2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
23 #include <linux/debugfs.h>
24 #include <linux/scatterlist.h>
25 #include <linux/crypto.h>
26 #include <crypto/algapi.h>
27 #include <crypto/b128ops.h>
28 #include <crypto/hash.h>
30 #include <net/bluetooth/bluetooth.h>
31 #include <net/bluetooth/hci_core.h>
32 #include <net/bluetooth/l2cap.h>
33 #include <net/bluetooth/mgmt.h>
35 #include "ecdh_helper.h"
38 #define SMP_DEV(hdev) \
39 ((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
41 /* Low-level debug macros to be used for stuff that we don't want
42 * accidentially in dmesg, i.e. the values of the various crypto keys
43 * and the inputs & outputs of crypto functions.
46 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
49 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
53 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
55 /* Keys which are not distributed with Secure Connections */
56 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
58 #define SMP_TIMEOUT msecs_to_jiffies(30000)
60 #define AUTH_REQ_MASK(dev) (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
62 #define KEY_DIST_MASK 0x07
64 /* Maximum message length that can be passed to aes_cmac */
65 #define CMAC_MSG_MAX 80
77 SMP_FLAG_DHKEY_PENDING,
84 /* Secure Connections OOB data */
93 struct crypto_cipher *tfm_aes;
94 struct crypto_shash *tfm_cmac;
98 struct l2cap_conn *conn;
99 struct delayed_work security_timer;
100 unsigned long allow_cmd; /* Bitmask of allowed commands */
102 u8 preq[7]; /* SMP Pairing Request */
103 u8 prsp[7]; /* SMP Pairing Response */
104 u8 prnd[16]; /* SMP Pairing Random (local) */
105 u8 rrnd[16]; /* SMP Pairing Random (remote) */
106 u8 pcnf[16]; /* SMP Pairing Confirm */
107 u8 tk[16]; /* SMP Temporary Key */
108 u8 rr[16]; /* Remote OOB ra/rb value */
109 u8 lr[16]; /* Local OOB ra/rb value */
115 struct smp_csrk *csrk;
116 struct smp_csrk *slave_csrk;
118 struct smp_ltk *slave_ltk;
119 struct smp_irk *remote_irk;
125 /* Secure Connections variables */
132 struct crypto_cipher *tfm_aes;
133 struct crypto_shash *tfm_cmac;
136 /* These debug key values are defined in the SMP section of the core
137 * specification. debug_pk is the public debug key and debug_sk the
140 static const u8 debug_pk[64] = {
141 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
142 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
143 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
144 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
146 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
147 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
148 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
149 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
152 static const u8 debug_sk[32] = {
153 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
154 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
155 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
156 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
159 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
163 for (i = 0; i < len; i++)
164 dst[len - 1 - i] = src[i];
167 /* The following functions map to the LE SC SMP crypto functions
168 * AES-CMAC, f4, f5, f6, g2 and h6.
171 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
172 size_t len, u8 mac[16])
174 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
175 SHASH_DESC_ON_STACK(desc, tfm);
178 if (len > CMAC_MSG_MAX)
182 BT_ERR("tfm %p", tfm);
189 /* Swap key and message from LSB to MSB */
190 swap_buf(k, tmp, 16);
191 swap_buf(m, msg_msb, len);
193 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
194 SMP_DBG("key %16phN", k);
196 err = crypto_shash_setkey(tfm, tmp, 16);
198 BT_ERR("cipher setkey failed: %d", err);
202 err = crypto_shash_digest(desc, msg_msb, len, mac_msb);
203 shash_desc_zero(desc);
205 BT_ERR("Hash computation error %d", err);
209 swap_buf(mac_msb, mac, 16);
211 SMP_DBG("mac %16phN", mac);
216 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
217 const u8 v[32], const u8 x[16], u8 z, u8 res[16])
222 SMP_DBG("u %32phN", u);
223 SMP_DBG("v %32phN", v);
224 SMP_DBG("x %16phN z %02x", x, z);
227 memcpy(m + 1, v, 32);
228 memcpy(m + 33, u, 32);
230 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
234 SMP_DBG("res %16phN", res);
239 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
240 const u8 n1[16], const u8 n2[16], const u8 a1[7],
241 const u8 a2[7], u8 mackey[16], u8 ltk[16])
243 /* The btle, salt and length "magic" values are as defined in
244 * the SMP section of the Bluetooth core specification. In ASCII
245 * the btle value ends up being 'btle'. The salt is just a
246 * random number whereas length is the value 256 in little
249 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
250 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
251 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
252 const u8 length[2] = { 0x00, 0x01 };
256 SMP_DBG("w %32phN", w);
257 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
258 SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
260 err = aes_cmac(tfm_cmac, salt, w, 32, t);
264 SMP_DBG("t %16phN", t);
266 memcpy(m, length, 2);
267 memcpy(m + 2, a2, 7);
268 memcpy(m + 9, a1, 7);
269 memcpy(m + 16, n2, 16);
270 memcpy(m + 32, n1, 16);
271 memcpy(m + 48, btle, 4);
273 m[52] = 0; /* Counter */
275 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
279 SMP_DBG("mackey %16phN", mackey);
281 m[52] = 1; /* Counter */
283 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
287 SMP_DBG("ltk %16phN", ltk);
292 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
293 const u8 n1[16], const u8 n2[16], const u8 r[16],
294 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
300 SMP_DBG("w %16phN", w);
301 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
302 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
305 memcpy(m + 7, a1, 7);
306 memcpy(m + 14, io_cap, 3);
307 memcpy(m + 17, r, 16);
308 memcpy(m + 33, n2, 16);
309 memcpy(m + 49, n1, 16);
311 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
315 SMP_DBG("res %16phN", res);
320 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
321 const u8 x[16], const u8 y[16], u32 *val)
326 SMP_DBG("u %32phN", u);
327 SMP_DBG("v %32phN", v);
328 SMP_DBG("x %16phN y %16phN", x, y);
331 memcpy(m + 16, v, 32);
332 memcpy(m + 48, u, 32);
334 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
338 *val = get_unaligned_le32(tmp);
341 SMP_DBG("val %06u", *val);
346 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
347 const u8 key_id[4], u8 res[16])
351 SMP_DBG("w %16phN key_id %4phN", w, key_id);
353 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
357 SMP_DBG("res %16phN", res);
362 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
363 const u8 salt[16], u8 res[16])
367 SMP_DBG("w %16phN salt %16phN", w, salt);
369 err = aes_cmac(tfm_cmac, salt, w, 16, res);
373 SMP_DBG("res %16phN", res);
378 /* The following functions map to the legacy SMP crypto functions e, c1,
382 static int smp_e(struct crypto_cipher *tfm, const u8 *k, u8 *r)
384 uint8_t tmp[16], data[16];
387 SMP_DBG("k %16phN r %16phN", k, r);
390 BT_ERR("tfm %p", tfm);
394 /* The most significant octet of key corresponds to k[0] */
395 swap_buf(k, tmp, 16);
397 err = crypto_cipher_setkey(tfm, tmp, 16);
399 BT_ERR("cipher setkey failed: %d", err);
403 /* Most significant octet of plaintextData corresponds to data[0] */
404 swap_buf(r, data, 16);
406 crypto_cipher_encrypt_one(tfm, data, data);
408 /* Most significant octet of encryptedData corresponds to data[0] */
409 swap_buf(data, r, 16);
411 SMP_DBG("r %16phN", r);
416 static int smp_c1(struct crypto_cipher *tfm_aes, const u8 k[16],
417 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
418 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
423 SMP_DBG("k %16phN r %16phN", k, r);
424 SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
425 SMP_DBG("preq %7phN pres %7phN", preq, pres);
429 /* p1 = pres || preq || _rat || _iat */
432 memcpy(p1 + 2, preq, 7);
433 memcpy(p1 + 9, pres, 7);
435 SMP_DBG("p1 %16phN", p1);
438 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
440 /* res = e(k, res) */
441 err = smp_e(tfm_aes, k, res);
443 BT_ERR("Encrypt data error");
447 /* p2 = padding || ia || ra */
449 memcpy(p2 + 6, ia, 6);
450 memset(p2 + 12, 0, 4);
452 SMP_DBG("p2 %16phN", p2);
454 /* res = res XOR p2 */
455 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
457 /* res = e(k, res) */
458 err = smp_e(tfm_aes, k, res);
460 BT_ERR("Encrypt data error");
465 static int smp_s1(struct crypto_cipher *tfm_aes, const u8 k[16],
466 const u8 r1[16], const u8 r2[16], u8 _r[16])
470 /* Just least significant octets from r1 and r2 are considered */
472 memcpy(_r + 8, r1, 8);
474 err = smp_e(tfm_aes, k, _r);
476 BT_ERR("Encrypt data error");
481 static int smp_ah(struct crypto_cipher *tfm, const u8 irk[16],
482 const u8 r[3], u8 res[3])
487 /* r' = padding || r */
489 memset(_res + 3, 0, 13);
491 err = smp_e(tfm, irk, _res);
493 BT_ERR("Encrypt error");
497 /* The output of the random address function ah is:
498 * ah(k, r) = e(k, r') mod 2^24
499 * The output of the security function e is then truncated to 24 bits
500 * by taking the least significant 24 bits of the output of e as the
503 memcpy(res, _res, 3);
508 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
509 const bdaddr_t *bdaddr)
511 struct l2cap_chan *chan = hdev->smp_data;
516 if (!chan || !chan->data)
521 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
523 err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash);
527 return !crypto_memneq(bdaddr->b, hash, 3);
530 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
532 struct l2cap_chan *chan = hdev->smp_data;
536 if (!chan || !chan->data)
541 get_random_bytes(&rpa->b[3], 3);
543 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
544 rpa->b[5] |= 0x40; /* Set second most significant bit */
546 err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b);
550 BT_DBG("RPA %pMR", rpa);
555 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
557 struct l2cap_chan *chan = hdev->smp_data;
561 if (!chan || !chan->data)
566 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
567 BT_DBG("Using debug keys");
568 memcpy(smp->local_pk, debug_pk, 64);
569 memcpy(smp->local_sk, debug_sk, 32);
570 smp->debug_key = true;
573 /* Seed private key with random number */
574 get_random_bytes(smp->local_sk, 32);
576 /* Generate local key pair for Secure Connections */
577 if (!generate_ecdh_keys(smp->local_pk, smp->local_sk))
580 /* This is unlikely, but we need to check that
581 * we didn't accidentially generate a debug key.
583 if (crypto_memneq(smp->local_sk, debug_sk, 32))
586 smp->debug_key = false;
589 SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
590 SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
591 SMP_DBG("OOB Private Key: %32phN", smp->local_sk);
593 get_random_bytes(smp->local_rand, 16);
595 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
596 smp->local_rand, 0, hash);
600 memcpy(rand, smp->local_rand, 16);
605 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
607 struct l2cap_chan *chan = conn->smp;
608 struct smp_chan *smp;
615 BT_DBG("code 0x%2.2x", code);
617 iv[0].iov_base = &code;
620 iv[1].iov_base = data;
623 memset(&msg, 0, sizeof(msg));
625 iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
627 l2cap_chan_send(chan, &msg, 1 + len);
634 cancel_delayed_work_sync(&smp->security_timer);
635 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
638 static u8 authreq_to_seclevel(u8 authreq)
640 if (authreq & SMP_AUTH_MITM) {
641 if (authreq & SMP_AUTH_SC)
642 return BT_SECURITY_FIPS;
644 return BT_SECURITY_HIGH;
646 return BT_SECURITY_MEDIUM;
650 static __u8 seclevel_to_authreq(__u8 sec_level)
653 case BT_SECURITY_FIPS:
654 case BT_SECURITY_HIGH:
655 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
656 case BT_SECURITY_MEDIUM:
657 return SMP_AUTH_BONDING;
659 return SMP_AUTH_NONE;
663 static void build_pairing_cmd(struct l2cap_conn *conn,
664 struct smp_cmd_pairing *req,
665 struct smp_cmd_pairing *rsp, __u8 authreq)
667 struct l2cap_chan *chan = conn->smp;
668 struct smp_chan *smp = chan->data;
669 struct hci_conn *hcon = conn->hcon;
670 struct hci_dev *hdev = hcon->hdev;
671 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
673 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
674 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
675 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
676 authreq |= SMP_AUTH_BONDING;
678 authreq &= ~SMP_AUTH_BONDING;
681 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
682 remote_dist |= SMP_DIST_ID_KEY;
684 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
685 local_dist |= SMP_DIST_ID_KEY;
687 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
688 (authreq & SMP_AUTH_SC)) {
689 struct oob_data *oob_data;
692 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
693 local_dist |= SMP_DIST_LINK_KEY;
694 remote_dist |= SMP_DIST_LINK_KEY;
697 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
698 bdaddr_type = BDADDR_LE_PUBLIC;
700 bdaddr_type = BDADDR_LE_RANDOM;
702 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
704 if (oob_data && oob_data->present) {
705 set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
706 oob_flag = SMP_OOB_PRESENT;
707 memcpy(smp->rr, oob_data->rand256, 16);
708 memcpy(smp->pcnf, oob_data->hash256, 16);
709 SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
710 SMP_DBG("OOB Remote Random: %16phN", smp->rr);
714 authreq &= ~SMP_AUTH_SC;
718 req->io_capability = conn->hcon->io_capability;
719 req->oob_flag = oob_flag;
720 req->max_key_size = SMP_DEV(hdev)->max_key_size;
721 req->init_key_dist = local_dist;
722 req->resp_key_dist = remote_dist;
723 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
725 smp->remote_key_dist = remote_dist;
729 rsp->io_capability = conn->hcon->io_capability;
730 rsp->oob_flag = oob_flag;
731 rsp->max_key_size = SMP_DEV(hdev)->max_key_size;
732 rsp->init_key_dist = req->init_key_dist & remote_dist;
733 rsp->resp_key_dist = req->resp_key_dist & local_dist;
734 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
736 smp->remote_key_dist = rsp->init_key_dist;
739 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
741 struct l2cap_chan *chan = conn->smp;
742 struct hci_dev *hdev = conn->hcon->hdev;
743 struct smp_chan *smp = chan->data;
745 if (max_key_size > SMP_DEV(hdev)->max_key_size ||
746 max_key_size < SMP_MIN_ENC_KEY_SIZE)
747 return SMP_ENC_KEY_SIZE;
749 smp->enc_key_size = max_key_size;
754 static void smp_chan_destroy(struct l2cap_conn *conn)
756 struct l2cap_chan *chan = conn->smp;
757 struct smp_chan *smp = chan->data;
758 struct hci_conn *hcon = conn->hcon;
763 cancel_delayed_work_sync(&smp->security_timer);
765 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
766 mgmt_smp_complete(hcon, complete);
769 kzfree(smp->slave_csrk);
770 kzfree(smp->link_key);
772 crypto_free_cipher(smp->tfm_aes);
773 crypto_free_shash(smp->tfm_cmac);
775 /* Ensure that we don't leave any debug key around if debug key
776 * support hasn't been explicitly enabled.
778 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
779 !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
780 list_del_rcu(&smp->ltk->list);
781 kfree_rcu(smp->ltk, rcu);
785 /* If pairing failed clean up any keys we might have */
788 list_del_rcu(&smp->ltk->list);
789 kfree_rcu(smp->ltk, rcu);
792 if (smp->slave_ltk) {
793 list_del_rcu(&smp->slave_ltk->list);
794 kfree_rcu(smp->slave_ltk, rcu);
797 if (smp->remote_irk) {
798 list_del_rcu(&smp->remote_irk->list);
799 kfree_rcu(smp->remote_irk, rcu);
808 static void smp_failure(struct l2cap_conn *conn, u8 reason)
810 struct hci_conn *hcon = conn->hcon;
811 struct l2cap_chan *chan = conn->smp;
814 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
817 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
820 smp_chan_destroy(conn);
823 #define JUST_WORKS 0x00
824 #define JUST_CFM 0x01
825 #define REQ_PASSKEY 0x02
826 #define CFM_PASSKEY 0x03
828 #define DSP_PASSKEY 0x05
831 static const u8 gen_method[5][5] = {
832 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
833 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
834 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
835 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
836 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
839 static const u8 sc_method[5][5] = {
840 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
841 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
842 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
843 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
844 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
847 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
849 /* If either side has unknown io_caps, use JUST_CFM (which gets
850 * converted later to JUST_WORKS if we're initiators.
852 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
853 remote_io > SMP_IO_KEYBOARD_DISPLAY)
856 if (test_bit(SMP_FLAG_SC, &smp->flags))
857 return sc_method[remote_io][local_io];
859 return gen_method[remote_io][local_io];
862 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
863 u8 local_io, u8 remote_io)
865 struct hci_conn *hcon = conn->hcon;
866 struct l2cap_chan *chan = conn->smp;
867 struct smp_chan *smp = chan->data;
871 /* Initialize key for JUST WORKS */
872 memset(smp->tk, 0, sizeof(smp->tk));
873 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
875 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
877 /* If neither side wants MITM, either "just" confirm an incoming
878 * request or use just-works for outgoing ones. The JUST_CFM
879 * will be converted to JUST_WORKS if necessary later in this
880 * function. If either side has MITM look up the method from the
883 if (!(auth & SMP_AUTH_MITM))
884 smp->method = JUST_CFM;
886 smp->method = get_auth_method(smp, local_io, remote_io);
888 /* Don't confirm locally initiated pairing attempts */
889 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
891 smp->method = JUST_WORKS;
893 /* Don't bother user space with no IO capabilities */
894 if (smp->method == JUST_CFM &&
895 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
896 smp->method = JUST_WORKS;
898 /* If Just Works, Continue with Zero TK */
899 if (smp->method == JUST_WORKS) {
900 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
904 /* If this function is used for SC -> legacy fallback we
905 * can only recover the just-works case.
907 if (test_bit(SMP_FLAG_SC, &smp->flags))
910 /* Not Just Works/Confirm results in MITM Authentication */
911 if (smp->method != JUST_CFM) {
912 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
913 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
914 hcon->pending_sec_level = BT_SECURITY_HIGH;
917 /* If both devices have Keyoard-Display I/O, the master
918 * Confirms and the slave Enters the passkey.
920 if (smp->method == OVERLAP) {
921 if (hcon->role == HCI_ROLE_MASTER)
922 smp->method = CFM_PASSKEY;
924 smp->method = REQ_PASSKEY;
927 /* Generate random passkey. */
928 if (smp->method == CFM_PASSKEY) {
929 memset(smp->tk, 0, sizeof(smp->tk));
930 get_random_bytes(&passkey, sizeof(passkey));
932 put_unaligned_le32(passkey, smp->tk);
933 BT_DBG("PassKey: %d", passkey);
934 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
937 if (smp->method == REQ_PASSKEY)
938 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
939 hcon->type, hcon->dst_type);
940 else if (smp->method == JUST_CFM)
941 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
942 hcon->type, hcon->dst_type,
945 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
946 hcon->type, hcon->dst_type,
952 static u8 smp_confirm(struct smp_chan *smp)
954 struct l2cap_conn *conn = smp->conn;
955 struct smp_cmd_pairing_confirm cp;
958 BT_DBG("conn %p", conn);
960 ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
961 conn->hcon->init_addr_type, &conn->hcon->init_addr,
962 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
965 return SMP_UNSPECIFIED;
967 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
969 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
972 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
974 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
979 static u8 smp_random(struct smp_chan *smp)
981 struct l2cap_conn *conn = smp->conn;
982 struct hci_conn *hcon = conn->hcon;
986 if (IS_ERR_OR_NULL(smp->tfm_aes))
987 return SMP_UNSPECIFIED;
989 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
991 ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
992 hcon->init_addr_type, &hcon->init_addr,
993 hcon->resp_addr_type, &hcon->resp_addr, confirm);
995 return SMP_UNSPECIFIED;
997 if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
998 BT_ERR("Pairing failed (confirmation values mismatch)");
999 return SMP_CONFIRM_FAILED;
1007 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
1009 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1010 return SMP_UNSPECIFIED;
1012 hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1013 hcon->enc_key_size = smp->enc_key_size;
1014 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1020 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1023 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
1025 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1030 /* Even though there's no _SLAVE suffix this is the
1031 * slave STK we're adding for later lookup (the master
1032 * STK never needs to be stored).
1034 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1035 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1041 static void smp_notify_keys(struct l2cap_conn *conn)
1043 struct l2cap_chan *chan = conn->smp;
1044 struct smp_chan *smp = chan->data;
1045 struct hci_conn *hcon = conn->hcon;
1046 struct hci_dev *hdev = hcon->hdev;
1047 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1048 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1051 if (hcon->type == ACL_LINK) {
1052 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1055 persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1058 /* The LTKs, IRKs and CSRKs should be persistent only if
1059 * both sides had the bonding bit set in their
1060 * authentication requests.
1062 persistent = !!((req->auth_req & rsp->auth_req) &
1066 if (smp->remote_irk) {
1067 mgmt_new_irk(hdev, smp->remote_irk, persistent);
1069 /* Now that user space can be considered to know the
1070 * identity address track the connection based on it
1071 * from now on (assuming this is an LE link).
1073 if (hcon->type == LE_LINK) {
1074 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1075 hcon->dst_type = smp->remote_irk->addr_type;
1076 queue_work(hdev->workqueue, &conn->id_addr_update_work);
1081 smp->csrk->bdaddr_type = hcon->dst_type;
1082 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1083 mgmt_new_csrk(hdev, smp->csrk, persistent);
1086 if (smp->slave_csrk) {
1087 smp->slave_csrk->bdaddr_type = hcon->dst_type;
1088 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1089 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1093 smp->ltk->bdaddr_type = hcon->dst_type;
1094 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1095 mgmt_new_ltk(hdev, smp->ltk, persistent);
1098 if (smp->slave_ltk) {
1099 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1100 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1101 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1104 if (smp->link_key) {
1105 struct link_key *key;
1108 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1109 type = HCI_LK_DEBUG_COMBINATION;
1110 else if (hcon->sec_level == BT_SECURITY_FIPS)
1111 type = HCI_LK_AUTH_COMBINATION_P256;
1113 type = HCI_LK_UNAUTH_COMBINATION_P256;
1115 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1116 smp->link_key, type, 0, &persistent);
1118 mgmt_new_link_key(hdev, key, persistent);
1120 /* Don't keep debug keys around if the relevant
1123 if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1124 key->type == HCI_LK_DEBUG_COMBINATION) {
1125 list_del_rcu(&key->list);
1126 kfree_rcu(key, rcu);
1132 static void sc_add_ltk(struct smp_chan *smp)
1134 struct hci_conn *hcon = smp->conn->hcon;
1137 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1138 key_type = SMP_LTK_P256_DEBUG;
1140 key_type = SMP_LTK_P256;
1142 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1147 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1148 key_type, auth, smp->tk, smp->enc_key_size,
1152 static void sc_generate_link_key(struct smp_chan *smp)
1154 /* From core spec. Spells out in ASCII as 'lebr'. */
1155 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1157 smp->link_key = kzalloc(16, GFP_KERNEL);
1161 if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1162 /* SALT = 0x00000000000000000000000000000000746D7031 */
1163 const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1165 if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1166 kzfree(smp->link_key);
1167 smp->link_key = NULL;
1171 /* From core spec. Spells out in ASCII as 'tmp1'. */
1172 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1174 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1175 kzfree(smp->link_key);
1176 smp->link_key = NULL;
1181 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1182 kzfree(smp->link_key);
1183 smp->link_key = NULL;
1188 static void smp_allow_key_dist(struct smp_chan *smp)
1190 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1191 * will be allowed in each PDU handler to ensure we receive
1192 * them in the correct order.
1194 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1195 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1196 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1197 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1198 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1199 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1202 static void sc_generate_ltk(struct smp_chan *smp)
1204 /* From core spec. Spells out in ASCII as 'brle'. */
1205 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1206 struct hci_conn *hcon = smp->conn->hcon;
1207 struct hci_dev *hdev = hcon->hdev;
1208 struct link_key *key;
1210 key = hci_find_link_key(hdev, &hcon->dst);
1212 BT_ERR("%s No Link Key found to generate LTK", hdev->name);
1216 if (key->type == HCI_LK_DEBUG_COMBINATION)
1217 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1219 if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1220 /* SALT = 0x00000000000000000000000000000000746D7032 */
1221 const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1223 if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1226 /* From core spec. Spells out in ASCII as 'tmp2'. */
1227 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1229 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1233 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1239 static void smp_distribute_keys(struct smp_chan *smp)
1241 struct smp_cmd_pairing *req, *rsp;
1242 struct l2cap_conn *conn = smp->conn;
1243 struct hci_conn *hcon = conn->hcon;
1244 struct hci_dev *hdev = hcon->hdev;
1247 BT_DBG("conn %p", conn);
1249 rsp = (void *) &smp->prsp[1];
1251 /* The responder sends its keys first */
1252 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1253 smp_allow_key_dist(smp);
1257 req = (void *) &smp->preq[1];
1260 keydist = &rsp->init_key_dist;
1261 *keydist &= req->init_key_dist;
1263 keydist = &rsp->resp_key_dist;
1264 *keydist &= req->resp_key_dist;
1267 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1268 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1269 sc_generate_link_key(smp);
1270 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1271 sc_generate_ltk(smp);
1273 /* Clear the keys which are generated but not distributed */
1274 *keydist &= ~SMP_SC_NO_DIST;
1277 BT_DBG("keydist 0x%x", *keydist);
1279 if (*keydist & SMP_DIST_ENC_KEY) {
1280 struct smp_cmd_encrypt_info enc;
1281 struct smp_cmd_master_ident ident;
1282 struct smp_ltk *ltk;
1287 /* Make sure we generate only the significant amount of
1288 * bytes based on the encryption key size, and set the rest
1289 * of the value to zeroes.
1291 get_random_bytes(enc.ltk, smp->enc_key_size);
1292 memset(enc.ltk + smp->enc_key_size, 0,
1293 sizeof(enc.ltk) - smp->enc_key_size);
1295 get_random_bytes(&ediv, sizeof(ediv));
1296 get_random_bytes(&rand, sizeof(rand));
1298 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1300 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1301 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1302 SMP_LTK_SLAVE, authenticated, enc.ltk,
1303 smp->enc_key_size, ediv, rand);
1304 smp->slave_ltk = ltk;
1309 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1311 *keydist &= ~SMP_DIST_ENC_KEY;
1314 if (*keydist & SMP_DIST_ID_KEY) {
1315 struct smp_cmd_ident_addr_info addrinfo;
1316 struct smp_cmd_ident_info idinfo;
1318 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1320 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1322 /* The hci_conn contains the local identity address
1323 * after the connection has been established.
1325 * This is true even when the connection has been
1326 * established using a resolvable random address.
1328 bacpy(&addrinfo.bdaddr, &hcon->src);
1329 addrinfo.addr_type = hcon->src_type;
1331 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1334 *keydist &= ~SMP_DIST_ID_KEY;
1337 if (*keydist & SMP_DIST_SIGN) {
1338 struct smp_cmd_sign_info sign;
1339 struct smp_csrk *csrk;
1341 /* Generate a new random key */
1342 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1344 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1346 if (hcon->sec_level > BT_SECURITY_MEDIUM)
1347 csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1349 csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1350 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1352 smp->slave_csrk = csrk;
1354 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1356 *keydist &= ~SMP_DIST_SIGN;
1359 /* If there are still keys to be received wait for them */
1360 if (smp->remote_key_dist & KEY_DIST_MASK) {
1361 smp_allow_key_dist(smp);
1365 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1366 smp_notify_keys(conn);
1368 smp_chan_destroy(conn);
1371 static void smp_timeout(struct work_struct *work)
1373 struct smp_chan *smp = container_of(work, struct smp_chan,
1374 security_timer.work);
1375 struct l2cap_conn *conn = smp->conn;
1377 BT_DBG("conn %p", conn);
1379 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1382 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1384 struct l2cap_chan *chan = conn->smp;
1385 struct smp_chan *smp;
1387 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1391 smp->tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
1392 if (IS_ERR(smp->tfm_aes)) {
1393 BT_ERR("Unable to create AES crypto context");
1398 smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1399 if (IS_ERR(smp->tfm_cmac)) {
1400 BT_ERR("Unable to create CMAC crypto context");
1401 crypto_free_cipher(smp->tfm_aes);
1409 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1411 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1413 hci_conn_hold(conn->hcon);
1418 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1420 struct hci_conn *hcon = smp->conn->hcon;
1421 u8 *na, *nb, a[7], b[7];
1431 memcpy(a, &hcon->init_addr, 6);
1432 memcpy(b, &hcon->resp_addr, 6);
1433 a[6] = hcon->init_addr_type;
1434 b[6] = hcon->resp_addr_type;
1436 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1439 static void sc_dhkey_check(struct smp_chan *smp)
1441 struct hci_conn *hcon = smp->conn->hcon;
1442 struct smp_cmd_dhkey_check check;
1443 u8 a[7], b[7], *local_addr, *remote_addr;
1444 u8 io_cap[3], r[16];
1446 memcpy(a, &hcon->init_addr, 6);
1447 memcpy(b, &hcon->resp_addr, 6);
1448 a[6] = hcon->init_addr_type;
1449 b[6] = hcon->resp_addr_type;
1454 memcpy(io_cap, &smp->preq[1], 3);
1458 memcpy(io_cap, &smp->prsp[1], 3);
1461 memset(r, 0, sizeof(r));
1463 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1464 put_unaligned_le32(hcon->passkey_notify, r);
1466 if (smp->method == REQ_OOB)
1467 memcpy(r, smp->rr, 16);
1469 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1470 local_addr, remote_addr, check.e);
1472 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1475 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1477 struct l2cap_conn *conn = smp->conn;
1478 struct hci_conn *hcon = conn->hcon;
1479 struct smp_cmd_pairing_confirm cfm;
1482 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1485 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1487 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1489 return SMP_UNSPECIFIED;
1491 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1496 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1498 struct l2cap_conn *conn = smp->conn;
1499 struct hci_conn *hcon = conn->hcon;
1500 struct hci_dev *hdev = hcon->hdev;
1503 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1504 if (smp->passkey_round >= 20)
1508 case SMP_CMD_PAIRING_RANDOM:
1509 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1512 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1514 return SMP_UNSPECIFIED;
1516 if (crypto_memneq(smp->pcnf, cfm, 16))
1517 return SMP_CONFIRM_FAILED;
1519 smp->passkey_round++;
1521 if (smp->passkey_round == 20) {
1522 /* Generate MacKey and LTK */
1523 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1524 return SMP_UNSPECIFIED;
1527 /* The round is only complete when the initiator
1528 * receives pairing random.
1531 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1532 sizeof(smp->prnd), smp->prnd);
1533 if (smp->passkey_round == 20)
1534 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1536 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1540 /* Start the next round */
1541 if (smp->passkey_round != 20)
1542 return sc_passkey_round(smp, 0);
1544 /* Passkey rounds are complete - start DHKey Check */
1545 sc_dhkey_check(smp);
1546 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1550 case SMP_CMD_PAIRING_CONFIRM:
1551 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1552 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1556 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1559 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1560 sizeof(smp->prnd), smp->prnd);
1564 return sc_passkey_send_confirm(smp);
1566 case SMP_CMD_PUBLIC_KEY:
1568 /* Initiating device starts the round */
1572 BT_DBG("%s Starting passkey round %u", hdev->name,
1573 smp->passkey_round + 1);
1575 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1577 return sc_passkey_send_confirm(smp);
1583 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1585 struct l2cap_conn *conn = smp->conn;
1586 struct hci_conn *hcon = conn->hcon;
1589 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1592 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1593 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1595 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1596 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1598 case MGMT_OP_USER_PASSKEY_REPLY:
1599 hcon->passkey_notify = le32_to_cpu(passkey);
1600 smp->passkey_round = 0;
1602 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1603 smp_op = SMP_CMD_PAIRING_CONFIRM;
1607 if (sc_passkey_round(smp, smp_op))
1613 /* Initiator sends DHKey check first */
1615 sc_dhkey_check(smp);
1616 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1617 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1618 sc_dhkey_check(smp);
1625 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1627 struct l2cap_conn *conn = hcon->l2cap_data;
1628 struct l2cap_chan *chan;
1629 struct smp_chan *smp;
1642 l2cap_chan_lock(chan);
1650 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1651 err = sc_user_reply(smp, mgmt_op, passkey);
1656 case MGMT_OP_USER_PASSKEY_REPLY:
1657 value = le32_to_cpu(passkey);
1658 memset(smp->tk, 0, sizeof(smp->tk));
1659 BT_DBG("PassKey: %d", value);
1660 put_unaligned_le32(value, smp->tk);
1662 case MGMT_OP_USER_CONFIRM_REPLY:
1663 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1665 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1666 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1667 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1671 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1678 /* If it is our turn to send Pairing Confirm, do so now */
1679 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1680 u8 rsp = smp_confirm(smp);
1682 smp_failure(conn, rsp);
1686 l2cap_chan_unlock(chan);
1690 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1691 struct smp_cmd_pairing *req,
1692 struct smp_cmd_pairing *rsp)
1694 struct l2cap_conn *conn = smp->conn;
1695 struct hci_dev *hdev = conn->hcon->hdev;
1696 u8 local_dist = 0, remote_dist = 0;
1698 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1699 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1700 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1703 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1704 remote_dist |= SMP_DIST_ID_KEY;
1706 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1707 local_dist |= SMP_DIST_ID_KEY;
1710 memset(req, 0, sizeof(*req));
1712 req->auth_req = SMP_AUTH_CT2;
1713 req->init_key_dist = local_dist;
1714 req->resp_key_dist = remote_dist;
1715 req->max_key_size = conn->hcon->enc_key_size;
1717 smp->remote_key_dist = remote_dist;
1722 memset(rsp, 0, sizeof(*rsp));
1724 rsp->auth_req = SMP_AUTH_CT2;
1725 rsp->max_key_size = conn->hcon->enc_key_size;
1726 rsp->init_key_dist = req->init_key_dist & remote_dist;
1727 rsp->resp_key_dist = req->resp_key_dist & local_dist;
1729 smp->remote_key_dist = rsp->init_key_dist;
1732 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1734 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1735 struct l2cap_chan *chan = conn->smp;
1736 struct hci_dev *hdev = conn->hcon->hdev;
1737 struct smp_chan *smp;
1738 u8 key_size, auth, sec_level;
1741 BT_DBG("conn %p", conn);
1743 if (skb->len < sizeof(*req))
1744 return SMP_INVALID_PARAMS;
1746 if (conn->hcon->role != HCI_ROLE_SLAVE)
1747 return SMP_CMD_NOTSUPP;
1750 smp = smp_chan_create(conn);
1755 return SMP_UNSPECIFIED;
1757 /* We didn't start the pairing, so match remote */
1758 auth = req->auth_req & AUTH_REQ_MASK(hdev);
1760 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1761 (auth & SMP_AUTH_BONDING))
1762 return SMP_PAIRING_NOTSUPP;
1764 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1765 return SMP_AUTH_REQUIREMENTS;
1767 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1768 memcpy(&smp->preq[1], req, sizeof(*req));
1769 skb_pull(skb, sizeof(*req));
1771 /* If the remote side's OOB flag is set it means it has
1772 * successfully received our local OOB data - therefore set the
1773 * flag to indicate that local OOB is in use.
1775 if (req->oob_flag == SMP_OOB_PRESENT)
1776 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1778 /* SMP over BR/EDR requires special treatment */
1779 if (conn->hcon->type == ACL_LINK) {
1780 /* We must have a BR/EDR SC link */
1781 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1782 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1783 return SMP_CROSS_TRANSP_NOT_ALLOWED;
1785 set_bit(SMP_FLAG_SC, &smp->flags);
1787 build_bredr_pairing_cmd(smp, req, &rsp);
1789 if (req->auth_req & SMP_AUTH_CT2)
1790 set_bit(SMP_FLAG_CT2, &smp->flags);
1792 key_size = min(req->max_key_size, rsp.max_key_size);
1793 if (check_enc_key_size(conn, key_size))
1794 return SMP_ENC_KEY_SIZE;
1796 /* Clear bits which are generated but not distributed */
1797 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1799 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1800 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1801 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1803 smp_distribute_keys(smp);
1807 build_pairing_cmd(conn, req, &rsp, auth);
1809 if (rsp.auth_req & SMP_AUTH_SC) {
1810 set_bit(SMP_FLAG_SC, &smp->flags);
1812 if (rsp.auth_req & SMP_AUTH_CT2)
1813 set_bit(SMP_FLAG_CT2, &smp->flags);
1816 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1817 sec_level = BT_SECURITY_MEDIUM;
1819 sec_level = authreq_to_seclevel(auth);
1821 if (sec_level > conn->hcon->pending_sec_level)
1822 conn->hcon->pending_sec_level = sec_level;
1824 /* If we need MITM check that it can be achieved */
1825 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1828 method = get_auth_method(smp, conn->hcon->io_capability,
1829 req->io_capability);
1830 if (method == JUST_WORKS || method == JUST_CFM)
1831 return SMP_AUTH_REQUIREMENTS;
1834 key_size = min(req->max_key_size, rsp.max_key_size);
1835 if (check_enc_key_size(conn, key_size))
1836 return SMP_ENC_KEY_SIZE;
1838 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1840 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1841 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1843 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1845 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1847 /* Strictly speaking we shouldn't allow Pairing Confirm for the
1848 * SC case, however some implementations incorrectly copy RFU auth
1849 * req bits from our security request, which may create a false
1850 * positive SC enablement.
1852 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1854 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1855 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1856 /* Clear bits which are generated but not distributed */
1857 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1858 /* Wait for Public Key from Initiating Device */
1862 /* Request setup of TK */
1863 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1865 return SMP_UNSPECIFIED;
1870 static u8 sc_send_public_key(struct smp_chan *smp)
1872 struct hci_dev *hdev = smp->conn->hcon->hdev;
1876 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1877 struct l2cap_chan *chan = hdev->smp_data;
1878 struct smp_dev *smp_dev;
1880 if (!chan || !chan->data)
1881 return SMP_UNSPECIFIED;
1883 smp_dev = chan->data;
1885 memcpy(smp->local_pk, smp_dev->local_pk, 64);
1886 memcpy(smp->local_sk, smp_dev->local_sk, 32);
1887 memcpy(smp->lr, smp_dev->local_rand, 16);
1889 if (smp_dev->debug_key)
1890 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1895 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1896 BT_DBG("Using debug keys");
1897 memcpy(smp->local_pk, debug_pk, 64);
1898 memcpy(smp->local_sk, debug_sk, 32);
1899 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1902 /* Seed private key with random number */
1903 get_random_bytes(smp->local_sk, 32);
1905 /* Generate local key pair for Secure Connections */
1906 if (!generate_ecdh_keys(smp->local_pk, smp->local_sk))
1907 return SMP_UNSPECIFIED;
1909 /* This is unlikely, but we need to check that
1910 * we didn't accidentially generate a debug key.
1912 if (crypto_memneq(smp->local_sk, debug_sk, 32))
1918 SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1919 SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1920 SMP_DBG("Local Private Key: %32phN", smp->local_sk);
1922 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1927 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1929 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1930 struct l2cap_chan *chan = conn->smp;
1931 struct smp_chan *smp = chan->data;
1932 struct hci_dev *hdev = conn->hcon->hdev;
1936 BT_DBG("conn %p", conn);
1938 if (skb->len < sizeof(*rsp))
1939 return SMP_INVALID_PARAMS;
1941 if (conn->hcon->role != HCI_ROLE_MASTER)
1942 return SMP_CMD_NOTSUPP;
1944 skb_pull(skb, sizeof(*rsp));
1946 req = (void *) &smp->preq[1];
1948 key_size = min(req->max_key_size, rsp->max_key_size);
1949 if (check_enc_key_size(conn, key_size))
1950 return SMP_ENC_KEY_SIZE;
1952 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1954 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1955 return SMP_AUTH_REQUIREMENTS;
1957 /* If the remote side's OOB flag is set it means it has
1958 * successfully received our local OOB data - therefore set the
1959 * flag to indicate that local OOB is in use.
1961 if (rsp->oob_flag == SMP_OOB_PRESENT)
1962 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1964 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1965 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1967 /* Update remote key distribution in case the remote cleared
1968 * some bits that we had enabled in our request.
1970 smp->remote_key_dist &= rsp->resp_key_dist;
1972 if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1973 set_bit(SMP_FLAG_CT2, &smp->flags);
1975 /* For BR/EDR this means we're done and can start phase 3 */
1976 if (conn->hcon->type == ACL_LINK) {
1977 /* Clear bits which are generated but not distributed */
1978 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1979 smp_distribute_keys(smp);
1983 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1984 set_bit(SMP_FLAG_SC, &smp->flags);
1985 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1986 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1988 /* If we need MITM check that it can be achieved */
1989 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1992 method = get_auth_method(smp, req->io_capability,
1993 rsp->io_capability);
1994 if (method == JUST_WORKS || method == JUST_CFM)
1995 return SMP_AUTH_REQUIREMENTS;
1998 get_random_bytes(smp->prnd, sizeof(smp->prnd));
2000 /* Update remote key distribution in case the remote cleared
2001 * some bits that we had enabled in our request.
2003 smp->remote_key_dist &= rsp->resp_key_dist;
2005 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2006 /* Clear bits which are generated but not distributed */
2007 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
2008 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2009 return sc_send_public_key(smp);
2012 auth |= req->auth_req;
2014 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2016 return SMP_UNSPECIFIED;
2018 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2020 /* Can't compose response until we have been confirmed */
2021 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2022 return smp_confirm(smp);
2027 static u8 sc_check_confirm(struct smp_chan *smp)
2029 struct l2cap_conn *conn = smp->conn;
2033 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2034 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2036 if (conn->hcon->out) {
2037 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2039 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2045 /* Work-around for some implementations that incorrectly copy RFU bits
2046 * from our security request and thereby create the impression that
2047 * we're doing SC when in fact the remote doesn't support it.
2049 static int fixup_sc_false_positive(struct smp_chan *smp)
2051 struct l2cap_conn *conn = smp->conn;
2052 struct hci_conn *hcon = conn->hcon;
2053 struct hci_dev *hdev = hcon->hdev;
2054 struct smp_cmd_pairing *req, *rsp;
2057 /* The issue is only observed when we're in slave role */
2059 return SMP_UNSPECIFIED;
2061 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2062 BT_ERR("Refusing SMP SC -> legacy fallback in SC-only mode");
2063 return SMP_UNSPECIFIED;
2066 BT_ERR("Trying to fall back to legacy SMP");
2068 req = (void *) &smp->preq[1];
2069 rsp = (void *) &smp->prsp[1];
2071 /* Rebuild key dist flags which may have been cleared for SC */
2072 smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2074 auth = req->auth_req & AUTH_REQ_MASK(hdev);
2076 if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2077 BT_ERR("Failed to fall back to legacy SMP");
2078 return SMP_UNSPECIFIED;
2081 clear_bit(SMP_FLAG_SC, &smp->flags);
2086 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2088 struct l2cap_chan *chan = conn->smp;
2089 struct smp_chan *smp = chan->data;
2091 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
2093 if (skb->len < sizeof(smp->pcnf))
2094 return SMP_INVALID_PARAMS;
2096 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2097 skb_pull(skb, sizeof(smp->pcnf));
2099 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2102 /* Public Key exchange must happen before any other steps */
2103 if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2104 return sc_check_confirm(smp);
2106 BT_ERR("Unexpected SMP Pairing Confirm");
2108 ret = fixup_sc_false_positive(smp);
2113 if (conn->hcon->out) {
2114 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2116 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2120 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2121 return smp_confirm(smp);
2123 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2128 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2130 struct l2cap_chan *chan = conn->smp;
2131 struct smp_chan *smp = chan->data;
2132 struct hci_conn *hcon = conn->hcon;
2133 u8 *pkax, *pkbx, *na, *nb;
2137 BT_DBG("conn %p", conn);
2139 if (skb->len < sizeof(smp->rrnd))
2140 return SMP_INVALID_PARAMS;
2142 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2143 skb_pull(skb, sizeof(smp->rrnd));
2145 if (!test_bit(SMP_FLAG_SC, &smp->flags))
2146 return smp_random(smp);
2149 pkax = smp->local_pk;
2150 pkbx = smp->remote_pk;
2154 pkax = smp->remote_pk;
2155 pkbx = smp->local_pk;
2160 if (smp->method == REQ_OOB) {
2162 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2163 sizeof(smp->prnd), smp->prnd);
2164 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2165 goto mackey_and_ltk;
2168 /* Passkey entry has special treatment */
2169 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2170 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2175 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2178 return SMP_UNSPECIFIED;
2180 if (crypto_memneq(smp->pcnf, cfm, 16))
2181 return SMP_CONFIRM_FAILED;
2183 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2185 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2189 /* Generate MacKey and LTK */
2190 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2192 return SMP_UNSPECIFIED;
2194 if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2196 sc_dhkey_check(smp);
2197 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2202 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2204 return SMP_UNSPECIFIED;
2206 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2207 hcon->dst_type, passkey, 0);
2209 return SMP_UNSPECIFIED;
2211 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2216 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2218 struct smp_ltk *key;
2219 struct hci_conn *hcon = conn->hcon;
2221 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2225 if (smp_ltk_sec_level(key) < sec_level)
2228 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2231 hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2232 hcon->enc_key_size = key->enc_size;
2234 /* We never store STKs for master role, so clear this flag */
2235 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2240 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2241 enum smp_key_pref key_pref)
2243 if (sec_level == BT_SECURITY_LOW)
2246 /* If we're encrypted with an STK but the caller prefers using
2247 * LTK claim insufficient security. This way we allow the
2248 * connection to be re-encrypted with an LTK, even if the LTK
2249 * provides the same level of security. Only exception is if we
2250 * don't have an LTK (e.g. because of key distribution bits).
2252 if (key_pref == SMP_USE_LTK &&
2253 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2254 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2257 if (hcon->sec_level >= sec_level)
2263 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2265 struct smp_cmd_security_req *rp = (void *) skb->data;
2266 struct smp_cmd_pairing cp;
2267 struct hci_conn *hcon = conn->hcon;
2268 struct hci_dev *hdev = hcon->hdev;
2269 struct smp_chan *smp;
2272 BT_DBG("conn %p", conn);
2274 if (skb->len < sizeof(*rp))
2275 return SMP_INVALID_PARAMS;
2277 if (hcon->role != HCI_ROLE_MASTER)
2278 return SMP_CMD_NOTSUPP;
2280 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2282 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2283 return SMP_AUTH_REQUIREMENTS;
2285 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2286 sec_level = BT_SECURITY_MEDIUM;
2288 sec_level = authreq_to_seclevel(auth);
2290 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2293 if (sec_level > hcon->pending_sec_level)
2294 hcon->pending_sec_level = sec_level;
2296 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2299 smp = smp_chan_create(conn);
2301 return SMP_UNSPECIFIED;
2303 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2304 (auth & SMP_AUTH_BONDING))
2305 return SMP_PAIRING_NOTSUPP;
2307 skb_pull(skb, sizeof(*rp));
2309 memset(&cp, 0, sizeof(cp));
2310 build_pairing_cmd(conn, &cp, NULL, auth);
2312 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2313 memcpy(&smp->preq[1], &cp, sizeof(cp));
2315 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2316 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2321 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2323 struct l2cap_conn *conn = hcon->l2cap_data;
2324 struct l2cap_chan *chan;
2325 struct smp_chan *smp;
2329 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2331 /* This may be NULL if there's an unexpected disconnection */
2335 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2338 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2341 if (sec_level > hcon->pending_sec_level)
2342 hcon->pending_sec_level = sec_level;
2344 if (hcon->role == HCI_ROLE_MASTER)
2345 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2350 BT_ERR("SMP security requested but not available");
2354 l2cap_chan_lock(chan);
2356 /* If SMP is already in progress ignore this request */
2362 smp = smp_chan_create(conn);
2368 authreq = seclevel_to_authreq(sec_level);
2370 if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2371 authreq |= SMP_AUTH_SC;
2372 if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2373 authreq |= SMP_AUTH_CT2;
2376 /* Require MITM if IO Capability allows or the security level
2379 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2380 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2381 authreq |= SMP_AUTH_MITM;
2383 if (hcon->role == HCI_ROLE_MASTER) {
2384 struct smp_cmd_pairing cp;
2386 build_pairing_cmd(conn, &cp, NULL, authreq);
2387 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2388 memcpy(&smp->preq[1], &cp, sizeof(cp));
2390 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2391 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2393 struct smp_cmd_security_req cp;
2394 cp.auth_req = authreq;
2395 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2396 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2399 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2403 l2cap_chan_unlock(chan);
2407 void smp_cancel_pairing(struct hci_conn *hcon)
2409 struct l2cap_conn *conn = hcon->l2cap_data;
2410 struct l2cap_chan *chan;
2411 struct smp_chan *smp;
2420 l2cap_chan_lock(chan);
2424 if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2425 smp_failure(conn, 0);
2427 smp_failure(conn, SMP_UNSPECIFIED);
2430 l2cap_chan_unlock(chan);
2433 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2435 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2436 struct l2cap_chan *chan = conn->smp;
2437 struct smp_chan *smp = chan->data;
2439 BT_DBG("conn %p", conn);
2441 if (skb->len < sizeof(*rp))
2442 return SMP_INVALID_PARAMS;
2444 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2446 skb_pull(skb, sizeof(*rp));
2448 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2453 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2455 struct smp_cmd_master_ident *rp = (void *) skb->data;
2456 struct l2cap_chan *chan = conn->smp;
2457 struct smp_chan *smp = chan->data;
2458 struct hci_dev *hdev = conn->hcon->hdev;
2459 struct hci_conn *hcon = conn->hcon;
2460 struct smp_ltk *ltk;
2463 BT_DBG("conn %p", conn);
2465 if (skb->len < sizeof(*rp))
2466 return SMP_INVALID_PARAMS;
2468 /* Mark the information as received */
2469 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2471 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2472 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2473 else if (smp->remote_key_dist & SMP_DIST_SIGN)
2474 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2476 skb_pull(skb, sizeof(*rp));
2478 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2479 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2480 authenticated, smp->tk, smp->enc_key_size,
2481 rp->ediv, rp->rand);
2483 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2484 smp_distribute_keys(smp);
2489 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2491 struct smp_cmd_ident_info *info = (void *) skb->data;
2492 struct l2cap_chan *chan = conn->smp;
2493 struct smp_chan *smp = chan->data;
2497 if (skb->len < sizeof(*info))
2498 return SMP_INVALID_PARAMS;
2500 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2502 skb_pull(skb, sizeof(*info));
2504 memcpy(smp->irk, info->irk, 16);
2509 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2510 struct sk_buff *skb)
2512 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2513 struct l2cap_chan *chan = conn->smp;
2514 struct smp_chan *smp = chan->data;
2515 struct hci_conn *hcon = conn->hcon;
2520 if (skb->len < sizeof(*info))
2521 return SMP_INVALID_PARAMS;
2523 /* Mark the information as received */
2524 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2526 if (smp->remote_key_dist & SMP_DIST_SIGN)
2527 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2529 skb_pull(skb, sizeof(*info));
2531 /* Strictly speaking the Core Specification (4.1) allows sending
2532 * an empty address which would force us to rely on just the IRK
2533 * as "identity information". However, since such
2534 * implementations are not known of and in order to not over
2535 * complicate our implementation, simply pretend that we never
2536 * received an IRK for such a device.
2538 * The Identity Address must also be a Static Random or Public
2539 * Address, which hci_is_identity_address() checks for.
2541 if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2542 !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2543 BT_ERR("Ignoring IRK with no identity address");
2547 bacpy(&smp->id_addr, &info->bdaddr);
2548 smp->id_addr_type = info->addr_type;
2550 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2551 bacpy(&rpa, &hcon->dst);
2553 bacpy(&rpa, BDADDR_ANY);
2555 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2556 smp->id_addr_type, smp->irk, &rpa);
2559 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2560 smp_distribute_keys(smp);
2565 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2567 struct smp_cmd_sign_info *rp = (void *) skb->data;
2568 struct l2cap_chan *chan = conn->smp;
2569 struct smp_chan *smp = chan->data;
2570 struct smp_csrk *csrk;
2572 BT_DBG("conn %p", conn);
2574 if (skb->len < sizeof(*rp))
2575 return SMP_INVALID_PARAMS;
2577 /* Mark the information as received */
2578 smp->remote_key_dist &= ~SMP_DIST_SIGN;
2580 skb_pull(skb, sizeof(*rp));
2582 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2584 if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2585 csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2587 csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2588 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2591 smp_distribute_keys(smp);
2596 static u8 sc_select_method(struct smp_chan *smp)
2598 struct l2cap_conn *conn = smp->conn;
2599 struct hci_conn *hcon = conn->hcon;
2600 struct smp_cmd_pairing *local, *remote;
2601 u8 local_mitm, remote_mitm, local_io, remote_io, method;
2603 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2604 test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2607 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2608 * which are needed as inputs to some crypto functions. To get
2609 * the "struct smp_cmd_pairing" from them we need to skip the
2610 * first byte which contains the opcode.
2613 local = (void *) &smp->preq[1];
2614 remote = (void *) &smp->prsp[1];
2616 local = (void *) &smp->prsp[1];
2617 remote = (void *) &smp->preq[1];
2620 local_io = local->io_capability;
2621 remote_io = remote->io_capability;
2623 local_mitm = (local->auth_req & SMP_AUTH_MITM);
2624 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2626 /* If either side wants MITM, look up the method from the table,
2627 * otherwise use JUST WORKS.
2629 if (local_mitm || remote_mitm)
2630 method = get_auth_method(smp, local_io, remote_io);
2632 method = JUST_WORKS;
2634 /* Don't confirm locally initiated pairing attempts */
2635 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2636 method = JUST_WORKS;
2641 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2643 struct smp_cmd_public_key *key = (void *) skb->data;
2644 struct hci_conn *hcon = conn->hcon;
2645 struct l2cap_chan *chan = conn->smp;
2646 struct smp_chan *smp = chan->data;
2647 struct hci_dev *hdev = hcon->hdev;
2648 struct smp_cmd_pairing_confirm cfm;
2651 BT_DBG("conn %p", conn);
2653 if (skb->len < sizeof(*key))
2654 return SMP_INVALID_PARAMS;
2656 memcpy(smp->remote_pk, key, 64);
2658 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2659 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2660 smp->rr, 0, cfm.confirm_val);
2662 return SMP_UNSPECIFIED;
2664 if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2665 return SMP_CONFIRM_FAILED;
2668 /* Non-initiating device sends its public key after receiving
2669 * the key from the initiating device.
2672 err = sc_send_public_key(smp);
2677 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2678 SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2680 if (!compute_ecdh_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2681 return SMP_UNSPECIFIED;
2683 SMP_DBG("DHKey %32phN", smp->dhkey);
2685 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2687 smp->method = sc_select_method(smp);
2689 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2691 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2692 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2693 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2695 hcon->pending_sec_level = BT_SECURITY_FIPS;
2697 if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2698 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2700 if (smp->method == DSP_PASSKEY) {
2701 get_random_bytes(&hcon->passkey_notify,
2702 sizeof(hcon->passkey_notify));
2703 hcon->passkey_notify %= 1000000;
2704 hcon->passkey_entered = 0;
2705 smp->passkey_round = 0;
2706 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2708 hcon->passkey_notify,
2709 hcon->passkey_entered))
2710 return SMP_UNSPECIFIED;
2711 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2712 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2715 if (smp->method == REQ_OOB) {
2717 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2718 sizeof(smp->prnd), smp->prnd);
2720 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2726 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2728 if (smp->method == REQ_PASSKEY) {
2729 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2731 return SMP_UNSPECIFIED;
2732 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2733 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2737 /* The Initiating device waits for the non-initiating device to
2738 * send the confirm value.
2740 if (conn->hcon->out)
2743 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2744 0, cfm.confirm_val);
2746 return SMP_UNSPECIFIED;
2748 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2749 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2754 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2756 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2757 struct l2cap_chan *chan = conn->smp;
2758 struct hci_conn *hcon = conn->hcon;
2759 struct smp_chan *smp = chan->data;
2760 u8 a[7], b[7], *local_addr, *remote_addr;
2761 u8 io_cap[3], r[16], e[16];
2764 BT_DBG("conn %p", conn);
2766 if (skb->len < sizeof(*check))
2767 return SMP_INVALID_PARAMS;
2769 memcpy(a, &hcon->init_addr, 6);
2770 memcpy(b, &hcon->resp_addr, 6);
2771 a[6] = hcon->init_addr_type;
2772 b[6] = hcon->resp_addr_type;
2777 memcpy(io_cap, &smp->prsp[1], 3);
2781 memcpy(io_cap, &smp->preq[1], 3);
2784 memset(r, 0, sizeof(r));
2786 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2787 put_unaligned_le32(hcon->passkey_notify, r);
2788 else if (smp->method == REQ_OOB)
2789 memcpy(r, smp->lr, 16);
2791 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2792 io_cap, remote_addr, local_addr, e);
2794 return SMP_UNSPECIFIED;
2796 if (crypto_memneq(check->e, e, 16))
2797 return SMP_DHKEY_CHECK_FAILED;
2800 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2801 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2805 /* Slave sends DHKey check as response to master */
2806 sc_dhkey_check(smp);
2812 hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2813 hcon->enc_key_size = smp->enc_key_size;
2819 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2820 struct sk_buff *skb)
2822 struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2824 BT_DBG("value 0x%02x", kp->value);
2829 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2831 struct l2cap_conn *conn = chan->conn;
2832 struct hci_conn *hcon = conn->hcon;
2833 struct smp_chan *smp;
2840 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2841 reason = SMP_PAIRING_NOTSUPP;
2845 code = skb->data[0];
2846 skb_pull(skb, sizeof(code));
2850 if (code > SMP_CMD_MAX)
2853 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2856 /* If we don't have a context the only allowed commands are
2857 * pairing request and security request.
2859 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2863 case SMP_CMD_PAIRING_REQ:
2864 reason = smp_cmd_pairing_req(conn, skb);
2867 case SMP_CMD_PAIRING_FAIL:
2868 smp_failure(conn, 0);
2872 case SMP_CMD_PAIRING_RSP:
2873 reason = smp_cmd_pairing_rsp(conn, skb);
2876 case SMP_CMD_SECURITY_REQ:
2877 reason = smp_cmd_security_req(conn, skb);
2880 case SMP_CMD_PAIRING_CONFIRM:
2881 reason = smp_cmd_pairing_confirm(conn, skb);
2884 case SMP_CMD_PAIRING_RANDOM:
2885 reason = smp_cmd_pairing_random(conn, skb);
2888 case SMP_CMD_ENCRYPT_INFO:
2889 reason = smp_cmd_encrypt_info(conn, skb);
2892 case SMP_CMD_MASTER_IDENT:
2893 reason = smp_cmd_master_ident(conn, skb);
2896 case SMP_CMD_IDENT_INFO:
2897 reason = smp_cmd_ident_info(conn, skb);
2900 case SMP_CMD_IDENT_ADDR_INFO:
2901 reason = smp_cmd_ident_addr_info(conn, skb);
2904 case SMP_CMD_SIGN_INFO:
2905 reason = smp_cmd_sign_info(conn, skb);
2908 case SMP_CMD_PUBLIC_KEY:
2909 reason = smp_cmd_public_key(conn, skb);
2912 case SMP_CMD_DHKEY_CHECK:
2913 reason = smp_cmd_dhkey_check(conn, skb);
2916 case SMP_CMD_KEYPRESS_NOTIFY:
2917 reason = smp_cmd_keypress_notify(conn, skb);
2921 BT_DBG("Unknown command code 0x%2.2x", code);
2922 reason = SMP_CMD_NOTSUPP;
2929 smp_failure(conn, reason);
2936 BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2942 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2944 struct l2cap_conn *conn = chan->conn;
2946 BT_DBG("chan %p", chan);
2949 smp_chan_destroy(conn);
2952 l2cap_chan_put(chan);
2955 static void bredr_pairing(struct l2cap_chan *chan)
2957 struct l2cap_conn *conn = chan->conn;
2958 struct hci_conn *hcon = conn->hcon;
2959 struct hci_dev *hdev = hcon->hdev;
2960 struct smp_cmd_pairing req;
2961 struct smp_chan *smp;
2963 BT_DBG("chan %p", chan);
2965 /* Only new pairings are interesting */
2966 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2969 /* Don't bother if we're not encrypted */
2970 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2973 /* Only master may initiate SMP over BR/EDR */
2974 if (hcon->role != HCI_ROLE_MASTER)
2977 /* Secure Connections support must be enabled */
2978 if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
2981 /* BR/EDR must use Secure Connections for SMP */
2982 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
2983 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
2986 /* If our LE support is not enabled don't do anything */
2987 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
2990 /* Don't bother if remote LE support is not enabled */
2991 if (!lmp_host_le_capable(hcon))
2994 /* Remote must support SMP fixed chan for BR/EDR */
2995 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
2998 /* Don't bother if SMP is already ongoing */
3002 smp = smp_chan_create(conn);
3004 BT_ERR("%s unable to create SMP context for BR/EDR",
3009 set_bit(SMP_FLAG_SC, &smp->flags);
3011 BT_DBG("%s starting SMP over BR/EDR", hdev->name);
3013 /* Prepare and send the BR/EDR SMP Pairing Request */
3014 build_bredr_pairing_cmd(smp, &req, NULL);
3016 smp->preq[0] = SMP_CMD_PAIRING_REQ;
3017 memcpy(&smp->preq[1], &req, sizeof(req));
3019 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3020 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3023 static void smp_resume_cb(struct l2cap_chan *chan)
3025 struct smp_chan *smp = chan->data;
3026 struct l2cap_conn *conn = chan->conn;
3027 struct hci_conn *hcon = conn->hcon;
3029 BT_DBG("chan %p", chan);
3031 if (hcon->type == ACL_LINK) {
3032 bredr_pairing(chan);
3039 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3042 cancel_delayed_work(&smp->security_timer);
3044 smp_distribute_keys(smp);
3047 static void smp_ready_cb(struct l2cap_chan *chan)
3049 struct l2cap_conn *conn = chan->conn;
3050 struct hci_conn *hcon = conn->hcon;
3052 BT_DBG("chan %p", chan);
3054 /* No need to call l2cap_chan_hold() here since we already own
3055 * the reference taken in smp_new_conn_cb(). This is just the
3056 * first time that we tie it to a specific pointer. The code in
3057 * l2cap_core.c ensures that there's no risk this function wont
3058 * get called if smp_new_conn_cb was previously called.
3062 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3063 bredr_pairing(chan);
3066 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3070 BT_DBG("chan %p", chan);
3072 err = smp_sig_channel(chan, skb);
3074 struct smp_chan *smp = chan->data;
3077 cancel_delayed_work_sync(&smp->security_timer);
3079 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3085 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3086 unsigned long hdr_len,
3087 unsigned long len, int nb)
3089 struct sk_buff *skb;
3091 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3093 return ERR_PTR(-ENOMEM);
3095 skb->priority = HCI_PRIO_MAX;
3096 bt_cb(skb)->l2cap.chan = chan;
3101 static const struct l2cap_ops smp_chan_ops = {
3102 .name = "Security Manager",
3103 .ready = smp_ready_cb,
3104 .recv = smp_recv_cb,
3105 .alloc_skb = smp_alloc_skb_cb,
3106 .teardown = smp_teardown_cb,
3107 .resume = smp_resume_cb,
3109 .new_connection = l2cap_chan_no_new_connection,
3110 .state_change = l2cap_chan_no_state_change,
3111 .close = l2cap_chan_no_close,
3112 .defer = l2cap_chan_no_defer,
3113 .suspend = l2cap_chan_no_suspend,
3114 .set_shutdown = l2cap_chan_no_set_shutdown,
3115 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
3118 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3120 struct l2cap_chan *chan;
3122 BT_DBG("pchan %p", pchan);
3124 chan = l2cap_chan_create();
3128 chan->chan_type = pchan->chan_type;
3129 chan->ops = &smp_chan_ops;
3130 chan->scid = pchan->scid;
3131 chan->dcid = chan->scid;
3132 chan->imtu = pchan->imtu;
3133 chan->omtu = pchan->omtu;
3134 chan->mode = pchan->mode;
3136 /* Other L2CAP channels may request SMP routines in order to
3137 * change the security level. This means that the SMP channel
3138 * lock must be considered in its own category to avoid lockdep
3141 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3143 BT_DBG("created chan %p", chan);
3148 static const struct l2cap_ops smp_root_chan_ops = {
3149 .name = "Security Manager Root",
3150 .new_connection = smp_new_conn_cb,
3152 /* None of these are implemented for the root channel */
3153 .close = l2cap_chan_no_close,
3154 .alloc_skb = l2cap_chan_no_alloc_skb,
3155 .recv = l2cap_chan_no_recv,
3156 .state_change = l2cap_chan_no_state_change,
3157 .teardown = l2cap_chan_no_teardown,
3158 .ready = l2cap_chan_no_ready,
3159 .defer = l2cap_chan_no_defer,
3160 .suspend = l2cap_chan_no_suspend,
3161 .resume = l2cap_chan_no_resume,
3162 .set_shutdown = l2cap_chan_no_set_shutdown,
3163 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
3166 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3168 struct l2cap_chan *chan;
3169 struct smp_dev *smp;
3170 struct crypto_cipher *tfm_aes;
3171 struct crypto_shash *tfm_cmac;
3173 if (cid == L2CAP_CID_SMP_BREDR) {
3178 smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3180 return ERR_PTR(-ENOMEM);
3182 tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
3183 if (IS_ERR(tfm_aes)) {
3184 BT_ERR("Unable to create AES crypto context");
3186 return ERR_CAST(tfm_aes);
3189 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3190 if (IS_ERR(tfm_cmac)) {
3191 BT_ERR("Unable to create CMAC crypto context");
3192 crypto_free_cipher(tfm_aes);
3194 return ERR_CAST(tfm_cmac);
3197 smp->tfm_aes = tfm_aes;
3198 smp->tfm_cmac = tfm_cmac;
3199 smp->min_key_size = SMP_MIN_ENC_KEY_SIZE;
3200 smp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
3203 chan = l2cap_chan_create();
3206 crypto_free_cipher(smp->tfm_aes);
3207 crypto_free_shash(smp->tfm_cmac);
3210 return ERR_PTR(-ENOMEM);
3215 l2cap_add_scid(chan, cid);
3217 l2cap_chan_set_defaults(chan);
3219 if (cid == L2CAP_CID_SMP) {
3222 hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3224 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3225 chan->src_type = BDADDR_LE_PUBLIC;
3227 chan->src_type = BDADDR_LE_RANDOM;
3229 bacpy(&chan->src, &hdev->bdaddr);
3230 chan->src_type = BDADDR_BREDR;
3233 chan->state = BT_LISTEN;
3234 chan->mode = L2CAP_MODE_BASIC;
3235 chan->imtu = L2CAP_DEFAULT_MTU;
3236 chan->ops = &smp_root_chan_ops;
3238 /* Set correct nesting level for a parent/listening channel */
3239 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3244 static void smp_del_chan(struct l2cap_chan *chan)
3246 struct smp_dev *smp;
3248 BT_DBG("chan %p", chan);
3253 crypto_free_cipher(smp->tfm_aes);
3254 crypto_free_shash(smp->tfm_cmac);
3258 l2cap_chan_put(chan);
3261 static ssize_t force_bredr_smp_read(struct file *file,
3262 char __user *user_buf,
3263 size_t count, loff_t *ppos)
3265 struct hci_dev *hdev = file->private_data;
3268 buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3271 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3274 static ssize_t force_bredr_smp_write(struct file *file,
3275 const char __user *user_buf,
3276 size_t count, loff_t *ppos)
3278 struct hci_dev *hdev = file->private_data;
3280 size_t buf_size = min(count, (sizeof(buf)-1));
3283 if (copy_from_user(buf, user_buf, buf_size))
3286 buf[buf_size] = '\0';
3287 if (strtobool(buf, &enable))
3290 if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3294 struct l2cap_chan *chan;
3296 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3298 return PTR_ERR(chan);
3300 hdev->smp_bredr_data = chan;
3302 struct l2cap_chan *chan;
3304 chan = hdev->smp_bredr_data;
3305 hdev->smp_bredr_data = NULL;
3309 hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3314 static const struct file_operations force_bredr_smp_fops = {
3315 .open = simple_open,
3316 .read = force_bredr_smp_read,
3317 .write = force_bredr_smp_write,
3318 .llseek = default_llseek,
3321 static ssize_t le_min_key_size_read(struct file *file,
3322 char __user *user_buf,
3323 size_t count, loff_t *ppos)
3325 struct hci_dev *hdev = file->private_data;
3328 snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->min_key_size);
3330 return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3333 static ssize_t le_min_key_size_write(struct file *file,
3334 const char __user *user_buf,
3335 size_t count, loff_t *ppos)
3337 struct hci_dev *hdev = file->private_data;
3339 size_t buf_size = min(count, (sizeof(buf) - 1));
3342 if (copy_from_user(buf, user_buf, buf_size))
3345 buf[buf_size] = '\0';
3347 sscanf(buf, "%hhu", &key_size);
3349 if (key_size > SMP_DEV(hdev)->max_key_size ||
3350 key_size < SMP_MIN_ENC_KEY_SIZE)
3353 SMP_DEV(hdev)->min_key_size = key_size;
3358 static const struct file_operations le_min_key_size_fops = {
3359 .open = simple_open,
3360 .read = le_min_key_size_read,
3361 .write = le_min_key_size_write,
3362 .llseek = default_llseek,
3365 static ssize_t le_max_key_size_read(struct file *file,
3366 char __user *user_buf,
3367 size_t count, loff_t *ppos)
3369 struct hci_dev *hdev = file->private_data;
3372 snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->max_key_size);
3374 return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3377 static ssize_t le_max_key_size_write(struct file *file,
3378 const char __user *user_buf,
3379 size_t count, loff_t *ppos)
3381 struct hci_dev *hdev = file->private_data;
3383 size_t buf_size = min(count, (sizeof(buf) - 1));
3386 if (copy_from_user(buf, user_buf, buf_size))
3389 buf[buf_size] = '\0';
3391 sscanf(buf, "%hhu", &key_size);
3393 if (key_size > SMP_MAX_ENC_KEY_SIZE ||
3394 key_size < SMP_DEV(hdev)->min_key_size)
3397 SMP_DEV(hdev)->max_key_size = key_size;
3402 static const struct file_operations le_max_key_size_fops = {
3403 .open = simple_open,
3404 .read = le_max_key_size_read,
3405 .write = le_max_key_size_write,
3406 .llseek = default_llseek,
3409 int smp_register(struct hci_dev *hdev)
3411 struct l2cap_chan *chan;
3413 BT_DBG("%s", hdev->name);
3415 /* If the controller does not support Low Energy operation, then
3416 * there is also no need to register any SMP channel.
3418 if (!lmp_le_capable(hdev))
3421 if (WARN_ON(hdev->smp_data)) {
3422 chan = hdev->smp_data;
3423 hdev->smp_data = NULL;
3427 chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3429 return PTR_ERR(chan);
3431 hdev->smp_data = chan;
3433 debugfs_create_file("le_min_key_size", 0644, hdev->debugfs, hdev,
3434 &le_min_key_size_fops);
3435 debugfs_create_file("le_max_key_size", 0644, hdev->debugfs, hdev,
3436 &le_max_key_size_fops);
3438 /* If the controller does not support BR/EDR Secure Connections
3439 * feature, then the BR/EDR SMP channel shall not be present.
3441 * To test this with Bluetooth 4.0 controllers, create a debugfs
3442 * switch that allows forcing BR/EDR SMP support and accepting
3443 * cross-transport pairing on non-AES encrypted connections.
3445 if (!lmp_sc_capable(hdev)) {
3446 debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3447 hdev, &force_bredr_smp_fops);
3449 /* Flag can be already set here (due to power toggle) */
3450 if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3454 if (WARN_ON(hdev->smp_bredr_data)) {
3455 chan = hdev->smp_bredr_data;
3456 hdev->smp_bredr_data = NULL;
3460 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3462 int err = PTR_ERR(chan);
3463 chan = hdev->smp_data;
3464 hdev->smp_data = NULL;
3469 hdev->smp_bredr_data = chan;
3474 void smp_unregister(struct hci_dev *hdev)
3476 struct l2cap_chan *chan;
3478 if (hdev->smp_bredr_data) {
3479 chan = hdev->smp_bredr_data;
3480 hdev->smp_bredr_data = NULL;
3484 if (hdev->smp_data) {
3485 chan = hdev->smp_data;
3486 hdev->smp_data = NULL;
3491 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3493 static inline void swap_digits(u64 *in, u64 *out, unsigned int ndigits)
3497 for (i = 0; i < ndigits; i++)
3498 out[i] = __swab64(in[ndigits - 1 - i]);
3501 static int __init test_debug_key(void)
3505 swap_digits((u64 *)debug_sk, (u64 *)sk, 4);
3507 if (!generate_ecdh_keys(pk, sk))
3510 if (crypto_memneq(sk, debug_sk, 32))
3513 if (crypto_memneq(pk, debug_pk, 64))
3519 static int __init test_ah(struct crypto_cipher *tfm_aes)
3521 const u8 irk[16] = {
3522 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3523 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3524 const u8 r[3] = { 0x94, 0x81, 0x70 };
3525 const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3529 err = smp_ah(tfm_aes, irk, r, res);
3533 if (crypto_memneq(res, exp, 3))
3539 static int __init test_c1(struct crypto_cipher *tfm_aes)
3542 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3543 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3545 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3546 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3547 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3548 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3549 const u8 _iat = 0x01;
3550 const u8 _rat = 0x00;
3551 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3552 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3553 const u8 exp[16] = {
3554 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3555 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3559 err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3563 if (crypto_memneq(res, exp, 16))
3569 static int __init test_s1(struct crypto_cipher *tfm_aes)
3572 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3573 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3575 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3577 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3578 const u8 exp[16] = {
3579 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3580 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3584 err = smp_s1(tfm_aes, k, r1, r2, res);
3588 if (crypto_memneq(res, exp, 16))
3594 static int __init test_f4(struct crypto_shash *tfm_cmac)
3597 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3598 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3599 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3600 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3602 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3603 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3604 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3605 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3607 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3608 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3610 const u8 exp[16] = {
3611 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3612 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3616 err = smp_f4(tfm_cmac, u, v, x, z, res);
3620 if (crypto_memneq(res, exp, 16))
3626 static int __init test_f5(struct crypto_shash *tfm_cmac)
3629 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3630 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3631 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3632 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3634 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3635 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3637 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3638 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3639 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3640 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3641 const u8 exp_ltk[16] = {
3642 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3643 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3644 const u8 exp_mackey[16] = {
3645 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3646 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3647 u8 mackey[16], ltk[16];
3650 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3654 if (crypto_memneq(mackey, exp_mackey, 16))
3657 if (crypto_memneq(ltk, exp_ltk, 16))
3663 static int __init test_f6(struct crypto_shash *tfm_cmac)
3666 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3667 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3669 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3670 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3672 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3673 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3675 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3676 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3677 const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3678 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3679 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3680 const u8 exp[16] = {
3681 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3682 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3686 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3690 if (crypto_memneq(res, exp, 16))
3696 static int __init test_g2(struct crypto_shash *tfm_cmac)
3699 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3700 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3701 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3702 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3704 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3705 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3706 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3707 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3709 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3710 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3712 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3713 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3714 const u32 exp_val = 0x2f9ed5ba % 1000000;
3718 err = smp_g2(tfm_cmac, u, v, x, y, &val);
3728 static int __init test_h6(struct crypto_shash *tfm_cmac)
3731 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3732 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3733 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3734 const u8 exp[16] = {
3735 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3736 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3740 err = smp_h6(tfm_cmac, w, key_id, res);
3744 if (crypto_memneq(res, exp, 16))
3750 static char test_smp_buffer[32];
3752 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3753 size_t count, loff_t *ppos)
3755 return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3756 strlen(test_smp_buffer));
3759 static const struct file_operations test_smp_fops = {
3760 .open = simple_open,
3761 .read = test_smp_read,
3762 .llseek = default_llseek,
3765 static int __init run_selftests(struct crypto_cipher *tfm_aes,
3766 struct crypto_shash *tfm_cmac)
3768 ktime_t calltime, delta, rettime;
3769 unsigned long long duration;
3772 calltime = ktime_get();
3774 err = test_debug_key();
3776 BT_ERR("debug_key test failed");
3780 err = test_ah(tfm_aes);
3782 BT_ERR("smp_ah test failed");
3786 err = test_c1(tfm_aes);
3788 BT_ERR("smp_c1 test failed");
3792 err = test_s1(tfm_aes);
3794 BT_ERR("smp_s1 test failed");
3798 err = test_f4(tfm_cmac);
3800 BT_ERR("smp_f4 test failed");
3804 err = test_f5(tfm_cmac);
3806 BT_ERR("smp_f5 test failed");
3810 err = test_f6(tfm_cmac);
3812 BT_ERR("smp_f6 test failed");
3816 err = test_g2(tfm_cmac);
3818 BT_ERR("smp_g2 test failed");
3822 err = test_h6(tfm_cmac);
3824 BT_ERR("smp_h6 test failed");
3828 rettime = ktime_get();
3829 delta = ktime_sub(rettime, calltime);
3830 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3832 BT_INFO("SMP test passed in %llu usecs", duration);
3836 snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3837 "PASS (%llu usecs)\n", duration);
3839 snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3841 debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3847 int __init bt_selftest_smp(void)
3849 struct crypto_cipher *tfm_aes;
3850 struct crypto_shash *tfm_cmac;
3853 tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
3854 if (IS_ERR(tfm_aes)) {
3855 BT_ERR("Unable to create AES crypto context");
3856 return PTR_ERR(tfm_aes);
3859 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3860 if (IS_ERR(tfm_cmac)) {
3861 BT_ERR("Unable to create CMAC crypto context");
3862 crypto_free_cipher(tfm_aes);
3863 return PTR_ERR(tfm_cmac);
3866 err = run_selftests(tfm_aes, tfm_cmac);
3868 crypto_free_shash(tfm_cmac);
3869 crypto_free_cipher(tfm_aes);
projects / karo-tx-linux.git / blob