1 /******************************************************************************
2 *
3 * Copyright 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 *****************************************************************************/
18
19 /******************************************************************************
20 *
21 * This file contains functions for the SMP L2CAP utility functions
22 *
23 ******************************************************************************/
24 #include "bt_target.h"
25
26 #include <ctype.h>
27 #include <string.h>
28 #include "bt_types.h"
29 #include "bt_utils.h"
30 #include "btm_ble_api.h"
31 #include "btm_int.h"
32 #include "common/metrics.h"
33 #include "device/include/controller.h"
34 #include "hcidefs.h"
35 #include "l2c_api.h"
36 #include "l2c_int.h"
37 #include "osi/include/osi.h"
38 #include "smp_int.h"
39
40 #define SMP_PAIRING_REQ_SIZE 7
41 #define SMP_CONFIRM_CMD_SIZE (OCTET16_LEN + 1)
42 #define SMP_RAND_CMD_SIZE (OCTET16_LEN + 1)
43 #define SMP_INIT_CMD_SIZE (OCTET16_LEN + 1)
44 #define SMP_ENC_INFO_SIZE (OCTET16_LEN + 1)
45 #define SMP_MASTER_ID_SIZE (BT_OCTET8_LEN + 2 + 1)
46 #define SMP_ID_INFO_SIZE (OCTET16_LEN + 1)
47 #define SMP_ID_ADDR_SIZE (BD_ADDR_LEN + 1 + 1)
48 #define SMP_SIGN_INFO_SIZE (OCTET16_LEN + 1)
49 #define SMP_PAIR_FAIL_SIZE 2
50 #define SMP_SECURITY_REQUEST_SIZE 2
51 #define SMP_PAIR_PUBL_KEY_SIZE (1 /* opcode */ + (2 * BT_OCTET32_LEN))
52 #define SMP_PAIR_COMMITM_SIZE (1 /* opcode */ + OCTET16_LEN /*Commitment*/)
53 #define SMP_PAIR_DHKEY_CHECK_SIZE \
54 (1 /* opcode */ + OCTET16_LEN /*DHKey \
55 Check*/)
56 #define SMP_PAIR_KEYPR_NOTIF_SIZE (1 /* opcode */ + 1 /*Notif Type*/)
57
58 /* SMP command sizes per spec */
59 static const uint8_t smp_cmd_size_per_spec[] = {
60 0,
61 SMP_PAIRING_REQ_SIZE, /* 0x01: pairing request */
62 SMP_PAIRING_REQ_SIZE, /* 0x02: pairing response */
63 SMP_CONFIRM_CMD_SIZE, /* 0x03: pairing confirm */
64 SMP_RAND_CMD_SIZE, /* 0x04: pairing random */
65 SMP_PAIR_FAIL_SIZE, /* 0x05: pairing failed */
66 SMP_ENC_INFO_SIZE, /* 0x06: encryption information */
67 SMP_MASTER_ID_SIZE, /* 0x07: master identification */
68 SMP_ID_INFO_SIZE, /* 0x08: identity information */
69 SMP_ID_ADDR_SIZE, /* 0x09: identity address information */
70 SMP_SIGN_INFO_SIZE, /* 0x0A: signing information */
71 SMP_SECURITY_REQUEST_SIZE, /* 0x0B: security request */
72 SMP_PAIR_PUBL_KEY_SIZE, /* 0x0C: pairing public key */
73 SMP_PAIR_DHKEY_CHECK_SIZE, /* 0x0D: pairing dhkey check */
74 SMP_PAIR_KEYPR_NOTIF_SIZE, /* 0x0E: pairing keypress notification */
75 SMP_PAIR_COMMITM_SIZE /* 0x0F: pairing commitment */
76 };
77
78 static bool smp_parameter_unconditionally_valid(tSMP_CB* p_cb);
79 static bool smp_parameter_unconditionally_invalid(tSMP_CB* p_cb);
80
81 /* type for SMP command length validation functions */
82 typedef bool (*tSMP_CMD_LEN_VALID)(tSMP_CB* p_cb);
83
84 static bool smp_command_has_valid_fixed_length(tSMP_CB* p_cb);
85
86 static const tSMP_CMD_LEN_VALID smp_cmd_len_is_valid[] = {
87 smp_parameter_unconditionally_invalid,
88 smp_command_has_valid_fixed_length, /* 0x01: pairing request */
89 smp_command_has_valid_fixed_length, /* 0x02: pairing response */
90 smp_command_has_valid_fixed_length, /* 0x03: pairing confirm */
91 smp_command_has_valid_fixed_length, /* 0x04: pairing random */
92 smp_command_has_valid_fixed_length, /* 0x05: pairing failed */
93 smp_command_has_valid_fixed_length, /* 0x06: encryption information */
94 smp_command_has_valid_fixed_length, /* 0x07: master identification */
95 smp_command_has_valid_fixed_length, /* 0x08: identity information */
96 smp_command_has_valid_fixed_length, /* 0x09: identity address information */
97 smp_command_has_valid_fixed_length, /* 0x0A: signing information */
98 smp_command_has_valid_fixed_length, /* 0x0B: security request */
99 smp_command_has_valid_fixed_length, /* 0x0C: pairing public key */
100 smp_command_has_valid_fixed_length, /* 0x0D: pairing dhkey check */
101 smp_command_has_valid_fixed_length, /* 0x0E: pairing keypress notification*/
102 smp_command_has_valid_fixed_length /* 0x0F: pairing commitment */
103 };
104
105 /* type for SMP command parameter ranges validation functions */
106 typedef bool (*tSMP_CMD_PARAM_RANGES_VALID)(tSMP_CB* p_cb);
107
108 static bool smp_pairing_request_response_parameters_are_valid(tSMP_CB* p_cb);
109 static bool smp_pairing_keypress_notification_is_valid(tSMP_CB* p_cb);
110
111 static const tSMP_CMD_PARAM_RANGES_VALID smp_cmd_param_ranges_are_valid[] = {
112 smp_parameter_unconditionally_invalid,
113 smp_pairing_request_response_parameters_are_valid, /* 0x01: pairing
114 request */
115 smp_pairing_request_response_parameters_are_valid, /* 0x02: pairing
116 response */
117 smp_parameter_unconditionally_valid, /* 0x03: pairing confirm */
118 smp_parameter_unconditionally_valid, /* 0x04: pairing random */
119 smp_parameter_unconditionally_valid, /* 0x05: pairing failed */
120 smp_parameter_unconditionally_valid, /* 0x06: encryption information */
121 smp_parameter_unconditionally_valid, /* 0x07: master identification */
122 smp_parameter_unconditionally_valid, /* 0x08: identity information */
123 smp_parameter_unconditionally_valid, /* 0x09: identity address
124 information */
125 smp_parameter_unconditionally_valid, /* 0x0A: signing information */
126 smp_parameter_unconditionally_valid, /* 0x0B: security request */
127 smp_parameter_unconditionally_valid, /* 0x0C: pairing public key */
128 smp_parameter_unconditionally_valid, /* 0x0D: pairing dhkey check */
129 smp_pairing_keypress_notification_is_valid, /* 0x0E: pairing keypress
130 notification */
131 smp_parameter_unconditionally_valid /* 0x0F: pairing commitment */
132 };
133
134 /* type for action functions */
135 typedef BT_HDR* (*tSMP_CMD_ACT)(uint8_t cmd_code, tSMP_CB* p_cb);
136
137 static BT_HDR* smp_build_pairing_cmd(uint8_t cmd_code, tSMP_CB* p_cb);
138 static BT_HDR* smp_build_confirm_cmd(UNUSED_ATTR uint8_t cmd_code,
139 tSMP_CB* p_cb);
140 static BT_HDR* smp_build_rand_cmd(UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb);
141 static BT_HDR* smp_build_pairing_fail(UNUSED_ATTR uint8_t cmd_code,
142 tSMP_CB* p_cb);
143 static BT_HDR* smp_build_identity_info_cmd(UNUSED_ATTR uint8_t cmd_code,
144 tSMP_CB* p_cb);
145 static BT_HDR* smp_build_encrypt_info_cmd(UNUSED_ATTR uint8_t cmd_code,
146 tSMP_CB* p_cb);
147 static BT_HDR* smp_build_security_request(UNUSED_ATTR uint8_t cmd_code,
148 tSMP_CB* p_cb);
149 static BT_HDR* smp_build_signing_info_cmd(UNUSED_ATTR uint8_t cmd_code,
150 tSMP_CB* p_cb);
151 static BT_HDR* smp_build_master_id_cmd(UNUSED_ATTR uint8_t cmd_code,
152 tSMP_CB* p_cb);
153 static BT_HDR* smp_build_id_addr_cmd(UNUSED_ATTR uint8_t cmd_code,
154 tSMP_CB* p_cb);
155 static BT_HDR* smp_build_pair_public_key_cmd(UNUSED_ATTR uint8_t cmd_code,
156 tSMP_CB* p_cb);
157 static BT_HDR* smp_build_pairing_commitment_cmd(UNUSED_ATTR uint8_t cmd_code,
158 tSMP_CB* p_cb);
159 static BT_HDR* smp_build_pair_dhkey_check_cmd(UNUSED_ATTR uint8_t cmd_code,
160 tSMP_CB* p_cb);
161 static BT_HDR* smp_build_pairing_keypress_notification_cmd(
162 UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb);
163
164 static const tSMP_CMD_ACT smp_cmd_build_act[] = {
165 NULL, smp_build_pairing_cmd, /* 0x01: pairing request */
166 smp_build_pairing_cmd, /* 0x02: pairing response */
167 smp_build_confirm_cmd, /* 0x03: pairing confirm */
168 smp_build_rand_cmd, /* 0x04: pairing random */
169 smp_build_pairing_fail, /* 0x05: pairing failure */
170 smp_build_encrypt_info_cmd, /* 0x06: encryption information */
171 smp_build_master_id_cmd, /* 0x07: master identification */
172 smp_build_identity_info_cmd, /* 0x08: identity information */
173 smp_build_id_addr_cmd, /* 0x09: identity address information */
174 smp_build_signing_info_cmd, /* 0x0A: signing information */
175 smp_build_security_request, /* 0x0B: security request */
176 smp_build_pair_public_key_cmd, /* 0x0C: pairing public key */
177 smp_build_pair_dhkey_check_cmd, /* 0x0D: pairing DHKey check */
178 smp_build_pairing_keypress_notification_cmd, /* 0x0E: pairing keypress
179 notification */
180 smp_build_pairing_commitment_cmd /* 0x0F: pairing commitment */
181 };
182
183 static const uint8_t smp_association_table[2][SMP_IO_CAP_MAX][SMP_IO_CAP_MAX] =
184 {
185 /* display only */ /* Display Yes/No */ /* keyboard only */
186 /* No Input/Output */ /* keyboard display */
187
188 /* initiator */
189 /* model = tbl[peer_io_caps][loc_io_caps] */
190 /* Display Only */
191 {{SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
192 SMP_MODEL_PASSKEY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY},
193
194 /* Display Yes/No */
195 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
196 SMP_MODEL_PASSKEY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY},
197
198 /* Keyboard only */
199 {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY,
200 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF},
201
202 /* No Input No Output */
203 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
204 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
205 SMP_MODEL_ENCRYPTION_ONLY},
206
207 /* keyboard display */
208 {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY,
209 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF}},
210
211 /* responder */
212 /* model = tbl[loc_io_caps][peer_io_caps] */
213 /* Display Only */
214 {{SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
215 SMP_MODEL_KEY_NOTIF, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF},
216
217 /* Display Yes/No */
218 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
219 SMP_MODEL_KEY_NOTIF, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF},
220
221 /* keyboard only */
222 {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY,
223 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY},
224
225 /* No Input No Output */
226 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
227 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
228 SMP_MODEL_ENCRYPTION_ONLY},
229
230 /* keyboard display */
231 {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_KEY_NOTIF,
232 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY}}};
233
234 static const uint8_t
235 smp_association_table_sc[2][SMP_IO_CAP_MAX][SMP_IO_CAP_MAX] = {
236 /* display only */ /* Display Yes/No */ /* keyboard only */
237 /* No InputOutput */ /* keyboard display */
238
239 /* initiator */
240 /* model = tbl[peer_io_caps][loc_io_caps] */
241
242 /* Display Only */
243 {{SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
244 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
245 SMP_MODEL_SEC_CONN_PASSKEY_ENT},
246
247 /* Display Yes/No */
248 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP,
249 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
250 SMP_MODEL_SEC_CONN_NUM_COMP},
251
252 /* keyboard only */
253 {SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_PASSKEY_DISP,
254 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
255 SMP_MODEL_SEC_CONN_PASSKEY_DISP},
256
257 /* No Input No Output */
258 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
259 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
260 SMP_MODEL_SEC_CONN_JUSTWORKS},
261
262 /* keyboard display */
263 {SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_NUM_COMP,
264 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
265 SMP_MODEL_SEC_CONN_NUM_COMP}},
266
267 /* responder */
268 /* model = tbl[loc_io_caps][peer_io_caps] */
269
270 /* Display Only */
271 {{SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
272 SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS,
273 SMP_MODEL_SEC_CONN_PASSKEY_DISP},
274
275 /* Display Yes/No */
276 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP,
277 SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS,
278 SMP_MODEL_SEC_CONN_NUM_COMP},
279
280 /* keyboard only */
281 {SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_PASSKEY_ENT,
282 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
283 SMP_MODEL_SEC_CONN_PASSKEY_ENT},
284
285 /* No Input No Output */
286 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
287 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
288 SMP_MODEL_SEC_CONN_JUSTWORKS},
289
290 /* keyboard display */
291 {SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_NUM_COMP,
292 SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS,
293 SMP_MODEL_SEC_CONN_NUM_COMP}}};
294
295 static tSMP_ASSO_MODEL smp_select_legacy_association_model(tSMP_CB* p_cb);
296 static tSMP_ASSO_MODEL smp_select_association_model_secure_connections(
297 tSMP_CB* p_cb);
298
299 /**
300 * Log metrics data for SMP command
301 *
302 * @param bd_addr current pairing address
303 * @param is_outgoing whether this command is outgoing
304 * @param p_buf buffer to the beginning of SMP command
305 * @param buf_len length available to read for p_buf
306 */
smp_log_metrics(const RawAddress & bd_addr,bool is_outgoing,const uint8_t * p_buf,size_t buf_len)307 void smp_log_metrics(const RawAddress& bd_addr, bool is_outgoing,
308 const uint8_t* p_buf, size_t buf_len) {
309 if (buf_len < 1) {
310 LOG(WARNING) << __func__ << ": buffer is too small, size is " << buf_len;
311 return;
312 }
313 uint8_t cmd;
314 STREAM_TO_UINT8(cmd, p_buf);
315 buf_len--;
316 uint8_t failure_reason = 0;
317 if (cmd == SMP_OPCODE_PAIRING_FAILED && buf_len >= 1) {
318 STREAM_TO_UINT8(failure_reason, p_buf);
319 }
320 android::bluetooth::DirectionEnum direction =
321 is_outgoing ? android::bluetooth::DirectionEnum::DIRECTION_OUTGOING
322 : android::bluetooth::DirectionEnum::DIRECTION_INCOMING;
323 bluetooth::common::LogSmpPairingEvent(bd_addr, cmd, direction,
324 failure_reason);
325 }
326
327 /*******************************************************************************
328 *
329 * Function smp_send_msg_to_L2CAP
330 *
331 * Description Send message to L2CAP.
332 *
333 ******************************************************************************/
smp_send_msg_to_L2CAP(const RawAddress & rem_bda,BT_HDR * p_toL2CAP)334 bool smp_send_msg_to_L2CAP(const RawAddress& rem_bda, BT_HDR* p_toL2CAP) {
335 uint16_t l2cap_ret;
336 uint16_t fixed_cid = L2CAP_SMP_CID;
337
338 if (smp_cb.smp_over_br) {
339 fixed_cid = L2CAP_SMP_BR_CID;
340 }
341
342 SMP_TRACE_EVENT("%s", __func__);
343 smp_cb.total_tx_unacked += 1;
344
345 smp_log_metrics(rem_bda, true /* outgoing */,
346 p_toL2CAP->data + p_toL2CAP->offset, p_toL2CAP->len);
347
348 l2cap_ret = L2CA_SendFixedChnlData(fixed_cid, rem_bda, p_toL2CAP);
349 if (l2cap_ret == L2CAP_DW_FAILED) {
350 smp_cb.total_tx_unacked -= 1;
351 SMP_TRACE_ERROR("SMP failed to pass msg to L2CAP");
352 return false;
353 } else
354 return true;
355 }
356
357 /*******************************************************************************
358 *
359 * Function smp_send_cmd
360 *
361 * Description send a SMP command on L2CAP channel.
362 *
363 ******************************************************************************/
smp_send_cmd(uint8_t cmd_code,tSMP_CB * p_cb)364 bool smp_send_cmd(uint8_t cmd_code, tSMP_CB* p_cb) {
365 BT_HDR* p_buf;
366 bool sent = false;
367
368 SMP_TRACE_EVENT("%s: on l2cap cmd_code=0x%x, pairing_bda=%s", __func__,
369 cmd_code, p_cb->pairing_bda.ToString().c_str());
370
371 if (cmd_code <= (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */) &&
372 smp_cmd_build_act[cmd_code] != NULL) {
373 p_buf = (*smp_cmd_build_act[cmd_code])(cmd_code, p_cb);
374
375 if (p_buf != NULL && smp_send_msg_to_L2CAP(p_cb->pairing_bda, p_buf)) {
376 sent = true;
377 alarm_set_on_mloop(p_cb->smp_rsp_timer_ent, SMP_WAIT_FOR_RSP_TIMEOUT_MS,
378 smp_rsp_timeout, NULL);
379 }
380 }
381
382 if (!sent) {
383 tSMP_INT_DATA smp_int_data;
384 smp_int_data.status = SMP_PAIR_INTERNAL_ERR;
385 if (p_cb->smp_over_br) {
386 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
387 } else {
388 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
389 }
390 }
391 return sent;
392 }
393
394 /*******************************************************************************
395 *
396 * Function smp_rsp_timeout
397 *
398 * Description Called when SMP wait for SMP command response timer expires
399 *
400 * Returns void
401 *
402 ******************************************************************************/
smp_rsp_timeout(UNUSED_ATTR void * data)403 void smp_rsp_timeout(UNUSED_ATTR void* data) {
404 tSMP_CB* p_cb = &smp_cb;
405
406 SMP_TRACE_EVENT("%s state:%d br_state:%d", __func__, p_cb->state,
407 p_cb->br_state);
408
409 tSMP_INT_DATA smp_int_data;
410 smp_int_data.status = SMP_RSP_TIMEOUT;
411 if (p_cb->smp_over_br) {
412 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
413 } else {
414 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
415 }
416 }
417
418 /*******************************************************************************
419 *
420 * Function smp_delayed_auth_complete_timeout
421 *
422 * Description Called when no pairing failed command received within
423 * timeout period.
424 *
425 * Returns void
426 *
427 ******************************************************************************/
smp_delayed_auth_complete_timeout(UNUSED_ATTR void * data)428 void smp_delayed_auth_complete_timeout(UNUSED_ATTR void* data) {
429 /*
430 * Waited for potential pair failure. Send SMP_AUTH_CMPL_EVT if
431 * the state is still in bond pending.
432 */
433 if (smp_get_state() == SMP_STATE_BOND_PENDING) {
434 SMP_TRACE_EVENT("%s sending delayed auth complete.", __func__);
435 tSMP_INT_DATA smp_int_data;
436 smp_int_data.status = SMP_SUCCESS;
437 smp_sm_event(&smp_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
438 }
439 }
440
441 /*******************************************************************************
442 *
443 * Function smp_build_pairing_req_cmd
444 *
445 * Description Build pairing request command.
446 *
447 ******************************************************************************/
smp_build_pairing_cmd(uint8_t cmd_code,tSMP_CB * p_cb)448 BT_HDR* smp_build_pairing_cmd(uint8_t cmd_code, tSMP_CB* p_cb) {
449 uint8_t* p;
450 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIRING_REQ_SIZE +
451 L2CAP_MIN_OFFSET);
452
453 SMP_TRACE_EVENT("%s", __func__);
454
455 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
456 UINT8_TO_STREAM(p, cmd_code);
457 UINT8_TO_STREAM(p, p_cb->local_io_capability);
458 UINT8_TO_STREAM(p, p_cb->loc_oob_flag);
459 UINT8_TO_STREAM(p, p_cb->loc_auth_req);
460 UINT8_TO_STREAM(p, p_cb->loc_enc_size);
461 UINT8_TO_STREAM(p, p_cb->local_i_key);
462 UINT8_TO_STREAM(p, p_cb->local_r_key);
463
464 p_buf->offset = L2CAP_MIN_OFFSET;
465 /* 1B ERR_RSP op code + 1B cmd_op_code + 2B handle + 1B status */
466 p_buf->len = SMP_PAIRING_REQ_SIZE;
467
468 return p_buf;
469 }
470
471 /*******************************************************************************
472 *
473 * Function smp_build_confirm_cmd
474 *
475 * Description Build confirm request command.
476 *
477 ******************************************************************************/
smp_build_confirm_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)478 static BT_HDR* smp_build_confirm_cmd(UNUSED_ATTR uint8_t cmd_code,
479 tSMP_CB* p_cb) {
480 uint8_t* p;
481 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_CONFIRM_CMD_SIZE +
482 L2CAP_MIN_OFFSET);
483
484 SMP_TRACE_EVENT("%s", __func__);
485
486 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
487
488 UINT8_TO_STREAM(p, SMP_OPCODE_CONFIRM);
489 ARRAY_TO_STREAM(p, p_cb->confirm, OCTET16_LEN);
490
491 p_buf->offset = L2CAP_MIN_OFFSET;
492 p_buf->len = SMP_CONFIRM_CMD_SIZE;
493
494 return p_buf;
495 }
496
497 /*******************************************************************************
498 *
499 * Function smp_build_rand_cmd
500 *
501 * Description Build Random command.
502 *
503 ******************************************************************************/
smp_build_rand_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)504 static BT_HDR* smp_build_rand_cmd(UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb) {
505 uint8_t* p;
506 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_RAND_CMD_SIZE +
507 L2CAP_MIN_OFFSET);
508
509 SMP_TRACE_EVENT("%s", __func__);
510
511 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
512 UINT8_TO_STREAM(p, SMP_OPCODE_RAND);
513 ARRAY_TO_STREAM(p, p_cb->rand, OCTET16_LEN);
514
515 p_buf->offset = L2CAP_MIN_OFFSET;
516 p_buf->len = SMP_RAND_CMD_SIZE;
517
518 return p_buf;
519 }
520
521 /*******************************************************************************
522 *
523 * Function smp_build_encrypt_info_cmd
524 *
525 * Description Build security information command.
526 *
527 ******************************************************************************/
smp_build_encrypt_info_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)528 static BT_HDR* smp_build_encrypt_info_cmd(UNUSED_ATTR uint8_t cmd_code,
529 tSMP_CB* p_cb) {
530 uint8_t* p;
531 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ENC_INFO_SIZE +
532 L2CAP_MIN_OFFSET);
533
534 SMP_TRACE_EVENT("%s", __func__);
535
536 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
537 UINT8_TO_STREAM(p, SMP_OPCODE_ENCRYPT_INFO);
538 ARRAY_TO_STREAM(p, p_cb->ltk, OCTET16_LEN);
539
540 p_buf->offset = L2CAP_MIN_OFFSET;
541 p_buf->len = SMP_ENC_INFO_SIZE;
542
543 return p_buf;
544 }
545
546 /*******************************************************************************
547 *
548 * Function smp_build_master_id_cmd
549 *
550 * Description Build security information command.
551 *
552 ******************************************************************************/
smp_build_master_id_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)553 static BT_HDR* smp_build_master_id_cmd(UNUSED_ATTR uint8_t cmd_code,
554 tSMP_CB* p_cb) {
555 uint8_t* p;
556 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_MASTER_ID_SIZE +
557 L2CAP_MIN_OFFSET);
558
559 SMP_TRACE_EVENT("%s", __func__);
560
561 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
562 UINT8_TO_STREAM(p, SMP_OPCODE_MASTER_ID);
563 UINT16_TO_STREAM(p, p_cb->ediv);
564 ARRAY_TO_STREAM(p, p_cb->enc_rand, BT_OCTET8_LEN);
565
566 p_buf->offset = L2CAP_MIN_OFFSET;
567 p_buf->len = SMP_MASTER_ID_SIZE;
568
569 return p_buf;
570 }
571
572 /*******************************************************************************
573 *
574 * Function smp_build_identity_info_cmd
575 *
576 * Description Build identity information command.
577 *
578 ******************************************************************************/
smp_build_identity_info_cmd(UNUSED_ATTR uint8_t cmd_code,UNUSED_ATTR tSMP_CB * p_cb)579 static BT_HDR* smp_build_identity_info_cmd(UNUSED_ATTR uint8_t cmd_code,
580 UNUSED_ATTR tSMP_CB* p_cb) {
581 uint8_t* p;
582 BT_HDR* p_buf =
583 (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ID_INFO_SIZE + L2CAP_MIN_OFFSET);
584
585 SMP_TRACE_EVENT("%s", __func__);
586
587 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
588
589 const Octet16& irk = BTM_GetDeviceIDRoot();
590
591 UINT8_TO_STREAM(p, SMP_OPCODE_IDENTITY_INFO);
592 ARRAY_TO_STREAM(p, irk.data(), OCTET16_LEN);
593
594 p_buf->offset = L2CAP_MIN_OFFSET;
595 p_buf->len = SMP_ID_INFO_SIZE;
596
597 return p_buf;
598 }
599
600 /*******************************************************************************
601 *
602 * Function smp_build_id_addr_cmd
603 *
604 * Description Build identity address information command.
605 *
606 ******************************************************************************/
smp_build_id_addr_cmd(UNUSED_ATTR uint8_t cmd_code,UNUSED_ATTR tSMP_CB * p_cb)607 static BT_HDR* smp_build_id_addr_cmd(UNUSED_ATTR uint8_t cmd_code,
608 UNUSED_ATTR tSMP_CB* p_cb) {
609 uint8_t* p;
610 BT_HDR* p_buf =
611 (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ID_ADDR_SIZE + L2CAP_MIN_OFFSET);
612
613 SMP_TRACE_EVENT("%s", __func__);
614
615 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
616 UINT8_TO_STREAM(p, SMP_OPCODE_ID_ADDR);
617 UINT8_TO_STREAM(p, 0);
618 BDADDR_TO_STREAM(p, *controller_get_interface()->get_address());
619
620 p_buf->offset = L2CAP_MIN_OFFSET;
621 p_buf->len = SMP_ID_ADDR_SIZE;
622
623 return p_buf;
624 }
625
626 /*******************************************************************************
627 *
628 * Function smp_build_signing_info_cmd
629 *
630 * Description Build signing information command.
631 *
632 ******************************************************************************/
smp_build_signing_info_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)633 static BT_HDR* smp_build_signing_info_cmd(UNUSED_ATTR uint8_t cmd_code,
634 tSMP_CB* p_cb) {
635 uint8_t* p;
636 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_SIGN_INFO_SIZE +
637 L2CAP_MIN_OFFSET);
638
639 SMP_TRACE_EVENT("%s", __func__);
640
641 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
642 UINT8_TO_STREAM(p, SMP_OPCODE_SIGN_INFO);
643 ARRAY_TO_STREAM(p, p_cb->csrk, OCTET16_LEN);
644
645 p_buf->offset = L2CAP_MIN_OFFSET;
646 p_buf->len = SMP_SIGN_INFO_SIZE;
647
648 return p_buf;
649 }
650
651 /*******************************************************************************
652 *
653 * Function smp_build_pairing_fail
654 *
655 * Description Build Pairing Fail command.
656 *
657 ******************************************************************************/
smp_build_pairing_fail(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)658 static BT_HDR* smp_build_pairing_fail(UNUSED_ATTR uint8_t cmd_code,
659 tSMP_CB* p_cb) {
660 uint8_t* p;
661 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_FAIL_SIZE +
662 L2CAP_MIN_OFFSET);
663
664 SMP_TRACE_EVENT("%s", __func__);
665
666 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
667 UINT8_TO_STREAM(p, SMP_OPCODE_PAIRING_FAILED);
668 UINT8_TO_STREAM(p, p_cb->failure);
669
670 p_buf->offset = L2CAP_MIN_OFFSET;
671 p_buf->len = SMP_PAIR_FAIL_SIZE;
672
673 return p_buf;
674 }
675
676 /*******************************************************************************
677 *
678 * Function smp_build_security_request
679 *
680 * Description Build security request command.
681 *
682 ******************************************************************************/
smp_build_security_request(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)683 static BT_HDR* smp_build_security_request(UNUSED_ATTR uint8_t cmd_code,
684 tSMP_CB* p_cb) {
685 uint8_t* p;
686 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + 2 + L2CAP_MIN_OFFSET);
687
688 SMP_TRACE_EVENT("%s", __func__);
689
690 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
691 UINT8_TO_STREAM(p, SMP_OPCODE_SEC_REQ);
692 UINT8_TO_STREAM(p, p_cb->loc_auth_req);
693
694 p_buf->offset = L2CAP_MIN_OFFSET;
695 p_buf->len = SMP_SECURITY_REQUEST_SIZE;
696
697 SMP_TRACE_EVENT("opcode=%d auth_req=0x%x", SMP_OPCODE_SEC_REQ,
698 p_cb->loc_auth_req);
699
700 return p_buf;
701 }
702
703 /*******************************************************************************
704 *
705 * Function smp_build_pair_public_key_cmd
706 *
707 * Description Build pairing public key command.
708 *
709 ******************************************************************************/
smp_build_pair_public_key_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)710 static BT_HDR* smp_build_pair_public_key_cmd(UNUSED_ATTR uint8_t cmd_code,
711 tSMP_CB* p_cb) {
712 uint8_t* p;
713 uint8_t publ_key[2 * BT_OCTET32_LEN];
714 uint8_t* p_publ_key = publ_key;
715 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_PUBL_KEY_SIZE +
716 L2CAP_MIN_OFFSET);
717
718 SMP_TRACE_EVENT("%s", __func__);
719
720 memcpy(p_publ_key, p_cb->loc_publ_key.x, BT_OCTET32_LEN);
721 memcpy(p_publ_key + BT_OCTET32_LEN, p_cb->loc_publ_key.y, BT_OCTET32_LEN);
722
723 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
724 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_PUBLIC_KEY);
725 ARRAY_TO_STREAM(p, p_publ_key, 2 * BT_OCTET32_LEN);
726
727 p_buf->offset = L2CAP_MIN_OFFSET;
728 p_buf->len = SMP_PAIR_PUBL_KEY_SIZE;
729
730 return p_buf;
731 }
732
733 /*******************************************************************************
734 *
735 * Function smp_build_pairing_commitment_cmd
736 *
737 * Description Build pairing commitment command.
738 *
739 ******************************************************************************/
smp_build_pairing_commitment_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)740 static BT_HDR* smp_build_pairing_commitment_cmd(UNUSED_ATTR uint8_t cmd_code,
741 tSMP_CB* p_cb) {
742 uint8_t* p;
743 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_COMMITM_SIZE +
744 L2CAP_MIN_OFFSET);
745
746 SMP_TRACE_EVENT("%s", __func__);
747
748 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
749 UINT8_TO_STREAM(p, SMP_OPCODE_CONFIRM);
750 ARRAY_TO_STREAM(p, p_cb->commitment, OCTET16_LEN);
751
752 p_buf->offset = L2CAP_MIN_OFFSET;
753 p_buf->len = SMP_PAIR_COMMITM_SIZE;
754
755 return p_buf;
756 }
757
758 /*******************************************************************************
759 *
760 * Function smp_build_pair_dhkey_check_cmd
761 *
762 * Description Build pairing DHKey check command.
763 *
764 ******************************************************************************/
smp_build_pair_dhkey_check_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)765 static BT_HDR* smp_build_pair_dhkey_check_cmd(UNUSED_ATTR uint8_t cmd_code,
766 tSMP_CB* p_cb) {
767 uint8_t* p;
768 BT_HDR* p_buf = (BT_HDR*)osi_malloc(
769 sizeof(BT_HDR) + SMP_PAIR_DHKEY_CHECK_SIZE + L2CAP_MIN_OFFSET);
770
771 SMP_TRACE_EVENT("%s", __func__);
772
773 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
774 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_DHKEY_CHECK);
775 ARRAY_TO_STREAM(p, p_cb->dhkey_check, OCTET16_LEN);
776
777 p_buf->offset = L2CAP_MIN_OFFSET;
778 p_buf->len = SMP_PAIR_DHKEY_CHECK_SIZE;
779
780 return p_buf;
781 }
782
783 /*******************************************************************************
784 *
785 * Function smp_build_pairing_keypress_notification_cmd
786 *
787 * Description Build keypress notification command.
788 *
789 ******************************************************************************/
smp_build_pairing_keypress_notification_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)790 static BT_HDR* smp_build_pairing_keypress_notification_cmd(
791 UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb) {
792 uint8_t* p;
793 BT_HDR* p_buf = (BT_HDR*)osi_malloc(
794 sizeof(BT_HDR) + SMP_PAIR_KEYPR_NOTIF_SIZE + L2CAP_MIN_OFFSET);
795
796 SMP_TRACE_EVENT("%s", __func__);
797
798 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
799 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_KEYPR_NOTIF);
800 UINT8_TO_STREAM(p, p_cb->local_keypress_notification);
801
802 p_buf->offset = L2CAP_MIN_OFFSET;
803 p_buf->len = SMP_PAIR_KEYPR_NOTIF_SIZE;
804
805 return p_buf;
806 }
807
808 /** This function is called to convert a 6 to 16 digits numeric character string
809 * into SMP TK. */
smp_convert_string_to_tk(Octet16 * tk,uint32_t passkey)810 void smp_convert_string_to_tk(Octet16* tk, uint32_t passkey) {
811 uint8_t* p = tk->data();
812 tSMP_KEY key;
813 SMP_TRACE_EVENT("smp_convert_string_to_tk");
814 UINT32_TO_STREAM(p, passkey);
815
816 key.key_type = SMP_KEY_TYPE_TK;
817 key.p_data = tk->data();
818
819 tSMP_INT_DATA smp_int_data;
820 smp_int_data.key = key;
821 smp_sm_event(&smp_cb, SMP_KEY_READY_EVT, &smp_int_data);
822 }
823
824 /** This function is called to mask off the encryption key based on the maximum
825 * encryption key size. */
smp_mask_enc_key(uint8_t loc_enc_size,Octet16 * p_data)826 void smp_mask_enc_key(uint8_t loc_enc_size, Octet16* p_data) {
827 SMP_TRACE_EVENT("smp_mask_enc_key");
828 if (loc_enc_size < OCTET16_LEN) {
829 for (; loc_enc_size < OCTET16_LEN; loc_enc_size++)
830 (*p_data)[loc_enc_size] = 0;
831 }
832 return;
833 }
834
835 /** utility function to do an biteise exclusive-OR of two bit strings of the
836 * length of OCTET16_LEN. Result is stored in first argument.
837 */
smp_xor_128(Octet16 * a,const Octet16 & b)838 void smp_xor_128(Octet16* a, const Octet16& b) {
839 CHECK(a);
840 uint8_t i, *aa = a->data();
841 const uint8_t* bb = b.data();
842
843 for (i = 0; i < OCTET16_LEN; i++) {
844 aa[i] = aa[i] ^ bb[i];
845 }
846 }
847
848 /*******************************************************************************
849 *
850 * Function smp_cb_cleanup
851 *
852 * Description Clean up SMP control block
853 *
854 * Returns void
855 *
856 ******************************************************************************/
smp_cb_cleanup(tSMP_CB * p_cb)857 void smp_cb_cleanup(tSMP_CB* p_cb) {
858 tSMP_CALLBACK* p_callback = p_cb->p_callback;
859 uint8_t trace_level = p_cb->trace_level;
860 alarm_t* smp_rsp_timer_ent = p_cb->smp_rsp_timer_ent;
861 alarm_t* delayed_auth_timer_ent = p_cb->delayed_auth_timer_ent;
862
863 SMP_TRACE_EVENT("smp_cb_cleanup");
864
865 alarm_cancel(p_cb->smp_rsp_timer_ent);
866 alarm_cancel(p_cb->delayed_auth_timer_ent);
867 memset(p_cb, 0, sizeof(tSMP_CB));
868 p_cb->p_callback = p_callback;
869 p_cb->trace_level = trace_level;
870 p_cb->smp_rsp_timer_ent = smp_rsp_timer_ent;
871 p_cb->delayed_auth_timer_ent = delayed_auth_timer_ent;
872 }
873
874 /*******************************************************************************
875 *
876 * Function smp_remove_fixed_channel
877 *
878 * Description This function is called to remove the fixed channel
879 *
880 * Returns void
881 *
882 ******************************************************************************/
smp_remove_fixed_channel(tSMP_CB * p_cb)883 void smp_remove_fixed_channel(tSMP_CB* p_cb) {
884 SMP_TRACE_DEBUG("%s", __func__);
885
886 if (p_cb->smp_over_br)
887 L2CA_RemoveFixedChnl(L2CAP_SMP_BR_CID, p_cb->pairing_bda);
888 else
889 L2CA_RemoveFixedChnl(L2CAP_SMP_CID, p_cb->pairing_bda);
890 }
891
892 /*******************************************************************************
893 *
894 * Function smp_reset_control_value
895 *
896 * Description This function is called to reset the control block value
897 * when the pairing procedure finished.
898 *
899 *
900 * Returns void
901 *
902 ******************************************************************************/
smp_reset_control_value(tSMP_CB * p_cb)903 void smp_reset_control_value(tSMP_CB* p_cb) {
904 SMP_TRACE_EVENT("%s", __func__);
905
906 alarm_cancel(p_cb->smp_rsp_timer_ent);
907 p_cb->flags = 0;
908 /* set the link idle timer to drop the link when pairing is done
909 usually service discovery will follow authentication complete, to avoid
910 racing condition for a link down/up, set link idle timer to be
911 SMP_LINK_TOUT_MIN to guarantee SMP key exchange */
912 L2CA_SetIdleTimeoutByBdAddr(p_cb->pairing_bda, SMP_LINK_TOUT_MIN,
913 BT_TRANSPORT_LE);
914
915 /* We can tell L2CAP to remove the fixed channel (if it has one) */
916 smp_remove_fixed_channel(p_cb);
917 smp_cb_cleanup(p_cb);
918 }
919
920 /*******************************************************************************
921 *
922 * Function smp_proc_pairing_cmpl
923 *
924 * Description This function is called to process pairing complete
925 *
926 *
927 * Returns void
928 *
929 ******************************************************************************/
smp_proc_pairing_cmpl(tSMP_CB * p_cb)930 void smp_proc_pairing_cmpl(tSMP_CB* p_cb) {
931 tSMP_EVT_DATA evt_data = {0};
932 tSMP_CALLBACK* p_callback = p_cb->p_callback;
933
934 SMP_TRACE_DEBUG("%s: pairing_bda=%s", __func__,
935 p_cb->pairing_bda.ToString().c_str());
936
937 evt_data.cmplt.reason = p_cb->status;
938 evt_data.cmplt.smp_over_br = p_cb->smp_over_br;
939
940 if (p_cb->status == SMP_SUCCESS) evt_data.cmplt.sec_level = p_cb->sec_level;
941
942 evt_data.cmplt.is_pair_cancel = false;
943
944 if (p_cb->is_pair_cancel) evt_data.cmplt.is_pair_cancel = true;
945
946 SMP_TRACE_DEBUG("send SMP_COMPLT_EVT reason=0x%0x sec_level=0x%0x",
947 evt_data.cmplt.reason, evt_data.cmplt.sec_level);
948
949 RawAddress pairing_bda = p_cb->pairing_bda;
950
951 smp_reset_control_value(p_cb);
952
953 if (p_callback) (*p_callback)(SMP_COMPLT_EVT, pairing_bda, &evt_data);
954 }
955
956 /*******************************************************************************
957 *
958 * Function smp_command_has_invalid_length
959 *
960 * Description Checks if the received SMP command has invalid length
961 * It returns true if the command has invalid length.
962 *
963 * Returns true if the command has invalid length, false otherwise.
964 *
965 ******************************************************************************/
smp_command_has_invalid_length(tSMP_CB * p_cb)966 bool smp_command_has_invalid_length(tSMP_CB* p_cb) {
967 uint8_t cmd_code = p_cb->rcvd_cmd_code;
968
969 if ((cmd_code > (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */)) ||
970 (cmd_code < SMP_OPCODE_MIN)) {
971 SMP_TRACE_WARNING("%s: Received command with RESERVED code 0x%02x",
972 __func__, cmd_code);
973 return true;
974 }
975
976 if (!smp_command_has_valid_fixed_length(p_cb)) {
977 return true;
978 }
979
980 return false;
981 }
982
983 /*******************************************************************************
984 *
985 * Function smp_command_has_invalid_parameters
986 *
987 * Description Checks if the received SMP command has invalid parameters
988 * i.e. if the command length is valid and the command
989 * parameters are inside specified range.
990 * It returns true if the command has invalid parameters.
991 *
992 * Returns true if the command has invalid parameters, false otherwise.
993 *
994 ******************************************************************************/
smp_command_has_invalid_parameters(tSMP_CB * p_cb)995 bool smp_command_has_invalid_parameters(tSMP_CB* p_cb) {
996 uint8_t cmd_code = p_cb->rcvd_cmd_code;
997
998 if ((cmd_code > (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */)) ||
999 (cmd_code < SMP_OPCODE_MIN)) {
1000 SMP_TRACE_WARNING("%s: Received command with RESERVED code 0x%02x",
1001 __func__, cmd_code);
1002 return true;
1003 }
1004
1005 if (!(*smp_cmd_len_is_valid[cmd_code])(p_cb)) {
1006 SMP_TRACE_WARNING("%s: Command length not valid for cmd_code 0x%02x",
1007 __func__, cmd_code);
1008 return true;
1009 }
1010
1011 if (!(*smp_cmd_param_ranges_are_valid[cmd_code])(p_cb)) {
1012 SMP_TRACE_WARNING("%s: Parameter ranges not valid code 0x%02x", __func__,
1013 cmd_code);
1014 return true;
1015 }
1016
1017 return false;
1018 }
1019
1020 /*******************************************************************************
1021 *
1022 * Function smp_command_has_valid_fixed_length
1023 *
1024 * Description Checks if the received command size is equal to the size
1025 * according to specs.
1026 *
1027 * Returns true if the command size is as expected, false otherwise.
1028 *
1029 * Note The command is expected to have fixed length.
1030 ******************************************************************************/
smp_command_has_valid_fixed_length(tSMP_CB * p_cb)1031 bool smp_command_has_valid_fixed_length(tSMP_CB* p_cb) {
1032 uint8_t cmd_code = p_cb->rcvd_cmd_code;
1033
1034 SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, cmd_code);
1035
1036 if (p_cb->rcvd_cmd_len != smp_cmd_size_per_spec[cmd_code]) {
1037 SMP_TRACE_WARNING(
1038 "Rcvd from the peer cmd 0x%02x with invalid length "
1039 "0x%02x (per spec the length is 0x%02x).",
1040 cmd_code, p_cb->rcvd_cmd_len, smp_cmd_size_per_spec[cmd_code]);
1041 return false;
1042 }
1043
1044 return true;
1045 }
1046
1047 /*******************************************************************************
1048 *
1049 * Function smp_pairing_request_response_parameters_are_valid
1050 *
1051 * Description Validates parameter ranges in the received SMP command
1052 * pairing request or pairing response.
1053 * The parameters to validate:
1054 * IO capability,
1055 * OOB data flag,
1056 * Bonding_flags in AuthReq
1057 * Maximum encryption key size.
1058 * Returns false if at least one of these parameters is out of
1059 * range.
1060 *
1061 ******************************************************************************/
smp_pairing_request_response_parameters_are_valid(tSMP_CB * p_cb)1062 bool smp_pairing_request_response_parameters_are_valid(tSMP_CB* p_cb) {
1063 uint8_t io_caps = p_cb->peer_io_caps;
1064 uint8_t oob_flag = p_cb->peer_oob_flag;
1065 uint8_t bond_flag =
1066 p_cb->peer_auth_req & 0x03; // 0x03 is gen bond with appropriate mask
1067 uint8_t enc_size = p_cb->peer_enc_size;
1068
1069 SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, p_cb->rcvd_cmd_code);
1070
1071 if (io_caps >= BTM_IO_CAP_MAX) {
1072 SMP_TRACE_WARNING(
1073 "Rcvd from the peer cmd 0x%02x with IO Capability "
1074 "value (0x%02x) out of range).",
1075 p_cb->rcvd_cmd_code, io_caps);
1076 return false;
1077 }
1078
1079 if (!((oob_flag == SMP_OOB_NONE) || (oob_flag == SMP_OOB_PRESENT))) {
1080 SMP_TRACE_WARNING(
1081 "Rcvd from the peer cmd 0x%02x with OOB data flag value "
1082 "(0x%02x) out of range).",
1083 p_cb->rcvd_cmd_code, oob_flag);
1084 return false;
1085 }
1086
1087 if (!((bond_flag == SMP_AUTH_NO_BOND) || (bond_flag == SMP_AUTH_BOND))) {
1088 SMP_TRACE_WARNING(
1089 "Rcvd from the peer cmd 0x%02x with Bonding_Flags value (0x%02x) "
1090 "out of range).",
1091 p_cb->rcvd_cmd_code, bond_flag);
1092 return false;
1093 }
1094
1095 if ((enc_size < SMP_ENCR_KEY_SIZE_MIN) ||
1096 (enc_size > SMP_ENCR_KEY_SIZE_MAX)) {
1097 SMP_TRACE_WARNING(
1098 "Rcvd from the peer cmd 0x%02x with Maximum Encryption "
1099 "Key value (0x%02x) out of range).",
1100 p_cb->rcvd_cmd_code, enc_size);
1101 return false;
1102 }
1103
1104 return true;
1105 }
1106
1107 /*******************************************************************************
1108 *
1109 * Function smp_pairing_keypress_notification_is_valid
1110 *
1111 * Description Validates Notification Type parameter range in the received
1112 * SMP command pairing keypress notification.
1113 * Returns false if this parameter is out of range.
1114 *
1115 ******************************************************************************/
smp_pairing_keypress_notification_is_valid(tSMP_CB * p_cb)1116 bool smp_pairing_keypress_notification_is_valid(tSMP_CB* p_cb) {
1117 tBTM_SP_KEY_TYPE keypress_notification = p_cb->peer_keypress_notification;
1118
1119 SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, p_cb->rcvd_cmd_code);
1120
1121 if (keypress_notification >= BTM_SP_KEY_OUT_OF_RANGE) {
1122 SMP_TRACE_WARNING(
1123 "Rcvd from the peer cmd 0x%02x with Pairing Keypress "
1124 "Notification value (0x%02x) out of range).",
1125 p_cb->rcvd_cmd_code, keypress_notification);
1126 return false;
1127 }
1128
1129 return true;
1130 }
1131
1132 /*******************************************************************************
1133 *
1134 * Function smp_parameter_unconditionally_valid
1135 *
1136 * Description Always returns true.
1137 *
1138 ******************************************************************************/
smp_parameter_unconditionally_valid(UNUSED_ATTR tSMP_CB * p_cb)1139 bool smp_parameter_unconditionally_valid(UNUSED_ATTR tSMP_CB* p_cb) {
1140 return true;
1141 }
1142
1143 /*******************************************************************************
1144 *
1145 * Function smp_parameter_unconditionally_invalid
1146 *
1147 * Description Always returns false.
1148 *
1149 ******************************************************************************/
smp_parameter_unconditionally_invalid(UNUSED_ATTR tSMP_CB * p_cb)1150 bool smp_parameter_unconditionally_invalid(UNUSED_ATTR tSMP_CB* p_cb) {
1151 return false;
1152 }
1153
1154 /*******************************************************************************
1155 *
1156 * Function smp_reject_unexpected_pairing_command
1157 *
1158 * Description send pairing failure to an unexpected pairing command during
1159 * an active pairing process.
1160 *
1161 * Returns void
1162 *
1163 ******************************************************************************/
smp_reject_unexpected_pairing_command(const RawAddress & bd_addr)1164 void smp_reject_unexpected_pairing_command(const RawAddress& bd_addr) {
1165 uint8_t* p;
1166 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_FAIL_SIZE +
1167 L2CAP_MIN_OFFSET);
1168
1169 SMP_TRACE_DEBUG("%s", __func__);
1170
1171 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
1172 UINT8_TO_STREAM(p, SMP_OPCODE_PAIRING_FAILED);
1173 UINT8_TO_STREAM(p, SMP_PAIR_NOT_SUPPORT);
1174
1175 p_buf->offset = L2CAP_MIN_OFFSET;
1176 p_buf->len = SMP_PAIR_FAIL_SIZE;
1177
1178 smp_send_msg_to_L2CAP(bd_addr, p_buf);
1179 }
1180
1181 /*******************************************************************************
1182 * Function smp_select_association_model
1183 *
1184 * Description This function selects association model to use for STK
1185 * generation. Selection is based on both sides' io capability,
1186 * oob data flag and authentication request.
1187 *
1188 * Note If Secure Connections Only mode is required locally then we
1189 * come to this point only if both sides support Secure
1190 * Connections mode, i.e.
1191 * if p_cb->secure_connections_only_mode_required = true
1192 * then we come to this point only if
1193 * (p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT) ==
1194 * (p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) ==
1195 * SMP_SC_SUPPORT_BIT
1196 *
1197 ******************************************************************************/
smp_select_association_model(tSMP_CB * p_cb)1198 tSMP_ASSO_MODEL smp_select_association_model(tSMP_CB* p_cb) {
1199 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE;
1200 p_cb->le_secure_connections_mode_is_used = false;
1201
1202 SMP_TRACE_EVENT("%s", __func__);
1203 SMP_TRACE_DEBUG("%s p_cb->peer_io_caps = %d p_cb->local_io_capability = %d",
1204 __func__, p_cb->peer_io_caps, p_cb->local_io_capability);
1205 SMP_TRACE_DEBUG("%s p_cb->peer_oob_flag = %d p_cb->loc_oob_flag = %d",
1206 __func__, p_cb->peer_oob_flag, p_cb->loc_oob_flag);
1207 SMP_TRACE_DEBUG("%s p_cb->peer_auth_req = 0x%02x p_cb->loc_auth_req = 0x%02x",
1208 __func__, p_cb->peer_auth_req, p_cb->loc_auth_req);
1209 SMP_TRACE_DEBUG(
1210 "%s p_cb->secure_connections_only_mode_required = %s", __func__,
1211 p_cb->secure_connections_only_mode_required ? "true" : "false");
1212
1213 if ((p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT) &&
1214 (p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT)) {
1215 p_cb->le_secure_connections_mode_is_used = true;
1216 }
1217
1218 if ((p_cb->peer_auth_req & SMP_H7_SUPPORT_BIT) &&
1219 (p_cb->loc_auth_req & SMP_H7_SUPPORT_BIT)) {
1220 p_cb->key_derivation_h7_used = TRUE;
1221 }
1222
1223 SMP_TRACE_DEBUG("use_sc_process = %d, h7 use = %d",
1224 p_cb->le_secure_connections_mode_is_used,
1225 p_cb->key_derivation_h7_used);
1226
1227 if (p_cb->le_secure_connections_mode_is_used) {
1228 model = smp_select_association_model_secure_connections(p_cb);
1229 } else {
1230 model = smp_select_legacy_association_model(p_cb);
1231 }
1232 return model;
1233 }
1234
1235 /*******************************************************************************
1236 * Function smp_select_legacy_association_model
1237 *
1238 * Description This function is called to select association mode if at
1239 * least one side doesn't support secure connections.
1240 *
1241 ******************************************************************************/
smp_select_legacy_association_model(tSMP_CB * p_cb)1242 tSMP_ASSO_MODEL smp_select_legacy_association_model(tSMP_CB* p_cb) {
1243 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE;
1244
1245 SMP_TRACE_DEBUG("%s", __func__);
1246 /* if OOB data is present on both devices, then use OOB association model */
1247 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT &&
1248 p_cb->loc_oob_flag == SMP_OOB_PRESENT)
1249 return SMP_MODEL_OOB;
1250
1251 /* else if neither device requires MITM, then use Just Works association model
1252 */
1253 if (SMP_NO_MITM_REQUIRED(p_cb->peer_auth_req) &&
1254 SMP_NO_MITM_REQUIRED(p_cb->loc_auth_req))
1255 return SMP_MODEL_ENCRYPTION_ONLY;
1256
1257 /* otherwise use IO capability to select association model */
1258 if (p_cb->peer_io_caps < SMP_IO_CAP_MAX &&
1259 p_cb->local_io_capability < SMP_IO_CAP_MAX) {
1260 if (p_cb->role == HCI_ROLE_MASTER) {
1261 model = smp_association_table[p_cb->role][p_cb->peer_io_caps]
1262 [p_cb->local_io_capability];
1263 } else {
1264 model = smp_association_table[p_cb->role][p_cb->local_io_capability]
1265 [p_cb->peer_io_caps];
1266 }
1267 }
1268
1269 return model;
1270 }
1271
1272 /*******************************************************************************
1273 * Function smp_select_association_model_secure_connections
1274 *
1275 * Description This function is called to select association mode if both
1276 * sides support secure connections.
1277 *
1278 ******************************************************************************/
smp_select_association_model_secure_connections(tSMP_CB * p_cb)1279 tSMP_ASSO_MODEL smp_select_association_model_secure_connections(tSMP_CB* p_cb) {
1280 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE;
1281
1282 SMP_TRACE_DEBUG("%s", __func__);
1283 /* if OOB data is present on at least one device, then use OOB association
1284 * model */
1285 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT ||
1286 p_cb->loc_oob_flag == SMP_OOB_PRESENT)
1287 return SMP_MODEL_SEC_CONN_OOB;
1288
1289 /* else if neither device requires MITM, then use Just Works association model
1290 */
1291 if (SMP_NO_MITM_REQUIRED(p_cb->peer_auth_req) &&
1292 SMP_NO_MITM_REQUIRED(p_cb->loc_auth_req))
1293 return SMP_MODEL_SEC_CONN_JUSTWORKS;
1294
1295 /* otherwise use IO capability to select association model */
1296 if (p_cb->peer_io_caps < SMP_IO_CAP_MAX &&
1297 p_cb->local_io_capability < SMP_IO_CAP_MAX) {
1298 if (p_cb->role == HCI_ROLE_MASTER) {
1299 model = smp_association_table_sc[p_cb->role][p_cb->peer_io_caps]
1300 [p_cb->local_io_capability];
1301 } else {
1302 model = smp_association_table_sc[p_cb->role][p_cb->local_io_capability]
1303 [p_cb->peer_io_caps];
1304 }
1305 }
1306
1307 return model;
1308 }
1309
1310 /*******************************************************************************
1311 * Function smp_reverse_array
1312 *
1313 * Description This function reverses array bytes
1314 *
1315 ******************************************************************************/
smp_reverse_array(uint8_t * arr,uint8_t len)1316 void smp_reverse_array(uint8_t* arr, uint8_t len) {
1317 uint8_t i = 0, tmp;
1318
1319 SMP_TRACE_DEBUG("smp_reverse_array");
1320
1321 for (i = 0; i < len / 2; i++) {
1322 tmp = arr[i];
1323 arr[i] = arr[len - 1 - i];
1324 arr[len - 1 - i] = tmp;
1325 }
1326 }
1327
1328 /*******************************************************************************
1329 * Function smp_calculate_random_input
1330 *
1331 * Description This function returns random input value to be used in
1332 * commitment calculation for SC passkey entry association mode
1333 * (if bit["round"] in "random" array == 1 then returns 0x81
1334 * else returns 0x80).
1335 *
1336 * Returns ri value
1337 *
1338 ******************************************************************************/
smp_calculate_random_input(uint8_t * random,uint8_t round)1339 uint8_t smp_calculate_random_input(uint8_t* random, uint8_t round) {
1340 uint8_t i = round / 8;
1341 uint8_t j = round % 8;
1342 uint8_t ri;
1343
1344 SMP_TRACE_DEBUG("random: 0x%02x, round: %d, i: %d, j: %d", random[i], round,
1345 i, j);
1346 ri = ((random[i] >> j) & 1) | 0x80;
1347 SMP_TRACE_DEBUG("%s ri=0x%02x", __func__, ri);
1348 return ri;
1349 }
1350
1351 /*******************************************************************************
1352 * Function smp_collect_local_io_capabilities
1353 *
1354 * Description This function puts into IOcap array local device
1355 * IOCapability, OOB data, AuthReq.
1356 *
1357 * Returns void
1358 *
1359 ******************************************************************************/
smp_collect_local_io_capabilities(uint8_t * iocap,tSMP_CB * p_cb)1360 void smp_collect_local_io_capabilities(uint8_t* iocap, tSMP_CB* p_cb) {
1361 SMP_TRACE_DEBUG("%s", __func__);
1362
1363 iocap[0] = p_cb->local_io_capability;
1364 iocap[1] = p_cb->loc_oob_flag;
1365 iocap[2] = p_cb->loc_auth_req;
1366 }
1367
1368 /*******************************************************************************
1369 * Function smp_collect_peer_io_capabilities
1370 *
1371 * Description This function puts into IOcap array peer device
1372 * IOCapability, OOB data, AuthReq.
1373 *
1374 * Returns void
1375 *
1376 ******************************************************************************/
smp_collect_peer_io_capabilities(uint8_t * iocap,tSMP_CB * p_cb)1377 void smp_collect_peer_io_capabilities(uint8_t* iocap, tSMP_CB* p_cb) {
1378 SMP_TRACE_DEBUG("%s", __func__);
1379
1380 iocap[0] = p_cb->peer_io_caps;
1381 iocap[1] = p_cb->peer_oob_flag;
1382 iocap[2] = p_cb->peer_auth_req;
1383 }
1384
1385 /*******************************************************************************
1386 * Function smp_collect_local_ble_address
1387 *
1388 * Description Put the the local device LE address into the le_addr array:
1389 * le_addr[0-5] = local BD ADDR,
1390 * le_addr[6] = local le address type (PUBLIC/RANDOM).
1391 *
1392 * Returns void
1393 *
1394 ******************************************************************************/
smp_collect_local_ble_address(uint8_t * le_addr,tSMP_CB * p_cb)1395 void smp_collect_local_ble_address(uint8_t* le_addr, tSMP_CB* p_cb) {
1396 tBLE_ADDR_TYPE addr_type = 0;
1397 RawAddress bda;
1398 uint8_t* p = le_addr;
1399
1400 SMP_TRACE_DEBUG("%s", __func__);
1401
1402 BTM_ReadConnectionAddr(p_cb->pairing_bda, bda, &addr_type);
1403 BDADDR_TO_STREAM(p, bda);
1404 UINT8_TO_STREAM(p, addr_type);
1405 }
1406
1407 /*******************************************************************************
1408 * Function smp_collect_peer_ble_address
1409 *
1410 * Description Put the peer device LE addr into the le_addr array:
1411 * le_addr[0-5] = peer BD ADDR,
1412 * le_addr[6] = peer le address type (PUBLIC/RANDOM).
1413 *
1414 * Returns void
1415 *
1416 ******************************************************************************/
smp_collect_peer_ble_address(uint8_t * le_addr,tSMP_CB * p_cb)1417 void smp_collect_peer_ble_address(uint8_t* le_addr, tSMP_CB* p_cb) {
1418 tBLE_ADDR_TYPE addr_type = 0;
1419 RawAddress bda;
1420 uint8_t* p = le_addr;
1421
1422 SMP_TRACE_DEBUG("%s", __func__);
1423
1424 if (!BTM_ReadRemoteConnectionAddr(p_cb->pairing_bda, bda, &addr_type)) {
1425 SMP_TRACE_ERROR(
1426 "can not collect peer le addr information for unknown device");
1427 return;
1428 }
1429
1430 BDADDR_TO_STREAM(p, bda);
1431 UINT8_TO_STREAM(p, addr_type);
1432 }
1433
1434 /*******************************************************************************
1435 * Function smp_check_commitment
1436 *
1437 * Description This function compares peer commitment values:
1438 * - expected (i.e. calculated locally),
1439 * - received from the peer.
1440 *
1441 * Returns true if the values are the same
1442 * false otherwise
1443 *
1444 ******************************************************************************/
smp_check_commitment(tSMP_CB * p_cb)1445 bool smp_check_commitment(tSMP_CB* p_cb) {
1446
1447 SMP_TRACE_DEBUG("%s", __func__);
1448
1449 Octet16 expected = smp_calculate_peer_commitment(p_cb);
1450 print128(expected, (const uint8_t*)"calculated peer commitment");
1451 print128(p_cb->remote_commitment, (const uint8_t*)"received peer commitment");
1452
1453 if (memcmp(p_cb->remote_commitment.data(), expected.data(), OCTET16_LEN)) {
1454 SMP_TRACE_WARNING("%s: Commitment check fails", __func__);
1455 return false;
1456 }
1457
1458 SMP_TRACE_DEBUG("%s: Commitment check succeeds", __func__);
1459 return true;
1460 }
1461
1462 /*******************************************************************************
1463 *
1464 * Function smp_save_secure_connections_long_term_key
1465 *
1466 * Description The function saves SC LTK as BLE key for future use as local
1467 * and/or peer key.
1468 *
1469 * Returns void
1470 *
1471 ******************************************************************************/
smp_save_secure_connections_long_term_key(tSMP_CB * p_cb)1472 void smp_save_secure_connections_long_term_key(tSMP_CB* p_cb) {
1473 tBTM_LE_KEY_VALUE lle_key;
1474 tBTM_LE_KEY_VALUE ple_key;
1475
1476 SMP_TRACE_DEBUG("%s-Save LTK as local LTK key", __func__);
1477 lle_key.lenc_key.ltk = p_cb->ltk;
1478 lle_key.lenc_key.div = 0;
1479 lle_key.lenc_key.key_size = p_cb->loc_enc_size;
1480 lle_key.lenc_key.sec_level = p_cb->sec_level;
1481 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC, &lle_key, true);
1482
1483 SMP_TRACE_DEBUG("%s-Save LTK as peer LTK key", __func__);
1484 ple_key.penc_key.ediv = 0;
1485 memset(ple_key.penc_key.rand, 0, BT_OCTET8_LEN);
1486 ple_key.penc_key.ltk = p_cb->ltk;
1487 ple_key.penc_key.sec_level = p_cb->sec_level;
1488 ple_key.penc_key.key_size = p_cb->loc_enc_size;
1489 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC, &ple_key, true);
1490 }
1491
1492 /** The function calculates MacKey and LTK and saves them in CB. To calculate
1493 * MacKey and LTK it calls smp_calc_f5(...). MacKey is used in dhkey
1494 * calculation, LTK is used to encrypt the link. */
smp_calculate_f5_mackey_and_long_term_key(tSMP_CB * p_cb)1495 void smp_calculate_f5_mackey_and_long_term_key(tSMP_CB* p_cb) {
1496 uint8_t a[7];
1497 uint8_t b[7];
1498 Octet16 na;
1499 Octet16 nb;
1500
1501 SMP_TRACE_DEBUG("%s", __func__);
1502
1503 if (p_cb->role == HCI_ROLE_MASTER) {
1504 smp_collect_local_ble_address(a, p_cb);
1505 smp_collect_peer_ble_address(b, p_cb);
1506 na = p_cb->rand;
1507 nb = p_cb->rrand;
1508 } else {
1509 smp_collect_local_ble_address(b, p_cb);
1510 smp_collect_peer_ble_address(a, p_cb);
1511 na = p_cb->rrand;
1512 nb = p_cb->rand;
1513 }
1514
1515 crypto_toolbox::f5(p_cb->dhkey, na, nb, a, b, &p_cb->mac_key, &p_cb->ltk);
1516
1517 SMP_TRACE_EVENT("%s is completed", __func__);
1518 }
1519
1520 /*******************************************************************************
1521 *
1522 * Function smp_request_oob_data
1523 *
1524 * Description Requests application to provide OOB data.
1525 *
1526 * Returns true - OOB data has to be provided by application
1527 * false - otherwise (unexpected)
1528 *
1529 ******************************************************************************/
smp_request_oob_data(tSMP_CB * p_cb)1530 bool smp_request_oob_data(tSMP_CB* p_cb) {
1531 tSMP_OOB_DATA_TYPE req_oob_type = SMP_OOB_INVALID_TYPE;
1532
1533 SMP_TRACE_DEBUG("%s", __func__);
1534
1535 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT &&
1536 p_cb->loc_oob_flag == SMP_OOB_PRESENT) {
1537 /* both local and peer rcvd data OOB */
1538 req_oob_type = SMP_OOB_BOTH;
1539 } else if (p_cb->peer_oob_flag == SMP_OOB_PRESENT) {
1540 /* peer rcvd OOB local data, local didn't receive OOB peer data */
1541 req_oob_type = SMP_OOB_LOCAL;
1542 } else if (p_cb->loc_oob_flag == SMP_OOB_PRESENT) {
1543 req_oob_type = SMP_OOB_PEER;
1544 }
1545
1546 SMP_TRACE_DEBUG("req_oob_type = %d", req_oob_type);
1547
1548 if (req_oob_type == SMP_OOB_INVALID_TYPE) return false;
1549
1550 p_cb->req_oob_type = req_oob_type;
1551 p_cb->cb_evt = SMP_SC_OOB_REQ_EVT;
1552 tSMP_INT_DATA smp_int_data;
1553 smp_int_data.req_oob_type = req_oob_type;
1554 smp_sm_event(p_cb, SMP_TK_REQ_EVT, &smp_int_data);
1555
1556 return true;
1557 }
1558
print128(const Octet16 & x,const uint8_t * key_name)1559 void print128(const Octet16& x, const uint8_t* key_name) {
1560 if (VLOG_IS_ON(2) && DLOG_IS_ON(INFO)) {
1561 uint8_t* p = (uint8_t*)x.data();
1562
1563 DVLOG(2) << key_name << " (MSB ~ LSB) = ";
1564 for (int i = 0; i < 4; i++) {
1565 DVLOG(2) << +p[OCTET16_LEN - i * 4 - 1] << +p[OCTET16_LEN - i * 4 - 2]
1566 << +p[OCTET16_LEN - i * 4 - 3] << +p[OCTET16_LEN - i * 4 - 4];
1567 }
1568 }
1569 }
1570