2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
23 #include <linux/debugfs.h>
24 #include <linux/crypto.h>
25 #include <linux/scatterlist.h>
26 #include <crypto/b128ops.h>
28 #include <net/bluetooth/bluetooth.h>
29 #include <net/bluetooth/hci_core.h>
30 #include <net/bluetooth/l2cap.h>
31 #include <net/bluetooth/mgmt.h>
36 /* Low-level debug macros to be used for stuff that we don't want
37 * accidentially in dmesg, i.e. the values of the various crypto keys
38 * and the inputs & outputs of crypto functions.
41 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
44 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
48 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
50 /* Keys which are not distributed with Secure Connections */
51 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
53 #define SMP_TIMEOUT msecs_to_jiffies(30000)
55 #define AUTH_REQ_MASK(dev) (test_bit(HCI_SC_ENABLED, &(dev)->dev_flags) ? \
57 #define KEY_DIST_MASK 0x07
59 /* Maximum message length that can be passed to aes_cmac */
60 #define CMAC_MSG_MAX 80
72 SMP_FLAG_DHKEY_PENDING,
77 struct l2cap_conn *conn;
78 struct delayed_work security_timer;
79 unsigned long allow_cmd; /* Bitmask of allowed commands */
81 u8 preq[7]; /* SMP Pairing Request */
82 u8 prsp[7]; /* SMP Pairing Response */
83 u8 prnd[16]; /* SMP Pairing Random (local) */
84 u8 rrnd[16]; /* SMP Pairing Random (remote) */
85 u8 pcnf[16]; /* SMP Pairing Confirm */
86 u8 tk[16]; /* SMP Temporary Key */
93 struct smp_csrk *csrk;
94 struct smp_csrk *slave_csrk;
96 struct smp_ltk *slave_ltk;
97 struct smp_irk *remote_irk;
103 /* Secure Connections variables */
110 struct crypto_blkcipher *tfm_aes;
111 struct crypto_hash *tfm_cmac;
114 /* These debug key values are defined in the SMP section of the core
115 * specification. debug_pk is the public debug key and debug_sk the
118 static const u8 debug_pk[64] = {
119 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
120 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
121 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
122 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
124 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
125 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
126 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
127 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
130 static const u8 debug_sk[32] = {
131 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
132 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
133 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
134 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
137 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
141 for (i = 0; i < len; i++)
142 dst[len - 1 - i] = src[i];
145 /* The following functions map to the LE SC SMP crypto functions
146 * AES-CMAC, f4, f5, f6, g2 and h6.
149 static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m,
150 size_t len, u8 mac[16])
152 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
153 struct hash_desc desc;
154 struct scatterlist sg;
157 if (len > CMAC_MSG_MAX)
161 BT_ERR("tfm %p", tfm);
168 crypto_hash_init(&desc);
170 /* Swap key and message from LSB to MSB */
171 swap_buf(k, tmp, 16);
172 swap_buf(m, msg_msb, len);
174 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
175 SMP_DBG("key %16phN", k);
177 err = crypto_hash_setkey(tfm, tmp, 16);
179 BT_ERR("cipher setkey failed: %d", err);
183 sg_init_one(&sg, msg_msb, len);
185 err = crypto_hash_update(&desc, &sg, len);
187 BT_ERR("Hash update error %d", err);
191 err = crypto_hash_final(&desc, mac_msb);
193 BT_ERR("Hash final error %d", err);
197 swap_buf(mac_msb, mac, 16);
199 SMP_DBG("mac %16phN", mac);
204 static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
205 const u8 x[16], u8 z, u8 res[16])
210 SMP_DBG("u %32phN", u);
211 SMP_DBG("v %32phN", v);
212 SMP_DBG("x %16phN z %02x", x, z);
215 memcpy(m + 1, v, 32);
216 memcpy(m + 33, u, 32);
218 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
222 SMP_DBG("res %16phN", res);
227 static int smp_f5(struct crypto_hash *tfm_cmac, const u8 w[32],
228 const u8 n1[16], const u8 n2[16], const u8 a1[7],
229 const u8 a2[7], u8 mackey[16], u8 ltk[16])
231 /* The btle, salt and length "magic" values are as defined in
232 * the SMP section of the Bluetooth core specification. In ASCII
233 * the btle value ends up being 'btle'. The salt is just a
234 * random number whereas length is the value 256 in little
237 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
238 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
239 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
240 const u8 length[2] = { 0x00, 0x01 };
244 SMP_DBG("w %32phN", w);
245 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
246 SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
248 err = aes_cmac(tfm_cmac, salt, w, 32, t);
252 SMP_DBG("t %16phN", t);
254 memcpy(m, length, 2);
255 memcpy(m + 2, a2, 7);
256 memcpy(m + 9, a1, 7);
257 memcpy(m + 16, n2, 16);
258 memcpy(m + 32, n1, 16);
259 memcpy(m + 48, btle, 4);
261 m[52] = 0; /* Counter */
263 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
267 SMP_DBG("mackey %16phN", mackey);
269 m[52] = 1; /* Counter */
271 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
275 SMP_DBG("ltk %16phN", ltk);
280 static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16],
281 const u8 n1[16], const u8 n2[16], const u8 r[16],
282 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
288 SMP_DBG("w %16phN", w);
289 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
290 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
293 memcpy(m + 7, a1, 7);
294 memcpy(m + 14, io_cap, 3);
295 memcpy(m + 17, r, 16);
296 memcpy(m + 33, n2, 16);
297 memcpy(m + 49, n1, 16);
299 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
303 SMP_DBG("res %16phN", res);
308 static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
309 const u8 x[16], const u8 y[16], u32 *val)
314 SMP_DBG("u %32phN", u);
315 SMP_DBG("v %32phN", v);
316 SMP_DBG("x %16phN y %16phN", x, y);
319 memcpy(m + 16, v, 32);
320 memcpy(m + 48, u, 32);
322 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
326 *val = get_unaligned_le32(tmp);
329 SMP_DBG("val %06u", *val);
334 static int smp_h6(struct crypto_hash *tfm_cmac, const u8 w[16],
335 const u8 key_id[4], u8 res[16])
339 SMP_DBG("w %16phN key_id %4phN", w, key_id);
341 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
345 SMP_DBG("res %16phN", res);
350 /* The following functions map to the legacy SMP crypto functions e, c1,
354 static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
356 struct blkcipher_desc desc;
357 struct scatterlist sg;
358 uint8_t tmp[16], data[16];
362 BT_ERR("tfm %p", tfm);
369 /* The most significant octet of key corresponds to k[0] */
370 swap_buf(k, tmp, 16);
372 err = crypto_blkcipher_setkey(tfm, tmp, 16);
374 BT_ERR("cipher setkey failed: %d", err);
378 /* Most significant octet of plaintextData corresponds to data[0] */
379 swap_buf(r, data, 16);
381 sg_init_one(&sg, data, 16);
383 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
385 BT_ERR("Encrypt data error %d", err);
387 /* Most significant octet of encryptedData corresponds to data[0] */
388 swap_buf(data, r, 16);
393 static int smp_c1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
394 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
395 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
402 /* p1 = pres || preq || _rat || _iat */
405 memcpy(p1 + 2, preq, 7);
406 memcpy(p1 + 9, pres, 7);
408 /* p2 = padding || ia || ra */
410 memcpy(p2 + 6, ia, 6);
411 memset(p2 + 12, 0, 4);
414 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
416 /* res = e(k, res) */
417 err = smp_e(tfm_aes, k, res);
419 BT_ERR("Encrypt data error");
423 /* res = res XOR p2 */
424 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
426 /* res = e(k, res) */
427 err = smp_e(tfm_aes, k, res);
429 BT_ERR("Encrypt data error");
434 static int smp_s1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
435 const u8 r1[16], const u8 r2[16], u8 _r[16])
439 /* Just least significant octets from r1 and r2 are considered */
441 memcpy(_r + 8, r1, 8);
443 err = smp_e(tfm_aes, k, _r);
445 BT_ERR("Encrypt data error");
450 static int smp_ah(struct crypto_blkcipher *tfm, const u8 irk[16],
451 const u8 r[3], u8 res[3])
456 /* r' = padding || r */
458 memset(_res + 3, 0, 13);
460 err = smp_e(tfm, irk, _res);
462 BT_ERR("Encrypt error");
466 /* The output of the random address function ah is:
467 * ah(h, r) = e(k, r') mod 2^24
468 * The output of the security function e is then truncated to 24 bits
469 * by taking the least significant 24 bits of the output of e as the
472 memcpy(res, _res, 3);
477 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
478 const bdaddr_t *bdaddr)
480 struct l2cap_chan *chan = hdev->smp_data;
481 struct crypto_blkcipher *tfm;
485 if (!chan || !chan->data)
490 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
492 err = smp_ah(tfm, irk, &bdaddr->b[3], hash);
496 return !memcmp(bdaddr->b, hash, 3);
499 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
501 struct l2cap_chan *chan = hdev->smp_data;
502 struct crypto_blkcipher *tfm;
505 if (!chan || !chan->data)
510 get_random_bytes(&rpa->b[3], 3);
512 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
513 rpa->b[5] |= 0x40; /* Set second most significant bit */
515 err = smp_ah(tfm, irk, &rpa->b[3], rpa->b);
519 BT_DBG("RPA %pMR", rpa);
524 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
526 struct l2cap_chan *chan = conn->smp;
527 struct smp_chan *smp;
534 BT_DBG("code 0x%2.2x", code);
536 iv[0].iov_base = &code;
539 iv[1].iov_base = data;
542 memset(&msg, 0, sizeof(msg));
544 iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
546 l2cap_chan_send(chan, &msg, 1 + len);
553 cancel_delayed_work_sync(&smp->security_timer);
554 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
557 static u8 authreq_to_seclevel(u8 authreq)
559 if (authreq & SMP_AUTH_MITM) {
560 if (authreq & SMP_AUTH_SC)
561 return BT_SECURITY_FIPS;
563 return BT_SECURITY_HIGH;
565 return BT_SECURITY_MEDIUM;
569 static __u8 seclevel_to_authreq(__u8 sec_level)
572 case BT_SECURITY_FIPS:
573 case BT_SECURITY_HIGH:
574 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
575 case BT_SECURITY_MEDIUM:
576 return SMP_AUTH_BONDING;
578 return SMP_AUTH_NONE;
582 static void build_pairing_cmd(struct l2cap_conn *conn,
583 struct smp_cmd_pairing *req,
584 struct smp_cmd_pairing *rsp, __u8 authreq)
586 struct l2cap_chan *chan = conn->smp;
587 struct smp_chan *smp = chan->data;
588 struct hci_conn *hcon = conn->hcon;
589 struct hci_dev *hdev = hcon->hdev;
590 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
592 if (test_bit(HCI_BONDABLE, &conn->hcon->hdev->dev_flags)) {
593 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
594 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
595 authreq |= SMP_AUTH_BONDING;
597 authreq &= ~SMP_AUTH_BONDING;
600 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
601 remote_dist |= SMP_DIST_ID_KEY;
603 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
604 local_dist |= SMP_DIST_ID_KEY;
606 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags) &&
607 (authreq & SMP_AUTH_SC)) {
608 struct oob_data *oob_data;
611 if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
612 local_dist |= SMP_DIST_LINK_KEY;
613 remote_dist |= SMP_DIST_LINK_KEY;
616 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
617 bdaddr_type = BDADDR_LE_PUBLIC;
619 bdaddr_type = BDADDR_LE_RANDOM;
621 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
624 set_bit(SMP_FLAG_OOB, &smp->flags);
625 oob_flag = SMP_OOB_PRESENT;
626 memcpy(smp->rr, oob_data->rand256, 16);
627 memcpy(smp->pcnf, oob_data->hash256, 16);
631 authreq &= ~SMP_AUTH_SC;
635 req->io_capability = conn->hcon->io_capability;
636 req->oob_flag = oob_flag;
637 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
638 req->init_key_dist = local_dist;
639 req->resp_key_dist = remote_dist;
640 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
642 smp->remote_key_dist = remote_dist;
646 rsp->io_capability = conn->hcon->io_capability;
647 rsp->oob_flag = oob_flag;
648 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
649 rsp->init_key_dist = req->init_key_dist & remote_dist;
650 rsp->resp_key_dist = req->resp_key_dist & local_dist;
651 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
653 smp->remote_key_dist = rsp->init_key_dist;
656 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
658 struct l2cap_chan *chan = conn->smp;
659 struct smp_chan *smp = chan->data;
661 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
662 (max_key_size < SMP_MIN_ENC_KEY_SIZE))
663 return SMP_ENC_KEY_SIZE;
665 smp->enc_key_size = max_key_size;
670 static void smp_chan_destroy(struct l2cap_conn *conn)
672 struct l2cap_chan *chan = conn->smp;
673 struct smp_chan *smp = chan->data;
674 struct hci_conn *hcon = conn->hcon;
679 cancel_delayed_work_sync(&smp->security_timer);
681 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
682 mgmt_smp_complete(hcon, complete);
685 kfree(smp->slave_csrk);
686 kfree(smp->link_key);
688 crypto_free_blkcipher(smp->tfm_aes);
689 crypto_free_hash(smp->tfm_cmac);
691 /* Ensure that we don't leave any debug key around if debug key
692 * support hasn't been explicitly enabled.
694 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
695 !test_bit(HCI_KEEP_DEBUG_KEYS, &hcon->hdev->dev_flags)) {
696 list_del_rcu(&smp->ltk->list);
697 kfree_rcu(smp->ltk, rcu);
701 /* If pairing failed clean up any keys we might have */
704 list_del_rcu(&smp->ltk->list);
705 kfree_rcu(smp->ltk, rcu);
708 if (smp->slave_ltk) {
709 list_del_rcu(&smp->slave_ltk->list);
710 kfree_rcu(smp->slave_ltk, rcu);
713 if (smp->remote_irk) {
714 list_del_rcu(&smp->remote_irk->list);
715 kfree_rcu(smp->remote_irk, rcu);
724 static void smp_failure(struct l2cap_conn *conn, u8 reason)
726 struct hci_conn *hcon = conn->hcon;
727 struct l2cap_chan *chan = conn->smp;
730 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
733 clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags);
734 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
737 smp_chan_destroy(conn);
740 #define JUST_WORKS 0x00
741 #define JUST_CFM 0x01
742 #define REQ_PASSKEY 0x02
743 #define CFM_PASSKEY 0x03
745 #define DSP_PASSKEY 0x05
748 static const u8 gen_method[5][5] = {
749 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
750 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
751 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
752 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
753 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
756 static const u8 sc_method[5][5] = {
757 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
758 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
759 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
760 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
761 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
764 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
766 /* If either side has unknown io_caps, use JUST_CFM (which gets
767 * converted later to JUST_WORKS if we're initiators.
769 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
770 remote_io > SMP_IO_KEYBOARD_DISPLAY)
773 if (test_bit(SMP_FLAG_SC, &smp->flags))
774 return sc_method[remote_io][local_io];
776 return gen_method[remote_io][local_io];
779 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
780 u8 local_io, u8 remote_io)
782 struct hci_conn *hcon = conn->hcon;
783 struct l2cap_chan *chan = conn->smp;
784 struct smp_chan *smp = chan->data;
788 /* Initialize key for JUST WORKS */
789 memset(smp->tk, 0, sizeof(smp->tk));
790 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
792 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
794 /* If neither side wants MITM, either "just" confirm an incoming
795 * request or use just-works for outgoing ones. The JUST_CFM
796 * will be converted to JUST_WORKS if necessary later in this
797 * function. If either side has MITM look up the method from the
800 if (!(auth & SMP_AUTH_MITM))
801 smp->method = JUST_CFM;
803 smp->method = get_auth_method(smp, local_io, remote_io);
805 /* Don't confirm locally initiated pairing attempts */
806 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
808 smp->method = JUST_WORKS;
810 /* Don't bother user space with no IO capabilities */
811 if (smp->method == JUST_CFM &&
812 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
813 smp->method = JUST_WORKS;
815 /* If Just Works, Continue with Zero TK */
816 if (smp->method == JUST_WORKS) {
817 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
821 /* Not Just Works/Confirm results in MITM Authentication */
822 if (smp->method != JUST_CFM) {
823 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
824 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
825 hcon->pending_sec_level = BT_SECURITY_HIGH;
828 /* If both devices have Keyoard-Display I/O, the master
829 * Confirms and the slave Enters the passkey.
831 if (smp->method == OVERLAP) {
832 if (hcon->role == HCI_ROLE_MASTER)
833 smp->method = CFM_PASSKEY;
835 smp->method = REQ_PASSKEY;
838 /* Generate random passkey. */
839 if (smp->method == CFM_PASSKEY) {
840 memset(smp->tk, 0, sizeof(smp->tk));
841 get_random_bytes(&passkey, sizeof(passkey));
843 put_unaligned_le32(passkey, smp->tk);
844 BT_DBG("PassKey: %d", passkey);
845 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
848 if (smp->method == REQ_PASSKEY)
849 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
850 hcon->type, hcon->dst_type);
851 else if (smp->method == JUST_CFM)
852 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
853 hcon->type, hcon->dst_type,
856 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
857 hcon->type, hcon->dst_type,
863 static u8 smp_confirm(struct smp_chan *smp)
865 struct l2cap_conn *conn = smp->conn;
866 struct smp_cmd_pairing_confirm cp;
869 BT_DBG("conn %p", conn);
871 ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
872 conn->hcon->init_addr_type, &conn->hcon->init_addr,
873 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
876 return SMP_UNSPECIFIED;
878 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
880 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
883 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
885 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
890 static u8 smp_random(struct smp_chan *smp)
892 struct l2cap_conn *conn = smp->conn;
893 struct hci_conn *hcon = conn->hcon;
897 if (IS_ERR_OR_NULL(smp->tfm_aes))
898 return SMP_UNSPECIFIED;
900 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
902 ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
903 hcon->init_addr_type, &hcon->init_addr,
904 hcon->resp_addr_type, &hcon->resp_addr, confirm);
906 return SMP_UNSPECIFIED;
908 if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
909 BT_ERR("Pairing failed (confirmation values mismatch)");
910 return SMP_CONFIRM_FAILED;
918 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
920 memset(stk + smp->enc_key_size, 0,
921 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
923 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
924 return SMP_UNSPECIFIED;
926 hci_le_start_enc(hcon, ediv, rand, stk);
927 hcon->enc_key_size = smp->enc_key_size;
928 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
934 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
937 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
939 memset(stk + smp->enc_key_size, 0,
940 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
942 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
947 /* Even though there's no _SLAVE suffix this is the
948 * slave STK we're adding for later lookup (the master
949 * STK never needs to be stored).
951 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
952 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
958 static void smp_notify_keys(struct l2cap_conn *conn)
960 struct l2cap_chan *chan = conn->smp;
961 struct smp_chan *smp = chan->data;
962 struct hci_conn *hcon = conn->hcon;
963 struct hci_dev *hdev = hcon->hdev;
964 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
965 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
968 if (smp->remote_irk) {
969 mgmt_new_irk(hdev, smp->remote_irk);
970 /* Now that user space can be considered to know the
971 * identity address track the connection based on it
972 * from now on (assuming this is an LE link).
974 if (hcon->type == LE_LINK) {
975 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
976 hcon->dst_type = smp->remote_irk->addr_type;
977 queue_work(hdev->workqueue, &conn->id_addr_update_work);
980 /* When receiving an indentity resolving key for
981 * a remote device that does not use a resolvable
982 * private address, just remove the key so that
983 * it is possible to use the controller white
986 * Userspace will have been told to not store
987 * this key at this point. So it is safe to
990 if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) {
991 list_del_rcu(&smp->remote_irk->list);
992 kfree_rcu(smp->remote_irk, rcu);
993 smp->remote_irk = NULL;
997 if (hcon->type == ACL_LINK) {
998 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1001 persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1004 /* The LTKs and CSRKs should be persistent only if both sides
1005 * had the bonding bit set in their authentication requests.
1007 persistent = !!((req->auth_req & rsp->auth_req) &
1013 smp->csrk->bdaddr_type = hcon->dst_type;
1014 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1015 mgmt_new_csrk(hdev, smp->csrk, persistent);
1018 if (smp->slave_csrk) {
1019 smp->slave_csrk->bdaddr_type = hcon->dst_type;
1020 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1021 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1025 smp->ltk->bdaddr_type = hcon->dst_type;
1026 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1027 mgmt_new_ltk(hdev, smp->ltk, persistent);
1030 if (smp->slave_ltk) {
1031 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1032 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1033 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1036 if (smp->link_key) {
1037 struct link_key *key;
1040 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1041 type = HCI_LK_DEBUG_COMBINATION;
1042 else if (hcon->sec_level == BT_SECURITY_FIPS)
1043 type = HCI_LK_AUTH_COMBINATION_P256;
1045 type = HCI_LK_UNAUTH_COMBINATION_P256;
1047 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1048 smp->link_key, type, 0, &persistent);
1050 mgmt_new_link_key(hdev, key, persistent);
1052 /* Don't keep debug keys around if the relevant
1055 if (!test_bit(HCI_KEEP_DEBUG_KEYS, &hdev->dev_flags) &&
1056 key->type == HCI_LK_DEBUG_COMBINATION) {
1057 list_del_rcu(&key->list);
1058 kfree_rcu(key, rcu);
1064 static void sc_add_ltk(struct smp_chan *smp)
1066 struct hci_conn *hcon = smp->conn->hcon;
1069 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1070 key_type = SMP_LTK_P256_DEBUG;
1072 key_type = SMP_LTK_P256;
1074 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1079 memset(smp->tk + smp->enc_key_size, 0,
1080 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
1082 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1083 key_type, auth, smp->tk, smp->enc_key_size,
1087 static void sc_generate_link_key(struct smp_chan *smp)
1089 /* These constants are as specified in the core specification.
1090 * In ASCII they spell out to 'tmp1' and 'lebr'.
1092 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1093 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1095 smp->link_key = kzalloc(16, GFP_KERNEL);
1099 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1100 kfree(smp->link_key);
1101 smp->link_key = NULL;
1105 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1106 kfree(smp->link_key);
1107 smp->link_key = NULL;
1112 static void smp_allow_key_dist(struct smp_chan *smp)
1114 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1115 * will be allowed in each PDU handler to ensure we receive
1116 * them in the correct order.
1118 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1119 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1120 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1121 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1122 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1123 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1126 static void sc_generate_ltk(struct smp_chan *smp)
1128 /* These constants are as specified in the core specification.
1129 * In ASCII they spell out to 'tmp2' and 'brle'.
1131 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1132 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1133 struct hci_conn *hcon = smp->conn->hcon;
1134 struct hci_dev *hdev = hcon->hdev;
1135 struct link_key *key;
1137 key = hci_find_link_key(hdev, &hcon->dst);
1139 BT_ERR("%s No Link Key found to generate LTK", hdev->name);
1143 if (key->type == HCI_LK_DEBUG_COMBINATION)
1144 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1146 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1149 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1155 static void smp_distribute_keys(struct smp_chan *smp)
1157 struct smp_cmd_pairing *req, *rsp;
1158 struct l2cap_conn *conn = smp->conn;
1159 struct hci_conn *hcon = conn->hcon;
1160 struct hci_dev *hdev = hcon->hdev;
1163 BT_DBG("conn %p", conn);
1165 rsp = (void *) &smp->prsp[1];
1167 /* The responder sends its keys first */
1168 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1169 smp_allow_key_dist(smp);
1173 req = (void *) &smp->preq[1];
1176 keydist = &rsp->init_key_dist;
1177 *keydist &= req->init_key_dist;
1179 keydist = &rsp->resp_key_dist;
1180 *keydist &= req->resp_key_dist;
1183 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1184 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1185 sc_generate_link_key(smp);
1186 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1187 sc_generate_ltk(smp);
1189 /* Clear the keys which are generated but not distributed */
1190 *keydist &= ~SMP_SC_NO_DIST;
1193 BT_DBG("keydist 0x%x", *keydist);
1195 if (*keydist & SMP_DIST_ENC_KEY) {
1196 struct smp_cmd_encrypt_info enc;
1197 struct smp_cmd_master_ident ident;
1198 struct smp_ltk *ltk;
1203 get_random_bytes(enc.ltk, sizeof(enc.ltk));
1204 get_random_bytes(&ediv, sizeof(ediv));
1205 get_random_bytes(&rand, sizeof(rand));
1207 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1209 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1210 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1211 SMP_LTK_SLAVE, authenticated, enc.ltk,
1212 smp->enc_key_size, ediv, rand);
1213 smp->slave_ltk = ltk;
1218 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1220 *keydist &= ~SMP_DIST_ENC_KEY;
1223 if (*keydist & SMP_DIST_ID_KEY) {
1224 struct smp_cmd_ident_addr_info addrinfo;
1225 struct smp_cmd_ident_info idinfo;
1227 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1229 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1231 /* The hci_conn contains the local identity address
1232 * after the connection has been established.
1234 * This is true even when the connection has been
1235 * established using a resolvable random address.
1237 bacpy(&addrinfo.bdaddr, &hcon->src);
1238 addrinfo.addr_type = hcon->src_type;
1240 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1243 *keydist &= ~SMP_DIST_ID_KEY;
1246 if (*keydist & SMP_DIST_SIGN) {
1247 struct smp_cmd_sign_info sign;
1248 struct smp_csrk *csrk;
1250 /* Generate a new random key */
1251 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1253 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1255 csrk->master = 0x00;
1256 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1258 smp->slave_csrk = csrk;
1260 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1262 *keydist &= ~SMP_DIST_SIGN;
1265 /* If there are still keys to be received wait for them */
1266 if (smp->remote_key_dist & KEY_DIST_MASK) {
1267 smp_allow_key_dist(smp);
1271 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1272 smp_notify_keys(conn);
1274 smp_chan_destroy(conn);
1277 static void smp_timeout(struct work_struct *work)
1279 struct smp_chan *smp = container_of(work, struct smp_chan,
1280 security_timer.work);
1281 struct l2cap_conn *conn = smp->conn;
1283 BT_DBG("conn %p", conn);
1285 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1288 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1290 struct l2cap_chan *chan = conn->smp;
1291 struct smp_chan *smp;
1293 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1297 smp->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
1298 if (IS_ERR(smp->tfm_aes)) {
1299 BT_ERR("Unable to create ECB crypto context");
1304 smp->tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
1305 if (IS_ERR(smp->tfm_cmac)) {
1306 BT_ERR("Unable to create CMAC crypto context");
1307 crypto_free_blkcipher(smp->tfm_aes);
1315 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1317 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1319 hci_conn_hold(conn->hcon);
1324 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1326 struct hci_conn *hcon = smp->conn->hcon;
1327 u8 *na, *nb, a[7], b[7];
1337 memcpy(a, &hcon->init_addr, 6);
1338 memcpy(b, &hcon->resp_addr, 6);
1339 a[6] = hcon->init_addr_type;
1340 b[6] = hcon->resp_addr_type;
1342 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1345 static void sc_dhkey_check(struct smp_chan *smp)
1347 struct hci_conn *hcon = smp->conn->hcon;
1348 struct smp_cmd_dhkey_check check;
1349 u8 a[7], b[7], *local_addr, *remote_addr;
1350 u8 io_cap[3], r[16];
1352 memcpy(a, &hcon->init_addr, 6);
1353 memcpy(b, &hcon->resp_addr, 6);
1354 a[6] = hcon->init_addr_type;
1355 b[6] = hcon->resp_addr_type;
1360 memcpy(io_cap, &smp->preq[1], 3);
1364 memcpy(io_cap, &smp->prsp[1], 3);
1367 memset(r, 0, sizeof(r));
1369 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1370 put_unaligned_le32(hcon->passkey_notify, r);
1372 if (smp->method == REQ_OOB)
1373 memcpy(r, smp->rr, 16);
1375 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1376 local_addr, remote_addr, check.e);
1378 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1381 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1383 struct l2cap_conn *conn = smp->conn;
1384 struct hci_conn *hcon = conn->hcon;
1385 struct smp_cmd_pairing_confirm cfm;
1388 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1391 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1393 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1395 return SMP_UNSPECIFIED;
1397 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1402 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1404 struct l2cap_conn *conn = smp->conn;
1405 struct hci_conn *hcon = conn->hcon;
1406 struct hci_dev *hdev = hcon->hdev;
1409 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1410 if (smp->passkey_round >= 20)
1414 case SMP_CMD_PAIRING_RANDOM:
1415 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1418 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1420 return SMP_UNSPECIFIED;
1422 if (memcmp(smp->pcnf, cfm, 16))
1423 return SMP_CONFIRM_FAILED;
1425 smp->passkey_round++;
1427 if (smp->passkey_round == 20) {
1428 /* Generate MacKey and LTK */
1429 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1430 return SMP_UNSPECIFIED;
1433 /* The round is only complete when the initiator
1434 * receives pairing random.
1437 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1438 sizeof(smp->prnd), smp->prnd);
1439 if (smp->passkey_round == 20)
1440 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1442 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1446 /* Start the next round */
1447 if (smp->passkey_round != 20)
1448 return sc_passkey_round(smp, 0);
1450 /* Passkey rounds are complete - start DHKey Check */
1451 sc_dhkey_check(smp);
1452 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1456 case SMP_CMD_PAIRING_CONFIRM:
1457 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1458 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1462 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1465 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1466 sizeof(smp->prnd), smp->prnd);
1470 return sc_passkey_send_confirm(smp);
1472 case SMP_CMD_PUBLIC_KEY:
1474 /* Initiating device starts the round */
1478 BT_DBG("%s Starting passkey round %u", hdev->name,
1479 smp->passkey_round + 1);
1481 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1483 return sc_passkey_send_confirm(smp);
1489 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1491 struct l2cap_conn *conn = smp->conn;
1492 struct hci_conn *hcon = conn->hcon;
1495 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1498 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1499 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1501 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1502 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1504 case MGMT_OP_USER_PASSKEY_REPLY:
1505 hcon->passkey_notify = le32_to_cpu(passkey);
1506 smp->passkey_round = 0;
1508 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1509 smp_op = SMP_CMD_PAIRING_CONFIRM;
1513 if (sc_passkey_round(smp, smp_op))
1519 /* Initiator sends DHKey check first */
1521 sc_dhkey_check(smp);
1522 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1523 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1524 sc_dhkey_check(smp);
1531 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1533 struct l2cap_conn *conn = hcon->l2cap_data;
1534 struct l2cap_chan *chan;
1535 struct smp_chan *smp;
1548 l2cap_chan_lock(chan);
1556 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1557 err = sc_user_reply(smp, mgmt_op, passkey);
1562 case MGMT_OP_USER_PASSKEY_REPLY:
1563 value = le32_to_cpu(passkey);
1564 memset(smp->tk, 0, sizeof(smp->tk));
1565 BT_DBG("PassKey: %d", value);
1566 put_unaligned_le32(value, smp->tk);
1568 case MGMT_OP_USER_CONFIRM_REPLY:
1569 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1571 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1572 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1573 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1577 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1584 /* If it is our turn to send Pairing Confirm, do so now */
1585 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1586 u8 rsp = smp_confirm(smp);
1588 smp_failure(conn, rsp);
1592 l2cap_chan_unlock(chan);
1596 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1597 struct smp_cmd_pairing *req,
1598 struct smp_cmd_pairing *rsp)
1600 struct l2cap_conn *conn = smp->conn;
1601 struct hci_dev *hdev = conn->hcon->hdev;
1602 u8 local_dist = 0, remote_dist = 0;
1604 if (test_bit(HCI_BONDABLE, &hdev->dev_flags)) {
1605 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1606 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1609 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
1610 remote_dist |= SMP_DIST_ID_KEY;
1612 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
1613 local_dist |= SMP_DIST_ID_KEY;
1616 memset(req, 0, sizeof(*req));
1618 req->init_key_dist = local_dist;
1619 req->resp_key_dist = remote_dist;
1620 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1622 smp->remote_key_dist = remote_dist;
1627 memset(rsp, 0, sizeof(*rsp));
1629 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1630 rsp->init_key_dist = req->init_key_dist & remote_dist;
1631 rsp->resp_key_dist = req->resp_key_dist & local_dist;
1633 smp->remote_key_dist = rsp->init_key_dist;
1636 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1638 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1639 struct l2cap_chan *chan = conn->smp;
1640 struct hci_dev *hdev = conn->hcon->hdev;
1641 struct smp_chan *smp;
1642 u8 key_size, auth, sec_level;
1645 BT_DBG("conn %p", conn);
1647 if (skb->len < sizeof(*req))
1648 return SMP_INVALID_PARAMS;
1650 if (conn->hcon->role != HCI_ROLE_SLAVE)
1651 return SMP_CMD_NOTSUPP;
1654 smp = smp_chan_create(conn);
1659 return SMP_UNSPECIFIED;
1661 /* We didn't start the pairing, so match remote */
1662 auth = req->auth_req & AUTH_REQ_MASK(hdev);
1664 if (!test_bit(HCI_BONDABLE, &hdev->dev_flags) &&
1665 (auth & SMP_AUTH_BONDING))
1666 return SMP_PAIRING_NOTSUPP;
1668 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
1669 return SMP_AUTH_REQUIREMENTS;
1671 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1672 memcpy(&smp->preq[1], req, sizeof(*req));
1673 skb_pull(skb, sizeof(*req));
1675 /* SMP over BR/EDR requires special treatment */
1676 if (conn->hcon->type == ACL_LINK) {
1677 /* We must have a BR/EDR SC link */
1678 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1679 !test_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags))
1680 return SMP_CROSS_TRANSP_NOT_ALLOWED;
1682 set_bit(SMP_FLAG_SC, &smp->flags);
1684 build_bredr_pairing_cmd(smp, req, &rsp);
1686 key_size = min(req->max_key_size, rsp.max_key_size);
1687 if (check_enc_key_size(conn, key_size))
1688 return SMP_ENC_KEY_SIZE;
1690 /* Clear bits which are generated but not distributed */
1691 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1693 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1694 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1695 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1697 smp_distribute_keys(smp);
1701 build_pairing_cmd(conn, req, &rsp, auth);
1703 if (rsp.auth_req & SMP_AUTH_SC)
1704 set_bit(SMP_FLAG_SC, &smp->flags);
1706 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1707 sec_level = BT_SECURITY_MEDIUM;
1709 sec_level = authreq_to_seclevel(auth);
1711 if (sec_level > conn->hcon->pending_sec_level)
1712 conn->hcon->pending_sec_level = sec_level;
1714 /* If we need MITM check that it can be achieved */
1715 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1718 method = get_auth_method(smp, conn->hcon->io_capability,
1719 req->io_capability);
1720 if (method == JUST_WORKS || method == JUST_CFM)
1721 return SMP_AUTH_REQUIREMENTS;
1724 key_size = min(req->max_key_size, rsp.max_key_size);
1725 if (check_enc_key_size(conn, key_size))
1726 return SMP_ENC_KEY_SIZE;
1728 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1730 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1731 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1733 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1735 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1737 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1738 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1739 /* Clear bits which are generated but not distributed */
1740 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1741 /* Wait for Public Key from Initiating Device */
1744 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1747 /* Request setup of TK */
1748 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1750 return SMP_UNSPECIFIED;
1755 static u8 sc_send_public_key(struct smp_chan *smp)
1757 struct hci_dev *hdev = smp->conn->hcon->hdev;
1761 if (test_bit(HCI_USE_DEBUG_KEYS, &hdev->dev_flags)) {
1762 BT_DBG("Using debug keys");
1763 memcpy(smp->local_pk, debug_pk, 64);
1764 memcpy(smp->local_sk, debug_sk, 32);
1765 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1768 /* Generate local key pair for Secure Connections */
1769 if (!ecc_make_key(smp->local_pk, smp->local_sk))
1770 return SMP_UNSPECIFIED;
1772 /* This is unlikely, but we need to check that
1773 * we didn't accidentially generate a debug key.
1775 if (memcmp(smp->local_sk, debug_sk, 32))
1780 SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1781 SMP_DBG("Local Public Key Y: %32phN", &smp->local_pk[32]);
1782 SMP_DBG("Local Private Key: %32phN", smp->local_sk);
1784 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1789 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1791 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1792 struct l2cap_chan *chan = conn->smp;
1793 struct smp_chan *smp = chan->data;
1794 struct hci_dev *hdev = conn->hcon->hdev;
1798 BT_DBG("conn %p", conn);
1800 if (skb->len < sizeof(*rsp))
1801 return SMP_INVALID_PARAMS;
1803 if (conn->hcon->role != HCI_ROLE_MASTER)
1804 return SMP_CMD_NOTSUPP;
1806 skb_pull(skb, sizeof(*rsp));
1808 req = (void *) &smp->preq[1];
1810 key_size = min(req->max_key_size, rsp->max_key_size);
1811 if (check_enc_key_size(conn, key_size))
1812 return SMP_ENC_KEY_SIZE;
1814 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1816 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
1817 return SMP_AUTH_REQUIREMENTS;
1819 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1820 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1822 /* Update remote key distribution in case the remote cleared
1823 * some bits that we had enabled in our request.
1825 smp->remote_key_dist &= rsp->resp_key_dist;
1827 /* For BR/EDR this means we're done and can start phase 3 */
1828 if (conn->hcon->type == ACL_LINK) {
1829 /* Clear bits which are generated but not distributed */
1830 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1831 smp_distribute_keys(smp);
1835 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1836 set_bit(SMP_FLAG_SC, &smp->flags);
1837 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1838 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1840 /* If we need MITM check that it can be achieved */
1841 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1844 method = get_auth_method(smp, req->io_capability,
1845 rsp->io_capability);
1846 if (method == JUST_WORKS || method == JUST_CFM)
1847 return SMP_AUTH_REQUIREMENTS;
1850 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1852 /* Update remote key distribution in case the remote cleared
1853 * some bits that we had enabled in our request.
1855 smp->remote_key_dist &= rsp->resp_key_dist;
1857 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1858 /* Clear bits which are generated but not distributed */
1859 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1860 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1861 return sc_send_public_key(smp);
1864 auth |= req->auth_req;
1866 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
1868 return SMP_UNSPECIFIED;
1870 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1872 /* Can't compose response until we have been confirmed */
1873 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1874 return smp_confirm(smp);
1879 static u8 sc_check_confirm(struct smp_chan *smp)
1881 struct l2cap_conn *conn = smp->conn;
1885 /* Public Key exchange must happen before any other steps */
1886 if (!test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
1887 return SMP_UNSPECIFIED;
1889 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1890 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
1892 if (conn->hcon->out) {
1893 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1895 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1901 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
1903 struct l2cap_chan *chan = conn->smp;
1904 struct smp_chan *smp = chan->data;
1906 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
1908 if (skb->len < sizeof(smp->pcnf))
1909 return SMP_INVALID_PARAMS;
1911 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
1912 skb_pull(skb, sizeof(smp->pcnf));
1914 if (test_bit(SMP_FLAG_SC, &smp->flags))
1915 return sc_check_confirm(smp);
1917 if (conn->hcon->out) {
1918 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1920 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1924 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1925 return smp_confirm(smp);
1927 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1932 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
1934 struct l2cap_chan *chan = conn->smp;
1935 struct smp_chan *smp = chan->data;
1936 struct hci_conn *hcon = conn->hcon;
1937 u8 *pkax, *pkbx, *na, *nb;
1941 BT_DBG("conn %p", conn);
1943 if (skb->len < sizeof(smp->rrnd))
1944 return SMP_INVALID_PARAMS;
1946 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
1947 skb_pull(skb, sizeof(smp->rrnd));
1949 if (!test_bit(SMP_FLAG_SC, &smp->flags))
1950 return smp_random(smp);
1953 pkax = smp->local_pk;
1954 pkbx = smp->remote_pk;
1958 pkax = smp->remote_pk;
1959 pkbx = smp->local_pk;
1964 if (smp->method == REQ_OOB) {
1966 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1967 sizeof(smp->prnd), smp->prnd);
1968 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1969 goto mackey_and_ltk;
1972 /* Passkey entry has special treatment */
1973 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1974 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
1979 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1982 return SMP_UNSPECIFIED;
1984 if (memcmp(smp->pcnf, cfm, 16))
1985 return SMP_CONFIRM_FAILED;
1987 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1989 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1993 /* Generate MacKey and LTK */
1994 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
1996 return SMP_UNSPECIFIED;
1998 if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2000 sc_dhkey_check(smp);
2001 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2006 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2008 return SMP_UNSPECIFIED;
2010 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2011 hcon->dst_type, passkey, 0);
2013 return SMP_UNSPECIFIED;
2015 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2020 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2022 struct smp_ltk *key;
2023 struct hci_conn *hcon = conn->hcon;
2025 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2029 if (smp_ltk_sec_level(key) < sec_level)
2032 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2035 hci_le_start_enc(hcon, key->ediv, key->rand, key->val);
2036 hcon->enc_key_size = key->enc_size;
2038 /* We never store STKs for master role, so clear this flag */
2039 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2044 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2045 enum smp_key_pref key_pref)
2047 if (sec_level == BT_SECURITY_LOW)
2050 /* If we're encrypted with an STK but the caller prefers using
2051 * LTK claim insufficient security. This way we allow the
2052 * connection to be re-encrypted with an LTK, even if the LTK
2053 * provides the same level of security. Only exception is if we
2054 * don't have an LTK (e.g. because of key distribution bits).
2056 if (key_pref == SMP_USE_LTK &&
2057 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2058 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2061 if (hcon->sec_level >= sec_level)
2067 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2069 struct smp_cmd_security_req *rp = (void *) skb->data;
2070 struct smp_cmd_pairing cp;
2071 struct hci_conn *hcon = conn->hcon;
2072 struct hci_dev *hdev = hcon->hdev;
2073 struct smp_chan *smp;
2076 BT_DBG("conn %p", conn);
2078 if (skb->len < sizeof(*rp))
2079 return SMP_INVALID_PARAMS;
2081 if (hcon->role != HCI_ROLE_MASTER)
2082 return SMP_CMD_NOTSUPP;
2084 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2086 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
2087 return SMP_AUTH_REQUIREMENTS;
2089 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2090 sec_level = BT_SECURITY_MEDIUM;
2092 sec_level = authreq_to_seclevel(auth);
2094 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2097 if (sec_level > hcon->pending_sec_level)
2098 hcon->pending_sec_level = sec_level;
2100 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2103 smp = smp_chan_create(conn);
2105 return SMP_UNSPECIFIED;
2107 if (!test_bit(HCI_BONDABLE, &hcon->hdev->dev_flags) &&
2108 (auth & SMP_AUTH_BONDING))
2109 return SMP_PAIRING_NOTSUPP;
2111 skb_pull(skb, sizeof(*rp));
2113 memset(&cp, 0, sizeof(cp));
2114 build_pairing_cmd(conn, &cp, NULL, auth);
2116 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2117 memcpy(&smp->preq[1], &cp, sizeof(cp));
2119 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2120 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2125 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2127 struct l2cap_conn *conn = hcon->l2cap_data;
2128 struct l2cap_chan *chan;
2129 struct smp_chan *smp;
2133 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2135 /* This may be NULL if there's an unexpected disconnection */
2141 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags))
2144 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2147 if (sec_level > hcon->pending_sec_level)
2148 hcon->pending_sec_level = sec_level;
2150 if (hcon->role == HCI_ROLE_MASTER)
2151 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2154 l2cap_chan_lock(chan);
2156 /* If SMP is already in progress ignore this request */
2162 smp = smp_chan_create(conn);
2168 authreq = seclevel_to_authreq(sec_level);
2170 if (test_bit(HCI_SC_ENABLED, &hcon->hdev->dev_flags))
2171 authreq |= SMP_AUTH_SC;
2173 /* Require MITM if IO Capability allows or the security level
2176 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2177 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2178 authreq |= SMP_AUTH_MITM;
2180 if (hcon->role == HCI_ROLE_MASTER) {
2181 struct smp_cmd_pairing cp;
2183 build_pairing_cmd(conn, &cp, NULL, authreq);
2184 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2185 memcpy(&smp->preq[1], &cp, sizeof(cp));
2187 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2188 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2190 struct smp_cmd_security_req cp;
2191 cp.auth_req = authreq;
2192 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2193 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2196 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2200 l2cap_chan_unlock(chan);
2204 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2206 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2207 struct l2cap_chan *chan = conn->smp;
2208 struct smp_chan *smp = chan->data;
2210 BT_DBG("conn %p", conn);
2212 if (skb->len < sizeof(*rp))
2213 return SMP_INVALID_PARAMS;
2215 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2217 skb_pull(skb, sizeof(*rp));
2219 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2224 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2226 struct smp_cmd_master_ident *rp = (void *) skb->data;
2227 struct l2cap_chan *chan = conn->smp;
2228 struct smp_chan *smp = chan->data;
2229 struct hci_dev *hdev = conn->hcon->hdev;
2230 struct hci_conn *hcon = conn->hcon;
2231 struct smp_ltk *ltk;
2234 BT_DBG("conn %p", conn);
2236 if (skb->len < sizeof(*rp))
2237 return SMP_INVALID_PARAMS;
2239 /* Mark the information as received */
2240 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2242 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2243 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2244 else if (smp->remote_key_dist & SMP_DIST_SIGN)
2245 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2247 skb_pull(skb, sizeof(*rp));
2249 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2250 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2251 authenticated, smp->tk, smp->enc_key_size,
2252 rp->ediv, rp->rand);
2254 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2255 smp_distribute_keys(smp);
2260 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2262 struct smp_cmd_ident_info *info = (void *) skb->data;
2263 struct l2cap_chan *chan = conn->smp;
2264 struct smp_chan *smp = chan->data;
2268 if (skb->len < sizeof(*info))
2269 return SMP_INVALID_PARAMS;
2271 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2273 skb_pull(skb, sizeof(*info));
2275 memcpy(smp->irk, info->irk, 16);
2280 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2281 struct sk_buff *skb)
2283 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2284 struct l2cap_chan *chan = conn->smp;
2285 struct smp_chan *smp = chan->data;
2286 struct hci_conn *hcon = conn->hcon;
2291 if (skb->len < sizeof(*info))
2292 return SMP_INVALID_PARAMS;
2294 /* Mark the information as received */
2295 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2297 if (smp->remote_key_dist & SMP_DIST_SIGN)
2298 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2300 skb_pull(skb, sizeof(*info));
2302 /* Strictly speaking the Core Specification (4.1) allows sending
2303 * an empty address which would force us to rely on just the IRK
2304 * as "identity information". However, since such
2305 * implementations are not known of and in order to not over
2306 * complicate our implementation, simply pretend that we never
2307 * received an IRK for such a device.
2309 if (!bacmp(&info->bdaddr, BDADDR_ANY)) {
2310 BT_ERR("Ignoring IRK with no identity address");
2314 bacpy(&smp->id_addr, &info->bdaddr);
2315 smp->id_addr_type = info->addr_type;
2317 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2318 bacpy(&rpa, &hcon->dst);
2320 bacpy(&rpa, BDADDR_ANY);
2322 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2323 smp->id_addr_type, smp->irk, &rpa);
2326 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2327 smp_distribute_keys(smp);
2332 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2334 struct smp_cmd_sign_info *rp = (void *) skb->data;
2335 struct l2cap_chan *chan = conn->smp;
2336 struct smp_chan *smp = chan->data;
2337 struct smp_csrk *csrk;
2339 BT_DBG("conn %p", conn);
2341 if (skb->len < sizeof(*rp))
2342 return SMP_INVALID_PARAMS;
2344 /* Mark the information as received */
2345 smp->remote_key_dist &= ~SMP_DIST_SIGN;
2347 skb_pull(skb, sizeof(*rp));
2349 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2351 csrk->master = 0x01;
2352 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2355 smp_distribute_keys(smp);
2360 static u8 sc_select_method(struct smp_chan *smp)
2362 struct l2cap_conn *conn = smp->conn;
2363 struct hci_conn *hcon = conn->hcon;
2364 struct smp_cmd_pairing *local, *remote;
2365 u8 local_mitm, remote_mitm, local_io, remote_io, method;
2367 if (test_bit(SMP_FLAG_OOB, &smp->flags))
2370 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2371 * which are needed as inputs to some crypto functions. To get
2372 * the "struct smp_cmd_pairing" from them we need to skip the
2373 * first byte which contains the opcode.
2376 local = (void *) &smp->preq[1];
2377 remote = (void *) &smp->prsp[1];
2379 local = (void *) &smp->prsp[1];
2380 remote = (void *) &smp->preq[1];
2383 local_io = local->io_capability;
2384 remote_io = remote->io_capability;
2386 local_mitm = (local->auth_req & SMP_AUTH_MITM);
2387 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2389 /* If either side wants MITM, look up the method from the table,
2390 * otherwise use JUST WORKS.
2392 if (local_mitm || remote_mitm)
2393 method = get_auth_method(smp, local_io, remote_io);
2395 method = JUST_WORKS;
2397 /* Don't confirm locally initiated pairing attempts */
2398 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2399 method = JUST_WORKS;
2404 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2406 struct smp_cmd_public_key *key = (void *) skb->data;
2407 struct hci_conn *hcon = conn->hcon;
2408 struct l2cap_chan *chan = conn->smp;
2409 struct smp_chan *smp = chan->data;
2410 struct hci_dev *hdev = hcon->hdev;
2411 struct smp_cmd_pairing_confirm cfm;
2414 BT_DBG("conn %p", conn);
2416 if (skb->len < sizeof(*key))
2417 return SMP_INVALID_PARAMS;
2419 memcpy(smp->remote_pk, key, 64);
2421 /* Non-initiating device sends its public key after receiving
2422 * the key from the initiating device.
2425 err = sc_send_public_key(smp);
2430 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2431 SMP_DBG("Remote Public Key Y: %32phN", &smp->remote_pk[32]);
2433 if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2434 return SMP_UNSPECIFIED;
2436 SMP_DBG("DHKey %32phN", smp->dhkey);
2438 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2440 smp->method = sc_select_method(smp);
2442 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2444 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2445 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2446 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2448 hcon->pending_sec_level = BT_SECURITY_FIPS;
2450 if (!memcmp(debug_pk, smp->remote_pk, 64))
2451 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2453 if (smp->method == DSP_PASSKEY) {
2454 get_random_bytes(&hcon->passkey_notify,
2455 sizeof(hcon->passkey_notify));
2456 hcon->passkey_notify %= 1000000;
2457 hcon->passkey_entered = 0;
2458 smp->passkey_round = 0;
2459 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2461 hcon->passkey_notify,
2462 hcon->passkey_entered))
2463 return SMP_UNSPECIFIED;
2464 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2465 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2468 if (smp->method == REQ_OOB) {
2469 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2470 smp->rr, 0, cfm.confirm_val);
2472 return SMP_UNSPECIFIED;
2474 if (memcmp(cfm.confirm_val, smp->pcnf, 16))
2475 return SMP_CONFIRM_FAILED;
2478 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2479 sizeof(smp->prnd), smp->prnd);
2481 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2487 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2489 if (smp->method == REQ_PASSKEY) {
2490 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2492 return SMP_UNSPECIFIED;
2493 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2494 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2498 /* The Initiating device waits for the non-initiating device to
2499 * send the confirm value.
2501 if (conn->hcon->out)
2504 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2505 0, cfm.confirm_val);
2507 return SMP_UNSPECIFIED;
2509 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2510 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2515 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2517 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2518 struct l2cap_chan *chan = conn->smp;
2519 struct hci_conn *hcon = conn->hcon;
2520 struct smp_chan *smp = chan->data;
2521 u8 a[7], b[7], *local_addr, *remote_addr;
2522 u8 io_cap[3], r[16], e[16];
2525 BT_DBG("conn %p", conn);
2527 if (skb->len < sizeof(*check))
2528 return SMP_INVALID_PARAMS;
2530 memcpy(a, &hcon->init_addr, 6);
2531 memcpy(b, &hcon->resp_addr, 6);
2532 a[6] = hcon->init_addr_type;
2533 b[6] = hcon->resp_addr_type;
2538 memcpy(io_cap, &smp->prsp[1], 3);
2542 memcpy(io_cap, &smp->preq[1], 3);
2545 memset(r, 0, sizeof(r));
2547 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2548 put_unaligned_le32(hcon->passkey_notify, r);
2550 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2551 io_cap, remote_addr, local_addr, e);
2553 return SMP_UNSPECIFIED;
2555 if (memcmp(check->e, e, 16))
2556 return SMP_DHKEY_CHECK_FAILED;
2559 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2560 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2564 /* Slave sends DHKey check as response to master */
2565 sc_dhkey_check(smp);
2571 hci_le_start_enc(hcon, 0, 0, smp->tk);
2572 hcon->enc_key_size = smp->enc_key_size;
2578 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2579 struct sk_buff *skb)
2581 struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2583 BT_DBG("value 0x%02x", kp->value);
2588 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2590 struct l2cap_conn *conn = chan->conn;
2591 struct hci_conn *hcon = conn->hcon;
2592 struct smp_chan *smp;
2599 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags)) {
2600 reason = SMP_PAIRING_NOTSUPP;
2604 code = skb->data[0];
2605 skb_pull(skb, sizeof(code));
2609 if (code > SMP_CMD_MAX)
2612 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2615 /* If we don't have a context the only allowed commands are
2616 * pairing request and security request.
2618 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2622 case SMP_CMD_PAIRING_REQ:
2623 reason = smp_cmd_pairing_req(conn, skb);
2626 case SMP_CMD_PAIRING_FAIL:
2627 smp_failure(conn, 0);
2631 case SMP_CMD_PAIRING_RSP:
2632 reason = smp_cmd_pairing_rsp(conn, skb);
2635 case SMP_CMD_SECURITY_REQ:
2636 reason = smp_cmd_security_req(conn, skb);
2639 case SMP_CMD_PAIRING_CONFIRM:
2640 reason = smp_cmd_pairing_confirm(conn, skb);
2643 case SMP_CMD_PAIRING_RANDOM:
2644 reason = smp_cmd_pairing_random(conn, skb);
2647 case SMP_CMD_ENCRYPT_INFO:
2648 reason = smp_cmd_encrypt_info(conn, skb);
2651 case SMP_CMD_MASTER_IDENT:
2652 reason = smp_cmd_master_ident(conn, skb);
2655 case SMP_CMD_IDENT_INFO:
2656 reason = smp_cmd_ident_info(conn, skb);
2659 case SMP_CMD_IDENT_ADDR_INFO:
2660 reason = smp_cmd_ident_addr_info(conn, skb);
2663 case SMP_CMD_SIGN_INFO:
2664 reason = smp_cmd_sign_info(conn, skb);
2667 case SMP_CMD_PUBLIC_KEY:
2668 reason = smp_cmd_public_key(conn, skb);
2671 case SMP_CMD_DHKEY_CHECK:
2672 reason = smp_cmd_dhkey_check(conn, skb);
2675 case SMP_CMD_KEYPRESS_NOTIFY:
2676 reason = smp_cmd_keypress_notify(conn, skb);
2680 BT_DBG("Unknown command code 0x%2.2x", code);
2681 reason = SMP_CMD_NOTSUPP;
2688 smp_failure(conn, reason);
2695 BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2701 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2703 struct l2cap_conn *conn = chan->conn;
2705 BT_DBG("chan %p", chan);
2708 smp_chan_destroy(conn);
2711 l2cap_chan_put(chan);
2714 static void bredr_pairing(struct l2cap_chan *chan)
2716 struct l2cap_conn *conn = chan->conn;
2717 struct hci_conn *hcon = conn->hcon;
2718 struct hci_dev *hdev = hcon->hdev;
2719 struct smp_cmd_pairing req;
2720 struct smp_chan *smp;
2722 BT_DBG("chan %p", chan);
2724 /* Only new pairings are interesting */
2725 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2728 /* Don't bother if we're not encrypted */
2729 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2732 /* Only master may initiate SMP over BR/EDR */
2733 if (hcon->role != HCI_ROLE_MASTER)
2736 /* Secure Connections support must be enabled */
2737 if (!test_bit(HCI_SC_ENABLED, &hdev->dev_flags))
2740 /* BR/EDR must use Secure Connections for SMP */
2741 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
2742 !test_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags))
2745 /* If our LE support is not enabled don't do anything */
2746 if (!test_bit(HCI_LE_ENABLED, &hdev->dev_flags))
2749 /* Don't bother if remote LE support is not enabled */
2750 if (!lmp_host_le_capable(hcon))
2753 /* Remote must support SMP fixed chan for BR/EDR */
2754 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
2757 /* Don't bother if SMP is already ongoing */
2761 smp = smp_chan_create(conn);
2763 BT_ERR("%s unable to create SMP context for BR/EDR",
2768 set_bit(SMP_FLAG_SC, &smp->flags);
2770 BT_DBG("%s starting SMP over BR/EDR", hdev->name);
2772 /* Prepare and send the BR/EDR SMP Pairing Request */
2773 build_bredr_pairing_cmd(smp, &req, NULL);
2775 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2776 memcpy(&smp->preq[1], &req, sizeof(req));
2778 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
2779 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2782 static void smp_resume_cb(struct l2cap_chan *chan)
2784 struct smp_chan *smp = chan->data;
2785 struct l2cap_conn *conn = chan->conn;
2786 struct hci_conn *hcon = conn->hcon;
2788 BT_DBG("chan %p", chan);
2790 if (hcon->type == ACL_LINK) {
2791 bredr_pairing(chan);
2798 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2801 cancel_delayed_work(&smp->security_timer);
2803 smp_distribute_keys(smp);
2806 static void smp_ready_cb(struct l2cap_chan *chan)
2808 struct l2cap_conn *conn = chan->conn;
2809 struct hci_conn *hcon = conn->hcon;
2811 BT_DBG("chan %p", chan);
2814 l2cap_chan_hold(chan);
2816 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2817 bredr_pairing(chan);
2820 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
2824 BT_DBG("chan %p", chan);
2826 err = smp_sig_channel(chan, skb);
2828 struct smp_chan *smp = chan->data;
2831 cancel_delayed_work_sync(&smp->security_timer);
2833 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
2839 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
2840 unsigned long hdr_len,
2841 unsigned long len, int nb)
2843 struct sk_buff *skb;
2845 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
2847 return ERR_PTR(-ENOMEM);
2849 skb->priority = HCI_PRIO_MAX;
2850 bt_cb(skb)->chan = chan;
2855 static const struct l2cap_ops smp_chan_ops = {
2856 .name = "Security Manager",
2857 .ready = smp_ready_cb,
2858 .recv = smp_recv_cb,
2859 .alloc_skb = smp_alloc_skb_cb,
2860 .teardown = smp_teardown_cb,
2861 .resume = smp_resume_cb,
2863 .new_connection = l2cap_chan_no_new_connection,
2864 .state_change = l2cap_chan_no_state_change,
2865 .close = l2cap_chan_no_close,
2866 .defer = l2cap_chan_no_defer,
2867 .suspend = l2cap_chan_no_suspend,
2868 .set_shutdown = l2cap_chan_no_set_shutdown,
2869 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
2872 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
2874 struct l2cap_chan *chan;
2876 BT_DBG("pchan %p", pchan);
2878 chan = l2cap_chan_create();
2882 chan->chan_type = pchan->chan_type;
2883 chan->ops = &smp_chan_ops;
2884 chan->scid = pchan->scid;
2885 chan->dcid = chan->scid;
2886 chan->imtu = pchan->imtu;
2887 chan->omtu = pchan->omtu;
2888 chan->mode = pchan->mode;
2890 /* Other L2CAP channels may request SMP routines in order to
2891 * change the security level. This means that the SMP channel
2892 * lock must be considered in its own category to avoid lockdep
2895 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
2897 BT_DBG("created chan %p", chan);
2902 static const struct l2cap_ops smp_root_chan_ops = {
2903 .name = "Security Manager Root",
2904 .new_connection = smp_new_conn_cb,
2906 /* None of these are implemented for the root channel */
2907 .close = l2cap_chan_no_close,
2908 .alloc_skb = l2cap_chan_no_alloc_skb,
2909 .recv = l2cap_chan_no_recv,
2910 .state_change = l2cap_chan_no_state_change,
2911 .teardown = l2cap_chan_no_teardown,
2912 .ready = l2cap_chan_no_ready,
2913 .defer = l2cap_chan_no_defer,
2914 .suspend = l2cap_chan_no_suspend,
2915 .resume = l2cap_chan_no_resume,
2916 .set_shutdown = l2cap_chan_no_set_shutdown,
2917 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
2920 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
2922 struct l2cap_chan *chan;
2923 struct crypto_blkcipher *tfm_aes;
2925 if (cid == L2CAP_CID_SMP_BREDR) {
2930 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, 0);
2931 if (IS_ERR(tfm_aes)) {
2932 BT_ERR("Unable to create crypto context");
2933 return ERR_CAST(tfm_aes);
2937 chan = l2cap_chan_create();
2939 crypto_free_blkcipher(tfm_aes);
2940 return ERR_PTR(-ENOMEM);
2943 chan->data = tfm_aes;
2945 l2cap_add_scid(chan, cid);
2947 l2cap_chan_set_defaults(chan);
2949 bacpy(&chan->src, &hdev->bdaddr);
2950 if (cid == L2CAP_CID_SMP)
2951 chan->src_type = BDADDR_LE_PUBLIC;
2953 chan->src_type = BDADDR_BREDR;
2954 chan->state = BT_LISTEN;
2955 chan->mode = L2CAP_MODE_BASIC;
2956 chan->imtu = L2CAP_DEFAULT_MTU;
2957 chan->ops = &smp_root_chan_ops;
2959 /* Set correct nesting level for a parent/listening channel */
2960 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
2965 static void smp_del_chan(struct l2cap_chan *chan)
2967 struct crypto_blkcipher *tfm_aes;
2969 BT_DBG("chan %p", chan);
2971 tfm_aes = chan->data;
2974 crypto_free_blkcipher(tfm_aes);
2977 l2cap_chan_put(chan);
2980 static ssize_t force_bredr_smp_read(struct file *file,
2981 char __user *user_buf,
2982 size_t count, loff_t *ppos)
2984 struct hci_dev *hdev = file->private_data;
2987 buf[0] = test_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags) ? 'Y': 'N';
2990 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
2993 static ssize_t force_bredr_smp_write(struct file *file,
2994 const char __user *user_buf,
2995 size_t count, loff_t *ppos)
2997 struct hci_dev *hdev = file->private_data;
2999 size_t buf_size = min(count, (sizeof(buf)-1));
3002 if (copy_from_user(buf, user_buf, buf_size))
3005 buf[buf_size] = '\0';
3006 if (strtobool(buf, &enable))
3009 if (enable == test_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags))
3013 struct l2cap_chan *chan;
3015 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3017 return PTR_ERR(chan);
3019 hdev->smp_bredr_data = chan;
3021 struct l2cap_chan *chan;
3023 chan = hdev->smp_bredr_data;
3024 hdev->smp_bredr_data = NULL;
3028 change_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags);
3033 static const struct file_operations force_bredr_smp_fops = {
3034 .open = simple_open,
3035 .read = force_bredr_smp_read,
3036 .write = force_bredr_smp_write,
3037 .llseek = default_llseek,
3040 int smp_register(struct hci_dev *hdev)
3042 struct l2cap_chan *chan;
3044 BT_DBG("%s", hdev->name);
3046 chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3048 return PTR_ERR(chan);
3050 hdev->smp_data = chan;
3052 /* If the controller does not support BR/EDR Secure Connections
3053 * feature, then the BR/EDR SMP channel shall not be present.
3055 * To test this with Bluetooth 4.0 controllers, create a debugfs
3056 * switch that allows forcing BR/EDR SMP support and accepting
3057 * cross-transport pairing on non-AES encrypted connections.
3059 if (!lmp_sc_capable(hdev)) {
3060 debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3061 hdev, &force_bredr_smp_fops);
3065 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3067 int err = PTR_ERR(chan);
3068 chan = hdev->smp_data;
3069 hdev->smp_data = NULL;
3074 hdev->smp_bredr_data = chan;
3079 void smp_unregister(struct hci_dev *hdev)
3081 struct l2cap_chan *chan;
3083 if (hdev->smp_bredr_data) {
3084 chan = hdev->smp_bredr_data;
3085 hdev->smp_bredr_data = NULL;
3089 if (hdev->smp_data) {
3090 chan = hdev->smp_data;
3091 hdev->smp_data = NULL;
3096 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3098 static int __init test_ah(struct crypto_blkcipher *tfm_aes)
3100 const u8 irk[16] = {
3101 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3102 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3103 const u8 r[3] = { 0x94, 0x81, 0x70 };
3104 const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3108 err = smp_ah(tfm_aes, irk, r, res);
3112 if (memcmp(res, exp, 3))
3118 static int __init test_c1(struct crypto_blkcipher *tfm_aes)
3121 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3122 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3124 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3125 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3126 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3127 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3128 const u8 _iat = 0x01;
3129 const u8 _rat = 0x00;
3130 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3131 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3132 const u8 exp[16] = {
3133 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3134 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3138 err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3142 if (memcmp(res, exp, 16))
3148 static int __init test_s1(struct crypto_blkcipher *tfm_aes)
3151 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3152 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3154 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3156 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3157 const u8 exp[16] = {
3158 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3159 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3163 err = smp_s1(tfm_aes, k, r1, r2, res);
3167 if (memcmp(res, exp, 16))
3173 static int __init test_f4(struct crypto_hash *tfm_cmac)
3176 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3177 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3178 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3179 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3181 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3182 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3183 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3184 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3186 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3187 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3189 const u8 exp[16] = {
3190 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3191 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3195 err = smp_f4(tfm_cmac, u, v, x, z, res);
3199 if (memcmp(res, exp, 16))
3205 static int __init test_f5(struct crypto_hash *tfm_cmac)
3208 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3209 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3210 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3211 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3213 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3214 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3216 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3217 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3218 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3219 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3220 const u8 exp_ltk[16] = {
3221 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3222 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3223 const u8 exp_mackey[16] = {
3224 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3225 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3226 u8 mackey[16], ltk[16];
3229 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3233 if (memcmp(mackey, exp_mackey, 16))
3236 if (memcmp(ltk, exp_ltk, 16))
3242 static int __init test_f6(struct crypto_hash *tfm_cmac)
3245 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3246 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3248 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3249 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3251 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3252 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3254 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3255 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3256 const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3257 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3258 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3259 const u8 exp[16] = {
3260 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3261 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3265 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3269 if (memcmp(res, exp, 16))
3275 static int __init test_g2(struct crypto_hash *tfm_cmac)
3278 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3279 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3280 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3281 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3283 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3284 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3285 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3286 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3288 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3289 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3291 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3292 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3293 const u32 exp_val = 0x2f9ed5ba % 1000000;
3297 err = smp_g2(tfm_cmac, u, v, x, y, &val);
3307 static int __init test_h6(struct crypto_hash *tfm_cmac)
3310 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3311 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3312 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3313 const u8 exp[16] = {
3314 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3315 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3319 err = smp_h6(tfm_cmac, w, key_id, res);
3323 if (memcmp(res, exp, 16))
3329 static int __init run_selftests(struct crypto_blkcipher *tfm_aes,
3330 struct crypto_hash *tfm_cmac)
3332 ktime_t calltime, delta, rettime;
3333 unsigned long long duration;
3336 calltime = ktime_get();
3338 err = test_ah(tfm_aes);
3340 BT_ERR("smp_ah test failed");
3344 err = test_c1(tfm_aes);
3346 BT_ERR("smp_c1 test failed");
3350 err = test_s1(tfm_aes);
3352 BT_ERR("smp_s1 test failed");
3356 err = test_f4(tfm_cmac);
3358 BT_ERR("smp_f4 test failed");
3362 err = test_f5(tfm_cmac);
3364 BT_ERR("smp_f5 test failed");
3368 err = test_f6(tfm_cmac);
3370 BT_ERR("smp_f6 test failed");
3374 err = test_g2(tfm_cmac);
3376 BT_ERR("smp_g2 test failed");
3380 err = test_h6(tfm_cmac);
3382 BT_ERR("smp_h6 test failed");
3386 rettime = ktime_get();
3387 delta = ktime_sub(rettime, calltime);
3388 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3390 BT_INFO("SMP test passed in %lld usecs", duration);
3395 int __init bt_selftest_smp(void)
3397 struct crypto_blkcipher *tfm_aes;
3398 struct crypto_hash *tfm_cmac;
3401 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
3402 if (IS_ERR(tfm_aes)) {
3403 BT_ERR("Unable to create ECB crypto context");
3404 return PTR_ERR(tfm_aes);
3407 tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3408 if (IS_ERR(tfm_cmac)) {
3409 BT_ERR("Unable to create CMAC crypto context");
3410 crypto_free_blkcipher(tfm_aes);
3411 return PTR_ERR(tfm_cmac);
3414 err = run_selftests(tfm_aes, tfm_cmac);
3416 crypto_free_hash(tfm_cmac);
3417 crypto_free_blkcipher(tfm_aes);