1 /****************************************************************************** 2 * 3 * Copyright (C) 1999-2012 Broadcom Corporation 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License"); 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at: 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 * 17 *****************************************************************************/ 18 19 /****************************************************************************** 20 * 21 * This file contains functions for the SMP L2CAP utility functions 22 * 23 ******************************************************************************/ 24 #include "bt_target.h" 25 26 #include <ctype.h> 27 #include <string.h> 28 #include "bt_types.h" 29 #include "bt_utils.h" 30 #include "btm_ble_api.h" 31 #include "btm_int.h" 32 #include "device/include/controller.h" 33 #include "hcidefs.h" 34 #include "l2c_api.h" 35 #include "l2c_int.h" 36 #include "osi/include/osi.h" 37 #include "smp_int.h" 38 39 #define SMP_PAIRING_REQ_SIZE 7 40 #define SMP_CONFIRM_CMD_SIZE (BT_OCTET16_LEN + 1) 41 #define SMP_RAND_CMD_SIZE (BT_OCTET16_LEN + 1) 42 #define SMP_INIT_CMD_SIZE (BT_OCTET16_LEN + 1) 43 #define SMP_ENC_INFO_SIZE (BT_OCTET16_LEN + 1) 44 #define SMP_MASTER_ID_SIZE (BT_OCTET8_LEN + 2 + 1) 45 #define SMP_ID_INFO_SIZE (BT_OCTET16_LEN + 1) 46 #define SMP_ID_ADDR_SIZE (BD_ADDR_LEN + 1 + 1) 47 #define SMP_SIGN_INFO_SIZE (BT_OCTET16_LEN + 1) 48 #define SMP_PAIR_FAIL_SIZE 2 49 #define SMP_SECURITY_REQUEST_SIZE 2 50 #define SMP_PAIR_PUBL_KEY_SIZE (1 /* opcode */ + (2 * BT_OCTET32_LEN)) 51 #define SMP_PAIR_COMMITM_SIZE (1 /* opcode */ + BT_OCTET16_LEN /*Commitment*/) 52 #define SMP_PAIR_DHKEY_CHECK_SIZE \ 53 (1 /* opcode */ + BT_OCTET16_LEN /*DHKey Check*/) 54 #define SMP_PAIR_KEYPR_NOTIF_SIZE (1 /* opcode */ + 1 /*Notif Type*/) 55 56 /* SMP command sizes per spec */ 57 static const uint8_t smp_cmd_size_per_spec[] = { 58 0, 59 SMP_PAIRING_REQ_SIZE, /* 0x01: pairing request */ 60 SMP_PAIRING_REQ_SIZE, /* 0x02: pairing response */ 61 SMP_CONFIRM_CMD_SIZE, /* 0x03: pairing confirm */ 62 SMP_RAND_CMD_SIZE, /* 0x04: pairing random */ 63 SMP_PAIR_FAIL_SIZE, /* 0x05: pairing failed */ 64 SMP_ENC_INFO_SIZE, /* 0x06: encryption information */ 65 SMP_MASTER_ID_SIZE, /* 0x07: master identification */ 66 SMP_ID_INFO_SIZE, /* 0x08: identity information */ 67 SMP_ID_ADDR_SIZE, /* 0x09: identity address information */ 68 SMP_SIGN_INFO_SIZE, /* 0x0A: signing information */ 69 SMP_SECURITY_REQUEST_SIZE, /* 0x0B: security request */ 70 SMP_PAIR_PUBL_KEY_SIZE, /* 0x0C: pairing public key */ 71 SMP_PAIR_DHKEY_CHECK_SIZE, /* 0x0D: pairing dhkey check */ 72 SMP_PAIR_KEYPR_NOTIF_SIZE, /* 0x0E: pairing keypress notification */ 73 SMP_PAIR_COMMITM_SIZE /* 0x0F: pairing commitment */ 74 }; 75 76 static bool smp_parameter_unconditionally_valid(tSMP_CB* p_cb); 77 static bool smp_parameter_unconditionally_invalid(tSMP_CB* p_cb); 78 79 /* type for SMP command length validation functions */ 80 typedef bool (*tSMP_CMD_LEN_VALID)(tSMP_CB* p_cb); 81 82 static bool smp_command_has_valid_fixed_length(tSMP_CB* p_cb); 83 84 static const tSMP_CMD_LEN_VALID smp_cmd_len_is_valid[] = { 85 smp_parameter_unconditionally_invalid, 86 smp_command_has_valid_fixed_length, /* 0x01: pairing request */ 87 smp_command_has_valid_fixed_length, /* 0x02: pairing response */ 88 smp_command_has_valid_fixed_length, /* 0x03: pairing confirm */ 89 smp_command_has_valid_fixed_length, /* 0x04: pairing random */ 90 smp_command_has_valid_fixed_length, /* 0x05: pairing failed */ 91 smp_command_has_valid_fixed_length, /* 0x06: encryption information */ 92 smp_command_has_valid_fixed_length, /* 0x07: master identification */ 93 smp_command_has_valid_fixed_length, /* 0x08: identity information */ 94 smp_command_has_valid_fixed_length, /* 0x09: identity address information */ 95 smp_command_has_valid_fixed_length, /* 0x0A: signing information */ 96 smp_command_has_valid_fixed_length, /* 0x0B: security request */ 97 smp_command_has_valid_fixed_length, /* 0x0C: pairing public key */ 98 smp_command_has_valid_fixed_length, /* 0x0D: pairing dhkey check */ 99 smp_command_has_valid_fixed_length, /* 0x0E: pairing keypress notification*/ 100 smp_command_has_valid_fixed_length /* 0x0F: pairing commitment */ 101 }; 102 103 /* type for SMP command parameter ranges validation functions */ 104 typedef bool (*tSMP_CMD_PARAM_RANGES_VALID)(tSMP_CB* p_cb); 105 106 static bool smp_pairing_request_response_parameters_are_valid(tSMP_CB* p_cb); 107 static bool smp_pairing_keypress_notification_is_valid(tSMP_CB* p_cb); 108 109 static const tSMP_CMD_PARAM_RANGES_VALID smp_cmd_param_ranges_are_valid[] = { 110 smp_parameter_unconditionally_invalid, 111 smp_pairing_request_response_parameters_are_valid, /* 0x01: pairing 112 request */ 113 smp_pairing_request_response_parameters_are_valid, /* 0x02: pairing 114 response */ 115 smp_parameter_unconditionally_valid, /* 0x03: pairing confirm */ 116 smp_parameter_unconditionally_valid, /* 0x04: pairing random */ 117 smp_parameter_unconditionally_valid, /* 0x05: pairing failed */ 118 smp_parameter_unconditionally_valid, /* 0x06: encryption information */ 119 smp_parameter_unconditionally_valid, /* 0x07: master identification */ 120 smp_parameter_unconditionally_valid, /* 0x08: identity information */ 121 smp_parameter_unconditionally_valid, /* 0x09: identity address 122 information */ 123 smp_parameter_unconditionally_valid, /* 0x0A: signing information */ 124 smp_parameter_unconditionally_valid, /* 0x0B: security request */ 125 smp_parameter_unconditionally_valid, /* 0x0C: pairing public key */ 126 smp_parameter_unconditionally_valid, /* 0x0D: pairing dhkey check */ 127 smp_pairing_keypress_notification_is_valid, /* 0x0E: pairing keypress 128 notification */ 129 smp_parameter_unconditionally_valid /* 0x0F: pairing commitment */ 130 }; 131 132 /* type for action functions */ 133 typedef BT_HDR* (*tSMP_CMD_ACT)(uint8_t cmd_code, tSMP_CB* p_cb); 134 135 static BT_HDR* smp_build_pairing_cmd(uint8_t cmd_code, tSMP_CB* p_cb); 136 static BT_HDR* smp_build_confirm_cmd(UNUSED_ATTR uint8_t cmd_code, 137 tSMP_CB* p_cb); 138 static BT_HDR* smp_build_rand_cmd(UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb); 139 static BT_HDR* smp_build_pairing_fail(UNUSED_ATTR uint8_t cmd_code, 140 tSMP_CB* p_cb); 141 static BT_HDR* smp_build_identity_info_cmd(UNUSED_ATTR uint8_t cmd_code, 142 tSMP_CB* p_cb); 143 static BT_HDR* smp_build_encrypt_info_cmd(UNUSED_ATTR uint8_t cmd_code, 144 tSMP_CB* p_cb); 145 static BT_HDR* smp_build_security_request(UNUSED_ATTR uint8_t cmd_code, 146 tSMP_CB* p_cb); 147 static BT_HDR* smp_build_signing_info_cmd(UNUSED_ATTR uint8_t cmd_code, 148 tSMP_CB* p_cb); 149 static BT_HDR* smp_build_master_id_cmd(UNUSED_ATTR uint8_t cmd_code, 150 tSMP_CB* p_cb); 151 static BT_HDR* smp_build_id_addr_cmd(UNUSED_ATTR uint8_t cmd_code, 152 tSMP_CB* p_cb); 153 static BT_HDR* smp_build_pair_public_key_cmd(UNUSED_ATTR uint8_t cmd_code, 154 tSMP_CB* p_cb); 155 static BT_HDR* smp_build_pairing_commitment_cmd(UNUSED_ATTR uint8_t cmd_code, 156 tSMP_CB* p_cb); 157 static BT_HDR* smp_build_pair_dhkey_check_cmd(UNUSED_ATTR uint8_t cmd_code, 158 tSMP_CB* p_cb); 159 static BT_HDR* smp_build_pairing_keypress_notification_cmd( 160 UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb); 161 162 static const tSMP_CMD_ACT smp_cmd_build_act[] = { 163 NULL, smp_build_pairing_cmd, /* 0x01: pairing request */ 164 smp_build_pairing_cmd, /* 0x02: pairing response */ 165 smp_build_confirm_cmd, /* 0x03: pairing confirm */ 166 smp_build_rand_cmd, /* 0x04: pairing random */ 167 smp_build_pairing_fail, /* 0x05: pairing failure */ 168 smp_build_encrypt_info_cmd, /* 0x06: encryption information */ 169 smp_build_master_id_cmd, /* 0x07: master identification */ 170 smp_build_identity_info_cmd, /* 0x08: identity information */ 171 smp_build_id_addr_cmd, /* 0x09: identity address information */ 172 smp_build_signing_info_cmd, /* 0x0A: signing information */ 173 smp_build_security_request, /* 0x0B: security request */ 174 smp_build_pair_public_key_cmd, /* 0x0C: pairing public key */ 175 smp_build_pair_dhkey_check_cmd, /* 0x0D: pairing DHKey check */ 176 smp_build_pairing_keypress_notification_cmd, /* 0x0E: pairing keypress 177 notification */ 178 smp_build_pairing_commitment_cmd /* 0x0F: pairing commitment */ 179 }; 180 181 static const uint8_t smp_association_table[2][SMP_IO_CAP_MAX][SMP_IO_CAP_MAX] = 182 { 183 /* display only */ /* Display Yes/No */ /* keyboard only */ 184 /* No Input/Output */ /* keyboard display */ 185 186 /* initiator */ 187 /* model = tbl[peer_io_caps][loc_io_caps] */ 188 /* Display Only */ 189 {{SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, 190 SMP_MODEL_PASSKEY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY}, 191 192 /* Display Yes/No */ 193 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, 194 SMP_MODEL_PASSKEY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY}, 195 196 /* Keyboard only */ 197 {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY, 198 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF}, 199 200 /* No Input No Output */ 201 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, 202 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, 203 SMP_MODEL_ENCRYPTION_ONLY}, 204 205 /* keyboard display */ 206 {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY, 207 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF}}, 208 209 /* responder */ 210 /* model = tbl[loc_io_caps][peer_io_caps] */ 211 /* Display Only */ 212 {{SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, 213 SMP_MODEL_KEY_NOTIF, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF}, 214 215 /* Display Yes/No */ 216 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, 217 SMP_MODEL_KEY_NOTIF, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF}, 218 219 /* keyboard only */ 220 {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, 221 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY}, 222 223 /* No Input No Output */ 224 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, 225 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, 226 SMP_MODEL_ENCRYPTION_ONLY}, 227 228 /* keyboard display */ 229 {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_KEY_NOTIF, 230 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY}}}; 231 232 static const uint8_t 233 smp_association_table_sc[2][SMP_IO_CAP_MAX][SMP_IO_CAP_MAX] = { 234 /* display only */ /* Display Yes/No */ /* keyboard only */ 235 /* No InputOutput */ /* keyboard display */ 236 237 /* initiator */ 238 /* model = tbl[peer_io_caps][loc_io_caps] */ 239 240 /* Display Only */ 241 {{SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS, 242 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS, 243 SMP_MODEL_SEC_CONN_PASSKEY_ENT}, 244 245 /* Display Yes/No */ 246 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP, 247 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS, 248 SMP_MODEL_SEC_CONN_NUM_COMP}, 249 250 /* keyboard only */ 251 {SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_PASSKEY_DISP, 252 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS, 253 SMP_MODEL_SEC_CONN_PASSKEY_DISP}, 254 255 /* No Input No Output */ 256 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS, 257 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS, 258 SMP_MODEL_SEC_CONN_JUSTWORKS}, 259 260 /* keyboard display */ 261 {SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_NUM_COMP, 262 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS, 263 SMP_MODEL_SEC_CONN_NUM_COMP}}, 264 265 /* responder */ 266 /* model = tbl[loc_io_caps][peer_io_caps] */ 267 268 /* Display Only */ 269 {{SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS, 270 SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS, 271 SMP_MODEL_SEC_CONN_PASSKEY_DISP}, 272 273 /* Display Yes/No */ 274 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP, 275 SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS, 276 SMP_MODEL_SEC_CONN_NUM_COMP}, 277 278 /* keyboard only */ 279 {SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_PASSKEY_ENT, 280 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS, 281 SMP_MODEL_SEC_CONN_PASSKEY_ENT}, 282 283 /* No Input No Output */ 284 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS, 285 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS, 286 SMP_MODEL_SEC_CONN_JUSTWORKS}, 287 288 /* keyboard display */ 289 {SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_NUM_COMP, 290 SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS, 291 SMP_MODEL_SEC_CONN_NUM_COMP}}}; 292 293 static tSMP_ASSO_MODEL smp_select_legacy_association_model(tSMP_CB* p_cb); 294 static tSMP_ASSO_MODEL smp_select_association_model_secure_connections( 295 tSMP_CB* p_cb); 296 297 /******************************************************************************* 298 * 299 * Function smp_send_msg_to_L2CAP 300 * 301 * Description Send message to L2CAP. 302 * 303 ******************************************************************************/ 304 bool smp_send_msg_to_L2CAP(const RawAddress& rem_bda, BT_HDR* p_toL2CAP) { 305 uint16_t l2cap_ret; 306 uint16_t fixed_cid = L2CAP_SMP_CID; 307 308 if (smp_cb.smp_over_br) { 309 fixed_cid = L2CAP_SMP_BR_CID; 310 } 311 312 SMP_TRACE_EVENT("%s", __func__); 313 smp_cb.total_tx_unacked += 1; 314 315 l2cap_ret = L2CA_SendFixedChnlData(fixed_cid, rem_bda, p_toL2CAP); 316 if (l2cap_ret == L2CAP_DW_FAILED) { 317 smp_cb.total_tx_unacked -= 1; 318 SMP_TRACE_ERROR("SMP failed to pass msg:0x%0x to L2CAP", 319 *((uint8_t*)(p_toL2CAP + 1) + p_toL2CAP->offset)); 320 return false; 321 } else 322 return true; 323 } 324 325 /******************************************************************************* 326 * 327 * Function smp_send_cmd 328 * 329 * Description send a SMP command on L2CAP channel. 330 * 331 ******************************************************************************/ 332 bool smp_send_cmd(uint8_t cmd_code, tSMP_CB* p_cb) { 333 BT_HDR* p_buf; 334 bool sent = false; 335 uint8_t failure = SMP_PAIR_INTERNAL_ERR; 336 SMP_TRACE_EVENT("smp_send_cmd on l2cap cmd_code=0x%x", cmd_code); 337 if (cmd_code <= (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */) && 338 smp_cmd_build_act[cmd_code] != NULL) { 339 p_buf = (*smp_cmd_build_act[cmd_code])(cmd_code, p_cb); 340 341 if (p_buf != NULL && smp_send_msg_to_L2CAP(p_cb->pairing_bda, p_buf)) { 342 sent = true; 343 alarm_set_on_mloop(p_cb->smp_rsp_timer_ent, SMP_WAIT_FOR_RSP_TIMEOUT_MS, 344 smp_rsp_timeout, NULL); 345 } 346 } 347 348 if (!sent) { 349 if (p_cb->smp_over_br) { 350 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &failure); 351 } else { 352 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &failure); 353 } 354 } 355 return sent; 356 } 357 358 /******************************************************************************* 359 * 360 * Function smp_rsp_timeout 361 * 362 * Description Called when SMP wait for SMP command response timer expires 363 * 364 * Returns void 365 * 366 ******************************************************************************/ 367 void smp_rsp_timeout(UNUSED_ATTR void* data) { 368 tSMP_CB* p_cb = &smp_cb; 369 uint8_t failure = SMP_RSP_TIMEOUT; 370 371 SMP_TRACE_EVENT("%s state:%d br_state:%d", __func__, p_cb->state, 372 p_cb->br_state); 373 374 if (p_cb->smp_over_br) { 375 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &failure); 376 } else { 377 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &failure); 378 } 379 } 380 381 /******************************************************************************* 382 * 383 * Function smp_delayed_auth_complete_timeout 384 * 385 * Description Called when no pairing failed command received within 386 * timeout period. 387 * 388 * Returns void 389 * 390 ******************************************************************************/ 391 void smp_delayed_auth_complete_timeout(UNUSED_ATTR void* data) { 392 /* 393 * Waited for potential pair failure. Send SMP_AUTH_CMPL_EVT if 394 * the state is still in bond pending. 395 */ 396 if (smp_get_state() == SMP_STATE_BOND_PENDING) { 397 uint8_t reason = SMP_SUCCESS; 398 SMP_TRACE_EVENT("%s sending delayed auth complete.", __func__); 399 smp_sm_event(&smp_cb, SMP_AUTH_CMPL_EVT, &reason); 400 } 401 } 402 403 /******************************************************************************* 404 * 405 * Function smp_build_pairing_req_cmd 406 * 407 * Description Build pairing request command. 408 * 409 ******************************************************************************/ 410 BT_HDR* smp_build_pairing_cmd(uint8_t cmd_code, tSMP_CB* p_cb) { 411 uint8_t* p; 412 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIRING_REQ_SIZE + 413 L2CAP_MIN_OFFSET); 414 415 SMP_TRACE_EVENT("%s", __func__); 416 417 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 418 UINT8_TO_STREAM(p, cmd_code); 419 UINT8_TO_STREAM(p, p_cb->local_io_capability); 420 UINT8_TO_STREAM(p, p_cb->loc_oob_flag); 421 UINT8_TO_STREAM(p, p_cb->loc_auth_req); 422 UINT8_TO_STREAM(p, p_cb->loc_enc_size); 423 UINT8_TO_STREAM(p, p_cb->local_i_key); 424 UINT8_TO_STREAM(p, p_cb->local_r_key); 425 426 p_buf->offset = L2CAP_MIN_OFFSET; 427 /* 1B ERR_RSP op code + 1B cmd_op_code + 2B handle + 1B status */ 428 p_buf->len = SMP_PAIRING_REQ_SIZE; 429 430 return p_buf; 431 } 432 433 /******************************************************************************* 434 * 435 * Function smp_build_confirm_cmd 436 * 437 * Description Build confirm request command. 438 * 439 ******************************************************************************/ 440 static BT_HDR* smp_build_confirm_cmd(UNUSED_ATTR uint8_t cmd_code, 441 tSMP_CB* p_cb) { 442 uint8_t* p; 443 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_CONFIRM_CMD_SIZE + 444 L2CAP_MIN_OFFSET); 445 446 SMP_TRACE_EVENT("%s", __func__); 447 448 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 449 450 UINT8_TO_STREAM(p, SMP_OPCODE_CONFIRM); 451 ARRAY_TO_STREAM(p, p_cb->confirm, BT_OCTET16_LEN); 452 453 p_buf->offset = L2CAP_MIN_OFFSET; 454 p_buf->len = SMP_CONFIRM_CMD_SIZE; 455 456 return p_buf; 457 } 458 459 /******************************************************************************* 460 * 461 * Function smp_build_rand_cmd 462 * 463 * Description Build Random command. 464 * 465 ******************************************************************************/ 466 static BT_HDR* smp_build_rand_cmd(UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb) { 467 uint8_t* p; 468 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_RAND_CMD_SIZE + 469 L2CAP_MIN_OFFSET); 470 471 SMP_TRACE_EVENT("%s", __func__); 472 473 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 474 UINT8_TO_STREAM(p, SMP_OPCODE_RAND); 475 ARRAY_TO_STREAM(p, p_cb->rand, BT_OCTET16_LEN); 476 477 p_buf->offset = L2CAP_MIN_OFFSET; 478 p_buf->len = SMP_RAND_CMD_SIZE; 479 480 return p_buf; 481 } 482 483 /******************************************************************************* 484 * 485 * Function smp_build_encrypt_info_cmd 486 * 487 * Description Build security information command. 488 * 489 ******************************************************************************/ 490 static BT_HDR* smp_build_encrypt_info_cmd(UNUSED_ATTR uint8_t cmd_code, 491 tSMP_CB* p_cb) { 492 uint8_t* p; 493 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ENC_INFO_SIZE + 494 L2CAP_MIN_OFFSET); 495 496 SMP_TRACE_EVENT("%s", __func__); 497 498 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 499 UINT8_TO_STREAM(p, SMP_OPCODE_ENCRYPT_INFO); 500 ARRAY_TO_STREAM(p, p_cb->ltk, BT_OCTET16_LEN); 501 502 p_buf->offset = L2CAP_MIN_OFFSET; 503 p_buf->len = SMP_ENC_INFO_SIZE; 504 505 return p_buf; 506 } 507 508 /******************************************************************************* 509 * 510 * Function smp_build_master_id_cmd 511 * 512 * Description Build security information command. 513 * 514 ******************************************************************************/ 515 static BT_HDR* smp_build_master_id_cmd(UNUSED_ATTR uint8_t cmd_code, 516 tSMP_CB* p_cb) { 517 uint8_t* p; 518 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_MASTER_ID_SIZE + 519 L2CAP_MIN_OFFSET); 520 521 SMP_TRACE_EVENT("%s", __func__); 522 523 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 524 UINT8_TO_STREAM(p, SMP_OPCODE_MASTER_ID); 525 UINT16_TO_STREAM(p, p_cb->ediv); 526 ARRAY_TO_STREAM(p, p_cb->enc_rand, BT_OCTET8_LEN); 527 528 p_buf->offset = L2CAP_MIN_OFFSET; 529 p_buf->len = SMP_MASTER_ID_SIZE; 530 531 return p_buf; 532 } 533 534 /******************************************************************************* 535 * 536 * Function smp_build_identity_info_cmd 537 * 538 * Description Build identity information command. 539 * 540 ******************************************************************************/ 541 static BT_HDR* smp_build_identity_info_cmd(UNUSED_ATTR uint8_t cmd_code, 542 UNUSED_ATTR tSMP_CB* p_cb) { 543 uint8_t* p; 544 BT_OCTET16 irk; 545 BT_HDR* p_buf = 546 (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ID_INFO_SIZE + L2CAP_MIN_OFFSET); 547 548 SMP_TRACE_EVENT("%s", __func__); 549 550 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 551 552 BTM_GetDeviceIDRoot(irk); 553 554 UINT8_TO_STREAM(p, SMP_OPCODE_IDENTITY_INFO); 555 ARRAY_TO_STREAM(p, irk, BT_OCTET16_LEN); 556 557 p_buf->offset = L2CAP_MIN_OFFSET; 558 p_buf->len = SMP_ID_INFO_SIZE; 559 560 return p_buf; 561 } 562 563 /******************************************************************************* 564 * 565 * Function smp_build_id_addr_cmd 566 * 567 * Description Build identity address information command. 568 * 569 ******************************************************************************/ 570 static BT_HDR* smp_build_id_addr_cmd(UNUSED_ATTR uint8_t cmd_code, 571 UNUSED_ATTR tSMP_CB* p_cb) { 572 uint8_t* p; 573 BT_HDR* p_buf = 574 (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ID_ADDR_SIZE + L2CAP_MIN_OFFSET); 575 576 SMP_TRACE_EVENT("%s", __func__); 577 578 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 579 UINT8_TO_STREAM(p, SMP_OPCODE_ID_ADDR); 580 UINT8_TO_STREAM(p, 0); 581 BDADDR_TO_STREAM(p, *controller_get_interface()->get_address()); 582 583 p_buf->offset = L2CAP_MIN_OFFSET; 584 p_buf->len = SMP_ID_ADDR_SIZE; 585 586 return p_buf; 587 } 588 589 /******************************************************************************* 590 * 591 * Function smp_build_signing_info_cmd 592 * 593 * Description Build signing information command. 594 * 595 ******************************************************************************/ 596 static BT_HDR* smp_build_signing_info_cmd(UNUSED_ATTR uint8_t cmd_code, 597 tSMP_CB* p_cb) { 598 uint8_t* p; 599 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_SIGN_INFO_SIZE + 600 L2CAP_MIN_OFFSET); 601 602 SMP_TRACE_EVENT("%s", __func__); 603 604 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 605 UINT8_TO_STREAM(p, SMP_OPCODE_SIGN_INFO); 606 ARRAY_TO_STREAM(p, p_cb->csrk, BT_OCTET16_LEN); 607 608 p_buf->offset = L2CAP_MIN_OFFSET; 609 p_buf->len = SMP_SIGN_INFO_SIZE; 610 611 return p_buf; 612 } 613 614 /******************************************************************************* 615 * 616 * Function smp_build_pairing_fail 617 * 618 * Description Build Pairing Fail command. 619 * 620 ******************************************************************************/ 621 static BT_HDR* smp_build_pairing_fail(UNUSED_ATTR uint8_t cmd_code, 622 tSMP_CB* p_cb) { 623 uint8_t* p; 624 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_FAIL_SIZE + 625 L2CAP_MIN_OFFSET); 626 627 SMP_TRACE_EVENT("%s", __func__); 628 629 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 630 UINT8_TO_STREAM(p, SMP_OPCODE_PAIRING_FAILED); 631 UINT8_TO_STREAM(p, p_cb->failure); 632 633 p_buf->offset = L2CAP_MIN_OFFSET; 634 p_buf->len = SMP_PAIR_FAIL_SIZE; 635 636 return p_buf; 637 } 638 639 /******************************************************************************* 640 * 641 * Function smp_build_security_request 642 * 643 * Description Build security request command. 644 * 645 ******************************************************************************/ 646 static BT_HDR* smp_build_security_request(UNUSED_ATTR uint8_t cmd_code, 647 tSMP_CB* p_cb) { 648 uint8_t* p; 649 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + 2 + L2CAP_MIN_OFFSET); 650 651 SMP_TRACE_EVENT("%s", __func__); 652 653 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 654 UINT8_TO_STREAM(p, SMP_OPCODE_SEC_REQ); 655 UINT8_TO_STREAM(p, p_cb->loc_auth_req); 656 657 p_buf->offset = L2CAP_MIN_OFFSET; 658 p_buf->len = SMP_SECURITY_REQUEST_SIZE; 659 660 SMP_TRACE_EVENT("opcode=%d auth_req=0x%x", SMP_OPCODE_SEC_REQ, 661 p_cb->loc_auth_req); 662 663 return p_buf; 664 } 665 666 /******************************************************************************* 667 * 668 * Function smp_build_pair_public_key_cmd 669 * 670 * Description Build pairing public key command. 671 * 672 ******************************************************************************/ 673 static BT_HDR* smp_build_pair_public_key_cmd(UNUSED_ATTR uint8_t cmd_code, 674 tSMP_CB* p_cb) { 675 uint8_t* p; 676 uint8_t publ_key[2 * BT_OCTET32_LEN]; 677 uint8_t* p_publ_key = publ_key; 678 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_PUBL_KEY_SIZE + 679 L2CAP_MIN_OFFSET); 680 681 SMP_TRACE_EVENT("%s", __func__); 682 683 memcpy(p_publ_key, p_cb->loc_publ_key.x, BT_OCTET32_LEN); 684 memcpy(p_publ_key + BT_OCTET32_LEN, p_cb->loc_publ_key.y, BT_OCTET32_LEN); 685 686 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 687 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_PUBLIC_KEY); 688 ARRAY_TO_STREAM(p, p_publ_key, 2 * BT_OCTET32_LEN); 689 690 p_buf->offset = L2CAP_MIN_OFFSET; 691 p_buf->len = SMP_PAIR_PUBL_KEY_SIZE; 692 693 return p_buf; 694 } 695 696 /******************************************************************************* 697 * 698 * Function smp_build_pairing_commitment_cmd 699 * 700 * Description Build pairing commitment command. 701 * 702 ******************************************************************************/ 703 static BT_HDR* smp_build_pairing_commitment_cmd(UNUSED_ATTR uint8_t cmd_code, 704 tSMP_CB* p_cb) { 705 uint8_t* p; 706 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_COMMITM_SIZE + 707 L2CAP_MIN_OFFSET); 708 709 SMP_TRACE_EVENT("%s", __func__); 710 711 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 712 UINT8_TO_STREAM(p, SMP_OPCODE_CONFIRM); 713 ARRAY_TO_STREAM(p, p_cb->commitment, BT_OCTET16_LEN); 714 715 p_buf->offset = L2CAP_MIN_OFFSET; 716 p_buf->len = SMP_PAIR_COMMITM_SIZE; 717 718 return p_buf; 719 } 720 721 /******************************************************************************* 722 * 723 * Function smp_build_pair_dhkey_check_cmd 724 * 725 * Description Build pairing DHKey check command. 726 * 727 ******************************************************************************/ 728 static BT_HDR* smp_build_pair_dhkey_check_cmd(UNUSED_ATTR uint8_t cmd_code, 729 tSMP_CB* p_cb) { 730 uint8_t* p; 731 BT_HDR* p_buf = (BT_HDR*)osi_malloc( 732 sizeof(BT_HDR) + SMP_PAIR_DHKEY_CHECK_SIZE + L2CAP_MIN_OFFSET); 733 734 SMP_TRACE_EVENT("%s", __func__); 735 736 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 737 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_DHKEY_CHECK); 738 ARRAY_TO_STREAM(p, p_cb->dhkey_check, BT_OCTET16_LEN); 739 740 p_buf->offset = L2CAP_MIN_OFFSET; 741 p_buf->len = SMP_PAIR_DHKEY_CHECK_SIZE; 742 743 return p_buf; 744 } 745 746 /******************************************************************************* 747 * 748 * Function smp_build_pairing_keypress_notification_cmd 749 * 750 * Description Build keypress notification command. 751 * 752 ******************************************************************************/ 753 static BT_HDR* smp_build_pairing_keypress_notification_cmd( 754 UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb) { 755 uint8_t* p; 756 BT_HDR* p_buf = (BT_HDR*)osi_malloc( 757 sizeof(BT_HDR) + SMP_PAIR_KEYPR_NOTIF_SIZE + L2CAP_MIN_OFFSET); 758 759 SMP_TRACE_EVENT("%s", __func__); 760 761 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 762 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_KEYPR_NOTIF); 763 UINT8_TO_STREAM(p, p_cb->local_keypress_notification); 764 765 p_buf->offset = L2CAP_MIN_OFFSET; 766 p_buf->len = SMP_PAIR_KEYPR_NOTIF_SIZE; 767 768 return p_buf; 769 } 770 771 /******************************************************************************* 772 * 773 * Function smp_convert_string_to_tk 774 * 775 * Description This function is called to convert a 6 to 16 digits numeric 776 * character string into SMP TK. 777 * 778 * 779 * Returns void 780 * 781 ******************************************************************************/ 782 void smp_convert_string_to_tk(BT_OCTET16 tk, uint32_t passkey) { 783 uint8_t* p = tk; 784 tSMP_KEY key; 785 SMP_TRACE_EVENT("smp_convert_string_to_tk"); 786 UINT32_TO_STREAM(p, passkey); 787 788 key.key_type = SMP_KEY_TYPE_TK; 789 key.p_data = tk; 790 791 smp_sm_event(&smp_cb, SMP_KEY_READY_EVT, &key); 792 } 793 794 /******************************************************************************* 795 * 796 * Function smp_mask_enc_key 797 * 798 * Description This function is called to mask off the encryption key based 799 * on the maximum encryption key size. 800 * 801 * 802 * Returns void 803 * 804 ******************************************************************************/ 805 void smp_mask_enc_key(uint8_t loc_enc_size, uint8_t* p_data) { 806 SMP_TRACE_EVENT("smp_mask_enc_key"); 807 if (loc_enc_size < BT_OCTET16_LEN) { 808 for (; loc_enc_size < BT_OCTET16_LEN; loc_enc_size++) 809 *(p_data + loc_enc_size) = 0; 810 } 811 return; 812 } 813 814 /******************************************************************************* 815 * 816 * Function smp_xor_128 817 * 818 * Description utility function to do an biteise exclusive-OR of two bit 819 * strings of the length of BT_OCTET16_LEN. 820 * 821 * Returns void 822 * 823 ******************************************************************************/ 824 void smp_xor_128(BT_OCTET16 a, BT_OCTET16 b) { 825 uint8_t i, *aa = a, *bb = b; 826 827 SMP_TRACE_EVENT("smp_xor_128"); 828 for (i = 0; i < BT_OCTET16_LEN; i++) { 829 aa[i] = aa[i] ^ bb[i]; 830 } 831 } 832 833 /******************************************************************************* 834 * 835 * Function smp_cb_cleanup 836 * 837 * Description Clean up SMP control block 838 * 839 * Returns void 840 * 841 ******************************************************************************/ 842 void smp_cb_cleanup(tSMP_CB* p_cb) { 843 tSMP_CALLBACK* p_callback = p_cb->p_callback; 844 uint8_t trace_level = p_cb->trace_level; 845 alarm_t* smp_rsp_timer_ent = p_cb->smp_rsp_timer_ent; 846 alarm_t* delayed_auth_timer_ent = p_cb->delayed_auth_timer_ent; 847 848 SMP_TRACE_EVENT("smp_cb_cleanup"); 849 850 alarm_cancel(p_cb->smp_rsp_timer_ent); 851 alarm_cancel(p_cb->delayed_auth_timer_ent); 852 memset(p_cb, 0, sizeof(tSMP_CB)); 853 p_cb->p_callback = p_callback; 854 p_cb->trace_level = trace_level; 855 p_cb->smp_rsp_timer_ent = smp_rsp_timer_ent; 856 p_cb->delayed_auth_timer_ent = delayed_auth_timer_ent; 857 } 858 859 /******************************************************************************* 860 * 861 * Function smp_remove_fixed_channel 862 * 863 * Description This function is called to remove the fixed channel 864 * 865 * Returns void 866 * 867 ******************************************************************************/ 868 void smp_remove_fixed_channel(tSMP_CB* p_cb) { 869 SMP_TRACE_DEBUG("%s", __func__); 870 871 if (p_cb->smp_over_br) 872 L2CA_RemoveFixedChnl(L2CAP_SMP_BR_CID, p_cb->pairing_bda); 873 else 874 L2CA_RemoveFixedChnl(L2CAP_SMP_CID, p_cb->pairing_bda); 875 } 876 877 /******************************************************************************* 878 * 879 * Function smp_reset_control_value 880 * 881 * Description This function is called to reset the control block value 882 * when the pairing procedure finished. 883 * 884 * 885 * Returns void 886 * 887 ******************************************************************************/ 888 void smp_reset_control_value(tSMP_CB* p_cb) { 889 SMP_TRACE_EVENT("%s", __func__); 890 891 alarm_cancel(p_cb->smp_rsp_timer_ent); 892 p_cb->flags = 0; 893 /* set the link idle timer to drop the link when pairing is done 894 usually service discovery will follow authentication complete, to avoid 895 racing condition for a link down/up, set link idle timer to be 896 SMP_LINK_TOUT_MIN to guarantee SMP key exchange */ 897 L2CA_SetIdleTimeoutByBdAddr(p_cb->pairing_bda, SMP_LINK_TOUT_MIN, 898 BT_TRANSPORT_LE); 899 900 /* We can tell L2CAP to remove the fixed channel (if it has one) */ 901 smp_remove_fixed_channel(p_cb); 902 smp_cb_cleanup(p_cb); 903 } 904 905 /******************************************************************************* 906 * 907 * Function smp_proc_pairing_cmpl 908 * 909 * Description This function is called to process pairing complete 910 * 911 * 912 * Returns void 913 * 914 ******************************************************************************/ 915 void smp_proc_pairing_cmpl(tSMP_CB* p_cb) { 916 tSMP_EVT_DATA evt_data = {0}; 917 tSMP_CALLBACK* p_callback = p_cb->p_callback; 918 919 SMP_TRACE_DEBUG("smp_proc_pairing_cmpl "); 920 921 evt_data.cmplt.reason = p_cb->status; 922 evt_data.cmplt.smp_over_br = p_cb->smp_over_br; 923 924 if (p_cb->status == SMP_SUCCESS) evt_data.cmplt.sec_level = p_cb->sec_level; 925 926 evt_data.cmplt.is_pair_cancel = false; 927 928 if (p_cb->is_pair_cancel) evt_data.cmplt.is_pair_cancel = true; 929 930 SMP_TRACE_DEBUG("send SMP_COMPLT_EVT reason=0x%0x sec_level=0x%0x", 931 evt_data.cmplt.reason, evt_data.cmplt.sec_level); 932 933 RawAddress pairing_bda = p_cb->pairing_bda; 934 935 smp_reset_control_value(p_cb); 936 937 if (p_callback) (*p_callback)(SMP_COMPLT_EVT, pairing_bda, &evt_data); 938 } 939 940 /******************************************************************************* 941 * 942 * Function smp_command_has_invalid_parameters 943 * 944 * Description Checks if the received SMP command has invalid parameters 945 * i.e. if the command length is valid and the command 946 * parameters are inside specified range. 947 * It returns true if the command has invalid parameters. 948 * 949 * Returns true if the command has invalid parameters, false otherwise. 950 * 951 ******************************************************************************/ 952 bool smp_command_has_invalid_parameters(tSMP_CB* p_cb) { 953 uint8_t cmd_code = p_cb->rcvd_cmd_code; 954 955 if ((cmd_code > (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */)) || 956 (cmd_code < SMP_OPCODE_MIN)) { 957 SMP_TRACE_WARNING("%s: Received command with RESERVED code 0x%02x", 958 __func__, cmd_code); 959 return true; 960 } 961 962 if (!(*smp_cmd_len_is_valid[cmd_code])(p_cb)) { 963 SMP_TRACE_WARNING("%s: Command length not valid for cmd_code 0x%02x", 964 __func__, cmd_code); 965 return true; 966 } 967 968 if (!(*smp_cmd_param_ranges_are_valid[cmd_code])(p_cb)) { 969 SMP_TRACE_WARNING("%s: Parameter ranges not valid code 0x%02x", __func__, 970 cmd_code); 971 return true; 972 } 973 974 return false; 975 } 976 977 /******************************************************************************* 978 * 979 * Function smp_command_has_valid_fixed_length 980 * 981 * Description Checks if the received command size is equal to the size 982 * according to specs. 983 * 984 * Returns true if the command size is as expected, false otherwise. 985 * 986 * Note The command is expected to have fixed length. 987 ******************************************************************************/ 988 bool smp_command_has_valid_fixed_length(tSMP_CB* p_cb) { 989 uint8_t cmd_code = p_cb->rcvd_cmd_code; 990 991 SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, cmd_code); 992 993 if (p_cb->rcvd_cmd_len != smp_cmd_size_per_spec[cmd_code]) { 994 SMP_TRACE_WARNING( 995 "Rcvd from the peer cmd 0x%02x with invalid length " 996 "0x%02x (per spec the length is 0x%02x).", 997 cmd_code, p_cb->rcvd_cmd_len, smp_cmd_size_per_spec[cmd_code]); 998 return false; 999 } 1000 1001 return true; 1002 } 1003 1004 /******************************************************************************* 1005 * 1006 * Function smp_pairing_request_response_parameters_are_valid 1007 * 1008 * Description Validates parameter ranges in the received SMP command 1009 * pairing request or pairing response. 1010 * The parameters to validate: 1011 * IO capability, 1012 * OOB data flag, 1013 * Bonding_flags in AuthReq 1014 * Maximum encryption key size. 1015 * Returns false if at least one of these parameters is out of 1016 * range. 1017 * 1018 ******************************************************************************/ 1019 bool smp_pairing_request_response_parameters_are_valid(tSMP_CB* p_cb) { 1020 uint8_t io_caps = p_cb->peer_io_caps; 1021 uint8_t oob_flag = p_cb->peer_oob_flag; 1022 uint8_t bond_flag = 1023 p_cb->peer_auth_req & 0x03; // 0x03 is gen bond with appropriate mask 1024 uint8_t enc_size = p_cb->peer_enc_size; 1025 1026 SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, p_cb->rcvd_cmd_code); 1027 1028 if (io_caps >= BTM_IO_CAP_MAX) { 1029 SMP_TRACE_WARNING( 1030 "Rcvd from the peer cmd 0x%02x with IO Capability " 1031 "value (0x%02x) out of range).", 1032 p_cb->rcvd_cmd_code, io_caps); 1033 return false; 1034 } 1035 1036 if (!((oob_flag == SMP_OOB_NONE) || (oob_flag == SMP_OOB_PRESENT))) { 1037 SMP_TRACE_WARNING( 1038 "Rcvd from the peer cmd 0x%02x with OOB data flag value " 1039 "(0x%02x) out of range).", 1040 p_cb->rcvd_cmd_code, oob_flag); 1041 return false; 1042 } 1043 1044 if (!((bond_flag == SMP_AUTH_NO_BOND) || (bond_flag == SMP_AUTH_BOND))) { 1045 SMP_TRACE_WARNING( 1046 "Rcvd from the peer cmd 0x%02x with Bonding_Flags value (0x%02x) " 1047 "out of range).", 1048 p_cb->rcvd_cmd_code, bond_flag); 1049 return false; 1050 } 1051 1052 if ((enc_size < SMP_ENCR_KEY_SIZE_MIN) || 1053 (enc_size > SMP_ENCR_KEY_SIZE_MAX)) { 1054 SMP_TRACE_WARNING( 1055 "Rcvd from the peer cmd 0x%02x with Maximum Encryption " 1056 "Key value (0x%02x) out of range).", 1057 p_cb->rcvd_cmd_code, enc_size); 1058 return false; 1059 } 1060 1061 return true; 1062 } 1063 1064 /******************************************************************************* 1065 * 1066 * Function smp_pairing_keypress_notification_is_valid 1067 * 1068 * Description Validates Notification Type parameter range in the received 1069 * SMP command pairing keypress notification. 1070 * Returns false if this parameter is out of range. 1071 * 1072 ******************************************************************************/ 1073 bool smp_pairing_keypress_notification_is_valid(tSMP_CB* p_cb) { 1074 tBTM_SP_KEY_TYPE keypress_notification = p_cb->peer_keypress_notification; 1075 1076 SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, p_cb->rcvd_cmd_code); 1077 1078 if (keypress_notification >= BTM_SP_KEY_OUT_OF_RANGE) { 1079 SMP_TRACE_WARNING( 1080 "Rcvd from the peer cmd 0x%02x with Pairing Keypress " 1081 "Notification value (0x%02x) out of range).", 1082 p_cb->rcvd_cmd_code, keypress_notification); 1083 return false; 1084 } 1085 1086 return true; 1087 } 1088 1089 /******************************************************************************* 1090 * 1091 * Function smp_parameter_unconditionally_valid 1092 * 1093 * Description Always returns true. 1094 * 1095 ******************************************************************************/ 1096 bool smp_parameter_unconditionally_valid(UNUSED_ATTR tSMP_CB* p_cb) { 1097 return true; 1098 } 1099 1100 /******************************************************************************* 1101 * 1102 * Function smp_parameter_unconditionally_invalid 1103 * 1104 * Description Always returns false. 1105 * 1106 ******************************************************************************/ 1107 bool smp_parameter_unconditionally_invalid(UNUSED_ATTR tSMP_CB* p_cb) { 1108 return false; 1109 } 1110 1111 /******************************************************************************* 1112 * 1113 * Function smp_reject_unexpected_pairing_command 1114 * 1115 * Description send pairing failure to an unexpected pairing command during 1116 * an active pairing process. 1117 * 1118 * Returns void 1119 * 1120 ******************************************************************************/ 1121 void smp_reject_unexpected_pairing_command(const RawAddress& bd_addr) { 1122 uint8_t* p; 1123 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_FAIL_SIZE + 1124 L2CAP_MIN_OFFSET); 1125 1126 SMP_TRACE_DEBUG("%s", __func__); 1127 1128 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 1129 UINT8_TO_STREAM(p, SMP_OPCODE_PAIRING_FAILED); 1130 UINT8_TO_STREAM(p, SMP_PAIR_NOT_SUPPORT); 1131 1132 p_buf->offset = L2CAP_MIN_OFFSET; 1133 p_buf->len = SMP_PAIR_FAIL_SIZE; 1134 1135 smp_send_msg_to_L2CAP(bd_addr, p_buf); 1136 } 1137 1138 /******************************************************************************* 1139 * Function smp_select_association_model 1140 * 1141 * Description This function selects association model to use for STK 1142 * generation. Selection is based on both sides' io capability, 1143 * oob data flag and authentication request. 1144 * 1145 * Note If Secure Connections Only mode is required locally then we 1146 * come to this point only if both sides support Secure 1147 * Connections mode, i.e. 1148 * if p_cb->secure_connections_only_mode_required = true 1149 * then we come to this point only if 1150 * (p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT) == 1151 * (p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) == 1152 * SMP_SC_SUPPORT_BIT 1153 * 1154 ******************************************************************************/ 1155 tSMP_ASSO_MODEL smp_select_association_model(tSMP_CB* p_cb) { 1156 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE; 1157 p_cb->le_secure_connections_mode_is_used = false; 1158 1159 SMP_TRACE_EVENT("%s", __func__); 1160 SMP_TRACE_DEBUG("%s p_cb->peer_io_caps = %d p_cb->local_io_capability = %d", 1161 __func__, p_cb->peer_io_caps, p_cb->local_io_capability); 1162 SMP_TRACE_DEBUG("%s p_cb->peer_oob_flag = %d p_cb->loc_oob_flag = %d", 1163 __func__, p_cb->peer_oob_flag, p_cb->loc_oob_flag); 1164 SMP_TRACE_DEBUG("%s p_cb->peer_auth_req = 0x%02x p_cb->loc_auth_req = 0x%02x", 1165 __func__, p_cb->peer_auth_req, p_cb->loc_auth_req); 1166 SMP_TRACE_DEBUG( 1167 "%s p_cb->secure_connections_only_mode_required = %s", __func__, 1168 p_cb->secure_connections_only_mode_required ? "true" : "false"); 1169 1170 if ((p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT) && 1171 (p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT)) { 1172 p_cb->le_secure_connections_mode_is_used = true; 1173 } 1174 1175 if ((p_cb->peer_auth_req & SMP_H7_SUPPORT_BIT) && 1176 (p_cb->loc_auth_req & SMP_H7_SUPPORT_BIT)) { 1177 p_cb->key_derivation_h7_used = TRUE; 1178 } 1179 1180 SMP_TRACE_DEBUG("use_sc_process = %d, h7 use = %d", 1181 p_cb->le_secure_connections_mode_is_used, 1182 p_cb->key_derivation_h7_used); 1183 1184 if (p_cb->le_secure_connections_mode_is_used) { 1185 model = smp_select_association_model_secure_connections(p_cb); 1186 } else { 1187 model = smp_select_legacy_association_model(p_cb); 1188 } 1189 return model; 1190 } 1191 1192 /******************************************************************************* 1193 * Function smp_select_legacy_association_model 1194 * 1195 * Description This function is called to select association mode if at 1196 * least one side doesn't support secure connections. 1197 * 1198 ******************************************************************************/ 1199 tSMP_ASSO_MODEL smp_select_legacy_association_model(tSMP_CB* p_cb) { 1200 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE; 1201 1202 SMP_TRACE_DEBUG("%s", __func__); 1203 /* if OOB data is present on both devices, then use OOB association model */ 1204 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT && 1205 p_cb->loc_oob_flag == SMP_OOB_PRESENT) 1206 return SMP_MODEL_OOB; 1207 1208 /* else if neither device requires MITM, then use Just Works association model 1209 */ 1210 if (SMP_NO_MITM_REQUIRED(p_cb->peer_auth_req) && 1211 SMP_NO_MITM_REQUIRED(p_cb->loc_auth_req)) 1212 return SMP_MODEL_ENCRYPTION_ONLY; 1213 1214 /* otherwise use IO capability to select association model */ 1215 if (p_cb->peer_io_caps < SMP_IO_CAP_MAX && 1216 p_cb->local_io_capability < SMP_IO_CAP_MAX) { 1217 if (p_cb->role == HCI_ROLE_MASTER) { 1218 model = smp_association_table[p_cb->role][p_cb->peer_io_caps] 1219 [p_cb->local_io_capability]; 1220 } else { 1221 model = smp_association_table[p_cb->role][p_cb->local_io_capability] 1222 [p_cb->peer_io_caps]; 1223 } 1224 } 1225 1226 return model; 1227 } 1228 1229 /******************************************************************************* 1230 * Function smp_select_association_model_secure_connections 1231 * 1232 * Description This function is called to select association mode if both 1233 * sides support secure connections. 1234 * 1235 ******************************************************************************/ 1236 tSMP_ASSO_MODEL smp_select_association_model_secure_connections(tSMP_CB* p_cb) { 1237 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE; 1238 1239 SMP_TRACE_DEBUG("%s", __func__); 1240 /* if OOB data is present on at least one device, then use OOB association 1241 * model */ 1242 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT || 1243 p_cb->loc_oob_flag == SMP_OOB_PRESENT) 1244 return SMP_MODEL_SEC_CONN_OOB; 1245 1246 /* else if neither device requires MITM, then use Just Works association model 1247 */ 1248 if (SMP_NO_MITM_REQUIRED(p_cb->peer_auth_req) && 1249 SMP_NO_MITM_REQUIRED(p_cb->loc_auth_req)) 1250 return SMP_MODEL_SEC_CONN_JUSTWORKS; 1251 1252 /* otherwise use IO capability to select association model */ 1253 if (p_cb->peer_io_caps < SMP_IO_CAP_MAX && 1254 p_cb->local_io_capability < SMP_IO_CAP_MAX) { 1255 if (p_cb->role == HCI_ROLE_MASTER) { 1256 model = smp_association_table_sc[p_cb->role][p_cb->peer_io_caps] 1257 [p_cb->local_io_capability]; 1258 } else { 1259 model = smp_association_table_sc[p_cb->role][p_cb->local_io_capability] 1260 [p_cb->peer_io_caps]; 1261 } 1262 } 1263 1264 return model; 1265 } 1266 1267 /******************************************************************************* 1268 * Function smp_reverse_array 1269 * 1270 * Description This function reverses array bytes 1271 * 1272 ******************************************************************************/ 1273 void smp_reverse_array(uint8_t* arr, uint8_t len) { 1274 uint8_t i = 0, tmp; 1275 1276 SMP_TRACE_DEBUG("smp_reverse_array"); 1277 1278 for (i = 0; i < len / 2; i++) { 1279 tmp = arr[i]; 1280 arr[i] = arr[len - 1 - i]; 1281 arr[len - 1 - i] = tmp; 1282 } 1283 } 1284 1285 /******************************************************************************* 1286 * Function smp_calculate_random_input 1287 * 1288 * Description This function returns random input value to be used in 1289 * commitment calculation for SC passkey entry association mode 1290 * (if bit["round"] in "random" array == 1 then returns 0x81 1291 * else returns 0x80). 1292 * 1293 * Returns ri value 1294 * 1295 ******************************************************************************/ 1296 uint8_t smp_calculate_random_input(uint8_t* random, uint8_t round) { 1297 uint8_t i = round / 8; 1298 uint8_t j = round % 8; 1299 uint8_t ri; 1300 1301 SMP_TRACE_DEBUG("random: 0x%02x, round: %d, i: %d, j: %d", random[i], round, 1302 i, j); 1303 ri = ((random[i] >> j) & 1) | 0x80; 1304 SMP_TRACE_DEBUG("%s ri=0x%02x", __func__, ri); 1305 return ri; 1306 } 1307 1308 /******************************************************************************* 1309 * Function smp_collect_local_io_capabilities 1310 * 1311 * Description This function puts into IOcap array local device 1312 * IOCapability, OOB data, AuthReq. 1313 * 1314 * Returns void 1315 * 1316 ******************************************************************************/ 1317 void smp_collect_local_io_capabilities(uint8_t* iocap, tSMP_CB* p_cb) { 1318 SMP_TRACE_DEBUG("%s", __func__); 1319 1320 iocap[0] = p_cb->local_io_capability; 1321 iocap[1] = p_cb->loc_oob_flag; 1322 iocap[2] = p_cb->loc_auth_req; 1323 } 1324 1325 /******************************************************************************* 1326 * Function smp_collect_peer_io_capabilities 1327 * 1328 * Description This function puts into IOcap array peer device 1329 * IOCapability, OOB data, AuthReq. 1330 * 1331 * Returns void 1332 * 1333 ******************************************************************************/ 1334 void smp_collect_peer_io_capabilities(uint8_t* iocap, tSMP_CB* p_cb) { 1335 SMP_TRACE_DEBUG("%s", __func__); 1336 1337 iocap[0] = p_cb->peer_io_caps; 1338 iocap[1] = p_cb->peer_oob_flag; 1339 iocap[2] = p_cb->peer_auth_req; 1340 } 1341 1342 /******************************************************************************* 1343 * Function smp_collect_local_ble_address 1344 * 1345 * Description Put the the local device LE address into the le_addr array: 1346 * le_addr[0-5] = local BD ADDR, 1347 * le_addr[6] = local le address type (PUBLIC/RANDOM). 1348 * 1349 * Returns void 1350 * 1351 ******************************************************************************/ 1352 void smp_collect_local_ble_address(uint8_t* le_addr, tSMP_CB* p_cb) { 1353 tBLE_ADDR_TYPE addr_type = 0; 1354 RawAddress bda; 1355 uint8_t* p = le_addr; 1356 1357 SMP_TRACE_DEBUG("%s", __func__); 1358 1359 BTM_ReadConnectionAddr(p_cb->pairing_bda, bda, &addr_type); 1360 BDADDR_TO_STREAM(p, bda); 1361 UINT8_TO_STREAM(p, addr_type); 1362 } 1363 1364 /******************************************************************************* 1365 * Function smp_collect_peer_ble_address 1366 * 1367 * Description Put the peer device LE addr into the le_addr array: 1368 * le_addr[0-5] = peer BD ADDR, 1369 * le_addr[6] = peer le address type (PUBLIC/RANDOM). 1370 * 1371 * Returns void 1372 * 1373 ******************************************************************************/ 1374 void smp_collect_peer_ble_address(uint8_t* le_addr, tSMP_CB* p_cb) { 1375 tBLE_ADDR_TYPE addr_type = 0; 1376 RawAddress bda; 1377 uint8_t* p = le_addr; 1378 1379 SMP_TRACE_DEBUG("%s", __func__); 1380 1381 if (!BTM_ReadRemoteConnectionAddr(p_cb->pairing_bda, bda, &addr_type)) { 1382 SMP_TRACE_ERROR( 1383 "can not collect peer le addr information for unknown device"); 1384 return; 1385 } 1386 1387 BDADDR_TO_STREAM(p, bda); 1388 UINT8_TO_STREAM(p, addr_type); 1389 } 1390 1391 /******************************************************************************* 1392 * Function smp_check_commitment 1393 * 1394 * Description This function compares peer commitment values: 1395 * - expected (i.e. calculated locally), 1396 * - received from the peer. 1397 * 1398 * Returns true if the values are the same 1399 * false otherwise 1400 * 1401 ******************************************************************************/ 1402 bool smp_check_commitment(tSMP_CB* p_cb) { 1403 BT_OCTET16 expected; 1404 1405 SMP_TRACE_DEBUG("%s", __func__); 1406 1407 smp_calculate_peer_commitment(p_cb, expected); 1408 print128(expected, (const uint8_t*)"calculated peer commitment"); 1409 print128(p_cb->remote_commitment, (const uint8_t*)"received peer commitment"); 1410 1411 if (memcmp(p_cb->remote_commitment, expected, BT_OCTET16_LEN)) { 1412 SMP_TRACE_WARNING("%s: Commitment check fails", __func__); 1413 return false; 1414 } 1415 1416 SMP_TRACE_DEBUG("%s: Commitment check succeeds", __func__); 1417 return true; 1418 } 1419 1420 /******************************************************************************* 1421 * 1422 * Function smp_save_secure_connections_long_term_key 1423 * 1424 * Description The function saves SC LTK as BLE key for future use as local 1425 * and/or peer key. 1426 * 1427 * Returns void 1428 * 1429 ******************************************************************************/ 1430 void smp_save_secure_connections_long_term_key(tSMP_CB* p_cb) { 1431 tBTM_LE_LENC_KEYS lle_key; 1432 tBTM_LE_PENC_KEYS ple_key; 1433 1434 SMP_TRACE_DEBUG("%s-Save LTK as local LTK key", __func__); 1435 memcpy(lle_key.ltk, p_cb->ltk, BT_OCTET16_LEN); 1436 lle_key.div = 0; 1437 lle_key.key_size = p_cb->loc_enc_size; 1438 lle_key.sec_level = p_cb->sec_level; 1439 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC, 1440 (tBTM_LE_KEY_VALUE*)&lle_key, true); 1441 1442 SMP_TRACE_DEBUG("%s-Save LTK as peer LTK key", __func__); 1443 ple_key.ediv = 0; 1444 memset(ple_key.rand, 0, BT_OCTET8_LEN); 1445 memcpy(ple_key.ltk, p_cb->ltk, BT_OCTET16_LEN); 1446 ple_key.sec_level = p_cb->sec_level; 1447 ple_key.key_size = p_cb->loc_enc_size; 1448 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC, 1449 (tBTM_LE_KEY_VALUE*)&ple_key, true); 1450 } 1451 1452 /******************************************************************************* 1453 * 1454 * Function smp_calculate_f5_mackey_and_long_term_key 1455 * 1456 * Description The function calculates MacKey and LTK and saves them in CB. 1457 * To calculate MacKey and LTK it calls smp_calc_f5(...). 1458 * MacKey is used in dhkey calculation, LTK is used to encrypt 1459 * the link. 1460 * 1461 * Returns false if out of resources, true otherwise. 1462 * 1463 ******************************************************************************/ 1464 bool smp_calculate_f5_mackey_and_long_term_key(tSMP_CB* p_cb) { 1465 uint8_t a[7]; 1466 uint8_t b[7]; 1467 uint8_t* p_na; 1468 uint8_t* p_nb; 1469 1470 SMP_TRACE_DEBUG("%s", __func__); 1471 1472 if (p_cb->role == HCI_ROLE_MASTER) { 1473 smp_collect_local_ble_address(a, p_cb); 1474 smp_collect_peer_ble_address(b, p_cb); 1475 p_na = p_cb->rand; 1476 p_nb = p_cb->rrand; 1477 } else { 1478 smp_collect_local_ble_address(b, p_cb); 1479 smp_collect_peer_ble_address(a, p_cb); 1480 p_na = p_cb->rrand; 1481 p_nb = p_cb->rand; 1482 } 1483 1484 if (!smp_calculate_f5(p_cb->dhkey, p_na, p_nb, a, b, p_cb->mac_key, 1485 p_cb->ltk)) { 1486 SMP_TRACE_ERROR("%s failed", __func__); 1487 return false; 1488 } 1489 1490 SMP_TRACE_EVENT("%s is completed", __func__); 1491 return true; 1492 } 1493 1494 /******************************************************************************* 1495 * 1496 * Function smp_request_oob_data 1497 * 1498 * Description Requests application to provide OOB data. 1499 * 1500 * Returns true - OOB data has to be provided by application 1501 * false - otherwise (unexpected) 1502 * 1503 ******************************************************************************/ 1504 bool smp_request_oob_data(tSMP_CB* p_cb) { 1505 tSMP_OOB_DATA_TYPE req_oob_type = SMP_OOB_INVALID_TYPE; 1506 1507 SMP_TRACE_DEBUG("%s", __func__); 1508 1509 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT && 1510 p_cb->loc_oob_flag == SMP_OOB_PRESENT) { 1511 /* both local and peer rcvd data OOB */ 1512 req_oob_type = SMP_OOB_BOTH; 1513 } else if (p_cb->peer_oob_flag == SMP_OOB_PRESENT) { 1514 /* peer rcvd OOB local data, local didn't receive OOB peer data */ 1515 req_oob_type = SMP_OOB_LOCAL; 1516 } else if (p_cb->loc_oob_flag == SMP_OOB_PRESENT) { 1517 req_oob_type = SMP_OOB_PEER; 1518 } 1519 1520 SMP_TRACE_DEBUG("req_oob_type = %d", req_oob_type); 1521 1522 if (req_oob_type == SMP_OOB_INVALID_TYPE) return false; 1523 1524 p_cb->req_oob_type = req_oob_type; 1525 p_cb->cb_evt = SMP_SC_OOB_REQ_EVT; 1526 smp_sm_event(p_cb, SMP_TK_REQ_EVT, &req_oob_type); 1527 1528 return true; 1529 } 1530
