1 /******************************************************************************
2 *
3 * Copyright (C) 2003-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 #include <string.h>
20 #include "device/interop.h"
21 #include "common/bt_target.h"
22 #include "btm_int.h"
23 #include "stack/l2c_api.h"
24 #include "smp_int.h"
25 #include "p_256_ecc_pp.h"
26 //#include "utils/include/bt_utils.h"
27
28 #if SMP_INCLUDED == 1
29 const UINT8 smp_association_table[2][SMP_IO_CAP_MAX][SMP_IO_CAP_MAX] = {
30 /* initiator */
31 { {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY}, /* Display Only */
32 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY}, /* SMP_CAP_IO = 1 */
33 {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF}, /* keyboard only */
34 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY},/* No Input No Output */
35 {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF}
36 }, /* keyboard display */
37 /* responder */
38 { {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF}, /* Display Only */
39 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF}, /* SMP_CAP_IO = 1 */
40 {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY}, /* keyboard only */
41 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY},/* No Input No Output */
42 {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_KEY_NOTIF, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY}
43 } /* keyboard display */
44 /* display only */ /*SMP_CAP_IO = 1 */ /* keyboard only */ /* No InputOutput */ /* keyboard display */
45 };
46
47 #define SMP_KEY_DIST_TYPE_MAX 4
48 const tSMP_ACT smp_distribute_act [] = {
49 #if (BLE_INCLUDED == 1)
50 smp_generate_ltk,
51 smp_send_id_info,
52 smp_generate_csrk,
53 smp_set_derive_link_key
54 #else
55 NULL,
56 NULL,
57 NULL,
58 NULL
59 #endif ///BLE_INCLUDED == 1
60 };
61
62 extern UINT8 bta_dm_co_ble_get_accept_auth_enable(void);
63 extern UINT8 bta_dm_co_ble_get_auth_req(void);
64
lmp_version_below(BD_ADDR bda,uint8_t version)65 static bool lmp_version_below(BD_ADDR bda, uint8_t version)
66 {
67 tACL_CONN *acl = btm_bda_to_acl(bda, BT_TRANSPORT_LE);
68 if (acl == NULL || acl->lmp_version == 0) {
69 SMP_TRACE_WARNING("%s cannot retrieve LMP version...", __func__);
70 return false;
71 }
72 SMP_TRACE_DEBUG("%s LMP version %d < %d", __func__, acl->lmp_version, version);
73 return acl->lmp_version < version;
74 }
75
76 /*******************************************************************************
77 ** Function smp_update_key_mask
78 ** Description This function updates the key mask for sending or receiving.
79 *******************************************************************************/
smp_update_key_mask(tSMP_CB * p_cb,UINT8 key_type,BOOLEAN recv)80 static void smp_update_key_mask (tSMP_CB *p_cb, UINT8 key_type, BOOLEAN recv)
81 {
82 SMP_TRACE_DEBUG("%s before update role=%d recv=%d local_i_key = %02x, local_r_key = %02x\n",
83 __func__, p_cb->role, recv, p_cb->local_i_key, p_cb->local_r_key);
84
85 if (((p_cb->le_secure_connections_mode_is_used) ||
86 (p_cb->smp_over_br)) &&
87 ((key_type == SMP_SEC_KEY_TYPE_ENC) || (key_type == SMP_SEC_KEY_TYPE_LK))) {
88 /* in LE SC mode LTK, CSRK and BR/EDR LK are derived locally instead of
89 ** being exchanged with the peer */
90 p_cb->local_i_key &= ~key_type;
91 p_cb->local_r_key &= ~key_type;
92 } else if (p_cb->role == HCI_ROLE_SLAVE) {
93 if (recv) {
94 p_cb->local_i_key &= ~key_type;
95 } else {
96 p_cb->local_r_key &= ~key_type;
97 }
98 } else {
99 if (recv) {
100 p_cb->local_r_key &= ~key_type;
101 } else {
102 p_cb->local_i_key &= ~key_type;
103 }
104 }
105
106 SMP_TRACE_DEBUG("updated local_i_key = %02x, local_r_key = %02x\n", p_cb->local_i_key,
107 p_cb->local_r_key);
108 }
109
110 /*******************************************************************************
111 ** Function smp_send_app_cback
112 ** Description notifies application about the events the application is interested in
113 *******************************************************************************/
smp_send_app_cback(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)114 void smp_send_app_cback(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
115 {
116 tSMP_EVT_DATA cb_data;
117 tSMP_STATUS callback_rc;
118 SMP_TRACE_DEBUG("%s p_cb->cb_evt=%d\n", __func__, p_cb->cb_evt);
119 if (p_cb->p_callback && p_cb->cb_evt != 0) {
120 switch (p_cb->cb_evt) {
121 case SMP_IO_CAP_REQ_EVT:
122 cb_data.io_req.auth_req = p_cb->peer_auth_req;
123 cb_data.io_req.oob_data = SMP_OOB_NONE;
124 cb_data.io_req.io_cap = SMP_DEFAULT_IO_CAPS;
125 cb_data.io_req.max_key_size = SMP_MAX_ENC_KEY_SIZE;
126 cb_data.io_req.init_keys = p_cb->local_i_key ;
127 cb_data.io_req.resp_keys = p_cb->local_r_key ;
128 SMP_TRACE_DEBUG ( "io_cap = %d", cb_data.io_req.io_cap);
129 break;
130
131 case SMP_NC_REQ_EVT:
132 cb_data.passkey = p_data->passkey;
133 break;
134 case SMP_SC_OOB_REQ_EVT:
135 cb_data.req_oob_type = p_data->req_oob_type;
136 break;
137 case SMP_SC_LOC_OOB_DATA_UP_EVT:
138 cb_data.loc_oob_data = p_cb->sc_oob_data.loc_oob_data;
139 break;
140
141 case SMP_BR_KEYS_REQ_EVT:
142 cb_data.io_req.auth_req = 0;
143 cb_data.io_req.oob_data = SMP_OOB_NONE;
144 cb_data.io_req.io_cap = 0;
145 cb_data.io_req.max_key_size = SMP_MAX_ENC_KEY_SIZE;
146 cb_data.io_req.init_keys = SMP_BR_SEC_DEFAULT_KEY;
147 cb_data.io_req.resp_keys = SMP_BR_SEC_DEFAULT_KEY;
148 break;
149
150 default:
151 break;
152 }
153
154 callback_rc = (*p_cb->p_callback)(p_cb->cb_evt, p_cb->pairing_bda, &cb_data);
155
156 SMP_TRACE_DEBUG("callback_rc=%d p_cb->cb_evt=%d\n", callback_rc, p_cb->cb_evt );
157
158 if (callback_rc == SMP_SUCCESS) {
159 switch (p_cb->cb_evt) {
160 case SMP_IO_CAP_REQ_EVT:
161 p_cb->loc_auth_req = cb_data.io_req.auth_req;
162 p_cb->local_io_capability = cb_data.io_req.io_cap;
163 p_cb->loc_oob_flag = cb_data.io_req.oob_data;
164 p_cb->loc_enc_size = cb_data.io_req.max_key_size;
165 p_cb->local_i_key = cb_data.io_req.init_keys;
166 p_cb->local_r_key = cb_data.io_req.resp_keys;
167
168 if (!(p_cb->loc_auth_req & SMP_AUTH_BOND)) {
169 SMP_TRACE_WARNING ("Non bonding: No keys will be exchanged");
170 p_cb->local_i_key = 0;
171 p_cb->local_r_key = 0;
172 }
173
174 SMP_TRACE_DEBUG ("rcvd auth_req: 0x%02x, io_cap: %d \
175 loc_oob_flag: %d loc_enc_size: %d,"
176 "local_i_key: 0x%02x, local_r_key: 0x%02x\n",
177 p_cb->loc_auth_req, p_cb->local_io_capability, p_cb->loc_oob_flag,
178 p_cb->loc_enc_size, p_cb->local_i_key, p_cb->local_r_key);
179
180 p_cb->secure_connections_only_mode_required =
181 (btm_cb.security_mode == BTM_SEC_MODE_SC) ? 1 : 0;
182
183 if (p_cb->secure_connections_only_mode_required) {
184 p_cb->loc_auth_req |= SMP_SC_SUPPORT_BIT;
185 }
186
187 if (!(p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT)
188 || lmp_version_below(p_cb->pairing_bda, HCI_PROTO_VERSION_4_2)
189 || interop_match(INTEROP_DISABLE_LE_SECURE_CONNECTIONS,
190 (const bt_bdaddr_t *)&p_cb->pairing_bda)) {
191 p_cb->loc_auth_req &= ~SMP_KP_SUPPORT_BIT;
192 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
193 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
194 }
195
196 SMP_TRACE_DEBUG("set auth_req: 0x%02x, local_i_key: 0x%02x, local_r_key: 0x%02x\n",
197 p_cb->loc_auth_req, p_cb->local_i_key, p_cb->local_r_key);
198
199 smp_sm_event(p_cb, SMP_IO_RSP_EVT, NULL);
200 break;
201 #if (CLASSIC_BT_INCLUDED == 1)
202 case SMP_BR_KEYS_REQ_EVT:
203 p_cb->loc_enc_size = cb_data.io_req.max_key_size;
204 p_cb->local_i_key = cb_data.io_req.init_keys;
205 p_cb->local_r_key = cb_data.io_req.resp_keys;
206
207 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
208 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
209
210 SMP_TRACE_WARNING ( "for SMP over BR max_key_size: 0x%02x,\
211 local_i_key: 0x%02x, local_r_key: 0x%02x\n",
212 p_cb->loc_enc_size, p_cb->local_i_key, p_cb->local_r_key);
213
214 smp_br_state_machine_event(p_cb, SMP_BR_KEYS_RSP_EVT, NULL);
215 break;
216 #endif ///CLASSIC_BT_INCLUDED == 1
217 }
218 }
219 }
220
221 if (!p_cb->cb_evt && p_cb->discard_sec_req) {
222 p_cb->discard_sec_req = 0;
223 smp_sm_event(p_cb, SMP_DISCARD_SEC_REQ_EVT, NULL);
224 }
225
226 SMP_TRACE_DEBUG("%s return\n", __func__);
227 }
228
229 /*******************************************************************************
230 ** Function smp_send_pair_fail
231 ** Description pairing failure to peer device if needed.
232 *******************************************************************************/
smp_send_pair_fail(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)233 void smp_send_pair_fail(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
234 {
235 p_cb->status = *(UINT8 *)p_data;
236 p_cb->failure = *(UINT8 *)p_data;
237
238 SMP_TRACE_DEBUG("%s status=%d failure=%d ", __func__, p_cb->status, p_cb->failure);
239
240 if (p_cb->status <= SMP_MAX_FAIL_RSN_PER_SPEC && p_cb->status != SMP_SUCCESS) {
241 smp_send_cmd(SMP_OPCODE_PAIRING_FAILED, p_cb);
242 p_cb->wait_for_authorization_complete = 1;
243 }
244 }
245
246 /*******************************************************************************
247 ** Function smp_send_pair_req
248 ** Description actions related to sending pairing request
249 *******************************************************************************/
smp_send_pair_req(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)250 void smp_send_pair_req(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
251 {
252 SMP_TRACE_DEBUG("%s\n", __func__);
253
254 #if (BLE_INCLUDED == 1)
255 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (p_cb->pairing_bda);
256 /* erase all keys when master sends pairing req*/
257 if (p_dev_rec) {
258 btm_sec_clear_ble_keys(p_dev_rec);
259 }
260 #endif ///BLE_INCLUDED == 1
261 /* do not manipulate the key, let app decide,
262 leave out to BTM to mandate key distribution for bonding case */
263 smp_send_cmd(SMP_OPCODE_PAIRING_REQ, p_cb);
264 }
265
266 /*******************************************************************************
267 ** Function smp_send_pair_rsp
268 ** Description actions related to sending pairing response
269 *******************************************************************************/
smp_send_pair_rsp(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)270 void smp_send_pair_rsp(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
271 {
272 SMP_TRACE_DEBUG("%s\n", __func__);
273
274 #if (BLE_INCLUDED == 1)
275 p_cb->local_i_key &= p_cb->peer_i_key;
276 p_cb->local_r_key &= p_cb->peer_r_key;
277
278 if (smp_send_cmd (SMP_OPCODE_PAIRING_RSP, p_cb)) {
279 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) {
280 smp_use_oob_private_key(p_cb, NULL);
281 } else {
282 smp_decide_association_model(p_cb, NULL);
283 }
284 }
285 #endif ///BLE_INCLUDED == 1
286 }
287
288 /*******************************************************************************
289 ** Function smp_send_confirm
290 ** Description send confirmation to the peer
291 *******************************************************************************/
smp_send_confirm(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)292 void smp_send_confirm(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
293 {
294 SMP_TRACE_DEBUG("%s\n", __func__);
295 smp_send_cmd(SMP_OPCODE_CONFIRM, p_cb);
296 }
297
298 #if 0 //Unused
299 /*******************************************************************************
300 ** Function smp_send_init
301 ** Description process pairing initializer to slave device
302 *******************************************************************************/
303 void smp_send_init(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
304 {
305 SMP_TRACE_DEBUG("%s\n", __func__);
306 smp_send_cmd(SMP_OPCODE_INIT, p_cb);
307 }
308 #endif
309
310 /*******************************************************************************
311 ** Function smp_send_rand
312 ** Description send pairing random to the peer
313 *******************************************************************************/
smp_send_rand(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)314 void smp_send_rand(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
315 {
316 SMP_TRACE_DEBUG("%s\n", __func__);
317 smp_send_cmd(SMP_OPCODE_RAND, p_cb);
318 }
319
320 /*******************************************************************************
321 ** Function smp_send_pair_public_key
322 ** Description send pairing public key command to the peer
323 *******************************************************************************/
smp_send_pair_public_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)324 void smp_send_pair_public_key(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
325 {
326 SMP_TRACE_DEBUG("%s\n", __func__);
327 smp_send_cmd(SMP_OPCODE_PAIR_PUBLIC_KEY, p_cb);
328 }
329
330 /*******************************************************************************
331 ** Function SMP_SEND_COMMITMENT
332 ** Description send commitment command to the peer
333 *******************************************************************************/
smp_send_commitment(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)334 void smp_send_commitment(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
335 {
336 SMP_TRACE_DEBUG("%s", __func__);
337 smp_send_cmd(SMP_OPCODE_PAIR_COMMITM, p_cb);
338 }
339
340 /*******************************************************************************
341 ** Function smp_send_dhkey_check
342 ** Description send DHKey Check command to the peer
343 *******************************************************************************/
smp_send_dhkey_check(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)344 void smp_send_dhkey_check(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
345 {
346 SMP_TRACE_DEBUG("%s", __func__);
347 smp_send_cmd(SMP_OPCODE_PAIR_DHKEY_CHECK, p_cb);
348 }
349
350 /*******************************************************************************
351 ** Function smp_send_keypress_notification
352 ** Description send Keypress Notification command to the peer
353 *******************************************************************************/
smp_send_keypress_notification(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)354 void smp_send_keypress_notification(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
355 {
356 p_cb->local_keypress_notification = *(UINT8 *) p_data;
357 smp_send_cmd(SMP_OPCODE_PAIR_KEYPR_NOTIF, p_cb);
358 }
359
360 /*******************************************************************************
361 ** Function smp_send_enc_info
362 ** Description send encryption information command.
363 *******************************************************************************/
smp_send_enc_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)364 void smp_send_enc_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
365 {
366 tBTM_LE_LENC_KEYS le_key;
367
368 SMP_TRACE_DEBUG("%s p_cb->loc_enc_size = %d\n", __func__, p_cb->loc_enc_size);
369 smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_ENC, 0);
370
371 smp_send_cmd(SMP_OPCODE_ENCRYPT_INFO, p_cb);
372 smp_send_cmd(SMP_OPCODE_MASTER_ID, p_cb);
373
374 /* save the DIV and key size information when acting as slave device */
375 memcpy(le_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
376 le_key.div = p_cb->div;
377 le_key.key_size = p_cb->loc_enc_size;
378 le_key.sec_level = p_cb->sec_level;
379
380 #if (BLE_INCLUDED == 1)
381 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) && (p_cb->loc_auth_req & SMP_AUTH_BOND)) {
382 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC,
383 (tBTM_LE_KEY_VALUE *)&le_key, 1);
384 }
385
386 SMP_TRACE_DEBUG ("%s\n", __func__);
387
388 smp_key_distribution(p_cb, NULL);
389 #endif ///BLE_INCLUDED == 1
390 }
391
392 /*******************************************************************************
393 ** Function smp_send_id_info
394 ** Description send ID information command.
395 *******************************************************************************/
smp_send_id_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)396 void smp_send_id_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
397 {
398 SMP_TRACE_DEBUG("%s\n", __func__);
399 smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_ID, 0);
400
401 smp_send_cmd(SMP_OPCODE_IDENTITY_INFO, p_cb);
402 smp_send_cmd(SMP_OPCODE_ID_ADDR, p_cb);
403
404 #if (BLE_INCLUDED == 1)
405 tBTM_LE_KEY_VALUE le_key;
406 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) && (p_cb->loc_auth_req & SMP_AUTH_BOND)) {
407 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LID,
408 &le_key, 1);
409 }
410 #endif ///BLE_INCLUDED == 1
411
412 smp_key_distribution_by_transport(p_cb, NULL);
413 }
414
415 #if (BLE_INCLUDED == 1)
416 /*******************************************************************************
417 ** Function smp_send_csrk_info
418 ** Description send CSRK command.
419 *******************************************************************************/
smp_send_csrk_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)420 void smp_send_csrk_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
421 {
422 tBTM_LE_LCSRK_KEYS key;
423 SMP_TRACE_DEBUG("%s\n", __func__);
424 smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_CSRK, 0);
425
426 if (smp_send_cmd(SMP_OPCODE_SIGN_INFO, p_cb)) {
427 key.div = p_cb->div;
428 key.sec_level = p_cb->sec_level;
429 key.counter = 0; /* initialize the local counter */
430 memcpy (key.csrk, p_cb->csrk, BT_OCTET16_LEN);
431 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LCSRK, (tBTM_LE_KEY_VALUE *)&key, 1);
432 }
433
434 smp_key_distribution_by_transport(p_cb, NULL);
435 }
436
437 /*******************************************************************************
438 ** Function smp_send_ltk_reply
439 ** Description send LTK reply
440 *******************************************************************************/
smp_send_ltk_reply(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)441 void smp_send_ltk_reply(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
442 {
443 SMP_TRACE_DEBUG("%s", __func__);
444 /* send stk as LTK response */
445 btm_ble_ltk_request_reply(p_cb->pairing_bda, 1, p_data->key.p_data);
446 }
447
448 /*******************************************************************************
449 ** Function smp_proc_sec_req
450 ** Description process security request.
451 *******************************************************************************/
smp_proc_sec_req(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)452 void smp_proc_sec_req(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
453 {
454 tBTM_LE_AUTH_REQ auth_req = *(tBTM_LE_AUTH_REQ *)p_data;
455 tBTM_BLE_SEC_REQ_ACT sec_req_act;
456 UINT8 reason;
457
458 SMP_TRACE_DEBUG("%s auth_req=0x%x", __func__, auth_req);
459
460 p_cb->cb_evt = 0;
461 btm_ble_link_sec_check(p_cb->pairing_bda, auth_req, &sec_req_act);
462
463 SMP_TRACE_DEBUG("%s sec_req_act=0x%x", __func__, sec_req_act);
464
465 switch (sec_req_act) {
466 case BTM_BLE_SEC_REQ_ACT_ENCRYPT:
467 SMP_TRACE_DEBUG("%s BTM_BLE_SEC_REQ_ACT_ENCRYPT", __func__);
468 smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL);
469 break;
470
471 case BTM_BLE_SEC_REQ_ACT_PAIR:
472 p_cb->secure_connections_only_mode_required =
473 (btm_cb.security_mode == BTM_SEC_MODE_SC) ? 1 : 0;
474
475 /* respond to non SC pairing request as failure in SC only mode */
476 if (p_cb->secure_connections_only_mode_required &&
477 (auth_req & SMP_SC_SUPPORT_BIT) == 0) {
478 reason = SMP_PAIR_AUTH_FAIL;
479 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
480 } else {
481 /* initialize local i/r key to be default keys */
482 p_cb->peer_auth_req = auth_req;
483 p_cb->local_r_key = p_cb->local_i_key = SMP_SEC_DEFAULT_KEY ;
484 p_cb->cb_evt = SMP_SEC_REQUEST_EVT;
485 }
486 break;
487
488 case BTM_BLE_SEC_REQ_ACT_DISCARD:
489 p_cb->discard_sec_req = 1;
490 break;
491
492 default:
493 /* do nothing */
494 break;
495 }
496 }
497 #endif ///BLE_INCLUDED == 1
498
499 /*******************************************************************************
500 ** Function smp_proc_sec_grant
501 ** Description process security grant.
502 *******************************************************************************/
smp_proc_sec_grant(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)503 void smp_proc_sec_grant(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
504 {
505 UINT8 res = *(UINT8 *)p_data;
506 SMP_TRACE_DEBUG("%s", __func__);
507 if (res != SMP_SUCCESS) {
508 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, p_data);
509 } else { /*otherwise, start pairing */
510 /* send IO request callback */
511 p_cb->cb_evt = SMP_IO_CAP_REQ_EVT;
512 }
513 }
514
515 /*******************************************************************************
516 ** Function smp_proc_pair_fail
517 ** Description process pairing failure from peer device
518 *******************************************************************************/
smp_proc_pair_fail(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)519 void smp_proc_pair_fail(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
520 {
521 SMP_TRACE_DEBUG("%s", __func__);
522 p_cb->status = *(UINT8 *)p_data;
523 }
524
525 /*******************************************************************************
526 ** Function smp_get_auth_mode
527 ** Description Get the SMP pairing auth mode
528 *******************************************************************************/
smp_get_auth_mode(tSMP_ASSO_MODEL model)529 uint16_t smp_get_auth_mode (tSMP_ASSO_MODEL model)
530 {
531 SMP_TRACE_DEBUG("%s model %d", __func__, model);
532 uint16_t auth = 0;
533 if (model == SMP_MODEL_ENCRYPTION_ONLY || model == SMP_MODEL_SEC_CONN_JUSTWORKS) {
534 //No MITM
535 if(model == SMP_MODEL_SEC_CONN_JUSTWORKS) {
536 //SC SMP_SC_SUPPORT_BIT
537 auth |= SMP_SC_SUPPORT_BIT;
538 }
539 } else if (model <= SMP_MODEL_KEY_NOTIF) {
540 //NO SC, MITM
541 auth |= SMP_AUTH_YN_BIT;
542 } else if (model <= SMP_MODEL_SEC_CONN_OOB) {
543 //SC, MITM
544 auth |= SMP_SC_SUPPORT_BIT;
545 auth |= SMP_AUTH_YN_BIT;
546 } else {
547 auth = 0;
548 }
549 return auth;
550 }
551
552 #if (BLE_INCLUDED == 1)
553 /*******************************************************************************
554 ** Function smp_proc_pair_cmd
555 ** Description Process the SMP pairing request/response from peer device
556 *******************************************************************************/
smp_proc_pair_cmd(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)557 void smp_proc_pair_cmd(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
558 {
559 UINT8 *p = (UINT8 *)p_data;
560 UINT8 reason = SMP_ENC_KEY_SIZE;
561 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (p_cb->pairing_bda);
562
563 SMP_TRACE_DEBUG("%s\n", __func__);
564 /* erase all keys if it is slave proc pairing req*/
565 if (p_dev_rec && (p_cb->role == HCI_ROLE_SLAVE)) {
566 btm_sec_clear_ble_keys(p_dev_rec);
567 }
568
569 p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR;
570
571 STREAM_TO_UINT8(p_cb->peer_io_caps, p);
572 STREAM_TO_UINT8(p_cb->peer_oob_flag, p);
573 STREAM_TO_UINT8(p_cb->peer_auth_req, p);
574 STREAM_TO_UINT8(p_cb->peer_enc_size, p);
575 STREAM_TO_UINT8(p_cb->peer_i_key, p);
576 STREAM_TO_UINT8(p_cb->peer_r_key, p);
577
578 if (smp_command_has_invalid_parameters(p_cb)) {
579 reason = SMP_INVALID_PARAMETERS;
580 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
581 return;
582 }
583 p_cb->accept_specified_sec_auth = bta_dm_co_ble_get_accept_auth_enable();
584 p_cb->origin_loc_auth_req = bta_dm_co_ble_get_auth_req();
585 if (p_cb->role == HCI_ROLE_SLAVE) {
586 if (!(p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD)) {
587 /* peer (master) started pairing sending Pairing Request */
588 p_cb->local_i_key = p_cb->peer_i_key;
589 p_cb->local_r_key = p_cb->peer_r_key;
590
591 p_cb->cb_evt = SMP_SEC_REQUEST_EVT;
592 } else { /* update local i/r key according to pairing request */
593 /* pairing started with this side (slave) sending Security Request */
594 p_cb->local_i_key &= p_cb->peer_i_key;
595 p_cb->local_r_key &= p_cb->peer_r_key;
596 p_cb->selected_association_model = smp_select_association_model(p_cb);
597
598 if (p_cb->secure_connections_only_mode_required &&
599 (!(p_cb->le_secure_connections_mode_is_used) ||
600 (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS))) {
601 SMP_TRACE_ERROR("%s pairing failed - slave requires secure connection only mode",
602 __func__);
603 reason = SMP_PAIR_AUTH_FAIL;
604 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
605 return;
606 }
607 uint16_t auth = smp_get_auth_mode(p_cb->selected_association_model);
608 if(p_cb->peer_auth_req & p_cb->loc_auth_req & SMP_AUTH_GEN_BOND) {
609 auth |= SMP_AUTH_GEN_BOND;
610 }
611 p_cb->auth_mode = auth;
612 if (p_cb->accept_specified_sec_auth) {
613 if ((auth & p_cb->origin_loc_auth_req) != p_cb->origin_loc_auth_req ) {
614 SMP_TRACE_ERROR("%s pairing failed - slave requires auth is 0x%x but peer auth is 0x%x local auth is 0x%x",
615 __func__, p_cb->origin_loc_auth_req, p_cb->peer_auth_req, p_cb->loc_auth_req);
616 if (BTM_IsAclConnectionUp(p_cb->pairing_bda, BT_TRANSPORT_LE)) {
617 btm_remove_acl (p_cb->pairing_bda, BT_TRANSPORT_LE);
618 }
619 reason = SMP_PAIR_AUTH_FAIL;
620 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
621 return;
622 }
623 }
624
625 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) {
626 if (smp_request_oob_data(p_cb)) {
627 return;
628 }
629 } else {
630 smp_send_pair_rsp(p_cb, NULL);
631 }
632 }
633 } else { /* Master receives pairing response */
634 p_cb->selected_association_model = smp_select_association_model(p_cb);
635
636 if (p_cb->secure_connections_only_mode_required &&
637 (!(p_cb->le_secure_connections_mode_is_used) ||
638 (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS))) {
639 SMP_TRACE_ERROR ("Master requires secure connection only mode \
640 but it can't be provided -> Master fails pairing");
641 reason = SMP_PAIR_AUTH_FAIL;
642 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
643 return;
644 }
645
646 uint16_t auth = smp_get_auth_mode(p_cb->selected_association_model);
647 if(p_cb->peer_auth_req & p_cb->loc_auth_req & SMP_AUTH_GEN_BOND) {
648 auth |= SMP_AUTH_GEN_BOND;
649 }
650 p_cb->auth_mode = auth;
651 if (p_cb->accept_specified_sec_auth) {
652 if ((auth & p_cb->origin_loc_auth_req) != p_cb->origin_loc_auth_req ) {
653 SMP_TRACE_ERROR("%s pairing failed - master requires auth is 0x%x but peer auth is 0x%x local auth is 0x%x",
654 __func__, p_cb->origin_loc_auth_req, p_cb->peer_auth_req, p_cb->loc_auth_req);
655 if (BTM_IsAclConnectionUp(p_cb->pairing_bda, BT_TRANSPORT_LE)) {
656 btm_remove_acl (p_cb->pairing_bda, BT_TRANSPORT_LE);
657 }
658 reason = SMP_PAIR_AUTH_FAIL;
659 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
660 return;
661 }
662 }
663
664 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) {
665 if (smp_request_oob_data(p_cb)) {
666 return;
667 }
668 } else {
669 smp_decide_association_model(p_cb, NULL);
670 }
671 }
672 }
673 #endif ///BLE_INCLUDED == 1
674
675 /*******************************************************************************
676 ** Function smp_proc_confirm
677 ** Description process pairing confirm from peer device
678 *******************************************************************************/
smp_proc_confirm(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)679 void smp_proc_confirm(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
680 {
681 UINT8 *p = (UINT8 *)p_data;
682 UINT8 reason = SMP_INVALID_PARAMETERS;
683
684 SMP_TRACE_DEBUG("%s\n", __func__);
685
686 if (smp_command_has_invalid_parameters(p_cb)) {
687 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
688 return;
689 }
690
691 if (p != NULL) {
692 /* save the SConfirm for comparison later */
693 STREAM_TO_ARRAY(p_cb->rconfirm, p, BT_OCTET16_LEN);
694 }
695
696 p_cb->flags |= SMP_PAIR_FLAGS_CMD_CONFIRM;
697 }
698
699 #if 0 //Unused
700 /*******************************************************************************
701 ** Function smp_proc_init
702 ** Description process pairing initializer from peer device
703 *******************************************************************************/
704 void smp_proc_init(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
705 {
706 UINT8 *p = (UINT8 *)p_data;
707 UINT8 reason = SMP_INVALID_PARAMETERS;
708
709 SMP_TRACE_DEBUG("%s", __func__);
710
711 if (smp_command_has_invalid_parameters(p_cb)) {
712 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
713 return;
714 }
715
716 /* save the SRand for comparison */
717 STREAM_TO_ARRAY(p_cb->rrand, p, BT_OCTET16_LEN);
718 }
719 #endif
720
721 /*******************************************************************************
722 ** Function smp_proc_rand
723 ** Description process pairing random (nonce) from peer device
724 *******************************************************************************/
smp_proc_rand(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)725 void smp_proc_rand(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
726 {
727 UINT8 *p = (UINT8 *)p_data;
728 UINT8 reason = SMP_INVALID_PARAMETERS;
729
730 SMP_TRACE_DEBUG("%s\n", __func__);
731
732 if (smp_command_has_invalid_parameters(p_cb)) {
733 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
734 return;
735 }
736
737 /* save the SRand for comparison */
738 STREAM_TO_ARRAY(p_cb->rrand, p, BT_OCTET16_LEN);
739 }
740
741 /*******************************************************************************
742 ** Function smp_process_pairing_public_key
743 ** Description process pairing public key command from the peer device
744 ** - saves the peer public key;
745 ** - sets the flag indicating that the peer public key is received;
746 ** - calls smp_wait_for_both_public_keys(...).
747 **
748 *******************************************************************************/
smp_process_pairing_public_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)749 void smp_process_pairing_public_key(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
750 {
751 UINT8 *p = (UINT8 *)p_data;
752 UINT8 reason = SMP_INVALID_PARAMETERS;
753
754 SMP_TRACE_DEBUG("%s", __func__);
755
756 if (smp_command_has_invalid_parameters(p_cb)) {
757 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
758 return;
759 }
760
761 STREAM_TO_ARRAY(p_cb->peer_publ_key.x, p, BT_OCTET32_LEN);
762 STREAM_TO_ARRAY(p_cb->peer_publ_key.y, p, BT_OCTET32_LEN);
763
764 /* Check if the peer device's and own public key are not same. If they are same then
765 * return pairing fail. This check is needed to avoid 'Impersonation in Passkey entry
766 * protocol' vulnerability (CVE-2020-26558).*/
767 if ((memcmp(p_cb->loc_publ_key.x, p_cb->peer_publ_key.x, sizeof(BT_OCTET32)) == 0)) {
768 p_cb->status = SMP_PAIR_AUTH_FAIL;
769 p_cb->failure = SMP_PAIR_AUTH_FAIL;
770 reason = SMP_PAIR_AUTH_FAIL;
771 SMP_TRACE_ERROR("%s, Peer and own device cannot have same public key.", __func__);
772 smp_sm_event(p_cb, SMP_PAIRING_FAILED_EVT, &reason);
773 return ;
774 }
775 /* In order to prevent the x and y coordinates of the public key from being modified,
776 we need to check whether the x and y coordinates are on the given elliptic curve. */
777 if (!ECC_CheckPointIsInElliCur_P256((Point *)&p_cb->peer_publ_key)) {
778 SMP_TRACE_ERROR("%s, Invalid Public key.", __func__);
779 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
780 }
781 p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_PUBL_KEY;
782
783 smp_wait_for_both_public_keys(p_cb, NULL);
784 }
785
786 /*******************************************************************************
787 ** Function smp_process_pairing_commitment
788 ** Description process pairing commitment from peer device
789 *******************************************************************************/
smp_process_pairing_commitment(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)790 void smp_process_pairing_commitment(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
791 {
792 UINT8 *p = (UINT8 *)p_data;
793 UINT8 reason = SMP_INVALID_PARAMETERS;
794
795 SMP_TRACE_DEBUG("%s", __func__);
796
797 if (smp_command_has_invalid_parameters(p_cb)) {
798 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
799 return;
800 }
801
802 p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_COMM;
803
804 if (p != NULL) {
805 STREAM_TO_ARRAY(p_cb->remote_commitment, p, BT_OCTET16_LEN);
806 }
807 }
808
809 /*******************************************************************************
810 ** Function smp_process_dhkey_check
811 ** Description process DHKey Check from peer device
812 *******************************************************************************/
smp_process_dhkey_check(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)813 void smp_process_dhkey_check(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
814 {
815 UINT8 *p = (UINT8 *)p_data;
816 UINT8 reason = SMP_INVALID_PARAMETERS;
817
818 SMP_TRACE_DEBUG("%s", __func__);
819
820 if (smp_command_has_invalid_parameters(p_cb)) {
821 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
822 return;
823 }
824
825 if (p != NULL) {
826 STREAM_TO_ARRAY(p_cb->remote_dhkey_check, p, BT_OCTET16_LEN);
827 }
828
829 p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_DHK_CHK;
830 }
831
832 /*******************************************************************************
833 ** Function smp_process_keypress_notification
834 ** Description process pairing keypress notification from peer device
835 *******************************************************************************/
smp_process_keypress_notification(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)836 void smp_process_keypress_notification(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
837 {
838 UINT8 *p = (UINT8 *)p_data;
839 UINT8 reason = SMP_INVALID_PARAMETERS;
840
841 SMP_TRACE_DEBUG("%s", __func__);
842 p_cb->status = *(UINT8 *)p_data;
843
844 if (smp_command_has_invalid_parameters(p_cb)) {
845 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
846 return;
847 }
848
849 if (p != NULL) {
850 STREAM_TO_UINT8(p_cb->peer_keypress_notification, p);
851 } else {
852 p_cb->peer_keypress_notification = BTM_SP_KEY_OUT_OF_RANGE;
853 }
854 p_cb->cb_evt = SMP_PEER_KEYPR_NOT_EVT;
855 }
856
857 #if (CLASSIC_BT_INCLUDED == 1)
858 /*******************************************************************************
859 ** Function smp_br_process_pairing_command
860 ** Description Process the SMP pairing request/response from peer device via
861 ** BR/EDR transport.
862 *******************************************************************************/
smp_br_process_pairing_command(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)863 void smp_br_process_pairing_command(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
864 {
865 UINT8 *p = (UINT8 *)p_data;
866 UINT8 reason = SMP_ENC_KEY_SIZE;
867 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (p_cb->pairing_bda);
868
869 SMP_TRACE_DEBUG("%s", __func__);
870 /* rejecting BR pairing request over non-SC BR link */
871 if (!p_dev_rec->new_encryption_key_is_p256 && p_cb->role == HCI_ROLE_SLAVE) {
872 reason = SMP_XTRANS_DERIVE_NOT_ALLOW;
873 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &reason);
874 return;
875 }
876
877 #if (BLE_INCLUDED == 1)
878 /* erase all keys if it is slave proc pairing req*/
879 if (p_dev_rec && (p_cb->role == HCI_ROLE_SLAVE)) {
880 btm_sec_clear_ble_keys(p_dev_rec);
881 }
882 #endif ///BLE_INCLUDED == 1
883
884 p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR;
885
886 STREAM_TO_UINT8(p_cb->peer_io_caps, p);
887 STREAM_TO_UINT8(p_cb->peer_oob_flag, p);
888 STREAM_TO_UINT8(p_cb->peer_auth_req, p);
889 STREAM_TO_UINT8(p_cb->peer_enc_size, p);
890 STREAM_TO_UINT8(p_cb->peer_i_key, p);
891 STREAM_TO_UINT8(p_cb->peer_r_key, p);
892
893 if (smp_command_has_invalid_parameters(p_cb)) {
894 reason = SMP_INVALID_PARAMETERS;
895 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &reason);
896 return;
897 }
898
899 /* peer (master) started pairing sending Pairing Request */
900 /* or being master device always use received i/r key as keys to distribute */
901 p_cb->local_i_key = p_cb->peer_i_key;
902 p_cb->local_r_key = p_cb->peer_r_key;
903
904 if (p_cb->role == HCI_ROLE_SLAVE) {
905 p_dev_rec->new_encryption_key_is_p256 = 0;
906 /* shortcut to skip Security Grant step */
907 p_cb->cb_evt = SMP_BR_KEYS_REQ_EVT;
908 } else { /* Master receives pairing response */
909 SMP_TRACE_DEBUG("%s master rcvs valid PAIRING RESPONSE."
910 " Supposed to move to key distribution phase. ", __func__);
911 }
912
913 /* auth_req received via BR/EDR SM channel is set to 0,
914 but everything derived/exchanged has to be saved */
915 p_cb->peer_auth_req |= SMP_AUTH_BOND;
916 p_cb->loc_auth_req |= SMP_AUTH_BOND;
917 }
918
919 /*******************************************************************************
920 ** Function smp_br_process_security_grant
921 ** Description process security grant in case of pairing over BR/EDR transport.
922 *******************************************************************************/
smp_br_process_security_grant(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)923 void smp_br_process_security_grant(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
924 {
925 UINT8 res = *(UINT8 *)p_data;
926 SMP_TRACE_DEBUG("%s", __func__);
927 if (res != SMP_SUCCESS) {
928 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, p_data);
929 } else { /*otherwise, start pairing */
930 /* send IO request callback */
931 p_cb->cb_evt = SMP_BR_KEYS_REQ_EVT;
932 }
933 }
934
935 /*******************************************************************************
936 ** Function smp_br_check_authorization_request
937 ** Description sets the SMP kes to be derived/distribute over BR/EDR transport
938 ** before starting the distribution/derivation
939 *******************************************************************************/
smp_br_check_authorization_request(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)940 void smp_br_check_authorization_request(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
941 {
942 UINT8 reason = SMP_SUCCESS;
943
944 SMP_TRACE_DEBUG("%s rcvs i_keys=0x%x r_keys=0x%x "
945 "(i-initiator r-responder)", __FUNCTION__, p_cb->local_i_key,
946 p_cb->local_r_key);
947
948 /* In LE SC mode LK field is ignored when BR/EDR transport is used */
949 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
950 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
951
952 /* In LE SC mode only IRK, IAI, CSRK are exchanged with the peer.
953 ** Set local_r_key on master to expect only these keys. */
954 if (p_cb->role == HCI_ROLE_MASTER) {
955 p_cb->local_r_key &= (SMP_SEC_KEY_TYPE_ID | SMP_SEC_KEY_TYPE_CSRK);
956 }
957
958 SMP_TRACE_DEBUG("%s rcvs upgrades: i_keys=0x%x r_keys=0x%x "
959 "(i-initiator r-responder)", __FUNCTION__, p_cb->local_i_key,
960 p_cb->local_r_key);
961
962 if (/*((p_cb->peer_auth_req & SMP_AUTH_BOND) ||
963 (p_cb->loc_auth_req & SMP_AUTH_BOND)) &&*/
964 (p_cb->local_i_key || p_cb->local_r_key)) {
965 smp_br_state_machine_event(p_cb, SMP_BR_BOND_REQ_EVT, NULL);
966
967 /* if no peer key is expected, start master key distribution */
968 if (p_cb->role == HCI_ROLE_MASTER && p_cb->local_r_key == 0) {
969 smp_key_distribution_by_transport(p_cb, NULL);
970 }
971 } else {
972 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &reason);
973 }
974 }
975
976 /*******************************************************************************
977 ** Function smp_br_select_next_key
978 ** Description selects the next key to derive/send when BR/EDR transport is
979 ** used.
980 *******************************************************************************/
smp_br_select_next_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)981 void smp_br_select_next_key(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
982 {
983 UINT8 reason = SMP_SUCCESS;
984 SMP_TRACE_DEBUG("%s role=%d (0-master) r_keys=0x%x i_keys=0x%x",
985 __func__, p_cb->role, p_cb->local_r_key, p_cb->local_i_key);
986
987 if (p_cb->role == HCI_ROLE_SLAVE ||
988 (!p_cb->local_r_key && p_cb->role == HCI_ROLE_MASTER)) {
989 smp_key_pick_key(p_cb, p_data);
990 }
991
992 if (!p_cb->local_i_key && !p_cb->local_r_key) {
993 /* state check to prevent re-entrance */
994 if (smp_get_br_state() == SMP_BR_STATE_BOND_PENDING) {
995 if (p_cb->total_tx_unacked == 0) {
996 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &reason);
997 } else {
998 p_cb->wait_for_authorization_complete = 1;
999 }
1000 }
1001 }
1002 }
1003 #endif ///CLASSIC_BT_INCLUDED == 1
1004
1005 #if (BLE_INCLUDED == 1)
1006 /*******************************************************************************
1007 ** Function smp_proc_enc_info
1008 ** Description process encryption information from peer device
1009 *******************************************************************************/
smp_proc_enc_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1010 void smp_proc_enc_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1011 {
1012 UINT8 *p = (UINT8 *)p_data;
1013
1014 SMP_TRACE_DEBUG("%s\n", __func__);
1015 STREAM_TO_ARRAY(p_cb->ltk, p, BT_OCTET16_LEN);
1016
1017 smp_key_distribution(p_cb, NULL);
1018 }
1019 #endif ///BLE_INCLUDED == 1
1020
1021 /*******************************************************************************
1022 ** Function smp_proc_master_id
1023 ** Description process master ID from slave device
1024 *******************************************************************************/
smp_proc_master_id(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1025 void smp_proc_master_id(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1026 {
1027 UINT8 *p = (UINT8 *)p_data;
1028 tBTM_LE_PENC_KEYS le_key;
1029
1030 SMP_TRACE_DEBUG("%s\np_cb->peer_auth_req = %d,p_cb->loc_auth_req= %d\n", __func__,
1031 p_cb->peer_auth_req, p_cb->loc_auth_req);
1032 smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_ENC, 1);
1033
1034 STREAM_TO_UINT16(le_key.ediv, p);
1035 STREAM_TO_ARRAY(le_key.rand, p, BT_OCTET8_LEN );
1036
1037 /* store the encryption keys from peer device */
1038 memcpy(le_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
1039 le_key.sec_level = p_cb->sec_level;
1040 le_key.key_size = p_cb->loc_enc_size;
1041
1042 #if (BLE_INCLUDED == 1)
1043 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) && (p_cb->loc_auth_req & SMP_AUTH_BOND)) {
1044 btm_sec_save_le_key(p_cb->pairing_bda,
1045 BTM_LE_KEY_PENC,
1046 (tBTM_LE_KEY_VALUE *)&le_key, 1);
1047 }
1048
1049 smp_key_distribution(p_cb, NULL);
1050 #endif ///BLE_INCLUDED == 1
1051 }
1052
1053 /*******************************************************************************
1054 ** Function smp_proc_enc_info
1055 ** Description process identity information from peer device
1056 *******************************************************************************/
smp_proc_id_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1057 void smp_proc_id_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1058 {
1059 UINT8 *p = (UINT8 *)p_data;
1060
1061 SMP_TRACE_DEBUG("%s", __func__);
1062 STREAM_TO_ARRAY (p_cb->tk, p, BT_OCTET16_LEN); /* reuse TK for IRK */
1063 smp_key_distribution_by_transport(p_cb, NULL);
1064 }
1065
1066 /*******************************************************************************
1067 ** Function smp_proc_id_addr
1068 ** Description process identity address from peer device
1069 *******************************************************************************/
smp_proc_id_addr(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1070 void smp_proc_id_addr(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1071 {
1072 UINT8 *p = (UINT8 *)p_data;
1073 tBTM_LE_PID_KEYS pid_key;
1074
1075 SMP_TRACE_DEBUG("%s", __func__);
1076 smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_ID, 1);
1077
1078 STREAM_TO_UINT8(pid_key.addr_type, p);
1079 STREAM_TO_BDADDR(pid_key.static_addr, p);
1080 memcpy(pid_key.irk, p_cb->tk, BT_OCTET16_LEN);
1081
1082 /* to use as BD_ADDR for lk derived from ltk */
1083 p_cb->id_addr_rcvd = 1;
1084 p_cb->id_addr_type = pid_key.addr_type;
1085 memcpy(p_cb->id_addr, pid_key.static_addr, BD_ADDR_LEN);
1086
1087 #if (BLE_INCLUDED == 1)
1088 /* store the ID key from peer device */
1089 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) && (p_cb->loc_auth_req & SMP_AUTH_BOND)) {
1090 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PID,
1091 (tBTM_LE_KEY_VALUE *)&pid_key, 1);
1092 }
1093 #endif ///BLE_INCLUDED == 1
1094
1095 smp_key_distribution_by_transport(p_cb, NULL);
1096 }
1097
1098 /*******************************************************************************
1099 ** Function smp_proc_srk_info
1100 ** Description process security information from peer device
1101 *******************************************************************************/
smp_proc_srk_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1102 void smp_proc_srk_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1103 {
1104 #if (BLE_INCLUDED == 1)
1105 tBTM_LE_PCSRK_KEYS le_key;
1106
1107 SMP_TRACE_DEBUG("%s", __func__);
1108 smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_CSRK, 1);
1109
1110 /* save CSRK to security record */
1111 le_key.sec_level = p_cb->sec_level;
1112 memcpy (le_key.csrk, p_data, BT_OCTET16_LEN); /* get peer CSRK */
1113 le_key.counter = 0; /* initialize the peer counter */
1114
1115 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) && (p_cb->loc_auth_req & SMP_AUTH_BOND)) {
1116 btm_sec_save_le_key(p_cb->pairing_bda,
1117 BTM_LE_KEY_PCSRK,
1118 (tBTM_LE_KEY_VALUE *)&le_key, 1);
1119 }
1120
1121 #endif ///BLE_INCLUDED == 1
1122 smp_key_distribution_by_transport(p_cb, NULL);
1123 }
1124
1125 /*******************************************************************************
1126 ** Function smp_proc_compare
1127 ** Description process compare value
1128 *******************************************************************************/
smp_proc_compare(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1129 void smp_proc_compare(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1130 {
1131 UINT8 reason;
1132
1133 SMP_TRACE_DEBUG("%s\n", __func__);
1134 if (!memcmp(p_cb->rconfirm, p_data->key.p_data, BT_OCTET16_LEN)) {
1135 /* compare the max encryption key size, and save the smaller one for the link */
1136 if ( p_cb->peer_enc_size < p_cb->loc_enc_size) {
1137 p_cb->loc_enc_size = p_cb->peer_enc_size;
1138 }
1139
1140 if (p_cb->role == HCI_ROLE_SLAVE) {
1141 smp_sm_event(p_cb, SMP_RAND_EVT, NULL);
1142 } else {
1143 /* master device always use received i/r key as keys to distribute */
1144 p_cb->local_i_key = p_cb->peer_i_key;
1145 p_cb->local_r_key = p_cb->peer_r_key;
1146
1147 smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL);
1148 }
1149
1150 } else {
1151 reason = p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1152 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1153 }
1154 }
1155
1156 #if (BLE_INCLUDED == 1)
1157 /*******************************************************************************
1158 ** Function smp_proc_sl_key
1159 ** Description process key ready events.
1160 *******************************************************************************/
smp_proc_sl_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1161 void smp_proc_sl_key(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1162 {
1163 UINT8 key_type = p_data->key.key_type;
1164
1165 SMP_TRACE_DEBUG("%s\n", __func__);
1166 if (key_type == SMP_KEY_TYPE_TK) {
1167 smp_generate_srand_mrand_confirm(p_cb, NULL);
1168 } else if (key_type == SMP_KEY_TYPE_CFM) {
1169 smp_set_state(SMP_STATE_WAIT_CONFIRM);
1170
1171 if (p_cb->flags & SMP_PAIR_FLAGS_CMD_CONFIRM) {
1172 smp_sm_event(p_cb, SMP_CONFIRM_EVT, NULL);
1173 }
1174 }
1175 }
1176
1177 /*******************************************************************************
1178 ** Function smp_start_enc
1179 ** Description start encryption
1180 *******************************************************************************/
smp_start_enc(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1181 void smp_start_enc(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1182 {
1183 tBTM_STATUS cmd;
1184 UINT8 reason = SMP_ENC_FAIL;
1185
1186 SMP_TRACE_DEBUG("%s\n", __func__);
1187 if (p_data != NULL) {
1188 cmd = btm_ble_start_encrypt(p_cb->pairing_bda, 1, p_data->key.p_data);
1189 } else {
1190 cmd = btm_ble_start_encrypt(p_cb->pairing_bda, 0, NULL);
1191 }
1192
1193 if (cmd != BTM_CMD_STARTED && cmd != BTM_BUSY) {
1194 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1195 }
1196 }
1197 #endif ///BLE_INCLUDED == 1
1198
1199 /*******************************************************************************
1200 ** Function smp_proc_discard
1201 ** Description processing for discard security request
1202 *******************************************************************************/
smp_proc_discard(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1203 void smp_proc_discard(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1204 {
1205 SMP_TRACE_DEBUG("%s\n", __func__);
1206 if (!(p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD)) {
1207 smp_reset_control_value(p_cb);
1208 }
1209 }
1210
1211 /*******************************************************************************
1212 ** Function smp_enc_cmpl
1213 ** Description encryption success
1214 *******************************************************************************/
smp_enc_cmpl(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1215 void smp_enc_cmpl(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1216 {
1217 UINT8 enc_enable = *(UINT8 *)p_data;
1218 UINT8 reason = enc_enable ? SMP_SUCCESS : SMP_ENC_FAIL;
1219
1220 SMP_TRACE_DEBUG("%s\n", __func__);
1221 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1222 }
1223
1224 /*******************************************************************************
1225 ** Function smp_check_auth_req
1226 ** Description check authentication request
1227 *******************************************************************************/
smp_check_auth_req(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1228 void smp_check_auth_req(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1229 {
1230 UINT8 enc_enable = *(UINT8 *)p_data;
1231 UINT8 reason = enc_enable ? SMP_SUCCESS : SMP_ENC_FAIL;
1232
1233 SMP_TRACE_DEBUG("%s rcvs enc_enable=%d i_keys=0x%x r_keys=0x%x "
1234 "(i-initiator r-responder)\n",
1235 __func__, enc_enable, p_cb->local_i_key, p_cb->local_r_key);
1236 if (enc_enable == 1) {
1237 if (p_cb->le_secure_connections_mode_is_used) {
1238 /* In LE SC mode LTK is used instead of STK and has to be always saved */
1239 p_cb->local_i_key |= SMP_SEC_KEY_TYPE_ENC;
1240 p_cb->local_r_key |= SMP_SEC_KEY_TYPE_ENC;
1241
1242 /* In LE SC mode LK is derived from LTK only if both sides request it */
1243 if (!(p_cb->local_i_key & SMP_SEC_KEY_TYPE_LK) ||
1244 !(p_cb->local_r_key & SMP_SEC_KEY_TYPE_LK)) {
1245 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
1246 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
1247 }
1248
1249 /* In LE SC mode only IRK, IAI, CSRK are exchanged with the peer.
1250 ** Set local_r_key on master to expect only these keys.
1251 */
1252 if (p_cb->role == HCI_ROLE_MASTER) {
1253 p_cb->local_r_key &= (SMP_SEC_KEY_TYPE_ID | SMP_SEC_KEY_TYPE_CSRK);
1254 }
1255 } else {
1256 /* in legacy mode derivation of BR/EDR LK is not supported */
1257 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
1258 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
1259 }
1260 SMP_TRACE_DEBUG("%s rcvs upgrades: i_keys=0x%x r_keys=0x%x "
1261 "(i-initiator r-responder)\n",
1262 __func__, p_cb->local_i_key, p_cb->local_r_key);
1263
1264 if (/*((p_cb->peer_auth_req & SMP_AUTH_BOND) ||
1265 (p_cb->loc_auth_req & SMP_AUTH_BOND)) &&*/
1266 (p_cb->local_i_key || p_cb->local_r_key)) {
1267 smp_sm_event(p_cb, SMP_BOND_REQ_EVT, NULL);
1268 } else {
1269 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1270 }
1271 } else if (enc_enable == 0) {
1272 /* if failed for encryption after pairing, send callback */
1273 if (p_cb->flags & SMP_PAIR_FLAG_ENC_AFTER_PAIR) {
1274 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1275 }
1276 /* if enc failed for old security information */
1277 /* if master device, clean up and abck to idle; slave device do nothing */
1278 else if (p_cb->role == HCI_ROLE_MASTER) {
1279 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1280 }
1281 }
1282 }
1283
1284 /*******************************************************************************
1285 ** Function smp_key_pick_key
1286 ** Description Pick a key distribution function based on the key mask.
1287 *******************************************************************************/
smp_key_pick_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1288 void smp_key_pick_key(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1289 {
1290 UINT8 key_to_dist = (p_cb->role == HCI_ROLE_SLAVE) ? p_cb->local_r_key : p_cb->local_i_key;
1291 UINT8 i = 0;
1292
1293 SMP_TRACE_DEBUG("%s key_to_dist=0x%x\n", __func__, key_to_dist);
1294 while (i < SMP_KEY_DIST_TYPE_MAX) {
1295 SMP_TRACE_DEBUG("key to send = %02x, i = %d\n", key_to_dist, i);
1296
1297 if (key_to_dist & (1 << i) && smp_distribute_act[i] != NULL) {
1298 SMP_TRACE_DEBUG("smp_distribute_act[%d]\n", i);
1299 (* smp_distribute_act[i])(p_cb, p_data);
1300 break;
1301 }
1302 i ++;
1303 }
1304 }
1305
1306 #if (BLE_INCLUDED == 1)
1307 /*******************************************************************************
1308 ** Function smp_key_distribution
1309 ** Description start key distribution if required.
1310 *******************************************************************************/
smp_key_distribution(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1311 void smp_key_distribution(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1312 {
1313 UINT8 reason = SMP_SUCCESS;
1314 SMP_TRACE_DEBUG("\n%s role=%d (0-master) r_keys=0x%x i_keys=0x%x\n",
1315 __func__, p_cb->role, p_cb->local_r_key, p_cb->local_i_key);
1316
1317 if (p_cb->role == HCI_ROLE_SLAVE ||
1318 (!p_cb->local_r_key && p_cb->role == HCI_ROLE_MASTER)) {
1319 smp_key_pick_key(p_cb, p_data);
1320 }
1321
1322 if (!p_cb->local_i_key && !p_cb->local_r_key) {
1323 /* state check to prevent re-entrant */
1324 if (smp_get_state() == SMP_STATE_BOND_PENDING) {
1325 if (p_cb->derive_lk) {
1326 smp_derive_link_key_from_long_term_key(p_cb, NULL);
1327 p_cb->derive_lk = 0;
1328 }
1329
1330 if (p_cb->total_tx_unacked == 0) {
1331 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1332 } else {
1333 p_cb->wait_for_authorization_complete = 1;
1334 }
1335 }
1336 }
1337 }
1338
1339 /*******************************************************************************
1340 ** Function smp_decide_association_model
1341 ** Description This function is called to select assoc model to be used for
1342 ** STK generation and to start STK generation process.
1343 **
1344 *******************************************************************************/
smp_decide_association_model(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1345 void smp_decide_association_model(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1346 {
1347 UINT8 failure = SMP_UNKNOWN_IO_CAP;
1348 UINT8 int_evt = 0;
1349 tSMP_KEY key;
1350 tSMP_INT_DATA *p = NULL;
1351
1352 SMP_TRACE_DEBUG("%s Association Model = %d\n", __func__, p_cb->selected_association_model);
1353
1354 switch (p_cb->selected_association_model) {
1355 case SMP_MODEL_ENCRYPTION_ONLY: /* TK = 0, go calculate Confirm */
1356 p_cb->sec_level = SMP_SEC_UNAUTHENTICATE;
1357 SMP_TRACE_EVENT ("p_cb->sec_level =%d (SMP_SEC_UNAUTHENTICATE) \n", p_cb->sec_level );
1358
1359 key.key_type = SMP_KEY_TYPE_TK;
1360 key.p_data = p_cb->tk;
1361 p = (tSMP_INT_DATA *)&key;
1362
1363 memset(p_cb->tk, 0, BT_OCTET16_LEN);
1364 /* TK, ready */
1365 int_evt = SMP_KEY_READY_EVT;
1366 break;
1367
1368 case SMP_MODEL_PASSKEY:
1369 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1370 SMP_TRACE_EVENT ("p_cb->sec_level =%d (SMP_SEC_AUTHENTICATED) \n", p_cb->sec_level );
1371
1372 p_cb->cb_evt = SMP_PASSKEY_REQ_EVT;
1373 int_evt = SMP_TK_REQ_EVT;
1374 break;
1375
1376 case SMP_MODEL_OOB:
1377 SMP_TRACE_ERROR ("Association Model = SMP_MODEL_OOB\n");
1378 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1379 SMP_TRACE_EVENT ("p_cb->sec_level =%d (SMP_SEC_AUTHENTICATED) \n", p_cb->sec_level );
1380
1381 p_cb->cb_evt = SMP_OOB_REQ_EVT;
1382 int_evt = SMP_TK_REQ_EVT;
1383 break;
1384
1385 case SMP_MODEL_KEY_NOTIF:
1386 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1387 SMP_TRACE_DEBUG("Need to generate Passkey\n");
1388
1389 /* generate passkey and notify application */
1390 smp_generate_passkey(p_cb, NULL);
1391 break;
1392
1393 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1394 case SMP_MODEL_SEC_CONN_NUM_COMP:
1395 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1396 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1397 case SMP_MODEL_SEC_CONN_OOB:
1398 int_evt = SMP_PUBL_KEY_EXCH_REQ_EVT;
1399 break;
1400
1401 case SMP_MODEL_OUT_OF_RANGE:
1402 SMP_TRACE_ERROR("Association Model = SMP_MODEL_OUT_OF_RANGE (failed)\n");
1403 p = (tSMP_INT_DATA *)&failure;
1404 int_evt = SMP_AUTH_CMPL_EVT;
1405 break;
1406
1407 default:
1408 SMP_TRACE_ERROR("Association Model = %d (SOMETHING IS WRONG WITH THE CODE)\n",
1409 p_cb->selected_association_model);
1410 p = (tSMP_INT_DATA *)&failure;
1411 int_evt = SMP_AUTH_CMPL_EVT;
1412 }
1413
1414 SMP_TRACE_EVENT ("sec_level=%d \n", p_cb->sec_level );
1415 if (int_evt) {
1416 smp_sm_event(p_cb, int_evt, p);
1417 }
1418 }
1419
1420 /*******************************************************************************
1421 ** Function smp_process_io_response
1422 ** Description process IO response for a slave device.
1423 *******************************************************************************/
smp_process_io_response(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1424 void smp_process_io_response(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1425 {
1426 uint8_t reason = SMP_PAIR_AUTH_FAIL;
1427 SMP_TRACE_DEBUG("%s\n", __func__);
1428 if (p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD) {
1429 /* pairing started by local (slave) Security Request */
1430 smp_set_state(SMP_STATE_SEC_REQ_PENDING);
1431 smp_send_cmd(SMP_OPCODE_SEC_REQ, p_cb);
1432 } else { /* plan to send pairing respond */
1433 /* pairing started by peer (master) Pairing Request */
1434 p_cb->selected_association_model = smp_select_association_model(p_cb);
1435
1436 if (p_cb->secure_connections_only_mode_required &&
1437 (!(p_cb->le_secure_connections_mode_is_used) ||
1438 (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS))) {
1439 SMP_TRACE_ERROR ("Slave requires secure connection only mode \
1440 but it can't be provided -> Slave fails pairing\n");
1441 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1442 return;
1443 }
1444 uint16_t auth = smp_get_auth_mode(p_cb->selected_association_model);
1445 if(p_cb->peer_auth_req & p_cb->loc_auth_req & SMP_AUTH_GEN_BOND) {
1446 auth |= SMP_AUTH_GEN_BOND;
1447 }
1448 p_cb->auth_mode = auth;
1449 if (p_cb->accept_specified_sec_auth) {
1450 if ((auth & p_cb->origin_loc_auth_req) != p_cb->origin_loc_auth_req ) {
1451 SMP_TRACE_ERROR("pairing failed - slave requires auth is 0x%x but peer auth is 0x%x local auth is 0x%x",
1452 p_cb->origin_loc_auth_req, p_cb->peer_auth_req, p_cb->loc_auth_req);
1453 if (BTM_IsAclConnectionUp(p_cb->pairing_bda, BT_TRANSPORT_LE)) {
1454 btm_remove_acl (p_cb->pairing_bda, BT_TRANSPORT_LE);
1455 }
1456 reason = SMP_PAIR_AUTH_FAIL;
1457 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1458 return;
1459 }
1460 }
1461
1462 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) {
1463 if (smp_request_oob_data(p_cb)) {
1464 return;
1465 }
1466 }
1467 smp_send_pair_rsp(p_cb, NULL);
1468 }
1469 }
1470 #endif ///BLE_INCLUDED == 1
1471
1472 /*******************************************************************************
1473 ** Function smp_br_process_slave_keys_response
1474 ** Description process application keys response for a slave device
1475 ** (BR/EDR transport).
1476 *******************************************************************************/
smp_br_process_slave_keys_response(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1477 void smp_br_process_slave_keys_response(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1478 {
1479 smp_br_send_pair_response(p_cb, NULL);
1480 }
1481
1482 /*******************************************************************************
1483 ** Function smp_br_send_pair_response
1484 ** Description actions related to sending pairing response over BR/EDR transport.
1485 *******************************************************************************/
smp_br_send_pair_response(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1486 void smp_br_send_pair_response(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1487 {
1488 SMP_TRACE_DEBUG("%s\n", __func__);
1489
1490 p_cb->local_i_key &= p_cb->peer_i_key;
1491 p_cb->local_r_key &= p_cb->peer_r_key;
1492
1493 smp_send_cmd (SMP_OPCODE_PAIRING_RSP, p_cb);
1494 }
1495
1496 /*******************************************************************************
1497 ** Function smp_pairing_cmpl
1498 ** Description This function is called to send the pairing complete callback
1499 ** and remove the connection if needed.
1500 *******************************************************************************/
smp_pairing_cmpl(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1501 void smp_pairing_cmpl(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1502 {
1503 if (p_cb->total_tx_unacked == 0) {
1504 /* process the pairing complete */
1505 smp_proc_pairing_cmpl(p_cb);
1506 }
1507 }
1508
1509 /*******************************************************************************
1510 ** Function smp_pair_terminate
1511 ** Description This function is called to send the pairing complete callback
1512 ** and remove the connection if needed.
1513 *******************************************************************************/
smp_pair_terminate(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1514 void smp_pair_terminate(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1515 {
1516 SMP_TRACE_DEBUG("%s\n", __func__);
1517 p_cb->status = SMP_CONN_TOUT;
1518 smp_proc_pairing_cmpl(p_cb);
1519 }
1520
1521 /*******************************************************************************
1522 ** Function smp_idle_terminate
1523 ** Description This function calledin idle state to determine to send authentication
1524 ** complete or not.
1525 *******************************************************************************/
smp_idle_terminate(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1526 void smp_idle_terminate(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1527 {
1528 if (p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD) {
1529 SMP_TRACE_DEBUG("Pairing terminated at IDLE state.\n");
1530 p_cb->status = SMP_FAIL;
1531 smp_proc_pairing_cmpl(p_cb);
1532 }
1533 }
1534
1535 #if (BLE_INCLUDED == 1)
1536 /*******************************************************************************
1537 ** Function smp_fast_conn_param
1538 ** Description apply default connection parameter for pairing process
1539 *******************************************************************************/
smp_fast_conn_param(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1540 void smp_fast_conn_param(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1541 {
1542 #if (BT_MULTI_CONNECTION_ENBALE == 0)
1543 if(p_cb->role == BTM_ROLE_MASTER) {
1544 L2CA_EnableUpdateBleConnParams(p_cb->pairing_bda, 0);
1545 }
1546 #endif
1547 #if (SMP_SLAVE_CON_PARAMS_UPD_ENABLE == 1)
1548 else {
1549 tBTM_SEC_DEV_REC *p_rec = btm_find_dev (p_cb->pairing_bda);
1550 if(p_rec && p_rec->ble.skip_update_conn_param) {
1551 //do nothing
1552 return;
1553 }
1554 /* Disable L2CAP connection parameter updates while bonding since
1555 some peripherals are not able to revert to fast connection parameters
1556 during the start of service discovery. Connection paramter updates
1557 get enabled again once service discovery completes. */
1558 #if (BT_MULTI_CONNECTION_ENBALE == 0)
1559 L2CA_EnableUpdateBleConnParams(p_cb->pairing_bda, 0);
1560 #endif
1561 }
1562 #endif
1563 }
1564
1565 /*******************************************************************************
1566 ** Function smp_both_have_public_keys
1567 ** Description The function is called when both local and peer public keys are
1568 ** saved.
1569 ** Actions:
1570 ** - invokes DHKey computation;
1571 ** - on slave side invokes sending local public key to the peer.
1572 ** - invokes SC phase 1 process.
1573 *******************************************************************************/
smp_both_have_public_keys(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1574 void smp_both_have_public_keys(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1575 {
1576 SMP_TRACE_DEBUG("%s\n", __func__);
1577
1578 /* invokes DHKey computation */
1579 smp_compute_dhkey(p_cb);
1580
1581 /* on slave side invokes sending local public key to the peer */
1582 if (p_cb->role == HCI_ROLE_SLAVE) {
1583 smp_send_pair_public_key(p_cb, NULL);
1584 }
1585
1586 smp_sm_event(p_cb, SMP_SC_DHKEY_CMPLT_EVT, NULL);
1587 }
1588
1589 /*******************************************************************************
1590 ** Function smp_start_secure_connection_phase1
1591 ** Description The function starts Secure Connection phase1 i.e. invokes initialization of Secure Connection
1592 ** phase 1 parameters and starts building/sending to the peer
1593 ** messages appropriate for the role and association model.
1594 *******************************************************************************/
smp_start_secure_connection_phase1(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1595 void smp_start_secure_connection_phase1(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1596 {
1597 SMP_TRACE_DEBUG("%s\n", __func__);
1598
1599 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS) {
1600 p_cb->sec_level = SMP_SEC_UNAUTHENTICATE;
1601 SMP_TRACE_EVENT ("p_cb->sec_level =%d (SMP_SEC_UNAUTHENTICATE)\n ", p_cb->sec_level );
1602 } else {
1603 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1604 SMP_TRACE_EVENT ("p_cb->sec_level =%d (SMP_SEC_AUTHENTICATED)\n ", p_cb->sec_level );
1605 }
1606
1607 switch (p_cb->selected_association_model) {
1608 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1609 case SMP_MODEL_SEC_CONN_NUM_COMP:
1610 memset(p_cb->local_random, 0, BT_OCTET16_LEN);
1611 smp_start_nonce_generation(p_cb);
1612 break;
1613 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1614 /* user has to provide passkey */
1615 p_cb->cb_evt = SMP_PASSKEY_REQ_EVT;
1616 smp_sm_event(p_cb, SMP_TK_REQ_EVT, NULL);
1617 break;
1618 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1619 /* passkey has to be provided to user */
1620 SMP_TRACE_DEBUG("Need to generate SC Passkey\n");
1621 smp_generate_passkey(p_cb, NULL);
1622 break;
1623 case SMP_MODEL_SEC_CONN_OOB:
1624 /* use the available OOB information */
1625 smp_process_secure_connection_oob_data(p_cb, NULL);
1626 break;
1627 default:
1628 SMP_TRACE_ERROR ("Association Model = %d is not used in LE SC\n",
1629 p_cb->selected_association_model);
1630 break;
1631 }
1632 }
1633
1634 /*******************************************************************************
1635 ** Function smp_process_local_nonce
1636 ** Description The function processes new local nonce.
1637 **
1638 ** Note It is supposed to be called in SC phase1.
1639 *******************************************************************************/
smp_process_local_nonce(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1640 void smp_process_local_nonce(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1641 {
1642 SMP_TRACE_DEBUG("%s\n", __func__);
1643
1644 switch (p_cb->selected_association_model) {
1645 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1646 case SMP_MODEL_SEC_CONN_NUM_COMP:
1647 if (p_cb->role == HCI_ROLE_SLAVE) {
1648 /* slave calculates and sends local commitment */
1649 smp_calculate_local_commitment(p_cb);
1650 smp_send_commitment(p_cb, NULL);
1651 /* slave has to wait for peer nonce */
1652 smp_set_state(SMP_STATE_WAIT_NONCE);
1653 } else { /* i.e. master */
1654 if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_COMM) {
1655 /* slave commitment is already received, send local nonce, wait for remote nonce*/
1656 SMP_TRACE_DEBUG("master in assoc mode = %d \
1657 already rcvd slave commitment - race condition\n",
1658 p_cb->selected_association_model);
1659 p_cb->flags &= ~SMP_PAIR_FLAG_HAVE_PEER_COMM;
1660 smp_send_rand(p_cb, NULL);
1661 smp_set_state(SMP_STATE_WAIT_NONCE);
1662 }
1663 }
1664 break;
1665 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1666 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1667 smp_calculate_local_commitment(p_cb);
1668
1669 if (p_cb->role == HCI_ROLE_MASTER) {
1670 smp_send_commitment(p_cb, NULL);
1671 } else { /* slave */
1672 if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_COMM) {
1673 /* master commitment is already received */
1674 smp_send_commitment(p_cb, NULL);
1675 smp_set_state(SMP_STATE_WAIT_NONCE);
1676 }
1677 }
1678 break;
1679 case SMP_MODEL_SEC_CONN_OOB:
1680 if (p_cb->role == HCI_ROLE_MASTER) {
1681 smp_send_rand(p_cb, NULL);
1682 }
1683
1684 smp_set_state(SMP_STATE_WAIT_NONCE);
1685 break;
1686 default:
1687 SMP_TRACE_ERROR ("Association Model = %d is not used in LE SC\n",
1688 p_cb->selected_association_model);
1689 break;
1690 }
1691 }
1692
1693 /*******************************************************************************
1694 ** Function smp_process_peer_nonce
1695 ** Description The function processes newly received and saved in CB peer nonce.
1696 ** The actions depend on the selected association model and the role.
1697 **
1698 ** Note It is supposed to be called in SC phase1.
1699 *******************************************************************************/
smp_process_peer_nonce(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1700 void smp_process_peer_nonce(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1701 {
1702 UINT8 reason;
1703
1704 SMP_TRACE_DEBUG("%s start \n", __func__);
1705
1706 switch (p_cb->selected_association_model) {
1707 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1708 case SMP_MODEL_SEC_CONN_NUM_COMP:
1709 /* in these models only master receives commitment */
1710 if (p_cb->role == HCI_ROLE_MASTER) {
1711 if (!smp_check_commitment(p_cb)) {
1712 reason = p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1713 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1714 break;
1715 }
1716 } else {
1717 /* slave sends local nonce */
1718 smp_send_rand(p_cb, NULL);
1719 }
1720
1721 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS) {
1722 /* go directly to phase 2 */
1723 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1724 } else { /* numeric comparison */
1725 smp_set_state(SMP_STATE_WAIT_NONCE);
1726 smp_sm_event(p_cb, SMP_SC_CALC_NC_EVT, NULL);
1727 }
1728 break;
1729 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1730 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1731 if (!smp_check_commitment(p_cb)) {
1732 reason = p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1733 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1734 break;
1735 }
1736
1737 if (p_cb->role == HCI_ROLE_SLAVE) {
1738 smp_send_rand(p_cb, NULL);
1739 }
1740
1741 if (++p_cb->round < 20) {
1742 smp_set_state(SMP_STATE_SEC_CONN_PHS1_START);
1743 p_cb->flags &= ~SMP_PAIR_FLAG_HAVE_PEER_COMM;
1744 smp_start_nonce_generation(p_cb);
1745 break;
1746 }
1747
1748 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1749 break;
1750 case SMP_MODEL_SEC_CONN_OOB:
1751 if (p_cb->role == HCI_ROLE_SLAVE) {
1752 smp_send_rand(p_cb, NULL);
1753 }
1754
1755 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1756 break;
1757 default:
1758 SMP_TRACE_ERROR ("Association Model = %d is not used in LE SC\n",
1759 p_cb->selected_association_model);
1760 break;
1761 }
1762
1763 SMP_TRACE_DEBUG("%s end\n ", __FUNCTION__);
1764 }
1765 #endif ///BLE_INCLUDED == 1
1766
1767 /*******************************************************************************
1768 ** Function smp_match_dhkey_checks
1769 ** Description checks if the calculated peer DHKey Check value is the same as
1770 ** received from the peer DHKey check value.
1771 *******************************************************************************/
smp_match_dhkey_checks(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1772 void smp_match_dhkey_checks(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1773 {
1774 UINT8 reason = SMP_DHKEY_CHK_FAIL;
1775
1776 SMP_TRACE_DEBUG("%s\n", __func__);
1777
1778 if (memcmp(p_data->key.p_data, p_cb->remote_dhkey_check, BT_OCTET16_LEN)) {
1779 SMP_TRACE_WARNING ("dhkey checks do no match\n");
1780 p_cb->failure = reason;
1781 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1782 return;
1783 }
1784
1785 SMP_TRACE_EVENT ("dhkey checks match\n");
1786
1787 /* compare the max encryption key size, and save the smaller one for the link */
1788 if (p_cb->peer_enc_size < p_cb->loc_enc_size) {
1789 p_cb->loc_enc_size = p_cb->peer_enc_size;
1790 }
1791
1792 if (p_cb->role == HCI_ROLE_SLAVE) {
1793 smp_sm_event(p_cb, SMP_PAIR_DHKEY_CHCK_EVT, NULL);
1794 } else {
1795 /* master device always use received i/r key as keys to distribute */
1796 p_cb->local_i_key = p_cb->peer_i_key;
1797 p_cb->local_r_key = p_cb->peer_r_key;
1798 smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL);
1799 }
1800 }
1801
1802 /*******************************************************************************
1803 ** Function smp_move_to_secure_connections_phase2
1804 ** Description Signal State Machine to start SC phase 2 initialization (to
1805 ** compute local DHKey Check value).
1806 **
1807 ** Note SM is supposed to be in the state SMP_STATE_SEC_CONN_PHS2_START.
1808 *******************************************************************************/
smp_move_to_secure_connections_phase2(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1809 void smp_move_to_secure_connections_phase2(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1810 {
1811 SMP_TRACE_DEBUG("%s\n", __func__);
1812 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1813 }
1814
1815 /*******************************************************************************
1816 ** Function smp_phase_2_dhkey_checks_are_present
1817 ** Description generates event if dhkey check from the peer is already received.
1818 **
1819 ** Note It is supposed to be used on slave to prevent race condition.
1820 ** It is supposed to be called after slave dhkey check is calculated.
1821 *******************************************************************************/
smp_phase_2_dhkey_checks_are_present(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1822 void smp_phase_2_dhkey_checks_are_present(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1823 {
1824 SMP_TRACE_DEBUG("%s\n", __func__);
1825
1826 if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_DHK_CHK) {
1827 smp_sm_event(p_cb, SMP_SC_2_DHCK_CHKS_PRES_EVT, NULL);
1828 }
1829 }
1830
1831 /*******************************************************************************
1832 ** Function smp_wait_for_both_public_keys
1833 ** Description generates SMP_BOTH_PUBL_KEYS_RCVD_EVT event when both local and master
1834 ** public keys are available.
1835 **
1836 ** Note on the slave it is used to prevent race condition.
1837 **
1838 *******************************************************************************/
smp_wait_for_both_public_keys(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1839 void smp_wait_for_both_public_keys(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1840 {
1841 SMP_TRACE_DEBUG("%s\n", __func__);
1842
1843 if ((p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_PUBL_KEY) &&
1844 (p_cb->flags & SMP_PAIR_FLAG_HAVE_LOCAL_PUBL_KEY)) {
1845 if ((p_cb->role == HCI_ROLE_SLAVE) &&
1846 ((p_cb->req_oob_type == SMP_OOB_LOCAL) || (p_cb->req_oob_type == SMP_OOB_BOTH))) {
1847 smp_set_state(SMP_STATE_PUBLIC_KEY_EXCH);
1848 }
1849 smp_sm_event(p_cb, SMP_BOTH_PUBL_KEYS_RCVD_EVT, NULL);
1850 }
1851 }
1852
1853 #if (BLE_INCLUDED == 1)
1854 /*******************************************************************************
1855 ** Function smp_start_passkey_verification
1856 ** Description Starts SC passkey entry verification.
1857 *******************************************************************************/
smp_start_passkey_verification(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1858 void smp_start_passkey_verification(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1859 {
1860 UINT8 *p = NULL;
1861
1862 SMP_TRACE_DEBUG("%s\n", __func__);
1863 p = p_cb->local_random;
1864 UINT32_TO_STREAM(p, p_data->passkey);
1865
1866 p = p_cb->peer_random;
1867 UINT32_TO_STREAM(p, p_data->passkey);
1868
1869 p_cb->round = 0;
1870 smp_start_nonce_generation(p_cb);
1871 }
1872
1873 /*******************************************************************************
1874 ** Function smp_process_secure_connection_oob_data
1875 ** Description Processes local/peer SC OOB data received from somewhere.
1876 *******************************************************************************/
smp_process_secure_connection_oob_data(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1877 void smp_process_secure_connection_oob_data(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1878 {
1879 SMP_TRACE_DEBUG("%s\n", __func__);
1880
1881 tSMP_SC_OOB_DATA *p_sc_oob_data = &p_cb->sc_oob_data;
1882 if (p_sc_oob_data->loc_oob_data.present) {
1883 memcpy(p_cb->local_random, p_sc_oob_data->loc_oob_data.randomizer,
1884 sizeof(p_cb->local_random));
1885 } else {
1886 SMP_TRACE_EVENT ("local OOB randomizer is absent\n");
1887 memset(p_cb->local_random, 0, sizeof (p_cb->local_random));
1888 }
1889
1890 if (!p_sc_oob_data->peer_oob_data.present) {
1891 SMP_TRACE_EVENT ("peer OOB data is absent\n");
1892 memset(p_cb->peer_random, 0, sizeof (p_cb->peer_random));
1893 } else {
1894 memcpy(p_cb->peer_random, p_sc_oob_data->peer_oob_data.randomizer,
1895 sizeof(p_cb->peer_random));
1896 memcpy(p_cb->remote_commitment, p_sc_oob_data->peer_oob_data.commitment,
1897 sizeof(p_cb->remote_commitment));
1898
1899 UINT8 reason = SMP_CONFIRM_VALUE_ERR;
1900 /* check commitment */
1901 if (!smp_check_commitment(p_cb)) {
1902 p_cb->failure = reason;
1903 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1904 return;
1905 }
1906
1907 if (p_cb->peer_oob_flag != SMP_OOB_PRESENT) {
1908 /* the peer doesn't have local randomiser */
1909 SMP_TRACE_EVENT ("peer didn't receive local OOB data, set local randomizer to 0\n");
1910 memset(p_cb->local_random, 0, sizeof (p_cb->local_random));
1911 }
1912 }
1913
1914 print128(p_cb->local_random, (const UINT8 *)"local OOB randomizer");
1915 print128(p_cb->peer_random, (const UINT8 *)"peer OOB randomizer");
1916 smp_start_nonce_generation(p_cb);
1917 }
1918
1919 /*******************************************************************************
1920 ** Function smp_set_local_oob_keys
1921 ** Description Saves calculated private/public keys in sc_oob_data.loc_oob_data,
1922 ** starts nonce generation
1923 ** (to be saved in sc_oob_data.loc_oob_data.randomizer).
1924 *******************************************************************************/
smp_set_local_oob_keys(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1925 void smp_set_local_oob_keys(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1926 {
1927 SMP_TRACE_DEBUG("%s\n", __func__);
1928
1929 memcpy(p_cb->sc_oob_data.loc_oob_data.private_key_used, p_cb->private_key,
1930 BT_OCTET32_LEN);
1931 p_cb->sc_oob_data.loc_oob_data.publ_key_used = p_cb->loc_publ_key;
1932 smp_start_nonce_generation(p_cb);
1933 }
1934
1935 /*******************************************************************************
1936 ** Function smp_set_local_oob_random_commitment
1937 ** Description Saves calculated randomizer and commitment in sc_oob_data.loc_oob_data,
1938 ** passes sc_oob_data.loc_oob_data up for safekeeping.
1939 *******************************************************************************/
smp_set_local_oob_random_commitment(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1940 void smp_set_local_oob_random_commitment(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
1941 {
1942 SMP_TRACE_DEBUG("%s\n", __func__);
1943 memcpy(p_cb->sc_oob_data.loc_oob_data.randomizer, p_cb->rand,
1944 BT_OCTET16_LEN);
1945
1946 smp_calculate_f4(p_cb->sc_oob_data.loc_oob_data.publ_key_used.x,
1947 p_cb->sc_oob_data.loc_oob_data.publ_key_used.x,
1948 p_cb->sc_oob_data.loc_oob_data.randomizer, 0,
1949 p_cb->sc_oob_data.loc_oob_data.commitment);
1950
1951 #if SMP_DEBUG == 1
1952 UINT8 *p_print = NULL;
1953 SMP_TRACE_DEBUG("local SC OOB data set:\n");
1954 p_print = (UINT8 *) &p_cb->sc_oob_data.loc_oob_data.addr_sent_to;
1955 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"addr_sent_to",
1956 sizeof(tBLE_BD_ADDR));
1957 p_print = (UINT8 *) &p_cb->sc_oob_data.loc_oob_data.private_key_used;
1958 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"private_key_used",
1959 BT_OCTET32_LEN);
1960 p_print = (UINT8 *) &p_cb->sc_oob_data.loc_oob_data.publ_key_used.x;
1961 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"publ_key_used.x",
1962 BT_OCTET32_LEN);
1963 p_print = (UINT8 *) &p_cb->sc_oob_data.loc_oob_data.publ_key_used.y;
1964 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"publ_key_used.y",
1965 BT_OCTET32_LEN);
1966 p_print = (UINT8 *) &p_cb->sc_oob_data.loc_oob_data.randomizer;
1967 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"randomizer",
1968 BT_OCTET16_LEN);
1969 p_print = (UINT8 *) &p_cb->sc_oob_data.loc_oob_data.commitment;
1970 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *) "commitment",
1971 BT_OCTET16_LEN);
1972 SMP_TRACE_DEBUG("");
1973 #endif
1974
1975 /* pass created OOB data up */
1976 p_cb->cb_evt = SMP_SC_LOC_OOB_DATA_UP_EVT;
1977 smp_send_app_cback(p_cb, NULL);
1978
1979 smp_cb_cleanup(p_cb);
1980 }
1981
1982 /*******************************************************************************
1983 **
1984 ** Function smp_link_encrypted
1985 **
1986 ** Description This function is called when link is encrypted and notified to
1987 ** slave device. Proceed to to send LTK, DIV and ER to master if
1988 ** bonding the devices.
1989 **
1990 **
1991 ** Returns void
1992 **
1993 *******************************************************************************/
smp_link_encrypted(BD_ADDR bda,UINT8 encr_enable)1994 void smp_link_encrypted(BD_ADDR bda, UINT8 encr_enable)
1995 {
1996 tSMP_CB *p_cb = &smp_cb;
1997 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda);
1998 SMP_TRACE_DEBUG("%s encr_enable=%d\n", __func__, encr_enable);
1999
2000 if (memcmp(&smp_cb.pairing_bda[0], bda, BD_ADDR_LEN) == 0) {
2001 /* encryption completed with STK, remmeber the key size now, could be overwite
2002 * when key exchange happens */
2003 if (p_cb->loc_enc_size != 0 && encr_enable) {
2004 /* update the link encryption key size if a SMP pairing just performed */
2005 btm_ble_update_sec_key_size(bda, p_cb->loc_enc_size);
2006 }
2007
2008 smp_sm_event(&smp_cb, SMP_ENCRYPTED_EVT, &encr_enable);
2009 } else if (p_dev_rec && !p_dev_rec->role_master && !p_dev_rec->enc_init_by_we ){
2010 /*
2011 if enc_init_by_we is false, it means that client initiates encryption before slave calls esp_ble_set_encryption()
2012 we need initiate pairing_bda and p_cb->role then encryption, for example iPhones
2013 */
2014 memcpy(&smp_cb.pairing_bda[0], bda, BD_ADDR_LEN);
2015 p_cb->state = SMP_STATE_ENCRYPTION_PENDING;
2016 p_cb->role = HCI_ROLE_SLAVE;
2017 p_dev_rec->enc_init_by_we = 0;
2018 smp_sm_event(&smp_cb, SMP_ENCRYPTED_EVT, &encr_enable);
2019 } else if (p_dev_rec && p_dev_rec->role_master && p_dev_rec->enc_init_by_we){
2020 memcpy(&smp_cb.pairing_bda[0], bda, BD_ADDR_LEN);
2021 p_cb->state = SMP_STATE_ENCRYPTION_PENDING;
2022 p_cb->role = HCI_ROLE_MASTER;
2023 p_dev_rec->enc_init_by_we = 0;
2024 smp_sm_event(&smp_cb, SMP_ENCRYPTED_EVT, &encr_enable);
2025 }
2026 }
2027
2028 /*******************************************************************************
2029 **
2030 ** Function smp_proc_ltk_request
2031 **
2032 ** Description This function is called when LTK request is received from
2033 ** controller.
2034 **
2035 ** Returns void
2036 **
2037 *******************************************************************************/
smp_proc_ltk_request(BD_ADDR bda)2038 BOOLEAN smp_proc_ltk_request(BD_ADDR bda)
2039 {
2040 SMP_TRACE_DEBUG("%s state = %d\n", __func__, smp_cb.state);
2041 BOOLEAN match = 0;
2042
2043 if (!memcmp(bda, smp_cb.pairing_bda, BD_ADDR_LEN)) {
2044 match = 1;
2045 } else {
2046 BD_ADDR dummy_bda = {0};
2047 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev(bda);
2048 if (p_dev_rec != NULL &&
2049 0 == memcmp(p_dev_rec->ble.pseudo_addr, smp_cb.pairing_bda, BD_ADDR_LEN) &&
2050 0 != memcmp(p_dev_rec->ble.pseudo_addr, dummy_bda, BD_ADDR_LEN)) {
2051 match = 1;
2052 }
2053 }
2054
2055 if (match && smp_cb.state == SMP_STATE_ENCRYPTION_PENDING) {
2056 smp_sm_event(&smp_cb, SMP_ENC_REQ_EVT, NULL);
2057 return 1;
2058 }
2059
2060 return 0;
2061 }
2062
2063 /*******************************************************************************
2064 **
2065 ** Function smp_process_secure_connection_long_term_key
2066 **
2067 ** Description This function is called to process SC LTK.
2068 ** SC LTK is calculated and used instead of STK.
2069 ** Here SC LTK is saved in BLE DB.
2070 **
2071 ** Returns void
2072 **
2073 *******************************************************************************/
smp_process_secure_connection_long_term_key(void)2074 void smp_process_secure_connection_long_term_key(void)
2075 {
2076 tSMP_CB *p_cb = &smp_cb;
2077
2078 SMP_TRACE_DEBUG("%s\n", __func__);
2079 smp_save_secure_connections_long_term_key(p_cb);
2080
2081 smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_ENC, 0);
2082 smp_key_distribution(p_cb, NULL);
2083 }
2084
2085 /*******************************************************************************
2086 **
2087 ** Function smp_set_derive_link_key
2088 **
2089 ** Description This function is called to set flag that indicates that
2090 ** BR/EDR LK has to be derived from LTK after all keys are
2091 ** distributed.
2092 **
2093 ** Returns void
2094 **
2095 *******************************************************************************/
smp_set_derive_link_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2096 void smp_set_derive_link_key(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
2097 {
2098 SMP_TRACE_DEBUG ("%s\n", __func__);
2099 p_cb->derive_lk = 1;
2100 smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_LK, 0);
2101 smp_key_distribution(p_cb, NULL);
2102 }
2103
2104 /*******************************************************************************
2105 **
2106 ** Function smp_derive_link_key_from_long_term_key
2107 **
2108 ** Description This function is called to derive BR/EDR LK from LTK.
2109 **
2110 ** Returns void
2111 **
2112 *******************************************************************************/
smp_derive_link_key_from_long_term_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2113 void smp_derive_link_key_from_long_term_key(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
2114 {
2115 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN;
2116
2117 SMP_TRACE_DEBUG("%s\n", __func__);
2118 if (!smp_calculate_link_key_from_long_term_key(p_cb)) {
2119 SMP_TRACE_ERROR("%s failed\n", __FUNCTION__);
2120 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &status);
2121 return;
2122 }
2123 }
2124 #endif ///BLE_INCLUDED == 1
2125
2126 #if (CLASSIC_BT_INCLUDED == 1)
2127 /*******************************************************************************
2128 **
2129 ** Function smp_br_process_link_key
2130 **
2131 ** Description This function is called to process BR/EDR LK:
2132 ** - to derive SMP LTK from BR/EDR LK;
2133 *8 - to save SMP LTK.
2134 **
2135 ** Returns void
2136 **
2137 *******************************************************************************/
smp_br_process_link_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2138 void smp_br_process_link_key(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
2139 {
2140 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN;
2141
2142 SMP_TRACE_DEBUG("%s\n", __func__);
2143 if (!smp_calculate_long_term_key_from_link_key(p_cb)) {
2144 SMP_TRACE_ERROR ("%s failed\n", __FUNCTION__);
2145 smp_sm_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &status);
2146 return;
2147 }
2148
2149 SMP_TRACE_DEBUG("%s: LTK derivation from LK successfully completed\n", __FUNCTION__);
2150 smp_save_secure_connections_long_term_key(p_cb);
2151 smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_ENC, 0);
2152 smp_br_select_next_key(p_cb, NULL);
2153 }
2154 #endif ///CLASSIC_BT_INCLUDED == 1
2155
2156 /*******************************************************************************
2157 ** Function smp_key_distribution_by_transport
2158 ** Description depending on the transport used at the moment calls either
2159 ** smp_key_distribution(...) or smp_br_key_distribution(...).
2160 *******************************************************************************/
smp_key_distribution_by_transport(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2161 void smp_key_distribution_by_transport(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
2162 {
2163 SMP_TRACE_DEBUG("%s\n", __func__);
2164 if (p_cb->smp_over_br) {
2165 #if (CLASSIC_BT_INCLUDED == 1)
2166 smp_br_select_next_key(p_cb, NULL);
2167 #endif ///CLASSIC_BT_INCLUDED == 1
2168 } else {
2169 #if (BLE_INCLUDED == 1)
2170 smp_key_distribution(p_cb, NULL);
2171 #endif ///BLE_INCLUDED == 1
2172 }
2173 }
2174
2175 /*******************************************************************************
2176 ** Function smp_br_pairing_complete
2177 ** Description This function is called to send the pairing complete callback
2178 ** and remove the connection if needed.
2179 *******************************************************************************/
smp_br_pairing_complete(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2180 void smp_br_pairing_complete(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
2181 {
2182 SMP_TRACE_DEBUG("%s\n", __func__);
2183
2184 if (p_cb->total_tx_unacked == 0) {
2185 /* process the pairing complete */
2186 smp_proc_pairing_cmpl(p_cb);
2187 }
2188 }
2189
2190 #endif
2191