			return BT_SECURITY_HIGH;
633 	} else {
634 		return BT_SECURITY_MEDIUM;
635 	}
636 }
637 
638 static __u8 seclevel_to_authreq(__u8 sec_level)
639 {
640 	switch (sec_level) {
641 	case BT_SECURITY_FIPS:
642 	case BT_SECURITY_HIGH:
643 		return SMP_AUTH_MITM | SMP_AUTH_BONDING;
644 	case BT_SECURITY_MEDIUM:
645 		return SMP_AUTH_BONDING;
646 	default:
647 		return SMP_AUTH_NONE;
648 	}
649 }
650 
651 static void build_pairing_cmd(struct l2cap_conn *conn,
652 			      struct smp_cmd_pairing *req,
653 			      struct smp_cmd_pairing *rsp, __u8 authreq)
654 {
655 	struct l2cap_chan *chan = conn->smp;
656 	struct smp_chan *smp = chan->data;
657 	struct hci_conn *hcon = conn->hcon;
658 	struct hci_dev *hdev = hcon->hdev;
659 	u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
660 
661 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
662 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
663 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
664 		authreq |= SMP_AUTH_BONDING;
665 	} else {
666 		authreq &= ~SMP_AUTH_BONDING;
667 	}
668 
669 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
670 		remote_dist |= SMP_DIST_ID_KEY;
671 
672 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
673 		local_dist |= SMP_DIST_ID_KEY;
674 
675 	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
676 	    (authreq & SMP_AUTH_SC)) {
677 		struct oob_data *oob_data;
678 		u8 bdaddr_type;
679 
680 		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
681 			local_dist |= SMP_DIST_LINK_KEY;
682 			remote_dist |= SMP_DIST_LINK_KEY;
683 		}
684 
685 		if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
686 			bdaddr_type = BDADDR_LE_PUBLIC;
687 		else
688 			bdaddr_type = BDADDR_LE_RANDOM;
689 
690 		oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
691 						    bdaddr_type);
692 		if (oob_data && oob_data->present) {
693 			set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
694 			oob_flag = SMP_OOB_PRESENT;
695 			memcpy(smp->rr, oob_data->rand256, 16);
696 			memcpy(smp->pcnf, oob_data->hash256, 16);
697 			SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
698 			SMP_DBG("OOB Remote Random: %16phN", smp->rr);
699 		}
700 
701 	} else {
702 		authreq &= ~SMP_AUTH_SC;
703 	}
704 
705 	if (rsp == NULL) {
706 		req->io_capability = conn->hcon->io_capability;
707 		req->oob_flag = oob_flag;
708 		req->max_key_size = hdev->le_max_key_size;
709 		req->init_key_dist = local_dist;
710 		req->resp_key_dist = remote_dist;
711 		req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
712 
713 		smp->remote_key_dist = remote_dist;
714 		return;
715 	}
716 
717 	rsp->io_capability = conn->hcon->io_capability;
718 	rsp->oob_flag = oob_flag;
719 	rsp->max_key_size = hdev->le_max_key_size;
720 	rsp->init_key_dist = req->init_key_dist & remote_dist;
721 	rsp->resp_key_dist = req->resp_key_dist & local_dist;
722 	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
723 
724 	smp->remote_key_dist = rsp->init_key_dist;
725 }
726 
727 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
728 {
729 	struct l2cap_chan *chan = conn->smp;
730 	struct hci_dev *hdev = conn->hcon->hdev;
731 	struct smp_chan *smp = chan->data;
732 
733 	if (max_key_size > hdev->le_max_key_size ||
734 	    max_key_size < SMP_MIN_ENC_KEY_SIZE)
735 		return SMP_ENC_KEY_SIZE;
736 
737 	smp->enc_key_size = max_key_size;
738 
739 	return 0;
740 }
741 
742 static void smp_chan_destroy(struct l2cap_conn *conn)
743 {
744 	struct l2cap_chan *chan = conn->smp;
745 	struct smp_chan *smp = chan->data;
746 	struct hci_conn *hcon = conn->hcon;
747 	bool complete;
748 
749 	BUG_ON(!smp);
750 
751 	cancel_delayed_work_sync(&smp->security_timer);
752 
753 	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
754 	mgmt_smp_complete(hcon, complete);
755 
756 	kzfree(smp->csrk);
757 	kzfree(smp->slave_csrk);
758 	kzfree(smp->link_key);
759 
760 	crypto_free_shash(smp->tfm_cmac);
761 	crypto_free_kpp(smp->tfm_ecdh);
762 
763 	/* Ensure that we don't leave any debug key around if debug key
764 	 * support hasn't been explicitly enabled.
765 	 */
766 	if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
767 	    !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
768 		list_del_rcu(&smp->ltk->list);
769 		kfree_rcu(smp->ltk, rcu);
770 		smp->ltk = NULL;
771 	}
772 
773 	/* If pairing failed clean up any keys we might have */
774 	if (!complete) {
775 		if (smp->ltk) {
776 			list_del_rcu(&smp->ltk->list);
777 			kfree_rcu(smp->ltk, rcu);
778 		}
779 
780 		if (smp->slave_ltk) {
781 			list_del_rcu(&smp->slave_ltk->list);
782 			kfree_rcu(smp->slave_ltk, rcu);
783 		}
784 
785 		if (smp->remote_irk) {
786 			list_del_rcu(&smp->remote_irk->list);
787 			kfree_rcu(smp->remote_irk, rcu);
788 		}
789 	}
790 
791 	chan->data = NULL;
792 	kzfree(smp);
793 	hci_conn_drop(hcon);
794 }
795 
796 static void smp_failure(struct l2cap_conn *conn, u8 reason)
797 {
798 	struct hci_conn *hcon = conn->hcon;
799 	struct l2cap_chan *chan = conn->smp;
800 
801 	if (reason)
802 		smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
803 			     &reason);
804 
805 	mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
806 
807 	if (chan->data)
808 		smp_chan_destroy(conn);
809 }
810 
811 #define JUST_WORKS	0x00
812 #define JUST_CFM	0x01
813 #define REQ_PASSKEY	0x02
814 #define CFM_PASSKEY	0x03
815 #define REQ_OOB		0x04
816 #define DSP_PASSKEY	0x05
817 #define OVERLAP		0xFF
818 
819 static const u8 gen_method[5][5] = {
820 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
821 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
822 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
823 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
824 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
825 };
826 
827 static const u8 sc_method[5][5] = {
828 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
829 	{ JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
830 	{ DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
831 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
832 	{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
833 };
834 
835 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
836 {
837 	/* If either side has unknown io_caps, use JUST_CFM (which gets
838 	 * converted later to JUST_WORKS if we're initiators.
839 	 */
840 	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
841 	    remote_io > SMP_IO_KEYBOARD_DISPLAY)
842 		return JUST_CFM;
843 
844 	if (test_bit(SMP_FLAG_SC, &smp->flags))
845 		return sc_method[remote_io][local_io];
846 
847 	return gen_method[remote_io][local_io];
848 }
849 
850 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
851 						u8 local_io, u8 remote_io)
852 {
853 	struct hci_conn *hcon = conn->hcon;
854 	struct l2cap_chan *chan = conn->smp;
855 	struct smp_chan *smp = chan->data;
856 	u32 passkey = 0;
857 	int ret = 0;
858 
859 	/* Initialize key for JUST WORKS */
860 	memset(smp->tk, 0, sizeof(smp->tk));
861 	clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
862 
863 	BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
864 
865 	/* If neither side wants MITM, either "just" confirm an incoming
866 	 * request or use just-works for outgoing ones. The JUST_CFM
867 	 * will be converted to JUST_WORKS if necessary later in this
868 	 * function. If either side has MITM look up the method from the
869 	 * table.
870 	 */
871 	if (!(auth & SMP_AUTH_MITM))
872 		smp->method = JUST_CFM;
873 	else
874 		smp->method = get_auth_method(smp, local_io, remote_io);
875 
876 	/* Don't confirm locally initiated pairing attempts */
877 	if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
878 						&smp->flags))
879 		smp->method = JUST_WORKS;
880 
881 	/* Don't bother user space with no IO capabilities */
882 	if (smp->method == JUST_CFM &&
883 	    hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
884 		smp->method = JUST_WORKS;
885 
886 	/* If Just Works, Continue with Zero TK */
887 	if (smp->method == JUST_WORKS) {
888 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
889 		return 0;
890 	}
891 
892 	/* If this function is used for SC -> legacy fallback we
893 	 * can only recover the just-works case.
894 	 */
895 	if (test_bit(SMP_FLAG_SC, &smp->flags))
896 		return -EINVAL;
897 
898 	/* Not Just Works/Confirm results in MITM Authentication */
899 	if (smp->method != JUST_CFM) {
900 		set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
901 		if (hcon->pending_sec_level < BT_SECURITY_HIGH)
902 			hcon->pending_sec_level = BT_SECURITY_HIGH;
903 	}
904 
905 	/* If both devices have Keyoard-Display I/O, the master
906 	 * Confirms and the slave Enters the passkey.
907 	 */
908 	if (smp->method == OVERLAP) {
909 		if (hcon->role == HCI_ROLE_MASTER)
910 			smp->method = CFM_PASSKEY;
911 		else
912 			smp->method = REQ_PASSKEY;
913 	}
914 
915 	/* Generate random passkey. */
916 	if (smp->method == CFM_PASSKEY) {
917 		memset(smp->tk, 0, sizeof(smp->tk));
918 		get_random_bytes(&passkey, sizeof(passkey));
919 		passkey %= 1000000;
920 		put_unaligned_le32(passkey, smp->tk);
921 		BT_DBG("PassKey: %d", passkey);
922 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
923 	}
924 
925 	if (smp->method == REQ_PASSKEY)
926 		ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
927 						hcon->type, hcon->dst_type);
928 	else if (smp->method == JUST_CFM)
929 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
930 						hcon->type, hcon->dst_type,
931 						passkey, 1);
932 	else
933 		ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
934 						hcon->type, hcon->dst_type,
935 						passkey, 0);
936 
937 	return ret;
938 }
939 
940 static u8 smp_confirm(struct smp_chan *smp)
941 {
942 	struct l2cap_conn *conn = smp->conn;
943 	struct smp_cmd_pairing_confirm cp;
944 	int ret;
945 
946 	BT_DBG("conn %p", conn);
947 
948 	ret = smp_c1(smp->tk, smp->prnd, smp->preq, smp->prsp,
949 		     conn->hcon->init_addr_type, &conn->hcon->init_addr,
950 		     conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
951 		     cp.confirm_val);
952 	if (ret)
953 		return SMP_UNSPECIFIED;
954 
955 	clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
956 
957 	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
958 
959 	if (conn->hcon->out)
960 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
961 	else
962 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
963 
964 	return 0;
965 }
966 
967 static u8 smp_random(struct smp_chan *smp)
968 {
969 	struct l2cap_conn *conn = smp->conn;
970 	struct hci_conn *hcon = conn->hcon;
971 	u8 confirm[16];
972 	int ret;
973 
974 	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
975 
976 	ret = smp_c1(smp->tk, smp->rrnd, smp->preq, smp->prsp,
977 		     hcon->init_addr_type, &hcon->init_addr,
978 		     hcon->resp_addr_type, &hcon->resp_addr, confirm);
979 	if (ret)
980 		return SMP_UNSPECIFIED;
981 
982 	if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
983 		bt_dev_err(hcon->hdev, "pairing failed "
984 			   "(confirmation values mismatch)");
985 		return SMP_CONFIRM_FAILED;
986 	}
987 
988 	if (hcon->out) {
989 		u8 stk[16];
990 		__le64 rand = 0;
991 		__le16 ediv = 0;
992 
993 		smp_s1(smp->tk, smp->rrnd, smp->prnd, stk);
994 
995 		if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
996 			return SMP_UNSPECIFIED;
997 
998 		hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
999 		hcon->enc_key_size = smp->enc_key_size;
1000 		set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1001 	} else {
1002 		u8 stk[16], auth;
1003 		__le64 rand = 0;
1004 		__le16 ediv = 0;
1005 
1006 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1007 			     smp->prnd);
1008 
1009 		smp_s1(smp->tk, smp->prnd, smp->rrnd, stk);
1010 
1011 		if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1012 			auth = 1;
1013 		else
1014 			auth = 0;
1015 
1016 		/* Even though there's no _SLAVE suffix this is the
1017 		 * slave STK we're adding for later lookup (the master
1018 		 * STK never needs to be stored).
1019 		 */
1020 		hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1021 			    SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1022 	}
1023 
1024 	return 0;
1025 }
1026 
1027 static void smp_notify_keys(struct l2cap_conn *conn)
1028 {
1029 	struct l2cap_chan *chan = conn->smp;
1030 	struct smp_chan *smp = chan->data;
1031 	struct hci_conn *hcon = conn->hcon;
1032 	struct hci_dev *hdev = hcon->hdev;
1033 	struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1034 	struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1035 	bool persistent;
1036 
1037 	if (hcon->type == ACL_LINK) {
1038 		if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1039 			persistent = false;
1040 		else
1041 			persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1042 					       &hcon->flags);
1043 	} else {
1044 		/* The LTKs, IRKs and CSRKs should be persistent only if
1045 		 * both sides had the bonding bit set in their
1046 		 * authentication requests.
1047 		 */
1048 		persistent = !!((req->auth_req & rsp->auth_req) &
1049 				SMP_AUTH_BONDING);
1050 	}
1051 
1052 	if (smp->remote_irk) {
1053 		mgmt_new_irk(hdev, smp->remote_irk, persistent);
1054 
1055 		/* Now that user space can be considered to know the
1056 		 * identity address track the connection based on it
1057 		 * from now on (assuming this is an LE link).
1058 		 */
1059 		if (hcon->type == LE_LINK) {
1060 			bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1061 			hcon->dst_type = smp->remote_irk->addr_type;
1062 			queue_work(hdev->workqueue, &conn->id_addr_update_work);
1063 		}
1064 	}
1065 
1066 	if (smp->csrk) {
1067 		smp->csrk->bdaddr_type = hcon->dst_type;
1068 		bacpy(&smp->csrk->bdaddr, &hcon->dst);
1069 		mgmt_new_csrk(hdev, smp->csrk, persistent);
1070 	}
1071 
1072 	if (smp->slave_csrk) {
1073 		smp->slave_csrk->bdaddr_type = hcon->dst_type;
1074 		bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1075 		mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1076 	}
1077 
1078 	if (smp->ltk) {
1079 		smp->ltk->bdaddr_type = hcon->dst_type;
1080 		bacpy(&smp->ltk->bdaddr, &hcon->dst);
1081 		mgmt_new_ltk(hdev, smp->ltk, persistent);
1082 	}
1083 
1084 	if (smp->slave_ltk) {
1085 		smp->slave_ltk->bdaddr_type = hcon->dst_type;
1086 		bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1087 		mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1088 	}
1089 
1090 	if (smp->link_key) {
1091 		struct link_key *key;
1092 		u8 type;
1093 
1094 		if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1095 			type = HCI_LK_DEBUG_COMBINATION;
1096 		else if (hcon->sec_level == BT_SECURITY_FIPS)
1097 			type = HCI_LK_AUTH_COMBINATION_P256;
1098 		else
1099 			type = HCI_LK_UNAUTH_COMBINATION_P256;
1100 
1101 		key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1102 				       smp->link_key, type, 0, &persistent);
1103 		if (key) {
1104 			mgmt_new_link_key(hdev, key, persistent);
1105 
1106 			/* Don't keep debug keys around if the relevant
1107 			 * flag is not set.
1108 			 */
1109 			if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1110 			    key->type == HCI_LK_DEBUG_COMBINATION) {
1111 				list_del_rcu(&key->list);
1112 				kfree_rcu(key, rcu);
1113 			}
1114 		}
1115 	}
1116 }
1117 
1118 static void sc_add_ltk(struct smp_chan *smp)
1119 {
1120 	struct hci_conn *hcon = smp->conn->hcon;
1121 	u8 key_type, auth;
1122 
1123 	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1124 		key_type = SMP_LTK_P256_DEBUG;
1125 	else
1126 		key_type = SMP_LTK_P256;
1127 
1128 	if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1129 		auth = 1;
1130 	else
1131 		auth = 0;
1132 
1133 	smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1134 			       key_type, auth, smp->tk, smp->enc_key_size,
1135 			       0, 0);
1136 }
1137 
1138 static void sc_generate_link_key(struct smp_chan *smp)
1139 {
1140 	/* From core spec. Spells out in ASCII as 'lebr'. */
1141 	const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1142 
1143 	smp->link_key = kzalloc(16, GFP_KERNEL);
1144 	if (!smp->link_key)
1145 		return;
1146 
1147 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1148 		/* SALT = 0x000000000000000000000000746D7031 */
1149 		const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1150 
1151 		if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1152 			kzfree(smp->link_key);
1153 			smp->link_key = NULL;
1154 			return;
1155 		}
1156 	} else {
1157 		/* From core spec. Spells out in ASCII as 'tmp1'. */
1158 		const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1159 
1160 		if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1161 			kzfree(smp->link_key);
1162 			smp->link_key = NULL;
1163 			return;
1164 		}
1165 	}
1166 
1167 	if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1168 		kzfree(smp->link_key);
1169 		smp->link_key = NULL;
1170 		return;
1171 	}
1172 }
1173 
1174 static void smp_allow_key_dist(struct smp_chan *smp)
1175 {
1176 	/* Allow the first expected phase 3 PDU. The rest of the PDUs
1177 	 * will be allowed in each PDU handler to ensure we receive
1178 	 * them in the correct order.
1179 	 */
1180 	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1181 		SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1182 	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1183 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1184 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
1185 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1186 }
1187 
1188 static void sc_generate_ltk(struct smp_chan *smp)
1189 {
1190 	/* From core spec. Spells out in ASCII as 'brle'. */
1191 	const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1192 	struct hci_conn *hcon = smp->conn->hcon;
1193 	struct hci_dev *hdev = hcon->hdev;
1194 	struct link_key *key;
1195 
1196 	key = hci_find_link_key(hdev, &hcon->dst);
1197 	if (!key) {
1198 		bt_dev_err(hdev, "no Link Key found to generate LTK");
1199 		return;
1200 	}
1201 
1202 	if (key->type == HCI_LK_DEBUG_COMBINATION)
1203 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1204 
1205 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1206 		/* SALT = 0x000000000000000000000000746D7032 */
1207 		const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1208 
1209 		if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1210 			return;
1211 	} else {
1212 		/* From core spec. Spells out in ASCII as 'tmp2'. */
1213 		const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1214 
1215 		if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1216 			return;
1217 	}
1218 
1219 	if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1220 		return;
1221 
1222 	sc_add_ltk(smp);
1223 }
1224 
1225 static void smp_distribute_keys(struct smp_chan *smp)
1226 {
1227 	struct smp_cmd_pairing *req, *rsp;
1228 	struct l2cap_conn *conn = smp->conn;
1229 	struct hci_conn *hcon = conn->hcon;
1230 	struct hci_dev *hdev = hcon->hdev;
1231 	__u8 *keydist;
1232 
1233 	BT_DBG("conn %p", conn);
1234 
1235 	rsp = (void *) &smp->prsp[1];
1236 
1237 	/* The responder sends its keys first */
1238 	if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1239 		smp_allow_key_dist(smp);
1240 		return;
1241 	}
1242 
1243 	req = (void *) &smp->preq[1];
1244 
1245 	if (hcon->out) {
1246 		keydist = &rsp->init_key_dist;
1247 		*keydist &= req->init_key_dist;
1248 	} else {
1249 		keydist = &rsp->resp_key_dist;
1250 		*keydist &= req->resp_key_dist;
1251 	}
1252 
1253 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1254 		if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1255 			sc_generate_link_key(smp);
1256 		if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1257 			sc_generate_ltk(smp);
1258 
1259 		/* Clear the keys which are generated but not distributed */
1260 		*keydist &= ~SMP_SC_NO_DIST;
1261 	}
1262 
1263 	BT_DBG("keydist 0x%x", *keydist);
1264 
1265 	if (*keydist & SMP_DIST_ENC_KEY) {
1266 		struct smp_cmd_encrypt_info enc;
1267 		struct smp_cmd_master_ident ident;
1268 		struct smp_ltk *ltk;
1269 		u8 authenticated;
1270 		__le16 ediv;
1271 		__le64 rand;
1272 
1273 		/* Make sure we generate only the significant amount of
1274 		 * bytes based on the encryption key size, and set the rest
1275 		 * of the value to zeroes.
1276 		 */
1277 		get_random_bytes(enc.ltk, smp->enc_key_size);
1278 		memset(enc.ltk + smp->enc_key_size, 0,
1279 		       sizeof(enc.ltk) - smp->enc_key_size);
1280 
1281 		get_random_bytes(&ediv, sizeof(ediv));
1282 		get_random_bytes(&rand, sizeof(rand));
1283 
1284 		smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1285 
1286 		authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1287 		ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1288 				  SMP_LTK_SLAVE, authenticated, enc.ltk,
1289 				  smp->enc_key_size, ediv, rand);
1290 		smp->slave_ltk = ltk;
1291 
1292 		ident.ediv = ediv;
1293 		ident.rand = rand;
1294 
1295 		smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1296 
1297 		*keydist &= ~SMP_DIST_ENC_KEY;
1298 	}
1299 
1300 	if (*keydist & SMP_DIST_ID_KEY) {
1301 		struct smp_cmd_ident_addr_info addrinfo;
1302 		struct smp_cmd_ident_info idinfo;
1303 
1304 		memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1305 
1306 		smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1307 
1308 		/* The hci_conn contains the local identity address
1309 		 * after the connection has been established.
1310 		 *
1311 		 * This is true even when the connection has been
1312 		 * established using a resolvable random address.
1313 		 */
1314 		bacpy(&addrinfo.bdaddr, &hcon->src);
1315 		addrinfo.addr_type = hcon->src_type;
1316 
1317 		smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1318 			     &addrinfo);
1319 
1320 		*keydist &= ~SMP_DIST_ID_KEY;
1321 	}
1322 
1323 	if (*keydist & SMP_DIST_SIGN) {
1324 		struct smp_cmd_sign_info sign;
1325 		struct smp_csrk *csrk;
1326 
1327 		/* Generate a new random key */
1328 		get_random_bytes(sign.csrk, sizeof(sign.csrk));
1329 
1330 		csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1331 		if (csrk) {
1332 			if (hcon->sec_level > BT_SECURITY_MEDIUM)
1333 				csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1334 			else
1335 				csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1336 			memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1337 		}
1338 		smp->slave_csrk = csrk;
1339 
1340 		smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1341 
1342 		*keydist &= ~SMP_DIST_SIGN;
1343 	}
1344 
1345 	/* If there are still keys to be received wait for them */
1346 	if (smp->remote_key_dist & KEY_DIST_MASK) {
1347 		smp_allow_key_dist(smp);
1348 		return;
1349 	}
1350 
1351 	set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1352 	smp_notify_keys(conn);
1353 
1354 	smp_chan_destroy(conn);
1355 }
1356 
1357 static void smp_timeout(struct work_struct *work)
1358 {
1359 	struct smp_chan *smp = container_of(work, struct smp_chan,
1360 					    security_timer.work);
1361 	struct l2cap_conn *conn = smp->conn;
1362 
1363 	BT_DBG("conn %p", conn);
1364 
1365 	hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1366 }
1367 
1368 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1369 {
1370 	struct l2cap_chan *chan = conn->smp;
1371 	struct smp_chan *smp;
1372 
1373 	smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1374 	if (!smp)
1375 		return NULL;
1376 
1377 	smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1378 	if (IS_ERR(smp->tfm_cmac)) {
1379 		BT_ERR("Unable to create CMAC crypto context");
1380 		goto zfree_smp;
1381 	}
1382 
1383 	smp->tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
1384 	if (IS_ERR(smp->tfm_ecdh)) {
1385 		BT_ERR("Unable to create ECDH crypto context");
1386 		goto free_shash;
1387 	}
1388 
1389 	smp->conn = conn;
1390 	chan->data = smp;
1391 
1392 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1393 
1394 	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1395 
1396 	hci_conn_hold(conn->hcon);
1397 
1398 	return smp;
1399 
1400 free_shash:
1401 	crypto_free_shash(smp->tfm_cmac);
1402 zfree_smp:
1403 	kzfree(smp);
1404 	return NULL;
1405 }
1406 
1407 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1408 {
1409 	struct hci_conn *hcon = smp->conn->hcon;
1410 	u8 *na, *nb, a[7], b[7];
1411 
1412 	if (hcon->out) {
1413 		na   = smp->prnd;
1414 		nb   = smp->rrnd;
1415 	} else {
1416 		na   = smp->rrnd;
1417 		nb   = smp->prnd;
1418 	}
1419 
1420 	memcpy(a, &hcon->init_addr, 6);
1421 	memcpy(b, &hcon->resp_addr, 6);
1422 	a[6] = hcon->init_addr_type;
1423 	b[6] = hcon->resp_addr_type;
1424 
1425 	return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1426 }
1427 
1428 static void sc_dhkey_check(struct smp_chan *smp)
1429 {
1430 	struct hci_conn *hcon = smp->conn->hcon;
1431 	struct smp_cmd_dhkey_check check;
1432 	u8 a[7], b[7], *local_addr, *remote_addr;
1433 	u8 io_cap[3], r[16];
1434 
1435 	memcpy(a, &hcon->init_addr, 6);
1436 	memcpy(b, &hcon->resp_addr, 6);
1437 	a[6] = hcon->init_addr_type;
1438 	b[6] = hcon->resp_addr_type;
1439 
1440 	if (hcon->out) {
1441 		local_addr = a;
1442 		remote_addr = b;
1443 		memcpy(io_cap, &smp->preq[1], 3);
1444 	} else {
1445 		local_addr = b;
1446 		remote_addr = a;
1447 		memcpy(io_cap, &smp->prsp[1], 3);
1448 	}
1449 
1450 	memset(r, 0, sizeof(r));
1451 
1452 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1453 		put_unaligned_le32(hcon->passkey_notify, r);
1454 
1455 	if (smp->method == REQ_OOB)
1456 		memcpy(r, smp->rr, 16);
1457 
1458 	smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1459 	       local_addr, remote_addr, check.e);
1460 
1461 	smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1462 }
1463 
1464 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1465 {
1466 	struct l2cap_conn *conn = smp->conn;
1467 	struct hci_conn *hcon = conn->hcon;
1468 	struct smp_cmd_pairing_confirm cfm;
1469 	u8 r;
1470 
1471 	r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1472 	r |= 0x80;
1473 
1474 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1475 
1476 	if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1477 		   cfm.confirm_val))
1478 		return SMP_UNSPECIFIED;
1479 
1480 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1481 
1482 	return 0;
1483 }
1484 
1485 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1486 {
1487 	struct l2cap_conn *conn = smp->conn;
1488 	struct hci_conn *hcon = conn->hcon;
1489 	struct hci_dev *hdev = hcon->hdev;
1490 	u8 cfm[16], r;
1491 
1492 	/* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1493 	if (smp->passkey_round >= 20)
1494 		return 0;
1495 
1496 	switch (smp_op) {
1497 	case SMP_CMD_PAIRING_RANDOM:
1498 		r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1499 		r |= 0x80;
1500 
1501 		if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1502 			   smp->rrnd, r, cfm))
1503 			return SMP_UNSPECIFIED;
1504 
1505 		if (crypto_memneq(smp->pcnf, cfm, 16))
1506 			return SMP_CONFIRM_FAILED;
1507 
1508 		smp->passkey_round++;
1509 
1510 		if (smp->passkey_round == 20) {
1511 			/* Generate MacKey and LTK */
1512 			if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1513 				return SMP_UNSPECIFIED;
1514 		}
1515 
1516 		/* The round is only complete when the initiator
1517 		 * receives pairing random.
1518 		 */
1519 		if (!hcon->out) {
1520 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1521 				     sizeof(smp->prnd), smp->prnd);
1522 			if (smp->passkey_round == 20)
1523 				SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1524 			else
1525 				SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1526 			return 0;
1527 		}
1528 
1529 		/* Start the next round */
1530 		if (smp->passkey_round != 20)
1531 			return sc_passkey_round(smp, 0);
1532 
1533 		/* Passkey rounds are complete - start DHKey Check */
1534 		sc_dhkey_check(smp);
1535 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1536 
1537 		break;
1538 
1539 	case SMP_CMD_PAIRING_CONFIRM:
1540 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1541 			set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1542 			return 0;
1543 		}
1544 
1545 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1546 
1547 		if (hcon->out) {
1548 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1549 				     sizeof(smp->prnd), smp->prnd);
1550 			return 0;
1551 		}
1552 
1553 		return sc_passkey_send_confirm(smp);
1554 
1555 	case SMP_CMD_PUBLIC_KEY:
1556 	default:
1557 		/* Initiating device starts the round */
1558 		if (!hcon->out)
1559 			return 0;
1560 
1561 		BT_DBG("%s Starting passkey round %u", hdev->name,
1562 		       smp->passkey_round + 1);
1563 
1564 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1565 
1566 		return sc_passkey_send_confirm(smp);
1567 	}
1568 
1569 	return 0;
1570 }
1571 
1572 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1573 {
1574 	struct l2cap_conn *conn = smp->conn;
1575 	struct hci_conn *hcon = conn->hcon;
1576 	u8 smp_op;
1577 
1578 	clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1579 
1580 	switch (mgmt_op) {
1581 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1582 		smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1583 		return 0;
1584 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1585 		smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1586 		return 0;
1587 	case MGMT_OP_USER_PASSKEY_REPLY:
1588 		hcon->passkey_notify = le32_to_cpu(passkey);
1589 		smp->passkey_round = 0;
1590 
1591 		if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1592 			smp_op = SMP_CMD_PAIRING_CONFIRM;
1593 		else
1594 			smp_op = 0;
1595 
1596 		if (sc_passkey_round(smp, smp_op))
1597 			return -EIO;
1598 
1599 		return 0;
1600 	}
1601 
1602 	/* Initiator sends DHKey check first */
1603 	if (hcon->out) {
1604 		sc_dhkey_check(smp);
1605 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1606 	} else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1607 		sc_dhkey_check(smp);
1608 		sc_add_ltk(smp);
1609 	}
1610 
1611 	return 0;
1612 }
1613 
1614 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1615 {
1616 	struct l2cap_conn *conn = hcon->l2cap_data;
1617 	struct l2cap_chan *chan;
1618 	struct smp_chan *smp;
1619 	u32 value;
1620 	int err;
1621 
1622 	BT_DBG("");
1623 
1624 	if (!conn)
1625 		return -ENOTCONN;
1626 
1627 	chan = conn->smp;
1628 	if (!chan)
1629 		return -ENOTCONN;
1630 
1631 	l2cap_chan_lock(chan);
1632 	if (!chan->data) {
1633 		err = -ENOTCONN;
1634 		goto unlock;
1635 	}
1636 
1637 	smp = chan->data;
1638 
1639 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1640 		err = sc_user_reply(smp, mgmt_op, passkey);
1641 		goto unlock;
1642 	}
1643 
1644 	switch (mgmt_op) {
1645 	case MGMT_OP_USER_PASSKEY_REPLY:
1646 		value = le32_to_cpu(passkey);
1647 		memset(smp->tk, 0, sizeof(smp->tk));
1648 		BT_DBG("PassKey: %d", value);
1649 		put_unaligned_le32(value, smp->tk);
1650 		/* Fall Through */
1651 	case MGMT_OP_USER_CONFIRM_REPLY:
1652 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1653 		break;
1654 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1655 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1656 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1657 		err = 0;
1658 		goto unlock;
1659 	default:
1660 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1661 		err = -EOPNOTSUPP;
1662 		goto unlock;
1663 	}
1664 
1665 	err = 0;
1666 
1667 	/* If it is our turn to send Pairing Confirm, do so now */
1668 	if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1669 		u8 rsp = smp_confirm(smp);
1670 		if (rsp)
1671 			smp_failure(conn, rsp);
1672 	}
1673 
1674 unlock:
1675 	l2cap_chan_unlock(chan);
1676 	return err;
1677 }
1678 
1679 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1680 				    struct smp_cmd_pairing *req,
1681 				    struct smp_cmd_pairing *rsp)
1682 {
1683 	struct l2cap_conn *conn = smp->conn;
1684 	struct hci_dev *hdev = conn->hcon->hdev;
1685 	u8 local_dist = 0, remote_dist = 0;
1686 
1687 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1688 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1689 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1690 	}
1691 
1692 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1693 		remote_dist |= SMP_DIST_ID_KEY;
1694 
1695 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1696 		local_dist |= SMP_DIST_ID_KEY;
1697 
1698 	if (!rsp) {
1699 		memset(req, 0, sizeof(*req));
1700 
1701 		req->auth_req        = SMP_AUTH_CT2;
1702 		req->init_key_dist   = local_dist;
1703 		req->resp_key_dist   = remote_dist;
1704 		req->max_key_size    = conn->hcon->enc_key_size;
1705 
1706 		smp->remote_key_dist = remote_dist;
1707 
1708 		return;
1709 	}
1710 
1711 	memset(rsp, 0, sizeof(*rsp));
1712 
1713 	rsp->auth_req        = SMP_AUTH_CT2;
1714 	rsp->max_key_size    = conn->hcon->enc_key_size;
1715 	rsp->init_key_dist   = req->init_key_dist & remote_dist;
1716 	rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1717 
1718 	smp->remote_key_dist = rsp->init_key_dist;
1719 }
1720 
1721 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1722 {
1723 	struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1724 	struct l2cap_chan *chan = conn->smp;
1725 	struct hci_dev *hdev = conn->hcon->hdev;
1726 	struct smp_chan *smp;
1727 	u8 key_size, auth, sec_level;
1728 	int ret;
1729 
1730 	BT_DBG("conn %p", conn);
1731 
1732 	if (skb->len < sizeof(*req))
1733 		return SMP_INVALID_PARAMS;
1734 
1735 	if (conn->hcon->role != HCI_ROLE_SLAVE)
1736 		return SMP_CMD_NOTSUPP;
1737 
1738 	if (!chan->data)
1739 		smp = smp_chan_create(conn);
1740 	else
1741 		smp = chan->data;
1742 
1743 	if (!smp)
1744 		return SMP_UNSPECIFIED;
1745 
1746 	/* We didn't start the pairing, so match remote */
1747 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
1748 
1749 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1750 	    (auth & SMP_AUTH_BONDING))
1751 		return SMP_PAIRING_NOTSUPP;
1752 
1753 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1754 		return SMP_AUTH_REQUIREMENTS;
1755 
1756 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
1757 	memcpy(&smp->preq[1], req, sizeof(*req));
1758 	skb_pull(skb, sizeof(*req));
1759 
1760 	/* If the remote side's OOB flag is set it means it has
1761 	 * successfully received our local OOB data - therefore set the
1762 	 * flag to indicate that local OOB is in use.
1763 	 */
1764 	if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1765 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1766 
1767 	/* SMP over BR/EDR requires special treatment */
1768 	if (conn->hcon->type == ACL_LINK) {
1769 		/* We must have a BR/EDR SC link */
1770 		if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1771 		    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1772 			return SMP_CROSS_TRANSP_NOT_ALLOWED;
1773 
1774 		set_bit(SMP_FLAG_SC, &smp->flags);
1775 
1776 		build_bredr_pairing_cmd(smp, req, &rsp);
1777 
1778 		if (req->auth_req & SMP_AUTH_CT2)
1779 			set_bit(SMP_FLAG_CT2, &smp->flags);
1780 
1781 		key_size = min(req->max_key_size, rsp.max_key_size);
1782 		if (check_enc_key_size(conn, key_size))
1783 			return SMP_ENC_KEY_SIZE;
1784 
1785 		/* Clear bits which are generated but not distributed */
1786 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1787 
1788 		smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1789 		memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1790 		smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1791 
1792 		smp_distribute_keys(smp);
1793 		return 0;
1794 	}
1795 
1796 	build_pairing_cmd(conn, req, &rsp, auth);
1797 
1798 	if (rsp.auth_req & SMP_AUTH_SC) {
1799 		set_bit(SMP_FLAG_SC, &smp->flags);
1800 
1801 		if (rsp.auth_req & SMP_AUTH_CT2)
1802 			set_bit(SMP_FLAG_CT2, &smp->flags);
1803 	}
1804 
1805 	if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1806 		sec_level = BT_SECURITY_MEDIUM;
1807 	else
1808 		sec_level = authreq_to_seclevel(auth);
1809 
1810 	if (sec_level > conn->hcon->pending_sec_level)
1811 		conn->hcon->pending_sec_level = sec_level;
1812 
1813 	/* If we need MITM check that it can be achieved */
1814 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1815 		u8 method;
1816 
1817 		method = get_auth_method(smp, conn->hcon->io_capability,
1818 					 req->io_capability);
1819 		if (method == JUST_WORKS || method == JUST_CFM)
1820 			return SMP_AUTH_REQUIREMENTS;
1821 	}
1822 
1823 	key_size = min(req->max_key_size, rsp.max_key_size);
1824 	if (check_enc_key_size(conn, key_size))
1825 		return SMP_ENC_KEY_SIZE;
1826 
1827 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1828 
1829 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1830 	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1831 
1832 	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1833 
1834 	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1835 
1836 	/* Strictly speaking we shouldn't allow Pairing Confirm for the
1837 	 * SC case, however some implementations incorrectly copy RFU auth
1838 	 * req bits from our security request, which may create a false
1839 	 * positive SC enablement.
1840 	 */
1841 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1842 
1843 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1844 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1845 		/* Clear bits which are generated but not distributed */
1846 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1847 		/* Wait for Public Key from Initiating Device */
1848 		return 0;
1849 	}
1850 
1851 	/* Request setup of TK */
1852 	ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1853 	if (ret)
1854 		return SMP_UNSPECIFIED;
1855 
1856 	return 0;
1857 }
1858 
1859 static u8 sc_send_public_key(struct smp_chan *smp)
1860 {
1861 	struct hci_dev *hdev = smp->conn->hcon->hdev;
1862 
1863 	BT_DBG("");
1864 
1865 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1866 		struct l2cap_chan *chan = hdev->smp_data;
1867 		struct smp_dev *smp_dev;
1868 
1869 		if (!chan || !chan->data)
1870 			return SMP_UNSPECIFIED;
1871 
1872 		smp_dev = chan->data;
1873 
1874 		memcpy(smp->local_pk, smp_dev->local_pk, 64);
1875 		memcpy(smp->lr, smp_dev->local_rand, 16);
1876 
1877 		if (smp_dev->debug_key)
1878 			set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1879 
1880 		goto done;
1881 	}
1882 
1883 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1884 		BT_DBG("Using debug keys");
1885 		if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
1886 			return SMP_UNSPECIFIED;
1887 		memcpy(smp->local_pk, debug_pk, 64);
1888 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1889 	} else {
1890 		while (true) {
1891 			/* Generate key pair for Secure Connections */
1892 			if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
1893 				return SMP_UNSPECIFIED;
1894 
1895 			/* This is unlikely, but we need to check that
1896 			 * we didn't accidentially generate a debug key.
1897 			 */
1898 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
1899 				break;
1900 		}
1901 	}
1902 
1903 done:
1904 	SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1905 	SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1906 
1907 	smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1908 
1909 	return 0;
1910 }
1911 
1912 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1913 {
1914 	struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1915 	struct l2cap_chan *chan = conn->smp;
1916 	struct smp_chan *smp = chan->data;
1917 	struct hci_dev *hdev = conn->hcon->hdev;
1918 	u8 key_size, auth;
1919 	int ret;
1920 
1921 	BT_DBG("conn %p", conn);
1922 
1923 	if (skb->len < sizeof(*rsp))
1924 		return SMP_INVALID_PARAMS;
1925 
1926 	if (conn->hcon->role != HCI_ROLE_MASTER)
1927 		return SMP_CMD_NOTSUPP;
1928 
1929 	skb_pull(skb, sizeof(*rsp));
1930 
1931 	req = (void *) &smp->preq[1];
1932 
1933 	key_size = min(req->max_key_size, rsp->max_key_size);
1934 	if (check_enc_key_size(conn, key_size))
1935 		return SMP_ENC_KEY_SIZE;
1936 
1937 	auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1938 
1939 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1940 		return SMP_AUTH_REQUIREMENTS;
1941 
1942 	/* If the remote side's OOB flag is set it means it has
1943 	 * successfully received our local OOB data - therefore set the
1944 	 * flag to indicate that local OOB is in use.
1945 	 */
1946 	if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1947 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1948 
1949 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1950 	memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1951 
1952 	/* Update remote key distribution in case the remote cleared
1953 	 * some bits that we had enabled in our request.
1954 	 */
1955 	smp->remote_key_dist &= rsp->resp_key_dist;
1956 
1957 	if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1958 		set_bit(SMP_FLAG_CT2, &smp->flags);
1959 
1960 	/* For BR/EDR this means we're done and can start phase 3 */
1961 	if (conn->hcon->type == ACL_LINK) {
1962 		/* Clear bits which are generated but not distributed */
1963 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1964 		smp_distribute_keys(smp);
1965 		return 0;
1966 	}
1967 
1968 	if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1969 		set_bit(SMP_FLAG_SC, &smp->flags);
1970 	else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1971 		conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1972 
1973 	/* If we need MITM check that it can be achieved */
1974 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1975 		u8 method;
1976 
1977 		method = get_auth_method(smp, req->io_capability,
1978 					 rsp->io_capability);
1979 		if (method == JUST_WORKS || method == JUST_CFM)
1980 			return SMP_AUTH_REQUIREMENTS;
1981 	}
1982 
1983 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1984 
1985 	/* Update remote key distribution in case the remote cleared
1986 	 * some bits that we had enabled in our request.
1987 	 */
1988 	smp->remote_key_dist &= rsp->resp_key_dist;
1989 
1990 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1991 		/* Clear bits which are generated but not distributed */
1992 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1993 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1994 		return sc_send_public_key(smp);
1995 	}
1996 
1997 	auth |= req->auth_req;
1998 
1999 	ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2000 	if (ret)
2001 		return SMP_UNSPECIFIED;
2002 
2003 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2004 
2005 	/* Can't compose response until we have been confirmed */
2006 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2007 		return smp_confirm(smp);
2008 
2009 	return 0;
2010 }
2011 
2012 static u8 sc_check_confirm(struct smp_chan *smp)
2013 {
2014 	struct l2cap_conn *conn = smp->conn;
2015 
2016 	BT_DBG("");
2017 
2018 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2019 		return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2020 
2021 	if (conn->hcon->out) {
2022 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2023 			     smp->prnd);
2024 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2025 	}
2026 
2027 	return 0;
2028 }
2029 
2030 /* Work-around for some implementations that incorrectly copy RFU bits
2031  * from our security request and thereby create the impression that
2032  * we're doing SC when in fact the remote doesn't support it.
2033  */
2034 static int fixup_sc_false_positive(struct smp_chan *smp)
2035 {
2036 	struct l2cap_conn *conn = smp->conn;
2037 	struct hci_conn *hcon = conn->hcon;
2038 	struct hci_dev *hdev = hcon->hdev;
2039 	struct smp_cmd_pairing *req, *rsp;
2040 	u8 auth;
2041 
2042 	/* The issue is only observed when we're in slave role */
2043 	if (hcon->out)
2044 		return SMP_UNSPECIFIED;
2045 
2046 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2047 		bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
2048 		return SMP_UNSPECIFIED;
2049 	}
2050 
2051 	bt_dev_err(hdev, "trying to fall back to legacy SMP");
2052 
2053 	req = (void *) &smp->preq[1];
2054 	rsp = (void *) &smp->prsp[1];
2055 
2056 	/* Rebuild key dist flags which may have been cleared for SC */
2057 	smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2058 
2059 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
2060 
2061 	if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2062 		bt_dev_err(hdev, "failed to fall back to legacy SMP");
2063 		return SMP_UNSPECIFIED;
2064 	}
2065 
2066 	clear_bit(SMP_FLAG_SC, &smp->flags);
2067 
2068 	return 0;
2069 }
2070 
2071 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2072 {
2073 	struct l2cap_chan *chan = conn->smp;
2074 	struct smp_chan *smp = chan->data;
2075 
2076 	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
2077 
2078 	if (skb->len < sizeof(smp->pcnf))
2079 		return SMP_INVALID_PARAMS;
2080 
2081 	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2082 	skb_pull(skb, sizeof(smp->pcnf));
2083 
2084 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2085 		int ret;
2086 
2087 		/* Public Key exchange must happen before any other steps */
2088 		if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2089 			return sc_check_confirm(smp);
2090 
2091 		BT_ERR("Unexpected SMP Pairing Confirm");
2092 
2093 		ret = fixup_sc_false_positive(smp);
2094 		if (ret)
2095 			return ret;
2096 	}
2097 
2098 	if (conn->hcon->out) {
2099 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2100 			     smp->prnd);
2101 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2102 		return 0;
2103 	}
2104 
2105 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2106 		return smp_confirm(smp);
2107 
2108 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2109 
2110 	return 0;
2111 }
2112 
2113 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2114 {
2115 	struct l2cap_chan *chan = conn->smp;
2116 	struct smp_chan *smp = chan->data;
2117 	struct hci_conn *hcon = conn->hcon;
2118 	u8 *pkax, *pkbx, *na, *nb, confirm_hint;
2119 	u32 passkey;
2120 	int err;
2121 
2122 	BT_DBG("conn %p", conn);
2123 
2124 	if (skb->len < sizeof(smp->rrnd))
2125 		return SMP_INVALID_PARAMS;
2126 
2127 	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2128 	skb_pull(skb, sizeof(smp->rrnd));
2129 
2130 	if (!test_bit(SMP_FLAG_SC, &smp->flags))
2131 		return smp_random(smp);
2132 
2133 	if (hcon->out) {
2134 		pkax = smp->local_pk;
2135 		pkbx = smp->remote_pk;
2136 		na   = smp->prnd;
2137 		nb   = smp->rrnd;
2138 	} else {
2139 		pkax = smp->remote_pk;
2140 		pkbx = smp->local_pk;
2141 		na   = smp->rrnd;
2142 		nb   = smp->prnd;
2143 	}
2144 
2145 	if (smp->method == REQ_OOB) {
2146 		if (!hcon->out)
2147 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2148 				     sizeof(smp->prnd), smp->prnd);
2149 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2150 		goto mackey_and_ltk;
2151 	}
2152 
2153 	/* Passkey entry has special treatment */
2154 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2155 		return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2156 
2157 	if (hcon->out) {
2158 		u8 cfm[16];
2159 
2160 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2161 			     smp->rrnd, 0, cfm);
2162 		if (err)
2163 			return SMP_UNSPECIFIED;
2164 
2165 		if (crypto_memneq(smp->pcnf, cfm, 16))
2166 			return SMP_CONFIRM_FAILED;
2167 	} else {
2168 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2169 			     smp->prnd);
2170 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2171 
2172 		/* Only Just-Works pairing requires extra checks */
2173 		if (smp->method != JUST_WORKS)
2174 			goto mackey_and_ltk;
2175 
2176 		/* If there already exists long term key in local host, leave
2177 		 * the decision to user space since the remote device could
2178 		 * be legitimate or malicious.
2179 		 */
2180 		if (hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
2181 				 hcon->role)) {
2182 			/* Set passkey to 0. The value can be any number since
2183 			 * it'll be ignored anyway.
2184 			 */
2185 			passkey = 0;
2186 			confirm_hint = 1;
2187 			goto confirm;
2188 		}
2189 	}
2190 
2191 mackey_and_ltk:
2192 	/* Generate MacKey and LTK */
2193 	err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2194 	if (err)
2195 		return SMP_UNSPECIFIED;
2196 
2197 	if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2198 		if (hcon->out) {
2199 			sc_dhkey_check(smp);
2200 			SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2201 		}
2202 		return 0;
2203 	}
2204 
2205 	err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2206 	if (err)
2207 		return SMP_UNSPECIFIED;
2208 
2209 	confirm_hint = 0;
2210 
2211 confirm:
2212 	err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2213 					hcon->dst_type, passkey, confirm_hint);
2214 	if (err)
2215 		return SMP_UNSPECIFIED;
2216 
2217 	set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2218 
2219 	return 0;
2220 }
2221 
2222 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2223 {
2224 	struct smp_ltk *key;
2225 	struct hci_conn *hcon = conn->hcon;
2226 
2227 	key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2228 	if (!key)
2229 		return false;
2230 
2231 	if (smp_ltk_sec_level(key) < sec_level)
2232 		return false;
2233 
2234 	if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2235 		return true;
2236 
2237 	hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2238 	hcon->enc_key_size = key->enc_size;
2239 
2240 	/* We never store STKs for master role, so clear this flag */
2241 	clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2242 
2243 	return true;
2244 }
2245 
2246 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2247 			     enum smp_key_pref key_pref)
2248 {
2249 	if (sec_level == BT_SECURITY_LOW)
2250 		return true;
2251 
2252 	/* If we're encrypted with an STK but the caller prefers using
2253 	 * LTK claim insufficient security. This way we allow the
2254 	 * connection to be re-encrypted with an LTK, even if the LTK
2255 	 * provides the same level of security. Only exception is if we
2256 	 * don't have an LTK (e.g. because of key distribution bits).
2257 	 */
2258 	if (key_pref == SMP_USE_LTK &&
2259 	    test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2260 	    hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2261 		return false;
2262 
2263 	if (hcon->sec_level >= sec_level)
2264 		return true;
2265 
2266 	return false;
2267 }
2268 
2269 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2270 {
2271 	struct smp_cmd_security_req *rp = (void *) skb->data;
2272 	struct smp_cmd_pairing cp;
2273 	struct hci_conn *hcon = conn->hcon;
2274 	struct hci_dev *hdev = hcon->hdev;
2275 	struct smp_chan *smp;
2276 	u8 sec_level, auth;
2277 
2278 	BT_DBG("conn %p", conn);
2279 
2280 	if (skb->len < sizeof(*rp))
2281 		return SMP_INVALID_PARAMS;
2282 
2283 	if (hcon->role != HCI_ROLE_MASTER)
2284 		return SMP_CMD_NOTSUPP;
2285 
2286 	auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2287 
2288 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2289 		return SMP_AUTH_REQUIREMENTS;
2290 
2291 	if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2292 		sec_level = BT_SECURITY_MEDIUM;
2293 	else
2294 		sec_level = authreq_to_seclevel(auth);
2295 
2296 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2297 		/* If link is already encrypted with sufficient security we
2298 		 * still need refresh encryption as per Core Spec 5.0 Vol 3,
2299 		 * Part H 2.4.6
2300 		 */
2301 		smp_ltk_encrypt(conn, hcon->sec_level);
2302 		return 0;
2303 	}
2304 
2305 	if (sec_level > hcon->pending_sec_level)
2306 		hcon->pending_sec_level = sec_level;
2307 
2308 	if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2309 		return 0;
2310 
2311 	smp = smp_chan_create(conn);
2312 	if (!smp)
2313 		return SMP_UNSPECIFIED;
2314 
2315 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2316 	    (auth & SMP_AUTH_BONDING))
2317 		return SMP_PAIRING_NOTSUPP;
2318 
2319 	skb_pull(skb, sizeof(*rp));
2320 
2321 	memset(&cp, 0, sizeof(cp));
2322 	build_pairing_cmd(conn, &cp, NULL, auth);
2323 
2324 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2325 	memcpy(&smp->preq[1], &cp, sizeof(cp));
2326 
2327 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2328 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2329 
2330 	return 0;
2331 }
2332 
2333 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2334 {
2335 	struct l2cap_conn *conn = hcon->l2cap_data;
2336 	struct l2cap_chan *chan;
2337 	struct smp_chan *smp;
2338 	__u8 authreq;
2339 	int ret;
2340 
2341 	BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2342 
2343 	/* This may be NULL if there's an unexpected disconnection */
2344 	if (!conn)
2345 		return 1;
2346 
2347 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2348 		return 1;
2349 
2350 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2351 		return 1;
2352 
2353 	if (sec_level > hcon->pending_sec_level)
2354 		hcon->pending_sec_level = sec_level;
2355 
2356 	if (hcon->role == HCI_ROLE_MASTER)
2357 		if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2358 			return 0;
2359 
2360 	chan = conn->smp;
2361 	if (!chan) {
2362 		bt_dev_err(hcon->hdev, "security requested but not available");
2363 		return 1;
2364 	}
2365 
2366 	l2cap_chan_lock(chan);
2367 
2368 	/* If SMP is already in progress ignore this request */
2369 	if (chan->data) {
2370 		ret = 0;
2371 		goto unlock;
2372 	}
2373 
2374 	smp = smp_chan_create(conn);
2375 	if (!smp) {
2376 		ret = 1;
2377 		goto unlock;
2378 	}
2379 
2380 	authreq = seclevel_to_authreq(sec_level);
2381 
2382 	if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2383 		authreq |= SMP_AUTH_SC;
2384 		if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2385 			authreq |= SMP_AUTH_CT2;
2386 	}
2387 
2388 	/* Require MITM if IO Capability allows or the security level
2389 	 * requires it.
2390 	 */
2391 	if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2392 	    hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2393 		authreq |= SMP_AUTH_MITM;
2394 
2395 	if (hcon->role == HCI_ROLE_MASTER) {
2396 		struct smp_cmd_pairing cp;
2397 
2398 		build_pairing_cmd(conn, &cp, NULL, authreq);
2399 		smp->preq[0] = SMP_CMD_PAIRING_REQ;
2400 		memcpy(&smp->preq[1], &cp, sizeof(cp));
2401 
2402 		smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2403 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2404 	} else {
2405 		struct smp_cmd_security_req cp;
2406 		cp.auth_req = authreq;
2407 		smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2408 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2409 	}
2410 
2411 	set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2412 	ret = 0;
2413 
2414 unlock:
2415 	l2cap_chan_unlock(chan);
2416 	return ret;
2417 }
2418 
2419 int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2420 				  u8 addr_type)
2421 {
2422 	struct hci_conn *hcon;
2423 	struct l2cap_conn *conn;
2424 	struct l2cap_chan *chan;
2425 	struct smp_chan *smp;
2426 	int err;
2427 
2428 	err = hci_remove_ltk(hdev, bdaddr, addr_type);
2429 	hci_remove_irk(hdev, bdaddr, addr_type);
2430 
2431 	hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2432 	if (!hcon)
2433 		goto done;
2434 
2435 	conn = hcon->l2cap_data;
2436 	if (!conn)
2437 		goto done;
2438 
2439 	chan = conn->smp;
2440 	if (!chan)
2441 		goto done;
2442 
2443 	l2cap_chan_lock(chan);
2444 
2445 	smp = chan->data;
2446 	if (smp) {
2447 		/* Set keys to NULL to make sure smp_failure() does not try to
2448 		 * remove and free already invalidated rcu list entries. */
2449 		smp->ltk = NULL;
2450 		smp->slave_ltk = NULL;
2451 		smp->remote_irk = NULL;
2452 
2453 		if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2454 			smp_failure(conn, 0);
2455 		else
2456 			smp_failure(conn, SMP_UNSPECIFIED);
2457 		err = 0;
2458 	}
2459 
2460 	l2cap_chan_unlock(chan);
2461 
2462 done:
2463 	return err;
2464 }
2465 
2466 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2467 {
2468 	struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2469 	struct l2cap_chan *chan = conn->smp;
2470 	struct smp_chan *smp = chan->data;
2471 
2472 	BT_DBG("conn %p", conn);
2473 
2474 	if (skb->len < sizeof(*rp))
2475 		return SMP_INVALID_PARAMS;
2476 
2477 	/* Pairing is aborted if any blocked keys are distributed */
2478 	if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_LTK,
2479 			       rp->ltk)) {
2480 		bt_dev_warn_ratelimited(conn->hcon->hdev,
2481 					"LTK blocked for %pMR",
2482 					&conn->hcon->dst);
2483 		return SMP_INVALID_PARAMS;
2484 	}
2485 
2486 	SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2487 
2488 	skb_pull(skb, sizeof(*rp));
2489 
2490 	memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2491 
2492 	return 0;
2493 }
2494 
2495 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2496 {
2497 	struct smp_cmd_master_ident *rp = (void *) skb->data;
2498 	struct l2cap_chan *chan = conn->smp;
2499 	struct smp_chan *smp = chan->data;
2500 	struct hci_dev *hdev = conn->hcon->hdev;
2501 	struct hci_conn *hcon = conn->hcon;
2502 	struct smp_ltk *ltk;
2503 	u8 authenticated;
2504 
2505 	BT_DBG("conn %p", conn);
2506 
2507 	if (skb->len < sizeof(*rp))
2508 		return SMP_INVALID_PARAMS;
2509 
2510 	/* Mark the information as received */
2511 	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2512 
2513 	if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2514 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2515 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
2516 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2517 
2518 	skb_pull(skb, sizeof(*rp));
2519 
2520 	authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2521 	ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2522 			  authenticated, smp->tk, smp->enc_key_size,
2523 			  rp->ediv, rp->rand);
2524 	smp->ltk = ltk;
2525 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2526 		smp_distribute_keys(smp);
2527 
2528 	return 0;
2529 }
2530 
2531 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2532 {
2533 	struct smp_cmd_ident_info *info = (void *) skb->data;
2534 	struct l2cap_chan *chan = conn->smp;
2535 	struct smp_chan *smp = chan->data;
2536 
2537 	BT_DBG("");
2538 
2539 	if (skb->len < sizeof(*info))
2540 		return SMP_INVALID_PARAMS;
2541 
2542 	/* Pairing is aborted if any blocked keys are distributed */
2543 	if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_IRK,
2544 			       info->irk)) {
2545 		bt_dev_warn_ratelimited(conn->hcon->hdev,
2546 					"Identity key blocked for %pMR",
2547 					&conn->hcon->dst);
2548 		return SMP_INVALID_PARAMS;
2549 	}
2550 
2551 	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2552 
2553 	skb_pull(skb, sizeof(*info));
2554 
2555 	memcpy(smp->irk, info->irk, 16);
2556 
2557 	return 0;
2558 }
2559 
2560 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2561 				   struct sk_buff *skb)
2562 {
2563 	struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2564 	struct l2cap_chan *chan = conn->smp;
2565 	struct smp_chan *smp = chan->data;
2566 	struct hci_conn *hcon = conn->hcon;
2567 	bdaddr_t rpa;
2568 
2569 	BT_DBG("");
2570 
2571 	if (skb->len < sizeof(*info))
2572 		return SMP_INVALID_PARAMS;
2573 
2574 	/* Mark the information as received */
2575 	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2576 
2577 	if (smp->remote_key_dist & SMP_DIST_SIGN)
2578 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2579 
2580 	skb_pull(skb, sizeof(*info));
2581 
2582 	/* Strictly speaking the Core Specification (4.1) allows sending
2583 	 * an empty address which would force us to rely on just the IRK
2584 	 * as "identity information". However, since such
2585 	 * implementations are not known of and in order to not over
2586 	 * complicate our implementation, simply pretend that we never
2587 	 * received an IRK for such a device.
2588 	 *
2589 	 * The Identity Address must also be a Static Random or Public
2590 	 * Address, which hci_is_identity_address() checks for.
2591 	 */
2592 	if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2593 	    !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2594 		bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
2595 		goto distribute;
2596 	}
2597 
2598 	/* Drop IRK if peer is using identity address during pairing but is
2599 	 * providing different address as identity information.
2600 	 *
2601 	 * Microsoft Surface Precision Mouse is known to have this bug.
2602 	 */
2603 	if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
2604 	    (bacmp(&info->bdaddr, &hcon->dst) ||
2605 	     info->addr_type != hcon->dst_type)) {
2606 		bt_dev_err(hcon->hdev,
2607 			   "ignoring IRK with invalid identity address");
2608 		goto distribute;
2609 	}
2610 
2611 	bacpy(&smp->id_addr, &info->bdaddr);
2612 	smp->id_addr_type = info->addr_type;
2613 
2614 	if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2615 		bacpy(&rpa, &hcon->dst);
2616 	else
2617 		bacpy(&rpa, BDADDR_ANY);
2618 
2619 	smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2620 				      smp->id_addr_type, smp->irk, &rpa);
2621 
2622 distribute:
2623 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2624 		smp_distribute_keys(smp);
2625 
2626 	return 0;
2627 }
2628 
2629 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2630 {
2631 	struct smp_cmd_sign_info *rp = (void *) skb->data;
2632 	struct l2cap_chan *chan = conn->smp;
2633 	struct smp_chan *smp = chan->data;
2634 	struct smp_csrk *csrk;
2635 
2636 	BT_DBG("conn %p", conn);
2637 
2638 	if (skb->len < sizeof(*rp))
2639 		return SMP_INVALID_PARAMS;
2640 
2641 	/* Mark the information as received */
2642 	smp->remote_key_dist &= ~SMP_DIST_SIGN;
2643 
2644 	skb_pull(skb, sizeof(*rp));
2645 
2646 	csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2647 	if (csrk) {
2648 		if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2649 			csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2650 		else
2651 			csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2652 		memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2653 	}
2654 	smp->csrk = csrk;
2655 	smp_distribute_keys(smp);
2656 
2657 	return 0;
2658 }
2659 
2660 static u8 sc_select_method(struct smp_chan *smp)
2661 {
2662 	struct l2cap_conn *conn = smp->conn;
2663 	struct hci_conn *hcon = conn->hcon;
2664 	struct smp_cmd_pairing *local, *remote;
2665 	u8 local_mitm, remote_mitm, local_io, remote_io, method;
2666 
2667 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2668 	    test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2669 		return REQ_OOB;
2670 
2671 	/* The preq/prsp contain the raw Pairing Request/Response PDUs
2672 	 * which are needed as inputs to some crypto functions. To get
2673 	 * the "struct smp_cmd_pairing" from them we need to skip the
2674 	 * first byte which contains the opcode.
2675 	 */
2676 	if (hcon->out) {
2677 		local = (void *) &smp->preq[1];
2678 		remote = (void *) &smp->prsp[1];
2679 	} else {
2680 		local = (void *) &smp->prsp[1];
2681 		remote = (void *) &smp->preq[1];
2682 	}
2683 
2684 	local_io = local->io_capability;
2685 	remote_io = remote->io_capability;
2686 
2687 	local_mitm = (local->auth_req & SMP_AUTH_MITM);
2688 	remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2689 
2690 	/* If either side wants MITM, look up the method from the table,
2691 	 * otherwise use JUST WORKS.
2692 	 */
2693 	if (local_mitm || remote_mitm)
2694 		method = get_auth_method(smp, local_io, remote_io);
2695 	else
2696 		method = JUST_WORKS;
2697 
2698 	/* Don't confirm locally initiated pairing attempts */
2699 	if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2700 		method = JUST_WORKS;
2701 
2702 	return method;
2703 }
2704 
2705 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2706 {
2707 	struct smp_cmd_public_key *key = (void *) skb->data;
2708 	struct hci_conn *hcon = conn->hcon;
2709 	struct l2cap_chan *chan = conn->smp;
2710 	struct smp_chan *smp = chan->data;
2711 	struct hci_dev *hdev = hcon->hdev;
2712 	struct crypto_kpp *tfm_ecdh;
2713 	struct smp_cmd_pairing_confirm cfm;
2714 	int err;
2715 
2716 	BT_DBG("conn %p", conn);
2717 
2718 	if (skb->len < sizeof(*key))
2719 		return SMP_INVALID_PARAMS;
2720 
2721 	memcpy(smp->remote_pk, key, 64);
2722 
2723 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2724 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2725 			     smp->rr, 0, cfm.confirm_val);
2726 		if (err)
2727 			return SMP_UNSPECIFIED;
2728 
2729 		if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2730 			return SMP_CONFIRM_FAILED;
2731 	}
2732 
2733 	/* Non-initiating device sends its public key after receiving
2734 	 * the key from the initiating device.
2735 	 */
2736 	if (!hcon->out) {
2737 		err = sc_send_public_key(smp);
2738 		if (err)
2739 			return err;
2740 	}
2741 
2742 	SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2743 	SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2744 
2745 	/* Compute the shared secret on the same crypto tfm on which the private
2746 	 * key was set/generated.
2747 	 */
2748 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
2749 		struct l2cap_chan *hchan = hdev->smp_data;
2750 		struct smp_dev *smp_dev;
2751 
2752 		if (!hchan || !hchan->data)
2753 			return SMP_UNSPECIFIED;
2754 
2755 		smp_dev = hchan->data;
2756 
2757 		tfm_ecdh = smp_dev->tfm_ecdh;
2758 	} else {
2759 		tfm_ecdh = smp->tfm_ecdh;
2760 	}
2761 
2762 	if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
2763 		return SMP_UNSPECIFIED;
2764 
2765 	SMP_DBG("DHKey %32phN", smp->dhkey);
2766 
2767 	set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2768 
2769 	smp->method = sc_select_method(smp);
2770 
2771 	BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2772 
2773 	/* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2774 	if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2775 		hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2776 	else
2777 		hcon->pending_sec_level = BT_SECURITY_FIPS;
2778 
2779 	if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2780 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2781 
2782 	if (smp->method == DSP_PASSKEY) {
2783 		get_random_bytes(&hcon->passkey_notify,
2784 				 sizeof(hcon->passkey_notify));
2785 		hcon->passkey_notify %= 1000000;
2786 		hcon->passkey_entered = 0;
2787 		smp->passkey_round = 0;
2788 		if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2789 					     hcon->dst_type,
2790 					     hcon->passkey_notify,
2791 					     hcon->passkey_entered))
2792 			return SMP_UNSPECIFIED;
2793 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2794 		return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2795 	}
2796 
2797 	if (smp->method == REQ_OOB) {
2798 		if (hcon->out)
2799 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2800 				     sizeof(smp->prnd), smp->prnd);
2801 
2802 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2803 
2804 		return 0;
2805 	}
2806 
2807 	if (hcon->out)
2808 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2809 
2810 	if (smp->method == REQ_PASSKEY) {
2811 		if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2812 					      hcon->dst_type))
2813 			return SMP_UNSPECIFIED;
2814 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2815 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2816 		return 0;
2817 	}
2818 
2819 	/* The Initiating device waits for the non-initiating device to
2820 	 * send the confirm value.
2821 	 */
2822 	if (conn->hcon->out)
2823 		return 0;
2824 
2825 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2826 		     0, cfm.confirm_val);
2827 	if (err)
2828 		return SMP_UNSPECIFIED;
2829 
2830 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2831 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2832 
2833 	return 0;
2834 }
2835 
2836 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2837 {
2838 	struct smp_cmd_dhkey_check *check = (void *) skb->data;
2839 	struct l2cap_chan *chan = conn->smp;
2840 	struct hci_conn *hcon = conn->hcon;
2841 	struct smp_chan *smp = chan->data;
2842 	u8 a[7], b[7], *local_addr, *remote_addr;
2843 	u8 io_cap[3], r[16], e[16];
2844 	int err;
2845 
2846 	BT_DBG("conn %p", conn);
2847 
2848 	if (skb->len < sizeof(*check))
2849 		return SMP_INVALID_PARAMS;
2850 
2851 	memcpy(a, &hcon->init_addr, 6);
2852 	memcpy(b, &hcon->resp_addr, 6);
2853 	a[6] = hcon->init_addr_type;
2854 	b[6] = hcon->resp_addr_type;
2855 
2856 	if (hcon->out) {
2857 		local_addr = a;
2858 		remote_addr = b;
2859 		memcpy(io_cap, &smp->prsp[1], 3);
2860 	} else {
2861 		local_addr = b;
2862 		remote_addr = a;
2863 		memcpy(io_cap, &smp->preq[1], 3);
2864 	}
2865 
2866 	memset(r, 0, sizeof(r));
2867 
2868 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2869 		put_unaligned_le32(hcon->passkey_notify, r);
2870 	else if (smp->method == REQ_OOB)
2871 		memcpy(r, smp->lr, 16);
2872 
2873 	err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2874 		     io_cap, remote_addr, local_addr, e);
2875 	if (err)
2876 		return SMP_UNSPECIFIED;
2877 
2878 	if (crypto_memneq(check->e, e, 16))
2879 		return SMP_DHKEY_CHECK_FAILED;
2880 
2881 	if (!hcon->out) {
2882 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2883 			set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2884 			return 0;
2885 		}
2886 
2887 		/* Slave sends DHKey check as response to master */
2888 		sc_dhkey_check(smp);
2889 	}
2890 
2891 	sc_add_ltk(smp);
2892 
2893 	if (hcon->out) {
2894 		hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2895 		hcon->enc_key_size = smp->enc_key_size;
2896 	}
2897 
2898 	return 0;
2899 }
2900 
2901 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2902 				   struct sk_buff *skb)
2903 {
2904 	struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2905 
2906 	BT_DBG("value 0x%02x", kp->value);
2907 
2908 	return 0;
2909 }
2910 
2911 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2912 {
2913 	struct l2cap_conn *conn = chan->conn;
2914 	struct hci_conn *hcon = conn->hcon;
2915 	struct smp_chan *smp;
2916 	__u8 code, reason;
2917 	int err = 0;
2918 
2919 	if (skb->len < 1)
2920 		return -EILSEQ;
2921 
2922 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2923 		reason = SMP_PAIRING_NOTSUPP;
2924 		goto done;
2925 	}
2926 
2927 	code = skb->data[0];
2928 	skb_pull(skb, sizeof(code));
2929 
2930 	smp = chan->data;
2931 
2932 	if (code > SMP_CMD_MAX)
2933 		goto drop;
2934 
2935 	if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2936 		goto drop;
2937 
2938 	/* If we don't have a context the only allowed commands are
2939 	 * pairing request and security request.
2940 	 */
2941 	if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2942 		goto drop;
2943 
2944 	switch (code) {
2945 	case SMP_CMD_PAIRING_REQ:
2946 		reason = smp_cmd_pairing_req(conn, skb);
2947 		break;
2948 
2949 	case SMP_CMD_PAIRING_FAIL:
2950 		smp_failure(conn, 0);
2951 		err = -EPERM;
2952 		break;
2953 
2954 	case SMP_CMD_PAIRING_RSP:
2955 		reason = smp_cmd_pairing_rsp(conn, skb);
2956 		break;
2957 
2958 	case SMP_CMD_SECURITY_REQ:
2959 		reason = smp_cmd_security_req(conn, skb);
2960 		break;
2961 
2962 	case SMP_CMD_PAIRING_CONFIRM:
2963 		reason = smp_cmd_pairing_confirm(conn, skb);
2964 		break;
2965 
2966 	case SMP_CMD_PAIRING_RANDOM:
2967 		reason = smp_cmd_pairing_random(conn, skb);
2968 		break;
2969 
2970 	case SMP_CMD_ENCRYPT_INFO:
2971 		reason = smp_cmd_encrypt_info(conn, skb);
2972 		break;
2973 
2974 	case SMP_CMD_MASTER_IDENT:
2975 		reason = smp_cmd_master_ident(conn, skb);
2976 		break;
2977 
2978 	case SMP_CMD_IDENT_INFO:
2979 		reason = smp_cmd_ident_info(conn, skb);
2980 		break;
2981 
2982 	case SMP_CMD_IDENT_ADDR_INFO:
2983 		reason = smp_cmd_ident_addr_info(conn, skb);
2984 		break;
2985 
2986 	case SMP_CMD_SIGN_INFO:
2987 		reason = smp_cmd_sign_info(conn, skb);
2988 		break;
2989 
2990 	case SMP_CMD_PUBLIC_KEY:
2991 		reason = smp_cmd_public_key(conn, skb);
2992 		break;
2993 
2994 	case SMP_CMD_DHKEY_CHECK:
2995 		reason = smp_cmd_dhkey_check(conn, skb);
2996 		break;
2997 
2998 	case SMP_CMD_KEYPRESS_NOTIFY:
2999 		reason = smp_cmd_keypress_notify(conn, skb);
3000 		break;
3001 
3002 	default:
3003 		BT_DBG("Unknown command code 0x%2.2x", code);
3004 		reason = SMP_CMD_NOTSUPP;
3005 		goto done;
3006 	}
3007 
3008 done:
3009 	if (!err) {
3010 		if (reason)
3011 			smp_failure(conn, reason);
3012 		kfree_skb(skb);
3013 	}
3014 
3015 	return err;
3016 
3017 drop:
3018 	bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
3019 		   code, &hcon->dst);
3020 	kfree_skb(skb);
3021 	return 0;
3022 }
3023 
3024 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
3025 {
3026 	struct l2cap_conn *conn = chan->conn;
3027 
3028 	BT_DBG("chan %p", chan);
3029 
3030 	if (chan->data)
3031 		smp_chan_destroy(conn);
3032 
3033 	conn->smp = NULL;
3034 	l2cap_chan_put(chan);
3035 }
3036 
3037 static void bredr_pairing(struct l2cap_chan *chan)
3038 {
3039 	struct l2cap_conn *conn = chan->conn;
3040 	struct hci_conn *hcon = conn->hcon;
3041 	struct hci_dev *hdev = hcon->hdev;
3042 	struct smp_cmd_pairing req;
3043 	struct smp_chan *smp;
3044 
3045 	BT_DBG("chan %p", chan);
3046 
3047 	/* Only new pairings are interesting */
3048 	if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
3049 		return;
3050 
3051 	/* Don't bother if we're not encrypted */
3052 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3053 		return;
3054 
3055 	/* Only master may initiate SMP over BR/EDR */
3056 	if (hcon->role != HCI_ROLE_MASTER)
3057 		return;
3058 
3059 	/* Secure Connections support must be enabled */
3060 	if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
3061 		return;
3062 
3063 	/* BR/EDR must use Secure Connections for SMP */
3064 	if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
3065 	    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3066 		return;
3067 
3068 	/* If our LE support is not enabled don't do anything */
3069 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3070 		return;
3071 
3072 	/* Don't bother if remote LE support is not enabled */
3073 	if (!lmp_host_le_capable(hcon))
3074 		return;
3075 
3076 	/* Remote must support SMP fixed chan for BR/EDR */
3077 	if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3078 		return;
3079 
3080 	/* Don't bother if SMP is already ongoing */
3081 	if (chan->data)
3082 		return;
3083 
3084 	smp = smp_chan_create(conn);
3085 	if (!smp) {
3086 		bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
3087 		return;
3088 	}
3089 
3090 	set_bit(SMP_FLAG_SC, &smp->flags);
3091 
3092 	BT_DBG("%s starting SMP over BR/EDR", hdev->name);
3093 
3094 	/* Prepare and send the BR/EDR SMP Pairing Request */
3095 	build_bredr_pairing_cmd(smp, &req, NULL);
3096 
3097 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
3098 	memcpy(&smp->preq[1], &req, sizeof(req));
3099 
3100 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3101 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3102 }
3103 
3104 static void smp_resume_cb(struct l2cap_chan *chan)
3105 {
3106 	struct smp_chan *smp = chan->data;
3107 	struct l2cap_conn *conn = chan->conn;
3108 	struct hci_conn *hcon = conn->hcon;
3109 
3110 	BT_DBG("chan %p", chan);
3111 
3112 	if (hcon->type == ACL_LINK) {
3113 		bredr_pairing(chan);
3114 		return;
3115 	}
3116 
3117 	if (!smp)
3118 		return;
3119 
3120 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3121 		return;
3122 
3123 	cancel_delayed_work(&smp->security_timer);
3124 
3125 	smp_distribute_keys(smp);
3126 }
3127 
3128 static void smp_ready_cb(struct l2cap_chan *chan)
3129 {
3130 	struct l2cap_conn *conn = chan->conn;
3131 	struct hci_conn *hcon = conn->hcon;
3132 
3133 	BT_DBG("chan %p", chan);
3134 
3135 	/* No need to call l2cap_chan_hold() here since we already own
3136 	 * the reference taken in smp_new_conn_cb(). This is just the
3137 	 * first time that we tie it to a specific pointer. The code in
3138 	 * l2cap_core.c ensures that there's no risk this function wont
3139 	 * get called if smp_new_conn_cb was previously called.
3140 	 */
3141 	conn->smp = chan;
3142 
3143 	if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3144 		bredr_pairing(chan);
3145 }
3146 
3147 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3148 {
3149 	int err;
3150 
3151 	BT_DBG("chan %p", chan);
3152 
3153 	err = smp_sig_channel(chan, skb);
3154 	if (err) {
3155 		struct smp_chan *smp = chan->data;
3156 
3157 		if (smp)
3158 			cancel_delayed_work_sync(&smp->security_timer);
3159 
3160 		hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3161 	}
3162 
3163 	return err;
3164 }
3165 
3166 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3167 					unsigned long hdr_len,
3168 					unsigned long len, int nb)
3169 {
3170 	struct sk_buff *skb;
3171 
3172 	skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3173 	if (!skb)
3174 		return ERR_PTR(-ENOMEM);
3175 
3176 	skb->priority = HCI_PRIO_MAX;
3177 	bt_cb(skb)->l2cap.chan = chan;
3178 
3179 	return skb;
3180 }
3181 
3182 static const struct l2cap_ops smp_chan_ops = {
3183 	.name			= "Security Manager",
3184 	.ready			= smp_ready_cb,
3185 	.recv			= smp_recv_cb,
3186 	.alloc_skb		= smp_alloc_skb_cb,
3187 	.teardown		= smp_teardown_cb,
3188 	.resume			= smp_resume_cb,
3189 
3190 	.new_connection		= l2cap_chan_no_new_connection,
3191 	.state_change		= l2cap_chan_no_state_change,
3192 	.close			= l2cap_chan_no_close,
3193 	.defer			= l2cap_chan_no_defer,
3194 	.suspend		= l2cap_chan_no_suspend,
3195 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3196 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3197 };
3198 
3199 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3200 {
3201 	struct l2cap_chan *chan;
3202 
3203 	BT_DBG("pchan %p", pchan);
3204 
3205 	chan = l2cap_chan_create();
3206 	if (!chan)
3207 		return NULL;
3208 
3209 	chan->chan_type	= pchan->chan_type;
3210 	chan->ops	= &smp_chan_ops;
3211 	chan->scid	= pchan->scid;
3212 	chan->dcid	= chan->scid;
3213 	chan->imtu	= pchan->imtu;
3214 	chan->omtu	= pchan->omtu;
3215 	chan->mode	= pchan->mode;
3216 
3217 	/* Other L2CAP channels may request SMP routines in order to
3218 	 * change the security level. This means that the SMP channel
3219 	 * lock must be considered in its own category to avoid lockdep
3220 	 * warnings.
3221 	 */
3222 	atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3223 
3224 	BT_DBG("created chan %p", chan);
3225 
3226 	return chan;
3227 }
3228 
3229 static const struct l2cap_ops smp_root_chan_ops = {
3230 	.name			= "Security Manager Root",
3231 	.new_connection		= smp_new_conn_cb,
3232 
3233 	/* None of these are implemented for the root channel */
3234 	.close			= l2cap_chan_no_close,
3235 	.alloc_skb		= l2cap_chan_no_alloc_skb,
3236 	.recv			= l2cap_chan_no_recv,
3237 	.state_change		= l2cap_chan_no_state_change,
3238 	.teardown		= l2cap_chan_no_teardown,
3239 	.ready			= l2cap_chan_no_ready,
3240 	.defer			= l2cap_chan_no_defer,
3241 	.suspend		= l2cap_chan_no_suspend,
3242 	.resume			= l2cap_chan_no_resume,
3243 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3244 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3245 };
3246 
3247 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3248 {
3249 	struct l2cap_chan *chan;
3250 	struct smp_dev *smp;
3251 	struct crypto_shash *tfm_cmac;
3252 	struct crypto_kpp *tfm_ecdh;
3253 
3254 	if (cid == L2CAP_CID_SMP_BREDR) {
3255 		smp = NULL;
3256 		goto create_chan;
3257 	}
3258 
3259 	smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3260 	if (!smp)
3261 		return ERR_PTR(-ENOMEM);
3262 
3263 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3264 	if (IS_ERR(tfm_cmac)) {
3265 		BT_ERR("Unable to create CMAC crypto context");
3266 		kzfree(smp);
3267 		return ERR_CAST(tfm_cmac);
3268 	}
3269 
3270 	tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
3271 	if (IS_ERR(tfm_ecdh)) {
3272 		BT_ERR("Unable to create ECDH crypto context");
3273 		crypto_free_shash(tfm_cmac);
3274 		kzfree(smp);
3275 		return ERR_CAST(tfm_ecdh);
3276 	}
3277 
3278 	smp->local_oob = false;
3279 	smp->tfm_cmac = tfm_cmac;
3280 	smp->tfm_ecdh = tfm_ecdh;
3281 
3282 create_chan:
3283 	chan = l2cap_chan_create();
3284 	if (!chan) {
3285 		if (smp) {
3286 			crypto_free_shash(smp->tfm_cmac);
3287 			crypto_free_kpp(smp->tfm_ecdh);
3288 			kzfree(smp);
3289 		}
3290 		return ERR_PTR(-ENOMEM);
3291 	}
3292 
3293 	chan->data = smp;
3294 
3295 	l2cap_add_scid(chan, cid);
3296 
3297 	l2cap_chan_set_defaults(chan);
3298 
3299 	if (cid == L2CAP_CID_SMP) {
3300 		u8 bdaddr_type;
3301 
3302 		hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3303 
3304 		if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3305 			chan->src_type = BDADDR_LE_PUBLIC;
3306 		else
3307 			chan->src_type = BDADDR_LE_RANDOM;
3308 	} else {
3309 		bacpy(&chan->src, &hdev->bdaddr);
3310 		chan->src_type = BDADDR_BREDR;
3311 	}
3312 
3313 	chan->state = BT_LISTEN;
3314 	chan->mode = L2CAP_MODE_BASIC;
3315 	chan->imtu = L2CAP_DEFAULT_MTU;
3316 	chan->ops = &smp_root_chan_ops;
3317 
3318 	/* Set correct nesting level for a parent/listening channel */
3319 	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3320 
3321 	return chan;
3322 }
3323 
3324 static void smp_del_chan(struct l2cap_chan *chan)
3325 {
3326 	struct smp_dev *smp;
3327 
3328 	BT_DBG("chan %p", chan);
3329 
3330 	smp = chan->data;
3331 	if (smp) {
3332 		chan->data = NULL;
3333 		crypto_free_shash(smp->tfm_cmac);
3334 		crypto_free_kpp(smp->tfm_ecdh);
3335 		kzfree(smp);
3336 	}
3337 
3338 	l2cap_chan_put(chan);
3339 }
3340 
3341 static ssize_t force_bredr_smp_read(struct file *file,
3342 				    char __user *user_buf,
3343 				    size_t count, loff_t *ppos)
3344 {
3345 	struct hci_dev *hdev = file->private_data;
3346 	char buf[3];
3347 
3348 	buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3349 	buf[1] = '\n';
3350 	buf[2] = '\0';
3351 	return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3352 }
3353 
3354 static ssize_t force_bredr_smp_write(struct file *file,
3355 				     const char __user *user_buf,
3356 				     size_t count, loff_t *ppos)
3357 {
3358 	struct hci_dev *hdev = file->private_data;
3359 	bool enable;
3360 	int err;
3361 
3362 	err = kstrtobool_from_user(user_buf, count, &enable);
3363 	if (err)
3364 		return err;
3365 
3366 	if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3367 		return -EALREADY;
3368 
3369 	if (enable) {
3370 		struct l2cap_chan *chan;
3371 
3372 		chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3373 		if (IS_ERR(chan))
3374 			return PTR_ERR(chan);
3375 
3376 		hdev->smp_bredr_data = chan;
3377 	} else {
3378 		struct l2cap_chan *chan;
3379 
3380 		chan = hdev->smp_bredr_data;
3381 		hdev->smp_bredr_data = NULL;
3382 		smp_del_chan(chan);
3383 	}
3384 
3385 	hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3386 
3387 	return count;
3388 }
3389 
3390 static const struct file_operations force_bredr_smp_fops = {
3391 	.open		= simple_open,
3392 	.read		= force_bredr_smp_read,
3393 	.write		= force_bredr_smp_write,
3394 	.llseek		= default_llseek,
3395 };
3396 
3397 int smp_register(struct hci_dev *hdev)
3398 {
3399 	struct l2cap_chan *chan;
3400 
3401 	BT_DBG("%s", hdev->name);
3402 
3403 	/* If the controller does not support Low Energy operation, then
3404 	 * there is also no need to register any SMP channel.
3405 	 */
3406 	if (!lmp_le_capable(hdev))
3407 		return 0;
3408 
3409 	if (WARN_ON(hdev->smp_data)) {
3410 		chan = hdev->smp_data;
3411 		hdev->smp_data = NULL;
3412 		smp_del_chan(chan);
3413 	}
3414 
3415 	chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3416 	if (IS_ERR(chan))
3417 		return PTR_ERR(chan);
3418 
3419 	hdev->smp_data = chan;
3420 
3421 	/* If the controller does not support BR/EDR Secure Connections
3422 	 * feature, then the BR/EDR SMP channel shall not be present.
3423 	 *
3424 	 * To test this with Bluetooth 4.0 controllers, create a debugfs
3425 	 * switch that allows forcing BR/EDR SMP support and accepting
3426 	 * cross-transport pairing on non-AES encrypted connections.
3427 	 */
3428 	if (!lmp_sc_capable(hdev)) {
3429 		debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3430 				    hdev, &force_bredr_smp_fops);
3431 
3432 		/* Flag can be already set here (due to power toggle) */
3433 		if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3434 			return 0;
3435 	}
3436 
3437 	if (WARN_ON(hdev->smp_bredr_data)) {
3438 		chan = hdev->smp_bredr_data;
3439 		hdev->smp_bredr_data = NULL;
3440 		smp_del_chan(chan);
3441 	}
3442 
3443 	chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3444 	if (IS_ERR(chan)) {
3445 		int err = PTR_ERR(chan);
3446 		chan = hdev->smp_data;
3447 		hdev->smp_data = NULL;
3448 		smp_del_chan(chan);
3449 		return err;
3450 	}
3451 
3452 	hdev->smp_bredr_data = chan;
3453 
3454 	return 0;
3455 }
3456 
3457 void smp_unregister(struct hci_dev *hdev)
3458 {
3459 	struct l2cap_chan *chan;
3460 
3461 	if (hdev->smp_bredr_data) {
3462 		chan = hdev->smp_bredr_data;
3463 		hdev->smp_bredr_data = NULL;
3464 		smp_del_chan(chan);
3465 	}
3466 
3467 	if (hdev->smp_data) {
3468 		chan = hdev->smp_data;
3469 		hdev->smp_data = NULL;
3470 		smp_del_chan(chan);
3471 	}
3472 }
3473 
3474 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3475 
3476 static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
3477 {
3478 	u8 pk[64];
3479 	int err;
3480 
3481 	err = set_ecdh_privkey(tfm_ecdh, debug_sk);
3482 	if (err)
3483 		return err;
3484 
3485 	err = generate_ecdh_public_key(tfm_ecdh, pk);
3486 	if (err)
3487 		return err;
3488 
3489 	if (crypto_memneq(pk, debug_pk, 64))
3490 		return -EINVAL;
3491 
3492 	return 0;
3493 }
3494 
3495 static int __init test_ah(void)
3496 {
3497 	const u8 irk[16] = {
3498 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3499 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3500 	const u8 r[3] = { 0x94, 0x81, 0x70 };
3501 	const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3502 	u8 res[3];
3503 	int err;
3504 
3505 	err = smp_ah(irk, r, res);
3506 	if (err)
3507 		return err;
3508 
3509 	if (crypto_memneq(res, exp, 3))
3510 		return -EINVAL;
3511 
3512 	return 0;
3513 }
3514 
3515 static int __init test_c1(void)
3516 {
3517 	const u8 k[16] = {
3518 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3519 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3520 	const u8 r[16] = {
3521 			0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3522 			0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3523 	const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3524 	const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3525 	const u8 _iat = 0x01;
3526 	const u8 _rat = 0x00;
3527 	const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3528 	const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3529 	const u8 exp[16] = {
3530 			0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3531 			0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3532 	u8 res[16];
3533 	int err;
3534 
3535 	err = smp_c1(k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3536 	if (err)
3537 		return err;
3538 
3539 	if (crypto_memneq(res, exp, 16))
3540 		return -EINVAL;
3541 
3542 	return 0;
3543 }
3544 
3545 static int __init test_s1(void)
3546 {
3547 	const u8 k[16] = {
3548 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3549 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3550 	const u8 r1[16] = {
3551 			0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3552 	const u8 r2[16] = {
3553 			0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3554 	const u8 exp[16] = {
3555 			0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3556 			0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3557 	u8 res[16];
3558 	int err;
3559 
3560 	err = smp_s1(k, r1, r2, res);
3561 	if (err)
3562 		return err;
3563 
3564 	if (crypto_memneq(res, exp, 16))
3565 		return -EINVAL;
3566 
3567 	return 0;
3568 }
3569 
3570 static int __init test_f4(struct crypto_shash *tfm_cmac)
3571 {
3572 	const u8 u[32] = {
3573 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3574 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3575 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3576 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3577 	const u8 v[32] = {
3578 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3579 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3580 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3581 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3582 	const u8 x[16] = {
3583 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3584 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3585 	const u8 z = 0x00;
3586 	const u8 exp[16] = {
3587 			0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3588 			0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3589 	u8 res[16];
3590 	int err;
3591 
3592 	err = smp_f4(tfm_cmac, u, v, x, z, res);
3593 	if (err)
3594 		return err;
3595 
3596 	if (crypto_memneq(res, exp, 16))
3597 		return -EINVAL;
3598 
3599 	return 0;
3600 }
3601 
3602 static int __init test_f5(struct crypto_shash *tfm_cmac)
3603 {
3604 	const u8 w[32] = {
3605 			0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3606 			0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3607 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3608 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3609 	const u8 n1[16] = {
3610 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3611 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3612 	const u8 n2[16] = {
3613 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3614 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3615 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3616 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3617 	const u8 exp_ltk[16] = {
3618 			0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3619 			0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3620 	const u8 exp_mackey[16] = {
3621 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3622 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3623 	u8 mackey[16], ltk[16];
3624 	int err;
3625 
3626 	err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3627 	if (err)
3628 		return err;
3629 
3630 	if (crypto_memneq(mackey, exp_mackey, 16))
3631 		return -EINVAL;
3632 
3633 	if (crypto_memneq(ltk, exp_ltk, 16))
3634 		return -EINVAL;
3635 
3636 	return 0;
3637 }
3638 
3639 static int __init test_f6(struct crypto_shash *tfm_cmac)
3640 {
3641 	const u8 w[16] = {
3642 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3643 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3644 	const u8 n1[16] = {
3645 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3646 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3647 	const u8 n2[16] = {
3648 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3649 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3650 	const u8 r[16] = {
3651 			0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3652 			0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3653 	const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3654 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3655 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3656 	const u8 exp[16] = {
3657 			0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3658 			0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3659 	u8 res[16];
3660 	int err;
3661 
3662 	err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3663 	if (err)
3664 		return err;
3665 
3666 	if (crypto_memneq(res, exp, 16))
3667 		return -EINVAL;
3668 
3669 	return 0;
3670 }
3671 
3672 static int __init test_g2(struct crypto_shash *tfm_cmac)
3673 {
3674 	const u8 u[32] = {
3675 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3676 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3677 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3678 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3679 	const u8 v[32] = {
3680 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3681 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3682 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3683 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3684 	const u8 x[16] = {
3685 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3686 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3687 	const u8 y[16] = {
3688 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3689 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3690 	const u32 exp_val = 0x2f9ed5ba % 1000000;
3691 	u32 val;
3692 	int err;
3693 
3694 	err = smp_g2(tfm_cmac, u, v, x, y, &val);
3695 	if (err)
3696 		return err;
3697 
3698 	if (val != exp_val)
3699 		return -EINVAL;
3700 
3701 	return 0;
3702 }
3703 
3704 static int __init test_h6(struct crypto_shash *tfm_cmac)
3705 {
3706 	const u8 w[16] = {
3707 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3708 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3709 	const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3710 	const u8 exp[16] = {
3711 			0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3712 			0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3713 	u8 res[16];
3714 	int err;
3715 
3716 	err = smp_h6(tfm_cmac, w, key_id, res);
3717 	if (err)
3718 		return err;
3719 
3720 	if (crypto_memneq(res, exp, 16))
3721 		return -EINVAL;
3722 
3723 	return 0;
3724 }
3725 
3726 static char test_smp_buffer[32];
3727 
3728 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3729 			     size_t count, loff_t *ppos)
3730 {
3731 	return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3732 				       strlen(test_smp_buffer));
3733 }
3734 
3735 static const struct file_operations test_smp_fops = {
3736 	.open		= simple_open,
3737 	.read		= test_smp_read,
3738 	.llseek		= default_llseek,
3739 };
3740 
3741 static int __init run_selftests(struct crypto_shash *tfm_cmac,
3742 				struct crypto_kpp *tfm_ecdh)
3743 {
3744 	ktime_t calltime, delta, rettime;
3745 	unsigned long long duration;
3746 	int err;
3747 
3748 	calltime = ktime_get();
3749 
3750 	err = test_debug_key(tfm_ecdh);
3751 	if (err) {
3752 		BT_ERR("debug_key test failed");
3753 		goto done;
3754 	}
3755 
3756 	err = test_ah();
3757 	if (err) {
3758 		BT_ERR("smp_ah test failed");
3759 		goto done;
3760 	}
3761 
3762 	err = test_c1();
3763 	if (err) {
3764 		BT_ERR("smp_c1 test failed");
3765 		goto done;
3766 	}
3767 
3768 	err = test_s1();
3769 	if (err) {
3770 		BT_ERR("smp_s1 test failed");
3771 		goto done;
3772 	}
3773 
3774 	err = test_f4(tfm_cmac);
3775 	if (err) {
3776 		BT_ERR("smp_f4 test failed");
3777 		goto done;
3778 	}
3779 
3780 	err = test_f5(tfm_cmac);
3781 	if (err) {
3782 		BT_ERR("smp_f5 test failed");
3783 		goto done;
3784 	}
3785 
3786 	err = test_f6(tfm_cmac);
3787 	if (err) {
3788 		BT_ERR("smp_f6 test failed");
3789 		goto done;
3790 	}
3791 
3792 	err = test_g2(tfm_cmac);
3793 	if (err) {
3794 		BT_ERR("smp_g2 test failed");
3795 		goto done;
3796 	}
3797 
3798 	err = test_h6(tfm_cmac);
3799 	if (err) {
3800 		BT_ERR("smp_h6 test failed");
3801 		goto done;
3802 	}
3803 
3804 	rettime = ktime_get();
3805 	delta = ktime_sub(rettime, calltime);
3806 	duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3807 
3808 	BT_INFO("SMP test passed in %llu usecs", duration);
3809 
3810 done:
3811 	if (!err)
3812 		snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3813 			 "PASS (%llu usecs)\n", duration);
3814 	else
3815 		snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3816 
3817 	debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3818 			    &test_smp_fops);
3819 
3820 	return err;
3821 }
3822 
3823 int __init bt_selftest_smp(void)
3824 {
3825 	struct crypto_shash *tfm_cmac;
3826 	struct crypto_kpp *tfm_ecdh;
3827 	int err;
3828 
3829 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3830 	if (IS_ERR(tfm_cmac)) {
3831 		BT_ERR("Unable to create CMAC crypto context");
3832 		return PTR_ERR(tfm_cmac);
3833 	}
3834 
3835 	tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
3836 	if (IS_ERR(tfm_ecdh)) {
3837 		BT_ERR("Unable to create ECDH crypto context");
3838 		crypto_free_shash(tfm_cmac);
3839 		return PTR_ERR(tfm_ecdh);
3840 	}
3841 
3842 	err = run_selftests(tfm_cmac, tfm_ecdh);
3843 
3844 	crypto_free_shash(tfm_cmac);
3845 	crypto_free_kpp(tfm_ecdh);
3846 
3847 	return err;
3848 }
3849 
3850 #endif
3851