1 /****************************************************************************** 2 * 3 * Copyright 1999-2012 Broadcom Corporation 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License"); 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at: 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 * 17 *****************************************************************************/ 18 19 /****************************************************************************** 20 * 21 * This file contains functions for the SMP L2CAP utility functions 22 * 23 ******************************************************************************/ 24 #include "bt_target.h" 25 26 #include <ctype.h> 27 #include <string.h> 28 #include "bt_types.h" 29 #include "bt_utils.h" 30 #include "btm_ble_api.h" 31 #include "btm_int.h" 32 #include "device/include/controller.h" 33 #include "hcidefs.h" 34 #include "l2c_api.h" 35 #include "l2c_int.h" 36 #include "osi/include/osi.h" 37 #include "smp_int.h" 38 39 #define SMP_PAIRING_REQ_SIZE 7 40 #define SMP_CONFIRM_CMD_SIZE (BT_OCTET16_LEN + 1) 41 #define SMP_RAND_CMD_SIZE (BT_OCTET16_LEN + 1) 42 #define SMP_INIT_CMD_SIZE (BT_OCTET16_LEN + 1) 43 #define SMP_ENC_INFO_SIZE (BT_OCTET16_LEN + 1) 44 #define SMP_MASTER_ID_SIZE (BT_OCTET8_LEN + 2 + 1) 45 #define SMP_ID_INFO_SIZE (BT_OCTET16_LEN + 1) 46 #define SMP_ID_ADDR_SIZE (BD_ADDR_LEN + 1 + 1) 47 #define SMP_SIGN_INFO_SIZE (BT_OCTET16_LEN + 1) 48 #define SMP_PAIR_FAIL_SIZE 2 49 #define SMP_SECURITY_REQUEST_SIZE 2 50 #define SMP_PAIR_PUBL_KEY_SIZE (1 /* opcode */ + (2 * BT_OCTET32_LEN)) 51 #define SMP_PAIR_COMMITM_SIZE (1 /* opcode */ + BT_OCTET16_LEN /*Commitment*/) 52 #define SMP_PAIR_DHKEY_CHECK_SIZE \ 53 (1 /* opcode */ + BT_OCTET16_LEN /*DHKey Check*/) 54 #define SMP_PAIR_KEYPR_NOTIF_SIZE (1 /* opcode */ + 1 /*Notif Type*/) 55 56 /* SMP command sizes per spec */ 57 static const uint8_t smp_cmd_size_per_spec[] = { 58 0, 59 SMP_PAIRING_REQ_SIZE, /* 0x01: pairing request */ 60 SMP_PAIRING_REQ_SIZE, /* 0x02: pairing response */ 61 SMP_CONFIRM_CMD_SIZE, /* 0x03: pairing confirm */ 62 SMP_RAND_CMD_SIZE, /* 0x04: pairing random */ 63 SMP_PAIR_FAIL_SIZE, /* 0x05: pairing failed */ 64 SMP_ENC_INFO_SIZE, /* 0x06: encryption information */ 65 SMP_MASTER_ID_SIZE, /* 0x07: master identification */ 66 SMP_ID_INFO_SIZE, /* 0x08: identity information */ 67 SMP_ID_ADDR_SIZE, /* 0x09: identity address information */ 68 SMP_SIGN_INFO_SIZE, /* 0x0A: signing information */ 69 SMP_SECURITY_REQUEST_SIZE, /* 0x0B: security request */ 70 SMP_PAIR_PUBL_KEY_SIZE, /* 0x0C: pairing public key */ 71 SMP_PAIR_DHKEY_CHECK_SIZE, /* 0x0D: pairing dhkey check */ 72 SMP_PAIR_KEYPR_NOTIF_SIZE, /* 0x0E: pairing keypress notification */ 73 SMP_PAIR_COMMITM_SIZE /* 0x0F: pairing commitment */ 74 }; 75 76 static bool smp_parameter_unconditionally_valid(tSMP_CB* p_cb); 77 static bool smp_parameter_unconditionally_invalid(tSMP_CB* p_cb); 78 79 /* type for SMP command length validation functions */ 80 typedef bool (*tSMP_CMD_LEN_VALID)(tSMP_CB* p_cb); 81 82 static bool smp_command_has_valid_fixed_length(tSMP_CB* p_cb); 83 84 static const tSMP_CMD_LEN_VALID smp_cmd_len_is_valid[] = { 85 smp_parameter_unconditionally_invalid, 86 smp_command_has_valid_fixed_length, /* 0x01: pairing request */ 87 smp_command_has_valid_fixed_length, /* 0x02: pairing response */ 88 smp_command_has_valid_fixed_length, /* 0x03: pairing confirm */ 89 smp_command_has_valid_fixed_length, /* 0x04: pairing random */ 90 smp_command_has_valid_fixed_length, /* 0x05: pairing failed */ 91 smp_command_has_valid_fixed_length, /* 0x06: encryption information */ 92 smp_command_has_valid_fixed_length, /* 0x07: master identification */ 93 smp_command_has_valid_fixed_length, /* 0x08: identity information */ 94 smp_command_has_valid_fixed_length, /* 0x09: identity address information */ 95 smp_command_has_valid_fixed_length, /* 0x0A: signing information */ 96 smp_command_has_valid_fixed_length, /* 0x0B: security request */ 97 smp_command_has_valid_fixed_length, /* 0x0C: pairing public key */ 98 smp_command_has_valid_fixed_length, /* 0x0D: pairing dhkey check */ 99 smp_command_has_valid_fixed_length, /* 0x0E: pairing keypress notification*/ 100 smp_command_has_valid_fixed_length /* 0x0F: pairing commitment */ 101 }; 102 103 /* type for SMP command parameter ranges validation functions */ 104 typedef bool (*tSMP_CMD_PARAM_RANGES_VALID)(tSMP_CB* p_cb); 105 106 static bool smp_pairing_request_response_parameters_are_valid(tSMP_CB* p_cb); 107 static bool smp_pairing_keypress_notification_is_valid(tSMP_CB* p_cb); 108 109 static const tSMP_CMD_PARAM_RANGES_VALID smp_cmd_param_ranges_are_valid[] = { 110 smp_parameter_unconditionally_invalid, 111 smp_pairing_request_response_parameters_are_valid, /* 0x01: pairing 112 request */ 113 smp_pairing_request_response_parameters_are_valid, /* 0x02: pairing 114 response */ 115 smp_parameter_unconditionally_valid, /* 0x03: pairing confirm */ 116 smp_parameter_unconditionally_valid, /* 0x04: pairing random */ 117 smp_parameter_unconditionally_valid, /* 0x05: pairing failed */ 118 smp_parameter_unconditionally_valid, /* 0x06: encryption information */ 119 smp_parameter_unconditionally_valid, /* 0x07: master identification */ 120 smp_parameter_unconditionally_valid, /* 0x08: identity information */ 121 smp_parameter_unconditionally_valid, /* 0x09: identity address 122 information */ 123 smp_parameter_unconditionally_valid, /* 0x0A: signing information */ 124 smp_parameter_unconditionally_valid, /* 0x0B: security request */ 125 smp_parameter_unconditionally_valid, /* 0x0C: pairing public key */ 126 smp_parameter_unconditionally_valid, /* 0x0D: pairing dhkey check */ 127 smp_pairing_keypress_notification_is_valid, /* 0x0E: pairing keypress 128 notification */ 129 smp_parameter_unconditionally_valid /* 0x0F: pairing commitment */ 130 }; 131 132 /* type for action functions */ 133 typedef BT_HDR* (*tSMP_CMD_ACT)(uint8_t cmd_code, tSMP_CB* p_cb); 134 135 static BT_HDR* smp_build_pairing_cmd(uint8_t cmd_code, tSMP_CB* p_cb); 136 static BT_HDR* smp_build_confirm_cmd(UNUSED_ATTR uint8_t cmd_code, 137 tSMP_CB* p_cb); 138 static BT_HDR* smp_build_rand_cmd(UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb); 139 static BT_HDR* smp_build_pairing_fail(UNUSED_ATTR uint8_t cmd_code, 140 tSMP_CB* p_cb); 141 static BT_HDR* smp_build_identity_info_cmd(UNUSED_ATTR uint8_t cmd_code, 142 tSMP_CB* p_cb); 143 static BT_HDR* smp_build_encrypt_info_cmd(UNUSED_ATTR uint8_t cmd_code, 144 tSMP_CB* p_cb); 145 static BT_HDR* smp_build_security_request(UNUSED_ATTR uint8_t cmd_code, 146 tSMP_CB* p_cb); 147 static BT_HDR* smp_build_signing_info_cmd(UNUSED_ATTR uint8_t cmd_code, 148 tSMP_CB* p_cb); 149 static BT_HDR* smp_build_master_id_cmd(UNUSED_ATTR uint8_t cmd_code, 150 tSMP_CB* p_cb); 151 static BT_HDR* smp_build_id_addr_cmd(UNUSED_ATTR uint8_t cmd_code, 152 tSMP_CB* p_cb); 153 static BT_HDR* smp_build_pair_public_key_cmd(UNUSED_ATTR uint8_t cmd_code, 154 tSMP_CB* p_cb); 155 static BT_HDR* smp_build_pairing_commitment_cmd(UNUSED_ATTR uint8_t cmd_code, 156 tSMP_CB* p_cb); 157 static BT_HDR* smp_build_pair_dhkey_check_cmd(UNUSED_ATTR uint8_t cmd_code, 158 tSMP_CB* p_cb); 159 static BT_HDR* smp_build_pairing_keypress_notification_cmd( 160 UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb); 161 162 static const tSMP_CMD_ACT smp_cmd_build_act[] = { 163 NULL, smp_build_pairing_cmd, /* 0x01: pairing request */ 164 smp_build_pairing_cmd, /* 0x02: pairing response */ 165 smp_build_confirm_cmd, /* 0x03: pairing confirm */ 166 smp_build_rand_cmd, /* 0x04: pairing random */ 167 smp_build_pairing_fail, /* 0x05: pairing failure */ 168 smp_build_encrypt_info_cmd, /* 0x06: encryption information */ 169 smp_build_master_id_cmd, /* 0x07: master identification */ 170 smp_build_identity_info_cmd, /* 0x08: identity information */ 171 smp_build_id_addr_cmd, /* 0x09: identity address information */ 172 smp_build_signing_info_cmd, /* 0x0A: signing information */ 173 smp_build_security_request, /* 0x0B: security request */ 174 smp_build_pair_public_key_cmd, /* 0x0C: pairing public key */ 175 smp_build_pair_dhkey_check_cmd, /* 0x0D: pairing DHKey check */ 176 smp_build_pairing_keypress_notification_cmd, /* 0x0E: pairing keypress 177 notification */ 178 smp_build_pairing_commitment_cmd /* 0x0F: pairing commitment */ 179 }; 180 181 static const uint8_t smp_association_table[2][SMP_IO_CAP_MAX][SMP_IO_CAP_MAX] = 182 { 183 /* display only */ /* Display Yes/No */ /* keyboard only */ 184 /* No Input/Output */ /* keyboard display */ 185 186 /* initiator */ 187 /* model = tbl[peer_io_caps][loc_io_caps] */ 188 /* Display Only */ 189 {{SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, 190 SMP_MODEL_PASSKEY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY}, 191 192 /* Display Yes/No */ 193 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, 194 SMP_MODEL_PASSKEY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY}, 195 196 /* Keyboard only */ 197 {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY, 198 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF}, 199 200 /* No Input No Output */ 201 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, 202 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, 203 SMP_MODEL_ENCRYPTION_ONLY}, 204 205 /* keyboard display */ 206 {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY, 207 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF}}, 208 209 /* responder */ 210 /* model = tbl[loc_io_caps][peer_io_caps] */ 211 /* Display Only */ 212 {{SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, 213 SMP_MODEL_KEY_NOTIF, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF}, 214 215 /* Display Yes/No */ 216 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, 217 SMP_MODEL_KEY_NOTIF, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF}, 218 219 /* keyboard only */ 220 {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, 221 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY}, 222 223 /* No Input No Output */ 224 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, 225 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, 226 SMP_MODEL_ENCRYPTION_ONLY}, 227 228 /* keyboard display */ 229 {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_KEY_NOTIF, 230 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY}}}; 231 232 static const uint8_t 233 smp_association_table_sc[2][SMP_IO_CAP_MAX][SMP_IO_CAP_MAX] = { 234 /* display only */ /* Display Yes/No */ /* keyboard only */ 235 /* No InputOutput */ /* keyboard display */ 236 237 /* initiator */ 238 /* model = tbl[peer_io_caps][loc_io_caps] */ 239 240 /* Display Only */ 241 {{SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS, 242 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS, 243 SMP_MODEL_SEC_CONN_PASSKEY_ENT}, 244 245 /* Display Yes/No */ 246 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP, 247 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS, 248 SMP_MODEL_SEC_CONN_NUM_COMP}, 249 250 /* keyboard only */ 251 {SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_PASSKEY_DISP, 252 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS, 253 SMP_MODEL_SEC_CONN_PASSKEY_DISP}, 254 255 /* No Input No Output */ 256 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS, 257 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS, 258 SMP_MODEL_SEC_CONN_JUSTWORKS}, 259 260 /* keyboard display */ 261 {SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_NUM_COMP, 262 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS, 263 SMP_MODEL_SEC_CONN_NUM_COMP}}, 264 265 /* responder */ 266 /* model = tbl[loc_io_caps][peer_io_caps] */ 267 268 /* Display Only */ 269 {{SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS, 270 SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS, 271 SMP_MODEL_SEC_CONN_PASSKEY_DISP}, 272 273 /* Display Yes/No */ 274 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP, 275 SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS, 276 SMP_MODEL_SEC_CONN_NUM_COMP}, 277 278 /* keyboard only */ 279 {SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_PASSKEY_ENT, 280 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS, 281 SMP_MODEL_SEC_CONN_PASSKEY_ENT}, 282 283 /* No Input No Output */ 284 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS, 285 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS, 286 SMP_MODEL_SEC_CONN_JUSTWORKS}, 287 288 /* keyboard display */ 289 {SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_NUM_COMP, 290 SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS, 291 SMP_MODEL_SEC_CONN_NUM_COMP}}}; 292 293 static tSMP_ASSO_MODEL smp_select_legacy_association_model(tSMP_CB* p_cb); 294 static tSMP_ASSO_MODEL smp_select_association_model_secure_connections( 295 tSMP_CB* p_cb); 296 297 /******************************************************************************* 298 * 299 * Function smp_send_msg_to_L2CAP 300 * 301 * Description Send message to L2CAP. 302 * 303 ******************************************************************************/ 304 bool smp_send_msg_to_L2CAP(const RawAddress& rem_bda, BT_HDR* p_toL2CAP) { 305 uint16_t l2cap_ret; 306 uint16_t fixed_cid = L2CAP_SMP_CID; 307 308 if (smp_cb.smp_over_br) { 309 fixed_cid = L2CAP_SMP_BR_CID; 310 } 311 312 SMP_TRACE_EVENT("%s", __func__); 313 smp_cb.total_tx_unacked += 1; 314 315 l2cap_ret = L2CA_SendFixedChnlData(fixed_cid, rem_bda, p_toL2CAP); 316 if (l2cap_ret == L2CAP_DW_FAILED) { 317 smp_cb.total_tx_unacked -= 1; 318 SMP_TRACE_ERROR("SMP failed to pass msg to L2CAP"); 319 return false; 320 } else 321 return true; 322 } 323 324 /******************************************************************************* 325 * 326 * Function smp_send_cmd 327 * 328 * Description send a SMP command on L2CAP channel. 329 * 330 ******************************************************************************/ 331 bool smp_send_cmd(uint8_t cmd_code, tSMP_CB* p_cb) { 332 BT_HDR* p_buf; 333 bool sent = false; 334 335 SMP_TRACE_EVENT("%s: on l2cap cmd_code=0x%x, pairing_bda=%s", __func__, 336 cmd_code, p_cb->pairing_bda.ToString().c_str()); 337 338 if (cmd_code <= (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */) && 339 smp_cmd_build_act[cmd_code] != NULL) { 340 p_buf = (*smp_cmd_build_act[cmd_code])(cmd_code, p_cb); 341 342 if (p_buf != NULL && smp_send_msg_to_L2CAP(p_cb->pairing_bda, p_buf)) { 343 sent = true; 344 alarm_set_on_mloop(p_cb->smp_rsp_timer_ent, SMP_WAIT_FOR_RSP_TIMEOUT_MS, 345 smp_rsp_timeout, NULL); 346 } 347 } 348 349 if (!sent) { 350 tSMP_INT_DATA smp_int_data; 351 smp_int_data.status = SMP_PAIR_INTERNAL_ERR; 352 if (p_cb->smp_over_br) { 353 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data); 354 } else { 355 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data); 356 } 357 } 358 return sent; 359 } 360 361 /******************************************************************************* 362 * 363 * Function smp_rsp_timeout 364 * 365 * Description Called when SMP wait for SMP command response timer expires 366 * 367 * Returns void 368 * 369 ******************************************************************************/ 370 void smp_rsp_timeout(UNUSED_ATTR void* data) { 371 tSMP_CB* p_cb = &smp_cb; 372 373 SMP_TRACE_EVENT("%s state:%d br_state:%d", __func__, p_cb->state, 374 p_cb->br_state); 375 376 tSMP_INT_DATA smp_int_data; 377 smp_int_data.status = SMP_RSP_TIMEOUT; 378 if (p_cb->smp_over_br) { 379 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data); 380 } else { 381 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data); 382 } 383 } 384 385 /******************************************************************************* 386 * 387 * Function smp_delayed_auth_complete_timeout 388 * 389 * Description Called when no pairing failed command received within 390 * timeout period. 391 * 392 * Returns void 393 * 394 ******************************************************************************/ 395 void smp_delayed_auth_complete_timeout(UNUSED_ATTR void* data) { 396 /* 397 * Waited for potential pair failure. Send SMP_AUTH_CMPL_EVT if 398 * the state is still in bond pending. 399 */ 400 if (smp_get_state() == SMP_STATE_BOND_PENDING) { 401 SMP_TRACE_EVENT("%s sending delayed auth complete.", __func__); 402 tSMP_INT_DATA smp_int_data; 403 smp_int_data.status = SMP_SUCCESS; 404 smp_sm_event(&smp_cb, SMP_AUTH_CMPL_EVT, &smp_int_data); 405 } 406 } 407 408 /******************************************************************************* 409 * 410 * Function smp_build_pairing_req_cmd 411 * 412 * Description Build pairing request command. 413 * 414 ******************************************************************************/ 415 BT_HDR* smp_build_pairing_cmd(uint8_t cmd_code, tSMP_CB* p_cb) { 416 uint8_t* p; 417 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIRING_REQ_SIZE + 418 L2CAP_MIN_OFFSET); 419 420 SMP_TRACE_EVENT("%s", __func__); 421 422 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 423 UINT8_TO_STREAM(p, cmd_code); 424 UINT8_TO_STREAM(p, p_cb->local_io_capability); 425 UINT8_TO_STREAM(p, p_cb->loc_oob_flag); 426 UINT8_TO_STREAM(p, p_cb->loc_auth_req); 427 UINT8_TO_STREAM(p, p_cb->loc_enc_size); 428 UINT8_TO_STREAM(p, p_cb->local_i_key); 429 UINT8_TO_STREAM(p, p_cb->local_r_key); 430 431 p_buf->offset = L2CAP_MIN_OFFSET; 432 /* 1B ERR_RSP op code + 1B cmd_op_code + 2B handle + 1B status */ 433 p_buf->len = SMP_PAIRING_REQ_SIZE; 434 435 return p_buf; 436 } 437 438 /******************************************************************************* 439 * 440 * Function smp_build_confirm_cmd 441 * 442 * Description Build confirm request command. 443 * 444 ******************************************************************************/ 445 static BT_HDR* smp_build_confirm_cmd(UNUSED_ATTR uint8_t cmd_code, 446 tSMP_CB* p_cb) { 447 uint8_t* p; 448 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_CONFIRM_CMD_SIZE + 449 L2CAP_MIN_OFFSET); 450 451 SMP_TRACE_EVENT("%s", __func__); 452 453 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 454 455 UINT8_TO_STREAM(p, SMP_OPCODE_CONFIRM); 456 ARRAY_TO_STREAM(p, p_cb->confirm, BT_OCTET16_LEN); 457 458 p_buf->offset = L2CAP_MIN_OFFSET; 459 p_buf->len = SMP_CONFIRM_CMD_SIZE; 460 461 return p_buf; 462 } 463 464 /******************************************************************************* 465 * 466 * Function smp_build_rand_cmd 467 * 468 * Description Build Random command. 469 * 470 ******************************************************************************/ 471 static BT_HDR* smp_build_rand_cmd(UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb) { 472 uint8_t* p; 473 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_RAND_CMD_SIZE + 474 L2CAP_MIN_OFFSET); 475 476 SMP_TRACE_EVENT("%s", __func__); 477 478 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 479 UINT8_TO_STREAM(p, SMP_OPCODE_RAND); 480 ARRAY_TO_STREAM(p, p_cb->rand, BT_OCTET16_LEN); 481 482 p_buf->offset = L2CAP_MIN_OFFSET; 483 p_buf->len = SMP_RAND_CMD_SIZE; 484 485 return p_buf; 486 } 487 488 /******************************************************************************* 489 * 490 * Function smp_build_encrypt_info_cmd 491 * 492 * Description Build security information command. 493 * 494 ******************************************************************************/ 495 static BT_HDR* smp_build_encrypt_info_cmd(UNUSED_ATTR uint8_t cmd_code, 496 tSMP_CB* p_cb) { 497 uint8_t* p; 498 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ENC_INFO_SIZE + 499 L2CAP_MIN_OFFSET); 500 501 SMP_TRACE_EVENT("%s", __func__); 502 503 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 504 UINT8_TO_STREAM(p, SMP_OPCODE_ENCRYPT_INFO); 505 ARRAY_TO_STREAM(p, p_cb->ltk, BT_OCTET16_LEN); 506 507 p_buf->offset = L2CAP_MIN_OFFSET; 508 p_buf->len = SMP_ENC_INFO_SIZE; 509 510 return p_buf; 511 } 512 513 /******************************************************************************* 514 * 515 * Function smp_build_master_id_cmd 516 * 517 * Description Build security information command. 518 * 519 ******************************************************************************/ 520 static BT_HDR* smp_build_master_id_cmd(UNUSED_ATTR uint8_t cmd_code, 521 tSMP_CB* p_cb) { 522 uint8_t* p; 523 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_MASTER_ID_SIZE + 524 L2CAP_MIN_OFFSET); 525 526 SMP_TRACE_EVENT("%s", __func__); 527 528 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 529 UINT8_TO_STREAM(p, SMP_OPCODE_MASTER_ID); 530 UINT16_TO_STREAM(p, p_cb->ediv); 531 ARRAY_TO_STREAM(p, p_cb->enc_rand, BT_OCTET8_LEN); 532 533 p_buf->offset = L2CAP_MIN_OFFSET; 534 p_buf->len = SMP_MASTER_ID_SIZE; 535 536 return p_buf; 537 } 538 539 /******************************************************************************* 540 * 541 * Function smp_build_identity_info_cmd 542 * 543 * Description Build identity information command. 544 * 545 ******************************************************************************/ 546 static BT_HDR* smp_build_identity_info_cmd(UNUSED_ATTR uint8_t cmd_code, 547 UNUSED_ATTR tSMP_CB* p_cb) { 548 uint8_t* p; 549 BT_OCTET16 irk; 550 BT_HDR* p_buf = 551 (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ID_INFO_SIZE + L2CAP_MIN_OFFSET); 552 553 SMP_TRACE_EVENT("%s", __func__); 554 555 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 556 557 BTM_GetDeviceIDRoot(irk); 558 559 UINT8_TO_STREAM(p, SMP_OPCODE_IDENTITY_INFO); 560 ARRAY_TO_STREAM(p, irk, BT_OCTET16_LEN); 561 562 p_buf->offset = L2CAP_MIN_OFFSET; 563 p_buf->len = SMP_ID_INFO_SIZE; 564 565 return p_buf; 566 } 567 568 /******************************************************************************* 569 * 570 * Function smp_build_id_addr_cmd 571 * 572 * Description Build identity address information command. 573 * 574 ******************************************************************************/ 575 static BT_HDR* smp_build_id_addr_cmd(UNUSED_ATTR uint8_t cmd_code, 576 UNUSED_ATTR tSMP_CB* p_cb) { 577 uint8_t* p; 578 BT_HDR* p_buf = 579 (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ID_ADDR_SIZE + L2CAP_MIN_OFFSET); 580 581 SMP_TRACE_EVENT("%s", __func__); 582 583 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 584 UINT8_TO_STREAM(p, SMP_OPCODE_ID_ADDR); 585 UINT8_TO_STREAM(p, 0); 586 BDADDR_TO_STREAM(p, *controller_get_interface()->get_address()); 587 588 p_buf->offset = L2CAP_MIN_OFFSET; 589 p_buf->len = SMP_ID_ADDR_SIZE; 590 591 return p_buf; 592 } 593 594 /******************************************************************************* 595 * 596 * Function smp_build_signing_info_cmd 597 * 598 * Description Build signing information command. 599 * 600 ******************************************************************************/ 601 static BT_HDR* smp_build_signing_info_cmd(UNUSED_ATTR uint8_t cmd_code, 602 tSMP_CB* p_cb) { 603 uint8_t* p; 604 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_SIGN_INFO_SIZE + 605 L2CAP_MIN_OFFSET); 606 607 SMP_TRACE_EVENT("%s", __func__); 608 609 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 610 UINT8_TO_STREAM(p, SMP_OPCODE_SIGN_INFO); 611 ARRAY_TO_STREAM(p, p_cb->csrk, BT_OCTET16_LEN); 612 613 p_buf->offset = L2CAP_MIN_OFFSET; 614 p_buf->len = SMP_SIGN_INFO_SIZE; 615 616 return p_buf; 617 } 618 619 /******************************************************************************* 620 * 621 * Function smp_build_pairing_fail 622 * 623 * Description Build Pairing Fail command. 624 * 625 ******************************************************************************/ 626 static BT_HDR* smp_build_pairing_fail(UNUSED_ATTR uint8_t cmd_code, 627 tSMP_CB* p_cb) { 628 uint8_t* p; 629 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_FAIL_SIZE + 630 L2CAP_MIN_OFFSET); 631 632 SMP_TRACE_EVENT("%s", __func__); 633 634 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 635 UINT8_TO_STREAM(p, SMP_OPCODE_PAIRING_FAILED); 636 UINT8_TO_STREAM(p, p_cb->failure); 637 638 p_buf->offset = L2CAP_MIN_OFFSET; 639 p_buf->len = SMP_PAIR_FAIL_SIZE; 640 641 return p_buf; 642 } 643 644 /******************************************************************************* 645 * 646 * Function smp_build_security_request 647 * 648 * Description Build security request command. 649 * 650 ******************************************************************************/ 651 static BT_HDR* smp_build_security_request(UNUSED_ATTR uint8_t cmd_code, 652 tSMP_CB* p_cb) { 653 uint8_t* p; 654 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + 2 + L2CAP_MIN_OFFSET); 655 656 SMP_TRACE_EVENT("%s", __func__); 657 658 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 659 UINT8_TO_STREAM(p, SMP_OPCODE_SEC_REQ); 660 UINT8_TO_STREAM(p, p_cb->loc_auth_req); 661 662 p_buf->offset = L2CAP_MIN_OFFSET; 663 p_buf->len = SMP_SECURITY_REQUEST_SIZE; 664 665 SMP_TRACE_EVENT("opcode=%d auth_req=0x%x", SMP_OPCODE_SEC_REQ, 666 p_cb->loc_auth_req); 667 668 return p_buf; 669 } 670 671 /******************************************************************************* 672 * 673 * Function smp_build_pair_public_key_cmd 674 * 675 * Description Build pairing public key command. 676 * 677 ******************************************************************************/ 678 static BT_HDR* smp_build_pair_public_key_cmd(UNUSED_ATTR uint8_t cmd_code, 679 tSMP_CB* p_cb) { 680 uint8_t* p; 681 uint8_t publ_key[2 * BT_OCTET32_LEN]; 682 uint8_t* p_publ_key = publ_key; 683 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_PUBL_KEY_SIZE + 684 L2CAP_MIN_OFFSET); 685 686 SMP_TRACE_EVENT("%s", __func__); 687 688 memcpy(p_publ_key, p_cb->loc_publ_key.x, BT_OCTET32_LEN); 689 memcpy(p_publ_key + BT_OCTET32_LEN, p_cb->loc_publ_key.y, BT_OCTET32_LEN); 690 691 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 692 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_PUBLIC_KEY); 693 ARRAY_TO_STREAM(p, p_publ_key, 2 * BT_OCTET32_LEN); 694 695 p_buf->offset = L2CAP_MIN_OFFSET; 696 p_buf->len = SMP_PAIR_PUBL_KEY_SIZE; 697 698 return p_buf; 699 } 700 701 /******************************************************************************* 702 * 703 * Function smp_build_pairing_commitment_cmd 704 * 705 * Description Build pairing commitment command. 706 * 707 ******************************************************************************/ 708 static BT_HDR* smp_build_pairing_commitment_cmd(UNUSED_ATTR uint8_t cmd_code, 709 tSMP_CB* p_cb) { 710 uint8_t* p; 711 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_COMMITM_SIZE + 712 L2CAP_MIN_OFFSET); 713 714 SMP_TRACE_EVENT("%s", __func__); 715 716 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 717 UINT8_TO_STREAM(p, SMP_OPCODE_CONFIRM); 718 ARRAY_TO_STREAM(p, p_cb->commitment, BT_OCTET16_LEN); 719 720 p_buf->offset = L2CAP_MIN_OFFSET; 721 p_buf->len = SMP_PAIR_COMMITM_SIZE; 722 723 return p_buf; 724 } 725 726 /******************************************************************************* 727 * 728 * Function smp_build_pair_dhkey_check_cmd 729 * 730 * Description Build pairing DHKey check command. 731 * 732 ******************************************************************************/ 733 static BT_HDR* smp_build_pair_dhkey_check_cmd(UNUSED_ATTR uint8_t cmd_code, 734 tSMP_CB* p_cb) { 735 uint8_t* p; 736 BT_HDR* p_buf = (BT_HDR*)osi_malloc( 737 sizeof(BT_HDR) + SMP_PAIR_DHKEY_CHECK_SIZE + L2CAP_MIN_OFFSET); 738 739 SMP_TRACE_EVENT("%s", __func__); 740 741 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 742 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_DHKEY_CHECK); 743 ARRAY_TO_STREAM(p, p_cb->dhkey_check, BT_OCTET16_LEN); 744 745 p_buf->offset = L2CAP_MIN_OFFSET; 746 p_buf->len = SMP_PAIR_DHKEY_CHECK_SIZE; 747 748 return p_buf; 749 } 750 751 /******************************************************************************* 752 * 753 * Function smp_build_pairing_keypress_notification_cmd 754 * 755 * Description Build keypress notification command. 756 * 757 ******************************************************************************/ 758 static BT_HDR* smp_build_pairing_keypress_notification_cmd( 759 UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb) { 760 uint8_t* p; 761 BT_HDR* p_buf = (BT_HDR*)osi_malloc( 762 sizeof(BT_HDR) + SMP_PAIR_KEYPR_NOTIF_SIZE + L2CAP_MIN_OFFSET); 763 764 SMP_TRACE_EVENT("%s", __func__); 765 766 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 767 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_KEYPR_NOTIF); 768 UINT8_TO_STREAM(p, p_cb->local_keypress_notification); 769 770 p_buf->offset = L2CAP_MIN_OFFSET; 771 p_buf->len = SMP_PAIR_KEYPR_NOTIF_SIZE; 772 773 return p_buf; 774 } 775 776 /******************************************************************************* 777 * 778 * Function smp_convert_string_to_tk 779 * 780 * Description This function is called to convert a 6 to 16 digits numeric 781 * character string into SMP TK. 782 * 783 * 784 * Returns void 785 * 786 ******************************************************************************/ 787 void smp_convert_string_to_tk(BT_OCTET16 tk, uint32_t passkey) { 788 uint8_t* p = tk; 789 tSMP_KEY key; 790 SMP_TRACE_EVENT("smp_convert_string_to_tk"); 791 UINT32_TO_STREAM(p, passkey); 792 793 key.key_type = SMP_KEY_TYPE_TK; 794 key.p_data = tk; 795 796 tSMP_INT_DATA smp_int_data; 797 smp_int_data.key = key; 798 smp_sm_event(&smp_cb, SMP_KEY_READY_EVT, &smp_int_data); 799 } 800 801 /******************************************************************************* 802 * 803 * Function smp_mask_enc_key 804 * 805 * Description This function is called to mask off the encryption key based 806 * on the maximum encryption key size. 807 * 808 * 809 * Returns void 810 * 811 ******************************************************************************/ 812 void smp_mask_enc_key(uint8_t loc_enc_size, uint8_t* p_data) { 813 SMP_TRACE_EVENT("smp_mask_enc_key"); 814 if (loc_enc_size < BT_OCTET16_LEN) { 815 for (; loc_enc_size < BT_OCTET16_LEN; loc_enc_size++) 816 *(p_data + loc_enc_size) = 0; 817 } 818 return; 819 } 820 821 /******************************************************************************* 822 * 823 * Function smp_xor_128 824 * 825 * Description utility function to do an biteise exclusive-OR of two bit 826 * strings of the length of BT_OCTET16_LEN. 827 * 828 * Returns void 829 * 830 ******************************************************************************/ 831 void smp_xor_128(BT_OCTET16 a, BT_OCTET16 b) { 832 uint8_t i, *aa = a, *bb = b; 833 834 SMP_TRACE_EVENT("smp_xor_128"); 835 for (i = 0; i < BT_OCTET16_LEN; i++) { 836 aa[i] = aa[i] ^ bb[i]; 837 } 838 } 839 840 /******************************************************************************* 841 * 842 * Function smp_cb_cleanup 843 * 844 * Description Clean up SMP control block 845 * 846 * Returns void 847 * 848 ******************************************************************************/ 849 void smp_cb_cleanup(tSMP_CB* p_cb) { 850 tSMP_CALLBACK* p_callback = p_cb->p_callback; 851 uint8_t trace_level = p_cb->trace_level; 852 alarm_t* smp_rsp_timer_ent = p_cb->smp_rsp_timer_ent; 853 alarm_t* delayed_auth_timer_ent = p_cb->delayed_auth_timer_ent; 854 855 SMP_TRACE_EVENT("smp_cb_cleanup"); 856 857 alarm_cancel(p_cb->smp_rsp_timer_ent); 858 alarm_cancel(p_cb->delayed_auth_timer_ent); 859 memset(p_cb, 0, sizeof(tSMP_CB)); 860 p_cb->p_callback = p_callback; 861 p_cb->trace_level = trace_level; 862 p_cb->smp_rsp_timer_ent = smp_rsp_timer_ent; 863 p_cb->delayed_auth_timer_ent = delayed_auth_timer_ent; 864 } 865 866 /******************************************************************************* 867 * 868 * Function smp_remove_fixed_channel 869 * 870 * Description This function is called to remove the fixed channel 871 * 872 * Returns void 873 * 874 ******************************************************************************/ 875 void smp_remove_fixed_channel(tSMP_CB* p_cb) { 876 SMP_TRACE_DEBUG("%s", __func__); 877 878 if (p_cb->smp_over_br) 879 L2CA_RemoveFixedChnl(L2CAP_SMP_BR_CID, p_cb->pairing_bda); 880 else 881 L2CA_RemoveFixedChnl(L2CAP_SMP_CID, p_cb->pairing_bda); 882 } 883 884 /******************************************************************************* 885 * 886 * Function smp_reset_control_value 887 * 888 * Description This function is called to reset the control block value 889 * when the pairing procedure finished. 890 * 891 * 892 * Returns void 893 * 894 ******************************************************************************/ 895 void smp_reset_control_value(tSMP_CB* p_cb) { 896 SMP_TRACE_EVENT("%s", __func__); 897 898 alarm_cancel(p_cb->smp_rsp_timer_ent); 899 p_cb->flags = 0; 900 /* set the link idle timer to drop the link when pairing is done 901 usually service discovery will follow authentication complete, to avoid 902 racing condition for a link down/up, set link idle timer to be 903 SMP_LINK_TOUT_MIN to guarantee SMP key exchange */ 904 L2CA_SetIdleTimeoutByBdAddr(p_cb->pairing_bda, SMP_LINK_TOUT_MIN, 905 BT_TRANSPORT_LE); 906 907 /* We can tell L2CAP to remove the fixed channel (if it has one) */ 908 smp_remove_fixed_channel(p_cb); 909 smp_cb_cleanup(p_cb); 910 } 911 912 /******************************************************************************* 913 * 914 * Function smp_proc_pairing_cmpl 915 * 916 * Description This function is called to process pairing complete 917 * 918 * 919 * Returns void 920 * 921 ******************************************************************************/ 922 void smp_proc_pairing_cmpl(tSMP_CB* p_cb) { 923 tSMP_EVT_DATA evt_data = {0}; 924 tSMP_CALLBACK* p_callback = p_cb->p_callback; 925 926 SMP_TRACE_DEBUG("%s: pairing_bda=%s", __func__, 927 p_cb->pairing_bda.ToString().c_str()); 928 929 evt_data.cmplt.reason = p_cb->status; 930 evt_data.cmplt.smp_over_br = p_cb->smp_over_br; 931 932 if (p_cb->status == SMP_SUCCESS) evt_data.cmplt.sec_level = p_cb->sec_level; 933 934 evt_data.cmplt.is_pair_cancel = false; 935 936 if (p_cb->is_pair_cancel) evt_data.cmplt.is_pair_cancel = true; 937 938 SMP_TRACE_DEBUG("send SMP_COMPLT_EVT reason=0x%0x sec_level=0x%0x", 939 evt_data.cmplt.reason, evt_data.cmplt.sec_level); 940 941 RawAddress pairing_bda = p_cb->pairing_bda; 942 943 smp_reset_control_value(p_cb); 944 945 if (p_callback) (*p_callback)(SMP_COMPLT_EVT, pairing_bda, &evt_data); 946 } 947 948 /******************************************************************************* 949 * 950 * Function smp_command_has_invalid_parameters 951 * 952 * Description Checks if the received SMP command has invalid parameters 953 * i.e. if the command length is valid and the command 954 * parameters are inside specified range. 955 * It returns true if the command has invalid parameters. 956 * 957 * Returns true if the command has invalid parameters, false otherwise. 958 * 959 ******************************************************************************/ 960 bool smp_command_has_invalid_parameters(tSMP_CB* p_cb) { 961 uint8_t cmd_code = p_cb->rcvd_cmd_code; 962 963 if ((cmd_code > (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */)) || 964 (cmd_code < SMP_OPCODE_MIN)) { 965 SMP_TRACE_WARNING("%s: Received command with RESERVED code 0x%02x", 966 __func__, cmd_code); 967 return true; 968 } 969 970 if (!(*smp_cmd_len_is_valid[cmd_code])(p_cb)) { 971 SMP_TRACE_WARNING("%s: Command length not valid for cmd_code 0x%02x", 972 __func__, cmd_code); 973 return true; 974 } 975 976 if (!(*smp_cmd_param_ranges_are_valid[cmd_code])(p_cb)) { 977 SMP_TRACE_WARNING("%s: Parameter ranges not valid code 0x%02x", __func__, 978 cmd_code); 979 return true; 980 } 981 982 return false; 983 } 984 985 /******************************************************************************* 986 * 987 * Function smp_command_has_valid_fixed_length 988 * 989 * Description Checks if the received command size is equal to the size 990 * according to specs. 991 * 992 * Returns true if the command size is as expected, false otherwise. 993 * 994 * Note The command is expected to have fixed length. 995 ******************************************************************************/ 996 bool smp_command_has_valid_fixed_length(tSMP_CB* p_cb) { 997 uint8_t cmd_code = p_cb->rcvd_cmd_code; 998 999 SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, cmd_code); 1000 1001 if (p_cb->rcvd_cmd_len != smp_cmd_size_per_spec[cmd_code]) { 1002 SMP_TRACE_WARNING( 1003 "Rcvd from the peer cmd 0x%02x with invalid length " 1004 "0x%02x (per spec the length is 0x%02x).", 1005 cmd_code, p_cb->rcvd_cmd_len, smp_cmd_size_per_spec[cmd_code]); 1006 return false; 1007 } 1008 1009 return true; 1010 } 1011 1012 /******************************************************************************* 1013 * 1014 * Function smp_pairing_request_response_parameters_are_valid 1015 * 1016 * Description Validates parameter ranges in the received SMP command 1017 * pairing request or pairing response. 1018 * The parameters to validate: 1019 * IO capability, 1020 * OOB data flag, 1021 * Bonding_flags in AuthReq 1022 * Maximum encryption key size. 1023 * Returns false if at least one of these parameters is out of 1024 * range. 1025 * 1026 ******************************************************************************/ 1027 bool smp_pairing_request_response_parameters_are_valid(tSMP_CB* p_cb) { 1028 uint8_t io_caps = p_cb->peer_io_caps; 1029 uint8_t oob_flag = p_cb->peer_oob_flag; 1030 uint8_t bond_flag = 1031 p_cb->peer_auth_req & 0x03; // 0x03 is gen bond with appropriate mask 1032 uint8_t enc_size = p_cb->peer_enc_size; 1033 1034 SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, p_cb->rcvd_cmd_code); 1035 1036 if (io_caps >= BTM_IO_CAP_MAX) { 1037 SMP_TRACE_WARNING( 1038 "Rcvd from the peer cmd 0x%02x with IO Capability " 1039 "value (0x%02x) out of range).", 1040 p_cb->rcvd_cmd_code, io_caps); 1041 return false; 1042 } 1043 1044 if (!((oob_flag == SMP_OOB_NONE) || (oob_flag == SMP_OOB_PRESENT))) { 1045 SMP_TRACE_WARNING( 1046 "Rcvd from the peer cmd 0x%02x with OOB data flag value " 1047 "(0x%02x) out of range).", 1048 p_cb->rcvd_cmd_code, oob_flag); 1049 return false; 1050 } 1051 1052 if (!((bond_flag == SMP_AUTH_NO_BOND) || (bond_flag == SMP_AUTH_BOND))) { 1053 SMP_TRACE_WARNING( 1054 "Rcvd from the peer cmd 0x%02x with Bonding_Flags value (0x%02x) " 1055 "out of range).", 1056 p_cb->rcvd_cmd_code, bond_flag); 1057 return false; 1058 } 1059 1060 if ((enc_size < SMP_ENCR_KEY_SIZE_MIN) || 1061 (enc_size > SMP_ENCR_KEY_SIZE_MAX)) { 1062 SMP_TRACE_WARNING( 1063 "Rcvd from the peer cmd 0x%02x with Maximum Encryption " 1064 "Key value (0x%02x) out of range).", 1065 p_cb->rcvd_cmd_code, enc_size); 1066 return false; 1067 } 1068 1069 return true; 1070 } 1071 1072 /******************************************************************************* 1073 * 1074 * Function smp_pairing_keypress_notification_is_valid 1075 * 1076 * Description Validates Notification Type parameter range in the received 1077 * SMP command pairing keypress notification. 1078 * Returns false if this parameter is out of range. 1079 * 1080 ******************************************************************************/ 1081 bool smp_pairing_keypress_notification_is_valid(tSMP_CB* p_cb) { 1082 tBTM_SP_KEY_TYPE keypress_notification = p_cb->peer_keypress_notification; 1083 1084 SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, p_cb->rcvd_cmd_code); 1085 1086 if (keypress_notification >= BTM_SP_KEY_OUT_OF_RANGE) { 1087 SMP_TRACE_WARNING( 1088 "Rcvd from the peer cmd 0x%02x with Pairing Keypress " 1089 "Notification value (0x%02x) out of range).", 1090 p_cb->rcvd_cmd_code, keypress_notification); 1091 return false; 1092 } 1093 1094 return true; 1095 } 1096 1097 /******************************************************************************* 1098 * 1099 * Function smp_parameter_unconditionally_valid 1100 * 1101 * Description Always returns true. 1102 * 1103 ******************************************************************************/ 1104 bool smp_parameter_unconditionally_valid(UNUSED_ATTR tSMP_CB* p_cb) { 1105 return true; 1106 } 1107 1108 /******************************************************************************* 1109 * 1110 * Function smp_parameter_unconditionally_invalid 1111 * 1112 * Description Always returns false. 1113 * 1114 ******************************************************************************/ 1115 bool smp_parameter_unconditionally_invalid(UNUSED_ATTR tSMP_CB* p_cb) { 1116 return false; 1117 } 1118 1119 /******************************************************************************* 1120 * 1121 * Function smp_reject_unexpected_pairing_command 1122 * 1123 * Description send pairing failure to an unexpected pairing command during 1124 * an active pairing process. 1125 * 1126 * Returns void 1127 * 1128 ******************************************************************************/ 1129 void smp_reject_unexpected_pairing_command(const RawAddress& bd_addr) { 1130 uint8_t* p; 1131 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_FAIL_SIZE + 1132 L2CAP_MIN_OFFSET); 1133 1134 SMP_TRACE_DEBUG("%s", __func__); 1135 1136 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; 1137 UINT8_TO_STREAM(p, SMP_OPCODE_PAIRING_FAILED); 1138 UINT8_TO_STREAM(p, SMP_PAIR_NOT_SUPPORT); 1139 1140 p_buf->offset = L2CAP_MIN_OFFSET; 1141 p_buf->len = SMP_PAIR_FAIL_SIZE; 1142 1143 smp_send_msg_to_L2CAP(bd_addr, p_buf); 1144 } 1145 1146 /******************************************************************************* 1147 * Function smp_select_association_model 1148 * 1149 * Description This function selects association model to use for STK 1150 * generation. Selection is based on both sides' io capability, 1151 * oob data flag and authentication request. 1152 * 1153 * Note If Secure Connections Only mode is required locally then we 1154 * come to this point only if both sides support Secure 1155 * Connections mode, i.e. 1156 * if p_cb->secure_connections_only_mode_required = true 1157 * then we come to this point only if 1158 * (p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT) == 1159 * (p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) == 1160 * SMP_SC_SUPPORT_BIT 1161 * 1162 ******************************************************************************/ 1163 tSMP_ASSO_MODEL smp_select_association_model(tSMP_CB* p_cb) { 1164 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE; 1165 p_cb->le_secure_connections_mode_is_used = false; 1166 1167 SMP_TRACE_EVENT("%s", __func__); 1168 SMP_TRACE_DEBUG("%s p_cb->peer_io_caps = %d p_cb->local_io_capability = %d", 1169 __func__, p_cb->peer_io_caps, p_cb->local_io_capability); 1170 SMP_TRACE_DEBUG("%s p_cb->peer_oob_flag = %d p_cb->loc_oob_flag = %d", 1171 __func__, p_cb->peer_oob_flag, p_cb->loc_oob_flag); 1172 SMP_TRACE_DEBUG("%s p_cb->peer_auth_req = 0x%02x p_cb->loc_auth_req = 0x%02x", 1173 __func__, p_cb->peer_auth_req, p_cb->loc_auth_req); 1174 SMP_TRACE_DEBUG( 1175 "%s p_cb->secure_connections_only_mode_required = %s", __func__, 1176 p_cb->secure_connections_only_mode_required ? "true" : "false"); 1177 1178 if ((p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT) && 1179 (p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT)) { 1180 p_cb->le_secure_connections_mode_is_used = true; 1181 } 1182 1183 if ((p_cb->peer_auth_req & SMP_H7_SUPPORT_BIT) && 1184 (p_cb->loc_auth_req & SMP_H7_SUPPORT_BIT)) { 1185 p_cb->key_derivation_h7_used = TRUE; 1186 } 1187 1188 SMP_TRACE_DEBUG("use_sc_process = %d, h7 use = %d", 1189 p_cb->le_secure_connections_mode_is_used, 1190 p_cb->key_derivation_h7_used); 1191 1192 if (p_cb->le_secure_connections_mode_is_used) { 1193 model = smp_select_association_model_secure_connections(p_cb); 1194 } else { 1195 model = smp_select_legacy_association_model(p_cb); 1196 } 1197 return model; 1198 } 1199 1200 /******************************************************************************* 1201 * Function smp_select_legacy_association_model 1202 * 1203 * Description This function is called to select association mode if at 1204 * least one side doesn't support secure connections. 1205 * 1206 ******************************************************************************/ 1207 tSMP_ASSO_MODEL smp_select_legacy_association_model(tSMP_CB* p_cb) { 1208 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE; 1209 1210 SMP_TRACE_DEBUG("%s", __func__); 1211 /* if OOB data is present on both devices, then use OOB association model */ 1212 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT && 1213 p_cb->loc_oob_flag == SMP_OOB_PRESENT) 1214 return SMP_MODEL_OOB; 1215 1216 /* else if neither device requires MITM, then use Just Works association model 1217 */ 1218 if (SMP_NO_MITM_REQUIRED(p_cb->peer_auth_req) && 1219 SMP_NO_MITM_REQUIRED(p_cb->loc_auth_req)) 1220 return SMP_MODEL_ENCRYPTION_ONLY; 1221 1222 /* otherwise use IO capability to select association model */ 1223 if (p_cb->peer_io_caps < SMP_IO_CAP_MAX && 1224 p_cb->local_io_capability < SMP_IO_CAP_MAX) { 1225 if (p_cb->role == HCI_ROLE_MASTER) { 1226 model = smp_association_table[p_cb->role][p_cb->peer_io_caps] 1227 [p_cb->local_io_capability]; 1228 } else { 1229 model = smp_association_table[p_cb->role][p_cb->local_io_capability] 1230 [p_cb->peer_io_caps]; 1231 } 1232 } 1233 1234 return model; 1235 } 1236 1237 /******************************************************************************* 1238 * Function smp_select_association_model_secure_connections 1239 * 1240 * Description This function is called to select association mode if both 1241 * sides support secure connections. 1242 * 1243 ******************************************************************************/ 1244 tSMP_ASSO_MODEL smp_select_association_model_secure_connections(tSMP_CB* p_cb) { 1245 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE; 1246 1247 SMP_TRACE_DEBUG("%s", __func__); 1248 /* if OOB data is present on at least one device, then use OOB association 1249 * model */ 1250 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT || 1251 p_cb->loc_oob_flag == SMP_OOB_PRESENT) 1252 return SMP_MODEL_SEC_CONN_OOB; 1253 1254 /* else if neither device requires MITM, then use Just Works association model 1255 */ 1256 if (SMP_NO_MITM_REQUIRED(p_cb->peer_auth_req) && 1257 SMP_NO_MITM_REQUIRED(p_cb->loc_auth_req)) 1258 return SMP_MODEL_SEC_CONN_JUSTWORKS; 1259 1260 /* otherwise use IO capability to select association model */ 1261 if (p_cb->peer_io_caps < SMP_IO_CAP_MAX && 1262 p_cb->local_io_capability < SMP_IO_CAP_MAX) { 1263 if (p_cb->role == HCI_ROLE_MASTER) { 1264 model = smp_association_table_sc[p_cb->role][p_cb->peer_io_caps] 1265 [p_cb->local_io_capability]; 1266 } else { 1267 model = smp_association_table_sc[p_cb->role][p_cb->local_io_capability] 1268 [p_cb->peer_io_caps]; 1269 } 1270 } 1271 1272 return model; 1273 } 1274 1275 /******************************************************************************* 1276 * Function smp_reverse_array 1277 * 1278 * Description This function reverses array bytes 1279 * 1280 ******************************************************************************/ 1281 void smp_reverse_array(uint8_t* arr, uint8_t len) { 1282 uint8_t i = 0, tmp; 1283 1284 SMP_TRACE_DEBUG("smp_reverse_array"); 1285 1286 for (i = 0; i < len / 2; i++) { 1287 tmp = arr[i]; 1288 arr[i] = arr[len - 1 - i]; 1289 arr[len - 1 - i] = tmp; 1290 } 1291 } 1292 1293 /******************************************************************************* 1294 * Function smp_calculate_random_input 1295 * 1296 * Description This function returns random input value to be used in 1297 * commitment calculation for SC passkey entry association mode 1298 * (if bit["round"] in "random" array == 1 then returns 0x81 1299 * else returns 0x80). 1300 * 1301 * Returns ri value 1302 * 1303 ******************************************************************************/ 1304 uint8_t smp_calculate_random_input(uint8_t* random, uint8_t round) { 1305 uint8_t i = round / 8; 1306 uint8_t j = round % 8; 1307 uint8_t ri; 1308 1309 SMP_TRACE_DEBUG("random: 0x%02x, round: %d, i: %d, j: %d", random[i], round, 1310 i, j); 1311 ri = ((random[i] >> j) & 1) | 0x80; 1312 SMP_TRACE_DEBUG("%s ri=0x%02x", __func__, ri); 1313 return ri; 1314 } 1315 1316 /******************************************************************************* 1317 * Function smp_collect_local_io_capabilities 1318 * 1319 * Description This function puts into IOcap array local device 1320 * IOCapability, OOB data, AuthReq. 1321 * 1322 * Returns void 1323 * 1324 ******************************************************************************/ 1325 void smp_collect_local_io_capabilities(uint8_t* iocap, tSMP_CB* p_cb) { 1326 SMP_TRACE_DEBUG("%s", __func__); 1327 1328 iocap[0] = p_cb->local_io_capability; 1329 iocap[1] = p_cb->loc_oob_flag; 1330 iocap[2] = p_cb->loc_auth_req; 1331 } 1332 1333 /******************************************************************************* 1334 * Function smp_collect_peer_io_capabilities 1335 * 1336 * Description This function puts into IOcap array peer device 1337 * IOCapability, OOB data, AuthReq. 1338 * 1339 * Returns void 1340 * 1341 ******************************************************************************/ 1342 void smp_collect_peer_io_capabilities(uint8_t* iocap, tSMP_CB* p_cb) { 1343 SMP_TRACE_DEBUG("%s", __func__); 1344 1345 iocap[0] = p_cb->peer_io_caps; 1346 iocap[1] = p_cb->peer_oob_flag; 1347 iocap[2] = p_cb->peer_auth_req; 1348 } 1349 1350 /******************************************************************************* 1351 * Function smp_collect_local_ble_address 1352 * 1353 * Description Put the the local device LE address into the le_addr array: 1354 * le_addr[0-5] = local BD ADDR, 1355 * le_addr[6] = local le address type (PUBLIC/RANDOM). 1356 * 1357 * Returns void 1358 * 1359 ******************************************************************************/ 1360 void smp_collect_local_ble_address(uint8_t* le_addr, tSMP_CB* p_cb) { 1361 tBLE_ADDR_TYPE addr_type = 0; 1362 RawAddress bda; 1363 uint8_t* p = le_addr; 1364 1365 SMP_TRACE_DEBUG("%s", __func__); 1366 1367 BTM_ReadConnectionAddr(p_cb->pairing_bda, bda, &addr_type); 1368 BDADDR_TO_STREAM(p, bda); 1369 UINT8_TO_STREAM(p, addr_type); 1370 } 1371 1372 /******************************************************************************* 1373 * Function smp_collect_peer_ble_address 1374 * 1375 * Description Put the peer device LE addr into the le_addr array: 1376 * le_addr[0-5] = peer BD ADDR, 1377 * le_addr[6] = peer le address type (PUBLIC/RANDOM). 1378 * 1379 * Returns void 1380 * 1381 ******************************************************************************/ 1382 void smp_collect_peer_ble_address(uint8_t* le_addr, tSMP_CB* p_cb) { 1383 tBLE_ADDR_TYPE addr_type = 0; 1384 RawAddress bda; 1385 uint8_t* p = le_addr; 1386 1387 SMP_TRACE_DEBUG("%s", __func__); 1388 1389 if (!BTM_ReadRemoteConnectionAddr(p_cb->pairing_bda, bda, &addr_type)) { 1390 SMP_TRACE_ERROR( 1391 "can not collect peer le addr information for unknown device"); 1392 return; 1393 } 1394 1395 BDADDR_TO_STREAM(p, bda); 1396 UINT8_TO_STREAM(p, addr_type); 1397 } 1398 1399 /******************************************************************************* 1400 * Function smp_check_commitment 1401 * 1402 * Description This function compares peer commitment values: 1403 * - expected (i.e. calculated locally), 1404 * - received from the peer. 1405 * 1406 * Returns true if the values are the same 1407 * false otherwise 1408 * 1409 ******************************************************************************/ 1410 bool smp_check_commitment(tSMP_CB* p_cb) { 1411 BT_OCTET16 expected; 1412 1413 SMP_TRACE_DEBUG("%s", __func__); 1414 1415 smp_calculate_peer_commitment(p_cb, expected); 1416 print128(expected, (const uint8_t*)"calculated peer commitment"); 1417 print128(p_cb->remote_commitment, (const uint8_t*)"received peer commitment"); 1418 1419 if (memcmp(p_cb->remote_commitment, expected, BT_OCTET16_LEN)) { 1420 SMP_TRACE_WARNING("%s: Commitment check fails", __func__); 1421 return false; 1422 } 1423 1424 SMP_TRACE_DEBUG("%s: Commitment check succeeds", __func__); 1425 return true; 1426 } 1427 1428 /******************************************************************************* 1429 * 1430 * Function smp_save_secure_connections_long_term_key 1431 * 1432 * Description The function saves SC LTK as BLE key for future use as local 1433 * and/or peer key. 1434 * 1435 * Returns void 1436 * 1437 ******************************************************************************/ 1438 void smp_save_secure_connections_long_term_key(tSMP_CB* p_cb) { 1439 tBTM_LE_LENC_KEYS lle_key; 1440 tBTM_LE_PENC_KEYS ple_key; 1441 1442 SMP_TRACE_DEBUG("%s-Save LTK as local LTK key", __func__); 1443 memcpy(lle_key.ltk, p_cb->ltk, BT_OCTET16_LEN); 1444 lle_key.div = 0; 1445 lle_key.key_size = p_cb->loc_enc_size; 1446 lle_key.sec_level = p_cb->sec_level; 1447 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC, 1448 (tBTM_LE_KEY_VALUE*)&lle_key, true); 1449 1450 SMP_TRACE_DEBUG("%s-Save LTK as peer LTK key", __func__); 1451 ple_key.ediv = 0; 1452 memset(ple_key.rand, 0, BT_OCTET8_LEN); 1453 memcpy(ple_key.ltk, p_cb->ltk, BT_OCTET16_LEN); 1454 ple_key.sec_level = p_cb->sec_level; 1455 ple_key.key_size = p_cb->loc_enc_size; 1456 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC, 1457 (tBTM_LE_KEY_VALUE*)&ple_key, true); 1458 } 1459 1460 /******************************************************************************* 1461 * 1462 * Function smp_calculate_f5_mackey_and_long_term_key 1463 * 1464 * Description The function calculates MacKey and LTK and saves them in CB. 1465 * To calculate MacKey and LTK it calls smp_calc_f5(...). 1466 * MacKey is used in dhkey calculation, LTK is used to encrypt 1467 * the link. 1468 * 1469 * Returns false if out of resources, true otherwise. 1470 * 1471 ******************************************************************************/ 1472 bool smp_calculate_f5_mackey_and_long_term_key(tSMP_CB* p_cb) { 1473 uint8_t a[7]; 1474 uint8_t b[7]; 1475 uint8_t* p_na; 1476 uint8_t* p_nb; 1477 1478 SMP_TRACE_DEBUG("%s", __func__); 1479 1480 if (p_cb->role == HCI_ROLE_MASTER) { 1481 smp_collect_local_ble_address(a, p_cb); 1482 smp_collect_peer_ble_address(b, p_cb); 1483 p_na = p_cb->rand; 1484 p_nb = p_cb->rrand; 1485 } else { 1486 smp_collect_local_ble_address(b, p_cb); 1487 smp_collect_peer_ble_address(a, p_cb); 1488 p_na = p_cb->rrand; 1489 p_nb = p_cb->rand; 1490 } 1491 1492 if (!smp_calculate_f5(p_cb->dhkey, p_na, p_nb, a, b, p_cb->mac_key, 1493 p_cb->ltk)) { 1494 SMP_TRACE_ERROR("%s failed", __func__); 1495 return false; 1496 } 1497 1498 SMP_TRACE_EVENT("%s is completed", __func__); 1499 return true; 1500 } 1501 1502 /******************************************************************************* 1503 * 1504 * Function smp_request_oob_data 1505 * 1506 * Description Requests application to provide OOB data. 1507 * 1508 * Returns true - OOB data has to be provided by application 1509 * false - otherwise (unexpected) 1510 * 1511 ******************************************************************************/ 1512 bool smp_request_oob_data(tSMP_CB* p_cb) { 1513 tSMP_OOB_DATA_TYPE req_oob_type = SMP_OOB_INVALID_TYPE; 1514 1515 SMP_TRACE_DEBUG("%s", __func__); 1516 1517 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT && 1518 p_cb->loc_oob_flag == SMP_OOB_PRESENT) { 1519 /* both local and peer rcvd data OOB */ 1520 req_oob_type = SMP_OOB_BOTH; 1521 } else if (p_cb->peer_oob_flag == SMP_OOB_PRESENT) { 1522 /* peer rcvd OOB local data, local didn't receive OOB peer data */ 1523 req_oob_type = SMP_OOB_LOCAL; 1524 } else if (p_cb->loc_oob_flag == SMP_OOB_PRESENT) { 1525 req_oob_type = SMP_OOB_PEER; 1526 } 1527 1528 SMP_TRACE_DEBUG("req_oob_type = %d", req_oob_type); 1529 1530 if (req_oob_type == SMP_OOB_INVALID_TYPE) return false; 1531 1532 p_cb->req_oob_type = req_oob_type; 1533 p_cb->cb_evt = SMP_SC_OOB_REQ_EVT; 1534 tSMP_INT_DATA smp_int_data; 1535 smp_int_data.req_oob_type = req_oob_type; 1536 smp_sm_event(p_cb, SMP_TK_REQ_EVT, &smp_int_data); 1537 1538 return true; 1539 } 1540