xref: /openbmc/linux/net/bluetooth/smp.c (revision fb8d6c8d)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4 
5    This program is free software; you can redistribute it and/or modify
6    it under the terms of the GNU General Public License version 2 as
7    published by the Free Software Foundation;
8 
9    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 
18    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20    SOFTWARE IS DISCLAIMED.
21 */
22 
23 #include <linux/debugfs.h>
24 #include <linux/scatterlist.h>
25 #include <linux/crypto.h>
26 #include <crypto/aes.h>
27 #include <crypto/algapi.h>
28 #include <crypto/b128ops.h>
29 #include <crypto/hash.h>
30 #include <crypto/kpp.h>
31 
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/l2cap.h>
35 #include <net/bluetooth/mgmt.h>
36 
37 #include "ecdh_helper.h"
38 #include "smp.h"
39 
40 #define SMP_DEV(hdev) \
41 	((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
42 
43 /* Low-level debug macros to be used for stuff that we don't want
44  * accidentially in dmesg, i.e. the values of the various crypto keys
45  * and the inputs & outputs of crypto functions.
46  */
47 #ifdef DEBUG
48 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
49 				 ##__VA_ARGS__)
50 #else
51 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
52 				    ##__VA_ARGS__)
53 #endif
54 
55 #define SMP_ALLOW_CMD(smp, code)	set_bit(code, &smp->allow_cmd)
56 
57 /* Keys which are not distributed with Secure Connections */
58 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
59 
60 #define SMP_TIMEOUT	msecs_to_jiffies(30000)
61 
62 #define AUTH_REQ_MASK(dev)	(hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
63 				 0x3f : 0x07)
64 #define KEY_DIST_MASK		0x07
65 
66 /* Maximum message length that can be passed to aes_cmac */
67 #define CMAC_MSG_MAX	80
68 
69 enum {
70 	SMP_FLAG_TK_VALID,
71 	SMP_FLAG_CFM_PENDING,
72 	SMP_FLAG_MITM_AUTH,
73 	SMP_FLAG_COMPLETE,
74 	SMP_FLAG_INITIATOR,
75 	SMP_FLAG_SC,
76 	SMP_FLAG_REMOTE_PK,
77 	SMP_FLAG_DEBUG_KEY,
78 	SMP_FLAG_WAIT_USER,
79 	SMP_FLAG_DHKEY_PENDING,
80 	SMP_FLAG_REMOTE_OOB,
81 	SMP_FLAG_LOCAL_OOB,
82 	SMP_FLAG_CT2,
83 };
84 
85 struct smp_dev {
86 	/* Secure Connections OOB data */
87 	bool			local_oob;
88 	u8			local_pk[64];
89 	u8			local_rand[16];
90 	bool			debug_key;
91 
92 	struct crypto_shash	*tfm_cmac;
93 	struct crypto_kpp	*tfm_ecdh;
94 };
95 
96 struct smp_chan {
97 	struct l2cap_conn	*conn;
98 	struct delayed_work	security_timer;
99 	unsigned long           allow_cmd; /* Bitmask of allowed commands */
100 
101 	u8		preq[7]; /* SMP Pairing Request */
102 	u8		prsp[7]; /* SMP Pairing Response */
103 	u8		prnd[16]; /* SMP Pairing Random (local) */
104 	u8		rrnd[16]; /* SMP Pairing Random (remote) */
105 	u8		pcnf[16]; /* SMP Pairing Confirm */
106 	u8		tk[16]; /* SMP Temporary Key */
107 	u8		rr[16]; /* Remote OOB ra/rb value */
108 	u8		lr[16]; /* Local OOB ra/rb value */
109 	u8		enc_key_size;
110 	u8		remote_key_dist;
111 	bdaddr_t	id_addr;
112 	u8		id_addr_type;
113 	u8		irk[16];
114 	struct smp_csrk	*csrk;
115 	struct smp_csrk	*slave_csrk;
116 	struct smp_ltk	*ltk;
117 	struct smp_ltk	*slave_ltk;
118 	struct smp_irk	*remote_irk;
119 	u8		*link_key;
120 	unsigned long	flags;
121 	u8		method;
122 	u8		passkey_round;
123 
124 	/* Secure Connections variables */
125 	u8			local_pk[64];
126 	u8			remote_pk[64];
127 	u8			dhkey[32];
128 	u8			mackey[16];
129 
130 	struct crypto_shash	*tfm_cmac;
131 	struct crypto_kpp	*tfm_ecdh;
132 };
133 
134 /* These debug key values are defined in the SMP section of the core
135  * specification. debug_pk is the public debug key and debug_sk the
136  * private debug key.
137  */
138 static const u8 debug_pk[64] = {
139 		0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
140 		0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
141 		0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
142 		0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
143 
144 		0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
145 		0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
146 		0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
147 		0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
148 };
149 
150 static const u8 debug_sk[32] = {
151 		0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
152 		0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
153 		0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
154 		0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
155 };
156 
157 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
158 {
159 	size_t i;
160 
161 	for (i = 0; i < len; i++)
162 		dst[len - 1 - i] = src[i];
163 }
164 
165 /* The following functions map to the LE SC SMP crypto functions
166  * AES-CMAC, f4, f5, f6, g2 and h6.
167  */
168 
169 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
170 		    size_t len, u8 mac[16])
171 {
172 	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
173 	SHASH_DESC_ON_STACK(desc, tfm);
174 	int err;
175 
176 	if (len > CMAC_MSG_MAX)
177 		return -EFBIG;
178 
179 	if (!tfm) {
180 		BT_ERR("tfm %p", tfm);
181 		return -EINVAL;
182 	}
183 
184 	desc->tfm = tfm;
185 
186 	/* Swap key and message from LSB to MSB */
187 	swap_buf(k, tmp, 16);
188 	swap_buf(m, msg_msb, len);
189 
190 	SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
191 	SMP_DBG("key %16phN", k);
192 
193 	err = crypto_shash_setkey(tfm, tmp, 16);
194 	if (err) {
195 		BT_ERR("cipher setkey failed: %d", err);
196 		return err;
197 	}
198 
199 	err = crypto_shash_digest(desc, msg_msb, len, mac_msb);
200 	shash_desc_zero(desc);
201 	if (err) {
202 		BT_ERR("Hash computation error %d", err);
203 		return err;
204 	}
205 
206 	swap_buf(mac_msb, mac, 16);
207 
208 	SMP_DBG("mac %16phN", mac);
209 
210 	return 0;
211 }
212 
213 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
214 		  const u8 v[32], const u8 x[16], u8 z, u8 res[16])
215 {
216 	u8 m[65];
217 	int err;
218 
219 	SMP_DBG("u %32phN", u);
220 	SMP_DBG("v %32phN", v);
221 	SMP_DBG("x %16phN z %02x", x, z);
222 
223 	m[0] = z;
224 	memcpy(m + 1, v, 32);
225 	memcpy(m + 33, u, 32);
226 
227 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
228 	if (err)
229 		return err;
230 
231 	SMP_DBG("res %16phN", res);
232 
233 	return err;
234 }
235 
236 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
237 		  const u8 n1[16], const u8 n2[16], const u8 a1[7],
238 		  const u8 a2[7], u8 mackey[16], u8 ltk[16])
239 {
240 	/* The btle, salt and length "magic" values are as defined in
241 	 * the SMP section of the Bluetooth core specification. In ASCII
242 	 * the btle value ends up being 'btle'. The salt is just a
243 	 * random number whereas length is the value 256 in little
244 	 * endian format.
245 	 */
246 	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
247 	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
248 			      0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
249 	const u8 length[2] = { 0x00, 0x01 };
250 	u8 m[53], t[16];
251 	int err;
252 
253 	SMP_DBG("w %32phN", w);
254 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
255 	SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
256 
257 	err = aes_cmac(tfm_cmac, salt, w, 32, t);
258 	if (err)
259 		return err;
260 
261 	SMP_DBG("t %16phN", t);
262 
263 	memcpy(m, length, 2);
264 	memcpy(m + 2, a2, 7);
265 	memcpy(m + 9, a1, 7);
266 	memcpy(m + 16, n2, 16);
267 	memcpy(m + 32, n1, 16);
268 	memcpy(m + 48, btle, 4);
269 
270 	m[52] = 0; /* Counter */
271 
272 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
273 	if (err)
274 		return err;
275 
276 	SMP_DBG("mackey %16phN", mackey);
277 
278 	m[52] = 1; /* Counter */
279 
280 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
281 	if (err)
282 		return err;
283 
284 	SMP_DBG("ltk %16phN", ltk);
285 
286 	return 0;
287 }
288 
289 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
290 		  const u8 n1[16], const u8 n2[16], const u8 r[16],
291 		  const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
292 		  u8 res[16])
293 {
294 	u8 m[65];
295 	int err;
296 
297 	SMP_DBG("w %16phN", w);
298 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
299 	SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
300 
301 	memcpy(m, a2, 7);
302 	memcpy(m + 7, a1, 7);
303 	memcpy(m + 14, io_cap, 3);
304 	memcpy(m + 17, r, 16);
305 	memcpy(m + 33, n2, 16);
306 	memcpy(m + 49, n1, 16);
307 
308 	err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
309 	if (err)
310 		return err;
311 
312 	SMP_DBG("res %16phN", res);
313 
314 	return err;
315 }
316 
317 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
318 		  const u8 x[16], const u8 y[16], u32 *val)
319 {
320 	u8 m[80], tmp[16];
321 	int err;
322 
323 	SMP_DBG("u %32phN", u);
324 	SMP_DBG("v %32phN", v);
325 	SMP_DBG("x %16phN y %16phN", x, y);
326 
327 	memcpy(m, y, 16);
328 	memcpy(m + 16, v, 32);
329 	memcpy(m + 48, u, 32);
330 
331 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
332 	if (err)
333 		return err;
334 
335 	*val = get_unaligned_le32(tmp);
336 	*val %= 1000000;
337 
338 	SMP_DBG("val %06u", *val);
339 
340 	return 0;
341 }
342 
343 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
344 		  const u8 key_id[4], u8 res[16])
345 {
346 	int err;
347 
348 	SMP_DBG("w %16phN key_id %4phN", w, key_id);
349 
350 	err = aes_cmac(tfm_cmac, w, key_id, 4, res);
351 	if (err)
352 		return err;
353 
354 	SMP_DBG("res %16phN", res);
355 
356 	return err;
357 }
358 
359 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
360 		  const u8 salt[16], u8 res[16])
361 {
362 	int err;
363 
364 	SMP_DBG("w %16phN salt %16phN", w, salt);
365 
366 	err = aes_cmac(tfm_cmac, salt, w, 16, res);
367 	if (err)
368 		return err;
369 
370 	SMP_DBG("res %16phN", res);
371 
372 	return err;
373 }
374 
375 /* The following functions map to the legacy SMP crypto functions e, c1,
376  * s1 and ah.
377  */
378 
379 static int smp_e(const u8 *k, u8 *r)
380 {
381 	struct crypto_aes_ctx ctx;
382 	uint8_t tmp[16], data[16];
383 	int err;
384 
385 	SMP_DBG("k %16phN r %16phN", k, r);
386 
387 	/* The most significant octet of key corresponds to k[0] */
388 	swap_buf(k, tmp, 16);
389 
390 	err = aes_expandkey(&ctx, tmp, 16);
391 	if (err) {
392 		BT_ERR("cipher setkey failed: %d", err);
393 		return err;
394 	}
395 
396 	/* Most significant octet of plaintextData corresponds to data[0] */
397 	swap_buf(r, data, 16);
398 
399 	aes_encrypt(&ctx, data, data);
400 
401 	/* Most significant octet of encryptedData corresponds to data[0] */
402 	swap_buf(data, r, 16);
403 
404 	SMP_DBG("r %16phN", r);
405 
406 	memzero_explicit(&ctx, sizeof (ctx));
407 	return err;
408 }
409 
410 static int smp_c1(const u8 k[16],
411 		  const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
412 		  const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
413 {
414 	u8 p1[16], p2[16];
415 	int err;
416 
417 	SMP_DBG("k %16phN r %16phN", k, r);
418 	SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
419 	SMP_DBG("preq %7phN pres %7phN", preq, pres);
420 
421 	memset(p1, 0, 16);
422 
423 	/* p1 = pres || preq || _rat || _iat */
424 	p1[0] = _iat;
425 	p1[1] = _rat;
426 	memcpy(p1 + 2, preq, 7);
427 	memcpy(p1 + 9, pres, 7);
428 
429 	SMP_DBG("p1 %16phN", p1);
430 
431 	/* res = r XOR p1 */
432 	u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
433 
434 	/* res = e(k, res) */
435 	err = smp_e(k, res);
436 	if (err) {
437 		BT_ERR("Encrypt data error");
438 		return err;
439 	}
440 
441 	/* p2 = padding || ia || ra */
442 	memcpy(p2, ra, 6);
443 	memcpy(p2 + 6, ia, 6);
444 	memset(p2 + 12, 0, 4);
445 
446 	SMP_DBG("p2 %16phN", p2);
447 
448 	/* res = res XOR p2 */
449 	u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
450 
451 	/* res = e(k, res) */
452 	err = smp_e(k, res);
453 	if (err)
454 		BT_ERR("Encrypt data error");
455 
456 	return err;
457 }
458 
459 static int smp_s1(const u8 k[16],
460 		  const u8 r1[16], const u8 r2[16], u8 _r[16])
461 {
462 	int err;
463 
464 	/* Just least significant octets from r1 and r2 are considered */
465 	memcpy(_r, r2, 8);
466 	memcpy(_r + 8, r1, 8);
467 
468 	err = smp_e(k, _r);
469 	if (err)
470 		BT_ERR("Encrypt data error");
471 
472 	return err;
473 }
474 
475 static int smp_ah(const u8 irk[16], const u8 r[3], u8 res[3])
476 {
477 	u8 _res[16];
478 	int err;
479 
480 	/* r' = padding || r */
481 	memcpy(_res, r, 3);
482 	memset(_res + 3, 0, 13);
483 
484 	err = smp_e(irk, _res);
485 	if (err) {
486 		BT_ERR("Encrypt error");
487 		return err;
488 	}
489 
490 	/* The output of the random address function ah is:
491 	 *	ah(k, r) = e(k, r') mod 2^24
492 	 * The output of the security function e is then truncated to 24 bits
493 	 * by taking the least significant 24 bits of the output of e as the
494 	 * result of ah.
495 	 */
496 	memcpy(res, _res, 3);
497 
498 	return 0;
499 }
500 
501 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
502 		     const bdaddr_t *bdaddr)
503 {
504 	struct l2cap_chan *chan = hdev->smp_data;
505 	struct smp_dev *smp;
506 	u8 hash[3];
507 	int err;
508 
509 	if (!chan || !chan->data)
510 		return false;
511 
512 	smp = chan->data;
513 
514 	BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
515 
516 	err = smp_ah(irk, &bdaddr->b[3], hash);
517 	if (err)
518 		return false;
519 
520 	return !crypto_memneq(bdaddr->b, hash, 3);
521 }
522 
523 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
524 {
525 	struct l2cap_chan *chan = hdev->smp_data;
526 	struct smp_dev *smp;
527 	int err;
528 
529 	if (!chan || !chan->data)
530 		return -EOPNOTSUPP;
531 
532 	smp = chan->data;
533 
534 	get_random_bytes(&rpa->b[3], 3);
535 
536 	rpa->b[5] &= 0x3f;	/* Clear two most significant bits */
537 	rpa->b[5] |= 0x40;	/* Set second most significant bit */
538 
539 	err = smp_ah(irk, &rpa->b[3], rpa->b);
540 	if (err < 0)
541 		return err;
542 
543 	BT_DBG("RPA %pMR", rpa);
544 
545 	return 0;
546 }
547 
548 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
549 {
550 	struct l2cap_chan *chan = hdev->smp_data;
551 	struct smp_dev *smp;
552 	int err;
553 
554 	if (!chan || !chan->data)
555 		return -EOPNOTSUPP;
556 
557 	smp = chan->data;
558 
559 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
560 		BT_DBG("Using debug keys");
561 		err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk);
562 		if (err)
563 			return err;
564 		memcpy(smp->local_pk, debug_pk, 64);
565 		smp->debug_key = true;
566 	} else {
567 		while (true) {
568 			/* Generate key pair for Secure Connections */
569 			err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk);
570 			if (err)
571 				return err;
572 
573 			/* This is unlikely, but we need to check that
574 			 * we didn't accidentially generate a debug key.
575 			 */
576 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
577 				break;
578 		}
579 		smp->debug_key = false;
580 	}
581 
582 	SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
583 	SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
584 
585 	get_random_bytes(smp->local_rand, 16);
586 
587 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
588 		     smp->local_rand, 0, hash);
589 	if (err < 0)
590 		return err;
591 
592 	memcpy(rand, smp->local_rand, 16);
593 
594 	smp->local_oob = true;
595 
596 	return 0;
597 }
598 
599 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
600 {
601 	struct l2cap_chan *chan = conn->smp;
602 	struct smp_chan *smp;
603 	struct kvec iv[2];
604 	struct msghdr msg;
605 
606 	if (!chan)
607 		return;
608 
609 	BT_DBG("code 0x%2.2x", code);
610 
611 	iv[0].iov_base = &code;
612 	iv[0].iov_len = 1;
613 
614 	iv[1].iov_base = data;
615 	iv[1].iov_len = len;
616 
617 	memset(&msg, 0, sizeof(msg));
618 
619 	iov_iter_kvec(&msg.msg_iter, WRITE, iv, 2, 1 + len);
620 
621 	l2cap_chan_send(chan, &msg, 1 + len);
622 
623 	if (!chan->data)
624 		return;
625 
626 	smp = chan->data;
627 
628 	cancel_delayed_work_sync(&smp->security_timer);
629 	schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
630 }
631 
632 static u8 authreq_to_seclevel(u8 authreq)
633 {
634 	if (authreq & SMP_AUTH_MITM) {
635 		if (authreq & SMP_AUTH_SC)
636 			return BT_SECURITY_FIPS;
637 		else
638 			return BT_SECURITY_HIGH;
639 	} else {
640 		return BT_SECURITY_MEDIUM;
641 	}
642 }
643 
644 static __u8 seclevel_to_authreq(__u8 sec_level)
645 {
646 	switch (sec_level) {
647 	case BT_SECURITY_FIPS:
648 	case BT_SECURITY_HIGH:
649 		return SMP_AUTH_MITM | SMP_AUTH_BONDING;
650 	case BT_SECURITY_MEDIUM:
651 		return SMP_AUTH_BONDING;
652 	default:
653 		return SMP_AUTH_NONE;
654 	}
655 }
656 
657 static void build_pairing_cmd(struct l2cap_conn *conn,
658 			      struct smp_cmd_pairing *req,
659 			      struct smp_cmd_pairing *rsp, __u8 authreq)
660 {
661 	struct l2cap_chan *chan = conn->smp;
662 	struct smp_chan *smp = chan->data;
663 	struct hci_conn *hcon = conn->hcon;
664 	struct hci_dev *hdev = hcon->hdev;
665 	u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
666 
667 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
668 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
669 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
670 		authreq |= SMP_AUTH_BONDING;
671 	} else {
672 		authreq &= ~SMP_AUTH_BONDING;
673 	}
674 
675 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
676 		remote_dist |= SMP_DIST_ID_KEY;
677 
678 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
679 		local_dist |= SMP_DIST_ID_KEY;
680 
681 	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
682 	    (authreq & SMP_AUTH_SC)) {
683 		struct oob_data *oob_data;
684 		u8 bdaddr_type;
685 
686 		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
687 			local_dist |= SMP_DIST_LINK_KEY;
688 			remote_dist |= SMP_DIST_LINK_KEY;
689 		}
690 
691 		if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
692 			bdaddr_type = BDADDR_LE_PUBLIC;
693 		else
694 			bdaddr_type = BDADDR_LE_RANDOM;
695 
696 		oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
697 						    bdaddr_type);
698 		if (oob_data && oob_data->present) {
699 			set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
700 			oob_flag = SMP_OOB_PRESENT;
701 			memcpy(smp->rr, oob_data->rand256, 16);
702 			memcpy(smp->pcnf, oob_data->hash256, 16);
703 			SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
704 			SMP_DBG("OOB Remote Random: %16phN", smp->rr);
705 		}
706 
707 	} else {
708 		authreq &= ~SMP_AUTH_SC;
709 	}
710 
711 	if (rsp == NULL) {
712 		req->io_capability = conn->hcon->io_capability;
713 		req->oob_flag = oob_flag;
714 		req->max_key_size = hdev->le_max_key_size;
715 		req->init_key_dist = local_dist;
716 		req->resp_key_dist = remote_dist;
717 		req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
718 
719 		smp->remote_key_dist = remote_dist;
720 		return;
721 	}
722 
723 	rsp->io_capability = conn->hcon->io_capability;
724 	rsp->oob_flag = oob_flag;
725 	rsp->max_key_size = hdev->le_max_key_size;
726 	rsp->init_key_dist = req->init_key_dist & remote_dist;
727 	rsp->resp_key_dist = req->resp_key_dist & local_dist;
728 	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
729 
730 	smp->remote_key_dist = rsp->init_key_dist;
731 }
732 
733 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
734 {
735 	struct l2cap_chan *chan = conn->smp;
736 	struct hci_dev *hdev = conn->hcon->hdev;
737 	struct smp_chan *smp = chan->data;
738 
739 	if (max_key_size > hdev->le_max_key_size ||
740 	    max_key_size < SMP_MIN_ENC_KEY_SIZE)
741 		return SMP_ENC_KEY_SIZE;
742 
743 	smp->enc_key_size = max_key_size;
744 
745 	return 0;
746 }
747 
748 static void smp_chan_destroy(struct l2cap_conn *conn)
749 {
750 	struct l2cap_chan *chan = conn->smp;
751 	struct smp_chan *smp = chan->data;
752 	struct hci_conn *hcon = conn->hcon;
753 	bool complete;
754 
755 	BUG_ON(!smp);
756 
757 	cancel_delayed_work_sync(&smp->security_timer);
758 
759 	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
760 	mgmt_smp_complete(hcon, complete);
761 
762 	kzfree(smp->csrk);
763 	kzfree(smp->slave_csrk);
764 	kzfree(smp->link_key);
765 
766 	crypto_free_shash(smp->tfm_cmac);
767 	crypto_free_kpp(smp->tfm_ecdh);
768 
769 	/* Ensure that we don't leave any debug key around if debug key
770 	 * support hasn't been explicitly enabled.
771 	 */
772 	if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
773 	    !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
774 		list_del_rcu(&smp->ltk->list);
775 		kfree_rcu(smp->ltk, rcu);
776 		smp->ltk = NULL;
777 	}
778 
779 	/* If pairing failed clean up any keys we might have */
780 	if (!complete) {
781 		if (smp->ltk) {
782 			list_del_rcu(&smp->ltk->list);
783 			kfree_rcu(smp->ltk, rcu);
784 		}
785 
786 		if (smp->slave_ltk) {
787 			list_del_rcu(&smp->slave_ltk->list);
788 			kfree_rcu(smp->slave_ltk, rcu);
789 		}
790 
791 		if (smp->remote_irk) {
792 			list_del_rcu(&smp->remote_irk->list);
793 			kfree_rcu(smp->remote_irk, rcu);
794 		}
795 	}
796 
797 	chan->data = NULL;
798 	kzfree(smp);
799 	hci_conn_drop(hcon);
800 }
801 
802 static void smp_failure(struct l2cap_conn *conn, u8 reason)
803 {
804 	struct hci_conn *hcon = conn->hcon;
805 	struct l2cap_chan *chan = conn->smp;
806 
807 	if (reason)
808 		smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
809 			     &reason);
810 
811 	mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
812 
813 	if (chan->data)
814 		smp_chan_destroy(conn);
815 }
816 
817 #define JUST_WORKS	0x00
818 #define JUST_CFM	0x01
819 #define REQ_PASSKEY	0x02
820 #define CFM_PASSKEY	0x03
821 #define REQ_OOB		0x04
822 #define DSP_PASSKEY	0x05
823 #define OVERLAP		0xFF
824 
825 static const u8 gen_method[5][5] = {
826 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
827 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
828 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
829 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
830 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
831 };
832 
833 static const u8 sc_method[5][5] = {
834 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
835 	{ JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
836 	{ DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
837 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
838 	{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
839 };
840 
841 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
842 {
843 	/* If either side has unknown io_caps, use JUST_CFM (which gets
844 	 * converted later to JUST_WORKS if we're initiators.
845 	 */
846 	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
847 	    remote_io > SMP_IO_KEYBOARD_DISPLAY)
848 		return JUST_CFM;
849 
850 	if (test_bit(SMP_FLAG_SC, &smp->flags))
851 		return sc_method[remote_io][local_io];
852 
853 	return gen_method[remote_io][local_io];
854 }
855 
856 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
857 						u8 local_io, u8 remote_io)
858 {
859 	struct hci_conn *hcon = conn->hcon;
860 	struct l2cap_chan *chan = conn->smp;
861 	struct smp_chan *smp = chan->data;
862 	u32 passkey = 0;
863 	int ret = 0;
864 
865 	/* Initialize key for JUST WORKS */
866 	memset(smp->tk, 0, sizeof(smp->tk));
867 	clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
868 
869 	BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
870 
871 	/* If neither side wants MITM, either "just" confirm an incoming
872 	 * request or use just-works for outgoing ones. The JUST_CFM
873 	 * will be converted to JUST_WORKS if necessary later in this
874 	 * function. If either side has MITM look up the method from the
875 	 * table.
876 	 */
877 	if (!(auth & SMP_AUTH_MITM))
878 		smp->method = JUST_CFM;
879 	else
880 		smp->method = get_auth_method(smp, local_io, remote_io);
881 
882 	/* Don't confirm locally initiated pairing attempts */
883 	if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
884 						&smp->flags))
885 		smp->method = JUST_WORKS;
886 
887 	/* Don't bother user space with no IO capabilities */
888 	if (smp->method == JUST_CFM &&
889 	    hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
890 		smp->method = JUST_WORKS;
891 
892 	/* If Just Works, Continue with Zero TK */
893 	if (smp->method == JUST_WORKS) {
894 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
895 		return 0;
896 	}
897 
898 	/* If this function is used for SC -> legacy fallback we
899 	 * can only recover the just-works case.
900 	 */
901 	if (test_bit(SMP_FLAG_SC, &smp->flags))
902 		return -EINVAL;
903 
904 	/* Not Just Works/Confirm results in MITM Authentication */
905 	if (smp->method != JUST_CFM) {
906 		set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
907 		if (hcon->pending_sec_level < BT_SECURITY_HIGH)
908 			hcon->pending_sec_level = BT_SECURITY_HIGH;
909 	}
910 
911 	/* If both devices have Keyoard-Display I/O, the master
912 	 * Confirms and the slave Enters the passkey.
913 	 */
914 	if (smp->method == OVERLAP) {
915 		if (hcon->role == HCI_ROLE_MASTER)
916 			smp->method = CFM_PASSKEY;
917 		else
918 			smp->method = REQ_PASSKEY;
919 	}
920 
921 	/* Generate random passkey. */
922 	if (smp->method == CFM_PASSKEY) {
923 		memset(smp->tk, 0, sizeof(smp->tk));
924 		get_random_bytes(&passkey, sizeof(passkey));
925 		passkey %= 1000000;
926 		put_unaligned_le32(passkey, smp->tk);
927 		BT_DBG("PassKey: %d", passkey);
928 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
929 	}
930 
931 	if (smp->method == REQ_PASSKEY)
932 		ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
933 						hcon->type, hcon->dst_type);
934 	else if (smp->method == JUST_CFM)
935 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
936 						hcon->type, hcon->dst_type,
937 						passkey, 1);
938 	else
939 		ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
940 						hcon->type, hcon->dst_type,
941 						passkey, 0);
942 
943 	return ret;
944 }
945 
946 static u8 smp_confirm(struct smp_chan *smp)
947 {
948 	struct l2cap_conn *conn = smp->conn;
949 	struct smp_cmd_pairing_confirm cp;
950 	int ret;
951 
952 	BT_DBG("conn %p", conn);
953 
954 	ret = smp_c1(smp->tk, smp->prnd, smp->preq, smp->prsp,
955 		     conn->hcon->init_addr_type, &conn->hcon->init_addr,
956 		     conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
957 		     cp.confirm_val);
958 	if (ret)
959 		return SMP_UNSPECIFIED;
960 
961 	clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
962 
963 	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
964 
965 	if (conn->hcon->out)
966 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
967 	else
968 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
969 
970 	return 0;
971 }
972 
973 static u8 smp_random(struct smp_chan *smp)
974 {
975 	struct l2cap_conn *conn = smp->conn;
976 	struct hci_conn *hcon = conn->hcon;
977 	u8 confirm[16];
978 	int ret;
979 
980 	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
981 
982 	ret = smp_c1(smp->tk, smp->rrnd, smp->preq, smp->prsp,
983 		     hcon->init_addr_type, &hcon->init_addr,
984 		     hcon->resp_addr_type, &hcon->resp_addr, confirm);
985 	if (ret)
986 		return SMP_UNSPECIFIED;
987 
988 	if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
989 		bt_dev_err(hcon->hdev, "pairing failed "
990 			   "(confirmation values mismatch)");
991 		return SMP_CONFIRM_FAILED;
992 	}
993 
994 	if (hcon->out) {
995 		u8 stk[16];
996 		__le64 rand = 0;
997 		__le16 ediv = 0;
998 
999 		smp_s1(smp->tk, smp->rrnd, smp->prnd, stk);
1000 
1001 		if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1002 			return SMP_UNSPECIFIED;
1003 
1004 		hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1005 		hcon->enc_key_size = smp->enc_key_size;
1006 		set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1007 	} else {
1008 		u8 stk[16], auth;
1009 		__le64 rand = 0;
1010 		__le16 ediv = 0;
1011 
1012 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1013 			     smp->prnd);
1014 
1015 		smp_s1(smp->tk, smp->prnd, smp->rrnd, stk);
1016 
1017 		if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1018 			auth = 1;
1019 		else
1020 			auth = 0;
1021 
1022 		/* Even though there's no _SLAVE suffix this is the
1023 		 * slave STK we're adding for later lookup (the master
1024 		 * STK never needs to be stored).
1025 		 */
1026 		hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1027 			    SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1028 	}
1029 
1030 	return 0;
1031 }
1032 
1033 static void smp_notify_keys(struct l2cap_conn *conn)
1034 {
1035 	struct l2cap_chan *chan = conn->smp;
1036 	struct smp_chan *smp = chan->data;
1037 	struct hci_conn *hcon = conn->hcon;
1038 	struct hci_dev *hdev = hcon->hdev;
1039 	struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1040 	struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1041 	bool persistent;
1042 
1043 	if (hcon->type == ACL_LINK) {
1044 		if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1045 			persistent = false;
1046 		else
1047 			persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1048 					       &hcon->flags);
1049 	} else {
1050 		/* The LTKs, IRKs and CSRKs should be persistent only if
1051 		 * both sides had the bonding bit set in their
1052 		 * authentication requests.
1053 		 */
1054 		persistent = !!((req->auth_req & rsp->auth_req) &
1055 				SMP_AUTH_BONDING);
1056 	}
1057 
1058 	if (smp->remote_irk) {
1059 		mgmt_new_irk(hdev, smp->remote_irk, persistent);
1060 
1061 		/* Now that user space can be considered to know the
1062 		 * identity address track the connection based on it
1063 		 * from now on (assuming this is an LE link).
1064 		 */
1065 		if (hcon->type == LE_LINK) {
1066 			bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1067 			hcon->dst_type = smp->remote_irk->addr_type;
1068 			queue_work(hdev->workqueue, &conn->id_addr_update_work);
1069 		}
1070 	}
1071 
1072 	if (smp->csrk) {
1073 		smp->csrk->bdaddr_type = hcon->dst_type;
1074 		bacpy(&smp->csrk->bdaddr, &hcon->dst);
1075 		mgmt_new_csrk(hdev, smp->csrk, persistent);
1076 	}
1077 
1078 	if (smp->slave_csrk) {
1079 		smp->slave_csrk->bdaddr_type = hcon->dst_type;
1080 		bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1081 		mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1082 	}
1083 
1084 	if (smp->ltk) {
1085 		smp->ltk->bdaddr_type = hcon->dst_type;
1086 		bacpy(&smp->ltk->bdaddr, &hcon->dst);
1087 		mgmt_new_ltk(hdev, smp->ltk, persistent);
1088 	}
1089 
1090 	if (smp->slave_ltk) {
1091 		smp->slave_ltk->bdaddr_type = hcon->dst_type;
1092 		bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1093 		mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1094 	}
1095 
1096 	if (smp->link_key) {
1097 		struct link_key *key;
1098 		u8 type;
1099 
1100 		if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1101 			type = HCI_LK_DEBUG_COMBINATION;
1102 		else if (hcon->sec_level == BT_SECURITY_FIPS)
1103 			type = HCI_LK_AUTH_COMBINATION_P256;
1104 		else
1105 			type = HCI_LK_UNAUTH_COMBINATION_P256;
1106 
1107 		key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1108 				       smp->link_key, type, 0, &persistent);
1109 		if (key) {
1110 			mgmt_new_link_key(hdev, key, persistent);
1111 
1112 			/* Don't keep debug keys around if the relevant
1113 			 * flag is not set.
1114 			 */
1115 			if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1116 			    key->type == HCI_LK_DEBUG_COMBINATION) {
1117 				list_del_rcu(&key->list);
1118 				kfree_rcu(key, rcu);
1119 			}
1120 		}
1121 	}
1122 }
1123 
1124 static void sc_add_ltk(struct smp_chan *smp)
1125 {
1126 	struct hci_conn *hcon = smp->conn->hcon;
1127 	u8 key_type, auth;
1128 
1129 	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1130 		key_type = SMP_LTK_P256_DEBUG;
1131 	else
1132 		key_type = SMP_LTK_P256;
1133 
1134 	if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1135 		auth = 1;
1136 	else
1137 		auth = 0;
1138 
1139 	smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1140 			       key_type, auth, smp->tk, smp->enc_key_size,
1141 			       0, 0);
1142 }
1143 
1144 static void sc_generate_link_key(struct smp_chan *smp)
1145 {
1146 	/* From core spec. Spells out in ASCII as 'lebr'. */
1147 	const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1148 
1149 	smp->link_key = kzalloc(16, GFP_KERNEL);
1150 	if (!smp->link_key)
1151 		return;
1152 
1153 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1154 		/* SALT = 0x00000000000000000000000000000000746D7031 */
1155 		const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1156 
1157 		if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1158 			kzfree(smp->link_key);
1159 			smp->link_key = NULL;
1160 			return;
1161 		}
1162 	} else {
1163 		/* From core spec. Spells out in ASCII as 'tmp1'. */
1164 		const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1165 
1166 		if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1167 			kzfree(smp->link_key);
1168 			smp->link_key = NULL;
1169 			return;
1170 		}
1171 	}
1172 
1173 	if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1174 		kzfree(smp->link_key);
1175 		smp->link_key = NULL;
1176 		return;
1177 	}
1178 }
1179 
1180 static void smp_allow_key_dist(struct smp_chan *smp)
1181 {
1182 	/* Allow the first expected phase 3 PDU. The rest of the PDUs
1183 	 * will be allowed in each PDU handler to ensure we receive
1184 	 * them in the correct order.
1185 	 */
1186 	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1187 		SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1188 	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1189 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1190 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
1191 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1192 }
1193 
1194 static void sc_generate_ltk(struct smp_chan *smp)
1195 {
1196 	/* From core spec. Spells out in ASCII as 'brle'. */
1197 	const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1198 	struct hci_conn *hcon = smp->conn->hcon;
1199 	struct hci_dev *hdev = hcon->hdev;
1200 	struct link_key *key;
1201 
1202 	key = hci_find_link_key(hdev, &hcon->dst);
1203 	if (!key) {
1204 		bt_dev_err(hdev, "no Link Key found to generate LTK");
1205 		return;
1206 	}
1207 
1208 	if (key->type == HCI_LK_DEBUG_COMBINATION)
1209 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1210 
1211 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1212 		/* SALT = 0x00000000000000000000000000000000746D7032 */
1213 		const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1214 
1215 		if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1216 			return;
1217 	} else {
1218 		/* From core spec. Spells out in ASCII as 'tmp2'. */
1219 		const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1220 
1221 		if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1222 			return;
1223 	}
1224 
1225 	if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1226 		return;
1227 
1228 	sc_add_ltk(smp);
1229 }
1230 
1231 static void smp_distribute_keys(struct smp_chan *smp)
1232 {
1233 	struct smp_cmd_pairing *req, *rsp;
1234 	struct l2cap_conn *conn = smp->conn;
1235 	struct hci_conn *hcon = conn->hcon;
1236 	struct hci_dev *hdev = hcon->hdev;
1237 	__u8 *keydist;
1238 
1239 	BT_DBG("conn %p", conn);
1240 
1241 	rsp = (void *) &smp->prsp[1];
1242 
1243 	/* The responder sends its keys first */
1244 	if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1245 		smp_allow_key_dist(smp);
1246 		return;
1247 	}
1248 
1249 	req = (void *) &smp->preq[1];
1250 
1251 	if (hcon->out) {
1252 		keydist = &rsp->init_key_dist;
1253 		*keydist &= req->init_key_dist;
1254 	} else {
1255 		keydist = &rsp->resp_key_dist;
1256 		*keydist &= req->resp_key_dist;
1257 	}
1258 
1259 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1260 		if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1261 			sc_generate_link_key(smp);
1262 		if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1263 			sc_generate_ltk(smp);
1264 
1265 		/* Clear the keys which are generated but not distributed */
1266 		*keydist &= ~SMP_SC_NO_DIST;
1267 	}
1268 
1269 	BT_DBG("keydist 0x%x", *keydist);
1270 
1271 	if (*keydist & SMP_DIST_ENC_KEY) {
1272 		struct smp_cmd_encrypt_info enc;
1273 		struct smp_cmd_master_ident ident;
1274 		struct smp_ltk *ltk;
1275 		u8 authenticated;
1276 		__le16 ediv;
1277 		__le64 rand;
1278 
1279 		/* Make sure we generate only the significant amount of
1280 		 * bytes based on the encryption key size, and set the rest
1281 		 * of the value to zeroes.
1282 		 */
1283 		get_random_bytes(enc.ltk, smp->enc_key_size);
1284 		memset(enc.ltk + smp->enc_key_size, 0,
1285 		       sizeof(enc.ltk) - smp->enc_key_size);
1286 
1287 		get_random_bytes(&ediv, sizeof(ediv));
1288 		get_random_bytes(&rand, sizeof(rand));
1289 
1290 		smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1291 
1292 		authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1293 		ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1294 				  SMP_LTK_SLAVE, authenticated, enc.ltk,
1295 				  smp->enc_key_size, ediv, rand);
1296 		smp->slave_ltk = ltk;
1297 
1298 		ident.ediv = ediv;
1299 		ident.rand = rand;
1300 
1301 		smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1302 
1303 		*keydist &= ~SMP_DIST_ENC_KEY;
1304 	}
1305 
1306 	if (*keydist & SMP_DIST_ID_KEY) {
1307 		struct smp_cmd_ident_addr_info addrinfo;
1308 		struct smp_cmd_ident_info idinfo;
1309 
1310 		memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1311 
1312 		smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1313 
1314 		/* The hci_conn contains the local identity address
1315 		 * after the connection has been established.
1316 		 *
1317 		 * This is true even when the connection has been
1318 		 * established using a resolvable random address.
1319 		 */
1320 		bacpy(&addrinfo.bdaddr, &hcon->src);
1321 		addrinfo.addr_type = hcon->src_type;
1322 
1323 		smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1324 			     &addrinfo);
1325 
1326 		*keydist &= ~SMP_DIST_ID_KEY;
1327 	}
1328 
1329 	if (*keydist & SMP_DIST_SIGN) {
1330 		struct smp_cmd_sign_info sign;
1331 		struct smp_csrk *csrk;
1332 
1333 		/* Generate a new random key */
1334 		get_random_bytes(sign.csrk, sizeof(sign.csrk));
1335 
1336 		csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1337 		if (csrk) {
1338 			if (hcon->sec_level > BT_SECURITY_MEDIUM)
1339 				csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1340 			else
1341 				csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1342 			memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1343 		}
1344 		smp->slave_csrk = csrk;
1345 
1346 		smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1347 
1348 		*keydist &= ~SMP_DIST_SIGN;
1349 	}
1350 
1351 	/* If there are still keys to be received wait for them */
1352 	if (smp->remote_key_dist & KEY_DIST_MASK) {
1353 		smp_allow_key_dist(smp);
1354 		return;
1355 	}
1356 
1357 	set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1358 	smp_notify_keys(conn);
1359 
1360 	smp_chan_destroy(conn);
1361 }
1362 
1363 static void smp_timeout(struct work_struct *work)
1364 {
1365 	struct smp_chan *smp = container_of(work, struct smp_chan,
1366 					    security_timer.work);
1367 	struct l2cap_conn *conn = smp->conn;
1368 
1369 	BT_DBG("conn %p", conn);
1370 
1371 	hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1372 }
1373 
1374 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1375 {
1376 	struct l2cap_chan *chan = conn->smp;
1377 	struct smp_chan *smp;
1378 
1379 	smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1380 	if (!smp)
1381 		return NULL;
1382 
1383 	smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1384 	if (IS_ERR(smp->tfm_cmac)) {
1385 		BT_ERR("Unable to create CMAC crypto context");
1386 		goto zfree_smp;
1387 	}
1388 
1389 	smp->tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
1390 	if (IS_ERR(smp->tfm_ecdh)) {
1391 		BT_ERR("Unable to create ECDH crypto context");
1392 		goto free_shash;
1393 	}
1394 
1395 	smp->conn = conn;
1396 	chan->data = smp;
1397 
1398 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1399 
1400 	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1401 
1402 	hci_conn_hold(conn->hcon);
1403 
1404 	return smp;
1405 
1406 free_shash:
1407 	crypto_free_shash(smp->tfm_cmac);
1408 zfree_smp:
1409 	kzfree(smp);
1410 	return NULL;
1411 }
1412 
1413 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1414 {
1415 	struct hci_conn *hcon = smp->conn->hcon;
1416 	u8 *na, *nb, a[7], b[7];
1417 
1418 	if (hcon->out) {
1419 		na   = smp->prnd;
1420 		nb   = smp->rrnd;
1421 	} else {
1422 		na   = smp->rrnd;
1423 		nb   = smp->prnd;
1424 	}
1425 
1426 	memcpy(a, &hcon->init_addr, 6);
1427 	memcpy(b, &hcon->resp_addr, 6);
1428 	a[6] = hcon->init_addr_type;
1429 	b[6] = hcon->resp_addr_type;
1430 
1431 	return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1432 }
1433 
1434 static void sc_dhkey_check(struct smp_chan *smp)
1435 {
1436 	struct hci_conn *hcon = smp->conn->hcon;
1437 	struct smp_cmd_dhkey_check check;
1438 	u8 a[7], b[7], *local_addr, *remote_addr;
1439 	u8 io_cap[3], r[16];
1440 
1441 	memcpy(a, &hcon->init_addr, 6);
1442 	memcpy(b, &hcon->resp_addr, 6);
1443 	a[6] = hcon->init_addr_type;
1444 	b[6] = hcon->resp_addr_type;
1445 
1446 	if (hcon->out) {
1447 		local_addr = a;
1448 		remote_addr = b;
1449 		memcpy(io_cap, &smp->preq[1], 3);
1450 	} else {
1451 		local_addr = b;
1452 		remote_addr = a;
1453 		memcpy(io_cap, &smp->prsp[1], 3);
1454 	}
1455 
1456 	memset(r, 0, sizeof(r));
1457 
1458 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1459 		put_unaligned_le32(hcon->passkey_notify, r);
1460 
1461 	if (smp->method == REQ_OOB)
1462 		memcpy(r, smp->rr, 16);
1463 
1464 	smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1465 	       local_addr, remote_addr, check.e);
1466 
1467 	smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1468 }
1469 
1470 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1471 {
1472 	struct l2cap_conn *conn = smp->conn;
1473 	struct hci_conn *hcon = conn->hcon;
1474 	struct smp_cmd_pairing_confirm cfm;
1475 	u8 r;
1476 
1477 	r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1478 	r |= 0x80;
1479 
1480 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1481 
1482 	if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1483 		   cfm.confirm_val))
1484 		return SMP_UNSPECIFIED;
1485 
1486 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1487 
1488 	return 0;
1489 }
1490 
1491 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1492 {
1493 	struct l2cap_conn *conn = smp->conn;
1494 	struct hci_conn *hcon = conn->hcon;
1495 	struct hci_dev *hdev = hcon->hdev;
1496 	u8 cfm[16], r;
1497 
1498 	/* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1499 	if (smp->passkey_round >= 20)
1500 		return 0;
1501 
1502 	switch (smp_op) {
1503 	case SMP_CMD_PAIRING_RANDOM:
1504 		r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1505 		r |= 0x80;
1506 
1507 		if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1508 			   smp->rrnd, r, cfm))
1509 			return SMP_UNSPECIFIED;
1510 
1511 		if (crypto_memneq(smp->pcnf, cfm, 16))
1512 			return SMP_CONFIRM_FAILED;
1513 
1514 		smp->passkey_round++;
1515 
1516 		if (smp->passkey_round == 20) {
1517 			/* Generate MacKey and LTK */
1518 			if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1519 				return SMP_UNSPECIFIED;
1520 		}
1521 
1522 		/* The round is only complete when the initiator
1523 		 * receives pairing random.
1524 		 */
1525 		if (!hcon->out) {
1526 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1527 				     sizeof(smp->prnd), smp->prnd);
1528 			if (smp->passkey_round == 20)
1529 				SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1530 			else
1531 				SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1532 			return 0;
1533 		}
1534 
1535 		/* Start the next round */
1536 		if (smp->passkey_round != 20)
1537 			return sc_passkey_round(smp, 0);
1538 
1539 		/* Passkey rounds are complete - start DHKey Check */
1540 		sc_dhkey_check(smp);
1541 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1542 
1543 		break;
1544 
1545 	case SMP_CMD_PAIRING_CONFIRM:
1546 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1547 			set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1548 			return 0;
1549 		}
1550 
1551 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1552 
1553 		if (hcon->out) {
1554 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1555 				     sizeof(smp->prnd), smp->prnd);
1556 			return 0;
1557 		}
1558 
1559 		return sc_passkey_send_confirm(smp);
1560 
1561 	case SMP_CMD_PUBLIC_KEY:
1562 	default:
1563 		/* Initiating device starts the round */
1564 		if (!hcon->out)
1565 			return 0;
1566 
1567 		BT_DBG("%s Starting passkey round %u", hdev->name,
1568 		       smp->passkey_round + 1);
1569 
1570 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1571 
1572 		return sc_passkey_send_confirm(smp);
1573 	}
1574 
1575 	return 0;
1576 }
1577 
1578 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1579 {
1580 	struct l2cap_conn *conn = smp->conn;
1581 	struct hci_conn *hcon = conn->hcon;
1582 	u8 smp_op;
1583 
1584 	clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1585 
1586 	switch (mgmt_op) {
1587 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1588 		smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1589 		return 0;
1590 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1591 		smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1592 		return 0;
1593 	case MGMT_OP_USER_PASSKEY_REPLY:
1594 		hcon->passkey_notify = le32_to_cpu(passkey);
1595 		smp->passkey_round = 0;
1596 
1597 		if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1598 			smp_op = SMP_CMD_PAIRING_CONFIRM;
1599 		else
1600 			smp_op = 0;
1601 
1602 		if (sc_passkey_round(smp, smp_op))
1603 			return -EIO;
1604 
1605 		return 0;
1606 	}
1607 
1608 	/* Initiator sends DHKey check first */
1609 	if (hcon->out) {
1610 		sc_dhkey_check(smp);
1611 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1612 	} else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1613 		sc_dhkey_check(smp);
1614 		sc_add_ltk(smp);
1615 	}
1616 
1617 	return 0;
1618 }
1619 
1620 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1621 {
1622 	struct l2cap_conn *conn = hcon->l2cap_data;
1623 	struct l2cap_chan *chan;
1624 	struct smp_chan *smp;
1625 	u32 value;
1626 	int err;
1627 
1628 	BT_DBG("");
1629 
1630 	if (!conn)
1631 		return -ENOTCONN;
1632 
1633 	chan = conn->smp;
1634 	if (!chan)
1635 		return -ENOTCONN;
1636 
1637 	l2cap_chan_lock(chan);
1638 	if (!chan->data) {
1639 		err = -ENOTCONN;
1640 		goto unlock;
1641 	}
1642 
1643 	smp = chan->data;
1644 
1645 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1646 		err = sc_user_reply(smp, mgmt_op, passkey);
1647 		goto unlock;
1648 	}
1649 
1650 	switch (mgmt_op) {
1651 	case MGMT_OP_USER_PASSKEY_REPLY:
1652 		value = le32_to_cpu(passkey);
1653 		memset(smp->tk, 0, sizeof(smp->tk));
1654 		BT_DBG("PassKey: %d", value);
1655 		put_unaligned_le32(value, smp->tk);
1656 		/* Fall Through */
1657 	case MGMT_OP_USER_CONFIRM_REPLY:
1658 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1659 		break;
1660 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1661 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1662 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1663 		err = 0;
1664 		goto unlock;
1665 	default:
1666 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1667 		err = -EOPNOTSUPP;
1668 		goto unlock;
1669 	}
1670 
1671 	err = 0;
1672 
1673 	/* If it is our turn to send Pairing Confirm, do so now */
1674 	if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1675 		u8 rsp = smp_confirm(smp);
1676 		if (rsp)
1677 			smp_failure(conn, rsp);
1678 	}
1679 
1680 unlock:
1681 	l2cap_chan_unlock(chan);
1682 	return err;
1683 }
1684 
1685 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1686 				    struct smp_cmd_pairing *req,
1687 				    struct smp_cmd_pairing *rsp)
1688 {
1689 	struct l2cap_conn *conn = smp->conn;
1690 	struct hci_dev *hdev = conn->hcon->hdev;
1691 	u8 local_dist = 0, remote_dist = 0;
1692 
1693 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1694 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1695 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1696 	}
1697 
1698 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1699 		remote_dist |= SMP_DIST_ID_KEY;
1700 
1701 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1702 		local_dist |= SMP_DIST_ID_KEY;
1703 
1704 	if (!rsp) {
1705 		memset(req, 0, sizeof(*req));
1706 
1707 		req->auth_req        = SMP_AUTH_CT2;
1708 		req->init_key_dist   = local_dist;
1709 		req->resp_key_dist   = remote_dist;
1710 		req->max_key_size    = conn->hcon->enc_key_size;
1711 
1712 		smp->remote_key_dist = remote_dist;
1713 
1714 		return;
1715 	}
1716 
1717 	memset(rsp, 0, sizeof(*rsp));
1718 
1719 	rsp->auth_req        = SMP_AUTH_CT2;
1720 	rsp->max_key_size    = conn->hcon->enc_key_size;
1721 	rsp->init_key_dist   = req->init_key_dist & remote_dist;
1722 	rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1723 
1724 	smp->remote_key_dist = rsp->init_key_dist;
1725 }
1726 
1727 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1728 {
1729 	struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1730 	struct l2cap_chan *chan = conn->smp;
1731 	struct hci_dev *hdev = conn->hcon->hdev;
1732 	struct smp_chan *smp;
1733 	u8 key_size, auth, sec_level;
1734 	int ret;
1735 
1736 	BT_DBG("conn %p", conn);
1737 
1738 	if (skb->len < sizeof(*req))
1739 		return SMP_INVALID_PARAMS;
1740 
1741 	if (conn->hcon->role != HCI_ROLE_SLAVE)
1742 		return SMP_CMD_NOTSUPP;
1743 
1744 	if (!chan->data)
1745 		smp = smp_chan_create(conn);
1746 	else
1747 		smp = chan->data;
1748 
1749 	if (!smp)
1750 		return SMP_UNSPECIFIED;
1751 
1752 	/* We didn't start the pairing, so match remote */
1753 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
1754 
1755 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1756 	    (auth & SMP_AUTH_BONDING))
1757 		return SMP_PAIRING_NOTSUPP;
1758 
1759 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1760 		return SMP_AUTH_REQUIREMENTS;
1761 
1762 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
1763 	memcpy(&smp->preq[1], req, sizeof(*req));
1764 	skb_pull(skb, sizeof(*req));
1765 
1766 	/* If the remote side's OOB flag is set it means it has
1767 	 * successfully received our local OOB data - therefore set the
1768 	 * flag to indicate that local OOB is in use.
1769 	 */
1770 	if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1771 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1772 
1773 	/* SMP over BR/EDR requires special treatment */
1774 	if (conn->hcon->type == ACL_LINK) {
1775 		/* We must have a BR/EDR SC link */
1776 		if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1777 		    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1778 			return SMP_CROSS_TRANSP_NOT_ALLOWED;
1779 
1780 		set_bit(SMP_FLAG_SC, &smp->flags);
1781 
1782 		build_bredr_pairing_cmd(smp, req, &rsp);
1783 
1784 		if (req->auth_req & SMP_AUTH_CT2)
1785 			set_bit(SMP_FLAG_CT2, &smp->flags);
1786 
1787 		key_size = min(req->max_key_size, rsp.max_key_size);
1788 		if (check_enc_key_size(conn, key_size))
1789 			return SMP_ENC_KEY_SIZE;
1790 
1791 		/* Clear bits which are generated but not distributed */
1792 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1793 
1794 		smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1795 		memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1796 		smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1797 
1798 		smp_distribute_keys(smp);
1799 		return 0;
1800 	}
1801 
1802 	build_pairing_cmd(conn, req, &rsp, auth);
1803 
1804 	if (rsp.auth_req & SMP_AUTH_SC) {
1805 		set_bit(SMP_FLAG_SC, &smp->flags);
1806 
1807 		if (rsp.auth_req & SMP_AUTH_CT2)
1808 			set_bit(SMP_FLAG_CT2, &smp->flags);
1809 	}
1810 
1811 	if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1812 		sec_level = BT_SECURITY_MEDIUM;
1813 	else
1814 		sec_level = authreq_to_seclevel(auth);
1815 
1816 	if (sec_level > conn->hcon->pending_sec_level)
1817 		conn->hcon->pending_sec_level = sec_level;
1818 
1819 	/* If we need MITM check that it can be achieved */
1820 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1821 		u8 method;
1822 
1823 		method = get_auth_method(smp, conn->hcon->io_capability,
1824 					 req->io_capability);
1825 		if (method == JUST_WORKS || method == JUST_CFM)
1826 			return SMP_AUTH_REQUIREMENTS;
1827 	}
1828 
1829 	key_size = min(req->max_key_size, rsp.max_key_size);
1830 	if (check_enc_key_size(conn, key_size))
1831 		return SMP_ENC_KEY_SIZE;
1832 
1833 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1834 
1835 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1836 	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1837 
1838 	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1839 
1840 	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1841 
1842 	/* Strictly speaking we shouldn't allow Pairing Confirm for the
1843 	 * SC case, however some implementations incorrectly copy RFU auth
1844 	 * req bits from our security request, which may create a false
1845 	 * positive SC enablement.
1846 	 */
1847 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1848 
1849 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1850 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1851 		/* Clear bits which are generated but not distributed */
1852 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1853 		/* Wait for Public Key from Initiating Device */
1854 		return 0;
1855 	}
1856 
1857 	/* Request setup of TK */
1858 	ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1859 	if (ret)
1860 		return SMP_UNSPECIFIED;
1861 
1862 	return 0;
1863 }
1864 
1865 static u8 sc_send_public_key(struct smp_chan *smp)
1866 {
1867 	struct hci_dev *hdev = smp->conn->hcon->hdev;
1868 
1869 	BT_DBG("");
1870 
1871 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1872 		struct l2cap_chan *chan = hdev->smp_data;
1873 		struct smp_dev *smp_dev;
1874 
1875 		if (!chan || !chan->data)
1876 			return SMP_UNSPECIFIED;
1877 
1878 		smp_dev = chan->data;
1879 
1880 		memcpy(smp->local_pk, smp_dev->local_pk, 64);
1881 		memcpy(smp->lr, smp_dev->local_rand, 16);
1882 
1883 		if (smp_dev->debug_key)
1884 			set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1885 
1886 		goto done;
1887 	}
1888 
1889 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1890 		BT_DBG("Using debug keys");
1891 		if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
1892 			return SMP_UNSPECIFIED;
1893 		memcpy(smp->local_pk, debug_pk, 64);
1894 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1895 	} else {
1896 		while (true) {
1897 			/* Generate key pair for Secure Connections */
1898 			if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
1899 				return SMP_UNSPECIFIED;
1900 
1901 			/* This is unlikely, but we need to check that
1902 			 * we didn't accidentially generate a debug key.
1903 			 */
1904 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
1905 				break;
1906 		}
1907 	}
1908 
1909 done:
1910 	SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1911 	SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1912 
1913 	smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1914 
1915 	return 0;
1916 }
1917 
1918 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1919 {
1920 	struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1921 	struct l2cap_chan *chan = conn->smp;
1922 	struct smp_chan *smp = chan->data;
1923 	struct hci_dev *hdev = conn->hcon->hdev;
1924 	u8 key_size, auth;
1925 	int ret;
1926 
1927 	BT_DBG("conn %p", conn);
1928 
1929 	if (skb->len < sizeof(*rsp))
1930 		return SMP_INVALID_PARAMS;
1931 
1932 	if (conn->hcon->role != HCI_ROLE_MASTER)
1933 		return SMP_CMD_NOTSUPP;
1934 
1935 	skb_pull(skb, sizeof(*rsp));
1936 
1937 	req = (void *) &smp->preq[1];
1938 
1939 	key_size = min(req->max_key_size, rsp->max_key_size);
1940 	if (check_enc_key_size(conn, key_size))
1941 		return SMP_ENC_KEY_SIZE;
1942 
1943 	auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1944 
1945 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1946 		return SMP_AUTH_REQUIREMENTS;
1947 
1948 	/* If the remote side's OOB flag is set it means it has
1949 	 * successfully received our local OOB data - therefore set the
1950 	 * flag to indicate that local OOB is in use.
1951 	 */
1952 	if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1953 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1954 
1955 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1956 	memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1957 
1958 	/* Update remote key distribution in case the remote cleared
1959 	 * some bits that we had enabled in our request.
1960 	 */
1961 	smp->remote_key_dist &= rsp->resp_key_dist;
1962 
1963 	if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1964 		set_bit(SMP_FLAG_CT2, &smp->flags);
1965 
1966 	/* For BR/EDR this means we're done and can start phase 3 */
1967 	if (conn->hcon->type == ACL_LINK) {
1968 		/* Clear bits which are generated but not distributed */
1969 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1970 		smp_distribute_keys(smp);
1971 		return 0;
1972 	}
1973 
1974 	if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1975 		set_bit(SMP_FLAG_SC, &smp->flags);
1976 	else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1977 		conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1978 
1979 	/* If we need MITM check that it can be achieved */
1980 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1981 		u8 method;
1982 
1983 		method = get_auth_method(smp, req->io_capability,
1984 					 rsp->io_capability);
1985 		if (method == JUST_WORKS || method == JUST_CFM)
1986 			return SMP_AUTH_REQUIREMENTS;
1987 	}
1988 
1989 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1990 
1991 	/* Update remote key distribution in case the remote cleared
1992 	 * some bits that we had enabled in our request.
1993 	 */
1994 	smp->remote_key_dist &= rsp->resp_key_dist;
1995 
1996 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1997 		/* Clear bits which are generated but not distributed */
1998 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1999 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2000 		return sc_send_public_key(smp);
2001 	}
2002 
2003 	auth |= req->auth_req;
2004 
2005 	ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2006 	if (ret)
2007 		return SMP_UNSPECIFIED;
2008 
2009 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2010 
2011 	/* Can't compose response until we have been confirmed */
2012 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2013 		return smp_confirm(smp);
2014 
2015 	return 0;
2016 }
2017 
2018 static u8 sc_check_confirm(struct smp_chan *smp)
2019 {
2020 	struct l2cap_conn *conn = smp->conn;
2021 
2022 	BT_DBG("");
2023 
2024 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2025 		return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2026 
2027 	if (conn->hcon->out) {
2028 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2029 			     smp->prnd);
2030 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2031 	}
2032 
2033 	return 0;
2034 }
2035 
2036 /* Work-around for some implementations that incorrectly copy RFU bits
2037  * from our security request and thereby create the impression that
2038  * we're doing SC when in fact the remote doesn't support it.
2039  */
2040 static int fixup_sc_false_positive(struct smp_chan *smp)
2041 {
2042 	struct l2cap_conn *conn = smp->conn;
2043 	struct hci_conn *hcon = conn->hcon;
2044 	struct hci_dev *hdev = hcon->hdev;
2045 	struct smp_cmd_pairing *req, *rsp;
2046 	u8 auth;
2047 
2048 	/* The issue is only observed when we're in slave role */
2049 	if (hcon->out)
2050 		return SMP_UNSPECIFIED;
2051 
2052 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2053 		bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
2054 		return SMP_UNSPECIFIED;
2055 	}
2056 
2057 	bt_dev_err(hdev, "trying to fall back to legacy SMP");
2058 
2059 	req = (void *) &smp->preq[1];
2060 	rsp = (void *) &smp->prsp[1];
2061 
2062 	/* Rebuild key dist flags which may have been cleared for SC */
2063 	smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2064 
2065 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
2066 
2067 	if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2068 		bt_dev_err(hdev, "failed to fall back to legacy SMP");
2069 		return SMP_UNSPECIFIED;
2070 	}
2071 
2072 	clear_bit(SMP_FLAG_SC, &smp->flags);
2073 
2074 	return 0;
2075 }
2076 
2077 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2078 {
2079 	struct l2cap_chan *chan = conn->smp;
2080 	struct smp_chan *smp = chan->data;
2081 
2082 	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
2083 
2084 	if (skb->len < sizeof(smp->pcnf))
2085 		return SMP_INVALID_PARAMS;
2086 
2087 	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2088 	skb_pull(skb, sizeof(smp->pcnf));
2089 
2090 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2091 		int ret;
2092 
2093 		/* Public Key exchange must happen before any other steps */
2094 		if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2095 			return sc_check_confirm(smp);
2096 
2097 		BT_ERR("Unexpected SMP Pairing Confirm");
2098 
2099 		ret = fixup_sc_false_positive(smp);
2100 		if (ret)
2101 			return ret;
2102 	}
2103 
2104 	if (conn->hcon->out) {
2105 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2106 			     smp->prnd);
2107 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2108 		return 0;
2109 	}
2110 
2111 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2112 		return smp_confirm(smp);
2113 
2114 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2115 
2116 	return 0;
2117 }
2118 
2119 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2120 {
2121 	struct l2cap_chan *chan = conn->smp;
2122 	struct smp_chan *smp = chan->data;
2123 	struct hci_conn *hcon = conn->hcon;
2124 	u8 *pkax, *pkbx, *na, *nb;
2125 	u32 passkey;
2126 	int err;
2127 
2128 	BT_DBG("conn %p", conn);
2129 
2130 	if (skb->len < sizeof(smp->rrnd))
2131 		return SMP_INVALID_PARAMS;
2132 
2133 	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2134 	skb_pull(skb, sizeof(smp->rrnd));
2135 
2136 	if (!test_bit(SMP_FLAG_SC, &smp->flags))
2137 		return smp_random(smp);
2138 
2139 	if (hcon->out) {
2140 		pkax = smp->local_pk;
2141 		pkbx = smp->remote_pk;
2142 		na   = smp->prnd;
2143 		nb   = smp->rrnd;
2144 	} else {
2145 		pkax = smp->remote_pk;
2146 		pkbx = smp->local_pk;
2147 		na   = smp->rrnd;
2148 		nb   = smp->prnd;
2149 	}
2150 
2151 	if (smp->method == REQ_OOB) {
2152 		if (!hcon->out)
2153 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2154 				     sizeof(smp->prnd), smp->prnd);
2155 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2156 		goto mackey_and_ltk;
2157 	}
2158 
2159 	/* Passkey entry has special treatment */
2160 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2161 		return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2162 
2163 	if (hcon->out) {
2164 		u8 cfm[16];
2165 
2166 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2167 			     smp->rrnd, 0, cfm);
2168 		if (err)
2169 			return SMP_UNSPECIFIED;
2170 
2171 		if (crypto_memneq(smp->pcnf, cfm, 16))
2172 			return SMP_CONFIRM_FAILED;
2173 	} else {
2174 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2175 			     smp->prnd);
2176 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2177 	}
2178 
2179 mackey_and_ltk:
2180 	/* Generate MacKey and LTK */
2181 	err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2182 	if (err)
2183 		return SMP_UNSPECIFIED;
2184 
2185 	if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2186 		if (hcon->out) {
2187 			sc_dhkey_check(smp);
2188 			SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2189 		}
2190 		return 0;
2191 	}
2192 
2193 	err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2194 	if (err)
2195 		return SMP_UNSPECIFIED;
2196 
2197 	err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2198 					hcon->dst_type, passkey, 0);
2199 	if (err)
2200 		return SMP_UNSPECIFIED;
2201 
2202 	set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2203 
2204 	return 0;
2205 }
2206 
2207 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2208 {
2209 	struct smp_ltk *key;
2210 	struct hci_conn *hcon = conn->hcon;
2211 
2212 	key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2213 	if (!key)
2214 		return false;
2215 
2216 	if (smp_ltk_sec_level(key) < sec_level)
2217 		return false;
2218 
2219 	if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2220 		return true;
2221 
2222 	hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2223 	hcon->enc_key_size = key->enc_size;
2224 
2225 	/* We never store STKs for master role, so clear this flag */
2226 	clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2227 
2228 	return true;
2229 }
2230 
2231 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2232 			     enum smp_key_pref key_pref)
2233 {
2234 	if (sec_level == BT_SECURITY_LOW)
2235 		return true;
2236 
2237 	/* If we're encrypted with an STK but the caller prefers using
2238 	 * LTK claim insufficient security. This way we allow the
2239 	 * connection to be re-encrypted with an LTK, even if the LTK
2240 	 * provides the same level of security. Only exception is if we
2241 	 * don't have an LTK (e.g. because of key distribution bits).
2242 	 */
2243 	if (key_pref == SMP_USE_LTK &&
2244 	    test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2245 	    hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2246 		return false;
2247 
2248 	if (hcon->sec_level >= sec_level)
2249 		return true;
2250 
2251 	return false;
2252 }
2253 
2254 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2255 {
2256 	struct smp_cmd_security_req *rp = (void *) skb->data;
2257 	struct smp_cmd_pairing cp;
2258 	struct hci_conn *hcon = conn->hcon;
2259 	struct hci_dev *hdev = hcon->hdev;
2260 	struct smp_chan *smp;
2261 	u8 sec_level, auth;
2262 
2263 	BT_DBG("conn %p", conn);
2264 
2265 	if (skb->len < sizeof(*rp))
2266 		return SMP_INVALID_PARAMS;
2267 
2268 	if (hcon->role != HCI_ROLE_MASTER)
2269 		return SMP_CMD_NOTSUPP;
2270 
2271 	auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2272 
2273 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2274 		return SMP_AUTH_REQUIREMENTS;
2275 
2276 	if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2277 		sec_level = BT_SECURITY_MEDIUM;
2278 	else
2279 		sec_level = authreq_to_seclevel(auth);
2280 
2281 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2282 		/* If link is already encrypted with sufficient security we
2283 		 * still need refresh encryption as per Core Spec 5.0 Vol 3,
2284 		 * Part H 2.4.6
2285 		 */
2286 		smp_ltk_encrypt(conn, hcon->sec_level);
2287 		return 0;
2288 	}
2289 
2290 	if (sec_level > hcon->pending_sec_level)
2291 		hcon->pending_sec_level = sec_level;
2292 
2293 	if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2294 		return 0;
2295 
2296 	smp = smp_chan_create(conn);
2297 	if (!smp)
2298 		return SMP_UNSPECIFIED;
2299 
2300 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2301 	    (auth & SMP_AUTH_BONDING))
2302 		return SMP_PAIRING_NOTSUPP;
2303 
2304 	skb_pull(skb, sizeof(*rp));
2305 
2306 	memset(&cp, 0, sizeof(cp));
2307 	build_pairing_cmd(conn, &cp, NULL, auth);
2308 
2309 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2310 	memcpy(&smp->preq[1], &cp, sizeof(cp));
2311 
2312 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2313 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2314 
2315 	return 0;
2316 }
2317 
2318 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2319 {
2320 	struct l2cap_conn *conn = hcon->l2cap_data;
2321 	struct l2cap_chan *chan;
2322 	struct smp_chan *smp;
2323 	__u8 authreq;
2324 	int ret;
2325 
2326 	BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2327 
2328 	/* This may be NULL if there's an unexpected disconnection */
2329 	if (!conn)
2330 		return 1;
2331 
2332 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2333 		return 1;
2334 
2335 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2336 		return 1;
2337 
2338 	if (sec_level > hcon->pending_sec_level)
2339 		hcon->pending_sec_level = sec_level;
2340 
2341 	if (hcon->role == HCI_ROLE_MASTER)
2342 		if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2343 			return 0;
2344 
2345 	chan = conn->smp;
2346 	if (!chan) {
2347 		bt_dev_err(hcon->hdev, "security requested but not available");
2348 		return 1;
2349 	}
2350 
2351 	l2cap_chan_lock(chan);
2352 
2353 	/* If SMP is already in progress ignore this request */
2354 	if (chan->data) {
2355 		ret = 0;
2356 		goto unlock;
2357 	}
2358 
2359 	smp = smp_chan_create(conn);
2360 	if (!smp) {
2361 		ret = 1;
2362 		goto unlock;
2363 	}
2364 
2365 	authreq = seclevel_to_authreq(sec_level);
2366 
2367 	if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2368 		authreq |= SMP_AUTH_SC;
2369 		if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2370 			authreq |= SMP_AUTH_CT2;
2371 	}
2372 
2373 	/* Require MITM if IO Capability allows or the security level
2374 	 * requires it.
2375 	 */
2376 	if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2377 	    hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2378 		authreq |= SMP_AUTH_MITM;
2379 
2380 	if (hcon->role == HCI_ROLE_MASTER) {
2381 		struct smp_cmd_pairing cp;
2382 
2383 		build_pairing_cmd(conn, &cp, NULL, authreq);
2384 		smp->preq[0] = SMP_CMD_PAIRING_REQ;
2385 		memcpy(&smp->preq[1], &cp, sizeof(cp));
2386 
2387 		smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2388 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2389 	} else {
2390 		struct smp_cmd_security_req cp;
2391 		cp.auth_req = authreq;
2392 		smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2393 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2394 	}
2395 
2396 	set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2397 	ret = 0;
2398 
2399 unlock:
2400 	l2cap_chan_unlock(chan);
2401 	return ret;
2402 }
2403 
2404 int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2405 				  u8 addr_type)
2406 {
2407 	struct hci_conn *hcon;
2408 	struct l2cap_conn *conn;
2409 	struct l2cap_chan *chan;
2410 	struct smp_chan *smp;
2411 	int err;
2412 
2413 	err = hci_remove_ltk(hdev, bdaddr, addr_type);
2414 	hci_remove_irk(hdev, bdaddr, addr_type);
2415 
2416 	hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2417 	if (!hcon)
2418 		goto done;
2419 
2420 	conn = hcon->l2cap_data;
2421 	if (!conn)
2422 		goto done;
2423 
2424 	chan = conn->smp;
2425 	if (!chan)
2426 		goto done;
2427 
2428 	l2cap_chan_lock(chan);
2429 
2430 	smp = chan->data;
2431 	if (smp) {
2432 		/* Set keys to NULL to make sure smp_failure() does not try to
2433 		 * remove and free already invalidated rcu list entries. */
2434 		smp->ltk = NULL;
2435 		smp->slave_ltk = NULL;
2436 		smp->remote_irk = NULL;
2437 
2438 		if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2439 			smp_failure(conn, 0);
2440 		else
2441 			smp_failure(conn, SMP_UNSPECIFIED);
2442 		err = 0;
2443 	}
2444 
2445 	l2cap_chan_unlock(chan);
2446 
2447 done:
2448 	return err;
2449 }
2450 
2451 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2452 {
2453 	struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2454 	struct l2cap_chan *chan = conn->smp;
2455 	struct smp_chan *smp = chan->data;
2456 
2457 	BT_DBG("conn %p", conn);
2458 
2459 	if (skb->len < sizeof(*rp))
2460 		return SMP_INVALID_PARAMS;
2461 
2462 	SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2463 
2464 	skb_pull(skb, sizeof(*rp));
2465 
2466 	memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2467 
2468 	return 0;
2469 }
2470 
2471 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2472 {
2473 	struct smp_cmd_master_ident *rp = (void *) skb->data;
2474 	struct l2cap_chan *chan = conn->smp;
2475 	struct smp_chan *smp = chan->data;
2476 	struct hci_dev *hdev = conn->hcon->hdev;
2477 	struct hci_conn *hcon = conn->hcon;
2478 	struct smp_ltk *ltk;
2479 	u8 authenticated;
2480 
2481 	BT_DBG("conn %p", conn);
2482 
2483 	if (skb->len < sizeof(*rp))
2484 		return SMP_INVALID_PARAMS;
2485 
2486 	/* Mark the information as received */
2487 	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2488 
2489 	if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2490 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2491 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
2492 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2493 
2494 	skb_pull(skb, sizeof(*rp));
2495 
2496 	authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2497 	ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2498 			  authenticated, smp->tk, smp->enc_key_size,
2499 			  rp->ediv, rp->rand);
2500 	smp->ltk = ltk;
2501 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2502 		smp_distribute_keys(smp);
2503 
2504 	return 0;
2505 }
2506 
2507 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2508 {
2509 	struct smp_cmd_ident_info *info = (void *) skb->data;
2510 	struct l2cap_chan *chan = conn->smp;
2511 	struct smp_chan *smp = chan->data;
2512 
2513 	BT_DBG("");
2514 
2515 	if (skb->len < sizeof(*info))
2516 		return SMP_INVALID_PARAMS;
2517 
2518 	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2519 
2520 	skb_pull(skb, sizeof(*info));
2521 
2522 	memcpy(smp->irk, info->irk, 16);
2523 
2524 	return 0;
2525 }
2526 
2527 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2528 				   struct sk_buff *skb)
2529 {
2530 	struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2531 	struct l2cap_chan *chan = conn->smp;
2532 	struct smp_chan *smp = chan->data;
2533 	struct hci_conn *hcon = conn->hcon;
2534 	bdaddr_t rpa;
2535 
2536 	BT_DBG("");
2537 
2538 	if (skb->len < sizeof(*info))
2539 		return SMP_INVALID_PARAMS;
2540 
2541 	/* Mark the information as received */
2542 	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2543 
2544 	if (smp->remote_key_dist & SMP_DIST_SIGN)
2545 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2546 
2547 	skb_pull(skb, sizeof(*info));
2548 
2549 	/* Strictly speaking the Core Specification (4.1) allows sending
2550 	 * an empty address which would force us to rely on just the IRK
2551 	 * as "identity information". However, since such
2552 	 * implementations are not known of and in order to not over
2553 	 * complicate our implementation, simply pretend that we never
2554 	 * received an IRK for such a device.
2555 	 *
2556 	 * The Identity Address must also be a Static Random or Public
2557 	 * Address, which hci_is_identity_address() checks for.
2558 	 */
2559 	if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2560 	    !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2561 		bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
2562 		goto distribute;
2563 	}
2564 
2565 	/* Drop IRK if peer is using identity address during pairing but is
2566 	 * providing different address as identity information.
2567 	 *
2568 	 * Microsoft Surface Precision Mouse is known to have this bug.
2569 	 */
2570 	if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
2571 	    (bacmp(&info->bdaddr, &hcon->dst) ||
2572 	     info->addr_type != hcon->dst_type)) {
2573 		bt_dev_err(hcon->hdev,
2574 			   "ignoring IRK with invalid identity address");
2575 		goto distribute;
2576 	}
2577 
2578 	bacpy(&smp->id_addr, &info->bdaddr);
2579 	smp->id_addr_type = info->addr_type;
2580 
2581 	if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2582 		bacpy(&rpa, &hcon->dst);
2583 	else
2584 		bacpy(&rpa, BDADDR_ANY);
2585 
2586 	smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2587 				      smp->id_addr_type, smp->irk, &rpa);
2588 
2589 distribute:
2590 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2591 		smp_distribute_keys(smp);
2592 
2593 	return 0;
2594 }
2595 
2596 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2597 {
2598 	struct smp_cmd_sign_info *rp = (void *) skb->data;
2599 	struct l2cap_chan *chan = conn->smp;
2600 	struct smp_chan *smp = chan->data;
2601 	struct smp_csrk *csrk;
2602 
2603 	BT_DBG("conn %p", conn);
2604 
2605 	if (skb->len < sizeof(*rp))
2606 		return SMP_INVALID_PARAMS;
2607 
2608 	/* Mark the information as received */
2609 	smp->remote_key_dist &= ~SMP_DIST_SIGN;
2610 
2611 	skb_pull(skb, sizeof(*rp));
2612 
2613 	csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2614 	if (csrk) {
2615 		if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2616 			csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2617 		else
2618 			csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2619 		memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2620 	}
2621 	smp->csrk = csrk;
2622 	smp_distribute_keys(smp);
2623 
2624 	return 0;
2625 }
2626 
2627 static u8 sc_select_method(struct smp_chan *smp)
2628 {
2629 	struct l2cap_conn *conn = smp->conn;
2630 	struct hci_conn *hcon = conn->hcon;
2631 	struct smp_cmd_pairing *local, *remote;
2632 	u8 local_mitm, remote_mitm, local_io, remote_io, method;
2633 
2634 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2635 	    test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2636 		return REQ_OOB;
2637 
2638 	/* The preq/prsp contain the raw Pairing Request/Response PDUs
2639 	 * which are needed as inputs to some crypto functions. To get
2640 	 * the "struct smp_cmd_pairing" from them we need to skip the
2641 	 * first byte which contains the opcode.
2642 	 */
2643 	if (hcon->out) {
2644 		local = (void *) &smp->preq[1];
2645 		remote = (void *) &smp->prsp[1];
2646 	} else {
2647 		local = (void *) &smp->prsp[1];
2648 		remote = (void *) &smp->preq[1];
2649 	}
2650 
2651 	local_io = local->io_capability;
2652 	remote_io = remote->io_capability;
2653 
2654 	local_mitm = (local->auth_req & SMP_AUTH_MITM);
2655 	remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2656 
2657 	/* If either side wants MITM, look up the method from the table,
2658 	 * otherwise use JUST WORKS.
2659 	 */
2660 	if (local_mitm || remote_mitm)
2661 		method = get_auth_method(smp, local_io, remote_io);
2662 	else
2663 		method = JUST_WORKS;
2664 
2665 	/* Don't confirm locally initiated pairing attempts */
2666 	if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2667 		method = JUST_WORKS;
2668 
2669 	return method;
2670 }
2671 
2672 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2673 {
2674 	struct smp_cmd_public_key *key = (void *) skb->data;
2675 	struct hci_conn *hcon = conn->hcon;
2676 	struct l2cap_chan *chan = conn->smp;
2677 	struct smp_chan *smp = chan->data;
2678 	struct hci_dev *hdev = hcon->hdev;
2679 	struct crypto_kpp *tfm_ecdh;
2680 	struct smp_cmd_pairing_confirm cfm;
2681 	int err;
2682 
2683 	BT_DBG("conn %p", conn);
2684 
2685 	if (skb->len < sizeof(*key))
2686 		return SMP_INVALID_PARAMS;
2687 
2688 	memcpy(smp->remote_pk, key, 64);
2689 
2690 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2691 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2692 			     smp->rr, 0, cfm.confirm_val);
2693 		if (err)
2694 			return SMP_UNSPECIFIED;
2695 
2696 		if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2697 			return SMP_CONFIRM_FAILED;
2698 	}
2699 
2700 	/* Non-initiating device sends its public key after receiving
2701 	 * the key from the initiating device.
2702 	 */
2703 	if (!hcon->out) {
2704 		err = sc_send_public_key(smp);
2705 		if (err)
2706 			return err;
2707 	}
2708 
2709 	SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2710 	SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2711 
2712 	/* Compute the shared secret on the same crypto tfm on which the private
2713 	 * key was set/generated.
2714 	 */
2715 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
2716 		struct l2cap_chan *hchan = hdev->smp_data;
2717 		struct smp_dev *smp_dev;
2718 
2719 		if (!hchan || !hchan->data)
2720 			return SMP_UNSPECIFIED;
2721 
2722 		smp_dev = hchan->data;
2723 
2724 		tfm_ecdh = smp_dev->tfm_ecdh;
2725 	} else {
2726 		tfm_ecdh = smp->tfm_ecdh;
2727 	}
2728 
2729 	if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
2730 		return SMP_UNSPECIFIED;
2731 
2732 	SMP_DBG("DHKey %32phN", smp->dhkey);
2733 
2734 	set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2735 
2736 	smp->method = sc_select_method(smp);
2737 
2738 	BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2739 
2740 	/* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2741 	if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2742 		hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2743 	else
2744 		hcon->pending_sec_level = BT_SECURITY_FIPS;
2745 
2746 	if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2747 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2748 
2749 	if (smp->method == DSP_PASSKEY) {
2750 		get_random_bytes(&hcon->passkey_notify,
2751 				 sizeof(hcon->passkey_notify));
2752 		hcon->passkey_notify %= 1000000;
2753 		hcon->passkey_entered = 0;
2754 		smp->passkey_round = 0;
2755 		if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2756 					     hcon->dst_type,
2757 					     hcon->passkey_notify,
2758 					     hcon->passkey_entered))
2759 			return SMP_UNSPECIFIED;
2760 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2761 		return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2762 	}
2763 
2764 	if (smp->method == REQ_OOB) {
2765 		if (hcon->out)
2766 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2767 				     sizeof(smp->prnd), smp->prnd);
2768 
2769 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2770 
2771 		return 0;
2772 	}
2773 
2774 	if (hcon->out)
2775 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2776 
2777 	if (smp->method == REQ_PASSKEY) {
2778 		if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2779 					      hcon->dst_type))
2780 			return SMP_UNSPECIFIED;
2781 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2782 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2783 		return 0;
2784 	}
2785 
2786 	/* The Initiating device waits for the non-initiating device to
2787 	 * send the confirm value.
2788 	 */
2789 	if (conn->hcon->out)
2790 		return 0;
2791 
2792 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2793 		     0, cfm.confirm_val);
2794 	if (err)
2795 		return SMP_UNSPECIFIED;
2796 
2797 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2798 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2799 
2800 	return 0;
2801 }
2802 
2803 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2804 {
2805 	struct smp_cmd_dhkey_check *check = (void *) skb->data;
2806 	struct l2cap_chan *chan = conn->smp;
2807 	struct hci_conn *hcon = conn->hcon;
2808 	struct smp_chan *smp = chan->data;
2809 	u8 a[7], b[7], *local_addr, *remote_addr;
2810 	u8 io_cap[3], r[16], e[16];
2811 	int err;
2812 
2813 	BT_DBG("conn %p", conn);
2814 
2815 	if (skb->len < sizeof(*check))
2816 		return SMP_INVALID_PARAMS;
2817 
2818 	memcpy(a, &hcon->init_addr, 6);
2819 	memcpy(b, &hcon->resp_addr, 6);
2820 	a[6] = hcon->init_addr_type;
2821 	b[6] = hcon->resp_addr_type;
2822 
2823 	if (hcon->out) {
2824 		local_addr = a;
2825 		remote_addr = b;
2826 		memcpy(io_cap, &smp->prsp[1], 3);
2827 	} else {
2828 		local_addr = b;
2829 		remote_addr = a;
2830 		memcpy(io_cap, &smp->preq[1], 3);
2831 	}
2832 
2833 	memset(r, 0, sizeof(r));
2834 
2835 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2836 		put_unaligned_le32(hcon->passkey_notify, r);
2837 	else if (smp->method == REQ_OOB)
2838 		memcpy(r, smp->lr, 16);
2839 
2840 	err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2841 		     io_cap, remote_addr, local_addr, e);
2842 	if (err)
2843 		return SMP_UNSPECIFIED;
2844 
2845 	if (crypto_memneq(check->e, e, 16))
2846 		return SMP_DHKEY_CHECK_FAILED;
2847 
2848 	if (!hcon->out) {
2849 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2850 			set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2851 			return 0;
2852 		}
2853 
2854 		/* Slave sends DHKey check as response to master */
2855 		sc_dhkey_check(smp);
2856 	}
2857 
2858 	sc_add_ltk(smp);
2859 
2860 	if (hcon->out) {
2861 		hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2862 		hcon->enc_key_size = smp->enc_key_size;
2863 	}
2864 
2865 	return 0;
2866 }
2867 
2868 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2869 				   struct sk_buff *skb)
2870 {
2871 	struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2872 
2873 	BT_DBG("value 0x%02x", kp->value);
2874 
2875 	return 0;
2876 }
2877 
2878 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2879 {
2880 	struct l2cap_conn *conn = chan->conn;
2881 	struct hci_conn *hcon = conn->hcon;
2882 	struct smp_chan *smp;
2883 	__u8 code, reason;
2884 	int err = 0;
2885 
2886 	if (skb->len < 1)
2887 		return -EILSEQ;
2888 
2889 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2890 		reason = SMP_PAIRING_NOTSUPP;
2891 		goto done;
2892 	}
2893 
2894 	code = skb->data[0];
2895 	skb_pull(skb, sizeof(code));
2896 
2897 	smp = chan->data;
2898 
2899 	if (code > SMP_CMD_MAX)
2900 		goto drop;
2901 
2902 	if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2903 		goto drop;
2904 
2905 	/* If we don't have a context the only allowed commands are
2906 	 * pairing request and security request.
2907 	 */
2908 	if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2909 		goto drop;
2910 
2911 	switch (code) {
2912 	case SMP_CMD_PAIRING_REQ:
2913 		reason = smp_cmd_pairing_req(conn, skb);
2914 		break;
2915 
2916 	case SMP_CMD_PAIRING_FAIL:
2917 		smp_failure(conn, 0);
2918 		err = -EPERM;
2919 		break;
2920 
2921 	case SMP_CMD_PAIRING_RSP:
2922 		reason = smp_cmd_pairing_rsp(conn, skb);
2923 		break;
2924 
2925 	case SMP_CMD_SECURITY_REQ:
2926 		reason = smp_cmd_security_req(conn, skb);
2927 		break;
2928 
2929 	case SMP_CMD_PAIRING_CONFIRM:
2930 		reason = smp_cmd_pairing_confirm(conn, skb);
2931 		break;
2932 
2933 	case SMP_CMD_PAIRING_RANDOM:
2934 		reason = smp_cmd_pairing_random(conn, skb);
2935 		break;
2936 
2937 	case SMP_CMD_ENCRYPT_INFO:
2938 		reason = smp_cmd_encrypt_info(conn, skb);
2939 		break;
2940 
2941 	case SMP_CMD_MASTER_IDENT:
2942 		reason = smp_cmd_master_ident(conn, skb);
2943 		break;
2944 
2945 	case SMP_CMD_IDENT_INFO:
2946 		reason = smp_cmd_ident_info(conn, skb);
2947 		break;
2948 
2949 	case SMP_CMD_IDENT_ADDR_INFO:
2950 		reason = smp_cmd_ident_addr_info(conn, skb);
2951 		break;
2952 
2953 	case SMP_CMD_SIGN_INFO:
2954 		reason = smp_cmd_sign_info(conn, skb);
2955 		break;
2956 
2957 	case SMP_CMD_PUBLIC_KEY:
2958 		reason = smp_cmd_public_key(conn, skb);
2959 		break;
2960 
2961 	case SMP_CMD_DHKEY_CHECK:
2962 		reason = smp_cmd_dhkey_check(conn, skb);
2963 		break;
2964 
2965 	case SMP_CMD_KEYPRESS_NOTIFY:
2966 		reason = smp_cmd_keypress_notify(conn, skb);
2967 		break;
2968 
2969 	default:
2970 		BT_DBG("Unknown command code 0x%2.2x", code);
2971 		reason = SMP_CMD_NOTSUPP;
2972 		goto done;
2973 	}
2974 
2975 done:
2976 	if (!err) {
2977 		if (reason)
2978 			smp_failure(conn, reason);
2979 		kfree_skb(skb);
2980 	}
2981 
2982 	return err;
2983 
2984 drop:
2985 	bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
2986 		   code, &hcon->dst);
2987 	kfree_skb(skb);
2988 	return 0;
2989 }
2990 
2991 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2992 {
2993 	struct l2cap_conn *conn = chan->conn;
2994 
2995 	BT_DBG("chan %p", chan);
2996 
2997 	if (chan->data)
2998 		smp_chan_destroy(conn);
2999 
3000 	conn->smp = NULL;
3001 	l2cap_chan_put(chan);
3002 }
3003 
3004 static void bredr_pairing(struct l2cap_chan *chan)
3005 {
3006 	struct l2cap_conn *conn = chan->conn;
3007 	struct hci_conn *hcon = conn->hcon;
3008 	struct hci_dev *hdev = hcon->hdev;
3009 	struct smp_cmd_pairing req;
3010 	struct smp_chan *smp;
3011 
3012 	BT_DBG("chan %p", chan);
3013 
3014 	/* Only new pairings are interesting */
3015 	if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
3016 		return;
3017 
3018 	/* Don't bother if we're not encrypted */
3019 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3020 		return;
3021 
3022 	/* Only master may initiate SMP over BR/EDR */
3023 	if (hcon->role != HCI_ROLE_MASTER)
3024 		return;
3025 
3026 	/* Secure Connections support must be enabled */
3027 	if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
3028 		return;
3029 
3030 	/* BR/EDR must use Secure Connections for SMP */
3031 	if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
3032 	    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3033 		return;
3034 
3035 	/* If our LE support is not enabled don't do anything */
3036 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3037 		return;
3038 
3039 	/* Don't bother if remote LE support is not enabled */
3040 	if (!lmp_host_le_capable(hcon))
3041 		return;
3042 
3043 	/* Remote must support SMP fixed chan for BR/EDR */
3044 	if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3045 		return;
3046 
3047 	/* Don't bother if SMP is already ongoing */
3048 	if (chan->data)
3049 		return;
3050 
3051 	smp = smp_chan_create(conn);
3052 	if (!smp) {
3053 		bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
3054 		return;
3055 	}
3056 
3057 	set_bit(SMP_FLAG_SC, &smp->flags);
3058 
3059 	BT_DBG("%s starting SMP over BR/EDR", hdev->name);
3060 
3061 	/* Prepare and send the BR/EDR SMP Pairing Request */
3062 	build_bredr_pairing_cmd(smp, &req, NULL);
3063 
3064 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
3065 	memcpy(&smp->preq[1], &req, sizeof(req));
3066 
3067 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3068 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3069 }
3070 
3071 static void smp_resume_cb(struct l2cap_chan *chan)
3072 {
3073 	struct smp_chan *smp = chan->data;
3074 	struct l2cap_conn *conn = chan->conn;
3075 	struct hci_conn *hcon = conn->hcon;
3076 
3077 	BT_DBG("chan %p", chan);
3078 
3079 	if (hcon->type == ACL_LINK) {
3080 		bredr_pairing(chan);
3081 		return;
3082 	}
3083 
3084 	if (!smp)
3085 		return;
3086 
3087 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3088 		return;
3089 
3090 	cancel_delayed_work(&smp->security_timer);
3091 
3092 	smp_distribute_keys(smp);
3093 }
3094 
3095 static void smp_ready_cb(struct l2cap_chan *chan)
3096 {
3097 	struct l2cap_conn *conn = chan->conn;
3098 	struct hci_conn *hcon = conn->hcon;
3099 
3100 	BT_DBG("chan %p", chan);
3101 
3102 	/* No need to call l2cap_chan_hold() here since we already own
3103 	 * the reference taken in smp_new_conn_cb(). This is just the
3104 	 * first time that we tie it to a specific pointer. The code in
3105 	 * l2cap_core.c ensures that there's no risk this function wont
3106 	 * get called if smp_new_conn_cb was previously called.
3107 	 */
3108 	conn->smp = chan;
3109 
3110 	if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3111 		bredr_pairing(chan);
3112 }
3113 
3114 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3115 {
3116 	int err;
3117 
3118 	BT_DBG("chan %p", chan);
3119 
3120 	err = smp_sig_channel(chan, skb);
3121 	if (err) {
3122 		struct smp_chan *smp = chan->data;
3123 
3124 		if (smp)
3125 			cancel_delayed_work_sync(&smp->security_timer);
3126 
3127 		hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3128 	}
3129 
3130 	return err;
3131 }
3132 
3133 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3134 					unsigned long hdr_len,
3135 					unsigned long len, int nb)
3136 {
3137 	struct sk_buff *skb;
3138 
3139 	skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3140 	if (!skb)
3141 		return ERR_PTR(-ENOMEM);
3142 
3143 	skb->priority = HCI_PRIO_MAX;
3144 	bt_cb(skb)->l2cap.chan = chan;
3145 
3146 	return skb;
3147 }
3148 
3149 static const struct l2cap_ops smp_chan_ops = {
3150 	.name			= "Security Manager",
3151 	.ready			= smp_ready_cb,
3152 	.recv			= smp_recv_cb,
3153 	.alloc_skb		= smp_alloc_skb_cb,
3154 	.teardown		= smp_teardown_cb,
3155 	.resume			= smp_resume_cb,
3156 
3157 	.new_connection		= l2cap_chan_no_new_connection,
3158 	.state_change		= l2cap_chan_no_state_change,
3159 	.close			= l2cap_chan_no_close,
3160 	.defer			= l2cap_chan_no_defer,
3161 	.suspend		= l2cap_chan_no_suspend,
3162 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3163 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3164 };
3165 
3166 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3167 {
3168 	struct l2cap_chan *chan;
3169 
3170 	BT_DBG("pchan %p", pchan);
3171 
3172 	chan = l2cap_chan_create();
3173 	if (!chan)
3174 		return NULL;
3175 
3176 	chan->chan_type	= pchan->chan_type;
3177 	chan->ops	= &smp_chan_ops;
3178 	chan->scid	= pchan->scid;
3179 	chan->dcid	= chan->scid;
3180 	chan->imtu	= pchan->imtu;
3181 	chan->omtu	= pchan->omtu;
3182 	chan->mode	= pchan->mode;
3183 
3184 	/* Other L2CAP channels may request SMP routines in order to
3185 	 * change the security level. This means that the SMP channel
3186 	 * lock must be considered in its own category to avoid lockdep
3187 	 * warnings.
3188 	 */
3189 	atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3190 
3191 	BT_DBG("created chan %p", chan);
3192 
3193 	return chan;
3194 }
3195 
3196 static const struct l2cap_ops smp_root_chan_ops = {
3197 	.name			= "Security Manager Root",
3198 	.new_connection		= smp_new_conn_cb,
3199 
3200 	/* None of these are implemented for the root channel */
3201 	.close			= l2cap_chan_no_close,
3202 	.alloc_skb		= l2cap_chan_no_alloc_skb,
3203 	.recv			= l2cap_chan_no_recv,
3204 	.state_change		= l2cap_chan_no_state_change,
3205 	.teardown		= l2cap_chan_no_teardown,
3206 	.ready			= l2cap_chan_no_ready,
3207 	.defer			= l2cap_chan_no_defer,
3208 	.suspend		= l2cap_chan_no_suspend,
3209 	.resume			= l2cap_chan_no_resume,
3210 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3211 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3212 };
3213 
3214 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3215 {
3216 	struct l2cap_chan *chan;
3217 	struct smp_dev *smp;
3218 	struct crypto_shash *tfm_cmac;
3219 	struct crypto_kpp *tfm_ecdh;
3220 
3221 	if (cid == L2CAP_CID_SMP_BREDR) {
3222 		smp = NULL;
3223 		goto create_chan;
3224 	}
3225 
3226 	smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3227 	if (!smp)
3228 		return ERR_PTR(-ENOMEM);
3229 
3230 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3231 	if (IS_ERR(tfm_cmac)) {
3232 		BT_ERR("Unable to create CMAC crypto context");
3233 		kzfree(smp);
3234 		return ERR_CAST(tfm_cmac);
3235 	}
3236 
3237 	tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
3238 	if (IS_ERR(tfm_ecdh)) {
3239 		BT_ERR("Unable to create ECDH crypto context");
3240 		crypto_free_shash(tfm_cmac);
3241 		kzfree(smp);
3242 		return ERR_CAST(tfm_ecdh);
3243 	}
3244 
3245 	smp->local_oob = false;
3246 	smp->tfm_cmac = tfm_cmac;
3247 	smp->tfm_ecdh = tfm_ecdh;
3248 
3249 create_chan:
3250 	chan = l2cap_chan_create();
3251 	if (!chan) {
3252 		if (smp) {
3253 			crypto_free_shash(smp->tfm_cmac);
3254 			crypto_free_kpp(smp->tfm_ecdh);
3255 			kzfree(smp);
3256 		}
3257 		return ERR_PTR(-ENOMEM);
3258 	}
3259 
3260 	chan->data = smp;
3261 
3262 	l2cap_add_scid(chan, cid);
3263 
3264 	l2cap_chan_set_defaults(chan);
3265 
3266 	if (cid == L2CAP_CID_SMP) {
3267 		u8 bdaddr_type;
3268 
3269 		hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3270 
3271 		if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3272 			chan->src_type = BDADDR_LE_PUBLIC;
3273 		else
3274 			chan->src_type = BDADDR_LE_RANDOM;
3275 	} else {
3276 		bacpy(&chan->src, &hdev->bdaddr);
3277 		chan->src_type = BDADDR_BREDR;
3278 	}
3279 
3280 	chan->state = BT_LISTEN;
3281 	chan->mode = L2CAP_MODE_BASIC;
3282 	chan->imtu = L2CAP_DEFAULT_MTU;
3283 	chan->ops = &smp_root_chan_ops;
3284 
3285 	/* Set correct nesting level for a parent/listening channel */
3286 	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3287 
3288 	return chan;
3289 }
3290 
3291 static void smp_del_chan(struct l2cap_chan *chan)
3292 {
3293 	struct smp_dev *smp;
3294 
3295 	BT_DBG("chan %p", chan);
3296 
3297 	smp = chan->data;
3298 	if (smp) {
3299 		chan->data = NULL;
3300 		crypto_free_shash(smp->tfm_cmac);
3301 		crypto_free_kpp(smp->tfm_ecdh);
3302 		kzfree(smp);
3303 	}
3304 
3305 	l2cap_chan_put(chan);
3306 }
3307 
3308 static ssize_t force_bredr_smp_read(struct file *file,
3309 				    char __user *user_buf,
3310 				    size_t count, loff_t *ppos)
3311 {
3312 	struct hci_dev *hdev = file->private_data;
3313 	char buf[3];
3314 
3315 	buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3316 	buf[1] = '\n';
3317 	buf[2] = '\0';
3318 	return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3319 }
3320 
3321 static ssize_t force_bredr_smp_write(struct file *file,
3322 				     const char __user *user_buf,
3323 				     size_t count, loff_t *ppos)
3324 {
3325 	struct hci_dev *hdev = file->private_data;
3326 	bool enable;
3327 	int err;
3328 
3329 	err = kstrtobool_from_user(user_buf, count, &enable);
3330 	if (err)
3331 		return err;
3332 
3333 	if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3334 		return -EALREADY;
3335 
3336 	if (enable) {
3337 		struct l2cap_chan *chan;
3338 
3339 		chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3340 		if (IS_ERR(chan))
3341 			return PTR_ERR(chan);
3342 
3343 		hdev->smp_bredr_data = chan;
3344 	} else {
3345 		struct l2cap_chan *chan;
3346 
3347 		chan = hdev->smp_bredr_data;
3348 		hdev->smp_bredr_data = NULL;
3349 		smp_del_chan(chan);
3350 	}
3351 
3352 	hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3353 
3354 	return count;
3355 }
3356 
3357 static const struct file_operations force_bredr_smp_fops = {
3358 	.open		= simple_open,
3359 	.read		= force_bredr_smp_read,
3360 	.write		= force_bredr_smp_write,
3361 	.llseek		= default_llseek,
3362 };
3363 
3364 static ssize_t le_min_key_size_read(struct file *file,
3365 				     char __user *user_buf,
3366 				     size_t count, loff_t *ppos)
3367 {
3368 	struct hci_dev *hdev = file->private_data;
3369 	char buf[4];
3370 
3371 	snprintf(buf, sizeof(buf), "%2u\n", hdev->le_min_key_size);
3372 
3373 	return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3374 }
3375 
3376 static ssize_t le_min_key_size_write(struct file *file,
3377 				      const char __user *user_buf,
3378 				      size_t count, loff_t *ppos)
3379 {
3380 	struct hci_dev *hdev = file->private_data;
3381 	char buf[32];
3382 	size_t buf_size = min(count, (sizeof(buf) - 1));
3383 	u8 key_size;
3384 
3385 	if (copy_from_user(buf, user_buf, buf_size))
3386 		return -EFAULT;
3387 
3388 	buf[buf_size] = '\0';
3389 
3390 	sscanf(buf, "%hhu", &key_size);
3391 
3392 	if (key_size > hdev->le_max_key_size ||
3393 	    key_size < SMP_MIN_ENC_KEY_SIZE)
3394 		return -EINVAL;
3395 
3396 	hdev->le_min_key_size = key_size;
3397 
3398 	return count;
3399 }
3400 
3401 static const struct file_operations le_min_key_size_fops = {
3402 	.open		= simple_open,
3403 	.read		= le_min_key_size_read,
3404 	.write		= le_min_key_size_write,
3405 	.llseek		= default_llseek,
3406 };
3407 
3408 static ssize_t le_max_key_size_read(struct file *file,
3409 				     char __user *user_buf,
3410 				     size_t count, loff_t *ppos)
3411 {
3412 	struct hci_dev *hdev = file->private_data;
3413 	char buf[4];
3414 
3415 	snprintf(buf, sizeof(buf), "%2u\n", hdev->le_max_key_size);
3416 
3417 	return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3418 }
3419 
3420 static ssize_t le_max_key_size_write(struct file *file,
3421 				      const char __user *user_buf,
3422 				      size_t count, loff_t *ppos)
3423 {
3424 	struct hci_dev *hdev = file->private_data;
3425 	char buf[32];
3426 	size_t buf_size = min(count, (sizeof(buf) - 1));
3427 	u8 key_size;
3428 
3429 	if (copy_from_user(buf, user_buf, buf_size))
3430 		return -EFAULT;
3431 
3432 	buf[buf_size] = '\0';
3433 
3434 	sscanf(buf, "%hhu", &key_size);
3435 
3436 	if (key_size > SMP_MAX_ENC_KEY_SIZE ||
3437 	    key_size < hdev->le_min_key_size)
3438 		return -EINVAL;
3439 
3440 	hdev->le_max_key_size = key_size;
3441 
3442 	return count;
3443 }
3444 
3445 static const struct file_operations le_max_key_size_fops = {
3446 	.open		= simple_open,
3447 	.read		= le_max_key_size_read,
3448 	.write		= le_max_key_size_write,
3449 	.llseek		= default_llseek,
3450 };
3451 
3452 int smp_register(struct hci_dev *hdev)
3453 {
3454 	struct l2cap_chan *chan;
3455 
3456 	BT_DBG("%s", hdev->name);
3457 
3458 	/* If the controller does not support Low Energy operation, then
3459 	 * there is also no need to register any SMP channel.
3460 	 */
3461 	if (!lmp_le_capable(hdev))
3462 		return 0;
3463 
3464 	if (WARN_ON(hdev->smp_data)) {
3465 		chan = hdev->smp_data;
3466 		hdev->smp_data = NULL;
3467 		smp_del_chan(chan);
3468 	}
3469 
3470 	chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3471 	if (IS_ERR(chan))
3472 		return PTR_ERR(chan);
3473 
3474 	hdev->smp_data = chan;
3475 
3476 	debugfs_create_file("le_min_key_size", 0644, hdev->debugfs, hdev,
3477 			    &le_min_key_size_fops);
3478 	debugfs_create_file("le_max_key_size", 0644, hdev->debugfs, hdev,
3479 			    &le_max_key_size_fops);
3480 
3481 	/* If the controller does not support BR/EDR Secure Connections
3482 	 * feature, then the BR/EDR SMP channel shall not be present.
3483 	 *
3484 	 * To test this with Bluetooth 4.0 controllers, create a debugfs
3485 	 * switch that allows forcing BR/EDR SMP support and accepting
3486 	 * cross-transport pairing on non-AES encrypted connections.
3487 	 */
3488 	if (!lmp_sc_capable(hdev)) {
3489 		debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3490 				    hdev, &force_bredr_smp_fops);
3491 
3492 		/* Flag can be already set here (due to power toggle) */
3493 		if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3494 			return 0;
3495 	}
3496 
3497 	if (WARN_ON(hdev->smp_bredr_data)) {
3498 		chan = hdev->smp_bredr_data;
3499 		hdev->smp_bredr_data = NULL;
3500 		smp_del_chan(chan);
3501 	}
3502 
3503 	chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3504 	if (IS_ERR(chan)) {
3505 		int err = PTR_ERR(chan);
3506 		chan = hdev->smp_data;
3507 		hdev->smp_data = NULL;
3508 		smp_del_chan(chan);
3509 		return err;
3510 	}
3511 
3512 	hdev->smp_bredr_data = chan;
3513 
3514 	return 0;
3515 }
3516 
3517 void smp_unregister(struct hci_dev *hdev)
3518 {
3519 	struct l2cap_chan *chan;
3520 
3521 	if (hdev->smp_bredr_data) {
3522 		chan = hdev->smp_bredr_data;
3523 		hdev->smp_bredr_data = NULL;
3524 		smp_del_chan(chan);
3525 	}
3526 
3527 	if (hdev->smp_data) {
3528 		chan = hdev->smp_data;
3529 		hdev->smp_data = NULL;
3530 		smp_del_chan(chan);
3531 	}
3532 }
3533 
3534 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3535 
3536 static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
3537 {
3538 	u8 pk[64];
3539 	int err;
3540 
3541 	err = set_ecdh_privkey(tfm_ecdh, debug_sk);
3542 	if (err)
3543 		return err;
3544 
3545 	err = generate_ecdh_public_key(tfm_ecdh, pk);
3546 	if (err)
3547 		return err;
3548 
3549 	if (crypto_memneq(pk, debug_pk, 64))
3550 		return -EINVAL;
3551 
3552 	return 0;
3553 }
3554 
3555 static int __init test_ah(void)
3556 {
3557 	const u8 irk[16] = {
3558 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3559 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3560 	const u8 r[3] = { 0x94, 0x81, 0x70 };
3561 	const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3562 	u8 res[3];
3563 	int err;
3564 
3565 	err = smp_ah(irk, r, res);
3566 	if (err)
3567 		return err;
3568 
3569 	if (crypto_memneq(res, exp, 3))
3570 		return -EINVAL;
3571 
3572 	return 0;
3573 }
3574 
3575 static int __init test_c1(void)
3576 {
3577 	const u8 k[16] = {
3578 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3579 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3580 	const u8 r[16] = {
3581 			0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3582 			0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3583 	const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3584 	const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3585 	const u8 _iat = 0x01;
3586 	const u8 _rat = 0x00;
3587 	const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3588 	const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3589 	const u8 exp[16] = {
3590 			0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3591 			0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3592 	u8 res[16];
3593 	int err;
3594 
3595 	err = smp_c1(k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3596 	if (err)
3597 		return err;
3598 
3599 	if (crypto_memneq(res, exp, 16))
3600 		return -EINVAL;
3601 
3602 	return 0;
3603 }
3604 
3605 static int __init test_s1(void)
3606 {
3607 	const u8 k[16] = {
3608 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3609 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3610 	const u8 r1[16] = {
3611 			0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3612 	const u8 r2[16] = {
3613 			0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3614 	const u8 exp[16] = {
3615 			0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3616 			0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3617 	u8 res[16];
3618 	int err;
3619 
3620 	err = smp_s1(k, r1, r2, res);
3621 	if (err)
3622 		return err;
3623 
3624 	if (crypto_memneq(res, exp, 16))
3625 		return -EINVAL;
3626 
3627 	return 0;
3628 }
3629 
3630 static int __init test_f4(struct crypto_shash *tfm_cmac)
3631 {
3632 	const u8 u[32] = {
3633 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3634 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3635 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3636 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3637 	const u8 v[32] = {
3638 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3639 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3640 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3641 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3642 	const u8 x[16] = {
3643 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3644 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3645 	const u8 z = 0x00;
3646 	const u8 exp[16] = {
3647 			0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3648 			0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3649 	u8 res[16];
3650 	int err;
3651 
3652 	err = smp_f4(tfm_cmac, u, v, x, z, res);
3653 	if (err)
3654 		return err;
3655 
3656 	if (crypto_memneq(res, exp, 16))
3657 		return -EINVAL;
3658 
3659 	return 0;
3660 }
3661 
3662 static int __init test_f5(struct crypto_shash *tfm_cmac)
3663 {
3664 	const u8 w[32] = {
3665 			0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3666 			0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3667 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3668 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3669 	const u8 n1[16] = {
3670 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3671 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3672 	const u8 n2[16] = {
3673 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3674 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3675 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3676 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3677 	const u8 exp_ltk[16] = {
3678 			0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3679 			0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3680 	const u8 exp_mackey[16] = {
3681 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3682 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3683 	u8 mackey[16], ltk[16];
3684 	int err;
3685 
3686 	err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3687 	if (err)
3688 		return err;
3689 
3690 	if (crypto_memneq(mackey, exp_mackey, 16))
3691 		return -EINVAL;
3692 
3693 	if (crypto_memneq(ltk, exp_ltk, 16))
3694 		return -EINVAL;
3695 
3696 	return 0;
3697 }
3698 
3699 static int __init test_f6(struct crypto_shash *tfm_cmac)
3700 {
3701 	const u8 w[16] = {
3702 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3703 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3704 	const u8 n1[16] = {
3705 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3706 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3707 	const u8 n2[16] = {
3708 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3709 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3710 	const u8 r[16] = {
3711 			0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3712 			0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3713 	const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3714 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3715 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3716 	const u8 exp[16] = {
3717 			0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3718 			0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3719 	u8 res[16];
3720 	int err;
3721 
3722 	err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3723 	if (err)
3724 		return err;
3725 
3726 	if (crypto_memneq(res, exp, 16))
3727 		return -EINVAL;
3728 
3729 	return 0;
3730 }
3731 
3732 static int __init test_g2(struct crypto_shash *tfm_cmac)
3733 {
3734 	const u8 u[32] = {
3735 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3736 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3737 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3738 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3739 	const u8 v[32] = {
3740 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3741 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3742 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3743 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3744 	const u8 x[16] = {
3745 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3746 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3747 	const u8 y[16] = {
3748 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3749 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3750 	const u32 exp_val = 0x2f9ed5ba % 1000000;
3751 	u32 val;
3752 	int err;
3753 
3754 	err = smp_g2(tfm_cmac, u, v, x, y, &val);
3755 	if (err)
3756 		return err;
3757 
3758 	if (val != exp_val)
3759 		return -EINVAL;
3760 
3761 	return 0;
3762 }
3763 
3764 static int __init test_h6(struct crypto_shash *tfm_cmac)
3765 {
3766 	const u8 w[16] = {
3767 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3768 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3769 	const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3770 	const u8 exp[16] = {
3771 			0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3772 			0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3773 	u8 res[16];
3774 	int err;
3775 
3776 	err = smp_h6(tfm_cmac, w, key_id, res);
3777 	if (err)
3778 		return err;
3779 
3780 	if (crypto_memneq(res, exp, 16))
3781 		return -EINVAL;
3782 
3783 	return 0;
3784 }
3785 
3786 static char test_smp_buffer[32];
3787 
3788 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3789 			     size_t count, loff_t *ppos)
3790 {
3791 	return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3792 				       strlen(test_smp_buffer));
3793 }
3794 
3795 static const struct file_operations test_smp_fops = {
3796 	.open		= simple_open,
3797 	.read		= test_smp_read,
3798 	.llseek		= default_llseek,
3799 };
3800 
3801 static int __init run_selftests(struct crypto_shash *tfm_cmac,
3802 				struct crypto_kpp *tfm_ecdh)
3803 {
3804 	ktime_t calltime, delta, rettime;
3805 	unsigned long long duration;
3806 	int err;
3807 
3808 	calltime = ktime_get();
3809 
3810 	err = test_debug_key(tfm_ecdh);
3811 	if (err) {
3812 		BT_ERR("debug_key test failed");
3813 		goto done;
3814 	}
3815 
3816 	err = test_ah();
3817 	if (err) {
3818 		BT_ERR("smp_ah test failed");
3819 		goto done;
3820 	}
3821 
3822 	err = test_c1();
3823 	if (err) {
3824 		BT_ERR("smp_c1 test failed");
3825 		goto done;
3826 	}
3827 
3828 	err = test_s1();
3829 	if (err) {
3830 		BT_ERR("smp_s1 test failed");
3831 		goto done;
3832 	}
3833 
3834 	err = test_f4(tfm_cmac);
3835 	if (err) {
3836 		BT_ERR("smp_f4 test failed");
3837 		goto done;
3838 	}
3839 
3840 	err = test_f5(tfm_cmac);
3841 	if (err) {
3842 		BT_ERR("smp_f5 test failed");
3843 		goto done;
3844 	}
3845 
3846 	err = test_f6(tfm_cmac);
3847 	if (err) {
3848 		BT_ERR("smp_f6 test failed");
3849 		goto done;
3850 	}
3851 
3852 	err = test_g2(tfm_cmac);
3853 	if (err) {
3854 		BT_ERR("smp_g2 test failed");
3855 		goto done;
3856 	}
3857 
3858 	err = test_h6(tfm_cmac);
3859 	if (err) {
3860 		BT_ERR("smp_h6 test failed");
3861 		goto done;
3862 	}
3863 
3864 	rettime = ktime_get();
3865 	delta = ktime_sub(rettime, calltime);
3866 	duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3867 
3868 	BT_INFO("SMP test passed in %llu usecs", duration);
3869 
3870 done:
3871 	if (!err)
3872 		snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3873 			 "PASS (%llu usecs)\n", duration);
3874 	else
3875 		snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3876 
3877 	debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3878 			    &test_smp_fops);
3879 
3880 	return err;
3881 }
3882 
3883 int __init bt_selftest_smp(void)
3884 {
3885 	struct crypto_shash *tfm_cmac;
3886 	struct crypto_kpp *tfm_ecdh;
3887 	int err;
3888 
3889 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3890 	if (IS_ERR(tfm_cmac)) {
3891 		BT_ERR("Unable to create CMAC crypto context");
3892 		return PTR_ERR(tfm_cmac);
3893 	}
3894 
3895 	tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
3896 	if (IS_ERR(tfm_ecdh)) {
3897 		BT_ERR("Unable to create ECDH crypto context");
3898 		crypto_free_shash(tfm_cmac);
3899 		return PTR_ERR(tfm_ecdh);
3900 	}
3901 
3902 	err = run_selftests(tfm_cmac, tfm_ecdh);
3903 
3904 	crypto_free_shash(tfm_cmac);
3905 	crypto_free_kpp(tfm_ecdh);
3906 
3907 	return err;
3908 }
3909 
3910 #endif
3911