2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
23 #include <linux/debugfs.h>
24 #include <linux/scatterlist.h>
25 #include <linux/crypto.h>
26 #include <crypto/aes.h>
27 #include <crypto/algapi.h>
28 #include <crypto/hash.h>
29 #include <crypto/kpp.h>
31 #include <net/bluetooth/bluetooth.h>
32 #include <net/bluetooth/hci_core.h>
33 #include <net/bluetooth/l2cap.h>
34 #include <net/bluetooth/mgmt.h>
36 #include "ecdh_helper.h"
39 #define SMP_DEV(hdev) \
40 ((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
42 /* Low-level debug macros to be used for stuff that we don't want
43 * accidentally in dmesg, i.e. the values of the various crypto keys
44 * and the inputs & outputs of crypto functions.
47 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
50 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
54 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
56 /* Keys which are not distributed with Secure Connections */
57 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY)
59 #define SMP_TIMEOUT msecs_to_jiffies(30000)
61 #define AUTH_REQ_MASK(dev) (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
63 #define KEY_DIST_MASK 0x07
65 /* Maximum message length that can be passed to aes_cmac */
66 #define CMAC_MSG_MAX 80
78 SMP_FLAG_DHKEY_PENDING,
85 /* Secure Connections OOB data */
91 struct crypto_shash *tfm_cmac;
92 struct crypto_kpp *tfm_ecdh;
96 struct l2cap_conn *conn;
97 struct delayed_work security_timer;
98 unsigned long allow_cmd; /* Bitmask of allowed commands */
100 u8 preq[7]; /* SMP Pairing Request */
101 u8 prsp[7]; /* SMP Pairing Response */
102 u8 prnd[16]; /* SMP Pairing Random (local) */
103 u8 rrnd[16]; /* SMP Pairing Random (remote) */
104 u8 pcnf[16]; /* SMP Pairing Confirm */
105 u8 tk[16]; /* SMP Temporary Key */
106 u8 rr[16]; /* Remote OOB ra/rb value */
107 u8 lr[16]; /* Local OOB ra/rb value */
113 struct smp_csrk *csrk;
114 struct smp_csrk *responder_csrk;
116 struct smp_ltk *responder_ltk;
117 struct smp_irk *remote_irk;
123 /* Secure Connections variables */
129 struct crypto_shash *tfm_cmac;
130 struct crypto_kpp *tfm_ecdh;
133 /* These debug key values are defined in the SMP section of the core
134 * specification. debug_pk is the public debug key and debug_sk the
137 static const u8 debug_pk[64] = {
138 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
139 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
140 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
141 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
143 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
144 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
145 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
146 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
149 static const u8 debug_sk[32] = {
150 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
151 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
152 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
153 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
156 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
160 for (i = 0; i < len; i++)
161 dst[len - 1 - i] = src[i];
164 /* The following functions map to the LE SC SMP crypto functions
165 * AES-CMAC, f4, f5, f6, g2 and h6.
168 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
169 size_t len, u8 mac[16])
171 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
174 if (len > CMAC_MSG_MAX)
178 BT_ERR("tfm %p", tfm);
182 /* Swap key and message from LSB to MSB */
183 swap_buf(k, tmp, 16);
184 swap_buf(m, msg_msb, len);
186 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
187 SMP_DBG("key %16phN", k);
189 err = crypto_shash_setkey(tfm, tmp, 16);
191 BT_ERR("cipher setkey failed: %d", err);
195 err = crypto_shash_tfm_digest(tfm, msg_msb, len, mac_msb);
197 BT_ERR("Hash computation error %d", err);
201 swap_buf(mac_msb, mac, 16);
203 SMP_DBG("mac %16phN", mac);
208 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
209 const u8 v[32], const u8 x[16], u8 z, u8 res[16])
214 SMP_DBG("u %32phN", u);
215 SMP_DBG("v %32phN", v);
216 SMP_DBG("x %16phN z %02x", x, z);
219 memcpy(m + 1, v, 32);
220 memcpy(m + 33, u, 32);
222 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
226 SMP_DBG("res %16phN", res);
231 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
232 const u8 n1[16], const u8 n2[16], const u8 a1[7],
233 const u8 a2[7], u8 mackey[16], u8 ltk[16])
235 /* The btle, salt and length "magic" values are as defined in
236 * the SMP section of the Bluetooth core specification. In ASCII
237 * the btle value ends up being 'btle'. The salt is just a
238 * random number whereas length is the value 256 in little
241 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
242 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
243 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
244 const u8 length[2] = { 0x00, 0x01 };
248 SMP_DBG("w %32phN", w);
249 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
250 SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
252 err = aes_cmac(tfm_cmac, salt, w, 32, t);
256 SMP_DBG("t %16phN", t);
258 memcpy(m, length, 2);
259 memcpy(m + 2, a2, 7);
260 memcpy(m + 9, a1, 7);
261 memcpy(m + 16, n2, 16);
262 memcpy(m + 32, n1, 16);
263 memcpy(m + 48, btle, 4);
265 m[52] = 0; /* Counter */
267 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
271 SMP_DBG("mackey %16phN", mackey);
273 m[52] = 1; /* Counter */
275 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
279 SMP_DBG("ltk %16phN", ltk);
284 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
285 const u8 n1[16], const u8 n2[16], const u8 r[16],
286 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
292 SMP_DBG("w %16phN", w);
293 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
294 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
297 memcpy(m + 7, a1, 7);
298 memcpy(m + 14, io_cap, 3);
299 memcpy(m + 17, r, 16);
300 memcpy(m + 33, n2, 16);
301 memcpy(m + 49, n1, 16);
303 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
307 SMP_DBG("res %16phN", res);
312 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
313 const u8 x[16], const u8 y[16], u32 *val)
318 SMP_DBG("u %32phN", u);
319 SMP_DBG("v %32phN", v);
320 SMP_DBG("x %16phN y %16phN", x, y);
323 memcpy(m + 16, v, 32);
324 memcpy(m + 48, u, 32);
326 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
330 *val = get_unaligned_le32(tmp);
333 SMP_DBG("val %06u", *val);
338 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
339 const u8 key_id[4], u8 res[16])
343 SMP_DBG("w %16phN key_id %4phN", w, key_id);
345 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
349 SMP_DBG("res %16phN", res);
354 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
355 const u8 salt[16], u8 res[16])
359 SMP_DBG("w %16phN salt %16phN", w, salt);
361 err = aes_cmac(tfm_cmac, salt, w, 16, res);
365 SMP_DBG("res %16phN", res);
370 /* The following functions map to the legacy SMP crypto functions e, c1,
374 static int smp_e(const u8 *k, u8 *r)
376 struct crypto_aes_ctx ctx;
377 uint8_t tmp[16], data[16];
380 SMP_DBG("k %16phN r %16phN", k, r);
382 /* The most significant octet of key corresponds to k[0] */
383 swap_buf(k, tmp, 16);
385 err = aes_expandkey(&ctx, tmp, 16);
387 BT_ERR("cipher setkey failed: %d", err);
391 /* Most significant octet of plaintextData corresponds to data[0] */
392 swap_buf(r, data, 16);
394 aes_encrypt(&ctx, data, data);
396 /* Most significant octet of encryptedData corresponds to data[0] */
397 swap_buf(data, r, 16);
399 SMP_DBG("r %16phN", r);
401 memzero_explicit(&ctx, sizeof(ctx));
405 static int smp_c1(const u8 k[16],
406 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
407 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
412 SMP_DBG("k %16phN r %16phN", k, r);
413 SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
414 SMP_DBG("preq %7phN pres %7phN", preq, pres);
418 /* p1 = pres || preq || _rat || _iat */
421 memcpy(p1 + 2, preq, 7);
422 memcpy(p1 + 9, pres, 7);
424 SMP_DBG("p1 %16phN", p1);
427 crypto_xor_cpy(res, r, p1, sizeof(p1));
429 /* res = e(k, res) */
432 BT_ERR("Encrypt data error");
436 /* p2 = padding || ia || ra */
438 memcpy(p2 + 6, ia, 6);
439 memset(p2 + 12, 0, 4);
441 SMP_DBG("p2 %16phN", p2);
443 /* res = res XOR p2 */
444 crypto_xor(res, p2, sizeof(p2));
446 /* res = e(k, res) */
449 BT_ERR("Encrypt data error");
454 static int smp_s1(const u8 k[16],
455 const u8 r1[16], const u8 r2[16], u8 _r[16])
459 /* Just least significant octets from r1 and r2 are considered */
461 memcpy(_r + 8, r1, 8);
465 BT_ERR("Encrypt data error");
470 static int smp_ah(const u8 irk[16], const u8 r[3], u8 res[3])
475 /* r' = padding || r */
477 memset(_res + 3, 0, 13);
479 err = smp_e(irk, _res);
481 BT_ERR("Encrypt error");
485 /* The output of the random address function ah is:
486 * ah(k, r) = e(k, r') mod 2^24
487 * The output of the security function e is then truncated to 24 bits
488 * by taking the least significant 24 bits of the output of e as the
491 memcpy(res, _res, 3);
496 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
497 const bdaddr_t *bdaddr)
499 struct l2cap_chan *chan = hdev->smp_data;
503 if (!chan || !chan->data)
506 bt_dev_dbg(hdev, "RPA %pMR IRK %*phN", bdaddr, 16, irk);
508 err = smp_ah(irk, &bdaddr->b[3], hash);
512 return !crypto_memneq(bdaddr->b, hash, 3);
515 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
517 struct l2cap_chan *chan = hdev->smp_data;
520 if (!chan || !chan->data)
523 get_random_bytes(&rpa->b[3], 3);
525 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
526 rpa->b[5] |= 0x40; /* Set second most significant bit */
528 err = smp_ah(irk, &rpa->b[3], rpa->b);
532 bt_dev_dbg(hdev, "RPA %pMR", rpa);
537 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
539 struct l2cap_chan *chan = hdev->smp_data;
543 if (!chan || !chan->data)
548 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
549 bt_dev_dbg(hdev, "Using debug keys");
550 err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk);
553 memcpy(smp->local_pk, debug_pk, 64);
554 smp->debug_key = true;
557 /* Generate key pair for Secure Connections */
558 err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk);
562 /* This is unlikely, but we need to check that
563 * we didn't accidentally generate a debug key.
565 if (crypto_memneq(smp->local_pk, debug_pk, 64))
568 smp->debug_key = false;
571 SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
572 SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
574 get_random_bytes(smp->local_rand, 16);
576 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
577 smp->local_rand, 0, hash);
581 memcpy(rand, smp->local_rand, 16);
583 smp->local_oob = true;
588 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
590 struct l2cap_chan *chan = conn->smp;
591 struct smp_chan *smp;
598 bt_dev_dbg(conn->hcon->hdev, "code 0x%2.2x", code);
600 iv[0].iov_base = &code;
603 iv[1].iov_base = data;
606 memset(&msg, 0, sizeof(msg));
608 iov_iter_kvec(&msg.msg_iter, WRITE, iv, 2, 1 + len);
610 l2cap_chan_send(chan, &msg, 1 + len);
617 cancel_delayed_work_sync(&smp->security_timer);
618 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
621 static u8 authreq_to_seclevel(u8 authreq)
623 if (authreq & SMP_AUTH_MITM) {
624 if (authreq & SMP_AUTH_SC)
625 return BT_SECURITY_FIPS;
627 return BT_SECURITY_HIGH;
629 return BT_SECURITY_MEDIUM;
633 static __u8 seclevel_to_authreq(__u8 sec_level)
636 case BT_SECURITY_FIPS:
637 case BT_SECURITY_HIGH:
638 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
639 case BT_SECURITY_MEDIUM:
640 return SMP_AUTH_BONDING;
642 return SMP_AUTH_NONE;
646 static void build_pairing_cmd(struct l2cap_conn *conn,
647 struct smp_cmd_pairing *req,
648 struct smp_cmd_pairing *rsp, __u8 authreq)
650 struct l2cap_chan *chan = conn->smp;
651 struct smp_chan *smp = chan->data;
652 struct hci_conn *hcon = conn->hcon;
653 struct hci_dev *hdev = hcon->hdev;
654 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
656 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
657 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
658 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
659 authreq |= SMP_AUTH_BONDING;
661 authreq &= ~SMP_AUTH_BONDING;
664 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
665 remote_dist |= SMP_DIST_ID_KEY;
667 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
668 local_dist |= SMP_DIST_ID_KEY;
670 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
671 (authreq & SMP_AUTH_SC)) {
672 struct oob_data *oob_data;
675 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
676 local_dist |= SMP_DIST_LINK_KEY;
677 remote_dist |= SMP_DIST_LINK_KEY;
680 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
681 bdaddr_type = BDADDR_LE_PUBLIC;
683 bdaddr_type = BDADDR_LE_RANDOM;
685 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
687 if (oob_data && oob_data->present) {
688 set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
689 oob_flag = SMP_OOB_PRESENT;
690 memcpy(smp->rr, oob_data->rand256, 16);
691 memcpy(smp->pcnf, oob_data->hash256, 16);
692 SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
693 SMP_DBG("OOB Remote Random: %16phN", smp->rr);
697 authreq &= ~SMP_AUTH_SC;
701 req->io_capability = conn->hcon->io_capability;
702 req->oob_flag = oob_flag;
703 req->max_key_size = hdev->le_max_key_size;
704 req->init_key_dist = local_dist;
705 req->resp_key_dist = remote_dist;
706 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
708 smp->remote_key_dist = remote_dist;
712 rsp->io_capability = conn->hcon->io_capability;
713 rsp->oob_flag = oob_flag;
714 rsp->max_key_size = hdev->le_max_key_size;
715 rsp->init_key_dist = req->init_key_dist & remote_dist;
716 rsp->resp_key_dist = req->resp_key_dist & local_dist;
717 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
719 smp->remote_key_dist = rsp->init_key_dist;
722 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
724 struct l2cap_chan *chan = conn->smp;
725 struct hci_dev *hdev = conn->hcon->hdev;
726 struct smp_chan *smp = chan->data;
728 if (conn->hcon->pending_sec_level == BT_SECURITY_FIPS &&
729 max_key_size != SMP_MAX_ENC_KEY_SIZE)
730 return SMP_ENC_KEY_SIZE;
732 if (max_key_size > hdev->le_max_key_size ||
733 max_key_size < SMP_MIN_ENC_KEY_SIZE)
734 return SMP_ENC_KEY_SIZE;
736 smp->enc_key_size = max_key_size;
741 static void smp_chan_destroy(struct l2cap_conn *conn)
743 struct l2cap_chan *chan = conn->smp;
744 struct smp_chan *smp = chan->data;
745 struct hci_conn *hcon = conn->hcon;
750 cancel_delayed_work_sync(&smp->security_timer);
752 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
753 mgmt_smp_complete(hcon, complete);
755 kfree_sensitive(smp->csrk);
756 kfree_sensitive(smp->responder_csrk);
757 kfree_sensitive(smp->link_key);
759 crypto_free_shash(smp->tfm_cmac);
760 crypto_free_kpp(smp->tfm_ecdh);
762 /* Ensure that we don't leave any debug key around if debug key
763 * support hasn't been explicitly enabled.
765 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
766 !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
767 list_del_rcu(&smp->ltk->list);
768 kfree_rcu(smp->ltk, rcu);
772 /* If pairing failed clean up any keys we might have */
775 list_del_rcu(&smp->ltk->list);
776 kfree_rcu(smp->ltk, rcu);
779 if (smp->responder_ltk) {
780 list_del_rcu(&smp->responder_ltk->list);
781 kfree_rcu(smp->responder_ltk, rcu);
784 if (smp->remote_irk) {
785 list_del_rcu(&smp->remote_irk->list);
786 kfree_rcu(smp->remote_irk, rcu);
791 kfree_sensitive(smp);
795 static void smp_failure(struct l2cap_conn *conn, u8 reason)
797 struct hci_conn *hcon = conn->hcon;
798 struct l2cap_chan *chan = conn->smp;
801 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
804 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
807 smp_chan_destroy(conn);
810 #define JUST_WORKS 0x00
811 #define JUST_CFM 0x01
812 #define REQ_PASSKEY 0x02
813 #define CFM_PASSKEY 0x03
815 #define DSP_PASSKEY 0x05
818 static const u8 gen_method[5][5] = {
819 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
820 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
821 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
822 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
823 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
826 static const u8 sc_method[5][5] = {
827 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
828 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
829 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
830 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
831 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
834 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
836 /* If either side has unknown io_caps, use JUST_CFM (which gets
837 * converted later to JUST_WORKS if we're initiators.
839 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
840 remote_io > SMP_IO_KEYBOARD_DISPLAY)
843 if (test_bit(SMP_FLAG_SC, &smp->flags))
844 return sc_method[remote_io][local_io];
846 return gen_method[remote_io][local_io];
849 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
850 u8 local_io, u8 remote_io)
852 struct hci_conn *hcon = conn->hcon;
853 struct l2cap_chan *chan = conn->smp;
854 struct smp_chan *smp = chan->data;
858 /* Initialize key for JUST WORKS */
859 memset(smp->tk, 0, sizeof(smp->tk));
860 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
862 bt_dev_dbg(hcon->hdev, "auth:%u lcl:%u rem:%u", auth, local_io,
865 /* If neither side wants MITM, either "just" confirm an incoming
866 * request or use just-works for outgoing ones. The JUST_CFM
867 * will be converted to JUST_WORKS if necessary later in this
868 * function. If either side has MITM look up the method from the
871 if (!(auth & SMP_AUTH_MITM))
872 smp->method = JUST_CFM;
874 smp->method = get_auth_method(smp, local_io, remote_io);
876 /* Don't confirm locally initiated pairing attempts */
877 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
879 smp->method = JUST_WORKS;
881 /* Don't bother user space with no IO capabilities */
882 if (smp->method == JUST_CFM &&
883 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
884 smp->method = JUST_WORKS;
886 /* If Just Works, Continue with Zero TK */
887 if (smp->method == JUST_WORKS) {
888 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
892 /* If this function is used for SC -> legacy fallback we
893 * can only recover the just-works case.
895 if (test_bit(SMP_FLAG_SC, &smp->flags))
898 /* Not Just Works/Confirm results in MITM Authentication */
899 if (smp->method != JUST_CFM) {
900 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
901 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
902 hcon->pending_sec_level = BT_SECURITY_HIGH;
905 /* If both devices have Keyboard-Display I/O, the initiator
906 * Confirms and the responder Enters the passkey.
908 if (smp->method == OVERLAP) {
909 if (hcon->role == HCI_ROLE_MASTER)
910 smp->method = CFM_PASSKEY;
912 smp->method = REQ_PASSKEY;
915 /* Generate random passkey. */
916 if (smp->method == CFM_PASSKEY) {
917 memset(smp->tk, 0, sizeof(smp->tk));
918 get_random_bytes(&passkey, sizeof(passkey));
920 put_unaligned_le32(passkey, smp->tk);
921 bt_dev_dbg(hcon->hdev, "PassKey: %u", passkey);
922 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
925 if (smp->method == REQ_PASSKEY)
926 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
927 hcon->type, hcon->dst_type);
928 else if (smp->method == JUST_CFM)
929 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
930 hcon->type, hcon->dst_type,
933 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
934 hcon->type, hcon->dst_type,
940 static u8 smp_confirm(struct smp_chan *smp)
942 struct l2cap_conn *conn = smp->conn;
943 struct smp_cmd_pairing_confirm cp;
946 bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
948 ret = smp_c1(smp->tk, smp->prnd, smp->preq, smp->prsp,
949 conn->hcon->init_addr_type, &conn->hcon->init_addr,
950 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
953 return SMP_UNSPECIFIED;
955 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
957 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
960 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
962 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
967 static u8 smp_random(struct smp_chan *smp)
969 struct l2cap_conn *conn = smp->conn;
970 struct hci_conn *hcon = conn->hcon;
974 bt_dev_dbg(conn->hcon->hdev, "conn %p %s", conn,
975 conn->hcon->out ? "initiator" : "responder");
977 ret = smp_c1(smp->tk, smp->rrnd, smp->preq, smp->prsp,
978 hcon->init_addr_type, &hcon->init_addr,
979 hcon->resp_addr_type, &hcon->resp_addr, confirm);
981 return SMP_UNSPECIFIED;
983 if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
984 bt_dev_err(hcon->hdev, "pairing failed "
985 "(confirmation values mismatch)");
986 return SMP_CONFIRM_FAILED;
994 smp_s1(smp->tk, smp->rrnd, smp->prnd, stk);
996 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
997 return SMP_UNSPECIFIED;
999 hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1000 hcon->enc_key_size = smp->enc_key_size;
1001 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1007 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1010 smp_s1(smp->tk, smp->prnd, smp->rrnd, stk);
1012 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1017 /* Even though there's no _RESPONDER suffix this is the
1018 * responder STK we're adding for later lookup (the initiator
1019 * STK never needs to be stored).
1021 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1022 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1028 static void smp_notify_keys(struct l2cap_conn *conn)
1030 struct l2cap_chan *chan = conn->smp;
1031 struct smp_chan *smp = chan->data;
1032 struct hci_conn *hcon = conn->hcon;
1033 struct hci_dev *hdev = hcon->hdev;
1034 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1035 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1038 if (hcon->type == ACL_LINK) {
1039 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1042 persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1045 /* The LTKs, IRKs and CSRKs should be persistent only if
1046 * both sides had the bonding bit set in their
1047 * authentication requests.
1049 persistent = !!((req->auth_req & rsp->auth_req) &
1053 if (smp->remote_irk) {
1054 mgmt_new_irk(hdev, smp->remote_irk, persistent);
1056 /* Now that user space can be considered to know the
1057 * identity address track the connection based on it
1058 * from now on (assuming this is an LE link).
1060 if (hcon->type == LE_LINK) {
1061 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1062 hcon->dst_type = smp->remote_irk->addr_type;
1063 queue_work(hdev->workqueue, &conn->id_addr_update_work);
1068 smp->csrk->bdaddr_type = hcon->dst_type;
1069 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1070 mgmt_new_csrk(hdev, smp->csrk, persistent);
1073 if (smp->responder_csrk) {
1074 smp->responder_csrk->bdaddr_type = hcon->dst_type;
1075 bacpy(&smp->responder_csrk->bdaddr, &hcon->dst);
1076 mgmt_new_csrk(hdev, smp->responder_csrk, persistent);
1080 smp->ltk->bdaddr_type = hcon->dst_type;
1081 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1082 mgmt_new_ltk(hdev, smp->ltk, persistent);
1085 if (smp->responder_ltk) {
1086 smp->responder_ltk->bdaddr_type = hcon->dst_type;
1087 bacpy(&smp->responder_ltk->bdaddr, &hcon->dst);
1088 mgmt_new_ltk(hdev, smp->responder_ltk, persistent);
1091 if (smp->link_key) {
1092 struct link_key *key;
1095 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1096 type = HCI_LK_DEBUG_COMBINATION;
1097 else if (hcon->sec_level == BT_SECURITY_FIPS)
1098 type = HCI_LK_AUTH_COMBINATION_P256;
1100 type = HCI_LK_UNAUTH_COMBINATION_P256;
1102 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1103 smp->link_key, type, 0, &persistent);
1105 mgmt_new_link_key(hdev, key, persistent);
1107 /* Don't keep debug keys around if the relevant
1110 if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1111 key->type == HCI_LK_DEBUG_COMBINATION) {
1112 list_del_rcu(&key->list);
1113 kfree_rcu(key, rcu);
1119 static void sc_add_ltk(struct smp_chan *smp)
1121 struct hci_conn *hcon = smp->conn->hcon;
1124 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1125 key_type = SMP_LTK_P256_DEBUG;
1127 key_type = SMP_LTK_P256;
1129 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1134 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1135 key_type, auth, smp->tk, smp->enc_key_size,
1139 static void sc_generate_link_key(struct smp_chan *smp)
1141 /* From core spec. Spells out in ASCII as 'lebr'. */
1142 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1144 smp->link_key = kzalloc(16, GFP_KERNEL);
1148 if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1149 /* SALT = 0x000000000000000000000000746D7031 */
1150 const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1152 if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1153 kfree_sensitive(smp->link_key);
1154 smp->link_key = NULL;
1158 /* From core spec. Spells out in ASCII as 'tmp1'. */
1159 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1161 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1162 kfree_sensitive(smp->link_key);
1163 smp->link_key = NULL;
1168 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1169 kfree_sensitive(smp->link_key);
1170 smp->link_key = NULL;
1175 static void smp_allow_key_dist(struct smp_chan *smp)
1177 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1178 * will be allowed in each PDU handler to ensure we receive
1179 * them in the correct order.
1181 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1182 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1183 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1184 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1185 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1186 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1189 static void sc_generate_ltk(struct smp_chan *smp)
1191 /* From core spec. Spells out in ASCII as 'brle'. */
1192 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1193 struct hci_conn *hcon = smp->conn->hcon;
1194 struct hci_dev *hdev = hcon->hdev;
1195 struct link_key *key;
1197 key = hci_find_link_key(hdev, &hcon->dst);
1199 bt_dev_err(hdev, "no Link Key found to generate LTK");
1203 if (key->type == HCI_LK_DEBUG_COMBINATION)
1204 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1206 if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1207 /* SALT = 0x000000000000000000000000746D7032 */
1208 const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1210 if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1213 /* From core spec. Spells out in ASCII as 'tmp2'. */
1214 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1216 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1220 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1226 static void smp_distribute_keys(struct smp_chan *smp)
1228 struct smp_cmd_pairing *req, *rsp;
1229 struct l2cap_conn *conn = smp->conn;
1230 struct hci_conn *hcon = conn->hcon;
1231 struct hci_dev *hdev = hcon->hdev;
1234 bt_dev_dbg(hdev, "conn %p", conn);
1236 rsp = (void *) &smp->prsp[1];
1238 /* The responder sends its keys first */
1239 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1240 smp_allow_key_dist(smp);
1244 req = (void *) &smp->preq[1];
1247 keydist = &rsp->init_key_dist;
1248 *keydist &= req->init_key_dist;
1250 keydist = &rsp->resp_key_dist;
1251 *keydist &= req->resp_key_dist;
1254 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1255 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1256 sc_generate_link_key(smp);
1257 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1258 sc_generate_ltk(smp);
1260 /* Clear the keys which are generated but not distributed */
1261 *keydist &= ~SMP_SC_NO_DIST;
1264 bt_dev_dbg(hdev, "keydist 0x%x", *keydist);
1266 if (*keydist & SMP_DIST_ENC_KEY) {
1267 struct smp_cmd_encrypt_info enc;
1268 struct smp_cmd_initiator_ident ident;
1269 struct smp_ltk *ltk;
1274 /* Make sure we generate only the significant amount of
1275 * bytes based on the encryption key size, and set the rest
1276 * of the value to zeroes.
1278 get_random_bytes(enc.ltk, smp->enc_key_size);
1279 memset(enc.ltk + smp->enc_key_size, 0,
1280 sizeof(enc.ltk) - smp->enc_key_size);
1282 get_random_bytes(&ediv, sizeof(ediv));
1283 get_random_bytes(&rand, sizeof(rand));
1285 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1287 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1288 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1289 SMP_LTK_RESPONDER, authenticated, enc.ltk,
1290 smp->enc_key_size, ediv, rand);
1291 smp->responder_ltk = ltk;
1296 smp_send_cmd(conn, SMP_CMD_INITIATOR_IDENT, sizeof(ident),
1299 *keydist &= ~SMP_DIST_ENC_KEY;
1302 if (*keydist & SMP_DIST_ID_KEY) {
1303 struct smp_cmd_ident_addr_info addrinfo;
1304 struct smp_cmd_ident_info idinfo;
1306 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1308 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1310 /* The hci_conn contains the local identity address
1311 * after the connection has been established.
1313 * This is true even when the connection has been
1314 * established using a resolvable random address.
1316 bacpy(&addrinfo.bdaddr, &hcon->src);
1317 addrinfo.addr_type = hcon->src_type;
1319 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1322 *keydist &= ~SMP_DIST_ID_KEY;
1325 if (*keydist & SMP_DIST_SIGN) {
1326 struct smp_cmd_sign_info sign;
1327 struct smp_csrk *csrk;
1329 /* Generate a new random key */
1330 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1332 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1334 if (hcon->sec_level > BT_SECURITY_MEDIUM)
1335 csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1337 csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1338 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1340 smp->responder_csrk = csrk;
1342 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1344 *keydist &= ~SMP_DIST_SIGN;
1347 /* If there are still keys to be received wait for them */
1348 if (smp->remote_key_dist & KEY_DIST_MASK) {
1349 smp_allow_key_dist(smp);
1353 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1354 smp_notify_keys(conn);
1356 smp_chan_destroy(conn);
1359 static void smp_timeout(struct work_struct *work)
1361 struct smp_chan *smp = container_of(work, struct smp_chan,
1362 security_timer.work);
1363 struct l2cap_conn *conn = smp->conn;
1365 bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
1367 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1370 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1372 struct hci_conn *hcon = conn->hcon;
1373 struct l2cap_chan *chan = conn->smp;
1374 struct smp_chan *smp;
1376 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1380 smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1381 if (IS_ERR(smp->tfm_cmac)) {
1382 bt_dev_err(hcon->hdev, "Unable to create CMAC crypto context");
1386 smp->tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
1387 if (IS_ERR(smp->tfm_ecdh)) {
1388 bt_dev_err(hcon->hdev, "Unable to create ECDH crypto context");
1395 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1397 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1399 hci_conn_hold(hcon);
1404 crypto_free_shash(smp->tfm_cmac);
1406 kfree_sensitive(smp);
1410 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1412 struct hci_conn *hcon = smp->conn->hcon;
1413 u8 *na, *nb, a[7], b[7];
1423 memcpy(a, &hcon->init_addr, 6);
1424 memcpy(b, &hcon->resp_addr, 6);
1425 a[6] = hcon->init_addr_type;
1426 b[6] = hcon->resp_addr_type;
1428 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1431 static void sc_dhkey_check(struct smp_chan *smp)
1433 struct hci_conn *hcon = smp->conn->hcon;
1434 struct smp_cmd_dhkey_check check;
1435 u8 a[7], b[7], *local_addr, *remote_addr;
1436 u8 io_cap[3], r[16];
1438 memcpy(a, &hcon->init_addr, 6);
1439 memcpy(b, &hcon->resp_addr, 6);
1440 a[6] = hcon->init_addr_type;
1441 b[6] = hcon->resp_addr_type;
1446 memcpy(io_cap, &smp->preq[1], 3);
1450 memcpy(io_cap, &smp->prsp[1], 3);
1453 memset(r, 0, sizeof(r));
1455 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1456 put_unaligned_le32(hcon->passkey_notify, r);
1458 if (smp->method == REQ_OOB)
1459 memcpy(r, smp->rr, 16);
1461 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1462 local_addr, remote_addr, check.e);
1464 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1467 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1469 struct l2cap_conn *conn = smp->conn;
1470 struct hci_conn *hcon = conn->hcon;
1471 struct smp_cmd_pairing_confirm cfm;
1474 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1477 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1479 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1481 return SMP_UNSPECIFIED;
1483 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1488 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1490 struct l2cap_conn *conn = smp->conn;
1491 struct hci_conn *hcon = conn->hcon;
1492 struct hci_dev *hdev = hcon->hdev;
1495 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1496 if (smp->passkey_round >= 20)
1500 case SMP_CMD_PAIRING_RANDOM:
1501 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1504 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1506 return SMP_UNSPECIFIED;
1508 if (crypto_memneq(smp->pcnf, cfm, 16))
1509 return SMP_CONFIRM_FAILED;
1511 smp->passkey_round++;
1513 if (smp->passkey_round == 20) {
1514 /* Generate MacKey and LTK */
1515 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1516 return SMP_UNSPECIFIED;
1519 /* The round is only complete when the initiator
1520 * receives pairing random.
1523 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1524 sizeof(smp->prnd), smp->prnd);
1525 if (smp->passkey_round == 20)
1526 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1528 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1532 /* Start the next round */
1533 if (smp->passkey_round != 20)
1534 return sc_passkey_round(smp, 0);
1536 /* Passkey rounds are complete - start DHKey Check */
1537 sc_dhkey_check(smp);
1538 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1542 case SMP_CMD_PAIRING_CONFIRM:
1543 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1544 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1548 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1551 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1552 sizeof(smp->prnd), smp->prnd);
1556 return sc_passkey_send_confirm(smp);
1558 case SMP_CMD_PUBLIC_KEY:
1560 /* Initiating device starts the round */
1564 bt_dev_dbg(hdev, "Starting passkey round %u",
1565 smp->passkey_round + 1);
1567 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1569 return sc_passkey_send_confirm(smp);
1575 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1577 struct l2cap_conn *conn = smp->conn;
1578 struct hci_conn *hcon = conn->hcon;
1581 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1584 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1585 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1587 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1588 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1590 case MGMT_OP_USER_PASSKEY_REPLY:
1591 hcon->passkey_notify = le32_to_cpu(passkey);
1592 smp->passkey_round = 0;
1594 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1595 smp_op = SMP_CMD_PAIRING_CONFIRM;
1599 if (sc_passkey_round(smp, smp_op))
1605 /* Initiator sends DHKey check first */
1607 sc_dhkey_check(smp);
1608 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1609 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1610 sc_dhkey_check(smp);
1617 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1619 struct l2cap_conn *conn = hcon->l2cap_data;
1620 struct l2cap_chan *chan;
1621 struct smp_chan *smp;
1628 bt_dev_dbg(conn->hcon->hdev, "");
1634 l2cap_chan_lock(chan);
1642 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1643 err = sc_user_reply(smp, mgmt_op, passkey);
1648 case MGMT_OP_USER_PASSKEY_REPLY:
1649 value = le32_to_cpu(passkey);
1650 memset(smp->tk, 0, sizeof(smp->tk));
1651 bt_dev_dbg(conn->hcon->hdev, "PassKey: %u", value);
1652 put_unaligned_le32(value, smp->tk);
1654 case MGMT_OP_USER_CONFIRM_REPLY:
1655 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1657 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1658 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1659 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1663 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1670 /* If it is our turn to send Pairing Confirm, do so now */
1671 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1672 u8 rsp = smp_confirm(smp);
1674 smp_failure(conn, rsp);
1678 l2cap_chan_unlock(chan);
1682 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1683 struct smp_cmd_pairing *req,
1684 struct smp_cmd_pairing *rsp)
1686 struct l2cap_conn *conn = smp->conn;
1687 struct hci_dev *hdev = conn->hcon->hdev;
1688 u8 local_dist = 0, remote_dist = 0;
1690 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1691 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1692 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1695 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1696 remote_dist |= SMP_DIST_ID_KEY;
1698 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1699 local_dist |= SMP_DIST_ID_KEY;
1702 memset(req, 0, sizeof(*req));
1704 req->auth_req = SMP_AUTH_CT2;
1705 req->init_key_dist = local_dist;
1706 req->resp_key_dist = remote_dist;
1707 req->max_key_size = conn->hcon->enc_key_size;
1709 smp->remote_key_dist = remote_dist;
1714 memset(rsp, 0, sizeof(*rsp));
1716 rsp->auth_req = SMP_AUTH_CT2;
1717 rsp->max_key_size = conn->hcon->enc_key_size;
1718 rsp->init_key_dist = req->init_key_dist & remote_dist;
1719 rsp->resp_key_dist = req->resp_key_dist & local_dist;
1721 smp->remote_key_dist = rsp->init_key_dist;
1724 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1726 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1727 struct l2cap_chan *chan = conn->smp;
1728 struct hci_dev *hdev = conn->hcon->hdev;
1729 struct smp_chan *smp;
1730 u8 key_size, auth, sec_level;
1733 bt_dev_dbg(hdev, "conn %p", conn);
1735 if (skb->len < sizeof(*req))
1736 return SMP_INVALID_PARAMS;
1738 if (conn->hcon->role != HCI_ROLE_SLAVE)
1739 return SMP_CMD_NOTSUPP;
1742 smp = smp_chan_create(conn);
1747 return SMP_UNSPECIFIED;
1749 /* We didn't start the pairing, so match remote */
1750 auth = req->auth_req & AUTH_REQ_MASK(hdev);
1752 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1753 (auth & SMP_AUTH_BONDING))
1754 return SMP_PAIRING_NOTSUPP;
1756 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1757 return SMP_AUTH_REQUIREMENTS;
1759 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1760 memcpy(&smp->preq[1], req, sizeof(*req));
1761 skb_pull(skb, sizeof(*req));
1763 /* If the remote side's OOB flag is set it means it has
1764 * successfully received our local OOB data - therefore set the
1765 * flag to indicate that local OOB is in use.
1767 if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1768 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1770 /* SMP over BR/EDR requires special treatment */
1771 if (conn->hcon->type == ACL_LINK) {
1772 /* We must have a BR/EDR SC link */
1773 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1774 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1775 return SMP_CROSS_TRANSP_NOT_ALLOWED;
1777 set_bit(SMP_FLAG_SC, &smp->flags);
1779 build_bredr_pairing_cmd(smp, req, &rsp);
1781 if (req->auth_req & SMP_AUTH_CT2)
1782 set_bit(SMP_FLAG_CT2, &smp->flags);
1784 key_size = min(req->max_key_size, rsp.max_key_size);
1785 if (check_enc_key_size(conn, key_size))
1786 return SMP_ENC_KEY_SIZE;
1788 /* Clear bits which are generated but not distributed */
1789 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1791 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1792 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1793 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1795 smp_distribute_keys(smp);
1799 build_pairing_cmd(conn, req, &rsp, auth);
1801 if (rsp.auth_req & SMP_AUTH_SC) {
1802 set_bit(SMP_FLAG_SC, &smp->flags);
1804 if (rsp.auth_req & SMP_AUTH_CT2)
1805 set_bit(SMP_FLAG_CT2, &smp->flags);
1808 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1809 sec_level = BT_SECURITY_MEDIUM;
1811 sec_level = authreq_to_seclevel(auth);
1813 if (sec_level > conn->hcon->pending_sec_level)
1814 conn->hcon->pending_sec_level = sec_level;
1816 /* If we need MITM check that it can be achieved */
1817 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1820 method = get_auth_method(smp, conn->hcon->io_capability,
1821 req->io_capability);
1822 if (method == JUST_WORKS || method == JUST_CFM)
1823 return SMP_AUTH_REQUIREMENTS;
1826 key_size = min(req->max_key_size, rsp.max_key_size);
1827 if (check_enc_key_size(conn, key_size))
1828 return SMP_ENC_KEY_SIZE;
1830 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1832 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1833 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1835 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1837 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1839 /* Strictly speaking we shouldn't allow Pairing Confirm for the
1840 * SC case, however some implementations incorrectly copy RFU auth
1841 * req bits from our security request, which may create a false
1842 * positive SC enablement.
1844 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1846 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1847 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1848 /* Clear bits which are generated but not distributed */
1849 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1850 /* Wait for Public Key from Initiating Device */
1854 /* Request setup of TK */
1855 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1857 return SMP_UNSPECIFIED;
1862 static u8 sc_send_public_key(struct smp_chan *smp)
1864 struct hci_dev *hdev = smp->conn->hcon->hdev;
1866 bt_dev_dbg(hdev, "");
1868 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1869 struct l2cap_chan *chan = hdev->smp_data;
1870 struct smp_dev *smp_dev;
1872 if (!chan || !chan->data)
1873 return SMP_UNSPECIFIED;
1875 smp_dev = chan->data;
1877 memcpy(smp->local_pk, smp_dev->local_pk, 64);
1878 memcpy(smp->lr, smp_dev->local_rand, 16);
1880 if (smp_dev->debug_key)
1881 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1886 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1887 bt_dev_dbg(hdev, "Using debug keys");
1888 if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
1889 return SMP_UNSPECIFIED;
1890 memcpy(smp->local_pk, debug_pk, 64);
1891 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1894 /* Generate key pair for Secure Connections */
1895 if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
1896 return SMP_UNSPECIFIED;
1898 /* This is unlikely, but we need to check that
1899 * we didn't accidentally generate a debug key.
1901 if (crypto_memneq(smp->local_pk, debug_pk, 64))
1907 SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1908 SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1910 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1915 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1917 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1918 struct l2cap_chan *chan = conn->smp;
1919 struct smp_chan *smp = chan->data;
1920 struct hci_dev *hdev = conn->hcon->hdev;
1924 bt_dev_dbg(hdev, "conn %p", conn);
1926 if (skb->len < sizeof(*rsp))
1927 return SMP_INVALID_PARAMS;
1929 if (conn->hcon->role != HCI_ROLE_MASTER)
1930 return SMP_CMD_NOTSUPP;
1932 skb_pull(skb, sizeof(*rsp));
1934 req = (void *) &smp->preq[1];
1936 key_size = min(req->max_key_size, rsp->max_key_size);
1937 if (check_enc_key_size(conn, key_size))
1938 return SMP_ENC_KEY_SIZE;
1940 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1942 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1943 return SMP_AUTH_REQUIREMENTS;
1945 /* If the remote side's OOB flag is set it means it has
1946 * successfully received our local OOB data - therefore set the
1947 * flag to indicate that local OOB is in use.
1949 if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1950 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1952 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1953 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1955 /* Update remote key distribution in case the remote cleared
1956 * some bits that we had enabled in our request.
1958 smp->remote_key_dist &= rsp->resp_key_dist;
1960 if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1961 set_bit(SMP_FLAG_CT2, &smp->flags);
1963 /* For BR/EDR this means we're done and can start phase 3 */
1964 if (conn->hcon->type == ACL_LINK) {
1965 /* Clear bits which are generated but not distributed */
1966 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1967 smp_distribute_keys(smp);
1971 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1972 set_bit(SMP_FLAG_SC, &smp->flags);
1973 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1974 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1976 /* If we need MITM check that it can be achieved */
1977 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1980 method = get_auth_method(smp, req->io_capability,
1981 rsp->io_capability);
1982 if (method == JUST_WORKS || method == JUST_CFM)
1983 return SMP_AUTH_REQUIREMENTS;
1986 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1988 /* Update remote key distribution in case the remote cleared
1989 * some bits that we had enabled in our request.
1991 smp->remote_key_dist &= rsp->resp_key_dist;
1993 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1994 /* Clear bits which are generated but not distributed */
1995 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1996 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1997 return sc_send_public_key(smp);
2000 auth |= req->auth_req;
2002 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2004 return SMP_UNSPECIFIED;
2006 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2008 /* Can't compose response until we have been confirmed */
2009 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2010 return smp_confirm(smp);
2015 static u8 sc_check_confirm(struct smp_chan *smp)
2017 struct l2cap_conn *conn = smp->conn;
2019 bt_dev_dbg(conn->hcon->hdev, "");
2021 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2022 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2024 if (conn->hcon->out) {
2025 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2027 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2033 /* Work-around for some implementations that incorrectly copy RFU bits
2034 * from our security request and thereby create the impression that
2035 * we're doing SC when in fact the remote doesn't support it.
2037 static int fixup_sc_false_positive(struct smp_chan *smp)
2039 struct l2cap_conn *conn = smp->conn;
2040 struct hci_conn *hcon = conn->hcon;
2041 struct hci_dev *hdev = hcon->hdev;
2042 struct smp_cmd_pairing *req, *rsp;
2045 /* The issue is only observed when we're in responder role */
2047 return SMP_UNSPECIFIED;
2049 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2050 bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
2051 return SMP_UNSPECIFIED;
2054 bt_dev_err(hdev, "trying to fall back to legacy SMP");
2056 req = (void *) &smp->preq[1];
2057 rsp = (void *) &smp->prsp[1];
2059 /* Rebuild key dist flags which may have been cleared for SC */
2060 smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2062 auth = req->auth_req & AUTH_REQ_MASK(hdev);
2064 if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2065 bt_dev_err(hdev, "failed to fall back to legacy SMP");
2066 return SMP_UNSPECIFIED;
2069 clear_bit(SMP_FLAG_SC, &smp->flags);
2074 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2076 struct l2cap_chan *chan = conn->smp;
2077 struct smp_chan *smp = chan->data;
2078 struct hci_conn *hcon = conn->hcon;
2079 struct hci_dev *hdev = hcon->hdev;
2081 bt_dev_dbg(hdev, "conn %p %s", conn,
2082 hcon->out ? "initiator" : "responder");
2084 if (skb->len < sizeof(smp->pcnf))
2085 return SMP_INVALID_PARAMS;
2087 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2088 skb_pull(skb, sizeof(smp->pcnf));
2090 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2093 /* Public Key exchange must happen before any other steps */
2094 if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2095 return sc_check_confirm(smp);
2097 bt_dev_err(hdev, "Unexpected SMP Pairing Confirm");
2099 ret = fixup_sc_false_positive(smp);
2104 if (conn->hcon->out) {
2105 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2107 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2111 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2112 return smp_confirm(smp);
2114 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2119 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2121 struct l2cap_chan *chan = conn->smp;
2122 struct smp_chan *smp = chan->data;
2123 struct hci_conn *hcon = conn->hcon;
2124 u8 *pkax, *pkbx, *na, *nb, confirm_hint;
2128 bt_dev_dbg(hcon->hdev, "conn %p", conn);
2130 if (skb->len < sizeof(smp->rrnd))
2131 return SMP_INVALID_PARAMS;
2133 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2134 skb_pull(skb, sizeof(smp->rrnd));
2136 if (!test_bit(SMP_FLAG_SC, &smp->flags))
2137 return smp_random(smp);
2140 pkax = smp->local_pk;
2141 pkbx = smp->remote_pk;
2145 pkax = smp->remote_pk;
2146 pkbx = smp->local_pk;
2151 if (smp->method == REQ_OOB) {
2153 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2154 sizeof(smp->prnd), smp->prnd);
2155 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2156 goto mackey_and_ltk;
2159 /* Passkey entry has special treatment */
2160 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2161 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2166 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2169 return SMP_UNSPECIFIED;
2171 if (crypto_memneq(smp->pcnf, cfm, 16))
2172 return SMP_CONFIRM_FAILED;
2174 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2176 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2178 /* Only Just-Works pairing requires extra checks */
2179 if (smp->method != JUST_WORKS)
2180 goto mackey_and_ltk;
2182 /* If there already exists long term key in local host, leave
2183 * the decision to user space since the remote device could
2184 * be legitimate or malicious.
2186 if (hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
2188 /* Set passkey to 0. The value can be any number since
2189 * it'll be ignored anyway.
2198 /* Generate MacKey and LTK */
2199 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2201 return SMP_UNSPECIFIED;
2203 if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2205 sc_dhkey_check(smp);
2206 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2211 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2213 return SMP_UNSPECIFIED;
2218 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2219 hcon->dst_type, passkey, confirm_hint);
2221 return SMP_UNSPECIFIED;
2223 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2228 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2230 struct smp_ltk *key;
2231 struct hci_conn *hcon = conn->hcon;
2233 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2237 if (smp_ltk_sec_level(key) < sec_level)
2240 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2243 hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2244 hcon->enc_key_size = key->enc_size;
2246 /* We never store STKs for initiator role, so clear this flag */
2247 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2252 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2253 enum smp_key_pref key_pref)
2255 if (sec_level == BT_SECURITY_LOW)
2258 /* If we're encrypted with an STK but the caller prefers using
2259 * LTK claim insufficient security. This way we allow the
2260 * connection to be re-encrypted with an LTK, even if the LTK
2261 * provides the same level of security. Only exception is if we
2262 * don't have an LTK (e.g. because of key distribution bits).
2264 if (key_pref == SMP_USE_LTK &&
2265 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2266 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2269 if (hcon->sec_level >= sec_level)
2275 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2277 struct smp_cmd_security_req *rp = (void *) skb->data;
2278 struct smp_cmd_pairing cp;
2279 struct hci_conn *hcon = conn->hcon;
2280 struct hci_dev *hdev = hcon->hdev;
2281 struct smp_chan *smp;
2284 bt_dev_dbg(hdev, "conn %p", conn);
2286 if (skb->len < sizeof(*rp))
2287 return SMP_INVALID_PARAMS;
2289 if (hcon->role != HCI_ROLE_MASTER)
2290 return SMP_CMD_NOTSUPP;
2292 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2294 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2295 return SMP_AUTH_REQUIREMENTS;
2297 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2298 sec_level = BT_SECURITY_MEDIUM;
2300 sec_level = authreq_to_seclevel(auth);
2302 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2303 /* If link is already encrypted with sufficient security we
2304 * still need refresh encryption as per Core Spec 5.0 Vol 3,
2307 smp_ltk_encrypt(conn, hcon->sec_level);
2311 if (sec_level > hcon->pending_sec_level)
2312 hcon->pending_sec_level = sec_level;
2314 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2317 smp = smp_chan_create(conn);
2319 return SMP_UNSPECIFIED;
2321 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2322 (auth & SMP_AUTH_BONDING))
2323 return SMP_PAIRING_NOTSUPP;
2325 skb_pull(skb, sizeof(*rp));
2327 memset(&cp, 0, sizeof(cp));
2328 build_pairing_cmd(conn, &cp, NULL, auth);
2330 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2331 memcpy(&smp->preq[1], &cp, sizeof(cp));
2333 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2334 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2339 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2341 struct l2cap_conn *conn = hcon->l2cap_data;
2342 struct l2cap_chan *chan;
2343 struct smp_chan *smp;
2347 bt_dev_dbg(hcon->hdev, "conn %p hcon %p level 0x%2.2x", conn, hcon,
2350 /* This may be NULL if there's an unexpected disconnection */
2354 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2357 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2360 if (sec_level > hcon->pending_sec_level)
2361 hcon->pending_sec_level = sec_level;
2363 if (hcon->role == HCI_ROLE_MASTER)
2364 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2369 bt_dev_err(hcon->hdev, "security requested but not available");
2373 l2cap_chan_lock(chan);
2375 /* If SMP is already in progress ignore this request */
2381 smp = smp_chan_create(conn);
2387 authreq = seclevel_to_authreq(sec_level);
2389 if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2390 authreq |= SMP_AUTH_SC;
2391 if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2392 authreq |= SMP_AUTH_CT2;
2395 /* Don't attempt to set MITM if setting is overridden by debugfs
2396 * Needed to pass certification test SM/MAS/PKE/BV-01-C
2398 if (!hci_dev_test_flag(hcon->hdev, HCI_FORCE_NO_MITM)) {
2399 /* Require MITM if IO Capability allows or the security level
2402 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2403 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2404 authreq |= SMP_AUTH_MITM;
2407 if (hcon->role == HCI_ROLE_MASTER) {
2408 struct smp_cmd_pairing cp;
2410 build_pairing_cmd(conn, &cp, NULL, authreq);
2411 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2412 memcpy(&smp->preq[1], &cp, sizeof(cp));
2414 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2415 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2417 struct smp_cmd_security_req cp;
2418 cp.auth_req = authreq;
2419 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2420 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2423 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2427 l2cap_chan_unlock(chan);
2431 int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2434 struct hci_conn *hcon;
2435 struct l2cap_conn *conn;
2436 struct l2cap_chan *chan;
2437 struct smp_chan *smp;
2440 err = hci_remove_ltk(hdev, bdaddr, addr_type);
2441 hci_remove_irk(hdev, bdaddr, addr_type);
2443 hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2447 conn = hcon->l2cap_data;
2455 l2cap_chan_lock(chan);
2459 /* Set keys to NULL to make sure smp_failure() does not try to
2460 * remove and free already invalidated rcu list entries. */
2462 smp->responder_ltk = NULL;
2463 smp->remote_irk = NULL;
2465 if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2466 smp_failure(conn, 0);
2468 smp_failure(conn, SMP_UNSPECIFIED);
2472 l2cap_chan_unlock(chan);
2478 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2480 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2481 struct l2cap_chan *chan = conn->smp;
2482 struct smp_chan *smp = chan->data;
2484 bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
2486 if (skb->len < sizeof(*rp))
2487 return SMP_INVALID_PARAMS;
2489 /* Pairing is aborted if any blocked keys are distributed */
2490 if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_LTK,
2492 bt_dev_warn_ratelimited(conn->hcon->hdev,
2493 "LTK blocked for %pMR",
2495 return SMP_INVALID_PARAMS;
2498 SMP_ALLOW_CMD(smp, SMP_CMD_INITIATOR_IDENT);
2500 skb_pull(skb, sizeof(*rp));
2502 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2507 static int smp_cmd_initiator_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2509 struct smp_cmd_initiator_ident *rp = (void *)skb->data;
2510 struct l2cap_chan *chan = conn->smp;
2511 struct smp_chan *smp = chan->data;
2512 struct hci_dev *hdev = conn->hcon->hdev;
2513 struct hci_conn *hcon = conn->hcon;
2514 struct smp_ltk *ltk;
2517 bt_dev_dbg(hdev, "conn %p", conn);
2519 if (skb->len < sizeof(*rp))
2520 return SMP_INVALID_PARAMS;
2522 /* Mark the information as received */
2523 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2525 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2526 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2527 else if (smp->remote_key_dist & SMP_DIST_SIGN)
2528 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2530 skb_pull(skb, sizeof(*rp));
2532 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2533 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2534 authenticated, smp->tk, smp->enc_key_size,
2535 rp->ediv, rp->rand);
2537 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2538 smp_distribute_keys(smp);
2543 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2545 struct smp_cmd_ident_info *info = (void *) skb->data;
2546 struct l2cap_chan *chan = conn->smp;
2547 struct smp_chan *smp = chan->data;
2549 bt_dev_dbg(conn->hcon->hdev, "");
2551 if (skb->len < sizeof(*info))
2552 return SMP_INVALID_PARAMS;
2554 /* Pairing is aborted if any blocked keys are distributed */
2555 if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_IRK,
2557 bt_dev_warn_ratelimited(conn->hcon->hdev,
2558 "Identity key blocked for %pMR",
2560 return SMP_INVALID_PARAMS;
2563 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2565 skb_pull(skb, sizeof(*info));
2567 memcpy(smp->irk, info->irk, 16);
2572 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2573 struct sk_buff *skb)
2575 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2576 struct l2cap_chan *chan = conn->smp;
2577 struct smp_chan *smp = chan->data;
2578 struct hci_conn *hcon = conn->hcon;
2581 bt_dev_dbg(hcon->hdev, "");
2583 if (skb->len < sizeof(*info))
2584 return SMP_INVALID_PARAMS;
2586 /* Mark the information as received */
2587 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2589 if (smp->remote_key_dist & SMP_DIST_SIGN)
2590 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2592 skb_pull(skb, sizeof(*info));
2594 /* Strictly speaking the Core Specification (4.1) allows sending
2595 * an empty address which would force us to rely on just the IRK
2596 * as "identity information". However, since such
2597 * implementations are not known of and in order to not over
2598 * complicate our implementation, simply pretend that we never
2599 * received an IRK for such a device.
2601 * The Identity Address must also be a Static Random or Public
2602 * Address, which hci_is_identity_address() checks for.
2604 if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2605 !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2606 bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
2610 /* Drop IRK if peer is using identity address during pairing but is
2611 * providing different address as identity information.
2613 * Microsoft Surface Precision Mouse is known to have this bug.
2615 if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
2616 (bacmp(&info->bdaddr, &hcon->dst) ||
2617 info->addr_type != hcon->dst_type)) {
2618 bt_dev_err(hcon->hdev,
2619 "ignoring IRK with invalid identity address");
2623 bacpy(&smp->id_addr, &info->bdaddr);
2624 smp->id_addr_type = info->addr_type;
2626 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2627 bacpy(&rpa, &hcon->dst);
2629 bacpy(&rpa, BDADDR_ANY);
2631 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2632 smp->id_addr_type, smp->irk, &rpa);
2635 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2636 smp_distribute_keys(smp);
2641 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2643 struct smp_cmd_sign_info *rp = (void *) skb->data;
2644 struct l2cap_chan *chan = conn->smp;
2645 struct smp_chan *smp = chan->data;
2646 struct smp_csrk *csrk;
2648 bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
2650 if (skb->len < sizeof(*rp))
2651 return SMP_INVALID_PARAMS;
2653 /* Mark the information as received */
2654 smp->remote_key_dist &= ~SMP_DIST_SIGN;
2656 skb_pull(skb, sizeof(*rp));
2658 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2660 if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2661 csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2663 csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2664 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2667 smp_distribute_keys(smp);
2672 static u8 sc_select_method(struct smp_chan *smp)
2674 struct l2cap_conn *conn = smp->conn;
2675 struct hci_conn *hcon = conn->hcon;
2676 struct smp_cmd_pairing *local, *remote;
2677 u8 local_mitm, remote_mitm, local_io, remote_io, method;
2679 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2680 test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2683 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2684 * which are needed as inputs to some crypto functions. To get
2685 * the "struct smp_cmd_pairing" from them we need to skip the
2686 * first byte which contains the opcode.
2689 local = (void *) &smp->preq[1];
2690 remote = (void *) &smp->prsp[1];
2692 local = (void *) &smp->prsp[1];
2693 remote = (void *) &smp->preq[1];
2696 local_io = local->io_capability;
2697 remote_io = remote->io_capability;
2699 local_mitm = (local->auth_req & SMP_AUTH_MITM);
2700 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2702 /* If either side wants MITM, look up the method from the table,
2703 * otherwise use JUST WORKS.
2705 if (local_mitm || remote_mitm)
2706 method = get_auth_method(smp, local_io, remote_io);
2708 method = JUST_WORKS;
2710 /* Don't confirm locally initiated pairing attempts */
2711 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2712 method = JUST_WORKS;
2717 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2719 struct smp_cmd_public_key *key = (void *) skb->data;
2720 struct hci_conn *hcon = conn->hcon;
2721 struct l2cap_chan *chan = conn->smp;
2722 struct smp_chan *smp = chan->data;
2723 struct hci_dev *hdev = hcon->hdev;
2724 struct crypto_kpp *tfm_ecdh;
2725 struct smp_cmd_pairing_confirm cfm;
2728 bt_dev_dbg(hdev, "conn %p", conn);
2730 if (skb->len < sizeof(*key))
2731 return SMP_INVALID_PARAMS;
2733 /* Check if remote and local public keys are the same and debug key is
2736 if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) &&
2737 !crypto_memneq(key, smp->local_pk, 64)) {
2738 bt_dev_err(hdev, "Remote and local public keys are identical");
2739 return SMP_UNSPECIFIED;
2742 memcpy(smp->remote_pk, key, 64);
2744 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2745 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2746 smp->rr, 0, cfm.confirm_val);
2748 return SMP_UNSPECIFIED;
2750 if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2751 return SMP_CONFIRM_FAILED;
2754 /* Non-initiating device sends its public key after receiving
2755 * the key from the initiating device.
2758 err = sc_send_public_key(smp);
2763 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2764 SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2766 /* Compute the shared secret on the same crypto tfm on which the private
2767 * key was set/generated.
2769 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
2770 struct l2cap_chan *hchan = hdev->smp_data;
2771 struct smp_dev *smp_dev;
2773 if (!hchan || !hchan->data)
2774 return SMP_UNSPECIFIED;
2776 smp_dev = hchan->data;
2778 tfm_ecdh = smp_dev->tfm_ecdh;
2780 tfm_ecdh = smp->tfm_ecdh;
2783 if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
2784 return SMP_UNSPECIFIED;
2786 SMP_DBG("DHKey %32phN", smp->dhkey);
2788 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2790 smp->method = sc_select_method(smp);
2792 bt_dev_dbg(hdev, "selected method 0x%02x", smp->method);
2794 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2795 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2796 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2798 hcon->pending_sec_level = BT_SECURITY_FIPS;
2800 if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2801 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2803 if (smp->method == DSP_PASSKEY) {
2804 get_random_bytes(&hcon->passkey_notify,
2805 sizeof(hcon->passkey_notify));
2806 hcon->passkey_notify %= 1000000;
2807 hcon->passkey_entered = 0;
2808 smp->passkey_round = 0;
2809 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2811 hcon->passkey_notify,
2812 hcon->passkey_entered))
2813 return SMP_UNSPECIFIED;
2814 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2815 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2818 if (smp->method == REQ_OOB) {
2820 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2821 sizeof(smp->prnd), smp->prnd);
2823 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2829 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2831 if (smp->method == REQ_PASSKEY) {
2832 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2834 return SMP_UNSPECIFIED;
2835 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2836 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2840 /* The Initiating device waits for the non-initiating device to
2841 * send the confirm value.
2843 if (conn->hcon->out)
2846 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2847 0, cfm.confirm_val);
2849 return SMP_UNSPECIFIED;
2851 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2852 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2857 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2859 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2860 struct l2cap_chan *chan = conn->smp;
2861 struct hci_conn *hcon = conn->hcon;
2862 struct smp_chan *smp = chan->data;
2863 u8 a[7], b[7], *local_addr, *remote_addr;
2864 u8 io_cap[3], r[16], e[16];
2867 bt_dev_dbg(hcon->hdev, "conn %p", conn);
2869 if (skb->len < sizeof(*check))
2870 return SMP_INVALID_PARAMS;
2872 memcpy(a, &hcon->init_addr, 6);
2873 memcpy(b, &hcon->resp_addr, 6);
2874 a[6] = hcon->init_addr_type;
2875 b[6] = hcon->resp_addr_type;
2880 memcpy(io_cap, &smp->prsp[1], 3);
2884 memcpy(io_cap, &smp->preq[1], 3);
2887 memset(r, 0, sizeof(r));
2889 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2890 put_unaligned_le32(hcon->passkey_notify, r);
2891 else if (smp->method == REQ_OOB)
2892 memcpy(r, smp->lr, 16);
2894 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2895 io_cap, remote_addr, local_addr, e);
2897 return SMP_UNSPECIFIED;
2899 if (crypto_memneq(check->e, e, 16))
2900 return SMP_DHKEY_CHECK_FAILED;
2903 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2904 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2908 /* Responder sends DHKey check as response to initiator */
2909 sc_dhkey_check(smp);
2915 hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2916 hcon->enc_key_size = smp->enc_key_size;
2922 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2923 struct sk_buff *skb)
2925 struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2927 bt_dev_dbg(conn->hcon->hdev, "value 0x%02x", kp->value);
2932 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2934 struct l2cap_conn *conn = chan->conn;
2935 struct hci_conn *hcon = conn->hcon;
2936 struct smp_chan *smp;
2943 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2944 reason = SMP_PAIRING_NOTSUPP;
2948 code = skb->data[0];
2949 skb_pull(skb, sizeof(code));
2953 if (code > SMP_CMD_MAX)
2956 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2959 /* If we don't have a context the only allowed commands are
2960 * pairing request and security request.
2962 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2966 case SMP_CMD_PAIRING_REQ:
2967 reason = smp_cmd_pairing_req(conn, skb);
2970 case SMP_CMD_PAIRING_FAIL:
2971 smp_failure(conn, 0);
2975 case SMP_CMD_PAIRING_RSP:
2976 reason = smp_cmd_pairing_rsp(conn, skb);
2979 case SMP_CMD_SECURITY_REQ:
2980 reason = smp_cmd_security_req(conn, skb);
2983 case SMP_CMD_PAIRING_CONFIRM:
2984 reason = smp_cmd_pairing_confirm(conn, skb);
2987 case SMP_CMD_PAIRING_RANDOM:
2988 reason = smp_cmd_pairing_random(conn, skb);
2991 case SMP_CMD_ENCRYPT_INFO:
2992 reason = smp_cmd_encrypt_info(conn, skb);
2995 case SMP_CMD_INITIATOR_IDENT:
2996 reason = smp_cmd_initiator_ident(conn, skb);
2999 case SMP_CMD_IDENT_INFO:
3000 reason = smp_cmd_ident_info(conn, skb);
3003 case SMP_CMD_IDENT_ADDR_INFO:
3004 reason = smp_cmd_ident_addr_info(conn, skb);
3007 case SMP_CMD_SIGN_INFO:
3008 reason = smp_cmd_sign_info(conn, skb);
3011 case SMP_CMD_PUBLIC_KEY:
3012 reason = smp_cmd_public_key(conn, skb);
3015 case SMP_CMD_DHKEY_CHECK:
3016 reason = smp_cmd_dhkey_check(conn, skb);
3019 case SMP_CMD_KEYPRESS_NOTIFY:
3020 reason = smp_cmd_keypress_notify(conn, skb);
3024 bt_dev_dbg(hcon->hdev, "Unknown command code 0x%2.2x", code);
3025 reason = SMP_CMD_NOTSUPP;
3032 smp_failure(conn, reason);
3039 bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
3045 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
3047 struct l2cap_conn *conn = chan->conn;
3049 bt_dev_dbg(conn->hcon->hdev, "chan %p", chan);
3052 smp_chan_destroy(conn);
3055 l2cap_chan_put(chan);
3058 static void bredr_pairing(struct l2cap_chan *chan)
3060 struct l2cap_conn *conn = chan->conn;
3061 struct hci_conn *hcon = conn->hcon;
3062 struct hci_dev *hdev = hcon->hdev;
3063 struct smp_cmd_pairing req;
3064 struct smp_chan *smp;
3066 bt_dev_dbg(hdev, "chan %p", chan);
3068 /* Only new pairings are interesting */
3069 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
3072 /* Don't bother if we're not encrypted */
3073 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3076 /* Only initiator may initiate SMP over BR/EDR */
3077 if (hcon->role != HCI_ROLE_MASTER)
3080 /* Secure Connections support must be enabled */
3081 if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
3084 /* BR/EDR must use Secure Connections for SMP */
3085 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
3086 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3089 /* If our LE support is not enabled don't do anything */
3090 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3093 /* Don't bother if remote LE support is not enabled */
3094 if (!lmp_host_le_capable(hcon))
3097 /* Remote must support SMP fixed chan for BR/EDR */
3098 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3101 /* Don't bother if SMP is already ongoing */
3105 smp = smp_chan_create(conn);
3107 bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
3111 set_bit(SMP_FLAG_SC, &smp->flags);
3113 bt_dev_dbg(hdev, "starting SMP over BR/EDR");
3115 /* Prepare and send the BR/EDR SMP Pairing Request */
3116 build_bredr_pairing_cmd(smp, &req, NULL);
3118 smp->preq[0] = SMP_CMD_PAIRING_REQ;
3119 memcpy(&smp->preq[1], &req, sizeof(req));
3121 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3122 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3125 static void smp_resume_cb(struct l2cap_chan *chan)
3127 struct smp_chan *smp = chan->data;
3128 struct l2cap_conn *conn = chan->conn;
3129 struct hci_conn *hcon = conn->hcon;
3131 bt_dev_dbg(hcon->hdev, "chan %p", chan);
3133 if (hcon->type == ACL_LINK) {
3134 bredr_pairing(chan);
3141 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3144 cancel_delayed_work(&smp->security_timer);
3146 smp_distribute_keys(smp);
3149 static void smp_ready_cb(struct l2cap_chan *chan)
3151 struct l2cap_conn *conn = chan->conn;
3152 struct hci_conn *hcon = conn->hcon;
3154 bt_dev_dbg(hcon->hdev, "chan %p", chan);
3156 /* No need to call l2cap_chan_hold() here since we already own
3157 * the reference taken in smp_new_conn_cb(). This is just the
3158 * first time that we tie it to a specific pointer. The code in
3159 * l2cap_core.c ensures that there's no risk this function wont
3160 * get called if smp_new_conn_cb was previously called.
3164 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3165 bredr_pairing(chan);
3168 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3172 bt_dev_dbg(chan->conn->hcon->hdev, "chan %p", chan);
3174 err = smp_sig_channel(chan, skb);
3176 struct smp_chan *smp = chan->data;
3179 cancel_delayed_work_sync(&smp->security_timer);
3181 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3187 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3188 unsigned long hdr_len,
3189 unsigned long len, int nb)
3191 struct sk_buff *skb;
3193 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3195 return ERR_PTR(-ENOMEM);
3197 skb->priority = HCI_PRIO_MAX;
3198 bt_cb(skb)->l2cap.chan = chan;
3203 static const struct l2cap_ops smp_chan_ops = {
3204 .name = "Security Manager",
3205 .ready = smp_ready_cb,
3206 .recv = smp_recv_cb,
3207 .alloc_skb = smp_alloc_skb_cb,
3208 .teardown = smp_teardown_cb,
3209 .resume = smp_resume_cb,
3211 .new_connection = l2cap_chan_no_new_connection,
3212 .state_change = l2cap_chan_no_state_change,
3213 .close = l2cap_chan_no_close,
3214 .defer = l2cap_chan_no_defer,
3215 .suspend = l2cap_chan_no_suspend,
3216 .set_shutdown = l2cap_chan_no_set_shutdown,
3217 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
3220 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3222 struct l2cap_chan *chan;
3224 BT_DBG("pchan %p", pchan);
3226 chan = l2cap_chan_create();
3230 chan->chan_type = pchan->chan_type;
3231 chan->ops = &smp_chan_ops;
3232 chan->scid = pchan->scid;
3233 chan->dcid = chan->scid;
3234 chan->imtu = pchan->imtu;
3235 chan->omtu = pchan->omtu;
3236 chan->mode = pchan->mode;
3238 /* Other L2CAP channels may request SMP routines in order to
3239 * change the security level. This means that the SMP channel
3240 * lock must be considered in its own category to avoid lockdep
3243 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3245 BT_DBG("created chan %p", chan);
3250 static const struct l2cap_ops smp_root_chan_ops = {
3251 .name = "Security Manager Root",
3252 .new_connection = smp_new_conn_cb,
3254 /* None of these are implemented for the root channel */
3255 .close = l2cap_chan_no_close,
3256 .alloc_skb = l2cap_chan_no_alloc_skb,
3257 .recv = l2cap_chan_no_recv,
3258 .state_change = l2cap_chan_no_state_change,
3259 .teardown = l2cap_chan_no_teardown,
3260 .ready = l2cap_chan_no_ready,
3261 .defer = l2cap_chan_no_defer,
3262 .suspend = l2cap_chan_no_suspend,
3263 .resume = l2cap_chan_no_resume,
3264 .set_shutdown = l2cap_chan_no_set_shutdown,
3265 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
3268 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3270 struct l2cap_chan *chan;
3271 struct smp_dev *smp;
3272 struct crypto_shash *tfm_cmac;
3273 struct crypto_kpp *tfm_ecdh;
3275 if (cid == L2CAP_CID_SMP_BREDR) {
3280 smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3282 return ERR_PTR(-ENOMEM);
3284 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3285 if (IS_ERR(tfm_cmac)) {
3286 bt_dev_err(hdev, "Unable to create CMAC crypto context");
3287 kfree_sensitive(smp);
3288 return ERR_CAST(tfm_cmac);
3291 tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
3292 if (IS_ERR(tfm_ecdh)) {
3293 bt_dev_err(hdev, "Unable to create ECDH crypto context");
3294 crypto_free_shash(tfm_cmac);
3295 kfree_sensitive(smp);
3296 return ERR_CAST(tfm_ecdh);
3299 smp->local_oob = false;
3300 smp->tfm_cmac = tfm_cmac;
3301 smp->tfm_ecdh = tfm_ecdh;
3304 chan = l2cap_chan_create();
3307 crypto_free_shash(smp->tfm_cmac);
3308 crypto_free_kpp(smp->tfm_ecdh);
3309 kfree_sensitive(smp);
3311 return ERR_PTR(-ENOMEM);
3316 l2cap_add_scid(chan, cid);
3318 l2cap_chan_set_defaults(chan);
3320 if (cid == L2CAP_CID_SMP) {
3323 hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3325 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3326 chan->src_type = BDADDR_LE_PUBLIC;
3328 chan->src_type = BDADDR_LE_RANDOM;
3330 bacpy(&chan->src, &hdev->bdaddr);
3331 chan->src_type = BDADDR_BREDR;
3334 chan->state = BT_LISTEN;
3335 chan->mode = L2CAP_MODE_BASIC;
3336 chan->imtu = L2CAP_DEFAULT_MTU;
3337 chan->ops = &smp_root_chan_ops;
3339 /* Set correct nesting level for a parent/listening channel */
3340 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3345 static void smp_del_chan(struct l2cap_chan *chan)
3347 struct smp_dev *smp;
3349 BT_DBG("chan %p", chan);
3354 crypto_free_shash(smp->tfm_cmac);
3355 crypto_free_kpp(smp->tfm_ecdh);
3356 kfree_sensitive(smp);
3359 l2cap_chan_put(chan);
3362 int smp_force_bredr(struct hci_dev *hdev, bool enable)
3364 if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3368 struct l2cap_chan *chan;
3370 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3372 return PTR_ERR(chan);
3374 hdev->smp_bredr_data = chan;
3376 struct l2cap_chan *chan;
3378 chan = hdev->smp_bredr_data;
3379 hdev->smp_bredr_data = NULL;
3383 hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3388 int smp_register(struct hci_dev *hdev)
3390 struct l2cap_chan *chan;
3392 bt_dev_dbg(hdev, "");
3394 /* If the controller does not support Low Energy operation, then
3395 * there is also no need to register any SMP channel.
3397 if (!lmp_le_capable(hdev))
3400 if (WARN_ON(hdev->smp_data)) {
3401 chan = hdev->smp_data;
3402 hdev->smp_data = NULL;
3406 chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3408 return PTR_ERR(chan);
3410 hdev->smp_data = chan;
3412 if (!lmp_sc_capable(hdev)) {
3413 /* Flag can be already set here (due to power toggle) */
3414 if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3418 if (WARN_ON(hdev->smp_bredr_data)) {
3419 chan = hdev->smp_bredr_data;
3420 hdev->smp_bredr_data = NULL;
3424 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3426 int err = PTR_ERR(chan);
3427 chan = hdev->smp_data;
3428 hdev->smp_data = NULL;
3433 hdev->smp_bredr_data = chan;
3438 void smp_unregister(struct hci_dev *hdev)
3440 struct l2cap_chan *chan;
3442 if (hdev->smp_bredr_data) {
3443 chan = hdev->smp_bredr_data;
3444 hdev->smp_bredr_data = NULL;
3448 if (hdev->smp_data) {
3449 chan = hdev->smp_data;
3450 hdev->smp_data = NULL;
3455 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3457 static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
3462 err = set_ecdh_privkey(tfm_ecdh, debug_sk);
3466 err = generate_ecdh_public_key(tfm_ecdh, pk);
3470 if (crypto_memneq(pk, debug_pk, 64))
3476 static int __init test_ah(void)
3478 const u8 irk[16] = {
3479 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3480 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3481 const u8 r[3] = { 0x94, 0x81, 0x70 };
3482 const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3486 err = smp_ah(irk, r, res);
3490 if (crypto_memneq(res, exp, 3))
3496 static int __init test_c1(void)
3499 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3500 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3502 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3503 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3504 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3505 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3506 const u8 _iat = 0x01;
3507 const u8 _rat = 0x00;
3508 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3509 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3510 const u8 exp[16] = {
3511 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3512 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3516 err = smp_c1(k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3520 if (crypto_memneq(res, exp, 16))
3526 static int __init test_s1(void)
3529 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3530 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3532 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3534 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3535 const u8 exp[16] = {
3536 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3537 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3541 err = smp_s1(k, r1, r2, res);
3545 if (crypto_memneq(res, exp, 16))
3551 static int __init test_f4(struct crypto_shash *tfm_cmac)
3554 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3555 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3556 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3557 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3559 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3560 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3561 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3562 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3564 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3565 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3567 const u8 exp[16] = {
3568 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3569 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3573 err = smp_f4(tfm_cmac, u, v, x, z, res);
3577 if (crypto_memneq(res, exp, 16))
3583 static int __init test_f5(struct crypto_shash *tfm_cmac)
3586 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3587 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3588 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3589 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3591 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3592 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3594 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3595 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3596 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3597 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3598 const u8 exp_ltk[16] = {
3599 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3600 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3601 const u8 exp_mackey[16] = {
3602 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3603 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3604 u8 mackey[16], ltk[16];
3607 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3611 if (crypto_memneq(mackey, exp_mackey, 16))
3614 if (crypto_memneq(ltk, exp_ltk, 16))
3620 static int __init test_f6(struct crypto_shash *tfm_cmac)
3623 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3624 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3626 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3627 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3629 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3630 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3632 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3633 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3634 const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3635 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3636 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3637 const u8 exp[16] = {
3638 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3639 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3643 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3647 if (crypto_memneq(res, exp, 16))
3653 static int __init test_g2(struct crypto_shash *tfm_cmac)
3656 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3657 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3658 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3659 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3661 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3662 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3663 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3664 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3666 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3667 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3669 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3670 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3671 const u32 exp_val = 0x2f9ed5ba % 1000000;
3675 err = smp_g2(tfm_cmac, u, v, x, y, &val);
3685 static int __init test_h6(struct crypto_shash *tfm_cmac)
3688 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3689 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3690 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3691 const u8 exp[16] = {
3692 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3693 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3697 err = smp_h6(tfm_cmac, w, key_id, res);
3701 if (crypto_memneq(res, exp, 16))
3707 static char test_smp_buffer[32];
3709 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3710 size_t count, loff_t *ppos)
3712 return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3713 strlen(test_smp_buffer));
3716 static const struct file_operations test_smp_fops = {
3717 .open = simple_open,
3718 .read = test_smp_read,
3719 .llseek = default_llseek,
3722 static int __init run_selftests(struct crypto_shash *tfm_cmac,
3723 struct crypto_kpp *tfm_ecdh)
3725 ktime_t calltime, delta, rettime;
3726 unsigned long long duration;
3729 calltime = ktime_get();
3731 err = test_debug_key(tfm_ecdh);
3733 BT_ERR("debug_key test failed");
3739 BT_ERR("smp_ah test failed");
3745 BT_ERR("smp_c1 test failed");
3751 BT_ERR("smp_s1 test failed");
3755 err = test_f4(tfm_cmac);
3757 BT_ERR("smp_f4 test failed");
3761 err = test_f5(tfm_cmac);
3763 BT_ERR("smp_f5 test failed");
3767 err = test_f6(tfm_cmac);
3769 BT_ERR("smp_f6 test failed");
3773 err = test_g2(tfm_cmac);
3775 BT_ERR("smp_g2 test failed");
3779 err = test_h6(tfm_cmac);
3781 BT_ERR("smp_h6 test failed");
3785 rettime = ktime_get();
3786 delta = ktime_sub(rettime, calltime);
3787 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3789 BT_INFO("SMP test passed in %llu usecs", duration);
3793 snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3794 "PASS (%llu usecs)\n", duration);
3796 snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3798 debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3804 int __init bt_selftest_smp(void)
3806 struct crypto_shash *tfm_cmac;
3807 struct crypto_kpp *tfm_ecdh;
3810 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3811 if (IS_ERR(tfm_cmac)) {
3812 BT_ERR("Unable to create CMAC crypto context");
3813 return PTR_ERR(tfm_cmac);
3816 tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
3817 if (IS_ERR(tfm_ecdh)) {
3818 BT_ERR("Unable to create ECDH crypto context");
3819 crypto_free_shash(tfm_cmac);
3820 return PTR_ERR(tfm_ecdh);
3823 err = run_selftests(tfm_cmac, tfm_ecdh);
3825 crypto_free_shash(tfm_cmac);
3826 crypto_free_kpp(tfm_ecdh);