1 /******************************************************************************
2 *
3 * Copyright (C) 2003-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 #include <string.h>
20 #include "device/interop.h"
21 #include "common/bt_target.h"
22 #include "btm_int.h"
23 #include "stack/l2c_api.h"
24 #include "smp_int.h"
25 #include "p_256_ecc_pp.h"
26 //#include "utils/include/bt_utils.h"
27
28 #if SMP_INCLUDED == TRUE
29 const UINT8 smp_association_table[2][SMP_IO_CAP_MAX][SMP_IO_CAP_MAX] = {
30 /* initiator */
31 { {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY}, /* Display Only */
32 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY}, /* SMP_CAP_IO = 1 */
33 {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF}, /* keyboard only */
34 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY},/* No Input No Output */
35 {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF}
36 }, /* keyboard display */
37 /* responder */
38 { {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF}, /* Display Only */
39 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF}, /* SMP_CAP_IO = 1 */
40 {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY}, /* keyboard only */
41 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY},/* No Input No Output */
42 {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_KEY_NOTIF, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY}
43 } /* keyboard display */
44 /* display only */ /*SMP_CAP_IO = 1 */ /* keyboard only */ /* No InputOutput */ /* keyboard display */
45 };
46
47 #define SMP_KEY_DIST_TYPE_MAX 4
48 const tSMP_ACT smp_distribute_act [] = {
49 #if (BLE_INCLUDED == TRUE)
50 smp_generate_ltk,
51 smp_send_id_info,
52 smp_generate_csrk,
53 smp_set_derive_link_key
54 #else
55 NULL,
56 NULL,
57 NULL,
58 NULL
59 #endif ///BLE_INCLUDED == TRUE
60 };
61
62 extern UINT8 bta_dm_co_ble_get_accept_auth_enable(void);
63 extern UINT8 bta_dm_co_ble_get_auth_req(void);
64
lmp_version_below(BD_ADDR bda,uint8_t version)65 static bool lmp_version_below(BD_ADDR bda, uint8_t version)
66 {
67 tACL_CONN *acl = btm_bda_to_acl(bda, BT_TRANSPORT_LE);
68 if (acl == NULL || acl->lmp_version == 0) {
69 SMP_TRACE_WARNING("%s cannot retrieve LMP version...", __func__);
70 return false;
71 }
72 SMP_TRACE_DEBUG("%s LMP version %d < %d", __func__, acl->lmp_version, version);
73 return acl->lmp_version < version;
74 }
75
76 /*******************************************************************************
77 ** Function smp_update_key_mask
78 ** Description This function updates the key mask for sending or receiving.
79 *******************************************************************************/
smp_update_key_mask(tSMP_CB * p_cb,UINT8 key_type,BOOLEAN recv)80 static void smp_update_key_mask (tSMP_CB *p_cb, UINT8 key_type, BOOLEAN recv)
81 {
82 SMP_TRACE_DEBUG("%s before update role=%d recv=%d local_i_key = %02x, local_r_key = %02x\n",
83 __func__, p_cb->role, recv, p_cb->local_i_key, p_cb->local_r_key);
84
85 if (((p_cb->le_secure_connections_mode_is_used) ||
86 (p_cb->smp_over_br)) &&
87 ((key_type == SMP_SEC_KEY_TYPE_ENC) || (key_type == SMP_SEC_KEY_TYPE_LK))) {
88 /* in LE SC mode LTK, CSRK and BR/EDR LK are derived locally instead of
89 ** being exchanged with the peer */
90 p_cb->local_i_key &= ~key_type;
91 p_cb->local_r_key &= ~key_type;
92 } else if (p_cb->role == HCI_ROLE_SLAVE) {
93 if (recv) {
94 p_cb->local_i_key &= ~key_type;
95 } else {
96 p_cb->local_r_key &= ~key_type;
97 }
98 } else {
99 if (recv) {
100 p_cb->local_r_key &= ~key_type;
101 } else {
102 p_cb->local_i_key &= ~key_type;
103 }
104 }
105
106 SMP_TRACE_DEBUG("updated local_i_key = %02x, local_r_key = %02x\n", p_cb->local_i_key,
107 p_cb->local_r_key);
108 }
109
110 /*******************************************************************************
111 ** Function smp_send_app_cback
112 ** Description notifies application about the events the application is interested in
113 *******************************************************************************/
smp_send_app_cback(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)114 void smp_send_app_cback(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
115 {
116 tSMP_EVT_DATA cb_data;
117 tSMP_STATUS callback_rc;
118 SMP_TRACE_DEBUG("%s p_cb->cb_evt=%d\n", __func__, p_cb->cb_evt);
119 if (p_cb->p_callback && p_cb->cb_evt != 0) {
120 switch (p_cb->cb_evt) {
121 case SMP_IO_CAP_REQ_EVT:
122 cb_data.io_req.auth_req = p_cb->peer_auth_req;
123 cb_data.io_req.oob_data = SMP_OOB_NONE;
124 cb_data.io_req.io_cap = SMP_DEFAULT_IO_CAPS;
125 cb_data.io_req.max_key_size = SMP_MAX_ENC_KEY_SIZE;
126 cb_data.io_req.init_keys = p_cb->local_i_key ;
127 cb_data.io_req.resp_keys = p_cb->local_r_key ;
128 SMP_TRACE_DEBUG ( "io_cap = %d", cb_data.io_req.io_cap);
129 break;
130
131 case SMP_NC_REQ_EVT:
132 cb_data.passkey = p_data->passkey;
133 break;
134 case SMP_SC_OOB_REQ_EVT:
135 cb_data.req_oob_type = p_data->req_oob_type;
136 break;
137 case SMP_SC_LOC_OOB_DATA_UP_EVT:
138 cb_data.loc_oob_data = p_cb->sc_oob_data.loc_oob_data;
139 break;
140
141 case SMP_BR_KEYS_REQ_EVT:
142 cb_data.io_req.auth_req = 0;
143 cb_data.io_req.oob_data = SMP_OOB_NONE;
144 cb_data.io_req.io_cap = 0;
145 cb_data.io_req.max_key_size = SMP_MAX_ENC_KEY_SIZE;
146 cb_data.io_req.init_keys = SMP_BR_SEC_DEFAULT_KEY;
147 cb_data.io_req.resp_keys = SMP_BR_SEC_DEFAULT_KEY;
148 break;
149
150 default:
151 break;
152 }
153
154 callback_rc = (*p_cb->p_callback)(p_cb->cb_evt, p_cb->pairing_bda, &cb_data);
155
156 SMP_TRACE_DEBUG("callback_rc=%d p_cb->cb_evt=%d\n", callback_rc, p_cb->cb_evt );
157
158 if (callback_rc == SMP_SUCCESS) {
159 switch (p_cb->cb_evt) {
160 case SMP_IO_CAP_REQ_EVT:
161 p_cb->loc_auth_req = cb_data.io_req.auth_req;
162 p_cb->local_io_capability = cb_data.io_req.io_cap;
163 p_cb->loc_oob_flag = cb_data.io_req.oob_data;
164 p_cb->loc_enc_size = cb_data.io_req.max_key_size;
165 p_cb->local_i_key = cb_data.io_req.init_keys;
166 p_cb->local_r_key = cb_data.io_req.resp_keys;
167
168 if (!(p_cb->loc_auth_req & SMP_AUTH_BOND)) {
169 SMP_TRACE_WARNING ("Non bonding: No keys will be exchanged");
170 p_cb->local_i_key = 0;
171 p_cb->local_r_key = 0;
172 }
173
174 SMP_TRACE_DEBUG ("rcvd auth_req: 0x%02x, io_cap: %d \
175 loc_oob_flag: %d loc_enc_size: %d,"
176 "local_i_key: 0x%02x, local_r_key: 0x%02x\n",
177 p_cb->loc_auth_req, p_cb->local_io_capability, p_cb->loc_oob_flag,
178 p_cb->loc_enc_size, p_cb->local_i_key, p_cb->local_r_key);
179
180 p_cb->secure_connections_only_mode_required =
181 (btm_cb.security_mode == BTM_SEC_MODE_SC) ? TRUE : FALSE;
182
183 if (p_cb->secure_connections_only_mode_required) {
184 p_cb->loc_auth_req |= SMP_SC_SUPPORT_BIT;
185 }
186
187 if (!(p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT)
188 || lmp_version_below(p_cb->pairing_bda, HCI_PROTO_VERSION_4_2)
189 || interop_match(INTEROP_DISABLE_LE_SECURE_CONNECTIONS,
190 (const bt_bdaddr_t *)&p_cb->pairing_bda)) {
191 p_cb->loc_auth_req &= ~SMP_KP_SUPPORT_BIT;
192 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
193 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
194 }
195
196 SMP_TRACE_DEBUG("set auth_req: 0x%02x, local_i_key: 0x%02x, local_r_key: 0x%02x\n",
197 p_cb->loc_auth_req, p_cb->local_i_key, p_cb->local_r_key);
198
199 smp_sm_event(p_cb, SMP_IO_RSP_EVT, NULL);
200 break;
201 #if (CLASSIC_BT_INCLUDED == TRUE)
202 case SMP_BR_KEYS_REQ_EVT:
203 p_cb->loc_enc_size = cb_data.io_req.max_key_size;
204 p_cb->local_i_key = cb_data.io_req.init_keys;
205 p_cb->local_r_key = cb_data.io_req.resp_keys;
206
207 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
208 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
209
210 SMP_TRACE_WARNING ( "for SMP over BR max_key_size: 0x%02x,\
211 local_i_key: 0x%02x, local_r_key: 0x%02x\n",
212 p_cb->loc_enc_size, p_cb->local_i_key, p_cb->local_r_key);
213
214 smp_br_state_machine_event(p_cb, SMP_BR_KEYS_RSP_EVT, NULL);
215 break;
216 #endif ///CLASSIC_BT_INCLUDED == TRUE
217 }
218 }
219 }
220
221 if (!p_cb->cb_evt && p_cb->discard_sec_req) {
222 p_cb->discard_sec_req = FALSE;
223 smp_sm_event(p_cb, SMP_DISCARD_SEC_REQ_EVT, NULL);
224 }
225
226 SMP_TRACE_DEBUG("%s return\n", __func__);
227 }
228
229 /*******************************************************************************
230 ** Function smp_send_pair_fail
231 ** Description pairing failure to peer device if needed.
232 *******************************************************************************/
smp_send_pair_fail(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)233 void smp_send_pair_fail(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
234 {
235 p_cb->status = *(UINT8 *)p_data;
236 p_cb->failure = *(UINT8 *)p_data;
237
238 SMP_TRACE_DEBUG("%s status=%d failure=%d ", __func__, p_cb->status, p_cb->failure);
239
240 if (p_cb->status <= SMP_MAX_FAIL_RSN_PER_SPEC && p_cb->status != SMP_SUCCESS) {
241 smp_send_cmd(SMP_OPCODE_PAIRING_FAILED, p_cb);
242 p_cb->wait_for_authorization_complete = TRUE;
243 }
244 }
245
246 /*******************************************************************************
247 ** Function smp_send_pair_req
248 ** Description actions related to sending pairing request
249 *******************************************************************************/
smp_send_pair_req(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)250 void smp_send_pair_req(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
251 {
252 SMP_TRACE_DEBUG("%s\n", __func__);
253
254 #if (BLE_INCLUDED == TRUE)
255 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (p_cb->pairing_bda);
256 /* erase all keys when master sends pairing req*/
257 if (p_dev_rec) {
258 btm_sec_clear_ble_keys(p_dev_rec);
259 }
260 #endif ///BLE_INCLUDED == TRUE
261 /* do not manipulate the key, let app decide,
262 leave out to BTM to mandate key distribution for bonding case */
263 smp_send_cmd(SMP_OPCODE_PAIRING_REQ, p_cb);
264 }
265
266 /*******************************************************************************
267 ** Function smp_send_pair_rsp
268 ** Description actions related to sending pairing response
269 *******************************************************************************/
smp_send_pair_rsp(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)270 void smp_send_pair_rsp(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
271 {
272 SMP_TRACE_DEBUG("%s\n", __func__);
273
274 #if (BLE_INCLUDED == TRUE)
275 p_cb->local_i_key &= p_cb->peer_i_key;
276 p_cb->local_r_key &= p_cb->peer_r_key;
277
278 if (smp_send_cmd (SMP_OPCODE_PAIRING_RSP, p_cb)) {
279 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) {
280 smp_use_oob_private_key(p_cb, NULL);
281 } else {
282 smp_decide_association_model(p_cb, NULL);
283 }
284 }
285 #endif ///BLE_INCLUDED == TRUE
286 }
287
288 /*******************************************************************************
289 ** Function smp_send_confirm
290 ** Description send confirmation to the peer
291 *******************************************************************************/
smp_send_confirm(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)292 void smp_send_confirm(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
293 {
294 SMP_TRACE_DEBUG("%s\n", __func__);
295 smp_send_cmd(SMP_OPCODE_CONFIRM, p_cb);
296 }
297
298 #if 0 //Unused
299 /*******************************************************************************
300 ** Function smp_send_init
301 ** Description process pairing initializer to slave device
302 *******************************************************************************/
303 void smp_send_init(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
304 {
305 SMP_TRACE_DEBUG("%s\n", __func__);
306 smp_send_cmd(SMP_OPCODE_INIT, p_cb);
307 }
308 #endif
309
310 /*******************************************************************************
311 ** Function smp_send_rand
312 ** Description send pairing random to the peer
313 *******************************************************************************/
smp_send_rand(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)314 void smp_send_rand(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
315 {
316 SMP_TRACE_DEBUG("%s\n", __func__);
317 smp_send_cmd(SMP_OPCODE_RAND, p_cb);
318 }
319
320 /*******************************************************************************
321 ** Function smp_send_pair_public_key
322 ** Description send pairing public key command to the peer
323 *******************************************************************************/
smp_send_pair_public_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)324 void smp_send_pair_public_key(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
325 {
326 SMP_TRACE_DEBUG("%s\n", __func__);
327 smp_send_cmd(SMP_OPCODE_PAIR_PUBLIC_KEY, p_cb);
328 }
329
330 /*******************************************************************************
331 ** Function SMP_SEND_COMMITMENT
332 ** Description send commitment command to the peer
333 *******************************************************************************/
smp_send_commitment(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)334 void smp_send_commitment(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
335 {
336 SMP_TRACE_DEBUG("%s", __func__);
337 smp_send_cmd(SMP_OPCODE_PAIR_COMMITM, p_cb);
338 }
339
340 /*******************************************************************************
341 ** Function smp_send_dhkey_check
342 ** Description send DHKey Check command to the peer
343 *******************************************************************************/
smp_send_dhkey_check(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)344 void smp_send_dhkey_check(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
345 {
346 SMP_TRACE_DEBUG("%s", __func__);
347 smp_send_cmd(SMP_OPCODE_PAIR_DHKEY_CHECK, p_cb);
348 }
349
350 /*******************************************************************************
351 ** Function smp_send_keypress_notification
352 ** Description send Keypress Notification command to the peer
353 *******************************************************************************/
smp_send_keypress_notification(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)354 void smp_send_keypress_notification(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
355 {
356 p_cb->local_keypress_notification = *(UINT8 *) p_data;
357 smp_send_cmd(SMP_OPCODE_PAIR_KEYPR_NOTIF, p_cb);
358 }
359
360 /*******************************************************************************
361 ** Function smp_send_enc_info
362 ** Description send encryption information command.
363 *******************************************************************************/
smp_send_enc_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)364 void smp_send_enc_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
365 {
366 tBTM_LE_LENC_KEYS le_key;
367
368 SMP_TRACE_DEBUG("%s p_cb->loc_enc_size = %d\n", __func__, p_cb->loc_enc_size);
369 smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_ENC, FALSE);
370
371 smp_send_cmd(SMP_OPCODE_ENCRYPT_INFO, p_cb);
372 smp_send_cmd(SMP_OPCODE_MASTER_ID, p_cb);
373
374 /* save the DIV and key size information when acting as slave device */
375 memcpy(le_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
376 le_key.div = p_cb->div;
377 le_key.key_size = p_cb->loc_enc_size;
378 le_key.sec_level = p_cb->sec_level;
379
380 #if (BLE_INCLUDED == TRUE)
381 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) && (p_cb->loc_auth_req & SMP_AUTH_BOND)) {
382 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC,
383 (tBTM_LE_KEY_VALUE *)&le_key, TRUE);
384 }
385
386 SMP_TRACE_DEBUG ("%s\n", __func__);
387
388 smp_key_distribution(p_cb, NULL);
389 #endif ///BLE_INCLUDED == TRUE
390 }
391
392 /*******************************************************************************
393 ** Function smp_send_id_info
394 ** Description send ID information command.
395 *******************************************************************************/
smp_send_id_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)396 void smp_send_id_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
397 {
398 SMP_TRACE_DEBUG("%s\n", __func__);
399 smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_ID, FALSE);
400
401 smp_send_cmd(SMP_OPCODE_IDENTITY_INFO, p_cb);
402 smp_send_cmd(SMP_OPCODE_ID_ADDR, p_cb);
403
404 #if (BLE_INCLUDED == TRUE)
405 tBTM_LE_KEY_VALUE le_key;
406 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) && (p_cb->loc_auth_req & SMP_AUTH_BOND)) {
407 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LID,
408 &le_key, TRUE);
409 }
410 #endif ///BLE_INCLUDED == TRUE
411
412 smp_key_distribution_by_transport(p_cb, NULL);
413 }
414
415 #if (BLE_INCLUDED == TRUE)
416 /*******************************************************************************
417 ** Function smp_send_csrk_info
418 ** Description send CSRK command.
419 *******************************************************************************/
smp_send_csrk_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)420 void smp_send_csrk_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
421 {
422 tBTM_LE_LCSRK_KEYS key;
423 SMP_TRACE_DEBUG("%s\n", __func__);
424 smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_CSRK, FALSE);
425
426 if (smp_send_cmd(SMP_OPCODE_SIGN_INFO, p_cb)) {
427 key.div = p_cb->div;
428 key.sec_level = p_cb->sec_level;
429 key.counter = 0; /* initialize the local counter */
430 memcpy (key.csrk, p_cb->csrk, BT_OCTET16_LEN);
431 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LCSRK, (tBTM_LE_KEY_VALUE *)&key, TRUE);
432 }
433
434 smp_key_distribution_by_transport(p_cb, NULL);
435 }
436
437 /*******************************************************************************
438 ** Function smp_send_ltk_reply
439 ** Description send LTK reply
440 *******************************************************************************/
smp_send_ltk_reply(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)441 void smp_send_ltk_reply(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
442 {
443 SMP_TRACE_DEBUG("%s", __func__);
444 /* send stk as LTK response */
445 btm_ble_ltk_request_reply(p_cb->pairing_bda, TRUE, p_data->key.p_data);
446 }
447
448 /*******************************************************************************
449 ** Function smp_proc_sec_req
450 ** Description process security request.
451 *******************************************************************************/
smp_proc_sec_req(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)452 void smp_proc_sec_req(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
453 {
454 tBTM_LE_AUTH_REQ auth_req = *(tBTM_LE_AUTH_REQ *)p_data;
455 tBTM_BLE_SEC_REQ_ACT sec_req_act;
456 UINT8 reason;
457
458 SMP_TRACE_DEBUG("%s auth_req=0x%x", __func__, auth_req);
459
460 p_cb->cb_evt = 0;
461 btm_ble_link_sec_check(p_cb->pairing_bda, auth_req, &sec_req_act);
462
463 SMP_TRACE_DEBUG("%s sec_req_act=0x%x", __func__, sec_req_act);
464
465 switch (sec_req_act) {
466 case BTM_BLE_SEC_REQ_ACT_ENCRYPT:
467 SMP_TRACE_DEBUG("%s BTM_BLE_SEC_REQ_ACT_ENCRYPT", __func__);
468 smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL);
469 break;
470
471 case BTM_BLE_SEC_REQ_ACT_PAIR:
472 p_cb->secure_connections_only_mode_required =
473 (btm_cb.security_mode == BTM_SEC_MODE_SC) ? TRUE : FALSE;
474
475 /* respond to non SC pairing request as failure in SC only mode */
476 if (p_cb->secure_connections_only_mode_required &&
477 (auth_req & SMP_SC_SUPPORT_BIT) == 0) {
478 reason = SMP_PAIR_AUTH_FAIL;
479 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
480 } else {
481 /* initialize local i/r key to be default keys */
482 p_cb->peer_auth_req = auth_req;
483 p_cb->local_r_key = p_cb->local_i_key = SMP_SEC_DEFAULT_KEY ;
484 p_cb->cb_evt = SMP_SEC_REQUEST_EVT;
485 }
486 break;
487
488 case BTM_BLE_SEC_REQ_ACT_DISCARD:
489 p_cb->discard_sec_req = TRUE;
490 break;
491
492 default:
493 /* do nothing */
494 break;
495 }
496 }
497 #endif ///BLE_INCLUDED == TRUE
498
499 /*******************************************************************************
500 ** Function smp_proc_sec_grant
501 ** Description process security grant.
502 *******************************************************************************/
smp_proc_sec_grant(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)503 void smp_proc_sec_grant(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
504 {
505 UINT8 res = *(UINT8 *)p_data;
506 SMP_TRACE_DEBUG("%s", __func__);
507 if (res != SMP_SUCCESS) {
508 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, p_data);
509 } else { /*otherwise, start pairing */
510 /* send IO request callback */
511 p_cb->cb_evt = SMP_IO_CAP_REQ_EVT;
512 }
513 }
514
515 /*******************************************************************************
516 ** Function smp_proc_pair_fail
517 ** Description process pairing failure from peer device
518 *******************************************************************************/
smp_proc_pair_fail(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)519 void smp_proc_pair_fail(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
520 {
521 SMP_TRACE_DEBUG("%s", __func__);
522 p_cb->status = *(UINT8 *)p_data;
523 }
524
525 /*******************************************************************************
526 ** Function smp_get_auth_mode
527 ** Description Get the SMP pairing auth mode
528 *******************************************************************************/
smp_get_auth_mode(tSMP_ASSO_MODEL model)529 uint16_t smp_get_auth_mode (tSMP_ASSO_MODEL model)
530 {
531 SMP_TRACE_DEBUG("%s model %d", __func__, model);
532 uint16_t auth = 0;
533 if (model == SMP_MODEL_ENCRYPTION_ONLY || model == SMP_MODEL_SEC_CONN_JUSTWORKS) {
534 //No MITM
535 if(model == SMP_MODEL_SEC_CONN_JUSTWORKS) {
536 //SC SMP_SC_SUPPORT_BIT
537 auth |= SMP_SC_SUPPORT_BIT;
538 }
539 } else if (model <= SMP_MODEL_KEY_NOTIF) {
540 //NO SC, MITM
541 auth |= SMP_AUTH_YN_BIT;
542 } else if (model <= SMP_MODEL_SEC_CONN_OOB) {
543 //SC, MITM
544 auth |= SMP_SC_SUPPORT_BIT;
545 auth |= SMP_AUTH_YN_BIT;
546 } else {
547 auth = 0;
548 }
549 return auth;
550 }
551
552 #if (BLE_INCLUDED == TRUE)
553 /*******************************************************************************
554 ** Function smp_proc_pair_cmd
555 ** Description Process the SMP pairing request/response from peer device
556 *******************************************************************************/
smp_proc_pair_cmd(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)557 void smp_proc_pair_cmd(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
558 {
559 UINT8 *p = (UINT8 *)p_data;
560 UINT8 reason = SMP_ENC_KEY_SIZE;
561 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (p_cb->pairing_bda);
562
563 SMP_TRACE_DEBUG("%s\n", __func__);
564 /* erase all keys if it is slave proc pairing req*/
565 if (p_dev_rec && (p_cb->role == HCI_ROLE_SLAVE)) {
566 btm_sec_clear_ble_keys(p_dev_rec);
567 }
568
569 p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR;
570
571 STREAM_TO_UINT8(p_cb->peer_io_caps, p);
572 STREAM_TO_UINT8(p_cb->peer_oob_flag, p);
573 STREAM_TO_UINT8(p_cb->peer_auth_req, p);
574 STREAM_TO_UINT8(p_cb->peer_enc_size, p);
575 STREAM_TO_UINT8(p_cb->peer_i_key, p);
576 STREAM_TO_UINT8(p_cb->peer_r_key, p);
577
578 if (smp_command_has_invalid_parameters(p_cb)) {
579 reason = SMP_INVALID_PARAMETERS;
580 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
581 return;
582 }
583 p_cb->accept_specified_sec_auth = bta_dm_co_ble_get_accept_auth_enable();
584 p_cb->origin_loc_auth_req = bta_dm_co_ble_get_auth_req();
585 if (p_cb->role == HCI_ROLE_SLAVE) {
586 if (!(p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD)) {
587 /* peer (master) started pairing sending Pairing Request */
588 p_cb->local_i_key = p_cb->peer_i_key;
589 p_cb->local_r_key = p_cb->peer_r_key;
590
591 p_cb->cb_evt = SMP_SEC_REQUEST_EVT;
592 } else { /* update local i/r key according to pairing request */
593 /* pairing started with this side (slave) sending Security Request */
594 p_cb->local_i_key &= p_cb->peer_i_key;
595 p_cb->local_r_key &= p_cb->peer_r_key;
596 p_cb->selected_association_model = smp_select_association_model(p_cb);
597
598 if (p_cb->secure_connections_only_mode_required &&
599 (!(p_cb->le_secure_connections_mode_is_used) ||
600 (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS))) {
601 SMP_TRACE_ERROR("%s pairing failed - slave requires secure connection only mode",
602 __func__);
603 reason = SMP_PAIR_AUTH_FAIL;
604 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
605 return;
606 }
607 uint16_t auth = smp_get_auth_mode(p_cb->selected_association_model);
608 if(p_cb->peer_auth_req & p_cb->loc_auth_req & SMP_AUTH_GEN_BOND) {
609 auth |= SMP_AUTH_GEN_BOND;
610 }
611 p_cb->auth_mode = auth;
612 if (p_cb->accept_specified_sec_auth) {
613 if ((auth & p_cb->origin_loc_auth_req) != p_cb->origin_loc_auth_req ) {
614 SMP_TRACE_ERROR("%s pairing failed - slave requires auth is 0x%x but peer auth is 0x%x local auth is 0x%x",
615 __func__, p_cb->origin_loc_auth_req, p_cb->peer_auth_req, p_cb->loc_auth_req);
616 if (BTM_IsAclConnectionUp(p_cb->pairing_bda, BT_TRANSPORT_LE)) {
617 btm_remove_acl (p_cb->pairing_bda, BT_TRANSPORT_LE);
618 }
619 reason = SMP_PAIR_AUTH_FAIL;
620 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
621 return;
622 }
623 }
624
625 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB && p_cb->loc_oob_flag == SMP_OOB_PRESENT) {
626 if (smp_request_oob_data(p_cb)) {
627 return;
628 }
629 } else {
630 smp_send_pair_rsp(p_cb, NULL);
631 }
632 }
633 } else { /* Master receives pairing response */
634 p_cb->selected_association_model = smp_select_association_model(p_cb);
635
636 if (p_cb->secure_connections_only_mode_required &&
637 (!(p_cb->le_secure_connections_mode_is_used) ||
638 (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS))) {
639 SMP_TRACE_ERROR ("Master requires secure connection only mode \
640 but it can't be provided -> Master fails pairing");
641 reason = SMP_PAIR_AUTH_FAIL;
642 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
643 return;
644 }
645
646 uint16_t auth = smp_get_auth_mode(p_cb->selected_association_model);
647 if(p_cb->peer_auth_req & p_cb->loc_auth_req & SMP_AUTH_GEN_BOND) {
648 auth |= SMP_AUTH_GEN_BOND;
649 }
650 p_cb->auth_mode = auth;
651 if (p_cb->accept_specified_sec_auth) {
652 if ((auth & p_cb->origin_loc_auth_req) != p_cb->origin_loc_auth_req ) {
653 SMP_TRACE_ERROR("%s pairing failed - master requires auth is 0x%x but peer auth is 0x%x local auth is 0x%x",
654 __func__, p_cb->origin_loc_auth_req, p_cb->peer_auth_req, p_cb->loc_auth_req);
655 if (BTM_IsAclConnectionUp(p_cb->pairing_bda, BT_TRANSPORT_LE)) {
656 btm_remove_acl (p_cb->pairing_bda, BT_TRANSPORT_LE);
657 }
658 reason = SMP_PAIR_AUTH_FAIL;
659 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
660 return;
661 }
662 }
663
664 /* Only if peer oob data present, then should request peer oob data */
665 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB && p_cb->loc_oob_flag == SMP_OOB_PRESENT) {
666 if (smp_request_oob_data(p_cb)) {
667 return;
668 }
669 } else {
670 smp_decide_association_model(p_cb, NULL);
671 }
672 }
673 }
674 #endif ///BLE_INCLUDED == TRUE
675
676 /*******************************************************************************
677 ** Function smp_proc_confirm
678 ** Description process pairing confirm from peer device
679 *******************************************************************************/
smp_proc_confirm(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)680 void smp_proc_confirm(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
681 {
682 UINT8 *p = (UINT8 *)p_data;
683 UINT8 reason = SMP_INVALID_PARAMETERS;
684
685 SMP_TRACE_DEBUG("%s\n", __func__);
686
687 if (smp_command_has_invalid_parameters(p_cb)) {
688 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
689 return;
690 }
691
692 if (p != NULL) {
693 /* save the SConfirm for comparison later */
694 STREAM_TO_ARRAY(p_cb->rconfirm, p, BT_OCTET16_LEN);
695 }
696
697 p_cb->flags |= SMP_PAIR_FLAGS_CMD_CONFIRM;
698 }
699
700 #if 0 //Unused
701 /*******************************************************************************
702 ** Function smp_proc_init
703 ** Description process pairing initializer from peer device
704 *******************************************************************************/
705 void smp_proc_init(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
706 {
707 UINT8 *p = (UINT8 *)p_data;
708 UINT8 reason = SMP_INVALID_PARAMETERS;
709
710 SMP_TRACE_DEBUG("%s", __func__);
711
712 if (smp_command_has_invalid_parameters(p_cb)) {
713 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
714 return;
715 }
716
717 /* save the SRand for comparison */
718 STREAM_TO_ARRAY(p_cb->rrand, p, BT_OCTET16_LEN);
719 }
720 #endif
721
722 /*******************************************************************************
723 ** Function smp_proc_rand
724 ** Description process pairing random (nonce) from peer device
725 *******************************************************************************/
smp_proc_rand(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)726 void smp_proc_rand(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
727 {
728 UINT8 *p = (UINT8 *)p_data;
729 UINT8 reason = SMP_INVALID_PARAMETERS;
730
731 SMP_TRACE_DEBUG("%s\n", __func__);
732
733 if (smp_command_has_invalid_parameters(p_cb)) {
734 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
735 return;
736 }
737
738 /* save the SRand for comparison */
739 STREAM_TO_ARRAY(p_cb->rrand, p, BT_OCTET16_LEN);
740 }
741
742 /*******************************************************************************
743 ** Function smp_process_pairing_public_key
744 ** Description process pairing public key command from the peer device
745 ** - saves the peer public key;
746 ** - sets the flag indicating that the peer public key is received;
747 ** - calls smp_wait_for_both_public_keys(...).
748 **
749 *******************************************************************************/
smp_process_pairing_public_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)750 void smp_process_pairing_public_key(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
751 {
752 UINT8 *p = (UINT8 *)p_data;
753 UINT8 reason = SMP_INVALID_PARAMETERS;
754
755 SMP_TRACE_DEBUG("%s", __func__);
756
757 if (smp_command_has_invalid_parameters(p_cb)) {
758 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
759 return;
760 }
761
762 STREAM_TO_ARRAY(p_cb->peer_publ_key.x, p, BT_OCTET32_LEN);
763 STREAM_TO_ARRAY(p_cb->peer_publ_key.y, p, BT_OCTET32_LEN);
764
765 /* Check if the peer device's and own public key are not same. If they are same then
766 * return pairing fail. This check is needed to avoid 'Impersonation in Passkey entry
767 * protocol' vulnerability (CVE-2020-26558).*/
768 if ((memcmp(p_cb->loc_publ_key.x, p_cb->peer_publ_key.x, sizeof(BT_OCTET32)) == 0)) {
769 p_cb->status = SMP_PAIR_AUTH_FAIL;
770 p_cb->failure = SMP_PAIR_AUTH_FAIL;
771 reason = SMP_PAIR_AUTH_FAIL;
772 SMP_TRACE_ERROR("%s, Peer and own device cannot have same public key.", __func__);
773 smp_sm_event(p_cb, SMP_PAIRING_FAILED_EVT, &reason);
774 return ;
775 }
776 /* In order to prevent the x and y coordinates of the public key from being modified,
777 we need to check whether the x and y coordinates are on the given elliptic curve. */
778 if (!ECC_CheckPointIsInElliCur_P256((Point *)&p_cb->peer_publ_key)) {
779 SMP_TRACE_ERROR("%s, Invalid Public key.", __func__);
780 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
781 }
782 p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_PUBL_KEY;
783
784 smp_wait_for_both_public_keys(p_cb, NULL);
785 }
786
787 /*******************************************************************************
788 ** Function smp_process_pairing_commitment
789 ** Description process pairing commitment from peer device
790 *******************************************************************************/
smp_process_pairing_commitment(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)791 void smp_process_pairing_commitment(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
792 {
793 UINT8 *p = (UINT8 *)p_data;
794 UINT8 reason = SMP_INVALID_PARAMETERS;
795
796 SMP_TRACE_DEBUG("%s", __func__);
797
798 if (smp_command_has_invalid_parameters(p_cb)) {
799 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
800 return;
801 }
802
803 p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_COMM;
804
805 if (p != NULL) {
806 STREAM_TO_ARRAY(p_cb->remote_commitment, p, BT_OCTET16_LEN);
807 }
808 }
809
810 /*******************************************************************************
811 ** Function smp_process_dhkey_check
812 ** Description process DHKey Check from peer device
813 *******************************************************************************/
smp_process_dhkey_check(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)814 void smp_process_dhkey_check(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
815 {
816 UINT8 *p = (UINT8 *)p_data;
817 UINT8 reason = SMP_INVALID_PARAMETERS;
818
819 SMP_TRACE_DEBUG("%s", __func__);
820
821 if (smp_command_has_invalid_parameters(p_cb)) {
822 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
823 return;
824 }
825
826 if (p != NULL) {
827 STREAM_TO_ARRAY(p_cb->remote_dhkey_check, p, BT_OCTET16_LEN);
828 }
829
830 p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_DHK_CHK;
831 }
832
833 /*******************************************************************************
834 ** Function smp_process_keypress_notification
835 ** Description process pairing keypress notification from peer device
836 *******************************************************************************/
smp_process_keypress_notification(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)837 void smp_process_keypress_notification(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
838 {
839 UINT8 *p = (UINT8 *)p_data;
840 UINT8 reason = SMP_INVALID_PARAMETERS;
841
842 SMP_TRACE_DEBUG("%s", __func__);
843 p_cb->status = *(UINT8 *)p_data;
844
845 if (smp_command_has_invalid_parameters(p_cb)) {
846 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
847 return;
848 }
849
850 if (p != NULL) {
851 STREAM_TO_UINT8(p_cb->peer_keypress_notification, p);
852 } else {
853 p_cb->peer_keypress_notification = BTM_SP_KEY_OUT_OF_RANGE;
854 }
855 p_cb->cb_evt = SMP_PEER_KEYPR_NOT_EVT;
856 }
857
858 #if (CLASSIC_BT_INCLUDED == TRUE)
859 /*******************************************************************************
860 ** Function smp_br_process_pairing_command
861 ** Description Process the SMP pairing request/response from peer device via
862 ** BR/EDR transport.
863 *******************************************************************************/
smp_br_process_pairing_command(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)864 void smp_br_process_pairing_command(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
865 {
866 UINT8 *p = (UINT8 *)p_data;
867 UINT8 reason = SMP_ENC_KEY_SIZE;
868 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (p_cb->pairing_bda);
869
870 SMP_TRACE_DEBUG("%s", __func__);
871 /* rejecting BR pairing request over non-SC BR link */
872 if (!p_dev_rec->new_encryption_key_is_p256 && p_cb->role == HCI_ROLE_SLAVE) {
873 reason = SMP_XTRANS_DERIVE_NOT_ALLOW;
874 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &reason);
875 return;
876 }
877
878 #if (BLE_INCLUDED == TRUE)
879 /* erase all keys if it is slave proc pairing req*/
880 if (p_dev_rec && (p_cb->role == HCI_ROLE_SLAVE)) {
881 btm_sec_clear_ble_keys(p_dev_rec);
882 }
883 #endif ///BLE_INCLUDED == TRUE
884
885 p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR;
886
887 STREAM_TO_UINT8(p_cb->peer_io_caps, p);
888 STREAM_TO_UINT8(p_cb->peer_oob_flag, p);
889 STREAM_TO_UINT8(p_cb->peer_auth_req, p);
890 STREAM_TO_UINT8(p_cb->peer_enc_size, p);
891 STREAM_TO_UINT8(p_cb->peer_i_key, p);
892 STREAM_TO_UINT8(p_cb->peer_r_key, p);
893
894 if (smp_command_has_invalid_parameters(p_cb)) {
895 reason = SMP_INVALID_PARAMETERS;
896 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &reason);
897 return;
898 }
899
900 /* peer (master) started pairing sending Pairing Request */
901 /* or being master device always use received i/r key as keys to distribute */
902 p_cb->local_i_key = p_cb->peer_i_key;
903 p_cb->local_r_key = p_cb->peer_r_key;
904
905 if (p_cb->role == HCI_ROLE_SLAVE) {
906 p_dev_rec->new_encryption_key_is_p256 = FALSE;
907 /* shortcut to skip Security Grant step */
908 p_cb->cb_evt = SMP_BR_KEYS_REQ_EVT;
909 } else { /* Master receives pairing response */
910 SMP_TRACE_DEBUG("%s master rcvs valid PAIRING RESPONSE."
911 " Supposed to move to key distribution phase. ", __func__);
912 }
913
914 /* auth_req received via BR/EDR SM channel is set to 0,
915 but everything derived/exchanged has to be saved */
916 p_cb->peer_auth_req |= SMP_AUTH_BOND;
917 p_cb->loc_auth_req |= SMP_AUTH_BOND;
918 }
919
920 /*******************************************************************************
921 ** Function smp_br_process_security_grant
922 ** Description process security grant in case of pairing over BR/EDR transport.
923 *******************************************************************************/
smp_br_process_security_grant(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)924 void smp_br_process_security_grant(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
925 {
926 UINT8 res = *(UINT8 *)p_data;
927 SMP_TRACE_DEBUG("%s", __func__);
928 if (res != SMP_SUCCESS) {
929 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, p_data);
930 } else { /*otherwise, start pairing */
931 /* send IO request callback */
932 p_cb->cb_evt = SMP_BR_KEYS_REQ_EVT;
933 }
934 }
935
936 /*******************************************************************************
937 ** Function smp_br_check_authorization_request
938 ** Description sets the SMP kes to be derived/distribute over BR/EDR transport
939 ** before starting the distribution/derivation
940 *******************************************************************************/
smp_br_check_authorization_request(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)941 void smp_br_check_authorization_request(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
942 {
943 UINT8 reason = SMP_SUCCESS;
944
945 SMP_TRACE_DEBUG("%s rcvs i_keys=0x%x r_keys=0x%x "
946 "(i-initiator r-responder)", __FUNCTION__, p_cb->local_i_key,
947 p_cb->local_r_key);
948
949 /* In LE SC mode LK field is ignored when BR/EDR transport is used */
950 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
951 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
952
953 /* In LE SC mode only IRK, IAI, CSRK are exchanged with the peer.
954 ** Set local_r_key on master to expect only these keys. */
955 if (p_cb->role == HCI_ROLE_MASTER) {
956 p_cb->local_r_key &= (SMP_SEC_KEY_TYPE_ID | SMP_SEC_KEY_TYPE_CSRK);
957 }
958
959 SMP_TRACE_DEBUG("%s rcvs upgrades: i_keys=0x%x r_keys=0x%x "
960 "(i-initiator r-responder)", __FUNCTION__, p_cb->local_i_key,
961 p_cb->local_r_key);
962
963 if (/*((p_cb->peer_auth_req & SMP_AUTH_BOND) ||
964 (p_cb->loc_auth_req & SMP_AUTH_BOND)) &&*/
965 (p_cb->local_i_key || p_cb->local_r_key)) {
966 smp_br_state_machine_event(p_cb, SMP_BR_BOND_REQ_EVT, NULL);
967
968 /* if no peer key is expected, start master key distribution */
969 if (p_cb->role == HCI_ROLE_MASTER && p_cb->local_r_key == 0) {
970 smp_key_distribution_by_transport(p_cb, NULL);
971 }
972 } else {
973 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &reason);
974 }
975 }
976
977 /*******************************************************************************
978 ** Function smp_br_select_next_key
979 ** Description selects the next key to derive/send when BR/EDR transport is
980 ** used.
981 *******************************************************************************/
smp_br_select_next_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)982 void smp_br_select_next_key(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
983 {
984 UINT8 reason = SMP_SUCCESS;
985 SMP_TRACE_DEBUG("%s role=%d (0-master) r_keys=0x%x i_keys=0x%x",
986 __func__, p_cb->role, p_cb->local_r_key, p_cb->local_i_key);
987
988 if (p_cb->role == HCI_ROLE_SLAVE ||
989 (!p_cb->local_r_key && p_cb->role == HCI_ROLE_MASTER)) {
990 smp_key_pick_key(p_cb, p_data);
991 }
992
993 if (!p_cb->local_i_key && !p_cb->local_r_key) {
994 /* state check to prevent re-entrance */
995 if (smp_get_br_state() == SMP_BR_STATE_BOND_PENDING) {
996 if (p_cb->total_tx_unacked == 0) {
997 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &reason);
998 } else {
999 p_cb->wait_for_authorization_complete = TRUE;
1000 }
1001 }
1002 }
1003 }
1004 #endif ///CLASSIC_BT_INCLUDED == TRUE
1005
1006 #if (BLE_INCLUDED == TRUE)
1007 /*******************************************************************************
1008 ** Function smp_proc_enc_info
1009 ** Description process encryption information from peer device
1010 *******************************************************************************/
smp_proc_enc_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1011 void smp_proc_enc_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1012 {
1013 UINT8 *p = (UINT8 *)p_data;
1014
1015 SMP_TRACE_DEBUG("%s\n", __func__);
1016 STREAM_TO_ARRAY(p_cb->ltk, p, BT_OCTET16_LEN);
1017
1018 smp_key_distribution(p_cb, NULL);
1019 }
1020 #endif ///BLE_INCLUDED == TRUE
1021
1022 /*******************************************************************************
1023 ** Function smp_proc_master_id
1024 ** Description process master ID from slave device
1025 *******************************************************************************/
smp_proc_master_id(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1026 void smp_proc_master_id(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1027 {
1028 UINT8 *p = (UINT8 *)p_data;
1029 tBTM_LE_PENC_KEYS le_key;
1030
1031 SMP_TRACE_DEBUG("%s\np_cb->peer_auth_req = %d,p_cb->loc_auth_req= %d\n", __func__,
1032 p_cb->peer_auth_req, p_cb->loc_auth_req);
1033 smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_ENC, TRUE);
1034
1035 STREAM_TO_UINT16(le_key.ediv, p);
1036 STREAM_TO_ARRAY(le_key.rand, p, BT_OCTET8_LEN );
1037
1038 /* store the encryption keys from peer device */
1039 memcpy(le_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
1040 le_key.sec_level = p_cb->sec_level;
1041 le_key.key_size = p_cb->loc_enc_size;
1042
1043 #if (BLE_INCLUDED == TRUE)
1044 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) && (p_cb->loc_auth_req & SMP_AUTH_BOND)) {
1045 btm_sec_save_le_key(p_cb->pairing_bda,
1046 BTM_LE_KEY_PENC,
1047 (tBTM_LE_KEY_VALUE *)&le_key, TRUE);
1048 }
1049
1050 smp_key_distribution(p_cb, NULL);
1051 #endif ///BLE_INCLUDED == TRUE
1052 }
1053
1054 /*******************************************************************************
1055 ** Function smp_proc_enc_info
1056 ** Description process identity information from peer device
1057 *******************************************************************************/
smp_proc_id_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1058 void smp_proc_id_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1059 {
1060 UINT8 *p = (UINT8 *)p_data;
1061
1062 SMP_TRACE_DEBUG("%s", __func__);
1063 STREAM_TO_ARRAY (p_cb->tk, p, BT_OCTET16_LEN); /* reuse TK for IRK */
1064 smp_key_distribution_by_transport(p_cb, NULL);
1065 }
1066
1067 /*******************************************************************************
1068 ** Function smp_proc_id_addr
1069 ** Description process identity address from peer device
1070 *******************************************************************************/
smp_proc_id_addr(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1071 void smp_proc_id_addr(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1072 {
1073 UINT8 *p = (UINT8 *)p_data;
1074 tBTM_LE_PID_KEYS pid_key;
1075
1076 SMP_TRACE_DEBUG("%s", __func__);
1077 smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_ID, TRUE);
1078
1079 STREAM_TO_UINT8(pid_key.addr_type, p);
1080 STREAM_TO_BDADDR(pid_key.static_addr, p);
1081 memcpy(pid_key.irk, p_cb->tk, BT_OCTET16_LEN);
1082
1083 /* to use as BD_ADDR for lk derived from ltk */
1084 p_cb->id_addr_rcvd = TRUE;
1085 p_cb->id_addr_type = pid_key.addr_type;
1086 memcpy(p_cb->id_addr, pid_key.static_addr, BD_ADDR_LEN);
1087
1088 #if (BLE_INCLUDED == TRUE)
1089 /* store the ID key from peer device */
1090 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) && (p_cb->loc_auth_req & SMP_AUTH_BOND)) {
1091 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PID,
1092 (tBTM_LE_KEY_VALUE *)&pid_key, TRUE);
1093 }
1094 #endif ///BLE_INCLUDED == TRUE
1095
1096 smp_key_distribution_by_transport(p_cb, NULL);
1097 }
1098
1099 /*******************************************************************************
1100 ** Function smp_proc_srk_info
1101 ** Description process security information from peer device
1102 *******************************************************************************/
smp_proc_srk_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1103 void smp_proc_srk_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1104 {
1105 #if (BLE_INCLUDED == TRUE)
1106 tBTM_LE_PCSRK_KEYS le_key;
1107
1108 SMP_TRACE_DEBUG("%s", __func__);
1109 smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_CSRK, TRUE);
1110
1111 /* save CSRK to security record */
1112 le_key.sec_level = p_cb->sec_level;
1113 memcpy (le_key.csrk, p_data, BT_OCTET16_LEN); /* get peer CSRK */
1114 le_key.counter = 0; /* initialize the peer counter */
1115
1116 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) && (p_cb->loc_auth_req & SMP_AUTH_BOND)) {
1117 btm_sec_save_le_key(p_cb->pairing_bda,
1118 BTM_LE_KEY_PCSRK,
1119 (tBTM_LE_KEY_VALUE *)&le_key, TRUE);
1120 }
1121
1122 #endif ///BLE_INCLUDED == TRUE
1123 smp_key_distribution_by_transport(p_cb, NULL);
1124 }
1125
1126 /*******************************************************************************
1127 ** Function smp_proc_compare
1128 ** Description process compare value
1129 *******************************************************************************/
smp_proc_compare(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1130 void smp_proc_compare(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1131 {
1132 UINT8 reason;
1133
1134 SMP_TRACE_DEBUG("%s\n", __func__);
1135 if (!memcmp(p_cb->rconfirm, p_data->key.p_data, BT_OCTET16_LEN)) {
1136 /* compare the max encryption key size, and save the smaller one for the link */
1137 if ( p_cb->peer_enc_size < p_cb->loc_enc_size) {
1138 p_cb->loc_enc_size = p_cb->peer_enc_size;
1139 }
1140
1141 if (p_cb->role == HCI_ROLE_SLAVE) {
1142 smp_sm_event(p_cb, SMP_RAND_EVT, NULL);
1143 } else {
1144 /* master device always use received i/r key as keys to distribute */
1145 p_cb->local_i_key = p_cb->peer_i_key;
1146 p_cb->local_r_key = p_cb->peer_r_key;
1147
1148 smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL);
1149 }
1150
1151 } else {
1152 reason = p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1153 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1154 }
1155 }
1156
1157 #if (BLE_INCLUDED == TRUE)
1158 /*******************************************************************************
1159 ** Function smp_proc_sl_key
1160 ** Description process key ready events.
1161 *******************************************************************************/
smp_proc_sl_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1162 void smp_proc_sl_key(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1163 {
1164 UINT8 key_type = p_data->key.key_type;
1165
1166 SMP_TRACE_DEBUG("%s\n", __func__);
1167 if (key_type == SMP_KEY_TYPE_TK) {
1168 smp_generate_srand_mrand_confirm(p_cb, NULL);
1169 } else if (key_type == SMP_KEY_TYPE_CFM) {
1170 smp_set_state(SMP_STATE_WAIT_CONFIRM);
1171
1172 if (p_cb->flags & SMP_PAIR_FLAGS_CMD_CONFIRM) {
1173 smp_sm_event(p_cb, SMP_CONFIRM_EVT, NULL);
1174 }
1175 }
1176 }
1177
1178 /*******************************************************************************
1179 ** Function smp_start_enc
1180 ** Description start encryption
1181 *******************************************************************************/
smp_start_enc(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1182 void smp_start_enc(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1183 {
1184 tBTM_STATUS cmd;
1185 UINT8 reason = SMP_ENC_FAIL;
1186
1187 SMP_TRACE_DEBUG("%s\n", __func__);
1188 if (p_data != NULL) {
1189 cmd = btm_ble_start_encrypt(p_cb->pairing_bda, TRUE, p_data->key.p_data);
1190 } else {
1191 cmd = btm_ble_start_encrypt(p_cb->pairing_bda, FALSE, NULL);
1192 }
1193
1194 if (cmd != BTM_CMD_STARTED && cmd != BTM_BUSY) {
1195 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1196 }
1197 }
1198 #endif ///BLE_INCLUDED == TRUE
1199
1200 /*******************************************************************************
1201 ** Function smp_proc_discard
1202 ** Description processing for discard security request
1203 *******************************************************************************/
smp_proc_discard(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1204 void smp_proc_discard(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1205 {
1206 SMP_TRACE_DEBUG("%s\n", __func__);
1207 if (!(p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD)) {
1208 smp_reset_control_value(p_cb);
1209 }
1210 }
1211
1212 /*******************************************************************************
1213 ** Function smp_enc_cmpl
1214 ** Description encryption success
1215 *******************************************************************************/
smp_enc_cmpl(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1216 void smp_enc_cmpl(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1217 {
1218 UINT8 enc_enable = *(UINT8 *)p_data;
1219 UINT8 reason = enc_enable ? SMP_SUCCESS : SMP_ENC_FAIL;
1220
1221 SMP_TRACE_DEBUG("%s\n", __func__);
1222 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1223 }
1224
1225 /*******************************************************************************
1226 ** Function smp_check_auth_req
1227 ** Description check authentication request
1228 *******************************************************************************/
smp_check_auth_req(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1229 void smp_check_auth_req(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1230 {
1231 UINT8 enc_enable = *(UINT8 *)p_data;
1232 UINT8 reason = enc_enable ? SMP_SUCCESS : SMP_ENC_FAIL;
1233
1234 SMP_TRACE_DEBUG("%s rcvs enc_enable=%d i_keys=0x%x r_keys=0x%x "
1235 "(i-initiator r-responder)\n",
1236 __func__, enc_enable, p_cb->local_i_key, p_cb->local_r_key);
1237 if (enc_enable == 1) {
1238 if (p_cb->le_secure_connections_mode_is_used) {
1239 /* In LE SC mode LTK is used instead of STK and has to be always saved */
1240 p_cb->local_i_key |= SMP_SEC_KEY_TYPE_ENC;
1241 p_cb->local_r_key |= SMP_SEC_KEY_TYPE_ENC;
1242
1243 /* In LE SC mode LK is derived from LTK only if both sides request it */
1244 if (!(p_cb->local_i_key & SMP_SEC_KEY_TYPE_LK) ||
1245 !(p_cb->local_r_key & SMP_SEC_KEY_TYPE_LK)) {
1246 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
1247 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
1248 }
1249
1250 /* In LE SC mode only IRK, IAI, CSRK are exchanged with the peer.
1251 ** Set local_r_key on master to expect only these keys.
1252 */
1253 if (p_cb->role == HCI_ROLE_MASTER) {
1254 p_cb->local_r_key &= (SMP_SEC_KEY_TYPE_ID | SMP_SEC_KEY_TYPE_CSRK);
1255 }
1256 } else {
1257 /* in legacy mode derivation of BR/EDR LK is not supported */
1258 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
1259 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
1260 }
1261 SMP_TRACE_DEBUG("%s rcvs upgrades: i_keys=0x%x r_keys=0x%x "
1262 "(i-initiator r-responder)\n",
1263 __func__, p_cb->local_i_key, p_cb->local_r_key);
1264
1265 if (/*((p_cb->peer_auth_req & SMP_AUTH_BOND) ||
1266 (p_cb->loc_auth_req & SMP_AUTH_BOND)) &&*/
1267 (p_cb->local_i_key || p_cb->local_r_key)) {
1268 smp_sm_event(p_cb, SMP_BOND_REQ_EVT, NULL);
1269 } else {
1270 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1271 }
1272 } else if (enc_enable == 0) {
1273 /* if failed for encryption after pairing, send callback */
1274 if (p_cb->flags & SMP_PAIR_FLAG_ENC_AFTER_PAIR) {
1275 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1276 }
1277 /* if enc failed for old security information */
1278 /* if master device, clean up and abck to idle; slave device do nothing */
1279 else if (p_cb->role == HCI_ROLE_MASTER) {
1280 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1281 }
1282 }
1283 }
1284
1285 /*******************************************************************************
1286 ** Function smp_key_pick_key
1287 ** Description Pick a key distribution function based on the key mask.
1288 *******************************************************************************/
smp_key_pick_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1289 void smp_key_pick_key(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1290 {
1291 UINT8 key_to_dist = (p_cb->role == HCI_ROLE_SLAVE) ? p_cb->local_r_key : p_cb->local_i_key;
1292 UINT8 i = 0;
1293
1294 SMP_TRACE_DEBUG("%s key_to_dist=0x%x\n", __func__, key_to_dist);
1295 while (i < SMP_KEY_DIST_TYPE_MAX) {
1296 SMP_TRACE_DEBUG("key to send = %02x, i = %d\n", key_to_dist, i);
1297
1298 if (key_to_dist & (1 << i) && smp_distribute_act[i] != NULL) {
1299 SMP_TRACE_DEBUG("smp_distribute_act[%d]\n", i);
1300 (* smp_distribute_act[i])(p_cb, p_data);
1301 break;
1302 }
1303 i ++;
1304 }
1305 }
1306
1307 #if (BLE_INCLUDED == TRUE)
1308 /*******************************************************************************
1309 ** Function smp_key_distribution
1310 ** Description start key distribution if required.
1311 *******************************************************************************/
smp_key_distribution(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1312 void smp_key_distribution(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1313 {
1314 UINT8 reason = SMP_SUCCESS;
1315 SMP_TRACE_DEBUG("\n%s role=%d (0-master) r_keys=0x%x i_keys=0x%x\n",
1316 __func__, p_cb->role, p_cb->local_r_key, p_cb->local_i_key);
1317
1318 if (p_cb->role == HCI_ROLE_SLAVE ||
1319 (!p_cb->local_r_key && p_cb->role == HCI_ROLE_MASTER)) {
1320 smp_key_pick_key(p_cb, p_data);
1321 }
1322
1323 if (!p_cb->local_i_key && !p_cb->local_r_key) {
1324 /* state check to prevent re-entrant */
1325 if (smp_get_state() == SMP_STATE_BOND_PENDING) {
1326 if (p_cb->derive_lk) {
1327 smp_derive_link_key_from_long_term_key(p_cb, NULL);
1328 p_cb->derive_lk = FALSE;
1329 }
1330
1331 if (p_cb->total_tx_unacked == 0) {
1332 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1333 } else {
1334 p_cb->wait_for_authorization_complete = TRUE;
1335 }
1336 }
1337 }
1338 }
1339
1340 /*******************************************************************************
1341 ** Function smp_decide_association_model
1342 ** Description This function is called to select assoc model to be used for
1343 ** STK generation and to start STK generation process.
1344 **
1345 *******************************************************************************/
smp_decide_association_model(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1346 void smp_decide_association_model(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1347 {
1348 UINT8 failure = SMP_UNKNOWN_IO_CAP;
1349 UINT8 int_evt = 0;
1350 tSMP_KEY key;
1351 tSMP_INT_DATA *p = NULL;
1352
1353 SMP_TRACE_DEBUG("%s Association Model = %d\n", __func__, p_cb->selected_association_model);
1354
1355 switch (p_cb->selected_association_model) {
1356 case SMP_MODEL_ENCRYPTION_ONLY: /* TK = 0, go calculate Confirm */
1357 p_cb->sec_level = SMP_SEC_UNAUTHENTICATE;
1358 SMP_TRACE_EVENT ("p_cb->sec_level =%d (SMP_SEC_UNAUTHENTICATE) \n", p_cb->sec_level );
1359
1360 key.key_type = SMP_KEY_TYPE_TK;
1361 key.p_data = p_cb->tk;
1362 p = (tSMP_INT_DATA *)&key;
1363
1364 memset(p_cb->tk, 0, BT_OCTET16_LEN);
1365 /* TK, ready */
1366 int_evt = SMP_KEY_READY_EVT;
1367 break;
1368
1369 case SMP_MODEL_PASSKEY:
1370 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1371 SMP_TRACE_EVENT ("p_cb->sec_level =%d (SMP_SEC_AUTHENTICATED) \n", p_cb->sec_level );
1372
1373 p_cb->cb_evt = SMP_PASSKEY_REQ_EVT;
1374 int_evt = SMP_TK_REQ_EVT;
1375 break;
1376
1377 case SMP_MODEL_OOB:
1378 SMP_TRACE_ERROR ("Association Model = SMP_MODEL_OOB\n");
1379 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1380 SMP_TRACE_EVENT ("p_cb->sec_level =%d (SMP_SEC_AUTHENTICATED) \n", p_cb->sec_level );
1381
1382 p_cb->cb_evt = SMP_OOB_REQ_EVT;
1383 int_evt = SMP_TK_REQ_EVT;
1384 break;
1385
1386 case SMP_MODEL_KEY_NOTIF:
1387 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1388 SMP_TRACE_DEBUG("Need to generate Passkey\n");
1389
1390 /* generate passkey and notify application */
1391 smp_generate_passkey(p_cb, NULL);
1392 break;
1393
1394 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1395 case SMP_MODEL_SEC_CONN_NUM_COMP:
1396 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1397 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1398 case SMP_MODEL_SEC_CONN_OOB:
1399 int_evt = SMP_PUBL_KEY_EXCH_REQ_EVT;
1400 break;
1401
1402 case SMP_MODEL_OUT_OF_RANGE:
1403 SMP_TRACE_ERROR("Association Model = SMP_MODEL_OUT_OF_RANGE (failed)\n");
1404 p = (tSMP_INT_DATA *)&failure;
1405 int_evt = SMP_AUTH_CMPL_EVT;
1406 break;
1407
1408 default:
1409 SMP_TRACE_ERROR("Association Model = %d (SOMETHING IS WRONG WITH THE CODE)\n",
1410 p_cb->selected_association_model);
1411 p = (tSMP_INT_DATA *)&failure;
1412 int_evt = SMP_AUTH_CMPL_EVT;
1413 }
1414
1415 SMP_TRACE_EVENT ("sec_level=%d \n", p_cb->sec_level );
1416 if (int_evt) {
1417 smp_sm_event(p_cb, int_evt, p);
1418 }
1419 }
1420
1421 /*******************************************************************************
1422 ** Function smp_process_io_response
1423 ** Description process IO response for a slave device.
1424 *******************************************************************************/
smp_process_io_response(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1425 void smp_process_io_response(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1426 {
1427 uint8_t reason = SMP_PAIR_AUTH_FAIL;
1428 SMP_TRACE_DEBUG("%s\n", __func__);
1429 if (p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD) {
1430 /* pairing started by local (slave) Security Request */
1431 smp_set_state(SMP_STATE_SEC_REQ_PENDING);
1432 smp_send_cmd(SMP_OPCODE_SEC_REQ, p_cb);
1433 } else { /* plan to send pairing respond */
1434 /* pairing started by peer (master) Pairing Request */
1435 p_cb->selected_association_model = smp_select_association_model(p_cb);
1436
1437 if (p_cb->secure_connections_only_mode_required &&
1438 (!(p_cb->le_secure_connections_mode_is_used) ||
1439 (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS))) {
1440 SMP_TRACE_ERROR ("Slave requires secure connection only mode \
1441 but it can't be provided -> Slave fails pairing\n");
1442 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1443 return;
1444 }
1445 uint16_t auth = smp_get_auth_mode(p_cb->selected_association_model);
1446 if(p_cb->peer_auth_req & p_cb->loc_auth_req & SMP_AUTH_GEN_BOND) {
1447 auth |= SMP_AUTH_GEN_BOND;
1448 }
1449 p_cb->auth_mode = auth;
1450 if (p_cb->accept_specified_sec_auth) {
1451 if ((auth & p_cb->origin_loc_auth_req) != p_cb->origin_loc_auth_req ) {
1452 SMP_TRACE_ERROR("pairing failed - slave requires auth is 0x%x but peer auth is 0x%x local auth is 0x%x",
1453 p_cb->origin_loc_auth_req, p_cb->peer_auth_req, p_cb->loc_auth_req);
1454 if (BTM_IsAclConnectionUp(p_cb->pairing_bda, BT_TRANSPORT_LE)) {
1455 btm_remove_acl (p_cb->pairing_bda, BT_TRANSPORT_LE);
1456 }
1457 reason = SMP_PAIR_AUTH_FAIL;
1458 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1459 return;
1460 }
1461 }
1462
1463 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB && p_cb->loc_oob_flag == SMP_OOB_PRESENT) {
1464 if (smp_request_oob_data(p_cb)) {
1465 return;
1466 }
1467 }
1468 smp_send_pair_rsp(p_cb, NULL);
1469 }
1470 }
1471 #endif ///BLE_INCLUDED == TRUE
1472
1473 /*******************************************************************************
1474 ** Function smp_br_process_slave_keys_response
1475 ** Description process application keys response for a slave device
1476 ** (BR/EDR transport).
1477 *******************************************************************************/
smp_br_process_slave_keys_response(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1478 void smp_br_process_slave_keys_response(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1479 {
1480 smp_br_send_pair_response(p_cb, NULL);
1481 }
1482
1483 /*******************************************************************************
1484 ** Function smp_br_send_pair_response
1485 ** Description actions related to sending pairing response over BR/EDR transport.
1486 *******************************************************************************/
smp_br_send_pair_response(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1487 void smp_br_send_pair_response(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1488 {
1489 SMP_TRACE_DEBUG("%s\n", __func__);
1490
1491 p_cb->local_i_key &= p_cb->peer_i_key;
1492 p_cb->local_r_key &= p_cb->peer_r_key;
1493
1494 smp_send_cmd (SMP_OPCODE_PAIRING_RSP, p_cb);
1495 }
1496
1497 /*******************************************************************************
1498 ** Function smp_pairing_cmpl
1499 ** Description This function is called to send the pairing complete callback
1500 ** and remove the connection if needed.
1501 *******************************************************************************/
smp_pairing_cmpl(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1502 void smp_pairing_cmpl(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1503 {
1504 if (p_cb->total_tx_unacked == 0) {
1505 /* process the pairing complete */
1506 smp_proc_pairing_cmpl(p_cb);
1507 }
1508 }
1509
1510 /*******************************************************************************
1511 ** Function smp_pair_terminate
1512 ** Description This function is called to send the pairing complete callback
1513 ** and remove the connection if needed.
1514 *******************************************************************************/
smp_pair_terminate(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1515 void smp_pair_terminate(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1516 {
1517 SMP_TRACE_DEBUG("%s\n", __func__);
1518 p_cb->status = SMP_CONN_TOUT;
1519 smp_proc_pairing_cmpl(p_cb);
1520 }
1521
1522 /*******************************************************************************
1523 ** Function smp_idle_terminate
1524 ** Description This function calledin idle state to determine to send authentication
1525 ** complete or not.
1526 *******************************************************************************/
smp_idle_terminate(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1527 void smp_idle_terminate(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1528 {
1529 if (p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD) {
1530 SMP_TRACE_DEBUG("Pairing terminated at IDLE state.\n");
1531 p_cb->status = SMP_FAIL;
1532 smp_proc_pairing_cmpl(p_cb);
1533 }
1534 }
1535
1536 #if (BLE_INCLUDED == TRUE)
1537 /*******************************************************************************
1538 ** Function smp_fast_conn_param
1539 ** Description apply default connection parameter for pairing process
1540 *******************************************************************************/
smp_fast_conn_param(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1541 void smp_fast_conn_param(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1542 {
1543 if(p_cb->role == BTM_ROLE_MASTER) {
1544 #if (BT_MULTI_CONNECTION_ENBALE == FALSE)
1545 L2CA_EnableUpdateBleConnParams(p_cb->pairing_bda, FALSE);
1546 #endif
1547 } else {
1548 #if (SMP_SLAVE_CON_PARAMS_UPD_ENABLE == TRUE)
1549 tBTM_SEC_DEV_REC *p_rec = btm_find_dev (p_cb->pairing_bda);
1550 if(p_rec && p_rec->ble.skip_update_conn_param) {
1551 //do nothing
1552 return;
1553 }
1554 /* Disable L2CAP connection parameter updates while bonding since
1555 some peripherals are not able to revert to fast connection parameters
1556 during the start of service discovery. Connection paramter updates
1557 get enabled again once service discovery completes. */
1558 #if (BT_MULTI_CONNECTION_ENBALE == FALSE)
1559 L2CA_EnableUpdateBleConnParams(p_cb->pairing_bda, FALSE);
1560 #endif
1561 #endif
1562 }
1563 }
1564
1565 /*******************************************************************************
1566 ** Function smp_both_have_public_keys
1567 ** Description The function is called when both local and peer public keys are
1568 ** saved.
1569 ** Actions:
1570 ** - invokes DHKey computation;
1571 ** - on slave side invokes sending local public key to the peer.
1572 ** - invokes SC phase 1 process.
1573 *******************************************************************************/
smp_both_have_public_keys(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1574 void smp_both_have_public_keys(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1575 {
1576 SMP_TRACE_DEBUG("%s\n", __func__);
1577
1578 /* invokes DHKey computation */
1579 smp_compute_dhkey(p_cb);
1580
1581 /* on slave side invokes sending local public key to the peer */
1582 if (p_cb->role == HCI_ROLE_SLAVE) {
1583 smp_send_pair_public_key(p_cb, NULL);
1584 }
1585
1586 smp_sm_event(p_cb, SMP_SC_DHKEY_CMPLT_EVT, NULL);
1587 }
1588
1589 /*******************************************************************************
1590 ** Function smp_start_secure_connection_phase1
1591 ** Description The function starts Secure Connection phase1 i.e. invokes initialization of Secure Connection
1592 ** phase 1 parameters and starts building/sending to the peer
1593 ** messages appropriate for the role and association model.
1594 *******************************************************************************/
smp_start_secure_connection_phase1(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1595 void smp_start_secure_connection_phase1(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1596 {
1597 SMP_TRACE_DEBUG("%s\n", __func__);
1598
1599 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS) {
1600 p_cb->sec_level = SMP_SEC_UNAUTHENTICATE;
1601 SMP_TRACE_EVENT ("p_cb->sec_level =%d (SMP_SEC_UNAUTHENTICATE)\n ", p_cb->sec_level );
1602 } else {
1603 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1604 SMP_TRACE_EVENT ("p_cb->sec_level =%d (SMP_SEC_AUTHENTICATED)\n ", p_cb->sec_level );
1605 }
1606
1607 switch (p_cb->selected_association_model) {
1608 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1609 case SMP_MODEL_SEC_CONN_NUM_COMP:
1610 memset(p_cb->local_random, 0, BT_OCTET16_LEN);
1611 smp_start_nonce_generation(p_cb);
1612 break;
1613 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1614 /* user has to provide passkey */
1615 p_cb->cb_evt = SMP_PASSKEY_REQ_EVT;
1616 smp_sm_event(p_cb, SMP_TK_REQ_EVT, NULL);
1617 break;
1618 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1619 /* passkey has to be provided to user */
1620 SMP_TRACE_DEBUG("Need to generate SC Passkey\n");
1621 smp_generate_passkey(p_cb, NULL);
1622 break;
1623 case SMP_MODEL_SEC_CONN_OOB:
1624 /* use the available OOB information */
1625 smp_process_secure_connection_oob_data(p_cb, NULL);
1626 break;
1627 default:
1628 SMP_TRACE_ERROR ("Association Model = %d is not used in LE SC\n",
1629 p_cb->selected_association_model);
1630 break;
1631 }
1632 }
1633
1634 /*******************************************************************************
1635 ** Function smp_process_local_nonce
1636 ** Description The function processes new local nonce.
1637 **
1638 ** Note It is supposed to be called in SC phase1.
1639 *******************************************************************************/
smp_process_local_nonce(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1640 void smp_process_local_nonce(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1641 {
1642 SMP_TRACE_DEBUG("%s\n", __func__);
1643
1644 switch (p_cb->selected_association_model) {
1645 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1646 case SMP_MODEL_SEC_CONN_NUM_COMP:
1647 if (p_cb->role == HCI_ROLE_SLAVE) {
1648 /* slave calculates and sends local commitment */
1649 smp_calculate_local_commitment(p_cb);
1650 smp_send_commitment(p_cb, NULL);
1651 /* slave has to wait for peer nonce */
1652 smp_set_state(SMP_STATE_WAIT_NONCE);
1653 } else { /* i.e. master */
1654 if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_COMM) {
1655 /* slave commitment is already received, send local nonce, wait for remote nonce*/
1656 SMP_TRACE_DEBUG("master in assoc mode = %d \
1657 already rcvd slave commitment - race condition\n",
1658 p_cb->selected_association_model);
1659 p_cb->flags &= ~SMP_PAIR_FLAG_HAVE_PEER_COMM;
1660 smp_send_rand(p_cb, NULL);
1661 smp_set_state(SMP_STATE_WAIT_NONCE);
1662 }
1663 }
1664 break;
1665 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1666 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1667 smp_calculate_local_commitment(p_cb);
1668
1669 if (p_cb->role == HCI_ROLE_MASTER) {
1670 smp_send_commitment(p_cb, NULL);
1671 } else { /* slave */
1672 if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_COMM) {
1673 /* master commitment is already received */
1674 smp_send_commitment(p_cb, NULL);
1675 smp_set_state(SMP_STATE_WAIT_NONCE);
1676 }
1677 }
1678 break;
1679 case SMP_MODEL_SEC_CONN_OOB:
1680 if (p_cb->role == HCI_ROLE_MASTER) {
1681 smp_send_rand(p_cb, NULL);
1682 }
1683
1684 smp_set_state(SMP_STATE_WAIT_NONCE);
1685 break;
1686 default:
1687 SMP_TRACE_ERROR ("Association Model = %d is not used in LE SC\n",
1688 p_cb->selected_association_model);
1689 break;
1690 }
1691 }
1692
1693 /*******************************************************************************
1694 ** Function smp_process_peer_nonce
1695 ** Description The function processes newly received and saved in CB peer nonce.
1696 ** The actions depend on the selected association model and the role.
1697 **
1698 ** Note It is supposed to be called in SC phase1.
1699 *******************************************************************************/
smp_process_peer_nonce(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1700 void smp_process_peer_nonce(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1701 {
1702 UINT8 reason;
1703
1704 SMP_TRACE_DEBUG("%s start \n", __func__);
1705
1706 switch (p_cb->selected_association_model) {
1707 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1708 case SMP_MODEL_SEC_CONN_NUM_COMP:
1709 /* in these models only master receives commitment */
1710 if (p_cb->role == HCI_ROLE_MASTER) {
1711 if (!smp_check_commitment(p_cb)) {
1712 reason = p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1713 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1714 break;
1715 }
1716 } else {
1717 /* slave sends local nonce */
1718 smp_send_rand(p_cb, NULL);
1719 }
1720
1721 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS) {
1722 /* go directly to phase 2 */
1723 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1724 } else { /* numeric comparison */
1725 smp_set_state(SMP_STATE_WAIT_NONCE);
1726 smp_sm_event(p_cb, SMP_SC_CALC_NC_EVT, NULL);
1727 }
1728 break;
1729 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1730 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1731 if (!smp_check_commitment(p_cb)) {
1732 reason = p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1733 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1734 break;
1735 }
1736
1737 if (p_cb->role == HCI_ROLE_SLAVE) {
1738 smp_send_rand(p_cb, NULL);
1739 }
1740
1741 if (++p_cb->round < 20) {
1742 smp_set_state(SMP_STATE_SEC_CONN_PHS1_START);
1743 p_cb->flags &= ~SMP_PAIR_FLAG_HAVE_PEER_COMM;
1744 smp_start_nonce_generation(p_cb);
1745 break;
1746 }
1747
1748 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1749 break;
1750 case SMP_MODEL_SEC_CONN_OOB:
1751 if (p_cb->role == HCI_ROLE_SLAVE) {
1752 smp_send_rand(p_cb, NULL);
1753 }
1754
1755 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1756 break;
1757 default:
1758 SMP_TRACE_ERROR ("Association Model = %d is not used in LE SC\n",
1759 p_cb->selected_association_model);
1760 break;
1761 }
1762
1763 SMP_TRACE_DEBUG("%s end\n ", __FUNCTION__);
1764 }
1765 #endif ///BLE_INCLUDED == TRUE
1766
1767 /*******************************************************************************
1768 ** Function smp_match_dhkey_checks
1769 ** Description checks if the calculated peer DHKey Check value is the same as
1770 ** received from the peer DHKey check value.
1771 *******************************************************************************/
smp_match_dhkey_checks(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1772 void smp_match_dhkey_checks(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1773 {
1774 UINT8 reason = SMP_DHKEY_CHK_FAIL;
1775
1776 SMP_TRACE_DEBUG("%s\n", __func__);
1777
1778 if (memcmp(p_data->key.p_data, p_cb->remote_dhkey_check, BT_OCTET16_LEN)) {
1779 SMP_TRACE_WARNING ("dhkey checks do no match\n");
1780 p_cb->failure = reason;
1781 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1782 return;
1783 }
1784
1785 SMP_TRACE_EVENT ("dhkey checks match\n");
1786
1787 /* compare the max encryption key size, and save the smaller one for the link */
1788 if (p_cb->peer_enc_size < p_cb->loc_enc_size) {
1789 p_cb->loc_enc_size = p_cb->peer_enc_size;
1790 }
1791
1792 if (p_cb->role == HCI_ROLE_SLAVE) {
1793 smp_sm_event(p_cb, SMP_PAIR_DHKEY_CHCK_EVT, NULL);
1794 } else {
1795 /* master device always use received i/r key as keys to distribute */
1796 p_cb->local_i_key = p_cb->peer_i_key;
1797 p_cb->local_r_key = p_cb->peer_r_key;
1798 smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL);
1799 }
1800 }
1801
1802 /*******************************************************************************
1803 ** Function smp_move_to_secure_connections_phase2
1804 ** Description Signal State Machine to start SC phase 2 initialization (to
1805 ** compute local DHKey Check value).
1806 **
1807 ** Note SM is supposed to be in the state SMP_STATE_SEC_CONN_PHS2_START.
1808 *******************************************************************************/
smp_move_to_secure_connections_phase2(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1809 void smp_move_to_secure_connections_phase2(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1810 {
1811 SMP_TRACE_DEBUG("%s\n", __func__);
1812 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1813 }
1814
1815 /*******************************************************************************
1816 ** Function smp_phase_2_dhkey_checks_are_present
1817 ** Description generates event if dhkey check from the peer is already received.
1818 **
1819 ** Note It is supposed to be used on slave to prevent race condition.
1820 ** It is supposed to be called after slave dhkey check is calculated.
1821 *******************************************************************************/
smp_phase_2_dhkey_checks_are_present(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1822 void smp_phase_2_dhkey_checks_are_present(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1823 {
1824 SMP_TRACE_DEBUG("%s\n", __func__);
1825
1826 if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_DHK_CHK) {
1827 smp_sm_event(p_cb, SMP_SC_2_DHCK_CHKS_PRES_EVT, NULL);
1828 }
1829 }
1830
1831 /*******************************************************************************
1832 ** Function smp_wait_for_both_public_keys
1833 ** Description generates SMP_BOTH_PUBL_KEYS_RCVD_EVT event when both local and master
1834 ** public keys are available.
1835 **
1836 ** Note on the slave it is used to prevent race condition.
1837 **
1838 *******************************************************************************/
smp_wait_for_both_public_keys(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1839 void smp_wait_for_both_public_keys(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1840 {
1841 SMP_TRACE_DEBUG("%s\n", __func__);
1842
1843 if ((p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_PUBL_KEY) &&
1844 (p_cb->flags & SMP_PAIR_FLAG_HAVE_LOCAL_PUBL_KEY)) {
1845 if ((p_cb->role == HCI_ROLE_SLAVE) &&
1846 ((p_cb->req_oob_type == SMP_OOB_LOCAL) || (p_cb->req_oob_type == SMP_OOB_BOTH))) {
1847 smp_set_state(SMP_STATE_PUBLIC_KEY_EXCH);
1848 }
1849 smp_sm_event(p_cb, SMP_BOTH_PUBL_KEYS_RCVD_EVT, NULL);
1850 }
1851 }
1852
1853 #if (BLE_INCLUDED == TRUE)
1854 /*******************************************************************************
1855 ** Function smp_start_passkey_verification
1856 ** Description Starts SC passkey entry verification.
1857 *******************************************************************************/
smp_start_passkey_verification(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1858 void smp_start_passkey_verification(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1859 {
1860 UINT8 *p = NULL;
1861
1862 SMP_TRACE_DEBUG("%s\n", __func__);
1863 p = p_cb->local_random;
1864 UINT32_TO_STREAM(p, p_data->passkey);
1865
1866 p = p_cb->peer_random;
1867 UINT32_TO_STREAM(p, p_data->passkey);
1868
1869 p_cb->round = 0;
1870 smp_start_nonce_generation(p_cb);
1871 }
1872
1873 /*******************************************************************************
1874 ** Function smp_process_secure_connection_oob_data
1875 ** Description Processes local/peer SC OOB data received from somewhere.
1876 *******************************************************************************/
smp_process_secure_connection_oob_data(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1877 void smp_process_secure_connection_oob_data(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1878 {
1879 SMP_TRACE_DEBUG("%s\n", __func__);
1880
1881 tSMP_SC_OOB_DATA *p_sc_oob_data = &p_cb->sc_oob_data;
1882 if (p_sc_oob_data->loc_oob_data.present) {
1883 memcpy(p_cb->local_random, p_sc_oob_data->loc_oob_data.randomizer,
1884 sizeof(p_cb->local_random));
1885 } else {
1886 SMP_TRACE_EVENT ("local OOB randomizer is absent\n");
1887 memset(p_cb->local_random, 0, sizeof (p_cb->local_random));
1888 }
1889
1890 if (!p_sc_oob_data->peer_oob_data.present) {
1891 SMP_TRACE_EVENT ("peer OOB data is absent\n");
1892 memset(p_cb->peer_random, 0, sizeof (p_cb->peer_random));
1893 } else {
1894 memcpy(p_cb->peer_random, p_sc_oob_data->peer_oob_data.randomizer,
1895 sizeof(p_cb->peer_random));
1896 memcpy(p_cb->remote_commitment, p_sc_oob_data->peer_oob_data.commitment,
1897 sizeof(p_cb->remote_commitment));
1898
1899 UINT8 reason = SMP_CONFIRM_VALUE_ERR;
1900 /* check commitment */
1901 if (!smp_check_commitment(p_cb)) {
1902 p_cb->failure = reason;
1903 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1904 return;
1905 }
1906
1907 if (p_cb->peer_oob_flag != SMP_OOB_PRESENT) {
1908 /* the peer doesn't have local randomiser */
1909 SMP_TRACE_EVENT ("peer didn't receive local OOB data, set local randomizer to 0\n");
1910 memset(p_cb->local_random, 0, sizeof (p_cb->local_random));
1911 }
1912 }
1913
1914 print128(p_cb->local_random, (const UINT8 *)"local OOB randomizer");
1915 print128(p_cb->peer_random, (const UINT8 *)"peer OOB randomizer");
1916 smp_start_nonce_generation(p_cb);
1917 }
1918
1919 /*******************************************************************************
1920 ** Function smp_set_local_oob_keys
1921 ** Description Saves calculated private/public keys in sc_oob_data.loc_oob_data,
1922 ** starts nonce generation
1923 ** (to be saved in sc_oob_data.loc_oob_data.randomizer).
1924 *******************************************************************************/
smp_set_local_oob_keys(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1925 void smp_set_local_oob_keys(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1926 {
1927 SMP_TRACE_DEBUG("%s\n", __func__);
1928
1929 memcpy(p_cb->sc_oob_data.loc_oob_data.private_key_used, p_cb->private_key,
1930 BT_OCTET32_LEN);
1931 p_cb->sc_oob_data.loc_oob_data.publ_key_used = p_cb->loc_publ_key;
1932 smp_start_nonce_generation(p_cb);
1933 }
1934
1935 /*******************************************************************************
1936 ** Function smp_set_local_oob_random_commitment
1937 ** Description Saves calculated randomizer and commitment in sc_oob_data.loc_oob_data,
1938 ** passes sc_oob_data.loc_oob_data up for safekeeping.
1939 *******************************************************************************/
smp_set_local_oob_random_commitment(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1940 void smp_set_local_oob_random_commitment(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1941 {
1942 SMP_TRACE_DEBUG("%s\n", __func__);
1943 memcpy(p_cb->sc_oob_data.loc_oob_data.randomizer, p_cb->rand,
1944 BT_OCTET16_LEN);
1945
1946 smp_calculate_f4(p_cb->sc_oob_data.loc_oob_data.publ_key_used.x,
1947 p_cb->sc_oob_data.loc_oob_data.publ_key_used.x,
1948 p_cb->sc_oob_data.loc_oob_data.randomizer, 0,
1949 p_cb->sc_oob_data.loc_oob_data.commitment);
1950
1951 p_cb->sc_oob_data.loc_oob_data.present = true;
1952 #if SMP_DEBUG == TRUE
1953 UINT8 *p_print = NULL;
1954 SMP_TRACE_DEBUG("local SC OOB data set:\n");
1955 p_print = (UINT8 *) &p_cb->sc_oob_data.loc_oob_data.addr_sent_to;
1956 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"addr_sent_to",
1957 sizeof(tBLE_BD_ADDR));
1958 p_print = (UINT8 *) &p_cb->sc_oob_data.loc_oob_data.private_key_used;
1959 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"private_key_used",
1960 BT_OCTET32_LEN);
1961 p_print = (UINT8 *) &p_cb->sc_oob_data.loc_oob_data.publ_key_used.x;
1962 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"publ_key_used.x",
1963 BT_OCTET32_LEN);
1964 p_print = (UINT8 *) &p_cb->sc_oob_data.loc_oob_data.publ_key_used.y;
1965 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"publ_key_used.y",
1966 BT_OCTET32_LEN);
1967 p_print = (UINT8 *) &p_cb->sc_oob_data.loc_oob_data.randomizer;
1968 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"randomizer",
1969 BT_OCTET16_LEN);
1970 p_print = (UINT8 *) &p_cb->sc_oob_data.loc_oob_data.commitment;
1971 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *) "commitment",
1972 BT_OCTET16_LEN);
1973 SMP_TRACE_DEBUG("");
1974 #endif
1975
1976 /* pass created OOB data up */
1977 p_cb->cb_evt = SMP_SC_LOC_OOB_DATA_UP_EVT;
1978 smp_send_app_cback(p_cb, NULL);
1979
1980 // Store the data for later use when we are paired with
1981 smp_save_local_oob_data(p_cb);
1982
1983 smp_cb_cleanup(p_cb);
1984 }
1985
1986 /*******************************************************************************
1987 **
1988 ** Function smp_link_encrypted
1989 **
1990 ** Description This function is called when link is encrypted and notified to
1991 ** slave device. Proceed to to send LTK, DIV and ER to master if
1992 ** bonding the devices.
1993 **
1994 **
1995 ** Returns void
1996 **
1997 *******************************************************************************/
smp_link_encrypted(BD_ADDR bda,UINT8 encr_enable)1998 void smp_link_encrypted(BD_ADDR bda, UINT8 encr_enable)
1999 {
2000 tSMP_CB *p_cb = &smp_cb;
2001 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda);
2002 SMP_TRACE_DEBUG("%s encr_enable=%d\n", __func__, encr_enable);
2003
2004 if (memcmp(&smp_cb.pairing_bda[0], bda, BD_ADDR_LEN) == 0) {
2005 /* encryption completed with STK, remmeber the key size now, could be overwite
2006 * when key exchange happens */
2007 if (p_cb->loc_enc_size != 0 && encr_enable) {
2008 /* update the link encryption key size if a SMP pairing just performed */
2009 btm_ble_update_sec_key_size(bda, p_cb->loc_enc_size);
2010 }
2011
2012 smp_sm_event(&smp_cb, SMP_ENCRYPTED_EVT, &encr_enable);
2013 } else if (p_dev_rec && !p_dev_rec->role_master && !p_dev_rec->enc_init_by_we ){
2014 /*
2015 if enc_init_by_we is false, it means that client initiates encryption before slave calls esp_ble_set_encryption()
2016 we need initiate pairing_bda and p_cb->role then encryption, for example iPhones
2017 */
2018 memcpy(&smp_cb.pairing_bda[0], bda, BD_ADDR_LEN);
2019 p_cb->state = SMP_STATE_ENCRYPTION_PENDING;
2020 p_cb->role = HCI_ROLE_SLAVE;
2021 p_dev_rec->enc_init_by_we = FALSE;
2022 smp_sm_event(&smp_cb, SMP_ENCRYPTED_EVT, &encr_enable);
2023 } else if (p_dev_rec && p_dev_rec->role_master && p_dev_rec->enc_init_by_we){
2024 memcpy(&smp_cb.pairing_bda[0], bda, BD_ADDR_LEN);
2025 p_cb->state = SMP_STATE_ENCRYPTION_PENDING;
2026 p_cb->role = HCI_ROLE_MASTER;
2027 p_dev_rec->enc_init_by_we = FALSE;
2028 smp_sm_event(&smp_cb, SMP_ENCRYPTED_EVT, &encr_enable);
2029 }
2030 }
2031
2032 /*******************************************************************************
2033 **
2034 ** Function smp_proc_ltk_request
2035 **
2036 ** Description This function is called when LTK request is received from
2037 ** controller.
2038 **
2039 ** Returns void
2040 **
2041 *******************************************************************************/
smp_proc_ltk_request(BD_ADDR bda)2042 BOOLEAN smp_proc_ltk_request(BD_ADDR bda)
2043 {
2044 SMP_TRACE_DEBUG("%s state = %d\n", __func__, smp_cb.state);
2045 BOOLEAN match = FALSE;
2046
2047 if (!memcmp(bda, smp_cb.pairing_bda, BD_ADDR_LEN)) {
2048 match = TRUE;
2049 } else {
2050 BD_ADDR dummy_bda = {0};
2051 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev(bda);
2052 if (p_dev_rec != NULL &&
2053 0 == memcmp(p_dev_rec->ble.pseudo_addr, smp_cb.pairing_bda, BD_ADDR_LEN) &&
2054 0 != memcmp(p_dev_rec->ble.pseudo_addr, dummy_bda, BD_ADDR_LEN)) {
2055 match = TRUE;
2056 }
2057 }
2058
2059 if (match && smp_cb.state == SMP_STATE_ENCRYPTION_PENDING) {
2060 smp_sm_event(&smp_cb, SMP_ENC_REQ_EVT, NULL);
2061 return TRUE;
2062 }
2063
2064 return FALSE;
2065 }
2066
2067 /*******************************************************************************
2068 **
2069 ** Function smp_process_secure_connection_long_term_key
2070 **
2071 ** Description This function is called to process SC LTK.
2072 ** SC LTK is calculated and used instead of STK.
2073 ** Here SC LTK is saved in BLE DB.
2074 **
2075 ** Returns void
2076 **
2077 *******************************************************************************/
smp_process_secure_connection_long_term_key(void)2078 void smp_process_secure_connection_long_term_key(void)
2079 {
2080 tSMP_CB *p_cb = &smp_cb;
2081
2082 SMP_TRACE_DEBUG("%s\n", __func__);
2083 smp_save_secure_connections_long_term_key(p_cb);
2084
2085 smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_ENC, FALSE);
2086 smp_key_distribution(p_cb, NULL);
2087 }
2088
2089 /*******************************************************************************
2090 **
2091 ** Function smp_set_derive_link_key
2092 **
2093 ** Description This function is called to set flag that indicates that
2094 ** BR/EDR LK has to be derived from LTK after all keys are
2095 ** distributed.
2096 **
2097 ** Returns void
2098 **
2099 *******************************************************************************/
smp_set_derive_link_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2100 void smp_set_derive_link_key(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
2101 {
2102 SMP_TRACE_DEBUG ("%s\n", __func__);
2103 p_cb->derive_lk = TRUE;
2104 smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_LK, FALSE);
2105 smp_key_distribution(p_cb, NULL);
2106 }
2107
2108 /*******************************************************************************
2109 **
2110 ** Function smp_derive_link_key_from_long_term_key
2111 **
2112 ** Description This function is called to derive BR/EDR LK from LTK.
2113 **
2114 ** Returns void
2115 **
2116 *******************************************************************************/
smp_derive_link_key_from_long_term_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2117 void smp_derive_link_key_from_long_term_key(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
2118 {
2119 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN;
2120
2121 SMP_TRACE_DEBUG("%s\n", __func__);
2122 if (!smp_calculate_link_key_from_long_term_key(p_cb)) {
2123 SMP_TRACE_ERROR("%s failed\n", __FUNCTION__);
2124 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &status);
2125 return;
2126 }
2127 }
2128 #endif ///BLE_INCLUDED == TRUE
2129
2130 #if (CLASSIC_BT_INCLUDED == TRUE)
2131 /*******************************************************************************
2132 **
2133 ** Function smp_br_process_link_key
2134 **
2135 ** Description This function is called to process BR/EDR LK:
2136 ** - to derive SMP LTK from BR/EDR LK;
2137 *8 - to save SMP LTK.
2138 **
2139 ** Returns void
2140 **
2141 *******************************************************************************/
smp_br_process_link_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2142 void smp_br_process_link_key(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
2143 {
2144 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN;
2145
2146 SMP_TRACE_DEBUG("%s\n", __func__);
2147 if (!smp_calculate_long_term_key_from_link_key(p_cb)) {
2148 SMP_TRACE_ERROR ("%s failed\n", __FUNCTION__);
2149 smp_sm_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &status);
2150 return;
2151 }
2152
2153 SMP_TRACE_DEBUG("%s: LTK derivation from LK successfully completed\n", __FUNCTION__);
2154 smp_save_secure_connections_long_term_key(p_cb);
2155 smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_ENC, FALSE);
2156 smp_br_select_next_key(p_cb, NULL);
2157 }
2158 #endif ///CLASSIC_BT_INCLUDED == TRUE
2159
2160 /*******************************************************************************
2161 ** Function smp_key_distribution_by_transport
2162 ** Description depending on the transport used at the moment calls either
2163 ** smp_key_distribution(...) or smp_br_key_distribution(...).
2164 *******************************************************************************/
smp_key_distribution_by_transport(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2165 void smp_key_distribution_by_transport(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
2166 {
2167 SMP_TRACE_DEBUG("%s\n", __func__);
2168 if (p_cb->smp_over_br) {
2169 #if (CLASSIC_BT_INCLUDED == TRUE)
2170 smp_br_select_next_key(p_cb, NULL);
2171 #endif ///CLASSIC_BT_INCLUDED == TRUE
2172 } else {
2173 #if (BLE_INCLUDED == TRUE)
2174 smp_key_distribution(p_cb, NULL);
2175 #endif ///BLE_INCLUDED == TRUE
2176 }
2177 }
2178
2179 /*******************************************************************************
2180 ** Function smp_br_pairing_complete
2181 ** Description This function is called to send the pairing complete callback
2182 ** and remove the connection if needed.
2183 *******************************************************************************/
smp_br_pairing_complete(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2184 void smp_br_pairing_complete(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
2185 {
2186 SMP_TRACE_DEBUG("%s\n", __func__);
2187
2188 if (p_cb->total_tx_unacked == 0) {
2189 /* process the pairing complete */
2190 smp_proc_pairing_cmpl(p_cb);
2191 }
2192 }
2193
2194 #endif
2195
