Home | History | Annotate | Download | only in smp
      1 /******************************************************************************
      2  *
      3  *  Copyright (C) 2003-2012 Broadcom Corporation
      4  *
      5  *  Licensed under the Apache License, Version 2.0 (the "License");
      6  *  you may not use this file except in compliance with the License.
      7  *  You may obtain a copy of the License at:
      8  *
      9  *  http://www.apache.org/licenses/LICENSE-2.0
     10  *
     11  *  Unless required by applicable law or agreed to in writing, software
     12  *  distributed under the License is distributed on an "AS IS" BASIS,
     13  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     14  *  See the License for the specific language governing permissions and
     15  *  limitations under the License.
     16  *
     17  ******************************************************************************/
     18 
     19 #include <string.h>
     20 #include "btif_common.h"
     21 #include "device/include/interop.h"
     22 #include "include/bt_target.h"
     23 #include "stack/btm/btm_int.h"
     24 #include "stack/include/l2c_api.h"
     25 #include "stack/smp/smp_int.h"
     26 #include "utils/include/bt_utils.h"
     27 
     28 extern fixed_queue_t* btu_general_alarm_queue;
     29 
     30 #define SMP_KEY_DIST_TYPE_MAX 4
     31 const tSMP_ACT smp_distribute_act[] = {smp_generate_ltk, smp_send_id_info,
     32                                        smp_generate_csrk,
     33                                        smp_set_derive_link_key};
     34 
     35 static bool lmp_version_below(BD_ADDR bda, uint8_t version) {
     36   tACL_CONN* acl = btm_bda_to_acl(bda, BT_TRANSPORT_LE);
     37   if (acl == NULL || acl->lmp_version == 0) {
     38     SMP_TRACE_WARNING("%s cannot retrieve LMP version...", __func__);
     39     return false;
     40   }
     41   SMP_TRACE_WARNING("%s LMP version %d < %d", __func__, acl->lmp_version,
     42                     version);
     43   return acl->lmp_version < version;
     44 }
     45 
     46 static bool pts_test_send_authentication_complete_failure(tSMP_CB* p_cb) {
     47   uint8_t reason = 0;
     48 
     49   if (p_cb->cert_failure < 2 || p_cb->cert_failure > 6) return false;
     50 
     51   SMP_TRACE_ERROR("%s failure case = %d", __func__, p_cb->cert_failure);
     52 
     53   switch (p_cb->cert_failure) {
     54     case 2:
     55       reason = SMP_PAIR_AUTH_FAIL;
     56       smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
     57       break;
     58     case 3:
     59       reason = SMP_PAIR_FAIL_UNKNOWN;
     60       smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
     61       break;
     62     case 4:
     63       reason = SMP_PAIR_NOT_SUPPORT;
     64       smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
     65       break;
     66     case 5:
     67       reason = SMP_PASSKEY_ENTRY_FAIL;
     68       smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
     69       break;
     70     case 6:
     71       reason = SMP_REPEATED_ATTEMPTS;
     72       smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
     73       break;
     74   }
     75 
     76   return true;
     77   ;
     78 }
     79 
     80 /*******************************************************************************
     81  * Function         smp_update_key_mask
     82  * Description      This function updates the key mask for sending or receiving.
     83  ******************************************************************************/
     84 static void smp_update_key_mask(tSMP_CB* p_cb, uint8_t key_type, bool recv) {
     85   SMP_TRACE_DEBUG(
     86       "%s before update role=%d recv=%d local_i_key = %02x, local_r_key = %02x",
     87       __func__, p_cb->role, recv, p_cb->local_i_key, p_cb->local_r_key);
     88 
     89   if (((p_cb->le_secure_connections_mode_is_used) || (p_cb->smp_over_br)) &&
     90       ((key_type == SMP_SEC_KEY_TYPE_ENC) ||
     91        (key_type == SMP_SEC_KEY_TYPE_LK))) {
     92     /* in LE SC mode LTK, CSRK and BR/EDR LK are derived locally instead of
     93     ** being exchanged with the peer */
     94     p_cb->local_i_key &= ~key_type;
     95     p_cb->local_r_key &= ~key_type;
     96   } else if (p_cb->role == HCI_ROLE_SLAVE) {
     97     if (recv)
     98       p_cb->local_i_key &= ~key_type;
     99     else
    100       p_cb->local_r_key &= ~key_type;
    101   } else {
    102     if (recv)
    103       p_cb->local_r_key &= ~key_type;
    104     else
    105       p_cb->local_i_key &= ~key_type;
    106   }
    107 
    108   SMP_TRACE_DEBUG("updated local_i_key = %02x, local_r_key = %02x",
    109                   p_cb->local_i_key, p_cb->local_r_key);
    110 }
    111 
    112 /*******************************************************************************
    113  * Function     smp_send_app_cback
    114  * Description  notifies application about the events the application is
    115  *              interested in
    116  ******************************************************************************/
    117 void smp_send_app_cback(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    118   tSMP_EVT_DATA cb_data;
    119   tSMP_STATUS callback_rc;
    120   SMP_TRACE_DEBUG("%s p_cb->cb_evt=%d", __func__, p_cb->cb_evt);
    121   if (p_cb->p_callback && p_cb->cb_evt != 0) {
    122     switch (p_cb->cb_evt) {
    123       case SMP_IO_CAP_REQ_EVT:
    124         cb_data.io_req.auth_req = p_cb->peer_auth_req;
    125         cb_data.io_req.oob_data = SMP_OOB_NONE;
    126         cb_data.io_req.io_cap = SMP_DEFAULT_IO_CAPS;
    127         cb_data.io_req.max_key_size = SMP_MAX_ENC_KEY_SIZE;
    128         cb_data.io_req.init_keys = p_cb->local_i_key;
    129         cb_data.io_req.resp_keys = p_cb->local_r_key;
    130         SMP_TRACE_WARNING("io_cap = %d", cb_data.io_req.io_cap);
    131         break;
    132 
    133       case SMP_NC_REQ_EVT:
    134         cb_data.passkey = p_data->passkey;
    135         break;
    136       case SMP_SC_OOB_REQ_EVT:
    137         cb_data.req_oob_type = p_data->req_oob_type;
    138         break;
    139       case SMP_SC_LOC_OOB_DATA_UP_EVT:
    140         cb_data.loc_oob_data = p_cb->sc_oob_data.loc_oob_data;
    141         break;
    142 
    143       case SMP_BR_KEYS_REQ_EVT:
    144         cb_data.io_req.auth_req = 0;
    145         cb_data.io_req.oob_data = SMP_OOB_NONE;
    146         cb_data.io_req.io_cap = 0;
    147         cb_data.io_req.max_key_size = SMP_MAX_ENC_KEY_SIZE;
    148         cb_data.io_req.init_keys = SMP_BR_SEC_DEFAULT_KEY;
    149         cb_data.io_req.resp_keys = SMP_BR_SEC_DEFAULT_KEY;
    150         break;
    151 
    152       default:
    153         break;
    154     }
    155 
    156     callback_rc =
    157         (*p_cb->p_callback)(p_cb->cb_evt, p_cb->pairing_bda, &cb_data);
    158 
    159     SMP_TRACE_DEBUG("%s: callback_rc=%d  p_cb->cb_evt=%d", __func__,
    160                     callback_rc, p_cb->cb_evt);
    161 
    162     if (callback_rc == SMP_SUCCESS) {
    163       switch (p_cb->cb_evt) {
    164         case SMP_IO_CAP_REQ_EVT:
    165           p_cb->loc_auth_req = cb_data.io_req.auth_req;
    166           p_cb->local_io_capability = cb_data.io_req.io_cap;
    167           p_cb->loc_oob_flag = cb_data.io_req.oob_data;
    168           p_cb->loc_enc_size = cb_data.io_req.max_key_size;
    169           p_cb->local_i_key = cb_data.io_req.init_keys;
    170           p_cb->local_r_key = cb_data.io_req.resp_keys;
    171 
    172           if (!(p_cb->loc_auth_req & SMP_AUTH_BOND)) {
    173             SMP_TRACE_WARNING("Non bonding: No keys will be exchanged");
    174             p_cb->local_i_key = 0;
    175             p_cb->local_r_key = 0;
    176           }
    177 
    178           SMP_TRACE_WARNING(
    179               "rcvd auth_req: 0x%02x, io_cap: %d \
    180                         loc_oob_flag: %d loc_enc_size: %d,"
    181               "local_i_key: 0x%02x, local_r_key: 0x%02x",
    182               p_cb->loc_auth_req, p_cb->local_io_capability, p_cb->loc_oob_flag,
    183               p_cb->loc_enc_size, p_cb->local_i_key, p_cb->local_r_key);
    184 
    185           p_cb->secure_connections_only_mode_required =
    186               (btm_cb.security_mode == BTM_SEC_MODE_SC) ? true : false;
    187 
    188           if (p_cb->secure_connections_only_mode_required) {
    189             p_cb->loc_auth_req |= SMP_SC_SUPPORT_BIT;
    190           }
    191 
    192           if (!(p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) ||
    193               lmp_version_below(p_cb->pairing_bda, HCI_PROTO_VERSION_4_2) ||
    194               interop_match_addr(INTEROP_DISABLE_LE_SECURE_CONNECTIONS,
    195                                  (const bt_bdaddr_t*)&p_cb->pairing_bda)) {
    196             p_cb->loc_auth_req &= ~SMP_KP_SUPPORT_BIT;
    197             p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
    198             p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
    199           }
    200 
    201           SMP_TRACE_WARNING(
    202               "set auth_req: 0x%02x, local_i_key: 0x%02x, local_r_key: 0x%02x",
    203               p_cb->loc_auth_req, p_cb->local_i_key, p_cb->local_r_key);
    204 
    205           smp_sm_event(p_cb, SMP_IO_RSP_EVT, NULL);
    206           break;
    207 
    208         case SMP_BR_KEYS_REQ_EVT:
    209           p_cb->loc_enc_size = cb_data.io_req.max_key_size;
    210           p_cb->local_i_key = cb_data.io_req.init_keys;
    211           p_cb->local_r_key = cb_data.io_req.resp_keys;
    212           p_cb->loc_auth_req |= SMP_H7_SUPPORT_BIT;
    213 
    214           p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
    215           p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
    216 
    217           SMP_TRACE_WARNING(
    218               "for SMP over BR max_key_size: 0x%02x,\
    219                         local_i_key: 0x%02x, local_r_key: 0x%02x, p_cb->loc_auth_req: 0x%02x",
    220               p_cb->loc_enc_size, p_cb->local_i_key, p_cb->local_r_key,
    221               p_cb->loc_auth_req);
    222 
    223           smp_br_state_machine_event(p_cb, SMP_BR_KEYS_RSP_EVT, NULL);
    224           break;
    225       }
    226     }
    227   }
    228 
    229   if (!p_cb->cb_evt && p_cb->discard_sec_req) {
    230     p_cb->discard_sec_req = false;
    231     smp_sm_event(p_cb, SMP_DISCARD_SEC_REQ_EVT, NULL);
    232   }
    233 
    234   SMP_TRACE_DEBUG("%s return", __func__);
    235 }
    236 
    237 /*******************************************************************************
    238  * Function     smp_send_pair_fail
    239  * Description  pairing failure to peer device if needed.
    240  ******************************************************************************/
    241 void smp_send_pair_fail(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    242   p_cb->status = *(uint8_t*)p_data;
    243   p_cb->failure = *(uint8_t*)p_data;
    244 
    245   SMP_TRACE_DEBUG("%s status=%d failure=%d ", __func__, p_cb->status,
    246                   p_cb->failure);
    247 
    248   if (p_cb->status <= SMP_MAX_FAIL_RSN_PER_SPEC &&
    249       p_cb->status != SMP_SUCCESS) {
    250     smp_send_cmd(SMP_OPCODE_PAIRING_FAILED, p_cb);
    251     p_cb->wait_for_authorization_complete = true;
    252   }
    253 }
    254 
    255 /*******************************************************************************
    256  * Function     smp_send_pair_req
    257  * Description  actions related to sending pairing request
    258  ******************************************************************************/
    259 void smp_send_pair_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    260   tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
    261   SMP_TRACE_DEBUG("%s", __func__);
    262 
    263   /* erase all keys when master sends pairing req*/
    264   if (p_dev_rec) btm_sec_clear_ble_keys(p_dev_rec);
    265   /* do not manipulate the key, let app decide,
    266      leave out to BTM to mandate key distribution for bonding case */
    267   smp_send_cmd(SMP_OPCODE_PAIRING_REQ, p_cb);
    268 }
    269 
    270 /*******************************************************************************
    271  * Function     smp_send_pair_rsp
    272  * Description  actions related to sending pairing response
    273  ******************************************************************************/
    274 void smp_send_pair_rsp(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    275   SMP_TRACE_DEBUG("%s", __func__);
    276 
    277   p_cb->local_i_key &= p_cb->peer_i_key;
    278   p_cb->local_r_key &= p_cb->peer_r_key;
    279 
    280   if (smp_send_cmd(SMP_OPCODE_PAIRING_RSP, p_cb)) {
    281     if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB)
    282       smp_use_oob_private_key(p_cb, NULL);
    283     else
    284       smp_decide_association_model(p_cb, NULL);
    285   }
    286 }
    287 
    288 /*******************************************************************************
    289  * Function     smp_send_confirm
    290  * Description  send confirmation to the peer
    291  ******************************************************************************/
    292 void smp_send_confirm(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    293   SMP_TRACE_DEBUG("%s", __func__);
    294   smp_send_cmd(SMP_OPCODE_CONFIRM, p_cb);
    295 }
    296 
    297 /*******************************************************************************
    298  * Function     smp_send_init
    299  * Description  process pairing initializer to slave device
    300  ******************************************************************************/
    301 void smp_send_init(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    302   SMP_TRACE_DEBUG("%s", __func__);
    303   smp_send_cmd(SMP_OPCODE_INIT, p_cb);
    304 }
    305 
    306 /*******************************************************************************
    307  * Function     smp_send_rand
    308  * Description  send pairing random to the peer
    309  ******************************************************************************/
    310 void smp_send_rand(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    311   SMP_TRACE_DEBUG("%s", __func__);
    312   smp_send_cmd(SMP_OPCODE_RAND, p_cb);
    313 }
    314 
    315 /*******************************************************************************
    316  * Function     smp_send_pair_public_key
    317  * Description  send pairing public key command to the peer
    318  ******************************************************************************/
    319 void smp_send_pair_public_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    320   SMP_TRACE_DEBUG("%s", __func__);
    321   smp_send_cmd(SMP_OPCODE_PAIR_PUBLIC_KEY, p_cb);
    322 }
    323 
    324 /*******************************************************************************
    325  * Function     SMP_SEND_COMMITMENT
    326  * Description send commitment command to the peer
    327  ******************************************************************************/
    328 void smp_send_commitment(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    329   SMP_TRACE_DEBUG("%s", __func__);
    330   smp_send_cmd(SMP_OPCODE_PAIR_COMMITM, p_cb);
    331 }
    332 
    333 /*******************************************************************************
    334  * Function     smp_send_dhkey_check
    335  * Description send DHKey Check command to the peer
    336  ******************************************************************************/
    337 void smp_send_dhkey_check(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    338   SMP_TRACE_DEBUG("%s", __func__);
    339   smp_send_cmd(SMP_OPCODE_PAIR_DHKEY_CHECK, p_cb);
    340 }
    341 
    342 /*******************************************************************************
    343  * Function     smp_send_keypress_notification
    344  * Description send Keypress Notification command to the peer
    345  ******************************************************************************/
    346 void smp_send_keypress_notification(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    347   p_cb->local_keypress_notification = *(uint8_t*)p_data;
    348   smp_send_cmd(SMP_OPCODE_PAIR_KEYPR_NOTIF, p_cb);
    349 }
    350 
    351 /*******************************************************************************
    352  * Function     smp_send_enc_info
    353  * Description  send encryption information command.
    354  ******************************************************************************/
    355 void smp_send_enc_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    356   tBTM_LE_LENC_KEYS le_key;
    357 
    358   SMP_TRACE_DEBUG("%s p_cb->loc_enc_size = %d", __func__, p_cb->loc_enc_size);
    359   smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, false);
    360 
    361   smp_send_cmd(SMP_OPCODE_ENCRYPT_INFO, p_cb);
    362   smp_send_cmd(SMP_OPCODE_MASTER_ID, p_cb);
    363 
    364   /* save the DIV and key size information when acting as slave device */
    365   memcpy(le_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
    366   le_key.div = p_cb->div;
    367   le_key.key_size = p_cb->loc_enc_size;
    368   le_key.sec_level = p_cb->sec_level;
    369 
    370   if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
    371       (p_cb->loc_auth_req & SMP_AUTH_BOND))
    372     btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC,
    373                         (tBTM_LE_KEY_VALUE*)&le_key, true);
    374 
    375   SMP_TRACE_WARNING("%s", __func__);
    376 
    377   smp_key_distribution(p_cb, NULL);
    378 }
    379 
    380 /*******************************************************************************
    381  * Function     smp_send_id_info
    382  * Description  send ID information command.
    383  ******************************************************************************/
    384 void smp_send_id_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    385   tBTM_LE_KEY_VALUE le_key;
    386   SMP_TRACE_DEBUG("%s", __func__);
    387   smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ID, false);
    388 
    389   smp_send_cmd(SMP_OPCODE_IDENTITY_INFO, p_cb);
    390   smp_send_cmd(SMP_OPCODE_ID_ADDR, p_cb);
    391 
    392   if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
    393       (p_cb->loc_auth_req & SMP_AUTH_BOND))
    394     btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LID, &le_key, true);
    395 
    396   SMP_TRACE_WARNING("%s", __func__);
    397   smp_key_distribution_by_transport(p_cb, NULL);
    398 }
    399 
    400 /*******************************************************************************
    401  * Function     smp_send_csrk_info
    402  * Description  send CSRK command.
    403  ******************************************************************************/
    404 void smp_send_csrk_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    405   tBTM_LE_LCSRK_KEYS key;
    406   SMP_TRACE_DEBUG("%s", __func__);
    407   smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_CSRK, false);
    408 
    409   if (smp_send_cmd(SMP_OPCODE_SIGN_INFO, p_cb)) {
    410     key.div = p_cb->div;
    411     key.sec_level = p_cb->sec_level;
    412     key.counter = 0; /* initialize the local counter */
    413     memcpy(key.csrk, p_cb->csrk, BT_OCTET16_LEN);
    414     btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LCSRK,
    415                         (tBTM_LE_KEY_VALUE*)&key, true);
    416   }
    417 
    418   smp_key_distribution_by_transport(p_cb, NULL);
    419 }
    420 
    421 /*******************************************************************************
    422  * Function     smp_send_ltk_reply
    423  * Description  send LTK reply
    424  ******************************************************************************/
    425 void smp_send_ltk_reply(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    426   SMP_TRACE_DEBUG("%s", __func__);
    427   /* send stk as LTK response */
    428   btm_ble_ltk_request_reply(p_cb->pairing_bda, true, p_data->key.p_data);
    429 }
    430 
    431 /*******************************************************************************
    432  * Function     smp_proc_sec_req
    433  * Description  process security request.
    434  ******************************************************************************/
    435 void smp_proc_sec_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    436   tBTM_LE_AUTH_REQ auth_req = *(tBTM_LE_AUTH_REQ*)p_data;
    437   tBTM_BLE_SEC_REQ_ACT sec_req_act;
    438   uint8_t reason;
    439 
    440   SMP_TRACE_DEBUG("%s auth_req=0x%x", __func__, auth_req);
    441 
    442   p_cb->cb_evt = 0;
    443 
    444   btm_ble_link_sec_check(p_cb->pairing_bda, auth_req, &sec_req_act);
    445 
    446   SMP_TRACE_DEBUG("%s sec_req_act=0x%x", __func__, sec_req_act);
    447 
    448   switch (sec_req_act) {
    449     case BTM_BLE_SEC_REQ_ACT_ENCRYPT:
    450       SMP_TRACE_DEBUG("%s BTM_BLE_SEC_REQ_ACT_ENCRYPT", __func__);
    451       smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL);
    452       break;
    453 
    454     case BTM_BLE_SEC_REQ_ACT_PAIR:
    455       p_cb->secure_connections_only_mode_required =
    456           (btm_cb.security_mode == BTM_SEC_MODE_SC) ? true : false;
    457 
    458       /* respond to non SC pairing request as failure in SC only mode */
    459       if (p_cb->secure_connections_only_mode_required &&
    460           (auth_req & SMP_SC_SUPPORT_BIT) == 0) {
    461         reason = SMP_PAIR_AUTH_FAIL;
    462         smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
    463       } else {
    464         /* initialize local i/r key to be default keys */
    465         p_cb->peer_auth_req = auth_req;
    466         p_cb->local_r_key = p_cb->local_i_key = SMP_SEC_DEFAULT_KEY;
    467         p_cb->cb_evt = SMP_SEC_REQUEST_EVT;
    468       }
    469       break;
    470 
    471     case BTM_BLE_SEC_REQ_ACT_DISCARD:
    472       p_cb->discard_sec_req = true;
    473       break;
    474 
    475     default:
    476       /* do nothing */
    477       break;
    478   }
    479 }
    480 
    481 /*******************************************************************************
    482  * Function     smp_proc_sec_grant
    483  * Description  process security grant.
    484  ******************************************************************************/
    485 void smp_proc_sec_grant(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    486   uint8_t res = *(uint8_t*)p_data;
    487   SMP_TRACE_DEBUG("%s", __func__);
    488   if (res != SMP_SUCCESS) {
    489     smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, p_data);
    490   } else /*otherwise, start pairing */
    491   {
    492     /* send IO request callback */
    493     p_cb->cb_evt = SMP_IO_CAP_REQ_EVT;
    494   }
    495 }
    496 
    497 /*******************************************************************************
    498  * Function     smp_proc_pair_fail
    499  * Description  process pairing failure from peer device
    500  ******************************************************************************/
    501 void smp_proc_pair_fail(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    502   SMP_TRACE_DEBUG("%s", __func__);
    503   p_cb->status = *(uint8_t*)p_data;
    504 
    505   /* Cancel pending auth complete timer if set */
    506   alarm_cancel(p_cb->delayed_auth_timer_ent);
    507 }
    508 
    509 /*******************************************************************************
    510  * Function     smp_proc_pair_cmd
    511  * Description  Process the SMP pairing request/response from peer device
    512  ******************************************************************************/
    513 void smp_proc_pair_cmd(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    514   uint8_t* p = (uint8_t*)p_data;
    515   uint8_t reason = SMP_ENC_KEY_SIZE;
    516   tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
    517 
    518   SMP_TRACE_DEBUG("%s", __func__);
    519   /* erase all keys if it is slave proc pairing req*/
    520   if (p_dev_rec && (p_cb->role == HCI_ROLE_SLAVE))
    521     btm_sec_clear_ble_keys(p_dev_rec);
    522 
    523   p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR;
    524 
    525   STREAM_TO_UINT8(p_cb->peer_io_caps, p);
    526   STREAM_TO_UINT8(p_cb->peer_oob_flag, p);
    527   STREAM_TO_UINT8(p_cb->peer_auth_req, p);
    528   STREAM_TO_UINT8(p_cb->peer_enc_size, p);
    529   STREAM_TO_UINT8(p_cb->peer_i_key, p);
    530   STREAM_TO_UINT8(p_cb->peer_r_key, p);
    531 
    532   if (smp_command_has_invalid_parameters(p_cb)) {
    533     reason = SMP_INVALID_PARAMETERS;
    534     smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
    535     return;
    536   }
    537 
    538   // PTS Testing failure modes
    539   if (pts_test_send_authentication_complete_failure(p_cb)) return;
    540 
    541   if (p_cb->role == HCI_ROLE_SLAVE) {
    542     if (!(p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD)) {
    543       /* peer (master) started pairing sending Pairing Request */
    544       p_cb->local_i_key = p_cb->peer_i_key;
    545       p_cb->local_r_key = p_cb->peer_r_key;
    546 
    547       p_cb->cb_evt = SMP_SEC_REQUEST_EVT;
    548     } else /* update local i/r key according to pairing request */
    549     {
    550       /* pairing started with this side (slave) sending Security Request */
    551       p_cb->local_i_key &= p_cb->peer_i_key;
    552       p_cb->local_r_key &= p_cb->peer_r_key;
    553       p_cb->selected_association_model = smp_select_association_model(p_cb);
    554 
    555       if (p_cb->secure_connections_only_mode_required &&
    556           (!(p_cb->le_secure_connections_mode_is_used) ||
    557            (p_cb->selected_association_model ==
    558             SMP_MODEL_SEC_CONN_JUSTWORKS))) {
    559         SMP_TRACE_ERROR(
    560             "%s pairing failed - slave requires secure connection only mode",
    561             __func__);
    562         reason = SMP_PAIR_AUTH_FAIL;
    563         smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
    564         return;
    565       }
    566 
    567       if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) {
    568         if (smp_request_oob_data(p_cb)) return;
    569       } else {
    570         smp_send_pair_rsp(p_cb, NULL);
    571       }
    572     }
    573   } else /* Master receives pairing response */
    574   {
    575     p_cb->selected_association_model = smp_select_association_model(p_cb);
    576 
    577     if (p_cb->secure_connections_only_mode_required &&
    578         (!(p_cb->le_secure_connections_mode_is_used) ||
    579          (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS))) {
    580       SMP_TRACE_ERROR(
    581           "Master requires secure connection only mode \
    582                 but it can't be provided -> Master fails pairing");
    583       reason = SMP_PAIR_AUTH_FAIL;
    584       smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
    585       return;
    586     }
    587 
    588     if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) {
    589       if (smp_request_oob_data(p_cb)) return;
    590     } else {
    591       smp_decide_association_model(p_cb, NULL);
    592     }
    593   }
    594 }
    595 
    596 /*******************************************************************************
    597  * Function     smp_proc_confirm
    598  * Description  process pairing confirm from peer device
    599  ******************************************************************************/
    600 void smp_proc_confirm(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    601   uint8_t* p = (uint8_t*)p_data;
    602   uint8_t reason = SMP_INVALID_PARAMETERS;
    603 
    604   SMP_TRACE_DEBUG("%s", __func__);
    605 
    606   if (smp_command_has_invalid_parameters(p_cb)) {
    607     smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
    608     return;
    609   }
    610 
    611   if (p != NULL) {
    612     /* save the SConfirm for comparison later */
    613     STREAM_TO_ARRAY(p_cb->rconfirm, p, BT_OCTET16_LEN);
    614   }
    615 
    616   p_cb->flags |= SMP_PAIR_FLAGS_CMD_CONFIRM;
    617 }
    618 
    619 /*******************************************************************************
    620  * Function     smp_proc_init
    621  * Description  process pairing initializer from peer device
    622  ******************************************************************************/
    623 void smp_proc_init(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    624   uint8_t* p = (uint8_t*)p_data;
    625   uint8_t reason = SMP_INVALID_PARAMETERS;
    626 
    627   SMP_TRACE_DEBUG("%s", __func__);
    628 
    629   if (smp_command_has_invalid_parameters(p_cb)) {
    630     smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
    631     return;
    632   }
    633 
    634   /* save the SRand for comparison */
    635   STREAM_TO_ARRAY(p_cb->rrand, p, BT_OCTET16_LEN);
    636 }
    637 
    638 /*******************************************************************************
    639  * Function     smp_proc_rand
    640  * Description  process pairing random (nonce) from peer device
    641  ******************************************************************************/
    642 void smp_proc_rand(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    643   uint8_t* p = (uint8_t*)p_data;
    644   uint8_t reason = SMP_INVALID_PARAMETERS;
    645 
    646   SMP_TRACE_DEBUG("%s", __func__);
    647 
    648   if (smp_command_has_invalid_parameters(p_cb)) {
    649     smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
    650     return;
    651   }
    652 
    653   /* save the SRand for comparison */
    654   STREAM_TO_ARRAY(p_cb->rrand, p, BT_OCTET16_LEN);
    655 }
    656 
    657 /*******************************************************************************
    658  * Function     smp_process_pairing_public_key
    659  * Description  process pairing public key command from the peer device
    660  *              - saves the peer public key;
    661  *              - sets the flag indicating that the peer public key is received;
    662  *              - calls smp_wait_for_both_public_keys(...).
    663  *
    664  ******************************************************************************/
    665 void smp_process_pairing_public_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    666   uint8_t* p = (uint8_t*)p_data;
    667   uint8_t reason = SMP_INVALID_PARAMETERS;
    668 
    669   SMP_TRACE_DEBUG("%s", __func__);
    670 
    671   if (smp_command_has_invalid_parameters(p_cb)) {
    672     smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
    673     return;
    674   }
    675 
    676   STREAM_TO_ARRAY(p_cb->peer_publ_key.x, p, BT_OCTET32_LEN);
    677   STREAM_TO_ARRAY(p_cb->peer_publ_key.y, p, BT_OCTET32_LEN);
    678   p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_PUBL_KEY;
    679 
    680   smp_wait_for_both_public_keys(p_cb, NULL);
    681 }
    682 
    683 /*******************************************************************************
    684  * Function     smp_process_pairing_commitment
    685  * Description  process pairing commitment from peer device
    686  ******************************************************************************/
    687 void smp_process_pairing_commitment(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    688   uint8_t* p = (uint8_t*)p_data;
    689   uint8_t reason = SMP_INVALID_PARAMETERS;
    690 
    691   SMP_TRACE_DEBUG("%s", __func__);
    692 
    693   if (smp_command_has_invalid_parameters(p_cb)) {
    694     smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
    695     return;
    696   }
    697 
    698   p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_COMM;
    699 
    700   if (p != NULL) {
    701     STREAM_TO_ARRAY(p_cb->remote_commitment, p, BT_OCTET16_LEN);
    702   }
    703 }
    704 
    705 /*******************************************************************************
    706  * Function     smp_process_dhkey_check
    707  * Description  process DHKey Check from peer device
    708  ******************************************************************************/
    709 void smp_process_dhkey_check(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    710   uint8_t* p = (uint8_t*)p_data;
    711   uint8_t reason = SMP_INVALID_PARAMETERS;
    712 
    713   SMP_TRACE_DEBUG("%s", __func__);
    714 
    715   if (smp_command_has_invalid_parameters(p_cb)) {
    716     smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
    717     return;
    718   }
    719 
    720   if (p != NULL) {
    721     STREAM_TO_ARRAY(p_cb->remote_dhkey_check, p, BT_OCTET16_LEN);
    722   }
    723 
    724   p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_DHK_CHK;
    725 }
    726 
    727 /*******************************************************************************
    728  * Function     smp_process_keypress_notification
    729  * Description  process pairing keypress notification from peer device
    730  ******************************************************************************/
    731 void smp_process_keypress_notification(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    732   uint8_t* p = (uint8_t*)p_data;
    733   uint8_t reason = SMP_INVALID_PARAMETERS;
    734 
    735   SMP_TRACE_DEBUG("%s", __func__);
    736   p_cb->status = *(uint8_t*)p_data;
    737 
    738   if (smp_command_has_invalid_parameters(p_cb)) {
    739     smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
    740     return;
    741   }
    742 
    743   if (p != NULL) {
    744     STREAM_TO_UINT8(p_cb->peer_keypress_notification, p);
    745   } else {
    746     p_cb->peer_keypress_notification = BTM_SP_KEY_OUT_OF_RANGE;
    747   }
    748   p_cb->cb_evt = SMP_PEER_KEYPR_NOT_EVT;
    749 }
    750 
    751 /*******************************************************************************
    752  * Function     smp_br_process_pairing_command
    753  * Description  Process the SMP pairing request/response from peer device via
    754  *              BR/EDR transport.
    755  ******************************************************************************/
    756 void smp_br_process_pairing_command(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    757   uint8_t* p = (uint8_t*)p_data;
    758   uint8_t reason = SMP_ENC_KEY_SIZE;
    759   tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
    760 
    761   SMP_TRACE_DEBUG("%s", __func__);
    762   /* rejecting BR pairing request over non-SC BR link */
    763   if (!p_dev_rec->new_encryption_key_is_p256 && p_cb->role == HCI_ROLE_SLAVE) {
    764     reason = SMP_XTRANS_DERIVE_NOT_ALLOW;
    765     smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &reason);
    766     return;
    767   }
    768 
    769   /* erase all keys if it is slave proc pairing req*/
    770   if (p_dev_rec && (p_cb->role == HCI_ROLE_SLAVE))
    771     btm_sec_clear_ble_keys(p_dev_rec);
    772 
    773   p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR;
    774 
    775   STREAM_TO_UINT8(p_cb->peer_io_caps, p);
    776   STREAM_TO_UINT8(p_cb->peer_oob_flag, p);
    777   STREAM_TO_UINT8(p_cb->peer_auth_req, p);
    778   STREAM_TO_UINT8(p_cb->peer_enc_size, p);
    779   STREAM_TO_UINT8(p_cb->peer_i_key, p);
    780   STREAM_TO_UINT8(p_cb->peer_r_key, p);
    781 
    782   if (smp_command_has_invalid_parameters(p_cb)) {
    783     reason = SMP_INVALID_PARAMETERS;
    784     smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &reason);
    785     return;
    786   }
    787 
    788   /* peer (master) started pairing sending Pairing Request */
    789   /* or being master device always use received i/r key as keys to distribute */
    790   p_cb->local_i_key = p_cb->peer_i_key;
    791   p_cb->local_r_key = p_cb->peer_r_key;
    792 
    793   if (p_cb->role == HCI_ROLE_SLAVE) {
    794     p_dev_rec->new_encryption_key_is_p256 = false;
    795     /* shortcut to skip Security Grant step */
    796     p_cb->cb_evt = SMP_BR_KEYS_REQ_EVT;
    797   } else /* Master receives pairing response */
    798   {
    799     SMP_TRACE_DEBUG(
    800         "%s master rcvs valid PAIRING RESPONSE."
    801         " Supposed to move to key distribution phase. ",
    802         __func__);
    803   }
    804 
    805   /* auth_req received via BR/EDR SM channel is set to 0,
    806      but everything derived/exchanged has to be saved */
    807   p_cb->peer_auth_req |= SMP_AUTH_BOND;
    808   p_cb->loc_auth_req |= SMP_AUTH_BOND;
    809 }
    810 
    811 /*******************************************************************************
    812  * Function     smp_br_process_security_grant
    813  * Description  process security grant in case of pairing over BR/EDR transport.
    814  ******************************************************************************/
    815 void smp_br_process_security_grant(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    816   uint8_t res = *(uint8_t*)p_data;
    817   SMP_TRACE_DEBUG("%s", __func__);
    818   if (res != SMP_SUCCESS) {
    819     smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, p_data);
    820   } else /*otherwise, start pairing */
    821   {
    822     /* send IO request callback */
    823     p_cb->cb_evt = SMP_BR_KEYS_REQ_EVT;
    824   }
    825 }
    826 
    827 /*******************************************************************************
    828  * Function     smp_br_check_authorization_request
    829  * Description  sets the SMP kes to be derived/distribute over BR/EDR transport
    830  *              before starting the distribution/derivation
    831  ******************************************************************************/
    832 void smp_br_check_authorization_request(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    833   uint8_t reason = SMP_SUCCESS;
    834 
    835   SMP_TRACE_DEBUG(
    836       "%s rcvs i_keys=0x%x r_keys=0x%x "
    837       "(i-initiator r-responder)",
    838       __func__, p_cb->local_i_key, p_cb->local_r_key);
    839 
    840   /* In LE SC mode LK field is ignored when BR/EDR transport is used */
    841   p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
    842   p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
    843 
    844   /* In LE SC mode only IRK, IAI, CSRK are exchanged with the peer.
    845   ** Set local_r_key on master to expect only these keys. */
    846   if (p_cb->role == HCI_ROLE_MASTER) {
    847     p_cb->local_r_key &= (SMP_SEC_KEY_TYPE_ID | SMP_SEC_KEY_TYPE_CSRK);
    848   }
    849 
    850   /* Check if H7 function needs to be used for key derivation*/
    851   if ((p_cb->loc_auth_req & SMP_H7_SUPPORT_BIT) &&
    852       (p_cb->peer_auth_req & SMP_H7_SUPPORT_BIT)) {
    853     p_cb->key_derivation_h7_used = TRUE;
    854   }
    855   SMP_TRACE_DEBUG("%s: use h7 = %d", __func__, p_cb->key_derivation_h7_used);
    856 
    857   SMP_TRACE_DEBUG(
    858       "%s rcvs upgrades: i_keys=0x%x r_keys=0x%x "
    859       "(i-initiator r-responder)",
    860       __func__, p_cb->local_i_key, p_cb->local_r_key);
    861 
    862   if (/*((p_cb->peer_auth_req & SMP_AUTH_BOND) ||
    863           (p_cb->loc_auth_req & SMP_AUTH_BOND)) &&*/
    864       (p_cb->local_i_key || p_cb->local_r_key)) {
    865     smp_br_state_machine_event(p_cb, SMP_BR_BOND_REQ_EVT, NULL);
    866 
    867     /* if no peer key is expected, start master key distribution */
    868     if (p_cb->role == HCI_ROLE_MASTER && p_cb->local_r_key == 0)
    869       smp_key_distribution_by_transport(p_cb, NULL);
    870   } else {
    871     smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &reason);
    872   }
    873 }
    874 
    875 /*******************************************************************************
    876  * Function     smp_br_select_next_key
    877  * Description  selects the next key to derive/send when BR/EDR transport is
    878  *              used.
    879  ******************************************************************************/
    880 void smp_br_select_next_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    881   uint8_t reason = SMP_SUCCESS;
    882   SMP_TRACE_DEBUG("%s role=%d (0-master) r_keys=0x%x i_keys=0x%x", __func__,
    883                   p_cb->role, p_cb->local_r_key, p_cb->local_i_key);
    884 
    885   if (p_cb->role == HCI_ROLE_SLAVE ||
    886       (!p_cb->local_r_key && p_cb->role == HCI_ROLE_MASTER)) {
    887     smp_key_pick_key(p_cb, p_data);
    888   }
    889 
    890   if (!p_cb->local_i_key && !p_cb->local_r_key) {
    891     /* state check to prevent re-entrance */
    892     if (smp_get_br_state() == SMP_BR_STATE_BOND_PENDING) {
    893       if (p_cb->total_tx_unacked == 0)
    894         smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &reason);
    895       else
    896         p_cb->wait_for_authorization_complete = true;
    897     }
    898   }
    899 }
    900 
    901 /*******************************************************************************
    902  * Function     smp_proc_enc_info
    903  * Description  process encryption information from peer device
    904  ******************************************************************************/
    905 void smp_proc_enc_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    906   uint8_t* p = (uint8_t*)p_data;
    907 
    908   SMP_TRACE_DEBUG("%s", __func__);
    909   STREAM_TO_ARRAY(p_cb->ltk, p, BT_OCTET16_LEN);
    910 
    911   smp_key_distribution(p_cb, NULL);
    912 }
    913 /*******************************************************************************
    914  * Function     smp_proc_master_id
    915  * Description  process master ID from slave device
    916  ******************************************************************************/
    917 void smp_proc_master_id(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    918   uint8_t* p = (uint8_t*)p_data;
    919   tBTM_LE_PENC_KEYS le_key;
    920 
    921   SMP_TRACE_DEBUG("%s", __func__);
    922   smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, true);
    923 
    924   STREAM_TO_UINT16(le_key.ediv, p);
    925   STREAM_TO_ARRAY(le_key.rand, p, BT_OCTET8_LEN);
    926 
    927   /* store the encryption keys from peer device */
    928   memcpy(le_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
    929   le_key.sec_level = p_cb->sec_level;
    930   le_key.key_size = p_cb->loc_enc_size;
    931 
    932   if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
    933       (p_cb->loc_auth_req & SMP_AUTH_BOND))
    934     btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC,
    935                         (tBTM_LE_KEY_VALUE*)&le_key, true);
    936 
    937   smp_key_distribution(p_cb, NULL);
    938 }
    939 
    940 /*******************************************************************************
    941  * Function     smp_proc_enc_info
    942  * Description  process identity information from peer device
    943  ******************************************************************************/
    944 void smp_proc_id_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    945   uint8_t* p = (uint8_t*)p_data;
    946 
    947   SMP_TRACE_DEBUG("%s", __func__);
    948   STREAM_TO_ARRAY(p_cb->tk, p, BT_OCTET16_LEN); /* reuse TK for IRK */
    949   smp_key_distribution_by_transport(p_cb, NULL);
    950 }
    951 
    952 /*******************************************************************************
    953  * Function     smp_proc_id_addr
    954  * Description  process identity address from peer device
    955  ******************************************************************************/
    956 void smp_proc_id_addr(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    957   uint8_t* p = (uint8_t*)p_data;
    958   tBTM_LE_PID_KEYS pid_key;
    959 
    960   SMP_TRACE_DEBUG("%s", __func__);
    961   smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ID, true);
    962 
    963   STREAM_TO_UINT8(pid_key.addr_type, p);
    964   STREAM_TO_BDADDR(pid_key.static_addr, p);
    965   memcpy(pid_key.irk, p_cb->tk, BT_OCTET16_LEN);
    966 
    967   /* to use as BD_ADDR for lk derived from ltk */
    968   p_cb->id_addr_rcvd = true;
    969   p_cb->id_addr_type = pid_key.addr_type;
    970   memcpy(p_cb->id_addr, pid_key.static_addr, BD_ADDR_LEN);
    971 
    972   /* store the ID key from peer device */
    973   if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
    974       (p_cb->loc_auth_req & SMP_AUTH_BOND))
    975     btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PID,
    976                         (tBTM_LE_KEY_VALUE*)&pid_key, true);
    977   smp_key_distribution_by_transport(p_cb, NULL);
    978 }
    979 
    980 /*******************************************************************************
    981  * Function     smp_proc_srk_info
    982  * Description  process security information from peer device
    983  ******************************************************************************/
    984 void smp_proc_srk_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
    985   tBTM_LE_PCSRK_KEYS le_key;
    986 
    987   SMP_TRACE_DEBUG("%s", __func__);
    988   smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_CSRK, true);
    989 
    990   /* save CSRK to security record */
    991   le_key.sec_level = p_cb->sec_level;
    992   maybe_non_aligned_memcpy(le_key.csrk, p_data,
    993                            BT_OCTET16_LEN);    /* get peer CSRK */
    994   le_key.counter = 0;                          /* initialize the peer counter */
    995 
    996   if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
    997       (p_cb->loc_auth_req & SMP_AUTH_BOND))
    998     btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PCSRK,
    999                         (tBTM_LE_KEY_VALUE*)&le_key, true);
   1000   smp_key_distribution_by_transport(p_cb, NULL);
   1001 }
   1002 
   1003 /*******************************************************************************
   1004  * Function     smp_proc_compare
   1005  * Description  process compare value
   1006  ******************************************************************************/
   1007 void smp_proc_compare(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
   1008   uint8_t reason;
   1009 
   1010   SMP_TRACE_DEBUG("%s", __func__);
   1011   if (!memcmp(p_cb->rconfirm, p_data->key.p_data, BT_OCTET16_LEN)) {
   1012     /* compare the max encryption key size, and save the smaller one for the
   1013      * link */
   1014     if (p_cb->peer_enc_size < p_cb->loc_enc_size)
   1015       p_cb->loc_enc_size = p_cb->peer_enc_size;
   1016 
   1017     if (p_cb->role == HCI_ROLE_SLAVE)
   1018       smp_sm_event(p_cb, SMP_RAND_EVT, NULL);
   1019     else {
   1020       /* master device always use received i/r key as keys to distribute */
   1021       p_cb->local_i_key = p_cb->peer_i_key;
   1022       p_cb->local_r_key = p_cb->peer_r_key;
   1023 
   1024       smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL);
   1025     }
   1026 
   1027   } else {
   1028     reason = p_cb->failure = SMP_CONFIRM_VALUE_ERR;
   1029     smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
   1030   }
   1031 }
   1032 
   1033 /*******************************************************************************
   1034  * Function     smp_proc_sl_key
   1035  * Description  process key ready events.
   1036  ******************************************************************************/
   1037 void smp_proc_sl_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
   1038   uint8_t key_type = p_data->key.key_type;
   1039 
   1040   SMP_TRACE_DEBUG("%s", __func__);
   1041   if (key_type == SMP_KEY_TYPE_TK) {
   1042     smp_generate_srand_mrand_confirm(p_cb, NULL);
   1043   } else if (key_type == SMP_KEY_TYPE_CFM) {
   1044     smp_set_state(SMP_STATE_WAIT_CONFIRM);
   1045 
   1046     if (p_cb->flags & SMP_PAIR_FLAGS_CMD_CONFIRM)
   1047       smp_sm_event(p_cb, SMP_CONFIRM_EVT, NULL);
   1048   }
   1049 }
   1050 
   1051 /*******************************************************************************
   1052  * Function     smp_start_enc
   1053  * Description  start encryption
   1054  ******************************************************************************/
   1055 void smp_start_enc(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
   1056   tBTM_STATUS cmd;
   1057   uint8_t reason = SMP_ENC_FAIL;
   1058 
   1059   SMP_TRACE_DEBUG("%s", __func__);
   1060   if (p_data != NULL)
   1061     cmd = btm_ble_start_encrypt(p_cb->pairing_bda, true, p_data->key.p_data);
   1062   else
   1063     cmd = btm_ble_start_encrypt(p_cb->pairing_bda, false, NULL);
   1064 
   1065   if (cmd != BTM_CMD_STARTED && cmd != BTM_BUSY)
   1066     smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
   1067 }
   1068 
   1069 /*******************************************************************************
   1070  * Function     smp_proc_discard
   1071  * Description   processing for discard security request
   1072  ******************************************************************************/
   1073 void smp_proc_discard(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
   1074   SMP_TRACE_DEBUG("%s", __func__);
   1075   if (!(p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD))
   1076     smp_reset_control_value(p_cb);
   1077 }
   1078 
   1079 /*******************************************************************************
   1080  * Function     smp_enc_cmpl
   1081  * Description   encryption success
   1082  ******************************************************************************/
   1083 void smp_enc_cmpl(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
   1084   uint8_t enc_enable = *(uint8_t*)p_data;
   1085   uint8_t reason = enc_enable ? SMP_SUCCESS : SMP_ENC_FAIL;
   1086 
   1087   SMP_TRACE_DEBUG("%s", __func__);
   1088   smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
   1089 }
   1090 
   1091 /*******************************************************************************
   1092  * Function     smp_check_auth_req
   1093  * Description  check authentication request
   1094  ******************************************************************************/
   1095 void smp_check_auth_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
   1096   uint8_t enc_enable = *(uint8_t*)p_data;
   1097   uint8_t reason = enc_enable ? SMP_SUCCESS : SMP_ENC_FAIL;
   1098 
   1099   SMP_TRACE_DEBUG(
   1100       "%s rcvs enc_enable=%d i_keys=0x%x r_keys=0x%x "
   1101       "(i-initiator r-responder)",
   1102       __func__, enc_enable, p_cb->local_i_key, p_cb->local_r_key);
   1103   if (enc_enable == 1) {
   1104     if (p_cb->le_secure_connections_mode_is_used) {
   1105       /* In LE SC mode LTK is used instead of STK and has to be always saved */
   1106       p_cb->local_i_key |= SMP_SEC_KEY_TYPE_ENC;
   1107       p_cb->local_r_key |= SMP_SEC_KEY_TYPE_ENC;
   1108 
   1109       /* In LE SC mode LK is derived from LTK only if both sides request it */
   1110       if (!(p_cb->local_i_key & SMP_SEC_KEY_TYPE_LK) ||
   1111           !(p_cb->local_r_key & SMP_SEC_KEY_TYPE_LK)) {
   1112         p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
   1113         p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
   1114       }
   1115 
   1116       /* In LE SC mode only IRK, IAI, CSRK are exchanged with the peer.
   1117       ** Set local_r_key on master to expect only these keys.
   1118       */
   1119       if (p_cb->role == HCI_ROLE_MASTER) {
   1120         p_cb->local_r_key &= (SMP_SEC_KEY_TYPE_ID | SMP_SEC_KEY_TYPE_CSRK);
   1121       }
   1122     } else {
   1123       /* in legacy mode derivation of BR/EDR LK is not supported */
   1124       p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
   1125       p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
   1126     }
   1127     SMP_TRACE_DEBUG(
   1128         "%s rcvs upgrades: i_keys=0x%x r_keys=0x%x "
   1129         "(i-initiator r-responder)",
   1130         __func__, p_cb->local_i_key, p_cb->local_r_key);
   1131 
   1132     if (/*((p_cb->peer_auth_req & SMP_AUTH_BOND) ||
   1133          (p_cb->loc_auth_req & SMP_AUTH_BOND)) &&*/
   1134         (p_cb->local_i_key || p_cb->local_r_key)) {
   1135       smp_sm_event(p_cb, SMP_BOND_REQ_EVT, NULL);
   1136     } else
   1137       smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
   1138   } else if (enc_enable == 0) {
   1139     /* if failed for encryption after pairing, send callback */
   1140     if (p_cb->flags & SMP_PAIR_FLAG_ENC_AFTER_PAIR)
   1141       smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
   1142     /* if enc failed for old security information */
   1143     /* if master device, clean up and abck to idle; slave device do nothing */
   1144     else if (p_cb->role == HCI_ROLE_MASTER) {
   1145       smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
   1146     }
   1147   }
   1148 }
   1149 
   1150 /*******************************************************************************
   1151  * Function     smp_key_pick_key
   1152  * Description  Pick a key distribution function based on the key mask.
   1153  ******************************************************************************/
   1154 void smp_key_pick_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
   1155   uint8_t key_to_dist =
   1156       (p_cb->role == HCI_ROLE_SLAVE) ? p_cb->local_r_key : p_cb->local_i_key;
   1157   uint8_t i = 0;
   1158 
   1159   SMP_TRACE_DEBUG("%s key_to_dist=0x%x", __func__, key_to_dist);
   1160   while (i < SMP_KEY_DIST_TYPE_MAX) {
   1161     SMP_TRACE_DEBUG("key to send = %02x, i = %d", key_to_dist, i);
   1162 
   1163     if (key_to_dist & (1 << i)) {
   1164       SMP_TRACE_DEBUG("smp_distribute_act[%d]", i);
   1165       (*smp_distribute_act[i])(p_cb, p_data);
   1166       break;
   1167     }
   1168     i++;
   1169   }
   1170 }
   1171 /*******************************************************************************
   1172  * Function     smp_key_distribution
   1173  * Description  start key distribution if required.
   1174  ******************************************************************************/
   1175 void smp_key_distribution(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
   1176   SMP_TRACE_DEBUG("%s role=%d (0-master) r_keys=0x%x i_keys=0x%x", __func__,
   1177                   p_cb->role, p_cb->local_r_key, p_cb->local_i_key);
   1178 
   1179   if (p_cb->role == HCI_ROLE_SLAVE ||
   1180       (!p_cb->local_r_key && p_cb->role == HCI_ROLE_MASTER)) {
   1181     smp_key_pick_key(p_cb, p_data);
   1182   }
   1183 
   1184   if (!p_cb->local_i_key && !p_cb->local_r_key) {
   1185     /* state check to prevent re-entrant */
   1186     if (smp_get_state() == SMP_STATE_BOND_PENDING) {
   1187       if (p_cb->derive_lk) {
   1188         smp_derive_link_key_from_long_term_key(p_cb, NULL);
   1189         p_cb->derive_lk = false;
   1190       }
   1191 
   1192       if (p_cb->total_tx_unacked == 0) {
   1193         /*
   1194          * Instead of declaring authorization complete immediately,
   1195          * delay the event from being sent by SMP_DELAYED_AUTH_TIMEOUT_MS.
   1196          * This allows the slave to send over Pairing Failed if the
   1197          * last key is rejected.  During this waiting window, the
   1198          * state should remain in SMP_STATE_BOND_PENDING.
   1199          */
   1200         if (!alarm_is_scheduled(p_cb->delayed_auth_timer_ent)) {
   1201           SMP_TRACE_DEBUG("%s delaying auth complete.", __func__);
   1202           alarm_set_on_queue(
   1203               p_cb->delayed_auth_timer_ent, SMP_DELAYED_AUTH_TIMEOUT_MS,
   1204               smp_delayed_auth_complete_timeout, NULL, btu_general_alarm_queue);
   1205         }
   1206       } else {
   1207         p_cb->wait_for_authorization_complete = true;
   1208       }
   1209     }
   1210   }
   1211 }
   1212 
   1213 /*******************************************************************************
   1214  * Function         smp_decide_association_model
   1215  * Description      This function is called to select assoc model to be used for
   1216  *                  STK generation and to start STK generation process.
   1217  *
   1218  ******************************************************************************/
   1219 void smp_decide_association_model(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
   1220   uint8_t failure = SMP_UNKNOWN_IO_CAP;
   1221   uint8_t int_evt = 0;
   1222   tSMP_KEY key;
   1223   tSMP_INT_DATA* p = NULL;
   1224 
   1225   SMP_TRACE_DEBUG("%s Association Model = %d", __func__,
   1226                   p_cb->selected_association_model);
   1227 
   1228   switch (p_cb->selected_association_model) {
   1229     case SMP_MODEL_ENCRYPTION_ONLY: /* TK = 0, go calculate Confirm */
   1230       if (p_cb->role == HCI_ROLE_MASTER &&
   1231           ((p_cb->peer_auth_req & SMP_AUTH_YN_BIT) != 0) &&
   1232           ((p_cb->loc_auth_req & SMP_AUTH_YN_BIT) == 0)) {
   1233         SMP_TRACE_ERROR(
   1234             "IO capability does not meet authentication requirement");
   1235         failure = SMP_PAIR_AUTH_FAIL;
   1236         p = (tSMP_INT_DATA*)&failure;
   1237         int_evt = SMP_AUTH_CMPL_EVT;
   1238       } else {
   1239         p_cb->sec_level = SMP_SEC_UNAUTHENTICATE;
   1240         SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_UNAUTHENTICATE) ",
   1241                         p_cb->sec_level);
   1242 
   1243         key.key_type = SMP_KEY_TYPE_TK;
   1244         key.p_data = p_cb->tk;
   1245         p = (tSMP_INT_DATA*)&key;
   1246 
   1247         memset(p_cb->tk, 0, BT_OCTET16_LEN);
   1248         /* TK, ready  */
   1249         int_evt = SMP_KEY_READY_EVT;
   1250       }
   1251       break;
   1252 
   1253     case SMP_MODEL_PASSKEY:
   1254       p_cb->sec_level = SMP_SEC_AUTHENTICATED;
   1255       SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_AUTHENTICATED) ",
   1256                       p_cb->sec_level);
   1257 
   1258       p_cb->cb_evt = SMP_PASSKEY_REQ_EVT;
   1259       int_evt = SMP_TK_REQ_EVT;
   1260       break;
   1261 
   1262     case SMP_MODEL_OOB:
   1263       SMP_TRACE_ERROR("Association Model = SMP_MODEL_OOB");
   1264       p_cb->sec_level = SMP_SEC_AUTHENTICATED;
   1265       SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_AUTHENTICATED) ",
   1266                       p_cb->sec_level);
   1267 
   1268       p_cb->cb_evt = SMP_OOB_REQ_EVT;
   1269       int_evt = SMP_TK_REQ_EVT;
   1270       break;
   1271 
   1272     case SMP_MODEL_KEY_NOTIF:
   1273       p_cb->sec_level = SMP_SEC_AUTHENTICATED;
   1274       SMP_TRACE_DEBUG("Need to generate Passkey");
   1275 
   1276       /* generate passkey and notify application */
   1277       smp_generate_passkey(p_cb, NULL);
   1278       break;
   1279 
   1280     case SMP_MODEL_SEC_CONN_JUSTWORKS:
   1281     case SMP_MODEL_SEC_CONN_NUM_COMP:
   1282     case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
   1283     case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
   1284     case SMP_MODEL_SEC_CONN_OOB:
   1285       int_evt = SMP_PUBL_KEY_EXCH_REQ_EVT;
   1286       break;
   1287 
   1288     case SMP_MODEL_OUT_OF_RANGE:
   1289       SMP_TRACE_ERROR("Association Model = SMP_MODEL_OUT_OF_RANGE (failed)");
   1290       p = (tSMP_INT_DATA*)&failure;
   1291       int_evt = SMP_AUTH_CMPL_EVT;
   1292       break;
   1293 
   1294     default:
   1295       SMP_TRACE_ERROR(
   1296           "Association Model = %d (SOMETHING IS WRONG WITH THE CODE)",
   1297           p_cb->selected_association_model);
   1298       p = (tSMP_INT_DATA*)&failure;
   1299       int_evt = SMP_AUTH_CMPL_EVT;
   1300   }
   1301 
   1302   SMP_TRACE_EVENT("sec_level=%d ", p_cb->sec_level);
   1303   if (int_evt) smp_sm_event(p_cb, int_evt, p);
   1304 }
   1305 
   1306 /*******************************************************************************
   1307  * Function     smp_process_io_response
   1308  * Description  process IO response for a slave device.
   1309  ******************************************************************************/
   1310 void smp_process_io_response(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
   1311   uint8_t reason = SMP_PAIR_AUTH_FAIL;
   1312 
   1313   SMP_TRACE_DEBUG("%s", __func__);
   1314   if (p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD) {
   1315     /* pairing started by local (slave) Security Request */
   1316     smp_set_state(SMP_STATE_SEC_REQ_PENDING);
   1317     smp_send_cmd(SMP_OPCODE_SEC_REQ, p_cb);
   1318   } else /* plan to send pairing respond */
   1319   {
   1320     /* pairing started by peer (master) Pairing Request */
   1321     p_cb->selected_association_model = smp_select_association_model(p_cb);
   1322 
   1323     if (p_cb->secure_connections_only_mode_required &&
   1324         (!(p_cb->le_secure_connections_mode_is_used) ||
   1325          (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS))) {
   1326       SMP_TRACE_ERROR(
   1327           "Slave requires secure connection only mode \
   1328                               but it can't be provided -> Slave fails pairing");
   1329       smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
   1330       return;
   1331     }
   1332 
   1333     if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) {
   1334       if (smp_request_oob_data(p_cb)) return;
   1335     }
   1336 
   1337     // PTS Testing failure modes
   1338     if (pts_test_send_authentication_complete_failure(p_cb)) return;
   1339 
   1340     smp_send_pair_rsp(p_cb, NULL);
   1341   }
   1342 }
   1343 
   1344 /*******************************************************************************
   1345  * Function     smp_br_process_slave_keys_response
   1346  * Description  process application keys response for a slave device
   1347  *              (BR/EDR transport).
   1348  ******************************************************************************/
   1349 void smp_br_process_slave_keys_response(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
   1350   smp_br_send_pair_response(p_cb, NULL);
   1351 }
   1352 
   1353 /*******************************************************************************
   1354  * Function     smp_br_send_pair_response
   1355  * Description  actions related to sending pairing response over BR/EDR
   1356  *              transport.
   1357  ******************************************************************************/
   1358 void smp_br_send_pair_response(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
   1359   SMP_TRACE_DEBUG("%s", __func__);
   1360 
   1361   p_cb->local_i_key &= p_cb->peer_i_key;
   1362   p_cb->local_r_key &= p_cb->peer_r_key;
   1363 
   1364   smp_send_cmd(SMP_OPCODE_PAIRING_RSP, p_cb);
   1365 }
   1366 
   1367 /*******************************************************************************
   1368  * Function         smp_pairing_cmpl
   1369  * Description      This function is called to send the pairing complete
   1370  *                  callback and remove the connection if needed.
   1371  ******************************************************************************/
   1372 void smp_pairing_cmpl(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
   1373   if (p_cb->total_tx_unacked == 0) {
   1374     /* process the pairing complete */
   1375     smp_proc_pairing_cmpl(p_cb);
   1376   }
   1377 }
   1378 
   1379 /*******************************************************************************
   1380  * Function         smp_pair_terminate
   1381  * Description      This function is called to send the pairing complete
   1382  *                  callback and remove the connection if needed.
   1383  ******************************************************************************/
   1384 void smp_pair_terminate(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
   1385   SMP_TRACE_DEBUG("%s", __func__);
   1386   p_cb->status = SMP_CONN_TOUT;
   1387   smp_proc_pairing_cmpl(p_cb);
   1388 }
   1389 
   1390 /*******************************************************************************
   1391  * Function         smp_idle_terminate
   1392  * Description      This function calledin idle state to determine to send
   1393  *                  authentication complete or not.
   1394  ******************************************************************************/
   1395 void smp_idle_terminate(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
   1396   if (p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD) {
   1397     SMP_TRACE_DEBUG("Pairing terminated at IDLE state.");
   1398     p_cb->status = SMP_FAIL;
   1399     smp_proc_pairing_cmpl(p_cb);
   1400   }
   1401 }
   1402 
   1403 /*******************************************************************************
   1404  * Function     smp_fast_conn_param
   1405  * Description  apply default connection parameter for pairing process
   1406  ******************************************************************************/
   1407 void smp_fast_conn_param(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
   1408   /* Disable L2CAP connection parameter updates while bonding since
   1409      some peripherals are not able to revert to fast connection parameters
   1410      during the start of service discovery. Connection paramter updates
   1411      get enabled again once service discovery completes. */
   1412   L2CA_EnableUpdateBleConnParams(p_cb->pairing_bda, false);
   1413 }
   1414 
   1415 /*******************************************************************************
   1416  * Function     smp_both_have_public_keys
   1417  * Description  The function is called when both local and peer public keys are
   1418  *              saved.
   1419  *              Actions:
   1420  *              - invokes DHKey computation;
   1421  *              - on slave side invokes sending local public key to the peer.
   1422  *              - invokes SC phase 1 process.
   1423  ******************************************************************************/
   1424 void smp_both_have_public_keys(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
   1425   SMP_TRACE_DEBUG("%s", __func__);
   1426 
   1427   /* invokes DHKey computation */
   1428   smp_compute_dhkey(p_cb);
   1429 
   1430   /* on slave side invokes sending local public key to the peer */
   1431   if (p_cb->role == HCI_ROLE_SLAVE) smp_send_pair_public_key(p_cb, NULL);
   1432 
   1433   smp_sm_event(p_cb, SMP_SC_DHKEY_CMPLT_EVT, NULL);
   1434 }
   1435 
   1436 /*******************************************************************************
   1437  * Function     smp_start_secure_connection_phase1
   1438  * Description  Start Secure Connection phase1 i.e. invokes initialization of
   1439  *              Secure Connection phase 1 parameters and starts building/sending
   1440  *              to the peer messages appropriate for the role and association
   1441  *              model.
   1442  ******************************************************************************/
   1443 void smp_start_secure_connection_phase1(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
   1444   SMP_TRACE_DEBUG("%s", __func__);
   1445 
   1446   if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS) {
   1447     p_cb->sec_level = SMP_SEC_UNAUTHENTICATE;
   1448     SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_UNAUTHENTICATE) ",
   1449                     p_cb->sec_level);
   1450   } else {
   1451     p_cb->sec_level = SMP_SEC_AUTHENTICATED;
   1452     SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_AUTHENTICATED) ",
   1453                     p_cb->sec_level);
   1454   }
   1455 
   1456   switch (p_cb->selected_association_model) {
   1457     case SMP_MODEL_SEC_CONN_JUSTWORKS:
   1458     case SMP_MODEL_SEC_CONN_NUM_COMP:
   1459       memset(p_cb->local_random, 0, BT_OCTET16_LEN);
   1460       smp_start_nonce_generation(p_cb);
   1461       break;
   1462     case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
   1463       /* user has to provide passkey */
   1464       p_cb->cb_evt = SMP_PASSKEY_REQ_EVT;
   1465       smp_sm_event(p_cb, SMP_TK_REQ_EVT, NULL);
   1466       break;
   1467     case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
   1468       /* passkey has to be provided to user */
   1469       SMP_TRACE_DEBUG("Need to generate SC Passkey");
   1470       smp_generate_passkey(p_cb, NULL);
   1471       break;
   1472     case SMP_MODEL_SEC_CONN_OOB:
   1473       /* use the available OOB information */
   1474       smp_process_secure_connection_oob_data(p_cb, NULL);
   1475       break;
   1476     default:
   1477       SMP_TRACE_ERROR("Association Model = %d is not used in LE SC",
   1478                       p_cb->selected_association_model);
   1479       break;
   1480   }
   1481 }
   1482 
   1483 /*******************************************************************************
   1484  * Function     smp_process_local_nonce
   1485  * Description  The function processes new local nonce.
   1486  *
   1487  * Note         It is supposed to be called in SC phase1.
   1488  ******************************************************************************/
   1489 void smp_process_local_nonce(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
   1490   SMP_TRACE_DEBUG("%s", __func__);
   1491 
   1492   switch (p_cb->selected_association_model) {
   1493     case SMP_MODEL_SEC_CONN_JUSTWORKS:
   1494     case SMP_MODEL_SEC_CONN_NUM_COMP:
   1495       if (p_cb->role == HCI_ROLE_SLAVE) {
   1496         /* slave calculates and sends local commitment */
   1497         smp_calculate_local_commitment(p_cb);
   1498         smp_send_commitment(p_cb, NULL);
   1499         /* slave has to wait for peer nonce */
   1500         smp_set_state(SMP_STATE_WAIT_NONCE);
   1501       } else /* i.e. master */
   1502       {
   1503         if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_COMM) {
   1504           /* slave commitment is already received, send local nonce, wait for
   1505            * remote nonce*/
   1506           SMP_TRACE_DEBUG(
   1507               "master in assoc mode = %d \
   1508                     already rcvd slave commitment - race condition",
   1509               p_cb->selected_association_model);
   1510           p_cb->flags &= ~SMP_PAIR_FLAG_HAVE_PEER_COMM;
   1511           smp_send_rand(p_cb, NULL);
   1512           smp_set_state(SMP_STATE_WAIT_NONCE);
   1513         }
   1514       }
   1515       break;
   1516     case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
   1517     case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
   1518       smp_calculate_local_commitment(p_cb);
   1519 
   1520       if (p_cb->role == HCI_ROLE_MASTER) {
   1521         smp_send_commitment(p_cb, NULL);
   1522       } else /* slave */
   1523       {
   1524         if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_COMM) {
   1525           /* master commitment is already received */
   1526           smp_send_commitment(p_cb, NULL);
   1527           smp_set_state(SMP_STATE_WAIT_NONCE);
   1528         }
   1529       }
   1530       break;
   1531     case SMP_MODEL_SEC_CONN_OOB:
   1532       if (p_cb->role == HCI_ROLE_MASTER) {
   1533         smp_send_rand(p_cb, NULL);
   1534       }
   1535 
   1536       smp_set_state(SMP_STATE_WAIT_NONCE);
   1537       break;
   1538     default:
   1539       SMP_TRACE_ERROR("Association Model = %d is not used in LE SC",
   1540                       p_cb->selected_association_model);
   1541       break;
   1542   }
   1543 }
   1544 
   1545 /*******************************************************************************
   1546  * Function     smp_process_peer_nonce
   1547  * Description  The function processes newly received and saved in CB peer
   1548  *              nonce. The actions depend on the selected association model and
   1549  *              the role.
   1550  *
   1551  * Note         It is supposed to be called in SC phase1.
   1552  ******************************************************************************/
   1553 void smp_process_peer_nonce(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
   1554   uint8_t reason;
   1555 
   1556   SMP_TRACE_DEBUG("%s start ", __func__);
   1557 
   1558   // PTS Testing failure modes
   1559   if (p_cb->cert_failure == 1) {
   1560     SMP_TRACE_ERROR("%s failure case = %d", __func__, p_cb->cert_failure);
   1561     reason = p_cb->failure = SMP_CONFIRM_VALUE_ERR;
   1562     smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
   1563     return;
   1564   }
   1565 
   1566   switch (p_cb->selected_association_model) {
   1567     case SMP_MODEL_SEC_CONN_JUSTWORKS:
   1568     case SMP_MODEL_SEC_CONN_NUM_COMP:
   1569       /* in these models only master receives commitment */
   1570       if (p_cb->role == HCI_ROLE_MASTER) {
   1571         if (!smp_check_commitment(p_cb)) {
   1572           reason = p_cb->failure = SMP_CONFIRM_VALUE_ERR;
   1573           smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
   1574           break;
   1575         }
   1576       } else {
   1577         /* slave sends local nonce */
   1578         smp_send_rand(p_cb, NULL);
   1579       }
   1580 
   1581       if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS) {
   1582         /* go directly to phase 2 */
   1583         smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
   1584       } else /* numeric comparison */
   1585       {
   1586         smp_set_state(SMP_STATE_WAIT_NONCE);
   1587         smp_sm_event(p_cb, SMP_SC_CALC_NC_EVT, NULL);
   1588       }
   1589       break;
   1590     case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
   1591     case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
   1592       if (!smp_check_commitment(p_cb) && p_cb->cert_failure != 9) {
   1593         reason = p_cb->failure = SMP_CONFIRM_VALUE_ERR;
   1594         smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
   1595         break;
   1596       }
   1597 
   1598       if (p_cb->role == HCI_ROLE_SLAVE) {
   1599         smp_send_rand(p_cb, NULL);
   1600       }
   1601 
   1602       if (++p_cb->round < 20) {
   1603         smp_set_state(SMP_STATE_SEC_CONN_PHS1_START);
   1604         p_cb->flags &= ~SMP_PAIR_FLAG_HAVE_PEER_COMM;
   1605         smp_start_nonce_generation(p_cb);
   1606         break;
   1607       }
   1608 
   1609       smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
   1610       break;
   1611     case SMP_MODEL_SEC_CONN_OOB:
   1612       if (p_cb->role == HCI_ROLE_SLAVE) {
   1613         smp_send_rand(p_cb, NULL);
   1614       }
   1615 
   1616       smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
   1617       break;
   1618     default:
   1619       SMP_TRACE_ERROR("Association Model = %d is not used in LE SC",
   1620                       p_cb->selected_association_model);
   1621       break;
   1622   }
   1623 
   1624   SMP_TRACE_DEBUG("%s end ", __func__);
   1625 }
   1626 
   1627 /*******************************************************************************
   1628  * Function     smp_match_dhkey_checks
   1629  * Description  checks if the calculated peer DHKey Check value is the same as
   1630  *              received from the peer DHKey check value.
   1631  ******************************************************************************/
   1632 void smp_match_dhkey_checks(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
   1633   uint8_t reason = SMP_DHKEY_CHK_FAIL;
   1634 
   1635   SMP_TRACE_DEBUG("%s", __func__);
   1636 
   1637   if (memcmp(p_data->key.p_data, p_cb->remote_dhkey_check, BT_OCTET16_LEN)) {
   1638     SMP_TRACE_WARNING("dhkey chcks do no match");
   1639     p_cb->failure = reason;
   1640     smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
   1641     return;
   1642   }
   1643 
   1644   SMP_TRACE_EVENT("dhkey chcks match");
   1645 
   1646   /* compare the max encryption key size, and save the smaller one for the link
   1647    */
   1648   if (p_cb->peer_enc_size < p_cb->loc_enc_size)
   1649     p_cb->loc_enc_size = p_cb->peer_enc_size;
   1650 
   1651   if (p_cb->role == HCI_ROLE_SLAVE) {
   1652     smp_sm_event(p_cb, SMP_PAIR_DHKEY_CHCK_EVT, NULL);
   1653   } else {
   1654     /* master device always use received i/r key as keys to distribute */
   1655     p_cb->local_i_key = p_cb->peer_i_key;
   1656     p_cb->local_r_key = p_cb->peer_r_key;
   1657     smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL);
   1658   }
   1659 }
   1660 
   1661 /*******************************************************************************
   1662  * Function     smp_move_to_secure_connections_phase2
   1663  * Description  Signal State Machine to start SC phase 2 initialization (to
   1664  *              compute local DHKey Check value).
   1665  *
   1666  * Note         SM is supposed to be in the state SMP_STATE_SEC_CONN_PHS2_START.
   1667  ******************************************************************************/
   1668 void smp_move_to_secure_connections_phase2(tSMP_CB* p_cb,
   1669                                            tSMP_INT_DATA* p_data) {
   1670   SMP_TRACE_DEBUG("%s", __func__);
   1671   smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
   1672 }
   1673 
   1674 /*******************************************************************************
   1675  * Function     smp_phase_2_dhkey_checks_are_present
   1676  * Description  generates event if dhkey check from the peer is already
   1677  *              received.
   1678  *
   1679  * Note         It is supposed to be used on slave to prevent race condition.
   1680  *              It is supposed to be called after slave dhkey check is
   1681  *              calculated.
   1682  ******************************************************************************/
   1683 void smp_phase_2_dhkey_checks_are_present(tSMP_CB* p_cb,
   1684                                           tSMP_INT_DATA* p_data) {
   1685   SMP_TRACE_DEBUG("%s", __func__);
   1686 
   1687   if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_DHK_CHK)
   1688     smp_sm_event(p_cb, SMP_SC_2_DHCK_CHKS_PRES_EVT, NULL);
   1689 }
   1690 
   1691 /*******************************************************************************
   1692  * Function     smp_wait_for_both_public_keys
   1693  * Description  generates SMP_BOTH_PUBL_KEYS_RCVD_EVT event when both local and
   1694  *              master public keys are available.
   1695  *
   1696  * Note         on the slave it is used to prevent race condition.
   1697  *
   1698  ******************************************************************************/
   1699 void smp_wait_for_both_public_keys(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
   1700   SMP_TRACE_DEBUG("%s", __func__);
   1701 
   1702   if ((p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_PUBL_KEY) &&
   1703       (p_cb->flags & SMP_PAIR_FLAG_HAVE_LOCAL_PUBL_KEY)) {
   1704     if ((p_cb->role == HCI_ROLE_SLAVE) &&
   1705         ((p_cb->req_oob_type == SMP_OOB_LOCAL) ||
   1706          (p_cb->req_oob_type == SMP_OOB_BOTH))) {
   1707       smp_set_state(SMP_STATE_PUBLIC_KEY_EXCH);
   1708     }
   1709     smp_sm_event(p_cb, SMP_BOTH_PUBL_KEYS_RCVD_EVT, NULL);
   1710   }
   1711 }
   1712 
   1713 /*******************************************************************************
   1714  * Function     smp_start_passkey_verification
   1715  * Description  Starts SC passkey entry verification.
   1716  ******************************************************************************/
   1717 void smp_start_passkey_verification(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
   1718   uint8_t* p = NULL;
   1719 
   1720   SMP_TRACE_DEBUG("%s", __func__);
   1721   p = p_cb->local_random;
   1722   UINT32_TO_STREAM(p, p_data->passkey);
   1723 
   1724   p = p_cb->peer_random;
   1725   UINT32_TO_STREAM(p, p_data->passkey);
   1726 
   1727   p_cb->round = 0;
   1728   smp_start_nonce_generation(p_cb);
   1729 }
   1730 
   1731 /*******************************************************************************
   1732  * Function     smp_process_secure_connection_oob_data
   1733  * Description  Processes local/peer SC OOB data received from somewhere.
   1734  ******************************************************************************/
   1735 void smp_process_secure_connection_oob_data(tSMP_CB* p_cb,
   1736                                             tSMP_INT_DATA* p_data) {
   1737   SMP_TRACE_DEBUG("%s", __func__);
   1738 
   1739   tSMP_SC_OOB_DATA* p_sc_oob_data = &p_cb->sc_oob_data;
   1740   if (p_sc_oob_data->loc_oob_data.present) {
   1741     memcpy(p_cb->local_random, p_sc_oob_data->loc_oob_data.randomizer,
   1742            sizeof(p_cb->local_random));
   1743   } else {
   1744     SMP_TRACE_EVENT("%s: local OOB randomizer is absent", __func__);
   1745     memset(p_cb->local_random, 0, sizeof(p_cb->local_random));
   1746   }
   1747 
   1748   if (!p_sc_oob_data->peer_oob_data.present) {
   1749     SMP_TRACE_EVENT("%s: peer OOB data is absent", __func__);
   1750     memset(p_cb->peer_random, 0, sizeof(p_cb->peer_random));
   1751   } else {
   1752     memcpy(p_cb->peer_random, p_sc_oob_data->peer_oob_data.randomizer,
   1753            sizeof(p_cb->peer_random));
   1754     memcpy(p_cb->remote_commitment, p_sc_oob_data->peer_oob_data.commitment,
   1755            sizeof(p_cb->remote_commitment));
   1756 
   1757     uint8_t reason = SMP_CONFIRM_VALUE_ERR;
   1758     /* check commitment */
   1759     if (!smp_check_commitment(p_cb)) {
   1760       p_cb->failure = reason;
   1761       smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
   1762       return;
   1763     }
   1764 
   1765     if (p_cb->peer_oob_flag != SMP_OOB_PRESENT) {
   1766       /* the peer doesn't have local randomiser */
   1767       SMP_TRACE_EVENT(
   1768           "%s: peer didn't receive local OOB data, set local randomizer to 0",
   1769           __func__);
   1770       memset(p_cb->local_random, 0, sizeof(p_cb->local_random));
   1771     }
   1772   }
   1773 
   1774   print128(p_cb->local_random, (const uint8_t*)"local OOB randomizer");
   1775   print128(p_cb->peer_random, (const uint8_t*)"peer OOB randomizer");
   1776   smp_start_nonce_generation(p_cb);
   1777 }
   1778 
   1779 /*******************************************************************************
   1780  * Function     smp_set_local_oob_keys
   1781  * Description  Saves calculated private/public keys in
   1782  *              sc_oob_data.loc_oob_data, starts nonce generation
   1783  *              (to be saved in sc_oob_data.loc_oob_data.randomizer).
   1784  ******************************************************************************/
   1785 void smp_set_local_oob_keys(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
   1786   SMP_TRACE_DEBUG("%s", __func__);
   1787 
   1788   memcpy(p_cb->sc_oob_data.loc_oob_data.private_key_used, p_cb->private_key,
   1789          BT_OCTET32_LEN);
   1790   p_cb->sc_oob_data.loc_oob_data.publ_key_used = p_cb->loc_publ_key;
   1791   smp_start_nonce_generation(p_cb);
   1792 }
   1793 
   1794 /*******************************************************************************
   1795  * Function     smp_set_local_oob_random_commitment
   1796  * Description  Saves calculated randomizer and commitment in
   1797  *              sc_oob_data.loc_oob_data, passes sc_oob_data.loc_oob_data up
   1798  *              for safekeeping.
   1799  ******************************************************************************/
   1800 void smp_set_local_oob_random_commitment(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
   1801   SMP_TRACE_DEBUG("%s", __func__);
   1802   memcpy(p_cb->sc_oob_data.loc_oob_data.randomizer, p_cb->rand, BT_OCTET16_LEN);
   1803 
   1804   smp_calculate_f4(p_cb->sc_oob_data.loc_oob_data.publ_key_used.x,
   1805                    p_cb->sc_oob_data.loc_oob_data.publ_key_used.x,
   1806                    p_cb->sc_oob_data.loc_oob_data.randomizer, 0,
   1807                    p_cb->sc_oob_data.loc_oob_data.commitment);
   1808 
   1809 #if (SMP_DEBUG == TRUE)
   1810   uint8_t* p_print = NULL;
   1811   SMP_TRACE_DEBUG("local SC OOB data set:");
   1812   p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.addr_sent_to;
   1813   smp_debug_print_nbyte_little_endian(p_print, "addr_sent_to",
   1814                                       sizeof(tBLE_BD_ADDR));
   1815   p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.private_key_used;
   1816   smp_debug_print_nbyte_little_endian(p_print, "private_key_used",
   1817                                       BT_OCTET32_LEN);
   1818   p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.publ_key_used.x;
   1819   smp_debug_print_nbyte_little_endian(p_print, "publ_key_used.x",
   1820                                       BT_OCTET32_LEN);
   1821   p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.publ_key_used.y;
   1822   smp_debug_print_nbyte_little_endian(p_print, "publ_key_used.y",
   1823                                       BT_OCTET32_LEN);
   1824   p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.randomizer;
   1825   smp_debug_print_nbyte_little_endian(p_print, "randomizer", BT_OCTET16_LEN);
   1826   p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.commitment;
   1827   smp_debug_print_nbyte_little_endian(p_print, "commitment", BT_OCTET16_LEN);
   1828   SMP_TRACE_DEBUG("");
   1829 #endif
   1830 
   1831   /* pass created OOB data up */
   1832   p_cb->cb_evt = SMP_SC_LOC_OOB_DATA_UP_EVT;
   1833   smp_send_app_cback(p_cb, NULL);
   1834 
   1835   smp_cb_cleanup(p_cb);
   1836 }
   1837 
   1838 /*******************************************************************************
   1839  *
   1840  * Function         smp_link_encrypted
   1841  *
   1842  * Description      This function is called when link is encrypted and notified
   1843  *                  to the slave device. Proceed to to send LTK, DIV and ER to
   1844  *                  master if bonding the devices.
   1845  *
   1846  *
   1847  * Returns          void
   1848  *
   1849  ******************************************************************************/
   1850 void smp_link_encrypted(BD_ADDR bda, uint8_t encr_enable) {
   1851   tSMP_CB* p_cb = &smp_cb;
   1852 
   1853   SMP_TRACE_DEBUG("%s encr_enable=%d", __func__, encr_enable);
   1854 
   1855   if (memcmp(&smp_cb.pairing_bda[0], bda, BD_ADDR_LEN) == 0) {
   1856     /* encryption completed with STK, remmeber the key size now, could be
   1857     * overwite
   1858     *  when key exchange happens                                        */
   1859     if (p_cb->loc_enc_size != 0 && encr_enable) {
   1860       /* update the link encryption key size if a SMP pairing just performed */
   1861       btm_ble_update_sec_key_size(bda, p_cb->loc_enc_size);
   1862     }
   1863 
   1864     smp_sm_event(&smp_cb, SMP_ENCRYPTED_EVT, &encr_enable);
   1865   }
   1866 }
   1867 
   1868 /*******************************************************************************
   1869  *
   1870  * Function         smp_proc_ltk_request
   1871  *
   1872  * Description      This function is called when LTK request is received from
   1873  *                  controller.
   1874  *
   1875  * Returns          void
   1876  *
   1877  ******************************************************************************/
   1878 bool smp_proc_ltk_request(BD_ADDR bda) {
   1879   SMP_TRACE_DEBUG("%s state = %d", __func__, smp_cb.state);
   1880   bool match = false;
   1881 
   1882   if (!memcmp(bda, smp_cb.pairing_bda, BD_ADDR_LEN)) {
   1883     match = true;
   1884   } else {
   1885     BD_ADDR dummy_bda = {0};
   1886     tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda);
   1887     if (p_dev_rec != NULL &&
   1888         0 == memcmp(p_dev_rec->ble.pseudo_addr, smp_cb.pairing_bda,
   1889                     BD_ADDR_LEN) &&
   1890         0 != memcmp(p_dev_rec->ble.pseudo_addr, dummy_bda, BD_ADDR_LEN)) {
   1891       match = true;
   1892     }
   1893   }
   1894 
   1895   if (match && smp_cb.state == SMP_STATE_ENCRYPTION_PENDING) {
   1896     smp_sm_event(&smp_cb, SMP_ENC_REQ_EVT, NULL);
   1897     return true;
   1898   }
   1899 
   1900   return false;
   1901 }
   1902 
   1903 /*******************************************************************************
   1904  *
   1905  * Function         smp_process_secure_connection_long_term_key
   1906  *
   1907  * Description      This function is called to process SC LTK.
   1908  *                  SC LTK is calculated and used instead of STK.
   1909  *                  Here SC LTK is saved in BLE DB.
   1910  *
   1911  * Returns          void
   1912  *
   1913  ******************************************************************************/
   1914 void smp_process_secure_connection_long_term_key(void) {
   1915   tSMP_CB* p_cb = &smp_cb;
   1916 
   1917   SMP_TRACE_DEBUG("%s", __func__);
   1918   smp_save_secure_connections_long_term_key(p_cb);
   1919 
   1920   smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, false);
   1921   smp_key_distribution(p_cb, NULL);
   1922 }
   1923 
   1924 /*******************************************************************************
   1925  *
   1926  * Function         smp_set_derive_link_key
   1927  *
   1928  * Description      This function is called to set flag that indicates that
   1929  *                  BR/EDR LK has to be derived from LTK after all keys are
   1930  *                  distributed.
   1931  *
   1932  * Returns          void
   1933  *
   1934  ******************************************************************************/
   1935 void smp_set_derive_link_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
   1936   SMP_TRACE_DEBUG("%s", __func__);
   1937   p_cb->derive_lk = true;
   1938   smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_LK, false);
   1939   smp_key_distribution(p_cb, NULL);
   1940 }
   1941 
   1942 /*******************************************************************************
   1943  *
   1944  * Function         smp_derive_link_key_from_long_term_key
   1945  *
   1946  * Description      This function is called to derive BR/EDR LK from LTK.
   1947  *
   1948  * Returns          void
   1949  *
   1950  ******************************************************************************/
   1951 void smp_derive_link_key_from_long_term_key(tSMP_CB* p_cb,
   1952                                             tSMP_INT_DATA* p_data) {
   1953   tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN;
   1954 
   1955   SMP_TRACE_DEBUG("%s", __func__);
   1956   if (!smp_calculate_link_key_from_long_term_key(p_cb)) {
   1957     SMP_TRACE_ERROR("%s failed", __func__);
   1958     smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &status);
   1959     return;
   1960   }
   1961 }
   1962 
   1963 /*******************************************************************************
   1964  *
   1965  * Function         smp_br_process_link_key
   1966  *
   1967  * Description      This function is called to process BR/EDR LK:
   1968  *                  - to derive SMP LTK from BR/EDR LK;
   1969 *8                  - to save SMP LTK.
   1970  *
   1971  * Returns          void
   1972  *
   1973  ******************************************************************************/
   1974 void smp_br_process_link_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
   1975   tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN;
   1976 
   1977   SMP_TRACE_DEBUG("%s", __func__);
   1978   if (!smp_calculate_long_term_key_from_link_key(p_cb)) {
   1979     SMP_TRACE_ERROR("%s failed", __func__);
   1980     smp_sm_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &status);
   1981     return;
   1982   }
   1983 
   1984   SMP_TRACE_DEBUG("%s: LTK derivation from LK successfully completed",
   1985                   __func__);
   1986   smp_save_secure_connections_long_term_key(p_cb);
   1987   smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, false);
   1988   smp_br_select_next_key(p_cb, NULL);
   1989 }
   1990 
   1991 /*******************************************************************************
   1992  * Function     smp_key_distribution_by_transport
   1993  * Description  depending on the transport used at the moment calls either
   1994  *              smp_key_distribution(...) or smp_br_key_distribution(...).
   1995  ******************************************************************************/
   1996 void smp_key_distribution_by_transport(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
   1997   SMP_TRACE_DEBUG("%s", __func__);
   1998   if (p_cb->smp_over_br) {
   1999     smp_br_select_next_key(p_cb, NULL);
   2000   } else {
   2001     smp_key_distribution(p_cb, NULL);
   2002   }
   2003 }
   2004 
   2005 /*******************************************************************************
   2006  * Function         smp_br_pairing_complete
   2007  * Description      This function is called to send the pairing complete
   2008  *                  callback and remove the connection if needed.
   2009  ******************************************************************************/
   2010 void smp_br_pairing_complete(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
   2011   SMP_TRACE_DEBUG("%s", __func__);
   2012 
   2013   if (p_cb->total_tx_unacked == 0) {
   2014     /* process the pairing complete */
   2015     smp_proc_pairing_cmpl(p_cb);
   2016   }
   2017 }
   2018