]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blob - net/bluetooth/smp.c
Bluetooth: Update smp_confirm to return a response code
[mirror_ubuntu-bionic-kernel.git] / net / bluetooth / smp.c
1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
8
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
21 */
22
23 #include <linux/crypto.h>
24 #include <linux/scatterlist.h>
25 #include <crypto/b128ops.h>
26
27 #include <net/bluetooth/bluetooth.h>
28 #include <net/bluetooth/hci_core.h>
29 #include <net/bluetooth/l2cap.h>
30 #include <net/bluetooth/mgmt.h>
31
32 #include "smp.h"
33
34 #define SMP_TIMEOUT msecs_to_jiffies(30000)
35
36 #define AUTH_REQ_MASK 0x07
37
38 #define SMP_FLAG_TK_VALID 1
39 #define SMP_FLAG_CFM_PENDING 2
40 #define SMP_FLAG_MITM_AUTH 3
41 #define SMP_FLAG_COMPLETE 4
42 #define SMP_FLAG_INITIATOR 5
43
44 struct smp_chan {
45 struct l2cap_conn *conn;
46 u8 preq[7]; /* SMP Pairing Request */
47 u8 prsp[7]; /* SMP Pairing Response */
48 u8 prnd[16]; /* SMP Pairing Random (local) */
49 u8 rrnd[16]; /* SMP Pairing Random (remote) */
50 u8 pcnf[16]; /* SMP Pairing Confirm */
51 u8 tk[16]; /* SMP Temporary Key */
52 u8 enc_key_size;
53 u8 remote_key_dist;
54 bdaddr_t id_addr;
55 u8 id_addr_type;
56 u8 irk[16];
57 struct smp_csrk *csrk;
58 struct smp_csrk *slave_csrk;
59 struct smp_ltk *ltk;
60 struct smp_ltk *slave_ltk;
61 struct smp_irk *remote_irk;
62 unsigned long flags;
63 };
64
65 static inline void swap128(const u8 src[16], u8 dst[16])
66 {
67 int i;
68 for (i = 0; i < 16; i++)
69 dst[15 - i] = src[i];
70 }
71
72 static inline void swap56(const u8 src[7], u8 dst[7])
73 {
74 int i;
75 for (i = 0; i < 7; i++)
76 dst[6 - i] = src[i];
77 }
78
79 static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
80 {
81 struct blkcipher_desc desc;
82 struct scatterlist sg;
83 uint8_t tmp[16], data[16];
84 int err;
85
86 if (tfm == NULL) {
87 BT_ERR("tfm %p", tfm);
88 return -EINVAL;
89 }
90
91 desc.tfm = tfm;
92 desc.flags = 0;
93
94 /* The most significant octet of key corresponds to k[0] */
95 swap128(k, tmp);
96
97 err = crypto_blkcipher_setkey(tfm, tmp, 16);
98 if (err) {
99 BT_ERR("cipher setkey failed: %d", err);
100 return err;
101 }
102
103 /* Most significant octet of plaintextData corresponds to data[0] */
104 swap128(r, data);
105
106 sg_init_one(&sg, data, 16);
107
108 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
109 if (err)
110 BT_ERR("Encrypt data error %d", err);
111
112 /* Most significant octet of encryptedData corresponds to data[0] */
113 swap128(data, r);
114
115 return err;
116 }
117
118 static int smp_ah(struct crypto_blkcipher *tfm, u8 irk[16], u8 r[3], u8 res[3])
119 {
120 u8 _res[16];
121 int err;
122
123 /* r' = padding || r */
124 memcpy(_res, r, 3);
125 memset(_res + 3, 0, 13);
126
127 err = smp_e(tfm, irk, _res);
128 if (err) {
129 BT_ERR("Encrypt error");
130 return err;
131 }
132
133 /* The output of the random address function ah is:
134 * ah(h, r) = e(k, r') mod 2^24
135 * The output of the security function e is then truncated to 24 bits
136 * by taking the least significant 24 bits of the output of e as the
137 * result of ah.
138 */
139 memcpy(res, _res, 3);
140
141 return 0;
142 }
143
144 bool smp_irk_matches(struct crypto_blkcipher *tfm, u8 irk[16],
145 bdaddr_t *bdaddr)
146 {
147 u8 hash[3];
148 int err;
149
150 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
151
152 err = smp_ah(tfm, irk, &bdaddr->b[3], hash);
153 if (err)
154 return false;
155
156 return !memcmp(bdaddr->b, hash, 3);
157 }
158
159 int smp_generate_rpa(struct crypto_blkcipher *tfm, u8 irk[16], bdaddr_t *rpa)
160 {
161 int err;
162
163 get_random_bytes(&rpa->b[3], 3);
164
165 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
166 rpa->b[5] |= 0x40; /* Set second most significant bit */
167
168 err = smp_ah(tfm, irk, &rpa->b[3], rpa->b);
169 if (err < 0)
170 return err;
171
172 BT_DBG("RPA %pMR", rpa);
173
174 return 0;
175 }
176
177 static int smp_c1(struct crypto_blkcipher *tfm, u8 k[16], u8 r[16],
178 u8 preq[7], u8 pres[7], u8 _iat, bdaddr_t *ia,
179 u8 _rat, bdaddr_t *ra, u8 res[16])
180 {
181 u8 p1[16], p2[16];
182 int err;
183
184 memset(p1, 0, 16);
185
186 /* p1 = pres || preq || _rat || _iat */
187 p1[0] = _iat;
188 p1[1] = _rat;
189 memcpy(p1 + 2, preq, 7);
190 memcpy(p1 + 9, pres, 7);
191
192 /* p2 = padding || ia || ra */
193 memcpy(p2, ra, 6);
194 memcpy(p2 + 6, ia, 6);
195 memset(p2 + 12, 0, 4);
196
197 /* res = r XOR p1 */
198 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
199
200 /* res = e(k, res) */
201 err = smp_e(tfm, k, res);
202 if (err) {
203 BT_ERR("Encrypt data error");
204 return err;
205 }
206
207 /* res = res XOR p2 */
208 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
209
210 /* res = e(k, res) */
211 err = smp_e(tfm, k, res);
212 if (err)
213 BT_ERR("Encrypt data error");
214
215 return err;
216 }
217
218 static int smp_s1(struct crypto_blkcipher *tfm, u8 k[16], u8 r1[16],
219 u8 r2[16], u8 _r[16])
220 {
221 int err;
222
223 /* Just least significant octets from r1 and r2 are considered */
224 memcpy(_r, r2, 8);
225 memcpy(_r + 8, r1, 8);
226
227 err = smp_e(tfm, k, _r);
228 if (err)
229 BT_ERR("Encrypt data error");
230
231 return err;
232 }
233
234 static struct sk_buff *smp_build_cmd(struct l2cap_conn *conn, u8 code,
235 u16 dlen, void *data)
236 {
237 struct sk_buff *skb;
238 struct l2cap_hdr *lh;
239 int len;
240
241 len = L2CAP_HDR_SIZE + sizeof(code) + dlen;
242
243 if (len > conn->mtu)
244 return NULL;
245
246 skb = bt_skb_alloc(len, GFP_ATOMIC);
247 if (!skb)
248 return NULL;
249
250 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
251 lh->len = cpu_to_le16(sizeof(code) + dlen);
252 lh->cid = cpu_to_le16(L2CAP_CID_SMP);
253
254 memcpy(skb_put(skb, sizeof(code)), &code, sizeof(code));
255
256 memcpy(skb_put(skb, dlen), data, dlen);
257
258 return skb;
259 }
260
261 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
262 {
263 struct sk_buff *skb = smp_build_cmd(conn, code, len, data);
264
265 BT_DBG("code 0x%2.2x", code);
266
267 if (!skb)
268 return;
269
270 skb->priority = HCI_PRIO_MAX;
271 hci_send_acl(conn->hchan, skb, 0);
272
273 cancel_delayed_work_sync(&conn->security_timer);
274 schedule_delayed_work(&conn->security_timer, SMP_TIMEOUT);
275 }
276
277 static __u8 authreq_to_seclevel(__u8 authreq)
278 {
279 if (authreq & SMP_AUTH_MITM)
280 return BT_SECURITY_HIGH;
281 else
282 return BT_SECURITY_MEDIUM;
283 }
284
285 static __u8 seclevel_to_authreq(__u8 sec_level)
286 {
287 switch (sec_level) {
288 case BT_SECURITY_HIGH:
289 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
290 case BT_SECURITY_MEDIUM:
291 return SMP_AUTH_BONDING;
292 default:
293 return SMP_AUTH_NONE;
294 }
295 }
296
297 static void build_pairing_cmd(struct l2cap_conn *conn,
298 struct smp_cmd_pairing *req,
299 struct smp_cmd_pairing *rsp, __u8 authreq)
300 {
301 struct smp_chan *smp = conn->smp_chan;
302 struct hci_conn *hcon = conn->hcon;
303 struct hci_dev *hdev = hcon->hdev;
304 u8 local_dist = 0, remote_dist = 0;
305
306 if (test_bit(HCI_PAIRABLE, &conn->hcon->hdev->dev_flags)) {
307 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
308 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
309 authreq |= SMP_AUTH_BONDING;
310 } else {
311 authreq &= ~SMP_AUTH_BONDING;
312 }
313
314 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
315 remote_dist |= SMP_DIST_ID_KEY;
316
317 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
318 local_dist |= SMP_DIST_ID_KEY;
319
320 if (rsp == NULL) {
321 req->io_capability = conn->hcon->io_capability;
322 req->oob_flag = SMP_OOB_NOT_PRESENT;
323 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
324 req->init_key_dist = local_dist;
325 req->resp_key_dist = remote_dist;
326 req->auth_req = (authreq & AUTH_REQ_MASK);
327
328 smp->remote_key_dist = remote_dist;
329 return;
330 }
331
332 rsp->io_capability = conn->hcon->io_capability;
333 rsp->oob_flag = SMP_OOB_NOT_PRESENT;
334 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
335 rsp->init_key_dist = req->init_key_dist & remote_dist;
336 rsp->resp_key_dist = req->resp_key_dist & local_dist;
337 rsp->auth_req = (authreq & AUTH_REQ_MASK);
338
339 smp->remote_key_dist = rsp->init_key_dist;
340 }
341
342 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
343 {
344 struct smp_chan *smp = conn->smp_chan;
345
346 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
347 (max_key_size < SMP_MIN_ENC_KEY_SIZE))
348 return SMP_ENC_KEY_SIZE;
349
350 smp->enc_key_size = max_key_size;
351
352 return 0;
353 }
354
355 static void smp_failure(struct l2cap_conn *conn, u8 reason)
356 {
357 struct hci_conn *hcon = conn->hcon;
358
359 if (reason)
360 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
361 &reason);
362
363 clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags);
364 mgmt_auth_failed(hcon->hdev, &hcon->dst, hcon->type, hcon->dst_type,
365 HCI_ERROR_AUTH_FAILURE);
366
367 cancel_delayed_work_sync(&conn->security_timer);
368
369 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
370 smp_chan_destroy(conn);
371 }
372
373 #define JUST_WORKS 0x00
374 #define JUST_CFM 0x01
375 #define REQ_PASSKEY 0x02
376 #define CFM_PASSKEY 0x03
377 #define REQ_OOB 0x04
378 #define OVERLAP 0xFF
379
380 static const u8 gen_method[5][5] = {
381 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
382 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
383 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
384 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
385 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
386 };
387
388 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
389 u8 local_io, u8 remote_io)
390 {
391 struct hci_conn *hcon = conn->hcon;
392 struct smp_chan *smp = conn->smp_chan;
393 u8 method;
394 u32 passkey = 0;
395 int ret = 0;
396
397 /* Initialize key for JUST WORKS */
398 memset(smp->tk, 0, sizeof(smp->tk));
399 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
400
401 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
402
403 /* If neither side wants MITM, use JUST WORKS */
404 /* If either side has unknown io_caps, use JUST WORKS */
405 /* Otherwise, look up method from the table */
406 if (!(auth & SMP_AUTH_MITM) ||
407 local_io > SMP_IO_KEYBOARD_DISPLAY ||
408 remote_io > SMP_IO_KEYBOARD_DISPLAY)
409 method = JUST_WORKS;
410 else
411 method = gen_method[remote_io][local_io];
412
413 /* If not bonding, don't ask user to confirm a Zero TK */
414 if (!(auth & SMP_AUTH_BONDING) && method == JUST_CFM)
415 method = JUST_WORKS;
416
417 /* Don't confirm locally initiated pairing attempts */
418 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
419 method = JUST_WORKS;
420
421 /* If Just Works, Continue with Zero TK */
422 if (method == JUST_WORKS) {
423 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
424 return 0;
425 }
426
427 /* Not Just Works/Confirm results in MITM Authentication */
428 if (method != JUST_CFM)
429 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
430
431 /* If both devices have Keyoard-Display I/O, the master
432 * Confirms and the slave Enters the passkey.
433 */
434 if (method == OVERLAP) {
435 if (hcon->link_mode & HCI_LM_MASTER)
436 method = CFM_PASSKEY;
437 else
438 method = REQ_PASSKEY;
439 }
440
441 /* Generate random passkey. */
442 if (method == CFM_PASSKEY) {
443 memset(smp->tk, 0, sizeof(smp->tk));
444 get_random_bytes(&passkey, sizeof(passkey));
445 passkey %= 1000000;
446 put_unaligned_le32(passkey, smp->tk);
447 BT_DBG("PassKey: %d", passkey);
448 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
449 }
450
451 hci_dev_lock(hcon->hdev);
452
453 if (method == REQ_PASSKEY)
454 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
455 hcon->type, hcon->dst_type);
456 else if (method == JUST_CFM)
457 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
458 hcon->type, hcon->dst_type,
459 passkey, 1);
460 else
461 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
462 hcon->type, hcon->dst_type,
463 passkey, 0);
464
465 hci_dev_unlock(hcon->hdev);
466
467 return ret;
468 }
469
470 static u8 smp_confirm(struct smp_chan *smp)
471 {
472 struct l2cap_conn *conn = smp->conn;
473 struct hci_dev *hdev = conn->hcon->hdev;
474 struct crypto_blkcipher *tfm = hdev->tfm_aes;
475 struct smp_cmd_pairing_confirm cp;
476 int ret;
477
478 BT_DBG("conn %p", conn);
479
480 /* Prevent mutual access to hdev->tfm_aes */
481 hci_dev_lock(hdev);
482
483 ret = smp_c1(tfm, smp->tk, smp->prnd, smp->preq, smp->prsp,
484 conn->hcon->init_addr_type, &conn->hcon->init_addr,
485 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
486 cp.confirm_val);
487
488 hci_dev_unlock(hdev);
489
490 if (ret)
491 return SMP_UNSPECIFIED;
492
493 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
494
495 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
496
497 return 0;
498 }
499
500 static u8 smp_random(struct smp_chan *smp)
501 {
502 struct l2cap_conn *conn = smp->conn;
503 struct hci_conn *hcon = conn->hcon;
504 struct hci_dev *hdev = hcon->hdev;
505 struct crypto_blkcipher *tfm = hdev->tfm_aes;
506 u8 confirm[16];
507 int ret;
508
509 if (IS_ERR_OR_NULL(tfm))
510 return SMP_UNSPECIFIED;
511
512 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
513
514 /* Prevent mutual access to hdev->tfm_aes */
515 hci_dev_lock(hdev);
516
517 ret = smp_c1(tfm, smp->tk, smp->rrnd, smp->preq, smp->prsp,
518 hcon->init_addr_type, &hcon->init_addr,
519 hcon->resp_addr_type, &hcon->resp_addr, confirm);
520
521 hci_dev_unlock(hdev);
522
523 if (ret)
524 return SMP_UNSPECIFIED;
525
526 if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
527 BT_ERR("Pairing failed (confirmation values mismatch)");
528 return SMP_CONFIRM_FAILED;
529 }
530
531 if (hcon->out) {
532 u8 stk[16];
533 __le64 rand = 0;
534 __le16 ediv = 0;
535
536 smp_s1(tfm, smp->tk, smp->rrnd, smp->prnd, stk);
537
538 memset(stk + smp->enc_key_size, 0,
539 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
540
541 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
542 return SMP_UNSPECIFIED;
543
544 hci_le_start_enc(hcon, ediv, rand, stk);
545 hcon->enc_key_size = smp->enc_key_size;
546 } else {
547 u8 stk[16];
548 __le64 rand = 0;
549 __le16 ediv = 0;
550
551 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
552 smp->prnd);
553
554 smp_s1(tfm, smp->tk, smp->prnd, smp->rrnd, stk);
555
556 memset(stk + smp->enc_key_size, 0,
557 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
558
559 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
560 HCI_SMP_STK_SLAVE, 0, stk, smp->enc_key_size,
561 ediv, rand);
562 }
563
564 return 0;
565 }
566
567 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
568 {
569 struct smp_chan *smp;
570
571 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
572 if (!smp)
573 return NULL;
574
575 smp->conn = conn;
576 conn->smp_chan = smp;
577 conn->hcon->smp_conn = conn;
578
579 hci_conn_hold(conn->hcon);
580
581 return smp;
582 }
583
584 void smp_chan_destroy(struct l2cap_conn *conn)
585 {
586 struct smp_chan *smp = conn->smp_chan;
587 bool complete;
588
589 BUG_ON(!smp);
590
591 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
592 mgmt_smp_complete(conn->hcon, complete);
593
594 kfree(smp->csrk);
595 kfree(smp->slave_csrk);
596
597 /* If pairing failed clean up any keys we might have */
598 if (!complete) {
599 if (smp->ltk) {
600 list_del(&smp->ltk->list);
601 kfree(smp->ltk);
602 }
603
604 if (smp->slave_ltk) {
605 list_del(&smp->slave_ltk->list);
606 kfree(smp->slave_ltk);
607 }
608
609 if (smp->remote_irk) {
610 list_del(&smp->remote_irk->list);
611 kfree(smp->remote_irk);
612 }
613 }
614
615 kfree(smp);
616 conn->smp_chan = NULL;
617 conn->hcon->smp_conn = NULL;
618 hci_conn_drop(conn->hcon);
619 }
620
621 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
622 {
623 struct l2cap_conn *conn = hcon->smp_conn;
624 struct smp_chan *smp;
625 u32 value;
626
627 BT_DBG("");
628
629 if (!conn)
630 return -ENOTCONN;
631
632 smp = conn->smp_chan;
633
634 switch (mgmt_op) {
635 case MGMT_OP_USER_PASSKEY_REPLY:
636 value = le32_to_cpu(passkey);
637 memset(smp->tk, 0, sizeof(smp->tk));
638 BT_DBG("PassKey: %d", value);
639 put_unaligned_le32(value, smp->tk);
640 /* Fall Through */
641 case MGMT_OP_USER_CONFIRM_REPLY:
642 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
643 break;
644 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
645 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
646 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
647 return 0;
648 default:
649 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
650 return -EOPNOTSUPP;
651 }
652
653 /* If it is our turn to send Pairing Confirm, do so now */
654 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
655 u8 rsp = smp_confirm(smp);
656 if (rsp)
657 smp_failure(conn, rsp);
658 }
659
660 return 0;
661 }
662
663 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
664 {
665 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
666 struct smp_chan *smp;
667 u8 key_size, auth;
668 int ret;
669
670 BT_DBG("conn %p", conn);
671
672 if (skb->len < sizeof(*req))
673 return SMP_INVALID_PARAMS;
674
675 if (conn->hcon->link_mode & HCI_LM_MASTER)
676 return SMP_CMD_NOTSUPP;
677
678 if (!test_and_set_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags))
679 smp = smp_chan_create(conn);
680 else
681 smp = conn->smp_chan;
682
683 if (!smp)
684 return SMP_UNSPECIFIED;
685
686 smp->preq[0] = SMP_CMD_PAIRING_REQ;
687 memcpy(&smp->preq[1], req, sizeof(*req));
688 skb_pull(skb, sizeof(*req));
689
690 /* We didn't start the pairing, so match remote */
691 auth = req->auth_req;
692
693 conn->hcon->pending_sec_level = authreq_to_seclevel(auth);
694
695 build_pairing_cmd(conn, req, &rsp, auth);
696
697 key_size = min(req->max_key_size, rsp.max_key_size);
698 if (check_enc_key_size(conn, key_size))
699 return SMP_ENC_KEY_SIZE;
700
701 get_random_bytes(smp->prnd, sizeof(smp->prnd));
702
703 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
704 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
705
706 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
707
708 /* Request setup of TK */
709 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
710 if (ret)
711 return SMP_UNSPECIFIED;
712
713 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
714
715 return 0;
716 }
717
718 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
719 {
720 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
721 struct smp_chan *smp = conn->smp_chan;
722 u8 key_size, auth = SMP_AUTH_NONE;
723 int ret;
724
725 BT_DBG("conn %p", conn);
726
727 if (skb->len < sizeof(*rsp))
728 return SMP_INVALID_PARAMS;
729
730 if (!(conn->hcon->link_mode & HCI_LM_MASTER))
731 return SMP_CMD_NOTSUPP;
732
733 skb_pull(skb, sizeof(*rsp));
734
735 req = (void *) &smp->preq[1];
736
737 key_size = min(req->max_key_size, rsp->max_key_size);
738 if (check_enc_key_size(conn, key_size))
739 return SMP_ENC_KEY_SIZE;
740
741 get_random_bytes(smp->prnd, sizeof(smp->prnd));
742
743 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
744 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
745
746 /* Update remote key distribution in case the remote cleared
747 * some bits that we had enabled in our request.
748 */
749 smp->remote_key_dist &= rsp->resp_key_dist;
750
751 if ((req->auth_req & SMP_AUTH_BONDING) &&
752 (rsp->auth_req & SMP_AUTH_BONDING))
753 auth = SMP_AUTH_BONDING;
754
755 auth |= (req->auth_req | rsp->auth_req) & SMP_AUTH_MITM;
756
757 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
758 if (ret)
759 return SMP_UNSPECIFIED;
760
761 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
762
763 /* Can't compose response until we have been confirmed */
764 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
765 return smp_confirm(smp);
766
767 return 0;
768 }
769
770 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
771 {
772 struct smp_chan *smp = conn->smp_chan;
773
774 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
775
776 if (skb->len < sizeof(smp->pcnf))
777 return SMP_INVALID_PARAMS;
778
779 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
780 skb_pull(skb, sizeof(smp->pcnf));
781
782 if (conn->hcon->out)
783 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
784 smp->prnd);
785 else if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
786 return smp_confirm(smp);
787 else
788 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
789
790 return 0;
791 }
792
793 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
794 {
795 struct smp_chan *smp = conn->smp_chan;
796
797 BT_DBG("conn %p", conn);
798
799 if (skb->len < sizeof(smp->rrnd))
800 return SMP_INVALID_PARAMS;
801
802 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
803 skb_pull(skb, sizeof(smp->rrnd));
804
805 return smp_random(smp);
806 }
807
808 static u8 smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
809 {
810 struct smp_ltk *key;
811 struct hci_conn *hcon = conn->hcon;
812
813 key = hci_find_ltk_by_addr(hcon->hdev, &hcon->dst, hcon->dst_type,
814 hcon->out);
815 if (!key)
816 return 0;
817
818 if (sec_level > BT_SECURITY_MEDIUM && !key->authenticated)
819 return 0;
820
821 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
822 return 1;
823
824 hci_le_start_enc(hcon, key->ediv, key->rand, key->val);
825 hcon->enc_key_size = key->enc_size;
826
827 return 1;
828 }
829
830 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
831 {
832 struct smp_cmd_security_req *rp = (void *) skb->data;
833 struct smp_cmd_pairing cp;
834 struct hci_conn *hcon = conn->hcon;
835 struct smp_chan *smp;
836
837 BT_DBG("conn %p", conn);
838
839 if (skb->len < sizeof(*rp))
840 return SMP_INVALID_PARAMS;
841
842 if (!(conn->hcon->link_mode & HCI_LM_MASTER))
843 return SMP_CMD_NOTSUPP;
844
845 hcon->pending_sec_level = authreq_to_seclevel(rp->auth_req);
846
847 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
848 return 0;
849
850 if (test_and_set_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
851 return 0;
852
853 smp = smp_chan_create(conn);
854
855 skb_pull(skb, sizeof(*rp));
856
857 memset(&cp, 0, sizeof(cp));
858 build_pairing_cmd(conn, &cp, NULL, rp->auth_req);
859
860 smp->preq[0] = SMP_CMD_PAIRING_REQ;
861 memcpy(&smp->preq[1], &cp, sizeof(cp));
862
863 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
864
865 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
866
867 return 0;
868 }
869
870 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level)
871 {
872 if (sec_level == BT_SECURITY_LOW)
873 return true;
874
875 if (hcon->sec_level >= sec_level)
876 return true;
877
878 return false;
879 }
880
881 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
882 {
883 struct l2cap_conn *conn = hcon->l2cap_data;
884 struct smp_chan *smp;
885 __u8 authreq;
886
887 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
888
889 /* This may be NULL if there's an unexpected disconnection */
890 if (!conn)
891 return 1;
892
893 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags))
894 return 1;
895
896 if (smp_sufficient_security(hcon, sec_level))
897 return 1;
898
899 if (hcon->link_mode & HCI_LM_MASTER)
900 if (smp_ltk_encrypt(conn, sec_level))
901 goto done;
902
903 if (test_and_set_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
904 return 0;
905
906 smp = smp_chan_create(conn);
907 if (!smp)
908 return 1;
909
910 authreq = seclevel_to_authreq(sec_level);
911
912 /* hcon->auth_type is set by pair_device in mgmt.c. If the MITM
913 * flag is set we should also set it for the SMP request.
914 */
915 if ((hcon->auth_type & 0x01))
916 authreq |= SMP_AUTH_MITM;
917
918 if (hcon->link_mode & HCI_LM_MASTER) {
919 struct smp_cmd_pairing cp;
920
921 build_pairing_cmd(conn, &cp, NULL, authreq);
922 smp->preq[0] = SMP_CMD_PAIRING_REQ;
923 memcpy(&smp->preq[1], &cp, sizeof(cp));
924
925 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
926 } else {
927 struct smp_cmd_security_req cp;
928 cp.auth_req = authreq;
929 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
930 }
931
932 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
933
934 done:
935 hcon->pending_sec_level = sec_level;
936
937 return 0;
938 }
939
940 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
941 {
942 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
943 struct smp_chan *smp = conn->smp_chan;
944
945 BT_DBG("conn %p", conn);
946
947 if (skb->len < sizeof(*rp))
948 return SMP_INVALID_PARAMS;
949
950 /* Ignore this PDU if it wasn't requested */
951 if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY))
952 return 0;
953
954 skb_pull(skb, sizeof(*rp));
955
956 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
957
958 return 0;
959 }
960
961 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
962 {
963 struct smp_cmd_master_ident *rp = (void *) skb->data;
964 struct smp_chan *smp = conn->smp_chan;
965 struct hci_dev *hdev = conn->hcon->hdev;
966 struct hci_conn *hcon = conn->hcon;
967 struct smp_ltk *ltk;
968 u8 authenticated;
969
970 BT_DBG("conn %p", conn);
971
972 if (skb->len < sizeof(*rp))
973 return SMP_INVALID_PARAMS;
974
975 /* Ignore this PDU if it wasn't requested */
976 if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY))
977 return 0;
978
979 /* Mark the information as received */
980 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
981
982 skb_pull(skb, sizeof(*rp));
983
984 hci_dev_lock(hdev);
985 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
986 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, HCI_SMP_LTK,
987 authenticated, smp->tk, smp->enc_key_size,
988 rp->ediv, rp->rand);
989 smp->ltk = ltk;
990 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
991 smp_distribute_keys(conn);
992 hci_dev_unlock(hdev);
993
994 return 0;
995 }
996
997 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
998 {
999 struct smp_cmd_ident_info *info = (void *) skb->data;
1000 struct smp_chan *smp = conn->smp_chan;
1001
1002 BT_DBG("");
1003
1004 if (skb->len < sizeof(*info))
1005 return SMP_INVALID_PARAMS;
1006
1007 /* Ignore this PDU if it wasn't requested */
1008 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
1009 return 0;
1010
1011 skb_pull(skb, sizeof(*info));
1012
1013 memcpy(smp->irk, info->irk, 16);
1014
1015 return 0;
1016 }
1017
1018 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
1019 struct sk_buff *skb)
1020 {
1021 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
1022 struct smp_chan *smp = conn->smp_chan;
1023 struct hci_conn *hcon = conn->hcon;
1024 bdaddr_t rpa;
1025
1026 BT_DBG("");
1027
1028 if (skb->len < sizeof(*info))
1029 return SMP_INVALID_PARAMS;
1030
1031 /* Ignore this PDU if it wasn't requested */
1032 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
1033 return 0;
1034
1035 /* Mark the information as received */
1036 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
1037
1038 skb_pull(skb, sizeof(*info));
1039
1040 /* Strictly speaking the Core Specification (4.1) allows sending
1041 * an empty address which would force us to rely on just the IRK
1042 * as "identity information". However, since such
1043 * implementations are not known of and in order to not over
1044 * complicate our implementation, simply pretend that we never
1045 * received an IRK for such a device.
1046 */
1047 if (!bacmp(&info->bdaddr, BDADDR_ANY)) {
1048 BT_ERR("Ignoring IRK with no identity address");
1049 smp_distribute_keys(conn);
1050 return 0;
1051 }
1052
1053 bacpy(&smp->id_addr, &info->bdaddr);
1054 smp->id_addr_type = info->addr_type;
1055
1056 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
1057 bacpy(&rpa, &hcon->dst);
1058 else
1059 bacpy(&rpa, BDADDR_ANY);
1060
1061 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
1062 smp->id_addr_type, smp->irk, &rpa);
1063
1064 smp_distribute_keys(conn);
1065
1066 return 0;
1067 }
1068
1069 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
1070 {
1071 struct smp_cmd_sign_info *rp = (void *) skb->data;
1072 struct smp_chan *smp = conn->smp_chan;
1073 struct hci_dev *hdev = conn->hcon->hdev;
1074 struct smp_csrk *csrk;
1075
1076 BT_DBG("conn %p", conn);
1077
1078 if (skb->len < sizeof(*rp))
1079 return SMP_INVALID_PARAMS;
1080
1081 /* Ignore this PDU if it wasn't requested */
1082 if (!(smp->remote_key_dist & SMP_DIST_SIGN))
1083 return 0;
1084
1085 /* Mark the information as received */
1086 smp->remote_key_dist &= ~SMP_DIST_SIGN;
1087
1088 skb_pull(skb, sizeof(*rp));
1089
1090 hci_dev_lock(hdev);
1091 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1092 if (csrk) {
1093 csrk->master = 0x01;
1094 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
1095 }
1096 smp->csrk = csrk;
1097 if (!(smp->remote_key_dist & SMP_DIST_SIGN))
1098 smp_distribute_keys(conn);
1099 hci_dev_unlock(hdev);
1100
1101 return 0;
1102 }
1103
1104 int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
1105 {
1106 struct hci_conn *hcon = conn->hcon;
1107 __u8 code, reason;
1108 int err = 0;
1109
1110 if (hcon->type != LE_LINK) {
1111 kfree_skb(skb);
1112 return 0;
1113 }
1114
1115 if (skb->len < 1) {
1116 kfree_skb(skb);
1117 return -EILSEQ;
1118 }
1119
1120 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags)) {
1121 err = -ENOTSUPP;
1122 reason = SMP_PAIRING_NOTSUPP;
1123 goto done;
1124 }
1125
1126 code = skb->data[0];
1127 skb_pull(skb, sizeof(code));
1128
1129 /*
1130 * The SMP context must be initialized for all other PDUs except
1131 * pairing and security requests. If we get any other PDU when
1132 * not initialized simply disconnect (done if this function
1133 * returns an error).
1134 */
1135 if (code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ &&
1136 !conn->smp_chan) {
1137 BT_ERR("Unexpected SMP command 0x%02x. Disconnecting.", code);
1138 kfree_skb(skb);
1139 return -ENOTSUPP;
1140 }
1141
1142 switch (code) {
1143 case SMP_CMD_PAIRING_REQ:
1144 reason = smp_cmd_pairing_req(conn, skb);
1145 break;
1146
1147 case SMP_CMD_PAIRING_FAIL:
1148 smp_failure(conn, 0);
1149 reason = 0;
1150 err = -EPERM;
1151 break;
1152
1153 case SMP_CMD_PAIRING_RSP:
1154 reason = smp_cmd_pairing_rsp(conn, skb);
1155 break;
1156
1157 case SMP_CMD_SECURITY_REQ:
1158 reason = smp_cmd_security_req(conn, skb);
1159 break;
1160
1161 case SMP_CMD_PAIRING_CONFIRM:
1162 reason = smp_cmd_pairing_confirm(conn, skb);
1163 break;
1164
1165 case SMP_CMD_PAIRING_RANDOM:
1166 reason = smp_cmd_pairing_random(conn, skb);
1167 break;
1168
1169 case SMP_CMD_ENCRYPT_INFO:
1170 reason = smp_cmd_encrypt_info(conn, skb);
1171 break;
1172
1173 case SMP_CMD_MASTER_IDENT:
1174 reason = smp_cmd_master_ident(conn, skb);
1175 break;
1176
1177 case SMP_CMD_IDENT_INFO:
1178 reason = smp_cmd_ident_info(conn, skb);
1179 break;
1180
1181 case SMP_CMD_IDENT_ADDR_INFO:
1182 reason = smp_cmd_ident_addr_info(conn, skb);
1183 break;
1184
1185 case SMP_CMD_SIGN_INFO:
1186 reason = smp_cmd_sign_info(conn, skb);
1187 break;
1188
1189 default:
1190 BT_DBG("Unknown command code 0x%2.2x", code);
1191
1192 reason = SMP_CMD_NOTSUPP;
1193 err = -EOPNOTSUPP;
1194 goto done;
1195 }
1196
1197 done:
1198 if (reason)
1199 smp_failure(conn, reason);
1200
1201 kfree_skb(skb);
1202 return err;
1203 }
1204
1205 static void smp_notify_keys(struct l2cap_conn *conn)
1206 {
1207 struct smp_chan *smp = conn->smp_chan;
1208 struct hci_conn *hcon = conn->hcon;
1209 struct hci_dev *hdev = hcon->hdev;
1210 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1211 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1212 bool persistent;
1213
1214 if (smp->remote_irk) {
1215 mgmt_new_irk(hdev, smp->remote_irk);
1216 /* Now that user space can be considered to know the
1217 * identity address track the connection based on it
1218 * from now on.
1219 */
1220 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1221 hcon->dst_type = smp->remote_irk->addr_type;
1222 l2cap_conn_update_id_addr(hcon);
1223 }
1224
1225 /* The LTKs and CSRKs should be persistent only if both sides
1226 * had the bonding bit set in their authentication requests.
1227 */
1228 persistent = !!((req->auth_req & rsp->auth_req) & SMP_AUTH_BONDING);
1229
1230 if (smp->csrk) {
1231 smp->csrk->bdaddr_type = hcon->dst_type;
1232 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1233 mgmt_new_csrk(hdev, smp->csrk, persistent);
1234 }
1235
1236 if (smp->slave_csrk) {
1237 smp->slave_csrk->bdaddr_type = hcon->dst_type;
1238 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1239 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1240 }
1241
1242 if (smp->ltk) {
1243 smp->ltk->bdaddr_type = hcon->dst_type;
1244 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1245 mgmt_new_ltk(hdev, smp->ltk, persistent);
1246 }
1247
1248 if (smp->slave_ltk) {
1249 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1250 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1251 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1252 }
1253 }
1254
1255 int smp_distribute_keys(struct l2cap_conn *conn)
1256 {
1257 struct smp_cmd_pairing *req, *rsp;
1258 struct smp_chan *smp = conn->smp_chan;
1259 struct hci_conn *hcon = conn->hcon;
1260 struct hci_dev *hdev = hcon->hdev;
1261 __u8 *keydist;
1262
1263 BT_DBG("conn %p", conn);
1264
1265 if (!test_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
1266 return 0;
1267
1268 rsp = (void *) &smp->prsp[1];
1269
1270 /* The responder sends its keys first */
1271 if (hcon->out && (smp->remote_key_dist & 0x07))
1272 return 0;
1273
1274 req = (void *) &smp->preq[1];
1275
1276 if (hcon->out) {
1277 keydist = &rsp->init_key_dist;
1278 *keydist &= req->init_key_dist;
1279 } else {
1280 keydist = &rsp->resp_key_dist;
1281 *keydist &= req->resp_key_dist;
1282 }
1283
1284 BT_DBG("keydist 0x%x", *keydist);
1285
1286 if (*keydist & SMP_DIST_ENC_KEY) {
1287 struct smp_cmd_encrypt_info enc;
1288 struct smp_cmd_master_ident ident;
1289 struct smp_ltk *ltk;
1290 u8 authenticated;
1291 __le16 ediv;
1292 __le64 rand;
1293
1294 get_random_bytes(enc.ltk, sizeof(enc.ltk));
1295 get_random_bytes(&ediv, sizeof(ediv));
1296 get_random_bytes(&rand, sizeof(rand));
1297
1298 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1299
1300 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1301 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1302 HCI_SMP_LTK_SLAVE, authenticated, enc.ltk,
1303 smp->enc_key_size, ediv, rand);
1304 smp->slave_ltk = ltk;
1305
1306 ident.ediv = ediv;
1307 ident.rand = rand;
1308
1309 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1310
1311 *keydist &= ~SMP_DIST_ENC_KEY;
1312 }
1313
1314 if (*keydist & SMP_DIST_ID_KEY) {
1315 struct smp_cmd_ident_addr_info addrinfo;
1316 struct smp_cmd_ident_info idinfo;
1317
1318 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1319
1320 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1321
1322 /* The hci_conn contains the local identity address
1323 * after the connection has been established.
1324 *
1325 * This is true even when the connection has been
1326 * established using a resolvable random address.
1327 */
1328 bacpy(&addrinfo.bdaddr, &hcon->src);
1329 addrinfo.addr_type = hcon->src_type;
1330
1331 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1332 &addrinfo);
1333
1334 *keydist &= ~SMP_DIST_ID_KEY;
1335 }
1336
1337 if (*keydist & SMP_DIST_SIGN) {
1338 struct smp_cmd_sign_info sign;
1339 struct smp_csrk *csrk;
1340
1341 /* Generate a new random key */
1342 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1343
1344 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1345 if (csrk) {
1346 csrk->master = 0x00;
1347 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1348 }
1349 smp->slave_csrk = csrk;
1350
1351 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1352
1353 *keydist &= ~SMP_DIST_SIGN;
1354 }
1355
1356 /* If there are still keys to be received wait for them */
1357 if ((smp->remote_key_dist & 0x07))
1358 return 0;
1359
1360 clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags);
1361 cancel_delayed_work_sync(&conn->security_timer);
1362 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1363 smp_notify_keys(conn);
1364
1365 smp_chan_destroy(conn);
1366
1367 return 0;
1368 }