1 /******************************************************************************
2 *
3 * Copyright 2003-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 #include <cutils/log.h>
20 #include <log/log.h>
21 #include <string.h>
22 #include "btif_api.h"
23 #include "btif_common.h"
24 #include "btif_storage.h"
25 #include "device/include/interop.h"
26 #include "internal_include/bt_target.h"
27 #include "stack/btm/btm_int.h"
28 #include "stack/include/l2c_api.h"
29 #include "stack/smp/p_256_ecc_pp.h"
30 #include "stack/smp/smp_int.h"
31 #include "utils/include/bt_utils.h"
32
33 #define SMP_KEY_DIST_TYPE_MAX 4
34
35 const tSMP_ACT smp_distribute_act[] = {
36 smp_generate_ltk, /* SMP_SEC_KEY_TYPE_ENC - '1' bit index */
37 smp_send_id_info, /* SMP_SEC_KEY_TYPE_ID - '1' bit index */
38 smp_generate_csrk, /* SMP_SEC_KEY_TYPE_CSRK - '1' bit index */
39 smp_set_derive_link_key /* SMP_SEC_KEY_TYPE_LK - '1' bit index */
40 };
41
lmp_version_below(const RawAddress & bda,uint8_t version)42 static bool lmp_version_below(const RawAddress& bda, uint8_t version) {
43 tACL_CONN* acl = btm_bda_to_acl(bda, BT_TRANSPORT_LE);
44 if (acl == NULL || acl->lmp_version == 0) {
45 SMP_TRACE_WARNING("%s cannot retrieve LMP version...", __func__);
46 return false;
47 }
48 SMP_TRACE_WARNING("%s LMP version %d < %d", __func__, acl->lmp_version,
49 version);
50 return acl->lmp_version < version;
51 }
52
pts_test_send_authentication_complete_failure(tSMP_CB * p_cb)53 static bool pts_test_send_authentication_complete_failure(tSMP_CB* p_cb) {
54 uint8_t reason = p_cb->cert_failure;
55 if (reason == SMP_PAIR_AUTH_FAIL || reason == SMP_PAIR_FAIL_UNKNOWN ||
56 reason == SMP_PAIR_NOT_SUPPORT || reason == SMP_PASSKEY_ENTRY_FAIL ||
57 reason == SMP_REPEATED_ATTEMPTS) {
58 tSMP_INT_DATA smp_int_data;
59 smp_int_data.status = reason;
60 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
61 return true;
62 }
63 return false;
64 }
65
66 /*******************************************************************************
67 * Function smp_update_key_mask
68 * Description This function updates the key mask for sending or receiving.
69 ******************************************************************************/
smp_update_key_mask(tSMP_CB * p_cb,uint8_t key_type,bool recv)70 static void smp_update_key_mask(tSMP_CB* p_cb, uint8_t key_type, bool recv) {
71 SMP_TRACE_DEBUG(
72 "%s before update role=%d recv=%d local_i_key = %02x, local_r_key = %02x",
73 __func__, p_cb->role, recv, p_cb->local_i_key, p_cb->local_r_key);
74
75 if (((p_cb->le_secure_connections_mode_is_used) || (p_cb->smp_over_br)) &&
76 ((key_type == SMP_SEC_KEY_TYPE_ENC) ||
77 (key_type == SMP_SEC_KEY_TYPE_LK))) {
78 /* in LE SC mode LTK, CSRK and BR/EDR LK are derived locally instead of
79 ** being exchanged with the peer */
80 p_cb->local_i_key &= ~key_type;
81 p_cb->local_r_key &= ~key_type;
82 } else if (p_cb->role == HCI_ROLE_SLAVE) {
83 if (recv)
84 p_cb->local_i_key &= ~key_type;
85 else
86 p_cb->local_r_key &= ~key_type;
87 } else {
88 if (recv)
89 p_cb->local_r_key &= ~key_type;
90 else
91 p_cb->local_i_key &= ~key_type;
92 }
93
94 SMP_TRACE_DEBUG("updated local_i_key = %02x, local_r_key = %02x",
95 p_cb->local_i_key, p_cb->local_r_key);
96 }
97
98 /*******************************************************************************
99 * Function smp_send_app_cback
100 * Description notifies application about the events the application is
101 * interested in
102 ******************************************************************************/
smp_send_app_cback(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)103 void smp_send_app_cback(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
104 tSMP_EVT_DATA cb_data;
105 tSMP_STATUS callback_rc;
106 SMP_TRACE_DEBUG("%s p_cb->cb_evt=%d", __func__, p_cb->cb_evt);
107 if (p_cb->p_callback && p_cb->cb_evt != 0) {
108 switch (p_cb->cb_evt) {
109 case SMP_IO_CAP_REQ_EVT:
110 cb_data.io_req.auth_req = p_cb->peer_auth_req;
111 cb_data.io_req.oob_data = SMP_OOB_NONE;
112 cb_data.io_req.io_cap = btif_storage_get_local_io_caps_ble();
113 cb_data.io_req.max_key_size = SMP_MAX_ENC_KEY_SIZE;
114 cb_data.io_req.init_keys = p_cb->local_i_key;
115 cb_data.io_req.resp_keys = p_cb->local_r_key;
116 SMP_TRACE_WARNING("io_cap = %d", cb_data.io_req.io_cap);
117 break;
118
119 case SMP_NC_REQ_EVT:
120 cb_data.passkey = p_data->passkey;
121 break;
122 case SMP_SC_OOB_REQ_EVT:
123 cb_data.req_oob_type = p_data->req_oob_type;
124 break;
125 case SMP_SC_LOC_OOB_DATA_UP_EVT:
126 cb_data.loc_oob_data = p_cb->sc_oob_data.loc_oob_data;
127 break;
128
129 case SMP_BR_KEYS_REQ_EVT:
130 cb_data.io_req.auth_req = 0;
131 cb_data.io_req.oob_data = SMP_OOB_NONE;
132 cb_data.io_req.io_cap = 0;
133 cb_data.io_req.max_key_size = SMP_MAX_ENC_KEY_SIZE;
134 cb_data.io_req.init_keys = SMP_BR_SEC_DEFAULT_KEY;
135 cb_data.io_req.resp_keys = SMP_BR_SEC_DEFAULT_KEY;
136 break;
137
138 default:
139 break;
140 }
141
142 callback_rc =
143 (*p_cb->p_callback)(p_cb->cb_evt, p_cb->pairing_bda, &cb_data);
144
145 SMP_TRACE_DEBUG("%s: callback_rc=%d p_cb->cb_evt=%d", __func__,
146 callback_rc, p_cb->cb_evt);
147
148 if (callback_rc == SMP_SUCCESS) {
149 switch (p_cb->cb_evt) {
150 case SMP_IO_CAP_REQ_EVT:
151 p_cb->loc_auth_req = cb_data.io_req.auth_req;
152 p_cb->local_io_capability = cb_data.io_req.io_cap;
153 p_cb->loc_oob_flag = cb_data.io_req.oob_data;
154 p_cb->loc_enc_size = cb_data.io_req.max_key_size;
155 p_cb->local_i_key = cb_data.io_req.init_keys;
156 p_cb->local_r_key = cb_data.io_req.resp_keys;
157
158 if (!(p_cb->loc_auth_req & SMP_AUTH_BOND)) {
159 SMP_TRACE_WARNING("Non bonding: No keys will be exchanged");
160 p_cb->local_i_key = 0;
161 p_cb->local_r_key = 0;
162 }
163
164 SMP_TRACE_WARNING(
165 "rcvd auth_req: 0x%02x, io_cap: %d "
166 "loc_oob_flag: %d loc_enc_size: %d, "
167 "local_i_key: 0x%02x, local_r_key: 0x%02x",
168 p_cb->loc_auth_req, p_cb->local_io_capability, p_cb->loc_oob_flag,
169 p_cb->loc_enc_size, p_cb->local_i_key, p_cb->local_r_key);
170
171 p_cb->secure_connections_only_mode_required =
172 (btm_cb.security_mode == BTM_SEC_MODE_SC) ? true : false;
173 /* just for PTS, force SC bit */
174 if (p_cb->secure_connections_only_mode_required) {
175 p_cb->loc_auth_req |= SMP_SC_SUPPORT_BIT;
176 }
177
178 if (!p_cb->secure_connections_only_mode_required &&
179 (!(p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) ||
180 lmp_version_below(p_cb->pairing_bda, HCI_PROTO_VERSION_4_2) ||
181 interop_match_addr(INTEROP_DISABLE_LE_SECURE_CONNECTIONS,
182 (const RawAddress*)&p_cb->pairing_bda))) {
183 p_cb->loc_auth_req &= ~SMP_SC_SUPPORT_BIT;
184 p_cb->loc_auth_req &= ~SMP_KP_SUPPORT_BIT;
185 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
186 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
187 }
188
189 if (lmp_version_below(p_cb->pairing_bda, HCI_PROTO_VERSION_5_0)) {
190 p_cb->loc_auth_req &= ~SMP_H7_SUPPORT_BIT;
191 }
192
193 SMP_TRACE_WARNING(
194 "set auth_req: 0x%02x, local_i_key: 0x%02x, local_r_key: 0x%02x",
195 p_cb->loc_auth_req, p_cb->local_i_key, p_cb->local_r_key);
196
197 smp_sm_event(p_cb, SMP_IO_RSP_EVT, NULL);
198 break;
199
200 case SMP_BR_KEYS_REQ_EVT:
201 p_cb->loc_enc_size = cb_data.io_req.max_key_size;
202 p_cb->local_i_key = cb_data.io_req.init_keys;
203 p_cb->local_r_key = cb_data.io_req.resp_keys;
204 p_cb->loc_auth_req |= SMP_H7_SUPPORT_BIT;
205
206 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
207 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
208
209 SMP_TRACE_WARNING(
210 "for SMP over BR max_key_size: 0x%02x, local_i_key: 0x%02x, "
211 "local_r_key: 0x%02x, p_cb->loc_auth_req: 0x%02x",
212 p_cb->loc_enc_size, p_cb->local_i_key, p_cb->local_r_key,
213 p_cb->loc_auth_req);
214
215 smp_br_state_machine_event(p_cb, SMP_BR_KEYS_RSP_EVT, NULL);
216 break;
217 }
218 }
219 }
220
221 if (!p_cb->cb_evt && p_cb->discard_sec_req) {
222 p_cb->discard_sec_req = false;
223 smp_sm_event(p_cb, SMP_DISCARD_SEC_REQ_EVT, NULL);
224 }
225
226 SMP_TRACE_DEBUG("%s: return", __func__);
227 }
228
229 /*******************************************************************************
230 * Function smp_send_pair_fail
231 * Description pairing failure to peer device if needed.
232 ******************************************************************************/
smp_send_pair_fail(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)233 void smp_send_pair_fail(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
234 p_cb->status = p_data->status;
235 p_cb->failure = p_data->status;
236
237 SMP_TRACE_DEBUG("%s: status=%d failure=%d ", __func__, p_cb->status,
238 p_cb->failure);
239
240 if (p_cb->status <= SMP_MAX_FAIL_RSN_PER_SPEC &&
241 p_cb->status != SMP_SUCCESS) {
242 smp_send_cmd(SMP_OPCODE_PAIRING_FAILED, p_cb);
243 p_cb->wait_for_authorization_complete = true;
244 }
245 }
246
247 /*******************************************************************************
248 * Function smp_send_pair_req
249 * Description actions related to sending pairing request
250 ******************************************************************************/
smp_send_pair_req(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)251 void smp_send_pair_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
252 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
253 SMP_TRACE_DEBUG("%s", __func__);
254
255 /* erase all keys when master sends pairing req*/
256 if (p_dev_rec) btm_sec_clear_ble_keys(p_dev_rec);
257 /* do not manipulate the key, let app decide,
258 leave out to BTM to mandate key distribution for bonding case */
259 smp_send_cmd(SMP_OPCODE_PAIRING_REQ, p_cb);
260 }
261
262 /*******************************************************************************
263 * Function smp_send_pair_rsp
264 * Description actions related to sending pairing response
265 ******************************************************************************/
smp_send_pair_rsp(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)266 void smp_send_pair_rsp(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
267 SMP_TRACE_DEBUG("%s", __func__);
268
269 p_cb->local_i_key &= p_cb->peer_i_key;
270 p_cb->local_r_key &= p_cb->peer_r_key;
271
272 if (smp_send_cmd(SMP_OPCODE_PAIRING_RSP, p_cb)) {
273 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB)
274 smp_use_oob_private_key(p_cb, NULL);
275 else
276 smp_decide_association_model(p_cb, NULL);
277 }
278 }
279
280 /*******************************************************************************
281 * Function smp_send_confirm
282 * Description send confirmation to the peer
283 ******************************************************************************/
smp_send_confirm(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)284 void smp_send_confirm(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
285 SMP_TRACE_DEBUG("%s", __func__);
286 smp_send_cmd(SMP_OPCODE_CONFIRM, p_cb);
287 }
288
289 /*******************************************************************************
290 * Function smp_send_init
291 * Description process pairing initializer to slave device
292 ******************************************************************************/
smp_send_init(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)293 void smp_send_init(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
294 SMP_TRACE_DEBUG("%s", __func__);
295 smp_send_cmd(SMP_OPCODE_INIT, p_cb);
296 }
297
298 /*******************************************************************************
299 * Function smp_send_rand
300 * Description send pairing random to the peer
301 ******************************************************************************/
smp_send_rand(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)302 void smp_send_rand(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
303 SMP_TRACE_DEBUG("%s", __func__);
304 smp_send_cmd(SMP_OPCODE_RAND, p_cb);
305 }
306
307 /*******************************************************************************
308 * Function smp_send_pair_public_key
309 * Description send pairing public key command to the peer
310 ******************************************************************************/
smp_send_pair_public_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)311 void smp_send_pair_public_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
312 SMP_TRACE_DEBUG("%s", __func__);
313 smp_send_cmd(SMP_OPCODE_PAIR_PUBLIC_KEY, p_cb);
314 }
315
316 /*******************************************************************************
317 * Function SMP_SEND_COMMITMENT
318 * Description send commitment command to the peer
319 ******************************************************************************/
smp_send_commitment(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)320 void smp_send_commitment(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
321 SMP_TRACE_DEBUG("%s", __func__);
322 smp_send_cmd(SMP_OPCODE_PAIR_COMMITM, p_cb);
323 }
324
325 /*******************************************************************************
326 * Function smp_send_dhkey_check
327 * Description send DHKey Check command to the peer
328 ******************************************************************************/
smp_send_dhkey_check(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)329 void smp_send_dhkey_check(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
330 SMP_TRACE_DEBUG("%s", __func__);
331 smp_send_cmd(SMP_OPCODE_PAIR_DHKEY_CHECK, p_cb);
332 }
333
334 /*******************************************************************************
335 * Function smp_send_keypress_notification
336 * Description send Keypress Notification command to the peer
337 ******************************************************************************/
smp_send_keypress_notification(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)338 void smp_send_keypress_notification(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
339 p_cb->local_keypress_notification = p_data->status;
340 smp_send_cmd(SMP_OPCODE_PAIR_KEYPR_NOTIF, p_cb);
341 }
342
343 /*******************************************************************************
344 * Function smp_send_enc_info
345 * Description send encryption information command.
346 ******************************************************************************/
smp_send_enc_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)347 void smp_send_enc_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
348 tBTM_LE_KEY_VALUE le_key;
349
350 SMP_TRACE_DEBUG("%s: p_cb->loc_enc_size = %d", __func__, p_cb->loc_enc_size);
351 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, false);
352
353 smp_send_cmd(SMP_OPCODE_ENCRYPT_INFO, p_cb);
354 smp_send_cmd(SMP_OPCODE_MASTER_ID, p_cb);
355
356 /* save the DIV and key size information when acting as slave device */
357 le_key.lenc_key.ltk = p_cb->ltk;
358 le_key.lenc_key.div = p_cb->div;
359 le_key.lenc_key.key_size = p_cb->loc_enc_size;
360 le_key.lenc_key.sec_level = p_cb->sec_level;
361
362 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
363 (p_cb->loc_auth_req & SMP_AUTH_BOND))
364 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC, &le_key, true);
365
366 SMP_TRACE_WARNING("%s", __func__);
367
368 smp_key_distribution(p_cb, NULL);
369 }
370
371 /*******************************************************************************
372 * Function smp_send_id_info
373 * Description send ID information command.
374 ******************************************************************************/
smp_send_id_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)375 void smp_send_id_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
376 tBTM_LE_KEY_VALUE le_key;
377 SMP_TRACE_DEBUG("%s", __func__);
378 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ID, false);
379
380 smp_send_cmd(SMP_OPCODE_IDENTITY_INFO, p_cb);
381 smp_send_cmd(SMP_OPCODE_ID_ADDR, p_cb);
382
383 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
384 (p_cb->loc_auth_req & SMP_AUTH_BOND))
385 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LID, &le_key, true);
386
387 SMP_TRACE_WARNING("%s", __func__);
388 smp_key_distribution_by_transport(p_cb, NULL);
389 }
390
391 /** send CSRK command. */
smp_send_csrk_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)392 void smp_send_csrk_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
393 tBTM_LE_KEY_VALUE key;
394 SMP_TRACE_DEBUG("%s", __func__);
395 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_CSRK, false);
396
397 if (smp_send_cmd(SMP_OPCODE_SIGN_INFO, p_cb)) {
398 key.lcsrk_key.div = p_cb->div;
399 key.lcsrk_key.sec_level = p_cb->sec_level;
400 key.lcsrk_key.counter = 0; /* initialize the local counter */
401 key.lcsrk_key.csrk = p_cb->csrk;
402 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LCSRK, &key, true);
403 }
404
405 smp_key_distribution_by_transport(p_cb, NULL);
406 }
407
408 /*******************************************************************************
409 * Function smp_send_ltk_reply
410 * Description send LTK reply
411 ******************************************************************************/
smp_send_ltk_reply(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)412 void smp_send_ltk_reply(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
413 SMP_TRACE_DEBUG("%s", __func__);
414
415 Octet16 stk;
416 memcpy(stk.data(), p_data->key.p_data, stk.size());
417 /* send stk as LTK response */
418 btm_ble_ltk_request_reply(p_cb->pairing_bda, true, stk);
419 }
420
421 /*******************************************************************************
422 * Function smp_proc_sec_req
423 * Description process security request.
424 ******************************************************************************/
smp_proc_sec_req(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)425 void smp_proc_sec_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
426 tBTM_LE_AUTH_REQ auth_req = *(tBTM_LE_AUTH_REQ*)p_data->p_data;
427 tBTM_BLE_SEC_REQ_ACT sec_req_act;
428
429 SMP_TRACE_DEBUG("%s: auth_req=0x%x", __func__, auth_req);
430
431 p_cb->cb_evt = 0;
432
433 btm_ble_link_sec_check(p_cb->pairing_bda, auth_req, &sec_req_act);
434
435 SMP_TRACE_DEBUG("%s: sec_req_act=0x%x", __func__, sec_req_act);
436
437 switch (sec_req_act) {
438 case BTM_BLE_SEC_REQ_ACT_ENCRYPT:
439 SMP_TRACE_DEBUG("%s: BTM_BLE_SEC_REQ_ACT_ENCRYPT", __func__);
440 smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL);
441 break;
442
443 case BTM_BLE_SEC_REQ_ACT_PAIR:
444 p_cb->secure_connections_only_mode_required =
445 (btm_cb.security_mode == BTM_SEC_MODE_SC) ? true : false;
446
447 /* respond to non SC pairing request as failure in SC only mode */
448 if (p_cb->secure_connections_only_mode_required &&
449 (auth_req & SMP_SC_SUPPORT_BIT) == 0) {
450 tSMP_INT_DATA smp_int_data;
451 smp_int_data.status = SMP_PAIR_AUTH_FAIL;
452 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
453 } else {
454 /* initialize local i/r key to be default keys */
455 p_cb->peer_auth_req = auth_req;
456 p_cb->local_r_key = p_cb->local_i_key = SMP_SEC_DEFAULT_KEY;
457 p_cb->cb_evt = SMP_SEC_REQUEST_EVT;
458 }
459 break;
460
461 case BTM_BLE_SEC_REQ_ACT_DISCARD:
462 p_cb->discard_sec_req = true;
463 break;
464
465 default:
466 /* do nothing */
467 break;
468 }
469 }
470
471 /*******************************************************************************
472 * Function smp_proc_sec_grant
473 * Description process security grant.
474 ******************************************************************************/
smp_proc_sec_grant(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)475 void smp_proc_sec_grant(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
476 uint8_t res = p_data->status;
477 SMP_TRACE_DEBUG("%s", __func__);
478 if (res != SMP_SUCCESS) {
479 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, p_data);
480 } else /*otherwise, start pairing */
481 {
482 /* send IO request callback */
483 p_cb->cb_evt = SMP_IO_CAP_REQ_EVT;
484 }
485 }
486
487 /*******************************************************************************
488 * Function smp_proc_pair_fail
489 * Description process pairing failure from peer device
490 ******************************************************************************/
smp_proc_pair_fail(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)491 void smp_proc_pair_fail(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
492 SMP_TRACE_DEBUG("%s", __func__);
493
494 if (p_cb->rcvd_cmd_len < 2) {
495 android_errorWriteLog(0x534e4554, "111214739");
496 SMP_TRACE_WARNING("%s: rcvd_cmd_len %d too short: must be at least 2",
497 __func__, p_cb->rcvd_cmd_len);
498 p_cb->status = SMP_INVALID_PARAMETERS;
499 } else {
500 p_cb->status = p_data->status;
501 }
502
503 /* Cancel pending auth complete timer if set */
504 alarm_cancel(p_cb->delayed_auth_timer_ent);
505 }
506
507 /*******************************************************************************
508 * Function smp_proc_pair_cmd
509 * Description Process the SMP pairing request/response from peer device
510 ******************************************************************************/
smp_proc_pair_cmd(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)511 void smp_proc_pair_cmd(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
512 uint8_t* p = p_data->p_data;
513 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
514
515 SMP_TRACE_DEBUG("%s: pairing_bda=%s", __func__,
516 p_cb->pairing_bda.ToString().c_str());
517
518 /* erase all keys if it is slave proc pairing req */
519 if (p_dev_rec && (p_cb->role == HCI_ROLE_SLAVE))
520 btm_sec_clear_ble_keys(p_dev_rec);
521
522 p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR;
523
524 if (smp_command_has_invalid_length(p_cb)) {
525 tSMP_INT_DATA smp_int_data;
526 smp_int_data.status = SMP_INVALID_PARAMETERS;
527 android_errorWriteLog(0x534e4554, "111850706");
528 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
529 return;
530 }
531
532 STREAM_TO_UINT8(p_cb->peer_io_caps, p);
533 STREAM_TO_UINT8(p_cb->peer_oob_flag, p);
534 STREAM_TO_UINT8(p_cb->peer_auth_req, p);
535 STREAM_TO_UINT8(p_cb->peer_enc_size, p);
536 STREAM_TO_UINT8(p_cb->peer_i_key, p);
537 STREAM_TO_UINT8(p_cb->peer_r_key, p);
538
539 if (smp_command_has_invalid_parameters(p_cb)) {
540 tSMP_INT_DATA smp_int_data;
541 smp_int_data.status = SMP_INVALID_PARAMETERS;
542 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
543 return;
544 }
545
546 // PTS Testing failure modes
547 if (pts_test_send_authentication_complete_failure(p_cb)) return;
548
549 if (p_cb->role == HCI_ROLE_SLAVE) {
550 if (!(p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD)) {
551 /* peer (master) started pairing sending Pairing Request */
552 p_cb->local_i_key = p_cb->peer_i_key;
553 p_cb->local_r_key = p_cb->peer_r_key;
554
555 p_cb->cb_evt = SMP_SEC_REQUEST_EVT;
556 } else /* update local i/r key according to pairing request */
557 {
558 /* pairing started with this side (slave) sending Security Request */
559 p_cb->local_i_key &= p_cb->peer_i_key;
560 p_cb->local_r_key &= p_cb->peer_r_key;
561 p_cb->selected_association_model = smp_select_association_model(p_cb);
562
563 if (p_cb->secure_connections_only_mode_required &&
564 (!(p_cb->le_secure_connections_mode_is_used) ||
565 (p_cb->selected_association_model ==
566 SMP_MODEL_SEC_CONN_JUSTWORKS))) {
567 SMP_TRACE_ERROR(
568 "%s: pairing failed - slave requires secure connection only mode",
569 __func__);
570 tSMP_INT_DATA smp_int_data;
571 smp_int_data.status = SMP_PAIR_AUTH_FAIL;
572 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
573 return;
574 }
575
576 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) {
577 if (smp_request_oob_data(p_cb)) return;
578 } else {
579 smp_send_pair_rsp(p_cb, NULL);
580 }
581 }
582 } else /* Master receives pairing response */
583 {
584 p_cb->selected_association_model = smp_select_association_model(p_cb);
585
586 if (p_cb->secure_connections_only_mode_required &&
587 (!(p_cb->le_secure_connections_mode_is_used) ||
588 (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS))) {
589 SMP_TRACE_ERROR(
590 "Master requires secure connection only mode "
591 "but it can't be provided -> Master fails pairing");
592 tSMP_INT_DATA smp_int_data;
593 smp_int_data.status = SMP_PAIR_AUTH_FAIL;
594 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
595 return;
596 }
597
598 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) {
599 if (smp_request_oob_data(p_cb)) return;
600 } else {
601 smp_decide_association_model(p_cb, NULL);
602 }
603 }
604 }
605
606 /** process pairing confirm from peer device */
smp_proc_confirm(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)607 void smp_proc_confirm(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
608 SMP_TRACE_DEBUG("%s", __func__);
609
610 if (smp_command_has_invalid_parameters(p_cb)) {
611 tSMP_INT_DATA smp_int_data;
612 smp_int_data.status = SMP_INVALID_PARAMETERS;
613 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
614 return;
615 }
616
617 if (p_data) {
618 uint8_t* p = p_data->p_data;
619 if (p != NULL) {
620 /* save the SConfirm for comparison later */
621 STREAM_TO_ARRAY(p_cb->rconfirm.data(), p, OCTET16_LEN);
622 }
623 }
624
625 p_cb->flags |= SMP_PAIR_FLAGS_CMD_CONFIRM;
626 }
627
628 /** process pairing initializer from peer device */
smp_proc_init(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)629 void smp_proc_init(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
630 uint8_t* p = p_data->p_data;
631
632 SMP_TRACE_DEBUG("%s", __func__);
633
634 if (smp_command_has_invalid_parameters(p_cb)) {
635 tSMP_INT_DATA smp_int_data;
636 smp_int_data.status = SMP_INVALID_PARAMETERS;
637 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
638 return;
639 }
640
641 /* save the SRand for comparison */
642 STREAM_TO_ARRAY(p_cb->rrand.data(), p, OCTET16_LEN);
643 }
644
645 /*******************************************************************************
646 * Function smp_proc_rand
647 * Description process pairing random (nonce) from peer device
648 ******************************************************************************/
smp_proc_rand(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)649 void smp_proc_rand(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
650 uint8_t* p = p_data->p_data;
651
652 SMP_TRACE_DEBUG("%s", __func__);
653
654 if (smp_command_has_invalid_parameters(p_cb)) {
655 tSMP_INT_DATA smp_int_data;
656 smp_int_data.status = SMP_INVALID_PARAMETERS;
657 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
658 return;
659 }
660
661 /* save the SRand for comparison */
662 STREAM_TO_ARRAY(p_cb->rrand.data(), p, OCTET16_LEN);
663 }
664
665 /*******************************************************************************
666 * Function smp_process_pairing_public_key
667 * Description process pairing public key command from the peer device
668 * - saves the peer public key;
669 * - sets the flag indicating that the peer public key is received;
670 * - calls smp_wait_for_both_public_keys(...).
671 *
672 ******************************************************************************/
smp_process_pairing_public_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)673 void smp_process_pairing_public_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
674 uint8_t* p = p_data->p_data;
675
676 SMP_TRACE_DEBUG("%s", __func__);
677
678 if (smp_command_has_invalid_parameters(p_cb)) {
679 tSMP_INT_DATA smp_int_data;
680 smp_int_data.status = SMP_INVALID_PARAMETERS;
681 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
682 return;
683 }
684
685 STREAM_TO_ARRAY(p_cb->peer_publ_key.x, p, BT_OCTET32_LEN);
686 STREAM_TO_ARRAY(p_cb->peer_publ_key.y, p, BT_OCTET32_LEN);
687
688 Point pt;
689 memcpy(pt.x, p_cb->peer_publ_key.x, BT_OCTET32_LEN);
690 memcpy(pt.y, p_cb->peer_publ_key.y, BT_OCTET32_LEN);
691
692 if (!memcmp(p_cb->peer_publ_key.x, p_cb->loc_publ_key.x, BT_OCTET32_LEN)) {
693 android_errorWriteLog(0x534e4554, "174886838");
694 SMP_TRACE_WARNING("Remote and local public keys can't match");
695 tSMP_INT_DATA smp;
696 smp.status = SMP_PAIR_AUTH_FAIL;
697 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp);
698 return;
699 }
700
701 if (!ECC_ValidatePoint(pt)) {
702 android_errorWriteLog(0x534e4554, "72377774");
703 tSMP_INT_DATA smp;
704 smp.status = SMP_PAIR_AUTH_FAIL;
705 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp);
706 return;
707 }
708
709 p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_PUBL_KEY;
710
711 smp_wait_for_both_public_keys(p_cb, NULL);
712 }
713
714 /*******************************************************************************
715 * Function smp_process_pairing_commitment
716 * Description process pairing commitment from peer device
717 ******************************************************************************/
smp_process_pairing_commitment(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)718 void smp_process_pairing_commitment(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
719 uint8_t* p = p_data->p_data;
720
721 SMP_TRACE_DEBUG("%s", __func__);
722
723 if (smp_command_has_invalid_parameters(p_cb)) {
724 tSMP_INT_DATA smp_int_data;
725 smp_int_data.status = SMP_INVALID_PARAMETERS;
726 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
727 return;
728 }
729
730 p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_COMM;
731
732 if (p != NULL) {
733 STREAM_TO_ARRAY(p_cb->remote_commitment.data(), p, OCTET16_LEN);
734 }
735 }
736
737 /*******************************************************************************
738 * Function smp_process_dhkey_check
739 * Description process DHKey Check from peer device
740 ******************************************************************************/
smp_process_dhkey_check(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)741 void smp_process_dhkey_check(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
742 uint8_t* p = p_data->p_data;
743
744 SMP_TRACE_DEBUG("%s", __func__);
745
746 if (smp_command_has_invalid_parameters(p_cb)) {
747 tSMP_INT_DATA smp_int_data;
748 smp_int_data.status = SMP_INVALID_PARAMETERS;
749 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
750 return;
751 }
752
753 if (p != NULL) {
754 STREAM_TO_ARRAY(p_cb->remote_dhkey_check.data(), p, OCTET16_LEN);
755 }
756
757 p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_DHK_CHK;
758 }
759
760 /*******************************************************************************
761 * Function smp_process_keypress_notification
762 * Description process pairing keypress notification from peer device
763 ******************************************************************************/
smp_process_keypress_notification(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)764 void smp_process_keypress_notification(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
765 uint8_t* p = p_data->p_data;
766
767 SMP_TRACE_DEBUG("%s", __func__);
768 p_cb->status = p_data->status;
769
770 if (smp_command_has_invalid_parameters(p_cb)) {
771 tSMP_INT_DATA smp_int_data;
772 smp_int_data.status = SMP_INVALID_PARAMETERS;
773 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
774 return;
775 }
776
777 if (p != NULL) {
778 STREAM_TO_UINT8(p_cb->peer_keypress_notification, p);
779 } else {
780 p_cb->peer_keypress_notification = BTM_SP_KEY_OUT_OF_RANGE;
781 }
782 p_cb->cb_evt = SMP_PEER_KEYPR_NOT_EVT;
783 }
784
785 /*******************************************************************************
786 * Function smp_br_process_pairing_command
787 * Description Process the SMP pairing request/response from peer device via
788 * BR/EDR transport.
789 ******************************************************************************/
smp_br_process_pairing_command(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)790 void smp_br_process_pairing_command(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
791 uint8_t* p = p_data->p_data;
792 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
793
794 SMP_TRACE_DEBUG("%s", __func__);
795 /* rejecting BR pairing request over non-SC BR link */
796 if (!p_dev_rec->new_encryption_key_is_p256 && p_cb->role == HCI_ROLE_SLAVE) {
797 tSMP_INT_DATA smp_int_data;
798 smp_int_data.status = SMP_XTRANS_DERIVE_NOT_ALLOW;
799 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
800 return;
801 }
802
803 /* erase all keys if it is slave proc pairing req*/
804 if (p_dev_rec && (p_cb->role == HCI_ROLE_SLAVE))
805 btm_sec_clear_ble_keys(p_dev_rec);
806
807 p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR;
808
809 if (smp_command_has_invalid_length(p_cb)) {
810 tSMP_INT_DATA smp_int_data;
811 smp_int_data.status = SMP_INVALID_PARAMETERS;
812 android_errorWriteLog(0x534e4554, "111213909");
813 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
814 return;
815 }
816
817 STREAM_TO_UINT8(p_cb->peer_io_caps, p);
818 STREAM_TO_UINT8(p_cb->peer_oob_flag, p);
819 STREAM_TO_UINT8(p_cb->peer_auth_req, p);
820 STREAM_TO_UINT8(p_cb->peer_enc_size, p);
821 STREAM_TO_UINT8(p_cb->peer_i_key, p);
822 STREAM_TO_UINT8(p_cb->peer_r_key, p);
823
824 if (smp_command_has_invalid_parameters(p_cb)) {
825 tSMP_INT_DATA smp_int_data;
826 smp_int_data.status = SMP_INVALID_PARAMETERS;
827 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
828 return;
829 }
830
831 /* peer (master) started pairing sending Pairing Request */
832 /* or being master device always use received i/r key as keys to distribute */
833 p_cb->local_i_key = p_cb->peer_i_key;
834 p_cb->local_r_key = p_cb->peer_r_key;
835
836 if (p_cb->role == HCI_ROLE_SLAVE) {
837 p_dev_rec->new_encryption_key_is_p256 = false;
838 /* shortcut to skip Security Grant step */
839 p_cb->cb_evt = SMP_BR_KEYS_REQ_EVT;
840 } else {
841 /* Master receives pairing response */
842 SMP_TRACE_DEBUG(
843 "%s master rcvs valid PAIRING RESPONSE."
844 " Supposed to move to key distribution phase. ",
845 __func__);
846 }
847
848 /* auth_req received via BR/EDR SM channel is set to 0,
849 but everything derived/exchanged has to be saved */
850 p_cb->peer_auth_req |= SMP_AUTH_BOND;
851 p_cb->loc_auth_req |= SMP_AUTH_BOND;
852 }
853
854 /*******************************************************************************
855 * Function smp_br_process_security_grant
856 * Description process security grant in case of pairing over BR/EDR transport.
857 ******************************************************************************/
smp_br_process_security_grant(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)858 void smp_br_process_security_grant(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
859 SMP_TRACE_DEBUG("%s", __func__);
860 if (p_data->status != SMP_SUCCESS) {
861 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, p_data);
862 } else {
863 /* otherwise, start pairing; send IO request callback */
864 p_cb->cb_evt = SMP_BR_KEYS_REQ_EVT;
865 }
866 }
867
868 /*******************************************************************************
869 * Function smp_br_check_authorization_request
870 * Description sets the SMP kes to be derived/distribute over BR/EDR transport
871 * before starting the distribution/derivation
872 ******************************************************************************/
smp_br_check_authorization_request(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)873 void smp_br_check_authorization_request(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
874 SMP_TRACE_DEBUG("%s rcvs i_keys=0x%x r_keys=0x%x (i-initiator r-responder)",
875 __func__, p_cb->local_i_key, p_cb->local_r_key);
876
877 /* In LE SC mode LK field is ignored when BR/EDR transport is used */
878 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
879 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
880
881 /* In LE SC mode only IRK, IAI, CSRK are exchanged with the peer.
882 ** Set local_r_key on master to expect only these keys. */
883 if (p_cb->role == HCI_ROLE_MASTER) {
884 p_cb->local_r_key &= (SMP_SEC_KEY_TYPE_ID | SMP_SEC_KEY_TYPE_CSRK);
885 }
886
887 /* Check if H7 function needs to be used for key derivation*/
888 if ((p_cb->loc_auth_req & SMP_H7_SUPPORT_BIT) &&
889 (p_cb->peer_auth_req & SMP_H7_SUPPORT_BIT)) {
890 p_cb->key_derivation_h7_used = TRUE;
891 }
892 SMP_TRACE_DEBUG("%s: use h7 = %d", __func__, p_cb->key_derivation_h7_used);
893
894 SMP_TRACE_DEBUG(
895 "%s rcvs upgrades: i_keys=0x%x r_keys=0x%x (i-initiator r-responder)",
896 __func__, p_cb->local_i_key, p_cb->local_r_key);
897
898 if (/*((p_cb->peer_auth_req & SMP_AUTH_BOND) ||
899 (p_cb->loc_auth_req & SMP_AUTH_BOND)) &&*/
900 (p_cb->local_i_key || p_cb->local_r_key)) {
901 smp_br_state_machine_event(p_cb, SMP_BR_BOND_REQ_EVT, NULL);
902
903 /* if no peer key is expected, start master key distribution */
904 if (p_cb->role == HCI_ROLE_MASTER && p_cb->local_r_key == 0)
905 smp_key_distribution_by_transport(p_cb, NULL);
906 } else {
907 tSMP_INT_DATA smp_int_data;
908 smp_int_data.status = SMP_SUCCESS;
909 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
910 }
911 }
912
913 /*******************************************************************************
914 * Function smp_br_select_next_key
915 * Description selects the next key to derive/send when BR/EDR transport is
916 * used.
917 ******************************************************************************/
smp_br_select_next_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)918 void smp_br_select_next_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
919 SMP_TRACE_DEBUG("%s role=%d (0-master) r_keys=0x%x i_keys=0x%x", __func__,
920 p_cb->role, p_cb->local_r_key, p_cb->local_i_key);
921
922 if (p_cb->role == HCI_ROLE_SLAVE ||
923 (!p_cb->local_r_key && p_cb->role == HCI_ROLE_MASTER)) {
924 smp_key_pick_key(p_cb, p_data);
925 }
926
927 if (!p_cb->local_i_key && !p_cb->local_r_key) {
928 /* state check to prevent re-entrance */
929 if (smp_get_br_state() == SMP_BR_STATE_BOND_PENDING) {
930 if (p_cb->total_tx_unacked == 0) {
931 tSMP_INT_DATA smp_int_data;
932 smp_int_data.status = SMP_SUCCESS;
933 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
934 } else {
935 p_cb->wait_for_authorization_complete = true;
936 }
937 }
938 }
939 }
940
941 /** process encryption information from peer device */
smp_proc_enc_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)942 void smp_proc_enc_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
943 uint8_t* p = p_data->p_data;
944
945 SMP_TRACE_DEBUG("%s", __func__);
946
947 if (smp_command_has_invalid_parameters(p_cb)) {
948 tSMP_INT_DATA smp_int_data;
949 smp_int_data.status = SMP_INVALID_PARAMETERS;
950 android_errorWriteLog(0x534e4554, "111937065");
951 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
952 return;
953 }
954
955 STREAM_TO_ARRAY(p_cb->ltk.data(), p, OCTET16_LEN);
956
957 smp_key_distribution(p_cb, NULL);
958 }
959
960 /** process master ID from slave device */
smp_proc_master_id(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)961 void smp_proc_master_id(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
962 uint8_t* p = p_data->p_data;
963 tBTM_LE_KEY_VALUE le_key;
964
965 SMP_TRACE_DEBUG("%s", __func__);
966
967 if (p_cb->rcvd_cmd_len < 11) { // 1(Code) + 2(EDIV) + 8(Rand)
968 android_errorWriteLog(0x534e4554, "111937027");
969 SMP_TRACE_ERROR("%s: Invalid command length: %d, should be at least 11",
970 __func__, p_cb->rcvd_cmd_len);
971 return;
972 }
973
974 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, true);
975
976 STREAM_TO_UINT16(le_key.penc_key.ediv, p);
977 STREAM_TO_ARRAY(le_key.penc_key.rand, p, BT_OCTET8_LEN);
978
979 /* store the encryption keys from peer device */
980 le_key.penc_key.ltk = p_cb->ltk;
981 le_key.penc_key.sec_level = p_cb->sec_level;
982 le_key.penc_key.key_size = p_cb->loc_enc_size;
983
984 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
985 (p_cb->loc_auth_req & SMP_AUTH_BOND))
986 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC, &le_key, true);
987
988 smp_key_distribution(p_cb, NULL);
989 }
990
991 /** process identity information from peer device */
smp_proc_id_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)992 void smp_proc_id_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
993 uint8_t* p = p_data->p_data;
994
995 SMP_TRACE_DEBUG("%s", __func__);
996
997 if (smp_command_has_invalid_parameters(p_cb)) {
998 tSMP_INT_DATA smp_int_data;
999 smp_int_data.status = SMP_INVALID_PARAMETERS;
1000 android_errorWriteLog(0x534e4554, "111937065");
1001 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1002 return;
1003 }
1004
1005 STREAM_TO_ARRAY(p_cb->tk.data(), p, OCTET16_LEN); /* reuse TK for IRK */
1006 smp_key_distribution_by_transport(p_cb, NULL);
1007 }
1008
1009 /** process identity address from peer device */
smp_proc_id_addr(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1010 void smp_proc_id_addr(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1011 uint8_t* p = p_data->p_data;
1012 tBTM_LE_KEY_VALUE pid_key;
1013
1014 SMP_TRACE_DEBUG("%s", __func__);
1015
1016 if (smp_command_has_invalid_parameters(p_cb)) {
1017 tSMP_INT_DATA smp_int_data;
1018 smp_int_data.status = SMP_INVALID_PARAMETERS;
1019 android_errorWriteLog(0x534e4554, "111214770");
1020 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1021 return;
1022 }
1023
1024 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ID, true);
1025
1026 STREAM_TO_UINT8(pid_key.pid_key.identity_addr_type, p);
1027 STREAM_TO_BDADDR(pid_key.pid_key.identity_addr, p);
1028 pid_key.pid_key.irk = p_cb->tk;
1029
1030 /* to use as BD_ADDR for lk derived from ltk */
1031 p_cb->id_addr_rcvd = true;
1032 p_cb->id_addr_type = pid_key.pid_key.identity_addr_type;
1033 p_cb->id_addr = pid_key.pid_key.identity_addr;
1034
1035 /* store the ID key from peer device */
1036 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
1037 (p_cb->loc_auth_req & SMP_AUTH_BOND))
1038 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PID, &pid_key, true);
1039 smp_key_distribution_by_transport(p_cb, NULL);
1040 }
1041
1042 /* process security information from peer device */
smp_proc_srk_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1043 void smp_proc_srk_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1044 tBTM_LE_KEY_VALUE le_key;
1045
1046 SMP_TRACE_DEBUG("%s", __func__);
1047
1048 if (smp_command_has_invalid_parameters(p_cb)) {
1049 tSMP_INT_DATA smp_int_data;
1050 smp_int_data.status = SMP_INVALID_PARAMETERS;
1051 android_errorWriteLog(0x534e4554, "111214470");
1052 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1053 return;
1054 }
1055
1056 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_CSRK, true);
1057
1058 /* save CSRK to security record */
1059 le_key.pcsrk_key.sec_level = p_cb->sec_level;
1060
1061 /* get peer CSRK */
1062 maybe_non_aligned_memcpy(le_key.pcsrk_key.csrk.data(), p_data->p_data,
1063 OCTET16_LEN);
1064
1065 /* initialize the peer counter */
1066 le_key.pcsrk_key.counter = 0;
1067
1068 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
1069 (p_cb->loc_auth_req & SMP_AUTH_BOND))
1070 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PCSRK, &le_key, true);
1071 smp_key_distribution_by_transport(p_cb, NULL);
1072 }
1073
1074 /*******************************************************************************
1075 * Function smp_proc_compare
1076 * Description process compare value
1077 ******************************************************************************/
smp_proc_compare(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1078 void smp_proc_compare(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1079 SMP_TRACE_DEBUG("%s", __func__);
1080 if (!memcmp(p_cb->rconfirm.data(), p_data->key.p_data, OCTET16_LEN)) {
1081 /* compare the max encryption key size, and save the smaller one for the
1082 * link */
1083 if (p_cb->peer_enc_size < p_cb->loc_enc_size)
1084 p_cb->loc_enc_size = p_cb->peer_enc_size;
1085
1086 if (p_cb->role == HCI_ROLE_SLAVE)
1087 smp_sm_event(p_cb, SMP_RAND_EVT, NULL);
1088 else {
1089 /* master device always use received i/r key as keys to distribute */
1090 p_cb->local_i_key = p_cb->peer_i_key;
1091 p_cb->local_r_key = p_cb->peer_r_key;
1092
1093 smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL);
1094 }
1095
1096 } else {
1097 tSMP_INT_DATA smp_int_data;
1098 smp_int_data.status = SMP_CONFIRM_VALUE_ERR;
1099 p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1100 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1101 }
1102 }
1103
1104 /*******************************************************************************
1105 * Function smp_proc_sl_key
1106 * Description process key ready events.
1107 ******************************************************************************/
smp_proc_sl_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1108 void smp_proc_sl_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1109 uint8_t key_type = p_data->key.key_type;
1110
1111 SMP_TRACE_DEBUG("%s", __func__);
1112 if (key_type == SMP_KEY_TYPE_TK) {
1113 smp_generate_srand_mrand_confirm(p_cb, NULL);
1114 } else if (key_type == SMP_KEY_TYPE_CFM) {
1115 smp_set_state(SMP_STATE_WAIT_CONFIRM);
1116
1117 if (p_cb->flags & SMP_PAIR_FLAGS_CMD_CONFIRM)
1118 smp_sm_event(p_cb, SMP_CONFIRM_EVT, NULL);
1119 }
1120 }
1121
1122 /*******************************************************************************
1123 * Function smp_start_enc
1124 * Description start encryption
1125 ******************************************************************************/
smp_start_enc(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1126 void smp_start_enc(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1127 tBTM_STATUS cmd;
1128
1129 SMP_TRACE_DEBUG("%s", __func__);
1130 if (p_data != NULL) {
1131 cmd = btm_ble_start_encrypt(p_cb->pairing_bda, true,
1132 (Octet16*)p_data->key.p_data);
1133 } else {
1134 cmd = btm_ble_start_encrypt(p_cb->pairing_bda, false, NULL);
1135 }
1136
1137 if (cmd != BTM_CMD_STARTED && cmd != BTM_BUSY) {
1138 tSMP_INT_DATA smp_int_data;
1139 smp_int_data.status = SMP_ENC_FAIL;
1140 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1141 }
1142 }
1143
1144 /*******************************************************************************
1145 * Function smp_proc_discard
1146 * Description processing for discard security request
1147 ******************************************************************************/
smp_proc_discard(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1148 void smp_proc_discard(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1149 SMP_TRACE_DEBUG("%s", __func__);
1150 if (!(p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD))
1151 smp_reset_control_value(p_cb);
1152 }
1153
1154 /*******************************************************************************
1155 * Function smp_enc_cmpl
1156 * Description encryption success
1157 ******************************************************************************/
smp_enc_cmpl(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1158 void smp_enc_cmpl(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1159 uint8_t enc_enable = p_data->status;
1160
1161 SMP_TRACE_DEBUG("%s", __func__);
1162 tSMP_INT_DATA smp_int_data;
1163 smp_int_data.status = enc_enable ? SMP_SUCCESS : SMP_ENC_FAIL;
1164 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1165 }
1166
1167 /*******************************************************************************
1168 * Function smp_check_auth_req
1169 * Description check authentication request
1170 ******************************************************************************/
smp_check_auth_req(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1171 void smp_check_auth_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1172 uint8_t enc_enable = p_data->status;
1173
1174 SMP_TRACE_DEBUG(
1175 "%s rcvs enc_enable=%d i_keys=0x%x r_keys=0x%x (i-initiator r-responder)",
1176 __func__, enc_enable, p_cb->local_i_key, p_cb->local_r_key);
1177 if (enc_enable == 1) {
1178 if (p_cb->le_secure_connections_mode_is_used) {
1179 /* In LE SC mode LTK is used instead of STK and has to be always saved */
1180 p_cb->local_i_key |= SMP_SEC_KEY_TYPE_ENC;
1181 p_cb->local_r_key |= SMP_SEC_KEY_TYPE_ENC;
1182
1183 /* In LE SC mode LK is derived from LTK only if both sides request it */
1184 if (!(p_cb->local_i_key & SMP_SEC_KEY_TYPE_LK) ||
1185 !(p_cb->local_r_key & SMP_SEC_KEY_TYPE_LK)) {
1186 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
1187 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
1188 }
1189
1190 /* In LE SC mode only IRK, IAI, CSRK are exchanged with the peer.
1191 ** Set local_r_key on master to expect only these keys.
1192 */
1193 if (p_cb->role == HCI_ROLE_MASTER) {
1194 p_cb->local_r_key &= (SMP_SEC_KEY_TYPE_ID | SMP_SEC_KEY_TYPE_CSRK);
1195 }
1196 } else {
1197 /* in legacy mode derivation of BR/EDR LK is not supported */
1198 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
1199 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
1200 }
1201 SMP_TRACE_DEBUG(
1202 "%s rcvs upgrades: i_keys=0x%x r_keys=0x%x (i-initiator r-responder)",
1203 __func__, p_cb->local_i_key, p_cb->local_r_key);
1204
1205 if (/*((p_cb->peer_auth_req & SMP_AUTH_BOND) ||
1206 (p_cb->loc_auth_req & SMP_AUTH_BOND)) &&*/
1207 (p_cb->local_i_key || p_cb->local_r_key)) {
1208 smp_sm_event(p_cb, SMP_BOND_REQ_EVT, NULL);
1209 } else {
1210 tSMP_INT_DATA smp_int_data;
1211 smp_int_data.status = enc_enable ? SMP_SUCCESS : SMP_ENC_FAIL;
1212 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1213 }
1214 } else if (enc_enable == 0) {
1215 tSMP_INT_DATA smp_int_data;
1216 smp_int_data.status = enc_enable ? SMP_SUCCESS : SMP_ENC_FAIL;
1217 /* if failed for encryption after pairing, send callback */
1218 if (p_cb->flags & SMP_PAIR_FLAG_ENC_AFTER_PAIR)
1219 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1220 /* if enc failed for old security information */
1221 /* if master device, clean up and abck to idle; slave device do nothing */
1222 else if (p_cb->role == HCI_ROLE_MASTER) {
1223 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1224 }
1225 }
1226 }
1227
1228 /*******************************************************************************
1229 * Function smp_key_pick_key
1230 * Description Pick a key distribution function based on the key mask.
1231 ******************************************************************************/
smp_key_pick_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1232 void smp_key_pick_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1233 uint8_t key_to_dist =
1234 (p_cb->role == HCI_ROLE_SLAVE) ? p_cb->local_r_key : p_cb->local_i_key;
1235 uint8_t i = 0;
1236
1237 SMP_TRACE_DEBUG("%s key_to_dist=0x%x", __func__, key_to_dist);
1238 while (i < SMP_KEY_DIST_TYPE_MAX) {
1239 SMP_TRACE_DEBUG("key to send = %02x, i = %d", key_to_dist, i);
1240
1241 if (key_to_dist & (1 << i)) {
1242 SMP_TRACE_DEBUG("smp_distribute_act[%d]", i);
1243 (*smp_distribute_act[i])(p_cb, p_data);
1244 break;
1245 }
1246 i++;
1247 }
1248 }
1249 /*******************************************************************************
1250 * Function smp_key_distribution
1251 * Description start key distribution if required.
1252 ******************************************************************************/
smp_key_distribution(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1253 void smp_key_distribution(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1254 SMP_TRACE_DEBUG("%s role=%d (0-master) r_keys=0x%x i_keys=0x%x", __func__,
1255 p_cb->role, p_cb->local_r_key, p_cb->local_i_key);
1256
1257 if (p_cb->role == HCI_ROLE_SLAVE ||
1258 (!p_cb->local_r_key && p_cb->role == HCI_ROLE_MASTER)) {
1259 smp_key_pick_key(p_cb, p_data);
1260 }
1261
1262 if (!p_cb->local_i_key && !p_cb->local_r_key) {
1263 /* state check to prevent re-entrant */
1264 if (smp_get_state() == SMP_STATE_BOND_PENDING) {
1265 if (p_cb->derive_lk) {
1266 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
1267 if (!(p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED) &&
1268 (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED)) {
1269 SMP_TRACE_DEBUG(
1270 "%s BR key is higher security than existing LE keys, don't "
1271 "derive LK from LTK",
1272 __func__);
1273 android_errorWriteLog(0x534e4554, "158854097");
1274 } else {
1275 smp_derive_link_key_from_long_term_key(p_cb, NULL);
1276 }
1277 p_cb->derive_lk = false;
1278 }
1279
1280 if (p_cb->total_tx_unacked == 0) {
1281 /*
1282 * Instead of declaring authorization complete immediately,
1283 * delay the event from being sent by SMP_DELAYED_AUTH_TIMEOUT_MS.
1284 * This allows the slave to send over Pairing Failed if the
1285 * last key is rejected. During this waiting window, the
1286 * state should remain in SMP_STATE_BOND_PENDING.
1287 */
1288 if (!alarm_is_scheduled(p_cb->delayed_auth_timer_ent)) {
1289 SMP_TRACE_DEBUG("%s delaying auth complete.", __func__);
1290 alarm_set_on_mloop(p_cb->delayed_auth_timer_ent,
1291 SMP_DELAYED_AUTH_TIMEOUT_MS,
1292 smp_delayed_auth_complete_timeout, NULL);
1293 }
1294 } else {
1295 p_cb->wait_for_authorization_complete = true;
1296 }
1297 }
1298 }
1299 }
1300
1301 /*******************************************************************************
1302 * Function smp_decide_association_model
1303 * Description This function is called to select assoc model to be used for
1304 * STK generation and to start STK generation process.
1305 *
1306 ******************************************************************************/
smp_decide_association_model(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1307 void smp_decide_association_model(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1308 uint8_t int_evt = 0;
1309 tSMP_INT_DATA smp_int_data;
1310
1311 SMP_TRACE_DEBUG("%s Association Model = %d", __func__,
1312 p_cb->selected_association_model);
1313
1314 switch (p_cb->selected_association_model) {
1315 case SMP_MODEL_ENCRYPTION_ONLY: /* TK = 0, go calculate Confirm */
1316 if (p_cb->role == HCI_ROLE_MASTER &&
1317 ((p_cb->peer_auth_req & SMP_AUTH_YN_BIT) != 0) &&
1318 ((p_cb->loc_auth_req & SMP_AUTH_YN_BIT) == 0)) {
1319 SMP_TRACE_ERROR(
1320 "IO capability does not meet authentication requirement");
1321 smp_int_data.status = SMP_PAIR_AUTH_FAIL;
1322 int_evt = SMP_AUTH_CMPL_EVT;
1323 } else {
1324 if (!is_atv_device() &&
1325 (p_cb->local_io_capability == SMP_IO_CAP_IO ||
1326 p_cb->local_io_capability == SMP_IO_CAP_KBDISP)) {
1327 /* display consent dialog if this device has a display */
1328 SMP_TRACE_DEBUG("ENCRYPTION_ONLY showing Consent Dialog");
1329 p_cb->cb_evt = SMP_CONSENT_REQ_EVT;
1330 smp_set_state(SMP_STATE_WAIT_NONCE);
1331 smp_sm_event(p_cb, SMP_SC_DSPL_NC_EVT, NULL);
1332 } else {
1333 p_cb->sec_level = SMP_SEC_UNAUTHENTICATE;
1334 SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_UNAUTHENTICATE) ",
1335 p_cb->sec_level);
1336
1337 tSMP_KEY key;
1338 key.key_type = SMP_KEY_TYPE_TK;
1339 key.p_data = p_cb->tk.data();
1340 smp_int_data.key = key;
1341
1342 p_cb->tk = {0};
1343 /* TK, ready */
1344 int_evt = SMP_KEY_READY_EVT;
1345 }
1346 }
1347 break;
1348
1349 case SMP_MODEL_PASSKEY:
1350 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1351 SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_AUTHENTICATED) ",
1352 p_cb->sec_level);
1353
1354 p_cb->cb_evt = SMP_PASSKEY_REQ_EVT;
1355 int_evt = SMP_TK_REQ_EVT;
1356 break;
1357
1358 case SMP_MODEL_OOB:
1359 SMP_TRACE_ERROR("Association Model = SMP_MODEL_OOB");
1360 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1361 SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_AUTHENTICATED) ",
1362 p_cb->sec_level);
1363
1364 p_cb->cb_evt = SMP_OOB_REQ_EVT;
1365 int_evt = SMP_TK_REQ_EVT;
1366 break;
1367
1368 case SMP_MODEL_KEY_NOTIF:
1369 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1370 SMP_TRACE_DEBUG("Need to generate Passkey");
1371
1372 /* generate passkey and notify application */
1373 smp_generate_passkey(p_cb, NULL);
1374 break;
1375
1376 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1377 case SMP_MODEL_SEC_CONN_NUM_COMP:
1378 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1379 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1380 case SMP_MODEL_SEC_CONN_OOB:
1381 int_evt = SMP_PUBL_KEY_EXCH_REQ_EVT;
1382 break;
1383
1384 case SMP_MODEL_OUT_OF_RANGE:
1385 SMP_TRACE_ERROR("Association Model = SMP_MODEL_OUT_OF_RANGE (failed)");
1386 smp_int_data.status = SMP_UNKNOWN_IO_CAP;
1387 int_evt = SMP_AUTH_CMPL_EVT;
1388 break;
1389
1390 default:
1391 SMP_TRACE_ERROR(
1392 "Association Model = %d (SOMETHING IS WRONG WITH THE CODE)",
1393 p_cb->selected_association_model);
1394 smp_int_data.status = SMP_UNKNOWN_IO_CAP;
1395 int_evt = SMP_AUTH_CMPL_EVT;
1396 }
1397
1398 SMP_TRACE_EVENT("sec_level=%d ", p_cb->sec_level);
1399 if (int_evt) smp_sm_event(p_cb, int_evt, &smp_int_data);
1400 }
1401
1402 /*******************************************************************************
1403 * Function smp_process_io_response
1404 * Description process IO response for a slave device.
1405 ******************************************************************************/
smp_process_io_response(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1406 void smp_process_io_response(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1407
1408 SMP_TRACE_DEBUG("%s", __func__);
1409 if (p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD) {
1410 /* pairing started by local (slave) Security Request */
1411 smp_set_state(SMP_STATE_SEC_REQ_PENDING);
1412 smp_send_cmd(SMP_OPCODE_SEC_REQ, p_cb);
1413 } else /* plan to send pairing respond */
1414 {
1415 /* pairing started by peer (master) Pairing Request */
1416 p_cb->selected_association_model = smp_select_association_model(p_cb);
1417
1418 if (p_cb->secure_connections_only_mode_required &&
1419 (!(p_cb->le_secure_connections_mode_is_used) ||
1420 (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS))) {
1421 SMP_TRACE_ERROR(
1422 "Slave requires secure connection only mode "
1423 "but it can't be provided -> Slave fails pairing");
1424 tSMP_INT_DATA smp_int_data;
1425 smp_int_data.status = SMP_PAIR_AUTH_FAIL;
1426 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1427 return;
1428 }
1429
1430 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) {
1431 if (smp_request_oob_data(p_cb)) return;
1432 }
1433
1434 // PTS Testing failure modes
1435 if (pts_test_send_authentication_complete_failure(p_cb)) return;
1436
1437 smp_send_pair_rsp(p_cb, NULL);
1438 }
1439 }
1440
1441 /*******************************************************************************
1442 * Function smp_br_process_slave_keys_response
1443 * Description process application keys response for a slave device
1444 * (BR/EDR transport).
1445 ******************************************************************************/
smp_br_process_slave_keys_response(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1446 void smp_br_process_slave_keys_response(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1447 smp_br_send_pair_response(p_cb, NULL);
1448 }
1449
1450 /*******************************************************************************
1451 * Function smp_br_send_pair_response
1452 * Description actions related to sending pairing response over BR/EDR
1453 * transport.
1454 ******************************************************************************/
smp_br_send_pair_response(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1455 void smp_br_send_pair_response(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1456 SMP_TRACE_DEBUG("%s", __func__);
1457
1458 p_cb->local_i_key &= p_cb->peer_i_key;
1459 p_cb->local_r_key &= p_cb->peer_r_key;
1460
1461 smp_send_cmd(SMP_OPCODE_PAIRING_RSP, p_cb);
1462 }
1463
1464 /*******************************************************************************
1465 * Function smp_pairing_cmpl
1466 * Description This function is called to send the pairing complete
1467 * callback and remove the connection if needed.
1468 ******************************************************************************/
smp_pairing_cmpl(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1469 void smp_pairing_cmpl(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1470 if (p_cb->total_tx_unacked == 0) {
1471 /* process the pairing complete */
1472 smp_proc_pairing_cmpl(p_cb);
1473 }
1474 }
1475
1476 /*******************************************************************************
1477 * Function smp_pair_terminate
1478 * Description This function is called to send the pairing complete
1479 * callback and remove the connection if needed.
1480 ******************************************************************************/
smp_pair_terminate(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1481 void smp_pair_terminate(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1482 SMP_TRACE_DEBUG("%s", __func__);
1483 p_cb->status = SMP_CONN_TOUT;
1484 smp_proc_pairing_cmpl(p_cb);
1485 }
1486
1487 /*******************************************************************************
1488 * Function smp_idle_terminate
1489 * Description This function calledin idle state to determine to send
1490 * authentication complete or not.
1491 ******************************************************************************/
smp_idle_terminate(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1492 void smp_idle_terminate(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1493 if (p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD) {
1494 SMP_TRACE_DEBUG("Pairing terminated at IDLE state.");
1495 p_cb->status = SMP_FAIL;
1496 smp_proc_pairing_cmpl(p_cb);
1497 }
1498 }
1499
1500 /*******************************************************************************
1501 * Function smp_both_have_public_keys
1502 * Description The function is called when both local and peer public keys are
1503 * saved.
1504 * Actions:
1505 * - invokes DHKey computation;
1506 * - on slave side invokes sending local public key to the peer.
1507 * - invokes SC phase 1 process.
1508 ******************************************************************************/
smp_both_have_public_keys(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1509 void smp_both_have_public_keys(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1510 SMP_TRACE_DEBUG("%s", __func__);
1511
1512 /* invokes DHKey computation */
1513 smp_compute_dhkey(p_cb);
1514
1515 /* on slave side invokes sending local public key to the peer */
1516 if (p_cb->role == HCI_ROLE_SLAVE) smp_send_pair_public_key(p_cb, NULL);
1517
1518 smp_sm_event(p_cb, SMP_SC_DHKEY_CMPLT_EVT, NULL);
1519 }
1520
1521 /*******************************************************************************
1522 * Function smp_start_secure_connection_phase1
1523 * Description Start Secure Connection phase1 i.e. invokes initialization of
1524 * Secure Connection phase 1 parameters and starts building/sending
1525 * to the peer messages appropriate for the role and association
1526 * model.
1527 ******************************************************************************/
smp_start_secure_connection_phase1(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1528 void smp_start_secure_connection_phase1(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1529 SMP_TRACE_DEBUG("%s", __func__);
1530
1531 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS) {
1532 p_cb->sec_level = SMP_SEC_UNAUTHENTICATE;
1533 SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_UNAUTHENTICATE) ",
1534 p_cb->sec_level);
1535 } else {
1536 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1537 SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_AUTHENTICATED) ",
1538 p_cb->sec_level);
1539 }
1540
1541 switch (p_cb->selected_association_model) {
1542 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1543 case SMP_MODEL_SEC_CONN_NUM_COMP:
1544 p_cb->local_random = {0};
1545 smp_start_nonce_generation(p_cb);
1546 break;
1547 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1548 /* user has to provide passkey */
1549 p_cb->cb_evt = SMP_PASSKEY_REQ_EVT;
1550 smp_sm_event(p_cb, SMP_TK_REQ_EVT, NULL);
1551 break;
1552 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1553 /* passkey has to be provided to user */
1554 SMP_TRACE_DEBUG("Need to generate SC Passkey");
1555 smp_generate_passkey(p_cb, NULL);
1556 break;
1557 case SMP_MODEL_SEC_CONN_OOB:
1558 /* use the available OOB information */
1559 smp_process_secure_connection_oob_data(p_cb, NULL);
1560 break;
1561 default:
1562 SMP_TRACE_ERROR("Association Model = %d is not used in LE SC",
1563 p_cb->selected_association_model);
1564 break;
1565 }
1566 }
1567
1568 /*******************************************************************************
1569 * Function smp_process_local_nonce
1570 * Description The function processes new local nonce.
1571 *
1572 * Note It is supposed to be called in SC phase1.
1573 ******************************************************************************/
smp_process_local_nonce(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1574 void smp_process_local_nonce(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1575 SMP_TRACE_DEBUG("%s", __func__);
1576
1577 switch (p_cb->selected_association_model) {
1578 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1579 case SMP_MODEL_SEC_CONN_NUM_COMP:
1580 if (p_cb->role == HCI_ROLE_SLAVE) {
1581 /* slave calculates and sends local commitment */
1582 smp_calculate_local_commitment(p_cb);
1583 smp_send_commitment(p_cb, NULL);
1584 /* slave has to wait for peer nonce */
1585 smp_set_state(SMP_STATE_WAIT_NONCE);
1586 } else /* i.e. master */
1587 {
1588 if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_COMM) {
1589 /* slave commitment is already received, send local nonce, wait for
1590 * remote nonce*/
1591 SMP_TRACE_DEBUG(
1592 "master in assoc mode = %d "
1593 "already rcvd slave commitment - race condition",
1594 p_cb->selected_association_model);
1595 p_cb->flags &= ~SMP_PAIR_FLAG_HAVE_PEER_COMM;
1596 smp_send_rand(p_cb, NULL);
1597 smp_set_state(SMP_STATE_WAIT_NONCE);
1598 }
1599 }
1600 break;
1601 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1602 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1603 smp_calculate_local_commitment(p_cb);
1604
1605 if (p_cb->role == HCI_ROLE_MASTER) {
1606 smp_send_commitment(p_cb, NULL);
1607 } else /* slave */
1608 {
1609 if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_COMM) {
1610 /* master commitment is already received */
1611 smp_send_commitment(p_cb, NULL);
1612 smp_set_state(SMP_STATE_WAIT_NONCE);
1613 }
1614 }
1615 break;
1616 case SMP_MODEL_SEC_CONN_OOB:
1617 if (p_cb->role == HCI_ROLE_MASTER) {
1618 smp_send_rand(p_cb, NULL);
1619 }
1620
1621 smp_set_state(SMP_STATE_WAIT_NONCE);
1622 break;
1623 default:
1624 SMP_TRACE_ERROR("Association Model = %d is not used in LE SC",
1625 p_cb->selected_association_model);
1626 break;
1627 }
1628 }
1629
1630 /*******************************************************************************
1631 * Function smp_process_peer_nonce
1632 * Description The function processes newly received and saved in CB peer
1633 * nonce. The actions depend on the selected association model and
1634 * the role.
1635 *
1636 * Note It is supposed to be called in SC phase1.
1637 ******************************************************************************/
smp_process_peer_nonce(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1638 void smp_process_peer_nonce(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1639 SMP_TRACE_DEBUG("%s start ", __func__);
1640
1641 // PTS Testing failure modes
1642 if (p_cb->cert_failure == SMP_CONFIRM_VALUE_ERR) {
1643 SMP_TRACE_ERROR("%s failure case = %d", __func__, p_cb->cert_failure);
1644 tSMP_INT_DATA smp_int_data;
1645 smp_int_data.status = SMP_CONFIRM_VALUE_ERR;
1646 p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1647 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1648 return;
1649 }
1650 // PTS Testing failure modes (for LT)
1651 if ((p_cb->cert_failure == SMP_NUMERIC_COMPAR_FAIL) &&
1652 (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS) &&
1653 (p_cb->role == HCI_ROLE_SLAVE)) {
1654 SMP_TRACE_ERROR("%s failure case = %d", __func__, p_cb->cert_failure);
1655 tSMP_INT_DATA smp_int_data;
1656 smp_int_data.status = SMP_NUMERIC_COMPAR_FAIL;
1657 p_cb->failure = SMP_NUMERIC_COMPAR_FAIL;
1658 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1659 return;
1660 }
1661
1662 switch (p_cb->selected_association_model) {
1663 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1664 case SMP_MODEL_SEC_CONN_NUM_COMP:
1665 /* in these models only master receives commitment */
1666 if (p_cb->role == HCI_ROLE_MASTER) {
1667 if (!smp_check_commitment(p_cb)) {
1668 tSMP_INT_DATA smp_int_data;
1669 smp_int_data.status = SMP_CONFIRM_VALUE_ERR;
1670 p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1671 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1672 break;
1673 }
1674 } else {
1675 /* slave sends local nonce */
1676 smp_send_rand(p_cb, NULL);
1677 }
1678
1679 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS) {
1680 if (!is_atv_device() &&
1681 (p_cb->local_io_capability == SMP_IO_CAP_IO ||
1682 p_cb->local_io_capability == SMP_IO_CAP_KBDISP)) {
1683 /* display consent dialog */
1684 SMP_TRACE_DEBUG("JUST WORKS showing Consent Dialog");
1685 p_cb->cb_evt = SMP_CONSENT_REQ_EVT;
1686 smp_set_state(SMP_STATE_WAIT_NONCE);
1687 smp_sm_event(p_cb, SMP_SC_DSPL_NC_EVT, NULL);
1688 } else {
1689 /* go directly to phase 2 */
1690 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1691 }
1692 } else /* numeric comparison */
1693 {
1694 smp_set_state(SMP_STATE_WAIT_NONCE);
1695 smp_sm_event(p_cb, SMP_SC_CALC_NC_EVT, NULL);
1696 }
1697 break;
1698 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1699 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1700 if (!smp_check_commitment(p_cb) &&
1701 p_cb->cert_failure != SMP_NUMERIC_COMPAR_FAIL) {
1702 tSMP_INT_DATA smp_int_data;
1703 smp_int_data.status = SMP_CONFIRM_VALUE_ERR;
1704 p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1705 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1706 break;
1707 }
1708
1709 if (p_cb->role == HCI_ROLE_SLAVE) {
1710 smp_send_rand(p_cb, NULL);
1711 }
1712
1713 if (++p_cb->round < 20) {
1714 smp_set_state(SMP_STATE_SEC_CONN_PHS1_START);
1715 p_cb->flags &= ~SMP_PAIR_FLAG_HAVE_PEER_COMM;
1716 smp_start_nonce_generation(p_cb);
1717 break;
1718 }
1719
1720 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1721 break;
1722 case SMP_MODEL_SEC_CONN_OOB:
1723 if (p_cb->role == HCI_ROLE_SLAVE) {
1724 smp_send_rand(p_cb, NULL);
1725 }
1726
1727 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1728 break;
1729 default:
1730 SMP_TRACE_ERROR("Association Model = %d is not used in LE SC",
1731 p_cb->selected_association_model);
1732 break;
1733 }
1734
1735 SMP_TRACE_DEBUG("%s end ", __func__);
1736 }
1737
1738 /*******************************************************************************
1739 * Function smp_match_dhkey_checks
1740 * Description checks if the calculated peer DHKey Check value is the same as
1741 * received from the peer DHKey check value.
1742 ******************************************************************************/
smp_match_dhkey_checks(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1743 void smp_match_dhkey_checks(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1744 SMP_TRACE_DEBUG("%s", __func__);
1745
1746 if (memcmp(p_data->key.p_data, p_cb->remote_dhkey_check.data(),
1747 OCTET16_LEN)) {
1748 SMP_TRACE_WARNING("dhkey chcks do no match");
1749 tSMP_INT_DATA smp_int_data;
1750 smp_int_data.status = SMP_DHKEY_CHK_FAIL;
1751 p_cb->failure = SMP_DHKEY_CHK_FAIL;
1752 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1753 return;
1754 }
1755
1756 SMP_TRACE_EVENT("dhkey chcks match");
1757
1758 /* compare the max encryption key size, and save the smaller one for the link
1759 */
1760 if (p_cb->peer_enc_size < p_cb->loc_enc_size)
1761 p_cb->loc_enc_size = p_cb->peer_enc_size;
1762
1763 if (p_cb->role == HCI_ROLE_SLAVE) {
1764 smp_sm_event(p_cb, SMP_PAIR_DHKEY_CHCK_EVT, NULL);
1765 } else {
1766 /* master device always use received i/r key as keys to distribute */
1767 p_cb->local_i_key = p_cb->peer_i_key;
1768 p_cb->local_r_key = p_cb->peer_r_key;
1769 smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL);
1770 }
1771 }
1772
1773 /*******************************************************************************
1774 * Function smp_move_to_secure_connections_phase2
1775 * Description Signal State Machine to start SC phase 2 initialization (to
1776 * compute local DHKey Check value).
1777 *
1778 * Note SM is supposed to be in the state SMP_STATE_SEC_CONN_PHS2_START.
1779 ******************************************************************************/
smp_move_to_secure_connections_phase2(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1780 void smp_move_to_secure_connections_phase2(tSMP_CB* p_cb,
1781 tSMP_INT_DATA* p_data) {
1782 SMP_TRACE_DEBUG("%s", __func__);
1783 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1784 }
1785
1786 /*******************************************************************************
1787 * Function smp_phase_2_dhkey_checks_are_present
1788 * Description generates event if dhkey check from the peer is already
1789 * received.
1790 *
1791 * Note It is supposed to be used on slave to prevent race condition.
1792 * It is supposed to be called after slave dhkey check is
1793 * calculated.
1794 ******************************************************************************/
smp_phase_2_dhkey_checks_are_present(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1795 void smp_phase_2_dhkey_checks_are_present(tSMP_CB* p_cb,
1796 tSMP_INT_DATA* p_data) {
1797 SMP_TRACE_DEBUG("%s", __func__);
1798
1799 if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_DHK_CHK)
1800 smp_sm_event(p_cb, SMP_SC_2_DHCK_CHKS_PRES_EVT, NULL);
1801 }
1802
1803 /*******************************************************************************
1804 * Function smp_wait_for_both_public_keys
1805 * Description generates SMP_BOTH_PUBL_KEYS_RCVD_EVT event when both local and
1806 * master public keys are available.
1807 *
1808 * Note on the slave it is used to prevent race condition.
1809 *
1810 ******************************************************************************/
smp_wait_for_both_public_keys(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1811 void smp_wait_for_both_public_keys(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1812 SMP_TRACE_DEBUG("%s", __func__);
1813
1814 if ((p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_PUBL_KEY) &&
1815 (p_cb->flags & SMP_PAIR_FLAG_HAVE_LOCAL_PUBL_KEY)) {
1816 if ((p_cb->role == HCI_ROLE_SLAVE) &&
1817 ((p_cb->req_oob_type == SMP_OOB_LOCAL) ||
1818 (p_cb->req_oob_type == SMP_OOB_BOTH))) {
1819 smp_set_state(SMP_STATE_PUBLIC_KEY_EXCH);
1820 }
1821 smp_sm_event(p_cb, SMP_BOTH_PUBL_KEYS_RCVD_EVT, NULL);
1822 }
1823 }
1824
1825 /*******************************************************************************
1826 * Function smp_start_passkey_verification
1827 * Description Starts SC passkey entry verification.
1828 ******************************************************************************/
smp_start_passkey_verification(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1829 void smp_start_passkey_verification(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1830 uint8_t* p = NULL;
1831
1832 SMP_TRACE_DEBUG("%s", __func__);
1833 p = p_cb->local_random.data();
1834 UINT32_TO_STREAM(p, p_data->passkey);
1835
1836 p = p_cb->peer_random.data();
1837 UINT32_TO_STREAM(p, p_data->passkey);
1838
1839 p_cb->round = 0;
1840 smp_start_nonce_generation(p_cb);
1841 }
1842
1843 /*******************************************************************************
1844 * Function smp_process_secure_connection_oob_data
1845 * Description Processes local/peer SC OOB data received from somewhere.
1846 ******************************************************************************/
smp_process_secure_connection_oob_data(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1847 void smp_process_secure_connection_oob_data(tSMP_CB* p_cb,
1848 tSMP_INT_DATA* p_data) {
1849 SMP_TRACE_DEBUG("%s", __func__);
1850
1851 tSMP_SC_OOB_DATA* p_sc_oob_data = &p_cb->sc_oob_data;
1852 if (p_sc_oob_data->loc_oob_data.present) {
1853 p_cb->local_random = p_sc_oob_data->loc_oob_data.randomizer;
1854 } else {
1855 SMP_TRACE_EVENT("%s: local OOB randomizer is absent", __func__);
1856 p_cb->local_random = {0};
1857 }
1858
1859 if (!p_sc_oob_data->peer_oob_data.present) {
1860 SMP_TRACE_EVENT("%s: peer OOB data is absent", __func__);
1861 p_cb->peer_random = {0};
1862 } else {
1863 p_cb->peer_random = p_sc_oob_data->peer_oob_data.randomizer;
1864 p_cb->remote_commitment = p_sc_oob_data->peer_oob_data.commitment;
1865
1866 /* check commitment */
1867 if (!smp_check_commitment(p_cb)) {
1868 tSMP_INT_DATA smp_int_data;
1869 smp_int_data.status = SMP_CONFIRM_VALUE_ERR;
1870 p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1871 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1872 return;
1873 }
1874
1875 if (p_cb->peer_oob_flag != SMP_OOB_PRESENT) {
1876 /* the peer doesn't have local randomiser */
1877 SMP_TRACE_EVENT(
1878 "%s: peer didn't receive local OOB data, set local randomizer to 0",
1879 __func__);
1880 p_cb->local_random = {0};
1881 }
1882 }
1883
1884 print128(p_cb->local_random, (const uint8_t*)"local OOB randomizer");
1885 print128(p_cb->peer_random, (const uint8_t*)"peer OOB randomizer");
1886 smp_start_nonce_generation(p_cb);
1887 }
1888
1889 /*******************************************************************************
1890 * Function smp_set_local_oob_keys
1891 * Description Saves calculated private/public keys in
1892 * sc_oob_data.loc_oob_data, starts nonce generation
1893 * (to be saved in sc_oob_data.loc_oob_data.randomizer).
1894 ******************************************************************************/
smp_set_local_oob_keys(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1895 void smp_set_local_oob_keys(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1896 SMP_TRACE_DEBUG("%s", __func__);
1897
1898 memcpy(p_cb->sc_oob_data.loc_oob_data.private_key_used, p_cb->private_key,
1899 BT_OCTET32_LEN);
1900 p_cb->sc_oob_data.loc_oob_data.publ_key_used = p_cb->loc_publ_key;
1901 smp_start_nonce_generation(p_cb);
1902 }
1903
1904 /*******************************************************************************
1905 * Function smp_set_local_oob_random_commitment
1906 * Description Saves calculated randomizer and commitment in
1907 * sc_oob_data.loc_oob_data, passes sc_oob_data.loc_oob_data up
1908 * for safekeeping.
1909 ******************************************************************************/
smp_set_local_oob_random_commitment(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1910 void smp_set_local_oob_random_commitment(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1911 SMP_TRACE_DEBUG("%s", __func__);
1912 p_cb->sc_oob_data.loc_oob_data.randomizer = p_cb->rand;
1913
1914 p_cb->sc_oob_data.loc_oob_data.commitment =
1915 crypto_toolbox::f4(p_cb->sc_oob_data.loc_oob_data.publ_key_used.x,
1916 p_cb->sc_oob_data.loc_oob_data.publ_key_used.x,
1917 p_cb->sc_oob_data.loc_oob_data.randomizer, 0);
1918
1919 #if (SMP_DEBUG == TRUE)
1920 uint8_t* p_print = NULL;
1921 SMP_TRACE_DEBUG("local SC OOB data set:");
1922 p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.addr_sent_to;
1923 smp_debug_print_nbyte_little_endian(p_print, "addr_sent_to",
1924 sizeof(tBLE_BD_ADDR));
1925 p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.private_key_used;
1926 smp_debug_print_nbyte_little_endian(p_print, "private_key_used",
1927 BT_OCTET32_LEN);
1928 p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.publ_key_used.x;
1929 smp_debug_print_nbyte_little_endian(p_print, "publ_key_used.x",
1930 BT_OCTET32_LEN);
1931 p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.publ_key_used.y;
1932 smp_debug_print_nbyte_little_endian(p_print, "publ_key_used.y",
1933 BT_OCTET32_LEN);
1934 p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.randomizer;
1935 smp_debug_print_nbyte_little_endian(p_print, "randomizer", OCTET16_LEN);
1936 p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.commitment;
1937 smp_debug_print_nbyte_little_endian(p_print, "commitment", OCTET16_LEN);
1938 SMP_TRACE_DEBUG("");
1939 #endif
1940
1941 /* pass created OOB data up */
1942 p_cb->cb_evt = SMP_SC_LOC_OOB_DATA_UP_EVT;
1943 smp_send_app_cback(p_cb, NULL);
1944
1945 smp_cb_cleanup(p_cb);
1946 }
1947
1948 /*******************************************************************************
1949 *
1950 * Function smp_link_encrypted
1951 *
1952 * Description This function is called when link is encrypted and notified
1953 * to the slave device. Proceed to to send LTK, DIV and ER to
1954 * master if bonding the devices.
1955 *
1956 *
1957 * Returns void
1958 *
1959 ******************************************************************************/
smp_link_encrypted(const RawAddress & bda,uint8_t encr_enable)1960 void smp_link_encrypted(const RawAddress& bda, uint8_t encr_enable) {
1961 tSMP_CB* p_cb = &smp_cb;
1962
1963 SMP_TRACE_DEBUG("%s: encr_enable=%d", __func__, encr_enable);
1964
1965 if (smp_cb.pairing_bda == bda) {
1966 /* encryption completed with STK, remember the key size now, could be
1967 * overwritten when key exchange happens */
1968 if (p_cb->loc_enc_size != 0 && encr_enable) {
1969 /* update the link encryption key size if a SMP pairing just performed */
1970 btm_ble_update_sec_key_size(bda, p_cb->loc_enc_size);
1971 }
1972
1973 tSMP_INT_DATA smp_int_data;
1974 smp_int_data.status = encr_enable;
1975 smp_sm_event(&smp_cb, SMP_ENCRYPTED_EVT, &smp_int_data);
1976 }
1977 }
1978
smp_cancel_start_encryption_attempt()1979 void smp_cancel_start_encryption_attempt() {
1980 SMP_TRACE_ERROR("%s: Encryption request cancelled", __func__);
1981 smp_sm_event(&smp_cb, SMP_DISCARD_SEC_REQ_EVT, NULL);
1982 }
1983
1984 /*******************************************************************************
1985 *
1986 * Function smp_proc_ltk_request
1987 *
1988 * Description This function is called when LTK request is received from
1989 * controller.
1990 *
1991 * Returns void
1992 *
1993 ******************************************************************************/
smp_proc_ltk_request(const RawAddress & bda)1994 bool smp_proc_ltk_request(const RawAddress& bda) {
1995 SMP_TRACE_DEBUG("%s state = %d", __func__, smp_cb.state);
1996 bool match = false;
1997
1998 if (bda == smp_cb.pairing_bda) {
1999 match = true;
2000 } else {
2001 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda);
2002 if (p_dev_rec != NULL && p_dev_rec->ble.pseudo_addr == smp_cb.pairing_bda &&
2003 p_dev_rec->ble.pseudo_addr != RawAddress::kEmpty) {
2004 match = true;
2005 }
2006 }
2007
2008 if (match && smp_cb.state == SMP_STATE_ENCRYPTION_PENDING) {
2009 smp_sm_event(&smp_cb, SMP_ENC_REQ_EVT, NULL);
2010 return true;
2011 }
2012
2013 return false;
2014 }
2015
2016 /*******************************************************************************
2017 *
2018 * Function smp_process_secure_connection_long_term_key
2019 *
2020 * Description This function is called to process SC LTK.
2021 * SC LTK is calculated and used instead of STK.
2022 * Here SC LTK is saved in BLE DB.
2023 *
2024 * Returns void
2025 *
2026 ******************************************************************************/
smp_process_secure_connection_long_term_key(void)2027 void smp_process_secure_connection_long_term_key(void) {
2028 tSMP_CB* p_cb = &smp_cb;
2029
2030 SMP_TRACE_DEBUG("%s", __func__);
2031 smp_save_secure_connections_long_term_key(p_cb);
2032
2033 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, false);
2034 smp_key_distribution(p_cb, NULL);
2035 }
2036
2037 /*******************************************************************************
2038 *
2039 * Function smp_set_derive_link_key
2040 *
2041 * Description This function is called to set flag that indicates that
2042 * BR/EDR LK has to be derived from LTK after all keys are
2043 * distributed.
2044 *
2045 * Returns void
2046 *
2047 ******************************************************************************/
smp_set_derive_link_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2048 void smp_set_derive_link_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
2049 SMP_TRACE_DEBUG("%s", __func__);
2050 p_cb->derive_lk = true;
2051 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_LK, false);
2052 smp_key_distribution(p_cb, NULL);
2053 }
2054
2055 /*******************************************************************************
2056 *
2057 * Function smp_derive_link_key_from_long_term_key
2058 *
2059 * Description This function is called to derive BR/EDR LK from LTK.
2060 *
2061 * Returns void
2062 *
2063 ******************************************************************************/
smp_derive_link_key_from_long_term_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2064 void smp_derive_link_key_from_long_term_key(tSMP_CB* p_cb,
2065 tSMP_INT_DATA* p_data) {
2066 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN;
2067
2068 SMP_TRACE_DEBUG("%s", __func__);
2069 if (!smp_calculate_link_key_from_long_term_key(p_cb)) {
2070 SMP_TRACE_ERROR("%s failed", __func__);
2071 tSMP_INT_DATA smp_int_data;
2072 smp_int_data.status = status;
2073 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
2074 return;
2075 }
2076 }
2077
2078 /*******************************************************************************
2079 *
2080 * Function smp_br_process_link_key
2081 *
2082 * Description This function is called to process BR/EDR LK:
2083 * - to derive SMP LTK from BR/EDR LK;
2084 * - to save SMP LTK.
2085 *
2086 * Returns void
2087 *
2088 ******************************************************************************/
smp_br_process_link_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2089 void smp_br_process_link_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
2090 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN;
2091
2092 SMP_TRACE_DEBUG("%s", __func__);
2093 if (!smp_calculate_long_term_key_from_link_key(p_cb)) {
2094 SMP_TRACE_ERROR("%s: failed", __func__);
2095 tSMP_INT_DATA smp_int_data;
2096 smp_int_data.status = status;
2097 smp_sm_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
2098 return;
2099 }
2100
2101 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
2102 if (p_dev_rec) {
2103 SMP_TRACE_DEBUG("%s: dev_type = %d ", __func__, p_dev_rec->device_type);
2104 p_dev_rec->device_type |= BT_DEVICE_TYPE_BLE;
2105 } else {
2106 SMP_TRACE_ERROR("%s failed to find Security Record", __func__);
2107 }
2108
2109 SMP_TRACE_DEBUG("%s: LTK derivation from LK successfully completed",
2110 __func__);
2111 smp_save_secure_connections_long_term_key(p_cb);
2112 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, false);
2113 smp_br_select_next_key(p_cb, NULL);
2114 }
2115
2116 /*******************************************************************************
2117 * Function smp_key_distribution_by_transport
2118 * Description depending on the transport used at the moment calls either
2119 * smp_key_distribution(...) or smp_br_key_distribution(...).
2120 ******************************************************************************/
smp_key_distribution_by_transport(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2121 void smp_key_distribution_by_transport(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
2122 SMP_TRACE_DEBUG("%s", __func__);
2123 if (p_cb->smp_over_br) {
2124 smp_br_select_next_key(p_cb, NULL);
2125 } else {
2126 smp_key_distribution(p_cb, NULL);
2127 }
2128 }
2129
2130 /*******************************************************************************
2131 * Function smp_br_pairing_complete
2132 * Description This function is called to send the pairing complete
2133 * callback and remove the connection if needed.
2134 ******************************************************************************/
smp_br_pairing_complete(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2135 void smp_br_pairing_complete(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
2136 SMP_TRACE_DEBUG("%s", __func__);
2137
2138 if (p_cb->total_tx_unacked == 0) {
2139 /* process the pairing complete */
2140 smp_proc_pairing_cmpl(p_cb);
2141 }
2142 }
2143