1 /****************************************************************************** 2 * 3 * Copyright (C) 2003-2012 Broadcom Corporation 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License"); 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at: 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 * 17 ******************************************************************************/ 18 19 #include <string.h> 20 #include "btif_common.h" 21 #include "device/include/interop.h" 22 #include "include/bt_target.h" 23 #include "stack/btm/btm_int.h" 24 #include "stack/include/l2c_api.h" 25 #include "stack/smp/smp_int.h" 26 #include "utils/include/bt_utils.h" 27 28 extern fixed_queue_t* btu_general_alarm_queue; 29 30 #define SMP_KEY_DIST_TYPE_MAX 4 31 const tSMP_ACT smp_distribute_act[] = {smp_generate_ltk, smp_send_id_info, 32 smp_generate_csrk, 33 smp_set_derive_link_key}; 34 35 static bool lmp_version_below(BD_ADDR bda, uint8_t version) { 36 tACL_CONN* acl = btm_bda_to_acl(bda, BT_TRANSPORT_LE); 37 if (acl == NULL || acl->lmp_version == 0) { 38 SMP_TRACE_WARNING("%s cannot retrieve LMP version...", __func__); 39 return false; 40 } 41 SMP_TRACE_WARNING("%s LMP version %d < %d", __func__, acl->lmp_version, 42 version); 43 return acl->lmp_version < version; 44 } 45 46 static bool pts_test_send_authentication_complete_failure(tSMP_CB* p_cb) { 47 uint8_t reason = 0; 48 49 if (p_cb->cert_failure < 2 || p_cb->cert_failure > 6) return false; 50 51 SMP_TRACE_ERROR("%s failure case = %d", __func__, p_cb->cert_failure); 52 53 switch (p_cb->cert_failure) { 54 case 2: 55 reason = SMP_PAIR_AUTH_FAIL; 56 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason); 57 break; 58 case 3: 59 reason = SMP_PAIR_FAIL_UNKNOWN; 60 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason); 61 break; 62 case 4: 63 reason = SMP_PAIR_NOT_SUPPORT; 64 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason); 65 break; 66 case 5: 67 reason = SMP_PASSKEY_ENTRY_FAIL; 68 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason); 69 break; 70 case 6: 71 reason = SMP_REPEATED_ATTEMPTS; 72 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason); 73 break; 74 } 75 76 return true; 77 ; 78 } 79 80 /******************************************************************************* 81 * Function smp_update_key_mask 82 * Description This function updates the key mask for sending or receiving. 83 ******************************************************************************/ 84 static void smp_update_key_mask(tSMP_CB* p_cb, uint8_t key_type, bool recv) { 85 SMP_TRACE_DEBUG( 86 "%s before update role=%d recv=%d local_i_key = %02x, local_r_key = %02x", 87 __func__, p_cb->role, recv, p_cb->local_i_key, p_cb->local_r_key); 88 89 if (((p_cb->le_secure_connections_mode_is_used) || (p_cb->smp_over_br)) && 90 ((key_type == SMP_SEC_KEY_TYPE_ENC) || 91 (key_type == SMP_SEC_KEY_TYPE_LK))) { 92 /* in LE SC mode LTK, CSRK and BR/EDR LK are derived locally instead of 93 ** being exchanged with the peer */ 94 p_cb->local_i_key &= ~key_type; 95 p_cb->local_r_key &= ~key_type; 96 } else if (p_cb->role == HCI_ROLE_SLAVE) { 97 if (recv) 98 p_cb->local_i_key &= ~key_type; 99 else 100 p_cb->local_r_key &= ~key_type; 101 } else { 102 if (recv) 103 p_cb->local_r_key &= ~key_type; 104 else 105 p_cb->local_i_key &= ~key_type; 106 } 107 108 SMP_TRACE_DEBUG("updated local_i_key = %02x, local_r_key = %02x", 109 p_cb->local_i_key, p_cb->local_r_key); 110 } 111 112 /******************************************************************************* 113 * Function smp_send_app_cback 114 * Description notifies application about the events the application is 115 * interested in 116 ******************************************************************************/ 117 void smp_send_app_cback(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 118 tSMP_EVT_DATA cb_data; 119 tSMP_STATUS callback_rc; 120 SMP_TRACE_DEBUG("%s p_cb->cb_evt=%d", __func__, p_cb->cb_evt); 121 if (p_cb->p_callback && p_cb->cb_evt != 0) { 122 switch (p_cb->cb_evt) { 123 case SMP_IO_CAP_REQ_EVT: 124 cb_data.io_req.auth_req = p_cb->peer_auth_req; 125 cb_data.io_req.oob_data = SMP_OOB_NONE; 126 cb_data.io_req.io_cap = SMP_DEFAULT_IO_CAPS; 127 cb_data.io_req.max_key_size = SMP_MAX_ENC_KEY_SIZE; 128 cb_data.io_req.init_keys = p_cb->local_i_key; 129 cb_data.io_req.resp_keys = p_cb->local_r_key; 130 SMP_TRACE_WARNING("io_cap = %d", cb_data.io_req.io_cap); 131 break; 132 133 case SMP_NC_REQ_EVT: 134 cb_data.passkey = p_data->passkey; 135 break; 136 case SMP_SC_OOB_REQ_EVT: 137 cb_data.req_oob_type = p_data->req_oob_type; 138 break; 139 case SMP_SC_LOC_OOB_DATA_UP_EVT: 140 cb_data.loc_oob_data = p_cb->sc_oob_data.loc_oob_data; 141 break; 142 143 case SMP_BR_KEYS_REQ_EVT: 144 cb_data.io_req.auth_req = 0; 145 cb_data.io_req.oob_data = SMP_OOB_NONE; 146 cb_data.io_req.io_cap = 0; 147 cb_data.io_req.max_key_size = SMP_MAX_ENC_KEY_SIZE; 148 cb_data.io_req.init_keys = SMP_BR_SEC_DEFAULT_KEY; 149 cb_data.io_req.resp_keys = SMP_BR_SEC_DEFAULT_KEY; 150 break; 151 152 default: 153 break; 154 } 155 156 callback_rc = 157 (*p_cb->p_callback)(p_cb->cb_evt, p_cb->pairing_bda, &cb_data); 158 159 SMP_TRACE_DEBUG("%s: callback_rc=%d p_cb->cb_evt=%d", __func__, 160 callback_rc, p_cb->cb_evt); 161 162 if (callback_rc == SMP_SUCCESS) { 163 switch (p_cb->cb_evt) { 164 case SMP_IO_CAP_REQ_EVT: 165 p_cb->loc_auth_req = cb_data.io_req.auth_req; 166 p_cb->local_io_capability = cb_data.io_req.io_cap; 167 p_cb->loc_oob_flag = cb_data.io_req.oob_data; 168 p_cb->loc_enc_size = cb_data.io_req.max_key_size; 169 p_cb->local_i_key = cb_data.io_req.init_keys; 170 p_cb->local_r_key = cb_data.io_req.resp_keys; 171 172 if (!(p_cb->loc_auth_req & SMP_AUTH_BOND)) { 173 SMP_TRACE_WARNING("Non bonding: No keys will be exchanged"); 174 p_cb->local_i_key = 0; 175 p_cb->local_r_key = 0; 176 } 177 178 SMP_TRACE_WARNING( 179 "rcvd auth_req: 0x%02x, io_cap: %d \ 180 loc_oob_flag: %d loc_enc_size: %d," 181 "local_i_key: 0x%02x, local_r_key: 0x%02x", 182 p_cb->loc_auth_req, p_cb->local_io_capability, p_cb->loc_oob_flag, 183 p_cb->loc_enc_size, p_cb->local_i_key, p_cb->local_r_key); 184 185 p_cb->secure_connections_only_mode_required = 186 (btm_cb.security_mode == BTM_SEC_MODE_SC) ? true : false; 187 188 if (p_cb->secure_connections_only_mode_required) { 189 p_cb->loc_auth_req |= SMP_SC_SUPPORT_BIT; 190 } 191 192 if (!(p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) || 193 lmp_version_below(p_cb->pairing_bda, HCI_PROTO_VERSION_4_2) || 194 interop_match_addr(INTEROP_DISABLE_LE_SECURE_CONNECTIONS, 195 (const bt_bdaddr_t*)&p_cb->pairing_bda)) { 196 p_cb->loc_auth_req &= ~SMP_KP_SUPPORT_BIT; 197 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK; 198 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK; 199 } 200 201 SMP_TRACE_WARNING( 202 "set auth_req: 0x%02x, local_i_key: 0x%02x, local_r_key: 0x%02x", 203 p_cb->loc_auth_req, p_cb->local_i_key, p_cb->local_r_key); 204 205 smp_sm_event(p_cb, SMP_IO_RSP_EVT, NULL); 206 break; 207 208 case SMP_BR_KEYS_REQ_EVT: 209 p_cb->loc_enc_size = cb_data.io_req.max_key_size; 210 p_cb->local_i_key = cb_data.io_req.init_keys; 211 p_cb->local_r_key = cb_data.io_req.resp_keys; 212 p_cb->loc_auth_req |= SMP_H7_SUPPORT_BIT; 213 214 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK; 215 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK; 216 217 SMP_TRACE_WARNING( 218 "for SMP over BR max_key_size: 0x%02x,\ 219 local_i_key: 0x%02x, local_r_key: 0x%02x, p_cb->loc_auth_req: 0x%02x", 220 p_cb->loc_enc_size, p_cb->local_i_key, p_cb->local_r_key, 221 p_cb->loc_auth_req); 222 223 smp_br_state_machine_event(p_cb, SMP_BR_KEYS_RSP_EVT, NULL); 224 break; 225 } 226 } 227 } 228 229 if (!p_cb->cb_evt && p_cb->discard_sec_req) { 230 p_cb->discard_sec_req = false; 231 smp_sm_event(p_cb, SMP_DISCARD_SEC_REQ_EVT, NULL); 232 } 233 234 SMP_TRACE_DEBUG("%s return", __func__); 235 } 236 237 /******************************************************************************* 238 * Function smp_send_pair_fail 239 * Description pairing failure to peer device if needed. 240 ******************************************************************************/ 241 void smp_send_pair_fail(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 242 p_cb->status = *(uint8_t*)p_data; 243 p_cb->failure = *(uint8_t*)p_data; 244 245 SMP_TRACE_DEBUG("%s status=%d failure=%d ", __func__, p_cb->status, 246 p_cb->failure); 247 248 if (p_cb->status <= SMP_MAX_FAIL_RSN_PER_SPEC && 249 p_cb->status != SMP_SUCCESS) { 250 smp_send_cmd(SMP_OPCODE_PAIRING_FAILED, p_cb); 251 p_cb->wait_for_authorization_complete = true; 252 } 253 } 254 255 /******************************************************************************* 256 * Function smp_send_pair_req 257 * Description actions related to sending pairing request 258 ******************************************************************************/ 259 void smp_send_pair_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 260 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda); 261 SMP_TRACE_DEBUG("%s", __func__); 262 263 /* erase all keys when master sends pairing req*/ 264 if (p_dev_rec) btm_sec_clear_ble_keys(p_dev_rec); 265 /* do not manipulate the key, let app decide, 266 leave out to BTM to mandate key distribution for bonding case */ 267 smp_send_cmd(SMP_OPCODE_PAIRING_REQ, p_cb); 268 } 269 270 /******************************************************************************* 271 * Function smp_send_pair_rsp 272 * Description actions related to sending pairing response 273 ******************************************************************************/ 274 void smp_send_pair_rsp(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 275 SMP_TRACE_DEBUG("%s", __func__); 276 277 p_cb->local_i_key &= p_cb->peer_i_key; 278 p_cb->local_r_key &= p_cb->peer_r_key; 279 280 if (smp_send_cmd(SMP_OPCODE_PAIRING_RSP, p_cb)) { 281 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) 282 smp_use_oob_private_key(p_cb, NULL); 283 else 284 smp_decide_association_model(p_cb, NULL); 285 } 286 } 287 288 /******************************************************************************* 289 * Function smp_send_confirm 290 * Description send confirmation to the peer 291 ******************************************************************************/ 292 void smp_send_confirm(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 293 SMP_TRACE_DEBUG("%s", __func__); 294 smp_send_cmd(SMP_OPCODE_CONFIRM, p_cb); 295 } 296 297 /******************************************************************************* 298 * Function smp_send_init 299 * Description process pairing initializer to slave device 300 ******************************************************************************/ 301 void smp_send_init(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 302 SMP_TRACE_DEBUG("%s", __func__); 303 smp_send_cmd(SMP_OPCODE_INIT, p_cb); 304 } 305 306 /******************************************************************************* 307 * Function smp_send_rand 308 * Description send pairing random to the peer 309 ******************************************************************************/ 310 void smp_send_rand(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 311 SMP_TRACE_DEBUG("%s", __func__); 312 smp_send_cmd(SMP_OPCODE_RAND, p_cb); 313 } 314 315 /******************************************************************************* 316 * Function smp_send_pair_public_key 317 * Description send pairing public key command to the peer 318 ******************************************************************************/ 319 void smp_send_pair_public_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 320 SMP_TRACE_DEBUG("%s", __func__); 321 smp_send_cmd(SMP_OPCODE_PAIR_PUBLIC_KEY, p_cb); 322 } 323 324 /******************************************************************************* 325 * Function SMP_SEND_COMMITMENT 326 * Description send commitment command to the peer 327 ******************************************************************************/ 328 void smp_send_commitment(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 329 SMP_TRACE_DEBUG("%s", __func__); 330 smp_send_cmd(SMP_OPCODE_PAIR_COMMITM, p_cb); 331 } 332 333 /******************************************************************************* 334 * Function smp_send_dhkey_check 335 * Description send DHKey Check command to the peer 336 ******************************************************************************/ 337 void smp_send_dhkey_check(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 338 SMP_TRACE_DEBUG("%s", __func__); 339 smp_send_cmd(SMP_OPCODE_PAIR_DHKEY_CHECK, p_cb); 340 } 341 342 /******************************************************************************* 343 * Function smp_send_keypress_notification 344 * Description send Keypress Notification command to the peer 345 ******************************************************************************/ 346 void smp_send_keypress_notification(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 347 p_cb->local_keypress_notification = *(uint8_t*)p_data; 348 smp_send_cmd(SMP_OPCODE_PAIR_KEYPR_NOTIF, p_cb); 349 } 350 351 /******************************************************************************* 352 * Function smp_send_enc_info 353 * Description send encryption information command. 354 ******************************************************************************/ 355 void smp_send_enc_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 356 tBTM_LE_LENC_KEYS le_key; 357 358 SMP_TRACE_DEBUG("%s p_cb->loc_enc_size = %d", __func__, p_cb->loc_enc_size); 359 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, false); 360 361 smp_send_cmd(SMP_OPCODE_ENCRYPT_INFO, p_cb); 362 smp_send_cmd(SMP_OPCODE_MASTER_ID, p_cb); 363 364 /* save the DIV and key size information when acting as slave device */ 365 memcpy(le_key.ltk, p_cb->ltk, BT_OCTET16_LEN); 366 le_key.div = p_cb->div; 367 le_key.key_size = p_cb->loc_enc_size; 368 le_key.sec_level = p_cb->sec_level; 369 370 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) && 371 (p_cb->loc_auth_req & SMP_AUTH_BOND)) 372 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC, 373 (tBTM_LE_KEY_VALUE*)&le_key, true); 374 375 SMP_TRACE_WARNING("%s", __func__); 376 377 smp_key_distribution(p_cb, NULL); 378 } 379 380 /******************************************************************************* 381 * Function smp_send_id_info 382 * Description send ID information command. 383 ******************************************************************************/ 384 void smp_send_id_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 385 tBTM_LE_KEY_VALUE le_key; 386 SMP_TRACE_DEBUG("%s", __func__); 387 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ID, false); 388 389 smp_send_cmd(SMP_OPCODE_IDENTITY_INFO, p_cb); 390 smp_send_cmd(SMP_OPCODE_ID_ADDR, p_cb); 391 392 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) && 393 (p_cb->loc_auth_req & SMP_AUTH_BOND)) 394 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LID, &le_key, true); 395 396 SMP_TRACE_WARNING("%s", __func__); 397 smp_key_distribution_by_transport(p_cb, NULL); 398 } 399 400 /******************************************************************************* 401 * Function smp_send_csrk_info 402 * Description send CSRK command. 403 ******************************************************************************/ 404 void smp_send_csrk_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 405 tBTM_LE_LCSRK_KEYS key; 406 SMP_TRACE_DEBUG("%s", __func__); 407 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_CSRK, false); 408 409 if (smp_send_cmd(SMP_OPCODE_SIGN_INFO, p_cb)) { 410 key.div = p_cb->div; 411 key.sec_level = p_cb->sec_level; 412 key.counter = 0; /* initialize the local counter */ 413 memcpy(key.csrk, p_cb->csrk, BT_OCTET16_LEN); 414 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LCSRK, 415 (tBTM_LE_KEY_VALUE*)&key, true); 416 } 417 418 smp_key_distribution_by_transport(p_cb, NULL); 419 } 420 421 /******************************************************************************* 422 * Function smp_send_ltk_reply 423 * Description send LTK reply 424 ******************************************************************************/ 425 void smp_send_ltk_reply(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 426 SMP_TRACE_DEBUG("%s", __func__); 427 /* send stk as LTK response */ 428 btm_ble_ltk_request_reply(p_cb->pairing_bda, true, p_data->key.p_data); 429 } 430 431 /******************************************************************************* 432 * Function smp_proc_sec_req 433 * Description process security request. 434 ******************************************************************************/ 435 void smp_proc_sec_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 436 tBTM_LE_AUTH_REQ auth_req = *(tBTM_LE_AUTH_REQ*)p_data; 437 tBTM_BLE_SEC_REQ_ACT sec_req_act; 438 uint8_t reason; 439 440 SMP_TRACE_DEBUG("%s auth_req=0x%x", __func__, auth_req); 441 442 p_cb->cb_evt = 0; 443 444 btm_ble_link_sec_check(p_cb->pairing_bda, auth_req, &sec_req_act); 445 446 SMP_TRACE_DEBUG("%s sec_req_act=0x%x", __func__, sec_req_act); 447 448 switch (sec_req_act) { 449 case BTM_BLE_SEC_REQ_ACT_ENCRYPT: 450 SMP_TRACE_DEBUG("%s BTM_BLE_SEC_REQ_ACT_ENCRYPT", __func__); 451 smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL); 452 break; 453 454 case BTM_BLE_SEC_REQ_ACT_PAIR: 455 p_cb->secure_connections_only_mode_required = 456 (btm_cb.security_mode == BTM_SEC_MODE_SC) ? true : false; 457 458 /* respond to non SC pairing request as failure in SC only mode */ 459 if (p_cb->secure_connections_only_mode_required && 460 (auth_req & SMP_SC_SUPPORT_BIT) == 0) { 461 reason = SMP_PAIR_AUTH_FAIL; 462 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason); 463 } else { 464 /* initialize local i/r key to be default keys */ 465 p_cb->peer_auth_req = auth_req; 466 p_cb->local_r_key = p_cb->local_i_key = SMP_SEC_DEFAULT_KEY; 467 p_cb->cb_evt = SMP_SEC_REQUEST_EVT; 468 } 469 break; 470 471 case BTM_BLE_SEC_REQ_ACT_DISCARD: 472 p_cb->discard_sec_req = true; 473 break; 474 475 default: 476 /* do nothing */ 477 break; 478 } 479 } 480 481 /******************************************************************************* 482 * Function smp_proc_sec_grant 483 * Description process security grant. 484 ******************************************************************************/ 485 void smp_proc_sec_grant(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 486 uint8_t res = *(uint8_t*)p_data; 487 SMP_TRACE_DEBUG("%s", __func__); 488 if (res != SMP_SUCCESS) { 489 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, p_data); 490 } else /*otherwise, start pairing */ 491 { 492 /* send IO request callback */ 493 p_cb->cb_evt = SMP_IO_CAP_REQ_EVT; 494 } 495 } 496 497 /******************************************************************************* 498 * Function smp_proc_pair_fail 499 * Description process pairing failure from peer device 500 ******************************************************************************/ 501 void smp_proc_pair_fail(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 502 SMP_TRACE_DEBUG("%s", __func__); 503 p_cb->status = *(uint8_t*)p_data; 504 505 /* Cancel pending auth complete timer if set */ 506 alarm_cancel(p_cb->delayed_auth_timer_ent); 507 } 508 509 /******************************************************************************* 510 * Function smp_proc_pair_cmd 511 * Description Process the SMP pairing request/response from peer device 512 ******************************************************************************/ 513 void smp_proc_pair_cmd(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 514 uint8_t* p = (uint8_t*)p_data; 515 uint8_t reason = SMP_ENC_KEY_SIZE; 516 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda); 517 518 SMP_TRACE_DEBUG("%s", __func__); 519 /* erase all keys if it is slave proc pairing req*/ 520 if (p_dev_rec && (p_cb->role == HCI_ROLE_SLAVE)) 521 btm_sec_clear_ble_keys(p_dev_rec); 522 523 p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR; 524 525 STREAM_TO_UINT8(p_cb->peer_io_caps, p); 526 STREAM_TO_UINT8(p_cb->peer_oob_flag, p); 527 STREAM_TO_UINT8(p_cb->peer_auth_req, p); 528 STREAM_TO_UINT8(p_cb->peer_enc_size, p); 529 STREAM_TO_UINT8(p_cb->peer_i_key, p); 530 STREAM_TO_UINT8(p_cb->peer_r_key, p); 531 532 if (smp_command_has_invalid_parameters(p_cb)) { 533 reason = SMP_INVALID_PARAMETERS; 534 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason); 535 return; 536 } 537 538 // PTS Testing failure modes 539 if (pts_test_send_authentication_complete_failure(p_cb)) return; 540 541 if (p_cb->role == HCI_ROLE_SLAVE) { 542 if (!(p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD)) { 543 /* peer (master) started pairing sending Pairing Request */ 544 p_cb->local_i_key = p_cb->peer_i_key; 545 p_cb->local_r_key = p_cb->peer_r_key; 546 547 p_cb->cb_evt = SMP_SEC_REQUEST_EVT; 548 } else /* update local i/r key according to pairing request */ 549 { 550 /* pairing started with this side (slave) sending Security Request */ 551 p_cb->local_i_key &= p_cb->peer_i_key; 552 p_cb->local_r_key &= p_cb->peer_r_key; 553 p_cb->selected_association_model = smp_select_association_model(p_cb); 554 555 if (p_cb->secure_connections_only_mode_required && 556 (!(p_cb->le_secure_connections_mode_is_used) || 557 (p_cb->selected_association_model == 558 SMP_MODEL_SEC_CONN_JUSTWORKS))) { 559 SMP_TRACE_ERROR( 560 "%s pairing failed - slave requires secure connection only mode", 561 __func__); 562 reason = SMP_PAIR_AUTH_FAIL; 563 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason); 564 return; 565 } 566 567 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) { 568 if (smp_request_oob_data(p_cb)) return; 569 } else { 570 smp_send_pair_rsp(p_cb, NULL); 571 } 572 } 573 } else /* Master receives pairing response */ 574 { 575 p_cb->selected_association_model = smp_select_association_model(p_cb); 576 577 if (p_cb->secure_connections_only_mode_required && 578 (!(p_cb->le_secure_connections_mode_is_used) || 579 (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS))) { 580 SMP_TRACE_ERROR( 581 "Master requires secure connection only mode \ 582 but it can't be provided -> Master fails pairing"); 583 reason = SMP_PAIR_AUTH_FAIL; 584 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason); 585 return; 586 } 587 588 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) { 589 if (smp_request_oob_data(p_cb)) return; 590 } else { 591 smp_decide_association_model(p_cb, NULL); 592 } 593 } 594 } 595 596 /******************************************************************************* 597 * Function smp_proc_confirm 598 * Description process pairing confirm from peer device 599 ******************************************************************************/ 600 void smp_proc_confirm(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 601 uint8_t* p = (uint8_t*)p_data; 602 uint8_t reason = SMP_INVALID_PARAMETERS; 603 604 SMP_TRACE_DEBUG("%s", __func__); 605 606 if (smp_command_has_invalid_parameters(p_cb)) { 607 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason); 608 return; 609 } 610 611 if (p != NULL) { 612 /* save the SConfirm for comparison later */ 613 STREAM_TO_ARRAY(p_cb->rconfirm, p, BT_OCTET16_LEN); 614 } 615 616 p_cb->flags |= SMP_PAIR_FLAGS_CMD_CONFIRM; 617 } 618 619 /******************************************************************************* 620 * Function smp_proc_init 621 * Description process pairing initializer from peer device 622 ******************************************************************************/ 623 void smp_proc_init(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 624 uint8_t* p = (uint8_t*)p_data; 625 uint8_t reason = SMP_INVALID_PARAMETERS; 626 627 SMP_TRACE_DEBUG("%s", __func__); 628 629 if (smp_command_has_invalid_parameters(p_cb)) { 630 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason); 631 return; 632 } 633 634 /* save the SRand for comparison */ 635 STREAM_TO_ARRAY(p_cb->rrand, p, BT_OCTET16_LEN); 636 } 637 638 /******************************************************************************* 639 * Function smp_proc_rand 640 * Description process pairing random (nonce) from peer device 641 ******************************************************************************/ 642 void smp_proc_rand(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 643 uint8_t* p = (uint8_t*)p_data; 644 uint8_t reason = SMP_INVALID_PARAMETERS; 645 646 SMP_TRACE_DEBUG("%s", __func__); 647 648 if (smp_command_has_invalid_parameters(p_cb)) { 649 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason); 650 return; 651 } 652 653 /* save the SRand for comparison */ 654 STREAM_TO_ARRAY(p_cb->rrand, p, BT_OCTET16_LEN); 655 } 656 657 /******************************************************************************* 658 * Function smp_process_pairing_public_key 659 * Description process pairing public key command from the peer device 660 * - saves the peer public key; 661 * - sets the flag indicating that the peer public key is received; 662 * - calls smp_wait_for_both_public_keys(...). 663 * 664 ******************************************************************************/ 665 void smp_process_pairing_public_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 666 uint8_t* p = (uint8_t*)p_data; 667 uint8_t reason = SMP_INVALID_PARAMETERS; 668 669 SMP_TRACE_DEBUG("%s", __func__); 670 671 if (smp_command_has_invalid_parameters(p_cb)) { 672 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason); 673 return; 674 } 675 676 STREAM_TO_ARRAY(p_cb->peer_publ_key.x, p, BT_OCTET32_LEN); 677 STREAM_TO_ARRAY(p_cb->peer_publ_key.y, p, BT_OCTET32_LEN); 678 p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_PUBL_KEY; 679 680 smp_wait_for_both_public_keys(p_cb, NULL); 681 } 682 683 /******************************************************************************* 684 * Function smp_process_pairing_commitment 685 * Description process pairing commitment from peer device 686 ******************************************************************************/ 687 void smp_process_pairing_commitment(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 688 uint8_t* p = (uint8_t*)p_data; 689 uint8_t reason = SMP_INVALID_PARAMETERS; 690 691 SMP_TRACE_DEBUG("%s", __func__); 692 693 if (smp_command_has_invalid_parameters(p_cb)) { 694 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason); 695 return; 696 } 697 698 p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_COMM; 699 700 if (p != NULL) { 701 STREAM_TO_ARRAY(p_cb->remote_commitment, p, BT_OCTET16_LEN); 702 } 703 } 704 705 /******************************************************************************* 706 * Function smp_process_dhkey_check 707 * Description process DHKey Check from peer device 708 ******************************************************************************/ 709 void smp_process_dhkey_check(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 710 uint8_t* p = (uint8_t*)p_data; 711 uint8_t reason = SMP_INVALID_PARAMETERS; 712 713 SMP_TRACE_DEBUG("%s", __func__); 714 715 if (smp_command_has_invalid_parameters(p_cb)) { 716 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason); 717 return; 718 } 719 720 if (p != NULL) { 721 STREAM_TO_ARRAY(p_cb->remote_dhkey_check, p, BT_OCTET16_LEN); 722 } 723 724 p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_DHK_CHK; 725 } 726 727 /******************************************************************************* 728 * Function smp_process_keypress_notification 729 * Description process pairing keypress notification from peer device 730 ******************************************************************************/ 731 void smp_process_keypress_notification(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 732 uint8_t* p = (uint8_t*)p_data; 733 uint8_t reason = SMP_INVALID_PARAMETERS; 734 735 SMP_TRACE_DEBUG("%s", __func__); 736 p_cb->status = *(uint8_t*)p_data; 737 738 if (smp_command_has_invalid_parameters(p_cb)) { 739 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason); 740 return; 741 } 742 743 if (p != NULL) { 744 STREAM_TO_UINT8(p_cb->peer_keypress_notification, p); 745 } else { 746 p_cb->peer_keypress_notification = BTM_SP_KEY_OUT_OF_RANGE; 747 } 748 p_cb->cb_evt = SMP_PEER_KEYPR_NOT_EVT; 749 } 750 751 /******************************************************************************* 752 * Function smp_br_process_pairing_command 753 * Description Process the SMP pairing request/response from peer device via 754 * BR/EDR transport. 755 ******************************************************************************/ 756 void smp_br_process_pairing_command(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 757 uint8_t* p = (uint8_t*)p_data; 758 uint8_t reason = SMP_ENC_KEY_SIZE; 759 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda); 760 761 SMP_TRACE_DEBUG("%s", __func__); 762 /* rejecting BR pairing request over non-SC BR link */ 763 if (!p_dev_rec->new_encryption_key_is_p256 && p_cb->role == HCI_ROLE_SLAVE) { 764 reason = SMP_XTRANS_DERIVE_NOT_ALLOW; 765 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &reason); 766 return; 767 } 768 769 /* erase all keys if it is slave proc pairing req*/ 770 if (p_dev_rec && (p_cb->role == HCI_ROLE_SLAVE)) 771 btm_sec_clear_ble_keys(p_dev_rec); 772 773 p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR; 774 775 STREAM_TO_UINT8(p_cb->peer_io_caps, p); 776 STREAM_TO_UINT8(p_cb->peer_oob_flag, p); 777 STREAM_TO_UINT8(p_cb->peer_auth_req, p); 778 STREAM_TO_UINT8(p_cb->peer_enc_size, p); 779 STREAM_TO_UINT8(p_cb->peer_i_key, p); 780 STREAM_TO_UINT8(p_cb->peer_r_key, p); 781 782 if (smp_command_has_invalid_parameters(p_cb)) { 783 reason = SMP_INVALID_PARAMETERS; 784 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &reason); 785 return; 786 } 787 788 /* peer (master) started pairing sending Pairing Request */ 789 /* or being master device always use received i/r key as keys to distribute */ 790 p_cb->local_i_key = p_cb->peer_i_key; 791 p_cb->local_r_key = p_cb->peer_r_key; 792 793 if (p_cb->role == HCI_ROLE_SLAVE) { 794 p_dev_rec->new_encryption_key_is_p256 = false; 795 /* shortcut to skip Security Grant step */ 796 p_cb->cb_evt = SMP_BR_KEYS_REQ_EVT; 797 } else /* Master receives pairing response */ 798 { 799 SMP_TRACE_DEBUG( 800 "%s master rcvs valid PAIRING RESPONSE." 801 " Supposed to move to key distribution phase. ", 802 __func__); 803 } 804 805 /* auth_req received via BR/EDR SM channel is set to 0, 806 but everything derived/exchanged has to be saved */ 807 p_cb->peer_auth_req |= SMP_AUTH_BOND; 808 p_cb->loc_auth_req |= SMP_AUTH_BOND; 809 } 810 811 /******************************************************************************* 812 * Function smp_br_process_security_grant 813 * Description process security grant in case of pairing over BR/EDR transport. 814 ******************************************************************************/ 815 void smp_br_process_security_grant(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 816 uint8_t res = *(uint8_t*)p_data; 817 SMP_TRACE_DEBUG("%s", __func__); 818 if (res != SMP_SUCCESS) { 819 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, p_data); 820 } else /*otherwise, start pairing */ 821 { 822 /* send IO request callback */ 823 p_cb->cb_evt = SMP_BR_KEYS_REQ_EVT; 824 } 825 } 826 827 /******************************************************************************* 828 * Function smp_br_check_authorization_request 829 * Description sets the SMP kes to be derived/distribute over BR/EDR transport 830 * before starting the distribution/derivation 831 ******************************************************************************/ 832 void smp_br_check_authorization_request(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 833 uint8_t reason = SMP_SUCCESS; 834 835 SMP_TRACE_DEBUG( 836 "%s rcvs i_keys=0x%x r_keys=0x%x " 837 "(i-initiator r-responder)", 838 __func__, p_cb->local_i_key, p_cb->local_r_key); 839 840 /* In LE SC mode LK field is ignored when BR/EDR transport is used */ 841 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK; 842 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK; 843 844 /* In LE SC mode only IRK, IAI, CSRK are exchanged with the peer. 845 ** Set local_r_key on master to expect only these keys. */ 846 if (p_cb->role == HCI_ROLE_MASTER) { 847 p_cb->local_r_key &= (SMP_SEC_KEY_TYPE_ID | SMP_SEC_KEY_TYPE_CSRK); 848 } 849 850 /* Check if H7 function needs to be used for key derivation*/ 851 if ((p_cb->loc_auth_req & SMP_H7_SUPPORT_BIT) && 852 (p_cb->peer_auth_req & SMP_H7_SUPPORT_BIT)) { 853 p_cb->key_derivation_h7_used = TRUE; 854 } 855 SMP_TRACE_DEBUG("%s: use h7 = %d", __func__, p_cb->key_derivation_h7_used); 856 857 SMP_TRACE_DEBUG( 858 "%s rcvs upgrades: i_keys=0x%x r_keys=0x%x " 859 "(i-initiator r-responder)", 860 __func__, p_cb->local_i_key, p_cb->local_r_key); 861 862 if (/*((p_cb->peer_auth_req & SMP_AUTH_BOND) || 863 (p_cb->loc_auth_req & SMP_AUTH_BOND)) &&*/ 864 (p_cb->local_i_key || p_cb->local_r_key)) { 865 smp_br_state_machine_event(p_cb, SMP_BR_BOND_REQ_EVT, NULL); 866 867 /* if no peer key is expected, start master key distribution */ 868 if (p_cb->role == HCI_ROLE_MASTER && p_cb->local_r_key == 0) 869 smp_key_distribution_by_transport(p_cb, NULL); 870 } else { 871 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &reason); 872 } 873 } 874 875 /******************************************************************************* 876 * Function smp_br_select_next_key 877 * Description selects the next key to derive/send when BR/EDR transport is 878 * used. 879 ******************************************************************************/ 880 void smp_br_select_next_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 881 uint8_t reason = SMP_SUCCESS; 882 SMP_TRACE_DEBUG("%s role=%d (0-master) r_keys=0x%x i_keys=0x%x", __func__, 883 p_cb->role, p_cb->local_r_key, p_cb->local_i_key); 884 885 if (p_cb->role == HCI_ROLE_SLAVE || 886 (!p_cb->local_r_key && p_cb->role == HCI_ROLE_MASTER)) { 887 smp_key_pick_key(p_cb, p_data); 888 } 889 890 if (!p_cb->local_i_key && !p_cb->local_r_key) { 891 /* state check to prevent re-entrance */ 892 if (smp_get_br_state() == SMP_BR_STATE_BOND_PENDING) { 893 if (p_cb->total_tx_unacked == 0) 894 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &reason); 895 else 896 p_cb->wait_for_authorization_complete = true; 897 } 898 } 899 } 900 901 /******************************************************************************* 902 * Function smp_proc_enc_info 903 * Description process encryption information from peer device 904 ******************************************************************************/ 905 void smp_proc_enc_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 906 uint8_t* p = (uint8_t*)p_data; 907 908 SMP_TRACE_DEBUG("%s", __func__); 909 STREAM_TO_ARRAY(p_cb->ltk, p, BT_OCTET16_LEN); 910 911 smp_key_distribution(p_cb, NULL); 912 } 913 /******************************************************************************* 914 * Function smp_proc_master_id 915 * Description process master ID from slave device 916 ******************************************************************************/ 917 void smp_proc_master_id(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 918 uint8_t* p = (uint8_t*)p_data; 919 tBTM_LE_PENC_KEYS le_key; 920 921 SMP_TRACE_DEBUG("%s", __func__); 922 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, true); 923 924 STREAM_TO_UINT16(le_key.ediv, p); 925 STREAM_TO_ARRAY(le_key.rand, p, BT_OCTET8_LEN); 926 927 /* store the encryption keys from peer device */ 928 memcpy(le_key.ltk, p_cb->ltk, BT_OCTET16_LEN); 929 le_key.sec_level = p_cb->sec_level; 930 le_key.key_size = p_cb->loc_enc_size; 931 932 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) && 933 (p_cb->loc_auth_req & SMP_AUTH_BOND)) 934 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC, 935 (tBTM_LE_KEY_VALUE*)&le_key, true); 936 937 smp_key_distribution(p_cb, NULL); 938 } 939 940 /******************************************************************************* 941 * Function smp_proc_enc_info 942 * Description process identity information from peer device 943 ******************************************************************************/ 944 void smp_proc_id_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 945 uint8_t* p = (uint8_t*)p_data; 946 947 SMP_TRACE_DEBUG("%s", __func__); 948 STREAM_TO_ARRAY(p_cb->tk, p, BT_OCTET16_LEN); /* reuse TK for IRK */ 949 smp_key_distribution_by_transport(p_cb, NULL); 950 } 951 952 /******************************************************************************* 953 * Function smp_proc_id_addr 954 * Description process identity address from peer device 955 ******************************************************************************/ 956 void smp_proc_id_addr(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 957 uint8_t* p = (uint8_t*)p_data; 958 tBTM_LE_PID_KEYS pid_key; 959 960 SMP_TRACE_DEBUG("%s", __func__); 961 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ID, true); 962 963 STREAM_TO_UINT8(pid_key.addr_type, p); 964 STREAM_TO_BDADDR(pid_key.static_addr, p); 965 memcpy(pid_key.irk, p_cb->tk, BT_OCTET16_LEN); 966 967 /* to use as BD_ADDR for lk derived from ltk */ 968 p_cb->id_addr_rcvd = true; 969 p_cb->id_addr_type = pid_key.addr_type; 970 memcpy(p_cb->id_addr, pid_key.static_addr, BD_ADDR_LEN); 971 972 /* store the ID key from peer device */ 973 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) && 974 (p_cb->loc_auth_req & SMP_AUTH_BOND)) 975 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PID, 976 (tBTM_LE_KEY_VALUE*)&pid_key, true); 977 smp_key_distribution_by_transport(p_cb, NULL); 978 } 979 980 /******************************************************************************* 981 * Function smp_proc_srk_info 982 * Description process security information from peer device 983 ******************************************************************************/ 984 void smp_proc_srk_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 985 tBTM_LE_PCSRK_KEYS le_key; 986 987 SMP_TRACE_DEBUG("%s", __func__); 988 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_CSRK, true); 989 990 /* save CSRK to security record */ 991 le_key.sec_level = p_cb->sec_level; 992 maybe_non_aligned_memcpy(le_key.csrk, p_data, 993 BT_OCTET16_LEN); /* get peer CSRK */ 994 le_key.counter = 0; /* initialize the peer counter */ 995 996 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) && 997 (p_cb->loc_auth_req & SMP_AUTH_BOND)) 998 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PCSRK, 999 (tBTM_LE_KEY_VALUE*)&le_key, true); 1000 smp_key_distribution_by_transport(p_cb, NULL); 1001 } 1002 1003 /******************************************************************************* 1004 * Function smp_proc_compare 1005 * Description process compare value 1006 ******************************************************************************/ 1007 void smp_proc_compare(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 1008 uint8_t reason; 1009 1010 SMP_TRACE_DEBUG("%s", __func__); 1011 if (!memcmp(p_cb->rconfirm, p_data->key.p_data, BT_OCTET16_LEN)) { 1012 /* compare the max encryption key size, and save the smaller one for the 1013 * link */ 1014 if (p_cb->peer_enc_size < p_cb->loc_enc_size) 1015 p_cb->loc_enc_size = p_cb->peer_enc_size; 1016 1017 if (p_cb->role == HCI_ROLE_SLAVE) 1018 smp_sm_event(p_cb, SMP_RAND_EVT, NULL); 1019 else { 1020 /* master device always use received i/r key as keys to distribute */ 1021 p_cb->local_i_key = p_cb->peer_i_key; 1022 p_cb->local_r_key = p_cb->peer_r_key; 1023 1024 smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL); 1025 } 1026 1027 } else { 1028 reason = p_cb->failure = SMP_CONFIRM_VALUE_ERR; 1029 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason); 1030 } 1031 } 1032 1033 /******************************************************************************* 1034 * Function smp_proc_sl_key 1035 * Description process key ready events. 1036 ******************************************************************************/ 1037 void smp_proc_sl_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 1038 uint8_t key_type = p_data->key.key_type; 1039 1040 SMP_TRACE_DEBUG("%s", __func__); 1041 if (key_type == SMP_KEY_TYPE_TK) { 1042 smp_generate_srand_mrand_confirm(p_cb, NULL); 1043 } else if (key_type == SMP_KEY_TYPE_CFM) { 1044 smp_set_state(SMP_STATE_WAIT_CONFIRM); 1045 1046 if (p_cb->flags & SMP_PAIR_FLAGS_CMD_CONFIRM) 1047 smp_sm_event(p_cb, SMP_CONFIRM_EVT, NULL); 1048 } 1049 } 1050 1051 /******************************************************************************* 1052 * Function smp_start_enc 1053 * Description start encryption 1054 ******************************************************************************/ 1055 void smp_start_enc(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 1056 tBTM_STATUS cmd; 1057 uint8_t reason = SMP_ENC_FAIL; 1058 1059 SMP_TRACE_DEBUG("%s", __func__); 1060 if (p_data != NULL) 1061 cmd = btm_ble_start_encrypt(p_cb->pairing_bda, true, p_data->key.p_data); 1062 else 1063 cmd = btm_ble_start_encrypt(p_cb->pairing_bda, false, NULL); 1064 1065 if (cmd != BTM_CMD_STARTED && cmd != BTM_BUSY) 1066 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason); 1067 } 1068 1069 /******************************************************************************* 1070 * Function smp_proc_discard 1071 * Description processing for discard security request 1072 ******************************************************************************/ 1073 void smp_proc_discard(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 1074 SMP_TRACE_DEBUG("%s", __func__); 1075 if (!(p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD)) 1076 smp_reset_control_value(p_cb); 1077 } 1078 1079 /******************************************************************************* 1080 * Function smp_enc_cmpl 1081 * Description encryption success 1082 ******************************************************************************/ 1083 void smp_enc_cmpl(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 1084 uint8_t enc_enable = *(uint8_t*)p_data; 1085 uint8_t reason = enc_enable ? SMP_SUCCESS : SMP_ENC_FAIL; 1086 1087 SMP_TRACE_DEBUG("%s", __func__); 1088 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason); 1089 } 1090 1091 /******************************************************************************* 1092 * Function smp_check_auth_req 1093 * Description check authentication request 1094 ******************************************************************************/ 1095 void smp_check_auth_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 1096 uint8_t enc_enable = *(uint8_t*)p_data; 1097 uint8_t reason = enc_enable ? SMP_SUCCESS : SMP_ENC_FAIL; 1098 1099 SMP_TRACE_DEBUG( 1100 "%s rcvs enc_enable=%d i_keys=0x%x r_keys=0x%x " 1101 "(i-initiator r-responder)", 1102 __func__, enc_enable, p_cb->local_i_key, p_cb->local_r_key); 1103 if (enc_enable == 1) { 1104 if (p_cb->le_secure_connections_mode_is_used) { 1105 /* In LE SC mode LTK is used instead of STK and has to be always saved */ 1106 p_cb->local_i_key |= SMP_SEC_KEY_TYPE_ENC; 1107 p_cb->local_r_key |= SMP_SEC_KEY_TYPE_ENC; 1108 1109 /* In LE SC mode LK is derived from LTK only if both sides request it */ 1110 if (!(p_cb->local_i_key & SMP_SEC_KEY_TYPE_LK) || 1111 !(p_cb->local_r_key & SMP_SEC_KEY_TYPE_LK)) { 1112 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK; 1113 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK; 1114 } 1115 1116 /* In LE SC mode only IRK, IAI, CSRK are exchanged with the peer. 1117 ** Set local_r_key on master to expect only these keys. 1118 */ 1119 if (p_cb->role == HCI_ROLE_MASTER) { 1120 p_cb->local_r_key &= (SMP_SEC_KEY_TYPE_ID | SMP_SEC_KEY_TYPE_CSRK); 1121 } 1122 } else { 1123 /* in legacy mode derivation of BR/EDR LK is not supported */ 1124 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK; 1125 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK; 1126 } 1127 SMP_TRACE_DEBUG( 1128 "%s rcvs upgrades: i_keys=0x%x r_keys=0x%x " 1129 "(i-initiator r-responder)", 1130 __func__, p_cb->local_i_key, p_cb->local_r_key); 1131 1132 if (/*((p_cb->peer_auth_req & SMP_AUTH_BOND) || 1133 (p_cb->loc_auth_req & SMP_AUTH_BOND)) &&*/ 1134 (p_cb->local_i_key || p_cb->local_r_key)) { 1135 smp_sm_event(p_cb, SMP_BOND_REQ_EVT, NULL); 1136 } else 1137 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason); 1138 } else if (enc_enable == 0) { 1139 /* if failed for encryption after pairing, send callback */ 1140 if (p_cb->flags & SMP_PAIR_FLAG_ENC_AFTER_PAIR) 1141 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason); 1142 /* if enc failed for old security information */ 1143 /* if master device, clean up and abck to idle; slave device do nothing */ 1144 else if (p_cb->role == HCI_ROLE_MASTER) { 1145 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason); 1146 } 1147 } 1148 } 1149 1150 /******************************************************************************* 1151 * Function smp_key_pick_key 1152 * Description Pick a key distribution function based on the key mask. 1153 ******************************************************************************/ 1154 void smp_key_pick_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 1155 uint8_t key_to_dist = 1156 (p_cb->role == HCI_ROLE_SLAVE) ? p_cb->local_r_key : p_cb->local_i_key; 1157 uint8_t i = 0; 1158 1159 SMP_TRACE_DEBUG("%s key_to_dist=0x%x", __func__, key_to_dist); 1160 while (i < SMP_KEY_DIST_TYPE_MAX) { 1161 SMP_TRACE_DEBUG("key to send = %02x, i = %d", key_to_dist, i); 1162 1163 if (key_to_dist & (1 << i)) { 1164 SMP_TRACE_DEBUG("smp_distribute_act[%d]", i); 1165 (*smp_distribute_act[i])(p_cb, p_data); 1166 break; 1167 } 1168 i++; 1169 } 1170 } 1171 /******************************************************************************* 1172 * Function smp_key_distribution 1173 * Description start key distribution if required. 1174 ******************************************************************************/ 1175 void smp_key_distribution(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 1176 SMP_TRACE_DEBUG("%s role=%d (0-master) r_keys=0x%x i_keys=0x%x", __func__, 1177 p_cb->role, p_cb->local_r_key, p_cb->local_i_key); 1178 1179 if (p_cb->role == HCI_ROLE_SLAVE || 1180 (!p_cb->local_r_key && p_cb->role == HCI_ROLE_MASTER)) { 1181 smp_key_pick_key(p_cb, p_data); 1182 } 1183 1184 if (!p_cb->local_i_key && !p_cb->local_r_key) { 1185 /* state check to prevent re-entrant */ 1186 if (smp_get_state() == SMP_STATE_BOND_PENDING) { 1187 if (p_cb->derive_lk) { 1188 smp_derive_link_key_from_long_term_key(p_cb, NULL); 1189 p_cb->derive_lk = false; 1190 } 1191 1192 if (p_cb->total_tx_unacked == 0) { 1193 /* 1194 * Instead of declaring authorization complete immediately, 1195 * delay the event from being sent by SMP_DELAYED_AUTH_TIMEOUT_MS. 1196 * This allows the slave to send over Pairing Failed if the 1197 * last key is rejected. During this waiting window, the 1198 * state should remain in SMP_STATE_BOND_PENDING. 1199 */ 1200 if (!alarm_is_scheduled(p_cb->delayed_auth_timer_ent)) { 1201 SMP_TRACE_DEBUG("%s delaying auth complete.", __func__); 1202 alarm_set_on_queue( 1203 p_cb->delayed_auth_timer_ent, SMP_DELAYED_AUTH_TIMEOUT_MS, 1204 smp_delayed_auth_complete_timeout, NULL, btu_general_alarm_queue); 1205 } 1206 } else { 1207 p_cb->wait_for_authorization_complete = true; 1208 } 1209 } 1210 } 1211 } 1212 1213 /******************************************************************************* 1214 * Function smp_decide_association_model 1215 * Description This function is called to select assoc model to be used for 1216 * STK generation and to start STK generation process. 1217 * 1218 ******************************************************************************/ 1219 void smp_decide_association_model(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 1220 uint8_t failure = SMP_UNKNOWN_IO_CAP; 1221 uint8_t int_evt = 0; 1222 tSMP_KEY key; 1223 tSMP_INT_DATA* p = NULL; 1224 1225 SMP_TRACE_DEBUG("%s Association Model = %d", __func__, 1226 p_cb->selected_association_model); 1227 1228 switch (p_cb->selected_association_model) { 1229 case SMP_MODEL_ENCRYPTION_ONLY: /* TK = 0, go calculate Confirm */ 1230 if (p_cb->role == HCI_ROLE_MASTER && 1231 ((p_cb->peer_auth_req & SMP_AUTH_YN_BIT) != 0) && 1232 ((p_cb->loc_auth_req & SMP_AUTH_YN_BIT) == 0)) { 1233 SMP_TRACE_ERROR( 1234 "IO capability does not meet authentication requirement"); 1235 failure = SMP_PAIR_AUTH_FAIL; 1236 p = (tSMP_INT_DATA*)&failure; 1237 int_evt = SMP_AUTH_CMPL_EVT; 1238 } else { 1239 p_cb->sec_level = SMP_SEC_UNAUTHENTICATE; 1240 SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_UNAUTHENTICATE) ", 1241 p_cb->sec_level); 1242 1243 key.key_type = SMP_KEY_TYPE_TK; 1244 key.p_data = p_cb->tk; 1245 p = (tSMP_INT_DATA*)&key; 1246 1247 memset(p_cb->tk, 0, BT_OCTET16_LEN); 1248 /* TK, ready */ 1249 int_evt = SMP_KEY_READY_EVT; 1250 } 1251 break; 1252 1253 case SMP_MODEL_PASSKEY: 1254 p_cb->sec_level = SMP_SEC_AUTHENTICATED; 1255 SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_AUTHENTICATED) ", 1256 p_cb->sec_level); 1257 1258 p_cb->cb_evt = SMP_PASSKEY_REQ_EVT; 1259 int_evt = SMP_TK_REQ_EVT; 1260 break; 1261 1262 case SMP_MODEL_OOB: 1263 SMP_TRACE_ERROR("Association Model = SMP_MODEL_OOB"); 1264 p_cb->sec_level = SMP_SEC_AUTHENTICATED; 1265 SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_AUTHENTICATED) ", 1266 p_cb->sec_level); 1267 1268 p_cb->cb_evt = SMP_OOB_REQ_EVT; 1269 int_evt = SMP_TK_REQ_EVT; 1270 break; 1271 1272 case SMP_MODEL_KEY_NOTIF: 1273 p_cb->sec_level = SMP_SEC_AUTHENTICATED; 1274 SMP_TRACE_DEBUG("Need to generate Passkey"); 1275 1276 /* generate passkey and notify application */ 1277 smp_generate_passkey(p_cb, NULL); 1278 break; 1279 1280 case SMP_MODEL_SEC_CONN_JUSTWORKS: 1281 case SMP_MODEL_SEC_CONN_NUM_COMP: 1282 case SMP_MODEL_SEC_CONN_PASSKEY_ENT: 1283 case SMP_MODEL_SEC_CONN_PASSKEY_DISP: 1284 case SMP_MODEL_SEC_CONN_OOB: 1285 int_evt = SMP_PUBL_KEY_EXCH_REQ_EVT; 1286 break; 1287 1288 case SMP_MODEL_OUT_OF_RANGE: 1289 SMP_TRACE_ERROR("Association Model = SMP_MODEL_OUT_OF_RANGE (failed)"); 1290 p = (tSMP_INT_DATA*)&failure; 1291 int_evt = SMP_AUTH_CMPL_EVT; 1292 break; 1293 1294 default: 1295 SMP_TRACE_ERROR( 1296 "Association Model = %d (SOMETHING IS WRONG WITH THE CODE)", 1297 p_cb->selected_association_model); 1298 p = (tSMP_INT_DATA*)&failure; 1299 int_evt = SMP_AUTH_CMPL_EVT; 1300 } 1301 1302 SMP_TRACE_EVENT("sec_level=%d ", p_cb->sec_level); 1303 if (int_evt) smp_sm_event(p_cb, int_evt, p); 1304 } 1305 1306 /******************************************************************************* 1307 * Function smp_process_io_response 1308 * Description process IO response for a slave device. 1309 ******************************************************************************/ 1310 void smp_process_io_response(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 1311 uint8_t reason = SMP_PAIR_AUTH_FAIL; 1312 1313 SMP_TRACE_DEBUG("%s", __func__); 1314 if (p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD) { 1315 /* pairing started by local (slave) Security Request */ 1316 smp_set_state(SMP_STATE_SEC_REQ_PENDING); 1317 smp_send_cmd(SMP_OPCODE_SEC_REQ, p_cb); 1318 } else /* plan to send pairing respond */ 1319 { 1320 /* pairing started by peer (master) Pairing Request */ 1321 p_cb->selected_association_model = smp_select_association_model(p_cb); 1322 1323 if (p_cb->secure_connections_only_mode_required && 1324 (!(p_cb->le_secure_connections_mode_is_used) || 1325 (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS))) { 1326 SMP_TRACE_ERROR( 1327 "Slave requires secure connection only mode \ 1328 but it can't be provided -> Slave fails pairing"); 1329 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason); 1330 return; 1331 } 1332 1333 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) { 1334 if (smp_request_oob_data(p_cb)) return; 1335 } 1336 1337 // PTS Testing failure modes 1338 if (pts_test_send_authentication_complete_failure(p_cb)) return; 1339 1340 smp_send_pair_rsp(p_cb, NULL); 1341 } 1342 } 1343 1344 /******************************************************************************* 1345 * Function smp_br_process_slave_keys_response 1346 * Description process application keys response for a slave device 1347 * (BR/EDR transport). 1348 ******************************************************************************/ 1349 void smp_br_process_slave_keys_response(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 1350 smp_br_send_pair_response(p_cb, NULL); 1351 } 1352 1353 /******************************************************************************* 1354 * Function smp_br_send_pair_response 1355 * Description actions related to sending pairing response over BR/EDR 1356 * transport. 1357 ******************************************************************************/ 1358 void smp_br_send_pair_response(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 1359 SMP_TRACE_DEBUG("%s", __func__); 1360 1361 p_cb->local_i_key &= p_cb->peer_i_key; 1362 p_cb->local_r_key &= p_cb->peer_r_key; 1363 1364 smp_send_cmd(SMP_OPCODE_PAIRING_RSP, p_cb); 1365 } 1366 1367 /******************************************************************************* 1368 * Function smp_pairing_cmpl 1369 * Description This function is called to send the pairing complete 1370 * callback and remove the connection if needed. 1371 ******************************************************************************/ 1372 void smp_pairing_cmpl(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 1373 if (p_cb->total_tx_unacked == 0) { 1374 /* process the pairing complete */ 1375 smp_proc_pairing_cmpl(p_cb); 1376 } 1377 } 1378 1379 /******************************************************************************* 1380 * Function smp_pair_terminate 1381 * Description This function is called to send the pairing complete 1382 * callback and remove the connection if needed. 1383 ******************************************************************************/ 1384 void smp_pair_terminate(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 1385 SMP_TRACE_DEBUG("%s", __func__); 1386 p_cb->status = SMP_CONN_TOUT; 1387 smp_proc_pairing_cmpl(p_cb); 1388 } 1389 1390 /******************************************************************************* 1391 * Function smp_idle_terminate 1392 * Description This function calledin idle state to determine to send 1393 * authentication complete or not. 1394 ******************************************************************************/ 1395 void smp_idle_terminate(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 1396 if (p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD) { 1397 SMP_TRACE_DEBUG("Pairing terminated at IDLE state."); 1398 p_cb->status = SMP_FAIL; 1399 smp_proc_pairing_cmpl(p_cb); 1400 } 1401 } 1402 1403 /******************************************************************************* 1404 * Function smp_fast_conn_param 1405 * Description apply default connection parameter for pairing process 1406 ******************************************************************************/ 1407 void smp_fast_conn_param(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 1408 /* Disable L2CAP connection parameter updates while bonding since 1409 some peripherals are not able to revert to fast connection parameters 1410 during the start of service discovery. Connection paramter updates 1411 get enabled again once service discovery completes. */ 1412 L2CA_EnableUpdateBleConnParams(p_cb->pairing_bda, false); 1413 } 1414 1415 /******************************************************************************* 1416 * Function smp_both_have_public_keys 1417 * Description The function is called when both local and peer public keys are 1418 * saved. 1419 * Actions: 1420 * - invokes DHKey computation; 1421 * - on slave side invokes sending local public key to the peer. 1422 * - invokes SC phase 1 process. 1423 ******************************************************************************/ 1424 void smp_both_have_public_keys(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 1425 SMP_TRACE_DEBUG("%s", __func__); 1426 1427 /* invokes DHKey computation */ 1428 smp_compute_dhkey(p_cb); 1429 1430 /* on slave side invokes sending local public key to the peer */ 1431 if (p_cb->role == HCI_ROLE_SLAVE) smp_send_pair_public_key(p_cb, NULL); 1432 1433 smp_sm_event(p_cb, SMP_SC_DHKEY_CMPLT_EVT, NULL); 1434 } 1435 1436 /******************************************************************************* 1437 * Function smp_start_secure_connection_phase1 1438 * Description Start Secure Connection phase1 i.e. invokes initialization of 1439 * Secure Connection phase 1 parameters and starts building/sending 1440 * to the peer messages appropriate for the role and association 1441 * model. 1442 ******************************************************************************/ 1443 void smp_start_secure_connection_phase1(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 1444 SMP_TRACE_DEBUG("%s", __func__); 1445 1446 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS) { 1447 p_cb->sec_level = SMP_SEC_UNAUTHENTICATE; 1448 SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_UNAUTHENTICATE) ", 1449 p_cb->sec_level); 1450 } else { 1451 p_cb->sec_level = SMP_SEC_AUTHENTICATED; 1452 SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_AUTHENTICATED) ", 1453 p_cb->sec_level); 1454 } 1455 1456 switch (p_cb->selected_association_model) { 1457 case SMP_MODEL_SEC_CONN_JUSTWORKS: 1458 case SMP_MODEL_SEC_CONN_NUM_COMP: 1459 memset(p_cb->local_random, 0, BT_OCTET16_LEN); 1460 smp_start_nonce_generation(p_cb); 1461 break; 1462 case SMP_MODEL_SEC_CONN_PASSKEY_ENT: 1463 /* user has to provide passkey */ 1464 p_cb->cb_evt = SMP_PASSKEY_REQ_EVT; 1465 smp_sm_event(p_cb, SMP_TK_REQ_EVT, NULL); 1466 break; 1467 case SMP_MODEL_SEC_CONN_PASSKEY_DISP: 1468 /* passkey has to be provided to user */ 1469 SMP_TRACE_DEBUG("Need to generate SC Passkey"); 1470 smp_generate_passkey(p_cb, NULL); 1471 break; 1472 case SMP_MODEL_SEC_CONN_OOB: 1473 /* use the available OOB information */ 1474 smp_process_secure_connection_oob_data(p_cb, NULL); 1475 break; 1476 default: 1477 SMP_TRACE_ERROR("Association Model = %d is not used in LE SC", 1478 p_cb->selected_association_model); 1479 break; 1480 } 1481 } 1482 1483 /******************************************************************************* 1484 * Function smp_process_local_nonce 1485 * Description The function processes new local nonce. 1486 * 1487 * Note It is supposed to be called in SC phase1. 1488 ******************************************************************************/ 1489 void smp_process_local_nonce(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 1490 SMP_TRACE_DEBUG("%s", __func__); 1491 1492 switch (p_cb->selected_association_model) { 1493 case SMP_MODEL_SEC_CONN_JUSTWORKS: 1494 case SMP_MODEL_SEC_CONN_NUM_COMP: 1495 if (p_cb->role == HCI_ROLE_SLAVE) { 1496 /* slave calculates and sends local commitment */ 1497 smp_calculate_local_commitment(p_cb); 1498 smp_send_commitment(p_cb, NULL); 1499 /* slave has to wait for peer nonce */ 1500 smp_set_state(SMP_STATE_WAIT_NONCE); 1501 } else /* i.e. master */ 1502 { 1503 if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_COMM) { 1504 /* slave commitment is already received, send local nonce, wait for 1505 * remote nonce*/ 1506 SMP_TRACE_DEBUG( 1507 "master in assoc mode = %d \ 1508 already rcvd slave commitment - race condition", 1509 p_cb->selected_association_model); 1510 p_cb->flags &= ~SMP_PAIR_FLAG_HAVE_PEER_COMM; 1511 smp_send_rand(p_cb, NULL); 1512 smp_set_state(SMP_STATE_WAIT_NONCE); 1513 } 1514 } 1515 break; 1516 case SMP_MODEL_SEC_CONN_PASSKEY_ENT: 1517 case SMP_MODEL_SEC_CONN_PASSKEY_DISP: 1518 smp_calculate_local_commitment(p_cb); 1519 1520 if (p_cb->role == HCI_ROLE_MASTER) { 1521 smp_send_commitment(p_cb, NULL); 1522 } else /* slave */ 1523 { 1524 if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_COMM) { 1525 /* master commitment is already received */ 1526 smp_send_commitment(p_cb, NULL); 1527 smp_set_state(SMP_STATE_WAIT_NONCE); 1528 } 1529 } 1530 break; 1531 case SMP_MODEL_SEC_CONN_OOB: 1532 if (p_cb->role == HCI_ROLE_MASTER) { 1533 smp_send_rand(p_cb, NULL); 1534 } 1535 1536 smp_set_state(SMP_STATE_WAIT_NONCE); 1537 break; 1538 default: 1539 SMP_TRACE_ERROR("Association Model = %d is not used in LE SC", 1540 p_cb->selected_association_model); 1541 break; 1542 } 1543 } 1544 1545 /******************************************************************************* 1546 * Function smp_process_peer_nonce 1547 * Description The function processes newly received and saved in CB peer 1548 * nonce. The actions depend on the selected association model and 1549 * the role. 1550 * 1551 * Note It is supposed to be called in SC phase1. 1552 ******************************************************************************/ 1553 void smp_process_peer_nonce(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 1554 uint8_t reason; 1555 1556 SMP_TRACE_DEBUG("%s start ", __func__); 1557 1558 // PTS Testing failure modes 1559 if (p_cb->cert_failure == 1) { 1560 SMP_TRACE_ERROR("%s failure case = %d", __func__, p_cb->cert_failure); 1561 reason = p_cb->failure = SMP_CONFIRM_VALUE_ERR; 1562 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason); 1563 return; 1564 } 1565 1566 switch (p_cb->selected_association_model) { 1567 case SMP_MODEL_SEC_CONN_JUSTWORKS: 1568 case SMP_MODEL_SEC_CONN_NUM_COMP: 1569 /* in these models only master receives commitment */ 1570 if (p_cb->role == HCI_ROLE_MASTER) { 1571 if (!smp_check_commitment(p_cb)) { 1572 reason = p_cb->failure = SMP_CONFIRM_VALUE_ERR; 1573 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason); 1574 break; 1575 } 1576 } else { 1577 /* slave sends local nonce */ 1578 smp_send_rand(p_cb, NULL); 1579 } 1580 1581 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS) { 1582 /* go directly to phase 2 */ 1583 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL); 1584 } else /* numeric comparison */ 1585 { 1586 smp_set_state(SMP_STATE_WAIT_NONCE); 1587 smp_sm_event(p_cb, SMP_SC_CALC_NC_EVT, NULL); 1588 } 1589 break; 1590 case SMP_MODEL_SEC_CONN_PASSKEY_ENT: 1591 case SMP_MODEL_SEC_CONN_PASSKEY_DISP: 1592 if (!smp_check_commitment(p_cb) && p_cb->cert_failure != 9) { 1593 reason = p_cb->failure = SMP_CONFIRM_VALUE_ERR; 1594 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason); 1595 break; 1596 } 1597 1598 if (p_cb->role == HCI_ROLE_SLAVE) { 1599 smp_send_rand(p_cb, NULL); 1600 } 1601 1602 if (++p_cb->round < 20) { 1603 smp_set_state(SMP_STATE_SEC_CONN_PHS1_START); 1604 p_cb->flags &= ~SMP_PAIR_FLAG_HAVE_PEER_COMM; 1605 smp_start_nonce_generation(p_cb); 1606 break; 1607 } 1608 1609 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL); 1610 break; 1611 case SMP_MODEL_SEC_CONN_OOB: 1612 if (p_cb->role == HCI_ROLE_SLAVE) { 1613 smp_send_rand(p_cb, NULL); 1614 } 1615 1616 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL); 1617 break; 1618 default: 1619 SMP_TRACE_ERROR("Association Model = %d is not used in LE SC", 1620 p_cb->selected_association_model); 1621 break; 1622 } 1623 1624 SMP_TRACE_DEBUG("%s end ", __func__); 1625 } 1626 1627 /******************************************************************************* 1628 * Function smp_match_dhkey_checks 1629 * Description checks if the calculated peer DHKey Check value is the same as 1630 * received from the peer DHKey check value. 1631 ******************************************************************************/ 1632 void smp_match_dhkey_checks(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 1633 uint8_t reason = SMP_DHKEY_CHK_FAIL; 1634 1635 SMP_TRACE_DEBUG("%s", __func__); 1636 1637 if (memcmp(p_data->key.p_data, p_cb->remote_dhkey_check, BT_OCTET16_LEN)) { 1638 SMP_TRACE_WARNING("dhkey chcks do no match"); 1639 p_cb->failure = reason; 1640 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason); 1641 return; 1642 } 1643 1644 SMP_TRACE_EVENT("dhkey chcks match"); 1645 1646 /* compare the max encryption key size, and save the smaller one for the link 1647 */ 1648 if (p_cb->peer_enc_size < p_cb->loc_enc_size) 1649 p_cb->loc_enc_size = p_cb->peer_enc_size; 1650 1651 if (p_cb->role == HCI_ROLE_SLAVE) { 1652 smp_sm_event(p_cb, SMP_PAIR_DHKEY_CHCK_EVT, NULL); 1653 } else { 1654 /* master device always use received i/r key as keys to distribute */ 1655 p_cb->local_i_key = p_cb->peer_i_key; 1656 p_cb->local_r_key = p_cb->peer_r_key; 1657 smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL); 1658 } 1659 } 1660 1661 /******************************************************************************* 1662 * Function smp_move_to_secure_connections_phase2 1663 * Description Signal State Machine to start SC phase 2 initialization (to 1664 * compute local DHKey Check value). 1665 * 1666 * Note SM is supposed to be in the state SMP_STATE_SEC_CONN_PHS2_START. 1667 ******************************************************************************/ 1668 void smp_move_to_secure_connections_phase2(tSMP_CB* p_cb, 1669 tSMP_INT_DATA* p_data) { 1670 SMP_TRACE_DEBUG("%s", __func__); 1671 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL); 1672 } 1673 1674 /******************************************************************************* 1675 * Function smp_phase_2_dhkey_checks_are_present 1676 * Description generates event if dhkey check from the peer is already 1677 * received. 1678 * 1679 * Note It is supposed to be used on slave to prevent race condition. 1680 * It is supposed to be called after slave dhkey check is 1681 * calculated. 1682 ******************************************************************************/ 1683 void smp_phase_2_dhkey_checks_are_present(tSMP_CB* p_cb, 1684 tSMP_INT_DATA* p_data) { 1685 SMP_TRACE_DEBUG("%s", __func__); 1686 1687 if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_DHK_CHK) 1688 smp_sm_event(p_cb, SMP_SC_2_DHCK_CHKS_PRES_EVT, NULL); 1689 } 1690 1691 /******************************************************************************* 1692 * Function smp_wait_for_both_public_keys 1693 * Description generates SMP_BOTH_PUBL_KEYS_RCVD_EVT event when both local and 1694 * master public keys are available. 1695 * 1696 * Note on the slave it is used to prevent race condition. 1697 * 1698 ******************************************************************************/ 1699 void smp_wait_for_both_public_keys(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 1700 SMP_TRACE_DEBUG("%s", __func__); 1701 1702 if ((p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_PUBL_KEY) && 1703 (p_cb->flags & SMP_PAIR_FLAG_HAVE_LOCAL_PUBL_KEY)) { 1704 if ((p_cb->role == HCI_ROLE_SLAVE) && 1705 ((p_cb->req_oob_type == SMP_OOB_LOCAL) || 1706 (p_cb->req_oob_type == SMP_OOB_BOTH))) { 1707 smp_set_state(SMP_STATE_PUBLIC_KEY_EXCH); 1708 } 1709 smp_sm_event(p_cb, SMP_BOTH_PUBL_KEYS_RCVD_EVT, NULL); 1710 } 1711 } 1712 1713 /******************************************************************************* 1714 * Function smp_start_passkey_verification 1715 * Description Starts SC passkey entry verification. 1716 ******************************************************************************/ 1717 void smp_start_passkey_verification(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 1718 uint8_t* p = NULL; 1719 1720 SMP_TRACE_DEBUG("%s", __func__); 1721 p = p_cb->local_random; 1722 UINT32_TO_STREAM(p, p_data->passkey); 1723 1724 p = p_cb->peer_random; 1725 UINT32_TO_STREAM(p, p_data->passkey); 1726 1727 p_cb->round = 0; 1728 smp_start_nonce_generation(p_cb); 1729 } 1730 1731 /******************************************************************************* 1732 * Function smp_process_secure_connection_oob_data 1733 * Description Processes local/peer SC OOB data received from somewhere. 1734 ******************************************************************************/ 1735 void smp_process_secure_connection_oob_data(tSMP_CB* p_cb, 1736 tSMP_INT_DATA* p_data) { 1737 SMP_TRACE_DEBUG("%s", __func__); 1738 1739 tSMP_SC_OOB_DATA* p_sc_oob_data = &p_cb->sc_oob_data; 1740 if (p_sc_oob_data->loc_oob_data.present) { 1741 memcpy(p_cb->local_random, p_sc_oob_data->loc_oob_data.randomizer, 1742 sizeof(p_cb->local_random)); 1743 } else { 1744 SMP_TRACE_EVENT("%s: local OOB randomizer is absent", __func__); 1745 memset(p_cb->local_random, 0, sizeof(p_cb->local_random)); 1746 } 1747 1748 if (!p_sc_oob_data->peer_oob_data.present) { 1749 SMP_TRACE_EVENT("%s: peer OOB data is absent", __func__); 1750 memset(p_cb->peer_random, 0, sizeof(p_cb->peer_random)); 1751 } else { 1752 memcpy(p_cb->peer_random, p_sc_oob_data->peer_oob_data.randomizer, 1753 sizeof(p_cb->peer_random)); 1754 memcpy(p_cb->remote_commitment, p_sc_oob_data->peer_oob_data.commitment, 1755 sizeof(p_cb->remote_commitment)); 1756 1757 uint8_t reason = SMP_CONFIRM_VALUE_ERR; 1758 /* check commitment */ 1759 if (!smp_check_commitment(p_cb)) { 1760 p_cb->failure = reason; 1761 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason); 1762 return; 1763 } 1764 1765 if (p_cb->peer_oob_flag != SMP_OOB_PRESENT) { 1766 /* the peer doesn't have local randomiser */ 1767 SMP_TRACE_EVENT( 1768 "%s: peer didn't receive local OOB data, set local randomizer to 0", 1769 __func__); 1770 memset(p_cb->local_random, 0, sizeof(p_cb->local_random)); 1771 } 1772 } 1773 1774 print128(p_cb->local_random, (const uint8_t*)"local OOB randomizer"); 1775 print128(p_cb->peer_random, (const uint8_t*)"peer OOB randomizer"); 1776 smp_start_nonce_generation(p_cb); 1777 } 1778 1779 /******************************************************************************* 1780 * Function smp_set_local_oob_keys 1781 * Description Saves calculated private/public keys in 1782 * sc_oob_data.loc_oob_data, starts nonce generation 1783 * (to be saved in sc_oob_data.loc_oob_data.randomizer). 1784 ******************************************************************************/ 1785 void smp_set_local_oob_keys(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 1786 SMP_TRACE_DEBUG("%s", __func__); 1787 1788 memcpy(p_cb->sc_oob_data.loc_oob_data.private_key_used, p_cb->private_key, 1789 BT_OCTET32_LEN); 1790 p_cb->sc_oob_data.loc_oob_data.publ_key_used = p_cb->loc_publ_key; 1791 smp_start_nonce_generation(p_cb); 1792 } 1793 1794 /******************************************************************************* 1795 * Function smp_set_local_oob_random_commitment 1796 * Description Saves calculated randomizer and commitment in 1797 * sc_oob_data.loc_oob_data, passes sc_oob_data.loc_oob_data up 1798 * for safekeeping. 1799 ******************************************************************************/ 1800 void smp_set_local_oob_random_commitment(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 1801 SMP_TRACE_DEBUG("%s", __func__); 1802 memcpy(p_cb->sc_oob_data.loc_oob_data.randomizer, p_cb->rand, BT_OCTET16_LEN); 1803 1804 smp_calculate_f4(p_cb->sc_oob_data.loc_oob_data.publ_key_used.x, 1805 p_cb->sc_oob_data.loc_oob_data.publ_key_used.x, 1806 p_cb->sc_oob_data.loc_oob_data.randomizer, 0, 1807 p_cb->sc_oob_data.loc_oob_data.commitment); 1808 1809 #if (SMP_DEBUG == TRUE) 1810 uint8_t* p_print = NULL; 1811 SMP_TRACE_DEBUG("local SC OOB data set:"); 1812 p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.addr_sent_to; 1813 smp_debug_print_nbyte_little_endian(p_print, "addr_sent_to", 1814 sizeof(tBLE_BD_ADDR)); 1815 p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.private_key_used; 1816 smp_debug_print_nbyte_little_endian(p_print, "private_key_used", 1817 BT_OCTET32_LEN); 1818 p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.publ_key_used.x; 1819 smp_debug_print_nbyte_little_endian(p_print, "publ_key_used.x", 1820 BT_OCTET32_LEN); 1821 p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.publ_key_used.y; 1822 smp_debug_print_nbyte_little_endian(p_print, "publ_key_used.y", 1823 BT_OCTET32_LEN); 1824 p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.randomizer; 1825 smp_debug_print_nbyte_little_endian(p_print, "randomizer", BT_OCTET16_LEN); 1826 p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.commitment; 1827 smp_debug_print_nbyte_little_endian(p_print, "commitment", BT_OCTET16_LEN); 1828 SMP_TRACE_DEBUG(""); 1829 #endif 1830 1831 /* pass created OOB data up */ 1832 p_cb->cb_evt = SMP_SC_LOC_OOB_DATA_UP_EVT; 1833 smp_send_app_cback(p_cb, NULL); 1834 1835 smp_cb_cleanup(p_cb); 1836 } 1837 1838 /******************************************************************************* 1839 * 1840 * Function smp_link_encrypted 1841 * 1842 * Description This function is called when link is encrypted and notified 1843 * to the slave device. Proceed to to send LTK, DIV and ER to 1844 * master if bonding the devices. 1845 * 1846 * 1847 * Returns void 1848 * 1849 ******************************************************************************/ 1850 void smp_link_encrypted(BD_ADDR bda, uint8_t encr_enable) { 1851 tSMP_CB* p_cb = &smp_cb; 1852 1853 SMP_TRACE_DEBUG("%s encr_enable=%d", __func__, encr_enable); 1854 1855 if (memcmp(&smp_cb.pairing_bda[0], bda, BD_ADDR_LEN) == 0) { 1856 /* encryption completed with STK, remmeber the key size now, could be 1857 * overwite 1858 * when key exchange happens */ 1859 if (p_cb->loc_enc_size != 0 && encr_enable) { 1860 /* update the link encryption key size if a SMP pairing just performed */ 1861 btm_ble_update_sec_key_size(bda, p_cb->loc_enc_size); 1862 } 1863 1864 smp_sm_event(&smp_cb, SMP_ENCRYPTED_EVT, &encr_enable); 1865 } 1866 } 1867 1868 /******************************************************************************* 1869 * 1870 * Function smp_proc_ltk_request 1871 * 1872 * Description This function is called when LTK request is received from 1873 * controller. 1874 * 1875 * Returns void 1876 * 1877 ******************************************************************************/ 1878 bool smp_proc_ltk_request(BD_ADDR bda) { 1879 SMP_TRACE_DEBUG("%s state = %d", __func__, smp_cb.state); 1880 bool match = false; 1881 1882 if (!memcmp(bda, smp_cb.pairing_bda, BD_ADDR_LEN)) { 1883 match = true; 1884 } else { 1885 BD_ADDR dummy_bda = {0}; 1886 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda); 1887 if (p_dev_rec != NULL && 1888 0 == memcmp(p_dev_rec->ble.pseudo_addr, smp_cb.pairing_bda, 1889 BD_ADDR_LEN) && 1890 0 != memcmp(p_dev_rec->ble.pseudo_addr, dummy_bda, BD_ADDR_LEN)) { 1891 match = true; 1892 } 1893 } 1894 1895 if (match && smp_cb.state == SMP_STATE_ENCRYPTION_PENDING) { 1896 smp_sm_event(&smp_cb, SMP_ENC_REQ_EVT, NULL); 1897 return true; 1898 } 1899 1900 return false; 1901 } 1902 1903 /******************************************************************************* 1904 * 1905 * Function smp_process_secure_connection_long_term_key 1906 * 1907 * Description This function is called to process SC LTK. 1908 * SC LTK is calculated and used instead of STK. 1909 * Here SC LTK is saved in BLE DB. 1910 * 1911 * Returns void 1912 * 1913 ******************************************************************************/ 1914 void smp_process_secure_connection_long_term_key(void) { 1915 tSMP_CB* p_cb = &smp_cb; 1916 1917 SMP_TRACE_DEBUG("%s", __func__); 1918 smp_save_secure_connections_long_term_key(p_cb); 1919 1920 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, false); 1921 smp_key_distribution(p_cb, NULL); 1922 } 1923 1924 /******************************************************************************* 1925 * 1926 * Function smp_set_derive_link_key 1927 * 1928 * Description This function is called to set flag that indicates that 1929 * BR/EDR LK has to be derived from LTK after all keys are 1930 * distributed. 1931 * 1932 * Returns void 1933 * 1934 ******************************************************************************/ 1935 void smp_set_derive_link_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 1936 SMP_TRACE_DEBUG("%s", __func__); 1937 p_cb->derive_lk = true; 1938 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_LK, false); 1939 smp_key_distribution(p_cb, NULL); 1940 } 1941 1942 /******************************************************************************* 1943 * 1944 * Function smp_derive_link_key_from_long_term_key 1945 * 1946 * Description This function is called to derive BR/EDR LK from LTK. 1947 * 1948 * Returns void 1949 * 1950 ******************************************************************************/ 1951 void smp_derive_link_key_from_long_term_key(tSMP_CB* p_cb, 1952 tSMP_INT_DATA* p_data) { 1953 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN; 1954 1955 SMP_TRACE_DEBUG("%s", __func__); 1956 if (!smp_calculate_link_key_from_long_term_key(p_cb)) { 1957 SMP_TRACE_ERROR("%s failed", __func__); 1958 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &status); 1959 return; 1960 } 1961 } 1962 1963 /******************************************************************************* 1964 * 1965 * Function smp_br_process_link_key 1966 * 1967 * Description This function is called to process BR/EDR LK: 1968 * - to derive SMP LTK from BR/EDR LK; 1969 *8 - to save SMP LTK. 1970 * 1971 * Returns void 1972 * 1973 ******************************************************************************/ 1974 void smp_br_process_link_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 1975 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN; 1976 1977 SMP_TRACE_DEBUG("%s", __func__); 1978 if (!smp_calculate_long_term_key_from_link_key(p_cb)) { 1979 SMP_TRACE_ERROR("%s failed", __func__); 1980 smp_sm_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &status); 1981 return; 1982 } 1983 1984 SMP_TRACE_DEBUG("%s: LTK derivation from LK successfully completed", 1985 __func__); 1986 smp_save_secure_connections_long_term_key(p_cb); 1987 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, false); 1988 smp_br_select_next_key(p_cb, NULL); 1989 } 1990 1991 /******************************************************************************* 1992 * Function smp_key_distribution_by_transport 1993 * Description depending on the transport used at the moment calls either 1994 * smp_key_distribution(...) or smp_br_key_distribution(...). 1995 ******************************************************************************/ 1996 void smp_key_distribution_by_transport(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 1997 SMP_TRACE_DEBUG("%s", __func__); 1998 if (p_cb->smp_over_br) { 1999 smp_br_select_next_key(p_cb, NULL); 2000 } else { 2001 smp_key_distribution(p_cb, NULL); 2002 } 2003 } 2004 2005 /******************************************************************************* 2006 * Function smp_br_pairing_complete 2007 * Description This function is called to send the pairing complete 2008 * callback and remove the connection if needed. 2009 ******************************************************************************/ 2010 void smp_br_pairing_complete(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 2011 SMP_TRACE_DEBUG("%s", __func__); 2012 2013 if (p_cb->total_tx_unacked == 0) { 2014 /* process the pairing complete */ 2015 smp_proc_pairing_cmpl(p_cb); 2016 } 2017 } 2018