2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
23 #include <linux/debugfs.h>
24 #include <linux/crypto.h>
25 #include <linux/scatterlist.h>
26 #include <crypto/b128ops.h>
28 #include <net/bluetooth/bluetooth.h>
29 #include <net/bluetooth/hci_core.h>
30 #include <net/bluetooth/l2cap.h>
31 #include <net/bluetooth/mgmt.h>
36 /* Low-level debug macros to be used for stuff that we don't want
37 * accidentially in dmesg, i.e. the values of the various crypto keys
38 * and the inputs & outputs of crypto functions.
41 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
44 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
48 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
50 /* Keys which are not distributed with Secure Connections */
51 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
53 #define SMP_TIMEOUT msecs_to_jiffies(30000)
55 #define AUTH_REQ_MASK(dev) (test_bit(HCI_SC_ENABLED, &(dev)->dev_flags) ? \
57 #define KEY_DIST_MASK 0x07
59 /* Maximum message length that can be passed to aes_cmac */
60 #define CMAC_MSG_MAX 80
72 SMP_FLAG_DHKEY_PENDING,
77 struct l2cap_conn *conn;
78 struct delayed_work security_timer;
79 unsigned long allow_cmd; /* Bitmask of allowed commands */
81 u8 preq[7]; /* SMP Pairing Request */
82 u8 prsp[7]; /* SMP Pairing Response */
83 u8 prnd[16]; /* SMP Pairing Random (local) */
84 u8 rrnd[16]; /* SMP Pairing Random (remote) */
85 u8 pcnf[16]; /* SMP Pairing Confirm */
86 u8 tk[16]; /* SMP Temporary Key */
93 struct smp_csrk *csrk;
94 struct smp_csrk *slave_csrk;
96 struct smp_ltk *slave_ltk;
97 struct smp_irk *remote_irk;
103 /* Secure Connections variables */
110 struct crypto_blkcipher *tfm_aes;
111 struct crypto_hash *tfm_cmac;
114 /* These debug key values are defined in the SMP section of the core
115 * specification. debug_pk is the public debug key and debug_sk the
118 static const u8 debug_pk[64] = {
119 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
120 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
121 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
122 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
124 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
125 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
126 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
127 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
130 static const u8 debug_sk[32] = {
131 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
132 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
133 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
134 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
137 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
141 for (i = 0; i < len; i++)
142 dst[len - 1 - i] = src[i];
145 /* The following functions map to the LE SC SMP crypto functions
146 * AES-CMAC, f4, f5, f6, g2 and h6.
149 static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m,
150 size_t len, u8 mac[16])
152 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
153 struct hash_desc desc;
154 struct scatterlist sg;
157 if (len > CMAC_MSG_MAX)
161 BT_ERR("tfm %p", tfm);
168 crypto_hash_init(&desc);
170 /* Swap key and message from LSB to MSB */
171 swap_buf(k, tmp, 16);
172 swap_buf(m, msg_msb, len);
174 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
175 SMP_DBG("key %16phN", k);
177 err = crypto_hash_setkey(tfm, tmp, 16);
179 BT_ERR("cipher setkey failed: %d", err);
183 sg_init_one(&sg, msg_msb, len);
185 err = crypto_hash_update(&desc, &sg, len);
187 BT_ERR("Hash update error %d", err);
191 err = crypto_hash_final(&desc, mac_msb);
193 BT_ERR("Hash final error %d", err);
197 swap_buf(mac_msb, mac, 16);
199 SMP_DBG("mac %16phN", mac);
204 static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
205 const u8 x[16], u8 z, u8 res[16])
210 SMP_DBG("u %32phN", u);
211 SMP_DBG("v %32phN", v);
212 SMP_DBG("x %16phN z %02x", x, z);
215 memcpy(m + 1, v, 32);
216 memcpy(m + 33, u, 32);
218 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
222 SMP_DBG("res %16phN", res);
227 static int smp_f5(struct crypto_hash *tfm_cmac, const u8 w[32],
228 const u8 n1[16], const u8 n2[16], const u8 a1[7],
229 const u8 a2[7], u8 mackey[16], u8 ltk[16])
231 /* The btle, salt and length "magic" values are as defined in
232 * the SMP section of the Bluetooth core specification. In ASCII
233 * the btle value ends up being 'btle'. The salt is just a
234 * random number whereas length is the value 256 in little
237 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
238 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
239 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
240 const u8 length[2] = { 0x00, 0x01 };
244 SMP_DBG("w %32phN", w);
245 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
246 SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
248 err = aes_cmac(tfm_cmac, salt, w, 32, t);
252 SMP_DBG("t %16phN", t);
254 memcpy(m, length, 2);
255 memcpy(m + 2, a2, 7);
256 memcpy(m + 9, a1, 7);
257 memcpy(m + 16, n2, 16);
258 memcpy(m + 32, n1, 16);
259 memcpy(m + 48, btle, 4);
261 m[52] = 0; /* Counter */
263 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
267 SMP_DBG("mackey %16phN", mackey);
269 m[52] = 1; /* Counter */
271 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
275 SMP_DBG("ltk %16phN", ltk);
280 static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16],
281 const u8 n1[16], const u8 n2[16], const u8 r[16],
282 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
288 SMP_DBG("w %16phN", w);
289 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
290 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
293 memcpy(m + 7, a1, 7);
294 memcpy(m + 14, io_cap, 3);
295 memcpy(m + 17, r, 16);
296 memcpy(m + 33, n2, 16);
297 memcpy(m + 49, n1, 16);
299 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
303 SMP_DBG("res %16phN", res);
308 static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
309 const u8 x[16], const u8 y[16], u32 *val)
314 SMP_DBG("u %32phN", u);
315 SMP_DBG("v %32phN", v);
316 SMP_DBG("x %16phN y %16phN", x, y);
319 memcpy(m + 16, v, 32);
320 memcpy(m + 48, u, 32);
322 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
326 *val = get_unaligned_le32(tmp);
329 SMP_DBG("val %06u", *val);
334 static int smp_h6(struct crypto_hash *tfm_cmac, const u8 w[16],
335 const u8 key_id[4], u8 res[16])
339 SMP_DBG("w %16phN key_id %4phN", w, key_id);
341 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
345 SMP_DBG("res %16phN", res);
350 /* The following functions map to the legacy SMP crypto functions e, c1,
354 static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
356 struct blkcipher_desc desc;
357 struct scatterlist sg;
358 uint8_t tmp[16], data[16];
362 BT_ERR("tfm %p", tfm);
369 /* The most significant octet of key corresponds to k[0] */
370 swap_buf(k, tmp, 16);
372 err = crypto_blkcipher_setkey(tfm, tmp, 16);
374 BT_ERR("cipher setkey failed: %d", err);
378 /* Most significant octet of plaintextData corresponds to data[0] */
379 swap_buf(r, data, 16);
381 sg_init_one(&sg, data, 16);
383 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
385 BT_ERR("Encrypt data error %d", err);
387 /* Most significant octet of encryptedData corresponds to data[0] */
388 swap_buf(data, r, 16);
393 static int smp_c1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
394 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
395 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
402 /* p1 = pres || preq || _rat || _iat */
405 memcpy(p1 + 2, preq, 7);
406 memcpy(p1 + 9, pres, 7);
408 /* p2 = padding || ia || ra */
410 memcpy(p2 + 6, ia, 6);
411 memset(p2 + 12, 0, 4);
414 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
416 /* res = e(k, res) */
417 err = smp_e(tfm_aes, k, res);
419 BT_ERR("Encrypt data error");
423 /* res = res XOR p2 */
424 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
426 /* res = e(k, res) */
427 err = smp_e(tfm_aes, k, res);
429 BT_ERR("Encrypt data error");
434 static int smp_s1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
435 const u8 r1[16], const u8 r2[16], u8 _r[16])
439 /* Just least significant octets from r1 and r2 are considered */
441 memcpy(_r + 8, r1, 8);
443 err = smp_e(tfm_aes, k, _r);
445 BT_ERR("Encrypt data error");
450 static int smp_ah(struct crypto_blkcipher *tfm, const u8 irk[16],
451 const u8 r[3], u8 res[3])
456 /* r' = padding || r */
458 memset(_res + 3, 0, 13);
460 err = smp_e(tfm, irk, _res);
462 BT_ERR("Encrypt error");
466 /* The output of the random address function ah is:
467 * ah(h, r) = e(k, r') mod 2^24
468 * The output of the security function e is then truncated to 24 bits
469 * by taking the least significant 24 bits of the output of e as the
472 memcpy(res, _res, 3);
477 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
478 const bdaddr_t *bdaddr)
480 struct l2cap_chan *chan = hdev->smp_data;
481 struct crypto_blkcipher *tfm;
485 if (!chan || !chan->data)
490 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
492 err = smp_ah(tfm, irk, &bdaddr->b[3], hash);
496 return !memcmp(bdaddr->b, hash, 3);
499 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
501 struct l2cap_chan *chan = hdev->smp_data;
502 struct crypto_blkcipher *tfm;
505 if (!chan || !chan->data)
510 get_random_bytes(&rpa->b[3], 3);
512 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
513 rpa->b[5] |= 0x40; /* Set second most significant bit */
515 err = smp_ah(tfm, irk, &rpa->b[3], rpa->b);
519 BT_DBG("RPA %pMR", rpa);
524 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
526 struct l2cap_chan *chan = conn->smp;
527 struct smp_chan *smp;
534 BT_DBG("code 0x%2.2x", code);
536 iv[0].iov_base = &code;
539 iv[1].iov_base = data;
542 memset(&msg, 0, sizeof(msg));
544 iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
546 l2cap_chan_send(chan, &msg, 1 + len);
553 cancel_delayed_work_sync(&smp->security_timer);
554 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
557 static u8 authreq_to_seclevel(u8 authreq)
559 if (authreq & SMP_AUTH_MITM) {
560 if (authreq & SMP_AUTH_SC)
561 return BT_SECURITY_FIPS;
563 return BT_SECURITY_HIGH;
565 return BT_SECURITY_MEDIUM;
569 static __u8 seclevel_to_authreq(__u8 sec_level)
572 case BT_SECURITY_FIPS:
573 case BT_SECURITY_HIGH:
574 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
575 case BT_SECURITY_MEDIUM:
576 return SMP_AUTH_BONDING;
578 return SMP_AUTH_NONE;
582 static void build_pairing_cmd(struct l2cap_conn *conn,
583 struct smp_cmd_pairing *req,
584 struct smp_cmd_pairing *rsp, __u8 authreq)
586 struct l2cap_chan *chan = conn->smp;
587 struct smp_chan *smp = chan->data;
588 struct hci_conn *hcon = conn->hcon;
589 struct hci_dev *hdev = hcon->hdev;
590 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
592 if (test_bit(HCI_BONDABLE, &conn->hcon->hdev->dev_flags)) {
593 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
594 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
595 authreq |= SMP_AUTH_BONDING;
597 authreq &= ~SMP_AUTH_BONDING;
600 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
601 remote_dist |= SMP_DIST_ID_KEY;
603 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
604 local_dist |= SMP_DIST_ID_KEY;
606 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags) &&
607 (authreq & SMP_AUTH_SC)) {
608 struct oob_data *oob_data;
611 if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
612 local_dist |= SMP_DIST_LINK_KEY;
613 remote_dist |= SMP_DIST_LINK_KEY;
616 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
617 bdaddr_type = BDADDR_LE_PUBLIC;
619 bdaddr_type = BDADDR_LE_RANDOM;
621 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
623 if (oob_data && oob_data->present) {
624 set_bit(SMP_FLAG_OOB, &smp->flags);
625 oob_flag = SMP_OOB_PRESENT;
626 memcpy(smp->rr, oob_data->rand256, 16);
627 memcpy(smp->pcnf, oob_data->hash256, 16);
631 authreq &= ~SMP_AUTH_SC;
635 req->io_capability = conn->hcon->io_capability;
636 req->oob_flag = oob_flag;
637 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
638 req->init_key_dist = local_dist;
639 req->resp_key_dist = remote_dist;
640 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
642 smp->remote_key_dist = remote_dist;
646 rsp->io_capability = conn->hcon->io_capability;
647 rsp->oob_flag = oob_flag;
648 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
649 rsp->init_key_dist = req->init_key_dist & remote_dist;
650 rsp->resp_key_dist = req->resp_key_dist & local_dist;
651 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
653 smp->remote_key_dist = rsp->init_key_dist;
656 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
658 struct l2cap_chan *chan = conn->smp;
659 struct smp_chan *smp = chan->data;
661 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
662 (max_key_size < SMP_MIN_ENC_KEY_SIZE))
663 return SMP_ENC_KEY_SIZE;
665 smp->enc_key_size = max_key_size;
670 static void smp_chan_destroy(struct l2cap_conn *conn)
672 struct l2cap_chan *chan = conn->smp;
673 struct smp_chan *smp = chan->data;
674 struct hci_conn *hcon = conn->hcon;
679 cancel_delayed_work_sync(&smp->security_timer);
681 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
682 mgmt_smp_complete(hcon, complete);
685 kfree(smp->slave_csrk);
686 kfree(smp->link_key);
688 crypto_free_blkcipher(smp->tfm_aes);
689 crypto_free_hash(smp->tfm_cmac);
691 /* Ensure that we don't leave any debug key around if debug key
692 * support hasn't been explicitly enabled.
694 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
695 !test_bit(HCI_KEEP_DEBUG_KEYS, &hcon->hdev->dev_flags)) {
696 list_del_rcu(&smp->ltk->list);
697 kfree_rcu(smp->ltk, rcu);
701 /* If pairing failed clean up any keys we might have */
704 list_del_rcu(&smp->ltk->list);
705 kfree_rcu(smp->ltk, rcu);
708 if (smp->slave_ltk) {
709 list_del_rcu(&smp->slave_ltk->list);
710 kfree_rcu(smp->slave_ltk, rcu);
713 if (smp->remote_irk) {
714 list_del_rcu(&smp->remote_irk->list);
715 kfree_rcu(smp->remote_irk, rcu);
724 static void smp_failure(struct l2cap_conn *conn, u8 reason)
726 struct hci_conn *hcon = conn->hcon;
727 struct l2cap_chan *chan = conn->smp;
730 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
733 clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags);
734 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
737 smp_chan_destroy(conn);
740 #define JUST_WORKS 0x00
741 #define JUST_CFM 0x01
742 #define REQ_PASSKEY 0x02
743 #define CFM_PASSKEY 0x03
745 #define DSP_PASSKEY 0x05
748 static const u8 gen_method[5][5] = {
749 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
750 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
751 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
752 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
753 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
756 static const u8 sc_method[5][5] = {
757 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
758 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
759 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
760 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
761 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
764 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
766 /* If either side has unknown io_caps, use JUST_CFM (which gets
767 * converted later to JUST_WORKS if we're initiators.
769 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
770 remote_io > SMP_IO_KEYBOARD_DISPLAY)
773 if (test_bit(SMP_FLAG_SC, &smp->flags))
774 return sc_method[remote_io][local_io];
776 return gen_method[remote_io][local_io];
779 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
780 u8 local_io, u8 remote_io)
782 struct hci_conn *hcon = conn->hcon;
783 struct l2cap_chan *chan = conn->smp;
784 struct smp_chan *smp = chan->data;
788 /* Initialize key for JUST WORKS */
789 memset(smp->tk, 0, sizeof(smp->tk));
790 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
792 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
794 /* If neither side wants MITM, either "just" confirm an incoming
795 * request or use just-works for outgoing ones. The JUST_CFM
796 * will be converted to JUST_WORKS if necessary later in this
797 * function. If either side has MITM look up the method from the
800 if (!(auth & SMP_AUTH_MITM))
801 smp->method = JUST_CFM;
803 smp->method = get_auth_method(smp, local_io, remote_io);
805 /* Don't confirm locally initiated pairing attempts */
806 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
808 smp->method = JUST_WORKS;
810 /* Don't bother user space with no IO capabilities */
811 if (smp->method == JUST_CFM &&
812 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
813 smp->method = JUST_WORKS;
815 /* If Just Works, Continue with Zero TK */
816 if (smp->method == JUST_WORKS) {
817 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
821 /* Not Just Works/Confirm results in MITM Authentication */
822 if (smp->method != JUST_CFM) {
823 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
824 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
825 hcon->pending_sec_level = BT_SECURITY_HIGH;
828 /* If both devices have Keyoard-Display I/O, the master
829 * Confirms and the slave Enters the passkey.
831 if (smp->method == OVERLAP) {
832 if (hcon->role == HCI_ROLE_MASTER)
833 smp->method = CFM_PASSKEY;
835 smp->method = REQ_PASSKEY;
838 /* Generate random passkey. */
839 if (smp->method == CFM_PASSKEY) {
840 memset(smp->tk, 0, sizeof(smp->tk));
841 get_random_bytes(&passkey, sizeof(passkey));
843 put_unaligned_le32(passkey, smp->tk);
844 BT_DBG("PassKey: %d", passkey);
845 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
848 if (smp->method == REQ_PASSKEY)
849 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
850 hcon->type, hcon->dst_type);
851 else if (smp->method == JUST_CFM)
852 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
853 hcon->type, hcon->dst_type,
856 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
857 hcon->type, hcon->dst_type,
863 static u8 smp_confirm(struct smp_chan *smp)
865 struct l2cap_conn *conn = smp->conn;
866 struct smp_cmd_pairing_confirm cp;
869 BT_DBG("conn %p", conn);
871 ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
872 conn->hcon->init_addr_type, &conn->hcon->init_addr,
873 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
876 return SMP_UNSPECIFIED;
878 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
880 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
883 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
885 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
890 static u8 smp_random(struct smp_chan *smp)
892 struct l2cap_conn *conn = smp->conn;
893 struct hci_conn *hcon = conn->hcon;
897 if (IS_ERR_OR_NULL(smp->tfm_aes))
898 return SMP_UNSPECIFIED;
900 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
902 ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
903 hcon->init_addr_type, &hcon->init_addr,
904 hcon->resp_addr_type, &hcon->resp_addr, confirm);
906 return SMP_UNSPECIFIED;
908 if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
909 BT_ERR("Pairing failed (confirmation values mismatch)");
910 return SMP_CONFIRM_FAILED;
918 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
920 memset(stk + smp->enc_key_size, 0,
921 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
923 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
924 return SMP_UNSPECIFIED;
926 hci_le_start_enc(hcon, ediv, rand, stk);
927 hcon->enc_key_size = smp->enc_key_size;
928 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
934 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
937 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
939 memset(stk + smp->enc_key_size, 0,
940 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
942 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
947 /* Even though there's no _SLAVE suffix this is the
948 * slave STK we're adding for later lookup (the master
949 * STK never needs to be stored).
951 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
952 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
958 static void smp_notify_keys(struct l2cap_conn *conn)
960 struct l2cap_chan *chan = conn->smp;
961 struct smp_chan *smp = chan->data;
962 struct hci_conn *hcon = conn->hcon;
963 struct hci_dev *hdev = hcon->hdev;
964 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
965 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
968 if (smp->remote_irk) {
969 mgmt_new_irk(hdev, smp->remote_irk);
970 /* Now that user space can be considered to know the
971 * identity address track the connection based on it
972 * from now on (assuming this is an LE link).
974 if (hcon->type == LE_LINK) {
975 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
976 hcon->dst_type = smp->remote_irk->addr_type;
977 queue_work(hdev->workqueue, &conn->id_addr_update_work);
980 /* When receiving an indentity resolving key for
981 * a remote device that does not use a resolvable
982 * private address, just remove the key so that
983 * it is possible to use the controller white
986 * Userspace will have been told to not store
987 * this key at this point. So it is safe to
990 if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) {
991 list_del_rcu(&smp->remote_irk->list);
992 kfree_rcu(smp->remote_irk, rcu);
993 smp->remote_irk = NULL;
997 if (hcon->type == ACL_LINK) {
998 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1001 persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1004 /* The LTKs and CSRKs should be persistent only if both sides
1005 * had the bonding bit set in their authentication requests.
1007 persistent = !!((req->auth_req & rsp->auth_req) &
1013 smp->csrk->bdaddr_type = hcon->dst_type;
1014 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1015 mgmt_new_csrk(hdev, smp->csrk, persistent);
1018 if (smp->slave_csrk) {
1019 smp->slave_csrk->bdaddr_type = hcon->dst_type;
1020 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1021 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1025 smp->ltk->bdaddr_type = hcon->dst_type;
1026 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1027 mgmt_new_ltk(hdev, smp->ltk, persistent);
1030 if (smp->slave_ltk) {
1031 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1032 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1033 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1036 if (smp->link_key) {
1037 struct link_key *key;
1040 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1041 type = HCI_LK_DEBUG_COMBINATION;
1042 else if (hcon->sec_level == BT_SECURITY_FIPS)
1043 type = HCI_LK_AUTH_COMBINATION_P256;
1045 type = HCI_LK_UNAUTH_COMBINATION_P256;
1047 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1048 smp->link_key, type, 0, &persistent);
1050 mgmt_new_link_key(hdev, key, persistent);
1052 /* Don't keep debug keys around if the relevant
1055 if (!test_bit(HCI_KEEP_DEBUG_KEYS, &hdev->dev_flags) &&
1056 key->type == HCI_LK_DEBUG_COMBINATION) {
1057 list_del_rcu(&key->list);
1058 kfree_rcu(key, rcu);
1064 static void sc_add_ltk(struct smp_chan *smp)
1066 struct hci_conn *hcon = smp->conn->hcon;
1069 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1070 key_type = SMP_LTK_P256_DEBUG;
1072 key_type = SMP_LTK_P256;
1074 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1079 memset(smp->tk + smp->enc_key_size, 0,
1080 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
1082 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1083 key_type, auth, smp->tk, smp->enc_key_size,
1087 static void sc_generate_link_key(struct smp_chan *smp)
1089 /* These constants are as specified in the core specification.
1090 * In ASCII they spell out to 'tmp1' and 'lebr'.
1092 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1093 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1095 smp->link_key = kzalloc(16, GFP_KERNEL);
1099 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1100 kfree(smp->link_key);
1101 smp->link_key = NULL;
1105 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1106 kfree(smp->link_key);
1107 smp->link_key = NULL;
1112 static void smp_allow_key_dist(struct smp_chan *smp)
1114 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1115 * will be allowed in each PDU handler to ensure we receive
1116 * them in the correct order.
1118 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1119 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1120 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1121 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1122 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1123 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1126 static void sc_generate_ltk(struct smp_chan *smp)
1128 /* These constants are as specified in the core specification.
1129 * In ASCII they spell out to 'tmp2' and 'brle'.
1131 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1132 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1133 struct hci_conn *hcon = smp->conn->hcon;
1134 struct hci_dev *hdev = hcon->hdev;
1135 struct link_key *key;
1137 key = hci_find_link_key(hdev, &hcon->dst);
1139 BT_ERR("%s No Link Key found to generate LTK", hdev->name);
1143 if (key->type == HCI_LK_DEBUG_COMBINATION)
1144 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1146 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1149 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1155 static void smp_distribute_keys(struct smp_chan *smp)
1157 struct smp_cmd_pairing *req, *rsp;
1158 struct l2cap_conn *conn = smp->conn;
1159 struct hci_conn *hcon = conn->hcon;
1160 struct hci_dev *hdev = hcon->hdev;
1163 BT_DBG("conn %p", conn);
1165 rsp = (void *) &smp->prsp[1];
1167 /* The responder sends its keys first */
1168 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1169 smp_allow_key_dist(smp);
1173 req = (void *) &smp->preq[1];
1176 keydist = &rsp->init_key_dist;
1177 *keydist &= req->init_key_dist;
1179 keydist = &rsp->resp_key_dist;
1180 *keydist &= req->resp_key_dist;
1183 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1184 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1185 sc_generate_link_key(smp);
1186 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1187 sc_generate_ltk(smp);
1189 /* Clear the keys which are generated but not distributed */
1190 *keydist &= ~SMP_SC_NO_DIST;
1193 BT_DBG("keydist 0x%x", *keydist);
1195 if (*keydist & SMP_DIST_ENC_KEY) {
1196 struct smp_cmd_encrypt_info enc;
1197 struct smp_cmd_master_ident ident;
1198 struct smp_ltk *ltk;
1203 get_random_bytes(enc.ltk, sizeof(enc.ltk));
1204 get_random_bytes(&ediv, sizeof(ediv));
1205 get_random_bytes(&rand, sizeof(rand));
1207 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1209 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1210 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1211 SMP_LTK_SLAVE, authenticated, enc.ltk,
1212 smp->enc_key_size, ediv, rand);
1213 smp->slave_ltk = ltk;
1218 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1220 *keydist &= ~SMP_DIST_ENC_KEY;
1223 if (*keydist & SMP_DIST_ID_KEY) {
1224 struct smp_cmd_ident_addr_info addrinfo;
1225 struct smp_cmd_ident_info idinfo;
1227 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1229 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1231 /* The hci_conn contains the local identity address
1232 * after the connection has been established.
1234 * This is true even when the connection has been
1235 * established using a resolvable random address.
1237 bacpy(&addrinfo.bdaddr, &hcon->src);
1238 addrinfo.addr_type = hcon->src_type;
1240 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1243 *keydist &= ~SMP_DIST_ID_KEY;
1246 if (*keydist & SMP_DIST_SIGN) {
1247 struct smp_cmd_sign_info sign;
1248 struct smp_csrk *csrk;
1250 /* Generate a new random key */
1251 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1253 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1255 if (hcon->sec_level > BT_SECURITY_MEDIUM)
1256 csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1258 csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1259 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1261 smp->slave_csrk = csrk;
1263 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1265 *keydist &= ~SMP_DIST_SIGN;
1268 /* If there are still keys to be received wait for them */
1269 if (smp->remote_key_dist & KEY_DIST_MASK) {
1270 smp_allow_key_dist(smp);
1274 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1275 smp_notify_keys(conn);
1277 smp_chan_destroy(conn);
1280 static void smp_timeout(struct work_struct *work)
1282 struct smp_chan *smp = container_of(work, struct smp_chan,
1283 security_timer.work);
1284 struct l2cap_conn *conn = smp->conn;
1286 BT_DBG("conn %p", conn);
1288 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1291 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1293 struct l2cap_chan *chan = conn->smp;
1294 struct smp_chan *smp;
1296 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1300 smp->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
1301 if (IS_ERR(smp->tfm_aes)) {
1302 BT_ERR("Unable to create ECB crypto context");
1307 smp->tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
1308 if (IS_ERR(smp->tfm_cmac)) {
1309 BT_ERR("Unable to create CMAC crypto context");
1310 crypto_free_blkcipher(smp->tfm_aes);
1318 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1320 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1322 hci_conn_hold(conn->hcon);
1327 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1329 struct hci_conn *hcon = smp->conn->hcon;
1330 u8 *na, *nb, a[7], b[7];
1340 memcpy(a, &hcon->init_addr, 6);
1341 memcpy(b, &hcon->resp_addr, 6);
1342 a[6] = hcon->init_addr_type;
1343 b[6] = hcon->resp_addr_type;
1345 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1348 static void sc_dhkey_check(struct smp_chan *smp)
1350 struct hci_conn *hcon = smp->conn->hcon;
1351 struct smp_cmd_dhkey_check check;
1352 u8 a[7], b[7], *local_addr, *remote_addr;
1353 u8 io_cap[3], r[16];
1355 memcpy(a, &hcon->init_addr, 6);
1356 memcpy(b, &hcon->resp_addr, 6);
1357 a[6] = hcon->init_addr_type;
1358 b[6] = hcon->resp_addr_type;
1363 memcpy(io_cap, &smp->preq[1], 3);
1367 memcpy(io_cap, &smp->prsp[1], 3);
1370 memset(r, 0, sizeof(r));
1372 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1373 put_unaligned_le32(hcon->passkey_notify, r);
1375 if (smp->method == REQ_OOB)
1376 memcpy(r, smp->rr, 16);
1378 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1379 local_addr, remote_addr, check.e);
1381 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1384 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1386 struct l2cap_conn *conn = smp->conn;
1387 struct hci_conn *hcon = conn->hcon;
1388 struct smp_cmd_pairing_confirm cfm;
1391 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1394 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1396 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1398 return SMP_UNSPECIFIED;
1400 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1405 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1407 struct l2cap_conn *conn = smp->conn;
1408 struct hci_conn *hcon = conn->hcon;
1409 struct hci_dev *hdev = hcon->hdev;
1412 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1413 if (smp->passkey_round >= 20)
1417 case SMP_CMD_PAIRING_RANDOM:
1418 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1421 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1423 return SMP_UNSPECIFIED;
1425 if (memcmp(smp->pcnf, cfm, 16))
1426 return SMP_CONFIRM_FAILED;
1428 smp->passkey_round++;
1430 if (smp->passkey_round == 20) {
1431 /* Generate MacKey and LTK */
1432 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1433 return SMP_UNSPECIFIED;
1436 /* The round is only complete when the initiator
1437 * receives pairing random.
1440 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1441 sizeof(smp->prnd), smp->prnd);
1442 if (smp->passkey_round == 20)
1443 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1445 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1449 /* Start the next round */
1450 if (smp->passkey_round != 20)
1451 return sc_passkey_round(smp, 0);
1453 /* Passkey rounds are complete - start DHKey Check */
1454 sc_dhkey_check(smp);
1455 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1459 case SMP_CMD_PAIRING_CONFIRM:
1460 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1461 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1465 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1468 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1469 sizeof(smp->prnd), smp->prnd);
1473 return sc_passkey_send_confirm(smp);
1475 case SMP_CMD_PUBLIC_KEY:
1477 /* Initiating device starts the round */
1481 BT_DBG("%s Starting passkey round %u", hdev->name,
1482 smp->passkey_round + 1);
1484 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1486 return sc_passkey_send_confirm(smp);
1492 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1494 struct l2cap_conn *conn = smp->conn;
1495 struct hci_conn *hcon = conn->hcon;
1498 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1501 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1502 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1504 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1505 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1507 case MGMT_OP_USER_PASSKEY_REPLY:
1508 hcon->passkey_notify = le32_to_cpu(passkey);
1509 smp->passkey_round = 0;
1511 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1512 smp_op = SMP_CMD_PAIRING_CONFIRM;
1516 if (sc_passkey_round(smp, smp_op))
1522 /* Initiator sends DHKey check first */
1524 sc_dhkey_check(smp);
1525 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1526 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1527 sc_dhkey_check(smp);
1534 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1536 struct l2cap_conn *conn = hcon->l2cap_data;
1537 struct l2cap_chan *chan;
1538 struct smp_chan *smp;
1551 l2cap_chan_lock(chan);
1559 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1560 err = sc_user_reply(smp, mgmt_op, passkey);
1565 case MGMT_OP_USER_PASSKEY_REPLY:
1566 value = le32_to_cpu(passkey);
1567 memset(smp->tk, 0, sizeof(smp->tk));
1568 BT_DBG("PassKey: %d", value);
1569 put_unaligned_le32(value, smp->tk);
1571 case MGMT_OP_USER_CONFIRM_REPLY:
1572 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1574 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1575 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1576 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1580 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1587 /* If it is our turn to send Pairing Confirm, do so now */
1588 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1589 u8 rsp = smp_confirm(smp);
1591 smp_failure(conn, rsp);
1595 l2cap_chan_unlock(chan);
1599 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1600 struct smp_cmd_pairing *req,
1601 struct smp_cmd_pairing *rsp)
1603 struct l2cap_conn *conn = smp->conn;
1604 struct hci_dev *hdev = conn->hcon->hdev;
1605 u8 local_dist = 0, remote_dist = 0;
1607 if (test_bit(HCI_BONDABLE, &hdev->dev_flags)) {
1608 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1609 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1612 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
1613 remote_dist |= SMP_DIST_ID_KEY;
1615 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
1616 local_dist |= SMP_DIST_ID_KEY;
1619 memset(req, 0, sizeof(*req));
1621 req->init_key_dist = local_dist;
1622 req->resp_key_dist = remote_dist;
1623 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1625 smp->remote_key_dist = remote_dist;
1630 memset(rsp, 0, sizeof(*rsp));
1632 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1633 rsp->init_key_dist = req->init_key_dist & remote_dist;
1634 rsp->resp_key_dist = req->resp_key_dist & local_dist;
1636 smp->remote_key_dist = rsp->init_key_dist;
1639 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1641 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1642 struct l2cap_chan *chan = conn->smp;
1643 struct hci_dev *hdev = conn->hcon->hdev;
1644 struct smp_chan *smp;
1645 u8 key_size, auth, sec_level;
1648 BT_DBG("conn %p", conn);
1650 if (skb->len < sizeof(*req))
1651 return SMP_INVALID_PARAMS;
1653 if (conn->hcon->role != HCI_ROLE_SLAVE)
1654 return SMP_CMD_NOTSUPP;
1657 smp = smp_chan_create(conn);
1662 return SMP_UNSPECIFIED;
1664 /* We didn't start the pairing, so match remote */
1665 auth = req->auth_req & AUTH_REQ_MASK(hdev);
1667 if (!test_bit(HCI_BONDABLE, &hdev->dev_flags) &&
1668 (auth & SMP_AUTH_BONDING))
1669 return SMP_PAIRING_NOTSUPP;
1671 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
1672 return SMP_AUTH_REQUIREMENTS;
1674 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1675 memcpy(&smp->preq[1], req, sizeof(*req));
1676 skb_pull(skb, sizeof(*req));
1678 /* SMP over BR/EDR requires special treatment */
1679 if (conn->hcon->type == ACL_LINK) {
1680 /* We must have a BR/EDR SC link */
1681 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1682 !test_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags))
1683 return SMP_CROSS_TRANSP_NOT_ALLOWED;
1685 set_bit(SMP_FLAG_SC, &smp->flags);
1687 build_bredr_pairing_cmd(smp, req, &rsp);
1689 key_size = min(req->max_key_size, rsp.max_key_size);
1690 if (check_enc_key_size(conn, key_size))
1691 return SMP_ENC_KEY_SIZE;
1693 /* Clear bits which are generated but not distributed */
1694 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1696 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1697 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1698 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1700 smp_distribute_keys(smp);
1704 build_pairing_cmd(conn, req, &rsp, auth);
1706 if (rsp.auth_req & SMP_AUTH_SC)
1707 set_bit(SMP_FLAG_SC, &smp->flags);
1709 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1710 sec_level = BT_SECURITY_MEDIUM;
1712 sec_level = authreq_to_seclevel(auth);
1714 if (sec_level > conn->hcon->pending_sec_level)
1715 conn->hcon->pending_sec_level = sec_level;
1717 /* If we need MITM check that it can be achieved */
1718 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1721 method = get_auth_method(smp, conn->hcon->io_capability,
1722 req->io_capability);
1723 if (method == JUST_WORKS || method == JUST_CFM)
1724 return SMP_AUTH_REQUIREMENTS;
1727 key_size = min(req->max_key_size, rsp.max_key_size);
1728 if (check_enc_key_size(conn, key_size))
1729 return SMP_ENC_KEY_SIZE;
1731 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1733 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1734 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1736 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1738 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1740 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1741 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1742 /* Clear bits which are generated but not distributed */
1743 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1744 /* Wait for Public Key from Initiating Device */
1747 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1750 /* Request setup of TK */
1751 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1753 return SMP_UNSPECIFIED;
1758 static u8 sc_send_public_key(struct smp_chan *smp)
1760 struct hci_dev *hdev = smp->conn->hcon->hdev;
1764 if (test_bit(HCI_USE_DEBUG_KEYS, &hdev->dev_flags)) {
1765 BT_DBG("Using debug keys");
1766 memcpy(smp->local_pk, debug_pk, 64);
1767 memcpy(smp->local_sk, debug_sk, 32);
1768 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1771 /* Generate local key pair for Secure Connections */
1772 if (!ecc_make_key(smp->local_pk, smp->local_sk))
1773 return SMP_UNSPECIFIED;
1775 /* This is unlikely, but we need to check that
1776 * we didn't accidentially generate a debug key.
1778 if (memcmp(smp->local_sk, debug_sk, 32))
1783 SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1784 SMP_DBG("Local Public Key Y: %32phN", &smp->local_pk[32]);
1785 SMP_DBG("Local Private Key: %32phN", smp->local_sk);
1787 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1792 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1794 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1795 struct l2cap_chan *chan = conn->smp;
1796 struct smp_chan *smp = chan->data;
1797 struct hci_dev *hdev = conn->hcon->hdev;
1801 BT_DBG("conn %p", conn);
1803 if (skb->len < sizeof(*rsp))
1804 return SMP_INVALID_PARAMS;
1806 if (conn->hcon->role != HCI_ROLE_MASTER)
1807 return SMP_CMD_NOTSUPP;
1809 skb_pull(skb, sizeof(*rsp));
1811 req = (void *) &smp->preq[1];
1813 key_size = min(req->max_key_size, rsp->max_key_size);
1814 if (check_enc_key_size(conn, key_size))
1815 return SMP_ENC_KEY_SIZE;
1817 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1819 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
1820 return SMP_AUTH_REQUIREMENTS;
1822 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1823 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1825 /* Update remote key distribution in case the remote cleared
1826 * some bits that we had enabled in our request.
1828 smp->remote_key_dist &= rsp->resp_key_dist;
1830 /* For BR/EDR this means we're done and can start phase 3 */
1831 if (conn->hcon->type == ACL_LINK) {
1832 /* Clear bits which are generated but not distributed */
1833 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1834 smp_distribute_keys(smp);
1838 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1839 set_bit(SMP_FLAG_SC, &smp->flags);
1840 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1841 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1843 /* If we need MITM check that it can be achieved */
1844 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1847 method = get_auth_method(smp, req->io_capability,
1848 rsp->io_capability);
1849 if (method == JUST_WORKS || method == JUST_CFM)
1850 return SMP_AUTH_REQUIREMENTS;
1853 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1855 /* Update remote key distribution in case the remote cleared
1856 * some bits that we had enabled in our request.
1858 smp->remote_key_dist &= rsp->resp_key_dist;
1860 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1861 /* Clear bits which are generated but not distributed */
1862 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1863 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1864 return sc_send_public_key(smp);
1867 auth |= req->auth_req;
1869 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
1871 return SMP_UNSPECIFIED;
1873 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1875 /* Can't compose response until we have been confirmed */
1876 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1877 return smp_confirm(smp);
1882 static u8 sc_check_confirm(struct smp_chan *smp)
1884 struct l2cap_conn *conn = smp->conn;
1888 /* Public Key exchange must happen before any other steps */
1889 if (!test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
1890 return SMP_UNSPECIFIED;
1892 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1893 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
1895 if (conn->hcon->out) {
1896 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1898 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1904 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
1906 struct l2cap_chan *chan = conn->smp;
1907 struct smp_chan *smp = chan->data;
1909 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
1911 if (skb->len < sizeof(smp->pcnf))
1912 return SMP_INVALID_PARAMS;
1914 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
1915 skb_pull(skb, sizeof(smp->pcnf));
1917 if (test_bit(SMP_FLAG_SC, &smp->flags))
1918 return sc_check_confirm(smp);
1920 if (conn->hcon->out) {
1921 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1923 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1927 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1928 return smp_confirm(smp);
1930 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1935 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
1937 struct l2cap_chan *chan = conn->smp;
1938 struct smp_chan *smp = chan->data;
1939 struct hci_conn *hcon = conn->hcon;
1940 u8 *pkax, *pkbx, *na, *nb;
1944 BT_DBG("conn %p", conn);
1946 if (skb->len < sizeof(smp->rrnd))
1947 return SMP_INVALID_PARAMS;
1949 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
1950 skb_pull(skb, sizeof(smp->rrnd));
1952 if (!test_bit(SMP_FLAG_SC, &smp->flags))
1953 return smp_random(smp);
1956 pkax = smp->local_pk;
1957 pkbx = smp->remote_pk;
1961 pkax = smp->remote_pk;
1962 pkbx = smp->local_pk;
1967 if (smp->method == REQ_OOB) {
1969 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1970 sizeof(smp->prnd), smp->prnd);
1971 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1972 goto mackey_and_ltk;
1975 /* Passkey entry has special treatment */
1976 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1977 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
1982 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1985 return SMP_UNSPECIFIED;
1987 if (memcmp(smp->pcnf, cfm, 16))
1988 return SMP_CONFIRM_FAILED;
1990 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1992 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1996 /* Generate MacKey and LTK */
1997 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
1999 return SMP_UNSPECIFIED;
2001 if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2003 sc_dhkey_check(smp);
2004 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2009 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2011 return SMP_UNSPECIFIED;
2013 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2014 hcon->dst_type, passkey, 0);
2016 return SMP_UNSPECIFIED;
2018 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2023 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2025 struct smp_ltk *key;
2026 struct hci_conn *hcon = conn->hcon;
2028 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2032 if (smp_ltk_sec_level(key) < sec_level)
2035 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2038 hci_le_start_enc(hcon, key->ediv, key->rand, key->val);
2039 hcon->enc_key_size = key->enc_size;
2041 /* We never store STKs for master role, so clear this flag */
2042 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2047 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2048 enum smp_key_pref key_pref)
2050 if (sec_level == BT_SECURITY_LOW)
2053 /* If we're encrypted with an STK but the caller prefers using
2054 * LTK claim insufficient security. This way we allow the
2055 * connection to be re-encrypted with an LTK, even if the LTK
2056 * provides the same level of security. Only exception is if we
2057 * don't have an LTK (e.g. because of key distribution bits).
2059 if (key_pref == SMP_USE_LTK &&
2060 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2061 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2064 if (hcon->sec_level >= sec_level)
2070 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2072 struct smp_cmd_security_req *rp = (void *) skb->data;
2073 struct smp_cmd_pairing cp;
2074 struct hci_conn *hcon = conn->hcon;
2075 struct hci_dev *hdev = hcon->hdev;
2076 struct smp_chan *smp;
2079 BT_DBG("conn %p", conn);
2081 if (skb->len < sizeof(*rp))
2082 return SMP_INVALID_PARAMS;
2084 if (hcon->role != HCI_ROLE_MASTER)
2085 return SMP_CMD_NOTSUPP;
2087 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2089 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
2090 return SMP_AUTH_REQUIREMENTS;
2092 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2093 sec_level = BT_SECURITY_MEDIUM;
2095 sec_level = authreq_to_seclevel(auth);
2097 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2100 if (sec_level > hcon->pending_sec_level)
2101 hcon->pending_sec_level = sec_level;
2103 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2106 smp = smp_chan_create(conn);
2108 return SMP_UNSPECIFIED;
2110 if (!test_bit(HCI_BONDABLE, &hcon->hdev->dev_flags) &&
2111 (auth & SMP_AUTH_BONDING))
2112 return SMP_PAIRING_NOTSUPP;
2114 skb_pull(skb, sizeof(*rp));
2116 memset(&cp, 0, sizeof(cp));
2117 build_pairing_cmd(conn, &cp, NULL, auth);
2119 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2120 memcpy(&smp->preq[1], &cp, sizeof(cp));
2122 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2123 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2128 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2130 struct l2cap_conn *conn = hcon->l2cap_data;
2131 struct l2cap_chan *chan;
2132 struct smp_chan *smp;
2136 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2138 /* This may be NULL if there's an unexpected disconnection */
2144 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags))
2147 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2150 if (sec_level > hcon->pending_sec_level)
2151 hcon->pending_sec_level = sec_level;
2153 if (hcon->role == HCI_ROLE_MASTER)
2154 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2157 l2cap_chan_lock(chan);
2159 /* If SMP is already in progress ignore this request */
2165 smp = smp_chan_create(conn);
2171 authreq = seclevel_to_authreq(sec_level);
2173 if (test_bit(HCI_SC_ENABLED, &hcon->hdev->dev_flags))
2174 authreq |= SMP_AUTH_SC;
2176 /* Require MITM if IO Capability allows or the security level
2179 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2180 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2181 authreq |= SMP_AUTH_MITM;
2183 if (hcon->role == HCI_ROLE_MASTER) {
2184 struct smp_cmd_pairing cp;
2186 build_pairing_cmd(conn, &cp, NULL, authreq);
2187 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2188 memcpy(&smp->preq[1], &cp, sizeof(cp));
2190 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2191 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2193 struct smp_cmd_security_req cp;
2194 cp.auth_req = authreq;
2195 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2196 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2199 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2203 l2cap_chan_unlock(chan);
2207 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2209 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2210 struct l2cap_chan *chan = conn->smp;
2211 struct smp_chan *smp = chan->data;
2213 BT_DBG("conn %p", conn);
2215 if (skb->len < sizeof(*rp))
2216 return SMP_INVALID_PARAMS;
2218 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2220 skb_pull(skb, sizeof(*rp));
2222 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2227 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2229 struct smp_cmd_master_ident *rp = (void *) skb->data;
2230 struct l2cap_chan *chan = conn->smp;
2231 struct smp_chan *smp = chan->data;
2232 struct hci_dev *hdev = conn->hcon->hdev;
2233 struct hci_conn *hcon = conn->hcon;
2234 struct smp_ltk *ltk;
2237 BT_DBG("conn %p", conn);
2239 if (skb->len < sizeof(*rp))
2240 return SMP_INVALID_PARAMS;
2242 /* Mark the information as received */
2243 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2245 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2246 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2247 else if (smp->remote_key_dist & SMP_DIST_SIGN)
2248 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2250 skb_pull(skb, sizeof(*rp));
2252 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2253 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2254 authenticated, smp->tk, smp->enc_key_size,
2255 rp->ediv, rp->rand);
2257 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2258 smp_distribute_keys(smp);
2263 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2265 struct smp_cmd_ident_info *info = (void *) skb->data;
2266 struct l2cap_chan *chan = conn->smp;
2267 struct smp_chan *smp = chan->data;
2271 if (skb->len < sizeof(*info))
2272 return SMP_INVALID_PARAMS;
2274 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2276 skb_pull(skb, sizeof(*info));
2278 memcpy(smp->irk, info->irk, 16);
2283 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2284 struct sk_buff *skb)
2286 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2287 struct l2cap_chan *chan = conn->smp;
2288 struct smp_chan *smp = chan->data;
2289 struct hci_conn *hcon = conn->hcon;
2294 if (skb->len < sizeof(*info))
2295 return SMP_INVALID_PARAMS;
2297 /* Mark the information as received */
2298 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2300 if (smp->remote_key_dist & SMP_DIST_SIGN)
2301 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2303 skb_pull(skb, sizeof(*info));
2305 /* Strictly speaking the Core Specification (4.1) allows sending
2306 * an empty address which would force us to rely on just the IRK
2307 * as "identity information". However, since such
2308 * implementations are not known of and in order to not over
2309 * complicate our implementation, simply pretend that we never
2310 * received an IRK for such a device.
2312 * The Identity Address must also be a Static Random or Public
2313 * Address, which hci_is_identity_address() checks for.
2315 if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2316 !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2317 BT_ERR("Ignoring IRK with no identity address");
2321 bacpy(&smp->id_addr, &info->bdaddr);
2322 smp->id_addr_type = info->addr_type;
2324 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2325 bacpy(&rpa, &hcon->dst);
2327 bacpy(&rpa, BDADDR_ANY);
2329 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2330 smp->id_addr_type, smp->irk, &rpa);
2333 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2334 smp_distribute_keys(smp);
2339 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2341 struct smp_cmd_sign_info *rp = (void *) skb->data;
2342 struct l2cap_chan *chan = conn->smp;
2343 struct smp_chan *smp = chan->data;
2344 struct smp_csrk *csrk;
2346 BT_DBG("conn %p", conn);
2348 if (skb->len < sizeof(*rp))
2349 return SMP_INVALID_PARAMS;
2351 /* Mark the information as received */
2352 smp->remote_key_dist &= ~SMP_DIST_SIGN;
2354 skb_pull(skb, sizeof(*rp));
2356 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2358 if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2359 csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2361 csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2362 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2365 smp_distribute_keys(smp);
2370 static u8 sc_select_method(struct smp_chan *smp)
2372 struct l2cap_conn *conn = smp->conn;
2373 struct hci_conn *hcon = conn->hcon;
2374 struct smp_cmd_pairing *local, *remote;
2375 u8 local_mitm, remote_mitm, local_io, remote_io, method;
2377 if (test_bit(SMP_FLAG_OOB, &smp->flags))
2380 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2381 * which are needed as inputs to some crypto functions. To get
2382 * the "struct smp_cmd_pairing" from them we need to skip the
2383 * first byte which contains the opcode.
2386 local = (void *) &smp->preq[1];
2387 remote = (void *) &smp->prsp[1];
2389 local = (void *) &smp->prsp[1];
2390 remote = (void *) &smp->preq[1];
2393 local_io = local->io_capability;
2394 remote_io = remote->io_capability;
2396 local_mitm = (local->auth_req & SMP_AUTH_MITM);
2397 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2399 /* If either side wants MITM, look up the method from the table,
2400 * otherwise use JUST WORKS.
2402 if (local_mitm || remote_mitm)
2403 method = get_auth_method(smp, local_io, remote_io);
2405 method = JUST_WORKS;
2407 /* Don't confirm locally initiated pairing attempts */
2408 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2409 method = JUST_WORKS;
2414 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2416 struct smp_cmd_public_key *key = (void *) skb->data;
2417 struct hci_conn *hcon = conn->hcon;
2418 struct l2cap_chan *chan = conn->smp;
2419 struct smp_chan *smp = chan->data;
2420 struct hci_dev *hdev = hcon->hdev;
2421 struct smp_cmd_pairing_confirm cfm;
2424 BT_DBG("conn %p", conn);
2426 if (skb->len < sizeof(*key))
2427 return SMP_INVALID_PARAMS;
2429 memcpy(smp->remote_pk, key, 64);
2431 /* Non-initiating device sends its public key after receiving
2432 * the key from the initiating device.
2435 err = sc_send_public_key(smp);
2440 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2441 SMP_DBG("Remote Public Key Y: %32phN", &smp->remote_pk[32]);
2443 if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2444 return SMP_UNSPECIFIED;
2446 SMP_DBG("DHKey %32phN", smp->dhkey);
2448 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2450 smp->method = sc_select_method(smp);
2452 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2454 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2455 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2456 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2458 hcon->pending_sec_level = BT_SECURITY_FIPS;
2460 if (!memcmp(debug_pk, smp->remote_pk, 64))
2461 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2463 if (smp->method == DSP_PASSKEY) {
2464 get_random_bytes(&hcon->passkey_notify,
2465 sizeof(hcon->passkey_notify));
2466 hcon->passkey_notify %= 1000000;
2467 hcon->passkey_entered = 0;
2468 smp->passkey_round = 0;
2469 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2471 hcon->passkey_notify,
2472 hcon->passkey_entered))
2473 return SMP_UNSPECIFIED;
2474 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2475 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2478 if (smp->method == REQ_OOB) {
2479 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2480 smp->rr, 0, cfm.confirm_val);
2482 return SMP_UNSPECIFIED;
2484 if (memcmp(cfm.confirm_val, smp->pcnf, 16))
2485 return SMP_CONFIRM_FAILED;
2488 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2489 sizeof(smp->prnd), smp->prnd);
2491 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2497 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2499 if (smp->method == REQ_PASSKEY) {
2500 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2502 return SMP_UNSPECIFIED;
2503 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2504 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2508 /* The Initiating device waits for the non-initiating device to
2509 * send the confirm value.
2511 if (conn->hcon->out)
2514 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2515 0, cfm.confirm_val);
2517 return SMP_UNSPECIFIED;
2519 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2520 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2525 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2527 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2528 struct l2cap_chan *chan = conn->smp;
2529 struct hci_conn *hcon = conn->hcon;
2530 struct smp_chan *smp = chan->data;
2531 u8 a[7], b[7], *local_addr, *remote_addr;
2532 u8 io_cap[3], r[16], e[16];
2535 BT_DBG("conn %p", conn);
2537 if (skb->len < sizeof(*check))
2538 return SMP_INVALID_PARAMS;
2540 memcpy(a, &hcon->init_addr, 6);
2541 memcpy(b, &hcon->resp_addr, 6);
2542 a[6] = hcon->init_addr_type;
2543 b[6] = hcon->resp_addr_type;
2548 memcpy(io_cap, &smp->prsp[1], 3);
2552 memcpy(io_cap, &smp->preq[1], 3);
2555 memset(r, 0, sizeof(r));
2557 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2558 put_unaligned_le32(hcon->passkey_notify, r);
2560 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2561 io_cap, remote_addr, local_addr, e);
2563 return SMP_UNSPECIFIED;
2565 if (memcmp(check->e, e, 16))
2566 return SMP_DHKEY_CHECK_FAILED;
2569 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2570 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2574 /* Slave sends DHKey check as response to master */
2575 sc_dhkey_check(smp);
2581 hci_le_start_enc(hcon, 0, 0, smp->tk);
2582 hcon->enc_key_size = smp->enc_key_size;
2588 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2589 struct sk_buff *skb)
2591 struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2593 BT_DBG("value 0x%02x", kp->value);
2598 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2600 struct l2cap_conn *conn = chan->conn;
2601 struct hci_conn *hcon = conn->hcon;
2602 struct smp_chan *smp;
2609 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags)) {
2610 reason = SMP_PAIRING_NOTSUPP;
2614 code = skb->data[0];
2615 skb_pull(skb, sizeof(code));
2619 if (code > SMP_CMD_MAX)
2622 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2625 /* If we don't have a context the only allowed commands are
2626 * pairing request and security request.
2628 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2632 case SMP_CMD_PAIRING_REQ:
2633 reason = smp_cmd_pairing_req(conn, skb);
2636 case SMP_CMD_PAIRING_FAIL:
2637 smp_failure(conn, 0);
2641 case SMP_CMD_PAIRING_RSP:
2642 reason = smp_cmd_pairing_rsp(conn, skb);
2645 case SMP_CMD_SECURITY_REQ:
2646 reason = smp_cmd_security_req(conn, skb);
2649 case SMP_CMD_PAIRING_CONFIRM:
2650 reason = smp_cmd_pairing_confirm(conn, skb);
2653 case SMP_CMD_PAIRING_RANDOM:
2654 reason = smp_cmd_pairing_random(conn, skb);
2657 case SMP_CMD_ENCRYPT_INFO:
2658 reason = smp_cmd_encrypt_info(conn, skb);
2661 case SMP_CMD_MASTER_IDENT:
2662 reason = smp_cmd_master_ident(conn, skb);
2665 case SMP_CMD_IDENT_INFO:
2666 reason = smp_cmd_ident_info(conn, skb);
2669 case SMP_CMD_IDENT_ADDR_INFO:
2670 reason = smp_cmd_ident_addr_info(conn, skb);
2673 case SMP_CMD_SIGN_INFO:
2674 reason = smp_cmd_sign_info(conn, skb);
2677 case SMP_CMD_PUBLIC_KEY:
2678 reason = smp_cmd_public_key(conn, skb);
2681 case SMP_CMD_DHKEY_CHECK:
2682 reason = smp_cmd_dhkey_check(conn, skb);
2685 case SMP_CMD_KEYPRESS_NOTIFY:
2686 reason = smp_cmd_keypress_notify(conn, skb);
2690 BT_DBG("Unknown command code 0x%2.2x", code);
2691 reason = SMP_CMD_NOTSUPP;
2698 smp_failure(conn, reason);
2705 BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2711 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2713 struct l2cap_conn *conn = chan->conn;
2715 BT_DBG("chan %p", chan);
2718 smp_chan_destroy(conn);
2721 l2cap_chan_put(chan);
2724 static void bredr_pairing(struct l2cap_chan *chan)
2726 struct l2cap_conn *conn = chan->conn;
2727 struct hci_conn *hcon = conn->hcon;
2728 struct hci_dev *hdev = hcon->hdev;
2729 struct smp_cmd_pairing req;
2730 struct smp_chan *smp;
2732 BT_DBG("chan %p", chan);
2734 /* Only new pairings are interesting */
2735 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2738 /* Don't bother if we're not encrypted */
2739 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2742 /* Only master may initiate SMP over BR/EDR */
2743 if (hcon->role != HCI_ROLE_MASTER)
2746 /* Secure Connections support must be enabled */
2747 if (!test_bit(HCI_SC_ENABLED, &hdev->dev_flags))
2750 /* BR/EDR must use Secure Connections for SMP */
2751 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
2752 !test_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags))
2755 /* If our LE support is not enabled don't do anything */
2756 if (!test_bit(HCI_LE_ENABLED, &hdev->dev_flags))
2759 /* Don't bother if remote LE support is not enabled */
2760 if (!lmp_host_le_capable(hcon))
2763 /* Remote must support SMP fixed chan for BR/EDR */
2764 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
2767 /* Don't bother if SMP is already ongoing */
2771 smp = smp_chan_create(conn);
2773 BT_ERR("%s unable to create SMP context for BR/EDR",
2778 set_bit(SMP_FLAG_SC, &smp->flags);
2780 BT_DBG("%s starting SMP over BR/EDR", hdev->name);
2782 /* Prepare and send the BR/EDR SMP Pairing Request */
2783 build_bredr_pairing_cmd(smp, &req, NULL);
2785 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2786 memcpy(&smp->preq[1], &req, sizeof(req));
2788 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
2789 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2792 static void smp_resume_cb(struct l2cap_chan *chan)
2794 struct smp_chan *smp = chan->data;
2795 struct l2cap_conn *conn = chan->conn;
2796 struct hci_conn *hcon = conn->hcon;
2798 BT_DBG("chan %p", chan);
2800 if (hcon->type == ACL_LINK) {
2801 bredr_pairing(chan);
2808 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2811 cancel_delayed_work(&smp->security_timer);
2813 smp_distribute_keys(smp);
2816 static void smp_ready_cb(struct l2cap_chan *chan)
2818 struct l2cap_conn *conn = chan->conn;
2819 struct hci_conn *hcon = conn->hcon;
2821 BT_DBG("chan %p", chan);
2824 l2cap_chan_hold(chan);
2826 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2827 bredr_pairing(chan);
2830 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
2834 BT_DBG("chan %p", chan);
2836 err = smp_sig_channel(chan, skb);
2838 struct smp_chan *smp = chan->data;
2841 cancel_delayed_work_sync(&smp->security_timer);
2843 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
2849 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
2850 unsigned long hdr_len,
2851 unsigned long len, int nb)
2853 struct sk_buff *skb;
2855 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
2857 return ERR_PTR(-ENOMEM);
2859 skb->priority = HCI_PRIO_MAX;
2860 bt_cb(skb)->chan = chan;
2865 static const struct l2cap_ops smp_chan_ops = {
2866 .name = "Security Manager",
2867 .ready = smp_ready_cb,
2868 .recv = smp_recv_cb,
2869 .alloc_skb = smp_alloc_skb_cb,
2870 .teardown = smp_teardown_cb,
2871 .resume = smp_resume_cb,
2873 .new_connection = l2cap_chan_no_new_connection,
2874 .state_change = l2cap_chan_no_state_change,
2875 .close = l2cap_chan_no_close,
2876 .defer = l2cap_chan_no_defer,
2877 .suspend = l2cap_chan_no_suspend,
2878 .set_shutdown = l2cap_chan_no_set_shutdown,
2879 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
2882 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
2884 struct l2cap_chan *chan;
2886 BT_DBG("pchan %p", pchan);
2888 chan = l2cap_chan_create();
2892 chan->chan_type = pchan->chan_type;
2893 chan->ops = &smp_chan_ops;
2894 chan->scid = pchan->scid;
2895 chan->dcid = chan->scid;
2896 chan->imtu = pchan->imtu;
2897 chan->omtu = pchan->omtu;
2898 chan->mode = pchan->mode;
2900 /* Other L2CAP channels may request SMP routines in order to
2901 * change the security level. This means that the SMP channel
2902 * lock must be considered in its own category to avoid lockdep
2905 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
2907 BT_DBG("created chan %p", chan);
2912 static const struct l2cap_ops smp_root_chan_ops = {
2913 .name = "Security Manager Root",
2914 .new_connection = smp_new_conn_cb,
2916 /* None of these are implemented for the root channel */
2917 .close = l2cap_chan_no_close,
2918 .alloc_skb = l2cap_chan_no_alloc_skb,
2919 .recv = l2cap_chan_no_recv,
2920 .state_change = l2cap_chan_no_state_change,
2921 .teardown = l2cap_chan_no_teardown,
2922 .ready = l2cap_chan_no_ready,
2923 .defer = l2cap_chan_no_defer,
2924 .suspend = l2cap_chan_no_suspend,
2925 .resume = l2cap_chan_no_resume,
2926 .set_shutdown = l2cap_chan_no_set_shutdown,
2927 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
2930 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
2932 struct l2cap_chan *chan;
2933 struct crypto_blkcipher *tfm_aes;
2935 if (cid == L2CAP_CID_SMP_BREDR) {
2940 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, 0);
2941 if (IS_ERR(tfm_aes)) {
2942 BT_ERR("Unable to create crypto context");
2943 return ERR_CAST(tfm_aes);
2947 chan = l2cap_chan_create();
2949 crypto_free_blkcipher(tfm_aes);
2950 return ERR_PTR(-ENOMEM);
2953 chan->data = tfm_aes;
2955 l2cap_add_scid(chan, cid);
2957 l2cap_chan_set_defaults(chan);
2959 if (cid == L2CAP_CID_SMP) {
2962 hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
2964 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
2965 chan->src_type = BDADDR_LE_PUBLIC;
2967 chan->src_type = BDADDR_LE_RANDOM;
2969 bacpy(&chan->src, &hdev->bdaddr);
2970 chan->src_type = BDADDR_BREDR;
2973 chan->state = BT_LISTEN;
2974 chan->mode = L2CAP_MODE_BASIC;
2975 chan->imtu = L2CAP_DEFAULT_MTU;
2976 chan->ops = &smp_root_chan_ops;
2978 /* Set correct nesting level for a parent/listening channel */
2979 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
2984 static void smp_del_chan(struct l2cap_chan *chan)
2986 struct crypto_blkcipher *tfm_aes;
2988 BT_DBG("chan %p", chan);
2990 tfm_aes = chan->data;
2993 crypto_free_blkcipher(tfm_aes);
2996 l2cap_chan_put(chan);
2999 static ssize_t force_bredr_smp_read(struct file *file,
3000 char __user *user_buf,
3001 size_t count, loff_t *ppos)
3003 struct hci_dev *hdev = file->private_data;
3006 buf[0] = test_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags) ? 'Y': 'N';
3009 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3012 static ssize_t force_bredr_smp_write(struct file *file,
3013 const char __user *user_buf,
3014 size_t count, loff_t *ppos)
3016 struct hci_dev *hdev = file->private_data;
3018 size_t buf_size = min(count, (sizeof(buf)-1));
3021 if (copy_from_user(buf, user_buf, buf_size))
3024 buf[buf_size] = '\0';
3025 if (strtobool(buf, &enable))
3028 if (enable == test_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags))
3032 struct l2cap_chan *chan;
3034 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3036 return PTR_ERR(chan);
3038 hdev->smp_bredr_data = chan;
3040 struct l2cap_chan *chan;
3042 chan = hdev->smp_bredr_data;
3043 hdev->smp_bredr_data = NULL;
3047 change_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags);
3052 static const struct file_operations force_bredr_smp_fops = {
3053 .open = simple_open,
3054 .read = force_bredr_smp_read,
3055 .write = force_bredr_smp_write,
3056 .llseek = default_llseek,
3059 int smp_register(struct hci_dev *hdev)
3061 struct l2cap_chan *chan;
3063 BT_DBG("%s", hdev->name);
3065 /* If the controller does not support Low Energy operation, then
3066 * there is also no need to register any SMP channel.
3068 if (!lmp_le_capable(hdev))
3071 if (WARN_ON(hdev->smp_data)) {
3072 chan = hdev->smp_data;
3073 hdev->smp_data = NULL;
3077 chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3079 return PTR_ERR(chan);
3081 hdev->smp_data = chan;
3083 /* If the controller does not support BR/EDR Secure Connections
3084 * feature, then the BR/EDR SMP channel shall not be present.
3086 * To test this with Bluetooth 4.0 controllers, create a debugfs
3087 * switch that allows forcing BR/EDR SMP support and accepting
3088 * cross-transport pairing on non-AES encrypted connections.
3090 if (!lmp_sc_capable(hdev)) {
3091 debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3092 hdev, &force_bredr_smp_fops);
3096 if (WARN_ON(hdev->smp_bredr_data)) {
3097 chan = hdev->smp_bredr_data;
3098 hdev->smp_bredr_data = NULL;
3102 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3104 int err = PTR_ERR(chan);
3105 chan = hdev->smp_data;
3106 hdev->smp_data = NULL;
3111 hdev->smp_bredr_data = chan;
3116 void smp_unregister(struct hci_dev *hdev)
3118 struct l2cap_chan *chan;
3120 if (hdev->smp_bredr_data) {
3121 chan = hdev->smp_bredr_data;
3122 hdev->smp_bredr_data = NULL;
3126 if (hdev->smp_data) {
3127 chan = hdev->smp_data;
3128 hdev->smp_data = NULL;
3133 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3135 static int __init test_ah(struct crypto_blkcipher *tfm_aes)
3137 const u8 irk[16] = {
3138 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3139 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3140 const u8 r[3] = { 0x94, 0x81, 0x70 };
3141 const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3145 err = smp_ah(tfm_aes, irk, r, res);
3149 if (memcmp(res, exp, 3))
3155 static int __init test_c1(struct crypto_blkcipher *tfm_aes)
3158 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3159 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3161 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3162 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3163 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3164 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3165 const u8 _iat = 0x01;
3166 const u8 _rat = 0x00;
3167 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3168 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3169 const u8 exp[16] = {
3170 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3171 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3175 err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3179 if (memcmp(res, exp, 16))
3185 static int __init test_s1(struct crypto_blkcipher *tfm_aes)
3188 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3189 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3191 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3193 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3194 const u8 exp[16] = {
3195 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3196 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3200 err = smp_s1(tfm_aes, k, r1, r2, res);
3204 if (memcmp(res, exp, 16))
3210 static int __init test_f4(struct crypto_hash *tfm_cmac)
3213 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3214 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3215 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3216 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3218 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3219 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3220 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3221 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3223 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3224 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3226 const u8 exp[16] = {
3227 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3228 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3232 err = smp_f4(tfm_cmac, u, v, x, z, res);
3236 if (memcmp(res, exp, 16))
3242 static int __init test_f5(struct crypto_hash *tfm_cmac)
3245 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3246 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3247 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3248 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3250 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3251 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3253 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3254 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3255 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3256 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3257 const u8 exp_ltk[16] = {
3258 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3259 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3260 const u8 exp_mackey[16] = {
3261 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3262 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3263 u8 mackey[16], ltk[16];
3266 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3270 if (memcmp(mackey, exp_mackey, 16))
3273 if (memcmp(ltk, exp_ltk, 16))
3279 static int __init test_f6(struct crypto_hash *tfm_cmac)
3282 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3283 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3285 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3286 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3288 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3289 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3291 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3292 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3293 const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3294 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3295 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3296 const u8 exp[16] = {
3297 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3298 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3302 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3306 if (memcmp(res, exp, 16))
3312 static int __init test_g2(struct crypto_hash *tfm_cmac)
3315 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3316 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3317 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3318 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3320 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3321 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3322 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3323 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3325 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3326 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3328 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3329 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3330 const u32 exp_val = 0x2f9ed5ba % 1000000;
3334 err = smp_g2(tfm_cmac, u, v, x, y, &val);
3344 static int __init test_h6(struct crypto_hash *tfm_cmac)
3347 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3348 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3349 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3350 const u8 exp[16] = {
3351 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3352 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3356 err = smp_h6(tfm_cmac, w, key_id, res);
3360 if (memcmp(res, exp, 16))
3366 static int __init run_selftests(struct crypto_blkcipher *tfm_aes,
3367 struct crypto_hash *tfm_cmac)
3369 ktime_t calltime, delta, rettime;
3370 unsigned long long duration;
3373 calltime = ktime_get();
3375 err = test_ah(tfm_aes);
3377 BT_ERR("smp_ah test failed");
3381 err = test_c1(tfm_aes);
3383 BT_ERR("smp_c1 test failed");
3387 err = test_s1(tfm_aes);
3389 BT_ERR("smp_s1 test failed");
3393 err = test_f4(tfm_cmac);
3395 BT_ERR("smp_f4 test failed");
3399 err = test_f5(tfm_cmac);
3401 BT_ERR("smp_f5 test failed");
3405 err = test_f6(tfm_cmac);
3407 BT_ERR("smp_f6 test failed");
3411 err = test_g2(tfm_cmac);
3413 BT_ERR("smp_g2 test failed");
3417 err = test_h6(tfm_cmac);
3419 BT_ERR("smp_h6 test failed");
3423 rettime = ktime_get();
3424 delta = ktime_sub(rettime, calltime);
3425 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3427 BT_INFO("SMP test passed in %llu usecs", duration);
3432 int __init bt_selftest_smp(void)
3434 struct crypto_blkcipher *tfm_aes;
3435 struct crypto_hash *tfm_cmac;
3438 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
3439 if (IS_ERR(tfm_aes)) {
3440 BT_ERR("Unable to create ECB crypto context");
3441 return PTR_ERR(tfm_aes);
3444 tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3445 if (IS_ERR(tfm_cmac)) {
3446 BT_ERR("Unable to create CMAC crypto context");
3447 crypto_free_blkcipher(tfm_aes);
3448 return PTR_ERR(tfm_cmac);
3451 err = run_selftests(tfm_aes, tfm_cmac);
3453 crypto_free_hash(tfm_cmac);
3454 crypto_free_blkcipher(tfm_aes);