2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
23 #include <linux/debugfs.h>
24 #include <linux/crypto.h>
25 #include <linux/scatterlist.h>
26 #include <crypto/b128ops.h>
28 #include <net/bluetooth/bluetooth.h>
29 #include <net/bluetooth/hci_core.h>
30 #include <net/bluetooth/l2cap.h>
31 #include <net/bluetooth/mgmt.h>
36 /* Low-level debug macros to be used for stuff that we don't want
37 * accidentially in dmesg, i.e. the values of the various crypto keys
38 * and the inputs & outputs of crypto functions.
41 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
44 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
48 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
50 /* Keys which are not distributed with Secure Connections */
51 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
53 #define SMP_TIMEOUT msecs_to_jiffies(30000)
55 #define AUTH_REQ_MASK(dev) (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
57 #define KEY_DIST_MASK 0x07
59 /* Maximum message length that can be passed to aes_cmac */
60 #define CMAC_MSG_MAX 80
72 SMP_FLAG_DHKEY_PENDING,
77 /* Secure Connections OOB data */
83 struct crypto_blkcipher *tfm_aes;
84 struct crypto_hash *tfm_cmac;
88 struct l2cap_conn *conn;
89 struct delayed_work security_timer;
90 unsigned long allow_cmd; /* Bitmask of allowed commands */
92 u8 preq[7]; /* SMP Pairing Request */
93 u8 prsp[7]; /* SMP Pairing Response */
94 u8 prnd[16]; /* SMP Pairing Random (local) */
95 u8 rrnd[16]; /* SMP Pairing Random (remote) */
96 u8 pcnf[16]; /* SMP Pairing Confirm */
97 u8 tk[16]; /* SMP Temporary Key */
104 struct smp_csrk *csrk;
105 struct smp_csrk *slave_csrk;
107 struct smp_ltk *slave_ltk;
108 struct smp_irk *remote_irk;
114 /* Secure Connections variables */
121 struct crypto_blkcipher *tfm_aes;
122 struct crypto_hash *tfm_cmac;
125 /* These debug key values are defined in the SMP section of the core
126 * specification. debug_pk is the public debug key and debug_sk the
129 static const u8 debug_pk[64] = {
130 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
131 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
132 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
133 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
135 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
136 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
137 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
138 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
141 static const u8 debug_sk[32] = {
142 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
143 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
144 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
145 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
148 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
152 for (i = 0; i < len; i++)
153 dst[len - 1 - i] = src[i];
156 /* The following functions map to the LE SC SMP crypto functions
157 * AES-CMAC, f4, f5, f6, g2 and h6.
160 static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m,
161 size_t len, u8 mac[16])
163 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
164 struct hash_desc desc;
165 struct scatterlist sg;
168 if (len > CMAC_MSG_MAX)
172 BT_ERR("tfm %p", tfm);
179 crypto_hash_init(&desc);
181 /* Swap key and message from LSB to MSB */
182 swap_buf(k, tmp, 16);
183 swap_buf(m, msg_msb, len);
185 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
186 SMP_DBG("key %16phN", k);
188 err = crypto_hash_setkey(tfm, tmp, 16);
190 BT_ERR("cipher setkey failed: %d", err);
194 sg_init_one(&sg, msg_msb, len);
196 err = crypto_hash_update(&desc, &sg, len);
198 BT_ERR("Hash update error %d", err);
202 err = crypto_hash_final(&desc, mac_msb);
204 BT_ERR("Hash final error %d", err);
208 swap_buf(mac_msb, mac, 16);
210 SMP_DBG("mac %16phN", mac);
215 static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
216 const u8 x[16], u8 z, u8 res[16])
221 SMP_DBG("u %32phN", u);
222 SMP_DBG("v %32phN", v);
223 SMP_DBG("x %16phN z %02x", x, z);
226 memcpy(m + 1, v, 32);
227 memcpy(m + 33, u, 32);
229 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
233 SMP_DBG("res %16phN", res);
238 static int smp_f5(struct crypto_hash *tfm_cmac, const u8 w[32],
239 const u8 n1[16], const u8 n2[16], const u8 a1[7],
240 const u8 a2[7], u8 mackey[16], u8 ltk[16])
242 /* The btle, salt and length "magic" values are as defined in
243 * the SMP section of the Bluetooth core specification. In ASCII
244 * the btle value ends up being 'btle'. The salt is just a
245 * random number whereas length is the value 256 in little
248 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
249 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
250 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
251 const u8 length[2] = { 0x00, 0x01 };
255 SMP_DBG("w %32phN", w);
256 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
257 SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
259 err = aes_cmac(tfm_cmac, salt, w, 32, t);
263 SMP_DBG("t %16phN", t);
265 memcpy(m, length, 2);
266 memcpy(m + 2, a2, 7);
267 memcpy(m + 9, a1, 7);
268 memcpy(m + 16, n2, 16);
269 memcpy(m + 32, n1, 16);
270 memcpy(m + 48, btle, 4);
272 m[52] = 0; /* Counter */
274 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
278 SMP_DBG("mackey %16phN", mackey);
280 m[52] = 1; /* Counter */
282 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
286 SMP_DBG("ltk %16phN", ltk);
291 static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16],
292 const u8 n1[16], const u8 n2[16], const u8 r[16],
293 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
299 SMP_DBG("w %16phN", w);
300 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
301 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
304 memcpy(m + 7, a1, 7);
305 memcpy(m + 14, io_cap, 3);
306 memcpy(m + 17, r, 16);
307 memcpy(m + 33, n2, 16);
308 memcpy(m + 49, n1, 16);
310 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
314 SMP_DBG("res %16phN", res);
319 static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
320 const u8 x[16], const u8 y[16], u32 *val)
325 SMP_DBG("u %32phN", u);
326 SMP_DBG("v %32phN", v);
327 SMP_DBG("x %16phN y %16phN", x, y);
330 memcpy(m + 16, v, 32);
331 memcpy(m + 48, u, 32);
333 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
337 *val = get_unaligned_le32(tmp);
340 SMP_DBG("val %06u", *val);
345 static int smp_h6(struct crypto_hash *tfm_cmac, const u8 w[16],
346 const u8 key_id[4], u8 res[16])
350 SMP_DBG("w %16phN key_id %4phN", w, key_id);
352 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
356 SMP_DBG("res %16phN", res);
361 /* The following functions map to the legacy SMP crypto functions e, c1,
365 static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
367 struct blkcipher_desc desc;
368 struct scatterlist sg;
369 uint8_t tmp[16], data[16];
373 BT_ERR("tfm %p", tfm);
380 /* The most significant octet of key corresponds to k[0] */
381 swap_buf(k, tmp, 16);
383 err = crypto_blkcipher_setkey(tfm, tmp, 16);
385 BT_ERR("cipher setkey failed: %d", err);
389 /* Most significant octet of plaintextData corresponds to data[0] */
390 swap_buf(r, data, 16);
392 sg_init_one(&sg, data, 16);
394 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
396 BT_ERR("Encrypt data error %d", err);
398 /* Most significant octet of encryptedData corresponds to data[0] */
399 swap_buf(data, r, 16);
404 static int smp_c1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
405 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
406 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
413 /* p1 = pres || preq || _rat || _iat */
416 memcpy(p1 + 2, preq, 7);
417 memcpy(p1 + 9, pres, 7);
419 /* p2 = padding || ia || ra */
421 memcpy(p2 + 6, ia, 6);
422 memset(p2 + 12, 0, 4);
425 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
427 /* res = e(k, res) */
428 err = smp_e(tfm_aes, k, res);
430 BT_ERR("Encrypt data error");
434 /* res = res XOR p2 */
435 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
437 /* res = e(k, res) */
438 err = smp_e(tfm_aes, k, res);
440 BT_ERR("Encrypt data error");
445 static int smp_s1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
446 const u8 r1[16], const u8 r2[16], u8 _r[16])
450 /* Just least significant octets from r1 and r2 are considered */
452 memcpy(_r + 8, r1, 8);
454 err = smp_e(tfm_aes, k, _r);
456 BT_ERR("Encrypt data error");
461 static int smp_ah(struct crypto_blkcipher *tfm, const u8 irk[16],
462 const u8 r[3], u8 res[3])
467 /* r' = padding || r */
469 memset(_res + 3, 0, 13);
471 err = smp_e(tfm, irk, _res);
473 BT_ERR("Encrypt error");
477 /* The output of the random address function ah is:
478 * ah(h, r) = e(k, r') mod 2^24
479 * The output of the security function e is then truncated to 24 bits
480 * by taking the least significant 24 bits of the output of e as the
483 memcpy(res, _res, 3);
488 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
489 const bdaddr_t *bdaddr)
491 struct l2cap_chan *chan = hdev->smp_data;
496 if (!chan || !chan->data)
501 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
503 err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash);
507 return !memcmp(bdaddr->b, hash, 3);
510 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
512 struct l2cap_chan *chan = hdev->smp_data;
516 if (!chan || !chan->data)
521 get_random_bytes(&rpa->b[3], 3);
523 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
524 rpa->b[5] |= 0x40; /* Set second most significant bit */
526 err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b);
530 BT_DBG("RPA %pMR", rpa);
535 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
537 struct l2cap_chan *chan = hdev->smp_data;
541 if (!chan || !chan->data)
546 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
547 BT_DBG("Using debug keys");
548 memcpy(smp->local_pk, debug_pk, 64);
549 memcpy(smp->local_sk, debug_sk, 32);
550 smp->debug_key = true;
553 /* Generate local key pair for Secure Connections */
554 if (!ecc_make_key(smp->local_pk, smp->local_sk))
557 /* This is unlikely, but we need to check that
558 * we didn't accidentially generate a debug key.
560 if (memcmp(smp->local_sk, debug_sk, 32))
563 smp->debug_key = false;
566 SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
567 SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
568 SMP_DBG("OOB Private Key: %32phN", smp->local_sk);
570 get_random_bytes(smp->local_rr, 16);
572 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
573 smp->local_rr, 0, hash);
577 memcpy(rand, smp->local_rr, 16);
582 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
584 struct l2cap_chan *chan = conn->smp;
585 struct smp_chan *smp;
592 BT_DBG("code 0x%2.2x", code);
594 iv[0].iov_base = &code;
597 iv[1].iov_base = data;
600 memset(&msg, 0, sizeof(msg));
602 iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
604 l2cap_chan_send(chan, &msg, 1 + len);
611 cancel_delayed_work_sync(&smp->security_timer);
612 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
615 static u8 authreq_to_seclevel(u8 authreq)
617 if (authreq & SMP_AUTH_MITM) {
618 if (authreq & SMP_AUTH_SC)
619 return BT_SECURITY_FIPS;
621 return BT_SECURITY_HIGH;
623 return BT_SECURITY_MEDIUM;
627 static __u8 seclevel_to_authreq(__u8 sec_level)
630 case BT_SECURITY_FIPS:
631 case BT_SECURITY_HIGH:
632 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
633 case BT_SECURITY_MEDIUM:
634 return SMP_AUTH_BONDING;
636 return SMP_AUTH_NONE;
640 static void build_pairing_cmd(struct l2cap_conn *conn,
641 struct smp_cmd_pairing *req,
642 struct smp_cmd_pairing *rsp, __u8 authreq)
644 struct l2cap_chan *chan = conn->smp;
645 struct smp_chan *smp = chan->data;
646 struct hci_conn *hcon = conn->hcon;
647 struct hci_dev *hdev = hcon->hdev;
648 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
650 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
651 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
652 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
653 authreq |= SMP_AUTH_BONDING;
655 authreq &= ~SMP_AUTH_BONDING;
658 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
659 remote_dist |= SMP_DIST_ID_KEY;
661 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
662 local_dist |= SMP_DIST_ID_KEY;
664 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
665 (authreq & SMP_AUTH_SC)) {
666 struct oob_data *oob_data;
669 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
670 local_dist |= SMP_DIST_LINK_KEY;
671 remote_dist |= SMP_DIST_LINK_KEY;
674 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
675 bdaddr_type = BDADDR_LE_PUBLIC;
677 bdaddr_type = BDADDR_LE_RANDOM;
679 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
681 if (oob_data && oob_data->present) {
682 set_bit(SMP_FLAG_OOB, &smp->flags);
683 oob_flag = SMP_OOB_PRESENT;
684 memcpy(smp->rr, oob_data->rand256, 16);
685 memcpy(smp->pcnf, oob_data->hash256, 16);
689 authreq &= ~SMP_AUTH_SC;
693 req->io_capability = conn->hcon->io_capability;
694 req->oob_flag = oob_flag;
695 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
696 req->init_key_dist = local_dist;
697 req->resp_key_dist = remote_dist;
698 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
700 smp->remote_key_dist = remote_dist;
704 rsp->io_capability = conn->hcon->io_capability;
705 rsp->oob_flag = oob_flag;
706 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
707 rsp->init_key_dist = req->init_key_dist & remote_dist;
708 rsp->resp_key_dist = req->resp_key_dist & local_dist;
709 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
711 smp->remote_key_dist = rsp->init_key_dist;
714 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
716 struct l2cap_chan *chan = conn->smp;
717 struct smp_chan *smp = chan->data;
719 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
720 (max_key_size < SMP_MIN_ENC_KEY_SIZE))
721 return SMP_ENC_KEY_SIZE;
723 smp->enc_key_size = max_key_size;
728 static void smp_chan_destroy(struct l2cap_conn *conn)
730 struct l2cap_chan *chan = conn->smp;
731 struct smp_chan *smp = chan->data;
732 struct hci_conn *hcon = conn->hcon;
737 cancel_delayed_work_sync(&smp->security_timer);
739 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
740 mgmt_smp_complete(hcon, complete);
743 kzfree(smp->slave_csrk);
744 kzfree(smp->link_key);
746 crypto_free_blkcipher(smp->tfm_aes);
747 crypto_free_hash(smp->tfm_cmac);
749 /* Ensure that we don't leave any debug key around if debug key
750 * support hasn't been explicitly enabled.
752 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
753 !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
754 list_del_rcu(&smp->ltk->list);
755 kfree_rcu(smp->ltk, rcu);
759 /* If pairing failed clean up any keys we might have */
762 list_del_rcu(&smp->ltk->list);
763 kfree_rcu(smp->ltk, rcu);
766 if (smp->slave_ltk) {
767 list_del_rcu(&smp->slave_ltk->list);
768 kfree_rcu(smp->slave_ltk, rcu);
771 if (smp->remote_irk) {
772 list_del_rcu(&smp->remote_irk->list);
773 kfree_rcu(smp->remote_irk, rcu);
782 static void smp_failure(struct l2cap_conn *conn, u8 reason)
784 struct hci_conn *hcon = conn->hcon;
785 struct l2cap_chan *chan = conn->smp;
788 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
791 clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags);
792 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
795 smp_chan_destroy(conn);
798 #define JUST_WORKS 0x00
799 #define JUST_CFM 0x01
800 #define REQ_PASSKEY 0x02
801 #define CFM_PASSKEY 0x03
803 #define DSP_PASSKEY 0x05
806 static const u8 gen_method[5][5] = {
807 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
808 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
809 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
810 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
811 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
814 static const u8 sc_method[5][5] = {
815 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
816 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
817 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
818 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
819 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
822 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
824 /* If either side has unknown io_caps, use JUST_CFM (which gets
825 * converted later to JUST_WORKS if we're initiators.
827 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
828 remote_io > SMP_IO_KEYBOARD_DISPLAY)
831 if (test_bit(SMP_FLAG_SC, &smp->flags))
832 return sc_method[remote_io][local_io];
834 return gen_method[remote_io][local_io];
837 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
838 u8 local_io, u8 remote_io)
840 struct hci_conn *hcon = conn->hcon;
841 struct l2cap_chan *chan = conn->smp;
842 struct smp_chan *smp = chan->data;
846 /* Initialize key for JUST WORKS */
847 memset(smp->tk, 0, sizeof(smp->tk));
848 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
850 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
852 /* If neither side wants MITM, either "just" confirm an incoming
853 * request or use just-works for outgoing ones. The JUST_CFM
854 * will be converted to JUST_WORKS if necessary later in this
855 * function. If either side has MITM look up the method from the
858 if (!(auth & SMP_AUTH_MITM))
859 smp->method = JUST_CFM;
861 smp->method = get_auth_method(smp, local_io, remote_io);
863 /* Don't confirm locally initiated pairing attempts */
864 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
866 smp->method = JUST_WORKS;
868 /* Don't bother user space with no IO capabilities */
869 if (smp->method == JUST_CFM &&
870 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
871 smp->method = JUST_WORKS;
873 /* If Just Works, Continue with Zero TK */
874 if (smp->method == JUST_WORKS) {
875 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
879 /* Not Just Works/Confirm results in MITM Authentication */
880 if (smp->method != JUST_CFM) {
881 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
882 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
883 hcon->pending_sec_level = BT_SECURITY_HIGH;
886 /* If both devices have Keyoard-Display I/O, the master
887 * Confirms and the slave Enters the passkey.
889 if (smp->method == OVERLAP) {
890 if (hcon->role == HCI_ROLE_MASTER)
891 smp->method = CFM_PASSKEY;
893 smp->method = REQ_PASSKEY;
896 /* Generate random passkey. */
897 if (smp->method == CFM_PASSKEY) {
898 memset(smp->tk, 0, sizeof(smp->tk));
899 get_random_bytes(&passkey, sizeof(passkey));
901 put_unaligned_le32(passkey, smp->tk);
902 BT_DBG("PassKey: %d", passkey);
903 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
906 if (smp->method == REQ_PASSKEY)
907 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
908 hcon->type, hcon->dst_type);
909 else if (smp->method == JUST_CFM)
910 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
911 hcon->type, hcon->dst_type,
914 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
915 hcon->type, hcon->dst_type,
921 static u8 smp_confirm(struct smp_chan *smp)
923 struct l2cap_conn *conn = smp->conn;
924 struct smp_cmd_pairing_confirm cp;
927 BT_DBG("conn %p", conn);
929 ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
930 conn->hcon->init_addr_type, &conn->hcon->init_addr,
931 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
934 return SMP_UNSPECIFIED;
936 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
938 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
941 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
943 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
948 static u8 smp_random(struct smp_chan *smp)
950 struct l2cap_conn *conn = smp->conn;
951 struct hci_conn *hcon = conn->hcon;
955 if (IS_ERR_OR_NULL(smp->tfm_aes))
956 return SMP_UNSPECIFIED;
958 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
960 ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
961 hcon->init_addr_type, &hcon->init_addr,
962 hcon->resp_addr_type, &hcon->resp_addr, confirm);
964 return SMP_UNSPECIFIED;
966 if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
967 BT_ERR("Pairing failed (confirmation values mismatch)");
968 return SMP_CONFIRM_FAILED;
976 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
978 memset(stk + smp->enc_key_size, 0,
979 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
981 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
982 return SMP_UNSPECIFIED;
984 hci_le_start_enc(hcon, ediv, rand, stk);
985 hcon->enc_key_size = smp->enc_key_size;
986 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
992 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
995 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
997 memset(stk + smp->enc_key_size, 0,
998 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
1000 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1005 /* Even though there's no _SLAVE suffix this is the
1006 * slave STK we're adding for later lookup (the master
1007 * STK never needs to be stored).
1009 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1010 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1016 static void smp_notify_keys(struct l2cap_conn *conn)
1018 struct l2cap_chan *chan = conn->smp;
1019 struct smp_chan *smp = chan->data;
1020 struct hci_conn *hcon = conn->hcon;
1021 struct hci_dev *hdev = hcon->hdev;
1022 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1023 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1026 if (smp->remote_irk) {
1027 mgmt_new_irk(hdev, smp->remote_irk);
1028 /* Now that user space can be considered to know the
1029 * identity address track the connection based on it
1030 * from now on (assuming this is an LE link).
1032 if (hcon->type == LE_LINK) {
1033 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1034 hcon->dst_type = smp->remote_irk->addr_type;
1035 queue_work(hdev->workqueue, &conn->id_addr_update_work);
1038 /* When receiving an indentity resolving key for
1039 * a remote device that does not use a resolvable
1040 * private address, just remove the key so that
1041 * it is possible to use the controller white
1042 * list for scanning.
1044 * Userspace will have been told to not store
1045 * this key at this point. So it is safe to
1048 if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) {
1049 list_del_rcu(&smp->remote_irk->list);
1050 kfree_rcu(smp->remote_irk, rcu);
1051 smp->remote_irk = NULL;
1055 if (hcon->type == ACL_LINK) {
1056 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1059 persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1062 /* The LTKs and CSRKs should be persistent only if both sides
1063 * had the bonding bit set in their authentication requests.
1065 persistent = !!((req->auth_req & rsp->auth_req) &
1071 smp->csrk->bdaddr_type = hcon->dst_type;
1072 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1073 mgmt_new_csrk(hdev, smp->csrk, persistent);
1076 if (smp->slave_csrk) {
1077 smp->slave_csrk->bdaddr_type = hcon->dst_type;
1078 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1079 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1083 smp->ltk->bdaddr_type = hcon->dst_type;
1084 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1085 mgmt_new_ltk(hdev, smp->ltk, persistent);
1088 if (smp->slave_ltk) {
1089 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1090 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1091 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1094 if (smp->link_key) {
1095 struct link_key *key;
1098 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1099 type = HCI_LK_DEBUG_COMBINATION;
1100 else if (hcon->sec_level == BT_SECURITY_FIPS)
1101 type = HCI_LK_AUTH_COMBINATION_P256;
1103 type = HCI_LK_UNAUTH_COMBINATION_P256;
1105 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1106 smp->link_key, type, 0, &persistent);
1108 mgmt_new_link_key(hdev, key, persistent);
1110 /* Don't keep debug keys around if the relevant
1113 if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1114 key->type == HCI_LK_DEBUG_COMBINATION) {
1115 list_del_rcu(&key->list);
1116 kfree_rcu(key, rcu);
1122 static void sc_add_ltk(struct smp_chan *smp)
1124 struct hci_conn *hcon = smp->conn->hcon;
1127 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1128 key_type = SMP_LTK_P256_DEBUG;
1130 key_type = SMP_LTK_P256;
1132 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1137 memset(smp->tk + smp->enc_key_size, 0,
1138 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
1140 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1141 key_type, auth, smp->tk, smp->enc_key_size,
1145 static void sc_generate_link_key(struct smp_chan *smp)
1147 /* These constants are as specified in the core specification.
1148 * In ASCII they spell out to 'tmp1' and 'lebr'.
1150 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1151 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1153 smp->link_key = kzalloc(16, GFP_KERNEL);
1157 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1158 kzfree(smp->link_key);
1159 smp->link_key = NULL;
1163 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1164 kzfree(smp->link_key);
1165 smp->link_key = NULL;
1170 static void smp_allow_key_dist(struct smp_chan *smp)
1172 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1173 * will be allowed in each PDU handler to ensure we receive
1174 * them in the correct order.
1176 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1177 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1178 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1179 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1180 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1181 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1184 static void sc_generate_ltk(struct smp_chan *smp)
1186 /* These constants are as specified in the core specification.
1187 * In ASCII they spell out to 'tmp2' and 'brle'.
1189 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1190 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1191 struct hci_conn *hcon = smp->conn->hcon;
1192 struct hci_dev *hdev = hcon->hdev;
1193 struct link_key *key;
1195 key = hci_find_link_key(hdev, &hcon->dst);
1197 BT_ERR("%s No Link Key found to generate LTK", hdev->name);
1201 if (key->type == HCI_LK_DEBUG_COMBINATION)
1202 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1204 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1207 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1213 static void smp_distribute_keys(struct smp_chan *smp)
1215 struct smp_cmd_pairing *req, *rsp;
1216 struct l2cap_conn *conn = smp->conn;
1217 struct hci_conn *hcon = conn->hcon;
1218 struct hci_dev *hdev = hcon->hdev;
1221 BT_DBG("conn %p", conn);
1223 rsp = (void *) &smp->prsp[1];
1225 /* The responder sends its keys first */
1226 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1227 smp_allow_key_dist(smp);
1231 req = (void *) &smp->preq[1];
1234 keydist = &rsp->init_key_dist;
1235 *keydist &= req->init_key_dist;
1237 keydist = &rsp->resp_key_dist;
1238 *keydist &= req->resp_key_dist;
1241 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1242 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1243 sc_generate_link_key(smp);
1244 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1245 sc_generate_ltk(smp);
1247 /* Clear the keys which are generated but not distributed */
1248 *keydist &= ~SMP_SC_NO_DIST;
1251 BT_DBG("keydist 0x%x", *keydist);
1253 if (*keydist & SMP_DIST_ENC_KEY) {
1254 struct smp_cmd_encrypt_info enc;
1255 struct smp_cmd_master_ident ident;
1256 struct smp_ltk *ltk;
1261 get_random_bytes(enc.ltk, sizeof(enc.ltk));
1262 get_random_bytes(&ediv, sizeof(ediv));
1263 get_random_bytes(&rand, sizeof(rand));
1265 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1267 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1268 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1269 SMP_LTK_SLAVE, authenticated, enc.ltk,
1270 smp->enc_key_size, ediv, rand);
1271 smp->slave_ltk = ltk;
1276 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1278 *keydist &= ~SMP_DIST_ENC_KEY;
1281 if (*keydist & SMP_DIST_ID_KEY) {
1282 struct smp_cmd_ident_addr_info addrinfo;
1283 struct smp_cmd_ident_info idinfo;
1285 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1287 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1289 /* The hci_conn contains the local identity address
1290 * after the connection has been established.
1292 * This is true even when the connection has been
1293 * established using a resolvable random address.
1295 bacpy(&addrinfo.bdaddr, &hcon->src);
1296 addrinfo.addr_type = hcon->src_type;
1298 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1301 *keydist &= ~SMP_DIST_ID_KEY;
1304 if (*keydist & SMP_DIST_SIGN) {
1305 struct smp_cmd_sign_info sign;
1306 struct smp_csrk *csrk;
1308 /* Generate a new random key */
1309 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1311 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1313 if (hcon->sec_level > BT_SECURITY_MEDIUM)
1314 csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1316 csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1317 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1319 smp->slave_csrk = csrk;
1321 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1323 *keydist &= ~SMP_DIST_SIGN;
1326 /* If there are still keys to be received wait for them */
1327 if (smp->remote_key_dist & KEY_DIST_MASK) {
1328 smp_allow_key_dist(smp);
1332 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1333 smp_notify_keys(conn);
1335 smp_chan_destroy(conn);
1338 static void smp_timeout(struct work_struct *work)
1340 struct smp_chan *smp = container_of(work, struct smp_chan,
1341 security_timer.work);
1342 struct l2cap_conn *conn = smp->conn;
1344 BT_DBG("conn %p", conn);
1346 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1349 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1351 struct l2cap_chan *chan = conn->smp;
1352 struct smp_chan *smp;
1354 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1358 smp->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
1359 if (IS_ERR(smp->tfm_aes)) {
1360 BT_ERR("Unable to create ECB crypto context");
1365 smp->tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
1366 if (IS_ERR(smp->tfm_cmac)) {
1367 BT_ERR("Unable to create CMAC crypto context");
1368 crypto_free_blkcipher(smp->tfm_aes);
1376 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1378 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1380 hci_conn_hold(conn->hcon);
1385 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1387 struct hci_conn *hcon = smp->conn->hcon;
1388 u8 *na, *nb, a[7], b[7];
1398 memcpy(a, &hcon->init_addr, 6);
1399 memcpy(b, &hcon->resp_addr, 6);
1400 a[6] = hcon->init_addr_type;
1401 b[6] = hcon->resp_addr_type;
1403 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1406 static void sc_dhkey_check(struct smp_chan *smp)
1408 struct hci_conn *hcon = smp->conn->hcon;
1409 struct smp_cmd_dhkey_check check;
1410 u8 a[7], b[7], *local_addr, *remote_addr;
1411 u8 io_cap[3], r[16];
1413 memcpy(a, &hcon->init_addr, 6);
1414 memcpy(b, &hcon->resp_addr, 6);
1415 a[6] = hcon->init_addr_type;
1416 b[6] = hcon->resp_addr_type;
1421 memcpy(io_cap, &smp->preq[1], 3);
1425 memcpy(io_cap, &smp->prsp[1], 3);
1428 memset(r, 0, sizeof(r));
1430 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1431 put_unaligned_le32(hcon->passkey_notify, r);
1433 if (smp->method == REQ_OOB)
1434 memcpy(r, smp->rr, 16);
1436 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1437 local_addr, remote_addr, check.e);
1439 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1442 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1444 struct l2cap_conn *conn = smp->conn;
1445 struct hci_conn *hcon = conn->hcon;
1446 struct smp_cmd_pairing_confirm cfm;
1449 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1452 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1454 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1456 return SMP_UNSPECIFIED;
1458 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1463 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1465 struct l2cap_conn *conn = smp->conn;
1466 struct hci_conn *hcon = conn->hcon;
1467 struct hci_dev *hdev = hcon->hdev;
1470 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1471 if (smp->passkey_round >= 20)
1475 case SMP_CMD_PAIRING_RANDOM:
1476 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1479 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1481 return SMP_UNSPECIFIED;
1483 if (memcmp(smp->pcnf, cfm, 16))
1484 return SMP_CONFIRM_FAILED;
1486 smp->passkey_round++;
1488 if (smp->passkey_round == 20) {
1489 /* Generate MacKey and LTK */
1490 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1491 return SMP_UNSPECIFIED;
1494 /* The round is only complete when the initiator
1495 * receives pairing random.
1498 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1499 sizeof(smp->prnd), smp->prnd);
1500 if (smp->passkey_round == 20)
1501 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1503 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1507 /* Start the next round */
1508 if (smp->passkey_round != 20)
1509 return sc_passkey_round(smp, 0);
1511 /* Passkey rounds are complete - start DHKey Check */
1512 sc_dhkey_check(smp);
1513 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1517 case SMP_CMD_PAIRING_CONFIRM:
1518 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1519 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1523 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1526 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1527 sizeof(smp->prnd), smp->prnd);
1531 return sc_passkey_send_confirm(smp);
1533 case SMP_CMD_PUBLIC_KEY:
1535 /* Initiating device starts the round */
1539 BT_DBG("%s Starting passkey round %u", hdev->name,
1540 smp->passkey_round + 1);
1542 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1544 return sc_passkey_send_confirm(smp);
1550 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1552 struct l2cap_conn *conn = smp->conn;
1553 struct hci_conn *hcon = conn->hcon;
1556 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1559 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1560 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1562 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1563 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1565 case MGMT_OP_USER_PASSKEY_REPLY:
1566 hcon->passkey_notify = le32_to_cpu(passkey);
1567 smp->passkey_round = 0;
1569 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1570 smp_op = SMP_CMD_PAIRING_CONFIRM;
1574 if (sc_passkey_round(smp, smp_op))
1580 /* Initiator sends DHKey check first */
1582 sc_dhkey_check(smp);
1583 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1584 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1585 sc_dhkey_check(smp);
1592 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1594 struct l2cap_conn *conn = hcon->l2cap_data;
1595 struct l2cap_chan *chan;
1596 struct smp_chan *smp;
1609 l2cap_chan_lock(chan);
1617 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1618 err = sc_user_reply(smp, mgmt_op, passkey);
1623 case MGMT_OP_USER_PASSKEY_REPLY:
1624 value = le32_to_cpu(passkey);
1625 memset(smp->tk, 0, sizeof(smp->tk));
1626 BT_DBG("PassKey: %d", value);
1627 put_unaligned_le32(value, smp->tk);
1629 case MGMT_OP_USER_CONFIRM_REPLY:
1630 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1632 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1633 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1634 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1638 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1645 /* If it is our turn to send Pairing Confirm, do so now */
1646 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1647 u8 rsp = smp_confirm(smp);
1649 smp_failure(conn, rsp);
1653 l2cap_chan_unlock(chan);
1657 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1658 struct smp_cmd_pairing *req,
1659 struct smp_cmd_pairing *rsp)
1661 struct l2cap_conn *conn = smp->conn;
1662 struct hci_dev *hdev = conn->hcon->hdev;
1663 u8 local_dist = 0, remote_dist = 0;
1665 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1666 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1667 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1670 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1671 remote_dist |= SMP_DIST_ID_KEY;
1673 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1674 local_dist |= SMP_DIST_ID_KEY;
1677 memset(req, 0, sizeof(*req));
1679 req->init_key_dist = local_dist;
1680 req->resp_key_dist = remote_dist;
1681 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1683 smp->remote_key_dist = remote_dist;
1688 memset(rsp, 0, sizeof(*rsp));
1690 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1691 rsp->init_key_dist = req->init_key_dist & remote_dist;
1692 rsp->resp_key_dist = req->resp_key_dist & local_dist;
1694 smp->remote_key_dist = rsp->init_key_dist;
1697 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1699 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1700 struct l2cap_chan *chan = conn->smp;
1701 struct hci_dev *hdev = conn->hcon->hdev;
1702 struct smp_chan *smp;
1703 u8 key_size, auth, sec_level;
1706 BT_DBG("conn %p", conn);
1708 if (skb->len < sizeof(*req))
1709 return SMP_INVALID_PARAMS;
1711 if (conn->hcon->role != HCI_ROLE_SLAVE)
1712 return SMP_CMD_NOTSUPP;
1715 smp = smp_chan_create(conn);
1720 return SMP_UNSPECIFIED;
1722 /* We didn't start the pairing, so match remote */
1723 auth = req->auth_req & AUTH_REQ_MASK(hdev);
1725 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1726 (auth & SMP_AUTH_BONDING))
1727 return SMP_PAIRING_NOTSUPP;
1729 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1730 return SMP_AUTH_REQUIREMENTS;
1732 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1733 memcpy(&smp->preq[1], req, sizeof(*req));
1734 skb_pull(skb, sizeof(*req));
1736 /* SMP over BR/EDR requires special treatment */
1737 if (conn->hcon->type == ACL_LINK) {
1738 /* We must have a BR/EDR SC link */
1739 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1740 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1741 return SMP_CROSS_TRANSP_NOT_ALLOWED;
1743 set_bit(SMP_FLAG_SC, &smp->flags);
1745 build_bredr_pairing_cmd(smp, req, &rsp);
1747 key_size = min(req->max_key_size, rsp.max_key_size);
1748 if (check_enc_key_size(conn, key_size))
1749 return SMP_ENC_KEY_SIZE;
1751 /* Clear bits which are generated but not distributed */
1752 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1754 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1755 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1756 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1758 smp_distribute_keys(smp);
1762 build_pairing_cmd(conn, req, &rsp, auth);
1764 if (rsp.auth_req & SMP_AUTH_SC)
1765 set_bit(SMP_FLAG_SC, &smp->flags);
1767 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1768 sec_level = BT_SECURITY_MEDIUM;
1770 sec_level = authreq_to_seclevel(auth);
1772 if (sec_level > conn->hcon->pending_sec_level)
1773 conn->hcon->pending_sec_level = sec_level;
1775 /* If we need MITM check that it can be achieved */
1776 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1779 method = get_auth_method(smp, conn->hcon->io_capability,
1780 req->io_capability);
1781 if (method == JUST_WORKS || method == JUST_CFM)
1782 return SMP_AUTH_REQUIREMENTS;
1785 key_size = min(req->max_key_size, rsp.max_key_size);
1786 if (check_enc_key_size(conn, key_size))
1787 return SMP_ENC_KEY_SIZE;
1789 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1791 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1792 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1794 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1796 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1798 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1799 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1800 /* Clear bits which are generated but not distributed */
1801 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1802 /* Wait for Public Key from Initiating Device */
1806 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1808 /* Request setup of TK */
1809 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1811 return SMP_UNSPECIFIED;
1816 static u8 sc_send_public_key(struct smp_chan *smp)
1818 struct hci_dev *hdev = smp->conn->hcon->hdev;
1822 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1823 BT_DBG("Using debug keys");
1824 memcpy(smp->local_pk, debug_pk, 64);
1825 memcpy(smp->local_sk, debug_sk, 32);
1826 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1829 /* Generate local key pair for Secure Connections */
1830 if (!ecc_make_key(smp->local_pk, smp->local_sk))
1831 return SMP_UNSPECIFIED;
1833 /* This is unlikely, but we need to check that
1834 * we didn't accidentially generate a debug key.
1836 if (memcmp(smp->local_sk, debug_sk, 32))
1841 SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1842 SMP_DBG("Local Public Key Y: %32phN", &smp->local_pk[32]);
1843 SMP_DBG("Local Private Key: %32phN", smp->local_sk);
1845 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1850 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1852 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1853 struct l2cap_chan *chan = conn->smp;
1854 struct smp_chan *smp = chan->data;
1855 struct hci_dev *hdev = conn->hcon->hdev;
1859 BT_DBG("conn %p", conn);
1861 if (skb->len < sizeof(*rsp))
1862 return SMP_INVALID_PARAMS;
1864 if (conn->hcon->role != HCI_ROLE_MASTER)
1865 return SMP_CMD_NOTSUPP;
1867 skb_pull(skb, sizeof(*rsp));
1869 req = (void *) &smp->preq[1];
1871 key_size = min(req->max_key_size, rsp->max_key_size);
1872 if (check_enc_key_size(conn, key_size))
1873 return SMP_ENC_KEY_SIZE;
1875 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1877 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1878 return SMP_AUTH_REQUIREMENTS;
1880 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1881 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1883 /* Update remote key distribution in case the remote cleared
1884 * some bits that we had enabled in our request.
1886 smp->remote_key_dist &= rsp->resp_key_dist;
1888 /* For BR/EDR this means we're done and can start phase 3 */
1889 if (conn->hcon->type == ACL_LINK) {
1890 /* Clear bits which are generated but not distributed */
1891 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1892 smp_distribute_keys(smp);
1896 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1897 set_bit(SMP_FLAG_SC, &smp->flags);
1898 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1899 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1901 /* If we need MITM check that it can be achieved */
1902 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1905 method = get_auth_method(smp, req->io_capability,
1906 rsp->io_capability);
1907 if (method == JUST_WORKS || method == JUST_CFM)
1908 return SMP_AUTH_REQUIREMENTS;
1911 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1913 /* Update remote key distribution in case the remote cleared
1914 * some bits that we had enabled in our request.
1916 smp->remote_key_dist &= rsp->resp_key_dist;
1918 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1919 /* Clear bits which are generated but not distributed */
1920 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1921 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1922 return sc_send_public_key(smp);
1925 auth |= req->auth_req;
1927 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
1929 return SMP_UNSPECIFIED;
1931 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1933 /* Can't compose response until we have been confirmed */
1934 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1935 return smp_confirm(smp);
1940 static u8 sc_check_confirm(struct smp_chan *smp)
1942 struct l2cap_conn *conn = smp->conn;
1946 /* Public Key exchange must happen before any other steps */
1947 if (!test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
1948 return SMP_UNSPECIFIED;
1950 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1951 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
1953 if (conn->hcon->out) {
1954 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1956 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1962 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
1964 struct l2cap_chan *chan = conn->smp;
1965 struct smp_chan *smp = chan->data;
1967 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
1969 if (skb->len < sizeof(smp->pcnf))
1970 return SMP_INVALID_PARAMS;
1972 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
1973 skb_pull(skb, sizeof(smp->pcnf));
1975 if (test_bit(SMP_FLAG_SC, &smp->flags))
1976 return sc_check_confirm(smp);
1978 if (conn->hcon->out) {
1979 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1981 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1985 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1986 return smp_confirm(smp);
1988 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1993 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
1995 struct l2cap_chan *chan = conn->smp;
1996 struct smp_chan *smp = chan->data;
1997 struct hci_conn *hcon = conn->hcon;
1998 u8 *pkax, *pkbx, *na, *nb;
2002 BT_DBG("conn %p", conn);
2004 if (skb->len < sizeof(smp->rrnd))
2005 return SMP_INVALID_PARAMS;
2007 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2008 skb_pull(skb, sizeof(smp->rrnd));
2010 if (!test_bit(SMP_FLAG_SC, &smp->flags))
2011 return smp_random(smp);
2014 pkax = smp->local_pk;
2015 pkbx = smp->remote_pk;
2019 pkax = smp->remote_pk;
2020 pkbx = smp->local_pk;
2025 if (smp->method == REQ_OOB) {
2027 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2028 sizeof(smp->prnd), smp->prnd);
2029 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2030 goto mackey_and_ltk;
2033 /* Passkey entry has special treatment */
2034 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2035 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2040 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2043 return SMP_UNSPECIFIED;
2045 if (memcmp(smp->pcnf, cfm, 16))
2046 return SMP_CONFIRM_FAILED;
2048 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2050 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2054 /* Generate MacKey and LTK */
2055 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2057 return SMP_UNSPECIFIED;
2059 if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2061 sc_dhkey_check(smp);
2062 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2067 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2069 return SMP_UNSPECIFIED;
2071 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2072 hcon->dst_type, passkey, 0);
2074 return SMP_UNSPECIFIED;
2076 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2081 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2083 struct smp_ltk *key;
2084 struct hci_conn *hcon = conn->hcon;
2086 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2090 if (smp_ltk_sec_level(key) < sec_level)
2093 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2096 hci_le_start_enc(hcon, key->ediv, key->rand, key->val);
2097 hcon->enc_key_size = key->enc_size;
2099 /* We never store STKs for master role, so clear this flag */
2100 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2105 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2106 enum smp_key_pref key_pref)
2108 if (sec_level == BT_SECURITY_LOW)
2111 /* If we're encrypted with an STK but the caller prefers using
2112 * LTK claim insufficient security. This way we allow the
2113 * connection to be re-encrypted with an LTK, even if the LTK
2114 * provides the same level of security. Only exception is if we
2115 * don't have an LTK (e.g. because of key distribution bits).
2117 if (key_pref == SMP_USE_LTK &&
2118 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2119 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2122 if (hcon->sec_level >= sec_level)
2128 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2130 struct smp_cmd_security_req *rp = (void *) skb->data;
2131 struct smp_cmd_pairing cp;
2132 struct hci_conn *hcon = conn->hcon;
2133 struct hci_dev *hdev = hcon->hdev;
2134 struct smp_chan *smp;
2137 BT_DBG("conn %p", conn);
2139 if (skb->len < sizeof(*rp))
2140 return SMP_INVALID_PARAMS;
2142 if (hcon->role != HCI_ROLE_MASTER)
2143 return SMP_CMD_NOTSUPP;
2145 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2147 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2148 return SMP_AUTH_REQUIREMENTS;
2150 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2151 sec_level = BT_SECURITY_MEDIUM;
2153 sec_level = authreq_to_seclevel(auth);
2155 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2158 if (sec_level > hcon->pending_sec_level)
2159 hcon->pending_sec_level = sec_level;
2161 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2164 smp = smp_chan_create(conn);
2166 return SMP_UNSPECIFIED;
2168 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2169 (auth & SMP_AUTH_BONDING))
2170 return SMP_PAIRING_NOTSUPP;
2172 skb_pull(skb, sizeof(*rp));
2174 memset(&cp, 0, sizeof(cp));
2175 build_pairing_cmd(conn, &cp, NULL, auth);
2177 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2178 memcpy(&smp->preq[1], &cp, sizeof(cp));
2180 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2181 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2186 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2188 struct l2cap_conn *conn = hcon->l2cap_data;
2189 struct l2cap_chan *chan;
2190 struct smp_chan *smp;
2194 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2196 /* This may be NULL if there's an unexpected disconnection */
2202 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2205 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2208 if (sec_level > hcon->pending_sec_level)
2209 hcon->pending_sec_level = sec_level;
2211 if (hcon->role == HCI_ROLE_MASTER)
2212 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2215 l2cap_chan_lock(chan);
2217 /* If SMP is already in progress ignore this request */
2223 smp = smp_chan_create(conn);
2229 authreq = seclevel_to_authreq(sec_level);
2231 if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED))
2232 authreq |= SMP_AUTH_SC;
2234 /* Require MITM if IO Capability allows or the security level
2237 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2238 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2239 authreq |= SMP_AUTH_MITM;
2241 if (hcon->role == HCI_ROLE_MASTER) {
2242 struct smp_cmd_pairing cp;
2244 build_pairing_cmd(conn, &cp, NULL, authreq);
2245 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2246 memcpy(&smp->preq[1], &cp, sizeof(cp));
2248 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2249 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2251 struct smp_cmd_security_req cp;
2252 cp.auth_req = authreq;
2253 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2254 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2257 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2261 l2cap_chan_unlock(chan);
2265 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2267 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2268 struct l2cap_chan *chan = conn->smp;
2269 struct smp_chan *smp = chan->data;
2271 BT_DBG("conn %p", conn);
2273 if (skb->len < sizeof(*rp))
2274 return SMP_INVALID_PARAMS;
2276 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2278 skb_pull(skb, sizeof(*rp));
2280 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2285 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2287 struct smp_cmd_master_ident *rp = (void *) skb->data;
2288 struct l2cap_chan *chan = conn->smp;
2289 struct smp_chan *smp = chan->data;
2290 struct hci_dev *hdev = conn->hcon->hdev;
2291 struct hci_conn *hcon = conn->hcon;
2292 struct smp_ltk *ltk;
2295 BT_DBG("conn %p", conn);
2297 if (skb->len < sizeof(*rp))
2298 return SMP_INVALID_PARAMS;
2300 /* Mark the information as received */
2301 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2303 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2304 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2305 else if (smp->remote_key_dist & SMP_DIST_SIGN)
2306 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2308 skb_pull(skb, sizeof(*rp));
2310 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2311 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2312 authenticated, smp->tk, smp->enc_key_size,
2313 rp->ediv, rp->rand);
2315 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2316 smp_distribute_keys(smp);
2321 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2323 struct smp_cmd_ident_info *info = (void *) skb->data;
2324 struct l2cap_chan *chan = conn->smp;
2325 struct smp_chan *smp = chan->data;
2329 if (skb->len < sizeof(*info))
2330 return SMP_INVALID_PARAMS;
2332 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2334 skb_pull(skb, sizeof(*info));
2336 memcpy(smp->irk, info->irk, 16);
2341 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2342 struct sk_buff *skb)
2344 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2345 struct l2cap_chan *chan = conn->smp;
2346 struct smp_chan *smp = chan->data;
2347 struct hci_conn *hcon = conn->hcon;
2352 if (skb->len < sizeof(*info))
2353 return SMP_INVALID_PARAMS;
2355 /* Mark the information as received */
2356 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2358 if (smp->remote_key_dist & SMP_DIST_SIGN)
2359 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2361 skb_pull(skb, sizeof(*info));
2363 /* Strictly speaking the Core Specification (4.1) allows sending
2364 * an empty address which would force us to rely on just the IRK
2365 * as "identity information". However, since such
2366 * implementations are not known of and in order to not over
2367 * complicate our implementation, simply pretend that we never
2368 * received an IRK for such a device.
2370 * The Identity Address must also be a Static Random or Public
2371 * Address, which hci_is_identity_address() checks for.
2373 if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2374 !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2375 BT_ERR("Ignoring IRK with no identity address");
2379 bacpy(&smp->id_addr, &info->bdaddr);
2380 smp->id_addr_type = info->addr_type;
2382 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2383 bacpy(&rpa, &hcon->dst);
2385 bacpy(&rpa, BDADDR_ANY);
2387 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2388 smp->id_addr_type, smp->irk, &rpa);
2391 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2392 smp_distribute_keys(smp);
2397 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2399 struct smp_cmd_sign_info *rp = (void *) skb->data;
2400 struct l2cap_chan *chan = conn->smp;
2401 struct smp_chan *smp = chan->data;
2402 struct smp_csrk *csrk;
2404 BT_DBG("conn %p", conn);
2406 if (skb->len < sizeof(*rp))
2407 return SMP_INVALID_PARAMS;
2409 /* Mark the information as received */
2410 smp->remote_key_dist &= ~SMP_DIST_SIGN;
2412 skb_pull(skb, sizeof(*rp));
2414 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2416 if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2417 csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2419 csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2420 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2423 smp_distribute_keys(smp);
2428 static u8 sc_select_method(struct smp_chan *smp)
2430 struct l2cap_conn *conn = smp->conn;
2431 struct hci_conn *hcon = conn->hcon;
2432 struct smp_cmd_pairing *local, *remote;
2433 u8 local_mitm, remote_mitm, local_io, remote_io, method;
2435 if (test_bit(SMP_FLAG_OOB, &smp->flags))
2438 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2439 * which are needed as inputs to some crypto functions. To get
2440 * the "struct smp_cmd_pairing" from them we need to skip the
2441 * first byte which contains the opcode.
2444 local = (void *) &smp->preq[1];
2445 remote = (void *) &smp->prsp[1];
2447 local = (void *) &smp->prsp[1];
2448 remote = (void *) &smp->preq[1];
2451 local_io = local->io_capability;
2452 remote_io = remote->io_capability;
2454 local_mitm = (local->auth_req & SMP_AUTH_MITM);
2455 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2457 /* If either side wants MITM, look up the method from the table,
2458 * otherwise use JUST WORKS.
2460 if (local_mitm || remote_mitm)
2461 method = get_auth_method(smp, local_io, remote_io);
2463 method = JUST_WORKS;
2465 /* Don't confirm locally initiated pairing attempts */
2466 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2467 method = JUST_WORKS;
2472 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2474 struct smp_cmd_public_key *key = (void *) skb->data;
2475 struct hci_conn *hcon = conn->hcon;
2476 struct l2cap_chan *chan = conn->smp;
2477 struct smp_chan *smp = chan->data;
2478 struct hci_dev *hdev = hcon->hdev;
2479 struct smp_cmd_pairing_confirm cfm;
2482 BT_DBG("conn %p", conn);
2484 if (skb->len < sizeof(*key))
2485 return SMP_INVALID_PARAMS;
2487 memcpy(smp->remote_pk, key, 64);
2489 /* Non-initiating device sends its public key after receiving
2490 * the key from the initiating device.
2493 err = sc_send_public_key(smp);
2498 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2499 SMP_DBG("Remote Public Key Y: %32phN", &smp->remote_pk[32]);
2501 if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2502 return SMP_UNSPECIFIED;
2504 SMP_DBG("DHKey %32phN", smp->dhkey);
2506 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2508 smp->method = sc_select_method(smp);
2510 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2512 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2513 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2514 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2516 hcon->pending_sec_level = BT_SECURITY_FIPS;
2518 if (!memcmp(debug_pk, smp->remote_pk, 64))
2519 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2521 if (smp->method == DSP_PASSKEY) {
2522 get_random_bytes(&hcon->passkey_notify,
2523 sizeof(hcon->passkey_notify));
2524 hcon->passkey_notify %= 1000000;
2525 hcon->passkey_entered = 0;
2526 smp->passkey_round = 0;
2527 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2529 hcon->passkey_notify,
2530 hcon->passkey_entered))
2531 return SMP_UNSPECIFIED;
2532 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2533 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2536 if (smp->method == REQ_OOB) {
2537 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2538 smp->rr, 0, cfm.confirm_val);
2540 return SMP_UNSPECIFIED;
2542 if (memcmp(cfm.confirm_val, smp->pcnf, 16))
2543 return SMP_CONFIRM_FAILED;
2546 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2547 sizeof(smp->prnd), smp->prnd);
2549 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2555 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2557 if (smp->method == REQ_PASSKEY) {
2558 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2560 return SMP_UNSPECIFIED;
2561 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2562 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2566 /* The Initiating device waits for the non-initiating device to
2567 * send the confirm value.
2569 if (conn->hcon->out)
2572 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2573 0, cfm.confirm_val);
2575 return SMP_UNSPECIFIED;
2577 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2578 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2583 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2585 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2586 struct l2cap_chan *chan = conn->smp;
2587 struct hci_conn *hcon = conn->hcon;
2588 struct smp_chan *smp = chan->data;
2589 u8 a[7], b[7], *local_addr, *remote_addr;
2590 u8 io_cap[3], r[16], e[16];
2593 BT_DBG("conn %p", conn);
2595 if (skb->len < sizeof(*check))
2596 return SMP_INVALID_PARAMS;
2598 memcpy(a, &hcon->init_addr, 6);
2599 memcpy(b, &hcon->resp_addr, 6);
2600 a[6] = hcon->init_addr_type;
2601 b[6] = hcon->resp_addr_type;
2606 memcpy(io_cap, &smp->prsp[1], 3);
2610 memcpy(io_cap, &smp->preq[1], 3);
2613 memset(r, 0, sizeof(r));
2615 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2616 put_unaligned_le32(hcon->passkey_notify, r);
2618 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2619 io_cap, remote_addr, local_addr, e);
2621 return SMP_UNSPECIFIED;
2623 if (memcmp(check->e, e, 16))
2624 return SMP_DHKEY_CHECK_FAILED;
2627 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2628 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2632 /* Slave sends DHKey check as response to master */
2633 sc_dhkey_check(smp);
2639 hci_le_start_enc(hcon, 0, 0, smp->tk);
2640 hcon->enc_key_size = smp->enc_key_size;
2646 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2647 struct sk_buff *skb)
2649 struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2651 BT_DBG("value 0x%02x", kp->value);
2656 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2658 struct l2cap_conn *conn = chan->conn;
2659 struct hci_conn *hcon = conn->hcon;
2660 struct smp_chan *smp;
2667 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2668 reason = SMP_PAIRING_NOTSUPP;
2672 code = skb->data[0];
2673 skb_pull(skb, sizeof(code));
2677 if (code > SMP_CMD_MAX)
2680 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2683 /* If we don't have a context the only allowed commands are
2684 * pairing request and security request.
2686 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2690 case SMP_CMD_PAIRING_REQ:
2691 reason = smp_cmd_pairing_req(conn, skb);
2694 case SMP_CMD_PAIRING_FAIL:
2695 smp_failure(conn, 0);
2699 case SMP_CMD_PAIRING_RSP:
2700 reason = smp_cmd_pairing_rsp(conn, skb);
2703 case SMP_CMD_SECURITY_REQ:
2704 reason = smp_cmd_security_req(conn, skb);
2707 case SMP_CMD_PAIRING_CONFIRM:
2708 reason = smp_cmd_pairing_confirm(conn, skb);
2711 case SMP_CMD_PAIRING_RANDOM:
2712 reason = smp_cmd_pairing_random(conn, skb);
2715 case SMP_CMD_ENCRYPT_INFO:
2716 reason = smp_cmd_encrypt_info(conn, skb);
2719 case SMP_CMD_MASTER_IDENT:
2720 reason = smp_cmd_master_ident(conn, skb);
2723 case SMP_CMD_IDENT_INFO:
2724 reason = smp_cmd_ident_info(conn, skb);
2727 case SMP_CMD_IDENT_ADDR_INFO:
2728 reason = smp_cmd_ident_addr_info(conn, skb);
2731 case SMP_CMD_SIGN_INFO:
2732 reason = smp_cmd_sign_info(conn, skb);
2735 case SMP_CMD_PUBLIC_KEY:
2736 reason = smp_cmd_public_key(conn, skb);
2739 case SMP_CMD_DHKEY_CHECK:
2740 reason = smp_cmd_dhkey_check(conn, skb);
2743 case SMP_CMD_KEYPRESS_NOTIFY:
2744 reason = smp_cmd_keypress_notify(conn, skb);
2748 BT_DBG("Unknown command code 0x%2.2x", code);
2749 reason = SMP_CMD_NOTSUPP;
2756 smp_failure(conn, reason);
2763 BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2769 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2771 struct l2cap_conn *conn = chan->conn;
2773 BT_DBG("chan %p", chan);
2776 smp_chan_destroy(conn);
2779 l2cap_chan_put(chan);
2782 static void bredr_pairing(struct l2cap_chan *chan)
2784 struct l2cap_conn *conn = chan->conn;
2785 struct hci_conn *hcon = conn->hcon;
2786 struct hci_dev *hdev = hcon->hdev;
2787 struct smp_cmd_pairing req;
2788 struct smp_chan *smp;
2790 BT_DBG("chan %p", chan);
2792 /* Only new pairings are interesting */
2793 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2796 /* Don't bother if we're not encrypted */
2797 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2800 /* Only master may initiate SMP over BR/EDR */
2801 if (hcon->role != HCI_ROLE_MASTER)
2804 /* Secure Connections support must be enabled */
2805 if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
2808 /* BR/EDR must use Secure Connections for SMP */
2809 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
2810 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
2813 /* If our LE support is not enabled don't do anything */
2814 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
2817 /* Don't bother if remote LE support is not enabled */
2818 if (!lmp_host_le_capable(hcon))
2821 /* Remote must support SMP fixed chan for BR/EDR */
2822 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
2825 /* Don't bother if SMP is already ongoing */
2829 smp = smp_chan_create(conn);
2831 BT_ERR("%s unable to create SMP context for BR/EDR",
2836 set_bit(SMP_FLAG_SC, &smp->flags);
2838 BT_DBG("%s starting SMP over BR/EDR", hdev->name);
2840 /* Prepare and send the BR/EDR SMP Pairing Request */
2841 build_bredr_pairing_cmd(smp, &req, NULL);
2843 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2844 memcpy(&smp->preq[1], &req, sizeof(req));
2846 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
2847 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2850 static void smp_resume_cb(struct l2cap_chan *chan)
2852 struct smp_chan *smp = chan->data;
2853 struct l2cap_conn *conn = chan->conn;
2854 struct hci_conn *hcon = conn->hcon;
2856 BT_DBG("chan %p", chan);
2858 if (hcon->type == ACL_LINK) {
2859 bredr_pairing(chan);
2866 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2869 cancel_delayed_work(&smp->security_timer);
2871 smp_distribute_keys(smp);
2874 static void smp_ready_cb(struct l2cap_chan *chan)
2876 struct l2cap_conn *conn = chan->conn;
2877 struct hci_conn *hcon = conn->hcon;
2879 BT_DBG("chan %p", chan);
2882 l2cap_chan_hold(chan);
2884 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2885 bredr_pairing(chan);
2888 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
2892 BT_DBG("chan %p", chan);
2894 err = smp_sig_channel(chan, skb);
2896 struct smp_chan *smp = chan->data;
2899 cancel_delayed_work_sync(&smp->security_timer);
2901 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
2907 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
2908 unsigned long hdr_len,
2909 unsigned long len, int nb)
2911 struct sk_buff *skb;
2913 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
2915 return ERR_PTR(-ENOMEM);
2917 skb->priority = HCI_PRIO_MAX;
2918 bt_cb(skb)->chan = chan;
2923 static const struct l2cap_ops smp_chan_ops = {
2924 .name = "Security Manager",
2925 .ready = smp_ready_cb,
2926 .recv = smp_recv_cb,
2927 .alloc_skb = smp_alloc_skb_cb,
2928 .teardown = smp_teardown_cb,
2929 .resume = smp_resume_cb,
2931 .new_connection = l2cap_chan_no_new_connection,
2932 .state_change = l2cap_chan_no_state_change,
2933 .close = l2cap_chan_no_close,
2934 .defer = l2cap_chan_no_defer,
2935 .suspend = l2cap_chan_no_suspend,
2936 .set_shutdown = l2cap_chan_no_set_shutdown,
2937 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
2940 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
2942 struct l2cap_chan *chan;
2944 BT_DBG("pchan %p", pchan);
2946 chan = l2cap_chan_create();
2950 chan->chan_type = pchan->chan_type;
2951 chan->ops = &smp_chan_ops;
2952 chan->scid = pchan->scid;
2953 chan->dcid = chan->scid;
2954 chan->imtu = pchan->imtu;
2955 chan->omtu = pchan->omtu;
2956 chan->mode = pchan->mode;
2958 /* Other L2CAP channels may request SMP routines in order to
2959 * change the security level. This means that the SMP channel
2960 * lock must be considered in its own category to avoid lockdep
2963 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
2965 BT_DBG("created chan %p", chan);
2970 static const struct l2cap_ops smp_root_chan_ops = {
2971 .name = "Security Manager Root",
2972 .new_connection = smp_new_conn_cb,
2974 /* None of these are implemented for the root channel */
2975 .close = l2cap_chan_no_close,
2976 .alloc_skb = l2cap_chan_no_alloc_skb,
2977 .recv = l2cap_chan_no_recv,
2978 .state_change = l2cap_chan_no_state_change,
2979 .teardown = l2cap_chan_no_teardown,
2980 .ready = l2cap_chan_no_ready,
2981 .defer = l2cap_chan_no_defer,
2982 .suspend = l2cap_chan_no_suspend,
2983 .resume = l2cap_chan_no_resume,
2984 .set_shutdown = l2cap_chan_no_set_shutdown,
2985 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
2988 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
2990 struct l2cap_chan *chan;
2991 struct smp_dev *smp;
2992 struct crypto_blkcipher *tfm_aes;
2993 struct crypto_hash *tfm_cmac;
2995 if (cid == L2CAP_CID_SMP_BREDR) {
3000 smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3002 return ERR_PTR(-ENOMEM);
3004 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
3005 if (IS_ERR(tfm_aes)) {
3006 BT_ERR("Unable to create ECB crypto context");
3008 return ERR_CAST(tfm_aes);
3011 tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3012 if (IS_ERR(tfm_cmac)) {
3013 BT_ERR("Unable to create CMAC crypto context");
3014 crypto_free_blkcipher(tfm_aes);
3016 return ERR_CAST(tfm_cmac);
3019 smp->tfm_aes = tfm_aes;
3020 smp->tfm_cmac = tfm_cmac;
3023 chan = l2cap_chan_create();
3025 crypto_free_blkcipher(smp->tfm_aes);
3026 crypto_free_hash(smp->tfm_cmac);
3028 return ERR_PTR(-ENOMEM);
3033 l2cap_add_scid(chan, cid);
3035 l2cap_chan_set_defaults(chan);
3037 if (cid == L2CAP_CID_SMP) {
3040 hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3042 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3043 chan->src_type = BDADDR_LE_PUBLIC;
3045 chan->src_type = BDADDR_LE_RANDOM;
3047 bacpy(&chan->src, &hdev->bdaddr);
3048 chan->src_type = BDADDR_BREDR;
3051 chan->state = BT_LISTEN;
3052 chan->mode = L2CAP_MODE_BASIC;
3053 chan->imtu = L2CAP_DEFAULT_MTU;
3054 chan->ops = &smp_root_chan_ops;
3056 /* Set correct nesting level for a parent/listening channel */
3057 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3062 static void smp_del_chan(struct l2cap_chan *chan)
3064 struct smp_dev *smp;
3066 BT_DBG("chan %p", chan);
3072 crypto_free_blkcipher(smp->tfm_aes);
3074 crypto_free_hash(smp->tfm_cmac);
3078 l2cap_chan_put(chan);
3081 static ssize_t force_bredr_smp_read(struct file *file,
3082 char __user *user_buf,
3083 size_t count, loff_t *ppos)
3085 struct hci_dev *hdev = file->private_data;
3088 buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3091 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3094 static ssize_t force_bredr_smp_write(struct file *file,
3095 const char __user *user_buf,
3096 size_t count, loff_t *ppos)
3098 struct hci_dev *hdev = file->private_data;
3100 size_t buf_size = min(count, (sizeof(buf)-1));
3103 if (copy_from_user(buf, user_buf, buf_size))
3106 buf[buf_size] = '\0';
3107 if (strtobool(buf, &enable))
3110 if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3114 struct l2cap_chan *chan;
3116 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3118 return PTR_ERR(chan);
3120 hdev->smp_bredr_data = chan;
3122 struct l2cap_chan *chan;
3124 chan = hdev->smp_bredr_data;
3125 hdev->smp_bredr_data = NULL;
3129 hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3134 static const struct file_operations force_bredr_smp_fops = {
3135 .open = simple_open,
3136 .read = force_bredr_smp_read,
3137 .write = force_bredr_smp_write,
3138 .llseek = default_llseek,
3141 int smp_register(struct hci_dev *hdev)
3143 struct l2cap_chan *chan;
3145 BT_DBG("%s", hdev->name);
3147 /* If the controller does not support Low Energy operation, then
3148 * there is also no need to register any SMP channel.
3150 if (!lmp_le_capable(hdev))
3153 if (WARN_ON(hdev->smp_data)) {
3154 chan = hdev->smp_data;
3155 hdev->smp_data = NULL;
3159 chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3161 return PTR_ERR(chan);
3163 hdev->smp_data = chan;
3165 /* If the controller does not support BR/EDR Secure Connections
3166 * feature, then the BR/EDR SMP channel shall not be present.
3168 * To test this with Bluetooth 4.0 controllers, create a debugfs
3169 * switch that allows forcing BR/EDR SMP support and accepting
3170 * cross-transport pairing on non-AES encrypted connections.
3172 if (!lmp_sc_capable(hdev)) {
3173 debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3174 hdev, &force_bredr_smp_fops);
3178 if (WARN_ON(hdev->smp_bredr_data)) {
3179 chan = hdev->smp_bredr_data;
3180 hdev->smp_bredr_data = NULL;
3184 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3186 int err = PTR_ERR(chan);
3187 chan = hdev->smp_data;
3188 hdev->smp_data = NULL;
3193 hdev->smp_bredr_data = chan;
3198 void smp_unregister(struct hci_dev *hdev)
3200 struct l2cap_chan *chan;
3202 if (hdev->smp_bredr_data) {
3203 chan = hdev->smp_bredr_data;
3204 hdev->smp_bredr_data = NULL;
3208 if (hdev->smp_data) {
3209 chan = hdev->smp_data;
3210 hdev->smp_data = NULL;
3215 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3217 static int __init test_ah(struct crypto_blkcipher *tfm_aes)
3219 const u8 irk[16] = {
3220 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3221 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3222 const u8 r[3] = { 0x94, 0x81, 0x70 };
3223 const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3227 err = smp_ah(tfm_aes, irk, r, res);
3231 if (memcmp(res, exp, 3))
3237 static int __init test_c1(struct crypto_blkcipher *tfm_aes)
3240 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3241 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3243 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3244 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3245 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3246 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3247 const u8 _iat = 0x01;
3248 const u8 _rat = 0x00;
3249 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3250 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3251 const u8 exp[16] = {
3252 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3253 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3257 err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3261 if (memcmp(res, exp, 16))
3267 static int __init test_s1(struct crypto_blkcipher *tfm_aes)
3270 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3271 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3273 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3275 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3276 const u8 exp[16] = {
3277 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3278 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3282 err = smp_s1(tfm_aes, k, r1, r2, res);
3286 if (memcmp(res, exp, 16))
3292 static int __init test_f4(struct crypto_hash *tfm_cmac)
3295 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3296 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3297 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3298 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3300 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3301 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3302 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3303 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3305 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3306 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3308 const u8 exp[16] = {
3309 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3310 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3314 err = smp_f4(tfm_cmac, u, v, x, z, res);
3318 if (memcmp(res, exp, 16))
3324 static int __init test_f5(struct crypto_hash *tfm_cmac)
3327 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3328 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3329 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3330 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3332 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3333 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3335 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3336 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3337 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3338 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3339 const u8 exp_ltk[16] = {
3340 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3341 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3342 const u8 exp_mackey[16] = {
3343 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3344 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3345 u8 mackey[16], ltk[16];
3348 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3352 if (memcmp(mackey, exp_mackey, 16))
3355 if (memcmp(ltk, exp_ltk, 16))
3361 static int __init test_f6(struct crypto_hash *tfm_cmac)
3364 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3365 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3367 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3368 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3370 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3371 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3373 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3374 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3375 const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3376 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3377 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3378 const u8 exp[16] = {
3379 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3380 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3384 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3388 if (memcmp(res, exp, 16))
3394 static int __init test_g2(struct crypto_hash *tfm_cmac)
3397 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3398 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3399 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3400 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3402 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3403 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3404 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3405 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3407 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3408 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3410 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3411 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3412 const u32 exp_val = 0x2f9ed5ba % 1000000;
3416 err = smp_g2(tfm_cmac, u, v, x, y, &val);
3426 static int __init test_h6(struct crypto_hash *tfm_cmac)
3429 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3430 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3431 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3432 const u8 exp[16] = {
3433 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3434 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3438 err = smp_h6(tfm_cmac, w, key_id, res);
3442 if (memcmp(res, exp, 16))
3448 static int __init run_selftests(struct crypto_blkcipher *tfm_aes,
3449 struct crypto_hash *tfm_cmac)
3451 ktime_t calltime, delta, rettime;
3452 unsigned long long duration;
3455 calltime = ktime_get();
3457 err = test_ah(tfm_aes);
3459 BT_ERR("smp_ah test failed");
3463 err = test_c1(tfm_aes);
3465 BT_ERR("smp_c1 test failed");
3469 err = test_s1(tfm_aes);
3471 BT_ERR("smp_s1 test failed");
3475 err = test_f4(tfm_cmac);
3477 BT_ERR("smp_f4 test failed");
3481 err = test_f5(tfm_cmac);
3483 BT_ERR("smp_f5 test failed");
3487 err = test_f6(tfm_cmac);
3489 BT_ERR("smp_f6 test failed");
3493 err = test_g2(tfm_cmac);
3495 BT_ERR("smp_g2 test failed");
3499 err = test_h6(tfm_cmac);
3501 BT_ERR("smp_h6 test failed");
3505 rettime = ktime_get();
3506 delta = ktime_sub(rettime, calltime);
3507 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3509 BT_INFO("SMP test passed in %llu usecs", duration);
3514 int __init bt_selftest_smp(void)
3516 struct crypto_blkcipher *tfm_aes;
3517 struct crypto_hash *tfm_cmac;
3520 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
3521 if (IS_ERR(tfm_aes)) {
3522 BT_ERR("Unable to create ECB crypto context");
3523 return PTR_ERR(tfm_aes);
3526 tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3527 if (IS_ERR(tfm_cmac)) {
3528 BT_ERR("Unable to create CMAC crypto context");
3529 crypto_free_blkcipher(tfm_aes);
3530 return PTR_ERR(tfm_cmac);
3533 err = run_selftests(tfm_aes, tfm_cmac);
3535 crypto_free_hash(tfm_cmac);
3536 crypto_free_blkcipher(tfm_aes);