1 /****************************************************************************** 2 * 3 * Copyright (C) 1999-2012 Broadcom Corporation 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License"); 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at: 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 * 17 *****************************************************************************/ 18 19 /****************************************************************************** 20 * 21 * This file contains functions for the SMP L2CAP utility functions 22 * 23 ******************************************************************************/ 24 #include "bt_target.h" 25 26 #include <ctype.h> 27 #include <string.h> 28 #include "bt_types.h" 29 #include "bt_utils.h" 30 #include "btm_ble_api.h" 31 #include "btm_int.h" 32 #include "device/include/controller.h" 33 #include "hcidefs.h" 34 #include "l2c_api.h" 35 #include "l2c_int.h" 36 #include "osi/include/osi.h" 37 #include "smp_int.h" 38 39 extern fixed_queue_t* btu_general_alarm_queue; 40 41 #define SMP_PAIRING_REQ_SIZE 7 42 #define SMP_CONFIRM_CMD_SIZE (BT_OCTET16_LEN + 1) 43 #define SMP_RAND_CMD_SIZE (BT_OCTET16_LEN + 1) 44 #define SMP_INIT_CMD_SIZE (BT_OCTET16_LEN + 1) 45 #define SMP_ENC_INFO_SIZE (BT_OCTET16_LEN + 1) 46 #define SMP_MASTER_ID_SIZE (BT_OCTET8_LEN + 2 + 1) 47 #define SMP_ID_INFO_SIZE (BT_OCTET16_LEN + 1) 48 #define SMP_ID_ADDR_SIZE (BD_ADDR_LEN + 1 + 1) 49 #define SMP_SIGN_INFO_SIZE (BT_OCTET16_LEN + 1) 50 #define SMP_PAIR_FAIL_SIZE 2 51 #define SMP_SECURITY_REQUEST_SIZE 2 52 #define SMP_PAIR_PUBL_KEY_SIZE (1 /* opcode */ + (2 * BT_OCTET32_LEN)) 53 #define SMP_PAIR_COMMITM_SIZE (1 /* opcode */ + BT_OCTET16_LEN /*Commitment*/) 54 #define SMP_PAIR_DHKEY_CHECK_SIZE \ 55 (1 /* opcode */ + BT_OCTET16_LEN /*DHKey Check*/) 56 #define SMP_PAIR_KEYPR_NOTIF_SIZE (1 /* opcode */ + 1 /*Notif Type*/) 57 58 /* SMP command sizes per spec */ 59 static const uint8_t smp_cmd_size_per_spec[] = { 60 0, 61 SMP_PAIRING_REQ_SIZE, /* 0x01: pairing request */ 62 SMP_PAIRING_REQ_SIZE, /* 0x02: pairing response */ 63 SMP_CONFIRM_CMD_SIZE, /* 0x03: pairing confirm */ 64 SMP_RAND_CMD_SIZE, /* 0x04: pairing random */ 65 SMP_PAIR_FAIL_SIZE, /* 0x05: pairing failed */ 66 SMP_ENC_INFO_SIZE, /* 0x06: encryption information */ 67 SMP_MASTER_ID_SIZE, /* 0x07: master identification */ 68 SMP_ID_INFO_SIZE, /* 0x08: identity information */ 69 SMP_ID_ADDR_SIZE, /* 0x09: identity address information */ 70 SMP_SIGN_INFO_SIZE, /* 0x0A: signing information */ 71 SMP_SECURITY_REQUEST_SIZE, /* 0x0B: security request */ 72 SMP_PAIR_PUBL_KEY_SIZE, /* 0x0C: pairing public key */ 73 SMP_PAIR_DHKEY_CHECK_SIZE, /* 0x0D: pairing dhkey check */ 74 SMP_PAIR_KEYPR_NOTIF_SIZE, /* 0x0E: pairing keypress notification */ 75 SMP_PAIR_COMMITM_SIZE /* 0x0F: pairing commitment */ 76 }; 77 78 static bool smp_parameter_unconditionally_valid(tSMP_CB* p_cb); 79 static bool smp_parameter_unconditionally_invalid(tSMP_CB* p_cb); 80 81 /* type for SMP command length validation functions */ 82 typedef bool (*tSMP_CMD_LEN_VALID)(tSMP_CB* p_cb); 83 84 static bool smp_command_has_valid_fixed_length(tSMP_CB* p_cb); 85 86 static const tSMP_CMD_LEN_VALID smp_cmd_len_is_valid[] = { 87 smp_parameter_unconditionally_invalid, 88 smp_command_has_valid_fixed_length, /* 0x01: pairing request */ 89 smp_command_has_valid_fixed_length, /* 0x02: pairing response */ 90 smp_command_has_valid_fixed_length, /* 0x03: pairing confirm */ 91 smp_command_has_valid_fixed_length, /* 0x04: pairing random */ 92 smp_command_has_valid_fixed_length, /* 0x05: pairing failed */ 93 smp_command_has_valid_fixed_length, /* 0x06: encryption information */ 94 smp_command_has_valid_fixed_length, /* 0x07: master identification */ 95 smp_command_has_valid_fixed_length, /* 0x08: identity information */ 96 smp_command_has_valid_fixed_length, /* 0x09: identity address information */ 97 smp_command_has_valid_fixed_length, /* 0x0A: signing information */ 98 smp_command_has_valid_fixed_length, /* 0x0B: security request */ 99 smp_command_has_valid_fixed_length, /* 0x0C: pairing public key */ 100 smp_command_has_valid_fixed_length, /* 0x0D: pairing dhkey check */ 101 smp_command_has_valid_fixed_length, /* 0x0E: pairing keypress notification*/ 102 smp_command_has_valid_fixed_length /* 0x0F: pairing commitment */ 103 }; 104 105 /* type for SMP command parameter ranges validation functions */ 106 typedef bool (*tSMP_CMD_PARAM_RANGES_VALID)(tSMP_CB* p_cb); 107 108 static bool smp_pairing_request_response_parameters_are_valid(tSMP_CB* p_cb); 109 static bool smp_pairing_keypress_notification_is_valid(tSMP_CB* p_cb); 110 111 static const tSMP_CMD_PARAM_RANGES_VALID smp_cmd_param_ranges_are_valid[] = { 112 smp_parameter_unconditionally_invalid, 113 smp_pairing_request_response_parameters_are_valid, /* 0x01: pairing 114 request */ 115 smp_pairing_request_response_parameters_are_valid, /* 0x02: pairing 116 response */ 117 smp_parameter_unconditionally_valid, /* 0x03: pairing confirm */ 118 smp_parameter_unconditionally_valid, /* 0x04: pairing random */ 119 smp_parameter_unconditionally_valid, /* 0x05: pairing failed */ 120 smp_parameter_unconditionally_valid, /* 0x06: encryption information */ 121 smp_parameter_unconditionally_valid, /* 0x07: master identification */ 122 smp_parameter_unconditionally_valid, /* 0x08: identity information */ 123 smp_parameter_unconditionally_valid, /* 0x09: identity address 124 information */ 125 smp_parameter_unconditionally_valid, /* 0x0A: signing information */ 126 smp_parameter_unconditionally_valid, /* 0x0B: security request */ 127 smp_parameter_unconditionally_valid, /* 0x0C: pairing public key */ 128 smp_parameter_unconditionally_valid, /* 0x0D: pairing dhkey check */ 129 smp_pairing_keypress_notification_is_valid, /* 0x0E: pairing keypress 130 notification */ 131 smp_parameter_unconditionally_valid /* 0x0F: pairing commitment */ 132 }; 133 134 /* type for action functions */ 135 typedef BT_HDR* (*tSMP_CMD_ACT)(uint8_t cmd_code, tSMP_CB* p_cb); 136 137 static BT_HDR* smp_build_pairing_cmd(uint8_t cmd_code, tSMP_CB* p_cb); 138 static BT_HDR* smp_build_confirm_cmd(UNUSED_ATTR uint8_t cmd_code, 139 tSMP_CB* p_cb); 140 static BT_HDR* smp_build_rand_cmd(UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb); 141 static BT_HDR* smp_build_pairing_fail(UNUSED_ATTR uint8_t cmd_code, 142 tSMP_CB* p_cb); 143 static BT_HDR* smp_build_identity_info_cmd(UNUSED_ATTR uint8_t cmd_code, 144 tSMP_CB* p_cb); 145 static BT_HDR* smp_build_encrypt_info_cmd(UNUSED_ATTR uint8_t cmd_code, 146 tSMP_CB* p_cb); 147 static BT_HDR* smp_build_security_request(UNUSED_ATTR uint8_t cmd_code, 148 tSMP_CB* p_cb); 149 static BT_HDR* smp_build_signing_info_cmd(UNUSED_ATTR uint8_t cmd_code, 150 tSMP_CB* p_cb); 151 static BT_HDR* smp_build_master_id_cmd(UNUSED_ATTR uint8_t cmd_code, 152 tSMP_CB* p_cb); 153 static BT_HDR* smp_build_id_addr_cmd(UNUSED_ATTR uint8_t cmd_code, 154 tSMP_CB* p_cb); 155 static BT_HDR* smp_build_pair_public_key_cmd(UNUSED_ATTR uint8_t cmd_code, 156 tSMP_CB* p_cb); 157 static BT_HDR* smp_build_pairing_commitment_cmd(UNUSED_ATTR uint8_t cmd_code, 158 tSMP_CB* p_cb); 159 static BT_HDR* smp_build_pair_dhkey_check_cmd(UNUSED_ATTR uint8_t cmd_code, 160 tSMP_CB* p_cb); 161 static BT_HDR* smp_build_pairing_keypress_notification_cmd( 162 UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb); 163 164 static const tSMP_CMD_ACT smp_cmd_build_act[] = { 165 NULL, smp_build_pairing_cmd, /* 0x01: pairing request */ 166 smp_build_pairing_cmd, /* 0x02: pairing response */ 167 smp_build_confirm_cmd, /* 0x03: pairing confirm */ 168 smp_build_rand_cmd, /* 0x04: pairing random */ 169 smp_build_pairing_fail, /* 0x05: pairing failure */ 170 smp_build_encrypt_info_cmd, /* 0x06: encryption information */ 171 smp_build_master_id_cmd, /* 0x07: master identification */ 172 smp_build_identity_info_cmd, /* 0x08: identity information */ 173 smp_build_id_addr_cmd, /* 0x09: identity address information */ 174 smp_build_signing_info_cmd, /* 0x0A: signing information */ 175 smp_build_security_request, /* 0x0B: security request */ 176 smp_build_pair_public_key_cmd, /* 0x0C: pairing public key */ 177 smp_build_pair_dhkey_check_cmd, /* 0x0D: pairing DHKey check */ 178 smp_build_pairing_keypress_notification_cmd, /* 0x0E: pairing keypress 179 notification */ 180 smp_build_pairing_commitment_cmd /* 0x0F: pairing commitment */ 181 }; 182 183 static const uint8_t smp_association_table[2][SMP_IO_CAP_MAX][SMP_IO_CAP_MAX] = 184 { 185 /* display only */ /* Display Yes/No */ /* keyboard only */ 186 /* No Input/Output */ /* keyboard display */ 187 188 /* initiator */ 189 /* model = tbl[peer_io_caps][loc_io_caps] */ 190 /* Display Only */ 191 {{SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, 192 SMP_MODEL_PASSKEY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY}, 193 194 /* Display Yes/No */ 195 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, 196 SMP_MODEL_PASSKEY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY}, 197 198 /* Keyboard only */ 199 {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY, 200 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF}, 201 202 /* No Input No Output */ 203 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, 204 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, 205 SMP_MODEL_ENCRYPTION_ONLY}, 206 207 /* keyboard display */ 208 {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY, 209 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF}}, 210 211 /* responder */ 212 /* model = tbl[loc_io_caps][peer_io_caps] */ 213 /* Display Only */ 214 {{SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, 215 SMP_MODEL_KEY_NOTIF, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF}, 216 217 /* Display Yes/No */ 218 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, 219 SMP_MODEL_KEY_NOTIF, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF}, 220 221 /* keyboard only */ 222 {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, 223 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY}, 224 225 /* No Input No Output */ 226 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, 227 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, 228 SMP_MODEL_ENCRYPTION_ONLY}, 229 230 /* keyboard display */ 231 {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_KEY_NOTIF, 232 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY}}}; 233 234 static const uint8_t 235 smp_association_table_sc[2][SMP_IO_CAP_MAX][SMP_IO_CAP_MAX] = { 236 /* display only */ /* Display Yes/No */ /* keyboard only */ 237 /* No InputOutput */ /* keyboard display */ 238 239 /* initiator */ 240 /* model = tbl[peer_io_caps][loc_io_caps] */ 241 242 /* Display Only */ 243 {{SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS, 244 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS, 245 SMP_MODEL_SEC_CONN_PASSKEY_ENT}, 246 247 /* Display Yes/No */ 248 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP, 249 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS, 250 SMP_MODEL_SEC_CONN_NUM_COMP}, 251 252 /* keyboard only */ 253 {SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_PASSKEY_DISP, 254 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS, 255 SMP_MODEL_SEC_CONN_PASSKEY_DISP}, 256 257 /* No Input No Output */ 258 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS, 259 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS, 260 SMP_MODEL_SEC_CONN_JUSTWORKS}, 261 262 /* keyboard display */ 263 {SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_NUM_COMP, 264 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS, 265 SMP_MODEL_SEC_CONN_NUM_COMP}}, 266 267 /* responder */ 268 /* model = tbl[loc_io_caps][peer_io_caps] */ 269 270 /* Display Only */ 271 {{SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS, 272 SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS, 273 SMP_MODEL_SEC_CONN_PASSKEY_DISP}, 274 275 /* Display Yes/No */ 276 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP, 277 SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS, 278 SMP_MODEL_SEC_CONN_NUM_COMP}, 279 280 /* keyboard only */ 281 {SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_PASSKEY_ENT, 282 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS, 283 SMP_MODEL_SEC_CONN_PASSKEY_ENT}, 284 285 /* No Input No Output */ 286 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS, 287 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS, 288 SMP_MODEL_SEC_CONN_JUSTWORKS}, 289 290 /* keyboard display */ 291 {SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_NUM_COMP, 292 SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS, 293 SMP_MODEL_SEC_CONN_NUM_COMP}}}; 294 295 static tSMP_ASSO_MODEL smp_select_legacy_association_model(tSMP_CB* p_cb); 296 static tSMP_ASSO_MODEL smp_select_association_model_secure_connections( 297 tSMP_CB* p_cb); 298 299 /******************************************************************************* 300 * 301 * Function smp_send_msg_to_L2CAP 302 * 303 * Description Send message to L2CAP. 304 * 305 ******************************************************************************/ 306 bool smp_send_msg_to_L2CAP(BD_ADDR rem_bda, BT_HDR* p_toL2CAP) { 307 uint16_t l2cap_ret; 308 uint16_t fixed_cid = L2CAP_SMP_CID; 309 310 if (smp_cb.smp_over_br) { 311 fixed_cid = L2CAP_SMP_BR_CID; 312 } 313 314 SMP_TRACE_EVENT("%s", __func__); 315 smp_cb.total_tx_unacked += 1; 316 317 l2cap_ret = L2CA_SendFixedChnlData(fixed_cid, rem_bda, p_toL2CAP); 318 if (l2cap_ret == L2CAP_DW_FAILED) { 319 smp_cb.total_tx_unacked -= 1; 320 SMP_TRACE_ERROR("SMP failed to pass msg:0x%0x to L2CAP", 321 *((uint8_t*)(p_toL2CAP + 1) + p_toL2CAP->offset)); 322 return false; 323 } else 324 return true; 325 } 326 327 /******************************************************************************* 328 * 329 * Function smp_send_cmd 330 * 331 * Description send a SMP command on L2CAP channel. 332 * 333 ******************************************************************************/ 334 bool smp_send_cmd(uint8_t cmd_code, tSMP_CB* p_cb) { 335 BT_HDR* p_buf; 336 bool sent = false; 337 uint8_t failure = SMP_PAIR_INTERNAL_ERR; 338 SMP_TRACE_EVENT("smp_send_cmd on l2cap cmd_code=0x%x", cmd_code); 339 if (cmd_code <= (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */) && 340 smp_cmd_build_act[cmd_code] != NULL) { 341 p_buf = (*smp_cmd_build_act[cmd_code])(cmd_code, p_cb); 342 343 if (p_buf != NULL && smp_send_msg_to_L2CAP(p_cb->pairing_bda, p_buf)) { 344 sent = true; 345 alarm_set_on_queue(p_cb->smp_rsp_timer_ent, SMP_WAIT_FOR_RSP_TIMEOUT_MS, 346 smp_rsp_timeout, NULL, btu_general_alarm_queue); 347 } 348 } 349 350 if (!sent) { 351 if (p_cb->smp_over_br) { 352 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &failure); 353 } else { 354 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &failure); 355 } 356 } 357 return sent; 358 } 359 360 /******************************************************************************* 361 * 362 * Function smp_rsp_timeout 363 * 364 * Description Called when SMP wait for SMP command response timer expires 365 * 366 * Returns void 367 * 368 ******************************************************************************/ 369 void smp_rsp_timeout(UNUSED_ATTR void* data) { 370 tSMP_CB* p_cb = &smp_cb; 371 uint8_t failure = SMP_RSP_TIMEOUT; 372 373 SMP_TRACE_EVENT("%s state:%d br_state:%d", __func__, p_cb->state, 374 p_cb->br_state); 375 376 if (p_cb->smp_over_br) { 377 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &failure); 378 } else { 379 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &failure); 380 } 381 } 382 383 /******************************************************************************* 384 * 385 * Function smp_delayed_auth_complete_timeout 386 * 387 * Description Called when no pairing failed command received within 388 * timeout period. 389 * 390 * Returns void 391 * 392 ******************************************************************************/ 393 void smp_delayed_auth_complete_timeout(UNUSED_ATTR void* data) { 394 /* 395 * Waited for potential pair failure. Send SMP_AUTH_CMPL_EVT if 396 * the state is still in bond pending. 397 */ 398 if (smp_get_state() == SMP_STATE_BOND_PENDING) { 399 uint8_t reason = SMP_SUCCESS; 400 SMP_TRACE_EVENT("%s sending delayed auth complete.", __func__); 401 smp_sm_event(&smp_cb, SMP_AUTH_CMPL_EVT, &reason); 402 } 403 } 404 405 /******************************************************************************* 406 * 407 * Function smp_build_pairing_req_cmd 408 * 409 * Description Build pairing request command. 410 * 411 ******************************************************************************/ 412 BT_HDR* smp_build_pairing_cmd(uint8_t cmd_code, tSMP_CB* p_cb) { 413 uint8_t* p; 414 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIRING_REQ_SIZE + 415 L2CAP_MIN_OFFSET); 416 417 SMP_TRACE_EVENT("%s", __func__); 418 419 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 420 UINT8_TO_STREAM(p, cmd_code); 421 UINT8_TO_STREAM(p, p_cb->local_io_capability); 422 UINT8_TO_STREAM(p, p_cb->loc_oob_flag); 423 UINT8_TO_STREAM(p, p_cb->loc_auth_req); 424 UINT8_TO_STREAM(p, p_cb->loc_enc_size); 425 UINT8_TO_STREAM(p, p_cb->local_i_key); 426 UINT8_TO_STREAM(p, p_cb->local_r_key); 427 428 p_buf->offset = L2CAP_MIN_OFFSET; 429 /* 1B ERR_RSP op code + 1B cmd_op_code + 2B handle + 1B status */ 430 p_buf->len = SMP_PAIRING_REQ_SIZE; 431 432 return p_buf; 433 } 434 435 /******************************************************************************* 436 * 437 * Function smp_build_confirm_cmd 438 * 439 * Description Build confirm request command. 440 * 441 ******************************************************************************/ 442 static BT_HDR* smp_build_confirm_cmd(UNUSED_ATTR uint8_t cmd_code, 443 tSMP_CB* p_cb) { 444 uint8_t* p; 445 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_CONFIRM_CMD_SIZE + 446 L2CAP_MIN_OFFSET); 447 448 SMP_TRACE_EVENT("%s", __func__); 449 450 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 451 452 UINT8_TO_STREAM(p, SMP_OPCODE_CONFIRM); 453 ARRAY_TO_STREAM(p, p_cb->confirm, BT_OCTET16_LEN); 454 455 p_buf->offset = L2CAP_MIN_OFFSET; 456 p_buf->len = SMP_CONFIRM_CMD_SIZE; 457 458 return p_buf; 459 } 460 461 /******************************************************************************* 462 * 463 * Function smp_build_rand_cmd 464 * 465 * Description Build Random command. 466 * 467 ******************************************************************************/ 468 static BT_HDR* smp_build_rand_cmd(UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb) { 469 uint8_t* p; 470 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_RAND_CMD_SIZE + 471 L2CAP_MIN_OFFSET); 472 473 SMP_TRACE_EVENT("%s", __func__); 474 475 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 476 UINT8_TO_STREAM(p, SMP_OPCODE_RAND); 477 ARRAY_TO_STREAM(p, p_cb->rand, BT_OCTET16_LEN); 478 479 p_buf->offset = L2CAP_MIN_OFFSET; 480 p_buf->len = SMP_RAND_CMD_SIZE; 481 482 return p_buf; 483 } 484 485 /******************************************************************************* 486 * 487 * Function smp_build_encrypt_info_cmd 488 * 489 * Description Build security information command. 490 * 491 ******************************************************************************/ 492 static BT_HDR* smp_build_encrypt_info_cmd(UNUSED_ATTR uint8_t cmd_code, 493 tSMP_CB* p_cb) { 494 uint8_t* p; 495 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ENC_INFO_SIZE + 496 L2CAP_MIN_OFFSET); 497 498 SMP_TRACE_EVENT("%s", __func__); 499 500 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 501 UINT8_TO_STREAM(p, SMP_OPCODE_ENCRYPT_INFO); 502 ARRAY_TO_STREAM(p, p_cb->ltk, BT_OCTET16_LEN); 503 504 p_buf->offset = L2CAP_MIN_OFFSET; 505 p_buf->len = SMP_ENC_INFO_SIZE; 506 507 return p_buf; 508 } 509 510 /******************************************************************************* 511 * 512 * Function smp_build_master_id_cmd 513 * 514 * Description Build security information command. 515 * 516 ******************************************************************************/ 517 static BT_HDR* smp_build_master_id_cmd(UNUSED_ATTR uint8_t cmd_code, 518 tSMP_CB* p_cb) { 519 uint8_t* p; 520 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_MASTER_ID_SIZE + 521 L2CAP_MIN_OFFSET); 522 523 SMP_TRACE_EVENT("%s", __func__); 524 525 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 526 UINT8_TO_STREAM(p, SMP_OPCODE_MASTER_ID); 527 UINT16_TO_STREAM(p, p_cb->ediv); 528 ARRAY_TO_STREAM(p, p_cb->enc_rand, BT_OCTET8_LEN); 529 530 p_buf->offset = L2CAP_MIN_OFFSET; 531 p_buf->len = SMP_MASTER_ID_SIZE; 532 533 return p_buf; 534 } 535 536 /******************************************************************************* 537 * 538 * Function smp_build_identity_info_cmd 539 * 540 * Description Build identity information command. 541 * 542 ******************************************************************************/ 543 static BT_HDR* smp_build_identity_info_cmd(UNUSED_ATTR uint8_t cmd_code, 544 UNUSED_ATTR tSMP_CB* p_cb) { 545 uint8_t* p; 546 BT_OCTET16 irk; 547 BT_HDR* p_buf = 548 (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ID_INFO_SIZE + L2CAP_MIN_OFFSET); 549 550 SMP_TRACE_EVENT("%s", __func__); 551 552 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 553 554 BTM_GetDeviceIDRoot(irk); 555 556 UINT8_TO_STREAM(p, SMP_OPCODE_IDENTITY_INFO); 557 ARRAY_TO_STREAM(p, irk, BT_OCTET16_LEN); 558 559 p_buf->offset = L2CAP_MIN_OFFSET; 560 p_buf->len = SMP_ID_INFO_SIZE; 561 562 return p_buf; 563 } 564 565 /******************************************************************************* 566 * 567 * Function smp_build_id_addr_cmd 568 * 569 * Description Build identity address information command. 570 * 571 ******************************************************************************/ 572 static BT_HDR* smp_build_id_addr_cmd(UNUSED_ATTR uint8_t cmd_code, 573 UNUSED_ATTR tSMP_CB* p_cb) { 574 uint8_t* p; 575 BT_HDR* p_buf = 576 (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ID_ADDR_SIZE + L2CAP_MIN_OFFSET); 577 578 SMP_TRACE_EVENT("%s", __func__); 579 580 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 581 UINT8_TO_STREAM(p, SMP_OPCODE_ID_ADDR); 582 UINT8_TO_STREAM(p, 0); 583 BDADDR_TO_STREAM(p, controller_get_interface()->get_address()->address); 584 585 p_buf->offset = L2CAP_MIN_OFFSET; 586 p_buf->len = SMP_ID_ADDR_SIZE; 587 588 return p_buf; 589 } 590 591 /******************************************************************************* 592 * 593 * Function smp_build_signing_info_cmd 594 * 595 * Description Build signing information command. 596 * 597 ******************************************************************************/ 598 static BT_HDR* smp_build_signing_info_cmd(UNUSED_ATTR uint8_t cmd_code, 599 tSMP_CB* p_cb) { 600 uint8_t* p; 601 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_SIGN_INFO_SIZE + 602 L2CAP_MIN_OFFSET); 603 604 SMP_TRACE_EVENT("%s", __func__); 605 606 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 607 UINT8_TO_STREAM(p, SMP_OPCODE_SIGN_INFO); 608 ARRAY_TO_STREAM(p, p_cb->csrk, BT_OCTET16_LEN); 609 610 p_buf->offset = L2CAP_MIN_OFFSET; 611 p_buf->len = SMP_SIGN_INFO_SIZE; 612 613 return p_buf; 614 } 615 616 /******************************************************************************* 617 * 618 * Function smp_build_pairing_fail 619 * 620 * Description Build Pairing Fail command. 621 * 622 ******************************************************************************/ 623 static BT_HDR* smp_build_pairing_fail(UNUSED_ATTR uint8_t cmd_code, 624 tSMP_CB* p_cb) { 625 uint8_t* p; 626 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_FAIL_SIZE + 627 L2CAP_MIN_OFFSET); 628 629 SMP_TRACE_EVENT("%s", __func__); 630 631 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 632 UINT8_TO_STREAM(p, SMP_OPCODE_PAIRING_FAILED); 633 UINT8_TO_STREAM(p, p_cb->failure); 634 635 p_buf->offset = L2CAP_MIN_OFFSET; 636 p_buf->len = SMP_PAIR_FAIL_SIZE; 637 638 return p_buf; 639 } 640 641 /******************************************************************************* 642 * 643 * Function smp_build_security_request 644 * 645 * Description Build security request command. 646 * 647 ******************************************************************************/ 648 static BT_HDR* smp_build_security_request(UNUSED_ATTR uint8_t cmd_code, 649 tSMP_CB* p_cb) { 650 uint8_t* p; 651 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + 2 + L2CAP_MIN_OFFSET); 652 653 SMP_TRACE_EVENT("%s", __func__); 654 655 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 656 UINT8_TO_STREAM(p, SMP_OPCODE_SEC_REQ); 657 UINT8_TO_STREAM(p, p_cb->loc_auth_req); 658 659 p_buf->offset = L2CAP_MIN_OFFSET; 660 p_buf->len = SMP_SECURITY_REQUEST_SIZE; 661 662 SMP_TRACE_EVENT("opcode=%d auth_req=0x%x", SMP_OPCODE_SEC_REQ, 663 p_cb->loc_auth_req); 664 665 return p_buf; 666 } 667 668 /******************************************************************************* 669 * 670 * Function smp_build_pair_public_key_cmd 671 * 672 * Description Build pairing public key command. 673 * 674 ******************************************************************************/ 675 static BT_HDR* smp_build_pair_public_key_cmd(UNUSED_ATTR uint8_t cmd_code, 676 tSMP_CB* p_cb) { 677 uint8_t* p; 678 uint8_t publ_key[2 * BT_OCTET32_LEN]; 679 uint8_t* p_publ_key = publ_key; 680 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_PUBL_KEY_SIZE + 681 L2CAP_MIN_OFFSET); 682 683 SMP_TRACE_EVENT("%s", __func__); 684 685 memcpy(p_publ_key, p_cb->loc_publ_key.x, BT_OCTET32_LEN); 686 memcpy(p_publ_key + BT_OCTET32_LEN, p_cb->loc_publ_key.y, BT_OCTET32_LEN); 687 688 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 689 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_PUBLIC_KEY); 690 ARRAY_TO_STREAM(p, p_publ_key, 2 * BT_OCTET32_LEN); 691 692 p_buf->offset = L2CAP_MIN_OFFSET; 693 p_buf->len = SMP_PAIR_PUBL_KEY_SIZE; 694 695 return p_buf; 696 } 697 698 /******************************************************************************* 699 * 700 * Function smp_build_pairing_commitment_cmd 701 * 702 * Description Build pairing commitment command. 703 * 704 ******************************************************************************/ 705 static BT_HDR* smp_build_pairing_commitment_cmd(UNUSED_ATTR uint8_t cmd_code, 706 tSMP_CB* p_cb) { 707 uint8_t* p; 708 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_COMMITM_SIZE + 709 L2CAP_MIN_OFFSET); 710 711 SMP_TRACE_EVENT("%s", __func__); 712 713 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 714 UINT8_TO_STREAM(p, SMP_OPCODE_CONFIRM); 715 ARRAY_TO_STREAM(p, p_cb->commitment, BT_OCTET16_LEN); 716 717 p_buf->offset = L2CAP_MIN_OFFSET; 718 p_buf->len = SMP_PAIR_COMMITM_SIZE; 719 720 return p_buf; 721 } 722 723 /******************************************************************************* 724 * 725 * Function smp_build_pair_dhkey_check_cmd 726 * 727 * Description Build pairing DHKey check command. 728 * 729 ******************************************************************************/ 730 static BT_HDR* smp_build_pair_dhkey_check_cmd(UNUSED_ATTR uint8_t cmd_code, 731 tSMP_CB* p_cb) { 732 uint8_t* p; 733 BT_HDR* p_buf = (BT_HDR*)osi_malloc( 734 sizeof(BT_HDR) + SMP_PAIR_DHKEY_CHECK_SIZE + L2CAP_MIN_OFFSET); 735 736 SMP_TRACE_EVENT("%s", __func__); 737 738 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 739 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_DHKEY_CHECK); 740 ARRAY_TO_STREAM(p, p_cb->dhkey_check, BT_OCTET16_LEN); 741 742 p_buf->offset = L2CAP_MIN_OFFSET; 743 p_buf->len = SMP_PAIR_DHKEY_CHECK_SIZE; 744 745 return p_buf; 746 } 747 748 /******************************************************************************* 749 * 750 * Function smp_build_pairing_keypress_notification_cmd 751 * 752 * Description Build keypress notification command. 753 * 754 ******************************************************************************/ 755 static BT_HDR* smp_build_pairing_keypress_notification_cmd( 756 UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb) { 757 uint8_t* p; 758 BT_HDR* p_buf = (BT_HDR*)osi_malloc( 759 sizeof(BT_HDR) + SMP_PAIR_KEYPR_NOTIF_SIZE + L2CAP_MIN_OFFSET); 760 761 SMP_TRACE_EVENT("%s", __func__); 762 763 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 764 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_KEYPR_NOTIF); 765 UINT8_TO_STREAM(p, p_cb->local_keypress_notification); 766 767 p_buf->offset = L2CAP_MIN_OFFSET; 768 p_buf->len = SMP_PAIR_KEYPR_NOTIF_SIZE; 769 770 return p_buf; 771 } 772 773 /******************************************************************************* 774 * 775 * Function smp_convert_string_to_tk 776 * 777 * Description This function is called to convert a 6 to 16 digits numeric 778 * character string into SMP TK. 779 * 780 * 781 * Returns void 782 * 783 ******************************************************************************/ 784 void smp_convert_string_to_tk(BT_OCTET16 tk, uint32_t passkey) { 785 uint8_t* p = tk; 786 tSMP_KEY key; 787 SMP_TRACE_EVENT("smp_convert_string_to_tk"); 788 UINT32_TO_STREAM(p, passkey); 789 790 key.key_type = SMP_KEY_TYPE_TK; 791 key.p_data = tk; 792 793 smp_sm_event(&smp_cb, SMP_KEY_READY_EVT, &key); 794 } 795 796 /******************************************************************************* 797 * 798 * Function smp_mask_enc_key 799 * 800 * Description This function is called to mask off the encryption key based 801 * on the maximum encryption key size. 802 * 803 * 804 * Returns void 805 * 806 ******************************************************************************/ 807 void smp_mask_enc_key(uint8_t loc_enc_size, uint8_t* p_data) { 808 SMP_TRACE_EVENT("smp_mask_enc_key"); 809 if (loc_enc_size < BT_OCTET16_LEN) { 810 for (; loc_enc_size < BT_OCTET16_LEN; loc_enc_size++) 811 *(p_data + loc_enc_size) = 0; 812 } 813 return; 814 } 815 816 /******************************************************************************* 817 * 818 * Function smp_xor_128 819 * 820 * Description utility function to do an biteise exclusive-OR of two bit 821 * strings of the length of BT_OCTET16_LEN. 822 * 823 * Returns void 824 * 825 ******************************************************************************/ 826 void smp_xor_128(BT_OCTET16 a, BT_OCTET16 b) { 827 uint8_t i, *aa = a, *bb = b; 828 829 SMP_TRACE_EVENT("smp_xor_128"); 830 for (i = 0; i < BT_OCTET16_LEN; i++) { 831 aa[i] = aa[i] ^ bb[i]; 832 } 833 } 834 835 /******************************************************************************* 836 * 837 * Function smp_cb_cleanup 838 * 839 * Description Clean up SMP control block 840 * 841 * Returns void 842 * 843 ******************************************************************************/ 844 void smp_cb_cleanup(tSMP_CB* p_cb) { 845 tSMP_CALLBACK* p_callback = p_cb->p_callback; 846 uint8_t trace_level = p_cb->trace_level; 847 alarm_t* smp_rsp_timer_ent = p_cb->smp_rsp_timer_ent; 848 alarm_t* delayed_auth_timer_ent = p_cb->delayed_auth_timer_ent; 849 850 SMP_TRACE_EVENT("smp_cb_cleanup"); 851 852 alarm_cancel(p_cb->smp_rsp_timer_ent); 853 alarm_cancel(p_cb->delayed_auth_timer_ent); 854 memset(p_cb, 0, sizeof(tSMP_CB)); 855 p_cb->p_callback = p_callback; 856 p_cb->trace_level = trace_level; 857 p_cb->smp_rsp_timer_ent = smp_rsp_timer_ent; 858 p_cb->delayed_auth_timer_ent = delayed_auth_timer_ent; 859 } 860 861 /******************************************************************************* 862 * 863 * Function smp_remove_fixed_channel 864 * 865 * Description This function is called to remove the fixed channel 866 * 867 * Returns void 868 * 869 ******************************************************************************/ 870 void smp_remove_fixed_channel(tSMP_CB* p_cb) { 871 SMP_TRACE_DEBUG("%s", __func__); 872 873 if (p_cb->smp_over_br) 874 L2CA_RemoveFixedChnl(L2CAP_SMP_BR_CID, p_cb->pairing_bda); 875 else 876 L2CA_RemoveFixedChnl(L2CAP_SMP_CID, p_cb->pairing_bda); 877 } 878 879 /******************************************************************************* 880 * 881 * Function smp_reset_control_value 882 * 883 * Description This function is called to reset the control block value 884 * when the pairing procedure finished. 885 * 886 * 887 * Returns void 888 * 889 ******************************************************************************/ 890 void smp_reset_control_value(tSMP_CB* p_cb) { 891 SMP_TRACE_EVENT("%s", __func__); 892 893 alarm_cancel(p_cb->smp_rsp_timer_ent); 894 p_cb->flags = 0; 895 /* set the link idle timer to drop the link when pairing is done 896 usually service discovery will follow authentication complete, to avoid 897 racing condition for a link down/up, set link idle timer to be 898 SMP_LINK_TOUT_MIN to guarantee SMP key exchange */ 899 L2CA_SetIdleTimeoutByBdAddr(p_cb->pairing_bda, SMP_LINK_TOUT_MIN, 900 BT_TRANSPORT_LE); 901 902 /* We can tell L2CAP to remove the fixed channel (if it has one) */ 903 smp_remove_fixed_channel(p_cb); 904 smp_cb_cleanup(p_cb); 905 } 906 907 /******************************************************************************* 908 * 909 * Function smp_proc_pairing_cmpl 910 * 911 * Description This function is called to process pairing complete 912 * 913 * 914 * Returns void 915 * 916 ******************************************************************************/ 917 void smp_proc_pairing_cmpl(tSMP_CB* p_cb) { 918 tSMP_EVT_DATA evt_data = {0}; 919 tSMP_CALLBACK* p_callback = p_cb->p_callback; 920 BD_ADDR pairing_bda; 921 922 SMP_TRACE_DEBUG("smp_proc_pairing_cmpl "); 923 924 evt_data.cmplt.reason = p_cb->status; 925 evt_data.cmplt.smp_over_br = p_cb->smp_over_br; 926 927 if (p_cb->status == SMP_SUCCESS) evt_data.cmplt.sec_level = p_cb->sec_level; 928 929 evt_data.cmplt.is_pair_cancel = false; 930 931 if (p_cb->is_pair_cancel) evt_data.cmplt.is_pair_cancel = true; 932 933 SMP_TRACE_DEBUG("send SMP_COMPLT_EVT reason=0x%0x sec_level=0x%0x", 934 evt_data.cmplt.reason, evt_data.cmplt.sec_level); 935 936 memcpy(pairing_bda, p_cb->pairing_bda, BD_ADDR_LEN); 937 938 smp_reset_control_value(p_cb); 939 940 if (p_callback) (*p_callback)(SMP_COMPLT_EVT, pairing_bda, &evt_data); 941 } 942 943 /******************************************************************************* 944 * 945 * Function smp_command_has_invalid_parameters 946 * 947 * Description Checks if the received SMP command has invalid parameters 948 * i.e. if the command length is valid and the command 949 * parameters are inside specified range. 950 * It returns true if the command has invalid parameters. 951 * 952 * Returns true if the command has invalid parameters, false otherwise. 953 * 954 ******************************************************************************/ 955 bool smp_command_has_invalid_parameters(tSMP_CB* p_cb) { 956 uint8_t cmd_code = p_cb->rcvd_cmd_code; 957 958 if ((cmd_code > (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */)) || 959 (cmd_code < SMP_OPCODE_MIN)) { 960 SMP_TRACE_WARNING("%s: Received command with RESERVED code 0x%02x", 961 __func__, cmd_code); 962 return true; 963 } 964 965 if (!(*smp_cmd_len_is_valid[cmd_code])(p_cb)) { 966 SMP_TRACE_WARNING("%s: Command length not valid for cmd_code 0x%02x", 967 __func__, cmd_code); 968 return true; 969 } 970 971 if (!(*smp_cmd_param_ranges_are_valid[cmd_code])(p_cb)) { 972 SMP_TRACE_WARNING("%s: Parameter ranges not valid code 0x%02x", __func__, 973 cmd_code); 974 return true; 975 } 976 977 return false; 978 } 979 980 /******************************************************************************* 981 * 982 * Function smp_command_has_valid_fixed_length 983 * 984 * Description Checks if the received command size is equal to the size 985 * according to specs. 986 * 987 * Returns true if the command size is as expected, false otherwise. 988 * 989 * Note The command is expected to have fixed length. 990 ******************************************************************************/ 991 bool smp_command_has_valid_fixed_length(tSMP_CB* p_cb) { 992 uint8_t cmd_code = p_cb->rcvd_cmd_code; 993 994 SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, cmd_code); 995 996 if (p_cb->rcvd_cmd_len != smp_cmd_size_per_spec[cmd_code]) { 997 SMP_TRACE_WARNING( 998 "Rcvd from the peer cmd 0x%02x with invalid length\ 999 0x%02x (per spec the length is 0x%02x).", 1000 cmd_code, p_cb->rcvd_cmd_len, smp_cmd_size_per_spec[cmd_code]); 1001 return false; 1002 } 1003 1004 return true; 1005 } 1006 1007 /******************************************************************************* 1008 * 1009 * Function smp_pairing_request_response_parameters_are_valid 1010 * 1011 * Description Validates parameter ranges in the received SMP command 1012 * pairing request or pairing response. 1013 * The parameters to validate: 1014 * IO capability, 1015 * OOB data flag, 1016 * Bonding_flags in AuthReq 1017 * Maximum encryption key size. 1018 * Returns false if at least one of these parameters is out of 1019 * range. 1020 * 1021 ******************************************************************************/ 1022 bool smp_pairing_request_response_parameters_are_valid(tSMP_CB* p_cb) { 1023 uint8_t io_caps = p_cb->peer_io_caps; 1024 uint8_t oob_flag = p_cb->peer_oob_flag; 1025 uint8_t bond_flag = 1026 p_cb->peer_auth_req & 0x03; // 0x03 is gen bond with appropriate mask 1027 uint8_t enc_size = p_cb->peer_enc_size; 1028 1029 SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, p_cb->rcvd_cmd_code); 1030 1031 if (io_caps >= BTM_IO_CAP_MAX) { 1032 SMP_TRACE_WARNING( 1033 "Rcvd from the peer cmd 0x%02x with IO Capabilty \ 1034 value (0x%02x) out of range).", 1035 p_cb->rcvd_cmd_code, io_caps); 1036 return false; 1037 } 1038 1039 if (!((oob_flag == SMP_OOB_NONE) || (oob_flag == SMP_OOB_PRESENT))) { 1040 SMP_TRACE_WARNING( 1041 "Rcvd from the peer cmd 0x%02x with OOB data flag value \ 1042 (0x%02x) out of range).", 1043 p_cb->rcvd_cmd_code, oob_flag); 1044 return false; 1045 } 1046 1047 if (!((bond_flag == SMP_AUTH_NO_BOND) || (bond_flag == SMP_AUTH_BOND))) { 1048 SMP_TRACE_WARNING( 1049 "Rcvd from the peer cmd 0x%02x with Bonding_Flags value (0x%02x)\ 1050 out of range).", 1051 p_cb->rcvd_cmd_code, bond_flag); 1052 return false; 1053 } 1054 1055 if ((enc_size < SMP_ENCR_KEY_SIZE_MIN) || 1056 (enc_size > SMP_ENCR_KEY_SIZE_MAX)) { 1057 SMP_TRACE_WARNING( 1058 "Rcvd from the peer cmd 0x%02x with Maximum Encryption \ 1059 Key value (0x%02x) out of range).", 1060 p_cb->rcvd_cmd_code, enc_size); 1061 return false; 1062 } 1063 1064 return true; 1065 } 1066 1067 /******************************************************************************* 1068 * 1069 * Function smp_pairing_keypress_notification_is_valid 1070 * 1071 * Description Validates Notification Type parameter range in the received 1072 * SMP command pairing keypress notification. 1073 * Returns false if this parameter is out of range. 1074 * 1075 ******************************************************************************/ 1076 bool smp_pairing_keypress_notification_is_valid(tSMP_CB* p_cb) { 1077 tBTM_SP_KEY_TYPE keypress_notification = p_cb->peer_keypress_notification; 1078 1079 SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, p_cb->rcvd_cmd_code); 1080 1081 if (keypress_notification >= BTM_SP_KEY_OUT_OF_RANGE) { 1082 SMP_TRACE_WARNING( 1083 "Rcvd from the peer cmd 0x%02x with Pairing Keypress \ 1084 Notification value (0x%02x) out of range).", 1085 p_cb->rcvd_cmd_code, keypress_notification); 1086 return false; 1087 } 1088 1089 return true; 1090 } 1091 1092 /******************************************************************************* 1093 * 1094 * Function smp_parameter_unconditionally_valid 1095 * 1096 * Description Always returns true. 1097 * 1098 ******************************************************************************/ 1099 bool smp_parameter_unconditionally_valid(UNUSED_ATTR tSMP_CB* p_cb) { 1100 return true; 1101 } 1102 1103 /******************************************************************************* 1104 * 1105 * Function smp_parameter_unconditionally_invalid 1106 * 1107 * Description Always returns false. 1108 * 1109 ******************************************************************************/ 1110 bool smp_parameter_unconditionally_invalid(UNUSED_ATTR tSMP_CB* p_cb) { 1111 return false; 1112 } 1113 1114 /******************************************************************************* 1115 * 1116 * Function smp_reject_unexpected_pairing_command 1117 * 1118 * Description send pairing failure to an unexpected pairing command during 1119 * an active pairing process. 1120 * 1121 * Returns void 1122 * 1123 ******************************************************************************/ 1124 void smp_reject_unexpected_pairing_command(BD_ADDR bd_addr) { 1125 uint8_t* p; 1126 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_FAIL_SIZE + 1127 L2CAP_MIN_OFFSET); 1128 1129 SMP_TRACE_DEBUG("%s", __func__); 1130 1131 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 1132 UINT8_TO_STREAM(p, SMP_OPCODE_PAIRING_FAILED); 1133 UINT8_TO_STREAM(p, SMP_PAIR_NOT_SUPPORT); 1134 1135 p_buf->offset = L2CAP_MIN_OFFSET; 1136 p_buf->len = SMP_PAIR_FAIL_SIZE; 1137 1138 smp_send_msg_to_L2CAP(bd_addr, p_buf); 1139 } 1140 1141 /******************************************************************************* 1142 * Function smp_select_association_model 1143 * 1144 * Description This function selects association model to use for STK 1145 * generation. Selection is based on both sides' io capability, 1146 * oob data flag and authentication request. 1147 * 1148 * Note If Secure Connections Only mode is required locally then we 1149 * come to this point only if both sides support Secure 1150 * Connections mode, i.e. 1151 * if p_cb->secure_connections_only_mode_required = true 1152 * then we come to this point only if 1153 * (p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT) == 1154 * (p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) == 1155 * SMP_SC_SUPPORT_BIT 1156 * 1157 ******************************************************************************/ 1158 tSMP_ASSO_MODEL smp_select_association_model(tSMP_CB* p_cb) { 1159 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE; 1160 p_cb->le_secure_connections_mode_is_used = false; 1161 1162 SMP_TRACE_EVENT("%s", __func__); 1163 SMP_TRACE_DEBUG("%s p_cb->peer_io_caps = %d p_cb->local_io_capability = %d", 1164 __func__, p_cb->peer_io_caps, p_cb->local_io_capability); 1165 SMP_TRACE_DEBUG("%s p_cb->peer_oob_flag = %d p_cb->loc_oob_flag = %d", 1166 __func__, p_cb->peer_oob_flag, p_cb->loc_oob_flag); 1167 SMP_TRACE_DEBUG("%s p_cb->peer_auth_req = 0x%02x p_cb->loc_auth_req = 0x%02x", 1168 __func__, p_cb->peer_auth_req, p_cb->loc_auth_req); 1169 SMP_TRACE_DEBUG( 1170 "%s p_cb->secure_connections_only_mode_required = %s", __func__, 1171 p_cb->secure_connections_only_mode_required ? "true" : "false"); 1172 1173 if ((p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT) && 1174 (p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT)) { 1175 p_cb->le_secure_connections_mode_is_used = true; 1176 } 1177 1178 if ((p_cb->peer_auth_req & SMP_H7_SUPPORT_BIT) && 1179 (p_cb->loc_auth_req & SMP_H7_SUPPORT_BIT)) { 1180 p_cb->key_derivation_h7_used = TRUE; 1181 } 1182 1183 SMP_TRACE_DEBUG("use_sc_process = %d, h7 use = %d", 1184 p_cb->le_secure_connections_mode_is_used, 1185 p_cb->key_derivation_h7_used); 1186 1187 if (p_cb->le_secure_connections_mode_is_used) { 1188 model = smp_select_association_model_secure_connections(p_cb); 1189 } else { 1190 model = smp_select_legacy_association_model(p_cb); 1191 } 1192 return model; 1193 } 1194 1195 /******************************************************************************* 1196 * Function smp_select_legacy_association_model 1197 * 1198 * Description This function is called to select association mode if at 1199 * least one side doesn't support secure connections. 1200 * 1201 ******************************************************************************/ 1202 tSMP_ASSO_MODEL smp_select_legacy_association_model(tSMP_CB* p_cb) { 1203 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE; 1204 1205 SMP_TRACE_DEBUG("%s", __func__); 1206 /* if OOB data is present on both devices, then use OOB association model */ 1207 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT && 1208 p_cb->loc_oob_flag == SMP_OOB_PRESENT) 1209 return SMP_MODEL_OOB; 1210 1211 /* else if neither device requires MITM, then use Just Works association model 1212 */ 1213 if (SMP_NO_MITM_REQUIRED(p_cb->peer_auth_req) && 1214 SMP_NO_MITM_REQUIRED(p_cb->loc_auth_req)) 1215 return SMP_MODEL_ENCRYPTION_ONLY; 1216 1217 /* otherwise use IO capability to select association model */ 1218 if (p_cb->peer_io_caps < SMP_IO_CAP_MAX && 1219 p_cb->local_io_capability < SMP_IO_CAP_MAX) { 1220 if (p_cb->role == HCI_ROLE_MASTER) { 1221 model = smp_association_table[p_cb->role][p_cb->peer_io_caps] 1222 [p_cb->local_io_capability]; 1223 } else { 1224 model = smp_association_table[p_cb->role][p_cb->local_io_capability] 1225 [p_cb->peer_io_caps]; 1226 } 1227 } 1228 1229 return model; 1230 } 1231 1232 /******************************************************************************* 1233 * Function smp_select_association_model_secure_connections 1234 * 1235 * Description This function is called to select association mode if both 1236 * sides support secure connections. 1237 * 1238 ******************************************************************************/ 1239 tSMP_ASSO_MODEL smp_select_association_model_secure_connections(tSMP_CB* p_cb) { 1240 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE; 1241 1242 SMP_TRACE_DEBUG("%s", __func__); 1243 /* if OOB data is present on at least one device, then use OOB association 1244 * model */ 1245 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT || 1246 p_cb->loc_oob_flag == SMP_OOB_PRESENT) 1247 return SMP_MODEL_SEC_CONN_OOB; 1248 1249 /* else if neither device requires MITM, then use Just Works association model 1250 */ 1251 if (SMP_NO_MITM_REQUIRED(p_cb->peer_auth_req) && 1252 SMP_NO_MITM_REQUIRED(p_cb->loc_auth_req)) 1253 return SMP_MODEL_SEC_CONN_JUSTWORKS; 1254 1255 /* otherwise use IO capability to select association model */ 1256 if (p_cb->peer_io_caps < SMP_IO_CAP_MAX && 1257 p_cb->local_io_capability < SMP_IO_CAP_MAX) { 1258 if (p_cb->role == HCI_ROLE_MASTER) { 1259 model = smp_association_table_sc[p_cb->role][p_cb->peer_io_caps] 1260 [p_cb->local_io_capability]; 1261 } else { 1262 model = smp_association_table_sc[p_cb->role][p_cb->local_io_capability] 1263 [p_cb->peer_io_caps]; 1264 } 1265 } 1266 1267 return model; 1268 } 1269 1270 /******************************************************************************* 1271 * Function smp_reverse_array 1272 * 1273 * Description This function reverses array bytes 1274 * 1275 ******************************************************************************/ 1276 void smp_reverse_array(uint8_t* arr, uint8_t len) { 1277 uint8_t i = 0, tmp; 1278 1279 SMP_TRACE_DEBUG("smp_reverse_array"); 1280 1281 for (i = 0; i < len / 2; i++) { 1282 tmp = arr[i]; 1283 arr[i] = arr[len - 1 - i]; 1284 arr[len - 1 - i] = tmp; 1285 } 1286 } 1287 1288 /******************************************************************************* 1289 * Function smp_calculate_random_input 1290 * 1291 * Description This function returns random input value to be used in 1292 * commitment calculation for SC passkey entry association mode 1293 * (if bit["round"] in "random" array == 1 then returns 0x81 1294 * else returns 0x80). 1295 * 1296 * Returns ri value 1297 * 1298 ******************************************************************************/ 1299 uint8_t smp_calculate_random_input(uint8_t* random, uint8_t round) { 1300 uint8_t i = round / 8; 1301 uint8_t j = round % 8; 1302 uint8_t ri; 1303 1304 SMP_TRACE_DEBUG("random: 0x%02x, round: %d, i: %d, j: %d", random[i], round, 1305 i, j); 1306 ri = ((random[i] >> j) & 1) | 0x80; 1307 SMP_TRACE_DEBUG("%s ri=0x%02x", __func__, ri); 1308 return ri; 1309 } 1310 1311 /******************************************************************************* 1312 * Function smp_collect_local_io_capabilities 1313 * 1314 * Description This function puts into IOcap array local device 1315 * IOCapability, OOB data, AuthReq. 1316 * 1317 * Returns void 1318 * 1319 ******************************************************************************/ 1320 void smp_collect_local_io_capabilities(uint8_t* iocap, tSMP_CB* p_cb) { 1321 SMP_TRACE_DEBUG("%s", __func__); 1322 1323 iocap[0] = p_cb->local_io_capability; 1324 iocap[1] = p_cb->loc_oob_flag; 1325 iocap[2] = p_cb->loc_auth_req; 1326 } 1327 1328 /******************************************************************************* 1329 * Function smp_collect_peer_io_capabilities 1330 * 1331 * Description This function puts into IOcap array peer device 1332 * IOCapability, OOB data, AuthReq. 1333 * 1334 * Returns void 1335 * 1336 ******************************************************************************/ 1337 void smp_collect_peer_io_capabilities(uint8_t* iocap, tSMP_CB* p_cb) { 1338 SMP_TRACE_DEBUG("%s", __func__); 1339 1340 iocap[0] = p_cb->peer_io_caps; 1341 iocap[1] = p_cb->peer_oob_flag; 1342 iocap[2] = p_cb->peer_auth_req; 1343 } 1344 1345 /******************************************************************************* 1346 * Function smp_collect_local_ble_address 1347 * 1348 * Description Put the the local device LE address into the le_addr array: 1349 * le_addr[0-5] = local BD ADDR, 1350 * le_addr[6] = local le address type (PUBLIC/RANDOM). 1351 * 1352 * Returns void 1353 * 1354 ******************************************************************************/ 1355 void smp_collect_local_ble_address(uint8_t* le_addr, tSMP_CB* p_cb) { 1356 tBLE_ADDR_TYPE addr_type = 0; 1357 BD_ADDR bda; 1358 uint8_t* p = le_addr; 1359 1360 SMP_TRACE_DEBUG("%s", __func__); 1361 1362 BTM_ReadConnectionAddr(p_cb->pairing_bda, bda, &addr_type); 1363 BDADDR_TO_STREAM(p, bda); 1364 UINT8_TO_STREAM(p, addr_type); 1365 } 1366 1367 /******************************************************************************* 1368 * Function smp_collect_peer_ble_address 1369 * 1370 * Description Put the peer device LE addr into the le_addr array: 1371 * le_addr[0-5] = peer BD ADDR, 1372 * le_addr[6] = peer le address type (PUBLIC/RANDOM). 1373 * 1374 * Returns void 1375 * 1376 ******************************************************************************/ 1377 void smp_collect_peer_ble_address(uint8_t* le_addr, tSMP_CB* p_cb) { 1378 tBLE_ADDR_TYPE addr_type = 0; 1379 BD_ADDR bda; 1380 uint8_t* p = le_addr; 1381 1382 SMP_TRACE_DEBUG("%s", __func__); 1383 1384 if (!BTM_ReadRemoteConnectionAddr(p_cb->pairing_bda, bda, &addr_type)) { 1385 SMP_TRACE_ERROR( 1386 "can not collect peer le addr information for unknown device"); 1387 return; 1388 } 1389 1390 BDADDR_TO_STREAM(p, bda); 1391 UINT8_TO_STREAM(p, addr_type); 1392 } 1393 1394 /******************************************************************************* 1395 * Function smp_check_commitment 1396 * 1397 * Description This function compares peer commitment values: 1398 * - expected (i.e. calculated locally), 1399 * - received from the peer. 1400 * 1401 * Returns true if the values are the same 1402 * false otherwise 1403 * 1404 ******************************************************************************/ 1405 bool smp_check_commitment(tSMP_CB* p_cb) { 1406 BT_OCTET16 expected; 1407 1408 SMP_TRACE_DEBUG("%s", __func__); 1409 1410 smp_calculate_peer_commitment(p_cb, expected); 1411 print128(expected, (const uint8_t*)"calculated peer commitment"); 1412 print128(p_cb->remote_commitment, (const uint8_t*)"received peer commitment"); 1413 1414 if (memcmp(p_cb->remote_commitment, expected, BT_OCTET16_LEN)) { 1415 SMP_TRACE_WARNING("%s: Commitment check fails", __func__); 1416 return false; 1417 } 1418 1419 SMP_TRACE_DEBUG("%s: Commitment check succeeds", __func__); 1420 return true; 1421 } 1422 1423 /******************************************************************************* 1424 * 1425 * Function smp_save_secure_connections_long_term_key 1426 * 1427 * Description The function saves SC LTK as BLE key for future use as local 1428 * and/or peer key. 1429 * 1430 * Returns void 1431 * 1432 ******************************************************************************/ 1433 void smp_save_secure_connections_long_term_key(tSMP_CB* p_cb) { 1434 tBTM_LE_LENC_KEYS lle_key; 1435 tBTM_LE_PENC_KEYS ple_key; 1436 1437 SMP_TRACE_DEBUG("%s-Save LTK as local LTK key", __func__); 1438 memcpy(lle_key.ltk, p_cb->ltk, BT_OCTET16_LEN); 1439 lle_key.div = 0; 1440 lle_key.key_size = p_cb->loc_enc_size; 1441 lle_key.sec_level = p_cb->sec_level; 1442 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC, 1443 (tBTM_LE_KEY_VALUE*)&lle_key, true); 1444 1445 SMP_TRACE_DEBUG("%s-Save LTK as peer LTK key", __func__); 1446 ple_key.ediv = 0; 1447 memset(ple_key.rand, 0, BT_OCTET8_LEN); 1448 memcpy(ple_key.ltk, p_cb->ltk, BT_OCTET16_LEN); 1449 ple_key.sec_level = p_cb->sec_level; 1450 ple_key.key_size = p_cb->loc_enc_size; 1451 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC, 1452 (tBTM_LE_KEY_VALUE*)&ple_key, true); 1453 } 1454 1455 /******************************************************************************* 1456 * 1457 * Function smp_calculate_f5_mackey_and_long_term_key 1458 * 1459 * Description The function calculates MacKey and LTK and saves them in CB. 1460 * To calculate MacKey and LTK it calls smp_calc_f5(...). 1461 * MacKey is used in dhkey calculation, LTK is used to encrypt 1462 * the link. 1463 * 1464 * Returns false if out of resources, true otherwise. 1465 * 1466 ******************************************************************************/ 1467 bool smp_calculate_f5_mackey_and_long_term_key(tSMP_CB* p_cb) { 1468 uint8_t a[7]; 1469 uint8_t b[7]; 1470 uint8_t* p_na; 1471 uint8_t* p_nb; 1472 1473 SMP_TRACE_DEBUG("%s", __func__); 1474 1475 if (p_cb->role == HCI_ROLE_MASTER) { 1476 smp_collect_local_ble_address(a, p_cb); 1477 smp_collect_peer_ble_address(b, p_cb); 1478 p_na = p_cb->rand; 1479 p_nb = p_cb->rrand; 1480 } else { 1481 smp_collect_local_ble_address(b, p_cb); 1482 smp_collect_peer_ble_address(a, p_cb); 1483 p_na = p_cb->rrand; 1484 p_nb = p_cb->rand; 1485 } 1486 1487 if (!smp_calculate_f5(p_cb->dhkey, p_na, p_nb, a, b, p_cb->mac_key, 1488 p_cb->ltk)) { 1489 SMP_TRACE_ERROR("%s failed", __func__); 1490 return false; 1491 } 1492 1493 SMP_TRACE_EVENT("%s is completed", __func__); 1494 return true; 1495 } 1496 1497 /******************************************************************************* 1498 * 1499 * Function smp_request_oob_data 1500 * 1501 * Description Requests application to provide OOB data. 1502 * 1503 * Returns true - OOB data has to be provided by application 1504 * false - otherwise (unexpected) 1505 * 1506 ******************************************************************************/ 1507 bool smp_request_oob_data(tSMP_CB* p_cb) { 1508 tSMP_OOB_DATA_TYPE req_oob_type = SMP_OOB_INVALID_TYPE; 1509 1510 SMP_TRACE_DEBUG("%s", __func__); 1511 1512 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT && 1513 p_cb->loc_oob_flag == SMP_OOB_PRESENT) { 1514 /* both local and peer rcvd data OOB */ 1515 req_oob_type = SMP_OOB_BOTH; 1516 } else if (p_cb->peer_oob_flag == SMP_OOB_PRESENT) { 1517 /* peer rcvd OOB local data, local didn't receive OOB peer data */ 1518 req_oob_type = SMP_OOB_LOCAL; 1519 } else if (p_cb->loc_oob_flag == SMP_OOB_PRESENT) { 1520 req_oob_type = SMP_OOB_PEER; 1521 } 1522 1523 SMP_TRACE_DEBUG("req_oob_type = %d", req_oob_type); 1524 1525 if (req_oob_type == SMP_OOB_INVALID_TYPE) return false; 1526 1527 p_cb->req_oob_type = req_oob_type; 1528 p_cb->cb_evt = SMP_SC_OOB_REQ_EVT; 1529 smp_sm_event(p_cb, SMP_TK_REQ_EVT, &req_oob_type); 1530 1531 return true; 1532 } 1533
