commit 882fafad71a4bac8e8a2445dfb08c38a71b4eef1
author Johan Hedberg <johan.hedberg@intel.com> Mon Mar 16 11:45:43 2015 +0200
committer Marcel Holtmann <marcel@holtmann.org> Mon Mar 16 17:16:45 2015 +0100
tree c077fd85428f65fc858f124eb5d576670dc99b92
parent 8e4e2ee5d80875177e03d57b807e0784f3d91e0e

Bluetooth: Fix local OOB data handling for SMP

We need to store the local ra/rb value in order to verify the Check
value received from the remote. This patch adds a new 'lr' for the local
ra/rb value and makes sure it gets used when verifying the DHKey Check
PDU received from the remote.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

net/bluetooth/smp.c

diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index f0c5c28..1cc15de 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -95,7 +95,8 @@
 	u8		rrnd[16]; /* SMP Pairing Random (remote) */
 	u8		pcnf[16]; /* SMP Pairing Confirm */
 	u8		tk[16]; /* SMP Temporary Key */
-	u8		rr[16];
+	u8		rr[16]; /* Remote OOB ra/rb value */
+	u8		lr[16]; /* Local OOB ra/rb value */
 	u8		enc_key_size;
 	u8		remote_key_dist;
 	bdaddr_t	id_addr;
@@ -1830,7 +1831,7 @@
 
 		memcpy(smp->local_pk, smp_dev->local_pk, 64);
 		memcpy(smp->local_sk, smp_dev->local_sk, 32);
-		memcpy(smp->rr, smp_dev->local_rr, 16);
+		memcpy(smp->lr, smp_dev->local_rr, 16);
 
 		if (smp_dev->debug_key)
 			set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
@@ -2634,6 +2635,8 @@
 
 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
 		put_unaligned_le32(hcon->passkey_notify, r);
+	else if (smp->method == REQ_OOB)
+		memcpy(r, smp->lr, 16);
 
 	err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
 		     io_cap, remote_addr, local_addr, e);