2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
23 #include <linux/crypto.h>
24 #include <linux/scatterlist.h>
25 #include <crypto/b128ops.h>
27 #include <net/bluetooth/bluetooth.h>
28 #include <net/bluetooth/hci_core.h>
29 #include <net/bluetooth/l2cap.h>
30 #include <net/bluetooth/mgmt.h>
35 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
37 /* Keys which are not distributed with Secure Connections */
38 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
40 #define SMP_TIMEOUT msecs_to_jiffies(30000)
42 #define AUTH_REQ_MASK(dev) (test_bit(HCI_SC_ENABLED, &(dev)->dev_flags) ? \
44 #define KEY_DIST_MASK 0x07
46 /* Maximum message length that can be passed to aes_cmac */
47 #define CMAC_MSG_MAX 80
62 struct l2cap_conn *conn;
63 struct delayed_work security_timer;
64 unsigned long allow_cmd; /* Bitmask of allowed commands */
66 u8 preq[7]; /* SMP Pairing Request */
67 u8 prsp[7]; /* SMP Pairing Response */
68 u8 prnd[16]; /* SMP Pairing Random (local) */
69 u8 rrnd[16]; /* SMP Pairing Random (remote) */
70 u8 pcnf[16]; /* SMP Pairing Confirm */
71 u8 tk[16]; /* SMP Temporary Key */
77 struct smp_csrk *csrk;
78 struct smp_csrk *slave_csrk;
80 struct smp_ltk *slave_ltk;
81 struct smp_irk *remote_irk;
87 /* Secure Connections variables */
94 struct crypto_blkcipher *tfm_aes;
95 struct crypto_hash *tfm_cmac;
98 /* These debug key values are defined in the SMP section of the core
99 * specification. debug_pk is the public debug key and debug_sk the
102 static const u8 debug_pk[64] = {
103 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
104 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
105 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
106 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
108 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
109 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
110 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
111 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
114 static const u8 debug_sk[32] = {
115 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
116 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
117 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
118 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
121 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
125 for (i = 0; i < len; i++)
126 dst[len - 1 - i] = src[i];
129 static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m,
130 size_t len, u8 mac[16])
132 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
133 struct hash_desc desc;
134 struct scatterlist sg;
137 if (len > CMAC_MSG_MAX)
141 BT_ERR("tfm %p", tfm);
148 crypto_hash_init(&desc);
150 /* Swap key and message from LSB to MSB */
151 swap_buf(k, tmp, 16);
152 swap_buf(m, msg_msb, len);
154 BT_DBG("msg (len %zu) %*phN", len, (int) len, m);
155 BT_DBG("key %16phN", k);
157 err = crypto_hash_setkey(tfm, tmp, 16);
159 BT_ERR("cipher setkey failed: %d", err);
163 sg_init_one(&sg, msg_msb, len);
165 err = crypto_hash_update(&desc, &sg, len);
167 BT_ERR("Hash update error %d", err);
171 err = crypto_hash_final(&desc, mac_msb);
173 BT_ERR("Hash final error %d", err);
177 swap_buf(mac_msb, mac, 16);
179 BT_DBG("mac %16phN", mac);
184 static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
185 const u8 x[16], u8 z, u8 res[16])
190 BT_DBG("u %32phN", u);
191 BT_DBG("v %32phN", v);
192 BT_DBG("x %16phN z %02x", x, z);
195 memcpy(m + 1, v, 32);
196 memcpy(m + 33, u, 32);
198 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
202 BT_DBG("res %16phN", res);
207 static int smp_f5(struct crypto_hash *tfm_cmac, u8 w[32], u8 n1[16], u8 n2[16],
208 u8 a1[7], u8 a2[7], u8 mackey[16], u8 ltk[16])
210 /* The btle, salt and length "magic" values are as defined in
211 * the SMP section of the Bluetooth core specification. In ASCII
212 * the btle value ends up being 'btle'. The salt is just a
213 * random number whereas length is the value 256 in little
216 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
217 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
218 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
219 const u8 length[2] = { 0x00, 0x01 };
223 BT_DBG("w %32phN", w);
224 BT_DBG("n1 %16phN n2 %16phN", n1, n2);
225 BT_DBG("a1 %7phN a2 %7phN", a1, a2);
227 err = aes_cmac(tfm_cmac, salt, w, 32, t);
231 BT_DBG("t %16phN", t);
233 memcpy(m, length, 2);
234 memcpy(m + 2, a2, 7);
235 memcpy(m + 9, a1, 7);
236 memcpy(m + 16, n2, 16);
237 memcpy(m + 32, n1, 16);
238 memcpy(m + 48, btle, 4);
240 m[52] = 0; /* Counter */
242 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
246 BT_DBG("mackey %16phN", mackey);
248 m[52] = 1; /* Counter */
250 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
254 BT_DBG("ltk %16phN", ltk);
259 static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16],
260 const u8 n1[16], u8 n2[16], const u8 r[16],
261 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
267 BT_DBG("w %16phN", w);
268 BT_DBG("n1 %16phN n2 %16phN", n1, n2);
269 BT_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
272 memcpy(m + 7, a1, 7);
273 memcpy(m + 14, io_cap, 3);
274 memcpy(m + 17, r, 16);
275 memcpy(m + 33, n2, 16);
276 memcpy(m + 49, n1, 16);
278 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
282 BT_DBG("res %16phN", res);
287 static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
288 const u8 x[16], const u8 y[16], u32 *val)
293 BT_DBG("u %32phN", u);
294 BT_DBG("v %32phN", v);
295 BT_DBG("x %16phN y %16phN", x, y);
298 memcpy(m + 16, v, 32);
299 memcpy(m + 48, u, 32);
301 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
305 *val = get_unaligned_le32(tmp);
308 BT_DBG("val %06u", *val);
313 static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
315 struct blkcipher_desc desc;
316 struct scatterlist sg;
317 uint8_t tmp[16], data[16];
321 BT_ERR("tfm %p", tfm);
328 /* The most significant octet of key corresponds to k[0] */
329 swap_buf(k, tmp, 16);
331 err = crypto_blkcipher_setkey(tfm, tmp, 16);
333 BT_ERR("cipher setkey failed: %d", err);
337 /* Most significant octet of plaintextData corresponds to data[0] */
338 swap_buf(r, data, 16);
340 sg_init_one(&sg, data, 16);
342 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
344 BT_ERR("Encrypt data error %d", err);
346 /* Most significant octet of encryptedData corresponds to data[0] */
347 swap_buf(data, r, 16);
352 static int smp_h6(struct crypto_hash *tfm_cmac, const u8 w[16],
353 const u8 key_id[4], u8 res[16])
357 BT_DBG("w %16phN key_id %4phN", w, key_id);
359 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
363 BT_DBG("res %16phN", res);
368 static int smp_ah(struct crypto_blkcipher *tfm, u8 irk[16], u8 r[3], u8 res[3])
373 /* r' = padding || r */
375 memset(_res + 3, 0, 13);
377 err = smp_e(tfm, irk, _res);
379 BT_ERR("Encrypt error");
383 /* The output of the random address function ah is:
384 * ah(h, r) = e(k, r') mod 2^24
385 * The output of the security function e is then truncated to 24 bits
386 * by taking the least significant 24 bits of the output of e as the
389 memcpy(res, _res, 3);
394 bool smp_irk_matches(struct hci_dev *hdev, u8 irk[16], bdaddr_t *bdaddr)
396 struct l2cap_chan *chan = hdev->smp_data;
397 struct crypto_blkcipher *tfm;
401 if (!chan || !chan->data)
406 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
408 err = smp_ah(tfm, irk, &bdaddr->b[3], hash);
412 return !memcmp(bdaddr->b, hash, 3);
415 int smp_generate_rpa(struct hci_dev *hdev, u8 irk[16], bdaddr_t *rpa)
417 struct l2cap_chan *chan = hdev->smp_data;
418 struct crypto_blkcipher *tfm;
421 if (!chan || !chan->data)
426 get_random_bytes(&rpa->b[3], 3);
428 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
429 rpa->b[5] |= 0x40; /* Set second most significant bit */
431 err = smp_ah(tfm, irk, &rpa->b[3], rpa->b);
435 BT_DBG("RPA %pMR", rpa);
440 static int smp_c1(struct crypto_blkcipher *tfm_aes, u8 k[16], u8 r[16],
441 u8 preq[7], u8 pres[7], u8 _iat, bdaddr_t *ia, u8 _rat,
442 bdaddr_t *ra, u8 res[16])
449 /* p1 = pres || preq || _rat || _iat */
452 memcpy(p1 + 2, preq, 7);
453 memcpy(p1 + 9, pres, 7);
455 /* p2 = padding || ia || ra */
457 memcpy(p2 + 6, ia, 6);
458 memset(p2 + 12, 0, 4);
461 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
463 /* res = e(k, res) */
464 err = smp_e(tfm_aes, k, res);
466 BT_ERR("Encrypt data error");
470 /* res = res XOR p2 */
471 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
473 /* res = e(k, res) */
474 err = smp_e(tfm_aes, k, res);
476 BT_ERR("Encrypt data error");
481 static int smp_s1(struct crypto_blkcipher *tfm_aes, u8 k[16], u8 r1[16],
482 u8 r2[16], u8 _r[16])
486 /* Just least significant octets from r1 and r2 are considered */
488 memcpy(_r + 8, r1, 8);
490 err = smp_e(tfm_aes, k, _r);
492 BT_ERR("Encrypt data error");
497 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
499 struct l2cap_chan *chan = conn->smp;
500 struct smp_chan *smp;
507 BT_DBG("code 0x%2.2x", code);
509 iv[0].iov_base = &code;
512 iv[1].iov_base = data;
515 memset(&msg, 0, sizeof(msg));
517 msg.msg_iov = (struct iovec *) &iv;
520 l2cap_chan_send(chan, &msg, 1 + len);
527 cancel_delayed_work_sync(&smp->security_timer);
528 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
531 static u8 authreq_to_seclevel(u8 authreq)
533 if (authreq & SMP_AUTH_MITM) {
534 if (authreq & SMP_AUTH_SC)
535 return BT_SECURITY_FIPS;
537 return BT_SECURITY_HIGH;
539 return BT_SECURITY_MEDIUM;
543 static __u8 seclevel_to_authreq(__u8 sec_level)
546 case BT_SECURITY_FIPS:
547 case BT_SECURITY_HIGH:
548 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
549 case BT_SECURITY_MEDIUM:
550 return SMP_AUTH_BONDING;
552 return SMP_AUTH_NONE;
556 static void build_pairing_cmd(struct l2cap_conn *conn,
557 struct smp_cmd_pairing *req,
558 struct smp_cmd_pairing *rsp, __u8 authreq)
560 struct l2cap_chan *chan = conn->smp;
561 struct smp_chan *smp = chan->data;
562 struct hci_conn *hcon = conn->hcon;
563 struct hci_dev *hdev = hcon->hdev;
564 u8 local_dist = 0, remote_dist = 0;
566 if (test_bit(HCI_BONDABLE, &conn->hcon->hdev->dev_flags)) {
567 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
568 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
569 authreq |= SMP_AUTH_BONDING;
571 authreq &= ~SMP_AUTH_BONDING;
574 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
575 remote_dist |= SMP_DIST_ID_KEY;
577 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
578 local_dist |= SMP_DIST_ID_KEY;
580 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags)) {
581 if ((authreq & SMP_AUTH_SC) &&
582 test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
583 local_dist |= SMP_DIST_LINK_KEY;
584 remote_dist |= SMP_DIST_LINK_KEY;
587 authreq &= ~SMP_AUTH_SC;
591 req->io_capability = conn->hcon->io_capability;
592 req->oob_flag = SMP_OOB_NOT_PRESENT;
593 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
594 req->init_key_dist = local_dist;
595 req->resp_key_dist = remote_dist;
596 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
598 smp->remote_key_dist = remote_dist;
602 rsp->io_capability = conn->hcon->io_capability;
603 rsp->oob_flag = SMP_OOB_NOT_PRESENT;
604 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
605 rsp->init_key_dist = req->init_key_dist & remote_dist;
606 rsp->resp_key_dist = req->resp_key_dist & local_dist;
607 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
609 smp->remote_key_dist = rsp->init_key_dist;
612 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
614 struct l2cap_chan *chan = conn->smp;
615 struct smp_chan *smp = chan->data;
617 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
618 (max_key_size < SMP_MIN_ENC_KEY_SIZE))
619 return SMP_ENC_KEY_SIZE;
621 smp->enc_key_size = max_key_size;
626 static void smp_chan_destroy(struct l2cap_conn *conn)
628 struct l2cap_chan *chan = conn->smp;
629 struct smp_chan *smp = chan->data;
634 cancel_delayed_work_sync(&smp->security_timer);
636 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
637 mgmt_smp_complete(conn->hcon, complete);
640 kfree(smp->slave_csrk);
641 kfree(smp->link_key);
643 crypto_free_blkcipher(smp->tfm_aes);
644 crypto_free_hash(smp->tfm_cmac);
646 /* If pairing failed clean up any keys we might have */
649 list_del_rcu(&smp->ltk->list);
650 kfree_rcu(smp->ltk, rcu);
653 if (smp->slave_ltk) {
654 list_del_rcu(&smp->slave_ltk->list);
655 kfree_rcu(smp->slave_ltk, rcu);
658 if (smp->remote_irk) {
659 list_del_rcu(&smp->remote_irk->list);
660 kfree_rcu(smp->remote_irk, rcu);
666 hci_conn_drop(conn->hcon);
669 static void smp_failure(struct l2cap_conn *conn, u8 reason)
671 struct hci_conn *hcon = conn->hcon;
672 struct l2cap_chan *chan = conn->smp;
675 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
678 clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags);
679 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
682 smp_chan_destroy(conn);
685 #define JUST_WORKS 0x00
686 #define JUST_CFM 0x01
687 #define REQ_PASSKEY 0x02
688 #define CFM_PASSKEY 0x03
690 #define DSP_PASSKEY 0x05
693 static const u8 gen_method[5][5] = {
694 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
695 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
696 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
697 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
698 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
701 static const u8 sc_method[5][5] = {
702 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
703 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
704 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
705 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
706 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
709 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
711 /* If either side has unknown io_caps, use JUST_CFM (which gets
712 * converted later to JUST_WORKS if we're initiators.
714 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
715 remote_io > SMP_IO_KEYBOARD_DISPLAY)
718 if (test_bit(SMP_FLAG_SC, &smp->flags))
719 return sc_method[remote_io][local_io];
721 return gen_method[remote_io][local_io];
724 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
725 u8 local_io, u8 remote_io)
727 struct hci_conn *hcon = conn->hcon;
728 struct l2cap_chan *chan = conn->smp;
729 struct smp_chan *smp = chan->data;
733 /* Initialize key for JUST WORKS */
734 memset(smp->tk, 0, sizeof(smp->tk));
735 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
737 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
739 /* If neither side wants MITM, either "just" confirm an incoming
740 * request or use just-works for outgoing ones. The JUST_CFM
741 * will be converted to JUST_WORKS if necessary later in this
742 * function. If either side has MITM look up the method from the
745 if (!(auth & SMP_AUTH_MITM))
746 smp->method = JUST_CFM;
748 smp->method = get_auth_method(smp, local_io, remote_io);
750 /* Don't confirm locally initiated pairing attempts */
751 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
753 smp->method = JUST_WORKS;
755 /* Don't bother user space with no IO capabilities */
756 if (smp->method == JUST_CFM &&
757 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
758 smp->method = JUST_WORKS;
760 /* If Just Works, Continue with Zero TK */
761 if (smp->method == JUST_WORKS) {
762 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
766 /* Not Just Works/Confirm results in MITM Authentication */
767 if (smp->method != JUST_CFM) {
768 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
769 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
770 hcon->pending_sec_level = BT_SECURITY_HIGH;
773 /* If both devices have Keyoard-Display I/O, the master
774 * Confirms and the slave Enters the passkey.
776 if (smp->method == OVERLAP) {
777 if (hcon->role == HCI_ROLE_MASTER)
778 smp->method = CFM_PASSKEY;
780 smp->method = REQ_PASSKEY;
783 /* Generate random passkey. */
784 if (smp->method == CFM_PASSKEY) {
785 memset(smp->tk, 0, sizeof(smp->tk));
786 get_random_bytes(&passkey, sizeof(passkey));
788 put_unaligned_le32(passkey, smp->tk);
789 BT_DBG("PassKey: %d", passkey);
790 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
793 if (smp->method == REQ_PASSKEY)
794 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
795 hcon->type, hcon->dst_type);
796 else if (smp->method == JUST_CFM)
797 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
798 hcon->type, hcon->dst_type,
801 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
802 hcon->type, hcon->dst_type,
808 static u8 smp_confirm(struct smp_chan *smp)
810 struct l2cap_conn *conn = smp->conn;
811 struct smp_cmd_pairing_confirm cp;
814 BT_DBG("conn %p", conn);
816 ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
817 conn->hcon->init_addr_type, &conn->hcon->init_addr,
818 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
821 return SMP_UNSPECIFIED;
823 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
825 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
828 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
830 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
835 static u8 smp_random(struct smp_chan *smp)
837 struct l2cap_conn *conn = smp->conn;
838 struct hci_conn *hcon = conn->hcon;
842 if (IS_ERR_OR_NULL(smp->tfm_aes))
843 return SMP_UNSPECIFIED;
845 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
847 ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
848 hcon->init_addr_type, &hcon->init_addr,
849 hcon->resp_addr_type, &hcon->resp_addr, confirm);
851 return SMP_UNSPECIFIED;
853 if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
854 BT_ERR("Pairing failed (confirmation values mismatch)");
855 return SMP_CONFIRM_FAILED;
863 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
865 memset(stk + smp->enc_key_size, 0,
866 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
868 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
869 return SMP_UNSPECIFIED;
871 hci_le_start_enc(hcon, ediv, rand, stk);
872 hcon->enc_key_size = smp->enc_key_size;
873 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
879 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
882 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
884 memset(stk + smp->enc_key_size, 0,
885 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
887 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
892 /* Even though there's no _SLAVE suffix this is the
893 * slave STK we're adding for later lookup (the master
894 * STK never needs to be stored).
896 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
897 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
903 static void smp_notify_keys(struct l2cap_conn *conn)
905 struct l2cap_chan *chan = conn->smp;
906 struct smp_chan *smp = chan->data;
907 struct hci_conn *hcon = conn->hcon;
908 struct hci_dev *hdev = hcon->hdev;
909 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
910 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
913 if (smp->remote_irk) {
914 mgmt_new_irk(hdev, smp->remote_irk);
915 /* Now that user space can be considered to know the
916 * identity address track the connection based on it
919 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
920 hcon->dst_type = smp->remote_irk->addr_type;
921 queue_work(hdev->workqueue, &conn->id_addr_update_work);
923 /* When receiving an indentity resolving key for
924 * a remote device that does not use a resolvable
925 * private address, just remove the key so that
926 * it is possible to use the controller white
929 * Userspace will have been told to not store
930 * this key at this point. So it is safe to
933 if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) {
934 list_del_rcu(&smp->remote_irk->list);
935 kfree_rcu(smp->remote_irk, rcu);
936 smp->remote_irk = NULL;
940 /* The LTKs and CSRKs should be persistent only if both sides
941 * had the bonding bit set in their authentication requests.
943 persistent = !!((req->auth_req & rsp->auth_req) & SMP_AUTH_BONDING);
946 smp->csrk->bdaddr_type = hcon->dst_type;
947 bacpy(&smp->csrk->bdaddr, &hcon->dst);
948 mgmt_new_csrk(hdev, smp->csrk, persistent);
951 if (smp->slave_csrk) {
952 smp->slave_csrk->bdaddr_type = hcon->dst_type;
953 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
954 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
958 smp->ltk->bdaddr_type = hcon->dst_type;
959 bacpy(&smp->ltk->bdaddr, &hcon->dst);
960 mgmt_new_ltk(hdev, smp->ltk, persistent);
963 if (smp->slave_ltk) {
964 smp->slave_ltk->bdaddr_type = hcon->dst_type;
965 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
966 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
970 struct link_key *key;
973 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
974 type = HCI_LK_DEBUG_COMBINATION;
975 else if (hcon->sec_level == BT_SECURITY_FIPS)
976 type = HCI_LK_AUTH_COMBINATION_P256;
978 type = HCI_LK_UNAUTH_COMBINATION_P256;
980 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
981 smp->link_key, type, 0, &persistent);
983 mgmt_new_link_key(hdev, key, persistent);
985 /* Don't keep debug keys around if the relevant
988 if (!test_bit(HCI_KEEP_DEBUG_KEYS, &hdev->dev_flags) &&
989 key->type == HCI_LK_DEBUG_COMBINATION) {
990 list_del_rcu(&key->list);
997 static void sc_generate_link_key(struct smp_chan *smp)
999 /* These constants are as specified in the core specification.
1000 * In ASCII they spell out to 'tmp1' and 'lebr'.
1002 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1003 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1005 smp->link_key = kzalloc(16, GFP_KERNEL);
1009 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1010 kfree(smp->link_key);
1011 smp->link_key = NULL;
1015 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1016 kfree(smp->link_key);
1017 smp->link_key = NULL;
1022 static void smp_allow_key_dist(struct smp_chan *smp)
1024 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1025 * will be allowed in each PDU handler to ensure we receive
1026 * them in the correct order.
1028 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1029 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1030 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1031 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1032 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1033 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1036 static void smp_distribute_keys(struct smp_chan *smp)
1038 struct smp_cmd_pairing *req, *rsp;
1039 struct l2cap_conn *conn = smp->conn;
1040 struct hci_conn *hcon = conn->hcon;
1041 struct hci_dev *hdev = hcon->hdev;
1044 BT_DBG("conn %p", conn);
1046 rsp = (void *) &smp->prsp[1];
1048 /* The responder sends its keys first */
1049 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1050 smp_allow_key_dist(smp);
1054 req = (void *) &smp->preq[1];
1057 keydist = &rsp->init_key_dist;
1058 *keydist &= req->init_key_dist;
1060 keydist = &rsp->resp_key_dist;
1061 *keydist &= req->resp_key_dist;
1064 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1065 if (*keydist & SMP_DIST_LINK_KEY)
1066 sc_generate_link_key(smp);
1068 /* Clear the keys which are generated but not distributed */
1069 *keydist &= ~SMP_SC_NO_DIST;
1072 BT_DBG("keydist 0x%x", *keydist);
1074 if (*keydist & SMP_DIST_ENC_KEY) {
1075 struct smp_cmd_encrypt_info enc;
1076 struct smp_cmd_master_ident ident;
1077 struct smp_ltk *ltk;
1082 get_random_bytes(enc.ltk, sizeof(enc.ltk));
1083 get_random_bytes(&ediv, sizeof(ediv));
1084 get_random_bytes(&rand, sizeof(rand));
1086 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1088 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1089 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1090 SMP_LTK_SLAVE, authenticated, enc.ltk,
1091 smp->enc_key_size, ediv, rand);
1092 smp->slave_ltk = ltk;
1097 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1099 *keydist &= ~SMP_DIST_ENC_KEY;
1102 if (*keydist & SMP_DIST_ID_KEY) {
1103 struct smp_cmd_ident_addr_info addrinfo;
1104 struct smp_cmd_ident_info idinfo;
1106 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1108 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1110 /* The hci_conn contains the local identity address
1111 * after the connection has been established.
1113 * This is true even when the connection has been
1114 * established using a resolvable random address.
1116 bacpy(&addrinfo.bdaddr, &hcon->src);
1117 addrinfo.addr_type = hcon->src_type;
1119 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1122 *keydist &= ~SMP_DIST_ID_KEY;
1125 if (*keydist & SMP_DIST_SIGN) {
1126 struct smp_cmd_sign_info sign;
1127 struct smp_csrk *csrk;
1129 /* Generate a new random key */
1130 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1132 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1134 csrk->master = 0x00;
1135 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1137 smp->slave_csrk = csrk;
1139 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1141 *keydist &= ~SMP_DIST_SIGN;
1144 /* If there are still keys to be received wait for them */
1145 if (smp->remote_key_dist & KEY_DIST_MASK) {
1146 smp_allow_key_dist(smp);
1150 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1151 smp_notify_keys(conn);
1153 smp_chan_destroy(conn);
1156 static void smp_timeout(struct work_struct *work)
1158 struct smp_chan *smp = container_of(work, struct smp_chan,
1159 security_timer.work);
1160 struct l2cap_conn *conn = smp->conn;
1162 BT_DBG("conn %p", conn);
1164 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1167 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1169 struct l2cap_chan *chan = conn->smp;
1170 struct smp_chan *smp;
1172 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1176 smp->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
1177 if (IS_ERR(smp->tfm_aes)) {
1178 BT_ERR("Unable to create ECB crypto context");
1183 smp->tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
1184 if (IS_ERR(smp->tfm_cmac)) {
1185 BT_ERR("Unable to create CMAC crypto context");
1186 crypto_free_blkcipher(smp->tfm_aes);
1194 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1196 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1198 hci_conn_hold(conn->hcon);
1203 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1205 struct hci_conn *hcon = smp->conn->hcon;
1206 u8 *na, *nb, a[7], b[7];
1216 memcpy(a, &hcon->init_addr, 6);
1217 memcpy(b, &hcon->resp_addr, 6);
1218 a[6] = hcon->init_addr_type;
1219 b[6] = hcon->resp_addr_type;
1221 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1224 static void sc_dhkey_check(struct smp_chan *smp)
1226 struct hci_conn *hcon = smp->conn->hcon;
1227 struct smp_cmd_dhkey_check check;
1228 u8 a[7], b[7], *local_addr, *remote_addr;
1229 u8 io_cap[3], r[16];
1231 memcpy(a, &hcon->init_addr, 6);
1232 memcpy(b, &hcon->resp_addr, 6);
1233 a[6] = hcon->init_addr_type;
1234 b[6] = hcon->resp_addr_type;
1239 memcpy(io_cap, &smp->preq[1], 3);
1243 memcpy(io_cap, &smp->prsp[1], 3);
1246 memset(r, 0, sizeof(r));
1248 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1249 put_unaligned_le32(hcon->passkey_notify, r);
1251 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1252 local_addr, remote_addr, check.e);
1254 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1257 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1259 struct l2cap_conn *conn = smp->conn;
1260 struct hci_conn *hcon = conn->hcon;
1261 struct smp_cmd_pairing_confirm cfm;
1264 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1267 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1269 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1271 return SMP_UNSPECIFIED;
1273 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1278 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1280 struct l2cap_conn *conn = smp->conn;
1281 struct hci_conn *hcon = conn->hcon;
1282 struct hci_dev *hdev = hcon->hdev;
1285 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1286 if (smp->passkey_round >= 20)
1290 case SMP_CMD_PAIRING_RANDOM:
1291 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1294 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1296 return SMP_UNSPECIFIED;
1298 if (memcmp(smp->pcnf, cfm, 16))
1299 return SMP_CONFIRM_FAILED;
1301 smp->passkey_round++;
1303 if (smp->passkey_round == 20) {
1304 /* Generate MacKey and LTK */
1305 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1306 return SMP_UNSPECIFIED;
1309 /* The round is only complete when the initiator
1310 * receives pairing random.
1313 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1314 sizeof(smp->prnd), smp->prnd);
1315 if (smp->passkey_round == 20) {
1316 sc_dhkey_check(smp);
1317 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1319 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1324 /* Start the next round */
1325 if (smp->passkey_round != 20)
1326 return sc_passkey_round(smp, 0);
1328 /* Passkey rounds are complete - start DHKey Check */
1329 sc_dhkey_check(smp);
1330 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1334 case SMP_CMD_PAIRING_CONFIRM:
1335 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1336 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1340 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1343 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1344 sizeof(smp->prnd), smp->prnd);
1348 return sc_passkey_send_confirm(smp);
1350 case SMP_CMD_PUBLIC_KEY:
1352 /* Initiating device starts the round */
1356 BT_DBG("%s Starting passkey round %u", hdev->name,
1357 smp->passkey_round + 1);
1359 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1361 return sc_passkey_send_confirm(smp);
1367 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1369 struct l2cap_conn *conn = smp->conn;
1370 struct hci_conn *hcon = conn->hcon;
1373 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1376 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1377 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1379 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1380 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1382 case MGMT_OP_USER_PASSKEY_REPLY:
1383 hcon->passkey_notify = le32_to_cpu(passkey);
1384 smp->passkey_round = 0;
1386 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1387 smp_op = SMP_CMD_PAIRING_CONFIRM;
1391 if (sc_passkey_round(smp, smp_op))
1397 sc_dhkey_check(smp);
1402 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1404 struct l2cap_conn *conn = hcon->l2cap_data;
1405 struct l2cap_chan *chan;
1406 struct smp_chan *smp;
1419 l2cap_chan_lock(chan);
1427 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1428 err = sc_user_reply(smp, mgmt_op, passkey);
1433 case MGMT_OP_USER_PASSKEY_REPLY:
1434 value = le32_to_cpu(passkey);
1435 memset(smp->tk, 0, sizeof(smp->tk));
1436 BT_DBG("PassKey: %d", value);
1437 put_unaligned_le32(value, smp->tk);
1439 case MGMT_OP_USER_CONFIRM_REPLY:
1440 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1442 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1443 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1444 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1448 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1455 /* If it is our turn to send Pairing Confirm, do so now */
1456 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1457 u8 rsp = smp_confirm(smp);
1459 smp_failure(conn, rsp);
1463 l2cap_chan_unlock(chan);
1467 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1469 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1470 struct l2cap_chan *chan = conn->smp;
1471 struct hci_dev *hdev = conn->hcon->hdev;
1472 struct smp_chan *smp;
1473 u8 key_size, auth, sec_level;
1476 BT_DBG("conn %p", conn);
1478 if (skb->len < sizeof(*req))
1479 return SMP_INVALID_PARAMS;
1481 if (conn->hcon->role != HCI_ROLE_SLAVE)
1482 return SMP_CMD_NOTSUPP;
1485 smp = smp_chan_create(conn);
1490 return SMP_UNSPECIFIED;
1492 /* We didn't start the pairing, so match remote */
1493 auth = req->auth_req & AUTH_REQ_MASK(hdev);
1495 if (!test_bit(HCI_BONDABLE, &hdev->dev_flags) &&
1496 (auth & SMP_AUTH_BONDING))
1497 return SMP_PAIRING_NOTSUPP;
1499 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1500 memcpy(&smp->preq[1], req, sizeof(*req));
1501 skb_pull(skb, sizeof(*req));
1503 build_pairing_cmd(conn, req, &rsp, auth);
1505 if (rsp.auth_req & SMP_AUTH_SC)
1506 set_bit(SMP_FLAG_SC, &smp->flags);
1508 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1509 sec_level = BT_SECURITY_MEDIUM;
1511 sec_level = authreq_to_seclevel(auth);
1513 if (sec_level > conn->hcon->pending_sec_level)
1514 conn->hcon->pending_sec_level = sec_level;
1516 /* If we need MITM check that it can be achieved */
1517 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1520 method = get_auth_method(smp, conn->hcon->io_capability,
1521 req->io_capability);
1522 if (method == JUST_WORKS || method == JUST_CFM)
1523 return SMP_AUTH_REQUIREMENTS;
1526 key_size = min(req->max_key_size, rsp.max_key_size);
1527 if (check_enc_key_size(conn, key_size))
1528 return SMP_ENC_KEY_SIZE;
1530 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1532 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1533 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1535 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1537 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1539 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1540 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1541 /* Clear bits which are generated but not distributed */
1542 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1543 /* Wait for Public Key from Initiating Device */
1546 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1549 /* Request setup of TK */
1550 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1552 return SMP_UNSPECIFIED;
1557 static u8 sc_send_public_key(struct smp_chan *smp)
1562 /* Generate local key pair for Secure Connections */
1563 if (!ecc_make_key(smp->local_pk, smp->local_sk))
1564 return SMP_UNSPECIFIED;
1566 /* This is unlikely, but we need to check that we didn't
1567 * accidentially generate a debug key.
1569 if (memcmp(smp->local_sk, debug_sk, 32))
1573 BT_DBG("Local Public Key X: %32phN", smp->local_pk);
1574 BT_DBG("Local Public Key Y: %32phN", &smp->local_pk[32]);
1575 BT_DBG("Local Private Key: %32phN", smp->local_sk);
1577 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1582 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1584 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1585 struct l2cap_chan *chan = conn->smp;
1586 struct smp_chan *smp = chan->data;
1587 struct hci_dev *hdev = conn->hcon->hdev;
1591 BT_DBG("conn %p", conn);
1593 if (skb->len < sizeof(*rsp))
1594 return SMP_INVALID_PARAMS;
1596 if (conn->hcon->role != HCI_ROLE_MASTER)
1597 return SMP_CMD_NOTSUPP;
1599 skb_pull(skb, sizeof(*rsp));
1601 req = (void *) &smp->preq[1];
1603 key_size = min(req->max_key_size, rsp->max_key_size);
1604 if (check_enc_key_size(conn, key_size))
1605 return SMP_ENC_KEY_SIZE;
1607 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1609 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1610 set_bit(SMP_FLAG_SC, &smp->flags);
1611 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1612 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1614 /* If we need MITM check that it can be achieved */
1615 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1618 method = get_auth_method(smp, req->io_capability,
1619 rsp->io_capability);
1620 if (method == JUST_WORKS || method == JUST_CFM)
1621 return SMP_AUTH_REQUIREMENTS;
1624 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1626 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1627 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1629 /* Update remote key distribution in case the remote cleared
1630 * some bits that we had enabled in our request.
1632 smp->remote_key_dist &= rsp->resp_key_dist;
1634 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1635 /* Clear bits which are generated but not distributed */
1636 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1637 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1638 return sc_send_public_key(smp);
1641 auth |= req->auth_req;
1643 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
1645 return SMP_UNSPECIFIED;
1647 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1649 /* Can't compose response until we have been confirmed */
1650 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1651 return smp_confirm(smp);
1656 static u8 sc_check_confirm(struct smp_chan *smp)
1658 struct l2cap_conn *conn = smp->conn;
1662 /* Public Key exchange must happen before any other steps */
1663 if (!test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
1664 return SMP_UNSPECIFIED;
1666 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1667 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
1669 if (conn->hcon->out) {
1670 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1672 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1678 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
1680 struct l2cap_chan *chan = conn->smp;
1681 struct smp_chan *smp = chan->data;
1683 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
1685 if (skb->len < sizeof(smp->pcnf))
1686 return SMP_INVALID_PARAMS;
1688 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
1689 skb_pull(skb, sizeof(smp->pcnf));
1691 if (test_bit(SMP_FLAG_SC, &smp->flags))
1692 return sc_check_confirm(smp);
1694 if (conn->hcon->out) {
1695 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1697 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1701 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1702 return smp_confirm(smp);
1704 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1709 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
1711 struct l2cap_chan *chan = conn->smp;
1712 struct smp_chan *smp = chan->data;
1713 struct hci_conn *hcon = conn->hcon;
1714 u8 *pkax, *pkbx, *na, *nb;
1718 BT_DBG("conn %p", conn);
1720 if (skb->len < sizeof(smp->rrnd))
1721 return SMP_INVALID_PARAMS;
1723 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
1724 skb_pull(skb, sizeof(smp->rrnd));
1726 if (!test_bit(SMP_FLAG_SC, &smp->flags))
1727 return smp_random(smp);
1729 /* Passkey entry has special treatment */
1730 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1731 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
1736 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1739 return SMP_UNSPECIFIED;
1741 if (memcmp(smp->pcnf, cfm, 16))
1742 return SMP_CONFIRM_FAILED;
1744 pkax = smp->local_pk;
1745 pkbx = smp->remote_pk;
1749 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1751 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1753 pkax = smp->remote_pk;
1754 pkbx = smp->local_pk;
1759 /* Generate MacKey and LTK */
1760 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
1762 return SMP_UNSPECIFIED;
1764 if (smp->method == JUST_WORKS) {
1766 sc_dhkey_check(smp);
1767 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1772 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
1774 return SMP_UNSPECIFIED;
1776 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
1777 hcon->dst_type, passkey, 0);
1779 return SMP_UNSPECIFIED;
1781 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1786 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
1788 struct smp_ltk *key;
1789 struct hci_conn *hcon = conn->hcon;
1791 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
1795 if (smp_ltk_sec_level(key) < sec_level)
1798 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1801 hci_le_start_enc(hcon, key->ediv, key->rand, key->val);
1802 hcon->enc_key_size = key->enc_size;
1804 /* We never store STKs for master role, so clear this flag */
1805 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1810 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
1811 enum smp_key_pref key_pref)
1813 if (sec_level == BT_SECURITY_LOW)
1816 /* If we're encrypted with an STK but the caller prefers using
1817 * LTK claim insufficient security. This way we allow the
1818 * connection to be re-encrypted with an LTK, even if the LTK
1819 * provides the same level of security. Only exception is if we
1820 * don't have an LTK (e.g. because of key distribution bits).
1822 if (key_pref == SMP_USE_LTK &&
1823 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
1824 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
1827 if (hcon->sec_level >= sec_level)
1833 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
1835 struct smp_cmd_security_req *rp = (void *) skb->data;
1836 struct smp_cmd_pairing cp;
1837 struct hci_conn *hcon = conn->hcon;
1838 struct hci_dev *hdev = hcon->hdev;
1839 struct smp_chan *smp;
1842 BT_DBG("conn %p", conn);
1844 if (skb->len < sizeof(*rp))
1845 return SMP_INVALID_PARAMS;
1847 if (hcon->role != HCI_ROLE_MASTER)
1848 return SMP_CMD_NOTSUPP;
1850 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
1852 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1853 sec_level = BT_SECURITY_MEDIUM;
1855 sec_level = authreq_to_seclevel(auth);
1857 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
1860 if (sec_level > hcon->pending_sec_level)
1861 hcon->pending_sec_level = sec_level;
1863 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
1866 smp = smp_chan_create(conn);
1868 return SMP_UNSPECIFIED;
1870 if (!test_bit(HCI_BONDABLE, &hcon->hdev->dev_flags) &&
1871 (auth & SMP_AUTH_BONDING))
1872 return SMP_PAIRING_NOTSUPP;
1874 skb_pull(skb, sizeof(*rp));
1876 memset(&cp, 0, sizeof(cp));
1877 build_pairing_cmd(conn, &cp, NULL, auth);
1879 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1880 memcpy(&smp->preq[1], &cp, sizeof(cp));
1882 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
1883 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
1888 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
1890 struct l2cap_conn *conn = hcon->l2cap_data;
1891 struct l2cap_chan *chan;
1892 struct smp_chan *smp;
1896 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
1898 /* This may be NULL if there's an unexpected disconnection */
1904 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags))
1907 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
1910 if (sec_level > hcon->pending_sec_level)
1911 hcon->pending_sec_level = sec_level;
1913 if (hcon->role == HCI_ROLE_MASTER)
1914 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
1917 l2cap_chan_lock(chan);
1919 /* If SMP is already in progress ignore this request */
1925 smp = smp_chan_create(conn);
1931 authreq = seclevel_to_authreq(sec_level);
1933 if (test_bit(HCI_SC_ENABLED, &hcon->hdev->dev_flags))
1934 authreq |= SMP_AUTH_SC;
1936 /* Require MITM if IO Capability allows or the security level
1939 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
1940 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
1941 authreq |= SMP_AUTH_MITM;
1943 if (hcon->role == HCI_ROLE_MASTER) {
1944 struct smp_cmd_pairing cp;
1946 build_pairing_cmd(conn, &cp, NULL, authreq);
1947 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1948 memcpy(&smp->preq[1], &cp, sizeof(cp));
1950 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
1951 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
1953 struct smp_cmd_security_req cp;
1954 cp.auth_req = authreq;
1955 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
1956 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
1959 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
1963 l2cap_chan_unlock(chan);
1967 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
1969 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
1970 struct l2cap_chan *chan = conn->smp;
1971 struct smp_chan *smp = chan->data;
1973 BT_DBG("conn %p", conn);
1975 if (skb->len < sizeof(*rp))
1976 return SMP_INVALID_PARAMS;
1978 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
1980 skb_pull(skb, sizeof(*rp));
1982 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
1987 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
1989 struct smp_cmd_master_ident *rp = (void *) skb->data;
1990 struct l2cap_chan *chan = conn->smp;
1991 struct smp_chan *smp = chan->data;
1992 struct hci_dev *hdev = conn->hcon->hdev;
1993 struct hci_conn *hcon = conn->hcon;
1994 struct smp_ltk *ltk;
1997 BT_DBG("conn %p", conn);
1999 if (skb->len < sizeof(*rp))
2000 return SMP_INVALID_PARAMS;
2002 /* Mark the information as received */
2003 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2005 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2006 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2007 else if (smp->remote_key_dist & SMP_DIST_SIGN)
2008 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2010 skb_pull(skb, sizeof(*rp));
2012 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2013 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2014 authenticated, smp->tk, smp->enc_key_size,
2015 rp->ediv, rp->rand);
2017 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2018 smp_distribute_keys(smp);
2023 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2025 struct smp_cmd_ident_info *info = (void *) skb->data;
2026 struct l2cap_chan *chan = conn->smp;
2027 struct smp_chan *smp = chan->data;
2031 if (skb->len < sizeof(*info))
2032 return SMP_INVALID_PARAMS;
2034 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2036 skb_pull(skb, sizeof(*info));
2038 memcpy(smp->irk, info->irk, 16);
2043 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2044 struct sk_buff *skb)
2046 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2047 struct l2cap_chan *chan = conn->smp;
2048 struct smp_chan *smp = chan->data;
2049 struct hci_conn *hcon = conn->hcon;
2054 if (skb->len < sizeof(*info))
2055 return SMP_INVALID_PARAMS;
2057 /* Mark the information as received */
2058 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2060 if (smp->remote_key_dist & SMP_DIST_SIGN)
2061 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2063 skb_pull(skb, sizeof(*info));
2065 /* Strictly speaking the Core Specification (4.1) allows sending
2066 * an empty address which would force us to rely on just the IRK
2067 * as "identity information". However, since such
2068 * implementations are not known of and in order to not over
2069 * complicate our implementation, simply pretend that we never
2070 * received an IRK for such a device.
2072 if (!bacmp(&info->bdaddr, BDADDR_ANY)) {
2073 BT_ERR("Ignoring IRK with no identity address");
2077 bacpy(&smp->id_addr, &info->bdaddr);
2078 smp->id_addr_type = info->addr_type;
2080 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2081 bacpy(&rpa, &hcon->dst);
2083 bacpy(&rpa, BDADDR_ANY);
2085 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2086 smp->id_addr_type, smp->irk, &rpa);
2089 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2090 smp_distribute_keys(smp);
2095 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2097 struct smp_cmd_sign_info *rp = (void *) skb->data;
2098 struct l2cap_chan *chan = conn->smp;
2099 struct smp_chan *smp = chan->data;
2100 struct smp_csrk *csrk;
2102 BT_DBG("conn %p", conn);
2104 if (skb->len < sizeof(*rp))
2105 return SMP_INVALID_PARAMS;
2107 /* Mark the information as received */
2108 smp->remote_key_dist &= ~SMP_DIST_SIGN;
2110 skb_pull(skb, sizeof(*rp));
2112 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2114 csrk->master = 0x01;
2115 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2118 smp_distribute_keys(smp);
2123 static u8 sc_select_method(struct smp_chan *smp)
2125 struct l2cap_conn *conn = smp->conn;
2126 struct hci_conn *hcon = conn->hcon;
2127 struct smp_cmd_pairing *local, *remote;
2128 u8 local_mitm, remote_mitm, local_io, remote_io, method;
2130 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2131 * which are needed as inputs to some crypto functions. To get
2132 * the "struct smp_cmd_pairing" from them we need to skip the
2133 * first byte which contains the opcode.
2136 local = (void *) &smp->preq[1];
2137 remote = (void *) &smp->prsp[1];
2139 local = (void *) &smp->prsp[1];
2140 remote = (void *) &smp->preq[1];
2143 local_io = local->io_capability;
2144 remote_io = remote->io_capability;
2146 local_mitm = (local->auth_req & SMP_AUTH_MITM);
2147 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2149 /* If either side wants MITM, look up the method from the table,
2150 * otherwise use JUST WORKS.
2152 if (local_mitm || remote_mitm)
2153 method = get_auth_method(smp, local_io, remote_io);
2155 method = JUST_WORKS;
2157 /* Don't confirm locally initiated pairing attempts */
2158 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2159 method = JUST_WORKS;
2164 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2166 struct smp_cmd_public_key *key = (void *) skb->data;
2167 struct hci_conn *hcon = conn->hcon;
2168 struct l2cap_chan *chan = conn->smp;
2169 struct smp_chan *smp = chan->data;
2170 struct hci_dev *hdev = hcon->hdev;
2171 struct smp_cmd_pairing_confirm cfm;
2174 BT_DBG("conn %p", conn);
2176 if (skb->len < sizeof(*key))
2177 return SMP_INVALID_PARAMS;
2179 memcpy(smp->remote_pk, key, 64);
2181 /* Non-initiating device sends its public key after receiving
2182 * the key from the initiating device.
2185 err = sc_send_public_key(smp);
2190 BT_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2191 BT_DBG("Remote Public Key Y: %32phN", &smp->remote_pk[32]);
2193 if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2194 return SMP_UNSPECIFIED;
2196 BT_DBG("DHKey %32phN", smp->dhkey);
2198 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2200 smp->method = sc_select_method(smp);
2202 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2204 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2205 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2206 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2208 hcon->pending_sec_level = BT_SECURITY_FIPS;
2210 if (!memcmp(debug_pk, smp->remote_pk, 64))
2211 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2213 if (smp->method == DSP_PASSKEY) {
2214 get_random_bytes(&hcon->passkey_notify,
2215 sizeof(hcon->passkey_notify));
2216 hcon->passkey_notify %= 1000000;
2217 hcon->passkey_entered = 0;
2218 smp->passkey_round = 0;
2219 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2221 hcon->passkey_notify,
2222 hcon->passkey_entered))
2223 return SMP_UNSPECIFIED;
2224 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2225 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2229 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2231 if (smp->method == REQ_PASSKEY) {
2232 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2234 return SMP_UNSPECIFIED;
2235 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2236 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2240 /* The Initiating device waits for the non-initiating device to
2241 * send the confirm value.
2243 if (conn->hcon->out)
2246 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2247 0, cfm.confirm_val);
2249 return SMP_UNSPECIFIED;
2251 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2252 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2257 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2259 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2260 struct l2cap_chan *chan = conn->smp;
2261 struct hci_conn *hcon = conn->hcon;
2262 struct smp_chan *smp = chan->data;
2263 u8 a[7], b[7], *local_addr, *remote_addr;
2264 u8 io_cap[3], r[16], e[16];
2268 BT_DBG("conn %p", conn);
2270 if (skb->len < sizeof(*check))
2271 return SMP_INVALID_PARAMS;
2273 memcpy(a, &hcon->init_addr, 6);
2274 memcpy(b, &hcon->resp_addr, 6);
2275 a[6] = hcon->init_addr_type;
2276 b[6] = hcon->resp_addr_type;
2281 memcpy(io_cap, &smp->prsp[1], 3);
2285 memcpy(io_cap, &smp->preq[1], 3);
2288 memset(r, 0, sizeof(r));
2290 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2291 put_unaligned_le32(hcon->passkey_notify, r);
2293 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2294 io_cap, remote_addr, local_addr, e);
2296 return SMP_UNSPECIFIED;
2298 if (memcmp(check->e, e, 16))
2299 return SMP_DHKEY_CHECK_FAILED;
2301 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
2302 key_type = SMP_LTK_P256_DEBUG;
2304 key_type = SMP_LTK_P256;
2306 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
2311 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
2312 key_type, auth, smp->tk, smp->enc_key_size,
2316 hci_le_start_enc(hcon, 0, 0, smp->tk);
2317 hcon->enc_key_size = smp->enc_key_size;
2323 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2325 struct l2cap_conn *conn = chan->conn;
2326 struct hci_conn *hcon = conn->hcon;
2327 struct smp_chan *smp;
2331 if (hcon->type != LE_LINK) {
2339 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags)) {
2340 reason = SMP_PAIRING_NOTSUPP;
2344 code = skb->data[0];
2345 skb_pull(skb, sizeof(code));
2349 if (code > SMP_CMD_MAX)
2352 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2355 /* If we don't have a context the only allowed commands are
2356 * pairing request and security request.
2358 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2362 case SMP_CMD_PAIRING_REQ:
2363 reason = smp_cmd_pairing_req(conn, skb);
2366 case SMP_CMD_PAIRING_FAIL:
2367 smp_failure(conn, 0);
2371 case SMP_CMD_PAIRING_RSP:
2372 reason = smp_cmd_pairing_rsp(conn, skb);
2375 case SMP_CMD_SECURITY_REQ:
2376 reason = smp_cmd_security_req(conn, skb);
2379 case SMP_CMD_PAIRING_CONFIRM:
2380 reason = smp_cmd_pairing_confirm(conn, skb);
2383 case SMP_CMD_PAIRING_RANDOM:
2384 reason = smp_cmd_pairing_random(conn, skb);
2387 case SMP_CMD_ENCRYPT_INFO:
2388 reason = smp_cmd_encrypt_info(conn, skb);
2391 case SMP_CMD_MASTER_IDENT:
2392 reason = smp_cmd_master_ident(conn, skb);
2395 case SMP_CMD_IDENT_INFO:
2396 reason = smp_cmd_ident_info(conn, skb);
2399 case SMP_CMD_IDENT_ADDR_INFO:
2400 reason = smp_cmd_ident_addr_info(conn, skb);
2403 case SMP_CMD_SIGN_INFO:
2404 reason = smp_cmd_sign_info(conn, skb);
2407 case SMP_CMD_PUBLIC_KEY:
2408 reason = smp_cmd_public_key(conn, skb);
2411 case SMP_CMD_DHKEY_CHECK:
2412 reason = smp_cmd_dhkey_check(conn, skb);
2416 BT_DBG("Unknown command code 0x%2.2x", code);
2417 reason = SMP_CMD_NOTSUPP;
2424 smp_failure(conn, reason);
2431 BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2437 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2439 struct l2cap_conn *conn = chan->conn;
2441 BT_DBG("chan %p", chan);
2444 smp_chan_destroy(conn);
2447 l2cap_chan_put(chan);
2450 static void smp_resume_cb(struct l2cap_chan *chan)
2452 struct smp_chan *smp = chan->data;
2453 struct l2cap_conn *conn = chan->conn;
2454 struct hci_conn *hcon = conn->hcon;
2456 BT_DBG("chan %p", chan);
2461 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2464 cancel_delayed_work(&smp->security_timer);
2466 smp_distribute_keys(smp);
2469 static void smp_ready_cb(struct l2cap_chan *chan)
2471 struct l2cap_conn *conn = chan->conn;
2473 BT_DBG("chan %p", chan);
2476 l2cap_chan_hold(chan);
2479 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
2483 BT_DBG("chan %p", chan);
2485 err = smp_sig_channel(chan, skb);
2487 struct smp_chan *smp = chan->data;
2490 cancel_delayed_work_sync(&smp->security_timer);
2492 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
2498 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
2499 unsigned long hdr_len,
2500 unsigned long len, int nb)
2502 struct sk_buff *skb;
2504 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
2506 return ERR_PTR(-ENOMEM);
2508 skb->priority = HCI_PRIO_MAX;
2509 bt_cb(skb)->chan = chan;
2514 static const struct l2cap_ops smp_chan_ops = {
2515 .name = "Security Manager",
2516 .ready = smp_ready_cb,
2517 .recv = smp_recv_cb,
2518 .alloc_skb = smp_alloc_skb_cb,
2519 .teardown = smp_teardown_cb,
2520 .resume = smp_resume_cb,
2522 .new_connection = l2cap_chan_no_new_connection,
2523 .state_change = l2cap_chan_no_state_change,
2524 .close = l2cap_chan_no_close,
2525 .defer = l2cap_chan_no_defer,
2526 .suspend = l2cap_chan_no_suspend,
2527 .set_shutdown = l2cap_chan_no_set_shutdown,
2528 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
2529 .memcpy_fromiovec = l2cap_chan_no_memcpy_fromiovec,
2532 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
2534 struct l2cap_chan *chan;
2536 BT_DBG("pchan %p", pchan);
2538 chan = l2cap_chan_create();
2542 chan->chan_type = pchan->chan_type;
2543 chan->ops = &smp_chan_ops;
2544 chan->scid = pchan->scid;
2545 chan->dcid = chan->scid;
2546 chan->imtu = pchan->imtu;
2547 chan->omtu = pchan->omtu;
2548 chan->mode = pchan->mode;
2550 /* Other L2CAP channels may request SMP routines in order to
2551 * change the security level. This means that the SMP channel
2552 * lock must be considered in its own category to avoid lockdep
2555 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
2557 BT_DBG("created chan %p", chan);
2562 static const struct l2cap_ops smp_root_chan_ops = {
2563 .name = "Security Manager Root",
2564 .new_connection = smp_new_conn_cb,
2566 /* None of these are implemented for the root channel */
2567 .close = l2cap_chan_no_close,
2568 .alloc_skb = l2cap_chan_no_alloc_skb,
2569 .recv = l2cap_chan_no_recv,
2570 .state_change = l2cap_chan_no_state_change,
2571 .teardown = l2cap_chan_no_teardown,
2572 .ready = l2cap_chan_no_ready,
2573 .defer = l2cap_chan_no_defer,
2574 .suspend = l2cap_chan_no_suspend,
2575 .resume = l2cap_chan_no_resume,
2576 .set_shutdown = l2cap_chan_no_set_shutdown,
2577 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
2578 .memcpy_fromiovec = l2cap_chan_no_memcpy_fromiovec,
2581 int smp_register(struct hci_dev *hdev)
2583 struct l2cap_chan *chan;
2584 struct crypto_blkcipher *tfm_aes;
2586 BT_DBG("%s", hdev->name);
2588 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, 0);
2589 if (IS_ERR(tfm_aes)) {
2590 int err = PTR_ERR(tfm_aes);
2591 BT_ERR("Unable to create crypto context");
2595 chan = l2cap_chan_create();
2597 crypto_free_blkcipher(tfm_aes);
2601 chan->data = tfm_aes;
2603 l2cap_add_scid(chan, L2CAP_CID_SMP);
2605 l2cap_chan_set_defaults(chan);
2607 bacpy(&chan->src, &hdev->bdaddr);
2608 chan->src_type = BDADDR_LE_PUBLIC;
2609 chan->state = BT_LISTEN;
2610 chan->mode = L2CAP_MODE_BASIC;
2611 chan->imtu = L2CAP_DEFAULT_MTU;
2612 chan->ops = &smp_root_chan_ops;
2614 /* Set correct nesting level for a parent/listening channel */
2615 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
2617 hdev->smp_data = chan;
2622 void smp_unregister(struct hci_dev *hdev)
2624 struct l2cap_chan *chan = hdev->smp_data;
2625 struct crypto_blkcipher *tfm_aes;
2630 BT_DBG("%s chan %p", hdev->name, chan);
2632 tfm_aes = chan->data;
2635 crypto_free_blkcipher(tfm_aes);
2638 hdev->smp_data = NULL;
2639 l2cap_chan_put(chan);