1 /******************************************************************************
2 *
3 * Copyright 2003-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 #define LOG_TAG "smp_act"
20
21 #include <string.h>
22 #include "btif_api.h"
23 #include "btif_common.h"
24 #include "btif_storage.h"
25 #include "device/include/interop.h"
26 #include "internal_include/bt_target.h"
27 #include "main/shim/shim.h"
28 #include "osi/include/log.h"
29 #include "stack/btm/btm_dev.h"
30 #include "stack/btm/btm_sec.h"
31 #include "stack/include/acl_api.h"
32 #include "stack/include/l2c_api.h"
33 #include "stack/include/smp_api_types.h"
34 #include "stack/smp/p_256_ecc_pp.h"
35 #include "stack/smp/smp_int.h"
36 #include "types/raw_address.h"
37
38 extern tBTM_CB btm_cb;
39
40 #define SMP_KEY_DIST_TYPE_MAX 4
41
42 const tSMP_ACT smp_distribute_act[] = {
43 smp_generate_ltk, /* SMP_SEC_KEY_TYPE_ENC - '1' bit index */
44 smp_send_id_info, /* SMP_SEC_KEY_TYPE_ID - '1' bit index */
45 smp_generate_csrk, /* SMP_SEC_KEY_TYPE_CSRK - '1' bit index */
46 smp_set_derive_link_key /* SMP_SEC_KEY_TYPE_LK - '1' bit index */
47 };
48
pts_test_send_authentication_complete_failure(tSMP_CB * p_cb)49 static bool pts_test_send_authentication_complete_failure(tSMP_CB* p_cb) {
50 tSMP_STATUS reason = p_cb->cert_failure;
51 if (reason == SMP_PAIR_AUTH_FAIL || reason == SMP_PAIR_FAIL_UNKNOWN ||
52 reason == SMP_PAIR_NOT_SUPPORT || reason == SMP_PASSKEY_ENTRY_FAIL ||
53 reason == SMP_REPEATED_ATTEMPTS) {
54 tSMP_INT_DATA smp_int_data;
55 smp_int_data.status = reason;
56 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
57 return true;
58 }
59 return false;
60 }
61
62 /*******************************************************************************
63 * Function smp_update_key_mask
64 * Description This function updates the key mask for sending or receiving.
65 ******************************************************************************/
smp_update_key_mask(tSMP_CB * p_cb,uint8_t key_type,bool recv)66 static void smp_update_key_mask(tSMP_CB* p_cb, uint8_t key_type, bool recv) {
67 SMP_TRACE_DEBUG(
68 "%s before update role=%d recv=%d local_i_key = %02x, local_r_key = %02x",
69 __func__, p_cb->role, recv, p_cb->local_i_key, p_cb->local_r_key);
70
71 if (((p_cb->le_secure_connections_mode_is_used) || (p_cb->smp_over_br)) &&
72 ((key_type == SMP_SEC_KEY_TYPE_ENC) ||
73 (key_type == SMP_SEC_KEY_TYPE_LK))) {
74 /* in LE SC mode LTK, CSRK and BR/EDR LK are derived locally instead of
75 ** being exchanged with the peer */
76 p_cb->local_i_key &= ~key_type;
77 p_cb->local_r_key &= ~key_type;
78 } else if (p_cb->role == HCI_ROLE_PERIPHERAL) {
79 if (recv)
80 p_cb->local_i_key &= ~key_type;
81 else
82 p_cb->local_r_key &= ~key_type;
83 } else {
84 if (recv)
85 p_cb->local_r_key &= ~key_type;
86 else
87 p_cb->local_i_key &= ~key_type;
88 }
89
90 SMP_TRACE_DEBUG("updated local_i_key = %02x, local_r_key = %02x",
91 p_cb->local_i_key, p_cb->local_r_key);
92 }
93
94 /*******************************************************************************
95 * Function smp_send_app_cback
96 * Description notifies application about the events the application is
97 * interested in
98 ******************************************************************************/
smp_send_app_cback(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)99 void smp_send_app_cback(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
100 tSMP_EVT_DATA cb_data;
101 tBTM_STATUS callback_rc;
102 uint8_t remote_lmp_version = 0;
103 if (p_cb->p_callback && p_cb->cb_evt != 0) {
104 switch (p_cb->cb_evt) {
105 case SMP_IO_CAP_REQ_EVT:
106 cb_data.io_req.auth_req = p_cb->peer_auth_req;
107 cb_data.io_req.oob_data = SMP_OOB_NONE;
108 cb_data.io_req.io_cap = btif_storage_get_local_io_caps_ble();
109 cb_data.io_req.max_key_size = SMP_MAX_ENC_KEY_SIZE;
110 cb_data.io_req.init_keys = p_cb->local_i_key;
111 cb_data.io_req.resp_keys = p_cb->local_r_key;
112 LOG_DEBUG("Notify app io_cap = %hhu", cb_data.io_req.io_cap);
113 break;
114
115 case SMP_NC_REQ_EVT:
116 cb_data.passkey = p_data->passkey;
117 break;
118 case SMP_SC_OOB_REQ_EVT:
119 cb_data.req_oob_type = p_data->req_oob_type;
120 break;
121 case SMP_SC_LOC_OOB_DATA_UP_EVT:
122 cb_data.loc_oob_data = p_cb->sc_oob_data.loc_oob_data;
123 break;
124
125 case SMP_BR_KEYS_REQ_EVT:
126 cb_data.io_req.auth_req = 0;
127 cb_data.io_req.oob_data = SMP_OOB_NONE;
128 cb_data.io_req.io_cap = 0;
129 cb_data.io_req.max_key_size = SMP_MAX_ENC_KEY_SIZE;
130 cb_data.io_req.init_keys = SMP_BR_SEC_DEFAULT_KEY;
131 cb_data.io_req.resp_keys = SMP_BR_SEC_DEFAULT_KEY;
132 break;
133
134 default:
135 LOG_ERROR("Unexpected event:%hhu", p_cb->cb_evt);
136 break;
137 }
138
139 callback_rc =
140 (*p_cb->p_callback)(p_cb->cb_evt, p_cb->pairing_bda, &cb_data);
141
142 if (callback_rc == BTM_SUCCESS) {
143 switch (p_cb->cb_evt) {
144 case SMP_IO_CAP_REQ_EVT:
145 p_cb->loc_auth_req = cb_data.io_req.auth_req;
146 p_cb->local_io_capability = cb_data.io_req.io_cap;
147 p_cb->loc_oob_flag = cb_data.io_req.oob_data;
148 p_cb->loc_enc_size = cb_data.io_req.max_key_size;
149 p_cb->local_i_key = cb_data.io_req.init_keys;
150 p_cb->local_r_key = cb_data.io_req.resp_keys;
151
152 if (!(p_cb->loc_auth_req & SMP_AUTH_BOND)) {
153 LOG_INFO("Non bonding: No keys will be exchanged");
154 p_cb->local_i_key = 0;
155 p_cb->local_r_key = 0;
156 }
157
158 LOG_DEBUG(
159 "Remote request IO capabilities precondition auth_req: 0x%02x,"
160 " io_cap: %d loc_oob_flag: %d loc_enc_size: %d, "
161 "local_i_key: 0x%02x, local_r_key: 0x%02x",
162 p_cb->loc_auth_req, p_cb->local_io_capability, p_cb->loc_oob_flag,
163 p_cb->loc_enc_size, p_cb->local_i_key, p_cb->local_r_key);
164
165 p_cb->secure_connections_only_mode_required =
166 (btm_cb.security_mode == BTM_SEC_MODE_SC) ? true : false;
167 /* just for PTS, force SC bit */
168 if (p_cb->secure_connections_only_mode_required) {
169 p_cb->loc_auth_req |= SMP_SC_SUPPORT_BIT;
170 }
171
172 if (!BTM_ReadRemoteVersion(p_cb->pairing_bda, &remote_lmp_version,
173 nullptr, nullptr)) {
174 LOG_WARN(
175 "SMP Unable to determine remote security authentication "
176 "remote_lmp_version:%hu",
177 remote_lmp_version);
178 }
179
180 if (!bluetooth::shim::is_gd_acl_enabled()) {
181 if (!p_cb->secure_connections_only_mode_required &&
182 (!(p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) ||
183 remote_lmp_version < HCI_PROTO_VERSION_4_2 ||
184 interop_match_addr(INTEROP_DISABLE_LE_SECURE_CONNECTIONS,
185 (const RawAddress*)&p_cb->pairing_bda))) {
186 p_cb->loc_auth_req &= ~SMP_SC_SUPPORT_BIT;
187 p_cb->loc_auth_req &= ~SMP_KP_SUPPORT_BIT;
188 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
189 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
190 }
191
192 if (remote_lmp_version < HCI_PROTO_VERSION_5_0) {
193 p_cb->loc_auth_req &= ~SMP_H7_SUPPORT_BIT;
194 }
195 }
196
197 LOG_DEBUG(
198 "Remote request IO capabilities postcondition auth_req: 0x%02x,"
199 " local_i_key: 0x%02x, local_r_key: 0x%02x",
200 p_cb->loc_auth_req, p_cb->local_i_key, p_cb->local_r_key);
201
202 smp_sm_event(p_cb, SMP_IO_RSP_EVT, NULL);
203 break;
204
205 case SMP_BR_KEYS_REQ_EVT:
206 p_cb->loc_enc_size = cb_data.io_req.max_key_size;
207 p_cb->local_i_key = cb_data.io_req.init_keys;
208 p_cb->local_r_key = cb_data.io_req.resp_keys;
209 p_cb->loc_auth_req |= SMP_H7_SUPPORT_BIT;
210
211 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
212 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
213
214 LOG_DEBUG(
215 "for SMP over BR max_key_size: 0x%02x, local_i_key: 0x%02x, "
216 "local_r_key: 0x%02x, p_cb->loc_auth_req: 0x%02x",
217 p_cb->loc_enc_size, p_cb->local_i_key, p_cb->local_r_key,
218 p_cb->loc_auth_req);
219
220 smp_br_state_machine_event(p_cb, SMP_BR_KEYS_RSP_EVT, NULL);
221 break;
222
223 // Expected, but nothing to do
224 case SMP_SC_LOC_OOB_DATA_UP_EVT:
225 break;
226
227 default:
228 LOG_ERROR("Unexpected event: %hhu", p_cb->cb_evt);
229 }
230 }
231 }
232
233 if (!p_cb->cb_evt && p_cb->discard_sec_req) {
234 p_cb->discard_sec_req = false;
235 smp_sm_event(p_cb, SMP_DISCARD_SEC_REQ_EVT, NULL);
236 }
237 }
238
239 /*******************************************************************************
240 * Function smp_send_pair_fail
241 * Description pairing failure to peer device if needed.
242 ******************************************************************************/
smp_send_pair_fail(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)243 void smp_send_pair_fail(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
244 p_cb->status = p_data->status;
245 p_cb->failure = p_data->status;
246
247 SMP_TRACE_DEBUG("%s: status=%d failure=%d ", __func__, p_cb->status,
248 p_cb->failure);
249
250 if (p_cb->status <= SMP_MAX_FAIL_RSN_PER_SPEC &&
251 p_cb->status != SMP_SUCCESS) {
252 smp_send_cmd(SMP_OPCODE_PAIRING_FAILED, p_cb);
253 p_cb->wait_for_authorization_complete = true;
254 }
255 }
256
257 /*******************************************************************************
258 * Function smp_send_pair_req
259 * Description actions related to sending pairing request
260 ******************************************************************************/
smp_send_pair_req(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)261 void smp_send_pair_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
262 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
263 SMP_TRACE_DEBUG("%s", __func__);
264
265 /* erase all keys when central sends pairing req*/
266 if (p_dev_rec) btm_sec_clear_ble_keys(p_dev_rec);
267 /* do not manipulate the key, let app decide,
268 leave out to BTM to mandate key distribution for bonding case */
269 smp_send_cmd(SMP_OPCODE_PAIRING_REQ, p_cb);
270 }
271
272 /*******************************************************************************
273 * Function smp_send_pair_rsp
274 * Description actions related to sending pairing response
275 ******************************************************************************/
smp_send_pair_rsp(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)276 void smp_send_pair_rsp(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
277 SMP_TRACE_DEBUG("%s", __func__);
278
279 p_cb->local_i_key &= p_cb->peer_i_key;
280 p_cb->local_r_key &= p_cb->peer_r_key;
281
282 if (smp_send_cmd(SMP_OPCODE_PAIRING_RSP, p_cb)) {
283 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB)
284 smp_use_oob_private_key(p_cb, NULL);
285 else
286 smp_decide_association_model(p_cb, NULL);
287 }
288 }
289
290 /*******************************************************************************
291 * Function smp_send_confirm
292 * Description send confirmation to the peer
293 ******************************************************************************/
smp_send_confirm(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)294 void smp_send_confirm(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
295 SMP_TRACE_DEBUG("%s", __func__);
296 smp_send_cmd(SMP_OPCODE_CONFIRM, p_cb);
297 }
298
299 /*******************************************************************************
300 * Function smp_send_init
301 * Description process pairing initializer to peripheral device
302 ******************************************************************************/
smp_send_init(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)303 void smp_send_init(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
304 SMP_TRACE_DEBUG("%s", __func__);
305 smp_send_cmd(SMP_OPCODE_INIT, p_cb);
306 }
307
308 /*******************************************************************************
309 * Function smp_send_rand
310 * Description send pairing random to the peer
311 ******************************************************************************/
smp_send_rand(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)312 void smp_send_rand(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
313 SMP_TRACE_DEBUG("%s", __func__);
314 smp_send_cmd(SMP_OPCODE_RAND, p_cb);
315 }
316
317 /*******************************************************************************
318 * Function smp_send_pair_public_key
319 * Description send pairing public key command to the peer
320 ******************************************************************************/
smp_send_pair_public_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)321 void smp_send_pair_public_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
322 SMP_TRACE_DEBUG("%s", __func__);
323 smp_send_cmd(SMP_OPCODE_PAIR_PUBLIC_KEY, p_cb);
324 }
325
326 /*******************************************************************************
327 * Function SMP_SEND_COMMITMENT
328 * Description send commitment command to the peer
329 ******************************************************************************/
smp_send_commitment(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)330 void smp_send_commitment(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
331 SMP_TRACE_DEBUG("%s", __func__);
332 smp_send_cmd(SMP_OPCODE_PAIR_COMMITM, p_cb);
333 }
334
335 /*******************************************************************************
336 * Function smp_send_dhkey_check
337 * Description send DHKey Check command to the peer
338 ******************************************************************************/
smp_send_dhkey_check(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)339 void smp_send_dhkey_check(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
340 SMP_TRACE_DEBUG("%s", __func__);
341 smp_send_cmd(SMP_OPCODE_PAIR_DHKEY_CHECK, p_cb);
342 }
343
344 /*******************************************************************************
345 * Function smp_send_keypress_notification
346 * Description send Keypress Notification command to the peer
347 ******************************************************************************/
smp_send_keypress_notification(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)348 void smp_send_keypress_notification(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
349 p_cb->local_keypress_notification = p_data->status;
350 smp_send_cmd(SMP_OPCODE_PAIR_KEYPR_NOTIF, p_cb);
351 }
352
353 /*******************************************************************************
354 * Function smp_send_enc_info
355 * Description send encryption information command.
356 ******************************************************************************/
smp_send_enc_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)357 void smp_send_enc_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
358 tBTM_LE_KEY_VALUE le_key;
359
360 SMP_TRACE_DEBUG("%s: p_cb->loc_enc_size = %d", __func__, p_cb->loc_enc_size);
361 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, false);
362
363 smp_send_cmd(SMP_OPCODE_ENCRYPT_INFO, p_cb);
364 smp_send_cmd(SMP_OPCODE_CENTRAL_ID, p_cb);
365
366 /* save the DIV and key size information when acting as peripheral device */
367 le_key.lenc_key.ltk = p_cb->ltk;
368 le_key.lenc_key.div = p_cb->div;
369 le_key.lenc_key.key_size = p_cb->loc_enc_size;
370 le_key.lenc_key.sec_level = p_cb->sec_level;
371
372 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
373 (p_cb->loc_auth_req & SMP_AUTH_BOND))
374 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC, &le_key, true);
375
376 SMP_TRACE_WARNING("%s", __func__);
377
378 smp_key_distribution(p_cb, NULL);
379 }
380
381 /*******************************************************************************
382 * Function smp_send_id_info
383 * Description send ID information command.
384 ******************************************************************************/
smp_send_id_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)385 void smp_send_id_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
386 tBTM_LE_KEY_VALUE le_key;
387 SMP_TRACE_DEBUG("%s", __func__);
388 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ID, false);
389
390 smp_send_cmd(SMP_OPCODE_IDENTITY_INFO, p_cb);
391 smp_send_cmd(SMP_OPCODE_ID_ADDR, p_cb);
392
393 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
394 (p_cb->loc_auth_req & SMP_AUTH_BOND))
395 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LID, &le_key, true);
396
397 smp_key_distribution_by_transport(p_cb, NULL);
398 }
399
400 /** send CSRK command. */
smp_send_csrk_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)401 void smp_send_csrk_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
402 tBTM_LE_KEY_VALUE key;
403 SMP_TRACE_DEBUG("%s", __func__);
404 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_CSRK, false);
405
406 if (smp_send_cmd(SMP_OPCODE_SIGN_INFO, p_cb)) {
407 key.lcsrk_key.div = p_cb->div;
408 key.lcsrk_key.sec_level = p_cb->sec_level;
409 key.lcsrk_key.counter = 0; /* initialize the local counter */
410 key.lcsrk_key.csrk = p_cb->csrk;
411 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LCSRK, &key, true);
412 }
413
414 smp_key_distribution_by_transport(p_cb, NULL);
415 }
416
417 /*******************************************************************************
418 * Function smp_send_ltk_reply
419 * Description send LTK reply
420 ******************************************************************************/
smp_send_ltk_reply(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)421 void smp_send_ltk_reply(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
422 SMP_TRACE_DEBUG("%s", __func__);
423
424 Octet16 stk;
425 memcpy(stk.data(), p_data->key.p_data, stk.size());
426 /* send stk as LTK response */
427 btm_ble_ltk_request_reply(p_cb->pairing_bda, true, stk);
428 }
429
430 /*******************************************************************************
431 * Function smp_proc_sec_req
432 * Description process security request.
433 ******************************************************************************/
smp_proc_sec_req(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)434 void smp_proc_sec_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
435 tBTM_LE_AUTH_REQ auth_req = *(tBTM_LE_AUTH_REQ*)p_data->p_data;
436 tBTM_BLE_SEC_REQ_ACT sec_req_act;
437
438 SMP_TRACE_DEBUG("%s: auth_req=0x%x", __func__, auth_req);
439
440 p_cb->cb_evt = SMP_EVT_NONE;
441
442 btm_ble_link_sec_check(p_cb->pairing_bda, auth_req, &sec_req_act);
443
444 SMP_TRACE_DEBUG("%s: sec_req_act=0x%x", __func__, sec_req_act);
445
446 switch (sec_req_act) {
447 case BTM_BLE_SEC_REQ_ACT_ENCRYPT:
448 SMP_TRACE_DEBUG("%s: BTM_BLE_SEC_REQ_ACT_ENCRYPT", __func__);
449 smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL);
450 break;
451
452 case BTM_BLE_SEC_REQ_ACT_PAIR:
453 p_cb->secure_connections_only_mode_required =
454 (btm_cb.security_mode == BTM_SEC_MODE_SC) ? true : false;
455
456 /* respond to non SC pairing request as failure in SC only mode */
457 if (p_cb->secure_connections_only_mode_required &&
458 (auth_req & SMP_SC_SUPPORT_BIT) == 0) {
459 tSMP_INT_DATA smp_int_data;
460 smp_int_data.status = SMP_PAIR_AUTH_FAIL;
461 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
462 } else {
463 /* initialize local i/r key to be default keys */
464 p_cb->peer_auth_req = auth_req;
465 p_cb->local_r_key = p_cb->local_i_key = SMP_SEC_DEFAULT_KEY;
466 p_cb->cb_evt = SMP_SEC_REQUEST_EVT;
467 }
468 break;
469
470 case BTM_BLE_SEC_REQ_ACT_DISCARD:
471 p_cb->discard_sec_req = true;
472 break;
473
474 default:
475 /* do nothing */
476 break;
477 }
478 }
479
480 /*******************************************************************************
481 * Function smp_proc_sec_grant
482 * Description process security grant.
483 ******************************************************************************/
smp_proc_sec_grant(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)484 void smp_proc_sec_grant(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
485 uint8_t res = p_data->status;
486 SMP_TRACE_DEBUG("%s", __func__);
487 if (res != SMP_SUCCESS) {
488 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, p_data);
489 } else /*otherwise, start pairing */
490 {
491 /* send IO request callback */
492 p_cb->cb_evt = SMP_IO_CAP_REQ_EVT;
493 }
494 }
495
496 /*******************************************************************************
497 * Function smp_proc_pair_fail
498 * Description process pairing failure from peer device
499 ******************************************************************************/
smp_proc_pair_fail(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)500 void smp_proc_pair_fail(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
501 SMP_TRACE_DEBUG("%s", __func__);
502
503 if (p_cb->rcvd_cmd_len < 2) {
504 android_errorWriteLog(0x534e4554, "111214739");
505 SMP_TRACE_WARNING("%s: rcvd_cmd_len %d too short: must be at least 2",
506 __func__, p_cb->rcvd_cmd_len);
507 p_cb->status = SMP_INVALID_PARAMETERS;
508 } else {
509 p_cb->status = p_data->status;
510 }
511
512 /* Cancel pending auth complete timer if set */
513 alarm_cancel(p_cb->delayed_auth_timer_ent);
514 }
515
516 /*******************************************************************************
517 * Function smp_proc_pair_cmd
518 * Description Process the SMP pairing request/response from peer device
519 ******************************************************************************/
smp_proc_pair_cmd(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)520 void smp_proc_pair_cmd(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
521 uint8_t* p = p_data->p_data;
522 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
523
524 SMP_TRACE_DEBUG("%s: pairing_bda=%s", __func__,
525 p_cb->pairing_bda.ToString().c_str());
526
527 /* erase all keys if it is peripheral proc pairing req */
528 if (p_dev_rec && (p_cb->role == HCI_ROLE_PERIPHERAL))
529 btm_sec_clear_ble_keys(p_dev_rec);
530
531 p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR;
532
533 if (smp_command_has_invalid_length(p_cb)) {
534 tSMP_INT_DATA smp_int_data;
535 smp_int_data.status = SMP_INVALID_PARAMETERS;
536 android_errorWriteLog(0x534e4554, "111850706");
537 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
538 return;
539 }
540
541 STREAM_TO_UINT8(p_cb->peer_io_caps, p);
542 STREAM_TO_UINT8(p_cb->peer_oob_flag, p);
543 STREAM_TO_UINT8(p_cb->peer_auth_req, p);
544 STREAM_TO_UINT8(p_cb->peer_enc_size, p);
545 STREAM_TO_UINT8(p_cb->peer_i_key, p);
546 STREAM_TO_UINT8(p_cb->peer_r_key, p);
547
548 if (smp_command_has_invalid_parameters(p_cb)) {
549 tSMP_INT_DATA smp_int_data;
550 smp_int_data.status = SMP_INVALID_PARAMETERS;
551 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
552 return;
553 }
554
555 // PTS Testing failure modes
556 if (pts_test_send_authentication_complete_failure(p_cb)) return;
557
558 if (p_cb->role == HCI_ROLE_PERIPHERAL) {
559 if (!(p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD)) {
560 /* peer (central) started pairing sending Pairing Request */
561 p_cb->local_i_key = p_cb->peer_i_key;
562 p_cb->local_r_key = p_cb->peer_r_key;
563
564 p_cb->cb_evt = SMP_SEC_REQUEST_EVT;
565 } else /* update local i/r key according to pairing request */
566 {
567 /* pairing started with this side (peripheral) sending Security Request */
568 p_cb->local_i_key &= p_cb->peer_i_key;
569 p_cb->local_r_key &= p_cb->peer_r_key;
570 p_cb->selected_association_model = smp_select_association_model(p_cb);
571
572 if (p_cb->secure_connections_only_mode_required &&
573 (!(p_cb->le_secure_connections_mode_is_used) ||
574 (p_cb->selected_association_model ==
575 SMP_MODEL_SEC_CONN_JUSTWORKS))) {
576 SMP_TRACE_ERROR(
577 "%s: pairing failed - peripheral requires secure connection only "
578 "mode",
579 __func__);
580 tSMP_INT_DATA smp_int_data;
581 smp_int_data.status = SMP_PAIR_AUTH_FAIL;
582 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
583 return;
584 }
585
586 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) {
587 if (smp_request_oob_data(p_cb)) return;
588 } else {
589 smp_send_pair_rsp(p_cb, NULL);
590 }
591 }
592 } else /* Central receives pairing response */
593 {
594 p_cb->selected_association_model = smp_select_association_model(p_cb);
595
596 if (p_cb->secure_connections_only_mode_required &&
597 (!(p_cb->le_secure_connections_mode_is_used) ||
598 (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS))) {
599 SMP_TRACE_ERROR(
600 "Central requires secure connection only mode "
601 "but it can't be provided -> Central fails pairing");
602 tSMP_INT_DATA smp_int_data;
603 smp_int_data.status = SMP_PAIR_AUTH_FAIL;
604 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
605 return;
606 }
607
608 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) {
609 if (smp_request_oob_data(p_cb)) return;
610 } else {
611 smp_decide_association_model(p_cb, NULL);
612 }
613 }
614 }
615
616 /** process pairing confirm from peer device */
smp_proc_confirm(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)617 void smp_proc_confirm(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
618 SMP_TRACE_DEBUG("%s", __func__);
619
620 if (smp_command_has_invalid_parameters(p_cb)) {
621 tSMP_INT_DATA smp_int_data;
622 smp_int_data.status = SMP_INVALID_PARAMETERS;
623 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
624 return;
625 }
626
627 if (p_data) {
628 uint8_t* p = p_data->p_data;
629 if (p != NULL) {
630 /* save the SConfirm for comparison later */
631 STREAM_TO_ARRAY(p_cb->rconfirm.data(), p, OCTET16_LEN);
632 }
633 }
634
635 p_cb->flags |= SMP_PAIR_FLAGS_CMD_CONFIRM;
636 }
637
638 /** process pairing initializer from peer device */
smp_proc_init(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)639 void smp_proc_init(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
640 uint8_t* p = p_data->p_data;
641
642 SMP_TRACE_DEBUG("%s", __func__);
643
644 if (smp_command_has_invalid_parameters(p_cb)) {
645 tSMP_INT_DATA smp_int_data;
646 smp_int_data.status = SMP_INVALID_PARAMETERS;
647 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
648 return;
649 }
650
651 /* save the SRand for comparison */
652 STREAM_TO_ARRAY(p_cb->rrand.data(), p, OCTET16_LEN);
653 }
654
655 /*******************************************************************************
656 * Function smp_proc_rand
657 * Description process pairing random (nonce) from peer device
658 ******************************************************************************/
smp_proc_rand(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)659 void smp_proc_rand(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
660 uint8_t* p = p_data->p_data;
661
662 SMP_TRACE_DEBUG("%s", __func__);
663
664 if (smp_command_has_invalid_parameters(p_cb)) {
665 tSMP_INT_DATA smp_int_data;
666 smp_int_data.status = SMP_INVALID_PARAMETERS;
667 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
668 return;
669 }
670
671 /* save the SRand for comparison */
672 STREAM_TO_ARRAY(p_cb->rrand.data(), p, OCTET16_LEN);
673 }
674
675 /*******************************************************************************
676 * Function smp_process_pairing_public_key
677 * Description process pairing public key command from the peer device
678 * - saves the peer public key;
679 * - sets the flag indicating that the peer public key is received;
680 * - calls smp_wait_for_both_public_keys(...).
681 *
682 ******************************************************************************/
smp_process_pairing_public_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)683 void smp_process_pairing_public_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
684 uint8_t* p = p_data->p_data;
685
686 SMP_TRACE_DEBUG("%s", __func__);
687
688 if (smp_command_has_invalid_parameters(p_cb)) {
689 tSMP_INT_DATA smp_int_data;
690 smp_int_data.status = SMP_INVALID_PARAMETERS;
691 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
692 return;
693 }
694
695 STREAM_TO_ARRAY(p_cb->peer_publ_key.x, p, BT_OCTET32_LEN);
696 STREAM_TO_ARRAY(p_cb->peer_publ_key.y, p, BT_OCTET32_LEN);
697
698 Point pt;
699 memcpy(pt.x, p_cb->peer_publ_key.x, BT_OCTET32_LEN);
700 memcpy(pt.y, p_cb->peer_publ_key.y, BT_OCTET32_LEN);
701
702 if (!memcmp(p_cb->peer_publ_key.x, p_cb->loc_publ_key.x, BT_OCTET32_LEN)) {
703 android_errorWriteLog(0x534e4554, "174886838");
704 SMP_TRACE_WARNING("Remote and local public keys can't match");
705 tSMP_INT_DATA smp;
706 smp.status = SMP_PAIR_AUTH_FAIL;
707 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp);
708 return;
709 }
710
711 if (!ECC_ValidatePoint(pt)) {
712 android_errorWriteLog(0x534e4554, "72377774");
713 tSMP_INT_DATA smp;
714 smp.status = SMP_PAIR_AUTH_FAIL;
715 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp);
716 return;
717 }
718
719 p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_PUBL_KEY;
720
721 smp_wait_for_both_public_keys(p_cb, NULL);
722 }
723
724 /*******************************************************************************
725 * Function smp_process_pairing_commitment
726 * Description process pairing commitment from peer device
727 ******************************************************************************/
smp_process_pairing_commitment(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)728 void smp_process_pairing_commitment(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
729 uint8_t* p = p_data->p_data;
730
731 SMP_TRACE_DEBUG("%s", __func__);
732
733 if (smp_command_has_invalid_parameters(p_cb)) {
734 tSMP_INT_DATA smp_int_data;
735 smp_int_data.status = SMP_INVALID_PARAMETERS;
736 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
737 return;
738 }
739
740 p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_COMM;
741
742 if (p != NULL) {
743 STREAM_TO_ARRAY(p_cb->remote_commitment.data(), p, OCTET16_LEN);
744 }
745 }
746
747 /*******************************************************************************
748 * Function smp_process_dhkey_check
749 * Description process DHKey Check from peer device
750 ******************************************************************************/
smp_process_dhkey_check(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)751 void smp_process_dhkey_check(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
752 uint8_t* p = p_data->p_data;
753
754 SMP_TRACE_DEBUG("%s", __func__);
755
756 if (smp_command_has_invalid_parameters(p_cb)) {
757 tSMP_INT_DATA smp_int_data;
758 smp_int_data.status = SMP_INVALID_PARAMETERS;
759 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
760 return;
761 }
762
763 if (p != NULL) {
764 STREAM_TO_ARRAY(p_cb->remote_dhkey_check.data(), p, OCTET16_LEN);
765 }
766
767 p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_DHK_CHK;
768 }
769
770 /*******************************************************************************
771 * Function smp_process_keypress_notification
772 * Description process pairing keypress notification from peer device
773 ******************************************************************************/
smp_process_keypress_notification(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)774 void smp_process_keypress_notification(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
775 uint8_t* p = p_data->p_data;
776
777 SMP_TRACE_DEBUG("%s", __func__);
778 p_cb->status = p_data->status;
779
780 if (smp_command_has_invalid_parameters(p_cb)) {
781 tSMP_INT_DATA smp_int_data;
782 smp_int_data.status = SMP_INVALID_PARAMETERS;
783 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
784 return;
785 }
786
787 if (p != NULL) {
788 STREAM_TO_UINT8(p_cb->peer_keypress_notification, p);
789 } else {
790 p_cb->peer_keypress_notification = SMP_SC_KEY_OUT_OF_RANGE;
791 }
792 p_cb->cb_evt = SMP_PEER_KEYPR_NOT_EVT;
793 }
794
795 /*******************************************************************************
796 * Function smp_br_process_pairing_command
797 * Description Process the SMP pairing request/response from peer device via
798 * BR/EDR transport.
799 ******************************************************************************/
smp_br_process_pairing_command(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)800 void smp_br_process_pairing_command(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
801 uint8_t* p = p_data->p_data;
802 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
803
804 SMP_TRACE_DEBUG("%s", __func__);
805 /* rejecting BR pairing request over non-SC BR link */
806 if (!p_dev_rec->new_encryption_key_is_p256 &&
807 p_cb->role == HCI_ROLE_PERIPHERAL) {
808 tSMP_INT_DATA smp_int_data;
809 smp_int_data.status = SMP_XTRANS_DERIVE_NOT_ALLOW;
810 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
811 return;
812 }
813
814 /* erase all keys if it is peripheral proc pairing req*/
815 if (p_dev_rec && (p_cb->role == HCI_ROLE_PERIPHERAL))
816 btm_sec_clear_ble_keys(p_dev_rec);
817
818 p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR;
819
820 if (smp_command_has_invalid_length(p_cb)) {
821 tSMP_INT_DATA smp_int_data;
822 smp_int_data.status = SMP_INVALID_PARAMETERS;
823 android_errorWriteLog(0x534e4554, "111213909");
824 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
825 return;
826 }
827
828 STREAM_TO_UINT8(p_cb->peer_io_caps, p);
829 STREAM_TO_UINT8(p_cb->peer_oob_flag, p);
830 STREAM_TO_UINT8(p_cb->peer_auth_req, p);
831 STREAM_TO_UINT8(p_cb->peer_enc_size, p);
832 STREAM_TO_UINT8(p_cb->peer_i_key, p);
833 STREAM_TO_UINT8(p_cb->peer_r_key, p);
834
835 if (smp_command_has_invalid_parameters(p_cb)) {
836 tSMP_INT_DATA smp_int_data;
837 smp_int_data.status = SMP_INVALID_PARAMETERS;
838 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
839 return;
840 }
841
842 /* peer (central) started pairing sending Pairing Request */
843 /* or being central device always use received i/r key as keys to distribute
844 */
845 p_cb->local_i_key = p_cb->peer_i_key;
846 p_cb->local_r_key = p_cb->peer_r_key;
847
848 if (p_cb->role == HCI_ROLE_PERIPHERAL) {
849 p_dev_rec->new_encryption_key_is_p256 = false;
850 /* shortcut to skip Security Grant step */
851 p_cb->cb_evt = SMP_BR_KEYS_REQ_EVT;
852 } else {
853 /* Central receives pairing response */
854 SMP_TRACE_DEBUG(
855 "%s central rcvs valid PAIRING RESPONSE."
856 " Supposed to move to key distribution phase. ",
857 __func__);
858 }
859
860 /* auth_req received via BR/EDR SM channel is set to 0,
861 but everything derived/exchanged has to be saved */
862 p_cb->peer_auth_req |= SMP_AUTH_BOND;
863 p_cb->loc_auth_req |= SMP_AUTH_BOND;
864 }
865
866 /*******************************************************************************
867 * Function smp_br_process_security_grant
868 * Description process security grant in case of pairing over BR/EDR transport.
869 ******************************************************************************/
smp_br_process_security_grant(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)870 void smp_br_process_security_grant(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
871 SMP_TRACE_DEBUG("%s", __func__);
872 if (p_data->status != SMP_SUCCESS) {
873 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, p_data);
874 } else {
875 /* otherwise, start pairing; send IO request callback */
876 p_cb->cb_evt = SMP_BR_KEYS_REQ_EVT;
877 }
878 }
879
880 /*******************************************************************************
881 * Function smp_br_check_authorization_request
882 * Description sets the SMP kes to be derived/distribute over BR/EDR transport
883 * before starting the distribution/derivation
884 ******************************************************************************/
smp_br_check_authorization_request(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)885 void smp_br_check_authorization_request(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
886 SMP_TRACE_DEBUG("%s rcvs i_keys=0x%x r_keys=0x%x (i-initiator r-responder)",
887 __func__, p_cb->local_i_key, p_cb->local_r_key);
888
889 /* In LE SC mode LK field is ignored when BR/EDR transport is used */
890 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
891 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
892
893 /* In LE SC mode only IRK, IAI, CSRK are exchanged with the peer.
894 ** Set local_r_key on central to expect only these keys. */
895 if (p_cb->role == HCI_ROLE_CENTRAL) {
896 p_cb->local_r_key &= (SMP_SEC_KEY_TYPE_ID | SMP_SEC_KEY_TYPE_CSRK);
897 }
898
899 /* Check if H7 function needs to be used for key derivation*/
900 if ((p_cb->loc_auth_req & SMP_H7_SUPPORT_BIT) &&
901 (p_cb->peer_auth_req & SMP_H7_SUPPORT_BIT)) {
902 p_cb->key_derivation_h7_used = TRUE;
903 }
904 SMP_TRACE_DEBUG("%s: use h7 = %d", __func__, p_cb->key_derivation_h7_used);
905
906 SMP_TRACE_DEBUG(
907 "%s rcvs upgrades: i_keys=0x%x r_keys=0x%x (i-initiator r-responder)",
908 __func__, p_cb->local_i_key, p_cb->local_r_key);
909
910 if (/*((p_cb->peer_auth_req & SMP_AUTH_BOND) ||
911 (p_cb->loc_auth_req & SMP_AUTH_BOND)) &&*/
912 (p_cb->local_i_key || p_cb->local_r_key)) {
913 smp_br_state_machine_event(p_cb, SMP_BR_BOND_REQ_EVT, NULL);
914
915 /* if no peer key is expected, start central key distribution */
916 if (p_cb->role == HCI_ROLE_CENTRAL && p_cb->local_r_key == 0)
917 smp_key_distribution_by_transport(p_cb, NULL);
918 } else {
919 tSMP_INT_DATA smp_int_data;
920 smp_int_data.status = SMP_SUCCESS;
921 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
922 }
923 }
924
925 /*******************************************************************************
926 * Function smp_br_select_next_key
927 * Description selects the next key to derive/send when BR/EDR transport is
928 * used.
929 ******************************************************************************/
smp_br_select_next_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)930 void smp_br_select_next_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
931 SMP_TRACE_DEBUG("%s role=%d (0-central) r_keys=0x%x i_keys=0x%x", __func__,
932 p_cb->role, p_cb->local_r_key, p_cb->local_i_key);
933
934 if (p_cb->role == HCI_ROLE_PERIPHERAL ||
935 (!p_cb->local_r_key && p_cb->role == HCI_ROLE_CENTRAL)) {
936 smp_key_pick_key(p_cb, p_data);
937 }
938
939 if (!p_cb->local_i_key && !p_cb->local_r_key) {
940 /* state check to prevent re-entrance */
941 if (smp_get_br_state() == SMP_BR_STATE_BOND_PENDING) {
942 if (p_cb->total_tx_unacked == 0) {
943 tSMP_INT_DATA smp_int_data;
944 smp_int_data.status = SMP_SUCCESS;
945 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
946 } else {
947 p_cb->wait_for_authorization_complete = true;
948 }
949 }
950 }
951 }
952
953 /** process encryption information from peer device */
smp_proc_enc_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)954 void smp_proc_enc_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
955 uint8_t* p = p_data->p_data;
956
957 SMP_TRACE_DEBUG("%s", __func__);
958
959 if (smp_command_has_invalid_parameters(p_cb)) {
960 tSMP_INT_DATA smp_int_data;
961 smp_int_data.status = SMP_INVALID_PARAMETERS;
962 android_errorWriteLog(0x534e4554, "111937065");
963 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
964 return;
965 }
966
967 STREAM_TO_ARRAY(p_cb->ltk.data(), p, OCTET16_LEN);
968
969 smp_key_distribution(p_cb, NULL);
970 }
971
972 /** process central ID from peripheral device */
smp_proc_central_id(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)973 void smp_proc_central_id(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
974 uint8_t* p = p_data->p_data;
975 tBTM_LE_KEY_VALUE le_key;
976
977 SMP_TRACE_DEBUG("%s", __func__);
978
979 if (p_cb->rcvd_cmd_len < 11) { // 1(Code) + 2(EDIV) + 8(Rand)
980 android_errorWriteLog(0x534e4554, "111937027");
981 SMP_TRACE_ERROR("%s: Invalid command length: %d, should be at least 11",
982 __func__, p_cb->rcvd_cmd_len);
983 return;
984 }
985
986 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, true);
987
988 STREAM_TO_UINT16(le_key.penc_key.ediv, p);
989 STREAM_TO_ARRAY(le_key.penc_key.rand, p, BT_OCTET8_LEN);
990
991 /* store the encryption keys from peer device */
992 le_key.penc_key.ltk = p_cb->ltk;
993 le_key.penc_key.sec_level = p_cb->sec_level;
994 le_key.penc_key.key_size = p_cb->loc_enc_size;
995
996 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
997 (p_cb->loc_auth_req & SMP_AUTH_BOND))
998 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC, &le_key, true);
999
1000 smp_key_distribution(p_cb, NULL);
1001 }
1002
1003 /** process identity information from peer device */
smp_proc_id_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1004 void smp_proc_id_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1005 uint8_t* p = p_data->p_data;
1006
1007 SMP_TRACE_DEBUG("%s", __func__);
1008
1009 if (smp_command_has_invalid_parameters(p_cb)) {
1010 tSMP_INT_DATA smp_int_data;
1011 smp_int_data.status = SMP_INVALID_PARAMETERS;
1012 android_errorWriteLog(0x534e4554, "111937065");
1013 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1014 return;
1015 }
1016
1017 STREAM_TO_ARRAY(p_cb->tk.data(), p, OCTET16_LEN); /* reuse TK for IRK */
1018 smp_key_distribution_by_transport(p_cb, NULL);
1019 }
1020
1021 /** process identity address from peer device */
smp_proc_id_addr(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1022 void smp_proc_id_addr(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1023 uint8_t* p = p_data->p_data;
1024 tBTM_LE_KEY_VALUE pid_key;
1025
1026 SMP_TRACE_DEBUG("%s", __func__);
1027
1028 if (smp_command_has_invalid_parameters(p_cb)) {
1029 tSMP_INT_DATA smp_int_data;
1030 smp_int_data.status = SMP_INVALID_PARAMETERS;
1031 android_errorWriteLog(0x534e4554, "111214770");
1032 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1033 return;
1034 }
1035
1036 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ID, true);
1037
1038 STREAM_TO_UINT8(pid_key.pid_key.identity_addr_type, p);
1039 STREAM_TO_BDADDR(pid_key.pid_key.identity_addr, p);
1040 pid_key.pid_key.irk = p_cb->tk;
1041
1042 /* to use as BD_ADDR for lk derived from ltk */
1043 p_cb->id_addr_rcvd = true;
1044 p_cb->id_addr_type = pid_key.pid_key.identity_addr_type;
1045 p_cb->id_addr = pid_key.pid_key.identity_addr;
1046
1047 /* store the ID key from peer device */
1048 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
1049 (p_cb->loc_auth_req & SMP_AUTH_BOND))
1050 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PID, &pid_key, true);
1051 smp_key_distribution_by_transport(p_cb, NULL);
1052 }
1053
1054 /* process security information from peer device */
smp_proc_srk_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1055 void smp_proc_srk_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1056 tBTM_LE_KEY_VALUE le_key;
1057
1058 SMP_TRACE_DEBUG("%s", __func__);
1059
1060 if (smp_command_has_invalid_parameters(p_cb)) {
1061 tSMP_INT_DATA smp_int_data;
1062 smp_int_data.status = SMP_INVALID_PARAMETERS;
1063 android_errorWriteLog(0x534e4554, "111214470");
1064 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1065 return;
1066 }
1067
1068 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_CSRK, true);
1069
1070 /* save CSRK to security record */
1071 le_key.pcsrk_key.sec_level = p_cb->sec_level;
1072
1073 /* get peer CSRK */
1074 maybe_non_aligned_memcpy(le_key.pcsrk_key.csrk.data(), p_data->p_data,
1075 OCTET16_LEN);
1076
1077 /* initialize the peer counter */
1078 le_key.pcsrk_key.counter = 0;
1079
1080 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
1081 (p_cb->loc_auth_req & SMP_AUTH_BOND))
1082 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PCSRK, &le_key, true);
1083 smp_key_distribution_by_transport(p_cb, NULL);
1084 }
1085
1086 /*******************************************************************************
1087 * Function smp_proc_compare
1088 * Description process compare value
1089 ******************************************************************************/
smp_proc_compare(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1090 void smp_proc_compare(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1091 SMP_TRACE_DEBUG("%s", __func__);
1092 if (!memcmp(p_cb->rconfirm.data(), p_data->key.p_data, OCTET16_LEN)) {
1093 /* compare the max encryption key size, and save the smaller one for the
1094 * link */
1095 if (p_cb->peer_enc_size < p_cb->loc_enc_size)
1096 p_cb->loc_enc_size = p_cb->peer_enc_size;
1097
1098 if (p_cb->role == HCI_ROLE_PERIPHERAL)
1099 smp_sm_event(p_cb, SMP_RAND_EVT, NULL);
1100 else {
1101 /* central device always use received i/r key as keys to distribute */
1102 p_cb->local_i_key = p_cb->peer_i_key;
1103 p_cb->local_r_key = p_cb->peer_r_key;
1104
1105 smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL);
1106 }
1107
1108 } else {
1109 tSMP_INT_DATA smp_int_data;
1110 smp_int_data.status = SMP_CONFIRM_VALUE_ERR;
1111 p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1112 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1113 }
1114 }
1115
1116 /*******************************************************************************
1117 * Function smp_proc_sl_key
1118 * Description process key ready events.
1119 ******************************************************************************/
smp_proc_sl_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1120 void smp_proc_sl_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1121 uint8_t key_type = p_data->key.key_type;
1122
1123 SMP_TRACE_DEBUG("%s", __func__);
1124 if (key_type == SMP_KEY_TYPE_TK) {
1125 smp_generate_srand_mrand_confirm(p_cb, NULL);
1126 } else if (key_type == SMP_KEY_TYPE_CFM) {
1127 smp_set_state(SMP_STATE_WAIT_CONFIRM);
1128
1129 if (p_cb->flags & SMP_PAIR_FLAGS_CMD_CONFIRM)
1130 smp_sm_event(p_cb, SMP_CONFIRM_EVT, NULL);
1131 }
1132 }
1133
1134 /*******************************************************************************
1135 * Function smp_start_enc
1136 * Description start encryption
1137 ******************************************************************************/
smp_start_enc(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1138 void smp_start_enc(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1139 tBTM_STATUS cmd;
1140
1141 SMP_TRACE_DEBUG("%s", __func__);
1142 if (p_data != NULL) {
1143 cmd = btm_ble_start_encrypt(p_cb->pairing_bda, true,
1144 (Octet16*)p_data->key.p_data);
1145 } else {
1146 cmd = btm_ble_start_encrypt(p_cb->pairing_bda, false, NULL);
1147 }
1148
1149 if (cmd != BTM_CMD_STARTED && cmd != BTM_BUSY) {
1150 tSMP_INT_DATA smp_int_data;
1151 smp_int_data.status = SMP_ENC_FAIL;
1152 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1153 }
1154 }
1155
1156 /*******************************************************************************
1157 * Function smp_proc_discard
1158 * Description processing for discard security request
1159 ******************************************************************************/
smp_proc_discard(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1160 void smp_proc_discard(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1161 SMP_TRACE_DEBUG("%s", __func__);
1162 if (!(p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD))
1163 smp_reset_control_value(p_cb);
1164 }
1165
1166 /*******************************************************************************
1167 * Function smp_enc_cmpl
1168 * Description encryption success
1169 ******************************************************************************/
smp_enc_cmpl(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1170 void smp_enc_cmpl(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1171 uint8_t enc_enable = p_data->status;
1172
1173 SMP_TRACE_DEBUG("%s", __func__);
1174 tSMP_INT_DATA smp_int_data;
1175 smp_int_data.status = enc_enable ? SMP_SUCCESS : SMP_ENC_FAIL;
1176 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1177 }
1178
1179 /*******************************************************************************
1180 * Function smp_check_auth_req
1181 * Description check authentication request
1182 ******************************************************************************/
smp_check_auth_req(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1183 void smp_check_auth_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1184 uint8_t enc_enable = p_data->status;
1185
1186 SMP_TRACE_DEBUG(
1187 "%s rcvs enc_enable=%d i_keys=0x%x r_keys=0x%x (i-initiator r-responder)",
1188 __func__, enc_enable, p_cb->local_i_key, p_cb->local_r_key);
1189 if (enc_enable == 1) {
1190 if (p_cb->le_secure_connections_mode_is_used) {
1191 /* In LE SC mode LTK is used instead of STK and has to be always saved */
1192 p_cb->local_i_key |= SMP_SEC_KEY_TYPE_ENC;
1193 p_cb->local_r_key |= SMP_SEC_KEY_TYPE_ENC;
1194
1195 /* In LE SC mode LK is derived from LTK only if both sides request it */
1196 if (!(p_cb->local_i_key & SMP_SEC_KEY_TYPE_LK) ||
1197 !(p_cb->local_r_key & SMP_SEC_KEY_TYPE_LK)) {
1198 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
1199 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
1200 }
1201
1202 /* In LE SC mode only IRK, IAI, CSRK are exchanged with the peer.
1203 ** Set local_r_key on central to expect only these keys.
1204 */
1205 if (p_cb->role == HCI_ROLE_CENTRAL) {
1206 p_cb->local_r_key &= (SMP_SEC_KEY_TYPE_ID | SMP_SEC_KEY_TYPE_CSRK);
1207 }
1208 } else {
1209 /* in legacy mode derivation of BR/EDR LK is not supported */
1210 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
1211 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
1212 }
1213 SMP_TRACE_DEBUG(
1214 "%s rcvs upgrades: i_keys=0x%x r_keys=0x%x (i-initiator r-responder)",
1215 __func__, p_cb->local_i_key, p_cb->local_r_key);
1216
1217 if (/*((p_cb->peer_auth_req & SMP_AUTH_BOND) ||
1218 (p_cb->loc_auth_req & SMP_AUTH_BOND)) &&*/
1219 (p_cb->local_i_key || p_cb->local_r_key)) {
1220 smp_sm_event(p_cb, SMP_BOND_REQ_EVT, NULL);
1221 } else {
1222 tSMP_INT_DATA smp_int_data;
1223 smp_int_data.status = enc_enable ? SMP_SUCCESS : SMP_ENC_FAIL;
1224 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1225 }
1226 } else if (enc_enable == 0) {
1227 tSMP_INT_DATA smp_int_data;
1228 smp_int_data.status = enc_enable ? SMP_SUCCESS : SMP_ENC_FAIL;
1229 /* if failed for encryption after pairing, send callback */
1230 if (p_cb->flags & SMP_PAIR_FLAG_ENC_AFTER_PAIR)
1231 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1232 /* if enc failed for old security information */
1233 /* if central device, clean up and abck to idle; peripheral device do
1234 * nothing */
1235 else if (p_cb->role == HCI_ROLE_CENTRAL) {
1236 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1237 }
1238 }
1239 }
1240
1241 /*******************************************************************************
1242 * Function smp_key_pick_key
1243 * Description Pick a key distribution function based on the key mask.
1244 ******************************************************************************/
smp_key_pick_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1245 void smp_key_pick_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1246 uint8_t key_to_dist = (p_cb->role == HCI_ROLE_PERIPHERAL) ? p_cb->local_r_key
1247 : p_cb->local_i_key;
1248 uint8_t i = 0;
1249
1250 SMP_TRACE_DEBUG("%s key_to_dist=0x%x", __func__, key_to_dist);
1251 while (i < SMP_KEY_DIST_TYPE_MAX) {
1252 SMP_TRACE_DEBUG("key to send = %02x, i = %d", key_to_dist, i);
1253
1254 if (key_to_dist & (1 << i)) {
1255 SMP_TRACE_DEBUG("smp_distribute_act[%d]", i);
1256 (*smp_distribute_act[i])(p_cb, p_data);
1257 break;
1258 }
1259 i++;
1260 }
1261 }
1262 /*******************************************************************************
1263 * Function smp_key_distribution
1264 * Description start key distribution if required.
1265 ******************************************************************************/
smp_key_distribution(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1266 void smp_key_distribution(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1267 SMP_TRACE_DEBUG("%s role=%d (0-central) r_keys=0x%x i_keys=0x%x", __func__,
1268 p_cb->role, p_cb->local_r_key, p_cb->local_i_key);
1269
1270 if (p_cb->role == HCI_ROLE_PERIPHERAL ||
1271 (!p_cb->local_r_key && p_cb->role == HCI_ROLE_CENTRAL)) {
1272 smp_key_pick_key(p_cb, p_data);
1273 }
1274
1275 if (!p_cb->local_i_key && !p_cb->local_r_key) {
1276 /* state check to prevent re-entrant */
1277 if (smp_get_state() == SMP_STATE_BOND_PENDING) {
1278 if (p_cb->derive_lk) {
1279 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
1280 if (!(p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED) &&
1281 (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED)) {
1282 SMP_TRACE_DEBUG(
1283 "%s BR key is higher security than existing LE keys, don't "
1284 "derive LK from LTK",
1285 __func__);
1286 android_errorWriteLog(0x534e4554, "158854097");
1287 } else {
1288 smp_derive_link_key_from_long_term_key(p_cb, NULL);
1289 }
1290 p_cb->derive_lk = false;
1291 }
1292
1293 if (p_cb->total_tx_unacked == 0) {
1294 /*
1295 * Instead of declaring authorization complete immediately,
1296 * delay the event from being sent by SMP_DELAYED_AUTH_TIMEOUT_MS.
1297 * This allows the peripheral to send over Pairing Failed if the
1298 * last key is rejected. During this waiting window, the
1299 * state should remain in SMP_STATE_BOND_PENDING.
1300 */
1301 if (!alarm_is_scheduled(p_cb->delayed_auth_timer_ent)) {
1302 SMP_TRACE_DEBUG("%s delaying auth complete.", __func__);
1303 alarm_set_on_mloop(p_cb->delayed_auth_timer_ent,
1304 SMP_DELAYED_AUTH_TIMEOUT_MS,
1305 smp_delayed_auth_complete_timeout, NULL);
1306 }
1307 } else {
1308 p_cb->wait_for_authorization_complete = true;
1309 }
1310 }
1311 }
1312 }
1313
1314 /*******************************************************************************
1315 * Function smp_decide_association_model
1316 * Description This function is called to select assoc model to be used for
1317 * STK generation and to start STK generation process.
1318 *
1319 ******************************************************************************/
smp_decide_association_model(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1320 void smp_decide_association_model(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1321 tSMP_EVENT int_evt = SMP_NOP_EVT;
1322 tSMP_INT_DATA smp_int_data;
1323
1324 SMP_TRACE_DEBUG("%s Association Model = %d", __func__,
1325 p_cb->selected_association_model);
1326
1327 switch (p_cb->selected_association_model) {
1328 case SMP_MODEL_ENCRYPTION_ONLY: /* TK = 0, go calculate Confirm */
1329 if (p_cb->role == HCI_ROLE_CENTRAL &&
1330 ((p_cb->peer_auth_req & SMP_AUTH_YN_BIT) != 0) &&
1331 ((p_cb->loc_auth_req & SMP_AUTH_YN_BIT) == 0)) {
1332 SMP_TRACE_ERROR(
1333 "IO capability does not meet authentication requirement");
1334 smp_int_data.status = SMP_PAIR_AUTH_FAIL;
1335 int_evt = SMP_AUTH_CMPL_EVT;
1336 } else {
1337 if (!is_atv_device() &&
1338 (p_cb->local_io_capability == SMP_IO_CAP_IO ||
1339 p_cb->local_io_capability == SMP_IO_CAP_KBDISP)) {
1340 /* display consent dialog if this device has a display */
1341 SMP_TRACE_DEBUG("ENCRYPTION_ONLY showing Consent Dialog");
1342 p_cb->cb_evt = SMP_CONSENT_REQ_EVT;
1343 smp_set_state(SMP_STATE_WAIT_NONCE);
1344 smp_sm_event(p_cb, SMP_SC_DSPL_NC_EVT, NULL);
1345 } else {
1346 p_cb->sec_level = SMP_SEC_UNAUTHENTICATE;
1347 SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_UNAUTHENTICATE) ",
1348 p_cb->sec_level);
1349
1350 tSMP_KEY key;
1351 key.key_type = SMP_KEY_TYPE_TK;
1352 key.p_data = p_cb->tk.data();
1353 smp_int_data.key = key;
1354
1355 p_cb->tk = {0};
1356 /* TK, ready */
1357 int_evt = SMP_KEY_READY_EVT;
1358 }
1359 }
1360 break;
1361
1362 case SMP_MODEL_PASSKEY:
1363 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1364 SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_AUTHENTICATED) ",
1365 p_cb->sec_level);
1366
1367 p_cb->cb_evt = SMP_PASSKEY_REQ_EVT;
1368 int_evt = SMP_TK_REQ_EVT;
1369 break;
1370
1371 case SMP_MODEL_OOB:
1372 SMP_TRACE_ERROR("Association Model = SMP_MODEL_OOB");
1373 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1374 SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_AUTHENTICATED) ",
1375 p_cb->sec_level);
1376
1377 p_cb->cb_evt = SMP_OOB_REQ_EVT;
1378 int_evt = SMP_TK_REQ_EVT;
1379 break;
1380
1381 case SMP_MODEL_KEY_NOTIF:
1382 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1383 SMP_TRACE_DEBUG("Need to generate Passkey");
1384
1385 /* generate passkey and notify application */
1386 smp_generate_passkey(p_cb, NULL);
1387 break;
1388
1389 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1390 case SMP_MODEL_SEC_CONN_NUM_COMP:
1391 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1392 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1393 case SMP_MODEL_SEC_CONN_OOB:
1394 int_evt = SMP_PUBL_KEY_EXCH_REQ_EVT;
1395 break;
1396
1397 case SMP_MODEL_OUT_OF_RANGE:
1398 SMP_TRACE_ERROR("Association Model = SMP_MODEL_OUT_OF_RANGE (failed)");
1399 smp_int_data.status = SMP_UNKNOWN_IO_CAP;
1400 int_evt = SMP_AUTH_CMPL_EVT;
1401 break;
1402
1403 default:
1404 SMP_TRACE_ERROR(
1405 "Association Model = %d (SOMETHING IS WRONG WITH THE CODE)",
1406 p_cb->selected_association_model);
1407 smp_int_data.status = SMP_UNKNOWN_IO_CAP;
1408 int_evt = SMP_AUTH_CMPL_EVT;
1409 }
1410
1411 SMP_TRACE_EVENT("sec_level=%d ", p_cb->sec_level);
1412 if (int_evt) smp_sm_event(p_cb, int_evt, &smp_int_data);
1413 }
1414
1415 /*******************************************************************************
1416 * Function smp_process_io_response
1417 * Description process IO response for a peripheral device.
1418 ******************************************************************************/
smp_process_io_response(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1419 void smp_process_io_response(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1420
1421 SMP_TRACE_DEBUG("%s", __func__);
1422 if (p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD) {
1423 /* pairing started by local (peripheral) Security Request */
1424 smp_set_state(SMP_STATE_SEC_REQ_PENDING);
1425 smp_send_cmd(SMP_OPCODE_SEC_REQ, p_cb);
1426 } else /* plan to send pairing respond */
1427 {
1428 /* pairing started by peer (central) Pairing Request */
1429 p_cb->selected_association_model = smp_select_association_model(p_cb);
1430
1431 if (p_cb->secure_connections_only_mode_required &&
1432 (!(p_cb->le_secure_connections_mode_is_used) ||
1433 (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS))) {
1434 SMP_TRACE_ERROR(
1435 "Peripheral requires secure connection only mode "
1436 "but it can't be provided -> Peripheral fails pairing");
1437 tSMP_INT_DATA smp_int_data;
1438 smp_int_data.status = SMP_PAIR_AUTH_FAIL;
1439 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1440 return;
1441 }
1442
1443 // If we are doing SMP_MODEL_SEC_CONN_OOB we don't need to request OOB data
1444 // locally if loc_oob_flag == 0x00 b/c there is no OOB data to give. In the
1445 // event the loc_oob_flag is another value, we should request the OOB data
1446 // locally. Which seems to cause it to make a TK REQUEST which is used for
1447 // the legacy flow which requires both sides to have OOB data.
1448 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB &&
1449 p_cb->loc_oob_flag != 0x00) {
1450 if (smp_request_oob_data(p_cb)) return;
1451 }
1452
1453 // PTS Testing failure modes
1454 if (pts_test_send_authentication_complete_failure(p_cb)) return;
1455
1456 smp_send_pair_rsp(p_cb, NULL);
1457 }
1458 }
1459
1460 /*******************************************************************************
1461 * Function smp_br_process_peripheral_keys_response
1462 * Description process application keys response for a peripheral device
1463 * (BR/EDR transport).
1464 ******************************************************************************/
smp_br_process_peripheral_keys_response(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1465 void smp_br_process_peripheral_keys_response(tSMP_CB* p_cb,
1466 tSMP_INT_DATA* p_data) {
1467 smp_br_send_pair_response(p_cb, NULL);
1468 }
1469
1470 /*******************************************************************************
1471 * Function smp_br_send_pair_response
1472 * Description actions related to sending pairing response over BR/EDR
1473 * transport.
1474 ******************************************************************************/
smp_br_send_pair_response(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1475 void smp_br_send_pair_response(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1476 SMP_TRACE_DEBUG("%s", __func__);
1477
1478 p_cb->local_i_key &= p_cb->peer_i_key;
1479 p_cb->local_r_key &= p_cb->peer_r_key;
1480
1481 smp_send_cmd(SMP_OPCODE_PAIRING_RSP, p_cb);
1482 }
1483
1484 /*******************************************************************************
1485 * Function smp_pairing_cmpl
1486 * Description This function is called to send the pairing complete
1487 * callback and remove the connection if needed.
1488 ******************************************************************************/
smp_pairing_cmpl(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1489 void smp_pairing_cmpl(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1490 if (p_cb->total_tx_unacked == 0) {
1491 /* process the pairing complete */
1492 smp_proc_pairing_cmpl(p_cb);
1493 }
1494 }
1495
1496 /*******************************************************************************
1497 * Function smp_pair_terminate
1498 * Description This function is called to send the pairing complete
1499 * callback and remove the connection if needed.
1500 ******************************************************************************/
smp_pair_terminate(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1501 void smp_pair_terminate(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1502 SMP_TRACE_DEBUG("%s", __func__);
1503 p_cb->status = SMP_CONN_TOUT;
1504 smp_proc_pairing_cmpl(p_cb);
1505 }
1506
1507 /*******************************************************************************
1508 * Function smp_idle_terminate
1509 * Description This function calledin idle state to determine to send
1510 * authentication complete or not.
1511 ******************************************************************************/
smp_idle_terminate(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1512 void smp_idle_terminate(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1513 if (p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD) {
1514 SMP_TRACE_DEBUG("Pairing terminated at IDLE state.");
1515 p_cb->status = SMP_FAIL;
1516 smp_proc_pairing_cmpl(p_cb);
1517 }
1518 }
1519
1520 /*******************************************************************************
1521 * Function smp_both_have_public_keys
1522 * Description The function is called when both local and peer public keys are
1523 * saved.
1524 * Actions:
1525 * - invokes DHKey computation;
1526 * - on peripheral side invokes sending local public key to the
1527 *peer.
1528 * - invokes SC phase 1 process.
1529 ******************************************************************************/
smp_both_have_public_keys(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1530 void smp_both_have_public_keys(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1531 SMP_TRACE_DEBUG("%s", __func__);
1532
1533 /* invokes DHKey computation */
1534 smp_compute_dhkey(p_cb);
1535
1536 /* on peripheral side invokes sending local public key to the peer */
1537 if (p_cb->role == HCI_ROLE_PERIPHERAL) smp_send_pair_public_key(p_cb, NULL);
1538
1539 smp_sm_event(p_cb, SMP_SC_DHKEY_CMPLT_EVT, NULL);
1540 }
1541
1542 /*******************************************************************************
1543 * Function smp_start_secure_connection_phase1
1544 * Description Start Secure Connection phase1 i.e. invokes initialization of
1545 * Secure Connection phase 1 parameters and starts building/sending
1546 * to the peer messages appropriate for the role and association
1547 * model.
1548 ******************************************************************************/
smp_start_secure_connection_phase1(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1549 void smp_start_secure_connection_phase1(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1550 SMP_TRACE_DEBUG("%s", __func__);
1551
1552 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS) {
1553 p_cb->sec_level = SMP_SEC_UNAUTHENTICATE;
1554 SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_UNAUTHENTICATE) ",
1555 p_cb->sec_level);
1556 } else {
1557 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1558 SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_AUTHENTICATED) ",
1559 p_cb->sec_level);
1560 }
1561
1562 switch (p_cb->selected_association_model) {
1563 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1564 case SMP_MODEL_SEC_CONN_NUM_COMP:
1565 p_cb->local_random = {0};
1566 smp_start_nonce_generation(p_cb);
1567 break;
1568 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1569 /* user has to provide passkey */
1570 p_cb->cb_evt = SMP_PASSKEY_REQ_EVT;
1571 smp_sm_event(p_cb, SMP_TK_REQ_EVT, NULL);
1572 break;
1573 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1574 /* passkey has to be provided to user */
1575 SMP_TRACE_DEBUG("Need to generate SC Passkey");
1576 smp_generate_passkey(p_cb, NULL);
1577 break;
1578 case SMP_MODEL_SEC_CONN_OOB:
1579 /* use the available OOB information */
1580 smp_process_secure_connection_oob_data(p_cb, NULL);
1581 break;
1582 default:
1583 SMP_TRACE_ERROR("Association Model = %d is not used in LE SC",
1584 p_cb->selected_association_model);
1585 break;
1586 }
1587 }
1588
1589 /*******************************************************************************
1590 * Function smp_process_local_nonce
1591 * Description The function processes new local nonce.
1592 *
1593 * Note It is supposed to be called in SC phase1.
1594 ******************************************************************************/
smp_process_local_nonce(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1595 void smp_process_local_nonce(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1596 SMP_TRACE_DEBUG("%s", __func__);
1597
1598 switch (p_cb->selected_association_model) {
1599 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1600 case SMP_MODEL_SEC_CONN_NUM_COMP:
1601 if (p_cb->role == HCI_ROLE_PERIPHERAL) {
1602 /* peripheral calculates and sends local commitment */
1603 smp_calculate_local_commitment(p_cb);
1604 smp_send_commitment(p_cb, NULL);
1605 /* peripheral has to wait for peer nonce */
1606 smp_set_state(SMP_STATE_WAIT_NONCE);
1607 } else /* i.e. central */
1608 {
1609 if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_COMM) {
1610 /* peripheral commitment is already received, send local nonce, wait
1611 * for remote nonce*/
1612 SMP_TRACE_DEBUG(
1613 "central in assoc mode = %d "
1614 "already rcvd peripheral commitment - race condition",
1615 p_cb->selected_association_model);
1616 p_cb->flags &= ~SMP_PAIR_FLAG_HAVE_PEER_COMM;
1617 smp_send_rand(p_cb, NULL);
1618 smp_set_state(SMP_STATE_WAIT_NONCE);
1619 }
1620 }
1621 break;
1622 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1623 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1624 smp_calculate_local_commitment(p_cb);
1625
1626 if (p_cb->role == HCI_ROLE_CENTRAL) {
1627 smp_send_commitment(p_cb, NULL);
1628 } else /* peripheral */
1629 {
1630 if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_COMM) {
1631 /* central commitment is already received */
1632 smp_send_commitment(p_cb, NULL);
1633 smp_set_state(SMP_STATE_WAIT_NONCE);
1634 }
1635 }
1636 break;
1637 case SMP_MODEL_SEC_CONN_OOB:
1638 if (p_cb->role == HCI_ROLE_CENTRAL) {
1639 smp_send_rand(p_cb, NULL);
1640 }
1641
1642 smp_set_state(SMP_STATE_WAIT_NONCE);
1643 break;
1644 default:
1645 SMP_TRACE_ERROR("Association Model = %d is not used in LE SC",
1646 p_cb->selected_association_model);
1647 break;
1648 }
1649 }
1650
1651 /*******************************************************************************
1652 * Function smp_process_peer_nonce
1653 * Description The function processes newly received and saved in CB peer
1654 * nonce. The actions depend on the selected association model and
1655 * the role.
1656 *
1657 * Note It is supposed to be called in SC phase1.
1658 ******************************************************************************/
smp_process_peer_nonce(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1659 void smp_process_peer_nonce(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1660 SMP_TRACE_DEBUG("%s start ", __func__);
1661
1662 // PTS Testing failure modes
1663 if (p_cb->cert_failure == SMP_CONFIRM_VALUE_ERR) {
1664 SMP_TRACE_ERROR("%s failure case = %d", __func__, p_cb->cert_failure);
1665 tSMP_INT_DATA smp_int_data;
1666 smp_int_data.status = SMP_CONFIRM_VALUE_ERR;
1667 p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1668 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1669 return;
1670 }
1671 // PTS Testing failure modes (for LT)
1672 if ((p_cb->cert_failure == SMP_NUMERIC_COMPAR_FAIL) &&
1673 (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS) &&
1674 (p_cb->role == HCI_ROLE_PERIPHERAL)) {
1675 SMP_TRACE_ERROR("%s failure case = %d", __func__, p_cb->cert_failure);
1676 tSMP_INT_DATA smp_int_data;
1677 smp_int_data.status = SMP_NUMERIC_COMPAR_FAIL;
1678 p_cb->failure = SMP_NUMERIC_COMPAR_FAIL;
1679 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1680 return;
1681 }
1682
1683 switch (p_cb->selected_association_model) {
1684 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1685 case SMP_MODEL_SEC_CONN_NUM_COMP:
1686 /* in these models only central receives commitment */
1687 if (p_cb->role == HCI_ROLE_CENTRAL) {
1688 if (!smp_check_commitment(p_cb)) {
1689 tSMP_INT_DATA smp_int_data;
1690 smp_int_data.status = SMP_CONFIRM_VALUE_ERR;
1691 p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1692 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1693 break;
1694 }
1695 } else {
1696 /* peripheral sends local nonce */
1697 smp_send_rand(p_cb, NULL);
1698 }
1699
1700 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS) {
1701 if (!is_atv_device() &&
1702 (p_cb->local_io_capability == SMP_IO_CAP_IO ||
1703 p_cb->local_io_capability == SMP_IO_CAP_KBDISP)) {
1704 /* display consent dialog */
1705 SMP_TRACE_DEBUG("JUST WORKS showing Consent Dialog");
1706 p_cb->cb_evt = SMP_CONSENT_REQ_EVT;
1707 smp_set_state(SMP_STATE_WAIT_NONCE);
1708 smp_sm_event(p_cb, SMP_SC_DSPL_NC_EVT, NULL);
1709 } else {
1710 /* go directly to phase 2 */
1711 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1712 }
1713 } else /* numeric comparison */
1714 {
1715 smp_set_state(SMP_STATE_WAIT_NONCE);
1716 smp_sm_event(p_cb, SMP_SC_CALC_NC_EVT, NULL);
1717 }
1718 break;
1719 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1720 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1721 if (!smp_check_commitment(p_cb) &&
1722 p_cb->cert_failure != SMP_NUMERIC_COMPAR_FAIL) {
1723 tSMP_INT_DATA smp_int_data;
1724 smp_int_data.status = SMP_CONFIRM_VALUE_ERR;
1725 p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1726 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1727 break;
1728 }
1729
1730 if (p_cb->role == HCI_ROLE_PERIPHERAL) {
1731 smp_send_rand(p_cb, NULL);
1732 }
1733
1734 if (++p_cb->round < 20) {
1735 smp_set_state(SMP_STATE_SEC_CONN_PHS1_START);
1736 p_cb->flags &= ~SMP_PAIR_FLAG_HAVE_PEER_COMM;
1737 smp_start_nonce_generation(p_cb);
1738 break;
1739 }
1740
1741 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1742 break;
1743 case SMP_MODEL_SEC_CONN_OOB:
1744 if (p_cb->role == HCI_ROLE_PERIPHERAL) {
1745 smp_send_rand(p_cb, NULL);
1746 }
1747
1748 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1749 break;
1750 default:
1751 SMP_TRACE_ERROR("Association Model = %d is not used in LE SC",
1752 p_cb->selected_association_model);
1753 break;
1754 }
1755
1756 SMP_TRACE_DEBUG("%s end ", __func__);
1757 }
1758
1759 /*******************************************************************************
1760 * Function smp_match_dhkey_checks
1761 * Description checks if the calculated peer DHKey Check value is the same as
1762 * received from the peer DHKey check value.
1763 ******************************************************************************/
smp_match_dhkey_checks(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1764 void smp_match_dhkey_checks(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1765 SMP_TRACE_DEBUG("%s", __func__);
1766
1767 if (memcmp(p_data->key.p_data, p_cb->remote_dhkey_check.data(),
1768 OCTET16_LEN)) {
1769 SMP_TRACE_WARNING("dhkey chcks do no match");
1770 tSMP_INT_DATA smp_int_data;
1771 smp_int_data.status = SMP_DHKEY_CHK_FAIL;
1772 p_cb->failure = SMP_DHKEY_CHK_FAIL;
1773 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1774 return;
1775 }
1776
1777 SMP_TRACE_EVENT("dhkey chcks match");
1778
1779 /* compare the max encryption key size, and save the smaller one for the link
1780 */
1781 if (p_cb->peer_enc_size < p_cb->loc_enc_size)
1782 p_cb->loc_enc_size = p_cb->peer_enc_size;
1783
1784 if (p_cb->role == HCI_ROLE_PERIPHERAL) {
1785 smp_sm_event(p_cb, SMP_PAIR_DHKEY_CHCK_EVT, NULL);
1786 } else {
1787 /* central device always use received i/r key as keys to distribute */
1788 p_cb->local_i_key = p_cb->peer_i_key;
1789 p_cb->local_r_key = p_cb->peer_r_key;
1790 smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL);
1791 }
1792 }
1793
1794 /*******************************************************************************
1795 * Function smp_move_to_secure_connections_phase2
1796 * Description Signal State Machine to start SC phase 2 initialization (to
1797 * compute local DHKey Check value).
1798 *
1799 * Note SM is supposed to be in the state SMP_STATE_SEC_CONN_PHS2_START.
1800 ******************************************************************************/
smp_move_to_secure_connections_phase2(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1801 void smp_move_to_secure_connections_phase2(tSMP_CB* p_cb,
1802 tSMP_INT_DATA* p_data) {
1803 SMP_TRACE_DEBUG("%s", __func__);
1804 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1805 }
1806
1807 /*******************************************************************************
1808 * Function smp_phase_2_dhkey_checks_are_present
1809 * Description generates event if dhkey check from the peer is already
1810 * received.
1811 *
1812 * Note It is supposed to be used on peripheral to prevent race
1813 *condition. It is supposed to be called after peripheral dhkey check is
1814 * calculated.
1815 ******************************************************************************/
smp_phase_2_dhkey_checks_are_present(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1816 void smp_phase_2_dhkey_checks_are_present(tSMP_CB* p_cb,
1817 tSMP_INT_DATA* p_data) {
1818 SMP_TRACE_DEBUG("%s", __func__);
1819
1820 if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_DHK_CHK)
1821 smp_sm_event(p_cb, SMP_SC_2_DHCK_CHKS_PRES_EVT, NULL);
1822 }
1823
1824 /*******************************************************************************
1825 * Function smp_wait_for_both_public_keys
1826 * Description generates SMP_BOTH_PUBL_KEYS_RCVD_EVT event when both local and
1827 * central public keys are available.
1828 *
1829 * Note on the peripheral it is used to prevent race condition.
1830 *
1831 ******************************************************************************/
smp_wait_for_both_public_keys(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1832 void smp_wait_for_both_public_keys(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1833 SMP_TRACE_DEBUG("%s", __func__);
1834
1835 if ((p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_PUBL_KEY) &&
1836 (p_cb->flags & SMP_PAIR_FLAG_HAVE_LOCAL_PUBL_KEY)) {
1837 if ((p_cb->role == HCI_ROLE_PERIPHERAL) &&
1838 ((p_cb->req_oob_type == SMP_OOB_LOCAL) ||
1839 (p_cb->req_oob_type == SMP_OOB_BOTH))) {
1840 smp_set_state(SMP_STATE_PUBLIC_KEY_EXCH);
1841 }
1842 smp_sm_event(p_cb, SMP_BOTH_PUBL_KEYS_RCVD_EVT, NULL);
1843 }
1844 }
1845
1846 /*******************************************************************************
1847 * Function smp_start_passkey_verification
1848 * Description Starts SC passkey entry verification.
1849 ******************************************************************************/
smp_start_passkey_verification(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1850 void smp_start_passkey_verification(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1851 uint8_t* p = NULL;
1852
1853 SMP_TRACE_DEBUG("%s", __func__);
1854 p = p_cb->local_random.data();
1855 UINT32_TO_STREAM(p, p_data->passkey);
1856
1857 p = p_cb->peer_random.data();
1858 UINT32_TO_STREAM(p, p_data->passkey);
1859
1860 p_cb->round = 0;
1861 smp_start_nonce_generation(p_cb);
1862 }
1863
1864 /*******************************************************************************
1865 * Function smp_process_secure_connection_oob_data
1866 * Description Processes local/peer SC OOB data received from somewhere.
1867 ******************************************************************************/
smp_process_secure_connection_oob_data(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1868 void smp_process_secure_connection_oob_data(tSMP_CB* p_cb,
1869 tSMP_INT_DATA* p_data) {
1870 SMP_TRACE_DEBUG("%s", __func__);
1871
1872 tSMP_SC_OOB_DATA* p_sc_oob_data = &p_cb->sc_oob_data;
1873 if (p_sc_oob_data->loc_oob_data.present) {
1874 p_cb->local_random = p_sc_oob_data->loc_oob_data.randomizer;
1875 } else {
1876 SMP_TRACE_EVENT("%s: local OOB randomizer is absent", __func__);
1877 p_cb->local_random = {0};
1878 }
1879
1880 if (!p_sc_oob_data->peer_oob_data.present) {
1881 SMP_TRACE_EVENT("%s: peer OOB data is absent", __func__);
1882 p_cb->peer_random = {0};
1883 } else {
1884 p_cb->peer_random = p_sc_oob_data->peer_oob_data.randomizer;
1885 p_cb->remote_commitment = p_sc_oob_data->peer_oob_data.commitment;
1886
1887 /* check commitment */
1888 if (!smp_check_commitment(p_cb)) {
1889 tSMP_INT_DATA smp_int_data;
1890 smp_int_data.status = SMP_CONFIRM_VALUE_ERR;
1891 p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1892 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1893 return;
1894 }
1895
1896 if (p_cb->peer_oob_flag != SMP_OOB_PRESENT) {
1897 /* the peer doesn't have local randomiser */
1898 SMP_TRACE_EVENT(
1899 "%s: peer didn't receive local OOB data, set local randomizer to 0",
1900 __func__);
1901 p_cb->local_random = {0};
1902 }
1903 }
1904
1905 print128(p_cb->local_random, (const uint8_t*)"local OOB randomizer");
1906 print128(p_cb->peer_random, (const uint8_t*)"peer OOB randomizer");
1907 smp_start_nonce_generation(p_cb);
1908 }
1909
1910 /*******************************************************************************
1911 * Function smp_set_local_oob_keys
1912 * Description Saves calculated private/public keys in
1913 * sc_oob_data.loc_oob_data, starts nonce generation
1914 * (to be saved in sc_oob_data.loc_oob_data.randomizer).
1915 ******************************************************************************/
smp_set_local_oob_keys(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1916 void smp_set_local_oob_keys(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1917 SMP_TRACE_DEBUG("%s", __func__);
1918
1919 memcpy(p_cb->sc_oob_data.loc_oob_data.private_key_used, p_cb->private_key,
1920 BT_OCTET32_LEN);
1921 p_cb->sc_oob_data.loc_oob_data.publ_key_used = p_cb->loc_publ_key;
1922 smp_start_nonce_generation(p_cb);
1923 }
1924
1925 /*******************************************************************************
1926 * Function smp_set_local_oob_random_commitment
1927 * Description Saves calculated randomizer and commitment in
1928 * sc_oob_data.loc_oob_data, passes sc_oob_data.loc_oob_data up
1929 * for safekeeping.
1930 ******************************************************************************/
smp_set_local_oob_random_commitment(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1931 void smp_set_local_oob_random_commitment(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1932 SMP_TRACE_DEBUG("%s", __func__);
1933 p_cb->sc_oob_data.loc_oob_data.randomizer = p_cb->rand;
1934
1935 p_cb->sc_oob_data.loc_oob_data.commitment =
1936 crypto_toolbox::f4(p_cb->sc_oob_data.loc_oob_data.publ_key_used.x,
1937 p_cb->sc_oob_data.loc_oob_data.publ_key_used.x,
1938 p_cb->sc_oob_data.loc_oob_data.randomizer, 0);
1939
1940 p_cb->sc_oob_data.loc_oob_data.present = true;
1941
1942 /* pass created OOB data up */
1943 p_cb->cb_evt = SMP_SC_LOC_OOB_DATA_UP_EVT;
1944 smp_send_app_cback(p_cb, NULL);
1945
1946 // Store the data for later use when we are paired with
1947 // Event though the doc above says to pass up for safe keeping it never gets
1948 // kept safe. Additionally, when we need the data to make a decision we
1949 // wouldn't have it. This will save the sc_oob_data in the smp_keys.cc such
1950 // that when we receive a request to create new keys we check to see if the
1951 // sc_oob_data exists and utilize the keys that are stored there otherwise the
1952 // connector will fail commitment check and dhkey exchange.
1953 smp_save_local_oob_data(p_cb);
1954
1955 smp_cb_cleanup(p_cb);
1956 }
1957
1958 /*******************************************************************************
1959 *
1960 * Function smp_link_encrypted
1961 *
1962 * Description This function is called when link is encrypted and notified
1963 * to the peripheral device. Proceed to to send LTK, DIV and ER
1964 *to central if bonding the devices.
1965 *
1966 *
1967 * Returns void
1968 *
1969 ******************************************************************************/
smp_link_encrypted(const RawAddress & bda,uint8_t encr_enable)1970 void smp_link_encrypted(const RawAddress& bda, uint8_t encr_enable) {
1971 tSMP_CB* p_cb = &smp_cb;
1972
1973 SMP_TRACE_DEBUG("%s: encr_enable=%d", __func__, encr_enable);
1974
1975 if (smp_cb.pairing_bda == bda) {
1976 /* encryption completed with STK, remember the key size now, could be
1977 * overwritten when key exchange happens */
1978 if (p_cb->loc_enc_size != 0 && encr_enable) {
1979 /* update the link encryption key size if a SMP pairing just performed */
1980 btm_ble_update_sec_key_size(bda, p_cb->loc_enc_size);
1981 }
1982
1983 tSMP_INT_DATA smp_int_data = {
1984 // TODO This is not a tSMP_STATUS
1985 .status = static_cast<tSMP_STATUS>(encr_enable),
1986 };
1987
1988 smp_sm_event(&smp_cb, SMP_ENCRYPTED_EVT, &smp_int_data);
1989 }
1990 }
1991
smp_cancel_start_encryption_attempt()1992 void smp_cancel_start_encryption_attempt() {
1993 SMP_TRACE_ERROR("%s: Encryption request cancelled", __func__);
1994 smp_sm_event(&smp_cb, SMP_DISCARD_SEC_REQ_EVT, NULL);
1995 }
1996
1997 /*******************************************************************************
1998 *
1999 * Function smp_proc_ltk_request
2000 *
2001 * Description This function is called when LTK request is received from
2002 * controller.
2003 *
2004 * Returns void
2005 *
2006 ******************************************************************************/
smp_proc_ltk_request(const RawAddress & bda)2007 bool smp_proc_ltk_request(const RawAddress& bda) {
2008 SMP_TRACE_DEBUG("%s state = %d", __func__, smp_cb.state);
2009 bool match = false;
2010
2011 if (bda == smp_cb.pairing_bda) {
2012 match = true;
2013 } else {
2014 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda);
2015 if (p_dev_rec != NULL && p_dev_rec->ble.pseudo_addr == smp_cb.pairing_bda &&
2016 p_dev_rec->ble.pseudo_addr != RawAddress::kEmpty) {
2017 match = true;
2018 }
2019 }
2020
2021 if (match && smp_cb.state == SMP_STATE_ENCRYPTION_PENDING) {
2022 smp_sm_event(&smp_cb, SMP_ENC_REQ_EVT, NULL);
2023 return true;
2024 }
2025
2026 return false;
2027 }
2028
2029 /*******************************************************************************
2030 *
2031 * Function smp_process_secure_connection_long_term_key
2032 *
2033 * Description This function is called to process SC LTK.
2034 * SC LTK is calculated and used instead of STK.
2035 * Here SC LTK is saved in BLE DB.
2036 *
2037 * Returns void
2038 *
2039 ******************************************************************************/
smp_process_secure_connection_long_term_key(void)2040 void smp_process_secure_connection_long_term_key(void) {
2041 tSMP_CB* p_cb = &smp_cb;
2042
2043 SMP_TRACE_DEBUG("%s", __func__);
2044 smp_save_secure_connections_long_term_key(p_cb);
2045
2046 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, false);
2047 smp_key_distribution(p_cb, NULL);
2048 }
2049
2050 /*******************************************************************************
2051 *
2052 * Function smp_set_derive_link_key
2053 *
2054 * Description This function is called to set flag that indicates that
2055 * BR/EDR LK has to be derived from LTK after all keys are
2056 * distributed.
2057 *
2058 * Returns void
2059 *
2060 ******************************************************************************/
smp_set_derive_link_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2061 void smp_set_derive_link_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
2062 SMP_TRACE_DEBUG("%s", __func__);
2063 p_cb->derive_lk = true;
2064 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_LK, false);
2065 smp_key_distribution(p_cb, NULL);
2066 }
2067
2068 /*******************************************************************************
2069 *
2070 * Function smp_derive_link_key_from_long_term_key
2071 *
2072 * Description This function is called to derive BR/EDR LK from LTK.
2073 *
2074 * Returns void
2075 *
2076 ******************************************************************************/
smp_derive_link_key_from_long_term_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2077 void smp_derive_link_key_from_long_term_key(tSMP_CB* p_cb,
2078 tSMP_INT_DATA* p_data) {
2079 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN;
2080
2081 SMP_TRACE_DEBUG("%s", __func__);
2082 if (!smp_calculate_link_key_from_long_term_key(p_cb)) {
2083 SMP_TRACE_ERROR("%s failed", __func__);
2084 tSMP_INT_DATA smp_int_data;
2085 smp_int_data.status = status;
2086 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
2087 return;
2088 }
2089 }
2090
2091 /*******************************************************************************
2092 *
2093 * Function smp_br_process_link_key
2094 *
2095 * Description This function is called to process BR/EDR LK:
2096 * - to derive SMP LTK from BR/EDR LK;
2097 * - to save SMP LTK.
2098 *
2099 * Returns void
2100 *
2101 ******************************************************************************/
smp_br_process_link_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2102 void smp_br_process_link_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
2103 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN;
2104
2105 SMP_TRACE_DEBUG("%s", __func__);
2106 if (!smp_calculate_long_term_key_from_link_key(p_cb)) {
2107 SMP_TRACE_ERROR("%s: failed", __func__);
2108 tSMP_INT_DATA smp_int_data;
2109 smp_int_data.status = status;
2110 smp_sm_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
2111 return;
2112 }
2113
2114 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
2115 if (p_dev_rec) {
2116 SMP_TRACE_DEBUG("%s: dev_type = %d ", __func__, p_dev_rec->device_type);
2117 p_dev_rec->device_type |= BT_DEVICE_TYPE_BLE;
2118 } else {
2119 SMP_TRACE_ERROR("%s failed to find Security Record", __func__);
2120 }
2121
2122 SMP_TRACE_DEBUG("%s: LTK derivation from LK successfully completed",
2123 __func__);
2124 smp_save_secure_connections_long_term_key(p_cb);
2125 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, false);
2126 smp_br_select_next_key(p_cb, NULL);
2127 }
2128
2129 /*******************************************************************************
2130 * Function smp_key_distribution_by_transport
2131 * Description depending on the transport used at the moment calls either
2132 * smp_key_distribution(...) or smp_br_key_distribution(...).
2133 ******************************************************************************/
smp_key_distribution_by_transport(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2134 void smp_key_distribution_by_transport(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
2135 SMP_TRACE_DEBUG("%s", __func__);
2136 if (p_cb->smp_over_br) {
2137 smp_br_select_next_key(p_cb, NULL);
2138 } else {
2139 smp_key_distribution(p_cb, NULL);
2140 }
2141 }
2142
2143 /*******************************************************************************
2144 * Function smp_br_pairing_complete
2145 * Description This function is called to send the pairing complete
2146 * callback and remove the connection if needed.
2147 ******************************************************************************/
smp_br_pairing_complete(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2148 void smp_br_pairing_complete(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
2149 SMP_TRACE_DEBUG("%s", __func__);
2150
2151 if (p_cb->total_tx_unacked == 0) {
2152 /* process the pairing complete */
2153 smp_proc_pairing_cmpl(p_cb);
2154 }
2155 }
2156