1 /****************************************************************************** 2 * 3 * Copyright (C) 1999-2012 Broadcom Corporation 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License"); 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at: 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 * 17 ******************************************************************************/ 18 19 /****************************************************************************** 20 * 21 * This file contains functions for the SMP L2CAP utility functions 22 * 23 ******************************************************************************/ 24 #include "bt_target.h" 25 26 #if SMP_INCLUDED == TRUE 27 28 #include "bt_types.h" 29 #include "bt_utils.h" 30 #include <string.h> 31 #include <ctype.h> 32 #include "hcidefs.h" 33 #include "btm_ble_api.h" 34 #include "l2c_api.h" 35 #include "l2c_int.h" 36 #include "smp_int.h" 37 #include "device/include/controller.h" 38 #include "btm_int.h" 39 40 41 extern fixed_queue_t *btu_general_alarm_queue; 42 43 #define SMP_PAIRING_REQ_SIZE 7 44 #define SMP_CONFIRM_CMD_SIZE (BT_OCTET16_LEN + 1) 45 #define SMP_RAND_CMD_SIZE (BT_OCTET16_LEN + 1) 46 #define SMP_INIT_CMD_SIZE (BT_OCTET16_LEN + 1) 47 #define SMP_ENC_INFO_SIZE (BT_OCTET16_LEN + 1) 48 #define SMP_MASTER_ID_SIZE (BT_OCTET8_LEN + 2 + 1) 49 #define SMP_ID_INFO_SIZE (BT_OCTET16_LEN + 1) 50 #define SMP_ID_ADDR_SIZE (BD_ADDR_LEN + 1 + 1) 51 #define SMP_SIGN_INFO_SIZE (BT_OCTET16_LEN + 1) 52 #define SMP_PAIR_FAIL_SIZE 2 53 #define SMP_SECURITY_REQUEST_SIZE 2 54 #define SMP_PAIR_PUBL_KEY_SIZE (1 /* opcode */ + (2*BT_OCTET32_LEN)) 55 #define SMP_PAIR_COMMITM_SIZE (1 /* opcode */ + BT_OCTET16_LEN /*Commitment*/) 56 #define SMP_PAIR_DHKEY_CHECK_SIZE (1 /* opcode */ + BT_OCTET16_LEN /*DHKey Check*/) 57 #define SMP_PAIR_KEYPR_NOTIF_SIZE (1 /* opcode */ + 1 /*Notif Type*/) 58 59 /* SMP command sizes per spec */ 60 static const UINT8 smp_cmd_size_per_spec[] = 61 { 62 0, 63 SMP_PAIRING_REQ_SIZE, /* 0x01: pairing request */ 64 SMP_PAIRING_REQ_SIZE, /* 0x02: pairing response */ 65 SMP_CONFIRM_CMD_SIZE, /* 0x03: pairing confirm */ 66 SMP_RAND_CMD_SIZE, /* 0x04: pairing random */ 67 SMP_PAIR_FAIL_SIZE, /* 0x05: pairing failed */ 68 SMP_ENC_INFO_SIZE, /* 0x06: encryption information */ 69 SMP_MASTER_ID_SIZE, /* 0x07: master identification */ 70 SMP_ID_INFO_SIZE, /* 0x08: identity information */ 71 SMP_ID_ADDR_SIZE, /* 0x09: identity address information */ 72 SMP_SIGN_INFO_SIZE, /* 0x0A: signing information */ 73 SMP_SECURITY_REQUEST_SIZE, /* 0x0B: security request */ 74 SMP_PAIR_PUBL_KEY_SIZE, /* 0x0C: pairing public key */ 75 SMP_PAIR_DHKEY_CHECK_SIZE, /* 0x0D: pairing dhkey check */ 76 SMP_PAIR_KEYPR_NOTIF_SIZE, /* 0x0E: pairing keypress notification */ 77 SMP_PAIR_COMMITM_SIZE /* 0x0F: pairing commitment */ 78 }; 79 80 static BOOLEAN smp_parameter_unconditionally_valid(tSMP_CB *p_cb); 81 static BOOLEAN smp_parameter_unconditionally_invalid(tSMP_CB *p_cb); 82 83 /* type for SMP command length validation functions */ 84 typedef BOOLEAN (*tSMP_CMD_LEN_VALID)(tSMP_CB *p_cb); 85 86 static BOOLEAN smp_command_has_valid_fixed_length(tSMP_CB *p_cb); 87 88 static const tSMP_CMD_LEN_VALID smp_cmd_len_is_valid[] = 89 { 90 smp_parameter_unconditionally_invalid, 91 smp_command_has_valid_fixed_length, /* 0x01: pairing request */ 92 smp_command_has_valid_fixed_length, /* 0x02: pairing response */ 93 smp_command_has_valid_fixed_length, /* 0x03: pairing confirm */ 94 smp_command_has_valid_fixed_length, /* 0x04: pairing random */ 95 smp_command_has_valid_fixed_length, /* 0x05: pairing failed */ 96 smp_command_has_valid_fixed_length, /* 0x06: encryption information */ 97 smp_command_has_valid_fixed_length, /* 0x07: master identification */ 98 smp_command_has_valid_fixed_length, /* 0x08: identity information */ 99 smp_command_has_valid_fixed_length, /* 0x09: identity address information */ 100 smp_command_has_valid_fixed_length, /* 0x0A: signing information */ 101 smp_command_has_valid_fixed_length, /* 0x0B: security request */ 102 smp_command_has_valid_fixed_length, /* 0x0C: pairing public key */ 103 smp_command_has_valid_fixed_length, /* 0x0D: pairing dhkey check */ 104 smp_command_has_valid_fixed_length, /* 0x0E: pairing keypress notification */ 105 smp_command_has_valid_fixed_length /* 0x0F: pairing commitment */ 106 }; 107 108 /* type for SMP command parameter ranges validation functions */ 109 typedef BOOLEAN (*tSMP_CMD_PARAM_RANGES_VALID)(tSMP_CB *p_cb); 110 111 static BOOLEAN smp_pairing_request_response_parameters_are_valid(tSMP_CB *p_cb); 112 static BOOLEAN smp_pairing_keypress_notification_is_valid(tSMP_CB *p_cb); 113 114 static const tSMP_CMD_PARAM_RANGES_VALID smp_cmd_param_ranges_are_valid[] = 115 { 116 smp_parameter_unconditionally_invalid, 117 smp_pairing_request_response_parameters_are_valid, /* 0x01: pairing request */ 118 smp_pairing_request_response_parameters_are_valid, /* 0x02: pairing response */ 119 smp_parameter_unconditionally_valid, /* 0x03: pairing confirm */ 120 smp_parameter_unconditionally_valid, /* 0x04: pairing random */ 121 smp_parameter_unconditionally_valid, /* 0x05: pairing failed */ 122 smp_parameter_unconditionally_valid, /* 0x06: encryption information */ 123 smp_parameter_unconditionally_valid, /* 0x07: master identification */ 124 smp_parameter_unconditionally_valid, /* 0x08: identity information */ 125 smp_parameter_unconditionally_valid, /* 0x09: identity address information */ 126 smp_parameter_unconditionally_valid, /* 0x0A: signing information */ 127 smp_parameter_unconditionally_valid, /* 0x0B: security request */ 128 smp_parameter_unconditionally_valid, /* 0x0C: pairing public key */ 129 smp_parameter_unconditionally_valid, /* 0x0D: pairing dhkey check */ 130 smp_pairing_keypress_notification_is_valid, /* 0x0E: pairing keypress notification */ 131 smp_parameter_unconditionally_valid /* 0x0F: pairing commitment */ 132 }; 133 134 /* type for action functions */ 135 typedef BT_HDR * (*tSMP_CMD_ACT)(UINT8 cmd_code, tSMP_CB *p_cb); 136 137 static BT_HDR *smp_build_pairing_cmd(UINT8 cmd_code, tSMP_CB *p_cb); 138 static BT_HDR *smp_build_confirm_cmd(UINT8 cmd_code, tSMP_CB *p_cb); 139 static BT_HDR *smp_build_rand_cmd(UINT8 cmd_code, tSMP_CB *p_cb); 140 static BT_HDR *smp_build_pairing_fail(UINT8 cmd_code, tSMP_CB *p_cb); 141 static BT_HDR *smp_build_identity_info_cmd(UINT8 cmd_code, tSMP_CB *p_cb); 142 static BT_HDR *smp_build_encrypt_info_cmd(UINT8 cmd_code, tSMP_CB *p_cb); 143 static BT_HDR *smp_build_security_request(UINT8 cmd_code, tSMP_CB *p_cb); 144 static BT_HDR *smp_build_signing_info_cmd(UINT8 cmd_code, tSMP_CB *p_cb); 145 static BT_HDR *smp_build_master_id_cmd(UINT8 cmd_code, tSMP_CB *p_cb); 146 static BT_HDR *smp_build_id_addr_cmd(UINT8 cmd_code, tSMP_CB *p_cb); 147 static BT_HDR *smp_build_pair_public_key_cmd(UINT8 cmd_code, tSMP_CB *p_cb); 148 static BT_HDR *smp_build_pairing_commitment_cmd(UINT8 cmd_code, tSMP_CB *p_cb); 149 static BT_HDR *smp_build_pair_dhkey_check_cmd(UINT8 cmd_code, tSMP_CB *p_cb); 150 static BT_HDR *smp_build_pairing_keypress_notification_cmd(UINT8 cmd_code, tSMP_CB *p_cb); 151 152 static const tSMP_CMD_ACT smp_cmd_build_act[] = 153 { 154 NULL, 155 smp_build_pairing_cmd, /* 0x01: pairing request */ 156 smp_build_pairing_cmd, /* 0x02: pairing response */ 157 smp_build_confirm_cmd, /* 0x03: pairing confirm */ 158 smp_build_rand_cmd, /* 0x04: pairing random */ 159 smp_build_pairing_fail, /* 0x05: pairing failure */ 160 smp_build_encrypt_info_cmd, /* 0x06: encryption information */ 161 smp_build_master_id_cmd, /* 0x07: master identification */ 162 smp_build_identity_info_cmd, /* 0x08: identity information */ 163 smp_build_id_addr_cmd, /* 0x09: identity address information */ 164 smp_build_signing_info_cmd, /* 0x0A: signing information */ 165 smp_build_security_request, /* 0x0B: security request */ 166 smp_build_pair_public_key_cmd, /* 0x0C: pairing public key */ 167 smp_build_pair_dhkey_check_cmd, /* 0x0D: pairing DHKey check */ 168 smp_build_pairing_keypress_notification_cmd, /* 0x0E: pairing keypress notification */ 169 smp_build_pairing_commitment_cmd /* 0x0F: pairing commitment */ 170 }; 171 172 static const UINT8 smp_association_table[2][SMP_IO_CAP_MAX][SMP_IO_CAP_MAX] = 173 { 174 /* display only */ /* Display Yes/No */ /* keyboard only */ 175 /* No Input/Output */ /* keyboard display */ 176 177 /* initiator */ 178 /* model = tbl[peer_io_caps][loc_io_caps] */ 179 /* Display Only */ 180 {{SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY, 181 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY}, 182 183 /* Display Yes/No */ 184 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY, 185 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY}, 186 187 /* Keyboard only */ 188 {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY, 189 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF}, 190 191 /* No Input No Output */ 192 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, 193 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY}, 194 195 /* keyboard display */ 196 {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY, 197 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF}}, 198 199 /* responder */ 200 /* model = tbl[loc_io_caps][peer_io_caps] */ 201 /* Display Only */ 202 {{SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF, 203 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF}, 204 205 /* Display Yes/No */ 206 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF, 207 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF}, 208 209 /* keyboard only */ 210 {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, 211 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY}, 212 213 /* No Input No Output */ 214 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, 215 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY}, 216 217 /* keyboard display */ 218 {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_KEY_NOTIF, 219 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY}} 220 }; 221 222 static const UINT8 smp_association_table_sc[2][SMP_IO_CAP_MAX][SMP_IO_CAP_MAX] = 223 { 224 /* display only */ /* Display Yes/No */ /* keyboard only */ 225 /* No InputOutput */ /* keyboard display */ 226 227 /* initiator */ 228 /* model = tbl[peer_io_caps][loc_io_caps] */ 229 230 /* Display Only */ 231 {{SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_PASSKEY_ENT, 232 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_PASSKEY_ENT}, 233 234 /* Display Yes/No */ 235 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP, SMP_MODEL_SEC_CONN_PASSKEY_ENT, 236 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP}, 237 238 /* keyboard only */ 239 {SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_PASSKEY_ENT, 240 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_PASSKEY_DISP}, 241 242 /* No Input No Output */ 243 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS, 244 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS}, 245 246 /* keyboard display */ 247 {SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_NUM_COMP, SMP_MODEL_SEC_CONN_PASSKEY_ENT, 248 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP}}, 249 250 /* responder */ 251 /* model = tbl[loc_io_caps][peer_io_caps] */ 252 253 /* Display Only */ 254 {{SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_PASSKEY_DISP, 255 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_PASSKEY_DISP}, 256 257 /* Display Yes/No */ 258 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP, SMP_MODEL_SEC_CONN_PASSKEY_DISP, 259 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP}, 260 261 /* keyboard only */ 262 {SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_PASSKEY_ENT, 263 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_PASSKEY_ENT}, 264 265 /* No Input No Output */ 266 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS, 267 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS}, 268 269 /* keyboard display */ 270 {SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_NUM_COMP, SMP_MODEL_SEC_CONN_PASSKEY_DISP, 271 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP}} 272 }; 273 274 static tSMP_ASSO_MODEL smp_select_legacy_association_model(tSMP_CB *p_cb); 275 static tSMP_ASSO_MODEL smp_select_association_model_secure_connections(tSMP_CB *p_cb); 276 277 /******************************************************************************* 278 ** 279 ** Function smp_send_msg_to_L2CAP 280 ** 281 ** Description Send message to L2CAP. 282 ** 283 *******************************************************************************/ 284 BOOLEAN smp_send_msg_to_L2CAP(BD_ADDR rem_bda, BT_HDR *p_toL2CAP) 285 { 286 UINT16 l2cap_ret; 287 UINT16 fixed_cid = L2CAP_SMP_CID; 288 289 if (smp_cb.smp_over_br) 290 { 291 fixed_cid = L2CAP_SMP_BR_CID; 292 } 293 294 SMP_TRACE_EVENT("%s", __FUNCTION__); 295 smp_cb.total_tx_unacked += 1; 296 297 if ((l2cap_ret = L2CA_SendFixedChnlData (fixed_cid, rem_bda, p_toL2CAP)) == L2CAP_DW_FAILED) 298 { 299 smp_cb.total_tx_unacked -= 1; 300 SMP_TRACE_ERROR("SMP failed to pass msg:0x%0x to L2CAP", 301 *((UINT8 *)(p_toL2CAP + 1) + p_toL2CAP->offset)); 302 return FALSE; 303 } 304 else 305 return TRUE; 306 } 307 308 /******************************************************************************* 309 ** 310 ** Function smp_send_cmd 311 ** 312 ** Description send a SMP command on L2CAP channel. 313 ** 314 *******************************************************************************/ 315 BOOLEAN smp_send_cmd(UINT8 cmd_code, tSMP_CB *p_cb) 316 { 317 BT_HDR *p_buf; 318 BOOLEAN sent = FALSE; 319 UINT8 failure = SMP_PAIR_INTERNAL_ERR; 320 SMP_TRACE_EVENT("smp_send_cmd on l2cap cmd_code=0x%x", cmd_code); 321 if ( cmd_code <= (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */) && 322 smp_cmd_build_act[cmd_code] != NULL) 323 { 324 p_buf = (*smp_cmd_build_act[cmd_code])(cmd_code, p_cb); 325 326 if (p_buf != NULL && 327 smp_send_msg_to_L2CAP(p_cb->pairing_bda, p_buf)) 328 { 329 sent = TRUE; 330 alarm_set_on_queue(p_cb->smp_rsp_timer_ent, 331 SMP_WAIT_FOR_RSP_TIMEOUT_MS, smp_rsp_timeout, 332 NULL, btu_general_alarm_queue); 333 } 334 } 335 336 if (!sent) 337 { 338 if (p_cb->smp_over_br) 339 { 340 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &failure); 341 } 342 else 343 { 344 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &failure); 345 } 346 } 347 return sent; 348 } 349 350 /******************************************************************************* 351 ** 352 ** Function smp_rsp_timeout 353 ** 354 ** Description Called when SMP wait for SMP command response timer expires 355 ** 356 ** Returns void 357 ** 358 *******************************************************************************/ 359 void smp_rsp_timeout(UNUSED_ATTR void *data) 360 { 361 tSMP_CB *p_cb = &smp_cb; 362 UINT8 failure = SMP_RSP_TIMEOUT; 363 364 SMP_TRACE_EVENT("%s state:%d br_state:%d", __FUNCTION__, p_cb->state, p_cb->br_state); 365 366 if (p_cb->smp_over_br) 367 { 368 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &failure); 369 } 370 else 371 { 372 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &failure); 373 } 374 } 375 376 /******************************************************************************* 377 ** 378 ** Function smp_delayed_auth_complete_timeout 379 ** 380 ** Description Called when no pairing failed command received within timeout 381 ** period. 382 ** 383 ** Returns void 384 ** 385 *******************************************************************************/ 386 void smp_delayed_auth_complete_timeout(UNUSED_ATTR void *data) 387 { 388 /* 389 * Waited for potential pair failure. Send SMP_AUTH_CMPL_EVT if 390 * the state is still in bond pending. 391 */ 392 if (smp_get_state() == SMP_STATE_BOND_PENDING) 393 { 394 UINT8 reason = SMP_SUCCESS; 395 SMP_TRACE_EVENT("%s sending delayed auth complete.", __func__); 396 smp_sm_event(&smp_cb, SMP_AUTH_CMPL_EVT, &reason); 397 } 398 } 399 400 /******************************************************************************* 401 ** 402 ** Function smp_build_pairing_req_cmd 403 ** 404 ** Description Build pairing request command. 405 ** 406 *******************************************************************************/ 407 BT_HDR * smp_build_pairing_cmd(UINT8 cmd_code, tSMP_CB *p_cb) 408 { 409 UINT8 *p; 410 BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) + 411 SMP_PAIRING_REQ_SIZE + L2CAP_MIN_OFFSET); 412 413 SMP_TRACE_EVENT("%s", __func__); 414 415 p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET; 416 UINT8_TO_STREAM(p, cmd_code); 417 UINT8_TO_STREAM(p, p_cb->local_io_capability); 418 UINT8_TO_STREAM(p, p_cb->loc_oob_flag); 419 UINT8_TO_STREAM(p, p_cb->loc_auth_req); 420 UINT8_TO_STREAM(p, p_cb->loc_enc_size); 421 UINT8_TO_STREAM(p, p_cb->local_i_key); 422 UINT8_TO_STREAM(p, p_cb->local_r_key); 423 424 p_buf->offset = L2CAP_MIN_OFFSET; 425 /* 1B ERR_RSP op code + 1B cmd_op_code + 2B handle + 1B status */ 426 p_buf->len = SMP_PAIRING_REQ_SIZE; 427 428 return p_buf; 429 } 430 431 /******************************************************************************* 432 ** 433 ** Function smp_build_confirm_cmd 434 ** 435 ** Description Build confirm request command. 436 ** 437 *******************************************************************************/ 438 static BT_HDR * smp_build_confirm_cmd(UINT8 cmd_code, tSMP_CB *p_cb) 439 { 440 UINT8 *p; 441 BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) + 442 SMP_CONFIRM_CMD_SIZE + L2CAP_MIN_OFFSET); 443 444 UNUSED(cmd_code); 445 SMP_TRACE_EVENT("%s", __func__); 446 447 p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET; 448 449 UINT8_TO_STREAM(p, SMP_OPCODE_CONFIRM); 450 ARRAY_TO_STREAM(p, p_cb->confirm, BT_OCTET16_LEN); 451 452 p_buf->offset = L2CAP_MIN_OFFSET; 453 p_buf->len = SMP_CONFIRM_CMD_SIZE; 454 455 return p_buf; 456 } 457 458 /******************************************************************************* 459 ** 460 ** Function smp_build_rand_cmd 461 ** 462 ** Description Build Random command. 463 ** 464 *******************************************************************************/ 465 static BT_HDR * smp_build_rand_cmd(UINT8 cmd_code, tSMP_CB *p_cb) 466 { 467 UINT8 *p; 468 BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) + 469 SMP_RAND_CMD_SIZE + L2CAP_MIN_OFFSET); 470 471 UNUSED(cmd_code); 472 SMP_TRACE_EVENT("%s", __func__); 473 474 p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET; 475 UINT8_TO_STREAM(p, SMP_OPCODE_RAND); 476 ARRAY_TO_STREAM(p, p_cb->rand, BT_OCTET16_LEN); 477 478 p_buf->offset = L2CAP_MIN_OFFSET; 479 p_buf->len = SMP_RAND_CMD_SIZE; 480 481 return p_buf; 482 } 483 484 /******************************************************************************* 485 ** 486 ** Function smp_build_encrypt_info_cmd 487 ** 488 ** Description Build security information command. 489 ** 490 *******************************************************************************/ 491 static BT_HDR * smp_build_encrypt_info_cmd(UINT8 cmd_code, tSMP_CB *p_cb) 492 { 493 UINT8 *p; 494 BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) + 495 SMP_ENC_INFO_SIZE + L2CAP_MIN_OFFSET); 496 497 UNUSED(cmd_code); 498 SMP_TRACE_EVENT("%s", __func__); 499 500 p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET; 501 UINT8_TO_STREAM(p, SMP_OPCODE_ENCRYPT_INFO); 502 ARRAY_TO_STREAM(p, p_cb->ltk, BT_OCTET16_LEN); 503 504 p_buf->offset = L2CAP_MIN_OFFSET; 505 p_buf->len = SMP_ENC_INFO_SIZE; 506 507 return p_buf; 508 } 509 510 /******************************************************************************* 511 ** 512 ** Function smp_build_master_id_cmd 513 ** 514 ** Description Build security information command. 515 ** 516 *******************************************************************************/ 517 static BT_HDR * smp_build_master_id_cmd(UINT8 cmd_code, tSMP_CB *p_cb) 518 { 519 UINT8 *p; 520 BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) + 521 SMP_MASTER_ID_SIZE + L2CAP_MIN_OFFSET); 522 523 UNUSED(cmd_code); 524 SMP_TRACE_EVENT("%s", __func__); 525 526 p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET; 527 UINT8_TO_STREAM(p, SMP_OPCODE_MASTER_ID); 528 UINT16_TO_STREAM(p, p_cb->ediv); 529 ARRAY_TO_STREAM(p, p_cb->enc_rand, BT_OCTET8_LEN); 530 531 p_buf->offset = L2CAP_MIN_OFFSET; 532 p_buf->len = SMP_MASTER_ID_SIZE; 533 534 return p_buf; 535 } 536 537 /******************************************************************************* 538 ** 539 ** Function smp_build_identity_info_cmd 540 ** 541 ** Description Build identity information command. 542 ** 543 *******************************************************************************/ 544 static BT_HDR * smp_build_identity_info_cmd(UINT8 cmd_code, tSMP_CB *p_cb) 545 { 546 UINT8 *p; 547 BT_OCTET16 irk; 548 BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) + 549 SMP_ID_INFO_SIZE + L2CAP_MIN_OFFSET); 550 551 UNUSED(cmd_code); 552 UNUSED(p_cb); 553 SMP_TRACE_EVENT("%s", __func__); 554 555 p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET; 556 557 BTM_GetDeviceIDRoot(irk); 558 559 UINT8_TO_STREAM(p, SMP_OPCODE_IDENTITY_INFO); 560 ARRAY_TO_STREAM(p, irk, BT_OCTET16_LEN); 561 562 p_buf->offset = L2CAP_MIN_OFFSET; 563 p_buf->len = SMP_ID_INFO_SIZE; 564 565 return p_buf; 566 } 567 568 /******************************************************************************* 569 ** 570 ** Function smp_build_id_addr_cmd 571 ** 572 ** Description Build identity address information command. 573 ** 574 *******************************************************************************/ 575 static BT_HDR * smp_build_id_addr_cmd(UINT8 cmd_code, tSMP_CB *p_cb) 576 { 577 UINT8 *p; 578 BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) + 579 SMP_ID_ADDR_SIZE + L2CAP_MIN_OFFSET); 580 581 UNUSED(cmd_code); 582 UNUSED(p_cb); 583 SMP_TRACE_EVENT("%s", __func__); 584 585 p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET; 586 UINT8_TO_STREAM(p, SMP_OPCODE_ID_ADDR); 587 UINT8_TO_STREAM(p, 0); 588 BDADDR_TO_STREAM(p, controller_get_interface()->get_address()->address); 589 590 p_buf->offset = L2CAP_MIN_OFFSET; 591 p_buf->len = SMP_ID_ADDR_SIZE; 592 593 return p_buf; 594 } 595 596 /******************************************************************************* 597 ** 598 ** Function smp_build_signing_info_cmd 599 ** 600 ** Description Build signing information command. 601 ** 602 *******************************************************************************/ 603 static BT_HDR * smp_build_signing_info_cmd(UINT8 cmd_code, tSMP_CB *p_cb) 604 { 605 UINT8 *p; 606 BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) + 607 SMP_SIGN_INFO_SIZE + L2CAP_MIN_OFFSET); 608 609 UNUSED(cmd_code); 610 SMP_TRACE_EVENT("%s", __func__); 611 612 p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET; 613 UINT8_TO_STREAM(p, SMP_OPCODE_SIGN_INFO); 614 ARRAY_TO_STREAM(p, p_cb->csrk, BT_OCTET16_LEN); 615 616 p_buf->offset = L2CAP_MIN_OFFSET; 617 p_buf->len = SMP_SIGN_INFO_SIZE; 618 619 return p_buf; 620 } 621 622 /******************************************************************************* 623 ** 624 ** Function smp_build_pairing_fail 625 ** 626 ** Description Build Pairing Fail command. 627 ** 628 *******************************************************************************/ 629 static BT_HDR * smp_build_pairing_fail(UINT8 cmd_code, tSMP_CB *p_cb) 630 { 631 UINT8 *p; 632 BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) + 633 SMP_PAIR_FAIL_SIZE + L2CAP_MIN_OFFSET); 634 635 UNUSED(cmd_code); 636 SMP_TRACE_EVENT("%s", __func__); 637 638 p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET; 639 UINT8_TO_STREAM(p, SMP_OPCODE_PAIRING_FAILED); 640 UINT8_TO_STREAM(p, p_cb->failure); 641 642 p_buf->offset = L2CAP_MIN_OFFSET; 643 p_buf->len = SMP_PAIR_FAIL_SIZE; 644 645 return p_buf; 646 } 647 648 /******************************************************************************* 649 ** 650 ** Function smp_build_security_request 651 ** 652 ** Description Build security request command. 653 ** 654 *******************************************************************************/ 655 static BT_HDR *smp_build_security_request(UINT8 cmd_code, tSMP_CB *p_cb) 656 { 657 UINT8 *p; 658 BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) + 659 2 + L2CAP_MIN_OFFSET); 660 661 UNUSED(cmd_code); 662 SMP_TRACE_EVENT("%s", __func__); 663 664 p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET; 665 UINT8_TO_STREAM(p, SMP_OPCODE_SEC_REQ); 666 UINT8_TO_STREAM(p, p_cb->loc_auth_req); 667 668 p_buf->offset = L2CAP_MIN_OFFSET; 669 p_buf->len = SMP_SECURITY_REQUEST_SIZE; 670 671 SMP_TRACE_EVENT("opcode=%d auth_req=0x%x",SMP_OPCODE_SEC_REQ, p_cb->loc_auth_req ); 672 673 return p_buf; 674 } 675 676 /******************************************************************************* 677 ** 678 ** Function smp_build_pair_public_key_cmd 679 ** 680 ** Description Build pairing public key command. 681 ** 682 *******************************************************************************/ 683 static BT_HDR *smp_build_pair_public_key_cmd(UINT8 cmd_code, tSMP_CB *p_cb) 684 { 685 UINT8 *p; 686 UINT8 publ_key[2*BT_OCTET32_LEN]; 687 UINT8 *p_publ_key = publ_key; 688 BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) + 689 SMP_PAIR_PUBL_KEY_SIZE + L2CAP_MIN_OFFSET); 690 691 UNUSED(cmd_code); 692 SMP_TRACE_EVENT("%s", __func__); 693 694 memcpy(p_publ_key, p_cb->loc_publ_key.x, BT_OCTET32_LEN); 695 memcpy(p_publ_key + BT_OCTET32_LEN, p_cb->loc_publ_key.y, BT_OCTET32_LEN); 696 697 p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET; 698 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_PUBLIC_KEY); 699 ARRAY_TO_STREAM(p, p_publ_key, 2*BT_OCTET32_LEN); 700 701 p_buf->offset = L2CAP_MIN_OFFSET; 702 p_buf->len = SMP_PAIR_PUBL_KEY_SIZE; 703 704 return p_buf; 705 } 706 707 /******************************************************************************* 708 ** 709 ** Function smp_build_pairing_commitment_cmd 710 ** 711 ** Description Build pairing commitment command. 712 ** 713 *******************************************************************************/ 714 static BT_HDR *smp_build_pairing_commitment_cmd(UINT8 cmd_code, tSMP_CB *p_cb) 715 { 716 UINT8 *p; 717 BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) + 718 SMP_PAIR_COMMITM_SIZE + L2CAP_MIN_OFFSET); 719 720 UNUSED(cmd_code); 721 SMP_TRACE_EVENT("%s", __func__); 722 723 p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET; 724 UINT8_TO_STREAM(p, SMP_OPCODE_CONFIRM); 725 ARRAY_TO_STREAM(p, p_cb->commitment, BT_OCTET16_LEN); 726 727 p_buf->offset = L2CAP_MIN_OFFSET; 728 p_buf->len = SMP_PAIR_COMMITM_SIZE; 729 730 return p_buf; 731 } 732 733 /******************************************************************************* 734 ** 735 ** Function smp_build_pair_dhkey_check_cmd 736 ** 737 ** Description Build pairing DHKey check command. 738 ** 739 *******************************************************************************/ 740 static BT_HDR *smp_build_pair_dhkey_check_cmd(UINT8 cmd_code, tSMP_CB *p_cb) 741 { 742 UINT8 *p; 743 BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) + 744 SMP_PAIR_DHKEY_CHECK_SIZE + L2CAP_MIN_OFFSET); 745 746 UNUSED(cmd_code); 747 SMP_TRACE_EVENT("%s", __func__); 748 749 p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET; 750 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_DHKEY_CHECK); 751 ARRAY_TO_STREAM(p, p_cb->dhkey_check, BT_OCTET16_LEN); 752 753 p_buf->offset = L2CAP_MIN_OFFSET; 754 p_buf->len = SMP_PAIR_DHKEY_CHECK_SIZE; 755 756 return p_buf; 757 } 758 759 /******************************************************************************* 760 ** 761 ** Function smp_build_pairing_keypress_notification_cmd 762 ** 763 ** Description Build keypress notification command. 764 ** 765 *******************************************************************************/ 766 static BT_HDR * smp_build_pairing_keypress_notification_cmd(UINT8 cmd_code, tSMP_CB *p_cb) 767 { 768 UINT8 *p; 769 BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) + 770 SMP_PAIR_KEYPR_NOTIF_SIZE + L2CAP_MIN_OFFSET); 771 772 UNUSED(cmd_code); 773 SMP_TRACE_EVENT("%s", __func__); 774 775 p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET; 776 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_KEYPR_NOTIF); 777 UINT8_TO_STREAM(p, p_cb->local_keypress_notification); 778 779 p_buf->offset = L2CAP_MIN_OFFSET; 780 p_buf->len = SMP_PAIR_KEYPR_NOTIF_SIZE; 781 782 return p_buf; 783 } 784 785 /******************************************************************************* 786 ** 787 ** Function smp_convert_string_to_tk 788 ** 789 ** Description This function is called to convert a 6 to 16 digits numeric 790 ** character string into SMP TK. 791 ** 792 ** 793 ** Returns void 794 ** 795 *******************************************************************************/ 796 void smp_convert_string_to_tk(BT_OCTET16 tk, UINT32 passkey) 797 { 798 UINT8 *p = tk; 799 tSMP_KEY key; 800 SMP_TRACE_EVENT("smp_convert_string_to_tk"); 801 UINT32_TO_STREAM(p, passkey); 802 803 key.key_type = SMP_KEY_TYPE_TK; 804 key.p_data = tk; 805 806 smp_sm_event(&smp_cb, SMP_KEY_READY_EVT, &key); 807 } 808 809 /******************************************************************************* 810 ** 811 ** Function smp_mask_enc_key 812 ** 813 ** Description This function is called to mask off the encryption key based 814 ** on the maximum encryption key size. 815 ** 816 ** 817 ** Returns void 818 ** 819 *******************************************************************************/ 820 void smp_mask_enc_key(UINT8 loc_enc_size, UINT8 * p_data) 821 { 822 SMP_TRACE_EVENT("smp_mask_enc_key"); 823 if (loc_enc_size < BT_OCTET16_LEN) 824 { 825 for (; loc_enc_size < BT_OCTET16_LEN; loc_enc_size ++) 826 * (p_data + loc_enc_size) = 0; 827 } 828 return; 829 } 830 831 /******************************************************************************* 832 ** 833 ** Function smp_xor_128 834 ** 835 ** Description utility function to do an biteise exclusive-OR of two bit 836 ** strings of the length of BT_OCTET16_LEN. 837 ** 838 ** Returns void 839 ** 840 *******************************************************************************/ 841 void smp_xor_128(BT_OCTET16 a, BT_OCTET16 b) 842 { 843 UINT8 i, *aa = a, *bb = b; 844 845 SMP_TRACE_EVENT("smp_xor_128"); 846 for (i = 0; i < BT_OCTET16_LEN; i++) 847 { 848 aa[i] = aa[i] ^ bb[i]; 849 } 850 } 851 852 /******************************************************************************* 853 ** 854 ** Function smp_cb_cleanup 855 ** 856 ** Description Clean up SMP control block 857 ** 858 ** Returns void 859 ** 860 *******************************************************************************/ 861 void smp_cb_cleanup(tSMP_CB *p_cb) 862 { 863 tSMP_CALLBACK *p_callback = p_cb->p_callback; 864 UINT8 trace_level = p_cb->trace_level; 865 866 SMP_TRACE_EVENT("smp_cb_cleanup"); 867 868 alarm_free(p_cb->smp_rsp_timer_ent); 869 alarm_free(p_cb->delayed_auth_timer_ent); 870 memset(p_cb, 0, sizeof(tSMP_CB)); 871 p_cb->p_callback = p_callback; 872 p_cb->trace_level = trace_level; 873 p_cb->smp_rsp_timer_ent = alarm_new("smp.smp_rsp_timer_ent"); 874 p_cb->delayed_auth_timer_ent = alarm_new("smp.delayed_auth_timer_ent"); 875 } 876 877 /******************************************************************************* 878 ** 879 ** Function smp_remove_fixed_channel 880 ** 881 ** Description This function is called to remove the fixed channel 882 ** 883 ** Returns void 884 ** 885 *******************************************************************************/ 886 void smp_remove_fixed_channel(tSMP_CB *p_cb) 887 { 888 SMP_TRACE_DEBUG("%s", __func__); 889 890 if (p_cb->smp_over_br) 891 L2CA_RemoveFixedChnl (L2CAP_SMP_BR_CID, p_cb->pairing_bda); 892 else 893 L2CA_RemoveFixedChnl (L2CAP_SMP_CID, p_cb->pairing_bda); 894 } 895 896 /******************************************************************************* 897 ** 898 ** Function smp_reset_control_value 899 ** 900 ** Description This function is called to reset the control block value when 901 ** pairing procedure finished. 902 ** 903 ** 904 ** Returns void 905 ** 906 *******************************************************************************/ 907 void smp_reset_control_value(tSMP_CB *p_cb) 908 { 909 SMP_TRACE_EVENT("%s", __func__); 910 911 alarm_cancel(p_cb->smp_rsp_timer_ent); 912 p_cb->flags = 0; 913 /* set the link idle timer to drop the link when pairing is done 914 usually service discovery will follow authentication complete, to avoid 915 racing condition for a link down/up, set link idle timer to be 916 SMP_LINK_TOUT_MIN to guarantee SMP key exchange */ 917 L2CA_SetIdleTimeoutByBdAddr(p_cb->pairing_bda, SMP_LINK_TOUT_MIN, BT_TRANSPORT_LE); 918 919 /* We can tell L2CAP to remove the fixed channel (if it has one) */ 920 smp_remove_fixed_channel(p_cb); 921 smp_cb_cleanup(p_cb); 922 } 923 924 /******************************************************************************* 925 ** 926 ** Function smp_proc_pairing_cmpl 927 ** 928 ** Description This function is called to process pairing complete 929 ** 930 ** 931 ** Returns void 932 ** 933 *******************************************************************************/ 934 void smp_proc_pairing_cmpl(tSMP_CB *p_cb) 935 { 936 tSMP_EVT_DATA evt_data = {0}; 937 tSMP_CALLBACK *p_callback = p_cb->p_callback; 938 BD_ADDR pairing_bda; 939 940 SMP_TRACE_DEBUG ("smp_proc_pairing_cmpl "); 941 942 evt_data.cmplt.reason = p_cb->status; 943 evt_data.cmplt.smp_over_br = p_cb->smp_over_br; 944 945 if (p_cb->status == SMP_SUCCESS) 946 evt_data.cmplt.sec_level = p_cb->sec_level; 947 948 evt_data.cmplt.is_pair_cancel = FALSE; 949 950 if (p_cb->is_pair_cancel) 951 evt_data.cmplt.is_pair_cancel = TRUE; 952 953 954 SMP_TRACE_DEBUG ("send SMP_COMPLT_EVT reason=0x%0x sec_level=0x%0x", 955 evt_data.cmplt.reason, 956 evt_data.cmplt.sec_level ); 957 958 memcpy (pairing_bda, p_cb->pairing_bda, BD_ADDR_LEN); 959 960 smp_reset_control_value(p_cb); 961 962 if (p_callback) 963 (*p_callback) (SMP_COMPLT_EVT, pairing_bda, &evt_data); 964 } 965 966 /******************************************************************************* 967 ** 968 ** Function smp_command_has_invalid_parameters 969 ** 970 ** Description Checks if the received SMP command has invalid parameters i.e. 971 ** if the command length is valid and the command parameters are 972 ** inside specified range. 973 ** It returns TRUE if the command has invalid parameters. 974 ** 975 ** Returns TRUE if the command has invalid parameters, FALSE otherwise. 976 ** 977 *******************************************************************************/ 978 BOOLEAN smp_command_has_invalid_parameters(tSMP_CB *p_cb) 979 { 980 UINT8 cmd_code = p_cb->rcvd_cmd_code; 981 982 SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, cmd_code); 983 984 if ((cmd_code > (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */)) || 985 (cmd_code < SMP_OPCODE_MIN)) 986 { 987 SMP_TRACE_WARNING("Somehow received command with the RESERVED code 0x%02x", cmd_code); 988 return TRUE; 989 } 990 991 if (!(*smp_cmd_len_is_valid[cmd_code])(p_cb)) 992 return TRUE; 993 994 if (!(*smp_cmd_param_ranges_are_valid[cmd_code])(p_cb)) 995 return TRUE; 996 997 return FALSE; 998 } 999 1000 /******************************************************************************* 1001 ** 1002 ** Function smp_command_has_valid_fixed_length 1003 ** 1004 ** Description Checks if the received command size is equal to the size 1005 ** according to specs. 1006 ** 1007 ** Returns TRUE if the command size is as expected, FALSE otherwise. 1008 ** 1009 ** Note The command is expected to have fixed length. 1010 *******************************************************************************/ 1011 BOOLEAN smp_command_has_valid_fixed_length(tSMP_CB *p_cb) 1012 { 1013 UINT8 cmd_code = p_cb->rcvd_cmd_code; 1014 1015 SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, cmd_code); 1016 1017 if (p_cb->rcvd_cmd_len != smp_cmd_size_per_spec[cmd_code]) 1018 { 1019 SMP_TRACE_WARNING("Rcvd from the peer cmd 0x%02x with invalid length\ 1020 0x%02x (per spec the length is 0x%02x).", 1021 cmd_code, p_cb->rcvd_cmd_len, smp_cmd_size_per_spec[cmd_code]); 1022 return FALSE; 1023 } 1024 1025 return TRUE; 1026 } 1027 1028 /******************************************************************************* 1029 ** 1030 ** Function smp_pairing_request_response_parameters_are_valid 1031 ** 1032 ** Description Validates parameter ranges in the received SMP command 1033 ** pairing request or pairing response. 1034 ** The parameters to validate: 1035 ** IO capability, 1036 ** OOB data flag, 1037 ** Bonding_flags in AuthReq 1038 ** Maximum encryption key size. 1039 ** Returns FALSE if at least one of these parameters is out of range. 1040 ** 1041 *******************************************************************************/ 1042 BOOLEAN smp_pairing_request_response_parameters_are_valid(tSMP_CB *p_cb) 1043 { 1044 UINT8 io_caps = p_cb->peer_io_caps; 1045 UINT8 oob_flag = p_cb->peer_oob_flag; 1046 UINT8 bond_flag = p_cb->peer_auth_req & 0x03; //0x03 is gen bond with appropriate mask 1047 UINT8 enc_size = p_cb->peer_enc_size; 1048 1049 SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, p_cb->rcvd_cmd_code); 1050 1051 if (io_caps >= BTM_IO_CAP_MAX) 1052 { 1053 SMP_TRACE_WARNING("Rcvd from the peer cmd 0x%02x with IO Capabilty \ 1054 value (0x%02x) out of range).", 1055 p_cb->rcvd_cmd_code, io_caps); 1056 return FALSE; 1057 } 1058 1059 if (!((oob_flag == SMP_OOB_NONE) || (oob_flag == SMP_OOB_PRESENT))) 1060 { 1061 SMP_TRACE_WARNING("Rcvd from the peer cmd 0x%02x with OOB data flag value \ 1062 (0x%02x) out of range).", 1063 p_cb->rcvd_cmd_code, oob_flag); 1064 return FALSE; 1065 } 1066 1067 if (!((bond_flag == SMP_AUTH_NO_BOND) || (bond_flag == SMP_AUTH_BOND))) 1068 { 1069 SMP_TRACE_WARNING("Rcvd from the peer cmd 0x%02x with Bonding_Flags value (0x%02x)\ 1070 out of range).", 1071 p_cb->rcvd_cmd_code, bond_flag); 1072 return FALSE; 1073 } 1074 1075 if ((enc_size < SMP_ENCR_KEY_SIZE_MIN) || (enc_size > SMP_ENCR_KEY_SIZE_MAX)) 1076 { 1077 SMP_TRACE_WARNING("Rcvd from the peer cmd 0x%02x with Maximum Encryption \ 1078 Key value (0x%02x) out of range).", 1079 p_cb->rcvd_cmd_code, enc_size); 1080 return FALSE; 1081 } 1082 1083 return TRUE; 1084 } 1085 1086 /******************************************************************************* 1087 ** 1088 ** Function smp_pairing_keypress_notification_is_valid 1089 ** 1090 ** Description Validates Notification Type parameter range in the received SMP command 1091 ** pairing keypress notification. 1092 ** Returns FALSE if this parameter is out of range. 1093 ** 1094 *******************************************************************************/ 1095 BOOLEAN smp_pairing_keypress_notification_is_valid(tSMP_CB *p_cb) 1096 { 1097 tBTM_SP_KEY_TYPE keypress_notification = p_cb->peer_keypress_notification; 1098 1099 SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, p_cb->rcvd_cmd_code); 1100 1101 if (keypress_notification >= BTM_SP_KEY_OUT_OF_RANGE) 1102 { 1103 SMP_TRACE_WARNING("Rcvd from the peer cmd 0x%02x with Pairing Keypress \ 1104 Notification value (0x%02x) out of range).", 1105 p_cb->rcvd_cmd_code, keypress_notification); 1106 return FALSE; 1107 } 1108 1109 return TRUE; 1110 } 1111 1112 /******************************************************************************* 1113 ** 1114 ** Function smp_parameter_unconditionally_valid 1115 ** 1116 ** Description Always returns TRUE. 1117 ** 1118 *******************************************************************************/ 1119 BOOLEAN smp_parameter_unconditionally_valid(UNUSED_ATTR tSMP_CB *p_cb) 1120 { 1121 return TRUE; 1122 } 1123 1124 /******************************************************************************* 1125 ** 1126 ** Function smp_parameter_unconditionally_invalid 1127 ** 1128 ** Description Always returns FALSE. 1129 ** 1130 *******************************************************************************/ 1131 BOOLEAN smp_parameter_unconditionally_invalid(UNUSED_ATTR tSMP_CB *p_cb) 1132 { 1133 return FALSE; 1134 } 1135 1136 /******************************************************************************* 1137 ** 1138 ** Function smp_reject_unexpected_pairing_command 1139 ** 1140 ** Description send pairing failure to an unexpected pairing command during 1141 ** an active pairing process. 1142 ** 1143 ** Returns void 1144 ** 1145 *******************************************************************************/ 1146 void smp_reject_unexpected_pairing_command(BD_ADDR bd_addr) 1147 { 1148 UINT8 *p; 1149 BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) + 1150 SMP_PAIR_FAIL_SIZE + L2CAP_MIN_OFFSET); 1151 1152 SMP_TRACE_DEBUG("%s", __func__); 1153 1154 p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET; 1155 UINT8_TO_STREAM(p, SMP_OPCODE_PAIRING_FAILED); 1156 UINT8_TO_STREAM(p, SMP_PAIR_NOT_SUPPORT); 1157 1158 p_buf->offset = L2CAP_MIN_OFFSET; 1159 p_buf->len = SMP_PAIR_FAIL_SIZE; 1160 1161 smp_send_msg_to_L2CAP(bd_addr, p_buf); 1162 } 1163 1164 /******************************************************************************* 1165 ** Function smp_select_association_model 1166 ** 1167 ** Description This function selects association model to use for STK 1168 ** generation. Selection is based on both sides' io capability, 1169 ** oob data flag and authentication request. 1170 ** 1171 ** Note If Secure Connections Only mode is required locally then we 1172 ** come to this point only if both sides support Secure Connections 1173 ** mode, i.e. if p_cb->secure_connections_only_mode_required = TRUE then we come 1174 ** to this point only if 1175 ** (p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT) == 1176 ** (p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) == 1177 ** SMP_SC_SUPPORT_BIT 1178 ** 1179 *******************************************************************************/ 1180 tSMP_ASSO_MODEL smp_select_association_model(tSMP_CB *p_cb) 1181 { 1182 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE; 1183 p_cb->le_secure_connections_mode_is_used = FALSE; 1184 1185 SMP_TRACE_EVENT("%s", __FUNCTION__); 1186 SMP_TRACE_DEBUG("%s p_cb->peer_io_caps = %d p_cb->local_io_capability = %d", 1187 __FUNCTION__, p_cb->peer_io_caps, p_cb->local_io_capability); 1188 SMP_TRACE_DEBUG("%s p_cb->peer_oob_flag = %d p_cb->loc_oob_flag = %d", 1189 __FUNCTION__, p_cb->peer_oob_flag, p_cb->loc_oob_flag); 1190 SMP_TRACE_DEBUG("%s p_cb->peer_auth_req = 0x%02x p_cb->loc_auth_req = 0x%02x", 1191 __FUNCTION__, p_cb->peer_auth_req, p_cb->loc_auth_req); 1192 SMP_TRACE_DEBUG("%s p_cb->secure_connections_only_mode_required = %s", 1193 __FUNCTION__, p_cb->secure_connections_only_mode_required ? 1194 "TRUE" : "FALSE"); 1195 1196 if ((p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT) && (p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT)) 1197 { 1198 p_cb->le_secure_connections_mode_is_used = TRUE; 1199 } 1200 1201 SMP_TRACE_DEBUG("use_sc_process = %d", p_cb->le_secure_connections_mode_is_used); 1202 1203 if (p_cb->le_secure_connections_mode_is_used) 1204 { 1205 model = smp_select_association_model_secure_connections(p_cb); 1206 } 1207 else 1208 { 1209 model = smp_select_legacy_association_model(p_cb); 1210 } 1211 return model; 1212 } 1213 1214 /******************************************************************************* 1215 ** Function smp_select_legacy_association_model 1216 ** 1217 ** Description This function is called to select association mode if at least 1218 ** one side doesn't support secure connections. 1219 ** 1220 *******************************************************************************/ 1221 tSMP_ASSO_MODEL smp_select_legacy_association_model(tSMP_CB *p_cb) 1222 { 1223 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE; 1224 1225 SMP_TRACE_DEBUG("%s", __func__); 1226 /* if OOB data is present on both devices, then use OOB association model */ 1227 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT && p_cb->loc_oob_flag == SMP_OOB_PRESENT) 1228 return SMP_MODEL_OOB; 1229 1230 /* else if neither device requires MITM, then use Just Works association model */ 1231 if (SMP_NO_MITM_REQUIRED (p_cb->peer_auth_req) && SMP_NO_MITM_REQUIRED(p_cb->loc_auth_req)) 1232 return SMP_MODEL_ENCRYPTION_ONLY; 1233 1234 /* otherwise use IO capability to select association model */ 1235 if (p_cb->peer_io_caps < SMP_IO_CAP_MAX && p_cb->local_io_capability < SMP_IO_CAP_MAX) 1236 { 1237 if (p_cb->role == HCI_ROLE_MASTER) 1238 { 1239 model = smp_association_table[p_cb->role][p_cb->peer_io_caps] 1240 [p_cb->local_io_capability]; 1241 } 1242 else 1243 { 1244 model = smp_association_table[p_cb->role][p_cb->local_io_capability] 1245 [p_cb->peer_io_caps]; 1246 } 1247 } 1248 1249 return model; 1250 } 1251 1252 /******************************************************************************* 1253 ** Function smp_select_association_model_secure_connections 1254 ** 1255 ** Description This function is called to select association mode if both 1256 ** sides support secure connections. 1257 ** 1258 *******************************************************************************/ 1259 tSMP_ASSO_MODEL smp_select_association_model_secure_connections(tSMP_CB *p_cb) 1260 { 1261 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE; 1262 1263 SMP_TRACE_DEBUG("%s", __func__); 1264 /* if OOB data is present on at least one device, then use OOB association model */ 1265 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT || p_cb->loc_oob_flag == SMP_OOB_PRESENT) 1266 return SMP_MODEL_SEC_CONN_OOB; 1267 1268 /* else if neither device requires MITM, then use Just Works association model */ 1269 if (SMP_NO_MITM_REQUIRED (p_cb->peer_auth_req) && SMP_NO_MITM_REQUIRED(p_cb->loc_auth_req)) 1270 return SMP_MODEL_SEC_CONN_JUSTWORKS; 1271 1272 /* otherwise use IO capability to select association model */ 1273 if (p_cb->peer_io_caps < SMP_IO_CAP_MAX && p_cb->local_io_capability < SMP_IO_CAP_MAX) 1274 { 1275 if (p_cb->role == HCI_ROLE_MASTER) 1276 { 1277 model = smp_association_table_sc[p_cb->role][p_cb->peer_io_caps] 1278 [p_cb->local_io_capability]; 1279 } 1280 else 1281 { 1282 model = smp_association_table_sc[p_cb->role][p_cb->local_io_capability] 1283 [p_cb->peer_io_caps]; 1284 } 1285 } 1286 1287 return model; 1288 } 1289 1290 /******************************************************************************* 1291 ** Function smp_reverse_array 1292 ** 1293 ** Description This function reverses array bytes 1294 ** 1295 *******************************************************************************/ 1296 void smp_reverse_array(UINT8 *arr, UINT8 len) 1297 { 1298 UINT8 i =0, tmp; 1299 1300 SMP_TRACE_DEBUG("smp_reverse_array"); 1301 1302 for (i = 0; i < len/2; i ++) 1303 { 1304 tmp = arr[i]; 1305 arr[i] = arr[len -1 - i]; 1306 arr[len -1 - i] = tmp; 1307 } 1308 } 1309 1310 /******************************************************************************* 1311 ** Function smp_calculate_random_input 1312 ** 1313 ** Description This function returns random input value to be used in commitment 1314 ** calculation for SC passkey entry association mode 1315 ** (if bit["round"] in "random" array == 1 then returns 0x81 1316 ** else returns 0x80). 1317 ** 1318 ** Returns ri value 1319 ** 1320 *******************************************************************************/ 1321 UINT8 smp_calculate_random_input(UINT8 *random, UINT8 round) 1322 { 1323 UINT8 i = round/8; 1324 UINT8 j = round%8; 1325 UINT8 ri; 1326 1327 SMP_TRACE_DEBUG("random: 0x%02x, round: %d, i: %d, j: %d", random[i], round, i, j); 1328 ri = ((random[i] >> j) & 1) | 0x80; 1329 SMP_TRACE_DEBUG("%s ri=0x%02x", __func__, ri); 1330 return ri; 1331 } 1332 1333 /******************************************************************************* 1334 ** Function smp_collect_local_io_capabilities 1335 ** 1336 ** Description This function puts into IOcap array local device 1337 ** IOCapability, OOB data, AuthReq. 1338 ** 1339 ** Returns void 1340 ** 1341 *******************************************************************************/ 1342 void smp_collect_local_io_capabilities(UINT8 *iocap, tSMP_CB *p_cb) 1343 { 1344 SMP_TRACE_DEBUG("%s", __func__); 1345 1346 iocap[0] = p_cb->local_io_capability; 1347 iocap[1] = p_cb->loc_oob_flag; 1348 iocap[2] = p_cb->loc_auth_req; 1349 } 1350 1351 /******************************************************************************* 1352 ** Function smp_collect_peer_io_capabilities 1353 ** 1354 ** Description This function puts into IOcap array peer device 1355 ** IOCapability, OOB data, AuthReq. 1356 ** 1357 ** Returns void 1358 ** 1359 *******************************************************************************/ 1360 void smp_collect_peer_io_capabilities(UINT8 *iocap, tSMP_CB *p_cb) 1361 { 1362 SMP_TRACE_DEBUG("%s", __func__); 1363 1364 iocap[0] = p_cb->peer_io_caps; 1365 iocap[1] = p_cb->peer_oob_flag; 1366 iocap[2] = p_cb->peer_auth_req; 1367 } 1368 1369 /******************************************************************************* 1370 ** Function smp_collect_local_ble_address 1371 ** 1372 ** Description This function puts into le_addr array local device le address: 1373 ** le_addr[0-5] = local BD ADDR, 1374 ** le_addr[6] = local le address type (PUBLIC/RANDOM). 1375 ** 1376 ** Returns void 1377 ** 1378 *******************************************************************************/ 1379 void smp_collect_local_ble_address(UINT8 *le_addr, tSMP_CB *p_cb) 1380 { 1381 tBLE_ADDR_TYPE addr_type = 0; 1382 BD_ADDR bda; 1383 UINT8 *p = le_addr; 1384 1385 SMP_TRACE_DEBUG("%s", __func__); 1386 1387 BTM_ReadConnectionAddr( p_cb->pairing_bda, bda, &addr_type); 1388 BDADDR_TO_STREAM(p, bda); 1389 UINT8_TO_STREAM(p, addr_type); 1390 } 1391 1392 /******************************************************************************* 1393 ** Function smp_collect_peer_ble_address 1394 ** 1395 ** Description This function puts into le_addr array peer device le address: 1396 ** le_addr[0-5] = peer BD ADDR, 1397 ** le_addr[6] = peer le address type (PUBLIC/RANDOM). 1398 ** 1399 ** Returns void 1400 ** 1401 *******************************************************************************/ 1402 void smp_collect_peer_ble_address(UINT8 *le_addr, tSMP_CB *p_cb) 1403 { 1404 tBLE_ADDR_TYPE addr_type = 0; 1405 BD_ADDR bda; 1406 UINT8 *p = le_addr; 1407 1408 SMP_TRACE_DEBUG("%s", __func__); 1409 1410 if (!BTM_ReadRemoteConnectionAddr(p_cb->pairing_bda, bda, &addr_type)) 1411 { 1412 SMP_TRACE_ERROR("can not collect peer le addr information for unknown device"); 1413 return; 1414 } 1415 1416 BDADDR_TO_STREAM(p, bda); 1417 UINT8_TO_STREAM(p, addr_type); 1418 } 1419 1420 /******************************************************************************* 1421 ** Function smp_check_commitment 1422 ** 1423 ** Description This function compares peer commitment values: 1424 ** - expected (i.e. calculated locally), 1425 ** - received from the peer. 1426 ** 1427 ** Returns TRUE if the values are the same 1428 ** FALSE otherwise 1429 ** 1430 *******************************************************************************/ 1431 BOOLEAN smp_check_commitment(tSMP_CB *p_cb) 1432 { 1433 BT_OCTET16 expected; 1434 1435 SMP_TRACE_DEBUG("%s", __func__); 1436 1437 smp_calculate_peer_commitment(p_cb, expected); 1438 print128(expected, (const UINT8 *)"calculated peer commitment"); 1439 print128(p_cb->remote_commitment, (const UINT8 *)"received peer commitment"); 1440 1441 if (memcmp(p_cb->remote_commitment, expected, BT_OCTET16_LEN)) 1442 { 1443 SMP_TRACE_WARNING("Commitment check fails"); 1444 return FALSE; 1445 } 1446 1447 SMP_TRACE_DEBUG("Commitment check succeeds"); 1448 return TRUE; 1449 } 1450 1451 /******************************************************************************* 1452 ** 1453 ** Function smp_save_secure_connections_long_term_key 1454 ** 1455 ** Description The function saves SC LTK as BLE key for future use as local 1456 ** and/or peer key. 1457 ** 1458 ** Returns void 1459 ** 1460 *******************************************************************************/ 1461 void smp_save_secure_connections_long_term_key(tSMP_CB *p_cb) 1462 { 1463 tBTM_LE_LENC_KEYS lle_key; 1464 tBTM_LE_PENC_KEYS ple_key; 1465 1466 SMP_TRACE_DEBUG("%s-Save LTK as local LTK key", __func__); 1467 memcpy(lle_key.ltk, p_cb->ltk, BT_OCTET16_LEN); 1468 lle_key.div = 0; 1469 lle_key.key_size = p_cb->loc_enc_size; 1470 lle_key.sec_level = p_cb->sec_level; 1471 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC, (tBTM_LE_KEY_VALUE *)&lle_key, TRUE); 1472 1473 SMP_TRACE_DEBUG("%s-Save LTK as peer LTK key", __func__); 1474 ple_key.ediv = 0; 1475 memset(ple_key.rand, 0, BT_OCTET8_LEN); 1476 memcpy(ple_key.ltk, p_cb->ltk, BT_OCTET16_LEN); 1477 ple_key.sec_level = p_cb->sec_level; 1478 ple_key.key_size = p_cb->loc_enc_size; 1479 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC, (tBTM_LE_KEY_VALUE *)&ple_key, TRUE); 1480 } 1481 1482 /******************************************************************************* 1483 ** 1484 ** Function smp_calculate_f5_mackey_and_long_term_key 1485 ** 1486 ** Description The function calculates MacKey and LTK and saves them in CB. 1487 ** To calculate MacKey and LTK it calls smp_calc_f5(...). 1488 ** MacKey is used in dhkey calculation, LTK is used to encrypt 1489 ** the link. 1490 ** 1491 ** Returns FALSE if out of resources, TRUE otherwise. 1492 ** 1493 *******************************************************************************/ 1494 BOOLEAN smp_calculate_f5_mackey_and_long_term_key(tSMP_CB *p_cb) 1495 { 1496 UINT8 a[7]; 1497 UINT8 b[7]; 1498 UINT8 *p_na; 1499 UINT8 *p_nb; 1500 1501 SMP_TRACE_DEBUG("%s", __func__); 1502 1503 if (p_cb->role == HCI_ROLE_MASTER) 1504 { 1505 smp_collect_local_ble_address(a, p_cb); 1506 smp_collect_peer_ble_address(b, p_cb); 1507 p_na = p_cb->rand; 1508 p_nb = p_cb->rrand; 1509 } 1510 else 1511 { 1512 smp_collect_local_ble_address(b, p_cb); 1513 smp_collect_peer_ble_address(a, p_cb); 1514 p_na = p_cb->rrand; 1515 p_nb = p_cb->rand; 1516 } 1517 1518 if(!smp_calculate_f5(p_cb->dhkey, p_na, p_nb, a, b, p_cb->mac_key, p_cb->ltk)) 1519 { 1520 SMP_TRACE_ERROR("%s failed", __func__); 1521 return FALSE; 1522 } 1523 1524 SMP_TRACE_EVENT ("%s is completed", __func__); 1525 return TRUE; 1526 } 1527 1528 /******************************************************************************* 1529 ** 1530 ** Function smp_request_oob_data 1531 ** 1532 ** Description Requests application to provide OOB data. 1533 ** 1534 ** Returns TRUE - OOB data has to be provided by application 1535 ** FALSE - otherwise (unexpected) 1536 ** 1537 *******************************************************************************/ 1538 BOOLEAN smp_request_oob_data(tSMP_CB *p_cb) 1539 { 1540 tSMP_OOB_DATA_TYPE req_oob_type = SMP_OOB_INVALID_TYPE; 1541 1542 SMP_TRACE_DEBUG("%s", __func__); 1543 1544 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT && p_cb->loc_oob_flag == SMP_OOB_PRESENT) 1545 { 1546 /* both local and peer rcvd data OOB */ 1547 req_oob_type = SMP_OOB_BOTH; 1548 } 1549 else if (p_cb->peer_oob_flag == SMP_OOB_PRESENT) 1550 { 1551 /* peer rcvd OOB local data, local didn't receive OOB peer data */ 1552 req_oob_type = SMP_OOB_LOCAL; 1553 } 1554 else if (p_cb->loc_oob_flag == SMP_OOB_PRESENT) 1555 { 1556 req_oob_type = SMP_OOB_PEER; 1557 } 1558 1559 SMP_TRACE_DEBUG("req_oob_type = %d", req_oob_type); 1560 1561 if (req_oob_type == SMP_OOB_INVALID_TYPE) 1562 return FALSE; 1563 1564 p_cb->req_oob_type = req_oob_type; 1565 p_cb->cb_evt = SMP_SC_OOB_REQ_EVT; 1566 smp_sm_event(p_cb, SMP_TK_REQ_EVT, &req_oob_type); 1567 1568 return TRUE; 1569 } 1570 1571 1572 #endif 1573 1574
