2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
23 #include <linux/debugfs.h>
24 #include <linux/crypto.h>
25 #include <linux/scatterlist.h>
26 #include <crypto/b128ops.h>
28 #include <net/bluetooth/bluetooth.h>
29 #include <net/bluetooth/hci_core.h>
30 #include <net/bluetooth/l2cap.h>
31 #include <net/bluetooth/mgmt.h>
36 /* Low-level debug macros to be used for stuff that we don't want
37 * accidentially in dmesg, i.e. the values of the various crypto keys
38 * and the inputs & outputs of crypto functions.
41 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
44 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
48 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
50 /* Keys which are not distributed with Secure Connections */
51 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
53 #define SMP_TIMEOUT msecs_to_jiffies(30000)
55 #define AUTH_REQ_MASK(dev) (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
57 #define KEY_DIST_MASK 0x07
59 /* Maximum message length that can be passed to aes_cmac */
60 #define CMAC_MSG_MAX 80
72 SMP_FLAG_DHKEY_PENDING,
77 struct crypto_blkcipher *tfm_aes;
81 struct l2cap_conn *conn;
82 struct delayed_work security_timer;
83 unsigned long allow_cmd; /* Bitmask of allowed commands */
85 u8 preq[7]; /* SMP Pairing Request */
86 u8 prsp[7]; /* SMP Pairing Response */
87 u8 prnd[16]; /* SMP Pairing Random (local) */
88 u8 rrnd[16]; /* SMP Pairing Random (remote) */
89 u8 pcnf[16]; /* SMP Pairing Confirm */
90 u8 tk[16]; /* SMP Temporary Key */
97 struct smp_csrk *csrk;
98 struct smp_csrk *slave_csrk;
100 struct smp_ltk *slave_ltk;
101 struct smp_irk *remote_irk;
107 /* Secure Connections variables */
114 struct crypto_blkcipher *tfm_aes;
115 struct crypto_hash *tfm_cmac;
118 /* These debug key values are defined in the SMP section of the core
119 * specification. debug_pk is the public debug key and debug_sk the
122 static const u8 debug_pk[64] = {
123 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
124 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
125 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
126 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
128 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
129 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
130 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
131 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
134 static const u8 debug_sk[32] = {
135 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
136 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
137 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
138 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
141 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
145 for (i = 0; i < len; i++)
146 dst[len - 1 - i] = src[i];
149 /* The following functions map to the LE SC SMP crypto functions
150 * AES-CMAC, f4, f5, f6, g2 and h6.
153 static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m,
154 size_t len, u8 mac[16])
156 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
157 struct hash_desc desc;
158 struct scatterlist sg;
161 if (len > CMAC_MSG_MAX)
165 BT_ERR("tfm %p", tfm);
172 crypto_hash_init(&desc);
174 /* Swap key and message from LSB to MSB */
175 swap_buf(k, tmp, 16);
176 swap_buf(m, msg_msb, len);
178 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
179 SMP_DBG("key %16phN", k);
181 err = crypto_hash_setkey(tfm, tmp, 16);
183 BT_ERR("cipher setkey failed: %d", err);
187 sg_init_one(&sg, msg_msb, len);
189 err = crypto_hash_update(&desc, &sg, len);
191 BT_ERR("Hash update error %d", err);
195 err = crypto_hash_final(&desc, mac_msb);
197 BT_ERR("Hash final error %d", err);
201 swap_buf(mac_msb, mac, 16);
203 SMP_DBG("mac %16phN", mac);
208 static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
209 const u8 x[16], u8 z, u8 res[16])
214 SMP_DBG("u %32phN", u);
215 SMP_DBG("v %32phN", v);
216 SMP_DBG("x %16phN z %02x", x, z);
219 memcpy(m + 1, v, 32);
220 memcpy(m + 33, u, 32);
222 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
226 SMP_DBG("res %16phN", res);
231 static int smp_f5(struct crypto_hash *tfm_cmac, const u8 w[32],
232 const u8 n1[16], const u8 n2[16], const u8 a1[7],
233 const u8 a2[7], u8 mackey[16], u8 ltk[16])
235 /* The btle, salt and length "magic" values are as defined in
236 * the SMP section of the Bluetooth core specification. In ASCII
237 * the btle value ends up being 'btle'. The salt is just a
238 * random number whereas length is the value 256 in little
241 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
242 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
243 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
244 const u8 length[2] = { 0x00, 0x01 };
248 SMP_DBG("w %32phN", w);
249 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
250 SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
252 err = aes_cmac(tfm_cmac, salt, w, 32, t);
256 SMP_DBG("t %16phN", t);
258 memcpy(m, length, 2);
259 memcpy(m + 2, a2, 7);
260 memcpy(m + 9, a1, 7);
261 memcpy(m + 16, n2, 16);
262 memcpy(m + 32, n1, 16);
263 memcpy(m + 48, btle, 4);
265 m[52] = 0; /* Counter */
267 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
271 SMP_DBG("mackey %16phN", mackey);
273 m[52] = 1; /* Counter */
275 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
279 SMP_DBG("ltk %16phN", ltk);
284 static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16],
285 const u8 n1[16], const u8 n2[16], const u8 r[16],
286 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
292 SMP_DBG("w %16phN", w);
293 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
294 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
297 memcpy(m + 7, a1, 7);
298 memcpy(m + 14, io_cap, 3);
299 memcpy(m + 17, r, 16);
300 memcpy(m + 33, n2, 16);
301 memcpy(m + 49, n1, 16);
303 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
307 SMP_DBG("res %16phN", res);
312 static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
313 const u8 x[16], const u8 y[16], u32 *val)
318 SMP_DBG("u %32phN", u);
319 SMP_DBG("v %32phN", v);
320 SMP_DBG("x %16phN y %16phN", x, y);
323 memcpy(m + 16, v, 32);
324 memcpy(m + 48, u, 32);
326 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
330 *val = get_unaligned_le32(tmp);
333 SMP_DBG("val %06u", *val);
338 static int smp_h6(struct crypto_hash *tfm_cmac, const u8 w[16],
339 const u8 key_id[4], u8 res[16])
343 SMP_DBG("w %16phN key_id %4phN", w, key_id);
345 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
349 SMP_DBG("res %16phN", res);
354 /* The following functions map to the legacy SMP crypto functions e, c1,
358 static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
360 struct blkcipher_desc desc;
361 struct scatterlist sg;
362 uint8_t tmp[16], data[16];
366 BT_ERR("tfm %p", tfm);
373 /* The most significant octet of key corresponds to k[0] */
374 swap_buf(k, tmp, 16);
376 err = crypto_blkcipher_setkey(tfm, tmp, 16);
378 BT_ERR("cipher setkey failed: %d", err);
382 /* Most significant octet of plaintextData corresponds to data[0] */
383 swap_buf(r, data, 16);
385 sg_init_one(&sg, data, 16);
387 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
389 BT_ERR("Encrypt data error %d", err);
391 /* Most significant octet of encryptedData corresponds to data[0] */
392 swap_buf(data, r, 16);
397 static int smp_c1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
398 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
399 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
406 /* p1 = pres || preq || _rat || _iat */
409 memcpy(p1 + 2, preq, 7);
410 memcpy(p1 + 9, pres, 7);
412 /* p2 = padding || ia || ra */
414 memcpy(p2 + 6, ia, 6);
415 memset(p2 + 12, 0, 4);
418 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
420 /* res = e(k, res) */
421 err = smp_e(tfm_aes, k, res);
423 BT_ERR("Encrypt data error");
427 /* res = res XOR p2 */
428 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
430 /* res = e(k, res) */
431 err = smp_e(tfm_aes, k, res);
433 BT_ERR("Encrypt data error");
438 static int smp_s1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
439 const u8 r1[16], const u8 r2[16], u8 _r[16])
443 /* Just least significant octets from r1 and r2 are considered */
445 memcpy(_r + 8, r1, 8);
447 err = smp_e(tfm_aes, k, _r);
449 BT_ERR("Encrypt data error");
454 static int smp_ah(struct crypto_blkcipher *tfm, const u8 irk[16],
455 const u8 r[3], u8 res[3])
460 /* r' = padding || r */
462 memset(_res + 3, 0, 13);
464 err = smp_e(tfm, irk, _res);
466 BT_ERR("Encrypt error");
470 /* The output of the random address function ah is:
471 * ah(h, r) = e(k, r') mod 2^24
472 * The output of the security function e is then truncated to 24 bits
473 * by taking the least significant 24 bits of the output of e as the
476 memcpy(res, _res, 3);
481 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
482 const bdaddr_t *bdaddr)
484 struct l2cap_chan *chan = hdev->smp_data;
489 if (!chan || !chan->data)
494 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
496 err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash);
500 return !memcmp(bdaddr->b, hash, 3);
503 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
505 struct l2cap_chan *chan = hdev->smp_data;
509 if (!chan || !chan->data)
514 get_random_bytes(&rpa->b[3], 3);
516 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
517 rpa->b[5] |= 0x40; /* Set second most significant bit */
519 err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b);
523 BT_DBG("RPA %pMR", rpa);
528 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
530 struct l2cap_chan *chan = conn->smp;
531 struct smp_chan *smp;
538 BT_DBG("code 0x%2.2x", code);
540 iv[0].iov_base = &code;
543 iv[1].iov_base = data;
546 memset(&msg, 0, sizeof(msg));
548 iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
550 l2cap_chan_send(chan, &msg, 1 + len);
557 cancel_delayed_work_sync(&smp->security_timer);
558 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
561 static u8 authreq_to_seclevel(u8 authreq)
563 if (authreq & SMP_AUTH_MITM) {
564 if (authreq & SMP_AUTH_SC)
565 return BT_SECURITY_FIPS;
567 return BT_SECURITY_HIGH;
569 return BT_SECURITY_MEDIUM;
573 static __u8 seclevel_to_authreq(__u8 sec_level)
576 case BT_SECURITY_FIPS:
577 case BT_SECURITY_HIGH:
578 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
579 case BT_SECURITY_MEDIUM:
580 return SMP_AUTH_BONDING;
582 return SMP_AUTH_NONE;
586 static void build_pairing_cmd(struct l2cap_conn *conn,
587 struct smp_cmd_pairing *req,
588 struct smp_cmd_pairing *rsp, __u8 authreq)
590 struct l2cap_chan *chan = conn->smp;
591 struct smp_chan *smp = chan->data;
592 struct hci_conn *hcon = conn->hcon;
593 struct hci_dev *hdev = hcon->hdev;
594 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
596 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
597 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
598 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
599 authreq |= SMP_AUTH_BONDING;
601 authreq &= ~SMP_AUTH_BONDING;
604 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
605 remote_dist |= SMP_DIST_ID_KEY;
607 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
608 local_dist |= SMP_DIST_ID_KEY;
610 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
611 (authreq & SMP_AUTH_SC)) {
612 struct oob_data *oob_data;
615 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
616 local_dist |= SMP_DIST_LINK_KEY;
617 remote_dist |= SMP_DIST_LINK_KEY;
620 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
621 bdaddr_type = BDADDR_LE_PUBLIC;
623 bdaddr_type = BDADDR_LE_RANDOM;
625 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
627 if (oob_data && oob_data->present) {
628 set_bit(SMP_FLAG_OOB, &smp->flags);
629 oob_flag = SMP_OOB_PRESENT;
630 memcpy(smp->rr, oob_data->rand256, 16);
631 memcpy(smp->pcnf, oob_data->hash256, 16);
635 authreq &= ~SMP_AUTH_SC;
639 req->io_capability = conn->hcon->io_capability;
640 req->oob_flag = oob_flag;
641 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
642 req->init_key_dist = local_dist;
643 req->resp_key_dist = remote_dist;
644 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
646 smp->remote_key_dist = remote_dist;
650 rsp->io_capability = conn->hcon->io_capability;
651 rsp->oob_flag = oob_flag;
652 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
653 rsp->init_key_dist = req->init_key_dist & remote_dist;
654 rsp->resp_key_dist = req->resp_key_dist & local_dist;
655 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
657 smp->remote_key_dist = rsp->init_key_dist;
660 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
662 struct l2cap_chan *chan = conn->smp;
663 struct smp_chan *smp = chan->data;
665 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
666 (max_key_size < SMP_MIN_ENC_KEY_SIZE))
667 return SMP_ENC_KEY_SIZE;
669 smp->enc_key_size = max_key_size;
674 static void smp_chan_destroy(struct l2cap_conn *conn)
676 struct l2cap_chan *chan = conn->smp;
677 struct smp_chan *smp = chan->data;
678 struct hci_conn *hcon = conn->hcon;
683 cancel_delayed_work_sync(&smp->security_timer);
685 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
686 mgmt_smp_complete(hcon, complete);
689 kzfree(smp->slave_csrk);
690 kzfree(smp->link_key);
692 crypto_free_blkcipher(smp->tfm_aes);
693 crypto_free_hash(smp->tfm_cmac);
695 /* Ensure that we don't leave any debug key around if debug key
696 * support hasn't been explicitly enabled.
698 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
699 !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
700 list_del_rcu(&smp->ltk->list);
701 kfree_rcu(smp->ltk, rcu);
705 /* If pairing failed clean up any keys we might have */
708 list_del_rcu(&smp->ltk->list);
709 kfree_rcu(smp->ltk, rcu);
712 if (smp->slave_ltk) {
713 list_del_rcu(&smp->slave_ltk->list);
714 kfree_rcu(smp->slave_ltk, rcu);
717 if (smp->remote_irk) {
718 list_del_rcu(&smp->remote_irk->list);
719 kfree_rcu(smp->remote_irk, rcu);
728 static void smp_failure(struct l2cap_conn *conn, u8 reason)
730 struct hci_conn *hcon = conn->hcon;
731 struct l2cap_chan *chan = conn->smp;
734 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
737 clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags);
738 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
741 smp_chan_destroy(conn);
744 #define JUST_WORKS 0x00
745 #define JUST_CFM 0x01
746 #define REQ_PASSKEY 0x02
747 #define CFM_PASSKEY 0x03
749 #define DSP_PASSKEY 0x05
752 static const u8 gen_method[5][5] = {
753 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
754 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
755 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
756 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
757 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
760 static const u8 sc_method[5][5] = {
761 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
762 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
763 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
764 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
765 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
768 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
770 /* If either side has unknown io_caps, use JUST_CFM (which gets
771 * converted later to JUST_WORKS if we're initiators.
773 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
774 remote_io > SMP_IO_KEYBOARD_DISPLAY)
777 if (test_bit(SMP_FLAG_SC, &smp->flags))
778 return sc_method[remote_io][local_io];
780 return gen_method[remote_io][local_io];
783 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
784 u8 local_io, u8 remote_io)
786 struct hci_conn *hcon = conn->hcon;
787 struct l2cap_chan *chan = conn->smp;
788 struct smp_chan *smp = chan->data;
792 /* Initialize key for JUST WORKS */
793 memset(smp->tk, 0, sizeof(smp->tk));
794 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
796 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
798 /* If neither side wants MITM, either "just" confirm an incoming
799 * request or use just-works for outgoing ones. The JUST_CFM
800 * will be converted to JUST_WORKS if necessary later in this
801 * function. If either side has MITM look up the method from the
804 if (!(auth & SMP_AUTH_MITM))
805 smp->method = JUST_CFM;
807 smp->method = get_auth_method(smp, local_io, remote_io);
809 /* Don't confirm locally initiated pairing attempts */
810 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
812 smp->method = JUST_WORKS;
814 /* Don't bother user space with no IO capabilities */
815 if (smp->method == JUST_CFM &&
816 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
817 smp->method = JUST_WORKS;
819 /* If Just Works, Continue with Zero TK */
820 if (smp->method == JUST_WORKS) {
821 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
825 /* Not Just Works/Confirm results in MITM Authentication */
826 if (smp->method != JUST_CFM) {
827 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
828 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
829 hcon->pending_sec_level = BT_SECURITY_HIGH;
832 /* If both devices have Keyoard-Display I/O, the master
833 * Confirms and the slave Enters the passkey.
835 if (smp->method == OVERLAP) {
836 if (hcon->role == HCI_ROLE_MASTER)
837 smp->method = CFM_PASSKEY;
839 smp->method = REQ_PASSKEY;
842 /* Generate random passkey. */
843 if (smp->method == CFM_PASSKEY) {
844 memset(smp->tk, 0, sizeof(smp->tk));
845 get_random_bytes(&passkey, sizeof(passkey));
847 put_unaligned_le32(passkey, smp->tk);
848 BT_DBG("PassKey: %d", passkey);
849 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
852 if (smp->method == REQ_PASSKEY)
853 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
854 hcon->type, hcon->dst_type);
855 else if (smp->method == JUST_CFM)
856 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
857 hcon->type, hcon->dst_type,
860 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
861 hcon->type, hcon->dst_type,
867 static u8 smp_confirm(struct smp_chan *smp)
869 struct l2cap_conn *conn = smp->conn;
870 struct smp_cmd_pairing_confirm cp;
873 BT_DBG("conn %p", conn);
875 ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
876 conn->hcon->init_addr_type, &conn->hcon->init_addr,
877 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
880 return SMP_UNSPECIFIED;
882 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
884 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
887 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
889 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
894 static u8 smp_random(struct smp_chan *smp)
896 struct l2cap_conn *conn = smp->conn;
897 struct hci_conn *hcon = conn->hcon;
901 if (IS_ERR_OR_NULL(smp->tfm_aes))
902 return SMP_UNSPECIFIED;
904 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
906 ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
907 hcon->init_addr_type, &hcon->init_addr,
908 hcon->resp_addr_type, &hcon->resp_addr, confirm);
910 return SMP_UNSPECIFIED;
912 if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
913 BT_ERR("Pairing failed (confirmation values mismatch)");
914 return SMP_CONFIRM_FAILED;
922 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
924 memset(stk + smp->enc_key_size, 0,
925 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
927 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
928 return SMP_UNSPECIFIED;
930 hci_le_start_enc(hcon, ediv, rand, stk);
931 hcon->enc_key_size = smp->enc_key_size;
932 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
938 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
941 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
943 memset(stk + smp->enc_key_size, 0,
944 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
946 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
951 /* Even though there's no _SLAVE suffix this is the
952 * slave STK we're adding for later lookup (the master
953 * STK never needs to be stored).
955 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
956 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
962 static void smp_notify_keys(struct l2cap_conn *conn)
964 struct l2cap_chan *chan = conn->smp;
965 struct smp_chan *smp = chan->data;
966 struct hci_conn *hcon = conn->hcon;
967 struct hci_dev *hdev = hcon->hdev;
968 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
969 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
972 if (smp->remote_irk) {
973 mgmt_new_irk(hdev, smp->remote_irk);
974 /* Now that user space can be considered to know the
975 * identity address track the connection based on it
976 * from now on (assuming this is an LE link).
978 if (hcon->type == LE_LINK) {
979 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
980 hcon->dst_type = smp->remote_irk->addr_type;
981 queue_work(hdev->workqueue, &conn->id_addr_update_work);
984 /* When receiving an indentity resolving key for
985 * a remote device that does not use a resolvable
986 * private address, just remove the key so that
987 * it is possible to use the controller white
990 * Userspace will have been told to not store
991 * this key at this point. So it is safe to
994 if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) {
995 list_del_rcu(&smp->remote_irk->list);
996 kfree_rcu(smp->remote_irk, rcu);
997 smp->remote_irk = NULL;
1001 if (hcon->type == ACL_LINK) {
1002 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1005 persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1008 /* The LTKs and CSRKs should be persistent only if both sides
1009 * had the bonding bit set in their authentication requests.
1011 persistent = !!((req->auth_req & rsp->auth_req) &
1017 smp->csrk->bdaddr_type = hcon->dst_type;
1018 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1019 mgmt_new_csrk(hdev, smp->csrk, persistent);
1022 if (smp->slave_csrk) {
1023 smp->slave_csrk->bdaddr_type = hcon->dst_type;
1024 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1025 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1029 smp->ltk->bdaddr_type = hcon->dst_type;
1030 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1031 mgmt_new_ltk(hdev, smp->ltk, persistent);
1034 if (smp->slave_ltk) {
1035 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1036 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1037 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1040 if (smp->link_key) {
1041 struct link_key *key;
1044 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1045 type = HCI_LK_DEBUG_COMBINATION;
1046 else if (hcon->sec_level == BT_SECURITY_FIPS)
1047 type = HCI_LK_AUTH_COMBINATION_P256;
1049 type = HCI_LK_UNAUTH_COMBINATION_P256;
1051 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1052 smp->link_key, type, 0, &persistent);
1054 mgmt_new_link_key(hdev, key, persistent);
1056 /* Don't keep debug keys around if the relevant
1059 if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1060 key->type == HCI_LK_DEBUG_COMBINATION) {
1061 list_del_rcu(&key->list);
1062 kfree_rcu(key, rcu);
1068 static void sc_add_ltk(struct smp_chan *smp)
1070 struct hci_conn *hcon = smp->conn->hcon;
1073 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1074 key_type = SMP_LTK_P256_DEBUG;
1076 key_type = SMP_LTK_P256;
1078 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1083 memset(smp->tk + smp->enc_key_size, 0,
1084 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
1086 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1087 key_type, auth, smp->tk, smp->enc_key_size,
1091 static void sc_generate_link_key(struct smp_chan *smp)
1093 /* These constants are as specified in the core specification.
1094 * In ASCII they spell out to 'tmp1' and 'lebr'.
1096 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1097 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1099 smp->link_key = kzalloc(16, GFP_KERNEL);
1103 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1104 kzfree(smp->link_key);
1105 smp->link_key = NULL;
1109 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1110 kzfree(smp->link_key);
1111 smp->link_key = NULL;
1116 static void smp_allow_key_dist(struct smp_chan *smp)
1118 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1119 * will be allowed in each PDU handler to ensure we receive
1120 * them in the correct order.
1122 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1123 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1124 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1125 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1126 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1127 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1130 static void sc_generate_ltk(struct smp_chan *smp)
1132 /* These constants are as specified in the core specification.
1133 * In ASCII they spell out to 'tmp2' and 'brle'.
1135 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1136 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1137 struct hci_conn *hcon = smp->conn->hcon;
1138 struct hci_dev *hdev = hcon->hdev;
1139 struct link_key *key;
1141 key = hci_find_link_key(hdev, &hcon->dst);
1143 BT_ERR("%s No Link Key found to generate LTK", hdev->name);
1147 if (key->type == HCI_LK_DEBUG_COMBINATION)
1148 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1150 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1153 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1159 static void smp_distribute_keys(struct smp_chan *smp)
1161 struct smp_cmd_pairing *req, *rsp;
1162 struct l2cap_conn *conn = smp->conn;
1163 struct hci_conn *hcon = conn->hcon;
1164 struct hci_dev *hdev = hcon->hdev;
1167 BT_DBG("conn %p", conn);
1169 rsp = (void *) &smp->prsp[1];
1171 /* The responder sends its keys first */
1172 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1173 smp_allow_key_dist(smp);
1177 req = (void *) &smp->preq[1];
1180 keydist = &rsp->init_key_dist;
1181 *keydist &= req->init_key_dist;
1183 keydist = &rsp->resp_key_dist;
1184 *keydist &= req->resp_key_dist;
1187 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1188 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1189 sc_generate_link_key(smp);
1190 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1191 sc_generate_ltk(smp);
1193 /* Clear the keys which are generated but not distributed */
1194 *keydist &= ~SMP_SC_NO_DIST;
1197 BT_DBG("keydist 0x%x", *keydist);
1199 if (*keydist & SMP_DIST_ENC_KEY) {
1200 struct smp_cmd_encrypt_info enc;
1201 struct smp_cmd_master_ident ident;
1202 struct smp_ltk *ltk;
1207 get_random_bytes(enc.ltk, sizeof(enc.ltk));
1208 get_random_bytes(&ediv, sizeof(ediv));
1209 get_random_bytes(&rand, sizeof(rand));
1211 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1213 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1214 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1215 SMP_LTK_SLAVE, authenticated, enc.ltk,
1216 smp->enc_key_size, ediv, rand);
1217 smp->slave_ltk = ltk;
1222 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1224 *keydist &= ~SMP_DIST_ENC_KEY;
1227 if (*keydist & SMP_DIST_ID_KEY) {
1228 struct smp_cmd_ident_addr_info addrinfo;
1229 struct smp_cmd_ident_info idinfo;
1231 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1233 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1235 /* The hci_conn contains the local identity address
1236 * after the connection has been established.
1238 * This is true even when the connection has been
1239 * established using a resolvable random address.
1241 bacpy(&addrinfo.bdaddr, &hcon->src);
1242 addrinfo.addr_type = hcon->src_type;
1244 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1247 *keydist &= ~SMP_DIST_ID_KEY;
1250 if (*keydist & SMP_DIST_SIGN) {
1251 struct smp_cmd_sign_info sign;
1252 struct smp_csrk *csrk;
1254 /* Generate a new random key */
1255 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1257 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1259 if (hcon->sec_level > BT_SECURITY_MEDIUM)
1260 csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1262 csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1263 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1265 smp->slave_csrk = csrk;
1267 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1269 *keydist &= ~SMP_DIST_SIGN;
1272 /* If there are still keys to be received wait for them */
1273 if (smp->remote_key_dist & KEY_DIST_MASK) {
1274 smp_allow_key_dist(smp);
1278 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1279 smp_notify_keys(conn);
1281 smp_chan_destroy(conn);
1284 static void smp_timeout(struct work_struct *work)
1286 struct smp_chan *smp = container_of(work, struct smp_chan,
1287 security_timer.work);
1288 struct l2cap_conn *conn = smp->conn;
1290 BT_DBG("conn %p", conn);
1292 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1295 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1297 struct l2cap_chan *chan = conn->smp;
1298 struct smp_chan *smp;
1300 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1304 smp->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
1305 if (IS_ERR(smp->tfm_aes)) {
1306 BT_ERR("Unable to create ECB crypto context");
1311 smp->tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
1312 if (IS_ERR(smp->tfm_cmac)) {
1313 BT_ERR("Unable to create CMAC crypto context");
1314 crypto_free_blkcipher(smp->tfm_aes);
1322 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1324 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1326 hci_conn_hold(conn->hcon);
1331 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1333 struct hci_conn *hcon = smp->conn->hcon;
1334 u8 *na, *nb, a[7], b[7];
1344 memcpy(a, &hcon->init_addr, 6);
1345 memcpy(b, &hcon->resp_addr, 6);
1346 a[6] = hcon->init_addr_type;
1347 b[6] = hcon->resp_addr_type;
1349 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1352 static void sc_dhkey_check(struct smp_chan *smp)
1354 struct hci_conn *hcon = smp->conn->hcon;
1355 struct smp_cmd_dhkey_check check;
1356 u8 a[7], b[7], *local_addr, *remote_addr;
1357 u8 io_cap[3], r[16];
1359 memcpy(a, &hcon->init_addr, 6);
1360 memcpy(b, &hcon->resp_addr, 6);
1361 a[6] = hcon->init_addr_type;
1362 b[6] = hcon->resp_addr_type;
1367 memcpy(io_cap, &smp->preq[1], 3);
1371 memcpy(io_cap, &smp->prsp[1], 3);
1374 memset(r, 0, sizeof(r));
1376 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1377 put_unaligned_le32(hcon->passkey_notify, r);
1379 if (smp->method == REQ_OOB)
1380 memcpy(r, smp->rr, 16);
1382 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1383 local_addr, remote_addr, check.e);
1385 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1388 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1390 struct l2cap_conn *conn = smp->conn;
1391 struct hci_conn *hcon = conn->hcon;
1392 struct smp_cmd_pairing_confirm cfm;
1395 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1398 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1400 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1402 return SMP_UNSPECIFIED;
1404 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1409 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1411 struct l2cap_conn *conn = smp->conn;
1412 struct hci_conn *hcon = conn->hcon;
1413 struct hci_dev *hdev = hcon->hdev;
1416 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1417 if (smp->passkey_round >= 20)
1421 case SMP_CMD_PAIRING_RANDOM:
1422 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1425 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1427 return SMP_UNSPECIFIED;
1429 if (memcmp(smp->pcnf, cfm, 16))
1430 return SMP_CONFIRM_FAILED;
1432 smp->passkey_round++;
1434 if (smp->passkey_round == 20) {
1435 /* Generate MacKey and LTK */
1436 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1437 return SMP_UNSPECIFIED;
1440 /* The round is only complete when the initiator
1441 * receives pairing random.
1444 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1445 sizeof(smp->prnd), smp->prnd);
1446 if (smp->passkey_round == 20)
1447 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1449 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1453 /* Start the next round */
1454 if (smp->passkey_round != 20)
1455 return sc_passkey_round(smp, 0);
1457 /* Passkey rounds are complete - start DHKey Check */
1458 sc_dhkey_check(smp);
1459 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1463 case SMP_CMD_PAIRING_CONFIRM:
1464 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1465 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1469 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1472 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1473 sizeof(smp->prnd), smp->prnd);
1477 return sc_passkey_send_confirm(smp);
1479 case SMP_CMD_PUBLIC_KEY:
1481 /* Initiating device starts the round */
1485 BT_DBG("%s Starting passkey round %u", hdev->name,
1486 smp->passkey_round + 1);
1488 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1490 return sc_passkey_send_confirm(smp);
1496 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1498 struct l2cap_conn *conn = smp->conn;
1499 struct hci_conn *hcon = conn->hcon;
1502 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1505 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1506 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1508 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1509 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1511 case MGMT_OP_USER_PASSKEY_REPLY:
1512 hcon->passkey_notify = le32_to_cpu(passkey);
1513 smp->passkey_round = 0;
1515 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1516 smp_op = SMP_CMD_PAIRING_CONFIRM;
1520 if (sc_passkey_round(smp, smp_op))
1526 /* Initiator sends DHKey check first */
1528 sc_dhkey_check(smp);
1529 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1530 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1531 sc_dhkey_check(smp);
1538 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1540 struct l2cap_conn *conn = hcon->l2cap_data;
1541 struct l2cap_chan *chan;
1542 struct smp_chan *smp;
1555 l2cap_chan_lock(chan);
1563 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1564 err = sc_user_reply(smp, mgmt_op, passkey);
1569 case MGMT_OP_USER_PASSKEY_REPLY:
1570 value = le32_to_cpu(passkey);
1571 memset(smp->tk, 0, sizeof(smp->tk));
1572 BT_DBG("PassKey: %d", value);
1573 put_unaligned_le32(value, smp->tk);
1575 case MGMT_OP_USER_CONFIRM_REPLY:
1576 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1578 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1579 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1580 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1584 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1591 /* If it is our turn to send Pairing Confirm, do so now */
1592 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1593 u8 rsp = smp_confirm(smp);
1595 smp_failure(conn, rsp);
1599 l2cap_chan_unlock(chan);
1603 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1604 struct smp_cmd_pairing *req,
1605 struct smp_cmd_pairing *rsp)
1607 struct l2cap_conn *conn = smp->conn;
1608 struct hci_dev *hdev = conn->hcon->hdev;
1609 u8 local_dist = 0, remote_dist = 0;
1611 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1612 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1613 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1616 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1617 remote_dist |= SMP_DIST_ID_KEY;
1619 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1620 local_dist |= SMP_DIST_ID_KEY;
1623 memset(req, 0, sizeof(*req));
1625 req->init_key_dist = local_dist;
1626 req->resp_key_dist = remote_dist;
1627 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1629 smp->remote_key_dist = remote_dist;
1634 memset(rsp, 0, sizeof(*rsp));
1636 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1637 rsp->init_key_dist = req->init_key_dist & remote_dist;
1638 rsp->resp_key_dist = req->resp_key_dist & local_dist;
1640 smp->remote_key_dist = rsp->init_key_dist;
1643 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1645 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1646 struct l2cap_chan *chan = conn->smp;
1647 struct hci_dev *hdev = conn->hcon->hdev;
1648 struct smp_chan *smp;
1649 u8 key_size, auth, sec_level;
1652 BT_DBG("conn %p", conn);
1654 if (skb->len < sizeof(*req))
1655 return SMP_INVALID_PARAMS;
1657 if (conn->hcon->role != HCI_ROLE_SLAVE)
1658 return SMP_CMD_NOTSUPP;
1661 smp = smp_chan_create(conn);
1666 return SMP_UNSPECIFIED;
1668 /* We didn't start the pairing, so match remote */
1669 auth = req->auth_req & AUTH_REQ_MASK(hdev);
1671 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1672 (auth & SMP_AUTH_BONDING))
1673 return SMP_PAIRING_NOTSUPP;
1675 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1676 return SMP_AUTH_REQUIREMENTS;
1678 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1679 memcpy(&smp->preq[1], req, sizeof(*req));
1680 skb_pull(skb, sizeof(*req));
1682 /* SMP over BR/EDR requires special treatment */
1683 if (conn->hcon->type == ACL_LINK) {
1684 /* We must have a BR/EDR SC link */
1685 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1686 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1687 return SMP_CROSS_TRANSP_NOT_ALLOWED;
1689 set_bit(SMP_FLAG_SC, &smp->flags);
1691 build_bredr_pairing_cmd(smp, req, &rsp);
1693 key_size = min(req->max_key_size, rsp.max_key_size);
1694 if (check_enc_key_size(conn, key_size))
1695 return SMP_ENC_KEY_SIZE;
1697 /* Clear bits which are generated but not distributed */
1698 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1700 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1701 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1702 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1704 smp_distribute_keys(smp);
1708 build_pairing_cmd(conn, req, &rsp, auth);
1710 if (rsp.auth_req & SMP_AUTH_SC)
1711 set_bit(SMP_FLAG_SC, &smp->flags);
1713 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1714 sec_level = BT_SECURITY_MEDIUM;
1716 sec_level = authreq_to_seclevel(auth);
1718 if (sec_level > conn->hcon->pending_sec_level)
1719 conn->hcon->pending_sec_level = sec_level;
1721 /* If we need MITM check that it can be achieved */
1722 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1725 method = get_auth_method(smp, conn->hcon->io_capability,
1726 req->io_capability);
1727 if (method == JUST_WORKS || method == JUST_CFM)
1728 return SMP_AUTH_REQUIREMENTS;
1731 key_size = min(req->max_key_size, rsp.max_key_size);
1732 if (check_enc_key_size(conn, key_size))
1733 return SMP_ENC_KEY_SIZE;
1735 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1737 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1738 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1740 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1742 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1744 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1745 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1746 /* Clear bits which are generated but not distributed */
1747 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1748 /* Wait for Public Key from Initiating Device */
1752 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1754 /* Request setup of TK */
1755 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1757 return SMP_UNSPECIFIED;
1762 static u8 sc_send_public_key(struct smp_chan *smp)
1764 struct hci_dev *hdev = smp->conn->hcon->hdev;
1768 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1769 BT_DBG("Using debug keys");
1770 memcpy(smp->local_pk, debug_pk, 64);
1771 memcpy(smp->local_sk, debug_sk, 32);
1772 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1775 /* Generate local key pair for Secure Connections */
1776 if (!ecc_make_key(smp->local_pk, smp->local_sk))
1777 return SMP_UNSPECIFIED;
1779 /* This is unlikely, but we need to check that
1780 * we didn't accidentially generate a debug key.
1782 if (memcmp(smp->local_sk, debug_sk, 32))
1787 SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1788 SMP_DBG("Local Public Key Y: %32phN", &smp->local_pk[32]);
1789 SMP_DBG("Local Private Key: %32phN", smp->local_sk);
1791 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1796 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1798 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1799 struct l2cap_chan *chan = conn->smp;
1800 struct smp_chan *smp = chan->data;
1801 struct hci_dev *hdev = conn->hcon->hdev;
1805 BT_DBG("conn %p", conn);
1807 if (skb->len < sizeof(*rsp))
1808 return SMP_INVALID_PARAMS;
1810 if (conn->hcon->role != HCI_ROLE_MASTER)
1811 return SMP_CMD_NOTSUPP;
1813 skb_pull(skb, sizeof(*rsp));
1815 req = (void *) &smp->preq[1];
1817 key_size = min(req->max_key_size, rsp->max_key_size);
1818 if (check_enc_key_size(conn, key_size))
1819 return SMP_ENC_KEY_SIZE;
1821 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1823 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1824 return SMP_AUTH_REQUIREMENTS;
1826 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1827 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1829 /* Update remote key distribution in case the remote cleared
1830 * some bits that we had enabled in our request.
1832 smp->remote_key_dist &= rsp->resp_key_dist;
1834 /* For BR/EDR this means we're done and can start phase 3 */
1835 if (conn->hcon->type == ACL_LINK) {
1836 /* Clear bits which are generated but not distributed */
1837 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1838 smp_distribute_keys(smp);
1842 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1843 set_bit(SMP_FLAG_SC, &smp->flags);
1844 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1845 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1847 /* If we need MITM check that it can be achieved */
1848 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1851 method = get_auth_method(smp, req->io_capability,
1852 rsp->io_capability);
1853 if (method == JUST_WORKS || method == JUST_CFM)
1854 return SMP_AUTH_REQUIREMENTS;
1857 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1859 /* Update remote key distribution in case the remote cleared
1860 * some bits that we had enabled in our request.
1862 smp->remote_key_dist &= rsp->resp_key_dist;
1864 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1865 /* Clear bits which are generated but not distributed */
1866 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1867 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1868 return sc_send_public_key(smp);
1871 auth |= req->auth_req;
1873 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
1875 return SMP_UNSPECIFIED;
1877 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1879 /* Can't compose response until we have been confirmed */
1880 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1881 return smp_confirm(smp);
1886 static u8 sc_check_confirm(struct smp_chan *smp)
1888 struct l2cap_conn *conn = smp->conn;
1892 /* Public Key exchange must happen before any other steps */
1893 if (!test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
1894 return SMP_UNSPECIFIED;
1896 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1897 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
1899 if (conn->hcon->out) {
1900 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1902 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1908 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
1910 struct l2cap_chan *chan = conn->smp;
1911 struct smp_chan *smp = chan->data;
1913 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
1915 if (skb->len < sizeof(smp->pcnf))
1916 return SMP_INVALID_PARAMS;
1918 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
1919 skb_pull(skb, sizeof(smp->pcnf));
1921 if (test_bit(SMP_FLAG_SC, &smp->flags))
1922 return sc_check_confirm(smp);
1924 if (conn->hcon->out) {
1925 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1927 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1931 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1932 return smp_confirm(smp);
1934 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1939 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
1941 struct l2cap_chan *chan = conn->smp;
1942 struct smp_chan *smp = chan->data;
1943 struct hci_conn *hcon = conn->hcon;
1944 u8 *pkax, *pkbx, *na, *nb;
1948 BT_DBG("conn %p", conn);
1950 if (skb->len < sizeof(smp->rrnd))
1951 return SMP_INVALID_PARAMS;
1953 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
1954 skb_pull(skb, sizeof(smp->rrnd));
1956 if (!test_bit(SMP_FLAG_SC, &smp->flags))
1957 return smp_random(smp);
1960 pkax = smp->local_pk;
1961 pkbx = smp->remote_pk;
1965 pkax = smp->remote_pk;
1966 pkbx = smp->local_pk;
1971 if (smp->method == REQ_OOB) {
1973 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1974 sizeof(smp->prnd), smp->prnd);
1975 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1976 goto mackey_and_ltk;
1979 /* Passkey entry has special treatment */
1980 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1981 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
1986 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1989 return SMP_UNSPECIFIED;
1991 if (memcmp(smp->pcnf, cfm, 16))
1992 return SMP_CONFIRM_FAILED;
1994 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1996 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2000 /* Generate MacKey and LTK */
2001 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2003 return SMP_UNSPECIFIED;
2005 if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2007 sc_dhkey_check(smp);
2008 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2013 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2015 return SMP_UNSPECIFIED;
2017 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2018 hcon->dst_type, passkey, 0);
2020 return SMP_UNSPECIFIED;
2022 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2027 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2029 struct smp_ltk *key;
2030 struct hci_conn *hcon = conn->hcon;
2032 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2036 if (smp_ltk_sec_level(key) < sec_level)
2039 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2042 hci_le_start_enc(hcon, key->ediv, key->rand, key->val);
2043 hcon->enc_key_size = key->enc_size;
2045 /* We never store STKs for master role, so clear this flag */
2046 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2051 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2052 enum smp_key_pref key_pref)
2054 if (sec_level == BT_SECURITY_LOW)
2057 /* If we're encrypted with an STK but the caller prefers using
2058 * LTK claim insufficient security. This way we allow the
2059 * connection to be re-encrypted with an LTK, even if the LTK
2060 * provides the same level of security. Only exception is if we
2061 * don't have an LTK (e.g. because of key distribution bits).
2063 if (key_pref == SMP_USE_LTK &&
2064 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2065 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2068 if (hcon->sec_level >= sec_level)
2074 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2076 struct smp_cmd_security_req *rp = (void *) skb->data;
2077 struct smp_cmd_pairing cp;
2078 struct hci_conn *hcon = conn->hcon;
2079 struct hci_dev *hdev = hcon->hdev;
2080 struct smp_chan *smp;
2083 BT_DBG("conn %p", conn);
2085 if (skb->len < sizeof(*rp))
2086 return SMP_INVALID_PARAMS;
2088 if (hcon->role != HCI_ROLE_MASTER)
2089 return SMP_CMD_NOTSUPP;
2091 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2093 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2094 return SMP_AUTH_REQUIREMENTS;
2096 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2097 sec_level = BT_SECURITY_MEDIUM;
2099 sec_level = authreq_to_seclevel(auth);
2101 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2104 if (sec_level > hcon->pending_sec_level)
2105 hcon->pending_sec_level = sec_level;
2107 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2110 smp = smp_chan_create(conn);
2112 return SMP_UNSPECIFIED;
2114 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2115 (auth & SMP_AUTH_BONDING))
2116 return SMP_PAIRING_NOTSUPP;
2118 skb_pull(skb, sizeof(*rp));
2120 memset(&cp, 0, sizeof(cp));
2121 build_pairing_cmd(conn, &cp, NULL, auth);
2123 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2124 memcpy(&smp->preq[1], &cp, sizeof(cp));
2126 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2127 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2132 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2134 struct l2cap_conn *conn = hcon->l2cap_data;
2135 struct l2cap_chan *chan;
2136 struct smp_chan *smp;
2140 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2142 /* This may be NULL if there's an unexpected disconnection */
2148 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2151 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2154 if (sec_level > hcon->pending_sec_level)
2155 hcon->pending_sec_level = sec_level;
2157 if (hcon->role == HCI_ROLE_MASTER)
2158 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2161 l2cap_chan_lock(chan);
2163 /* If SMP is already in progress ignore this request */
2169 smp = smp_chan_create(conn);
2175 authreq = seclevel_to_authreq(sec_level);
2177 if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED))
2178 authreq |= SMP_AUTH_SC;
2180 /* Require MITM if IO Capability allows or the security level
2183 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2184 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2185 authreq |= SMP_AUTH_MITM;
2187 if (hcon->role == HCI_ROLE_MASTER) {
2188 struct smp_cmd_pairing cp;
2190 build_pairing_cmd(conn, &cp, NULL, authreq);
2191 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2192 memcpy(&smp->preq[1], &cp, sizeof(cp));
2194 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2195 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2197 struct smp_cmd_security_req cp;
2198 cp.auth_req = authreq;
2199 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2200 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2203 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2207 l2cap_chan_unlock(chan);
2211 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2213 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2214 struct l2cap_chan *chan = conn->smp;
2215 struct smp_chan *smp = chan->data;
2217 BT_DBG("conn %p", conn);
2219 if (skb->len < sizeof(*rp))
2220 return SMP_INVALID_PARAMS;
2222 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2224 skb_pull(skb, sizeof(*rp));
2226 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2231 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2233 struct smp_cmd_master_ident *rp = (void *) skb->data;
2234 struct l2cap_chan *chan = conn->smp;
2235 struct smp_chan *smp = chan->data;
2236 struct hci_dev *hdev = conn->hcon->hdev;
2237 struct hci_conn *hcon = conn->hcon;
2238 struct smp_ltk *ltk;
2241 BT_DBG("conn %p", conn);
2243 if (skb->len < sizeof(*rp))
2244 return SMP_INVALID_PARAMS;
2246 /* Mark the information as received */
2247 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2249 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2250 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2251 else if (smp->remote_key_dist & SMP_DIST_SIGN)
2252 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2254 skb_pull(skb, sizeof(*rp));
2256 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2257 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2258 authenticated, smp->tk, smp->enc_key_size,
2259 rp->ediv, rp->rand);
2261 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2262 smp_distribute_keys(smp);
2267 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2269 struct smp_cmd_ident_info *info = (void *) skb->data;
2270 struct l2cap_chan *chan = conn->smp;
2271 struct smp_chan *smp = chan->data;
2275 if (skb->len < sizeof(*info))
2276 return SMP_INVALID_PARAMS;
2278 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2280 skb_pull(skb, sizeof(*info));
2282 memcpy(smp->irk, info->irk, 16);
2287 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2288 struct sk_buff *skb)
2290 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2291 struct l2cap_chan *chan = conn->smp;
2292 struct smp_chan *smp = chan->data;
2293 struct hci_conn *hcon = conn->hcon;
2298 if (skb->len < sizeof(*info))
2299 return SMP_INVALID_PARAMS;
2301 /* Mark the information as received */
2302 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2304 if (smp->remote_key_dist & SMP_DIST_SIGN)
2305 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2307 skb_pull(skb, sizeof(*info));
2309 /* Strictly speaking the Core Specification (4.1) allows sending
2310 * an empty address which would force us to rely on just the IRK
2311 * as "identity information". However, since such
2312 * implementations are not known of and in order to not over
2313 * complicate our implementation, simply pretend that we never
2314 * received an IRK for such a device.
2316 * The Identity Address must also be a Static Random or Public
2317 * Address, which hci_is_identity_address() checks for.
2319 if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2320 !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2321 BT_ERR("Ignoring IRK with no identity address");
2325 bacpy(&smp->id_addr, &info->bdaddr);
2326 smp->id_addr_type = info->addr_type;
2328 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2329 bacpy(&rpa, &hcon->dst);
2331 bacpy(&rpa, BDADDR_ANY);
2333 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2334 smp->id_addr_type, smp->irk, &rpa);
2337 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2338 smp_distribute_keys(smp);
2343 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2345 struct smp_cmd_sign_info *rp = (void *) skb->data;
2346 struct l2cap_chan *chan = conn->smp;
2347 struct smp_chan *smp = chan->data;
2348 struct smp_csrk *csrk;
2350 BT_DBG("conn %p", conn);
2352 if (skb->len < sizeof(*rp))
2353 return SMP_INVALID_PARAMS;
2355 /* Mark the information as received */
2356 smp->remote_key_dist &= ~SMP_DIST_SIGN;
2358 skb_pull(skb, sizeof(*rp));
2360 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2362 if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2363 csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2365 csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2366 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2369 smp_distribute_keys(smp);
2374 static u8 sc_select_method(struct smp_chan *smp)
2376 struct l2cap_conn *conn = smp->conn;
2377 struct hci_conn *hcon = conn->hcon;
2378 struct smp_cmd_pairing *local, *remote;
2379 u8 local_mitm, remote_mitm, local_io, remote_io, method;
2381 if (test_bit(SMP_FLAG_OOB, &smp->flags))
2384 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2385 * which are needed as inputs to some crypto functions. To get
2386 * the "struct smp_cmd_pairing" from them we need to skip the
2387 * first byte which contains the opcode.
2390 local = (void *) &smp->preq[1];
2391 remote = (void *) &smp->prsp[1];
2393 local = (void *) &smp->prsp[1];
2394 remote = (void *) &smp->preq[1];
2397 local_io = local->io_capability;
2398 remote_io = remote->io_capability;
2400 local_mitm = (local->auth_req & SMP_AUTH_MITM);
2401 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2403 /* If either side wants MITM, look up the method from the table,
2404 * otherwise use JUST WORKS.
2406 if (local_mitm || remote_mitm)
2407 method = get_auth_method(smp, local_io, remote_io);
2409 method = JUST_WORKS;
2411 /* Don't confirm locally initiated pairing attempts */
2412 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2413 method = JUST_WORKS;
2418 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2420 struct smp_cmd_public_key *key = (void *) skb->data;
2421 struct hci_conn *hcon = conn->hcon;
2422 struct l2cap_chan *chan = conn->smp;
2423 struct smp_chan *smp = chan->data;
2424 struct hci_dev *hdev = hcon->hdev;
2425 struct smp_cmd_pairing_confirm cfm;
2428 BT_DBG("conn %p", conn);
2430 if (skb->len < sizeof(*key))
2431 return SMP_INVALID_PARAMS;
2433 memcpy(smp->remote_pk, key, 64);
2435 /* Non-initiating device sends its public key after receiving
2436 * the key from the initiating device.
2439 err = sc_send_public_key(smp);
2444 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2445 SMP_DBG("Remote Public Key Y: %32phN", &smp->remote_pk[32]);
2447 if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2448 return SMP_UNSPECIFIED;
2450 SMP_DBG("DHKey %32phN", smp->dhkey);
2452 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2454 smp->method = sc_select_method(smp);
2456 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2458 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2459 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2460 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2462 hcon->pending_sec_level = BT_SECURITY_FIPS;
2464 if (!memcmp(debug_pk, smp->remote_pk, 64))
2465 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2467 if (smp->method == DSP_PASSKEY) {
2468 get_random_bytes(&hcon->passkey_notify,
2469 sizeof(hcon->passkey_notify));
2470 hcon->passkey_notify %= 1000000;
2471 hcon->passkey_entered = 0;
2472 smp->passkey_round = 0;
2473 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2475 hcon->passkey_notify,
2476 hcon->passkey_entered))
2477 return SMP_UNSPECIFIED;
2478 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2479 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2482 if (smp->method == REQ_OOB) {
2483 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2484 smp->rr, 0, cfm.confirm_val);
2486 return SMP_UNSPECIFIED;
2488 if (memcmp(cfm.confirm_val, smp->pcnf, 16))
2489 return SMP_CONFIRM_FAILED;
2492 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2493 sizeof(smp->prnd), smp->prnd);
2495 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2501 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2503 if (smp->method == REQ_PASSKEY) {
2504 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2506 return SMP_UNSPECIFIED;
2507 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2508 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2512 /* The Initiating device waits for the non-initiating device to
2513 * send the confirm value.
2515 if (conn->hcon->out)
2518 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2519 0, cfm.confirm_val);
2521 return SMP_UNSPECIFIED;
2523 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2524 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2529 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2531 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2532 struct l2cap_chan *chan = conn->smp;
2533 struct hci_conn *hcon = conn->hcon;
2534 struct smp_chan *smp = chan->data;
2535 u8 a[7], b[7], *local_addr, *remote_addr;
2536 u8 io_cap[3], r[16], e[16];
2539 BT_DBG("conn %p", conn);
2541 if (skb->len < sizeof(*check))
2542 return SMP_INVALID_PARAMS;
2544 memcpy(a, &hcon->init_addr, 6);
2545 memcpy(b, &hcon->resp_addr, 6);
2546 a[6] = hcon->init_addr_type;
2547 b[6] = hcon->resp_addr_type;
2552 memcpy(io_cap, &smp->prsp[1], 3);
2556 memcpy(io_cap, &smp->preq[1], 3);
2559 memset(r, 0, sizeof(r));
2561 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2562 put_unaligned_le32(hcon->passkey_notify, r);
2564 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2565 io_cap, remote_addr, local_addr, e);
2567 return SMP_UNSPECIFIED;
2569 if (memcmp(check->e, e, 16))
2570 return SMP_DHKEY_CHECK_FAILED;
2573 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2574 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2578 /* Slave sends DHKey check as response to master */
2579 sc_dhkey_check(smp);
2585 hci_le_start_enc(hcon, 0, 0, smp->tk);
2586 hcon->enc_key_size = smp->enc_key_size;
2592 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2593 struct sk_buff *skb)
2595 struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2597 BT_DBG("value 0x%02x", kp->value);
2602 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2604 struct l2cap_conn *conn = chan->conn;
2605 struct hci_conn *hcon = conn->hcon;
2606 struct smp_chan *smp;
2613 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2614 reason = SMP_PAIRING_NOTSUPP;
2618 code = skb->data[0];
2619 skb_pull(skb, sizeof(code));
2623 if (code > SMP_CMD_MAX)
2626 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2629 /* If we don't have a context the only allowed commands are
2630 * pairing request and security request.
2632 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2636 case SMP_CMD_PAIRING_REQ:
2637 reason = smp_cmd_pairing_req(conn, skb);
2640 case SMP_CMD_PAIRING_FAIL:
2641 smp_failure(conn, 0);
2645 case SMP_CMD_PAIRING_RSP:
2646 reason = smp_cmd_pairing_rsp(conn, skb);
2649 case SMP_CMD_SECURITY_REQ:
2650 reason = smp_cmd_security_req(conn, skb);
2653 case SMP_CMD_PAIRING_CONFIRM:
2654 reason = smp_cmd_pairing_confirm(conn, skb);
2657 case SMP_CMD_PAIRING_RANDOM:
2658 reason = smp_cmd_pairing_random(conn, skb);
2661 case SMP_CMD_ENCRYPT_INFO:
2662 reason = smp_cmd_encrypt_info(conn, skb);
2665 case SMP_CMD_MASTER_IDENT:
2666 reason = smp_cmd_master_ident(conn, skb);
2669 case SMP_CMD_IDENT_INFO:
2670 reason = smp_cmd_ident_info(conn, skb);
2673 case SMP_CMD_IDENT_ADDR_INFO:
2674 reason = smp_cmd_ident_addr_info(conn, skb);
2677 case SMP_CMD_SIGN_INFO:
2678 reason = smp_cmd_sign_info(conn, skb);
2681 case SMP_CMD_PUBLIC_KEY:
2682 reason = smp_cmd_public_key(conn, skb);
2685 case SMP_CMD_DHKEY_CHECK:
2686 reason = smp_cmd_dhkey_check(conn, skb);
2689 case SMP_CMD_KEYPRESS_NOTIFY:
2690 reason = smp_cmd_keypress_notify(conn, skb);
2694 BT_DBG("Unknown command code 0x%2.2x", code);
2695 reason = SMP_CMD_NOTSUPP;
2702 smp_failure(conn, reason);
2709 BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2715 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2717 struct l2cap_conn *conn = chan->conn;
2719 BT_DBG("chan %p", chan);
2722 smp_chan_destroy(conn);
2725 l2cap_chan_put(chan);
2728 static void bredr_pairing(struct l2cap_chan *chan)
2730 struct l2cap_conn *conn = chan->conn;
2731 struct hci_conn *hcon = conn->hcon;
2732 struct hci_dev *hdev = hcon->hdev;
2733 struct smp_cmd_pairing req;
2734 struct smp_chan *smp;
2736 BT_DBG("chan %p", chan);
2738 /* Only new pairings are interesting */
2739 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2742 /* Don't bother if we're not encrypted */
2743 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2746 /* Only master may initiate SMP over BR/EDR */
2747 if (hcon->role != HCI_ROLE_MASTER)
2750 /* Secure Connections support must be enabled */
2751 if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
2754 /* BR/EDR must use Secure Connections for SMP */
2755 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
2756 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
2759 /* If our LE support is not enabled don't do anything */
2760 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
2763 /* Don't bother if remote LE support is not enabled */
2764 if (!lmp_host_le_capable(hcon))
2767 /* Remote must support SMP fixed chan for BR/EDR */
2768 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
2771 /* Don't bother if SMP is already ongoing */
2775 smp = smp_chan_create(conn);
2777 BT_ERR("%s unable to create SMP context for BR/EDR",
2782 set_bit(SMP_FLAG_SC, &smp->flags);
2784 BT_DBG("%s starting SMP over BR/EDR", hdev->name);
2786 /* Prepare and send the BR/EDR SMP Pairing Request */
2787 build_bredr_pairing_cmd(smp, &req, NULL);
2789 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2790 memcpy(&smp->preq[1], &req, sizeof(req));
2792 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
2793 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2796 static void smp_resume_cb(struct l2cap_chan *chan)
2798 struct smp_chan *smp = chan->data;
2799 struct l2cap_conn *conn = chan->conn;
2800 struct hci_conn *hcon = conn->hcon;
2802 BT_DBG("chan %p", chan);
2804 if (hcon->type == ACL_LINK) {
2805 bredr_pairing(chan);
2812 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2815 cancel_delayed_work(&smp->security_timer);
2817 smp_distribute_keys(smp);
2820 static void smp_ready_cb(struct l2cap_chan *chan)
2822 struct l2cap_conn *conn = chan->conn;
2823 struct hci_conn *hcon = conn->hcon;
2825 BT_DBG("chan %p", chan);
2828 l2cap_chan_hold(chan);
2830 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2831 bredr_pairing(chan);
2834 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
2838 BT_DBG("chan %p", chan);
2840 err = smp_sig_channel(chan, skb);
2842 struct smp_chan *smp = chan->data;
2845 cancel_delayed_work_sync(&smp->security_timer);
2847 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
2853 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
2854 unsigned long hdr_len,
2855 unsigned long len, int nb)
2857 struct sk_buff *skb;
2859 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
2861 return ERR_PTR(-ENOMEM);
2863 skb->priority = HCI_PRIO_MAX;
2864 bt_cb(skb)->chan = chan;
2869 static const struct l2cap_ops smp_chan_ops = {
2870 .name = "Security Manager",
2871 .ready = smp_ready_cb,
2872 .recv = smp_recv_cb,
2873 .alloc_skb = smp_alloc_skb_cb,
2874 .teardown = smp_teardown_cb,
2875 .resume = smp_resume_cb,
2877 .new_connection = l2cap_chan_no_new_connection,
2878 .state_change = l2cap_chan_no_state_change,
2879 .close = l2cap_chan_no_close,
2880 .defer = l2cap_chan_no_defer,
2881 .suspend = l2cap_chan_no_suspend,
2882 .set_shutdown = l2cap_chan_no_set_shutdown,
2883 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
2886 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
2888 struct l2cap_chan *chan;
2890 BT_DBG("pchan %p", pchan);
2892 chan = l2cap_chan_create();
2896 chan->chan_type = pchan->chan_type;
2897 chan->ops = &smp_chan_ops;
2898 chan->scid = pchan->scid;
2899 chan->dcid = chan->scid;
2900 chan->imtu = pchan->imtu;
2901 chan->omtu = pchan->omtu;
2902 chan->mode = pchan->mode;
2904 /* Other L2CAP channels may request SMP routines in order to
2905 * change the security level. This means that the SMP channel
2906 * lock must be considered in its own category to avoid lockdep
2909 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
2911 BT_DBG("created chan %p", chan);
2916 static const struct l2cap_ops smp_root_chan_ops = {
2917 .name = "Security Manager Root",
2918 .new_connection = smp_new_conn_cb,
2920 /* None of these are implemented for the root channel */
2921 .close = l2cap_chan_no_close,
2922 .alloc_skb = l2cap_chan_no_alloc_skb,
2923 .recv = l2cap_chan_no_recv,
2924 .state_change = l2cap_chan_no_state_change,
2925 .teardown = l2cap_chan_no_teardown,
2926 .ready = l2cap_chan_no_ready,
2927 .defer = l2cap_chan_no_defer,
2928 .suspend = l2cap_chan_no_suspend,
2929 .resume = l2cap_chan_no_resume,
2930 .set_shutdown = l2cap_chan_no_set_shutdown,
2931 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
2934 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
2936 struct l2cap_chan *chan;
2937 struct smp_dev *smp;
2938 struct crypto_blkcipher *tfm_aes;
2940 if (cid == L2CAP_CID_SMP_BREDR) {
2945 smp = kzalloc(sizeof(*smp), GFP_KERNEL);
2947 return ERR_PTR(-ENOMEM);
2949 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
2950 if (IS_ERR(tfm_aes)) {
2951 BT_ERR("Unable to create ECB crypto context");
2953 return ERR_CAST(tfm_aes);
2956 smp->tfm_aes = tfm_aes;
2959 chan = l2cap_chan_create();
2961 crypto_free_blkcipher(smp->tfm_aes);
2963 return ERR_PTR(-ENOMEM);
2968 l2cap_add_scid(chan, cid);
2970 l2cap_chan_set_defaults(chan);
2972 if (cid == L2CAP_CID_SMP) {
2975 hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
2977 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
2978 chan->src_type = BDADDR_LE_PUBLIC;
2980 chan->src_type = BDADDR_LE_RANDOM;
2982 bacpy(&chan->src, &hdev->bdaddr);
2983 chan->src_type = BDADDR_BREDR;
2986 chan->state = BT_LISTEN;
2987 chan->mode = L2CAP_MODE_BASIC;
2988 chan->imtu = L2CAP_DEFAULT_MTU;
2989 chan->ops = &smp_root_chan_ops;
2991 /* Set correct nesting level for a parent/listening channel */
2992 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
2997 static void smp_del_chan(struct l2cap_chan *chan)
2999 struct smp_dev *smp;
3001 BT_DBG("chan %p", chan);
3007 crypto_free_blkcipher(smp->tfm_aes);
3011 l2cap_chan_put(chan);
3014 static ssize_t force_bredr_smp_read(struct file *file,
3015 char __user *user_buf,
3016 size_t count, loff_t *ppos)
3018 struct hci_dev *hdev = file->private_data;
3021 buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3024 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3027 static ssize_t force_bredr_smp_write(struct file *file,
3028 const char __user *user_buf,
3029 size_t count, loff_t *ppos)
3031 struct hci_dev *hdev = file->private_data;
3033 size_t buf_size = min(count, (sizeof(buf)-1));
3036 if (copy_from_user(buf, user_buf, buf_size))
3039 buf[buf_size] = '\0';
3040 if (strtobool(buf, &enable))
3043 if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3047 struct l2cap_chan *chan;
3049 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3051 return PTR_ERR(chan);
3053 hdev->smp_bredr_data = chan;
3055 struct l2cap_chan *chan;
3057 chan = hdev->smp_bredr_data;
3058 hdev->smp_bredr_data = NULL;
3062 hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3067 static const struct file_operations force_bredr_smp_fops = {
3068 .open = simple_open,
3069 .read = force_bredr_smp_read,
3070 .write = force_bredr_smp_write,
3071 .llseek = default_llseek,
3074 int smp_register(struct hci_dev *hdev)
3076 struct l2cap_chan *chan;
3078 BT_DBG("%s", hdev->name);
3080 /* If the controller does not support Low Energy operation, then
3081 * there is also no need to register any SMP channel.
3083 if (!lmp_le_capable(hdev))
3086 if (WARN_ON(hdev->smp_data)) {
3087 chan = hdev->smp_data;
3088 hdev->smp_data = NULL;
3092 chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3094 return PTR_ERR(chan);
3096 hdev->smp_data = chan;
3098 /* If the controller does not support BR/EDR Secure Connections
3099 * feature, then the BR/EDR SMP channel shall not be present.
3101 * To test this with Bluetooth 4.0 controllers, create a debugfs
3102 * switch that allows forcing BR/EDR SMP support and accepting
3103 * cross-transport pairing on non-AES encrypted connections.
3105 if (!lmp_sc_capable(hdev)) {
3106 debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3107 hdev, &force_bredr_smp_fops);
3111 if (WARN_ON(hdev->smp_bredr_data)) {
3112 chan = hdev->smp_bredr_data;
3113 hdev->smp_bredr_data = NULL;
3117 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3119 int err = PTR_ERR(chan);
3120 chan = hdev->smp_data;
3121 hdev->smp_data = NULL;
3126 hdev->smp_bredr_data = chan;
3131 void smp_unregister(struct hci_dev *hdev)
3133 struct l2cap_chan *chan;
3135 if (hdev->smp_bredr_data) {
3136 chan = hdev->smp_bredr_data;
3137 hdev->smp_bredr_data = NULL;
3141 if (hdev->smp_data) {
3142 chan = hdev->smp_data;
3143 hdev->smp_data = NULL;
3148 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3150 static int __init test_ah(struct crypto_blkcipher *tfm_aes)
3152 const u8 irk[16] = {
3153 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3154 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3155 const u8 r[3] = { 0x94, 0x81, 0x70 };
3156 const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3160 err = smp_ah(tfm_aes, irk, r, res);
3164 if (memcmp(res, exp, 3))
3170 static int __init test_c1(struct crypto_blkcipher *tfm_aes)
3173 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3174 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3176 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3177 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3178 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3179 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3180 const u8 _iat = 0x01;
3181 const u8 _rat = 0x00;
3182 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3183 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3184 const u8 exp[16] = {
3185 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3186 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3190 err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3194 if (memcmp(res, exp, 16))
3200 static int __init test_s1(struct crypto_blkcipher *tfm_aes)
3203 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3204 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3206 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3208 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3209 const u8 exp[16] = {
3210 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3211 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3215 err = smp_s1(tfm_aes, k, r1, r2, res);
3219 if (memcmp(res, exp, 16))
3225 static int __init test_f4(struct crypto_hash *tfm_cmac)
3228 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3229 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3230 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3231 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3233 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3234 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3235 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3236 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3238 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3239 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3241 const u8 exp[16] = {
3242 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3243 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3247 err = smp_f4(tfm_cmac, u, v, x, z, res);
3251 if (memcmp(res, exp, 16))
3257 static int __init test_f5(struct crypto_hash *tfm_cmac)
3260 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3261 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3262 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3263 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3265 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3266 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3268 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3269 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3270 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3271 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3272 const u8 exp_ltk[16] = {
3273 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3274 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3275 const u8 exp_mackey[16] = {
3276 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3277 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3278 u8 mackey[16], ltk[16];
3281 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3285 if (memcmp(mackey, exp_mackey, 16))
3288 if (memcmp(ltk, exp_ltk, 16))
3294 static int __init test_f6(struct crypto_hash *tfm_cmac)
3297 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3298 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3300 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3301 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3303 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3304 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3306 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3307 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3308 const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3309 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3310 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3311 const u8 exp[16] = {
3312 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3313 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3317 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3321 if (memcmp(res, exp, 16))
3327 static int __init test_g2(struct crypto_hash *tfm_cmac)
3330 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3331 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3332 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3333 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3335 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3336 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3337 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3338 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3340 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3341 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3343 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3344 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3345 const u32 exp_val = 0x2f9ed5ba % 1000000;
3349 err = smp_g2(tfm_cmac, u, v, x, y, &val);
3359 static int __init test_h6(struct crypto_hash *tfm_cmac)
3362 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3363 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3364 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3365 const u8 exp[16] = {
3366 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3367 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3371 err = smp_h6(tfm_cmac, w, key_id, res);
3375 if (memcmp(res, exp, 16))
3381 static int __init run_selftests(struct crypto_blkcipher *tfm_aes,
3382 struct crypto_hash *tfm_cmac)
3384 ktime_t calltime, delta, rettime;
3385 unsigned long long duration;
3388 calltime = ktime_get();
3390 err = test_ah(tfm_aes);
3392 BT_ERR("smp_ah test failed");
3396 err = test_c1(tfm_aes);
3398 BT_ERR("smp_c1 test failed");
3402 err = test_s1(tfm_aes);
3404 BT_ERR("smp_s1 test failed");
3408 err = test_f4(tfm_cmac);
3410 BT_ERR("smp_f4 test failed");
3414 err = test_f5(tfm_cmac);
3416 BT_ERR("smp_f5 test failed");
3420 err = test_f6(tfm_cmac);
3422 BT_ERR("smp_f6 test failed");
3426 err = test_g2(tfm_cmac);
3428 BT_ERR("smp_g2 test failed");
3432 err = test_h6(tfm_cmac);
3434 BT_ERR("smp_h6 test failed");
3438 rettime = ktime_get();
3439 delta = ktime_sub(rettime, calltime);
3440 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3442 BT_INFO("SMP test passed in %llu usecs", duration);
3447 int __init bt_selftest_smp(void)
3449 struct crypto_blkcipher *tfm_aes;
3450 struct crypto_hash *tfm_cmac;
3453 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
3454 if (IS_ERR(tfm_aes)) {
3455 BT_ERR("Unable to create ECB crypto context");
3456 return PTR_ERR(tfm_aes);
3459 tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3460 if (IS_ERR(tfm_cmac)) {
3461 BT_ERR("Unable to create CMAC crypto context");
3462 crypto_free_blkcipher(tfm_aes);
3463 return PTR_ERR(tfm_cmac);
3466 err = run_selftests(tfm_aes, tfm_cmac);
3468 crypto_free_hash(tfm_cmac);
3469 crypto_free_blkcipher(tfm_aes);