2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
23 #include <linux/debugfs.h>
24 #include <linux/crypto.h>
25 #include <linux/scatterlist.h>
26 #include <crypto/b128ops.h>
28 #include <net/bluetooth/bluetooth.h>
29 #include <net/bluetooth/hci_core.h>
30 #include <net/bluetooth/l2cap.h>
31 #include <net/bluetooth/mgmt.h>
36 /* Low-level debug macros to be used for stuff that we don't want
37 * accidentially in dmesg, i.e. the values of the various crypto keys
38 * and the inputs & outputs of crypto functions.
41 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
44 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
48 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
50 /* Keys which are not distributed with Secure Connections */
51 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
53 #define SMP_TIMEOUT msecs_to_jiffies(30000)
55 #define AUTH_REQ_MASK(dev) (test_bit(HCI_SC_ENABLED, &(dev)->dev_flags) ? \
57 #define KEY_DIST_MASK 0x07
59 /* Maximum message length that can be passed to aes_cmac */
60 #define CMAC_MSG_MAX 80
72 SMP_FLAG_DHKEY_PENDING,
77 struct l2cap_conn *conn;
78 struct delayed_work security_timer;
79 unsigned long allow_cmd; /* Bitmask of allowed commands */
81 u8 preq[7]; /* SMP Pairing Request */
82 u8 prsp[7]; /* SMP Pairing Response */
83 u8 prnd[16]; /* SMP Pairing Random (local) */
84 u8 rrnd[16]; /* SMP Pairing Random (remote) */
85 u8 pcnf[16]; /* SMP Pairing Confirm */
86 u8 tk[16]; /* SMP Temporary Key */
93 struct smp_csrk *csrk;
94 struct smp_csrk *slave_csrk;
96 struct smp_ltk *slave_ltk;
97 struct smp_irk *remote_irk;
103 /* Secure Connections variables */
110 struct crypto_blkcipher *tfm_aes;
111 struct crypto_hash *tfm_cmac;
114 /* These debug key values are defined in the SMP section of the core
115 * specification. debug_pk is the public debug key and debug_sk the
118 static const u8 debug_pk[64] = {
119 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
120 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
121 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
122 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
124 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
125 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
126 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
127 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
130 static const u8 debug_sk[32] = {
131 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
132 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
133 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
134 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
137 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
141 for (i = 0; i < len; i++)
142 dst[len - 1 - i] = src[i];
145 /* The following functions map to the LE SC SMP crypto functions
146 * AES-CMAC, f4, f5, f6, g2 and h6.
149 static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m,
150 size_t len, u8 mac[16])
152 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
153 struct hash_desc desc;
154 struct scatterlist sg;
157 if (len > CMAC_MSG_MAX)
161 BT_ERR("tfm %p", tfm);
168 crypto_hash_init(&desc);
170 /* Swap key and message from LSB to MSB */
171 swap_buf(k, tmp, 16);
172 swap_buf(m, msg_msb, len);
174 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
175 SMP_DBG("key %16phN", k);
177 err = crypto_hash_setkey(tfm, tmp, 16);
179 BT_ERR("cipher setkey failed: %d", err);
183 sg_init_one(&sg, msg_msb, len);
185 err = crypto_hash_update(&desc, &sg, len);
187 BT_ERR("Hash update error %d", err);
191 err = crypto_hash_final(&desc, mac_msb);
193 BT_ERR("Hash final error %d", err);
197 swap_buf(mac_msb, mac, 16);
199 SMP_DBG("mac %16phN", mac);
204 static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
205 const u8 x[16], u8 z, u8 res[16])
210 SMP_DBG("u %32phN", u);
211 SMP_DBG("v %32phN", v);
212 SMP_DBG("x %16phN z %02x", x, z);
215 memcpy(m + 1, v, 32);
216 memcpy(m + 33, u, 32);
218 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
222 SMP_DBG("res %16phN", res);
227 static int smp_f5(struct crypto_hash *tfm_cmac, const u8 w[32],
228 const u8 n1[16], const u8 n2[16], const u8 a1[7],
229 const u8 a2[7], u8 mackey[16], u8 ltk[16])
231 /* The btle, salt and length "magic" values are as defined in
232 * the SMP section of the Bluetooth core specification. In ASCII
233 * the btle value ends up being 'btle'. The salt is just a
234 * random number whereas length is the value 256 in little
237 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
238 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
239 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
240 const u8 length[2] = { 0x00, 0x01 };
244 SMP_DBG("w %32phN", w);
245 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
246 SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
248 err = aes_cmac(tfm_cmac, salt, w, 32, t);
252 SMP_DBG("t %16phN", t);
254 memcpy(m, length, 2);
255 memcpy(m + 2, a2, 7);
256 memcpy(m + 9, a1, 7);
257 memcpy(m + 16, n2, 16);
258 memcpy(m + 32, n1, 16);
259 memcpy(m + 48, btle, 4);
261 m[52] = 0; /* Counter */
263 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
267 SMP_DBG("mackey %16phN", mackey);
269 m[52] = 1; /* Counter */
271 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
275 SMP_DBG("ltk %16phN", ltk);
280 static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16],
281 const u8 n1[16], const u8 n2[16], const u8 r[16],
282 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
288 SMP_DBG("w %16phN", w);
289 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
290 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
293 memcpy(m + 7, a1, 7);
294 memcpy(m + 14, io_cap, 3);
295 memcpy(m + 17, r, 16);
296 memcpy(m + 33, n2, 16);
297 memcpy(m + 49, n1, 16);
299 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
303 SMP_DBG("res %16phN", res);
308 static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
309 const u8 x[16], const u8 y[16], u32 *val)
314 SMP_DBG("u %32phN", u);
315 SMP_DBG("v %32phN", v);
316 SMP_DBG("x %16phN y %16phN", x, y);
319 memcpy(m + 16, v, 32);
320 memcpy(m + 48, u, 32);
322 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
326 *val = get_unaligned_le32(tmp);
329 SMP_DBG("val %06u", *val);
334 static int smp_h6(struct crypto_hash *tfm_cmac, const u8 w[16],
335 const u8 key_id[4], u8 res[16])
339 SMP_DBG("w %16phN key_id %4phN", w, key_id);
341 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
345 SMP_DBG("res %16phN", res);
350 /* The following functions map to the legacy SMP crypto functions e, c1,
354 static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
356 struct blkcipher_desc desc;
357 struct scatterlist sg;
358 uint8_t tmp[16], data[16];
362 BT_ERR("tfm %p", tfm);
369 /* The most significant octet of key corresponds to k[0] */
370 swap_buf(k, tmp, 16);
372 err = crypto_blkcipher_setkey(tfm, tmp, 16);
374 BT_ERR("cipher setkey failed: %d", err);
378 /* Most significant octet of plaintextData corresponds to data[0] */
379 swap_buf(r, data, 16);
381 sg_init_one(&sg, data, 16);
383 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
385 BT_ERR("Encrypt data error %d", err);
387 /* Most significant octet of encryptedData corresponds to data[0] */
388 swap_buf(data, r, 16);
393 static int smp_c1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
394 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
395 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
402 /* p1 = pres || preq || _rat || _iat */
405 memcpy(p1 + 2, preq, 7);
406 memcpy(p1 + 9, pres, 7);
408 /* p2 = padding || ia || ra */
410 memcpy(p2 + 6, ia, 6);
411 memset(p2 + 12, 0, 4);
414 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
416 /* res = e(k, res) */
417 err = smp_e(tfm_aes, k, res);
419 BT_ERR("Encrypt data error");
423 /* res = res XOR p2 */
424 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
426 /* res = e(k, res) */
427 err = smp_e(tfm_aes, k, res);
429 BT_ERR("Encrypt data error");
434 static int smp_s1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
435 const u8 r1[16], const u8 r2[16], u8 _r[16])
439 /* Just least significant octets from r1 and r2 are considered */
441 memcpy(_r + 8, r1, 8);
443 err = smp_e(tfm_aes, k, _r);
445 BT_ERR("Encrypt data error");
450 static int smp_ah(struct crypto_blkcipher *tfm, const u8 irk[16],
451 const u8 r[3], u8 res[3])
456 /* r' = padding || r */
458 memset(_res + 3, 0, 13);
460 err = smp_e(tfm, irk, _res);
462 BT_ERR("Encrypt error");
466 /* The output of the random address function ah is:
467 * ah(h, r) = e(k, r') mod 2^24
468 * The output of the security function e is then truncated to 24 bits
469 * by taking the least significant 24 bits of the output of e as the
472 memcpy(res, _res, 3);
477 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
478 const bdaddr_t *bdaddr)
480 struct l2cap_chan *chan = hdev->smp_data;
481 struct crypto_blkcipher *tfm;
485 if (!chan || !chan->data)
490 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
492 err = smp_ah(tfm, irk, &bdaddr->b[3], hash);
496 return !memcmp(bdaddr->b, hash, 3);
499 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
501 struct l2cap_chan *chan = hdev->smp_data;
502 struct crypto_blkcipher *tfm;
505 if (!chan || !chan->data)
510 get_random_bytes(&rpa->b[3], 3);
512 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
513 rpa->b[5] |= 0x40; /* Set second most significant bit */
515 err = smp_ah(tfm, irk, &rpa->b[3], rpa->b);
519 BT_DBG("RPA %pMR", rpa);
524 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
526 struct l2cap_chan *chan = conn->smp;
527 struct smp_chan *smp;
534 BT_DBG("code 0x%2.2x", code);
536 iv[0].iov_base = &code;
539 iv[1].iov_base = data;
542 memset(&msg, 0, sizeof(msg));
544 iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
546 l2cap_chan_send(chan, &msg, 1 + len);
553 cancel_delayed_work_sync(&smp->security_timer);
554 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
557 static u8 authreq_to_seclevel(u8 authreq)
559 if (authreq & SMP_AUTH_MITM) {
560 if (authreq & SMP_AUTH_SC)
561 return BT_SECURITY_FIPS;
563 return BT_SECURITY_HIGH;
565 return BT_SECURITY_MEDIUM;
569 static __u8 seclevel_to_authreq(__u8 sec_level)
572 case BT_SECURITY_FIPS:
573 case BT_SECURITY_HIGH:
574 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
575 case BT_SECURITY_MEDIUM:
576 return SMP_AUTH_BONDING;
578 return SMP_AUTH_NONE;
582 static void build_pairing_cmd(struct l2cap_conn *conn,
583 struct smp_cmd_pairing *req,
584 struct smp_cmd_pairing *rsp, __u8 authreq)
586 struct l2cap_chan *chan = conn->smp;
587 struct smp_chan *smp = chan->data;
588 struct hci_conn *hcon = conn->hcon;
589 struct hci_dev *hdev = hcon->hdev;
590 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
592 if (test_bit(HCI_BONDABLE, &conn->hcon->hdev->dev_flags)) {
593 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
594 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
595 authreq |= SMP_AUTH_BONDING;
597 authreq &= ~SMP_AUTH_BONDING;
600 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
601 remote_dist |= SMP_DIST_ID_KEY;
603 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
604 local_dist |= SMP_DIST_ID_KEY;
606 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags) &&
607 (authreq & SMP_AUTH_SC)) {
608 struct oob_data *oob_data;
611 if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
612 local_dist |= SMP_DIST_LINK_KEY;
613 remote_dist |= SMP_DIST_LINK_KEY;
616 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
617 bdaddr_type = BDADDR_LE_PUBLIC;
619 bdaddr_type = BDADDR_LE_RANDOM;
621 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
623 if (oob_data && oob_data->present) {
624 set_bit(SMP_FLAG_OOB, &smp->flags);
625 oob_flag = SMP_OOB_PRESENT;
626 memcpy(smp->rr, oob_data->rand256, 16);
627 memcpy(smp->pcnf, oob_data->hash256, 16);
631 authreq &= ~SMP_AUTH_SC;
635 req->io_capability = conn->hcon->io_capability;
636 req->oob_flag = oob_flag;
637 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
638 req->init_key_dist = local_dist;
639 req->resp_key_dist = remote_dist;
640 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
642 smp->remote_key_dist = remote_dist;
646 rsp->io_capability = conn->hcon->io_capability;
647 rsp->oob_flag = oob_flag;
648 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
649 rsp->init_key_dist = req->init_key_dist & remote_dist;
650 rsp->resp_key_dist = req->resp_key_dist & local_dist;
651 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
653 smp->remote_key_dist = rsp->init_key_dist;
656 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
658 struct l2cap_chan *chan = conn->smp;
659 struct smp_chan *smp = chan->data;
661 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
662 (max_key_size < SMP_MIN_ENC_KEY_SIZE))
663 return SMP_ENC_KEY_SIZE;
665 smp->enc_key_size = max_key_size;
670 static void smp_chan_destroy(struct l2cap_conn *conn)
672 struct l2cap_chan *chan = conn->smp;
673 struct smp_chan *smp = chan->data;
674 struct hci_conn *hcon = conn->hcon;
679 cancel_delayed_work_sync(&smp->security_timer);
681 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
682 mgmt_smp_complete(hcon, complete);
685 kfree(smp->slave_csrk);
686 kfree(smp->link_key);
688 crypto_free_blkcipher(smp->tfm_aes);
689 crypto_free_hash(smp->tfm_cmac);
691 /* Ensure that we don't leave any debug key around if debug key
692 * support hasn't been explicitly enabled.
694 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
695 !test_bit(HCI_KEEP_DEBUG_KEYS, &hcon->hdev->dev_flags)) {
696 list_del_rcu(&smp->ltk->list);
697 kfree_rcu(smp->ltk, rcu);
701 /* If pairing failed clean up any keys we might have */
704 list_del_rcu(&smp->ltk->list);
705 kfree_rcu(smp->ltk, rcu);
708 if (smp->slave_ltk) {
709 list_del_rcu(&smp->slave_ltk->list);
710 kfree_rcu(smp->slave_ltk, rcu);
713 if (smp->remote_irk) {
714 list_del_rcu(&smp->remote_irk->list);
715 kfree_rcu(smp->remote_irk, rcu);
724 static void smp_failure(struct l2cap_conn *conn, u8 reason)
726 struct hci_conn *hcon = conn->hcon;
727 struct l2cap_chan *chan = conn->smp;
730 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
733 clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags);
734 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
737 smp_chan_destroy(conn);
740 #define JUST_WORKS 0x00
741 #define JUST_CFM 0x01
742 #define REQ_PASSKEY 0x02
743 #define CFM_PASSKEY 0x03
745 #define DSP_PASSKEY 0x05
748 static const u8 gen_method[5][5] = {
749 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
750 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
751 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
752 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
753 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
756 static const u8 sc_method[5][5] = {
757 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
758 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
759 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
760 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
761 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
764 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
766 /* If either side has unknown io_caps, use JUST_CFM (which gets
767 * converted later to JUST_WORKS if we're initiators.
769 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
770 remote_io > SMP_IO_KEYBOARD_DISPLAY)
773 if (test_bit(SMP_FLAG_SC, &smp->flags))
774 return sc_method[remote_io][local_io];
776 return gen_method[remote_io][local_io];
779 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
780 u8 local_io, u8 remote_io)
782 struct hci_conn *hcon = conn->hcon;
783 struct l2cap_chan *chan = conn->smp;
784 struct smp_chan *smp = chan->data;
788 /* Initialize key for JUST WORKS */
789 memset(smp->tk, 0, sizeof(smp->tk));
790 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
792 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
794 /* If neither side wants MITM, either "just" confirm an incoming
795 * request or use just-works for outgoing ones. The JUST_CFM
796 * will be converted to JUST_WORKS if necessary later in this
797 * function. If either side has MITM look up the method from the
800 if (!(auth & SMP_AUTH_MITM))
801 smp->method = JUST_CFM;
803 smp->method = get_auth_method(smp, local_io, remote_io);
805 /* Don't confirm locally initiated pairing attempts */
806 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
808 smp->method = JUST_WORKS;
810 /* Don't bother user space with no IO capabilities */
811 if (smp->method == JUST_CFM &&
812 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
813 smp->method = JUST_WORKS;
815 /* If Just Works, Continue with Zero TK */
816 if (smp->method == JUST_WORKS) {
817 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
821 /* Not Just Works/Confirm results in MITM Authentication */
822 if (smp->method != JUST_CFM) {
823 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
824 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
825 hcon->pending_sec_level = BT_SECURITY_HIGH;
828 /* If both devices have Keyoard-Display I/O, the master
829 * Confirms and the slave Enters the passkey.
831 if (smp->method == OVERLAP) {
832 if (hcon->role == HCI_ROLE_MASTER)
833 smp->method = CFM_PASSKEY;
835 smp->method = REQ_PASSKEY;
838 /* Generate random passkey. */
839 if (smp->method == CFM_PASSKEY) {
840 memset(smp->tk, 0, sizeof(smp->tk));
841 get_random_bytes(&passkey, sizeof(passkey));
843 put_unaligned_le32(passkey, smp->tk);
844 BT_DBG("PassKey: %d", passkey);
845 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
848 if (smp->method == REQ_PASSKEY)
849 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
850 hcon->type, hcon->dst_type);
851 else if (smp->method == JUST_CFM)
852 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
853 hcon->type, hcon->dst_type,
856 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
857 hcon->type, hcon->dst_type,
863 static u8 smp_confirm(struct smp_chan *smp)
865 struct l2cap_conn *conn = smp->conn;
866 struct smp_cmd_pairing_confirm cp;
869 BT_DBG("conn %p", conn);
871 ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
872 conn->hcon->init_addr_type, &conn->hcon->init_addr,
873 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
876 return SMP_UNSPECIFIED;
878 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
880 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
883 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
885 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
890 static u8 smp_random(struct smp_chan *smp)
892 struct l2cap_conn *conn = smp->conn;
893 struct hci_conn *hcon = conn->hcon;
897 if (IS_ERR_OR_NULL(smp->tfm_aes))
898 return SMP_UNSPECIFIED;
900 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
902 ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
903 hcon->init_addr_type, &hcon->init_addr,
904 hcon->resp_addr_type, &hcon->resp_addr, confirm);
906 return SMP_UNSPECIFIED;
908 if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
909 BT_ERR("Pairing failed (confirmation values mismatch)");
910 return SMP_CONFIRM_FAILED;
918 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
920 memset(stk + smp->enc_key_size, 0,
921 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
923 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
924 return SMP_UNSPECIFIED;
926 hci_le_start_enc(hcon, ediv, rand, stk);
927 hcon->enc_key_size = smp->enc_key_size;
928 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
934 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
937 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
939 memset(stk + smp->enc_key_size, 0,
940 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
942 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
947 /* Even though there's no _SLAVE suffix this is the
948 * slave STK we're adding for later lookup (the master
949 * STK never needs to be stored).
951 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
952 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
958 static void smp_notify_keys(struct l2cap_conn *conn)
960 struct l2cap_chan *chan = conn->smp;
961 struct smp_chan *smp = chan->data;
962 struct hci_conn *hcon = conn->hcon;
963 struct hci_dev *hdev = hcon->hdev;
964 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
965 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
968 if (smp->remote_irk) {
969 mgmt_new_irk(hdev, smp->remote_irk);
970 /* Now that user space can be considered to know the
971 * identity address track the connection based on it
972 * from now on (assuming this is an LE link).
974 if (hcon->type == LE_LINK) {
975 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
976 hcon->dst_type = smp->remote_irk->addr_type;
977 queue_work(hdev->workqueue, &conn->id_addr_update_work);
980 /* When receiving an indentity resolving key for
981 * a remote device that does not use a resolvable
982 * private address, just remove the key so that
983 * it is possible to use the controller white
986 * Userspace will have been told to not store
987 * this key at this point. So it is safe to
990 if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) {
991 list_del_rcu(&smp->remote_irk->list);
992 kfree_rcu(smp->remote_irk, rcu);
993 smp->remote_irk = NULL;
997 if (hcon->type == ACL_LINK) {
998 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1001 persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1004 /* The LTKs and CSRKs should be persistent only if both sides
1005 * had the bonding bit set in their authentication requests.
1007 persistent = !!((req->auth_req & rsp->auth_req) &
1013 smp->csrk->bdaddr_type = hcon->dst_type;
1014 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1015 mgmt_new_csrk(hdev, smp->csrk, persistent);
1018 if (smp->slave_csrk) {
1019 smp->slave_csrk->bdaddr_type = hcon->dst_type;
1020 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1021 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1025 smp->ltk->bdaddr_type = hcon->dst_type;
1026 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1027 mgmt_new_ltk(hdev, smp->ltk, persistent);
1030 if (smp->slave_ltk) {
1031 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1032 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1033 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1036 if (smp->link_key) {
1037 struct link_key *key;
1040 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1041 type = HCI_LK_DEBUG_COMBINATION;
1042 else if (hcon->sec_level == BT_SECURITY_FIPS)
1043 type = HCI_LK_AUTH_COMBINATION_P256;
1045 type = HCI_LK_UNAUTH_COMBINATION_P256;
1047 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1048 smp->link_key, type, 0, &persistent);
1050 mgmt_new_link_key(hdev, key, persistent);
1052 /* Don't keep debug keys around if the relevant
1055 if (!test_bit(HCI_KEEP_DEBUG_KEYS, &hdev->dev_flags) &&
1056 key->type == HCI_LK_DEBUG_COMBINATION) {
1057 list_del_rcu(&key->list);
1058 kfree_rcu(key, rcu);
1064 static void sc_add_ltk(struct smp_chan *smp)
1066 struct hci_conn *hcon = smp->conn->hcon;
1069 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1070 key_type = SMP_LTK_P256_DEBUG;
1072 key_type = SMP_LTK_P256;
1074 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1079 memset(smp->tk + smp->enc_key_size, 0,
1080 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
1082 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1083 key_type, auth, smp->tk, smp->enc_key_size,
1087 static void sc_generate_link_key(struct smp_chan *smp)
1089 /* These constants are as specified in the core specification.
1090 * In ASCII they spell out to 'tmp1' and 'lebr'.
1092 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1093 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1095 smp->link_key = kzalloc(16, GFP_KERNEL);
1099 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1100 kfree(smp->link_key);
1101 smp->link_key = NULL;
1105 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1106 kfree(smp->link_key);
1107 smp->link_key = NULL;
1112 static void smp_allow_key_dist(struct smp_chan *smp)
1114 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1115 * will be allowed in each PDU handler to ensure we receive
1116 * them in the correct order.
1118 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1119 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1120 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1121 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1122 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1123 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1126 static void sc_generate_ltk(struct smp_chan *smp)
1128 /* These constants are as specified in the core specification.
1129 * In ASCII they spell out to 'tmp2' and 'brle'.
1131 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1132 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1133 struct hci_conn *hcon = smp->conn->hcon;
1134 struct hci_dev *hdev = hcon->hdev;
1135 struct link_key *key;
1137 key = hci_find_link_key(hdev, &hcon->dst);
1139 BT_ERR("%s No Link Key found to generate LTK", hdev->name);
1143 if (key->type == HCI_LK_DEBUG_COMBINATION)
1144 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1146 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1149 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1155 static void smp_distribute_keys(struct smp_chan *smp)
1157 struct smp_cmd_pairing *req, *rsp;
1158 struct l2cap_conn *conn = smp->conn;
1159 struct hci_conn *hcon = conn->hcon;
1160 struct hci_dev *hdev = hcon->hdev;
1163 BT_DBG("conn %p", conn);
1165 rsp = (void *) &smp->prsp[1];
1167 /* The responder sends its keys first */
1168 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1169 smp_allow_key_dist(smp);
1173 req = (void *) &smp->preq[1];
1176 keydist = &rsp->init_key_dist;
1177 *keydist &= req->init_key_dist;
1179 keydist = &rsp->resp_key_dist;
1180 *keydist &= req->resp_key_dist;
1183 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1184 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1185 sc_generate_link_key(smp);
1186 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1187 sc_generate_ltk(smp);
1189 /* Clear the keys which are generated but not distributed */
1190 *keydist &= ~SMP_SC_NO_DIST;
1193 BT_DBG("keydist 0x%x", *keydist);
1195 if (*keydist & SMP_DIST_ENC_KEY) {
1196 struct smp_cmd_encrypt_info enc;
1197 struct smp_cmd_master_ident ident;
1198 struct smp_ltk *ltk;
1203 get_random_bytes(enc.ltk, sizeof(enc.ltk));
1204 get_random_bytes(&ediv, sizeof(ediv));
1205 get_random_bytes(&rand, sizeof(rand));
1207 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1209 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1210 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1211 SMP_LTK_SLAVE, authenticated, enc.ltk,
1212 smp->enc_key_size, ediv, rand);
1213 smp->slave_ltk = ltk;
1218 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1220 *keydist &= ~SMP_DIST_ENC_KEY;
1223 if (*keydist & SMP_DIST_ID_KEY) {
1224 struct smp_cmd_ident_addr_info addrinfo;
1225 struct smp_cmd_ident_info idinfo;
1227 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1229 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1231 /* The hci_conn contains the local identity address
1232 * after the connection has been established.
1234 * This is true even when the connection has been
1235 * established using a resolvable random address.
1237 bacpy(&addrinfo.bdaddr, &hcon->src);
1238 addrinfo.addr_type = hcon->src_type;
1240 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1243 *keydist &= ~SMP_DIST_ID_KEY;
1246 if (*keydist & SMP_DIST_SIGN) {
1247 struct smp_cmd_sign_info sign;
1248 struct smp_csrk *csrk;
1250 /* Generate a new random key */
1251 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1253 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1255 csrk->master = 0x00;
1256 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1258 smp->slave_csrk = csrk;
1260 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1262 *keydist &= ~SMP_DIST_SIGN;
1265 /* If there are still keys to be received wait for them */
1266 if (smp->remote_key_dist & KEY_DIST_MASK) {
1267 smp_allow_key_dist(smp);
1271 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1272 smp_notify_keys(conn);
1274 smp_chan_destroy(conn);
1277 static void smp_timeout(struct work_struct *work)
1279 struct smp_chan *smp = container_of(work, struct smp_chan,
1280 security_timer.work);
1281 struct l2cap_conn *conn = smp->conn;
1283 BT_DBG("conn %p", conn);
1285 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1288 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1290 struct l2cap_chan *chan = conn->smp;
1291 struct smp_chan *smp;
1293 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1297 smp->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
1298 if (IS_ERR(smp->tfm_aes)) {
1299 BT_ERR("Unable to create ECB crypto context");
1304 smp->tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
1305 if (IS_ERR(smp->tfm_cmac)) {
1306 BT_ERR("Unable to create CMAC crypto context");
1307 crypto_free_blkcipher(smp->tfm_aes);
1315 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1317 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1319 hci_conn_hold(conn->hcon);
1324 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1326 struct hci_conn *hcon = smp->conn->hcon;
1327 u8 *na, *nb, a[7], b[7];
1337 memcpy(a, &hcon->init_addr, 6);
1338 memcpy(b, &hcon->resp_addr, 6);
1339 a[6] = hcon->init_addr_type;
1340 b[6] = hcon->resp_addr_type;
1342 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1345 static void sc_dhkey_check(struct smp_chan *smp)
1347 struct hci_conn *hcon = smp->conn->hcon;
1348 struct smp_cmd_dhkey_check check;
1349 u8 a[7], b[7], *local_addr, *remote_addr;
1350 u8 io_cap[3], r[16];
1352 memcpy(a, &hcon->init_addr, 6);
1353 memcpy(b, &hcon->resp_addr, 6);
1354 a[6] = hcon->init_addr_type;
1355 b[6] = hcon->resp_addr_type;
1360 memcpy(io_cap, &smp->preq[1], 3);
1364 memcpy(io_cap, &smp->prsp[1], 3);
1367 memset(r, 0, sizeof(r));
1369 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1370 put_unaligned_le32(hcon->passkey_notify, r);
1372 if (smp->method == REQ_OOB)
1373 memcpy(r, smp->rr, 16);
1375 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1376 local_addr, remote_addr, check.e);
1378 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1381 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1383 struct l2cap_conn *conn = smp->conn;
1384 struct hci_conn *hcon = conn->hcon;
1385 struct smp_cmd_pairing_confirm cfm;
1388 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1391 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1393 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1395 return SMP_UNSPECIFIED;
1397 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1402 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1404 struct l2cap_conn *conn = smp->conn;
1405 struct hci_conn *hcon = conn->hcon;
1406 struct hci_dev *hdev = hcon->hdev;
1409 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1410 if (smp->passkey_round >= 20)
1414 case SMP_CMD_PAIRING_RANDOM:
1415 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1418 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1420 return SMP_UNSPECIFIED;
1422 if (memcmp(smp->pcnf, cfm, 16))
1423 return SMP_CONFIRM_FAILED;
1425 smp->passkey_round++;
1427 if (smp->passkey_round == 20) {
1428 /* Generate MacKey and LTK */
1429 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1430 return SMP_UNSPECIFIED;
1433 /* The round is only complete when the initiator
1434 * receives pairing random.
1437 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1438 sizeof(smp->prnd), smp->prnd);
1439 if (smp->passkey_round == 20)
1440 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1442 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1446 /* Start the next round */
1447 if (smp->passkey_round != 20)
1448 return sc_passkey_round(smp, 0);
1450 /* Passkey rounds are complete - start DHKey Check */
1451 sc_dhkey_check(smp);
1452 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1456 case SMP_CMD_PAIRING_CONFIRM:
1457 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1458 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1462 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1465 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1466 sizeof(smp->prnd), smp->prnd);
1470 return sc_passkey_send_confirm(smp);
1472 case SMP_CMD_PUBLIC_KEY:
1474 /* Initiating device starts the round */
1478 BT_DBG("%s Starting passkey round %u", hdev->name,
1479 smp->passkey_round + 1);
1481 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1483 return sc_passkey_send_confirm(smp);
1489 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1491 struct l2cap_conn *conn = smp->conn;
1492 struct hci_conn *hcon = conn->hcon;
1495 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1498 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1499 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1501 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1502 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1504 case MGMT_OP_USER_PASSKEY_REPLY:
1505 hcon->passkey_notify = le32_to_cpu(passkey);
1506 smp->passkey_round = 0;
1508 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1509 smp_op = SMP_CMD_PAIRING_CONFIRM;
1513 if (sc_passkey_round(smp, smp_op))
1519 /* Initiator sends DHKey check first */
1521 sc_dhkey_check(smp);
1522 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1523 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1524 sc_dhkey_check(smp);
1531 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1533 struct l2cap_conn *conn = hcon->l2cap_data;
1534 struct l2cap_chan *chan;
1535 struct smp_chan *smp;
1548 l2cap_chan_lock(chan);
1556 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1557 err = sc_user_reply(smp, mgmt_op, passkey);
1562 case MGMT_OP_USER_PASSKEY_REPLY:
1563 value = le32_to_cpu(passkey);
1564 memset(smp->tk, 0, sizeof(smp->tk));
1565 BT_DBG("PassKey: %d", value);
1566 put_unaligned_le32(value, smp->tk);
1568 case MGMT_OP_USER_CONFIRM_REPLY:
1569 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1571 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1572 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1573 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1577 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1584 /* If it is our turn to send Pairing Confirm, do so now */
1585 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1586 u8 rsp = smp_confirm(smp);
1588 smp_failure(conn, rsp);
1592 l2cap_chan_unlock(chan);
1596 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1597 struct smp_cmd_pairing *req,
1598 struct smp_cmd_pairing *rsp)
1600 struct l2cap_conn *conn = smp->conn;
1601 struct hci_dev *hdev = conn->hcon->hdev;
1602 u8 local_dist = 0, remote_dist = 0;
1604 if (test_bit(HCI_BONDABLE, &hdev->dev_flags)) {
1605 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1606 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1609 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
1610 remote_dist |= SMP_DIST_ID_KEY;
1612 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
1613 local_dist |= SMP_DIST_ID_KEY;
1616 memset(req, 0, sizeof(*req));
1618 req->init_key_dist = local_dist;
1619 req->resp_key_dist = remote_dist;
1620 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1622 smp->remote_key_dist = remote_dist;
1627 memset(rsp, 0, sizeof(*rsp));
1629 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1630 rsp->init_key_dist = req->init_key_dist & remote_dist;
1631 rsp->resp_key_dist = req->resp_key_dist & local_dist;
1633 smp->remote_key_dist = rsp->init_key_dist;
1636 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1638 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1639 struct l2cap_chan *chan = conn->smp;
1640 struct hci_dev *hdev = conn->hcon->hdev;
1641 struct smp_chan *smp;
1642 u8 key_size, auth, sec_level;
1645 BT_DBG("conn %p", conn);
1647 if (skb->len < sizeof(*req))
1648 return SMP_INVALID_PARAMS;
1650 if (conn->hcon->role != HCI_ROLE_SLAVE)
1651 return SMP_CMD_NOTSUPP;
1654 smp = smp_chan_create(conn);
1659 return SMP_UNSPECIFIED;
1661 /* We didn't start the pairing, so match remote */
1662 auth = req->auth_req & AUTH_REQ_MASK(hdev);
1664 if (!test_bit(HCI_BONDABLE, &hdev->dev_flags) &&
1665 (auth & SMP_AUTH_BONDING))
1666 return SMP_PAIRING_NOTSUPP;
1668 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
1669 return SMP_AUTH_REQUIREMENTS;
1671 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1672 memcpy(&smp->preq[1], req, sizeof(*req));
1673 skb_pull(skb, sizeof(*req));
1675 /* SMP over BR/EDR requires special treatment */
1676 if (conn->hcon->type == ACL_LINK) {
1677 /* We must have a BR/EDR SC link */
1678 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1679 !test_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags))
1680 return SMP_CROSS_TRANSP_NOT_ALLOWED;
1682 set_bit(SMP_FLAG_SC, &smp->flags);
1684 build_bredr_pairing_cmd(smp, req, &rsp);
1686 key_size = min(req->max_key_size, rsp.max_key_size);
1687 if (check_enc_key_size(conn, key_size))
1688 return SMP_ENC_KEY_SIZE;
1690 /* Clear bits which are generated but not distributed */
1691 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1693 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1694 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1695 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1697 smp_distribute_keys(smp);
1701 build_pairing_cmd(conn, req, &rsp, auth);
1703 if (rsp.auth_req & SMP_AUTH_SC)
1704 set_bit(SMP_FLAG_SC, &smp->flags);
1706 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1707 sec_level = BT_SECURITY_MEDIUM;
1709 sec_level = authreq_to_seclevel(auth);
1711 if (sec_level > conn->hcon->pending_sec_level)
1712 conn->hcon->pending_sec_level = sec_level;
1714 /* If we need MITM check that it can be achieved */
1715 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1718 method = get_auth_method(smp, conn->hcon->io_capability,
1719 req->io_capability);
1720 if (method == JUST_WORKS || method == JUST_CFM)
1721 return SMP_AUTH_REQUIREMENTS;
1724 key_size = min(req->max_key_size, rsp.max_key_size);
1725 if (check_enc_key_size(conn, key_size))
1726 return SMP_ENC_KEY_SIZE;
1728 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1730 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1731 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1733 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1735 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1737 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1738 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1739 /* Clear bits which are generated but not distributed */
1740 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1741 /* Wait for Public Key from Initiating Device */
1744 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1747 /* Request setup of TK */
1748 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1750 return SMP_UNSPECIFIED;
1755 static u8 sc_send_public_key(struct smp_chan *smp)
1757 struct hci_dev *hdev = smp->conn->hcon->hdev;
1761 if (test_bit(HCI_USE_DEBUG_KEYS, &hdev->dev_flags)) {
1762 BT_DBG("Using debug keys");
1763 memcpy(smp->local_pk, debug_pk, 64);
1764 memcpy(smp->local_sk, debug_sk, 32);
1765 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1768 /* Generate local key pair for Secure Connections */
1769 if (!ecc_make_key(smp->local_pk, smp->local_sk))
1770 return SMP_UNSPECIFIED;
1772 /* This is unlikely, but we need to check that
1773 * we didn't accidentially generate a debug key.
1775 if (memcmp(smp->local_sk, debug_sk, 32))
1780 SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1781 SMP_DBG("Local Public Key Y: %32phN", &smp->local_pk[32]);
1782 SMP_DBG("Local Private Key: %32phN", smp->local_sk);
1784 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1789 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1791 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1792 struct l2cap_chan *chan = conn->smp;
1793 struct smp_chan *smp = chan->data;
1794 struct hci_dev *hdev = conn->hcon->hdev;
1798 BT_DBG("conn %p", conn);
1800 if (skb->len < sizeof(*rsp))
1801 return SMP_INVALID_PARAMS;
1803 if (conn->hcon->role != HCI_ROLE_MASTER)
1804 return SMP_CMD_NOTSUPP;
1806 skb_pull(skb, sizeof(*rsp));
1808 req = (void *) &smp->preq[1];
1810 key_size = min(req->max_key_size, rsp->max_key_size);
1811 if (check_enc_key_size(conn, key_size))
1812 return SMP_ENC_KEY_SIZE;
1814 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1816 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
1817 return SMP_AUTH_REQUIREMENTS;
1819 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1820 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1822 /* Update remote key distribution in case the remote cleared
1823 * some bits that we had enabled in our request.
1825 smp->remote_key_dist &= rsp->resp_key_dist;
1827 /* For BR/EDR this means we're done and can start phase 3 */
1828 if (conn->hcon->type == ACL_LINK) {
1829 /* Clear bits which are generated but not distributed */
1830 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1831 smp_distribute_keys(smp);
1835 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1836 set_bit(SMP_FLAG_SC, &smp->flags);
1837 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1838 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1840 /* If we need MITM check that it can be achieved */
1841 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1844 method = get_auth_method(smp, req->io_capability,
1845 rsp->io_capability);
1846 if (method == JUST_WORKS || method == JUST_CFM)
1847 return SMP_AUTH_REQUIREMENTS;
1850 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1852 /* Update remote key distribution in case the remote cleared
1853 * some bits that we had enabled in our request.
1855 smp->remote_key_dist &= rsp->resp_key_dist;
1857 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1858 /* Clear bits which are generated but not distributed */
1859 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1860 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1861 return sc_send_public_key(smp);
1864 auth |= req->auth_req;
1866 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
1868 return SMP_UNSPECIFIED;
1870 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1872 /* Can't compose response until we have been confirmed */
1873 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1874 return smp_confirm(smp);
1879 static u8 sc_check_confirm(struct smp_chan *smp)
1881 struct l2cap_conn *conn = smp->conn;
1885 /* Public Key exchange must happen before any other steps */
1886 if (!test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
1887 return SMP_UNSPECIFIED;
1889 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1890 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
1892 if (conn->hcon->out) {
1893 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1895 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1901 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
1903 struct l2cap_chan *chan = conn->smp;
1904 struct smp_chan *smp = chan->data;
1906 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
1908 if (skb->len < sizeof(smp->pcnf))
1909 return SMP_INVALID_PARAMS;
1911 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
1912 skb_pull(skb, sizeof(smp->pcnf));
1914 if (test_bit(SMP_FLAG_SC, &smp->flags))
1915 return sc_check_confirm(smp);
1917 if (conn->hcon->out) {
1918 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1920 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1924 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1925 return smp_confirm(smp);
1927 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1932 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
1934 struct l2cap_chan *chan = conn->smp;
1935 struct smp_chan *smp = chan->data;
1936 struct hci_conn *hcon = conn->hcon;
1937 u8 *pkax, *pkbx, *na, *nb;
1941 BT_DBG("conn %p", conn);
1943 if (skb->len < sizeof(smp->rrnd))
1944 return SMP_INVALID_PARAMS;
1946 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
1947 skb_pull(skb, sizeof(smp->rrnd));
1949 if (!test_bit(SMP_FLAG_SC, &smp->flags))
1950 return smp_random(smp);
1953 pkax = smp->local_pk;
1954 pkbx = smp->remote_pk;
1958 pkax = smp->remote_pk;
1959 pkbx = smp->local_pk;
1964 if (smp->method == REQ_OOB) {
1966 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1967 sizeof(smp->prnd), smp->prnd);
1968 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1969 goto mackey_and_ltk;
1972 /* Passkey entry has special treatment */
1973 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1974 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
1979 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1982 return SMP_UNSPECIFIED;
1984 if (memcmp(smp->pcnf, cfm, 16))
1985 return SMP_CONFIRM_FAILED;
1987 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1989 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1993 /* Generate MacKey and LTK */
1994 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
1996 return SMP_UNSPECIFIED;
1998 if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2000 sc_dhkey_check(smp);
2001 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2006 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2008 return SMP_UNSPECIFIED;
2010 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2011 hcon->dst_type, passkey, 0);
2013 return SMP_UNSPECIFIED;
2015 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2020 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2022 struct smp_ltk *key;
2023 struct hci_conn *hcon = conn->hcon;
2025 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2029 if (smp_ltk_sec_level(key) < sec_level)
2032 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2035 hci_le_start_enc(hcon, key->ediv, key->rand, key->val);
2036 hcon->enc_key_size = key->enc_size;
2038 /* We never store STKs for master role, so clear this flag */
2039 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2044 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2045 enum smp_key_pref key_pref)
2047 if (sec_level == BT_SECURITY_LOW)
2050 /* If we're encrypted with an STK but the caller prefers using
2051 * LTK claim insufficient security. This way we allow the
2052 * connection to be re-encrypted with an LTK, even if the LTK
2053 * provides the same level of security. Only exception is if we
2054 * don't have an LTK (e.g. because of key distribution bits).
2056 if (key_pref == SMP_USE_LTK &&
2057 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2058 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2061 if (hcon->sec_level >= sec_level)
2067 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2069 struct smp_cmd_security_req *rp = (void *) skb->data;
2070 struct smp_cmd_pairing cp;
2071 struct hci_conn *hcon = conn->hcon;
2072 struct hci_dev *hdev = hcon->hdev;
2073 struct smp_chan *smp;
2076 BT_DBG("conn %p", conn);
2078 if (skb->len < sizeof(*rp))
2079 return SMP_INVALID_PARAMS;
2081 if (hcon->role != HCI_ROLE_MASTER)
2082 return SMP_CMD_NOTSUPP;
2084 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2086 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
2087 return SMP_AUTH_REQUIREMENTS;
2089 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2090 sec_level = BT_SECURITY_MEDIUM;
2092 sec_level = authreq_to_seclevel(auth);
2094 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2097 if (sec_level > hcon->pending_sec_level)
2098 hcon->pending_sec_level = sec_level;
2100 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2103 smp = smp_chan_create(conn);
2105 return SMP_UNSPECIFIED;
2107 if (!test_bit(HCI_BONDABLE, &hcon->hdev->dev_flags) &&
2108 (auth & SMP_AUTH_BONDING))
2109 return SMP_PAIRING_NOTSUPP;
2111 skb_pull(skb, sizeof(*rp));
2113 memset(&cp, 0, sizeof(cp));
2114 build_pairing_cmd(conn, &cp, NULL, auth);
2116 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2117 memcpy(&smp->preq[1], &cp, sizeof(cp));
2119 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2120 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2125 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2127 struct l2cap_conn *conn = hcon->l2cap_data;
2128 struct l2cap_chan *chan;
2129 struct smp_chan *smp;
2133 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2135 /* This may be NULL if there's an unexpected disconnection */
2141 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags))
2144 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2147 if (sec_level > hcon->pending_sec_level)
2148 hcon->pending_sec_level = sec_level;
2150 if (hcon->role == HCI_ROLE_MASTER)
2151 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2154 l2cap_chan_lock(chan);
2156 /* If SMP is already in progress ignore this request */
2162 smp = smp_chan_create(conn);
2168 authreq = seclevel_to_authreq(sec_level);
2170 if (test_bit(HCI_SC_ENABLED, &hcon->hdev->dev_flags))
2171 authreq |= SMP_AUTH_SC;
2173 /* Require MITM if IO Capability allows or the security level
2176 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2177 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2178 authreq |= SMP_AUTH_MITM;
2180 if (hcon->role == HCI_ROLE_MASTER) {
2181 struct smp_cmd_pairing cp;
2183 build_pairing_cmd(conn, &cp, NULL, authreq);
2184 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2185 memcpy(&smp->preq[1], &cp, sizeof(cp));
2187 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2188 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2190 struct smp_cmd_security_req cp;
2191 cp.auth_req = authreq;
2192 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2193 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2196 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2200 l2cap_chan_unlock(chan);
2204 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2206 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2207 struct l2cap_chan *chan = conn->smp;
2208 struct smp_chan *smp = chan->data;
2210 BT_DBG("conn %p", conn);
2212 if (skb->len < sizeof(*rp))
2213 return SMP_INVALID_PARAMS;
2215 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2217 skb_pull(skb, sizeof(*rp));
2219 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2224 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2226 struct smp_cmd_master_ident *rp = (void *) skb->data;
2227 struct l2cap_chan *chan = conn->smp;
2228 struct smp_chan *smp = chan->data;
2229 struct hci_dev *hdev = conn->hcon->hdev;
2230 struct hci_conn *hcon = conn->hcon;
2231 struct smp_ltk *ltk;
2234 BT_DBG("conn %p", conn);
2236 if (skb->len < sizeof(*rp))
2237 return SMP_INVALID_PARAMS;
2239 /* Mark the information as received */
2240 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2242 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2243 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2244 else if (smp->remote_key_dist & SMP_DIST_SIGN)
2245 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2247 skb_pull(skb, sizeof(*rp));
2249 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2250 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2251 authenticated, smp->tk, smp->enc_key_size,
2252 rp->ediv, rp->rand);
2254 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2255 smp_distribute_keys(smp);
2260 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2262 struct smp_cmd_ident_info *info = (void *) skb->data;
2263 struct l2cap_chan *chan = conn->smp;
2264 struct smp_chan *smp = chan->data;
2268 if (skb->len < sizeof(*info))
2269 return SMP_INVALID_PARAMS;
2271 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2273 skb_pull(skb, sizeof(*info));
2275 memcpy(smp->irk, info->irk, 16);
2280 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2281 struct sk_buff *skb)
2283 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2284 struct l2cap_chan *chan = conn->smp;
2285 struct smp_chan *smp = chan->data;
2286 struct hci_conn *hcon = conn->hcon;
2291 if (skb->len < sizeof(*info))
2292 return SMP_INVALID_PARAMS;
2294 /* Mark the information as received */
2295 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2297 if (smp->remote_key_dist & SMP_DIST_SIGN)
2298 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2300 skb_pull(skb, sizeof(*info));
2302 /* Strictly speaking the Core Specification (4.1) allows sending
2303 * an empty address which would force us to rely on just the IRK
2304 * as "identity information". However, since such
2305 * implementations are not known of and in order to not over
2306 * complicate our implementation, simply pretend that we never
2307 * received an IRK for such a device.
2309 * The Identity Address must also be a Static Random or Public
2310 * Address, which hci_is_identity_address() checks for.
2312 if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2313 !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2314 BT_ERR("Ignoring IRK with no identity address");
2318 bacpy(&smp->id_addr, &info->bdaddr);
2319 smp->id_addr_type = info->addr_type;
2321 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2322 bacpy(&rpa, &hcon->dst);
2324 bacpy(&rpa, BDADDR_ANY);
2326 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2327 smp->id_addr_type, smp->irk, &rpa);
2330 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2331 smp_distribute_keys(smp);
2336 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2338 struct smp_cmd_sign_info *rp = (void *) skb->data;
2339 struct l2cap_chan *chan = conn->smp;
2340 struct smp_chan *smp = chan->data;
2341 struct smp_csrk *csrk;
2343 BT_DBG("conn %p", conn);
2345 if (skb->len < sizeof(*rp))
2346 return SMP_INVALID_PARAMS;
2348 /* Mark the information as received */
2349 smp->remote_key_dist &= ~SMP_DIST_SIGN;
2351 skb_pull(skb, sizeof(*rp));
2353 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2355 csrk->master = 0x01;
2356 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2359 smp_distribute_keys(smp);
2364 static u8 sc_select_method(struct smp_chan *smp)
2366 struct l2cap_conn *conn = smp->conn;
2367 struct hci_conn *hcon = conn->hcon;
2368 struct smp_cmd_pairing *local, *remote;
2369 u8 local_mitm, remote_mitm, local_io, remote_io, method;
2371 if (test_bit(SMP_FLAG_OOB, &smp->flags))
2374 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2375 * which are needed as inputs to some crypto functions. To get
2376 * the "struct smp_cmd_pairing" from them we need to skip the
2377 * first byte which contains the opcode.
2380 local = (void *) &smp->preq[1];
2381 remote = (void *) &smp->prsp[1];
2383 local = (void *) &smp->prsp[1];
2384 remote = (void *) &smp->preq[1];
2387 local_io = local->io_capability;
2388 remote_io = remote->io_capability;
2390 local_mitm = (local->auth_req & SMP_AUTH_MITM);
2391 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2393 /* If either side wants MITM, look up the method from the table,
2394 * otherwise use JUST WORKS.
2396 if (local_mitm || remote_mitm)
2397 method = get_auth_method(smp, local_io, remote_io);
2399 method = JUST_WORKS;
2401 /* Don't confirm locally initiated pairing attempts */
2402 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2403 method = JUST_WORKS;
2408 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2410 struct smp_cmd_public_key *key = (void *) skb->data;
2411 struct hci_conn *hcon = conn->hcon;
2412 struct l2cap_chan *chan = conn->smp;
2413 struct smp_chan *smp = chan->data;
2414 struct hci_dev *hdev = hcon->hdev;
2415 struct smp_cmd_pairing_confirm cfm;
2418 BT_DBG("conn %p", conn);
2420 if (skb->len < sizeof(*key))
2421 return SMP_INVALID_PARAMS;
2423 memcpy(smp->remote_pk, key, 64);
2425 /* Non-initiating device sends its public key after receiving
2426 * the key from the initiating device.
2429 err = sc_send_public_key(smp);
2434 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2435 SMP_DBG("Remote Public Key Y: %32phN", &smp->remote_pk[32]);
2437 if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2438 return SMP_UNSPECIFIED;
2440 SMP_DBG("DHKey %32phN", smp->dhkey);
2442 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2444 smp->method = sc_select_method(smp);
2446 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2448 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2449 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2450 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2452 hcon->pending_sec_level = BT_SECURITY_FIPS;
2454 if (!memcmp(debug_pk, smp->remote_pk, 64))
2455 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2457 if (smp->method == DSP_PASSKEY) {
2458 get_random_bytes(&hcon->passkey_notify,
2459 sizeof(hcon->passkey_notify));
2460 hcon->passkey_notify %= 1000000;
2461 hcon->passkey_entered = 0;
2462 smp->passkey_round = 0;
2463 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2465 hcon->passkey_notify,
2466 hcon->passkey_entered))
2467 return SMP_UNSPECIFIED;
2468 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2469 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2472 if (smp->method == REQ_OOB) {
2473 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2474 smp->rr, 0, cfm.confirm_val);
2476 return SMP_UNSPECIFIED;
2478 if (memcmp(cfm.confirm_val, smp->pcnf, 16))
2479 return SMP_CONFIRM_FAILED;
2482 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2483 sizeof(smp->prnd), smp->prnd);
2485 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2491 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2493 if (smp->method == REQ_PASSKEY) {
2494 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2496 return SMP_UNSPECIFIED;
2497 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2498 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2502 /* The Initiating device waits for the non-initiating device to
2503 * send the confirm value.
2505 if (conn->hcon->out)
2508 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2509 0, cfm.confirm_val);
2511 return SMP_UNSPECIFIED;
2513 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2514 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2519 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2521 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2522 struct l2cap_chan *chan = conn->smp;
2523 struct hci_conn *hcon = conn->hcon;
2524 struct smp_chan *smp = chan->data;
2525 u8 a[7], b[7], *local_addr, *remote_addr;
2526 u8 io_cap[3], r[16], e[16];
2529 BT_DBG("conn %p", conn);
2531 if (skb->len < sizeof(*check))
2532 return SMP_INVALID_PARAMS;
2534 memcpy(a, &hcon->init_addr, 6);
2535 memcpy(b, &hcon->resp_addr, 6);
2536 a[6] = hcon->init_addr_type;
2537 b[6] = hcon->resp_addr_type;
2542 memcpy(io_cap, &smp->prsp[1], 3);
2546 memcpy(io_cap, &smp->preq[1], 3);
2549 memset(r, 0, sizeof(r));
2551 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2552 put_unaligned_le32(hcon->passkey_notify, r);
2554 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2555 io_cap, remote_addr, local_addr, e);
2557 return SMP_UNSPECIFIED;
2559 if (memcmp(check->e, e, 16))
2560 return SMP_DHKEY_CHECK_FAILED;
2563 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2564 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2568 /* Slave sends DHKey check as response to master */
2569 sc_dhkey_check(smp);
2575 hci_le_start_enc(hcon, 0, 0, smp->tk);
2576 hcon->enc_key_size = smp->enc_key_size;
2582 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2583 struct sk_buff *skb)
2585 struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2587 BT_DBG("value 0x%02x", kp->value);
2592 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2594 struct l2cap_conn *conn = chan->conn;
2595 struct hci_conn *hcon = conn->hcon;
2596 struct smp_chan *smp;
2603 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags)) {
2604 reason = SMP_PAIRING_NOTSUPP;
2608 code = skb->data[0];
2609 skb_pull(skb, sizeof(code));
2613 if (code > SMP_CMD_MAX)
2616 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2619 /* If we don't have a context the only allowed commands are
2620 * pairing request and security request.
2622 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2626 case SMP_CMD_PAIRING_REQ:
2627 reason = smp_cmd_pairing_req(conn, skb);
2630 case SMP_CMD_PAIRING_FAIL:
2631 smp_failure(conn, 0);
2635 case SMP_CMD_PAIRING_RSP:
2636 reason = smp_cmd_pairing_rsp(conn, skb);
2639 case SMP_CMD_SECURITY_REQ:
2640 reason = smp_cmd_security_req(conn, skb);
2643 case SMP_CMD_PAIRING_CONFIRM:
2644 reason = smp_cmd_pairing_confirm(conn, skb);
2647 case SMP_CMD_PAIRING_RANDOM:
2648 reason = smp_cmd_pairing_random(conn, skb);
2651 case SMP_CMD_ENCRYPT_INFO:
2652 reason = smp_cmd_encrypt_info(conn, skb);
2655 case SMP_CMD_MASTER_IDENT:
2656 reason = smp_cmd_master_ident(conn, skb);
2659 case SMP_CMD_IDENT_INFO:
2660 reason = smp_cmd_ident_info(conn, skb);
2663 case SMP_CMD_IDENT_ADDR_INFO:
2664 reason = smp_cmd_ident_addr_info(conn, skb);
2667 case SMP_CMD_SIGN_INFO:
2668 reason = smp_cmd_sign_info(conn, skb);
2671 case SMP_CMD_PUBLIC_KEY:
2672 reason = smp_cmd_public_key(conn, skb);
2675 case SMP_CMD_DHKEY_CHECK:
2676 reason = smp_cmd_dhkey_check(conn, skb);
2679 case SMP_CMD_KEYPRESS_NOTIFY:
2680 reason = smp_cmd_keypress_notify(conn, skb);
2684 BT_DBG("Unknown command code 0x%2.2x", code);
2685 reason = SMP_CMD_NOTSUPP;
2692 smp_failure(conn, reason);
2699 BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2705 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2707 struct l2cap_conn *conn = chan->conn;
2709 BT_DBG("chan %p", chan);
2712 smp_chan_destroy(conn);
2715 l2cap_chan_put(chan);
2718 static void bredr_pairing(struct l2cap_chan *chan)
2720 struct l2cap_conn *conn = chan->conn;
2721 struct hci_conn *hcon = conn->hcon;
2722 struct hci_dev *hdev = hcon->hdev;
2723 struct smp_cmd_pairing req;
2724 struct smp_chan *smp;
2726 BT_DBG("chan %p", chan);
2728 /* Only new pairings are interesting */
2729 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2732 /* Don't bother if we're not encrypted */
2733 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2736 /* Only master may initiate SMP over BR/EDR */
2737 if (hcon->role != HCI_ROLE_MASTER)
2740 /* Secure Connections support must be enabled */
2741 if (!test_bit(HCI_SC_ENABLED, &hdev->dev_flags))
2744 /* BR/EDR must use Secure Connections for SMP */
2745 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
2746 !test_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags))
2749 /* If our LE support is not enabled don't do anything */
2750 if (!test_bit(HCI_LE_ENABLED, &hdev->dev_flags))
2753 /* Don't bother if remote LE support is not enabled */
2754 if (!lmp_host_le_capable(hcon))
2757 /* Remote must support SMP fixed chan for BR/EDR */
2758 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
2761 /* Don't bother if SMP is already ongoing */
2765 smp = smp_chan_create(conn);
2767 BT_ERR("%s unable to create SMP context for BR/EDR",
2772 set_bit(SMP_FLAG_SC, &smp->flags);
2774 BT_DBG("%s starting SMP over BR/EDR", hdev->name);
2776 /* Prepare and send the BR/EDR SMP Pairing Request */
2777 build_bredr_pairing_cmd(smp, &req, NULL);
2779 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2780 memcpy(&smp->preq[1], &req, sizeof(req));
2782 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
2783 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2786 static void smp_resume_cb(struct l2cap_chan *chan)
2788 struct smp_chan *smp = chan->data;
2789 struct l2cap_conn *conn = chan->conn;
2790 struct hci_conn *hcon = conn->hcon;
2792 BT_DBG("chan %p", chan);
2794 if (hcon->type == ACL_LINK) {
2795 bredr_pairing(chan);
2802 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2805 cancel_delayed_work(&smp->security_timer);
2807 smp_distribute_keys(smp);
2810 static void smp_ready_cb(struct l2cap_chan *chan)
2812 struct l2cap_conn *conn = chan->conn;
2813 struct hci_conn *hcon = conn->hcon;
2815 BT_DBG("chan %p", chan);
2818 l2cap_chan_hold(chan);
2820 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2821 bredr_pairing(chan);
2824 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
2828 BT_DBG("chan %p", chan);
2830 err = smp_sig_channel(chan, skb);
2832 struct smp_chan *smp = chan->data;
2835 cancel_delayed_work_sync(&smp->security_timer);
2837 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
2843 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
2844 unsigned long hdr_len,
2845 unsigned long len, int nb)
2847 struct sk_buff *skb;
2849 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
2851 return ERR_PTR(-ENOMEM);
2853 skb->priority = HCI_PRIO_MAX;
2854 bt_cb(skb)->chan = chan;
2859 static const struct l2cap_ops smp_chan_ops = {
2860 .name = "Security Manager",
2861 .ready = smp_ready_cb,
2862 .recv = smp_recv_cb,
2863 .alloc_skb = smp_alloc_skb_cb,
2864 .teardown = smp_teardown_cb,
2865 .resume = smp_resume_cb,
2867 .new_connection = l2cap_chan_no_new_connection,
2868 .state_change = l2cap_chan_no_state_change,
2869 .close = l2cap_chan_no_close,
2870 .defer = l2cap_chan_no_defer,
2871 .suspend = l2cap_chan_no_suspend,
2872 .set_shutdown = l2cap_chan_no_set_shutdown,
2873 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
2876 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
2878 struct l2cap_chan *chan;
2880 BT_DBG("pchan %p", pchan);
2882 chan = l2cap_chan_create();
2886 chan->chan_type = pchan->chan_type;
2887 chan->ops = &smp_chan_ops;
2888 chan->scid = pchan->scid;
2889 chan->dcid = chan->scid;
2890 chan->imtu = pchan->imtu;
2891 chan->omtu = pchan->omtu;
2892 chan->mode = pchan->mode;
2894 /* Other L2CAP channels may request SMP routines in order to
2895 * change the security level. This means that the SMP channel
2896 * lock must be considered in its own category to avoid lockdep
2899 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
2901 BT_DBG("created chan %p", chan);
2906 static const struct l2cap_ops smp_root_chan_ops = {
2907 .name = "Security Manager Root",
2908 .new_connection = smp_new_conn_cb,
2910 /* None of these are implemented for the root channel */
2911 .close = l2cap_chan_no_close,
2912 .alloc_skb = l2cap_chan_no_alloc_skb,
2913 .recv = l2cap_chan_no_recv,
2914 .state_change = l2cap_chan_no_state_change,
2915 .teardown = l2cap_chan_no_teardown,
2916 .ready = l2cap_chan_no_ready,
2917 .defer = l2cap_chan_no_defer,
2918 .suspend = l2cap_chan_no_suspend,
2919 .resume = l2cap_chan_no_resume,
2920 .set_shutdown = l2cap_chan_no_set_shutdown,
2921 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
2924 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
2926 struct l2cap_chan *chan;
2927 struct crypto_blkcipher *tfm_aes;
2929 if (cid == L2CAP_CID_SMP_BREDR) {
2934 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, 0);
2935 if (IS_ERR(tfm_aes)) {
2936 BT_ERR("Unable to create crypto context");
2937 return ERR_CAST(tfm_aes);
2941 chan = l2cap_chan_create();
2943 crypto_free_blkcipher(tfm_aes);
2944 return ERR_PTR(-ENOMEM);
2947 chan->data = tfm_aes;
2949 l2cap_add_scid(chan, cid);
2951 l2cap_chan_set_defaults(chan);
2953 if (cid == L2CAP_CID_SMP) {
2954 /* If usage of static address is forced or if the devices
2955 * does not have a public address, then listen on the static
2958 * In case BR/EDR has been disabled on a dual-mode controller
2959 * and a static address has been configued, then listen on
2960 * the static address instead.
2962 if (test_bit(HCI_FORCE_STATIC_ADDR, &hdev->dbg_flags) ||
2963 !bacmp(&hdev->bdaddr, BDADDR_ANY) ||
2964 (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags) &&
2965 bacmp(&hdev->static_addr, BDADDR_ANY))) {
2966 bacpy(&chan->src, &hdev->static_addr);
2967 chan->src_type = BDADDR_LE_RANDOM;
2969 bacpy(&chan->src, &hdev->bdaddr);
2970 chan->src_type = BDADDR_LE_PUBLIC;
2973 bacpy(&chan->src, &hdev->bdaddr);
2974 chan->src_type = BDADDR_BREDR;
2977 chan->state = BT_LISTEN;
2978 chan->mode = L2CAP_MODE_BASIC;
2979 chan->imtu = L2CAP_DEFAULT_MTU;
2980 chan->ops = &smp_root_chan_ops;
2982 /* Set correct nesting level for a parent/listening channel */
2983 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
2988 static void smp_del_chan(struct l2cap_chan *chan)
2990 struct crypto_blkcipher *tfm_aes;
2992 BT_DBG("chan %p", chan);
2994 tfm_aes = chan->data;
2997 crypto_free_blkcipher(tfm_aes);
3000 l2cap_chan_put(chan);
3003 static ssize_t force_bredr_smp_read(struct file *file,
3004 char __user *user_buf,
3005 size_t count, loff_t *ppos)
3007 struct hci_dev *hdev = file->private_data;
3010 buf[0] = test_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags) ? 'Y': 'N';
3013 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3016 static ssize_t force_bredr_smp_write(struct file *file,
3017 const char __user *user_buf,
3018 size_t count, loff_t *ppos)
3020 struct hci_dev *hdev = file->private_data;
3022 size_t buf_size = min(count, (sizeof(buf)-1));
3025 if (copy_from_user(buf, user_buf, buf_size))
3028 buf[buf_size] = '\0';
3029 if (strtobool(buf, &enable))
3032 if (enable == test_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags))
3036 struct l2cap_chan *chan;
3038 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3040 return PTR_ERR(chan);
3042 hdev->smp_bredr_data = chan;
3044 struct l2cap_chan *chan;
3046 chan = hdev->smp_bredr_data;
3047 hdev->smp_bredr_data = NULL;
3051 change_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags);
3056 static const struct file_operations force_bredr_smp_fops = {
3057 .open = simple_open,
3058 .read = force_bredr_smp_read,
3059 .write = force_bredr_smp_write,
3060 .llseek = default_llseek,
3063 int smp_register(struct hci_dev *hdev)
3065 struct l2cap_chan *chan;
3067 BT_DBG("%s", hdev->name);
3069 /* If the controller does not support Low Energy operation, then
3070 * there is also no need to register any SMP channel.
3072 if (!lmp_le_capable(hdev))
3075 if (WARN_ON(hdev->smp_data)) {
3076 chan = hdev->smp_data;
3077 hdev->smp_data = NULL;
3081 chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3083 return PTR_ERR(chan);
3085 hdev->smp_data = chan;
3087 /* If the controller does not support BR/EDR Secure Connections
3088 * feature, then the BR/EDR SMP channel shall not be present.
3090 * To test this with Bluetooth 4.0 controllers, create a debugfs
3091 * switch that allows forcing BR/EDR SMP support and accepting
3092 * cross-transport pairing on non-AES encrypted connections.
3094 if (!lmp_sc_capable(hdev)) {
3095 debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3096 hdev, &force_bredr_smp_fops);
3100 if (WARN_ON(hdev->smp_bredr_data)) {
3101 chan = hdev->smp_bredr_data;
3102 hdev->smp_bredr_data = NULL;
3106 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3108 int err = PTR_ERR(chan);
3109 chan = hdev->smp_data;
3110 hdev->smp_data = NULL;
3115 hdev->smp_bredr_data = chan;
3120 void smp_unregister(struct hci_dev *hdev)
3122 struct l2cap_chan *chan;
3124 if (hdev->smp_bredr_data) {
3125 chan = hdev->smp_bredr_data;
3126 hdev->smp_bredr_data = NULL;
3130 if (hdev->smp_data) {
3131 chan = hdev->smp_data;
3132 hdev->smp_data = NULL;
3137 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3139 static int __init test_ah(struct crypto_blkcipher *tfm_aes)
3141 const u8 irk[16] = {
3142 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3143 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3144 const u8 r[3] = { 0x94, 0x81, 0x70 };
3145 const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3149 err = smp_ah(tfm_aes, irk, r, res);
3153 if (memcmp(res, exp, 3))
3159 static int __init test_c1(struct crypto_blkcipher *tfm_aes)
3162 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3163 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3165 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3166 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3167 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3168 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3169 const u8 _iat = 0x01;
3170 const u8 _rat = 0x00;
3171 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3172 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3173 const u8 exp[16] = {
3174 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3175 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3179 err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3183 if (memcmp(res, exp, 16))
3189 static int __init test_s1(struct crypto_blkcipher *tfm_aes)
3192 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3193 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3195 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3197 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3198 const u8 exp[16] = {
3199 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3200 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3204 err = smp_s1(tfm_aes, k, r1, r2, res);
3208 if (memcmp(res, exp, 16))
3214 static int __init test_f4(struct crypto_hash *tfm_cmac)
3217 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3218 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3219 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3220 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3222 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3223 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3224 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3225 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3227 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3228 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3230 const u8 exp[16] = {
3231 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3232 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3236 err = smp_f4(tfm_cmac, u, v, x, z, res);
3240 if (memcmp(res, exp, 16))
3246 static int __init test_f5(struct crypto_hash *tfm_cmac)
3249 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3250 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3251 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3252 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3254 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3255 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3257 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3258 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3259 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3260 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3261 const u8 exp_ltk[16] = {
3262 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3263 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3264 const u8 exp_mackey[16] = {
3265 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3266 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3267 u8 mackey[16], ltk[16];
3270 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3274 if (memcmp(mackey, exp_mackey, 16))
3277 if (memcmp(ltk, exp_ltk, 16))
3283 static int __init test_f6(struct crypto_hash *tfm_cmac)
3286 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3287 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3289 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3290 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3292 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3293 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3295 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3296 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3297 const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3298 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3299 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3300 const u8 exp[16] = {
3301 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3302 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3306 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3310 if (memcmp(res, exp, 16))
3316 static int __init test_g2(struct crypto_hash *tfm_cmac)
3319 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3320 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3321 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3322 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3324 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3325 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3326 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3327 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3329 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3330 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3332 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3333 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3334 const u32 exp_val = 0x2f9ed5ba % 1000000;
3338 err = smp_g2(tfm_cmac, u, v, x, y, &val);
3348 static int __init test_h6(struct crypto_hash *tfm_cmac)
3351 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3352 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3353 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3354 const u8 exp[16] = {
3355 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3356 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3360 err = smp_h6(tfm_cmac, w, key_id, res);
3364 if (memcmp(res, exp, 16))
3370 static int __init run_selftests(struct crypto_blkcipher *tfm_aes,
3371 struct crypto_hash *tfm_cmac)
3373 ktime_t calltime, delta, rettime;
3374 unsigned long long duration;
3377 calltime = ktime_get();
3379 err = test_ah(tfm_aes);
3381 BT_ERR("smp_ah test failed");
3385 err = test_c1(tfm_aes);
3387 BT_ERR("smp_c1 test failed");
3391 err = test_s1(tfm_aes);
3393 BT_ERR("smp_s1 test failed");
3397 err = test_f4(tfm_cmac);
3399 BT_ERR("smp_f4 test failed");
3403 err = test_f5(tfm_cmac);
3405 BT_ERR("smp_f5 test failed");
3409 err = test_f6(tfm_cmac);
3411 BT_ERR("smp_f6 test failed");
3415 err = test_g2(tfm_cmac);
3417 BT_ERR("smp_g2 test failed");
3421 err = test_h6(tfm_cmac);
3423 BT_ERR("smp_h6 test failed");
3427 rettime = ktime_get();
3428 delta = ktime_sub(rettime, calltime);
3429 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3431 BT_INFO("SMP test passed in %llu usecs", duration);
3436 int __init bt_selftest_smp(void)
3438 struct crypto_blkcipher *tfm_aes;
3439 struct crypto_hash *tfm_cmac;
3442 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
3443 if (IS_ERR(tfm_aes)) {
3444 BT_ERR("Unable to create ECB crypto context");
3445 return PTR_ERR(tfm_aes);
3448 tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3449 if (IS_ERR(tfm_cmac)) {
3450 BT_ERR("Unable to create CMAC crypto context");
3451 crypto_free_blkcipher(tfm_aes);
3452 return PTR_ERR(tfm_cmac);
3455 err = run_selftests(tfm_aes, tfm_cmac);
3457 crypto_free_hash(tfm_cmac);
3458 crypto_free_blkcipher(tfm_aes);