2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
23 #include <linux/debugfs.h>
24 #include <linux/crypto.h>
25 #include <linux/scatterlist.h>
26 #include <crypto/b128ops.h>
28 #include <net/bluetooth/bluetooth.h>
29 #include <net/bluetooth/hci_core.h>
30 #include <net/bluetooth/l2cap.h>
31 #include <net/bluetooth/mgmt.h>
36 /* Low-level debug macros to be used for stuff that we don't want
37 * accidentially in dmesg, i.e. the values of the various crypto keys
38 * and the inputs & outputs of crypto functions.
41 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
44 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
48 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
50 /* Keys which are not distributed with Secure Connections */
51 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
53 #define SMP_TIMEOUT msecs_to_jiffies(30000)
55 #define AUTH_REQ_MASK(dev) (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
57 #define KEY_DIST_MASK 0x07
59 /* Maximum message length that can be passed to aes_cmac */
60 #define CMAC_MSG_MAX 80
72 SMP_FLAG_DHKEY_PENDING,
77 /* Secure Connections OOB data */
83 struct crypto_blkcipher *tfm_aes;
84 struct crypto_hash *tfm_cmac;
88 struct l2cap_conn *conn;
89 struct delayed_work security_timer;
90 unsigned long allow_cmd; /* Bitmask of allowed commands */
92 u8 preq[7]; /* SMP Pairing Request */
93 u8 prsp[7]; /* SMP Pairing Response */
94 u8 prnd[16]; /* SMP Pairing Random (local) */
95 u8 rrnd[16]; /* SMP Pairing Random (remote) */
96 u8 pcnf[16]; /* SMP Pairing Confirm */
97 u8 tk[16]; /* SMP Temporary Key */
104 struct smp_csrk *csrk;
105 struct smp_csrk *slave_csrk;
107 struct smp_ltk *slave_ltk;
108 struct smp_irk *remote_irk;
114 /* Secure Connections variables */
121 struct crypto_blkcipher *tfm_aes;
122 struct crypto_hash *tfm_cmac;
125 /* These debug key values are defined in the SMP section of the core
126 * specification. debug_pk is the public debug key and debug_sk the
129 static const u8 debug_pk[64] = {
130 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
131 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
132 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
133 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
135 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
136 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
137 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
138 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
141 static const u8 debug_sk[32] = {
142 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
143 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
144 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
145 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
148 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
152 for (i = 0; i < len; i++)
153 dst[len - 1 - i] = src[i];
156 /* The following functions map to the LE SC SMP crypto functions
157 * AES-CMAC, f4, f5, f6, g2 and h6.
160 static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m,
161 size_t len, u8 mac[16])
163 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
164 struct hash_desc desc;
165 struct scatterlist sg;
168 if (len > CMAC_MSG_MAX)
172 BT_ERR("tfm %p", tfm);
179 crypto_hash_init(&desc);
181 /* Swap key and message from LSB to MSB */
182 swap_buf(k, tmp, 16);
183 swap_buf(m, msg_msb, len);
185 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
186 SMP_DBG("key %16phN", k);
188 err = crypto_hash_setkey(tfm, tmp, 16);
190 BT_ERR("cipher setkey failed: %d", err);
194 sg_init_one(&sg, msg_msb, len);
196 err = crypto_hash_update(&desc, &sg, len);
198 BT_ERR("Hash update error %d", err);
202 err = crypto_hash_final(&desc, mac_msb);
204 BT_ERR("Hash final error %d", err);
208 swap_buf(mac_msb, mac, 16);
210 SMP_DBG("mac %16phN", mac);
215 static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
216 const u8 x[16], u8 z, u8 res[16])
221 SMP_DBG("u %32phN", u);
222 SMP_DBG("v %32phN", v);
223 SMP_DBG("x %16phN z %02x", x, z);
226 memcpy(m + 1, v, 32);
227 memcpy(m + 33, u, 32);
229 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
233 SMP_DBG("res %16phN", res);
238 static int smp_f5(struct crypto_hash *tfm_cmac, const u8 w[32],
239 const u8 n1[16], const u8 n2[16], const u8 a1[7],
240 const u8 a2[7], u8 mackey[16], u8 ltk[16])
242 /* The btle, salt and length "magic" values are as defined in
243 * the SMP section of the Bluetooth core specification. In ASCII
244 * the btle value ends up being 'btle'. The salt is just a
245 * random number whereas length is the value 256 in little
248 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
249 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
250 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
251 const u8 length[2] = { 0x00, 0x01 };
255 SMP_DBG("w %32phN", w);
256 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
257 SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
259 err = aes_cmac(tfm_cmac, salt, w, 32, t);
263 SMP_DBG("t %16phN", t);
265 memcpy(m, length, 2);
266 memcpy(m + 2, a2, 7);
267 memcpy(m + 9, a1, 7);
268 memcpy(m + 16, n2, 16);
269 memcpy(m + 32, n1, 16);
270 memcpy(m + 48, btle, 4);
272 m[52] = 0; /* Counter */
274 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
278 SMP_DBG("mackey %16phN", mackey);
280 m[52] = 1; /* Counter */
282 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
286 SMP_DBG("ltk %16phN", ltk);
291 static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16],
292 const u8 n1[16], const u8 n2[16], const u8 r[16],
293 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
299 SMP_DBG("w %16phN", w);
300 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
301 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
304 memcpy(m + 7, a1, 7);
305 memcpy(m + 14, io_cap, 3);
306 memcpy(m + 17, r, 16);
307 memcpy(m + 33, n2, 16);
308 memcpy(m + 49, n1, 16);
310 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
314 SMP_DBG("res %16phN", res);
319 static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
320 const u8 x[16], const u8 y[16], u32 *val)
325 SMP_DBG("u %32phN", u);
326 SMP_DBG("v %32phN", v);
327 SMP_DBG("x %16phN y %16phN", x, y);
330 memcpy(m + 16, v, 32);
331 memcpy(m + 48, u, 32);
333 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
337 *val = get_unaligned_le32(tmp);
340 SMP_DBG("val %06u", *val);
345 static int smp_h6(struct crypto_hash *tfm_cmac, const u8 w[16],
346 const u8 key_id[4], u8 res[16])
350 SMP_DBG("w %16phN key_id %4phN", w, key_id);
352 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
356 SMP_DBG("res %16phN", res);
361 /* The following functions map to the legacy SMP crypto functions e, c1,
365 static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
367 struct blkcipher_desc desc;
368 struct scatterlist sg;
369 uint8_t tmp[16], data[16];
373 BT_ERR("tfm %p", tfm);
380 /* The most significant octet of key corresponds to k[0] */
381 swap_buf(k, tmp, 16);
383 err = crypto_blkcipher_setkey(tfm, tmp, 16);
385 BT_ERR("cipher setkey failed: %d", err);
389 /* Most significant octet of plaintextData corresponds to data[0] */
390 swap_buf(r, data, 16);
392 sg_init_one(&sg, data, 16);
394 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
396 BT_ERR("Encrypt data error %d", err);
398 /* Most significant octet of encryptedData corresponds to data[0] */
399 swap_buf(data, r, 16);
404 static int smp_c1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
405 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
406 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
413 /* p1 = pres || preq || _rat || _iat */
416 memcpy(p1 + 2, preq, 7);
417 memcpy(p1 + 9, pres, 7);
419 /* p2 = padding || ia || ra */
421 memcpy(p2 + 6, ia, 6);
422 memset(p2 + 12, 0, 4);
425 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
427 /* res = e(k, res) */
428 err = smp_e(tfm_aes, k, res);
430 BT_ERR("Encrypt data error");
434 /* res = res XOR p2 */
435 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
437 /* res = e(k, res) */
438 err = smp_e(tfm_aes, k, res);
440 BT_ERR("Encrypt data error");
445 static int smp_s1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
446 const u8 r1[16], const u8 r2[16], u8 _r[16])
450 /* Just least significant octets from r1 and r2 are considered */
452 memcpy(_r + 8, r1, 8);
454 err = smp_e(tfm_aes, k, _r);
456 BT_ERR("Encrypt data error");
461 static int smp_ah(struct crypto_blkcipher *tfm, const u8 irk[16],
462 const u8 r[3], u8 res[3])
467 /* r' = padding || r */
469 memset(_res + 3, 0, 13);
471 err = smp_e(tfm, irk, _res);
473 BT_ERR("Encrypt error");
477 /* The output of the random address function ah is:
478 * ah(h, r) = e(k, r') mod 2^24
479 * The output of the security function e is then truncated to 24 bits
480 * by taking the least significant 24 bits of the output of e as the
483 memcpy(res, _res, 3);
488 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
489 const bdaddr_t *bdaddr)
491 struct l2cap_chan *chan = hdev->smp_data;
496 if (!chan || !chan->data)
501 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
503 err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash);
507 return !memcmp(bdaddr->b, hash, 3);
510 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
512 struct l2cap_chan *chan = hdev->smp_data;
516 if (!chan || !chan->data)
521 get_random_bytes(&rpa->b[3], 3);
523 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
524 rpa->b[5] |= 0x40; /* Set second most significant bit */
526 err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b);
530 BT_DBG("RPA %pMR", rpa);
535 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
537 struct l2cap_chan *chan = hdev->smp_data;
541 if (!chan || !chan->data)
546 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
547 BT_DBG("Using debug keys");
548 memcpy(smp->local_pk, debug_pk, 64);
549 memcpy(smp->local_sk, debug_sk, 32);
550 smp->debug_key = true;
553 /* Generate local key pair for Secure Connections */
554 if (!ecc_make_key(smp->local_pk, smp->local_sk))
557 /* This is unlikely, but we need to check that
558 * we didn't accidentially generate a debug key.
560 if (memcmp(smp->local_sk, debug_sk, 32))
563 smp->debug_key = false;
566 SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
567 SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
568 SMP_DBG("OOB Private Key: %32phN", smp->local_sk);
570 get_random_bytes(smp->local_rr, 16);
572 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
573 smp->local_rr, 0, hash);
577 memcpy(rand, smp->local_rr, 16);
582 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
584 struct l2cap_chan *chan = conn->smp;
585 struct smp_chan *smp;
592 BT_DBG("code 0x%2.2x", code);
594 iv[0].iov_base = &code;
597 iv[1].iov_base = data;
600 memset(&msg, 0, sizeof(msg));
602 iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
604 l2cap_chan_send(chan, &msg, 1 + len);
611 cancel_delayed_work_sync(&smp->security_timer);
612 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
615 static u8 authreq_to_seclevel(u8 authreq)
617 if (authreq & SMP_AUTH_MITM) {
618 if (authreq & SMP_AUTH_SC)
619 return BT_SECURITY_FIPS;
621 return BT_SECURITY_HIGH;
623 return BT_SECURITY_MEDIUM;
627 static __u8 seclevel_to_authreq(__u8 sec_level)
630 case BT_SECURITY_FIPS:
631 case BT_SECURITY_HIGH:
632 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
633 case BT_SECURITY_MEDIUM:
634 return SMP_AUTH_BONDING;
636 return SMP_AUTH_NONE;
640 static void build_pairing_cmd(struct l2cap_conn *conn,
641 struct smp_cmd_pairing *req,
642 struct smp_cmd_pairing *rsp, __u8 authreq)
644 struct l2cap_chan *chan = conn->smp;
645 struct smp_chan *smp = chan->data;
646 struct hci_conn *hcon = conn->hcon;
647 struct hci_dev *hdev = hcon->hdev;
648 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
650 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
651 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
652 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
653 authreq |= SMP_AUTH_BONDING;
655 authreq &= ~SMP_AUTH_BONDING;
658 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
659 remote_dist |= SMP_DIST_ID_KEY;
661 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
662 local_dist |= SMP_DIST_ID_KEY;
664 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
665 (authreq & SMP_AUTH_SC)) {
666 struct oob_data *oob_data;
669 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
670 local_dist |= SMP_DIST_LINK_KEY;
671 remote_dist |= SMP_DIST_LINK_KEY;
674 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
675 bdaddr_type = BDADDR_LE_PUBLIC;
677 bdaddr_type = BDADDR_LE_RANDOM;
679 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
681 if (oob_data && oob_data->present) {
682 set_bit(SMP_FLAG_OOB, &smp->flags);
683 oob_flag = SMP_OOB_PRESENT;
684 memcpy(smp->rr, oob_data->rand256, 16);
685 memcpy(smp->pcnf, oob_data->hash256, 16);
689 authreq &= ~SMP_AUTH_SC;
693 req->io_capability = conn->hcon->io_capability;
694 req->oob_flag = oob_flag;
695 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
696 req->init_key_dist = local_dist;
697 req->resp_key_dist = remote_dist;
698 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
700 smp->remote_key_dist = remote_dist;
704 rsp->io_capability = conn->hcon->io_capability;
705 rsp->oob_flag = oob_flag;
706 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
707 rsp->init_key_dist = req->init_key_dist & remote_dist;
708 rsp->resp_key_dist = req->resp_key_dist & local_dist;
709 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
711 smp->remote_key_dist = rsp->init_key_dist;
714 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
716 struct l2cap_chan *chan = conn->smp;
717 struct smp_chan *smp = chan->data;
719 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
720 (max_key_size < SMP_MIN_ENC_KEY_SIZE))
721 return SMP_ENC_KEY_SIZE;
723 smp->enc_key_size = max_key_size;
728 static void smp_chan_destroy(struct l2cap_conn *conn)
730 struct l2cap_chan *chan = conn->smp;
731 struct smp_chan *smp = chan->data;
732 struct hci_conn *hcon = conn->hcon;
737 cancel_delayed_work_sync(&smp->security_timer);
739 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
740 mgmt_smp_complete(hcon, complete);
743 kzfree(smp->slave_csrk);
744 kzfree(smp->link_key);
746 crypto_free_blkcipher(smp->tfm_aes);
747 crypto_free_hash(smp->tfm_cmac);
749 /* Ensure that we don't leave any debug key around if debug key
750 * support hasn't been explicitly enabled.
752 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
753 !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
754 list_del_rcu(&smp->ltk->list);
755 kfree_rcu(smp->ltk, rcu);
759 /* If pairing failed clean up any keys we might have */
762 list_del_rcu(&smp->ltk->list);
763 kfree_rcu(smp->ltk, rcu);
766 if (smp->slave_ltk) {
767 list_del_rcu(&smp->slave_ltk->list);
768 kfree_rcu(smp->slave_ltk, rcu);
771 if (smp->remote_irk) {
772 list_del_rcu(&smp->remote_irk->list);
773 kfree_rcu(smp->remote_irk, rcu);
782 static void smp_failure(struct l2cap_conn *conn, u8 reason)
784 struct hci_conn *hcon = conn->hcon;
785 struct l2cap_chan *chan = conn->smp;
788 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
791 clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags);
792 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
795 smp_chan_destroy(conn);
798 #define JUST_WORKS 0x00
799 #define JUST_CFM 0x01
800 #define REQ_PASSKEY 0x02
801 #define CFM_PASSKEY 0x03
803 #define DSP_PASSKEY 0x05
806 static const u8 gen_method[5][5] = {
807 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
808 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
809 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
810 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
811 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
814 static const u8 sc_method[5][5] = {
815 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
816 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
817 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
818 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
819 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
822 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
824 /* If either side has unknown io_caps, use JUST_CFM (which gets
825 * converted later to JUST_WORKS if we're initiators.
827 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
828 remote_io > SMP_IO_KEYBOARD_DISPLAY)
831 if (test_bit(SMP_FLAG_SC, &smp->flags))
832 return sc_method[remote_io][local_io];
834 return gen_method[remote_io][local_io];
837 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
838 u8 local_io, u8 remote_io)
840 struct hci_conn *hcon = conn->hcon;
841 struct l2cap_chan *chan = conn->smp;
842 struct smp_chan *smp = chan->data;
846 /* Initialize key for JUST WORKS */
847 memset(smp->tk, 0, sizeof(smp->tk));
848 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
850 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
852 /* If neither side wants MITM, either "just" confirm an incoming
853 * request or use just-works for outgoing ones. The JUST_CFM
854 * will be converted to JUST_WORKS if necessary later in this
855 * function. If either side has MITM look up the method from the
858 if (!(auth & SMP_AUTH_MITM))
859 smp->method = JUST_CFM;
861 smp->method = get_auth_method(smp, local_io, remote_io);
863 /* Don't confirm locally initiated pairing attempts */
864 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
866 smp->method = JUST_WORKS;
868 /* Don't bother user space with no IO capabilities */
869 if (smp->method == JUST_CFM &&
870 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
871 smp->method = JUST_WORKS;
873 /* If Just Works, Continue with Zero TK */
874 if (smp->method == JUST_WORKS) {
875 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
879 /* Not Just Works/Confirm results in MITM Authentication */
880 if (smp->method != JUST_CFM) {
881 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
882 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
883 hcon->pending_sec_level = BT_SECURITY_HIGH;
886 /* If both devices have Keyoard-Display I/O, the master
887 * Confirms and the slave Enters the passkey.
889 if (smp->method == OVERLAP) {
890 if (hcon->role == HCI_ROLE_MASTER)
891 smp->method = CFM_PASSKEY;
893 smp->method = REQ_PASSKEY;
896 /* Generate random passkey. */
897 if (smp->method == CFM_PASSKEY) {
898 memset(smp->tk, 0, sizeof(smp->tk));
899 get_random_bytes(&passkey, sizeof(passkey));
901 put_unaligned_le32(passkey, smp->tk);
902 BT_DBG("PassKey: %d", passkey);
903 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
906 if (smp->method == REQ_PASSKEY)
907 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
908 hcon->type, hcon->dst_type);
909 else if (smp->method == JUST_CFM)
910 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
911 hcon->type, hcon->dst_type,
914 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
915 hcon->type, hcon->dst_type,
921 static u8 smp_confirm(struct smp_chan *smp)
923 struct l2cap_conn *conn = smp->conn;
924 struct smp_cmd_pairing_confirm cp;
927 BT_DBG("conn %p", conn);
929 ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
930 conn->hcon->init_addr_type, &conn->hcon->init_addr,
931 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
934 return SMP_UNSPECIFIED;
936 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
938 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
941 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
943 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
948 static u8 smp_random(struct smp_chan *smp)
950 struct l2cap_conn *conn = smp->conn;
951 struct hci_conn *hcon = conn->hcon;
955 if (IS_ERR_OR_NULL(smp->tfm_aes))
956 return SMP_UNSPECIFIED;
958 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
960 ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
961 hcon->init_addr_type, &hcon->init_addr,
962 hcon->resp_addr_type, &hcon->resp_addr, confirm);
964 return SMP_UNSPECIFIED;
966 if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
967 BT_ERR("Pairing failed (confirmation values mismatch)");
968 return SMP_CONFIRM_FAILED;
976 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
978 memset(stk + smp->enc_key_size, 0,
979 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
981 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
982 return SMP_UNSPECIFIED;
984 hci_le_start_enc(hcon, ediv, rand, stk);
985 hcon->enc_key_size = smp->enc_key_size;
986 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
992 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
995 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
997 memset(stk + smp->enc_key_size, 0,
998 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
1000 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1005 /* Even though there's no _SLAVE suffix this is the
1006 * slave STK we're adding for later lookup (the master
1007 * STK never needs to be stored).
1009 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1010 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1016 static void smp_notify_keys(struct l2cap_conn *conn)
1018 struct l2cap_chan *chan = conn->smp;
1019 struct smp_chan *smp = chan->data;
1020 struct hci_conn *hcon = conn->hcon;
1021 struct hci_dev *hdev = hcon->hdev;
1022 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1023 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1026 if (smp->remote_irk) {
1027 mgmt_new_irk(hdev, smp->remote_irk);
1028 /* Now that user space can be considered to know the
1029 * identity address track the connection based on it
1030 * from now on (assuming this is an LE link).
1032 if (hcon->type == LE_LINK) {
1033 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1034 hcon->dst_type = smp->remote_irk->addr_type;
1035 queue_work(hdev->workqueue, &conn->id_addr_update_work);
1038 /* When receiving an indentity resolving key for
1039 * a remote device that does not use a resolvable
1040 * private address, just remove the key so that
1041 * it is possible to use the controller white
1042 * list for scanning.
1044 * Userspace will have been told to not store
1045 * this key at this point. So it is safe to
1048 if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) {
1049 list_del_rcu(&smp->remote_irk->list);
1050 kfree_rcu(smp->remote_irk, rcu);
1051 smp->remote_irk = NULL;
1055 if (hcon->type == ACL_LINK) {
1056 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1059 persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1062 /* The LTKs and CSRKs should be persistent only if both sides
1063 * had the bonding bit set in their authentication requests.
1065 persistent = !!((req->auth_req & rsp->auth_req) &
1071 smp->csrk->bdaddr_type = hcon->dst_type;
1072 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1073 mgmt_new_csrk(hdev, smp->csrk, persistent);
1076 if (smp->slave_csrk) {
1077 smp->slave_csrk->bdaddr_type = hcon->dst_type;
1078 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1079 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1083 smp->ltk->bdaddr_type = hcon->dst_type;
1084 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1085 mgmt_new_ltk(hdev, smp->ltk, persistent);
1088 if (smp->slave_ltk) {
1089 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1090 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1091 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1094 if (smp->link_key) {
1095 struct link_key *key;
1098 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1099 type = HCI_LK_DEBUG_COMBINATION;
1100 else if (hcon->sec_level == BT_SECURITY_FIPS)
1101 type = HCI_LK_AUTH_COMBINATION_P256;
1103 type = HCI_LK_UNAUTH_COMBINATION_P256;
1105 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1106 smp->link_key, type, 0, &persistent);
1108 mgmt_new_link_key(hdev, key, persistent);
1110 /* Don't keep debug keys around if the relevant
1113 if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1114 key->type == HCI_LK_DEBUG_COMBINATION) {
1115 list_del_rcu(&key->list);
1116 kfree_rcu(key, rcu);
1122 static void sc_add_ltk(struct smp_chan *smp)
1124 struct hci_conn *hcon = smp->conn->hcon;
1127 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1128 key_type = SMP_LTK_P256_DEBUG;
1130 key_type = SMP_LTK_P256;
1132 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1137 memset(smp->tk + smp->enc_key_size, 0,
1138 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
1140 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1141 key_type, auth, smp->tk, smp->enc_key_size,
1145 static void sc_generate_link_key(struct smp_chan *smp)
1147 /* These constants are as specified in the core specification.
1148 * In ASCII they spell out to 'tmp1' and 'lebr'.
1150 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1151 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1153 smp->link_key = kzalloc(16, GFP_KERNEL);
1157 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1158 kzfree(smp->link_key);
1159 smp->link_key = NULL;
1163 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1164 kzfree(smp->link_key);
1165 smp->link_key = NULL;
1170 static void smp_allow_key_dist(struct smp_chan *smp)
1172 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1173 * will be allowed in each PDU handler to ensure we receive
1174 * them in the correct order.
1176 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1177 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1178 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1179 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1180 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1181 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1184 static void sc_generate_ltk(struct smp_chan *smp)
1186 /* These constants are as specified in the core specification.
1187 * In ASCII they spell out to 'tmp2' and 'brle'.
1189 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1190 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1191 struct hci_conn *hcon = smp->conn->hcon;
1192 struct hci_dev *hdev = hcon->hdev;
1193 struct link_key *key;
1195 key = hci_find_link_key(hdev, &hcon->dst);
1197 BT_ERR("%s No Link Key found to generate LTK", hdev->name);
1201 if (key->type == HCI_LK_DEBUG_COMBINATION)
1202 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1204 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1207 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1213 static void smp_distribute_keys(struct smp_chan *smp)
1215 struct smp_cmd_pairing *req, *rsp;
1216 struct l2cap_conn *conn = smp->conn;
1217 struct hci_conn *hcon = conn->hcon;
1218 struct hci_dev *hdev = hcon->hdev;
1221 BT_DBG("conn %p", conn);
1223 rsp = (void *) &smp->prsp[1];
1225 /* The responder sends its keys first */
1226 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1227 smp_allow_key_dist(smp);
1231 req = (void *) &smp->preq[1];
1234 keydist = &rsp->init_key_dist;
1235 *keydist &= req->init_key_dist;
1237 keydist = &rsp->resp_key_dist;
1238 *keydist &= req->resp_key_dist;
1241 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1242 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1243 sc_generate_link_key(smp);
1244 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1245 sc_generate_ltk(smp);
1247 /* Clear the keys which are generated but not distributed */
1248 *keydist &= ~SMP_SC_NO_DIST;
1251 BT_DBG("keydist 0x%x", *keydist);
1253 if (*keydist & SMP_DIST_ENC_KEY) {
1254 struct smp_cmd_encrypt_info enc;
1255 struct smp_cmd_master_ident ident;
1256 struct smp_ltk *ltk;
1261 get_random_bytes(enc.ltk, sizeof(enc.ltk));
1262 get_random_bytes(&ediv, sizeof(ediv));
1263 get_random_bytes(&rand, sizeof(rand));
1265 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1267 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1268 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1269 SMP_LTK_SLAVE, authenticated, enc.ltk,
1270 smp->enc_key_size, ediv, rand);
1271 smp->slave_ltk = ltk;
1276 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1278 *keydist &= ~SMP_DIST_ENC_KEY;
1281 if (*keydist & SMP_DIST_ID_KEY) {
1282 struct smp_cmd_ident_addr_info addrinfo;
1283 struct smp_cmd_ident_info idinfo;
1285 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1287 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1289 /* The hci_conn contains the local identity address
1290 * after the connection has been established.
1292 * This is true even when the connection has been
1293 * established using a resolvable random address.
1295 bacpy(&addrinfo.bdaddr, &hcon->src);
1296 addrinfo.addr_type = hcon->src_type;
1298 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1301 *keydist &= ~SMP_DIST_ID_KEY;
1304 if (*keydist & SMP_DIST_SIGN) {
1305 struct smp_cmd_sign_info sign;
1306 struct smp_csrk *csrk;
1308 /* Generate a new random key */
1309 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1311 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1313 if (hcon->sec_level > BT_SECURITY_MEDIUM)
1314 csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1316 csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1317 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1319 smp->slave_csrk = csrk;
1321 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1323 *keydist &= ~SMP_DIST_SIGN;
1326 /* If there are still keys to be received wait for them */
1327 if (smp->remote_key_dist & KEY_DIST_MASK) {
1328 smp_allow_key_dist(smp);
1332 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1333 smp_notify_keys(conn);
1335 smp_chan_destroy(conn);
1338 static void smp_timeout(struct work_struct *work)
1340 struct smp_chan *smp = container_of(work, struct smp_chan,
1341 security_timer.work);
1342 struct l2cap_conn *conn = smp->conn;
1344 BT_DBG("conn %p", conn);
1346 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1349 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1351 struct l2cap_chan *chan = conn->smp;
1352 struct smp_chan *smp;
1354 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1358 smp->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
1359 if (IS_ERR(smp->tfm_aes)) {
1360 BT_ERR("Unable to create ECB crypto context");
1365 smp->tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
1366 if (IS_ERR(smp->tfm_cmac)) {
1367 BT_ERR("Unable to create CMAC crypto context");
1368 crypto_free_blkcipher(smp->tfm_aes);
1376 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1378 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1380 hci_conn_hold(conn->hcon);
1385 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1387 struct hci_conn *hcon = smp->conn->hcon;
1388 u8 *na, *nb, a[7], b[7];
1398 memcpy(a, &hcon->init_addr, 6);
1399 memcpy(b, &hcon->resp_addr, 6);
1400 a[6] = hcon->init_addr_type;
1401 b[6] = hcon->resp_addr_type;
1403 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1406 static void sc_dhkey_check(struct smp_chan *smp)
1408 struct hci_conn *hcon = smp->conn->hcon;
1409 struct smp_cmd_dhkey_check check;
1410 u8 a[7], b[7], *local_addr, *remote_addr;
1411 u8 io_cap[3], r[16];
1413 memcpy(a, &hcon->init_addr, 6);
1414 memcpy(b, &hcon->resp_addr, 6);
1415 a[6] = hcon->init_addr_type;
1416 b[6] = hcon->resp_addr_type;
1421 memcpy(io_cap, &smp->preq[1], 3);
1425 memcpy(io_cap, &smp->prsp[1], 3);
1428 memset(r, 0, sizeof(r));
1430 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1431 put_unaligned_le32(hcon->passkey_notify, r);
1433 if (smp->method == REQ_OOB)
1434 memcpy(r, smp->rr, 16);
1436 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1437 local_addr, remote_addr, check.e);
1439 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1442 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1444 struct l2cap_conn *conn = smp->conn;
1445 struct hci_conn *hcon = conn->hcon;
1446 struct smp_cmd_pairing_confirm cfm;
1449 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1452 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1454 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1456 return SMP_UNSPECIFIED;
1458 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1463 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1465 struct l2cap_conn *conn = smp->conn;
1466 struct hci_conn *hcon = conn->hcon;
1467 struct hci_dev *hdev = hcon->hdev;
1470 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1471 if (smp->passkey_round >= 20)
1475 case SMP_CMD_PAIRING_RANDOM:
1476 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1479 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1481 return SMP_UNSPECIFIED;
1483 if (memcmp(smp->pcnf, cfm, 16))
1484 return SMP_CONFIRM_FAILED;
1486 smp->passkey_round++;
1488 if (smp->passkey_round == 20) {
1489 /* Generate MacKey and LTK */
1490 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1491 return SMP_UNSPECIFIED;
1494 /* The round is only complete when the initiator
1495 * receives pairing random.
1498 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1499 sizeof(smp->prnd), smp->prnd);
1500 if (smp->passkey_round == 20)
1501 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1503 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1507 /* Start the next round */
1508 if (smp->passkey_round != 20)
1509 return sc_passkey_round(smp, 0);
1511 /* Passkey rounds are complete - start DHKey Check */
1512 sc_dhkey_check(smp);
1513 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1517 case SMP_CMD_PAIRING_CONFIRM:
1518 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1519 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1523 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1526 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1527 sizeof(smp->prnd), smp->prnd);
1531 return sc_passkey_send_confirm(smp);
1533 case SMP_CMD_PUBLIC_KEY:
1535 /* Initiating device starts the round */
1539 BT_DBG("%s Starting passkey round %u", hdev->name,
1540 smp->passkey_round + 1);
1542 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1544 return sc_passkey_send_confirm(smp);
1550 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1552 struct l2cap_conn *conn = smp->conn;
1553 struct hci_conn *hcon = conn->hcon;
1556 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1559 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1560 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1562 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1563 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1565 case MGMT_OP_USER_PASSKEY_REPLY:
1566 hcon->passkey_notify = le32_to_cpu(passkey);
1567 smp->passkey_round = 0;
1569 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1570 smp_op = SMP_CMD_PAIRING_CONFIRM;
1574 if (sc_passkey_round(smp, smp_op))
1580 /* Initiator sends DHKey check first */
1582 sc_dhkey_check(smp);
1583 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1584 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1585 sc_dhkey_check(smp);
1592 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1594 struct l2cap_conn *conn = hcon->l2cap_data;
1595 struct l2cap_chan *chan;
1596 struct smp_chan *smp;
1609 l2cap_chan_lock(chan);
1617 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1618 err = sc_user_reply(smp, mgmt_op, passkey);
1623 case MGMT_OP_USER_PASSKEY_REPLY:
1624 value = le32_to_cpu(passkey);
1625 memset(smp->tk, 0, sizeof(smp->tk));
1626 BT_DBG("PassKey: %d", value);
1627 put_unaligned_le32(value, smp->tk);
1629 case MGMT_OP_USER_CONFIRM_REPLY:
1630 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1632 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1633 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1634 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1638 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1645 /* If it is our turn to send Pairing Confirm, do so now */
1646 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1647 u8 rsp = smp_confirm(smp);
1649 smp_failure(conn, rsp);
1653 l2cap_chan_unlock(chan);
1657 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1658 struct smp_cmd_pairing *req,
1659 struct smp_cmd_pairing *rsp)
1661 struct l2cap_conn *conn = smp->conn;
1662 struct hci_dev *hdev = conn->hcon->hdev;
1663 u8 local_dist = 0, remote_dist = 0;
1665 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1666 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1667 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1670 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1671 remote_dist |= SMP_DIST_ID_KEY;
1673 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1674 local_dist |= SMP_DIST_ID_KEY;
1677 memset(req, 0, sizeof(*req));
1679 req->init_key_dist = local_dist;
1680 req->resp_key_dist = remote_dist;
1681 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1683 smp->remote_key_dist = remote_dist;
1688 memset(rsp, 0, sizeof(*rsp));
1690 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1691 rsp->init_key_dist = req->init_key_dist & remote_dist;
1692 rsp->resp_key_dist = req->resp_key_dist & local_dist;
1694 smp->remote_key_dist = rsp->init_key_dist;
1697 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1699 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1700 struct l2cap_chan *chan = conn->smp;
1701 struct hci_dev *hdev = conn->hcon->hdev;
1702 struct smp_chan *smp;
1703 u8 key_size, auth, sec_level;
1706 BT_DBG("conn %p", conn);
1708 if (skb->len < sizeof(*req))
1709 return SMP_INVALID_PARAMS;
1711 if (conn->hcon->role != HCI_ROLE_SLAVE)
1712 return SMP_CMD_NOTSUPP;
1715 smp = smp_chan_create(conn);
1720 return SMP_UNSPECIFIED;
1722 /* We didn't start the pairing, so match remote */
1723 auth = req->auth_req & AUTH_REQ_MASK(hdev);
1725 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1726 (auth & SMP_AUTH_BONDING))
1727 return SMP_PAIRING_NOTSUPP;
1729 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1730 return SMP_AUTH_REQUIREMENTS;
1732 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1733 memcpy(&smp->preq[1], req, sizeof(*req));
1734 skb_pull(skb, sizeof(*req));
1736 /* SMP over BR/EDR requires special treatment */
1737 if (conn->hcon->type == ACL_LINK) {
1738 /* We must have a BR/EDR SC link */
1739 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1740 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1741 return SMP_CROSS_TRANSP_NOT_ALLOWED;
1743 set_bit(SMP_FLAG_SC, &smp->flags);
1745 build_bredr_pairing_cmd(smp, req, &rsp);
1747 key_size = min(req->max_key_size, rsp.max_key_size);
1748 if (check_enc_key_size(conn, key_size))
1749 return SMP_ENC_KEY_SIZE;
1751 /* Clear bits which are generated but not distributed */
1752 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1754 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1755 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1756 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1758 smp_distribute_keys(smp);
1762 build_pairing_cmd(conn, req, &rsp, auth);
1764 if (rsp.auth_req & SMP_AUTH_SC)
1765 set_bit(SMP_FLAG_SC, &smp->flags);
1767 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1768 sec_level = BT_SECURITY_MEDIUM;
1770 sec_level = authreq_to_seclevel(auth);
1772 if (sec_level > conn->hcon->pending_sec_level)
1773 conn->hcon->pending_sec_level = sec_level;
1775 /* If we need MITM check that it can be achieved */
1776 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1779 method = get_auth_method(smp, conn->hcon->io_capability,
1780 req->io_capability);
1781 if (method == JUST_WORKS || method == JUST_CFM)
1782 return SMP_AUTH_REQUIREMENTS;
1785 key_size = min(req->max_key_size, rsp.max_key_size);
1786 if (check_enc_key_size(conn, key_size))
1787 return SMP_ENC_KEY_SIZE;
1789 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1791 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1792 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1794 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1796 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1798 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1799 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1800 /* Clear bits which are generated but not distributed */
1801 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1802 /* Wait for Public Key from Initiating Device */
1806 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1808 /* Request setup of TK */
1809 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1811 return SMP_UNSPECIFIED;
1816 static u8 sc_send_public_key(struct smp_chan *smp)
1818 struct hci_dev *hdev = smp->conn->hcon->hdev;
1822 if (test_bit(SMP_FLAG_OOB, &smp->flags)) {
1823 struct l2cap_chan *chan = hdev->smp_data;
1824 struct smp_dev *smp_dev;
1826 if (!chan || !chan->data)
1827 return SMP_UNSPECIFIED;
1829 smp_dev = chan->data;
1831 memcpy(smp->local_pk, smp_dev->local_pk, 64);
1832 memcpy(smp->local_sk, smp_dev->local_sk, 32);
1833 memcpy(smp->rr, smp_dev->local_rr, 16);
1835 if (smp_dev->debug_key)
1836 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1841 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1842 BT_DBG("Using debug keys");
1843 memcpy(smp->local_pk, debug_pk, 64);
1844 memcpy(smp->local_sk, debug_sk, 32);
1845 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1848 /* Generate local key pair for Secure Connections */
1849 if (!ecc_make_key(smp->local_pk, smp->local_sk))
1850 return SMP_UNSPECIFIED;
1852 /* This is unlikely, but we need to check that
1853 * we didn't accidentially generate a debug key.
1855 if (memcmp(smp->local_sk, debug_sk, 32))
1861 SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1862 SMP_DBG("Local Public Key Y: %32phN", &smp->local_pk[32]);
1863 SMP_DBG("Local Private Key: %32phN", smp->local_sk);
1865 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1870 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1872 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1873 struct l2cap_chan *chan = conn->smp;
1874 struct smp_chan *smp = chan->data;
1875 struct hci_dev *hdev = conn->hcon->hdev;
1879 BT_DBG("conn %p", conn);
1881 if (skb->len < sizeof(*rsp))
1882 return SMP_INVALID_PARAMS;
1884 if (conn->hcon->role != HCI_ROLE_MASTER)
1885 return SMP_CMD_NOTSUPP;
1887 skb_pull(skb, sizeof(*rsp));
1889 req = (void *) &smp->preq[1];
1891 key_size = min(req->max_key_size, rsp->max_key_size);
1892 if (check_enc_key_size(conn, key_size))
1893 return SMP_ENC_KEY_SIZE;
1895 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1897 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1898 return SMP_AUTH_REQUIREMENTS;
1900 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1901 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1903 /* Update remote key distribution in case the remote cleared
1904 * some bits that we had enabled in our request.
1906 smp->remote_key_dist &= rsp->resp_key_dist;
1908 /* For BR/EDR this means we're done and can start phase 3 */
1909 if (conn->hcon->type == ACL_LINK) {
1910 /* Clear bits which are generated but not distributed */
1911 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1912 smp_distribute_keys(smp);
1916 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1917 set_bit(SMP_FLAG_SC, &smp->flags);
1918 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1919 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1921 /* If we need MITM check that it can be achieved */
1922 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1925 method = get_auth_method(smp, req->io_capability,
1926 rsp->io_capability);
1927 if (method == JUST_WORKS || method == JUST_CFM)
1928 return SMP_AUTH_REQUIREMENTS;
1931 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1933 /* Update remote key distribution in case the remote cleared
1934 * some bits that we had enabled in our request.
1936 smp->remote_key_dist &= rsp->resp_key_dist;
1938 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1939 /* Clear bits which are generated but not distributed */
1940 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1941 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1942 return sc_send_public_key(smp);
1945 auth |= req->auth_req;
1947 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
1949 return SMP_UNSPECIFIED;
1951 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1953 /* Can't compose response until we have been confirmed */
1954 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1955 return smp_confirm(smp);
1960 static u8 sc_check_confirm(struct smp_chan *smp)
1962 struct l2cap_conn *conn = smp->conn;
1966 /* Public Key exchange must happen before any other steps */
1967 if (!test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
1968 return SMP_UNSPECIFIED;
1970 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1971 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
1973 if (conn->hcon->out) {
1974 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1976 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1982 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
1984 struct l2cap_chan *chan = conn->smp;
1985 struct smp_chan *smp = chan->data;
1987 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
1989 if (skb->len < sizeof(smp->pcnf))
1990 return SMP_INVALID_PARAMS;
1992 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
1993 skb_pull(skb, sizeof(smp->pcnf));
1995 if (test_bit(SMP_FLAG_SC, &smp->flags))
1996 return sc_check_confirm(smp);
1998 if (conn->hcon->out) {
1999 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2001 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2005 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2006 return smp_confirm(smp);
2008 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2013 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2015 struct l2cap_chan *chan = conn->smp;
2016 struct smp_chan *smp = chan->data;
2017 struct hci_conn *hcon = conn->hcon;
2018 u8 *pkax, *pkbx, *na, *nb;
2022 BT_DBG("conn %p", conn);
2024 if (skb->len < sizeof(smp->rrnd))
2025 return SMP_INVALID_PARAMS;
2027 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2028 skb_pull(skb, sizeof(smp->rrnd));
2030 if (!test_bit(SMP_FLAG_SC, &smp->flags))
2031 return smp_random(smp);
2034 pkax = smp->local_pk;
2035 pkbx = smp->remote_pk;
2039 pkax = smp->remote_pk;
2040 pkbx = smp->local_pk;
2045 if (smp->method == REQ_OOB) {
2047 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2048 sizeof(smp->prnd), smp->prnd);
2049 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2050 goto mackey_and_ltk;
2053 /* Passkey entry has special treatment */
2054 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2055 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2060 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2063 return SMP_UNSPECIFIED;
2065 if (memcmp(smp->pcnf, cfm, 16))
2066 return SMP_CONFIRM_FAILED;
2068 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2070 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2074 /* Generate MacKey and LTK */
2075 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2077 return SMP_UNSPECIFIED;
2079 if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2081 sc_dhkey_check(smp);
2082 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2087 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2089 return SMP_UNSPECIFIED;
2091 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2092 hcon->dst_type, passkey, 0);
2094 return SMP_UNSPECIFIED;
2096 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2101 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2103 struct smp_ltk *key;
2104 struct hci_conn *hcon = conn->hcon;
2106 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2110 if (smp_ltk_sec_level(key) < sec_level)
2113 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2116 hci_le_start_enc(hcon, key->ediv, key->rand, key->val);
2117 hcon->enc_key_size = key->enc_size;
2119 /* We never store STKs for master role, so clear this flag */
2120 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2125 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2126 enum smp_key_pref key_pref)
2128 if (sec_level == BT_SECURITY_LOW)
2131 /* If we're encrypted with an STK but the caller prefers using
2132 * LTK claim insufficient security. This way we allow the
2133 * connection to be re-encrypted with an LTK, even if the LTK
2134 * provides the same level of security. Only exception is if we
2135 * don't have an LTK (e.g. because of key distribution bits).
2137 if (key_pref == SMP_USE_LTK &&
2138 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2139 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2142 if (hcon->sec_level >= sec_level)
2148 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2150 struct smp_cmd_security_req *rp = (void *) skb->data;
2151 struct smp_cmd_pairing cp;
2152 struct hci_conn *hcon = conn->hcon;
2153 struct hci_dev *hdev = hcon->hdev;
2154 struct smp_chan *smp;
2157 BT_DBG("conn %p", conn);
2159 if (skb->len < sizeof(*rp))
2160 return SMP_INVALID_PARAMS;
2162 if (hcon->role != HCI_ROLE_MASTER)
2163 return SMP_CMD_NOTSUPP;
2165 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2167 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2168 return SMP_AUTH_REQUIREMENTS;
2170 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2171 sec_level = BT_SECURITY_MEDIUM;
2173 sec_level = authreq_to_seclevel(auth);
2175 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2178 if (sec_level > hcon->pending_sec_level)
2179 hcon->pending_sec_level = sec_level;
2181 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2184 smp = smp_chan_create(conn);
2186 return SMP_UNSPECIFIED;
2188 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2189 (auth & SMP_AUTH_BONDING))
2190 return SMP_PAIRING_NOTSUPP;
2192 skb_pull(skb, sizeof(*rp));
2194 memset(&cp, 0, sizeof(cp));
2195 build_pairing_cmd(conn, &cp, NULL, auth);
2197 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2198 memcpy(&smp->preq[1], &cp, sizeof(cp));
2200 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2201 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2206 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2208 struct l2cap_conn *conn = hcon->l2cap_data;
2209 struct l2cap_chan *chan;
2210 struct smp_chan *smp;
2214 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2216 /* This may be NULL if there's an unexpected disconnection */
2222 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2225 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2228 if (sec_level > hcon->pending_sec_level)
2229 hcon->pending_sec_level = sec_level;
2231 if (hcon->role == HCI_ROLE_MASTER)
2232 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2235 l2cap_chan_lock(chan);
2237 /* If SMP is already in progress ignore this request */
2243 smp = smp_chan_create(conn);
2249 authreq = seclevel_to_authreq(sec_level);
2251 if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED))
2252 authreq |= SMP_AUTH_SC;
2254 /* Require MITM if IO Capability allows or the security level
2257 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2258 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2259 authreq |= SMP_AUTH_MITM;
2261 if (hcon->role == HCI_ROLE_MASTER) {
2262 struct smp_cmd_pairing cp;
2264 build_pairing_cmd(conn, &cp, NULL, authreq);
2265 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2266 memcpy(&smp->preq[1], &cp, sizeof(cp));
2268 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2269 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2271 struct smp_cmd_security_req cp;
2272 cp.auth_req = authreq;
2273 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2274 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2277 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2281 l2cap_chan_unlock(chan);
2285 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2287 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2288 struct l2cap_chan *chan = conn->smp;
2289 struct smp_chan *smp = chan->data;
2291 BT_DBG("conn %p", conn);
2293 if (skb->len < sizeof(*rp))
2294 return SMP_INVALID_PARAMS;
2296 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2298 skb_pull(skb, sizeof(*rp));
2300 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2305 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2307 struct smp_cmd_master_ident *rp = (void *) skb->data;
2308 struct l2cap_chan *chan = conn->smp;
2309 struct smp_chan *smp = chan->data;
2310 struct hci_dev *hdev = conn->hcon->hdev;
2311 struct hci_conn *hcon = conn->hcon;
2312 struct smp_ltk *ltk;
2315 BT_DBG("conn %p", conn);
2317 if (skb->len < sizeof(*rp))
2318 return SMP_INVALID_PARAMS;
2320 /* Mark the information as received */
2321 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2323 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2324 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2325 else if (smp->remote_key_dist & SMP_DIST_SIGN)
2326 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2328 skb_pull(skb, sizeof(*rp));
2330 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2331 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2332 authenticated, smp->tk, smp->enc_key_size,
2333 rp->ediv, rp->rand);
2335 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2336 smp_distribute_keys(smp);
2341 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2343 struct smp_cmd_ident_info *info = (void *) skb->data;
2344 struct l2cap_chan *chan = conn->smp;
2345 struct smp_chan *smp = chan->data;
2349 if (skb->len < sizeof(*info))
2350 return SMP_INVALID_PARAMS;
2352 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2354 skb_pull(skb, sizeof(*info));
2356 memcpy(smp->irk, info->irk, 16);
2361 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2362 struct sk_buff *skb)
2364 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2365 struct l2cap_chan *chan = conn->smp;
2366 struct smp_chan *smp = chan->data;
2367 struct hci_conn *hcon = conn->hcon;
2372 if (skb->len < sizeof(*info))
2373 return SMP_INVALID_PARAMS;
2375 /* Mark the information as received */
2376 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2378 if (smp->remote_key_dist & SMP_DIST_SIGN)
2379 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2381 skb_pull(skb, sizeof(*info));
2383 /* Strictly speaking the Core Specification (4.1) allows sending
2384 * an empty address which would force us to rely on just the IRK
2385 * as "identity information". However, since such
2386 * implementations are not known of and in order to not over
2387 * complicate our implementation, simply pretend that we never
2388 * received an IRK for such a device.
2390 * The Identity Address must also be a Static Random or Public
2391 * Address, which hci_is_identity_address() checks for.
2393 if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2394 !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2395 BT_ERR("Ignoring IRK with no identity address");
2399 bacpy(&smp->id_addr, &info->bdaddr);
2400 smp->id_addr_type = info->addr_type;
2402 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2403 bacpy(&rpa, &hcon->dst);
2405 bacpy(&rpa, BDADDR_ANY);
2407 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2408 smp->id_addr_type, smp->irk, &rpa);
2411 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2412 smp_distribute_keys(smp);
2417 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2419 struct smp_cmd_sign_info *rp = (void *) skb->data;
2420 struct l2cap_chan *chan = conn->smp;
2421 struct smp_chan *smp = chan->data;
2422 struct smp_csrk *csrk;
2424 BT_DBG("conn %p", conn);
2426 if (skb->len < sizeof(*rp))
2427 return SMP_INVALID_PARAMS;
2429 /* Mark the information as received */
2430 smp->remote_key_dist &= ~SMP_DIST_SIGN;
2432 skb_pull(skb, sizeof(*rp));
2434 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2436 if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2437 csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2439 csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2440 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2443 smp_distribute_keys(smp);
2448 static u8 sc_select_method(struct smp_chan *smp)
2450 struct l2cap_conn *conn = smp->conn;
2451 struct hci_conn *hcon = conn->hcon;
2452 struct smp_cmd_pairing *local, *remote;
2453 u8 local_mitm, remote_mitm, local_io, remote_io, method;
2455 if (test_bit(SMP_FLAG_OOB, &smp->flags))
2458 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2459 * which are needed as inputs to some crypto functions. To get
2460 * the "struct smp_cmd_pairing" from them we need to skip the
2461 * first byte which contains the opcode.
2464 local = (void *) &smp->preq[1];
2465 remote = (void *) &smp->prsp[1];
2467 local = (void *) &smp->prsp[1];
2468 remote = (void *) &smp->preq[1];
2471 local_io = local->io_capability;
2472 remote_io = remote->io_capability;
2474 local_mitm = (local->auth_req & SMP_AUTH_MITM);
2475 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2477 /* If either side wants MITM, look up the method from the table,
2478 * otherwise use JUST WORKS.
2480 if (local_mitm || remote_mitm)
2481 method = get_auth_method(smp, local_io, remote_io);
2483 method = JUST_WORKS;
2485 /* Don't confirm locally initiated pairing attempts */
2486 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2487 method = JUST_WORKS;
2492 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2494 struct smp_cmd_public_key *key = (void *) skb->data;
2495 struct hci_conn *hcon = conn->hcon;
2496 struct l2cap_chan *chan = conn->smp;
2497 struct smp_chan *smp = chan->data;
2498 struct hci_dev *hdev = hcon->hdev;
2499 struct smp_cmd_pairing_confirm cfm;
2502 BT_DBG("conn %p", conn);
2504 if (skb->len < sizeof(*key))
2505 return SMP_INVALID_PARAMS;
2507 memcpy(smp->remote_pk, key, 64);
2509 /* Non-initiating device sends its public key after receiving
2510 * the key from the initiating device.
2513 err = sc_send_public_key(smp);
2518 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2519 SMP_DBG("Remote Public Key Y: %32phN", &smp->remote_pk[32]);
2521 if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2522 return SMP_UNSPECIFIED;
2524 SMP_DBG("DHKey %32phN", smp->dhkey);
2526 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2528 smp->method = sc_select_method(smp);
2530 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2532 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2533 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2534 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2536 hcon->pending_sec_level = BT_SECURITY_FIPS;
2538 if (!memcmp(debug_pk, smp->remote_pk, 64))
2539 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2541 if (smp->method == DSP_PASSKEY) {
2542 get_random_bytes(&hcon->passkey_notify,
2543 sizeof(hcon->passkey_notify));
2544 hcon->passkey_notify %= 1000000;
2545 hcon->passkey_entered = 0;
2546 smp->passkey_round = 0;
2547 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2549 hcon->passkey_notify,
2550 hcon->passkey_entered))
2551 return SMP_UNSPECIFIED;
2552 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2553 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2556 if (smp->method == REQ_OOB) {
2557 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2558 smp->rr, 0, cfm.confirm_val);
2560 return SMP_UNSPECIFIED;
2562 if (memcmp(cfm.confirm_val, smp->pcnf, 16))
2563 return SMP_CONFIRM_FAILED;
2566 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2567 sizeof(smp->prnd), smp->prnd);
2569 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2575 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2577 if (smp->method == REQ_PASSKEY) {
2578 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2580 return SMP_UNSPECIFIED;
2581 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2582 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2586 /* The Initiating device waits for the non-initiating device to
2587 * send the confirm value.
2589 if (conn->hcon->out)
2592 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2593 0, cfm.confirm_val);
2595 return SMP_UNSPECIFIED;
2597 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2598 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2603 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2605 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2606 struct l2cap_chan *chan = conn->smp;
2607 struct hci_conn *hcon = conn->hcon;
2608 struct smp_chan *smp = chan->data;
2609 u8 a[7], b[7], *local_addr, *remote_addr;
2610 u8 io_cap[3], r[16], e[16];
2613 BT_DBG("conn %p", conn);
2615 if (skb->len < sizeof(*check))
2616 return SMP_INVALID_PARAMS;
2618 memcpy(a, &hcon->init_addr, 6);
2619 memcpy(b, &hcon->resp_addr, 6);
2620 a[6] = hcon->init_addr_type;
2621 b[6] = hcon->resp_addr_type;
2626 memcpy(io_cap, &smp->prsp[1], 3);
2630 memcpy(io_cap, &smp->preq[1], 3);
2633 memset(r, 0, sizeof(r));
2635 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2636 put_unaligned_le32(hcon->passkey_notify, r);
2638 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2639 io_cap, remote_addr, local_addr, e);
2641 return SMP_UNSPECIFIED;
2643 if (memcmp(check->e, e, 16))
2644 return SMP_DHKEY_CHECK_FAILED;
2647 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2648 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2652 /* Slave sends DHKey check as response to master */
2653 sc_dhkey_check(smp);
2659 hci_le_start_enc(hcon, 0, 0, smp->tk);
2660 hcon->enc_key_size = smp->enc_key_size;
2666 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2667 struct sk_buff *skb)
2669 struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2671 BT_DBG("value 0x%02x", kp->value);
2676 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2678 struct l2cap_conn *conn = chan->conn;
2679 struct hci_conn *hcon = conn->hcon;
2680 struct smp_chan *smp;
2687 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2688 reason = SMP_PAIRING_NOTSUPP;
2692 code = skb->data[0];
2693 skb_pull(skb, sizeof(code));
2697 if (code > SMP_CMD_MAX)
2700 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2703 /* If we don't have a context the only allowed commands are
2704 * pairing request and security request.
2706 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2710 case SMP_CMD_PAIRING_REQ:
2711 reason = smp_cmd_pairing_req(conn, skb);
2714 case SMP_CMD_PAIRING_FAIL:
2715 smp_failure(conn, 0);
2719 case SMP_CMD_PAIRING_RSP:
2720 reason = smp_cmd_pairing_rsp(conn, skb);
2723 case SMP_CMD_SECURITY_REQ:
2724 reason = smp_cmd_security_req(conn, skb);
2727 case SMP_CMD_PAIRING_CONFIRM:
2728 reason = smp_cmd_pairing_confirm(conn, skb);
2731 case SMP_CMD_PAIRING_RANDOM:
2732 reason = smp_cmd_pairing_random(conn, skb);
2735 case SMP_CMD_ENCRYPT_INFO:
2736 reason = smp_cmd_encrypt_info(conn, skb);
2739 case SMP_CMD_MASTER_IDENT:
2740 reason = smp_cmd_master_ident(conn, skb);
2743 case SMP_CMD_IDENT_INFO:
2744 reason = smp_cmd_ident_info(conn, skb);
2747 case SMP_CMD_IDENT_ADDR_INFO:
2748 reason = smp_cmd_ident_addr_info(conn, skb);
2751 case SMP_CMD_SIGN_INFO:
2752 reason = smp_cmd_sign_info(conn, skb);
2755 case SMP_CMD_PUBLIC_KEY:
2756 reason = smp_cmd_public_key(conn, skb);
2759 case SMP_CMD_DHKEY_CHECK:
2760 reason = smp_cmd_dhkey_check(conn, skb);
2763 case SMP_CMD_KEYPRESS_NOTIFY:
2764 reason = smp_cmd_keypress_notify(conn, skb);
2768 BT_DBG("Unknown command code 0x%2.2x", code);
2769 reason = SMP_CMD_NOTSUPP;
2776 smp_failure(conn, reason);
2783 BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2789 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2791 struct l2cap_conn *conn = chan->conn;
2793 BT_DBG("chan %p", chan);
2796 smp_chan_destroy(conn);
2799 l2cap_chan_put(chan);
2802 static void bredr_pairing(struct l2cap_chan *chan)
2804 struct l2cap_conn *conn = chan->conn;
2805 struct hci_conn *hcon = conn->hcon;
2806 struct hci_dev *hdev = hcon->hdev;
2807 struct smp_cmd_pairing req;
2808 struct smp_chan *smp;
2810 BT_DBG("chan %p", chan);
2812 /* Only new pairings are interesting */
2813 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2816 /* Don't bother if we're not encrypted */
2817 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2820 /* Only master may initiate SMP over BR/EDR */
2821 if (hcon->role != HCI_ROLE_MASTER)
2824 /* Secure Connections support must be enabled */
2825 if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
2828 /* BR/EDR must use Secure Connections for SMP */
2829 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
2830 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
2833 /* If our LE support is not enabled don't do anything */
2834 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
2837 /* Don't bother if remote LE support is not enabled */
2838 if (!lmp_host_le_capable(hcon))
2841 /* Remote must support SMP fixed chan for BR/EDR */
2842 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
2845 /* Don't bother if SMP is already ongoing */
2849 smp = smp_chan_create(conn);
2851 BT_ERR("%s unable to create SMP context for BR/EDR",
2856 set_bit(SMP_FLAG_SC, &smp->flags);
2858 BT_DBG("%s starting SMP over BR/EDR", hdev->name);
2860 /* Prepare and send the BR/EDR SMP Pairing Request */
2861 build_bredr_pairing_cmd(smp, &req, NULL);
2863 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2864 memcpy(&smp->preq[1], &req, sizeof(req));
2866 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
2867 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2870 static void smp_resume_cb(struct l2cap_chan *chan)
2872 struct smp_chan *smp = chan->data;
2873 struct l2cap_conn *conn = chan->conn;
2874 struct hci_conn *hcon = conn->hcon;
2876 BT_DBG("chan %p", chan);
2878 if (hcon->type == ACL_LINK) {
2879 bredr_pairing(chan);
2886 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2889 cancel_delayed_work(&smp->security_timer);
2891 smp_distribute_keys(smp);
2894 static void smp_ready_cb(struct l2cap_chan *chan)
2896 struct l2cap_conn *conn = chan->conn;
2897 struct hci_conn *hcon = conn->hcon;
2899 BT_DBG("chan %p", chan);
2902 l2cap_chan_hold(chan);
2904 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2905 bredr_pairing(chan);
2908 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
2912 BT_DBG("chan %p", chan);
2914 err = smp_sig_channel(chan, skb);
2916 struct smp_chan *smp = chan->data;
2919 cancel_delayed_work_sync(&smp->security_timer);
2921 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
2927 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
2928 unsigned long hdr_len,
2929 unsigned long len, int nb)
2931 struct sk_buff *skb;
2933 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
2935 return ERR_PTR(-ENOMEM);
2937 skb->priority = HCI_PRIO_MAX;
2938 bt_cb(skb)->chan = chan;
2943 static const struct l2cap_ops smp_chan_ops = {
2944 .name = "Security Manager",
2945 .ready = smp_ready_cb,
2946 .recv = smp_recv_cb,
2947 .alloc_skb = smp_alloc_skb_cb,
2948 .teardown = smp_teardown_cb,
2949 .resume = smp_resume_cb,
2951 .new_connection = l2cap_chan_no_new_connection,
2952 .state_change = l2cap_chan_no_state_change,
2953 .close = l2cap_chan_no_close,
2954 .defer = l2cap_chan_no_defer,
2955 .suspend = l2cap_chan_no_suspend,
2956 .set_shutdown = l2cap_chan_no_set_shutdown,
2957 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
2960 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
2962 struct l2cap_chan *chan;
2964 BT_DBG("pchan %p", pchan);
2966 chan = l2cap_chan_create();
2970 chan->chan_type = pchan->chan_type;
2971 chan->ops = &smp_chan_ops;
2972 chan->scid = pchan->scid;
2973 chan->dcid = chan->scid;
2974 chan->imtu = pchan->imtu;
2975 chan->omtu = pchan->omtu;
2976 chan->mode = pchan->mode;
2978 /* Other L2CAP channels may request SMP routines in order to
2979 * change the security level. This means that the SMP channel
2980 * lock must be considered in its own category to avoid lockdep
2983 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
2985 BT_DBG("created chan %p", chan);
2990 static const struct l2cap_ops smp_root_chan_ops = {
2991 .name = "Security Manager Root",
2992 .new_connection = smp_new_conn_cb,
2994 /* None of these are implemented for the root channel */
2995 .close = l2cap_chan_no_close,
2996 .alloc_skb = l2cap_chan_no_alloc_skb,
2997 .recv = l2cap_chan_no_recv,
2998 .state_change = l2cap_chan_no_state_change,
2999 .teardown = l2cap_chan_no_teardown,
3000 .ready = l2cap_chan_no_ready,
3001 .defer = l2cap_chan_no_defer,
3002 .suspend = l2cap_chan_no_suspend,
3003 .resume = l2cap_chan_no_resume,
3004 .set_shutdown = l2cap_chan_no_set_shutdown,
3005 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
3008 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3010 struct l2cap_chan *chan;
3011 struct smp_dev *smp;
3012 struct crypto_blkcipher *tfm_aes;
3013 struct crypto_hash *tfm_cmac;
3015 if (cid == L2CAP_CID_SMP_BREDR) {
3020 smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3022 return ERR_PTR(-ENOMEM);
3024 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
3025 if (IS_ERR(tfm_aes)) {
3026 BT_ERR("Unable to create ECB crypto context");
3028 return ERR_CAST(tfm_aes);
3031 tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3032 if (IS_ERR(tfm_cmac)) {
3033 BT_ERR("Unable to create CMAC crypto context");
3034 crypto_free_blkcipher(tfm_aes);
3036 return ERR_CAST(tfm_cmac);
3039 smp->tfm_aes = tfm_aes;
3040 smp->tfm_cmac = tfm_cmac;
3043 chan = l2cap_chan_create();
3045 crypto_free_blkcipher(smp->tfm_aes);
3046 crypto_free_hash(smp->tfm_cmac);
3048 return ERR_PTR(-ENOMEM);
3053 l2cap_add_scid(chan, cid);
3055 l2cap_chan_set_defaults(chan);
3057 if (cid == L2CAP_CID_SMP) {
3060 hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3062 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3063 chan->src_type = BDADDR_LE_PUBLIC;
3065 chan->src_type = BDADDR_LE_RANDOM;
3067 bacpy(&chan->src, &hdev->bdaddr);
3068 chan->src_type = BDADDR_BREDR;
3071 chan->state = BT_LISTEN;
3072 chan->mode = L2CAP_MODE_BASIC;
3073 chan->imtu = L2CAP_DEFAULT_MTU;
3074 chan->ops = &smp_root_chan_ops;
3076 /* Set correct nesting level for a parent/listening channel */
3077 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3082 static void smp_del_chan(struct l2cap_chan *chan)
3084 struct smp_dev *smp;
3086 BT_DBG("chan %p", chan);
3092 crypto_free_blkcipher(smp->tfm_aes);
3094 crypto_free_hash(smp->tfm_cmac);
3098 l2cap_chan_put(chan);
3101 static ssize_t force_bredr_smp_read(struct file *file,
3102 char __user *user_buf,
3103 size_t count, loff_t *ppos)
3105 struct hci_dev *hdev = file->private_data;
3108 buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3111 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3114 static ssize_t force_bredr_smp_write(struct file *file,
3115 const char __user *user_buf,
3116 size_t count, loff_t *ppos)
3118 struct hci_dev *hdev = file->private_data;
3120 size_t buf_size = min(count, (sizeof(buf)-1));
3123 if (copy_from_user(buf, user_buf, buf_size))
3126 buf[buf_size] = '\0';
3127 if (strtobool(buf, &enable))
3130 if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3134 struct l2cap_chan *chan;
3136 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3138 return PTR_ERR(chan);
3140 hdev->smp_bredr_data = chan;
3142 struct l2cap_chan *chan;
3144 chan = hdev->smp_bredr_data;
3145 hdev->smp_bredr_data = NULL;
3149 hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3154 static const struct file_operations force_bredr_smp_fops = {
3155 .open = simple_open,
3156 .read = force_bredr_smp_read,
3157 .write = force_bredr_smp_write,
3158 .llseek = default_llseek,
3161 int smp_register(struct hci_dev *hdev)
3163 struct l2cap_chan *chan;
3165 BT_DBG("%s", hdev->name);
3167 /* If the controller does not support Low Energy operation, then
3168 * there is also no need to register any SMP channel.
3170 if (!lmp_le_capable(hdev))
3173 if (WARN_ON(hdev->smp_data)) {
3174 chan = hdev->smp_data;
3175 hdev->smp_data = NULL;
3179 chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3181 return PTR_ERR(chan);
3183 hdev->smp_data = chan;
3185 /* If the controller does not support BR/EDR Secure Connections
3186 * feature, then the BR/EDR SMP channel shall not be present.
3188 * To test this with Bluetooth 4.0 controllers, create a debugfs
3189 * switch that allows forcing BR/EDR SMP support and accepting
3190 * cross-transport pairing on non-AES encrypted connections.
3192 if (!lmp_sc_capable(hdev)) {
3193 debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3194 hdev, &force_bredr_smp_fops);
3198 if (WARN_ON(hdev->smp_bredr_data)) {
3199 chan = hdev->smp_bredr_data;
3200 hdev->smp_bredr_data = NULL;
3204 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3206 int err = PTR_ERR(chan);
3207 chan = hdev->smp_data;
3208 hdev->smp_data = NULL;
3213 hdev->smp_bredr_data = chan;
3218 void smp_unregister(struct hci_dev *hdev)
3220 struct l2cap_chan *chan;
3222 if (hdev->smp_bredr_data) {
3223 chan = hdev->smp_bredr_data;
3224 hdev->smp_bredr_data = NULL;
3228 if (hdev->smp_data) {
3229 chan = hdev->smp_data;
3230 hdev->smp_data = NULL;
3235 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3237 static int __init test_ah(struct crypto_blkcipher *tfm_aes)
3239 const u8 irk[16] = {
3240 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3241 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3242 const u8 r[3] = { 0x94, 0x81, 0x70 };
3243 const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3247 err = smp_ah(tfm_aes, irk, r, res);
3251 if (memcmp(res, exp, 3))
3257 static int __init test_c1(struct crypto_blkcipher *tfm_aes)
3260 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3261 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3263 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3264 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3265 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3266 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3267 const u8 _iat = 0x01;
3268 const u8 _rat = 0x00;
3269 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3270 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3271 const u8 exp[16] = {
3272 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3273 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3277 err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3281 if (memcmp(res, exp, 16))
3287 static int __init test_s1(struct crypto_blkcipher *tfm_aes)
3290 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3291 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3293 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3295 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3296 const u8 exp[16] = {
3297 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3298 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3302 err = smp_s1(tfm_aes, k, r1, r2, res);
3306 if (memcmp(res, exp, 16))
3312 static int __init test_f4(struct crypto_hash *tfm_cmac)
3315 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3316 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3317 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3318 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3320 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3321 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3322 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3323 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3325 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3326 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3328 const u8 exp[16] = {
3329 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3330 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3334 err = smp_f4(tfm_cmac, u, v, x, z, res);
3338 if (memcmp(res, exp, 16))
3344 static int __init test_f5(struct crypto_hash *tfm_cmac)
3347 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3348 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3349 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3350 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3352 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3353 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3355 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3356 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3357 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3358 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3359 const u8 exp_ltk[16] = {
3360 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3361 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3362 const u8 exp_mackey[16] = {
3363 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3364 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3365 u8 mackey[16], ltk[16];
3368 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3372 if (memcmp(mackey, exp_mackey, 16))
3375 if (memcmp(ltk, exp_ltk, 16))
3381 static int __init test_f6(struct crypto_hash *tfm_cmac)
3384 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3385 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3387 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3388 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3390 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3391 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3393 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3394 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3395 const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3396 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3397 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3398 const u8 exp[16] = {
3399 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3400 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3404 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3408 if (memcmp(res, exp, 16))
3414 static int __init test_g2(struct crypto_hash *tfm_cmac)
3417 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3418 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3419 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3420 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3422 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3423 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3424 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3425 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3427 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3428 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3430 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3431 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3432 const u32 exp_val = 0x2f9ed5ba % 1000000;
3436 err = smp_g2(tfm_cmac, u, v, x, y, &val);
3446 static int __init test_h6(struct crypto_hash *tfm_cmac)
3449 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3450 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3451 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3452 const u8 exp[16] = {
3453 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3454 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3458 err = smp_h6(tfm_cmac, w, key_id, res);
3462 if (memcmp(res, exp, 16))
3468 static int __init run_selftests(struct crypto_blkcipher *tfm_aes,
3469 struct crypto_hash *tfm_cmac)
3471 ktime_t calltime, delta, rettime;
3472 unsigned long long duration;
3475 calltime = ktime_get();
3477 err = test_ah(tfm_aes);
3479 BT_ERR("smp_ah test failed");
3483 err = test_c1(tfm_aes);
3485 BT_ERR("smp_c1 test failed");
3489 err = test_s1(tfm_aes);
3491 BT_ERR("smp_s1 test failed");
3495 err = test_f4(tfm_cmac);
3497 BT_ERR("smp_f4 test failed");
3501 err = test_f5(tfm_cmac);
3503 BT_ERR("smp_f5 test failed");
3507 err = test_f6(tfm_cmac);
3509 BT_ERR("smp_f6 test failed");
3513 err = test_g2(tfm_cmac);
3515 BT_ERR("smp_g2 test failed");
3519 err = test_h6(tfm_cmac);
3521 BT_ERR("smp_h6 test failed");
3525 rettime = ktime_get();
3526 delta = ktime_sub(rettime, calltime);
3527 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3529 BT_INFO("SMP test passed in %llu usecs", duration);
3534 int __init bt_selftest_smp(void)
3536 struct crypto_blkcipher *tfm_aes;
3537 struct crypto_hash *tfm_cmac;
3540 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
3541 if (IS_ERR(tfm_aes)) {
3542 BT_ERR("Unable to create ECB crypto context");
3543 return PTR_ERR(tfm_aes);
3546 tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3547 if (IS_ERR(tfm_cmac)) {
3548 BT_ERR("Unable to create CMAC crypto context");
3549 crypto_free_blkcipher(tfm_aes);
3550 return PTR_ERR(tfm_cmac);
3553 err = run_selftests(tfm_aes, tfm_cmac);
3555 crypto_free_hash(tfm_cmac);
3556 crypto_free_blkcipher(tfm_aes);