2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
23 #include <linux/debugfs.h>
24 #include <linux/scatterlist.h>
25 #include <linux/crypto.h>
26 #include <crypto/algapi.h>
27 #include <crypto/b128ops.h>
28 #include <crypto/hash.h>
30 #include <net/bluetooth/bluetooth.h>
31 #include <net/bluetooth/hci_core.h>
32 #include <net/bluetooth/l2cap.h>
33 #include <net/bluetooth/mgmt.h>
38 #define SMP_DEV(hdev) \
39 ((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
41 /* Low-level debug macros to be used for stuff that we don't want
42 * accidentially in dmesg, i.e. the values of the various crypto keys
43 * and the inputs & outputs of crypto functions.
46 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
49 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
53 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
55 /* Keys which are not distributed with Secure Connections */
56 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
58 #define SMP_TIMEOUT msecs_to_jiffies(30000)
60 #define AUTH_REQ_MASK(dev) (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
62 #define KEY_DIST_MASK 0x07
64 /* Maximum message length that can be passed to aes_cmac */
65 #define CMAC_MSG_MAX 80
77 SMP_FLAG_DHKEY_PENDING,
83 /* Secure Connections OOB data */
92 struct crypto_cipher *tfm_aes;
93 struct crypto_shash *tfm_cmac;
97 struct l2cap_conn *conn;
98 struct delayed_work security_timer;
99 unsigned long allow_cmd; /* Bitmask of allowed commands */
101 u8 preq[7]; /* SMP Pairing Request */
102 u8 prsp[7]; /* SMP Pairing Response */
103 u8 prnd[16]; /* SMP Pairing Random (local) */
104 u8 rrnd[16]; /* SMP Pairing Random (remote) */
105 u8 pcnf[16]; /* SMP Pairing Confirm */
106 u8 tk[16]; /* SMP Temporary Key */
107 u8 rr[16]; /* Remote OOB ra/rb value */
108 u8 lr[16]; /* Local OOB ra/rb value */
114 struct smp_csrk *csrk;
115 struct smp_csrk *slave_csrk;
117 struct smp_ltk *slave_ltk;
118 struct smp_irk *remote_irk;
124 /* Secure Connections variables */
131 struct crypto_cipher *tfm_aes;
132 struct crypto_shash *tfm_cmac;
135 /* These debug key values are defined in the SMP section of the core
136 * specification. debug_pk is the public debug key and debug_sk the
139 static const u8 debug_pk[64] = {
140 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
141 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
142 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
143 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
145 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
146 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
147 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
148 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
151 static const u8 debug_sk[32] = {
152 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
153 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
154 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
155 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
158 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
162 for (i = 0; i < len; i++)
163 dst[len - 1 - i] = src[i];
166 /* The following functions map to the LE SC SMP crypto functions
167 * AES-CMAC, f4, f5, f6, g2 and h6.
170 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
171 size_t len, u8 mac[16])
173 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
174 SHASH_DESC_ON_STACK(desc, tfm);
177 if (len > CMAC_MSG_MAX)
181 BT_ERR("tfm %p", tfm);
188 /* Swap key and message from LSB to MSB */
189 swap_buf(k, tmp, 16);
190 swap_buf(m, msg_msb, len);
192 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
193 SMP_DBG("key %16phN", k);
195 err = crypto_shash_setkey(tfm, tmp, 16);
197 BT_ERR("cipher setkey failed: %d", err);
201 err = crypto_shash_digest(desc, msg_msb, len, mac_msb);
202 shash_desc_zero(desc);
204 BT_ERR("Hash computation error %d", err);
208 swap_buf(mac_msb, mac, 16);
210 SMP_DBG("mac %16phN", mac);
215 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
216 const u8 v[32], const u8 x[16], u8 z, u8 res[16])
221 SMP_DBG("u %32phN", u);
222 SMP_DBG("v %32phN", v);
223 SMP_DBG("x %16phN z %02x", x, z);
226 memcpy(m + 1, v, 32);
227 memcpy(m + 33, u, 32);
229 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
233 SMP_DBG("res %16phN", res);
238 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
239 const u8 n1[16], const u8 n2[16], const u8 a1[7],
240 const u8 a2[7], u8 mackey[16], u8 ltk[16])
242 /* The btle, salt and length "magic" values are as defined in
243 * the SMP section of the Bluetooth core specification. In ASCII
244 * the btle value ends up being 'btle'. The salt is just a
245 * random number whereas length is the value 256 in little
248 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
249 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
250 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
251 const u8 length[2] = { 0x00, 0x01 };
255 SMP_DBG("w %32phN", w);
256 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
257 SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
259 err = aes_cmac(tfm_cmac, salt, w, 32, t);
263 SMP_DBG("t %16phN", t);
265 memcpy(m, length, 2);
266 memcpy(m + 2, a2, 7);
267 memcpy(m + 9, a1, 7);
268 memcpy(m + 16, n2, 16);
269 memcpy(m + 32, n1, 16);
270 memcpy(m + 48, btle, 4);
272 m[52] = 0; /* Counter */
274 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
278 SMP_DBG("mackey %16phN", mackey);
280 m[52] = 1; /* Counter */
282 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
286 SMP_DBG("ltk %16phN", ltk);
291 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
292 const u8 n1[16], const u8 n2[16], const u8 r[16],
293 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
299 SMP_DBG("w %16phN", w);
300 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
301 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
304 memcpy(m + 7, a1, 7);
305 memcpy(m + 14, io_cap, 3);
306 memcpy(m + 17, r, 16);
307 memcpy(m + 33, n2, 16);
308 memcpy(m + 49, n1, 16);
310 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
314 SMP_DBG("res %16phN", res);
319 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
320 const u8 x[16], const u8 y[16], u32 *val)
325 SMP_DBG("u %32phN", u);
326 SMP_DBG("v %32phN", v);
327 SMP_DBG("x %16phN y %16phN", x, y);
330 memcpy(m + 16, v, 32);
331 memcpy(m + 48, u, 32);
333 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
337 *val = get_unaligned_le32(tmp);
340 SMP_DBG("val %06u", *val);
345 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
346 const u8 key_id[4], u8 res[16])
350 SMP_DBG("w %16phN key_id %4phN", w, key_id);
352 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
356 SMP_DBG("res %16phN", res);
361 /* The following functions map to the legacy SMP crypto functions e, c1,
365 static int smp_e(struct crypto_cipher *tfm, const u8 *k, u8 *r)
367 uint8_t tmp[16], data[16];
370 SMP_DBG("k %16phN r %16phN", k, r);
373 BT_ERR("tfm %p", tfm);
377 /* The most significant octet of key corresponds to k[0] */
378 swap_buf(k, tmp, 16);
380 err = crypto_cipher_setkey(tfm, tmp, 16);
382 BT_ERR("cipher setkey failed: %d", err);
386 /* Most significant octet of plaintextData corresponds to data[0] */
387 swap_buf(r, data, 16);
389 crypto_cipher_encrypt_one(tfm, data, data);
391 /* Most significant octet of encryptedData corresponds to data[0] */
392 swap_buf(data, r, 16);
394 SMP_DBG("r %16phN", r);
399 static int smp_c1(struct crypto_cipher *tfm_aes, const u8 k[16],
400 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
401 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
406 SMP_DBG("k %16phN r %16phN", k, r);
407 SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
408 SMP_DBG("preq %7phN pres %7phN", preq, pres);
412 /* p1 = pres || preq || _rat || _iat */
415 memcpy(p1 + 2, preq, 7);
416 memcpy(p1 + 9, pres, 7);
418 SMP_DBG("p1 %16phN", p1);
421 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
423 /* res = e(k, res) */
424 err = smp_e(tfm_aes, k, res);
426 BT_ERR("Encrypt data error");
430 /* p2 = padding || ia || ra */
432 memcpy(p2 + 6, ia, 6);
433 memset(p2 + 12, 0, 4);
435 SMP_DBG("p2 %16phN", p2);
437 /* res = res XOR p2 */
438 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
440 /* res = e(k, res) */
441 err = smp_e(tfm_aes, k, res);
443 BT_ERR("Encrypt data error");
448 static int smp_s1(struct crypto_cipher *tfm_aes, const u8 k[16],
449 const u8 r1[16], const u8 r2[16], u8 _r[16])
453 /* Just least significant octets from r1 and r2 are considered */
455 memcpy(_r + 8, r1, 8);
457 err = smp_e(tfm_aes, k, _r);
459 BT_ERR("Encrypt data error");
464 static int smp_ah(struct crypto_cipher *tfm, const u8 irk[16],
465 const u8 r[3], u8 res[3])
470 /* r' = padding || r */
472 memset(_res + 3, 0, 13);
474 err = smp_e(tfm, irk, _res);
476 BT_ERR("Encrypt error");
480 /* The output of the random address function ah is:
481 * ah(k, r) = e(k, r') mod 2^24
482 * The output of the security function e is then truncated to 24 bits
483 * by taking the least significant 24 bits of the output of e as the
486 memcpy(res, _res, 3);
491 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
492 const bdaddr_t *bdaddr)
494 struct l2cap_chan *chan = hdev->smp_data;
499 if (!chan || !chan->data)
504 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
506 err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash);
510 return !crypto_memneq(bdaddr->b, hash, 3);
513 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
515 struct l2cap_chan *chan = hdev->smp_data;
519 if (!chan || !chan->data)
524 get_random_bytes(&rpa->b[3], 3);
526 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
527 rpa->b[5] |= 0x40; /* Set second most significant bit */
529 err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b);
533 BT_DBG("RPA %pMR", rpa);
538 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
540 struct l2cap_chan *chan = hdev->smp_data;
544 if (!chan || !chan->data)
549 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
550 BT_DBG("Using debug keys");
551 memcpy(smp->local_pk, debug_pk, 64);
552 memcpy(smp->local_sk, debug_sk, 32);
553 smp->debug_key = true;
556 /* Generate local key pair for Secure Connections */
557 if (!ecc_make_key(smp->local_pk, smp->local_sk))
560 /* This is unlikely, but we need to check that
561 * we didn't accidentially generate a debug key.
563 if (crypto_memneq(smp->local_sk, debug_sk, 32))
566 smp->debug_key = false;
569 SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
570 SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
571 SMP_DBG("OOB Private Key: %32phN", smp->local_sk);
573 get_random_bytes(smp->local_rand, 16);
575 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
576 smp->local_rand, 0, hash);
580 memcpy(rand, smp->local_rand, 16);
585 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
587 struct l2cap_chan *chan = conn->smp;
588 struct smp_chan *smp;
595 BT_DBG("code 0x%2.2x", code);
597 iv[0].iov_base = &code;
600 iv[1].iov_base = data;
603 memset(&msg, 0, sizeof(msg));
605 iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
607 l2cap_chan_send(chan, &msg, 1 + len);
614 cancel_delayed_work_sync(&smp->security_timer);
615 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
618 static u8 authreq_to_seclevel(u8 authreq)
620 if (authreq & SMP_AUTH_MITM) {
621 if (authreq & SMP_AUTH_SC)
622 return BT_SECURITY_FIPS;
624 return BT_SECURITY_HIGH;
626 return BT_SECURITY_MEDIUM;
630 static __u8 seclevel_to_authreq(__u8 sec_level)
633 case BT_SECURITY_FIPS:
634 case BT_SECURITY_HIGH:
635 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
636 case BT_SECURITY_MEDIUM:
637 return SMP_AUTH_BONDING;
639 return SMP_AUTH_NONE;
643 static void build_pairing_cmd(struct l2cap_conn *conn,
644 struct smp_cmd_pairing *req,
645 struct smp_cmd_pairing *rsp, __u8 authreq)
647 struct l2cap_chan *chan = conn->smp;
648 struct smp_chan *smp = chan->data;
649 struct hci_conn *hcon = conn->hcon;
650 struct hci_dev *hdev = hcon->hdev;
651 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
653 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
654 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
655 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
656 authreq |= SMP_AUTH_BONDING;
658 authreq &= ~SMP_AUTH_BONDING;
661 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
662 remote_dist |= SMP_DIST_ID_KEY;
664 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
665 local_dist |= SMP_DIST_ID_KEY;
667 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
668 (authreq & SMP_AUTH_SC)) {
669 struct oob_data *oob_data;
672 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
673 local_dist |= SMP_DIST_LINK_KEY;
674 remote_dist |= SMP_DIST_LINK_KEY;
677 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
678 bdaddr_type = BDADDR_LE_PUBLIC;
680 bdaddr_type = BDADDR_LE_RANDOM;
682 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
684 if (oob_data && oob_data->present) {
685 set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
686 oob_flag = SMP_OOB_PRESENT;
687 memcpy(smp->rr, oob_data->rand256, 16);
688 memcpy(smp->pcnf, oob_data->hash256, 16);
689 SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
690 SMP_DBG("OOB Remote Random: %16phN", smp->rr);
694 authreq &= ~SMP_AUTH_SC;
698 req->io_capability = conn->hcon->io_capability;
699 req->oob_flag = oob_flag;
700 req->max_key_size = SMP_DEV(hdev)->max_key_size;
701 req->init_key_dist = local_dist;
702 req->resp_key_dist = remote_dist;
703 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
705 smp->remote_key_dist = remote_dist;
709 rsp->io_capability = conn->hcon->io_capability;
710 rsp->oob_flag = oob_flag;
711 rsp->max_key_size = SMP_DEV(hdev)->max_key_size;
712 rsp->init_key_dist = req->init_key_dist & remote_dist;
713 rsp->resp_key_dist = req->resp_key_dist & local_dist;
714 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
716 smp->remote_key_dist = rsp->init_key_dist;
719 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
721 struct l2cap_chan *chan = conn->smp;
722 struct hci_dev *hdev = conn->hcon->hdev;
723 struct smp_chan *smp = chan->data;
725 if (max_key_size > SMP_DEV(hdev)->max_key_size ||
726 max_key_size < SMP_MIN_ENC_KEY_SIZE)
727 return SMP_ENC_KEY_SIZE;
729 smp->enc_key_size = max_key_size;
734 static void smp_chan_destroy(struct l2cap_conn *conn)
736 struct l2cap_chan *chan = conn->smp;
737 struct smp_chan *smp = chan->data;
738 struct hci_conn *hcon = conn->hcon;
743 cancel_delayed_work_sync(&smp->security_timer);
745 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
746 mgmt_smp_complete(hcon, complete);
749 kzfree(smp->slave_csrk);
750 kzfree(smp->link_key);
752 crypto_free_cipher(smp->tfm_aes);
753 crypto_free_shash(smp->tfm_cmac);
755 /* Ensure that we don't leave any debug key around if debug key
756 * support hasn't been explicitly enabled.
758 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
759 !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
760 list_del_rcu(&smp->ltk->list);
761 kfree_rcu(smp->ltk, rcu);
765 /* If pairing failed clean up any keys we might have */
768 list_del_rcu(&smp->ltk->list);
769 kfree_rcu(smp->ltk, rcu);
772 if (smp->slave_ltk) {
773 list_del_rcu(&smp->slave_ltk->list);
774 kfree_rcu(smp->slave_ltk, rcu);
777 if (smp->remote_irk) {
778 list_del_rcu(&smp->remote_irk->list);
779 kfree_rcu(smp->remote_irk, rcu);
788 static void smp_failure(struct l2cap_conn *conn, u8 reason)
790 struct hci_conn *hcon = conn->hcon;
791 struct l2cap_chan *chan = conn->smp;
794 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
797 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
800 smp_chan_destroy(conn);
803 #define JUST_WORKS 0x00
804 #define JUST_CFM 0x01
805 #define REQ_PASSKEY 0x02
806 #define CFM_PASSKEY 0x03
808 #define DSP_PASSKEY 0x05
811 static const u8 gen_method[5][5] = {
812 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
813 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
814 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
815 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
816 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
819 static const u8 sc_method[5][5] = {
820 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
821 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
822 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
823 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
824 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
827 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
829 /* If either side has unknown io_caps, use JUST_CFM (which gets
830 * converted later to JUST_WORKS if we're initiators.
832 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
833 remote_io > SMP_IO_KEYBOARD_DISPLAY)
836 if (test_bit(SMP_FLAG_SC, &smp->flags))
837 return sc_method[remote_io][local_io];
839 return gen_method[remote_io][local_io];
842 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
843 u8 local_io, u8 remote_io)
845 struct hci_conn *hcon = conn->hcon;
846 struct l2cap_chan *chan = conn->smp;
847 struct smp_chan *smp = chan->data;
851 /* Initialize key for JUST WORKS */
852 memset(smp->tk, 0, sizeof(smp->tk));
853 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
855 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
857 /* If neither side wants MITM, either "just" confirm an incoming
858 * request or use just-works for outgoing ones. The JUST_CFM
859 * will be converted to JUST_WORKS if necessary later in this
860 * function. If either side has MITM look up the method from the
863 if (!(auth & SMP_AUTH_MITM))
864 smp->method = JUST_CFM;
866 smp->method = get_auth_method(smp, local_io, remote_io);
868 /* Don't confirm locally initiated pairing attempts */
869 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
871 smp->method = JUST_WORKS;
873 /* Don't bother user space with no IO capabilities */
874 if (smp->method == JUST_CFM &&
875 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
876 smp->method = JUST_WORKS;
878 /* If Just Works, Continue with Zero TK */
879 if (smp->method == JUST_WORKS) {
880 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
884 /* If this function is used for SC -> legacy fallback we
885 * can only recover the just-works case.
887 if (test_bit(SMP_FLAG_SC, &smp->flags))
890 /* Not Just Works/Confirm results in MITM Authentication */
891 if (smp->method != JUST_CFM) {
892 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
893 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
894 hcon->pending_sec_level = BT_SECURITY_HIGH;
897 /* If both devices have Keyoard-Display I/O, the master
898 * Confirms and the slave Enters the passkey.
900 if (smp->method == OVERLAP) {
901 if (hcon->role == HCI_ROLE_MASTER)
902 smp->method = CFM_PASSKEY;
904 smp->method = REQ_PASSKEY;
907 /* Generate random passkey. */
908 if (smp->method == CFM_PASSKEY) {
909 memset(smp->tk, 0, sizeof(smp->tk));
910 get_random_bytes(&passkey, sizeof(passkey));
912 put_unaligned_le32(passkey, smp->tk);
913 BT_DBG("PassKey: %d", passkey);
914 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
917 if (smp->method == REQ_PASSKEY)
918 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
919 hcon->type, hcon->dst_type);
920 else if (smp->method == JUST_CFM)
921 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
922 hcon->type, hcon->dst_type,
925 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
926 hcon->type, hcon->dst_type,
932 static u8 smp_confirm(struct smp_chan *smp)
934 struct l2cap_conn *conn = smp->conn;
935 struct smp_cmd_pairing_confirm cp;
938 BT_DBG("conn %p", conn);
940 ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
941 conn->hcon->init_addr_type, &conn->hcon->init_addr,
942 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
945 return SMP_UNSPECIFIED;
947 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
949 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
952 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
954 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
959 static u8 smp_random(struct smp_chan *smp)
961 struct l2cap_conn *conn = smp->conn;
962 struct hci_conn *hcon = conn->hcon;
966 if (IS_ERR_OR_NULL(smp->tfm_aes))
967 return SMP_UNSPECIFIED;
969 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
971 ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
972 hcon->init_addr_type, &hcon->init_addr,
973 hcon->resp_addr_type, &hcon->resp_addr, confirm);
975 return SMP_UNSPECIFIED;
977 if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
978 BT_ERR("Pairing failed (confirmation values mismatch)");
979 return SMP_CONFIRM_FAILED;
987 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
989 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
990 return SMP_UNSPECIFIED;
992 hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
993 hcon->enc_key_size = smp->enc_key_size;
994 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1000 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1003 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
1005 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1010 /* Even though there's no _SLAVE suffix this is the
1011 * slave STK we're adding for later lookup (the master
1012 * STK never needs to be stored).
1014 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1015 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1021 static void smp_notify_keys(struct l2cap_conn *conn)
1023 struct l2cap_chan *chan = conn->smp;
1024 struct smp_chan *smp = chan->data;
1025 struct hci_conn *hcon = conn->hcon;
1026 struct hci_dev *hdev = hcon->hdev;
1027 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1028 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1031 if (hcon->type == ACL_LINK) {
1032 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1035 persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1038 /* The LTKs, IRKs and CSRKs should be persistent only if
1039 * both sides had the bonding bit set in their
1040 * authentication requests.
1042 persistent = !!((req->auth_req & rsp->auth_req) &
1046 if (smp->remote_irk) {
1047 mgmt_new_irk(hdev, smp->remote_irk, persistent);
1049 /* Now that user space can be considered to know the
1050 * identity address track the connection based on it
1051 * from now on (assuming this is an LE link).
1053 if (hcon->type == LE_LINK) {
1054 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1055 hcon->dst_type = smp->remote_irk->addr_type;
1056 queue_work(hdev->workqueue, &conn->id_addr_update_work);
1061 smp->csrk->bdaddr_type = hcon->dst_type;
1062 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1063 mgmt_new_csrk(hdev, smp->csrk, persistent);
1066 if (smp->slave_csrk) {
1067 smp->slave_csrk->bdaddr_type = hcon->dst_type;
1068 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1069 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1073 smp->ltk->bdaddr_type = hcon->dst_type;
1074 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1075 mgmt_new_ltk(hdev, smp->ltk, persistent);
1078 if (smp->slave_ltk) {
1079 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1080 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1081 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1084 if (smp->link_key) {
1085 struct link_key *key;
1088 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1089 type = HCI_LK_DEBUG_COMBINATION;
1090 else if (hcon->sec_level == BT_SECURITY_FIPS)
1091 type = HCI_LK_AUTH_COMBINATION_P256;
1093 type = HCI_LK_UNAUTH_COMBINATION_P256;
1095 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1096 smp->link_key, type, 0, &persistent);
1098 mgmt_new_link_key(hdev, key, persistent);
1100 /* Don't keep debug keys around if the relevant
1103 if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1104 key->type == HCI_LK_DEBUG_COMBINATION) {
1105 list_del_rcu(&key->list);
1106 kfree_rcu(key, rcu);
1112 static void sc_add_ltk(struct smp_chan *smp)
1114 struct hci_conn *hcon = smp->conn->hcon;
1117 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1118 key_type = SMP_LTK_P256_DEBUG;
1120 key_type = SMP_LTK_P256;
1122 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1127 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1128 key_type, auth, smp->tk, smp->enc_key_size,
1132 static void sc_generate_link_key(struct smp_chan *smp)
1134 /* These constants are as specified in the core specification.
1135 * In ASCII they spell out to 'tmp1' and 'lebr'.
1137 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1138 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1140 smp->link_key = kzalloc(16, GFP_KERNEL);
1144 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1145 kzfree(smp->link_key);
1146 smp->link_key = NULL;
1150 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1151 kzfree(smp->link_key);
1152 smp->link_key = NULL;
1157 static void smp_allow_key_dist(struct smp_chan *smp)
1159 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1160 * will be allowed in each PDU handler to ensure we receive
1161 * them in the correct order.
1163 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1164 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1165 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1166 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1167 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1168 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1171 static void sc_generate_ltk(struct smp_chan *smp)
1173 /* These constants are as specified in the core specification.
1174 * In ASCII they spell out to 'tmp2' and 'brle'.
1176 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1177 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1178 struct hci_conn *hcon = smp->conn->hcon;
1179 struct hci_dev *hdev = hcon->hdev;
1180 struct link_key *key;
1182 key = hci_find_link_key(hdev, &hcon->dst);
1184 BT_ERR("%s No Link Key found to generate LTK", hdev->name);
1188 if (key->type == HCI_LK_DEBUG_COMBINATION)
1189 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1191 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1194 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1200 static void smp_distribute_keys(struct smp_chan *smp)
1202 struct smp_cmd_pairing *req, *rsp;
1203 struct l2cap_conn *conn = smp->conn;
1204 struct hci_conn *hcon = conn->hcon;
1205 struct hci_dev *hdev = hcon->hdev;
1208 BT_DBG("conn %p", conn);
1210 rsp = (void *) &smp->prsp[1];
1212 /* The responder sends its keys first */
1213 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1214 smp_allow_key_dist(smp);
1218 req = (void *) &smp->preq[1];
1221 keydist = &rsp->init_key_dist;
1222 *keydist &= req->init_key_dist;
1224 keydist = &rsp->resp_key_dist;
1225 *keydist &= req->resp_key_dist;
1228 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1229 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1230 sc_generate_link_key(smp);
1231 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1232 sc_generate_ltk(smp);
1234 /* Clear the keys which are generated but not distributed */
1235 *keydist &= ~SMP_SC_NO_DIST;
1238 BT_DBG("keydist 0x%x", *keydist);
1240 if (*keydist & SMP_DIST_ENC_KEY) {
1241 struct smp_cmd_encrypt_info enc;
1242 struct smp_cmd_master_ident ident;
1243 struct smp_ltk *ltk;
1248 /* Make sure we generate only the significant amount of
1249 * bytes based on the encryption key size, and set the rest
1250 * of the value to zeroes.
1252 get_random_bytes(enc.ltk, smp->enc_key_size);
1253 memset(enc.ltk + smp->enc_key_size, 0,
1254 sizeof(enc.ltk) - smp->enc_key_size);
1256 get_random_bytes(&ediv, sizeof(ediv));
1257 get_random_bytes(&rand, sizeof(rand));
1259 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1261 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1262 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1263 SMP_LTK_SLAVE, authenticated, enc.ltk,
1264 smp->enc_key_size, ediv, rand);
1265 smp->slave_ltk = ltk;
1270 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1272 *keydist &= ~SMP_DIST_ENC_KEY;
1275 if (*keydist & SMP_DIST_ID_KEY) {
1276 struct smp_cmd_ident_addr_info addrinfo;
1277 struct smp_cmd_ident_info idinfo;
1279 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1281 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1283 /* The hci_conn contains the local identity address
1284 * after the connection has been established.
1286 * This is true even when the connection has been
1287 * established using a resolvable random address.
1289 bacpy(&addrinfo.bdaddr, &hcon->src);
1290 addrinfo.addr_type = hcon->src_type;
1292 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1295 *keydist &= ~SMP_DIST_ID_KEY;
1298 if (*keydist & SMP_DIST_SIGN) {
1299 struct smp_cmd_sign_info sign;
1300 struct smp_csrk *csrk;
1302 /* Generate a new random key */
1303 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1305 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1307 if (hcon->sec_level > BT_SECURITY_MEDIUM)
1308 csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1310 csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1311 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1313 smp->slave_csrk = csrk;
1315 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1317 *keydist &= ~SMP_DIST_SIGN;
1320 /* If there are still keys to be received wait for them */
1321 if (smp->remote_key_dist & KEY_DIST_MASK) {
1322 smp_allow_key_dist(smp);
1326 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1327 smp_notify_keys(conn);
1329 smp_chan_destroy(conn);
1332 static void smp_timeout(struct work_struct *work)
1334 struct smp_chan *smp = container_of(work, struct smp_chan,
1335 security_timer.work);
1336 struct l2cap_conn *conn = smp->conn;
1338 BT_DBG("conn %p", conn);
1340 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1343 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1345 struct l2cap_chan *chan = conn->smp;
1346 struct smp_chan *smp;
1348 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1352 smp->tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
1353 if (IS_ERR(smp->tfm_aes)) {
1354 BT_ERR("Unable to create AES crypto context");
1359 smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1360 if (IS_ERR(smp->tfm_cmac)) {
1361 BT_ERR("Unable to create CMAC crypto context");
1362 crypto_free_cipher(smp->tfm_aes);
1370 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1372 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1374 hci_conn_hold(conn->hcon);
1379 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1381 struct hci_conn *hcon = smp->conn->hcon;
1382 u8 *na, *nb, a[7], b[7];
1392 memcpy(a, &hcon->init_addr, 6);
1393 memcpy(b, &hcon->resp_addr, 6);
1394 a[6] = hcon->init_addr_type;
1395 b[6] = hcon->resp_addr_type;
1397 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1400 static void sc_dhkey_check(struct smp_chan *smp)
1402 struct hci_conn *hcon = smp->conn->hcon;
1403 struct smp_cmd_dhkey_check check;
1404 u8 a[7], b[7], *local_addr, *remote_addr;
1405 u8 io_cap[3], r[16];
1407 memcpy(a, &hcon->init_addr, 6);
1408 memcpy(b, &hcon->resp_addr, 6);
1409 a[6] = hcon->init_addr_type;
1410 b[6] = hcon->resp_addr_type;
1415 memcpy(io_cap, &smp->preq[1], 3);
1419 memcpy(io_cap, &smp->prsp[1], 3);
1422 memset(r, 0, sizeof(r));
1424 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1425 put_unaligned_le32(hcon->passkey_notify, r);
1427 if (smp->method == REQ_OOB)
1428 memcpy(r, smp->rr, 16);
1430 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1431 local_addr, remote_addr, check.e);
1433 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1436 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1438 struct l2cap_conn *conn = smp->conn;
1439 struct hci_conn *hcon = conn->hcon;
1440 struct smp_cmd_pairing_confirm cfm;
1443 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1446 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1448 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1450 return SMP_UNSPECIFIED;
1452 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1457 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1459 struct l2cap_conn *conn = smp->conn;
1460 struct hci_conn *hcon = conn->hcon;
1461 struct hci_dev *hdev = hcon->hdev;
1464 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1465 if (smp->passkey_round >= 20)
1469 case SMP_CMD_PAIRING_RANDOM:
1470 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1473 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1475 return SMP_UNSPECIFIED;
1477 if (crypto_memneq(smp->pcnf, cfm, 16))
1478 return SMP_CONFIRM_FAILED;
1480 smp->passkey_round++;
1482 if (smp->passkey_round == 20) {
1483 /* Generate MacKey and LTK */
1484 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1485 return SMP_UNSPECIFIED;
1488 /* The round is only complete when the initiator
1489 * receives pairing random.
1492 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1493 sizeof(smp->prnd), smp->prnd);
1494 if (smp->passkey_round == 20)
1495 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1497 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1501 /* Start the next round */
1502 if (smp->passkey_round != 20)
1503 return sc_passkey_round(smp, 0);
1505 /* Passkey rounds are complete - start DHKey Check */
1506 sc_dhkey_check(smp);
1507 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1511 case SMP_CMD_PAIRING_CONFIRM:
1512 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1513 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1517 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1520 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1521 sizeof(smp->prnd), smp->prnd);
1525 return sc_passkey_send_confirm(smp);
1527 case SMP_CMD_PUBLIC_KEY:
1529 /* Initiating device starts the round */
1533 BT_DBG("%s Starting passkey round %u", hdev->name,
1534 smp->passkey_round + 1);
1536 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1538 return sc_passkey_send_confirm(smp);
1544 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1546 struct l2cap_conn *conn = smp->conn;
1547 struct hci_conn *hcon = conn->hcon;
1550 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1553 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1554 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1556 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1557 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1559 case MGMT_OP_USER_PASSKEY_REPLY:
1560 hcon->passkey_notify = le32_to_cpu(passkey);
1561 smp->passkey_round = 0;
1563 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1564 smp_op = SMP_CMD_PAIRING_CONFIRM;
1568 if (sc_passkey_round(smp, smp_op))
1574 /* Initiator sends DHKey check first */
1576 sc_dhkey_check(smp);
1577 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1578 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1579 sc_dhkey_check(smp);
1586 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1588 struct l2cap_conn *conn = hcon->l2cap_data;
1589 struct l2cap_chan *chan;
1590 struct smp_chan *smp;
1603 l2cap_chan_lock(chan);
1611 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1612 err = sc_user_reply(smp, mgmt_op, passkey);
1617 case MGMT_OP_USER_PASSKEY_REPLY:
1618 value = le32_to_cpu(passkey);
1619 memset(smp->tk, 0, sizeof(smp->tk));
1620 BT_DBG("PassKey: %d", value);
1621 put_unaligned_le32(value, smp->tk);
1623 case MGMT_OP_USER_CONFIRM_REPLY:
1624 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1626 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1627 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1628 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1632 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1639 /* If it is our turn to send Pairing Confirm, do so now */
1640 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1641 u8 rsp = smp_confirm(smp);
1643 smp_failure(conn, rsp);
1647 l2cap_chan_unlock(chan);
1651 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1652 struct smp_cmd_pairing *req,
1653 struct smp_cmd_pairing *rsp)
1655 struct l2cap_conn *conn = smp->conn;
1656 struct hci_dev *hdev = conn->hcon->hdev;
1657 u8 local_dist = 0, remote_dist = 0;
1659 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1660 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1661 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1664 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1665 remote_dist |= SMP_DIST_ID_KEY;
1667 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1668 local_dist |= SMP_DIST_ID_KEY;
1671 memset(req, 0, sizeof(*req));
1673 req->init_key_dist = local_dist;
1674 req->resp_key_dist = remote_dist;
1675 req->max_key_size = conn->hcon->enc_key_size;
1677 smp->remote_key_dist = remote_dist;
1682 memset(rsp, 0, sizeof(*rsp));
1684 rsp->max_key_size = conn->hcon->enc_key_size;
1685 rsp->init_key_dist = req->init_key_dist & remote_dist;
1686 rsp->resp_key_dist = req->resp_key_dist & local_dist;
1688 smp->remote_key_dist = rsp->init_key_dist;
1691 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1693 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1694 struct l2cap_chan *chan = conn->smp;
1695 struct hci_dev *hdev = conn->hcon->hdev;
1696 struct smp_chan *smp;
1697 u8 key_size, auth, sec_level;
1700 BT_DBG("conn %p", conn);
1702 if (skb->len < sizeof(*req))
1703 return SMP_INVALID_PARAMS;
1705 if (conn->hcon->role != HCI_ROLE_SLAVE)
1706 return SMP_CMD_NOTSUPP;
1709 smp = smp_chan_create(conn);
1714 return SMP_UNSPECIFIED;
1716 /* We didn't start the pairing, so match remote */
1717 auth = req->auth_req & AUTH_REQ_MASK(hdev);
1719 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1720 (auth & SMP_AUTH_BONDING))
1721 return SMP_PAIRING_NOTSUPP;
1723 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1724 return SMP_AUTH_REQUIREMENTS;
1726 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1727 memcpy(&smp->preq[1], req, sizeof(*req));
1728 skb_pull(skb, sizeof(*req));
1730 /* If the remote side's OOB flag is set it means it has
1731 * successfully received our local OOB data - therefore set the
1732 * flag to indicate that local OOB is in use.
1734 if (req->oob_flag == SMP_OOB_PRESENT)
1735 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1737 /* SMP over BR/EDR requires special treatment */
1738 if (conn->hcon->type == ACL_LINK) {
1739 /* We must have a BR/EDR SC link */
1740 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1741 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1742 return SMP_CROSS_TRANSP_NOT_ALLOWED;
1744 set_bit(SMP_FLAG_SC, &smp->flags);
1746 build_bredr_pairing_cmd(smp, req, &rsp);
1748 key_size = min(req->max_key_size, rsp.max_key_size);
1749 if (check_enc_key_size(conn, key_size))
1750 return SMP_ENC_KEY_SIZE;
1752 /* Clear bits which are generated but not distributed */
1753 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1755 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1756 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1757 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1759 smp_distribute_keys(smp);
1763 build_pairing_cmd(conn, req, &rsp, auth);
1765 if (rsp.auth_req & SMP_AUTH_SC)
1766 set_bit(SMP_FLAG_SC, &smp->flags);
1768 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1769 sec_level = BT_SECURITY_MEDIUM;
1771 sec_level = authreq_to_seclevel(auth);
1773 if (sec_level > conn->hcon->pending_sec_level)
1774 conn->hcon->pending_sec_level = sec_level;
1776 /* If we need MITM check that it can be achieved */
1777 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1780 method = get_auth_method(smp, conn->hcon->io_capability,
1781 req->io_capability);
1782 if (method == JUST_WORKS || method == JUST_CFM)
1783 return SMP_AUTH_REQUIREMENTS;
1786 key_size = min(req->max_key_size, rsp.max_key_size);
1787 if (check_enc_key_size(conn, key_size))
1788 return SMP_ENC_KEY_SIZE;
1790 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1792 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1793 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1795 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1797 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1799 /* Strictly speaking we shouldn't allow Pairing Confirm for the
1800 * SC case, however some implementations incorrectly copy RFU auth
1801 * req bits from our security request, which may create a false
1802 * positive SC enablement.
1804 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1806 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1807 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1808 /* Clear bits which are generated but not distributed */
1809 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1810 /* Wait for Public Key from Initiating Device */
1814 /* Request setup of TK */
1815 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1817 return SMP_UNSPECIFIED;
1822 static u8 sc_send_public_key(struct smp_chan *smp)
1824 struct hci_dev *hdev = smp->conn->hcon->hdev;
1828 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1829 struct l2cap_chan *chan = hdev->smp_data;
1830 struct smp_dev *smp_dev;
1832 if (!chan || !chan->data)
1833 return SMP_UNSPECIFIED;
1835 smp_dev = chan->data;
1837 memcpy(smp->local_pk, smp_dev->local_pk, 64);
1838 memcpy(smp->local_sk, smp_dev->local_sk, 32);
1839 memcpy(smp->lr, smp_dev->local_rand, 16);
1841 if (smp_dev->debug_key)
1842 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1847 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1848 BT_DBG("Using debug keys");
1849 memcpy(smp->local_pk, debug_pk, 64);
1850 memcpy(smp->local_sk, debug_sk, 32);
1851 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1854 /* Generate local key pair for Secure Connections */
1855 if (!ecc_make_key(smp->local_pk, smp->local_sk))
1856 return SMP_UNSPECIFIED;
1858 /* This is unlikely, but we need to check that
1859 * we didn't accidentially generate a debug key.
1861 if (crypto_memneq(smp->local_sk, debug_sk, 32))
1867 SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1868 SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1869 SMP_DBG("Local Private Key: %32phN", smp->local_sk);
1871 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1876 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1878 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1879 struct l2cap_chan *chan = conn->smp;
1880 struct smp_chan *smp = chan->data;
1881 struct hci_dev *hdev = conn->hcon->hdev;
1885 BT_DBG("conn %p", conn);
1887 if (skb->len < sizeof(*rsp))
1888 return SMP_INVALID_PARAMS;
1890 if (conn->hcon->role != HCI_ROLE_MASTER)
1891 return SMP_CMD_NOTSUPP;
1893 skb_pull(skb, sizeof(*rsp));
1895 req = (void *) &smp->preq[1];
1897 key_size = min(req->max_key_size, rsp->max_key_size);
1898 if (check_enc_key_size(conn, key_size))
1899 return SMP_ENC_KEY_SIZE;
1901 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1903 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1904 return SMP_AUTH_REQUIREMENTS;
1906 /* If the remote side's OOB flag is set it means it has
1907 * successfully received our local OOB data - therefore set the
1908 * flag to indicate that local OOB is in use.
1910 if (rsp->oob_flag == SMP_OOB_PRESENT)
1911 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1913 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1914 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1916 /* Update remote key distribution in case the remote cleared
1917 * some bits that we had enabled in our request.
1919 smp->remote_key_dist &= rsp->resp_key_dist;
1921 /* For BR/EDR this means we're done and can start phase 3 */
1922 if (conn->hcon->type == ACL_LINK) {
1923 /* Clear bits which are generated but not distributed */
1924 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1925 smp_distribute_keys(smp);
1929 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1930 set_bit(SMP_FLAG_SC, &smp->flags);
1931 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1932 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1934 /* If we need MITM check that it can be achieved */
1935 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1938 method = get_auth_method(smp, req->io_capability,
1939 rsp->io_capability);
1940 if (method == JUST_WORKS || method == JUST_CFM)
1941 return SMP_AUTH_REQUIREMENTS;
1944 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1946 /* Update remote key distribution in case the remote cleared
1947 * some bits that we had enabled in our request.
1949 smp->remote_key_dist &= rsp->resp_key_dist;
1951 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1952 /* Clear bits which are generated but not distributed */
1953 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1954 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1955 return sc_send_public_key(smp);
1958 auth |= req->auth_req;
1960 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
1962 return SMP_UNSPECIFIED;
1964 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1966 /* Can't compose response until we have been confirmed */
1967 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1968 return smp_confirm(smp);
1973 static u8 sc_check_confirm(struct smp_chan *smp)
1975 struct l2cap_conn *conn = smp->conn;
1979 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1980 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
1982 if (conn->hcon->out) {
1983 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1985 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1991 /* Work-around for some implementations that incorrectly copy RFU bits
1992 * from our security request and thereby create the impression that
1993 * we're doing SC when in fact the remote doesn't support it.
1995 static int fixup_sc_false_positive(struct smp_chan *smp)
1997 struct l2cap_conn *conn = smp->conn;
1998 struct hci_conn *hcon = conn->hcon;
1999 struct hci_dev *hdev = hcon->hdev;
2000 struct smp_cmd_pairing *req, *rsp;
2003 /* The issue is only observed when we're in slave role */
2005 return SMP_UNSPECIFIED;
2007 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2008 BT_ERR("Refusing SMP SC -> legacy fallback in SC-only mode");
2009 return SMP_UNSPECIFIED;
2012 BT_ERR("Trying to fall back to legacy SMP");
2014 req = (void *) &smp->preq[1];
2015 rsp = (void *) &smp->prsp[1];
2017 /* Rebuild key dist flags which may have been cleared for SC */
2018 smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2020 auth = req->auth_req & AUTH_REQ_MASK(hdev);
2022 if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2023 BT_ERR("Failed to fall back to legacy SMP");
2024 return SMP_UNSPECIFIED;
2027 clear_bit(SMP_FLAG_SC, &smp->flags);
2032 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2034 struct l2cap_chan *chan = conn->smp;
2035 struct smp_chan *smp = chan->data;
2037 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
2039 if (skb->len < sizeof(smp->pcnf))
2040 return SMP_INVALID_PARAMS;
2042 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2043 skb_pull(skb, sizeof(smp->pcnf));
2045 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2048 /* Public Key exchange must happen before any other steps */
2049 if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2050 return sc_check_confirm(smp);
2052 BT_ERR("Unexpected SMP Pairing Confirm");
2054 ret = fixup_sc_false_positive(smp);
2059 if (conn->hcon->out) {
2060 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2062 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2066 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2067 return smp_confirm(smp);
2069 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2074 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2076 struct l2cap_chan *chan = conn->smp;
2077 struct smp_chan *smp = chan->data;
2078 struct hci_conn *hcon = conn->hcon;
2079 u8 *pkax, *pkbx, *na, *nb;
2083 BT_DBG("conn %p", conn);
2085 if (skb->len < sizeof(smp->rrnd))
2086 return SMP_INVALID_PARAMS;
2088 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2089 skb_pull(skb, sizeof(smp->rrnd));
2091 if (!test_bit(SMP_FLAG_SC, &smp->flags))
2092 return smp_random(smp);
2095 pkax = smp->local_pk;
2096 pkbx = smp->remote_pk;
2100 pkax = smp->remote_pk;
2101 pkbx = smp->local_pk;
2106 if (smp->method == REQ_OOB) {
2108 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2109 sizeof(smp->prnd), smp->prnd);
2110 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2111 goto mackey_and_ltk;
2114 /* Passkey entry has special treatment */
2115 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2116 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2121 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2124 return SMP_UNSPECIFIED;
2126 if (crypto_memneq(smp->pcnf, cfm, 16))
2127 return SMP_CONFIRM_FAILED;
2129 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2131 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2135 /* Generate MacKey and LTK */
2136 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2138 return SMP_UNSPECIFIED;
2140 if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2142 sc_dhkey_check(smp);
2143 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2148 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2150 return SMP_UNSPECIFIED;
2152 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2153 hcon->dst_type, passkey, 0);
2155 return SMP_UNSPECIFIED;
2157 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2162 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2164 struct smp_ltk *key;
2165 struct hci_conn *hcon = conn->hcon;
2167 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2171 if (smp_ltk_sec_level(key) < sec_level)
2174 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2177 hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2178 hcon->enc_key_size = key->enc_size;
2180 /* We never store STKs for master role, so clear this flag */
2181 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2186 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2187 enum smp_key_pref key_pref)
2189 if (sec_level == BT_SECURITY_LOW)
2192 /* If we're encrypted with an STK but the caller prefers using
2193 * LTK claim insufficient security. This way we allow the
2194 * connection to be re-encrypted with an LTK, even if the LTK
2195 * provides the same level of security. Only exception is if we
2196 * don't have an LTK (e.g. because of key distribution bits).
2198 if (key_pref == SMP_USE_LTK &&
2199 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2200 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2203 if (hcon->sec_level >= sec_level)
2209 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2211 struct smp_cmd_security_req *rp = (void *) skb->data;
2212 struct smp_cmd_pairing cp;
2213 struct hci_conn *hcon = conn->hcon;
2214 struct hci_dev *hdev = hcon->hdev;
2215 struct smp_chan *smp;
2218 BT_DBG("conn %p", conn);
2220 if (skb->len < sizeof(*rp))
2221 return SMP_INVALID_PARAMS;
2223 if (hcon->role != HCI_ROLE_MASTER)
2224 return SMP_CMD_NOTSUPP;
2226 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2228 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2229 return SMP_AUTH_REQUIREMENTS;
2231 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2232 sec_level = BT_SECURITY_MEDIUM;
2234 sec_level = authreq_to_seclevel(auth);
2236 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2237 /* If link is already encrypted with sufficient security we
2238 * still need refresh encryption as per Core Spec 5.0 Vol 3,
2241 smp_ltk_encrypt(conn, hcon->sec_level);
2245 if (sec_level > hcon->pending_sec_level)
2246 hcon->pending_sec_level = sec_level;
2248 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2251 smp = smp_chan_create(conn);
2253 return SMP_UNSPECIFIED;
2255 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2256 (auth & SMP_AUTH_BONDING))
2257 return SMP_PAIRING_NOTSUPP;
2259 skb_pull(skb, sizeof(*rp));
2261 memset(&cp, 0, sizeof(cp));
2262 build_pairing_cmd(conn, &cp, NULL, auth);
2264 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2265 memcpy(&smp->preq[1], &cp, sizeof(cp));
2267 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2268 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2273 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2275 struct l2cap_conn *conn = hcon->l2cap_data;
2276 struct l2cap_chan *chan;
2277 struct smp_chan *smp;
2281 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2283 /* This may be NULL if there's an unexpected disconnection */
2287 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2290 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2293 if (sec_level > hcon->pending_sec_level)
2294 hcon->pending_sec_level = sec_level;
2296 if (hcon->role == HCI_ROLE_MASTER)
2297 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2302 BT_ERR("SMP security requested but not available");
2306 l2cap_chan_lock(chan);
2308 /* If SMP is already in progress ignore this request */
2314 smp = smp_chan_create(conn);
2320 authreq = seclevel_to_authreq(sec_level);
2322 if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED))
2323 authreq |= SMP_AUTH_SC;
2325 /* Require MITM if IO Capability allows or the security level
2328 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2329 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2330 authreq |= SMP_AUTH_MITM;
2332 if (hcon->role == HCI_ROLE_MASTER) {
2333 struct smp_cmd_pairing cp;
2335 build_pairing_cmd(conn, &cp, NULL, authreq);
2336 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2337 memcpy(&smp->preq[1], &cp, sizeof(cp));
2339 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2340 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2342 struct smp_cmd_security_req cp;
2343 cp.auth_req = authreq;
2344 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2345 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2348 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2352 l2cap_chan_unlock(chan);
2356 int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2359 struct hci_conn *hcon;
2360 struct l2cap_conn *conn;
2361 struct l2cap_chan *chan;
2362 struct smp_chan *smp;
2365 err = hci_remove_ltk(hdev, bdaddr, addr_type);
2366 hci_remove_irk(hdev, bdaddr, addr_type);
2368 hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2372 conn = hcon->l2cap_data;
2380 l2cap_chan_lock(chan);
2384 /* Set keys to NULL to make sure smp_failure() does not try to
2385 * remove and free already invalidated rcu list entries. */
2387 smp->slave_ltk = NULL;
2388 smp->remote_irk = NULL;
2390 if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2391 smp_failure(conn, 0);
2393 smp_failure(conn, SMP_UNSPECIFIED);
2397 l2cap_chan_unlock(chan);
2403 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2405 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2406 struct l2cap_chan *chan = conn->smp;
2407 struct smp_chan *smp = chan->data;
2409 BT_DBG("conn %p", conn);
2411 if (skb->len < sizeof(*rp))
2412 return SMP_INVALID_PARAMS;
2414 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2416 skb_pull(skb, sizeof(*rp));
2418 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2423 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2425 struct smp_cmd_master_ident *rp = (void *) skb->data;
2426 struct l2cap_chan *chan = conn->smp;
2427 struct smp_chan *smp = chan->data;
2428 struct hci_dev *hdev = conn->hcon->hdev;
2429 struct hci_conn *hcon = conn->hcon;
2430 struct smp_ltk *ltk;
2433 BT_DBG("conn %p", conn);
2435 if (skb->len < sizeof(*rp))
2436 return SMP_INVALID_PARAMS;
2438 /* Mark the information as received */
2439 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2441 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2442 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2443 else if (smp->remote_key_dist & SMP_DIST_SIGN)
2444 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2446 skb_pull(skb, sizeof(*rp));
2448 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2449 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2450 authenticated, smp->tk, smp->enc_key_size,
2451 rp->ediv, rp->rand);
2453 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2454 smp_distribute_keys(smp);
2459 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2461 struct smp_cmd_ident_info *info = (void *) skb->data;
2462 struct l2cap_chan *chan = conn->smp;
2463 struct smp_chan *smp = chan->data;
2467 if (skb->len < sizeof(*info))
2468 return SMP_INVALID_PARAMS;
2470 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2472 skb_pull(skb, sizeof(*info));
2474 memcpy(smp->irk, info->irk, 16);
2479 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2480 struct sk_buff *skb)
2482 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2483 struct l2cap_chan *chan = conn->smp;
2484 struct smp_chan *smp = chan->data;
2485 struct hci_conn *hcon = conn->hcon;
2490 if (skb->len < sizeof(*info))
2491 return SMP_INVALID_PARAMS;
2493 /* Mark the information as received */
2494 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2496 if (smp->remote_key_dist & SMP_DIST_SIGN)
2497 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2499 skb_pull(skb, sizeof(*info));
2501 /* Strictly speaking the Core Specification (4.1) allows sending
2502 * an empty address which would force us to rely on just the IRK
2503 * as "identity information". However, since such
2504 * implementations are not known of and in order to not over
2505 * complicate our implementation, simply pretend that we never
2506 * received an IRK for such a device.
2508 * The Identity Address must also be a Static Random or Public
2509 * Address, which hci_is_identity_address() checks for.
2511 if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2512 !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2513 BT_ERR("Ignoring IRK with no identity address");
2517 /* Drop IRK if peer is using identity address during pairing but is
2518 * providing different address as identity information.
2520 * Microsoft Surface Precision Mouse is known to have this bug.
2522 if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
2523 (bacmp(&info->bdaddr, &hcon->dst) ||
2524 info->addr_type != hcon->dst_type)) {
2525 bt_dev_err(hcon->hdev,
2526 "ignoring IRK with invalid identity address");
2530 bacpy(&smp->id_addr, &info->bdaddr);
2531 smp->id_addr_type = info->addr_type;
2533 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2534 bacpy(&rpa, &hcon->dst);
2536 bacpy(&rpa, BDADDR_ANY);
2538 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2539 smp->id_addr_type, smp->irk, &rpa);
2542 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2543 smp_distribute_keys(smp);
2548 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2550 struct smp_cmd_sign_info *rp = (void *) skb->data;
2551 struct l2cap_chan *chan = conn->smp;
2552 struct smp_chan *smp = chan->data;
2553 struct smp_csrk *csrk;
2555 BT_DBG("conn %p", conn);
2557 if (skb->len < sizeof(*rp))
2558 return SMP_INVALID_PARAMS;
2560 /* Mark the information as received */
2561 smp->remote_key_dist &= ~SMP_DIST_SIGN;
2563 skb_pull(skb, sizeof(*rp));
2565 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2567 if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2568 csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2570 csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2571 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2574 smp_distribute_keys(smp);
2579 static u8 sc_select_method(struct smp_chan *smp)
2581 struct l2cap_conn *conn = smp->conn;
2582 struct hci_conn *hcon = conn->hcon;
2583 struct smp_cmd_pairing *local, *remote;
2584 u8 local_mitm, remote_mitm, local_io, remote_io, method;
2586 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2587 test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2590 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2591 * which are needed as inputs to some crypto functions. To get
2592 * the "struct smp_cmd_pairing" from them we need to skip the
2593 * first byte which contains the opcode.
2596 local = (void *) &smp->preq[1];
2597 remote = (void *) &smp->prsp[1];
2599 local = (void *) &smp->prsp[1];
2600 remote = (void *) &smp->preq[1];
2603 local_io = local->io_capability;
2604 remote_io = remote->io_capability;
2606 local_mitm = (local->auth_req & SMP_AUTH_MITM);
2607 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2609 /* If either side wants MITM, look up the method from the table,
2610 * otherwise use JUST WORKS.
2612 if (local_mitm || remote_mitm)
2613 method = get_auth_method(smp, local_io, remote_io);
2615 method = JUST_WORKS;
2617 /* Don't confirm locally initiated pairing attempts */
2618 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2619 method = JUST_WORKS;
2624 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2626 struct smp_cmd_public_key *key = (void *) skb->data;
2627 struct hci_conn *hcon = conn->hcon;
2628 struct l2cap_chan *chan = conn->smp;
2629 struct smp_chan *smp = chan->data;
2630 struct hci_dev *hdev = hcon->hdev;
2631 struct smp_cmd_pairing_confirm cfm;
2634 BT_DBG("conn %p", conn);
2636 if (skb->len < sizeof(*key))
2637 return SMP_INVALID_PARAMS;
2639 /* Check if remote and local public keys are the same and debug key is
2642 if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) &&
2643 !crypto_memneq(key, smp->local_pk, 64)) {
2644 bt_dev_err(hdev, "Remote and local public keys are identical");
2645 return SMP_UNSPECIFIED;
2648 memcpy(smp->remote_pk, key, 64);
2650 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2651 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2652 smp->rr, 0, cfm.confirm_val);
2654 return SMP_UNSPECIFIED;
2656 if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2657 return SMP_CONFIRM_FAILED;
2660 /* Non-initiating device sends its public key after receiving
2661 * the key from the initiating device.
2664 err = sc_send_public_key(smp);
2669 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2670 SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2672 if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2673 return SMP_UNSPECIFIED;
2675 SMP_DBG("DHKey %32phN", smp->dhkey);
2677 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2679 smp->method = sc_select_method(smp);
2681 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2683 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2684 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2685 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2687 hcon->pending_sec_level = BT_SECURITY_FIPS;
2689 if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2690 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2692 if (smp->method == DSP_PASSKEY) {
2693 get_random_bytes(&hcon->passkey_notify,
2694 sizeof(hcon->passkey_notify));
2695 hcon->passkey_notify %= 1000000;
2696 hcon->passkey_entered = 0;
2697 smp->passkey_round = 0;
2698 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2700 hcon->passkey_notify,
2701 hcon->passkey_entered))
2702 return SMP_UNSPECIFIED;
2703 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2704 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2707 if (smp->method == REQ_OOB) {
2709 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2710 sizeof(smp->prnd), smp->prnd);
2712 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2718 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2720 if (smp->method == REQ_PASSKEY) {
2721 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2723 return SMP_UNSPECIFIED;
2724 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2725 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2729 /* The Initiating device waits for the non-initiating device to
2730 * send the confirm value.
2732 if (conn->hcon->out)
2735 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2736 0, cfm.confirm_val);
2738 return SMP_UNSPECIFIED;
2740 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2741 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2746 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2748 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2749 struct l2cap_chan *chan = conn->smp;
2750 struct hci_conn *hcon = conn->hcon;
2751 struct smp_chan *smp = chan->data;
2752 u8 a[7], b[7], *local_addr, *remote_addr;
2753 u8 io_cap[3], r[16], e[16];
2756 BT_DBG("conn %p", conn);
2758 if (skb->len < sizeof(*check))
2759 return SMP_INVALID_PARAMS;
2761 memcpy(a, &hcon->init_addr, 6);
2762 memcpy(b, &hcon->resp_addr, 6);
2763 a[6] = hcon->init_addr_type;
2764 b[6] = hcon->resp_addr_type;
2769 memcpy(io_cap, &smp->prsp[1], 3);
2773 memcpy(io_cap, &smp->preq[1], 3);
2776 memset(r, 0, sizeof(r));
2778 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2779 put_unaligned_le32(hcon->passkey_notify, r);
2780 else if (smp->method == REQ_OOB)
2781 memcpy(r, smp->lr, 16);
2783 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2784 io_cap, remote_addr, local_addr, e);
2786 return SMP_UNSPECIFIED;
2788 if (crypto_memneq(check->e, e, 16))
2789 return SMP_DHKEY_CHECK_FAILED;
2792 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2793 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2797 /* Slave sends DHKey check as response to master */
2798 sc_dhkey_check(smp);
2804 hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2805 hcon->enc_key_size = smp->enc_key_size;
2811 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2812 struct sk_buff *skb)
2814 struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2816 BT_DBG("value 0x%02x", kp->value);
2821 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2823 struct l2cap_conn *conn = chan->conn;
2824 struct hci_conn *hcon = conn->hcon;
2825 struct smp_chan *smp;
2832 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2833 reason = SMP_PAIRING_NOTSUPP;
2837 code = skb->data[0];
2838 skb_pull(skb, sizeof(code));
2842 if (code > SMP_CMD_MAX)
2845 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2848 /* If we don't have a context the only allowed commands are
2849 * pairing request and security request.
2851 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2855 case SMP_CMD_PAIRING_REQ:
2856 reason = smp_cmd_pairing_req(conn, skb);
2859 case SMP_CMD_PAIRING_FAIL:
2860 smp_failure(conn, 0);
2864 case SMP_CMD_PAIRING_RSP:
2865 reason = smp_cmd_pairing_rsp(conn, skb);
2868 case SMP_CMD_SECURITY_REQ:
2869 reason = smp_cmd_security_req(conn, skb);
2872 case SMP_CMD_PAIRING_CONFIRM:
2873 reason = smp_cmd_pairing_confirm(conn, skb);
2876 case SMP_CMD_PAIRING_RANDOM:
2877 reason = smp_cmd_pairing_random(conn, skb);
2880 case SMP_CMD_ENCRYPT_INFO:
2881 reason = smp_cmd_encrypt_info(conn, skb);
2884 case SMP_CMD_MASTER_IDENT:
2885 reason = smp_cmd_master_ident(conn, skb);
2888 case SMP_CMD_IDENT_INFO:
2889 reason = smp_cmd_ident_info(conn, skb);
2892 case SMP_CMD_IDENT_ADDR_INFO:
2893 reason = smp_cmd_ident_addr_info(conn, skb);
2896 case SMP_CMD_SIGN_INFO:
2897 reason = smp_cmd_sign_info(conn, skb);
2900 case SMP_CMD_PUBLIC_KEY:
2901 reason = smp_cmd_public_key(conn, skb);
2904 case SMP_CMD_DHKEY_CHECK:
2905 reason = smp_cmd_dhkey_check(conn, skb);
2908 case SMP_CMD_KEYPRESS_NOTIFY:
2909 reason = smp_cmd_keypress_notify(conn, skb);
2913 BT_DBG("Unknown command code 0x%2.2x", code);
2914 reason = SMP_CMD_NOTSUPP;
2921 smp_failure(conn, reason);
2928 BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2934 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2936 struct l2cap_conn *conn = chan->conn;
2938 BT_DBG("chan %p", chan);
2941 smp_chan_destroy(conn);
2944 l2cap_chan_put(chan);
2947 static void bredr_pairing(struct l2cap_chan *chan)
2949 struct l2cap_conn *conn = chan->conn;
2950 struct hci_conn *hcon = conn->hcon;
2951 struct hci_dev *hdev = hcon->hdev;
2952 struct smp_cmd_pairing req;
2953 struct smp_chan *smp;
2955 BT_DBG("chan %p", chan);
2957 /* Only new pairings are interesting */
2958 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2961 /* Don't bother if we're not encrypted */
2962 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2965 /* Only master may initiate SMP over BR/EDR */
2966 if (hcon->role != HCI_ROLE_MASTER)
2969 /* Secure Connections support must be enabled */
2970 if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
2973 /* BR/EDR must use Secure Connections for SMP */
2974 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
2975 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
2978 /* If our LE support is not enabled don't do anything */
2979 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
2982 /* Don't bother if remote LE support is not enabled */
2983 if (!lmp_host_le_capable(hcon))
2986 /* Remote must support SMP fixed chan for BR/EDR */
2987 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
2990 /* Don't bother if SMP is already ongoing */
2994 smp = smp_chan_create(conn);
2996 BT_ERR("%s unable to create SMP context for BR/EDR",
3001 set_bit(SMP_FLAG_SC, &smp->flags);
3003 BT_DBG("%s starting SMP over BR/EDR", hdev->name);
3005 /* Prepare and send the BR/EDR SMP Pairing Request */
3006 build_bredr_pairing_cmd(smp, &req, NULL);
3008 smp->preq[0] = SMP_CMD_PAIRING_REQ;
3009 memcpy(&smp->preq[1], &req, sizeof(req));
3011 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3012 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3015 static void smp_resume_cb(struct l2cap_chan *chan)
3017 struct smp_chan *smp = chan->data;
3018 struct l2cap_conn *conn = chan->conn;
3019 struct hci_conn *hcon = conn->hcon;
3021 BT_DBG("chan %p", chan);
3023 if (hcon->type == ACL_LINK) {
3024 bredr_pairing(chan);
3031 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3034 cancel_delayed_work(&smp->security_timer);
3036 smp_distribute_keys(smp);
3039 static void smp_ready_cb(struct l2cap_chan *chan)
3041 struct l2cap_conn *conn = chan->conn;
3042 struct hci_conn *hcon = conn->hcon;
3044 BT_DBG("chan %p", chan);
3046 /* No need to call l2cap_chan_hold() here since we already own
3047 * the reference taken in smp_new_conn_cb(). This is just the
3048 * first time that we tie it to a specific pointer. The code in
3049 * l2cap_core.c ensures that there's no risk this function wont
3050 * get called if smp_new_conn_cb was previously called.
3054 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3055 bredr_pairing(chan);
3058 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3062 BT_DBG("chan %p", chan);
3064 err = smp_sig_channel(chan, skb);
3066 struct smp_chan *smp = chan->data;
3069 cancel_delayed_work_sync(&smp->security_timer);
3071 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3077 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3078 unsigned long hdr_len,
3079 unsigned long len, int nb)
3081 struct sk_buff *skb;
3083 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3085 return ERR_PTR(-ENOMEM);
3087 skb->priority = HCI_PRIO_MAX;
3088 bt_cb(skb)->l2cap.chan = chan;
3093 static const struct l2cap_ops smp_chan_ops = {
3094 .name = "Security Manager",
3095 .ready = smp_ready_cb,
3096 .recv = smp_recv_cb,
3097 .alloc_skb = smp_alloc_skb_cb,
3098 .teardown = smp_teardown_cb,
3099 .resume = smp_resume_cb,
3101 .new_connection = l2cap_chan_no_new_connection,
3102 .state_change = l2cap_chan_no_state_change,
3103 .close = l2cap_chan_no_close,
3104 .defer = l2cap_chan_no_defer,
3105 .suspend = l2cap_chan_no_suspend,
3106 .set_shutdown = l2cap_chan_no_set_shutdown,
3107 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
3110 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3112 struct l2cap_chan *chan;
3114 BT_DBG("pchan %p", pchan);
3116 chan = l2cap_chan_create();
3120 chan->chan_type = pchan->chan_type;
3121 chan->ops = &smp_chan_ops;
3122 chan->scid = pchan->scid;
3123 chan->dcid = chan->scid;
3124 chan->imtu = pchan->imtu;
3125 chan->omtu = pchan->omtu;
3126 chan->mode = pchan->mode;
3128 /* Other L2CAP channels may request SMP routines in order to
3129 * change the security level. This means that the SMP channel
3130 * lock must be considered in its own category to avoid lockdep
3133 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3135 BT_DBG("created chan %p", chan);
3140 static const struct l2cap_ops smp_root_chan_ops = {
3141 .name = "Security Manager Root",
3142 .new_connection = smp_new_conn_cb,
3144 /* None of these are implemented for the root channel */
3145 .close = l2cap_chan_no_close,
3146 .alloc_skb = l2cap_chan_no_alloc_skb,
3147 .recv = l2cap_chan_no_recv,
3148 .state_change = l2cap_chan_no_state_change,
3149 .teardown = l2cap_chan_no_teardown,
3150 .ready = l2cap_chan_no_ready,
3151 .defer = l2cap_chan_no_defer,
3152 .suspend = l2cap_chan_no_suspend,
3153 .resume = l2cap_chan_no_resume,
3154 .set_shutdown = l2cap_chan_no_set_shutdown,
3155 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
3158 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3160 struct l2cap_chan *chan;
3161 struct smp_dev *smp;
3162 struct crypto_cipher *tfm_aes;
3163 struct crypto_shash *tfm_cmac;
3165 if (cid == L2CAP_CID_SMP_BREDR) {
3170 smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3172 return ERR_PTR(-ENOMEM);
3174 tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
3175 if (IS_ERR(tfm_aes)) {
3176 BT_ERR("Unable to create AES crypto context");
3178 return ERR_CAST(tfm_aes);
3181 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3182 if (IS_ERR(tfm_cmac)) {
3183 BT_ERR("Unable to create CMAC crypto context");
3184 crypto_free_cipher(tfm_aes);
3186 return ERR_CAST(tfm_cmac);
3189 smp->tfm_aes = tfm_aes;
3190 smp->tfm_cmac = tfm_cmac;
3191 smp->min_key_size = SMP_MIN_ENC_KEY_SIZE;
3192 smp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
3195 chan = l2cap_chan_create();
3198 crypto_free_cipher(smp->tfm_aes);
3199 crypto_free_shash(smp->tfm_cmac);
3202 return ERR_PTR(-ENOMEM);
3207 l2cap_add_scid(chan, cid);
3209 l2cap_chan_set_defaults(chan);
3211 if (cid == L2CAP_CID_SMP) {
3214 hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3216 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3217 chan->src_type = BDADDR_LE_PUBLIC;
3219 chan->src_type = BDADDR_LE_RANDOM;
3221 bacpy(&chan->src, &hdev->bdaddr);
3222 chan->src_type = BDADDR_BREDR;
3225 chan->state = BT_LISTEN;
3226 chan->mode = L2CAP_MODE_BASIC;
3227 chan->imtu = L2CAP_DEFAULT_MTU;
3228 chan->ops = &smp_root_chan_ops;
3230 /* Set correct nesting level for a parent/listening channel */
3231 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3236 static void smp_del_chan(struct l2cap_chan *chan)
3238 struct smp_dev *smp;
3240 BT_DBG("chan %p", chan);
3245 crypto_free_cipher(smp->tfm_aes);
3246 crypto_free_shash(smp->tfm_cmac);
3250 l2cap_chan_put(chan);
3253 static ssize_t force_bredr_smp_read(struct file *file,
3254 char __user *user_buf,
3255 size_t count, loff_t *ppos)
3257 struct hci_dev *hdev = file->private_data;
3260 buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3263 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3266 static ssize_t force_bredr_smp_write(struct file *file,
3267 const char __user *user_buf,
3268 size_t count, loff_t *ppos)
3270 struct hci_dev *hdev = file->private_data;
3272 size_t buf_size = min(count, (sizeof(buf)-1));
3275 if (copy_from_user(buf, user_buf, buf_size))
3278 buf[buf_size] = '\0';
3279 if (strtobool(buf, &enable))
3282 if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3286 struct l2cap_chan *chan;
3288 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3290 return PTR_ERR(chan);
3292 hdev->smp_bredr_data = chan;
3294 struct l2cap_chan *chan;
3296 chan = hdev->smp_bredr_data;
3297 hdev->smp_bredr_data = NULL;
3301 hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3306 static const struct file_operations force_bredr_smp_fops = {
3307 .open = simple_open,
3308 .read = force_bredr_smp_read,
3309 .write = force_bredr_smp_write,
3310 .llseek = default_llseek,
3313 static ssize_t le_min_key_size_read(struct file *file,
3314 char __user *user_buf,
3315 size_t count, loff_t *ppos)
3317 struct hci_dev *hdev = file->private_data;
3320 snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->min_key_size);
3322 return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3325 static ssize_t le_min_key_size_write(struct file *file,
3326 const char __user *user_buf,
3327 size_t count, loff_t *ppos)
3329 struct hci_dev *hdev = file->private_data;
3331 size_t buf_size = min(count, (sizeof(buf) - 1));
3334 if (copy_from_user(buf, user_buf, buf_size))
3337 buf[buf_size] = '\0';
3339 sscanf(buf, "%hhu", &key_size);
3341 if (key_size > SMP_DEV(hdev)->max_key_size ||
3342 key_size < SMP_MIN_ENC_KEY_SIZE)
3345 SMP_DEV(hdev)->min_key_size = key_size;
3350 static const struct file_operations le_min_key_size_fops = {
3351 .open = simple_open,
3352 .read = le_min_key_size_read,
3353 .write = le_min_key_size_write,
3354 .llseek = default_llseek,
3357 static ssize_t le_max_key_size_read(struct file *file,
3358 char __user *user_buf,
3359 size_t count, loff_t *ppos)
3361 struct hci_dev *hdev = file->private_data;
3364 snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->max_key_size);
3366 return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3369 static ssize_t le_max_key_size_write(struct file *file,
3370 const char __user *user_buf,
3371 size_t count, loff_t *ppos)
3373 struct hci_dev *hdev = file->private_data;
3375 size_t buf_size = min(count, (sizeof(buf) - 1));
3378 if (copy_from_user(buf, user_buf, buf_size))
3381 buf[buf_size] = '\0';
3383 sscanf(buf, "%hhu", &key_size);
3385 if (key_size > SMP_MAX_ENC_KEY_SIZE ||
3386 key_size < SMP_DEV(hdev)->min_key_size)
3389 SMP_DEV(hdev)->max_key_size = key_size;
3394 static const struct file_operations le_max_key_size_fops = {
3395 .open = simple_open,
3396 .read = le_max_key_size_read,
3397 .write = le_max_key_size_write,
3398 .llseek = default_llseek,
3401 int smp_register(struct hci_dev *hdev)
3403 struct l2cap_chan *chan;
3405 BT_DBG("%s", hdev->name);
3407 /* If the controller does not support Low Energy operation, then
3408 * there is also no need to register any SMP channel.
3410 if (!lmp_le_capable(hdev))
3413 if (WARN_ON(hdev->smp_data)) {
3414 chan = hdev->smp_data;
3415 hdev->smp_data = NULL;
3419 chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3421 return PTR_ERR(chan);
3423 hdev->smp_data = chan;
3425 debugfs_create_file("le_min_key_size", 0644, hdev->debugfs, hdev,
3426 &le_min_key_size_fops);
3427 debugfs_create_file("le_max_key_size", 0644, hdev->debugfs, hdev,
3428 &le_max_key_size_fops);
3430 /* If the controller does not support BR/EDR Secure Connections
3431 * feature, then the BR/EDR SMP channel shall not be present.
3433 * To test this with Bluetooth 4.0 controllers, create a debugfs
3434 * switch that allows forcing BR/EDR SMP support and accepting
3435 * cross-transport pairing on non-AES encrypted connections.
3437 if (!lmp_sc_capable(hdev)) {
3438 debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3439 hdev, &force_bredr_smp_fops);
3441 /* Flag can be already set here (due to power toggle) */
3442 if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3446 if (WARN_ON(hdev->smp_bredr_data)) {
3447 chan = hdev->smp_bredr_data;
3448 hdev->smp_bredr_data = NULL;
3452 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3454 int err = PTR_ERR(chan);
3455 chan = hdev->smp_data;
3456 hdev->smp_data = NULL;
3461 hdev->smp_bredr_data = chan;
3466 void smp_unregister(struct hci_dev *hdev)
3468 struct l2cap_chan *chan;
3470 if (hdev->smp_bredr_data) {
3471 chan = hdev->smp_bredr_data;
3472 hdev->smp_bredr_data = NULL;
3476 if (hdev->smp_data) {
3477 chan = hdev->smp_data;
3478 hdev->smp_data = NULL;
3483 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3485 static int __init test_ah(struct crypto_cipher *tfm_aes)
3487 const u8 irk[16] = {
3488 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3489 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3490 const u8 r[3] = { 0x94, 0x81, 0x70 };
3491 const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3495 err = smp_ah(tfm_aes, irk, r, res);
3499 if (crypto_memneq(res, exp, 3))
3505 static int __init test_c1(struct crypto_cipher *tfm_aes)
3508 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3509 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3511 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3512 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3513 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3514 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3515 const u8 _iat = 0x01;
3516 const u8 _rat = 0x00;
3517 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3518 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3519 const u8 exp[16] = {
3520 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3521 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3525 err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3529 if (crypto_memneq(res, exp, 16))
3535 static int __init test_s1(struct crypto_cipher *tfm_aes)
3538 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3539 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3541 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3543 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3544 const u8 exp[16] = {
3545 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3546 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3550 err = smp_s1(tfm_aes, k, r1, r2, res);
3554 if (crypto_memneq(res, exp, 16))
3560 static int __init test_f4(struct crypto_shash *tfm_cmac)
3563 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3564 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3565 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3566 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3568 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3569 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3570 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3571 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3573 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3574 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3576 const u8 exp[16] = {
3577 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3578 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3582 err = smp_f4(tfm_cmac, u, v, x, z, res);
3586 if (crypto_memneq(res, exp, 16))
3592 static int __init test_f5(struct crypto_shash *tfm_cmac)
3595 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3596 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3597 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3598 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3600 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3601 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3603 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3604 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3605 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3606 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3607 const u8 exp_ltk[16] = {
3608 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3609 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3610 const u8 exp_mackey[16] = {
3611 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3612 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3613 u8 mackey[16], ltk[16];
3616 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3620 if (crypto_memneq(mackey, exp_mackey, 16))
3623 if (crypto_memneq(ltk, exp_ltk, 16))
3629 static int __init test_f6(struct crypto_shash *tfm_cmac)
3632 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3633 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3635 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3636 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3638 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3639 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3641 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3642 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3643 const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3644 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3645 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3646 const u8 exp[16] = {
3647 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3648 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3652 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3656 if (crypto_memneq(res, exp, 16))
3662 static int __init test_g2(struct crypto_shash *tfm_cmac)
3665 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3666 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3667 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3668 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3670 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3671 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3672 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3673 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3675 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3676 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3678 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3679 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3680 const u32 exp_val = 0x2f9ed5ba % 1000000;
3684 err = smp_g2(tfm_cmac, u, v, x, y, &val);
3694 static int __init test_h6(struct crypto_shash *tfm_cmac)
3697 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3698 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3699 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3700 const u8 exp[16] = {
3701 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3702 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3706 err = smp_h6(tfm_cmac, w, key_id, res);
3710 if (crypto_memneq(res, exp, 16))
3716 static char test_smp_buffer[32];
3718 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3719 size_t count, loff_t *ppos)
3721 return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3722 strlen(test_smp_buffer));
3725 static const struct file_operations test_smp_fops = {
3726 .open = simple_open,
3727 .read = test_smp_read,
3728 .llseek = default_llseek,
3731 static int __init run_selftests(struct crypto_cipher *tfm_aes,
3732 struct crypto_shash *tfm_cmac)
3734 ktime_t calltime, delta, rettime;
3735 unsigned long long duration;
3738 calltime = ktime_get();
3740 err = test_ah(tfm_aes);
3742 BT_ERR("smp_ah test failed");
3746 err = test_c1(tfm_aes);
3748 BT_ERR("smp_c1 test failed");
3752 err = test_s1(tfm_aes);
3754 BT_ERR("smp_s1 test failed");
3758 err = test_f4(tfm_cmac);
3760 BT_ERR("smp_f4 test failed");
3764 err = test_f5(tfm_cmac);
3766 BT_ERR("smp_f5 test failed");
3770 err = test_f6(tfm_cmac);
3772 BT_ERR("smp_f6 test failed");
3776 err = test_g2(tfm_cmac);
3778 BT_ERR("smp_g2 test failed");
3782 err = test_h6(tfm_cmac);
3784 BT_ERR("smp_h6 test failed");
3788 rettime = ktime_get();
3789 delta = ktime_sub(rettime, calltime);
3790 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3792 BT_INFO("SMP test passed in %llu usecs", duration);
3796 snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3797 "PASS (%llu usecs)\n", duration);
3799 snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3801 debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3807 int __init bt_selftest_smp(void)
3809 struct crypto_cipher *tfm_aes;
3810 struct crypto_shash *tfm_cmac;
3813 tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
3814 if (IS_ERR(tfm_aes)) {
3815 BT_ERR("Unable to create AES crypto context");
3816 return PTR_ERR(tfm_aes);
3819 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3820 if (IS_ERR(tfm_cmac)) {
3821 BT_ERR("Unable to create CMAC crypto context");
3822 crypto_free_cipher(tfm_aes);
3823 return PTR_ERR(tfm_cmac);
3826 err = run_selftests(tfm_aes, tfm_cmac);
3828 crypto_free_shash(tfm_cmac);
3829 crypto_free_cipher(tfm_aes);