xref: /openbmc/linux/net/bluetooth/smp.c (revision f17f06a0)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4 
5    This program is free software; you can redistribute it and/or modify
6    it under the terms of the GNU General Public License version 2 as
7    published by the Free Software Foundation;
8 
9    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 
18    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20    SOFTWARE IS DISCLAIMED.
21 */
22 
23 #include <linux/debugfs.h>
24 #include <linux/scatterlist.h>
25 #include <linux/crypto.h>
26 #include <crypto/aes.h>
27 #include <crypto/algapi.h>
28 #include <crypto/b128ops.h>
29 #include <crypto/hash.h>
30 #include <crypto/kpp.h>
31 
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/l2cap.h>
35 #include <net/bluetooth/mgmt.h>
36 
37 #include "ecdh_helper.h"
38 #include "smp.h"
39 
40 #define SMP_DEV(hdev) \
41 	((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
42 
43 /* Low-level debug macros to be used for stuff that we don't want
44  * accidentially in dmesg, i.e. the values of the various crypto keys
45  * and the inputs & outputs of crypto functions.
46  */
47 #ifdef DEBUG
48 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
49 				 ##__VA_ARGS__)
50 #else
51 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
52 				    ##__VA_ARGS__)
53 #endif
54 
55 #define SMP_ALLOW_CMD(smp, code)	set_bit(code, &smp->allow_cmd)
56 
57 /* Keys which are not distributed with Secure Connections */
58 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
59 
60 #define SMP_TIMEOUT	msecs_to_jiffies(30000)
61 
62 #define AUTH_REQ_MASK(dev)	(hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
63 				 0x3f : 0x07)
64 #define KEY_DIST_MASK		0x07
65 
66 /* Maximum message length that can be passed to aes_cmac */
67 #define CMAC_MSG_MAX	80
68 
69 enum {
70 	SMP_FLAG_TK_VALID,
71 	SMP_FLAG_CFM_PENDING,
72 	SMP_FLAG_MITM_AUTH,
73 	SMP_FLAG_COMPLETE,
74 	SMP_FLAG_INITIATOR,
75 	SMP_FLAG_SC,
76 	SMP_FLAG_REMOTE_PK,
77 	SMP_FLAG_DEBUG_KEY,
78 	SMP_FLAG_WAIT_USER,
79 	SMP_FLAG_DHKEY_PENDING,
80 	SMP_FLAG_REMOTE_OOB,
81 	SMP_FLAG_LOCAL_OOB,
82 	SMP_FLAG_CT2,
83 };
84 
85 struct smp_dev {
86 	/* Secure Connections OOB data */
87 	bool			local_oob;
88 	u8			local_pk[64];
89 	u8			local_rand[16];
90 	bool			debug_key;
91 
92 	struct crypto_shash	*tfm_cmac;
93 	struct crypto_kpp	*tfm_ecdh;
94 };
95 
96 struct smp_chan {
97 	struct l2cap_conn	*conn;
98 	struct delayed_work	security_timer;
99 	unsigned long           allow_cmd; /* Bitmask of allowed commands */
100 
101 	u8		preq[7]; /* SMP Pairing Request */
102 	u8		prsp[7]; /* SMP Pairing Response */
103 	u8		prnd[16]; /* SMP Pairing Random (local) */
104 	u8		rrnd[16]; /* SMP Pairing Random (remote) */
105 	u8		pcnf[16]; /* SMP Pairing Confirm */
106 	u8		tk[16]; /* SMP Temporary Key */
107 	u8		rr[16]; /* Remote OOB ra/rb value */
108 	u8		lr[16]; /* Local OOB ra/rb value */
109 	u8		enc_key_size;
110 	u8		remote_key_dist;
111 	bdaddr_t	id_addr;
112 	u8		id_addr_type;
113 	u8		irk[16];
114 	struct smp_csrk	*csrk;
115 	struct smp_csrk	*slave_csrk;
116 	struct smp_ltk	*ltk;
117 	struct smp_ltk	*slave_ltk;
118 	struct smp_irk	*remote_irk;
119 	u8		*link_key;
120 	unsigned long	flags;
121 	u8		method;
122 	u8		passkey_round;
123 
124 	/* Secure Connections variables */
125 	u8			local_pk[64];
126 	u8			remote_pk[64];
127 	u8			dhkey[32];
128 	u8			mackey[16];
129 
130 	struct crypto_shash	*tfm_cmac;
131 	struct crypto_kpp	*tfm_ecdh;
132 };
133 
134 /* These debug key values are defined in the SMP section of the core
135  * specification. debug_pk is the public debug key and debug_sk the
136  * private debug key.
137  */
138 static const u8 debug_pk[64] = {
139 		0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
140 		0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
141 		0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
142 		0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
143 
144 		0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
145 		0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
146 		0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
147 		0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
148 };
149 
150 static const u8 debug_sk[32] = {
151 		0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
152 		0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
153 		0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
154 		0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
155 };
156 
157 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
158 {
159 	size_t i;
160 
161 	for (i = 0; i < len; i++)
162 		dst[len - 1 - i] = src[i];
163 }
164 
165 /* The following functions map to the LE SC SMP crypto functions
166  * AES-CMAC, f4, f5, f6, g2 and h6.
167  */
168 
169 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
170 		    size_t len, u8 mac[16])
171 {
172 	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
173 	SHASH_DESC_ON_STACK(desc, tfm);
174 	int err;
175 
176 	if (len > CMAC_MSG_MAX)
177 		return -EFBIG;
178 
179 	if (!tfm) {
180 		BT_ERR("tfm %p", tfm);
181 		return -EINVAL;
182 	}
183 
184 	desc->tfm = tfm;
185 
186 	/* Swap key and message from LSB to MSB */
187 	swap_buf(k, tmp, 16);
188 	swap_buf(m, msg_msb, len);
189 
190 	SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
191 	SMP_DBG("key %16phN", k);
192 
193 	err = crypto_shash_setkey(tfm, tmp, 16);
194 	if (err) {
195 		BT_ERR("cipher setkey failed: %d", err);
196 		return err;
197 	}
198 
199 	err = crypto_shash_digest(desc, msg_msb, len, mac_msb);
200 	shash_desc_zero(desc);
201 	if (err) {
202 		BT_ERR("Hash computation error %d", err);
203 		return err;
204 	}
205 
206 	swap_buf(mac_msb, mac, 16);
207 
208 	SMP_DBG("mac %16phN", mac);
209 
210 	return 0;
211 }
212 
213 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
214 		  const u8 v[32], const u8 x[16], u8 z, u8 res[16])
215 {
216 	u8 m[65];
217 	int err;
218 
219 	SMP_DBG("u %32phN", u);
220 	SMP_DBG("v %32phN", v);
221 	SMP_DBG("x %16phN z %02x", x, z);
222 
223 	m[0] = z;
224 	memcpy(m + 1, v, 32);
225 	memcpy(m + 33, u, 32);
226 
227 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
228 	if (err)
229 		return err;
230 
231 	SMP_DBG("res %16phN", res);
232 
233 	return err;
234 }
235 
236 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
237 		  const u8 n1[16], const u8 n2[16], const u8 a1[7],
238 		  const u8 a2[7], u8 mackey[16], u8 ltk[16])
239 {
240 	/* The btle, salt and length "magic" values are as defined in
241 	 * the SMP section of the Bluetooth core specification. In ASCII
242 	 * the btle value ends up being 'btle'. The salt is just a
243 	 * random number whereas length is the value 256 in little
244 	 * endian format.
245 	 */
246 	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
247 	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
248 			      0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
249 	const u8 length[2] = { 0x00, 0x01 };
250 	u8 m[53], t[16];
251 	int err;
252 
253 	SMP_DBG("w %32phN", w);
254 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
255 	SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
256 
257 	err = aes_cmac(tfm_cmac, salt, w, 32, t);
258 	if (err)
259 		return err;
260 
261 	SMP_DBG("t %16phN", t);
262 
263 	memcpy(m, length, 2);
264 	memcpy(m + 2, a2, 7);
265 	memcpy(m + 9, a1, 7);
266 	memcpy(m + 16, n2, 16);
267 	memcpy(m + 32, n1, 16);
268 	memcpy(m + 48, btle, 4);
269 
270 	m[52] = 0; /* Counter */
271 
272 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
273 	if (err)
274 		return err;
275 
276 	SMP_DBG("mackey %16phN", mackey);
277 
278 	m[52] = 1; /* Counter */
279 
280 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
281 	if (err)
282 		return err;
283 
284 	SMP_DBG("ltk %16phN", ltk);
285 
286 	return 0;
287 }
288 
289 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
290 		  const u8 n1[16], const u8 n2[16], const u8 r[16],
291 		  const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
292 		  u8 res[16])
293 {
294 	u8 m[65];
295 	int err;
296 
297 	SMP_DBG("w %16phN", w);
298 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
299 	SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
300 
301 	memcpy(m, a2, 7);
302 	memcpy(m + 7, a1, 7);
303 	memcpy(m + 14, io_cap, 3);
304 	memcpy(m + 17, r, 16);
305 	memcpy(m + 33, n2, 16);
306 	memcpy(m + 49, n1, 16);
307 
308 	err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
309 	if (err)
310 		return err;
311 
312 	SMP_DBG("res %16phN", res);
313 
314 	return err;
315 }
316 
317 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
318 		  const u8 x[16], const u8 y[16], u32 *val)
319 {
320 	u8 m[80], tmp[16];
321 	int err;
322 
323 	SMP_DBG("u %32phN", u);
324 	SMP_DBG("v %32phN", v);
325 	SMP_DBG("x %16phN y %16phN", x, y);
326 
327 	memcpy(m, y, 16);
328 	memcpy(m + 16, v, 32);
329 	memcpy(m + 48, u, 32);
330 
331 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
332 	if (err)
333 		return err;
334 
335 	*val = get_unaligned_le32(tmp);
336 	*val %= 1000000;
337 
338 	SMP_DBG("val %06u", *val);
339 
340 	return 0;
341 }
342 
343 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
344 		  const u8 key_id[4], u8 res[16])
345 {
346 	int err;
347 
348 	SMP_DBG("w %16phN key_id %4phN", w, key_id);
349 
350 	err = aes_cmac(tfm_cmac, w, key_id, 4, res);
351 	if (err)
352 		return err;
353 
354 	SMP_DBG("res %16phN", res);
355 
356 	return err;
357 }
358 
359 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
360 		  const u8 salt[16], u8 res[16])
361 {
362 	int err;
363 
364 	SMP_DBG("w %16phN salt %16phN", w, salt);
365 
366 	err = aes_cmac(tfm_cmac, salt, w, 16, res);
367 	if (err)
368 		return err;
369 
370 	SMP_DBG("res %16phN", res);
371 
372 	return err;
373 }
374 
375 /* The following functions map to the legacy SMP crypto functions e, c1,
376  * s1 and ah.
377  */
378 
379 static int smp_e(const u8 *k, u8 *r)
380 {
381 	struct crypto_aes_ctx ctx;
382 	uint8_t tmp[16], data[16];
383 	int err;
384 
385 	SMP_DBG("k %16phN r %16phN", k, r);
386 
387 	/* The most significant octet of key corresponds to k[0] */
388 	swap_buf(k, tmp, 16);
389 
390 	err = aes_expandkey(&ctx, tmp, 16);
391 	if (err) {
392 		BT_ERR("cipher setkey failed: %d", err);
393 		return err;
394 	}
395 
396 	/* Most significant octet of plaintextData corresponds to data[0] */
397 	swap_buf(r, data, 16);
398 
399 	aes_encrypt(&ctx, data, data);
400 
401 	/* Most significant octet of encryptedData corresponds to data[0] */
402 	swap_buf(data, r, 16);
403 
404 	SMP_DBG("r %16phN", r);
405 
406 	memzero_explicit(&ctx, sizeof (ctx));
407 	return err;
408 }
409 
410 static int smp_c1(const u8 k[16],
411 		  const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
412 		  const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
413 {
414 	u8 p1[16], p2[16];
415 	int err;
416 
417 	SMP_DBG("k %16phN r %16phN", k, r);
418 	SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
419 	SMP_DBG("preq %7phN pres %7phN", preq, pres);
420 
421 	memset(p1, 0, 16);
422 
423 	/* p1 = pres || preq || _rat || _iat */
424 	p1[0] = _iat;
425 	p1[1] = _rat;
426 	memcpy(p1 + 2, preq, 7);
427 	memcpy(p1 + 9, pres, 7);
428 
429 	SMP_DBG("p1 %16phN", p1);
430 
431 	/* res = r XOR p1 */
432 	u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
433 
434 	/* res = e(k, res) */
435 	err = smp_e(k, res);
436 	if (err) {
437 		BT_ERR("Encrypt data error");
438 		return err;
439 	}
440 
441 	/* p2 = padding || ia || ra */
442 	memcpy(p2, ra, 6);
443 	memcpy(p2 + 6, ia, 6);
444 	memset(p2 + 12, 0, 4);
445 
446 	SMP_DBG("p2 %16phN", p2);
447 
448 	/* res = res XOR p2 */
449 	u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
450 
451 	/* res = e(k, res) */
452 	err = smp_e(k, res);
453 	if (err)
454 		BT_ERR("Encrypt data error");
455 
456 	return err;
457 }
458 
459 static int smp_s1(const u8 k[16],
460 		  const u8 r1[16], const u8 r2[16], u8 _r[16])
461 {
462 	int err;
463 
464 	/* Just least significant octets from r1 and r2 are considered */
465 	memcpy(_r, r2, 8);
466 	memcpy(_r + 8, r1, 8);
467 
468 	err = smp_e(k, _r);
469 	if (err)
470 		BT_ERR("Encrypt data error");
471 
472 	return err;
473 }
474 
475 static int smp_ah(const u8 irk[16], const u8 r[3], u8 res[3])
476 {
477 	u8 _res[16];
478 	int err;
479 
480 	/* r' = padding || r */
481 	memcpy(_res, r, 3);
482 	memset(_res + 3, 0, 13);
483 
484 	err = smp_e(irk, _res);
485 	if (err) {
486 		BT_ERR("Encrypt error");
487 		return err;
488 	}
489 
490 	/* The output of the random address function ah is:
491 	 *	ah(k, r) = e(k, r') mod 2^24
492 	 * The output of the security function e is then truncated to 24 bits
493 	 * by taking the least significant 24 bits of the output of e as the
494 	 * result of ah.
495 	 */
496 	memcpy(res, _res, 3);
497 
498 	return 0;
499 }
500 
501 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
502 		     const bdaddr_t *bdaddr)
503 {
504 	struct l2cap_chan *chan = hdev->smp_data;
505 	u8 hash[3];
506 	int err;
507 
508 	if (!chan || !chan->data)
509 		return false;
510 
511 	BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
512 
513 	err = smp_ah(irk, &bdaddr->b[3], hash);
514 	if (err)
515 		return false;
516 
517 	return !crypto_memneq(bdaddr->b, hash, 3);
518 }
519 
520 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
521 {
522 	struct l2cap_chan *chan = hdev->smp_data;
523 	int err;
524 
525 	if (!chan || !chan->data)
526 		return -EOPNOTSUPP;
527 
528 	get_random_bytes(&rpa->b[3], 3);
529 
530 	rpa->b[5] &= 0x3f;	/* Clear two most significant bits */
531 	rpa->b[5] |= 0x40;	/* Set second most significant bit */
532 
533 	err = smp_ah(irk, &rpa->b[3], rpa->b);
534 	if (err < 0)
535 		return err;
536 
537 	BT_DBG("RPA %pMR", rpa);
538 
539 	return 0;
540 }
541 
542 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
543 {
544 	struct l2cap_chan *chan = hdev->smp_data;
545 	struct smp_dev *smp;
546 	int err;
547 
548 	if (!chan || !chan->data)
549 		return -EOPNOTSUPP;
550 
551 	smp = chan->data;
552 
553 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
554 		BT_DBG("Using debug keys");
555 		err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk);
556 		if (err)
557 			return err;
558 		memcpy(smp->local_pk, debug_pk, 64);
559 		smp->debug_key = true;
560 	} else {
561 		while (true) {
562 			/* Generate key pair for Secure Connections */
563 			err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk);
564 			if (err)
565 				return err;
566 
567 			/* This is unlikely, but we need to check that
568 			 * we didn't accidentially generate a debug key.
569 			 */
570 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
571 				break;
572 		}
573 		smp->debug_key = false;
574 	}
575 
576 	SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
577 	SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
578 
579 	get_random_bytes(smp->local_rand, 16);
580 
581 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
582 		     smp->local_rand, 0, hash);
583 	if (err < 0)
584 		return err;
585 
586 	memcpy(rand, smp->local_rand, 16);
587 
588 	smp->local_oob = true;
589 
590 	return 0;
591 }
592 
593 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
594 {
595 	struct l2cap_chan *chan = conn->smp;
596 	struct smp_chan *smp;
597 	struct kvec iv[2];
598 	struct msghdr msg;
599 
600 	if (!chan)
601 		return;
602 
603 	BT_DBG("code 0x%2.2x", code);
604 
605 	iv[0].iov_base = &code;
606 	iv[0].iov_len = 1;
607 
608 	iv[1].iov_base = data;
609 	iv[1].iov_len = len;
610 
611 	memset(&msg, 0, sizeof(msg));
612 
613 	iov_iter_kvec(&msg.msg_iter, WRITE, iv, 2, 1 + len);
614 
615 	l2cap_chan_send(chan, &msg, 1 + len);
616 
617 	if (!chan->data)
618 		return;
619 
620 	smp = chan->data;
621 
622 	cancel_delayed_work_sync(&smp->security_timer);
623 	schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
624 }
625 
626 static u8 authreq_to_seclevel(u8 authreq)
627 {
628 	if (authreq & SMP_AUTH_MITM) {
629 		if (authreq & SMP_AUTH_SC)
630 			return BT_SECURITY_FIPS;
631 		else
632 			return BT_SECURITY_HIGH;
633 	} else {
634 		return BT_SECURITY_MEDIUM;
635 	}
636 }
637 
638 static __u8 seclevel_to_authreq(__u8 sec_level)
639 {
640 	switch (sec_level) {
641 	case BT_SECURITY_FIPS:
642 	case BT_SECURITY_HIGH:
643 		return SMP_AUTH_MITM | SMP_AUTH_BONDING;
644 	case BT_SECURITY_MEDIUM:
645 		return SMP_AUTH_BONDING;
646 	default:
647 		return SMP_AUTH_NONE;
648 	}
649 }
650 
651 static void build_pairing_cmd(struct l2cap_conn *conn,
652 			      struct smp_cmd_pairing *req,
653 			      struct smp_cmd_pairing *rsp, __u8 authreq)
654 {
655 	struct l2cap_chan *chan = conn->smp;
656 	struct smp_chan *smp = chan->data;
657 	struct hci_conn *hcon = conn->hcon;
658 	struct hci_dev *hdev = hcon->hdev;
659 	u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
660 
661 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
662 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
663 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
664 		authreq |= SMP_AUTH_BONDING;
665 	} else {
666 		authreq &= ~SMP_AUTH_BONDING;
667 	}
668 
669 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
670 		remote_dist |= SMP_DIST_ID_KEY;
671 
672 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
673 		local_dist |= SMP_DIST_ID_KEY;
674 
675 	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
676 	    (authreq & SMP_AUTH_SC)) {
677 		struct oob_data *oob_data;
678 		u8 bdaddr_type;
679 
680 		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
681 			local_dist |= SMP_DIST_LINK_KEY;
682 			remote_dist |= SMP_DIST_LINK_KEY;
683 		}
684 
685 		if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
686 			bdaddr_type = BDADDR_LE_PUBLIC;
687 		else
688 			bdaddr_type = BDADDR_LE_RANDOM;
689 
690 		oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
691 						    bdaddr_type);
692 		if (oob_data && oob_data->present) {
693 			set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
694 			oob_flag = SMP_OOB_PRESENT;
695 			memcpy(smp->rr, oob_data->rand256, 16);
696 			memcpy(smp->pcnf, oob_data->hash256, 16);
697 			SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
698 			SMP_DBG("OOB Remote Random: %16phN", smp->rr);
699 		}
700 
701 	} else {
702 		authreq &= ~SMP_AUTH_SC;
703 	}
704 
705 	if (rsp == NULL) {
706 		req->io_capability = conn->hcon->io_capability;
707 		req->oob_flag = oob_flag;
708 		req->max_key_size = hdev->le_max_key_size;
709 		req->init_key_dist = local_dist;
710 		req->resp_key_dist = remote_dist;
711 		req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
712 
713 		smp->remote_key_dist = remote_dist;
714 		return;
715 	}
716 
717 	rsp->io_capability = conn->hcon->io_capability;
718 	rsp->oob_flag = oob_flag;
719 	rsp->max_key_size = hdev->le_max_key_size;
720 	rsp->init_key_dist = req->init_key_dist & remote_dist;
721 	rsp->resp_key_dist = req->resp_key_dist & local_dist;
722 	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
723 
724 	smp->remote_key_dist = rsp->init_key_dist;
725 }
726 
727 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
728 {
729 	struct l2cap_chan *chan = conn->smp;
730 	struct hci_dev *hdev = conn->hcon->hdev;
731 	struct smp_chan *smp = chan->data;
732 
733 	if (max_key_size > hdev->le_max_key_size ||
734 	    max_key_size < SMP_MIN_ENC_KEY_SIZE)
735 		return SMP_ENC_KEY_SIZE;
736 
737 	smp->enc_key_size = max_key_size;
738 
739 	return 0;
740 }
741 
742 static void smp_chan_destroy(struct l2cap_conn *conn)
743 {
744 	struct l2cap_chan *chan = conn->smp;
745 	struct smp_chan *smp = chan->data;
746 	struct hci_conn *hcon = conn->hcon;
747 	bool complete;
748 
749 	BUG_ON(!smp);
750 
751 	cancel_delayed_work_sync(&smp->security_timer);
752 
753 	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
754 	mgmt_smp_complete(hcon, complete);
755 
756 	kzfree(smp->csrk);
757 	kzfree(smp->slave_csrk);
758 	kzfree(smp->link_key);
759 
760 	crypto_free_shash(smp->tfm_cmac);
761 	crypto_free_kpp(smp->tfm_ecdh);
762 
763 	/* Ensure that we don't leave any debug key around if debug key
764 	 * support hasn't been explicitly enabled.
765 	 */
766 	if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
767 	    !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
768 		list_del_rcu(&smp->ltk->list);
769 		kfree_rcu(smp->ltk, rcu);
770 		smp->ltk = NULL;
771 	}
772 
773 	/* If pairing failed clean up any keys we might have */
774 	if (!complete) {
775 		if (smp->ltk) {
776 			list_del_rcu(&smp->ltk->list);
777 			kfree_rcu(smp->ltk, rcu);
778 		}
779 
780 		if (smp->slave_ltk) {
781 			list_del_rcu(&smp->slave_ltk->list);
782 			kfree_rcu(smp->slave_ltk, rcu);
783 		}
784 
785 		if (smp->remote_irk) {
786 			list_del_rcu(&smp->remote_irk->list);
787 			kfree_rcu(smp->remote_irk, rcu);
788 		}
789 	}
790 
791 	chan->data = NULL;
792 	kzfree(smp);
793 	hci_conn_drop(hcon);
794 }
795 
796 static void smp_failure(struct l2cap_conn *conn, u8 reason)
797 {
798 	struct hci_conn *hcon = conn->hcon;
799 	struct l2cap_chan *chan = conn->smp;
800 
801 	if (reason)
802 		smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
803 			     &reason);
804 
805 	mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
806 
807 	if (chan->data)
808 		smp_chan_destroy(conn);
809 }
810 
811 #define JUST_WORKS	0x00
812 #define JUST_CFM	0x01
813 #define REQ_PASSKEY	0x02
814 #define CFM_PASSKEY	0x03
815 #define REQ_OOB		0x04
816 #define DSP_PASSKEY	0x05
817 #define OVERLAP		0xFF
818 
819 static const u8 gen_method[5][5] = {
820 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
821 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
822 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
823 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
824 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
825 };
826 
827 static const u8 sc_method[5][5] = {
828 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
829 	{ JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
830 	{ DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
831 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
832 	{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
833 };
834 
835 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
836 {
837 	/* If either side has unknown io_caps, use JUST_CFM (which gets
838 	 * converted later to JUST_WORKS if we're initiators.
839 	 */
840 	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
841 	    remote_io > SMP_IO_KEYBOARD_DISPLAY)
842 		return JUST_CFM;
843 
844 	if (test_bit(SMP_FLAG_SC, &smp->flags))
845 		return sc_method[remote_io][local_io];
846 
847 	return gen_method[remote_io][local_io];
848 }
849 
850 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
851 						u8 local_io, u8 remote_io)
852 {
853 	struct hci_conn *hcon = conn->hcon;
854 	struct l2cap_chan *chan = conn->smp;
855 	struct smp_chan *smp = chan->data;
856 	u32 passkey = 0;
857 	int ret = 0;
858 
859 	/* Initialize key for JUST WORKS */
860 	memset(smp->tk, 0, sizeof(smp->tk));
861 	clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
862 
863 	BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
864 
865 	/* If neither side wants MITM, either "just" confirm an incoming
866 	 * request or use just-works for outgoing ones. The JUST_CFM
867 	 * will be converted to JUST_WORKS if necessary later in this
868 	 * function. If either side has MITM look up the method from the
869 	 * table.
870 	 */
871 	if (!(auth & SMP_AUTH_MITM))
872 		smp->method = JUST_CFM;
873 	else
874 		smp->method = get_auth_method(smp, local_io, remote_io);
875 
876 	/* Don't confirm locally initiated pairing attempts */
877 	if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
878 						&smp->flags))
879 		smp->method = JUST_WORKS;
880 
881 	/* Don't bother user space with no IO capabilities */
882 	if (smp->method == JUST_CFM &&
883 	    hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
884 		smp->method = JUST_WORKS;
885 
886 	/* If Just Works, Continue with Zero TK */
887 	if (smp->method == JUST_WORKS) {
888 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
889 		return 0;
890 	}
891 
892 	/* If this function is used for SC -> legacy fallback we
893 	 * can only recover the just-works case.
894 	 */
895 	if (test_bit(SMP_FLAG_SC, &smp->flags))
896 		return -EINVAL;
897 
898 	/* Not Just Works/Confirm results in MITM Authentication */
899 	if (smp->method != JUST_CFM) {
900 		set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
901 		if (hcon->pending_sec_level < BT_SECURITY_HIGH)
902 			hcon->pending_sec_level = BT_SECURITY_HIGH;
903 	}
904 
905 	/* If both devices have Keyoard-Display I/O, the master
906 	 * Confirms and the slave Enters the passkey.
907 	 */
908 	if (smp->method == OVERLAP) {
909 		if (hcon->role == HCI_ROLE_MASTER)
910 			smp->method = CFM_PASSKEY;
911 		else
912 			smp->method = REQ_PASSKEY;
913 	}
914 
915 	/* Generate random passkey. */
916 	if (smp->method == CFM_PASSKEY) {
917 		memset(smp->tk, 0, sizeof(smp->tk));
918 		get_random_bytes(&passkey, sizeof(passkey));
919 		passkey %= 1000000;
920 		put_unaligned_le32(passkey, smp->tk);
921 		BT_DBG("PassKey: %d", passkey);
922 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
923 	}
924 
925 	if (smp->method == REQ_PASSKEY)
926 		ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
927 						hcon->type, hcon->dst_type);
928 	else if (smp->method == JUST_CFM)
929 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
930 						hcon->type, hcon->dst_type,
931 						passkey, 1);
932 	else
933 		ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
934 						hcon->type, hcon->dst_type,
935 						passkey, 0);
936 
937 	return ret;
938 }
939 
940 static u8 smp_confirm(struct smp_chan *smp)
941 {
942 	struct l2cap_conn *conn = smp->conn;
943 	struct smp_cmd_pairing_confirm cp;
944 	int ret;
945 
946 	BT_DBG("conn %p", conn);
947 
948 	ret = smp_c1(smp->tk, smp->prnd, smp->preq, smp->prsp,
949 		     conn->hcon->init_addr_type, &conn->hcon->init_addr,
950 		     conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
951 		     cp.confirm_val);
952 	if (ret)
953 		return SMP_UNSPECIFIED;
954 
955 	clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
956 
957 	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
958 
959 	if (conn->hcon->out)
960 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
961 	else
962 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
963 
964 	return 0;
965 }
966 
967 static u8 smp_random(struct smp_chan *smp)
968 {
969 	struct l2cap_conn *conn = smp->conn;
970 	struct hci_conn *hcon = conn->hcon;
971 	u8 confirm[16];
972 	int ret;
973 
974 	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
975 
976 	ret = smp_c1(smp->tk, smp->rrnd, smp->preq, smp->prsp,
977 		     hcon->init_addr_type, &hcon->init_addr,
978 		     hcon->resp_addr_type, &hcon->resp_addr, confirm);
979 	if (ret)
980 		return SMP_UNSPECIFIED;
981 
982 	if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
983 		bt_dev_err(hcon->hdev, "pairing failed "
984 			   "(confirmation values mismatch)");
985 		return SMP_CONFIRM_FAILED;
986 	}
987 
988 	if (hcon->out) {
989 		u8 stk[16];
990 		__le64 rand = 0;
991 		__le16 ediv = 0;
992 
993 		smp_s1(smp->tk, smp->rrnd, smp->prnd, stk);
994 
995 		if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
996 			return SMP_UNSPECIFIED;
997 
998 		hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
999 		hcon->enc_key_size = smp->enc_key_size;
1000 		set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1001 	} else {
1002 		u8 stk[16], auth;
1003 		__le64 rand = 0;
1004 		__le16 ediv = 0;
1005 
1006 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1007 			     smp->prnd);
1008 
1009 		smp_s1(smp->tk, smp->prnd, smp->rrnd, stk);
1010 
1011 		if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1012 			auth = 1;
1013 		else
1014 			auth = 0;
1015 
1016 		/* Even though there's no _SLAVE suffix this is the
1017 		 * slave STK we're adding for later lookup (the master
1018 		 * STK never needs to be stored).
1019 		 */
1020 		hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1021 			    SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1022 	}
1023 
1024 	return 0;
1025 }
1026 
1027 static void smp_notify_keys(struct l2cap_conn *conn)
1028 {
1029 	struct l2cap_chan *chan = conn->smp;
1030 	struct smp_chan *smp = chan->data;
1031 	struct hci_conn *hcon = conn->hcon;
1032 	struct hci_dev *hdev = hcon->hdev;
1033 	struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1034 	struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1035 	bool persistent;
1036 
1037 	if (hcon->type == ACL_LINK) {
1038 		if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1039 			persistent = false;
1040 		else
1041 			persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1042 					       &hcon->flags);
1043 	} else {
1044 		/* The LTKs, IRKs and CSRKs should be persistent only if
1045 		 * both sides had the bonding bit set in their
1046 		 * authentication requests.
1047 		 */
1048 		persistent = !!((req->auth_req & rsp->auth_req) &
1049 				SMP_AUTH_BONDING);
1050 	}
1051 
1052 	if (smp->remote_irk) {
1053 		mgmt_new_irk(hdev, smp->remote_irk, persistent);
1054 
1055 		/* Now that user space can be considered to know the
1056 		 * identity address track the connection based on it
1057 		 * from now on (assuming this is an LE link).
1058 		 */
1059 		if (hcon->type == LE_LINK) {
1060 			bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1061 			hcon->dst_type = smp->remote_irk->addr_type;
1062 			queue_work(hdev->workqueue, &conn->id_addr_update_work);
1063 		}
1064 	}
1065 
1066 	if (smp->csrk) {
1067 		smp->csrk->bdaddr_type = hcon->dst_type;
1068 		bacpy(&smp->csrk->bdaddr, &hcon->dst);
1069 		mgmt_new_csrk(hdev, smp->csrk, persistent);
1070 	}
1071 
1072 	if (smp->slave_csrk) {
1073 		smp->slave_csrk->bdaddr_type = hcon->dst_type;
1074 		bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1075 		mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1076 	}
1077 
1078 	if (smp->ltk) {
1079 		smp->ltk->bdaddr_type = hcon->dst_type;
1080 		bacpy(&smp->ltk->bdaddr, &hcon->dst);
1081 		mgmt_new_ltk(hdev, smp->ltk, persistent);
1082 	}
1083 
1084 	if (smp->slave_ltk) {
1085 		smp->slave_ltk->bdaddr_type = hcon->dst_type;
1086 		bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1087 		mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1088 	}
1089 
1090 	if (smp->link_key) {
1091 		struct link_key *key;
1092 		u8 type;
1093 
1094 		if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1095 			type = HCI_LK_DEBUG_COMBINATION;
1096 		else if (hcon->sec_level == BT_SECURITY_FIPS)
1097 			type = HCI_LK_AUTH_COMBINATION_P256;
1098 		else
1099 			type = HCI_LK_UNAUTH_COMBINATION_P256;
1100 
1101 		key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1102 				       smp->link_key, type, 0, &persistent);
1103 		if (key) {
1104 			mgmt_new_link_key(hdev, key, persistent);
1105 
1106 			/* Don't keep debug keys around if the relevant
1107 			 * flag is not set.
1108 			 */
1109 			if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1110 			    key->type == HCI_LK_DEBUG_COMBINATION) {
1111 				list_del_rcu(&key->list);
1112 				kfree_rcu(key, rcu);
1113 			}
1114 		}
1115 	}
1116 }
1117 
1118 static void sc_add_ltk(struct smp_chan *smp)
1119 {
1120 	struct hci_conn *hcon = smp->conn->hcon;
1121 	u8 key_type, auth;
1122 
1123 	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1124 		key_type = SMP_LTK_P256_DEBUG;
1125 	else
1126 		key_type = SMP_LTK_P256;
1127 
1128 	if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1129 		auth = 1;
1130 	else
1131 		auth = 0;
1132 
1133 	smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1134 			       key_type, auth, smp->tk, smp->enc_key_size,
1135 			       0, 0);
1136 }
1137 
1138 static void sc_generate_link_key(struct smp_chan *smp)
1139 {
1140 	/* From core spec. Spells out in ASCII as 'lebr'. */
1141 	const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1142 
1143 	smp->link_key = kzalloc(16, GFP_KERNEL);
1144 	if (!smp->link_key)
1145 		return;
1146 
1147 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1148 		/* SALT = 0x00000000000000000000000000000000746D7031 */
1149 		const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1150 
1151 		if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1152 			kzfree(smp->link_key);
1153 			smp->link_key = NULL;
1154 			return;
1155 		}
1156 	} else {
1157 		/* From core spec. Spells out in ASCII as 'tmp1'. */
1158 		const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1159 
1160 		if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1161 			kzfree(smp->link_key);
1162 			smp->link_key = NULL;
1163 			return;
1164 		}
1165 	}
1166 
1167 	if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1168 		kzfree(smp->link_key);
1169 		smp->link_key = NULL;
1170 		return;
1171 	}
1172 }
1173 
1174 static void smp_allow_key_dist(struct smp_chan *smp)
1175 {
1176 	/* Allow the first expected phase 3 PDU. The rest of the PDUs
1177 	 * will be allowed in each PDU handler to ensure we receive
1178 	 * them in the correct order.
1179 	 */
1180 	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1181 		SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1182 	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1183 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1184 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
1185 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1186 }
1187 
1188 static void sc_generate_ltk(struct smp_chan *smp)
1189 {
1190 	/* From core spec. Spells out in ASCII as 'brle'. */
1191 	const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1192 	struct hci_conn *hcon = smp->conn->hcon;
1193 	struct hci_dev *hdev = hcon->hdev;
1194 	struct link_key *key;
1195 
1196 	key = hci_find_link_key(hdev, &hcon->dst);
1197 	if (!key) {
1198 		bt_dev_err(hdev, "no Link Key found to generate LTK");
1199 		return;
1200 	}
1201 
1202 	if (key->type == HCI_LK_DEBUG_COMBINATION)
1203 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1204 
1205 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1206 		/* SALT = 0x00000000000000000000000000000000746D7032 */
1207 		const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1208 
1209 		if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1210 			return;
1211 	} else {
1212 		/* From core spec. Spells out in ASCII as 'tmp2'. */
1213 		const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1214 
1215 		if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1216 			return;
1217 	}
1218 
1219 	if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1220 		return;
1221 
1222 	sc_add_ltk(smp);
1223 }
1224 
1225 static void smp_distribute_keys(struct smp_chan *smp)
1226 {
1227 	struct smp_cmd_pairing *req, *rsp;
1228 	struct l2cap_conn *conn = smp->conn;
1229 	struct hci_conn *hcon = conn->hcon;
1230 	struct hci_dev *hdev = hcon->hdev;
1231 	__u8 *keydist;
1232 
1233 	BT_DBG("conn %p", conn);
1234 
1235 	rsp = (void *) &smp->prsp[1];
1236 
1237 	/* The responder sends its keys first */
1238 	if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1239 		smp_allow_key_dist(smp);
1240 		return;
1241 	}
1242 
1243 	req = (void *) &smp->preq[1];
1244 
1245 	if (hcon->out) {
1246 		keydist = &rsp->init_key_dist;
1247 		*keydist &= req->init_key_dist;
1248 	} else {
1249 		keydist = &rsp->resp_key_dist;
1250 		*keydist &= req->resp_key_dist;
1251 	}
1252 
1253 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1254 		if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1255 			sc_generate_link_key(smp);
1256 		if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1257 			sc_generate_ltk(smp);
1258 
1259 		/* Clear the keys which are generated but not distributed */
1260 		*keydist &= ~SMP_SC_NO_DIST;
1261 	}
1262 
1263 	BT_DBG("keydist 0x%x", *keydist);
1264 
1265 	if (*keydist & SMP_DIST_ENC_KEY) {
1266 		struct smp_cmd_encrypt_info enc;
1267 		struct smp_cmd_master_ident ident;
1268 		struct smp_ltk *ltk;
1269 		u8 authenticated;
1270 		__le16 ediv;
1271 		__le64 rand;
1272 
1273 		/* Make sure we generate only the significant amount of
1274 		 * bytes based on the encryption key size, and set the rest
1275 		 * of the value to zeroes.
1276 		 */
1277 		get_random_bytes(enc.ltk, smp->enc_key_size);
1278 		memset(enc.ltk + smp->enc_key_size, 0,
1279 		       sizeof(enc.ltk) - smp->enc_key_size);
1280 
1281 		get_random_bytes(&ediv, sizeof(ediv));
1282 		get_random_bytes(&rand, sizeof(rand));
1283 
1284 		smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1285 
1286 		authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1287 		ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1288 				  SMP_LTK_SLAVE, authenticated, enc.ltk,
1289 				  smp->enc_key_size, ediv, rand);
1290 		smp->slave_ltk = ltk;
1291 
1292 		ident.ediv = ediv;
1293 		ident.rand = rand;
1294 
1295 		smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1296 
1297 		*keydist &= ~SMP_DIST_ENC_KEY;
1298 	}
1299 
1300 	if (*keydist & SMP_DIST_ID_KEY) {
1301 		struct smp_cmd_ident_addr_info addrinfo;
1302 		struct smp_cmd_ident_info idinfo;
1303 
1304 		memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1305 
1306 		smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1307 
1308 		/* The hci_conn contains the local identity address
1309 		 * after the connection has been established.
1310 		 *
1311 		 * This is true even when the connection has been
1312 		 * established using a resolvable random address.
1313 		 */
1314 		bacpy(&addrinfo.bdaddr, &hcon->src);
1315 		addrinfo.addr_type = hcon->src_type;
1316 
1317 		smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1318 			     &addrinfo);
1319 
1320 		*keydist &= ~SMP_DIST_ID_KEY;
1321 	}
1322 
1323 	if (*keydist & SMP_DIST_SIGN) {
1324 		struct smp_cmd_sign_info sign;
1325 		struct smp_csrk *csrk;
1326 
1327 		/* Generate a new random key */
1328 		get_random_bytes(sign.csrk, sizeof(sign.csrk));
1329 
1330 		csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1331 		if (csrk) {
1332 			if (hcon->sec_level > BT_SECURITY_MEDIUM)
1333 				csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1334 			else
1335 				csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1336 			memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1337 		}
1338 		smp->slave_csrk = csrk;
1339 
1340 		smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1341 
1342 		*keydist &= ~SMP_DIST_SIGN;
1343 	}
1344 
1345 	/* If there are still keys to be received wait for them */
1346 	if (smp->remote_key_dist & KEY_DIST_MASK) {
1347 		smp_allow_key_dist(smp);
1348 		return;
1349 	}
1350 
1351 	set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1352 	smp_notify_keys(conn);
1353 
1354 	smp_chan_destroy(conn);
1355 }
1356 
1357 static void smp_timeout(struct work_struct *work)
1358 {
1359 	struct smp_chan *smp = container_of(work, struct smp_chan,
1360 					    security_timer.work);
1361 	struct l2cap_conn *conn = smp->conn;
1362 
1363 	BT_DBG("conn %p", conn);
1364 
1365 	hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1366 }
1367 
1368 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1369 {
1370 	struct l2cap_chan *chan = conn->smp;
1371 	struct smp_chan *smp;
1372 
1373 	smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1374 	if (!smp)
1375 		return NULL;
1376 
1377 	smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1378 	if (IS_ERR(smp->tfm_cmac)) {
1379 		BT_ERR("Unable to create CMAC crypto context");
1380 		goto zfree_smp;
1381 	}
1382 
1383 	smp->tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
1384 	if (IS_ERR(smp->tfm_ecdh)) {
1385 		BT_ERR("Unable to create ECDH crypto context");
1386 		goto free_shash;
1387 	}
1388 
1389 	smp->conn = conn;
1390 	chan->data = smp;
1391 
1392 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1393 
1394 	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1395 
1396 	hci_conn_hold(conn->hcon);
1397 
1398 	return smp;
1399 
1400 free_shash:
1401 	crypto_free_shash(smp->tfm_cmac);
1402 zfree_smp:
1403 	kzfree(smp);
1404 	return NULL;
1405 }
1406 
1407 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1408 {
1409 	struct hci_conn *hcon = smp->conn->hcon;
1410 	u8 *na, *nb, a[7], b[7];
1411 
1412 	if (hcon->out) {
1413 		na   = smp->prnd;
1414 		nb   = smp->rrnd;
1415 	} else {
1416 		na   = smp->rrnd;
1417 		nb   = smp->prnd;
1418 	}
1419 
1420 	memcpy(a, &hcon->init_addr, 6);
1421 	memcpy(b, &hcon->resp_addr, 6);
1422 	a[6] = hcon->init_addr_type;
1423 	b[6] = hcon->resp_addr_type;
1424 
1425 	return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1426 }
1427 
1428 static void sc_dhkey_check(struct smp_chan *smp)
1429 {
1430 	struct hci_conn *hcon = smp->conn->hcon;
1431 	struct smp_cmd_dhkey_check check;
1432 	u8 a[7], b[7], *local_addr, *remote_addr;
1433 	u8 io_cap[3], r[16];
1434 
1435 	memcpy(a, &hcon->init_addr, 6);
1436 	memcpy(b, &hcon->resp_addr, 6);
1437 	a[6] = hcon->init_addr_type;
1438 	b[6] = hcon->resp_addr_type;
1439 
1440 	if (hcon->out) {
1441 		local_addr = a;
1442 		remote_addr = b;
1443 		memcpy(io_cap, &smp->preq[1], 3);
1444 	} else {
1445 		local_addr = b;
1446 		remote_addr = a;
1447 		memcpy(io_cap, &smp->prsp[1], 3);
1448 	}
1449 
1450 	memset(r, 0, sizeof(r));
1451 
1452 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1453 		put_unaligned_le32(hcon->passkey_notify, r);
1454 
1455 	if (smp->method == REQ_OOB)
1456 		memcpy(r, smp->rr, 16);
1457 
1458 	smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1459 	       local_addr, remote_addr, check.e);
1460 
1461 	smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1462 }
1463 
1464 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1465 {
1466 	struct l2cap_conn *conn = smp->conn;
1467 	struct hci_conn *hcon = conn->hcon;
1468 	struct smp_cmd_pairing_confirm cfm;
1469 	u8 r;
1470 
1471 	r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1472 	r |= 0x80;
1473 
1474 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1475 
1476 	if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1477 		   cfm.confirm_val))
1478 		return SMP_UNSPECIFIED;
1479 
1480 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1481 
1482 	return 0;
1483 }
1484 
1485 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1486 {
1487 	struct l2cap_conn *conn = smp->conn;
1488 	struct hci_conn *hcon = conn->hcon;
1489 	struct hci_dev *hdev = hcon->hdev;
1490 	u8 cfm[16], r;
1491 
1492 	/* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1493 	if (smp->passkey_round >= 20)
1494 		return 0;
1495 
1496 	switch (smp_op) {
1497 	case SMP_CMD_PAIRING_RANDOM:
1498 		r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1499 		r |= 0x80;
1500 
1501 		if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1502 			   smp->rrnd, r, cfm))
1503 			return SMP_UNSPECIFIED;
1504 
1505 		if (crypto_memneq(smp->pcnf, cfm, 16))
1506 			return SMP_CONFIRM_FAILED;
1507 
1508 		smp->passkey_round++;
1509 
1510 		if (smp->passkey_round == 20) {
1511 			/* Generate MacKey and LTK */
1512 			if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1513 				return SMP_UNSPECIFIED;
1514 		}
1515 
1516 		/* The round is only complete when the initiator
1517 		 * receives pairing random.
1518 		 */
1519 		if (!hcon->out) {
1520 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1521 				     sizeof(smp->prnd), smp->prnd);
1522 			if (smp->passkey_round == 20)
1523 				SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1524 			else
1525 				SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1526 			return 0;
1527 		}
1528 
1529 		/* Start the next round */
1530 		if (smp->passkey_round != 20)
1531 			return sc_passkey_round(smp, 0);
1532 
1533 		/* Passkey rounds are complete - start DHKey Check */
1534 		sc_dhkey_check(smp);
1535 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1536 
1537 		break;
1538 
1539 	case SMP_CMD_PAIRING_CONFIRM:
1540 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1541 			set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1542 			return 0;
1543 		}
1544 
1545 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1546 
1547 		if (hcon->out) {
1548 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1549 				     sizeof(smp->prnd), smp->prnd);
1550 			return 0;
1551 		}
1552 
1553 		return sc_passkey_send_confirm(smp);
1554 
1555 	case SMP_CMD_PUBLIC_KEY:
1556 	default:
1557 		/* Initiating device starts the round */
1558 		if (!hcon->out)
1559 			return 0;
1560 
1561 		BT_DBG("%s Starting passkey round %u", hdev->name,
1562 		       smp->passkey_round + 1);
1563 
1564 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1565 
1566 		return sc_passkey_send_confirm(smp);
1567 	}
1568 
1569 	return 0;
1570 }
1571 
1572 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1573 {
1574 	struct l2cap_conn *conn = smp->conn;
1575 	struct hci_conn *hcon = conn->hcon;
1576 	u8 smp_op;
1577 
1578 	clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1579 
1580 	switch (mgmt_op) {
1581 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1582 		smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1583 		return 0;
1584 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1585 		smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1586 		return 0;
1587 	case MGMT_OP_USER_PASSKEY_REPLY:
1588 		hcon->passkey_notify = le32_to_cpu(passkey);
1589 		smp->passkey_round = 0;
1590 
1591 		if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1592 			smp_op = SMP_CMD_PAIRING_CONFIRM;
1593 		else
1594 			smp_op = 0;
1595 
1596 		if (sc_passkey_round(smp, smp_op))
1597 			return -EIO;
1598 
1599 		return 0;
1600 	}
1601 
1602 	/* Initiator sends DHKey check first */
1603 	if (hcon->out) {
1604 		sc_dhkey_check(smp);
1605 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1606 	} else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1607 		sc_dhkey_check(smp);
1608 		sc_add_ltk(smp);
1609 	}
1610 
1611 	return 0;
1612 }
1613 
1614 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1615 {
1616 	struct l2cap_conn *conn = hcon->l2cap_data;
1617 	struct l2cap_chan *chan;
1618 	struct smp_chan *smp;
1619 	u32 value;
1620 	int err;
1621 
1622 	BT_DBG("");
1623 
1624 	if (!conn)
1625 		return -ENOTCONN;
1626 
1627 	chan = conn->smp;
1628 	if (!chan)
1629 		return -ENOTCONN;
1630 
1631 	l2cap_chan_lock(chan);
1632 	if (!chan->data) {
1633 		err = -ENOTCONN;
1634 		goto unlock;
1635 	}
1636 
1637 	smp = chan->data;
1638 
1639 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1640 		err = sc_user_reply(smp, mgmt_op, passkey);
1641 		goto unlock;
1642 	}
1643 
1644 	switch (mgmt_op) {
1645 	case MGMT_OP_USER_PASSKEY_REPLY:
1646 		value = le32_to_cpu(passkey);
1647 		memset(smp->tk, 0, sizeof(smp->tk));
1648 		BT_DBG("PassKey: %d", value);
1649 		put_unaligned_le32(value, smp->tk);
1650 		/* Fall Through */
1651 	case MGMT_OP_USER_CONFIRM_REPLY:
1652 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1653 		break;
1654 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1655 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1656 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1657 		err = 0;
1658 		goto unlock;
1659 	default:
1660 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1661 		err = -EOPNOTSUPP;
1662 		goto unlock;
1663 	}
1664 
1665 	err = 0;
1666 
1667 	/* If it is our turn to send Pairing Confirm, do so now */
1668 	if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1669 		u8 rsp = smp_confirm(smp);
1670 		if (rsp)
1671 			smp_failure(conn, rsp);
1672 	}
1673 
1674 unlock:
1675 	l2cap_chan_unlock(chan);
1676 	return err;
1677 }
1678 
1679 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1680 				    struct smp_cmd_pairing *req,
1681 				    struct smp_cmd_pairing *rsp)
1682 {
1683 	struct l2cap_conn *conn = smp->conn;
1684 	struct hci_dev *hdev = conn->hcon->hdev;
1685 	u8 local_dist = 0, remote_dist = 0;
1686 
1687 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1688 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1689 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1690 	}
1691 
1692 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1693 		remote_dist |= SMP_DIST_ID_KEY;
1694 
1695 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1696 		local_dist |= SMP_DIST_ID_KEY;
1697 
1698 	if (!rsp) {
1699 		memset(req, 0, sizeof(*req));
1700 
1701 		req->auth_req        = SMP_AUTH_CT2;
1702 		req->init_key_dist   = local_dist;
1703 		req->resp_key_dist   = remote_dist;
1704 		req->max_key_size    = conn->hcon->enc_key_size;
1705 
1706 		smp->remote_key_dist = remote_dist;
1707 
1708 		return;
1709 	}
1710 
1711 	memset(rsp, 0, sizeof(*rsp));
1712 
1713 	rsp->auth_req        = SMP_AUTH_CT2;
1714 	rsp->max_key_size    = conn->hcon->enc_key_size;
1715 	rsp->init_key_dist   = req->init_key_dist & remote_dist;
1716 	rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1717 
1718 	smp->remote_key_dist = rsp->init_key_dist;
1719 }
1720 
1721 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1722 {
1723 	struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1724 	struct l2cap_chan *chan = conn->smp;
1725 	struct hci_dev *hdev = conn->hcon->hdev;
1726 	struct smp_chan *smp;
1727 	u8 key_size, auth, sec_level;
1728 	int ret;
1729 
1730 	BT_DBG("conn %p", conn);
1731 
1732 	if (skb->len < sizeof(*req))
1733 		return SMP_INVALID_PARAMS;
1734 
1735 	if (conn->hcon->role != HCI_ROLE_SLAVE)
1736 		return SMP_CMD_NOTSUPP;
1737 
1738 	if (!chan->data)
1739 		smp = smp_chan_create(conn);
1740 	else
1741 		smp = chan->data;
1742 
1743 	if (!smp)
1744 		return SMP_UNSPECIFIED;
1745 
1746 	/* We didn't start the pairing, so match remote */
1747 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
1748 
1749 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1750 	    (auth & SMP_AUTH_BONDING))
1751 		return SMP_PAIRING_NOTSUPP;
1752 
1753 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1754 		return SMP_AUTH_REQUIREMENTS;
1755 
1756 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
1757 	memcpy(&smp->preq[1], req, sizeof(*req));
1758 	skb_pull(skb, sizeof(*req));
1759 
1760 	/* If the remote side's OOB flag is set it means it has
1761 	 * successfully received our local OOB data - therefore set the
1762 	 * flag to indicate that local OOB is in use.
1763 	 */
1764 	if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1765 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1766 
1767 	/* SMP over BR/EDR requires special treatment */
1768 	if (conn->hcon->type == ACL_LINK) {
1769 		/* We must have a BR/EDR SC link */
1770 		if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1771 		    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1772 			return SMP_CROSS_TRANSP_NOT_ALLOWED;
1773 
1774 		set_bit(SMP_FLAG_SC, &smp->flags);
1775 
1776 		build_bredr_pairing_cmd(smp, req, &rsp);
1777 
1778 		if (req->auth_req & SMP_AUTH_CT2)
1779 			set_bit(SMP_FLAG_CT2, &smp->flags);
1780 
1781 		key_size = min(req->max_key_size, rsp.max_key_size);
1782 		if (check_enc_key_size(conn, key_size))
1783 			return SMP_ENC_KEY_SIZE;
1784 
1785 		/* Clear bits which are generated but not distributed */
1786 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1787 
1788 		smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1789 		memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1790 		smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1791 
1792 		smp_distribute_keys(smp);
1793 		return 0;
1794 	}
1795 
1796 	build_pairing_cmd(conn, req, &rsp, auth);
1797 
1798 	if (rsp.auth_req & SMP_AUTH_SC) {
1799 		set_bit(SMP_FLAG_SC, &smp->flags);
1800 
1801 		if (rsp.auth_req & SMP_AUTH_CT2)
1802 			set_bit(SMP_FLAG_CT2, &smp->flags);
1803 	}
1804 
1805 	if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1806 		sec_level = BT_SECURITY_MEDIUM;
1807 	else
1808 		sec_level = authreq_to_seclevel(auth);
1809 
1810 	if (sec_level > conn->hcon->pending_sec_level)
1811 		conn->hcon->pending_sec_level = sec_level;
1812 
1813 	/* If we need MITM check that it can be achieved */
1814 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1815 		u8 method;
1816 
1817 		method = get_auth_method(smp, conn->hcon->io_capability,
1818 					 req->io_capability);
1819 		if (method == JUST_WORKS || method == JUST_CFM)
1820 			return SMP_AUTH_REQUIREMENTS;
1821 	}
1822 
1823 	key_size = min(req->max_key_size, rsp.max_key_size);
1824 	if (check_enc_key_size(conn, key_size))
1825 		return SMP_ENC_KEY_SIZE;
1826 
1827 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1828 
1829 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1830 	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1831 
1832 	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1833 
1834 	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1835 
1836 	/* Strictly speaking we shouldn't allow Pairing Confirm for the
1837 	 * SC case, however some implementations incorrectly copy RFU auth
1838 	 * req bits from our security request, which may create a false
1839 	 * positive SC enablement.
1840 	 */
1841 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1842 
1843 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1844 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1845 		/* Clear bits which are generated but not distributed */
1846 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1847 		/* Wait for Public Key from Initiating Device */
1848 		return 0;
1849 	}
1850 
1851 	/* Request setup of TK */
1852 	ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1853 	if (ret)
1854 		return SMP_UNSPECIFIED;
1855 
1856 	return 0;
1857 }
1858 
1859 static u8 sc_send_public_key(struct smp_chan *smp)
1860 {
1861 	struct hci_dev *hdev = smp->conn->hcon->hdev;
1862 
1863 	BT_DBG("");
1864 
1865 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1866 		struct l2cap_chan *chan = hdev->smp_data;
1867 		struct smp_dev *smp_dev;
1868 
1869 		if (!chan || !chan->data)
1870 			return SMP_UNSPECIFIED;
1871 
1872 		smp_dev = chan->data;
1873 
1874 		memcpy(smp->local_pk, smp_dev->local_pk, 64);
1875 		memcpy(smp->lr, smp_dev->local_rand, 16);
1876 
1877 		if (smp_dev->debug_key)
1878 			set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1879 
1880 		goto done;
1881 	}
1882 
1883 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1884 		BT_DBG("Using debug keys");
1885 		if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
1886 			return SMP_UNSPECIFIED;
1887 		memcpy(smp->local_pk, debug_pk, 64);
1888 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1889 	} else {
1890 		while (true) {
1891 			/* Generate key pair for Secure Connections */
1892 			if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
1893 				return SMP_UNSPECIFIED;
1894 
1895 			/* This is unlikely, but we need to check that
1896 			 * we didn't accidentially generate a debug key.
1897 			 */
1898 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
1899 				break;
1900 		}
1901 	}
1902 
1903 done:
1904 	SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1905 	SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1906 
1907 	smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1908 
1909 	return 0;
1910 }
1911 
1912 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1913 {
1914 	struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1915 	struct l2cap_chan *chan = conn->smp;
1916 	struct smp_chan *smp = chan->data;
1917 	struct hci_dev *hdev = conn->hcon->hdev;
1918 	u8 key_size, auth;
1919 	int ret;
1920 
1921 	BT_DBG("conn %p", conn);
1922 
1923 	if (skb->len < sizeof(*rsp))
1924 		return SMP_INVALID_PARAMS;
1925 
1926 	if (conn->hcon->role != HCI_ROLE_MASTER)
1927 		return SMP_CMD_NOTSUPP;
1928 
1929 	skb_pull(skb, sizeof(*rsp));
1930 
1931 	req = (void *) &smp->preq[1];
1932 
1933 	key_size = min(req->max_key_size, rsp->max_key_size);
1934 	if (check_enc_key_size(conn, key_size))
1935 		return SMP_ENC_KEY_SIZE;
1936 
1937 	auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1938 
1939 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1940 		return SMP_AUTH_REQUIREMENTS;
1941 
1942 	/* If the remote side's OOB flag is set it means it has
1943 	 * successfully received our local OOB data - therefore set the
1944 	 * flag to indicate that local OOB is in use.
1945 	 */
1946 	if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1947 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1948 
1949 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1950 	memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1951 
1952 	/* Update remote key distribution in case the remote cleared
1953 	 * some bits that we had enabled in our request.
1954 	 */
1955 	smp->remote_key_dist &= rsp->resp_key_dist;
1956 
1957 	if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1958 		set_bit(SMP_FLAG_CT2, &smp->flags);
1959 
1960 	/* For BR/EDR this means we're done and can start phase 3 */
1961 	if (conn->hcon->type == ACL_LINK) {
1962 		/* Clear bits which are generated but not distributed */
1963 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1964 		smp_distribute_keys(smp);
1965 		return 0;
1966 	}
1967 
1968 	if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1969 		set_bit(SMP_FLAG_SC, &smp->flags);
1970 	else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1971 		conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1972 
1973 	/* If we need MITM check that it can be achieved */
1974 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1975 		u8 method;
1976 
1977 		method = get_auth_method(smp, req->io_capability,
1978 					 rsp->io_capability);
1979 		if (method == JUST_WORKS || method == JUST_CFM)
1980 			return SMP_AUTH_REQUIREMENTS;
1981 	}
1982 
1983 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1984 
1985 	/* Update remote key distribution in case the remote cleared
1986 	 * some bits that we had enabled in our request.
1987 	 */
1988 	smp->remote_key_dist &= rsp->resp_key_dist;
1989 
1990 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1991 		/* Clear bits which are generated but not distributed */
1992 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1993 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1994 		return sc_send_public_key(smp);
1995 	}
1996 
1997 	auth |= req->auth_req;
1998 
1999 	ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2000 	if (ret)
2001 		return SMP_UNSPECIFIED;
2002 
2003 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2004 
2005 	/* Can't compose response until we have been confirmed */
2006 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2007 		return smp_confirm(smp);
2008 
2009 	return 0;
2010 }
2011 
2012 static u8 sc_check_confirm(struct smp_chan *smp)
2013 {
2014 	struct l2cap_conn *conn = smp->conn;
2015 
2016 	BT_DBG("");
2017 
2018 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2019 		return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2020 
2021 	if (conn->hcon->out) {
2022 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2023 			     smp->prnd);
2024 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2025 	}
2026 
2027 	return 0;
2028 }
2029 
2030 /* Work-around for some implementations that incorrectly copy RFU bits
2031  * from our security request and thereby create the impression that
2032  * we're doing SC when in fact the remote doesn't support it.
2033  */
2034 static int fixup_sc_false_positive(struct smp_chan *smp)
2035 {
2036 	struct l2cap_conn *conn = smp->conn;
2037 	struct hci_conn *hcon = conn->hcon;
2038 	struct hci_dev *hdev = hcon->hdev;
2039 	struct smp_cmd_pairing *req, *rsp;
2040 	u8 auth;
2041 
2042 	/* The issue is only observed when we're in slave role */
2043 	if (hcon->out)
2044 		return SMP_UNSPECIFIED;
2045 
2046 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2047 		bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
2048 		return SMP_UNSPECIFIED;
2049 	}
2050 
2051 	bt_dev_err(hdev, "trying to fall back to legacy SMP");
2052 
2053 	req = (void *) &smp->preq[1];
2054 	rsp = (void *) &smp->prsp[1];
2055 
2056 	/* Rebuild key dist flags which may have been cleared for SC */
2057 	smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2058 
2059 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
2060 
2061 	if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2062 		bt_dev_err(hdev, "failed to fall back to legacy SMP");
2063 		return SMP_UNSPECIFIED;
2064 	}
2065 
2066 	clear_bit(SMP_FLAG_SC, &smp->flags);
2067 
2068 	return 0;
2069 }
2070 
2071 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2072 {
2073 	struct l2cap_chan *chan = conn->smp;
2074 	struct smp_chan *smp = chan->data;
2075 
2076 	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
2077 
2078 	if (skb->len < sizeof(smp->pcnf))
2079 		return SMP_INVALID_PARAMS;
2080 
2081 	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2082 	skb_pull(skb, sizeof(smp->pcnf));
2083 
2084 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2085 		int ret;
2086 
2087 		/* Public Key exchange must happen before any other steps */
2088 		if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2089 			return sc_check_confirm(smp);
2090 
2091 		BT_ERR("Unexpected SMP Pairing Confirm");
2092 
2093 		ret = fixup_sc_false_positive(smp);
2094 		if (ret)
2095 			return ret;
2096 	}
2097 
2098 	if (conn->hcon->out) {
2099 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2100 			     smp->prnd);
2101 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2102 		return 0;
2103 	}
2104 
2105 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2106 		return smp_confirm(smp);
2107 
2108 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2109 
2110 	return 0;
2111 }
2112 
2113 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2114 {
2115 	struct l2cap_chan *chan = conn->smp;
2116 	struct smp_chan *smp = chan->data;
2117 	struct hci_conn *hcon = conn->hcon;
2118 	u8 *pkax, *pkbx, *na, *nb;
2119 	u32 passkey;
2120 	int err;
2121 
2122 	BT_DBG("conn %p", conn);
2123 
2124 	if (skb->len < sizeof(smp->rrnd))
2125 		return SMP_INVALID_PARAMS;
2126 
2127 	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2128 	skb_pull(skb, sizeof(smp->rrnd));
2129 
2130 	if (!test_bit(SMP_FLAG_SC, &smp->flags))
2131 		return smp_random(smp);
2132 
2133 	if (hcon->out) {
2134 		pkax = smp->local_pk;
2135 		pkbx = smp->remote_pk;
2136 		na   = smp->prnd;
2137 		nb   = smp->rrnd;
2138 	} else {
2139 		pkax = smp->remote_pk;
2140 		pkbx = smp->local_pk;
2141 		na   = smp->rrnd;
2142 		nb   = smp->prnd;
2143 	}
2144 
2145 	if (smp->method == REQ_OOB) {
2146 		if (!hcon->out)
2147 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2148 				     sizeof(smp->prnd), smp->prnd);
2149 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2150 		goto mackey_and_ltk;
2151 	}
2152 
2153 	/* Passkey entry has special treatment */
2154 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2155 		return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2156 
2157 	if (hcon->out) {
2158 		u8 cfm[16];
2159 
2160 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2161 			     smp->rrnd, 0, cfm);
2162 		if (err)
2163 			return SMP_UNSPECIFIED;
2164 
2165 		if (crypto_memneq(smp->pcnf, cfm, 16))
2166 			return SMP_CONFIRM_FAILED;
2167 	} else {
2168 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2169 			     smp->prnd);
2170 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2171 	}
2172 
2173 mackey_and_ltk:
2174 	/* Generate MacKey and LTK */
2175 	err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2176 	if (err)
2177 		return SMP_UNSPECIFIED;
2178 
2179 	if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2180 		if (hcon->out) {
2181 			sc_dhkey_check(smp);
2182 			SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2183 		}
2184 		return 0;
2185 	}
2186 
2187 	err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2188 	if (err)
2189 		return SMP_UNSPECIFIED;
2190 
2191 	err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2192 					hcon->dst_type, passkey, 0);
2193 	if (err)
2194 		return SMP_UNSPECIFIED;
2195 
2196 	set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2197 
2198 	return 0;
2199 }
2200 
2201 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2202 {
2203 	struct smp_ltk *key;
2204 	struct hci_conn *hcon = conn->hcon;
2205 
2206 	key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2207 	if (!key)
2208 		return false;
2209 
2210 	if (smp_ltk_sec_level(key) < sec_level)
2211 		return false;
2212 
2213 	if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2214 		return true;
2215 
2216 	hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2217 	hcon->enc_key_size = key->enc_size;
2218 
2219 	/* We never store STKs for master role, so clear this flag */
2220 	clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2221 
2222 	return true;
2223 }
2224 
2225 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2226 			     enum smp_key_pref key_pref)
2227 {
2228 	if (sec_level == BT_SECURITY_LOW)
2229 		return true;
2230 
2231 	/* If we're encrypted with an STK but the caller prefers using
2232 	 * LTK claim insufficient security. This way we allow the
2233 	 * connection to be re-encrypted with an LTK, even if the LTK
2234 	 * provides the same level of security. Only exception is if we
2235 	 * don't have an LTK (e.g. because of key distribution bits).
2236 	 */
2237 	if (key_pref == SMP_USE_LTK &&
2238 	    test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2239 	    hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2240 		return false;
2241 
2242 	if (hcon->sec_level >= sec_level)
2243 		return true;
2244 
2245 	return false;
2246 }
2247 
2248 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2249 {
2250 	struct smp_cmd_security_req *rp = (void *) skb->data;
2251 	struct smp_cmd_pairing cp;
2252 	struct hci_conn *hcon = conn->hcon;
2253 	struct hci_dev *hdev = hcon->hdev;
2254 	struct smp_chan *smp;
2255 	u8 sec_level, auth;
2256 
2257 	BT_DBG("conn %p", conn);
2258 
2259 	if (skb->len < sizeof(*rp))
2260 		return SMP_INVALID_PARAMS;
2261 
2262 	if (hcon->role != HCI_ROLE_MASTER)
2263 		return SMP_CMD_NOTSUPP;
2264 
2265 	auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2266 
2267 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2268 		return SMP_AUTH_REQUIREMENTS;
2269 
2270 	if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2271 		sec_level = BT_SECURITY_MEDIUM;
2272 	else
2273 		sec_level = authreq_to_seclevel(auth);
2274 
2275 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2276 		/* If link is already encrypted with sufficient security we
2277 		 * still need refresh encryption as per Core Spec 5.0 Vol 3,
2278 		 * Part H 2.4.6
2279 		 */
2280 		smp_ltk_encrypt(conn, hcon->sec_level);
2281 		return 0;
2282 	}
2283 
2284 	if (sec_level > hcon->pending_sec_level)
2285 		hcon->pending_sec_level = sec_level;
2286 
2287 	if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2288 		return 0;
2289 
2290 	smp = smp_chan_create(conn);
2291 	if (!smp)
2292 		return SMP_UNSPECIFIED;
2293 
2294 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2295 	    (auth & SMP_AUTH_BONDING))
2296 		return SMP_PAIRING_NOTSUPP;
2297 
2298 	skb_pull(skb, sizeof(*rp));
2299 
2300 	memset(&cp, 0, sizeof(cp));
2301 	build_pairing_cmd(conn, &cp, NULL, auth);
2302 
2303 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2304 	memcpy(&smp->preq[1], &cp, sizeof(cp));
2305 
2306 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2307 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2308 
2309 	return 0;
2310 }
2311 
2312 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2313 {
2314 	struct l2cap_conn *conn = hcon->l2cap_data;
2315 	struct l2cap_chan *chan;
2316 	struct smp_chan *smp;
2317 	__u8 authreq;
2318 	int ret;
2319 
2320 	BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2321 
2322 	/* This may be NULL if there's an unexpected disconnection */
2323 	if (!conn)
2324 		return 1;
2325 
2326 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2327 		return 1;
2328 
2329 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2330 		return 1;
2331 
2332 	if (sec_level > hcon->pending_sec_level)
2333 		hcon->pending_sec_level = sec_level;
2334 
2335 	if (hcon->role == HCI_ROLE_MASTER)
2336 		if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2337 			return 0;
2338 
2339 	chan = conn->smp;
2340 	if (!chan) {
2341 		bt_dev_err(hcon->hdev, "security requested but not available");
2342 		return 1;
2343 	}
2344 
2345 	l2cap_chan_lock(chan);
2346 
2347 	/* If SMP is already in progress ignore this request */
2348 	if (chan->data) {
2349 		ret = 0;
2350 		goto unlock;
2351 	}
2352 
2353 	smp = smp_chan_create(conn);
2354 	if (!smp) {
2355 		ret = 1;
2356 		goto unlock;
2357 	}
2358 
2359 	authreq = seclevel_to_authreq(sec_level);
2360 
2361 	if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2362 		authreq |= SMP_AUTH_SC;
2363 		if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2364 			authreq |= SMP_AUTH_CT2;
2365 	}
2366 
2367 	/* Require MITM if IO Capability allows or the security level
2368 	 * requires it.
2369 	 */
2370 	if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2371 	    hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2372 		authreq |= SMP_AUTH_MITM;
2373 
2374 	if (hcon->role == HCI_ROLE_MASTER) {
2375 		struct smp_cmd_pairing cp;
2376 
2377 		build_pairing_cmd(conn, &cp, NULL, authreq);
2378 		smp->preq[0] = SMP_CMD_PAIRING_REQ;
2379 		memcpy(&smp->preq[1], &cp, sizeof(cp));
2380 
2381 		smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2382 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2383 	} else {
2384 		struct smp_cmd_security_req cp;
2385 		cp.auth_req = authreq;
2386 		smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2387 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2388 	}
2389 
2390 	set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2391 	ret = 0;
2392 
2393 unlock:
2394 	l2cap_chan_unlock(chan);
2395 	return ret;
2396 }
2397 
2398 int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2399 				  u8 addr_type)
2400 {
2401 	struct hci_conn *hcon;
2402 	struct l2cap_conn *conn;
2403 	struct l2cap_chan *chan;
2404 	struct smp_chan *smp;
2405 	int err;
2406 
2407 	err = hci_remove_ltk(hdev, bdaddr, addr_type);
2408 	hci_remove_irk(hdev, bdaddr, addr_type);
2409 
2410 	hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2411 	if (!hcon)
2412 		goto done;
2413 
2414 	conn = hcon->l2cap_data;
2415 	if (!conn)
2416 		goto done;
2417 
2418 	chan = conn->smp;
2419 	if (!chan)
2420 		goto done;
2421 
2422 	l2cap_chan_lock(chan);
2423 
2424 	smp = chan->data;
2425 	if (smp) {
2426 		/* Set keys to NULL to make sure smp_failure() does not try to
2427 		 * remove and free already invalidated rcu list entries. */
2428 		smp->ltk = NULL;
2429 		smp->slave_ltk = NULL;
2430 		smp->remote_irk = NULL;
2431 
2432 		if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2433 			smp_failure(conn, 0);
2434 		else
2435 			smp_failure(conn, SMP_UNSPECIFIED);
2436 		err = 0;
2437 	}
2438 
2439 	l2cap_chan_unlock(chan);
2440 
2441 done:
2442 	return err;
2443 }
2444 
2445 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2446 {
2447 	struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2448 	struct l2cap_chan *chan = conn->smp;
2449 	struct smp_chan *smp = chan->data;
2450 
2451 	BT_DBG("conn %p", conn);
2452 
2453 	if (skb->len < sizeof(*rp))
2454 		return SMP_INVALID_PARAMS;
2455 
2456 	/* Pairing is aborted if any blocked keys are distributed */
2457 	if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_LTK,
2458 			       rp->ltk)) {
2459 		bt_dev_warn_ratelimited(conn->hcon->hdev,
2460 					"LTK blocked for %pMR",
2461 					&conn->hcon->dst);
2462 		return SMP_INVALID_PARAMS;
2463 	}
2464 
2465 	SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2466 
2467 	skb_pull(skb, sizeof(*rp));
2468 
2469 	memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2470 
2471 	return 0;
2472 }
2473 
2474 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2475 {
2476 	struct smp_cmd_master_ident *rp = (void *) skb->data;
2477 	struct l2cap_chan *chan = conn->smp;
2478 	struct smp_chan *smp = chan->data;
2479 	struct hci_dev *hdev = conn->hcon->hdev;
2480 	struct hci_conn *hcon = conn->hcon;
2481 	struct smp_ltk *ltk;
2482 	u8 authenticated;
2483 
2484 	BT_DBG("conn %p", conn);
2485 
2486 	if (skb->len < sizeof(*rp))
2487 		return SMP_INVALID_PARAMS;
2488 
2489 	/* Mark the information as received */
2490 	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2491 
2492 	if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2493 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2494 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
2495 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2496 
2497 	skb_pull(skb, sizeof(*rp));
2498 
2499 	authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2500 	ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2501 			  authenticated, smp->tk, smp->enc_key_size,
2502 			  rp->ediv, rp->rand);
2503 	smp->ltk = ltk;
2504 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2505 		smp_distribute_keys(smp);
2506 
2507 	return 0;
2508 }
2509 
2510 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2511 {
2512 	struct smp_cmd_ident_info *info = (void *) skb->data;
2513 	struct l2cap_chan *chan = conn->smp;
2514 	struct smp_chan *smp = chan->data;
2515 
2516 	BT_DBG("");
2517 
2518 	if (skb->len < sizeof(*info))
2519 		return SMP_INVALID_PARAMS;
2520 
2521 	/* Pairing is aborted if any blocked keys are distributed */
2522 	if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_IRK,
2523 			       info->irk)) {
2524 		bt_dev_warn_ratelimited(conn->hcon->hdev,
2525 					"Identity key blocked for %pMR",
2526 					&conn->hcon->dst);
2527 		return SMP_INVALID_PARAMS;
2528 	}
2529 
2530 	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2531 
2532 	skb_pull(skb, sizeof(*info));
2533 
2534 	memcpy(smp->irk, info->irk, 16);
2535 
2536 	return 0;
2537 }
2538 
2539 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2540 				   struct sk_buff *skb)
2541 {
2542 	struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2543 	struct l2cap_chan *chan = conn->smp;
2544 	struct smp_chan *smp = chan->data;
2545 	struct hci_conn *hcon = conn->hcon;
2546 	bdaddr_t rpa;
2547 
2548 	BT_DBG("");
2549 
2550 	if (skb->len < sizeof(*info))
2551 		return SMP_INVALID_PARAMS;
2552 
2553 	/* Mark the information as received */
2554 	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2555 
2556 	if (smp->remote_key_dist & SMP_DIST_SIGN)
2557 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2558 
2559 	skb_pull(skb, sizeof(*info));
2560 
2561 	/* Strictly speaking the Core Specification (4.1) allows sending
2562 	 * an empty address which would force us to rely on just the IRK
2563 	 * as "identity information". However, since such
2564 	 * implementations are not known of and in order to not over
2565 	 * complicate our implementation, simply pretend that we never
2566 	 * received an IRK for such a device.
2567 	 *
2568 	 * The Identity Address must also be a Static Random or Public
2569 	 * Address, which hci_is_identity_address() checks for.
2570 	 */
2571 	if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2572 	    !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2573 		bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
2574 		goto distribute;
2575 	}
2576 
2577 	/* Drop IRK if peer is using identity address during pairing but is
2578 	 * providing different address as identity information.
2579 	 *
2580 	 * Microsoft Surface Precision Mouse is known to have this bug.
2581 	 */
2582 	if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
2583 	    (bacmp(&info->bdaddr, &hcon->dst) ||
2584 	     info->addr_type != hcon->dst_type)) {
2585 		bt_dev_err(hcon->hdev,
2586 			   "ignoring IRK with invalid identity address");
2587 		goto distribute;
2588 	}
2589 
2590 	bacpy(&smp->id_addr, &info->bdaddr);
2591 	smp->id_addr_type = info->addr_type;
2592 
2593 	if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2594 		bacpy(&rpa, &hcon->dst);
2595 	else
2596 		bacpy(&rpa, BDADDR_ANY);
2597 
2598 	smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2599 				      smp->id_addr_type, smp->irk, &rpa);
2600 
2601 distribute:
2602 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2603 		smp_distribute_keys(smp);
2604 
2605 	return 0;
2606 }
2607 
2608 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2609 {
2610 	struct smp_cmd_sign_info *rp = (void *) skb->data;
2611 	struct l2cap_chan *chan = conn->smp;
2612 	struct smp_chan *smp = chan->data;
2613 	struct smp_csrk *csrk;
2614 
2615 	BT_DBG("conn %p", conn);
2616 
2617 	if (skb->len < sizeof(*rp))
2618 		return SMP_INVALID_PARAMS;
2619 
2620 	/* Mark the information as received */
2621 	smp->remote_key_dist &= ~SMP_DIST_SIGN;
2622 
2623 	skb_pull(skb, sizeof(*rp));
2624 
2625 	csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2626 	if (csrk) {
2627 		if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2628 			csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2629 		else
2630 			csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2631 		memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2632 	}
2633 	smp->csrk = csrk;
2634 	smp_distribute_keys(smp);
2635 
2636 	return 0;
2637 }
2638 
2639 static u8 sc_select_method(struct smp_chan *smp)
2640 {
2641 	struct l2cap_conn *conn = smp->conn;
2642 	struct hci_conn *hcon = conn->hcon;
2643 	struct smp_cmd_pairing *local, *remote;
2644 	u8 local_mitm, remote_mitm, local_io, remote_io, method;
2645 
2646 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2647 	    test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2648 		return REQ_OOB;
2649 
2650 	/* The preq/prsp contain the raw Pairing Request/Response PDUs
2651 	 * which are needed as inputs to some crypto functions. To get
2652 	 * the "struct smp_cmd_pairing" from them we need to skip the
2653 	 * first byte which contains the opcode.
2654 	 */
2655 	if (hcon->out) {
2656 		local = (void *) &smp->preq[1];
2657 		remote = (void *) &smp->prsp[1];
2658 	} else {
2659 		local = (void *) &smp->prsp[1];
2660 		remote = (void *) &smp->preq[1];
2661 	}
2662 
2663 	local_io = local->io_capability;
2664 	remote_io = remote->io_capability;
2665 
2666 	local_mitm = (local->auth_req & SMP_AUTH_MITM);
2667 	remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2668 
2669 	/* If either side wants MITM, look up the method from the table,
2670 	 * otherwise use JUST WORKS.
2671 	 */
2672 	if (local_mitm || remote_mitm)
2673 		method = get_auth_method(smp, local_io, remote_io);
2674 	else
2675 		method = JUST_WORKS;
2676 
2677 	/* Don't confirm locally initiated pairing attempts */
2678 	if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2679 		method = JUST_WORKS;
2680 
2681 	return method;
2682 }
2683 
2684 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2685 {
2686 	struct smp_cmd_public_key *key = (void *) skb->data;
2687 	struct hci_conn *hcon = conn->hcon;
2688 	struct l2cap_chan *chan = conn->smp;
2689 	struct smp_chan *smp = chan->data;
2690 	struct hci_dev *hdev = hcon->hdev;
2691 	struct crypto_kpp *tfm_ecdh;
2692 	struct smp_cmd_pairing_confirm cfm;
2693 	int err;
2694 
2695 	BT_DBG("conn %p", conn);
2696 
2697 	if (skb->len < sizeof(*key))
2698 		return SMP_INVALID_PARAMS;
2699 
2700 	memcpy(smp->remote_pk, key, 64);
2701 
2702 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2703 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2704 			     smp->rr, 0, cfm.confirm_val);
2705 		if (err)
2706 			return SMP_UNSPECIFIED;
2707 
2708 		if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2709 			return SMP_CONFIRM_FAILED;
2710 	}
2711 
2712 	/* Non-initiating device sends its public key after receiving
2713 	 * the key from the initiating device.
2714 	 */
2715 	if (!hcon->out) {
2716 		err = sc_send_public_key(smp);
2717 		if (err)
2718 			return err;
2719 	}
2720 
2721 	SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2722 	SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2723 
2724 	/* Compute the shared secret on the same crypto tfm on which the private
2725 	 * key was set/generated.
2726 	 */
2727 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
2728 		struct l2cap_chan *hchan = hdev->smp_data;
2729 		struct smp_dev *smp_dev;
2730 
2731 		if (!hchan || !hchan->data)
2732 			return SMP_UNSPECIFIED;
2733 
2734 		smp_dev = hchan->data;
2735 
2736 		tfm_ecdh = smp_dev->tfm_ecdh;
2737 	} else {
2738 		tfm_ecdh = smp->tfm_ecdh;
2739 	}
2740 
2741 	if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
2742 		return SMP_UNSPECIFIED;
2743 
2744 	SMP_DBG("DHKey %32phN", smp->dhkey);
2745 
2746 	set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2747 
2748 	smp->method = sc_select_method(smp);
2749 
2750 	BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2751 
2752 	/* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2753 	if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2754 		hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2755 	else
2756 		hcon->pending_sec_level = BT_SECURITY_FIPS;
2757 
2758 	if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2759 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2760 
2761 	if (smp->method == DSP_PASSKEY) {
2762 		get_random_bytes(&hcon->passkey_notify,
2763 				 sizeof(hcon->passkey_notify));
2764 		hcon->passkey_notify %= 1000000;
2765 		hcon->passkey_entered = 0;
2766 		smp->passkey_round = 0;
2767 		if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2768 					     hcon->dst_type,
2769 					     hcon->passkey_notify,
2770 					     hcon->passkey_entered))
2771 			return SMP_UNSPECIFIED;
2772 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2773 		return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2774 	}
2775 
2776 	if (smp->method == REQ_OOB) {
2777 		if (hcon->out)
2778 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2779 				     sizeof(smp->prnd), smp->prnd);
2780 
2781 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2782 
2783 		return 0;
2784 	}
2785 
2786 	if (hcon->out)
2787 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2788 
2789 	if (smp->method == REQ_PASSKEY) {
2790 		if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2791 					      hcon->dst_type))
2792 			return SMP_UNSPECIFIED;
2793 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2794 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2795 		return 0;
2796 	}
2797 
2798 	/* The Initiating device waits for the non-initiating device to
2799 	 * send the confirm value.
2800 	 */
2801 	if (conn->hcon->out)
2802 		return 0;
2803 
2804 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2805 		     0, cfm.confirm_val);
2806 	if (err)
2807 		return SMP_UNSPECIFIED;
2808 
2809 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2810 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2811 
2812 	return 0;
2813 }
2814 
2815 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2816 {
2817 	struct smp_cmd_dhkey_check *check = (void *) skb->data;
2818 	struct l2cap_chan *chan = conn->smp;
2819 	struct hci_conn *hcon = conn->hcon;
2820 	struct smp_chan *smp = chan->data;
2821 	u8 a[7], b[7], *local_addr, *remote_addr;
2822 	u8 io_cap[3], r[16], e[16];
2823 	int err;
2824 
2825 	BT_DBG("conn %p", conn);
2826 
2827 	if (skb->len < sizeof(*check))
2828 		return SMP_INVALID_PARAMS;
2829 
2830 	memcpy(a, &hcon->init_addr, 6);
2831 	memcpy(b, &hcon->resp_addr, 6);
2832 	a[6] = hcon->init_addr_type;
2833 	b[6] = hcon->resp_addr_type;
2834 
2835 	if (hcon->out) {
2836 		local_addr = a;
2837 		remote_addr = b;
2838 		memcpy(io_cap, &smp->prsp[1], 3);
2839 	} else {
2840 		local_addr = b;
2841 		remote_addr = a;
2842 		memcpy(io_cap, &smp->preq[1], 3);
2843 	}
2844 
2845 	memset(r, 0, sizeof(r));
2846 
2847 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2848 		put_unaligned_le32(hcon->passkey_notify, r);
2849 	else if (smp->method == REQ_OOB)
2850 		memcpy(r, smp->lr, 16);
2851 
2852 	err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2853 		     io_cap, remote_addr, local_addr, e);
2854 	if (err)
2855 		return SMP_UNSPECIFIED;
2856 
2857 	if (crypto_memneq(check->e, e, 16))
2858 		return SMP_DHKEY_CHECK_FAILED;
2859 
2860 	if (!hcon->out) {
2861 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2862 			set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2863 			return 0;
2864 		}
2865 
2866 		/* Slave sends DHKey check as response to master */
2867 		sc_dhkey_check(smp);
2868 	}
2869 
2870 	sc_add_ltk(smp);
2871 
2872 	if (hcon->out) {
2873 		hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2874 		hcon->enc_key_size = smp->enc_key_size;
2875 	}
2876 
2877 	return 0;
2878 }
2879 
2880 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2881 				   struct sk_buff *skb)
2882 {
2883 	struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2884 
2885 	BT_DBG("value 0x%02x", kp->value);
2886 
2887 	return 0;
2888 }
2889 
2890 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2891 {
2892 	struct l2cap_conn *conn = chan->conn;
2893 	struct hci_conn *hcon = conn->hcon;
2894 	struct smp_chan *smp;
2895 	__u8 code, reason;
2896 	int err = 0;
2897 
2898 	if (skb->len < 1)
2899 		return -EILSEQ;
2900 
2901 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2902 		reason = SMP_PAIRING_NOTSUPP;
2903 		goto done;
2904 	}
2905 
2906 	code = skb->data[0];
2907 	skb_pull(skb, sizeof(code));
2908 
2909 	smp = chan->data;
2910 
2911 	if (code > SMP_CMD_MAX)
2912 		goto drop;
2913 
2914 	if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2915 		goto drop;
2916 
2917 	/* If we don't have a context the only allowed commands are
2918 	 * pairing request and security request.
2919 	 */
2920 	if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2921 		goto drop;
2922 
2923 	switch (code) {
2924 	case SMP_CMD_PAIRING_REQ:
2925 		reason = smp_cmd_pairing_req(conn, skb);
2926 		break;
2927 
2928 	case SMP_CMD_PAIRING_FAIL:
2929 		smp_failure(conn, 0);
2930 		err = -EPERM;
2931 		break;
2932 
2933 	case SMP_CMD_PAIRING_RSP:
2934 		reason = smp_cmd_pairing_rsp(conn, skb);
2935 		break;
2936 
2937 	case SMP_CMD_SECURITY_REQ:
2938 		reason = smp_cmd_security_req(conn, skb);
2939 		break;
2940 
2941 	case SMP_CMD_PAIRING_CONFIRM:
2942 		reason = smp_cmd_pairing_confirm(conn, skb);
2943 		break;
2944 
2945 	case SMP_CMD_PAIRING_RANDOM:
2946 		reason = smp_cmd_pairing_random(conn, skb);
2947 		break;
2948 
2949 	case SMP_CMD_ENCRYPT_INFO:
2950 		reason = smp_cmd_encrypt_info(conn, skb);
2951 		break;
2952 
2953 	case SMP_CMD_MASTER_IDENT:
2954 		reason = smp_cmd_master_ident(conn, skb);
2955 		break;
2956 
2957 	case SMP_CMD_IDENT_INFO:
2958 		reason = smp_cmd_ident_info(conn, skb);
2959 		break;
2960 
2961 	case SMP_CMD_IDENT_ADDR_INFO:
2962 		reason = smp_cmd_ident_addr_info(conn, skb);
2963 		break;
2964 
2965 	case SMP_CMD_SIGN_INFO:
2966 		reason = smp_cmd_sign_info(conn, skb);
2967 		break;
2968 
2969 	case SMP_CMD_PUBLIC_KEY:
2970 		reason = smp_cmd_public_key(conn, skb);
2971 		break;
2972 
2973 	case SMP_CMD_DHKEY_CHECK:
2974 		reason = smp_cmd_dhkey_check(conn, skb);
2975 		break;
2976 
2977 	case SMP_CMD_KEYPRESS_NOTIFY:
2978 		reason = smp_cmd_keypress_notify(conn, skb);
2979 		break;
2980 
2981 	default:
2982 		BT_DBG("Unknown command code 0x%2.2x", code);
2983 		reason = SMP_CMD_NOTSUPP;
2984 		goto done;
2985 	}
2986 
2987 done:
2988 	if (!err) {
2989 		if (reason)
2990 			smp_failure(conn, reason);
2991 		kfree_skb(skb);
2992 	}
2993 
2994 	return err;
2995 
2996 drop:
2997 	bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
2998 		   code, &hcon->dst);
2999 	kfree_skb(skb);
3000 	return 0;
3001 }
3002 
3003 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
3004 {
3005 	struct l2cap_conn *conn = chan->conn;
3006 
3007 	BT_DBG("chan %p", chan);
3008 
3009 	if (chan->data)
3010 		smp_chan_destroy(conn);
3011 
3012 	conn->smp = NULL;
3013 	l2cap_chan_put(chan);
3014 }
3015 
3016 static void bredr_pairing(struct l2cap_chan *chan)
3017 {
3018 	struct l2cap_conn *conn = chan->conn;
3019 	struct hci_conn *hcon = conn->hcon;
3020 	struct hci_dev *hdev = hcon->hdev;
3021 	struct smp_cmd_pairing req;
3022 	struct smp_chan *smp;
3023 
3024 	BT_DBG("chan %p", chan);
3025 
3026 	/* Only new pairings are interesting */
3027 	if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
3028 		return;
3029 
3030 	/* Don't bother if we're not encrypted */
3031 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3032 		return;
3033 
3034 	/* Only master may initiate SMP over BR/EDR */
3035 	if (hcon->role != HCI_ROLE_MASTER)
3036 		return;
3037 
3038 	/* Secure Connections support must be enabled */
3039 	if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
3040 		return;
3041 
3042 	/* BR/EDR must use Secure Connections for SMP */
3043 	if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
3044 	    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3045 		return;
3046 
3047 	/* If our LE support is not enabled don't do anything */
3048 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3049 		return;
3050 
3051 	/* Don't bother if remote LE support is not enabled */
3052 	if (!lmp_host_le_capable(hcon))
3053 		return;
3054 
3055 	/* Remote must support SMP fixed chan for BR/EDR */
3056 	if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3057 		return;
3058 
3059 	/* Don't bother if SMP is already ongoing */
3060 	if (chan->data)
3061 		return;
3062 
3063 	smp = smp_chan_create(conn);
3064 	if (!smp) {
3065 		bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
3066 		return;
3067 	}
3068 
3069 	set_bit(SMP_FLAG_SC, &smp->flags);
3070 
3071 	BT_DBG("%s starting SMP over BR/EDR", hdev->name);
3072 
3073 	/* Prepare and send the BR/EDR SMP Pairing Request */
3074 	build_bredr_pairing_cmd(smp, &req, NULL);
3075 
3076 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
3077 	memcpy(&smp->preq[1], &req, sizeof(req));
3078 
3079 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3080 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3081 }
3082 
3083 static void smp_resume_cb(struct l2cap_chan *chan)
3084 {
3085 	struct smp_chan *smp = chan->data;
3086 	struct l2cap_conn *conn = chan->conn;
3087 	struct hci_conn *hcon = conn->hcon;
3088 
3089 	BT_DBG("chan %p", chan);
3090 
3091 	if (hcon->type == ACL_LINK) {
3092 		bredr_pairing(chan);
3093 		return;
3094 	}
3095 
3096 	if (!smp)
3097 		return;
3098 
3099 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3100 		return;
3101 
3102 	cancel_delayed_work(&smp->security_timer);
3103 
3104 	smp_distribute_keys(smp);
3105 }
3106 
3107 static void smp_ready_cb(struct l2cap_chan *chan)
3108 {
3109 	struct l2cap_conn *conn = chan->conn;
3110 	struct hci_conn *hcon = conn->hcon;
3111 
3112 	BT_DBG("chan %p", chan);
3113 
3114 	/* No need to call l2cap_chan_hold() here since we already own
3115 	 * the reference taken in smp_new_conn_cb(). This is just the
3116 	 * first time that we tie it to a specific pointer. The code in
3117 	 * l2cap_core.c ensures that there's no risk this function wont
3118 	 * get called if smp_new_conn_cb was previously called.
3119 	 */
3120 	conn->smp = chan;
3121 
3122 	if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3123 		bredr_pairing(chan);
3124 }
3125 
3126 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3127 {
3128 	int err;
3129 
3130 	BT_DBG("chan %p", chan);
3131 
3132 	err = smp_sig_channel(chan, skb);
3133 	if (err) {
3134 		struct smp_chan *smp = chan->data;
3135 
3136 		if (smp)
3137 			cancel_delayed_work_sync(&smp->security_timer);
3138 
3139 		hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3140 	}
3141 
3142 	return err;
3143 }
3144 
3145 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3146 					unsigned long hdr_len,
3147 					unsigned long len, int nb)
3148 {
3149 	struct sk_buff *skb;
3150 
3151 	skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3152 	if (!skb)
3153 		return ERR_PTR(-ENOMEM);
3154 
3155 	skb->priority = HCI_PRIO_MAX;
3156 	bt_cb(skb)->l2cap.chan = chan;
3157 
3158 	return skb;
3159 }
3160 
3161 static const struct l2cap_ops smp_chan_ops = {
3162 	.name			= "Security Manager",
3163 	.ready			= smp_ready_cb,
3164 	.recv			= smp_recv_cb,
3165 	.alloc_skb		= smp_alloc_skb_cb,
3166 	.teardown		= smp_teardown_cb,
3167 	.resume			= smp_resume_cb,
3168 
3169 	.new_connection		= l2cap_chan_no_new_connection,
3170 	.state_change		= l2cap_chan_no_state_change,
3171 	.close			= l2cap_chan_no_close,
3172 	.defer			= l2cap_chan_no_defer,
3173 	.suspend		= l2cap_chan_no_suspend,
3174 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3175 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3176 };
3177 
3178 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3179 {
3180 	struct l2cap_chan *chan;
3181 
3182 	BT_DBG("pchan %p", pchan);
3183 
3184 	chan = l2cap_chan_create();
3185 	if (!chan)
3186 		return NULL;
3187 
3188 	chan->chan_type	= pchan->chan_type;
3189 	chan->ops	= &smp_chan_ops;
3190 	chan->scid	= pchan->scid;
3191 	chan->dcid	= chan->scid;
3192 	chan->imtu	= pchan->imtu;
3193 	chan->omtu	= pchan->omtu;
3194 	chan->mode	= pchan->mode;
3195 
3196 	/* Other L2CAP channels may request SMP routines in order to
3197 	 * change the security level. This means that the SMP channel
3198 	 * lock must be considered in its own category to avoid lockdep
3199 	 * warnings.
3200 	 */
3201 	atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3202 
3203 	BT_DBG("created chan %p", chan);
3204 
3205 	return chan;
3206 }
3207 
3208 static const struct l2cap_ops smp_root_chan_ops = {
3209 	.name			= "Security Manager Root",
3210 	.new_connection		= smp_new_conn_cb,
3211 
3212 	/* None of these are implemented for the root channel */
3213 	.close			= l2cap_chan_no_close,
3214 	.alloc_skb		= l2cap_chan_no_alloc_skb,
3215 	.recv			= l2cap_chan_no_recv,
3216 	.state_change		= l2cap_chan_no_state_change,
3217 	.teardown		= l2cap_chan_no_teardown,
3218 	.ready			= l2cap_chan_no_ready,
3219 	.defer			= l2cap_chan_no_defer,
3220 	.suspend		= l2cap_chan_no_suspend,
3221 	.resume			= l2cap_chan_no_resume,
3222 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3223 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3224 };
3225 
3226 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3227 {
3228 	struct l2cap_chan *chan;
3229 	struct smp_dev *smp;
3230 	struct crypto_shash *tfm_cmac;
3231 	struct crypto_kpp *tfm_ecdh;
3232 
3233 	if (cid == L2CAP_CID_SMP_BREDR) {
3234 		smp = NULL;
3235 		goto create_chan;
3236 	}
3237 
3238 	smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3239 	if (!smp)
3240 		return ERR_PTR(-ENOMEM);
3241 
3242 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3243 	if (IS_ERR(tfm_cmac)) {
3244 		BT_ERR("Unable to create CMAC crypto context");
3245 		kzfree(smp);
3246 		return ERR_CAST(tfm_cmac);
3247 	}
3248 
3249 	tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
3250 	if (IS_ERR(tfm_ecdh)) {
3251 		BT_ERR("Unable to create ECDH crypto context");
3252 		crypto_free_shash(tfm_cmac);
3253 		kzfree(smp);
3254 		return ERR_CAST(tfm_ecdh);
3255 	}
3256 
3257 	smp->local_oob = false;
3258 	smp->tfm_cmac = tfm_cmac;
3259 	smp->tfm_ecdh = tfm_ecdh;
3260 
3261 create_chan:
3262 	chan = l2cap_chan_create();
3263 	if (!chan) {
3264 		if (smp) {
3265 			crypto_free_shash(smp->tfm_cmac);
3266 			crypto_free_kpp(smp->tfm_ecdh);
3267 			kzfree(smp);
3268 		}
3269 		return ERR_PTR(-ENOMEM);
3270 	}
3271 
3272 	chan->data = smp;
3273 
3274 	l2cap_add_scid(chan, cid);
3275 
3276 	l2cap_chan_set_defaults(chan);
3277 
3278 	if (cid == L2CAP_CID_SMP) {
3279 		u8 bdaddr_type;
3280 
3281 		hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3282 
3283 		if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3284 			chan->src_type = BDADDR_LE_PUBLIC;
3285 		else
3286 			chan->src_type = BDADDR_LE_RANDOM;
3287 	} else {
3288 		bacpy(&chan->src, &hdev->bdaddr);
3289 		chan->src_type = BDADDR_BREDR;
3290 	}
3291 
3292 	chan->state = BT_LISTEN;
3293 	chan->mode = L2CAP_MODE_BASIC;
3294 	chan->imtu = L2CAP_DEFAULT_MTU;
3295 	chan->ops = &smp_root_chan_ops;
3296 
3297 	/* Set correct nesting level for a parent/listening channel */
3298 	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3299 
3300 	return chan;
3301 }
3302 
3303 static void smp_del_chan(struct l2cap_chan *chan)
3304 {
3305 	struct smp_dev *smp;
3306 
3307 	BT_DBG("chan %p", chan);
3308 
3309 	smp = chan->data;
3310 	if (smp) {
3311 		chan->data = NULL;
3312 		crypto_free_shash(smp->tfm_cmac);
3313 		crypto_free_kpp(smp->tfm_ecdh);
3314 		kzfree(smp);
3315 	}
3316 
3317 	l2cap_chan_put(chan);
3318 }
3319 
3320 static ssize_t force_bredr_smp_read(struct file *file,
3321 				    char __user *user_buf,
3322 				    size_t count, loff_t *ppos)
3323 {
3324 	struct hci_dev *hdev = file->private_data;
3325 	char buf[3];
3326 
3327 	buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3328 	buf[1] = '\n';
3329 	buf[2] = '\0';
3330 	return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3331 }
3332 
3333 static ssize_t force_bredr_smp_write(struct file *file,
3334 				     const char __user *user_buf,
3335 				     size_t count, loff_t *ppos)
3336 {
3337 	struct hci_dev *hdev = file->private_data;
3338 	bool enable;
3339 	int err;
3340 
3341 	err = kstrtobool_from_user(user_buf, count, &enable);
3342 	if (err)
3343 		return err;
3344 
3345 	if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3346 		return -EALREADY;
3347 
3348 	if (enable) {
3349 		struct l2cap_chan *chan;
3350 
3351 		chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3352 		if (IS_ERR(chan))
3353 			return PTR_ERR(chan);
3354 
3355 		hdev->smp_bredr_data = chan;
3356 	} else {
3357 		struct l2cap_chan *chan;
3358 
3359 		chan = hdev->smp_bredr_data;
3360 		hdev->smp_bredr_data = NULL;
3361 		smp_del_chan(chan);
3362 	}
3363 
3364 	hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3365 
3366 	return count;
3367 }
3368 
3369 static const struct file_operations force_bredr_smp_fops = {
3370 	.open		= simple_open,
3371 	.read		= force_bredr_smp_read,
3372 	.write		= force_bredr_smp_write,
3373 	.llseek		= default_llseek,
3374 };
3375 
3376 int smp_register(struct hci_dev *hdev)
3377 {
3378 	struct l2cap_chan *chan;
3379 
3380 	BT_DBG("%s", hdev->name);
3381 
3382 	/* If the controller does not support Low Energy operation, then
3383 	 * there is also no need to register any SMP channel.
3384 	 */
3385 	if (!lmp_le_capable(hdev))
3386 		return 0;
3387 
3388 	if (WARN_ON(hdev->smp_data)) {
3389 		chan = hdev->smp_data;
3390 		hdev->smp_data = NULL;
3391 		smp_del_chan(chan);
3392 	}
3393 
3394 	chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3395 	if (IS_ERR(chan))
3396 		return PTR_ERR(chan);
3397 
3398 	hdev->smp_data = chan;
3399 
3400 	/* If the controller does not support BR/EDR Secure Connections
3401 	 * feature, then the BR/EDR SMP channel shall not be present.
3402 	 *
3403 	 * To test this with Bluetooth 4.0 controllers, create a debugfs
3404 	 * switch that allows forcing BR/EDR SMP support and accepting
3405 	 * cross-transport pairing on non-AES encrypted connections.
3406 	 */
3407 	if (!lmp_sc_capable(hdev)) {
3408 		debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3409 				    hdev, &force_bredr_smp_fops);
3410 
3411 		/* Flag can be already set here (due to power toggle) */
3412 		if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3413 			return 0;
3414 	}
3415 
3416 	if (WARN_ON(hdev->smp_bredr_data)) {
3417 		chan = hdev->smp_bredr_data;
3418 		hdev->smp_bredr_data = NULL;
3419 		smp_del_chan(chan);
3420 	}
3421 
3422 	chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3423 	if (IS_ERR(chan)) {
3424 		int err = PTR_ERR(chan);
3425 		chan = hdev->smp_data;
3426 		hdev->smp_data = NULL;
3427 		smp_del_chan(chan);
3428 		return err;
3429 	}
3430 
3431 	hdev->smp_bredr_data = chan;
3432 
3433 	return 0;
3434 }
3435 
3436 void smp_unregister(struct hci_dev *hdev)
3437 {
3438 	struct l2cap_chan *chan;
3439 
3440 	if (hdev->smp_bredr_data) {
3441 		chan = hdev->smp_bredr_data;
3442 		hdev->smp_bredr_data = NULL;
3443 		smp_del_chan(chan);
3444 	}
3445 
3446 	if (hdev->smp_data) {
3447 		chan = hdev->smp_data;
3448 		hdev->smp_data = NULL;
3449 		smp_del_chan(chan);
3450 	}
3451 }
3452 
3453 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3454 
3455 static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
3456 {
3457 	u8 pk[64];
3458 	int err;
3459 
3460 	err = set_ecdh_privkey(tfm_ecdh, debug_sk);
3461 	if (err)
3462 		return err;
3463 
3464 	err = generate_ecdh_public_key(tfm_ecdh, pk);
3465 	if (err)
3466 		return err;
3467 
3468 	if (crypto_memneq(pk, debug_pk, 64))
3469 		return -EINVAL;
3470 
3471 	return 0;
3472 }
3473 
3474 static int __init test_ah(void)
3475 {
3476 	const u8 irk[16] = {
3477 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3478 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3479 	const u8 r[3] = { 0x94, 0x81, 0x70 };
3480 	const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3481 	u8 res[3];
3482 	int err;
3483 
3484 	err = smp_ah(irk, r, res);
3485 	if (err)
3486 		return err;
3487 
3488 	if (crypto_memneq(res, exp, 3))
3489 		return -EINVAL;
3490 
3491 	return 0;
3492 }
3493 
3494 static int __init test_c1(void)
3495 {
3496 	const u8 k[16] = {
3497 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3498 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3499 	const u8 r[16] = {
3500 			0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3501 			0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3502 	const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3503 	const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3504 	const u8 _iat = 0x01;
3505 	const u8 _rat = 0x00;
3506 	const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3507 	const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3508 	const u8 exp[16] = {
3509 			0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3510 			0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3511 	u8 res[16];
3512 	int err;
3513 
3514 	err = smp_c1(k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3515 	if (err)
3516 		return err;
3517 
3518 	if (crypto_memneq(res, exp, 16))
3519 		return -EINVAL;
3520 
3521 	return 0;
3522 }
3523 
3524 static int __init test_s1(void)
3525 {
3526 	const u8 k[16] = {
3527 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3528 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3529 	const u8 r1[16] = {
3530 			0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3531 	const u8 r2[16] = {
3532 			0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3533 	const u8 exp[16] = {
3534 			0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3535 			0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3536 	u8 res[16];
3537 	int err;
3538 
3539 	err = smp_s1(k, r1, r2, res);
3540 	if (err)
3541 		return err;
3542 
3543 	if (crypto_memneq(res, exp, 16))
3544 		return -EINVAL;
3545 
3546 	return 0;
3547 }
3548 
3549 static int __init test_f4(struct crypto_shash *tfm_cmac)
3550 {
3551 	const u8 u[32] = {
3552 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3553 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3554 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3555 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3556 	const u8 v[32] = {
3557 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3558 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3559 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3560 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3561 	const u8 x[16] = {
3562 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3563 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3564 	const u8 z = 0x00;
3565 	const u8 exp[16] = {
3566 			0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3567 			0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3568 	u8 res[16];
3569 	int err;
3570 
3571 	err = smp_f4(tfm_cmac, u, v, x, z, res);
3572 	if (err)
3573 		return err;
3574 
3575 	if (crypto_memneq(res, exp, 16))
3576 		return -EINVAL;
3577 
3578 	return 0;
3579 }
3580 
3581 static int __init test_f5(struct crypto_shash *tfm_cmac)
3582 {
3583 	const u8 w[32] = {
3584 			0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3585 			0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3586 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3587 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3588 	const u8 n1[16] = {
3589 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3590 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3591 	const u8 n2[16] = {
3592 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3593 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3594 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3595 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3596 	const u8 exp_ltk[16] = {
3597 			0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3598 			0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3599 	const u8 exp_mackey[16] = {
3600 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3601 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3602 	u8 mackey[16], ltk[16];
3603 	int err;
3604 
3605 	err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3606 	if (err)
3607 		return err;
3608 
3609 	if (crypto_memneq(mackey, exp_mackey, 16))
3610 		return -EINVAL;
3611 
3612 	if (crypto_memneq(ltk, exp_ltk, 16))
3613 		return -EINVAL;
3614 
3615 	return 0;
3616 }
3617 
3618 static int __init test_f6(struct crypto_shash *tfm_cmac)
3619 {
3620 	const u8 w[16] = {
3621 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3622 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3623 	const u8 n1[16] = {
3624 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3625 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3626 	const u8 n2[16] = {
3627 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3628 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3629 	const u8 r[16] = {
3630 			0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3631 			0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3632 	const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3633 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3634 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3635 	const u8 exp[16] = {
3636 			0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3637 			0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3638 	u8 res[16];
3639 	int err;
3640 
3641 	err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3642 	if (err)
3643 		return err;
3644 
3645 	if (crypto_memneq(res, exp, 16))
3646 		return -EINVAL;
3647 
3648 	return 0;
3649 }
3650 
3651 static int __init test_g2(struct crypto_shash *tfm_cmac)
3652 {
3653 	const u8 u[32] = {
3654 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3655 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3656 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3657 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3658 	const u8 v[32] = {
3659 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3660 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3661 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3662 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3663 	const u8 x[16] = {
3664 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3665 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3666 	const u8 y[16] = {
3667 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3668 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3669 	const u32 exp_val = 0x2f9ed5ba % 1000000;
3670 	u32 val;
3671 	int err;
3672 
3673 	err = smp_g2(tfm_cmac, u, v, x, y, &val);
3674 	if (err)
3675 		return err;
3676 
3677 	if (val != exp_val)
3678 		return -EINVAL;
3679 
3680 	return 0;
3681 }
3682 
3683 static int __init test_h6(struct crypto_shash *tfm_cmac)
3684 {
3685 	const u8 w[16] = {
3686 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3687 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3688 	const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3689 	const u8 exp[16] = {
3690 			0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3691 			0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3692 	u8 res[16];
3693 	int err;
3694 
3695 	err = smp_h6(tfm_cmac, w, key_id, res);
3696 	if (err)
3697 		return err;
3698 
3699 	if (crypto_memneq(res, exp, 16))
3700 		return -EINVAL;
3701 
3702 	return 0;
3703 }
3704 
3705 static char test_smp_buffer[32];
3706 
3707 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3708 			     size_t count, loff_t *ppos)
3709 {
3710 	return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3711 				       strlen(test_smp_buffer));
3712 }
3713 
3714 static const struct file_operations test_smp_fops = {
3715 	.open		= simple_open,
3716 	.read		= test_smp_read,
3717 	.llseek		= default_llseek,
3718 };
3719 
3720 static int __init run_selftests(struct crypto_shash *tfm_cmac,
3721 				struct crypto_kpp *tfm_ecdh)
3722 {
3723 	ktime_t calltime, delta, rettime;
3724 	unsigned long long duration;
3725 	int err;
3726 
3727 	calltime = ktime_get();
3728 
3729 	err = test_debug_key(tfm_ecdh);
3730 	if (err) {
3731 		BT_ERR("debug_key test failed");
3732 		goto done;
3733 	}
3734 
3735 	err = test_ah();
3736 	if (err) {
3737 		BT_ERR("smp_ah test failed");
3738 		goto done;
3739 	}
3740 
3741 	err = test_c1();
3742 	if (err) {
3743 		BT_ERR("smp_c1 test failed");
3744 		goto done;
3745 	}
3746 
3747 	err = test_s1();
3748 	if (err) {
3749 		BT_ERR("smp_s1 test failed");
3750 		goto done;
3751 	}
3752 
3753 	err = test_f4(tfm_cmac);
3754 	if (err) {
3755 		BT_ERR("smp_f4 test failed");
3756 		goto done;
3757 	}
3758 
3759 	err = test_f5(tfm_cmac);
3760 	if (err) {
3761 		BT_ERR("smp_f5 test failed");
3762 		goto done;
3763 	}
3764 
3765 	err = test_f6(tfm_cmac);
3766 	if (err) {
3767 		BT_ERR("smp_f6 test failed");
3768 		goto done;
3769 	}
3770 
3771 	err = test_g2(tfm_cmac);
3772 	if (err) {
3773 		BT_ERR("smp_g2 test failed");
3774 		goto done;
3775 	}
3776 
3777 	err = test_h6(tfm_cmac);
3778 	if (err) {
3779 		BT_ERR("smp_h6 test failed");
3780 		goto done;
3781 	}
3782 
3783 	rettime = ktime_get();
3784 	delta = ktime_sub(rettime, calltime);
3785 	duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3786 
3787 	BT_INFO("SMP test passed in %llu usecs", duration);
3788 
3789 done:
3790 	if (!err)
3791 		snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3792 			 "PASS (%llu usecs)\n", duration);
3793 	else
3794 		snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3795 
3796 	debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3797 			    &test_smp_fops);
3798 
3799 	return err;
3800 }
3801 
3802 int __init bt_selftest_smp(void)
3803 {
3804 	struct crypto_shash *tfm_cmac;
3805 	struct crypto_kpp *tfm_ecdh;
3806 	int err;
3807 
3808 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3809 	if (IS_ERR(tfm_cmac)) {
3810 		BT_ERR("Unable to create CMAC crypto context");
3811 		return PTR_ERR(tfm_cmac);
3812 	}
3813 
3814 	tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
3815 	if (IS_ERR(tfm_ecdh)) {
3816 		BT_ERR("Unable to create ECDH crypto context");
3817 		crypto_free_shash(tfm_cmac);
3818 		return PTR_ERR(tfm_ecdh);
3819 	}
3820 
3821 	err = run_selftests(tfm_cmac, tfm_ecdh);
3822 
3823 	crypto_free_shash(tfm_cmac);
3824 	crypto_free_kpp(tfm_ecdh);
3825 
3826 	return err;
3827 }
3828 
3829 #endif
3830