2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
23 #include <linux/crypto.h>
24 #include <linux/scatterlist.h>
25 #include <crypto/b128ops.h>
27 #include <net/bluetooth/bluetooth.h>
28 #include <net/bluetooth/hci_core.h>
29 #include <net/bluetooth/l2cap.h>
30 #include <net/bluetooth/mgmt.h>
35 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
37 /* Keys which are not distributed with Secure Connections */
38 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
40 #define SMP_TIMEOUT msecs_to_jiffies(30000)
42 #define AUTH_REQ_MASK(dev) (test_bit(HCI_SC_ENABLED, &(dev)->dev_flags) ? \
44 #define KEY_DIST_MASK 0x07
46 /* Maximum message length that can be passed to aes_cmac */
47 #define CMAC_MSG_MAX 80
61 struct l2cap_conn
*conn
;
62 struct delayed_work security_timer
;
63 unsigned long allow_cmd
; /* Bitmask of allowed commands */
65 u8 preq
[7]; /* SMP Pairing Request */
66 u8 prsp
[7]; /* SMP Pairing Response */
67 u8 prnd
[16]; /* SMP Pairing Random (local) */
68 u8 rrnd
[16]; /* SMP Pairing Random (remote) */
69 u8 pcnf
[16]; /* SMP Pairing Confirm */
70 u8 tk
[16]; /* SMP Temporary Key */
76 struct smp_csrk
*csrk
;
77 struct smp_csrk
*slave_csrk
;
79 struct smp_ltk
*slave_ltk
;
80 struct smp_irk
*remote_irk
;
85 /* Secure Connections variables */
92 struct crypto_blkcipher
*tfm_aes
;
93 struct crypto_hash
*tfm_cmac
;
96 /* These debug key values are defined in the SMP section of the core
97 * specification. debug_pk is the public debug key and debug_sk the
100 static const u8 debug_pk
[64] = {
101 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
102 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
103 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
104 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
106 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
107 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
108 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
109 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
112 static const u8 debug_sk
[32] = {
113 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
114 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
115 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
116 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
119 static inline void swap_buf(const u8
*src
, u8
*dst
, size_t len
)
123 for (i
= 0; i
< len
; i
++)
124 dst
[len
- 1 - i
] = src
[i
];
127 static int aes_cmac(struct crypto_hash
*tfm
, const u8 k
[16], const u8
*m
,
128 size_t len
, u8 mac
[16])
130 uint8_t tmp
[16], mac_msb
[16], msg_msb
[CMAC_MSG_MAX
];
131 struct hash_desc desc
;
132 struct scatterlist sg
;
135 if (len
> CMAC_MSG_MAX
)
139 BT_ERR("tfm %p", tfm
);
146 crypto_hash_init(&desc
);
148 /* Swap key and message from LSB to MSB */
149 swap_buf(k
, tmp
, 16);
150 swap_buf(m
, msg_msb
, len
);
152 BT_DBG("msg (len %zu) %*phN", len
, (int) len
, m
);
153 BT_DBG("key %16phN", k
);
155 err
= crypto_hash_setkey(tfm
, tmp
, 16);
157 BT_ERR("cipher setkey failed: %d", err
);
161 sg_init_one(&sg
, msg_msb
, len
);
163 err
= crypto_hash_update(&desc
, &sg
, len
);
165 BT_ERR("Hash update error %d", err
);
169 err
= crypto_hash_final(&desc
, mac_msb
);
171 BT_ERR("Hash final error %d", err
);
175 swap_buf(mac_msb
, mac
, 16);
177 BT_DBG("mac %16phN", mac
);
182 static int smp_f4(struct crypto_hash
*tfm_cmac
, const u8 u
[32], const u8 v
[32],
183 const u8 x
[16], u8 z
, u8 res
[16])
188 BT_DBG("u %32phN", u
);
189 BT_DBG("v %32phN", v
);
190 BT_DBG("x %16phN z %02x", x
, z
);
193 memcpy(m
+ 1, v
, 32);
194 memcpy(m
+ 33, u
, 32);
196 err
= aes_cmac(tfm_cmac
, x
, m
, sizeof(m
), res
);
200 BT_DBG("res %16phN", res
);
205 static int smp_f5(struct crypto_hash
*tfm_cmac
, u8 w
[32], u8 n1
[16], u8 n2
[16],
206 u8 a1
[7], u8 a2
[7], u8 mackey
[16], u8 ltk
[16])
208 /* The btle, salt and length "magic" values are as defined in
209 * the SMP section of the Bluetooth core specification. In ASCII
210 * the btle value ends up being 'btle'. The salt is just a
211 * random number whereas length is the value 256 in little
214 const u8 btle
[4] = { 0x65, 0x6c, 0x74, 0x62 };
215 const u8 salt
[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
216 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
217 const u8 length
[2] = { 0x00, 0x01 };
221 BT_DBG("w %32phN", w
);
222 BT_DBG("n1 %16phN n2 %16phN", n1
, n2
);
223 BT_DBG("a1 %7phN a2 %7phN", a1
, a2
);
225 err
= aes_cmac(tfm_cmac
, salt
, w
, 32, t
);
229 BT_DBG("t %16phN", t
);
231 memcpy(m
, length
, 2);
232 memcpy(m
+ 2, a2
, 7);
233 memcpy(m
+ 9, a1
, 7);
234 memcpy(m
+ 16, n2
, 16);
235 memcpy(m
+ 32, n1
, 16);
236 memcpy(m
+ 48, btle
, 4);
238 m
[52] = 0; /* Counter */
240 err
= aes_cmac(tfm_cmac
, t
, m
, sizeof(m
), mackey
);
244 BT_DBG("mackey %16phN", mackey
);
246 m
[52] = 1; /* Counter */
248 err
= aes_cmac(tfm_cmac
, t
, m
, sizeof(m
), ltk
);
252 BT_DBG("ltk %16phN", ltk
);
257 static int smp_f6(struct crypto_hash
*tfm_cmac
, const u8 w
[16],
258 const u8 n1
[16], u8 n2
[16], const u8 r
[16],
259 const u8 io_cap
[3], const u8 a1
[7], const u8 a2
[7],
265 BT_DBG("w %16phN", w
);
266 BT_DBG("n1 %16phN n2 %16phN", n1
, n2
);
267 BT_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r
, io_cap
, a1
, a2
);
270 memcpy(m
+ 7, a1
, 7);
271 memcpy(m
+ 14, io_cap
, 3);
272 memcpy(m
+ 17, r
, 16);
273 memcpy(m
+ 33, n2
, 16);
274 memcpy(m
+ 49, n1
, 16);
276 err
= aes_cmac(tfm_cmac
, w
, m
, sizeof(m
), res
);
280 BT_DBG("res %16phN", res
);
285 static int smp_g2(struct crypto_hash
*tfm_cmac
, const u8 u
[32], const u8 v
[32],
286 const u8 x
[16], const u8 y
[16], u32
*val
)
291 BT_DBG("u %32phN", u
);
292 BT_DBG("v %32phN", v
);
293 BT_DBG("x %16phN y %16phN", x
, y
);
296 memcpy(m
+ 16, v
, 32);
297 memcpy(m
+ 48, u
, 32);
299 err
= aes_cmac(tfm_cmac
, x
, m
, sizeof(m
), tmp
);
303 *val
= get_unaligned_le32(tmp
);
306 BT_DBG("val %06u", *val
);
311 static int smp_e(struct crypto_blkcipher
*tfm
, const u8
*k
, u8
*r
)
313 struct blkcipher_desc desc
;
314 struct scatterlist sg
;
315 uint8_t tmp
[16], data
[16];
319 BT_ERR("tfm %p", tfm
);
326 /* The most significant octet of key corresponds to k[0] */
327 swap_buf(k
, tmp
, 16);
329 err
= crypto_blkcipher_setkey(tfm
, tmp
, 16);
331 BT_ERR("cipher setkey failed: %d", err
);
335 /* Most significant octet of plaintextData corresponds to data[0] */
336 swap_buf(r
, data
, 16);
338 sg_init_one(&sg
, data
, 16);
340 err
= crypto_blkcipher_encrypt(&desc
, &sg
, &sg
, 16);
342 BT_ERR("Encrypt data error %d", err
);
344 /* Most significant octet of encryptedData corresponds to data[0] */
345 swap_buf(data
, r
, 16);
350 static int smp_h6(struct crypto_hash
*tfm_cmac
, const u8 w
[16],
351 const u8 key_id
[4], u8 res
[16])
355 BT_DBG("w %16phN key_id %4phN", w
, key_id
);
357 err
= aes_cmac(tfm_cmac
, w
, key_id
, 4, res
);
361 BT_DBG("res %16phN", res
);
366 static int smp_ah(struct crypto_blkcipher
*tfm
, u8 irk
[16], u8 r
[3], u8 res
[3])
371 /* r' = padding || r */
373 memset(_res
+ 3, 0, 13);
375 err
= smp_e(tfm
, irk
, _res
);
377 BT_ERR("Encrypt error");
381 /* The output of the random address function ah is:
382 * ah(h, r) = e(k, r') mod 2^24
383 * The output of the security function e is then truncated to 24 bits
384 * by taking the least significant 24 bits of the output of e as the
387 memcpy(res
, _res
, 3);
392 bool smp_irk_matches(struct hci_dev
*hdev
, u8 irk
[16], bdaddr_t
*bdaddr
)
394 struct l2cap_chan
*chan
= hdev
->smp_data
;
395 struct crypto_blkcipher
*tfm
;
399 if (!chan
|| !chan
->data
)
404 BT_DBG("RPA %pMR IRK %*phN", bdaddr
, 16, irk
);
406 err
= smp_ah(tfm
, irk
, &bdaddr
->b
[3], hash
);
410 return !memcmp(bdaddr
->b
, hash
, 3);
413 int smp_generate_rpa(struct hci_dev
*hdev
, u8 irk
[16], bdaddr_t
*rpa
)
415 struct l2cap_chan
*chan
= hdev
->smp_data
;
416 struct crypto_blkcipher
*tfm
;
419 if (!chan
|| !chan
->data
)
424 get_random_bytes(&rpa
->b
[3], 3);
426 rpa
->b
[5] &= 0x3f; /* Clear two most significant bits */
427 rpa
->b
[5] |= 0x40; /* Set second most significant bit */
429 err
= smp_ah(tfm
, irk
, &rpa
->b
[3], rpa
->b
);
433 BT_DBG("RPA %pMR", rpa
);
438 static int smp_c1(struct crypto_blkcipher
*tfm_aes
, u8 k
[16], u8 r
[16],
439 u8 preq
[7], u8 pres
[7], u8 _iat
, bdaddr_t
*ia
, u8 _rat
,
440 bdaddr_t
*ra
, u8 res
[16])
447 /* p1 = pres || preq || _rat || _iat */
450 memcpy(p1
+ 2, preq
, 7);
451 memcpy(p1
+ 9, pres
, 7);
453 /* p2 = padding || ia || ra */
455 memcpy(p2
+ 6, ia
, 6);
456 memset(p2
+ 12, 0, 4);
459 u128_xor((u128
*) res
, (u128
*) r
, (u128
*) p1
);
461 /* res = e(k, res) */
462 err
= smp_e(tfm_aes
, k
, res
);
464 BT_ERR("Encrypt data error");
468 /* res = res XOR p2 */
469 u128_xor((u128
*) res
, (u128
*) res
, (u128
*) p2
);
471 /* res = e(k, res) */
472 err
= smp_e(tfm_aes
, k
, res
);
474 BT_ERR("Encrypt data error");
479 static int smp_s1(struct crypto_blkcipher
*tfm_aes
, u8 k
[16], u8 r1
[16],
480 u8 r2
[16], u8 _r
[16])
484 /* Just least significant octets from r1 and r2 are considered */
486 memcpy(_r
+ 8, r1
, 8);
488 err
= smp_e(tfm_aes
, k
, _r
);
490 BT_ERR("Encrypt data error");
495 static void smp_send_cmd(struct l2cap_conn
*conn
, u8 code
, u16 len
, void *data
)
497 struct l2cap_chan
*chan
= conn
->smp
;
498 struct smp_chan
*smp
;
505 BT_DBG("code 0x%2.2x", code
);
507 iv
[0].iov_base
= &code
;
510 iv
[1].iov_base
= data
;
513 memset(&msg
, 0, sizeof(msg
));
515 msg
.msg_iov
= (struct iovec
*) &iv
;
518 l2cap_chan_send(chan
, &msg
, 1 + len
);
525 cancel_delayed_work_sync(&smp
->security_timer
);
526 schedule_delayed_work(&smp
->security_timer
, SMP_TIMEOUT
);
529 static u8
authreq_to_seclevel(u8 authreq
)
531 if (authreq
& SMP_AUTH_MITM
) {
532 if (authreq
& SMP_AUTH_SC
)
533 return BT_SECURITY_FIPS
;
535 return BT_SECURITY_HIGH
;
537 return BT_SECURITY_MEDIUM
;
541 static __u8
seclevel_to_authreq(__u8 sec_level
)
544 case BT_SECURITY_FIPS
:
545 case BT_SECURITY_HIGH
:
546 return SMP_AUTH_MITM
| SMP_AUTH_BONDING
;
547 case BT_SECURITY_MEDIUM
:
548 return SMP_AUTH_BONDING
;
550 return SMP_AUTH_NONE
;
554 static void build_pairing_cmd(struct l2cap_conn
*conn
,
555 struct smp_cmd_pairing
*req
,
556 struct smp_cmd_pairing
*rsp
, __u8 authreq
)
558 struct l2cap_chan
*chan
= conn
->smp
;
559 struct smp_chan
*smp
= chan
->data
;
560 struct hci_conn
*hcon
= conn
->hcon
;
561 struct hci_dev
*hdev
= hcon
->hdev
;
562 u8 local_dist
= 0, remote_dist
= 0;
564 if (test_bit(HCI_BONDABLE
, &conn
->hcon
->hdev
->dev_flags
)) {
565 local_dist
= SMP_DIST_ENC_KEY
| SMP_DIST_SIGN
;
566 remote_dist
= SMP_DIST_ENC_KEY
| SMP_DIST_SIGN
;
567 authreq
|= SMP_AUTH_BONDING
;
569 authreq
&= ~SMP_AUTH_BONDING
;
572 if (test_bit(HCI_RPA_RESOLVING
, &hdev
->dev_flags
))
573 remote_dist
|= SMP_DIST_ID_KEY
;
575 if (test_bit(HCI_PRIVACY
, &hdev
->dev_flags
))
576 local_dist
|= SMP_DIST_ID_KEY
;
578 if (test_bit(HCI_SC_ENABLED
, &hdev
->dev_flags
)) {
579 if ((authreq
& SMP_AUTH_SC
) &&
580 test_bit(HCI_SSP_ENABLED
, &hdev
->dev_flags
)) {
581 local_dist
|= SMP_DIST_LINK_KEY
;
582 remote_dist
|= SMP_DIST_LINK_KEY
;
585 authreq
&= ~SMP_AUTH_SC
;
589 req
->io_capability
= conn
->hcon
->io_capability
;
590 req
->oob_flag
= SMP_OOB_NOT_PRESENT
;
591 req
->max_key_size
= SMP_MAX_ENC_KEY_SIZE
;
592 req
->init_key_dist
= local_dist
;
593 req
->resp_key_dist
= remote_dist
;
594 req
->auth_req
= (authreq
& AUTH_REQ_MASK(hdev
));
596 smp
->remote_key_dist
= remote_dist
;
600 rsp
->io_capability
= conn
->hcon
->io_capability
;
601 rsp
->oob_flag
= SMP_OOB_NOT_PRESENT
;
602 rsp
->max_key_size
= SMP_MAX_ENC_KEY_SIZE
;
603 rsp
->init_key_dist
= req
->init_key_dist
& remote_dist
;
604 rsp
->resp_key_dist
= req
->resp_key_dist
& local_dist
;
605 rsp
->auth_req
= (authreq
& AUTH_REQ_MASK(hdev
));
607 smp
->remote_key_dist
= rsp
->init_key_dist
;
610 static u8
check_enc_key_size(struct l2cap_conn
*conn
, __u8 max_key_size
)
612 struct l2cap_chan
*chan
= conn
->smp
;
613 struct smp_chan
*smp
= chan
->data
;
615 if ((max_key_size
> SMP_MAX_ENC_KEY_SIZE
) ||
616 (max_key_size
< SMP_MIN_ENC_KEY_SIZE
))
617 return SMP_ENC_KEY_SIZE
;
619 smp
->enc_key_size
= max_key_size
;
624 static void smp_chan_destroy(struct l2cap_conn
*conn
)
626 struct l2cap_chan
*chan
= conn
->smp
;
627 struct smp_chan
*smp
= chan
->data
;
632 cancel_delayed_work_sync(&smp
->security_timer
);
634 complete
= test_bit(SMP_FLAG_COMPLETE
, &smp
->flags
);
635 mgmt_smp_complete(conn
->hcon
, complete
);
638 kfree(smp
->slave_csrk
);
639 kfree(smp
->link_key
);
641 crypto_free_blkcipher(smp
->tfm_aes
);
642 crypto_free_hash(smp
->tfm_cmac
);
644 /* If pairing failed clean up any keys we might have */
647 list_del_rcu(&smp
->ltk
->list
);
648 kfree_rcu(smp
->ltk
, rcu
);
651 if (smp
->slave_ltk
) {
652 list_del_rcu(&smp
->slave_ltk
->list
);
653 kfree_rcu(smp
->slave_ltk
, rcu
);
656 if (smp
->remote_irk
) {
657 list_del_rcu(&smp
->remote_irk
->list
);
658 kfree_rcu(smp
->remote_irk
, rcu
);
664 hci_conn_drop(conn
->hcon
);
667 static void smp_failure(struct l2cap_conn
*conn
, u8 reason
)
669 struct hci_conn
*hcon
= conn
->hcon
;
670 struct l2cap_chan
*chan
= conn
->smp
;
673 smp_send_cmd(conn
, SMP_CMD_PAIRING_FAIL
, sizeof(reason
),
676 clear_bit(HCI_CONN_ENCRYPT_PEND
, &hcon
->flags
);
677 mgmt_auth_failed(hcon
, HCI_ERROR_AUTH_FAILURE
);
680 smp_chan_destroy(conn
);
683 #define JUST_WORKS 0x00
684 #define JUST_CFM 0x01
685 #define REQ_PASSKEY 0x02
686 #define CFM_PASSKEY 0x03
688 #define DSP_PASSKEY 0x05
691 static const u8 gen_method
[5][5] = {
692 { JUST_WORKS
, JUST_CFM
, REQ_PASSKEY
, JUST_WORKS
, REQ_PASSKEY
},
693 { JUST_WORKS
, JUST_CFM
, REQ_PASSKEY
, JUST_WORKS
, REQ_PASSKEY
},
694 { CFM_PASSKEY
, CFM_PASSKEY
, REQ_PASSKEY
, JUST_WORKS
, CFM_PASSKEY
},
695 { JUST_WORKS
, JUST_CFM
, JUST_WORKS
, JUST_WORKS
, JUST_CFM
},
696 { CFM_PASSKEY
, CFM_PASSKEY
, REQ_PASSKEY
, JUST_WORKS
, OVERLAP
},
699 static const u8 sc_method
[5][5] = {
700 { JUST_WORKS
, JUST_CFM
, REQ_PASSKEY
, JUST_WORKS
, REQ_PASSKEY
},
701 { JUST_WORKS
, CFM_PASSKEY
, REQ_PASSKEY
, JUST_WORKS
, CFM_PASSKEY
},
702 { DSP_PASSKEY
, DSP_PASSKEY
, REQ_PASSKEY
, JUST_WORKS
, DSP_PASSKEY
},
703 { JUST_WORKS
, JUST_CFM
, JUST_WORKS
, JUST_WORKS
, JUST_CFM
},
704 { DSP_PASSKEY
, CFM_PASSKEY
, REQ_PASSKEY
, JUST_WORKS
, CFM_PASSKEY
},
707 static u8
get_auth_method(struct smp_chan
*smp
, u8 local_io
, u8 remote_io
)
709 /* If either side has unknown io_caps, use JUST_CFM (which gets
710 * converted later to JUST_WORKS if we're initiators.
712 if (local_io
> SMP_IO_KEYBOARD_DISPLAY
||
713 remote_io
> SMP_IO_KEYBOARD_DISPLAY
)
716 if (test_bit(SMP_FLAG_SC
, &smp
->flags
))
717 return sc_method
[remote_io
][local_io
];
719 return gen_method
[remote_io
][local_io
];
722 static int tk_request(struct l2cap_conn
*conn
, u8 remote_oob
, u8 auth
,
723 u8 local_io
, u8 remote_io
)
725 struct hci_conn
*hcon
= conn
->hcon
;
726 struct l2cap_chan
*chan
= conn
->smp
;
727 struct smp_chan
*smp
= chan
->data
;
731 /* Initialize key for JUST WORKS */
732 memset(smp
->tk
, 0, sizeof(smp
->tk
));
733 clear_bit(SMP_FLAG_TK_VALID
, &smp
->flags
);
735 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth
, local_io
, remote_io
);
737 /* If neither side wants MITM, either "just" confirm an incoming
738 * request or use just-works for outgoing ones. The JUST_CFM
739 * will be converted to JUST_WORKS if necessary later in this
740 * function. If either side has MITM look up the method from the
743 if (!(auth
& SMP_AUTH_MITM
))
744 smp
->method
= JUST_CFM
;
746 smp
->method
= get_auth_method(smp
, local_io
, remote_io
);
748 /* Don't confirm locally initiated pairing attempts */
749 if (smp
->method
== JUST_CFM
&& test_bit(SMP_FLAG_INITIATOR
,
751 smp
->method
= JUST_WORKS
;
753 /* Don't bother user space with no IO capabilities */
754 if (smp
->method
== JUST_CFM
&&
755 hcon
->io_capability
== HCI_IO_NO_INPUT_OUTPUT
)
756 smp
->method
= JUST_WORKS
;
758 /* If Just Works, Continue with Zero TK */
759 if (smp
->method
== JUST_WORKS
) {
760 set_bit(SMP_FLAG_TK_VALID
, &smp
->flags
);
764 /* Not Just Works/Confirm results in MITM Authentication */
765 if (smp
->method
!= JUST_CFM
) {
766 set_bit(SMP_FLAG_MITM_AUTH
, &smp
->flags
);
767 if (hcon
->pending_sec_level
< BT_SECURITY_HIGH
)
768 hcon
->pending_sec_level
= BT_SECURITY_HIGH
;
771 /* If both devices have Keyoard-Display I/O, the master
772 * Confirms and the slave Enters the passkey.
774 if (smp
->method
== OVERLAP
) {
775 if (hcon
->role
== HCI_ROLE_MASTER
)
776 smp
->method
= CFM_PASSKEY
;
778 smp
->method
= REQ_PASSKEY
;
781 /* Generate random passkey. */
782 if (smp
->method
== CFM_PASSKEY
) {
783 memset(smp
->tk
, 0, sizeof(smp
->tk
));
784 get_random_bytes(&passkey
, sizeof(passkey
));
786 put_unaligned_le32(passkey
, smp
->tk
);
787 BT_DBG("PassKey: %d", passkey
);
788 set_bit(SMP_FLAG_TK_VALID
, &smp
->flags
);
791 if (smp
->method
== REQ_PASSKEY
)
792 ret
= mgmt_user_passkey_request(hcon
->hdev
, &hcon
->dst
,
793 hcon
->type
, hcon
->dst_type
);
794 else if (smp
->method
== JUST_CFM
)
795 ret
= mgmt_user_confirm_request(hcon
->hdev
, &hcon
->dst
,
796 hcon
->type
, hcon
->dst_type
,
799 ret
= mgmt_user_passkey_notify(hcon
->hdev
, &hcon
->dst
,
800 hcon
->type
, hcon
->dst_type
,
806 static u8
smp_confirm(struct smp_chan
*smp
)
808 struct l2cap_conn
*conn
= smp
->conn
;
809 struct smp_cmd_pairing_confirm cp
;
812 BT_DBG("conn %p", conn
);
814 ret
= smp_c1(smp
->tfm_aes
, smp
->tk
, smp
->prnd
, smp
->preq
, smp
->prsp
,
815 conn
->hcon
->init_addr_type
, &conn
->hcon
->init_addr
,
816 conn
->hcon
->resp_addr_type
, &conn
->hcon
->resp_addr
,
819 return SMP_UNSPECIFIED
;
821 clear_bit(SMP_FLAG_CFM_PENDING
, &smp
->flags
);
823 smp_send_cmd(smp
->conn
, SMP_CMD_PAIRING_CONFIRM
, sizeof(cp
), &cp
);
826 SMP_ALLOW_CMD(smp
, SMP_CMD_PAIRING_CONFIRM
);
828 SMP_ALLOW_CMD(smp
, SMP_CMD_PAIRING_RANDOM
);
833 static u8
smp_random(struct smp_chan
*smp
)
835 struct l2cap_conn
*conn
= smp
->conn
;
836 struct hci_conn
*hcon
= conn
->hcon
;
840 if (IS_ERR_OR_NULL(smp
->tfm_aes
))
841 return SMP_UNSPECIFIED
;
843 BT_DBG("conn %p %s", conn
, conn
->hcon
->out
? "master" : "slave");
845 ret
= smp_c1(smp
->tfm_aes
, smp
->tk
, smp
->rrnd
, smp
->preq
, smp
->prsp
,
846 hcon
->init_addr_type
, &hcon
->init_addr
,
847 hcon
->resp_addr_type
, &hcon
->resp_addr
, confirm
);
849 return SMP_UNSPECIFIED
;
851 if (memcmp(smp
->pcnf
, confirm
, sizeof(smp
->pcnf
)) != 0) {
852 BT_ERR("Pairing failed (confirmation values mismatch)");
853 return SMP_CONFIRM_FAILED
;
861 smp_s1(smp
->tfm_aes
, smp
->tk
, smp
->rrnd
, smp
->prnd
, stk
);
863 memset(stk
+ smp
->enc_key_size
, 0,
864 SMP_MAX_ENC_KEY_SIZE
- smp
->enc_key_size
);
866 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND
, &hcon
->flags
))
867 return SMP_UNSPECIFIED
;
869 hci_le_start_enc(hcon
, ediv
, rand
, stk
);
870 hcon
->enc_key_size
= smp
->enc_key_size
;
871 set_bit(HCI_CONN_STK_ENCRYPT
, &hcon
->flags
);
877 smp_send_cmd(conn
, SMP_CMD_PAIRING_RANDOM
, sizeof(smp
->prnd
),
880 smp_s1(smp
->tfm_aes
, smp
->tk
, smp
->prnd
, smp
->rrnd
, stk
);
882 memset(stk
+ smp
->enc_key_size
, 0,
883 SMP_MAX_ENC_KEY_SIZE
- smp
->enc_key_size
);
885 if (hcon
->pending_sec_level
== BT_SECURITY_HIGH
)
890 /* Even though there's no _SLAVE suffix this is the
891 * slave STK we're adding for later lookup (the master
892 * STK never needs to be stored).
894 hci_add_ltk(hcon
->hdev
, &hcon
->dst
, hcon
->dst_type
,
895 SMP_STK
, auth
, stk
, smp
->enc_key_size
, ediv
, rand
);
901 static void smp_notify_keys(struct l2cap_conn
*conn
)
903 struct l2cap_chan
*chan
= conn
->smp
;
904 struct smp_chan
*smp
= chan
->data
;
905 struct hci_conn
*hcon
= conn
->hcon
;
906 struct hci_dev
*hdev
= hcon
->hdev
;
907 struct smp_cmd_pairing
*req
= (void *) &smp
->preq
[1];
908 struct smp_cmd_pairing
*rsp
= (void *) &smp
->prsp
[1];
911 if (smp
->remote_irk
) {
912 mgmt_new_irk(hdev
, smp
->remote_irk
);
913 /* Now that user space can be considered to know the
914 * identity address track the connection based on it
917 bacpy(&hcon
->dst
, &smp
->remote_irk
->bdaddr
);
918 hcon
->dst_type
= smp
->remote_irk
->addr_type
;
919 queue_work(hdev
->workqueue
, &conn
->id_addr_update_work
);
921 /* When receiving an indentity resolving key for
922 * a remote device that does not use a resolvable
923 * private address, just remove the key so that
924 * it is possible to use the controller white
927 * Userspace will have been told to not store
928 * this key at this point. So it is safe to
931 if (!bacmp(&smp
->remote_irk
->rpa
, BDADDR_ANY
)) {
932 list_del_rcu(&smp
->remote_irk
->list
);
933 kfree_rcu(smp
->remote_irk
, rcu
);
934 smp
->remote_irk
= NULL
;
938 /* The LTKs and CSRKs should be persistent only if both sides
939 * had the bonding bit set in their authentication requests.
941 persistent
= !!((req
->auth_req
& rsp
->auth_req
) & SMP_AUTH_BONDING
);
944 smp
->csrk
->bdaddr_type
= hcon
->dst_type
;
945 bacpy(&smp
->csrk
->bdaddr
, &hcon
->dst
);
946 mgmt_new_csrk(hdev
, smp
->csrk
, persistent
);
949 if (smp
->slave_csrk
) {
950 smp
->slave_csrk
->bdaddr_type
= hcon
->dst_type
;
951 bacpy(&smp
->slave_csrk
->bdaddr
, &hcon
->dst
);
952 mgmt_new_csrk(hdev
, smp
->slave_csrk
, persistent
);
956 smp
->ltk
->bdaddr_type
= hcon
->dst_type
;
957 bacpy(&smp
->ltk
->bdaddr
, &hcon
->dst
);
958 mgmt_new_ltk(hdev
, smp
->ltk
, persistent
);
961 if (smp
->slave_ltk
) {
962 smp
->slave_ltk
->bdaddr_type
= hcon
->dst_type
;
963 bacpy(&smp
->slave_ltk
->bdaddr
, &hcon
->dst
);
964 mgmt_new_ltk(hdev
, smp
->slave_ltk
, persistent
);
968 hci_add_link_key(hdev
, smp
->conn
->hcon
, &hcon
->dst
,
969 smp
->link_key
, HCI_LK_AUTH_COMBINATION_P256
,
974 static void sc_generate_link_key(struct smp_chan
*smp
)
976 /* These constants are as specified in the core specification.
977 * In ASCII they spell out to 'tmp1' and 'lebr'.
979 const u8 tmp1
[4] = { 0x31, 0x70, 0x6d, 0x74 };
980 const u8 lebr
[4] = { 0x72, 0x62, 0x65, 0x6c };
982 smp
->link_key
= kzalloc(16, GFP_KERNEL
);
986 if (smp_h6(smp
->tfm_cmac
, smp
->tk
, tmp1
, smp
->link_key
)) {
987 kfree(smp
->link_key
);
988 smp
->link_key
= NULL
;
992 if (smp_h6(smp
->tfm_cmac
, smp
->link_key
, lebr
, smp
->link_key
)) {
993 kfree(smp
->link_key
);
994 smp
->link_key
= NULL
;
999 static void smp_allow_key_dist(struct smp_chan
*smp
)
1001 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1002 * will be allowed in each PDU handler to ensure we receive
1003 * them in the correct order.
1005 if (smp
->remote_key_dist
& SMP_DIST_ENC_KEY
)
1006 SMP_ALLOW_CMD(smp
, SMP_CMD_ENCRYPT_INFO
);
1007 else if (smp
->remote_key_dist
& SMP_DIST_ID_KEY
)
1008 SMP_ALLOW_CMD(smp
, SMP_CMD_IDENT_INFO
);
1009 else if (smp
->remote_key_dist
& SMP_DIST_SIGN
)
1010 SMP_ALLOW_CMD(smp
, SMP_CMD_SIGN_INFO
);
1013 static void smp_distribute_keys(struct smp_chan
*smp
)
1015 struct smp_cmd_pairing
*req
, *rsp
;
1016 struct l2cap_conn
*conn
= smp
->conn
;
1017 struct hci_conn
*hcon
= conn
->hcon
;
1018 struct hci_dev
*hdev
= hcon
->hdev
;
1021 BT_DBG("conn %p", conn
);
1023 rsp
= (void *) &smp
->prsp
[1];
1025 /* The responder sends its keys first */
1026 if (hcon
->out
&& (smp
->remote_key_dist
& KEY_DIST_MASK
)) {
1027 smp_allow_key_dist(smp
);
1031 req
= (void *) &smp
->preq
[1];
1034 keydist
= &rsp
->init_key_dist
;
1035 *keydist
&= req
->init_key_dist
;
1037 keydist
= &rsp
->resp_key_dist
;
1038 *keydist
&= req
->resp_key_dist
;
1041 if (test_bit(SMP_FLAG_SC
, &smp
->flags
)) {
1042 if (*keydist
& SMP_DIST_LINK_KEY
)
1043 sc_generate_link_key(smp
);
1045 /* Clear the keys which are generated but not distributed */
1046 *keydist
&= ~SMP_SC_NO_DIST
;
1049 BT_DBG("keydist 0x%x", *keydist
);
1051 if (*keydist
& SMP_DIST_ENC_KEY
) {
1052 struct smp_cmd_encrypt_info enc
;
1053 struct smp_cmd_master_ident ident
;
1054 struct smp_ltk
*ltk
;
1059 get_random_bytes(enc
.ltk
, sizeof(enc
.ltk
));
1060 get_random_bytes(&ediv
, sizeof(ediv
));
1061 get_random_bytes(&rand
, sizeof(rand
));
1063 smp_send_cmd(conn
, SMP_CMD_ENCRYPT_INFO
, sizeof(enc
), &enc
);
1065 authenticated
= hcon
->sec_level
== BT_SECURITY_HIGH
;
1066 ltk
= hci_add_ltk(hdev
, &hcon
->dst
, hcon
->dst_type
,
1067 SMP_LTK_SLAVE
, authenticated
, enc
.ltk
,
1068 smp
->enc_key_size
, ediv
, rand
);
1069 smp
->slave_ltk
= ltk
;
1074 smp_send_cmd(conn
, SMP_CMD_MASTER_IDENT
, sizeof(ident
), &ident
);
1076 *keydist
&= ~SMP_DIST_ENC_KEY
;
1079 if (*keydist
& SMP_DIST_ID_KEY
) {
1080 struct smp_cmd_ident_addr_info addrinfo
;
1081 struct smp_cmd_ident_info idinfo
;
1083 memcpy(idinfo
.irk
, hdev
->irk
, sizeof(idinfo
.irk
));
1085 smp_send_cmd(conn
, SMP_CMD_IDENT_INFO
, sizeof(idinfo
), &idinfo
);
1087 /* The hci_conn contains the local identity address
1088 * after the connection has been established.
1090 * This is true even when the connection has been
1091 * established using a resolvable random address.
1093 bacpy(&addrinfo
.bdaddr
, &hcon
->src
);
1094 addrinfo
.addr_type
= hcon
->src_type
;
1096 smp_send_cmd(conn
, SMP_CMD_IDENT_ADDR_INFO
, sizeof(addrinfo
),
1099 *keydist
&= ~SMP_DIST_ID_KEY
;
1102 if (*keydist
& SMP_DIST_SIGN
) {
1103 struct smp_cmd_sign_info sign
;
1104 struct smp_csrk
*csrk
;
1106 /* Generate a new random key */
1107 get_random_bytes(sign
.csrk
, sizeof(sign
.csrk
));
1109 csrk
= kzalloc(sizeof(*csrk
), GFP_KERNEL
);
1111 csrk
->master
= 0x00;
1112 memcpy(csrk
->val
, sign
.csrk
, sizeof(csrk
->val
));
1114 smp
->slave_csrk
= csrk
;
1116 smp_send_cmd(conn
, SMP_CMD_SIGN_INFO
, sizeof(sign
), &sign
);
1118 *keydist
&= ~SMP_DIST_SIGN
;
1121 /* If there are still keys to be received wait for them */
1122 if (smp
->remote_key_dist
& KEY_DIST_MASK
) {
1123 smp_allow_key_dist(smp
);
1127 set_bit(SMP_FLAG_COMPLETE
, &smp
->flags
);
1128 smp_notify_keys(conn
);
1130 smp_chan_destroy(conn
);
1133 static void smp_timeout(struct work_struct
*work
)
1135 struct smp_chan
*smp
= container_of(work
, struct smp_chan
,
1136 security_timer
.work
);
1137 struct l2cap_conn
*conn
= smp
->conn
;
1139 BT_DBG("conn %p", conn
);
1141 hci_disconnect(conn
->hcon
, HCI_ERROR_REMOTE_USER_TERM
);
1144 static struct smp_chan
*smp_chan_create(struct l2cap_conn
*conn
)
1146 struct l2cap_chan
*chan
= conn
->smp
;
1147 struct smp_chan
*smp
;
1149 smp
= kzalloc(sizeof(*smp
), GFP_ATOMIC
);
1153 smp
->tfm_aes
= crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC
);
1154 if (IS_ERR(smp
->tfm_aes
)) {
1155 BT_ERR("Unable to create ECB crypto context");
1160 smp
->tfm_cmac
= crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC
);
1161 if (IS_ERR(smp
->tfm_cmac
)) {
1162 BT_ERR("Unable to create CMAC crypto context");
1163 crypto_free_blkcipher(smp
->tfm_aes
);
1171 SMP_ALLOW_CMD(smp
, SMP_CMD_PAIRING_FAIL
);
1173 INIT_DELAYED_WORK(&smp
->security_timer
, smp_timeout
);
1175 hci_conn_hold(conn
->hcon
);
1180 static int sc_mackey_and_ltk(struct smp_chan
*smp
, u8 mackey
[16], u8 ltk
[16])
1182 struct hci_conn
*hcon
= smp
->conn
->hcon
;
1183 u8
*na
, *nb
, a
[7], b
[7];
1193 memcpy(a
, &hcon
->init_addr
, 6);
1194 memcpy(b
, &hcon
->resp_addr
, 6);
1195 a
[6] = hcon
->init_addr_type
;
1196 b
[6] = hcon
->resp_addr_type
;
1198 return smp_f5(smp
->tfm_cmac
, smp
->dhkey
, na
, nb
, a
, b
, mackey
, ltk
);
1201 static void sc_dhkey_check(struct smp_chan
*smp
, __le32 passkey
)
1203 struct hci_conn
*hcon
= smp
->conn
->hcon
;
1204 struct smp_cmd_dhkey_check check
;
1205 u8 a
[7], b
[7], *local_addr
, *remote_addr
;
1206 u8 io_cap
[3], r
[16];
1208 memcpy(a
, &hcon
->init_addr
, 6);
1209 memcpy(b
, &hcon
->resp_addr
, 6);
1210 a
[6] = hcon
->init_addr_type
;
1211 b
[6] = hcon
->resp_addr_type
;
1216 memcpy(io_cap
, &smp
->preq
[1], 3);
1220 memcpy(io_cap
, &smp
->prsp
[1], 3);
1223 memset(r
, 0, sizeof(r
));
1225 if (smp
->method
== REQ_PASSKEY
|| smp
->method
== DSP_PASSKEY
)
1226 memcpy(r
, &passkey
, sizeof(passkey
));
1228 smp_f6(smp
->tfm_cmac
, smp
->mackey
, smp
->prnd
, smp
->rrnd
, r
, io_cap
,
1229 local_addr
, remote_addr
, check
.e
);
1231 smp_send_cmd(smp
->conn
, SMP_CMD_DHKEY_CHECK
, sizeof(check
), &check
);
1234 static int sc_user_reply(struct smp_chan
*smp
, u16 mgmt_op
, __le32 passkey
)
1237 case MGMT_OP_USER_PASSKEY_NEG_REPLY
:
1238 smp_failure(smp
->conn
, SMP_PASSKEY_ENTRY_FAILED
);
1240 case MGMT_OP_USER_CONFIRM_NEG_REPLY
:
1241 smp_failure(smp
->conn
, SMP_NUMERIC_COMP_FAILED
);
1245 sc_dhkey_check(smp
, passkey
);
1250 int smp_user_confirm_reply(struct hci_conn
*hcon
, u16 mgmt_op
, __le32 passkey
)
1252 struct l2cap_conn
*conn
= hcon
->l2cap_data
;
1253 struct l2cap_chan
*chan
;
1254 struct smp_chan
*smp
;
1267 l2cap_chan_lock(chan
);
1275 if (test_bit(SMP_FLAG_SC
, &smp
->flags
)) {
1276 err
= sc_user_reply(smp
, mgmt_op
, passkey
);
1281 case MGMT_OP_USER_PASSKEY_REPLY
:
1282 value
= le32_to_cpu(passkey
);
1283 memset(smp
->tk
, 0, sizeof(smp
->tk
));
1284 BT_DBG("PassKey: %d", value
);
1285 put_unaligned_le32(value
, smp
->tk
);
1287 case MGMT_OP_USER_CONFIRM_REPLY
:
1288 set_bit(SMP_FLAG_TK_VALID
, &smp
->flags
);
1290 case MGMT_OP_USER_PASSKEY_NEG_REPLY
:
1291 case MGMT_OP_USER_CONFIRM_NEG_REPLY
:
1292 smp_failure(conn
, SMP_PASSKEY_ENTRY_FAILED
);
1296 smp_failure(conn
, SMP_PASSKEY_ENTRY_FAILED
);
1303 /* If it is our turn to send Pairing Confirm, do so now */
1304 if (test_bit(SMP_FLAG_CFM_PENDING
, &smp
->flags
)) {
1305 u8 rsp
= smp_confirm(smp
);
1307 smp_failure(conn
, rsp
);
1311 l2cap_chan_unlock(chan
);
1315 static u8
smp_cmd_pairing_req(struct l2cap_conn
*conn
, struct sk_buff
*skb
)
1317 struct smp_cmd_pairing rsp
, *req
= (void *) skb
->data
;
1318 struct l2cap_chan
*chan
= conn
->smp
;
1319 struct hci_dev
*hdev
= conn
->hcon
->hdev
;
1320 struct smp_chan
*smp
;
1321 u8 key_size
, auth
, sec_level
;
1324 BT_DBG("conn %p", conn
);
1326 if (skb
->len
< sizeof(*req
))
1327 return SMP_INVALID_PARAMS
;
1329 if (conn
->hcon
->role
!= HCI_ROLE_SLAVE
)
1330 return SMP_CMD_NOTSUPP
;
1333 smp
= smp_chan_create(conn
);
1338 return SMP_UNSPECIFIED
;
1340 /* We didn't start the pairing, so match remote */
1341 auth
= req
->auth_req
& AUTH_REQ_MASK(hdev
);
1343 if (!test_bit(HCI_BONDABLE
, &hdev
->dev_flags
) &&
1344 (auth
& SMP_AUTH_BONDING
))
1345 return SMP_PAIRING_NOTSUPP
;
1347 smp
->preq
[0] = SMP_CMD_PAIRING_REQ
;
1348 memcpy(&smp
->preq
[1], req
, sizeof(*req
));
1349 skb_pull(skb
, sizeof(*req
));
1351 build_pairing_cmd(conn
, req
, &rsp
, auth
);
1353 if (rsp
.auth_req
& SMP_AUTH_SC
)
1354 set_bit(SMP_FLAG_SC
, &smp
->flags
);
1356 if (conn
->hcon
->io_capability
== HCI_IO_NO_INPUT_OUTPUT
)
1357 sec_level
= BT_SECURITY_MEDIUM
;
1359 sec_level
= authreq_to_seclevel(auth
);
1361 if (sec_level
> conn
->hcon
->pending_sec_level
)
1362 conn
->hcon
->pending_sec_level
= sec_level
;
1364 /* If we need MITM check that it can be achieved */
1365 if (conn
->hcon
->pending_sec_level
>= BT_SECURITY_HIGH
) {
1368 method
= get_auth_method(smp
, conn
->hcon
->io_capability
,
1369 req
->io_capability
);
1370 if (method
== JUST_WORKS
|| method
== JUST_CFM
)
1371 return SMP_AUTH_REQUIREMENTS
;
1374 key_size
= min(req
->max_key_size
, rsp
.max_key_size
);
1375 if (check_enc_key_size(conn
, key_size
))
1376 return SMP_ENC_KEY_SIZE
;
1378 get_random_bytes(smp
->prnd
, sizeof(smp
->prnd
));
1380 smp
->prsp
[0] = SMP_CMD_PAIRING_RSP
;
1381 memcpy(&smp
->prsp
[1], &rsp
, sizeof(rsp
));
1383 smp_send_cmd(conn
, SMP_CMD_PAIRING_RSP
, sizeof(rsp
), &rsp
);
1385 clear_bit(SMP_FLAG_INITIATOR
, &smp
->flags
);
1387 if (test_bit(SMP_FLAG_SC
, &smp
->flags
)) {
1388 SMP_ALLOW_CMD(smp
, SMP_CMD_PUBLIC_KEY
);
1389 /* Clear bits which are generated but not distributed */
1390 smp
->remote_key_dist
&= ~SMP_SC_NO_DIST
;
1391 /* Wait for Public Key from Initiating Device */
1394 SMP_ALLOW_CMD(smp
, SMP_CMD_PAIRING_CONFIRM
);
1397 /* Request setup of TK */
1398 ret
= tk_request(conn
, 0, auth
, rsp
.io_capability
, req
->io_capability
);
1400 return SMP_UNSPECIFIED
;
1405 static u8
sc_send_public_key(struct smp_chan
*smp
)
1410 /* Generate local key pair for Secure Connections */
1411 if (!ecc_make_key(smp
->local_pk
, smp
->local_sk
))
1412 return SMP_UNSPECIFIED
;
1414 /* This is unlikely, but we need to check that we didn't
1415 * accidentially generate a debug key.
1417 if (memcmp(smp
->local_sk
, debug_sk
, 32))
1421 BT_DBG("Local Public Key X: %32phN", smp
->local_pk
);
1422 BT_DBG("Local Public Key Y: %32phN", &smp
->local_pk
[32]);
1423 BT_DBG("Local Private Key: %32phN", smp
->local_sk
);
1425 smp_send_cmd(smp
->conn
, SMP_CMD_PUBLIC_KEY
, 64, smp
->local_pk
);
1430 static u8
smp_cmd_pairing_rsp(struct l2cap_conn
*conn
, struct sk_buff
*skb
)
1432 struct smp_cmd_pairing
*req
, *rsp
= (void *) skb
->data
;
1433 struct l2cap_chan
*chan
= conn
->smp
;
1434 struct smp_chan
*smp
= chan
->data
;
1435 struct hci_dev
*hdev
= conn
->hcon
->hdev
;
1439 BT_DBG("conn %p", conn
);
1441 if (skb
->len
< sizeof(*rsp
))
1442 return SMP_INVALID_PARAMS
;
1444 if (conn
->hcon
->role
!= HCI_ROLE_MASTER
)
1445 return SMP_CMD_NOTSUPP
;
1447 skb_pull(skb
, sizeof(*rsp
));
1449 req
= (void *) &smp
->preq
[1];
1451 key_size
= min(req
->max_key_size
, rsp
->max_key_size
);
1452 if (check_enc_key_size(conn
, key_size
))
1453 return SMP_ENC_KEY_SIZE
;
1455 auth
= rsp
->auth_req
& AUTH_REQ_MASK(hdev
);
1457 if ((req
->auth_req
& SMP_AUTH_SC
) && (auth
& SMP_AUTH_SC
))
1458 set_bit(SMP_FLAG_SC
, &smp
->flags
);
1459 else if (conn
->hcon
->pending_sec_level
> BT_SECURITY_HIGH
)
1460 conn
->hcon
->pending_sec_level
= BT_SECURITY_HIGH
;
1462 /* If we need MITM check that it can be achieved */
1463 if (conn
->hcon
->pending_sec_level
>= BT_SECURITY_HIGH
) {
1466 method
= get_auth_method(smp
, req
->io_capability
,
1467 rsp
->io_capability
);
1468 if (method
== JUST_WORKS
|| method
== JUST_CFM
)
1469 return SMP_AUTH_REQUIREMENTS
;
1472 get_random_bytes(smp
->prnd
, sizeof(smp
->prnd
));
1474 smp
->prsp
[0] = SMP_CMD_PAIRING_RSP
;
1475 memcpy(&smp
->prsp
[1], rsp
, sizeof(*rsp
));
1477 /* Update remote key distribution in case the remote cleared
1478 * some bits that we had enabled in our request.
1480 smp
->remote_key_dist
&= rsp
->resp_key_dist
;
1482 if (test_bit(SMP_FLAG_SC
, &smp
->flags
)) {
1483 /* Clear bits which are generated but not distributed */
1484 smp
->remote_key_dist
&= ~SMP_SC_NO_DIST
;
1485 SMP_ALLOW_CMD(smp
, SMP_CMD_PUBLIC_KEY
);
1486 return sc_send_public_key(smp
);
1489 auth
|= req
->auth_req
;
1491 ret
= tk_request(conn
, 0, auth
, req
->io_capability
, rsp
->io_capability
);
1493 return SMP_UNSPECIFIED
;
1495 set_bit(SMP_FLAG_CFM_PENDING
, &smp
->flags
);
1497 /* Can't compose response until we have been confirmed */
1498 if (test_bit(SMP_FLAG_TK_VALID
, &smp
->flags
))
1499 return smp_confirm(smp
);
1504 static u8
sc_check_confirm(struct smp_chan
*smp
)
1506 struct l2cap_conn
*conn
= smp
->conn
;
1510 /* Public Key exchange must happen before any other steps */
1511 if (!test_bit(SMP_FLAG_REMOTE_PK
, &smp
->flags
))
1512 return SMP_UNSPECIFIED
;
1514 if (conn
->hcon
->out
) {
1515 smp_send_cmd(conn
, SMP_CMD_PAIRING_RANDOM
, sizeof(smp
->prnd
),
1517 SMP_ALLOW_CMD(smp
, SMP_CMD_PAIRING_RANDOM
);
1523 static u8
smp_cmd_pairing_confirm(struct l2cap_conn
*conn
, struct sk_buff
*skb
)
1525 struct l2cap_chan
*chan
= conn
->smp
;
1526 struct smp_chan
*smp
= chan
->data
;
1528 BT_DBG("conn %p %s", conn
, conn
->hcon
->out
? "master" : "slave");
1530 if (skb
->len
< sizeof(smp
->pcnf
))
1531 return SMP_INVALID_PARAMS
;
1533 memcpy(smp
->pcnf
, skb
->data
, sizeof(smp
->pcnf
));
1534 skb_pull(skb
, sizeof(smp
->pcnf
));
1536 if (test_bit(SMP_FLAG_SC
, &smp
->flags
))
1537 return sc_check_confirm(smp
);
1539 if (conn
->hcon
->out
) {
1540 smp_send_cmd(conn
, SMP_CMD_PAIRING_RANDOM
, sizeof(smp
->prnd
),
1542 SMP_ALLOW_CMD(smp
, SMP_CMD_PAIRING_RANDOM
);
1546 if (test_bit(SMP_FLAG_TK_VALID
, &smp
->flags
))
1547 return smp_confirm(smp
);
1549 set_bit(SMP_FLAG_CFM_PENDING
, &smp
->flags
);
1554 static u8
smp_cmd_pairing_random(struct l2cap_conn
*conn
, struct sk_buff
*skb
)
1556 struct l2cap_chan
*chan
= conn
->smp
;
1557 struct smp_chan
*smp
= chan
->data
;
1558 struct hci_conn
*hcon
= conn
->hcon
;
1559 u8
*pkax
, *pkbx
, *na
, *nb
;
1563 BT_DBG("conn %p", conn
);
1565 if (skb
->len
< sizeof(smp
->rrnd
))
1566 return SMP_INVALID_PARAMS
;
1568 memcpy(smp
->rrnd
, skb
->data
, sizeof(smp
->rrnd
));
1569 skb_pull(skb
, sizeof(smp
->rrnd
));
1571 if (!test_bit(SMP_FLAG_SC
, &smp
->flags
))
1572 return smp_random(smp
);
1577 err
= smp_f4(smp
->tfm_cmac
, smp
->remote_pk
, smp
->local_pk
,
1580 return SMP_UNSPECIFIED
;
1582 if (memcmp(smp
->pcnf
, cfm
, 16))
1583 return SMP_CONFIRM_FAILED
;
1585 pkax
= smp
->local_pk
;
1586 pkbx
= smp
->remote_pk
;
1590 smp_send_cmd(conn
, SMP_CMD_PAIRING_RANDOM
, sizeof(smp
->prnd
),
1592 SMP_ALLOW_CMD(smp
, SMP_CMD_DHKEY_CHECK
);
1594 pkax
= smp
->remote_pk
;
1595 pkbx
= smp
->local_pk
;
1600 /* Generate MacKey and LTK */
1601 err
= sc_mackey_and_ltk(smp
, smp
->mackey
, smp
->tk
);
1603 return SMP_UNSPECIFIED
;
1605 err
= smp_g2(smp
->tfm_cmac
, pkax
, pkbx
, na
, nb
, &passkey
);
1607 return SMP_UNSPECIFIED
;
1609 if (smp
->method
== JUST_WORKS
) {
1611 sc_dhkey_check(smp
, passkey
);
1612 SMP_ALLOW_CMD(smp
, SMP_CMD_DHKEY_CHECK
);
1617 err
= mgmt_user_confirm_request(hcon
->hdev
, &hcon
->dst
,
1618 hcon
->type
, hcon
->dst_type
,
1621 return SMP_UNSPECIFIED
;
1626 static bool smp_ltk_encrypt(struct l2cap_conn
*conn
, u8 sec_level
)
1628 struct smp_ltk
*key
;
1629 struct hci_conn
*hcon
= conn
->hcon
;
1631 key
= hci_find_ltk(hcon
->hdev
, &hcon
->dst
, hcon
->dst_type
, hcon
->role
);
1635 if (smp_ltk_sec_level(key
) < sec_level
)
1638 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND
, &hcon
->flags
))
1641 hci_le_start_enc(hcon
, key
->ediv
, key
->rand
, key
->val
);
1642 hcon
->enc_key_size
= key
->enc_size
;
1644 /* We never store STKs for master role, so clear this flag */
1645 clear_bit(HCI_CONN_STK_ENCRYPT
, &hcon
->flags
);
1650 bool smp_sufficient_security(struct hci_conn
*hcon
, u8 sec_level
,
1651 enum smp_key_pref key_pref
)
1653 if (sec_level
== BT_SECURITY_LOW
)
1656 /* If we're encrypted with an STK but the caller prefers using
1657 * LTK claim insufficient security. This way we allow the
1658 * connection to be re-encrypted with an LTK, even if the LTK
1659 * provides the same level of security. Only exception is if we
1660 * don't have an LTK (e.g. because of key distribution bits).
1662 if (key_pref
== SMP_USE_LTK
&&
1663 test_bit(HCI_CONN_STK_ENCRYPT
, &hcon
->flags
) &&
1664 hci_find_ltk(hcon
->hdev
, &hcon
->dst
, hcon
->dst_type
, hcon
->role
))
1667 if (hcon
->sec_level
>= sec_level
)
1673 static u8
smp_cmd_security_req(struct l2cap_conn
*conn
, struct sk_buff
*skb
)
1675 struct smp_cmd_security_req
*rp
= (void *) skb
->data
;
1676 struct smp_cmd_pairing cp
;
1677 struct hci_conn
*hcon
= conn
->hcon
;
1678 struct hci_dev
*hdev
= hcon
->hdev
;
1679 struct smp_chan
*smp
;
1682 BT_DBG("conn %p", conn
);
1684 if (skb
->len
< sizeof(*rp
))
1685 return SMP_INVALID_PARAMS
;
1687 if (hcon
->role
!= HCI_ROLE_MASTER
)
1688 return SMP_CMD_NOTSUPP
;
1690 auth
= rp
->auth_req
& AUTH_REQ_MASK(hdev
);
1692 if (hcon
->io_capability
== HCI_IO_NO_INPUT_OUTPUT
)
1693 sec_level
= BT_SECURITY_MEDIUM
;
1695 sec_level
= authreq_to_seclevel(auth
);
1697 if (smp_sufficient_security(hcon
, sec_level
, SMP_USE_LTK
))
1700 if (sec_level
> hcon
->pending_sec_level
)
1701 hcon
->pending_sec_level
= sec_level
;
1703 if (smp_ltk_encrypt(conn
, hcon
->pending_sec_level
))
1706 smp
= smp_chan_create(conn
);
1708 return SMP_UNSPECIFIED
;
1710 if (!test_bit(HCI_BONDABLE
, &hcon
->hdev
->dev_flags
) &&
1711 (auth
& SMP_AUTH_BONDING
))
1712 return SMP_PAIRING_NOTSUPP
;
1714 skb_pull(skb
, sizeof(*rp
));
1716 memset(&cp
, 0, sizeof(cp
));
1717 build_pairing_cmd(conn
, &cp
, NULL
, auth
);
1719 smp
->preq
[0] = SMP_CMD_PAIRING_REQ
;
1720 memcpy(&smp
->preq
[1], &cp
, sizeof(cp
));
1722 smp_send_cmd(conn
, SMP_CMD_PAIRING_REQ
, sizeof(cp
), &cp
);
1723 SMP_ALLOW_CMD(smp
, SMP_CMD_PAIRING_RSP
);
1728 int smp_conn_security(struct hci_conn
*hcon
, __u8 sec_level
)
1730 struct l2cap_conn
*conn
= hcon
->l2cap_data
;
1731 struct l2cap_chan
*chan
;
1732 struct smp_chan
*smp
;
1736 BT_DBG("conn %p hcon %p level 0x%2.2x", conn
, hcon
, sec_level
);
1738 /* This may be NULL if there's an unexpected disconnection */
1744 if (!test_bit(HCI_LE_ENABLED
, &hcon
->hdev
->dev_flags
))
1747 if (smp_sufficient_security(hcon
, sec_level
, SMP_USE_LTK
))
1750 if (sec_level
> hcon
->pending_sec_level
)
1751 hcon
->pending_sec_level
= sec_level
;
1753 if (hcon
->role
== HCI_ROLE_MASTER
)
1754 if (smp_ltk_encrypt(conn
, hcon
->pending_sec_level
))
1757 l2cap_chan_lock(chan
);
1759 /* If SMP is already in progress ignore this request */
1765 smp
= smp_chan_create(conn
);
1771 authreq
= seclevel_to_authreq(sec_level
);
1773 if (test_bit(HCI_SC_ENABLED
, &hcon
->hdev
->dev_flags
))
1774 authreq
|= SMP_AUTH_SC
;
1776 /* Require MITM if IO Capability allows or the security level
1779 if (hcon
->io_capability
!= HCI_IO_NO_INPUT_OUTPUT
||
1780 hcon
->pending_sec_level
> BT_SECURITY_MEDIUM
)
1781 authreq
|= SMP_AUTH_MITM
;
1783 if (hcon
->role
== HCI_ROLE_MASTER
) {
1784 struct smp_cmd_pairing cp
;
1786 build_pairing_cmd(conn
, &cp
, NULL
, authreq
);
1787 smp
->preq
[0] = SMP_CMD_PAIRING_REQ
;
1788 memcpy(&smp
->preq
[1], &cp
, sizeof(cp
));
1790 smp_send_cmd(conn
, SMP_CMD_PAIRING_REQ
, sizeof(cp
), &cp
);
1791 SMP_ALLOW_CMD(smp
, SMP_CMD_PAIRING_RSP
);
1793 struct smp_cmd_security_req cp
;
1794 cp
.auth_req
= authreq
;
1795 smp_send_cmd(conn
, SMP_CMD_SECURITY_REQ
, sizeof(cp
), &cp
);
1796 SMP_ALLOW_CMD(smp
, SMP_CMD_PAIRING_REQ
);
1799 set_bit(SMP_FLAG_INITIATOR
, &smp
->flags
);
1803 l2cap_chan_unlock(chan
);
1807 static int smp_cmd_encrypt_info(struct l2cap_conn
*conn
, struct sk_buff
*skb
)
1809 struct smp_cmd_encrypt_info
*rp
= (void *) skb
->data
;
1810 struct l2cap_chan
*chan
= conn
->smp
;
1811 struct smp_chan
*smp
= chan
->data
;
1813 BT_DBG("conn %p", conn
);
1815 if (skb
->len
< sizeof(*rp
))
1816 return SMP_INVALID_PARAMS
;
1818 SMP_ALLOW_CMD(smp
, SMP_CMD_MASTER_IDENT
);
1820 skb_pull(skb
, sizeof(*rp
));
1822 memcpy(smp
->tk
, rp
->ltk
, sizeof(smp
->tk
));
1827 static int smp_cmd_master_ident(struct l2cap_conn
*conn
, struct sk_buff
*skb
)
1829 struct smp_cmd_master_ident
*rp
= (void *) skb
->data
;
1830 struct l2cap_chan
*chan
= conn
->smp
;
1831 struct smp_chan
*smp
= chan
->data
;
1832 struct hci_dev
*hdev
= conn
->hcon
->hdev
;
1833 struct hci_conn
*hcon
= conn
->hcon
;
1834 struct smp_ltk
*ltk
;
1837 BT_DBG("conn %p", conn
);
1839 if (skb
->len
< sizeof(*rp
))
1840 return SMP_INVALID_PARAMS
;
1842 /* Mark the information as received */
1843 smp
->remote_key_dist
&= ~SMP_DIST_ENC_KEY
;
1845 if (smp
->remote_key_dist
& SMP_DIST_ID_KEY
)
1846 SMP_ALLOW_CMD(smp
, SMP_CMD_IDENT_INFO
);
1847 else if (smp
->remote_key_dist
& SMP_DIST_SIGN
)
1848 SMP_ALLOW_CMD(smp
, SMP_CMD_SIGN_INFO
);
1850 skb_pull(skb
, sizeof(*rp
));
1852 authenticated
= (hcon
->sec_level
== BT_SECURITY_HIGH
);
1853 ltk
= hci_add_ltk(hdev
, &hcon
->dst
, hcon
->dst_type
, SMP_LTK
,
1854 authenticated
, smp
->tk
, smp
->enc_key_size
,
1855 rp
->ediv
, rp
->rand
);
1857 if (!(smp
->remote_key_dist
& KEY_DIST_MASK
))
1858 smp_distribute_keys(smp
);
1863 static int smp_cmd_ident_info(struct l2cap_conn
*conn
, struct sk_buff
*skb
)
1865 struct smp_cmd_ident_info
*info
= (void *) skb
->data
;
1866 struct l2cap_chan
*chan
= conn
->smp
;
1867 struct smp_chan
*smp
= chan
->data
;
1871 if (skb
->len
< sizeof(*info
))
1872 return SMP_INVALID_PARAMS
;
1874 SMP_ALLOW_CMD(smp
, SMP_CMD_IDENT_ADDR_INFO
);
1876 skb_pull(skb
, sizeof(*info
));
1878 memcpy(smp
->irk
, info
->irk
, 16);
1883 static int smp_cmd_ident_addr_info(struct l2cap_conn
*conn
,
1884 struct sk_buff
*skb
)
1886 struct smp_cmd_ident_addr_info
*info
= (void *) skb
->data
;
1887 struct l2cap_chan
*chan
= conn
->smp
;
1888 struct smp_chan
*smp
= chan
->data
;
1889 struct hci_conn
*hcon
= conn
->hcon
;
1894 if (skb
->len
< sizeof(*info
))
1895 return SMP_INVALID_PARAMS
;
1897 /* Mark the information as received */
1898 smp
->remote_key_dist
&= ~SMP_DIST_ID_KEY
;
1900 if (smp
->remote_key_dist
& SMP_DIST_SIGN
)
1901 SMP_ALLOW_CMD(smp
, SMP_CMD_SIGN_INFO
);
1903 skb_pull(skb
, sizeof(*info
));
1905 /* Strictly speaking the Core Specification (4.1) allows sending
1906 * an empty address which would force us to rely on just the IRK
1907 * as "identity information". However, since such
1908 * implementations are not known of and in order to not over
1909 * complicate our implementation, simply pretend that we never
1910 * received an IRK for such a device.
1912 if (!bacmp(&info
->bdaddr
, BDADDR_ANY
)) {
1913 BT_ERR("Ignoring IRK with no identity address");
1917 bacpy(&smp
->id_addr
, &info
->bdaddr
);
1918 smp
->id_addr_type
= info
->addr_type
;
1920 if (hci_bdaddr_is_rpa(&hcon
->dst
, hcon
->dst_type
))
1921 bacpy(&rpa
, &hcon
->dst
);
1923 bacpy(&rpa
, BDADDR_ANY
);
1925 smp
->remote_irk
= hci_add_irk(conn
->hcon
->hdev
, &smp
->id_addr
,
1926 smp
->id_addr_type
, smp
->irk
, &rpa
);
1929 if (!(smp
->remote_key_dist
& KEY_DIST_MASK
))
1930 smp_distribute_keys(smp
);
1935 static int smp_cmd_sign_info(struct l2cap_conn
*conn
, struct sk_buff
*skb
)
1937 struct smp_cmd_sign_info
*rp
= (void *) skb
->data
;
1938 struct l2cap_chan
*chan
= conn
->smp
;
1939 struct smp_chan
*smp
= chan
->data
;
1940 struct smp_csrk
*csrk
;
1942 BT_DBG("conn %p", conn
);
1944 if (skb
->len
< sizeof(*rp
))
1945 return SMP_INVALID_PARAMS
;
1947 /* Mark the information as received */
1948 smp
->remote_key_dist
&= ~SMP_DIST_SIGN
;
1950 skb_pull(skb
, sizeof(*rp
));
1952 csrk
= kzalloc(sizeof(*csrk
), GFP_KERNEL
);
1954 csrk
->master
= 0x01;
1955 memcpy(csrk
->val
, rp
->csrk
, sizeof(csrk
->val
));
1958 smp_distribute_keys(smp
);
1963 static u8
sc_select_method(struct smp_chan
*smp
)
1965 struct l2cap_conn
*conn
= smp
->conn
;
1966 struct hci_conn
*hcon
= conn
->hcon
;
1967 struct smp_cmd_pairing
*local
, *remote
;
1968 u8 local_mitm
, remote_mitm
, local_io
, remote_io
, method
;
1970 /* The preq/prsp contain the raw Pairing Request/Response PDUs
1971 * which are needed as inputs to some crypto functions. To get
1972 * the "struct smp_cmd_pairing" from them we need to skip the
1973 * first byte which contains the opcode.
1976 local
= (void *) &smp
->preq
[1];
1977 remote
= (void *) &smp
->prsp
[1];
1979 local
= (void *) &smp
->prsp
[1];
1980 remote
= (void *) &smp
->preq
[1];
1983 local_io
= local
->io_capability
;
1984 remote_io
= remote
->io_capability
;
1986 local_mitm
= (local
->auth_req
& SMP_AUTH_MITM
);
1987 remote_mitm
= (remote
->auth_req
& SMP_AUTH_MITM
);
1989 /* If either side wants MITM, look up the method from the table,
1990 * otherwise use JUST WORKS.
1992 if (local_mitm
|| remote_mitm
)
1993 method
= get_auth_method(smp
, local_io
, remote_io
);
1995 method
= JUST_WORKS
;
1997 /* Don't confirm locally initiated pairing attempts */
1998 if (method
== JUST_CFM
&& test_bit(SMP_FLAG_INITIATOR
, &smp
->flags
))
1999 method
= JUST_WORKS
;
2004 static int smp_cmd_public_key(struct l2cap_conn
*conn
, struct sk_buff
*skb
)
2006 struct smp_cmd_public_key
*key
= (void *) skb
->data
;
2007 struct hci_conn
*hcon
= conn
->hcon
;
2008 struct l2cap_chan
*chan
= conn
->smp
;
2009 struct smp_chan
*smp
= chan
->data
;
2010 struct hci_dev
*hdev
= hcon
->hdev
;
2011 struct smp_cmd_pairing_confirm cfm
;
2014 BT_DBG("conn %p", conn
);
2016 if (skb
->len
< sizeof(*key
))
2017 return SMP_INVALID_PARAMS
;
2019 memcpy(smp
->remote_pk
, key
, 64);
2021 /* Non-initiating device sends its public key after receiving
2022 * the key from the initiating device.
2025 err
= sc_send_public_key(smp
);
2030 BT_DBG("Remote Public Key X: %32phN", smp
->remote_pk
);
2031 BT_DBG("Remote Public Key Y: %32phN", &smp
->remote_pk
[32]);
2033 if (!ecdh_shared_secret(smp
->remote_pk
, smp
->local_sk
, smp
->dhkey
))
2034 return SMP_UNSPECIFIED
;
2036 BT_DBG("DHKey %32phN", smp
->dhkey
);
2038 set_bit(SMP_FLAG_REMOTE_PK
, &smp
->flags
);
2040 smp
->method
= sc_select_method(smp
);
2042 BT_DBG("%s selected method 0x%02x", hdev
->name
, smp
->method
);
2044 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2045 if (smp
->method
== JUST_WORKS
|| smp
->method
== JUST_CFM
)
2046 hcon
->pending_sec_level
= BT_SECURITY_MEDIUM
;
2048 hcon
->pending_sec_level
= BT_SECURITY_FIPS
;
2050 if (!memcmp(debug_pk
, smp
->remote_pk
, 64))
2051 set_bit(SMP_FLAG_DEBUG_KEY
, &smp
->flags
);
2053 /* The Initiating device waits for the non-initiating device to
2054 * send the confirm value.
2056 if (conn
->hcon
->out
)
2059 err
= smp_f4(smp
->tfm_cmac
, smp
->local_pk
, smp
->remote_pk
, smp
->prnd
,
2060 0, cfm
.confirm_val
);
2062 return SMP_UNSPECIFIED
;
2064 smp_send_cmd(conn
, SMP_CMD_PAIRING_CONFIRM
, sizeof(cfm
), &cfm
);
2065 SMP_ALLOW_CMD(smp
, SMP_CMD_PAIRING_RANDOM
);
2070 static int smp_cmd_dhkey_check(struct l2cap_conn
*conn
, struct sk_buff
*skb
)
2072 struct smp_cmd_dhkey_check
*check
= (void *) skb
->data
;
2073 struct l2cap_chan
*chan
= conn
->smp
;
2074 struct hci_conn
*hcon
= conn
->hcon
;
2075 struct smp_chan
*smp
= chan
->data
;
2076 u8 a
[7], b
[7], *local_addr
, *remote_addr
;
2077 u8 io_cap
[3], r
[16], e
[16];
2081 BT_DBG("conn %p", conn
);
2083 if (skb
->len
< sizeof(*check
))
2084 return SMP_INVALID_PARAMS
;
2086 memcpy(a
, &hcon
->init_addr
, 6);
2087 memcpy(b
, &hcon
->resp_addr
, 6);
2088 a
[6] = hcon
->init_addr_type
;
2089 b
[6] = hcon
->resp_addr_type
;
2094 memcpy(io_cap
, &smp
->prsp
[1], 3);
2098 memcpy(io_cap
, &smp
->preq
[1], 3);
2101 memset(r
, 0, sizeof(r
));
2103 err
= smp_f6(smp
->tfm_cmac
, smp
->mackey
, smp
->rrnd
, smp
->prnd
, r
,
2104 io_cap
, remote_addr
, local_addr
, e
);
2106 return SMP_UNSPECIFIED
;
2108 if (memcmp(check
->e
, e
, 16))
2109 return SMP_DHKEY_CHECK_FAILED
;
2111 if (test_bit(SMP_FLAG_DEBUG_KEY
, &smp
->flags
))
2112 key_type
= SMP_LTK_P256_DEBUG
;
2114 key_type
= SMP_LTK_P256
;
2116 if (hcon
->pending_sec_level
== BT_SECURITY_FIPS
)
2121 smp
->ltk
= hci_add_ltk(hcon
->hdev
, &hcon
->dst
, hcon
->dst_type
,
2122 key_type
, auth
, smp
->tk
, smp
->enc_key_size
,
2126 hci_le_start_enc(hcon
, 0, 0, smp
->tk
);
2127 hcon
->enc_key_size
= smp
->enc_key_size
;
2133 static int smp_sig_channel(struct l2cap_chan
*chan
, struct sk_buff
*skb
)
2135 struct l2cap_conn
*conn
= chan
->conn
;
2136 struct hci_conn
*hcon
= conn
->hcon
;
2137 struct smp_chan
*smp
;
2141 if (hcon
->type
!= LE_LINK
) {
2149 if (!test_bit(HCI_LE_ENABLED
, &hcon
->hdev
->dev_flags
)) {
2150 reason
= SMP_PAIRING_NOTSUPP
;
2154 code
= skb
->data
[0];
2155 skb_pull(skb
, sizeof(code
));
2159 if (code
> SMP_CMD_MAX
)
2162 if (smp
&& !test_and_clear_bit(code
, &smp
->allow_cmd
))
2165 /* If we don't have a context the only allowed commands are
2166 * pairing request and security request.
2168 if (!smp
&& code
!= SMP_CMD_PAIRING_REQ
&& code
!= SMP_CMD_SECURITY_REQ
)
2172 case SMP_CMD_PAIRING_REQ
:
2173 reason
= smp_cmd_pairing_req(conn
, skb
);
2176 case SMP_CMD_PAIRING_FAIL
:
2177 smp_failure(conn
, 0);
2181 case SMP_CMD_PAIRING_RSP
:
2182 reason
= smp_cmd_pairing_rsp(conn
, skb
);
2185 case SMP_CMD_SECURITY_REQ
:
2186 reason
= smp_cmd_security_req(conn
, skb
);
2189 case SMP_CMD_PAIRING_CONFIRM
:
2190 reason
= smp_cmd_pairing_confirm(conn
, skb
);
2193 case SMP_CMD_PAIRING_RANDOM
:
2194 reason
= smp_cmd_pairing_random(conn
, skb
);
2197 case SMP_CMD_ENCRYPT_INFO
:
2198 reason
= smp_cmd_encrypt_info(conn
, skb
);
2201 case SMP_CMD_MASTER_IDENT
:
2202 reason
= smp_cmd_master_ident(conn
, skb
);
2205 case SMP_CMD_IDENT_INFO
:
2206 reason
= smp_cmd_ident_info(conn
, skb
);
2209 case SMP_CMD_IDENT_ADDR_INFO
:
2210 reason
= smp_cmd_ident_addr_info(conn
, skb
);
2213 case SMP_CMD_SIGN_INFO
:
2214 reason
= smp_cmd_sign_info(conn
, skb
);
2217 case SMP_CMD_PUBLIC_KEY
:
2218 reason
= smp_cmd_public_key(conn
, skb
);
2221 case SMP_CMD_DHKEY_CHECK
:
2222 reason
= smp_cmd_dhkey_check(conn
, skb
);
2226 BT_DBG("Unknown command code 0x%2.2x", code
);
2227 reason
= SMP_CMD_NOTSUPP
;
2234 smp_failure(conn
, reason
);
2241 BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon
->hdev
->name
,
2247 static void smp_teardown_cb(struct l2cap_chan
*chan
, int err
)
2249 struct l2cap_conn
*conn
= chan
->conn
;
2251 BT_DBG("chan %p", chan
);
2254 smp_chan_destroy(conn
);
2257 l2cap_chan_put(chan
);
2260 static void smp_resume_cb(struct l2cap_chan
*chan
)
2262 struct smp_chan
*smp
= chan
->data
;
2263 struct l2cap_conn
*conn
= chan
->conn
;
2264 struct hci_conn
*hcon
= conn
->hcon
;
2266 BT_DBG("chan %p", chan
);
2271 if (!test_bit(HCI_CONN_ENCRYPT
, &hcon
->flags
))
2274 cancel_delayed_work(&smp
->security_timer
);
2276 smp_distribute_keys(smp
);
2279 static void smp_ready_cb(struct l2cap_chan
*chan
)
2281 struct l2cap_conn
*conn
= chan
->conn
;
2283 BT_DBG("chan %p", chan
);
2286 l2cap_chan_hold(chan
);
2289 static int smp_recv_cb(struct l2cap_chan
*chan
, struct sk_buff
*skb
)
2293 BT_DBG("chan %p", chan
);
2295 err
= smp_sig_channel(chan
, skb
);
2297 struct smp_chan
*smp
= chan
->data
;
2300 cancel_delayed_work_sync(&smp
->security_timer
);
2302 hci_disconnect(chan
->conn
->hcon
, HCI_ERROR_AUTH_FAILURE
);
2308 static struct sk_buff
*smp_alloc_skb_cb(struct l2cap_chan
*chan
,
2309 unsigned long hdr_len
,
2310 unsigned long len
, int nb
)
2312 struct sk_buff
*skb
;
2314 skb
= bt_skb_alloc(hdr_len
+ len
, GFP_KERNEL
);
2316 return ERR_PTR(-ENOMEM
);
2318 skb
->priority
= HCI_PRIO_MAX
;
2319 bt_cb(skb
)->chan
= chan
;
2324 static const struct l2cap_ops smp_chan_ops
= {
2325 .name
= "Security Manager",
2326 .ready
= smp_ready_cb
,
2327 .recv
= smp_recv_cb
,
2328 .alloc_skb
= smp_alloc_skb_cb
,
2329 .teardown
= smp_teardown_cb
,
2330 .resume
= smp_resume_cb
,
2332 .new_connection
= l2cap_chan_no_new_connection
,
2333 .state_change
= l2cap_chan_no_state_change
,
2334 .close
= l2cap_chan_no_close
,
2335 .defer
= l2cap_chan_no_defer
,
2336 .suspend
= l2cap_chan_no_suspend
,
2337 .set_shutdown
= l2cap_chan_no_set_shutdown
,
2338 .get_sndtimeo
= l2cap_chan_no_get_sndtimeo
,
2339 .memcpy_fromiovec
= l2cap_chan_no_memcpy_fromiovec
,
2342 static inline struct l2cap_chan
*smp_new_conn_cb(struct l2cap_chan
*pchan
)
2344 struct l2cap_chan
*chan
;
2346 BT_DBG("pchan %p", pchan
);
2348 chan
= l2cap_chan_create();
2352 chan
->chan_type
= pchan
->chan_type
;
2353 chan
->ops
= &smp_chan_ops
;
2354 chan
->scid
= pchan
->scid
;
2355 chan
->dcid
= chan
->scid
;
2356 chan
->imtu
= pchan
->imtu
;
2357 chan
->omtu
= pchan
->omtu
;
2358 chan
->mode
= pchan
->mode
;
2360 /* Other L2CAP channels may request SMP routines in order to
2361 * change the security level. This means that the SMP channel
2362 * lock must be considered in its own category to avoid lockdep
2365 atomic_set(&chan
->nesting
, L2CAP_NESTING_SMP
);
2367 BT_DBG("created chan %p", chan
);
2372 static const struct l2cap_ops smp_root_chan_ops
= {
2373 .name
= "Security Manager Root",
2374 .new_connection
= smp_new_conn_cb
,
2376 /* None of these are implemented for the root channel */
2377 .close
= l2cap_chan_no_close
,
2378 .alloc_skb
= l2cap_chan_no_alloc_skb
,
2379 .recv
= l2cap_chan_no_recv
,
2380 .state_change
= l2cap_chan_no_state_change
,
2381 .teardown
= l2cap_chan_no_teardown
,
2382 .ready
= l2cap_chan_no_ready
,
2383 .defer
= l2cap_chan_no_defer
,
2384 .suspend
= l2cap_chan_no_suspend
,
2385 .resume
= l2cap_chan_no_resume
,
2386 .set_shutdown
= l2cap_chan_no_set_shutdown
,
2387 .get_sndtimeo
= l2cap_chan_no_get_sndtimeo
,
2388 .memcpy_fromiovec
= l2cap_chan_no_memcpy_fromiovec
,
2391 int smp_register(struct hci_dev
*hdev
)
2393 struct l2cap_chan
*chan
;
2394 struct crypto_blkcipher
*tfm_aes
;
2396 BT_DBG("%s", hdev
->name
);
2398 tfm_aes
= crypto_alloc_blkcipher("ecb(aes)", 0, 0);
2399 if (IS_ERR(tfm_aes
)) {
2400 int err
= PTR_ERR(tfm_aes
);
2401 BT_ERR("Unable to create crypto context");
2405 chan
= l2cap_chan_create();
2407 crypto_free_blkcipher(tfm_aes
);
2411 chan
->data
= tfm_aes
;
2413 l2cap_add_scid(chan
, L2CAP_CID_SMP
);
2415 l2cap_chan_set_defaults(chan
);
2417 bacpy(&chan
->src
, &hdev
->bdaddr
);
2418 chan
->src_type
= BDADDR_LE_PUBLIC
;
2419 chan
->state
= BT_LISTEN
;
2420 chan
->mode
= L2CAP_MODE_BASIC
;
2421 chan
->imtu
= L2CAP_DEFAULT_MTU
;
2422 chan
->ops
= &smp_root_chan_ops
;
2424 /* Set correct nesting level for a parent/listening channel */
2425 atomic_set(&chan
->nesting
, L2CAP_NESTING_PARENT
);
2427 hdev
->smp_data
= chan
;
2432 void smp_unregister(struct hci_dev
*hdev
)
2434 struct l2cap_chan
*chan
= hdev
->smp_data
;
2435 struct crypto_blkcipher
*tfm_aes
;
2440 BT_DBG("%s chan %p", hdev
->name
, chan
);
2442 tfm_aes
= chan
->data
;
2445 crypto_free_blkcipher(tfm_aes
);
2448 hdev
->smp_data
= NULL
;
2449 l2cap_chan_put(chan
);