2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
23 #include <linux/debugfs.h>
24 #include <linux/scatterlist.h>
25 #include <linux/crypto.h>
26 #include <crypto/aes.h>
27 #include <crypto/algapi.h>
28 #include <crypto/hash.h>
29 #include <crypto/kpp.h>
31 #include <net/bluetooth/bluetooth.h>
32 #include <net/bluetooth/hci_core.h>
33 #include <net/bluetooth/l2cap.h>
34 #include <net/bluetooth/mgmt.h>
36 #include "ecdh_helper.h"
39 #define SMP_DEV(hdev) \
40 ((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
42 /* Low-level debug macros to be used for stuff that we don't want
43 * accidentally in dmesg, i.e. the values of the various crypto keys
44 * and the inputs & outputs of crypto functions.
47 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
50 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
54 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
56 /* Keys which are not distributed with Secure Connections */
57 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY)
59 #define SMP_TIMEOUT msecs_to_jiffies(30000)
61 #define ID_ADDR_TIMEOUT msecs_to_jiffies(200)
63 #define AUTH_REQ_MASK(dev) (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
65 #define KEY_DIST_MASK 0x07
67 /* Maximum message length that can be passed to aes_cmac */
68 #define CMAC_MSG_MAX 80
80 SMP_FLAG_DHKEY_PENDING,
87 /* Secure Connections OOB data */
93 struct crypto_shash *tfm_cmac;
94 struct crypto_kpp *tfm_ecdh;
98 struct l2cap_conn *conn;
99 struct delayed_work security_timer;
100 unsigned long allow_cmd; /* Bitmask of allowed commands */
102 u8 preq[7]; /* SMP Pairing Request */
103 u8 prsp[7]; /* SMP Pairing Response */
104 u8 prnd[16]; /* SMP Pairing Random (local) */
105 u8 rrnd[16]; /* SMP Pairing Random (remote) */
106 u8 pcnf[16]; /* SMP Pairing Confirm */
107 u8 tk[16]; /* SMP Temporary Key */
108 u8 rr[16]; /* Remote OOB ra/rb value */
109 u8 lr[16]; /* Local OOB ra/rb value */
115 struct smp_csrk *csrk;
116 struct smp_csrk *responder_csrk;
118 struct smp_ltk *responder_ltk;
119 struct smp_irk *remote_irk;
125 /* Secure Connections variables */
131 struct crypto_shash *tfm_cmac;
132 struct crypto_kpp *tfm_ecdh;
135 /* These debug key values are defined in the SMP section of the core
136 * specification. debug_pk is the public debug key and debug_sk the
139 static const u8 debug_pk[64] = {
140 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
141 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
142 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
143 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
145 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
146 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
147 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
148 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
151 static const u8 debug_sk[32] = {
152 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
153 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
154 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
155 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
158 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
162 for (i = 0; i < len; i++)
163 dst[len - 1 - i] = src[i];
166 /* The following functions map to the LE SC SMP crypto functions
167 * AES-CMAC, f4, f5, f6, g2 and h6.
170 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
171 size_t len, u8 mac[16])
173 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
176 if (len > CMAC_MSG_MAX)
180 BT_ERR("tfm %p", tfm);
184 /* Swap key and message from LSB to MSB */
185 swap_buf(k, tmp, 16);
186 swap_buf(m, msg_msb, len);
188 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
189 SMP_DBG("key %16phN", k);
191 err = crypto_shash_setkey(tfm, tmp, 16);
193 BT_ERR("cipher setkey failed: %d", err);
197 err = crypto_shash_tfm_digest(tfm, msg_msb, len, mac_msb);
199 BT_ERR("Hash computation error %d", err);
203 swap_buf(mac_msb, mac, 16);
205 SMP_DBG("mac %16phN", mac);
210 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
211 const u8 v[32], const u8 x[16], u8 z, u8 res[16])
216 SMP_DBG("u %32phN", u);
217 SMP_DBG("v %32phN", v);
218 SMP_DBG("x %16phN z %02x", x, z);
221 memcpy(m + 1, v, 32);
222 memcpy(m + 33, u, 32);
224 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
228 SMP_DBG("res %16phN", res);
233 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
234 const u8 n1[16], const u8 n2[16], const u8 a1[7],
235 const u8 a2[7], u8 mackey[16], u8 ltk[16])
237 /* The btle, salt and length "magic" values are as defined in
238 * the SMP section of the Bluetooth core specification. In ASCII
239 * the btle value ends up being 'btle'. The salt is just a
240 * random number whereas length is the value 256 in little
243 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
244 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
245 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
246 const u8 length[2] = { 0x00, 0x01 };
250 SMP_DBG("w %32phN", w);
251 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
252 SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
254 err = aes_cmac(tfm_cmac, salt, w, 32, t);
258 SMP_DBG("t %16phN", t);
260 memcpy(m, length, 2);
261 memcpy(m + 2, a2, 7);
262 memcpy(m + 9, a1, 7);
263 memcpy(m + 16, n2, 16);
264 memcpy(m + 32, n1, 16);
265 memcpy(m + 48, btle, 4);
267 m[52] = 0; /* Counter */
269 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
273 SMP_DBG("mackey %16phN", mackey);
275 m[52] = 1; /* Counter */
277 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
281 SMP_DBG("ltk %16phN", ltk);
286 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
287 const u8 n1[16], const u8 n2[16], const u8 r[16],
288 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
294 SMP_DBG("w %16phN", w);
295 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
296 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
299 memcpy(m + 7, a1, 7);
300 memcpy(m + 14, io_cap, 3);
301 memcpy(m + 17, r, 16);
302 memcpy(m + 33, n2, 16);
303 memcpy(m + 49, n1, 16);
305 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
309 SMP_DBG("res %16phN", res);
314 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
315 const u8 x[16], const u8 y[16], u32 *val)
320 SMP_DBG("u %32phN", u);
321 SMP_DBG("v %32phN", v);
322 SMP_DBG("x %16phN y %16phN", x, y);
325 memcpy(m + 16, v, 32);
326 memcpy(m + 48, u, 32);
328 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
332 *val = get_unaligned_le32(tmp);
335 SMP_DBG("val %06u", *val);
340 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
341 const u8 key_id[4], u8 res[16])
345 SMP_DBG("w %16phN key_id %4phN", w, key_id);
347 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
351 SMP_DBG("res %16phN", res);
356 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
357 const u8 salt[16], u8 res[16])
361 SMP_DBG("w %16phN salt %16phN", w, salt);
363 err = aes_cmac(tfm_cmac, salt, w, 16, res);
367 SMP_DBG("res %16phN", res);
372 /* The following functions map to the legacy SMP crypto functions e, c1,
376 static int smp_e(const u8 *k, u8 *r)
378 struct crypto_aes_ctx ctx;
379 uint8_t tmp[16], data[16];
382 SMP_DBG("k %16phN r %16phN", k, r);
384 /* The most significant octet of key corresponds to k[0] */
385 swap_buf(k, tmp, 16);
387 err = aes_expandkey(&ctx, tmp, 16);
389 BT_ERR("cipher setkey failed: %d", err);
393 /* Most significant octet of plaintextData corresponds to data[0] */
394 swap_buf(r, data, 16);
396 aes_encrypt(&ctx, data, data);
398 /* Most significant octet of encryptedData corresponds to data[0] */
399 swap_buf(data, r, 16);
401 SMP_DBG("r %16phN", r);
403 memzero_explicit(&ctx, sizeof(ctx));
407 static int smp_c1(const u8 k[16],
408 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
409 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
414 SMP_DBG("k %16phN r %16phN", k, r);
415 SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
416 SMP_DBG("preq %7phN pres %7phN", preq, pres);
420 /* p1 = pres || preq || _rat || _iat */
423 memcpy(p1 + 2, preq, 7);
424 memcpy(p1 + 9, pres, 7);
426 SMP_DBG("p1 %16phN", p1);
429 crypto_xor_cpy(res, r, p1, sizeof(p1));
431 /* res = e(k, res) */
434 BT_ERR("Encrypt data error");
438 /* p2 = padding || ia || ra */
440 memcpy(p2 + 6, ia, 6);
441 memset(p2 + 12, 0, 4);
443 SMP_DBG("p2 %16phN", p2);
445 /* res = res XOR p2 */
446 crypto_xor(res, p2, sizeof(p2));
448 /* res = e(k, res) */
451 BT_ERR("Encrypt data error");
456 static int smp_s1(const u8 k[16],
457 const u8 r1[16], const u8 r2[16], u8 _r[16])
461 /* Just least significant octets from r1 and r2 are considered */
463 memcpy(_r + 8, r1, 8);
467 BT_ERR("Encrypt data error");
472 static int smp_ah(const u8 irk[16], const u8 r[3], u8 res[3])
477 /* r' = padding || r */
479 memset(_res + 3, 0, 13);
481 err = smp_e(irk, _res);
483 BT_ERR("Encrypt error");
487 /* The output of the random address function ah is:
488 * ah(k, r) = e(k, r') mod 2^24
489 * The output of the security function e is then truncated to 24 bits
490 * by taking the least significant 24 bits of the output of e as the
493 memcpy(res, _res, 3);
498 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
499 const bdaddr_t *bdaddr)
501 struct l2cap_chan *chan = hdev->smp_data;
505 if (!chan || !chan->data)
508 bt_dev_dbg(hdev, "RPA %pMR IRK %*phN", bdaddr, 16, irk);
510 err = smp_ah(irk, &bdaddr->b[3], hash);
514 return !crypto_memneq(bdaddr->b, hash, 3);
517 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
519 struct l2cap_chan *chan = hdev->smp_data;
522 if (!chan || !chan->data)
525 get_random_bytes(&rpa->b[3], 3);
527 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
528 rpa->b[5] |= 0x40; /* Set second most significant bit */
530 err = smp_ah(irk, &rpa->b[3], rpa->b);
534 bt_dev_dbg(hdev, "RPA %pMR", rpa);
539 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
541 struct l2cap_chan *chan = hdev->smp_data;
545 if (!chan || !chan->data)
550 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
551 bt_dev_dbg(hdev, "Using debug keys");
552 err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk);
555 memcpy(smp->local_pk, debug_pk, 64);
556 smp->debug_key = true;
559 /* Generate key pair for Secure Connections */
560 err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk);
564 /* This is unlikely, but we need to check that
565 * we didn't accidentally generate a debug key.
567 if (crypto_memneq(smp->local_pk, debug_pk, 64))
570 smp->debug_key = false;
573 SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
574 SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
576 get_random_bytes(smp->local_rand, 16);
578 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
579 smp->local_rand, 0, hash);
583 memcpy(rand, smp->local_rand, 16);
585 smp->local_oob = true;
590 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
592 struct l2cap_chan *chan = conn->smp;
593 struct smp_chan *smp;
600 bt_dev_dbg(conn->hcon->hdev, "code 0x%2.2x", code);
602 iv[0].iov_base = &code;
605 iv[1].iov_base = data;
608 memset(&msg, 0, sizeof(msg));
610 iov_iter_kvec(&msg.msg_iter, ITER_SOURCE, iv, 2, 1 + len);
612 l2cap_chan_send(chan, &msg, 1 + len);
619 cancel_delayed_work_sync(&smp->security_timer);
620 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
623 static u8 authreq_to_seclevel(u8 authreq)
625 if (authreq & SMP_AUTH_MITM) {
626 if (authreq & SMP_AUTH_SC)
627 return BT_SECURITY_FIPS;
629 return BT_SECURITY_HIGH;
631 return BT_SECURITY_MEDIUM;
635 static __u8 seclevel_to_authreq(__u8 sec_level)
638 case BT_SECURITY_FIPS:
639 case BT_SECURITY_HIGH:
640 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
641 case BT_SECURITY_MEDIUM:
642 return SMP_AUTH_BONDING;
644 return SMP_AUTH_NONE;
648 static void build_pairing_cmd(struct l2cap_conn *conn,
649 struct smp_cmd_pairing *req,
650 struct smp_cmd_pairing *rsp, __u8 authreq)
652 struct l2cap_chan *chan = conn->smp;
653 struct smp_chan *smp = chan->data;
654 struct hci_conn *hcon = conn->hcon;
655 struct hci_dev *hdev = hcon->hdev;
656 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
658 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
659 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
660 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
661 authreq |= SMP_AUTH_BONDING;
663 authreq &= ~SMP_AUTH_BONDING;
666 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
667 remote_dist |= SMP_DIST_ID_KEY;
669 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
670 local_dist |= SMP_DIST_ID_KEY;
672 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
673 (authreq & SMP_AUTH_SC)) {
674 struct oob_data *oob_data;
677 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
678 local_dist |= SMP_DIST_LINK_KEY;
679 remote_dist |= SMP_DIST_LINK_KEY;
682 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
683 bdaddr_type = BDADDR_LE_PUBLIC;
685 bdaddr_type = BDADDR_LE_RANDOM;
687 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
689 if (oob_data && oob_data->present) {
690 set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
691 oob_flag = SMP_OOB_PRESENT;
692 memcpy(smp->rr, oob_data->rand256, 16);
693 memcpy(smp->pcnf, oob_data->hash256, 16);
694 SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
695 SMP_DBG("OOB Remote Random: %16phN", smp->rr);
699 authreq &= ~SMP_AUTH_SC;
703 req->io_capability = conn->hcon->io_capability;
704 req->oob_flag = oob_flag;
705 req->max_key_size = hdev->le_max_key_size;
706 req->init_key_dist = local_dist;
707 req->resp_key_dist = remote_dist;
708 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
710 smp->remote_key_dist = remote_dist;
714 rsp->io_capability = conn->hcon->io_capability;
715 rsp->oob_flag = oob_flag;
716 rsp->max_key_size = hdev->le_max_key_size;
717 rsp->init_key_dist = req->init_key_dist & remote_dist;
718 rsp->resp_key_dist = req->resp_key_dist & local_dist;
719 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
721 smp->remote_key_dist = rsp->init_key_dist;
724 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
726 struct l2cap_chan *chan = conn->smp;
727 struct hci_dev *hdev = conn->hcon->hdev;
728 struct smp_chan *smp = chan->data;
730 if (conn->hcon->pending_sec_level == BT_SECURITY_FIPS &&
731 max_key_size != SMP_MAX_ENC_KEY_SIZE)
732 return SMP_ENC_KEY_SIZE;
734 if (max_key_size > hdev->le_max_key_size ||
735 max_key_size < SMP_MIN_ENC_KEY_SIZE)
736 return SMP_ENC_KEY_SIZE;
738 smp->enc_key_size = max_key_size;
743 static void smp_chan_destroy(struct l2cap_conn *conn)
745 struct l2cap_chan *chan = conn->smp;
746 struct smp_chan *smp = chan->data;
747 struct hci_conn *hcon = conn->hcon;
752 cancel_delayed_work_sync(&smp->security_timer);
754 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
755 mgmt_smp_complete(hcon, complete);
757 kfree_sensitive(smp->csrk);
758 kfree_sensitive(smp->responder_csrk);
759 kfree_sensitive(smp->link_key);
761 crypto_free_shash(smp->tfm_cmac);
762 crypto_free_kpp(smp->tfm_ecdh);
764 /* Ensure that we don't leave any debug key around if debug key
765 * support hasn't been explicitly enabled.
767 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
768 !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
769 list_del_rcu(&smp->ltk->list);
770 kfree_rcu(smp->ltk, rcu);
774 /* If pairing failed clean up any keys we might have */
777 list_del_rcu(&smp->ltk->list);
778 kfree_rcu(smp->ltk, rcu);
781 if (smp->responder_ltk) {
782 list_del_rcu(&smp->responder_ltk->list);
783 kfree_rcu(smp->responder_ltk, rcu);
786 if (smp->remote_irk) {
787 list_del_rcu(&smp->remote_irk->list);
788 kfree_rcu(smp->remote_irk, rcu);
793 kfree_sensitive(smp);
797 static void smp_failure(struct l2cap_conn *conn, u8 reason)
799 struct hci_conn *hcon = conn->hcon;
800 struct l2cap_chan *chan = conn->smp;
803 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
806 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
809 smp_chan_destroy(conn);
812 #define JUST_WORKS 0x00
813 #define JUST_CFM 0x01
814 #define REQ_PASSKEY 0x02
815 #define CFM_PASSKEY 0x03
817 #define DSP_PASSKEY 0x05
820 static const u8 gen_method[5][5] = {
821 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
822 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
823 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
824 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
825 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
828 static const u8 sc_method[5][5] = {
829 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
830 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
831 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
832 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
833 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
836 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
838 /* If either side has unknown io_caps, use JUST_CFM (which gets
839 * converted later to JUST_WORKS if we're initiators.
841 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
842 remote_io > SMP_IO_KEYBOARD_DISPLAY)
845 if (test_bit(SMP_FLAG_SC, &smp->flags))
846 return sc_method[remote_io][local_io];
848 return gen_method[remote_io][local_io];
851 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
852 u8 local_io, u8 remote_io)
854 struct hci_conn *hcon = conn->hcon;
855 struct l2cap_chan *chan = conn->smp;
856 struct smp_chan *smp = chan->data;
860 /* Initialize key for JUST WORKS */
861 memset(smp->tk, 0, sizeof(smp->tk));
862 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
864 bt_dev_dbg(hcon->hdev, "auth:%u lcl:%u rem:%u", auth, local_io,
867 /* If neither side wants MITM, either "just" confirm an incoming
868 * request or use just-works for outgoing ones. The JUST_CFM
869 * will be converted to JUST_WORKS if necessary later in this
870 * function. If either side has MITM look up the method from the
873 if (!(auth & SMP_AUTH_MITM))
874 smp->method = JUST_CFM;
876 smp->method = get_auth_method(smp, local_io, remote_io);
878 /* Don't confirm locally initiated pairing attempts */
879 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
881 smp->method = JUST_WORKS;
883 /* Don't bother user space with no IO capabilities */
884 if (smp->method == JUST_CFM &&
885 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
886 smp->method = JUST_WORKS;
888 /* If Just Works, Continue with Zero TK and ask user-space for
890 if (smp->method == JUST_WORKS) {
891 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
897 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
901 /* If this function is used for SC -> legacy fallback we
902 * can only recover the just-works case.
904 if (test_bit(SMP_FLAG_SC, &smp->flags))
907 /* Not Just Works/Confirm results in MITM Authentication */
908 if (smp->method != JUST_CFM) {
909 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
910 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
911 hcon->pending_sec_level = BT_SECURITY_HIGH;
914 /* If both devices have Keyboard-Display I/O, the initiator
915 * Confirms and the responder Enters the passkey.
917 if (smp->method == OVERLAP) {
918 if (hcon->role == HCI_ROLE_MASTER)
919 smp->method = CFM_PASSKEY;
921 smp->method = REQ_PASSKEY;
924 /* Generate random passkey. */
925 if (smp->method == CFM_PASSKEY) {
926 memset(smp->tk, 0, sizeof(smp->tk));
927 get_random_bytes(&passkey, sizeof(passkey));
929 put_unaligned_le32(passkey, smp->tk);
930 bt_dev_dbg(hcon->hdev, "PassKey: %u", passkey);
931 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
934 if (smp->method == REQ_PASSKEY)
935 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
936 hcon->type, hcon->dst_type);
937 else if (smp->method == JUST_CFM)
938 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
939 hcon->type, hcon->dst_type,
942 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
943 hcon->type, hcon->dst_type,
949 static u8 smp_confirm(struct smp_chan *smp)
951 struct l2cap_conn *conn = smp->conn;
952 struct smp_cmd_pairing_confirm cp;
955 bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
957 ret = smp_c1(smp->tk, smp->prnd, smp->preq, smp->prsp,
958 conn->hcon->init_addr_type, &conn->hcon->init_addr,
959 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
962 return SMP_UNSPECIFIED;
964 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
966 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
969 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
971 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
976 static u8 smp_random(struct smp_chan *smp)
978 struct l2cap_conn *conn = smp->conn;
979 struct hci_conn *hcon = conn->hcon;
983 bt_dev_dbg(conn->hcon->hdev, "conn %p %s", conn,
984 conn->hcon->out ? "initiator" : "responder");
986 ret = smp_c1(smp->tk, smp->rrnd, smp->preq, smp->prsp,
987 hcon->init_addr_type, &hcon->init_addr,
988 hcon->resp_addr_type, &hcon->resp_addr, confirm);
990 return SMP_UNSPECIFIED;
992 if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
993 bt_dev_err(hcon->hdev, "pairing failed "
994 "(confirmation values mismatch)");
995 return SMP_CONFIRM_FAILED;
1003 smp_s1(smp->tk, smp->rrnd, smp->prnd, stk);
1005 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1006 return SMP_UNSPECIFIED;
1008 hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1009 hcon->enc_key_size = smp->enc_key_size;
1010 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1016 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1019 smp_s1(smp->tk, smp->prnd, smp->rrnd, stk);
1021 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1026 /* Even though there's no _RESPONDER suffix this is the
1027 * responder STK we're adding for later lookup (the initiator
1028 * STK never needs to be stored).
1030 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1031 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1037 static void smp_notify_keys(struct l2cap_conn *conn)
1039 struct l2cap_chan *chan = conn->smp;
1040 struct smp_chan *smp = chan->data;
1041 struct hci_conn *hcon = conn->hcon;
1042 struct hci_dev *hdev = hcon->hdev;
1043 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1044 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1047 if (hcon->type == ACL_LINK) {
1048 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1051 persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1054 /* The LTKs, IRKs and CSRKs should be persistent only if
1055 * both sides had the bonding bit set in their
1056 * authentication requests.
1058 persistent = !!((req->auth_req & rsp->auth_req) &
1062 if (smp->remote_irk) {
1063 smp->remote_irk->link_type = hcon->type;
1064 mgmt_new_irk(hdev, smp->remote_irk, persistent);
1066 /* Now that user space can be considered to know the
1067 * identity address track the connection based on it
1068 * from now on (assuming this is an LE link).
1070 if (hcon->type == LE_LINK) {
1071 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1072 hcon->dst_type = smp->remote_irk->addr_type;
1073 /* Use a short delay to make sure the new address is
1074 * propagated _before_ the channels.
1076 queue_delayed_work(hdev->workqueue,
1077 &conn->id_addr_timer,
1083 smp->csrk->link_type = hcon->type;
1084 smp->csrk->bdaddr_type = hcon->dst_type;
1085 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1086 mgmt_new_csrk(hdev, smp->csrk, persistent);
1089 if (smp->responder_csrk) {
1090 smp->responder_csrk->link_type = hcon->type;
1091 smp->responder_csrk->bdaddr_type = hcon->dst_type;
1092 bacpy(&smp->responder_csrk->bdaddr, &hcon->dst);
1093 mgmt_new_csrk(hdev, smp->responder_csrk, persistent);
1097 smp->ltk->link_type = hcon->type;
1098 smp->ltk->bdaddr_type = hcon->dst_type;
1099 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1100 mgmt_new_ltk(hdev, smp->ltk, persistent);
1103 if (smp->responder_ltk) {
1104 smp->responder_ltk->link_type = hcon->type;
1105 smp->responder_ltk->bdaddr_type = hcon->dst_type;
1106 bacpy(&smp->responder_ltk->bdaddr, &hcon->dst);
1107 mgmt_new_ltk(hdev, smp->responder_ltk, persistent);
1110 if (smp->link_key) {
1111 struct link_key *key;
1114 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1115 type = HCI_LK_DEBUG_COMBINATION;
1116 else if (hcon->sec_level == BT_SECURITY_FIPS)
1117 type = HCI_LK_AUTH_COMBINATION_P256;
1119 type = HCI_LK_UNAUTH_COMBINATION_P256;
1121 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1122 smp->link_key, type, 0, &persistent);
1124 key->link_type = hcon->type;
1125 key->bdaddr_type = hcon->dst_type;
1126 mgmt_new_link_key(hdev, key, persistent);
1128 /* Don't keep debug keys around if the relevant
1131 if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1132 key->type == HCI_LK_DEBUG_COMBINATION) {
1133 list_del_rcu(&key->list);
1134 kfree_rcu(key, rcu);
1140 static void sc_add_ltk(struct smp_chan *smp)
1142 struct hci_conn *hcon = smp->conn->hcon;
1145 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1146 key_type = SMP_LTK_P256_DEBUG;
1148 key_type = SMP_LTK_P256;
1150 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1155 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1156 key_type, auth, smp->tk, smp->enc_key_size,
1160 static void sc_generate_link_key(struct smp_chan *smp)
1162 /* From core spec. Spells out in ASCII as 'lebr'. */
1163 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1165 smp->link_key = kzalloc(16, GFP_KERNEL);
1169 if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1170 /* SALT = 0x000000000000000000000000746D7031 */
1171 const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1173 if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1174 kfree_sensitive(smp->link_key);
1175 smp->link_key = NULL;
1179 /* From core spec. Spells out in ASCII as 'tmp1'. */
1180 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1182 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1183 kfree_sensitive(smp->link_key);
1184 smp->link_key = NULL;
1189 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1190 kfree_sensitive(smp->link_key);
1191 smp->link_key = NULL;
1196 static void smp_allow_key_dist(struct smp_chan *smp)
1198 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1199 * will be allowed in each PDU handler to ensure we receive
1200 * them in the correct order.
1202 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1203 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1204 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1205 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1206 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1207 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1210 static void sc_generate_ltk(struct smp_chan *smp)
1212 /* From core spec. Spells out in ASCII as 'brle'. */
1213 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1214 struct hci_conn *hcon = smp->conn->hcon;
1215 struct hci_dev *hdev = hcon->hdev;
1216 struct link_key *key;
1218 key = hci_find_link_key(hdev, &hcon->dst);
1220 bt_dev_err(hdev, "no Link Key found to generate LTK");
1224 if (key->type == HCI_LK_DEBUG_COMBINATION)
1225 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1227 if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1228 /* SALT = 0x000000000000000000000000746D7032 */
1229 const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1231 if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1234 /* From core spec. Spells out in ASCII as 'tmp2'. */
1235 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1237 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1241 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1247 static void smp_distribute_keys(struct smp_chan *smp)
1249 struct smp_cmd_pairing *req, *rsp;
1250 struct l2cap_conn *conn = smp->conn;
1251 struct hci_conn *hcon = conn->hcon;
1252 struct hci_dev *hdev = hcon->hdev;
1255 bt_dev_dbg(hdev, "conn %p", conn);
1257 rsp = (void *) &smp->prsp[1];
1259 /* The responder sends its keys first */
1260 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1261 smp_allow_key_dist(smp);
1265 req = (void *) &smp->preq[1];
1268 keydist = &rsp->init_key_dist;
1269 *keydist &= req->init_key_dist;
1271 keydist = &rsp->resp_key_dist;
1272 *keydist &= req->resp_key_dist;
1275 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1276 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1277 sc_generate_link_key(smp);
1278 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1279 sc_generate_ltk(smp);
1281 /* Clear the keys which are generated but not distributed */
1282 *keydist &= ~SMP_SC_NO_DIST;
1285 bt_dev_dbg(hdev, "keydist 0x%x", *keydist);
1287 if (*keydist & SMP_DIST_ENC_KEY) {
1288 struct smp_cmd_encrypt_info enc;
1289 struct smp_cmd_initiator_ident ident;
1290 struct smp_ltk *ltk;
1295 /* Make sure we generate only the significant amount of
1296 * bytes based on the encryption key size, and set the rest
1297 * of the value to zeroes.
1299 get_random_bytes(enc.ltk, smp->enc_key_size);
1300 memset(enc.ltk + smp->enc_key_size, 0,
1301 sizeof(enc.ltk) - smp->enc_key_size);
1303 get_random_bytes(&ediv, sizeof(ediv));
1304 get_random_bytes(&rand, sizeof(rand));
1306 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1308 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1309 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1310 SMP_LTK_RESPONDER, authenticated, enc.ltk,
1311 smp->enc_key_size, ediv, rand);
1312 smp->responder_ltk = ltk;
1317 smp_send_cmd(conn, SMP_CMD_INITIATOR_IDENT, sizeof(ident),
1320 *keydist &= ~SMP_DIST_ENC_KEY;
1323 if (*keydist & SMP_DIST_ID_KEY) {
1324 struct smp_cmd_ident_addr_info addrinfo;
1325 struct smp_cmd_ident_info idinfo;
1327 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1329 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1331 /* The hci_conn contains the local identity address
1332 * after the connection has been established.
1334 * This is true even when the connection has been
1335 * established using a resolvable random address.
1337 bacpy(&addrinfo.bdaddr, &hcon->src);
1338 addrinfo.addr_type = hcon->src_type;
1340 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1343 *keydist &= ~SMP_DIST_ID_KEY;
1346 if (*keydist & SMP_DIST_SIGN) {
1347 struct smp_cmd_sign_info sign;
1348 struct smp_csrk *csrk;
1350 /* Generate a new random key */
1351 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1353 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1355 if (hcon->sec_level > BT_SECURITY_MEDIUM)
1356 csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1358 csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1359 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1361 smp->responder_csrk = csrk;
1363 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1365 *keydist &= ~SMP_DIST_SIGN;
1368 /* If there are still keys to be received wait for them */
1369 if (smp->remote_key_dist & KEY_DIST_MASK) {
1370 smp_allow_key_dist(smp);
1374 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1375 smp_notify_keys(conn);
1377 smp_chan_destroy(conn);
1380 static void smp_timeout(struct work_struct *work)
1382 struct smp_chan *smp = container_of(work, struct smp_chan,
1383 security_timer.work);
1384 struct l2cap_conn *conn = smp->conn;
1386 bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
1388 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1391 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1393 struct hci_conn *hcon = conn->hcon;
1394 struct l2cap_chan *chan = conn->smp;
1395 struct smp_chan *smp;
1397 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1401 smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1402 if (IS_ERR(smp->tfm_cmac)) {
1403 bt_dev_err(hcon->hdev, "Unable to create CMAC crypto context");
1407 smp->tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
1408 if (IS_ERR(smp->tfm_ecdh)) {
1409 bt_dev_err(hcon->hdev, "Unable to create ECDH crypto context");
1416 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1418 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1420 hci_conn_hold(hcon);
1425 crypto_free_shash(smp->tfm_cmac);
1427 kfree_sensitive(smp);
1431 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1433 struct hci_conn *hcon = smp->conn->hcon;
1434 u8 *na, *nb, a[7], b[7];
1444 memcpy(a, &hcon->init_addr, 6);
1445 memcpy(b, &hcon->resp_addr, 6);
1446 a[6] = hcon->init_addr_type;
1447 b[6] = hcon->resp_addr_type;
1449 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1452 static void sc_dhkey_check(struct smp_chan *smp)
1454 struct hci_conn *hcon = smp->conn->hcon;
1455 struct smp_cmd_dhkey_check check;
1456 u8 a[7], b[7], *local_addr, *remote_addr;
1457 u8 io_cap[3], r[16];
1459 memcpy(a, &hcon->init_addr, 6);
1460 memcpy(b, &hcon->resp_addr, 6);
1461 a[6] = hcon->init_addr_type;
1462 b[6] = hcon->resp_addr_type;
1467 memcpy(io_cap, &smp->preq[1], 3);
1471 memcpy(io_cap, &smp->prsp[1], 3);
1474 memset(r, 0, sizeof(r));
1476 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1477 put_unaligned_le32(hcon->passkey_notify, r);
1479 if (smp->method == REQ_OOB)
1480 memcpy(r, smp->rr, 16);
1482 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1483 local_addr, remote_addr, check.e);
1485 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1488 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1490 struct l2cap_conn *conn = smp->conn;
1491 struct hci_conn *hcon = conn->hcon;
1492 struct smp_cmd_pairing_confirm cfm;
1495 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1498 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1500 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1502 return SMP_UNSPECIFIED;
1504 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1509 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1511 struct l2cap_conn *conn = smp->conn;
1512 struct hci_conn *hcon = conn->hcon;
1513 struct hci_dev *hdev = hcon->hdev;
1516 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1517 if (smp->passkey_round >= 20)
1521 case SMP_CMD_PAIRING_RANDOM:
1522 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1525 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1527 return SMP_UNSPECIFIED;
1529 if (crypto_memneq(smp->pcnf, cfm, 16))
1530 return SMP_CONFIRM_FAILED;
1532 smp->passkey_round++;
1534 if (smp->passkey_round == 20) {
1535 /* Generate MacKey and LTK */
1536 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1537 return SMP_UNSPECIFIED;
1540 /* The round is only complete when the initiator
1541 * receives pairing random.
1544 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1545 sizeof(smp->prnd), smp->prnd);
1546 if (smp->passkey_round == 20)
1547 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1549 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1553 /* Start the next round */
1554 if (smp->passkey_round != 20)
1555 return sc_passkey_round(smp, 0);
1557 /* Passkey rounds are complete - start DHKey Check */
1558 sc_dhkey_check(smp);
1559 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1563 case SMP_CMD_PAIRING_CONFIRM:
1564 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1565 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1569 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1572 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1573 sizeof(smp->prnd), smp->prnd);
1577 return sc_passkey_send_confirm(smp);
1579 case SMP_CMD_PUBLIC_KEY:
1581 /* Initiating device starts the round */
1585 bt_dev_dbg(hdev, "Starting passkey round %u",
1586 smp->passkey_round + 1);
1588 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1590 return sc_passkey_send_confirm(smp);
1596 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1598 struct l2cap_conn *conn = smp->conn;
1599 struct hci_conn *hcon = conn->hcon;
1602 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1605 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1606 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1608 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1609 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1611 case MGMT_OP_USER_PASSKEY_REPLY:
1612 hcon->passkey_notify = le32_to_cpu(passkey);
1613 smp->passkey_round = 0;
1615 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1616 smp_op = SMP_CMD_PAIRING_CONFIRM;
1620 if (sc_passkey_round(smp, smp_op))
1626 /* Initiator sends DHKey check first */
1628 sc_dhkey_check(smp);
1629 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1630 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1631 sc_dhkey_check(smp);
1638 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1640 struct l2cap_conn *conn = hcon->l2cap_data;
1641 struct l2cap_chan *chan;
1642 struct smp_chan *smp;
1649 bt_dev_dbg(conn->hcon->hdev, "");
1655 l2cap_chan_lock(chan);
1663 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1664 err = sc_user_reply(smp, mgmt_op, passkey);
1669 case MGMT_OP_USER_PASSKEY_REPLY:
1670 value = le32_to_cpu(passkey);
1671 memset(smp->tk, 0, sizeof(smp->tk));
1672 bt_dev_dbg(conn->hcon->hdev, "PassKey: %u", value);
1673 put_unaligned_le32(value, smp->tk);
1675 case MGMT_OP_USER_CONFIRM_REPLY:
1676 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1678 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1679 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1680 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1684 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1691 /* If it is our turn to send Pairing Confirm, do so now */
1692 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1693 u8 rsp = smp_confirm(smp);
1695 smp_failure(conn, rsp);
1699 l2cap_chan_unlock(chan);
1703 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1704 struct smp_cmd_pairing *req,
1705 struct smp_cmd_pairing *rsp)
1707 struct l2cap_conn *conn = smp->conn;
1708 struct hci_dev *hdev = conn->hcon->hdev;
1709 u8 local_dist = 0, remote_dist = 0;
1711 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1712 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1713 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1716 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1717 remote_dist |= SMP_DIST_ID_KEY;
1719 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1720 local_dist |= SMP_DIST_ID_KEY;
1723 memset(req, 0, sizeof(*req));
1725 req->auth_req = SMP_AUTH_CT2;
1726 req->init_key_dist = local_dist;
1727 req->resp_key_dist = remote_dist;
1728 req->max_key_size = conn->hcon->enc_key_size;
1730 smp->remote_key_dist = remote_dist;
1735 memset(rsp, 0, sizeof(*rsp));
1737 rsp->auth_req = SMP_AUTH_CT2;
1738 rsp->max_key_size = conn->hcon->enc_key_size;
1739 rsp->init_key_dist = req->init_key_dist & remote_dist;
1740 rsp->resp_key_dist = req->resp_key_dist & local_dist;
1742 smp->remote_key_dist = rsp->init_key_dist;
1745 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1747 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1748 struct l2cap_chan *chan = conn->smp;
1749 struct hci_dev *hdev = conn->hcon->hdev;
1750 struct smp_chan *smp;
1751 u8 key_size, auth, sec_level;
1754 bt_dev_dbg(hdev, "conn %p", conn);
1756 if (skb->len < sizeof(*req))
1757 return SMP_INVALID_PARAMS;
1759 if (conn->hcon->role != HCI_ROLE_SLAVE)
1760 return SMP_CMD_NOTSUPP;
1763 smp = smp_chan_create(conn);
1768 return SMP_UNSPECIFIED;
1770 /* We didn't start the pairing, so match remote */
1771 auth = req->auth_req & AUTH_REQ_MASK(hdev);
1773 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1774 (auth & SMP_AUTH_BONDING))
1775 return SMP_PAIRING_NOTSUPP;
1777 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1778 return SMP_AUTH_REQUIREMENTS;
1780 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1781 memcpy(&smp->preq[1], req, sizeof(*req));
1782 skb_pull(skb, sizeof(*req));
1784 /* If the remote side's OOB flag is set it means it has
1785 * successfully received our local OOB data - therefore set the
1786 * flag to indicate that local OOB is in use.
1788 if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1789 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1791 /* SMP over BR/EDR requires special treatment */
1792 if (conn->hcon->type == ACL_LINK) {
1793 /* We must have a BR/EDR SC link */
1794 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1795 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1796 return SMP_CROSS_TRANSP_NOT_ALLOWED;
1798 set_bit(SMP_FLAG_SC, &smp->flags);
1800 build_bredr_pairing_cmd(smp, req, &rsp);
1802 if (req->auth_req & SMP_AUTH_CT2)
1803 set_bit(SMP_FLAG_CT2, &smp->flags);
1805 key_size = min(req->max_key_size, rsp.max_key_size);
1806 if (check_enc_key_size(conn, key_size))
1807 return SMP_ENC_KEY_SIZE;
1809 /* Clear bits which are generated but not distributed */
1810 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1812 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1813 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1814 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1816 smp_distribute_keys(smp);
1820 build_pairing_cmd(conn, req, &rsp, auth);
1822 if (rsp.auth_req & SMP_AUTH_SC) {
1823 set_bit(SMP_FLAG_SC, &smp->flags);
1825 if (rsp.auth_req & SMP_AUTH_CT2)
1826 set_bit(SMP_FLAG_CT2, &smp->flags);
1829 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1830 sec_level = BT_SECURITY_MEDIUM;
1832 sec_level = authreq_to_seclevel(auth);
1834 if (sec_level > conn->hcon->pending_sec_level)
1835 conn->hcon->pending_sec_level = sec_level;
1837 /* If we need MITM check that it can be achieved */
1838 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1841 method = get_auth_method(smp, conn->hcon->io_capability,
1842 req->io_capability);
1843 if (method == JUST_WORKS || method == JUST_CFM)
1844 return SMP_AUTH_REQUIREMENTS;
1847 key_size = min(req->max_key_size, rsp.max_key_size);
1848 if (check_enc_key_size(conn, key_size))
1849 return SMP_ENC_KEY_SIZE;
1851 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1853 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1854 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1856 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1858 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1860 /* Strictly speaking we shouldn't allow Pairing Confirm for the
1861 * SC case, however some implementations incorrectly copy RFU auth
1862 * req bits from our security request, which may create a false
1863 * positive SC enablement.
1865 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1867 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1868 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1869 /* Clear bits which are generated but not distributed */
1870 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1871 /* Wait for Public Key from Initiating Device */
1875 /* Request setup of TK */
1876 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1878 return SMP_UNSPECIFIED;
1883 static u8 sc_send_public_key(struct smp_chan *smp)
1885 struct hci_dev *hdev = smp->conn->hcon->hdev;
1887 bt_dev_dbg(hdev, "");
1889 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1890 struct l2cap_chan *chan = hdev->smp_data;
1891 struct smp_dev *smp_dev;
1893 if (!chan || !chan->data)
1894 return SMP_UNSPECIFIED;
1896 smp_dev = chan->data;
1898 memcpy(smp->local_pk, smp_dev->local_pk, 64);
1899 memcpy(smp->lr, smp_dev->local_rand, 16);
1901 if (smp_dev->debug_key)
1902 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1907 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1908 bt_dev_dbg(hdev, "Using debug keys");
1909 if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
1910 return SMP_UNSPECIFIED;
1911 memcpy(smp->local_pk, debug_pk, 64);
1912 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1915 /* Generate key pair for Secure Connections */
1916 if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
1917 return SMP_UNSPECIFIED;
1919 /* This is unlikely, but we need to check that
1920 * we didn't accidentally generate a debug key.
1922 if (crypto_memneq(smp->local_pk, debug_pk, 64))
1928 SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1929 SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1931 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1936 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1938 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1939 struct l2cap_chan *chan = conn->smp;
1940 struct smp_chan *smp = chan->data;
1941 struct hci_dev *hdev = conn->hcon->hdev;
1945 bt_dev_dbg(hdev, "conn %p", conn);
1947 if (skb->len < sizeof(*rsp))
1948 return SMP_INVALID_PARAMS;
1950 if (conn->hcon->role != HCI_ROLE_MASTER)
1951 return SMP_CMD_NOTSUPP;
1953 skb_pull(skb, sizeof(*rsp));
1955 req = (void *) &smp->preq[1];
1957 key_size = min(req->max_key_size, rsp->max_key_size);
1958 if (check_enc_key_size(conn, key_size))
1959 return SMP_ENC_KEY_SIZE;
1961 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1963 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1964 return SMP_AUTH_REQUIREMENTS;
1966 /* If the remote side's OOB flag is set it means it has
1967 * successfully received our local OOB data - therefore set the
1968 * flag to indicate that local OOB is in use.
1970 if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1971 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1973 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1974 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1976 /* Update remote key distribution in case the remote cleared
1977 * some bits that we had enabled in our request.
1979 smp->remote_key_dist &= rsp->resp_key_dist;
1981 if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1982 set_bit(SMP_FLAG_CT2, &smp->flags);
1984 /* For BR/EDR this means we're done and can start phase 3 */
1985 if (conn->hcon->type == ACL_LINK) {
1986 /* Clear bits which are generated but not distributed */
1987 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1988 smp_distribute_keys(smp);
1992 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1993 set_bit(SMP_FLAG_SC, &smp->flags);
1994 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1995 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1997 /* If we need MITM check that it can be achieved */
1998 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
2001 method = get_auth_method(smp, req->io_capability,
2002 rsp->io_capability);
2003 if (method == JUST_WORKS || method == JUST_CFM)
2004 return SMP_AUTH_REQUIREMENTS;
2007 get_random_bytes(smp->prnd, sizeof(smp->prnd));
2009 /* Update remote key distribution in case the remote cleared
2010 * some bits that we had enabled in our request.
2012 smp->remote_key_dist &= rsp->resp_key_dist;
2014 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2015 /* Clear bits which are generated but not distributed */
2016 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
2017 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2018 return sc_send_public_key(smp);
2021 auth |= req->auth_req;
2023 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2025 return SMP_UNSPECIFIED;
2027 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2029 /* Can't compose response until we have been confirmed */
2030 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2031 return smp_confirm(smp);
2036 static u8 sc_check_confirm(struct smp_chan *smp)
2038 struct l2cap_conn *conn = smp->conn;
2040 bt_dev_dbg(conn->hcon->hdev, "");
2042 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2043 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2045 if (conn->hcon->out) {
2046 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2048 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2054 /* Work-around for some implementations that incorrectly copy RFU bits
2055 * from our security request and thereby create the impression that
2056 * we're doing SC when in fact the remote doesn't support it.
2058 static int fixup_sc_false_positive(struct smp_chan *smp)
2060 struct l2cap_conn *conn = smp->conn;
2061 struct hci_conn *hcon = conn->hcon;
2062 struct hci_dev *hdev = hcon->hdev;
2063 struct smp_cmd_pairing *req, *rsp;
2066 /* The issue is only observed when we're in responder role */
2068 return SMP_UNSPECIFIED;
2070 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2071 bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
2072 return SMP_UNSPECIFIED;
2075 bt_dev_err(hdev, "trying to fall back to legacy SMP");
2077 req = (void *) &smp->preq[1];
2078 rsp = (void *) &smp->prsp[1];
2080 /* Rebuild key dist flags which may have been cleared for SC */
2081 smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2083 auth = req->auth_req & AUTH_REQ_MASK(hdev);
2085 if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2086 bt_dev_err(hdev, "failed to fall back to legacy SMP");
2087 return SMP_UNSPECIFIED;
2090 clear_bit(SMP_FLAG_SC, &smp->flags);
2095 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2097 struct l2cap_chan *chan = conn->smp;
2098 struct smp_chan *smp = chan->data;
2099 struct hci_conn *hcon = conn->hcon;
2100 struct hci_dev *hdev = hcon->hdev;
2102 bt_dev_dbg(hdev, "conn %p %s", conn,
2103 hcon->out ? "initiator" : "responder");
2105 if (skb->len < sizeof(smp->pcnf))
2106 return SMP_INVALID_PARAMS;
2108 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2109 skb_pull(skb, sizeof(smp->pcnf));
2111 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2114 /* Public Key exchange must happen before any other steps */
2115 if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2116 return sc_check_confirm(smp);
2118 bt_dev_err(hdev, "Unexpected SMP Pairing Confirm");
2120 ret = fixup_sc_false_positive(smp);
2125 if (conn->hcon->out) {
2126 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2128 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2132 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2133 return smp_confirm(smp);
2135 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2140 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2142 struct l2cap_chan *chan = conn->smp;
2143 struct smp_chan *smp = chan->data;
2144 struct hci_conn *hcon = conn->hcon;
2145 u8 *pkax, *pkbx, *na, *nb, confirm_hint;
2149 bt_dev_dbg(hcon->hdev, "conn %p", conn);
2151 if (skb->len < sizeof(smp->rrnd))
2152 return SMP_INVALID_PARAMS;
2154 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2155 skb_pull(skb, sizeof(smp->rrnd));
2157 if (!test_bit(SMP_FLAG_SC, &smp->flags))
2158 return smp_random(smp);
2161 pkax = smp->local_pk;
2162 pkbx = smp->remote_pk;
2166 pkax = smp->remote_pk;
2167 pkbx = smp->local_pk;
2172 if (smp->method == REQ_OOB) {
2174 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2175 sizeof(smp->prnd), smp->prnd);
2176 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2177 goto mackey_and_ltk;
2180 /* Passkey entry has special treatment */
2181 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2182 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2187 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2190 return SMP_UNSPECIFIED;
2192 if (crypto_memneq(smp->pcnf, cfm, 16))
2193 return SMP_CONFIRM_FAILED;
2195 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2197 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2199 /* Only Just-Works pairing requires extra checks */
2200 if (smp->method != JUST_WORKS)
2201 goto mackey_and_ltk;
2203 /* If there already exists long term key in local host, leave
2204 * the decision to user space since the remote device could
2205 * be legitimate or malicious.
2207 if (hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
2209 /* Set passkey to 0. The value can be any number since
2210 * it'll be ignored anyway.
2219 /* Generate MacKey and LTK */
2220 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2222 return SMP_UNSPECIFIED;
2224 if (smp->method == REQ_OOB) {
2226 sc_dhkey_check(smp);
2227 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2232 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2234 return SMP_UNSPECIFIED;
2239 if (smp->method == JUST_WORKS)
2242 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2243 hcon->dst_type, passkey, confirm_hint);
2245 return SMP_UNSPECIFIED;
2247 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2252 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2254 struct smp_ltk *key;
2255 struct hci_conn *hcon = conn->hcon;
2257 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2261 if (smp_ltk_sec_level(key) < sec_level)
2264 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2267 hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2268 hcon->enc_key_size = key->enc_size;
2270 /* We never store STKs for initiator role, so clear this flag */
2271 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2276 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2277 enum smp_key_pref key_pref)
2279 if (sec_level == BT_SECURITY_LOW)
2282 /* If we're encrypted with an STK but the caller prefers using
2283 * LTK claim insufficient security. This way we allow the
2284 * connection to be re-encrypted with an LTK, even if the LTK
2285 * provides the same level of security. Only exception is if we
2286 * don't have an LTK (e.g. because of key distribution bits).
2288 if (key_pref == SMP_USE_LTK &&
2289 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2290 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2293 if (hcon->sec_level >= sec_level)
2299 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2301 struct smp_cmd_security_req *rp = (void *) skb->data;
2302 struct smp_cmd_pairing cp;
2303 struct hci_conn *hcon = conn->hcon;
2304 struct hci_dev *hdev = hcon->hdev;
2305 struct smp_chan *smp;
2308 bt_dev_dbg(hdev, "conn %p", conn);
2310 if (skb->len < sizeof(*rp))
2311 return SMP_INVALID_PARAMS;
2313 if (hcon->role != HCI_ROLE_MASTER)
2314 return SMP_CMD_NOTSUPP;
2316 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2318 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2319 return SMP_AUTH_REQUIREMENTS;
2321 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2322 sec_level = BT_SECURITY_MEDIUM;
2324 sec_level = authreq_to_seclevel(auth);
2326 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2327 /* If link is already encrypted with sufficient security we
2328 * still need refresh encryption as per Core Spec 5.0 Vol 3,
2331 smp_ltk_encrypt(conn, hcon->sec_level);
2335 if (sec_level > hcon->pending_sec_level)
2336 hcon->pending_sec_level = sec_level;
2338 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2341 smp = smp_chan_create(conn);
2343 return SMP_UNSPECIFIED;
2345 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2346 (auth & SMP_AUTH_BONDING))
2347 return SMP_PAIRING_NOTSUPP;
2349 skb_pull(skb, sizeof(*rp));
2351 memset(&cp, 0, sizeof(cp));
2352 build_pairing_cmd(conn, &cp, NULL, auth);
2354 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2355 memcpy(&smp->preq[1], &cp, sizeof(cp));
2357 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2358 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2363 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2365 struct l2cap_conn *conn = hcon->l2cap_data;
2366 struct l2cap_chan *chan;
2367 struct smp_chan *smp;
2371 bt_dev_dbg(hcon->hdev, "conn %p hcon %p level 0x%2.2x", conn, hcon,
2374 /* This may be NULL if there's an unexpected disconnection */
2378 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2381 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2384 if (sec_level > hcon->pending_sec_level)
2385 hcon->pending_sec_level = sec_level;
2387 if (hcon->role == HCI_ROLE_MASTER)
2388 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2393 bt_dev_err(hcon->hdev, "security requested but not available");
2397 l2cap_chan_lock(chan);
2399 /* If SMP is already in progress ignore this request */
2405 smp = smp_chan_create(conn);
2411 authreq = seclevel_to_authreq(sec_level);
2413 if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2414 authreq |= SMP_AUTH_SC;
2415 if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2416 authreq |= SMP_AUTH_CT2;
2419 /* Don't attempt to set MITM if setting is overridden by debugfs
2420 * Needed to pass certification test SM/MAS/PKE/BV-01-C
2422 if (!hci_dev_test_flag(hcon->hdev, HCI_FORCE_NO_MITM)) {
2423 /* Require MITM if IO Capability allows or the security level
2426 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2427 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2428 authreq |= SMP_AUTH_MITM;
2431 if (hcon->role == HCI_ROLE_MASTER) {
2432 struct smp_cmd_pairing cp;
2434 build_pairing_cmd(conn, &cp, NULL, authreq);
2435 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2436 memcpy(&smp->preq[1], &cp, sizeof(cp));
2438 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2439 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2441 struct smp_cmd_security_req cp;
2442 cp.auth_req = authreq;
2443 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2444 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2447 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2451 l2cap_chan_unlock(chan);
2455 int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2458 struct hci_conn *hcon;
2459 struct l2cap_conn *conn;
2460 struct l2cap_chan *chan;
2461 struct smp_chan *smp;
2464 err = hci_remove_ltk(hdev, bdaddr, addr_type);
2465 hci_remove_irk(hdev, bdaddr, addr_type);
2467 hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2471 conn = hcon->l2cap_data;
2479 l2cap_chan_lock(chan);
2483 /* Set keys to NULL to make sure smp_failure() does not try to
2484 * remove and free already invalidated rcu list entries. */
2486 smp->responder_ltk = NULL;
2487 smp->remote_irk = NULL;
2489 if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2490 smp_failure(conn, 0);
2492 smp_failure(conn, SMP_UNSPECIFIED);
2496 l2cap_chan_unlock(chan);
2502 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2504 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2505 struct l2cap_chan *chan = conn->smp;
2506 struct smp_chan *smp = chan->data;
2508 bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
2510 if (skb->len < sizeof(*rp))
2511 return SMP_INVALID_PARAMS;
2513 /* Pairing is aborted if any blocked keys are distributed */
2514 if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_LTK,
2516 bt_dev_warn_ratelimited(conn->hcon->hdev,
2517 "LTK blocked for %pMR",
2519 return SMP_INVALID_PARAMS;
2522 SMP_ALLOW_CMD(smp, SMP_CMD_INITIATOR_IDENT);
2524 skb_pull(skb, sizeof(*rp));
2526 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2531 static int smp_cmd_initiator_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2533 struct smp_cmd_initiator_ident *rp = (void *)skb->data;
2534 struct l2cap_chan *chan = conn->smp;
2535 struct smp_chan *smp = chan->data;
2536 struct hci_dev *hdev = conn->hcon->hdev;
2537 struct hci_conn *hcon = conn->hcon;
2538 struct smp_ltk *ltk;
2541 bt_dev_dbg(hdev, "conn %p", conn);
2543 if (skb->len < sizeof(*rp))
2544 return SMP_INVALID_PARAMS;
2546 /* Mark the information as received */
2547 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2549 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2550 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2551 else if (smp->remote_key_dist & SMP_DIST_SIGN)
2552 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2554 skb_pull(skb, sizeof(*rp));
2556 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2557 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2558 authenticated, smp->tk, smp->enc_key_size,
2559 rp->ediv, rp->rand);
2561 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2562 smp_distribute_keys(smp);
2567 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2569 struct smp_cmd_ident_info *info = (void *) skb->data;
2570 struct l2cap_chan *chan = conn->smp;
2571 struct smp_chan *smp = chan->data;
2573 bt_dev_dbg(conn->hcon->hdev, "");
2575 if (skb->len < sizeof(*info))
2576 return SMP_INVALID_PARAMS;
2578 /* Pairing is aborted if any blocked keys are distributed */
2579 if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_IRK,
2581 bt_dev_warn_ratelimited(conn->hcon->hdev,
2582 "Identity key blocked for %pMR",
2584 return SMP_INVALID_PARAMS;
2587 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2589 skb_pull(skb, sizeof(*info));
2591 memcpy(smp->irk, info->irk, 16);
2596 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2597 struct sk_buff *skb)
2599 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2600 struct l2cap_chan *chan = conn->smp;
2601 struct smp_chan *smp = chan->data;
2602 struct hci_conn *hcon = conn->hcon;
2605 bt_dev_dbg(hcon->hdev, "");
2607 if (skb->len < sizeof(*info))
2608 return SMP_INVALID_PARAMS;
2610 /* Mark the information as received */
2611 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2613 if (smp->remote_key_dist & SMP_DIST_SIGN)
2614 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2616 skb_pull(skb, sizeof(*info));
2618 /* Strictly speaking the Core Specification (4.1) allows sending
2619 * an empty address which would force us to rely on just the IRK
2620 * as "identity information". However, since such
2621 * implementations are not known of and in order to not over
2622 * complicate our implementation, simply pretend that we never
2623 * received an IRK for such a device.
2625 * The Identity Address must also be a Static Random or Public
2626 * Address, which hci_is_identity_address() checks for.
2628 if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2629 !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2630 bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
2634 /* Drop IRK if peer is using identity address during pairing but is
2635 * providing different address as identity information.
2637 * Microsoft Surface Precision Mouse is known to have this bug.
2639 if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
2640 (bacmp(&info->bdaddr, &hcon->dst) ||
2641 info->addr_type != hcon->dst_type)) {
2642 bt_dev_err(hcon->hdev,
2643 "ignoring IRK with invalid identity address");
2647 bacpy(&smp->id_addr, &info->bdaddr);
2648 smp->id_addr_type = info->addr_type;
2650 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2651 bacpy(&rpa, &hcon->dst);
2653 bacpy(&rpa, BDADDR_ANY);
2655 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2656 smp->id_addr_type, smp->irk, &rpa);
2659 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2660 smp_distribute_keys(smp);
2665 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2667 struct smp_cmd_sign_info *rp = (void *) skb->data;
2668 struct l2cap_chan *chan = conn->smp;
2669 struct smp_chan *smp = chan->data;
2670 struct smp_csrk *csrk;
2672 bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
2674 if (skb->len < sizeof(*rp))
2675 return SMP_INVALID_PARAMS;
2677 /* Mark the information as received */
2678 smp->remote_key_dist &= ~SMP_DIST_SIGN;
2680 skb_pull(skb, sizeof(*rp));
2682 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2684 if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2685 csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2687 csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2688 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2691 smp_distribute_keys(smp);
2696 static u8 sc_select_method(struct smp_chan *smp)
2698 struct l2cap_conn *conn = smp->conn;
2699 struct hci_conn *hcon = conn->hcon;
2700 struct smp_cmd_pairing *local, *remote;
2701 u8 local_mitm, remote_mitm, local_io, remote_io, method;
2703 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2704 test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2707 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2708 * which are needed as inputs to some crypto functions. To get
2709 * the "struct smp_cmd_pairing" from them we need to skip the
2710 * first byte which contains the opcode.
2713 local = (void *) &smp->preq[1];
2714 remote = (void *) &smp->prsp[1];
2716 local = (void *) &smp->prsp[1];
2717 remote = (void *) &smp->preq[1];
2720 local_io = local->io_capability;
2721 remote_io = remote->io_capability;
2723 local_mitm = (local->auth_req & SMP_AUTH_MITM);
2724 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2726 /* If either side wants MITM, look up the method from the table,
2727 * otherwise use JUST WORKS.
2729 if (local_mitm || remote_mitm)
2730 method = get_auth_method(smp, local_io, remote_io);
2732 method = JUST_WORKS;
2734 /* Don't confirm locally initiated pairing attempts */
2735 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2736 method = JUST_WORKS;
2741 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2743 struct smp_cmd_public_key *key = (void *) skb->data;
2744 struct hci_conn *hcon = conn->hcon;
2745 struct l2cap_chan *chan = conn->smp;
2746 struct smp_chan *smp = chan->data;
2747 struct hci_dev *hdev = hcon->hdev;
2748 struct crypto_kpp *tfm_ecdh;
2749 struct smp_cmd_pairing_confirm cfm;
2752 bt_dev_dbg(hdev, "conn %p", conn);
2754 if (skb->len < sizeof(*key))
2755 return SMP_INVALID_PARAMS;
2757 /* Check if remote and local public keys are the same and debug key is
2760 if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) &&
2761 !crypto_memneq(key, smp->local_pk, 64)) {
2762 bt_dev_err(hdev, "Remote and local public keys are identical");
2763 return SMP_UNSPECIFIED;
2766 memcpy(smp->remote_pk, key, 64);
2768 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2769 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2770 smp->rr, 0, cfm.confirm_val);
2772 return SMP_UNSPECIFIED;
2774 if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2775 return SMP_CONFIRM_FAILED;
2778 /* Non-initiating device sends its public key after receiving
2779 * the key from the initiating device.
2782 err = sc_send_public_key(smp);
2787 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2788 SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2790 /* Compute the shared secret on the same crypto tfm on which the private
2791 * key was set/generated.
2793 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
2794 struct l2cap_chan *hchan = hdev->smp_data;
2795 struct smp_dev *smp_dev;
2797 if (!hchan || !hchan->data)
2798 return SMP_UNSPECIFIED;
2800 smp_dev = hchan->data;
2802 tfm_ecdh = smp_dev->tfm_ecdh;
2804 tfm_ecdh = smp->tfm_ecdh;
2807 if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
2808 return SMP_UNSPECIFIED;
2810 SMP_DBG("DHKey %32phN", smp->dhkey);
2812 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2814 smp->method = sc_select_method(smp);
2816 bt_dev_dbg(hdev, "selected method 0x%02x", smp->method);
2818 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2819 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2820 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2822 hcon->pending_sec_level = BT_SECURITY_FIPS;
2824 if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2825 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2827 if (smp->method == DSP_PASSKEY) {
2828 get_random_bytes(&hcon->passkey_notify,
2829 sizeof(hcon->passkey_notify));
2830 hcon->passkey_notify %= 1000000;
2831 hcon->passkey_entered = 0;
2832 smp->passkey_round = 0;
2833 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2835 hcon->passkey_notify,
2836 hcon->passkey_entered))
2837 return SMP_UNSPECIFIED;
2838 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2839 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2842 if (smp->method == REQ_OOB) {
2844 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2845 sizeof(smp->prnd), smp->prnd);
2847 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2853 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2855 if (smp->method == REQ_PASSKEY) {
2856 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2858 return SMP_UNSPECIFIED;
2859 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2860 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2864 /* The Initiating device waits for the non-initiating device to
2865 * send the confirm value.
2867 if (conn->hcon->out)
2870 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2871 0, cfm.confirm_val);
2873 return SMP_UNSPECIFIED;
2875 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2876 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2881 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2883 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2884 struct l2cap_chan *chan = conn->smp;
2885 struct hci_conn *hcon = conn->hcon;
2886 struct smp_chan *smp = chan->data;
2887 u8 a[7], b[7], *local_addr, *remote_addr;
2888 u8 io_cap[3], r[16], e[16];
2891 bt_dev_dbg(hcon->hdev, "conn %p", conn);
2893 if (skb->len < sizeof(*check))
2894 return SMP_INVALID_PARAMS;
2896 memcpy(a, &hcon->init_addr, 6);
2897 memcpy(b, &hcon->resp_addr, 6);
2898 a[6] = hcon->init_addr_type;
2899 b[6] = hcon->resp_addr_type;
2904 memcpy(io_cap, &smp->prsp[1], 3);
2908 memcpy(io_cap, &smp->preq[1], 3);
2911 memset(r, 0, sizeof(r));
2913 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2914 put_unaligned_le32(hcon->passkey_notify, r);
2915 else if (smp->method == REQ_OOB)
2916 memcpy(r, smp->lr, 16);
2918 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2919 io_cap, remote_addr, local_addr, e);
2921 return SMP_UNSPECIFIED;
2923 if (crypto_memneq(check->e, e, 16))
2924 return SMP_DHKEY_CHECK_FAILED;
2927 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2928 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2932 /* Responder sends DHKey check as response to initiator */
2933 sc_dhkey_check(smp);
2939 hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2940 hcon->enc_key_size = smp->enc_key_size;
2946 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2947 struct sk_buff *skb)
2949 struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2951 bt_dev_dbg(conn->hcon->hdev, "value 0x%02x", kp->value);
2956 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2958 struct l2cap_conn *conn = chan->conn;
2959 struct hci_conn *hcon = conn->hcon;
2960 struct smp_chan *smp;
2967 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2968 reason = SMP_PAIRING_NOTSUPP;
2972 code = skb->data[0];
2973 skb_pull(skb, sizeof(code));
2977 if (code > SMP_CMD_MAX)
2980 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2983 /* If we don't have a context the only allowed commands are
2984 * pairing request and security request.
2986 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2990 case SMP_CMD_PAIRING_REQ:
2991 reason = smp_cmd_pairing_req(conn, skb);
2994 case SMP_CMD_PAIRING_FAIL:
2995 smp_failure(conn, 0);
2999 case SMP_CMD_PAIRING_RSP:
3000 reason = smp_cmd_pairing_rsp(conn, skb);
3003 case SMP_CMD_SECURITY_REQ:
3004 reason = smp_cmd_security_req(conn, skb);
3007 case SMP_CMD_PAIRING_CONFIRM:
3008 reason = smp_cmd_pairing_confirm(conn, skb);
3011 case SMP_CMD_PAIRING_RANDOM:
3012 reason = smp_cmd_pairing_random(conn, skb);
3015 case SMP_CMD_ENCRYPT_INFO:
3016 reason = smp_cmd_encrypt_info(conn, skb);
3019 case SMP_CMD_INITIATOR_IDENT:
3020 reason = smp_cmd_initiator_ident(conn, skb);
3023 case SMP_CMD_IDENT_INFO:
3024 reason = smp_cmd_ident_info(conn, skb);
3027 case SMP_CMD_IDENT_ADDR_INFO:
3028 reason = smp_cmd_ident_addr_info(conn, skb);
3031 case SMP_CMD_SIGN_INFO:
3032 reason = smp_cmd_sign_info(conn, skb);
3035 case SMP_CMD_PUBLIC_KEY:
3036 reason = smp_cmd_public_key(conn, skb);
3039 case SMP_CMD_DHKEY_CHECK:
3040 reason = smp_cmd_dhkey_check(conn, skb);
3043 case SMP_CMD_KEYPRESS_NOTIFY:
3044 reason = smp_cmd_keypress_notify(conn, skb);
3048 bt_dev_dbg(hcon->hdev, "Unknown command code 0x%2.2x", code);
3049 reason = SMP_CMD_NOTSUPP;
3056 smp_failure(conn, reason);
3063 bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
3069 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
3071 struct l2cap_conn *conn = chan->conn;
3073 bt_dev_dbg(conn->hcon->hdev, "chan %p", chan);
3076 smp_chan_destroy(conn);
3079 l2cap_chan_put(chan);
3082 static void bredr_pairing(struct l2cap_chan *chan)
3084 struct l2cap_conn *conn = chan->conn;
3085 struct hci_conn *hcon = conn->hcon;
3086 struct hci_dev *hdev = hcon->hdev;
3087 struct smp_cmd_pairing req;
3088 struct smp_chan *smp;
3090 bt_dev_dbg(hdev, "chan %p", chan);
3092 /* Only new pairings are interesting */
3093 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
3096 /* Don't bother if we're not encrypted */
3097 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3100 /* Only initiator may initiate SMP over BR/EDR */
3101 if (hcon->role != HCI_ROLE_MASTER)
3104 /* Secure Connections support must be enabled */
3105 if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
3108 /* BR/EDR must use Secure Connections for SMP */
3109 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
3110 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3113 /* If our LE support is not enabled don't do anything */
3114 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3117 /* Don't bother if remote LE support is not enabled */
3118 if (!lmp_host_le_capable(hcon))
3121 /* Remote must support SMP fixed chan for BR/EDR */
3122 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3125 /* Don't bother if SMP is already ongoing */
3129 smp = smp_chan_create(conn);
3131 bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
3135 set_bit(SMP_FLAG_SC, &smp->flags);
3137 bt_dev_dbg(hdev, "starting SMP over BR/EDR");
3139 /* Prepare and send the BR/EDR SMP Pairing Request */
3140 build_bredr_pairing_cmd(smp, &req, NULL);
3142 smp->preq[0] = SMP_CMD_PAIRING_REQ;
3143 memcpy(&smp->preq[1], &req, sizeof(req));
3145 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3146 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3149 static void smp_resume_cb(struct l2cap_chan *chan)
3151 struct smp_chan *smp = chan->data;
3152 struct l2cap_conn *conn = chan->conn;
3153 struct hci_conn *hcon = conn->hcon;
3155 bt_dev_dbg(hcon->hdev, "chan %p", chan);
3157 if (hcon->type == ACL_LINK) {
3158 bredr_pairing(chan);
3165 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3168 cancel_delayed_work(&smp->security_timer);
3170 smp_distribute_keys(smp);
3173 static void smp_ready_cb(struct l2cap_chan *chan)
3175 struct l2cap_conn *conn = chan->conn;
3176 struct hci_conn *hcon = conn->hcon;
3178 bt_dev_dbg(hcon->hdev, "chan %p", chan);
3180 /* No need to call l2cap_chan_hold() here since we already own
3181 * the reference taken in smp_new_conn_cb(). This is just the
3182 * first time that we tie it to a specific pointer. The code in
3183 * l2cap_core.c ensures that there's no risk this function wont
3184 * get called if smp_new_conn_cb was previously called.
3188 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3189 bredr_pairing(chan);
3192 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3196 bt_dev_dbg(chan->conn->hcon->hdev, "chan %p", chan);
3198 err = smp_sig_channel(chan, skb);
3200 struct smp_chan *smp = chan->data;
3203 cancel_delayed_work_sync(&smp->security_timer);
3205 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3211 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3212 unsigned long hdr_len,
3213 unsigned long len, int nb)
3215 struct sk_buff *skb;
3217 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3219 return ERR_PTR(-ENOMEM);
3221 skb->priority = HCI_PRIO_MAX;
3222 bt_cb(skb)->l2cap.chan = chan;
3227 static const struct l2cap_ops smp_chan_ops = {
3228 .name = "Security Manager",
3229 .ready = smp_ready_cb,
3230 .recv = smp_recv_cb,
3231 .alloc_skb = smp_alloc_skb_cb,
3232 .teardown = smp_teardown_cb,
3233 .resume = smp_resume_cb,
3235 .new_connection = l2cap_chan_no_new_connection,
3236 .state_change = l2cap_chan_no_state_change,
3237 .close = l2cap_chan_no_close,
3238 .defer = l2cap_chan_no_defer,
3239 .suspend = l2cap_chan_no_suspend,
3240 .set_shutdown = l2cap_chan_no_set_shutdown,
3241 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
3244 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3246 struct l2cap_chan *chan;
3248 BT_DBG("pchan %p", pchan);
3250 chan = l2cap_chan_create();
3254 chan->chan_type = pchan->chan_type;
3255 chan->ops = &smp_chan_ops;
3256 chan->scid = pchan->scid;
3257 chan->dcid = chan->scid;
3258 chan->imtu = pchan->imtu;
3259 chan->omtu = pchan->omtu;
3260 chan->mode = pchan->mode;
3262 /* Other L2CAP channels may request SMP routines in order to
3263 * change the security level. This means that the SMP channel
3264 * lock must be considered in its own category to avoid lockdep
3267 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3269 BT_DBG("created chan %p", chan);
3274 static const struct l2cap_ops smp_root_chan_ops = {
3275 .name = "Security Manager Root",
3276 .new_connection = smp_new_conn_cb,
3278 /* None of these are implemented for the root channel */
3279 .close = l2cap_chan_no_close,
3280 .alloc_skb = l2cap_chan_no_alloc_skb,
3281 .recv = l2cap_chan_no_recv,
3282 .state_change = l2cap_chan_no_state_change,
3283 .teardown = l2cap_chan_no_teardown,
3284 .ready = l2cap_chan_no_ready,
3285 .defer = l2cap_chan_no_defer,
3286 .suspend = l2cap_chan_no_suspend,
3287 .resume = l2cap_chan_no_resume,
3288 .set_shutdown = l2cap_chan_no_set_shutdown,
3289 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
3292 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3294 struct l2cap_chan *chan;
3295 struct smp_dev *smp;
3296 struct crypto_shash *tfm_cmac;
3297 struct crypto_kpp *tfm_ecdh;
3299 if (cid == L2CAP_CID_SMP_BREDR) {
3304 smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3306 return ERR_PTR(-ENOMEM);
3308 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3309 if (IS_ERR(tfm_cmac)) {
3310 bt_dev_err(hdev, "Unable to create CMAC crypto context");
3311 kfree_sensitive(smp);
3312 return ERR_CAST(tfm_cmac);
3315 tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
3316 if (IS_ERR(tfm_ecdh)) {
3317 bt_dev_err(hdev, "Unable to create ECDH crypto context");
3318 crypto_free_shash(tfm_cmac);
3319 kfree_sensitive(smp);
3320 return ERR_CAST(tfm_ecdh);
3323 smp->local_oob = false;
3324 smp->tfm_cmac = tfm_cmac;
3325 smp->tfm_ecdh = tfm_ecdh;
3328 chan = l2cap_chan_create();
3331 crypto_free_shash(smp->tfm_cmac);
3332 crypto_free_kpp(smp->tfm_ecdh);
3333 kfree_sensitive(smp);
3335 return ERR_PTR(-ENOMEM);
3340 l2cap_add_scid(chan, cid);
3342 l2cap_chan_set_defaults(chan);
3344 if (cid == L2CAP_CID_SMP) {
3347 hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3349 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3350 chan->src_type = BDADDR_LE_PUBLIC;
3352 chan->src_type = BDADDR_LE_RANDOM;
3354 bacpy(&chan->src, &hdev->bdaddr);
3355 chan->src_type = BDADDR_BREDR;
3358 chan->state = BT_LISTEN;
3359 chan->mode = L2CAP_MODE_BASIC;
3360 chan->imtu = L2CAP_DEFAULT_MTU;
3361 chan->ops = &smp_root_chan_ops;
3363 /* Set correct nesting level for a parent/listening channel */
3364 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3369 static void smp_del_chan(struct l2cap_chan *chan)
3371 struct smp_dev *smp;
3373 BT_DBG("chan %p", chan);
3378 crypto_free_shash(smp->tfm_cmac);
3379 crypto_free_kpp(smp->tfm_ecdh);
3380 kfree_sensitive(smp);
3383 l2cap_chan_put(chan);
3386 int smp_force_bredr(struct hci_dev *hdev, bool enable)
3388 if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3392 struct l2cap_chan *chan;
3394 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3396 return PTR_ERR(chan);
3398 hdev->smp_bredr_data = chan;
3400 struct l2cap_chan *chan;
3402 chan = hdev->smp_bredr_data;
3403 hdev->smp_bredr_data = NULL;
3407 hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3412 int smp_register(struct hci_dev *hdev)
3414 struct l2cap_chan *chan;
3416 bt_dev_dbg(hdev, "");
3418 /* If the controller does not support Low Energy operation, then
3419 * there is also no need to register any SMP channel.
3421 if (!lmp_le_capable(hdev))
3424 if (WARN_ON(hdev->smp_data)) {
3425 chan = hdev->smp_data;
3426 hdev->smp_data = NULL;
3430 chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3432 return PTR_ERR(chan);
3434 hdev->smp_data = chan;
3436 if (!lmp_sc_capable(hdev)) {
3437 /* Flag can be already set here (due to power toggle) */
3438 if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3442 if (WARN_ON(hdev->smp_bredr_data)) {
3443 chan = hdev->smp_bredr_data;
3444 hdev->smp_bredr_data = NULL;
3448 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3450 int err = PTR_ERR(chan);
3451 chan = hdev->smp_data;
3452 hdev->smp_data = NULL;
3457 hdev->smp_bredr_data = chan;
3462 void smp_unregister(struct hci_dev *hdev)
3464 struct l2cap_chan *chan;
3466 if (hdev->smp_bredr_data) {
3467 chan = hdev->smp_bredr_data;
3468 hdev->smp_bredr_data = NULL;
3472 if (hdev->smp_data) {
3473 chan = hdev->smp_data;
3474 hdev->smp_data = NULL;
3479 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3481 static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
3486 err = set_ecdh_privkey(tfm_ecdh, debug_sk);
3490 err = generate_ecdh_public_key(tfm_ecdh, pk);
3494 if (crypto_memneq(pk, debug_pk, 64))
3500 static int __init test_ah(void)
3502 const u8 irk[16] = {
3503 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3504 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3505 const u8 r[3] = { 0x94, 0x81, 0x70 };
3506 const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3510 err = smp_ah(irk, r, res);
3514 if (crypto_memneq(res, exp, 3))
3520 static int __init test_c1(void)
3523 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3524 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3526 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3527 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3528 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3529 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3530 const u8 _iat = 0x01;
3531 const u8 _rat = 0x00;
3532 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3533 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3534 const u8 exp[16] = {
3535 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3536 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3540 err = smp_c1(k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3544 if (crypto_memneq(res, exp, 16))
3550 static int __init test_s1(void)
3553 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3554 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3556 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3558 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3559 const u8 exp[16] = {
3560 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3561 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3565 err = smp_s1(k, r1, r2, res);
3569 if (crypto_memneq(res, exp, 16))
3575 static int __init test_f4(struct crypto_shash *tfm_cmac)
3578 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3579 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3580 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3581 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3583 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3584 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3585 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3586 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3588 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3589 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3591 const u8 exp[16] = {
3592 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3593 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3597 err = smp_f4(tfm_cmac, u, v, x, z, res);
3601 if (crypto_memneq(res, exp, 16))
3607 static int __init test_f5(struct crypto_shash *tfm_cmac)
3610 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3611 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3612 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3613 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3615 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3616 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3618 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3619 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3620 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3621 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3622 const u8 exp_ltk[16] = {
3623 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3624 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3625 const u8 exp_mackey[16] = {
3626 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3627 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3628 u8 mackey[16], ltk[16];
3631 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3635 if (crypto_memneq(mackey, exp_mackey, 16))
3638 if (crypto_memneq(ltk, exp_ltk, 16))
3644 static int __init test_f6(struct crypto_shash *tfm_cmac)
3647 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3648 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3650 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3651 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3653 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3654 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3656 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3657 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3658 const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3659 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3660 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3661 const u8 exp[16] = {
3662 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3663 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3667 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3671 if (crypto_memneq(res, exp, 16))
3677 static int __init test_g2(struct crypto_shash *tfm_cmac)
3680 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3681 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3682 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3683 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3685 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3686 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3687 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3688 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3690 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3691 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3693 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3694 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3695 const u32 exp_val = 0x2f9ed5ba % 1000000;
3699 err = smp_g2(tfm_cmac, u, v, x, y, &val);
3709 static int __init test_h6(struct crypto_shash *tfm_cmac)
3712 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3713 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3714 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3715 const u8 exp[16] = {
3716 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3717 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3721 err = smp_h6(tfm_cmac, w, key_id, res);
3725 if (crypto_memneq(res, exp, 16))
3731 static char test_smp_buffer[32];
3733 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3734 size_t count, loff_t *ppos)
3736 return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3737 strlen(test_smp_buffer));
3740 static const struct file_operations test_smp_fops = {
3741 .open = simple_open,
3742 .read = test_smp_read,
3743 .llseek = default_llseek,
3746 static int __init run_selftests(struct crypto_shash *tfm_cmac,
3747 struct crypto_kpp *tfm_ecdh)
3749 ktime_t calltime, delta, rettime;
3750 unsigned long long duration;
3753 calltime = ktime_get();
3755 err = test_debug_key(tfm_ecdh);
3757 BT_ERR("debug_key test failed");
3763 BT_ERR("smp_ah test failed");
3769 BT_ERR("smp_c1 test failed");
3775 BT_ERR("smp_s1 test failed");
3779 err = test_f4(tfm_cmac);
3781 BT_ERR("smp_f4 test failed");
3785 err = test_f5(tfm_cmac);
3787 BT_ERR("smp_f5 test failed");
3791 err = test_f6(tfm_cmac);
3793 BT_ERR("smp_f6 test failed");
3797 err = test_g2(tfm_cmac);
3799 BT_ERR("smp_g2 test failed");
3803 err = test_h6(tfm_cmac);
3805 BT_ERR("smp_h6 test failed");
3809 rettime = ktime_get();
3810 delta = ktime_sub(rettime, calltime);
3811 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3813 BT_INFO("SMP test passed in %llu usecs", duration);
3817 snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3818 "PASS (%llu usecs)\n", duration);
3820 snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3822 debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3828 int __init bt_selftest_smp(void)
3830 struct crypto_shash *tfm_cmac;
3831 struct crypto_kpp *tfm_ecdh;
3834 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3835 if (IS_ERR(tfm_cmac)) {
3836 BT_ERR("Unable to create CMAC crypto context");
3837 return PTR_ERR(tfm_cmac);
3840 tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
3841 if (IS_ERR(tfm_ecdh)) {
3842 BT_ERR("Unable to create ECDH crypto context");
3843 crypto_free_shash(tfm_cmac);
3844 return PTR_ERR(tfm_ecdh);
3847 err = run_selftests(tfm_cmac, tfm_ecdh);
3849 crypto_free_shash(tfm_cmac);
3850 crypto_free_kpp(tfm_ecdh);