1 /******************************************************************************
2 *
3 * Copyright (C) 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * This file contains security manager protocol utility functions
22 *
23 ******************************************************************************/
24 #include "bt_target.h"
25
26 #if (SMP_DEBUG == TRUE)
27 #include <stdio.h>
28 #endif
29 #include <base/bind.h>
30 #include <string.h>
31 #include "aes.h"
32 #include "bt_utils.h"
33 #include "btm_ble_api.h"
34 #include "btm_ble_int.h"
35 #include "btm_int.h"
36 #include "device/include/controller.h"
37 #include "hcimsgs.h"
38 #include "osi/include/osi.h"
39 #include "p_256_ecc_pp.h"
40 #include "smp_int.h"
41
42 using base::Bind;
43
44 #ifndef SMP_MAX_ENC_REPEAT
45 #define SMP_MAX_ENC_REPEAT 3
46 #endif
47
48 static void smp_process_stk(tSMP_CB* p_cb, tSMP_ENC* p);
49 static bool smp_calculate_legacy_short_term_key(tSMP_CB* p_cb,
50 tSMP_ENC* output);
51 static void smp_process_private_key(tSMP_CB* p_cb);
52
53 #define SMP_PASSKEY_MASK 0xfff00000
54
smp_debug_print_nbyte_little_endian(uint8_t * p,const char * key_name,uint8_t len)55 void smp_debug_print_nbyte_little_endian(uint8_t* p, const char* key_name,
56 uint8_t len) {
57 #if (SMP_DEBUG == TRUE)
58 int ind;
59 int col_count = 32;
60 int row_count;
61 uint8_t p_buf[512];
62
63 SMP_TRACE_DEBUG("%s(LSB ~ MSB):", key_name);
64 memset(p_buf, 0, sizeof(p_buf));
65 row_count = len % col_count ? len / col_count + 1 : len / col_count;
66
67 ind = 0;
68 for (int row = 0; row < row_count; row++) {
69 for (int column = 0, x = 0; (ind < len) && (column < col_count);
70 column++, ind++) {
71 x += snprintf((char*)&p_buf[x], sizeof(p_buf) - x, "%02x ", p[ind]);
72 }
73 SMP_TRACE_DEBUG(" [%03d]: %s", row * col_count, p_buf);
74 }
75 #endif
76 }
77
smp_debug_print_nbyte_big_endian(uint8_t * p,const char * key_name,uint8_t len)78 void smp_debug_print_nbyte_big_endian(uint8_t* p, const char* key_name,
79 uint8_t len) {
80 #if (SMP_DEBUG == TRUE)
81 uint8_t p_buf[512];
82
83 SMP_TRACE_DEBUG("%s(MSB ~ LSB):", key_name);
84 memset(p_buf, 0, sizeof(p_buf));
85
86 int ind = 0;
87 int ncols = 32; /* num entries in one line */
88 int nrows; /* num lines */
89
90 nrows = len % ncols ? len / ncols + 1 : len / ncols;
91 for (int row = 0; row < nrows; row++) {
92 for (int col = 0, x = 0; (ind < len) && (col < ncols); col++, ind++) {
93 x += snprintf((char*)&p_buf[len - x - 1], sizeof(p_buf) - (len - x - 1),
94 "%02x ", p[ind]);
95 }
96 SMP_TRACE_DEBUG("[%03d]: %s", row * ncols, p_buf);
97 }
98 #endif
99 }
100
101 /*******************************************************************************
102 *
103 * Function smp_encrypt_data
104 *
105 * Description This function is called to encrypt data.
106 * It uses AES-128 encryption algorithm.
107 * Plain_text is encrypted using key, the result is at p_out.
108 *
109 * Returns void
110 *
111 ******************************************************************************/
smp_encrypt_data(uint8_t * key,uint8_t key_len,uint8_t * plain_text,uint8_t pt_len,tSMP_ENC * p_out)112 bool smp_encrypt_data(uint8_t* key, uint8_t key_len, uint8_t* plain_text,
113 uint8_t pt_len, tSMP_ENC* p_out) {
114 aes_context ctx;
115 uint8_t* p_start = NULL;
116 uint8_t* p = NULL;
117 uint8_t* p_rev_data = NULL; /* input data in big endilan format */
118 uint8_t* p_rev_key = NULL; /* input key in big endilan format */
119 uint8_t* p_rev_output = NULL; /* encrypted output in big endilan format */
120
121 SMP_TRACE_DEBUG("%s", __func__);
122 if ((p_out == NULL) || (key_len != SMP_ENCRYT_KEY_SIZE)) {
123 SMP_TRACE_ERROR("%s failed", __func__);
124 return false;
125 }
126
127 p_start = (uint8_t*)osi_calloc(SMP_ENCRYT_DATA_SIZE * 4);
128
129 if (pt_len > SMP_ENCRYT_DATA_SIZE) pt_len = SMP_ENCRYT_DATA_SIZE;
130
131 p = p_start;
132 ARRAY_TO_STREAM(p, plain_text, pt_len); /* byte 0 to byte 15 */
133 p_rev_data = p = p_start + SMP_ENCRYT_DATA_SIZE; /* start at byte 16 */
134 REVERSE_ARRAY_TO_STREAM(p, p_start,
135 SMP_ENCRYT_DATA_SIZE); /* byte 16 to byte 31 */
136 p_rev_key = p; /* start at byte 32 */
137 REVERSE_ARRAY_TO_STREAM(p, key, SMP_ENCRYT_KEY_SIZE); /* byte 32 to byte 47 */
138
139 #if (SMP_DEBUG == TRUE && SMP_DEBUG_VERBOSE == TRUE)
140 smp_debug_print_nbyte_little_endian(key, "Key", SMP_ENCRYT_KEY_SIZE);
141 smp_debug_print_nbyte_little_endian(p_start, "Plain text",
142 SMP_ENCRYT_DATA_SIZE);
143 #endif
144 p_rev_output = p;
145 aes_set_key(p_rev_key, SMP_ENCRYT_KEY_SIZE, &ctx);
146 aes_encrypt(p_rev_data, p, &ctx); /* outputs in byte 48 to byte 63 */
147
148 p = p_out->param_buf;
149 REVERSE_ARRAY_TO_STREAM(p, p_rev_output, SMP_ENCRYT_DATA_SIZE);
150 #if (SMP_DEBUG == TRUE && SMP_DEBUG_VERBOSE == TRUE)
151 smp_debug_print_nbyte_little_endian(p_out->param_buf, "Encrypted text",
152 SMP_ENCRYT_KEY_SIZE);
153 #endif
154
155 p_out->param_len = SMP_ENCRYT_KEY_SIZE;
156 p_out->status = HCI_SUCCESS;
157 p_out->opcode = HCI_BLE_ENCRYPT;
158
159 osi_free(p_start);
160
161 return true;
162 }
163
164 /*******************************************************************************
165 *
166 * Function smp_proc_passkey
167 *
168 * Description This function is called to process a passkey.
169 *
170 * Returns void
171 *
172 ******************************************************************************/
smp_proc_passkey(tSMP_CB * p_cb,BT_OCTET8 rand)173 void smp_proc_passkey(tSMP_CB* p_cb, BT_OCTET8 rand) {
174 uint8_t* tt = p_cb->tk;
175 tSMP_KEY key;
176 uint32_t passkey; /* 19655 test number; */
177 uint8_t* pp = rand;
178
179 SMP_TRACE_DEBUG("%s", __func__);
180 STREAM_TO_UINT32(passkey, pp);
181 passkey &= ~SMP_PASSKEY_MASK;
182
183 /* truncate by maximum value */
184 while (passkey > BTM_MAX_PASSKEY_VAL) passkey >>= 1;
185
186 /* save the TK */
187 memset(p_cb->tk, 0, BT_OCTET16_LEN);
188 UINT32_TO_STREAM(tt, passkey);
189
190 key.key_type = SMP_KEY_TYPE_TK;
191 key.p_data = p_cb->tk;
192
193 if (p_cb->p_callback) {
194 (*p_cb->p_callback)(SMP_PASSKEY_NOTIF_EVT, p_cb->pairing_bda,
195 (tSMP_EVT_DATA*)&passkey);
196 }
197
198 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_PASSKEY_DISP) {
199 smp_sm_event(&smp_cb, SMP_KEY_READY_EVT, &passkey);
200 } else {
201 smp_sm_event(p_cb, SMP_KEY_READY_EVT, (tSMP_INT_DATA*)&key);
202 }
203 }
204
205 /*******************************************************************************
206 *
207 * Function smp_generate_passkey
208 *
209 * Description This function is called to generate passkey.
210 *
211 * Returns void
212 *
213 ******************************************************************************/
smp_generate_passkey(tSMP_CB * p_cb,UNUSED_ATTR tSMP_INT_DATA * p_data)214 void smp_generate_passkey(tSMP_CB* p_cb, UNUSED_ATTR tSMP_INT_DATA* p_data) {
215 SMP_TRACE_DEBUG("%s", __func__);
216 /* generate MRand or SRand */
217 btsnd_hcic_ble_rand(Bind(&smp_proc_passkey, p_cb));
218 }
219
220 /*******************************************************************************
221 *
222 * Function smp_generate_stk
223 *
224 * Description This function is called to generate STK calculated by
225 * running AES with the TK value as key and a concatenation of
226 * the random values.
227 *
228 * Returns void
229 *
230 ******************************************************************************/
smp_generate_stk(tSMP_CB * p_cb,UNUSED_ATTR tSMP_INT_DATA * p_data)231 void smp_generate_stk(tSMP_CB* p_cb, UNUSED_ATTR tSMP_INT_DATA* p_data) {
232 tSMP_ENC output;
233 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN;
234
235 SMP_TRACE_DEBUG("%s", __func__);
236
237 if (p_cb->le_secure_connections_mode_is_used) {
238 SMP_TRACE_WARNING("FOR LE SC LTK IS USED INSTEAD OF STK");
239 output.param_len = SMP_ENCRYT_KEY_SIZE;
240 output.status = HCI_SUCCESS;
241 output.opcode = HCI_BLE_ENCRYPT;
242 memcpy(output.param_buf, p_cb->ltk, SMP_ENCRYT_DATA_SIZE);
243 } else if (!smp_calculate_legacy_short_term_key(p_cb, &output)) {
244 SMP_TRACE_ERROR("%s failed", __func__);
245 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &status);
246 return;
247 }
248
249 smp_process_stk(p_cb, &output);
250 }
251
252 /**
253 * This function is called to calculate CSRK
254 */
smp_compute_csrk(uint16_t div,tSMP_CB * p_cb)255 void smp_compute_csrk(uint16_t div, tSMP_CB* p_cb) {
256 BT_OCTET16 er;
257 uint8_t buffer[4]; /* for (r || DIV) r=1*/
258 uint16_t r = 1;
259 uint8_t* p = buffer;
260 tSMP_ENC output;
261 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN;
262
263 p_cb->div = div;
264
265 SMP_TRACE_DEBUG("%s: div=%x", __func__, p_cb->div);
266 BTM_GetDeviceEncRoot(er);
267 /* CSRK = d1(ER, DIV, 1) */
268 UINT16_TO_STREAM(p, p_cb->div);
269 UINT16_TO_STREAM(p, r);
270
271 if (!SMP_Encrypt(er, BT_OCTET16_LEN, buffer, 4, &output)) {
272 SMP_TRACE_ERROR("smp_generate_csrk failed");
273 if (p_cb->smp_over_br) {
274 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &status);
275 } else {
276 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &status);
277 }
278 } else {
279 memcpy((void*)p_cb->csrk, output.param_buf, BT_OCTET16_LEN);
280 smp_send_csrk_info(p_cb, NULL);
281 }
282 }
283
284 /**
285 * This function is called to calculate CSRK, starting with DIV generation.
286 */
smp_generate_csrk(tSMP_CB * p_cb,UNUSED_ATTR tSMP_INT_DATA * p_data)287 void smp_generate_csrk(tSMP_CB* p_cb, UNUSED_ATTR tSMP_INT_DATA* p_data) {
288 bool div_status;
289
290 SMP_TRACE_DEBUG("smp_generate_csrk");
291
292 div_status = btm_get_local_div(p_cb->pairing_bda, &p_cb->div);
293 if (div_status) {
294 smp_compute_csrk(p_cb->div, p_cb);
295 } else {
296 SMP_TRACE_DEBUG("Generate DIV for CSRK");
297 btsnd_hcic_ble_rand(Bind(
298 [](tSMP_CB* p_cb, BT_OCTET8 rand) {
299 uint16_t div;
300 STREAM_TO_UINT16(div, rand);
301 smp_compute_csrk(div, p_cb);
302 },
303 p_cb));
304 }
305 }
306
307 /*******************************************************************************
308 * Function smp_concatenate_peer - LSB first
309 * add pairing command sent from local device into p1.
310 ******************************************************************************/
smp_concatenate_local(tSMP_CB * p_cb,uint8_t ** p_data,uint8_t op_code)311 void smp_concatenate_local(tSMP_CB* p_cb, uint8_t** p_data, uint8_t op_code) {
312 uint8_t* p = *p_data;
313
314 SMP_TRACE_DEBUG("%s", __func__);
315 UINT8_TO_STREAM(p, op_code);
316 UINT8_TO_STREAM(p, p_cb->local_io_capability);
317 UINT8_TO_STREAM(p, p_cb->loc_oob_flag);
318 UINT8_TO_STREAM(p, p_cb->loc_auth_req);
319 UINT8_TO_STREAM(p, p_cb->loc_enc_size);
320 UINT8_TO_STREAM(p, p_cb->local_i_key);
321 UINT8_TO_STREAM(p, p_cb->local_r_key);
322
323 *p_data = p;
324 }
325
326 /*******************************************************************************
327 * Function smp_concatenate_peer - LSB first
328 * add pairing command received from peer device into p1.
329 ******************************************************************************/
smp_concatenate_peer(tSMP_CB * p_cb,uint8_t ** p_data,uint8_t op_code)330 void smp_concatenate_peer(tSMP_CB* p_cb, uint8_t** p_data, uint8_t op_code) {
331 uint8_t* p = *p_data;
332
333 SMP_TRACE_DEBUG("smp_concatenate_peer ");
334 UINT8_TO_STREAM(p, op_code);
335 UINT8_TO_STREAM(p, p_cb->peer_io_caps);
336 UINT8_TO_STREAM(p, p_cb->peer_oob_flag);
337 UINT8_TO_STREAM(p, p_cb->peer_auth_req);
338 UINT8_TO_STREAM(p, p_cb->peer_enc_size);
339 UINT8_TO_STREAM(p, p_cb->peer_i_key);
340 UINT8_TO_STREAM(p, p_cb->peer_r_key);
341
342 *p_data = p;
343 }
344
345 /*******************************************************************************
346 *
347 * Function smp_gen_p1_4_confirm
348 *
349 * Description Generate Confirm/Compare Step1:
350 * p1 = (MSB) pres || preq || rat' || iat' (LSB)
351 * Fill in values LSB first thus
352 * p1 = iat' || rat' || preq || pres
353 *
354 * Returns void
355 *
356 ******************************************************************************/
smp_gen_p1_4_confirm(tSMP_CB * p_cb,tBLE_ADDR_TYPE remote_bd_addr_type,BT_OCTET16 p1)357 void smp_gen_p1_4_confirm(tSMP_CB* p_cb, tBLE_ADDR_TYPE remote_bd_addr_type,
358 BT_OCTET16 p1) {
359 SMP_TRACE_DEBUG("%s", __func__);
360 uint8_t* p = (uint8_t*)p1;
361 if (p_cb->role == HCI_ROLE_MASTER) {
362 /* iat': initiator's (local) address type */
363 UINT8_TO_STREAM(p, p_cb->addr_type);
364 /* rat': responder's (remote) address type */
365 UINT8_TO_STREAM(p, remote_bd_addr_type);
366 /* preq : Pairing Request (local) command */
367 smp_concatenate_local(p_cb, &p, SMP_OPCODE_PAIRING_REQ);
368 /* pres : Pairing Response (remote) command */
369 smp_concatenate_peer(p_cb, &p, SMP_OPCODE_PAIRING_RSP);
370 } else {
371 /* iat': initiator's (remote) address type */
372 UINT8_TO_STREAM(p, remote_bd_addr_type);
373 /* rat': responder's (local) address type */
374 UINT8_TO_STREAM(p, p_cb->addr_type);
375 /* preq : Pairing Request (remote) command */
376 smp_concatenate_peer(p_cb, &p, SMP_OPCODE_PAIRING_REQ);
377 /* pres : Pairing Response (local) command */
378 smp_concatenate_local(p_cb, &p, SMP_OPCODE_PAIRING_RSP);
379 }
380 smp_debug_print_nbyte_little_endian((uint8_t*)p1,
381 "p1 = iat' || rat' || preq || pres", 16);
382 }
383
384 /*******************************************************************************
385 *
386 * Function smp_gen_p2_4_confirm
387 *
388 * Description Generate Confirm/Compare Step2:
389 * p2 = (MSB) padding || ia || ra (LSB)
390 * Fill values LSB first and thus:
391 * p2 = ra || ia || padding
392 *
393 * Returns void
394 *
395 ******************************************************************************/
smp_gen_p2_4_confirm(tSMP_CB * p_cb,const RawAddress & remote_bda,BT_OCTET16 p2)396 void smp_gen_p2_4_confirm(tSMP_CB* p_cb, const RawAddress& remote_bda,
397 BT_OCTET16 p2) {
398 SMP_TRACE_DEBUG("%s", __func__);
399 uint8_t* p = (uint8_t*)p2;
400 /* 32-bit Padding */
401 memset(p, 0, sizeof(BT_OCTET16));
402 if (p_cb->role == HCI_ROLE_MASTER) {
403 /* ra : Responder's (remote) address */
404 BDADDR_TO_STREAM(p, remote_bda);
405 /* ia : Initiator's (local) address */
406 BDADDR_TO_STREAM(p, p_cb->local_bda);
407 } else {
408 /* ra : Responder's (local) address */
409 BDADDR_TO_STREAM(p, p_cb->local_bda);
410 /* ia : Initiator's (remote) address */
411 BDADDR_TO_STREAM(p, remote_bda);
412 }
413 smp_debug_print_nbyte_little_endian(p2, "p2 = ra || ia || padding", 16);
414 }
415
416 /*******************************************************************************
417 *
418 * Function smp_calculate_comfirm
419 *
420 * Description This function (c1) is called to calculate Confirm value.
421 *
422 * Returns tSMP_STATUS status of confirmation calculation
423 *
424 ******************************************************************************/
smp_calculate_comfirm(tSMP_CB * p_cb,BT_OCTET16 rand,tSMP_ENC * output)425 tSMP_STATUS smp_calculate_comfirm(tSMP_CB* p_cb, BT_OCTET16 rand,
426 tSMP_ENC* output) {
427 SMP_TRACE_DEBUG("%s", __func__);
428 RawAddress remote_bda;
429 tBLE_ADDR_TYPE remote_bd_addr_type = 0;
430 /* get remote connection specific bluetooth address */
431 if (!BTM_ReadRemoteConnectionAddr(p_cb->pairing_bda, remote_bda,
432 &remote_bd_addr_type)) {
433 SMP_TRACE_ERROR("%s: cannot obtain remote device address", __func__);
434 return SMP_PAIR_FAIL_UNKNOWN;
435 }
436 /* get local connection specific bluetooth address */
437 BTM_ReadConnectionAddr(p_cb->pairing_bda, p_cb->local_bda, &p_cb->addr_type);
438 /* generate p1 = pres || preq || rat' || iat' */
439 BT_OCTET16 p1;
440 smp_gen_p1_4_confirm(p_cb, remote_bd_addr_type, p1);
441 /* p1' = rand XOR p1 */
442 smp_xor_128(p1, rand);
443 smp_debug_print_nbyte_little_endian((uint8_t*)p1, "p1' = p1 XOR r", 16);
444 /* calculate e1 = e(k, p1'), where k = TK */
445 smp_debug_print_nbyte_little_endian(p_cb->tk, "TK", 16);
446 memset(output, 0, sizeof(tSMP_ENC));
447 if (!SMP_Encrypt(p_cb->tk, BT_OCTET16_LEN, p1, BT_OCTET16_LEN, output)) {
448 SMP_TRACE_ERROR("%s: failed encryption at e1 = e(k, p1')");
449 return SMP_PAIR_FAIL_UNKNOWN;
450 }
451 smp_debug_print_nbyte_little_endian(output->param_buf, "e1 = e(k, p1')", 16);
452 /* generate p2 = padding || ia || ra */
453 BT_OCTET16 p2;
454 smp_gen_p2_4_confirm(p_cb, remote_bda, p2);
455 /* calculate p2' = (p2 XOR e1) */
456 smp_xor_128(p2, output->param_buf);
457 smp_debug_print_nbyte_little_endian((uint8_t*)p2, "p2' = p2 XOR e1", 16);
458 /* calculate: c1 = e(k, p2') */
459 memset(output, 0, sizeof(tSMP_ENC));
460 if (!SMP_Encrypt(p_cb->tk, BT_OCTET16_LEN, p2, BT_OCTET16_LEN, output)) {
461 SMP_TRACE_ERROR("%s: failed encryption at e1 = e(k, p2')");
462 return SMP_PAIR_FAIL_UNKNOWN;
463 }
464 return SMP_SUCCESS;
465 }
466
467 /*******************************************************************************
468 *
469 * Function smp_generate_confirm
470 *
471 * Description This function is called when random number (MRand or SRand)
472 * is generated by the controller and the stack needs to
473 * calculate c1 value (MConfirm or SConfirm) for the first time
474 *
475 * Returns void
476 *
477 ******************************************************************************/
smp_generate_confirm(tSMP_CB * p_cb)478 static void smp_generate_confirm(tSMP_CB* p_cb) {
479 SMP_TRACE_DEBUG("%s", __func__);
480 smp_debug_print_nbyte_little_endian((uint8_t*)p_cb->rand, "local_rand", 16);
481 tSMP_ENC output;
482 tSMP_STATUS status = smp_calculate_comfirm(p_cb, p_cb->rand, &output);
483 if (status != SMP_SUCCESS) {
484 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &status);
485 return;
486 }
487 tSMP_KEY key;
488 memcpy(p_cb->confirm, output.param_buf, BT_OCTET16_LEN);
489 smp_debug_print_nbyte_little_endian(p_cb->confirm, "Local Confirm generated",
490 16);
491 key.key_type = SMP_KEY_TYPE_CFM;
492 key.p_data = output.param_buf;
493 smp_sm_event(p_cb, SMP_KEY_READY_EVT, &key);
494 }
495
496 /*******************************************************************************
497 *
498 * Function smp_generate_srand_mrand_confirm
499 *
500 * Description This function is called to start the second pairing phase by
501 * start generating random number.
502 *
503 *
504 * Returns void
505 *
506 ******************************************************************************/
smp_generate_srand_mrand_confirm(tSMP_CB * p_cb,UNUSED_ATTR tSMP_INT_DATA * p_data)507 void smp_generate_srand_mrand_confirm(tSMP_CB* p_cb,
508 UNUSED_ATTR tSMP_INT_DATA* p_data) {
509 SMP_TRACE_DEBUG("%s", __func__);
510 /* generate MRand or SRand */
511 btsnd_hcic_ble_rand(Bind(
512 [](tSMP_CB* p_cb, BT_OCTET8 rand) {
513 memcpy((void*)p_cb->rand, rand, 8);
514
515 /* generate 64 MSB of MRand or SRand */
516 btsnd_hcic_ble_rand(Bind(
517 [](tSMP_CB* p_cb, BT_OCTET8 rand) {
518 memcpy((void*)&p_cb->rand[8], rand, BT_OCTET8_LEN);
519 smp_generate_confirm(p_cb);
520 },
521 p_cb));
522 },
523 p_cb));
524 }
525
526 /*******************************************************************************
527 *
528 * Function smp_generate_compare
529 *
530 * Description This function is called when random number (MRand or SRand)
531 * is received from remote device and the c1 value (MConfirm
532 * or SConfirm) needs to be generated to authenticate remote
533 * device.
534 *
535 * Returns void
536 *
537 ******************************************************************************/
smp_generate_compare(tSMP_CB * p_cb,UNUSED_ATTR tSMP_INT_DATA * p_data)538 void smp_generate_compare(tSMP_CB* p_cb, UNUSED_ATTR tSMP_INT_DATA* p_data) {
539 SMP_TRACE_DEBUG("smp_generate_compare ");
540 smp_debug_print_nbyte_little_endian((uint8_t*)p_cb->rrand, "peer rand", 16);
541 tSMP_ENC output;
542 tSMP_STATUS status = smp_calculate_comfirm(p_cb, p_cb->rrand, &output);
543 if (status != SMP_SUCCESS) {
544 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &status);
545 return;
546 }
547 tSMP_KEY key;
548 smp_debug_print_nbyte_little_endian(output.param_buf,
549 "Remote Confirm generated", 16);
550 key.key_type = SMP_KEY_TYPE_CMP;
551 key.p_data = output.param_buf;
552 smp_sm_event(p_cb, SMP_KEY_READY_EVT, &key);
553 }
554
555 /*******************************************************************************
556 *
557 * Function smp_process_stk
558 *
559 * Description This function is called when STK is generated
560 * proceed to send the encrypt the link using STK.
561 *
562 * Returns void
563 *
564 ******************************************************************************/
smp_process_stk(tSMP_CB * p_cb,tSMP_ENC * p)565 static void smp_process_stk(tSMP_CB* p_cb, tSMP_ENC* p) {
566 tSMP_KEY key;
567
568 SMP_TRACE_DEBUG("smp_process_stk ");
569 #if (SMP_DEBUG == TRUE)
570 SMP_TRACE_ERROR("STK Generated");
571 #endif
572 smp_mask_enc_key(p_cb->loc_enc_size, p->param_buf);
573
574 key.key_type = SMP_KEY_TYPE_STK;
575 key.p_data = p->param_buf;
576
577 smp_sm_event(p_cb, SMP_KEY_READY_EVT, &key);
578 }
579
580 /**
581 * This function is to calculate EDIV = Y xor DIV
582 */
smp_process_ediv(tSMP_CB * p_cb,tSMP_ENC * p)583 static void smp_process_ediv(tSMP_CB* p_cb, tSMP_ENC* p) {
584 tSMP_KEY key;
585 uint8_t* pp = p->param_buf;
586 uint16_t y;
587
588 SMP_TRACE_DEBUG("smp_process_ediv ");
589 STREAM_TO_UINT16(y, pp);
590
591 /* EDIV = Y xor DIV */
592 p_cb->ediv = p_cb->div ^ y;
593 /* send LTK ready */
594 SMP_TRACE_ERROR("LTK ready");
595 key.key_type = SMP_KEY_TYPE_LTK;
596 key.p_data = p->param_buf;
597
598 smp_sm_event(p_cb, SMP_KEY_READY_EVT, &key);
599 }
600
601 /**
602 * This function is to proceed generate Y = E(DHK, Rand)
603 */
smp_generate_y(tSMP_CB * p_cb,BT_OCTET8 rand)604 static void smp_generate_y(tSMP_CB* p_cb, BT_OCTET8 rand) {
605 SMP_TRACE_DEBUG("%s ", __func__);
606
607 BT_OCTET16 dhk;
608 BTM_GetDeviceDHK(dhk);
609
610 memcpy(p_cb->enc_rand, rand, BT_OCTET8_LEN);
611 tSMP_ENC output;
612 if (!SMP_Encrypt(dhk, BT_OCTET16_LEN, rand, BT_OCTET8_LEN, &output)) {
613 SMP_TRACE_ERROR("%s failed", __func__);
614 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN;
615 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &status);
616 } else {
617 smp_process_ediv(p_cb, &output);
618 }
619 }
620
621 /**
622 * Calculate LTK = d1(ER, DIV, 0)= e(ER, DIV)
623 */
smp_generate_ltk_cont(uint16_t div,tSMP_CB * p_cb)624 static void smp_generate_ltk_cont(uint16_t div, tSMP_CB* p_cb) {
625 p_cb->div = div;
626
627 SMP_TRACE_DEBUG("%s", __func__);
628 BT_OCTET16 er;
629 BTM_GetDeviceEncRoot(er);
630
631 tSMP_ENC output;
632 /* LTK = d1(ER, DIV, 0)= e(ER, DIV)*/
633 if (!SMP_Encrypt(er, BT_OCTET16_LEN, (uint8_t*)&p_cb->div, sizeof(uint16_t),
634 &output)) {
635 SMP_TRACE_ERROR("%s failed", __func__);
636 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN;
637 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &status);
638 } else {
639 /* mask the LTK */
640 smp_mask_enc_key(p_cb->loc_enc_size, output.param_buf);
641 memcpy((void*)p_cb->ltk, output.param_buf, BT_OCTET16_LEN);
642
643 /* generate EDIV and rand now */
644 btsnd_hcic_ble_rand(Bind(&smp_generate_y, p_cb));
645 }
646 }
647
648 /*******************************************************************************
649 *
650 * Function smp_generate_ltk
651 *
652 * Description This function is called:
653 * - in legacy pairing - to calculate LTK, starting with DIV
654 * generation;
655 * - in LE Secure Connections pairing over LE transport - to
656 * process LTK already generated to encrypt LE link;
657 * - in LE Secure Connections pairing over BR/EDR transport -
658 * to start BR/EDR Link Key processing.
659 *
660 * Returns void
661 *
662 ******************************************************************************/
smp_generate_ltk(tSMP_CB * p_cb,UNUSED_ATTR tSMP_INT_DATA * p_data)663 void smp_generate_ltk(tSMP_CB* p_cb, UNUSED_ATTR tSMP_INT_DATA* p_data) {
664 SMP_TRACE_DEBUG("%s", __func__);
665
666 if (smp_get_br_state() == SMP_BR_STATE_BOND_PENDING) {
667 smp_br_process_link_key(p_cb, NULL);
668 return;
669 } else if (p_cb->le_secure_connections_mode_is_used) {
670 smp_process_secure_connection_long_term_key();
671 return;
672 }
673
674 bool div_status = btm_get_local_div(p_cb->pairing_bda, &p_cb->div);
675
676 if (div_status) {
677 smp_generate_ltk_cont(p_cb->div, p_cb);
678 } else {
679 SMP_TRACE_DEBUG("%s: Generate DIV for LTK", __func__);
680
681 /* generate MRand or SRand */
682 btsnd_hcic_ble_rand(Bind(
683 [](tSMP_CB* p_cb, BT_OCTET8 rand) {
684 uint16_t div;
685 STREAM_TO_UINT16(div, rand);
686 smp_generate_ltk_cont(div, p_cb);
687 },
688 p_cb));
689 }
690 }
691
692 /*******************************************************************************
693 *
694 * Function smp_calculate_legacy_short_term_key
695 *
696 * Description The function calculates legacy STK.
697 *
698 * Returns false if out of resources, true in other cases.
699 *
700 ******************************************************************************/
smp_calculate_legacy_short_term_key(tSMP_CB * p_cb,tSMP_ENC * output)701 bool smp_calculate_legacy_short_term_key(tSMP_CB* p_cb, tSMP_ENC* output) {
702 SMP_TRACE_DEBUG("%s", __func__);
703
704 BT_OCTET16 ptext;
705 uint8_t* p = ptext;
706 memset(p, 0, BT_OCTET16_LEN);
707 if (p_cb->role == HCI_ROLE_MASTER) {
708 memcpy(p, p_cb->rand, BT_OCTET8_LEN);
709 memcpy(&p[BT_OCTET8_LEN], p_cb->rrand, BT_OCTET8_LEN);
710 } else {
711 memcpy(p, p_cb->rrand, BT_OCTET8_LEN);
712 memcpy(&p[BT_OCTET8_LEN], p_cb->rand, BT_OCTET8_LEN);
713 }
714
715 /* generate STK = Etk(rand|rrand)*/
716 bool encrypted =
717 SMP_Encrypt(p_cb->tk, BT_OCTET16_LEN, ptext, BT_OCTET16_LEN, output);
718 if (!encrypted) {
719 SMP_TRACE_ERROR("%s failed", __func__);
720 }
721 return encrypted;
722 }
723
724 /*******************************************************************************
725 *
726 * Function smp_create_private_key
727 *
728 * Description This function is called to create private key used to
729 * calculate public key and DHKey.
730 * The function starts private key creation requesting
731 * for the controller to generate [0-7] octets of private key.
732 *
733 * Returns void
734 *
735 ******************************************************************************/
smp_create_private_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)736 void smp_create_private_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
737 SMP_TRACE_DEBUG("%s", __func__);
738
739 btsnd_hcic_ble_rand(Bind(
740 [](tSMP_CB* p_cb, BT_OCTET8 rand) {
741 memcpy((void*)p_cb->private_key, rand, BT_OCTET8_LEN);
742 btsnd_hcic_ble_rand(Bind(
743 [](tSMP_CB* p_cb, BT_OCTET8 rand) {
744 memcpy((void*)&p_cb->private_key[8], rand, BT_OCTET8_LEN);
745 btsnd_hcic_ble_rand(Bind(
746 [](tSMP_CB* p_cb, BT_OCTET8 rand) {
747 memcpy((void*)&p_cb->private_key[16], rand, BT_OCTET8_LEN);
748 btsnd_hcic_ble_rand(Bind(
749 [](tSMP_CB* p_cb, BT_OCTET8 rand) {
750 memcpy((void*)&p_cb->private_key[24], rand,
751 BT_OCTET8_LEN);
752 smp_process_private_key(p_cb);
753 },
754 p_cb));
755 },
756 p_cb));
757 },
758 p_cb));
759 },
760 p_cb));
761 }
762
763 /*******************************************************************************
764 *
765 * Function smp_use_oob_private_key
766 *
767 * Description This function is called
768 * - to save the secret key used to calculate the public key
769 * used in calculations of commitment sent OOB to a peer
770 * - to use this secret key to recalculate the public key and
771 * start the process of sending this public key to the peer
772 * if secret/public keys have to be reused.
773 * If the keys aren't supposed to be reused, continue from the
774 * point from which request for OOB data was issued.
775 *
776 * Returns void
777 *
778 ******************************************************************************/
smp_use_oob_private_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)779 void smp_use_oob_private_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
780 SMP_TRACE_DEBUG("%s req_oob_type: %d, role: %d", __func__, p_cb->req_oob_type,
781 p_cb->role);
782
783 switch (p_cb->req_oob_type) {
784 case SMP_OOB_BOTH:
785 case SMP_OOB_LOCAL:
786 SMP_TRACE_DEBUG("%s restore secret key", __func__)
787 memcpy(p_cb->private_key, p_cb->sc_oob_data.loc_oob_data.private_key_used,
788 BT_OCTET32_LEN);
789 smp_process_private_key(p_cb);
790 break;
791 default:
792 SMP_TRACE_DEBUG("%s create secret key anew", __func__);
793 smp_set_state(SMP_STATE_PAIR_REQ_RSP);
794 smp_decide_association_model(p_cb, NULL);
795 break;
796 }
797 }
798
799 /*******************************************************************************
800 *
801 * Function smp_process_private_key
802 *
803 * Description This function processes private key.
804 * It calculates public key and notifies SM that private key /
805 * public key pair is created.
806 *
807 * Returns void
808 *
809 ******************************************************************************/
smp_process_private_key(tSMP_CB * p_cb)810 void smp_process_private_key(tSMP_CB* p_cb) {
811 Point public_key;
812 BT_OCTET32 private_key;
813
814 SMP_TRACE_DEBUG("%s", __func__);
815
816 memcpy(private_key, p_cb->private_key, BT_OCTET32_LEN);
817 ECC_PointMult(&public_key, &(curve_p256.G), (uint32_t*)private_key,
818 KEY_LENGTH_DWORDS_P256);
819 memcpy(p_cb->loc_publ_key.x, public_key.x, BT_OCTET32_LEN);
820 memcpy(p_cb->loc_publ_key.y, public_key.y, BT_OCTET32_LEN);
821
822 smp_debug_print_nbyte_little_endian(p_cb->private_key, "private",
823 BT_OCTET32_LEN);
824 smp_debug_print_nbyte_little_endian(p_cb->loc_publ_key.x, "local public(x)",
825 BT_OCTET32_LEN);
826 smp_debug_print_nbyte_little_endian(p_cb->loc_publ_key.y, "local public(y)",
827 BT_OCTET32_LEN);
828 p_cb->flags |= SMP_PAIR_FLAG_HAVE_LOCAL_PUBL_KEY;
829 smp_sm_event(p_cb, SMP_LOC_PUBL_KEY_CRTD_EVT, NULL);
830 }
831
832 /*******************************************************************************
833 *
834 * Function smp_compute_dhkey
835 *
836 * Description The function:
837 * - calculates a new public key using as input local private
838 * key and peer public key;
839 * - saves the new public key x-coordinate as DHKey.
840 *
841 * Returns void
842 *
843 ******************************************************************************/
smp_compute_dhkey(tSMP_CB * p_cb)844 void smp_compute_dhkey(tSMP_CB* p_cb) {
845 Point peer_publ_key, new_publ_key;
846 BT_OCTET32 private_key;
847
848 SMP_TRACE_DEBUG("%s", __func__);
849
850 memcpy(private_key, p_cb->private_key, BT_OCTET32_LEN);
851 memcpy(peer_publ_key.x, p_cb->peer_publ_key.x, BT_OCTET32_LEN);
852 memcpy(peer_publ_key.y, p_cb->peer_publ_key.y, BT_OCTET32_LEN);
853
854 ECC_PointMult(&new_publ_key, &peer_publ_key, (uint32_t*)private_key,
855 KEY_LENGTH_DWORDS_P256);
856
857 memcpy(p_cb->dhkey, new_publ_key.x, BT_OCTET32_LEN);
858
859 smp_debug_print_nbyte_little_endian(p_cb->dhkey, "Old DHKey", BT_OCTET32_LEN);
860
861 smp_debug_print_nbyte_little_endian(p_cb->private_key, "private",
862 BT_OCTET32_LEN);
863 smp_debug_print_nbyte_little_endian(p_cb->peer_publ_key.x, "rem public(x)",
864 BT_OCTET32_LEN);
865 smp_debug_print_nbyte_little_endian(p_cb->peer_publ_key.y, "rem public(y)",
866 BT_OCTET32_LEN);
867 smp_debug_print_nbyte_little_endian(p_cb->dhkey, "Reverted DHKey",
868 BT_OCTET32_LEN);
869 }
870
871 /*******************************************************************************
872 *
873 * Function smp_calculate_local_commitment
874 *
875 * Description The function calculates and saves local commmitment in CB.
876 *
877 * Returns void
878 *
879 ******************************************************************************/
smp_calculate_local_commitment(tSMP_CB * p_cb)880 void smp_calculate_local_commitment(tSMP_CB* p_cb) {
881 uint8_t random_input;
882
883 SMP_TRACE_DEBUG("%s", __func__);
884
885 switch (p_cb->selected_association_model) {
886 case SMP_MODEL_SEC_CONN_JUSTWORKS:
887 case SMP_MODEL_SEC_CONN_NUM_COMP:
888 if (p_cb->role == HCI_ROLE_MASTER)
889 SMP_TRACE_WARNING(
890 "local commitment calc on master is not expected "
891 "for Just Works/Numeric Comparison models");
892 smp_calculate_f4(p_cb->loc_publ_key.x, p_cb->peer_publ_key.x, p_cb->rand,
893 0, p_cb->commitment);
894 break;
895 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
896 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
897 random_input =
898 smp_calculate_random_input(p_cb->local_random, p_cb->round);
899 smp_calculate_f4(p_cb->loc_publ_key.x, p_cb->peer_publ_key.x, p_cb->rand,
900 random_input, p_cb->commitment);
901 break;
902 case SMP_MODEL_SEC_CONN_OOB:
903 SMP_TRACE_WARNING(
904 "local commitment calc is expected for OOB model BEFORE pairing");
905 smp_calculate_f4(p_cb->loc_publ_key.x, p_cb->loc_publ_key.x,
906 p_cb->local_random, 0, p_cb->commitment);
907 break;
908 default:
909 SMP_TRACE_ERROR("Association Model = %d is not used in LE SC",
910 p_cb->selected_association_model);
911 return;
912 }
913
914 SMP_TRACE_EVENT("local commitment calculation is completed");
915 }
916
917 /*******************************************************************************
918 *
919 * Function smp_calculate_peer_commitment
920 *
921 * Description The function calculates and saves peer commmitment at the
922 * provided output buffer.
923 *
924 * Returns void
925 *
926 ******************************************************************************/
smp_calculate_peer_commitment(tSMP_CB * p_cb,BT_OCTET16 output_buf)927 void smp_calculate_peer_commitment(tSMP_CB* p_cb, BT_OCTET16 output_buf) {
928 uint8_t ri;
929
930 SMP_TRACE_DEBUG("%s", __func__);
931
932 switch (p_cb->selected_association_model) {
933 case SMP_MODEL_SEC_CONN_JUSTWORKS:
934 case SMP_MODEL_SEC_CONN_NUM_COMP:
935 if (p_cb->role == HCI_ROLE_SLAVE)
936 SMP_TRACE_WARNING(
937 "peer commitment calc on slave is not expected "
938 "for Just Works/Numeric Comparison models");
939 smp_calculate_f4(p_cb->peer_publ_key.x, p_cb->loc_publ_key.x, p_cb->rrand,
940 0, output_buf);
941 break;
942 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
943 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
944 ri = smp_calculate_random_input(p_cb->peer_random, p_cb->round);
945 smp_calculate_f4(p_cb->peer_publ_key.x, p_cb->loc_publ_key.x, p_cb->rrand,
946 ri, output_buf);
947 break;
948 case SMP_MODEL_SEC_CONN_OOB:
949 smp_calculate_f4(p_cb->peer_publ_key.x, p_cb->peer_publ_key.x,
950 p_cb->peer_random, 0, output_buf);
951 break;
952 default:
953 SMP_TRACE_ERROR("Association Model = %d is not used in LE SC",
954 p_cb->selected_association_model);
955 return;
956 }
957
958 SMP_TRACE_EVENT("peer commitment calculation is completed");
959 }
960
961 /*******************************************************************************
962 *
963 * Function smp_calculate_f4
964 *
965 * Description The function calculates
966 * C = f4(U, V, X, Z) = AES-CMAC (U||V||Z)
967 * X
968 * where
969 * input: U is 256 bit,
970 * V is 256 bit,
971 * X is 128 bit,
972 * Z is 8 bit,
973 * output: C is 128 bit.
974 *
975 * Returns void
976 *
977 * Note The LSB is the first octet, the MSB is the last octet of
978 * the AES-CMAC input/output stream.
979 *
980 ******************************************************************************/
smp_calculate_f4(uint8_t * u,uint8_t * v,uint8_t * x,uint8_t z,uint8_t * c)981 void smp_calculate_f4(uint8_t* u, uint8_t* v, uint8_t* x, uint8_t z,
982 uint8_t* c) {
983 uint8_t msg_len = BT_OCTET32_LEN /* U size */ + BT_OCTET32_LEN /* V size */ +
984 1 /* Z size */;
985 uint8_t msg[BT_OCTET32_LEN + BT_OCTET32_LEN + 1];
986 uint8_t key[BT_OCTET16_LEN];
987 uint8_t cmac[BT_OCTET16_LEN];
988 uint8_t* p = NULL;
989 #if (SMP_DEBUG == TRUE)
990 uint8_t* p_prnt = NULL;
991 #endif
992
993 SMP_TRACE_DEBUG("%s", __func__);
994
995 #if (SMP_DEBUG == TRUE)
996 p_prnt = u;
997 smp_debug_print_nbyte_little_endian(p_prnt, "U", BT_OCTET32_LEN);
998 p_prnt = v;
999 smp_debug_print_nbyte_little_endian(p_prnt, "V", BT_OCTET32_LEN);
1000 p_prnt = x;
1001 smp_debug_print_nbyte_little_endian(p_prnt, "X", BT_OCTET16_LEN);
1002 p_prnt = &z;
1003 smp_debug_print_nbyte_little_endian(p_prnt, "Z", 1);
1004 #endif
1005
1006 p = msg;
1007 UINT8_TO_STREAM(p, z);
1008 ARRAY_TO_STREAM(p, v, BT_OCTET32_LEN);
1009 ARRAY_TO_STREAM(p, u, BT_OCTET32_LEN);
1010 #if (SMP_DEBUG == TRUE)
1011 p_prnt = msg;
1012 smp_debug_print_nbyte_little_endian(p_prnt, "M", msg_len);
1013 #endif
1014
1015 p = key;
1016 ARRAY_TO_STREAM(p, x, BT_OCTET16_LEN);
1017 #if (SMP_DEBUG == TRUE)
1018 p_prnt = key;
1019 smp_debug_print_nbyte_little_endian(p_prnt, "K", BT_OCTET16_LEN);
1020 #endif
1021
1022 aes_cipher_msg_auth_code(key, msg, msg_len, BT_OCTET16_LEN, cmac);
1023 #if (SMP_DEBUG == TRUE)
1024 p_prnt = cmac;
1025 smp_debug_print_nbyte_little_endian(p_prnt, "AES_CMAC", BT_OCTET16_LEN);
1026 #endif
1027
1028 p = c;
1029 ARRAY_TO_STREAM(p, cmac, BT_OCTET16_LEN);
1030 }
1031
1032 /*******************************************************************************
1033 *
1034 * Function smp_calculate_numeric_comparison_display_number
1035 *
1036 * Description The function calculates and saves number to display in
1037 * numeric comparison association mode.
1038 *
1039 * Returns void
1040 *
1041 ******************************************************************************/
smp_calculate_numeric_comparison_display_number(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1042 void smp_calculate_numeric_comparison_display_number(tSMP_CB* p_cb,
1043 tSMP_INT_DATA* p_data) {
1044 SMP_TRACE_DEBUG("%s", __func__);
1045
1046 if (p_cb->role == HCI_ROLE_MASTER) {
1047 p_cb->number_to_display = smp_calculate_g2(
1048 p_cb->loc_publ_key.x, p_cb->peer_publ_key.x, p_cb->rand, p_cb->rrand);
1049 } else {
1050 p_cb->number_to_display = smp_calculate_g2(
1051 p_cb->peer_publ_key.x, p_cb->loc_publ_key.x, p_cb->rrand, p_cb->rand);
1052 }
1053
1054 if (p_cb->number_to_display >= (BTM_MAX_PASSKEY_VAL + 1)) {
1055 uint8_t reason;
1056 reason = p_cb->failure = SMP_PAIR_FAIL_UNKNOWN;
1057 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1058 return;
1059 }
1060
1061 SMP_TRACE_EVENT("Number to display in numeric comparison = %d",
1062 p_cb->number_to_display);
1063 p_cb->cb_evt = SMP_NC_REQ_EVT;
1064 smp_sm_event(p_cb, SMP_SC_DSPL_NC_EVT, &p_cb->number_to_display);
1065 return;
1066 }
1067
1068 /*******************************************************************************
1069 *
1070 * Function smp_calculate_g2
1071 *
1072 * Description The function calculates
1073 * g2(U, V, X, Y) = AES-CMAC (U||V||Y) mod 2**32 mod 10**6
1074 * X
1075 * and
1076 * Vres = g2(U, V, X, Y) mod 10**6
1077 * where
1078 * input: U is 256 bit,
1079 * V is 256 bit,
1080 * X is 128 bit,
1081 * Y is 128 bit,
1082 *
1083 * Returns Vres.
1084 * Expected value has to be in the range [0 - 999999] i.e.
1085 * [0 - 0xF423F].
1086 * Vres = 1000000 means that the calculation fails.
1087 *
1088 * Note The LSB is the first octet, the MSB is the last octet of
1089 * the AES-CMAC input/output stream.
1090 *
1091 ******************************************************************************/
smp_calculate_g2(uint8_t * u,uint8_t * v,uint8_t * x,uint8_t * y)1092 uint32_t smp_calculate_g2(uint8_t* u, uint8_t* v, uint8_t* x, uint8_t* y) {
1093 uint8_t msg_len = BT_OCTET32_LEN /* U size */ + BT_OCTET32_LEN /* V size */
1094 + BT_OCTET16_LEN /* Y size */;
1095 uint8_t msg[BT_OCTET32_LEN + BT_OCTET32_LEN + BT_OCTET16_LEN];
1096 uint8_t key[BT_OCTET16_LEN];
1097 uint8_t cmac[BT_OCTET16_LEN];
1098 uint8_t* p = NULL;
1099 uint32_t vres;
1100 #if (SMP_DEBUG == TRUE)
1101 uint8_t* p_prnt = NULL;
1102 #endif
1103
1104 SMP_TRACE_DEBUG("%s", __func__);
1105
1106 p = msg;
1107 ARRAY_TO_STREAM(p, y, BT_OCTET16_LEN);
1108 ARRAY_TO_STREAM(p, v, BT_OCTET32_LEN);
1109 ARRAY_TO_STREAM(p, u, BT_OCTET32_LEN);
1110 #if (SMP_DEBUG == TRUE)
1111 p_prnt = u;
1112 smp_debug_print_nbyte_little_endian(p_prnt, "U", BT_OCTET32_LEN);
1113 p_prnt = v;
1114 smp_debug_print_nbyte_little_endian(p_prnt, "V", BT_OCTET32_LEN);
1115 p_prnt = x;
1116 smp_debug_print_nbyte_little_endian(p_prnt, "X", BT_OCTET16_LEN);
1117 p_prnt = y;
1118 smp_debug_print_nbyte_little_endian(p_prnt, "Y", BT_OCTET16_LEN);
1119 #endif
1120
1121 p = key;
1122 ARRAY_TO_STREAM(p, x, BT_OCTET16_LEN);
1123 #if (SMP_DEBUG == TRUE)
1124 p_prnt = key;
1125 smp_debug_print_nbyte_little_endian(p_prnt, "K", BT_OCTET16_LEN);
1126 #endif
1127
1128 if (!aes_cipher_msg_auth_code(key, msg, msg_len, BT_OCTET16_LEN, cmac)) {
1129 SMP_TRACE_ERROR("%s failed", __func__);
1130 return (BTM_MAX_PASSKEY_VAL + 1);
1131 }
1132
1133 #if (SMP_DEBUG == TRUE)
1134 p_prnt = cmac;
1135 smp_debug_print_nbyte_little_endian(p_prnt, "AES-CMAC", BT_OCTET16_LEN);
1136 #endif
1137
1138 /* vres = cmac mod 2**32 mod 10**6 */
1139 p = &cmac[0];
1140 STREAM_TO_UINT32(vres, p);
1141 #if (SMP_DEBUG == TRUE)
1142 p_prnt = (uint8_t*)&vres;
1143 smp_debug_print_nbyte_little_endian(p_prnt, "cmac mod 2**32", 4);
1144 #endif
1145
1146 while (vres > BTM_MAX_PASSKEY_VAL) vres -= (BTM_MAX_PASSKEY_VAL + 1);
1147 #if (SMP_DEBUG == TRUE)
1148 p_prnt = (uint8_t*)&vres;
1149 smp_debug_print_nbyte_little_endian(p_prnt, "cmac mod 2**32 mod 10**6", 4);
1150 #endif
1151
1152 SMP_TRACE_ERROR("Value for numeric comparison = %d", vres);
1153 return vres;
1154 }
1155
1156 /*******************************************************************************
1157 *
1158 * Function smp_calculate_f5
1159 *
1160 * Description The function provides two AES-CMAC that are supposed to be
1161 * used as
1162 * - MacKey (used in pairing DHKey check calculation);
1163 * - LTK (used to ecrypt the link after completion of Phase 2
1164 * and on reconnection, to derive BR/EDR LK).
1165 * The function inputs are W, N1, N2, A1, A2.
1166 * F5 rules:
1167 * - the value used as key in MacKey/LTK (T) is calculated
1168 * (function smp_calculate_f5_key(...));
1169 * The formula is:
1170 * T = AES-CMAC (W)
1171 * salt
1172 * where salt is internal parameter of
1173 * smp_calculate_f5_key(...).
1174 * - MacKey and LTK are calculated as AES-MAC values received
1175 * with the key T calculated in the previous step and the
1176 * plaintext message built from the external parameters N1,
1177 * N2, A1, A2 and the internal parameters counter, keyID,
1178 * length.
1179 * The function smp_calculate_f5_mackey_or_long_term_key(...)
1180 * is used in the calculations.
1181 * The same formula is used in calculation of MacKey and LTK
1182 * and the same parameter values except the value of the
1183 * internal parameter counter:
1184 * - in MacKey calculations the value is 0;
1185 * - in LTK calculations the value is 1.
1186 * MacKey =
1187 * AES-CMAC (Counter=0||keyID||N1||N2||A1||A2||Length=256)
1188 * T
1189 * LTK =
1190 * AES-CMAC (Counter=1||keyID||N1||N2||A1||A2||Length=256)
1191 * T
1192 * The parameters are
1193 * input:
1194 * W is 256 bits,
1195 * N1 is 128 bits,
1196 * N2 is 128 bits,
1197 * A1 is 56 bit,
1198 * A2 is 56 bit.
1199 * internal:
1200 * Counter is 8 bits, its value is 0 for MacKey,
1201 * 1 for LTK;
1202 * KeyId is 32 bits, its value is
1203 * 0x62746c65 (MSB~LSB);
1204 * Length is 16 bits, its value is 0x0100
1205 * (MSB~LSB).
1206 * output:
1207 * MacKey is 128 bits;
1208 * LTK is 128 bits
1209 *
1210 * Returns false if out of resources, true in other cases.
1211 *
1212 * Note The LSB is the first octet, the MSB is the last octet of
1213 * the AES-CMAC input/output stream.
1214 *
1215 ******************************************************************************/
smp_calculate_f5(uint8_t * w,uint8_t * n1,uint8_t * n2,uint8_t * a1,uint8_t * a2,uint8_t * mac_key,uint8_t * ltk)1216 bool smp_calculate_f5(uint8_t* w, uint8_t* n1, uint8_t* n2, uint8_t* a1,
1217 uint8_t* a2, uint8_t* mac_key, uint8_t* ltk) {
1218 BT_OCTET16 t; /* AES-CMAC output in smp_calculate_f5_key(...), key in */
1219 /* smp_calculate_f5_mackey_or_long_term_key(...) */
1220 #if (SMP_DEBUG == TRUE)
1221 uint8_t* p_prnt = NULL;
1222 #endif
1223 /* internal parameters: */
1224
1225 /*
1226 counter is 0 for MacKey,
1227 is 1 for LTK
1228 */
1229 uint8_t counter_mac_key[1] = {0};
1230 uint8_t counter_ltk[1] = {1};
1231 /*
1232 keyID 62746c65
1233 */
1234 uint8_t key_id[4] = {0x65, 0x6c, 0x74, 0x62};
1235 /*
1236 length 0100
1237 */
1238 uint8_t length[2] = {0x00, 0x01};
1239
1240 SMP_TRACE_DEBUG("%s", __func__);
1241 #if (SMP_DEBUG == TRUE)
1242 p_prnt = w;
1243 smp_debug_print_nbyte_little_endian(p_prnt, "W", BT_OCTET32_LEN);
1244 p_prnt = n1;
1245 smp_debug_print_nbyte_little_endian(p_prnt, "N1", BT_OCTET16_LEN);
1246 p_prnt = n2;
1247 smp_debug_print_nbyte_little_endian(p_prnt, "N2", BT_OCTET16_LEN);
1248 p_prnt = a1;
1249 smp_debug_print_nbyte_little_endian(p_prnt, "A1", 7);
1250 p_prnt = a2;
1251 smp_debug_print_nbyte_little_endian(p_prnt, "A2", 7);
1252 #endif
1253
1254 if (!smp_calculate_f5_key(w, t)) {
1255 SMP_TRACE_ERROR("%s failed to calc T", __func__);
1256 return false;
1257 }
1258 #if (SMP_DEBUG == TRUE)
1259 p_prnt = t;
1260 smp_debug_print_nbyte_little_endian(p_prnt, "T", BT_OCTET16_LEN);
1261 #endif
1262
1263 if (!smp_calculate_f5_mackey_or_long_term_key(t, counter_mac_key, key_id, n1,
1264 n2, a1, a2, length, mac_key)) {
1265 SMP_TRACE_ERROR("%s failed to calc MacKey", __func__);
1266 return false;
1267 }
1268 #if (SMP_DEBUG == TRUE)
1269 p_prnt = mac_key;
1270 smp_debug_print_nbyte_little_endian(p_prnt, "MacKey", BT_OCTET16_LEN);
1271 #endif
1272
1273 if (!smp_calculate_f5_mackey_or_long_term_key(t, counter_ltk, key_id, n1, n2,
1274 a1, a2, length, ltk)) {
1275 SMP_TRACE_ERROR("%s failed to calc LTK", __func__);
1276 return false;
1277 }
1278 #if (SMP_DEBUG == TRUE)
1279 p_prnt = ltk;
1280 smp_debug_print_nbyte_little_endian(p_prnt, "LTK", BT_OCTET16_LEN);
1281 #endif
1282
1283 return true;
1284 }
1285
1286 /*******************************************************************************
1287 *
1288 * Function smp_calculate_f5_mackey_or_long_term_key
1289 *
1290 * Description The function calculates the value of MacKey or LTK by the
1291 * rules defined for f5 function.
1292 * At the moment exactly the same formula is used to calculate
1293 * LTK and MacKey.
1294 * The difference is the value of input parameter Counter:
1295 * - in MacKey calculations the value is 0;
1296 * - in LTK calculations the value is 1.
1297 * The formula:
1298 * mac = AES-CMAC (Counter||keyID||N1||N2||A1||A2||Length)
1299 * T
1300 * where
1301 * input: T is 256 bits;
1302 * Counter is 8 bits, its value is 0 for MacKey,
1303 * 1 for LTK;
1304 * keyID is 32 bits, its value is 0x62746c65;
1305 * N1 is 128 bits;
1306 * N2 is 128 bits;
1307 * A1 is 56 bits;
1308 * A2 is 56 bits;
1309 * Length is 16 bits, its value is 0x0100
1310 * output: LTK is 128 bit.
1311 *
1312 * Returns false if out of resources, true in other cases.
1313 *
1314 * Note The LSB is the first octet, the MSB is the last octet of
1315 * the AES-CMAC input/output stream.
1316 *
1317 ******************************************************************************/
smp_calculate_f5_mackey_or_long_term_key(uint8_t * t,uint8_t * counter,uint8_t * key_id,uint8_t * n1,uint8_t * n2,uint8_t * a1,uint8_t * a2,uint8_t * length,uint8_t * mac)1318 bool smp_calculate_f5_mackey_or_long_term_key(uint8_t* t, uint8_t* counter,
1319 uint8_t* key_id, uint8_t* n1,
1320 uint8_t* n2, uint8_t* a1,
1321 uint8_t* a2, uint8_t* length,
1322 uint8_t* mac) {
1323 uint8_t* p = NULL;
1324 uint8_t cmac[BT_OCTET16_LEN];
1325 uint8_t key[BT_OCTET16_LEN];
1326 uint8_t msg_len = 1 /* Counter size */ + 4 /* keyID size */ +
1327 BT_OCTET16_LEN /* N1 size */ +
1328 BT_OCTET16_LEN /* N2 size */ + 7 /* A1 size*/ +
1329 7 /* A2 size*/ + 2 /* Length size */;
1330 uint8_t msg[1 + 4 + BT_OCTET16_LEN + BT_OCTET16_LEN + 7 + 7 + 2];
1331 bool ret = true;
1332 #if (SMP_DEBUG == TRUE)
1333 uint8_t* p_prnt = NULL;
1334 #endif
1335
1336 SMP_TRACE_DEBUG("%s", __func__);
1337 #if (SMP_DEBUG == TRUE)
1338 p_prnt = t;
1339 smp_debug_print_nbyte_little_endian(p_prnt, "T", BT_OCTET16_LEN);
1340 p_prnt = counter;
1341 smp_debug_print_nbyte_little_endian(p_prnt, "Counter", 1);
1342 p_prnt = key_id;
1343 smp_debug_print_nbyte_little_endian(p_prnt, "KeyID", 4);
1344 p_prnt = n1;
1345 smp_debug_print_nbyte_little_endian(p_prnt, "N1", BT_OCTET16_LEN);
1346 p_prnt = n2;
1347 smp_debug_print_nbyte_little_endian(p_prnt, "N2", BT_OCTET16_LEN);
1348 p_prnt = a1;
1349 smp_debug_print_nbyte_little_endian(p_prnt, "A1", 7);
1350 p_prnt = a2;
1351 smp_debug_print_nbyte_little_endian(p_prnt, "A2", 7);
1352 p_prnt = length;
1353 smp_debug_print_nbyte_little_endian(p_prnt, "Length", 2);
1354 #endif
1355
1356 p = key;
1357 ARRAY_TO_STREAM(p, t, BT_OCTET16_LEN);
1358 #if (SMP_DEBUG == TRUE)
1359 p_prnt = key;
1360 smp_debug_print_nbyte_little_endian(p_prnt, "K", BT_OCTET16_LEN);
1361 #endif
1362 p = msg;
1363 ARRAY_TO_STREAM(p, length, 2);
1364 ARRAY_TO_STREAM(p, a2, 7);
1365 ARRAY_TO_STREAM(p, a1, 7);
1366 ARRAY_TO_STREAM(p, n2, BT_OCTET16_LEN);
1367 ARRAY_TO_STREAM(p, n1, BT_OCTET16_LEN);
1368 ARRAY_TO_STREAM(p, key_id, 4);
1369 ARRAY_TO_STREAM(p, counter, 1);
1370 #if (SMP_DEBUG == TRUE)
1371 p_prnt = msg;
1372 smp_debug_print_nbyte_little_endian(p_prnt, "M", msg_len);
1373 #endif
1374
1375 if (!aes_cipher_msg_auth_code(key, msg, msg_len, BT_OCTET16_LEN, cmac)) {
1376 SMP_TRACE_ERROR("%s failed", __func__);
1377 ret = false;
1378 }
1379
1380 #if (SMP_DEBUG == TRUE)
1381 p_prnt = cmac;
1382 smp_debug_print_nbyte_little_endian(p_prnt, "AES-CMAC", BT_OCTET16_LEN);
1383 #endif
1384
1385 p = mac;
1386 ARRAY_TO_STREAM(p, cmac, BT_OCTET16_LEN);
1387 return ret;
1388 }
1389
1390 /*******************************************************************************
1391 *
1392 * Function smp_calculate_f5_key
1393 *
1394 * Description The function calculates key T used in calculation of
1395 * MacKey and LTK (f5 output is defined as MacKey || LTK).
1396 * T = AES-CMAC (W)
1397 * salt
1398 * where
1399 * Internal: salt is 128 bit.
1400 * input: W is 256 bit.
1401 * Output: T is 128 bit.
1402 *
1403 * Returns false if out of resources, true in other cases.
1404 *
1405 * Note The LSB is the first octet, the MSB is the last octet of
1406 * the AES-CMAC input/output stream.
1407 *
1408 ******************************************************************************/
smp_calculate_f5_key(uint8_t * w,uint8_t * t)1409 bool smp_calculate_f5_key(uint8_t* w, uint8_t* t) {
1410 uint8_t* p = NULL;
1411 /* Please see 2.2.7 LE Secure Connections Key Generation Function f5 */
1412 /*
1413 salt: 6C88 8391 AAF5 A538 6037 0BDB 5A60 83BE
1414 */
1415 BT_OCTET16 salt = {0xBE, 0x83, 0x60, 0x5A, 0xDB, 0x0B, 0x37, 0x60,
1416 0x38, 0xA5, 0xF5, 0xAA, 0x91, 0x83, 0x88, 0x6C};
1417 #if (SMP_DEBUG == TRUE)
1418 uint8_t* p_prnt = NULL;
1419 #endif
1420
1421 SMP_TRACE_DEBUG("%s", __func__);
1422 #if (SMP_DEBUG == TRUE)
1423 p_prnt = salt;
1424 smp_debug_print_nbyte_little_endian(p_prnt, "salt", BT_OCTET16_LEN);
1425 p_prnt = w;
1426 smp_debug_print_nbyte_little_endian(p_prnt, "W", BT_OCTET32_LEN);
1427 #endif
1428
1429 BT_OCTET16 key;
1430 BT_OCTET32 msg;
1431
1432 p = key;
1433 ARRAY_TO_STREAM(p, salt, BT_OCTET16_LEN);
1434 p = msg;
1435 ARRAY_TO_STREAM(p, w, BT_OCTET32_LEN);
1436 #if (SMP_DEBUG == TRUE)
1437 p_prnt = key;
1438 smp_debug_print_nbyte_little_endian(p_prnt, "K", BT_OCTET16_LEN);
1439 p_prnt = msg;
1440 smp_debug_print_nbyte_little_endian(p_prnt, "M", BT_OCTET32_LEN);
1441 #endif
1442
1443 BT_OCTET16 cmac;
1444 bool ret = true;
1445 if (!aes_cipher_msg_auth_code(key, msg, BT_OCTET32_LEN, BT_OCTET16_LEN,
1446 cmac)) {
1447 SMP_TRACE_ERROR("%s failed", __func__);
1448 ret = false;
1449 }
1450
1451 #if (SMP_DEBUG == TRUE)
1452 p_prnt = cmac;
1453 smp_debug_print_nbyte_little_endian(p_prnt, "AES-CMAC", BT_OCTET16_LEN);
1454 #endif
1455
1456 p = t;
1457 ARRAY_TO_STREAM(p, cmac, BT_OCTET16_LEN);
1458 return ret;
1459 }
1460
1461 /*******************************************************************************
1462 *
1463 * Function smp_calculate_local_dhkey_check
1464 *
1465 * Description The function calculates and saves local device DHKey check
1466 * value in CB.
1467 * Before doing this it calls
1468 * smp_calculate_f5_mackey_and_long_term_key(...).
1469 * to calculate MacKey and LTK.
1470 * MacKey is used in dhkey calculation.
1471 *
1472 * Returns void
1473 *
1474 ******************************************************************************/
smp_calculate_local_dhkey_check(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1475 void smp_calculate_local_dhkey_check(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1476 uint8_t iocap[3], a[7], b[7];
1477
1478 SMP_TRACE_DEBUG("%s", __func__);
1479
1480 smp_calculate_f5_mackey_and_long_term_key(p_cb);
1481
1482 smp_collect_local_io_capabilities(iocap, p_cb);
1483
1484 smp_collect_local_ble_address(a, p_cb);
1485 smp_collect_peer_ble_address(b, p_cb);
1486 smp_calculate_f6(p_cb->mac_key, p_cb->rand, p_cb->rrand, p_cb->peer_random,
1487 iocap, a, b, p_cb->dhkey_check);
1488
1489 SMP_TRACE_EVENT("local DHKey check calculation is completed");
1490 }
1491
1492 /*******************************************************************************
1493 *
1494 * Function smp_calculate_peer_dhkey_check
1495 *
1496 * Description The function calculates peer device DHKey check value.
1497 *
1498 * Returns void
1499 *
1500 ******************************************************************************/
smp_calculate_peer_dhkey_check(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1501 void smp_calculate_peer_dhkey_check(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1502 uint8_t iocap[3], a[7], b[7];
1503 BT_OCTET16 param_buf;
1504 bool ret;
1505 tSMP_KEY key;
1506 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN;
1507
1508 SMP_TRACE_DEBUG("%s", __func__);
1509
1510 smp_collect_peer_io_capabilities(iocap, p_cb);
1511
1512 smp_collect_local_ble_address(a, p_cb);
1513 smp_collect_peer_ble_address(b, p_cb);
1514 ret = smp_calculate_f6(p_cb->mac_key, p_cb->rrand, p_cb->rand,
1515 p_cb->local_random, iocap, b, a, param_buf);
1516
1517 if (ret) {
1518 SMP_TRACE_EVENT("peer DHKey check calculation is completed");
1519 #if (SMP_DEBUG == TRUE)
1520 smp_debug_print_nbyte_little_endian(param_buf, "peer DHKey check",
1521 BT_OCTET16_LEN);
1522 #endif
1523 key.key_type = SMP_KEY_TYPE_PEER_DHK_CHCK;
1524 key.p_data = param_buf;
1525 smp_sm_event(p_cb, SMP_SC_KEY_READY_EVT, &key);
1526 } else {
1527 SMP_TRACE_EVENT("peer DHKey check calculation failed");
1528 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &status);
1529 }
1530 }
1531
1532 /*******************************************************************************
1533 *
1534 * Function smp_calculate_f6
1535 *
1536 * Description The function calculates
1537 * C = f6(W, N1, N2, R, IOcap, A1, A2) =
1538 * AES-CMAC (N1||N2||R||IOcap||A1||A2)
1539 * W
1540 * where
1541 * input: W is 128 bit,
1542 * N1 is 128 bit,
1543 * N2 is 128 bit,
1544 * R is 128 bit,
1545 * IOcap is 24 bit,
1546 * A1 is 56 bit,
1547 * A2 is 56 bit,
1548 * output: C is 128 bit.
1549 *
1550 * Returns false if out of resources, true in other cases.
1551 *
1552 * Note The LSB is the first octet, the MSB is the last octet of
1553 * the AES-CMAC input/output stream.
1554 *
1555 ******************************************************************************/
smp_calculate_f6(uint8_t * w,uint8_t * n1,uint8_t * n2,uint8_t * r,uint8_t * iocap,uint8_t * a1,uint8_t * a2,uint8_t * c)1556 bool smp_calculate_f6(uint8_t* w, uint8_t* n1, uint8_t* n2, uint8_t* r,
1557 uint8_t* iocap, uint8_t* a1, uint8_t* a2, uint8_t* c) {
1558 uint8_t* p = NULL;
1559 uint8_t msg_len = BT_OCTET16_LEN /* N1 size */ +
1560 BT_OCTET16_LEN /* N2 size */ + BT_OCTET16_LEN /* R size */ +
1561 3 /* IOcap size */ + 7 /* A1 size*/
1562 + 7 /* A2 size*/;
1563 uint8_t msg[BT_OCTET16_LEN + BT_OCTET16_LEN + BT_OCTET16_LEN + 3 + 7 + 7];
1564 #if (SMP_DEBUG == TRUE)
1565 uint8_t* p_print = NULL;
1566 #endif
1567
1568 SMP_TRACE_DEBUG("%s", __func__);
1569 #if (SMP_DEBUG == TRUE)
1570 p_print = w;
1571 smp_debug_print_nbyte_little_endian(p_print, "W", BT_OCTET16_LEN);
1572 p_print = n1;
1573 smp_debug_print_nbyte_little_endian(p_print, "N1", BT_OCTET16_LEN);
1574 p_print = n2;
1575 smp_debug_print_nbyte_little_endian(p_print, "N2", BT_OCTET16_LEN);
1576 p_print = r;
1577 smp_debug_print_nbyte_little_endian(p_print, "R", BT_OCTET16_LEN);
1578 p_print = iocap;
1579 smp_debug_print_nbyte_little_endian(p_print, "IOcap", 3);
1580 p_print = a1;
1581 smp_debug_print_nbyte_little_endian(p_print, "A1", 7);
1582 p_print = a2;
1583 smp_debug_print_nbyte_little_endian(p_print, "A2", 7);
1584 #endif
1585
1586 uint8_t cmac[BT_OCTET16_LEN];
1587 uint8_t key[BT_OCTET16_LEN];
1588
1589 p = key;
1590 ARRAY_TO_STREAM(p, w, BT_OCTET16_LEN);
1591 #if (SMP_DEBUG == TRUE)
1592 p_print = key;
1593 smp_debug_print_nbyte_little_endian(p_print, "K", BT_OCTET16_LEN);
1594 #endif
1595
1596 p = msg;
1597 ARRAY_TO_STREAM(p, a2, 7);
1598 ARRAY_TO_STREAM(p, a1, 7);
1599 ARRAY_TO_STREAM(p, iocap, 3);
1600 ARRAY_TO_STREAM(p, r, BT_OCTET16_LEN);
1601 ARRAY_TO_STREAM(p, n2, BT_OCTET16_LEN);
1602 ARRAY_TO_STREAM(p, n1, BT_OCTET16_LEN);
1603 #if (SMP_DEBUG == TRUE)
1604 p_print = msg;
1605 smp_debug_print_nbyte_little_endian(p_print, "M", msg_len);
1606 #endif
1607
1608 bool ret = true;
1609 if (!aes_cipher_msg_auth_code(key, msg, msg_len, BT_OCTET16_LEN, cmac)) {
1610 SMP_TRACE_ERROR("%s failed", __func__);
1611 ret = false;
1612 }
1613
1614 #if (SMP_DEBUG == TRUE)
1615 p_print = cmac;
1616 smp_debug_print_nbyte_little_endian(p_print, "AES-CMAC", BT_OCTET16_LEN);
1617 #endif
1618
1619 p = c;
1620 ARRAY_TO_STREAM(p, cmac, BT_OCTET16_LEN);
1621 return ret;
1622 }
1623
1624 /*******************************************************************************
1625 *
1626 * Function smp_calculate_link_key_from_long_term_key
1627 *
1628 * Description The function calculates and saves BR/EDR link key derived
1629 * from LE SC LTK.
1630 *
1631 * Returns false if out of resources, true in other cases.
1632 *
1633 ******************************************************************************/
smp_calculate_link_key_from_long_term_key(tSMP_CB * p_cb)1634 bool smp_calculate_link_key_from_long_term_key(tSMP_CB* p_cb) {
1635 tBTM_SEC_DEV_REC* p_dev_rec;
1636 RawAddress bda_for_lk;
1637 tBLE_ADDR_TYPE conn_addr_type;
1638 BT_OCTET16 salt = {0x31, 0x70, 0x6D, 0x74, 0x00, 0x00, 0x00, 0x00,
1639 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
1640
1641 SMP_TRACE_DEBUG("%s", __func__);
1642
1643 if (p_cb->id_addr_rcvd && p_cb->id_addr_type == BLE_ADDR_PUBLIC) {
1644 SMP_TRACE_DEBUG(
1645 "Use rcvd identity address as BD_ADDR of LK rcvd identity address");
1646 bda_for_lk = p_cb->id_addr;
1647 } else if ((BTM_ReadRemoteConnectionAddr(p_cb->pairing_bda, bda_for_lk,
1648 &conn_addr_type)) &&
1649 conn_addr_type == BLE_ADDR_PUBLIC) {
1650 SMP_TRACE_DEBUG("Use rcvd connection address as BD_ADDR of LK");
1651 } else {
1652 SMP_TRACE_WARNING("Don't have peer public address to associate with LK");
1653 return false;
1654 }
1655
1656 p_dev_rec = btm_find_dev(p_cb->pairing_bda);
1657 if (p_dev_rec == NULL) {
1658 SMP_TRACE_ERROR("%s failed to find Security Record", __func__);
1659 return false;
1660 }
1661
1662 BT_OCTET16 intermediate_link_key;
1663 bool ret = true;
1664
1665 if (p_cb->key_derivation_h7_used)
1666 ret = smp_calculate_h7((uint8_t*)salt, p_cb->ltk, intermediate_link_key);
1667 else
1668 ret = smp_calculate_h6(p_cb->ltk, (uint8_t*)"1pmt" /* reversed "tmp1" */,
1669 intermediate_link_key);
1670 if (!ret) {
1671 SMP_TRACE_ERROR("%s failed to derive intermediate_link_key", __func__);
1672 return ret;
1673 }
1674
1675 BT_OCTET16 link_key;
1676 ret = smp_calculate_h6(intermediate_link_key,
1677 (uint8_t*)"rbel" /* reversed "lebr" */, link_key);
1678 if (!ret) {
1679 SMP_TRACE_ERROR("%s failed", __func__);
1680 } else {
1681 uint8_t link_key_type;
1682 if (btm_cb.security_mode == BTM_SEC_MODE_SC) {
1683 /* Secure Connections Only Mode */
1684 link_key_type = BTM_LKEY_TYPE_AUTH_COMB_P_256;
1685 } else if (controller_get_interface()->supports_secure_connections()) {
1686 /* both transports are SC capable */
1687 if (p_cb->sec_level == SMP_SEC_AUTHENTICATED)
1688 link_key_type = BTM_LKEY_TYPE_AUTH_COMB_P_256;
1689 else
1690 link_key_type = BTM_LKEY_TYPE_UNAUTH_COMB_P_256;
1691 } else if (btm_cb.security_mode == BTM_SEC_MODE_SP) {
1692 /* BR/EDR transport is SSP capable */
1693 if (p_cb->sec_level == SMP_SEC_AUTHENTICATED)
1694 link_key_type = BTM_LKEY_TYPE_AUTH_COMB;
1695 else
1696 link_key_type = BTM_LKEY_TYPE_UNAUTH_COMB;
1697 } else {
1698 SMP_TRACE_ERROR(
1699 "%s failed to update link_key. Sec Mode = %d, sm4 = 0x%02x", __func__,
1700 btm_cb.security_mode, p_dev_rec->sm4);
1701 return false;
1702 }
1703
1704 link_key_type += BTM_LTK_DERIVED_LKEY_OFFSET;
1705
1706 uint8_t* p;
1707 BT_OCTET16 notif_link_key;
1708 p = notif_link_key;
1709 ARRAY16_TO_STREAM(p, link_key);
1710
1711 btm_sec_link_key_notification(bda_for_lk, notif_link_key, link_key_type);
1712
1713 SMP_TRACE_EVENT("%s is completed", __func__);
1714 }
1715
1716 return ret;
1717 }
1718
1719 /*******************************************************************************
1720 *
1721 * Function smp_calculate_long_term_key_from_link_key
1722 *
1723 * Description The function calculates and saves SC LTK derived from BR/EDR
1724 * link key.
1725 *
1726 * Returns false if out of resources, true in other cases.
1727 *
1728 ******************************************************************************/
smp_calculate_long_term_key_from_link_key(tSMP_CB * p_cb)1729 bool smp_calculate_long_term_key_from_link_key(tSMP_CB* p_cb) {
1730 bool ret = true;
1731 tBTM_SEC_DEV_REC* p_dev_rec;
1732 uint8_t rev_link_key[16];
1733 BT_OCTET16 salt = {0x32, 0x70, 0x6D, 0x74, 0x00, 0x00, 0x00, 0x00,
1734 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
1735
1736 SMP_TRACE_DEBUG("%s", __func__);
1737
1738 p_dev_rec = btm_find_dev(p_cb->pairing_bda);
1739 if (p_dev_rec == NULL) {
1740 SMP_TRACE_ERROR("%s failed to find Security Record", __func__);
1741 return false;
1742 }
1743
1744 uint8_t br_link_key_type;
1745 br_link_key_type = BTM_SecGetDeviceLinkKeyType(p_cb->pairing_bda);
1746 if (br_link_key_type == BTM_LKEY_TYPE_IGNORE) {
1747 SMP_TRACE_ERROR("%s failed to retrieve BR link type", __func__);
1748 return false;
1749 }
1750
1751 if ((br_link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256) &&
1752 (br_link_key_type != BTM_LKEY_TYPE_UNAUTH_COMB_P_256)) {
1753 SMP_TRACE_ERROR("%s LE SC LTK can't be derived from LK %d", __func__,
1754 br_link_key_type);
1755 return false;
1756 }
1757
1758 uint8_t* p1;
1759 uint8_t* p2;
1760 p1 = rev_link_key;
1761 p2 = p_dev_rec->link_key;
1762 REVERSE_ARRAY_TO_STREAM(p1, p2, 16);
1763
1764 BT_OCTET16 intermediate_long_term_key;
1765 if (p_cb->key_derivation_h7_used) {
1766 ret = smp_calculate_h7((uint8_t*)salt, rev_link_key,
1767 intermediate_long_term_key);
1768 } else {
1769 /* "tmp2" obtained from the spec */
1770 ret = smp_calculate_h6(rev_link_key, (uint8_t*)"2pmt" /* reversed "tmp2" */,
1771 intermediate_long_term_key);
1772 }
1773
1774 if (!ret) {
1775 SMP_TRACE_ERROR("%s failed to derive intermediate_long_term_key", __func__);
1776 return ret;
1777 }
1778
1779 /* "brle" obtained from the spec */
1780 ret = smp_calculate_h6(intermediate_long_term_key,
1781 (uint8_t*)"elrb" /* reversed "brle" */, p_cb->ltk);
1782
1783 if (!ret) {
1784 SMP_TRACE_ERROR("%s failed", __func__);
1785 } else {
1786 p_cb->sec_level = (br_link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256)
1787 ? SMP_SEC_AUTHENTICATED
1788 : SMP_SEC_UNAUTHENTICATE;
1789 SMP_TRACE_EVENT("%s is completed", __func__);
1790 }
1791
1792 return ret;
1793 }
1794
1795 /*******************************************************************************
1796 *
1797 * Function smp_calculate_h6
1798 *
1799 * Description The function calculates
1800 * C = h6(W, KeyID) = AES-CMAC (KeyID)
1801 * W
1802 * where
1803 * input: W is 128 bit,
1804 * KeyId is 32 bit,
1805 * output: C is 128 bit.
1806 *
1807 * Returns false if out of resources, true in other cases.
1808 *
1809 * Note The LSB is the first octet, the MSB is the last octet of
1810 * the AES-CMAC input/output stream.
1811 *
1812 ******************************************************************************/
smp_calculate_h6(uint8_t * w,uint8_t * keyid,uint8_t * c)1813 bool smp_calculate_h6(uint8_t* w, uint8_t* keyid, uint8_t* c) {
1814 #if (SMP_DEBUG == TRUE)
1815 uint8_t* p_print = NULL;
1816 #endif
1817
1818 SMP_TRACE_DEBUG("%s", __func__);
1819 #if (SMP_DEBUG == TRUE)
1820 p_print = w;
1821 smp_debug_print_nbyte_little_endian(p_print, "W", BT_OCTET16_LEN);
1822 p_print = keyid;
1823 smp_debug_print_nbyte_little_endian(p_print, "keyID", 4);
1824 #endif
1825
1826 uint8_t* p = NULL;
1827 uint8_t key[BT_OCTET16_LEN];
1828
1829 p = key;
1830 ARRAY_TO_STREAM(p, w, BT_OCTET16_LEN);
1831
1832 #if (SMP_DEBUG == TRUE)
1833 p_print = key;
1834 smp_debug_print_nbyte_little_endian(p_print, "K", BT_OCTET16_LEN);
1835 #endif
1836
1837 uint8_t msg_len = 4 /* KeyID size */;
1838 uint8_t msg[4];
1839
1840 p = msg;
1841 ARRAY_TO_STREAM(p, keyid, 4);
1842
1843 #if (SMP_DEBUG == TRUE)
1844 p_print = msg;
1845 smp_debug_print_nbyte_little_endian(p_print, "M", msg_len);
1846 #endif
1847
1848 bool ret = true;
1849 uint8_t cmac[BT_OCTET16_LEN];
1850 if (!aes_cipher_msg_auth_code(key, msg, msg_len, BT_OCTET16_LEN, cmac)) {
1851 SMP_TRACE_ERROR("%s failed", __func__);
1852 ret = false;
1853 }
1854
1855 #if (SMP_DEBUG == TRUE)
1856 p_print = cmac;
1857 smp_debug_print_nbyte_little_endian(p_print, "AES-CMAC", BT_OCTET16_LEN);
1858 #endif
1859
1860 p = c;
1861 ARRAY_TO_STREAM(p, cmac, BT_OCTET16_LEN);
1862 return ret;
1863 }
1864
1865 /*******************************************************************************
1866 **
1867 ** Function smp_calculate_h7
1868 **
1869 ** Description The function calculates
1870 ** C = h7(SALT, W) = AES-CMAC (W)
1871 ** SALT
1872 ** where
1873 ** input: W is 128 bit,
1874 ** SALT is 128 bit,
1875 ** output: C is 128 bit.
1876 **
1877 ** Returns FALSE if out of resources, TRUE in other cases.
1878 **
1879 ** Note The LSB is the first octet, the MSB is the last octet of
1880 ** the AES-CMAC input/output stream.
1881 **
1882 *******************************************************************************/
smp_calculate_h7(uint8_t * salt,uint8_t * w,uint8_t * c)1883 bool smp_calculate_h7(uint8_t* salt, uint8_t* w, uint8_t* c) {
1884 SMP_TRACE_DEBUG("%s", __FUNCTION__);
1885
1886 uint8_t key[BT_OCTET16_LEN];
1887 uint8_t* p = key;
1888 ARRAY_TO_STREAM(p, salt, BT_OCTET16_LEN);
1889
1890 uint8_t msg_len = BT_OCTET16_LEN /* msg size */;
1891 uint8_t msg[BT_OCTET16_LEN];
1892 p = msg;
1893 ARRAY_TO_STREAM(p, w, BT_OCTET16_LEN);
1894
1895 bool ret = true;
1896 uint8_t cmac[BT_OCTET16_LEN];
1897 if (!aes_cipher_msg_auth_code(key, msg, msg_len, BT_OCTET16_LEN, cmac)) {
1898 SMP_TRACE_ERROR("%s failed", __FUNCTION__);
1899 ret = false;
1900 }
1901
1902 p = c;
1903 ARRAY_TO_STREAM(p, cmac, BT_OCTET16_LEN);
1904 return ret;
1905 }
1906
1907 /**
1908 * This function generates nonce.
1909 */
smp_start_nonce_generation(tSMP_CB * p_cb)1910 void smp_start_nonce_generation(tSMP_CB* p_cb) {
1911 SMP_TRACE_DEBUG("%s", __func__);
1912 btsnd_hcic_ble_rand(Bind(
1913 [](tSMP_CB* p_cb, BT_OCTET8 rand) {
1914 memcpy((void*)p_cb->rand, rand, BT_OCTET8_LEN);
1915 btsnd_hcic_ble_rand(Bind(
1916 [](tSMP_CB* p_cb, BT_OCTET8 rand) {
1917 memcpy((void*)&p_cb->rand[8], rand, BT_OCTET8_LEN);
1918 SMP_TRACE_DEBUG("%s round %d", __func__, p_cb->round);
1919 /* notifies SM that it has new nonce. */
1920 smp_sm_event(p_cb, SMP_HAVE_LOC_NONCE_EVT, NULL);
1921 },
1922 p_cb));
1923 },
1924 p_cb));
1925 }
1926