2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
23 #include <linux/debugfs.h>
24 #include <linux/crypto.h>
25 #include <linux/scatterlist.h>
26 #include <crypto/b128ops.h>
28 #include <net/bluetooth/bluetooth.h>
29 #include <net/bluetooth/hci_core.h>
30 #include <net/bluetooth/l2cap.h>
31 #include <net/bluetooth/mgmt.h>
36 /* Low-level debug macros to be used for stuff that we don't want
37 * accidentially in dmesg, i.e. the values of the various crypto keys
38 * and the inputs & outputs of crypto functions.
41 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
44 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
48 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
50 /* Keys which are not distributed with Secure Connections */
51 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
53 #define SMP_TIMEOUT msecs_to_jiffies(30000)
55 #define AUTH_REQ_MASK(dev) (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
57 #define KEY_DIST_MASK 0x07
59 /* Maximum message length that can be passed to aes_cmac */
60 #define CMAC_MSG_MAX 80
72 SMP_FLAG_DHKEY_PENDING,
78 /* Secure Connections OOB data */
84 struct crypto_blkcipher *tfm_aes;
85 struct crypto_hash *tfm_cmac;
89 struct l2cap_conn *conn;
90 struct delayed_work security_timer;
91 unsigned long allow_cmd; /* Bitmask of allowed commands */
93 u8 preq[7]; /* SMP Pairing Request */
94 u8 prsp[7]; /* SMP Pairing Response */
95 u8 prnd[16]; /* SMP Pairing Random (local) */
96 u8 rrnd[16]; /* SMP Pairing Random (remote) */
97 u8 pcnf[16]; /* SMP Pairing Confirm */
98 u8 tk[16]; /* SMP Temporary Key */
99 u8 rr[16]; /* Remote OOB ra/rb value */
100 u8 lr[16]; /* Local OOB ra/rb value */
106 struct smp_csrk *csrk;
107 struct smp_csrk *slave_csrk;
109 struct smp_ltk *slave_ltk;
110 struct smp_irk *remote_irk;
116 /* Secure Connections variables */
123 struct crypto_blkcipher *tfm_aes;
124 struct crypto_hash *tfm_cmac;
127 /* These debug key values are defined in the SMP section of the core
128 * specification. debug_pk is the public debug key and debug_sk the
131 static const u8 debug_pk[64] = {
132 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
133 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
134 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
135 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
137 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
138 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
139 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
140 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
143 static const u8 debug_sk[32] = {
144 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
145 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
146 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
147 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
150 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
154 for (i = 0; i < len; i++)
155 dst[len - 1 - i] = src[i];
158 /* The following functions map to the LE SC SMP crypto functions
159 * AES-CMAC, f4, f5, f6, g2 and h6.
162 static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m,
163 size_t len, u8 mac[16])
165 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
166 struct hash_desc desc;
167 struct scatterlist sg;
170 if (len > CMAC_MSG_MAX)
174 BT_ERR("tfm %p", tfm);
181 crypto_hash_init(&desc);
183 /* Swap key and message from LSB to MSB */
184 swap_buf(k, tmp, 16);
185 swap_buf(m, msg_msb, len);
187 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
188 SMP_DBG("key %16phN", k);
190 err = crypto_hash_setkey(tfm, tmp, 16);
192 BT_ERR("cipher setkey failed: %d", err);
196 sg_init_one(&sg, msg_msb, len);
198 err = crypto_hash_update(&desc, &sg, len);
200 BT_ERR("Hash update error %d", err);
204 err = crypto_hash_final(&desc, mac_msb);
206 BT_ERR("Hash final error %d", err);
210 swap_buf(mac_msb, mac, 16);
212 SMP_DBG("mac %16phN", mac);
217 static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
218 const u8 x[16], u8 z, u8 res[16])
223 SMP_DBG("u %32phN", u);
224 SMP_DBG("v %32phN", v);
225 SMP_DBG("x %16phN z %02x", x, z);
228 memcpy(m + 1, v, 32);
229 memcpy(m + 33, u, 32);
231 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
235 SMP_DBG("res %16phN", res);
240 static int smp_f5(struct crypto_hash *tfm_cmac, const u8 w[32],
241 const u8 n1[16], const u8 n2[16], const u8 a1[7],
242 const u8 a2[7], u8 mackey[16], u8 ltk[16])
244 /* The btle, salt and length "magic" values are as defined in
245 * the SMP section of the Bluetooth core specification. In ASCII
246 * the btle value ends up being 'btle'. The salt is just a
247 * random number whereas length is the value 256 in little
250 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
251 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
252 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
253 const u8 length[2] = { 0x00, 0x01 };
257 SMP_DBG("w %32phN", w);
258 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
259 SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
261 err = aes_cmac(tfm_cmac, salt, w, 32, t);
265 SMP_DBG("t %16phN", t);
267 memcpy(m, length, 2);
268 memcpy(m + 2, a2, 7);
269 memcpy(m + 9, a1, 7);
270 memcpy(m + 16, n2, 16);
271 memcpy(m + 32, n1, 16);
272 memcpy(m + 48, btle, 4);
274 m[52] = 0; /* Counter */
276 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
280 SMP_DBG("mackey %16phN", mackey);
282 m[52] = 1; /* Counter */
284 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
288 SMP_DBG("ltk %16phN", ltk);
293 static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16],
294 const u8 n1[16], const u8 n2[16], const u8 r[16],
295 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
301 SMP_DBG("w %16phN", w);
302 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
303 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
306 memcpy(m + 7, a1, 7);
307 memcpy(m + 14, io_cap, 3);
308 memcpy(m + 17, r, 16);
309 memcpy(m + 33, n2, 16);
310 memcpy(m + 49, n1, 16);
312 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
316 SMP_DBG("res %16phN", res);
321 static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
322 const u8 x[16], const u8 y[16], u32 *val)
327 SMP_DBG("u %32phN", u);
328 SMP_DBG("v %32phN", v);
329 SMP_DBG("x %16phN y %16phN", x, y);
332 memcpy(m + 16, v, 32);
333 memcpy(m + 48, u, 32);
335 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
339 *val = get_unaligned_le32(tmp);
342 SMP_DBG("val %06u", *val);
347 static int smp_h6(struct crypto_hash *tfm_cmac, const u8 w[16],
348 const u8 key_id[4], u8 res[16])
352 SMP_DBG("w %16phN key_id %4phN", w, key_id);
354 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
358 SMP_DBG("res %16phN", res);
363 /* The following functions map to the legacy SMP crypto functions e, c1,
367 static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
369 struct blkcipher_desc desc;
370 struct scatterlist sg;
371 uint8_t tmp[16], data[16];
375 BT_ERR("tfm %p", tfm);
382 /* The most significant octet of key corresponds to k[0] */
383 swap_buf(k, tmp, 16);
385 err = crypto_blkcipher_setkey(tfm, tmp, 16);
387 BT_ERR("cipher setkey failed: %d", err);
391 /* Most significant octet of plaintextData corresponds to data[0] */
392 swap_buf(r, data, 16);
394 sg_init_one(&sg, data, 16);
396 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
398 BT_ERR("Encrypt data error %d", err);
400 /* Most significant octet of encryptedData corresponds to data[0] */
401 swap_buf(data, r, 16);
406 static int smp_c1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
407 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
408 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
415 /* p1 = pres || preq || _rat || _iat */
418 memcpy(p1 + 2, preq, 7);
419 memcpy(p1 + 9, pres, 7);
421 /* p2 = padding || ia || ra */
423 memcpy(p2 + 6, ia, 6);
424 memset(p2 + 12, 0, 4);
427 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
429 /* res = e(k, res) */
430 err = smp_e(tfm_aes, k, res);
432 BT_ERR("Encrypt data error");
436 /* res = res XOR p2 */
437 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
439 /* res = e(k, res) */
440 err = smp_e(tfm_aes, k, res);
442 BT_ERR("Encrypt data error");
447 static int smp_s1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
448 const u8 r1[16], const u8 r2[16], u8 _r[16])
452 /* Just least significant octets from r1 and r2 are considered */
454 memcpy(_r + 8, r1, 8);
456 err = smp_e(tfm_aes, k, _r);
458 BT_ERR("Encrypt data error");
463 static int smp_ah(struct crypto_blkcipher *tfm, const u8 irk[16],
464 const u8 r[3], u8 res[3])
469 /* r' = padding || r */
471 memset(_res + 3, 0, 13);
473 err = smp_e(tfm, irk, _res);
475 BT_ERR("Encrypt error");
479 /* The output of the random address function ah is:
480 * ah(h, r) = e(k, r') mod 2^24
481 * The output of the security function e is then truncated to 24 bits
482 * by taking the least significant 24 bits of the output of e as the
485 memcpy(res, _res, 3);
490 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
491 const bdaddr_t *bdaddr)
493 struct l2cap_chan *chan = hdev->smp_data;
498 if (!chan || !chan->data)
503 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
505 err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash);
509 return !memcmp(bdaddr->b, hash, 3);
512 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
514 struct l2cap_chan *chan = hdev->smp_data;
518 if (!chan || !chan->data)
523 get_random_bytes(&rpa->b[3], 3);
525 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
526 rpa->b[5] |= 0x40; /* Set second most significant bit */
528 err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b);
532 BT_DBG("RPA %pMR", rpa);
537 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
539 struct l2cap_chan *chan = hdev->smp_data;
543 if (!chan || !chan->data)
548 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
549 BT_DBG("Using debug keys");
550 memcpy(smp->local_pk, debug_pk, 64);
551 memcpy(smp->local_sk, debug_sk, 32);
552 smp->debug_key = true;
555 /* Generate local key pair for Secure Connections */
556 if (!ecc_make_key(smp->local_pk, smp->local_sk))
559 /* This is unlikely, but we need to check that
560 * we didn't accidentially generate a debug key.
562 if (memcmp(smp->local_sk, debug_sk, 32))
565 smp->debug_key = false;
568 SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
569 SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
570 SMP_DBG("OOB Private Key: %32phN", smp->local_sk);
572 get_random_bytes(smp->local_rr, 16);
574 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
575 smp->local_rr, 0, hash);
579 memcpy(rand, smp->local_rr, 16);
584 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
586 struct l2cap_chan *chan = conn->smp;
587 struct smp_chan *smp;
594 BT_DBG("code 0x%2.2x", code);
596 iv[0].iov_base = &code;
599 iv[1].iov_base = data;
602 memset(&msg, 0, sizeof(msg));
604 iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
606 l2cap_chan_send(chan, &msg, 1 + len);
613 cancel_delayed_work_sync(&smp->security_timer);
614 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
617 static u8 authreq_to_seclevel(u8 authreq)
619 if (authreq & SMP_AUTH_MITM) {
620 if (authreq & SMP_AUTH_SC)
621 return BT_SECURITY_FIPS;
623 return BT_SECURITY_HIGH;
625 return BT_SECURITY_MEDIUM;
629 static __u8 seclevel_to_authreq(__u8 sec_level)
632 case BT_SECURITY_FIPS:
633 case BT_SECURITY_HIGH:
634 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
635 case BT_SECURITY_MEDIUM:
636 return SMP_AUTH_BONDING;
638 return SMP_AUTH_NONE;
642 static void build_pairing_cmd(struct l2cap_conn *conn,
643 struct smp_cmd_pairing *req,
644 struct smp_cmd_pairing *rsp, __u8 authreq)
646 struct l2cap_chan *chan = conn->smp;
647 struct smp_chan *smp = chan->data;
648 struct hci_conn *hcon = conn->hcon;
649 struct hci_dev *hdev = hcon->hdev;
650 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
652 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
653 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
654 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
655 authreq |= SMP_AUTH_BONDING;
657 authreq &= ~SMP_AUTH_BONDING;
660 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
661 remote_dist |= SMP_DIST_ID_KEY;
663 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
664 local_dist |= SMP_DIST_ID_KEY;
666 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
667 (authreq & SMP_AUTH_SC)) {
668 struct oob_data *oob_data;
671 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
672 local_dist |= SMP_DIST_LINK_KEY;
673 remote_dist |= SMP_DIST_LINK_KEY;
676 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
677 bdaddr_type = BDADDR_LE_PUBLIC;
679 bdaddr_type = BDADDR_LE_RANDOM;
681 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
683 if (oob_data && oob_data->present) {
684 set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
685 oob_flag = SMP_OOB_PRESENT;
686 memcpy(smp->rr, oob_data->rand256, 16);
687 memcpy(smp->pcnf, oob_data->hash256, 16);
691 authreq &= ~SMP_AUTH_SC;
695 req->io_capability = conn->hcon->io_capability;
696 req->oob_flag = oob_flag;
697 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
698 req->init_key_dist = local_dist;
699 req->resp_key_dist = remote_dist;
700 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
702 smp->remote_key_dist = remote_dist;
706 rsp->io_capability = conn->hcon->io_capability;
707 rsp->oob_flag = oob_flag;
708 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
709 rsp->init_key_dist = req->init_key_dist & remote_dist;
710 rsp->resp_key_dist = req->resp_key_dist & local_dist;
711 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
713 smp->remote_key_dist = rsp->init_key_dist;
716 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
718 struct l2cap_chan *chan = conn->smp;
719 struct smp_chan *smp = chan->data;
721 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
722 (max_key_size < SMP_MIN_ENC_KEY_SIZE))
723 return SMP_ENC_KEY_SIZE;
725 smp->enc_key_size = max_key_size;
730 static void smp_chan_destroy(struct l2cap_conn *conn)
732 struct l2cap_chan *chan = conn->smp;
733 struct smp_chan *smp = chan->data;
734 struct hci_conn *hcon = conn->hcon;
739 cancel_delayed_work_sync(&smp->security_timer);
741 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
742 mgmt_smp_complete(hcon, complete);
745 kzfree(smp->slave_csrk);
746 kzfree(smp->link_key);
748 crypto_free_blkcipher(smp->tfm_aes);
749 crypto_free_hash(smp->tfm_cmac);
751 /* Ensure that we don't leave any debug key around if debug key
752 * support hasn't been explicitly enabled.
754 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
755 !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
756 list_del_rcu(&smp->ltk->list);
757 kfree_rcu(smp->ltk, rcu);
761 /* If pairing failed clean up any keys we might have */
764 list_del_rcu(&smp->ltk->list);
765 kfree_rcu(smp->ltk, rcu);
768 if (smp->slave_ltk) {
769 list_del_rcu(&smp->slave_ltk->list);
770 kfree_rcu(smp->slave_ltk, rcu);
773 if (smp->remote_irk) {
774 list_del_rcu(&smp->remote_irk->list);
775 kfree_rcu(smp->remote_irk, rcu);
784 static void smp_failure(struct l2cap_conn *conn, u8 reason)
786 struct hci_conn *hcon = conn->hcon;
787 struct l2cap_chan *chan = conn->smp;
790 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
793 clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags);
794 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
797 smp_chan_destroy(conn);
800 #define JUST_WORKS 0x00
801 #define JUST_CFM 0x01
802 #define REQ_PASSKEY 0x02
803 #define CFM_PASSKEY 0x03
805 #define DSP_PASSKEY 0x05
808 static const u8 gen_method[5][5] = {
809 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
810 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
811 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
812 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
813 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
816 static const u8 sc_method[5][5] = {
817 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
818 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
819 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
820 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
821 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
824 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
826 /* If either side has unknown io_caps, use JUST_CFM (which gets
827 * converted later to JUST_WORKS if we're initiators.
829 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
830 remote_io > SMP_IO_KEYBOARD_DISPLAY)
833 if (test_bit(SMP_FLAG_SC, &smp->flags))
834 return sc_method[remote_io][local_io];
836 return gen_method[remote_io][local_io];
839 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
840 u8 local_io, u8 remote_io)
842 struct hci_conn *hcon = conn->hcon;
843 struct l2cap_chan *chan = conn->smp;
844 struct smp_chan *smp = chan->data;
848 /* Initialize key for JUST WORKS */
849 memset(smp->tk, 0, sizeof(smp->tk));
850 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
852 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
854 /* If neither side wants MITM, either "just" confirm an incoming
855 * request or use just-works for outgoing ones. The JUST_CFM
856 * will be converted to JUST_WORKS if necessary later in this
857 * function. If either side has MITM look up the method from the
860 if (!(auth & SMP_AUTH_MITM))
861 smp->method = JUST_CFM;
863 smp->method = get_auth_method(smp, local_io, remote_io);
865 /* Don't confirm locally initiated pairing attempts */
866 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
868 smp->method = JUST_WORKS;
870 /* Don't bother user space with no IO capabilities */
871 if (smp->method == JUST_CFM &&
872 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
873 smp->method = JUST_WORKS;
875 /* If Just Works, Continue with Zero TK */
876 if (smp->method == JUST_WORKS) {
877 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
881 /* Not Just Works/Confirm results in MITM Authentication */
882 if (smp->method != JUST_CFM) {
883 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
884 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
885 hcon->pending_sec_level = BT_SECURITY_HIGH;
888 /* If both devices have Keyoard-Display I/O, the master
889 * Confirms and the slave Enters the passkey.
891 if (smp->method == OVERLAP) {
892 if (hcon->role == HCI_ROLE_MASTER)
893 smp->method = CFM_PASSKEY;
895 smp->method = REQ_PASSKEY;
898 /* Generate random passkey. */
899 if (smp->method == CFM_PASSKEY) {
900 memset(smp->tk, 0, sizeof(smp->tk));
901 get_random_bytes(&passkey, sizeof(passkey));
903 put_unaligned_le32(passkey, smp->tk);
904 BT_DBG("PassKey: %d", passkey);
905 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
908 if (smp->method == REQ_PASSKEY)
909 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
910 hcon->type, hcon->dst_type);
911 else if (smp->method == JUST_CFM)
912 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
913 hcon->type, hcon->dst_type,
916 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
917 hcon->type, hcon->dst_type,
923 static u8 smp_confirm(struct smp_chan *smp)
925 struct l2cap_conn *conn = smp->conn;
926 struct smp_cmd_pairing_confirm cp;
929 BT_DBG("conn %p", conn);
931 ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
932 conn->hcon->init_addr_type, &conn->hcon->init_addr,
933 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
936 return SMP_UNSPECIFIED;
938 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
940 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
943 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
945 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
950 static u8 smp_random(struct smp_chan *smp)
952 struct l2cap_conn *conn = smp->conn;
953 struct hci_conn *hcon = conn->hcon;
957 if (IS_ERR_OR_NULL(smp->tfm_aes))
958 return SMP_UNSPECIFIED;
960 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
962 ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
963 hcon->init_addr_type, &hcon->init_addr,
964 hcon->resp_addr_type, &hcon->resp_addr, confirm);
966 return SMP_UNSPECIFIED;
968 if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
969 BT_ERR("Pairing failed (confirmation values mismatch)");
970 return SMP_CONFIRM_FAILED;
978 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
980 memset(stk + smp->enc_key_size, 0,
981 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
983 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
984 return SMP_UNSPECIFIED;
986 hci_le_start_enc(hcon, ediv, rand, stk);
987 hcon->enc_key_size = smp->enc_key_size;
988 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
994 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
997 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
999 memset(stk + smp->enc_key_size, 0,
1000 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
1002 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1007 /* Even though there's no _SLAVE suffix this is the
1008 * slave STK we're adding for later lookup (the master
1009 * STK never needs to be stored).
1011 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1012 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1018 static void smp_notify_keys(struct l2cap_conn *conn)
1020 struct l2cap_chan *chan = conn->smp;
1021 struct smp_chan *smp = chan->data;
1022 struct hci_conn *hcon = conn->hcon;
1023 struct hci_dev *hdev = hcon->hdev;
1024 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1025 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1028 if (smp->remote_irk) {
1029 mgmt_new_irk(hdev, smp->remote_irk);
1030 /* Now that user space can be considered to know the
1031 * identity address track the connection based on it
1032 * from now on (assuming this is an LE link).
1034 if (hcon->type == LE_LINK) {
1035 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1036 hcon->dst_type = smp->remote_irk->addr_type;
1037 queue_work(hdev->workqueue, &conn->id_addr_update_work);
1040 /* When receiving an indentity resolving key for
1041 * a remote device that does not use a resolvable
1042 * private address, just remove the key so that
1043 * it is possible to use the controller white
1044 * list for scanning.
1046 * Userspace will have been told to not store
1047 * this key at this point. So it is safe to
1050 if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) {
1051 list_del_rcu(&smp->remote_irk->list);
1052 kfree_rcu(smp->remote_irk, rcu);
1053 smp->remote_irk = NULL;
1057 if (hcon->type == ACL_LINK) {
1058 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1061 persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1064 /* The LTKs and CSRKs should be persistent only if both sides
1065 * had the bonding bit set in their authentication requests.
1067 persistent = !!((req->auth_req & rsp->auth_req) &
1073 smp->csrk->bdaddr_type = hcon->dst_type;
1074 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1075 mgmt_new_csrk(hdev, smp->csrk, persistent);
1078 if (smp->slave_csrk) {
1079 smp->slave_csrk->bdaddr_type = hcon->dst_type;
1080 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1081 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1085 smp->ltk->bdaddr_type = hcon->dst_type;
1086 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1087 mgmt_new_ltk(hdev, smp->ltk, persistent);
1090 if (smp->slave_ltk) {
1091 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1092 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1093 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1096 if (smp->link_key) {
1097 struct link_key *key;
1100 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1101 type = HCI_LK_DEBUG_COMBINATION;
1102 else if (hcon->sec_level == BT_SECURITY_FIPS)
1103 type = HCI_LK_AUTH_COMBINATION_P256;
1105 type = HCI_LK_UNAUTH_COMBINATION_P256;
1107 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1108 smp->link_key, type, 0, &persistent);
1110 mgmt_new_link_key(hdev, key, persistent);
1112 /* Don't keep debug keys around if the relevant
1115 if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1116 key->type == HCI_LK_DEBUG_COMBINATION) {
1117 list_del_rcu(&key->list);
1118 kfree_rcu(key, rcu);
1124 static void sc_add_ltk(struct smp_chan *smp)
1126 struct hci_conn *hcon = smp->conn->hcon;
1129 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1130 key_type = SMP_LTK_P256_DEBUG;
1132 key_type = SMP_LTK_P256;
1134 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1139 memset(smp->tk + smp->enc_key_size, 0,
1140 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
1142 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1143 key_type, auth, smp->tk, smp->enc_key_size,
1147 static void sc_generate_link_key(struct smp_chan *smp)
1149 /* These constants are as specified in the core specification.
1150 * In ASCII they spell out to 'tmp1' and 'lebr'.
1152 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1153 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1155 smp->link_key = kzalloc(16, GFP_KERNEL);
1159 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1160 kzfree(smp->link_key);
1161 smp->link_key = NULL;
1165 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1166 kzfree(smp->link_key);
1167 smp->link_key = NULL;
1172 static void smp_allow_key_dist(struct smp_chan *smp)
1174 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1175 * will be allowed in each PDU handler to ensure we receive
1176 * them in the correct order.
1178 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1179 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1180 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1181 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1182 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1183 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1186 static void sc_generate_ltk(struct smp_chan *smp)
1188 /* These constants are as specified in the core specification.
1189 * In ASCII they spell out to 'tmp2' and 'brle'.
1191 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1192 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1193 struct hci_conn *hcon = smp->conn->hcon;
1194 struct hci_dev *hdev = hcon->hdev;
1195 struct link_key *key;
1197 key = hci_find_link_key(hdev, &hcon->dst);
1199 BT_ERR("%s No Link Key found to generate LTK", hdev->name);
1203 if (key->type == HCI_LK_DEBUG_COMBINATION)
1204 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1206 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1209 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1215 static void smp_distribute_keys(struct smp_chan *smp)
1217 struct smp_cmd_pairing *req, *rsp;
1218 struct l2cap_conn *conn = smp->conn;
1219 struct hci_conn *hcon = conn->hcon;
1220 struct hci_dev *hdev = hcon->hdev;
1223 BT_DBG("conn %p", conn);
1225 rsp = (void *) &smp->prsp[1];
1227 /* The responder sends its keys first */
1228 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1229 smp_allow_key_dist(smp);
1233 req = (void *) &smp->preq[1];
1236 keydist = &rsp->init_key_dist;
1237 *keydist &= req->init_key_dist;
1239 keydist = &rsp->resp_key_dist;
1240 *keydist &= req->resp_key_dist;
1243 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1244 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1245 sc_generate_link_key(smp);
1246 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1247 sc_generate_ltk(smp);
1249 /* Clear the keys which are generated but not distributed */
1250 *keydist &= ~SMP_SC_NO_DIST;
1253 BT_DBG("keydist 0x%x", *keydist);
1255 if (*keydist & SMP_DIST_ENC_KEY) {
1256 struct smp_cmd_encrypt_info enc;
1257 struct smp_cmd_master_ident ident;
1258 struct smp_ltk *ltk;
1263 get_random_bytes(enc.ltk, sizeof(enc.ltk));
1264 get_random_bytes(&ediv, sizeof(ediv));
1265 get_random_bytes(&rand, sizeof(rand));
1267 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1269 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1270 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1271 SMP_LTK_SLAVE, authenticated, enc.ltk,
1272 smp->enc_key_size, ediv, rand);
1273 smp->slave_ltk = ltk;
1278 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1280 *keydist &= ~SMP_DIST_ENC_KEY;
1283 if (*keydist & SMP_DIST_ID_KEY) {
1284 struct smp_cmd_ident_addr_info addrinfo;
1285 struct smp_cmd_ident_info idinfo;
1287 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1289 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1291 /* The hci_conn contains the local identity address
1292 * after the connection has been established.
1294 * This is true even when the connection has been
1295 * established using a resolvable random address.
1297 bacpy(&addrinfo.bdaddr, &hcon->src);
1298 addrinfo.addr_type = hcon->src_type;
1300 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1303 *keydist &= ~SMP_DIST_ID_KEY;
1306 if (*keydist & SMP_DIST_SIGN) {
1307 struct smp_cmd_sign_info sign;
1308 struct smp_csrk *csrk;
1310 /* Generate a new random key */
1311 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1313 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1315 if (hcon->sec_level > BT_SECURITY_MEDIUM)
1316 csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1318 csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1319 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1321 smp->slave_csrk = csrk;
1323 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1325 *keydist &= ~SMP_DIST_SIGN;
1328 /* If there are still keys to be received wait for them */
1329 if (smp->remote_key_dist & KEY_DIST_MASK) {
1330 smp_allow_key_dist(smp);
1334 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1335 smp_notify_keys(conn);
1337 smp_chan_destroy(conn);
1340 static void smp_timeout(struct work_struct *work)
1342 struct smp_chan *smp = container_of(work, struct smp_chan,
1343 security_timer.work);
1344 struct l2cap_conn *conn = smp->conn;
1346 BT_DBG("conn %p", conn);
1348 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1351 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1353 struct l2cap_chan *chan = conn->smp;
1354 struct smp_chan *smp;
1356 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1360 smp->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
1361 if (IS_ERR(smp->tfm_aes)) {
1362 BT_ERR("Unable to create ECB crypto context");
1367 smp->tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
1368 if (IS_ERR(smp->tfm_cmac)) {
1369 BT_ERR("Unable to create CMAC crypto context");
1370 crypto_free_blkcipher(smp->tfm_aes);
1378 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1380 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1382 hci_conn_hold(conn->hcon);
1387 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1389 struct hci_conn *hcon = smp->conn->hcon;
1390 u8 *na, *nb, a[7], b[7];
1400 memcpy(a, &hcon->init_addr, 6);
1401 memcpy(b, &hcon->resp_addr, 6);
1402 a[6] = hcon->init_addr_type;
1403 b[6] = hcon->resp_addr_type;
1405 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1408 static void sc_dhkey_check(struct smp_chan *smp)
1410 struct hci_conn *hcon = smp->conn->hcon;
1411 struct smp_cmd_dhkey_check check;
1412 u8 a[7], b[7], *local_addr, *remote_addr;
1413 u8 io_cap[3], r[16];
1415 memcpy(a, &hcon->init_addr, 6);
1416 memcpy(b, &hcon->resp_addr, 6);
1417 a[6] = hcon->init_addr_type;
1418 b[6] = hcon->resp_addr_type;
1423 memcpy(io_cap, &smp->preq[1], 3);
1427 memcpy(io_cap, &smp->prsp[1], 3);
1430 memset(r, 0, sizeof(r));
1432 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1433 put_unaligned_le32(hcon->passkey_notify, r);
1435 if (smp->method == REQ_OOB)
1436 memcpy(r, smp->rr, 16);
1438 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1439 local_addr, remote_addr, check.e);
1441 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1444 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1446 struct l2cap_conn *conn = smp->conn;
1447 struct hci_conn *hcon = conn->hcon;
1448 struct smp_cmd_pairing_confirm cfm;
1451 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1454 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1456 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1458 return SMP_UNSPECIFIED;
1460 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1465 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1467 struct l2cap_conn *conn = smp->conn;
1468 struct hci_conn *hcon = conn->hcon;
1469 struct hci_dev *hdev = hcon->hdev;
1472 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1473 if (smp->passkey_round >= 20)
1477 case SMP_CMD_PAIRING_RANDOM:
1478 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1481 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1483 return SMP_UNSPECIFIED;
1485 if (memcmp(smp->pcnf, cfm, 16))
1486 return SMP_CONFIRM_FAILED;
1488 smp->passkey_round++;
1490 if (smp->passkey_round == 20) {
1491 /* Generate MacKey and LTK */
1492 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1493 return SMP_UNSPECIFIED;
1496 /* The round is only complete when the initiator
1497 * receives pairing random.
1500 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1501 sizeof(smp->prnd), smp->prnd);
1502 if (smp->passkey_round == 20)
1503 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1505 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1509 /* Start the next round */
1510 if (smp->passkey_round != 20)
1511 return sc_passkey_round(smp, 0);
1513 /* Passkey rounds are complete - start DHKey Check */
1514 sc_dhkey_check(smp);
1515 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1519 case SMP_CMD_PAIRING_CONFIRM:
1520 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1521 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1525 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1528 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1529 sizeof(smp->prnd), smp->prnd);
1533 return sc_passkey_send_confirm(smp);
1535 case SMP_CMD_PUBLIC_KEY:
1537 /* Initiating device starts the round */
1541 BT_DBG("%s Starting passkey round %u", hdev->name,
1542 smp->passkey_round + 1);
1544 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1546 return sc_passkey_send_confirm(smp);
1552 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1554 struct l2cap_conn *conn = smp->conn;
1555 struct hci_conn *hcon = conn->hcon;
1558 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1561 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1562 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1564 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1565 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1567 case MGMT_OP_USER_PASSKEY_REPLY:
1568 hcon->passkey_notify = le32_to_cpu(passkey);
1569 smp->passkey_round = 0;
1571 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1572 smp_op = SMP_CMD_PAIRING_CONFIRM;
1576 if (sc_passkey_round(smp, smp_op))
1582 /* Initiator sends DHKey check first */
1584 sc_dhkey_check(smp);
1585 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1586 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1587 sc_dhkey_check(smp);
1594 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1596 struct l2cap_conn *conn = hcon->l2cap_data;
1597 struct l2cap_chan *chan;
1598 struct smp_chan *smp;
1611 l2cap_chan_lock(chan);
1619 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1620 err = sc_user_reply(smp, mgmt_op, passkey);
1625 case MGMT_OP_USER_PASSKEY_REPLY:
1626 value = le32_to_cpu(passkey);
1627 memset(smp->tk, 0, sizeof(smp->tk));
1628 BT_DBG("PassKey: %d", value);
1629 put_unaligned_le32(value, smp->tk);
1631 case MGMT_OP_USER_CONFIRM_REPLY:
1632 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1634 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1635 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1636 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1640 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1647 /* If it is our turn to send Pairing Confirm, do so now */
1648 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1649 u8 rsp = smp_confirm(smp);
1651 smp_failure(conn, rsp);
1655 l2cap_chan_unlock(chan);
1659 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1660 struct smp_cmd_pairing *req,
1661 struct smp_cmd_pairing *rsp)
1663 struct l2cap_conn *conn = smp->conn;
1664 struct hci_dev *hdev = conn->hcon->hdev;
1665 u8 local_dist = 0, remote_dist = 0;
1667 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1668 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1669 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1672 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1673 remote_dist |= SMP_DIST_ID_KEY;
1675 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1676 local_dist |= SMP_DIST_ID_KEY;
1679 memset(req, 0, sizeof(*req));
1681 req->init_key_dist = local_dist;
1682 req->resp_key_dist = remote_dist;
1683 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1685 smp->remote_key_dist = remote_dist;
1690 memset(rsp, 0, sizeof(*rsp));
1692 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1693 rsp->init_key_dist = req->init_key_dist & remote_dist;
1694 rsp->resp_key_dist = req->resp_key_dist & local_dist;
1696 smp->remote_key_dist = rsp->init_key_dist;
1699 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1701 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1702 struct l2cap_chan *chan = conn->smp;
1703 struct hci_dev *hdev = conn->hcon->hdev;
1704 struct smp_chan *smp;
1705 u8 key_size, auth, sec_level;
1708 BT_DBG("conn %p", conn);
1710 if (skb->len < sizeof(*req))
1711 return SMP_INVALID_PARAMS;
1713 if (conn->hcon->role != HCI_ROLE_SLAVE)
1714 return SMP_CMD_NOTSUPP;
1717 smp = smp_chan_create(conn);
1722 return SMP_UNSPECIFIED;
1724 /* We didn't start the pairing, so match remote */
1725 auth = req->auth_req & AUTH_REQ_MASK(hdev);
1727 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1728 (auth & SMP_AUTH_BONDING))
1729 return SMP_PAIRING_NOTSUPP;
1731 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1732 return SMP_AUTH_REQUIREMENTS;
1734 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1735 memcpy(&smp->preq[1], req, sizeof(*req));
1736 skb_pull(skb, sizeof(*req));
1738 if (req->oob_flag == SMP_OOB_PRESENT)
1739 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1741 /* SMP over BR/EDR requires special treatment */
1742 if (conn->hcon->type == ACL_LINK) {
1743 /* We must have a BR/EDR SC link */
1744 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1745 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1746 return SMP_CROSS_TRANSP_NOT_ALLOWED;
1748 set_bit(SMP_FLAG_SC, &smp->flags);
1750 build_bredr_pairing_cmd(smp, req, &rsp);
1752 key_size = min(req->max_key_size, rsp.max_key_size);
1753 if (check_enc_key_size(conn, key_size))
1754 return SMP_ENC_KEY_SIZE;
1756 /* Clear bits which are generated but not distributed */
1757 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1759 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1760 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1761 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1763 smp_distribute_keys(smp);
1767 build_pairing_cmd(conn, req, &rsp, auth);
1769 if (rsp.auth_req & SMP_AUTH_SC)
1770 set_bit(SMP_FLAG_SC, &smp->flags);
1772 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1773 sec_level = BT_SECURITY_MEDIUM;
1775 sec_level = authreq_to_seclevel(auth);
1777 if (sec_level > conn->hcon->pending_sec_level)
1778 conn->hcon->pending_sec_level = sec_level;
1780 /* If we need MITM check that it can be achieved */
1781 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1784 method = get_auth_method(smp, conn->hcon->io_capability,
1785 req->io_capability);
1786 if (method == JUST_WORKS || method == JUST_CFM)
1787 return SMP_AUTH_REQUIREMENTS;
1790 key_size = min(req->max_key_size, rsp.max_key_size);
1791 if (check_enc_key_size(conn, key_size))
1792 return SMP_ENC_KEY_SIZE;
1794 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1796 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1797 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1799 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1801 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1803 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1804 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1805 /* Clear bits which are generated but not distributed */
1806 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1807 /* Wait for Public Key from Initiating Device */
1811 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1813 /* Request setup of TK */
1814 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1816 return SMP_UNSPECIFIED;
1821 static u8 sc_send_public_key(struct smp_chan *smp)
1823 struct hci_dev *hdev = smp->conn->hcon->hdev;
1827 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1828 struct l2cap_chan *chan = hdev->smp_data;
1829 struct smp_dev *smp_dev;
1831 if (!chan || !chan->data)
1832 return SMP_UNSPECIFIED;
1834 smp_dev = chan->data;
1836 memcpy(smp->local_pk, smp_dev->local_pk, 64);
1837 memcpy(smp->local_sk, smp_dev->local_sk, 32);
1838 memcpy(smp->lr, smp_dev->local_rr, 16);
1840 if (smp_dev->debug_key)
1841 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1846 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1847 BT_DBG("Using debug keys");
1848 memcpy(smp->local_pk, debug_pk, 64);
1849 memcpy(smp->local_sk, debug_sk, 32);
1850 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1853 /* Generate local key pair for Secure Connections */
1854 if (!ecc_make_key(smp->local_pk, smp->local_sk))
1855 return SMP_UNSPECIFIED;
1857 /* This is unlikely, but we need to check that
1858 * we didn't accidentially generate a debug key.
1860 if (memcmp(smp->local_sk, debug_sk, 32))
1866 SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1867 SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1868 SMP_DBG("Local Private Key: %32phN", smp->local_sk);
1870 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1875 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1877 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1878 struct l2cap_chan *chan = conn->smp;
1879 struct smp_chan *smp = chan->data;
1880 struct hci_dev *hdev = conn->hcon->hdev;
1884 BT_DBG("conn %p", conn);
1886 if (skb->len < sizeof(*rsp))
1887 return SMP_INVALID_PARAMS;
1889 if (conn->hcon->role != HCI_ROLE_MASTER)
1890 return SMP_CMD_NOTSUPP;
1892 skb_pull(skb, sizeof(*rsp));
1894 req = (void *) &smp->preq[1];
1896 key_size = min(req->max_key_size, rsp->max_key_size);
1897 if (check_enc_key_size(conn, key_size))
1898 return SMP_ENC_KEY_SIZE;
1900 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1902 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1903 return SMP_AUTH_REQUIREMENTS;
1905 if (rsp->oob_flag == SMP_OOB_PRESENT)
1906 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1908 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1909 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1911 /* Update remote key distribution in case the remote cleared
1912 * some bits that we had enabled in our request.
1914 smp->remote_key_dist &= rsp->resp_key_dist;
1916 /* For BR/EDR this means we're done and can start phase 3 */
1917 if (conn->hcon->type == ACL_LINK) {
1918 /* Clear bits which are generated but not distributed */
1919 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1920 smp_distribute_keys(smp);
1924 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1925 set_bit(SMP_FLAG_SC, &smp->flags);
1926 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1927 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1929 /* If we need MITM check that it can be achieved */
1930 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1933 method = get_auth_method(smp, req->io_capability,
1934 rsp->io_capability);
1935 if (method == JUST_WORKS || method == JUST_CFM)
1936 return SMP_AUTH_REQUIREMENTS;
1939 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1941 /* Update remote key distribution in case the remote cleared
1942 * some bits that we had enabled in our request.
1944 smp->remote_key_dist &= rsp->resp_key_dist;
1946 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1947 /* Clear bits which are generated but not distributed */
1948 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1949 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1950 return sc_send_public_key(smp);
1953 auth |= req->auth_req;
1955 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
1957 return SMP_UNSPECIFIED;
1959 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1961 /* Can't compose response until we have been confirmed */
1962 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1963 return smp_confirm(smp);
1968 static u8 sc_check_confirm(struct smp_chan *smp)
1970 struct l2cap_conn *conn = smp->conn;
1974 /* Public Key exchange must happen before any other steps */
1975 if (!test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
1976 return SMP_UNSPECIFIED;
1978 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1979 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
1981 if (conn->hcon->out) {
1982 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1984 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1990 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
1992 struct l2cap_chan *chan = conn->smp;
1993 struct smp_chan *smp = chan->data;
1995 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
1997 if (skb->len < sizeof(smp->pcnf))
1998 return SMP_INVALID_PARAMS;
2000 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2001 skb_pull(skb, sizeof(smp->pcnf));
2003 if (test_bit(SMP_FLAG_SC, &smp->flags))
2004 return sc_check_confirm(smp);
2006 if (conn->hcon->out) {
2007 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2009 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2013 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2014 return smp_confirm(smp);
2016 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2021 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2023 struct l2cap_chan *chan = conn->smp;
2024 struct smp_chan *smp = chan->data;
2025 struct hci_conn *hcon = conn->hcon;
2026 u8 *pkax, *pkbx, *na, *nb;
2030 BT_DBG("conn %p", conn);
2032 if (skb->len < sizeof(smp->rrnd))
2033 return SMP_INVALID_PARAMS;
2035 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2036 skb_pull(skb, sizeof(smp->rrnd));
2038 if (!test_bit(SMP_FLAG_SC, &smp->flags))
2039 return smp_random(smp);
2042 pkax = smp->local_pk;
2043 pkbx = smp->remote_pk;
2047 pkax = smp->remote_pk;
2048 pkbx = smp->local_pk;
2053 if (smp->method == REQ_OOB) {
2055 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2056 sizeof(smp->prnd), smp->prnd);
2057 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2058 goto mackey_and_ltk;
2061 /* Passkey entry has special treatment */
2062 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2063 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2068 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2071 return SMP_UNSPECIFIED;
2073 if (memcmp(smp->pcnf, cfm, 16))
2074 return SMP_CONFIRM_FAILED;
2076 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2078 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2082 /* Generate MacKey and LTK */
2083 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2085 return SMP_UNSPECIFIED;
2087 if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2089 sc_dhkey_check(smp);
2090 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2095 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2097 return SMP_UNSPECIFIED;
2099 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2100 hcon->dst_type, passkey, 0);
2102 return SMP_UNSPECIFIED;
2104 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2109 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2111 struct smp_ltk *key;
2112 struct hci_conn *hcon = conn->hcon;
2114 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2118 if (smp_ltk_sec_level(key) < sec_level)
2121 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2124 hci_le_start_enc(hcon, key->ediv, key->rand, key->val);
2125 hcon->enc_key_size = key->enc_size;
2127 /* We never store STKs for master role, so clear this flag */
2128 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2133 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2134 enum smp_key_pref key_pref)
2136 if (sec_level == BT_SECURITY_LOW)
2139 /* If we're encrypted with an STK but the caller prefers using
2140 * LTK claim insufficient security. This way we allow the
2141 * connection to be re-encrypted with an LTK, even if the LTK
2142 * provides the same level of security. Only exception is if we
2143 * don't have an LTK (e.g. because of key distribution bits).
2145 if (key_pref == SMP_USE_LTK &&
2146 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2147 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2150 if (hcon->sec_level >= sec_level)
2156 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2158 struct smp_cmd_security_req *rp = (void *) skb->data;
2159 struct smp_cmd_pairing cp;
2160 struct hci_conn *hcon = conn->hcon;
2161 struct hci_dev *hdev = hcon->hdev;
2162 struct smp_chan *smp;
2165 BT_DBG("conn %p", conn);
2167 if (skb->len < sizeof(*rp))
2168 return SMP_INVALID_PARAMS;
2170 if (hcon->role != HCI_ROLE_MASTER)
2171 return SMP_CMD_NOTSUPP;
2173 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2175 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2176 return SMP_AUTH_REQUIREMENTS;
2178 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2179 sec_level = BT_SECURITY_MEDIUM;
2181 sec_level = authreq_to_seclevel(auth);
2183 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2186 if (sec_level > hcon->pending_sec_level)
2187 hcon->pending_sec_level = sec_level;
2189 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2192 smp = smp_chan_create(conn);
2194 return SMP_UNSPECIFIED;
2196 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2197 (auth & SMP_AUTH_BONDING))
2198 return SMP_PAIRING_NOTSUPP;
2200 skb_pull(skb, sizeof(*rp));
2202 memset(&cp, 0, sizeof(cp));
2203 build_pairing_cmd(conn, &cp, NULL, auth);
2205 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2206 memcpy(&smp->preq[1], &cp, sizeof(cp));
2208 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2209 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2214 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2216 struct l2cap_conn *conn = hcon->l2cap_data;
2217 struct l2cap_chan *chan;
2218 struct smp_chan *smp;
2222 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2224 /* This may be NULL if there's an unexpected disconnection */
2230 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2233 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2236 if (sec_level > hcon->pending_sec_level)
2237 hcon->pending_sec_level = sec_level;
2239 if (hcon->role == HCI_ROLE_MASTER)
2240 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2243 l2cap_chan_lock(chan);
2245 /* If SMP is already in progress ignore this request */
2251 smp = smp_chan_create(conn);
2257 authreq = seclevel_to_authreq(sec_level);
2259 if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED))
2260 authreq |= SMP_AUTH_SC;
2262 /* Require MITM if IO Capability allows or the security level
2265 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2266 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2267 authreq |= SMP_AUTH_MITM;
2269 if (hcon->role == HCI_ROLE_MASTER) {
2270 struct smp_cmd_pairing cp;
2272 build_pairing_cmd(conn, &cp, NULL, authreq);
2273 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2274 memcpy(&smp->preq[1], &cp, sizeof(cp));
2276 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2277 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2279 struct smp_cmd_security_req cp;
2280 cp.auth_req = authreq;
2281 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2282 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2285 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2289 l2cap_chan_unlock(chan);
2293 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2295 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2296 struct l2cap_chan *chan = conn->smp;
2297 struct smp_chan *smp = chan->data;
2299 BT_DBG("conn %p", conn);
2301 if (skb->len < sizeof(*rp))
2302 return SMP_INVALID_PARAMS;
2304 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2306 skb_pull(skb, sizeof(*rp));
2308 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2313 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2315 struct smp_cmd_master_ident *rp = (void *) skb->data;
2316 struct l2cap_chan *chan = conn->smp;
2317 struct smp_chan *smp = chan->data;
2318 struct hci_dev *hdev = conn->hcon->hdev;
2319 struct hci_conn *hcon = conn->hcon;
2320 struct smp_ltk *ltk;
2323 BT_DBG("conn %p", conn);
2325 if (skb->len < sizeof(*rp))
2326 return SMP_INVALID_PARAMS;
2328 /* Mark the information as received */
2329 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2331 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2332 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2333 else if (smp->remote_key_dist & SMP_DIST_SIGN)
2334 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2336 skb_pull(skb, sizeof(*rp));
2338 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2339 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2340 authenticated, smp->tk, smp->enc_key_size,
2341 rp->ediv, rp->rand);
2343 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2344 smp_distribute_keys(smp);
2349 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2351 struct smp_cmd_ident_info *info = (void *) skb->data;
2352 struct l2cap_chan *chan = conn->smp;
2353 struct smp_chan *smp = chan->data;
2357 if (skb->len < sizeof(*info))
2358 return SMP_INVALID_PARAMS;
2360 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2362 skb_pull(skb, sizeof(*info));
2364 memcpy(smp->irk, info->irk, 16);
2369 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2370 struct sk_buff *skb)
2372 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2373 struct l2cap_chan *chan = conn->smp;
2374 struct smp_chan *smp = chan->data;
2375 struct hci_conn *hcon = conn->hcon;
2380 if (skb->len < sizeof(*info))
2381 return SMP_INVALID_PARAMS;
2383 /* Mark the information as received */
2384 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2386 if (smp->remote_key_dist & SMP_DIST_SIGN)
2387 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2389 skb_pull(skb, sizeof(*info));
2391 /* Strictly speaking the Core Specification (4.1) allows sending
2392 * an empty address which would force us to rely on just the IRK
2393 * as "identity information". However, since such
2394 * implementations are not known of and in order to not over
2395 * complicate our implementation, simply pretend that we never
2396 * received an IRK for such a device.
2398 * The Identity Address must also be a Static Random or Public
2399 * Address, which hci_is_identity_address() checks for.
2401 if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2402 !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2403 BT_ERR("Ignoring IRK with no identity address");
2407 bacpy(&smp->id_addr, &info->bdaddr);
2408 smp->id_addr_type = info->addr_type;
2410 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2411 bacpy(&rpa, &hcon->dst);
2413 bacpy(&rpa, BDADDR_ANY);
2415 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2416 smp->id_addr_type, smp->irk, &rpa);
2419 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2420 smp_distribute_keys(smp);
2425 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2427 struct smp_cmd_sign_info *rp = (void *) skb->data;
2428 struct l2cap_chan *chan = conn->smp;
2429 struct smp_chan *smp = chan->data;
2430 struct smp_csrk *csrk;
2432 BT_DBG("conn %p", conn);
2434 if (skb->len < sizeof(*rp))
2435 return SMP_INVALID_PARAMS;
2437 /* Mark the information as received */
2438 smp->remote_key_dist &= ~SMP_DIST_SIGN;
2440 skb_pull(skb, sizeof(*rp));
2442 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2444 if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2445 csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2447 csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2448 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2451 smp_distribute_keys(smp);
2456 static u8 sc_select_method(struct smp_chan *smp)
2458 struct l2cap_conn *conn = smp->conn;
2459 struct hci_conn *hcon = conn->hcon;
2460 struct smp_cmd_pairing *local, *remote;
2461 u8 local_mitm, remote_mitm, local_io, remote_io, method;
2463 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2464 test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2467 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2468 * which are needed as inputs to some crypto functions. To get
2469 * the "struct smp_cmd_pairing" from them we need to skip the
2470 * first byte which contains the opcode.
2473 local = (void *) &smp->preq[1];
2474 remote = (void *) &smp->prsp[1];
2476 local = (void *) &smp->prsp[1];
2477 remote = (void *) &smp->preq[1];
2480 local_io = local->io_capability;
2481 remote_io = remote->io_capability;
2483 local_mitm = (local->auth_req & SMP_AUTH_MITM);
2484 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2486 /* If either side wants MITM, look up the method from the table,
2487 * otherwise use JUST WORKS.
2489 if (local_mitm || remote_mitm)
2490 method = get_auth_method(smp, local_io, remote_io);
2492 method = JUST_WORKS;
2494 /* Don't confirm locally initiated pairing attempts */
2495 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2496 method = JUST_WORKS;
2501 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2503 struct smp_cmd_public_key *key = (void *) skb->data;
2504 struct hci_conn *hcon = conn->hcon;
2505 struct l2cap_chan *chan = conn->smp;
2506 struct smp_chan *smp = chan->data;
2507 struct hci_dev *hdev = hcon->hdev;
2508 struct smp_cmd_pairing_confirm cfm;
2511 BT_DBG("conn %p", conn);
2513 if (skb->len < sizeof(*key))
2514 return SMP_INVALID_PARAMS;
2516 memcpy(smp->remote_pk, key, 64);
2518 /* Non-initiating device sends its public key after receiving
2519 * the key from the initiating device.
2522 err = sc_send_public_key(smp);
2527 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2528 SMP_DBG("Remote Public Key Y: %32phN", &smp->remote_pk[32]);
2530 if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2531 return SMP_UNSPECIFIED;
2533 SMP_DBG("DHKey %32phN", smp->dhkey);
2535 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2537 smp->method = sc_select_method(smp);
2539 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2541 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2542 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2543 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2545 hcon->pending_sec_level = BT_SECURITY_FIPS;
2547 if (!memcmp(debug_pk, smp->remote_pk, 64))
2548 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2550 if (smp->method == DSP_PASSKEY) {
2551 get_random_bytes(&hcon->passkey_notify,
2552 sizeof(hcon->passkey_notify));
2553 hcon->passkey_notify %= 1000000;
2554 hcon->passkey_entered = 0;
2555 smp->passkey_round = 0;
2556 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2558 hcon->passkey_notify,
2559 hcon->passkey_entered))
2560 return SMP_UNSPECIFIED;
2561 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2562 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2565 if (smp->method == REQ_OOB) {
2566 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2567 smp->rr, 0, cfm.confirm_val);
2569 return SMP_UNSPECIFIED;
2571 if (memcmp(cfm.confirm_val, smp->pcnf, 16))
2572 return SMP_CONFIRM_FAILED;
2575 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2576 sizeof(smp->prnd), smp->prnd);
2578 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2584 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2586 if (smp->method == REQ_PASSKEY) {
2587 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2589 return SMP_UNSPECIFIED;
2590 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2591 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2595 /* The Initiating device waits for the non-initiating device to
2596 * send the confirm value.
2598 if (conn->hcon->out)
2601 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2602 0, cfm.confirm_val);
2604 return SMP_UNSPECIFIED;
2606 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2607 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2612 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2614 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2615 struct l2cap_chan *chan = conn->smp;
2616 struct hci_conn *hcon = conn->hcon;
2617 struct smp_chan *smp = chan->data;
2618 u8 a[7], b[7], *local_addr, *remote_addr;
2619 u8 io_cap[3], r[16], e[16];
2622 BT_DBG("conn %p", conn);
2624 if (skb->len < sizeof(*check))
2625 return SMP_INVALID_PARAMS;
2627 memcpy(a, &hcon->init_addr, 6);
2628 memcpy(b, &hcon->resp_addr, 6);
2629 a[6] = hcon->init_addr_type;
2630 b[6] = hcon->resp_addr_type;
2635 memcpy(io_cap, &smp->prsp[1], 3);
2639 memcpy(io_cap, &smp->preq[1], 3);
2642 memset(r, 0, sizeof(r));
2644 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2645 put_unaligned_le32(hcon->passkey_notify, r);
2646 else if (smp->method == REQ_OOB)
2647 memcpy(r, smp->lr, 16);
2649 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2650 io_cap, remote_addr, local_addr, e);
2652 return SMP_UNSPECIFIED;
2654 if (memcmp(check->e, e, 16))
2655 return SMP_DHKEY_CHECK_FAILED;
2658 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2659 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2663 /* Slave sends DHKey check as response to master */
2664 sc_dhkey_check(smp);
2670 hci_le_start_enc(hcon, 0, 0, smp->tk);
2671 hcon->enc_key_size = smp->enc_key_size;
2677 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2678 struct sk_buff *skb)
2680 struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2682 BT_DBG("value 0x%02x", kp->value);
2687 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2689 struct l2cap_conn *conn = chan->conn;
2690 struct hci_conn *hcon = conn->hcon;
2691 struct smp_chan *smp;
2698 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2699 reason = SMP_PAIRING_NOTSUPP;
2703 code = skb->data[0];
2704 skb_pull(skb, sizeof(code));
2708 if (code > SMP_CMD_MAX)
2711 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2714 /* If we don't have a context the only allowed commands are
2715 * pairing request and security request.
2717 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2721 case SMP_CMD_PAIRING_REQ:
2722 reason = smp_cmd_pairing_req(conn, skb);
2725 case SMP_CMD_PAIRING_FAIL:
2726 smp_failure(conn, 0);
2730 case SMP_CMD_PAIRING_RSP:
2731 reason = smp_cmd_pairing_rsp(conn, skb);
2734 case SMP_CMD_SECURITY_REQ:
2735 reason = smp_cmd_security_req(conn, skb);
2738 case SMP_CMD_PAIRING_CONFIRM:
2739 reason = smp_cmd_pairing_confirm(conn, skb);
2742 case SMP_CMD_PAIRING_RANDOM:
2743 reason = smp_cmd_pairing_random(conn, skb);
2746 case SMP_CMD_ENCRYPT_INFO:
2747 reason = smp_cmd_encrypt_info(conn, skb);
2750 case SMP_CMD_MASTER_IDENT:
2751 reason = smp_cmd_master_ident(conn, skb);
2754 case SMP_CMD_IDENT_INFO:
2755 reason = smp_cmd_ident_info(conn, skb);
2758 case SMP_CMD_IDENT_ADDR_INFO:
2759 reason = smp_cmd_ident_addr_info(conn, skb);
2762 case SMP_CMD_SIGN_INFO:
2763 reason = smp_cmd_sign_info(conn, skb);
2766 case SMP_CMD_PUBLIC_KEY:
2767 reason = smp_cmd_public_key(conn, skb);
2770 case SMP_CMD_DHKEY_CHECK:
2771 reason = smp_cmd_dhkey_check(conn, skb);
2774 case SMP_CMD_KEYPRESS_NOTIFY:
2775 reason = smp_cmd_keypress_notify(conn, skb);
2779 BT_DBG("Unknown command code 0x%2.2x", code);
2780 reason = SMP_CMD_NOTSUPP;
2787 smp_failure(conn, reason);
2794 BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2800 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2802 struct l2cap_conn *conn = chan->conn;
2804 BT_DBG("chan %p", chan);
2807 smp_chan_destroy(conn);
2810 l2cap_chan_put(chan);
2813 static void bredr_pairing(struct l2cap_chan *chan)
2815 struct l2cap_conn *conn = chan->conn;
2816 struct hci_conn *hcon = conn->hcon;
2817 struct hci_dev *hdev = hcon->hdev;
2818 struct smp_cmd_pairing req;
2819 struct smp_chan *smp;
2821 BT_DBG("chan %p", chan);
2823 /* Only new pairings are interesting */
2824 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2827 /* Don't bother if we're not encrypted */
2828 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2831 /* Only master may initiate SMP over BR/EDR */
2832 if (hcon->role != HCI_ROLE_MASTER)
2835 /* Secure Connections support must be enabled */
2836 if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
2839 /* BR/EDR must use Secure Connections for SMP */
2840 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
2841 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
2844 /* If our LE support is not enabled don't do anything */
2845 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
2848 /* Don't bother if remote LE support is not enabled */
2849 if (!lmp_host_le_capable(hcon))
2852 /* Remote must support SMP fixed chan for BR/EDR */
2853 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
2856 /* Don't bother if SMP is already ongoing */
2860 smp = smp_chan_create(conn);
2862 BT_ERR("%s unable to create SMP context for BR/EDR",
2867 set_bit(SMP_FLAG_SC, &smp->flags);
2869 BT_DBG("%s starting SMP over BR/EDR", hdev->name);
2871 /* Prepare and send the BR/EDR SMP Pairing Request */
2872 build_bredr_pairing_cmd(smp, &req, NULL);
2874 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2875 memcpy(&smp->preq[1], &req, sizeof(req));
2877 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
2878 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2881 static void smp_resume_cb(struct l2cap_chan *chan)
2883 struct smp_chan *smp = chan->data;
2884 struct l2cap_conn *conn = chan->conn;
2885 struct hci_conn *hcon = conn->hcon;
2887 BT_DBG("chan %p", chan);
2889 if (hcon->type == ACL_LINK) {
2890 bredr_pairing(chan);
2897 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2900 cancel_delayed_work(&smp->security_timer);
2902 smp_distribute_keys(smp);
2905 static void smp_ready_cb(struct l2cap_chan *chan)
2907 struct l2cap_conn *conn = chan->conn;
2908 struct hci_conn *hcon = conn->hcon;
2910 BT_DBG("chan %p", chan);
2913 l2cap_chan_hold(chan);
2915 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2916 bredr_pairing(chan);
2919 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
2923 BT_DBG("chan %p", chan);
2925 err = smp_sig_channel(chan, skb);
2927 struct smp_chan *smp = chan->data;
2930 cancel_delayed_work_sync(&smp->security_timer);
2932 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
2938 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
2939 unsigned long hdr_len,
2940 unsigned long len, int nb)
2942 struct sk_buff *skb;
2944 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
2946 return ERR_PTR(-ENOMEM);
2948 skb->priority = HCI_PRIO_MAX;
2949 bt_cb(skb)->chan = chan;
2954 static const struct l2cap_ops smp_chan_ops = {
2955 .name = "Security Manager",
2956 .ready = smp_ready_cb,
2957 .recv = smp_recv_cb,
2958 .alloc_skb = smp_alloc_skb_cb,
2959 .teardown = smp_teardown_cb,
2960 .resume = smp_resume_cb,
2962 .new_connection = l2cap_chan_no_new_connection,
2963 .state_change = l2cap_chan_no_state_change,
2964 .close = l2cap_chan_no_close,
2965 .defer = l2cap_chan_no_defer,
2966 .suspend = l2cap_chan_no_suspend,
2967 .set_shutdown = l2cap_chan_no_set_shutdown,
2968 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
2971 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
2973 struct l2cap_chan *chan;
2975 BT_DBG("pchan %p", pchan);
2977 chan = l2cap_chan_create();
2981 chan->chan_type = pchan->chan_type;
2982 chan->ops = &smp_chan_ops;
2983 chan->scid = pchan->scid;
2984 chan->dcid = chan->scid;
2985 chan->imtu = pchan->imtu;
2986 chan->omtu = pchan->omtu;
2987 chan->mode = pchan->mode;
2989 /* Other L2CAP channels may request SMP routines in order to
2990 * change the security level. This means that the SMP channel
2991 * lock must be considered in its own category to avoid lockdep
2994 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
2996 BT_DBG("created chan %p", chan);
3001 static const struct l2cap_ops smp_root_chan_ops = {
3002 .name = "Security Manager Root",
3003 .new_connection = smp_new_conn_cb,
3005 /* None of these are implemented for the root channel */
3006 .close = l2cap_chan_no_close,
3007 .alloc_skb = l2cap_chan_no_alloc_skb,
3008 .recv = l2cap_chan_no_recv,
3009 .state_change = l2cap_chan_no_state_change,
3010 .teardown = l2cap_chan_no_teardown,
3011 .ready = l2cap_chan_no_ready,
3012 .defer = l2cap_chan_no_defer,
3013 .suspend = l2cap_chan_no_suspend,
3014 .resume = l2cap_chan_no_resume,
3015 .set_shutdown = l2cap_chan_no_set_shutdown,
3016 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
3019 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3021 struct l2cap_chan *chan;
3022 struct smp_dev *smp;
3023 struct crypto_blkcipher *tfm_aes;
3024 struct crypto_hash *tfm_cmac;
3026 if (cid == L2CAP_CID_SMP_BREDR) {
3031 smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3033 return ERR_PTR(-ENOMEM);
3035 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
3036 if (IS_ERR(tfm_aes)) {
3037 BT_ERR("Unable to create ECB crypto context");
3039 return ERR_CAST(tfm_aes);
3042 tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3043 if (IS_ERR(tfm_cmac)) {
3044 BT_ERR("Unable to create CMAC crypto context");
3045 crypto_free_blkcipher(tfm_aes);
3047 return ERR_CAST(tfm_cmac);
3050 smp->tfm_aes = tfm_aes;
3051 smp->tfm_cmac = tfm_cmac;
3054 chan = l2cap_chan_create();
3056 crypto_free_blkcipher(smp->tfm_aes);
3057 crypto_free_hash(smp->tfm_cmac);
3059 return ERR_PTR(-ENOMEM);
3064 l2cap_add_scid(chan, cid);
3066 l2cap_chan_set_defaults(chan);
3068 if (cid == L2CAP_CID_SMP) {
3071 hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3073 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3074 chan->src_type = BDADDR_LE_PUBLIC;
3076 chan->src_type = BDADDR_LE_RANDOM;
3078 bacpy(&chan->src, &hdev->bdaddr);
3079 chan->src_type = BDADDR_BREDR;
3082 chan->state = BT_LISTEN;
3083 chan->mode = L2CAP_MODE_BASIC;
3084 chan->imtu = L2CAP_DEFAULT_MTU;
3085 chan->ops = &smp_root_chan_ops;
3087 /* Set correct nesting level for a parent/listening channel */
3088 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3093 static void smp_del_chan(struct l2cap_chan *chan)
3095 struct smp_dev *smp;
3097 BT_DBG("chan %p", chan);
3103 crypto_free_blkcipher(smp->tfm_aes);
3105 crypto_free_hash(smp->tfm_cmac);
3109 l2cap_chan_put(chan);
3112 static ssize_t force_bredr_smp_read(struct file *file,
3113 char __user *user_buf,
3114 size_t count, loff_t *ppos)
3116 struct hci_dev *hdev = file->private_data;
3119 buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3122 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3125 static ssize_t force_bredr_smp_write(struct file *file,
3126 const char __user *user_buf,
3127 size_t count, loff_t *ppos)
3129 struct hci_dev *hdev = file->private_data;
3131 size_t buf_size = min(count, (sizeof(buf)-1));
3134 if (copy_from_user(buf, user_buf, buf_size))
3137 buf[buf_size] = '\0';
3138 if (strtobool(buf, &enable))
3141 if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3145 struct l2cap_chan *chan;
3147 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3149 return PTR_ERR(chan);
3151 hdev->smp_bredr_data = chan;
3153 struct l2cap_chan *chan;
3155 chan = hdev->smp_bredr_data;
3156 hdev->smp_bredr_data = NULL;
3160 hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3165 static const struct file_operations force_bredr_smp_fops = {
3166 .open = simple_open,
3167 .read = force_bredr_smp_read,
3168 .write = force_bredr_smp_write,
3169 .llseek = default_llseek,
3172 int smp_register(struct hci_dev *hdev)
3174 struct l2cap_chan *chan;
3176 BT_DBG("%s", hdev->name);
3178 /* If the controller does not support Low Energy operation, then
3179 * there is also no need to register any SMP channel.
3181 if (!lmp_le_capable(hdev))
3184 if (WARN_ON(hdev->smp_data)) {
3185 chan = hdev->smp_data;
3186 hdev->smp_data = NULL;
3190 chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3192 return PTR_ERR(chan);
3194 hdev->smp_data = chan;
3196 /* If the controller does not support BR/EDR Secure Connections
3197 * feature, then the BR/EDR SMP channel shall not be present.
3199 * To test this with Bluetooth 4.0 controllers, create a debugfs
3200 * switch that allows forcing BR/EDR SMP support and accepting
3201 * cross-transport pairing on non-AES encrypted connections.
3203 if (!lmp_sc_capable(hdev)) {
3204 debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3205 hdev, &force_bredr_smp_fops);
3209 if (WARN_ON(hdev->smp_bredr_data)) {
3210 chan = hdev->smp_bredr_data;
3211 hdev->smp_bredr_data = NULL;
3215 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3217 int err = PTR_ERR(chan);
3218 chan = hdev->smp_data;
3219 hdev->smp_data = NULL;
3224 hdev->smp_bredr_data = chan;
3229 void smp_unregister(struct hci_dev *hdev)
3231 struct l2cap_chan *chan;
3233 if (hdev->smp_bredr_data) {
3234 chan = hdev->smp_bredr_data;
3235 hdev->smp_bredr_data = NULL;
3239 if (hdev->smp_data) {
3240 chan = hdev->smp_data;
3241 hdev->smp_data = NULL;
3246 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3248 static int __init test_ah(struct crypto_blkcipher *tfm_aes)
3250 const u8 irk[16] = {
3251 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3252 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3253 const u8 r[3] = { 0x94, 0x81, 0x70 };
3254 const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3258 err = smp_ah(tfm_aes, irk, r, res);
3262 if (memcmp(res, exp, 3))
3268 static int __init test_c1(struct crypto_blkcipher *tfm_aes)
3271 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3272 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3274 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3275 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3276 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3277 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3278 const u8 _iat = 0x01;
3279 const u8 _rat = 0x00;
3280 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3281 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3282 const u8 exp[16] = {
3283 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3284 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3288 err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3292 if (memcmp(res, exp, 16))
3298 static int __init test_s1(struct crypto_blkcipher *tfm_aes)
3301 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3302 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3304 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3306 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3307 const u8 exp[16] = {
3308 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3309 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3313 err = smp_s1(tfm_aes, k, r1, r2, res);
3317 if (memcmp(res, exp, 16))
3323 static int __init test_f4(struct crypto_hash *tfm_cmac)
3326 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3327 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3328 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3329 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3331 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3332 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3333 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3334 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3336 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3337 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3339 const u8 exp[16] = {
3340 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3341 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3345 err = smp_f4(tfm_cmac, u, v, x, z, res);
3349 if (memcmp(res, exp, 16))
3355 static int __init test_f5(struct crypto_hash *tfm_cmac)
3358 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3359 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3360 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3361 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3363 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3364 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3366 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3367 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3368 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3369 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3370 const u8 exp_ltk[16] = {
3371 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3372 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3373 const u8 exp_mackey[16] = {
3374 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3375 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3376 u8 mackey[16], ltk[16];
3379 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3383 if (memcmp(mackey, exp_mackey, 16))
3386 if (memcmp(ltk, exp_ltk, 16))
3392 static int __init test_f6(struct crypto_hash *tfm_cmac)
3395 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3396 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3398 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3399 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3401 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3402 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3404 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3405 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3406 const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3407 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3408 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3409 const u8 exp[16] = {
3410 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3411 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3415 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3419 if (memcmp(res, exp, 16))
3425 static int __init test_g2(struct crypto_hash *tfm_cmac)
3428 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3429 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3430 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3431 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3433 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3434 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3435 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3436 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3438 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3439 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3441 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3442 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3443 const u32 exp_val = 0x2f9ed5ba % 1000000;
3447 err = smp_g2(tfm_cmac, u, v, x, y, &val);
3457 static int __init test_h6(struct crypto_hash *tfm_cmac)
3460 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3461 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3462 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3463 const u8 exp[16] = {
3464 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3465 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3469 err = smp_h6(tfm_cmac, w, key_id, res);
3473 if (memcmp(res, exp, 16))
3479 static int __init run_selftests(struct crypto_blkcipher *tfm_aes,
3480 struct crypto_hash *tfm_cmac)
3482 ktime_t calltime, delta, rettime;
3483 unsigned long long duration;
3486 calltime = ktime_get();
3488 err = test_ah(tfm_aes);
3490 BT_ERR("smp_ah test failed");
3494 err = test_c1(tfm_aes);
3496 BT_ERR("smp_c1 test failed");
3500 err = test_s1(tfm_aes);
3502 BT_ERR("smp_s1 test failed");
3506 err = test_f4(tfm_cmac);
3508 BT_ERR("smp_f4 test failed");
3512 err = test_f5(tfm_cmac);
3514 BT_ERR("smp_f5 test failed");
3518 err = test_f6(tfm_cmac);
3520 BT_ERR("smp_f6 test failed");
3524 err = test_g2(tfm_cmac);
3526 BT_ERR("smp_g2 test failed");
3530 err = test_h6(tfm_cmac);
3532 BT_ERR("smp_h6 test failed");
3536 rettime = ktime_get();
3537 delta = ktime_sub(rettime, calltime);
3538 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3540 BT_INFO("SMP test passed in %llu usecs", duration);
3545 int __init bt_selftest_smp(void)
3547 struct crypto_blkcipher *tfm_aes;
3548 struct crypto_hash *tfm_cmac;
3551 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
3552 if (IS_ERR(tfm_aes)) {
3553 BT_ERR("Unable to create ECB crypto context");
3554 return PTR_ERR(tfm_aes);
3557 tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3558 if (IS_ERR(tfm_cmac)) {
3559 BT_ERR("Unable to create CMAC crypto context");
3560 crypto_free_blkcipher(tfm_aes);
3561 return PTR_ERR(tfm_cmac);
3564 err = run_selftests(tfm_aes, tfm_cmac);
3566 crypto_free_hash(tfm_cmac);
3567 crypto_free_blkcipher(tfm_aes);