1 /******************************************************************************
2 *
3 * Copyright 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 *****************************************************************************/
18
19 /******************************************************************************
20 *
21 * This file contains functions for the SMP L2CAP utility functions
22 *
23 ******************************************************************************/
24 #include <base/logging.h>
25 #include <ctype.h>
26 #include <string.h>
27
28 #include "bt_target.h"
29 #include "btm_ble_api.h"
30 #include "device/include/controller.h"
31 #include "l2c_api.h"
32 #include "osi/include/log.h"
33 #include "osi/include/osi.h"
34 #include "smp_int.h"
35 #include "stack/btm/btm_ble_int.h"
36 #include "stack/include/acl_api.h"
37 #include "stack/include/bt_hdr.h"
38 #include "stack/include/bt_octets.h"
39 #include "stack/include/btm_log_history.h"
40 #include "stack/include/stack_metrics_logging.h"
41 #include "types/raw_address.h"
42
43 void btm_dev_consolidate_existing_connections(const RawAddress& bd_addr);
44
45 #define SMP_PAIRING_REQ_SIZE 7
46 #define SMP_CONFIRM_CMD_SIZE (OCTET16_LEN + 1)
47 #define SMP_RAND_CMD_SIZE (OCTET16_LEN + 1)
48 #define SMP_INIT_CMD_SIZE (OCTET16_LEN + 1)
49 #define SMP_ENC_INFO_SIZE (OCTET16_LEN + 1)
50 #define SMP_CENTRAL_ID_SIZE (BT_OCTET8_LEN + 2 + 1)
51 #define SMP_ID_INFO_SIZE (OCTET16_LEN + 1)
52 #define SMP_ID_ADDR_SIZE (BD_ADDR_LEN + 1 + 1)
53 #define SMP_SIGN_INFO_SIZE (OCTET16_LEN + 1)
54 #define SMP_PAIR_FAIL_SIZE 2
55 #define SMP_SECURITY_REQUEST_SIZE 2
56 #define SMP_PAIR_PUBL_KEY_SIZE (1 /* opcode */ + (2 * BT_OCTET32_LEN))
57 #define SMP_PAIR_COMMITM_SIZE (1 /* opcode */ + OCTET16_LEN /*Commitment*/)
58 #define SMP_PAIR_DHKEY_CHECK_SIZE \
59 (1 /* opcode */ + OCTET16_LEN /*DHKey \
60 Check*/)
61 #define SMP_PAIR_KEYPR_NOTIF_SIZE (1 /* opcode */ + 1 /*Notif Type*/)
62
63 namespace {
64 constexpr char kBtmLogTag[] = "SMP";
65 }
66
67 /* SMP command sizes per spec */
68 static const uint8_t smp_cmd_size_per_spec[] = {
69 0,
70 SMP_PAIRING_REQ_SIZE, /* 0x01: pairing request */
71 SMP_PAIRING_REQ_SIZE, /* 0x02: pairing response */
72 SMP_CONFIRM_CMD_SIZE, /* 0x03: pairing confirm */
73 SMP_RAND_CMD_SIZE, /* 0x04: pairing random */
74 SMP_PAIR_FAIL_SIZE, /* 0x05: pairing failed */
75 SMP_ENC_INFO_SIZE, /* 0x06: encryption information */
76 SMP_CENTRAL_ID_SIZE, /* 0x07: central identification */
77 SMP_ID_INFO_SIZE, /* 0x08: identity information */
78 SMP_ID_ADDR_SIZE, /* 0x09: identity address information */
79 SMP_SIGN_INFO_SIZE, /* 0x0A: signing information */
80 SMP_SECURITY_REQUEST_SIZE, /* 0x0B: security request */
81 SMP_PAIR_PUBL_KEY_SIZE, /* 0x0C: pairing public key */
82 SMP_PAIR_DHKEY_CHECK_SIZE, /* 0x0D: pairing dhkey check */
83 SMP_PAIR_KEYPR_NOTIF_SIZE, /* 0x0E: pairing keypress notification */
84 SMP_PAIR_COMMITM_SIZE /* 0x0F: pairing commitment */
85 };
86
87 static bool smp_parameter_unconditionally_valid(tSMP_CB* p_cb);
88 static bool smp_parameter_unconditionally_invalid(tSMP_CB* p_cb);
89
90 /* type for SMP command length validation functions */
91 typedef bool (*tSMP_CMD_LEN_VALID)(tSMP_CB* p_cb);
92
93 static bool smp_command_has_valid_fixed_length(tSMP_CB* p_cb);
94
95 static const tSMP_CMD_LEN_VALID smp_cmd_len_is_valid[] = {
96 smp_parameter_unconditionally_invalid,
97 smp_command_has_valid_fixed_length, /* 0x01: pairing request */
98 smp_command_has_valid_fixed_length, /* 0x02: pairing response */
99 smp_command_has_valid_fixed_length, /* 0x03: pairing confirm */
100 smp_command_has_valid_fixed_length, /* 0x04: pairing random */
101 smp_command_has_valid_fixed_length, /* 0x05: pairing failed */
102 smp_command_has_valid_fixed_length, /* 0x06: encryption information */
103 smp_command_has_valid_fixed_length, /* 0x07: central identification */
104 smp_command_has_valid_fixed_length, /* 0x08: identity information */
105 smp_command_has_valid_fixed_length, /* 0x09: identity address information */
106 smp_command_has_valid_fixed_length, /* 0x0A: signing information */
107 smp_command_has_valid_fixed_length, /* 0x0B: security request */
108 smp_command_has_valid_fixed_length, /* 0x0C: pairing public key */
109 smp_command_has_valid_fixed_length, /* 0x0D: pairing dhkey check */
110 smp_command_has_valid_fixed_length, /* 0x0E: pairing keypress notification*/
111 smp_command_has_valid_fixed_length /* 0x0F: pairing commitment */
112 };
113
114 /* type for SMP command parameter ranges validation functions */
115 typedef bool (*tSMP_CMD_PARAM_RANGES_VALID)(tSMP_CB* p_cb);
116
117 static bool smp_pairing_request_response_parameters_are_valid(tSMP_CB* p_cb);
118 static bool smp_pairing_keypress_notification_is_valid(tSMP_CB* p_cb);
119
120 static const tSMP_CMD_PARAM_RANGES_VALID smp_cmd_param_ranges_are_valid[] = {
121 smp_parameter_unconditionally_invalid,
122 smp_pairing_request_response_parameters_are_valid, /* 0x01: pairing
123 request */
124 smp_pairing_request_response_parameters_are_valid, /* 0x02: pairing
125 response */
126 smp_parameter_unconditionally_valid, /* 0x03: pairing confirm */
127 smp_parameter_unconditionally_valid, /* 0x04: pairing random */
128 smp_parameter_unconditionally_valid, /* 0x05: pairing failed */
129 smp_parameter_unconditionally_valid, /* 0x06: encryption information */
130 smp_parameter_unconditionally_valid, /* 0x07: central identification */
131 smp_parameter_unconditionally_valid, /* 0x08: identity information */
132 smp_parameter_unconditionally_valid, /* 0x09: identity address
133 information */
134 smp_parameter_unconditionally_valid, /* 0x0A: signing information */
135 smp_parameter_unconditionally_valid, /* 0x0B: security request */
136 smp_parameter_unconditionally_valid, /* 0x0C: pairing public key */
137 smp_parameter_unconditionally_valid, /* 0x0D: pairing dhkey check */
138 smp_pairing_keypress_notification_is_valid, /* 0x0E: pairing keypress
139 notification */
140 smp_parameter_unconditionally_valid /* 0x0F: pairing commitment */
141 };
142
143 /* type for action functions */
144 typedef BT_HDR* (*tSMP_CMD_ACT)(uint8_t cmd_code, tSMP_CB* p_cb);
145
146 static BT_HDR* smp_build_pairing_cmd(uint8_t cmd_code, tSMP_CB* p_cb);
147 static BT_HDR* smp_build_confirm_cmd(UNUSED_ATTR uint8_t cmd_code,
148 tSMP_CB* p_cb);
149 static BT_HDR* smp_build_rand_cmd(UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb);
150 static BT_HDR* smp_build_pairing_fail(UNUSED_ATTR uint8_t cmd_code,
151 tSMP_CB* p_cb);
152 static BT_HDR* smp_build_identity_info_cmd(UNUSED_ATTR uint8_t cmd_code,
153 tSMP_CB* p_cb);
154 static BT_HDR* smp_build_encrypt_info_cmd(UNUSED_ATTR uint8_t cmd_code,
155 tSMP_CB* p_cb);
156 static BT_HDR* smp_build_security_request(UNUSED_ATTR uint8_t cmd_code,
157 tSMP_CB* p_cb);
158 static BT_HDR* smp_build_signing_info_cmd(UNUSED_ATTR uint8_t cmd_code,
159 tSMP_CB* p_cb);
160 static BT_HDR* smp_build_central_id_cmd(UNUSED_ATTR uint8_t cmd_code,
161 tSMP_CB* p_cb);
162 static BT_HDR* smp_build_id_addr_cmd(UNUSED_ATTR uint8_t cmd_code,
163 tSMP_CB* p_cb);
164 static BT_HDR* smp_build_pair_public_key_cmd(UNUSED_ATTR uint8_t cmd_code,
165 tSMP_CB* p_cb);
166 static BT_HDR* smp_build_pairing_commitment_cmd(UNUSED_ATTR uint8_t cmd_code,
167 tSMP_CB* p_cb);
168 static BT_HDR* smp_build_pair_dhkey_check_cmd(UNUSED_ATTR uint8_t cmd_code,
169 tSMP_CB* p_cb);
170 static BT_HDR* smp_build_pairing_keypress_notification_cmd(
171 UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb);
172
173 static const tSMP_CMD_ACT smp_cmd_build_act[] = {
174 NULL,
175 smp_build_pairing_cmd, /* 0x01: pairing request */
176 smp_build_pairing_cmd, /* 0x02: pairing response */
177 smp_build_confirm_cmd, /* 0x03: pairing confirm */
178 smp_build_rand_cmd, /* 0x04: pairing random */
179 smp_build_pairing_fail, /* 0x05: pairing failure */
180 smp_build_encrypt_info_cmd, /* 0x06: encryption information */
181 smp_build_central_id_cmd, /* 0x07: central identification */
182 smp_build_identity_info_cmd, /* 0x08: identity information */
183 smp_build_id_addr_cmd, /* 0x09: identity address information */
184 smp_build_signing_info_cmd, /* 0x0A: signing information */
185 smp_build_security_request, /* 0x0B: security request */
186 smp_build_pair_public_key_cmd, /* 0x0C: pairing public key */
187 smp_build_pair_dhkey_check_cmd, /* 0x0D: pairing DHKey check */
188 smp_build_pairing_keypress_notification_cmd, /* 0x0E: pairing keypress
189 notification */
190 smp_build_pairing_commitment_cmd /* 0x0F: pairing commitment */
191 };
192
193 static const tSMP_ASSO_MODEL
194 smp_association_table[2][SMP_IO_CAP_MAX][SMP_IO_CAP_MAX] = {
195 /* display only */ /* Display Yes/No */ /* keyboard only */
196 /* No Input/Output */ /* keyboard display */
197
198 /* initiator */
199 /* model = tbl[peer_io_caps][loc_io_caps] */
200 /* Display Only */
201 {{SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
202 SMP_MODEL_PASSKEY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY},
203
204 /* Display Yes/No */
205 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
206 SMP_MODEL_PASSKEY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY},
207
208 /* Keyboard only */
209 {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY,
210 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF},
211
212 /* No Input No Output */
213 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
214 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
215 SMP_MODEL_ENCRYPTION_ONLY},
216
217 /* keyboard display */
218 {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY,
219 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF}},
220
221 /* responder */
222 /* model = tbl[loc_io_caps][peer_io_caps] */
223 /* Display Only */
224 {{SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
225 SMP_MODEL_KEY_NOTIF, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF},
226
227 /* Display Yes/No */
228 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
229 SMP_MODEL_KEY_NOTIF, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF},
230
231 /* keyboard only */
232 {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY,
233 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY},
234
235 /* No Input No Output */
236 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
237 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
238 SMP_MODEL_ENCRYPTION_ONLY},
239
240 /* keyboard display */
241 {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_KEY_NOTIF,
242 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY}}};
243
244 static const tSMP_ASSO_MODEL
245 smp_association_table_sc[2][SMP_IO_CAP_MAX][SMP_IO_CAP_MAX] = {
246 /* display only */ /* Display Yes/No */ /* keyboard only */
247 /* No InputOutput */ /* keyboard display */
248
249 /* initiator */
250 /* model = tbl[peer_io_caps][loc_io_caps] */
251
252 /* Display Only */
253 {{SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
254 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
255 SMP_MODEL_SEC_CONN_PASSKEY_ENT},
256
257 /* Display Yes/No */
258 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP,
259 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
260 SMP_MODEL_SEC_CONN_NUM_COMP},
261
262 /* keyboard only */
263 {SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_PASSKEY_DISP,
264 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
265 SMP_MODEL_SEC_CONN_PASSKEY_DISP},
266
267 /* No Input No Output */
268 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
269 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
270 SMP_MODEL_SEC_CONN_JUSTWORKS},
271
272 /* keyboard display */
273 {SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_NUM_COMP,
274 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
275 SMP_MODEL_SEC_CONN_NUM_COMP}},
276
277 /* responder */
278 /* model = tbl[loc_io_caps][peer_io_caps] */
279
280 /* Display Only */
281 {{SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
282 SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS,
283 SMP_MODEL_SEC_CONN_PASSKEY_DISP},
284
285 /* Display Yes/No */
286 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP,
287 SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS,
288 SMP_MODEL_SEC_CONN_NUM_COMP},
289
290 /* keyboard only */
291 {SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_PASSKEY_ENT,
292 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
293 SMP_MODEL_SEC_CONN_PASSKEY_ENT},
294
295 /* No Input No Output */
296 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
297 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
298 SMP_MODEL_SEC_CONN_JUSTWORKS},
299
300 /* keyboard display */
301 {SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_NUM_COMP,
302 SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS,
303 SMP_MODEL_SEC_CONN_NUM_COMP}}};
304
305 static tSMP_ASSO_MODEL smp_select_legacy_association_model(tSMP_CB* p_cb);
306 static tSMP_ASSO_MODEL smp_select_association_model_secure_connections(
307 tSMP_CB* p_cb);
308
309 /**
310 * Log metrics data for SMP command
311 *
312 * @param bd_addr current pairing address
313 * @param is_outgoing whether this command is outgoing
314 * @param p_buf buffer to the beginning of SMP command
315 * @param buf_len length available to read for p_buf
316 */
smp_log_metrics(const RawAddress & bd_addr,bool is_outgoing,const uint8_t * p_buf,size_t buf_len,bool is_over_br)317 void smp_log_metrics(const RawAddress& bd_addr, bool is_outgoing,
318 const uint8_t* p_buf, size_t buf_len, bool is_over_br) {
319 if (buf_len < 1) {
320 LOG(WARNING) << __func__ << ": buffer is too small, size is " << buf_len;
321 return;
322 }
323 uint8_t raw_cmd;
324 STREAM_TO_UINT8(raw_cmd, p_buf);
325 buf_len--;
326 uint8_t failure_reason = 0;
327 if (raw_cmd == SMP_OPCODE_PAIRING_FAILED && buf_len >= 1) {
328 STREAM_TO_UINT8(failure_reason, p_buf);
329 }
330 uint16_t metric_cmd =
331 is_over_br ? SMP_METRIC_COMMAND_BR_FLAG : SMP_METRIC_COMMAND_LE_FLAG;
332 metric_cmd |= static_cast<uint16_t>(raw_cmd);
333 android::bluetooth::DirectionEnum direction =
334 is_outgoing ? android::bluetooth::DirectionEnum::DIRECTION_OUTGOING
335 : android::bluetooth::DirectionEnum::DIRECTION_INCOMING;
336 log_smp_pairing_event(bd_addr, metric_cmd, direction,
337 static_cast<uint16_t>(failure_reason));
338 }
339
340 /*******************************************************************************
341 *
342 * Function smp_send_msg_to_L2CAP
343 *
344 * Description Send message to L2CAP.
345 *
346 ******************************************************************************/
smp_send_msg_to_L2CAP(const RawAddress & rem_bda,BT_HDR * p_toL2CAP)347 bool smp_send_msg_to_L2CAP(const RawAddress& rem_bda, BT_HDR* p_toL2CAP) {
348 uint16_t l2cap_ret;
349 uint16_t fixed_cid = L2CAP_SMP_CID;
350
351 if (smp_cb.smp_over_br) {
352 fixed_cid = L2CAP_SMP_BR_CID;
353 }
354
355 SMP_TRACE_EVENT("%s", __func__);
356
357 smp_log_metrics(rem_bda, true /* outgoing */,
358 p_toL2CAP->data + p_toL2CAP->offset, p_toL2CAP->len,
359 smp_cb.smp_over_br /* is_over_br */);
360
361 l2cap_ret = L2CA_SendFixedChnlData(fixed_cid, rem_bda, p_toL2CAP);
362 if (l2cap_ret == L2CAP_DW_FAILED) {
363 SMP_TRACE_ERROR("SMP failed to pass msg to L2CAP");
364 return false;
365 } else {
366 tSMP_CB* p_cb = &smp_cb;
367
368 if (p_cb->wait_for_authorization_complete) {
369 tSMP_INT_DATA smp_int_data;
370 smp_int_data.status = SMP_SUCCESS;
371 if (fixed_cid == L2CAP_SMP_CID) {
372 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
373 } else {
374 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
375 }
376 }
377 return true;
378 }
379 }
380
381 /*******************************************************************************
382 *
383 * Function smp_send_cmd
384 *
385 * Description send a SMP command on L2CAP channel.
386 *
387 ******************************************************************************/
smp_send_cmd(uint8_t cmd_code,tSMP_CB * p_cb)388 bool smp_send_cmd(uint8_t cmd_code, tSMP_CB* p_cb) {
389 BT_HDR* p_buf;
390 bool sent = false;
391
392 LOG_DEBUG("Sending SMP command:%s[0x%x] pairing_bda=%s",
393 smp_opcode_text(static_cast<tSMP_OPCODE>(cmd_code)).c_str(),
394 cmd_code, ADDRESS_TO_LOGGABLE_CSTR(p_cb->pairing_bda));
395
396 if (cmd_code <= (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */) &&
397 smp_cmd_build_act[cmd_code] != NULL) {
398 p_buf = (*smp_cmd_build_act[cmd_code])(cmd_code, p_cb);
399
400 if (p_buf != NULL && smp_send_msg_to_L2CAP(p_cb->pairing_bda, p_buf)) {
401 sent = true;
402 alarm_set_on_mloop(p_cb->smp_rsp_timer_ent, SMP_WAIT_FOR_RSP_TIMEOUT_MS,
403 smp_rsp_timeout, NULL);
404 }
405 }
406
407 if (!sent) {
408 tSMP_INT_DATA smp_int_data;
409 smp_int_data.status = SMP_PAIR_INTERNAL_ERR;
410 if (p_cb->smp_over_br) {
411 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
412 } else {
413 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
414 }
415 }
416 return sent;
417 }
418
419 /*******************************************************************************
420 *
421 * Function smp_rsp_timeout
422 *
423 * Description Called when SMP wait for SMP command response timer expires
424 *
425 * Returns void
426 *
427 ******************************************************************************/
smp_rsp_timeout(UNUSED_ATTR void * data)428 void smp_rsp_timeout(UNUSED_ATTR void* data) {
429 tSMP_CB* p_cb = &smp_cb;
430
431 SMP_TRACE_EVENT("%s state:%d br_state:%d", __func__, p_cb->state,
432 p_cb->br_state);
433
434 tSMP_INT_DATA smp_int_data;
435 smp_int_data.status = SMP_RSP_TIMEOUT;
436 if (p_cb->smp_over_br) {
437 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
438 } else {
439 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
440 }
441 }
442
443 /*******************************************************************************
444 *
445 * Function smp_delayed_auth_complete_timeout
446 *
447 * Description Called when no pairing failed command received within
448 * timeout period.
449 *
450 * Returns void
451 *
452 ******************************************************************************/
smp_delayed_auth_complete_timeout(UNUSED_ATTR void * data)453 void smp_delayed_auth_complete_timeout(UNUSED_ATTR void* data) {
454 /*
455 * Waited for potential pair failure. Send SMP_AUTH_CMPL_EVT if
456 * the state is still in bond pending.
457 */
458 if (smp_get_state() == SMP_STATE_BOND_PENDING) {
459 SMP_TRACE_EVENT("%s sending delayed auth complete.", __func__);
460 tSMP_INT_DATA smp_int_data;
461 smp_int_data.status = SMP_SUCCESS;
462 smp_sm_event(&smp_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
463 }
464 }
465
466 /*******************************************************************************
467 *
468 * Function smp_build_pairing_req_cmd
469 *
470 * Description Build pairing request command.
471 *
472 ******************************************************************************/
smp_build_pairing_cmd(uint8_t cmd_code,tSMP_CB * p_cb)473 BT_HDR* smp_build_pairing_cmd(uint8_t cmd_code, tSMP_CB* p_cb) {
474 uint8_t* p;
475 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIRING_REQ_SIZE +
476 L2CAP_MIN_OFFSET);
477
478 SMP_TRACE_EVENT("%s", __func__);
479
480 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
481 UINT8_TO_STREAM(p, cmd_code);
482 UINT8_TO_STREAM(p, p_cb->local_io_capability);
483 UINT8_TO_STREAM(p, p_cb->loc_oob_flag);
484 UINT8_TO_STREAM(p, p_cb->loc_auth_req);
485 UINT8_TO_STREAM(p, p_cb->loc_enc_size);
486 UINT8_TO_STREAM(p, p_cb->local_i_key);
487 UINT8_TO_STREAM(p, p_cb->local_r_key);
488
489 p_buf->offset = L2CAP_MIN_OFFSET;
490 /* 1B ERR_RSP op code + 1B cmd_op_code + 2B handle + 1B status */
491 p_buf->len = SMP_PAIRING_REQ_SIZE;
492
493 return p_buf;
494 }
495
496 /*******************************************************************************
497 *
498 * Function smp_build_confirm_cmd
499 *
500 * Description Build confirm request command.
501 *
502 ******************************************************************************/
smp_build_confirm_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)503 static BT_HDR* smp_build_confirm_cmd(UNUSED_ATTR uint8_t cmd_code,
504 tSMP_CB* p_cb) {
505 uint8_t* p;
506 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_CONFIRM_CMD_SIZE +
507 L2CAP_MIN_OFFSET);
508
509 SMP_TRACE_EVENT("%s", __func__);
510
511 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
512
513 UINT8_TO_STREAM(p, SMP_OPCODE_CONFIRM);
514 ARRAY_TO_STREAM(p, p_cb->confirm, OCTET16_LEN);
515
516 p_buf->offset = L2CAP_MIN_OFFSET;
517 p_buf->len = SMP_CONFIRM_CMD_SIZE;
518
519 return p_buf;
520 }
521
522 /*******************************************************************************
523 *
524 * Function smp_build_rand_cmd
525 *
526 * Description Build Random command.
527 *
528 ******************************************************************************/
smp_build_rand_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)529 static BT_HDR* smp_build_rand_cmd(UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb) {
530 uint8_t* p;
531 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_RAND_CMD_SIZE +
532 L2CAP_MIN_OFFSET);
533
534 SMP_TRACE_EVENT("%s", __func__);
535
536 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
537 UINT8_TO_STREAM(p, SMP_OPCODE_RAND);
538 ARRAY_TO_STREAM(p, p_cb->rand, OCTET16_LEN);
539
540 p_buf->offset = L2CAP_MIN_OFFSET;
541 p_buf->len = SMP_RAND_CMD_SIZE;
542
543 return p_buf;
544 }
545
546 /*******************************************************************************
547 *
548 * Function smp_build_encrypt_info_cmd
549 *
550 * Description Build security information command.
551 *
552 ******************************************************************************/
smp_build_encrypt_info_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)553 static BT_HDR* smp_build_encrypt_info_cmd(UNUSED_ATTR uint8_t cmd_code,
554 tSMP_CB* p_cb) {
555 uint8_t* p;
556 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ENC_INFO_SIZE +
557 L2CAP_MIN_OFFSET);
558
559 SMP_TRACE_EVENT("%s", __func__);
560
561 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
562 UINT8_TO_STREAM(p, SMP_OPCODE_ENCRYPT_INFO);
563 ARRAY_TO_STREAM(p, p_cb->ltk, OCTET16_LEN);
564
565 p_buf->offset = L2CAP_MIN_OFFSET;
566 p_buf->len = SMP_ENC_INFO_SIZE;
567
568 return p_buf;
569 }
570
571 /*******************************************************************************
572 *
573 * Function smp_build_central_id_cmd
574 *
575 * Description Build security information command.
576 *
577 ******************************************************************************/
smp_build_central_id_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)578 static BT_HDR* smp_build_central_id_cmd(UNUSED_ATTR uint8_t cmd_code,
579 tSMP_CB* p_cb) {
580 uint8_t* p;
581 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_CENTRAL_ID_SIZE +
582 L2CAP_MIN_OFFSET);
583
584 SMP_TRACE_EVENT("%s", __func__);
585
586 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
587 UINT8_TO_STREAM(p, SMP_OPCODE_CENTRAL_ID);
588 UINT16_TO_STREAM(p, p_cb->ediv);
589 ARRAY_TO_STREAM(p, p_cb->enc_rand, BT_OCTET8_LEN);
590
591 p_buf->offset = L2CAP_MIN_OFFSET;
592 p_buf->len = SMP_CENTRAL_ID_SIZE;
593
594 return p_buf;
595 }
596
597 /*******************************************************************************
598 *
599 * Function smp_build_identity_info_cmd
600 *
601 * Description Build identity information command.
602 *
603 ******************************************************************************/
smp_build_identity_info_cmd(UNUSED_ATTR uint8_t cmd_code,UNUSED_ATTR tSMP_CB * p_cb)604 static BT_HDR* smp_build_identity_info_cmd(UNUSED_ATTR uint8_t cmd_code,
605 UNUSED_ATTR tSMP_CB* p_cb) {
606 uint8_t* p;
607 BT_HDR* p_buf =
608 (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ID_INFO_SIZE + L2CAP_MIN_OFFSET);
609
610 SMP_TRACE_EVENT("%s", __func__);
611
612 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
613
614 const Octet16& irk = BTM_GetDeviceIDRoot();
615
616 UINT8_TO_STREAM(p, SMP_OPCODE_IDENTITY_INFO);
617 ARRAY_TO_STREAM(p, irk.data(), OCTET16_LEN);
618
619 p_buf->offset = L2CAP_MIN_OFFSET;
620 p_buf->len = SMP_ID_INFO_SIZE;
621
622 return p_buf;
623 }
624
625 /*******************************************************************************
626 *
627 * Function smp_build_id_addr_cmd
628 *
629 * Description Build identity address information command.
630 *
631 ******************************************************************************/
smp_build_id_addr_cmd(UNUSED_ATTR uint8_t cmd_code,UNUSED_ATTR tSMP_CB * p_cb)632 static BT_HDR* smp_build_id_addr_cmd(UNUSED_ATTR uint8_t cmd_code,
633 UNUSED_ATTR tSMP_CB* p_cb) {
634 uint8_t* p;
635 BT_HDR* p_buf =
636 (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ID_ADDR_SIZE + L2CAP_MIN_OFFSET);
637
638 SMP_TRACE_EVENT("%s", __func__);
639
640 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
641 UINT8_TO_STREAM(p, SMP_OPCODE_ID_ADDR);
642 UINT8_TO_STREAM(p, 0);
643 BDADDR_TO_STREAM(p, *controller_get_interface()->get_address());
644
645 p_buf->offset = L2CAP_MIN_OFFSET;
646 p_buf->len = SMP_ID_ADDR_SIZE;
647
648 return p_buf;
649 }
650
651 /*******************************************************************************
652 *
653 * Function smp_build_signing_info_cmd
654 *
655 * Description Build signing information command.
656 *
657 ******************************************************************************/
smp_build_signing_info_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)658 static BT_HDR* smp_build_signing_info_cmd(UNUSED_ATTR uint8_t cmd_code,
659 tSMP_CB* p_cb) {
660 uint8_t* p;
661 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_SIGN_INFO_SIZE +
662 L2CAP_MIN_OFFSET);
663
664 SMP_TRACE_EVENT("%s", __func__);
665
666 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
667 UINT8_TO_STREAM(p, SMP_OPCODE_SIGN_INFO);
668 ARRAY_TO_STREAM(p, p_cb->csrk, OCTET16_LEN);
669
670 p_buf->offset = L2CAP_MIN_OFFSET;
671 p_buf->len = SMP_SIGN_INFO_SIZE;
672
673 return p_buf;
674 }
675
676 /*******************************************************************************
677 *
678 * Function smp_build_pairing_fail
679 *
680 * Description Build Pairing Fail command.
681 *
682 ******************************************************************************/
smp_build_pairing_fail(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)683 static BT_HDR* smp_build_pairing_fail(UNUSED_ATTR uint8_t cmd_code,
684 tSMP_CB* p_cb) {
685 uint8_t* p;
686 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_FAIL_SIZE +
687 L2CAP_MIN_OFFSET);
688
689 SMP_TRACE_EVENT("%s", __func__);
690
691 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
692 UINT8_TO_STREAM(p, SMP_OPCODE_PAIRING_FAILED);
693 UINT8_TO_STREAM(p, p_cb->failure);
694
695 p_buf->offset = L2CAP_MIN_OFFSET;
696 p_buf->len = SMP_PAIR_FAIL_SIZE;
697
698 return p_buf;
699 }
700
701 /*******************************************************************************
702 *
703 * Function smp_build_security_request
704 *
705 * Description Build security request command.
706 *
707 ******************************************************************************/
smp_build_security_request(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)708 static BT_HDR* smp_build_security_request(UNUSED_ATTR uint8_t cmd_code,
709 tSMP_CB* p_cb) {
710 uint8_t* p;
711 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + 2 + L2CAP_MIN_OFFSET);
712
713 SMP_TRACE_EVENT("%s", __func__);
714
715 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
716 UINT8_TO_STREAM(p, SMP_OPCODE_SEC_REQ);
717 UINT8_TO_STREAM(p, p_cb->loc_auth_req);
718
719 p_buf->offset = L2CAP_MIN_OFFSET;
720 p_buf->len = SMP_SECURITY_REQUEST_SIZE;
721
722 SMP_TRACE_EVENT("opcode=%d auth_req=0x%x", SMP_OPCODE_SEC_REQ,
723 p_cb->loc_auth_req);
724
725 return p_buf;
726 }
727
728 /*******************************************************************************
729 *
730 * Function smp_build_pair_public_key_cmd
731 *
732 * Description Build pairing public key command.
733 *
734 ******************************************************************************/
smp_build_pair_public_key_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)735 static BT_HDR* smp_build_pair_public_key_cmd(UNUSED_ATTR uint8_t cmd_code,
736 tSMP_CB* p_cb) {
737 uint8_t* p;
738 uint8_t publ_key[2 * BT_OCTET32_LEN];
739 uint8_t* p_publ_key = publ_key;
740 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_PUBL_KEY_SIZE +
741 L2CAP_MIN_OFFSET);
742
743 SMP_TRACE_EVENT("%s", __func__);
744
745 memcpy(p_publ_key, p_cb->loc_publ_key.x, BT_OCTET32_LEN);
746 memcpy(p_publ_key + BT_OCTET32_LEN, p_cb->loc_publ_key.y, BT_OCTET32_LEN);
747
748 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
749 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_PUBLIC_KEY);
750 ARRAY_TO_STREAM(p, p_publ_key, 2 * BT_OCTET32_LEN);
751
752 p_buf->offset = L2CAP_MIN_OFFSET;
753 p_buf->len = SMP_PAIR_PUBL_KEY_SIZE;
754
755 return p_buf;
756 }
757
758 /*******************************************************************************
759 *
760 * Function smp_build_pairing_commitment_cmd
761 *
762 * Description Build pairing commitment command.
763 *
764 ******************************************************************************/
smp_build_pairing_commitment_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)765 static BT_HDR* smp_build_pairing_commitment_cmd(UNUSED_ATTR uint8_t cmd_code,
766 tSMP_CB* p_cb) {
767 uint8_t* p;
768 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_COMMITM_SIZE +
769 L2CAP_MIN_OFFSET);
770
771 SMP_TRACE_EVENT("%s", __func__);
772
773 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
774 UINT8_TO_STREAM(p, SMP_OPCODE_CONFIRM);
775 ARRAY_TO_STREAM(p, p_cb->commitment, OCTET16_LEN);
776
777 p_buf->offset = L2CAP_MIN_OFFSET;
778 p_buf->len = SMP_PAIR_COMMITM_SIZE;
779
780 return p_buf;
781 }
782
783 /*******************************************************************************
784 *
785 * Function smp_build_pair_dhkey_check_cmd
786 *
787 * Description Build pairing DHKey check command.
788 *
789 ******************************************************************************/
smp_build_pair_dhkey_check_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)790 static BT_HDR* smp_build_pair_dhkey_check_cmd(UNUSED_ATTR uint8_t cmd_code,
791 tSMP_CB* p_cb) {
792 uint8_t* p;
793 BT_HDR* p_buf = (BT_HDR*)osi_malloc(
794 sizeof(BT_HDR) + SMP_PAIR_DHKEY_CHECK_SIZE + L2CAP_MIN_OFFSET);
795
796 SMP_TRACE_EVENT("%s", __func__);
797
798 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
799 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_DHKEY_CHECK);
800 ARRAY_TO_STREAM(p, p_cb->dhkey_check, OCTET16_LEN);
801
802 p_buf->offset = L2CAP_MIN_OFFSET;
803 p_buf->len = SMP_PAIR_DHKEY_CHECK_SIZE;
804
805 return p_buf;
806 }
807
808 /*******************************************************************************
809 *
810 * Function smp_build_pairing_keypress_notification_cmd
811 *
812 * Description Build keypress notification command.
813 *
814 ******************************************************************************/
smp_build_pairing_keypress_notification_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)815 static BT_HDR* smp_build_pairing_keypress_notification_cmd(
816 UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb) {
817 uint8_t* p;
818 BT_HDR* p_buf = (BT_HDR*)osi_malloc(
819 sizeof(BT_HDR) + SMP_PAIR_KEYPR_NOTIF_SIZE + L2CAP_MIN_OFFSET);
820
821 SMP_TRACE_EVENT("%s", __func__);
822
823 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
824 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_KEYPR_NOTIF);
825 UINT8_TO_STREAM(p, p_cb->local_keypress_notification);
826
827 p_buf->offset = L2CAP_MIN_OFFSET;
828 p_buf->len = SMP_PAIR_KEYPR_NOTIF_SIZE;
829
830 return p_buf;
831 }
832
833 /** This function is called to convert a 6 to 16 digits numeric character string
834 * into SMP TK. */
smp_convert_string_to_tk(Octet16 * tk,uint32_t passkey)835 void smp_convert_string_to_tk(Octet16* tk, uint32_t passkey) {
836 uint8_t* p = tk->data();
837 tSMP_KEY key;
838 SMP_TRACE_EVENT("smp_convert_string_to_tk");
839 UINT32_TO_STREAM(p, passkey);
840
841 key.key_type = SMP_KEY_TYPE_TK;
842 key.p_data = tk->data();
843
844 tSMP_INT_DATA smp_int_data;
845 smp_int_data.key = key;
846 smp_sm_event(&smp_cb, SMP_KEY_READY_EVT, &smp_int_data);
847 }
848
849 /** This function is called to mask off the encryption key based on the maximum
850 * encryption key size. */
smp_mask_enc_key(uint8_t loc_enc_size,Octet16 * p_data)851 void smp_mask_enc_key(uint8_t loc_enc_size, Octet16* p_data) {
852 SMP_TRACE_EVENT("smp_mask_enc_key");
853 if (loc_enc_size < OCTET16_LEN) {
854 for (; loc_enc_size < OCTET16_LEN; loc_enc_size++)
855 (*p_data)[loc_enc_size] = 0;
856 }
857 return;
858 }
859
860 /** utility function to do an biteise exclusive-OR of two bit strings of the
861 * length of OCTET16_LEN. Result is stored in first argument.
862 */
smp_xor_128(Octet16 * a,const Octet16 & b)863 void smp_xor_128(Octet16* a, const Octet16& b) {
864 CHECK(a);
865 uint8_t i, *aa = a->data();
866 const uint8_t* bb = b.data();
867
868 for (i = 0; i < OCTET16_LEN; i++) {
869 aa[i] = aa[i] ^ bb[i];
870 }
871 }
872
873 /*******************************************************************************
874 *
875 * Function smp_cb_cleanup
876 *
877 * Description Clean up SMP control block
878 *
879 * Returns void
880 *
881 ******************************************************************************/
smp_cb_cleanup(tSMP_CB * p_cb)882 void smp_cb_cleanup(tSMP_CB* p_cb) {
883 tSMP_CALLBACK* p_callback = p_cb->p_callback;
884 uint8_t trace_level = p_cb->trace_level;
885 alarm_t* smp_rsp_timer_ent = p_cb->smp_rsp_timer_ent;
886 alarm_t* delayed_auth_timer_ent = p_cb->delayed_auth_timer_ent;
887
888 SMP_TRACE_EVENT("smp_cb_cleanup");
889
890 alarm_cancel(p_cb->smp_rsp_timer_ent);
891 alarm_cancel(p_cb->delayed_auth_timer_ent);
892 memset(p_cb, 0, sizeof(tSMP_CB));
893 p_cb->p_callback = p_callback;
894 p_cb->trace_level = trace_level;
895 p_cb->smp_rsp_timer_ent = smp_rsp_timer_ent;
896 p_cb->delayed_auth_timer_ent = delayed_auth_timer_ent;
897 }
898
899 /*******************************************************************************
900 *
901 * Function smp_remove_fixed_channel
902 *
903 * Description This function is called to remove the fixed channel
904 *
905 * Returns void
906 *
907 ******************************************************************************/
smp_remove_fixed_channel(tSMP_CB * p_cb)908 void smp_remove_fixed_channel(tSMP_CB* p_cb) {
909 SMP_TRACE_DEBUG("%s", __func__);
910
911 if (p_cb->smp_over_br)
912 L2CA_RemoveFixedChnl(L2CAP_SMP_BR_CID, p_cb->pairing_bda);
913 else
914 L2CA_RemoveFixedChnl(L2CAP_SMP_CID, p_cb->pairing_bda);
915 }
916
917 /*******************************************************************************
918 *
919 * Function smp_reset_control_value
920 *
921 * Description This function is called to reset the control block value
922 * when the pairing procedure finished.
923 *
924 *
925 * Returns void
926 *
927 ******************************************************************************/
smp_reset_control_value(tSMP_CB * p_cb)928 void smp_reset_control_value(tSMP_CB* p_cb) {
929 SMP_TRACE_EVENT("%s", __func__);
930
931 alarm_cancel(p_cb->smp_rsp_timer_ent);
932 p_cb->flags = 0;
933 /* set the link idle timer to drop the link when pairing is done
934 usually service discovery will follow authentication complete, to avoid
935 racing condition for a link down/up, set link idle timer to be
936 SMP_LINK_TOUT_MIN to guarantee SMP key exchange */
937 L2CA_SetIdleTimeoutByBdAddr(p_cb->pairing_bda, SMP_LINK_TOUT_MIN,
938 BT_TRANSPORT_LE);
939
940 /* We can tell L2CAP to remove the fixed channel (if it has one) */
941 smp_remove_fixed_channel(p_cb);
942 smp_cb_cleanup(p_cb);
943 }
944
945 /*******************************************************************************
946 *
947 * Function smp_proc_pairing_cmpl
948 *
949 * Description This function is called to process pairing complete
950 *
951 *
952 * Returns void
953 *
954 ******************************************************************************/
smp_proc_pairing_cmpl(tSMP_CB * p_cb)955 void smp_proc_pairing_cmpl(tSMP_CB* p_cb) {
956 tSMP_CALLBACK* p_callback = p_cb->p_callback;
957 const RawAddress pairing_bda = p_cb->pairing_bda;
958
959 const tSMP_EVT_DATA evt_data = {
960 .cmplt =
961 {
962 .reason = p_cb->status,
963 .sec_level = (p_cb->status == SMP_SUCCESS) ? p_cb->sec_level
964 : SMP_SEC_NONE,
965 .is_pair_cancel = p_cb->is_pair_cancel,
966 .smp_over_br = p_cb->smp_over_br,
967 },
968 };
969
970 if (p_cb->status == SMP_SUCCESS) {
971 LOG_DEBUG(
972 "Pairing process has completed successfully remote:%s sec_level:0x%0x",
973 ADDRESS_TO_LOGGABLE_CSTR(p_cb->pairing_bda), evt_data.cmplt.sec_level);
974 BTM_LogHistory(kBtmLogTag, pairing_bda, "Pairing success");
975 } else {
976 LOG_WARN(
977 "Pairing process has failed to remote:%s smp_reason:%s sec_level:0x%0x",
978 ADDRESS_TO_LOGGABLE_CSTR(p_cb->pairing_bda),
979 smp_status_text(evt_data.cmplt.reason).c_str(),
980 evt_data.cmplt.sec_level);
981 BTM_LogHistory(
982 kBtmLogTag, pairing_bda, "Pairing failed",
983 base::StringPrintf("reason:%s",
984 smp_status_text(evt_data.cmplt.reason).c_str()));
985 }
986
987 // Log pairing complete event
988 {
989 auto direction =
990 p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD
991 ? android::bluetooth::DirectionEnum::DIRECTION_OUTGOING
992 : android::bluetooth::DirectionEnum::DIRECTION_INCOMING;
993 uint16_t metric_cmd = p_cb->smp_over_br
994 ? SMP_METRIC_COMMAND_BR_PAIRING_CMPL
995 : SMP_METRIC_COMMAND_LE_PAIRING_CMPL;
996 uint16_t metric_status = p_cb->status;
997 if (metric_status > SMP_MAX_FAIL_RSN_PER_SPEC) {
998 metric_status |= SMP_METRIC_STATUS_INTERNAL_FLAG;
999 }
1000 log_smp_pairing_event(p_cb->pairing_bda, metric_cmd, direction,
1001 metric_status);
1002 }
1003
1004 if (p_cb->status == SMP_SUCCESS && p_cb->smp_over_br) {
1005 btm_dev_consolidate_existing_connections(pairing_bda);
1006 }
1007
1008 smp_reset_control_value(p_cb);
1009
1010 if (p_callback) (*p_callback)(SMP_COMPLT_EVT, pairing_bda, &evt_data);
1011 }
1012
1013 /*******************************************************************************
1014 *
1015 * Function smp_command_has_invalid_length
1016 *
1017 * Description Checks if the received SMP command has invalid length
1018 * It returns true if the command has invalid length.
1019 *
1020 * Returns true if the command has invalid length, false otherwise.
1021 *
1022 ******************************************************************************/
smp_command_has_invalid_length(tSMP_CB * p_cb)1023 bool smp_command_has_invalid_length(tSMP_CB* p_cb) {
1024 uint8_t cmd_code = p_cb->rcvd_cmd_code;
1025
1026 if ((cmd_code > (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */)) ||
1027 (cmd_code < SMP_OPCODE_MIN)) {
1028 SMP_TRACE_WARNING("%s: Received command with RESERVED code 0x%02x",
1029 __func__, cmd_code);
1030 return true;
1031 }
1032
1033 if (!smp_command_has_valid_fixed_length(p_cb)) {
1034 return true;
1035 }
1036
1037 return false;
1038 }
1039
1040 /*******************************************************************************
1041 *
1042 * Function smp_command_has_invalid_parameters
1043 *
1044 * Description Checks if the received SMP command has invalid parameters
1045 * i.e. if the command length is valid and the command
1046 * parameters are inside specified range.
1047 * It returns true if the command has invalid parameters.
1048 *
1049 * Returns true if the command has invalid parameters, false otherwise.
1050 *
1051 ******************************************************************************/
smp_command_has_invalid_parameters(tSMP_CB * p_cb)1052 bool smp_command_has_invalid_parameters(tSMP_CB* p_cb) {
1053 uint8_t cmd_code = p_cb->rcvd_cmd_code;
1054
1055 if ((cmd_code > (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */)) ||
1056 (cmd_code < SMP_OPCODE_MIN)) {
1057 SMP_TRACE_WARNING("%s: Received command with RESERVED code 0x%02x",
1058 __func__, cmd_code);
1059 return true;
1060 }
1061
1062 if (!(*smp_cmd_len_is_valid[cmd_code])(p_cb)) {
1063 SMP_TRACE_WARNING("%s: Command length not valid for cmd_code 0x%02x",
1064 __func__, cmd_code);
1065 return true;
1066 }
1067
1068 if (!(*smp_cmd_param_ranges_are_valid[cmd_code])(p_cb)) {
1069 SMP_TRACE_WARNING("%s: Parameter ranges not valid code 0x%02x", __func__,
1070 cmd_code);
1071 return true;
1072 }
1073
1074 return false;
1075 }
1076
1077 /*******************************************************************************
1078 *
1079 * Function smp_command_has_valid_fixed_length
1080 *
1081 * Description Checks if the received command size is equal to the size
1082 * according to specs.
1083 *
1084 * Returns true if the command size is as expected, false otherwise.
1085 *
1086 * Note The command is expected to have fixed length.
1087 ******************************************************************************/
smp_command_has_valid_fixed_length(tSMP_CB * p_cb)1088 bool smp_command_has_valid_fixed_length(tSMP_CB* p_cb) {
1089 uint8_t cmd_code = p_cb->rcvd_cmd_code;
1090
1091 SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, cmd_code);
1092
1093 if (p_cb->rcvd_cmd_len != smp_cmd_size_per_spec[cmd_code]) {
1094 SMP_TRACE_WARNING(
1095 "Rcvd from the peer cmd 0x%02x with invalid length "
1096 "0x%02x (per spec the length is 0x%02x).",
1097 cmd_code, p_cb->rcvd_cmd_len, smp_cmd_size_per_spec[cmd_code]);
1098 return false;
1099 }
1100
1101 return true;
1102 }
1103
1104 /*******************************************************************************
1105 *
1106 * Function smp_pairing_request_response_parameters_are_valid
1107 *
1108 * Description Validates parameter ranges in the received SMP command
1109 * pairing request or pairing response.
1110 * The parameters to validate:
1111 * IO capability,
1112 * OOB data flag,
1113 * Bonding_flags in AuthReq
1114 * Maximum encryption key size.
1115 * Returns false if at least one of these parameters is out of
1116 * range.
1117 *
1118 ******************************************************************************/
smp_pairing_request_response_parameters_are_valid(tSMP_CB * p_cb)1119 bool smp_pairing_request_response_parameters_are_valid(tSMP_CB* p_cb) {
1120 uint8_t io_caps = p_cb->peer_io_caps;
1121 uint8_t oob_flag = p_cb->peer_oob_flag;
1122 uint8_t bond_flag =
1123 p_cb->peer_auth_req & 0x03; // 0x03 is gen bond with appropriate mask
1124 uint8_t enc_size = p_cb->peer_enc_size;
1125
1126 SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, p_cb->rcvd_cmd_code);
1127
1128 if (io_caps >= BTM_IO_CAP_MAX) {
1129 SMP_TRACE_WARNING(
1130 "Rcvd from the peer cmd 0x%02x with IO Capability "
1131 "value (0x%02x) out of range).",
1132 p_cb->rcvd_cmd_code, io_caps);
1133 return false;
1134 }
1135
1136 if (!((oob_flag == SMP_OOB_NONE) || (oob_flag == SMP_OOB_PRESENT))) {
1137 SMP_TRACE_WARNING(
1138 "Rcvd from the peer cmd 0x%02x with OOB data flag value "
1139 "(0x%02x) out of range).",
1140 p_cb->rcvd_cmd_code, oob_flag);
1141 return false;
1142 }
1143
1144 if (!((bond_flag == SMP_AUTH_NO_BOND) || (bond_flag == SMP_AUTH_BOND))) {
1145 SMP_TRACE_WARNING(
1146 "Rcvd from the peer cmd 0x%02x with Bonding_Flags value (0x%02x) "
1147 "out of range).",
1148 p_cb->rcvd_cmd_code, bond_flag);
1149 return false;
1150 }
1151
1152 if ((enc_size < SMP_ENCR_KEY_SIZE_MIN) ||
1153 (enc_size > SMP_ENCR_KEY_SIZE_MAX)) {
1154 SMP_TRACE_WARNING(
1155 "Rcvd from the peer cmd 0x%02x with Maximum Encryption "
1156 "Key value (0x%02x) out of range).",
1157 p_cb->rcvd_cmd_code, enc_size);
1158 return false;
1159 }
1160
1161 return true;
1162 }
1163
1164 /*******************************************************************************
1165 *
1166 * Function smp_pairing_keypress_notification_is_valid
1167 *
1168 * Description Validates Notification Type parameter range in the received
1169 * SMP command pairing keypress notification.
1170 * Returns false if this parameter is out of range.
1171 *
1172 ******************************************************************************/
smp_pairing_keypress_notification_is_valid(tSMP_CB * p_cb)1173 bool smp_pairing_keypress_notification_is_valid(tSMP_CB* p_cb) {
1174 tSMP_SC_KEY_TYPE keypress_notification = p_cb->peer_keypress_notification;
1175
1176 SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, p_cb->rcvd_cmd_code);
1177
1178 if (keypress_notification >= SMP_SC_KEY_OUT_OF_RANGE) {
1179 SMP_TRACE_WARNING(
1180 "Rcvd from the peer cmd 0x%02x with Pairing Keypress "
1181 "Notification value (0x%02x) out of range).",
1182 p_cb->rcvd_cmd_code, keypress_notification);
1183 return false;
1184 }
1185
1186 return true;
1187 }
1188
1189 /*******************************************************************************
1190 *
1191 * Function smp_parameter_unconditionally_valid
1192 *
1193 * Description Always returns true.
1194 *
1195 ******************************************************************************/
smp_parameter_unconditionally_valid(UNUSED_ATTR tSMP_CB * p_cb)1196 bool smp_parameter_unconditionally_valid(UNUSED_ATTR tSMP_CB* p_cb) {
1197 return true;
1198 }
1199
1200 /*******************************************************************************
1201 *
1202 * Function smp_parameter_unconditionally_invalid
1203 *
1204 * Description Always returns false.
1205 *
1206 ******************************************************************************/
smp_parameter_unconditionally_invalid(UNUSED_ATTR tSMP_CB * p_cb)1207 bool smp_parameter_unconditionally_invalid(UNUSED_ATTR tSMP_CB* p_cb) {
1208 return false;
1209 }
1210
1211 /*******************************************************************************
1212 *
1213 * Function smp_reject_unexpected_pairing_command
1214 *
1215 * Description send pairing failure to an unexpected pairing command during
1216 * an active pairing process.
1217 *
1218 * Returns void
1219 *
1220 ******************************************************************************/
smp_reject_unexpected_pairing_command(const RawAddress & bd_addr)1221 void smp_reject_unexpected_pairing_command(const RawAddress& bd_addr) {
1222 uint8_t* p;
1223 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_FAIL_SIZE +
1224 L2CAP_MIN_OFFSET);
1225
1226 SMP_TRACE_DEBUG("%s", __func__);
1227
1228 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
1229 UINT8_TO_STREAM(p, SMP_OPCODE_PAIRING_FAILED);
1230 UINT8_TO_STREAM(p, SMP_PAIR_NOT_SUPPORT);
1231
1232 p_buf->offset = L2CAP_MIN_OFFSET;
1233 p_buf->len = SMP_PAIR_FAIL_SIZE;
1234
1235 smp_send_msg_to_L2CAP(bd_addr, p_buf);
1236 }
1237
1238 /*******************************************************************************
1239 * Function smp_select_association_model
1240 *
1241 * Description This function selects association model to use for STK
1242 * generation. Selection is based on both sides' io capability,
1243 * oob data flag and authentication request.
1244 *
1245 * Note If Secure Connections Only mode is required locally then we
1246 * come to this point only if both sides support Secure
1247 * Connections mode, i.e.
1248 * if p_cb->secure_connections_only_mode_required = true
1249 * then we come to this point only if
1250 * (p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT) ==
1251 * (p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) ==
1252 * SMP_SC_SUPPORT_BIT
1253 *
1254 ******************************************************************************/
smp_select_association_model(tSMP_CB * p_cb)1255 tSMP_ASSO_MODEL smp_select_association_model(tSMP_CB* p_cb) {
1256 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE;
1257 p_cb->le_secure_connections_mode_is_used = false;
1258
1259 SMP_TRACE_EVENT("%s", __func__);
1260 SMP_TRACE_DEBUG("%s p_cb->peer_io_caps = %d p_cb->local_io_capability = %d",
1261 __func__, p_cb->peer_io_caps, p_cb->local_io_capability);
1262 SMP_TRACE_DEBUG("%s p_cb->peer_oob_flag = %d p_cb->loc_oob_flag = %d",
1263 __func__, p_cb->peer_oob_flag, p_cb->loc_oob_flag);
1264 SMP_TRACE_DEBUG("%s p_cb->peer_auth_req = 0x%02x p_cb->loc_auth_req = 0x%02x",
1265 __func__, p_cb->peer_auth_req, p_cb->loc_auth_req);
1266 SMP_TRACE_DEBUG(
1267 "%s p_cb->secure_connections_only_mode_required = %s", __func__,
1268 p_cb->secure_connections_only_mode_required ? "true" : "false");
1269
1270 if ((p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT) &&
1271 (p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT)) {
1272 p_cb->le_secure_connections_mode_is_used = true;
1273 }
1274
1275 if ((p_cb->peer_auth_req & SMP_H7_SUPPORT_BIT) &&
1276 (p_cb->loc_auth_req & SMP_H7_SUPPORT_BIT)) {
1277 p_cb->key_derivation_h7_used = TRUE;
1278 }
1279
1280 SMP_TRACE_DEBUG("use_sc_process = %d, h7 use = %d",
1281 p_cb->le_secure_connections_mode_is_used,
1282 p_cb->key_derivation_h7_used);
1283
1284 if (p_cb->le_secure_connections_mode_is_used) {
1285 model = smp_select_association_model_secure_connections(p_cb);
1286 } else {
1287 model = smp_select_legacy_association_model(p_cb);
1288 }
1289 return model;
1290 }
1291
1292 /*******************************************************************************
1293 * Function smp_select_legacy_association_model
1294 *
1295 * Description This function is called to select association mode if at
1296 * least one side doesn't support secure connections.
1297 *
1298 ******************************************************************************/
smp_select_legacy_association_model(tSMP_CB * p_cb)1299 tSMP_ASSO_MODEL smp_select_legacy_association_model(tSMP_CB* p_cb) {
1300 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE;
1301
1302 SMP_TRACE_DEBUG("%s", __func__);
1303 /* if OOB data is present on both devices, then use OOB association model */
1304 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT &&
1305 p_cb->loc_oob_flag == SMP_OOB_PRESENT)
1306 return SMP_MODEL_OOB;
1307
1308 /* else if neither device requires MITM, then use Just Works association model
1309 */
1310 if (SMP_NO_MITM_REQUIRED(p_cb->peer_auth_req) &&
1311 SMP_NO_MITM_REQUIRED(p_cb->loc_auth_req))
1312 return SMP_MODEL_ENCRYPTION_ONLY;
1313
1314 /* otherwise use IO capability to select association model */
1315 if (p_cb->peer_io_caps < SMP_IO_CAP_MAX &&
1316 p_cb->local_io_capability < SMP_IO_CAP_MAX) {
1317 if (p_cb->role == HCI_ROLE_CENTRAL) {
1318 model = smp_association_table[p_cb->role][p_cb->peer_io_caps]
1319 [p_cb->local_io_capability];
1320 } else {
1321 model = smp_association_table[p_cb->role][p_cb->local_io_capability]
1322 [p_cb->peer_io_caps];
1323 }
1324 }
1325
1326 return model;
1327 }
1328
1329 /*******************************************************************************
1330 * Function smp_select_association_model_secure_connections
1331 *
1332 * Description This function is called to select association mode if both
1333 * sides support secure connections.
1334 *
1335 ******************************************************************************/
smp_select_association_model_secure_connections(tSMP_CB * p_cb)1336 tSMP_ASSO_MODEL smp_select_association_model_secure_connections(tSMP_CB* p_cb) {
1337 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE;
1338
1339 SMP_TRACE_DEBUG("%s", __func__);
1340 /* if OOB data is present on at least one device, then use OOB association
1341 * model */
1342 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT ||
1343 p_cb->loc_oob_flag == SMP_OOB_PRESENT)
1344 return SMP_MODEL_SEC_CONN_OOB;
1345
1346 /* else if neither device requires MITM, then use Just Works association model
1347 */
1348 if (SMP_NO_MITM_REQUIRED(p_cb->peer_auth_req) &&
1349 SMP_NO_MITM_REQUIRED(p_cb->loc_auth_req))
1350 return SMP_MODEL_SEC_CONN_JUSTWORKS;
1351
1352 /* otherwise use IO capability to select association model */
1353 if (p_cb->peer_io_caps < SMP_IO_CAP_MAX &&
1354 p_cb->local_io_capability < SMP_IO_CAP_MAX) {
1355 if (p_cb->role == HCI_ROLE_CENTRAL) {
1356 model = smp_association_table_sc[p_cb->role][p_cb->peer_io_caps]
1357 [p_cb->local_io_capability];
1358 } else {
1359 model = smp_association_table_sc[p_cb->role][p_cb->local_io_capability]
1360 [p_cb->peer_io_caps];
1361 }
1362 }
1363
1364 return model;
1365 }
1366
1367 /*******************************************************************************
1368 * Function smp_calculate_random_input
1369 *
1370 * Description This function returns random input value to be used in
1371 * commitment calculation for SC passkey entry association mode
1372 * (if bit["round"] in "random" array == 1 then returns 0x81
1373 * else returns 0x80).
1374 *
1375 * Returns ri value
1376 *
1377 ******************************************************************************/
smp_calculate_random_input(uint8_t * random,uint8_t round)1378 uint8_t smp_calculate_random_input(uint8_t* random, uint8_t round) {
1379 uint8_t i = round / 8;
1380 uint8_t j = round % 8;
1381 uint8_t ri;
1382
1383 SMP_TRACE_DEBUG("random: 0x%02x, round: %d, i: %d, j: %d", random[i], round,
1384 i, j);
1385 ri = ((random[i] >> j) & 1) | 0x80;
1386 SMP_TRACE_DEBUG("%s ri=0x%02x", __func__, ri);
1387 return ri;
1388 }
1389
1390 /*******************************************************************************
1391 * Function smp_collect_local_io_capabilities
1392 *
1393 * Description This function puts into IOcap array local device
1394 * IOCapability, OOB data, AuthReq.
1395 *
1396 * Returns void
1397 *
1398 ******************************************************************************/
smp_collect_local_io_capabilities(uint8_t * iocap,tSMP_CB * p_cb)1399 void smp_collect_local_io_capabilities(uint8_t* iocap, tSMP_CB* p_cb) {
1400 SMP_TRACE_DEBUG("%s", __func__);
1401
1402 iocap[0] = p_cb->local_io_capability;
1403 iocap[1] = p_cb->loc_oob_flag;
1404 iocap[2] = p_cb->loc_auth_req;
1405 }
1406
1407 /*******************************************************************************
1408 * Function smp_collect_peer_io_capabilities
1409 *
1410 * Description This function puts into IOcap array peer device
1411 * IOCapability, OOB data, AuthReq.
1412 *
1413 * Returns void
1414 *
1415 ******************************************************************************/
smp_collect_peer_io_capabilities(uint8_t * iocap,tSMP_CB * p_cb)1416 void smp_collect_peer_io_capabilities(uint8_t* iocap, tSMP_CB* p_cb) {
1417 SMP_TRACE_DEBUG("%s", __func__);
1418
1419 iocap[0] = p_cb->peer_io_caps;
1420 iocap[1] = p_cb->peer_oob_flag;
1421 iocap[2] = p_cb->peer_auth_req;
1422 }
1423
1424 /*******************************************************************************
1425 * Function smp_collect_local_ble_address
1426 *
1427 * Description Put the the local device LE address into the le_addr array:
1428 * le_addr[0-5] = local BD ADDR,
1429 * le_addr[6] = local le address type (PUBLIC/RANDOM).
1430 *
1431 * Returns void
1432 *
1433 ******************************************************************************/
smp_collect_local_ble_address(uint8_t * le_addr,tSMP_CB * p_cb)1434 void smp_collect_local_ble_address(uint8_t* le_addr, tSMP_CB* p_cb) {
1435 tBLE_ADDR_TYPE addr_type = BLE_ADDR_PUBLIC;
1436 RawAddress bda;
1437 uint8_t* p = le_addr;
1438
1439 SMP_TRACE_DEBUG("%s", __func__);
1440
1441 BTM_ReadConnectionAddr(p_cb->pairing_bda, bda, &addr_type);
1442 BDADDR_TO_STREAM(p, bda);
1443 UINT8_TO_STREAM(p, addr_type);
1444 }
1445
1446 /*******************************************************************************
1447 * Function smp_collect_peer_ble_address
1448 *
1449 * Description Put the peer device LE addr into the le_addr array:
1450 * le_addr[0-5] = peer BD ADDR,
1451 * le_addr[6] = peer le address type (PUBLIC/RANDOM).
1452 *
1453 * Returns void
1454 *
1455 ******************************************************************************/
smp_collect_peer_ble_address(uint8_t * le_addr,tSMP_CB * p_cb)1456 void smp_collect_peer_ble_address(uint8_t* le_addr, tSMP_CB* p_cb) {
1457 tBLE_ADDR_TYPE addr_type = BLE_ADDR_PUBLIC;
1458 RawAddress bda;
1459 uint8_t* p = le_addr;
1460
1461 SMP_TRACE_DEBUG("%s", __func__);
1462
1463 if (!BTM_ReadRemoteConnectionAddr(p_cb->pairing_bda, bda, &addr_type)) {
1464 SMP_TRACE_ERROR(
1465 "can not collect peer le addr information for unknown device");
1466 return;
1467 }
1468
1469 BDADDR_TO_STREAM(p, bda);
1470 UINT8_TO_STREAM(p, addr_type);
1471 }
1472
1473 /*******************************************************************************
1474 * Function smp_check_commitment
1475 *
1476 * Description This function compares peer commitment values:
1477 * - expected (i.e. calculated locally),
1478 * - received from the peer.
1479 *
1480 * Returns true if the values are the same
1481 * false otherwise
1482 *
1483 ******************************************************************************/
smp_check_commitment(tSMP_CB * p_cb)1484 bool smp_check_commitment(tSMP_CB* p_cb) {
1485
1486 SMP_TRACE_DEBUG("%s", __func__);
1487
1488 Octet16 expected = smp_calculate_peer_commitment(p_cb);
1489 print128(expected, (const uint8_t*)"calculated peer commitment");
1490 print128(p_cb->remote_commitment, (const uint8_t*)"received peer commitment");
1491
1492 if (memcmp(p_cb->remote_commitment.data(), expected.data(), OCTET16_LEN)) {
1493 SMP_TRACE_WARNING("%s: Commitment check fails", __func__);
1494 return false;
1495 }
1496
1497 SMP_TRACE_DEBUG("%s: Commitment check succeeds", __func__);
1498 return true;
1499 }
1500
1501 /*******************************************************************************
1502 *
1503 * Function smp_save_secure_connections_long_term_key
1504 *
1505 * Description The function saves SC LTK as BLE key for future use as local
1506 * and/or peer key.
1507 *
1508 * Returns void
1509 *
1510 ******************************************************************************/
smp_save_secure_connections_long_term_key(tSMP_CB * p_cb)1511 void smp_save_secure_connections_long_term_key(tSMP_CB* p_cb) {
1512
1513 SMP_TRACE_DEBUG("%s-Save LTK as local LTK key", __func__);
1514 tBTM_LE_KEY_VALUE lle_key = {
1515 .lenc_key =
1516 {
1517 .ltk = p_cb->ltk,
1518 .div = 0,
1519 .key_size = p_cb->loc_enc_size,
1520 .sec_level = p_cb->sec_level,
1521 },
1522 };
1523 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC, &lle_key, true);
1524
1525 SMP_TRACE_DEBUG("%s-Save LTK as peer LTK key", __func__);
1526 tBTM_LE_KEY_VALUE ple_key = {
1527 .penc_key =
1528 {
1529 .ltk = p_cb->ltk,
1530 .sec_level = p_cb->sec_level,
1531 .key_size = p_cb->loc_enc_size,
1532 .ediv = 0,
1533 },
1534 };
1535 memset(ple_key.penc_key.rand, 0, BT_OCTET8_LEN);
1536 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC, &ple_key, true);
1537 }
1538
1539 /** The function calculates MacKey and LTK and saves them in CB. To calculate
1540 * MacKey and LTK it calls smp_calc_f5(...). MacKey is used in dhkey
1541 * calculation, LTK is used to encrypt the link. */
smp_calculate_f5_mackey_and_long_term_key(tSMP_CB * p_cb)1542 void smp_calculate_f5_mackey_and_long_term_key(tSMP_CB* p_cb) {
1543 uint8_t a[7];
1544 uint8_t b[7];
1545 Octet16 na;
1546 Octet16 nb;
1547
1548 SMP_TRACE_DEBUG("%s", __func__);
1549
1550 if (p_cb->role == HCI_ROLE_CENTRAL) {
1551 smp_collect_local_ble_address(a, p_cb);
1552 smp_collect_peer_ble_address(b, p_cb);
1553 na = p_cb->rand;
1554 nb = p_cb->rrand;
1555 } else {
1556 smp_collect_local_ble_address(b, p_cb);
1557 smp_collect_peer_ble_address(a, p_cb);
1558 na = p_cb->rrand;
1559 nb = p_cb->rand;
1560 }
1561
1562 crypto_toolbox::f5(p_cb->dhkey, na, nb, a, b, &p_cb->mac_key, &p_cb->ltk);
1563
1564 SMP_TRACE_EVENT("%s is completed", __func__);
1565 }
1566
1567 /*******************************************************************************
1568 *
1569 * Function smp_request_oob_data
1570 *
1571 * Description Requests application to provide OOB data.
1572 *
1573 * Returns true - OOB data has to be provided by application
1574 * false - otherwise (unexpected)
1575 *
1576 ******************************************************************************/
smp_request_oob_data(tSMP_CB * p_cb)1577 bool smp_request_oob_data(tSMP_CB* p_cb) {
1578 tSMP_OOB_DATA_TYPE req_oob_type = SMP_OOB_INVALID_TYPE;
1579
1580 SMP_TRACE_DEBUG("%s", __func__);
1581
1582 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT &&
1583 p_cb->loc_oob_flag == SMP_OOB_PRESENT) {
1584 /* both local and peer rcvd data OOB */
1585 req_oob_type = SMP_OOB_BOTH;
1586 } else if (p_cb->peer_oob_flag == SMP_OOB_PRESENT) {
1587 /* peer rcvd OOB local data, local didn't receive OOB peer data */
1588 req_oob_type = SMP_OOB_LOCAL;
1589 } else if (p_cb->loc_oob_flag == SMP_OOB_PRESENT) {
1590 req_oob_type = SMP_OOB_PEER;
1591 }
1592
1593 SMP_TRACE_DEBUG("req_oob_type = %d", req_oob_type);
1594
1595 if (req_oob_type == SMP_OOB_INVALID_TYPE) return false;
1596
1597 p_cb->req_oob_type = req_oob_type;
1598 p_cb->cb_evt = SMP_SC_OOB_REQ_EVT;
1599 tSMP_INT_DATA smp_int_data;
1600 smp_int_data.req_oob_type = req_oob_type;
1601 smp_sm_event(p_cb, SMP_TK_REQ_EVT, &smp_int_data);
1602
1603 return true;
1604 }
1605
print128(const Octet16 & x,const uint8_t * key_name)1606 void print128(const Octet16& x, const uint8_t* key_name) {
1607 if (VLOG_IS_ON(2) && DLOG_IS_ON(INFO)) {
1608 uint8_t* p = (uint8_t*)x.data();
1609
1610 DVLOG(2) << key_name << " (MSB ~ LSB) = ";
1611 for (int i = 0; i < 4; i++) {
1612 DVLOG(2) << +p[OCTET16_LEN - i * 4 - 1] << +p[OCTET16_LEN - i * 4 - 2]
1613 << +p[OCTET16_LEN - i * 4 - 3] << +p[OCTET16_LEN - i * 4 - 4];
1614 }
1615 }
1616 }
1617