2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
23 #include <linux/debugfs.h>
24 #include <linux/crypto.h>
25 #include <linux/scatterlist.h>
26 #include <crypto/algapi.h>
27 #include <crypto/b128ops.h>
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 #include <net/bluetooth/l2cap.h>
32 #include <net/bluetooth/mgmt.h>
37 #define SMP_DEV(hdev) \
38 ((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
40 /* Low-level debug macros to be used for stuff that we don't want
41 * accidentially in dmesg, i.e. the values of the various crypto keys
42 * and the inputs & outputs of crypto functions.
45 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
48 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
52 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
54 /* Keys which are not distributed with Secure Connections */
55 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
57 #define SMP_TIMEOUT msecs_to_jiffies(30000)
59 #define AUTH_REQ_MASK(dev) (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
61 #define KEY_DIST_MASK 0x07
63 /* Maximum message length that can be passed to aes_cmac */
64 #define CMAC_MSG_MAX 80
76 SMP_FLAG_DHKEY_PENDING,
82 /* Secure Connections OOB data */
91 struct crypto_blkcipher *tfm_aes;
92 struct crypto_hash *tfm_cmac;
96 struct l2cap_conn *conn;
97 struct delayed_work security_timer;
98 unsigned long allow_cmd; /* Bitmask of allowed commands */
100 u8 preq[7]; /* SMP Pairing Request */
101 u8 prsp[7]; /* SMP Pairing Response */
102 u8 prnd[16]; /* SMP Pairing Random (local) */
103 u8 rrnd[16]; /* SMP Pairing Random (remote) */
104 u8 pcnf[16]; /* SMP Pairing Confirm */
105 u8 tk[16]; /* SMP Temporary Key */
106 u8 rr[16]; /* Remote OOB ra/rb value */
107 u8 lr[16]; /* Local OOB ra/rb value */
113 struct smp_csrk *csrk;
114 struct smp_csrk *slave_csrk;
116 struct smp_ltk *slave_ltk;
117 struct smp_irk *remote_irk;
123 /* Secure Connections variables */
130 struct crypto_blkcipher *tfm_aes;
131 struct crypto_hash *tfm_cmac;
134 /* These debug key values are defined in the SMP section of the core
135 * specification. debug_pk is the public debug key and debug_sk the
138 static const u8 debug_pk[64] = {
139 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
140 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
141 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
142 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
144 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
145 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
146 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
147 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
150 static const u8 debug_sk[32] = {
151 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
152 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
153 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
154 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
157 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
161 for (i = 0; i < len; i++)
162 dst[len - 1 - i] = src[i];
165 /* The following functions map to the LE SC SMP crypto functions
166 * AES-CMAC, f4, f5, f6, g2 and h6.
169 static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m,
170 size_t len, u8 mac[16])
172 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
173 struct hash_desc desc;
174 struct scatterlist sg;
177 if (len > CMAC_MSG_MAX)
181 BT_ERR("tfm %p", tfm);
188 crypto_hash_init(&desc);
190 /* Swap key and message from LSB to MSB */
191 swap_buf(k, tmp, 16);
192 swap_buf(m, msg_msb, len);
194 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
195 SMP_DBG("key %16phN", k);
197 err = crypto_hash_setkey(tfm, tmp, 16);
199 BT_ERR("cipher setkey failed: %d", err);
203 sg_init_one(&sg, msg_msb, len);
205 err = crypto_hash_update(&desc, &sg, len);
207 BT_ERR("Hash update error %d", err);
211 err = crypto_hash_final(&desc, mac_msb);
213 BT_ERR("Hash final error %d", err);
217 swap_buf(mac_msb, mac, 16);
219 SMP_DBG("mac %16phN", mac);
224 static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
225 const u8 x[16], u8 z, u8 res[16])
230 SMP_DBG("u %32phN", u);
231 SMP_DBG("v %32phN", v);
232 SMP_DBG("x %16phN z %02x", x, z);
235 memcpy(m + 1, v, 32);
236 memcpy(m + 33, u, 32);
238 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
242 SMP_DBG("res %16phN", res);
247 static int smp_f5(struct crypto_hash *tfm_cmac, const u8 w[32],
248 const u8 n1[16], const u8 n2[16], const u8 a1[7],
249 const u8 a2[7], u8 mackey[16], u8 ltk[16])
251 /* The btle, salt and length "magic" values are as defined in
252 * the SMP section of the Bluetooth core specification. In ASCII
253 * the btle value ends up being 'btle'. The salt is just a
254 * random number whereas length is the value 256 in little
257 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
258 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
259 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
260 const u8 length[2] = { 0x00, 0x01 };
264 SMP_DBG("w %32phN", w);
265 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
266 SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
268 err = aes_cmac(tfm_cmac, salt, w, 32, t);
272 SMP_DBG("t %16phN", t);
274 memcpy(m, length, 2);
275 memcpy(m + 2, a2, 7);
276 memcpy(m + 9, a1, 7);
277 memcpy(m + 16, n2, 16);
278 memcpy(m + 32, n1, 16);
279 memcpy(m + 48, btle, 4);
281 m[52] = 0; /* Counter */
283 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
287 SMP_DBG("mackey %16phN", mackey);
289 m[52] = 1; /* Counter */
291 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
295 SMP_DBG("ltk %16phN", ltk);
300 static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16],
301 const u8 n1[16], const u8 n2[16], const u8 r[16],
302 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
308 SMP_DBG("w %16phN", w);
309 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
310 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
313 memcpy(m + 7, a1, 7);
314 memcpy(m + 14, io_cap, 3);
315 memcpy(m + 17, r, 16);
316 memcpy(m + 33, n2, 16);
317 memcpy(m + 49, n1, 16);
319 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
323 SMP_DBG("res %16phN", res);
328 static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
329 const u8 x[16], const u8 y[16], u32 *val)
334 SMP_DBG("u %32phN", u);
335 SMP_DBG("v %32phN", v);
336 SMP_DBG("x %16phN y %16phN", x, y);
339 memcpy(m + 16, v, 32);
340 memcpy(m + 48, u, 32);
342 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
346 *val = get_unaligned_le32(tmp);
349 SMP_DBG("val %06u", *val);
354 static int smp_h6(struct crypto_hash *tfm_cmac, const u8 w[16],
355 const u8 key_id[4], u8 res[16])
359 SMP_DBG("w %16phN key_id %4phN", w, key_id);
361 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
365 SMP_DBG("res %16phN", res);
370 /* The following functions map to the legacy SMP crypto functions e, c1,
374 static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
376 struct blkcipher_desc desc;
377 struct scatterlist sg;
378 uint8_t tmp[16], data[16];
381 SMP_DBG("k %16phN r %16phN", k, r);
384 BT_ERR("tfm %p", tfm);
391 /* The most significant octet of key corresponds to k[0] */
392 swap_buf(k, tmp, 16);
394 err = crypto_blkcipher_setkey(tfm, tmp, 16);
396 BT_ERR("cipher setkey failed: %d", err);
400 /* Most significant octet of plaintextData corresponds to data[0] */
401 swap_buf(r, data, 16);
403 sg_init_one(&sg, data, 16);
405 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
407 BT_ERR("Encrypt data error %d", err);
409 /* Most significant octet of encryptedData corresponds to data[0] */
410 swap_buf(data, r, 16);
412 SMP_DBG("r %16phN", r);
417 static int smp_c1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
418 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
419 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
424 SMP_DBG("k %16phN r %16phN", k, r);
425 SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
426 SMP_DBG("preq %7phN pres %7phN", preq, pres);
430 /* p1 = pres || preq || _rat || _iat */
433 memcpy(p1 + 2, preq, 7);
434 memcpy(p1 + 9, pres, 7);
436 SMP_DBG("p1 %16phN", p1);
439 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
441 /* res = e(k, res) */
442 err = smp_e(tfm_aes, k, res);
444 BT_ERR("Encrypt data error");
448 /* p2 = padding || ia || ra */
450 memcpy(p2 + 6, ia, 6);
451 memset(p2 + 12, 0, 4);
453 SMP_DBG("p2 %16phN", p2);
455 /* res = res XOR p2 */
456 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
458 /* res = e(k, res) */
459 err = smp_e(tfm_aes, k, res);
461 BT_ERR("Encrypt data error");
466 static int smp_s1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
467 const u8 r1[16], const u8 r2[16], u8 _r[16])
471 /* Just least significant octets from r1 and r2 are considered */
473 memcpy(_r + 8, r1, 8);
475 err = smp_e(tfm_aes, k, _r);
477 BT_ERR("Encrypt data error");
482 static int smp_ah(struct crypto_blkcipher *tfm, const u8 irk[16],
483 const u8 r[3], u8 res[3])
488 /* r' = padding || r */
490 memset(_res + 3, 0, 13);
492 err = smp_e(tfm, irk, _res);
494 BT_ERR("Encrypt error");
498 /* The output of the random address function ah is:
499 * ah(k, r) = e(k, r') mod 2^24
500 * The output of the security function e is then truncated to 24 bits
501 * by taking the least significant 24 bits of the output of e as the
504 memcpy(res, _res, 3);
509 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
510 const bdaddr_t *bdaddr)
512 struct l2cap_chan *chan = hdev->smp_data;
517 if (!chan || !chan->data)
522 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
524 err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash);
528 return !crypto_memneq(bdaddr->b, hash, 3);
531 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
533 struct l2cap_chan *chan = hdev->smp_data;
537 if (!chan || !chan->data)
542 get_random_bytes(&rpa->b[3], 3);
544 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
545 rpa->b[5] |= 0x40; /* Set second most significant bit */
547 err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b);
551 BT_DBG("RPA %pMR", rpa);
556 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
558 struct l2cap_chan *chan = hdev->smp_data;
562 if (!chan || !chan->data)
567 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
568 BT_DBG("Using debug keys");
569 memcpy(smp->local_pk, debug_pk, 64);
570 memcpy(smp->local_sk, debug_sk, 32);
571 smp->debug_key = true;
574 /* Generate local key pair for Secure Connections */
575 if (!ecc_make_key(smp->local_pk, smp->local_sk))
578 /* This is unlikely, but we need to check that
579 * we didn't accidentially generate a debug key.
581 if (crypto_memneq(smp->local_sk, debug_sk, 32))
584 smp->debug_key = false;
587 SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
588 SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
589 SMP_DBG("OOB Private Key: %32phN", smp->local_sk);
591 get_random_bytes(smp->local_rand, 16);
593 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
594 smp->local_rand, 0, hash);
598 memcpy(rand, smp->local_rand, 16);
603 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
605 struct l2cap_chan *chan = conn->smp;
606 struct smp_chan *smp;
613 BT_DBG("code 0x%2.2x", code);
615 iv[0].iov_base = &code;
618 iv[1].iov_base = data;
621 memset(&msg, 0, sizeof(msg));
623 iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
625 l2cap_chan_send(chan, &msg, 1 + len);
632 cancel_delayed_work_sync(&smp->security_timer);
633 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
636 static u8 authreq_to_seclevel(u8 authreq)
638 if (authreq & SMP_AUTH_MITM) {
639 if (authreq & SMP_AUTH_SC)
640 return BT_SECURITY_FIPS;
642 return BT_SECURITY_HIGH;
644 return BT_SECURITY_MEDIUM;
648 static __u8 seclevel_to_authreq(__u8 sec_level)
651 case BT_SECURITY_FIPS:
652 case BT_SECURITY_HIGH:
653 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
654 case BT_SECURITY_MEDIUM:
655 return SMP_AUTH_BONDING;
657 return SMP_AUTH_NONE;
661 static void build_pairing_cmd(struct l2cap_conn *conn,
662 struct smp_cmd_pairing *req,
663 struct smp_cmd_pairing *rsp, __u8 authreq)
665 struct l2cap_chan *chan = conn->smp;
666 struct smp_chan *smp = chan->data;
667 struct hci_conn *hcon = conn->hcon;
668 struct hci_dev *hdev = hcon->hdev;
669 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
671 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
672 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
673 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
674 authreq |= SMP_AUTH_BONDING;
676 authreq &= ~SMP_AUTH_BONDING;
679 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
680 remote_dist |= SMP_DIST_ID_KEY;
682 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
683 local_dist |= SMP_DIST_ID_KEY;
685 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
686 (authreq & SMP_AUTH_SC)) {
687 struct oob_data *oob_data;
690 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
691 local_dist |= SMP_DIST_LINK_KEY;
692 remote_dist |= SMP_DIST_LINK_KEY;
695 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
696 bdaddr_type = BDADDR_LE_PUBLIC;
698 bdaddr_type = BDADDR_LE_RANDOM;
700 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
702 if (oob_data && oob_data->present) {
703 set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
704 oob_flag = SMP_OOB_PRESENT;
705 memcpy(smp->rr, oob_data->rand256, 16);
706 memcpy(smp->pcnf, oob_data->hash256, 16);
707 SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
708 SMP_DBG("OOB Remote Random: %16phN", smp->rr);
712 authreq &= ~SMP_AUTH_SC;
716 req->io_capability = conn->hcon->io_capability;
717 req->oob_flag = oob_flag;
718 req->max_key_size = SMP_DEV(hdev)->max_key_size;
719 req->init_key_dist = local_dist;
720 req->resp_key_dist = remote_dist;
721 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
723 smp->remote_key_dist = remote_dist;
727 rsp->io_capability = conn->hcon->io_capability;
728 rsp->oob_flag = oob_flag;
729 rsp->max_key_size = SMP_DEV(hdev)->max_key_size;
730 rsp->init_key_dist = req->init_key_dist & remote_dist;
731 rsp->resp_key_dist = req->resp_key_dist & local_dist;
732 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
734 smp->remote_key_dist = rsp->init_key_dist;
737 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
739 struct l2cap_chan *chan = conn->smp;
740 struct hci_dev *hdev = conn->hcon->hdev;
741 struct smp_chan *smp = chan->data;
743 if (max_key_size > SMP_DEV(hdev)->max_key_size ||
744 max_key_size < SMP_MIN_ENC_KEY_SIZE)
745 return SMP_ENC_KEY_SIZE;
747 smp->enc_key_size = max_key_size;
752 static void smp_chan_destroy(struct l2cap_conn *conn)
754 struct l2cap_chan *chan = conn->smp;
755 struct smp_chan *smp = chan->data;
756 struct hci_conn *hcon = conn->hcon;
761 cancel_delayed_work_sync(&smp->security_timer);
763 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
764 mgmt_smp_complete(hcon, complete);
767 kzfree(smp->slave_csrk);
768 kzfree(smp->link_key);
770 crypto_free_blkcipher(smp->tfm_aes);
771 crypto_free_hash(smp->tfm_cmac);
773 /* Ensure that we don't leave any debug key around if debug key
774 * support hasn't been explicitly enabled.
776 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
777 !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
778 list_del_rcu(&smp->ltk->list);
779 kfree_rcu(smp->ltk, rcu);
783 /* If pairing failed clean up any keys we might have */
786 list_del_rcu(&smp->ltk->list);
787 kfree_rcu(smp->ltk, rcu);
790 if (smp->slave_ltk) {
791 list_del_rcu(&smp->slave_ltk->list);
792 kfree_rcu(smp->slave_ltk, rcu);
795 if (smp->remote_irk) {
796 list_del_rcu(&smp->remote_irk->list);
797 kfree_rcu(smp->remote_irk, rcu);
806 static void smp_failure(struct l2cap_conn *conn, u8 reason)
808 struct hci_conn *hcon = conn->hcon;
809 struct l2cap_chan *chan = conn->smp;
812 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
815 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
818 smp_chan_destroy(conn);
821 #define JUST_WORKS 0x00
822 #define JUST_CFM 0x01
823 #define REQ_PASSKEY 0x02
824 #define CFM_PASSKEY 0x03
826 #define DSP_PASSKEY 0x05
829 static const u8 gen_method[5][5] = {
830 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
831 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
832 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
833 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
834 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
837 static const u8 sc_method[5][5] = {
838 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
839 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
840 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
841 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
842 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
845 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
847 /* If either side has unknown io_caps, use JUST_CFM (which gets
848 * converted later to JUST_WORKS if we're initiators.
850 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
851 remote_io > SMP_IO_KEYBOARD_DISPLAY)
854 if (test_bit(SMP_FLAG_SC, &smp->flags))
855 return sc_method[remote_io][local_io];
857 return gen_method[remote_io][local_io];
860 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
861 u8 local_io, u8 remote_io)
863 struct hci_conn *hcon = conn->hcon;
864 struct l2cap_chan *chan = conn->smp;
865 struct smp_chan *smp = chan->data;
869 /* Initialize key for JUST WORKS */
870 memset(smp->tk, 0, sizeof(smp->tk));
871 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
873 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
875 /* If neither side wants MITM, either "just" confirm an incoming
876 * request or use just-works for outgoing ones. The JUST_CFM
877 * will be converted to JUST_WORKS if necessary later in this
878 * function. If either side has MITM look up the method from the
881 if (!(auth & SMP_AUTH_MITM))
882 smp->method = JUST_CFM;
884 smp->method = get_auth_method(smp, local_io, remote_io);
886 /* Don't confirm locally initiated pairing attempts */
887 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
889 smp->method = JUST_WORKS;
891 /* Don't bother user space with no IO capabilities */
892 if (smp->method == JUST_CFM &&
893 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
894 smp->method = JUST_WORKS;
896 /* If Just Works, Continue with Zero TK */
897 if (smp->method == JUST_WORKS) {
898 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
902 /* If this function is used for SC -> legacy fallback we
903 * can only recover the just-works case.
905 if (test_bit(SMP_FLAG_SC, &smp->flags))
908 /* Not Just Works/Confirm results in MITM Authentication */
909 if (smp->method != JUST_CFM) {
910 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
911 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
912 hcon->pending_sec_level = BT_SECURITY_HIGH;
915 /* If both devices have Keyoard-Display I/O, the master
916 * Confirms and the slave Enters the passkey.
918 if (smp->method == OVERLAP) {
919 if (hcon->role == HCI_ROLE_MASTER)
920 smp->method = CFM_PASSKEY;
922 smp->method = REQ_PASSKEY;
925 /* Generate random passkey. */
926 if (smp->method == CFM_PASSKEY) {
927 memset(smp->tk, 0, sizeof(smp->tk));
928 get_random_bytes(&passkey, sizeof(passkey));
930 put_unaligned_le32(passkey, smp->tk);
931 BT_DBG("PassKey: %d", passkey);
932 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
935 if (smp->method == REQ_PASSKEY)
936 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
937 hcon->type, hcon->dst_type);
938 else if (smp->method == JUST_CFM)
939 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
940 hcon->type, hcon->dst_type,
943 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
944 hcon->type, hcon->dst_type,
950 static u8 smp_confirm(struct smp_chan *smp)
952 struct l2cap_conn *conn = smp->conn;
953 struct smp_cmd_pairing_confirm cp;
956 BT_DBG("conn %p", conn);
958 ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
959 conn->hcon->init_addr_type, &conn->hcon->init_addr,
960 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
963 return SMP_UNSPECIFIED;
965 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
967 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
970 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
972 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
977 static u8 smp_random(struct smp_chan *smp)
979 struct l2cap_conn *conn = smp->conn;
980 struct hci_conn *hcon = conn->hcon;
984 if (IS_ERR_OR_NULL(smp->tfm_aes))
985 return SMP_UNSPECIFIED;
987 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
989 ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
990 hcon->init_addr_type, &hcon->init_addr,
991 hcon->resp_addr_type, &hcon->resp_addr, confirm);
993 return SMP_UNSPECIFIED;
995 if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
996 BT_ERR("Pairing failed (confirmation values mismatch)");
997 return SMP_CONFIRM_FAILED;
1005 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
1007 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1008 return SMP_UNSPECIFIED;
1010 hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1011 hcon->enc_key_size = smp->enc_key_size;
1012 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1018 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1021 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
1023 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1028 /* Even though there's no _SLAVE suffix this is the
1029 * slave STK we're adding for later lookup (the master
1030 * STK never needs to be stored).
1032 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1033 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1039 static void smp_notify_keys(struct l2cap_conn *conn)
1041 struct l2cap_chan *chan = conn->smp;
1042 struct smp_chan *smp = chan->data;
1043 struct hci_conn *hcon = conn->hcon;
1044 struct hci_dev *hdev = hcon->hdev;
1045 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1046 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1049 if (hcon->type == ACL_LINK) {
1050 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1053 persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1056 /* The LTKs, IRKs and CSRKs should be persistent only if
1057 * both sides had the bonding bit set in their
1058 * authentication requests.
1060 persistent = !!((req->auth_req & rsp->auth_req) &
1064 if (smp->remote_irk) {
1065 mgmt_new_irk(hdev, smp->remote_irk, persistent);
1067 /* Now that user space can be considered to know the
1068 * identity address track the connection based on it
1069 * from now on (assuming this is an LE link).
1071 if (hcon->type == LE_LINK) {
1072 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1073 hcon->dst_type = smp->remote_irk->addr_type;
1074 queue_work(hdev->workqueue, &conn->id_addr_update_work);
1079 smp->csrk->bdaddr_type = hcon->dst_type;
1080 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1081 mgmt_new_csrk(hdev, smp->csrk, persistent);
1084 if (smp->slave_csrk) {
1085 smp->slave_csrk->bdaddr_type = hcon->dst_type;
1086 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1087 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1091 smp->ltk->bdaddr_type = hcon->dst_type;
1092 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1093 mgmt_new_ltk(hdev, smp->ltk, persistent);
1096 if (smp->slave_ltk) {
1097 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1098 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1099 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1102 if (smp->link_key) {
1103 struct link_key *key;
1106 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1107 type = HCI_LK_DEBUG_COMBINATION;
1108 else if (hcon->sec_level == BT_SECURITY_FIPS)
1109 type = HCI_LK_AUTH_COMBINATION_P256;
1111 type = HCI_LK_UNAUTH_COMBINATION_P256;
1113 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1114 smp->link_key, type, 0, &persistent);
1116 mgmt_new_link_key(hdev, key, persistent);
1118 /* Don't keep debug keys around if the relevant
1121 if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1122 key->type == HCI_LK_DEBUG_COMBINATION) {
1123 list_del_rcu(&key->list);
1124 kfree_rcu(key, rcu);
1130 static void sc_add_ltk(struct smp_chan *smp)
1132 struct hci_conn *hcon = smp->conn->hcon;
1135 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1136 key_type = SMP_LTK_P256_DEBUG;
1138 key_type = SMP_LTK_P256;
1140 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1145 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1146 key_type, auth, smp->tk, smp->enc_key_size,
1150 static void sc_generate_link_key(struct smp_chan *smp)
1152 /* These constants are as specified in the core specification.
1153 * In ASCII they spell out to 'tmp1' and 'lebr'.
1155 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1156 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1158 smp->link_key = kzalloc(16, GFP_KERNEL);
1162 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1163 kzfree(smp->link_key);
1164 smp->link_key = NULL;
1168 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1169 kzfree(smp->link_key);
1170 smp->link_key = NULL;
1175 static void smp_allow_key_dist(struct smp_chan *smp)
1177 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1178 * will be allowed in each PDU handler to ensure we receive
1179 * them in the correct order.
1181 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1182 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1183 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1184 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1185 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1186 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1189 static void sc_generate_ltk(struct smp_chan *smp)
1191 /* These constants are as specified in the core specification.
1192 * In ASCII they spell out to 'tmp2' and 'brle'.
1194 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1195 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1196 struct hci_conn *hcon = smp->conn->hcon;
1197 struct hci_dev *hdev = hcon->hdev;
1198 struct link_key *key;
1200 key = hci_find_link_key(hdev, &hcon->dst);
1202 BT_ERR("%s No Link Key found to generate LTK", hdev->name);
1206 if (key->type == HCI_LK_DEBUG_COMBINATION)
1207 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1209 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1212 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1218 static void smp_distribute_keys(struct smp_chan *smp)
1220 struct smp_cmd_pairing *req, *rsp;
1221 struct l2cap_conn *conn = smp->conn;
1222 struct hci_conn *hcon = conn->hcon;
1223 struct hci_dev *hdev = hcon->hdev;
1226 BT_DBG("conn %p", conn);
1228 rsp = (void *) &smp->prsp[1];
1230 /* The responder sends its keys first */
1231 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1232 smp_allow_key_dist(smp);
1236 req = (void *) &smp->preq[1];
1239 keydist = &rsp->init_key_dist;
1240 *keydist &= req->init_key_dist;
1242 keydist = &rsp->resp_key_dist;
1243 *keydist &= req->resp_key_dist;
1246 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1247 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1248 sc_generate_link_key(smp);
1249 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1250 sc_generate_ltk(smp);
1252 /* Clear the keys which are generated but not distributed */
1253 *keydist &= ~SMP_SC_NO_DIST;
1256 BT_DBG("keydist 0x%x", *keydist);
1258 if (*keydist & SMP_DIST_ENC_KEY) {
1259 struct smp_cmd_encrypt_info enc;
1260 struct smp_cmd_master_ident ident;
1261 struct smp_ltk *ltk;
1266 /* Make sure we generate only the significant amount of
1267 * bytes based on the encryption key size, and set the rest
1268 * of the value to zeroes.
1270 get_random_bytes(enc.ltk, smp->enc_key_size);
1271 memset(enc.ltk + smp->enc_key_size, 0,
1272 sizeof(enc.ltk) - smp->enc_key_size);
1274 get_random_bytes(&ediv, sizeof(ediv));
1275 get_random_bytes(&rand, sizeof(rand));
1277 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1279 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1280 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1281 SMP_LTK_SLAVE, authenticated, enc.ltk,
1282 smp->enc_key_size, ediv, rand);
1283 smp->slave_ltk = ltk;
1288 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1290 *keydist &= ~SMP_DIST_ENC_KEY;
1293 if (*keydist & SMP_DIST_ID_KEY) {
1294 struct smp_cmd_ident_addr_info addrinfo;
1295 struct smp_cmd_ident_info idinfo;
1297 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1299 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1301 /* The hci_conn contains the local identity address
1302 * after the connection has been established.
1304 * This is true even when the connection has been
1305 * established using a resolvable random address.
1307 bacpy(&addrinfo.bdaddr, &hcon->src);
1308 addrinfo.addr_type = hcon->src_type;
1310 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1313 *keydist &= ~SMP_DIST_ID_KEY;
1316 if (*keydist & SMP_DIST_SIGN) {
1317 struct smp_cmd_sign_info sign;
1318 struct smp_csrk *csrk;
1320 /* Generate a new random key */
1321 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1323 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1325 if (hcon->sec_level > BT_SECURITY_MEDIUM)
1326 csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1328 csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1329 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1331 smp->slave_csrk = csrk;
1333 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1335 *keydist &= ~SMP_DIST_SIGN;
1338 /* If there are still keys to be received wait for them */
1339 if (smp->remote_key_dist & KEY_DIST_MASK) {
1340 smp_allow_key_dist(smp);
1344 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1345 smp_notify_keys(conn);
1347 smp_chan_destroy(conn);
1350 static void smp_timeout(struct work_struct *work)
1352 struct smp_chan *smp = container_of(work, struct smp_chan,
1353 security_timer.work);
1354 struct l2cap_conn *conn = smp->conn;
1356 BT_DBG("conn %p", conn);
1358 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1361 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1363 struct l2cap_chan *chan = conn->smp;
1364 struct smp_chan *smp;
1366 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1370 smp->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
1371 if (IS_ERR(smp->tfm_aes)) {
1372 BT_ERR("Unable to create ECB crypto context");
1377 smp->tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
1378 if (IS_ERR(smp->tfm_cmac)) {
1379 BT_ERR("Unable to create CMAC crypto context");
1380 crypto_free_blkcipher(smp->tfm_aes);
1388 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1390 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1392 hci_conn_hold(conn->hcon);
1397 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1399 struct hci_conn *hcon = smp->conn->hcon;
1400 u8 *na, *nb, a[7], b[7];
1410 memcpy(a, &hcon->init_addr, 6);
1411 memcpy(b, &hcon->resp_addr, 6);
1412 a[6] = hcon->init_addr_type;
1413 b[6] = hcon->resp_addr_type;
1415 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1418 static void sc_dhkey_check(struct smp_chan *smp)
1420 struct hci_conn *hcon = smp->conn->hcon;
1421 struct smp_cmd_dhkey_check check;
1422 u8 a[7], b[7], *local_addr, *remote_addr;
1423 u8 io_cap[3], r[16];
1425 memcpy(a, &hcon->init_addr, 6);
1426 memcpy(b, &hcon->resp_addr, 6);
1427 a[6] = hcon->init_addr_type;
1428 b[6] = hcon->resp_addr_type;
1433 memcpy(io_cap, &smp->preq[1], 3);
1437 memcpy(io_cap, &smp->prsp[1], 3);
1440 memset(r, 0, sizeof(r));
1442 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1443 put_unaligned_le32(hcon->passkey_notify, r);
1445 if (smp->method == REQ_OOB)
1446 memcpy(r, smp->rr, 16);
1448 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1449 local_addr, remote_addr, check.e);
1451 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1454 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1456 struct l2cap_conn *conn = smp->conn;
1457 struct hci_conn *hcon = conn->hcon;
1458 struct smp_cmd_pairing_confirm cfm;
1461 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1464 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1466 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1468 return SMP_UNSPECIFIED;
1470 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1475 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1477 struct l2cap_conn *conn = smp->conn;
1478 struct hci_conn *hcon = conn->hcon;
1479 struct hci_dev *hdev = hcon->hdev;
1482 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1483 if (smp->passkey_round >= 20)
1487 case SMP_CMD_PAIRING_RANDOM:
1488 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1491 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1493 return SMP_UNSPECIFIED;
1495 if (crypto_memneq(smp->pcnf, cfm, 16))
1496 return SMP_CONFIRM_FAILED;
1498 smp->passkey_round++;
1500 if (smp->passkey_round == 20) {
1501 /* Generate MacKey and LTK */
1502 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1503 return SMP_UNSPECIFIED;
1506 /* The round is only complete when the initiator
1507 * receives pairing random.
1510 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1511 sizeof(smp->prnd), smp->prnd);
1512 if (smp->passkey_round == 20)
1513 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1515 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1519 /* Start the next round */
1520 if (smp->passkey_round != 20)
1521 return sc_passkey_round(smp, 0);
1523 /* Passkey rounds are complete - start DHKey Check */
1524 sc_dhkey_check(smp);
1525 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1529 case SMP_CMD_PAIRING_CONFIRM:
1530 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1531 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1535 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1538 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1539 sizeof(smp->prnd), smp->prnd);
1543 return sc_passkey_send_confirm(smp);
1545 case SMP_CMD_PUBLIC_KEY:
1547 /* Initiating device starts the round */
1551 BT_DBG("%s Starting passkey round %u", hdev->name,
1552 smp->passkey_round + 1);
1554 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1556 return sc_passkey_send_confirm(smp);
1562 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1564 struct l2cap_conn *conn = smp->conn;
1565 struct hci_conn *hcon = conn->hcon;
1568 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1571 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1572 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1574 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1575 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1577 case MGMT_OP_USER_PASSKEY_REPLY:
1578 hcon->passkey_notify = le32_to_cpu(passkey);
1579 smp->passkey_round = 0;
1581 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1582 smp_op = SMP_CMD_PAIRING_CONFIRM;
1586 if (sc_passkey_round(smp, smp_op))
1592 /* Initiator sends DHKey check first */
1594 sc_dhkey_check(smp);
1595 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1596 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1597 sc_dhkey_check(smp);
1604 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1606 struct l2cap_conn *conn = hcon->l2cap_data;
1607 struct l2cap_chan *chan;
1608 struct smp_chan *smp;
1621 l2cap_chan_lock(chan);
1629 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1630 err = sc_user_reply(smp, mgmt_op, passkey);
1635 case MGMT_OP_USER_PASSKEY_REPLY:
1636 value = le32_to_cpu(passkey);
1637 memset(smp->tk, 0, sizeof(smp->tk));
1638 BT_DBG("PassKey: %d", value);
1639 put_unaligned_le32(value, smp->tk);
1641 case MGMT_OP_USER_CONFIRM_REPLY:
1642 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1644 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1645 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1646 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1650 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1657 /* If it is our turn to send Pairing Confirm, do so now */
1658 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1659 u8 rsp = smp_confirm(smp);
1661 smp_failure(conn, rsp);
1665 l2cap_chan_unlock(chan);
1669 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1670 struct smp_cmd_pairing *req,
1671 struct smp_cmd_pairing *rsp)
1673 struct l2cap_conn *conn = smp->conn;
1674 struct hci_dev *hdev = conn->hcon->hdev;
1675 u8 local_dist = 0, remote_dist = 0;
1677 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1678 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1679 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1682 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1683 remote_dist |= SMP_DIST_ID_KEY;
1685 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1686 local_dist |= SMP_DIST_ID_KEY;
1689 memset(req, 0, sizeof(*req));
1691 req->init_key_dist = local_dist;
1692 req->resp_key_dist = remote_dist;
1693 req->max_key_size = conn->hcon->enc_key_size;
1695 smp->remote_key_dist = remote_dist;
1700 memset(rsp, 0, sizeof(*rsp));
1702 rsp->max_key_size = conn->hcon->enc_key_size;
1703 rsp->init_key_dist = req->init_key_dist & remote_dist;
1704 rsp->resp_key_dist = req->resp_key_dist & local_dist;
1706 smp->remote_key_dist = rsp->init_key_dist;
1709 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1711 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1712 struct l2cap_chan *chan = conn->smp;
1713 struct hci_dev *hdev = conn->hcon->hdev;
1714 struct smp_chan *smp;
1715 u8 key_size, auth, sec_level;
1718 BT_DBG("conn %p", conn);
1720 if (skb->len < sizeof(*req))
1721 return SMP_INVALID_PARAMS;
1723 if (conn->hcon->role != HCI_ROLE_SLAVE)
1724 return SMP_CMD_NOTSUPP;
1727 smp = smp_chan_create(conn);
1732 return SMP_UNSPECIFIED;
1734 /* We didn't start the pairing, so match remote */
1735 auth = req->auth_req & AUTH_REQ_MASK(hdev);
1737 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1738 (auth & SMP_AUTH_BONDING))
1739 return SMP_PAIRING_NOTSUPP;
1741 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1742 return SMP_AUTH_REQUIREMENTS;
1744 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1745 memcpy(&smp->preq[1], req, sizeof(*req));
1746 skb_pull(skb, sizeof(*req));
1748 /* If the remote side's OOB flag is set it means it has
1749 * successfully received our local OOB data - therefore set the
1750 * flag to indicate that local OOB is in use.
1752 if (req->oob_flag == SMP_OOB_PRESENT)
1753 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1755 /* SMP over BR/EDR requires special treatment */
1756 if (conn->hcon->type == ACL_LINK) {
1757 /* We must have a BR/EDR SC link */
1758 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1759 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1760 return SMP_CROSS_TRANSP_NOT_ALLOWED;
1762 set_bit(SMP_FLAG_SC, &smp->flags);
1764 build_bredr_pairing_cmd(smp, req, &rsp);
1766 key_size = min(req->max_key_size, rsp.max_key_size);
1767 if (check_enc_key_size(conn, key_size))
1768 return SMP_ENC_KEY_SIZE;
1770 /* Clear bits which are generated but not distributed */
1771 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1773 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1774 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1775 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1777 smp_distribute_keys(smp);
1781 build_pairing_cmd(conn, req, &rsp, auth);
1783 if (rsp.auth_req & SMP_AUTH_SC)
1784 set_bit(SMP_FLAG_SC, &smp->flags);
1786 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1787 sec_level = BT_SECURITY_MEDIUM;
1789 sec_level = authreq_to_seclevel(auth);
1791 if (sec_level > conn->hcon->pending_sec_level)
1792 conn->hcon->pending_sec_level = sec_level;
1794 /* If we need MITM check that it can be achieved */
1795 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1798 method = get_auth_method(smp, conn->hcon->io_capability,
1799 req->io_capability);
1800 if (method == JUST_WORKS || method == JUST_CFM)
1801 return SMP_AUTH_REQUIREMENTS;
1804 key_size = min(req->max_key_size, rsp.max_key_size);
1805 if (check_enc_key_size(conn, key_size))
1806 return SMP_ENC_KEY_SIZE;
1808 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1810 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1811 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1813 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1815 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1817 /* Strictly speaking we shouldn't allow Pairing Confirm for the
1818 * SC case, however some implementations incorrectly copy RFU auth
1819 * req bits from our security request, which may create a false
1820 * positive SC enablement.
1822 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1824 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1825 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1826 /* Clear bits which are generated but not distributed */
1827 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1828 /* Wait for Public Key from Initiating Device */
1832 /* Request setup of TK */
1833 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1835 return SMP_UNSPECIFIED;
1840 static u8 sc_send_public_key(struct smp_chan *smp)
1842 struct hci_dev *hdev = smp->conn->hcon->hdev;
1846 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1847 struct l2cap_chan *chan = hdev->smp_data;
1848 struct smp_dev *smp_dev;
1850 if (!chan || !chan->data)
1851 return SMP_UNSPECIFIED;
1853 smp_dev = chan->data;
1855 memcpy(smp->local_pk, smp_dev->local_pk, 64);
1856 memcpy(smp->local_sk, smp_dev->local_sk, 32);
1857 memcpy(smp->lr, smp_dev->local_rand, 16);
1859 if (smp_dev->debug_key)
1860 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1865 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1866 BT_DBG("Using debug keys");
1867 memcpy(smp->local_pk, debug_pk, 64);
1868 memcpy(smp->local_sk, debug_sk, 32);
1869 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1872 /* Generate local key pair for Secure Connections */
1873 if (!ecc_make_key(smp->local_pk, smp->local_sk))
1874 return SMP_UNSPECIFIED;
1876 /* This is unlikely, but we need to check that
1877 * we didn't accidentially generate a debug key.
1879 if (crypto_memneq(smp->local_sk, debug_sk, 32))
1885 SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1886 SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1887 SMP_DBG("Local Private Key: %32phN", smp->local_sk);
1889 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1894 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1896 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1897 struct l2cap_chan *chan = conn->smp;
1898 struct smp_chan *smp = chan->data;
1899 struct hci_dev *hdev = conn->hcon->hdev;
1903 BT_DBG("conn %p", conn);
1905 if (skb->len < sizeof(*rsp))
1906 return SMP_INVALID_PARAMS;
1908 if (conn->hcon->role != HCI_ROLE_MASTER)
1909 return SMP_CMD_NOTSUPP;
1911 skb_pull(skb, sizeof(*rsp));
1913 req = (void *) &smp->preq[1];
1915 key_size = min(req->max_key_size, rsp->max_key_size);
1916 if (check_enc_key_size(conn, key_size))
1917 return SMP_ENC_KEY_SIZE;
1919 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1921 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1922 return SMP_AUTH_REQUIREMENTS;
1924 /* If the remote side's OOB flag is set it means it has
1925 * successfully received our local OOB data - therefore set the
1926 * flag to indicate that local OOB is in use.
1928 if (rsp->oob_flag == SMP_OOB_PRESENT)
1929 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1931 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1932 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1934 /* Update remote key distribution in case the remote cleared
1935 * some bits that we had enabled in our request.
1937 smp->remote_key_dist &= rsp->resp_key_dist;
1939 /* For BR/EDR this means we're done and can start phase 3 */
1940 if (conn->hcon->type == ACL_LINK) {
1941 /* Clear bits which are generated but not distributed */
1942 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1943 smp_distribute_keys(smp);
1947 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1948 set_bit(SMP_FLAG_SC, &smp->flags);
1949 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1950 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1952 /* If we need MITM check that it can be achieved */
1953 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1956 method = get_auth_method(smp, req->io_capability,
1957 rsp->io_capability);
1958 if (method == JUST_WORKS || method == JUST_CFM)
1959 return SMP_AUTH_REQUIREMENTS;
1962 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1964 /* Update remote key distribution in case the remote cleared
1965 * some bits that we had enabled in our request.
1967 smp->remote_key_dist &= rsp->resp_key_dist;
1969 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1970 /* Clear bits which are generated but not distributed */
1971 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1972 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1973 return sc_send_public_key(smp);
1976 auth |= req->auth_req;
1978 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
1980 return SMP_UNSPECIFIED;
1982 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1984 /* Can't compose response until we have been confirmed */
1985 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1986 return smp_confirm(smp);
1991 static u8 sc_check_confirm(struct smp_chan *smp)
1993 struct l2cap_conn *conn = smp->conn;
1997 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1998 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2000 if (conn->hcon->out) {
2001 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2003 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2009 /* Work-around for some implementations that incorrectly copy RFU bits
2010 * from our security request and thereby create the impression that
2011 * we're doing SC when in fact the remote doesn't support it.
2013 static int fixup_sc_false_positive(struct smp_chan *smp)
2015 struct l2cap_conn *conn = smp->conn;
2016 struct hci_conn *hcon = conn->hcon;
2017 struct hci_dev *hdev = hcon->hdev;
2018 struct smp_cmd_pairing *req, *rsp;
2021 /* The issue is only observed when we're in slave role */
2023 return SMP_UNSPECIFIED;
2025 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2026 BT_ERR("Refusing SMP SC -> legacy fallback in SC-only mode");
2027 return SMP_UNSPECIFIED;
2030 BT_ERR("Trying to fall back to legacy SMP");
2032 req = (void *) &smp->preq[1];
2033 rsp = (void *) &smp->prsp[1];
2035 /* Rebuild key dist flags which may have been cleared for SC */
2036 smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2038 auth = req->auth_req & AUTH_REQ_MASK(hdev);
2040 if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2041 BT_ERR("Failed to fall back to legacy SMP");
2042 return SMP_UNSPECIFIED;
2045 clear_bit(SMP_FLAG_SC, &smp->flags);
2050 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2052 struct l2cap_chan *chan = conn->smp;
2053 struct smp_chan *smp = chan->data;
2055 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
2057 if (skb->len < sizeof(smp->pcnf))
2058 return SMP_INVALID_PARAMS;
2060 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2061 skb_pull(skb, sizeof(smp->pcnf));
2063 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2066 /* Public Key exchange must happen before any other steps */
2067 if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2068 return sc_check_confirm(smp);
2070 BT_ERR("Unexpected SMP Pairing Confirm");
2072 ret = fixup_sc_false_positive(smp);
2077 if (conn->hcon->out) {
2078 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2080 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2084 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2085 return smp_confirm(smp);
2087 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2092 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2094 struct l2cap_chan *chan = conn->smp;
2095 struct smp_chan *smp = chan->data;
2096 struct hci_conn *hcon = conn->hcon;
2097 u8 *pkax, *pkbx, *na, *nb;
2101 BT_DBG("conn %p", conn);
2103 if (skb->len < sizeof(smp->rrnd))
2104 return SMP_INVALID_PARAMS;
2106 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2107 skb_pull(skb, sizeof(smp->rrnd));
2109 if (!test_bit(SMP_FLAG_SC, &smp->flags))
2110 return smp_random(smp);
2113 pkax = smp->local_pk;
2114 pkbx = smp->remote_pk;
2118 pkax = smp->remote_pk;
2119 pkbx = smp->local_pk;
2124 if (smp->method == REQ_OOB) {
2126 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2127 sizeof(smp->prnd), smp->prnd);
2128 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2129 goto mackey_and_ltk;
2132 /* Passkey entry has special treatment */
2133 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2134 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2139 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2142 return SMP_UNSPECIFIED;
2144 if (crypto_memneq(smp->pcnf, cfm, 16))
2145 return SMP_CONFIRM_FAILED;
2147 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2149 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2153 /* Generate MacKey and LTK */
2154 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2156 return SMP_UNSPECIFIED;
2158 if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2160 sc_dhkey_check(smp);
2161 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2166 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2168 return SMP_UNSPECIFIED;
2170 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2171 hcon->dst_type, passkey, 0);
2173 return SMP_UNSPECIFIED;
2175 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2180 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2182 struct smp_ltk *key;
2183 struct hci_conn *hcon = conn->hcon;
2185 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2189 if (smp_ltk_sec_level(key) < sec_level)
2192 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2195 hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2196 hcon->enc_key_size = key->enc_size;
2198 /* We never store STKs for master role, so clear this flag */
2199 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2204 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2205 enum smp_key_pref key_pref)
2207 if (sec_level == BT_SECURITY_LOW)
2210 /* If we're encrypted with an STK but the caller prefers using
2211 * LTK claim insufficient security. This way we allow the
2212 * connection to be re-encrypted with an LTK, even if the LTK
2213 * provides the same level of security. Only exception is if we
2214 * don't have an LTK (e.g. because of key distribution bits).
2216 if (key_pref == SMP_USE_LTK &&
2217 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2218 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2221 if (hcon->sec_level >= sec_level)
2227 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2229 struct smp_cmd_security_req *rp = (void *) skb->data;
2230 struct smp_cmd_pairing cp;
2231 struct hci_conn *hcon = conn->hcon;
2232 struct hci_dev *hdev = hcon->hdev;
2233 struct smp_chan *smp;
2236 BT_DBG("conn %p", conn);
2238 if (skb->len < sizeof(*rp))
2239 return SMP_INVALID_PARAMS;
2241 if (hcon->role != HCI_ROLE_MASTER)
2242 return SMP_CMD_NOTSUPP;
2244 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2246 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2247 return SMP_AUTH_REQUIREMENTS;
2249 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2250 sec_level = BT_SECURITY_MEDIUM;
2252 sec_level = authreq_to_seclevel(auth);
2254 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2255 /* If link is already encrypted with sufficient security we
2256 * still need refresh encryption as per Core Spec 5.0 Vol 3,
2259 smp_ltk_encrypt(conn, hcon->sec_level);
2263 if (sec_level > hcon->pending_sec_level)
2264 hcon->pending_sec_level = sec_level;
2266 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2269 smp = smp_chan_create(conn);
2271 return SMP_UNSPECIFIED;
2273 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2274 (auth & SMP_AUTH_BONDING))
2275 return SMP_PAIRING_NOTSUPP;
2277 skb_pull(skb, sizeof(*rp));
2279 memset(&cp, 0, sizeof(cp));
2280 build_pairing_cmd(conn, &cp, NULL, auth);
2282 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2283 memcpy(&smp->preq[1], &cp, sizeof(cp));
2285 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2286 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2291 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2293 struct l2cap_conn *conn = hcon->l2cap_data;
2294 struct l2cap_chan *chan;
2295 struct smp_chan *smp;
2299 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2301 /* This may be NULL if there's an unexpected disconnection */
2305 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2308 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2311 if (sec_level > hcon->pending_sec_level)
2312 hcon->pending_sec_level = sec_level;
2314 if (hcon->role == HCI_ROLE_MASTER)
2315 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2320 BT_ERR("SMP security requested but not available");
2324 l2cap_chan_lock(chan);
2326 /* If SMP is already in progress ignore this request */
2332 smp = smp_chan_create(conn);
2338 authreq = seclevel_to_authreq(sec_level);
2340 if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED))
2341 authreq |= SMP_AUTH_SC;
2343 /* Require MITM if IO Capability allows or the security level
2346 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2347 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2348 authreq |= SMP_AUTH_MITM;
2350 if (hcon->role == HCI_ROLE_MASTER) {
2351 struct smp_cmd_pairing cp;
2353 build_pairing_cmd(conn, &cp, NULL, authreq);
2354 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2355 memcpy(&smp->preq[1], &cp, sizeof(cp));
2357 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2358 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2360 struct smp_cmd_security_req cp;
2361 cp.auth_req = authreq;
2362 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2363 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2366 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2370 l2cap_chan_unlock(chan);
2374 int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2377 struct hci_conn *hcon;
2378 struct l2cap_conn *conn;
2379 struct l2cap_chan *chan;
2380 struct smp_chan *smp;
2383 err = hci_remove_ltk(hdev, bdaddr, addr_type);
2384 hci_remove_irk(hdev, bdaddr, addr_type);
2386 hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2390 conn = hcon->l2cap_data;
2398 l2cap_chan_lock(chan);
2402 /* Set keys to NULL to make sure smp_failure() does not try to
2403 * remove and free already invalidated rcu list entries. */
2405 smp->slave_ltk = NULL;
2406 smp->remote_irk = NULL;
2408 if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2409 smp_failure(conn, 0);
2411 smp_failure(conn, SMP_UNSPECIFIED);
2415 l2cap_chan_unlock(chan);
2421 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2423 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2424 struct l2cap_chan *chan = conn->smp;
2425 struct smp_chan *smp = chan->data;
2427 BT_DBG("conn %p", conn);
2429 if (skb->len < sizeof(*rp))
2430 return SMP_INVALID_PARAMS;
2432 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2434 skb_pull(skb, sizeof(*rp));
2436 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2441 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2443 struct smp_cmd_master_ident *rp = (void *) skb->data;
2444 struct l2cap_chan *chan = conn->smp;
2445 struct smp_chan *smp = chan->data;
2446 struct hci_dev *hdev = conn->hcon->hdev;
2447 struct hci_conn *hcon = conn->hcon;
2448 struct smp_ltk *ltk;
2451 BT_DBG("conn %p", conn);
2453 if (skb->len < sizeof(*rp))
2454 return SMP_INVALID_PARAMS;
2456 /* Mark the information as received */
2457 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2459 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2460 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2461 else if (smp->remote_key_dist & SMP_DIST_SIGN)
2462 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2464 skb_pull(skb, sizeof(*rp));
2466 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2467 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2468 authenticated, smp->tk, smp->enc_key_size,
2469 rp->ediv, rp->rand);
2471 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2472 smp_distribute_keys(smp);
2477 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2479 struct smp_cmd_ident_info *info = (void *) skb->data;
2480 struct l2cap_chan *chan = conn->smp;
2481 struct smp_chan *smp = chan->data;
2485 if (skb->len < sizeof(*info))
2486 return SMP_INVALID_PARAMS;
2488 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2490 skb_pull(skb, sizeof(*info));
2492 memcpy(smp->irk, info->irk, 16);
2497 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2498 struct sk_buff *skb)
2500 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2501 struct l2cap_chan *chan = conn->smp;
2502 struct smp_chan *smp = chan->data;
2503 struct hci_conn *hcon = conn->hcon;
2508 if (skb->len < sizeof(*info))
2509 return SMP_INVALID_PARAMS;
2511 /* Mark the information as received */
2512 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2514 if (smp->remote_key_dist & SMP_DIST_SIGN)
2515 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2517 skb_pull(skb, sizeof(*info));
2519 /* Strictly speaking the Core Specification (4.1) allows sending
2520 * an empty address which would force us to rely on just the IRK
2521 * as "identity information". However, since such
2522 * implementations are not known of and in order to not over
2523 * complicate our implementation, simply pretend that we never
2524 * received an IRK for such a device.
2526 * The Identity Address must also be a Static Random or Public
2527 * Address, which hci_is_identity_address() checks for.
2529 if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2530 !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2531 BT_ERR("Ignoring IRK with no identity address");
2535 /* Drop IRK if peer is using identity address during pairing but is
2536 * providing different address as identity information.
2538 * Microsoft Surface Precision Mouse is known to have this bug.
2540 if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
2541 (bacmp(&info->bdaddr, &hcon->dst) ||
2542 info->addr_type != hcon->dst_type)) {
2543 bt_dev_err(hcon->hdev,
2544 "ignoring IRK with invalid identity address");
2548 bacpy(&smp->id_addr, &info->bdaddr);
2549 smp->id_addr_type = info->addr_type;
2551 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2552 bacpy(&rpa, &hcon->dst);
2554 bacpy(&rpa, BDADDR_ANY);
2556 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2557 smp->id_addr_type, smp->irk, &rpa);
2560 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2561 smp_distribute_keys(smp);
2566 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2568 struct smp_cmd_sign_info *rp = (void *) skb->data;
2569 struct l2cap_chan *chan = conn->smp;
2570 struct smp_chan *smp = chan->data;
2571 struct smp_csrk *csrk;
2573 BT_DBG("conn %p", conn);
2575 if (skb->len < sizeof(*rp))
2576 return SMP_INVALID_PARAMS;
2578 /* Mark the information as received */
2579 smp->remote_key_dist &= ~SMP_DIST_SIGN;
2581 skb_pull(skb, sizeof(*rp));
2583 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2585 if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2586 csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2588 csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2589 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2592 smp_distribute_keys(smp);
2597 static u8 sc_select_method(struct smp_chan *smp)
2599 struct l2cap_conn *conn = smp->conn;
2600 struct hci_conn *hcon = conn->hcon;
2601 struct smp_cmd_pairing *local, *remote;
2602 u8 local_mitm, remote_mitm, local_io, remote_io, method;
2604 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2605 test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2608 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2609 * which are needed as inputs to some crypto functions. To get
2610 * the "struct smp_cmd_pairing" from them we need to skip the
2611 * first byte which contains the opcode.
2614 local = (void *) &smp->preq[1];
2615 remote = (void *) &smp->prsp[1];
2617 local = (void *) &smp->prsp[1];
2618 remote = (void *) &smp->preq[1];
2621 local_io = local->io_capability;
2622 remote_io = remote->io_capability;
2624 local_mitm = (local->auth_req & SMP_AUTH_MITM);
2625 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2627 /* If either side wants MITM, look up the method from the table,
2628 * otherwise use JUST WORKS.
2630 if (local_mitm || remote_mitm)
2631 method = get_auth_method(smp, local_io, remote_io);
2633 method = JUST_WORKS;
2635 /* Don't confirm locally initiated pairing attempts */
2636 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2637 method = JUST_WORKS;
2642 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2644 struct smp_cmd_public_key *key = (void *) skb->data;
2645 struct hci_conn *hcon = conn->hcon;
2646 struct l2cap_chan *chan = conn->smp;
2647 struct smp_chan *smp = chan->data;
2648 struct hci_dev *hdev = hcon->hdev;
2649 struct smp_cmd_pairing_confirm cfm;
2652 BT_DBG("conn %p", conn);
2654 if (skb->len < sizeof(*key))
2655 return SMP_INVALID_PARAMS;
2657 /* Check if remote and local public keys are the same and debug key is
2660 if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) &&
2661 !crypto_memneq(key, smp->local_pk, 64)) {
2662 bt_dev_err(hdev, "Remote and local public keys are identical");
2663 return SMP_UNSPECIFIED;
2666 memcpy(smp->remote_pk, key, 64);
2668 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2669 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2670 smp->rr, 0, cfm.confirm_val);
2672 return SMP_UNSPECIFIED;
2674 if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2675 return SMP_CONFIRM_FAILED;
2678 /* Non-initiating device sends its public key after receiving
2679 * the key from the initiating device.
2682 err = sc_send_public_key(smp);
2687 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2688 SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2690 if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2691 return SMP_UNSPECIFIED;
2693 SMP_DBG("DHKey %32phN", smp->dhkey);
2695 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2697 smp->method = sc_select_method(smp);
2699 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2701 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2702 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2703 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2705 hcon->pending_sec_level = BT_SECURITY_FIPS;
2707 if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2708 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2710 if (smp->method == DSP_PASSKEY) {
2711 get_random_bytes(&hcon->passkey_notify,
2712 sizeof(hcon->passkey_notify));
2713 hcon->passkey_notify %= 1000000;
2714 hcon->passkey_entered = 0;
2715 smp->passkey_round = 0;
2716 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2718 hcon->passkey_notify,
2719 hcon->passkey_entered))
2720 return SMP_UNSPECIFIED;
2721 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2722 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2725 if (smp->method == REQ_OOB) {
2727 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2728 sizeof(smp->prnd), smp->prnd);
2730 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2736 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2738 if (smp->method == REQ_PASSKEY) {
2739 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2741 return SMP_UNSPECIFIED;
2742 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2743 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2747 /* The Initiating device waits for the non-initiating device to
2748 * send the confirm value.
2750 if (conn->hcon->out)
2753 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2754 0, cfm.confirm_val);
2756 return SMP_UNSPECIFIED;
2758 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2759 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2764 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2766 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2767 struct l2cap_chan *chan = conn->smp;
2768 struct hci_conn *hcon = conn->hcon;
2769 struct smp_chan *smp = chan->data;
2770 u8 a[7], b[7], *local_addr, *remote_addr;
2771 u8 io_cap[3], r[16], e[16];
2774 BT_DBG("conn %p", conn);
2776 if (skb->len < sizeof(*check))
2777 return SMP_INVALID_PARAMS;
2779 memcpy(a, &hcon->init_addr, 6);
2780 memcpy(b, &hcon->resp_addr, 6);
2781 a[6] = hcon->init_addr_type;
2782 b[6] = hcon->resp_addr_type;
2787 memcpy(io_cap, &smp->prsp[1], 3);
2791 memcpy(io_cap, &smp->preq[1], 3);
2794 memset(r, 0, sizeof(r));
2796 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2797 put_unaligned_le32(hcon->passkey_notify, r);
2798 else if (smp->method == REQ_OOB)
2799 memcpy(r, smp->lr, 16);
2801 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2802 io_cap, remote_addr, local_addr, e);
2804 return SMP_UNSPECIFIED;
2806 if (crypto_memneq(check->e, e, 16))
2807 return SMP_DHKEY_CHECK_FAILED;
2810 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2811 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2815 /* Slave sends DHKey check as response to master */
2816 sc_dhkey_check(smp);
2822 hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2823 hcon->enc_key_size = smp->enc_key_size;
2829 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2830 struct sk_buff *skb)
2832 struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2834 BT_DBG("value 0x%02x", kp->value);
2839 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2841 struct l2cap_conn *conn = chan->conn;
2842 struct hci_conn *hcon = conn->hcon;
2843 struct smp_chan *smp;
2850 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2851 reason = SMP_PAIRING_NOTSUPP;
2855 code = skb->data[0];
2856 skb_pull(skb, sizeof(code));
2860 if (code > SMP_CMD_MAX)
2863 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2866 /* If we don't have a context the only allowed commands are
2867 * pairing request and security request.
2869 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2873 case SMP_CMD_PAIRING_REQ:
2874 reason = smp_cmd_pairing_req(conn, skb);
2877 case SMP_CMD_PAIRING_FAIL:
2878 smp_failure(conn, 0);
2882 case SMP_CMD_PAIRING_RSP:
2883 reason = smp_cmd_pairing_rsp(conn, skb);
2886 case SMP_CMD_SECURITY_REQ:
2887 reason = smp_cmd_security_req(conn, skb);
2890 case SMP_CMD_PAIRING_CONFIRM:
2891 reason = smp_cmd_pairing_confirm(conn, skb);
2894 case SMP_CMD_PAIRING_RANDOM:
2895 reason = smp_cmd_pairing_random(conn, skb);
2898 case SMP_CMD_ENCRYPT_INFO:
2899 reason = smp_cmd_encrypt_info(conn, skb);
2902 case SMP_CMD_MASTER_IDENT:
2903 reason = smp_cmd_master_ident(conn, skb);
2906 case SMP_CMD_IDENT_INFO:
2907 reason = smp_cmd_ident_info(conn, skb);
2910 case SMP_CMD_IDENT_ADDR_INFO:
2911 reason = smp_cmd_ident_addr_info(conn, skb);
2914 case SMP_CMD_SIGN_INFO:
2915 reason = smp_cmd_sign_info(conn, skb);
2918 case SMP_CMD_PUBLIC_KEY:
2919 reason = smp_cmd_public_key(conn, skb);
2922 case SMP_CMD_DHKEY_CHECK:
2923 reason = smp_cmd_dhkey_check(conn, skb);
2926 case SMP_CMD_KEYPRESS_NOTIFY:
2927 reason = smp_cmd_keypress_notify(conn, skb);
2931 BT_DBG("Unknown command code 0x%2.2x", code);
2932 reason = SMP_CMD_NOTSUPP;
2939 smp_failure(conn, reason);
2946 BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2952 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2954 struct l2cap_conn *conn = chan->conn;
2956 BT_DBG("chan %p", chan);
2959 smp_chan_destroy(conn);
2962 l2cap_chan_put(chan);
2965 static void bredr_pairing(struct l2cap_chan *chan)
2967 struct l2cap_conn *conn = chan->conn;
2968 struct hci_conn *hcon = conn->hcon;
2969 struct hci_dev *hdev = hcon->hdev;
2970 struct smp_cmd_pairing req;
2971 struct smp_chan *smp;
2973 BT_DBG("chan %p", chan);
2975 /* Only new pairings are interesting */
2976 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2979 /* Don't bother if we're not encrypted */
2980 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2983 /* Only master may initiate SMP over BR/EDR */
2984 if (hcon->role != HCI_ROLE_MASTER)
2987 /* Secure Connections support must be enabled */
2988 if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
2991 /* BR/EDR must use Secure Connections for SMP */
2992 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
2993 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
2996 /* If our LE support is not enabled don't do anything */
2997 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3000 /* Don't bother if remote LE support is not enabled */
3001 if (!lmp_host_le_capable(hcon))
3004 /* Remote must support SMP fixed chan for BR/EDR */
3005 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3008 /* Don't bother if SMP is already ongoing */
3012 smp = smp_chan_create(conn);
3014 BT_ERR("%s unable to create SMP context for BR/EDR",
3019 set_bit(SMP_FLAG_SC, &smp->flags);
3021 BT_DBG("%s starting SMP over BR/EDR", hdev->name);
3023 /* Prepare and send the BR/EDR SMP Pairing Request */
3024 build_bredr_pairing_cmd(smp, &req, NULL);
3026 smp->preq[0] = SMP_CMD_PAIRING_REQ;
3027 memcpy(&smp->preq[1], &req, sizeof(req));
3029 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3030 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3033 static void smp_resume_cb(struct l2cap_chan *chan)
3035 struct smp_chan *smp = chan->data;
3036 struct l2cap_conn *conn = chan->conn;
3037 struct hci_conn *hcon = conn->hcon;
3039 BT_DBG("chan %p", chan);
3041 if (hcon->type == ACL_LINK) {
3042 bredr_pairing(chan);
3049 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3052 cancel_delayed_work(&smp->security_timer);
3054 smp_distribute_keys(smp);
3057 static void smp_ready_cb(struct l2cap_chan *chan)
3059 struct l2cap_conn *conn = chan->conn;
3060 struct hci_conn *hcon = conn->hcon;
3062 BT_DBG("chan %p", chan);
3064 /* No need to call l2cap_chan_hold() here since we already own
3065 * the reference taken in smp_new_conn_cb(). This is just the
3066 * first time that we tie it to a specific pointer. The code in
3067 * l2cap_core.c ensures that there's no risk this function wont
3068 * get called if smp_new_conn_cb was previously called.
3072 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3073 bredr_pairing(chan);
3076 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3080 BT_DBG("chan %p", chan);
3082 err = smp_sig_channel(chan, skb);
3084 struct smp_chan *smp = chan->data;
3087 cancel_delayed_work_sync(&smp->security_timer);
3089 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3095 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3096 unsigned long hdr_len,
3097 unsigned long len, int nb)
3099 struct sk_buff *skb;
3101 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3103 return ERR_PTR(-ENOMEM);
3105 skb->priority = HCI_PRIO_MAX;
3106 bt_cb(skb)->l2cap.chan = chan;
3111 static const struct l2cap_ops smp_chan_ops = {
3112 .name = "Security Manager",
3113 .ready = smp_ready_cb,
3114 .recv = smp_recv_cb,
3115 .alloc_skb = smp_alloc_skb_cb,
3116 .teardown = smp_teardown_cb,
3117 .resume = smp_resume_cb,
3119 .new_connection = l2cap_chan_no_new_connection,
3120 .state_change = l2cap_chan_no_state_change,
3121 .close = l2cap_chan_no_close,
3122 .defer = l2cap_chan_no_defer,
3123 .suspend = l2cap_chan_no_suspend,
3124 .set_shutdown = l2cap_chan_no_set_shutdown,
3125 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
3128 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3130 struct l2cap_chan *chan;
3132 BT_DBG("pchan %p", pchan);
3134 chan = l2cap_chan_create();
3138 chan->chan_type = pchan->chan_type;
3139 chan->ops = &smp_chan_ops;
3140 chan->scid = pchan->scid;
3141 chan->dcid = chan->scid;
3142 chan->imtu = pchan->imtu;
3143 chan->omtu = pchan->omtu;
3144 chan->mode = pchan->mode;
3146 /* Other L2CAP channels may request SMP routines in order to
3147 * change the security level. This means that the SMP channel
3148 * lock must be considered in its own category to avoid lockdep
3151 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3153 BT_DBG("created chan %p", chan);
3158 static const struct l2cap_ops smp_root_chan_ops = {
3159 .name = "Security Manager Root",
3160 .new_connection = smp_new_conn_cb,
3162 /* None of these are implemented for the root channel */
3163 .close = l2cap_chan_no_close,
3164 .alloc_skb = l2cap_chan_no_alloc_skb,
3165 .recv = l2cap_chan_no_recv,
3166 .state_change = l2cap_chan_no_state_change,
3167 .teardown = l2cap_chan_no_teardown,
3168 .ready = l2cap_chan_no_ready,
3169 .defer = l2cap_chan_no_defer,
3170 .suspend = l2cap_chan_no_suspend,
3171 .resume = l2cap_chan_no_resume,
3172 .set_shutdown = l2cap_chan_no_set_shutdown,
3173 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
3176 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3178 struct l2cap_chan *chan;
3179 struct smp_dev *smp;
3180 struct crypto_blkcipher *tfm_aes;
3181 struct crypto_hash *tfm_cmac;
3183 if (cid == L2CAP_CID_SMP_BREDR) {
3188 smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3190 return ERR_PTR(-ENOMEM);
3192 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
3193 if (IS_ERR(tfm_aes)) {
3194 BT_ERR("Unable to create ECB crypto context");
3196 return ERR_CAST(tfm_aes);
3199 tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3200 if (IS_ERR(tfm_cmac)) {
3201 BT_ERR("Unable to create CMAC crypto context");
3202 crypto_free_blkcipher(tfm_aes);
3204 return ERR_CAST(tfm_cmac);
3207 smp->tfm_aes = tfm_aes;
3208 smp->tfm_cmac = tfm_cmac;
3209 smp->min_key_size = SMP_MIN_ENC_KEY_SIZE;
3210 smp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
3213 chan = l2cap_chan_create();
3216 crypto_free_blkcipher(smp->tfm_aes);
3217 crypto_free_hash(smp->tfm_cmac);
3220 return ERR_PTR(-ENOMEM);
3225 l2cap_add_scid(chan, cid);
3227 l2cap_chan_set_defaults(chan);
3229 if (cid == L2CAP_CID_SMP) {
3232 hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3234 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3235 chan->src_type = BDADDR_LE_PUBLIC;
3237 chan->src_type = BDADDR_LE_RANDOM;
3239 bacpy(&chan->src, &hdev->bdaddr);
3240 chan->src_type = BDADDR_BREDR;
3243 chan->state = BT_LISTEN;
3244 chan->mode = L2CAP_MODE_BASIC;
3245 chan->imtu = L2CAP_DEFAULT_MTU;
3246 chan->ops = &smp_root_chan_ops;
3248 /* Set correct nesting level for a parent/listening channel */
3249 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3254 static void smp_del_chan(struct l2cap_chan *chan)
3256 struct smp_dev *smp;
3258 BT_DBG("chan %p", chan);
3264 crypto_free_blkcipher(smp->tfm_aes);
3266 crypto_free_hash(smp->tfm_cmac);
3270 l2cap_chan_put(chan);
3273 static ssize_t force_bredr_smp_read(struct file *file,
3274 char __user *user_buf,
3275 size_t count, loff_t *ppos)
3277 struct hci_dev *hdev = file->private_data;
3280 buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3283 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3286 static ssize_t force_bredr_smp_write(struct file *file,
3287 const char __user *user_buf,
3288 size_t count, loff_t *ppos)
3290 struct hci_dev *hdev = file->private_data;
3292 size_t buf_size = min(count, (sizeof(buf)-1));
3295 if (copy_from_user(buf, user_buf, buf_size))
3298 buf[buf_size] = '\0';
3299 if (strtobool(buf, &enable))
3302 if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3306 struct l2cap_chan *chan;
3308 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3310 return PTR_ERR(chan);
3312 hdev->smp_bredr_data = chan;
3314 struct l2cap_chan *chan;
3316 chan = hdev->smp_bredr_data;
3317 hdev->smp_bredr_data = NULL;
3321 hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3326 static const struct file_operations force_bredr_smp_fops = {
3327 .open = simple_open,
3328 .read = force_bredr_smp_read,
3329 .write = force_bredr_smp_write,
3330 .llseek = default_llseek,
3333 static ssize_t le_min_key_size_read(struct file *file,
3334 char __user *user_buf,
3335 size_t count, loff_t *ppos)
3337 struct hci_dev *hdev = file->private_data;
3340 snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->min_key_size);
3342 return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3345 static ssize_t le_min_key_size_write(struct file *file,
3346 const char __user *user_buf,
3347 size_t count, loff_t *ppos)
3349 struct hci_dev *hdev = file->private_data;
3351 size_t buf_size = min(count, (sizeof(buf) - 1));
3354 if (copy_from_user(buf, user_buf, buf_size))
3357 buf[buf_size] = '\0';
3359 sscanf(buf, "%hhu", &key_size);
3361 if (key_size > SMP_DEV(hdev)->max_key_size ||
3362 key_size < SMP_MIN_ENC_KEY_SIZE)
3365 SMP_DEV(hdev)->min_key_size = key_size;
3370 static const struct file_operations le_min_key_size_fops = {
3371 .open = simple_open,
3372 .read = le_min_key_size_read,
3373 .write = le_min_key_size_write,
3374 .llseek = default_llseek,
3377 static ssize_t le_max_key_size_read(struct file *file,
3378 char __user *user_buf,
3379 size_t count, loff_t *ppos)
3381 struct hci_dev *hdev = file->private_data;
3384 snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->max_key_size);
3386 return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3389 static ssize_t le_max_key_size_write(struct file *file,
3390 const char __user *user_buf,
3391 size_t count, loff_t *ppos)
3393 struct hci_dev *hdev = file->private_data;
3395 size_t buf_size = min(count, (sizeof(buf) - 1));
3398 if (copy_from_user(buf, user_buf, buf_size))
3401 buf[buf_size] = '\0';
3403 sscanf(buf, "%hhu", &key_size);
3405 if (key_size > SMP_MAX_ENC_KEY_SIZE ||
3406 key_size < SMP_DEV(hdev)->min_key_size)
3409 SMP_DEV(hdev)->max_key_size = key_size;
3414 static const struct file_operations le_max_key_size_fops = {
3415 .open = simple_open,
3416 .read = le_max_key_size_read,
3417 .write = le_max_key_size_write,
3418 .llseek = default_llseek,
3421 int smp_register(struct hci_dev *hdev)
3423 struct l2cap_chan *chan;
3425 BT_DBG("%s", hdev->name);
3427 /* If the controller does not support Low Energy operation, then
3428 * there is also no need to register any SMP channel.
3430 if (!lmp_le_capable(hdev))
3433 if (WARN_ON(hdev->smp_data)) {
3434 chan = hdev->smp_data;
3435 hdev->smp_data = NULL;
3439 chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3441 return PTR_ERR(chan);
3443 hdev->smp_data = chan;
3445 debugfs_create_file("le_min_key_size", 0644, hdev->debugfs, hdev,
3446 &le_min_key_size_fops);
3447 debugfs_create_file("le_max_key_size", 0644, hdev->debugfs, hdev,
3448 &le_max_key_size_fops);
3450 /* If the controller does not support BR/EDR Secure Connections
3451 * feature, then the BR/EDR SMP channel shall not be present.
3453 * To test this with Bluetooth 4.0 controllers, create a debugfs
3454 * switch that allows forcing BR/EDR SMP support and accepting
3455 * cross-transport pairing on non-AES encrypted connections.
3457 if (!lmp_sc_capable(hdev)) {
3458 debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3459 hdev, &force_bredr_smp_fops);
3463 if (WARN_ON(hdev->smp_bredr_data)) {
3464 chan = hdev->smp_bredr_data;
3465 hdev->smp_bredr_data = NULL;
3469 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3471 int err = PTR_ERR(chan);
3472 chan = hdev->smp_data;
3473 hdev->smp_data = NULL;
3478 hdev->smp_bredr_data = chan;
3483 void smp_unregister(struct hci_dev *hdev)
3485 struct l2cap_chan *chan;
3487 if (hdev->smp_bredr_data) {
3488 chan = hdev->smp_bredr_data;
3489 hdev->smp_bredr_data = NULL;
3493 if (hdev->smp_data) {
3494 chan = hdev->smp_data;
3495 hdev->smp_data = NULL;
3500 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3502 static int __init test_ah(struct crypto_blkcipher *tfm_aes)
3504 const u8 irk[16] = {
3505 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3506 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3507 const u8 r[3] = { 0x94, 0x81, 0x70 };
3508 const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3512 err = smp_ah(tfm_aes, irk, r, res);
3516 if (crypto_memneq(res, exp, 3))
3522 static int __init test_c1(struct crypto_blkcipher *tfm_aes)
3525 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3526 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3528 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3529 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3530 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3531 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3532 const u8 _iat = 0x01;
3533 const u8 _rat = 0x00;
3534 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3535 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3536 const u8 exp[16] = {
3537 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3538 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3542 err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3546 if (crypto_memneq(res, exp, 16))
3552 static int __init test_s1(struct crypto_blkcipher *tfm_aes)
3555 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3556 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3558 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3560 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3561 const u8 exp[16] = {
3562 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3563 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3567 err = smp_s1(tfm_aes, k, r1, r2, res);
3571 if (crypto_memneq(res, exp, 16))
3577 static int __init test_f4(struct crypto_hash *tfm_cmac)
3580 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3581 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3582 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3583 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3585 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3586 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3587 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3588 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3590 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3591 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3593 const u8 exp[16] = {
3594 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3595 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3599 err = smp_f4(tfm_cmac, u, v, x, z, res);
3603 if (crypto_memneq(res, exp, 16))
3609 static int __init test_f5(struct crypto_hash *tfm_cmac)
3612 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3613 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3614 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3615 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3617 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3618 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3620 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3621 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3622 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3623 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3624 const u8 exp_ltk[16] = {
3625 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3626 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3627 const u8 exp_mackey[16] = {
3628 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3629 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3630 u8 mackey[16], ltk[16];
3633 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3637 if (crypto_memneq(mackey, exp_mackey, 16))
3640 if (crypto_memneq(ltk, exp_ltk, 16))
3646 static int __init test_f6(struct crypto_hash *tfm_cmac)
3649 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3650 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3652 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3653 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3655 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3656 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3658 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3659 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3660 const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3661 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3662 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3663 const u8 exp[16] = {
3664 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3665 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3669 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3673 if (crypto_memneq(res, exp, 16))
3679 static int __init test_g2(struct crypto_hash *tfm_cmac)
3682 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3683 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3684 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3685 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3687 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3688 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3689 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3690 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3692 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3693 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3695 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3696 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3697 const u32 exp_val = 0x2f9ed5ba % 1000000;
3701 err = smp_g2(tfm_cmac, u, v, x, y, &val);
3711 static int __init test_h6(struct crypto_hash *tfm_cmac)
3714 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3715 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3716 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3717 const u8 exp[16] = {
3718 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3719 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3723 err = smp_h6(tfm_cmac, w, key_id, res);
3727 if (crypto_memneq(res, exp, 16))
3733 static char test_smp_buffer[32];
3735 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3736 size_t count, loff_t *ppos)
3738 return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3739 strlen(test_smp_buffer));
3742 static const struct file_operations test_smp_fops = {
3743 .open = simple_open,
3744 .read = test_smp_read,
3745 .llseek = default_llseek,
3748 static int __init run_selftests(struct crypto_blkcipher *tfm_aes,
3749 struct crypto_hash *tfm_cmac)
3751 ktime_t calltime, delta, rettime;
3752 unsigned long long duration;
3755 calltime = ktime_get();
3757 err = test_ah(tfm_aes);
3759 BT_ERR("smp_ah test failed");
3763 err = test_c1(tfm_aes);
3765 BT_ERR("smp_c1 test failed");
3769 err = test_s1(tfm_aes);
3771 BT_ERR("smp_s1 test failed");
3775 err = test_f4(tfm_cmac);
3777 BT_ERR("smp_f4 test failed");
3781 err = test_f5(tfm_cmac);
3783 BT_ERR("smp_f5 test failed");
3787 err = test_f6(tfm_cmac);
3789 BT_ERR("smp_f6 test failed");
3793 err = test_g2(tfm_cmac);
3795 BT_ERR("smp_g2 test failed");
3799 err = test_h6(tfm_cmac);
3801 BT_ERR("smp_h6 test failed");
3805 rettime = ktime_get();
3806 delta = ktime_sub(rettime, calltime);
3807 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3809 BT_INFO("SMP test passed in %llu usecs", duration);
3813 snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3814 "PASS (%llu usecs)\n", duration);
3816 snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3818 debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3824 int __init bt_selftest_smp(void)
3826 struct crypto_blkcipher *tfm_aes;
3827 struct crypto_hash *tfm_cmac;
3830 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
3831 if (IS_ERR(tfm_aes)) {
3832 BT_ERR("Unable to create ECB crypto context");
3833 return PTR_ERR(tfm_aes);
3836 tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3837 if (IS_ERR(tfm_cmac)) {
3838 BT_ERR("Unable to create CMAC crypto context");
3839 crypto_free_blkcipher(tfm_aes);
3840 return PTR_ERR(tfm_cmac);
3843 err = run_selftests(tfm_aes, tfm_cmac);
3845 crypto_free_hash(tfm_cmac);
3846 crypto_free_blkcipher(tfm_aes);
projects / releases.git / blob