2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
23 #include <linux/debugfs.h>
24 #include <linux/scatterlist.h>
25 #include <linux/crypto.h>
26 #include <crypto/algapi.h>
27 #include <crypto/b128ops.h>
28 #include <crypto/hash.h>
29 #include <crypto/kpp.h>
31 #include <net/bluetooth/bluetooth.h>
32 #include <net/bluetooth/hci_core.h>
33 #include <net/bluetooth/l2cap.h>
34 #include <net/bluetooth/mgmt.h>
36 #include "ecdh_helper.h"
39 #define SMP_DEV(hdev) \
40 ((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
42 /* Low-level debug macros to be used for stuff that we don't want
43 * accidentially in dmesg, i.e. the values of the various crypto keys
44 * and the inputs & outputs of crypto functions.
47 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
50 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
54 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
56 /* Keys which are not distributed with Secure Connections */
57 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
59 #define SMP_TIMEOUT msecs_to_jiffies(30000)
61 #define AUTH_REQ_MASK(dev) (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
63 #define KEY_DIST_MASK 0x07
65 /* Maximum message length that can be passed to aes_cmac */
66 #define CMAC_MSG_MAX 80
78 SMP_FLAG_DHKEY_PENDING,
85 /* Secure Connections OOB data */
91 struct crypto_cipher *tfm_aes;
92 struct crypto_shash *tfm_cmac;
93 struct crypto_kpp *tfm_ecdh;
97 struct l2cap_conn *conn;
98 struct delayed_work security_timer;
99 unsigned long allow_cmd; /* Bitmask of allowed commands */
101 u8 preq[7]; /* SMP Pairing Request */
102 u8 prsp[7]; /* SMP Pairing Response */
103 u8 prnd[16]; /* SMP Pairing Random (local) */
104 u8 rrnd[16]; /* SMP Pairing Random (remote) */
105 u8 pcnf[16]; /* SMP Pairing Confirm */
106 u8 tk[16]; /* SMP Temporary Key */
107 u8 rr[16]; /* Remote OOB ra/rb value */
108 u8 lr[16]; /* Local OOB ra/rb value */
114 struct smp_csrk *csrk;
115 struct smp_csrk *slave_csrk;
117 struct smp_ltk *slave_ltk;
118 struct smp_irk *remote_irk;
124 /* Secure Connections variables */
130 struct crypto_cipher *tfm_aes;
131 struct crypto_shash *tfm_cmac;
132 struct crypto_kpp *tfm_ecdh;
135 /* These debug key values are defined in the SMP section of the core
136 * specification. debug_pk is the public debug key and debug_sk the
139 static const u8 debug_pk[64] = {
140 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
141 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
142 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
143 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
145 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
146 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
147 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
148 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
151 static const u8 debug_sk[32] = {
152 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
153 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
154 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
155 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
158 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
162 for (i = 0; i < len; i++)
163 dst[len - 1 - i] = src[i];
166 /* The following functions map to the LE SC SMP crypto functions
167 * AES-CMAC, f4, f5, f6, g2 and h6.
170 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
171 size_t len, u8 mac[16])
173 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
174 SHASH_DESC_ON_STACK(desc, tfm);
177 if (len > CMAC_MSG_MAX)
181 BT_ERR("tfm %p", tfm);
187 /* Swap key and message from LSB to MSB */
188 swap_buf(k, tmp, 16);
189 swap_buf(m, msg_msb, len);
191 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
192 SMP_DBG("key %16phN", k);
194 err = crypto_shash_setkey(tfm, tmp, 16);
196 BT_ERR("cipher setkey failed: %d", err);
200 err = crypto_shash_digest(desc, msg_msb, len, mac_msb);
201 shash_desc_zero(desc);
203 BT_ERR("Hash computation error %d", err);
207 swap_buf(mac_msb, mac, 16);
209 SMP_DBG("mac %16phN", mac);
214 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
215 const u8 v[32], const u8 x[16], u8 z, u8 res[16])
220 SMP_DBG("u %32phN", u);
221 SMP_DBG("v %32phN", v);
222 SMP_DBG("x %16phN z %02x", x, z);
225 memcpy(m + 1, v, 32);
226 memcpy(m + 33, u, 32);
228 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
232 SMP_DBG("res %16phN", res);
237 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
238 const u8 n1[16], const u8 n2[16], const u8 a1[7],
239 const u8 a2[7], u8 mackey[16], u8 ltk[16])
241 /* The btle, salt and length "magic" values are as defined in
242 * the SMP section of the Bluetooth core specification. In ASCII
243 * the btle value ends up being 'btle'. The salt is just a
244 * random number whereas length is the value 256 in little
247 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
248 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
249 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
250 const u8 length[2] = { 0x00, 0x01 };
254 SMP_DBG("w %32phN", w);
255 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
256 SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
258 err = aes_cmac(tfm_cmac, salt, w, 32, t);
262 SMP_DBG("t %16phN", t);
264 memcpy(m, length, 2);
265 memcpy(m + 2, a2, 7);
266 memcpy(m + 9, a1, 7);
267 memcpy(m + 16, n2, 16);
268 memcpy(m + 32, n1, 16);
269 memcpy(m + 48, btle, 4);
271 m[52] = 0; /* Counter */
273 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
277 SMP_DBG("mackey %16phN", mackey);
279 m[52] = 1; /* Counter */
281 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
285 SMP_DBG("ltk %16phN", ltk);
290 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
291 const u8 n1[16], const u8 n2[16], const u8 r[16],
292 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
298 SMP_DBG("w %16phN", w);
299 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
300 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
303 memcpy(m + 7, a1, 7);
304 memcpy(m + 14, io_cap, 3);
305 memcpy(m + 17, r, 16);
306 memcpy(m + 33, n2, 16);
307 memcpy(m + 49, n1, 16);
309 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
313 SMP_DBG("res %16phN", res);
318 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
319 const u8 x[16], const u8 y[16], u32 *val)
324 SMP_DBG("u %32phN", u);
325 SMP_DBG("v %32phN", v);
326 SMP_DBG("x %16phN y %16phN", x, y);
329 memcpy(m + 16, v, 32);
330 memcpy(m + 48, u, 32);
332 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
336 *val = get_unaligned_le32(tmp);
339 SMP_DBG("val %06u", *val);
344 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
345 const u8 key_id[4], u8 res[16])
349 SMP_DBG("w %16phN key_id %4phN", w, key_id);
351 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
355 SMP_DBG("res %16phN", res);
360 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
361 const u8 salt[16], u8 res[16])
365 SMP_DBG("w %16phN salt %16phN", w, salt);
367 err = aes_cmac(tfm_cmac, salt, w, 16, res);
371 SMP_DBG("res %16phN", res);
376 /* The following functions map to the legacy SMP crypto functions e, c1,
380 static int smp_e(struct crypto_cipher *tfm, const u8 *k, u8 *r)
382 uint8_t tmp[16], data[16];
385 SMP_DBG("k %16phN r %16phN", k, r);
388 BT_ERR("tfm %p", tfm);
392 /* The most significant octet of key corresponds to k[0] */
393 swap_buf(k, tmp, 16);
395 err = crypto_cipher_setkey(tfm, tmp, 16);
397 BT_ERR("cipher setkey failed: %d", err);
401 /* Most significant octet of plaintextData corresponds to data[0] */
402 swap_buf(r, data, 16);
404 crypto_cipher_encrypt_one(tfm, data, data);
406 /* Most significant octet of encryptedData corresponds to data[0] */
407 swap_buf(data, r, 16);
409 SMP_DBG("r %16phN", r);
414 static int smp_c1(struct crypto_cipher *tfm_aes, const u8 k[16],
415 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
416 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
421 SMP_DBG("k %16phN r %16phN", k, r);
422 SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
423 SMP_DBG("preq %7phN pres %7phN", preq, pres);
427 /* p1 = pres || preq || _rat || _iat */
430 memcpy(p1 + 2, preq, 7);
431 memcpy(p1 + 9, pres, 7);
433 SMP_DBG("p1 %16phN", p1);
436 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
438 /* res = e(k, res) */
439 err = smp_e(tfm_aes, k, res);
441 BT_ERR("Encrypt data error");
445 /* p2 = padding || ia || ra */
447 memcpy(p2 + 6, ia, 6);
448 memset(p2 + 12, 0, 4);
450 SMP_DBG("p2 %16phN", p2);
452 /* res = res XOR p2 */
453 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
455 /* res = e(k, res) */
456 err = smp_e(tfm_aes, k, res);
458 BT_ERR("Encrypt data error");
463 static int smp_s1(struct crypto_cipher *tfm_aes, const u8 k[16],
464 const u8 r1[16], const u8 r2[16], u8 _r[16])
468 /* Just least significant octets from r1 and r2 are considered */
470 memcpy(_r + 8, r1, 8);
472 err = smp_e(tfm_aes, k, _r);
474 BT_ERR("Encrypt data error");
479 static int smp_ah(struct crypto_cipher *tfm, const u8 irk[16],
480 const u8 r[3], u8 res[3])
485 /* r' = padding || r */
487 memset(_res + 3, 0, 13);
489 err = smp_e(tfm, irk, _res);
491 BT_ERR("Encrypt error");
495 /* The output of the random address function ah is:
496 * ah(k, r) = e(k, r') mod 2^24
497 * The output of the security function e is then truncated to 24 bits
498 * by taking the least significant 24 bits of the output of e as the
501 memcpy(res, _res, 3);
506 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
507 const bdaddr_t *bdaddr)
509 struct l2cap_chan *chan = hdev->smp_data;
514 if (!chan || !chan->data)
519 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
521 err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash);
525 return !crypto_memneq(bdaddr->b, hash, 3);
528 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
530 struct l2cap_chan *chan = hdev->smp_data;
534 if (!chan || !chan->data)
539 get_random_bytes(&rpa->b[3], 3);
541 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
542 rpa->b[5] |= 0x40; /* Set second most significant bit */
544 err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b);
548 BT_DBG("RPA %pMR", rpa);
553 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
555 struct l2cap_chan *chan = hdev->smp_data;
559 if (!chan || !chan->data)
564 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
565 BT_DBG("Using debug keys");
566 err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk);
569 memcpy(smp->local_pk, debug_pk, 64);
570 smp->debug_key = true;
573 /* Generate key pair for Secure Connections */
574 err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk);
578 /* This is unlikely, but we need to check that
579 * we didn't accidentially generate a debug key.
581 if (crypto_memneq(smp->local_pk, debug_pk, 64))
584 smp->debug_key = false;
587 SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
588 SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
590 get_random_bytes(smp->local_rand, 16);
592 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
593 smp->local_rand, 0, hash);
597 memcpy(rand, smp->local_rand, 16);
599 smp->local_oob = true;
604 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
606 struct l2cap_chan *chan = conn->smp;
607 struct smp_chan *smp;
614 BT_DBG("code 0x%2.2x", code);
616 iv[0].iov_base = &code;
619 iv[1].iov_base = data;
622 memset(&msg, 0, sizeof(msg));
624 iov_iter_kvec(&msg.msg_iter, WRITE, iv, 2, 1 + len);
626 l2cap_chan_send(chan, &msg, 1 + len);
633 cancel_delayed_work_sync(&smp->security_timer);
634 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
637 static u8 authreq_to_seclevel(u8 authreq)
639 if (authreq & SMP_AUTH_MITM) {
640 if (authreq & SMP_AUTH_SC)
641 return BT_SECURITY_FIPS;
643 return BT_SECURITY_HIGH;
645 return BT_SECURITY_MEDIUM;
649 static __u8 seclevel_to_authreq(__u8 sec_level)
652 case BT_SECURITY_FIPS:
653 case BT_SECURITY_HIGH:
654 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
655 case BT_SECURITY_MEDIUM:
656 return SMP_AUTH_BONDING;
658 return SMP_AUTH_NONE;
662 static void build_pairing_cmd(struct l2cap_conn *conn,
663 struct smp_cmd_pairing *req,
664 struct smp_cmd_pairing *rsp, __u8 authreq)
666 struct l2cap_chan *chan = conn->smp;
667 struct smp_chan *smp = chan->data;
668 struct hci_conn *hcon = conn->hcon;
669 struct hci_dev *hdev = hcon->hdev;
670 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
672 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
673 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
674 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
675 authreq |= SMP_AUTH_BONDING;
677 authreq &= ~SMP_AUTH_BONDING;
680 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
681 remote_dist |= SMP_DIST_ID_KEY;
683 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
684 local_dist |= SMP_DIST_ID_KEY;
686 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
687 (authreq & SMP_AUTH_SC)) {
688 struct oob_data *oob_data;
691 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
692 local_dist |= SMP_DIST_LINK_KEY;
693 remote_dist |= SMP_DIST_LINK_KEY;
696 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
697 bdaddr_type = BDADDR_LE_PUBLIC;
699 bdaddr_type = BDADDR_LE_RANDOM;
701 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
703 if (oob_data && oob_data->present) {
704 set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
705 oob_flag = SMP_OOB_PRESENT;
706 memcpy(smp->rr, oob_data->rand256, 16);
707 memcpy(smp->pcnf, oob_data->hash256, 16);
708 SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
709 SMP_DBG("OOB Remote Random: %16phN", smp->rr);
713 authreq &= ~SMP_AUTH_SC;
717 req->io_capability = conn->hcon->io_capability;
718 req->oob_flag = oob_flag;
719 req->max_key_size = hdev->le_max_key_size;
720 req->init_key_dist = local_dist;
721 req->resp_key_dist = remote_dist;
722 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
724 smp->remote_key_dist = remote_dist;
728 rsp->io_capability = conn->hcon->io_capability;
729 rsp->oob_flag = oob_flag;
730 rsp->max_key_size = hdev->le_max_key_size;
731 rsp->init_key_dist = req->init_key_dist & remote_dist;
732 rsp->resp_key_dist = req->resp_key_dist & local_dist;
733 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
735 smp->remote_key_dist = rsp->init_key_dist;
738 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
740 struct l2cap_chan *chan = conn->smp;
741 struct hci_dev *hdev = conn->hcon->hdev;
742 struct smp_chan *smp = chan->data;
744 if (max_key_size > hdev->le_max_key_size ||
745 max_key_size < SMP_MIN_ENC_KEY_SIZE)
746 return SMP_ENC_KEY_SIZE;
748 smp->enc_key_size = max_key_size;
753 static void smp_chan_destroy(struct l2cap_conn *conn)
755 struct l2cap_chan *chan = conn->smp;
756 struct smp_chan *smp = chan->data;
757 struct hci_conn *hcon = conn->hcon;
762 cancel_delayed_work_sync(&smp->security_timer);
764 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
765 mgmt_smp_complete(hcon, complete);
768 kzfree(smp->slave_csrk);
769 kzfree(smp->link_key);
771 crypto_free_cipher(smp->tfm_aes);
772 crypto_free_shash(smp->tfm_cmac);
773 crypto_free_kpp(smp->tfm_ecdh);
775 /* Ensure that we don't leave any debug key around if debug key
776 * support hasn't been explicitly enabled.
778 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
779 !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
780 list_del_rcu(&smp->ltk->list);
781 kfree_rcu(smp->ltk, rcu);
785 /* If pairing failed clean up any keys we might have */
788 list_del_rcu(&smp->ltk->list);
789 kfree_rcu(smp->ltk, rcu);
792 if (smp->slave_ltk) {
793 list_del_rcu(&smp->slave_ltk->list);
794 kfree_rcu(smp->slave_ltk, rcu);
797 if (smp->remote_irk) {
798 list_del_rcu(&smp->remote_irk->list);
799 kfree_rcu(smp->remote_irk, rcu);
808 static void smp_failure(struct l2cap_conn *conn, u8 reason)
810 struct hci_conn *hcon = conn->hcon;
811 struct l2cap_chan *chan = conn->smp;
814 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
817 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
820 smp_chan_destroy(conn);
823 #define JUST_WORKS 0x00
824 #define JUST_CFM 0x01
825 #define REQ_PASSKEY 0x02
826 #define CFM_PASSKEY 0x03
828 #define DSP_PASSKEY 0x05
831 static const u8 gen_method[5][5] = {
832 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
833 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
834 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
835 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
836 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
839 static const u8 sc_method[5][5] = {
840 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
841 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
842 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
843 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
844 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
847 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
849 /* If either side has unknown io_caps, use JUST_CFM (which gets
850 * converted later to JUST_WORKS if we're initiators.
852 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
853 remote_io > SMP_IO_KEYBOARD_DISPLAY)
856 if (test_bit(SMP_FLAG_SC, &smp->flags))
857 return sc_method[remote_io][local_io];
859 return gen_method[remote_io][local_io];
862 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
863 u8 local_io, u8 remote_io)
865 struct hci_conn *hcon = conn->hcon;
866 struct l2cap_chan *chan = conn->smp;
867 struct smp_chan *smp = chan->data;
871 /* Initialize key for JUST WORKS */
872 memset(smp->tk, 0, sizeof(smp->tk));
873 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
875 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
877 /* If neither side wants MITM, either "just" confirm an incoming
878 * request or use just-works for outgoing ones. The JUST_CFM
879 * will be converted to JUST_WORKS if necessary later in this
880 * function. If either side has MITM look up the method from the
883 if (!(auth & SMP_AUTH_MITM))
884 smp->method = JUST_CFM;
886 smp->method = get_auth_method(smp, local_io, remote_io);
888 /* Don't confirm locally initiated pairing attempts */
889 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
891 smp->method = JUST_WORKS;
893 /* Don't bother user space with no IO capabilities */
894 if (smp->method == JUST_CFM &&
895 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
896 smp->method = JUST_WORKS;
898 /* If Just Works, Continue with Zero TK */
899 if (smp->method == JUST_WORKS) {
900 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
904 /* If this function is used for SC -> legacy fallback we
905 * can only recover the just-works case.
907 if (test_bit(SMP_FLAG_SC, &smp->flags))
910 /* Not Just Works/Confirm results in MITM Authentication */
911 if (smp->method != JUST_CFM) {
912 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
913 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
914 hcon->pending_sec_level = BT_SECURITY_HIGH;
917 /* If both devices have Keyoard-Display I/O, the master
918 * Confirms and the slave Enters the passkey.
920 if (smp->method == OVERLAP) {
921 if (hcon->role == HCI_ROLE_MASTER)
922 smp->method = CFM_PASSKEY;
924 smp->method = REQ_PASSKEY;
927 /* Generate random passkey. */
928 if (smp->method == CFM_PASSKEY) {
929 memset(smp->tk, 0, sizeof(smp->tk));
930 get_random_bytes(&passkey, sizeof(passkey));
932 put_unaligned_le32(passkey, smp->tk);
933 BT_DBG("PassKey: %d", passkey);
934 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
937 if (smp->method == REQ_PASSKEY)
938 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
939 hcon->type, hcon->dst_type);
940 else if (smp->method == JUST_CFM)
941 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
942 hcon->type, hcon->dst_type,
945 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
946 hcon->type, hcon->dst_type,
952 static u8 smp_confirm(struct smp_chan *smp)
954 struct l2cap_conn *conn = smp->conn;
955 struct smp_cmd_pairing_confirm cp;
958 BT_DBG("conn %p", conn);
960 ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
961 conn->hcon->init_addr_type, &conn->hcon->init_addr,
962 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
965 return SMP_UNSPECIFIED;
967 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
969 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
972 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
974 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
979 static u8 smp_random(struct smp_chan *smp)
981 struct l2cap_conn *conn = smp->conn;
982 struct hci_conn *hcon = conn->hcon;
986 if (IS_ERR_OR_NULL(smp->tfm_aes))
987 return SMP_UNSPECIFIED;
989 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
991 ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
992 hcon->init_addr_type, &hcon->init_addr,
993 hcon->resp_addr_type, &hcon->resp_addr, confirm);
995 return SMP_UNSPECIFIED;
997 if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
998 bt_dev_err(hcon->hdev, "pairing failed "
999 "(confirmation values mismatch)");
1000 return SMP_CONFIRM_FAILED;
1008 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
1010 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1011 return SMP_UNSPECIFIED;
1013 hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1014 hcon->enc_key_size = smp->enc_key_size;
1015 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1021 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1024 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
1026 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1031 /* Even though there's no _SLAVE suffix this is the
1032 * slave STK we're adding for later lookup (the master
1033 * STK never needs to be stored).
1035 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1036 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1042 static void smp_notify_keys(struct l2cap_conn *conn)
1044 struct l2cap_chan *chan = conn->smp;
1045 struct smp_chan *smp = chan->data;
1046 struct hci_conn *hcon = conn->hcon;
1047 struct hci_dev *hdev = hcon->hdev;
1048 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1049 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1052 if (hcon->type == ACL_LINK) {
1053 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1056 persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1059 /* The LTKs, IRKs and CSRKs should be persistent only if
1060 * both sides had the bonding bit set in their
1061 * authentication requests.
1063 persistent = !!((req->auth_req & rsp->auth_req) &
1067 if (smp->remote_irk) {
1068 mgmt_new_irk(hdev, smp->remote_irk, persistent);
1070 /* Now that user space can be considered to know the
1071 * identity address track the connection based on it
1072 * from now on (assuming this is an LE link).
1074 if (hcon->type == LE_LINK) {
1075 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1076 hcon->dst_type = smp->remote_irk->addr_type;
1077 queue_work(hdev->workqueue, &conn->id_addr_update_work);
1082 smp->csrk->bdaddr_type = hcon->dst_type;
1083 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1084 mgmt_new_csrk(hdev, smp->csrk, persistent);
1087 if (smp->slave_csrk) {
1088 smp->slave_csrk->bdaddr_type = hcon->dst_type;
1089 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1090 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1094 smp->ltk->bdaddr_type = hcon->dst_type;
1095 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1096 mgmt_new_ltk(hdev, smp->ltk, persistent);
1099 if (smp->slave_ltk) {
1100 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1101 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1102 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1105 if (smp->link_key) {
1106 struct link_key *key;
1109 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1110 type = HCI_LK_DEBUG_COMBINATION;
1111 else if (hcon->sec_level == BT_SECURITY_FIPS)
1112 type = HCI_LK_AUTH_COMBINATION_P256;
1114 type = HCI_LK_UNAUTH_COMBINATION_P256;
1116 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1117 smp->link_key, type, 0, &persistent);
1119 mgmt_new_link_key(hdev, key, persistent);
1121 /* Don't keep debug keys around if the relevant
1124 if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1125 key->type == HCI_LK_DEBUG_COMBINATION) {
1126 list_del_rcu(&key->list);
1127 kfree_rcu(key, rcu);
1133 static void sc_add_ltk(struct smp_chan *smp)
1135 struct hci_conn *hcon = smp->conn->hcon;
1138 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1139 key_type = SMP_LTK_P256_DEBUG;
1141 key_type = SMP_LTK_P256;
1143 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1148 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1149 key_type, auth, smp->tk, smp->enc_key_size,
1153 static void sc_generate_link_key(struct smp_chan *smp)
1155 /* From core spec. Spells out in ASCII as 'lebr'. */
1156 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1158 smp->link_key = kzalloc(16, GFP_KERNEL);
1162 if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1163 /* SALT = 0x00000000000000000000000000000000746D7031 */
1164 const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1166 if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1167 kzfree(smp->link_key);
1168 smp->link_key = NULL;
1172 /* From core spec. Spells out in ASCII as 'tmp1'. */
1173 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1175 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1176 kzfree(smp->link_key);
1177 smp->link_key = NULL;
1182 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1183 kzfree(smp->link_key);
1184 smp->link_key = NULL;
1189 static void smp_allow_key_dist(struct smp_chan *smp)
1191 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1192 * will be allowed in each PDU handler to ensure we receive
1193 * them in the correct order.
1195 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1196 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1197 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1198 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1199 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1200 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1203 static void sc_generate_ltk(struct smp_chan *smp)
1205 /* From core spec. Spells out in ASCII as 'brle'. */
1206 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1207 struct hci_conn *hcon = smp->conn->hcon;
1208 struct hci_dev *hdev = hcon->hdev;
1209 struct link_key *key;
1211 key = hci_find_link_key(hdev, &hcon->dst);
1213 bt_dev_err(hdev, "no Link Key found to generate LTK");
1217 if (key->type == HCI_LK_DEBUG_COMBINATION)
1218 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1220 if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1221 /* SALT = 0x00000000000000000000000000000000746D7032 */
1222 const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1224 if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1227 /* From core spec. Spells out in ASCII as 'tmp2'. */
1228 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1230 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1234 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1240 static void smp_distribute_keys(struct smp_chan *smp)
1242 struct smp_cmd_pairing *req, *rsp;
1243 struct l2cap_conn *conn = smp->conn;
1244 struct hci_conn *hcon = conn->hcon;
1245 struct hci_dev *hdev = hcon->hdev;
1248 BT_DBG("conn %p", conn);
1250 rsp = (void *) &smp->prsp[1];
1252 /* The responder sends its keys first */
1253 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1254 smp_allow_key_dist(smp);
1258 req = (void *) &smp->preq[1];
1261 keydist = &rsp->init_key_dist;
1262 *keydist &= req->init_key_dist;
1264 keydist = &rsp->resp_key_dist;
1265 *keydist &= req->resp_key_dist;
1268 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1269 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1270 sc_generate_link_key(smp);
1271 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1272 sc_generate_ltk(smp);
1274 /* Clear the keys which are generated but not distributed */
1275 *keydist &= ~SMP_SC_NO_DIST;
1278 BT_DBG("keydist 0x%x", *keydist);
1280 if (*keydist & SMP_DIST_ENC_KEY) {
1281 struct smp_cmd_encrypt_info enc;
1282 struct smp_cmd_master_ident ident;
1283 struct smp_ltk *ltk;
1288 /* Make sure we generate only the significant amount of
1289 * bytes based on the encryption key size, and set the rest
1290 * of the value to zeroes.
1292 get_random_bytes(enc.ltk, smp->enc_key_size);
1293 memset(enc.ltk + smp->enc_key_size, 0,
1294 sizeof(enc.ltk) - smp->enc_key_size);
1296 get_random_bytes(&ediv, sizeof(ediv));
1297 get_random_bytes(&rand, sizeof(rand));
1299 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1301 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1302 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1303 SMP_LTK_SLAVE, authenticated, enc.ltk,
1304 smp->enc_key_size, ediv, rand);
1305 smp->slave_ltk = ltk;
1310 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1312 *keydist &= ~SMP_DIST_ENC_KEY;
1315 if (*keydist & SMP_DIST_ID_KEY) {
1316 struct smp_cmd_ident_addr_info addrinfo;
1317 struct smp_cmd_ident_info idinfo;
1319 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1321 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1323 /* The hci_conn contains the local identity address
1324 * after the connection has been established.
1326 * This is true even when the connection has been
1327 * established using a resolvable random address.
1329 bacpy(&addrinfo.bdaddr, &hcon->src);
1330 addrinfo.addr_type = hcon->src_type;
1332 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1335 *keydist &= ~SMP_DIST_ID_KEY;
1338 if (*keydist & SMP_DIST_SIGN) {
1339 struct smp_cmd_sign_info sign;
1340 struct smp_csrk *csrk;
1342 /* Generate a new random key */
1343 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1345 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1347 if (hcon->sec_level > BT_SECURITY_MEDIUM)
1348 csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1350 csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1351 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1353 smp->slave_csrk = csrk;
1355 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1357 *keydist &= ~SMP_DIST_SIGN;
1360 /* If there are still keys to be received wait for them */
1361 if (smp->remote_key_dist & KEY_DIST_MASK) {
1362 smp_allow_key_dist(smp);
1366 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1367 smp_notify_keys(conn);
1369 smp_chan_destroy(conn);
1372 static void smp_timeout(struct work_struct *work)
1374 struct smp_chan *smp = container_of(work, struct smp_chan,
1375 security_timer.work);
1376 struct l2cap_conn *conn = smp->conn;
1378 BT_DBG("conn %p", conn);
1380 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1383 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1385 struct l2cap_chan *chan = conn->smp;
1386 struct smp_chan *smp;
1388 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1392 smp->tfm_aes = crypto_alloc_cipher("aes", 0, 0);
1393 if (IS_ERR(smp->tfm_aes)) {
1394 BT_ERR("Unable to create AES crypto context");
1398 smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1399 if (IS_ERR(smp->tfm_cmac)) {
1400 BT_ERR("Unable to create CMAC crypto context");
1404 smp->tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
1405 if (IS_ERR(smp->tfm_ecdh)) {
1406 BT_ERR("Unable to create ECDH crypto context");
1413 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1415 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1417 hci_conn_hold(conn->hcon);
1422 crypto_free_shash(smp->tfm_cmac);
1424 crypto_free_cipher(smp->tfm_aes);
1430 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1432 struct hci_conn *hcon = smp->conn->hcon;
1433 u8 *na, *nb, a[7], b[7];
1443 memcpy(a, &hcon->init_addr, 6);
1444 memcpy(b, &hcon->resp_addr, 6);
1445 a[6] = hcon->init_addr_type;
1446 b[6] = hcon->resp_addr_type;
1448 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1451 static void sc_dhkey_check(struct smp_chan *smp)
1453 struct hci_conn *hcon = smp->conn->hcon;
1454 struct smp_cmd_dhkey_check check;
1455 u8 a[7], b[7], *local_addr, *remote_addr;
1456 u8 io_cap[3], r[16];
1458 memcpy(a, &hcon->init_addr, 6);
1459 memcpy(b, &hcon->resp_addr, 6);
1460 a[6] = hcon->init_addr_type;
1461 b[6] = hcon->resp_addr_type;
1466 memcpy(io_cap, &smp->preq[1], 3);
1470 memcpy(io_cap, &smp->prsp[1], 3);
1473 memset(r, 0, sizeof(r));
1475 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1476 put_unaligned_le32(hcon->passkey_notify, r);
1478 if (smp->method == REQ_OOB)
1479 memcpy(r, smp->rr, 16);
1481 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1482 local_addr, remote_addr, check.e);
1484 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1487 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1489 struct l2cap_conn *conn = smp->conn;
1490 struct hci_conn *hcon = conn->hcon;
1491 struct smp_cmd_pairing_confirm cfm;
1494 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1497 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1499 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1501 return SMP_UNSPECIFIED;
1503 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1508 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1510 struct l2cap_conn *conn = smp->conn;
1511 struct hci_conn *hcon = conn->hcon;
1512 struct hci_dev *hdev = hcon->hdev;
1515 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1516 if (smp->passkey_round >= 20)
1520 case SMP_CMD_PAIRING_RANDOM:
1521 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1524 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1526 return SMP_UNSPECIFIED;
1528 if (crypto_memneq(smp->pcnf, cfm, 16))
1529 return SMP_CONFIRM_FAILED;
1531 smp->passkey_round++;
1533 if (smp->passkey_round == 20) {
1534 /* Generate MacKey and LTK */
1535 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1536 return SMP_UNSPECIFIED;
1539 /* The round is only complete when the initiator
1540 * receives pairing random.
1543 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1544 sizeof(smp->prnd), smp->prnd);
1545 if (smp->passkey_round == 20)
1546 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1548 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1552 /* Start the next round */
1553 if (smp->passkey_round != 20)
1554 return sc_passkey_round(smp, 0);
1556 /* Passkey rounds are complete - start DHKey Check */
1557 sc_dhkey_check(smp);
1558 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1562 case SMP_CMD_PAIRING_CONFIRM:
1563 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1564 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1568 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1571 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1572 sizeof(smp->prnd), smp->prnd);
1576 return sc_passkey_send_confirm(smp);
1578 case SMP_CMD_PUBLIC_KEY:
1580 /* Initiating device starts the round */
1584 BT_DBG("%s Starting passkey round %u", hdev->name,
1585 smp->passkey_round + 1);
1587 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1589 return sc_passkey_send_confirm(smp);
1595 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1597 struct l2cap_conn *conn = smp->conn;
1598 struct hci_conn *hcon = conn->hcon;
1601 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1604 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1605 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1607 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1608 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1610 case MGMT_OP_USER_PASSKEY_REPLY:
1611 hcon->passkey_notify = le32_to_cpu(passkey);
1612 smp->passkey_round = 0;
1614 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1615 smp_op = SMP_CMD_PAIRING_CONFIRM;
1619 if (sc_passkey_round(smp, smp_op))
1625 /* Initiator sends DHKey check first */
1627 sc_dhkey_check(smp);
1628 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1629 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1630 sc_dhkey_check(smp);
1637 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1639 struct l2cap_conn *conn = hcon->l2cap_data;
1640 struct l2cap_chan *chan;
1641 struct smp_chan *smp;
1654 l2cap_chan_lock(chan);
1662 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1663 err = sc_user_reply(smp, mgmt_op, passkey);
1668 case MGMT_OP_USER_PASSKEY_REPLY:
1669 value = le32_to_cpu(passkey);
1670 memset(smp->tk, 0, sizeof(smp->tk));
1671 BT_DBG("PassKey: %d", value);
1672 put_unaligned_le32(value, smp->tk);
1674 case MGMT_OP_USER_CONFIRM_REPLY:
1675 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1677 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1678 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1679 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1683 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1690 /* If it is our turn to send Pairing Confirm, do so now */
1691 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1692 u8 rsp = smp_confirm(smp);
1694 smp_failure(conn, rsp);
1698 l2cap_chan_unlock(chan);
1702 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1703 struct smp_cmd_pairing *req,
1704 struct smp_cmd_pairing *rsp)
1706 struct l2cap_conn *conn = smp->conn;
1707 struct hci_dev *hdev = conn->hcon->hdev;
1708 u8 local_dist = 0, remote_dist = 0;
1710 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1711 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1712 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1715 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1716 remote_dist |= SMP_DIST_ID_KEY;
1718 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1719 local_dist |= SMP_DIST_ID_KEY;
1722 memset(req, 0, sizeof(*req));
1724 req->auth_req = SMP_AUTH_CT2;
1725 req->init_key_dist = local_dist;
1726 req->resp_key_dist = remote_dist;
1727 req->max_key_size = conn->hcon->enc_key_size;
1729 smp->remote_key_dist = remote_dist;
1734 memset(rsp, 0, sizeof(*rsp));
1736 rsp->auth_req = SMP_AUTH_CT2;
1737 rsp->max_key_size = conn->hcon->enc_key_size;
1738 rsp->init_key_dist = req->init_key_dist & remote_dist;
1739 rsp->resp_key_dist = req->resp_key_dist & local_dist;
1741 smp->remote_key_dist = rsp->init_key_dist;
1744 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1746 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1747 struct l2cap_chan *chan = conn->smp;
1748 struct hci_dev *hdev = conn->hcon->hdev;
1749 struct smp_chan *smp;
1750 u8 key_size, auth, sec_level;
1753 BT_DBG("conn %p", conn);
1755 if (skb->len < sizeof(*req))
1756 return SMP_INVALID_PARAMS;
1758 if (conn->hcon->role != HCI_ROLE_SLAVE)
1759 return SMP_CMD_NOTSUPP;
1762 smp = smp_chan_create(conn);
1767 return SMP_UNSPECIFIED;
1769 /* We didn't start the pairing, so match remote */
1770 auth = req->auth_req & AUTH_REQ_MASK(hdev);
1772 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1773 (auth & SMP_AUTH_BONDING))
1774 return SMP_PAIRING_NOTSUPP;
1776 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1777 return SMP_AUTH_REQUIREMENTS;
1779 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1780 memcpy(&smp->preq[1], req, sizeof(*req));
1781 skb_pull(skb, sizeof(*req));
1783 /* If the remote side's OOB flag is set it means it has
1784 * successfully received our local OOB data - therefore set the
1785 * flag to indicate that local OOB is in use.
1787 if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1788 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1790 /* SMP over BR/EDR requires special treatment */
1791 if (conn->hcon->type == ACL_LINK) {
1792 /* We must have a BR/EDR SC link */
1793 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1794 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1795 return SMP_CROSS_TRANSP_NOT_ALLOWED;
1797 set_bit(SMP_FLAG_SC, &smp->flags);
1799 build_bredr_pairing_cmd(smp, req, &rsp);
1801 if (req->auth_req & SMP_AUTH_CT2)
1802 set_bit(SMP_FLAG_CT2, &smp->flags);
1804 key_size = min(req->max_key_size, rsp.max_key_size);
1805 if (check_enc_key_size(conn, key_size))
1806 return SMP_ENC_KEY_SIZE;
1808 /* Clear bits which are generated but not distributed */
1809 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1811 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1812 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1813 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1815 smp_distribute_keys(smp);
1819 build_pairing_cmd(conn, req, &rsp, auth);
1821 if (rsp.auth_req & SMP_AUTH_SC) {
1822 set_bit(SMP_FLAG_SC, &smp->flags);
1824 if (rsp.auth_req & SMP_AUTH_CT2)
1825 set_bit(SMP_FLAG_CT2, &smp->flags);
1828 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1829 sec_level = BT_SECURITY_MEDIUM;
1831 sec_level = authreq_to_seclevel(auth);
1833 if (sec_level > conn->hcon->pending_sec_level)
1834 conn->hcon->pending_sec_level = sec_level;
1836 /* If we need MITM check that it can be achieved */
1837 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1840 method = get_auth_method(smp, conn->hcon->io_capability,
1841 req->io_capability);
1842 if (method == JUST_WORKS || method == JUST_CFM)
1843 return SMP_AUTH_REQUIREMENTS;
1846 key_size = min(req->max_key_size, rsp.max_key_size);
1847 if (check_enc_key_size(conn, key_size))
1848 return SMP_ENC_KEY_SIZE;
1850 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1852 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1853 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1855 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1857 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1859 /* Strictly speaking we shouldn't allow Pairing Confirm for the
1860 * SC case, however some implementations incorrectly copy RFU auth
1861 * req bits from our security request, which may create a false
1862 * positive SC enablement.
1864 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1866 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1867 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1868 /* Clear bits which are generated but not distributed */
1869 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1870 /* Wait for Public Key from Initiating Device */
1874 /* Request setup of TK */
1875 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1877 return SMP_UNSPECIFIED;
1882 static u8 sc_send_public_key(struct smp_chan *smp)
1884 struct hci_dev *hdev = smp->conn->hcon->hdev;
1888 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1889 struct l2cap_chan *chan = hdev->smp_data;
1890 struct smp_dev *smp_dev;
1892 if (!chan || !chan->data)
1893 return SMP_UNSPECIFIED;
1895 smp_dev = chan->data;
1897 memcpy(smp->local_pk, smp_dev->local_pk, 64);
1898 memcpy(smp->lr, smp_dev->local_rand, 16);
1900 if (smp_dev->debug_key)
1901 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1906 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1907 BT_DBG("Using debug keys");
1908 if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
1909 return SMP_UNSPECIFIED;
1910 memcpy(smp->local_pk, debug_pk, 64);
1911 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1914 /* Generate key pair for Secure Connections */
1915 if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
1916 return SMP_UNSPECIFIED;
1918 /* This is unlikely, but we need to check that
1919 * we didn't accidentially generate a debug key.
1921 if (crypto_memneq(smp->local_pk, debug_pk, 64))
1927 SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1928 SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1930 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1935 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1937 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1938 struct l2cap_chan *chan = conn->smp;
1939 struct smp_chan *smp = chan->data;
1940 struct hci_dev *hdev = conn->hcon->hdev;
1944 BT_DBG("conn %p", conn);
1946 if (skb->len < sizeof(*rsp))
1947 return SMP_INVALID_PARAMS;
1949 if (conn->hcon->role != HCI_ROLE_MASTER)
1950 return SMP_CMD_NOTSUPP;
1952 skb_pull(skb, sizeof(*rsp));
1954 req = (void *) &smp->preq[1];
1956 key_size = min(req->max_key_size, rsp->max_key_size);
1957 if (check_enc_key_size(conn, key_size))
1958 return SMP_ENC_KEY_SIZE;
1960 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1962 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1963 return SMP_AUTH_REQUIREMENTS;
1965 /* If the remote side's OOB flag is set it means it has
1966 * successfully received our local OOB data - therefore set the
1967 * flag to indicate that local OOB is in use.
1969 if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1970 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1972 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1973 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1975 /* Update remote key distribution in case the remote cleared
1976 * some bits that we had enabled in our request.
1978 smp->remote_key_dist &= rsp->resp_key_dist;
1980 if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1981 set_bit(SMP_FLAG_CT2, &smp->flags);
1983 /* For BR/EDR this means we're done and can start phase 3 */
1984 if (conn->hcon->type == ACL_LINK) {
1985 /* Clear bits which are generated but not distributed */
1986 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1987 smp_distribute_keys(smp);
1991 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1992 set_bit(SMP_FLAG_SC, &smp->flags);
1993 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1994 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1996 /* If we need MITM check that it can be achieved */
1997 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
2000 method = get_auth_method(smp, req->io_capability,
2001 rsp->io_capability);
2002 if (method == JUST_WORKS || method == JUST_CFM)
2003 return SMP_AUTH_REQUIREMENTS;
2006 get_random_bytes(smp->prnd, sizeof(smp->prnd));
2008 /* Update remote key distribution in case the remote cleared
2009 * some bits that we had enabled in our request.
2011 smp->remote_key_dist &= rsp->resp_key_dist;
2013 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2014 /* Clear bits which are generated but not distributed */
2015 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
2016 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2017 return sc_send_public_key(smp);
2020 auth |= req->auth_req;
2022 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2024 return SMP_UNSPECIFIED;
2026 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2028 /* Can't compose response until we have been confirmed */
2029 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2030 return smp_confirm(smp);
2035 static u8 sc_check_confirm(struct smp_chan *smp)
2037 struct l2cap_conn *conn = smp->conn;
2041 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2042 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2044 if (conn->hcon->out) {
2045 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2047 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2053 /* Work-around for some implementations that incorrectly copy RFU bits
2054 * from our security request and thereby create the impression that
2055 * we're doing SC when in fact the remote doesn't support it.
2057 static int fixup_sc_false_positive(struct smp_chan *smp)
2059 struct l2cap_conn *conn = smp->conn;
2060 struct hci_conn *hcon = conn->hcon;
2061 struct hci_dev *hdev = hcon->hdev;
2062 struct smp_cmd_pairing *req, *rsp;
2065 /* The issue is only observed when we're in slave role */
2067 return SMP_UNSPECIFIED;
2069 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2070 bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
2071 return SMP_UNSPECIFIED;
2074 bt_dev_err(hdev, "trying to fall back to legacy SMP");
2076 req = (void *) &smp->preq[1];
2077 rsp = (void *) &smp->prsp[1];
2079 /* Rebuild key dist flags which may have been cleared for SC */
2080 smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2082 auth = req->auth_req & AUTH_REQ_MASK(hdev);
2084 if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2085 bt_dev_err(hdev, "failed to fall back to legacy SMP");
2086 return SMP_UNSPECIFIED;
2089 clear_bit(SMP_FLAG_SC, &smp->flags);
2094 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2096 struct l2cap_chan *chan = conn->smp;
2097 struct smp_chan *smp = chan->data;
2099 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
2101 if (skb->len < sizeof(smp->pcnf))
2102 return SMP_INVALID_PARAMS;
2104 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2105 skb_pull(skb, sizeof(smp->pcnf));
2107 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2110 /* Public Key exchange must happen before any other steps */
2111 if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2112 return sc_check_confirm(smp);
2114 BT_ERR("Unexpected SMP Pairing Confirm");
2116 ret = fixup_sc_false_positive(smp);
2121 if (conn->hcon->out) {
2122 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2124 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2128 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2129 return smp_confirm(smp);
2131 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2136 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2138 struct l2cap_chan *chan = conn->smp;
2139 struct smp_chan *smp = chan->data;
2140 struct hci_conn *hcon = conn->hcon;
2141 u8 *pkax, *pkbx, *na, *nb;
2145 BT_DBG("conn %p", conn);
2147 if (skb->len < sizeof(smp->rrnd))
2148 return SMP_INVALID_PARAMS;
2150 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2151 skb_pull(skb, sizeof(smp->rrnd));
2153 if (!test_bit(SMP_FLAG_SC, &smp->flags))
2154 return smp_random(smp);
2157 pkax = smp->local_pk;
2158 pkbx = smp->remote_pk;
2162 pkax = smp->remote_pk;
2163 pkbx = smp->local_pk;
2168 if (smp->method == REQ_OOB) {
2170 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2171 sizeof(smp->prnd), smp->prnd);
2172 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2173 goto mackey_and_ltk;
2176 /* Passkey entry has special treatment */
2177 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2178 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2183 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2186 return SMP_UNSPECIFIED;
2188 if (crypto_memneq(smp->pcnf, cfm, 16))
2189 return SMP_CONFIRM_FAILED;
2191 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2193 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2197 /* Generate MacKey and LTK */
2198 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2200 return SMP_UNSPECIFIED;
2202 if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2204 sc_dhkey_check(smp);
2205 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2210 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2212 return SMP_UNSPECIFIED;
2214 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2215 hcon->dst_type, passkey, 0);
2217 return SMP_UNSPECIFIED;
2219 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2224 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2226 struct smp_ltk *key;
2227 struct hci_conn *hcon = conn->hcon;
2229 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2233 if (smp_ltk_sec_level(key) < sec_level)
2236 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2239 hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2240 hcon->enc_key_size = key->enc_size;
2242 /* We never store STKs for master role, so clear this flag */
2243 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2248 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2249 enum smp_key_pref key_pref)
2251 if (sec_level == BT_SECURITY_LOW)
2254 /* If we're encrypted with an STK but the caller prefers using
2255 * LTK claim insufficient security. This way we allow the
2256 * connection to be re-encrypted with an LTK, even if the LTK
2257 * provides the same level of security. Only exception is if we
2258 * don't have an LTK (e.g. because of key distribution bits).
2260 if (key_pref == SMP_USE_LTK &&
2261 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2262 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2265 if (hcon->sec_level >= sec_level)
2271 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2273 struct smp_cmd_security_req *rp = (void *) skb->data;
2274 struct smp_cmd_pairing cp;
2275 struct hci_conn *hcon = conn->hcon;
2276 struct hci_dev *hdev = hcon->hdev;
2277 struct smp_chan *smp;
2280 BT_DBG("conn %p", conn);
2282 if (skb->len < sizeof(*rp))
2283 return SMP_INVALID_PARAMS;
2285 if (hcon->role != HCI_ROLE_MASTER)
2286 return SMP_CMD_NOTSUPP;
2288 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2290 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2291 return SMP_AUTH_REQUIREMENTS;
2293 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2294 sec_level = BT_SECURITY_MEDIUM;
2296 sec_level = authreq_to_seclevel(auth);
2298 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2299 /* If link is already encrypted with sufficient security we
2300 * still need refresh encryption as per Core Spec 5.0 Vol 3,
2303 smp_ltk_encrypt(conn, hcon->sec_level);
2307 if (sec_level > hcon->pending_sec_level)
2308 hcon->pending_sec_level = sec_level;
2310 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2313 smp = smp_chan_create(conn);
2315 return SMP_UNSPECIFIED;
2317 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2318 (auth & SMP_AUTH_BONDING))
2319 return SMP_PAIRING_NOTSUPP;
2321 skb_pull(skb, sizeof(*rp));
2323 memset(&cp, 0, sizeof(cp));
2324 build_pairing_cmd(conn, &cp, NULL, auth);
2326 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2327 memcpy(&smp->preq[1], &cp, sizeof(cp));
2329 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2330 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2335 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2337 struct l2cap_conn *conn = hcon->l2cap_data;
2338 struct l2cap_chan *chan;
2339 struct smp_chan *smp;
2343 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2345 /* This may be NULL if there's an unexpected disconnection */
2349 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2352 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2355 if (sec_level > hcon->pending_sec_level)
2356 hcon->pending_sec_level = sec_level;
2358 if (hcon->role == HCI_ROLE_MASTER)
2359 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2364 bt_dev_err(hcon->hdev, "security requested but not available");
2368 l2cap_chan_lock(chan);
2370 /* If SMP is already in progress ignore this request */
2376 smp = smp_chan_create(conn);
2382 authreq = seclevel_to_authreq(sec_level);
2384 if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2385 authreq |= SMP_AUTH_SC;
2386 if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2387 authreq |= SMP_AUTH_CT2;
2390 /* Require MITM if IO Capability allows or the security level
2393 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2394 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2395 authreq |= SMP_AUTH_MITM;
2397 if (hcon->role == HCI_ROLE_MASTER) {
2398 struct smp_cmd_pairing cp;
2400 build_pairing_cmd(conn, &cp, NULL, authreq);
2401 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2402 memcpy(&smp->preq[1], &cp, sizeof(cp));
2404 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2405 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2407 struct smp_cmd_security_req cp;
2408 cp.auth_req = authreq;
2409 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2410 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2413 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2417 l2cap_chan_unlock(chan);
2421 int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2424 struct hci_conn *hcon;
2425 struct l2cap_conn *conn;
2426 struct l2cap_chan *chan;
2427 struct smp_chan *smp;
2430 err = hci_remove_ltk(hdev, bdaddr, addr_type);
2431 hci_remove_irk(hdev, bdaddr, addr_type);
2433 hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2437 conn = hcon->l2cap_data;
2445 l2cap_chan_lock(chan);
2449 /* Set keys to NULL to make sure smp_failure() does not try to
2450 * remove and free already invalidated rcu list entries. */
2452 smp->slave_ltk = NULL;
2453 smp->remote_irk = NULL;
2455 if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2456 smp_failure(conn, 0);
2458 smp_failure(conn, SMP_UNSPECIFIED);
2462 l2cap_chan_unlock(chan);
2468 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2470 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2471 struct l2cap_chan *chan = conn->smp;
2472 struct smp_chan *smp = chan->data;
2474 BT_DBG("conn %p", conn);
2476 if (skb->len < sizeof(*rp))
2477 return SMP_INVALID_PARAMS;
2479 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2481 skb_pull(skb, sizeof(*rp));
2483 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2488 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2490 struct smp_cmd_master_ident *rp = (void *) skb->data;
2491 struct l2cap_chan *chan = conn->smp;
2492 struct smp_chan *smp = chan->data;
2493 struct hci_dev *hdev = conn->hcon->hdev;
2494 struct hci_conn *hcon = conn->hcon;
2495 struct smp_ltk *ltk;
2498 BT_DBG("conn %p", conn);
2500 if (skb->len < sizeof(*rp))
2501 return SMP_INVALID_PARAMS;
2503 /* Mark the information as received */
2504 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2506 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2507 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2508 else if (smp->remote_key_dist & SMP_DIST_SIGN)
2509 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2511 skb_pull(skb, sizeof(*rp));
2513 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2514 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2515 authenticated, smp->tk, smp->enc_key_size,
2516 rp->ediv, rp->rand);
2518 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2519 smp_distribute_keys(smp);
2524 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2526 struct smp_cmd_ident_info *info = (void *) skb->data;
2527 struct l2cap_chan *chan = conn->smp;
2528 struct smp_chan *smp = chan->data;
2532 if (skb->len < sizeof(*info))
2533 return SMP_INVALID_PARAMS;
2535 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2537 skb_pull(skb, sizeof(*info));
2539 memcpy(smp->irk, info->irk, 16);
2544 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2545 struct sk_buff *skb)
2547 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2548 struct l2cap_chan *chan = conn->smp;
2549 struct smp_chan *smp = chan->data;
2550 struct hci_conn *hcon = conn->hcon;
2555 if (skb->len < sizeof(*info))
2556 return SMP_INVALID_PARAMS;
2558 /* Mark the information as received */
2559 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2561 if (smp->remote_key_dist & SMP_DIST_SIGN)
2562 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2564 skb_pull(skb, sizeof(*info));
2566 /* Strictly speaking the Core Specification (4.1) allows sending
2567 * an empty address which would force us to rely on just the IRK
2568 * as "identity information". However, since such
2569 * implementations are not known of and in order to not over
2570 * complicate our implementation, simply pretend that we never
2571 * received an IRK for such a device.
2573 * The Identity Address must also be a Static Random or Public
2574 * Address, which hci_is_identity_address() checks for.
2576 if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2577 !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2578 bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
2582 /* Drop IRK if peer is using identity address during pairing but is
2583 * providing different address as identity information.
2585 * Microsoft Surface Precision Mouse is known to have this bug.
2587 if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
2588 (bacmp(&info->bdaddr, &hcon->dst) ||
2589 info->addr_type != hcon->dst_type)) {
2590 bt_dev_err(hcon->hdev,
2591 "ignoring IRK with invalid identity address");
2595 bacpy(&smp->id_addr, &info->bdaddr);
2596 smp->id_addr_type = info->addr_type;
2598 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2599 bacpy(&rpa, &hcon->dst);
2601 bacpy(&rpa, BDADDR_ANY);
2603 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2604 smp->id_addr_type, smp->irk, &rpa);
2607 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2608 smp_distribute_keys(smp);
2613 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2615 struct smp_cmd_sign_info *rp = (void *) skb->data;
2616 struct l2cap_chan *chan = conn->smp;
2617 struct smp_chan *smp = chan->data;
2618 struct smp_csrk *csrk;
2620 BT_DBG("conn %p", conn);
2622 if (skb->len < sizeof(*rp))
2623 return SMP_INVALID_PARAMS;
2625 /* Mark the information as received */
2626 smp->remote_key_dist &= ~SMP_DIST_SIGN;
2628 skb_pull(skb, sizeof(*rp));
2630 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2632 if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2633 csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2635 csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2636 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2639 smp_distribute_keys(smp);
2644 static u8 sc_select_method(struct smp_chan *smp)
2646 struct l2cap_conn *conn = smp->conn;
2647 struct hci_conn *hcon = conn->hcon;
2648 struct smp_cmd_pairing *local, *remote;
2649 u8 local_mitm, remote_mitm, local_io, remote_io, method;
2651 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2652 test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2655 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2656 * which are needed as inputs to some crypto functions. To get
2657 * the "struct smp_cmd_pairing" from them we need to skip the
2658 * first byte which contains the opcode.
2661 local = (void *) &smp->preq[1];
2662 remote = (void *) &smp->prsp[1];
2664 local = (void *) &smp->prsp[1];
2665 remote = (void *) &smp->preq[1];
2668 local_io = local->io_capability;
2669 remote_io = remote->io_capability;
2671 local_mitm = (local->auth_req & SMP_AUTH_MITM);
2672 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2674 /* If either side wants MITM, look up the method from the table,
2675 * otherwise use JUST WORKS.
2677 if (local_mitm || remote_mitm)
2678 method = get_auth_method(smp, local_io, remote_io);
2680 method = JUST_WORKS;
2682 /* Don't confirm locally initiated pairing attempts */
2683 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2684 method = JUST_WORKS;
2689 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2691 struct smp_cmd_public_key *key = (void *) skb->data;
2692 struct hci_conn *hcon = conn->hcon;
2693 struct l2cap_chan *chan = conn->smp;
2694 struct smp_chan *smp = chan->data;
2695 struct hci_dev *hdev = hcon->hdev;
2696 struct crypto_kpp *tfm_ecdh;
2697 struct smp_cmd_pairing_confirm cfm;
2700 BT_DBG("conn %p", conn);
2702 if (skb->len < sizeof(*key))
2703 return SMP_INVALID_PARAMS;
2705 memcpy(smp->remote_pk, key, 64);
2707 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2708 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2709 smp->rr, 0, cfm.confirm_val);
2711 return SMP_UNSPECIFIED;
2713 if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2714 return SMP_CONFIRM_FAILED;
2717 /* Non-initiating device sends its public key after receiving
2718 * the key from the initiating device.
2721 err = sc_send_public_key(smp);
2726 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2727 SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2729 /* Compute the shared secret on the same crypto tfm on which the private
2730 * key was set/generated.
2732 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
2733 struct l2cap_chan *hchan = hdev->smp_data;
2734 struct smp_dev *smp_dev;
2736 if (!hchan || !hchan->data)
2737 return SMP_UNSPECIFIED;
2739 smp_dev = hchan->data;
2741 tfm_ecdh = smp_dev->tfm_ecdh;
2743 tfm_ecdh = smp->tfm_ecdh;
2746 if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
2747 return SMP_UNSPECIFIED;
2749 SMP_DBG("DHKey %32phN", smp->dhkey);
2751 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2753 smp->method = sc_select_method(smp);
2755 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2757 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2758 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2759 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2761 hcon->pending_sec_level = BT_SECURITY_FIPS;
2763 if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2764 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2766 if (smp->method == DSP_PASSKEY) {
2767 get_random_bytes(&hcon->passkey_notify,
2768 sizeof(hcon->passkey_notify));
2769 hcon->passkey_notify %= 1000000;
2770 hcon->passkey_entered = 0;
2771 smp->passkey_round = 0;
2772 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2774 hcon->passkey_notify,
2775 hcon->passkey_entered))
2776 return SMP_UNSPECIFIED;
2777 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2778 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2781 if (smp->method == REQ_OOB) {
2783 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2784 sizeof(smp->prnd), smp->prnd);
2786 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2792 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2794 if (smp->method == REQ_PASSKEY) {
2795 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2797 return SMP_UNSPECIFIED;
2798 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2799 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2803 /* The Initiating device waits for the non-initiating device to
2804 * send the confirm value.
2806 if (conn->hcon->out)
2809 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2810 0, cfm.confirm_val);
2812 return SMP_UNSPECIFIED;
2814 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2815 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2820 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2822 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2823 struct l2cap_chan *chan = conn->smp;
2824 struct hci_conn *hcon = conn->hcon;
2825 struct smp_chan *smp = chan->data;
2826 u8 a[7], b[7], *local_addr, *remote_addr;
2827 u8 io_cap[3], r[16], e[16];
2830 BT_DBG("conn %p", conn);
2832 if (skb->len < sizeof(*check))
2833 return SMP_INVALID_PARAMS;
2835 memcpy(a, &hcon->init_addr, 6);
2836 memcpy(b, &hcon->resp_addr, 6);
2837 a[6] = hcon->init_addr_type;
2838 b[6] = hcon->resp_addr_type;
2843 memcpy(io_cap, &smp->prsp[1], 3);
2847 memcpy(io_cap, &smp->preq[1], 3);
2850 memset(r, 0, sizeof(r));
2852 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2853 put_unaligned_le32(hcon->passkey_notify, r);
2854 else if (smp->method == REQ_OOB)
2855 memcpy(r, smp->lr, 16);
2857 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2858 io_cap, remote_addr, local_addr, e);
2860 return SMP_UNSPECIFIED;
2862 if (crypto_memneq(check->e, e, 16))
2863 return SMP_DHKEY_CHECK_FAILED;
2866 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2867 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2871 /* Slave sends DHKey check as response to master */
2872 sc_dhkey_check(smp);
2878 hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2879 hcon->enc_key_size = smp->enc_key_size;
2885 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2886 struct sk_buff *skb)
2888 struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2890 BT_DBG("value 0x%02x", kp->value);
2895 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2897 struct l2cap_conn *conn = chan->conn;
2898 struct hci_conn *hcon = conn->hcon;
2899 struct smp_chan *smp;
2906 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2907 reason = SMP_PAIRING_NOTSUPP;
2911 code = skb->data[0];
2912 skb_pull(skb, sizeof(code));
2916 if (code > SMP_CMD_MAX)
2919 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2922 /* If we don't have a context the only allowed commands are
2923 * pairing request and security request.
2925 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2929 case SMP_CMD_PAIRING_REQ:
2930 reason = smp_cmd_pairing_req(conn, skb);
2933 case SMP_CMD_PAIRING_FAIL:
2934 smp_failure(conn, 0);
2938 case SMP_CMD_PAIRING_RSP:
2939 reason = smp_cmd_pairing_rsp(conn, skb);
2942 case SMP_CMD_SECURITY_REQ:
2943 reason = smp_cmd_security_req(conn, skb);
2946 case SMP_CMD_PAIRING_CONFIRM:
2947 reason = smp_cmd_pairing_confirm(conn, skb);
2950 case SMP_CMD_PAIRING_RANDOM:
2951 reason = smp_cmd_pairing_random(conn, skb);
2954 case SMP_CMD_ENCRYPT_INFO:
2955 reason = smp_cmd_encrypt_info(conn, skb);
2958 case SMP_CMD_MASTER_IDENT:
2959 reason = smp_cmd_master_ident(conn, skb);
2962 case SMP_CMD_IDENT_INFO:
2963 reason = smp_cmd_ident_info(conn, skb);
2966 case SMP_CMD_IDENT_ADDR_INFO:
2967 reason = smp_cmd_ident_addr_info(conn, skb);
2970 case SMP_CMD_SIGN_INFO:
2971 reason = smp_cmd_sign_info(conn, skb);
2974 case SMP_CMD_PUBLIC_KEY:
2975 reason = smp_cmd_public_key(conn, skb);
2978 case SMP_CMD_DHKEY_CHECK:
2979 reason = smp_cmd_dhkey_check(conn, skb);
2982 case SMP_CMD_KEYPRESS_NOTIFY:
2983 reason = smp_cmd_keypress_notify(conn, skb);
2987 BT_DBG("Unknown command code 0x%2.2x", code);
2988 reason = SMP_CMD_NOTSUPP;
2995 smp_failure(conn, reason);
3002 bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
3008 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
3010 struct l2cap_conn *conn = chan->conn;
3012 BT_DBG("chan %p", chan);
3015 smp_chan_destroy(conn);
3018 l2cap_chan_put(chan);
3021 static void bredr_pairing(struct l2cap_chan *chan)
3023 struct l2cap_conn *conn = chan->conn;
3024 struct hci_conn *hcon = conn->hcon;
3025 struct hci_dev *hdev = hcon->hdev;
3026 struct smp_cmd_pairing req;
3027 struct smp_chan *smp;
3029 BT_DBG("chan %p", chan);
3031 /* Only new pairings are interesting */
3032 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
3035 /* Don't bother if we're not encrypted */
3036 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3039 /* Only master may initiate SMP over BR/EDR */
3040 if (hcon->role != HCI_ROLE_MASTER)
3043 /* Secure Connections support must be enabled */
3044 if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
3047 /* BR/EDR must use Secure Connections for SMP */
3048 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
3049 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3052 /* If our LE support is not enabled don't do anything */
3053 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3056 /* Don't bother if remote LE support is not enabled */
3057 if (!lmp_host_le_capable(hcon))
3060 /* Remote must support SMP fixed chan for BR/EDR */
3061 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3064 /* Don't bother if SMP is already ongoing */
3068 smp = smp_chan_create(conn);
3070 bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
3074 set_bit(SMP_FLAG_SC, &smp->flags);
3076 BT_DBG("%s starting SMP over BR/EDR", hdev->name);
3078 /* Prepare and send the BR/EDR SMP Pairing Request */
3079 build_bredr_pairing_cmd(smp, &req, NULL);
3081 smp->preq[0] = SMP_CMD_PAIRING_REQ;
3082 memcpy(&smp->preq[1], &req, sizeof(req));
3084 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3085 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3088 static void smp_resume_cb(struct l2cap_chan *chan)
3090 struct smp_chan *smp = chan->data;
3091 struct l2cap_conn *conn = chan->conn;
3092 struct hci_conn *hcon = conn->hcon;
3094 BT_DBG("chan %p", chan);
3096 if (hcon->type == ACL_LINK) {
3097 bredr_pairing(chan);
3104 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3107 cancel_delayed_work(&smp->security_timer);
3109 smp_distribute_keys(smp);
3112 static void smp_ready_cb(struct l2cap_chan *chan)
3114 struct l2cap_conn *conn = chan->conn;
3115 struct hci_conn *hcon = conn->hcon;
3117 BT_DBG("chan %p", chan);
3119 /* No need to call l2cap_chan_hold() here since we already own
3120 * the reference taken in smp_new_conn_cb(). This is just the
3121 * first time that we tie it to a specific pointer. The code in
3122 * l2cap_core.c ensures that there's no risk this function wont
3123 * get called if smp_new_conn_cb was previously called.
3127 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3128 bredr_pairing(chan);
3131 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3135 BT_DBG("chan %p", chan);
3137 err = smp_sig_channel(chan, skb);
3139 struct smp_chan *smp = chan->data;
3142 cancel_delayed_work_sync(&smp->security_timer);
3144 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3150 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3151 unsigned long hdr_len,
3152 unsigned long len, int nb)
3154 struct sk_buff *skb;
3156 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3158 return ERR_PTR(-ENOMEM);
3160 skb->priority = HCI_PRIO_MAX;
3161 bt_cb(skb)->l2cap.chan = chan;
3166 static const struct l2cap_ops smp_chan_ops = {
3167 .name = "Security Manager",
3168 .ready = smp_ready_cb,
3169 .recv = smp_recv_cb,
3170 .alloc_skb = smp_alloc_skb_cb,
3171 .teardown = smp_teardown_cb,
3172 .resume = smp_resume_cb,
3174 .new_connection = l2cap_chan_no_new_connection,
3175 .state_change = l2cap_chan_no_state_change,
3176 .close = l2cap_chan_no_close,
3177 .defer = l2cap_chan_no_defer,
3178 .suspend = l2cap_chan_no_suspend,
3179 .set_shutdown = l2cap_chan_no_set_shutdown,
3180 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
3183 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3185 struct l2cap_chan *chan;
3187 BT_DBG("pchan %p", pchan);
3189 chan = l2cap_chan_create();
3193 chan->chan_type = pchan->chan_type;
3194 chan->ops = &smp_chan_ops;
3195 chan->scid = pchan->scid;
3196 chan->dcid = chan->scid;
3197 chan->imtu = pchan->imtu;
3198 chan->omtu = pchan->omtu;
3199 chan->mode = pchan->mode;
3201 /* Other L2CAP channels may request SMP routines in order to
3202 * change the security level. This means that the SMP channel
3203 * lock must be considered in its own category to avoid lockdep
3206 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3208 BT_DBG("created chan %p", chan);
3213 static const struct l2cap_ops smp_root_chan_ops = {
3214 .name = "Security Manager Root",
3215 .new_connection = smp_new_conn_cb,
3217 /* None of these are implemented for the root channel */
3218 .close = l2cap_chan_no_close,
3219 .alloc_skb = l2cap_chan_no_alloc_skb,
3220 .recv = l2cap_chan_no_recv,
3221 .state_change = l2cap_chan_no_state_change,
3222 .teardown = l2cap_chan_no_teardown,
3223 .ready = l2cap_chan_no_ready,
3224 .defer = l2cap_chan_no_defer,
3225 .suspend = l2cap_chan_no_suspend,
3226 .resume = l2cap_chan_no_resume,
3227 .set_shutdown = l2cap_chan_no_set_shutdown,
3228 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
3231 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3233 struct l2cap_chan *chan;
3234 struct smp_dev *smp;
3235 struct crypto_cipher *tfm_aes;
3236 struct crypto_shash *tfm_cmac;
3237 struct crypto_kpp *tfm_ecdh;
3239 if (cid == L2CAP_CID_SMP_BREDR) {
3244 smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3246 return ERR_PTR(-ENOMEM);
3248 tfm_aes = crypto_alloc_cipher("aes", 0, 0);
3249 if (IS_ERR(tfm_aes)) {
3250 BT_ERR("Unable to create AES crypto context");
3252 return ERR_CAST(tfm_aes);
3255 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3256 if (IS_ERR(tfm_cmac)) {
3257 BT_ERR("Unable to create CMAC crypto context");
3258 crypto_free_cipher(tfm_aes);
3260 return ERR_CAST(tfm_cmac);
3263 tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
3264 if (IS_ERR(tfm_ecdh)) {
3265 BT_ERR("Unable to create ECDH crypto context");
3266 crypto_free_shash(tfm_cmac);
3267 crypto_free_cipher(tfm_aes);
3269 return ERR_CAST(tfm_ecdh);
3272 smp->local_oob = false;
3273 smp->tfm_aes = tfm_aes;
3274 smp->tfm_cmac = tfm_cmac;
3275 smp->tfm_ecdh = tfm_ecdh;
3278 chan = l2cap_chan_create();
3281 crypto_free_cipher(smp->tfm_aes);
3282 crypto_free_shash(smp->tfm_cmac);
3283 crypto_free_kpp(smp->tfm_ecdh);
3286 return ERR_PTR(-ENOMEM);
3291 l2cap_add_scid(chan, cid);
3293 l2cap_chan_set_defaults(chan);
3295 if (cid == L2CAP_CID_SMP) {
3298 hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3300 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3301 chan->src_type = BDADDR_LE_PUBLIC;
3303 chan->src_type = BDADDR_LE_RANDOM;
3305 bacpy(&chan->src, &hdev->bdaddr);
3306 chan->src_type = BDADDR_BREDR;
3309 chan->state = BT_LISTEN;
3310 chan->mode = L2CAP_MODE_BASIC;
3311 chan->imtu = L2CAP_DEFAULT_MTU;
3312 chan->ops = &smp_root_chan_ops;
3314 /* Set correct nesting level for a parent/listening channel */
3315 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3320 static void smp_del_chan(struct l2cap_chan *chan)
3322 struct smp_dev *smp;
3324 BT_DBG("chan %p", chan);
3329 crypto_free_cipher(smp->tfm_aes);
3330 crypto_free_shash(smp->tfm_cmac);
3331 crypto_free_kpp(smp->tfm_ecdh);
3335 l2cap_chan_put(chan);
3338 static ssize_t force_bredr_smp_read(struct file *file,
3339 char __user *user_buf,
3340 size_t count, loff_t *ppos)
3342 struct hci_dev *hdev = file->private_data;
3345 buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3348 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3351 static ssize_t force_bredr_smp_write(struct file *file,
3352 const char __user *user_buf,
3353 size_t count, loff_t *ppos)
3355 struct hci_dev *hdev = file->private_data;
3359 err = kstrtobool_from_user(user_buf, count, &enable);
3363 if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3367 struct l2cap_chan *chan;
3369 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3371 return PTR_ERR(chan);
3373 hdev->smp_bredr_data = chan;
3375 struct l2cap_chan *chan;
3377 chan = hdev->smp_bredr_data;
3378 hdev->smp_bredr_data = NULL;
3382 hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3387 static const struct file_operations force_bredr_smp_fops = {
3388 .open = simple_open,
3389 .read = force_bredr_smp_read,
3390 .write = force_bredr_smp_write,
3391 .llseek = default_llseek,
3394 static ssize_t le_min_key_size_read(struct file *file,
3395 char __user *user_buf,
3396 size_t count, loff_t *ppos)
3398 struct hci_dev *hdev = file->private_data;
3401 snprintf(buf, sizeof(buf), "%2u\n", hdev->le_min_key_size);
3403 return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3406 static ssize_t le_min_key_size_write(struct file *file,
3407 const char __user *user_buf,
3408 size_t count, loff_t *ppos)
3410 struct hci_dev *hdev = file->private_data;
3412 size_t buf_size = min(count, (sizeof(buf) - 1));
3415 if (copy_from_user(buf, user_buf, buf_size))
3418 buf[buf_size] = '\0';
3420 sscanf(buf, "%hhu", &key_size);
3422 if (key_size > hdev->le_max_key_size ||
3423 key_size < SMP_MIN_ENC_KEY_SIZE)
3426 hdev->le_min_key_size = key_size;
3431 static const struct file_operations le_min_key_size_fops = {
3432 .open = simple_open,
3433 .read = le_min_key_size_read,
3434 .write = le_min_key_size_write,
3435 .llseek = default_llseek,
3438 static ssize_t le_max_key_size_read(struct file *file,
3439 char __user *user_buf,
3440 size_t count, loff_t *ppos)
3442 struct hci_dev *hdev = file->private_data;
3445 snprintf(buf, sizeof(buf), "%2u\n", hdev->le_max_key_size);
3447 return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3450 static ssize_t le_max_key_size_write(struct file *file,
3451 const char __user *user_buf,
3452 size_t count, loff_t *ppos)
3454 struct hci_dev *hdev = file->private_data;
3456 size_t buf_size = min(count, (sizeof(buf) - 1));
3459 if (copy_from_user(buf, user_buf, buf_size))
3462 buf[buf_size] = '\0';
3464 sscanf(buf, "%hhu", &key_size);
3466 if (key_size > SMP_MAX_ENC_KEY_SIZE ||
3467 key_size < hdev->le_min_key_size)
3470 hdev->le_max_key_size = key_size;
3475 static const struct file_operations le_max_key_size_fops = {
3476 .open = simple_open,
3477 .read = le_max_key_size_read,
3478 .write = le_max_key_size_write,
3479 .llseek = default_llseek,
3482 int smp_register(struct hci_dev *hdev)
3484 struct l2cap_chan *chan;
3486 BT_DBG("%s", hdev->name);
3488 /* If the controller does not support Low Energy operation, then
3489 * there is also no need to register any SMP channel.
3491 if (!lmp_le_capable(hdev))
3494 if (WARN_ON(hdev->smp_data)) {
3495 chan = hdev->smp_data;
3496 hdev->smp_data = NULL;
3500 chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3502 return PTR_ERR(chan);
3504 hdev->smp_data = chan;
3506 debugfs_create_file("le_min_key_size", 0644, hdev->debugfs, hdev,
3507 &le_min_key_size_fops);
3508 debugfs_create_file("le_max_key_size", 0644, hdev->debugfs, hdev,
3509 &le_max_key_size_fops);
3511 /* If the controller does not support BR/EDR Secure Connections
3512 * feature, then the BR/EDR SMP channel shall not be present.
3514 * To test this with Bluetooth 4.0 controllers, create a debugfs
3515 * switch that allows forcing BR/EDR SMP support and accepting
3516 * cross-transport pairing on non-AES encrypted connections.
3518 if (!lmp_sc_capable(hdev)) {
3519 debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3520 hdev, &force_bredr_smp_fops);
3522 /* Flag can be already set here (due to power toggle) */
3523 if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3527 if (WARN_ON(hdev->smp_bredr_data)) {
3528 chan = hdev->smp_bredr_data;
3529 hdev->smp_bredr_data = NULL;
3533 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3535 int err = PTR_ERR(chan);
3536 chan = hdev->smp_data;
3537 hdev->smp_data = NULL;
3542 hdev->smp_bredr_data = chan;
3547 void smp_unregister(struct hci_dev *hdev)
3549 struct l2cap_chan *chan;
3551 if (hdev->smp_bredr_data) {
3552 chan = hdev->smp_bredr_data;
3553 hdev->smp_bredr_data = NULL;
3557 if (hdev->smp_data) {
3558 chan = hdev->smp_data;
3559 hdev->smp_data = NULL;
3564 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3566 static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
3571 err = set_ecdh_privkey(tfm_ecdh, debug_sk);
3575 err = generate_ecdh_public_key(tfm_ecdh, pk);
3579 if (crypto_memneq(pk, debug_pk, 64))
3585 static int __init test_ah(struct crypto_cipher *tfm_aes)
3587 const u8 irk[16] = {
3588 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3589 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3590 const u8 r[3] = { 0x94, 0x81, 0x70 };
3591 const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3595 err = smp_ah(tfm_aes, irk, r, res);
3599 if (crypto_memneq(res, exp, 3))
3605 static int __init test_c1(struct crypto_cipher *tfm_aes)
3608 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3609 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3611 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3612 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3613 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3614 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3615 const u8 _iat = 0x01;
3616 const u8 _rat = 0x00;
3617 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3618 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3619 const u8 exp[16] = {
3620 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3621 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3625 err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3629 if (crypto_memneq(res, exp, 16))
3635 static int __init test_s1(struct crypto_cipher *tfm_aes)
3638 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3639 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3641 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3643 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3644 const u8 exp[16] = {
3645 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3646 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3650 err = smp_s1(tfm_aes, k, r1, r2, res);
3654 if (crypto_memneq(res, exp, 16))
3660 static int __init test_f4(struct crypto_shash *tfm_cmac)
3663 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3664 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3665 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3666 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3668 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3669 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3670 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3671 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3673 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3674 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3676 const u8 exp[16] = {
3677 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3678 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3682 err = smp_f4(tfm_cmac, u, v, x, z, res);
3686 if (crypto_memneq(res, exp, 16))
3692 static int __init test_f5(struct crypto_shash *tfm_cmac)
3695 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3696 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3697 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3698 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3700 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3701 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3703 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3704 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3705 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3706 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3707 const u8 exp_ltk[16] = {
3708 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3709 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3710 const u8 exp_mackey[16] = {
3711 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3712 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3713 u8 mackey[16], ltk[16];
3716 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3720 if (crypto_memneq(mackey, exp_mackey, 16))
3723 if (crypto_memneq(ltk, exp_ltk, 16))
3729 static int __init test_f6(struct crypto_shash *tfm_cmac)
3732 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3733 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3735 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3736 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3738 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3739 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3741 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3742 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3743 const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3744 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3745 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3746 const u8 exp[16] = {
3747 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3748 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3752 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3756 if (crypto_memneq(res, exp, 16))
3762 static int __init test_g2(struct crypto_shash *tfm_cmac)
3765 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3766 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3767 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3768 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3770 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3771 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3772 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3773 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3775 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3776 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3778 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3779 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3780 const u32 exp_val = 0x2f9ed5ba % 1000000;
3784 err = smp_g2(tfm_cmac, u, v, x, y, &val);
3794 static int __init test_h6(struct crypto_shash *tfm_cmac)
3797 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3798 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3799 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3800 const u8 exp[16] = {
3801 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3802 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3806 err = smp_h6(tfm_cmac, w, key_id, res);
3810 if (crypto_memneq(res, exp, 16))
3816 static char test_smp_buffer[32];
3818 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3819 size_t count, loff_t *ppos)
3821 return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3822 strlen(test_smp_buffer));
3825 static const struct file_operations test_smp_fops = {
3826 .open = simple_open,
3827 .read = test_smp_read,
3828 .llseek = default_llseek,
3831 static int __init run_selftests(struct crypto_cipher *tfm_aes,
3832 struct crypto_shash *tfm_cmac,
3833 struct crypto_kpp *tfm_ecdh)
3835 ktime_t calltime, delta, rettime;
3836 unsigned long long duration;
3839 calltime = ktime_get();
3841 err = test_debug_key(tfm_ecdh);
3843 BT_ERR("debug_key test failed");
3847 err = test_ah(tfm_aes);
3849 BT_ERR("smp_ah test failed");
3853 err = test_c1(tfm_aes);
3855 BT_ERR("smp_c1 test failed");
3859 err = test_s1(tfm_aes);
3861 BT_ERR("smp_s1 test failed");
3865 err = test_f4(tfm_cmac);
3867 BT_ERR("smp_f4 test failed");
3871 err = test_f5(tfm_cmac);
3873 BT_ERR("smp_f5 test failed");
3877 err = test_f6(tfm_cmac);
3879 BT_ERR("smp_f6 test failed");
3883 err = test_g2(tfm_cmac);
3885 BT_ERR("smp_g2 test failed");
3889 err = test_h6(tfm_cmac);
3891 BT_ERR("smp_h6 test failed");
3895 rettime = ktime_get();
3896 delta = ktime_sub(rettime, calltime);
3897 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3899 BT_INFO("SMP test passed in %llu usecs", duration);
3903 snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3904 "PASS (%llu usecs)\n", duration);
3906 snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3908 debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3914 int __init bt_selftest_smp(void)
3916 struct crypto_cipher *tfm_aes;
3917 struct crypto_shash *tfm_cmac;
3918 struct crypto_kpp *tfm_ecdh;
3921 tfm_aes = crypto_alloc_cipher("aes", 0, 0);
3922 if (IS_ERR(tfm_aes)) {
3923 BT_ERR("Unable to create AES crypto context");
3924 return PTR_ERR(tfm_aes);
3927 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3928 if (IS_ERR(tfm_cmac)) {
3929 BT_ERR("Unable to create CMAC crypto context");
3930 crypto_free_cipher(tfm_aes);
3931 return PTR_ERR(tfm_cmac);
3934 tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
3935 if (IS_ERR(tfm_ecdh)) {
3936 BT_ERR("Unable to create ECDH crypto context");
3937 crypto_free_shash(tfm_cmac);
3938 crypto_free_cipher(tfm_aes);
3939 return PTR_ERR(tfm_ecdh);
3942 err = run_selftests(tfm_aes, tfm_cmac, tfm_ecdh);
3944 crypto_free_shash(tfm_cmac);
3945 crypto_free_cipher(tfm_aes);
3946 crypto_free_kpp(tfm_ecdh);