2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
23 #include <linux/crypto.h>
24 #include <linux/scatterlist.h>
25 #include <crypto/b128ops.h>
27 #include <net/bluetooth/bluetooth.h>
28 #include <net/bluetooth/hci_core.h>
29 #include <net/bluetooth/l2cap.h>
30 #include <net/bluetooth/mgmt.h>
35 /* Low-level debug macros to be used for stuff that we don't want
36 * accidentially in dmesg, i.e. the values of the various crypto keys
37 * and the inputs & outputs of crypto functions.
40 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
43 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
47 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
49 /* Keys which are not distributed with Secure Connections */
50 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
52 #define SMP_TIMEOUT msecs_to_jiffies(30000)
54 #define AUTH_REQ_MASK(dev) (test_bit(HCI_SC_ENABLED, &(dev)->dev_flags) ? \
56 #define KEY_DIST_MASK 0x07
58 /* Maximum message length that can be passed to aes_cmac */
59 #define CMAC_MSG_MAX 80
71 SMP_FLAG_DHKEY_PENDING,
76 struct l2cap_conn *conn;
77 struct delayed_work security_timer;
78 unsigned long allow_cmd; /* Bitmask of allowed commands */
80 u8 preq[7]; /* SMP Pairing Request */
81 u8 prsp[7]; /* SMP Pairing Response */
82 u8 prnd[16]; /* SMP Pairing Random (local) */
83 u8 rrnd[16]; /* SMP Pairing Random (remote) */
84 u8 pcnf[16]; /* SMP Pairing Confirm */
85 u8 tk[16]; /* SMP Temporary Key */
92 struct smp_csrk *csrk;
93 struct smp_csrk *slave_csrk;
95 struct smp_ltk *slave_ltk;
96 struct smp_irk *remote_irk;
102 /* Secure Connections variables */
109 struct crypto_blkcipher *tfm_aes;
110 struct crypto_hash *tfm_cmac;
113 /* These debug key values are defined in the SMP section of the core
114 * specification. debug_pk is the public debug key and debug_sk the
117 static const u8 debug_pk[64] = {
118 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
119 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
120 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
121 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
123 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
124 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
125 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
126 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
129 static const u8 debug_sk[32] = {
130 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
131 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
132 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
133 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
136 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
140 for (i = 0; i < len; i++)
141 dst[len - 1 - i] = src[i];
144 /* The following functions map to the LE SC SMP crypto functions
145 * AES-CMAC, f4, f5, f6, g2 and h6.
148 static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m,
149 size_t len, u8 mac[16])
151 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
152 struct hash_desc desc;
153 struct scatterlist sg;
156 if (len > CMAC_MSG_MAX)
160 BT_ERR("tfm %p", tfm);
167 crypto_hash_init(&desc);
169 /* Swap key and message from LSB to MSB */
170 swap_buf(k, tmp, 16);
171 swap_buf(m, msg_msb, len);
173 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
174 SMP_DBG("key %16phN", k);
176 err = crypto_hash_setkey(tfm, tmp, 16);
178 BT_ERR("cipher setkey failed: %d", err);
182 sg_init_one(&sg, msg_msb, len);
184 err = crypto_hash_update(&desc, &sg, len);
186 BT_ERR("Hash update error %d", err);
190 err = crypto_hash_final(&desc, mac_msb);
192 BT_ERR("Hash final error %d", err);
196 swap_buf(mac_msb, mac, 16);
198 SMP_DBG("mac %16phN", mac);
203 static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
204 const u8 x[16], u8 z, u8 res[16])
209 SMP_DBG("u %32phN", u);
210 SMP_DBG("v %32phN", v);
211 SMP_DBG("x %16phN z %02x", x, z);
214 memcpy(m + 1, v, 32);
215 memcpy(m + 33, u, 32);
217 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
221 SMP_DBG("res %16phN", res);
226 static int smp_f5(struct crypto_hash *tfm_cmac, const u8 w[32],
227 const u8 n1[16], const u8 n2[16], const u8 a1[7],
228 const u8 a2[7], u8 mackey[16], u8 ltk[16])
230 /* The btle, salt and length "magic" values are as defined in
231 * the SMP section of the Bluetooth core specification. In ASCII
232 * the btle value ends up being 'btle'. The salt is just a
233 * random number whereas length is the value 256 in little
236 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
237 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
238 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
239 const u8 length[2] = { 0x00, 0x01 };
243 SMP_DBG("w %32phN", w);
244 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
245 SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
247 err = aes_cmac(tfm_cmac, salt, w, 32, t);
251 SMP_DBG("t %16phN", t);
253 memcpy(m, length, 2);
254 memcpy(m + 2, a2, 7);
255 memcpy(m + 9, a1, 7);
256 memcpy(m + 16, n2, 16);
257 memcpy(m + 32, n1, 16);
258 memcpy(m + 48, btle, 4);
260 m[52] = 0; /* Counter */
262 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
266 SMP_DBG("mackey %16phN", mackey);
268 m[52] = 1; /* Counter */
270 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
274 SMP_DBG("ltk %16phN", ltk);
279 static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16],
280 const u8 n1[16], const u8 n2[16], const u8 r[16],
281 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
287 SMP_DBG("w %16phN", w);
288 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
289 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
292 memcpy(m + 7, a1, 7);
293 memcpy(m + 14, io_cap, 3);
294 memcpy(m + 17, r, 16);
295 memcpy(m + 33, n2, 16);
296 memcpy(m + 49, n1, 16);
298 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
302 BT_DBG("res %16phN", res);
307 static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
308 const u8 x[16], const u8 y[16], u32 *val)
313 SMP_DBG("u %32phN", u);
314 SMP_DBG("v %32phN", v);
315 SMP_DBG("x %16phN y %16phN", x, y);
318 memcpy(m + 16, v, 32);
319 memcpy(m + 48, u, 32);
321 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
325 *val = get_unaligned_le32(tmp);
328 SMP_DBG("val %06u", *val);
333 static int smp_h6(struct crypto_hash *tfm_cmac, const u8 w[16],
334 const u8 key_id[4], u8 res[16])
338 SMP_DBG("w %16phN key_id %4phN", w, key_id);
340 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
344 SMP_DBG("res %16phN", res);
349 /* The following functions map to the legacy SMP crypto functions e, c1,
353 static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
355 struct blkcipher_desc desc;
356 struct scatterlist sg;
357 uint8_t tmp[16], data[16];
361 BT_ERR("tfm %p", tfm);
368 /* The most significant octet of key corresponds to k[0] */
369 swap_buf(k, tmp, 16);
371 err = crypto_blkcipher_setkey(tfm, tmp, 16);
373 BT_ERR("cipher setkey failed: %d", err);
377 /* Most significant octet of plaintextData corresponds to data[0] */
378 swap_buf(r, data, 16);
380 sg_init_one(&sg, data, 16);
382 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
384 BT_ERR("Encrypt data error %d", err);
386 /* Most significant octet of encryptedData corresponds to data[0] */
387 swap_buf(data, r, 16);
392 static int smp_c1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
393 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
394 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
401 /* p1 = pres || preq || _rat || _iat */
404 memcpy(p1 + 2, preq, 7);
405 memcpy(p1 + 9, pres, 7);
407 /* p2 = padding || ia || ra */
409 memcpy(p2 + 6, ia, 6);
410 memset(p2 + 12, 0, 4);
413 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
415 /* res = e(k, res) */
416 err = smp_e(tfm_aes, k, res);
418 BT_ERR("Encrypt data error");
422 /* res = res XOR p2 */
423 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
425 /* res = e(k, res) */
426 err = smp_e(tfm_aes, k, res);
428 BT_ERR("Encrypt data error");
433 static int smp_s1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
434 const u8 r1[16], const u8 r2[16], u8 _r[16])
438 /* Just least significant octets from r1 and r2 are considered */
440 memcpy(_r + 8, r1, 8);
442 err = smp_e(tfm_aes, k, _r);
444 BT_ERR("Encrypt data error");
449 static int smp_ah(struct crypto_blkcipher *tfm, const u8 irk[16],
450 const u8 r[3], u8 res[3])
455 /* r' = padding || r */
457 memset(_res + 3, 0, 13);
459 err = smp_e(tfm, irk, _res);
461 BT_ERR("Encrypt error");
465 /* The output of the random address function ah is:
466 * ah(h, r) = e(k, r') mod 2^24
467 * The output of the security function e is then truncated to 24 bits
468 * by taking the least significant 24 bits of the output of e as the
471 memcpy(res, _res, 3);
476 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
477 const bdaddr_t *bdaddr)
479 struct l2cap_chan *chan = hdev->smp_data;
480 struct crypto_blkcipher *tfm;
484 if (!chan || !chan->data)
489 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
491 err = smp_ah(tfm, irk, &bdaddr->b[3], hash);
495 return !memcmp(bdaddr->b, hash, 3);
498 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
500 struct l2cap_chan *chan = hdev->smp_data;
501 struct crypto_blkcipher *tfm;
504 if (!chan || !chan->data)
509 get_random_bytes(&rpa->b[3], 3);
511 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
512 rpa->b[5] |= 0x40; /* Set second most significant bit */
514 err = smp_ah(tfm, irk, &rpa->b[3], rpa->b);
518 BT_DBG("RPA %pMR", rpa);
523 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
525 struct l2cap_chan *chan = conn->smp;
526 struct smp_chan *smp;
533 BT_DBG("code 0x%2.2x", code);
535 iv[0].iov_base = &code;
538 iv[1].iov_base = data;
541 memset(&msg, 0, sizeof(msg));
543 iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
545 l2cap_chan_send(chan, &msg, 1 + len);
552 cancel_delayed_work_sync(&smp->security_timer);
553 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
556 static u8 authreq_to_seclevel(u8 authreq)
558 if (authreq & SMP_AUTH_MITM) {
559 if (authreq & SMP_AUTH_SC)
560 return BT_SECURITY_FIPS;
562 return BT_SECURITY_HIGH;
564 return BT_SECURITY_MEDIUM;
568 static __u8 seclevel_to_authreq(__u8 sec_level)
571 case BT_SECURITY_FIPS:
572 case BT_SECURITY_HIGH:
573 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
574 case BT_SECURITY_MEDIUM:
575 return SMP_AUTH_BONDING;
577 return SMP_AUTH_NONE;
581 static void build_pairing_cmd(struct l2cap_conn *conn,
582 struct smp_cmd_pairing *req,
583 struct smp_cmd_pairing *rsp, __u8 authreq)
585 struct l2cap_chan *chan = conn->smp;
586 struct smp_chan *smp = chan->data;
587 struct hci_conn *hcon = conn->hcon;
588 struct hci_dev *hdev = hcon->hdev;
589 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
591 if (test_bit(HCI_BONDABLE, &conn->hcon->hdev->dev_flags)) {
592 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
593 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
594 authreq |= SMP_AUTH_BONDING;
596 authreq &= ~SMP_AUTH_BONDING;
599 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
600 remote_dist |= SMP_DIST_ID_KEY;
602 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
603 local_dist |= SMP_DIST_ID_KEY;
605 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags) &&
606 (authreq & SMP_AUTH_SC)) {
607 struct oob_data *oob_data;
610 if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
611 local_dist |= SMP_DIST_LINK_KEY;
612 remote_dist |= SMP_DIST_LINK_KEY;
615 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
616 bdaddr_type = BDADDR_LE_PUBLIC;
618 bdaddr_type = BDADDR_LE_RANDOM;
620 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
623 set_bit(SMP_FLAG_OOB, &smp->flags);
624 oob_flag = SMP_OOB_PRESENT;
625 memcpy(smp->rr, oob_data->rand256, 16);
626 memcpy(smp->pcnf, oob_data->hash256, 16);
630 authreq &= ~SMP_AUTH_SC;
634 req->io_capability = conn->hcon->io_capability;
635 req->oob_flag = oob_flag;
636 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
637 req->init_key_dist = local_dist;
638 req->resp_key_dist = remote_dist;
639 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
641 smp->remote_key_dist = remote_dist;
645 rsp->io_capability = conn->hcon->io_capability;
646 rsp->oob_flag = oob_flag;
647 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
648 rsp->init_key_dist = req->init_key_dist & remote_dist;
649 rsp->resp_key_dist = req->resp_key_dist & local_dist;
650 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
652 smp->remote_key_dist = rsp->init_key_dist;
655 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
657 struct l2cap_chan *chan = conn->smp;
658 struct smp_chan *smp = chan->data;
660 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
661 (max_key_size < SMP_MIN_ENC_KEY_SIZE))
662 return SMP_ENC_KEY_SIZE;
664 smp->enc_key_size = max_key_size;
669 static void smp_chan_destroy(struct l2cap_conn *conn)
671 struct l2cap_chan *chan = conn->smp;
672 struct smp_chan *smp = chan->data;
673 struct hci_conn *hcon = conn->hcon;
678 cancel_delayed_work_sync(&smp->security_timer);
680 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
681 mgmt_smp_complete(hcon, complete);
684 kfree(smp->slave_csrk);
685 kfree(smp->link_key);
687 crypto_free_blkcipher(smp->tfm_aes);
688 crypto_free_hash(smp->tfm_cmac);
690 /* Ensure that we don't leave any debug key around if debug key
691 * support hasn't been explicitly enabled.
693 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
694 !test_bit(HCI_KEEP_DEBUG_KEYS, &hcon->hdev->dev_flags)) {
695 list_del_rcu(&smp->ltk->list);
696 kfree_rcu(smp->ltk, rcu);
700 /* If pairing failed clean up any keys we might have */
703 list_del_rcu(&smp->ltk->list);
704 kfree_rcu(smp->ltk, rcu);
707 if (smp->slave_ltk) {
708 list_del_rcu(&smp->slave_ltk->list);
709 kfree_rcu(smp->slave_ltk, rcu);
712 if (smp->remote_irk) {
713 list_del_rcu(&smp->remote_irk->list);
714 kfree_rcu(smp->remote_irk, rcu);
723 static void smp_failure(struct l2cap_conn *conn, u8 reason)
725 struct hci_conn *hcon = conn->hcon;
726 struct l2cap_chan *chan = conn->smp;
729 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
732 clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags);
733 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
736 smp_chan_destroy(conn);
739 #define JUST_WORKS 0x00
740 #define JUST_CFM 0x01
741 #define REQ_PASSKEY 0x02
742 #define CFM_PASSKEY 0x03
744 #define DSP_PASSKEY 0x05
747 static const u8 gen_method[5][5] = {
748 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
749 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
750 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
751 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
752 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
755 static const u8 sc_method[5][5] = {
756 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
757 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
758 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
759 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
760 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
763 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
765 /* If either side has unknown io_caps, use JUST_CFM (which gets
766 * converted later to JUST_WORKS if we're initiators.
768 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
769 remote_io > SMP_IO_KEYBOARD_DISPLAY)
772 if (test_bit(SMP_FLAG_SC, &smp->flags))
773 return sc_method[remote_io][local_io];
775 return gen_method[remote_io][local_io];
778 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
779 u8 local_io, u8 remote_io)
781 struct hci_conn *hcon = conn->hcon;
782 struct l2cap_chan *chan = conn->smp;
783 struct smp_chan *smp = chan->data;
787 /* Initialize key for JUST WORKS */
788 memset(smp->tk, 0, sizeof(smp->tk));
789 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
791 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
793 /* If neither side wants MITM, either "just" confirm an incoming
794 * request or use just-works for outgoing ones. The JUST_CFM
795 * will be converted to JUST_WORKS if necessary later in this
796 * function. If either side has MITM look up the method from the
799 if (!(auth & SMP_AUTH_MITM))
800 smp->method = JUST_CFM;
802 smp->method = get_auth_method(smp, local_io, remote_io);
804 /* Don't confirm locally initiated pairing attempts */
805 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
807 smp->method = JUST_WORKS;
809 /* Don't bother user space with no IO capabilities */
810 if (smp->method == JUST_CFM &&
811 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
812 smp->method = JUST_WORKS;
814 /* If Just Works, Continue with Zero TK */
815 if (smp->method == JUST_WORKS) {
816 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
820 /* Not Just Works/Confirm results in MITM Authentication */
821 if (smp->method != JUST_CFM) {
822 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
823 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
824 hcon->pending_sec_level = BT_SECURITY_HIGH;
827 /* If both devices have Keyoard-Display I/O, the master
828 * Confirms and the slave Enters the passkey.
830 if (smp->method == OVERLAP) {
831 if (hcon->role == HCI_ROLE_MASTER)
832 smp->method = CFM_PASSKEY;
834 smp->method = REQ_PASSKEY;
837 /* Generate random passkey. */
838 if (smp->method == CFM_PASSKEY) {
839 memset(smp->tk, 0, sizeof(smp->tk));
840 get_random_bytes(&passkey, sizeof(passkey));
842 put_unaligned_le32(passkey, smp->tk);
843 BT_DBG("PassKey: %d", passkey);
844 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
847 if (smp->method == REQ_PASSKEY)
848 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
849 hcon->type, hcon->dst_type);
850 else if (smp->method == JUST_CFM)
851 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
852 hcon->type, hcon->dst_type,
855 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
856 hcon->type, hcon->dst_type,
862 static u8 smp_confirm(struct smp_chan *smp)
864 struct l2cap_conn *conn = smp->conn;
865 struct smp_cmd_pairing_confirm cp;
868 BT_DBG("conn %p", conn);
870 ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
871 conn->hcon->init_addr_type, &conn->hcon->init_addr,
872 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
875 return SMP_UNSPECIFIED;
877 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
879 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
882 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
884 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
889 static u8 smp_random(struct smp_chan *smp)
891 struct l2cap_conn *conn = smp->conn;
892 struct hci_conn *hcon = conn->hcon;
896 if (IS_ERR_OR_NULL(smp->tfm_aes))
897 return SMP_UNSPECIFIED;
899 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
901 ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
902 hcon->init_addr_type, &hcon->init_addr,
903 hcon->resp_addr_type, &hcon->resp_addr, confirm);
905 return SMP_UNSPECIFIED;
907 if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
908 BT_ERR("Pairing failed (confirmation values mismatch)");
909 return SMP_CONFIRM_FAILED;
917 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
919 memset(stk + smp->enc_key_size, 0,
920 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
922 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
923 return SMP_UNSPECIFIED;
925 hci_le_start_enc(hcon, ediv, rand, stk);
926 hcon->enc_key_size = smp->enc_key_size;
927 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
933 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
936 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
938 memset(stk + smp->enc_key_size, 0,
939 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
941 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
946 /* Even though there's no _SLAVE suffix this is the
947 * slave STK we're adding for later lookup (the master
948 * STK never needs to be stored).
950 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
951 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
957 static void smp_notify_keys(struct l2cap_conn *conn)
959 struct l2cap_chan *chan = conn->smp;
960 struct smp_chan *smp = chan->data;
961 struct hci_conn *hcon = conn->hcon;
962 struct hci_dev *hdev = hcon->hdev;
963 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
964 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
967 if (smp->remote_irk) {
968 mgmt_new_irk(hdev, smp->remote_irk);
969 /* Now that user space can be considered to know the
970 * identity address track the connection based on it
971 * from now on (assuming this is an LE link).
973 if (hcon->type == LE_LINK) {
974 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
975 hcon->dst_type = smp->remote_irk->addr_type;
976 queue_work(hdev->workqueue, &conn->id_addr_update_work);
979 /* When receiving an indentity resolving key for
980 * a remote device that does not use a resolvable
981 * private address, just remove the key so that
982 * it is possible to use the controller white
985 * Userspace will have been told to not store
986 * this key at this point. So it is safe to
989 if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) {
990 list_del_rcu(&smp->remote_irk->list);
991 kfree_rcu(smp->remote_irk, rcu);
992 smp->remote_irk = NULL;
996 if (hcon->type == ACL_LINK) {
997 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1000 persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1003 /* The LTKs and CSRKs should be persistent only if both sides
1004 * had the bonding bit set in their authentication requests.
1006 persistent = !!((req->auth_req & rsp->auth_req) &
1012 smp->csrk->bdaddr_type = hcon->dst_type;
1013 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1014 mgmt_new_csrk(hdev, smp->csrk, persistent);
1017 if (smp->slave_csrk) {
1018 smp->slave_csrk->bdaddr_type = hcon->dst_type;
1019 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1020 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1024 smp->ltk->bdaddr_type = hcon->dst_type;
1025 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1026 mgmt_new_ltk(hdev, smp->ltk, persistent);
1029 if (smp->slave_ltk) {
1030 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1031 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1032 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1035 if (smp->link_key) {
1036 struct link_key *key;
1039 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1040 type = HCI_LK_DEBUG_COMBINATION;
1041 else if (hcon->sec_level == BT_SECURITY_FIPS)
1042 type = HCI_LK_AUTH_COMBINATION_P256;
1044 type = HCI_LK_UNAUTH_COMBINATION_P256;
1046 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1047 smp->link_key, type, 0, &persistent);
1049 mgmt_new_link_key(hdev, key, persistent);
1051 /* Don't keep debug keys around if the relevant
1054 if (!test_bit(HCI_KEEP_DEBUG_KEYS, &hdev->dev_flags) &&
1055 key->type == HCI_LK_DEBUG_COMBINATION) {
1056 list_del_rcu(&key->list);
1057 kfree_rcu(key, rcu);
1063 static void sc_add_ltk(struct smp_chan *smp)
1065 struct hci_conn *hcon = smp->conn->hcon;
1068 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1069 key_type = SMP_LTK_P256_DEBUG;
1071 key_type = SMP_LTK_P256;
1073 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1078 memset(smp->tk + smp->enc_key_size, 0,
1079 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
1081 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1082 key_type, auth, smp->tk, smp->enc_key_size,
1086 static void sc_generate_link_key(struct smp_chan *smp)
1088 /* These constants are as specified in the core specification.
1089 * In ASCII they spell out to 'tmp1' and 'lebr'.
1091 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1092 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1094 smp->link_key = kzalloc(16, GFP_KERNEL);
1098 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1099 kfree(smp->link_key);
1100 smp->link_key = NULL;
1104 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1105 kfree(smp->link_key);
1106 smp->link_key = NULL;
1111 static void smp_allow_key_dist(struct smp_chan *smp)
1113 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1114 * will be allowed in each PDU handler to ensure we receive
1115 * them in the correct order.
1117 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1118 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1119 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1120 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1121 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1122 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1125 static void sc_generate_ltk(struct smp_chan *smp)
1127 /* These constants are as specified in the core specification.
1128 * In ASCII they spell out to 'tmp2' and 'brle'.
1130 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1131 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1132 struct hci_conn *hcon = smp->conn->hcon;
1133 struct hci_dev *hdev = hcon->hdev;
1134 struct link_key *key;
1136 key = hci_find_link_key(hdev, &hcon->dst);
1138 BT_ERR("%s No Link Key found to generate LTK", hdev->name);
1142 if (key->type == HCI_LK_DEBUG_COMBINATION)
1143 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1145 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1148 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1154 static void smp_distribute_keys(struct smp_chan *smp)
1156 struct smp_cmd_pairing *req, *rsp;
1157 struct l2cap_conn *conn = smp->conn;
1158 struct hci_conn *hcon = conn->hcon;
1159 struct hci_dev *hdev = hcon->hdev;
1162 BT_DBG("conn %p", conn);
1164 rsp = (void *) &smp->prsp[1];
1166 /* The responder sends its keys first */
1167 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1168 smp_allow_key_dist(smp);
1172 req = (void *) &smp->preq[1];
1175 keydist = &rsp->init_key_dist;
1176 *keydist &= req->init_key_dist;
1178 keydist = &rsp->resp_key_dist;
1179 *keydist &= req->resp_key_dist;
1182 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1183 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1184 sc_generate_link_key(smp);
1185 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1186 sc_generate_ltk(smp);
1188 /* Clear the keys which are generated but not distributed */
1189 *keydist &= ~SMP_SC_NO_DIST;
1192 BT_DBG("keydist 0x%x", *keydist);
1194 if (*keydist & SMP_DIST_ENC_KEY) {
1195 struct smp_cmd_encrypt_info enc;
1196 struct smp_cmd_master_ident ident;
1197 struct smp_ltk *ltk;
1202 get_random_bytes(enc.ltk, sizeof(enc.ltk));
1203 get_random_bytes(&ediv, sizeof(ediv));
1204 get_random_bytes(&rand, sizeof(rand));
1206 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1208 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1209 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1210 SMP_LTK_SLAVE, authenticated, enc.ltk,
1211 smp->enc_key_size, ediv, rand);
1212 smp->slave_ltk = ltk;
1217 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1219 *keydist &= ~SMP_DIST_ENC_KEY;
1222 if (*keydist & SMP_DIST_ID_KEY) {
1223 struct smp_cmd_ident_addr_info addrinfo;
1224 struct smp_cmd_ident_info idinfo;
1226 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1228 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1230 /* The hci_conn contains the local identity address
1231 * after the connection has been established.
1233 * This is true even when the connection has been
1234 * established using a resolvable random address.
1236 bacpy(&addrinfo.bdaddr, &hcon->src);
1237 addrinfo.addr_type = hcon->src_type;
1239 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1242 *keydist &= ~SMP_DIST_ID_KEY;
1245 if (*keydist & SMP_DIST_SIGN) {
1246 struct smp_cmd_sign_info sign;
1247 struct smp_csrk *csrk;
1249 /* Generate a new random key */
1250 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1252 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1254 csrk->master = 0x00;
1255 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1257 smp->slave_csrk = csrk;
1259 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1261 *keydist &= ~SMP_DIST_SIGN;
1264 /* If there are still keys to be received wait for them */
1265 if (smp->remote_key_dist & KEY_DIST_MASK) {
1266 smp_allow_key_dist(smp);
1270 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1271 smp_notify_keys(conn);
1273 smp_chan_destroy(conn);
1276 static void smp_timeout(struct work_struct *work)
1278 struct smp_chan *smp = container_of(work, struct smp_chan,
1279 security_timer.work);
1280 struct l2cap_conn *conn = smp->conn;
1282 BT_DBG("conn %p", conn);
1284 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1287 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1289 struct l2cap_chan *chan = conn->smp;
1290 struct smp_chan *smp;
1292 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1296 smp->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
1297 if (IS_ERR(smp->tfm_aes)) {
1298 BT_ERR("Unable to create ECB crypto context");
1303 smp->tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
1304 if (IS_ERR(smp->tfm_cmac)) {
1305 BT_ERR("Unable to create CMAC crypto context");
1306 crypto_free_blkcipher(smp->tfm_aes);
1314 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1316 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1318 hci_conn_hold(conn->hcon);
1323 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1325 struct hci_conn *hcon = smp->conn->hcon;
1326 u8 *na, *nb, a[7], b[7];
1336 memcpy(a, &hcon->init_addr, 6);
1337 memcpy(b, &hcon->resp_addr, 6);
1338 a[6] = hcon->init_addr_type;
1339 b[6] = hcon->resp_addr_type;
1341 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1344 static void sc_dhkey_check(struct smp_chan *smp)
1346 struct hci_conn *hcon = smp->conn->hcon;
1347 struct smp_cmd_dhkey_check check;
1348 u8 a[7], b[7], *local_addr, *remote_addr;
1349 u8 io_cap[3], r[16];
1351 memcpy(a, &hcon->init_addr, 6);
1352 memcpy(b, &hcon->resp_addr, 6);
1353 a[6] = hcon->init_addr_type;
1354 b[6] = hcon->resp_addr_type;
1359 memcpy(io_cap, &smp->preq[1], 3);
1363 memcpy(io_cap, &smp->prsp[1], 3);
1366 memset(r, 0, sizeof(r));
1368 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1369 put_unaligned_le32(hcon->passkey_notify, r);
1371 if (smp->method == REQ_OOB)
1372 memcpy(r, smp->rr, 16);
1374 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1375 local_addr, remote_addr, check.e);
1377 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1380 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1382 struct l2cap_conn *conn = smp->conn;
1383 struct hci_conn *hcon = conn->hcon;
1384 struct smp_cmd_pairing_confirm cfm;
1387 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1390 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1392 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1394 return SMP_UNSPECIFIED;
1396 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1401 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1403 struct l2cap_conn *conn = smp->conn;
1404 struct hci_conn *hcon = conn->hcon;
1405 struct hci_dev *hdev = hcon->hdev;
1408 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1409 if (smp->passkey_round >= 20)
1413 case SMP_CMD_PAIRING_RANDOM:
1414 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1417 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1419 return SMP_UNSPECIFIED;
1421 if (memcmp(smp->pcnf, cfm, 16))
1422 return SMP_CONFIRM_FAILED;
1424 smp->passkey_round++;
1426 if (smp->passkey_round == 20) {
1427 /* Generate MacKey and LTK */
1428 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1429 return SMP_UNSPECIFIED;
1432 /* The round is only complete when the initiator
1433 * receives pairing random.
1436 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1437 sizeof(smp->prnd), smp->prnd);
1438 if (smp->passkey_round == 20)
1439 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1441 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1445 /* Start the next round */
1446 if (smp->passkey_round != 20)
1447 return sc_passkey_round(smp, 0);
1449 /* Passkey rounds are complete - start DHKey Check */
1450 sc_dhkey_check(smp);
1451 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1455 case SMP_CMD_PAIRING_CONFIRM:
1456 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1457 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1461 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1464 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1465 sizeof(smp->prnd), smp->prnd);
1469 return sc_passkey_send_confirm(smp);
1471 case SMP_CMD_PUBLIC_KEY:
1473 /* Initiating device starts the round */
1477 BT_DBG("%s Starting passkey round %u", hdev->name,
1478 smp->passkey_round + 1);
1480 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1482 return sc_passkey_send_confirm(smp);
1488 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1490 struct l2cap_conn *conn = smp->conn;
1491 struct hci_conn *hcon = conn->hcon;
1494 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1497 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1498 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1500 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1501 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1503 case MGMT_OP_USER_PASSKEY_REPLY:
1504 hcon->passkey_notify = le32_to_cpu(passkey);
1505 smp->passkey_round = 0;
1507 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1508 smp_op = SMP_CMD_PAIRING_CONFIRM;
1512 if (sc_passkey_round(smp, smp_op))
1518 /* Initiator sends DHKey check first */
1520 sc_dhkey_check(smp);
1521 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1522 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1523 sc_dhkey_check(smp);
1530 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1532 struct l2cap_conn *conn = hcon->l2cap_data;
1533 struct l2cap_chan *chan;
1534 struct smp_chan *smp;
1547 l2cap_chan_lock(chan);
1555 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1556 err = sc_user_reply(smp, mgmt_op, passkey);
1561 case MGMT_OP_USER_PASSKEY_REPLY:
1562 value = le32_to_cpu(passkey);
1563 memset(smp->tk, 0, sizeof(smp->tk));
1564 BT_DBG("PassKey: %d", value);
1565 put_unaligned_le32(value, smp->tk);
1567 case MGMT_OP_USER_CONFIRM_REPLY:
1568 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1570 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1571 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1572 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1576 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1583 /* If it is our turn to send Pairing Confirm, do so now */
1584 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1585 u8 rsp = smp_confirm(smp);
1587 smp_failure(conn, rsp);
1591 l2cap_chan_unlock(chan);
1595 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1596 struct smp_cmd_pairing *req,
1597 struct smp_cmd_pairing *rsp)
1599 struct l2cap_conn *conn = smp->conn;
1600 struct hci_dev *hdev = conn->hcon->hdev;
1601 u8 local_dist = 0, remote_dist = 0;
1603 if (test_bit(HCI_BONDABLE, &hdev->dev_flags)) {
1604 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1605 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1608 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
1609 remote_dist |= SMP_DIST_ID_KEY;
1611 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
1612 local_dist |= SMP_DIST_ID_KEY;
1615 memset(req, 0, sizeof(*req));
1617 req->init_key_dist = local_dist;
1618 req->resp_key_dist = remote_dist;
1619 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1621 smp->remote_key_dist = remote_dist;
1626 memset(rsp, 0, sizeof(*rsp));
1628 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1629 rsp->init_key_dist = req->init_key_dist & remote_dist;
1630 rsp->resp_key_dist = req->resp_key_dist & local_dist;
1632 smp->remote_key_dist = rsp->init_key_dist;
1635 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1637 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1638 struct l2cap_chan *chan = conn->smp;
1639 struct hci_dev *hdev = conn->hcon->hdev;
1640 struct smp_chan *smp;
1641 u8 key_size, auth, sec_level;
1644 BT_DBG("conn %p", conn);
1646 if (skb->len < sizeof(*req))
1647 return SMP_INVALID_PARAMS;
1649 if (conn->hcon->role != HCI_ROLE_SLAVE)
1650 return SMP_CMD_NOTSUPP;
1653 smp = smp_chan_create(conn);
1658 return SMP_UNSPECIFIED;
1660 /* We didn't start the pairing, so match remote */
1661 auth = req->auth_req & AUTH_REQ_MASK(hdev);
1663 if (!test_bit(HCI_BONDABLE, &hdev->dev_flags) &&
1664 (auth & SMP_AUTH_BONDING))
1665 return SMP_PAIRING_NOTSUPP;
1667 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
1668 return SMP_AUTH_REQUIREMENTS;
1670 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1671 memcpy(&smp->preq[1], req, sizeof(*req));
1672 skb_pull(skb, sizeof(*req));
1674 /* SMP over BR/EDR requires special treatment */
1675 if (conn->hcon->type == ACL_LINK) {
1676 /* We must have a BR/EDR SC link */
1677 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1678 !test_bit(HCI_FORCE_LESC, &hdev->dbg_flags))
1679 return SMP_CROSS_TRANSP_NOT_ALLOWED;
1681 set_bit(SMP_FLAG_SC, &smp->flags);
1683 build_bredr_pairing_cmd(smp, req, &rsp);
1685 key_size = min(req->max_key_size, rsp.max_key_size);
1686 if (check_enc_key_size(conn, key_size))
1687 return SMP_ENC_KEY_SIZE;
1689 /* Clear bits which are generated but not distributed */
1690 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1692 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1693 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1694 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1696 smp_distribute_keys(smp);
1700 build_pairing_cmd(conn, req, &rsp, auth);
1702 if (rsp.auth_req & SMP_AUTH_SC)
1703 set_bit(SMP_FLAG_SC, &smp->flags);
1705 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1706 sec_level = BT_SECURITY_MEDIUM;
1708 sec_level = authreq_to_seclevel(auth);
1710 if (sec_level > conn->hcon->pending_sec_level)
1711 conn->hcon->pending_sec_level = sec_level;
1713 /* If we need MITM check that it can be achieved */
1714 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1717 method = get_auth_method(smp, conn->hcon->io_capability,
1718 req->io_capability);
1719 if (method == JUST_WORKS || method == JUST_CFM)
1720 return SMP_AUTH_REQUIREMENTS;
1723 key_size = min(req->max_key_size, rsp.max_key_size);
1724 if (check_enc_key_size(conn, key_size))
1725 return SMP_ENC_KEY_SIZE;
1727 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1729 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1730 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1732 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1734 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1736 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1737 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1738 /* Clear bits which are generated but not distributed */
1739 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1740 /* Wait for Public Key from Initiating Device */
1743 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1746 /* Request setup of TK */
1747 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1749 return SMP_UNSPECIFIED;
1754 static u8 sc_send_public_key(struct smp_chan *smp)
1756 struct hci_dev *hdev = smp->conn->hcon->hdev;
1760 if (test_bit(HCI_USE_DEBUG_KEYS, &hdev->dev_flags)) {
1761 BT_DBG("Using debug keys");
1762 memcpy(smp->local_pk, debug_pk, 64);
1763 memcpy(smp->local_sk, debug_sk, 32);
1764 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1767 /* Generate local key pair for Secure Connections */
1768 if (!ecc_make_key(smp->local_pk, smp->local_sk))
1769 return SMP_UNSPECIFIED;
1771 /* This is unlikely, but we need to check that
1772 * we didn't accidentially generate a debug key.
1774 if (memcmp(smp->local_sk, debug_sk, 32))
1779 SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1780 SMP_DBG("Local Public Key Y: %32phN", &smp->local_pk[32]);
1781 SMP_DBG("Local Private Key: %32phN", smp->local_sk);
1783 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1788 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1790 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1791 struct l2cap_chan *chan = conn->smp;
1792 struct smp_chan *smp = chan->data;
1793 struct hci_dev *hdev = conn->hcon->hdev;
1797 BT_DBG("conn %p", conn);
1799 if (skb->len < sizeof(*rsp))
1800 return SMP_INVALID_PARAMS;
1802 if (conn->hcon->role != HCI_ROLE_MASTER)
1803 return SMP_CMD_NOTSUPP;
1805 skb_pull(skb, sizeof(*rsp));
1807 req = (void *) &smp->preq[1];
1809 key_size = min(req->max_key_size, rsp->max_key_size);
1810 if (check_enc_key_size(conn, key_size))
1811 return SMP_ENC_KEY_SIZE;
1813 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1815 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
1816 return SMP_AUTH_REQUIREMENTS;
1818 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1819 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1821 /* Update remote key distribution in case the remote cleared
1822 * some bits that we had enabled in our request.
1824 smp->remote_key_dist &= rsp->resp_key_dist;
1826 /* For BR/EDR this means we're done and can start phase 3 */
1827 if (conn->hcon->type == ACL_LINK) {
1828 /* Clear bits which are generated but not distributed */
1829 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1830 smp_distribute_keys(smp);
1834 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1835 set_bit(SMP_FLAG_SC, &smp->flags);
1836 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1837 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1839 /* If we need MITM check that it can be achieved */
1840 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1843 method = get_auth_method(smp, req->io_capability,
1844 rsp->io_capability);
1845 if (method == JUST_WORKS || method == JUST_CFM)
1846 return SMP_AUTH_REQUIREMENTS;
1849 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1851 /* Update remote key distribution in case the remote cleared
1852 * some bits that we had enabled in our request.
1854 smp->remote_key_dist &= rsp->resp_key_dist;
1856 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1857 /* Clear bits which are generated but not distributed */
1858 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1859 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1860 return sc_send_public_key(smp);
1863 auth |= req->auth_req;
1865 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
1867 return SMP_UNSPECIFIED;
1869 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1871 /* Can't compose response until we have been confirmed */
1872 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1873 return smp_confirm(smp);
1878 static u8 sc_check_confirm(struct smp_chan *smp)
1880 struct l2cap_conn *conn = smp->conn;
1884 /* Public Key exchange must happen before any other steps */
1885 if (!test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
1886 return SMP_UNSPECIFIED;
1888 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1889 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
1891 if (conn->hcon->out) {
1892 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1894 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1900 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
1902 struct l2cap_chan *chan = conn->smp;
1903 struct smp_chan *smp = chan->data;
1905 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
1907 if (skb->len < sizeof(smp->pcnf))
1908 return SMP_INVALID_PARAMS;
1910 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
1911 skb_pull(skb, sizeof(smp->pcnf));
1913 if (test_bit(SMP_FLAG_SC, &smp->flags))
1914 return sc_check_confirm(smp);
1916 if (conn->hcon->out) {
1917 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1919 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1923 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1924 return smp_confirm(smp);
1926 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1931 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
1933 struct l2cap_chan *chan = conn->smp;
1934 struct smp_chan *smp = chan->data;
1935 struct hci_conn *hcon = conn->hcon;
1936 u8 *pkax, *pkbx, *na, *nb;
1940 BT_DBG("conn %p", conn);
1942 if (skb->len < sizeof(smp->rrnd))
1943 return SMP_INVALID_PARAMS;
1945 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
1946 skb_pull(skb, sizeof(smp->rrnd));
1948 if (!test_bit(SMP_FLAG_SC, &smp->flags))
1949 return smp_random(smp);
1952 pkax = smp->local_pk;
1953 pkbx = smp->remote_pk;
1957 pkax = smp->remote_pk;
1958 pkbx = smp->local_pk;
1963 if (smp->method == REQ_OOB) {
1965 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1966 sizeof(smp->prnd), smp->prnd);
1967 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1968 goto mackey_and_ltk;
1971 /* Passkey entry has special treatment */
1972 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1973 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
1978 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1981 return SMP_UNSPECIFIED;
1983 if (memcmp(smp->pcnf, cfm, 16))
1984 return SMP_CONFIRM_FAILED;
1986 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1988 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1992 /* Generate MacKey and LTK */
1993 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
1995 return SMP_UNSPECIFIED;
1997 if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
1999 sc_dhkey_check(smp);
2000 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2005 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2007 return SMP_UNSPECIFIED;
2009 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2010 hcon->dst_type, passkey, 0);
2012 return SMP_UNSPECIFIED;
2014 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2019 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2021 struct smp_ltk *key;
2022 struct hci_conn *hcon = conn->hcon;
2024 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2028 if (smp_ltk_sec_level(key) < sec_level)
2031 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2034 hci_le_start_enc(hcon, key->ediv, key->rand, key->val);
2035 hcon->enc_key_size = key->enc_size;
2037 /* We never store STKs for master role, so clear this flag */
2038 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2043 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2044 enum smp_key_pref key_pref)
2046 if (sec_level == BT_SECURITY_LOW)
2049 /* If we're encrypted with an STK but the caller prefers using
2050 * LTK claim insufficient security. This way we allow the
2051 * connection to be re-encrypted with an LTK, even if the LTK
2052 * provides the same level of security. Only exception is if we
2053 * don't have an LTK (e.g. because of key distribution bits).
2055 if (key_pref == SMP_USE_LTK &&
2056 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2057 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2060 if (hcon->sec_level >= sec_level)
2066 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2068 struct smp_cmd_security_req *rp = (void *) skb->data;
2069 struct smp_cmd_pairing cp;
2070 struct hci_conn *hcon = conn->hcon;
2071 struct hci_dev *hdev = hcon->hdev;
2072 struct smp_chan *smp;
2075 BT_DBG("conn %p", conn);
2077 if (skb->len < sizeof(*rp))
2078 return SMP_INVALID_PARAMS;
2080 if (hcon->role != HCI_ROLE_MASTER)
2081 return SMP_CMD_NOTSUPP;
2083 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2085 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
2086 return SMP_AUTH_REQUIREMENTS;
2088 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2089 sec_level = BT_SECURITY_MEDIUM;
2091 sec_level = authreq_to_seclevel(auth);
2093 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2096 if (sec_level > hcon->pending_sec_level)
2097 hcon->pending_sec_level = sec_level;
2099 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2102 smp = smp_chan_create(conn);
2104 return SMP_UNSPECIFIED;
2106 if (!test_bit(HCI_BONDABLE, &hcon->hdev->dev_flags) &&
2107 (auth & SMP_AUTH_BONDING))
2108 return SMP_PAIRING_NOTSUPP;
2110 skb_pull(skb, sizeof(*rp));
2112 memset(&cp, 0, sizeof(cp));
2113 build_pairing_cmd(conn, &cp, NULL, auth);
2115 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2116 memcpy(&smp->preq[1], &cp, sizeof(cp));
2118 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2119 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2124 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2126 struct l2cap_conn *conn = hcon->l2cap_data;
2127 struct l2cap_chan *chan;
2128 struct smp_chan *smp;
2132 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2134 /* This may be NULL if there's an unexpected disconnection */
2140 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags))
2143 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2146 if (sec_level > hcon->pending_sec_level)
2147 hcon->pending_sec_level = sec_level;
2149 if (hcon->role == HCI_ROLE_MASTER)
2150 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2153 l2cap_chan_lock(chan);
2155 /* If SMP is already in progress ignore this request */
2161 smp = smp_chan_create(conn);
2167 authreq = seclevel_to_authreq(sec_level);
2169 if (test_bit(HCI_SC_ENABLED, &hcon->hdev->dev_flags))
2170 authreq |= SMP_AUTH_SC;
2172 /* Require MITM if IO Capability allows or the security level
2175 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2176 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2177 authreq |= SMP_AUTH_MITM;
2179 if (hcon->role == HCI_ROLE_MASTER) {
2180 struct smp_cmd_pairing cp;
2182 build_pairing_cmd(conn, &cp, NULL, authreq);
2183 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2184 memcpy(&smp->preq[1], &cp, sizeof(cp));
2186 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2187 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2189 struct smp_cmd_security_req cp;
2190 cp.auth_req = authreq;
2191 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2192 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2195 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2199 l2cap_chan_unlock(chan);
2203 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2205 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2206 struct l2cap_chan *chan = conn->smp;
2207 struct smp_chan *smp = chan->data;
2209 BT_DBG("conn %p", conn);
2211 if (skb->len < sizeof(*rp))
2212 return SMP_INVALID_PARAMS;
2214 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2216 skb_pull(skb, sizeof(*rp));
2218 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2223 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2225 struct smp_cmd_master_ident *rp = (void *) skb->data;
2226 struct l2cap_chan *chan = conn->smp;
2227 struct smp_chan *smp = chan->data;
2228 struct hci_dev *hdev = conn->hcon->hdev;
2229 struct hci_conn *hcon = conn->hcon;
2230 struct smp_ltk *ltk;
2233 BT_DBG("conn %p", conn);
2235 if (skb->len < sizeof(*rp))
2236 return SMP_INVALID_PARAMS;
2238 /* Mark the information as received */
2239 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2241 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2242 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2243 else if (smp->remote_key_dist & SMP_DIST_SIGN)
2244 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2246 skb_pull(skb, sizeof(*rp));
2248 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2249 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2250 authenticated, smp->tk, smp->enc_key_size,
2251 rp->ediv, rp->rand);
2253 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2254 smp_distribute_keys(smp);
2259 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2261 struct smp_cmd_ident_info *info = (void *) skb->data;
2262 struct l2cap_chan *chan = conn->smp;
2263 struct smp_chan *smp = chan->data;
2267 if (skb->len < sizeof(*info))
2268 return SMP_INVALID_PARAMS;
2270 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2272 skb_pull(skb, sizeof(*info));
2274 memcpy(smp->irk, info->irk, 16);
2279 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2280 struct sk_buff *skb)
2282 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2283 struct l2cap_chan *chan = conn->smp;
2284 struct smp_chan *smp = chan->data;
2285 struct hci_conn *hcon = conn->hcon;
2290 if (skb->len < sizeof(*info))
2291 return SMP_INVALID_PARAMS;
2293 /* Mark the information as received */
2294 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2296 if (smp->remote_key_dist & SMP_DIST_SIGN)
2297 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2299 skb_pull(skb, sizeof(*info));
2301 /* Strictly speaking the Core Specification (4.1) allows sending
2302 * an empty address which would force us to rely on just the IRK
2303 * as "identity information". However, since such
2304 * implementations are not known of and in order to not over
2305 * complicate our implementation, simply pretend that we never
2306 * received an IRK for such a device.
2308 if (!bacmp(&info->bdaddr, BDADDR_ANY)) {
2309 BT_ERR("Ignoring IRK with no identity address");
2313 bacpy(&smp->id_addr, &info->bdaddr);
2314 smp->id_addr_type = info->addr_type;
2316 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2317 bacpy(&rpa, &hcon->dst);
2319 bacpy(&rpa, BDADDR_ANY);
2321 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2322 smp->id_addr_type, smp->irk, &rpa);
2325 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2326 smp_distribute_keys(smp);
2331 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2333 struct smp_cmd_sign_info *rp = (void *) skb->data;
2334 struct l2cap_chan *chan = conn->smp;
2335 struct smp_chan *smp = chan->data;
2336 struct smp_csrk *csrk;
2338 BT_DBG("conn %p", conn);
2340 if (skb->len < sizeof(*rp))
2341 return SMP_INVALID_PARAMS;
2343 /* Mark the information as received */
2344 smp->remote_key_dist &= ~SMP_DIST_SIGN;
2346 skb_pull(skb, sizeof(*rp));
2348 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2350 csrk->master = 0x01;
2351 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2354 smp_distribute_keys(smp);
2359 static u8 sc_select_method(struct smp_chan *smp)
2361 struct l2cap_conn *conn = smp->conn;
2362 struct hci_conn *hcon = conn->hcon;
2363 struct smp_cmd_pairing *local, *remote;
2364 u8 local_mitm, remote_mitm, local_io, remote_io, method;
2366 if (test_bit(SMP_FLAG_OOB, &smp->flags))
2369 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2370 * which are needed as inputs to some crypto functions. To get
2371 * the "struct smp_cmd_pairing" from them we need to skip the
2372 * first byte which contains the opcode.
2375 local = (void *) &smp->preq[1];
2376 remote = (void *) &smp->prsp[1];
2378 local = (void *) &smp->prsp[1];
2379 remote = (void *) &smp->preq[1];
2382 local_io = local->io_capability;
2383 remote_io = remote->io_capability;
2385 local_mitm = (local->auth_req & SMP_AUTH_MITM);
2386 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2388 /* If either side wants MITM, look up the method from the table,
2389 * otherwise use JUST WORKS.
2391 if (local_mitm || remote_mitm)
2392 method = get_auth_method(smp, local_io, remote_io);
2394 method = JUST_WORKS;
2396 /* Don't confirm locally initiated pairing attempts */
2397 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2398 method = JUST_WORKS;
2403 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2405 struct smp_cmd_public_key *key = (void *) skb->data;
2406 struct hci_conn *hcon = conn->hcon;
2407 struct l2cap_chan *chan = conn->smp;
2408 struct smp_chan *smp = chan->data;
2409 struct hci_dev *hdev = hcon->hdev;
2410 struct smp_cmd_pairing_confirm cfm;
2413 BT_DBG("conn %p", conn);
2415 if (skb->len < sizeof(*key))
2416 return SMP_INVALID_PARAMS;
2418 memcpy(smp->remote_pk, key, 64);
2420 /* Non-initiating device sends its public key after receiving
2421 * the key from the initiating device.
2424 err = sc_send_public_key(smp);
2429 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2430 SMP_DBG("Remote Public Key Y: %32phN", &smp->remote_pk[32]);
2432 if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2433 return SMP_UNSPECIFIED;
2435 SMP_DBG("DHKey %32phN", smp->dhkey);
2437 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2439 smp->method = sc_select_method(smp);
2441 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2443 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2444 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2445 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2447 hcon->pending_sec_level = BT_SECURITY_FIPS;
2449 if (!memcmp(debug_pk, smp->remote_pk, 64))
2450 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2452 if (smp->method == DSP_PASSKEY) {
2453 get_random_bytes(&hcon->passkey_notify,
2454 sizeof(hcon->passkey_notify));
2455 hcon->passkey_notify %= 1000000;
2456 hcon->passkey_entered = 0;
2457 smp->passkey_round = 0;
2458 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2460 hcon->passkey_notify,
2461 hcon->passkey_entered))
2462 return SMP_UNSPECIFIED;
2463 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2464 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2467 if (smp->method == REQ_OOB) {
2468 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2469 smp->rr, 0, cfm.confirm_val);
2471 return SMP_UNSPECIFIED;
2473 if (memcmp(cfm.confirm_val, smp->pcnf, 16))
2474 return SMP_CONFIRM_FAILED;
2477 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2478 sizeof(smp->prnd), smp->prnd);
2480 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2486 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2488 if (smp->method == REQ_PASSKEY) {
2489 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2491 return SMP_UNSPECIFIED;
2492 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2493 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2497 /* The Initiating device waits for the non-initiating device to
2498 * send the confirm value.
2500 if (conn->hcon->out)
2503 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2504 0, cfm.confirm_val);
2506 return SMP_UNSPECIFIED;
2508 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2509 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2514 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2516 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2517 struct l2cap_chan *chan = conn->smp;
2518 struct hci_conn *hcon = conn->hcon;
2519 struct smp_chan *smp = chan->data;
2520 u8 a[7], b[7], *local_addr, *remote_addr;
2521 u8 io_cap[3], r[16], e[16];
2524 BT_DBG("conn %p", conn);
2526 if (skb->len < sizeof(*check))
2527 return SMP_INVALID_PARAMS;
2529 memcpy(a, &hcon->init_addr, 6);
2530 memcpy(b, &hcon->resp_addr, 6);
2531 a[6] = hcon->init_addr_type;
2532 b[6] = hcon->resp_addr_type;
2537 memcpy(io_cap, &smp->prsp[1], 3);
2541 memcpy(io_cap, &smp->preq[1], 3);
2544 memset(r, 0, sizeof(r));
2546 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2547 put_unaligned_le32(hcon->passkey_notify, r);
2549 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2550 io_cap, remote_addr, local_addr, e);
2552 return SMP_UNSPECIFIED;
2554 if (memcmp(check->e, e, 16))
2555 return SMP_DHKEY_CHECK_FAILED;
2558 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2559 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2563 /* Slave sends DHKey check as response to master */
2564 sc_dhkey_check(smp);
2570 hci_le_start_enc(hcon, 0, 0, smp->tk);
2571 hcon->enc_key_size = smp->enc_key_size;
2577 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2578 struct sk_buff *skb)
2580 struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2582 BT_DBG("value 0x%02x", kp->value);
2587 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2589 struct l2cap_conn *conn = chan->conn;
2590 struct hci_conn *hcon = conn->hcon;
2591 struct smp_chan *smp;
2598 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags)) {
2599 reason = SMP_PAIRING_NOTSUPP;
2603 code = skb->data[0];
2604 skb_pull(skb, sizeof(code));
2608 if (code > SMP_CMD_MAX)
2611 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2614 /* If we don't have a context the only allowed commands are
2615 * pairing request and security request.
2617 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2621 case SMP_CMD_PAIRING_REQ:
2622 reason = smp_cmd_pairing_req(conn, skb);
2625 case SMP_CMD_PAIRING_FAIL:
2626 smp_failure(conn, 0);
2630 case SMP_CMD_PAIRING_RSP:
2631 reason = smp_cmd_pairing_rsp(conn, skb);
2634 case SMP_CMD_SECURITY_REQ:
2635 reason = smp_cmd_security_req(conn, skb);
2638 case SMP_CMD_PAIRING_CONFIRM:
2639 reason = smp_cmd_pairing_confirm(conn, skb);
2642 case SMP_CMD_PAIRING_RANDOM:
2643 reason = smp_cmd_pairing_random(conn, skb);
2646 case SMP_CMD_ENCRYPT_INFO:
2647 reason = smp_cmd_encrypt_info(conn, skb);
2650 case SMP_CMD_MASTER_IDENT:
2651 reason = smp_cmd_master_ident(conn, skb);
2654 case SMP_CMD_IDENT_INFO:
2655 reason = smp_cmd_ident_info(conn, skb);
2658 case SMP_CMD_IDENT_ADDR_INFO:
2659 reason = smp_cmd_ident_addr_info(conn, skb);
2662 case SMP_CMD_SIGN_INFO:
2663 reason = smp_cmd_sign_info(conn, skb);
2666 case SMP_CMD_PUBLIC_KEY:
2667 reason = smp_cmd_public_key(conn, skb);
2670 case SMP_CMD_DHKEY_CHECK:
2671 reason = smp_cmd_dhkey_check(conn, skb);
2674 case SMP_CMD_KEYPRESS_NOTIFY:
2675 reason = smp_cmd_keypress_notify(conn, skb);
2679 BT_DBG("Unknown command code 0x%2.2x", code);
2680 reason = SMP_CMD_NOTSUPP;
2687 smp_failure(conn, reason);
2694 BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2700 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2702 struct l2cap_conn *conn = chan->conn;
2704 BT_DBG("chan %p", chan);
2707 smp_chan_destroy(conn);
2710 l2cap_chan_put(chan);
2713 static void bredr_pairing(struct l2cap_chan *chan)
2715 struct l2cap_conn *conn = chan->conn;
2716 struct hci_conn *hcon = conn->hcon;
2717 struct hci_dev *hdev = hcon->hdev;
2718 struct smp_cmd_pairing req;
2719 struct smp_chan *smp;
2721 BT_DBG("chan %p", chan);
2723 /* Only new pairings are interesting */
2724 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2727 /* Don't bother if we're not encrypted */
2728 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2731 /* Only master may initiate SMP over BR/EDR */
2732 if (hcon->role != HCI_ROLE_MASTER)
2735 /* Secure Connections support must be enabled */
2736 if (!test_bit(HCI_SC_ENABLED, &hdev->dev_flags))
2739 /* BR/EDR must use Secure Connections for SMP */
2740 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
2741 !test_bit(HCI_FORCE_LESC, &hdev->dbg_flags))
2744 /* If our LE support is not enabled don't do anything */
2745 if (!test_bit(HCI_LE_ENABLED, &hdev->dev_flags))
2748 /* Don't bother if remote LE support is not enabled */
2749 if (!lmp_host_le_capable(hcon))
2752 /* Remote must support SMP fixed chan for BR/EDR */
2753 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
2756 /* Don't bother if SMP is already ongoing */
2760 smp = smp_chan_create(conn);
2762 BT_ERR("%s unable to create SMP context for BR/EDR",
2767 set_bit(SMP_FLAG_SC, &smp->flags);
2769 BT_DBG("%s starting SMP over BR/EDR", hdev->name);
2771 /* Prepare and send the BR/EDR SMP Pairing Request */
2772 build_bredr_pairing_cmd(smp, &req, NULL);
2774 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2775 memcpy(&smp->preq[1], &req, sizeof(req));
2777 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
2778 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2781 static void smp_resume_cb(struct l2cap_chan *chan)
2783 struct smp_chan *smp = chan->data;
2784 struct l2cap_conn *conn = chan->conn;
2785 struct hci_conn *hcon = conn->hcon;
2787 BT_DBG("chan %p", chan);
2789 if (hcon->type == ACL_LINK) {
2790 bredr_pairing(chan);
2797 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2800 cancel_delayed_work(&smp->security_timer);
2802 smp_distribute_keys(smp);
2805 static void smp_ready_cb(struct l2cap_chan *chan)
2807 struct l2cap_conn *conn = chan->conn;
2808 struct hci_conn *hcon = conn->hcon;
2810 BT_DBG("chan %p", chan);
2813 l2cap_chan_hold(chan);
2815 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2816 bredr_pairing(chan);
2819 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
2823 BT_DBG("chan %p", chan);
2825 err = smp_sig_channel(chan, skb);
2827 struct smp_chan *smp = chan->data;
2830 cancel_delayed_work_sync(&smp->security_timer);
2832 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
2838 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
2839 unsigned long hdr_len,
2840 unsigned long len, int nb)
2842 struct sk_buff *skb;
2844 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
2846 return ERR_PTR(-ENOMEM);
2848 skb->priority = HCI_PRIO_MAX;
2849 bt_cb(skb)->chan = chan;
2854 static const struct l2cap_ops smp_chan_ops = {
2855 .name = "Security Manager",
2856 .ready = smp_ready_cb,
2857 .recv = smp_recv_cb,
2858 .alloc_skb = smp_alloc_skb_cb,
2859 .teardown = smp_teardown_cb,
2860 .resume = smp_resume_cb,
2862 .new_connection = l2cap_chan_no_new_connection,
2863 .state_change = l2cap_chan_no_state_change,
2864 .close = l2cap_chan_no_close,
2865 .defer = l2cap_chan_no_defer,
2866 .suspend = l2cap_chan_no_suspend,
2867 .set_shutdown = l2cap_chan_no_set_shutdown,
2868 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
2871 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
2873 struct l2cap_chan *chan;
2875 BT_DBG("pchan %p", pchan);
2877 chan = l2cap_chan_create();
2881 chan->chan_type = pchan->chan_type;
2882 chan->ops = &smp_chan_ops;
2883 chan->scid = pchan->scid;
2884 chan->dcid = chan->scid;
2885 chan->imtu = pchan->imtu;
2886 chan->omtu = pchan->omtu;
2887 chan->mode = pchan->mode;
2889 /* Other L2CAP channels may request SMP routines in order to
2890 * change the security level. This means that the SMP channel
2891 * lock must be considered in its own category to avoid lockdep
2894 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
2896 BT_DBG("created chan %p", chan);
2901 static const struct l2cap_ops smp_root_chan_ops = {
2902 .name = "Security Manager Root",
2903 .new_connection = smp_new_conn_cb,
2905 /* None of these are implemented for the root channel */
2906 .close = l2cap_chan_no_close,
2907 .alloc_skb = l2cap_chan_no_alloc_skb,
2908 .recv = l2cap_chan_no_recv,
2909 .state_change = l2cap_chan_no_state_change,
2910 .teardown = l2cap_chan_no_teardown,
2911 .ready = l2cap_chan_no_ready,
2912 .defer = l2cap_chan_no_defer,
2913 .suspend = l2cap_chan_no_suspend,
2914 .resume = l2cap_chan_no_resume,
2915 .set_shutdown = l2cap_chan_no_set_shutdown,
2916 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
2919 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
2921 struct l2cap_chan *chan;
2922 struct crypto_blkcipher *tfm_aes;
2924 if (cid == L2CAP_CID_SMP_BREDR) {
2929 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, 0);
2930 if (IS_ERR(tfm_aes)) {
2931 BT_ERR("Unable to create crypto context");
2932 return ERR_CAST(tfm_aes);
2936 chan = l2cap_chan_create();
2938 crypto_free_blkcipher(tfm_aes);
2939 return ERR_PTR(-ENOMEM);
2942 chan->data = tfm_aes;
2944 l2cap_add_scid(chan, cid);
2946 l2cap_chan_set_defaults(chan);
2948 bacpy(&chan->src, &hdev->bdaddr);
2949 if (cid == L2CAP_CID_SMP)
2950 chan->src_type = BDADDR_LE_PUBLIC;
2952 chan->src_type = BDADDR_BREDR;
2953 chan->state = BT_LISTEN;
2954 chan->mode = L2CAP_MODE_BASIC;
2955 chan->imtu = L2CAP_DEFAULT_MTU;
2956 chan->ops = &smp_root_chan_ops;
2958 /* Set correct nesting level for a parent/listening channel */
2959 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
2964 static void smp_del_chan(struct l2cap_chan *chan)
2966 struct crypto_blkcipher *tfm_aes;
2968 BT_DBG("chan %p", chan);
2970 tfm_aes = chan->data;
2973 crypto_free_blkcipher(tfm_aes);
2976 l2cap_chan_put(chan);
2979 int smp_register(struct hci_dev *hdev)
2981 struct l2cap_chan *chan;
2983 BT_DBG("%s", hdev->name);
2985 chan = smp_add_cid(hdev, L2CAP_CID_SMP);
2987 return PTR_ERR(chan);
2989 hdev->smp_data = chan;
2991 if (!lmp_sc_capable(hdev) &&
2992 !test_bit(HCI_FORCE_LESC, &hdev->dbg_flags))
2995 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
2997 int err = PTR_ERR(chan);
2998 chan = hdev->smp_data;
2999 hdev->smp_data = NULL;
3004 hdev->smp_bredr_data = chan;
3009 void smp_unregister(struct hci_dev *hdev)
3011 struct l2cap_chan *chan;
3013 if (hdev->smp_bredr_data) {
3014 chan = hdev->smp_bredr_data;
3015 hdev->smp_bredr_data = NULL;
3019 if (hdev->smp_data) {
3020 chan = hdev->smp_data;
3021 hdev->smp_data = NULL;
3026 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3028 static int __init test_ah(struct crypto_blkcipher *tfm_aes)
3030 const u8 irk[16] = {
3031 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3032 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3033 const u8 r[3] = { 0x94, 0x81, 0x70 };
3034 const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3038 err = smp_ah(tfm_aes, irk, r, res);
3042 if (memcmp(res, exp, 3))
3048 static int __init test_c1(struct crypto_blkcipher *tfm_aes)
3051 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3052 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3054 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3055 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3056 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3057 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3058 const u8 _iat = 0x01;
3059 const u8 _rat = 0x00;
3060 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3061 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3062 const u8 exp[16] = {
3063 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3064 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3068 err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3072 if (memcmp(res, exp, 16))
3078 static int __init test_s1(struct crypto_blkcipher *tfm_aes)
3081 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3082 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3084 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3086 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3087 const u8 exp[16] = {
3088 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3089 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3093 err = smp_s1(tfm_aes, k, r1, r2, res);
3097 if (memcmp(res, exp, 16))
3103 static int __init test_f4(struct crypto_hash *tfm_cmac)
3106 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3107 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3108 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3109 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3111 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3112 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3113 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3114 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3116 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3117 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3119 const u8 exp[16] = {
3120 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3121 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3125 err = smp_f4(tfm_cmac, u, v, x, z, res);
3129 if (memcmp(res, exp, 16))
3135 static int __init test_f5(struct crypto_hash *tfm_cmac)
3138 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3139 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3140 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3141 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3143 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3144 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3146 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3147 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3148 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3149 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3150 const u8 exp_ltk[16] = {
3151 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3152 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3153 const u8 exp_mackey[16] = {
3154 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3155 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3156 u8 mackey[16], ltk[16];
3159 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3163 if (memcmp(mackey, exp_mackey, 16))
3166 if (memcmp(ltk, exp_ltk, 16))
3172 static int __init test_f6(struct crypto_hash *tfm_cmac)
3175 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3176 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3178 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3179 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3181 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3182 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3184 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3185 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3186 const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3187 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3188 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3189 const u8 exp[16] = {
3190 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3191 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3195 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3199 if (memcmp(res, exp, 16))
3205 static int __init test_g2(struct crypto_hash *tfm_cmac)
3208 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3209 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3210 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3211 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3213 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3214 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3215 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3216 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3218 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3219 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3221 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3222 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3223 const u32 exp_val = 0x2f9ed5ba % 1000000;
3227 err = smp_g2(tfm_cmac, u, v, x, y, &val);
3237 static int __init test_h6(struct crypto_hash *tfm_cmac)
3240 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3241 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3242 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3243 const u8 exp[16] = {
3244 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3245 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3249 err = smp_h6(tfm_cmac, w, key_id, res);
3253 if (memcmp(res, exp, 16))
3259 static int __init run_selftests(struct crypto_blkcipher *tfm_aes,
3260 struct crypto_hash *tfm_cmac)
3262 ktime_t calltime, delta, rettime;
3263 unsigned long long duration;
3266 calltime = ktime_get();
3268 err = test_ah(tfm_aes);
3270 BT_ERR("smp_ah test failed");
3274 err = test_c1(tfm_aes);
3276 BT_ERR("smp_c1 test failed");
3280 err = test_s1(tfm_aes);
3282 BT_ERR("smp_s1 test failed");
3286 err = test_f4(tfm_cmac);
3288 BT_ERR("smp_f4 test failed");
3292 err = test_f5(tfm_cmac);
3294 BT_ERR("smp_f5 test failed");
3298 err = test_f6(tfm_cmac);
3300 BT_ERR("smp_f6 test failed");
3304 err = test_g2(tfm_cmac);
3306 BT_ERR("smp_g2 test failed");
3310 err = test_h6(tfm_cmac);
3312 BT_ERR("smp_h6 test failed");
3316 rettime = ktime_get();
3317 delta = ktime_sub(rettime, calltime);
3318 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3320 BT_INFO("SMP test passed in %lld usecs", duration);
3325 int __init bt_selftest_smp(void)
3327 struct crypto_blkcipher *tfm_aes;
3328 struct crypto_hash *tfm_cmac;
3331 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
3332 if (IS_ERR(tfm_aes)) {
3333 BT_ERR("Unable to create ECB crypto context");
3334 return PTR_ERR(tfm_aes);
3337 tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3338 if (IS_ERR(tfm_cmac)) {
3339 BT_ERR("Unable to create CMAC crypto context");
3340 crypto_free_blkcipher(tfm_aes);
3341 return PTR_ERR(tfm_cmac);
3344 err = run_selftests(tfm_aes, tfm_cmac);
3346 crypto_free_hash(tfm_cmac);
3347 crypto_free_blkcipher(tfm_aes);