2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
23 #include <linux/debugfs.h>
24 #include <linux/scatterlist.h>
25 #include <linux/crypto.h>
26 #include <crypto/aes.h>
27 #include <crypto/algapi.h>
28 #include <crypto/b128ops.h>
29 #include <crypto/hash.h>
30 #include <crypto/kpp.h>
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/l2cap.h>
35 #include <net/bluetooth/mgmt.h>
37 #include "ecdh_helper.h"
40 #define SMP_DEV(hdev) \
41 ((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
43 /* Low-level debug macros to be used for stuff that we don't want
44 * accidentially in dmesg, i.e. the values of the various crypto keys
45 * and the inputs & outputs of crypto functions.
48 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
51 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
55 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
57 /* Keys which are not distributed with Secure Connections */
58 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
60 #define SMP_TIMEOUT msecs_to_jiffies(30000)
62 #define AUTH_REQ_MASK(dev) (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
64 #define KEY_DIST_MASK 0x07
66 /* Maximum message length that can be passed to aes_cmac */
67 #define CMAC_MSG_MAX 80
79 SMP_FLAG_DHKEY_PENDING,
86 /* Secure Connections OOB data */
92 struct crypto_shash *tfm_cmac;
93 struct crypto_kpp *tfm_ecdh;
97 struct l2cap_conn *conn;
98 struct delayed_work security_timer;
99 unsigned long allow_cmd; /* Bitmask of allowed commands */
101 u8 preq[7]; /* SMP Pairing Request */
102 u8 prsp[7]; /* SMP Pairing Response */
103 u8 prnd[16]; /* SMP Pairing Random (local) */
104 u8 rrnd[16]; /* SMP Pairing Random (remote) */
105 u8 pcnf[16]; /* SMP Pairing Confirm */
106 u8 tk[16]; /* SMP Temporary Key */
107 u8 rr[16]; /* Remote OOB ra/rb value */
108 u8 lr[16]; /* Local OOB ra/rb value */
114 struct smp_csrk *csrk;
115 struct smp_csrk *slave_csrk;
117 struct smp_ltk *slave_ltk;
118 struct smp_irk *remote_irk;
124 /* Secure Connections variables */
130 struct crypto_shash *tfm_cmac;
131 struct crypto_kpp *tfm_ecdh;
134 /* These debug key values are defined in the SMP section of the core
135 * specification. debug_pk is the public debug key and debug_sk the
138 static const u8 debug_pk[64] = {
139 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
140 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
141 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
142 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
144 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
145 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
146 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
147 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
150 static const u8 debug_sk[32] = {
151 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
152 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
153 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
154 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
157 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
161 for (i = 0; i < len; i++)
162 dst[len - 1 - i] = src[i];
165 /* The following functions map to the LE SC SMP crypto functions
166 * AES-CMAC, f4, f5, f6, g2 and h6.
169 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
170 size_t len, u8 mac[16])
172 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
175 if (len > CMAC_MSG_MAX)
179 BT_ERR("tfm %p", tfm);
183 /* Swap key and message from LSB to MSB */
184 swap_buf(k, tmp, 16);
185 swap_buf(m, msg_msb, len);
187 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
188 SMP_DBG("key %16phN", k);
190 err = crypto_shash_setkey(tfm, tmp, 16);
192 BT_ERR("cipher setkey failed: %d", err);
196 err = crypto_shash_tfm_digest(tfm, msg_msb, len, mac_msb);
198 BT_ERR("Hash computation error %d", err);
202 swap_buf(mac_msb, mac, 16);
204 SMP_DBG("mac %16phN", mac);
209 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
210 const u8 v[32], const u8 x[16], u8 z, u8 res[16])
215 SMP_DBG("u %32phN", u);
216 SMP_DBG("v %32phN", v);
217 SMP_DBG("x %16phN z %02x", x, z);
220 memcpy(m + 1, v, 32);
221 memcpy(m + 33, u, 32);
223 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
227 SMP_DBG("res %16phN", res);
232 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
233 const u8 n1[16], const u8 n2[16], const u8 a1[7],
234 const u8 a2[7], u8 mackey[16], u8 ltk[16])
236 /* The btle, salt and length "magic" values are as defined in
237 * the SMP section of the Bluetooth core specification. In ASCII
238 * the btle value ends up being 'btle'. The salt is just a
239 * random number whereas length is the value 256 in little
242 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
243 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
244 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
245 const u8 length[2] = { 0x00, 0x01 };
249 SMP_DBG("w %32phN", w);
250 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
251 SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
253 err = aes_cmac(tfm_cmac, salt, w, 32, t);
257 SMP_DBG("t %16phN", t);
259 memcpy(m, length, 2);
260 memcpy(m + 2, a2, 7);
261 memcpy(m + 9, a1, 7);
262 memcpy(m + 16, n2, 16);
263 memcpy(m + 32, n1, 16);
264 memcpy(m + 48, btle, 4);
266 m[52] = 0; /* Counter */
268 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
272 SMP_DBG("mackey %16phN", mackey);
274 m[52] = 1; /* Counter */
276 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
280 SMP_DBG("ltk %16phN", ltk);
285 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
286 const u8 n1[16], const u8 n2[16], const u8 r[16],
287 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
293 SMP_DBG("w %16phN", w);
294 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
295 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
298 memcpy(m + 7, a1, 7);
299 memcpy(m + 14, io_cap, 3);
300 memcpy(m + 17, r, 16);
301 memcpy(m + 33, n2, 16);
302 memcpy(m + 49, n1, 16);
304 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
308 SMP_DBG("res %16phN", res);
313 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
314 const u8 x[16], const u8 y[16], u32 *val)
319 SMP_DBG("u %32phN", u);
320 SMP_DBG("v %32phN", v);
321 SMP_DBG("x %16phN y %16phN", x, y);
324 memcpy(m + 16, v, 32);
325 memcpy(m + 48, u, 32);
327 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
331 *val = get_unaligned_le32(tmp);
334 SMP_DBG("val %06u", *val);
339 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
340 const u8 key_id[4], u8 res[16])
344 SMP_DBG("w %16phN key_id %4phN", w, key_id);
346 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
350 SMP_DBG("res %16phN", res);
355 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
356 const u8 salt[16], u8 res[16])
360 SMP_DBG("w %16phN salt %16phN", w, salt);
362 err = aes_cmac(tfm_cmac, salt, w, 16, res);
366 SMP_DBG("res %16phN", res);
371 /* The following functions map to the legacy SMP crypto functions e, c1,
375 static int smp_e(const u8 *k, u8 *r)
377 struct crypto_aes_ctx ctx;
378 uint8_t tmp[16], data[16];
381 SMP_DBG("k %16phN r %16phN", k, r);
383 /* The most significant octet of key corresponds to k[0] */
384 swap_buf(k, tmp, 16);
386 err = aes_expandkey(&ctx, tmp, 16);
388 BT_ERR("cipher setkey failed: %d", err);
392 /* Most significant octet of plaintextData corresponds to data[0] */
393 swap_buf(r, data, 16);
395 aes_encrypt(&ctx, data, data);
397 /* Most significant octet of encryptedData corresponds to data[0] */
398 swap_buf(data, r, 16);
400 SMP_DBG("r %16phN", r);
402 memzero_explicit(&ctx, sizeof (ctx));
406 static int smp_c1(const u8 k[16],
407 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
408 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
413 SMP_DBG("k %16phN r %16phN", k, r);
414 SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
415 SMP_DBG("preq %7phN pres %7phN", preq, pres);
419 /* p1 = pres || preq || _rat || _iat */
422 memcpy(p1 + 2, preq, 7);
423 memcpy(p1 + 9, pres, 7);
425 SMP_DBG("p1 %16phN", p1);
428 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
430 /* res = e(k, res) */
433 BT_ERR("Encrypt data error");
437 /* p2 = padding || ia || ra */
439 memcpy(p2 + 6, ia, 6);
440 memset(p2 + 12, 0, 4);
442 SMP_DBG("p2 %16phN", p2);
444 /* res = res XOR p2 */
445 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
447 /* res = e(k, res) */
450 BT_ERR("Encrypt data error");
455 static int smp_s1(const u8 k[16],
456 const u8 r1[16], const u8 r2[16], u8 _r[16])
460 /* Just least significant octets from r1 and r2 are considered */
462 memcpy(_r + 8, r1, 8);
466 BT_ERR("Encrypt data error");
471 static int smp_ah(const u8 irk[16], const u8 r[3], u8 res[3])
476 /* r' = padding || r */
478 memset(_res + 3, 0, 13);
480 err = smp_e(irk, _res);
482 BT_ERR("Encrypt error");
486 /* The output of the random address function ah is:
487 * ah(k, r) = e(k, r') mod 2^24
488 * The output of the security function e is then truncated to 24 bits
489 * by taking the least significant 24 bits of the output of e as the
492 memcpy(res, _res, 3);
497 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
498 const bdaddr_t *bdaddr)
500 struct l2cap_chan *chan = hdev->smp_data;
504 if (!chan || !chan->data)
507 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
509 err = smp_ah(irk, &bdaddr->b[3], hash);
513 return !crypto_memneq(bdaddr->b, hash, 3);
516 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
518 struct l2cap_chan *chan = hdev->smp_data;
521 if (!chan || !chan->data)
524 get_random_bytes(&rpa->b[3], 3);
526 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
527 rpa->b[5] |= 0x40; /* Set second most significant bit */
529 err = smp_ah(irk, &rpa->b[3], rpa->b);
533 BT_DBG("RPA %pMR", rpa);
538 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
540 struct l2cap_chan *chan = hdev->smp_data;
544 if (!chan || !chan->data)
549 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
550 BT_DBG("Using debug keys");
551 err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk);
554 memcpy(smp->local_pk, debug_pk, 64);
555 smp->debug_key = true;
558 /* Generate key pair for Secure Connections */
559 err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk);
563 /* This is unlikely, but we need to check that
564 * we didn't accidentially generate a debug key.
566 if (crypto_memneq(smp->local_pk, debug_pk, 64))
569 smp->debug_key = false;
572 SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
573 SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
575 get_random_bytes(smp->local_rand, 16);
577 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
578 smp->local_rand, 0, hash);
582 memcpy(rand, smp->local_rand, 16);
584 smp->local_oob = true;
589 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
591 struct l2cap_chan *chan = conn->smp;
592 struct smp_chan *smp;
599 BT_DBG("code 0x%2.2x", code);
601 iv[0].iov_base = &code;
604 iv[1].iov_base = data;
607 memset(&msg, 0, sizeof(msg));
609 iov_iter_kvec(&msg.msg_iter, WRITE, iv, 2, 1 + len);
611 l2cap_chan_send(chan, &msg, 1 + len);
618 cancel_delayed_work_sync(&smp->security_timer);
619 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
622 static u8 authreq_to_seclevel(u8 authreq)
624 if (authreq & SMP_AUTH_MITM) {
625 if (authreq & SMP_AUTH_SC)
626 return BT_SECURITY_FIPS;
628 return BT_SECURITY_HIGH;
630 return BT_SECURITY_MEDIUM;
634 static __u8 seclevel_to_authreq(__u8 sec_level)
637 case BT_SECURITY_FIPS:
638 case BT_SECURITY_HIGH:
639 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
640 case BT_SECURITY_MEDIUM:
641 return SMP_AUTH_BONDING;
643 return SMP_AUTH_NONE;
647 static void build_pairing_cmd(struct l2cap_conn *conn,
648 struct smp_cmd_pairing *req,
649 struct smp_cmd_pairing *rsp, __u8 authreq)
651 struct l2cap_chan *chan = conn->smp;
652 struct smp_chan *smp = chan->data;
653 struct hci_conn *hcon = conn->hcon;
654 struct hci_dev *hdev = hcon->hdev;
655 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
657 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
658 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
659 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
660 authreq |= SMP_AUTH_BONDING;
662 authreq &= ~SMP_AUTH_BONDING;
665 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
666 remote_dist |= SMP_DIST_ID_KEY;
668 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
669 local_dist |= SMP_DIST_ID_KEY;
671 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
672 (authreq & SMP_AUTH_SC)) {
673 struct oob_data *oob_data;
676 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
677 local_dist |= SMP_DIST_LINK_KEY;
678 remote_dist |= SMP_DIST_LINK_KEY;
681 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
682 bdaddr_type = BDADDR_LE_PUBLIC;
684 bdaddr_type = BDADDR_LE_RANDOM;
686 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
688 if (oob_data && oob_data->present) {
689 set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
690 oob_flag = SMP_OOB_PRESENT;
691 memcpy(smp->rr, oob_data->rand256, 16);
692 memcpy(smp->pcnf, oob_data->hash256, 16);
693 SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
694 SMP_DBG("OOB Remote Random: %16phN", smp->rr);
698 authreq &= ~SMP_AUTH_SC;
702 req->io_capability = conn->hcon->io_capability;
703 req->oob_flag = oob_flag;
704 req->max_key_size = hdev->le_max_key_size;
705 req->init_key_dist = local_dist;
706 req->resp_key_dist = remote_dist;
707 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
709 smp->remote_key_dist = remote_dist;
713 rsp->io_capability = conn->hcon->io_capability;
714 rsp->oob_flag = oob_flag;
715 rsp->max_key_size = hdev->le_max_key_size;
716 rsp->init_key_dist = req->init_key_dist & remote_dist;
717 rsp->resp_key_dist = req->resp_key_dist & local_dist;
718 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
720 smp->remote_key_dist = rsp->init_key_dist;
723 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
725 struct l2cap_chan *chan = conn->smp;
726 struct hci_dev *hdev = conn->hcon->hdev;
727 struct smp_chan *smp = chan->data;
729 if (max_key_size > hdev->le_max_key_size ||
730 max_key_size < SMP_MIN_ENC_KEY_SIZE)
731 return SMP_ENC_KEY_SIZE;
733 smp->enc_key_size = max_key_size;
738 static void smp_chan_destroy(struct l2cap_conn *conn)
740 struct l2cap_chan *chan = conn->smp;
741 struct smp_chan *smp = chan->data;
742 struct hci_conn *hcon = conn->hcon;
747 cancel_delayed_work_sync(&smp->security_timer);
749 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
750 mgmt_smp_complete(hcon, complete);
753 kzfree(smp->slave_csrk);
754 kzfree(smp->link_key);
756 crypto_free_shash(smp->tfm_cmac);
757 crypto_free_kpp(smp->tfm_ecdh);
759 /* Ensure that we don't leave any debug key around if debug key
760 * support hasn't been explicitly enabled.
762 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
763 !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
764 list_del_rcu(&smp->ltk->list);
765 kfree_rcu(smp->ltk, rcu);
769 /* If pairing failed clean up any keys we might have */
772 list_del_rcu(&smp->ltk->list);
773 kfree_rcu(smp->ltk, rcu);
776 if (smp->slave_ltk) {
777 list_del_rcu(&smp->slave_ltk->list);
778 kfree_rcu(smp->slave_ltk, rcu);
781 if (smp->remote_irk) {
782 list_del_rcu(&smp->remote_irk->list);
783 kfree_rcu(smp->remote_irk, rcu);
792 static void smp_failure(struct l2cap_conn *conn, u8 reason)
794 struct hci_conn *hcon = conn->hcon;
795 struct l2cap_chan *chan = conn->smp;
798 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
801 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
804 smp_chan_destroy(conn);
807 #define JUST_WORKS 0x00
808 #define JUST_CFM 0x01
809 #define REQ_PASSKEY 0x02
810 #define CFM_PASSKEY 0x03
812 #define DSP_PASSKEY 0x05
815 static const u8 gen_method[5][5] = {
816 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
817 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
818 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
819 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
820 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
823 static const u8 sc_method[5][5] = {
824 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
825 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
826 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
827 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
828 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
831 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
833 /* If either side has unknown io_caps, use JUST_CFM (which gets
834 * converted later to JUST_WORKS if we're initiators.
836 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
837 remote_io > SMP_IO_KEYBOARD_DISPLAY)
840 if (test_bit(SMP_FLAG_SC, &smp->flags))
841 return sc_method[remote_io][local_io];
843 return gen_method[remote_io][local_io];
846 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
847 u8 local_io, u8 remote_io)
849 struct hci_conn *hcon = conn->hcon;
850 struct l2cap_chan *chan = conn->smp;
851 struct smp_chan *smp = chan->data;
855 /* Initialize key for JUST WORKS */
856 memset(smp->tk, 0, sizeof(smp->tk));
857 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
859 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
861 /* If neither side wants MITM, either "just" confirm an incoming
862 * request or use just-works for outgoing ones. The JUST_CFM
863 * will be converted to JUST_WORKS if necessary later in this
864 * function. If either side has MITM look up the method from the
867 if (!(auth & SMP_AUTH_MITM))
868 smp->method = JUST_CFM;
870 smp->method = get_auth_method(smp, local_io, remote_io);
872 /* Don't confirm locally initiated pairing attempts */
873 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
875 smp->method = JUST_WORKS;
877 /* Don't bother user space with no IO capabilities */
878 if (smp->method == JUST_CFM &&
879 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
880 smp->method = JUST_WORKS;
882 /* If Just Works, Continue with Zero TK */
883 if (smp->method == JUST_WORKS) {
884 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
888 /* If this function is used for SC -> legacy fallback we
889 * can only recover the just-works case.
891 if (test_bit(SMP_FLAG_SC, &smp->flags))
894 /* Not Just Works/Confirm results in MITM Authentication */
895 if (smp->method != JUST_CFM) {
896 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
897 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
898 hcon->pending_sec_level = BT_SECURITY_HIGH;
901 /* If both devices have Keyoard-Display I/O, the master
902 * Confirms and the slave Enters the passkey.
904 if (smp->method == OVERLAP) {
905 if (hcon->role == HCI_ROLE_MASTER)
906 smp->method = CFM_PASSKEY;
908 smp->method = REQ_PASSKEY;
911 /* Generate random passkey. */
912 if (smp->method == CFM_PASSKEY) {
913 memset(smp->tk, 0, sizeof(smp->tk));
914 get_random_bytes(&passkey, sizeof(passkey));
916 put_unaligned_le32(passkey, smp->tk);
917 BT_DBG("PassKey: %d", passkey);
918 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
921 if (smp->method == REQ_PASSKEY)
922 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
923 hcon->type, hcon->dst_type);
924 else if (smp->method == JUST_CFM)
925 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
926 hcon->type, hcon->dst_type,
929 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
930 hcon->type, hcon->dst_type,
936 static u8 smp_confirm(struct smp_chan *smp)
938 struct l2cap_conn *conn = smp->conn;
939 struct smp_cmd_pairing_confirm cp;
942 BT_DBG("conn %p", conn);
944 ret = smp_c1(smp->tk, smp->prnd, smp->preq, smp->prsp,
945 conn->hcon->init_addr_type, &conn->hcon->init_addr,
946 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
949 return SMP_UNSPECIFIED;
951 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
953 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
956 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
958 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
963 static u8 smp_random(struct smp_chan *smp)
965 struct l2cap_conn *conn = smp->conn;
966 struct hci_conn *hcon = conn->hcon;
970 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
972 ret = smp_c1(smp->tk, smp->rrnd, smp->preq, smp->prsp,
973 hcon->init_addr_type, &hcon->init_addr,
974 hcon->resp_addr_type, &hcon->resp_addr, confirm);
976 return SMP_UNSPECIFIED;
978 if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
979 bt_dev_err(hcon->hdev, "pairing failed "
980 "(confirmation values mismatch)");
981 return SMP_CONFIRM_FAILED;
989 smp_s1(smp->tk, smp->rrnd, smp->prnd, stk);
991 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
992 return SMP_UNSPECIFIED;
994 hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
995 hcon->enc_key_size = smp->enc_key_size;
996 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1002 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1005 smp_s1(smp->tk, smp->prnd, smp->rrnd, stk);
1007 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1012 /* Even though there's no _SLAVE suffix this is the
1013 * slave STK we're adding for later lookup (the master
1014 * STK never needs to be stored).
1016 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1017 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1023 static void smp_notify_keys(struct l2cap_conn *conn)
1025 struct l2cap_chan *chan = conn->smp;
1026 struct smp_chan *smp = chan->data;
1027 struct hci_conn *hcon = conn->hcon;
1028 struct hci_dev *hdev = hcon->hdev;
1029 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1030 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1033 if (hcon->type == ACL_LINK) {
1034 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1037 persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1040 /* The LTKs, IRKs and CSRKs should be persistent only if
1041 * both sides had the bonding bit set in their
1042 * authentication requests.
1044 persistent = !!((req->auth_req & rsp->auth_req) &
1048 if (smp->remote_irk) {
1049 mgmt_new_irk(hdev, smp->remote_irk, persistent);
1051 /* Now that user space can be considered to know the
1052 * identity address track the connection based on it
1053 * from now on (assuming this is an LE link).
1055 if (hcon->type == LE_LINK) {
1056 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1057 hcon->dst_type = smp->remote_irk->addr_type;
1058 queue_work(hdev->workqueue, &conn->id_addr_update_work);
1063 smp->csrk->bdaddr_type = hcon->dst_type;
1064 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1065 mgmt_new_csrk(hdev, smp->csrk, persistent);
1068 if (smp->slave_csrk) {
1069 smp->slave_csrk->bdaddr_type = hcon->dst_type;
1070 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1071 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1075 smp->ltk->bdaddr_type = hcon->dst_type;
1076 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1077 mgmt_new_ltk(hdev, smp->ltk, persistent);
1080 if (smp->slave_ltk) {
1081 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1082 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1083 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1086 if (smp->link_key) {
1087 struct link_key *key;
1090 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1091 type = HCI_LK_DEBUG_COMBINATION;
1092 else if (hcon->sec_level == BT_SECURITY_FIPS)
1093 type = HCI_LK_AUTH_COMBINATION_P256;
1095 type = HCI_LK_UNAUTH_COMBINATION_P256;
1097 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1098 smp->link_key, type, 0, &persistent);
1100 mgmt_new_link_key(hdev, key, persistent);
1102 /* Don't keep debug keys around if the relevant
1105 if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1106 key->type == HCI_LK_DEBUG_COMBINATION) {
1107 list_del_rcu(&key->list);
1108 kfree_rcu(key, rcu);
1114 static void sc_add_ltk(struct smp_chan *smp)
1116 struct hci_conn *hcon = smp->conn->hcon;
1119 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1120 key_type = SMP_LTK_P256_DEBUG;
1122 key_type = SMP_LTK_P256;
1124 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1129 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1130 key_type, auth, smp->tk, smp->enc_key_size,
1134 static void sc_generate_link_key(struct smp_chan *smp)
1136 /* From core spec. Spells out in ASCII as 'lebr'. */
1137 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1139 smp->link_key = kzalloc(16, GFP_KERNEL);
1143 if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1144 /* SALT = 0x000000000000000000000000746D7031 */
1145 const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1147 if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1148 kzfree(smp->link_key);
1149 smp->link_key = NULL;
1153 /* From core spec. Spells out in ASCII as 'tmp1'. */
1154 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1156 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1157 kzfree(smp->link_key);
1158 smp->link_key = NULL;
1163 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1164 kzfree(smp->link_key);
1165 smp->link_key = NULL;
1170 static void smp_allow_key_dist(struct smp_chan *smp)
1172 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1173 * will be allowed in each PDU handler to ensure we receive
1174 * them in the correct order.
1176 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1177 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1178 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1179 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1180 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1181 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1184 static void sc_generate_ltk(struct smp_chan *smp)
1186 /* From core spec. Spells out in ASCII as 'brle'. */
1187 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1188 struct hci_conn *hcon = smp->conn->hcon;
1189 struct hci_dev *hdev = hcon->hdev;
1190 struct link_key *key;
1192 key = hci_find_link_key(hdev, &hcon->dst);
1194 bt_dev_err(hdev, "no Link Key found to generate LTK");
1198 if (key->type == HCI_LK_DEBUG_COMBINATION)
1199 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1201 if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1202 /* SALT = 0x000000000000000000000000746D7032 */
1203 const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1205 if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1208 /* From core spec. Spells out in ASCII as 'tmp2'. */
1209 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1211 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1215 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1221 static void smp_distribute_keys(struct smp_chan *smp)
1223 struct smp_cmd_pairing *req, *rsp;
1224 struct l2cap_conn *conn = smp->conn;
1225 struct hci_conn *hcon = conn->hcon;
1226 struct hci_dev *hdev = hcon->hdev;
1229 BT_DBG("conn %p", conn);
1231 rsp = (void *) &smp->prsp[1];
1233 /* The responder sends its keys first */
1234 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1235 smp_allow_key_dist(smp);
1239 req = (void *) &smp->preq[1];
1242 keydist = &rsp->init_key_dist;
1243 *keydist &= req->init_key_dist;
1245 keydist = &rsp->resp_key_dist;
1246 *keydist &= req->resp_key_dist;
1249 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1250 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1251 sc_generate_link_key(smp);
1252 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1253 sc_generate_ltk(smp);
1255 /* Clear the keys which are generated but not distributed */
1256 *keydist &= ~SMP_SC_NO_DIST;
1259 BT_DBG("keydist 0x%x", *keydist);
1261 if (*keydist & SMP_DIST_ENC_KEY) {
1262 struct smp_cmd_encrypt_info enc;
1263 struct smp_cmd_master_ident ident;
1264 struct smp_ltk *ltk;
1269 /* Make sure we generate only the significant amount of
1270 * bytes based on the encryption key size, and set the rest
1271 * of the value to zeroes.
1273 get_random_bytes(enc.ltk, smp->enc_key_size);
1274 memset(enc.ltk + smp->enc_key_size, 0,
1275 sizeof(enc.ltk) - smp->enc_key_size);
1277 get_random_bytes(&ediv, sizeof(ediv));
1278 get_random_bytes(&rand, sizeof(rand));
1280 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1282 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1283 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1284 SMP_LTK_SLAVE, authenticated, enc.ltk,
1285 smp->enc_key_size, ediv, rand);
1286 smp->slave_ltk = ltk;
1291 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1293 *keydist &= ~SMP_DIST_ENC_KEY;
1296 if (*keydist & SMP_DIST_ID_KEY) {
1297 struct smp_cmd_ident_addr_info addrinfo;
1298 struct smp_cmd_ident_info idinfo;
1300 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1302 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1304 /* The hci_conn contains the local identity address
1305 * after the connection has been established.
1307 * This is true even when the connection has been
1308 * established using a resolvable random address.
1310 bacpy(&addrinfo.bdaddr, &hcon->src);
1311 addrinfo.addr_type = hcon->src_type;
1313 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1316 *keydist &= ~SMP_DIST_ID_KEY;
1319 if (*keydist & SMP_DIST_SIGN) {
1320 struct smp_cmd_sign_info sign;
1321 struct smp_csrk *csrk;
1323 /* Generate a new random key */
1324 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1326 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1328 if (hcon->sec_level > BT_SECURITY_MEDIUM)
1329 csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1331 csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1332 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1334 smp->slave_csrk = csrk;
1336 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1338 *keydist &= ~SMP_DIST_SIGN;
1341 /* If there are still keys to be received wait for them */
1342 if (smp->remote_key_dist & KEY_DIST_MASK) {
1343 smp_allow_key_dist(smp);
1347 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1348 smp_notify_keys(conn);
1350 smp_chan_destroy(conn);
1353 static void smp_timeout(struct work_struct *work)
1355 struct smp_chan *smp = container_of(work, struct smp_chan,
1356 security_timer.work);
1357 struct l2cap_conn *conn = smp->conn;
1359 BT_DBG("conn %p", conn);
1361 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1364 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1366 struct l2cap_chan *chan = conn->smp;
1367 struct smp_chan *smp;
1369 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1373 smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1374 if (IS_ERR(smp->tfm_cmac)) {
1375 BT_ERR("Unable to create CMAC crypto context");
1379 smp->tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
1380 if (IS_ERR(smp->tfm_ecdh)) {
1381 BT_ERR("Unable to create ECDH crypto context");
1388 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1390 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1392 hci_conn_hold(conn->hcon);
1397 crypto_free_shash(smp->tfm_cmac);
1403 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1405 struct hci_conn *hcon = smp->conn->hcon;
1406 u8 *na, *nb, a[7], b[7];
1416 memcpy(a, &hcon->init_addr, 6);
1417 memcpy(b, &hcon->resp_addr, 6);
1418 a[6] = hcon->init_addr_type;
1419 b[6] = hcon->resp_addr_type;
1421 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1424 static void sc_dhkey_check(struct smp_chan *smp)
1426 struct hci_conn *hcon = smp->conn->hcon;
1427 struct smp_cmd_dhkey_check check;
1428 u8 a[7], b[7], *local_addr, *remote_addr;
1429 u8 io_cap[3], r[16];
1431 memcpy(a, &hcon->init_addr, 6);
1432 memcpy(b, &hcon->resp_addr, 6);
1433 a[6] = hcon->init_addr_type;
1434 b[6] = hcon->resp_addr_type;
1439 memcpy(io_cap, &smp->preq[1], 3);
1443 memcpy(io_cap, &smp->prsp[1], 3);
1446 memset(r, 0, sizeof(r));
1448 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1449 put_unaligned_le32(hcon->passkey_notify, r);
1451 if (smp->method == REQ_OOB)
1452 memcpy(r, smp->rr, 16);
1454 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1455 local_addr, remote_addr, check.e);
1457 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1460 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1462 struct l2cap_conn *conn = smp->conn;
1463 struct hci_conn *hcon = conn->hcon;
1464 struct smp_cmd_pairing_confirm cfm;
1467 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1470 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1472 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1474 return SMP_UNSPECIFIED;
1476 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1481 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1483 struct l2cap_conn *conn = smp->conn;
1484 struct hci_conn *hcon = conn->hcon;
1485 struct hci_dev *hdev = hcon->hdev;
1488 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1489 if (smp->passkey_round >= 20)
1493 case SMP_CMD_PAIRING_RANDOM:
1494 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1497 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1499 return SMP_UNSPECIFIED;
1501 if (crypto_memneq(smp->pcnf, cfm, 16))
1502 return SMP_CONFIRM_FAILED;
1504 smp->passkey_round++;
1506 if (smp->passkey_round == 20) {
1507 /* Generate MacKey and LTK */
1508 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1509 return SMP_UNSPECIFIED;
1512 /* The round is only complete when the initiator
1513 * receives pairing random.
1516 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1517 sizeof(smp->prnd), smp->prnd);
1518 if (smp->passkey_round == 20)
1519 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1521 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1525 /* Start the next round */
1526 if (smp->passkey_round != 20)
1527 return sc_passkey_round(smp, 0);
1529 /* Passkey rounds are complete - start DHKey Check */
1530 sc_dhkey_check(smp);
1531 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1535 case SMP_CMD_PAIRING_CONFIRM:
1536 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1537 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1541 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1544 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1545 sizeof(smp->prnd), smp->prnd);
1549 return sc_passkey_send_confirm(smp);
1551 case SMP_CMD_PUBLIC_KEY:
1553 /* Initiating device starts the round */
1557 BT_DBG("%s Starting passkey round %u", hdev->name,
1558 smp->passkey_round + 1);
1560 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1562 return sc_passkey_send_confirm(smp);
1568 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1570 struct l2cap_conn *conn = smp->conn;
1571 struct hci_conn *hcon = conn->hcon;
1574 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1577 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1578 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1580 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1581 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1583 case MGMT_OP_USER_PASSKEY_REPLY:
1584 hcon->passkey_notify = le32_to_cpu(passkey);
1585 smp->passkey_round = 0;
1587 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1588 smp_op = SMP_CMD_PAIRING_CONFIRM;
1592 if (sc_passkey_round(smp, smp_op))
1598 /* Initiator sends DHKey check first */
1600 sc_dhkey_check(smp);
1601 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1602 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1603 sc_dhkey_check(smp);
1610 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1612 struct l2cap_conn *conn = hcon->l2cap_data;
1613 struct l2cap_chan *chan;
1614 struct smp_chan *smp;
1627 l2cap_chan_lock(chan);
1635 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1636 err = sc_user_reply(smp, mgmt_op, passkey);
1641 case MGMT_OP_USER_PASSKEY_REPLY:
1642 value = le32_to_cpu(passkey);
1643 memset(smp->tk, 0, sizeof(smp->tk));
1644 BT_DBG("PassKey: %d", value);
1645 put_unaligned_le32(value, smp->tk);
1647 case MGMT_OP_USER_CONFIRM_REPLY:
1648 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1650 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1651 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1652 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1656 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1663 /* If it is our turn to send Pairing Confirm, do so now */
1664 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1665 u8 rsp = smp_confirm(smp);
1667 smp_failure(conn, rsp);
1671 l2cap_chan_unlock(chan);
1675 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1676 struct smp_cmd_pairing *req,
1677 struct smp_cmd_pairing *rsp)
1679 struct l2cap_conn *conn = smp->conn;
1680 struct hci_dev *hdev = conn->hcon->hdev;
1681 u8 local_dist = 0, remote_dist = 0;
1683 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1684 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1685 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1688 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1689 remote_dist |= SMP_DIST_ID_KEY;
1691 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1692 local_dist |= SMP_DIST_ID_KEY;
1695 memset(req, 0, sizeof(*req));
1697 req->auth_req = SMP_AUTH_CT2;
1698 req->init_key_dist = local_dist;
1699 req->resp_key_dist = remote_dist;
1700 req->max_key_size = conn->hcon->enc_key_size;
1702 smp->remote_key_dist = remote_dist;
1707 memset(rsp, 0, sizeof(*rsp));
1709 rsp->auth_req = SMP_AUTH_CT2;
1710 rsp->max_key_size = conn->hcon->enc_key_size;
1711 rsp->init_key_dist = req->init_key_dist & remote_dist;
1712 rsp->resp_key_dist = req->resp_key_dist & local_dist;
1714 smp->remote_key_dist = rsp->init_key_dist;
1717 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1719 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1720 struct l2cap_chan *chan = conn->smp;
1721 struct hci_dev *hdev = conn->hcon->hdev;
1722 struct smp_chan *smp;
1723 u8 key_size, auth, sec_level;
1726 BT_DBG("conn %p", conn);
1728 if (skb->len < sizeof(*req))
1729 return SMP_INVALID_PARAMS;
1731 if (conn->hcon->role != HCI_ROLE_SLAVE)
1732 return SMP_CMD_NOTSUPP;
1735 smp = smp_chan_create(conn);
1740 return SMP_UNSPECIFIED;
1742 /* We didn't start the pairing, so match remote */
1743 auth = req->auth_req & AUTH_REQ_MASK(hdev);
1745 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1746 (auth & SMP_AUTH_BONDING))
1747 return SMP_PAIRING_NOTSUPP;
1749 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1750 return SMP_AUTH_REQUIREMENTS;
1752 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1753 memcpy(&smp->preq[1], req, sizeof(*req));
1754 skb_pull(skb, sizeof(*req));
1756 /* If the remote side's OOB flag is set it means it has
1757 * successfully received our local OOB data - therefore set the
1758 * flag to indicate that local OOB is in use.
1760 if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1761 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1763 /* SMP over BR/EDR requires special treatment */
1764 if (conn->hcon->type == ACL_LINK) {
1765 /* We must have a BR/EDR SC link */
1766 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1767 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1768 return SMP_CROSS_TRANSP_NOT_ALLOWED;
1770 set_bit(SMP_FLAG_SC, &smp->flags);
1772 build_bredr_pairing_cmd(smp, req, &rsp);
1774 if (req->auth_req & SMP_AUTH_CT2)
1775 set_bit(SMP_FLAG_CT2, &smp->flags);
1777 key_size = min(req->max_key_size, rsp.max_key_size);
1778 if (check_enc_key_size(conn, key_size))
1779 return SMP_ENC_KEY_SIZE;
1781 /* Clear bits which are generated but not distributed */
1782 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1784 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1785 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1786 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1788 smp_distribute_keys(smp);
1792 build_pairing_cmd(conn, req, &rsp, auth);
1794 if (rsp.auth_req & SMP_AUTH_SC) {
1795 set_bit(SMP_FLAG_SC, &smp->flags);
1797 if (rsp.auth_req & SMP_AUTH_CT2)
1798 set_bit(SMP_FLAG_CT2, &smp->flags);
1801 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1802 sec_level = BT_SECURITY_MEDIUM;
1804 sec_level = authreq_to_seclevel(auth);
1806 if (sec_level > conn->hcon->pending_sec_level)
1807 conn->hcon->pending_sec_level = sec_level;
1809 /* If we need MITM check that it can be achieved */
1810 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1813 method = get_auth_method(smp, conn->hcon->io_capability,
1814 req->io_capability);
1815 if (method == JUST_WORKS || method == JUST_CFM)
1816 return SMP_AUTH_REQUIREMENTS;
1819 key_size = min(req->max_key_size, rsp.max_key_size);
1820 if (check_enc_key_size(conn, key_size))
1821 return SMP_ENC_KEY_SIZE;
1823 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1825 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1826 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1828 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1830 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1832 /* Strictly speaking we shouldn't allow Pairing Confirm for the
1833 * SC case, however some implementations incorrectly copy RFU auth
1834 * req bits from our security request, which may create a false
1835 * positive SC enablement.
1837 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1839 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1840 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1841 /* Clear bits which are generated but not distributed */
1842 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1843 /* Wait for Public Key from Initiating Device */
1847 /* Request setup of TK */
1848 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1850 return SMP_UNSPECIFIED;
1855 static u8 sc_send_public_key(struct smp_chan *smp)
1857 struct hci_dev *hdev = smp->conn->hcon->hdev;
1861 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1862 struct l2cap_chan *chan = hdev->smp_data;
1863 struct smp_dev *smp_dev;
1865 if (!chan || !chan->data)
1866 return SMP_UNSPECIFIED;
1868 smp_dev = chan->data;
1870 memcpy(smp->local_pk, smp_dev->local_pk, 64);
1871 memcpy(smp->lr, smp_dev->local_rand, 16);
1873 if (smp_dev->debug_key)
1874 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1879 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1880 BT_DBG("Using debug keys");
1881 if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
1882 return SMP_UNSPECIFIED;
1883 memcpy(smp->local_pk, debug_pk, 64);
1884 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1887 /* Generate key pair for Secure Connections */
1888 if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
1889 return SMP_UNSPECIFIED;
1891 /* This is unlikely, but we need to check that
1892 * we didn't accidentially generate a debug key.
1894 if (crypto_memneq(smp->local_pk, debug_pk, 64))
1900 SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1901 SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1903 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1908 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1910 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1911 struct l2cap_chan *chan = conn->smp;
1912 struct smp_chan *smp = chan->data;
1913 struct hci_dev *hdev = conn->hcon->hdev;
1917 BT_DBG("conn %p", conn);
1919 if (skb->len < sizeof(*rsp))
1920 return SMP_INVALID_PARAMS;
1922 if (conn->hcon->role != HCI_ROLE_MASTER)
1923 return SMP_CMD_NOTSUPP;
1925 skb_pull(skb, sizeof(*rsp));
1927 req = (void *) &smp->preq[1];
1929 key_size = min(req->max_key_size, rsp->max_key_size);
1930 if (check_enc_key_size(conn, key_size))
1931 return SMP_ENC_KEY_SIZE;
1933 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1935 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1936 return SMP_AUTH_REQUIREMENTS;
1938 /* If the remote side's OOB flag is set it means it has
1939 * successfully received our local OOB data - therefore set the
1940 * flag to indicate that local OOB is in use.
1942 if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1943 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1945 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1946 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1948 /* Update remote key distribution in case the remote cleared
1949 * some bits that we had enabled in our request.
1951 smp->remote_key_dist &= rsp->resp_key_dist;
1953 if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1954 set_bit(SMP_FLAG_CT2, &smp->flags);
1956 /* For BR/EDR this means we're done and can start phase 3 */
1957 if (conn->hcon->type == ACL_LINK) {
1958 /* Clear bits which are generated but not distributed */
1959 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1960 smp_distribute_keys(smp);
1964 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1965 set_bit(SMP_FLAG_SC, &smp->flags);
1966 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1967 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1969 /* If we need MITM check that it can be achieved */
1970 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1973 method = get_auth_method(smp, req->io_capability,
1974 rsp->io_capability);
1975 if (method == JUST_WORKS || method == JUST_CFM)
1976 return SMP_AUTH_REQUIREMENTS;
1979 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1981 /* Update remote key distribution in case the remote cleared
1982 * some bits that we had enabled in our request.
1984 smp->remote_key_dist &= rsp->resp_key_dist;
1986 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1987 /* Clear bits which are generated but not distributed */
1988 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1989 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1990 return sc_send_public_key(smp);
1993 auth |= req->auth_req;
1995 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
1997 return SMP_UNSPECIFIED;
1999 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2001 /* Can't compose response until we have been confirmed */
2002 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2003 return smp_confirm(smp);
2008 static u8 sc_check_confirm(struct smp_chan *smp)
2010 struct l2cap_conn *conn = smp->conn;
2014 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2015 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2017 if (conn->hcon->out) {
2018 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2020 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2026 /* Work-around for some implementations that incorrectly copy RFU bits
2027 * from our security request and thereby create the impression that
2028 * we're doing SC when in fact the remote doesn't support it.
2030 static int fixup_sc_false_positive(struct smp_chan *smp)
2032 struct l2cap_conn *conn = smp->conn;
2033 struct hci_conn *hcon = conn->hcon;
2034 struct hci_dev *hdev = hcon->hdev;
2035 struct smp_cmd_pairing *req, *rsp;
2038 /* The issue is only observed when we're in slave role */
2040 return SMP_UNSPECIFIED;
2042 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2043 bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
2044 return SMP_UNSPECIFIED;
2047 bt_dev_err(hdev, "trying to fall back to legacy SMP");
2049 req = (void *) &smp->preq[1];
2050 rsp = (void *) &smp->prsp[1];
2052 /* Rebuild key dist flags which may have been cleared for SC */
2053 smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2055 auth = req->auth_req & AUTH_REQ_MASK(hdev);
2057 if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2058 bt_dev_err(hdev, "failed to fall back to legacy SMP");
2059 return SMP_UNSPECIFIED;
2062 clear_bit(SMP_FLAG_SC, &smp->flags);
2067 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2069 struct l2cap_chan *chan = conn->smp;
2070 struct smp_chan *smp = chan->data;
2072 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
2074 if (skb->len < sizeof(smp->pcnf))
2075 return SMP_INVALID_PARAMS;
2077 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2078 skb_pull(skb, sizeof(smp->pcnf));
2080 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2083 /* Public Key exchange must happen before any other steps */
2084 if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2085 return sc_check_confirm(smp);
2087 BT_ERR("Unexpected SMP Pairing Confirm");
2089 ret = fixup_sc_false_positive(smp);
2094 if (conn->hcon->out) {
2095 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2097 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2101 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2102 return smp_confirm(smp);
2104 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2109 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2111 struct l2cap_chan *chan = conn->smp;
2112 struct smp_chan *smp = chan->data;
2113 struct hci_conn *hcon = conn->hcon;
2114 u8 *pkax, *pkbx, *na, *nb, confirm_hint;
2118 BT_DBG("conn %p", conn);
2120 if (skb->len < sizeof(smp->rrnd))
2121 return SMP_INVALID_PARAMS;
2123 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2124 skb_pull(skb, sizeof(smp->rrnd));
2126 if (!test_bit(SMP_FLAG_SC, &smp->flags))
2127 return smp_random(smp);
2130 pkax = smp->local_pk;
2131 pkbx = smp->remote_pk;
2135 pkax = smp->remote_pk;
2136 pkbx = smp->local_pk;
2141 if (smp->method == REQ_OOB) {
2143 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2144 sizeof(smp->prnd), smp->prnd);
2145 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2146 goto mackey_and_ltk;
2149 /* Passkey entry has special treatment */
2150 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2151 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2156 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2159 return SMP_UNSPECIFIED;
2161 if (crypto_memneq(smp->pcnf, cfm, 16))
2162 return SMP_CONFIRM_FAILED;
2164 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2166 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2168 /* Only Just-Works pairing requires extra checks */
2169 if (smp->method != JUST_WORKS)
2170 goto mackey_and_ltk;
2172 /* If there already exists long term key in local host, leave
2173 * the decision to user space since the remote device could
2174 * be legitimate or malicious.
2176 if (hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
2178 /* Set passkey to 0. The value can be any number since
2179 * it'll be ignored anyway.
2188 /* Generate MacKey and LTK */
2189 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2191 return SMP_UNSPECIFIED;
2193 if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2195 sc_dhkey_check(smp);
2196 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2201 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2203 return SMP_UNSPECIFIED;
2208 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2209 hcon->dst_type, passkey, confirm_hint);
2211 return SMP_UNSPECIFIED;
2213 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2218 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2220 struct smp_ltk *key;
2221 struct hci_conn *hcon = conn->hcon;
2223 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2227 if (smp_ltk_sec_level(key) < sec_level)
2230 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2233 hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2234 hcon->enc_key_size = key->enc_size;
2236 /* We never store STKs for master role, so clear this flag */
2237 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2242 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2243 enum smp_key_pref key_pref)
2245 if (sec_level == BT_SECURITY_LOW)
2248 /* If we're encrypted with an STK but the caller prefers using
2249 * LTK claim insufficient security. This way we allow the
2250 * connection to be re-encrypted with an LTK, even if the LTK
2251 * provides the same level of security. Only exception is if we
2252 * don't have an LTK (e.g. because of key distribution bits).
2254 if (key_pref == SMP_USE_LTK &&
2255 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2256 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2259 if (hcon->sec_level >= sec_level)
2265 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2267 struct smp_cmd_security_req *rp = (void *) skb->data;
2268 struct smp_cmd_pairing cp;
2269 struct hci_conn *hcon = conn->hcon;
2270 struct hci_dev *hdev = hcon->hdev;
2271 struct smp_chan *smp;
2274 BT_DBG("conn %p", conn);
2276 if (skb->len < sizeof(*rp))
2277 return SMP_INVALID_PARAMS;
2279 if (hcon->role != HCI_ROLE_MASTER)
2280 return SMP_CMD_NOTSUPP;
2282 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2284 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2285 return SMP_AUTH_REQUIREMENTS;
2287 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2288 sec_level = BT_SECURITY_MEDIUM;
2290 sec_level = authreq_to_seclevel(auth);
2292 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2293 /* If link is already encrypted with sufficient security we
2294 * still need refresh encryption as per Core Spec 5.0 Vol 3,
2297 smp_ltk_encrypt(conn, hcon->sec_level);
2301 if (sec_level > hcon->pending_sec_level)
2302 hcon->pending_sec_level = sec_level;
2304 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2307 smp = smp_chan_create(conn);
2309 return SMP_UNSPECIFIED;
2311 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2312 (auth & SMP_AUTH_BONDING))
2313 return SMP_PAIRING_NOTSUPP;
2315 skb_pull(skb, sizeof(*rp));
2317 memset(&cp, 0, sizeof(cp));
2318 build_pairing_cmd(conn, &cp, NULL, auth);
2320 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2321 memcpy(&smp->preq[1], &cp, sizeof(cp));
2323 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2324 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2329 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2331 struct l2cap_conn *conn = hcon->l2cap_data;
2332 struct l2cap_chan *chan;
2333 struct smp_chan *smp;
2337 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2339 /* This may be NULL if there's an unexpected disconnection */
2343 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2346 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2349 if (sec_level > hcon->pending_sec_level)
2350 hcon->pending_sec_level = sec_level;
2352 if (hcon->role == HCI_ROLE_MASTER)
2353 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2358 bt_dev_err(hcon->hdev, "security requested but not available");
2362 l2cap_chan_lock(chan);
2364 /* If SMP is already in progress ignore this request */
2370 smp = smp_chan_create(conn);
2376 authreq = seclevel_to_authreq(sec_level);
2378 if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2379 authreq |= SMP_AUTH_SC;
2380 if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2381 authreq |= SMP_AUTH_CT2;
2384 /* Require MITM if IO Capability allows or the security level
2387 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2388 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2389 authreq |= SMP_AUTH_MITM;
2391 if (hcon->role == HCI_ROLE_MASTER) {
2392 struct smp_cmd_pairing cp;
2394 build_pairing_cmd(conn, &cp, NULL, authreq);
2395 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2396 memcpy(&smp->preq[1], &cp, sizeof(cp));
2398 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2399 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2401 struct smp_cmd_security_req cp;
2402 cp.auth_req = authreq;
2403 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2404 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2407 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2411 l2cap_chan_unlock(chan);
2415 int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2418 struct hci_conn *hcon;
2419 struct l2cap_conn *conn;
2420 struct l2cap_chan *chan;
2421 struct smp_chan *smp;
2424 err = hci_remove_ltk(hdev, bdaddr, addr_type);
2425 hci_remove_irk(hdev, bdaddr, addr_type);
2427 hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2431 conn = hcon->l2cap_data;
2439 l2cap_chan_lock(chan);
2443 /* Set keys to NULL to make sure smp_failure() does not try to
2444 * remove and free already invalidated rcu list entries. */
2446 smp->slave_ltk = NULL;
2447 smp->remote_irk = NULL;
2449 if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2450 smp_failure(conn, 0);
2452 smp_failure(conn, SMP_UNSPECIFIED);
2456 l2cap_chan_unlock(chan);
2462 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2464 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2465 struct l2cap_chan *chan = conn->smp;
2466 struct smp_chan *smp = chan->data;
2468 BT_DBG("conn %p", conn);
2470 if (skb->len < sizeof(*rp))
2471 return SMP_INVALID_PARAMS;
2473 /* Pairing is aborted if any blocked keys are distributed */
2474 if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_LTK,
2476 bt_dev_warn_ratelimited(conn->hcon->hdev,
2477 "LTK blocked for %pMR",
2479 return SMP_INVALID_PARAMS;
2482 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2484 skb_pull(skb, sizeof(*rp));
2486 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2491 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2493 struct smp_cmd_master_ident *rp = (void *) skb->data;
2494 struct l2cap_chan *chan = conn->smp;
2495 struct smp_chan *smp = chan->data;
2496 struct hci_dev *hdev = conn->hcon->hdev;
2497 struct hci_conn *hcon = conn->hcon;
2498 struct smp_ltk *ltk;
2501 BT_DBG("conn %p", conn);
2503 if (skb->len < sizeof(*rp))
2504 return SMP_INVALID_PARAMS;
2506 /* Mark the information as received */
2507 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2509 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2510 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2511 else if (smp->remote_key_dist & SMP_DIST_SIGN)
2512 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2514 skb_pull(skb, sizeof(*rp));
2516 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2517 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2518 authenticated, smp->tk, smp->enc_key_size,
2519 rp->ediv, rp->rand);
2521 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2522 smp_distribute_keys(smp);
2527 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2529 struct smp_cmd_ident_info *info = (void *) skb->data;
2530 struct l2cap_chan *chan = conn->smp;
2531 struct smp_chan *smp = chan->data;
2535 if (skb->len < sizeof(*info))
2536 return SMP_INVALID_PARAMS;
2538 /* Pairing is aborted if any blocked keys are distributed */
2539 if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_IRK,
2541 bt_dev_warn_ratelimited(conn->hcon->hdev,
2542 "Identity key blocked for %pMR",
2544 return SMP_INVALID_PARAMS;
2547 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2549 skb_pull(skb, sizeof(*info));
2551 memcpy(smp->irk, info->irk, 16);
2556 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2557 struct sk_buff *skb)
2559 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2560 struct l2cap_chan *chan = conn->smp;
2561 struct smp_chan *smp = chan->data;
2562 struct hci_conn *hcon = conn->hcon;
2567 if (skb->len < sizeof(*info))
2568 return SMP_INVALID_PARAMS;
2570 /* Mark the information as received */
2571 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2573 if (smp->remote_key_dist & SMP_DIST_SIGN)
2574 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2576 skb_pull(skb, sizeof(*info));
2578 /* Strictly speaking the Core Specification (4.1) allows sending
2579 * an empty address which would force us to rely on just the IRK
2580 * as "identity information". However, since such
2581 * implementations are not known of and in order to not over
2582 * complicate our implementation, simply pretend that we never
2583 * received an IRK for such a device.
2585 * The Identity Address must also be a Static Random or Public
2586 * Address, which hci_is_identity_address() checks for.
2588 if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2589 !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2590 bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
2594 /* Drop IRK if peer is using identity address during pairing but is
2595 * providing different address as identity information.
2597 * Microsoft Surface Precision Mouse is known to have this bug.
2599 if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
2600 (bacmp(&info->bdaddr, &hcon->dst) ||
2601 info->addr_type != hcon->dst_type)) {
2602 bt_dev_err(hcon->hdev,
2603 "ignoring IRK with invalid identity address");
2607 bacpy(&smp->id_addr, &info->bdaddr);
2608 smp->id_addr_type = info->addr_type;
2610 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2611 bacpy(&rpa, &hcon->dst);
2613 bacpy(&rpa, BDADDR_ANY);
2615 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2616 smp->id_addr_type, smp->irk, &rpa);
2619 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2620 smp_distribute_keys(smp);
2625 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2627 struct smp_cmd_sign_info *rp = (void *) skb->data;
2628 struct l2cap_chan *chan = conn->smp;
2629 struct smp_chan *smp = chan->data;
2630 struct smp_csrk *csrk;
2632 BT_DBG("conn %p", conn);
2634 if (skb->len < sizeof(*rp))
2635 return SMP_INVALID_PARAMS;
2637 /* Mark the information as received */
2638 smp->remote_key_dist &= ~SMP_DIST_SIGN;
2640 skb_pull(skb, sizeof(*rp));
2642 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2644 if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2645 csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2647 csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2648 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2651 smp_distribute_keys(smp);
2656 static u8 sc_select_method(struct smp_chan *smp)
2658 struct l2cap_conn *conn = smp->conn;
2659 struct hci_conn *hcon = conn->hcon;
2660 struct smp_cmd_pairing *local, *remote;
2661 u8 local_mitm, remote_mitm, local_io, remote_io, method;
2663 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2664 test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2667 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2668 * which are needed as inputs to some crypto functions. To get
2669 * the "struct smp_cmd_pairing" from them we need to skip the
2670 * first byte which contains the opcode.
2673 local = (void *) &smp->preq[1];
2674 remote = (void *) &smp->prsp[1];
2676 local = (void *) &smp->prsp[1];
2677 remote = (void *) &smp->preq[1];
2680 local_io = local->io_capability;
2681 remote_io = remote->io_capability;
2683 local_mitm = (local->auth_req & SMP_AUTH_MITM);
2684 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2686 /* If either side wants MITM, look up the method from the table,
2687 * otherwise use JUST WORKS.
2689 if (local_mitm || remote_mitm)
2690 method = get_auth_method(smp, local_io, remote_io);
2692 method = JUST_WORKS;
2694 /* Don't confirm locally initiated pairing attempts */
2695 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2696 method = JUST_WORKS;
2701 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2703 struct smp_cmd_public_key *key = (void *) skb->data;
2704 struct hci_conn *hcon = conn->hcon;
2705 struct l2cap_chan *chan = conn->smp;
2706 struct smp_chan *smp = chan->data;
2707 struct hci_dev *hdev = hcon->hdev;
2708 struct crypto_kpp *tfm_ecdh;
2709 struct smp_cmd_pairing_confirm cfm;
2712 BT_DBG("conn %p", conn);
2714 if (skb->len < sizeof(*key))
2715 return SMP_INVALID_PARAMS;
2717 memcpy(smp->remote_pk, key, 64);
2719 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2720 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2721 smp->rr, 0, cfm.confirm_val);
2723 return SMP_UNSPECIFIED;
2725 if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2726 return SMP_CONFIRM_FAILED;
2729 /* Non-initiating device sends its public key after receiving
2730 * the key from the initiating device.
2733 err = sc_send_public_key(smp);
2738 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2739 SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2741 /* Compute the shared secret on the same crypto tfm on which the private
2742 * key was set/generated.
2744 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
2745 struct l2cap_chan *hchan = hdev->smp_data;
2746 struct smp_dev *smp_dev;
2748 if (!hchan || !hchan->data)
2749 return SMP_UNSPECIFIED;
2751 smp_dev = hchan->data;
2753 tfm_ecdh = smp_dev->tfm_ecdh;
2755 tfm_ecdh = smp->tfm_ecdh;
2758 if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
2759 return SMP_UNSPECIFIED;
2761 SMP_DBG("DHKey %32phN", smp->dhkey);
2763 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2765 smp->method = sc_select_method(smp);
2767 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2769 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2770 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2771 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2773 hcon->pending_sec_level = BT_SECURITY_FIPS;
2775 if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2776 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2778 if (smp->method == DSP_PASSKEY) {
2779 get_random_bytes(&hcon->passkey_notify,
2780 sizeof(hcon->passkey_notify));
2781 hcon->passkey_notify %= 1000000;
2782 hcon->passkey_entered = 0;
2783 smp->passkey_round = 0;
2784 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2786 hcon->passkey_notify,
2787 hcon->passkey_entered))
2788 return SMP_UNSPECIFIED;
2789 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2790 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2793 if (smp->method == REQ_OOB) {
2795 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2796 sizeof(smp->prnd), smp->prnd);
2798 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2804 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2806 if (smp->method == REQ_PASSKEY) {
2807 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2809 return SMP_UNSPECIFIED;
2810 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2811 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2815 /* The Initiating device waits for the non-initiating device to
2816 * send the confirm value.
2818 if (conn->hcon->out)
2821 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2822 0, cfm.confirm_val);
2824 return SMP_UNSPECIFIED;
2826 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2827 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2832 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2834 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2835 struct l2cap_chan *chan = conn->smp;
2836 struct hci_conn *hcon = conn->hcon;
2837 struct smp_chan *smp = chan->data;
2838 u8 a[7], b[7], *local_addr, *remote_addr;
2839 u8 io_cap[3], r[16], e[16];
2842 BT_DBG("conn %p", conn);
2844 if (skb->len < sizeof(*check))
2845 return SMP_INVALID_PARAMS;
2847 memcpy(a, &hcon->init_addr, 6);
2848 memcpy(b, &hcon->resp_addr, 6);
2849 a[6] = hcon->init_addr_type;
2850 b[6] = hcon->resp_addr_type;
2855 memcpy(io_cap, &smp->prsp[1], 3);
2859 memcpy(io_cap, &smp->preq[1], 3);
2862 memset(r, 0, sizeof(r));
2864 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2865 put_unaligned_le32(hcon->passkey_notify, r);
2866 else if (smp->method == REQ_OOB)
2867 memcpy(r, smp->lr, 16);
2869 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2870 io_cap, remote_addr, local_addr, e);
2872 return SMP_UNSPECIFIED;
2874 if (crypto_memneq(check->e, e, 16))
2875 return SMP_DHKEY_CHECK_FAILED;
2878 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2879 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2883 /* Slave sends DHKey check as response to master */
2884 sc_dhkey_check(smp);
2890 hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2891 hcon->enc_key_size = smp->enc_key_size;
2897 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2898 struct sk_buff *skb)
2900 struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2902 BT_DBG("value 0x%02x", kp->value);
2907 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2909 struct l2cap_conn *conn = chan->conn;
2910 struct hci_conn *hcon = conn->hcon;
2911 struct smp_chan *smp;
2918 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2919 reason = SMP_PAIRING_NOTSUPP;
2923 code = skb->data[0];
2924 skb_pull(skb, sizeof(code));
2928 if (code > SMP_CMD_MAX)
2931 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2934 /* If we don't have a context the only allowed commands are
2935 * pairing request and security request.
2937 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2941 case SMP_CMD_PAIRING_REQ:
2942 reason = smp_cmd_pairing_req(conn, skb);
2945 case SMP_CMD_PAIRING_FAIL:
2946 smp_failure(conn, 0);
2950 case SMP_CMD_PAIRING_RSP:
2951 reason = smp_cmd_pairing_rsp(conn, skb);
2954 case SMP_CMD_SECURITY_REQ:
2955 reason = smp_cmd_security_req(conn, skb);
2958 case SMP_CMD_PAIRING_CONFIRM:
2959 reason = smp_cmd_pairing_confirm(conn, skb);
2962 case SMP_CMD_PAIRING_RANDOM:
2963 reason = smp_cmd_pairing_random(conn, skb);
2966 case SMP_CMD_ENCRYPT_INFO:
2967 reason = smp_cmd_encrypt_info(conn, skb);
2970 case SMP_CMD_MASTER_IDENT:
2971 reason = smp_cmd_master_ident(conn, skb);
2974 case SMP_CMD_IDENT_INFO:
2975 reason = smp_cmd_ident_info(conn, skb);
2978 case SMP_CMD_IDENT_ADDR_INFO:
2979 reason = smp_cmd_ident_addr_info(conn, skb);
2982 case SMP_CMD_SIGN_INFO:
2983 reason = smp_cmd_sign_info(conn, skb);
2986 case SMP_CMD_PUBLIC_KEY:
2987 reason = smp_cmd_public_key(conn, skb);
2990 case SMP_CMD_DHKEY_CHECK:
2991 reason = smp_cmd_dhkey_check(conn, skb);
2994 case SMP_CMD_KEYPRESS_NOTIFY:
2995 reason = smp_cmd_keypress_notify(conn, skb);
2999 BT_DBG("Unknown command code 0x%2.2x", code);
3000 reason = SMP_CMD_NOTSUPP;
3007 smp_failure(conn, reason);
3014 bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
3020 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
3022 struct l2cap_conn *conn = chan->conn;
3024 BT_DBG("chan %p", chan);
3027 smp_chan_destroy(conn);
3030 l2cap_chan_put(chan);
3033 static void bredr_pairing(struct l2cap_chan *chan)
3035 struct l2cap_conn *conn = chan->conn;
3036 struct hci_conn *hcon = conn->hcon;
3037 struct hci_dev *hdev = hcon->hdev;
3038 struct smp_cmd_pairing req;
3039 struct smp_chan *smp;
3041 BT_DBG("chan %p", chan);
3043 /* Only new pairings are interesting */
3044 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
3047 /* Don't bother if we're not encrypted */
3048 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3051 /* Only master may initiate SMP over BR/EDR */
3052 if (hcon->role != HCI_ROLE_MASTER)
3055 /* Secure Connections support must be enabled */
3056 if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
3059 /* BR/EDR must use Secure Connections for SMP */
3060 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
3061 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3064 /* If our LE support is not enabled don't do anything */
3065 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3068 /* Don't bother if remote LE support is not enabled */
3069 if (!lmp_host_le_capable(hcon))
3072 /* Remote must support SMP fixed chan for BR/EDR */
3073 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3076 /* Don't bother if SMP is already ongoing */
3080 smp = smp_chan_create(conn);
3082 bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
3086 set_bit(SMP_FLAG_SC, &smp->flags);
3088 BT_DBG("%s starting SMP over BR/EDR", hdev->name);
3090 /* Prepare and send the BR/EDR SMP Pairing Request */
3091 build_bredr_pairing_cmd(smp, &req, NULL);
3093 smp->preq[0] = SMP_CMD_PAIRING_REQ;
3094 memcpy(&smp->preq[1], &req, sizeof(req));
3096 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3097 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3100 static void smp_resume_cb(struct l2cap_chan *chan)
3102 struct smp_chan *smp = chan->data;
3103 struct l2cap_conn *conn = chan->conn;
3104 struct hci_conn *hcon = conn->hcon;
3106 BT_DBG("chan %p", chan);
3108 if (hcon->type == ACL_LINK) {
3109 bredr_pairing(chan);
3116 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3119 cancel_delayed_work(&smp->security_timer);
3121 smp_distribute_keys(smp);
3124 static void smp_ready_cb(struct l2cap_chan *chan)
3126 struct l2cap_conn *conn = chan->conn;
3127 struct hci_conn *hcon = conn->hcon;
3129 BT_DBG("chan %p", chan);
3131 /* No need to call l2cap_chan_hold() here since we already own
3132 * the reference taken in smp_new_conn_cb(). This is just the
3133 * first time that we tie it to a specific pointer. The code in
3134 * l2cap_core.c ensures that there's no risk this function wont
3135 * get called if smp_new_conn_cb was previously called.
3139 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3140 bredr_pairing(chan);
3143 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3147 BT_DBG("chan %p", chan);
3149 err = smp_sig_channel(chan, skb);
3151 struct smp_chan *smp = chan->data;
3154 cancel_delayed_work_sync(&smp->security_timer);
3156 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3162 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3163 unsigned long hdr_len,
3164 unsigned long len, int nb)
3166 struct sk_buff *skb;
3168 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3170 return ERR_PTR(-ENOMEM);
3172 skb->priority = HCI_PRIO_MAX;
3173 bt_cb(skb)->l2cap.chan = chan;
3178 static const struct l2cap_ops smp_chan_ops = {
3179 .name = "Security Manager",
3180 .ready = smp_ready_cb,
3181 .recv = smp_recv_cb,
3182 .alloc_skb = smp_alloc_skb_cb,
3183 .teardown = smp_teardown_cb,
3184 .resume = smp_resume_cb,
3186 .new_connection = l2cap_chan_no_new_connection,
3187 .state_change = l2cap_chan_no_state_change,
3188 .close = l2cap_chan_no_close,
3189 .defer = l2cap_chan_no_defer,
3190 .suspend = l2cap_chan_no_suspend,
3191 .set_shutdown = l2cap_chan_no_set_shutdown,
3192 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
3195 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3197 struct l2cap_chan *chan;
3199 BT_DBG("pchan %p", pchan);
3201 chan = l2cap_chan_create();
3205 chan->chan_type = pchan->chan_type;
3206 chan->ops = &smp_chan_ops;
3207 chan->scid = pchan->scid;
3208 chan->dcid = chan->scid;
3209 chan->imtu = pchan->imtu;
3210 chan->omtu = pchan->omtu;
3211 chan->mode = pchan->mode;
3213 /* Other L2CAP channels may request SMP routines in order to
3214 * change the security level. This means that the SMP channel
3215 * lock must be considered in its own category to avoid lockdep
3218 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3220 BT_DBG("created chan %p", chan);
3225 static const struct l2cap_ops smp_root_chan_ops = {
3226 .name = "Security Manager Root",
3227 .new_connection = smp_new_conn_cb,
3229 /* None of these are implemented for the root channel */
3230 .close = l2cap_chan_no_close,
3231 .alloc_skb = l2cap_chan_no_alloc_skb,
3232 .recv = l2cap_chan_no_recv,
3233 .state_change = l2cap_chan_no_state_change,
3234 .teardown = l2cap_chan_no_teardown,
3235 .ready = l2cap_chan_no_ready,
3236 .defer = l2cap_chan_no_defer,
3237 .suspend = l2cap_chan_no_suspend,
3238 .resume = l2cap_chan_no_resume,
3239 .set_shutdown = l2cap_chan_no_set_shutdown,
3240 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
3243 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3245 struct l2cap_chan *chan;
3246 struct smp_dev *smp;
3247 struct crypto_shash *tfm_cmac;
3248 struct crypto_kpp *tfm_ecdh;
3250 if (cid == L2CAP_CID_SMP_BREDR) {
3255 smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3257 return ERR_PTR(-ENOMEM);
3259 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3260 if (IS_ERR(tfm_cmac)) {
3261 BT_ERR("Unable to create CMAC crypto context");
3263 return ERR_CAST(tfm_cmac);
3266 tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
3267 if (IS_ERR(tfm_ecdh)) {
3268 BT_ERR("Unable to create ECDH crypto context");
3269 crypto_free_shash(tfm_cmac);
3271 return ERR_CAST(tfm_ecdh);
3274 smp->local_oob = false;
3275 smp->tfm_cmac = tfm_cmac;
3276 smp->tfm_ecdh = tfm_ecdh;
3279 chan = l2cap_chan_create();
3282 crypto_free_shash(smp->tfm_cmac);
3283 crypto_free_kpp(smp->tfm_ecdh);
3286 return ERR_PTR(-ENOMEM);
3291 l2cap_add_scid(chan, cid);
3293 l2cap_chan_set_defaults(chan);
3295 if (cid == L2CAP_CID_SMP) {
3298 hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3300 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3301 chan->src_type = BDADDR_LE_PUBLIC;
3303 chan->src_type = BDADDR_LE_RANDOM;
3305 bacpy(&chan->src, &hdev->bdaddr);
3306 chan->src_type = BDADDR_BREDR;
3309 chan->state = BT_LISTEN;
3310 chan->mode = L2CAP_MODE_BASIC;
3311 chan->imtu = L2CAP_DEFAULT_MTU;
3312 chan->ops = &smp_root_chan_ops;
3314 /* Set correct nesting level for a parent/listening channel */
3315 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3320 static void smp_del_chan(struct l2cap_chan *chan)
3322 struct smp_dev *smp;
3324 BT_DBG("chan %p", chan);
3329 crypto_free_shash(smp->tfm_cmac);
3330 crypto_free_kpp(smp->tfm_ecdh);
3334 l2cap_chan_put(chan);
3337 static ssize_t force_bredr_smp_read(struct file *file,
3338 char __user *user_buf,
3339 size_t count, loff_t *ppos)
3341 struct hci_dev *hdev = file->private_data;
3344 buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3347 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3350 static ssize_t force_bredr_smp_write(struct file *file,
3351 const char __user *user_buf,
3352 size_t count, loff_t *ppos)
3354 struct hci_dev *hdev = file->private_data;
3358 err = kstrtobool_from_user(user_buf, count, &enable);
3362 if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3366 struct l2cap_chan *chan;
3368 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3370 return PTR_ERR(chan);
3372 hdev->smp_bredr_data = chan;
3374 struct l2cap_chan *chan;
3376 chan = hdev->smp_bredr_data;
3377 hdev->smp_bredr_data = NULL;
3381 hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3386 static const struct file_operations force_bredr_smp_fops = {
3387 .open = simple_open,
3388 .read = force_bredr_smp_read,
3389 .write = force_bredr_smp_write,
3390 .llseek = default_llseek,
3393 int smp_register(struct hci_dev *hdev)
3395 struct l2cap_chan *chan;
3397 BT_DBG("%s", hdev->name);
3399 /* If the controller does not support Low Energy operation, then
3400 * there is also no need to register any SMP channel.
3402 if (!lmp_le_capable(hdev))
3405 if (WARN_ON(hdev->smp_data)) {
3406 chan = hdev->smp_data;
3407 hdev->smp_data = NULL;
3411 chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3413 return PTR_ERR(chan);
3415 hdev->smp_data = chan;
3417 /* If the controller does not support BR/EDR Secure Connections
3418 * feature, then the BR/EDR SMP channel shall not be present.
3420 * To test this with Bluetooth 4.0 controllers, create a debugfs
3421 * switch that allows forcing BR/EDR SMP support and accepting
3422 * cross-transport pairing on non-AES encrypted connections.
3424 if (!lmp_sc_capable(hdev)) {
3425 debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3426 hdev, &force_bredr_smp_fops);
3428 /* Flag can be already set here (due to power toggle) */
3429 if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3433 if (WARN_ON(hdev->smp_bredr_data)) {
3434 chan = hdev->smp_bredr_data;
3435 hdev->smp_bredr_data = NULL;
3439 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3441 int err = PTR_ERR(chan);
3442 chan = hdev->smp_data;
3443 hdev->smp_data = NULL;
3448 hdev->smp_bredr_data = chan;
3453 void smp_unregister(struct hci_dev *hdev)
3455 struct l2cap_chan *chan;
3457 if (hdev->smp_bredr_data) {
3458 chan = hdev->smp_bredr_data;
3459 hdev->smp_bredr_data = NULL;
3463 if (hdev->smp_data) {
3464 chan = hdev->smp_data;
3465 hdev->smp_data = NULL;
3470 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3472 static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
3477 err = set_ecdh_privkey(tfm_ecdh, debug_sk);
3481 err = generate_ecdh_public_key(tfm_ecdh, pk);
3485 if (crypto_memneq(pk, debug_pk, 64))
3491 static int __init test_ah(void)
3493 const u8 irk[16] = {
3494 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3495 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3496 const u8 r[3] = { 0x94, 0x81, 0x70 };
3497 const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3501 err = smp_ah(irk, r, res);
3505 if (crypto_memneq(res, exp, 3))
3511 static int __init test_c1(void)
3514 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3515 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3517 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3518 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3519 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3520 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3521 const u8 _iat = 0x01;
3522 const u8 _rat = 0x00;
3523 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3524 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3525 const u8 exp[16] = {
3526 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3527 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3531 err = smp_c1(k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3535 if (crypto_memneq(res, exp, 16))
3541 static int __init test_s1(void)
3544 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3545 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3547 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3549 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3550 const u8 exp[16] = {
3551 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3552 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3556 err = smp_s1(k, r1, r2, res);
3560 if (crypto_memneq(res, exp, 16))
3566 static int __init test_f4(struct crypto_shash *tfm_cmac)
3569 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3570 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3571 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3572 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3574 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3575 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3576 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3577 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3579 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3580 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3582 const u8 exp[16] = {
3583 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3584 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3588 err = smp_f4(tfm_cmac, u, v, x, z, res);
3592 if (crypto_memneq(res, exp, 16))
3598 static int __init test_f5(struct crypto_shash *tfm_cmac)
3601 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3602 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3603 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3604 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3606 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3607 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3609 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3610 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3611 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3612 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3613 const u8 exp_ltk[16] = {
3614 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3615 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3616 const u8 exp_mackey[16] = {
3617 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3618 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3619 u8 mackey[16], ltk[16];
3622 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3626 if (crypto_memneq(mackey, exp_mackey, 16))
3629 if (crypto_memneq(ltk, exp_ltk, 16))
3635 static int __init test_f6(struct crypto_shash *tfm_cmac)
3638 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3639 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3641 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3642 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3644 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3645 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3647 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3648 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3649 const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3650 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3651 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3652 const u8 exp[16] = {
3653 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3654 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3658 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3662 if (crypto_memneq(res, exp, 16))
3668 static int __init test_g2(struct crypto_shash *tfm_cmac)
3671 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3672 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3673 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3674 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3676 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3677 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3678 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3679 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3681 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3682 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3684 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3685 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3686 const u32 exp_val = 0x2f9ed5ba % 1000000;
3690 err = smp_g2(tfm_cmac, u, v, x, y, &val);
3700 static int __init test_h6(struct crypto_shash *tfm_cmac)
3703 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3704 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3705 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3706 const u8 exp[16] = {
3707 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3708 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3712 err = smp_h6(tfm_cmac, w, key_id, res);
3716 if (crypto_memneq(res, exp, 16))
3722 static char test_smp_buffer[32];
3724 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3725 size_t count, loff_t *ppos)
3727 return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3728 strlen(test_smp_buffer));
3731 static const struct file_operations test_smp_fops = {
3732 .open = simple_open,
3733 .read = test_smp_read,
3734 .llseek = default_llseek,
3737 static int __init run_selftests(struct crypto_shash *tfm_cmac,
3738 struct crypto_kpp *tfm_ecdh)
3740 ktime_t calltime, delta, rettime;
3741 unsigned long long duration;
3744 calltime = ktime_get();
3746 err = test_debug_key(tfm_ecdh);
3748 BT_ERR("debug_key test failed");
3754 BT_ERR("smp_ah test failed");
3760 BT_ERR("smp_c1 test failed");
3766 BT_ERR("smp_s1 test failed");
3770 err = test_f4(tfm_cmac);
3772 BT_ERR("smp_f4 test failed");
3776 err = test_f5(tfm_cmac);
3778 BT_ERR("smp_f5 test failed");
3782 err = test_f6(tfm_cmac);
3784 BT_ERR("smp_f6 test failed");
3788 err = test_g2(tfm_cmac);
3790 BT_ERR("smp_g2 test failed");
3794 err = test_h6(tfm_cmac);
3796 BT_ERR("smp_h6 test failed");
3800 rettime = ktime_get();
3801 delta = ktime_sub(rettime, calltime);
3802 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3804 BT_INFO("SMP test passed in %llu usecs", duration);
3808 snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3809 "PASS (%llu usecs)\n", duration);
3811 snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3813 debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3819 int __init bt_selftest_smp(void)
3821 struct crypto_shash *tfm_cmac;
3822 struct crypto_kpp *tfm_ecdh;
3825 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3826 if (IS_ERR(tfm_cmac)) {
3827 BT_ERR("Unable to create CMAC crypto context");
3828 return PTR_ERR(tfm_cmac);
3831 tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
3832 if (IS_ERR(tfm_ecdh)) {
3833 BT_ERR("Unable to create ECDH crypto context");
3834 crypto_free_shash(tfm_cmac);
3835 return PTR_ERR(tfm_ecdh);
3838 err = run_selftests(tfm_cmac, tfm_ecdh);
3840 crypto_free_shash(tfm_cmac);
3841 crypto_free_kpp(tfm_ecdh);