2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
23 #include <linux/debugfs.h>
24 #include <linux/crypto.h>
25 #include <linux/scatterlist.h>
26 #include <crypto/b128ops.h>
28 #include <net/bluetooth/bluetooth.h>
29 #include <net/bluetooth/hci_core.h>
30 #include <net/bluetooth/l2cap.h>
31 #include <net/bluetooth/mgmt.h>
36 /* Low-level debug macros to be used for stuff that we don't want
37 * accidentially in dmesg, i.e. the values of the various crypto keys
38 * and the inputs & outputs of crypto functions.
41 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
44 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
48 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
50 /* Keys which are not distributed with Secure Connections */
51 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
53 #define SMP_TIMEOUT msecs_to_jiffies(30000)
55 #define AUTH_REQ_MASK(dev) (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
57 #define KEY_DIST_MASK 0x07
59 /* Maximum message length that can be passed to aes_cmac */
60 #define CMAC_MSG_MAX 80
72 SMP_FLAG_DHKEY_PENDING,
78 /* Secure Connections OOB data */
84 struct crypto_blkcipher *tfm_aes;
85 struct crypto_hash *tfm_cmac;
89 struct l2cap_conn *conn;
90 struct delayed_work security_timer;
91 unsigned long allow_cmd; /* Bitmask of allowed commands */
93 u8 preq[7]; /* SMP Pairing Request */
94 u8 prsp[7]; /* SMP Pairing Response */
95 u8 prnd[16]; /* SMP Pairing Random (local) */
96 u8 rrnd[16]; /* SMP Pairing Random (remote) */
97 u8 pcnf[16]; /* SMP Pairing Confirm */
98 u8 tk[16]; /* SMP Temporary Key */
99 u8 rr[16]; /* Remote OOB ra/rb value */
100 u8 lr[16]; /* Local OOB ra/rb value */
106 struct smp_csrk *csrk;
107 struct smp_csrk *slave_csrk;
109 struct smp_ltk *slave_ltk;
110 struct smp_irk *remote_irk;
116 /* Secure Connections variables */
123 struct crypto_blkcipher *tfm_aes;
124 struct crypto_hash *tfm_cmac;
127 /* These debug key values are defined in the SMP section of the core
128 * specification. debug_pk is the public debug key and debug_sk the
131 static const u8 debug_pk[64] = {
132 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
133 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
134 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
135 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
137 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
138 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
139 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
140 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
143 static const u8 debug_sk[32] = {
144 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
145 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
146 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
147 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
150 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
154 for (i = 0; i < len; i++)
155 dst[len - 1 - i] = src[i];
158 /* The following functions map to the LE SC SMP crypto functions
159 * AES-CMAC, f4, f5, f6, g2 and h6.
162 static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m,
163 size_t len, u8 mac[16])
165 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
166 struct hash_desc desc;
167 struct scatterlist sg;
170 if (len > CMAC_MSG_MAX)
174 BT_ERR("tfm %p", tfm);
181 crypto_hash_init(&desc);
183 /* Swap key and message from LSB to MSB */
184 swap_buf(k, tmp, 16);
185 swap_buf(m, msg_msb, len);
187 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
188 SMP_DBG("key %16phN", k);
190 err = crypto_hash_setkey(tfm, tmp, 16);
192 BT_ERR("cipher setkey failed: %d", err);
196 sg_init_one(&sg, msg_msb, len);
198 err = crypto_hash_update(&desc, &sg, len);
200 BT_ERR("Hash update error %d", err);
204 err = crypto_hash_final(&desc, mac_msb);
206 BT_ERR("Hash final error %d", err);
210 swap_buf(mac_msb, mac, 16);
212 SMP_DBG("mac %16phN", mac);
217 static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
218 const u8 x[16], u8 z, u8 res[16])
223 SMP_DBG("u %32phN", u);
224 SMP_DBG("v %32phN", v);
225 SMP_DBG("x %16phN z %02x", x, z);
228 memcpy(m + 1, v, 32);
229 memcpy(m + 33, u, 32);
231 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
235 SMP_DBG("res %16phN", res);
240 static int smp_f5(struct crypto_hash *tfm_cmac, const u8 w[32],
241 const u8 n1[16], const u8 n2[16], const u8 a1[7],
242 const u8 a2[7], u8 mackey[16], u8 ltk[16])
244 /* The btle, salt and length "magic" values are as defined in
245 * the SMP section of the Bluetooth core specification. In ASCII
246 * the btle value ends up being 'btle'. The salt is just a
247 * random number whereas length is the value 256 in little
250 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
251 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
252 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
253 const u8 length[2] = { 0x00, 0x01 };
257 SMP_DBG("w %32phN", w);
258 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
259 SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
261 err = aes_cmac(tfm_cmac, salt, w, 32, t);
265 SMP_DBG("t %16phN", t);
267 memcpy(m, length, 2);
268 memcpy(m + 2, a2, 7);
269 memcpy(m + 9, a1, 7);
270 memcpy(m + 16, n2, 16);
271 memcpy(m + 32, n1, 16);
272 memcpy(m + 48, btle, 4);
274 m[52] = 0; /* Counter */
276 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
280 SMP_DBG("mackey %16phN", mackey);
282 m[52] = 1; /* Counter */
284 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
288 SMP_DBG("ltk %16phN", ltk);
293 static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16],
294 const u8 n1[16], const u8 n2[16], const u8 r[16],
295 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
301 SMP_DBG("w %16phN", w);
302 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
303 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
306 memcpy(m + 7, a1, 7);
307 memcpy(m + 14, io_cap, 3);
308 memcpy(m + 17, r, 16);
309 memcpy(m + 33, n2, 16);
310 memcpy(m + 49, n1, 16);
312 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
316 SMP_DBG("res %16phN", res);
321 static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
322 const u8 x[16], const u8 y[16], u32 *val)
327 SMP_DBG("u %32phN", u);
328 SMP_DBG("v %32phN", v);
329 SMP_DBG("x %16phN y %16phN", x, y);
332 memcpy(m + 16, v, 32);
333 memcpy(m + 48, u, 32);
335 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
339 *val = get_unaligned_le32(tmp);
342 SMP_DBG("val %06u", *val);
347 static int smp_h6(struct crypto_hash *tfm_cmac, const u8 w[16],
348 const u8 key_id[4], u8 res[16])
352 SMP_DBG("w %16phN key_id %4phN", w, key_id);
354 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
358 SMP_DBG("res %16phN", res);
363 /* The following functions map to the legacy SMP crypto functions e, c1,
367 static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
369 struct blkcipher_desc desc;
370 struct scatterlist sg;
371 uint8_t tmp[16], data[16];
374 SMP_DBG("k %16phN r %16phN", k, r);
377 BT_ERR("tfm %p", tfm);
384 /* The most significant octet of key corresponds to k[0] */
385 swap_buf(k, tmp, 16);
387 err = crypto_blkcipher_setkey(tfm, tmp, 16);
389 BT_ERR("cipher setkey failed: %d", err);
393 /* Most significant octet of plaintextData corresponds to data[0] */
394 swap_buf(r, data, 16);
396 sg_init_one(&sg, data, 16);
398 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
400 BT_ERR("Encrypt data error %d", err);
402 /* Most significant octet of encryptedData corresponds to data[0] */
403 swap_buf(data, r, 16);
405 SMP_DBG("r %16phN", r);
410 static int smp_c1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
411 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
412 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
417 SMP_DBG("k %16phN r %16phN", k, r);
418 SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
419 SMP_DBG("preq %7phN pres %7phN", preq, pres);
423 /* p1 = pres || preq || _rat || _iat */
426 memcpy(p1 + 2, preq, 7);
427 memcpy(p1 + 9, pres, 7);
429 SMP_DBG("p1 %16phN", p1);
432 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
434 /* res = e(k, res) */
435 err = smp_e(tfm_aes, k, res);
437 BT_ERR("Encrypt data error");
441 /* p2 = padding || ia || ra */
443 memcpy(p2 + 6, ia, 6);
444 memset(p2 + 12, 0, 4);
446 SMP_DBG("p2 %16phN", p2);
448 /* res = res XOR p2 */
449 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
451 /* res = e(k, res) */
452 err = smp_e(tfm_aes, k, res);
454 BT_ERR("Encrypt data error");
459 static int smp_s1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
460 const u8 r1[16], const u8 r2[16], u8 _r[16])
464 /* Just least significant octets from r1 and r2 are considered */
466 memcpy(_r + 8, r1, 8);
468 err = smp_e(tfm_aes, k, _r);
470 BT_ERR("Encrypt data error");
475 static int smp_ah(struct crypto_blkcipher *tfm, const u8 irk[16],
476 const u8 r[3], u8 res[3])
481 /* r' = padding || r */
483 memset(_res + 3, 0, 13);
485 err = smp_e(tfm, irk, _res);
487 BT_ERR("Encrypt error");
491 /* The output of the random address function ah is:
492 * ah(h, r) = e(k, r') mod 2^24
493 * The output of the security function e is then truncated to 24 bits
494 * by taking the least significant 24 bits of the output of e as the
497 memcpy(res, _res, 3);
502 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
503 const bdaddr_t *bdaddr)
505 struct l2cap_chan *chan = hdev->smp_data;
510 if (!chan || !chan->data)
515 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
517 err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash);
521 return !memcmp(bdaddr->b, hash, 3);
524 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
526 struct l2cap_chan *chan = hdev->smp_data;
530 if (!chan || !chan->data)
535 get_random_bytes(&rpa->b[3], 3);
537 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
538 rpa->b[5] |= 0x40; /* Set second most significant bit */
540 err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b);
544 BT_DBG("RPA %pMR", rpa);
549 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
551 struct l2cap_chan *chan = hdev->smp_data;
555 if (!chan || !chan->data)
560 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
561 BT_DBG("Using debug keys");
562 memcpy(smp->local_pk, debug_pk, 64);
563 memcpy(smp->local_sk, debug_sk, 32);
564 smp->debug_key = true;
567 /* Generate local key pair for Secure Connections */
568 if (!ecc_make_key(smp->local_pk, smp->local_sk))
571 /* This is unlikely, but we need to check that
572 * we didn't accidentially generate a debug key.
574 if (memcmp(smp->local_sk, debug_sk, 32))
577 smp->debug_key = false;
580 SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
581 SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
582 SMP_DBG("OOB Private Key: %32phN", smp->local_sk);
584 get_random_bytes(smp->local_rand, 16);
586 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
587 smp->local_rand, 0, hash);
591 memcpy(rand, smp->local_rand, 16);
596 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
598 struct l2cap_chan *chan = conn->smp;
599 struct smp_chan *smp;
606 BT_DBG("code 0x%2.2x", code);
608 iv[0].iov_base = &code;
611 iv[1].iov_base = data;
614 memset(&msg, 0, sizeof(msg));
616 iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
618 l2cap_chan_send(chan, &msg, 1 + len);
625 cancel_delayed_work_sync(&smp->security_timer);
626 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
629 static u8 authreq_to_seclevel(u8 authreq)
631 if (authreq & SMP_AUTH_MITM) {
632 if (authreq & SMP_AUTH_SC)
633 return BT_SECURITY_FIPS;
635 return BT_SECURITY_HIGH;
637 return BT_SECURITY_MEDIUM;
641 static __u8 seclevel_to_authreq(__u8 sec_level)
644 case BT_SECURITY_FIPS:
645 case BT_SECURITY_HIGH:
646 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
647 case BT_SECURITY_MEDIUM:
648 return SMP_AUTH_BONDING;
650 return SMP_AUTH_NONE;
654 static void build_pairing_cmd(struct l2cap_conn *conn,
655 struct smp_cmd_pairing *req,
656 struct smp_cmd_pairing *rsp, __u8 authreq)
658 struct l2cap_chan *chan = conn->smp;
659 struct smp_chan *smp = chan->data;
660 struct hci_conn *hcon = conn->hcon;
661 struct hci_dev *hdev = hcon->hdev;
662 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
664 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
665 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
666 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
667 authreq |= SMP_AUTH_BONDING;
669 authreq &= ~SMP_AUTH_BONDING;
672 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
673 remote_dist |= SMP_DIST_ID_KEY;
675 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
676 local_dist |= SMP_DIST_ID_KEY;
678 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
679 (authreq & SMP_AUTH_SC)) {
680 struct oob_data *oob_data;
683 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
684 local_dist |= SMP_DIST_LINK_KEY;
685 remote_dist |= SMP_DIST_LINK_KEY;
688 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
689 bdaddr_type = BDADDR_LE_PUBLIC;
691 bdaddr_type = BDADDR_LE_RANDOM;
693 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
695 if (oob_data && oob_data->present) {
696 set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
697 oob_flag = SMP_OOB_PRESENT;
698 memcpy(smp->rr, oob_data->rand256, 16);
699 memcpy(smp->pcnf, oob_data->hash256, 16);
700 SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
701 SMP_DBG("OOB Remote Random: %16phN", smp->rr);
705 authreq &= ~SMP_AUTH_SC;
709 req->io_capability = conn->hcon->io_capability;
710 req->oob_flag = oob_flag;
711 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
712 req->init_key_dist = local_dist;
713 req->resp_key_dist = remote_dist;
714 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
716 smp->remote_key_dist = remote_dist;
720 rsp->io_capability = conn->hcon->io_capability;
721 rsp->oob_flag = oob_flag;
722 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
723 rsp->init_key_dist = req->init_key_dist & remote_dist;
724 rsp->resp_key_dist = req->resp_key_dist & local_dist;
725 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
727 smp->remote_key_dist = rsp->init_key_dist;
730 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
732 struct l2cap_chan *chan = conn->smp;
733 struct smp_chan *smp = chan->data;
735 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
736 (max_key_size < SMP_MIN_ENC_KEY_SIZE))
737 return SMP_ENC_KEY_SIZE;
739 smp->enc_key_size = max_key_size;
744 static void smp_chan_destroy(struct l2cap_conn *conn)
746 struct l2cap_chan *chan = conn->smp;
747 struct smp_chan *smp = chan->data;
748 struct hci_conn *hcon = conn->hcon;
753 cancel_delayed_work_sync(&smp->security_timer);
755 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
756 mgmt_smp_complete(hcon, complete);
759 kzfree(smp->slave_csrk);
760 kzfree(smp->link_key);
762 crypto_free_blkcipher(smp->tfm_aes);
763 crypto_free_hash(smp->tfm_cmac);
765 /* Ensure that we don't leave any debug key around if debug key
766 * support hasn't been explicitly enabled.
768 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
769 !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
770 list_del_rcu(&smp->ltk->list);
771 kfree_rcu(smp->ltk, rcu);
775 /* If pairing failed clean up any keys we might have */
778 list_del_rcu(&smp->ltk->list);
779 kfree_rcu(smp->ltk, rcu);
782 if (smp->slave_ltk) {
783 list_del_rcu(&smp->slave_ltk->list);
784 kfree_rcu(smp->slave_ltk, rcu);
787 if (smp->remote_irk) {
788 list_del_rcu(&smp->remote_irk->list);
789 kfree_rcu(smp->remote_irk, rcu);
798 static void smp_failure(struct l2cap_conn *conn, u8 reason)
800 struct hci_conn *hcon = conn->hcon;
801 struct l2cap_chan *chan = conn->smp;
804 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
807 clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags);
808 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
811 smp_chan_destroy(conn);
814 #define JUST_WORKS 0x00
815 #define JUST_CFM 0x01
816 #define REQ_PASSKEY 0x02
817 #define CFM_PASSKEY 0x03
819 #define DSP_PASSKEY 0x05
822 static const u8 gen_method[5][5] = {
823 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
824 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
825 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
826 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
827 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
830 static const u8 sc_method[5][5] = {
831 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
832 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
833 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
834 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
835 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
838 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
840 /* If either side has unknown io_caps, use JUST_CFM (which gets
841 * converted later to JUST_WORKS if we're initiators.
843 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
844 remote_io > SMP_IO_KEYBOARD_DISPLAY)
847 if (test_bit(SMP_FLAG_SC, &smp->flags))
848 return sc_method[remote_io][local_io];
850 return gen_method[remote_io][local_io];
853 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
854 u8 local_io, u8 remote_io)
856 struct hci_conn *hcon = conn->hcon;
857 struct l2cap_chan *chan = conn->smp;
858 struct smp_chan *smp = chan->data;
862 /* Initialize key for JUST WORKS */
863 memset(smp->tk, 0, sizeof(smp->tk));
864 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
866 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
868 /* If neither side wants MITM, either "just" confirm an incoming
869 * request or use just-works for outgoing ones. The JUST_CFM
870 * will be converted to JUST_WORKS if necessary later in this
871 * function. If either side has MITM look up the method from the
874 if (!(auth & SMP_AUTH_MITM))
875 smp->method = JUST_CFM;
877 smp->method = get_auth_method(smp, local_io, remote_io);
879 /* Don't confirm locally initiated pairing attempts */
880 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
882 smp->method = JUST_WORKS;
884 /* Don't bother user space with no IO capabilities */
885 if (smp->method == JUST_CFM &&
886 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
887 smp->method = JUST_WORKS;
889 /* If Just Works, Continue with Zero TK */
890 if (smp->method == JUST_WORKS) {
891 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
895 /* If this function is used for SC -> legacy fallback we
896 * can only recover the just-works case.
898 if (test_bit(SMP_FLAG_SC, &smp->flags))
901 /* Not Just Works/Confirm results in MITM Authentication */
902 if (smp->method != JUST_CFM) {
903 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
904 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
905 hcon->pending_sec_level = BT_SECURITY_HIGH;
908 /* If both devices have Keyoard-Display I/O, the master
909 * Confirms and the slave Enters the passkey.
911 if (smp->method == OVERLAP) {
912 if (hcon->role == HCI_ROLE_MASTER)
913 smp->method = CFM_PASSKEY;
915 smp->method = REQ_PASSKEY;
918 /* Generate random passkey. */
919 if (smp->method == CFM_PASSKEY) {
920 memset(smp->tk, 0, sizeof(smp->tk));
921 get_random_bytes(&passkey, sizeof(passkey));
923 put_unaligned_le32(passkey, smp->tk);
924 BT_DBG("PassKey: %d", passkey);
925 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
928 if (smp->method == REQ_PASSKEY)
929 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
930 hcon->type, hcon->dst_type);
931 else if (smp->method == JUST_CFM)
932 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
933 hcon->type, hcon->dst_type,
936 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
937 hcon->type, hcon->dst_type,
943 static u8 smp_confirm(struct smp_chan *smp)
945 struct l2cap_conn *conn = smp->conn;
946 struct smp_cmd_pairing_confirm cp;
949 BT_DBG("conn %p", conn);
951 ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
952 conn->hcon->init_addr_type, &conn->hcon->init_addr,
953 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
956 return SMP_UNSPECIFIED;
958 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
960 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
963 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
965 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
970 static u8 smp_random(struct smp_chan *smp)
972 struct l2cap_conn *conn = smp->conn;
973 struct hci_conn *hcon = conn->hcon;
977 if (IS_ERR_OR_NULL(smp->tfm_aes))
978 return SMP_UNSPECIFIED;
980 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
982 ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
983 hcon->init_addr_type, &hcon->init_addr,
984 hcon->resp_addr_type, &hcon->resp_addr, confirm);
986 return SMP_UNSPECIFIED;
988 if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
989 BT_ERR("Pairing failed (confirmation values mismatch)");
990 return SMP_CONFIRM_FAILED;
998 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
1000 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1001 return SMP_UNSPECIFIED;
1003 hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1004 hcon->enc_key_size = smp->enc_key_size;
1005 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1011 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1014 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
1016 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1021 /* Even though there's no _SLAVE suffix this is the
1022 * slave STK we're adding for later lookup (the master
1023 * STK never needs to be stored).
1025 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1026 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1032 static void smp_notify_keys(struct l2cap_conn *conn)
1034 struct l2cap_chan *chan = conn->smp;
1035 struct smp_chan *smp = chan->data;
1036 struct hci_conn *hcon = conn->hcon;
1037 struct hci_dev *hdev = hcon->hdev;
1038 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1039 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1042 if (smp->remote_irk) {
1043 mgmt_new_irk(hdev, smp->remote_irk);
1044 /* Now that user space can be considered to know the
1045 * identity address track the connection based on it
1046 * from now on (assuming this is an LE link).
1048 if (hcon->type == LE_LINK) {
1049 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1050 hcon->dst_type = smp->remote_irk->addr_type;
1051 queue_work(hdev->workqueue, &conn->id_addr_update_work);
1054 /* When receiving an indentity resolving key for
1055 * a remote device that does not use a resolvable
1056 * private address, just remove the key so that
1057 * it is possible to use the controller white
1058 * list for scanning.
1060 * Userspace will have been told to not store
1061 * this key at this point. So it is safe to
1064 if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) {
1065 list_del_rcu(&smp->remote_irk->list);
1066 kfree_rcu(smp->remote_irk, rcu);
1067 smp->remote_irk = NULL;
1071 if (hcon->type == ACL_LINK) {
1072 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1075 persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1078 /* The LTKs and CSRKs should be persistent only if both sides
1079 * had the bonding bit set in their authentication requests.
1081 persistent = !!((req->auth_req & rsp->auth_req) &
1087 smp->csrk->bdaddr_type = hcon->dst_type;
1088 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1089 mgmt_new_csrk(hdev, smp->csrk, persistent);
1092 if (smp->slave_csrk) {
1093 smp->slave_csrk->bdaddr_type = hcon->dst_type;
1094 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1095 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1099 smp->ltk->bdaddr_type = hcon->dst_type;
1100 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1101 mgmt_new_ltk(hdev, smp->ltk, persistent);
1104 if (smp->slave_ltk) {
1105 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1106 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1107 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1110 if (smp->link_key) {
1111 struct link_key *key;
1114 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1115 type = HCI_LK_DEBUG_COMBINATION;
1116 else if (hcon->sec_level == BT_SECURITY_FIPS)
1117 type = HCI_LK_AUTH_COMBINATION_P256;
1119 type = HCI_LK_UNAUTH_COMBINATION_P256;
1121 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1122 smp->link_key, type, 0, &persistent);
1124 mgmt_new_link_key(hdev, key, persistent);
1126 /* Don't keep debug keys around if the relevant
1129 if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1130 key->type == HCI_LK_DEBUG_COMBINATION) {
1131 list_del_rcu(&key->list);
1132 kfree_rcu(key, rcu);
1138 static void sc_add_ltk(struct smp_chan *smp)
1140 struct hci_conn *hcon = smp->conn->hcon;
1143 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1144 key_type = SMP_LTK_P256_DEBUG;
1146 key_type = SMP_LTK_P256;
1148 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1153 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1154 key_type, auth, smp->tk, smp->enc_key_size,
1158 static void sc_generate_link_key(struct smp_chan *smp)
1160 /* These constants are as specified in the core specification.
1161 * In ASCII they spell out to 'tmp1' and 'lebr'.
1163 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1164 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1166 smp->link_key = kzalloc(16, GFP_KERNEL);
1170 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1171 kzfree(smp->link_key);
1172 smp->link_key = NULL;
1176 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1177 kzfree(smp->link_key);
1178 smp->link_key = NULL;
1183 static void smp_allow_key_dist(struct smp_chan *smp)
1185 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1186 * will be allowed in each PDU handler to ensure we receive
1187 * them in the correct order.
1189 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1190 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1191 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1192 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1193 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1194 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1197 static void sc_generate_ltk(struct smp_chan *smp)
1199 /* These constants are as specified in the core specification.
1200 * In ASCII they spell out to 'tmp2' and 'brle'.
1202 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1203 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1204 struct hci_conn *hcon = smp->conn->hcon;
1205 struct hci_dev *hdev = hcon->hdev;
1206 struct link_key *key;
1208 key = hci_find_link_key(hdev, &hcon->dst);
1210 BT_ERR("%s No Link Key found to generate LTK", hdev->name);
1214 if (key->type == HCI_LK_DEBUG_COMBINATION)
1215 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1217 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1220 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1226 static void smp_distribute_keys(struct smp_chan *smp)
1228 struct smp_cmd_pairing *req, *rsp;
1229 struct l2cap_conn *conn = smp->conn;
1230 struct hci_conn *hcon = conn->hcon;
1231 struct hci_dev *hdev = hcon->hdev;
1234 BT_DBG("conn %p", conn);
1236 rsp = (void *) &smp->prsp[1];
1238 /* The responder sends its keys first */
1239 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1240 smp_allow_key_dist(smp);
1244 req = (void *) &smp->preq[1];
1247 keydist = &rsp->init_key_dist;
1248 *keydist &= req->init_key_dist;
1250 keydist = &rsp->resp_key_dist;
1251 *keydist &= req->resp_key_dist;
1254 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1255 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1256 sc_generate_link_key(smp);
1257 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1258 sc_generate_ltk(smp);
1260 /* Clear the keys which are generated but not distributed */
1261 *keydist &= ~SMP_SC_NO_DIST;
1264 BT_DBG("keydist 0x%x", *keydist);
1266 if (*keydist & SMP_DIST_ENC_KEY) {
1267 struct smp_cmd_encrypt_info enc;
1268 struct smp_cmd_master_ident ident;
1269 struct smp_ltk *ltk;
1274 get_random_bytes(enc.ltk, sizeof(enc.ltk));
1275 get_random_bytes(&ediv, sizeof(ediv));
1276 get_random_bytes(&rand, sizeof(rand));
1278 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1280 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1281 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1282 SMP_LTK_SLAVE, authenticated, enc.ltk,
1283 smp->enc_key_size, ediv, rand);
1284 smp->slave_ltk = ltk;
1289 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1291 *keydist &= ~SMP_DIST_ENC_KEY;
1294 if (*keydist & SMP_DIST_ID_KEY) {
1295 struct smp_cmd_ident_addr_info addrinfo;
1296 struct smp_cmd_ident_info idinfo;
1298 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1300 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1302 /* The hci_conn contains the local identity address
1303 * after the connection has been established.
1305 * This is true even when the connection has been
1306 * established using a resolvable random address.
1308 bacpy(&addrinfo.bdaddr, &hcon->src);
1309 addrinfo.addr_type = hcon->src_type;
1311 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1314 *keydist &= ~SMP_DIST_ID_KEY;
1317 if (*keydist & SMP_DIST_SIGN) {
1318 struct smp_cmd_sign_info sign;
1319 struct smp_csrk *csrk;
1321 /* Generate a new random key */
1322 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1324 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1326 if (hcon->sec_level > BT_SECURITY_MEDIUM)
1327 csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1329 csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1330 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1332 smp->slave_csrk = csrk;
1334 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1336 *keydist &= ~SMP_DIST_SIGN;
1339 /* If there are still keys to be received wait for them */
1340 if (smp->remote_key_dist & KEY_DIST_MASK) {
1341 smp_allow_key_dist(smp);
1345 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1346 smp_notify_keys(conn);
1348 smp_chan_destroy(conn);
1351 static void smp_timeout(struct work_struct *work)
1353 struct smp_chan *smp = container_of(work, struct smp_chan,
1354 security_timer.work);
1355 struct l2cap_conn *conn = smp->conn;
1357 BT_DBG("conn %p", conn);
1359 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1362 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1364 struct l2cap_chan *chan = conn->smp;
1365 struct smp_chan *smp;
1367 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1371 smp->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
1372 if (IS_ERR(smp->tfm_aes)) {
1373 BT_ERR("Unable to create ECB crypto context");
1378 smp->tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
1379 if (IS_ERR(smp->tfm_cmac)) {
1380 BT_ERR("Unable to create CMAC crypto context");
1381 crypto_free_blkcipher(smp->tfm_aes);
1389 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1391 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1393 hci_conn_hold(conn->hcon);
1398 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1400 struct hci_conn *hcon = smp->conn->hcon;
1401 u8 *na, *nb, a[7], b[7];
1411 memcpy(a, &hcon->init_addr, 6);
1412 memcpy(b, &hcon->resp_addr, 6);
1413 a[6] = hcon->init_addr_type;
1414 b[6] = hcon->resp_addr_type;
1416 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1419 static void sc_dhkey_check(struct smp_chan *smp)
1421 struct hci_conn *hcon = smp->conn->hcon;
1422 struct smp_cmd_dhkey_check check;
1423 u8 a[7], b[7], *local_addr, *remote_addr;
1424 u8 io_cap[3], r[16];
1426 memcpy(a, &hcon->init_addr, 6);
1427 memcpy(b, &hcon->resp_addr, 6);
1428 a[6] = hcon->init_addr_type;
1429 b[6] = hcon->resp_addr_type;
1434 memcpy(io_cap, &smp->preq[1], 3);
1438 memcpy(io_cap, &smp->prsp[1], 3);
1441 memset(r, 0, sizeof(r));
1443 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1444 put_unaligned_le32(hcon->passkey_notify, r);
1446 if (smp->method == REQ_OOB)
1447 memcpy(r, smp->rr, 16);
1449 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1450 local_addr, remote_addr, check.e);
1452 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1455 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1457 struct l2cap_conn *conn = smp->conn;
1458 struct hci_conn *hcon = conn->hcon;
1459 struct smp_cmd_pairing_confirm cfm;
1462 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1465 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1467 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1469 return SMP_UNSPECIFIED;
1471 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1476 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1478 struct l2cap_conn *conn = smp->conn;
1479 struct hci_conn *hcon = conn->hcon;
1480 struct hci_dev *hdev = hcon->hdev;
1483 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1484 if (smp->passkey_round >= 20)
1488 case SMP_CMD_PAIRING_RANDOM:
1489 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1492 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1494 return SMP_UNSPECIFIED;
1496 if (memcmp(smp->pcnf, cfm, 16))
1497 return SMP_CONFIRM_FAILED;
1499 smp->passkey_round++;
1501 if (smp->passkey_round == 20) {
1502 /* Generate MacKey and LTK */
1503 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1504 return SMP_UNSPECIFIED;
1507 /* The round is only complete when the initiator
1508 * receives pairing random.
1511 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1512 sizeof(smp->prnd), smp->prnd);
1513 if (smp->passkey_round == 20)
1514 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1516 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1520 /* Start the next round */
1521 if (smp->passkey_round != 20)
1522 return sc_passkey_round(smp, 0);
1524 /* Passkey rounds are complete - start DHKey Check */
1525 sc_dhkey_check(smp);
1526 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1530 case SMP_CMD_PAIRING_CONFIRM:
1531 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1532 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1536 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1539 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1540 sizeof(smp->prnd), smp->prnd);
1544 return sc_passkey_send_confirm(smp);
1546 case SMP_CMD_PUBLIC_KEY:
1548 /* Initiating device starts the round */
1552 BT_DBG("%s Starting passkey round %u", hdev->name,
1553 smp->passkey_round + 1);
1555 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1557 return sc_passkey_send_confirm(smp);
1563 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1565 struct l2cap_conn *conn = smp->conn;
1566 struct hci_conn *hcon = conn->hcon;
1569 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1572 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1573 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1575 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1576 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1578 case MGMT_OP_USER_PASSKEY_REPLY:
1579 hcon->passkey_notify = le32_to_cpu(passkey);
1580 smp->passkey_round = 0;
1582 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1583 smp_op = SMP_CMD_PAIRING_CONFIRM;
1587 if (sc_passkey_round(smp, smp_op))
1593 /* Initiator sends DHKey check first */
1595 sc_dhkey_check(smp);
1596 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1597 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1598 sc_dhkey_check(smp);
1605 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1607 struct l2cap_conn *conn = hcon->l2cap_data;
1608 struct l2cap_chan *chan;
1609 struct smp_chan *smp;
1622 l2cap_chan_lock(chan);
1630 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1631 err = sc_user_reply(smp, mgmt_op, passkey);
1636 case MGMT_OP_USER_PASSKEY_REPLY:
1637 value = le32_to_cpu(passkey);
1638 memset(smp->tk, 0, sizeof(smp->tk));
1639 BT_DBG("PassKey: %d", value);
1640 put_unaligned_le32(value, smp->tk);
1642 case MGMT_OP_USER_CONFIRM_REPLY:
1643 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1645 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1646 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1647 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1651 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1658 /* If it is our turn to send Pairing Confirm, do so now */
1659 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1660 u8 rsp = smp_confirm(smp);
1662 smp_failure(conn, rsp);
1666 l2cap_chan_unlock(chan);
1670 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1671 struct smp_cmd_pairing *req,
1672 struct smp_cmd_pairing *rsp)
1674 struct l2cap_conn *conn = smp->conn;
1675 struct hci_dev *hdev = conn->hcon->hdev;
1676 u8 local_dist = 0, remote_dist = 0;
1678 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1679 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1680 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1683 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1684 remote_dist |= SMP_DIST_ID_KEY;
1686 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1687 local_dist |= SMP_DIST_ID_KEY;
1690 memset(req, 0, sizeof(*req));
1692 req->init_key_dist = local_dist;
1693 req->resp_key_dist = remote_dist;
1694 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1696 smp->remote_key_dist = remote_dist;
1701 memset(rsp, 0, sizeof(*rsp));
1703 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1704 rsp->init_key_dist = req->init_key_dist & remote_dist;
1705 rsp->resp_key_dist = req->resp_key_dist & local_dist;
1707 smp->remote_key_dist = rsp->init_key_dist;
1710 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1712 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1713 struct l2cap_chan *chan = conn->smp;
1714 struct hci_dev *hdev = conn->hcon->hdev;
1715 struct smp_chan *smp;
1716 u8 key_size, auth, sec_level;
1719 BT_DBG("conn %p", conn);
1721 if (skb->len < sizeof(*req))
1722 return SMP_INVALID_PARAMS;
1724 if (conn->hcon->role != HCI_ROLE_SLAVE)
1725 return SMP_CMD_NOTSUPP;
1728 smp = smp_chan_create(conn);
1733 return SMP_UNSPECIFIED;
1735 /* We didn't start the pairing, so match remote */
1736 auth = req->auth_req & AUTH_REQ_MASK(hdev);
1738 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1739 (auth & SMP_AUTH_BONDING))
1740 return SMP_PAIRING_NOTSUPP;
1742 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1743 return SMP_AUTH_REQUIREMENTS;
1745 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1746 memcpy(&smp->preq[1], req, sizeof(*req));
1747 skb_pull(skb, sizeof(*req));
1749 /* If the remote side's OOB flag is set it means it has
1750 * successfully received our local OOB data - therefore set the
1751 * flag to indicate that local OOB is in use.
1753 if (req->oob_flag == SMP_OOB_PRESENT)
1754 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1756 /* SMP over BR/EDR requires special treatment */
1757 if (conn->hcon->type == ACL_LINK) {
1758 /* We must have a BR/EDR SC link */
1759 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1760 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1761 return SMP_CROSS_TRANSP_NOT_ALLOWED;
1763 set_bit(SMP_FLAG_SC, &smp->flags);
1765 build_bredr_pairing_cmd(smp, req, &rsp);
1767 key_size = min(req->max_key_size, rsp.max_key_size);
1768 if (check_enc_key_size(conn, key_size))
1769 return SMP_ENC_KEY_SIZE;
1771 /* Clear bits which are generated but not distributed */
1772 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1774 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1775 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1776 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1778 smp_distribute_keys(smp);
1782 build_pairing_cmd(conn, req, &rsp, auth);
1784 if (rsp.auth_req & SMP_AUTH_SC)
1785 set_bit(SMP_FLAG_SC, &smp->flags);
1787 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1788 sec_level = BT_SECURITY_MEDIUM;
1790 sec_level = authreq_to_seclevel(auth);
1792 if (sec_level > conn->hcon->pending_sec_level)
1793 conn->hcon->pending_sec_level = sec_level;
1795 /* If we need MITM check that it can be achieved */
1796 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1799 method = get_auth_method(smp, conn->hcon->io_capability,
1800 req->io_capability);
1801 if (method == JUST_WORKS || method == JUST_CFM)
1802 return SMP_AUTH_REQUIREMENTS;
1805 key_size = min(req->max_key_size, rsp.max_key_size);
1806 if (check_enc_key_size(conn, key_size))
1807 return SMP_ENC_KEY_SIZE;
1809 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1811 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1812 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1814 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1816 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1818 /* Strictly speaking we shouldn't allow Pairing Confirm for the
1819 * SC case, however some implementations incorrectly copy RFU auth
1820 * req bits from our security request, which may create a false
1821 * positive SC enablement.
1823 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1825 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1826 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1827 /* Clear bits which are generated but not distributed */
1828 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1829 /* Wait for Public Key from Initiating Device */
1833 /* Request setup of TK */
1834 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1836 return SMP_UNSPECIFIED;
1841 static u8 sc_send_public_key(struct smp_chan *smp)
1843 struct hci_dev *hdev = smp->conn->hcon->hdev;
1847 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1848 struct l2cap_chan *chan = hdev->smp_data;
1849 struct smp_dev *smp_dev;
1851 if (!chan || !chan->data)
1852 return SMP_UNSPECIFIED;
1854 smp_dev = chan->data;
1856 memcpy(smp->local_pk, smp_dev->local_pk, 64);
1857 memcpy(smp->local_sk, smp_dev->local_sk, 32);
1858 memcpy(smp->lr, smp_dev->local_rand, 16);
1860 if (smp_dev->debug_key)
1861 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1866 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1867 BT_DBG("Using debug keys");
1868 memcpy(smp->local_pk, debug_pk, 64);
1869 memcpy(smp->local_sk, debug_sk, 32);
1870 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1873 /* Generate local key pair for Secure Connections */
1874 if (!ecc_make_key(smp->local_pk, smp->local_sk))
1875 return SMP_UNSPECIFIED;
1877 /* This is unlikely, but we need to check that
1878 * we didn't accidentially generate a debug key.
1880 if (memcmp(smp->local_sk, debug_sk, 32))
1886 SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1887 SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1888 SMP_DBG("Local Private Key: %32phN", smp->local_sk);
1890 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1895 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1897 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1898 struct l2cap_chan *chan = conn->smp;
1899 struct smp_chan *smp = chan->data;
1900 struct hci_dev *hdev = conn->hcon->hdev;
1904 BT_DBG("conn %p", conn);
1906 if (skb->len < sizeof(*rsp))
1907 return SMP_INVALID_PARAMS;
1909 if (conn->hcon->role != HCI_ROLE_MASTER)
1910 return SMP_CMD_NOTSUPP;
1912 skb_pull(skb, sizeof(*rsp));
1914 req = (void *) &smp->preq[1];
1916 key_size = min(req->max_key_size, rsp->max_key_size);
1917 if (check_enc_key_size(conn, key_size))
1918 return SMP_ENC_KEY_SIZE;
1920 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1922 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1923 return SMP_AUTH_REQUIREMENTS;
1925 /* If the remote side's OOB flag is set it means it has
1926 * successfully received our local OOB data - therefore set the
1927 * flag to indicate that local OOB is in use.
1929 if (rsp->oob_flag == SMP_OOB_PRESENT)
1930 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1932 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1933 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1935 /* Update remote key distribution in case the remote cleared
1936 * some bits that we had enabled in our request.
1938 smp->remote_key_dist &= rsp->resp_key_dist;
1940 /* For BR/EDR this means we're done and can start phase 3 */
1941 if (conn->hcon->type == ACL_LINK) {
1942 /* Clear bits which are generated but not distributed */
1943 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1944 smp_distribute_keys(smp);
1948 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1949 set_bit(SMP_FLAG_SC, &smp->flags);
1950 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1951 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1953 /* If we need MITM check that it can be achieved */
1954 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1957 method = get_auth_method(smp, req->io_capability,
1958 rsp->io_capability);
1959 if (method == JUST_WORKS || method == JUST_CFM)
1960 return SMP_AUTH_REQUIREMENTS;
1963 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1965 /* Update remote key distribution in case the remote cleared
1966 * some bits that we had enabled in our request.
1968 smp->remote_key_dist &= rsp->resp_key_dist;
1970 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1971 /* Clear bits which are generated but not distributed */
1972 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1973 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1974 return sc_send_public_key(smp);
1977 auth |= req->auth_req;
1979 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
1981 return SMP_UNSPECIFIED;
1983 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1985 /* Can't compose response until we have been confirmed */
1986 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1987 return smp_confirm(smp);
1992 static u8 sc_check_confirm(struct smp_chan *smp)
1994 struct l2cap_conn *conn = smp->conn;
1998 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1999 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2001 if (conn->hcon->out) {
2002 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2004 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2010 /* Work-around for some implementations that incorrectly copy RFU bits
2011 * from our security request and thereby create the impression that
2012 * we're doing SC when in fact the remote doesn't support it.
2014 static int fixup_sc_false_positive(struct smp_chan *smp)
2016 struct l2cap_conn *conn = smp->conn;
2017 struct hci_conn *hcon = conn->hcon;
2018 struct hci_dev *hdev = hcon->hdev;
2019 struct smp_cmd_pairing *req, *rsp;
2022 /* The issue is only observed when we're in slave role */
2024 return SMP_UNSPECIFIED;
2026 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2027 BT_ERR("Refusing SMP SC -> legacy fallback in SC-only mode");
2028 return SMP_UNSPECIFIED;
2031 BT_ERR("Trying to fall back to legacy SMP");
2033 req = (void *) &smp->preq[1];
2034 rsp = (void *) &smp->prsp[1];
2036 /* Rebuild key dist flags which may have been cleared for SC */
2037 smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2039 auth = req->auth_req & AUTH_REQ_MASK(hdev);
2041 if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2042 BT_ERR("Failed to fall back to legacy SMP");
2043 return SMP_UNSPECIFIED;
2046 clear_bit(SMP_FLAG_SC, &smp->flags);
2051 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2053 struct l2cap_chan *chan = conn->smp;
2054 struct smp_chan *smp = chan->data;
2056 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
2058 if (skb->len < sizeof(smp->pcnf))
2059 return SMP_INVALID_PARAMS;
2061 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2062 skb_pull(skb, sizeof(smp->pcnf));
2064 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2067 /* Public Key exchange must happen before any other steps */
2068 if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2069 return sc_check_confirm(smp);
2071 BT_ERR("Unexpected SMP Pairing Confirm");
2073 ret = fixup_sc_false_positive(smp);
2078 if (conn->hcon->out) {
2079 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2081 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2085 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2086 return smp_confirm(smp);
2088 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2093 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2095 struct l2cap_chan *chan = conn->smp;
2096 struct smp_chan *smp = chan->data;
2097 struct hci_conn *hcon = conn->hcon;
2098 u8 *pkax, *pkbx, *na, *nb;
2102 BT_DBG("conn %p", conn);
2104 if (skb->len < sizeof(smp->rrnd))
2105 return SMP_INVALID_PARAMS;
2107 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2108 skb_pull(skb, sizeof(smp->rrnd));
2110 if (!test_bit(SMP_FLAG_SC, &smp->flags))
2111 return smp_random(smp);
2114 pkax = smp->local_pk;
2115 pkbx = smp->remote_pk;
2119 pkax = smp->remote_pk;
2120 pkbx = smp->local_pk;
2125 if (smp->method == REQ_OOB) {
2127 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2128 sizeof(smp->prnd), smp->prnd);
2129 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2130 goto mackey_and_ltk;
2133 /* Passkey entry has special treatment */
2134 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2135 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2140 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2143 return SMP_UNSPECIFIED;
2145 if (memcmp(smp->pcnf, cfm, 16))
2146 return SMP_CONFIRM_FAILED;
2148 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2150 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2154 /* Generate MacKey and LTK */
2155 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2157 return SMP_UNSPECIFIED;
2159 if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2161 sc_dhkey_check(smp);
2162 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2167 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2169 return SMP_UNSPECIFIED;
2171 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2172 hcon->dst_type, passkey, 0);
2174 return SMP_UNSPECIFIED;
2176 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2181 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2183 struct smp_ltk *key;
2184 struct hci_conn *hcon = conn->hcon;
2186 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2190 if (smp_ltk_sec_level(key) < sec_level)
2193 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2196 hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2197 hcon->enc_key_size = key->enc_size;
2199 /* We never store STKs for master role, so clear this flag */
2200 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2205 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2206 enum smp_key_pref key_pref)
2208 if (sec_level == BT_SECURITY_LOW)
2211 /* If we're encrypted with an STK but the caller prefers using
2212 * LTK claim insufficient security. This way we allow the
2213 * connection to be re-encrypted with an LTK, even if the LTK
2214 * provides the same level of security. Only exception is if we
2215 * don't have an LTK (e.g. because of key distribution bits).
2217 if (key_pref == SMP_USE_LTK &&
2218 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2219 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2222 if (hcon->sec_level >= sec_level)
2228 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2230 struct smp_cmd_security_req *rp = (void *) skb->data;
2231 struct smp_cmd_pairing cp;
2232 struct hci_conn *hcon = conn->hcon;
2233 struct hci_dev *hdev = hcon->hdev;
2234 struct smp_chan *smp;
2237 BT_DBG("conn %p", conn);
2239 if (skb->len < sizeof(*rp))
2240 return SMP_INVALID_PARAMS;
2242 if (hcon->role != HCI_ROLE_MASTER)
2243 return SMP_CMD_NOTSUPP;
2245 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2247 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2248 return SMP_AUTH_REQUIREMENTS;
2250 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2251 sec_level = BT_SECURITY_MEDIUM;
2253 sec_level = authreq_to_seclevel(auth);
2255 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2258 if (sec_level > hcon->pending_sec_level)
2259 hcon->pending_sec_level = sec_level;
2261 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2264 smp = smp_chan_create(conn);
2266 return SMP_UNSPECIFIED;
2268 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2269 (auth & SMP_AUTH_BONDING))
2270 return SMP_PAIRING_NOTSUPP;
2272 skb_pull(skb, sizeof(*rp));
2274 memset(&cp, 0, sizeof(cp));
2275 build_pairing_cmd(conn, &cp, NULL, auth);
2277 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2278 memcpy(&smp->preq[1], &cp, sizeof(cp));
2280 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2281 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2286 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2288 struct l2cap_conn *conn = hcon->l2cap_data;
2289 struct l2cap_chan *chan;
2290 struct smp_chan *smp;
2294 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2296 /* This may be NULL if there's an unexpected disconnection */
2302 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2305 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2308 if (sec_level > hcon->pending_sec_level)
2309 hcon->pending_sec_level = sec_level;
2311 if (hcon->role == HCI_ROLE_MASTER)
2312 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2315 l2cap_chan_lock(chan);
2317 /* If SMP is already in progress ignore this request */
2323 smp = smp_chan_create(conn);
2329 authreq = seclevel_to_authreq(sec_level);
2331 if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED))
2332 authreq |= SMP_AUTH_SC;
2334 /* Require MITM if IO Capability allows or the security level
2337 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2338 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2339 authreq |= SMP_AUTH_MITM;
2341 if (hcon->role == HCI_ROLE_MASTER) {
2342 struct smp_cmd_pairing cp;
2344 build_pairing_cmd(conn, &cp, NULL, authreq);
2345 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2346 memcpy(&smp->preq[1], &cp, sizeof(cp));
2348 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2349 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2351 struct smp_cmd_security_req cp;
2352 cp.auth_req = authreq;
2353 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2354 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2357 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2361 l2cap_chan_unlock(chan);
2365 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2367 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2368 struct l2cap_chan *chan = conn->smp;
2369 struct smp_chan *smp = chan->data;
2371 BT_DBG("conn %p", conn);
2373 if (skb->len < sizeof(*rp))
2374 return SMP_INVALID_PARAMS;
2376 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2378 skb_pull(skb, sizeof(*rp));
2380 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2385 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2387 struct smp_cmd_master_ident *rp = (void *) skb->data;
2388 struct l2cap_chan *chan = conn->smp;
2389 struct smp_chan *smp = chan->data;
2390 struct hci_dev *hdev = conn->hcon->hdev;
2391 struct hci_conn *hcon = conn->hcon;
2392 struct smp_ltk *ltk;
2395 BT_DBG("conn %p", conn);
2397 if (skb->len < sizeof(*rp))
2398 return SMP_INVALID_PARAMS;
2400 /* Mark the information as received */
2401 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2403 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2404 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2405 else if (smp->remote_key_dist & SMP_DIST_SIGN)
2406 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2408 skb_pull(skb, sizeof(*rp));
2410 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2411 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2412 authenticated, smp->tk, smp->enc_key_size,
2413 rp->ediv, rp->rand);
2415 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2416 smp_distribute_keys(smp);
2421 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2423 struct smp_cmd_ident_info *info = (void *) skb->data;
2424 struct l2cap_chan *chan = conn->smp;
2425 struct smp_chan *smp = chan->data;
2429 if (skb->len < sizeof(*info))
2430 return SMP_INVALID_PARAMS;
2432 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2434 skb_pull(skb, sizeof(*info));
2436 memcpy(smp->irk, info->irk, 16);
2441 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2442 struct sk_buff *skb)
2444 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2445 struct l2cap_chan *chan = conn->smp;
2446 struct smp_chan *smp = chan->data;
2447 struct hci_conn *hcon = conn->hcon;
2452 if (skb->len < sizeof(*info))
2453 return SMP_INVALID_PARAMS;
2455 /* Mark the information as received */
2456 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2458 if (smp->remote_key_dist & SMP_DIST_SIGN)
2459 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2461 skb_pull(skb, sizeof(*info));
2463 /* Strictly speaking the Core Specification (4.1) allows sending
2464 * an empty address which would force us to rely on just the IRK
2465 * as "identity information". However, since such
2466 * implementations are not known of and in order to not over
2467 * complicate our implementation, simply pretend that we never
2468 * received an IRK for such a device.
2470 * The Identity Address must also be a Static Random or Public
2471 * Address, which hci_is_identity_address() checks for.
2473 if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2474 !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2475 BT_ERR("Ignoring IRK with no identity address");
2479 bacpy(&smp->id_addr, &info->bdaddr);
2480 smp->id_addr_type = info->addr_type;
2482 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2483 bacpy(&rpa, &hcon->dst);
2485 bacpy(&rpa, BDADDR_ANY);
2487 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2488 smp->id_addr_type, smp->irk, &rpa);
2491 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2492 smp_distribute_keys(smp);
2497 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2499 struct smp_cmd_sign_info *rp = (void *) skb->data;
2500 struct l2cap_chan *chan = conn->smp;
2501 struct smp_chan *smp = chan->data;
2502 struct smp_csrk *csrk;
2504 BT_DBG("conn %p", conn);
2506 if (skb->len < sizeof(*rp))
2507 return SMP_INVALID_PARAMS;
2509 /* Mark the information as received */
2510 smp->remote_key_dist &= ~SMP_DIST_SIGN;
2512 skb_pull(skb, sizeof(*rp));
2514 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2516 if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2517 csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2519 csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2520 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2523 smp_distribute_keys(smp);
2528 static u8 sc_select_method(struct smp_chan *smp)
2530 struct l2cap_conn *conn = smp->conn;
2531 struct hci_conn *hcon = conn->hcon;
2532 struct smp_cmd_pairing *local, *remote;
2533 u8 local_mitm, remote_mitm, local_io, remote_io, method;
2535 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2536 test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2539 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2540 * which are needed as inputs to some crypto functions. To get
2541 * the "struct smp_cmd_pairing" from them we need to skip the
2542 * first byte which contains the opcode.
2545 local = (void *) &smp->preq[1];
2546 remote = (void *) &smp->prsp[1];
2548 local = (void *) &smp->prsp[1];
2549 remote = (void *) &smp->preq[1];
2552 local_io = local->io_capability;
2553 remote_io = remote->io_capability;
2555 local_mitm = (local->auth_req & SMP_AUTH_MITM);
2556 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2558 /* If either side wants MITM, look up the method from the table,
2559 * otherwise use JUST WORKS.
2561 if (local_mitm || remote_mitm)
2562 method = get_auth_method(smp, local_io, remote_io);
2564 method = JUST_WORKS;
2566 /* Don't confirm locally initiated pairing attempts */
2567 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2568 method = JUST_WORKS;
2573 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2575 struct smp_cmd_public_key *key = (void *) skb->data;
2576 struct hci_conn *hcon = conn->hcon;
2577 struct l2cap_chan *chan = conn->smp;
2578 struct smp_chan *smp = chan->data;
2579 struct hci_dev *hdev = hcon->hdev;
2580 struct smp_cmd_pairing_confirm cfm;
2583 BT_DBG("conn %p", conn);
2585 if (skb->len < sizeof(*key))
2586 return SMP_INVALID_PARAMS;
2588 memcpy(smp->remote_pk, key, 64);
2590 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2591 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2592 smp->rr, 0, cfm.confirm_val);
2594 return SMP_UNSPECIFIED;
2596 if (memcmp(cfm.confirm_val, smp->pcnf, 16))
2597 return SMP_CONFIRM_FAILED;
2600 /* Non-initiating device sends its public key after receiving
2601 * the key from the initiating device.
2604 err = sc_send_public_key(smp);
2609 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2610 SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2612 if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2613 return SMP_UNSPECIFIED;
2615 SMP_DBG("DHKey %32phN", smp->dhkey);
2617 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2619 smp->method = sc_select_method(smp);
2621 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2623 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2624 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2625 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2627 hcon->pending_sec_level = BT_SECURITY_FIPS;
2629 if (!memcmp(debug_pk, smp->remote_pk, 64))
2630 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2632 if (smp->method == DSP_PASSKEY) {
2633 get_random_bytes(&hcon->passkey_notify,
2634 sizeof(hcon->passkey_notify));
2635 hcon->passkey_notify %= 1000000;
2636 hcon->passkey_entered = 0;
2637 smp->passkey_round = 0;
2638 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2640 hcon->passkey_notify,
2641 hcon->passkey_entered))
2642 return SMP_UNSPECIFIED;
2643 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2644 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2647 if (smp->method == REQ_OOB) {
2649 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2650 sizeof(smp->prnd), smp->prnd);
2652 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2658 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2660 if (smp->method == REQ_PASSKEY) {
2661 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2663 return SMP_UNSPECIFIED;
2664 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2665 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2669 /* The Initiating device waits for the non-initiating device to
2670 * send the confirm value.
2672 if (conn->hcon->out)
2675 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2676 0, cfm.confirm_val);
2678 return SMP_UNSPECIFIED;
2680 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2681 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2686 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2688 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2689 struct l2cap_chan *chan = conn->smp;
2690 struct hci_conn *hcon = conn->hcon;
2691 struct smp_chan *smp = chan->data;
2692 u8 a[7], b[7], *local_addr, *remote_addr;
2693 u8 io_cap[3], r[16], e[16];
2696 BT_DBG("conn %p", conn);
2698 if (skb->len < sizeof(*check))
2699 return SMP_INVALID_PARAMS;
2701 memcpy(a, &hcon->init_addr, 6);
2702 memcpy(b, &hcon->resp_addr, 6);
2703 a[6] = hcon->init_addr_type;
2704 b[6] = hcon->resp_addr_type;
2709 memcpy(io_cap, &smp->prsp[1], 3);
2713 memcpy(io_cap, &smp->preq[1], 3);
2716 memset(r, 0, sizeof(r));
2718 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2719 put_unaligned_le32(hcon->passkey_notify, r);
2720 else if (smp->method == REQ_OOB)
2721 memcpy(r, smp->lr, 16);
2723 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2724 io_cap, remote_addr, local_addr, e);
2726 return SMP_UNSPECIFIED;
2728 if (memcmp(check->e, e, 16))
2729 return SMP_DHKEY_CHECK_FAILED;
2732 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2733 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2737 /* Slave sends DHKey check as response to master */
2738 sc_dhkey_check(smp);
2744 hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2745 hcon->enc_key_size = smp->enc_key_size;
2751 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2752 struct sk_buff *skb)
2754 struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2756 BT_DBG("value 0x%02x", kp->value);
2761 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2763 struct l2cap_conn *conn = chan->conn;
2764 struct hci_conn *hcon = conn->hcon;
2765 struct smp_chan *smp;
2772 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2773 reason = SMP_PAIRING_NOTSUPP;
2777 code = skb->data[0];
2778 skb_pull(skb, sizeof(code));
2782 if (code > SMP_CMD_MAX)
2785 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2788 /* If we don't have a context the only allowed commands are
2789 * pairing request and security request.
2791 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2795 case SMP_CMD_PAIRING_REQ:
2796 reason = smp_cmd_pairing_req(conn, skb);
2799 case SMP_CMD_PAIRING_FAIL:
2800 smp_failure(conn, 0);
2804 case SMP_CMD_PAIRING_RSP:
2805 reason = smp_cmd_pairing_rsp(conn, skb);
2808 case SMP_CMD_SECURITY_REQ:
2809 reason = smp_cmd_security_req(conn, skb);
2812 case SMP_CMD_PAIRING_CONFIRM:
2813 reason = smp_cmd_pairing_confirm(conn, skb);
2816 case SMP_CMD_PAIRING_RANDOM:
2817 reason = smp_cmd_pairing_random(conn, skb);
2820 case SMP_CMD_ENCRYPT_INFO:
2821 reason = smp_cmd_encrypt_info(conn, skb);
2824 case SMP_CMD_MASTER_IDENT:
2825 reason = smp_cmd_master_ident(conn, skb);
2828 case SMP_CMD_IDENT_INFO:
2829 reason = smp_cmd_ident_info(conn, skb);
2832 case SMP_CMD_IDENT_ADDR_INFO:
2833 reason = smp_cmd_ident_addr_info(conn, skb);
2836 case SMP_CMD_SIGN_INFO:
2837 reason = smp_cmd_sign_info(conn, skb);
2840 case SMP_CMD_PUBLIC_KEY:
2841 reason = smp_cmd_public_key(conn, skb);
2844 case SMP_CMD_DHKEY_CHECK:
2845 reason = smp_cmd_dhkey_check(conn, skb);
2848 case SMP_CMD_KEYPRESS_NOTIFY:
2849 reason = smp_cmd_keypress_notify(conn, skb);
2853 BT_DBG("Unknown command code 0x%2.2x", code);
2854 reason = SMP_CMD_NOTSUPP;
2861 smp_failure(conn, reason);
2868 BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2874 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2876 struct l2cap_conn *conn = chan->conn;
2878 BT_DBG("chan %p", chan);
2881 smp_chan_destroy(conn);
2884 l2cap_chan_put(chan);
2887 static void bredr_pairing(struct l2cap_chan *chan)
2889 struct l2cap_conn *conn = chan->conn;
2890 struct hci_conn *hcon = conn->hcon;
2891 struct hci_dev *hdev = hcon->hdev;
2892 struct smp_cmd_pairing req;
2893 struct smp_chan *smp;
2895 BT_DBG("chan %p", chan);
2897 /* Only new pairings are interesting */
2898 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2901 /* Don't bother if we're not encrypted */
2902 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2905 /* Only master may initiate SMP over BR/EDR */
2906 if (hcon->role != HCI_ROLE_MASTER)
2909 /* Secure Connections support must be enabled */
2910 if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
2913 /* BR/EDR must use Secure Connections for SMP */
2914 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
2915 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
2918 /* If our LE support is not enabled don't do anything */
2919 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
2922 /* Don't bother if remote LE support is not enabled */
2923 if (!lmp_host_le_capable(hcon))
2926 /* Remote must support SMP fixed chan for BR/EDR */
2927 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
2930 /* Don't bother if SMP is already ongoing */
2934 smp = smp_chan_create(conn);
2936 BT_ERR("%s unable to create SMP context for BR/EDR",
2941 set_bit(SMP_FLAG_SC, &smp->flags);
2943 BT_DBG("%s starting SMP over BR/EDR", hdev->name);
2945 /* Prepare and send the BR/EDR SMP Pairing Request */
2946 build_bredr_pairing_cmd(smp, &req, NULL);
2948 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2949 memcpy(&smp->preq[1], &req, sizeof(req));
2951 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
2952 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2955 static void smp_resume_cb(struct l2cap_chan *chan)
2957 struct smp_chan *smp = chan->data;
2958 struct l2cap_conn *conn = chan->conn;
2959 struct hci_conn *hcon = conn->hcon;
2961 BT_DBG("chan %p", chan);
2963 if (hcon->type == ACL_LINK) {
2964 bredr_pairing(chan);
2971 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2974 cancel_delayed_work(&smp->security_timer);
2976 smp_distribute_keys(smp);
2979 static void smp_ready_cb(struct l2cap_chan *chan)
2981 struct l2cap_conn *conn = chan->conn;
2982 struct hci_conn *hcon = conn->hcon;
2984 BT_DBG("chan %p", chan);
2987 l2cap_chan_hold(chan);
2989 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2990 bredr_pairing(chan);
2993 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
2997 BT_DBG("chan %p", chan);
2999 err = smp_sig_channel(chan, skb);
3001 struct smp_chan *smp = chan->data;
3004 cancel_delayed_work_sync(&smp->security_timer);
3006 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3012 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3013 unsigned long hdr_len,
3014 unsigned long len, int nb)
3016 struct sk_buff *skb;
3018 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3020 return ERR_PTR(-ENOMEM);
3022 skb->priority = HCI_PRIO_MAX;
3023 bt_cb(skb)->l2cap.chan = chan;
3028 static const struct l2cap_ops smp_chan_ops = {
3029 .name = "Security Manager",
3030 .ready = smp_ready_cb,
3031 .recv = smp_recv_cb,
3032 .alloc_skb = smp_alloc_skb_cb,
3033 .teardown = smp_teardown_cb,
3034 .resume = smp_resume_cb,
3036 .new_connection = l2cap_chan_no_new_connection,
3037 .state_change = l2cap_chan_no_state_change,
3038 .close = l2cap_chan_no_close,
3039 .defer = l2cap_chan_no_defer,
3040 .suspend = l2cap_chan_no_suspend,
3041 .set_shutdown = l2cap_chan_no_set_shutdown,
3042 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
3045 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3047 struct l2cap_chan *chan;
3049 BT_DBG("pchan %p", pchan);
3051 chan = l2cap_chan_create();
3055 chan->chan_type = pchan->chan_type;
3056 chan->ops = &smp_chan_ops;
3057 chan->scid = pchan->scid;
3058 chan->dcid = chan->scid;
3059 chan->imtu = pchan->imtu;
3060 chan->omtu = pchan->omtu;
3061 chan->mode = pchan->mode;
3063 /* Other L2CAP channels may request SMP routines in order to
3064 * change the security level. This means that the SMP channel
3065 * lock must be considered in its own category to avoid lockdep
3068 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3070 BT_DBG("created chan %p", chan);
3075 static const struct l2cap_ops smp_root_chan_ops = {
3076 .name = "Security Manager Root",
3077 .new_connection = smp_new_conn_cb,
3079 /* None of these are implemented for the root channel */
3080 .close = l2cap_chan_no_close,
3081 .alloc_skb = l2cap_chan_no_alloc_skb,
3082 .recv = l2cap_chan_no_recv,
3083 .state_change = l2cap_chan_no_state_change,
3084 .teardown = l2cap_chan_no_teardown,
3085 .ready = l2cap_chan_no_ready,
3086 .defer = l2cap_chan_no_defer,
3087 .suspend = l2cap_chan_no_suspend,
3088 .resume = l2cap_chan_no_resume,
3089 .set_shutdown = l2cap_chan_no_set_shutdown,
3090 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
3093 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3095 struct l2cap_chan *chan;
3096 struct smp_dev *smp;
3097 struct crypto_blkcipher *tfm_aes;
3098 struct crypto_hash *tfm_cmac;
3100 if (cid == L2CAP_CID_SMP_BREDR) {
3105 smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3107 return ERR_PTR(-ENOMEM);
3109 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
3110 if (IS_ERR(tfm_aes)) {
3111 BT_ERR("Unable to create ECB crypto context");
3113 return ERR_CAST(tfm_aes);
3116 tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3117 if (IS_ERR(tfm_cmac)) {
3118 BT_ERR("Unable to create CMAC crypto context");
3119 crypto_free_blkcipher(tfm_aes);
3121 return ERR_CAST(tfm_cmac);
3124 smp->tfm_aes = tfm_aes;
3125 smp->tfm_cmac = tfm_cmac;
3128 chan = l2cap_chan_create();
3131 crypto_free_blkcipher(smp->tfm_aes);
3132 crypto_free_hash(smp->tfm_cmac);
3135 return ERR_PTR(-ENOMEM);
3140 l2cap_add_scid(chan, cid);
3142 l2cap_chan_set_defaults(chan);
3144 if (cid == L2CAP_CID_SMP) {
3147 hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3149 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3150 chan->src_type = BDADDR_LE_PUBLIC;
3152 chan->src_type = BDADDR_LE_RANDOM;
3154 bacpy(&chan->src, &hdev->bdaddr);
3155 chan->src_type = BDADDR_BREDR;
3158 chan->state = BT_LISTEN;
3159 chan->mode = L2CAP_MODE_BASIC;
3160 chan->imtu = L2CAP_DEFAULT_MTU;
3161 chan->ops = &smp_root_chan_ops;
3163 /* Set correct nesting level for a parent/listening channel */
3164 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3169 static void smp_del_chan(struct l2cap_chan *chan)
3171 struct smp_dev *smp;
3173 BT_DBG("chan %p", chan);
3179 crypto_free_blkcipher(smp->tfm_aes);
3181 crypto_free_hash(smp->tfm_cmac);
3185 l2cap_chan_put(chan);
3188 static ssize_t force_bredr_smp_read(struct file *file,
3189 char __user *user_buf,
3190 size_t count, loff_t *ppos)
3192 struct hci_dev *hdev = file->private_data;
3195 buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3198 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3201 static ssize_t force_bredr_smp_write(struct file *file,
3202 const char __user *user_buf,
3203 size_t count, loff_t *ppos)
3205 struct hci_dev *hdev = file->private_data;
3207 size_t buf_size = min(count, (sizeof(buf)-1));
3210 if (copy_from_user(buf, user_buf, buf_size))
3213 buf[buf_size] = '\0';
3214 if (strtobool(buf, &enable))
3217 if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3221 struct l2cap_chan *chan;
3223 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3225 return PTR_ERR(chan);
3227 hdev->smp_bredr_data = chan;
3229 struct l2cap_chan *chan;
3231 chan = hdev->smp_bredr_data;
3232 hdev->smp_bredr_data = NULL;
3236 hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3241 static const struct file_operations force_bredr_smp_fops = {
3242 .open = simple_open,
3243 .read = force_bredr_smp_read,
3244 .write = force_bredr_smp_write,
3245 .llseek = default_llseek,
3248 int smp_register(struct hci_dev *hdev)
3250 struct l2cap_chan *chan;
3252 BT_DBG("%s", hdev->name);
3254 /* If the controller does not support Low Energy operation, then
3255 * there is also no need to register any SMP channel.
3257 if (!lmp_le_capable(hdev))
3260 if (WARN_ON(hdev->smp_data)) {
3261 chan = hdev->smp_data;
3262 hdev->smp_data = NULL;
3266 chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3268 return PTR_ERR(chan);
3270 hdev->smp_data = chan;
3272 /* If the controller does not support BR/EDR Secure Connections
3273 * feature, then the BR/EDR SMP channel shall not be present.
3275 * To test this with Bluetooth 4.0 controllers, create a debugfs
3276 * switch that allows forcing BR/EDR SMP support and accepting
3277 * cross-transport pairing on non-AES encrypted connections.
3279 if (!lmp_sc_capable(hdev)) {
3280 debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3281 hdev, &force_bredr_smp_fops);
3285 if (WARN_ON(hdev->smp_bredr_data)) {
3286 chan = hdev->smp_bredr_data;
3287 hdev->smp_bredr_data = NULL;
3291 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3293 int err = PTR_ERR(chan);
3294 chan = hdev->smp_data;
3295 hdev->smp_data = NULL;
3300 hdev->smp_bredr_data = chan;
3305 void smp_unregister(struct hci_dev *hdev)
3307 struct l2cap_chan *chan;
3309 if (hdev->smp_bredr_data) {
3310 chan = hdev->smp_bredr_data;
3311 hdev->smp_bredr_data = NULL;
3315 if (hdev->smp_data) {
3316 chan = hdev->smp_data;
3317 hdev->smp_data = NULL;
3322 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3324 static int __init test_ah(struct crypto_blkcipher *tfm_aes)
3326 const u8 irk[16] = {
3327 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3328 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3329 const u8 r[3] = { 0x94, 0x81, 0x70 };
3330 const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3334 err = smp_ah(tfm_aes, irk, r, res);
3338 if (memcmp(res, exp, 3))
3344 static int __init test_c1(struct crypto_blkcipher *tfm_aes)
3347 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3348 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3350 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3351 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3352 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3353 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3354 const u8 _iat = 0x01;
3355 const u8 _rat = 0x00;
3356 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3357 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3358 const u8 exp[16] = {
3359 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3360 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3364 err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3368 if (memcmp(res, exp, 16))
3374 static int __init test_s1(struct crypto_blkcipher *tfm_aes)
3377 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3378 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3380 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3382 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3383 const u8 exp[16] = {
3384 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3385 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3389 err = smp_s1(tfm_aes, k, r1, r2, res);
3393 if (memcmp(res, exp, 16))
3399 static int __init test_f4(struct crypto_hash *tfm_cmac)
3402 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3403 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3404 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3405 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3407 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3408 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3409 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3410 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3412 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3413 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3415 const u8 exp[16] = {
3416 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3417 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3421 err = smp_f4(tfm_cmac, u, v, x, z, res);
3425 if (memcmp(res, exp, 16))
3431 static int __init test_f5(struct crypto_hash *tfm_cmac)
3434 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3435 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3436 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3437 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3439 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3440 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3442 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3443 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3444 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3445 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3446 const u8 exp_ltk[16] = {
3447 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3448 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3449 const u8 exp_mackey[16] = {
3450 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3451 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3452 u8 mackey[16], ltk[16];
3455 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3459 if (memcmp(mackey, exp_mackey, 16))
3462 if (memcmp(ltk, exp_ltk, 16))
3468 static int __init test_f6(struct crypto_hash *tfm_cmac)
3471 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3472 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3474 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3475 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3477 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3478 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3480 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3481 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3482 const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3483 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3484 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3485 const u8 exp[16] = {
3486 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3487 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3491 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3495 if (memcmp(res, exp, 16))
3501 static int __init test_g2(struct crypto_hash *tfm_cmac)
3504 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3505 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3506 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3507 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3509 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3510 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3511 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3512 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3514 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3515 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3517 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3518 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3519 const u32 exp_val = 0x2f9ed5ba % 1000000;
3523 err = smp_g2(tfm_cmac, u, v, x, y, &val);
3533 static int __init test_h6(struct crypto_hash *tfm_cmac)
3536 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3537 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3538 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3539 const u8 exp[16] = {
3540 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3541 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3545 err = smp_h6(tfm_cmac, w, key_id, res);
3549 if (memcmp(res, exp, 16))
3555 static char test_smp_buffer[32];
3557 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3558 size_t count, loff_t *ppos)
3560 return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3561 strlen(test_smp_buffer));
3564 static const struct file_operations test_smp_fops = {
3565 .open = simple_open,
3566 .read = test_smp_read,
3567 .llseek = default_llseek,
3570 static int __init run_selftests(struct crypto_blkcipher *tfm_aes,
3571 struct crypto_hash *tfm_cmac)
3573 ktime_t calltime, delta, rettime;
3574 unsigned long long duration;
3577 calltime = ktime_get();
3579 err = test_ah(tfm_aes);
3581 BT_ERR("smp_ah test failed");
3585 err = test_c1(tfm_aes);
3587 BT_ERR("smp_c1 test failed");
3591 err = test_s1(tfm_aes);
3593 BT_ERR("smp_s1 test failed");
3597 err = test_f4(tfm_cmac);
3599 BT_ERR("smp_f4 test failed");
3603 err = test_f5(tfm_cmac);
3605 BT_ERR("smp_f5 test failed");
3609 err = test_f6(tfm_cmac);
3611 BT_ERR("smp_f6 test failed");
3615 err = test_g2(tfm_cmac);
3617 BT_ERR("smp_g2 test failed");
3621 err = test_h6(tfm_cmac);
3623 BT_ERR("smp_h6 test failed");
3627 rettime = ktime_get();
3628 delta = ktime_sub(rettime, calltime);
3629 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3631 BT_INFO("SMP test passed in %llu usecs", duration);
3635 snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3636 "PASS (%llu usecs)\n", duration);
3638 snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3640 debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3646 int __init bt_selftest_smp(void)
3648 struct crypto_blkcipher *tfm_aes;
3649 struct crypto_hash *tfm_cmac;
3652 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
3653 if (IS_ERR(tfm_aes)) {
3654 BT_ERR("Unable to create ECB crypto context");
3655 return PTR_ERR(tfm_aes);
3658 tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3659 if (IS_ERR(tfm_cmac)) {
3660 BT_ERR("Unable to create CMAC crypto context");
3661 crypto_free_blkcipher(tfm_aes);
3662 return PTR_ERR(tfm_cmac);
3665 err = run_selftests(tfm_aes, tfm_cmac);
3667 crypto_free_hash(tfm_cmac);
3668 crypto_free_blkcipher(tfm_aes);