smp.c 85.1 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
/*
   BlueZ - Bluetooth protocol stack for Linux
   Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License version 2 as
   published by the Free Software Foundation;

   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
   SOFTWARE IS DISCLAIMED.
*/

23
#include <linux/debugfs.h>
24 25 26 27
#include <linux/crypto.h>
#include <linux/scatterlist.h>
#include <crypto/b128ops.h>

28 29 30
#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>
#include <net/bluetooth/l2cap.h>
31
#include <net/bluetooth/mgmt.h>
32

33
#include "ecc.h"
34
#include "smp.h"
35

36 37 38 39 40 41 42 43 44 45 46 47
/* Low-level debug macros to be used for stuff that we don't want
 * accidentially in dmesg, i.e. the values of the various crypto keys
 * and the inputs & outputs of crypto functions.
 */
#ifdef DEBUG
#define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
				 ##__VA_ARGS__)
#else
#define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
				    ##__VA_ARGS__)
#endif

48 49
#define SMP_ALLOW_CMD(smp, code)	set_bit(code, &smp->allow_cmd)

50 51 52
/* Keys which are not distributed with Secure Connections */
#define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);

53
#define SMP_TIMEOUT	msecs_to_jiffies(30000)
54

55
#define AUTH_REQ_MASK(dev)	(hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
56 57
				 0x1f : 0x07)
#define KEY_DIST_MASK		0x07
58

59 60 61
/* Maximum message length that can be passed to aes_cmac */
#define CMAC_MSG_MAX	80

62 63 64 65 66 67
enum {
	SMP_FLAG_TK_VALID,
	SMP_FLAG_CFM_PENDING,
	SMP_FLAG_MITM_AUTH,
	SMP_FLAG_COMPLETE,
	SMP_FLAG_INITIATOR,
68
	SMP_FLAG_SC,
69
	SMP_FLAG_REMOTE_PK,
70
	SMP_FLAG_DEBUG_KEY,
71
	SMP_FLAG_WAIT_USER,
72
	SMP_FLAG_DHKEY_PENDING,
73
	SMP_FLAG_OOB,
74
};
75

76
struct smp_dev {
77 78 79 80 81 82
	/* Secure Connections OOB data */
	u8			local_pk[64];
	u8			local_sk[32];
	u8			local_rr[16];
	bool			debug_key;

83
	struct crypto_blkcipher	*tfm_aes;
84
	struct crypto_hash	*tfm_cmac;
85 86
};

87
struct smp_chan {
88 89
	struct l2cap_conn	*conn;
	struct delayed_work	security_timer;
90
	unsigned long           allow_cmd; /* Bitmask of allowed commands */
91

92 93 94 95 96 97
	u8		preq[7]; /* SMP Pairing Request */
	u8		prsp[7]; /* SMP Pairing Response */
	u8		prnd[16]; /* SMP Pairing Random (local) */
	u8		rrnd[16]; /* SMP Pairing Random (remote) */
	u8		pcnf[16]; /* SMP Pairing Confirm */
	u8		tk[16]; /* SMP Temporary Key */
98
	u8		rr[16];
99 100 101 102 103 104 105 106 107 108
	u8		enc_key_size;
	u8		remote_key_dist;
	bdaddr_t	id_addr;
	u8		id_addr_type;
	u8		irk[16];
	struct smp_csrk	*csrk;
	struct smp_csrk	*slave_csrk;
	struct smp_ltk	*ltk;
	struct smp_ltk	*slave_ltk;
	struct smp_irk	*remote_irk;
109
	u8		*link_key;
110
	unsigned long	flags;
111
	u8		method;
112
	u8		passkey_round;
113

114 115 116
	/* Secure Connections variables */
	u8			local_pk[64];
	u8			local_sk[32];
117 118
	u8			remote_pk[64];
	u8			dhkey[32];
119
	u8			mackey[16];
120

121
	struct crypto_blkcipher	*tfm_aes;
122
	struct crypto_hash	*tfm_cmac;
123 124
};

125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147
/* These debug key values are defined in the SMP section of the core
 * specification. debug_pk is the public debug key and debug_sk the
 * private debug key.
 */
static const u8 debug_pk[64] = {
		0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
		0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
		0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
		0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,

		0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
		0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
		0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
		0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
};

static const u8 debug_sk[32] = {
		0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
		0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
		0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
		0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
};

148
static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
149
{
150
	size_t i;
151

152 153
	for (i = 0; i < len; i++)
		dst[len - 1 - i] = src[i];
154 155
}

156 157 158 159
/* The following functions map to the LE SC SMP crypto functions
 * AES-CMAC, f4, f5, f6, g2 and h6.
 */

160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184
static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m,
		    size_t len, u8 mac[16])
{
	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
	struct hash_desc desc;
	struct scatterlist sg;
	int err;

	if (len > CMAC_MSG_MAX)
		return -EFBIG;

	if (!tfm) {
		BT_ERR("tfm %p", tfm);
		return -EINVAL;
	}

	desc.tfm = tfm;
	desc.flags = 0;

	crypto_hash_init(&desc);

	/* Swap key and message from LSB to MSB */
	swap_buf(k, tmp, 16);
	swap_buf(m, msg_msb, len);

185 186
	SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
	SMP_DBG("key %16phN", k);
187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209

	err = crypto_hash_setkey(tfm, tmp, 16);
	if (err) {
		BT_ERR("cipher setkey failed: %d", err);
		return err;
	}

	sg_init_one(&sg, msg_msb, len);

	err = crypto_hash_update(&desc, &sg, len);
	if (err) {
		BT_ERR("Hash update error %d", err);
		return err;
	}

	err = crypto_hash_final(&desc, mac_msb);
	if (err) {
		BT_ERR("Hash final error %d", err);
		return err;
	}

	swap_buf(mac_msb, mac, 16);

210
	SMP_DBG("mac %16phN", mac);
211 212 213 214 215 216 217 218 219 220

	return 0;
}

static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
		  const u8 x[16], u8 z, u8 res[16])
{
	u8 m[65];
	int err;

221 222 223
	SMP_DBG("u %32phN", u);
	SMP_DBG("v %32phN", v);
	SMP_DBG("x %16phN z %02x", x, z);
224 225 226 227 228 229 230 231 232

	m[0] = z;
	memcpy(m + 1, v, 32);
	memcpy(m + 33, u, 32);

	err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
	if (err)
		return err;

233
	SMP_DBG("res %16phN", res);
234 235 236 237

	return err;
}

238 239 240
static int smp_f5(struct crypto_hash *tfm_cmac, const u8 w[32],
		  const u8 n1[16], const u8 n2[16], const u8 a1[7],
		  const u8 a2[7], u8 mackey[16], u8 ltk[16])
241 242 243 244 245 246 247 248 249 250 251 252 253 254
{
	/* The btle, salt and length "magic" values are as defined in
	 * the SMP section of the Bluetooth core specification. In ASCII
	 * the btle value ends up being 'btle'. The salt is just a
	 * random number whereas length is the value 256 in little
	 * endian format.
	 */
	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
			      0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
	const u8 length[2] = { 0x00, 0x01 };
	u8 m[53], t[16];
	int err;

255 256 257
	SMP_DBG("w %32phN", w);
	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
	SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
258 259 260 261 262

	err = aes_cmac(tfm_cmac, salt, w, 32, t);
	if (err)
		return err;

263
	SMP_DBG("t %16phN", t);
264 265 266 267 268 269 270 271 272 273 274 275 276 277

	memcpy(m, length, 2);
	memcpy(m + 2, a2, 7);
	memcpy(m + 9, a1, 7);
	memcpy(m + 16, n2, 16);
	memcpy(m + 32, n1, 16);
	memcpy(m + 48, btle, 4);

	m[52] = 0; /* Counter */

	err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
	if (err)
		return err;

278
	SMP_DBG("mackey %16phN", mackey);
279 280 281 282 283 284 285

	m[52] = 1; /* Counter */

	err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
	if (err)
		return err;

286
	SMP_DBG("ltk %16phN", ltk);
287 288 289 290 291

	return 0;
}

static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16],
292
		  const u8 n1[16], const u8 n2[16], const u8 r[16],
293 294 295 296 297 298
		  const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
		  u8 res[16])
{
	u8 m[65];
	int err;

299 300 301
	SMP_DBG("w %16phN", w);
	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
	SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
302 303 304 305 306 307 308 309 310 311 312 313

	memcpy(m, a2, 7);
	memcpy(m + 7, a1, 7);
	memcpy(m + 14, io_cap, 3);
	memcpy(m + 17, r, 16);
	memcpy(m + 33, n2, 16);
	memcpy(m + 49, n1, 16);

	err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
	if (err)
		return err;

314
	SMP_DBG("res %16phN", res);
315 316 317 318

	return err;
}

319 320 321 322 323 324
static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
		  const u8 x[16], const u8 y[16], u32 *val)
{
	u8 m[80], tmp[16];
	int err;

325 326 327
	SMP_DBG("u %32phN", u);
	SMP_DBG("v %32phN", v);
	SMP_DBG("x %16phN y %16phN", x, y);
328 329 330 331 332 333 334 335 336 337 338 339

	memcpy(m, y, 16);
	memcpy(m + 16, v, 32);
	memcpy(m + 48, u, 32);

	err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
	if (err)
		return err;

	*val = get_unaligned_le32(tmp);
	*val %= 1000000;

340
	SMP_DBG("val %06u", *val);
341 342 343 344

	return 0;
}

345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364
static int smp_h6(struct crypto_hash *tfm_cmac, const u8 w[16],
		  const u8 key_id[4], u8 res[16])
{
	int err;

	SMP_DBG("w %16phN key_id %4phN", w, key_id);

	err = aes_cmac(tfm_cmac, w, key_id, 4, res);
	if (err)
		return err;

	SMP_DBG("res %16phN", res);

	return err;
}

/* The following functions map to the legacy SMP crypto functions e, c1,
 * s1 and ah.
 */

365 366 367 368
static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
{
	struct blkcipher_desc desc;
	struct scatterlist sg;
369
	uint8_t tmp[16], data[16];
370
	int err;
371

372
	if (!tfm) {
373 374 375 376 377 378 379
		BT_ERR("tfm %p", tfm);
		return -EINVAL;
	}

	desc.tfm = tfm;
	desc.flags = 0;

380
	/* The most significant octet of key corresponds to k[0] */
381
	swap_buf(k, tmp, 16);
382 383

	err = crypto_blkcipher_setkey(tfm, tmp, 16);
384 385 386 387 388
	if (err) {
		BT_ERR("cipher setkey failed: %d", err);
		return err;
	}

389
	/* Most significant octet of plaintextData corresponds to data[0] */
390
	swap_buf(r, data, 16);
391 392

	sg_init_one(&sg, data, 16);
393 394 395 396 397

	err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
	if (err)
		BT_ERR("Encrypt data error %d", err);

398
	/* Most significant octet of encryptedData corresponds to data[0] */
399
	swap_buf(data, r, 16);
400

401 402 403
	return err;
}

404 405 406
static int smp_c1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
		  const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
		  const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
407
{
408
	u8 p1[16], p2[16];
409 410
	int err;

411
	memset(p1, 0, 16);
412

413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430
	/* p1 = pres || preq || _rat || _iat */
	p1[0] = _iat;
	p1[1] = _rat;
	memcpy(p1 + 2, preq, 7);
	memcpy(p1 + 9, pres, 7);

	/* p2 = padding || ia || ra */
	memcpy(p2, ra, 6);
	memcpy(p2 + 6, ia, 6);
	memset(p2 + 12, 0, 4);

	/* res = r XOR p1 */
	u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);

	/* res = e(k, res) */
	err = smp_e(tfm_aes, k, res);
	if (err) {
		BT_ERR("Encrypt data error");
431
		return err;
432
	}
433

434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456
	/* res = res XOR p2 */
	u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);

	/* res = e(k, res) */
	err = smp_e(tfm_aes, k, res);
	if (err)
		BT_ERR("Encrypt data error");

	return err;
}

static int smp_s1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
		  const u8 r1[16], const u8 r2[16], u8 _r[16])
{
	int err;

	/* Just least significant octets from r1 and r2 are considered */
	memcpy(_r, r2, 8);
	memcpy(_r + 8, r1, 8);

	err = smp_e(tfm_aes, k, _r);
	if (err)
		BT_ERR("Encrypt data error");
457 458 459 460

	return err;
}

461 462
static int smp_ah(struct crypto_blkcipher *tfm, const u8 irk[16],
		  const u8 r[3], u8 res[3])
463
{
464
	u8 _res[16];
465 466 467
	int err;

	/* r' = padding || r */
468 469
	memcpy(_res, r, 3);
	memset(_res + 3, 0, 13);
470

471
	err = smp_e(tfm, irk, _res);
472 473 474 475 476 477 478 479 480 481 482
	if (err) {
		BT_ERR("Encrypt error");
		return err;
	}

	/* The output of the random address function ah is:
	 *	ah(h, r) = e(k, r') mod 2^24
	 * The output of the security function e is then truncated to 24 bits
	 * by taking the least significant 24 bits of the output of e as the
	 * result of ah.
	 */
483
	memcpy(res, _res, 3);
484 485 486 487

	return 0;
}

488 489
bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
		     const bdaddr_t *bdaddr)
490
{
491
	struct l2cap_chan *chan = hdev->smp_data;
492
	struct smp_dev *smp;
493 494 495
	u8 hash[3];
	int err;

496 497 498
	if (!chan || !chan->data)
		return false;

499
	smp = chan->data;
500

501 502
	BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);

503
	err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash);
504 505 506 507 508 509
	if (err)
		return false;

	return !memcmp(bdaddr->b, hash, 3);
}

510
int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
511
{
512
	struct l2cap_chan *chan = hdev->smp_data;
513
	struct smp_dev *smp;
514 515
	int err;

516 517 518
	if (!chan || !chan->data)
		return -EOPNOTSUPP;

519
	smp = chan->data;
520

521 522 523 524 525
	get_random_bytes(&rpa->b[3], 3);

	rpa->b[5] &= 0x3f;	/* Clear two most significant bits */
	rpa->b[5] |= 0x40;	/* Set second most significant bit */

526
	err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b);
527 528 529 530 531 532 533 534
	if (err < 0)
		return err;

	BT_DBG("RPA %pMR", rpa);

	return 0;
}

535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581
int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
{
	struct l2cap_chan *chan = hdev->smp_data;
	struct smp_dev *smp;
	int err;

	if (!chan || !chan->data)
		return -EOPNOTSUPP;

	smp = chan->data;

	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
		BT_DBG("Using debug keys");
		memcpy(smp->local_pk, debug_pk, 64);
		memcpy(smp->local_sk, debug_sk, 32);
		smp->debug_key = true;
	} else {
		while (true) {
			/* Generate local key pair for Secure Connections */
			if (!ecc_make_key(smp->local_pk, smp->local_sk))
				return -EIO;

			/* This is unlikely, but we need to check that
			 * we didn't accidentially generate a debug key.
			 */
			if (memcmp(smp->local_sk, debug_sk, 32))
				break;
		}
		smp->debug_key = false;
	}

	SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
	SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
	SMP_DBG("OOB Private Key:  %32phN", smp->local_sk);

	get_random_bytes(smp->local_rr, 16);

	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
		     smp->local_rr, 0, hash);
	if (err < 0)
		return err;

	memcpy(rand, smp->local_rr, 16);

	return 0;
}

582
static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
583
{
584
	struct l2cap_chan *chan = conn->smp;
585
	struct smp_chan *smp;
586 587
	struct kvec iv[2];
	struct msghdr msg;
588

589 590
	if (!chan)
		return;
591

592
	BT_DBG("code 0x%2.2x", code);
593

594 595
	iv[0].iov_base = &code;
	iv[0].iov_len = 1;
596

597 598
	iv[1].iov_base = data;
	iv[1].iov_len = len;
599

600
	memset(&msg, 0, sizeof(msg));
601

602
	iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
603

604
	l2cap_chan_send(chan, &msg, 1 + len);
605

606 607 608 609 610 611
	if (!chan->data)
		return;

	smp = chan->data;

	cancel_delayed_work_sync(&smp->security_timer);
612
	schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
613 614
}

615
static u8 authreq_to_seclevel(u8 authreq)
616
{
617 618 619 620 621 622
	if (authreq & SMP_AUTH_MITM) {
		if (authreq & SMP_AUTH_SC)
			return BT_SECURITY_FIPS;
		else
			return BT_SECURITY_HIGH;
	} else {
623
		return BT_SECURITY_MEDIUM;
624
	}
625 626 627 628 629
}

static __u8 seclevel_to_authreq(__u8 sec_level)
{
	switch (sec_level) {
630
	case BT_SECURITY_FIPS:
631 632 633 634 635 636 637 638 639
	case BT_SECURITY_HIGH:
		return SMP_AUTH_MITM | SMP_AUTH_BONDING;
	case BT_SECURITY_MEDIUM:
		return SMP_AUTH_BONDING;
	default:
		return SMP_AUTH_NONE;
	}
}

640
static void build_pairing_cmd(struct l2cap_conn *conn,
641 642
			      struct smp_cmd_pairing *req,
			      struct smp_cmd_pairing *rsp, __u8 authreq)
643
{
644 645
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp = chan->data;
646 647
	struct hci_conn *hcon = conn->hcon;
	struct hci_dev *hdev = hcon->hdev;
648
	u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
649

650
	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
651 652
		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
653
		authreq |= SMP_AUTH_BONDING;
654 655
	} else {
		authreq &= ~SMP_AUTH_BONDING;
656 657
	}

658
	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
659 660
		remote_dist |= SMP_DIST_ID_KEY;

661
	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
662 663
		local_dist |= SMP_DIST_ID_KEY;

664
	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
665 666 667 668
	    (authreq & SMP_AUTH_SC)) {
		struct oob_data *oob_data;
		u8 bdaddr_type;

669
		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
670 671 672
			local_dist |= SMP_DIST_LINK_KEY;
			remote_dist |= SMP_DIST_LINK_KEY;
		}
673 674 675 676 677 678 679 680

		if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
			bdaddr_type = BDADDR_LE_PUBLIC;
		else
			bdaddr_type = BDADDR_LE_RANDOM;

		oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
						    bdaddr_type);
681
		if (oob_data && oob_data->present) {
682 683
			set_bit(SMP_FLAG_OOB, &smp->flags);
			oob_flag = SMP_OOB_PRESENT;
684
			memcpy(smp->rr, oob_data->rand256, 16);
685 686 687
			memcpy(smp->pcnf, oob_data->hash256, 16);
		}

688 689 690 691
	} else {
		authreq &= ~SMP_AUTH_SC;
	}

692 693
	if (rsp == NULL) {
		req->io_capability = conn->hcon->io_capability;
694
		req->oob_flag = oob_flag;
695
		req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
696 697
		req->init_key_dist = local_dist;
		req->resp_key_dist = remote_dist;
698
		req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
699 700

		smp->remote_key_dist = remote_dist;
701 702 703 704
		return;
	}

	rsp->io_capability = conn->hcon->io_capability;
705
	rsp->oob_flag = oob_flag;
706
	rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
707 708
	rsp->init_key_dist = req->init_key_dist & remote_dist;
	rsp->resp_key_dist = req->resp_key_dist & local_dist;
709
	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
710 711

	smp->remote_key_dist = rsp->init_key_dist;
712 713
}

714 715
static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
{
716 717
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp = chan->data;
718

719
	if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
720
	    (max_key_size < SMP_MIN_ENC_KEY_SIZE))
721 722
		return SMP_ENC_KEY_SIZE;

723
	smp->enc_key_size = max_key_size;
724 725 726 727

	return 0;
}

728 729 730 731
static void smp_chan_destroy(struct l2cap_conn *conn)
{
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp = chan->data;
732
	struct hci_conn *hcon = conn->hcon;
733 734 735 736 737 738 739
	bool complete;

	BUG_ON(!smp);

	cancel_delayed_work_sync(&smp->security_timer);

	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
740
	mgmt_smp_complete(hcon, complete);
741

742 743 744
	kzfree(smp->csrk);
	kzfree(smp->slave_csrk);
	kzfree(smp->link_key);
745 746

	crypto_free_blkcipher(smp->tfm_aes);
747
	crypto_free_hash(smp->tfm_cmac);
748

749 750 751 752
	/* Ensure that we don't leave any debug key around if debug key
	 * support hasn't been explicitly enabled.
	 */
	if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
753
	    !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
754 755 756 757 758
		list_del_rcu(&smp->ltk->list);
		kfree_rcu(smp->ltk, rcu);
		smp->ltk = NULL;
	}

759 760 761
	/* If pairing failed clean up any keys we might have */
	if (!complete) {
		if (smp->ltk) {
762 763
			list_del_rcu(&smp->ltk->list);
			kfree_rcu(smp->ltk, rcu);
764 765 766
		}

		if (smp->slave_ltk) {
767 768
			list_del_rcu(&smp->slave_ltk->list);
			kfree_rcu(smp->slave_ltk, rcu);
769 770 771
		}

		if (smp->remote_irk) {
772 773
			list_del_rcu(&smp->remote_irk->list);
			kfree_rcu(smp->remote_irk, rcu);
774 775 776 777
		}
	}

	chan->data = NULL;
778
	kzfree(smp);
779
	hci_conn_drop(hcon);
780 781
}

782
static void smp_failure(struct l2cap_conn *conn, u8 reason)
783
{
784
	struct hci_conn *hcon = conn->hcon;
785
	struct l2cap_chan *chan = conn->smp;
786

787
	if (reason)
788
		smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
789
			     &reason);
790

791
	clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags);
792
	mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
793

794
	if (chan->data)
795
		smp_chan_destroy(conn);
796 797
}

798 799 800 801 802
#define JUST_WORKS	0x00
#define JUST_CFM	0x01
#define REQ_PASSKEY	0x02
#define CFM_PASSKEY	0x03
#define REQ_OOB		0x04
803
#define DSP_PASSKEY	0x05
804 805 806 807 808 809 810 811 812 813
#define OVERLAP		0xFF

static const u8 gen_method[5][5] = {
	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
};

814 815 816 817 818 819 820 821
static const u8 sc_method[5][5] = {
	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
	{ JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
	{ DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
	{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
};

822 823
static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
{
824 825 826
	/* If either side has unknown io_caps, use JUST_CFM (which gets
	 * converted later to JUST_WORKS if we're initiators.
	 */
827 828
	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
	    remote_io > SMP_IO_KEYBOARD_DISPLAY)
829
		return JUST_CFM;
830

831 832 833
	if (test_bit(SMP_FLAG_SC, &smp->flags))
		return sc_method[remote_io][local_io];

834 835 836
	return gen_method[remote_io][local_io];
}

837 838 839 840
static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
						u8 local_io, u8 remote_io)
{
	struct hci_conn *hcon = conn->hcon;
841 842
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp = chan->data;
843 844 845 846 847
	u32 passkey = 0;
	int ret = 0;

	/* Initialize key for JUST WORKS */
	memset(smp->tk, 0, sizeof(smp->tk));
848
	clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
849 850 851

	BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);

852 853 854 855 856 857
	/* If neither side wants MITM, either "just" confirm an incoming
	 * request or use just-works for outgoing ones. The JUST_CFM
	 * will be converted to JUST_WORKS if necessary later in this
	 * function. If either side has MITM look up the method from the
	 * table.
	 */
858
	if (!(auth & SMP_AUTH_MITM))
859
		smp->method = JUST_CFM;
860
	else
861
		smp->method = get_auth_method(smp, local_io, remote_io);
862

863
	/* Don't confirm locally initiated pairing attempts */
864 865 866
	if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
						&smp->flags))
		smp->method = JUST_WORKS;
867

868
	/* Don't bother user space with no IO capabilities */
869 870 871
	if (smp->method == JUST_CFM &&
	    hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
		smp->method = JUST_WORKS;
872

873
	/* If Just Works, Continue with Zero TK */
874
	if (smp->method == JUST_WORKS) {
875
		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
876 877 878 879
		return 0;
	}

	/* Not Just Works/Confirm results in MITM Authentication */
880
	if (smp->method != JUST_CFM) {
881
		set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
882 883 884
		if (hcon->pending_sec_level < BT_SECURITY_HIGH)
			hcon->pending_sec_level = BT_SECURITY_HIGH;
	}
885 886 887 888

	/* If both devices have Keyoard-Display I/O, the master
	 * Confirms and the slave Enters the passkey.
	 */
889
	if (smp->method == OVERLAP) {
890
		if (hcon->role == HCI_ROLE_MASTER)
891
			smp->method = CFM_PASSKEY;
892
		else
893
			smp->method = REQ_PASSKEY;
894 895
	}

896
	/* Generate random passkey. */
897
	if (smp->method == CFM_PASSKEY) {
898
		memset(smp->tk, 0, sizeof(smp->tk));
899 900
		get_random_bytes(&passkey, sizeof(passkey));
		passkey %= 1000000;
901
		put_unaligned_le32(passkey, smp->tk);
902
		BT_DBG("PassKey: %d", passkey);
903
		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
904 905
	}

906
	if (smp->method == REQ_PASSKEY)
907
		ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
908
						hcon->type, hcon->dst_type);
909
	else if (smp->method == JUST_CFM)
910 911 912
		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
						hcon->type, hcon->dst_type,
						passkey, 1);
913
	else
914
		ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
915
						hcon->type, hcon->dst_type,
916
						passkey, 0);
917 918 919 920

	return ret;
}

921
static u8 smp_confirm(struct smp_chan *smp)
922 923 924 925 926 927 928
{
	struct l2cap_conn *conn = smp->conn;
	struct smp_cmd_pairing_confirm cp;
	int ret;

	BT_DBG("conn %p", conn);

929
	ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
930
		     conn->hcon->init_addr_type, &conn->hcon->init_addr,
931 932
		     conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
		     cp.confirm_val);
933 934
	if (ret)
		return SMP_UNSPECIFIED;
935

936
	clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
937

938 939
	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);

940 941 942 943 944
	if (conn->hcon->out)
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
	else
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);

945
	return 0;
946 947
}

948
static u8 smp_random(struct smp_chan *smp)
949 950 951
{
	struct l2cap_conn *conn = smp->conn;
	struct hci_conn *hcon = conn->hcon;
952
	u8 confirm[16];
953 954
	int ret;

955
	if (IS_ERR_OR_NULL(smp->tfm_aes))
956
		return SMP_UNSPECIFIED;
957 958 959

	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");

960
	ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
961
		     hcon->init_addr_type, &hcon->init_addr,
962
		     hcon->resp_addr_type, &hcon->resp_addr, confirm);
963 964
	if (ret)
		return SMP_UNSPECIFIED;
965 966 967

	if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
		BT_ERR("Pairing failed (confirmation values mismatch)");
968
		return SMP_CONFIRM_FAILED;
969 970 971
	}

	if (hcon->out) {
972 973 974
		u8 stk[16];
		__le64 rand = 0;
		__le16 ediv = 0;
975

976
		smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
977

978
		memset(stk + smp->enc_key_size, 0,
979
		       SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
980

981 982
		if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
			return SMP_UNSPECIFIED;
983 984

		hci_le_start_enc(hcon, ediv, rand, stk);
985
		hcon->enc_key_size = smp->enc_key_size;
986
		set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
987
	} else {
988
		u8 stk[16], auth;
989 990
		__le64 rand = 0;
		__le16 ediv = 0;
991

992 993
		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
			     smp->prnd);
994

995
		smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
996

997
		memset(stk + smp->enc_key_size, 0,
998
		       SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
999

1000 1001 1002 1003 1004
		if (hcon->pending_sec_level == BT_SECURITY_HIGH)
			auth = 1;
		else
			auth = 0;

1005 1006 1007 1008
		/* Even though there's no _SLAVE suffix this is the
		 * slave STK we're adding for later lookup (the master
		 * STK never needs to be stored).
		 */
1009
		hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1010
			    SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1011 1012
	}

1013
	return 0;
1014 1015
}

1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029
static void smp_notify_keys(struct l2cap_conn *conn)
{
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp = chan->data;
	struct hci_conn *hcon = conn->hcon;
	struct hci_dev *hdev = hcon->hdev;
	struct smp_cmd_pairing *req = (void *) &smp->preq[1];
	struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
	bool persistent;

	if (smp->remote_irk) {
		mgmt_new_irk(hdev, smp->remote_irk);
		/* Now that user space can be considered to know the
		 * identity address track the connection based on it
1030
		 * from now on (assuming this is an LE link).
1031
		 */
1032 1033 1034 1035 1036
		if (hcon->type == LE_LINK) {
			bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
			hcon->dst_type = smp->remote_irk->addr_type;
			queue_work(hdev->workqueue, &conn->id_addr_update_work);
		}
1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048

		/* When receiving an indentity resolving key for
		 * a remote device that does not use a resolvable
		 * private address, just remove the key so that
		 * it is possible to use the controller white
		 * list for scanning.
		 *
		 * Userspace will have been told to not store
		 * this key at this point. So it is safe to
		 * just remove it.
		 */
		if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) {
1049 1050
			list_del_rcu(&smp->remote_irk->list);
			kfree_rcu(smp->remote_irk, rcu);
1051 1052 1053 1054
			smp->remote_irk = NULL;
		}
	}

1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068
	if (hcon->type == ACL_LINK) {
		if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
			persistent = false;
		else
			persistent = !test_bit(HCI_CONN_FLUSH_KEY,
					       &hcon->flags);
	} else {
		/* The LTKs and CSRKs should be persistent only if both sides
		 * had the bonding bit set in their authentication requests.
		 */
		persistent = !!((req->auth_req & rsp->auth_req) &
				SMP_AUTH_BONDING);
	}

1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092

	if (smp->csrk) {
		smp->csrk->bdaddr_type = hcon->dst_type;
		bacpy(&smp->csrk->bdaddr, &hcon->dst);
		mgmt_new_csrk(hdev, smp->csrk, persistent);
	}

	if (smp->slave_csrk) {
		smp->slave_csrk->bdaddr_type = hcon->dst_type;
		bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
		mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
	}

	if (smp->ltk) {
		smp->ltk->bdaddr_type = hcon->dst_type;
		bacpy(&smp->ltk->bdaddr, &hcon->dst);
		mgmt_new_ltk(hdev, smp->ltk, persistent);
	}

	if (smp->slave_ltk) {
		smp->slave_ltk->bdaddr_type = hcon->dst_type;
		bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
		mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
	}
1093 1094

	if (smp->link_key) {
1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112
		struct link_key *key;
		u8 type;

		if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
			type = HCI_LK_DEBUG_COMBINATION;
		else if (hcon->sec_level == BT_SECURITY_FIPS)
			type = HCI_LK_AUTH_COMBINATION_P256;
		else
			type = HCI_LK_UNAUTH_COMBINATION_P256;

		key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
				       smp->link_key, type, 0, &persistent);
		if (key) {
			mgmt_new_link_key(hdev, key, persistent);

			/* Don't keep debug keys around if the relevant
			 * flag is not set.
			 */
1113
			if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1114 1115 1116 1117 1118
			    key->type == HCI_LK_DEBUG_COMBINATION) {
				list_del_rcu(&key->list);
				kfree_rcu(key, rcu);
			}
		}
1119 1120 1121
	}
}

1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144
static void sc_add_ltk(struct smp_chan *smp)
{
	struct hci_conn *hcon = smp->conn->hcon;
	u8 key_type, auth;

	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
		key_type = SMP_LTK_P256_DEBUG;
	else
		key_type = SMP_LTK_P256;

	if (hcon->pending_sec_level == BT_SECURITY_FIPS)
		auth = 1;
	else
		auth = 0;

	memset(smp->tk + smp->enc_key_size, 0,
	       SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);

	smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
			       key_type, auth, smp->tk, smp->enc_key_size,
			       0, 0);
}

1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157
static void sc_generate_link_key(struct smp_chan *smp)
{
	/* These constants are as specified in the core specification.
	 * In ASCII they spell out to 'tmp1' and 'lebr'.
	 */
	const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
	const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };

	smp->link_key = kzalloc(16, GFP_KERNEL);
	if (!smp->link_key)
		return;

	if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1158
		kzfree(smp->link_key);
1159 1160 1161 1162 1163
		smp->link_key = NULL;
		return;
	}

	if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1164
		kzfree(smp->link_key);
1165 1166 1167
		smp->link_key = NULL;
		return;
	}
1168 1169
}

1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 1181 1182 1183
static void smp_allow_key_dist(struct smp_chan *smp)
{
	/* Allow the first expected phase 3 PDU. The rest of the PDUs
	 * will be allowed in each PDU handler to ensure we receive
	 * them in the correct order.
	 */
	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
		SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
	else if (smp->remote_key_dist & SMP_DIST_SIGN)
		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
}

1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211 1212
static void sc_generate_ltk(struct smp_chan *smp)
{
	/* These constants are as specified in the core specification.
	 * In ASCII they spell out to 'tmp2' and 'brle'.
	 */
	const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
	const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
	struct hci_conn *hcon = smp->conn->hcon;
	struct hci_dev *hdev = hcon->hdev;
	struct link_key *key;

	key = hci_find_link_key(hdev, &hcon->dst);
	if (!key) {
		BT_ERR("%s No Link Key found to generate LTK", hdev->name);
		return;
	}

	if (key->type == HCI_LK_DEBUG_COMBINATION)
		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);

	if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
		return;

	if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
		return;

	sc_add_ltk(smp);
}

1213
static void smp_distribute_keys(struct smp_chan *smp)
1214 1215
{
	struct smp_cmd_pairing *req, *rsp;
1216
	struct l2cap_conn *conn = smp->conn;
1217 1218 1219 1220 1221 1222 1223 1224 1225
	struct hci_conn *hcon = conn->hcon;
	struct hci_dev *hdev = hcon->hdev;
	__u8 *keydist;

	BT_DBG("conn %p", conn);

	rsp = (void *) &smp->prsp[1];

	/* The responder sends its keys first */
1226 1227
	if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
		smp_allow_key_dist(smp);
1228
		return;
1229
	}