2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
23 #include <linux/debugfs.h>
24 #include <linux/crypto.h>
25 #include <linux/scatterlist.h>
26 #include <crypto/b128ops.h>
28 #include <net/bluetooth/bluetooth.h>
29 #include <net/bluetooth/hci_core.h>
30 #include <net/bluetooth/l2cap.h>
31 #include <net/bluetooth/mgmt.h>
36 #define SMP_DEV(hdev) \
37 ((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
39 /* Low-level debug macros to be used for stuff that we don't want
40 * accidentially in dmesg, i.e. the values of the various crypto keys
41 * and the inputs & outputs of crypto functions.
44 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
47 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
51 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
53 /* Keys which are not distributed with Secure Connections */
54 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
56 #define SMP_TIMEOUT msecs_to_jiffies(30000)
58 #define AUTH_REQ_MASK(dev) (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
60 #define KEY_DIST_MASK 0x07
62 /* Maximum message length that can be passed to aes_cmac */
63 #define CMAC_MSG_MAX 80
75 SMP_FLAG_DHKEY_PENDING,
81 /* Secure Connections OOB data */
90 struct crypto_blkcipher *tfm_aes;
91 struct crypto_hash *tfm_cmac;
95 struct l2cap_conn *conn;
96 struct delayed_work security_timer;
97 unsigned long allow_cmd; /* Bitmask of allowed commands */
99 u8 preq[7]; /* SMP Pairing Request */
100 u8 prsp[7]; /* SMP Pairing Response */
101 u8 prnd[16]; /* SMP Pairing Random (local) */
102 u8 rrnd[16]; /* SMP Pairing Random (remote) */
103 u8 pcnf[16]; /* SMP Pairing Confirm */
104 u8 tk[16]; /* SMP Temporary Key */
105 u8 rr[16]; /* Remote OOB ra/rb value */
106 u8 lr[16]; /* Local OOB ra/rb value */
112 struct smp_csrk *csrk;
113 struct smp_csrk *slave_csrk;
115 struct smp_ltk *slave_ltk;
116 struct smp_irk *remote_irk;
122 /* Secure Connections variables */
129 struct crypto_blkcipher *tfm_aes;
130 struct crypto_hash *tfm_cmac;
133 /* These debug key values are defined in the SMP section of the core
134 * specification. debug_pk is the public debug key and debug_sk the
137 static const u8 debug_pk[64] = {
138 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
139 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
140 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
141 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
143 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
144 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
145 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
146 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
149 static const u8 debug_sk[32] = {
150 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
151 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
152 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
153 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
156 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
160 for (i = 0; i < len; i++)
161 dst[len - 1 - i] = src[i];
164 /* The following functions map to the LE SC SMP crypto functions
165 * AES-CMAC, f4, f5, f6, g2 and h6.
168 static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m,
169 size_t len, u8 mac[16])
171 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
172 struct hash_desc desc;
173 struct scatterlist sg;
176 if (len > CMAC_MSG_MAX)
180 BT_ERR("tfm %p", tfm);
187 crypto_hash_init(&desc);
189 /* Swap key and message from LSB to MSB */
190 swap_buf(k, tmp, 16);
191 swap_buf(m, msg_msb, len);
193 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
194 SMP_DBG("key %16phN", k);
196 err = crypto_hash_setkey(tfm, tmp, 16);
198 BT_ERR("cipher setkey failed: %d", err);
202 sg_init_one(&sg, msg_msb, len);
204 err = crypto_hash_update(&desc, &sg, len);
206 BT_ERR("Hash update error %d", err);
210 err = crypto_hash_final(&desc, mac_msb);
212 BT_ERR("Hash final error %d", err);
216 swap_buf(mac_msb, mac, 16);
218 SMP_DBG("mac %16phN", mac);
223 static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
224 const u8 x[16], u8 z, u8 res[16])
229 SMP_DBG("u %32phN", u);
230 SMP_DBG("v %32phN", v);
231 SMP_DBG("x %16phN z %02x", x, z);
234 memcpy(m + 1, v, 32);
235 memcpy(m + 33, u, 32);
237 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
241 SMP_DBG("res %16phN", res);
246 static int smp_f5(struct crypto_hash *tfm_cmac, const u8 w[32],
247 const u8 n1[16], const u8 n2[16], const u8 a1[7],
248 const u8 a2[7], u8 mackey[16], u8 ltk[16])
250 /* The btle, salt and length "magic" values are as defined in
251 * the SMP section of the Bluetooth core specification. In ASCII
252 * the btle value ends up being 'btle'. The salt is just a
253 * random number whereas length is the value 256 in little
256 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
257 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
258 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
259 const u8 length[2] = { 0x00, 0x01 };
263 SMP_DBG("w %32phN", w);
264 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
265 SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
267 err = aes_cmac(tfm_cmac, salt, w, 32, t);
271 SMP_DBG("t %16phN", t);
273 memcpy(m, length, 2);
274 memcpy(m + 2, a2, 7);
275 memcpy(m + 9, a1, 7);
276 memcpy(m + 16, n2, 16);
277 memcpy(m + 32, n1, 16);
278 memcpy(m + 48, btle, 4);
280 m[52] = 0; /* Counter */
282 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
286 SMP_DBG("mackey %16phN", mackey);
288 m[52] = 1; /* Counter */
290 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
294 SMP_DBG("ltk %16phN", ltk);
299 static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16],
300 const u8 n1[16], const u8 n2[16], const u8 r[16],
301 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
307 SMP_DBG("w %16phN", w);
308 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
309 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
312 memcpy(m + 7, a1, 7);
313 memcpy(m + 14, io_cap, 3);
314 memcpy(m + 17, r, 16);
315 memcpy(m + 33, n2, 16);
316 memcpy(m + 49, n1, 16);
318 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
322 SMP_DBG("res %16phN", res);
327 static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
328 const u8 x[16], const u8 y[16], u32 *val)
333 SMP_DBG("u %32phN", u);
334 SMP_DBG("v %32phN", v);
335 SMP_DBG("x %16phN y %16phN", x, y);
338 memcpy(m + 16, v, 32);
339 memcpy(m + 48, u, 32);
341 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
345 *val = get_unaligned_le32(tmp);
348 SMP_DBG("val %06u", *val);
353 static int smp_h6(struct crypto_hash *tfm_cmac, const u8 w[16],
354 const u8 key_id[4], u8 res[16])
358 SMP_DBG("w %16phN key_id %4phN", w, key_id);
360 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
364 SMP_DBG("res %16phN", res);
369 /* The following functions map to the legacy SMP crypto functions e, c1,
373 static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
375 struct blkcipher_desc desc;
376 struct scatterlist sg;
377 uint8_t tmp[16], data[16];
380 SMP_DBG("k %16phN r %16phN", k, r);
383 BT_ERR("tfm %p", tfm);
390 /* The most significant octet of key corresponds to k[0] */
391 swap_buf(k, tmp, 16);
393 err = crypto_blkcipher_setkey(tfm, tmp, 16);
395 BT_ERR("cipher setkey failed: %d", err);
399 /* Most significant octet of plaintextData corresponds to data[0] */
400 swap_buf(r, data, 16);
402 sg_init_one(&sg, data, 16);
404 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
406 BT_ERR("Encrypt data error %d", err);
408 /* Most significant octet of encryptedData corresponds to data[0] */
409 swap_buf(data, r, 16);
411 SMP_DBG("r %16phN", r);
416 static int smp_c1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
417 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
418 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
423 SMP_DBG("k %16phN r %16phN", k, r);
424 SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
425 SMP_DBG("preq %7phN pres %7phN", preq, pres);
429 /* p1 = pres || preq || _rat || _iat */
432 memcpy(p1 + 2, preq, 7);
433 memcpy(p1 + 9, pres, 7);
435 SMP_DBG("p1 %16phN", p1);
438 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
440 /* res = e(k, res) */
441 err = smp_e(tfm_aes, k, res);
443 BT_ERR("Encrypt data error");
447 /* p2 = padding || ia || ra */
449 memcpy(p2 + 6, ia, 6);
450 memset(p2 + 12, 0, 4);
452 SMP_DBG("p2 %16phN", p2);
454 /* res = res XOR p2 */
455 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
457 /* res = e(k, res) */
458 err = smp_e(tfm_aes, k, res);
460 BT_ERR("Encrypt data error");
465 static int smp_s1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
466 const u8 r1[16], const u8 r2[16], u8 _r[16])
470 /* Just least significant octets from r1 and r2 are considered */
472 memcpy(_r + 8, r1, 8);
474 err = smp_e(tfm_aes, k, _r);
476 BT_ERR("Encrypt data error");
481 static int smp_ah(struct crypto_blkcipher *tfm, const u8 irk[16],
482 const u8 r[3], u8 res[3])
487 /* r' = padding || r */
489 memset(_res + 3, 0, 13);
491 err = smp_e(tfm, irk, _res);
493 BT_ERR("Encrypt error");
497 /* The output of the random address function ah is:
498 * ah(k, r) = e(k, r') mod 2^24
499 * The output of the security function e is then truncated to 24 bits
500 * by taking the least significant 24 bits of the output of e as the
503 memcpy(res, _res, 3);
508 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
509 const bdaddr_t *bdaddr)
511 struct l2cap_chan *chan = hdev->smp_data;
516 if (!chan || !chan->data)
521 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
523 err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash);
527 return !memcmp(bdaddr->b, hash, 3);
530 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
532 struct l2cap_chan *chan = hdev->smp_data;
536 if (!chan || !chan->data)
541 get_random_bytes(&rpa->b[3], 3);
543 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
544 rpa->b[5] |= 0x40; /* Set second most significant bit */
546 err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b);
550 BT_DBG("RPA %pMR", rpa);
555 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
557 struct l2cap_chan *chan = hdev->smp_data;
561 if (!chan || !chan->data)
566 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
567 BT_DBG("Using debug keys");
568 memcpy(smp->local_pk, debug_pk, 64);
569 memcpy(smp->local_sk, debug_sk, 32);
570 smp->debug_key = true;
573 /* Generate local key pair for Secure Connections */
574 if (!ecc_make_key(smp->local_pk, smp->local_sk))
577 /* This is unlikely, but we need to check that
578 * we didn't accidentially generate a debug key.
580 if (memcmp(smp->local_sk, debug_sk, 32))
583 smp->debug_key = false;
586 SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
587 SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
588 SMP_DBG("OOB Private Key: %32phN", smp->local_sk);
590 get_random_bytes(smp->local_rand, 16);
592 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
593 smp->local_rand, 0, hash);
597 memcpy(rand, smp->local_rand, 16);
602 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
604 struct l2cap_chan *chan = conn->smp;
605 struct smp_chan *smp;
612 BT_DBG("code 0x%2.2x", code);
614 iv[0].iov_base = &code;
617 iv[1].iov_base = data;
620 memset(&msg, 0, sizeof(msg));
622 iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
624 l2cap_chan_send(chan, &msg, 1 + len);
631 cancel_delayed_work_sync(&smp->security_timer);
632 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
635 static u8 authreq_to_seclevel(u8 authreq)
637 if (authreq & SMP_AUTH_MITM) {
638 if (authreq & SMP_AUTH_SC)
639 return BT_SECURITY_FIPS;
641 return BT_SECURITY_HIGH;
643 return BT_SECURITY_MEDIUM;
647 static __u8 seclevel_to_authreq(__u8 sec_level)
650 case BT_SECURITY_FIPS:
651 case BT_SECURITY_HIGH:
652 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
653 case BT_SECURITY_MEDIUM:
654 return SMP_AUTH_BONDING;
656 return SMP_AUTH_NONE;
660 static void build_pairing_cmd(struct l2cap_conn *conn,
661 struct smp_cmd_pairing *req,
662 struct smp_cmd_pairing *rsp, __u8 authreq)
664 struct l2cap_chan *chan = conn->smp;
665 struct smp_chan *smp = chan->data;
666 struct hci_conn *hcon = conn->hcon;
667 struct hci_dev *hdev = hcon->hdev;
668 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
670 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
671 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
672 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
673 authreq |= SMP_AUTH_BONDING;
675 authreq &= ~SMP_AUTH_BONDING;
678 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
679 remote_dist |= SMP_DIST_ID_KEY;
681 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
682 local_dist |= SMP_DIST_ID_KEY;
684 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
685 (authreq & SMP_AUTH_SC)) {
686 struct oob_data *oob_data;
689 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
690 local_dist |= SMP_DIST_LINK_KEY;
691 remote_dist |= SMP_DIST_LINK_KEY;
694 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
695 bdaddr_type = BDADDR_LE_PUBLIC;
697 bdaddr_type = BDADDR_LE_RANDOM;
699 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
701 if (oob_data && oob_data->present) {
702 set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
703 oob_flag = SMP_OOB_PRESENT;
704 memcpy(smp->rr, oob_data->rand256, 16);
705 memcpy(smp->pcnf, oob_data->hash256, 16);
706 SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
707 SMP_DBG("OOB Remote Random: %16phN", smp->rr);
711 authreq &= ~SMP_AUTH_SC;
715 req->io_capability = conn->hcon->io_capability;
716 req->oob_flag = oob_flag;
717 req->max_key_size = SMP_DEV(hdev)->max_key_size;
718 req->init_key_dist = local_dist;
719 req->resp_key_dist = remote_dist;
720 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
722 smp->remote_key_dist = remote_dist;
726 rsp->io_capability = conn->hcon->io_capability;
727 rsp->oob_flag = oob_flag;
728 rsp->max_key_size = SMP_DEV(hdev)->max_key_size;
729 rsp->init_key_dist = req->init_key_dist & remote_dist;
730 rsp->resp_key_dist = req->resp_key_dist & local_dist;
731 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
733 smp->remote_key_dist = rsp->init_key_dist;
736 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
738 struct l2cap_chan *chan = conn->smp;
739 struct hci_dev *hdev = conn->hcon->hdev;
740 struct smp_chan *smp = chan->data;
742 if (max_key_size > SMP_DEV(hdev)->max_key_size ||
743 max_key_size < SMP_MIN_ENC_KEY_SIZE)
744 return SMP_ENC_KEY_SIZE;
746 smp->enc_key_size = max_key_size;
751 static void smp_chan_destroy(struct l2cap_conn *conn)
753 struct l2cap_chan *chan = conn->smp;
754 struct smp_chan *smp = chan->data;
755 struct hci_conn *hcon = conn->hcon;
760 cancel_delayed_work_sync(&smp->security_timer);
762 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
763 mgmt_smp_complete(hcon, complete);
766 kzfree(smp->slave_csrk);
767 kzfree(smp->link_key);
769 crypto_free_blkcipher(smp->tfm_aes);
770 crypto_free_hash(smp->tfm_cmac);
772 /* Ensure that we don't leave any debug key around if debug key
773 * support hasn't been explicitly enabled.
775 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
776 !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
777 list_del_rcu(&smp->ltk->list);
778 kfree_rcu(smp->ltk, rcu);
782 /* If pairing failed clean up any keys we might have */
785 list_del_rcu(&smp->ltk->list);
786 kfree_rcu(smp->ltk, rcu);
789 if (smp->slave_ltk) {
790 list_del_rcu(&smp->slave_ltk->list);
791 kfree_rcu(smp->slave_ltk, rcu);
794 if (smp->remote_irk) {
795 list_del_rcu(&smp->remote_irk->list);
796 kfree_rcu(smp->remote_irk, rcu);
805 static void smp_failure(struct l2cap_conn *conn, u8 reason)
807 struct hci_conn *hcon = conn->hcon;
808 struct l2cap_chan *chan = conn->smp;
811 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
814 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
817 smp_chan_destroy(conn);
820 #define JUST_WORKS 0x00
821 #define JUST_CFM 0x01
822 #define REQ_PASSKEY 0x02
823 #define CFM_PASSKEY 0x03
825 #define DSP_PASSKEY 0x05
828 static const u8 gen_method[5][5] = {
829 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
830 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
831 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
832 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
833 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
836 static const u8 sc_method[5][5] = {
837 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
838 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
839 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
840 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
841 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
844 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
846 /* If either side has unknown io_caps, use JUST_CFM (which gets
847 * converted later to JUST_WORKS if we're initiators.
849 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
850 remote_io > SMP_IO_KEYBOARD_DISPLAY)
853 if (test_bit(SMP_FLAG_SC, &smp->flags))
854 return sc_method[remote_io][local_io];
856 return gen_method[remote_io][local_io];
859 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
860 u8 local_io, u8 remote_io)
862 struct hci_conn *hcon = conn->hcon;
863 struct l2cap_chan *chan = conn->smp;
864 struct smp_chan *smp = chan->data;
868 /* Initialize key for JUST WORKS */
869 memset(smp->tk, 0, sizeof(smp->tk));
870 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
872 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
874 /* If neither side wants MITM, either "just" confirm an incoming
875 * request or use just-works for outgoing ones. The JUST_CFM
876 * will be converted to JUST_WORKS if necessary later in this
877 * function. If either side has MITM look up the method from the
880 if (!(auth & SMP_AUTH_MITM))
881 smp->method = JUST_CFM;
883 smp->method = get_auth_method(smp, local_io, remote_io);
885 /* Don't confirm locally initiated pairing attempts */
886 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
888 smp->method = JUST_WORKS;
890 /* Don't bother user space with no IO capabilities */
891 if (smp->method == JUST_CFM &&
892 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
893 smp->method = JUST_WORKS;
895 /* If Just Works, Continue with Zero TK */
896 if (smp->method == JUST_WORKS) {
897 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
901 /* If this function is used for SC -> legacy fallback we
902 * can only recover the just-works case.
904 if (test_bit(SMP_FLAG_SC, &smp->flags))
907 /* Not Just Works/Confirm results in MITM Authentication */
908 if (smp->method != JUST_CFM) {
909 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
910 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
911 hcon->pending_sec_level = BT_SECURITY_HIGH;
914 /* If both devices have Keyoard-Display I/O, the master
915 * Confirms and the slave Enters the passkey.
917 if (smp->method == OVERLAP) {
918 if (hcon->role == HCI_ROLE_MASTER)
919 smp->method = CFM_PASSKEY;
921 smp->method = REQ_PASSKEY;
924 /* Generate random passkey. */
925 if (smp->method == CFM_PASSKEY) {
926 memset(smp->tk, 0, sizeof(smp->tk));
927 get_random_bytes(&passkey, sizeof(passkey));
929 put_unaligned_le32(passkey, smp->tk);
930 BT_DBG("PassKey: %d", passkey);
931 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
934 if (smp->method == REQ_PASSKEY)
935 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
936 hcon->type, hcon->dst_type);
937 else if (smp->method == JUST_CFM)
938 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
939 hcon->type, hcon->dst_type,
942 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
943 hcon->type, hcon->dst_type,
949 static u8 smp_confirm(struct smp_chan *smp)
951 struct l2cap_conn *conn = smp->conn;
952 struct smp_cmd_pairing_confirm cp;
955 BT_DBG("conn %p", conn);
957 ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
958 conn->hcon->init_addr_type, &conn->hcon->init_addr,
959 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
962 return SMP_UNSPECIFIED;
964 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
966 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
969 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
971 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
976 static u8 smp_random(struct smp_chan *smp)
978 struct l2cap_conn *conn = smp->conn;
979 struct hci_conn *hcon = conn->hcon;
983 if (IS_ERR_OR_NULL(smp->tfm_aes))
984 return SMP_UNSPECIFIED;
986 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
988 ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
989 hcon->init_addr_type, &hcon->init_addr,
990 hcon->resp_addr_type, &hcon->resp_addr, confirm);
992 return SMP_UNSPECIFIED;
994 if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
995 BT_ERR("Pairing failed (confirmation values mismatch)");
996 return SMP_CONFIRM_FAILED;
1004 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
1006 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1007 return SMP_UNSPECIFIED;
1009 hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1010 hcon->enc_key_size = smp->enc_key_size;
1011 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1017 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1020 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
1022 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1027 /* Even though there's no _SLAVE suffix this is the
1028 * slave STK we're adding for later lookup (the master
1029 * STK never needs to be stored).
1031 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1032 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1038 static void smp_notify_keys(struct l2cap_conn *conn)
1040 struct l2cap_chan *chan = conn->smp;
1041 struct smp_chan *smp = chan->data;
1042 struct hci_conn *hcon = conn->hcon;
1043 struct hci_dev *hdev = hcon->hdev;
1044 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1045 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1048 if (hcon->type == ACL_LINK) {
1049 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1052 persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1055 /* The LTKs, IRKs and CSRKs should be persistent only if
1056 * both sides had the bonding bit set in their
1057 * authentication requests.
1059 persistent = !!((req->auth_req & rsp->auth_req) &
1063 if (smp->remote_irk) {
1064 mgmt_new_irk(hdev, smp->remote_irk, persistent);
1066 /* Now that user space can be considered to know the
1067 * identity address track the connection based on it
1068 * from now on (assuming this is an LE link).
1070 if (hcon->type == LE_LINK) {
1071 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1072 hcon->dst_type = smp->remote_irk->addr_type;
1073 queue_work(hdev->workqueue, &conn->id_addr_update_work);
1078 smp->csrk->bdaddr_type = hcon->dst_type;
1079 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1080 mgmt_new_csrk(hdev, smp->csrk, persistent);
1083 if (smp->slave_csrk) {
1084 smp->slave_csrk->bdaddr_type = hcon->dst_type;
1085 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1086 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1090 smp->ltk->bdaddr_type = hcon->dst_type;
1091 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1092 mgmt_new_ltk(hdev, smp->ltk, persistent);
1095 if (smp->slave_ltk) {
1096 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1097 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1098 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1101 if (smp->link_key) {
1102 struct link_key *key;
1105 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1106 type = HCI_LK_DEBUG_COMBINATION;
1107 else if (hcon->sec_level == BT_SECURITY_FIPS)
1108 type = HCI_LK_AUTH_COMBINATION_P256;
1110 type = HCI_LK_UNAUTH_COMBINATION_P256;
1112 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1113 smp->link_key, type, 0, &persistent);
1115 mgmt_new_link_key(hdev, key, persistent);
1117 /* Don't keep debug keys around if the relevant
1120 if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1121 key->type == HCI_LK_DEBUG_COMBINATION) {
1122 list_del_rcu(&key->list);
1123 kfree_rcu(key, rcu);
1129 static void sc_add_ltk(struct smp_chan *smp)
1131 struct hci_conn *hcon = smp->conn->hcon;
1134 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1135 key_type = SMP_LTK_P256_DEBUG;
1137 key_type = SMP_LTK_P256;
1139 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1144 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1145 key_type, auth, smp->tk, smp->enc_key_size,
1149 static void sc_generate_link_key(struct smp_chan *smp)
1151 /* These constants are as specified in the core specification.
1152 * In ASCII they spell out to 'tmp1' and 'lebr'.
1154 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1155 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1157 smp->link_key = kzalloc(16, GFP_KERNEL);
1161 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1162 kzfree(smp->link_key);
1163 smp->link_key = NULL;
1167 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1168 kzfree(smp->link_key);
1169 smp->link_key = NULL;
1174 static void smp_allow_key_dist(struct smp_chan *smp)
1176 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1177 * will be allowed in each PDU handler to ensure we receive
1178 * them in the correct order.
1180 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1181 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1182 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1183 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1184 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1185 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1188 static void sc_generate_ltk(struct smp_chan *smp)
1190 /* These constants are as specified in the core specification.
1191 * In ASCII they spell out to 'tmp2' and 'brle'.
1193 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1194 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1195 struct hci_conn *hcon = smp->conn->hcon;
1196 struct hci_dev *hdev = hcon->hdev;
1197 struct link_key *key;
1199 key = hci_find_link_key(hdev, &hcon->dst);
1201 BT_ERR("%s No Link Key found to generate LTK", hdev->name);
1205 if (key->type == HCI_LK_DEBUG_COMBINATION)
1206 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1208 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1211 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1217 static void smp_distribute_keys(struct smp_chan *smp)
1219 struct smp_cmd_pairing *req, *rsp;
1220 struct l2cap_conn *conn = smp->conn;
1221 struct hci_conn *hcon = conn->hcon;
1222 struct hci_dev *hdev = hcon->hdev;
1225 BT_DBG("conn %p", conn);
1227 rsp = (void *) &smp->prsp[1];
1229 /* The responder sends its keys first */
1230 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1231 smp_allow_key_dist(smp);
1235 req = (void *) &smp->preq[1];
1238 keydist = &rsp->init_key_dist;
1239 *keydist &= req->init_key_dist;
1241 keydist = &rsp->resp_key_dist;
1242 *keydist &= req->resp_key_dist;
1245 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1246 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1247 sc_generate_link_key(smp);
1248 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1249 sc_generate_ltk(smp);
1251 /* Clear the keys which are generated but not distributed */
1252 *keydist &= ~SMP_SC_NO_DIST;
1255 BT_DBG("keydist 0x%x", *keydist);
1257 if (*keydist & SMP_DIST_ENC_KEY) {
1258 struct smp_cmd_encrypt_info enc;
1259 struct smp_cmd_master_ident ident;
1260 struct smp_ltk *ltk;
1265 /* Make sure we generate only the significant amount of
1266 * bytes based on the encryption key size, and set the rest
1267 * of the value to zeroes.
1269 get_random_bytes(enc.ltk, smp->enc_key_size);
1270 memset(enc.ltk + smp->enc_key_size, 0,
1271 sizeof(enc.ltk) - smp->enc_key_size);
1273 get_random_bytes(&ediv, sizeof(ediv));
1274 get_random_bytes(&rand, sizeof(rand));
1276 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1278 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1279 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1280 SMP_LTK_SLAVE, authenticated, enc.ltk,
1281 smp->enc_key_size, ediv, rand);
1282 smp->slave_ltk = ltk;
1287 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1289 *keydist &= ~SMP_DIST_ENC_KEY;
1292 if (*keydist & SMP_DIST_ID_KEY) {
1293 struct smp_cmd_ident_addr_info addrinfo;
1294 struct smp_cmd_ident_info idinfo;
1296 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1298 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1300 /* The hci_conn contains the local identity address
1301 * after the connection has been established.
1303 * This is true even when the connection has been
1304 * established using a resolvable random address.
1306 bacpy(&addrinfo.bdaddr, &hcon->src);
1307 addrinfo.addr_type = hcon->src_type;
1309 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1312 *keydist &= ~SMP_DIST_ID_KEY;
1315 if (*keydist & SMP_DIST_SIGN) {
1316 struct smp_cmd_sign_info sign;
1317 struct smp_csrk *csrk;
1319 /* Generate a new random key */
1320 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1322 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1324 if (hcon->sec_level > BT_SECURITY_MEDIUM)
1325 csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1327 csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1328 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1330 smp->slave_csrk = csrk;
1332 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1334 *keydist &= ~SMP_DIST_SIGN;
1337 /* If there are still keys to be received wait for them */
1338 if (smp->remote_key_dist & KEY_DIST_MASK) {
1339 smp_allow_key_dist(smp);
1343 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1344 smp_notify_keys(conn);
1346 smp_chan_destroy(conn);
1349 static void smp_timeout(struct work_struct *work)
1351 struct smp_chan *smp = container_of(work, struct smp_chan,
1352 security_timer.work);
1353 struct l2cap_conn *conn = smp->conn;
1355 BT_DBG("conn %p", conn);
1357 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1360 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1362 struct l2cap_chan *chan = conn->smp;
1363 struct smp_chan *smp;
1365 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1369 smp->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
1370 if (IS_ERR(smp->tfm_aes)) {
1371 BT_ERR("Unable to create ECB crypto context");
1376 smp->tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
1377 if (IS_ERR(smp->tfm_cmac)) {
1378 BT_ERR("Unable to create CMAC crypto context");
1379 crypto_free_blkcipher(smp->tfm_aes);
1387 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1389 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1391 hci_conn_hold(conn->hcon);
1396 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1398 struct hci_conn *hcon = smp->conn->hcon;
1399 u8 *na, *nb, a[7], b[7];
1409 memcpy(a, &hcon->init_addr, 6);
1410 memcpy(b, &hcon->resp_addr, 6);
1411 a[6] = hcon->init_addr_type;
1412 b[6] = hcon->resp_addr_type;
1414 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1417 static void sc_dhkey_check(struct smp_chan *smp)
1419 struct hci_conn *hcon = smp->conn->hcon;
1420 struct smp_cmd_dhkey_check check;
1421 u8 a[7], b[7], *local_addr, *remote_addr;
1422 u8 io_cap[3], r[16];
1424 memcpy(a, &hcon->init_addr, 6);
1425 memcpy(b, &hcon->resp_addr, 6);
1426 a[6] = hcon->init_addr_type;
1427 b[6] = hcon->resp_addr_type;
1432 memcpy(io_cap, &smp->preq[1], 3);
1436 memcpy(io_cap, &smp->prsp[1], 3);
1439 memset(r, 0, sizeof(r));
1441 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1442 put_unaligned_le32(hcon->passkey_notify, r);
1444 if (smp->method == REQ_OOB)
1445 memcpy(r, smp->rr, 16);
1447 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1448 local_addr, remote_addr, check.e);
1450 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1453 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1455 struct l2cap_conn *conn = smp->conn;
1456 struct hci_conn *hcon = conn->hcon;
1457 struct smp_cmd_pairing_confirm cfm;
1460 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1463 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1465 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1467 return SMP_UNSPECIFIED;
1469 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1474 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1476 struct l2cap_conn *conn = smp->conn;
1477 struct hci_conn *hcon = conn->hcon;
1478 struct hci_dev *hdev = hcon->hdev;
1481 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1482 if (smp->passkey_round >= 20)
1486 case SMP_CMD_PAIRING_RANDOM:
1487 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1490 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1492 return SMP_UNSPECIFIED;
1494 if (memcmp(smp->pcnf, cfm, 16))
1495 return SMP_CONFIRM_FAILED;
1497 smp->passkey_round++;
1499 if (smp->passkey_round == 20) {
1500 /* Generate MacKey and LTK */
1501 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1502 return SMP_UNSPECIFIED;
1505 /* The round is only complete when the initiator
1506 * receives pairing random.
1509 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1510 sizeof(smp->prnd), smp->prnd);
1511 if (smp->passkey_round == 20)
1512 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1514 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1518 /* Start the next round */
1519 if (smp->passkey_round != 20)
1520 return sc_passkey_round(smp, 0);
1522 /* Passkey rounds are complete - start DHKey Check */
1523 sc_dhkey_check(smp);
1524 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1528 case SMP_CMD_PAIRING_CONFIRM:
1529 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1530 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1534 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1537 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1538 sizeof(smp->prnd), smp->prnd);
1542 return sc_passkey_send_confirm(smp);
1544 case SMP_CMD_PUBLIC_KEY:
1546 /* Initiating device starts the round */
1550 BT_DBG("%s Starting passkey round %u", hdev->name,
1551 smp->passkey_round + 1);
1553 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1555 return sc_passkey_send_confirm(smp);
1561 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1563 struct l2cap_conn *conn = smp->conn;
1564 struct hci_conn *hcon = conn->hcon;
1567 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1570 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1571 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1573 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1574 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1576 case MGMT_OP_USER_PASSKEY_REPLY:
1577 hcon->passkey_notify = le32_to_cpu(passkey);
1578 smp->passkey_round = 0;
1580 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1581 smp_op = SMP_CMD_PAIRING_CONFIRM;
1585 if (sc_passkey_round(smp, smp_op))
1591 /* Initiator sends DHKey check first */
1593 sc_dhkey_check(smp);
1594 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1595 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1596 sc_dhkey_check(smp);
1603 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1605 struct l2cap_conn *conn = hcon->l2cap_data;
1606 struct l2cap_chan *chan;
1607 struct smp_chan *smp;
1620 l2cap_chan_lock(chan);
1628 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1629 err = sc_user_reply(smp, mgmt_op, passkey);
1634 case MGMT_OP_USER_PASSKEY_REPLY:
1635 value = le32_to_cpu(passkey);
1636 memset(smp->tk, 0, sizeof(smp->tk));
1637 BT_DBG("PassKey: %d", value);
1638 put_unaligned_le32(value, smp->tk);
1640 case MGMT_OP_USER_CONFIRM_REPLY:
1641 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1643 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1644 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1645 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1649 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1656 /* If it is our turn to send Pairing Confirm, do so now */
1657 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1658 u8 rsp = smp_confirm(smp);
1660 smp_failure(conn, rsp);
1664 l2cap_chan_unlock(chan);
1668 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1669 struct smp_cmd_pairing *req,
1670 struct smp_cmd_pairing *rsp)
1672 struct l2cap_conn *conn = smp->conn;
1673 struct hci_dev *hdev = conn->hcon->hdev;
1674 u8 local_dist = 0, remote_dist = 0;
1676 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1677 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1678 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1681 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1682 remote_dist |= SMP_DIST_ID_KEY;
1684 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1685 local_dist |= SMP_DIST_ID_KEY;
1688 memset(req, 0, sizeof(*req));
1690 req->init_key_dist = local_dist;
1691 req->resp_key_dist = remote_dist;
1692 req->max_key_size = conn->hcon->enc_key_size;
1694 smp->remote_key_dist = remote_dist;
1699 memset(rsp, 0, sizeof(*rsp));
1701 rsp->max_key_size = conn->hcon->enc_key_size;
1702 rsp->init_key_dist = req->init_key_dist & remote_dist;
1703 rsp->resp_key_dist = req->resp_key_dist & local_dist;
1705 smp->remote_key_dist = rsp->init_key_dist;
1708 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1710 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1711 struct l2cap_chan *chan = conn->smp;
1712 struct hci_dev *hdev = conn->hcon->hdev;
1713 struct smp_chan *smp;
1714 u8 key_size, auth, sec_level;
1717 BT_DBG("conn %p", conn);
1719 if (skb->len < sizeof(*req))
1720 return SMP_INVALID_PARAMS;
1722 if (conn->hcon->role != HCI_ROLE_SLAVE)
1723 return SMP_CMD_NOTSUPP;
1726 smp = smp_chan_create(conn);
1731 return SMP_UNSPECIFIED;
1733 /* We didn't start the pairing, so match remote */
1734 auth = req->auth_req & AUTH_REQ_MASK(hdev);
1736 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1737 (auth & SMP_AUTH_BONDING))
1738 return SMP_PAIRING_NOTSUPP;
1740 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1741 return SMP_AUTH_REQUIREMENTS;
1743 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1744 memcpy(&smp->preq[1], req, sizeof(*req));
1745 skb_pull(skb, sizeof(*req));
1747 /* If the remote side's OOB flag is set it means it has
1748 * successfully received our local OOB data - therefore set the
1749 * flag to indicate that local OOB is in use.
1751 if (req->oob_flag == SMP_OOB_PRESENT)
1752 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1754 /* SMP over BR/EDR requires special treatment */
1755 if (conn->hcon->type == ACL_LINK) {
1756 /* We must have a BR/EDR SC link */
1757 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1758 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1759 return SMP_CROSS_TRANSP_NOT_ALLOWED;
1761 set_bit(SMP_FLAG_SC, &smp->flags);
1763 build_bredr_pairing_cmd(smp, req, &rsp);
1765 key_size = min(req->max_key_size, rsp.max_key_size);
1766 if (check_enc_key_size(conn, key_size))
1767 return SMP_ENC_KEY_SIZE;
1769 /* Clear bits which are generated but not distributed */
1770 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1772 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1773 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1774 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1776 smp_distribute_keys(smp);
1780 build_pairing_cmd(conn, req, &rsp, auth);
1782 if (rsp.auth_req & SMP_AUTH_SC)
1783 set_bit(SMP_FLAG_SC, &smp->flags);
1785 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1786 sec_level = BT_SECURITY_MEDIUM;
1788 sec_level = authreq_to_seclevel(auth);
1790 if (sec_level > conn->hcon->pending_sec_level)
1791 conn->hcon->pending_sec_level = sec_level;
1793 /* If we need MITM check that it can be achieved */
1794 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1797 method = get_auth_method(smp, conn->hcon->io_capability,
1798 req->io_capability);
1799 if (method == JUST_WORKS || method == JUST_CFM)
1800 return SMP_AUTH_REQUIREMENTS;
1803 key_size = min(req->max_key_size, rsp.max_key_size);
1804 if (check_enc_key_size(conn, key_size))
1805 return SMP_ENC_KEY_SIZE;
1807 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1809 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1810 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1812 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1814 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1816 /* Strictly speaking we shouldn't allow Pairing Confirm for the
1817 * SC case, however some implementations incorrectly copy RFU auth
1818 * req bits from our security request, which may create a false
1819 * positive SC enablement.
1821 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1823 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1824 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1825 /* Clear bits which are generated but not distributed */
1826 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1827 /* Wait for Public Key from Initiating Device */
1831 /* Request setup of TK */
1832 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1834 return SMP_UNSPECIFIED;
1839 static u8 sc_send_public_key(struct smp_chan *smp)
1841 struct hci_dev *hdev = smp->conn->hcon->hdev;
1845 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1846 struct l2cap_chan *chan = hdev->smp_data;
1847 struct smp_dev *smp_dev;
1849 if (!chan || !chan->data)
1850 return SMP_UNSPECIFIED;
1852 smp_dev = chan->data;
1854 memcpy(smp->local_pk, smp_dev->local_pk, 64);
1855 memcpy(smp->local_sk, smp_dev->local_sk, 32);
1856 memcpy(smp->lr, smp_dev->local_rand, 16);
1858 if (smp_dev->debug_key)
1859 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1864 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1865 BT_DBG("Using debug keys");
1866 memcpy(smp->local_pk, debug_pk, 64);
1867 memcpy(smp->local_sk, debug_sk, 32);
1868 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1871 /* Generate local key pair for Secure Connections */
1872 if (!ecc_make_key(smp->local_pk, smp->local_sk))
1873 return SMP_UNSPECIFIED;
1875 /* This is unlikely, but we need to check that
1876 * we didn't accidentially generate a debug key.
1878 if (memcmp(smp->local_sk, debug_sk, 32))
1884 SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1885 SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1886 SMP_DBG("Local Private Key: %32phN", smp->local_sk);
1888 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1893 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1895 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1896 struct l2cap_chan *chan = conn->smp;
1897 struct smp_chan *smp = chan->data;
1898 struct hci_dev *hdev = conn->hcon->hdev;
1902 BT_DBG("conn %p", conn);
1904 if (skb->len < sizeof(*rsp))
1905 return SMP_INVALID_PARAMS;
1907 if (conn->hcon->role != HCI_ROLE_MASTER)
1908 return SMP_CMD_NOTSUPP;
1910 skb_pull(skb, sizeof(*rsp));
1912 req = (void *) &smp->preq[1];
1914 key_size = min(req->max_key_size, rsp->max_key_size);
1915 if (check_enc_key_size(conn, key_size))
1916 return SMP_ENC_KEY_SIZE;
1918 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1920 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1921 return SMP_AUTH_REQUIREMENTS;
1923 /* If the remote side's OOB flag is set it means it has
1924 * successfully received our local OOB data - therefore set the
1925 * flag to indicate that local OOB is in use.
1927 if (rsp->oob_flag == SMP_OOB_PRESENT)
1928 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1930 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1931 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1933 /* Update remote key distribution in case the remote cleared
1934 * some bits that we had enabled in our request.
1936 smp->remote_key_dist &= rsp->resp_key_dist;
1938 /* For BR/EDR this means we're done and can start phase 3 */
1939 if (conn->hcon->type == ACL_LINK) {
1940 /* Clear bits which are generated but not distributed */
1941 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1942 smp_distribute_keys(smp);
1946 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1947 set_bit(SMP_FLAG_SC, &smp->flags);
1948 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1949 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1951 /* If we need MITM check that it can be achieved */
1952 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1955 method = get_auth_method(smp, req->io_capability,
1956 rsp->io_capability);
1957 if (method == JUST_WORKS || method == JUST_CFM)
1958 return SMP_AUTH_REQUIREMENTS;
1961 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1963 /* Update remote key distribution in case the remote cleared
1964 * some bits that we had enabled in our request.
1966 smp->remote_key_dist &= rsp->resp_key_dist;
1968 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1969 /* Clear bits which are generated but not distributed */
1970 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1971 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1972 return sc_send_public_key(smp);
1975 auth |= req->auth_req;
1977 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
1979 return SMP_UNSPECIFIED;
1981 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1983 /* Can't compose response until we have been confirmed */
1984 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1985 return smp_confirm(smp);
1990 static u8 sc_check_confirm(struct smp_chan *smp)
1992 struct l2cap_conn *conn = smp->conn;
1996 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1997 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
1999 if (conn->hcon->out) {
2000 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2002 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2008 /* Work-around for some implementations that incorrectly copy RFU bits
2009 * from our security request and thereby create the impression that
2010 * we're doing SC when in fact the remote doesn't support it.
2012 static int fixup_sc_false_positive(struct smp_chan *smp)
2014 struct l2cap_conn *conn = smp->conn;
2015 struct hci_conn *hcon = conn->hcon;
2016 struct hci_dev *hdev = hcon->hdev;
2017 struct smp_cmd_pairing *req, *rsp;
2020 /* The issue is only observed when we're in slave role */
2022 return SMP_UNSPECIFIED;
2024 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2025 BT_ERR("Refusing SMP SC -> legacy fallback in SC-only mode");
2026 return SMP_UNSPECIFIED;
2029 BT_ERR("Trying to fall back to legacy SMP");
2031 req = (void *) &smp->preq[1];
2032 rsp = (void *) &smp->prsp[1];
2034 /* Rebuild key dist flags which may have been cleared for SC */
2035 smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2037 auth = req->auth_req & AUTH_REQ_MASK(hdev);
2039 if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2040 BT_ERR("Failed to fall back to legacy SMP");
2041 return SMP_UNSPECIFIED;
2044 clear_bit(SMP_FLAG_SC, &smp->flags);
2049 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2051 struct l2cap_chan *chan = conn->smp;
2052 struct smp_chan *smp = chan->data;
2054 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
2056 if (skb->len < sizeof(smp->pcnf))
2057 return SMP_INVALID_PARAMS;
2059 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2060 skb_pull(skb, sizeof(smp->pcnf));
2062 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2065 /* Public Key exchange must happen before any other steps */
2066 if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2067 return sc_check_confirm(smp);
2069 BT_ERR("Unexpected SMP Pairing Confirm");
2071 ret = fixup_sc_false_positive(smp);
2076 if (conn->hcon->out) {
2077 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2079 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2083 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2084 return smp_confirm(smp);
2086 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2091 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2093 struct l2cap_chan *chan = conn->smp;
2094 struct smp_chan *smp = chan->data;
2095 struct hci_conn *hcon = conn->hcon;
2096 u8 *pkax, *pkbx, *na, *nb;
2100 BT_DBG("conn %p", conn);
2102 if (skb->len < sizeof(smp->rrnd))
2103 return SMP_INVALID_PARAMS;
2105 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2106 skb_pull(skb, sizeof(smp->rrnd));
2108 if (!test_bit(SMP_FLAG_SC, &smp->flags))
2109 return smp_random(smp);
2112 pkax = smp->local_pk;
2113 pkbx = smp->remote_pk;
2117 pkax = smp->remote_pk;
2118 pkbx = smp->local_pk;
2123 if (smp->method == REQ_OOB) {
2125 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2126 sizeof(smp->prnd), smp->prnd);
2127 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2128 goto mackey_and_ltk;
2131 /* Passkey entry has special treatment */
2132 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2133 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2138 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2141 return SMP_UNSPECIFIED;
2143 if (memcmp(smp->pcnf, cfm, 16))
2144 return SMP_CONFIRM_FAILED;
2146 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2148 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2152 /* Generate MacKey and LTK */
2153 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2155 return SMP_UNSPECIFIED;
2157 if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2159 sc_dhkey_check(smp);
2160 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2165 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2167 return SMP_UNSPECIFIED;
2169 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2170 hcon->dst_type, passkey, 0);
2172 return SMP_UNSPECIFIED;
2174 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2179 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2181 struct smp_ltk *key;
2182 struct hci_conn *hcon = conn->hcon;
2184 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2188 if (smp_ltk_sec_level(key) < sec_level)
2191 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2194 hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2195 hcon->enc_key_size = key->enc_size;
2197 /* We never store STKs for master role, so clear this flag */
2198 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2203 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2204 enum smp_key_pref key_pref)
2206 if (sec_level == BT_SECURITY_LOW)
2209 /* If we're encrypted with an STK but the caller prefers using
2210 * LTK claim insufficient security. This way we allow the
2211 * connection to be re-encrypted with an LTK, even if the LTK
2212 * provides the same level of security. Only exception is if we
2213 * don't have an LTK (e.g. because of key distribution bits).
2215 if (key_pref == SMP_USE_LTK &&
2216 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2217 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2220 if (hcon->sec_level >= sec_level)
2226 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2228 struct smp_cmd_security_req *rp = (void *) skb->data;
2229 struct smp_cmd_pairing cp;
2230 struct hci_conn *hcon = conn->hcon;
2231 struct hci_dev *hdev = hcon->hdev;
2232 struct smp_chan *smp;
2235 BT_DBG("conn %p", conn);
2237 if (skb->len < sizeof(*rp))
2238 return SMP_INVALID_PARAMS;
2240 if (hcon->role != HCI_ROLE_MASTER)
2241 return SMP_CMD_NOTSUPP;
2243 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2245 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2246 return SMP_AUTH_REQUIREMENTS;
2248 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2249 sec_level = BT_SECURITY_MEDIUM;
2251 sec_level = authreq_to_seclevel(auth);
2253 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2256 if (sec_level > hcon->pending_sec_level)
2257 hcon->pending_sec_level = sec_level;
2259 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2262 smp = smp_chan_create(conn);
2264 return SMP_UNSPECIFIED;
2266 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2267 (auth & SMP_AUTH_BONDING))
2268 return SMP_PAIRING_NOTSUPP;
2270 skb_pull(skb, sizeof(*rp));
2272 memset(&cp, 0, sizeof(cp));
2273 build_pairing_cmd(conn, &cp, NULL, auth);
2275 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2276 memcpy(&smp->preq[1], &cp, sizeof(cp));
2278 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2279 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2284 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2286 struct l2cap_conn *conn = hcon->l2cap_data;
2287 struct l2cap_chan *chan;
2288 struct smp_chan *smp;
2292 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2294 /* This may be NULL if there's an unexpected disconnection */
2298 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2301 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2304 if (sec_level > hcon->pending_sec_level)
2305 hcon->pending_sec_level = sec_level;
2307 if (hcon->role == HCI_ROLE_MASTER)
2308 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2313 BT_ERR("SMP security requested but not available");
2317 l2cap_chan_lock(chan);
2319 /* If SMP is already in progress ignore this request */
2325 smp = smp_chan_create(conn);
2331 authreq = seclevel_to_authreq(sec_level);
2333 if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED))
2334 authreq |= SMP_AUTH_SC;
2336 /* Require MITM if IO Capability allows or the security level
2339 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2340 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2341 authreq |= SMP_AUTH_MITM;
2343 if (hcon->role == HCI_ROLE_MASTER) {
2344 struct smp_cmd_pairing cp;
2346 build_pairing_cmd(conn, &cp, NULL, authreq);
2347 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2348 memcpy(&smp->preq[1], &cp, sizeof(cp));
2350 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2351 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2353 struct smp_cmd_security_req cp;
2354 cp.auth_req = authreq;
2355 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2356 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2359 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2363 l2cap_chan_unlock(chan);
2367 void smp_cancel_pairing(struct hci_conn *hcon)
2369 struct l2cap_conn *conn = hcon->l2cap_data;
2370 struct l2cap_chan *chan;
2371 struct smp_chan *smp;
2380 l2cap_chan_lock(chan);
2384 if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2385 smp_failure(conn, 0);
2387 smp_failure(conn, SMP_UNSPECIFIED);
2390 l2cap_chan_unlock(chan);
2393 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2395 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2396 struct l2cap_chan *chan = conn->smp;
2397 struct smp_chan *smp = chan->data;
2399 BT_DBG("conn %p", conn);
2401 if (skb->len < sizeof(*rp))
2402 return SMP_INVALID_PARAMS;
2404 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2406 skb_pull(skb, sizeof(*rp));
2408 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2413 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2415 struct smp_cmd_master_ident *rp = (void *) skb->data;
2416 struct l2cap_chan *chan = conn->smp;
2417 struct smp_chan *smp = chan->data;
2418 struct hci_dev *hdev = conn->hcon->hdev;
2419 struct hci_conn *hcon = conn->hcon;
2420 struct smp_ltk *ltk;
2423 BT_DBG("conn %p", conn);
2425 if (skb->len < sizeof(*rp))
2426 return SMP_INVALID_PARAMS;
2428 /* Mark the information as received */
2429 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2431 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2432 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2433 else if (smp->remote_key_dist & SMP_DIST_SIGN)
2434 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2436 skb_pull(skb, sizeof(*rp));
2438 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2439 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2440 authenticated, smp->tk, smp->enc_key_size,
2441 rp->ediv, rp->rand);
2443 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2444 smp_distribute_keys(smp);
2449 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2451 struct smp_cmd_ident_info *info = (void *) skb->data;
2452 struct l2cap_chan *chan = conn->smp;
2453 struct smp_chan *smp = chan->data;
2457 if (skb->len < sizeof(*info))
2458 return SMP_INVALID_PARAMS;
2460 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2462 skb_pull(skb, sizeof(*info));
2464 memcpy(smp->irk, info->irk, 16);
2469 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2470 struct sk_buff *skb)
2472 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2473 struct l2cap_chan *chan = conn->smp;
2474 struct smp_chan *smp = chan->data;
2475 struct hci_conn *hcon = conn->hcon;
2480 if (skb->len < sizeof(*info))
2481 return SMP_INVALID_PARAMS;
2483 /* Mark the information as received */
2484 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2486 if (smp->remote_key_dist & SMP_DIST_SIGN)
2487 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2489 skb_pull(skb, sizeof(*info));
2491 /* Strictly speaking the Core Specification (4.1) allows sending
2492 * an empty address which would force us to rely on just the IRK
2493 * as "identity information". However, since such
2494 * implementations are not known of and in order to not over
2495 * complicate our implementation, simply pretend that we never
2496 * received an IRK for such a device.
2498 * The Identity Address must also be a Static Random or Public
2499 * Address, which hci_is_identity_address() checks for.
2501 if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2502 !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2503 BT_ERR("Ignoring IRK with no identity address");
2507 bacpy(&smp->id_addr, &info->bdaddr);
2508 smp->id_addr_type = info->addr_type;
2510 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2511 bacpy(&rpa, &hcon->dst);
2513 bacpy(&rpa, BDADDR_ANY);
2515 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2516 smp->id_addr_type, smp->irk, &rpa);
2519 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2520 smp_distribute_keys(smp);
2525 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2527 struct smp_cmd_sign_info *rp = (void *) skb->data;
2528 struct l2cap_chan *chan = conn->smp;
2529 struct smp_chan *smp = chan->data;
2530 struct smp_csrk *csrk;
2532 BT_DBG("conn %p", conn);
2534 if (skb->len < sizeof(*rp))
2535 return SMP_INVALID_PARAMS;
2537 /* Mark the information as received */
2538 smp->remote_key_dist &= ~SMP_DIST_SIGN;
2540 skb_pull(skb, sizeof(*rp));
2542 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2544 if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2545 csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2547 csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2548 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2551 smp_distribute_keys(smp);
2556 static u8 sc_select_method(struct smp_chan *smp)
2558 struct l2cap_conn *conn = smp->conn;
2559 struct hci_conn *hcon = conn->hcon;
2560 struct smp_cmd_pairing *local, *remote;
2561 u8 local_mitm, remote_mitm, local_io, remote_io, method;
2563 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2564 test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2567 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2568 * which are needed as inputs to some crypto functions. To get
2569 * the "struct smp_cmd_pairing" from them we need to skip the
2570 * first byte which contains the opcode.
2573 local = (void *) &smp->preq[1];
2574 remote = (void *) &smp->prsp[1];
2576 local = (void *) &smp->prsp[1];
2577 remote = (void *) &smp->preq[1];
2580 local_io = local->io_capability;
2581 remote_io = remote->io_capability;
2583 local_mitm = (local->auth_req & SMP_AUTH_MITM);
2584 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2586 /* If either side wants MITM, look up the method from the table,
2587 * otherwise use JUST WORKS.
2589 if (local_mitm || remote_mitm)
2590 method = get_auth_method(smp, local_io, remote_io);
2592 method = JUST_WORKS;
2594 /* Don't confirm locally initiated pairing attempts */
2595 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2596 method = JUST_WORKS;
2601 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2603 struct smp_cmd_public_key *key = (void *) skb->data;
2604 struct hci_conn *hcon = conn->hcon;
2605 struct l2cap_chan *chan = conn->smp;
2606 struct smp_chan *smp = chan->data;
2607 struct hci_dev *hdev = hcon->hdev;
2608 struct smp_cmd_pairing_confirm cfm;
2611 BT_DBG("conn %p", conn);
2613 if (skb->len < sizeof(*key))
2614 return SMP_INVALID_PARAMS;
2616 memcpy(smp->remote_pk, key, 64);
2618 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2619 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2620 smp->rr, 0, cfm.confirm_val);
2622 return SMP_UNSPECIFIED;
2624 if (memcmp(cfm.confirm_val, smp->pcnf, 16))
2625 return SMP_CONFIRM_FAILED;
2628 /* Non-initiating device sends its public key after receiving
2629 * the key from the initiating device.
2632 err = sc_send_public_key(smp);
2637 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2638 SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2640 if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2641 return SMP_UNSPECIFIED;
2643 SMP_DBG("DHKey %32phN", smp->dhkey);
2645 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2647 smp->method = sc_select_method(smp);
2649 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2651 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2652 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2653 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2655 hcon->pending_sec_level = BT_SECURITY_FIPS;
2657 if (!memcmp(debug_pk, smp->remote_pk, 64))
2658 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2660 if (smp->method == DSP_PASSKEY) {
2661 get_random_bytes(&hcon->passkey_notify,
2662 sizeof(hcon->passkey_notify));
2663 hcon->passkey_notify %= 1000000;
2664 hcon->passkey_entered = 0;
2665 smp->passkey_round = 0;
2666 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2668 hcon->passkey_notify,
2669 hcon->passkey_entered))
2670 return SMP_UNSPECIFIED;
2671 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2672 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2675 if (smp->method == REQ_OOB) {
2677 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2678 sizeof(smp->prnd), smp->prnd);
2680 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2686 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2688 if (smp->method == REQ_PASSKEY) {
2689 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2691 return SMP_UNSPECIFIED;
2692 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2693 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2697 /* The Initiating device waits for the non-initiating device to
2698 * send the confirm value.
2700 if (conn->hcon->out)
2703 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2704 0, cfm.confirm_val);
2706 return SMP_UNSPECIFIED;
2708 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2709 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2714 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2716 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2717 struct l2cap_chan *chan = conn->smp;
2718 struct hci_conn *hcon = conn->hcon;
2719 struct smp_chan *smp = chan->data;
2720 u8 a[7], b[7], *local_addr, *remote_addr;
2721 u8 io_cap[3], r[16], e[16];
2724 BT_DBG("conn %p", conn);
2726 if (skb->len < sizeof(*check))
2727 return SMP_INVALID_PARAMS;
2729 memcpy(a, &hcon->init_addr, 6);
2730 memcpy(b, &hcon->resp_addr, 6);
2731 a[6] = hcon->init_addr_type;
2732 b[6] = hcon->resp_addr_type;
2737 memcpy(io_cap, &smp->prsp[1], 3);
2741 memcpy(io_cap, &smp->preq[1], 3);
2744 memset(r, 0, sizeof(r));
2746 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2747 put_unaligned_le32(hcon->passkey_notify, r);
2748 else if (smp->method == REQ_OOB)
2749 memcpy(r, smp->lr, 16);
2751 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2752 io_cap, remote_addr, local_addr, e);
2754 return SMP_UNSPECIFIED;
2756 if (memcmp(check->e, e, 16))
2757 return SMP_DHKEY_CHECK_FAILED;
2760 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2761 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2765 /* Slave sends DHKey check as response to master */
2766 sc_dhkey_check(smp);
2772 hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2773 hcon->enc_key_size = smp->enc_key_size;
2779 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2780 struct sk_buff *skb)
2782 struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2784 BT_DBG("value 0x%02x", kp->value);
2789 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2791 struct l2cap_conn *conn = chan->conn;
2792 struct hci_conn *hcon = conn->hcon;
2793 struct smp_chan *smp;
2800 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2801 reason = SMP_PAIRING_NOTSUPP;
2805 code = skb->data[0];
2806 skb_pull(skb, sizeof(code));
2810 if (code > SMP_CMD_MAX)
2813 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2816 /* If we don't have a context the only allowed commands are
2817 * pairing request and security request.
2819 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2823 case SMP_CMD_PAIRING_REQ:
2824 reason = smp_cmd_pairing_req(conn, skb);
2827 case SMP_CMD_PAIRING_FAIL:
2828 smp_failure(conn, 0);
2832 case SMP_CMD_PAIRING_RSP:
2833 reason = smp_cmd_pairing_rsp(conn, skb);
2836 case SMP_CMD_SECURITY_REQ:
2837 reason = smp_cmd_security_req(conn, skb);
2840 case SMP_CMD_PAIRING_CONFIRM:
2841 reason = smp_cmd_pairing_confirm(conn, skb);
2844 case SMP_CMD_PAIRING_RANDOM:
2845 reason = smp_cmd_pairing_random(conn, skb);
2848 case SMP_CMD_ENCRYPT_INFO:
2849 reason = smp_cmd_encrypt_info(conn, skb);
2852 case SMP_CMD_MASTER_IDENT:
2853 reason = smp_cmd_master_ident(conn, skb);
2856 case SMP_CMD_IDENT_INFO:
2857 reason = smp_cmd_ident_info(conn, skb);
2860 case SMP_CMD_IDENT_ADDR_INFO:
2861 reason = smp_cmd_ident_addr_info(conn, skb);
2864 case SMP_CMD_SIGN_INFO:
2865 reason = smp_cmd_sign_info(conn, skb);
2868 case SMP_CMD_PUBLIC_KEY:
2869 reason = smp_cmd_public_key(conn, skb);
2872 case SMP_CMD_DHKEY_CHECK:
2873 reason = smp_cmd_dhkey_check(conn, skb);
2876 case SMP_CMD_KEYPRESS_NOTIFY:
2877 reason = smp_cmd_keypress_notify(conn, skb);
2881 BT_DBG("Unknown command code 0x%2.2x", code);
2882 reason = SMP_CMD_NOTSUPP;
2889 smp_failure(conn, reason);
2896 BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2902 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2904 struct l2cap_conn *conn = chan->conn;
2906 BT_DBG("chan %p", chan);
2909 smp_chan_destroy(conn);
2912 l2cap_chan_put(chan);
2915 static void bredr_pairing(struct l2cap_chan *chan)
2917 struct l2cap_conn *conn = chan->conn;
2918 struct hci_conn *hcon = conn->hcon;
2919 struct hci_dev *hdev = hcon->hdev;
2920 struct smp_cmd_pairing req;
2921 struct smp_chan *smp;
2923 BT_DBG("chan %p", chan);
2925 /* Only new pairings are interesting */
2926 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2929 /* Don't bother if we're not encrypted */
2930 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2933 /* Only master may initiate SMP over BR/EDR */
2934 if (hcon->role != HCI_ROLE_MASTER)
2937 /* Secure Connections support must be enabled */
2938 if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
2941 /* BR/EDR must use Secure Connections for SMP */
2942 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
2943 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
2946 /* If our LE support is not enabled don't do anything */
2947 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
2950 /* Don't bother if remote LE support is not enabled */
2951 if (!lmp_host_le_capable(hcon))
2954 /* Remote must support SMP fixed chan for BR/EDR */
2955 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
2958 /* Don't bother if SMP is already ongoing */
2962 smp = smp_chan_create(conn);
2964 BT_ERR("%s unable to create SMP context for BR/EDR",
2969 set_bit(SMP_FLAG_SC, &smp->flags);
2971 BT_DBG("%s starting SMP over BR/EDR", hdev->name);
2973 /* Prepare and send the BR/EDR SMP Pairing Request */
2974 build_bredr_pairing_cmd(smp, &req, NULL);
2976 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2977 memcpy(&smp->preq[1], &req, sizeof(req));
2979 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
2980 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2983 static void smp_resume_cb(struct l2cap_chan *chan)
2985 struct smp_chan *smp = chan->data;
2986 struct l2cap_conn *conn = chan->conn;
2987 struct hci_conn *hcon = conn->hcon;
2989 BT_DBG("chan %p", chan);
2991 if (hcon->type == ACL_LINK) {
2992 bredr_pairing(chan);
2999 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3002 cancel_delayed_work(&smp->security_timer);
3004 smp_distribute_keys(smp);
3007 static void smp_ready_cb(struct l2cap_chan *chan)
3009 struct l2cap_conn *conn = chan->conn;
3010 struct hci_conn *hcon = conn->hcon;
3012 BT_DBG("chan %p", chan);
3014 /* No need to call l2cap_chan_hold() here since we already own
3015 * the reference taken in smp_new_conn_cb(). This is just the
3016 * first time that we tie it to a specific pointer. The code in
3017 * l2cap_core.c ensures that there's no risk this function wont
3018 * get called if smp_new_conn_cb was previously called.
3022 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3023 bredr_pairing(chan);
3026 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3030 BT_DBG("chan %p", chan);
3032 err = smp_sig_channel(chan, skb);
3034 struct smp_chan *smp = chan->data;
3037 cancel_delayed_work_sync(&smp->security_timer);
3039 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3045 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3046 unsigned long hdr_len,
3047 unsigned long len, int nb)
3049 struct sk_buff *skb;
3051 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3053 return ERR_PTR(-ENOMEM);
3055 skb->priority = HCI_PRIO_MAX;
3056 bt_cb(skb)->l2cap.chan = chan;
3061 static const struct l2cap_ops smp_chan_ops = {
3062 .name = "Security Manager",
3063 .ready = smp_ready_cb,
3064 .recv = smp_recv_cb,
3065 .alloc_skb = smp_alloc_skb_cb,
3066 .teardown = smp_teardown_cb,
3067 .resume = smp_resume_cb,
3069 .new_connection = l2cap_chan_no_new_connection,
3070 .state_change = l2cap_chan_no_state_change,
3071 .close = l2cap_chan_no_close,
3072 .defer = l2cap_chan_no_defer,
3073 .suspend = l2cap_chan_no_suspend,
3074 .set_shutdown = l2cap_chan_no_set_shutdown,
3075 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
3078 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3080 struct l2cap_chan *chan;
3082 BT_DBG("pchan %p", pchan);
3084 chan = l2cap_chan_create();
3088 chan->chan_type = pchan->chan_type;
3089 chan->ops = &smp_chan_ops;
3090 chan->scid = pchan->scid;
3091 chan->dcid = chan->scid;
3092 chan->imtu = pchan->imtu;
3093 chan->omtu = pchan->omtu;
3094 chan->mode = pchan->mode;
3096 /* Other L2CAP channels may request SMP routines in order to
3097 * change the security level. This means that the SMP channel
3098 * lock must be considered in its own category to avoid lockdep
3101 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3103 BT_DBG("created chan %p", chan);
3108 static const struct l2cap_ops smp_root_chan_ops = {
3109 .name = "Security Manager Root",
3110 .new_connection = smp_new_conn_cb,
3112 /* None of these are implemented for the root channel */
3113 .close = l2cap_chan_no_close,
3114 .alloc_skb = l2cap_chan_no_alloc_skb,
3115 .recv = l2cap_chan_no_recv,
3116 .state_change = l2cap_chan_no_state_change,
3117 .teardown = l2cap_chan_no_teardown,
3118 .ready = l2cap_chan_no_ready,
3119 .defer = l2cap_chan_no_defer,
3120 .suspend = l2cap_chan_no_suspend,
3121 .resume = l2cap_chan_no_resume,
3122 .set_shutdown = l2cap_chan_no_set_shutdown,
3123 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
3126 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3128 struct l2cap_chan *chan;
3129 struct smp_dev *smp;
3130 struct crypto_blkcipher *tfm_aes;
3131 struct crypto_hash *tfm_cmac;
3133 if (cid == L2CAP_CID_SMP_BREDR) {
3138 smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3140 return ERR_PTR(-ENOMEM);
3142 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
3143 if (IS_ERR(tfm_aes)) {
3144 BT_ERR("Unable to create ECB crypto context");
3146 return ERR_CAST(tfm_aes);
3149 tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3150 if (IS_ERR(tfm_cmac)) {
3151 BT_ERR("Unable to create CMAC crypto context");
3152 crypto_free_blkcipher(tfm_aes);
3154 return ERR_CAST(tfm_cmac);
3157 smp->tfm_aes = tfm_aes;
3158 smp->tfm_cmac = tfm_cmac;
3159 smp->min_key_size = SMP_MIN_ENC_KEY_SIZE;
3160 smp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
3163 chan = l2cap_chan_create();
3166 crypto_free_blkcipher(smp->tfm_aes);
3167 crypto_free_hash(smp->tfm_cmac);
3170 return ERR_PTR(-ENOMEM);
3175 l2cap_add_scid(chan, cid);
3177 l2cap_chan_set_defaults(chan);
3179 if (cid == L2CAP_CID_SMP) {
3182 hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3184 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3185 chan->src_type = BDADDR_LE_PUBLIC;
3187 chan->src_type = BDADDR_LE_RANDOM;
3189 bacpy(&chan->src, &hdev->bdaddr);
3190 chan->src_type = BDADDR_BREDR;
3193 chan->state = BT_LISTEN;
3194 chan->mode = L2CAP_MODE_BASIC;
3195 chan->imtu = L2CAP_DEFAULT_MTU;
3196 chan->ops = &smp_root_chan_ops;
3198 /* Set correct nesting level for a parent/listening channel */
3199 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3204 static void smp_del_chan(struct l2cap_chan *chan)
3206 struct smp_dev *smp;
3208 BT_DBG("chan %p", chan);
3214 crypto_free_blkcipher(smp->tfm_aes);
3216 crypto_free_hash(smp->tfm_cmac);
3220 l2cap_chan_put(chan);
3223 static ssize_t force_bredr_smp_read(struct file *file,
3224 char __user *user_buf,
3225 size_t count, loff_t *ppos)
3227 struct hci_dev *hdev = file->private_data;
3230 buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3233 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3236 static ssize_t force_bredr_smp_write(struct file *file,
3237 const char __user *user_buf,
3238 size_t count, loff_t *ppos)
3240 struct hci_dev *hdev = file->private_data;
3242 size_t buf_size = min(count, (sizeof(buf)-1));
3245 if (copy_from_user(buf, user_buf, buf_size))
3248 buf[buf_size] = '\0';
3249 if (strtobool(buf, &enable))
3252 if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3256 struct l2cap_chan *chan;
3258 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3260 return PTR_ERR(chan);
3262 hdev->smp_bredr_data = chan;
3264 struct l2cap_chan *chan;
3266 chan = hdev->smp_bredr_data;
3267 hdev->smp_bredr_data = NULL;
3271 hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3276 static const struct file_operations force_bredr_smp_fops = {
3277 .open = simple_open,
3278 .read = force_bredr_smp_read,
3279 .write = force_bredr_smp_write,
3280 .llseek = default_llseek,
3283 static ssize_t le_min_key_size_read(struct file *file,
3284 char __user *user_buf,
3285 size_t count, loff_t *ppos)
3287 struct hci_dev *hdev = file->private_data;
3290 snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->min_key_size);
3292 return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3295 static ssize_t le_min_key_size_write(struct file *file,
3296 const char __user *user_buf,
3297 size_t count, loff_t *ppos)
3299 struct hci_dev *hdev = file->private_data;
3301 size_t buf_size = min(count, (sizeof(buf) - 1));
3304 if (copy_from_user(buf, user_buf, buf_size))
3307 buf[buf_size] = '\0';
3309 sscanf(buf, "%hhu", &key_size);
3311 if (key_size > SMP_DEV(hdev)->max_key_size ||
3312 key_size < SMP_MIN_ENC_KEY_SIZE)
3315 SMP_DEV(hdev)->min_key_size = key_size;
3320 static const struct file_operations le_min_key_size_fops = {
3321 .open = simple_open,
3322 .read = le_min_key_size_read,
3323 .write = le_min_key_size_write,
3324 .llseek = default_llseek,
3327 static ssize_t le_max_key_size_read(struct file *file,
3328 char __user *user_buf,
3329 size_t count, loff_t *ppos)
3331 struct hci_dev *hdev = file->private_data;
3334 snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->max_key_size);
3336 return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3339 static ssize_t le_max_key_size_write(struct file *file,
3340 const char __user *user_buf,
3341 size_t count, loff_t *ppos)
3343 struct hci_dev *hdev = file->private_data;
3345 size_t buf_size = min(count, (sizeof(buf) - 1));
3348 if (copy_from_user(buf, user_buf, buf_size))
3351 buf[buf_size] = '\0';
3353 sscanf(buf, "%hhu", &key_size);
3355 if (key_size > SMP_MAX_ENC_KEY_SIZE ||
3356 key_size < SMP_DEV(hdev)->min_key_size)
3359 SMP_DEV(hdev)->max_key_size = key_size;
3364 static const struct file_operations le_max_key_size_fops = {
3365 .open = simple_open,
3366 .read = le_max_key_size_read,
3367 .write = le_max_key_size_write,
3368 .llseek = default_llseek,
3371 int smp_register(struct hci_dev *hdev)
3373 struct l2cap_chan *chan;
3375 BT_DBG("%s", hdev->name);
3377 /* If the controller does not support Low Energy operation, then
3378 * there is also no need to register any SMP channel.
3380 if (!lmp_le_capable(hdev))
3383 if (WARN_ON(hdev->smp_data)) {
3384 chan = hdev->smp_data;
3385 hdev->smp_data = NULL;
3389 chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3391 return PTR_ERR(chan);
3393 hdev->smp_data = chan;
3395 debugfs_create_file("le_min_key_size", 0644, hdev->debugfs, hdev,
3396 &le_min_key_size_fops);
3397 debugfs_create_file("le_max_key_size", 0644, hdev->debugfs, hdev,
3398 &le_max_key_size_fops);
3400 /* If the controller does not support BR/EDR Secure Connections
3401 * feature, then the BR/EDR SMP channel shall not be present.
3403 * To test this with Bluetooth 4.0 controllers, create a debugfs
3404 * switch that allows forcing BR/EDR SMP support and accepting
3405 * cross-transport pairing on non-AES encrypted connections.
3407 if (!lmp_sc_capable(hdev)) {
3408 debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3409 hdev, &force_bredr_smp_fops);
3413 if (WARN_ON(hdev->smp_bredr_data)) {
3414 chan = hdev->smp_bredr_data;
3415 hdev->smp_bredr_data = NULL;
3419 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3421 int err = PTR_ERR(chan);
3422 chan = hdev->smp_data;
3423 hdev->smp_data = NULL;
3428 hdev->smp_bredr_data = chan;
3433 void smp_unregister(struct hci_dev *hdev)
3435 struct l2cap_chan *chan;
3437 if (hdev->smp_bredr_data) {
3438 chan = hdev->smp_bredr_data;
3439 hdev->smp_bredr_data = NULL;
3443 if (hdev->smp_data) {
3444 chan = hdev->smp_data;
3445 hdev->smp_data = NULL;
3450 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3452 static int __init test_ah(struct crypto_blkcipher *tfm_aes)
3454 const u8 irk[16] = {
3455 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3456 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3457 const u8 r[3] = { 0x94, 0x81, 0x70 };
3458 const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3462 err = smp_ah(tfm_aes, irk, r, res);
3466 if (memcmp(res, exp, 3))
3472 static int __init test_c1(struct crypto_blkcipher *tfm_aes)
3475 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3476 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3478 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3479 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3480 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3481 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3482 const u8 _iat = 0x01;
3483 const u8 _rat = 0x00;
3484 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3485 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3486 const u8 exp[16] = {
3487 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3488 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3492 err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3496 if (memcmp(res, exp, 16))
3502 static int __init test_s1(struct crypto_blkcipher *tfm_aes)
3505 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3506 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3508 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3510 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3511 const u8 exp[16] = {
3512 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3513 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3517 err = smp_s1(tfm_aes, k, r1, r2, res);
3521 if (memcmp(res, exp, 16))
3527 static int __init test_f4(struct crypto_hash *tfm_cmac)
3530 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3531 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3532 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3533 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3535 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3536 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3537 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3538 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3540 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3541 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3543 const u8 exp[16] = {
3544 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3545 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3549 err = smp_f4(tfm_cmac, u, v, x, z, res);
3553 if (memcmp(res, exp, 16))
3559 static int __init test_f5(struct crypto_hash *tfm_cmac)
3562 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3563 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3564 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3565 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3567 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3568 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3570 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3571 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3572 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3573 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3574 const u8 exp_ltk[16] = {
3575 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3576 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3577 const u8 exp_mackey[16] = {
3578 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3579 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3580 u8 mackey[16], ltk[16];
3583 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3587 if (memcmp(mackey, exp_mackey, 16))
3590 if (memcmp(ltk, exp_ltk, 16))
3596 static int __init test_f6(struct crypto_hash *tfm_cmac)
3599 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3600 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3602 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3603 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3605 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3606 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3608 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3609 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3610 const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3611 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3612 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3613 const u8 exp[16] = {
3614 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3615 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3619 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3623 if (memcmp(res, exp, 16))
3629 static int __init test_g2(struct crypto_hash *tfm_cmac)
3632 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3633 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3634 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3635 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3637 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3638 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3639 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3640 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3642 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3643 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3645 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3646 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3647 const u32 exp_val = 0x2f9ed5ba % 1000000;
3651 err = smp_g2(tfm_cmac, u, v, x, y, &val);
3661 static int __init test_h6(struct crypto_hash *tfm_cmac)
3664 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3665 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3666 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3667 const u8 exp[16] = {
3668 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3669 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3673 err = smp_h6(tfm_cmac, w, key_id, res);
3677 if (memcmp(res, exp, 16))
3683 static char test_smp_buffer[32];
3685 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3686 size_t count, loff_t *ppos)
3688 return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3689 strlen(test_smp_buffer));
3692 static const struct file_operations test_smp_fops = {
3693 .open = simple_open,
3694 .read = test_smp_read,
3695 .llseek = default_llseek,
3698 static int __init run_selftests(struct crypto_blkcipher *tfm_aes,
3699 struct crypto_hash *tfm_cmac)
3701 ktime_t calltime, delta, rettime;
3702 unsigned long long duration;
3705 calltime = ktime_get();
3707 err = test_ah(tfm_aes);
3709 BT_ERR("smp_ah test failed");
3713 err = test_c1(tfm_aes);
3715 BT_ERR("smp_c1 test failed");
3719 err = test_s1(tfm_aes);
3721 BT_ERR("smp_s1 test failed");
3725 err = test_f4(tfm_cmac);
3727 BT_ERR("smp_f4 test failed");
3731 err = test_f5(tfm_cmac);
3733 BT_ERR("smp_f5 test failed");
3737 err = test_f6(tfm_cmac);
3739 BT_ERR("smp_f6 test failed");
3743 err = test_g2(tfm_cmac);
3745 BT_ERR("smp_g2 test failed");
3749 err = test_h6(tfm_cmac);
3751 BT_ERR("smp_h6 test failed");
3755 rettime = ktime_get();
3756 delta = ktime_sub(rettime, calltime);
3757 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3759 BT_INFO("SMP test passed in %llu usecs", duration);
3763 snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3764 "PASS (%llu usecs)\n", duration);
3766 snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3768 debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3774 int __init bt_selftest_smp(void)
3776 struct crypto_blkcipher *tfm_aes;
3777 struct crypto_hash *tfm_cmac;
3780 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
3781 if (IS_ERR(tfm_aes)) {
3782 BT_ERR("Unable to create ECB crypto context");
3783 return PTR_ERR(tfm_aes);
3786 tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3787 if (IS_ERR(tfm_cmac)) {
3788 BT_ERR("Unable to create CMAC crypto context");
3789 crypto_free_blkcipher(tfm_aes);
3790 return PTR_ERR(tfm_cmac);
3793 err = run_selftests(tfm_aes, tfm_cmac);
3795 crypto_free_hash(tfm_cmac);
3796 crypto_free_blkcipher(tfm_aes);
Code Review / kvmfornfv.git / blob