1 /****************************************************************************** 2 * 3 * Copyright (C) 1999-2012 Broadcom Corporation 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License"); 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at: 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 * 17 ******************************************************************************/ 18 19 /****************************************************************************** 20 * 21 * This file contains security manager protocol utility functions 22 * 23 ******************************************************************************/ 24 #include "bt_target.h" 25 26 #if SMP_INCLUDED == TRUE 27 #if SMP_DEBUG == TRUE 28 #include <stdio.h> 29 #endif 30 #include <string.h> 31 #include "bt_utils.h" 32 #include "btm_ble_api.h" 33 #include "smp_int.h" 34 #include "btm_int.h" 35 #include "btm_ble_int.h" 36 #include "hcimsgs.h" 37 #include "aes.h" 38 #include "p_256_ecc_pp.h" 39 #include "device/include/controller.h" 40 41 #ifndef SMP_MAX_ENC_REPEAT 42 #define SMP_MAX_ENC_REPEAT 3 43 #endif 44 45 static void smp_rand_back(tBTM_RAND_ENC *p); 46 static void smp_generate_confirm(tSMP_CB *p_cb, tSMP_INT_DATA *p_data); 47 static void smp_generate_ltk_cont(tSMP_CB *p_cb, tSMP_INT_DATA *p_data); 48 static void smp_generate_y(tSMP_CB *p_cb, tSMP_INT_DATA *p); 49 static void smp_generate_rand_vector (tSMP_CB *p_cb, tSMP_INT_DATA *p); 50 static void smp_process_stk(tSMP_CB *p_cb, tSMP_ENC *p); 51 static void smp_calculate_comfirm_cont(tSMP_CB *p_cb, tSMP_ENC *p); 52 static void smp_process_confirm(tSMP_CB *p_cb, tSMP_ENC *p); 53 static void smp_process_compare(tSMP_CB *p_cb, tSMP_ENC *p); 54 static void smp_process_ediv(tSMP_CB *p_cb, tSMP_ENC *p); 55 static BOOLEAN smp_calculate_legacy_short_term_key(tSMP_CB *p_cb, tSMP_ENC *output); 56 static void smp_continue_private_key_creation(tSMP_CB *p_cb, tBTM_RAND_ENC *p); 57 static void smp_process_private_key(tSMP_CB *p_cb); 58 static void smp_finish_nonce_generation(tSMP_CB *p_cb); 59 static void smp_process_new_nonce(tSMP_CB *p_cb); 60 61 #define SMP_PASSKEY_MASK 0xfff00000 62 63 void smp_debug_print_nbyte_little_endian(UINT8 *p, const UINT8 *key_name, UINT8 len) 64 { 65 #if SMP_DEBUG == TRUE 66 int ind, x; 67 int col_count = 32; 68 int row_count; 69 UINT8 p_buf[512]; 70 71 SMP_TRACE_WARNING("%s(LSB ~ MSB):", key_name); 72 memset(p_buf, 0, sizeof(p_buf)); 73 row_count = len % col_count ? len / col_count + 1: len / col_count; 74 75 ind = 0; 76 for (int row = 0; row < row_count; row++) 77 { 78 for (int column = 0, x = 0; (ind < len) && (column < col_count); column++, ind++) 79 { 80 x += sprintf((char *)&p_buf[x], "%02x ", p[ind]); 81 } 82 SMP_TRACE_WARNING(" [%03d]: %s", row * col_count, p_buf); 83 } 84 #endif 85 } 86 87 void smp_debug_print_nbyte_big_endian (UINT8 *p, const UINT8 *key_name, UINT8 len) 88 { 89 #if SMP_DEBUG == TRUE 90 UINT8 p_buf[512]; 91 92 SMP_TRACE_WARNING("%s(MSB ~ LSB):", key_name); 93 memset(p_buf, 0, sizeof(p_buf)); 94 95 int ind = 0; 96 int ncols = 32; /* num entries in one line */ 97 int nrows; /* num lines */ 98 int x; 99 100 nrows = len % ncols ? len / ncols + 1: len / ncols; 101 for (int row = 0; row < nrows; row++) 102 { 103 for (int col = 0, x = 0; (ind < len) && (col < ncols); col++, ind++) 104 { 105 x += sprintf ((char *)&p_buf[len-x-1], "%02x ", p[ind]); 106 } 107 SMP_TRACE_WARNING("[%03d]: %s", row * ncols, p_buf); 108 } 109 #endif 110 } 111 112 /******************************************************************************* 113 ** 114 ** Function smp_encrypt_data 115 ** 116 ** Description This function is called to encrypt data. 117 ** It uses AES-128 encryption algorithm. 118 ** Plain_text is encrypted using key, the result is at p_out. 119 ** 120 ** Returns void 121 ** 122 *******************************************************************************/ 123 BOOLEAN smp_encrypt_data (UINT8 *key, UINT8 key_len, 124 UINT8 *plain_text, UINT8 pt_len, 125 tSMP_ENC *p_out) 126 { 127 aes_context ctx; 128 UINT8 *p_start = NULL; 129 UINT8 *p = NULL; 130 UINT8 *p_rev_data = NULL; /* input data in big endilan format */ 131 UINT8 *p_rev_key = NULL; /* input key in big endilan format */ 132 UINT8 *p_rev_output = NULL; /* encrypted output in big endilan format */ 133 134 SMP_TRACE_DEBUG ("%s", __func__); 135 if ( (p_out == NULL ) || (key_len != SMP_ENCRYT_KEY_SIZE) ) 136 { 137 SMP_TRACE_ERROR ("%s failed", __func__); 138 return FALSE; 139 } 140 141 p_start = (UINT8 *)osi_calloc(SMP_ENCRYT_DATA_SIZE * 4); 142 143 if (pt_len > SMP_ENCRYT_DATA_SIZE) 144 pt_len = SMP_ENCRYT_DATA_SIZE; 145 146 p = p_start; 147 ARRAY_TO_STREAM (p, plain_text, pt_len); /* byte 0 to byte 15 */ 148 p_rev_data = p = p_start + SMP_ENCRYT_DATA_SIZE; /* start at byte 16 */ 149 REVERSE_ARRAY_TO_STREAM (p, p_start, SMP_ENCRYT_DATA_SIZE); /* byte 16 to byte 31 */ 150 p_rev_key = p; /* start at byte 32 */ 151 REVERSE_ARRAY_TO_STREAM (p, key, SMP_ENCRYT_KEY_SIZE); /* byte 32 to byte 47 */ 152 153 #if SMP_DEBUG == TRUE && SMP_DEBUG_VERBOSE == TRUE 154 smp_debug_print_nbyte_little_endian(key, (const UINT8 *)"Key", SMP_ENCRYT_KEY_SIZE); 155 smp_debug_print_nbyte_little_endian(p_start, (const UINT8 *)"Plain text", SMP_ENCRYT_DATA_SIZE); 156 #endif 157 p_rev_output = p; 158 aes_set_key(p_rev_key, SMP_ENCRYT_KEY_SIZE, &ctx); 159 aes_encrypt(p_rev_data, p, &ctx); /* outputs in byte 48 to byte 63 */ 160 161 p = p_out->param_buf; 162 REVERSE_ARRAY_TO_STREAM (p, p_rev_output, SMP_ENCRYT_DATA_SIZE); 163 #if SMP_DEBUG == TRUE && SMP_DEBUG_VERBOSE == TRUE 164 smp_debug_print_nbyte_little_endian(p_out->param_buf, (const UINT8 *)"Encrypted text", SMP_ENCRYT_KEY_SIZE); 165 #endif 166 167 p_out->param_len = SMP_ENCRYT_KEY_SIZE; 168 p_out->status = HCI_SUCCESS; 169 p_out->opcode = HCI_BLE_ENCRYPT; 170 171 osi_free(p_start); 172 173 return TRUE; 174 } 175 176 /******************************************************************************* 177 ** 178 ** Function smp_generate_passkey 179 ** 180 ** Description This function is called to generate passkey. 181 ** 182 ** Returns void 183 ** 184 *******************************************************************************/ 185 void smp_generate_passkey(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) 186 { 187 UNUSED(p_data); 188 189 SMP_TRACE_DEBUG ("%s", __func__); 190 p_cb->rand_enc_proc_state = SMP_GEN_TK; 191 192 /* generate MRand or SRand */ 193 if (!btsnd_hcic_ble_rand((void *)smp_rand_back)) 194 smp_rand_back(NULL); 195 } 196 197 /******************************************************************************* 198 ** 199 ** Function smp_proc_passkey 200 ** 201 ** Description This function is called to process a passkey. 202 ** 203 ** Returns void 204 ** 205 *******************************************************************************/ 206 void smp_proc_passkey(tSMP_CB *p_cb , tBTM_RAND_ENC *p) 207 { 208 UINT8 *tt = p_cb->tk; 209 tSMP_KEY key; 210 UINT32 passkey; /* 19655 test number; */ 211 UINT8 *pp = p->param_buf; 212 213 SMP_TRACE_DEBUG ("%s", __func__); 214 STREAM_TO_UINT32(passkey, pp); 215 passkey &= ~SMP_PASSKEY_MASK; 216 217 /* truncate by maximum value */ 218 while (passkey > BTM_MAX_PASSKEY_VAL) 219 passkey >>= 1; 220 221 /* save the TK */ 222 memset(p_cb->tk, 0, BT_OCTET16_LEN); 223 UINT32_TO_STREAM(tt, passkey); 224 225 key.key_type = SMP_KEY_TYPE_TK; 226 key.p_data = p_cb->tk; 227 228 if (p_cb->p_callback) 229 { 230 (*p_cb->p_callback)(SMP_PASSKEY_NOTIF_EVT, p_cb->pairing_bda, (tSMP_EVT_DATA *)&passkey); 231 } 232 233 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_PASSKEY_DISP) 234 { 235 smp_sm_event(&smp_cb, SMP_KEY_READY_EVT, &passkey); 236 } 237 else 238 { 239 smp_sm_event(p_cb, SMP_KEY_READY_EVT, (tSMP_INT_DATA *)&key); 240 } 241 } 242 243 /******************************************************************************* 244 ** 245 ** Function smp_generate_stk 246 ** 247 ** Description This function is called to generate STK calculated by running 248 ** AES with the TK value as key and a concatenation of the random 249 ** values. 250 ** 251 ** Returns void 252 ** 253 *******************************************************************************/ 254 void smp_generate_stk(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) 255 { 256 UNUSED(p_data); 257 258 tSMP_ENC output; 259 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN; 260 261 SMP_TRACE_DEBUG ("%s", __func__); 262 263 if (p_cb->le_secure_connections_mode_is_used) 264 { 265 SMP_TRACE_WARNING ("FOR LE SC LTK IS USED INSTEAD OF STK"); 266 output.param_len = SMP_ENCRYT_KEY_SIZE; 267 output.status = HCI_SUCCESS; 268 output.opcode = HCI_BLE_ENCRYPT; 269 memcpy(output.param_buf, p_cb->ltk, SMP_ENCRYT_DATA_SIZE); 270 } 271 else if (!smp_calculate_legacy_short_term_key(p_cb, &output)) 272 { 273 SMP_TRACE_ERROR("%s failed", __func__); 274 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &status); 275 return; 276 } 277 278 smp_process_stk(p_cb, &output); 279 } 280 281 /******************************************************************************* 282 ** 283 ** Function smp_generate_srand_mrand_confirm 284 ** 285 ** Description This function is called to start the second pairing phase by 286 ** start generating random number. 287 ** 288 ** 289 ** Returns void 290 ** 291 *******************************************************************************/ 292 void smp_generate_srand_mrand_confirm(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) 293 { 294 UNUSED(p_data); 295 296 SMP_TRACE_DEBUG ("%s", __func__); 297 p_cb->rand_enc_proc_state = SMP_GEN_SRAND_MRAND; 298 /* generate MRand or SRand */ 299 if (!btsnd_hcic_ble_rand((void *)smp_rand_back)) 300 smp_rand_back(NULL); 301 } 302 303 /******************************************************************************* 304 ** 305 ** Function smp_generate_rand_cont 306 ** 307 ** Description This function is called to generate another 64 bits random for 308 ** MRand or Srand. 309 ** 310 ** Returns void 311 ** 312 *******************************************************************************/ 313 void smp_generate_rand_cont(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) 314 { 315 UNUSED(p_data); 316 317 SMP_TRACE_DEBUG ("%s", __func__); 318 p_cb->rand_enc_proc_state = SMP_GEN_SRAND_MRAND_CONT; 319 /* generate 64 MSB of MRand or SRand */ 320 if (!btsnd_hcic_ble_rand((void *)smp_rand_back)) 321 smp_rand_back(NULL); 322 } 323 324 /******************************************************************************* 325 ** 326 ** Function smp_generate_ltk 327 ** 328 ** Description This function is called: 329 ** - in legacy pairing - to calculate LTK, starting with DIV 330 ** generation; 331 ** - in LE Secure Connections pairing over LE transport - to process LTK 332 ** already generated to encrypt LE link; 333 ** - in LE Secure Connections pairing over BR/EDR transport - to start 334 ** BR/EDR Link Key processing. 335 ** 336 ** Returns void 337 ** 338 *******************************************************************************/ 339 void smp_generate_ltk(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) 340 { 341 UNUSED(p_data); 342 343 BOOLEAN div_status; 344 SMP_TRACE_DEBUG ("%s", __FUNCTION__); 345 if (smp_get_br_state() == SMP_BR_STATE_BOND_PENDING) 346 { 347 smp_br_process_link_key(p_cb, NULL); 348 return; 349 } 350 else if (p_cb->le_secure_connections_mode_is_used) 351 { 352 smp_process_secure_connection_long_term_key(); 353 return; 354 } 355 356 div_status = btm_get_local_div(p_cb->pairing_bda, &p_cb->div); 357 358 if (div_status) 359 { 360 smp_generate_ltk_cont(p_cb, NULL); 361 } 362 else 363 { 364 SMP_TRACE_DEBUG ("Generate DIV for LTK"); 365 p_cb->rand_enc_proc_state = SMP_GEN_DIV_LTK; 366 /* generate MRand or SRand */ 367 if (!btsnd_hcic_ble_rand((void *)smp_rand_back)) 368 smp_rand_back(NULL); 369 } 370 } 371 372 /******************************************************************************* 373 ** 374 ** Function smp_compute_csrk 375 ** 376 ** Description This function is called to calculate CSRK 377 ** 378 ** 379 ** Returns void 380 ** 381 *******************************************************************************/ 382 void smp_compute_csrk(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) 383 { 384 UNUSED(p_data); 385 386 BT_OCTET16 er; 387 UINT8 buffer[4]; /* for (r || DIV) r=1*/ 388 UINT16 r=1; 389 UINT8 *p=buffer; 390 tSMP_ENC output; 391 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN; 392 393 SMP_TRACE_DEBUG ("smp_compute_csrk div=%x", p_cb->div); 394 BTM_GetDeviceEncRoot(er); 395 /* CSRK = d1(ER, DIV, 1) */ 396 UINT16_TO_STREAM(p, p_cb->div); 397 UINT16_TO_STREAM(p, r); 398 399 if (!SMP_Encrypt(er, BT_OCTET16_LEN, buffer, 4, &output)) 400 { 401 SMP_TRACE_ERROR("smp_generate_csrk failed"); 402 if (p_cb->smp_over_br) 403 { 404 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &status); 405 } 406 else 407 { 408 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &status); 409 } 410 } 411 else 412 { 413 memcpy((void *)p_cb->csrk, output.param_buf, BT_OCTET16_LEN); 414 smp_send_csrk_info(p_cb, NULL); 415 } 416 } 417 418 /******************************************************************************* 419 ** 420 ** Function smp_generate_csrk 421 ** 422 ** Description This function is called to calculate CSRK, starting with DIV 423 ** generation. 424 ** 425 ** 426 ** Returns void 427 ** 428 *******************************************************************************/ 429 void smp_generate_csrk(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) 430 { 431 UNUSED(p_data); 432 433 BOOLEAN div_status; 434 435 SMP_TRACE_DEBUG ("smp_generate_csrk"); 436 437 div_status = btm_get_local_div(p_cb->pairing_bda, &p_cb->div); 438 if (div_status) 439 { 440 smp_compute_csrk(p_cb, NULL); 441 } 442 else 443 { 444 SMP_TRACE_DEBUG ("Generate DIV for CSRK"); 445 p_cb->rand_enc_proc_state = SMP_GEN_DIV_CSRK; 446 if (!btsnd_hcic_ble_rand((void *)smp_rand_back)) 447 smp_rand_back(NULL); 448 } 449 } 450 451 /******************************************************************************* 452 ** Function smp_concatenate_peer 453 ** add pairing command sent from local device into p1. 454 *******************************************************************************/ 455 void smp_concatenate_local( tSMP_CB *p_cb, UINT8 **p_data, UINT8 op_code) 456 { 457 UINT8 *p = *p_data; 458 459 SMP_TRACE_DEBUG ("%s", __func__); 460 UINT8_TO_STREAM(p, op_code); 461 UINT8_TO_STREAM(p, p_cb->local_io_capability); 462 UINT8_TO_STREAM(p, p_cb->loc_oob_flag); 463 UINT8_TO_STREAM(p, p_cb->loc_auth_req); 464 UINT8_TO_STREAM(p, p_cb->loc_enc_size); 465 UINT8_TO_STREAM(p, p_cb->local_i_key); 466 UINT8_TO_STREAM(p, p_cb->local_r_key); 467 468 *p_data = p; 469 } 470 471 /******************************************************************************* 472 ** Function smp_concatenate_peer 473 ** add pairing command received from peer device into p1. 474 *******************************************************************************/ 475 void smp_concatenate_peer( tSMP_CB *p_cb, UINT8 **p_data, UINT8 op_code) 476 { 477 UINT8 *p = *p_data; 478 479 SMP_TRACE_DEBUG ("smp_concatenate_peer "); 480 UINT8_TO_STREAM(p, op_code); 481 UINT8_TO_STREAM(p, p_cb->peer_io_caps); 482 UINT8_TO_STREAM(p, p_cb->peer_oob_flag); 483 UINT8_TO_STREAM(p, p_cb->peer_auth_req); 484 UINT8_TO_STREAM(p, p_cb->peer_enc_size); 485 UINT8_TO_STREAM(p, p_cb->peer_i_key); 486 UINT8_TO_STREAM(p, p_cb->peer_r_key); 487 488 *p_data = p; 489 } 490 491 /******************************************************************************* 492 ** 493 ** Function smp_gen_p1_4_confirm 494 ** 495 ** Description Generate Confirm/Compare Step1: 496 ** p1 = pres || preq || rat' || iat' 497 ** 498 ** Returns void 499 ** 500 *******************************************************************************/ 501 void smp_gen_p1_4_confirm( tSMP_CB *p_cb, BT_OCTET16 p1) 502 { 503 UINT8 *p = (UINT8 *)p1; 504 tBLE_ADDR_TYPE addr_type = 0; 505 BD_ADDR remote_bda; 506 507 SMP_TRACE_DEBUG ("smp_gen_p1_4_confirm"); 508 509 if (!BTM_ReadRemoteConnectionAddr(p_cb->pairing_bda, remote_bda, &addr_type)) 510 { 511 SMP_TRACE_ERROR("can not generate confirm for unknown device"); 512 return; 513 } 514 515 BTM_ReadConnectionAddr( p_cb->pairing_bda, p_cb->local_bda, &p_cb->addr_type); 516 517 if (p_cb->role == HCI_ROLE_MASTER) 518 { 519 /* LSB : rat': initiator's(local) address type */ 520 UINT8_TO_STREAM(p, p_cb->addr_type); 521 /* LSB : iat': responder's address type */ 522 UINT8_TO_STREAM(p, addr_type); 523 /* concatinate preq */ 524 smp_concatenate_local(p_cb, &p, SMP_OPCODE_PAIRING_REQ); 525 /* concatinate pres */ 526 smp_concatenate_peer(p_cb, &p, SMP_OPCODE_PAIRING_RSP); 527 } 528 else 529 { 530 /* LSB : iat': initiator's address type */ 531 UINT8_TO_STREAM(p, addr_type); 532 /* LSB : rat': responder's(local) address type */ 533 UINT8_TO_STREAM(p, p_cb->addr_type); 534 /* concatinate preq */ 535 smp_concatenate_peer(p_cb, &p, SMP_OPCODE_PAIRING_REQ); 536 /* concatinate pres */ 537 smp_concatenate_local(p_cb, &p, SMP_OPCODE_PAIRING_RSP); 538 } 539 #if SMP_DEBUG == TRUE 540 SMP_TRACE_DEBUG("p1 = pres || preq || rat' || iat'"); 541 smp_debug_print_nbyte_little_endian ((UINT8 *)p1, (const UINT8 *)"P1", 16); 542 #endif 543 } 544 545 /******************************************************************************* 546 ** 547 ** Function smp_gen_p2_4_confirm 548 ** 549 ** Description Generate Confirm/Compare Step2: 550 ** p2 = padding || ia || ra 551 ** 552 ** Returns void 553 ** 554 *******************************************************************************/ 555 void smp_gen_p2_4_confirm( tSMP_CB *p_cb, BT_OCTET16 p2) 556 { 557 UINT8 *p = (UINT8 *)p2; 558 BD_ADDR remote_bda; 559 tBLE_ADDR_TYPE addr_type = 0; 560 561 if (!BTM_ReadRemoteConnectionAddr(p_cb->pairing_bda, remote_bda, &addr_type)) 562 { 563 SMP_TRACE_ERROR("can not generate confirm p2 for unknown device"); 564 return; 565 } 566 567 SMP_TRACE_DEBUG ("smp_gen_p2_4_confirm"); 568 569 memset(p, 0, sizeof(BT_OCTET16)); 570 571 if (p_cb->role == HCI_ROLE_MASTER) 572 { 573 /* LSB ra */ 574 BDADDR_TO_STREAM(p, remote_bda); 575 /* ia */ 576 BDADDR_TO_STREAM(p, p_cb->local_bda); 577 } 578 else 579 { 580 /* LSB ra */ 581 BDADDR_TO_STREAM(p, p_cb->local_bda); 582 /* ia */ 583 BDADDR_TO_STREAM(p, remote_bda); 584 } 585 #if SMP_DEBUG == TRUE 586 SMP_TRACE_DEBUG("p2 = padding || ia || ra"); 587 smp_debug_print_nbyte_little_endian(p2, (const UINT8 *)"p2", 16); 588 #endif 589 } 590 591 /******************************************************************************* 592 ** 593 ** Function smp_calculate_comfirm 594 ** 595 ** Description This function is called to calculate Confirm value. 596 ** 597 ** Returns void 598 ** 599 *******************************************************************************/ 600 void smp_calculate_comfirm (tSMP_CB *p_cb, BT_OCTET16 rand, BD_ADDR bda) 601 { 602 UNUSED(bda); 603 604 BT_OCTET16 p1; 605 tSMP_ENC output; 606 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN; 607 608 SMP_TRACE_DEBUG ("smp_calculate_comfirm "); 609 /* generate p1 = pres || preq || rat' || iat' */ 610 smp_gen_p1_4_confirm(p_cb, p1); 611 612 /* p1 = rand XOR p1 */ 613 smp_xor_128(p1, rand); 614 615 smp_debug_print_nbyte_little_endian ((UINT8 *)p1, (const UINT8 *)"P1' = r XOR p1", 16); 616 617 /* calculate e(k, r XOR p1), where k = TK */ 618 if (!SMP_Encrypt(p_cb->tk, BT_OCTET16_LEN, p1, BT_OCTET16_LEN, &output)) 619 { 620 SMP_TRACE_ERROR("smp_generate_csrk failed"); 621 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &status); 622 } 623 else 624 { 625 smp_calculate_comfirm_cont(p_cb, &output); 626 } 627 } 628 629 /******************************************************************************* 630 ** 631 ** Function smp_calculate_comfirm_cont 632 ** 633 ** Description This function is called when SConfirm/MConfirm is generated 634 ** proceed to send the Confirm request/response to peer device. 635 ** 636 ** Returns void 637 ** 638 *******************************************************************************/ 639 static void smp_calculate_comfirm_cont(tSMP_CB *p_cb, tSMP_ENC *p) 640 { 641 BT_OCTET16 p2; 642 tSMP_ENC output; 643 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN; 644 645 SMP_TRACE_DEBUG ("smp_calculate_comfirm_cont "); 646 #if SMP_DEBUG == TRUE 647 SMP_TRACE_DEBUG("Confirm step 1 p1' = e(k, r XOR p1) Generated"); 648 smp_debug_print_nbyte_little_endian (p->param_buf, (const UINT8 *)"C1", 16); 649 #endif 650 651 smp_gen_p2_4_confirm(p_cb, p2); 652 653 /* calculate p2 = (p1' XOR p2) */ 654 smp_xor_128(p2, p->param_buf); 655 smp_debug_print_nbyte_little_endian ((UINT8 *)p2, (const UINT8 *)"p2' = C1 xor p2", 16); 656 657 /* calculate: Confirm = E(k, p1' XOR p2) */ 658 if (!SMP_Encrypt(p_cb->tk, BT_OCTET16_LEN, p2, BT_OCTET16_LEN, &output)) 659 { 660 SMP_TRACE_ERROR("smp_calculate_comfirm_cont failed"); 661 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &status); 662 } 663 else 664 { 665 switch (p_cb->rand_enc_proc_state) 666 { 667 case SMP_GEN_CONFIRM: 668 smp_process_confirm(p_cb, &output); 669 break; 670 671 case SMP_GEN_COMPARE: 672 smp_process_compare(p_cb, &output); 673 break; 674 } 675 } 676 } 677 678 /******************************************************************************* 679 ** 680 ** Function smp_generate_confirm 681 ** 682 ** Description This function is called when a 48 bits random number is generated 683 ** as SRand or MRand, continue to calculate Sconfirm or MConfirm. 684 ** 685 ** Returns void 686 ** 687 *******************************************************************************/ 688 static void smp_generate_confirm(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) 689 { 690 UNUSED(p_data); 691 692 SMP_TRACE_DEBUG ("%s", __func__); 693 p_cb->rand_enc_proc_state = SMP_GEN_CONFIRM; 694 smp_debug_print_nbyte_little_endian ((UINT8 *)p_cb->rand, (const UINT8 *)"local rand", 16); 695 smp_calculate_comfirm(p_cb, p_cb->rand, p_cb->pairing_bda); 696 } 697 698 /******************************************************************************* 699 ** 700 ** Function smp_generate_compare 701 ** 702 ** Description This function is called to generate SConfirm for Slave device, 703 ** or MSlave for Master device. This function can be also used for 704 ** generating Compare number for confirm value check. 705 ** 706 ** Returns void 707 ** 708 *******************************************************************************/ 709 void smp_generate_compare (tSMP_CB *p_cb, tSMP_INT_DATA *p_data) 710 { 711 UNUSED(p_data); 712 713 SMP_TRACE_DEBUG ("smp_generate_compare "); 714 p_cb->rand_enc_proc_state = SMP_GEN_COMPARE; 715 smp_debug_print_nbyte_little_endian ((UINT8 *)p_cb->rrand, (const UINT8 *)"peer rand", 16); 716 smp_calculate_comfirm(p_cb, p_cb->rrand, p_cb->local_bda); 717 } 718 719 /******************************************************************************* 720 ** 721 ** Function smp_process_confirm 722 ** 723 ** Description This function is called when SConfirm/MConfirm is generated 724 ** proceed to send the Confirm request/response to peer device. 725 ** 726 ** Returns void 727 ** 728 *******************************************************************************/ 729 static void smp_process_confirm(tSMP_CB *p_cb, tSMP_ENC *p) 730 { 731 tSMP_KEY key; 732 733 SMP_TRACE_DEBUG ("%s", __FUNCTION__); 734 memcpy(p_cb->confirm, p->param_buf, BT_OCTET16_LEN); 735 736 #if (SMP_DEBUG == TRUE) 737 SMP_TRACE_DEBUG("Confirm Generated"); 738 smp_debug_print_nbyte_little_endian ((UINT8 *)p_cb->confirm, (const UINT8 *)"Confirm", 16); 739 #endif 740 741 key.key_type = SMP_KEY_TYPE_CFM; 742 key.p_data = p->param_buf; 743 smp_sm_event(p_cb, SMP_KEY_READY_EVT, &key); 744 } 745 746 /******************************************************************************* 747 ** 748 ** Function smp_process_compare 749 ** 750 ** Description This function is called when Compare is generated using the 751 ** RRand and local BDA, TK information. 752 ** 753 ** Returns void 754 ** 755 *******************************************************************************/ 756 static void smp_process_compare(tSMP_CB *p_cb, tSMP_ENC *p) 757 { 758 tSMP_KEY key; 759 760 SMP_TRACE_DEBUG ("smp_process_compare "); 761 #if (SMP_DEBUG == TRUE) 762 SMP_TRACE_DEBUG("Compare Generated"); 763 smp_debug_print_nbyte_little_endian (p->param_buf, (const UINT8 *)"Compare", 16); 764 #endif 765 key.key_type = SMP_KEY_TYPE_CMP; 766 key.p_data = p->param_buf; 767 768 smp_sm_event(p_cb, SMP_KEY_READY_EVT, &key); 769 } 770 771 /******************************************************************************* 772 ** 773 ** Function smp_process_stk 774 ** 775 ** Description This function is called when STK is generated 776 ** proceed to send the encrypt the link using STK. 777 ** 778 ** Returns void 779 ** 780 *******************************************************************************/ 781 static void smp_process_stk(tSMP_CB *p_cb, tSMP_ENC *p) 782 { 783 tSMP_KEY key; 784 785 SMP_TRACE_DEBUG ("smp_process_stk "); 786 #if (SMP_DEBUG == TRUE) 787 SMP_TRACE_ERROR("STK Generated"); 788 #endif 789 smp_mask_enc_key(p_cb->loc_enc_size, p->param_buf); 790 791 key.key_type = SMP_KEY_TYPE_STK; 792 key.p_data = p->param_buf; 793 794 smp_sm_event(p_cb, SMP_KEY_READY_EVT, &key); 795 } 796 797 /******************************************************************************* 798 ** 799 ** Function smp_generate_ltk_cont 800 ** 801 ** Description This function is to calculate LTK = d1(ER, DIV, 0)= e(ER, DIV) 802 ** 803 ** Returns void 804 ** 805 *******************************************************************************/ 806 static void smp_generate_ltk_cont(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) 807 { 808 UNUSED(p_data); 809 810 BT_OCTET16 er; 811 tSMP_ENC output; 812 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN; 813 814 SMP_TRACE_DEBUG ("%s", __func__); 815 BTM_GetDeviceEncRoot(er); 816 817 /* LTK = d1(ER, DIV, 0)= e(ER, DIV)*/ 818 if (!SMP_Encrypt(er, BT_OCTET16_LEN, (UINT8 *)&p_cb->div, 819 sizeof(UINT16), &output)) 820 { 821 SMP_TRACE_ERROR("%s failed", __func__); 822 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &status); 823 } 824 else 825 { 826 /* mask the LTK */ 827 smp_mask_enc_key(p_cb->loc_enc_size, output.param_buf); 828 memcpy((void *)p_cb->ltk, output.param_buf, BT_OCTET16_LEN); 829 smp_generate_rand_vector(p_cb, NULL); 830 } 831 } 832 833 /******************************************************************************* 834 ** 835 ** Function smp_generate_y 836 ** 837 ** Description This function is to proceed generate Y = E(DHK, Rand) 838 ** 839 ** Returns void 840 ** 841 *******************************************************************************/ 842 static void smp_generate_y(tSMP_CB *p_cb, tSMP_INT_DATA *p) 843 { 844 UNUSED(p); 845 846 BT_OCTET16 dhk; 847 tSMP_ENC output; 848 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN; 849 850 851 SMP_TRACE_DEBUG ("smp_generate_y "); 852 BTM_GetDeviceDHK(dhk); 853 854 if (!SMP_Encrypt(dhk, BT_OCTET16_LEN, p_cb->enc_rand, 855 BT_OCTET8_LEN, &output)) 856 { 857 SMP_TRACE_ERROR("smp_generate_y failed"); 858 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &status); 859 } 860 else 861 { 862 smp_process_ediv(p_cb, &output); 863 } 864 } 865 866 /******************************************************************************* 867 ** 868 ** Function smp_generate_rand_vector 869 ** 870 ** Description This function is called when LTK is generated, send state machine 871 ** event to SMP. 872 ** 873 ** Returns void 874 ** 875 *******************************************************************************/ 876 static void smp_generate_rand_vector (tSMP_CB *p_cb, tSMP_INT_DATA *p) 877 { 878 UNUSED(p); 879 880 /* generate EDIV and rand now */ 881 /* generate random vector */ 882 SMP_TRACE_DEBUG ("smp_generate_rand_vector "); 883 p_cb->rand_enc_proc_state = SMP_GEN_RAND_V; 884 if (!btsnd_hcic_ble_rand((void *)smp_rand_back)) 885 smp_rand_back(NULL); 886 } 887 888 /******************************************************************************* 889 ** 890 ** Function smp_process_ediv 891 ** 892 ** Description This function is to calculate EDIV = Y xor DIV 893 ** 894 ** Returns void 895 ** 896 *******************************************************************************/ 897 static void smp_process_ediv(tSMP_CB *p_cb, tSMP_ENC *p) 898 { 899 tSMP_KEY key; 900 UINT8 *pp= p->param_buf; 901 UINT16 y; 902 903 SMP_TRACE_DEBUG ("smp_process_ediv "); 904 STREAM_TO_UINT16(y, pp); 905 906 /* EDIV = Y xor DIV */ 907 p_cb->ediv = p_cb->div ^ y; 908 /* send LTK ready */ 909 SMP_TRACE_ERROR("LTK ready"); 910 key.key_type = SMP_KEY_TYPE_LTK; 911 key.p_data = p->param_buf; 912 913 smp_sm_event(p_cb, SMP_KEY_READY_EVT, &key); 914 } 915 916 /******************************************************************************* 917 ** 918 ** Function smp_calculate_legacy_short_term_key 919 ** 920 ** Description The function calculates legacy STK. 921 ** 922 ** Returns FALSE if out of resources, TRUE in other cases. 923 ** 924 *******************************************************************************/ 925 BOOLEAN smp_calculate_legacy_short_term_key(tSMP_CB *p_cb, tSMP_ENC *output) 926 { 927 BT_OCTET16 ptext; 928 UINT8 *p = ptext; 929 930 SMP_TRACE_DEBUG ("%s", __func__); 931 memset(p, 0, BT_OCTET16_LEN); 932 if (p_cb->role == HCI_ROLE_MASTER) 933 { 934 memcpy(p, p_cb->rand, BT_OCTET8_LEN); 935 memcpy(&p[BT_OCTET8_LEN], p_cb->rrand, BT_OCTET8_LEN); 936 } 937 else 938 { 939 memcpy(p, p_cb->rrand, BT_OCTET8_LEN); 940 memcpy(&p[BT_OCTET8_LEN], p_cb->rand, BT_OCTET8_LEN); 941 } 942 943 BOOLEAN encrypted; 944 /* generate STK = Etk(rand|rrand)*/ 945 encrypted = SMP_Encrypt( p_cb->tk, BT_OCTET16_LEN, ptext, BT_OCTET16_LEN, output); 946 if (!encrypted) 947 { 948 SMP_TRACE_ERROR("%s failed", __func__); 949 } 950 return encrypted; 951 } 952 953 /******************************************************************************* 954 ** 955 ** Function smp_create_private_key 956 ** 957 ** Description This function is called to create private key used to 958 ** calculate public key and DHKey. 959 ** The function starts private key creation requesting controller 960 ** to generate [0-7] octets of private key. 961 ** 962 ** Returns void 963 ** 964 *******************************************************************************/ 965 void smp_create_private_key(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) 966 { 967 SMP_TRACE_DEBUG ("%s",__FUNCTION__); 968 p_cb->rand_enc_proc_state = SMP_GENERATE_PRIVATE_KEY_0_7; 969 if (!btsnd_hcic_ble_rand((void *)smp_rand_back)) 970 smp_rand_back(NULL); 971 } 972 973 /******************************************************************************* 974 ** 975 ** Function smp_use_oob_private_key 976 ** 977 ** Description This function is called 978 ** - to save the secret key used to calculate the public key used 979 ** in calculations of commitment sent OOB to a peer 980 ** - to use this secret key to recalculate the public key and 981 ** start the process of sending this public key to the peer 982 ** if secret/public keys have to be reused. 983 ** If the keys aren't supposed to be reused, continue from the 984 ** point from which request for OOB data was issued. 985 ** 986 ** Returns void 987 ** 988 *******************************************************************************/ 989 void smp_use_oob_private_key(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) 990 { 991 SMP_TRACE_DEBUG ("%s req_oob_type: %d, role: %d", 992 __func__, p_cb->req_oob_type, p_cb->role); 993 994 switch (p_cb->req_oob_type) 995 { 996 case SMP_OOB_BOTH: 997 case SMP_OOB_LOCAL: 998 SMP_TRACE_DEBUG("%s restore secret key", __func__) 999 memcpy(p_cb->private_key, p_cb->sc_oob_data.loc_oob_data.private_key_used, BT_OCTET32_LEN); 1000 smp_process_private_key(p_cb); 1001 break; 1002 default: 1003 SMP_TRACE_DEBUG("%s create secret key anew", __func__); 1004 smp_set_state(SMP_STATE_PAIR_REQ_RSP); 1005 smp_decide_association_model(p_cb, NULL); 1006 break; 1007 } 1008 } 1009 1010 /******************************************************************************* 1011 ** 1012 ** Function smp_continue_private_key_creation 1013 ** 1014 ** Description This function is used to continue private key creation. 1015 ** 1016 ** Returns void 1017 ** 1018 *******************************************************************************/ 1019 void smp_continue_private_key_creation (tSMP_CB *p_cb, tBTM_RAND_ENC *p) 1020 { 1021 UINT8 state = p_cb->rand_enc_proc_state & ~0x80; 1022 SMP_TRACE_DEBUG ("%s state=0x%x", __func__, state); 1023 1024 switch (state) 1025 { 1026 case SMP_GENERATE_PRIVATE_KEY_0_7: 1027 memcpy((void *)p_cb->private_key, p->param_buf, p->param_len); 1028 p_cb->rand_enc_proc_state = SMP_GENERATE_PRIVATE_KEY_8_15; 1029 if (!btsnd_hcic_ble_rand((void *)smp_rand_back)) 1030 smp_rand_back(NULL); 1031 break; 1032 1033 case SMP_GENERATE_PRIVATE_KEY_8_15: 1034 memcpy((void *)&p_cb->private_key[8], p->param_buf, p->param_len); 1035 p_cb->rand_enc_proc_state = SMP_GENERATE_PRIVATE_KEY_16_23; 1036 if (!btsnd_hcic_ble_rand((void *)smp_rand_back)) 1037 smp_rand_back(NULL); 1038 break; 1039 1040 case SMP_GENERATE_PRIVATE_KEY_16_23: 1041 memcpy((void *)&p_cb->private_key[16], p->param_buf, p->param_len); 1042 p_cb->rand_enc_proc_state = SMP_GENERATE_PRIVATE_KEY_24_31; 1043 if (!btsnd_hcic_ble_rand((void *)smp_rand_back)) 1044 smp_rand_back(NULL); 1045 break; 1046 1047 case SMP_GENERATE_PRIVATE_KEY_24_31: 1048 memcpy((void *)&p_cb->private_key[24], p->param_buf, p->param_len); 1049 smp_process_private_key (p_cb); 1050 break; 1051 1052 default: 1053 break; 1054 } 1055 1056 return; 1057 } 1058 1059 /******************************************************************************* 1060 ** 1061 ** Function smp_process_private_key 1062 ** 1063 ** Description This function processes private key. 1064 ** It calculates public key and notifies SM that private key / 1065 ** public key pair is created. 1066 ** 1067 ** Returns void 1068 ** 1069 *******************************************************************************/ 1070 void smp_process_private_key(tSMP_CB *p_cb) 1071 { 1072 Point public_key; 1073 BT_OCTET32 private_key; 1074 1075 SMP_TRACE_DEBUG ("%s", __FUNCTION__); 1076 1077 memcpy(private_key, p_cb->private_key, BT_OCTET32_LEN); 1078 ECC_PointMult(&public_key, &(curve_p256.G), (DWORD*) private_key, KEY_LENGTH_DWORDS_P256); 1079 memcpy(p_cb->loc_publ_key.x, public_key.x, BT_OCTET32_LEN); 1080 memcpy(p_cb->loc_publ_key.y, public_key.y, BT_OCTET32_LEN); 1081 1082 smp_debug_print_nbyte_little_endian (p_cb->private_key, (const UINT8 *)"private", 1083 BT_OCTET32_LEN); 1084 smp_debug_print_nbyte_little_endian (p_cb->loc_publ_key.x, (const UINT8 *)"local public(x)", 1085 BT_OCTET32_LEN); 1086 smp_debug_print_nbyte_little_endian (p_cb->loc_publ_key.y, (const UINT8 *)"local public(y)", 1087 BT_OCTET32_LEN); 1088 p_cb->flags |= SMP_PAIR_FLAG_HAVE_LOCAL_PUBL_KEY; 1089 smp_sm_event(p_cb, SMP_LOC_PUBL_KEY_CRTD_EVT, NULL); 1090 } 1091 1092 /******************************************************************************* 1093 ** 1094 ** Function smp_compute_dhkey 1095 ** 1096 ** Description The function: 1097 ** - calculates a new public key using as input local private 1098 ** key and peer public key; 1099 ** - saves the new public key x-coordinate as DHKey. 1100 ** 1101 ** Returns void 1102 ** 1103 *******************************************************************************/ 1104 void smp_compute_dhkey (tSMP_CB *p_cb) 1105 { 1106 Point peer_publ_key, new_publ_key; 1107 BT_OCTET32 private_key; 1108 1109 SMP_TRACE_DEBUG ("%s", __FUNCTION__); 1110 1111 memcpy(private_key, p_cb->private_key, BT_OCTET32_LEN); 1112 memcpy(peer_publ_key.x, p_cb->peer_publ_key.x, BT_OCTET32_LEN); 1113 memcpy(peer_publ_key.y, p_cb->peer_publ_key.y, BT_OCTET32_LEN); 1114 1115 ECC_PointMult(&new_publ_key, &peer_publ_key, (DWORD*) private_key, KEY_LENGTH_DWORDS_P256); 1116 1117 memcpy(p_cb->dhkey, new_publ_key.x, BT_OCTET32_LEN); 1118 1119 smp_debug_print_nbyte_little_endian (p_cb->dhkey, (const UINT8 *)"Old DHKey", 1120 BT_OCTET32_LEN); 1121 1122 smp_debug_print_nbyte_little_endian (p_cb->private_key, (const UINT8 *)"private", 1123 BT_OCTET32_LEN); 1124 smp_debug_print_nbyte_little_endian (p_cb->peer_publ_key.x, (const UINT8 *)"rem public(x)", 1125 BT_OCTET32_LEN); 1126 smp_debug_print_nbyte_little_endian (p_cb->peer_publ_key.y, (const UINT8 *)"rem public(y)", 1127 BT_OCTET32_LEN); 1128 smp_debug_print_nbyte_little_endian (p_cb->dhkey, (const UINT8 *)"Reverted DHKey", 1129 BT_OCTET32_LEN); 1130 } 1131 1132 /******************************************************************************* 1133 ** 1134 ** Function smp_calculate_local_commitment 1135 ** 1136 ** Description The function calculates and saves local commmitment in CB. 1137 ** 1138 ** Returns void 1139 ** 1140 *******************************************************************************/ 1141 void smp_calculate_local_commitment(tSMP_CB *p_cb) 1142 { 1143 UINT8 random_input; 1144 1145 SMP_TRACE_DEBUG("%s", __FUNCTION__); 1146 1147 switch (p_cb->selected_association_model) 1148 { 1149 case SMP_MODEL_SEC_CONN_JUSTWORKS: 1150 case SMP_MODEL_SEC_CONN_NUM_COMP: 1151 if (p_cb->role == HCI_ROLE_MASTER) 1152 SMP_TRACE_WARNING ("local commitment calc on master is not expected \ 1153 for Just Works/Numeric Comparison models"); 1154 smp_calculate_f4(p_cb->loc_publ_key.x, p_cb->peer_publ_key.x, p_cb->rand, 0, 1155 p_cb->commitment); 1156 break; 1157 case SMP_MODEL_SEC_CONN_PASSKEY_ENT: 1158 case SMP_MODEL_SEC_CONN_PASSKEY_DISP: 1159 random_input = smp_calculate_random_input(p_cb->local_random, p_cb->round); 1160 smp_calculate_f4(p_cb->loc_publ_key.x, p_cb->peer_publ_key.x, p_cb->rand, 1161 random_input, p_cb->commitment); 1162 break; 1163 case SMP_MODEL_SEC_CONN_OOB: 1164 SMP_TRACE_WARNING ("local commitment calc is expected for OOB model BEFORE pairing"); 1165 smp_calculate_f4(p_cb->loc_publ_key.x, p_cb->loc_publ_key.x, p_cb->local_random, 0, 1166 p_cb->commitment); 1167 break; 1168 default: 1169 SMP_TRACE_ERROR("Association Model = %d is not used in LE SC", 1170 p_cb->selected_association_model); 1171 return; 1172 } 1173 1174 SMP_TRACE_EVENT ("local commitment calculation is completed"); 1175 } 1176 1177 /******************************************************************************* 1178 ** 1179 ** Function smp_calculate_peer_commitment 1180 ** 1181 ** Description The function calculates and saves peer commmitment at the 1182 ** provided output buffer. 1183 ** 1184 ** Returns void 1185 ** 1186 *******************************************************************************/ 1187 void smp_calculate_peer_commitment(tSMP_CB *p_cb, BT_OCTET16 output_buf) 1188 { 1189 UINT8 ri; 1190 1191 SMP_TRACE_DEBUG ("%s", __FUNCTION__); 1192 1193 switch (p_cb->selected_association_model) 1194 { 1195 case SMP_MODEL_SEC_CONN_JUSTWORKS: 1196 case SMP_MODEL_SEC_CONN_NUM_COMP: 1197 if (p_cb->role == HCI_ROLE_SLAVE) 1198 SMP_TRACE_WARNING ("peer commitment calc on slave is not expected \ 1199 for Just Works/Numeric Comparison models"); 1200 smp_calculate_f4(p_cb->peer_publ_key.x, p_cb->loc_publ_key.x, p_cb->rrand, 0, 1201 output_buf); 1202 break; 1203 case SMP_MODEL_SEC_CONN_PASSKEY_ENT: 1204 case SMP_MODEL_SEC_CONN_PASSKEY_DISP: 1205 ri = smp_calculate_random_input(p_cb->peer_random, p_cb->round); 1206 smp_calculate_f4(p_cb->peer_publ_key.x, p_cb->loc_publ_key.x, p_cb->rrand, ri, 1207 output_buf); 1208 break; 1209 case SMP_MODEL_SEC_CONN_OOB: 1210 smp_calculate_f4(p_cb->peer_publ_key.x, p_cb->peer_publ_key.x, p_cb->peer_random, 0, 1211 output_buf); 1212 break; 1213 default: 1214 SMP_TRACE_ERROR("Association Model = %d is not used in LE SC", 1215 p_cb->selected_association_model); 1216 return; 1217 } 1218 1219 SMP_TRACE_EVENT ("peer commitment calculation is completed"); 1220 } 1221 1222 /******************************************************************************* 1223 ** 1224 ** Function smp_calculate_f4 1225 ** 1226 ** Description The function calculates 1227 ** C = f4(U, V, X, Z) = AES-CMAC (U||V||Z) 1228 ** X 1229 ** where 1230 ** input: U is 256 bit, 1231 ** V is 256 bit, 1232 ** X is 128 bit, 1233 ** Z is 8 bit, 1234 ** output: C is 128 bit. 1235 ** 1236 ** Returns void 1237 ** 1238 ** Note The LSB is the first octet, the MSB is the last octet of 1239 ** the AES-CMAC input/output stream. 1240 ** 1241 *******************************************************************************/ 1242 void smp_calculate_f4(UINT8 *u, UINT8 *v, UINT8 *x, UINT8 z, UINT8 *c) 1243 { 1244 UINT8 msg_len = BT_OCTET32_LEN /* U size */ + BT_OCTET32_LEN /* V size */ + 1 /* Z size */; 1245 UINT8 msg[BT_OCTET32_LEN + BT_OCTET32_LEN + 1]; 1246 UINT8 key[BT_OCTET16_LEN]; 1247 UINT8 cmac[BT_OCTET16_LEN]; 1248 UINT8 *p = NULL; 1249 #if SMP_DEBUG == TRUE 1250 UINT8 *p_prnt = NULL; 1251 #endif 1252 1253 SMP_TRACE_DEBUG ("%s", __FUNCTION__); 1254 1255 #if SMP_DEBUG == TRUE 1256 p_prnt = u; 1257 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"U", BT_OCTET32_LEN); 1258 p_prnt = v; 1259 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"V", BT_OCTET32_LEN); 1260 p_prnt = x; 1261 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"X", BT_OCTET16_LEN); 1262 p_prnt = &z; 1263 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"Z", 1); 1264 #endif 1265 1266 p = msg; 1267 UINT8_TO_STREAM(p, z); 1268 ARRAY_TO_STREAM(p, v, BT_OCTET32_LEN); 1269 ARRAY_TO_STREAM(p, u, BT_OCTET32_LEN); 1270 #if SMP_DEBUG == TRUE 1271 p_prnt = msg; 1272 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"M", msg_len); 1273 #endif 1274 1275 p = key; 1276 ARRAY_TO_STREAM(p, x, BT_OCTET16_LEN); 1277 #if SMP_DEBUG == TRUE 1278 p_prnt = key; 1279 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"K", BT_OCTET16_LEN); 1280 #endif 1281 1282 aes_cipher_msg_auth_code(key, msg, msg_len, BT_OCTET16_LEN, cmac); 1283 #if SMP_DEBUG == TRUE 1284 p_prnt = cmac; 1285 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"AES_CMAC", BT_OCTET16_LEN); 1286 #endif 1287 1288 p = c; 1289 ARRAY_TO_STREAM(p, cmac, BT_OCTET16_LEN); 1290 } 1291 1292 /******************************************************************************* 1293 ** 1294 ** Function smp_calculate_numeric_comparison_display_number 1295 ** 1296 ** Description The function calculates and saves number to display in numeric 1297 ** comparison association mode. 1298 ** 1299 ** Returns void 1300 ** 1301 *******************************************************************************/ 1302 void smp_calculate_numeric_comparison_display_number(tSMP_CB *p_cb, 1303 tSMP_INT_DATA *p_data) 1304 { 1305 SMP_TRACE_DEBUG ("%s", __func__); 1306 1307 if (p_cb->role == HCI_ROLE_MASTER) 1308 { 1309 p_cb->number_to_display = 1310 smp_calculate_g2(p_cb->loc_publ_key.x, p_cb->peer_publ_key.x, p_cb->rand, 1311 p_cb->rrand); 1312 } 1313 else 1314 { 1315 p_cb->number_to_display = 1316 smp_calculate_g2(p_cb->peer_publ_key.x, p_cb->loc_publ_key.x, p_cb->rrand, 1317 p_cb->rand); 1318 } 1319 1320 if (p_cb->number_to_display >= (BTM_MAX_PASSKEY_VAL + 1)) 1321 { 1322 UINT8 reason; 1323 reason = p_cb->failure = SMP_PAIR_FAIL_UNKNOWN; 1324 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason); 1325 return; 1326 } 1327 1328 SMP_TRACE_EVENT("Number to display in numeric comparison = %d", p_cb->number_to_display); 1329 p_cb->cb_evt = SMP_NC_REQ_EVT; 1330 smp_sm_event(p_cb, SMP_SC_DSPL_NC_EVT, &p_cb->number_to_display); 1331 return; 1332 } 1333 1334 /******************************************************************************* 1335 ** 1336 ** Function smp_calculate_g2 1337 ** 1338 ** Description The function calculates 1339 ** g2(U, V, X, Y) = AES-CMAC (U||V||Y) mod 2**32 mod 10**6 1340 ** X 1341 ** and 1342 ** Vres = g2(U, V, X, Y) mod 10**6 1343 ** where 1344 ** input: U is 256 bit, 1345 ** V is 256 bit, 1346 ** X is 128 bit, 1347 ** Y is 128 bit, 1348 ** 1349 ** Returns Vres. 1350 ** Expected value has to be in the range [0 - 999999] i.e. [0 - 0xF423F]. 1351 ** Vres = 1000000 means that the calculation fails. 1352 ** 1353 ** Note The LSB is the first octet, the MSB is the last octet of 1354 ** the AES-CMAC input/output stream. 1355 ** 1356 *******************************************************************************/ 1357 UINT32 smp_calculate_g2(UINT8 *u, UINT8 *v, UINT8 *x, UINT8 *y) 1358 { 1359 UINT8 msg_len = BT_OCTET32_LEN /* U size */ + BT_OCTET32_LEN /* V size */ 1360 + BT_OCTET16_LEN /* Y size */; 1361 UINT8 msg[BT_OCTET32_LEN + BT_OCTET32_LEN + BT_OCTET16_LEN]; 1362 UINT8 key[BT_OCTET16_LEN]; 1363 UINT8 cmac[BT_OCTET16_LEN]; 1364 UINT8 *p = NULL; 1365 UINT32 vres; 1366 #if SMP_DEBUG == TRUE 1367 UINT8 *p_prnt = NULL; 1368 #endif 1369 1370 SMP_TRACE_DEBUG ("%s", __FUNCTION__); 1371 1372 p = msg; 1373 ARRAY_TO_STREAM(p, y, BT_OCTET16_LEN); 1374 ARRAY_TO_STREAM(p, v, BT_OCTET32_LEN); 1375 ARRAY_TO_STREAM(p, u, BT_OCTET32_LEN); 1376 #if SMP_DEBUG == TRUE 1377 p_prnt = u; 1378 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"U", BT_OCTET32_LEN); 1379 p_prnt = v; 1380 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"V", BT_OCTET32_LEN); 1381 p_prnt = x; 1382 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"X", BT_OCTET16_LEN); 1383 p_prnt = y; 1384 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"Y", BT_OCTET16_LEN); 1385 #endif 1386 1387 p = key; 1388 ARRAY_TO_STREAM(p, x, BT_OCTET16_LEN); 1389 #if SMP_DEBUG == TRUE 1390 p_prnt = key; 1391 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"K", BT_OCTET16_LEN); 1392 #endif 1393 1394 if(!aes_cipher_msg_auth_code(key, msg, msg_len, BT_OCTET16_LEN, cmac)) 1395 { 1396 SMP_TRACE_ERROR("%s failed",__FUNCTION__); 1397 return (BTM_MAX_PASSKEY_VAL + 1); 1398 } 1399 1400 #if SMP_DEBUG == TRUE 1401 p_prnt = cmac; 1402 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"AES-CMAC", BT_OCTET16_LEN); 1403 #endif 1404 1405 /* vres = cmac mod 2**32 mod 10**6 */ 1406 p = &cmac[0]; 1407 STREAM_TO_UINT32(vres, p); 1408 #if SMP_DEBUG == TRUE 1409 p_prnt = (UINT8 *) &vres; 1410 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"cmac mod 2**32", 4); 1411 #endif 1412 1413 while (vres > BTM_MAX_PASSKEY_VAL) 1414 vres -= (BTM_MAX_PASSKEY_VAL + 1); 1415 #if SMP_DEBUG == TRUE 1416 p_prnt = (UINT8 *) &vres; 1417 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"cmac mod 2**32 mod 10**6", 4); 1418 #endif 1419 1420 SMP_TRACE_ERROR("Value for numeric comparison = %d", vres); 1421 return vres; 1422 } 1423 1424 /******************************************************************************* 1425 ** 1426 ** Function smp_calculate_f5 1427 ** 1428 ** Description The function provides two AES-CMAC that are supposed to be used as 1429 ** - MacKey (MacKey is used in pairing DHKey check calculation); 1430 ** - LTK (LTK is used to ecrypt the link after completion of Phase 2 1431 ** and on reconnection, to derive BR/EDR LK). 1432 ** The function inputs are W, N1, N2, A1, A2. 1433 ** F5 rules: 1434 ** - the value used as key in MacKey/LTK (T) is calculated 1435 ** (function smp_calculate_f5_key(...)); 1436 ** The formula is: 1437 ** T = AES-CMAC (W) 1438 ** salt 1439 ** where salt is internal parameter of smp_calculate_f5_key(...). 1440 ** - MacKey and LTK are calculated as AES-MAC values received with the 1441 ** key T calculated in the previous step and the plaintext message 1442 ** built from the external parameters N1, N2, A1, A2 and the internal 1443 ** parameters counter, keyID, length. 1444 ** The function smp_calculate_f5_mackey_or_long_term_key(...) is used in the 1445 ** calculations. 1446 ** The same formula is used in calculation of MacKey and LTK and the 1447 ** same parameter values except the value of the internal parameter 1448 ** counter: 1449 ** - in MacKey calculations the value is 0; 1450 ** - in LTK calculations the value is 1. 1451 ** MacKey = AES-CMAC (Counter=0||keyID||N1||N2||A1||A2||Length=256) 1452 ** T 1453 ** LTK = AES-CMAC (Counter=1||keyID||N1||N2||A1||A2||Length=256) 1454 ** T 1455 ** The parameters are 1456 ** input: 1457 ** W is 256 bits, 1458 ** N1 is 128 bits, 1459 ** N2 is 128 bits, 1460 ** A1 is 56 bit, 1461 ** A2 is 56 bit. 1462 ** internal: 1463 ** Counter is 8 bits, its value is 0 for MacKey, 1464 ** 1 for LTK; 1465 ** KeyId is 32 bits, its value is 1466 ** 0x62746c65 (MSB~LSB); 1467 ** Length is 16 bits, its value is 0x0100 1468 ** (MSB~LSB). 1469 ** output: 1470 ** MacKey is 128 bits; 1471 ** LTK is 128 bits 1472 ** 1473 ** Returns FALSE if out of resources, TRUE in other cases. 1474 ** 1475 ** Note The LSB is the first octet, the MSB is the last octet of 1476 ** the AES-CMAC input/output stream. 1477 ** 1478 *******************************************************************************/ 1479 BOOLEAN smp_calculate_f5(UINT8 *w, UINT8 *n1, UINT8 *n2, UINT8 *a1, UINT8 *a2, 1480 UINT8 *mac_key, UINT8 *ltk) 1481 { 1482 BT_OCTET16 t; /* AES-CMAC output in smp_calculate_f5_key(...), key in */ 1483 /* smp_calculate_f5_mackey_or_long_term_key(...) */ 1484 #if SMP_DEBUG == TRUE 1485 UINT8 *p_prnt = NULL; 1486 #endif 1487 /* internal parameters: */ 1488 1489 /* 1490 counter is 0 for MacKey, 1491 is 1 for LTK 1492 */ 1493 UINT8 counter_mac_key[1] = {0}; 1494 UINT8 counter_ltk[1] = {1}; 1495 /* 1496 keyID 62746c65 1497 */ 1498 UINT8 key_id[4] = {0x65, 0x6c, 0x74, 0x62}; 1499 /* 1500 length 0100 1501 */ 1502 UINT8 length[2] = {0x00, 0x01}; 1503 1504 SMP_TRACE_DEBUG ("%s", __FUNCTION__); 1505 #if SMP_DEBUG == TRUE 1506 p_prnt = w; 1507 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"W", BT_OCTET32_LEN); 1508 p_prnt = n1; 1509 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"N1", BT_OCTET16_LEN); 1510 p_prnt = n2; 1511 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"N2", BT_OCTET16_LEN); 1512 p_prnt = a1; 1513 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"A1", 7); 1514 p_prnt = a2; 1515 smp_debug_print_nbyte_little_endian (p_prnt,(const UINT8 *) "A2", 7); 1516 #endif 1517 1518 if (!smp_calculate_f5_key(w, t)) 1519 { 1520 SMP_TRACE_ERROR("%s failed to calc T",__FUNCTION__); 1521 return FALSE; 1522 } 1523 #if SMP_DEBUG == TRUE 1524 p_prnt = t; 1525 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"T", BT_OCTET16_LEN); 1526 #endif 1527 1528 if (!smp_calculate_f5_mackey_or_long_term_key(t, counter_mac_key, key_id, n1, n2, a1, a2, 1529 length, mac_key)) 1530 { 1531 SMP_TRACE_ERROR("%s failed to calc MacKey", __FUNCTION__); 1532 return FALSE; 1533 } 1534 #if SMP_DEBUG == TRUE 1535 p_prnt = mac_key; 1536 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"MacKey", BT_OCTET16_LEN); 1537 #endif 1538 1539 if (!smp_calculate_f5_mackey_or_long_term_key(t, counter_ltk, key_id, n1, n2, a1, a2, 1540 length, ltk)) 1541 { 1542 SMP_TRACE_ERROR("%s failed to calc LTK",__FUNCTION__); 1543 return FALSE; 1544 } 1545 #if SMP_DEBUG == TRUE 1546 p_prnt = ltk; 1547 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"LTK", BT_OCTET16_LEN); 1548 #endif 1549 1550 return TRUE; 1551 } 1552 1553 /******************************************************************************* 1554 ** 1555 ** Function smp_calculate_f5_mackey_or_long_term_key 1556 ** 1557 ** Description The function calculates the value of MacKey or LTK by the rules 1558 ** defined for f5 function. 1559 ** At the moment exactly the same formula is used to calculate 1560 ** LTK and MacKey. 1561 ** The difference is the value of input parameter Counter: 1562 ** - in MacKey calculations the value is 0; 1563 ** - in LTK calculations the value is 1. 1564 ** The formula: 1565 ** mac = AES-CMAC (Counter||keyID||N1||N2||A1||A2||Length) 1566 ** T 1567 ** where 1568 ** input: T is 256 bits; 1569 ** Counter is 8 bits, its value is 0 for MacKey, 1570 ** 1 for LTK; 1571 ** keyID is 32 bits, its value is 0x62746c65; 1572 ** N1 is 128 bits; 1573 ** N2 is 128 bits; 1574 ** A1 is 56 bits; 1575 ** A2 is 56 bits; 1576 ** Length is 16 bits, its value is 0x0100 1577 ** output: LTK is 128 bit. 1578 ** 1579 ** Returns FALSE if out of resources, TRUE in other cases. 1580 ** 1581 ** Note The LSB is the first octet, the MSB is the last octet of 1582 ** the AES-CMAC input/output stream. 1583 ** 1584 *******************************************************************************/ 1585 BOOLEAN smp_calculate_f5_mackey_or_long_term_key(UINT8 *t, UINT8 *counter, 1586 UINT8 *key_id, UINT8 *n1, UINT8 *n2, UINT8 *a1, UINT8 *a2, 1587 UINT8 *length, UINT8 *mac) 1588 { 1589 UINT8 *p = NULL; 1590 UINT8 cmac[BT_OCTET16_LEN]; 1591 UINT8 key[BT_OCTET16_LEN]; 1592 UINT8 msg_len = 1 /* Counter size */ + 4 /* keyID size */ + 1593 BT_OCTET16_LEN /* N1 size */ + BT_OCTET16_LEN /* N2 size */ + 1594 7 /* A1 size*/ + 7 /* A2 size*/ + 2 /* Length size */; 1595 UINT8 msg[1 + 4 + BT_OCTET16_LEN + BT_OCTET16_LEN + 7 + 7 + 2]; 1596 BOOLEAN ret = TRUE; 1597 #if SMP_DEBUG == TRUE 1598 UINT8 *p_prnt = NULL; 1599 #endif 1600 1601 SMP_TRACE_DEBUG ("%s", __FUNCTION__); 1602 #if SMP_DEBUG == TRUE 1603 p_prnt = t; 1604 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"T", BT_OCTET16_LEN); 1605 p_prnt = counter; 1606 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"Counter", 1); 1607 p_prnt = key_id; 1608 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"KeyID", 4); 1609 p_prnt = n1; 1610 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"N1", BT_OCTET16_LEN); 1611 p_prnt = n2; 1612 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"N2", BT_OCTET16_LEN); 1613 p_prnt = a1; 1614 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"A1", 7); 1615 p_prnt = a2; 1616 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"A2", 7); 1617 p_prnt = length; 1618 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"Length", 2); 1619 #endif 1620 1621 p = key; 1622 ARRAY_TO_STREAM(p, t, BT_OCTET16_LEN); 1623 #if SMP_DEBUG == TRUE 1624 p_prnt = key; 1625 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"K", BT_OCTET16_LEN); 1626 #endif 1627 p = msg; 1628 ARRAY_TO_STREAM(p, length, 2); 1629 ARRAY_TO_STREAM(p, a2, 7); 1630 ARRAY_TO_STREAM(p, a1, 7); 1631 ARRAY_TO_STREAM(p, n2, BT_OCTET16_LEN); 1632 ARRAY_TO_STREAM(p, n1, BT_OCTET16_LEN); 1633 ARRAY_TO_STREAM(p, key_id, 4); 1634 ARRAY_TO_STREAM(p, counter, 1); 1635 #if SMP_DEBUG == TRUE 1636 p_prnt = msg; 1637 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"M", msg_len); 1638 #endif 1639 1640 if (!aes_cipher_msg_auth_code(key, msg, msg_len, BT_OCTET16_LEN, cmac)) 1641 { 1642 SMP_TRACE_ERROR("%s failed", __FUNCTION__); 1643 ret = FALSE; 1644 } 1645 1646 #if SMP_DEBUG == TRUE 1647 p_prnt = cmac; 1648 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"AES-CMAC", BT_OCTET16_LEN); 1649 #endif 1650 1651 p = mac; 1652 ARRAY_TO_STREAM(p, cmac, BT_OCTET16_LEN); 1653 return ret; 1654 } 1655 1656 /******************************************************************************* 1657 ** 1658 ** Function smp_calculate_f5_key 1659 ** 1660 ** Description The function calculates key T used in calculation of 1661 ** MacKey and LTK (f5 output is defined as MacKey || LTK). 1662 ** T = AES-CMAC (W) 1663 ** salt 1664 ** where 1665 ** Internal: salt is 128 bit. 1666 ** input: W is 256 bit. 1667 ** Output: T is 128 bit. 1668 ** 1669 ** Returns FALSE if out of resources, TRUE in other cases. 1670 ** 1671 ** Note The LSB is the first octet, the MSB is the last octet of 1672 ** the AES-CMAC input/output stream. 1673 ** 1674 *******************************************************************************/ 1675 BOOLEAN smp_calculate_f5_key(UINT8 *w, UINT8 *t) 1676 { 1677 UINT8 *p = NULL; 1678 /* Please see 2.2.7 LE Secure Connections Key Generation Function f5 */ 1679 /* 1680 salt: 6C88 8391 AAF5 A538 6037 0BDB 5A60 83BE 1681 */ 1682 BT_OCTET16 salt = { 1683 0xBE, 0x83, 0x60, 0x5A, 0xDB, 0x0B, 0x37, 0x60, 1684 0x38, 0xA5, 0xF5, 0xAA, 0x91, 0x83, 0x88, 0x6C 1685 }; 1686 #if SMP_DEBUG == TRUE 1687 UINT8 *p_prnt = NULL; 1688 #endif 1689 1690 SMP_TRACE_DEBUG ("%s", __FUNCTION__); 1691 #if SMP_DEBUG == TRUE 1692 p_prnt = salt; 1693 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"salt", BT_OCTET16_LEN); 1694 p_prnt = w; 1695 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"W", BT_OCTET32_LEN); 1696 #endif 1697 1698 BT_OCTET16 key; 1699 BT_OCTET32 msg; 1700 1701 p = key; 1702 ARRAY_TO_STREAM(p, salt, BT_OCTET16_LEN); 1703 p = msg; 1704 ARRAY_TO_STREAM(p, w, BT_OCTET32_LEN); 1705 #if SMP_DEBUG == TRUE 1706 p_prnt = key; 1707 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"K", BT_OCTET16_LEN); 1708 p_prnt = msg; 1709 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"M", BT_OCTET32_LEN); 1710 #endif 1711 1712 BT_OCTET16 cmac; 1713 BOOLEAN ret = TRUE; 1714 if (!aes_cipher_msg_auth_code(key, msg, BT_OCTET32_LEN, BT_OCTET16_LEN, cmac)) 1715 { 1716 SMP_TRACE_ERROR("%s failed", __FUNCTION__); 1717 ret = FALSE; 1718 } 1719 1720 #if SMP_DEBUG == TRUE 1721 p_prnt = cmac; 1722 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"AES-CMAC", BT_OCTET16_LEN); 1723 #endif 1724 1725 p = t; 1726 ARRAY_TO_STREAM(p, cmac, BT_OCTET16_LEN); 1727 return ret; 1728 } 1729 1730 /******************************************************************************* 1731 ** 1732 ** Function smp_calculate_local_dhkey_check 1733 ** 1734 ** Description The function calculates and saves local device DHKey check 1735 ** value in CB. 1736 ** Before doing this it calls smp_calculate_f5_mackey_and_long_term_key(...). 1737 ** to calculate MacKey and LTK. 1738 ** MacKey is used in dhkey calculation. 1739 ** 1740 ** Returns void 1741 ** 1742 *******************************************************************************/ 1743 void smp_calculate_local_dhkey_check(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) 1744 { 1745 UINT8 iocap[3], a[7], b[7]; 1746 1747 SMP_TRACE_DEBUG ("%s", __FUNCTION__); 1748 1749 smp_calculate_f5_mackey_and_long_term_key(p_cb); 1750 1751 smp_collect_local_io_capabilities(iocap, p_cb); 1752 1753 smp_collect_local_ble_address(a, p_cb); 1754 smp_collect_peer_ble_address(b, p_cb); 1755 smp_calculate_f6(p_cb->mac_key, p_cb->rand, p_cb->rrand, p_cb->peer_random, iocap, a, b, 1756 p_cb->dhkey_check); 1757 1758 SMP_TRACE_EVENT ("local DHKey check calculation is completed"); 1759 } 1760 1761 /******************************************************************************* 1762 ** 1763 ** Function smp_calculate_peer_dhkey_check 1764 ** 1765 ** Description The function calculates peer device DHKey check value. 1766 ** 1767 ** Returns void 1768 ** 1769 *******************************************************************************/ 1770 void smp_calculate_peer_dhkey_check(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) 1771 { 1772 UINT8 iocap[3], a[7], b[7]; 1773 BT_OCTET16 param_buf; 1774 BOOLEAN ret; 1775 tSMP_KEY key; 1776 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN; 1777 1778 SMP_TRACE_DEBUG ("%s", __FUNCTION__); 1779 1780 smp_collect_peer_io_capabilities(iocap, p_cb); 1781 1782 smp_collect_local_ble_address(a, p_cb); 1783 smp_collect_peer_ble_address(b, p_cb); 1784 ret = smp_calculate_f6(p_cb->mac_key, p_cb->rrand, p_cb->rand, p_cb->local_random, iocap, 1785 b, a, param_buf); 1786 1787 if (ret) 1788 { 1789 SMP_TRACE_EVENT ("peer DHKey check calculation is completed"); 1790 #if (SMP_DEBUG == TRUE) 1791 smp_debug_print_nbyte_little_endian (param_buf, (const UINT8 *)"peer DHKey check", 1792 BT_OCTET16_LEN); 1793 #endif 1794 key.key_type = SMP_KEY_TYPE_PEER_DHK_CHCK; 1795 key.p_data = param_buf; 1796 smp_sm_event(p_cb, SMP_SC_KEY_READY_EVT, &key); 1797 } 1798 else 1799 { 1800 SMP_TRACE_EVENT ("peer DHKey check calculation failed"); 1801 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &status); 1802 } 1803 } 1804 1805 /******************************************************************************* 1806 ** 1807 ** Function smp_calculate_f6 1808 ** 1809 ** Description The function calculates 1810 ** C = f6(W, N1, N2, R, IOcap, A1, A2) = AES-CMAC (N1||N2||R||IOcap||A1||A2) 1811 ** W 1812 ** where 1813 ** input: W is 128 bit, 1814 ** N1 is 128 bit, 1815 ** N2 is 128 bit, 1816 ** R is 128 bit, 1817 ** IOcap is 24 bit, 1818 ** A1 is 56 bit, 1819 ** A2 is 56 bit, 1820 ** output: C is 128 bit. 1821 ** 1822 ** Returns FALSE if out of resources, TRUE in other cases. 1823 ** 1824 ** Note The LSB is the first octet, the MSB is the last octet of 1825 ** the AES-CMAC input/output stream. 1826 ** 1827 *******************************************************************************/ 1828 BOOLEAN smp_calculate_f6(UINT8 *w, UINT8 *n1, UINT8 *n2, UINT8 *r, UINT8 *iocap, UINT8 *a1, 1829 UINT8 *a2, UINT8 *c) 1830 { 1831 UINT8 *p = NULL; 1832 UINT8 msg_len = BT_OCTET16_LEN /* N1 size */ + BT_OCTET16_LEN /* N2 size */ + 1833 BT_OCTET16_LEN /* R size */ + 3 /* IOcap size */ + 7 /* A1 size*/ 1834 + 7 /* A2 size*/; 1835 UINT8 msg[BT_OCTET16_LEN + BT_OCTET16_LEN + BT_OCTET16_LEN + 3 + 7 + 7]; 1836 #if SMP_DEBUG == TRUE 1837 UINT8 *p_print = NULL; 1838 #endif 1839 1840 SMP_TRACE_DEBUG ("%s", __FUNCTION__); 1841 #if SMP_DEBUG == TRUE 1842 p_print = w; 1843 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"W", BT_OCTET16_LEN); 1844 p_print = n1; 1845 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"N1", BT_OCTET16_LEN); 1846 p_print = n2; 1847 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"N2", BT_OCTET16_LEN); 1848 p_print = r; 1849 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"R", BT_OCTET16_LEN); 1850 p_print = iocap; 1851 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"IOcap", 3); 1852 p_print = a1; 1853 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"A1", 7); 1854 p_print = a2; 1855 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"A2", 7); 1856 #endif 1857 1858 UINT8 cmac[BT_OCTET16_LEN]; 1859 UINT8 key[BT_OCTET16_LEN]; 1860 1861 p = key; 1862 ARRAY_TO_STREAM(p, w, BT_OCTET16_LEN); 1863 #if SMP_DEBUG == TRUE 1864 p_print = key; 1865 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"K", BT_OCTET16_LEN); 1866 #endif 1867 1868 p = msg; 1869 ARRAY_TO_STREAM(p, a2, 7); 1870 ARRAY_TO_STREAM(p, a1, 7); 1871 ARRAY_TO_STREAM(p, iocap, 3); 1872 ARRAY_TO_STREAM(p, r, BT_OCTET16_LEN); 1873 ARRAY_TO_STREAM(p, n2, BT_OCTET16_LEN); 1874 ARRAY_TO_STREAM(p, n1, BT_OCTET16_LEN); 1875 #if SMP_DEBUG == TRUE 1876 p_print = msg; 1877 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"M", msg_len); 1878 #endif 1879 1880 BOOLEAN ret = TRUE; 1881 if(!aes_cipher_msg_auth_code(key, msg, msg_len, BT_OCTET16_LEN, cmac)) 1882 { 1883 SMP_TRACE_ERROR("%s failed", __FUNCTION__); 1884 ret = FALSE; 1885 } 1886 1887 #if SMP_DEBUG == TRUE 1888 p_print = cmac; 1889 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"AES-CMAC", BT_OCTET16_LEN); 1890 #endif 1891 1892 p = c; 1893 ARRAY_TO_STREAM(p, cmac, BT_OCTET16_LEN); 1894 return ret; 1895 } 1896 1897 /******************************************************************************* 1898 ** 1899 ** Function smp_calculate_link_key_from_long_term_key 1900 ** 1901 ** Description The function calculates and saves BR/EDR link key derived from 1902 ** LE SC LTK. 1903 ** 1904 ** Returns FALSE if out of resources, TRUE in other cases. 1905 ** 1906 *******************************************************************************/ 1907 BOOLEAN smp_calculate_link_key_from_long_term_key(tSMP_CB *p_cb) 1908 { 1909 tBTM_SEC_DEV_REC *p_dev_rec; 1910 BD_ADDR bda_for_lk; 1911 tBLE_ADDR_TYPE conn_addr_type; 1912 1913 SMP_TRACE_DEBUG ("%s", __func__); 1914 1915 if (p_cb->id_addr_rcvd && p_cb->id_addr_type == BLE_ADDR_PUBLIC) 1916 { 1917 SMP_TRACE_DEBUG ("Use rcvd identity address as BD_ADDR of LK rcvd identity address"); 1918 memcpy(bda_for_lk, p_cb->id_addr, BD_ADDR_LEN); 1919 } 1920 else if ((BTM_ReadRemoteConnectionAddr(p_cb->pairing_bda, bda_for_lk, &conn_addr_type)) && 1921 conn_addr_type == BLE_ADDR_PUBLIC) 1922 { 1923 SMP_TRACE_DEBUG ("Use rcvd connection address as BD_ADDR of LK"); 1924 } 1925 else 1926 { 1927 SMP_TRACE_WARNING ("Don't have peer public address to associate with LK"); 1928 return FALSE; 1929 } 1930 1931 if ((p_dev_rec = btm_find_dev (p_cb->pairing_bda)) == NULL) 1932 { 1933 SMP_TRACE_ERROR("%s failed to find Security Record", __func__); 1934 return FALSE; 1935 } 1936 1937 BT_OCTET16 intermediate_link_key; 1938 BOOLEAN ret = TRUE; 1939 1940 ret = smp_calculate_h6(p_cb->ltk, (UINT8 *)"1pmt" /* reversed "tmp1" */,intermediate_link_key); 1941 if (!ret) 1942 { 1943 SMP_TRACE_ERROR("%s failed to derive intermediate_link_key", __func__); 1944 return ret; 1945 } 1946 1947 BT_OCTET16 link_key; 1948 ret = smp_calculate_h6(intermediate_link_key, (UINT8 *) "rbel" /* reversed "lebr" */, link_key); 1949 if (!ret) 1950 { 1951 SMP_TRACE_ERROR("%s failed", __func__); 1952 } 1953 else 1954 { 1955 UINT8 link_key_type; 1956 if (btm_cb.security_mode == BTM_SEC_MODE_SC) 1957 { 1958 /* Secure Connections Only Mode */ 1959 link_key_type = BTM_LKEY_TYPE_AUTH_COMB_P_256; 1960 } 1961 else if (controller_get_interface()->supports_secure_connections()) 1962 { 1963 /* both transports are SC capable */ 1964 if (p_cb->sec_level == SMP_SEC_AUTHENTICATED) 1965 link_key_type = BTM_LKEY_TYPE_AUTH_COMB_P_256; 1966 else 1967 link_key_type = BTM_LKEY_TYPE_UNAUTH_COMB_P_256; 1968 } 1969 else if (btm_cb.security_mode == BTM_SEC_MODE_SP) 1970 { 1971 /* BR/EDR transport is SSP capable */ 1972 if (p_cb->sec_level == SMP_SEC_AUTHENTICATED) 1973 link_key_type = BTM_LKEY_TYPE_AUTH_COMB; 1974 else 1975 link_key_type = BTM_LKEY_TYPE_UNAUTH_COMB; 1976 } 1977 else 1978 { 1979 SMP_TRACE_ERROR ("%s failed to update link_key. Sec Mode = %d, sm4 = 0x%02x", 1980 __func__, btm_cb.security_mode, p_dev_rec->sm4); 1981 return FALSE; 1982 } 1983 1984 link_key_type += BTM_LTK_DERIVED_LKEY_OFFSET; 1985 1986 UINT8 *p; 1987 BT_OCTET16 notif_link_key; 1988 p = notif_link_key; 1989 ARRAY16_TO_STREAM(p, link_key); 1990 1991 btm_sec_link_key_notification (bda_for_lk, notif_link_key, link_key_type); 1992 1993 SMP_TRACE_EVENT ("%s is completed", __func__); 1994 } 1995 1996 return ret; 1997 } 1998 1999 /******************************************************************************* 2000 ** 2001 ** Function smp_calculate_long_term_key_from_link_key 2002 ** 2003 ** Description The function calculates and saves SC LTK derived from BR/EDR 2004 ** link key. 2005 ** 2006 ** Returns FALSE if out of resources, TRUE in other cases. 2007 ** 2008 *******************************************************************************/ 2009 BOOLEAN smp_calculate_long_term_key_from_link_key(tSMP_CB *p_cb) 2010 { 2011 BOOLEAN ret = TRUE; 2012 tBTM_SEC_DEV_REC *p_dev_rec; 2013 UINT8 rev_link_key[16]; 2014 2015 SMP_TRACE_DEBUG ("%s", __FUNCTION__); 2016 2017 if ((p_dev_rec = btm_find_dev (p_cb->pairing_bda)) == NULL) 2018 { 2019 SMP_TRACE_ERROR("%s failed to find Security Record",__FUNCTION__); 2020 return FALSE; 2021 } 2022 2023 UINT8 br_link_key_type; 2024 if ((br_link_key_type = BTM_SecGetDeviceLinkKeyType (p_cb->pairing_bda)) 2025 == BTM_LKEY_TYPE_IGNORE) 2026 { 2027 SMP_TRACE_ERROR("%s failed to retrieve BR link type",__FUNCTION__); 2028 return FALSE; 2029 } 2030 2031 if ((br_link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256) && 2032 (br_link_key_type != BTM_LKEY_TYPE_UNAUTH_COMB_P_256)) 2033 { 2034 SMP_TRACE_ERROR("%s LE SC LTK can't be derived from LK %d", 2035 __FUNCTION__, br_link_key_type); 2036 return FALSE; 2037 } 2038 2039 UINT8 *p1; 2040 UINT8 *p2; 2041 p1 = rev_link_key; 2042 p2 = p_dev_rec->link_key; 2043 REVERSE_ARRAY_TO_STREAM(p1, p2, 16); 2044 2045 BT_OCTET16 intermediate_long_term_key; 2046 /* "tmp2" obtained from the spec */ 2047 ret = smp_calculate_h6(rev_link_key, (UINT8 *) "2pmt" /* reversed "tmp2" */, 2048 intermediate_long_term_key); 2049 2050 if (!ret) 2051 { 2052 SMP_TRACE_ERROR("%s failed to derive intermediate_long_term_key",__FUNCTION__); 2053 return ret; 2054 } 2055 2056 /* "brle" obtained from the spec */ 2057 ret = smp_calculate_h6(intermediate_long_term_key, (UINT8 *) "elrb" /* reversed "brle" */, 2058 p_cb->ltk); 2059 2060 if (!ret) 2061 { 2062 SMP_TRACE_ERROR("%s failed",__FUNCTION__); 2063 } 2064 else 2065 { 2066 p_cb->sec_level = (br_link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) 2067 ? SMP_SEC_AUTHENTICATED : SMP_SEC_UNAUTHENTICATE; 2068 SMP_TRACE_EVENT ("%s is completed",__FUNCTION__); 2069 } 2070 2071 return ret; 2072 } 2073 2074 /******************************************************************************* 2075 ** 2076 ** Function smp_calculate_h6 2077 ** 2078 ** Description The function calculates 2079 ** C = h6(W, KeyID) = AES-CMAC (KeyID) 2080 ** W 2081 ** where 2082 ** input: W is 128 bit, 2083 ** KeyId is 32 bit, 2084 ** output: C is 128 bit. 2085 ** 2086 ** Returns FALSE if out of resources, TRUE in other cases. 2087 ** 2088 ** Note The LSB is the first octet, the MSB is the last octet of 2089 ** the AES-CMAC input/output stream. 2090 ** 2091 *******************************************************************************/ 2092 BOOLEAN smp_calculate_h6(UINT8 *w, UINT8 *keyid, UINT8 *c) 2093 { 2094 #if SMP_DEBUG == TRUE 2095 UINT8 *p_print = NULL; 2096 #endif 2097 2098 SMP_TRACE_DEBUG ("%s",__FUNCTION__); 2099 #if SMP_DEBUG == TRUE 2100 p_print = w; 2101 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"W", BT_OCTET16_LEN); 2102 p_print = keyid; 2103 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"keyID", 4); 2104 #endif 2105 2106 UINT8 *p = NULL; 2107 UINT8 key[BT_OCTET16_LEN]; 2108 2109 p = key; 2110 ARRAY_TO_STREAM(p, w, BT_OCTET16_LEN); 2111 2112 #if SMP_DEBUG == TRUE 2113 p_print = key; 2114 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"K", BT_OCTET16_LEN); 2115 #endif 2116 2117 UINT8 msg_len = 4 /* KeyID size */; 2118 UINT8 msg[4]; 2119 2120 p = msg; 2121 ARRAY_TO_STREAM(p, keyid, 4); 2122 2123 #if SMP_DEBUG == TRUE 2124 p_print = msg; 2125 smp_debug_print_nbyte_little_endian (p_print,(const UINT8 *) "M", msg_len); 2126 #endif 2127 2128 BOOLEAN ret = TRUE; 2129 UINT8 cmac[BT_OCTET16_LEN]; 2130 if (!aes_cipher_msg_auth_code(key, msg, msg_len, BT_OCTET16_LEN, cmac)) 2131 { 2132 SMP_TRACE_ERROR("%s failed",__FUNCTION__); 2133 ret = FALSE; 2134 } 2135 2136 #if SMP_DEBUG == TRUE 2137 p_print = cmac; 2138 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"AES-CMAC", BT_OCTET16_LEN); 2139 #endif 2140 2141 p = c; 2142 ARRAY_TO_STREAM(p, cmac, BT_OCTET16_LEN); 2143 return ret; 2144 } 2145 2146 /******************************************************************************* 2147 ** 2148 ** Function smp_start_nonce_generation 2149 ** 2150 ** Description This function starts nonce generation. 2151 ** 2152 ** Returns void 2153 ** 2154 *******************************************************************************/ 2155 void smp_start_nonce_generation(tSMP_CB *p_cb) 2156 { 2157 SMP_TRACE_DEBUG("%s", __FUNCTION__); 2158 p_cb->rand_enc_proc_state = SMP_GEN_NONCE_0_7; 2159 if (!btsnd_hcic_ble_rand((void *)smp_rand_back)) 2160 smp_rand_back(NULL); 2161 } 2162 2163 /******************************************************************************* 2164 ** 2165 ** Function smp_finish_nonce_generation 2166 ** 2167 ** Description This function finishes nonce generation. 2168 ** 2169 ** Returns void 2170 ** 2171 *******************************************************************************/ 2172 void smp_finish_nonce_generation(tSMP_CB *p_cb) 2173 { 2174 SMP_TRACE_DEBUG("%s", __FUNCTION__); 2175 p_cb->rand_enc_proc_state = SMP_GEN_NONCE_8_15; 2176 if (!btsnd_hcic_ble_rand((void *)smp_rand_back)) 2177 smp_rand_back(NULL); 2178 } 2179 2180 /******************************************************************************* 2181 ** 2182 ** Function smp_process_new_nonce 2183 ** 2184 ** Description This function notifies SM that it has new nonce. 2185 ** 2186 ** Returns void 2187 ** 2188 *******************************************************************************/ 2189 void smp_process_new_nonce(tSMP_CB *p_cb) 2190 { 2191 SMP_TRACE_DEBUG ("%s round %d", __FUNCTION__, p_cb->round); 2192 smp_sm_event(p_cb, SMP_HAVE_LOC_NONCE_EVT, NULL); 2193 } 2194 2195 /******************************************************************************* 2196 ** 2197 ** Function smp_rand_back 2198 ** 2199 ** Description This function is to process the rand command finished, 2200 ** process the random/encrypted number for further action. 2201 ** 2202 ** Returns void 2203 ** 2204 *******************************************************************************/ 2205 static void smp_rand_back(tBTM_RAND_ENC *p) 2206 { 2207 tSMP_CB *p_cb = &smp_cb; 2208 UINT8 *pp = p->param_buf; 2209 UINT8 failure = SMP_PAIR_FAIL_UNKNOWN; 2210 UINT8 state = p_cb->rand_enc_proc_state & ~0x80; 2211 2212 SMP_TRACE_DEBUG ("%s state=0x%x", __FUNCTION__, state); 2213 if (p && p->status == HCI_SUCCESS) 2214 { 2215 switch (state) 2216 { 2217 case SMP_GEN_SRAND_MRAND: 2218 memcpy((void *)p_cb->rand, p->param_buf, p->param_len); 2219 smp_generate_rand_cont(p_cb, NULL); 2220 break; 2221 2222 case SMP_GEN_SRAND_MRAND_CONT: 2223 memcpy((void *)&p_cb->rand[8], p->param_buf, p->param_len); 2224 smp_generate_confirm(p_cb, NULL); 2225 break; 2226 2227 case SMP_GEN_DIV_LTK: 2228 STREAM_TO_UINT16(p_cb->div, pp); 2229 smp_generate_ltk_cont(p_cb, NULL); 2230 break; 2231 2232 case SMP_GEN_DIV_CSRK: 2233 STREAM_TO_UINT16(p_cb->div, pp); 2234 smp_compute_csrk(p_cb, NULL); 2235 break; 2236 2237 case SMP_GEN_TK: 2238 smp_proc_passkey(p_cb, p); 2239 break; 2240 2241 case SMP_GEN_RAND_V: 2242 memcpy(p_cb->enc_rand, p->param_buf, BT_OCTET8_LEN); 2243 smp_generate_y(p_cb, NULL); 2244 break; 2245 2246 case SMP_GENERATE_PRIVATE_KEY_0_7: 2247 case SMP_GENERATE_PRIVATE_KEY_8_15: 2248 case SMP_GENERATE_PRIVATE_KEY_16_23: 2249 case SMP_GENERATE_PRIVATE_KEY_24_31: 2250 smp_continue_private_key_creation(p_cb, p); 2251 break; 2252 2253 case SMP_GEN_NONCE_0_7: 2254 memcpy((void *)p_cb->rand, p->param_buf, p->param_len); 2255 smp_finish_nonce_generation(p_cb); 2256 break; 2257 2258 case SMP_GEN_NONCE_8_15: 2259 memcpy((void *)&p_cb->rand[8], p->param_buf, p->param_len); 2260 smp_process_new_nonce(p_cb); 2261 break; 2262 } 2263 2264 return; 2265 } 2266 2267 SMP_TRACE_ERROR("%s key generation failed: (%d)", __FUNCTION__, p_cb->rand_enc_proc_state); 2268 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &failure); 2269 } 2270 2271 #endif 2272 2273