1 /******************************************************************************
2 *
3 * Copyright (C) 2003-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 #include "bt_target.h"
20
21 #if SMP_INCLUDED == TRUE
22
23 #include <string.h>
24 #include "btm_int.h"
25 #include "l2c_api.h"
26 #include "smp_int.h"
27
28
29 const UINT8 smp_association_table[2][SMP_IO_CAP_MAX][SMP_IO_CAP_MAX] =
30 {
31 /* initiator */
32 {{SMP_MODEL_ENC_ONLY, SMP_MODEL_ENC_ONLY, SMP_MODEL_PASSKEY, SMP_MODEL_ENC_ONLY, SMP_MODEL_PASSKEY}, /* Display Only */
33 {SMP_MODEL_ENC_ONLY, SMP_MODEL_ENC_ONLY, SMP_MODEL_PASSKEY, SMP_MODEL_ENC_ONLY, SMP_MODEL_PASSKEY}, /* SMP_CAP_IO = 1 */
34 {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY, SMP_MODEL_ENC_ONLY, SMP_MODEL_KEY_NOTIF}, /* keyboard only */
35 {SMP_MODEL_ENC_ONLY, SMP_MODEL_ENC_ONLY, SMP_MODEL_ENC_ONLY, SMP_MODEL_ENC_ONLY, SMP_MODEL_ENC_ONLY},/* No Input No Output */
36 {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY, SMP_MODEL_ENC_ONLY, SMP_MODEL_KEY_NOTIF}}, /* keyboard display */
37 /* responder */
38 {{SMP_MODEL_ENC_ONLY, SMP_MODEL_ENC_ONLY, SMP_MODEL_KEY_NOTIF, SMP_MODEL_ENC_ONLY, SMP_MODEL_KEY_NOTIF}, /* Display Only */
39 {SMP_MODEL_ENC_ONLY, SMP_MODEL_ENC_ONLY, SMP_MODEL_KEY_NOTIF, SMP_MODEL_ENC_ONLY, SMP_MODEL_KEY_NOTIF}, /* SMP_CAP_IO = 1 */
40 {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_ENC_ONLY, SMP_MODEL_PASSKEY}, /* keyboard only */
41 {SMP_MODEL_ENC_ONLY, SMP_MODEL_ENC_ONLY, SMP_MODEL_ENC_ONLY, SMP_MODEL_ENC_ONLY, SMP_MODEL_ENC_ONLY},/* No Input No Output */
42 {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_KEY_NOTIF, SMP_MODEL_ENC_ONLY, SMP_MODEL_PASSKEY}} /* keyboard display */
43 /* display only */ /*SMP_CAP_IO = 1 */ /* keyboard only */ /* No InputOutput */ /* keyboard display */
44 };
45
46 const tSMP_ACT smp_distribute_act [] =
47 {
48 smp_generate_ltk,
49 smp_send_id_info,
50 smp_generate_csrk
51 };
52
53 /*******************************************************************************
54 ** Function smp_update_key_mask
55 ** Description This function updates the key mask for sending or receiving.
56 *******************************************************************************/
smp_update_key_mask(tSMP_CB * p_cb,UINT8 key_type,BOOLEAN recv)57 static void smp_update_key_mask (tSMP_CB *p_cb, UINT8 key_type, BOOLEAN recv)
58 {
59 SMP_TRACE_DEBUG0 ("smp_update_key_mask ");
60 SMP_TRACE_DEBUG4("before update role=%d recv=%d loc_i_key = %02x, loc_r_key = %02x", p_cb->role, recv, p_cb->loc_i_key, p_cb->loc_r_key);
61 if (p_cb->role == HCI_ROLE_SLAVE)
62 {
63 if (recv)
64 p_cb->loc_i_key &= ~key_type;
65 else
66 p_cb->loc_r_key &= ~key_type;
67 }
68 else
69 {
70 if (recv)
71 p_cb->loc_r_key &= ~key_type;
72 else
73 p_cb->loc_i_key &= ~key_type;
74 }
75
76 SMP_TRACE_DEBUG2("updated loc_i_key = %02x, loc_r_key = %02x", p_cb->loc_i_key, p_cb->loc_r_key);
77 }
78 /*******************************************************************************
79 ** Function smp_io_cap_req
80 ** Description send SMP IO request
81 *******************************************************************************/
smp_send_app_cback(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)82 void smp_send_app_cback(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
83 {
84 tSMP_EVT_DATA cb_data;
85 tSMP_STATUS callback_rc;
86 SMP_TRACE_DEBUG1 ("smp_send_app_cback p_cb->cb_evt=%d", p_cb->cb_evt );
87 if (p_cb->p_callback && p_cb->cb_evt != 0)
88 {
89 if (p_cb->cb_evt == SMP_IO_CAP_REQ_EVT)
90 {
91 cb_data.io_req.auth_req = p_cb->peer_auth_req;
92 cb_data.io_req.oob_data = SMP_OOB_NONE;
93 cb_data.io_req.io_cap = SMP_DEFAULT_IO_CAPS;
94 cb_data.io_req.max_key_size = SMP_MAX_ENC_KEY_SIZE;
95 cb_data.io_req.init_keys = p_cb->loc_i_key ;
96 cb_data.io_req.resp_keys = p_cb->loc_r_key ;
97
98 SMP_TRACE_WARNING1( "io_cap = %d",cb_data.io_req.io_cap);
99 }
100 callback_rc = (*p_cb->p_callback)(p_cb->cb_evt, p_cb->pairing_bda, &cb_data);
101
102 SMP_TRACE_DEBUG2 ("callback_rc=%d p_cb->cb_evt=%d",callback_rc, p_cb->cb_evt );
103
104 if (callback_rc == SMP_SUCCESS && p_cb->cb_evt == SMP_IO_CAP_REQ_EVT)
105 {
106 p_cb->loc_auth_req = cb_data.io_req.auth_req;
107 p_cb->loc_io_caps = cb_data.io_req.io_cap;
108 p_cb->loc_oob_flag = cb_data.io_req.oob_data;
109 p_cb->loc_enc_size = cb_data.io_req.max_key_size;
110 p_cb->loc_i_key = cb_data.io_req.init_keys;
111 p_cb->loc_r_key = cb_data.io_req.resp_keys;
112
113 SMP_TRACE_WARNING2( "new io_cap = %d p_cb->loc_enc_size = %d",p_cb->loc_io_caps, p_cb->loc_enc_size);
114
115 smp_sm_event(p_cb, SMP_IO_RSP_EVT, NULL);
116 }
117 }
118
119 if (!p_cb->cb_evt && p_cb->discard_sec_req)
120 {
121 p_cb->discard_sec_req = FALSE;
122 smp_sm_event(p_cb, SMP_DISCARD_SEC_REQ_EVT, NULL);
123 }
124 SMP_TRACE_DEBUG0 ("smp_send_app_cback return");
125 }
126 /*******************************************************************************
127 ** Function smp_send_pair_fail
128 ** Description pairing failure to peer device if needed.
129 *******************************************************************************/
smp_send_pair_fail(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)130 void smp_send_pair_fail(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
131 {
132 p_cb->status = *(UINT8 *)p_data;
133 p_cb->failure = *(UINT8 *)p_data;
134
135 SMP_TRACE_DEBUG2 ("smp_send_pair_fail status=%d failure=%d ",p_cb->status, p_cb->failure);
136
137 if (p_cb->status <= SMP_REPEATED_ATTEMPTS && p_cb->status != SMP_SUCCESS)
138 {
139 smp_send_cmd(SMP_OPCODE_PAIRING_FAILED, p_cb);
140 }
141 }
142
143 /*******************************************************************************
144 ** Function smp_send_pair_req
145 ** Description process pairing request to slave device
146 *******************************************************************************/
smp_send_pair_req(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)147 void smp_send_pair_req(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
148 {
149 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (p_cb->pairing_bda);
150 SMP_TRACE_DEBUG0 ("smp_send_pair_req ");
151
152 #if BLE_INCLUDED == TRUE
153 /* Disable L2CAP connection parameter updates while bonding since
154 some peripherals are not able to revert to fast connection parameters
155 during the start of service discovery. Connection paramter updates
156 get enabled again once service discovery completes. */
157 L2CA_EnableUpdateBleConnParams(p_cb->pairing_bda, FALSE);
158 #endif
159
160 /* erase all keys when master sends pairing req*/
161 if (p_dev_rec)
162 btm_sec_clear_ble_keys(p_dev_rec);
163 /* do not manipulate the key, let app decide,
164 leave out to BTM to mandate key distribution for bonding case */
165 smp_send_cmd(SMP_OPCODE_PAIRING_REQ, p_cb);
166 }
167 /*******************************************************************************
168 ** Function smp_send_pair_rsp
169 ** Description process pairing response to slave device
170 *******************************************************************************/
smp_send_pair_rsp(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)171 void smp_send_pair_rsp(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
172 {
173 SMP_TRACE_DEBUG0 ("smp_send_pair_rsp ");
174
175 p_cb->loc_i_key &= p_cb->peer_i_key;
176 p_cb->loc_r_key &= p_cb->peer_r_key;
177
178 if (smp_send_cmd (SMP_OPCODE_PAIRING_RSP, p_cb))
179 {
180 smp_decide_asso_model(p_cb, NULL);
181 }
182 }
183
184 /*******************************************************************************
185 ** Function smp_send_pair_request
186 ** Description process pairing request to slave device
187 *******************************************************************************/
smp_send_confirm(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)188 void smp_send_confirm(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
189 {
190 SMP_TRACE_DEBUG0 ("smp_send_confirm ");
191 smp_send_cmd(SMP_OPCODE_CONFIRM, p_cb);
192 }
193 /*******************************************************************************
194 ** Function smp_send_init
195 ** Description process pairing initializer to slave device
196 *******************************************************************************/
smp_send_init(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)197 void smp_send_init(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
198 {
199 SMP_TRACE_DEBUG0 ("smp_send_init ");
200
201 #if SMP_CONFORMANCE_TESTING == TRUE
202 if (p_cb->enable_test_rand_val)
203 {
204 SMP_TRACE_DEBUG0 ("Use rand value from script");
205 memcpy(p_cb->rand, p_cb->test_rand, BT_OCTET16_LEN);
206 }
207 #endif
208
209 smp_send_cmd(SMP_OPCODE_INIT, p_cb);
210 }
211 /*******************************************************************************
212 ** Function smp_send_enc_info
213 ** Description send security information command.
214 *******************************************************************************/
smp_send_enc_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)215 void smp_send_enc_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
216 {
217 tBTM_LE_LENC_KEYS le_key;
218
219 SMP_TRACE_DEBUG1 ("smp_send_enc_info p_cb->loc_enc_size = %d", p_cb->loc_enc_size);
220 smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_ENC, FALSE);
221
222 smp_send_cmd(SMP_OPCODE_ENCRYPT_INFO, p_cb);
223 smp_send_cmd(SMP_OPCODE_MASTER_ID, p_cb);
224
225 /* save the DIV and key size information when acting as slave device */
226 le_key.div = p_cb->div;
227 le_key.key_size = p_cb->loc_enc_size;
228 le_key.sec_level = p_cb->sec_level;
229 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC, (tBTM_LE_KEY_VALUE *)&le_key, TRUE);
230
231 SMP_TRACE_WARNING0( "smp_send_enc_info");
232
233 smp_key_distribution(p_cb, NULL);
234 }
235 /*******************************************************************************
236 ** Function smp_send_id_info
237 ** Description send ID information command.
238 *******************************************************************************/
smp_send_id_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)239 void smp_send_id_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
240 {
241 SMP_TRACE_DEBUG0 ("smp_send_id_info ");
242 smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_ID, FALSE);
243
244 smp_send_cmd(SMP_OPCODE_IDENTITY_INFO, p_cb);
245 smp_send_cmd(SMP_OPCODE_ID_ADDR, p_cb);
246
247 SMP_TRACE_WARNING0( "smp_send_id_info");
248
249 smp_key_distribution(p_cb, NULL);
250 }
251 /*******************************************************************************
252 ** Function smp_send_csrk_info
253 ** Description send CSRK command.
254 *******************************************************************************/
smp_send_csrk_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)255 void smp_send_csrk_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
256 {
257 tBTM_LE_KEY_VALUE key;
258 SMP_TRACE_DEBUG0 ("smp_send_csrk_info ");
259 smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_CSRK, FALSE);
260
261 if (smp_send_cmd(SMP_OPCODE_SIGN_INFO, p_cb))
262 {
263 key.lcsrk_key.div = p_cb->div;
264 key.lcsrk_key.sec_level = p_cb->sec_level;
265 key.lcsrk_key.counter = 0; /* initialize the local counter */
266 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LCSRK, &key, TRUE);
267 }
268
269 smp_key_distribution(p_cb, NULL);
270 }
271
272 /*******************************************************************************
273 ** Function smp_send_ltk_reply
274 ** Description send LTK reply
275 *******************************************************************************/
smp_send_ltk_reply(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)276 void smp_send_ltk_reply(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
277 {
278 SMP_TRACE_DEBUG0 ("smp_send_ltk_reply ");
279 /* send stk as LTK response */
280 btm_ble_ltk_request_reply(p_cb->pairing_bda, TRUE, p_data->key.p_data);
281 }
282 /*******************************************************************************
283 ** Function smp_proc_sec_req
284 ** Description process security request.
285 *******************************************************************************/
smp_proc_sec_req(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)286 void smp_proc_sec_req(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
287 {
288 tBTM_LE_AUTH_REQ auth_req = *(tBTM_LE_AUTH_REQ *)p_data;
289 tBTM_BLE_SEC_REQ_ACT sec_req_act;
290
291
292 SMP_TRACE_DEBUG1 ("smp_proc_sec_req auth_req=0x%x",auth_req);
293
294 p_cb->cb_evt = 0;
295
296 btm_ble_link_sec_check(p_cb->pairing_bda, auth_req, &sec_req_act);
297
298 SMP_TRACE_DEBUG1 ("smp_proc_sec_req sec_req_act=0x%x",sec_req_act);
299
300 switch (sec_req_act)
301 {
302 case BTM_BLE_SEC_REQ_ACT_ENCRYPT:
303 SMP_TRACE_DEBUG0 ("smp_proc_sec_req BTM_BLE_SEC_REQ_ACT_ENCRYPT");
304 smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL);
305 break;
306
307 case BTM_BLE_SEC_REQ_ACT_PAIR:
308 /* initialize local i/r key to be default keys */
309 SMP_TRACE_DEBUG0 ("smp_proc_sec_req BTM_BLE_SEC_REQ_ACT_PAIR");
310 p_cb->peer_auth_req = auth_req;
311 p_cb->loc_r_key = p_cb->loc_i_key = SMP_SEC_DEFAULT_KEY ;
312 p_cb->cb_evt = SMP_SEC_REQUEST_EVT;
313 break;
314
315 case BTM_BLE_SEC_REQ_ACT_DISCARD:
316 p_cb->discard_sec_req = TRUE;
317 break;
318
319 default:
320 /* do nothing */
321 break;
322 }
323 }
324 /*******************************************************************************
325 ** Function smp_proc_sec_grant
326 ** Description process security grant.
327 *******************************************************************************/
smp_proc_sec_grant(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)328 void smp_proc_sec_grant(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
329 {
330 UINT8 res= *(UINT8 *)p_data;
331 SMP_TRACE_DEBUG0 ("smp_proc_sec_grant ");
332 if (res != SMP_SUCCESS)
333 {
334 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, p_data);
335 }
336 else /*otherwise, start pairing */
337 {
338 /* send IO request callback */
339 p_cb->cb_evt = SMP_IO_CAP_REQ_EVT;
340 }
341 }
342 /*******************************************************************************
343 ** Function smp_proc_pair_fail
344 ** Description process pairing failure from peer device
345 *******************************************************************************/
smp_proc_pair_fail(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)346 void smp_proc_pair_fail(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
347 {
348 SMP_TRACE_DEBUG0 ("smp_proc_pair_fail ");
349 p_cb->status = *(UINT8 *)p_data;
350 }
351 /*******************************************************************************
352 ** Function smp_proc_pair_cmd
353 ** Description Process the SMP pairing request/response from peer device
354 *******************************************************************************/
smp_proc_pair_cmd(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)355 void smp_proc_pair_cmd(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
356 {
357 UINT8 *p = (UINT8 *)p_data;
358 UINT8 reason = SMP_ENC_KEY_SIZE;
359 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (p_cb->pairing_bda);
360
361 SMP_TRACE_DEBUG0 ("smp_proc_pair_cmd ");
362 /* erase all keys if it is slave proc pairing req*/
363 if (p_dev_rec && (p_cb->role == HCI_ROLE_SLAVE))
364 btm_sec_clear_ble_keys(p_dev_rec);
365
366 p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR;
367
368 STREAM_TO_UINT8(p_cb->peer_io_caps, p);
369 STREAM_TO_UINT8(p_cb->peer_oob_flag, p);
370 STREAM_TO_UINT8(p_cb->peer_auth_req, p);
371 STREAM_TO_UINT8(p_cb->peer_enc_size, p);
372 STREAM_TO_UINT8(p_cb->peer_i_key, p);
373 STREAM_TO_UINT8(p_cb->peer_r_key, p);
374
375 #if SMP_CONFORMANCE_TESTING == TRUE
376 if (p_cb->enable_test_pair_fail)
377 {
378 SMP_TRACE_DEBUG0 ("Forced pair fair");
379 if (p_cb->peer_enc_size < SMP_MIN_ENC_KEY_SIZE)
380 {
381 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
382 }
383 else
384 {
385 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &(p_cb->pair_fail_status));
386 }
387 return;
388 }
389 #endif
390
391
392 if (p_cb->peer_enc_size < SMP_MIN_ENC_KEY_SIZE)
393 {
394 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
395 }
396 else if (p_cb->role == HCI_ROLE_SLAVE)
397 {
398 if (!(p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD))
399 {
400 p_cb->loc_i_key = p_cb->peer_i_key;
401 p_cb->loc_r_key = p_cb->peer_r_key;
402 }
403 else /* update local i/r key according to pairing request */
404 {
405 p_cb->loc_i_key &= p_cb->peer_i_key;
406 p_cb->loc_r_key &= p_cb->peer_r_key;
407 }
408
409 p_cb->cb_evt = SMP_SEC_REQUEST_EVT;
410 }
411 }
412 /*******************************************************************************
413 ** Function smp_proc_confirm
414 ** Description process pairing confirm from peer device
415 *******************************************************************************/
smp_proc_confirm(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)416 void smp_proc_confirm(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
417 {
418 UINT8 *p = (UINT8 *)p_data;
419
420 SMP_TRACE_DEBUG0 ("smp_proc_confirm ");
421 if (p != NULL)
422 {
423 /* save the SConfirm for comparison later */
424 STREAM_TO_ARRAY(p_cb->rconfirm, p, BT_OCTET16_LEN);
425 }
426
427 p_cb->flags |= SMP_PAIR_FLAGS_CMD_CONFIRM;
428 }
429
430 /*******************************************************************************
431 ** Function smp_proc_init
432 ** Description process pairing initializer from peer device
433 *******************************************************************************/
smp_proc_init(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)434 void smp_proc_init(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
435 {
436 UINT8 *p = (UINT8 *)p_data;
437 SMP_TRACE_DEBUG0 ("smp_proc_init ");
438 /* save the SRand for comparison */
439 STREAM_TO_ARRAY(p_cb->rrand, p, BT_OCTET16_LEN);
440
441 }
442 /*******************************************************************************
443 ** Function smp_proc_enc_info
444 ** Description process encryption information from peer device
445 *******************************************************************************/
smp_proc_enc_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)446 void smp_proc_enc_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
447 {
448 UINT8 *p = (UINT8 *)p_data;
449
450 SMP_TRACE_DEBUG0 ("smp_proc_enc_info ");
451 STREAM_TO_ARRAY(p_cb->ltk, p, BT_OCTET16_LEN);
452
453 smp_key_distribution(p_cb, NULL);
454 }
455 /*******************************************************************************
456 ** Function smp_proc_master_id
457 ** Description process master ID from slave device
458 *******************************************************************************/
smp_proc_master_id(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)459 void smp_proc_master_id(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
460 {
461 UINT8 *p = (UINT8 *)p_data;
462 tBTM_LE_PENC_KEYS le_key;
463
464 SMP_TRACE_DEBUG0 (" smp_proc_master_id");
465 smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_ENC, TRUE);
466
467 STREAM_TO_UINT16(le_key.ediv, p);
468 STREAM_TO_ARRAY(le_key.rand, p, BT_OCTET8_LEN );
469
470 /* store the encryption keys from peer device */
471 memcpy(le_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
472 le_key.sec_level = p_cb->sec_level;
473 le_key.key_size = p_cb->loc_enc_size;
474 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC, (tBTM_LE_KEY_VALUE *)&le_key, TRUE);
475
476 smp_key_distribution(p_cb, NULL);
477 }
478 /*******************************************************************************
479 ** Function smp_proc_enc_info
480 ** Description process identity information from peer device
481 *******************************************************************************/
smp_proc_id_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)482 void smp_proc_id_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
483 {
484 UINT8 *p = (UINT8 *)p_data;
485
486 SMP_TRACE_DEBUG0 ("smp_proc_id_info ");
487 STREAM_TO_ARRAY (p_cb->tk, p, BT_OCTET16_LEN); /* reuse TK for IRK */
488
489 smp_key_distribution(p_cb, NULL);
490 }
491 /*******************************************************************************
492 ** Function smp_proc_id_addr
493 ** Description process identity address from peer device
494 *******************************************************************************/
smp_proc_id_addr(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)495 void smp_proc_id_addr(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
496 {
497 UINT8 *p = (UINT8 *)p_data;
498 tBTM_LE_PID_KEYS pid_key;
499
500 SMP_TRACE_DEBUG0 ("smp_proc_id_addr ");
501 smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_ID, TRUE);
502
503 STREAM_TO_UINT8(pid_key.addr_type, p);
504 STREAM_TO_BDADDR(pid_key.static_addr, p);
505 memcpy(pid_key.irk, p_cb->tk, BT_OCTET16_LEN);
506
507 /* store the ID key from peer device */
508 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PID, (tBTM_LE_KEY_VALUE *)&pid_key, TRUE);
509
510 smp_key_distribution(p_cb, NULL);
511 }
512 /*******************************************************************************
513 ** Function smp_proc_srk_info
514 ** Description process security information from peer device
515 *******************************************************************************/
smp_proc_srk_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)516 void smp_proc_srk_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
517 {
518 tBTM_LE_PCSRK_KEYS le_key;
519
520 SMP_TRACE_DEBUG0 ("smp_proc_srk_info ");
521 smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_CSRK, TRUE);
522
523 /* save CSRK to security record */
524 le_key.sec_level = p_cb->sec_level;
525 memcpy (le_key.csrk, p_data, BT_OCTET16_LEN); /* get peer CSRK */
526 le_key.counter = 0; /* initialize the peer counter */
527 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PCSRK, (tBTM_LE_KEY_VALUE *)&le_key, TRUE);
528
529 smp_key_distribution(p_cb, NULL);
530 }
531
532 /*******************************************************************************
533 ** Function smp_proc_compare
534 ** Description process compare value
535 *******************************************************************************/
smp_proc_compare(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)536 void smp_proc_compare(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
537 {
538 UINT8 reason;
539
540 SMP_TRACE_DEBUG0 ("smp_proc_compare ");
541 if (
542 #if SMP_CONFORMANCE_TESTING == TRUE
543 p_cb->skip_test_compare_check ||
544 #endif
545 !memcmp(p_cb->rconfirm, p_data->key.p_data, BT_OCTET16_LEN))
546 {
547 /* compare the max encryption key size, and save the smaller one for the link */
548 if ( p_cb->peer_enc_size < p_cb->loc_enc_size)
549 p_cb->loc_enc_size = p_cb->peer_enc_size;
550
551 if (p_cb->role == HCI_ROLE_SLAVE)
552 smp_sm_event(p_cb, SMP_RAND_EVT, NULL);
553 else
554 {
555 /* master device always use received i/r key as keys to distribute */
556 p_cb->loc_i_key = p_cb->peer_i_key;
557 p_cb->loc_r_key = p_cb->peer_r_key;
558
559 smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL);
560 }
561
562 }
563 else
564 {
565 reason = p_cb->failure = SMP_CONFIRM_VALUE_ERR;
566 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
567 }
568 }
569 /*******************************************************************************
570 ** Function smp_proc_sl_key
571 ** Description process key ready events.
572 *******************************************************************************/
smp_proc_sl_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)573 void smp_proc_sl_key(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
574 {
575 UINT8 key_type = p_data->key.key_type;
576
577 SMP_TRACE_DEBUG0 ("smp_proc_sl_keysmp_proc_sl_key ");
578 if (key_type == SMP_KEY_TYPE_TK)
579 {
580 smp_generate_confirm(p_cb, NULL);
581 }
582 else if (key_type == SMP_KEY_TYPE_CFM)
583 {
584 smp_set_state(SMP_ST_WAIT_CONFIRM);
585
586 if (p_cb->flags & SMP_PAIR_FLAGS_CMD_CONFIRM)
587 smp_sm_event(p_cb, SMP_CONFIRM_EVT, NULL);
588
589 }
590 }
591 /*******************************************************************************
592 ** Function smp_start_enc
593 ** Description start encryption
594 *******************************************************************************/
smp_start_enc(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)595 void smp_start_enc(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
596 {
597 BOOLEAN cmd;
598 UINT8 reason = SMP_ENC_FAIL;
599
600 SMP_TRACE_DEBUG0 ("smp_start_enc ");
601 if (p_data != NULL)
602 cmd = btm_ble_start_encrypt(p_cb->pairing_bda, TRUE, p_data->key.p_data);
603 else
604 cmd = btm_ble_start_encrypt(p_cb->pairing_bda, FALSE, NULL);
605
606 if (!cmd)
607 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
608
609 }
610
611 /*******************************************************************************
612 ** Function smp_proc_discard
613 ** Description processing for discard security request
614 *******************************************************************************/
smp_proc_discard(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)615 void smp_proc_discard(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
616 {
617 SMP_TRACE_DEBUG0 ("smp_proc_discard ");
618 smp_reset_control_value(p_cb);
619 }
620 /*******************************************************************************
621 ** Function smp_proc_release_delay
622 ** Description process the release delay request
623 *******************************************************************************/
smp_proc_release_delay(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)624 void smp_proc_release_delay(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
625 {
626 SMP_TRACE_DEBUG0 ("smp_proc_release_delay ");
627 btu_stop_timer (&p_cb->rsp_timer_ent);
628 btu_start_timer (&p_cb->rsp_timer_ent, BTU_TTYPE_SMP_PAIRING_CMD,
629 SMP_WAIT_FOR_REL_DELAY_TOUT);
630 }
631
632 /*******************************************************************************
633 ** Function smp_proc_release_delay_tout
634 ** Description processing the release delay timeout
635 *******************************************************************************/
smp_proc_release_delay_tout(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)636 void smp_proc_release_delay_tout(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
637 {
638 SMP_TRACE_DEBUG0 ("smp_proc_release_delay_tout ");
639 btu_stop_timer (&p_cb->rsp_timer_ent);
640 smp_proc_pairing_cmpl(p_cb);
641 }
642
643
644 /*******************************************************************************
645 ** Function smp_enc_cmpl
646 ** Description encryption success
647 *******************************************************************************/
smp_enc_cmpl(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)648 void smp_enc_cmpl(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
649 {
650 UINT8 enc_enable = *(UINT8 *)p_data;
651 UINT8 reason = enc_enable ? SMP_SUCCESS : SMP_ENC_FAIL;
652
653 SMP_TRACE_DEBUG0 ("smp_enc_cmpl ");
654 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
655 }
656
657
658 /*******************************************************************************
659 ** Function smp_check_auth_req
660 ** Description check authentication request
661 *******************************************************************************/
smp_check_auth_req(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)662 void smp_check_auth_req(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
663 {
664 UINT8 enc_enable = *(UINT8 *)p_data;
665 UINT8 reason = enc_enable ? SMP_SUCCESS : SMP_ENC_FAIL;
666
667 SMP_TRACE_DEBUG3 ("smp_check_auth_req enc_enable=%d i_keys=0x%x r_keys=0x%x (i-initiator r-responder)",
668 enc_enable, p_cb->loc_i_key, p_cb->loc_r_key);
669 if (enc_enable == 1)
670 {
671 if (/*((p_cb->peer_auth_req & SMP_AUTH_BOND) ||
672 (p_cb->loc_auth_req & SMP_AUTH_BOND)) &&*/
673 (p_cb->loc_i_key || p_cb->loc_r_key))
674 {
675 smp_sm_event(p_cb, SMP_BOND_REQ_EVT, NULL);
676 }
677 else
678 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
679 }
680 else if (enc_enable == 0)
681 {
682 /* if failed for encryption after pairing, send callback */
683 if (p_cb->flags & SMP_PAIR_FLAG_ENC_AFTER_PAIR)
684 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
685 /* if enc failed for old security information */
686 /* if master device, clean up and abck to idle; slave device do nothing */
687 else if (p_cb->role == HCI_ROLE_MASTER)
688 {
689 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
690 }
691 }
692 }
693
694 /*******************************************************************************
695 ** Function smp_key_pick_key
696 ** Description Pick a key distribution function based on the key mask.
697 *******************************************************************************/
smp_key_pick_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)698 void smp_key_pick_key(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
699 {
700 UINT8 key_to_dist = (p_cb->role == HCI_ROLE_SLAVE) ? p_cb->loc_r_key : p_cb->loc_i_key;
701 UINT8 i = 0;
702
703 SMP_TRACE_DEBUG1 ("smp_key_pick_key key_to_dist=0x%x", key_to_dist);
704 while (i < 3)
705 {
706 SMP_TRACE_DEBUG2("key to send = %02x, i = %d", key_to_dist, i);
707
708 if (key_to_dist & (1 << i))
709 {
710 SMP_TRACE_DEBUG1 ("smp_distribute_act[%d]", i);
711 (* smp_distribute_act[i])(p_cb, p_data);
712 break;
713 }
714 i ++;
715 }
716 }
717 /*******************************************************************************
718 ** Function smp_key_distribution
719 ** Description start key distribution if required.
720 *******************************************************************************/
smp_key_distribution(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)721 void smp_key_distribution(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
722 {
723 UINT8 reason = SMP_SUCCESS;
724 SMP_TRACE_DEBUG3 ("smp_key_distribution role=%d (0-master) r_keys=0x%x i_keys=0x%x",
725 p_cb->role, p_cb->loc_r_key, p_cb->loc_i_key);
726
727 if (p_cb->role == HCI_ROLE_SLAVE||
728 (!p_cb->loc_r_key && p_cb->role == HCI_ROLE_MASTER))
729 {
730 smp_key_pick_key(p_cb, p_data);
731 }
732
733 if (!p_cb->loc_i_key && !p_cb->loc_r_key)
734 {
735 /* state check to prevent re-entrant */
736 if (smp_get_state() == SMP_ST_BOND_PENDING)
737 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
738 }
739 }
740 /*******************************************************************************
741 ** Function smp_decide_asso_model
742 ** Description This function is called to compare both sides' io capability
743 ** oob data flag and authentication request, and decide the
744 ** association model to use for the authentication.
745 *******************************************************************************/
smp_decide_asso_model(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)746 void smp_decide_asso_model(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
747 {
748 UINT8 failure = SMP_UNKNOWN_IO_CAP;
749 tSMP_ASSO_MODEL model = SMP_MODEL_MAX;
750 UINT8 int_evt = 0;
751 tSMP_KEY key;
752 tSMP_INT_DATA *p = NULL;
753
754 SMP_TRACE_DEBUG3 ("smp_decide_asso_model p_cb->peer_io_caps = %d p_cb->loc_io_caps = %d \
755 p_cb->peer_auth_req = %02x",
756 p_cb->peer_io_caps, p_cb->loc_io_caps, p_cb->peer_auth_req);
757
758 /* OOB data present on both devices, use OOB association model */
759 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT && p_cb->loc_oob_flag == SMP_OOB_PRESENT)
760 {
761 model = SMP_MODEL_OOB;
762 }
763 /* no MITM required, ignore IO cap, use encryption only */
764 else if (SMP_NO_MITM_REQUIRED (p_cb->peer_auth_req) &&
765 SMP_NO_MITM_REQUIRED(p_cb->loc_auth_req))
766 {
767 model = SMP_MODEL_ENC_ONLY;
768 }
769 else/* use IO capability to decide assiciation model */
770 {
771 if (p_cb->peer_io_caps < SMP_IO_CAP_MAX && p_cb->loc_io_caps < SMP_IO_CAP_MAX)
772 {
773 if (p_cb->role == HCI_ROLE_MASTER)
774 model = smp_association_table[p_cb->role][p_cb->peer_io_caps][p_cb->loc_io_caps];
775 else
776 model = smp_association_table[p_cb->role][p_cb->loc_io_caps][p_cb->peer_io_caps];
777 }
778 }
779
780 SMP_TRACE_DEBUG1("Association Model = %d", model);
781
782 if (model == SMP_MODEL_OOB)
783 {
784 SMP_TRACE_ERROR0("Association Model = SMP_MODEL_OOB");
785 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
786 SMP_TRACE_EVENT1 ("p_cb->sec_level =%d (SMP_SEC_AUTHENTICATED) ", p_cb->sec_level );
787 p_cb->cb_evt = SMP_OOB_REQ_EVT;
788
789 int_evt = SMP_TK_REQ_EVT;
790 }
791 else if (model == SMP_MODEL_PASSKEY)
792 {
793 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
794 SMP_TRACE_EVENT1 ("p_cb->sec_level =%d (SMP_SEC_AUTHENTICATED) ", p_cb->sec_level );
795
796 p_cb->cb_evt = SMP_PASSKEY_REQ_EVT;
797 int_evt = SMP_TK_REQ_EVT;
798 }
799 else if (model == SMP_MODEL_KEY_NOTIF)
800 {
801 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
802
803 SMP_TRACE_DEBUG0("Need to generate Passkey");
804 /* generate passkey and notify application */
805 smp_generate_passkey(p_cb, NULL);
806 }
807 else if (model == SMP_MODEL_ENC_ONLY) /* TK = 0, go calculate Confirm */
808 {
809 if (p_cb->role == HCI_ROLE_MASTER &&
810 ((p_cb->peer_auth_req & SMP_AUTH_YN_BIT) != 0) &&
811 ((p_cb->loc_auth_req & SMP_AUTH_YN_BIT) == 0))
812 {
813 SMP_TRACE_ERROR0("IO capability does not meet authentication requirement");
814 failure = SMP_PAIR_AUTH_FAIL;
815 p = (tSMP_INT_DATA *)&failure;
816 int_evt = SMP_AUTH_CMPL_EVT;
817 }
818 else
819 {
820 p_cb->sec_level = SMP_SEC_UNAUTHENTICATE;
821 SMP_TRACE_EVENT1 ("p_cb->sec_level =%d (SMP_SEC_UNAUTHENTICATE) ", p_cb->sec_level );
822
823 key.key_type = SMP_KEY_TYPE_TK;
824 key.p_data = p_cb->tk;
825 p = (tSMP_INT_DATA *)&key;
826
827 memset(p_cb->tk, 0, BT_OCTET16_LEN);
828 /* TK, ready */
829 int_evt = SMP_KEY_READY_EVT;
830 }
831 }
832 else if (model == SMP_MODEL_MAX)
833 {
834 SMP_TRACE_ERROR0("Association Model = SMP_MODEL_MAX (failed)");
835 p = (tSMP_INT_DATA *)&failure;
836 int_evt = SMP_AUTH_CMPL_EVT;
837 }
838
839 SMP_TRACE_EVENT1 ("sec_level=%d ", p_cb->sec_level );
840 if (int_evt)
841 smp_sm_event(p_cb, int_evt, p);
842 }
843
844 /*******************************************************************************
845 ** Function smp_proc_io_rsp
846 ** Description process IO response for a slave device.
847 *******************************************************************************/
smp_proc_io_rsp(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)848 void smp_proc_io_rsp(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
849 {
850 SMP_TRACE_DEBUG0 ("smp_proc_io_rsp ");
851 if (p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD)
852 {
853 smp_set_state(SMP_ST_SEC_REQ_PENDING);
854 smp_send_cmd(SMP_OPCODE_SEC_REQ, p_cb);
855 }
856 else /* respond to pairing request */
857 {
858 smp_send_pair_rsp(p_cb, NULL);
859 }
860 }
861 /*******************************************************************************
862 ** Function smp_pairing_cmpl
863 ** Description This function is called to send the pairing complete callback
864 ** and remove the connection if needed.
865 *******************************************************************************/
smp_pairing_cmpl(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)866 void smp_pairing_cmpl(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
867 {
868
869 SMP_TRACE_DEBUG0 ("smp_pairing_cmpl ");
870
871 if ((p_cb->status == SMP_SUCCESS) ||
872 (p_cb->status <= SMP_REPEATED_ATTEMPTS && p_cb->status != SMP_SUCCESS))
873 {
874 smp_sm_event(p_cb, SMP_RELEASE_DELAY_EVT, p_data);
875 }
876 else
877 {
878 /* this will transition to idle state right away */
879 smp_sm_event(p_cb, SMP_RELEASE_DELAY_TOUT_EVT, p_data);
880 }
881
882 }
883 /*******************************************************************************
884 ** Function smp_pair_terminate
885 ** Description This function is called to send the pairing complete callback
886 ** and remove the connection if needed.
887 *******************************************************************************/
smp_pair_terminate(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)888 void smp_pair_terminate(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
889 {
890 SMP_TRACE_DEBUG0 ("smp_pair_terminate ");
891
892 if (p_data->reason == L2CAP_CONN_CANCEL)
893 p_cb->status = SMP_CONN_TOUT;
894 else
895 p_cb->status = SMP_PAIR_FAIL_UNKNOWN;
896
897 smp_proc_pairing_cmpl(p_cb);
898 }
899 /*******************************************************************************
900 ** Function smp_idle_terminate
901 ** Description This function calledin idle state to determine to send authentication
902 ** complete or not.
903 *******************************************************************************/
smp_idle_terminate(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)904 void smp_idle_terminate(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
905 {
906 if (p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD)
907 {
908 SMP_TRACE_DEBUG0("Pairing terminated at IDLE state.");
909 p_cb->status = SMP_FAIL;
910 smp_proc_pairing_cmpl(p_cb);
911 }
912 }
913 /*******************************************************************************
914 **
915 ** Function smp_link_encrypted
916 **
917 ** Description This function is called when link is encrypted and notified to
918 ** slave device. Proceed to to send LTK, DIV and ER to master if
919 ** bonding the devices.
920 **
921 **
922 ** Returns void
923 **
924 *******************************************************************************/
smp_link_encrypted(BD_ADDR bda,UINT8 encr_enable)925 void smp_link_encrypted(BD_ADDR bda, UINT8 encr_enable)
926 {
927 tSMP_CB *p_cb = &smp_cb;
928
929 SMP_TRACE_DEBUG1 ("smp_link_encrypted encr_enable=%d",encr_enable);
930
931 if (memcmp(&smp_cb.pairing_bda[0], bda, BD_ADDR_LEN) == 0)
932 {
933 /* encryption completed with STK, remmeber the key size now, could be overwite
934 * when key exchange happens */
935 if (p_cb->loc_enc_size != 0 && encr_enable)
936 {
937 /* update the link encryption key size if a SMP pairing just performed */
938 btm_ble_update_sec_key_size(bda, p_cb->loc_enc_size);
939 }
940
941 smp_sm_event(&smp_cb, SMP_ENCRYPTED_EVT, &encr_enable);
942 }
943 }
944 /*******************************************************************************
945 **
946 ** Function smp_proc_ltk_request
947 **
948 ** Description This function is called when LTK request is received from
949 ** controller.
950 **
951 ** Returns void
952 **
953 *******************************************************************************/
smp_proc_ltk_request(BD_ADDR bda)954 BOOLEAN smp_proc_ltk_request(BD_ADDR bda)
955 {
956 SMP_TRACE_DEBUG1 ("smp_proc_ltk_request state = %d", smp_cb.state);
957 if ( smp_cb.state == SMP_ST_ENC_PENDING &&
958 !memcmp(bda, smp_cb.pairing_bda, BD_ADDR_LEN))
959 {
960 smp_sm_event(&smp_cb, SMP_ENC_REQ_EVT, NULL);
961
962 return TRUE;
963 }
964
965 return FALSE;
966 }
967 #endif
968
969