• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /******************************************************************************
2  *
3  *  Copyright (C) 1999-2012 Broadcom Corporation
4  *
5  *  Licensed under the Apache License, Version 2.0 (the "License");
6  *  you may not use this file except in compliance with the License.
7  *  You may obtain a copy of the License at:
8  *
9  *  http://www.apache.org/licenses/LICENSE-2.0
10  *
11  *  Unless required by applicable law or agreed to in writing, software
12  *  distributed under the License is distributed on an "AS IS" BASIS,
13  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  *  See the License for the specific language governing permissions and
15  *  limitations under the License.
16  *
17 ******************************************************************************/
18 
19 /******************************************************************************
20  *
21  *  This file contains functions for the SMP L2CAP utility functions
22  *
23  ******************************************************************************/
24 #include "bt_target.h"
25 
26 #if SMP_INCLUDED == TRUE
27 
28 #include "bt_types.h"
29 #include "bt_utils.h"
30 #include <string.h>
31 #include <ctype.h>
32 #include "hcidefs.h"
33 #include "btm_ble_api.h"
34 #include "l2c_api.h"
35 #include "l2c_int.h"
36 #include "smp_int.h"
37 #include "device/include/controller.h"
38 #include "btm_int.h"
39 
40 
41 extern fixed_queue_t *btu_general_alarm_queue;
42 
43 #define SMP_PAIRING_REQ_SIZE    7
44 #define SMP_CONFIRM_CMD_SIZE    (BT_OCTET16_LEN + 1)
45 #define SMP_RAND_CMD_SIZE       (BT_OCTET16_LEN + 1)
46 #define SMP_INIT_CMD_SIZE       (BT_OCTET16_LEN + 1)
47 #define SMP_ENC_INFO_SIZE       (BT_OCTET16_LEN + 1)
48 #define SMP_MASTER_ID_SIZE      (BT_OCTET8_LEN + 2 + 1)
49 #define SMP_ID_INFO_SIZE        (BT_OCTET16_LEN + 1)
50 #define SMP_ID_ADDR_SIZE        (BD_ADDR_LEN + 1 + 1)
51 #define SMP_SIGN_INFO_SIZE      (BT_OCTET16_LEN + 1)
52 #define SMP_PAIR_FAIL_SIZE      2
53 #define SMP_SECURITY_REQUEST_SIZE  2
54 #define SMP_PAIR_PUBL_KEY_SIZE  (1 /* opcode */ + (2*BT_OCTET32_LEN))
55 #define SMP_PAIR_COMMITM_SIZE           (1 /* opcode */ + BT_OCTET16_LEN /*Commitment*/)
56 #define SMP_PAIR_DHKEY_CHECK_SIZE       (1 /* opcode */ + BT_OCTET16_LEN /*DHKey Check*/)
57 #define SMP_PAIR_KEYPR_NOTIF_SIZE       (1 /* opcode */ + 1 /*Notif Type*/)
58 
59 /* SMP command sizes per spec */
60 static const UINT8 smp_cmd_size_per_spec[] =
61 {
62     0,
63     SMP_PAIRING_REQ_SIZE,       /* 0x01: pairing request */
64     SMP_PAIRING_REQ_SIZE,       /* 0x02: pairing response */
65     SMP_CONFIRM_CMD_SIZE,       /* 0x03: pairing confirm */
66     SMP_RAND_CMD_SIZE,          /* 0x04: pairing random */
67     SMP_PAIR_FAIL_SIZE,         /* 0x05: pairing failed */
68     SMP_ENC_INFO_SIZE,          /* 0x06: encryption information */
69     SMP_MASTER_ID_SIZE,         /* 0x07: master identification */
70     SMP_ID_INFO_SIZE,           /* 0x08: identity information */
71     SMP_ID_ADDR_SIZE,           /* 0x09: identity address information */
72     SMP_SIGN_INFO_SIZE,         /* 0x0A: signing information */
73     SMP_SECURITY_REQUEST_SIZE,  /* 0x0B: security request */
74     SMP_PAIR_PUBL_KEY_SIZE,     /* 0x0C: pairing public key */
75     SMP_PAIR_DHKEY_CHECK_SIZE,  /* 0x0D: pairing dhkey check */
76     SMP_PAIR_KEYPR_NOTIF_SIZE,  /* 0x0E: pairing keypress notification */
77     SMP_PAIR_COMMITM_SIZE       /* 0x0F: pairing commitment */
78 };
79 
80 static BOOLEAN smp_parameter_unconditionally_valid(tSMP_CB *p_cb);
81 static BOOLEAN smp_parameter_unconditionally_invalid(tSMP_CB *p_cb);
82 
83 /* type for SMP command length validation functions */
84 typedef BOOLEAN (*tSMP_CMD_LEN_VALID)(tSMP_CB *p_cb);
85 
86 static BOOLEAN smp_command_has_valid_fixed_length(tSMP_CB *p_cb);
87 
88 static const tSMP_CMD_LEN_VALID smp_cmd_len_is_valid[] =
89 {
90     smp_parameter_unconditionally_invalid,
91     smp_command_has_valid_fixed_length, /* 0x01: pairing request */
92     smp_command_has_valid_fixed_length, /* 0x02: pairing response */
93     smp_command_has_valid_fixed_length, /* 0x03: pairing confirm */
94     smp_command_has_valid_fixed_length, /* 0x04: pairing random */
95     smp_command_has_valid_fixed_length, /* 0x05: pairing failed */
96     smp_command_has_valid_fixed_length, /* 0x06: encryption information */
97     smp_command_has_valid_fixed_length, /* 0x07: master identification */
98     smp_command_has_valid_fixed_length, /* 0x08: identity information */
99     smp_command_has_valid_fixed_length, /* 0x09: identity address information */
100     smp_command_has_valid_fixed_length, /* 0x0A: signing information */
101     smp_command_has_valid_fixed_length, /* 0x0B: security request */
102     smp_command_has_valid_fixed_length, /* 0x0C: pairing public key */
103     smp_command_has_valid_fixed_length, /* 0x0D: pairing dhkey check */
104     smp_command_has_valid_fixed_length, /* 0x0E: pairing keypress notification */
105     smp_command_has_valid_fixed_length  /* 0x0F: pairing commitment */
106 };
107 
108 /* type for SMP command parameter ranges validation functions */
109 typedef BOOLEAN (*tSMP_CMD_PARAM_RANGES_VALID)(tSMP_CB *p_cb);
110 
111 static BOOLEAN smp_pairing_request_response_parameters_are_valid(tSMP_CB *p_cb);
112 static BOOLEAN smp_pairing_keypress_notification_is_valid(tSMP_CB *p_cb);
113 
114 static const tSMP_CMD_PARAM_RANGES_VALID smp_cmd_param_ranges_are_valid[] =
115 {
116     smp_parameter_unconditionally_invalid,
117     smp_pairing_request_response_parameters_are_valid, /* 0x01: pairing request */
118     smp_pairing_request_response_parameters_are_valid, /* 0x02: pairing response */
119     smp_parameter_unconditionally_valid, /* 0x03: pairing confirm */
120     smp_parameter_unconditionally_valid, /* 0x04: pairing random */
121     smp_parameter_unconditionally_valid, /* 0x05: pairing failed */
122     smp_parameter_unconditionally_valid, /* 0x06: encryption information */
123     smp_parameter_unconditionally_valid, /* 0x07: master identification */
124     smp_parameter_unconditionally_valid, /* 0x08: identity information */
125     smp_parameter_unconditionally_valid, /* 0x09: identity address information */
126     smp_parameter_unconditionally_valid, /* 0x0A: signing information */
127     smp_parameter_unconditionally_valid, /* 0x0B: security request */
128     smp_parameter_unconditionally_valid, /* 0x0C: pairing public key */
129     smp_parameter_unconditionally_valid, /* 0x0D: pairing dhkey check */
130     smp_pairing_keypress_notification_is_valid, /* 0x0E: pairing keypress notification */
131     smp_parameter_unconditionally_valid /* 0x0F: pairing commitment */
132 };
133 
134 /* type for action functions */
135 typedef BT_HDR * (*tSMP_CMD_ACT)(UINT8 cmd_code, tSMP_CB *p_cb);
136 
137 static BT_HDR *smp_build_pairing_cmd(UINT8 cmd_code, tSMP_CB *p_cb);
138 static BT_HDR *smp_build_confirm_cmd(UINT8 cmd_code, tSMP_CB *p_cb);
139 static BT_HDR *smp_build_rand_cmd(UINT8 cmd_code, tSMP_CB *p_cb);
140 static BT_HDR *smp_build_pairing_fail(UINT8 cmd_code, tSMP_CB *p_cb);
141 static BT_HDR *smp_build_identity_info_cmd(UINT8 cmd_code, tSMP_CB *p_cb);
142 static BT_HDR *smp_build_encrypt_info_cmd(UINT8 cmd_code, tSMP_CB *p_cb);
143 static BT_HDR *smp_build_security_request(UINT8 cmd_code, tSMP_CB *p_cb);
144 static BT_HDR *smp_build_signing_info_cmd(UINT8 cmd_code, tSMP_CB *p_cb);
145 static BT_HDR *smp_build_master_id_cmd(UINT8 cmd_code, tSMP_CB *p_cb);
146 static BT_HDR *smp_build_id_addr_cmd(UINT8 cmd_code, tSMP_CB *p_cb);
147 static BT_HDR *smp_build_pair_public_key_cmd(UINT8 cmd_code, tSMP_CB *p_cb);
148 static BT_HDR *smp_build_pairing_commitment_cmd(UINT8 cmd_code, tSMP_CB *p_cb);
149 static BT_HDR *smp_build_pair_dhkey_check_cmd(UINT8 cmd_code, tSMP_CB *p_cb);
150 static BT_HDR *smp_build_pairing_keypress_notification_cmd(UINT8 cmd_code, tSMP_CB *p_cb);
151 
152 static const tSMP_CMD_ACT smp_cmd_build_act[] =
153 {
154     NULL,
155     smp_build_pairing_cmd,          /* 0x01: pairing request */
156     smp_build_pairing_cmd,          /* 0x02: pairing response */
157     smp_build_confirm_cmd,          /* 0x03: pairing confirm */
158     smp_build_rand_cmd,             /* 0x04: pairing random */
159     smp_build_pairing_fail,         /* 0x05: pairing failure */
160     smp_build_encrypt_info_cmd,     /* 0x06: encryption information */
161     smp_build_master_id_cmd,        /* 0x07: master identification */
162     smp_build_identity_info_cmd,    /* 0x08: identity information */
163     smp_build_id_addr_cmd,          /* 0x09: identity address information */
164     smp_build_signing_info_cmd,     /* 0x0A: signing information */
165     smp_build_security_request,     /* 0x0B: security request */
166     smp_build_pair_public_key_cmd,  /* 0x0C: pairing public key */
167     smp_build_pair_dhkey_check_cmd, /* 0x0D: pairing DHKey check */
168     smp_build_pairing_keypress_notification_cmd, /* 0x0E: pairing keypress notification */
169     smp_build_pairing_commitment_cmd /* 0x0F: pairing commitment */
170 };
171 
172 static const UINT8 smp_association_table[2][SMP_IO_CAP_MAX][SMP_IO_CAP_MAX] =
173 {
174     /* display only */    /* Display Yes/No */   /* keyboard only */
175                        /* No Input/Output */ /* keyboard display */
176 
177      /* initiator */
178      /* model = tbl[peer_io_caps][loc_io_caps] */
179      /* Display Only */
180     {{SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY,
181                                  SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY},
182 
183      /* Display Yes/No */
184      {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY,
185                                  SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY},
186 
187      /* Keyboard only */
188      {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY,
189                            SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF},
190 
191      /* No Input No Output */
192      {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
193                                  SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY},
194 
195      /* keyboard display */
196      {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY,
197                            SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF}},
198 
199      /* responder */
200      /* model = tbl[loc_io_caps][peer_io_caps] */
201      /* Display Only */
202     {{SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF,
203                                  SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF},
204 
205       /* Display Yes/No */
206      {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF,
207                                  SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF},
208 
209       /* keyboard only */
210      {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY,
211                          SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY},
212 
213       /* No Input No Output */
214      {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
215                                  SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY},
216 
217       /* keyboard display */
218      {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_KEY_NOTIF,
219                          SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY}}
220 };
221 
222 static const UINT8 smp_association_table_sc[2][SMP_IO_CAP_MAX][SMP_IO_CAP_MAX] =
223 {
224      /* display only */    /* Display Yes/No */   /* keyboard only */
225                                              /* No InputOutput */  /* keyboard display */
226 
227      /* initiator */
228      /* model = tbl[peer_io_caps][loc_io_caps] */
229 
230      /* Display Only */
231     {{SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_PASSKEY_ENT,
232                                     SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_PASSKEY_ENT},
233 
234      /* Display Yes/No */
235      {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP, SMP_MODEL_SEC_CONN_PASSKEY_ENT,
236                                     SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP},
237 
238      /* keyboard only */
239      {SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_PASSKEY_ENT,
240                                        SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_PASSKEY_DISP},
241 
242      /* No Input No Output */
243      {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
244                                     SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS},
245 
246      /* keyboard display */
247      {SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_NUM_COMP, SMP_MODEL_SEC_CONN_PASSKEY_ENT,
248                                        SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP}},
249 
250      /* responder */
251      /* model = tbl[loc_io_caps][peer_io_caps] */
252 
253      /* Display Only */
254     {{SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_PASSKEY_DISP,
255                                     SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_PASSKEY_DISP},
256 
257      /* Display Yes/No */
258      {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP, SMP_MODEL_SEC_CONN_PASSKEY_DISP,
259                                     SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP},
260 
261      /* keyboard only */
262      {SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_PASSKEY_ENT,
263                                       SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_PASSKEY_ENT},
264 
265      /* No Input No Output */
266      {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
267                                     SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS},
268 
269      /* keyboard display */
270      {SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_NUM_COMP, SMP_MODEL_SEC_CONN_PASSKEY_DISP,
271                        SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP}}
272 };
273 
274 static tSMP_ASSO_MODEL smp_select_legacy_association_model(tSMP_CB *p_cb);
275 static tSMP_ASSO_MODEL smp_select_association_model_secure_connections(tSMP_CB *p_cb);
276 
277 /*******************************************************************************
278 **
279 ** Function         smp_send_msg_to_L2CAP
280 **
281 ** Description      Send message to L2CAP.
282 **
283 *******************************************************************************/
smp_send_msg_to_L2CAP(BD_ADDR rem_bda,BT_HDR * p_toL2CAP)284 BOOLEAN  smp_send_msg_to_L2CAP(BD_ADDR rem_bda, BT_HDR *p_toL2CAP)
285 {
286     UINT16 l2cap_ret;
287     UINT16 fixed_cid = L2CAP_SMP_CID;
288 
289     if (smp_cb.smp_over_br)
290     {
291         fixed_cid = L2CAP_SMP_BR_CID;
292     }
293 
294     SMP_TRACE_EVENT("%s", __FUNCTION__);
295     smp_cb.total_tx_unacked += 1;
296 
297     if ((l2cap_ret = L2CA_SendFixedChnlData (fixed_cid, rem_bda, p_toL2CAP)) == L2CAP_DW_FAILED)
298     {
299         smp_cb.total_tx_unacked -= 1;
300         SMP_TRACE_ERROR("SMP   failed to pass msg:0x%0x to L2CAP",
301                          *((UINT8 *)(p_toL2CAP + 1) + p_toL2CAP->offset));
302         return FALSE;
303     }
304     else
305         return TRUE;
306 }
307 
308 /*******************************************************************************
309 **
310 ** Function         smp_send_cmd
311 **
312 ** Description      send a SMP command on L2CAP channel.
313 **
314 *******************************************************************************/
smp_send_cmd(UINT8 cmd_code,tSMP_CB * p_cb)315 BOOLEAN smp_send_cmd(UINT8 cmd_code, tSMP_CB *p_cb)
316 {
317     BT_HDR *p_buf;
318     BOOLEAN sent = FALSE;
319     UINT8 failure = SMP_PAIR_INTERNAL_ERR;
320     SMP_TRACE_EVENT("smp_send_cmd on l2cap cmd_code=0x%x", cmd_code);
321     if ( cmd_code <= (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */) &&
322          smp_cmd_build_act[cmd_code] != NULL)
323     {
324         p_buf = (*smp_cmd_build_act[cmd_code])(cmd_code, p_cb);
325 
326         if (p_buf != NULL &&
327             smp_send_msg_to_L2CAP(p_cb->pairing_bda, p_buf))
328         {
329             sent = TRUE;
330             alarm_set_on_queue(p_cb->smp_rsp_timer_ent,
331                                SMP_WAIT_FOR_RSP_TIMEOUT_MS, smp_rsp_timeout,
332                                NULL, btu_general_alarm_queue);
333         }
334     }
335 
336     if (!sent)
337     {
338         if (p_cb->smp_over_br)
339         {
340             smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &failure);
341         }
342         else
343         {
344             smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &failure);
345         }
346     }
347     return sent;
348 }
349 
350 /*******************************************************************************
351 **
352 ** Function         smp_rsp_timeout
353 **
354 ** Description      Called when SMP wait for SMP command response timer expires
355 **
356 ** Returns          void
357 **
358 *******************************************************************************/
smp_rsp_timeout(UNUSED_ATTR void * data)359 void smp_rsp_timeout(UNUSED_ATTR void *data)
360 {
361     tSMP_CB   *p_cb = &smp_cb;
362     UINT8 failure = SMP_RSP_TIMEOUT;
363 
364     SMP_TRACE_EVENT("%s state:%d br_state:%d", __FUNCTION__, p_cb->state, p_cb->br_state);
365 
366     if (p_cb->smp_over_br)
367     {
368         smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &failure);
369     }
370     else
371     {
372         smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &failure);
373     }
374 }
375 
376 /*******************************************************************************
377 **
378 ** Function         smp_delayed_auth_complete_timeout
379 **
380 ** Description      Called when no pairing failed command received within timeout
381 **                  period.
382 **
383 ** Returns          void
384 **
385 *******************************************************************************/
smp_delayed_auth_complete_timeout(UNUSED_ATTR void * data)386 void smp_delayed_auth_complete_timeout(UNUSED_ATTR void *data)
387 {
388     /*
389      * Waited for potential pair failure. Send SMP_AUTH_CMPL_EVT if
390      * the state is still in bond pending.
391      */
392     if (smp_get_state() == SMP_STATE_BOND_PENDING)
393     {
394         UINT8 reason = SMP_SUCCESS;
395         SMP_TRACE_EVENT("%s sending delayed auth complete.", __func__);
396         smp_sm_event(&smp_cb, SMP_AUTH_CMPL_EVT, &reason);
397     }
398 }
399 
400 /*******************************************************************************
401 **
402 ** Function         smp_build_pairing_req_cmd
403 **
404 ** Description      Build pairing request command.
405 **
406 *******************************************************************************/
smp_build_pairing_cmd(UINT8 cmd_code,tSMP_CB * p_cb)407 BT_HDR * smp_build_pairing_cmd(UINT8 cmd_code, tSMP_CB *p_cb)
408 {
409     UINT8 *p;
410     BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) +
411                         SMP_PAIRING_REQ_SIZE + L2CAP_MIN_OFFSET);
412 
413     SMP_TRACE_EVENT("%s", __func__);
414 
415     p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
416     UINT8_TO_STREAM(p, cmd_code);
417     UINT8_TO_STREAM(p, p_cb->local_io_capability);
418     UINT8_TO_STREAM(p, p_cb->loc_oob_flag);
419     UINT8_TO_STREAM(p, p_cb->loc_auth_req);
420     UINT8_TO_STREAM(p, p_cb->loc_enc_size);
421     UINT8_TO_STREAM(p, p_cb->local_i_key);
422     UINT8_TO_STREAM(p, p_cb->local_r_key);
423 
424     p_buf->offset = L2CAP_MIN_OFFSET;
425     /* 1B ERR_RSP op code + 1B cmd_op_code + 2B handle + 1B status */
426     p_buf->len = SMP_PAIRING_REQ_SIZE;
427 
428     return p_buf;
429 }
430 
431 /*******************************************************************************
432 **
433 ** Function         smp_build_confirm_cmd
434 **
435 ** Description      Build confirm request command.
436 **
437 *******************************************************************************/
smp_build_confirm_cmd(UINT8 cmd_code,tSMP_CB * p_cb)438 static BT_HDR * smp_build_confirm_cmd(UINT8 cmd_code, tSMP_CB *p_cb)
439 {
440     UINT8 *p;
441     BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) +
442                         SMP_CONFIRM_CMD_SIZE + L2CAP_MIN_OFFSET);
443 
444     UNUSED(cmd_code);
445     SMP_TRACE_EVENT("%s", __func__);
446 
447     p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
448 
449     UINT8_TO_STREAM(p, SMP_OPCODE_CONFIRM);
450     ARRAY_TO_STREAM(p, p_cb->confirm, BT_OCTET16_LEN);
451 
452     p_buf->offset = L2CAP_MIN_OFFSET;
453     p_buf->len = SMP_CONFIRM_CMD_SIZE;
454 
455     return p_buf;
456 }
457 
458 /*******************************************************************************
459 **
460 ** Function         smp_build_rand_cmd
461 **
462 ** Description      Build Random command.
463 **
464 *******************************************************************************/
smp_build_rand_cmd(UINT8 cmd_code,tSMP_CB * p_cb)465 static BT_HDR * smp_build_rand_cmd(UINT8 cmd_code, tSMP_CB *p_cb)
466 {
467     UINT8 *p;
468     BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) +
469                         SMP_RAND_CMD_SIZE + L2CAP_MIN_OFFSET);
470 
471     UNUSED(cmd_code);
472     SMP_TRACE_EVENT("%s", __func__);
473 
474     p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
475     UINT8_TO_STREAM(p, SMP_OPCODE_RAND);
476     ARRAY_TO_STREAM(p, p_cb->rand, BT_OCTET16_LEN);
477 
478     p_buf->offset = L2CAP_MIN_OFFSET;
479     p_buf->len = SMP_RAND_CMD_SIZE;
480 
481     return p_buf;
482 }
483 
484 /*******************************************************************************
485 **
486 ** Function         smp_build_encrypt_info_cmd
487 **
488 ** Description      Build security information command.
489 **
490 *******************************************************************************/
smp_build_encrypt_info_cmd(UINT8 cmd_code,tSMP_CB * p_cb)491 static BT_HDR * smp_build_encrypt_info_cmd(UINT8 cmd_code, tSMP_CB *p_cb)
492 {
493     UINT8 *p;
494     BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) +
495                         SMP_ENC_INFO_SIZE + L2CAP_MIN_OFFSET);
496 
497     UNUSED(cmd_code);
498     SMP_TRACE_EVENT("%s", __func__);
499 
500     p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
501     UINT8_TO_STREAM(p, SMP_OPCODE_ENCRYPT_INFO);
502     ARRAY_TO_STREAM(p, p_cb->ltk, BT_OCTET16_LEN);
503 
504     p_buf->offset = L2CAP_MIN_OFFSET;
505     p_buf->len = SMP_ENC_INFO_SIZE;
506 
507     return p_buf;
508 }
509 
510 /*******************************************************************************
511 **
512 ** Function         smp_build_master_id_cmd
513 **
514 ** Description      Build security information command.
515 **
516 *******************************************************************************/
smp_build_master_id_cmd(UINT8 cmd_code,tSMP_CB * p_cb)517 static BT_HDR * smp_build_master_id_cmd(UINT8 cmd_code, tSMP_CB *p_cb)
518 {
519     UINT8 *p;
520     BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) +
521                         SMP_MASTER_ID_SIZE + L2CAP_MIN_OFFSET);
522 
523     UNUSED(cmd_code);
524     SMP_TRACE_EVENT("%s", __func__);
525 
526     p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
527     UINT8_TO_STREAM(p, SMP_OPCODE_MASTER_ID);
528     UINT16_TO_STREAM(p, p_cb->ediv);
529     ARRAY_TO_STREAM(p, p_cb->enc_rand, BT_OCTET8_LEN);
530 
531     p_buf->offset = L2CAP_MIN_OFFSET;
532     p_buf->len = SMP_MASTER_ID_SIZE;
533 
534     return p_buf;
535 }
536 
537 /*******************************************************************************
538 **
539 ** Function         smp_build_identity_info_cmd
540 **
541 ** Description      Build identity information command.
542 **
543 *******************************************************************************/
smp_build_identity_info_cmd(UINT8 cmd_code,tSMP_CB * p_cb)544 static BT_HDR * smp_build_identity_info_cmd(UINT8 cmd_code, tSMP_CB *p_cb)
545 {
546     UINT8 *p;
547     BT_OCTET16 irk;
548     BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) +
549                         SMP_ID_INFO_SIZE + L2CAP_MIN_OFFSET);
550 
551     UNUSED(cmd_code);
552     UNUSED(p_cb);
553     SMP_TRACE_EVENT("%s", __func__);
554 
555     p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
556 
557     BTM_GetDeviceIDRoot(irk);
558 
559     UINT8_TO_STREAM(p, SMP_OPCODE_IDENTITY_INFO);
560     ARRAY_TO_STREAM(p,  irk, BT_OCTET16_LEN);
561 
562     p_buf->offset = L2CAP_MIN_OFFSET;
563     p_buf->len = SMP_ID_INFO_SIZE;
564 
565     return p_buf;
566 }
567 
568 /*******************************************************************************
569 **
570 ** Function         smp_build_id_addr_cmd
571 **
572 ** Description      Build identity address information command.
573 **
574 *******************************************************************************/
smp_build_id_addr_cmd(UINT8 cmd_code,tSMP_CB * p_cb)575 static BT_HDR * smp_build_id_addr_cmd(UINT8 cmd_code, tSMP_CB *p_cb)
576 {
577     UINT8 *p;
578     BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) +
579                         SMP_ID_ADDR_SIZE + L2CAP_MIN_OFFSET);
580 
581     UNUSED(cmd_code);
582     UNUSED(p_cb);
583     SMP_TRACE_EVENT("%s", __func__);
584 
585     p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
586     UINT8_TO_STREAM(p, SMP_OPCODE_ID_ADDR);
587     UINT8_TO_STREAM(p, 0);
588     BDADDR_TO_STREAM(p, controller_get_interface()->get_address()->address);
589 
590     p_buf->offset = L2CAP_MIN_OFFSET;
591     p_buf->len = SMP_ID_ADDR_SIZE;
592 
593     return p_buf;
594 }
595 
596 /*******************************************************************************
597 **
598 ** Function         smp_build_signing_info_cmd
599 **
600 ** Description      Build signing information command.
601 **
602 *******************************************************************************/
smp_build_signing_info_cmd(UINT8 cmd_code,tSMP_CB * p_cb)603 static BT_HDR * smp_build_signing_info_cmd(UINT8 cmd_code, tSMP_CB *p_cb)
604 {
605     UINT8 *p;
606     BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) +
607                         SMP_SIGN_INFO_SIZE + L2CAP_MIN_OFFSET);
608 
609     UNUSED(cmd_code);
610     SMP_TRACE_EVENT("%s", __func__);
611 
612     p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
613     UINT8_TO_STREAM(p, SMP_OPCODE_SIGN_INFO);
614     ARRAY_TO_STREAM(p, p_cb->csrk, BT_OCTET16_LEN);
615 
616     p_buf->offset = L2CAP_MIN_OFFSET;
617     p_buf->len = SMP_SIGN_INFO_SIZE;
618 
619     return p_buf;
620 }
621 
622 /*******************************************************************************
623 **
624 ** Function         smp_build_pairing_fail
625 **
626 ** Description      Build Pairing Fail command.
627 **
628 *******************************************************************************/
smp_build_pairing_fail(UINT8 cmd_code,tSMP_CB * p_cb)629 static BT_HDR * smp_build_pairing_fail(UINT8 cmd_code, tSMP_CB *p_cb)
630 {
631     UINT8 *p;
632     BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) +
633                         SMP_PAIR_FAIL_SIZE + L2CAP_MIN_OFFSET);
634 
635     UNUSED(cmd_code);
636     SMP_TRACE_EVENT("%s", __func__);
637 
638     p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
639     UINT8_TO_STREAM(p, SMP_OPCODE_PAIRING_FAILED);
640     UINT8_TO_STREAM(p, p_cb->failure);
641 
642     p_buf->offset = L2CAP_MIN_OFFSET;
643     p_buf->len = SMP_PAIR_FAIL_SIZE;
644 
645     return p_buf;
646 }
647 
648 /*******************************************************************************
649 **
650 ** Function         smp_build_security_request
651 **
652 ** Description      Build security request command.
653 **
654 *******************************************************************************/
smp_build_security_request(UINT8 cmd_code,tSMP_CB * p_cb)655 static BT_HDR *smp_build_security_request(UINT8 cmd_code, tSMP_CB *p_cb)
656 {
657     UINT8 *p;
658     BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) +
659                         2 + L2CAP_MIN_OFFSET);
660 
661     UNUSED(cmd_code);
662     SMP_TRACE_EVENT("%s", __func__);
663 
664     p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
665     UINT8_TO_STREAM(p, SMP_OPCODE_SEC_REQ);
666     UINT8_TO_STREAM(p, p_cb->loc_auth_req);
667 
668     p_buf->offset = L2CAP_MIN_OFFSET;
669     p_buf->len = SMP_SECURITY_REQUEST_SIZE;
670 
671     SMP_TRACE_EVENT("opcode=%d auth_req=0x%x",SMP_OPCODE_SEC_REQ,  p_cb->loc_auth_req );
672 
673     return p_buf;
674 }
675 
676 /*******************************************************************************
677 **
678 ** Function         smp_build_pair_public_key_cmd
679 **
680 ** Description      Build pairing public key command.
681 **
682 *******************************************************************************/
smp_build_pair_public_key_cmd(UINT8 cmd_code,tSMP_CB * p_cb)683 static BT_HDR *smp_build_pair_public_key_cmd(UINT8 cmd_code, tSMP_CB *p_cb)
684 {
685     UINT8   *p;
686     UINT8   publ_key[2*BT_OCTET32_LEN];
687     UINT8   *p_publ_key = publ_key;
688     BT_HDR  *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) +
689                         SMP_PAIR_PUBL_KEY_SIZE + L2CAP_MIN_OFFSET);
690 
691     UNUSED(cmd_code);
692     SMP_TRACE_EVENT("%s", __func__);
693 
694     memcpy(p_publ_key, p_cb->loc_publ_key.x, BT_OCTET32_LEN);
695     memcpy(p_publ_key + BT_OCTET32_LEN, p_cb->loc_publ_key.y, BT_OCTET32_LEN);
696 
697     p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
698     UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_PUBLIC_KEY);
699     ARRAY_TO_STREAM(p, p_publ_key, 2*BT_OCTET32_LEN);
700 
701     p_buf->offset = L2CAP_MIN_OFFSET;
702     p_buf->len = SMP_PAIR_PUBL_KEY_SIZE;
703 
704     return p_buf;
705 }
706 
707 /*******************************************************************************
708 **
709 ** Function         smp_build_pairing_commitment_cmd
710 **
711 ** Description      Build pairing commitment command.
712 **
713 *******************************************************************************/
smp_build_pairing_commitment_cmd(UINT8 cmd_code,tSMP_CB * p_cb)714 static BT_HDR *smp_build_pairing_commitment_cmd(UINT8 cmd_code, tSMP_CB *p_cb)
715 {
716     UINT8 *p;
717     BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) +
718                         SMP_PAIR_COMMITM_SIZE + L2CAP_MIN_OFFSET);
719 
720     UNUSED(cmd_code);
721     SMP_TRACE_EVENT("%s", __func__);
722 
723     p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
724     UINT8_TO_STREAM(p, SMP_OPCODE_CONFIRM);
725     ARRAY_TO_STREAM(p, p_cb->commitment, BT_OCTET16_LEN);
726 
727     p_buf->offset = L2CAP_MIN_OFFSET;
728     p_buf->len = SMP_PAIR_COMMITM_SIZE;
729 
730     return p_buf;
731 }
732 
733 /*******************************************************************************
734 **
735 ** Function         smp_build_pair_dhkey_check_cmd
736 **
737 ** Description      Build pairing DHKey check command.
738 **
739 *******************************************************************************/
smp_build_pair_dhkey_check_cmd(UINT8 cmd_code,tSMP_CB * p_cb)740 static BT_HDR *smp_build_pair_dhkey_check_cmd(UINT8 cmd_code, tSMP_CB *p_cb)
741 {
742     UINT8 *p;
743     BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) +
744                         SMP_PAIR_DHKEY_CHECK_SIZE + L2CAP_MIN_OFFSET);
745 
746     UNUSED(cmd_code);
747     SMP_TRACE_EVENT("%s", __func__);
748 
749     p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
750     UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_DHKEY_CHECK);
751     ARRAY_TO_STREAM(p, p_cb->dhkey_check, BT_OCTET16_LEN);
752 
753     p_buf->offset = L2CAP_MIN_OFFSET;
754     p_buf->len = SMP_PAIR_DHKEY_CHECK_SIZE;
755 
756     return p_buf;
757 }
758 
759 /*******************************************************************************
760 **
761 ** Function         smp_build_pairing_keypress_notification_cmd
762 **
763 ** Description      Build keypress notification command.
764 **
765 *******************************************************************************/
smp_build_pairing_keypress_notification_cmd(UINT8 cmd_code,tSMP_CB * p_cb)766 static BT_HDR * smp_build_pairing_keypress_notification_cmd(UINT8 cmd_code, tSMP_CB *p_cb)
767 {
768     UINT8       *p;
769     BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) +
770                         SMP_PAIR_KEYPR_NOTIF_SIZE + L2CAP_MIN_OFFSET);
771 
772     UNUSED(cmd_code);
773     SMP_TRACE_EVENT("%s", __func__);
774 
775     p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
776     UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_KEYPR_NOTIF);
777     UINT8_TO_STREAM(p, p_cb->local_keypress_notification);
778 
779     p_buf->offset = L2CAP_MIN_OFFSET;
780     p_buf->len = SMP_PAIR_KEYPR_NOTIF_SIZE;
781 
782     return p_buf;
783 }
784 
785 /*******************************************************************************
786 **
787 ** Function         smp_convert_string_to_tk
788 **
789 ** Description      This function is called to convert a 6 to 16 digits numeric
790 **                  character string into SMP TK.
791 **
792 **
793 ** Returns          void
794 **
795 *******************************************************************************/
smp_convert_string_to_tk(BT_OCTET16 tk,UINT32 passkey)796 void smp_convert_string_to_tk(BT_OCTET16 tk, UINT32 passkey)
797 {
798     UINT8   *p = tk;
799     tSMP_KEY    key;
800     SMP_TRACE_EVENT("smp_convert_string_to_tk");
801     UINT32_TO_STREAM(p, passkey);
802 
803     key.key_type    = SMP_KEY_TYPE_TK;
804     key.p_data      = tk;
805 
806     smp_sm_event(&smp_cb, SMP_KEY_READY_EVT, &key);
807 }
808 
809 /*******************************************************************************
810 **
811 ** Function         smp_mask_enc_key
812 **
813 ** Description      This function is called to mask off the encryption key based
814 **                  on the maximum encryption key size.
815 **
816 **
817 ** Returns          void
818 **
819 *******************************************************************************/
smp_mask_enc_key(UINT8 loc_enc_size,UINT8 * p_data)820 void smp_mask_enc_key(UINT8 loc_enc_size, UINT8 * p_data)
821 {
822     SMP_TRACE_EVENT("smp_mask_enc_key");
823     if (loc_enc_size < BT_OCTET16_LEN)
824     {
825         for (; loc_enc_size < BT_OCTET16_LEN; loc_enc_size ++)
826             * (p_data + loc_enc_size) = 0;
827     }
828     return;
829 }
830 
831 /*******************************************************************************
832 **
833 ** Function         smp_xor_128
834 **
835 ** Description      utility function to do an biteise exclusive-OR of two bit
836 **                  strings of the length of BT_OCTET16_LEN.
837 **
838 ** Returns          void
839 **
840 *******************************************************************************/
smp_xor_128(BT_OCTET16 a,BT_OCTET16 b)841 void smp_xor_128(BT_OCTET16 a, BT_OCTET16 b)
842 {
843     UINT8 i, *aa = a, *bb = b;
844 
845     SMP_TRACE_EVENT("smp_xor_128");
846     for (i = 0; i < BT_OCTET16_LEN; i++)
847     {
848         aa[i] = aa[i] ^ bb[i];
849     }
850 }
851 
852 /*******************************************************************************
853 **
854 ** Function         smp_cb_cleanup
855 **
856 ** Description      Clean up SMP control block
857 **
858 ** Returns          void
859 **
860 *******************************************************************************/
smp_cb_cleanup(tSMP_CB * p_cb)861 void smp_cb_cleanup(tSMP_CB   *p_cb)
862 {
863     tSMP_CALLBACK   *p_callback = p_cb->p_callback;
864     UINT8           trace_level = p_cb->trace_level;
865 
866     SMP_TRACE_EVENT("smp_cb_cleanup");
867 
868     alarm_free(p_cb->smp_rsp_timer_ent);
869     alarm_free(p_cb->delayed_auth_timer_ent);
870     memset(p_cb, 0, sizeof(tSMP_CB));
871     p_cb->p_callback = p_callback;
872     p_cb->trace_level = trace_level;
873     p_cb->smp_rsp_timer_ent = alarm_new("smp.smp_rsp_timer_ent");
874     p_cb->delayed_auth_timer_ent = alarm_new("smp.delayed_auth_timer_ent");
875 }
876 
877 /*******************************************************************************
878 **
879 ** Function         smp_remove_fixed_channel
880 **
881 ** Description      This function is called to remove the fixed channel
882 **
883 ** Returns          void
884 **
885 *******************************************************************************/
smp_remove_fixed_channel(tSMP_CB * p_cb)886 void smp_remove_fixed_channel(tSMP_CB *p_cb)
887 {
888     SMP_TRACE_DEBUG("%s", __func__);
889 
890     if (p_cb->smp_over_br)
891         L2CA_RemoveFixedChnl (L2CAP_SMP_BR_CID, p_cb->pairing_bda);
892     else
893         L2CA_RemoveFixedChnl (L2CAP_SMP_CID, p_cb->pairing_bda);
894 }
895 
896 /*******************************************************************************
897 **
898 ** Function         smp_reset_control_value
899 **
900 ** Description      This function is called to reset the control block value when
901 **                  pairing procedure finished.
902 **
903 **
904 ** Returns          void
905 **
906 *******************************************************************************/
smp_reset_control_value(tSMP_CB * p_cb)907 void smp_reset_control_value(tSMP_CB *p_cb)
908 {
909     SMP_TRACE_EVENT("%s", __func__);
910 
911     alarm_cancel(p_cb->smp_rsp_timer_ent);
912     p_cb->flags = 0;
913     /* set the link idle timer to drop the link when pairing is done
914        usually service discovery will follow authentication complete, to avoid
915        racing condition for a link down/up, set link idle timer to be
916        SMP_LINK_TOUT_MIN to guarantee SMP key exchange */
917     L2CA_SetIdleTimeoutByBdAddr(p_cb->pairing_bda, SMP_LINK_TOUT_MIN, BT_TRANSPORT_LE);
918 
919     /* We can tell L2CAP to remove the fixed channel (if it has one) */
920     smp_remove_fixed_channel(p_cb);
921     smp_cb_cleanup(p_cb);
922 }
923 
924 /*******************************************************************************
925 **
926 ** Function         smp_proc_pairing_cmpl
927 **
928 ** Description      This function is called to process pairing complete
929 **
930 **
931 ** Returns          void
932 **
933 *******************************************************************************/
smp_proc_pairing_cmpl(tSMP_CB * p_cb)934 void smp_proc_pairing_cmpl(tSMP_CB *p_cb)
935 {
936     tSMP_EVT_DATA   evt_data = {0};
937     tSMP_CALLBACK   *p_callback = p_cb->p_callback;
938     BD_ADDR         pairing_bda;
939 
940     SMP_TRACE_DEBUG ("smp_proc_pairing_cmpl ");
941 
942     evt_data.cmplt.reason = p_cb->status;
943     evt_data.cmplt.smp_over_br = p_cb->smp_over_br;
944 
945     if (p_cb->status == SMP_SUCCESS)
946         evt_data.cmplt.sec_level = p_cb->sec_level;
947 
948     evt_data.cmplt.is_pair_cancel  = FALSE;
949 
950     if (p_cb->is_pair_cancel)
951         evt_data.cmplt.is_pair_cancel = TRUE;
952 
953 
954     SMP_TRACE_DEBUG ("send SMP_COMPLT_EVT reason=0x%0x sec_level=0x%0x",
955                       evt_data.cmplt.reason,
956                       evt_data.cmplt.sec_level );
957 
958     memcpy (pairing_bda, p_cb->pairing_bda, BD_ADDR_LEN);
959 
960     smp_reset_control_value(p_cb);
961 
962     if (p_callback)
963         (*p_callback) (SMP_COMPLT_EVT, pairing_bda, &evt_data);
964 }
965 
966 /*******************************************************************************
967 **
968 ** Function         smp_command_has_invalid_parameters
969 **
970 ** Description      Checks if the received SMP command has invalid parameters i.e.
971 **                  if the command length is valid and the command parameters are
972 **                  inside specified range.
973 **                  It returns TRUE if the command has invalid parameters.
974 **
975 ** Returns          TRUE if the command has invalid parameters, FALSE otherwise.
976 **
977 *******************************************************************************/
smp_command_has_invalid_parameters(tSMP_CB * p_cb)978 BOOLEAN smp_command_has_invalid_parameters(tSMP_CB *p_cb)
979 {
980     UINT8 cmd_code = p_cb->rcvd_cmd_code;
981 
982     SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, cmd_code);
983 
984     if ((cmd_code > (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */)) ||
985         (cmd_code < SMP_OPCODE_MIN))
986     {
987         SMP_TRACE_WARNING("Somehow received command with the RESERVED code 0x%02x", cmd_code);
988         return TRUE;
989     }
990 
991     if (!(*smp_cmd_len_is_valid[cmd_code])(p_cb))
992         return TRUE;
993 
994     if (!(*smp_cmd_param_ranges_are_valid[cmd_code])(p_cb))
995         return TRUE;
996 
997     return FALSE;
998 }
999 
1000 /*******************************************************************************
1001 **
1002 ** Function         smp_command_has_valid_fixed_length
1003 **
1004 ** Description      Checks if the received command size is equal to the size
1005 **                  according to specs.
1006 **
1007 ** Returns          TRUE if the command size is as expected, FALSE otherwise.
1008 **
1009 ** Note             The command is expected to have fixed length.
1010 *******************************************************************************/
smp_command_has_valid_fixed_length(tSMP_CB * p_cb)1011 BOOLEAN smp_command_has_valid_fixed_length(tSMP_CB *p_cb)
1012 {
1013     UINT8   cmd_code = p_cb->rcvd_cmd_code;
1014 
1015     SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, cmd_code);
1016 
1017     if (p_cb->rcvd_cmd_len != smp_cmd_size_per_spec[cmd_code])
1018     {
1019         SMP_TRACE_WARNING("Rcvd from the peer cmd 0x%02x with invalid length\
1020             0x%02x (per spec the length is 0x%02x).",
1021             cmd_code, p_cb->rcvd_cmd_len, smp_cmd_size_per_spec[cmd_code]);
1022         return FALSE;
1023     }
1024 
1025     return TRUE;
1026 }
1027 
1028 /*******************************************************************************
1029 **
1030 ** Function         smp_pairing_request_response_parameters_are_valid
1031 **
1032 ** Description      Validates parameter ranges in the received SMP command
1033 **                  pairing request or pairing response.
1034 **                  The parameters to validate:
1035 **                  IO capability,
1036 **                  OOB data flag,
1037 **                  Bonding_flags in AuthReq
1038 **                  Maximum encryption key size.
1039 **                  Returns FALSE if at least one of these parameters is out of range.
1040 **
1041 *******************************************************************************/
smp_pairing_request_response_parameters_are_valid(tSMP_CB * p_cb)1042 BOOLEAN smp_pairing_request_response_parameters_are_valid(tSMP_CB *p_cb)
1043 {
1044     UINT8   io_caps = p_cb->peer_io_caps;
1045     UINT8   oob_flag = p_cb->peer_oob_flag;
1046     UINT8   bond_flag = p_cb->peer_auth_req & 0x03; //0x03 is gen bond with appropriate mask
1047     UINT8   enc_size = p_cb->peer_enc_size;
1048 
1049     SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, p_cb->rcvd_cmd_code);
1050 
1051     if (io_caps >= BTM_IO_CAP_MAX)
1052     {
1053         SMP_TRACE_WARNING("Rcvd from the peer cmd 0x%02x with IO Capabilty \
1054             value (0x%02x) out of range).",
1055             p_cb->rcvd_cmd_code, io_caps);
1056         return FALSE;
1057     }
1058 
1059     if (!((oob_flag == SMP_OOB_NONE) || (oob_flag == SMP_OOB_PRESENT)))
1060     {
1061         SMP_TRACE_WARNING("Rcvd from the peer cmd 0x%02x with OOB data flag value \
1062             (0x%02x) out of range).",
1063              p_cb->rcvd_cmd_code, oob_flag);
1064         return FALSE;
1065     }
1066 
1067     if (!((bond_flag == SMP_AUTH_NO_BOND) || (bond_flag == SMP_AUTH_BOND)))
1068     {
1069         SMP_TRACE_WARNING("Rcvd from the peer cmd 0x%02x with Bonding_Flags value (0x%02x)\
1070                            out of range).",
1071                            p_cb->rcvd_cmd_code, bond_flag);
1072         return FALSE;
1073     }
1074 
1075     if ((enc_size < SMP_ENCR_KEY_SIZE_MIN) || (enc_size > SMP_ENCR_KEY_SIZE_MAX))
1076     {
1077         SMP_TRACE_WARNING("Rcvd from the peer cmd 0x%02x with Maximum Encryption \
1078             Key value (0x%02x) out of range).",
1079             p_cb->rcvd_cmd_code, enc_size);
1080         return FALSE;
1081     }
1082 
1083     return TRUE;
1084 }
1085 
1086 /*******************************************************************************
1087 **
1088 ** Function         smp_pairing_keypress_notification_is_valid
1089 **
1090 ** Description      Validates Notification Type parameter range in the received SMP command
1091 **                  pairing keypress notification.
1092 **                  Returns FALSE if this parameter is out of range.
1093 **
1094 *******************************************************************************/
smp_pairing_keypress_notification_is_valid(tSMP_CB * p_cb)1095 BOOLEAN smp_pairing_keypress_notification_is_valid(tSMP_CB *p_cb)
1096 {
1097     tBTM_SP_KEY_TYPE keypress_notification = p_cb->peer_keypress_notification;
1098 
1099     SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, p_cb->rcvd_cmd_code);
1100 
1101     if (keypress_notification >= BTM_SP_KEY_OUT_OF_RANGE)
1102     {
1103         SMP_TRACE_WARNING("Rcvd from the peer cmd 0x%02x with Pairing Keypress \
1104             Notification value (0x%02x) out of range).",
1105             p_cb->rcvd_cmd_code, keypress_notification);
1106         return FALSE;
1107     }
1108 
1109     return TRUE;
1110 }
1111 
1112 /*******************************************************************************
1113 **
1114 ** Function         smp_parameter_unconditionally_valid
1115 **
1116 ** Description      Always returns TRUE.
1117 **
1118 *******************************************************************************/
smp_parameter_unconditionally_valid(UNUSED_ATTR tSMP_CB * p_cb)1119 BOOLEAN smp_parameter_unconditionally_valid(UNUSED_ATTR tSMP_CB *p_cb)
1120 {
1121     return TRUE;
1122 }
1123 
1124 /*******************************************************************************
1125 **
1126 ** Function         smp_parameter_unconditionally_invalid
1127 **
1128 ** Description      Always returns FALSE.
1129 **
1130 *******************************************************************************/
smp_parameter_unconditionally_invalid(UNUSED_ATTR tSMP_CB * p_cb)1131 BOOLEAN smp_parameter_unconditionally_invalid(UNUSED_ATTR tSMP_CB *p_cb)
1132 {
1133     return FALSE;
1134 }
1135 
1136 /*******************************************************************************
1137 **
1138 ** Function         smp_reject_unexpected_pairing_command
1139 **
1140 ** Description      send pairing failure to an unexpected pairing command during
1141 **                  an active pairing process.
1142 **
1143 ** Returns          void
1144 **
1145 *******************************************************************************/
smp_reject_unexpected_pairing_command(BD_ADDR bd_addr)1146 void smp_reject_unexpected_pairing_command(BD_ADDR bd_addr)
1147 {
1148     UINT8 *p;
1149     BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) +
1150                         SMP_PAIR_FAIL_SIZE + L2CAP_MIN_OFFSET);
1151 
1152     SMP_TRACE_DEBUG("%s", __func__);
1153 
1154     p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
1155     UINT8_TO_STREAM(p, SMP_OPCODE_PAIRING_FAILED);
1156     UINT8_TO_STREAM(p, SMP_PAIR_NOT_SUPPORT);
1157 
1158     p_buf->offset = L2CAP_MIN_OFFSET;
1159     p_buf->len = SMP_PAIR_FAIL_SIZE;
1160 
1161     smp_send_msg_to_L2CAP(bd_addr, p_buf);
1162 }
1163 
1164 /*******************************************************************************
1165 ** Function         smp_select_association_model
1166 **
1167 ** Description      This function selects association model to use for STK
1168 **                  generation. Selection is based on both sides' io capability,
1169 **                  oob data flag and authentication request.
1170 **
1171 ** Note             If Secure Connections Only mode is required locally then we
1172 **                  come to this point only if both sides support Secure Connections
1173 **                  mode, i.e. if p_cb->secure_connections_only_mode_required = TRUE then we come
1174 **                  to this point only if
1175 **                      (p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT) ==
1176 **                      (p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) ==
1177 **                      SMP_SC_SUPPORT_BIT
1178 **
1179 *******************************************************************************/
smp_select_association_model(tSMP_CB * p_cb)1180 tSMP_ASSO_MODEL smp_select_association_model(tSMP_CB *p_cb)
1181 {
1182     tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE;
1183     p_cb->le_secure_connections_mode_is_used = FALSE;
1184 
1185     SMP_TRACE_EVENT("%s", __FUNCTION__);
1186     SMP_TRACE_DEBUG("%s p_cb->peer_io_caps = %d p_cb->local_io_capability = %d",
1187                        __FUNCTION__, p_cb->peer_io_caps, p_cb->local_io_capability);
1188     SMP_TRACE_DEBUG("%s p_cb->peer_oob_flag = %d p_cb->loc_oob_flag = %d",
1189                        __FUNCTION__, p_cb->peer_oob_flag, p_cb->loc_oob_flag);
1190     SMP_TRACE_DEBUG("%s p_cb->peer_auth_req = 0x%02x p_cb->loc_auth_req = 0x%02x",
1191                        __FUNCTION__, p_cb->peer_auth_req, p_cb->loc_auth_req);
1192     SMP_TRACE_DEBUG("%s p_cb->secure_connections_only_mode_required = %s",
1193                        __FUNCTION__, p_cb->secure_connections_only_mode_required ?
1194                                     "TRUE" : "FALSE");
1195 
1196     if ((p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT) && (p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT))
1197     {
1198         p_cb->le_secure_connections_mode_is_used = TRUE;
1199     }
1200 
1201     SMP_TRACE_DEBUG("use_sc_process = %d", p_cb->le_secure_connections_mode_is_used);
1202 
1203     if (p_cb->le_secure_connections_mode_is_used)
1204     {
1205         model = smp_select_association_model_secure_connections(p_cb);
1206     }
1207     else
1208     {
1209         model = smp_select_legacy_association_model(p_cb);
1210     }
1211     return model;
1212 }
1213 
1214 /*******************************************************************************
1215 ** Function         smp_select_legacy_association_model
1216 **
1217 ** Description      This function is called to select association mode if at least
1218 **                  one side doesn't support secure connections.
1219 **
1220 *******************************************************************************/
smp_select_legacy_association_model(tSMP_CB * p_cb)1221 tSMP_ASSO_MODEL smp_select_legacy_association_model(tSMP_CB *p_cb)
1222 {
1223     tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE;
1224 
1225     SMP_TRACE_DEBUG("%s", __func__);
1226     /* if OOB data is present on both devices, then use OOB association model */
1227     if (p_cb->peer_oob_flag == SMP_OOB_PRESENT && p_cb->loc_oob_flag == SMP_OOB_PRESENT)
1228         return SMP_MODEL_OOB;
1229 
1230     /* else if neither device requires MITM, then use Just Works association model */
1231     if (SMP_NO_MITM_REQUIRED (p_cb->peer_auth_req) && SMP_NO_MITM_REQUIRED(p_cb->loc_auth_req))
1232         return SMP_MODEL_ENCRYPTION_ONLY;
1233 
1234     /* otherwise use IO capability to select association model */
1235     if (p_cb->peer_io_caps < SMP_IO_CAP_MAX && p_cb->local_io_capability < SMP_IO_CAP_MAX)
1236     {
1237         if (p_cb->role == HCI_ROLE_MASTER)
1238         {
1239             model = smp_association_table[p_cb->role][p_cb->peer_io_caps]
1240                                          [p_cb->local_io_capability];
1241         }
1242         else
1243         {
1244             model = smp_association_table[p_cb->role][p_cb->local_io_capability]
1245                                          [p_cb->peer_io_caps];
1246         }
1247     }
1248 
1249     return model;
1250 }
1251 
1252 /*******************************************************************************
1253 ** Function         smp_select_association_model_secure_connections
1254 **
1255 ** Description      This function is called to select association mode if both
1256 **                  sides support secure connections.
1257 **
1258 *******************************************************************************/
smp_select_association_model_secure_connections(tSMP_CB * p_cb)1259 tSMP_ASSO_MODEL smp_select_association_model_secure_connections(tSMP_CB *p_cb)
1260 {
1261     tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE;
1262 
1263     SMP_TRACE_DEBUG("%s", __func__);
1264     /* if OOB data is present on at least one device, then use OOB association model */
1265     if (p_cb->peer_oob_flag == SMP_OOB_PRESENT || p_cb->loc_oob_flag == SMP_OOB_PRESENT)
1266         return SMP_MODEL_SEC_CONN_OOB;
1267 
1268     /* else if neither device requires MITM, then use Just Works association model */
1269     if (SMP_NO_MITM_REQUIRED (p_cb->peer_auth_req) && SMP_NO_MITM_REQUIRED(p_cb->loc_auth_req))
1270         return SMP_MODEL_SEC_CONN_JUSTWORKS;
1271 
1272     /* otherwise use IO capability to select association model */
1273     if (p_cb->peer_io_caps < SMP_IO_CAP_MAX && p_cb->local_io_capability < SMP_IO_CAP_MAX)
1274     {
1275         if (p_cb->role == HCI_ROLE_MASTER)
1276         {
1277             model = smp_association_table_sc[p_cb->role][p_cb->peer_io_caps]
1278                                             [p_cb->local_io_capability];
1279         }
1280         else
1281         {
1282             model = smp_association_table_sc[p_cb->role][p_cb->local_io_capability]
1283                                             [p_cb->peer_io_caps];
1284         }
1285     }
1286 
1287     return model;
1288 }
1289 
1290 /*******************************************************************************
1291 ** Function         smp_reverse_array
1292 **
1293 ** Description      This function reverses array bytes
1294 **
1295 *******************************************************************************/
smp_reverse_array(UINT8 * arr,UINT8 len)1296 void smp_reverse_array(UINT8 *arr, UINT8 len)
1297 {
1298     UINT8 i =0, tmp;
1299 
1300     SMP_TRACE_DEBUG("smp_reverse_array");
1301 
1302     for (i = 0; i < len/2; i ++)
1303     {
1304         tmp = arr[i];
1305         arr[i] = arr[len -1 - i];
1306         arr[len -1 - i] = tmp;
1307     }
1308 }
1309 
1310 /*******************************************************************************
1311 ** Function         smp_calculate_random_input
1312 **
1313 ** Description      This function returns random input value to be used in commitment
1314 **                  calculation for SC passkey entry association mode
1315 **                  (if bit["round"] in "random" array == 1 then returns 0x81
1316 **                   else returns 0x80).
1317 **
1318 ** Returns          ri value
1319 **
1320 *******************************************************************************/
smp_calculate_random_input(UINT8 * random,UINT8 round)1321 UINT8 smp_calculate_random_input(UINT8 *random, UINT8 round)
1322 {
1323     UINT8 i = round/8;
1324     UINT8 j = round%8;
1325     UINT8 ri;
1326 
1327     SMP_TRACE_DEBUG("random: 0x%02x, round: %d, i: %d, j: %d", random[i], round, i, j);
1328     ri = ((random[i] >> j) & 1) | 0x80;
1329     SMP_TRACE_DEBUG("%s ri=0x%02x", __func__, ri);
1330     return ri;
1331 }
1332 
1333 /*******************************************************************************
1334 ** Function         smp_collect_local_io_capabilities
1335 **
1336 ** Description      This function puts into IOcap array local device
1337 **                  IOCapability, OOB data, AuthReq.
1338 **
1339 ** Returns          void
1340 **
1341 *******************************************************************************/
smp_collect_local_io_capabilities(UINT8 * iocap,tSMP_CB * p_cb)1342 void smp_collect_local_io_capabilities(UINT8 *iocap, tSMP_CB *p_cb)
1343 {
1344     SMP_TRACE_DEBUG("%s", __func__);
1345 
1346     iocap[0] = p_cb->local_io_capability;
1347     iocap[1] = p_cb->loc_oob_flag;
1348     iocap[2] = p_cb->loc_auth_req;
1349 }
1350 
1351 /*******************************************************************************
1352 ** Function         smp_collect_peer_io_capabilities
1353 **
1354 ** Description      This function puts into IOcap array peer device
1355 **                  IOCapability, OOB data, AuthReq.
1356 **
1357 ** Returns          void
1358 **
1359 *******************************************************************************/
smp_collect_peer_io_capabilities(UINT8 * iocap,tSMP_CB * p_cb)1360 void smp_collect_peer_io_capabilities(UINT8 *iocap, tSMP_CB *p_cb)
1361 {
1362     SMP_TRACE_DEBUG("%s", __func__);
1363 
1364     iocap[0] = p_cb->peer_io_caps;
1365     iocap[1] = p_cb->peer_oob_flag;
1366     iocap[2] = p_cb->peer_auth_req;
1367 }
1368 
1369 /*******************************************************************************
1370 ** Function         smp_collect_local_ble_address
1371 **
1372 ** Description      This function puts into le_addr array local device le address:
1373 **                  le_addr[0-5] = local BD ADDR,
1374 **                  le_addr[6] = local le address type (PUBLIC/RANDOM).
1375 **
1376 ** Returns          void
1377 **
1378 *******************************************************************************/
smp_collect_local_ble_address(UINT8 * le_addr,tSMP_CB * p_cb)1379 void smp_collect_local_ble_address(UINT8 *le_addr, tSMP_CB *p_cb)
1380 {
1381     tBLE_ADDR_TYPE  addr_type = 0;
1382     BD_ADDR         bda;
1383     UINT8           *p = le_addr;
1384 
1385     SMP_TRACE_DEBUG("%s", __func__);
1386 
1387     BTM_ReadConnectionAddr( p_cb->pairing_bda, bda, &addr_type);
1388     BDADDR_TO_STREAM(p, bda);
1389     UINT8_TO_STREAM(p, addr_type);
1390 }
1391 
1392 /*******************************************************************************
1393 ** Function         smp_collect_peer_ble_address
1394 **
1395 ** Description      This function puts into le_addr array peer device le address:
1396 **                  le_addr[0-5] = peer BD ADDR,
1397 **                  le_addr[6] = peer le address type (PUBLIC/RANDOM).
1398 **
1399 ** Returns          void
1400 **
1401 *******************************************************************************/
smp_collect_peer_ble_address(UINT8 * le_addr,tSMP_CB * p_cb)1402 void smp_collect_peer_ble_address(UINT8 *le_addr, tSMP_CB *p_cb)
1403 {
1404     tBLE_ADDR_TYPE  addr_type = 0;
1405     BD_ADDR         bda;
1406     UINT8           *p = le_addr;
1407 
1408     SMP_TRACE_DEBUG("%s", __func__);
1409 
1410     if (!BTM_ReadRemoteConnectionAddr(p_cb->pairing_bda, bda, &addr_type))
1411     {
1412         SMP_TRACE_ERROR("can not collect peer le addr information for unknown device");
1413         return;
1414     }
1415 
1416     BDADDR_TO_STREAM(p, bda);
1417     UINT8_TO_STREAM(p, addr_type);
1418 }
1419 
1420 /*******************************************************************************
1421 ** Function         smp_check_commitment
1422 **
1423 ** Description      This function compares peer commitment values:
1424 **                  - expected (i.e. calculated locally),
1425 **                  - received from the peer.
1426 **
1427 ** Returns          TRUE  if the values are the same
1428 **                  FALSE otherwise
1429 **
1430 *******************************************************************************/
smp_check_commitment(tSMP_CB * p_cb)1431 BOOLEAN smp_check_commitment(tSMP_CB *p_cb)
1432 {
1433     BT_OCTET16 expected;
1434 
1435     SMP_TRACE_DEBUG("%s", __func__);
1436 
1437     smp_calculate_peer_commitment(p_cb, expected);
1438     print128(expected, (const UINT8 *)"calculated peer commitment");
1439     print128(p_cb->remote_commitment, (const UINT8 *)"received peer commitment");
1440 
1441     if (memcmp(p_cb->remote_commitment, expected, BT_OCTET16_LEN))
1442     {
1443         SMP_TRACE_WARNING("Commitment check fails");
1444         return FALSE;
1445     }
1446 
1447     SMP_TRACE_DEBUG("Commitment check succeeds");
1448     return TRUE;
1449 }
1450 
1451 /*******************************************************************************
1452 **
1453 ** Function         smp_save_secure_connections_long_term_key
1454 **
1455 ** Description      The function saves SC LTK as BLE key for future use as local
1456 **                  and/or peer key.
1457 **
1458 ** Returns          void
1459 **
1460 *******************************************************************************/
smp_save_secure_connections_long_term_key(tSMP_CB * p_cb)1461 void smp_save_secure_connections_long_term_key(tSMP_CB *p_cb)
1462 {
1463     tBTM_LE_LENC_KEYS   lle_key;
1464     tBTM_LE_PENC_KEYS   ple_key;
1465 
1466     SMP_TRACE_DEBUG("%s-Save LTK as local LTK key", __func__);
1467     memcpy(lle_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
1468     lle_key.div = 0;
1469     lle_key.key_size = p_cb->loc_enc_size;
1470     lle_key.sec_level = p_cb->sec_level;
1471     btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC, (tBTM_LE_KEY_VALUE *)&lle_key, TRUE);
1472 
1473     SMP_TRACE_DEBUG("%s-Save LTK as peer LTK key", __func__);
1474     ple_key.ediv = 0;
1475     memset(ple_key.rand, 0, BT_OCTET8_LEN);
1476     memcpy(ple_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
1477     ple_key.sec_level = p_cb->sec_level;
1478     ple_key.key_size  = p_cb->loc_enc_size;
1479     btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC, (tBTM_LE_KEY_VALUE *)&ple_key, TRUE);
1480 }
1481 
1482 /*******************************************************************************
1483 **
1484 ** Function         smp_calculate_f5_mackey_and_long_term_key
1485 **
1486 ** Description      The function calculates MacKey and LTK and saves them in CB.
1487 **                  To calculate MacKey and LTK it calls smp_calc_f5(...).
1488 **                  MacKey is used in dhkey calculation, LTK is used to encrypt
1489 **                  the link.
1490 **
1491 ** Returns          FALSE if out of resources, TRUE otherwise.
1492 **
1493 *******************************************************************************/
smp_calculate_f5_mackey_and_long_term_key(tSMP_CB * p_cb)1494 BOOLEAN smp_calculate_f5_mackey_and_long_term_key(tSMP_CB *p_cb)
1495 {
1496     UINT8 a[7];
1497     UINT8 b[7];
1498     UINT8 *p_na;
1499     UINT8 *p_nb;
1500 
1501     SMP_TRACE_DEBUG("%s", __func__);
1502 
1503     if (p_cb->role == HCI_ROLE_MASTER)
1504     {
1505         smp_collect_local_ble_address(a, p_cb);
1506         smp_collect_peer_ble_address(b, p_cb);
1507         p_na = p_cb->rand;
1508         p_nb = p_cb->rrand;
1509     }
1510     else
1511     {
1512         smp_collect_local_ble_address(b, p_cb);
1513         smp_collect_peer_ble_address(a, p_cb);
1514         p_na = p_cb->rrand;
1515         p_nb = p_cb->rand;
1516     }
1517 
1518     if(!smp_calculate_f5(p_cb->dhkey, p_na, p_nb, a, b, p_cb->mac_key, p_cb->ltk))
1519     {
1520         SMP_TRACE_ERROR("%s failed", __func__);
1521         return FALSE;
1522     }
1523 
1524     SMP_TRACE_EVENT ("%s is completed", __func__);
1525     return TRUE;
1526 }
1527 
1528 /*******************************************************************************
1529 **
1530 ** Function         smp_request_oob_data
1531 **
1532 ** Description      Requests application to provide OOB data.
1533 **
1534 ** Returns          TRUE - OOB data has to be provided by application
1535 **                  FALSE - otherwise (unexpected)
1536 **
1537 *******************************************************************************/
smp_request_oob_data(tSMP_CB * p_cb)1538 BOOLEAN smp_request_oob_data(tSMP_CB *p_cb)
1539 {
1540     tSMP_OOB_DATA_TYPE req_oob_type = SMP_OOB_INVALID_TYPE;
1541 
1542     SMP_TRACE_DEBUG("%s", __func__);
1543 
1544     if (p_cb->peer_oob_flag == SMP_OOB_PRESENT && p_cb->loc_oob_flag == SMP_OOB_PRESENT)
1545     {
1546         /* both local and peer rcvd data OOB */
1547         req_oob_type = SMP_OOB_BOTH;
1548     }
1549     else if (p_cb->peer_oob_flag == SMP_OOB_PRESENT)
1550     {
1551         /* peer rcvd OOB local data, local didn't receive OOB peer data */
1552         req_oob_type = SMP_OOB_LOCAL;
1553     }
1554     else if (p_cb->loc_oob_flag == SMP_OOB_PRESENT)
1555     {
1556         req_oob_type = SMP_OOB_PEER;
1557     }
1558 
1559     SMP_TRACE_DEBUG("req_oob_type = %d", req_oob_type);
1560 
1561     if (req_oob_type == SMP_OOB_INVALID_TYPE)
1562         return FALSE;
1563 
1564     p_cb->req_oob_type = req_oob_type;
1565     p_cb->cb_evt = SMP_SC_OOB_REQ_EVT;
1566     smp_sm_event(p_cb, SMP_TK_REQ_EVT, &req_oob_type);
1567 
1568     return TRUE;
1569 }
1570 
1571 
1572 #endif
1573 
1574