1 /******************************************************************************
2 *
3 * Copyright 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 *****************************************************************************/
18
19 /******************************************************************************
20 *
21 * This file contains functions for the SMP L2CAP utility functions
22 *
23 ******************************************************************************/
24 #include <base/logging.h>
25 #include <ctype.h>
26 #include <string.h>
27
28 #include "bt_target.h"
29 #include "bt_utils.h"
30 #include "btm_ble_api.h"
31 #include "device/include/controller.h"
32 #include "l2c_api.h"
33 #include "osi/include/log.h"
34 #include "osi/include/osi.h"
35 #include "smp_int.h"
36 #include "stack/btm/btm_ble_int.h"
37 #include "stack/include/acl_api.h"
38 #include "stack/include/bt_hdr.h"
39 #include "stack/include/bt_octets.h"
40 #include "stack/include/btm_log_history.h"
41 #include "stack/include/stack_metrics_logging.h"
42 #include "types/raw_address.h"
43
44 void btm_dev_consolidate_existing_connections(const RawAddress& bd_addr);
45
46 #define SMP_PAIRING_REQ_SIZE 7
47 #define SMP_CONFIRM_CMD_SIZE (OCTET16_LEN + 1)
48 #define SMP_RAND_CMD_SIZE (OCTET16_LEN + 1)
49 #define SMP_INIT_CMD_SIZE (OCTET16_LEN + 1)
50 #define SMP_ENC_INFO_SIZE (OCTET16_LEN + 1)
51 #define SMP_CENTRAL_ID_SIZE (BT_OCTET8_LEN + 2 + 1)
52 #define SMP_ID_INFO_SIZE (OCTET16_LEN + 1)
53 #define SMP_ID_ADDR_SIZE (BD_ADDR_LEN + 1 + 1)
54 #define SMP_SIGN_INFO_SIZE (OCTET16_LEN + 1)
55 #define SMP_PAIR_FAIL_SIZE 2
56 #define SMP_SECURITY_REQUEST_SIZE 2
57 #define SMP_PAIR_PUBL_KEY_SIZE (1 /* opcode */ + (2 * BT_OCTET32_LEN))
58 #define SMP_PAIR_COMMITM_SIZE (1 /* opcode */ + OCTET16_LEN /*Commitment*/)
59 #define SMP_PAIR_DHKEY_CHECK_SIZE \
60 (1 /* opcode */ + OCTET16_LEN /*DHKey \
61 Check*/)
62 #define SMP_PAIR_KEYPR_NOTIF_SIZE (1 /* opcode */ + 1 /*Notif Type*/)
63
64 namespace {
65 constexpr char kBtmLogTag[] = "SMP";
66 }
67
68 /* SMP command sizes per spec */
69 static const uint8_t smp_cmd_size_per_spec[] = {
70 0,
71 SMP_PAIRING_REQ_SIZE, /* 0x01: pairing request */
72 SMP_PAIRING_REQ_SIZE, /* 0x02: pairing response */
73 SMP_CONFIRM_CMD_SIZE, /* 0x03: pairing confirm */
74 SMP_RAND_CMD_SIZE, /* 0x04: pairing random */
75 SMP_PAIR_FAIL_SIZE, /* 0x05: pairing failed */
76 SMP_ENC_INFO_SIZE, /* 0x06: encryption information */
77 SMP_CENTRAL_ID_SIZE, /* 0x07: central identification */
78 SMP_ID_INFO_SIZE, /* 0x08: identity information */
79 SMP_ID_ADDR_SIZE, /* 0x09: identity address information */
80 SMP_SIGN_INFO_SIZE, /* 0x0A: signing information */
81 SMP_SECURITY_REQUEST_SIZE, /* 0x0B: security request */
82 SMP_PAIR_PUBL_KEY_SIZE, /* 0x0C: pairing public key */
83 SMP_PAIR_DHKEY_CHECK_SIZE, /* 0x0D: pairing dhkey check */
84 SMP_PAIR_KEYPR_NOTIF_SIZE, /* 0x0E: pairing keypress notification */
85 SMP_PAIR_COMMITM_SIZE /* 0x0F: pairing commitment */
86 };
87
88 static bool smp_parameter_unconditionally_valid(tSMP_CB* p_cb);
89 static bool smp_parameter_unconditionally_invalid(tSMP_CB* p_cb);
90
91 /* type for SMP command length validation functions */
92 typedef bool (*tSMP_CMD_LEN_VALID)(tSMP_CB* p_cb);
93
94 static bool smp_command_has_valid_fixed_length(tSMP_CB* p_cb);
95
96 static const tSMP_CMD_LEN_VALID smp_cmd_len_is_valid[] = {
97 smp_parameter_unconditionally_invalid,
98 smp_command_has_valid_fixed_length, /* 0x01: pairing request */
99 smp_command_has_valid_fixed_length, /* 0x02: pairing response */
100 smp_command_has_valid_fixed_length, /* 0x03: pairing confirm */
101 smp_command_has_valid_fixed_length, /* 0x04: pairing random */
102 smp_command_has_valid_fixed_length, /* 0x05: pairing failed */
103 smp_command_has_valid_fixed_length, /* 0x06: encryption information */
104 smp_command_has_valid_fixed_length, /* 0x07: central identification */
105 smp_command_has_valid_fixed_length, /* 0x08: identity information */
106 smp_command_has_valid_fixed_length, /* 0x09: identity address information */
107 smp_command_has_valid_fixed_length, /* 0x0A: signing information */
108 smp_command_has_valid_fixed_length, /* 0x0B: security request */
109 smp_command_has_valid_fixed_length, /* 0x0C: pairing public key */
110 smp_command_has_valid_fixed_length, /* 0x0D: pairing dhkey check */
111 smp_command_has_valid_fixed_length, /* 0x0E: pairing keypress notification*/
112 smp_command_has_valid_fixed_length /* 0x0F: pairing commitment */
113 };
114
115 /* type for SMP command parameter ranges validation functions */
116 typedef bool (*tSMP_CMD_PARAM_RANGES_VALID)(tSMP_CB* p_cb);
117
118 static bool smp_pairing_request_response_parameters_are_valid(tSMP_CB* p_cb);
119 static bool smp_pairing_keypress_notification_is_valid(tSMP_CB* p_cb);
120
121 static const tSMP_CMD_PARAM_RANGES_VALID smp_cmd_param_ranges_are_valid[] = {
122 smp_parameter_unconditionally_invalid,
123 smp_pairing_request_response_parameters_are_valid, /* 0x01: pairing
124 request */
125 smp_pairing_request_response_parameters_are_valid, /* 0x02: pairing
126 response */
127 smp_parameter_unconditionally_valid, /* 0x03: pairing confirm */
128 smp_parameter_unconditionally_valid, /* 0x04: pairing random */
129 smp_parameter_unconditionally_valid, /* 0x05: pairing failed */
130 smp_parameter_unconditionally_valid, /* 0x06: encryption information */
131 smp_parameter_unconditionally_valid, /* 0x07: central identification */
132 smp_parameter_unconditionally_valid, /* 0x08: identity information */
133 smp_parameter_unconditionally_valid, /* 0x09: identity address
134 information */
135 smp_parameter_unconditionally_valid, /* 0x0A: signing information */
136 smp_parameter_unconditionally_valid, /* 0x0B: security request */
137 smp_parameter_unconditionally_valid, /* 0x0C: pairing public key */
138 smp_parameter_unconditionally_valid, /* 0x0D: pairing dhkey check */
139 smp_pairing_keypress_notification_is_valid, /* 0x0E: pairing keypress
140 notification */
141 smp_parameter_unconditionally_valid /* 0x0F: pairing commitment */
142 };
143
144 /* type for action functions */
145 typedef BT_HDR* (*tSMP_CMD_ACT)(uint8_t cmd_code, tSMP_CB* p_cb);
146
147 static BT_HDR* smp_build_pairing_cmd(uint8_t cmd_code, tSMP_CB* p_cb);
148 static BT_HDR* smp_build_confirm_cmd(UNUSED_ATTR uint8_t cmd_code,
149 tSMP_CB* p_cb);
150 static BT_HDR* smp_build_rand_cmd(UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb);
151 static BT_HDR* smp_build_pairing_fail(UNUSED_ATTR uint8_t cmd_code,
152 tSMP_CB* p_cb);
153 static BT_HDR* smp_build_identity_info_cmd(UNUSED_ATTR uint8_t cmd_code,
154 tSMP_CB* p_cb);
155 static BT_HDR* smp_build_encrypt_info_cmd(UNUSED_ATTR uint8_t cmd_code,
156 tSMP_CB* p_cb);
157 static BT_HDR* smp_build_security_request(UNUSED_ATTR uint8_t cmd_code,
158 tSMP_CB* p_cb);
159 static BT_HDR* smp_build_signing_info_cmd(UNUSED_ATTR uint8_t cmd_code,
160 tSMP_CB* p_cb);
161 static BT_HDR* smp_build_central_id_cmd(UNUSED_ATTR uint8_t cmd_code,
162 tSMP_CB* p_cb);
163 static BT_HDR* smp_build_id_addr_cmd(UNUSED_ATTR uint8_t cmd_code,
164 tSMP_CB* p_cb);
165 static BT_HDR* smp_build_pair_public_key_cmd(UNUSED_ATTR uint8_t cmd_code,
166 tSMP_CB* p_cb);
167 static BT_HDR* smp_build_pairing_commitment_cmd(UNUSED_ATTR uint8_t cmd_code,
168 tSMP_CB* p_cb);
169 static BT_HDR* smp_build_pair_dhkey_check_cmd(UNUSED_ATTR uint8_t cmd_code,
170 tSMP_CB* p_cb);
171 static BT_HDR* smp_build_pairing_keypress_notification_cmd(
172 UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb);
173
174 static const tSMP_CMD_ACT smp_cmd_build_act[] = {
175 NULL,
176 smp_build_pairing_cmd, /* 0x01: pairing request */
177 smp_build_pairing_cmd, /* 0x02: pairing response */
178 smp_build_confirm_cmd, /* 0x03: pairing confirm */
179 smp_build_rand_cmd, /* 0x04: pairing random */
180 smp_build_pairing_fail, /* 0x05: pairing failure */
181 smp_build_encrypt_info_cmd, /* 0x06: encryption information */
182 smp_build_central_id_cmd, /* 0x07: central identification */
183 smp_build_identity_info_cmd, /* 0x08: identity information */
184 smp_build_id_addr_cmd, /* 0x09: identity address information */
185 smp_build_signing_info_cmd, /* 0x0A: signing information */
186 smp_build_security_request, /* 0x0B: security request */
187 smp_build_pair_public_key_cmd, /* 0x0C: pairing public key */
188 smp_build_pair_dhkey_check_cmd, /* 0x0D: pairing DHKey check */
189 smp_build_pairing_keypress_notification_cmd, /* 0x0E: pairing keypress
190 notification */
191 smp_build_pairing_commitment_cmd /* 0x0F: pairing commitment */
192 };
193
194 static const tSMP_ASSO_MODEL
195 smp_association_table[2][SMP_IO_CAP_MAX][SMP_IO_CAP_MAX] = {
196 /* display only */ /* Display Yes/No */ /* keyboard only */
197 /* No Input/Output */ /* keyboard display */
198
199 /* initiator */
200 /* model = tbl[peer_io_caps][loc_io_caps] */
201 /* Display Only */
202 {{SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
203 SMP_MODEL_PASSKEY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY},
204
205 /* Display Yes/No */
206 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
207 SMP_MODEL_PASSKEY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY},
208
209 /* Keyboard only */
210 {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY,
211 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF},
212
213 /* No Input No Output */
214 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
215 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
216 SMP_MODEL_ENCRYPTION_ONLY},
217
218 /* keyboard display */
219 {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY,
220 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF}},
221
222 /* responder */
223 /* model = tbl[loc_io_caps][peer_io_caps] */
224 /* Display Only */
225 {{SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
226 SMP_MODEL_KEY_NOTIF, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF},
227
228 /* Display Yes/No */
229 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
230 SMP_MODEL_KEY_NOTIF, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF},
231
232 /* keyboard only */
233 {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY,
234 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY},
235
236 /* No Input No Output */
237 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
238 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
239 SMP_MODEL_ENCRYPTION_ONLY},
240
241 /* keyboard display */
242 {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_KEY_NOTIF,
243 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY}}};
244
245 static const tSMP_ASSO_MODEL
246 smp_association_table_sc[2][SMP_IO_CAP_MAX][SMP_IO_CAP_MAX] = {
247 /* display only */ /* Display Yes/No */ /* keyboard only */
248 /* No InputOutput */ /* keyboard display */
249
250 /* initiator */
251 /* model = tbl[peer_io_caps][loc_io_caps] */
252
253 /* Display Only */
254 {{SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
255 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
256 SMP_MODEL_SEC_CONN_PASSKEY_ENT},
257
258 /* Display Yes/No */
259 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP,
260 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
261 SMP_MODEL_SEC_CONN_NUM_COMP},
262
263 /* keyboard only */
264 {SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_PASSKEY_DISP,
265 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
266 SMP_MODEL_SEC_CONN_PASSKEY_DISP},
267
268 /* No Input No Output */
269 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
270 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
271 SMP_MODEL_SEC_CONN_JUSTWORKS},
272
273 /* keyboard display */
274 {SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_NUM_COMP,
275 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
276 SMP_MODEL_SEC_CONN_NUM_COMP}},
277
278 /* responder */
279 /* model = tbl[loc_io_caps][peer_io_caps] */
280
281 /* Display Only */
282 {{SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
283 SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS,
284 SMP_MODEL_SEC_CONN_PASSKEY_DISP},
285
286 /* Display Yes/No */
287 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP,
288 SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS,
289 SMP_MODEL_SEC_CONN_NUM_COMP},
290
291 /* keyboard only */
292 {SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_PASSKEY_ENT,
293 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
294 SMP_MODEL_SEC_CONN_PASSKEY_ENT},
295
296 /* No Input No Output */
297 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
298 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
299 SMP_MODEL_SEC_CONN_JUSTWORKS},
300
301 /* keyboard display */
302 {SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_NUM_COMP,
303 SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS,
304 SMP_MODEL_SEC_CONN_NUM_COMP}}};
305
306 static tSMP_ASSO_MODEL smp_select_legacy_association_model(tSMP_CB* p_cb);
307 static tSMP_ASSO_MODEL smp_select_association_model_secure_connections(
308 tSMP_CB* p_cb);
309
310 /**
311 * Log metrics data for SMP command
312 *
313 * @param bd_addr current pairing address
314 * @param is_outgoing whether this command is outgoing
315 * @param p_buf buffer to the beginning of SMP command
316 * @param buf_len length available to read for p_buf
317 */
smp_log_metrics(const RawAddress & bd_addr,bool is_outgoing,const uint8_t * p_buf,size_t buf_len,bool is_over_br)318 void smp_log_metrics(const RawAddress& bd_addr, bool is_outgoing,
319 const uint8_t* p_buf, size_t buf_len, bool is_over_br) {
320 if (buf_len < 1) {
321 LOG(WARNING) << __func__ << ": buffer is too small, size is " << buf_len;
322 return;
323 }
324 uint8_t raw_cmd;
325 STREAM_TO_UINT8(raw_cmd, p_buf);
326 buf_len--;
327 uint8_t failure_reason = 0;
328 if (raw_cmd == SMP_OPCODE_PAIRING_FAILED && buf_len >= 1) {
329 STREAM_TO_UINT8(failure_reason, p_buf);
330 }
331 uint16_t metric_cmd =
332 is_over_br ? SMP_METRIC_COMMAND_BR_FLAG : SMP_METRIC_COMMAND_LE_FLAG;
333 metric_cmd |= static_cast<uint16_t>(raw_cmd);
334 android::bluetooth::DirectionEnum direction =
335 is_outgoing ? android::bluetooth::DirectionEnum::DIRECTION_OUTGOING
336 : android::bluetooth::DirectionEnum::DIRECTION_INCOMING;
337 log_smp_pairing_event(bd_addr, metric_cmd, direction,
338 static_cast<uint16_t>(failure_reason));
339 }
340
341 /*******************************************************************************
342 *
343 * Function smp_send_msg_to_L2CAP
344 *
345 * Description Send message to L2CAP.
346 *
347 ******************************************************************************/
smp_send_msg_to_L2CAP(const RawAddress & rem_bda,BT_HDR * p_toL2CAP)348 bool smp_send_msg_to_L2CAP(const RawAddress& rem_bda, BT_HDR* p_toL2CAP) {
349 uint16_t l2cap_ret;
350 uint16_t fixed_cid = L2CAP_SMP_CID;
351
352 if (smp_cb.smp_over_br) {
353 fixed_cid = L2CAP_SMP_BR_CID;
354 }
355
356 SMP_TRACE_EVENT("%s", __func__);
357
358 smp_log_metrics(rem_bda, true /* outgoing */,
359 p_toL2CAP->data + p_toL2CAP->offset, p_toL2CAP->len,
360 smp_cb.smp_over_br /* is_over_br */);
361
362 l2cap_ret = L2CA_SendFixedChnlData(fixed_cid, rem_bda, p_toL2CAP);
363 if (l2cap_ret == L2CAP_DW_FAILED) {
364 SMP_TRACE_ERROR("SMP failed to pass msg to L2CAP");
365 return false;
366 } else {
367 tSMP_CB* p_cb = &smp_cb;
368
369 if (p_cb->wait_for_authorization_complete) {
370 tSMP_INT_DATA smp_int_data;
371 smp_int_data.status = SMP_SUCCESS;
372 if (fixed_cid == L2CAP_SMP_CID) {
373 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
374 } else {
375 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
376 }
377 }
378 return true;
379 }
380 }
381
382 /*******************************************************************************
383 *
384 * Function smp_send_cmd
385 *
386 * Description send a SMP command on L2CAP channel.
387 *
388 ******************************************************************************/
smp_send_cmd(uint8_t cmd_code,tSMP_CB * p_cb)389 bool smp_send_cmd(uint8_t cmd_code, tSMP_CB* p_cb) {
390 BT_HDR* p_buf;
391 bool sent = false;
392
393 LOG_DEBUG("Sending SMP command:%s[0x%x] pairing_bda=%s",
394 smp_opcode_text(static_cast<tSMP_OPCODE>(cmd_code)).c_str(),
395 cmd_code, PRIVATE_ADDRESS(p_cb->pairing_bda));
396
397 if (cmd_code <= (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */) &&
398 smp_cmd_build_act[cmd_code] != NULL) {
399 p_buf = (*smp_cmd_build_act[cmd_code])(cmd_code, p_cb);
400
401 if (p_buf != NULL && smp_send_msg_to_L2CAP(p_cb->pairing_bda, p_buf)) {
402 sent = true;
403 alarm_set_on_mloop(p_cb->smp_rsp_timer_ent, SMP_WAIT_FOR_RSP_TIMEOUT_MS,
404 smp_rsp_timeout, NULL);
405 }
406 }
407
408 if (!sent) {
409 tSMP_INT_DATA smp_int_data;
410 smp_int_data.status = SMP_PAIR_INTERNAL_ERR;
411 if (p_cb->smp_over_br) {
412 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
413 } else {
414 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
415 }
416 }
417 return sent;
418 }
419
420 /*******************************************************************************
421 *
422 * Function smp_rsp_timeout
423 *
424 * Description Called when SMP wait for SMP command response timer expires
425 *
426 * Returns void
427 *
428 ******************************************************************************/
smp_rsp_timeout(UNUSED_ATTR void * data)429 void smp_rsp_timeout(UNUSED_ATTR void* data) {
430 tSMP_CB* p_cb = &smp_cb;
431
432 SMP_TRACE_EVENT("%s state:%d br_state:%d", __func__, p_cb->state,
433 p_cb->br_state);
434
435 tSMP_INT_DATA smp_int_data;
436 smp_int_data.status = SMP_RSP_TIMEOUT;
437 if (p_cb->smp_over_br) {
438 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
439 } else {
440 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
441 }
442 }
443
444 /*******************************************************************************
445 *
446 * Function smp_delayed_auth_complete_timeout
447 *
448 * Description Called when no pairing failed command received within
449 * timeout period.
450 *
451 * Returns void
452 *
453 ******************************************************************************/
smp_delayed_auth_complete_timeout(UNUSED_ATTR void * data)454 void smp_delayed_auth_complete_timeout(UNUSED_ATTR void* data) {
455 /*
456 * Waited for potential pair failure. Send SMP_AUTH_CMPL_EVT if
457 * the state is still in bond pending.
458 */
459 if (smp_get_state() == SMP_STATE_BOND_PENDING) {
460 SMP_TRACE_EVENT("%s sending delayed auth complete.", __func__);
461 tSMP_INT_DATA smp_int_data;
462 smp_int_data.status = SMP_SUCCESS;
463 smp_sm_event(&smp_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
464 }
465 }
466
467 /*******************************************************************************
468 *
469 * Function smp_build_pairing_req_cmd
470 *
471 * Description Build pairing request command.
472 *
473 ******************************************************************************/
smp_build_pairing_cmd(uint8_t cmd_code,tSMP_CB * p_cb)474 BT_HDR* smp_build_pairing_cmd(uint8_t cmd_code, tSMP_CB* p_cb) {
475 uint8_t* p;
476 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIRING_REQ_SIZE +
477 L2CAP_MIN_OFFSET);
478
479 SMP_TRACE_EVENT("%s", __func__);
480
481 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
482 UINT8_TO_STREAM(p, cmd_code);
483 UINT8_TO_STREAM(p, p_cb->local_io_capability);
484 UINT8_TO_STREAM(p, p_cb->loc_oob_flag);
485 UINT8_TO_STREAM(p, p_cb->loc_auth_req);
486 UINT8_TO_STREAM(p, p_cb->loc_enc_size);
487 UINT8_TO_STREAM(p, p_cb->local_i_key);
488 UINT8_TO_STREAM(p, p_cb->local_r_key);
489
490 p_buf->offset = L2CAP_MIN_OFFSET;
491 /* 1B ERR_RSP op code + 1B cmd_op_code + 2B handle + 1B status */
492 p_buf->len = SMP_PAIRING_REQ_SIZE;
493
494 return p_buf;
495 }
496
497 /*******************************************************************************
498 *
499 * Function smp_build_confirm_cmd
500 *
501 * Description Build confirm request command.
502 *
503 ******************************************************************************/
smp_build_confirm_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)504 static BT_HDR* smp_build_confirm_cmd(UNUSED_ATTR uint8_t cmd_code,
505 tSMP_CB* p_cb) {
506 uint8_t* p;
507 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_CONFIRM_CMD_SIZE +
508 L2CAP_MIN_OFFSET);
509
510 SMP_TRACE_EVENT("%s", __func__);
511
512 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
513
514 UINT8_TO_STREAM(p, SMP_OPCODE_CONFIRM);
515 ARRAY_TO_STREAM(p, p_cb->confirm, OCTET16_LEN);
516
517 p_buf->offset = L2CAP_MIN_OFFSET;
518 p_buf->len = SMP_CONFIRM_CMD_SIZE;
519
520 return p_buf;
521 }
522
523 /*******************************************************************************
524 *
525 * Function smp_build_rand_cmd
526 *
527 * Description Build Random command.
528 *
529 ******************************************************************************/
smp_build_rand_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)530 static BT_HDR* smp_build_rand_cmd(UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb) {
531 uint8_t* p;
532 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_RAND_CMD_SIZE +
533 L2CAP_MIN_OFFSET);
534
535 SMP_TRACE_EVENT("%s", __func__);
536
537 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
538 UINT8_TO_STREAM(p, SMP_OPCODE_RAND);
539 ARRAY_TO_STREAM(p, p_cb->rand, OCTET16_LEN);
540
541 p_buf->offset = L2CAP_MIN_OFFSET;
542 p_buf->len = SMP_RAND_CMD_SIZE;
543
544 return p_buf;
545 }
546
547 /*******************************************************************************
548 *
549 * Function smp_build_encrypt_info_cmd
550 *
551 * Description Build security information command.
552 *
553 ******************************************************************************/
smp_build_encrypt_info_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)554 static BT_HDR* smp_build_encrypt_info_cmd(UNUSED_ATTR uint8_t cmd_code,
555 tSMP_CB* p_cb) {
556 uint8_t* p;
557 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ENC_INFO_SIZE +
558 L2CAP_MIN_OFFSET);
559
560 SMP_TRACE_EVENT("%s", __func__);
561
562 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
563 UINT8_TO_STREAM(p, SMP_OPCODE_ENCRYPT_INFO);
564 ARRAY_TO_STREAM(p, p_cb->ltk, OCTET16_LEN);
565
566 p_buf->offset = L2CAP_MIN_OFFSET;
567 p_buf->len = SMP_ENC_INFO_SIZE;
568
569 return p_buf;
570 }
571
572 /*******************************************************************************
573 *
574 * Function smp_build_central_id_cmd
575 *
576 * Description Build security information command.
577 *
578 ******************************************************************************/
smp_build_central_id_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)579 static BT_HDR* smp_build_central_id_cmd(UNUSED_ATTR uint8_t cmd_code,
580 tSMP_CB* p_cb) {
581 uint8_t* p;
582 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_CENTRAL_ID_SIZE +
583 L2CAP_MIN_OFFSET);
584
585 SMP_TRACE_EVENT("%s", __func__);
586
587 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
588 UINT8_TO_STREAM(p, SMP_OPCODE_CENTRAL_ID);
589 UINT16_TO_STREAM(p, p_cb->ediv);
590 ARRAY_TO_STREAM(p, p_cb->enc_rand, BT_OCTET8_LEN);
591
592 p_buf->offset = L2CAP_MIN_OFFSET;
593 p_buf->len = SMP_CENTRAL_ID_SIZE;
594
595 return p_buf;
596 }
597
598 /*******************************************************************************
599 *
600 * Function smp_build_identity_info_cmd
601 *
602 * Description Build identity information command.
603 *
604 ******************************************************************************/
smp_build_identity_info_cmd(UNUSED_ATTR uint8_t cmd_code,UNUSED_ATTR tSMP_CB * p_cb)605 static BT_HDR* smp_build_identity_info_cmd(UNUSED_ATTR uint8_t cmd_code,
606 UNUSED_ATTR tSMP_CB* p_cb) {
607 uint8_t* p;
608 BT_HDR* p_buf =
609 (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ID_INFO_SIZE + L2CAP_MIN_OFFSET);
610
611 SMP_TRACE_EVENT("%s", __func__);
612
613 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
614
615 const Octet16& irk = BTM_GetDeviceIDRoot();
616
617 UINT8_TO_STREAM(p, SMP_OPCODE_IDENTITY_INFO);
618 ARRAY_TO_STREAM(p, irk.data(), OCTET16_LEN);
619
620 p_buf->offset = L2CAP_MIN_OFFSET;
621 p_buf->len = SMP_ID_INFO_SIZE;
622
623 return p_buf;
624 }
625
626 /*******************************************************************************
627 *
628 * Function smp_build_id_addr_cmd
629 *
630 * Description Build identity address information command.
631 *
632 ******************************************************************************/
smp_build_id_addr_cmd(UNUSED_ATTR uint8_t cmd_code,UNUSED_ATTR tSMP_CB * p_cb)633 static BT_HDR* smp_build_id_addr_cmd(UNUSED_ATTR uint8_t cmd_code,
634 UNUSED_ATTR tSMP_CB* p_cb) {
635 uint8_t* p;
636 BT_HDR* p_buf =
637 (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ID_ADDR_SIZE + L2CAP_MIN_OFFSET);
638
639 SMP_TRACE_EVENT("%s", __func__);
640
641 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
642 UINT8_TO_STREAM(p, SMP_OPCODE_ID_ADDR);
643 UINT8_TO_STREAM(p, 0);
644 BDADDR_TO_STREAM(p, *controller_get_interface()->get_address());
645
646 p_buf->offset = L2CAP_MIN_OFFSET;
647 p_buf->len = SMP_ID_ADDR_SIZE;
648
649 return p_buf;
650 }
651
652 /*******************************************************************************
653 *
654 * Function smp_build_signing_info_cmd
655 *
656 * Description Build signing information command.
657 *
658 ******************************************************************************/
smp_build_signing_info_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)659 static BT_HDR* smp_build_signing_info_cmd(UNUSED_ATTR uint8_t cmd_code,
660 tSMP_CB* p_cb) {
661 uint8_t* p;
662 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_SIGN_INFO_SIZE +
663 L2CAP_MIN_OFFSET);
664
665 SMP_TRACE_EVENT("%s", __func__);
666
667 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
668 UINT8_TO_STREAM(p, SMP_OPCODE_SIGN_INFO);
669 ARRAY_TO_STREAM(p, p_cb->csrk, OCTET16_LEN);
670
671 p_buf->offset = L2CAP_MIN_OFFSET;
672 p_buf->len = SMP_SIGN_INFO_SIZE;
673
674 return p_buf;
675 }
676
677 /*******************************************************************************
678 *
679 * Function smp_build_pairing_fail
680 *
681 * Description Build Pairing Fail command.
682 *
683 ******************************************************************************/
smp_build_pairing_fail(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)684 static BT_HDR* smp_build_pairing_fail(UNUSED_ATTR uint8_t cmd_code,
685 tSMP_CB* p_cb) {
686 uint8_t* p;
687 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_FAIL_SIZE +
688 L2CAP_MIN_OFFSET);
689
690 SMP_TRACE_EVENT("%s", __func__);
691
692 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
693 UINT8_TO_STREAM(p, SMP_OPCODE_PAIRING_FAILED);
694 UINT8_TO_STREAM(p, p_cb->failure);
695
696 p_buf->offset = L2CAP_MIN_OFFSET;
697 p_buf->len = SMP_PAIR_FAIL_SIZE;
698
699 return p_buf;
700 }
701
702 /*******************************************************************************
703 *
704 * Function smp_build_security_request
705 *
706 * Description Build security request command.
707 *
708 ******************************************************************************/
smp_build_security_request(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)709 static BT_HDR* smp_build_security_request(UNUSED_ATTR uint8_t cmd_code,
710 tSMP_CB* p_cb) {
711 uint8_t* p;
712 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + 2 + L2CAP_MIN_OFFSET);
713
714 SMP_TRACE_EVENT("%s", __func__);
715
716 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
717 UINT8_TO_STREAM(p, SMP_OPCODE_SEC_REQ);
718 UINT8_TO_STREAM(p, p_cb->loc_auth_req);
719
720 p_buf->offset = L2CAP_MIN_OFFSET;
721 p_buf->len = SMP_SECURITY_REQUEST_SIZE;
722
723 SMP_TRACE_EVENT("opcode=%d auth_req=0x%x", SMP_OPCODE_SEC_REQ,
724 p_cb->loc_auth_req);
725
726 return p_buf;
727 }
728
729 /*******************************************************************************
730 *
731 * Function smp_build_pair_public_key_cmd
732 *
733 * Description Build pairing public key command.
734 *
735 ******************************************************************************/
smp_build_pair_public_key_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)736 static BT_HDR* smp_build_pair_public_key_cmd(UNUSED_ATTR uint8_t cmd_code,
737 tSMP_CB* p_cb) {
738 uint8_t* p;
739 uint8_t publ_key[2 * BT_OCTET32_LEN];
740 uint8_t* p_publ_key = publ_key;
741 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_PUBL_KEY_SIZE +
742 L2CAP_MIN_OFFSET);
743
744 SMP_TRACE_EVENT("%s", __func__);
745
746 memcpy(p_publ_key, p_cb->loc_publ_key.x, BT_OCTET32_LEN);
747 memcpy(p_publ_key + BT_OCTET32_LEN, p_cb->loc_publ_key.y, BT_OCTET32_LEN);
748
749 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
750 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_PUBLIC_KEY);
751 ARRAY_TO_STREAM(p, p_publ_key, 2 * BT_OCTET32_LEN);
752
753 p_buf->offset = L2CAP_MIN_OFFSET;
754 p_buf->len = SMP_PAIR_PUBL_KEY_SIZE;
755
756 return p_buf;
757 }
758
759 /*******************************************************************************
760 *
761 * Function smp_build_pairing_commitment_cmd
762 *
763 * Description Build pairing commitment command.
764 *
765 ******************************************************************************/
smp_build_pairing_commitment_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)766 static BT_HDR* smp_build_pairing_commitment_cmd(UNUSED_ATTR uint8_t cmd_code,
767 tSMP_CB* p_cb) {
768 uint8_t* p;
769 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_COMMITM_SIZE +
770 L2CAP_MIN_OFFSET);
771
772 SMP_TRACE_EVENT("%s", __func__);
773
774 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
775 UINT8_TO_STREAM(p, SMP_OPCODE_CONFIRM);
776 ARRAY_TO_STREAM(p, p_cb->commitment, OCTET16_LEN);
777
778 p_buf->offset = L2CAP_MIN_OFFSET;
779 p_buf->len = SMP_PAIR_COMMITM_SIZE;
780
781 return p_buf;
782 }
783
784 /*******************************************************************************
785 *
786 * Function smp_build_pair_dhkey_check_cmd
787 *
788 * Description Build pairing DHKey check command.
789 *
790 ******************************************************************************/
smp_build_pair_dhkey_check_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)791 static BT_HDR* smp_build_pair_dhkey_check_cmd(UNUSED_ATTR uint8_t cmd_code,
792 tSMP_CB* p_cb) {
793 uint8_t* p;
794 BT_HDR* p_buf = (BT_HDR*)osi_malloc(
795 sizeof(BT_HDR) + SMP_PAIR_DHKEY_CHECK_SIZE + L2CAP_MIN_OFFSET);
796
797 SMP_TRACE_EVENT("%s", __func__);
798
799 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
800 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_DHKEY_CHECK);
801 ARRAY_TO_STREAM(p, p_cb->dhkey_check, OCTET16_LEN);
802
803 p_buf->offset = L2CAP_MIN_OFFSET;
804 p_buf->len = SMP_PAIR_DHKEY_CHECK_SIZE;
805
806 return p_buf;
807 }
808
809 /*******************************************************************************
810 *
811 * Function smp_build_pairing_keypress_notification_cmd
812 *
813 * Description Build keypress notification command.
814 *
815 ******************************************************************************/
smp_build_pairing_keypress_notification_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)816 static BT_HDR* smp_build_pairing_keypress_notification_cmd(
817 UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb) {
818 uint8_t* p;
819 BT_HDR* p_buf = (BT_HDR*)osi_malloc(
820 sizeof(BT_HDR) + SMP_PAIR_KEYPR_NOTIF_SIZE + L2CAP_MIN_OFFSET);
821
822 SMP_TRACE_EVENT("%s", __func__);
823
824 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
825 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_KEYPR_NOTIF);
826 UINT8_TO_STREAM(p, p_cb->local_keypress_notification);
827
828 p_buf->offset = L2CAP_MIN_OFFSET;
829 p_buf->len = SMP_PAIR_KEYPR_NOTIF_SIZE;
830
831 return p_buf;
832 }
833
834 /** This function is called to convert a 6 to 16 digits numeric character string
835 * into SMP TK. */
smp_convert_string_to_tk(Octet16 * tk,uint32_t passkey)836 void smp_convert_string_to_tk(Octet16* tk, uint32_t passkey) {
837 uint8_t* p = tk->data();
838 tSMP_KEY key;
839 SMP_TRACE_EVENT("smp_convert_string_to_tk");
840 UINT32_TO_STREAM(p, passkey);
841
842 key.key_type = SMP_KEY_TYPE_TK;
843 key.p_data = tk->data();
844
845 tSMP_INT_DATA smp_int_data;
846 smp_int_data.key = key;
847 smp_sm_event(&smp_cb, SMP_KEY_READY_EVT, &smp_int_data);
848 }
849
850 /** This function is called to mask off the encryption key based on the maximum
851 * encryption key size. */
smp_mask_enc_key(uint8_t loc_enc_size,Octet16 * p_data)852 void smp_mask_enc_key(uint8_t loc_enc_size, Octet16* p_data) {
853 SMP_TRACE_EVENT("smp_mask_enc_key");
854 if (loc_enc_size < OCTET16_LEN) {
855 for (; loc_enc_size < OCTET16_LEN; loc_enc_size++)
856 (*p_data)[loc_enc_size] = 0;
857 }
858 return;
859 }
860
861 /** utility function to do an biteise exclusive-OR of two bit strings of the
862 * length of OCTET16_LEN. Result is stored in first argument.
863 */
smp_xor_128(Octet16 * a,const Octet16 & b)864 void smp_xor_128(Octet16* a, const Octet16& b) {
865 CHECK(a);
866 uint8_t i, *aa = a->data();
867 const uint8_t* bb = b.data();
868
869 for (i = 0; i < OCTET16_LEN; i++) {
870 aa[i] = aa[i] ^ bb[i];
871 }
872 }
873
874 /*******************************************************************************
875 *
876 * Function smp_cb_cleanup
877 *
878 * Description Clean up SMP control block
879 *
880 * Returns void
881 *
882 ******************************************************************************/
smp_cb_cleanup(tSMP_CB * p_cb)883 void smp_cb_cleanup(tSMP_CB* p_cb) {
884 tSMP_CALLBACK* p_callback = p_cb->p_callback;
885 uint8_t trace_level = p_cb->trace_level;
886 alarm_t* smp_rsp_timer_ent = p_cb->smp_rsp_timer_ent;
887 alarm_t* delayed_auth_timer_ent = p_cb->delayed_auth_timer_ent;
888
889 SMP_TRACE_EVENT("smp_cb_cleanup");
890
891 alarm_cancel(p_cb->smp_rsp_timer_ent);
892 alarm_cancel(p_cb->delayed_auth_timer_ent);
893 memset(p_cb, 0, sizeof(tSMP_CB));
894 p_cb->p_callback = p_callback;
895 p_cb->trace_level = trace_level;
896 p_cb->smp_rsp_timer_ent = smp_rsp_timer_ent;
897 p_cb->delayed_auth_timer_ent = delayed_auth_timer_ent;
898 }
899
900 /*******************************************************************************
901 *
902 * Function smp_remove_fixed_channel
903 *
904 * Description This function is called to remove the fixed channel
905 *
906 * Returns void
907 *
908 ******************************************************************************/
smp_remove_fixed_channel(tSMP_CB * p_cb)909 void smp_remove_fixed_channel(tSMP_CB* p_cb) {
910 SMP_TRACE_DEBUG("%s", __func__);
911
912 if (p_cb->smp_over_br)
913 L2CA_RemoveFixedChnl(L2CAP_SMP_BR_CID, p_cb->pairing_bda);
914 else
915 L2CA_RemoveFixedChnl(L2CAP_SMP_CID, p_cb->pairing_bda);
916 }
917
918 /*******************************************************************************
919 *
920 * Function smp_reset_control_value
921 *
922 * Description This function is called to reset the control block value
923 * when the pairing procedure finished.
924 *
925 *
926 * Returns void
927 *
928 ******************************************************************************/
smp_reset_control_value(tSMP_CB * p_cb)929 void smp_reset_control_value(tSMP_CB* p_cb) {
930 SMP_TRACE_EVENT("%s", __func__);
931
932 alarm_cancel(p_cb->smp_rsp_timer_ent);
933 p_cb->flags = 0;
934 /* set the link idle timer to drop the link when pairing is done
935 usually service discovery will follow authentication complete, to avoid
936 racing condition for a link down/up, set link idle timer to be
937 SMP_LINK_TOUT_MIN to guarantee SMP key exchange */
938 L2CA_SetIdleTimeoutByBdAddr(p_cb->pairing_bda, SMP_LINK_TOUT_MIN,
939 BT_TRANSPORT_LE);
940
941 /* We can tell L2CAP to remove the fixed channel (if it has one) */
942 smp_remove_fixed_channel(p_cb);
943 smp_cb_cleanup(p_cb);
944 }
945
946 /*******************************************************************************
947 *
948 * Function smp_proc_pairing_cmpl
949 *
950 * Description This function is called to process pairing complete
951 *
952 *
953 * Returns void
954 *
955 ******************************************************************************/
smp_proc_pairing_cmpl(tSMP_CB * p_cb)956 void smp_proc_pairing_cmpl(tSMP_CB* p_cb) {
957 tSMP_CALLBACK* p_callback = p_cb->p_callback;
958 const RawAddress pairing_bda = p_cb->pairing_bda;
959
960 const tSMP_EVT_DATA evt_data = {
961 .cmplt =
962 {
963 .reason = p_cb->status,
964 .sec_level = (p_cb->status == SMP_SUCCESS) ? p_cb->sec_level
965 : SMP_SEC_NONE,
966 .is_pair_cancel = p_cb->is_pair_cancel,
967 .smp_over_br = p_cb->smp_over_br,
968 },
969 };
970
971 if (p_cb->status == SMP_SUCCESS) {
972 LOG_DEBUG(
973 "Pairing process has completed successfully remote:%s sec_level:0x%0x",
974 PRIVATE_ADDRESS(p_cb->pairing_bda), evt_data.cmplt.sec_level);
975 BTM_LogHistory(kBtmLogTag, pairing_bda, "Pairing success");
976 } else {
977 LOG_WARN(
978 "Pairing process has failed to remote:%s smp_reason:%s sec_level:0x%0x",
979 PRIVATE_ADDRESS(p_cb->pairing_bda),
980 smp_status_text(evt_data.cmplt.reason).c_str(),
981 evt_data.cmplt.sec_level);
982 BTM_LogHistory(
983 kBtmLogTag, pairing_bda, "Pairing failed",
984 base::StringPrintf("reason:%s",
985 smp_status_text(evt_data.cmplt.reason).c_str()));
986 }
987
988 // Log pairing complete event
989 {
990 auto direction =
991 p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD
992 ? android::bluetooth::DirectionEnum::DIRECTION_OUTGOING
993 : android::bluetooth::DirectionEnum::DIRECTION_INCOMING;
994 uint16_t metric_cmd = p_cb->smp_over_br
995 ? SMP_METRIC_COMMAND_BR_PAIRING_CMPL
996 : SMP_METRIC_COMMAND_LE_PAIRING_CMPL;
997 uint16_t metric_status = p_cb->status;
998 if (metric_status > SMP_MAX_FAIL_RSN_PER_SPEC) {
999 metric_status |= SMP_METRIC_STATUS_INTERNAL_FLAG;
1000 }
1001 log_smp_pairing_event(p_cb->pairing_bda, metric_cmd, direction,
1002 metric_status);
1003 }
1004
1005 if (p_cb->status == SMP_SUCCESS && p_cb->smp_over_br) {
1006 btm_dev_consolidate_existing_connections(pairing_bda);
1007 }
1008
1009 smp_reset_control_value(p_cb);
1010
1011 if (p_callback) (*p_callback)(SMP_COMPLT_EVT, pairing_bda, &evt_data);
1012 }
1013
1014 /*******************************************************************************
1015 *
1016 * Function smp_command_has_invalid_length
1017 *
1018 * Description Checks if the received SMP command has invalid length
1019 * It returns true if the command has invalid length.
1020 *
1021 * Returns true if the command has invalid length, false otherwise.
1022 *
1023 ******************************************************************************/
smp_command_has_invalid_length(tSMP_CB * p_cb)1024 bool smp_command_has_invalid_length(tSMP_CB* p_cb) {
1025 uint8_t cmd_code = p_cb->rcvd_cmd_code;
1026
1027 if ((cmd_code > (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */)) ||
1028 (cmd_code < SMP_OPCODE_MIN)) {
1029 SMP_TRACE_WARNING("%s: Received command with RESERVED code 0x%02x",
1030 __func__, cmd_code);
1031 return true;
1032 }
1033
1034 if (!smp_command_has_valid_fixed_length(p_cb)) {
1035 return true;
1036 }
1037
1038 return false;
1039 }
1040
1041 /*******************************************************************************
1042 *
1043 * Function smp_command_has_invalid_parameters
1044 *
1045 * Description Checks if the received SMP command has invalid parameters
1046 * i.e. if the command length is valid and the command
1047 * parameters are inside specified range.
1048 * It returns true if the command has invalid parameters.
1049 *
1050 * Returns true if the command has invalid parameters, false otherwise.
1051 *
1052 ******************************************************************************/
smp_command_has_invalid_parameters(tSMP_CB * p_cb)1053 bool smp_command_has_invalid_parameters(tSMP_CB* p_cb) {
1054 uint8_t cmd_code = p_cb->rcvd_cmd_code;
1055
1056 if ((cmd_code > (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */)) ||
1057 (cmd_code < SMP_OPCODE_MIN)) {
1058 SMP_TRACE_WARNING("%s: Received command with RESERVED code 0x%02x",
1059 __func__, cmd_code);
1060 return true;
1061 }
1062
1063 if (!(*smp_cmd_len_is_valid[cmd_code])(p_cb)) {
1064 SMP_TRACE_WARNING("%s: Command length not valid for cmd_code 0x%02x",
1065 __func__, cmd_code);
1066 return true;
1067 }
1068
1069 if (!(*smp_cmd_param_ranges_are_valid[cmd_code])(p_cb)) {
1070 SMP_TRACE_WARNING("%s: Parameter ranges not valid code 0x%02x", __func__,
1071 cmd_code);
1072 return true;
1073 }
1074
1075 return false;
1076 }
1077
1078 /*******************************************************************************
1079 *
1080 * Function smp_command_has_valid_fixed_length
1081 *
1082 * Description Checks if the received command size is equal to the size
1083 * according to specs.
1084 *
1085 * Returns true if the command size is as expected, false otherwise.
1086 *
1087 * Note The command is expected to have fixed length.
1088 ******************************************************************************/
smp_command_has_valid_fixed_length(tSMP_CB * p_cb)1089 bool smp_command_has_valid_fixed_length(tSMP_CB* p_cb) {
1090 uint8_t cmd_code = p_cb->rcvd_cmd_code;
1091
1092 SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, cmd_code);
1093
1094 if (p_cb->rcvd_cmd_len != smp_cmd_size_per_spec[cmd_code]) {
1095 SMP_TRACE_WARNING(
1096 "Rcvd from the peer cmd 0x%02x with invalid length "
1097 "0x%02x (per spec the length is 0x%02x).",
1098 cmd_code, p_cb->rcvd_cmd_len, smp_cmd_size_per_spec[cmd_code]);
1099 return false;
1100 }
1101
1102 return true;
1103 }
1104
1105 /*******************************************************************************
1106 *
1107 * Function smp_pairing_request_response_parameters_are_valid
1108 *
1109 * Description Validates parameter ranges in the received SMP command
1110 * pairing request or pairing response.
1111 * The parameters to validate:
1112 * IO capability,
1113 * OOB data flag,
1114 * Bonding_flags in AuthReq
1115 * Maximum encryption key size.
1116 * Returns false if at least one of these parameters is out of
1117 * range.
1118 *
1119 ******************************************************************************/
smp_pairing_request_response_parameters_are_valid(tSMP_CB * p_cb)1120 bool smp_pairing_request_response_parameters_are_valid(tSMP_CB* p_cb) {
1121 uint8_t io_caps = p_cb->peer_io_caps;
1122 uint8_t oob_flag = p_cb->peer_oob_flag;
1123 uint8_t bond_flag =
1124 p_cb->peer_auth_req & 0x03; // 0x03 is gen bond with appropriate mask
1125 uint8_t enc_size = p_cb->peer_enc_size;
1126
1127 SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, p_cb->rcvd_cmd_code);
1128
1129 if (io_caps >= BTM_IO_CAP_MAX) {
1130 SMP_TRACE_WARNING(
1131 "Rcvd from the peer cmd 0x%02x with IO Capability "
1132 "value (0x%02x) out of range).",
1133 p_cb->rcvd_cmd_code, io_caps);
1134 return false;
1135 }
1136
1137 if (!((oob_flag == SMP_OOB_NONE) || (oob_flag == SMP_OOB_PRESENT))) {
1138 SMP_TRACE_WARNING(
1139 "Rcvd from the peer cmd 0x%02x with OOB data flag value "
1140 "(0x%02x) out of range).",
1141 p_cb->rcvd_cmd_code, oob_flag);
1142 return false;
1143 }
1144
1145 if (!((bond_flag == SMP_AUTH_NO_BOND) || (bond_flag == SMP_AUTH_BOND))) {
1146 SMP_TRACE_WARNING(
1147 "Rcvd from the peer cmd 0x%02x with Bonding_Flags value (0x%02x) "
1148 "out of range).",
1149 p_cb->rcvd_cmd_code, bond_flag);
1150 return false;
1151 }
1152
1153 if ((enc_size < SMP_ENCR_KEY_SIZE_MIN) ||
1154 (enc_size > SMP_ENCR_KEY_SIZE_MAX)) {
1155 SMP_TRACE_WARNING(
1156 "Rcvd from the peer cmd 0x%02x with Maximum Encryption "
1157 "Key value (0x%02x) out of range).",
1158 p_cb->rcvd_cmd_code, enc_size);
1159 return false;
1160 }
1161
1162 return true;
1163 }
1164
1165 /*******************************************************************************
1166 *
1167 * Function smp_pairing_keypress_notification_is_valid
1168 *
1169 * Description Validates Notification Type parameter range in the received
1170 * SMP command pairing keypress notification.
1171 * Returns false if this parameter is out of range.
1172 *
1173 ******************************************************************************/
smp_pairing_keypress_notification_is_valid(tSMP_CB * p_cb)1174 bool smp_pairing_keypress_notification_is_valid(tSMP_CB* p_cb) {
1175 tSMP_SC_KEY_TYPE keypress_notification = p_cb->peer_keypress_notification;
1176
1177 SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, p_cb->rcvd_cmd_code);
1178
1179 if (keypress_notification >= SMP_SC_KEY_OUT_OF_RANGE) {
1180 SMP_TRACE_WARNING(
1181 "Rcvd from the peer cmd 0x%02x with Pairing Keypress "
1182 "Notification value (0x%02x) out of range).",
1183 p_cb->rcvd_cmd_code, keypress_notification);
1184 return false;
1185 }
1186
1187 return true;
1188 }
1189
1190 /*******************************************************************************
1191 *
1192 * Function smp_parameter_unconditionally_valid
1193 *
1194 * Description Always returns true.
1195 *
1196 ******************************************************************************/
smp_parameter_unconditionally_valid(UNUSED_ATTR tSMP_CB * p_cb)1197 bool smp_parameter_unconditionally_valid(UNUSED_ATTR tSMP_CB* p_cb) {
1198 return true;
1199 }
1200
1201 /*******************************************************************************
1202 *
1203 * Function smp_parameter_unconditionally_invalid
1204 *
1205 * Description Always returns false.
1206 *
1207 ******************************************************************************/
smp_parameter_unconditionally_invalid(UNUSED_ATTR tSMP_CB * p_cb)1208 bool smp_parameter_unconditionally_invalid(UNUSED_ATTR tSMP_CB* p_cb) {
1209 return false;
1210 }
1211
1212 /*******************************************************************************
1213 *
1214 * Function smp_reject_unexpected_pairing_command
1215 *
1216 * Description send pairing failure to an unexpected pairing command during
1217 * an active pairing process.
1218 *
1219 * Returns void
1220 *
1221 ******************************************************************************/
smp_reject_unexpected_pairing_command(const RawAddress & bd_addr)1222 void smp_reject_unexpected_pairing_command(const RawAddress& bd_addr) {
1223 uint8_t* p;
1224 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_FAIL_SIZE +
1225 L2CAP_MIN_OFFSET);
1226
1227 SMP_TRACE_DEBUG("%s", __func__);
1228
1229 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
1230 UINT8_TO_STREAM(p, SMP_OPCODE_PAIRING_FAILED);
1231 UINT8_TO_STREAM(p, SMP_PAIR_NOT_SUPPORT);
1232
1233 p_buf->offset = L2CAP_MIN_OFFSET;
1234 p_buf->len = SMP_PAIR_FAIL_SIZE;
1235
1236 smp_send_msg_to_L2CAP(bd_addr, p_buf);
1237 }
1238
1239 /*******************************************************************************
1240 * Function smp_select_association_model
1241 *
1242 * Description This function selects association model to use for STK
1243 * generation. Selection is based on both sides' io capability,
1244 * oob data flag and authentication request.
1245 *
1246 * Note If Secure Connections Only mode is required locally then we
1247 * come to this point only if both sides support Secure
1248 * Connections mode, i.e.
1249 * if p_cb->secure_connections_only_mode_required = true
1250 * then we come to this point only if
1251 * (p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT) ==
1252 * (p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) ==
1253 * SMP_SC_SUPPORT_BIT
1254 *
1255 ******************************************************************************/
smp_select_association_model(tSMP_CB * p_cb)1256 tSMP_ASSO_MODEL smp_select_association_model(tSMP_CB* p_cb) {
1257 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE;
1258 p_cb->le_secure_connections_mode_is_used = false;
1259
1260 SMP_TRACE_EVENT("%s", __func__);
1261 SMP_TRACE_DEBUG("%s p_cb->peer_io_caps = %d p_cb->local_io_capability = %d",
1262 __func__, p_cb->peer_io_caps, p_cb->local_io_capability);
1263 SMP_TRACE_DEBUG("%s p_cb->peer_oob_flag = %d p_cb->loc_oob_flag = %d",
1264 __func__, p_cb->peer_oob_flag, p_cb->loc_oob_flag);
1265 SMP_TRACE_DEBUG("%s p_cb->peer_auth_req = 0x%02x p_cb->loc_auth_req = 0x%02x",
1266 __func__, p_cb->peer_auth_req, p_cb->loc_auth_req);
1267 SMP_TRACE_DEBUG(
1268 "%s p_cb->secure_connections_only_mode_required = %s", __func__,
1269 p_cb->secure_connections_only_mode_required ? "true" : "false");
1270
1271 if ((p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT) &&
1272 (p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT)) {
1273 p_cb->le_secure_connections_mode_is_used = true;
1274 }
1275
1276 if ((p_cb->peer_auth_req & SMP_H7_SUPPORT_BIT) &&
1277 (p_cb->loc_auth_req & SMP_H7_SUPPORT_BIT)) {
1278 p_cb->key_derivation_h7_used = TRUE;
1279 }
1280
1281 SMP_TRACE_DEBUG("use_sc_process = %d, h7 use = %d",
1282 p_cb->le_secure_connections_mode_is_used,
1283 p_cb->key_derivation_h7_used);
1284
1285 if (p_cb->le_secure_connections_mode_is_used) {
1286 model = smp_select_association_model_secure_connections(p_cb);
1287 } else {
1288 model = smp_select_legacy_association_model(p_cb);
1289 }
1290 return model;
1291 }
1292
1293 /*******************************************************************************
1294 * Function smp_select_legacy_association_model
1295 *
1296 * Description This function is called to select association mode if at
1297 * least one side doesn't support secure connections.
1298 *
1299 ******************************************************************************/
smp_select_legacy_association_model(tSMP_CB * p_cb)1300 tSMP_ASSO_MODEL smp_select_legacy_association_model(tSMP_CB* p_cb) {
1301 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE;
1302
1303 SMP_TRACE_DEBUG("%s", __func__);
1304 /* if OOB data is present on both devices, then use OOB association model */
1305 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT &&
1306 p_cb->loc_oob_flag == SMP_OOB_PRESENT)
1307 return SMP_MODEL_OOB;
1308
1309 /* else if neither device requires MITM, then use Just Works association model
1310 */
1311 if (SMP_NO_MITM_REQUIRED(p_cb->peer_auth_req) &&
1312 SMP_NO_MITM_REQUIRED(p_cb->loc_auth_req))
1313 return SMP_MODEL_ENCRYPTION_ONLY;
1314
1315 /* otherwise use IO capability to select association model */
1316 if (p_cb->peer_io_caps < SMP_IO_CAP_MAX &&
1317 p_cb->local_io_capability < SMP_IO_CAP_MAX) {
1318 if (p_cb->role == HCI_ROLE_CENTRAL) {
1319 model = smp_association_table[p_cb->role][p_cb->peer_io_caps]
1320 [p_cb->local_io_capability];
1321 } else {
1322 model = smp_association_table[p_cb->role][p_cb->local_io_capability]
1323 [p_cb->peer_io_caps];
1324 }
1325 }
1326
1327 return model;
1328 }
1329
1330 /*******************************************************************************
1331 * Function smp_select_association_model_secure_connections
1332 *
1333 * Description This function is called to select association mode if both
1334 * sides support secure connections.
1335 *
1336 ******************************************************************************/
smp_select_association_model_secure_connections(tSMP_CB * p_cb)1337 tSMP_ASSO_MODEL smp_select_association_model_secure_connections(tSMP_CB* p_cb) {
1338 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE;
1339
1340 SMP_TRACE_DEBUG("%s", __func__);
1341 /* if OOB data is present on at least one device, then use OOB association
1342 * model */
1343 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT ||
1344 p_cb->loc_oob_flag == SMP_OOB_PRESENT)
1345 return SMP_MODEL_SEC_CONN_OOB;
1346
1347 /* else if neither device requires MITM, then use Just Works association model
1348 */
1349 if (SMP_NO_MITM_REQUIRED(p_cb->peer_auth_req) &&
1350 SMP_NO_MITM_REQUIRED(p_cb->loc_auth_req))
1351 return SMP_MODEL_SEC_CONN_JUSTWORKS;
1352
1353 /* otherwise use IO capability to select association model */
1354 if (p_cb->peer_io_caps < SMP_IO_CAP_MAX &&
1355 p_cb->local_io_capability < SMP_IO_CAP_MAX) {
1356 if (p_cb->role == HCI_ROLE_CENTRAL) {
1357 model = smp_association_table_sc[p_cb->role][p_cb->peer_io_caps]
1358 [p_cb->local_io_capability];
1359 } else {
1360 model = smp_association_table_sc[p_cb->role][p_cb->local_io_capability]
1361 [p_cb->peer_io_caps];
1362 }
1363 }
1364
1365 return model;
1366 }
1367
1368 /*******************************************************************************
1369 * Function smp_calculate_random_input
1370 *
1371 * Description This function returns random input value to be used in
1372 * commitment calculation for SC passkey entry association mode
1373 * (if bit["round"] in "random" array == 1 then returns 0x81
1374 * else returns 0x80).
1375 *
1376 * Returns ri value
1377 *
1378 ******************************************************************************/
smp_calculate_random_input(uint8_t * random,uint8_t round)1379 uint8_t smp_calculate_random_input(uint8_t* random, uint8_t round) {
1380 uint8_t i = round / 8;
1381 uint8_t j = round % 8;
1382 uint8_t ri;
1383
1384 SMP_TRACE_DEBUG("random: 0x%02x, round: %d, i: %d, j: %d", random[i], round,
1385 i, j);
1386 ri = ((random[i] >> j) & 1) | 0x80;
1387 SMP_TRACE_DEBUG("%s ri=0x%02x", __func__, ri);
1388 return ri;
1389 }
1390
1391 /*******************************************************************************
1392 * Function smp_collect_local_io_capabilities
1393 *
1394 * Description This function puts into IOcap array local device
1395 * IOCapability, OOB data, AuthReq.
1396 *
1397 * Returns void
1398 *
1399 ******************************************************************************/
smp_collect_local_io_capabilities(uint8_t * iocap,tSMP_CB * p_cb)1400 void smp_collect_local_io_capabilities(uint8_t* iocap, tSMP_CB* p_cb) {
1401 SMP_TRACE_DEBUG("%s", __func__);
1402
1403 iocap[0] = p_cb->local_io_capability;
1404 iocap[1] = p_cb->loc_oob_flag;
1405 iocap[2] = p_cb->loc_auth_req;
1406 }
1407
1408 /*******************************************************************************
1409 * Function smp_collect_peer_io_capabilities
1410 *
1411 * Description This function puts into IOcap array peer device
1412 * IOCapability, OOB data, AuthReq.
1413 *
1414 * Returns void
1415 *
1416 ******************************************************************************/
smp_collect_peer_io_capabilities(uint8_t * iocap,tSMP_CB * p_cb)1417 void smp_collect_peer_io_capabilities(uint8_t* iocap, tSMP_CB* p_cb) {
1418 SMP_TRACE_DEBUG("%s", __func__);
1419
1420 iocap[0] = p_cb->peer_io_caps;
1421 iocap[1] = p_cb->peer_oob_flag;
1422 iocap[2] = p_cb->peer_auth_req;
1423 }
1424
1425 /*******************************************************************************
1426 * Function smp_collect_local_ble_address
1427 *
1428 * Description Put the the local device LE address into the le_addr array:
1429 * le_addr[0-5] = local BD ADDR,
1430 * le_addr[6] = local le address type (PUBLIC/RANDOM).
1431 *
1432 * Returns void
1433 *
1434 ******************************************************************************/
smp_collect_local_ble_address(uint8_t * le_addr,tSMP_CB * p_cb)1435 void smp_collect_local_ble_address(uint8_t* le_addr, tSMP_CB* p_cb) {
1436 tBLE_ADDR_TYPE addr_type = BLE_ADDR_PUBLIC;
1437 RawAddress bda;
1438 uint8_t* p = le_addr;
1439
1440 SMP_TRACE_DEBUG("%s", __func__);
1441
1442 BTM_ReadConnectionAddr(p_cb->pairing_bda, bda, &addr_type);
1443 BDADDR_TO_STREAM(p, bda);
1444 UINT8_TO_STREAM(p, addr_type);
1445 }
1446
1447 /*******************************************************************************
1448 * Function smp_collect_peer_ble_address
1449 *
1450 * Description Put the peer device LE addr into the le_addr array:
1451 * le_addr[0-5] = peer BD ADDR,
1452 * le_addr[6] = peer le address type (PUBLIC/RANDOM).
1453 *
1454 * Returns void
1455 *
1456 ******************************************************************************/
smp_collect_peer_ble_address(uint8_t * le_addr,tSMP_CB * p_cb)1457 void smp_collect_peer_ble_address(uint8_t* le_addr, tSMP_CB* p_cb) {
1458 tBLE_ADDR_TYPE addr_type = BLE_ADDR_PUBLIC;
1459 RawAddress bda;
1460 uint8_t* p = le_addr;
1461
1462 SMP_TRACE_DEBUG("%s", __func__);
1463
1464 if (!BTM_ReadRemoteConnectionAddr(p_cb->pairing_bda, bda, &addr_type)) {
1465 SMP_TRACE_ERROR(
1466 "can not collect peer le addr information for unknown device");
1467 return;
1468 }
1469
1470 BDADDR_TO_STREAM(p, bda);
1471 UINT8_TO_STREAM(p, addr_type);
1472 }
1473
1474 /*******************************************************************************
1475 * Function smp_check_commitment
1476 *
1477 * Description This function compares peer commitment values:
1478 * - expected (i.e. calculated locally),
1479 * - received from the peer.
1480 *
1481 * Returns true if the values are the same
1482 * false otherwise
1483 *
1484 ******************************************************************************/
smp_check_commitment(tSMP_CB * p_cb)1485 bool smp_check_commitment(tSMP_CB* p_cb) {
1486
1487 SMP_TRACE_DEBUG("%s", __func__);
1488
1489 Octet16 expected = smp_calculate_peer_commitment(p_cb);
1490 print128(expected, (const uint8_t*)"calculated peer commitment");
1491 print128(p_cb->remote_commitment, (const uint8_t*)"received peer commitment");
1492
1493 if (memcmp(p_cb->remote_commitment.data(), expected.data(), OCTET16_LEN)) {
1494 SMP_TRACE_WARNING("%s: Commitment check fails", __func__);
1495 return false;
1496 }
1497
1498 SMP_TRACE_DEBUG("%s: Commitment check succeeds", __func__);
1499 return true;
1500 }
1501
1502 /*******************************************************************************
1503 *
1504 * Function smp_save_secure_connections_long_term_key
1505 *
1506 * Description The function saves SC LTK as BLE key for future use as local
1507 * and/or peer key.
1508 *
1509 * Returns void
1510 *
1511 ******************************************************************************/
smp_save_secure_connections_long_term_key(tSMP_CB * p_cb)1512 void smp_save_secure_connections_long_term_key(tSMP_CB* p_cb) {
1513
1514 SMP_TRACE_DEBUG("%s-Save LTK as local LTK key", __func__);
1515 tBTM_LE_KEY_VALUE lle_key = {
1516 .lenc_key =
1517 {
1518 .ltk = p_cb->ltk,
1519 .div = 0,
1520 .key_size = p_cb->loc_enc_size,
1521 .sec_level = p_cb->sec_level,
1522 },
1523 };
1524 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC, &lle_key, true);
1525
1526 SMP_TRACE_DEBUG("%s-Save LTK as peer LTK key", __func__);
1527 tBTM_LE_KEY_VALUE ple_key = {
1528 .penc_key =
1529 {
1530 .ltk = p_cb->ltk,
1531 .sec_level = p_cb->sec_level,
1532 .key_size = p_cb->loc_enc_size,
1533 .ediv = 0,
1534 },
1535 };
1536 memset(ple_key.penc_key.rand, 0, BT_OCTET8_LEN);
1537 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC, &ple_key, true);
1538 }
1539
1540 /** The function calculates MacKey and LTK and saves them in CB. To calculate
1541 * MacKey and LTK it calls smp_calc_f5(...). MacKey is used in dhkey
1542 * calculation, LTK is used to encrypt the link. */
smp_calculate_f5_mackey_and_long_term_key(tSMP_CB * p_cb)1543 void smp_calculate_f5_mackey_and_long_term_key(tSMP_CB* p_cb) {
1544 uint8_t a[7];
1545 uint8_t b[7];
1546 Octet16 na;
1547 Octet16 nb;
1548
1549 SMP_TRACE_DEBUG("%s", __func__);
1550
1551 if (p_cb->role == HCI_ROLE_CENTRAL) {
1552 smp_collect_local_ble_address(a, p_cb);
1553 smp_collect_peer_ble_address(b, p_cb);
1554 na = p_cb->rand;
1555 nb = p_cb->rrand;
1556 } else {
1557 smp_collect_local_ble_address(b, p_cb);
1558 smp_collect_peer_ble_address(a, p_cb);
1559 na = p_cb->rrand;
1560 nb = p_cb->rand;
1561 }
1562
1563 crypto_toolbox::f5(p_cb->dhkey, na, nb, a, b, &p_cb->mac_key, &p_cb->ltk);
1564
1565 SMP_TRACE_EVENT("%s is completed", __func__);
1566 }
1567
1568 /*******************************************************************************
1569 *
1570 * Function smp_request_oob_data
1571 *
1572 * Description Requests application to provide OOB data.
1573 *
1574 * Returns true - OOB data has to be provided by application
1575 * false - otherwise (unexpected)
1576 *
1577 ******************************************************************************/
smp_request_oob_data(tSMP_CB * p_cb)1578 bool smp_request_oob_data(tSMP_CB* p_cb) {
1579 tSMP_OOB_DATA_TYPE req_oob_type = SMP_OOB_INVALID_TYPE;
1580
1581 SMP_TRACE_DEBUG("%s", __func__);
1582
1583 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT &&
1584 p_cb->loc_oob_flag == SMP_OOB_PRESENT) {
1585 /* both local and peer rcvd data OOB */
1586 req_oob_type = SMP_OOB_BOTH;
1587 } else if (p_cb->peer_oob_flag == SMP_OOB_PRESENT) {
1588 /* peer rcvd OOB local data, local didn't receive OOB peer data */
1589 req_oob_type = SMP_OOB_LOCAL;
1590 } else if (p_cb->loc_oob_flag == SMP_OOB_PRESENT) {
1591 req_oob_type = SMP_OOB_PEER;
1592 }
1593
1594 SMP_TRACE_DEBUG("req_oob_type = %d", req_oob_type);
1595
1596 if (req_oob_type == SMP_OOB_INVALID_TYPE) return false;
1597
1598 p_cb->req_oob_type = req_oob_type;
1599 p_cb->cb_evt = SMP_SC_OOB_REQ_EVT;
1600 tSMP_INT_DATA smp_int_data;
1601 smp_int_data.req_oob_type = req_oob_type;
1602 smp_sm_event(p_cb, SMP_TK_REQ_EVT, &smp_int_data);
1603
1604 return true;
1605 }
1606
print128(const Octet16 & x,const uint8_t * key_name)1607 void print128(const Octet16& x, const uint8_t* key_name) {
1608 if (VLOG_IS_ON(2) && DLOG_IS_ON(INFO)) {
1609 uint8_t* p = (uint8_t*)x.data();
1610
1611 DVLOG(2) << key_name << " (MSB ~ LSB) = ";
1612 for (int i = 0; i < 4; i++) {
1613 DVLOG(2) << +p[OCTET16_LEN - i * 4 - 1] << +p[OCTET16_LEN - i * 4 - 2]
1614 << +p[OCTET16_LEN - i * 4 - 3] << +p[OCTET16_LEN - i * 4 - 4];
1615 }
1616 }
1617 }
1618