2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
23 #include <linux/crypto.h>
24 #include <linux/scatterlist.h>
25 #include <crypto/b128ops.h>
27 #include <net/bluetooth/bluetooth.h>
28 #include <net/bluetooth/hci_core.h>
29 #include <net/bluetooth/l2cap.h>
30 #include <net/bluetooth/mgmt.h>
35 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
37 /* Keys which are not distributed with Secure Connections */
38 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
40 #define SMP_TIMEOUT msecs_to_jiffies(30000)
42 #define AUTH_REQ_MASK(dev) (test_bit(HCI_SC_ENABLED, &(dev)->dev_flags) ? \
44 #define KEY_DIST_MASK 0x07
46 /* Maximum message length that can be passed to aes_cmac */
47 #define CMAC_MSG_MAX 80
59 SMP_FLAG_DHKEY_PENDING
,
63 struct l2cap_conn
*conn
;
64 struct delayed_work security_timer
;
65 unsigned long allow_cmd
; /* Bitmask of allowed commands */
67 u8 preq
[7]; /* SMP Pairing Request */
68 u8 prsp
[7]; /* SMP Pairing Response */
69 u8 prnd
[16]; /* SMP Pairing Random (local) */
70 u8 rrnd
[16]; /* SMP Pairing Random (remote) */
71 u8 pcnf
[16]; /* SMP Pairing Confirm */
72 u8 tk
[16]; /* SMP Temporary Key */
78 struct smp_csrk
*csrk
;
79 struct smp_csrk
*slave_csrk
;
81 struct smp_ltk
*slave_ltk
;
82 struct smp_irk
*remote_irk
;
88 /* Secure Connections variables */
95 struct crypto_blkcipher
*tfm_aes
;
96 struct crypto_hash
*tfm_cmac
;
99 /* These debug key values are defined in the SMP section of the core
100 * specification. debug_pk is the public debug key and debug_sk the
103 static const u8 debug_pk
[64] = {
104 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
105 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
106 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
107 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
109 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
110 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
111 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
112 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
115 static const u8 debug_sk
[32] = {
116 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
117 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
118 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
119 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
122 static inline void swap_buf(const u8
*src
, u8
*dst
, size_t len
)
126 for (i
= 0; i
< len
; i
++)
127 dst
[len
- 1 - i
] = src
[i
];
130 static int aes_cmac(struct crypto_hash
*tfm
, const u8 k
[16], const u8
*m
,
131 size_t len
, u8 mac
[16])
133 uint8_t tmp
[16], mac_msb
[16], msg_msb
[CMAC_MSG_MAX
];
134 struct hash_desc desc
;
135 struct scatterlist sg
;
138 if (len
> CMAC_MSG_MAX
)
142 BT_ERR("tfm %p", tfm
);
149 crypto_hash_init(&desc
);
151 /* Swap key and message from LSB to MSB */
152 swap_buf(k
, tmp
, 16);
153 swap_buf(m
, msg_msb
, len
);
155 BT_DBG("msg (len %zu) %*phN", len
, (int) len
, m
);
156 BT_DBG("key %16phN", k
);
158 err
= crypto_hash_setkey(tfm
, tmp
, 16);
160 BT_ERR("cipher setkey failed: %d", err
);
164 sg_init_one(&sg
, msg_msb
, len
);
166 err
= crypto_hash_update(&desc
, &sg
, len
);
168 BT_ERR("Hash update error %d", err
);
172 err
= crypto_hash_final(&desc
, mac_msb
);
174 BT_ERR("Hash final error %d", err
);
178 swap_buf(mac_msb
, mac
, 16);
180 BT_DBG("mac %16phN", mac
);
185 static int smp_f4(struct crypto_hash
*tfm_cmac
, const u8 u
[32], const u8 v
[32],
186 const u8 x
[16], u8 z
, u8 res
[16])
191 BT_DBG("u %32phN", u
);
192 BT_DBG("v %32phN", v
);
193 BT_DBG("x %16phN z %02x", x
, z
);
196 memcpy(m
+ 1, v
, 32);
197 memcpy(m
+ 33, u
, 32);
199 err
= aes_cmac(tfm_cmac
, x
, m
, sizeof(m
), res
);
203 BT_DBG("res %16phN", res
);
208 static int smp_f5(struct crypto_hash
*tfm_cmac
, u8 w
[32], u8 n1
[16], u8 n2
[16],
209 u8 a1
[7], u8 a2
[7], u8 mackey
[16], u8 ltk
[16])
211 /* The btle, salt and length "magic" values are as defined in
212 * the SMP section of the Bluetooth core specification. In ASCII
213 * the btle value ends up being 'btle'. The salt is just a
214 * random number whereas length is the value 256 in little
217 const u8 btle
[4] = { 0x65, 0x6c, 0x74, 0x62 };
218 const u8 salt
[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
219 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
220 const u8 length
[2] = { 0x00, 0x01 };
224 BT_DBG("w %32phN", w
);
225 BT_DBG("n1 %16phN n2 %16phN", n1
, n2
);
226 BT_DBG("a1 %7phN a2 %7phN", a1
, a2
);
228 err
= aes_cmac(tfm_cmac
, salt
, w
, 32, t
);
232 BT_DBG("t %16phN", t
);
234 memcpy(m
, length
, 2);
235 memcpy(m
+ 2, a2
, 7);
236 memcpy(m
+ 9, a1
, 7);
237 memcpy(m
+ 16, n2
, 16);
238 memcpy(m
+ 32, n1
, 16);
239 memcpy(m
+ 48, btle
, 4);
241 m
[52] = 0; /* Counter */
243 err
= aes_cmac(tfm_cmac
, t
, m
, sizeof(m
), mackey
);
247 BT_DBG("mackey %16phN", mackey
);
249 m
[52] = 1; /* Counter */
251 err
= aes_cmac(tfm_cmac
, t
, m
, sizeof(m
), ltk
);
255 BT_DBG("ltk %16phN", ltk
);
260 static int smp_f6(struct crypto_hash
*tfm_cmac
, const u8 w
[16],
261 const u8 n1
[16], u8 n2
[16], const u8 r
[16],
262 const u8 io_cap
[3], const u8 a1
[7], const u8 a2
[7],
268 BT_DBG("w %16phN", w
);
269 BT_DBG("n1 %16phN n2 %16phN", n1
, n2
);
270 BT_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r
, io_cap
, a1
, a2
);
273 memcpy(m
+ 7, a1
, 7);
274 memcpy(m
+ 14, io_cap
, 3);
275 memcpy(m
+ 17, r
, 16);
276 memcpy(m
+ 33, n2
, 16);
277 memcpy(m
+ 49, n1
, 16);
279 err
= aes_cmac(tfm_cmac
, w
, m
, sizeof(m
), res
);
283 BT_DBG("res %16phN", res
);
288 static int smp_g2(struct crypto_hash
*tfm_cmac
, const u8 u
[32], const u8 v
[32],
289 const u8 x
[16], const u8 y
[16], u32
*val
)
294 BT_DBG("u %32phN", u
);
295 BT_DBG("v %32phN", v
);
296 BT_DBG("x %16phN y %16phN", x
, y
);
299 memcpy(m
+ 16, v
, 32);
300 memcpy(m
+ 48, u
, 32);
302 err
= aes_cmac(tfm_cmac
, x
, m
, sizeof(m
), tmp
);
306 *val
= get_unaligned_le32(tmp
);
309 BT_DBG("val %06u", *val
);
314 static int smp_e(struct crypto_blkcipher
*tfm
, const u8
*k
, u8
*r
)
316 struct blkcipher_desc desc
;
317 struct scatterlist sg
;
318 uint8_t tmp
[16], data
[16];
322 BT_ERR("tfm %p", tfm
);
329 /* The most significant octet of key corresponds to k[0] */
330 swap_buf(k
, tmp
, 16);
332 err
= crypto_blkcipher_setkey(tfm
, tmp
, 16);
334 BT_ERR("cipher setkey failed: %d", err
);
338 /* Most significant octet of plaintextData corresponds to data[0] */
339 swap_buf(r
, data
, 16);
341 sg_init_one(&sg
, data
, 16);
343 err
= crypto_blkcipher_encrypt(&desc
, &sg
, &sg
, 16);
345 BT_ERR("Encrypt data error %d", err
);
347 /* Most significant octet of encryptedData corresponds to data[0] */
348 swap_buf(data
, r
, 16);
353 static int smp_h6(struct crypto_hash
*tfm_cmac
, const u8 w
[16],
354 const u8 key_id
[4], u8 res
[16])
358 BT_DBG("w %16phN key_id %4phN", w
, key_id
);
360 err
= aes_cmac(tfm_cmac
, w
, key_id
, 4, res
);
364 BT_DBG("res %16phN", res
);
369 static int smp_ah(struct crypto_blkcipher
*tfm
, u8 irk
[16], u8 r
[3], u8 res
[3])
374 /* r' = padding || r */
376 memset(_res
+ 3, 0, 13);
378 err
= smp_e(tfm
, irk
, _res
);
380 BT_ERR("Encrypt error");
384 /* The output of the random address function ah is:
385 * ah(h, r) = e(k, r') mod 2^24
386 * The output of the security function e is then truncated to 24 bits
387 * by taking the least significant 24 bits of the output of e as the
390 memcpy(res
, _res
, 3);
395 bool smp_irk_matches(struct hci_dev
*hdev
, u8 irk
[16], bdaddr_t
*bdaddr
)
397 struct l2cap_chan
*chan
= hdev
->smp_data
;
398 struct crypto_blkcipher
*tfm
;
402 if (!chan
|| !chan
->data
)
407 BT_DBG("RPA %pMR IRK %*phN", bdaddr
, 16, irk
);
409 err
= smp_ah(tfm
, irk
, &bdaddr
->b
[3], hash
);
413 return !memcmp(bdaddr
->b
, hash
, 3);
416 int smp_generate_rpa(struct hci_dev
*hdev
, u8 irk
[16], bdaddr_t
*rpa
)
418 struct l2cap_chan
*chan
= hdev
->smp_data
;
419 struct crypto_blkcipher
*tfm
;
422 if (!chan
|| !chan
->data
)
427 get_random_bytes(&rpa
->b
[3], 3);
429 rpa
->b
[5] &= 0x3f; /* Clear two most significant bits */
430 rpa
->b
[5] |= 0x40; /* Set second most significant bit */
432 err
= smp_ah(tfm
, irk
, &rpa
->b
[3], rpa
->b
);
436 BT_DBG("RPA %pMR", rpa
);
441 static int smp_c1(struct crypto_blkcipher
*tfm_aes
, u8 k
[16], u8 r
[16],
442 u8 preq
[7], u8 pres
[7], u8 _iat
, bdaddr_t
*ia
, u8 _rat
,
443 bdaddr_t
*ra
, u8 res
[16])
450 /* p1 = pres || preq || _rat || _iat */
453 memcpy(p1
+ 2, preq
, 7);
454 memcpy(p1
+ 9, pres
, 7);
456 /* p2 = padding || ia || ra */
458 memcpy(p2
+ 6, ia
, 6);
459 memset(p2
+ 12, 0, 4);
462 u128_xor((u128
*) res
, (u128
*) r
, (u128
*) p1
);
464 /* res = e(k, res) */
465 err
= smp_e(tfm_aes
, k
, res
);
467 BT_ERR("Encrypt data error");
471 /* res = res XOR p2 */
472 u128_xor((u128
*) res
, (u128
*) res
, (u128
*) p2
);
474 /* res = e(k, res) */
475 err
= smp_e(tfm_aes
, k
, res
);
477 BT_ERR("Encrypt data error");
482 static int smp_s1(struct crypto_blkcipher
*tfm_aes
, u8 k
[16], u8 r1
[16],
483 u8 r2
[16], u8 _r
[16])
487 /* Just least significant octets from r1 and r2 are considered */
489 memcpy(_r
+ 8, r1
, 8);
491 err
= smp_e(tfm_aes
, k
, _r
);
493 BT_ERR("Encrypt data error");
498 static void smp_send_cmd(struct l2cap_conn
*conn
, u8 code
, u16 len
, void *data
)
500 struct l2cap_chan
*chan
= conn
->smp
;
501 struct smp_chan
*smp
;
508 BT_DBG("code 0x%2.2x", code
);
510 iv
[0].iov_base
= &code
;
513 iv
[1].iov_base
= data
;
516 memset(&msg
, 0, sizeof(msg
));
518 msg
.msg_iov
= (struct iovec
*) &iv
;
521 l2cap_chan_send(chan
, &msg
, 1 + len
);
528 cancel_delayed_work_sync(&smp
->security_timer
);
529 schedule_delayed_work(&smp
->security_timer
, SMP_TIMEOUT
);
532 static u8
authreq_to_seclevel(u8 authreq
)
534 if (authreq
& SMP_AUTH_MITM
) {
535 if (authreq
& SMP_AUTH_SC
)
536 return BT_SECURITY_FIPS
;
538 return BT_SECURITY_HIGH
;
540 return BT_SECURITY_MEDIUM
;
544 static __u8
seclevel_to_authreq(__u8 sec_level
)
547 case BT_SECURITY_FIPS
:
548 case BT_SECURITY_HIGH
:
549 return SMP_AUTH_MITM
| SMP_AUTH_BONDING
;
550 case BT_SECURITY_MEDIUM
:
551 return SMP_AUTH_BONDING
;
553 return SMP_AUTH_NONE
;
557 static void build_pairing_cmd(struct l2cap_conn
*conn
,
558 struct smp_cmd_pairing
*req
,
559 struct smp_cmd_pairing
*rsp
, __u8 authreq
)
561 struct l2cap_chan
*chan
= conn
->smp
;
562 struct smp_chan
*smp
= chan
->data
;
563 struct hci_conn
*hcon
= conn
->hcon
;
564 struct hci_dev
*hdev
= hcon
->hdev
;
565 u8 local_dist
= 0, remote_dist
= 0;
567 if (test_bit(HCI_BONDABLE
, &conn
->hcon
->hdev
->dev_flags
)) {
568 local_dist
= SMP_DIST_ENC_KEY
| SMP_DIST_SIGN
;
569 remote_dist
= SMP_DIST_ENC_KEY
| SMP_DIST_SIGN
;
570 authreq
|= SMP_AUTH_BONDING
;
572 authreq
&= ~SMP_AUTH_BONDING
;
575 if (test_bit(HCI_RPA_RESOLVING
, &hdev
->dev_flags
))
576 remote_dist
|= SMP_DIST_ID_KEY
;
578 if (test_bit(HCI_PRIVACY
, &hdev
->dev_flags
))
579 local_dist
|= SMP_DIST_ID_KEY
;
581 if (test_bit(HCI_SC_ENABLED
, &hdev
->dev_flags
)) {
582 if ((authreq
& SMP_AUTH_SC
) &&
583 test_bit(HCI_SSP_ENABLED
, &hdev
->dev_flags
)) {
584 local_dist
|= SMP_DIST_LINK_KEY
;
585 remote_dist
|= SMP_DIST_LINK_KEY
;
588 authreq
&= ~SMP_AUTH_SC
;
592 req
->io_capability
= conn
->hcon
->io_capability
;
593 req
->oob_flag
= SMP_OOB_NOT_PRESENT
;
594 req
->max_key_size
= SMP_MAX_ENC_KEY_SIZE
;
595 req
->init_key_dist
= local_dist
;
596 req
->resp_key_dist
= remote_dist
;
597 req
->auth_req
= (authreq
& AUTH_REQ_MASK(hdev
));
599 smp
->remote_key_dist
= remote_dist
;
603 rsp
->io_capability
= conn
->hcon
->io_capability
;
604 rsp
->oob_flag
= SMP_OOB_NOT_PRESENT
;
605 rsp
->max_key_size
= SMP_MAX_ENC_KEY_SIZE
;
606 rsp
->init_key_dist
= req
->init_key_dist
& remote_dist
;
607 rsp
->resp_key_dist
= req
->resp_key_dist
& local_dist
;
608 rsp
->auth_req
= (authreq
& AUTH_REQ_MASK(hdev
));
610 smp
->remote_key_dist
= rsp
->init_key_dist
;
613 static u8
check_enc_key_size(struct l2cap_conn
*conn
, __u8 max_key_size
)
615 struct l2cap_chan
*chan
= conn
->smp
;
616 struct smp_chan
*smp
= chan
->data
;
618 if ((max_key_size
> SMP_MAX_ENC_KEY_SIZE
) ||
619 (max_key_size
< SMP_MIN_ENC_KEY_SIZE
))
620 return SMP_ENC_KEY_SIZE
;
622 smp
->enc_key_size
= max_key_size
;
627 static void smp_chan_destroy(struct l2cap_conn
*conn
)
629 struct l2cap_chan
*chan
= conn
->smp
;
630 struct smp_chan
*smp
= chan
->data
;
635 cancel_delayed_work_sync(&smp
->security_timer
);
637 complete
= test_bit(SMP_FLAG_COMPLETE
, &smp
->flags
);
638 mgmt_smp_complete(conn
->hcon
, complete
);
641 kfree(smp
->slave_csrk
);
642 kfree(smp
->link_key
);
644 crypto_free_blkcipher(smp
->tfm_aes
);
645 crypto_free_hash(smp
->tfm_cmac
);
647 /* If pairing failed clean up any keys we might have */
650 list_del_rcu(&smp
->ltk
->list
);
651 kfree_rcu(smp
->ltk
, rcu
);
654 if (smp
->slave_ltk
) {
655 list_del_rcu(&smp
->slave_ltk
->list
);
656 kfree_rcu(smp
->slave_ltk
, rcu
);
659 if (smp
->remote_irk
) {
660 list_del_rcu(&smp
->remote_irk
->list
);
661 kfree_rcu(smp
->remote_irk
, rcu
);
667 hci_conn_drop(conn
->hcon
);
670 static void smp_failure(struct l2cap_conn
*conn
, u8 reason
)
672 struct hci_conn
*hcon
= conn
->hcon
;
673 struct l2cap_chan
*chan
= conn
->smp
;
676 smp_send_cmd(conn
, SMP_CMD_PAIRING_FAIL
, sizeof(reason
),
679 clear_bit(HCI_CONN_ENCRYPT_PEND
, &hcon
->flags
);
680 mgmt_auth_failed(hcon
, HCI_ERROR_AUTH_FAILURE
);
683 smp_chan_destroy(conn
);
686 #define JUST_WORKS 0x00
687 #define JUST_CFM 0x01
688 #define REQ_PASSKEY 0x02
689 #define CFM_PASSKEY 0x03
691 #define DSP_PASSKEY 0x05
694 static const u8 gen_method
[5][5] = {
695 { JUST_WORKS
, JUST_CFM
, REQ_PASSKEY
, JUST_WORKS
, REQ_PASSKEY
},
696 { JUST_WORKS
, JUST_CFM
, REQ_PASSKEY
, JUST_WORKS
, REQ_PASSKEY
},
697 { CFM_PASSKEY
, CFM_PASSKEY
, REQ_PASSKEY
, JUST_WORKS
, CFM_PASSKEY
},
698 { JUST_WORKS
, JUST_CFM
, JUST_WORKS
, JUST_WORKS
, JUST_CFM
},
699 { CFM_PASSKEY
, CFM_PASSKEY
, REQ_PASSKEY
, JUST_WORKS
, OVERLAP
},
702 static const u8 sc_method
[5][5] = {
703 { JUST_WORKS
, JUST_CFM
, REQ_PASSKEY
, JUST_WORKS
, REQ_PASSKEY
},
704 { JUST_WORKS
, CFM_PASSKEY
, REQ_PASSKEY
, JUST_WORKS
, CFM_PASSKEY
},
705 { DSP_PASSKEY
, DSP_PASSKEY
, REQ_PASSKEY
, JUST_WORKS
, DSP_PASSKEY
},
706 { JUST_WORKS
, JUST_CFM
, JUST_WORKS
, JUST_WORKS
, JUST_CFM
},
707 { DSP_PASSKEY
, CFM_PASSKEY
, REQ_PASSKEY
, JUST_WORKS
, CFM_PASSKEY
},
710 static u8
get_auth_method(struct smp_chan
*smp
, u8 local_io
, u8 remote_io
)
712 /* If either side has unknown io_caps, use JUST_CFM (which gets
713 * converted later to JUST_WORKS if we're initiators.
715 if (local_io
> SMP_IO_KEYBOARD_DISPLAY
||
716 remote_io
> SMP_IO_KEYBOARD_DISPLAY
)
719 if (test_bit(SMP_FLAG_SC
, &smp
->flags
))
720 return sc_method
[remote_io
][local_io
];
722 return gen_method
[remote_io
][local_io
];
725 static int tk_request(struct l2cap_conn
*conn
, u8 remote_oob
, u8 auth
,
726 u8 local_io
, u8 remote_io
)
728 struct hci_conn
*hcon
= conn
->hcon
;
729 struct l2cap_chan
*chan
= conn
->smp
;
730 struct smp_chan
*smp
= chan
->data
;
734 /* Initialize key for JUST WORKS */
735 memset(smp
->tk
, 0, sizeof(smp
->tk
));
736 clear_bit(SMP_FLAG_TK_VALID
, &smp
->flags
);
738 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth
, local_io
, remote_io
);
740 /* If neither side wants MITM, either "just" confirm an incoming
741 * request or use just-works for outgoing ones. The JUST_CFM
742 * will be converted to JUST_WORKS if necessary later in this
743 * function. If either side has MITM look up the method from the
746 if (!(auth
& SMP_AUTH_MITM
))
747 smp
->method
= JUST_CFM
;
749 smp
->method
= get_auth_method(smp
, local_io
, remote_io
);
751 /* Don't confirm locally initiated pairing attempts */
752 if (smp
->method
== JUST_CFM
&& test_bit(SMP_FLAG_INITIATOR
,
754 smp
->method
= JUST_WORKS
;
756 /* Don't bother user space with no IO capabilities */
757 if (smp
->method
== JUST_CFM
&&
758 hcon
->io_capability
== HCI_IO_NO_INPUT_OUTPUT
)
759 smp
->method
= JUST_WORKS
;
761 /* If Just Works, Continue with Zero TK */
762 if (smp
->method
== JUST_WORKS
) {
763 set_bit(SMP_FLAG_TK_VALID
, &smp
->flags
);
767 /* Not Just Works/Confirm results in MITM Authentication */
768 if (smp
->method
!= JUST_CFM
) {
769 set_bit(SMP_FLAG_MITM_AUTH
, &smp
->flags
);
770 if (hcon
->pending_sec_level
< BT_SECURITY_HIGH
)
771 hcon
->pending_sec_level
= BT_SECURITY_HIGH
;
774 /* If both devices have Keyoard-Display I/O, the master
775 * Confirms and the slave Enters the passkey.
777 if (smp
->method
== OVERLAP
) {
778 if (hcon
->role
== HCI_ROLE_MASTER
)
779 smp
->method
= CFM_PASSKEY
;
781 smp
->method
= REQ_PASSKEY
;
784 /* Generate random passkey. */
785 if (smp
->method
== CFM_PASSKEY
) {
786 memset(smp
->tk
, 0, sizeof(smp
->tk
));
787 get_random_bytes(&passkey
, sizeof(passkey
));
789 put_unaligned_le32(passkey
, smp
->tk
);
790 BT_DBG("PassKey: %d", passkey
);
791 set_bit(SMP_FLAG_TK_VALID
, &smp
->flags
);
794 if (smp
->method
== REQ_PASSKEY
)
795 ret
= mgmt_user_passkey_request(hcon
->hdev
, &hcon
->dst
,
796 hcon
->type
, hcon
->dst_type
);
797 else if (smp
->method
== JUST_CFM
)
798 ret
= mgmt_user_confirm_request(hcon
->hdev
, &hcon
->dst
,
799 hcon
->type
, hcon
->dst_type
,
802 ret
= mgmt_user_passkey_notify(hcon
->hdev
, &hcon
->dst
,
803 hcon
->type
, hcon
->dst_type
,
809 static u8
smp_confirm(struct smp_chan
*smp
)
811 struct l2cap_conn
*conn
= smp
->conn
;
812 struct smp_cmd_pairing_confirm cp
;
815 BT_DBG("conn %p", conn
);
817 ret
= smp_c1(smp
->tfm_aes
, smp
->tk
, smp
->prnd
, smp
->preq
, smp
->prsp
,
818 conn
->hcon
->init_addr_type
, &conn
->hcon
->init_addr
,
819 conn
->hcon
->resp_addr_type
, &conn
->hcon
->resp_addr
,
822 return SMP_UNSPECIFIED
;
824 clear_bit(SMP_FLAG_CFM_PENDING
, &smp
->flags
);
826 smp_send_cmd(smp
->conn
, SMP_CMD_PAIRING_CONFIRM
, sizeof(cp
), &cp
);
829 SMP_ALLOW_CMD(smp
, SMP_CMD_PAIRING_CONFIRM
);
831 SMP_ALLOW_CMD(smp
, SMP_CMD_PAIRING_RANDOM
);
836 static u8
smp_random(struct smp_chan
*smp
)
838 struct l2cap_conn
*conn
= smp
->conn
;
839 struct hci_conn
*hcon
= conn
->hcon
;
843 if (IS_ERR_OR_NULL(smp
->tfm_aes
))
844 return SMP_UNSPECIFIED
;
846 BT_DBG("conn %p %s", conn
, conn
->hcon
->out
? "master" : "slave");
848 ret
= smp_c1(smp
->tfm_aes
, smp
->tk
, smp
->rrnd
, smp
->preq
, smp
->prsp
,
849 hcon
->init_addr_type
, &hcon
->init_addr
,
850 hcon
->resp_addr_type
, &hcon
->resp_addr
, confirm
);
852 return SMP_UNSPECIFIED
;
854 if (memcmp(smp
->pcnf
, confirm
, sizeof(smp
->pcnf
)) != 0) {
855 BT_ERR("Pairing failed (confirmation values mismatch)");
856 return SMP_CONFIRM_FAILED
;
864 smp_s1(smp
->tfm_aes
, smp
->tk
, smp
->rrnd
, smp
->prnd
, stk
);
866 memset(stk
+ smp
->enc_key_size
, 0,
867 SMP_MAX_ENC_KEY_SIZE
- smp
->enc_key_size
);
869 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND
, &hcon
->flags
))
870 return SMP_UNSPECIFIED
;
872 hci_le_start_enc(hcon
, ediv
, rand
, stk
);
873 hcon
->enc_key_size
= smp
->enc_key_size
;
874 set_bit(HCI_CONN_STK_ENCRYPT
, &hcon
->flags
);
880 smp_send_cmd(conn
, SMP_CMD_PAIRING_RANDOM
, sizeof(smp
->prnd
),
883 smp_s1(smp
->tfm_aes
, smp
->tk
, smp
->prnd
, smp
->rrnd
, stk
);
885 memset(stk
+ smp
->enc_key_size
, 0,
886 SMP_MAX_ENC_KEY_SIZE
- smp
->enc_key_size
);
888 if (hcon
->pending_sec_level
== BT_SECURITY_HIGH
)
893 /* Even though there's no _SLAVE suffix this is the
894 * slave STK we're adding for later lookup (the master
895 * STK never needs to be stored).
897 hci_add_ltk(hcon
->hdev
, &hcon
->dst
, hcon
->dst_type
,
898 SMP_STK
, auth
, stk
, smp
->enc_key_size
, ediv
, rand
);
904 static void smp_notify_keys(struct l2cap_conn
*conn
)
906 struct l2cap_chan
*chan
= conn
->smp
;
907 struct smp_chan
*smp
= chan
->data
;
908 struct hci_conn
*hcon
= conn
->hcon
;
909 struct hci_dev
*hdev
= hcon
->hdev
;
910 struct smp_cmd_pairing
*req
= (void *) &smp
->preq
[1];
911 struct smp_cmd_pairing
*rsp
= (void *) &smp
->prsp
[1];
914 if (smp
->remote_irk
) {
915 mgmt_new_irk(hdev
, smp
->remote_irk
);
916 /* Now that user space can be considered to know the
917 * identity address track the connection based on it
920 bacpy(&hcon
->dst
, &smp
->remote_irk
->bdaddr
);
921 hcon
->dst_type
= smp
->remote_irk
->addr_type
;
922 queue_work(hdev
->workqueue
, &conn
->id_addr_update_work
);
924 /* When receiving an indentity resolving key for
925 * a remote device that does not use a resolvable
926 * private address, just remove the key so that
927 * it is possible to use the controller white
930 * Userspace will have been told to not store
931 * this key at this point. So it is safe to
934 if (!bacmp(&smp
->remote_irk
->rpa
, BDADDR_ANY
)) {
935 list_del_rcu(&smp
->remote_irk
->list
);
936 kfree_rcu(smp
->remote_irk
, rcu
);
937 smp
->remote_irk
= NULL
;
941 /* The LTKs and CSRKs should be persistent only if both sides
942 * had the bonding bit set in their authentication requests.
944 persistent
= !!((req
->auth_req
& rsp
->auth_req
) & SMP_AUTH_BONDING
);
947 smp
->csrk
->bdaddr_type
= hcon
->dst_type
;
948 bacpy(&smp
->csrk
->bdaddr
, &hcon
->dst
);
949 mgmt_new_csrk(hdev
, smp
->csrk
, persistent
);
952 if (smp
->slave_csrk
) {
953 smp
->slave_csrk
->bdaddr_type
= hcon
->dst_type
;
954 bacpy(&smp
->slave_csrk
->bdaddr
, &hcon
->dst
);
955 mgmt_new_csrk(hdev
, smp
->slave_csrk
, persistent
);
959 smp
->ltk
->bdaddr_type
= hcon
->dst_type
;
960 bacpy(&smp
->ltk
->bdaddr
, &hcon
->dst
);
961 mgmt_new_ltk(hdev
, smp
->ltk
, persistent
);
964 if (smp
->slave_ltk
) {
965 smp
->slave_ltk
->bdaddr_type
= hcon
->dst_type
;
966 bacpy(&smp
->slave_ltk
->bdaddr
, &hcon
->dst
);
967 mgmt_new_ltk(hdev
, smp
->slave_ltk
, persistent
);
971 struct link_key
*key
;
974 if (test_bit(SMP_FLAG_DEBUG_KEY
, &smp
->flags
))
975 type
= HCI_LK_DEBUG_COMBINATION
;
976 else if (hcon
->sec_level
== BT_SECURITY_FIPS
)
977 type
= HCI_LK_AUTH_COMBINATION_P256
;
979 type
= HCI_LK_UNAUTH_COMBINATION_P256
;
981 key
= hci_add_link_key(hdev
, smp
->conn
->hcon
, &hcon
->dst
,
982 smp
->link_key
, type
, 0, &persistent
);
984 mgmt_new_link_key(hdev
, key
, persistent
);
986 /* Don't keep debug keys around if the relevant
989 if (!test_bit(HCI_KEEP_DEBUG_KEYS
, &hdev
->dev_flags
) &&
990 key
->type
== HCI_LK_DEBUG_COMBINATION
) {
991 list_del_rcu(&key
->list
);
998 static void sc_add_ltk(struct smp_chan
*smp
)
1000 struct hci_conn
*hcon
= smp
->conn
->hcon
;
1003 if (test_bit(SMP_FLAG_DEBUG_KEY
, &smp
->flags
))
1004 key_type
= SMP_LTK_P256_DEBUG
;
1006 key_type
= SMP_LTK_P256
;
1008 if (hcon
->pending_sec_level
== BT_SECURITY_FIPS
)
1013 memset(smp
->tk
+ smp
->enc_key_size
, 0,
1014 SMP_MAX_ENC_KEY_SIZE
- smp
->enc_key_size
);
1016 smp
->ltk
= hci_add_ltk(hcon
->hdev
, &hcon
->dst
, hcon
->dst_type
,
1017 key_type
, auth
, smp
->tk
, smp
->enc_key_size
,
1021 static void sc_generate_link_key(struct smp_chan
*smp
)
1023 /* These constants are as specified in the core specification.
1024 * In ASCII they spell out to 'tmp1' and 'lebr'.
1026 const u8 tmp1
[4] = { 0x31, 0x70, 0x6d, 0x74 };
1027 const u8 lebr
[4] = { 0x72, 0x62, 0x65, 0x6c };
1029 smp
->link_key
= kzalloc(16, GFP_KERNEL
);
1033 if (smp_h6(smp
->tfm_cmac
, smp
->tk
, tmp1
, smp
->link_key
)) {
1034 kfree(smp
->link_key
);
1035 smp
->link_key
= NULL
;
1039 if (smp_h6(smp
->tfm_cmac
, smp
->link_key
, lebr
, smp
->link_key
)) {
1040 kfree(smp
->link_key
);
1041 smp
->link_key
= NULL
;
1046 static void smp_allow_key_dist(struct smp_chan
*smp
)
1048 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1049 * will be allowed in each PDU handler to ensure we receive
1050 * them in the correct order.
1052 if (smp
->remote_key_dist
& SMP_DIST_ENC_KEY
)
1053 SMP_ALLOW_CMD(smp
, SMP_CMD_ENCRYPT_INFO
);
1054 else if (smp
->remote_key_dist
& SMP_DIST_ID_KEY
)
1055 SMP_ALLOW_CMD(smp
, SMP_CMD_IDENT_INFO
);
1056 else if (smp
->remote_key_dist
& SMP_DIST_SIGN
)
1057 SMP_ALLOW_CMD(smp
, SMP_CMD_SIGN_INFO
);
1060 static void smp_distribute_keys(struct smp_chan
*smp
)
1062 struct smp_cmd_pairing
*req
, *rsp
;
1063 struct l2cap_conn
*conn
= smp
->conn
;
1064 struct hci_conn
*hcon
= conn
->hcon
;
1065 struct hci_dev
*hdev
= hcon
->hdev
;
1068 BT_DBG("conn %p", conn
);
1070 rsp
= (void *) &smp
->prsp
[1];
1072 /* The responder sends its keys first */
1073 if (hcon
->out
&& (smp
->remote_key_dist
& KEY_DIST_MASK
)) {
1074 smp_allow_key_dist(smp
);
1078 req
= (void *) &smp
->preq
[1];
1081 keydist
= &rsp
->init_key_dist
;
1082 *keydist
&= req
->init_key_dist
;
1084 keydist
= &rsp
->resp_key_dist
;
1085 *keydist
&= req
->resp_key_dist
;
1088 if (test_bit(SMP_FLAG_SC
, &smp
->flags
)) {
1089 if (*keydist
& SMP_DIST_LINK_KEY
)
1090 sc_generate_link_key(smp
);
1092 /* Clear the keys which are generated but not distributed */
1093 *keydist
&= ~SMP_SC_NO_DIST
;
1096 BT_DBG("keydist 0x%x", *keydist
);
1098 if (*keydist
& SMP_DIST_ENC_KEY
) {
1099 struct smp_cmd_encrypt_info enc
;
1100 struct smp_cmd_master_ident ident
;
1101 struct smp_ltk
*ltk
;
1106 get_random_bytes(enc
.ltk
, sizeof(enc
.ltk
));
1107 get_random_bytes(&ediv
, sizeof(ediv
));
1108 get_random_bytes(&rand
, sizeof(rand
));
1110 smp_send_cmd(conn
, SMP_CMD_ENCRYPT_INFO
, sizeof(enc
), &enc
);
1112 authenticated
= hcon
->sec_level
== BT_SECURITY_HIGH
;
1113 ltk
= hci_add_ltk(hdev
, &hcon
->dst
, hcon
->dst_type
,
1114 SMP_LTK_SLAVE
, authenticated
, enc
.ltk
,
1115 smp
->enc_key_size
, ediv
, rand
);
1116 smp
->slave_ltk
= ltk
;
1121 smp_send_cmd(conn
, SMP_CMD_MASTER_IDENT
, sizeof(ident
), &ident
);
1123 *keydist
&= ~SMP_DIST_ENC_KEY
;
1126 if (*keydist
& SMP_DIST_ID_KEY
) {
1127 struct smp_cmd_ident_addr_info addrinfo
;
1128 struct smp_cmd_ident_info idinfo
;
1130 memcpy(idinfo
.irk
, hdev
->irk
, sizeof(idinfo
.irk
));
1132 smp_send_cmd(conn
, SMP_CMD_IDENT_INFO
, sizeof(idinfo
), &idinfo
);
1134 /* The hci_conn contains the local identity address
1135 * after the connection has been established.
1137 * This is true even when the connection has been
1138 * established using a resolvable random address.
1140 bacpy(&addrinfo
.bdaddr
, &hcon
->src
);
1141 addrinfo
.addr_type
= hcon
->src_type
;
1143 smp_send_cmd(conn
, SMP_CMD_IDENT_ADDR_INFO
, sizeof(addrinfo
),
1146 *keydist
&= ~SMP_DIST_ID_KEY
;
1149 if (*keydist
& SMP_DIST_SIGN
) {
1150 struct smp_cmd_sign_info sign
;
1151 struct smp_csrk
*csrk
;
1153 /* Generate a new random key */
1154 get_random_bytes(sign
.csrk
, sizeof(sign
.csrk
));
1156 csrk
= kzalloc(sizeof(*csrk
), GFP_KERNEL
);
1158 csrk
->master
= 0x00;
1159 memcpy(csrk
->val
, sign
.csrk
, sizeof(csrk
->val
));
1161 smp
->slave_csrk
= csrk
;
1163 smp_send_cmd(conn
, SMP_CMD_SIGN_INFO
, sizeof(sign
), &sign
);
1165 *keydist
&= ~SMP_DIST_SIGN
;
1168 /* If there are still keys to be received wait for them */
1169 if (smp
->remote_key_dist
& KEY_DIST_MASK
) {
1170 smp_allow_key_dist(smp
);
1174 set_bit(SMP_FLAG_COMPLETE
, &smp
->flags
);
1175 smp_notify_keys(conn
);
1177 smp_chan_destroy(conn
);
1180 static void smp_timeout(struct work_struct
*work
)
1182 struct smp_chan
*smp
= container_of(work
, struct smp_chan
,
1183 security_timer
.work
);
1184 struct l2cap_conn
*conn
= smp
->conn
;
1186 BT_DBG("conn %p", conn
);
1188 hci_disconnect(conn
->hcon
, HCI_ERROR_REMOTE_USER_TERM
);
1191 static struct smp_chan
*smp_chan_create(struct l2cap_conn
*conn
)
1193 struct l2cap_chan
*chan
= conn
->smp
;
1194 struct smp_chan
*smp
;
1196 smp
= kzalloc(sizeof(*smp
), GFP_ATOMIC
);
1200 smp
->tfm_aes
= crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC
);
1201 if (IS_ERR(smp
->tfm_aes
)) {
1202 BT_ERR("Unable to create ECB crypto context");
1207 smp
->tfm_cmac
= crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC
);
1208 if (IS_ERR(smp
->tfm_cmac
)) {
1209 BT_ERR("Unable to create CMAC crypto context");
1210 crypto_free_blkcipher(smp
->tfm_aes
);
1218 SMP_ALLOW_CMD(smp
, SMP_CMD_PAIRING_FAIL
);
1220 INIT_DELAYED_WORK(&smp
->security_timer
, smp_timeout
);
1222 hci_conn_hold(conn
->hcon
);
1227 static int sc_mackey_and_ltk(struct smp_chan
*smp
, u8 mackey
[16], u8 ltk
[16])
1229 struct hci_conn
*hcon
= smp
->conn
->hcon
;
1230 u8
*na
, *nb
, a
[7], b
[7];
1240 memcpy(a
, &hcon
->init_addr
, 6);
1241 memcpy(b
, &hcon
->resp_addr
, 6);
1242 a
[6] = hcon
->init_addr_type
;
1243 b
[6] = hcon
->resp_addr_type
;
1245 return smp_f5(smp
->tfm_cmac
, smp
->dhkey
, na
, nb
, a
, b
, mackey
, ltk
);
1248 static void sc_dhkey_check(struct smp_chan
*smp
)
1250 struct hci_conn
*hcon
= smp
->conn
->hcon
;
1251 struct smp_cmd_dhkey_check check
;
1252 u8 a
[7], b
[7], *local_addr
, *remote_addr
;
1253 u8 io_cap
[3], r
[16];
1255 memcpy(a
, &hcon
->init_addr
, 6);
1256 memcpy(b
, &hcon
->resp_addr
, 6);
1257 a
[6] = hcon
->init_addr_type
;
1258 b
[6] = hcon
->resp_addr_type
;
1263 memcpy(io_cap
, &smp
->preq
[1], 3);
1267 memcpy(io_cap
, &smp
->prsp
[1], 3);
1270 memset(r
, 0, sizeof(r
));
1272 if (smp
->method
== REQ_PASSKEY
|| smp
->method
== DSP_PASSKEY
)
1273 put_unaligned_le32(hcon
->passkey_notify
, r
);
1275 smp_f6(smp
->tfm_cmac
, smp
->mackey
, smp
->prnd
, smp
->rrnd
, r
, io_cap
,
1276 local_addr
, remote_addr
, check
.e
);
1278 smp_send_cmd(smp
->conn
, SMP_CMD_DHKEY_CHECK
, sizeof(check
), &check
);
1281 static u8
sc_passkey_send_confirm(struct smp_chan
*smp
)
1283 struct l2cap_conn
*conn
= smp
->conn
;
1284 struct hci_conn
*hcon
= conn
->hcon
;
1285 struct smp_cmd_pairing_confirm cfm
;
1288 r
= ((hcon
->passkey_notify
>> smp
->passkey_round
) & 0x01);
1291 get_random_bytes(smp
->prnd
, sizeof(smp
->prnd
));
1293 if (smp_f4(smp
->tfm_cmac
, smp
->local_pk
, smp
->remote_pk
, smp
->prnd
, r
,
1295 return SMP_UNSPECIFIED
;
1297 smp_send_cmd(conn
, SMP_CMD_PAIRING_CONFIRM
, sizeof(cfm
), &cfm
);
1302 static u8
sc_passkey_round(struct smp_chan
*smp
, u8 smp_op
)
1304 struct l2cap_conn
*conn
= smp
->conn
;
1305 struct hci_conn
*hcon
= conn
->hcon
;
1306 struct hci_dev
*hdev
= hcon
->hdev
;
1309 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1310 if (smp
->passkey_round
>= 20)
1314 case SMP_CMD_PAIRING_RANDOM
:
1315 r
= ((hcon
->passkey_notify
>> smp
->passkey_round
) & 0x01);
1318 if (smp_f4(smp
->tfm_cmac
, smp
->remote_pk
, smp
->local_pk
,
1320 return SMP_UNSPECIFIED
;
1322 if (memcmp(smp
->pcnf
, cfm
, 16))
1323 return SMP_CONFIRM_FAILED
;
1325 smp
->passkey_round
++;
1327 if (smp
->passkey_round
== 20) {
1328 /* Generate MacKey and LTK */
1329 if (sc_mackey_and_ltk(smp
, smp
->mackey
, smp
->tk
))
1330 return SMP_UNSPECIFIED
;
1333 /* The round is only complete when the initiator
1334 * receives pairing random.
1337 smp_send_cmd(conn
, SMP_CMD_PAIRING_RANDOM
,
1338 sizeof(smp
->prnd
), smp
->prnd
);
1339 if (smp
->passkey_round
== 20)
1340 SMP_ALLOW_CMD(smp
, SMP_CMD_DHKEY_CHECK
);
1342 SMP_ALLOW_CMD(smp
, SMP_CMD_PAIRING_CONFIRM
);
1346 /* Start the next round */
1347 if (smp
->passkey_round
!= 20)
1348 return sc_passkey_round(smp
, 0);
1350 /* Passkey rounds are complete - start DHKey Check */
1351 sc_dhkey_check(smp
);
1352 SMP_ALLOW_CMD(smp
, SMP_CMD_DHKEY_CHECK
);
1356 case SMP_CMD_PAIRING_CONFIRM
:
1357 if (test_bit(SMP_FLAG_WAIT_USER
, &smp
->flags
)) {
1358 set_bit(SMP_FLAG_CFM_PENDING
, &smp
->flags
);
1362 SMP_ALLOW_CMD(smp
, SMP_CMD_PAIRING_RANDOM
);
1365 smp_send_cmd(conn
, SMP_CMD_PAIRING_RANDOM
,
1366 sizeof(smp
->prnd
), smp
->prnd
);
1370 return sc_passkey_send_confirm(smp
);
1372 case SMP_CMD_PUBLIC_KEY
:
1374 /* Initiating device starts the round */
1378 BT_DBG("%s Starting passkey round %u", hdev
->name
,
1379 smp
->passkey_round
+ 1);
1381 SMP_ALLOW_CMD(smp
, SMP_CMD_PAIRING_CONFIRM
);
1383 return sc_passkey_send_confirm(smp
);
1389 static int sc_user_reply(struct smp_chan
*smp
, u16 mgmt_op
, __le32 passkey
)
1391 struct l2cap_conn
*conn
= smp
->conn
;
1392 struct hci_conn
*hcon
= conn
->hcon
;
1395 clear_bit(SMP_FLAG_WAIT_USER
, &smp
->flags
);
1398 case MGMT_OP_USER_PASSKEY_NEG_REPLY
:
1399 smp_failure(smp
->conn
, SMP_PASSKEY_ENTRY_FAILED
);
1401 case MGMT_OP_USER_CONFIRM_NEG_REPLY
:
1402 smp_failure(smp
->conn
, SMP_NUMERIC_COMP_FAILED
);
1404 case MGMT_OP_USER_PASSKEY_REPLY
:
1405 hcon
->passkey_notify
= le32_to_cpu(passkey
);
1406 smp
->passkey_round
= 0;
1408 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING
, &smp
->flags
))
1409 smp_op
= SMP_CMD_PAIRING_CONFIRM
;
1413 if (sc_passkey_round(smp
, smp_op
))
1419 /* Initiator sends DHKey check first */
1421 sc_dhkey_check(smp
);
1422 SMP_ALLOW_CMD(smp
, SMP_CMD_DHKEY_CHECK
);
1423 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING
, &smp
->flags
)) {
1424 sc_dhkey_check(smp
);
1431 int smp_user_confirm_reply(struct hci_conn
*hcon
, u16 mgmt_op
, __le32 passkey
)
1433 struct l2cap_conn
*conn
= hcon
->l2cap_data
;
1434 struct l2cap_chan
*chan
;
1435 struct smp_chan
*smp
;
1448 l2cap_chan_lock(chan
);
1456 if (test_bit(SMP_FLAG_SC
, &smp
->flags
)) {
1457 err
= sc_user_reply(smp
, mgmt_op
, passkey
);
1462 case MGMT_OP_USER_PASSKEY_REPLY
:
1463 value
= le32_to_cpu(passkey
);
1464 memset(smp
->tk
, 0, sizeof(smp
->tk
));
1465 BT_DBG("PassKey: %d", value
);
1466 put_unaligned_le32(value
, smp
->tk
);
1468 case MGMT_OP_USER_CONFIRM_REPLY
:
1469 set_bit(SMP_FLAG_TK_VALID
, &smp
->flags
);
1471 case MGMT_OP_USER_PASSKEY_NEG_REPLY
:
1472 case MGMT_OP_USER_CONFIRM_NEG_REPLY
:
1473 smp_failure(conn
, SMP_PASSKEY_ENTRY_FAILED
);
1477 smp_failure(conn
, SMP_PASSKEY_ENTRY_FAILED
);
1484 /* If it is our turn to send Pairing Confirm, do so now */
1485 if (test_bit(SMP_FLAG_CFM_PENDING
, &smp
->flags
)) {
1486 u8 rsp
= smp_confirm(smp
);
1488 smp_failure(conn
, rsp
);
1492 l2cap_chan_unlock(chan
);
1496 static u8
smp_cmd_pairing_req(struct l2cap_conn
*conn
, struct sk_buff
*skb
)
1498 struct smp_cmd_pairing rsp
, *req
= (void *) skb
->data
;
1499 struct l2cap_chan
*chan
= conn
->smp
;
1500 struct hci_dev
*hdev
= conn
->hcon
->hdev
;
1501 struct smp_chan
*smp
;
1502 u8 key_size
, auth
, sec_level
;
1505 BT_DBG("conn %p", conn
);
1507 if (skb
->len
< sizeof(*req
))
1508 return SMP_INVALID_PARAMS
;
1510 if (conn
->hcon
->role
!= HCI_ROLE_SLAVE
)
1511 return SMP_CMD_NOTSUPP
;
1514 smp
= smp_chan_create(conn
);
1519 return SMP_UNSPECIFIED
;
1521 /* We didn't start the pairing, so match remote */
1522 auth
= req
->auth_req
& AUTH_REQ_MASK(hdev
);
1524 if (!test_bit(HCI_BONDABLE
, &hdev
->dev_flags
) &&
1525 (auth
& SMP_AUTH_BONDING
))
1526 return SMP_PAIRING_NOTSUPP
;
1528 smp
->preq
[0] = SMP_CMD_PAIRING_REQ
;
1529 memcpy(&smp
->preq
[1], req
, sizeof(*req
));
1530 skb_pull(skb
, sizeof(*req
));
1532 build_pairing_cmd(conn
, req
, &rsp
, auth
);
1534 if (rsp
.auth_req
& SMP_AUTH_SC
)
1535 set_bit(SMP_FLAG_SC
, &smp
->flags
);
1537 if (conn
->hcon
->io_capability
== HCI_IO_NO_INPUT_OUTPUT
)
1538 sec_level
= BT_SECURITY_MEDIUM
;
1540 sec_level
= authreq_to_seclevel(auth
);
1542 if (sec_level
> conn
->hcon
->pending_sec_level
)
1543 conn
->hcon
->pending_sec_level
= sec_level
;
1545 /* If we need MITM check that it can be achieved */
1546 if (conn
->hcon
->pending_sec_level
>= BT_SECURITY_HIGH
) {
1549 method
= get_auth_method(smp
, conn
->hcon
->io_capability
,
1550 req
->io_capability
);
1551 if (method
== JUST_WORKS
|| method
== JUST_CFM
)
1552 return SMP_AUTH_REQUIREMENTS
;
1555 key_size
= min(req
->max_key_size
, rsp
.max_key_size
);
1556 if (check_enc_key_size(conn
, key_size
))
1557 return SMP_ENC_KEY_SIZE
;
1559 get_random_bytes(smp
->prnd
, sizeof(smp
->prnd
));
1561 smp
->prsp
[0] = SMP_CMD_PAIRING_RSP
;
1562 memcpy(&smp
->prsp
[1], &rsp
, sizeof(rsp
));
1564 smp_send_cmd(conn
, SMP_CMD_PAIRING_RSP
, sizeof(rsp
), &rsp
);
1566 clear_bit(SMP_FLAG_INITIATOR
, &smp
->flags
);
1568 if (test_bit(SMP_FLAG_SC
, &smp
->flags
)) {
1569 SMP_ALLOW_CMD(smp
, SMP_CMD_PUBLIC_KEY
);
1570 /* Clear bits which are generated but not distributed */
1571 smp
->remote_key_dist
&= ~SMP_SC_NO_DIST
;
1572 /* Wait for Public Key from Initiating Device */
1575 SMP_ALLOW_CMD(smp
, SMP_CMD_PAIRING_CONFIRM
);
1578 /* Request setup of TK */
1579 ret
= tk_request(conn
, 0, auth
, rsp
.io_capability
, req
->io_capability
);
1581 return SMP_UNSPECIFIED
;
1586 static u8
sc_send_public_key(struct smp_chan
*smp
)
1591 /* Generate local key pair for Secure Connections */
1592 if (!ecc_make_key(smp
->local_pk
, smp
->local_sk
))
1593 return SMP_UNSPECIFIED
;
1595 /* This is unlikely, but we need to check that we didn't
1596 * accidentially generate a debug key.
1598 if (memcmp(smp
->local_sk
, debug_sk
, 32))
1602 BT_DBG("Local Public Key X: %32phN", smp
->local_pk
);
1603 BT_DBG("Local Public Key Y: %32phN", &smp
->local_pk
[32]);
1604 BT_DBG("Local Private Key: %32phN", smp
->local_sk
);
1606 smp_send_cmd(smp
->conn
, SMP_CMD_PUBLIC_KEY
, 64, smp
->local_pk
);
1611 static u8
smp_cmd_pairing_rsp(struct l2cap_conn
*conn
, struct sk_buff
*skb
)
1613 struct smp_cmd_pairing
*req
, *rsp
= (void *) skb
->data
;
1614 struct l2cap_chan
*chan
= conn
->smp
;
1615 struct smp_chan
*smp
= chan
->data
;
1616 struct hci_dev
*hdev
= conn
->hcon
->hdev
;
1620 BT_DBG("conn %p", conn
);
1622 if (skb
->len
< sizeof(*rsp
))
1623 return SMP_INVALID_PARAMS
;
1625 if (conn
->hcon
->role
!= HCI_ROLE_MASTER
)
1626 return SMP_CMD_NOTSUPP
;
1628 skb_pull(skb
, sizeof(*rsp
));
1630 req
= (void *) &smp
->preq
[1];
1632 key_size
= min(req
->max_key_size
, rsp
->max_key_size
);
1633 if (check_enc_key_size(conn
, key_size
))
1634 return SMP_ENC_KEY_SIZE
;
1636 auth
= rsp
->auth_req
& AUTH_REQ_MASK(hdev
);
1638 if ((req
->auth_req
& SMP_AUTH_SC
) && (auth
& SMP_AUTH_SC
))
1639 set_bit(SMP_FLAG_SC
, &smp
->flags
);
1640 else if (conn
->hcon
->pending_sec_level
> BT_SECURITY_HIGH
)
1641 conn
->hcon
->pending_sec_level
= BT_SECURITY_HIGH
;
1643 /* If we need MITM check that it can be achieved */
1644 if (conn
->hcon
->pending_sec_level
>= BT_SECURITY_HIGH
) {
1647 method
= get_auth_method(smp
, req
->io_capability
,
1648 rsp
->io_capability
);
1649 if (method
== JUST_WORKS
|| method
== JUST_CFM
)
1650 return SMP_AUTH_REQUIREMENTS
;
1653 get_random_bytes(smp
->prnd
, sizeof(smp
->prnd
));
1655 smp
->prsp
[0] = SMP_CMD_PAIRING_RSP
;
1656 memcpy(&smp
->prsp
[1], rsp
, sizeof(*rsp
));
1658 /* Update remote key distribution in case the remote cleared
1659 * some bits that we had enabled in our request.
1661 smp
->remote_key_dist
&= rsp
->resp_key_dist
;
1663 if (test_bit(SMP_FLAG_SC
, &smp
->flags
)) {
1664 /* Clear bits which are generated but not distributed */
1665 smp
->remote_key_dist
&= ~SMP_SC_NO_DIST
;
1666 SMP_ALLOW_CMD(smp
, SMP_CMD_PUBLIC_KEY
);
1667 return sc_send_public_key(smp
);
1670 auth
|= req
->auth_req
;
1672 ret
= tk_request(conn
, 0, auth
, req
->io_capability
, rsp
->io_capability
);
1674 return SMP_UNSPECIFIED
;
1676 set_bit(SMP_FLAG_CFM_PENDING
, &smp
->flags
);
1678 /* Can't compose response until we have been confirmed */
1679 if (test_bit(SMP_FLAG_TK_VALID
, &smp
->flags
))
1680 return smp_confirm(smp
);
1685 static u8
sc_check_confirm(struct smp_chan
*smp
)
1687 struct l2cap_conn
*conn
= smp
->conn
;
1691 /* Public Key exchange must happen before any other steps */
1692 if (!test_bit(SMP_FLAG_REMOTE_PK
, &smp
->flags
))
1693 return SMP_UNSPECIFIED
;
1695 if (smp
->method
== REQ_PASSKEY
|| smp
->method
== DSP_PASSKEY
)
1696 return sc_passkey_round(smp
, SMP_CMD_PAIRING_CONFIRM
);
1698 if (conn
->hcon
->out
) {
1699 smp_send_cmd(conn
, SMP_CMD_PAIRING_RANDOM
, sizeof(smp
->prnd
),
1701 SMP_ALLOW_CMD(smp
, SMP_CMD_PAIRING_RANDOM
);
1707 static u8
smp_cmd_pairing_confirm(struct l2cap_conn
*conn
, struct sk_buff
*skb
)
1709 struct l2cap_chan
*chan
= conn
->smp
;
1710 struct smp_chan
*smp
= chan
->data
;
1712 BT_DBG("conn %p %s", conn
, conn
->hcon
->out
? "master" : "slave");
1714 if (skb
->len
< sizeof(smp
->pcnf
))
1715 return SMP_INVALID_PARAMS
;
1717 memcpy(smp
->pcnf
, skb
->data
, sizeof(smp
->pcnf
));
1718 skb_pull(skb
, sizeof(smp
->pcnf
));
1720 if (test_bit(SMP_FLAG_SC
, &smp
->flags
))
1721 return sc_check_confirm(smp
);
1723 if (conn
->hcon
->out
) {
1724 smp_send_cmd(conn
, SMP_CMD_PAIRING_RANDOM
, sizeof(smp
->prnd
),
1726 SMP_ALLOW_CMD(smp
, SMP_CMD_PAIRING_RANDOM
);
1730 if (test_bit(SMP_FLAG_TK_VALID
, &smp
->flags
))
1731 return smp_confirm(smp
);
1733 set_bit(SMP_FLAG_CFM_PENDING
, &smp
->flags
);
1738 static u8
smp_cmd_pairing_random(struct l2cap_conn
*conn
, struct sk_buff
*skb
)
1740 struct l2cap_chan
*chan
= conn
->smp
;
1741 struct smp_chan
*smp
= chan
->data
;
1742 struct hci_conn
*hcon
= conn
->hcon
;
1743 u8
*pkax
, *pkbx
, *na
, *nb
;
1747 BT_DBG("conn %p", conn
);
1749 if (skb
->len
< sizeof(smp
->rrnd
))
1750 return SMP_INVALID_PARAMS
;
1752 memcpy(smp
->rrnd
, skb
->data
, sizeof(smp
->rrnd
));
1753 skb_pull(skb
, sizeof(smp
->rrnd
));
1755 if (!test_bit(SMP_FLAG_SC
, &smp
->flags
))
1756 return smp_random(smp
);
1758 /* Passkey entry has special treatment */
1759 if (smp
->method
== REQ_PASSKEY
|| smp
->method
== DSP_PASSKEY
)
1760 return sc_passkey_round(smp
, SMP_CMD_PAIRING_RANDOM
);
1765 err
= smp_f4(smp
->tfm_cmac
, smp
->remote_pk
, smp
->local_pk
,
1768 return SMP_UNSPECIFIED
;
1770 if (memcmp(smp
->pcnf
, cfm
, 16))
1771 return SMP_CONFIRM_FAILED
;
1773 pkax
= smp
->local_pk
;
1774 pkbx
= smp
->remote_pk
;
1778 smp_send_cmd(conn
, SMP_CMD_PAIRING_RANDOM
, sizeof(smp
->prnd
),
1780 SMP_ALLOW_CMD(smp
, SMP_CMD_DHKEY_CHECK
);
1782 pkax
= smp
->remote_pk
;
1783 pkbx
= smp
->local_pk
;
1788 /* Generate MacKey and LTK */
1789 err
= sc_mackey_and_ltk(smp
, smp
->mackey
, smp
->tk
);
1791 return SMP_UNSPECIFIED
;
1793 if (smp
->method
== JUST_WORKS
) {
1795 sc_dhkey_check(smp
);
1796 SMP_ALLOW_CMD(smp
, SMP_CMD_DHKEY_CHECK
);
1801 err
= smp_g2(smp
->tfm_cmac
, pkax
, pkbx
, na
, nb
, &passkey
);
1803 return SMP_UNSPECIFIED
;
1805 err
= mgmt_user_confirm_request(hcon
->hdev
, &hcon
->dst
, hcon
->type
,
1806 hcon
->dst_type
, passkey
, 0);
1808 return SMP_UNSPECIFIED
;
1810 set_bit(SMP_FLAG_WAIT_USER
, &smp
->flags
);
1815 static bool smp_ltk_encrypt(struct l2cap_conn
*conn
, u8 sec_level
)
1817 struct smp_ltk
*key
;
1818 struct hci_conn
*hcon
= conn
->hcon
;
1820 key
= hci_find_ltk(hcon
->hdev
, &hcon
->dst
, hcon
->dst_type
, hcon
->role
);
1824 if (smp_ltk_sec_level(key
) < sec_level
)
1827 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND
, &hcon
->flags
))
1830 hci_le_start_enc(hcon
, key
->ediv
, key
->rand
, key
->val
);
1831 hcon
->enc_key_size
= key
->enc_size
;
1833 /* We never store STKs for master role, so clear this flag */
1834 clear_bit(HCI_CONN_STK_ENCRYPT
, &hcon
->flags
);
1839 bool smp_sufficient_security(struct hci_conn
*hcon
, u8 sec_level
,
1840 enum smp_key_pref key_pref
)
1842 if (sec_level
== BT_SECURITY_LOW
)
1845 /* If we're encrypted with an STK but the caller prefers using
1846 * LTK claim insufficient security. This way we allow the
1847 * connection to be re-encrypted with an LTK, even if the LTK
1848 * provides the same level of security. Only exception is if we
1849 * don't have an LTK (e.g. because of key distribution bits).
1851 if (key_pref
== SMP_USE_LTK
&&
1852 test_bit(HCI_CONN_STK_ENCRYPT
, &hcon
->flags
) &&
1853 hci_find_ltk(hcon
->hdev
, &hcon
->dst
, hcon
->dst_type
, hcon
->role
))
1856 if (hcon
->sec_level
>= sec_level
)
1862 static u8
smp_cmd_security_req(struct l2cap_conn
*conn
, struct sk_buff
*skb
)
1864 struct smp_cmd_security_req
*rp
= (void *) skb
->data
;
1865 struct smp_cmd_pairing cp
;
1866 struct hci_conn
*hcon
= conn
->hcon
;
1867 struct hci_dev
*hdev
= hcon
->hdev
;
1868 struct smp_chan
*smp
;
1871 BT_DBG("conn %p", conn
);
1873 if (skb
->len
< sizeof(*rp
))
1874 return SMP_INVALID_PARAMS
;
1876 if (hcon
->role
!= HCI_ROLE_MASTER
)
1877 return SMP_CMD_NOTSUPP
;
1879 auth
= rp
->auth_req
& AUTH_REQ_MASK(hdev
);
1881 if (hcon
->io_capability
== HCI_IO_NO_INPUT_OUTPUT
)
1882 sec_level
= BT_SECURITY_MEDIUM
;
1884 sec_level
= authreq_to_seclevel(auth
);
1886 if (smp_sufficient_security(hcon
, sec_level
, SMP_USE_LTK
))
1889 if (sec_level
> hcon
->pending_sec_level
)
1890 hcon
->pending_sec_level
= sec_level
;
1892 if (smp_ltk_encrypt(conn
, hcon
->pending_sec_level
))
1895 smp
= smp_chan_create(conn
);
1897 return SMP_UNSPECIFIED
;
1899 if (!test_bit(HCI_BONDABLE
, &hcon
->hdev
->dev_flags
) &&
1900 (auth
& SMP_AUTH_BONDING
))
1901 return SMP_PAIRING_NOTSUPP
;
1903 skb_pull(skb
, sizeof(*rp
));
1905 memset(&cp
, 0, sizeof(cp
));
1906 build_pairing_cmd(conn
, &cp
, NULL
, auth
);
1908 smp
->preq
[0] = SMP_CMD_PAIRING_REQ
;
1909 memcpy(&smp
->preq
[1], &cp
, sizeof(cp
));
1911 smp_send_cmd(conn
, SMP_CMD_PAIRING_REQ
, sizeof(cp
), &cp
);
1912 SMP_ALLOW_CMD(smp
, SMP_CMD_PAIRING_RSP
);
1917 int smp_conn_security(struct hci_conn
*hcon
, __u8 sec_level
)
1919 struct l2cap_conn
*conn
= hcon
->l2cap_data
;
1920 struct l2cap_chan
*chan
;
1921 struct smp_chan
*smp
;
1925 BT_DBG("conn %p hcon %p level 0x%2.2x", conn
, hcon
, sec_level
);
1927 /* This may be NULL if there's an unexpected disconnection */
1933 if (!test_bit(HCI_LE_ENABLED
, &hcon
->hdev
->dev_flags
))
1936 if (smp_sufficient_security(hcon
, sec_level
, SMP_USE_LTK
))
1939 if (sec_level
> hcon
->pending_sec_level
)
1940 hcon
->pending_sec_level
= sec_level
;
1942 if (hcon
->role
== HCI_ROLE_MASTER
)
1943 if (smp_ltk_encrypt(conn
, hcon
->pending_sec_level
))
1946 l2cap_chan_lock(chan
);
1948 /* If SMP is already in progress ignore this request */
1954 smp
= smp_chan_create(conn
);
1960 authreq
= seclevel_to_authreq(sec_level
);
1962 if (test_bit(HCI_SC_ENABLED
, &hcon
->hdev
->dev_flags
))
1963 authreq
|= SMP_AUTH_SC
;
1965 /* Require MITM if IO Capability allows or the security level
1968 if (hcon
->io_capability
!= HCI_IO_NO_INPUT_OUTPUT
||
1969 hcon
->pending_sec_level
> BT_SECURITY_MEDIUM
)
1970 authreq
|= SMP_AUTH_MITM
;
1972 if (hcon
->role
== HCI_ROLE_MASTER
) {
1973 struct smp_cmd_pairing cp
;
1975 build_pairing_cmd(conn
, &cp
, NULL
, authreq
);
1976 smp
->preq
[0] = SMP_CMD_PAIRING_REQ
;
1977 memcpy(&smp
->preq
[1], &cp
, sizeof(cp
));
1979 smp_send_cmd(conn
, SMP_CMD_PAIRING_REQ
, sizeof(cp
), &cp
);
1980 SMP_ALLOW_CMD(smp
, SMP_CMD_PAIRING_RSP
);
1982 struct smp_cmd_security_req cp
;
1983 cp
.auth_req
= authreq
;
1984 smp_send_cmd(conn
, SMP_CMD_SECURITY_REQ
, sizeof(cp
), &cp
);
1985 SMP_ALLOW_CMD(smp
, SMP_CMD_PAIRING_REQ
);
1988 set_bit(SMP_FLAG_INITIATOR
, &smp
->flags
);
1992 l2cap_chan_unlock(chan
);
1996 static int smp_cmd_encrypt_info(struct l2cap_conn
*conn
, struct sk_buff
*skb
)
1998 struct smp_cmd_encrypt_info
*rp
= (void *) skb
->data
;
1999 struct l2cap_chan
*chan
= conn
->smp
;
2000 struct smp_chan
*smp
= chan
->data
;
2002 BT_DBG("conn %p", conn
);
2004 if (skb
->len
< sizeof(*rp
))
2005 return SMP_INVALID_PARAMS
;
2007 SMP_ALLOW_CMD(smp
, SMP_CMD_MASTER_IDENT
);
2009 skb_pull(skb
, sizeof(*rp
));
2011 memcpy(smp
->tk
, rp
->ltk
, sizeof(smp
->tk
));
2016 static int smp_cmd_master_ident(struct l2cap_conn
*conn
, struct sk_buff
*skb
)
2018 struct smp_cmd_master_ident
*rp
= (void *) skb
->data
;
2019 struct l2cap_chan
*chan
= conn
->smp
;
2020 struct smp_chan
*smp
= chan
->data
;
2021 struct hci_dev
*hdev
= conn
->hcon
->hdev
;
2022 struct hci_conn
*hcon
= conn
->hcon
;
2023 struct smp_ltk
*ltk
;
2026 BT_DBG("conn %p", conn
);
2028 if (skb
->len
< sizeof(*rp
))
2029 return SMP_INVALID_PARAMS
;
2031 /* Mark the information as received */
2032 smp
->remote_key_dist
&= ~SMP_DIST_ENC_KEY
;
2034 if (smp
->remote_key_dist
& SMP_DIST_ID_KEY
)
2035 SMP_ALLOW_CMD(smp
, SMP_CMD_IDENT_INFO
);
2036 else if (smp
->remote_key_dist
& SMP_DIST_SIGN
)
2037 SMP_ALLOW_CMD(smp
, SMP_CMD_SIGN_INFO
);
2039 skb_pull(skb
, sizeof(*rp
));
2041 authenticated
= (hcon
->sec_level
== BT_SECURITY_HIGH
);
2042 ltk
= hci_add_ltk(hdev
, &hcon
->dst
, hcon
->dst_type
, SMP_LTK
,
2043 authenticated
, smp
->tk
, smp
->enc_key_size
,
2044 rp
->ediv
, rp
->rand
);
2046 if (!(smp
->remote_key_dist
& KEY_DIST_MASK
))
2047 smp_distribute_keys(smp
);
2052 static int smp_cmd_ident_info(struct l2cap_conn
*conn
, struct sk_buff
*skb
)
2054 struct smp_cmd_ident_info
*info
= (void *) skb
->data
;
2055 struct l2cap_chan
*chan
= conn
->smp
;
2056 struct smp_chan
*smp
= chan
->data
;
2060 if (skb
->len
< sizeof(*info
))
2061 return SMP_INVALID_PARAMS
;
2063 SMP_ALLOW_CMD(smp
, SMP_CMD_IDENT_ADDR_INFO
);
2065 skb_pull(skb
, sizeof(*info
));
2067 memcpy(smp
->irk
, info
->irk
, 16);
2072 static int smp_cmd_ident_addr_info(struct l2cap_conn
*conn
,
2073 struct sk_buff
*skb
)
2075 struct smp_cmd_ident_addr_info
*info
= (void *) skb
->data
;
2076 struct l2cap_chan
*chan
= conn
->smp
;
2077 struct smp_chan
*smp
= chan
->data
;
2078 struct hci_conn
*hcon
= conn
->hcon
;
2083 if (skb
->len
< sizeof(*info
))
2084 return SMP_INVALID_PARAMS
;
2086 /* Mark the information as received */
2087 smp
->remote_key_dist
&= ~SMP_DIST_ID_KEY
;
2089 if (smp
->remote_key_dist
& SMP_DIST_SIGN
)
2090 SMP_ALLOW_CMD(smp
, SMP_CMD_SIGN_INFO
);
2092 skb_pull(skb
, sizeof(*info
));
2094 /* Strictly speaking the Core Specification (4.1) allows sending
2095 * an empty address which would force us to rely on just the IRK
2096 * as "identity information". However, since such
2097 * implementations are not known of and in order to not over
2098 * complicate our implementation, simply pretend that we never
2099 * received an IRK for such a device.
2101 if (!bacmp(&info
->bdaddr
, BDADDR_ANY
)) {
2102 BT_ERR("Ignoring IRK with no identity address");
2106 bacpy(&smp
->id_addr
, &info
->bdaddr
);
2107 smp
->id_addr_type
= info
->addr_type
;
2109 if (hci_bdaddr_is_rpa(&hcon
->dst
, hcon
->dst_type
))
2110 bacpy(&rpa
, &hcon
->dst
);
2112 bacpy(&rpa
, BDADDR_ANY
);
2114 smp
->remote_irk
= hci_add_irk(conn
->hcon
->hdev
, &smp
->id_addr
,
2115 smp
->id_addr_type
, smp
->irk
, &rpa
);
2118 if (!(smp
->remote_key_dist
& KEY_DIST_MASK
))
2119 smp_distribute_keys(smp
);
2124 static int smp_cmd_sign_info(struct l2cap_conn
*conn
, struct sk_buff
*skb
)
2126 struct smp_cmd_sign_info
*rp
= (void *) skb
->data
;
2127 struct l2cap_chan
*chan
= conn
->smp
;
2128 struct smp_chan
*smp
= chan
->data
;
2129 struct smp_csrk
*csrk
;
2131 BT_DBG("conn %p", conn
);
2133 if (skb
->len
< sizeof(*rp
))
2134 return SMP_INVALID_PARAMS
;
2136 /* Mark the information as received */
2137 smp
->remote_key_dist
&= ~SMP_DIST_SIGN
;
2139 skb_pull(skb
, sizeof(*rp
));
2141 csrk
= kzalloc(sizeof(*csrk
), GFP_KERNEL
);
2143 csrk
->master
= 0x01;
2144 memcpy(csrk
->val
, rp
->csrk
, sizeof(csrk
->val
));
2147 smp_distribute_keys(smp
);
2152 static u8
sc_select_method(struct smp_chan
*smp
)
2154 struct l2cap_conn
*conn
= smp
->conn
;
2155 struct hci_conn
*hcon
= conn
->hcon
;
2156 struct smp_cmd_pairing
*local
, *remote
;
2157 u8 local_mitm
, remote_mitm
, local_io
, remote_io
, method
;
2159 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2160 * which are needed as inputs to some crypto functions. To get
2161 * the "struct smp_cmd_pairing" from them we need to skip the
2162 * first byte which contains the opcode.
2165 local
= (void *) &smp
->preq
[1];
2166 remote
= (void *) &smp
->prsp
[1];
2168 local
= (void *) &smp
->prsp
[1];
2169 remote
= (void *) &smp
->preq
[1];
2172 local_io
= local
->io_capability
;
2173 remote_io
= remote
->io_capability
;
2175 local_mitm
= (local
->auth_req
& SMP_AUTH_MITM
);
2176 remote_mitm
= (remote
->auth_req
& SMP_AUTH_MITM
);
2178 /* If either side wants MITM, look up the method from the table,
2179 * otherwise use JUST WORKS.
2181 if (local_mitm
|| remote_mitm
)
2182 method
= get_auth_method(smp
, local_io
, remote_io
);
2184 method
= JUST_WORKS
;
2186 /* Don't confirm locally initiated pairing attempts */
2187 if (method
== JUST_CFM
&& test_bit(SMP_FLAG_INITIATOR
, &smp
->flags
))
2188 method
= JUST_WORKS
;
2193 static int smp_cmd_public_key(struct l2cap_conn
*conn
, struct sk_buff
*skb
)
2195 struct smp_cmd_public_key
*key
= (void *) skb
->data
;
2196 struct hci_conn
*hcon
= conn
->hcon
;
2197 struct l2cap_chan
*chan
= conn
->smp
;
2198 struct smp_chan
*smp
= chan
->data
;
2199 struct hci_dev
*hdev
= hcon
->hdev
;
2200 struct smp_cmd_pairing_confirm cfm
;
2203 BT_DBG("conn %p", conn
);
2205 if (skb
->len
< sizeof(*key
))
2206 return SMP_INVALID_PARAMS
;
2208 memcpy(smp
->remote_pk
, key
, 64);
2210 /* Non-initiating device sends its public key after receiving
2211 * the key from the initiating device.
2214 err
= sc_send_public_key(smp
);
2219 BT_DBG("Remote Public Key X: %32phN", smp
->remote_pk
);
2220 BT_DBG("Remote Public Key Y: %32phN", &smp
->remote_pk
[32]);
2222 if (!ecdh_shared_secret(smp
->remote_pk
, smp
->local_sk
, smp
->dhkey
))
2223 return SMP_UNSPECIFIED
;
2225 BT_DBG("DHKey %32phN", smp
->dhkey
);
2227 set_bit(SMP_FLAG_REMOTE_PK
, &smp
->flags
);
2229 smp
->method
= sc_select_method(smp
);
2231 BT_DBG("%s selected method 0x%02x", hdev
->name
, smp
->method
);
2233 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2234 if (smp
->method
== JUST_WORKS
|| smp
->method
== JUST_CFM
)
2235 hcon
->pending_sec_level
= BT_SECURITY_MEDIUM
;
2237 hcon
->pending_sec_level
= BT_SECURITY_FIPS
;
2239 if (!memcmp(debug_pk
, smp
->remote_pk
, 64))
2240 set_bit(SMP_FLAG_DEBUG_KEY
, &smp
->flags
);
2242 if (smp
->method
== DSP_PASSKEY
) {
2243 get_random_bytes(&hcon
->passkey_notify
,
2244 sizeof(hcon
->passkey_notify
));
2245 hcon
->passkey_notify
%= 1000000;
2246 hcon
->passkey_entered
= 0;
2247 smp
->passkey_round
= 0;
2248 if (mgmt_user_passkey_notify(hdev
, &hcon
->dst
, hcon
->type
,
2250 hcon
->passkey_notify
,
2251 hcon
->passkey_entered
))
2252 return SMP_UNSPECIFIED
;
2253 SMP_ALLOW_CMD(smp
, SMP_CMD_PAIRING_CONFIRM
);
2254 return sc_passkey_round(smp
, SMP_CMD_PUBLIC_KEY
);
2258 SMP_ALLOW_CMD(smp
, SMP_CMD_PAIRING_CONFIRM
);
2260 if (smp
->method
== REQ_PASSKEY
) {
2261 if (mgmt_user_passkey_request(hdev
, &hcon
->dst
, hcon
->type
,
2263 return SMP_UNSPECIFIED
;
2264 SMP_ALLOW_CMD(smp
, SMP_CMD_PAIRING_CONFIRM
);
2265 set_bit(SMP_FLAG_WAIT_USER
, &smp
->flags
);
2269 /* The Initiating device waits for the non-initiating device to
2270 * send the confirm value.
2272 if (conn
->hcon
->out
)
2275 err
= smp_f4(smp
->tfm_cmac
, smp
->local_pk
, smp
->remote_pk
, smp
->prnd
,
2276 0, cfm
.confirm_val
);
2278 return SMP_UNSPECIFIED
;
2280 smp_send_cmd(conn
, SMP_CMD_PAIRING_CONFIRM
, sizeof(cfm
), &cfm
);
2281 SMP_ALLOW_CMD(smp
, SMP_CMD_PAIRING_RANDOM
);
2286 static int smp_cmd_dhkey_check(struct l2cap_conn
*conn
, struct sk_buff
*skb
)
2288 struct smp_cmd_dhkey_check
*check
= (void *) skb
->data
;
2289 struct l2cap_chan
*chan
= conn
->smp
;
2290 struct hci_conn
*hcon
= conn
->hcon
;
2291 struct smp_chan
*smp
= chan
->data
;
2292 u8 a
[7], b
[7], *local_addr
, *remote_addr
;
2293 u8 io_cap
[3], r
[16], e
[16];
2296 BT_DBG("conn %p", conn
);
2298 if (skb
->len
< sizeof(*check
))
2299 return SMP_INVALID_PARAMS
;
2301 memcpy(a
, &hcon
->init_addr
, 6);
2302 memcpy(b
, &hcon
->resp_addr
, 6);
2303 a
[6] = hcon
->init_addr_type
;
2304 b
[6] = hcon
->resp_addr_type
;
2309 memcpy(io_cap
, &smp
->prsp
[1], 3);
2313 memcpy(io_cap
, &smp
->preq
[1], 3);
2316 memset(r
, 0, sizeof(r
));
2318 if (smp
->method
== REQ_PASSKEY
|| smp
->method
== DSP_PASSKEY
)
2319 put_unaligned_le32(hcon
->passkey_notify
, r
);
2321 err
= smp_f6(smp
->tfm_cmac
, smp
->mackey
, smp
->rrnd
, smp
->prnd
, r
,
2322 io_cap
, remote_addr
, local_addr
, e
);
2324 return SMP_UNSPECIFIED
;
2326 if (memcmp(check
->e
, e
, 16))
2327 return SMP_DHKEY_CHECK_FAILED
;
2330 if (test_bit(SMP_FLAG_WAIT_USER
, &smp
->flags
)) {
2331 set_bit(SMP_FLAG_DHKEY_PENDING
, &smp
->flags
);
2335 /* Slave sends DHKey check as response to master */
2336 sc_dhkey_check(smp
);
2342 hci_le_start_enc(hcon
, 0, 0, smp
->tk
);
2343 hcon
->enc_key_size
= smp
->enc_key_size
;
2349 static int smp_cmd_keypress_notify(struct l2cap_conn
*conn
,
2350 struct sk_buff
*skb
)
2352 struct smp_cmd_keypress_notify
*kp
= (void *) skb
->data
;
2354 BT_DBG("value 0x%02x", kp
->value
);
2359 static int smp_sig_channel(struct l2cap_chan
*chan
, struct sk_buff
*skb
)
2361 struct l2cap_conn
*conn
= chan
->conn
;
2362 struct hci_conn
*hcon
= conn
->hcon
;
2363 struct smp_chan
*smp
;
2367 if (hcon
->type
!= LE_LINK
) {
2375 if (!test_bit(HCI_LE_ENABLED
, &hcon
->hdev
->dev_flags
)) {
2376 reason
= SMP_PAIRING_NOTSUPP
;
2380 code
= skb
->data
[0];
2381 skb_pull(skb
, sizeof(code
));
2385 if (code
> SMP_CMD_MAX
)
2388 if (smp
&& !test_and_clear_bit(code
, &smp
->allow_cmd
))
2391 /* If we don't have a context the only allowed commands are
2392 * pairing request and security request.
2394 if (!smp
&& code
!= SMP_CMD_PAIRING_REQ
&& code
!= SMP_CMD_SECURITY_REQ
)
2398 case SMP_CMD_PAIRING_REQ
:
2399 reason
= smp_cmd_pairing_req(conn
, skb
);
2402 case SMP_CMD_PAIRING_FAIL
:
2403 smp_failure(conn
, 0);
2407 case SMP_CMD_PAIRING_RSP
:
2408 reason
= smp_cmd_pairing_rsp(conn
, skb
);
2411 case SMP_CMD_SECURITY_REQ
:
2412 reason
= smp_cmd_security_req(conn
, skb
);
2415 case SMP_CMD_PAIRING_CONFIRM
:
2416 reason
= smp_cmd_pairing_confirm(conn
, skb
);
2419 case SMP_CMD_PAIRING_RANDOM
:
2420 reason
= smp_cmd_pairing_random(conn
, skb
);
2423 case SMP_CMD_ENCRYPT_INFO
:
2424 reason
= smp_cmd_encrypt_info(conn
, skb
);
2427 case SMP_CMD_MASTER_IDENT
:
2428 reason
= smp_cmd_master_ident(conn
, skb
);
2431 case SMP_CMD_IDENT_INFO
:
2432 reason
= smp_cmd_ident_info(conn
, skb
);
2435 case SMP_CMD_IDENT_ADDR_INFO
:
2436 reason
= smp_cmd_ident_addr_info(conn
, skb
);
2439 case SMP_CMD_SIGN_INFO
:
2440 reason
= smp_cmd_sign_info(conn
, skb
);
2443 case SMP_CMD_PUBLIC_KEY
:
2444 reason
= smp_cmd_public_key(conn
, skb
);
2447 case SMP_CMD_DHKEY_CHECK
:
2448 reason
= smp_cmd_dhkey_check(conn
, skb
);
2451 case SMP_CMD_KEYPRESS_NOTIFY
:
2452 reason
= smp_cmd_keypress_notify(conn
, skb
);
2456 BT_DBG("Unknown command code 0x%2.2x", code
);
2457 reason
= SMP_CMD_NOTSUPP
;
2464 smp_failure(conn
, reason
);
2471 BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon
->hdev
->name
,
2477 static void smp_teardown_cb(struct l2cap_chan
*chan
, int err
)
2479 struct l2cap_conn
*conn
= chan
->conn
;
2481 BT_DBG("chan %p", chan
);
2484 smp_chan_destroy(conn
);
2487 l2cap_chan_put(chan
);
2490 static void smp_resume_cb(struct l2cap_chan
*chan
)
2492 struct smp_chan
*smp
= chan
->data
;
2493 struct l2cap_conn
*conn
= chan
->conn
;
2494 struct hci_conn
*hcon
= conn
->hcon
;
2496 BT_DBG("chan %p", chan
);
2501 if (!test_bit(HCI_CONN_ENCRYPT
, &hcon
->flags
))
2504 cancel_delayed_work(&smp
->security_timer
);
2506 smp_distribute_keys(smp
);
2509 static void smp_ready_cb(struct l2cap_chan
*chan
)
2511 struct l2cap_conn
*conn
= chan
->conn
;
2513 BT_DBG("chan %p", chan
);
2516 l2cap_chan_hold(chan
);
2519 static int smp_recv_cb(struct l2cap_chan
*chan
, struct sk_buff
*skb
)
2523 BT_DBG("chan %p", chan
);
2525 err
= smp_sig_channel(chan
, skb
);
2527 struct smp_chan
*smp
= chan
->data
;
2530 cancel_delayed_work_sync(&smp
->security_timer
);
2532 hci_disconnect(chan
->conn
->hcon
, HCI_ERROR_AUTH_FAILURE
);
2538 static struct sk_buff
*smp_alloc_skb_cb(struct l2cap_chan
*chan
,
2539 unsigned long hdr_len
,
2540 unsigned long len
, int nb
)
2542 struct sk_buff
*skb
;
2544 skb
= bt_skb_alloc(hdr_len
+ len
, GFP_KERNEL
);
2546 return ERR_PTR(-ENOMEM
);
2548 skb
->priority
= HCI_PRIO_MAX
;
2549 bt_cb(skb
)->chan
= chan
;
2554 static const struct l2cap_ops smp_chan_ops
= {
2555 .name
= "Security Manager",
2556 .ready
= smp_ready_cb
,
2557 .recv
= smp_recv_cb
,
2558 .alloc_skb
= smp_alloc_skb_cb
,
2559 .teardown
= smp_teardown_cb
,
2560 .resume
= smp_resume_cb
,
2562 .new_connection
= l2cap_chan_no_new_connection
,
2563 .state_change
= l2cap_chan_no_state_change
,
2564 .close
= l2cap_chan_no_close
,
2565 .defer
= l2cap_chan_no_defer
,
2566 .suspend
= l2cap_chan_no_suspend
,
2567 .set_shutdown
= l2cap_chan_no_set_shutdown
,
2568 .get_sndtimeo
= l2cap_chan_no_get_sndtimeo
,
2569 .memcpy_fromiovec
= l2cap_chan_no_memcpy_fromiovec
,
2572 static inline struct l2cap_chan
*smp_new_conn_cb(struct l2cap_chan
*pchan
)
2574 struct l2cap_chan
*chan
;
2576 BT_DBG("pchan %p", pchan
);
2578 chan
= l2cap_chan_create();
2582 chan
->chan_type
= pchan
->chan_type
;
2583 chan
->ops
= &smp_chan_ops
;
2584 chan
->scid
= pchan
->scid
;
2585 chan
->dcid
= chan
->scid
;
2586 chan
->imtu
= pchan
->imtu
;
2587 chan
->omtu
= pchan
->omtu
;
2588 chan
->mode
= pchan
->mode
;
2590 /* Other L2CAP channels may request SMP routines in order to
2591 * change the security level. This means that the SMP channel
2592 * lock must be considered in its own category to avoid lockdep
2595 atomic_set(&chan
->nesting
, L2CAP_NESTING_SMP
);
2597 BT_DBG("created chan %p", chan
);
2602 static const struct l2cap_ops smp_root_chan_ops
= {
2603 .name
= "Security Manager Root",
2604 .new_connection
= smp_new_conn_cb
,
2606 /* None of these are implemented for the root channel */
2607 .close
= l2cap_chan_no_close
,
2608 .alloc_skb
= l2cap_chan_no_alloc_skb
,
2609 .recv
= l2cap_chan_no_recv
,
2610 .state_change
= l2cap_chan_no_state_change
,
2611 .teardown
= l2cap_chan_no_teardown
,
2612 .ready
= l2cap_chan_no_ready
,
2613 .defer
= l2cap_chan_no_defer
,
2614 .suspend
= l2cap_chan_no_suspend
,
2615 .resume
= l2cap_chan_no_resume
,
2616 .set_shutdown
= l2cap_chan_no_set_shutdown
,
2617 .get_sndtimeo
= l2cap_chan_no_get_sndtimeo
,
2618 .memcpy_fromiovec
= l2cap_chan_no_memcpy_fromiovec
,
2621 int smp_register(struct hci_dev
*hdev
)
2623 struct l2cap_chan
*chan
;
2624 struct crypto_blkcipher
*tfm_aes
;
2626 BT_DBG("%s", hdev
->name
);
2628 tfm_aes
= crypto_alloc_blkcipher("ecb(aes)", 0, 0);
2629 if (IS_ERR(tfm_aes
)) {
2630 int err
= PTR_ERR(tfm_aes
);
2631 BT_ERR("Unable to create crypto context");
2635 chan
= l2cap_chan_create();
2637 crypto_free_blkcipher(tfm_aes
);
2641 chan
->data
= tfm_aes
;
2643 l2cap_add_scid(chan
, L2CAP_CID_SMP
);
2645 l2cap_chan_set_defaults(chan
);
2647 bacpy(&chan
->src
, &hdev
->bdaddr
);
2648 chan
->src_type
= BDADDR_LE_PUBLIC
;
2649 chan
->state
= BT_LISTEN
;
2650 chan
->mode
= L2CAP_MODE_BASIC
;
2651 chan
->imtu
= L2CAP_DEFAULT_MTU
;
2652 chan
->ops
= &smp_root_chan_ops
;
2654 /* Set correct nesting level for a parent/listening channel */
2655 atomic_set(&chan
->nesting
, L2CAP_NESTING_PARENT
);
2657 hdev
->smp_data
= chan
;
2662 void smp_unregister(struct hci_dev
*hdev
)
2664 struct l2cap_chan
*chan
= hdev
->smp_data
;
2665 struct crypto_blkcipher
*tfm_aes
;
2670 BT_DBG("%s chan %p", hdev
->name
, chan
);
2672 tfm_aes
= chan
->data
;
2675 crypto_free_blkcipher(tfm_aes
);
2678 hdev
->smp_data
= NULL
;
2679 l2cap_chan_put(chan
);