1 /******************************************************************************
2 *
3 * Copyright 2003-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 #define LOG_TAG "smp_act"
20
21 #include <string.h>
22
23 #include "btif/include/btif_api.h"
24 #include "btif/include/btif_common.h"
25 #include "btif/include/core_callbacks.h"
26 #include "btif/include/stack_manager.h"
27 #include "device/include/interop.h"
28 #include "internal_include/bt_target.h"
29 #include "main/shim/shim.h"
30 #include "osi/include/log.h"
31 #include "stack/btm/btm_dev.h"
32 #include "stack/btm/btm_sec.h"
33 #include "stack/include/acl_api.h"
34 #include "stack/include/bt_octets.h"
35 #include "stack/include/btm_log_history.h"
36 #include "stack/include/l2c_api.h"
37 #include "stack/include/smp_api_types.h"
38 #include "stack/smp/p_256_ecc_pp.h"
39 #include "stack/smp/smp_int.h"
40 #include "types/raw_address.h"
41
42 extern tBTM_CB btm_cb;
43
44 namespace {
45 constexpr char kBtmLogTag[] = "SMP";
46 }
47
48 #define SMP_KEY_DIST_TYPE_MAX 4
49
50 const tSMP_ACT smp_distribute_act[] = {
51 smp_generate_ltk, /* SMP_SEC_KEY_TYPE_ENC - '1' bit index */
52 smp_send_id_info, /* SMP_SEC_KEY_TYPE_ID - '1' bit index */
53 smp_generate_csrk, /* SMP_SEC_KEY_TYPE_CSRK - '1' bit index */
54 smp_set_derive_link_key /* SMP_SEC_KEY_TYPE_LK - '1' bit index */
55 };
56
pts_test_send_authentication_complete_failure(tSMP_CB * p_cb)57 static bool pts_test_send_authentication_complete_failure(tSMP_CB* p_cb) {
58 tSMP_STATUS reason = p_cb->cert_failure;
59 if (reason == SMP_PAIR_AUTH_FAIL || reason == SMP_PAIR_FAIL_UNKNOWN ||
60 reason == SMP_PAIR_NOT_SUPPORT || reason == SMP_PASSKEY_ENTRY_FAIL ||
61 reason == SMP_REPEATED_ATTEMPTS) {
62 tSMP_INT_DATA smp_int_data;
63 smp_int_data.status = reason;
64 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
65 return true;
66 }
67 return false;
68 }
69
70 /*******************************************************************************
71 * Function smp_update_key_mask
72 * Description This function updates the key mask for sending or receiving.
73 ******************************************************************************/
smp_update_key_mask(tSMP_CB * p_cb,uint8_t key_type,bool recv)74 static void smp_update_key_mask(tSMP_CB* p_cb, uint8_t key_type, bool recv) {
75 SMP_TRACE_DEBUG(
76 "%s before update role=%d recv=%d local_i_key = %02x, local_r_key = %02x",
77 __func__, p_cb->role, recv, p_cb->local_i_key, p_cb->local_r_key);
78
79 if (((p_cb->le_secure_connections_mode_is_used) || (p_cb->smp_over_br)) &&
80 ((key_type == SMP_SEC_KEY_TYPE_ENC) ||
81 (key_type == SMP_SEC_KEY_TYPE_LK))) {
82 /* in LE SC mode LTK, CSRK and BR/EDR LK are derived locally instead of
83 ** being exchanged with the peer */
84 p_cb->local_i_key &= ~key_type;
85 p_cb->local_r_key &= ~key_type;
86 } else if (p_cb->role == HCI_ROLE_PERIPHERAL) {
87 if (recv)
88 p_cb->local_i_key &= ~key_type;
89 else
90 p_cb->local_r_key &= ~key_type;
91 } else {
92 if (recv)
93 p_cb->local_r_key &= ~key_type;
94 else
95 p_cb->local_i_key &= ~key_type;
96 }
97
98 SMP_TRACE_DEBUG("updated local_i_key = %02x, local_r_key = %02x",
99 p_cb->local_i_key, p_cb->local_r_key);
100 }
101
102 /*******************************************************************************
103 * Function smp_send_app_cback
104 * Description notifies application about the events the application is
105 * interested in
106 ******************************************************************************/
smp_send_app_cback(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)107 void smp_send_app_cback(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
108 tSMP_EVT_DATA cb_data;
109 tBTM_STATUS callback_rc;
110 uint8_t remote_lmp_version = 0;
111 if (p_cb->p_callback && p_cb->cb_evt != 0) {
112 switch (p_cb->cb_evt) {
113 case SMP_IO_CAP_REQ_EVT:
114 cb_data.io_req.auth_req = p_cb->peer_auth_req;
115 cb_data.io_req.oob_data = SMP_OOB_NONE;
116 cb_data.io_req.io_cap = SMP_IO_CAP_KBDISP;
117 cb_data.io_req.max_key_size = SMP_MAX_ENC_KEY_SIZE;
118 cb_data.io_req.init_keys = p_cb->local_i_key;
119 cb_data.io_req.resp_keys = p_cb->local_r_key;
120 LOG_DEBUG("Notify app io_cap = %hhu", cb_data.io_req.io_cap);
121 break;
122
123 case SMP_NC_REQ_EVT:
124 cb_data.passkey = p_data->passkey;
125 break;
126 case SMP_SC_OOB_REQ_EVT:
127 cb_data.req_oob_type = p_data->req_oob_type;
128 break;
129 case SMP_SC_LOC_OOB_DATA_UP_EVT:
130 cb_data.loc_oob_data = p_cb->sc_oob_data.loc_oob_data;
131 break;
132
133 case SMP_BR_KEYS_REQ_EVT:
134 cb_data.io_req.auth_req = 0;
135 cb_data.io_req.oob_data = SMP_OOB_NONE;
136 cb_data.io_req.io_cap = 0;
137 cb_data.io_req.max_key_size = SMP_MAX_ENC_KEY_SIZE;
138 cb_data.io_req.init_keys = SMP_BR_SEC_DEFAULT_KEY;
139 cb_data.io_req.resp_keys = SMP_BR_SEC_DEFAULT_KEY;
140 break;
141
142 case SMP_LE_ADDR_ASSOC_EVT:
143 cb_data.id_addr = p_cb->id_addr;
144 break;
145
146 default:
147 LOG_ERROR("Unexpected event:%hhu", p_cb->cb_evt);
148 break;
149 }
150
151 callback_rc =
152 (*p_cb->p_callback)(p_cb->cb_evt, p_cb->pairing_bda, &cb_data);
153
154 if (callback_rc == BTM_SUCCESS) {
155 switch (p_cb->cb_evt) {
156 case SMP_IO_CAP_REQ_EVT:
157 p_cb->loc_auth_req = cb_data.io_req.auth_req;
158 p_cb->local_io_capability = cb_data.io_req.io_cap;
159 p_cb->loc_oob_flag = cb_data.io_req.oob_data;
160 p_cb->loc_enc_size = cb_data.io_req.max_key_size;
161 p_cb->local_i_key = cb_data.io_req.init_keys;
162 p_cb->local_r_key = cb_data.io_req.resp_keys;
163
164 if (!(p_cb->loc_auth_req & SMP_AUTH_BOND)) {
165 LOG_INFO("Non bonding: No keys will be exchanged");
166 p_cb->local_i_key = 0;
167 p_cb->local_r_key = 0;
168 }
169
170 LOG_DEBUG(
171 "Remote request IO capabilities precondition auth_req: 0x%02x,"
172 " io_cap: %d loc_oob_flag: %d loc_enc_size: %d, "
173 "local_i_key: 0x%02x, local_r_key: 0x%02x",
174 p_cb->loc_auth_req, p_cb->local_io_capability, p_cb->loc_oob_flag,
175 p_cb->loc_enc_size, p_cb->local_i_key, p_cb->local_r_key);
176
177 p_cb->secure_connections_only_mode_required =
178 (btm_cb.security_mode == BTM_SEC_MODE_SC) ? true : false;
179 /* just for PTS, force SC bit */
180 if (p_cb->secure_connections_only_mode_required) {
181 p_cb->loc_auth_req |= SMP_SC_SUPPORT_BIT;
182 }
183
184 if (!BTM_ReadRemoteVersion(p_cb->pairing_bda, &remote_lmp_version,
185 nullptr, nullptr)) {
186 LOG_WARN(
187 "SMP Unable to determine remote security authentication "
188 "remote_lmp_version:%hu",
189 remote_lmp_version);
190 }
191
192 if (!p_cb->secure_connections_only_mode_required &&
193 (!(p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) ||
194 (remote_lmp_version &&
195 remote_lmp_version < HCI_PROTO_VERSION_4_2) ||
196 interop_match_addr(INTEROP_DISABLE_LE_SECURE_CONNECTIONS,
197 (const RawAddress*)&p_cb->pairing_bda))) {
198 LOG_DEBUG(
199 "Setting SC, H7 and LinkKey bits to false to support "
200 "legacy device with lmp version: %d",
201 remote_lmp_version);
202 p_cb->loc_auth_req &= ~SMP_SC_SUPPORT_BIT;
203 p_cb->loc_auth_req &= ~SMP_KP_SUPPORT_BIT;
204 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
205 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
206 }
207
208 if (remote_lmp_version &&
209 remote_lmp_version < HCI_PROTO_VERSION_5_0) {
210 p_cb->loc_auth_req &= ~SMP_H7_SUPPORT_BIT;
211 }
212
213 LOG_DEBUG(
214 "Remote request IO capabilities postcondition auth_req: 0x%02x,"
215 " local_i_key: 0x%02x, local_r_key: 0x%02x",
216 p_cb->loc_auth_req, p_cb->local_i_key, p_cb->local_r_key);
217
218 smp_sm_event(p_cb, SMP_IO_RSP_EVT, NULL);
219 break;
220
221 case SMP_BR_KEYS_REQ_EVT:
222 p_cb->loc_enc_size = cb_data.io_req.max_key_size;
223 p_cb->local_i_key = cb_data.io_req.init_keys;
224 p_cb->local_r_key = cb_data.io_req.resp_keys;
225 p_cb->loc_auth_req |= SMP_H7_SUPPORT_BIT;
226
227 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
228 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
229
230 LOG_DEBUG(
231 "for SMP over BR max_key_size: 0x%02x, local_i_key: 0x%02x, "
232 "local_r_key: 0x%02x, p_cb->loc_auth_req: 0x%02x",
233 p_cb->loc_enc_size, p_cb->local_i_key, p_cb->local_r_key,
234 p_cb->loc_auth_req);
235
236 smp_br_state_machine_event(p_cb, SMP_BR_KEYS_RSP_EVT, NULL);
237 break;
238
239 // Expected, but nothing to do
240 case SMP_NC_REQ_EVT:
241 case SMP_SC_OOB_REQ_EVT:
242 case SMP_SC_LOC_OOB_DATA_UP_EVT:
243 case SMP_LE_ADDR_ASSOC_EVT:
244 break;
245
246 default:
247 LOG_ERROR("Unexpected event: %hhu", p_cb->cb_evt);
248 }
249 }
250 }
251
252 if (!p_cb->cb_evt && p_cb->discard_sec_req) {
253 p_cb->discard_sec_req = false;
254 smp_sm_event(p_cb, SMP_DISCARD_SEC_REQ_EVT, NULL);
255 }
256 }
257
258 /*******************************************************************************
259 * Function smp_send_pair_fail
260 * Description pairing failure to peer device if needed.
261 ******************************************************************************/
smp_send_pair_fail(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)262 void smp_send_pair_fail(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
263 p_cb->status = p_data->status;
264 p_cb->failure = p_data->status;
265
266 if (p_cb->status <= SMP_MAX_FAIL_RSN_PER_SPEC &&
267 p_cb->status != SMP_SUCCESS) {
268 LOG_ERROR("Pairing failed smp_status:%s",
269 smp_status_text(p_cb->status).c_str());
270 BTM_LogHistory(kBtmLogTag, p_cb->pairing_bda, "Pairing failed",
271 base::StringPrintf("smp_status:%s",
272 smp_status_text(p_cb->status).c_str()));
273 smp_send_cmd(SMP_OPCODE_PAIRING_FAILED, p_cb);
274 p_cb->wait_for_authorization_complete = true;
275 }
276 }
277
278 /*******************************************************************************
279 * Function smp_send_pair_req
280 * Description actions related to sending pairing request
281 ******************************************************************************/
smp_send_pair_req(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)282 void smp_send_pair_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
283 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
284 SMP_TRACE_DEBUG("%s", __func__);
285
286 /* erase all keys when central sends pairing req*/
287 if (p_dev_rec) btm_sec_clear_ble_keys(p_dev_rec);
288 /* do not manipulate the key, let app decide,
289 leave out to BTM to mandate key distribution for bonding case */
290 smp_send_cmd(SMP_OPCODE_PAIRING_REQ, p_cb);
291 }
292
293 /*******************************************************************************
294 * Function smp_send_pair_rsp
295 * Description actions related to sending pairing response
296 ******************************************************************************/
smp_send_pair_rsp(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)297 void smp_send_pair_rsp(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
298 SMP_TRACE_DEBUG("%s", __func__);
299
300 p_cb->local_i_key &= p_cb->peer_i_key;
301 p_cb->local_r_key &= p_cb->peer_r_key;
302
303 if (smp_send_cmd(SMP_OPCODE_PAIRING_RSP, p_cb)) {
304 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB)
305 smp_use_oob_private_key(p_cb, NULL);
306 else
307 smp_decide_association_model(p_cb, NULL);
308 }
309 }
310
311 /*******************************************************************************
312 * Function smp_send_confirm
313 * Description send confirmation to the peer
314 ******************************************************************************/
smp_send_confirm(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)315 void smp_send_confirm(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
316 SMP_TRACE_DEBUG("%s", __func__);
317 smp_send_cmd(SMP_OPCODE_CONFIRM, p_cb);
318 }
319
320 /*******************************************************************************
321 * Function smp_send_init
322 * Description process pairing initializer to peripheral device
323 ******************************************************************************/
smp_send_init(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)324 void smp_send_init(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
325 SMP_TRACE_DEBUG("%s", __func__);
326 smp_send_cmd(SMP_OPCODE_INIT, p_cb);
327 }
328
329 /*******************************************************************************
330 * Function smp_send_rand
331 * Description send pairing random to the peer
332 ******************************************************************************/
smp_send_rand(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)333 void smp_send_rand(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
334 SMP_TRACE_DEBUG("%s", __func__);
335 smp_send_cmd(SMP_OPCODE_RAND, p_cb);
336 }
337
338 /*******************************************************************************
339 * Function smp_send_pair_public_key
340 * Description send pairing public key command to the peer
341 ******************************************************************************/
smp_send_pair_public_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)342 void smp_send_pair_public_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
343 SMP_TRACE_DEBUG("%s", __func__);
344 smp_send_cmd(SMP_OPCODE_PAIR_PUBLIC_KEY, p_cb);
345 }
346
347 /*******************************************************************************
348 * Function SMP_SEND_COMMITMENT
349 * Description send commitment command to the peer
350 ******************************************************************************/
smp_send_commitment(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)351 void smp_send_commitment(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
352 SMP_TRACE_DEBUG("%s", __func__);
353 smp_send_cmd(SMP_OPCODE_PAIR_COMMITM, p_cb);
354 }
355
356 /*******************************************************************************
357 * Function smp_send_dhkey_check
358 * Description send DHKey Check command to the peer
359 ******************************************************************************/
smp_send_dhkey_check(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)360 void smp_send_dhkey_check(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
361 SMP_TRACE_DEBUG("%s", __func__);
362 smp_send_cmd(SMP_OPCODE_PAIR_DHKEY_CHECK, p_cb);
363 }
364
365 /*******************************************************************************
366 * Function smp_send_keypress_notification
367 * Description send Keypress Notification command to the peer
368 ******************************************************************************/
smp_send_keypress_notification(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)369 void smp_send_keypress_notification(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
370 p_cb->local_keypress_notification = p_data->status;
371 smp_send_cmd(SMP_OPCODE_PAIR_KEYPR_NOTIF, p_cb);
372 }
373
374 /*******************************************************************************
375 * Function smp_send_enc_info
376 * Description send encryption information command.
377 ******************************************************************************/
smp_send_enc_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)378 void smp_send_enc_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
379
380 SMP_TRACE_DEBUG("%s: p_cb->loc_enc_size = %d", __func__, p_cb->loc_enc_size);
381 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, false);
382
383 smp_send_cmd(SMP_OPCODE_ENCRYPT_INFO, p_cb);
384 smp_send_cmd(SMP_OPCODE_CENTRAL_ID, p_cb);
385
386 /* save the DIV and key size information when acting as peripheral device */
387 tBTM_LE_KEY_VALUE le_key = {
388 .lenc_key =
389 {
390 .ltk = p_cb->ltk,
391 .div = p_cb->div,
392 .key_size = p_cb->loc_enc_size,
393 .sec_level = p_cb->sec_level,
394 },
395 };
396
397 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
398 (p_cb->loc_auth_req & SMP_AUTH_BOND))
399 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC, &le_key, true);
400
401 SMP_TRACE_WARNING("%s", __func__);
402
403 smp_key_distribution(p_cb, NULL);
404 }
405
406 /*******************************************************************************
407 * Function smp_send_id_info
408 * Description send ID information command.
409 ******************************************************************************/
smp_send_id_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)410 void smp_send_id_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
411 SMP_TRACE_DEBUG("%s", __func__);
412 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ID, false);
413
414 smp_send_cmd(SMP_OPCODE_IDENTITY_INFO, p_cb);
415 smp_send_cmd(SMP_OPCODE_ID_ADDR, p_cb);
416
417 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
418 (p_cb->loc_auth_req & SMP_AUTH_BOND))
419 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LID, nullptr, true);
420
421 smp_key_distribution_by_transport(p_cb, NULL);
422 }
423
424 /** send CSRK command. */
smp_send_csrk_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)425 void smp_send_csrk_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
426 SMP_TRACE_DEBUG("%s", __func__);
427 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_CSRK, false);
428
429 if (smp_send_cmd(SMP_OPCODE_SIGN_INFO, p_cb)) {
430 tBTM_LE_KEY_VALUE key = {
431 .lcsrk_key =
432 {
433 .div = p_cb->div,
434 .sec_level = p_cb->sec_level,
435 .counter = 0, /* initialize the local counter */
436 .csrk = p_cb->csrk,
437 },
438 };
439 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LCSRK, &key, true);
440 }
441
442 smp_key_distribution_by_transport(p_cb, NULL);
443 }
444
445 /*******************************************************************************
446 * Function smp_send_ltk_reply
447 * Description send LTK reply
448 ******************************************************************************/
smp_send_ltk_reply(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)449 void smp_send_ltk_reply(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
450 SMP_TRACE_DEBUG("%s", __func__);
451
452 Octet16 stk;
453 memcpy(stk.data(), p_data->key.p_data, stk.size());
454 /* send stk as LTK response */
455 btm_ble_ltk_request_reply(p_cb->pairing_bda, true, stk);
456 }
457
458 /*******************************************************************************
459 * Function smp_proc_sec_req
460 * Description process security request.
461 ******************************************************************************/
smp_proc_sec_req(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)462 void smp_proc_sec_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
463 tBTM_LE_AUTH_REQ auth_req = *(tBTM_LE_AUTH_REQ*)p_data->p_data;
464 tBTM_BLE_SEC_REQ_ACT sec_req_act;
465
466 SMP_TRACE_DEBUG("%s: auth_req=0x%x", __func__, auth_req);
467
468 p_cb->cb_evt = SMP_EVT_NONE;
469
470 btm_ble_link_sec_check(p_cb->pairing_bda, auth_req, &sec_req_act);
471
472 SMP_TRACE_DEBUG("%s: sec_req_act=0x%x", __func__, sec_req_act);
473
474 switch (sec_req_act) {
475 case BTM_BLE_SEC_REQ_ACT_ENCRYPT:
476 SMP_TRACE_DEBUG("%s: BTM_BLE_SEC_REQ_ACT_ENCRYPT", __func__);
477 smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL);
478 break;
479
480 case BTM_BLE_SEC_REQ_ACT_PAIR:
481 p_cb->secure_connections_only_mode_required =
482 (btm_cb.security_mode == BTM_SEC_MODE_SC) ? true : false;
483
484 /* respond to non SC pairing request as failure in SC only mode */
485 if (p_cb->secure_connections_only_mode_required &&
486 (auth_req & SMP_SC_SUPPORT_BIT) == 0) {
487 tSMP_INT_DATA smp_int_data;
488 smp_int_data.status = SMP_PAIR_AUTH_FAIL;
489 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
490 } else {
491 /* initialize local i/r key to be default keys */
492 p_cb->peer_auth_req = auth_req;
493 p_cb->local_r_key = p_cb->local_i_key = SMP_SEC_DEFAULT_KEY;
494 p_cb->cb_evt = SMP_SEC_REQUEST_EVT;
495 }
496 break;
497
498 case BTM_BLE_SEC_REQ_ACT_DISCARD:
499 p_cb->discard_sec_req = true;
500 break;
501
502 default:
503 /* do nothing */
504 break;
505 }
506 }
507
508 /*******************************************************************************
509 * Function smp_proc_sec_grant
510 * Description process security grant.
511 ******************************************************************************/
smp_proc_sec_grant(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)512 void smp_proc_sec_grant(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
513 uint8_t res = p_data->status;
514 SMP_TRACE_DEBUG("%s", __func__);
515 if (res != SMP_SUCCESS) {
516 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, p_data);
517 } else /*otherwise, start pairing */
518 {
519 /* send IO request callback */
520 p_cb->cb_evt = SMP_IO_CAP_REQ_EVT;
521 }
522 }
523
524 /*******************************************************************************
525 * Function smp_proc_pair_fail
526 * Description process pairing failure from peer device
527 ******************************************************************************/
smp_proc_pair_fail(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)528 void smp_proc_pair_fail(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
529 SMP_TRACE_DEBUG("%s", __func__);
530
531 if (p_cb->rcvd_cmd_len < 2) {
532 SMP_TRACE_WARNING("%s: rcvd_cmd_len %d too short: must be at least 2",
533 __func__, p_cb->rcvd_cmd_len);
534 p_cb->status = SMP_INVALID_PARAMETERS;
535 } else {
536 p_cb->status = p_data->status;
537 }
538
539 /* Cancel pending auth complete timer if set */
540 alarm_cancel(p_cb->delayed_auth_timer_ent);
541 }
542
543 /*******************************************************************************
544 * Function smp_proc_pair_cmd
545 * Description Process the SMP pairing request/response from peer device
546 ******************************************************************************/
smp_proc_pair_cmd(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)547 void smp_proc_pair_cmd(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
548 uint8_t* p = p_data->p_data;
549 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
550
551 SMP_TRACE_DEBUG("%s: pairing_bda=%s", __func__,
552 ADDRESS_TO_LOGGABLE_CSTR(p_cb->pairing_bda));
553
554 /* erase all keys if it is peripheral proc pairing req */
555 if (p_dev_rec && (p_cb->role == HCI_ROLE_PERIPHERAL))
556 btm_sec_clear_ble_keys(p_dev_rec);
557
558 p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR;
559
560 if (smp_command_has_invalid_length(p_cb)) {
561 tSMP_INT_DATA smp_int_data;
562 smp_int_data.status = SMP_INVALID_PARAMETERS;
563 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
564 return;
565 }
566
567 STREAM_TO_UINT8(p_cb->peer_io_caps, p);
568 STREAM_TO_UINT8(p_cb->peer_oob_flag, p);
569 STREAM_TO_UINT8(p_cb->peer_auth_req, p);
570 STREAM_TO_UINT8(p_cb->peer_enc_size, p);
571 STREAM_TO_UINT8(p_cb->peer_i_key, p);
572 STREAM_TO_UINT8(p_cb->peer_r_key, p);
573
574 tSMP_STATUS reason = p_cb->cert_failure;
575 if (reason == SMP_ENC_KEY_SIZE) {
576 tSMP_INT_DATA smp_int_data;
577 smp_int_data.status = reason;
578 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
579 return;
580 }
581
582 if (smp_command_has_invalid_parameters(p_cb)) {
583 tSMP_INT_DATA smp_int_data;
584 smp_int_data.status = SMP_INVALID_PARAMETERS;
585 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
586 return;
587 }
588
589 // PTS Testing failure modes
590 if (pts_test_send_authentication_complete_failure(p_cb)) return;
591
592 if (p_cb->role == HCI_ROLE_PERIPHERAL) {
593 if (!(p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD)) {
594 /* peer (central) started pairing sending Pairing Request */
595 p_cb->local_i_key = p_cb->peer_i_key;
596 p_cb->local_r_key = p_cb->peer_r_key;
597
598 p_cb->cb_evt = SMP_IO_CAP_REQ_EVT;
599 } else /* update local i/r key according to pairing request */
600 {
601 /* pairing started with this side (peripheral) sending Security Request */
602 p_cb->local_i_key &= p_cb->peer_i_key;
603 p_cb->local_r_key &= p_cb->peer_r_key;
604 p_cb->selected_association_model = smp_select_association_model(p_cb);
605
606 if (p_cb->secure_connections_only_mode_required &&
607 (!(p_cb->le_secure_connections_mode_is_used) ||
608 (p_cb->selected_association_model ==
609 SMP_MODEL_SEC_CONN_JUSTWORKS))) {
610 SMP_TRACE_ERROR(
611 "%s: pairing failed - peripheral requires secure connection only "
612 "mode",
613 __func__);
614 tSMP_INT_DATA smp_int_data;
615 smp_int_data.status = SMP_PAIR_AUTH_FAIL;
616 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
617 return;
618 }
619
620 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) {
621 if (smp_request_oob_data(p_cb)) return;
622 } else {
623 smp_send_pair_rsp(p_cb, NULL);
624 }
625 }
626 } else /* Central receives pairing response */
627 {
628 p_cb->selected_association_model = smp_select_association_model(p_cb);
629
630 if (p_cb->secure_connections_only_mode_required &&
631 (!(p_cb->le_secure_connections_mode_is_used) ||
632 (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS))) {
633 SMP_TRACE_ERROR(
634 "Central requires secure connection only mode "
635 "but it can't be provided -> Central fails pairing");
636 tSMP_INT_DATA smp_int_data;
637 smp_int_data.status = SMP_PAIR_AUTH_FAIL;
638 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
639 return;
640 }
641
642 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) {
643 if (smp_request_oob_data(p_cb)) return;
644 } else {
645 smp_decide_association_model(p_cb, NULL);
646 }
647 }
648 }
649
650 /** process pairing confirm from peer device */
smp_proc_confirm(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)651 void smp_proc_confirm(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
652 SMP_TRACE_DEBUG("%s", __func__);
653
654 if (smp_command_has_invalid_parameters(p_cb)) {
655 tSMP_INT_DATA smp_int_data;
656 smp_int_data.status = SMP_INVALID_PARAMETERS;
657 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
658 return;
659 }
660
661 if (p_data) {
662 uint8_t* p = p_data->p_data;
663 if (p != NULL) {
664 /* save the SConfirm for comparison later */
665 STREAM_TO_ARRAY(p_cb->rconfirm.data(), p, OCTET16_LEN);
666 }
667 }
668
669 p_cb->flags |= SMP_PAIR_FLAGS_CMD_CONFIRM;
670 }
671
672 /** process pairing initializer from peer device */
smp_proc_init(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)673 void smp_proc_init(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
674 uint8_t* p = p_data->p_data;
675
676 SMP_TRACE_DEBUG("%s", __func__);
677
678 if (smp_command_has_invalid_parameters(p_cb)) {
679 tSMP_INT_DATA smp_int_data;
680 smp_int_data.status = SMP_INVALID_PARAMETERS;
681 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
682 return;
683 }
684
685 /* save the SRand for comparison */
686 STREAM_TO_ARRAY(p_cb->rrand.data(), p, OCTET16_LEN);
687 }
688
689 /*******************************************************************************
690 * Function smp_proc_rand
691 * Description process pairing random (nonce) from peer device
692 ******************************************************************************/
smp_proc_rand(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)693 void smp_proc_rand(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
694 uint8_t* p = p_data->p_data;
695
696 SMP_TRACE_DEBUG("%s", __func__);
697
698 if (smp_command_has_invalid_parameters(p_cb)) {
699 tSMP_INT_DATA smp_int_data;
700 smp_int_data.status = SMP_INVALID_PARAMETERS;
701 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
702 return;
703 }
704
705 /* save the SRand for comparison */
706 STREAM_TO_ARRAY(p_cb->rrand.data(), p, OCTET16_LEN);
707 }
708
709 /*******************************************************************************
710 * Function smp_process_pairing_public_key
711 * Description process pairing public key command from the peer device
712 * - saves the peer public key;
713 * - sets the flag indicating that the peer public key is received;
714 * - calls smp_wait_for_both_public_keys(...).
715 *
716 ******************************************************************************/
smp_process_pairing_public_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)717 void smp_process_pairing_public_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
718 uint8_t* p = p_data->p_data;
719
720 SMP_TRACE_DEBUG("%s", __func__);
721
722 if (smp_command_has_invalid_parameters(p_cb)) {
723 tSMP_INT_DATA smp_int_data;
724 smp_int_data.status = SMP_INVALID_PARAMETERS;
725 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
726 return;
727 }
728
729 STREAM_TO_ARRAY(p_cb->peer_publ_key.x, p, BT_OCTET32_LEN);
730 STREAM_TO_ARRAY(p_cb->peer_publ_key.y, p, BT_OCTET32_LEN);
731
732 Point pt;
733 memcpy(pt.x, p_cb->peer_publ_key.x, BT_OCTET32_LEN);
734 memcpy(pt.y, p_cb->peer_publ_key.y, BT_OCTET32_LEN);
735
736 if (!memcmp(p_cb->peer_publ_key.x, p_cb->loc_publ_key.x, BT_OCTET32_LEN)) {
737 SMP_TRACE_WARNING("Remote and local public keys can't match");
738 tSMP_INT_DATA smp;
739 smp.status = SMP_PAIR_AUTH_FAIL;
740 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp);
741 return;
742 }
743
744 if (!ECC_ValidatePoint(pt)) {
745 tSMP_INT_DATA smp;
746 smp.status = SMP_PAIR_AUTH_FAIL;
747 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp);
748 return;
749 }
750
751 p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_PUBL_KEY;
752
753 smp_wait_for_both_public_keys(p_cb, NULL);
754 }
755
756 /*******************************************************************************
757 * Function smp_process_pairing_commitment
758 * Description process pairing commitment from peer device
759 ******************************************************************************/
smp_process_pairing_commitment(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)760 void smp_process_pairing_commitment(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
761 uint8_t* p = p_data->p_data;
762
763 SMP_TRACE_DEBUG("%s", __func__);
764
765 if (smp_command_has_invalid_parameters(p_cb)) {
766 tSMP_INT_DATA smp_int_data;
767 smp_int_data.status = SMP_INVALID_PARAMETERS;
768 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
769 return;
770 }
771
772 p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_COMM;
773
774 if (p != NULL) {
775 STREAM_TO_ARRAY(p_cb->remote_commitment.data(), p, OCTET16_LEN);
776 }
777 }
778
779 /*******************************************************************************
780 * Function smp_process_dhkey_check
781 * Description process DHKey Check from peer device
782 ******************************************************************************/
smp_process_dhkey_check(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)783 void smp_process_dhkey_check(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
784 uint8_t* p = p_data->p_data;
785
786 SMP_TRACE_DEBUG("%s", __func__);
787
788 if (smp_command_has_invalid_parameters(p_cb)) {
789 tSMP_INT_DATA smp_int_data;
790 smp_int_data.status = SMP_INVALID_PARAMETERS;
791 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
792 return;
793 }
794
795 if (p != NULL) {
796 STREAM_TO_ARRAY(p_cb->remote_dhkey_check.data(), p, OCTET16_LEN);
797 }
798
799 p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_DHK_CHK;
800 }
801
802 /*******************************************************************************
803 * Function smp_process_keypress_notification
804 * Description process pairing keypress notification from peer device
805 ******************************************************************************/
smp_process_keypress_notification(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)806 void smp_process_keypress_notification(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
807 uint8_t* p = p_data->p_data;
808
809 SMP_TRACE_DEBUG("%s", __func__);
810 p_cb->status = p_data->status;
811
812 if (smp_command_has_invalid_parameters(p_cb)) {
813 tSMP_INT_DATA smp_int_data;
814 smp_int_data.status = SMP_INVALID_PARAMETERS;
815 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
816 return;
817 }
818
819 if (p != NULL) {
820 STREAM_TO_UINT8(p_cb->peer_keypress_notification, p);
821 } else {
822 p_cb->peer_keypress_notification = SMP_SC_KEY_OUT_OF_RANGE;
823 }
824 p_cb->cb_evt = SMP_PEER_KEYPR_NOT_EVT;
825 }
826
827 /*******************************************************************************
828 * Function smp_br_process_pairing_command
829 * Description Process the SMP pairing request/response from peer device via
830 * BR/EDR transport.
831 ******************************************************************************/
smp_br_process_pairing_command(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)832 void smp_br_process_pairing_command(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
833 uint8_t* p = p_data->p_data;
834 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
835
836 SMP_TRACE_DEBUG("%s", __func__);
837 /* rejecting BR pairing request over non-SC BR link */
838 if (!p_dev_rec->new_encryption_key_is_p256 &&
839 p_cb->role == HCI_ROLE_PERIPHERAL) {
840 tSMP_INT_DATA smp_int_data;
841 smp_int_data.status = SMP_XTRANS_DERIVE_NOT_ALLOW;
842 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
843 return;
844 }
845
846 /* erase all keys if it is peripheral proc pairing req*/
847 if (p_dev_rec && (p_cb->role == HCI_ROLE_PERIPHERAL))
848 btm_sec_clear_ble_keys(p_dev_rec);
849
850 p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR;
851
852 if (smp_command_has_invalid_length(p_cb)) {
853 tSMP_INT_DATA smp_int_data;
854 smp_int_data.status = SMP_INVALID_PARAMETERS;
855 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
856 return;
857 }
858
859 STREAM_TO_UINT8(p_cb->peer_io_caps, p);
860 STREAM_TO_UINT8(p_cb->peer_oob_flag, p);
861 STREAM_TO_UINT8(p_cb->peer_auth_req, p);
862 STREAM_TO_UINT8(p_cb->peer_enc_size, p);
863 STREAM_TO_UINT8(p_cb->peer_i_key, p);
864 STREAM_TO_UINT8(p_cb->peer_r_key, p);
865
866 if (smp_command_has_invalid_parameters(p_cb)) {
867 tSMP_INT_DATA smp_int_data;
868 smp_int_data.status = SMP_INVALID_PARAMETERS;
869 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
870 return;
871 }
872
873 /* peer (central) started pairing sending Pairing Request */
874 /* or being central device always use received i/r key as keys to distribute
875 */
876 p_cb->local_i_key = p_cb->peer_i_key;
877 p_cb->local_r_key = p_cb->peer_r_key;
878
879 if (p_cb->role == HCI_ROLE_PERIPHERAL) {
880 p_dev_rec->new_encryption_key_is_p256 = false;
881 /* shortcut to skip Security Grant step */
882 p_cb->cb_evt = SMP_BR_KEYS_REQ_EVT;
883 } else {
884 /* Central receives pairing response */
885 SMP_TRACE_DEBUG(
886 "%s central rcvs valid PAIRING RESPONSE."
887 " Supposed to move to key distribution phase. ",
888 __func__);
889 }
890
891 /* auth_req received via BR/EDR SM channel is set to 0,
892 but everything derived/exchanged has to be saved */
893 p_cb->peer_auth_req |= SMP_AUTH_BOND;
894 p_cb->loc_auth_req |= SMP_AUTH_BOND;
895 }
896
897 /*******************************************************************************
898 * Function smp_br_process_security_grant
899 * Description process security grant in case of pairing over BR/EDR transport.
900 ******************************************************************************/
smp_br_process_security_grant(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)901 void smp_br_process_security_grant(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
902 SMP_TRACE_DEBUG("%s", __func__);
903 if (p_data->status != SMP_SUCCESS) {
904 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, p_data);
905 } else {
906 /* otherwise, start pairing; send IO request callback */
907 p_cb->cb_evt = SMP_BR_KEYS_REQ_EVT;
908 }
909 }
910
911 /*******************************************************************************
912 * Function smp_br_check_authorization_request
913 * Description sets the SMP kes to be derived/distribute over BR/EDR transport
914 * before starting the distribution/derivation
915 ******************************************************************************/
smp_br_check_authorization_request(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)916 void smp_br_check_authorization_request(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
917 SMP_TRACE_DEBUG("%s rcvs i_keys=0x%x r_keys=0x%x (i-initiator r-responder)",
918 __func__, p_cb->local_i_key, p_cb->local_r_key);
919
920 /* In LE SC mode LK field is ignored when BR/EDR transport is used */
921 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
922 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
923
924 /* In LE SC mode only IRK, IAI, CSRK are exchanged with the peer.
925 ** Set local_r_key on central to expect only these keys. */
926 if (p_cb->role == HCI_ROLE_CENTRAL) {
927 p_cb->local_r_key &= (SMP_SEC_KEY_TYPE_ID | SMP_SEC_KEY_TYPE_CSRK);
928 }
929
930 /* Check if H7 function needs to be used for key derivation*/
931 if ((p_cb->loc_auth_req & SMP_H7_SUPPORT_BIT) &&
932 (p_cb->peer_auth_req & SMP_H7_SUPPORT_BIT)) {
933 p_cb->key_derivation_h7_used = TRUE;
934 }
935 SMP_TRACE_DEBUG("%s: use h7 = %d", __func__, p_cb->key_derivation_h7_used);
936
937 SMP_TRACE_DEBUG(
938 "%s rcvs upgrades: i_keys=0x%x r_keys=0x%x (i-initiator r-responder)",
939 __func__, p_cb->local_i_key, p_cb->local_r_key);
940
941 if (/*((p_cb->peer_auth_req & SMP_AUTH_BOND) ||
942 (p_cb->loc_auth_req & SMP_AUTH_BOND)) &&*/
943 (p_cb->local_i_key || p_cb->local_r_key)) {
944 smp_br_state_machine_event(p_cb, SMP_BR_BOND_REQ_EVT, NULL);
945
946 /* if no peer key is expected, start central key distribution */
947 if (p_cb->role == HCI_ROLE_CENTRAL && p_cb->local_r_key == 0)
948 smp_key_distribution_by_transport(p_cb, NULL);
949 } else {
950 tSMP_INT_DATA smp_int_data;
951 smp_int_data.status = SMP_SUCCESS;
952 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
953 }
954 }
955
956 /*******************************************************************************
957 * Function smp_br_select_next_key
958 * Description selects the next key to derive/send when BR/EDR transport is
959 * used.
960 ******************************************************************************/
smp_br_select_next_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)961 void smp_br_select_next_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
962 SMP_TRACE_DEBUG("%s role=%d (0-central) r_keys=0x%x i_keys=0x%x", __func__,
963 p_cb->role, p_cb->local_r_key, p_cb->local_i_key);
964
965 if (p_cb->role == HCI_ROLE_PERIPHERAL ||
966 (!p_cb->local_r_key && p_cb->role == HCI_ROLE_CENTRAL)) {
967 smp_key_pick_key(p_cb, p_data);
968 }
969
970 if (!p_cb->local_i_key && !p_cb->local_r_key) {
971 /* state check to prevent re-entrance */
972 if (smp_get_br_state() == SMP_BR_STATE_BOND_PENDING) {
973 if (p_cb->total_tx_unacked == 0) {
974 tSMP_INT_DATA smp_int_data;
975 smp_int_data.status = SMP_SUCCESS;
976 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
977 } else {
978 p_cb->wait_for_authorization_complete = true;
979 }
980 }
981 }
982 }
983
984 /** process encryption information from peer device */
smp_proc_enc_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)985 void smp_proc_enc_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
986 uint8_t* p = p_data->p_data;
987
988 SMP_TRACE_DEBUG("%s", __func__);
989
990 if (smp_command_has_invalid_parameters(p_cb)) {
991 tSMP_INT_DATA smp_int_data;
992 smp_int_data.status = SMP_INVALID_PARAMETERS;
993 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
994 return;
995 }
996
997 STREAM_TO_ARRAY(p_cb->ltk.data(), p, OCTET16_LEN);
998
999 smp_key_distribution(p_cb, NULL);
1000 }
1001
1002 /** process central ID from peripheral device */
smp_proc_central_id(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1003 void smp_proc_central_id(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1004 uint8_t* p = p_data->p_data;
1005
1006 SMP_TRACE_DEBUG("%s", __func__);
1007
1008 if (p_cb->rcvd_cmd_len < 11) { // 1(Code) + 2(EDIV) + 8(Rand)
1009 SMP_TRACE_ERROR("%s: Invalid command length: %d, should be at least 11",
1010 __func__, p_cb->rcvd_cmd_len);
1011 return;
1012 }
1013
1014 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, true);
1015
1016 tBTM_LE_KEY_VALUE le_key = {
1017 .penc_key = {},
1018 };
1019 STREAM_TO_UINT16(le_key.penc_key.ediv, p);
1020 STREAM_TO_ARRAY(le_key.penc_key.rand, p, BT_OCTET8_LEN);
1021
1022 /* store the encryption keys from peer device */
1023 le_key.penc_key.ltk = p_cb->ltk;
1024 le_key.penc_key.sec_level = p_cb->sec_level;
1025 le_key.penc_key.key_size = p_cb->loc_enc_size;
1026
1027 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
1028 (p_cb->loc_auth_req & SMP_AUTH_BOND))
1029 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC, &le_key, true);
1030
1031 smp_key_distribution(p_cb, NULL);
1032 }
1033
1034 /** process identity information from peer device */
smp_proc_id_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1035 void smp_proc_id_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1036 uint8_t* p = p_data->p_data;
1037
1038 SMP_TRACE_DEBUG("%s", __func__);
1039
1040 if (smp_command_has_invalid_parameters(p_cb)) {
1041 tSMP_INT_DATA smp_int_data;
1042 smp_int_data.status = SMP_INVALID_PARAMETERS;
1043 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1044 return;
1045 }
1046
1047 STREAM_TO_ARRAY(p_cb->tk.data(), p, OCTET16_LEN); /* reuse TK for IRK */
1048 smp_key_distribution_by_transport(p_cb, NULL);
1049 }
1050
1051 /** process identity address from peer device */
smp_proc_id_addr(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1052 void smp_proc_id_addr(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1053 const uint8_t* p = p_data->p_data;
1054
1055 SMP_TRACE_DEBUG("%s", __func__);
1056
1057 if (smp_command_has_invalid_parameters(p_cb)) {
1058 tSMP_INT_DATA smp_int_data;
1059 smp_int_data.status = SMP_INVALID_PARAMETERS;
1060 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1061 return;
1062 }
1063
1064 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ID, true);
1065
1066 tBTM_LE_KEY_VALUE pid_key = {
1067 .pid_key = {},
1068 };
1069
1070 STREAM_TO_UINT8(pid_key.pid_key.identity_addr_type, p);
1071 STREAM_TO_BDADDR(pid_key.pid_key.identity_addr, p);
1072 pid_key.pid_key.irk = p_cb->tk;
1073
1074 /* to use as BD_ADDR for lk derived from ltk */
1075 p_cb->id_addr_rcvd = true;
1076 p_cb->id_addr_type = pid_key.pid_key.identity_addr_type;
1077 p_cb->id_addr = pid_key.pid_key.identity_addr;
1078
1079 /* store the ID key from peer device */
1080 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
1081 (p_cb->loc_auth_req & SMP_AUTH_BOND)) {
1082 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PID, &pid_key, true);
1083 p_cb->cb_evt = SMP_LE_ADDR_ASSOC_EVT;
1084 smp_send_app_cback(p_cb, NULL);
1085 }
1086 smp_key_distribution_by_transport(p_cb, NULL);
1087 }
1088
1089 /* process security information from peer device */
smp_proc_srk_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1090 void smp_proc_srk_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1091
1092 SMP_TRACE_DEBUG("%s", __func__);
1093
1094 if (smp_command_has_invalid_parameters(p_cb)) {
1095 tSMP_INT_DATA smp_int_data;
1096 smp_int_data.status = SMP_INVALID_PARAMETERS;
1097 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1098 return;
1099 }
1100
1101 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_CSRK, true);
1102
1103 /* save CSRK to security record */
1104 tBTM_LE_KEY_VALUE le_key = {
1105 .pcsrk_key =
1106 {
1107 .sec_level = p_cb->sec_level,
1108 },
1109 };
1110
1111 /* get peer CSRK */
1112 maybe_non_aligned_memcpy(le_key.pcsrk_key.csrk.data(), p_data->p_data,
1113 OCTET16_LEN);
1114
1115 /* initialize the peer counter */
1116 le_key.pcsrk_key.counter = 0;
1117
1118 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
1119 (p_cb->loc_auth_req & SMP_AUTH_BOND))
1120 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PCSRK, &le_key, true);
1121 smp_key_distribution_by_transport(p_cb, NULL);
1122 }
1123
1124 /*******************************************************************************
1125 * Function smp_proc_compare
1126 * Description process compare value
1127 ******************************************************************************/
smp_proc_compare(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1128 void smp_proc_compare(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1129 SMP_TRACE_DEBUG("%s", __func__);
1130 if (!memcmp(p_cb->rconfirm.data(), p_data->key.p_data, OCTET16_LEN)) {
1131 /* compare the max encryption key size, and save the smaller one for the
1132 * link */
1133 if (p_cb->peer_enc_size < p_cb->loc_enc_size)
1134 p_cb->loc_enc_size = p_cb->peer_enc_size;
1135
1136 if (p_cb->role == HCI_ROLE_PERIPHERAL)
1137 smp_sm_event(p_cb, SMP_RAND_EVT, NULL);
1138 else {
1139 /* central device always use received i/r key as keys to distribute */
1140 p_cb->local_i_key = p_cb->peer_i_key;
1141 p_cb->local_r_key = p_cb->peer_r_key;
1142
1143 smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL);
1144 }
1145
1146 } else {
1147 tSMP_INT_DATA smp_int_data;
1148 smp_int_data.status = SMP_CONFIRM_VALUE_ERR;
1149 p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1150 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1151 }
1152 }
1153
1154 /*******************************************************************************
1155 * Function smp_proc_sl_key
1156 * Description process key ready events.
1157 ******************************************************************************/
smp_proc_sl_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1158 void smp_proc_sl_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1159 uint8_t key_type = p_data->key.key_type;
1160
1161 SMP_TRACE_DEBUG("%s", __func__);
1162 if (key_type == SMP_KEY_TYPE_TK) {
1163 smp_generate_srand_mrand_confirm(p_cb, NULL);
1164 } else if (key_type == SMP_KEY_TYPE_CFM) {
1165 smp_set_state(SMP_STATE_WAIT_CONFIRM);
1166
1167 if (p_cb->flags & SMP_PAIR_FLAGS_CMD_CONFIRM)
1168 smp_sm_event(p_cb, SMP_CONFIRM_EVT, NULL);
1169 }
1170 }
1171
1172 /*******************************************************************************
1173 * Function smp_start_enc
1174 * Description start encryption
1175 ******************************************************************************/
smp_start_enc(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1176 void smp_start_enc(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1177 tBTM_STATUS cmd;
1178
1179 SMP_TRACE_DEBUG("%s", __func__);
1180 if (p_data != NULL) {
1181 cmd = btm_ble_start_encrypt(p_cb->pairing_bda, true,
1182 (Octet16*)p_data->key.p_data);
1183 } else {
1184 cmd = btm_ble_start_encrypt(p_cb->pairing_bda, false, NULL);
1185 }
1186
1187 if (cmd != BTM_CMD_STARTED && cmd != BTM_BUSY) {
1188 tSMP_INT_DATA smp_int_data;
1189 smp_int_data.status = SMP_ENC_FAIL;
1190 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1191 }
1192 }
1193
1194 /*******************************************************************************
1195 * Function smp_proc_discard
1196 * Description processing for discard security request
1197 ******************************************************************************/
smp_proc_discard(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1198 void smp_proc_discard(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1199 SMP_TRACE_DEBUG("%s", __func__);
1200 if (!(p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD))
1201 smp_reset_control_value(p_cb);
1202 }
1203
1204 /*******************************************************************************
1205 * Function smp_enc_cmpl
1206 * Description encryption success
1207 ******************************************************************************/
smp_enc_cmpl(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1208 void smp_enc_cmpl(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1209 uint8_t enc_enable = p_data->status;
1210
1211 SMP_TRACE_DEBUG("%s", __func__);
1212 tSMP_INT_DATA smp_int_data;
1213 smp_int_data.status = enc_enable ? SMP_SUCCESS : SMP_ENC_FAIL;
1214 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1215 }
1216
1217 /*******************************************************************************
1218 * Function smp_check_auth_req
1219 * Description check authentication request
1220 ******************************************************************************/
smp_check_auth_req(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1221 void smp_check_auth_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1222 uint8_t enc_enable = p_data->status;
1223
1224 SMP_TRACE_DEBUG(
1225 "%s rcvs enc_enable=%d i_keys=0x%x r_keys=0x%x (i-initiator r-responder)",
1226 __func__, enc_enable, p_cb->local_i_key, p_cb->local_r_key);
1227 if (enc_enable == 1) {
1228 if (p_cb->le_secure_connections_mode_is_used) {
1229 /* In LE SC mode LTK is used instead of STK and has to be always saved */
1230 p_cb->local_i_key |= SMP_SEC_KEY_TYPE_ENC;
1231 p_cb->local_r_key |= SMP_SEC_KEY_TYPE_ENC;
1232
1233 /* In LE SC mode LK is derived from LTK only if both sides request it */
1234 if (!(p_cb->local_i_key & SMP_SEC_KEY_TYPE_LK) ||
1235 !(p_cb->local_r_key & SMP_SEC_KEY_TYPE_LK)) {
1236 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
1237 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
1238 }
1239
1240 /* In LE SC mode only IRK, IAI, CSRK are exchanged with the peer.
1241 ** Set local_r_key on central to expect only these keys.
1242 */
1243 if (p_cb->role == HCI_ROLE_CENTRAL) {
1244 p_cb->local_r_key &= (SMP_SEC_KEY_TYPE_ID | SMP_SEC_KEY_TYPE_CSRK);
1245 }
1246 } else {
1247 /* in legacy mode derivation of BR/EDR LK is not supported */
1248 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
1249 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
1250 }
1251 SMP_TRACE_DEBUG(
1252 "%s rcvs upgrades: i_keys=0x%x r_keys=0x%x (i-initiator r-responder)",
1253 __func__, p_cb->local_i_key, p_cb->local_r_key);
1254
1255 if (/*((p_cb->peer_auth_req & SMP_AUTH_BOND) ||
1256 (p_cb->loc_auth_req & SMP_AUTH_BOND)) &&*/
1257 (p_cb->local_i_key || p_cb->local_r_key)) {
1258 smp_sm_event(p_cb, SMP_BOND_REQ_EVT, NULL);
1259 } else {
1260 tSMP_INT_DATA smp_int_data;
1261 smp_int_data.status = enc_enable ? SMP_SUCCESS : SMP_ENC_FAIL;
1262 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1263 }
1264 } else if (enc_enable == 0) {
1265 tSMP_INT_DATA smp_int_data;
1266 smp_int_data.status = enc_enable ? SMP_SUCCESS : SMP_ENC_FAIL;
1267 /* if failed for encryption after pairing, send callback */
1268 if (p_cb->flags & SMP_PAIR_FLAG_ENC_AFTER_PAIR)
1269 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1270 /* if enc failed for old security information */
1271 /* if central device, clean up and abck to idle; peripheral device do
1272 * nothing */
1273 else if (p_cb->role == HCI_ROLE_CENTRAL) {
1274 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1275 }
1276 }
1277 }
1278
1279 /*******************************************************************************
1280 * Function smp_key_pick_key
1281 * Description Pick a key distribution function based on the key mask.
1282 ******************************************************************************/
smp_key_pick_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1283 void smp_key_pick_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1284 uint8_t key_to_dist = (p_cb->role == HCI_ROLE_PERIPHERAL) ? p_cb->local_r_key
1285 : p_cb->local_i_key;
1286 uint8_t i = 0;
1287
1288 SMP_TRACE_DEBUG("%s key_to_dist=0x%x", __func__, key_to_dist);
1289 while (i < SMP_KEY_DIST_TYPE_MAX) {
1290 SMP_TRACE_DEBUG("key to send = %02x, i = %d", key_to_dist, i);
1291
1292 if (key_to_dist & (1 << i)) {
1293 SMP_TRACE_DEBUG("smp_distribute_act[%d]", i);
1294 (*smp_distribute_act[i])(p_cb, p_data);
1295 break;
1296 }
1297 i++;
1298 }
1299 }
1300 /*******************************************************************************
1301 * Function smp_key_distribution
1302 * Description start key distribution if required.
1303 ******************************************************************************/
smp_key_distribution(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1304 void smp_key_distribution(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1305 SMP_TRACE_DEBUG("%s role=%d (0-central) r_keys=0x%x i_keys=0x%x", __func__,
1306 p_cb->role, p_cb->local_r_key, p_cb->local_i_key);
1307
1308 if (p_cb->role == HCI_ROLE_PERIPHERAL ||
1309 (!p_cb->local_r_key && p_cb->role == HCI_ROLE_CENTRAL)) {
1310 smp_key_pick_key(p_cb, p_data);
1311 }
1312
1313 if (!p_cb->local_i_key && !p_cb->local_r_key) {
1314 /* state check to prevent re-entrant */
1315 if (smp_get_state() == SMP_STATE_BOND_PENDING) {
1316 if (p_cb->derive_lk) {
1317 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
1318 if (!(p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED) &&
1319 (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED)) {
1320 SMP_TRACE_DEBUG(
1321 "%s BR key is higher security than existing LE keys, don't "
1322 "derive LK from LTK",
1323 __func__);
1324 } else {
1325 smp_derive_link_key_from_long_term_key(p_cb, NULL);
1326 }
1327 p_cb->derive_lk = false;
1328 }
1329
1330 if (p_cb->total_tx_unacked == 0) {
1331 /*
1332 * Instead of declaring authorization complete immediately,
1333 * delay the event from being sent by SMP_DELAYED_AUTH_TIMEOUT_MS.
1334 * This allows the peripheral to send over Pairing Failed if the
1335 * last key is rejected. During this waiting window, the
1336 * state should remain in SMP_STATE_BOND_PENDING.
1337 */
1338 if (!alarm_is_scheduled(p_cb->delayed_auth_timer_ent)) {
1339 SMP_TRACE_DEBUG("%s delaying auth complete.", __func__);
1340 alarm_set_on_mloop(p_cb->delayed_auth_timer_ent,
1341 SMP_DELAYED_AUTH_TIMEOUT_MS,
1342 smp_delayed_auth_complete_timeout, NULL);
1343 }
1344 } else {
1345 p_cb->wait_for_authorization_complete = true;
1346 }
1347 }
1348 }
1349 }
1350
1351 /*******************************************************************************
1352 * Function smp_decide_association_model
1353 * Description This function is called to select assoc model to be used for
1354 * STK generation and to start STK generation process.
1355 *
1356 ******************************************************************************/
smp_decide_association_model(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1357 void smp_decide_association_model(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1358 tSMP_EVENT int_evt = SMP_NOP_EVT;
1359 tSMP_INT_DATA smp_int_data;
1360
1361 SMP_TRACE_DEBUG("%s Association Model = %d", __func__,
1362 p_cb->selected_association_model);
1363
1364 switch (p_cb->selected_association_model) {
1365 case SMP_MODEL_ENCRYPTION_ONLY: /* TK = 0, go calculate Confirm */
1366 if (p_cb->role == HCI_ROLE_CENTRAL &&
1367 ((p_cb->peer_auth_req & SMP_AUTH_YN_BIT) != 0) &&
1368 ((p_cb->loc_auth_req & SMP_AUTH_YN_BIT) == 0)) {
1369 SMP_TRACE_ERROR(
1370 "IO capability does not meet authentication requirement");
1371 smp_int_data.status = SMP_PAIR_AUTH_FAIL;
1372 int_evt = SMP_AUTH_CMPL_EVT;
1373 } else {
1374 if (!GetInterfaceToProfiles()->config->isAndroidTVDevice() &&
1375 (p_cb->local_io_capability == SMP_IO_CAP_IO ||
1376 p_cb->local_io_capability == SMP_IO_CAP_KBDISP)) {
1377 /* display consent dialog if this device has a display */
1378 SMP_TRACE_DEBUG("ENCRYPTION_ONLY showing Consent Dialog");
1379 p_cb->cb_evt = SMP_CONSENT_REQ_EVT;
1380 smp_set_state(SMP_STATE_WAIT_NONCE);
1381 smp_sm_event(p_cb, SMP_SC_DSPL_NC_EVT, NULL);
1382 } else {
1383 p_cb->sec_level = SMP_SEC_UNAUTHENTICATE;
1384 SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_UNAUTHENTICATE) ",
1385 p_cb->sec_level);
1386
1387 tSMP_KEY key;
1388 key.key_type = SMP_KEY_TYPE_TK;
1389 key.p_data = p_cb->tk.data();
1390 smp_int_data.key = key;
1391
1392 p_cb->tk = {0};
1393 /* TK, ready */
1394 int_evt = SMP_KEY_READY_EVT;
1395 }
1396 }
1397 break;
1398
1399 case SMP_MODEL_PASSKEY:
1400 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1401 SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_AUTHENTICATED) ",
1402 p_cb->sec_level);
1403
1404 p_cb->cb_evt = SMP_PASSKEY_REQ_EVT;
1405 int_evt = SMP_TK_REQ_EVT;
1406 break;
1407
1408 case SMP_MODEL_OOB:
1409 SMP_TRACE_ERROR("Association Model = SMP_MODEL_OOB");
1410 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1411 SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_AUTHENTICATED) ",
1412 p_cb->sec_level);
1413
1414 p_cb->cb_evt = SMP_OOB_REQ_EVT;
1415 int_evt = SMP_TK_REQ_EVT;
1416 break;
1417
1418 case SMP_MODEL_KEY_NOTIF:
1419 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1420 SMP_TRACE_DEBUG("Need to generate Passkey");
1421
1422 /* generate passkey and notify application */
1423 smp_generate_passkey(p_cb, NULL);
1424 break;
1425
1426 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1427 case SMP_MODEL_SEC_CONN_NUM_COMP:
1428 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1429 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1430 case SMP_MODEL_SEC_CONN_OOB:
1431 int_evt = SMP_PUBL_KEY_EXCH_REQ_EVT;
1432 break;
1433
1434 case SMP_MODEL_OUT_OF_RANGE:
1435 SMP_TRACE_ERROR("Association Model = SMP_MODEL_OUT_OF_RANGE (failed)");
1436 smp_int_data.status = SMP_UNKNOWN_IO_CAP;
1437 int_evt = SMP_AUTH_CMPL_EVT;
1438 break;
1439
1440 default:
1441 SMP_TRACE_ERROR(
1442 "Association Model = %d (SOMETHING IS WRONG WITH THE CODE)",
1443 p_cb->selected_association_model);
1444 smp_int_data.status = SMP_UNKNOWN_IO_CAP;
1445 int_evt = SMP_AUTH_CMPL_EVT;
1446 }
1447
1448 SMP_TRACE_EVENT("sec_level=%d ", p_cb->sec_level);
1449 if (int_evt) smp_sm_event(p_cb, int_evt, &smp_int_data);
1450 }
1451
1452 /*******************************************************************************
1453 * Function smp_process_io_response
1454 * Description process IO response for a peripheral device.
1455 ******************************************************************************/
smp_process_io_response(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1456 void smp_process_io_response(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1457 SMP_TRACE_DEBUG("%s", __func__);
1458 if (p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD) {
1459 /* pairing started by local (peripheral) Security Request */
1460 smp_set_state(SMP_STATE_SEC_REQ_PENDING);
1461 smp_send_cmd(SMP_OPCODE_SEC_REQ, p_cb);
1462 } else /* plan to send pairing respond */
1463 {
1464 /* pairing started by peer (central) Pairing Request */
1465 p_cb->selected_association_model = smp_select_association_model(p_cb);
1466
1467 if (p_cb->secure_connections_only_mode_required &&
1468 (!(p_cb->le_secure_connections_mode_is_used) ||
1469 (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS))) {
1470 SMP_TRACE_ERROR(
1471 "Peripheral requires secure connection only mode "
1472 "but it can't be provided -> Peripheral fails pairing");
1473 tSMP_INT_DATA smp_int_data;
1474 smp_int_data.status = SMP_PAIR_AUTH_FAIL;
1475 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1476 return;
1477 }
1478
1479 // If we are doing SMP_MODEL_SEC_CONN_OOB we don't need to request OOB data
1480 // locally if loc_oob_flag == 0x00 b/c there is no OOB data to give. In the
1481 // event the loc_oob_flag is present value, we should request the OOB data
1482 // locally; otherwise fail.
1483 // If we are the initiator the OOB data has already been stored and will be
1484 // collected in the statemachine later.
1485 //
1486 // loc_oob_flag could be one of the following tSMP_OOB_FLAG enum values:
1487 // SMP_OOB_NONE = 0
1488 // SMP_OOB_PRESENT = 1
1489 // SMP_OOB_UNKNOWN = 2
1490 //
1491 // The only time Android cares about needing to provide the peer oob data
1492 // here would be in the advertiser situation or role. If the
1493 // device is doing the connecting it will not need to get the data again as
1494 // it was already provided in the initiation call.
1495 //
1496 // loc_oob_flag should only equal SMP_OOB_PRESENT when PEER DATA exists and
1497 // device is the advertiser as opposed to being the connector.
1498 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) {
1499 switch (p_cb->loc_oob_flag) {
1500 case SMP_OOB_NONE:
1501 LOG_INFO("SMP_MODEL_SEC_CONN_OOB with SMP_OOB_NONE");
1502 smp_send_pair_rsp(p_cb, NULL);
1503 break;
1504 case SMP_OOB_PRESENT:
1505 LOG_INFO("SMP_MODEL_SEC_CONN_OOB with SMP_OOB_PRESENT");
1506 if (smp_request_oob_data(p_cb)) return;
1507 break;
1508 case SMP_OOB_UNKNOWN:
1509 LOG_WARN("SMP_MODEL_SEC_CONN_OOB with SMP_OOB_UNKNOWN");
1510 tSMP_INT_DATA smp_int_data;
1511 smp_int_data.status = SMP_PAIR_AUTH_FAIL;
1512 smp_send_pair_fail(p_cb, &smp_int_data);
1513 return;
1514 }
1515 }
1516
1517 // PTS Testing failure modes
1518 if (pts_test_send_authentication_complete_failure(p_cb)) return;
1519
1520 smp_send_pair_rsp(p_cb, NULL);
1521 }
1522 }
1523
1524 /*******************************************************************************
1525 * Function smp_br_process_peripheral_keys_response
1526 * Description process application keys response for a peripheral device
1527 * (BR/EDR transport).
1528 ******************************************************************************/
smp_br_process_peripheral_keys_response(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1529 void smp_br_process_peripheral_keys_response(tSMP_CB* p_cb,
1530 tSMP_INT_DATA* p_data) {
1531 smp_br_send_pair_response(p_cb, NULL);
1532 }
1533
1534 /*******************************************************************************
1535 * Function smp_br_send_pair_response
1536 * Description actions related to sending pairing response over BR/EDR
1537 * transport.
1538 ******************************************************************************/
smp_br_send_pair_response(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1539 void smp_br_send_pair_response(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1540 SMP_TRACE_DEBUG("%s", __func__);
1541
1542 p_cb->local_i_key &= p_cb->peer_i_key;
1543 p_cb->local_r_key &= p_cb->peer_r_key;
1544
1545 smp_send_cmd(SMP_OPCODE_PAIRING_RSP, p_cb);
1546 }
1547
1548 /*******************************************************************************
1549 * Function smp_pairing_cmpl
1550 * Description This function is called to send the pairing complete
1551 * callback and remove the connection if needed.
1552 ******************************************************************************/
smp_pairing_cmpl(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1553 void smp_pairing_cmpl(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1554 if (p_cb->total_tx_unacked == 0) {
1555 /* process the pairing complete */
1556 smp_proc_pairing_cmpl(p_cb);
1557 }
1558 }
1559
1560 /*******************************************************************************
1561 * Function smp_pair_terminate
1562 * Description This function is called to send the pairing complete
1563 * callback and remove the connection if needed.
1564 ******************************************************************************/
smp_pair_terminate(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1565 void smp_pair_terminate(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1566 SMP_TRACE_DEBUG("%s", __func__);
1567 p_cb->status = SMP_CONN_TOUT;
1568 smp_proc_pairing_cmpl(p_cb);
1569 }
1570
1571 /*******************************************************************************
1572 * Function smp_idle_terminate
1573 * Description This function calledin idle state to determine to send
1574 * authentication complete or not.
1575 ******************************************************************************/
smp_idle_terminate(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1576 void smp_idle_terminate(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1577 if (p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD) {
1578 SMP_TRACE_DEBUG("Pairing terminated at IDLE state.");
1579 p_cb->status = SMP_FAIL;
1580 smp_proc_pairing_cmpl(p_cb);
1581 }
1582 }
1583
1584 /*******************************************************************************
1585 * Function smp_both_have_public_keys
1586 * Description The function is called when both local and peer public keys are
1587 * saved.
1588 * Actions:
1589 * - invokes DHKey computation;
1590 * - on peripheral side invokes sending local public key to the
1591 *peer.
1592 * - invokes SC phase 1 process.
1593 ******************************************************************************/
smp_both_have_public_keys(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1594 void smp_both_have_public_keys(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1595 SMP_TRACE_DEBUG("%s", __func__);
1596
1597 /* invokes DHKey computation */
1598 smp_compute_dhkey(p_cb);
1599
1600 /* on peripheral side invokes sending local public key to the peer */
1601 if (p_cb->role == HCI_ROLE_PERIPHERAL) smp_send_pair_public_key(p_cb, NULL);
1602
1603 smp_sm_event(p_cb, SMP_SC_DHKEY_CMPLT_EVT, NULL);
1604 }
1605
1606 /*******************************************************************************
1607 * Function smp_start_secure_connection_phase1
1608 * Description Start Secure Connection phase1 i.e. invokes initialization of
1609 * Secure Connection phase 1 parameters and starts building/sending
1610 * to the peer messages appropriate for the role and association
1611 * model.
1612 ******************************************************************************/
smp_start_secure_connection_phase1(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1613 void smp_start_secure_connection_phase1(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1614 SMP_TRACE_DEBUG("%s", __func__);
1615
1616 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS) {
1617 p_cb->sec_level = SMP_SEC_UNAUTHENTICATE;
1618 SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_UNAUTHENTICATE) ",
1619 p_cb->sec_level);
1620 } else {
1621 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1622 SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_AUTHENTICATED) ",
1623 p_cb->sec_level);
1624 }
1625
1626 switch (p_cb->selected_association_model) {
1627 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1628 case SMP_MODEL_SEC_CONN_NUM_COMP:
1629 p_cb->local_random = {0};
1630 smp_start_nonce_generation(p_cb);
1631 break;
1632 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1633 /* user has to provide passkey */
1634 p_cb->cb_evt = SMP_PASSKEY_REQ_EVT;
1635 smp_sm_event(p_cb, SMP_TK_REQ_EVT, NULL);
1636 break;
1637 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1638 /* passkey has to be provided to user */
1639 SMP_TRACE_DEBUG("Need to generate SC Passkey");
1640 smp_generate_passkey(p_cb, NULL);
1641 break;
1642 case SMP_MODEL_SEC_CONN_OOB:
1643 /* use the available OOB information */
1644 smp_process_secure_connection_oob_data(p_cb, NULL);
1645 break;
1646 default:
1647 SMP_TRACE_ERROR("Association Model = %d is not used in LE SC",
1648 p_cb->selected_association_model);
1649 break;
1650 }
1651 }
1652
1653 /*******************************************************************************
1654 * Function smp_process_local_nonce
1655 * Description The function processes new local nonce.
1656 *
1657 * Note It is supposed to be called in SC phase1.
1658 ******************************************************************************/
smp_process_local_nonce(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1659 void smp_process_local_nonce(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1660 SMP_TRACE_DEBUG("%s", __func__);
1661
1662 switch (p_cb->selected_association_model) {
1663 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1664 case SMP_MODEL_SEC_CONN_NUM_COMP:
1665 if (p_cb->role == HCI_ROLE_PERIPHERAL) {
1666 /* peripheral calculates and sends local commitment */
1667 smp_calculate_local_commitment(p_cb);
1668 smp_send_commitment(p_cb, NULL);
1669 /* peripheral has to wait for peer nonce */
1670 smp_set_state(SMP_STATE_WAIT_NONCE);
1671 } else /* i.e. central */
1672 {
1673 if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_COMM) {
1674 /* peripheral commitment is already received, send local nonce, wait
1675 * for remote nonce*/
1676 SMP_TRACE_DEBUG(
1677 "central in assoc mode = %d "
1678 "already rcvd peripheral commitment - race condition",
1679 p_cb->selected_association_model);
1680 p_cb->flags &= ~SMP_PAIR_FLAG_HAVE_PEER_COMM;
1681 smp_send_rand(p_cb, NULL);
1682 smp_set_state(SMP_STATE_WAIT_NONCE);
1683 }
1684 }
1685 break;
1686 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1687 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1688 smp_calculate_local_commitment(p_cb);
1689
1690 if (p_cb->role == HCI_ROLE_CENTRAL) {
1691 smp_send_commitment(p_cb, NULL);
1692 } else /* peripheral */
1693 {
1694 if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_COMM) {
1695 /* central commitment is already received */
1696 smp_send_commitment(p_cb, NULL);
1697 smp_set_state(SMP_STATE_WAIT_NONCE);
1698 }
1699 }
1700 break;
1701 case SMP_MODEL_SEC_CONN_OOB:
1702 if (p_cb->role == HCI_ROLE_CENTRAL) {
1703 smp_send_rand(p_cb, NULL);
1704 }
1705
1706 smp_set_state(SMP_STATE_WAIT_NONCE);
1707 break;
1708 default:
1709 SMP_TRACE_ERROR("Association Model = %d is not used in LE SC",
1710 p_cb->selected_association_model);
1711 break;
1712 }
1713 }
1714
1715 /*******************************************************************************
1716 * Function smp_process_peer_nonce
1717 * Description The function processes newly received and saved in CB peer
1718 * nonce. The actions depend on the selected association model and
1719 * the role.
1720 *
1721 * Note It is supposed to be called in SC phase1.
1722 ******************************************************************************/
smp_process_peer_nonce(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1723 void smp_process_peer_nonce(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1724 SMP_TRACE_DEBUG("%s start ", __func__);
1725
1726 // PTS Testing failure modes
1727 if (p_cb->cert_failure == SMP_CONFIRM_VALUE_ERR) {
1728 SMP_TRACE_ERROR("%s failure case = %d", __func__, p_cb->cert_failure);
1729 tSMP_INT_DATA smp_int_data;
1730 smp_int_data.status = SMP_CONFIRM_VALUE_ERR;
1731 p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1732 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1733 return;
1734 }
1735 // PTS Testing failure modes (for LT)
1736 if ((p_cb->cert_failure == SMP_NUMERIC_COMPAR_FAIL) &&
1737 (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS) &&
1738 (p_cb->role == HCI_ROLE_PERIPHERAL)) {
1739 SMP_TRACE_ERROR("%s failure case = %d", __func__, p_cb->cert_failure);
1740 tSMP_INT_DATA smp_int_data;
1741 smp_int_data.status = SMP_NUMERIC_COMPAR_FAIL;
1742 p_cb->failure = SMP_NUMERIC_COMPAR_FAIL;
1743 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1744 return;
1745 }
1746
1747 switch (p_cb->selected_association_model) {
1748 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1749 case SMP_MODEL_SEC_CONN_NUM_COMP:
1750 /* in these models only central receives commitment */
1751 if (p_cb->role == HCI_ROLE_CENTRAL) {
1752 if (!smp_check_commitment(p_cb)) {
1753 tSMP_INT_DATA smp_int_data;
1754 smp_int_data.status = SMP_CONFIRM_VALUE_ERR;
1755 p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1756 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1757 break;
1758 }
1759 } else {
1760 /* peripheral sends local nonce */
1761 smp_send_rand(p_cb, NULL);
1762 }
1763
1764 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS) {
1765 if (!GetInterfaceToProfiles()->config->isAndroidTVDevice() &&
1766 (p_cb->local_io_capability == SMP_IO_CAP_IO ||
1767 p_cb->local_io_capability == SMP_IO_CAP_KBDISP)) {
1768 /* display consent dialog */
1769 SMP_TRACE_DEBUG("JUST WORKS showing Consent Dialog");
1770 p_cb->cb_evt = SMP_CONSENT_REQ_EVT;
1771 smp_set_state(SMP_STATE_WAIT_NONCE);
1772 smp_sm_event(p_cb, SMP_SC_DSPL_NC_EVT, NULL);
1773 } else {
1774 /* go directly to phase 2 */
1775 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1776 }
1777 } else /* numeric comparison */
1778 {
1779 smp_set_state(SMP_STATE_WAIT_NONCE);
1780 smp_sm_event(p_cb, SMP_SC_CALC_NC_EVT, NULL);
1781 }
1782 break;
1783 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1784 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1785 if (!smp_check_commitment(p_cb) &&
1786 p_cb->cert_failure != SMP_NUMERIC_COMPAR_FAIL) {
1787 tSMP_INT_DATA smp_int_data;
1788 smp_int_data.status = SMP_CONFIRM_VALUE_ERR;
1789 p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1790 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1791 break;
1792 }
1793
1794 if (p_cb->role == HCI_ROLE_PERIPHERAL) {
1795 smp_send_rand(p_cb, NULL);
1796 }
1797
1798 if (++p_cb->round < 20) {
1799 smp_set_state(SMP_STATE_SEC_CONN_PHS1_START);
1800 p_cb->flags &= ~SMP_PAIR_FLAG_HAVE_PEER_COMM;
1801 smp_start_nonce_generation(p_cb);
1802 break;
1803 }
1804
1805 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1806 break;
1807 case SMP_MODEL_SEC_CONN_OOB:
1808 if (p_cb->role == HCI_ROLE_PERIPHERAL) {
1809 smp_send_rand(p_cb, NULL);
1810 }
1811
1812 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1813 break;
1814 default:
1815 SMP_TRACE_ERROR("Association Model = %d is not used in LE SC",
1816 p_cb->selected_association_model);
1817 break;
1818 }
1819
1820 SMP_TRACE_DEBUG("%s end ", __func__);
1821 }
1822
1823 /*******************************************************************************
1824 * Function smp_match_dhkey_checks
1825 * Description checks if the calculated peer DHKey Check value is the same as
1826 * received from the peer DHKey check value.
1827 ******************************************************************************/
smp_match_dhkey_checks(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1828 void smp_match_dhkey_checks(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1829 SMP_TRACE_DEBUG("%s", __func__);
1830
1831 if (memcmp(p_data->key.p_data, p_cb->remote_dhkey_check.data(),
1832 OCTET16_LEN)) {
1833 SMP_TRACE_WARNING("dhkey chcks do no match");
1834 tSMP_INT_DATA smp_int_data;
1835 smp_int_data.status = SMP_DHKEY_CHK_FAIL;
1836 p_cb->failure = SMP_DHKEY_CHK_FAIL;
1837 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1838 return;
1839 }
1840
1841 SMP_TRACE_EVENT("dhkey chcks match");
1842
1843 /* compare the max encryption key size, and save the smaller one for the link
1844 */
1845 if (p_cb->peer_enc_size < p_cb->loc_enc_size)
1846 p_cb->loc_enc_size = p_cb->peer_enc_size;
1847
1848 if (p_cb->role == HCI_ROLE_PERIPHERAL) {
1849 smp_sm_event(p_cb, SMP_PAIR_DHKEY_CHCK_EVT, NULL);
1850 } else {
1851 /* central device always use received i/r key as keys to distribute */
1852 p_cb->local_i_key = p_cb->peer_i_key;
1853 p_cb->local_r_key = p_cb->peer_r_key;
1854 smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL);
1855 }
1856 }
1857
1858 /*******************************************************************************
1859 * Function smp_move_to_secure_connections_phase2
1860 * Description Signal State Machine to start SC phase 2 initialization (to
1861 * compute local DHKey Check value).
1862 *
1863 * Note SM is supposed to be in the state SMP_STATE_SEC_CONN_PHS2_START.
1864 ******************************************************************************/
smp_move_to_secure_connections_phase2(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1865 void smp_move_to_secure_connections_phase2(tSMP_CB* p_cb,
1866 tSMP_INT_DATA* p_data) {
1867 SMP_TRACE_DEBUG("%s", __func__);
1868 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1869 }
1870
1871 /*******************************************************************************
1872 * Function smp_phase_2_dhkey_checks_are_present
1873 * Description generates event if dhkey check from the peer is already
1874 * received.
1875 *
1876 * Note It is supposed to be used on peripheral to prevent race
1877 *condition. It is supposed to be called after peripheral dhkey check is
1878 * calculated.
1879 ******************************************************************************/
smp_phase_2_dhkey_checks_are_present(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1880 void smp_phase_2_dhkey_checks_are_present(tSMP_CB* p_cb,
1881 tSMP_INT_DATA* p_data) {
1882 SMP_TRACE_DEBUG("%s", __func__);
1883
1884 if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_DHK_CHK)
1885 smp_sm_event(p_cb, SMP_SC_2_DHCK_CHKS_PRES_EVT, NULL);
1886 }
1887
1888 /*******************************************************************************
1889 * Function smp_wait_for_both_public_keys
1890 * Description generates SMP_BOTH_PUBL_KEYS_RCVD_EVT event when both local and
1891 * central public keys are available.
1892 *
1893 * Note on the peripheral it is used to prevent race condition.
1894 *
1895 ******************************************************************************/
smp_wait_for_both_public_keys(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1896 void smp_wait_for_both_public_keys(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1897 SMP_TRACE_DEBUG("%s", __func__);
1898
1899 if ((p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_PUBL_KEY) &&
1900 (p_cb->flags & SMP_PAIR_FLAG_HAVE_LOCAL_PUBL_KEY)) {
1901 if ((p_cb->role == HCI_ROLE_PERIPHERAL) &&
1902 ((p_cb->req_oob_type == SMP_OOB_LOCAL) ||
1903 (p_cb->req_oob_type == SMP_OOB_BOTH))) {
1904 smp_set_state(SMP_STATE_PUBLIC_KEY_EXCH);
1905 }
1906 smp_sm_event(p_cb, SMP_BOTH_PUBL_KEYS_RCVD_EVT, NULL);
1907 }
1908 }
1909
1910 /*******************************************************************************
1911 * Function smp_start_passkey_verification
1912 * Description Starts SC passkey entry verification.
1913 ******************************************************************************/
smp_start_passkey_verification(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1914 void smp_start_passkey_verification(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1915 uint8_t* p = NULL;
1916
1917 SMP_TRACE_DEBUG("%s", __func__);
1918 p = p_cb->local_random.data();
1919 UINT32_TO_STREAM(p, p_data->passkey);
1920
1921 p = p_cb->peer_random.data();
1922 UINT32_TO_STREAM(p, p_data->passkey);
1923
1924 p_cb->round = 0;
1925 smp_start_nonce_generation(p_cb);
1926 }
1927
1928 /*******************************************************************************
1929 * Function smp_process_secure_connection_oob_data
1930 * Description Processes local/peer SC OOB data received from somewhere.
1931 ******************************************************************************/
smp_process_secure_connection_oob_data(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1932 void smp_process_secure_connection_oob_data(tSMP_CB* p_cb,
1933 tSMP_INT_DATA* p_data) {
1934 SMP_TRACE_DEBUG("%s", __func__);
1935
1936 tSMP_SC_OOB_DATA* p_sc_oob_data = &p_cb->sc_oob_data;
1937 if (p_sc_oob_data->loc_oob_data.present) {
1938 p_cb->local_random = p_sc_oob_data->loc_oob_data.randomizer;
1939 } else {
1940 SMP_TRACE_EVENT("%s: local OOB randomizer is absent", __func__);
1941 p_cb->local_random = {0};
1942 }
1943
1944 if (!p_sc_oob_data->peer_oob_data.present) {
1945 SMP_TRACE_EVENT("%s: peer OOB data is absent", __func__);
1946 p_cb->peer_random = {0};
1947 } else {
1948 p_cb->peer_random = p_sc_oob_data->peer_oob_data.randomizer;
1949 p_cb->remote_commitment = p_sc_oob_data->peer_oob_data.commitment;
1950
1951 /* check commitment */
1952 if (!smp_check_commitment(p_cb)) {
1953 tSMP_INT_DATA smp_int_data;
1954 smp_int_data.status = SMP_CONFIRM_VALUE_ERR;
1955 p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1956 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1957 return;
1958 }
1959
1960 if (p_cb->peer_oob_flag != SMP_OOB_PRESENT) {
1961 /* the peer doesn't have local randomiser */
1962 SMP_TRACE_EVENT(
1963 "%s: peer didn't receive local OOB data, set local randomizer to 0",
1964 __func__);
1965 p_cb->local_random = {0};
1966 }
1967 }
1968
1969 print128(p_cb->local_random, (const uint8_t*)"local OOB randomizer");
1970 print128(p_cb->peer_random, (const uint8_t*)"peer OOB randomizer");
1971 smp_start_nonce_generation(p_cb);
1972 }
1973
1974 /*******************************************************************************
1975 * Function smp_set_local_oob_keys
1976 * Description Saves calculated private/public keys in
1977 * sc_oob_data.loc_oob_data, starts nonce generation
1978 * (to be saved in sc_oob_data.loc_oob_data.randomizer).
1979 ******************************************************************************/
smp_set_local_oob_keys(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1980 void smp_set_local_oob_keys(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1981 SMP_TRACE_DEBUG("%s", __func__);
1982
1983 memcpy(p_cb->sc_oob_data.loc_oob_data.private_key_used, p_cb->private_key,
1984 BT_OCTET32_LEN);
1985 p_cb->sc_oob_data.loc_oob_data.publ_key_used = p_cb->loc_publ_key;
1986 smp_start_nonce_generation(p_cb);
1987 }
1988
1989 /*******************************************************************************
1990 * Function smp_set_local_oob_random_commitment
1991 * Description Saves calculated randomizer and commitment in
1992 * sc_oob_data.loc_oob_data, passes sc_oob_data.loc_oob_data up
1993 * for safekeeping.
1994 ******************************************************************************/
smp_set_local_oob_random_commitment(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1995 void smp_set_local_oob_random_commitment(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1996 SMP_TRACE_DEBUG("%s", __func__);
1997 p_cb->sc_oob_data.loc_oob_data.randomizer = p_cb->rand;
1998
1999 p_cb->sc_oob_data.loc_oob_data.commitment =
2000 crypto_toolbox::f4(p_cb->sc_oob_data.loc_oob_data.publ_key_used.x,
2001 p_cb->sc_oob_data.loc_oob_data.publ_key_used.x,
2002 p_cb->sc_oob_data.loc_oob_data.randomizer, 0);
2003
2004 p_cb->sc_oob_data.loc_oob_data.present = true;
2005
2006 /* pass created OOB data up */
2007 p_cb->cb_evt = SMP_SC_LOC_OOB_DATA_UP_EVT;
2008 smp_send_app_cback(p_cb, NULL);
2009
2010 // Store the data for later use when we are paired with
2011 // Event though the doc above says to pass up for safe keeping it never gets
2012 // kept safe. Additionally, when we need the data to make a decision we
2013 // wouldn't have it. This will save the sc_oob_data in the smp_keys.cc such
2014 // that when we receive a request to create new keys we check to see if the
2015 // sc_oob_data exists and utilize the keys that are stored there otherwise the
2016 // connector will fail commitment check and dhkey exchange.
2017 smp_save_local_oob_data(p_cb);
2018
2019 smp_cb_cleanup(p_cb);
2020 }
2021
2022 /*******************************************************************************
2023 *
2024 * Function smp_link_encrypted
2025 *
2026 * Description This function is called when link is encrypted and notified
2027 * to the peripheral device. Proceed to to send LTK, DIV and ER
2028 *to central if bonding the devices.
2029 *
2030 *
2031 * Returns void
2032 *
2033 ******************************************************************************/
smp_link_encrypted(const RawAddress & bda,uint8_t encr_enable)2034 void smp_link_encrypted(const RawAddress& bda, uint8_t encr_enable) {
2035 tSMP_CB* p_cb = &smp_cb;
2036
2037 if (smp_cb.pairing_bda == bda) {
2038 LOG_DEBUG("SMP encryption enable:%hhu device:%s", encr_enable,
2039 ADDRESS_TO_LOGGABLE_CSTR(bda));
2040
2041 /* encryption completed with STK, remember the key size now, could be
2042 * overwritten when key exchange happens */
2043 if (p_cb->loc_enc_size != 0 && encr_enable) {
2044 /* update the link encryption key size if a SMP pairing just performed */
2045 btm_ble_update_sec_key_size(bda, p_cb->loc_enc_size);
2046 }
2047
2048 tSMP_INT_DATA smp_int_data = {
2049 // TODO This is not a tSMP_STATUS
2050 .status = static_cast<tSMP_STATUS>(encr_enable),
2051 };
2052
2053 smp_sm_event(&smp_cb, SMP_ENCRYPTED_EVT, &smp_int_data);
2054 } else {
2055 LOG_WARN(
2056 "SMP state machine busy so skipping encryption enable:%hhu device:%s",
2057 encr_enable, ADDRESS_TO_LOGGABLE_CSTR(bda));
2058 }
2059 }
2060
smp_cancel_start_encryption_attempt()2061 void smp_cancel_start_encryption_attempt() {
2062 SMP_TRACE_ERROR("%s: Encryption request cancelled", __func__);
2063 smp_sm_event(&smp_cb, SMP_DISCARD_SEC_REQ_EVT, NULL);
2064 }
2065
2066 /*******************************************************************************
2067 *
2068 * Function smp_proc_ltk_request
2069 *
2070 * Description This function is called when LTK request is received from
2071 * controller.
2072 *
2073 * Returns void
2074 *
2075 ******************************************************************************/
smp_proc_ltk_request(const RawAddress & bda)2076 bool smp_proc_ltk_request(const RawAddress& bda) {
2077 SMP_TRACE_DEBUG("%s state = %d", __func__, smp_cb.state);
2078 bool match = false;
2079
2080 if (bda == smp_cb.pairing_bda) {
2081 match = true;
2082 } else {
2083 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda);
2084 if (p_dev_rec != NULL && p_dev_rec->ble.pseudo_addr == smp_cb.pairing_bda &&
2085 p_dev_rec->ble.pseudo_addr != RawAddress::kEmpty) {
2086 match = true;
2087 }
2088 }
2089
2090 if (match && smp_cb.state == SMP_STATE_ENCRYPTION_PENDING) {
2091 smp_sm_event(&smp_cb, SMP_ENC_REQ_EVT, NULL);
2092 return true;
2093 }
2094
2095 return false;
2096 }
2097
2098 /*******************************************************************************
2099 *
2100 * Function smp_process_secure_connection_long_term_key
2101 *
2102 * Description This function is called to process SC LTK.
2103 * SC LTK is calculated and used instead of STK.
2104 * Here SC LTK is saved in BLE DB.
2105 *
2106 * Returns void
2107 *
2108 ******************************************************************************/
smp_process_secure_connection_long_term_key(void)2109 void smp_process_secure_connection_long_term_key(void) {
2110 tSMP_CB* p_cb = &smp_cb;
2111
2112 SMP_TRACE_DEBUG("%s", __func__);
2113 smp_save_secure_connections_long_term_key(p_cb);
2114
2115 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, false);
2116 smp_key_distribution(p_cb, NULL);
2117 }
2118
2119 /*******************************************************************************
2120 *
2121 * Function smp_set_derive_link_key
2122 *
2123 * Description This function is called to set flag that indicates that
2124 * BR/EDR LK has to be derived from LTK after all keys are
2125 * distributed.
2126 *
2127 * Returns void
2128 *
2129 ******************************************************************************/
smp_set_derive_link_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2130 void smp_set_derive_link_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
2131 SMP_TRACE_DEBUG("%s", __func__);
2132 p_cb->derive_lk = true;
2133 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_LK, false);
2134 smp_key_distribution(p_cb, NULL);
2135 }
2136
2137 /*******************************************************************************
2138 *
2139 * Function smp_derive_link_key_from_long_term_key
2140 *
2141 * Description This function is called to derive BR/EDR LK from LTK.
2142 *
2143 * Returns void
2144 *
2145 ******************************************************************************/
smp_derive_link_key_from_long_term_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2146 void smp_derive_link_key_from_long_term_key(tSMP_CB* p_cb,
2147 tSMP_INT_DATA* p_data) {
2148 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN;
2149
2150 SMP_TRACE_DEBUG("%s", __func__);
2151 if (!smp_calculate_link_key_from_long_term_key(p_cb)) {
2152 SMP_TRACE_ERROR("%s failed", __func__);
2153 tSMP_INT_DATA smp_int_data;
2154 smp_int_data.status = status;
2155 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
2156 return;
2157 }
2158 }
2159
2160 /*******************************************************************************
2161 *
2162 * Function smp_br_process_link_key
2163 *
2164 * Description This function is called to process BR/EDR LK:
2165 * - to derive SMP LTK from BR/EDR LK;
2166 * - to save SMP LTK.
2167 *
2168 * Returns void
2169 *
2170 ******************************************************************************/
smp_br_process_link_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2171 void smp_br_process_link_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
2172 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN;
2173
2174 SMP_TRACE_DEBUG("%s", __func__);
2175 if (!smp_calculate_long_term_key_from_link_key(p_cb)) {
2176 SMP_TRACE_ERROR("%s: failed", __func__);
2177 tSMP_INT_DATA smp_int_data;
2178 smp_int_data.status = status;
2179 smp_sm_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
2180 return;
2181 }
2182
2183 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
2184 if (p_dev_rec) {
2185 SMP_TRACE_DEBUG("%s: dev_type = %d ", __func__, p_dev_rec->device_type);
2186 p_dev_rec->device_type |= BT_DEVICE_TYPE_BLE;
2187 } else {
2188 SMP_TRACE_ERROR("%s failed to find Security Record", __func__);
2189 }
2190
2191 SMP_TRACE_DEBUG("%s: LTK derivation from LK successfully completed",
2192 __func__);
2193 smp_save_secure_connections_long_term_key(p_cb);
2194 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, false);
2195 smp_br_select_next_key(p_cb, NULL);
2196 }
2197
2198 /*******************************************************************************
2199 * Function smp_key_distribution_by_transport
2200 * Description depending on the transport used at the moment calls either
2201 * smp_key_distribution(...) or smp_br_key_distribution(...).
2202 ******************************************************************************/
smp_key_distribution_by_transport(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2203 void smp_key_distribution_by_transport(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
2204 SMP_TRACE_DEBUG("%s", __func__);
2205 if (p_cb->smp_over_br) {
2206 smp_br_select_next_key(p_cb, NULL);
2207 } else {
2208 smp_key_distribution(p_cb, NULL);
2209 }
2210 }
2211
2212 /*******************************************************************************
2213 * Function smp_br_pairing_complete
2214 * Description This function is called to send the pairing complete
2215 * callback and remove the connection if needed.
2216 ******************************************************************************/
smp_br_pairing_complete(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2217 void smp_br_pairing_complete(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
2218 SMP_TRACE_DEBUG("%s", __func__);
2219
2220 if (p_cb->total_tx_unacked == 0) {
2221 /* process the pairing complete */
2222 smp_proc_pairing_cmpl(p_cb);
2223 }
2224 }
2225