1 /******************************************************************************
2 *
3 * Copyright 2003-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 #include <cutils/log.h>
20 #include <log/log.h>
21 #include <string.h>
22 #include "btif_common.h"
23 #include "btif_storage.h"
24 #include "device/include/interop.h"
25 #include "internal_include/bt_target.h"
26 #include "stack/btm/btm_int.h"
27 #include "stack/include/l2c_api.h"
28 #include "stack/smp/p_256_ecc_pp.h"
29 #include "stack/smp/smp_int.h"
30 #include "utils/include/bt_utils.h"
31
32 #define SMP_KEY_DIST_TYPE_MAX 4
33
34 const tSMP_ACT smp_distribute_act[] = {
35 smp_generate_ltk, /* SMP_SEC_KEY_TYPE_ENC - '1' bit index */
36 smp_send_id_info, /* SMP_SEC_KEY_TYPE_ID - '1' bit index */
37 smp_generate_csrk, /* SMP_SEC_KEY_TYPE_CSRK - '1' bit index */
38 smp_set_derive_link_key /* SMP_SEC_KEY_TYPE_LK - '1' bit index */
39 };
40
lmp_version_below(const RawAddress & bda,uint8_t version)41 static bool lmp_version_below(const RawAddress& bda, uint8_t version) {
42 tACL_CONN* acl = btm_bda_to_acl(bda, BT_TRANSPORT_LE);
43 if (acl == NULL || acl->lmp_version == 0) {
44 SMP_TRACE_WARNING("%s cannot retrieve LMP version...", __func__);
45 return false;
46 }
47 SMP_TRACE_WARNING("%s LMP version %d < %d", __func__, acl->lmp_version,
48 version);
49 return acl->lmp_version < version;
50 }
51
pts_test_send_authentication_complete_failure(tSMP_CB * p_cb)52 static bool pts_test_send_authentication_complete_failure(tSMP_CB* p_cb) {
53 uint8_t reason = p_cb->cert_failure;
54 if (reason == SMP_PAIR_AUTH_FAIL || reason == SMP_PAIR_FAIL_UNKNOWN ||
55 reason == SMP_PAIR_NOT_SUPPORT || reason == SMP_PASSKEY_ENTRY_FAIL ||
56 reason == SMP_REPEATED_ATTEMPTS) {
57 tSMP_INT_DATA smp_int_data;
58 smp_int_data.status = reason;
59 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
60 return true;
61 }
62 return false;
63 }
64
65 /*******************************************************************************
66 * Function smp_update_key_mask
67 * Description This function updates the key mask for sending or receiving.
68 ******************************************************************************/
smp_update_key_mask(tSMP_CB * p_cb,uint8_t key_type,bool recv)69 static void smp_update_key_mask(tSMP_CB* p_cb, uint8_t key_type, bool recv) {
70 SMP_TRACE_DEBUG(
71 "%s before update role=%d recv=%d local_i_key = %02x, local_r_key = %02x",
72 __func__, p_cb->role, recv, p_cb->local_i_key, p_cb->local_r_key);
73
74 if (((p_cb->le_secure_connections_mode_is_used) || (p_cb->smp_over_br)) &&
75 ((key_type == SMP_SEC_KEY_TYPE_ENC) ||
76 (key_type == SMP_SEC_KEY_TYPE_LK))) {
77 /* in LE SC mode LTK, CSRK and BR/EDR LK are derived locally instead of
78 ** being exchanged with the peer */
79 p_cb->local_i_key &= ~key_type;
80 p_cb->local_r_key &= ~key_type;
81 } else if (p_cb->role == HCI_ROLE_SLAVE) {
82 if (recv)
83 p_cb->local_i_key &= ~key_type;
84 else
85 p_cb->local_r_key &= ~key_type;
86 } else {
87 if (recv)
88 p_cb->local_r_key &= ~key_type;
89 else
90 p_cb->local_i_key &= ~key_type;
91 }
92
93 SMP_TRACE_DEBUG("updated local_i_key = %02x, local_r_key = %02x",
94 p_cb->local_i_key, p_cb->local_r_key);
95 }
96
97 /*******************************************************************************
98 * Function smp_send_app_cback
99 * Description notifies application about the events the application is
100 * interested in
101 ******************************************************************************/
smp_send_app_cback(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)102 void smp_send_app_cback(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
103 tSMP_EVT_DATA cb_data;
104 tSMP_STATUS callback_rc;
105 SMP_TRACE_DEBUG("%s p_cb->cb_evt=%d", __func__, p_cb->cb_evt);
106 if (p_cb->p_callback && p_cb->cb_evt != 0) {
107 switch (p_cb->cb_evt) {
108 case SMP_IO_CAP_REQ_EVT:
109 cb_data.io_req.auth_req = p_cb->peer_auth_req;
110 cb_data.io_req.oob_data = SMP_OOB_NONE;
111 cb_data.io_req.io_cap = btif_storage_get_local_io_caps_ble();
112 cb_data.io_req.max_key_size = SMP_MAX_ENC_KEY_SIZE;
113 cb_data.io_req.init_keys = p_cb->local_i_key;
114 cb_data.io_req.resp_keys = p_cb->local_r_key;
115 SMP_TRACE_WARNING("io_cap = %d", cb_data.io_req.io_cap);
116 break;
117
118 case SMP_NC_REQ_EVT:
119 cb_data.passkey = p_data->passkey;
120 break;
121 case SMP_SC_OOB_REQ_EVT:
122 cb_data.req_oob_type = p_data->req_oob_type;
123 break;
124 case SMP_SC_LOC_OOB_DATA_UP_EVT:
125 cb_data.loc_oob_data = p_cb->sc_oob_data.loc_oob_data;
126 break;
127
128 case SMP_BR_KEYS_REQ_EVT:
129 cb_data.io_req.auth_req = 0;
130 cb_data.io_req.oob_data = SMP_OOB_NONE;
131 cb_data.io_req.io_cap = 0;
132 cb_data.io_req.max_key_size = SMP_MAX_ENC_KEY_SIZE;
133 cb_data.io_req.init_keys = SMP_BR_SEC_DEFAULT_KEY;
134 cb_data.io_req.resp_keys = SMP_BR_SEC_DEFAULT_KEY;
135 break;
136
137 default:
138 break;
139 }
140
141 callback_rc =
142 (*p_cb->p_callback)(p_cb->cb_evt, p_cb->pairing_bda, &cb_data);
143
144 SMP_TRACE_DEBUG("%s: callback_rc=%d p_cb->cb_evt=%d", __func__,
145 callback_rc, p_cb->cb_evt);
146
147 if (callback_rc == SMP_SUCCESS) {
148 switch (p_cb->cb_evt) {
149 case SMP_IO_CAP_REQ_EVT:
150 p_cb->loc_auth_req = cb_data.io_req.auth_req;
151 p_cb->local_io_capability = cb_data.io_req.io_cap;
152 p_cb->loc_oob_flag = cb_data.io_req.oob_data;
153 p_cb->loc_enc_size = cb_data.io_req.max_key_size;
154 p_cb->local_i_key = cb_data.io_req.init_keys;
155 p_cb->local_r_key = cb_data.io_req.resp_keys;
156
157 if (!(p_cb->loc_auth_req & SMP_AUTH_BOND)) {
158 SMP_TRACE_WARNING("Non bonding: No keys will be exchanged");
159 p_cb->local_i_key = 0;
160 p_cb->local_r_key = 0;
161 }
162
163 SMP_TRACE_WARNING(
164 "rcvd auth_req: 0x%02x, io_cap: %d "
165 "loc_oob_flag: %d loc_enc_size: %d, "
166 "local_i_key: 0x%02x, local_r_key: 0x%02x",
167 p_cb->loc_auth_req, p_cb->local_io_capability, p_cb->loc_oob_flag,
168 p_cb->loc_enc_size, p_cb->local_i_key, p_cb->local_r_key);
169
170 p_cb->secure_connections_only_mode_required =
171 (btm_cb.security_mode == BTM_SEC_MODE_SC) ? true : false;
172 /* just for PTS, force SC bit */
173 if (p_cb->secure_connections_only_mode_required) {
174 p_cb->loc_auth_req |= SMP_SC_SUPPORT_BIT;
175 }
176
177 if (!p_cb->secure_connections_only_mode_required &&
178 (!(p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) ||
179 lmp_version_below(p_cb->pairing_bda, HCI_PROTO_VERSION_4_2) ||
180 interop_match_addr(INTEROP_DISABLE_LE_SECURE_CONNECTIONS,
181 (const RawAddress*)&p_cb->pairing_bda))) {
182 p_cb->loc_auth_req &= ~SMP_SC_SUPPORT_BIT;
183 p_cb->loc_auth_req &= ~SMP_KP_SUPPORT_BIT;
184 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
185 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
186 }
187
188 if (lmp_version_below(p_cb->pairing_bda, HCI_PROTO_VERSION_5_0)) {
189 p_cb->loc_auth_req &= ~SMP_H7_SUPPORT_BIT;
190 }
191
192 SMP_TRACE_WARNING(
193 "set auth_req: 0x%02x, local_i_key: 0x%02x, local_r_key: 0x%02x",
194 p_cb->loc_auth_req, p_cb->local_i_key, p_cb->local_r_key);
195
196 smp_sm_event(p_cb, SMP_IO_RSP_EVT, NULL);
197 break;
198
199 case SMP_BR_KEYS_REQ_EVT:
200 p_cb->loc_enc_size = cb_data.io_req.max_key_size;
201 p_cb->local_i_key = cb_data.io_req.init_keys;
202 p_cb->local_r_key = cb_data.io_req.resp_keys;
203 p_cb->loc_auth_req |= SMP_H7_SUPPORT_BIT;
204
205 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
206 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
207
208 SMP_TRACE_WARNING(
209 "for SMP over BR max_key_size: 0x%02x, local_i_key: 0x%02x, "
210 "local_r_key: 0x%02x, p_cb->loc_auth_req: 0x%02x",
211 p_cb->loc_enc_size, p_cb->local_i_key, p_cb->local_r_key,
212 p_cb->loc_auth_req);
213
214 smp_br_state_machine_event(p_cb, SMP_BR_KEYS_RSP_EVT, NULL);
215 break;
216 }
217 }
218 }
219
220 if (!p_cb->cb_evt && p_cb->discard_sec_req) {
221 p_cb->discard_sec_req = false;
222 smp_sm_event(p_cb, SMP_DISCARD_SEC_REQ_EVT, NULL);
223 }
224
225 SMP_TRACE_DEBUG("%s: return", __func__);
226 }
227
228 /*******************************************************************************
229 * Function smp_send_pair_fail
230 * Description pairing failure to peer device if needed.
231 ******************************************************************************/
smp_send_pair_fail(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)232 void smp_send_pair_fail(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
233 p_cb->status = p_data->status;
234 p_cb->failure = p_data->status;
235
236 SMP_TRACE_DEBUG("%s: status=%d failure=%d ", __func__, p_cb->status,
237 p_cb->failure);
238
239 if (p_cb->status <= SMP_MAX_FAIL_RSN_PER_SPEC &&
240 p_cb->status != SMP_SUCCESS) {
241 smp_send_cmd(SMP_OPCODE_PAIRING_FAILED, p_cb);
242 p_cb->wait_for_authorization_complete = true;
243 }
244 }
245
246 /*******************************************************************************
247 * Function smp_send_pair_req
248 * Description actions related to sending pairing request
249 ******************************************************************************/
smp_send_pair_req(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)250 void smp_send_pair_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
251 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
252 SMP_TRACE_DEBUG("%s", __func__);
253
254 /* erase all keys when master sends pairing req*/
255 if (p_dev_rec) btm_sec_clear_ble_keys(p_dev_rec);
256 /* do not manipulate the key, let app decide,
257 leave out to BTM to mandate key distribution for bonding case */
258 smp_send_cmd(SMP_OPCODE_PAIRING_REQ, p_cb);
259 }
260
261 /*******************************************************************************
262 * Function smp_send_pair_rsp
263 * Description actions related to sending pairing response
264 ******************************************************************************/
smp_send_pair_rsp(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)265 void smp_send_pair_rsp(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
266 SMP_TRACE_DEBUG("%s", __func__);
267
268 p_cb->local_i_key &= p_cb->peer_i_key;
269 p_cb->local_r_key &= p_cb->peer_r_key;
270
271 if (smp_send_cmd(SMP_OPCODE_PAIRING_RSP, p_cb)) {
272 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB)
273 smp_use_oob_private_key(p_cb, NULL);
274 else
275 smp_decide_association_model(p_cb, NULL);
276 }
277 }
278
279 /*******************************************************************************
280 * Function smp_send_confirm
281 * Description send confirmation to the peer
282 ******************************************************************************/
smp_send_confirm(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)283 void smp_send_confirm(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
284 SMP_TRACE_DEBUG("%s", __func__);
285 smp_send_cmd(SMP_OPCODE_CONFIRM, p_cb);
286 }
287
288 /*******************************************************************************
289 * Function smp_send_init
290 * Description process pairing initializer to slave device
291 ******************************************************************************/
smp_send_init(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)292 void smp_send_init(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
293 SMP_TRACE_DEBUG("%s", __func__);
294 smp_send_cmd(SMP_OPCODE_INIT, p_cb);
295 }
296
297 /*******************************************************************************
298 * Function smp_send_rand
299 * Description send pairing random to the peer
300 ******************************************************************************/
smp_send_rand(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)301 void smp_send_rand(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
302 SMP_TRACE_DEBUG("%s", __func__);
303 smp_send_cmd(SMP_OPCODE_RAND, p_cb);
304 }
305
306 /*******************************************************************************
307 * Function smp_send_pair_public_key
308 * Description send pairing public key command to the peer
309 ******************************************************************************/
smp_send_pair_public_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)310 void smp_send_pair_public_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
311 SMP_TRACE_DEBUG("%s", __func__);
312 smp_send_cmd(SMP_OPCODE_PAIR_PUBLIC_KEY, p_cb);
313 }
314
315 /*******************************************************************************
316 * Function SMP_SEND_COMMITMENT
317 * Description send commitment command to the peer
318 ******************************************************************************/
smp_send_commitment(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)319 void smp_send_commitment(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
320 SMP_TRACE_DEBUG("%s", __func__);
321 smp_send_cmd(SMP_OPCODE_PAIR_COMMITM, p_cb);
322 }
323
324 /*******************************************************************************
325 * Function smp_send_dhkey_check
326 * Description send DHKey Check command to the peer
327 ******************************************************************************/
smp_send_dhkey_check(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)328 void smp_send_dhkey_check(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
329 SMP_TRACE_DEBUG("%s", __func__);
330 smp_send_cmd(SMP_OPCODE_PAIR_DHKEY_CHECK, p_cb);
331 }
332
333 /*******************************************************************************
334 * Function smp_send_keypress_notification
335 * Description send Keypress Notification command to the peer
336 ******************************************************************************/
smp_send_keypress_notification(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)337 void smp_send_keypress_notification(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
338 p_cb->local_keypress_notification = p_data->status;
339 smp_send_cmd(SMP_OPCODE_PAIR_KEYPR_NOTIF, p_cb);
340 }
341
342 /*******************************************************************************
343 * Function smp_send_enc_info
344 * Description send encryption information command.
345 ******************************************************************************/
smp_send_enc_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)346 void smp_send_enc_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
347 tBTM_LE_KEY_VALUE le_key;
348
349 SMP_TRACE_DEBUG("%s: p_cb->loc_enc_size = %d", __func__, p_cb->loc_enc_size);
350 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, false);
351
352 smp_send_cmd(SMP_OPCODE_ENCRYPT_INFO, p_cb);
353 smp_send_cmd(SMP_OPCODE_MASTER_ID, p_cb);
354
355 /* save the DIV and key size information when acting as slave device */
356 le_key.lenc_key.ltk = p_cb->ltk;
357 le_key.lenc_key.div = p_cb->div;
358 le_key.lenc_key.key_size = p_cb->loc_enc_size;
359 le_key.lenc_key.sec_level = p_cb->sec_level;
360
361 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
362 (p_cb->loc_auth_req & SMP_AUTH_BOND))
363 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC, &le_key, true);
364
365 SMP_TRACE_WARNING("%s", __func__);
366
367 smp_key_distribution(p_cb, NULL);
368 }
369
370 /*******************************************************************************
371 * Function smp_send_id_info
372 * Description send ID information command.
373 ******************************************************************************/
smp_send_id_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)374 void smp_send_id_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
375 tBTM_LE_KEY_VALUE le_key;
376 SMP_TRACE_DEBUG("%s", __func__);
377 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ID, false);
378
379 smp_send_cmd(SMP_OPCODE_IDENTITY_INFO, p_cb);
380 smp_send_cmd(SMP_OPCODE_ID_ADDR, p_cb);
381
382 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
383 (p_cb->loc_auth_req & SMP_AUTH_BOND))
384 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LID, &le_key, true);
385
386 SMP_TRACE_WARNING("%s", __func__);
387 smp_key_distribution_by_transport(p_cb, NULL);
388 }
389
390 /** send CSRK command. */
smp_send_csrk_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)391 void smp_send_csrk_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
392 tBTM_LE_KEY_VALUE key;
393 SMP_TRACE_DEBUG("%s", __func__);
394 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_CSRK, false);
395
396 if (smp_send_cmd(SMP_OPCODE_SIGN_INFO, p_cb)) {
397 key.lcsrk_key.div = p_cb->div;
398 key.lcsrk_key.sec_level = p_cb->sec_level;
399 key.lcsrk_key.counter = 0; /* initialize the local counter */
400 key.lcsrk_key.csrk = p_cb->csrk;
401 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LCSRK, &key, true);
402 }
403
404 smp_key_distribution_by_transport(p_cb, NULL);
405 }
406
407 /*******************************************************************************
408 * Function smp_send_ltk_reply
409 * Description send LTK reply
410 ******************************************************************************/
smp_send_ltk_reply(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)411 void smp_send_ltk_reply(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
412 SMP_TRACE_DEBUG("%s", __func__);
413
414 Octet16 stk;
415 memcpy(stk.data(), p_data->key.p_data, stk.size());
416 /* send stk as LTK response */
417 btm_ble_ltk_request_reply(p_cb->pairing_bda, true, stk);
418 }
419
420 /*******************************************************************************
421 * Function smp_proc_sec_req
422 * Description process security request.
423 ******************************************************************************/
smp_proc_sec_req(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)424 void smp_proc_sec_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
425 tBTM_LE_AUTH_REQ auth_req = *(tBTM_LE_AUTH_REQ*)p_data->p_data;
426 tBTM_BLE_SEC_REQ_ACT sec_req_act;
427
428 SMP_TRACE_DEBUG("%s: auth_req=0x%x", __func__, auth_req);
429
430 p_cb->cb_evt = 0;
431
432 btm_ble_link_sec_check(p_cb->pairing_bda, auth_req, &sec_req_act);
433
434 SMP_TRACE_DEBUG("%s: sec_req_act=0x%x", __func__, sec_req_act);
435
436 switch (sec_req_act) {
437 case BTM_BLE_SEC_REQ_ACT_ENCRYPT:
438 SMP_TRACE_DEBUG("%s: BTM_BLE_SEC_REQ_ACT_ENCRYPT", __func__);
439 smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL);
440 break;
441
442 case BTM_BLE_SEC_REQ_ACT_PAIR:
443 p_cb->secure_connections_only_mode_required =
444 (btm_cb.security_mode == BTM_SEC_MODE_SC) ? true : false;
445
446 /* respond to non SC pairing request as failure in SC only mode */
447 if (p_cb->secure_connections_only_mode_required &&
448 (auth_req & SMP_SC_SUPPORT_BIT) == 0) {
449 tSMP_INT_DATA smp_int_data;
450 smp_int_data.status = SMP_PAIR_AUTH_FAIL;
451 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
452 } else {
453 /* initialize local i/r key to be default keys */
454 p_cb->peer_auth_req = auth_req;
455 p_cb->local_r_key = p_cb->local_i_key = SMP_SEC_DEFAULT_KEY;
456 p_cb->cb_evt = SMP_SEC_REQUEST_EVT;
457 }
458 break;
459
460 case BTM_BLE_SEC_REQ_ACT_DISCARD:
461 p_cb->discard_sec_req = true;
462 break;
463
464 default:
465 /* do nothing */
466 break;
467 }
468 }
469
470 /*******************************************************************************
471 * Function smp_proc_sec_grant
472 * Description process security grant.
473 ******************************************************************************/
smp_proc_sec_grant(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)474 void smp_proc_sec_grant(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
475 uint8_t res = p_data->status;
476 SMP_TRACE_DEBUG("%s", __func__);
477 if (res != SMP_SUCCESS) {
478 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, p_data);
479 } else /*otherwise, start pairing */
480 {
481 /* send IO request callback */
482 p_cb->cb_evt = SMP_IO_CAP_REQ_EVT;
483 }
484 }
485
486 /*******************************************************************************
487 * Function smp_proc_pair_fail
488 * Description process pairing failure from peer device
489 ******************************************************************************/
smp_proc_pair_fail(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)490 void smp_proc_pair_fail(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
491 SMP_TRACE_DEBUG("%s", __func__);
492
493 if (p_cb->rcvd_cmd_len < 2) {
494 android_errorWriteLog(0x534e4554, "111214739");
495 SMP_TRACE_WARNING("%s: rcvd_cmd_len %d too short: must be at least 2",
496 __func__, p_cb->rcvd_cmd_len);
497 p_cb->status = SMP_INVALID_PARAMETERS;
498 } else {
499 p_cb->status = p_data->status;
500 }
501
502 /* Cancel pending auth complete timer if set */
503 alarm_cancel(p_cb->delayed_auth_timer_ent);
504 }
505
506 /*******************************************************************************
507 * Function smp_proc_pair_cmd
508 * Description Process the SMP pairing request/response from peer device
509 ******************************************************************************/
smp_proc_pair_cmd(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)510 void smp_proc_pair_cmd(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
511 uint8_t* p = p_data->p_data;
512 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
513
514 SMP_TRACE_DEBUG("%s: pairing_bda=%s", __func__,
515 p_cb->pairing_bda.ToString().c_str());
516
517 /* erase all keys if it is slave proc pairing req */
518 if (p_dev_rec && (p_cb->role == HCI_ROLE_SLAVE))
519 btm_sec_clear_ble_keys(p_dev_rec);
520
521 p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR;
522
523 if (smp_command_has_invalid_length(p_cb)) {
524 tSMP_INT_DATA smp_int_data;
525 smp_int_data.status = SMP_INVALID_PARAMETERS;
526 android_errorWriteLog(0x534e4554, "111850706");
527 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
528 return;
529 }
530
531 STREAM_TO_UINT8(p_cb->peer_io_caps, p);
532 STREAM_TO_UINT8(p_cb->peer_oob_flag, p);
533 STREAM_TO_UINT8(p_cb->peer_auth_req, p);
534 STREAM_TO_UINT8(p_cb->peer_enc_size, p);
535 STREAM_TO_UINT8(p_cb->peer_i_key, p);
536 STREAM_TO_UINT8(p_cb->peer_r_key, p);
537
538 if (smp_command_has_invalid_parameters(p_cb)) {
539 tSMP_INT_DATA smp_int_data;
540 smp_int_data.status = SMP_INVALID_PARAMETERS;
541 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
542 return;
543 }
544
545 // PTS Testing failure modes
546 if (pts_test_send_authentication_complete_failure(p_cb)) return;
547
548 if (p_cb->role == HCI_ROLE_SLAVE) {
549 if (!(p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD)) {
550 /* peer (master) started pairing sending Pairing Request */
551 p_cb->local_i_key = p_cb->peer_i_key;
552 p_cb->local_r_key = p_cb->peer_r_key;
553
554 p_cb->cb_evt = SMP_SEC_REQUEST_EVT;
555 } else /* update local i/r key according to pairing request */
556 {
557 /* pairing started with this side (slave) sending Security Request */
558 p_cb->local_i_key &= p_cb->peer_i_key;
559 p_cb->local_r_key &= p_cb->peer_r_key;
560 p_cb->selected_association_model = smp_select_association_model(p_cb);
561
562 if (p_cb->secure_connections_only_mode_required &&
563 (!(p_cb->le_secure_connections_mode_is_used) ||
564 (p_cb->selected_association_model ==
565 SMP_MODEL_SEC_CONN_JUSTWORKS))) {
566 SMP_TRACE_ERROR(
567 "%s: pairing failed - slave requires secure connection only mode",
568 __func__);
569 tSMP_INT_DATA smp_int_data;
570 smp_int_data.status = SMP_PAIR_AUTH_FAIL;
571 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
572 return;
573 }
574
575 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) {
576 if (smp_request_oob_data(p_cb)) return;
577 } else {
578 smp_send_pair_rsp(p_cb, NULL);
579 }
580 }
581 } else /* Master receives pairing response */
582 {
583 p_cb->selected_association_model = smp_select_association_model(p_cb);
584
585 if (p_cb->secure_connections_only_mode_required &&
586 (!(p_cb->le_secure_connections_mode_is_used) ||
587 (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS))) {
588 SMP_TRACE_ERROR(
589 "Master requires secure connection only mode "
590 "but it can't be provided -> Master fails pairing");
591 tSMP_INT_DATA smp_int_data;
592 smp_int_data.status = SMP_PAIR_AUTH_FAIL;
593 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
594 return;
595 }
596
597 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) {
598 if (smp_request_oob_data(p_cb)) return;
599 } else {
600 smp_decide_association_model(p_cb, NULL);
601 }
602 }
603 }
604
605 /** process pairing confirm from peer device */
smp_proc_confirm(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)606 void smp_proc_confirm(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
607 SMP_TRACE_DEBUG("%s", __func__);
608
609 if (smp_command_has_invalid_parameters(p_cb)) {
610 tSMP_INT_DATA smp_int_data;
611 smp_int_data.status = SMP_INVALID_PARAMETERS;
612 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
613 return;
614 }
615
616 if (p_data) {
617 uint8_t* p = p_data->p_data;
618 if (p != NULL) {
619 /* save the SConfirm for comparison later */
620 STREAM_TO_ARRAY(p_cb->rconfirm.data(), p, OCTET16_LEN);
621 }
622 }
623
624 p_cb->flags |= SMP_PAIR_FLAGS_CMD_CONFIRM;
625 }
626
627 /** process pairing initializer from peer device */
smp_proc_init(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)628 void smp_proc_init(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
629 uint8_t* p = p_data->p_data;
630
631 SMP_TRACE_DEBUG("%s", __func__);
632
633 if (smp_command_has_invalid_parameters(p_cb)) {
634 tSMP_INT_DATA smp_int_data;
635 smp_int_data.status = SMP_INVALID_PARAMETERS;
636 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
637 return;
638 }
639
640 /* save the SRand for comparison */
641 STREAM_TO_ARRAY(p_cb->rrand.data(), p, OCTET16_LEN);
642 }
643
644 /*******************************************************************************
645 * Function smp_proc_rand
646 * Description process pairing random (nonce) from peer device
647 ******************************************************************************/
smp_proc_rand(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)648 void smp_proc_rand(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
649 uint8_t* p = p_data->p_data;
650
651 SMP_TRACE_DEBUG("%s", __func__);
652
653 if (smp_command_has_invalid_parameters(p_cb)) {
654 tSMP_INT_DATA smp_int_data;
655 smp_int_data.status = SMP_INVALID_PARAMETERS;
656 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
657 return;
658 }
659
660 /* save the SRand for comparison */
661 STREAM_TO_ARRAY(p_cb->rrand.data(), p, OCTET16_LEN);
662 }
663
664 /*******************************************************************************
665 * Function smp_process_pairing_public_key
666 * Description process pairing public key command from the peer device
667 * - saves the peer public key;
668 * - sets the flag indicating that the peer public key is received;
669 * - calls smp_wait_for_both_public_keys(...).
670 *
671 ******************************************************************************/
smp_process_pairing_public_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)672 void smp_process_pairing_public_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
673 uint8_t* p = p_data->p_data;
674
675 SMP_TRACE_DEBUG("%s", __func__);
676
677 if (smp_command_has_invalid_parameters(p_cb)) {
678 tSMP_INT_DATA smp_int_data;
679 smp_int_data.status = SMP_INVALID_PARAMETERS;
680 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
681 return;
682 }
683
684 STREAM_TO_ARRAY(p_cb->peer_publ_key.x, p, BT_OCTET32_LEN);
685 STREAM_TO_ARRAY(p_cb->peer_publ_key.y, p, BT_OCTET32_LEN);
686
687 Point pt;
688 memcpy(pt.x, p_cb->peer_publ_key.x, BT_OCTET32_LEN);
689 memcpy(pt.y, p_cb->peer_publ_key.y, BT_OCTET32_LEN);
690
691 if (!ECC_ValidatePoint(pt)) {
692 android_errorWriteLog(0x534e4554, "72377774");
693 tSMP_INT_DATA smp;
694 smp.status = SMP_PAIR_AUTH_FAIL;
695 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp);
696 return;
697 }
698
699 p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_PUBL_KEY;
700
701 smp_wait_for_both_public_keys(p_cb, NULL);
702 }
703
704 /*******************************************************************************
705 * Function smp_process_pairing_commitment
706 * Description process pairing commitment from peer device
707 ******************************************************************************/
smp_process_pairing_commitment(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)708 void smp_process_pairing_commitment(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
709 uint8_t* p = p_data->p_data;
710
711 SMP_TRACE_DEBUG("%s", __func__);
712
713 if (smp_command_has_invalid_parameters(p_cb)) {
714 tSMP_INT_DATA smp_int_data;
715 smp_int_data.status = SMP_INVALID_PARAMETERS;
716 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
717 return;
718 }
719
720 p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_COMM;
721
722 if (p != NULL) {
723 STREAM_TO_ARRAY(p_cb->remote_commitment.data(), p, OCTET16_LEN);
724 }
725 }
726
727 /*******************************************************************************
728 * Function smp_process_dhkey_check
729 * Description process DHKey Check from peer device
730 ******************************************************************************/
smp_process_dhkey_check(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)731 void smp_process_dhkey_check(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
732 uint8_t* p = p_data->p_data;
733
734 SMP_TRACE_DEBUG("%s", __func__);
735
736 if (smp_command_has_invalid_parameters(p_cb)) {
737 tSMP_INT_DATA smp_int_data;
738 smp_int_data.status = SMP_INVALID_PARAMETERS;
739 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
740 return;
741 }
742
743 if (p != NULL) {
744 STREAM_TO_ARRAY(p_cb->remote_dhkey_check.data(), p, OCTET16_LEN);
745 }
746
747 p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_DHK_CHK;
748 }
749
750 /*******************************************************************************
751 * Function smp_process_keypress_notification
752 * Description process pairing keypress notification from peer device
753 ******************************************************************************/
smp_process_keypress_notification(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)754 void smp_process_keypress_notification(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
755 uint8_t* p = p_data->p_data;
756
757 SMP_TRACE_DEBUG("%s", __func__);
758 p_cb->status = p_data->status;
759
760 if (smp_command_has_invalid_parameters(p_cb)) {
761 tSMP_INT_DATA smp_int_data;
762 smp_int_data.status = SMP_INVALID_PARAMETERS;
763 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
764 return;
765 }
766
767 if (p != NULL) {
768 STREAM_TO_UINT8(p_cb->peer_keypress_notification, p);
769 } else {
770 p_cb->peer_keypress_notification = BTM_SP_KEY_OUT_OF_RANGE;
771 }
772 p_cb->cb_evt = SMP_PEER_KEYPR_NOT_EVT;
773 }
774
775 /*******************************************************************************
776 * Function smp_br_process_pairing_command
777 * Description Process the SMP pairing request/response from peer device via
778 * BR/EDR transport.
779 ******************************************************************************/
smp_br_process_pairing_command(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)780 void smp_br_process_pairing_command(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
781 uint8_t* p = p_data->p_data;
782 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
783
784 SMP_TRACE_DEBUG("%s", __func__);
785 /* rejecting BR pairing request over non-SC BR link */
786 if (!p_dev_rec->new_encryption_key_is_p256 && p_cb->role == HCI_ROLE_SLAVE) {
787 tSMP_INT_DATA smp_int_data;
788 smp_int_data.status = SMP_XTRANS_DERIVE_NOT_ALLOW;
789 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
790 return;
791 }
792
793 /* erase all keys if it is slave proc pairing req*/
794 if (p_dev_rec && (p_cb->role == HCI_ROLE_SLAVE))
795 btm_sec_clear_ble_keys(p_dev_rec);
796
797 p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR;
798
799 if (smp_command_has_invalid_length(p_cb)) {
800 tSMP_INT_DATA smp_int_data;
801 smp_int_data.status = SMP_INVALID_PARAMETERS;
802 android_errorWriteLog(0x534e4554, "111213909");
803 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
804 return;
805 }
806
807 STREAM_TO_UINT8(p_cb->peer_io_caps, p);
808 STREAM_TO_UINT8(p_cb->peer_oob_flag, p);
809 STREAM_TO_UINT8(p_cb->peer_auth_req, p);
810 STREAM_TO_UINT8(p_cb->peer_enc_size, p);
811 STREAM_TO_UINT8(p_cb->peer_i_key, p);
812 STREAM_TO_UINT8(p_cb->peer_r_key, p);
813
814 if (smp_command_has_invalid_parameters(p_cb)) {
815 tSMP_INT_DATA smp_int_data;
816 smp_int_data.status = SMP_INVALID_PARAMETERS;
817 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
818 return;
819 }
820
821 /* peer (master) started pairing sending Pairing Request */
822 /* or being master device always use received i/r key as keys to distribute */
823 p_cb->local_i_key = p_cb->peer_i_key;
824 p_cb->local_r_key = p_cb->peer_r_key;
825
826 if (p_cb->role == HCI_ROLE_SLAVE) {
827 p_dev_rec->new_encryption_key_is_p256 = false;
828 /* shortcut to skip Security Grant step */
829 p_cb->cb_evt = SMP_BR_KEYS_REQ_EVT;
830 } else {
831 /* Master receives pairing response */
832 SMP_TRACE_DEBUG(
833 "%s master rcvs valid PAIRING RESPONSE."
834 " Supposed to move to key distribution phase. ",
835 __func__);
836 }
837
838 /* auth_req received via BR/EDR SM channel is set to 0,
839 but everything derived/exchanged has to be saved */
840 p_cb->peer_auth_req |= SMP_AUTH_BOND;
841 p_cb->loc_auth_req |= SMP_AUTH_BOND;
842 }
843
844 /*******************************************************************************
845 * Function smp_br_process_security_grant
846 * Description process security grant in case of pairing over BR/EDR transport.
847 ******************************************************************************/
smp_br_process_security_grant(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)848 void smp_br_process_security_grant(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
849 SMP_TRACE_DEBUG("%s", __func__);
850 if (p_data->status != SMP_SUCCESS) {
851 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, p_data);
852 } else {
853 /* otherwise, start pairing; send IO request callback */
854 p_cb->cb_evt = SMP_BR_KEYS_REQ_EVT;
855 }
856 }
857
858 /*******************************************************************************
859 * Function smp_br_check_authorization_request
860 * Description sets the SMP kes to be derived/distribute over BR/EDR transport
861 * before starting the distribution/derivation
862 ******************************************************************************/
smp_br_check_authorization_request(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)863 void smp_br_check_authorization_request(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
864 SMP_TRACE_DEBUG("%s rcvs i_keys=0x%x r_keys=0x%x (i-initiator r-responder)",
865 __func__, p_cb->local_i_key, p_cb->local_r_key);
866
867 /* In LE SC mode LK field is ignored when BR/EDR transport is used */
868 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
869 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
870
871 /* In LE SC mode only IRK, IAI, CSRK are exchanged with the peer.
872 ** Set local_r_key on master to expect only these keys. */
873 if (p_cb->role == HCI_ROLE_MASTER) {
874 p_cb->local_r_key &= (SMP_SEC_KEY_TYPE_ID | SMP_SEC_KEY_TYPE_CSRK);
875 }
876
877 /* Check if H7 function needs to be used for key derivation*/
878 if ((p_cb->loc_auth_req & SMP_H7_SUPPORT_BIT) &&
879 (p_cb->peer_auth_req & SMP_H7_SUPPORT_BIT)) {
880 p_cb->key_derivation_h7_used = TRUE;
881 }
882 SMP_TRACE_DEBUG("%s: use h7 = %d", __func__, p_cb->key_derivation_h7_used);
883
884 SMP_TRACE_DEBUG(
885 "%s rcvs upgrades: i_keys=0x%x r_keys=0x%x (i-initiator r-responder)",
886 __func__, p_cb->local_i_key, p_cb->local_r_key);
887
888 if (/*((p_cb->peer_auth_req & SMP_AUTH_BOND) ||
889 (p_cb->loc_auth_req & SMP_AUTH_BOND)) &&*/
890 (p_cb->local_i_key || p_cb->local_r_key)) {
891 smp_br_state_machine_event(p_cb, SMP_BR_BOND_REQ_EVT, NULL);
892
893 /* if no peer key is expected, start master key distribution */
894 if (p_cb->role == HCI_ROLE_MASTER && p_cb->local_r_key == 0)
895 smp_key_distribution_by_transport(p_cb, NULL);
896 } else {
897 tSMP_INT_DATA smp_int_data;
898 smp_int_data.status = SMP_SUCCESS;
899 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
900 }
901 }
902
903 /*******************************************************************************
904 * Function smp_br_select_next_key
905 * Description selects the next key to derive/send when BR/EDR transport is
906 * used.
907 ******************************************************************************/
smp_br_select_next_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)908 void smp_br_select_next_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
909 SMP_TRACE_DEBUG("%s role=%d (0-master) r_keys=0x%x i_keys=0x%x", __func__,
910 p_cb->role, p_cb->local_r_key, p_cb->local_i_key);
911
912 if (p_cb->role == HCI_ROLE_SLAVE ||
913 (!p_cb->local_r_key && p_cb->role == HCI_ROLE_MASTER)) {
914 smp_key_pick_key(p_cb, p_data);
915 }
916
917 if (!p_cb->local_i_key && !p_cb->local_r_key) {
918 /* state check to prevent re-entrance */
919 if (smp_get_br_state() == SMP_BR_STATE_BOND_PENDING) {
920 if (p_cb->total_tx_unacked == 0) {
921 tSMP_INT_DATA smp_int_data;
922 smp_int_data.status = SMP_SUCCESS;
923 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
924 } else {
925 p_cb->wait_for_authorization_complete = true;
926 }
927 }
928 }
929 }
930
931 /** process encryption information from peer device */
smp_proc_enc_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)932 void smp_proc_enc_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
933 uint8_t* p = p_data->p_data;
934
935 SMP_TRACE_DEBUG("%s", __func__);
936
937 if (smp_command_has_invalid_parameters(p_cb)) {
938 tSMP_INT_DATA smp_int_data;
939 smp_int_data.status = SMP_INVALID_PARAMETERS;
940 android_errorWriteLog(0x534e4554, "111937065");
941 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
942 return;
943 }
944
945 STREAM_TO_ARRAY(p_cb->ltk.data(), p, OCTET16_LEN);
946
947 smp_key_distribution(p_cb, NULL);
948 }
949
950 /** process master ID from slave device */
smp_proc_master_id(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)951 void smp_proc_master_id(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
952 uint8_t* p = p_data->p_data;
953 tBTM_LE_KEY_VALUE le_key;
954
955 SMP_TRACE_DEBUG("%s", __func__);
956
957 if (p_cb->rcvd_cmd_len < 11) { // 1(Code) + 2(EDIV) + 8(Rand)
958 android_errorWriteLog(0x534e4554, "111937027");
959 SMP_TRACE_ERROR("%s: Invalid command length: %d, should be at least 11",
960 __func__, p_cb->rcvd_cmd_len);
961 return;
962 }
963
964 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, true);
965
966 STREAM_TO_UINT16(le_key.penc_key.ediv, p);
967 STREAM_TO_ARRAY(le_key.penc_key.rand, p, BT_OCTET8_LEN);
968
969 /* store the encryption keys from peer device */
970 le_key.penc_key.ltk = p_cb->ltk;
971 le_key.penc_key.sec_level = p_cb->sec_level;
972 le_key.penc_key.key_size = p_cb->loc_enc_size;
973
974 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
975 (p_cb->loc_auth_req & SMP_AUTH_BOND))
976 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC, &le_key, true);
977
978 smp_key_distribution(p_cb, NULL);
979 }
980
981 /** process identity information from peer device */
smp_proc_id_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)982 void smp_proc_id_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
983 uint8_t* p = p_data->p_data;
984
985 SMP_TRACE_DEBUG("%s", __func__);
986
987 if (smp_command_has_invalid_parameters(p_cb)) {
988 tSMP_INT_DATA smp_int_data;
989 smp_int_data.status = SMP_INVALID_PARAMETERS;
990 android_errorWriteLog(0x534e4554, "111937065");
991 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
992 return;
993 }
994
995 STREAM_TO_ARRAY(p_cb->tk.data(), p, OCTET16_LEN); /* reuse TK for IRK */
996 smp_key_distribution_by_transport(p_cb, NULL);
997 }
998
999 /** process identity address from peer device */
smp_proc_id_addr(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1000 void smp_proc_id_addr(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1001 uint8_t* p = p_data->p_data;
1002 tBTM_LE_KEY_VALUE pid_key;
1003
1004 SMP_TRACE_DEBUG("%s", __func__);
1005
1006 if (smp_command_has_invalid_parameters(p_cb)) {
1007 tSMP_INT_DATA smp_int_data;
1008 smp_int_data.status = SMP_INVALID_PARAMETERS;
1009 android_errorWriteLog(0x534e4554, "111214770");
1010 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1011 return;
1012 }
1013
1014 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ID, true);
1015
1016 STREAM_TO_UINT8(pid_key.pid_key.identity_addr_type, p);
1017 STREAM_TO_BDADDR(pid_key.pid_key.identity_addr, p);
1018 pid_key.pid_key.irk = p_cb->tk;
1019
1020 /* to use as BD_ADDR for lk derived from ltk */
1021 p_cb->id_addr_rcvd = true;
1022 p_cb->id_addr_type = pid_key.pid_key.identity_addr_type;
1023 p_cb->id_addr = pid_key.pid_key.identity_addr;
1024
1025 /* store the ID key from peer device */
1026 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
1027 (p_cb->loc_auth_req & SMP_AUTH_BOND))
1028 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PID, &pid_key, true);
1029 smp_key_distribution_by_transport(p_cb, NULL);
1030 }
1031
1032 /* process security information from peer device */
smp_proc_srk_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1033 void smp_proc_srk_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1034 tBTM_LE_KEY_VALUE le_key;
1035
1036 SMP_TRACE_DEBUG("%s", __func__);
1037
1038 if (smp_command_has_invalid_parameters(p_cb)) {
1039 tSMP_INT_DATA smp_int_data;
1040 smp_int_data.status = SMP_INVALID_PARAMETERS;
1041 android_errorWriteLog(0x534e4554, "111214470");
1042 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1043 return;
1044 }
1045
1046 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_CSRK, true);
1047
1048 /* save CSRK to security record */
1049 le_key.pcsrk_key.sec_level = p_cb->sec_level;
1050
1051 /* get peer CSRK */
1052 maybe_non_aligned_memcpy(le_key.pcsrk_key.csrk.data(), p_data->p_data,
1053 OCTET16_LEN);
1054
1055 /* initialize the peer counter */
1056 le_key.pcsrk_key.counter = 0;
1057
1058 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
1059 (p_cb->loc_auth_req & SMP_AUTH_BOND))
1060 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PCSRK, &le_key, true);
1061 smp_key_distribution_by_transport(p_cb, NULL);
1062 }
1063
1064 /*******************************************************************************
1065 * Function smp_proc_compare
1066 * Description process compare value
1067 ******************************************************************************/
smp_proc_compare(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1068 void smp_proc_compare(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1069 SMP_TRACE_DEBUG("%s", __func__);
1070 if (!memcmp(p_cb->rconfirm.data(), p_data->key.p_data, OCTET16_LEN)) {
1071 /* compare the max encryption key size, and save the smaller one for the
1072 * link */
1073 if (p_cb->peer_enc_size < p_cb->loc_enc_size)
1074 p_cb->loc_enc_size = p_cb->peer_enc_size;
1075
1076 if (p_cb->role == HCI_ROLE_SLAVE)
1077 smp_sm_event(p_cb, SMP_RAND_EVT, NULL);
1078 else {
1079 /* master device always use received i/r key as keys to distribute */
1080 p_cb->local_i_key = p_cb->peer_i_key;
1081 p_cb->local_r_key = p_cb->peer_r_key;
1082
1083 smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL);
1084 }
1085
1086 } else {
1087 tSMP_INT_DATA smp_int_data;
1088 smp_int_data.status = SMP_CONFIRM_VALUE_ERR;
1089 p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1090 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1091 }
1092 }
1093
1094 /*******************************************************************************
1095 * Function smp_proc_sl_key
1096 * Description process key ready events.
1097 ******************************************************************************/
smp_proc_sl_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1098 void smp_proc_sl_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1099 uint8_t key_type = p_data->key.key_type;
1100
1101 SMP_TRACE_DEBUG("%s", __func__);
1102 if (key_type == SMP_KEY_TYPE_TK) {
1103 smp_generate_srand_mrand_confirm(p_cb, NULL);
1104 } else if (key_type == SMP_KEY_TYPE_CFM) {
1105 smp_set_state(SMP_STATE_WAIT_CONFIRM);
1106
1107 if (p_cb->flags & SMP_PAIR_FLAGS_CMD_CONFIRM)
1108 smp_sm_event(p_cb, SMP_CONFIRM_EVT, NULL);
1109 }
1110 }
1111
1112 /*******************************************************************************
1113 * Function smp_start_enc
1114 * Description start encryption
1115 ******************************************************************************/
smp_start_enc(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1116 void smp_start_enc(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1117 tBTM_STATUS cmd;
1118
1119 SMP_TRACE_DEBUG("%s", __func__);
1120 if (p_data != NULL) {
1121 cmd = btm_ble_start_encrypt(p_cb->pairing_bda, true,
1122 (Octet16*)p_data->key.p_data);
1123 } else {
1124 cmd = btm_ble_start_encrypt(p_cb->pairing_bda, false, NULL);
1125 }
1126
1127 if (cmd != BTM_CMD_STARTED && cmd != BTM_BUSY) {
1128 tSMP_INT_DATA smp_int_data;
1129 smp_int_data.status = SMP_ENC_FAIL;
1130 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1131 }
1132 }
1133
1134 /*******************************************************************************
1135 * Function smp_proc_discard
1136 * Description processing for discard security request
1137 ******************************************************************************/
smp_proc_discard(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1138 void smp_proc_discard(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1139 SMP_TRACE_DEBUG("%s", __func__);
1140 if (!(p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD))
1141 smp_reset_control_value(p_cb);
1142 }
1143
1144 /*******************************************************************************
1145 * Function smp_enc_cmpl
1146 * Description encryption success
1147 ******************************************************************************/
smp_enc_cmpl(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1148 void smp_enc_cmpl(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1149 uint8_t enc_enable = p_data->status;
1150
1151 SMP_TRACE_DEBUG("%s", __func__);
1152 tSMP_INT_DATA smp_int_data;
1153 smp_int_data.status = enc_enable ? SMP_SUCCESS : SMP_ENC_FAIL;
1154 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1155 }
1156
1157 /*******************************************************************************
1158 * Function smp_check_auth_req
1159 * Description check authentication request
1160 ******************************************************************************/
smp_check_auth_req(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1161 void smp_check_auth_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1162 uint8_t enc_enable = p_data->status;
1163
1164 SMP_TRACE_DEBUG(
1165 "%s rcvs enc_enable=%d i_keys=0x%x r_keys=0x%x (i-initiator r-responder)",
1166 __func__, enc_enable, p_cb->local_i_key, p_cb->local_r_key);
1167 if (enc_enable == 1) {
1168 if (p_cb->le_secure_connections_mode_is_used) {
1169 /* In LE SC mode LTK is used instead of STK and has to be always saved */
1170 p_cb->local_i_key |= SMP_SEC_KEY_TYPE_ENC;
1171 p_cb->local_r_key |= SMP_SEC_KEY_TYPE_ENC;
1172
1173 /* In LE SC mode LK is derived from LTK only if both sides request it */
1174 if (!(p_cb->local_i_key & SMP_SEC_KEY_TYPE_LK) ||
1175 !(p_cb->local_r_key & SMP_SEC_KEY_TYPE_LK)) {
1176 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
1177 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
1178 }
1179
1180 /* In LE SC mode only IRK, IAI, CSRK are exchanged with the peer.
1181 ** Set local_r_key on master to expect only these keys.
1182 */
1183 if (p_cb->role == HCI_ROLE_MASTER) {
1184 p_cb->local_r_key &= (SMP_SEC_KEY_TYPE_ID | SMP_SEC_KEY_TYPE_CSRK);
1185 }
1186 } else {
1187 /* in legacy mode derivation of BR/EDR LK is not supported */
1188 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
1189 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
1190 }
1191 SMP_TRACE_DEBUG(
1192 "%s rcvs upgrades: i_keys=0x%x r_keys=0x%x (i-initiator r-responder)",
1193 __func__, p_cb->local_i_key, p_cb->local_r_key);
1194
1195 if (/*((p_cb->peer_auth_req & SMP_AUTH_BOND) ||
1196 (p_cb->loc_auth_req & SMP_AUTH_BOND)) &&*/
1197 (p_cb->local_i_key || p_cb->local_r_key)) {
1198 smp_sm_event(p_cb, SMP_BOND_REQ_EVT, NULL);
1199 } else {
1200 tSMP_INT_DATA smp_int_data;
1201 smp_int_data.status = enc_enable ? SMP_SUCCESS : SMP_ENC_FAIL;
1202 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1203 }
1204 } else if (enc_enable == 0) {
1205 tSMP_INT_DATA smp_int_data;
1206 smp_int_data.status = enc_enable ? SMP_SUCCESS : SMP_ENC_FAIL;
1207 /* if failed for encryption after pairing, send callback */
1208 if (p_cb->flags & SMP_PAIR_FLAG_ENC_AFTER_PAIR)
1209 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1210 /* if enc failed for old security information */
1211 /* if master device, clean up and abck to idle; slave device do nothing */
1212 else if (p_cb->role == HCI_ROLE_MASTER) {
1213 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1214 }
1215 }
1216 }
1217
1218 /*******************************************************************************
1219 * Function smp_key_pick_key
1220 * Description Pick a key distribution function based on the key mask.
1221 ******************************************************************************/
smp_key_pick_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1222 void smp_key_pick_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1223 uint8_t key_to_dist =
1224 (p_cb->role == HCI_ROLE_SLAVE) ? p_cb->local_r_key : p_cb->local_i_key;
1225 uint8_t i = 0;
1226
1227 SMP_TRACE_DEBUG("%s key_to_dist=0x%x", __func__, key_to_dist);
1228 while (i < SMP_KEY_DIST_TYPE_MAX) {
1229 SMP_TRACE_DEBUG("key to send = %02x, i = %d", key_to_dist, i);
1230
1231 if (key_to_dist & (1 << i)) {
1232 SMP_TRACE_DEBUG("smp_distribute_act[%d]", i);
1233 (*smp_distribute_act[i])(p_cb, p_data);
1234 break;
1235 }
1236 i++;
1237 }
1238 }
1239 /*******************************************************************************
1240 * Function smp_key_distribution
1241 * Description start key distribution if required.
1242 ******************************************************************************/
smp_key_distribution(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1243 void smp_key_distribution(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1244 SMP_TRACE_DEBUG("%s role=%d (0-master) r_keys=0x%x i_keys=0x%x", __func__,
1245 p_cb->role, p_cb->local_r_key, p_cb->local_i_key);
1246
1247 if (p_cb->role == HCI_ROLE_SLAVE ||
1248 (!p_cb->local_r_key && p_cb->role == HCI_ROLE_MASTER)) {
1249 smp_key_pick_key(p_cb, p_data);
1250 }
1251
1252 if (!p_cb->local_i_key && !p_cb->local_r_key) {
1253 /* state check to prevent re-entrant */
1254 if (smp_get_state() == SMP_STATE_BOND_PENDING) {
1255 if (p_cb->derive_lk) {
1256 smp_derive_link_key_from_long_term_key(p_cb, NULL);
1257 p_cb->derive_lk = false;
1258 }
1259
1260 if (p_cb->total_tx_unacked == 0) {
1261 /*
1262 * Instead of declaring authorization complete immediately,
1263 * delay the event from being sent by SMP_DELAYED_AUTH_TIMEOUT_MS.
1264 * This allows the slave to send over Pairing Failed if the
1265 * last key is rejected. During this waiting window, the
1266 * state should remain in SMP_STATE_BOND_PENDING.
1267 */
1268 if (!alarm_is_scheduled(p_cb->delayed_auth_timer_ent)) {
1269 SMP_TRACE_DEBUG("%s delaying auth complete.", __func__);
1270 alarm_set_on_mloop(p_cb->delayed_auth_timer_ent,
1271 SMP_DELAYED_AUTH_TIMEOUT_MS,
1272 smp_delayed_auth_complete_timeout, NULL);
1273 }
1274 } else {
1275 p_cb->wait_for_authorization_complete = true;
1276 }
1277 }
1278 }
1279 }
1280
1281 /*******************************************************************************
1282 * Function smp_decide_association_model
1283 * Description This function is called to select assoc model to be used for
1284 * STK generation and to start STK generation process.
1285 *
1286 ******************************************************************************/
smp_decide_association_model(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1287 void smp_decide_association_model(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1288 uint8_t int_evt = 0;
1289 tSMP_INT_DATA smp_int_data;
1290
1291 SMP_TRACE_DEBUG("%s Association Model = %d", __func__,
1292 p_cb->selected_association_model);
1293
1294 switch (p_cb->selected_association_model) {
1295 case SMP_MODEL_ENCRYPTION_ONLY: /* TK = 0, go calculate Confirm */
1296 if (p_cb->role == HCI_ROLE_MASTER &&
1297 ((p_cb->peer_auth_req & SMP_AUTH_YN_BIT) != 0) &&
1298 ((p_cb->loc_auth_req & SMP_AUTH_YN_BIT) == 0)) {
1299 SMP_TRACE_ERROR(
1300 "IO capability does not meet authentication requirement");
1301 smp_int_data.status = SMP_PAIR_AUTH_FAIL;
1302 int_evt = SMP_AUTH_CMPL_EVT;
1303 } else {
1304 p_cb->sec_level = SMP_SEC_UNAUTHENTICATE;
1305 SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_UNAUTHENTICATE) ",
1306 p_cb->sec_level);
1307
1308 tSMP_KEY key;
1309 key.key_type = SMP_KEY_TYPE_TK;
1310 key.p_data = p_cb->tk.data();
1311 smp_int_data.key = key;
1312
1313 p_cb->tk = {0};
1314 /* TK, ready */
1315 int_evt = SMP_KEY_READY_EVT;
1316 }
1317 break;
1318
1319 case SMP_MODEL_PASSKEY:
1320 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1321 SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_AUTHENTICATED) ",
1322 p_cb->sec_level);
1323
1324 p_cb->cb_evt = SMP_PASSKEY_REQ_EVT;
1325 int_evt = SMP_TK_REQ_EVT;
1326 break;
1327
1328 case SMP_MODEL_OOB:
1329 SMP_TRACE_ERROR("Association Model = SMP_MODEL_OOB");
1330 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1331 SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_AUTHENTICATED) ",
1332 p_cb->sec_level);
1333
1334 p_cb->cb_evt = SMP_OOB_REQ_EVT;
1335 int_evt = SMP_TK_REQ_EVT;
1336 break;
1337
1338 case SMP_MODEL_KEY_NOTIF:
1339 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1340 SMP_TRACE_DEBUG("Need to generate Passkey");
1341
1342 /* generate passkey and notify application */
1343 smp_generate_passkey(p_cb, NULL);
1344 break;
1345
1346 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1347 case SMP_MODEL_SEC_CONN_NUM_COMP:
1348 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1349 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1350 case SMP_MODEL_SEC_CONN_OOB:
1351 int_evt = SMP_PUBL_KEY_EXCH_REQ_EVT;
1352 break;
1353
1354 case SMP_MODEL_OUT_OF_RANGE:
1355 SMP_TRACE_ERROR("Association Model = SMP_MODEL_OUT_OF_RANGE (failed)");
1356 smp_int_data.status = SMP_UNKNOWN_IO_CAP;
1357 int_evt = SMP_AUTH_CMPL_EVT;
1358 break;
1359
1360 default:
1361 SMP_TRACE_ERROR(
1362 "Association Model = %d (SOMETHING IS WRONG WITH THE CODE)",
1363 p_cb->selected_association_model);
1364 smp_int_data.status = SMP_UNKNOWN_IO_CAP;
1365 int_evt = SMP_AUTH_CMPL_EVT;
1366 }
1367
1368 SMP_TRACE_EVENT("sec_level=%d ", p_cb->sec_level);
1369 if (int_evt) smp_sm_event(p_cb, int_evt, &smp_int_data);
1370 }
1371
1372 /*******************************************************************************
1373 * Function smp_process_io_response
1374 * Description process IO response for a slave device.
1375 ******************************************************************************/
smp_process_io_response(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1376 void smp_process_io_response(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1377
1378 SMP_TRACE_DEBUG("%s", __func__);
1379 if (p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD) {
1380 /* pairing started by local (slave) Security Request */
1381 smp_set_state(SMP_STATE_SEC_REQ_PENDING);
1382 smp_send_cmd(SMP_OPCODE_SEC_REQ, p_cb);
1383 } else /* plan to send pairing respond */
1384 {
1385 /* pairing started by peer (master) Pairing Request */
1386 p_cb->selected_association_model = smp_select_association_model(p_cb);
1387
1388 if (p_cb->secure_connections_only_mode_required &&
1389 (!(p_cb->le_secure_connections_mode_is_used) ||
1390 (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS))) {
1391 SMP_TRACE_ERROR(
1392 "Slave requires secure connection only mode "
1393 "but it can't be provided -> Slave fails pairing");
1394 tSMP_INT_DATA smp_int_data;
1395 smp_int_data.status = SMP_PAIR_AUTH_FAIL;
1396 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1397 return;
1398 }
1399
1400 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) {
1401 if (smp_request_oob_data(p_cb)) return;
1402 }
1403
1404 // PTS Testing failure modes
1405 if (pts_test_send_authentication_complete_failure(p_cb)) return;
1406
1407 smp_send_pair_rsp(p_cb, NULL);
1408 }
1409 }
1410
1411 /*******************************************************************************
1412 * Function smp_br_process_slave_keys_response
1413 * Description process application keys response for a slave device
1414 * (BR/EDR transport).
1415 ******************************************************************************/
smp_br_process_slave_keys_response(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1416 void smp_br_process_slave_keys_response(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1417 smp_br_send_pair_response(p_cb, NULL);
1418 }
1419
1420 /*******************************************************************************
1421 * Function smp_br_send_pair_response
1422 * Description actions related to sending pairing response over BR/EDR
1423 * transport.
1424 ******************************************************************************/
smp_br_send_pair_response(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1425 void smp_br_send_pair_response(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1426 SMP_TRACE_DEBUG("%s", __func__);
1427
1428 p_cb->local_i_key &= p_cb->peer_i_key;
1429 p_cb->local_r_key &= p_cb->peer_r_key;
1430
1431 smp_send_cmd(SMP_OPCODE_PAIRING_RSP, p_cb);
1432 }
1433
1434 /*******************************************************************************
1435 * Function smp_pairing_cmpl
1436 * Description This function is called to send the pairing complete
1437 * callback and remove the connection if needed.
1438 ******************************************************************************/
smp_pairing_cmpl(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1439 void smp_pairing_cmpl(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1440 if (p_cb->total_tx_unacked == 0) {
1441 /* process the pairing complete */
1442 smp_proc_pairing_cmpl(p_cb);
1443 }
1444 }
1445
1446 /*******************************************************************************
1447 * Function smp_pair_terminate
1448 * Description This function is called to send the pairing complete
1449 * callback and remove the connection if needed.
1450 ******************************************************************************/
smp_pair_terminate(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1451 void smp_pair_terminate(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1452 SMP_TRACE_DEBUG("%s", __func__);
1453 p_cb->status = SMP_CONN_TOUT;
1454 smp_proc_pairing_cmpl(p_cb);
1455 }
1456
1457 /*******************************************************************************
1458 * Function smp_idle_terminate
1459 * Description This function calledin idle state to determine to send
1460 * authentication complete or not.
1461 ******************************************************************************/
smp_idle_terminate(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1462 void smp_idle_terminate(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1463 if (p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD) {
1464 SMP_TRACE_DEBUG("Pairing terminated at IDLE state.");
1465 p_cb->status = SMP_FAIL;
1466 smp_proc_pairing_cmpl(p_cb);
1467 }
1468 }
1469
1470 /*******************************************************************************
1471 * Function smp_both_have_public_keys
1472 * Description The function is called when both local and peer public keys are
1473 * saved.
1474 * Actions:
1475 * - invokes DHKey computation;
1476 * - on slave side invokes sending local public key to the peer.
1477 * - invokes SC phase 1 process.
1478 ******************************************************************************/
smp_both_have_public_keys(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1479 void smp_both_have_public_keys(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1480 SMP_TRACE_DEBUG("%s", __func__);
1481
1482 /* invokes DHKey computation */
1483 smp_compute_dhkey(p_cb);
1484
1485 /* on slave side invokes sending local public key to the peer */
1486 if (p_cb->role == HCI_ROLE_SLAVE) smp_send_pair_public_key(p_cb, NULL);
1487
1488 smp_sm_event(p_cb, SMP_SC_DHKEY_CMPLT_EVT, NULL);
1489 }
1490
1491 /*******************************************************************************
1492 * Function smp_start_secure_connection_phase1
1493 * Description Start Secure Connection phase1 i.e. invokes initialization of
1494 * Secure Connection phase 1 parameters and starts building/sending
1495 * to the peer messages appropriate for the role and association
1496 * model.
1497 ******************************************************************************/
smp_start_secure_connection_phase1(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1498 void smp_start_secure_connection_phase1(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1499 SMP_TRACE_DEBUG("%s", __func__);
1500
1501 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS) {
1502 p_cb->sec_level = SMP_SEC_UNAUTHENTICATE;
1503 SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_UNAUTHENTICATE) ",
1504 p_cb->sec_level);
1505 } else {
1506 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1507 SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_AUTHENTICATED) ",
1508 p_cb->sec_level);
1509 }
1510
1511 switch (p_cb->selected_association_model) {
1512 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1513 case SMP_MODEL_SEC_CONN_NUM_COMP:
1514 p_cb->local_random = {0};
1515 smp_start_nonce_generation(p_cb);
1516 break;
1517 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1518 /* user has to provide passkey */
1519 p_cb->cb_evt = SMP_PASSKEY_REQ_EVT;
1520 smp_sm_event(p_cb, SMP_TK_REQ_EVT, NULL);
1521 break;
1522 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1523 /* passkey has to be provided to user */
1524 SMP_TRACE_DEBUG("Need to generate SC Passkey");
1525 smp_generate_passkey(p_cb, NULL);
1526 break;
1527 case SMP_MODEL_SEC_CONN_OOB:
1528 /* use the available OOB information */
1529 smp_process_secure_connection_oob_data(p_cb, NULL);
1530 break;
1531 default:
1532 SMP_TRACE_ERROR("Association Model = %d is not used in LE SC",
1533 p_cb->selected_association_model);
1534 break;
1535 }
1536 }
1537
1538 /*******************************************************************************
1539 * Function smp_process_local_nonce
1540 * Description The function processes new local nonce.
1541 *
1542 * Note It is supposed to be called in SC phase1.
1543 ******************************************************************************/
smp_process_local_nonce(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1544 void smp_process_local_nonce(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1545 SMP_TRACE_DEBUG("%s", __func__);
1546
1547 switch (p_cb->selected_association_model) {
1548 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1549 case SMP_MODEL_SEC_CONN_NUM_COMP:
1550 if (p_cb->role == HCI_ROLE_SLAVE) {
1551 /* slave calculates and sends local commitment */
1552 smp_calculate_local_commitment(p_cb);
1553 smp_send_commitment(p_cb, NULL);
1554 /* slave has to wait for peer nonce */
1555 smp_set_state(SMP_STATE_WAIT_NONCE);
1556 } else /* i.e. master */
1557 {
1558 if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_COMM) {
1559 /* slave commitment is already received, send local nonce, wait for
1560 * remote nonce*/
1561 SMP_TRACE_DEBUG(
1562 "master in assoc mode = %d "
1563 "already rcvd slave commitment - race condition",
1564 p_cb->selected_association_model);
1565 p_cb->flags &= ~SMP_PAIR_FLAG_HAVE_PEER_COMM;
1566 smp_send_rand(p_cb, NULL);
1567 smp_set_state(SMP_STATE_WAIT_NONCE);
1568 }
1569 }
1570 break;
1571 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1572 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1573 smp_calculate_local_commitment(p_cb);
1574
1575 if (p_cb->role == HCI_ROLE_MASTER) {
1576 smp_send_commitment(p_cb, NULL);
1577 } else /* slave */
1578 {
1579 if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_COMM) {
1580 /* master commitment is already received */
1581 smp_send_commitment(p_cb, NULL);
1582 smp_set_state(SMP_STATE_WAIT_NONCE);
1583 }
1584 }
1585 break;
1586 case SMP_MODEL_SEC_CONN_OOB:
1587 if (p_cb->role == HCI_ROLE_MASTER) {
1588 smp_send_rand(p_cb, NULL);
1589 }
1590
1591 smp_set_state(SMP_STATE_WAIT_NONCE);
1592 break;
1593 default:
1594 SMP_TRACE_ERROR("Association Model = %d is not used in LE SC",
1595 p_cb->selected_association_model);
1596 break;
1597 }
1598 }
1599
1600 /*******************************************************************************
1601 * Function smp_process_peer_nonce
1602 * Description The function processes newly received and saved in CB peer
1603 * nonce. The actions depend on the selected association model and
1604 * the role.
1605 *
1606 * Note It is supposed to be called in SC phase1.
1607 ******************************************************************************/
smp_process_peer_nonce(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1608 void smp_process_peer_nonce(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1609 SMP_TRACE_DEBUG("%s start ", __func__);
1610
1611 // PTS Testing failure modes
1612 if (p_cb->cert_failure == SMP_CONFIRM_VALUE_ERR) {
1613 SMP_TRACE_ERROR("%s failure case = %d", __func__, p_cb->cert_failure);
1614 tSMP_INT_DATA smp_int_data;
1615 smp_int_data.status = SMP_CONFIRM_VALUE_ERR;
1616 p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1617 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1618 return;
1619 }
1620 // PTS Testing failure modes (for LT)
1621 if ((p_cb->cert_failure == SMP_NUMERIC_COMPAR_FAIL) &&
1622 (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS) &&
1623 (p_cb->role == HCI_ROLE_SLAVE)) {
1624 SMP_TRACE_ERROR("%s failure case = %d", __func__, p_cb->cert_failure);
1625 tSMP_INT_DATA smp_int_data;
1626 smp_int_data.status = SMP_NUMERIC_COMPAR_FAIL;
1627 p_cb->failure = SMP_NUMERIC_COMPAR_FAIL;
1628 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1629 return;
1630 }
1631
1632 switch (p_cb->selected_association_model) {
1633 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1634 case SMP_MODEL_SEC_CONN_NUM_COMP:
1635 /* in these models only master receives commitment */
1636 if (p_cb->role == HCI_ROLE_MASTER) {
1637 if (!smp_check_commitment(p_cb)) {
1638 tSMP_INT_DATA smp_int_data;
1639 smp_int_data.status = SMP_CONFIRM_VALUE_ERR;
1640 p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1641 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1642 break;
1643 }
1644 } else {
1645 /* slave sends local nonce */
1646 smp_send_rand(p_cb, NULL);
1647 }
1648
1649 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS) {
1650 /* go directly to phase 2 */
1651 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1652 } else /* numeric comparison */
1653 {
1654 smp_set_state(SMP_STATE_WAIT_NONCE);
1655 smp_sm_event(p_cb, SMP_SC_CALC_NC_EVT, NULL);
1656 }
1657 break;
1658 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1659 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1660 if (!smp_check_commitment(p_cb) &&
1661 p_cb->cert_failure != SMP_NUMERIC_COMPAR_FAIL) {
1662 tSMP_INT_DATA smp_int_data;
1663 smp_int_data.status = SMP_CONFIRM_VALUE_ERR;
1664 p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1665 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1666 break;
1667 }
1668
1669 if (p_cb->role == HCI_ROLE_SLAVE) {
1670 smp_send_rand(p_cb, NULL);
1671 }
1672
1673 if (++p_cb->round < 20) {
1674 smp_set_state(SMP_STATE_SEC_CONN_PHS1_START);
1675 p_cb->flags &= ~SMP_PAIR_FLAG_HAVE_PEER_COMM;
1676 smp_start_nonce_generation(p_cb);
1677 break;
1678 }
1679
1680 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1681 break;
1682 case SMP_MODEL_SEC_CONN_OOB:
1683 if (p_cb->role == HCI_ROLE_SLAVE) {
1684 smp_send_rand(p_cb, NULL);
1685 }
1686
1687 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1688 break;
1689 default:
1690 SMP_TRACE_ERROR("Association Model = %d is not used in LE SC",
1691 p_cb->selected_association_model);
1692 break;
1693 }
1694
1695 SMP_TRACE_DEBUG("%s end ", __func__);
1696 }
1697
1698 /*******************************************************************************
1699 * Function smp_match_dhkey_checks
1700 * Description checks if the calculated peer DHKey Check value is the same as
1701 * received from the peer DHKey check value.
1702 ******************************************************************************/
smp_match_dhkey_checks(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1703 void smp_match_dhkey_checks(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1704 SMP_TRACE_DEBUG("%s", __func__);
1705
1706 if (memcmp(p_data->key.p_data, p_cb->remote_dhkey_check.data(),
1707 OCTET16_LEN)) {
1708 SMP_TRACE_WARNING("dhkey chcks do no match");
1709 tSMP_INT_DATA smp_int_data;
1710 smp_int_data.status = SMP_DHKEY_CHK_FAIL;
1711 p_cb->failure = SMP_DHKEY_CHK_FAIL;
1712 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1713 return;
1714 }
1715
1716 SMP_TRACE_EVENT("dhkey chcks match");
1717
1718 /* compare the max encryption key size, and save the smaller one for the link
1719 */
1720 if (p_cb->peer_enc_size < p_cb->loc_enc_size)
1721 p_cb->loc_enc_size = p_cb->peer_enc_size;
1722
1723 if (p_cb->role == HCI_ROLE_SLAVE) {
1724 smp_sm_event(p_cb, SMP_PAIR_DHKEY_CHCK_EVT, NULL);
1725 } else {
1726 /* master device always use received i/r key as keys to distribute */
1727 p_cb->local_i_key = p_cb->peer_i_key;
1728 p_cb->local_r_key = p_cb->peer_r_key;
1729 smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL);
1730 }
1731 }
1732
1733 /*******************************************************************************
1734 * Function smp_move_to_secure_connections_phase2
1735 * Description Signal State Machine to start SC phase 2 initialization (to
1736 * compute local DHKey Check value).
1737 *
1738 * Note SM is supposed to be in the state SMP_STATE_SEC_CONN_PHS2_START.
1739 ******************************************************************************/
smp_move_to_secure_connections_phase2(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1740 void smp_move_to_secure_connections_phase2(tSMP_CB* p_cb,
1741 tSMP_INT_DATA* p_data) {
1742 SMP_TRACE_DEBUG("%s", __func__);
1743 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1744 }
1745
1746 /*******************************************************************************
1747 * Function smp_phase_2_dhkey_checks_are_present
1748 * Description generates event if dhkey check from the peer is already
1749 * received.
1750 *
1751 * Note It is supposed to be used on slave to prevent race condition.
1752 * It is supposed to be called after slave dhkey check is
1753 * calculated.
1754 ******************************************************************************/
smp_phase_2_dhkey_checks_are_present(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1755 void smp_phase_2_dhkey_checks_are_present(tSMP_CB* p_cb,
1756 tSMP_INT_DATA* p_data) {
1757 SMP_TRACE_DEBUG("%s", __func__);
1758
1759 if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_DHK_CHK)
1760 smp_sm_event(p_cb, SMP_SC_2_DHCK_CHKS_PRES_EVT, NULL);
1761 }
1762
1763 /*******************************************************************************
1764 * Function smp_wait_for_both_public_keys
1765 * Description generates SMP_BOTH_PUBL_KEYS_RCVD_EVT event when both local and
1766 * master public keys are available.
1767 *
1768 * Note on the slave it is used to prevent race condition.
1769 *
1770 ******************************************************************************/
smp_wait_for_both_public_keys(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1771 void smp_wait_for_both_public_keys(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1772 SMP_TRACE_DEBUG("%s", __func__);
1773
1774 if ((p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_PUBL_KEY) &&
1775 (p_cb->flags & SMP_PAIR_FLAG_HAVE_LOCAL_PUBL_KEY)) {
1776 if ((p_cb->role == HCI_ROLE_SLAVE) &&
1777 ((p_cb->req_oob_type == SMP_OOB_LOCAL) ||
1778 (p_cb->req_oob_type == SMP_OOB_BOTH))) {
1779 smp_set_state(SMP_STATE_PUBLIC_KEY_EXCH);
1780 }
1781 smp_sm_event(p_cb, SMP_BOTH_PUBL_KEYS_RCVD_EVT, NULL);
1782 }
1783 }
1784
1785 /*******************************************************************************
1786 * Function smp_start_passkey_verification
1787 * Description Starts SC passkey entry verification.
1788 ******************************************************************************/
smp_start_passkey_verification(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1789 void smp_start_passkey_verification(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1790 uint8_t* p = NULL;
1791
1792 SMP_TRACE_DEBUG("%s", __func__);
1793 p = p_cb->local_random.data();
1794 UINT32_TO_STREAM(p, p_data->passkey);
1795
1796 p = p_cb->peer_random.data();
1797 UINT32_TO_STREAM(p, p_data->passkey);
1798
1799 p_cb->round = 0;
1800 smp_start_nonce_generation(p_cb);
1801 }
1802
1803 /*******************************************************************************
1804 * Function smp_process_secure_connection_oob_data
1805 * Description Processes local/peer SC OOB data received from somewhere.
1806 ******************************************************************************/
smp_process_secure_connection_oob_data(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1807 void smp_process_secure_connection_oob_data(tSMP_CB* p_cb,
1808 tSMP_INT_DATA* p_data) {
1809 SMP_TRACE_DEBUG("%s", __func__);
1810
1811 tSMP_SC_OOB_DATA* p_sc_oob_data = &p_cb->sc_oob_data;
1812 if (p_sc_oob_data->loc_oob_data.present) {
1813 p_cb->local_random = p_sc_oob_data->loc_oob_data.randomizer;
1814 } else {
1815 SMP_TRACE_EVENT("%s: local OOB randomizer is absent", __func__);
1816 p_cb->local_random = {0};
1817 }
1818
1819 if (!p_sc_oob_data->peer_oob_data.present) {
1820 SMP_TRACE_EVENT("%s: peer OOB data is absent", __func__);
1821 p_cb->peer_random = {0};
1822 } else {
1823 p_cb->peer_random = p_sc_oob_data->peer_oob_data.randomizer;
1824 p_cb->remote_commitment = p_sc_oob_data->peer_oob_data.commitment;
1825
1826 /* check commitment */
1827 if (!smp_check_commitment(p_cb)) {
1828 tSMP_INT_DATA smp_int_data;
1829 smp_int_data.status = SMP_CONFIRM_VALUE_ERR;
1830 p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1831 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1832 return;
1833 }
1834
1835 if (p_cb->peer_oob_flag != SMP_OOB_PRESENT) {
1836 /* the peer doesn't have local randomiser */
1837 SMP_TRACE_EVENT(
1838 "%s: peer didn't receive local OOB data, set local randomizer to 0",
1839 __func__);
1840 p_cb->local_random = {0};
1841 }
1842 }
1843
1844 print128(p_cb->local_random, (const uint8_t*)"local OOB randomizer");
1845 print128(p_cb->peer_random, (const uint8_t*)"peer OOB randomizer");
1846 smp_start_nonce_generation(p_cb);
1847 }
1848
1849 /*******************************************************************************
1850 * Function smp_set_local_oob_keys
1851 * Description Saves calculated private/public keys in
1852 * sc_oob_data.loc_oob_data, starts nonce generation
1853 * (to be saved in sc_oob_data.loc_oob_data.randomizer).
1854 ******************************************************************************/
smp_set_local_oob_keys(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1855 void smp_set_local_oob_keys(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1856 SMP_TRACE_DEBUG("%s", __func__);
1857
1858 memcpy(p_cb->sc_oob_data.loc_oob_data.private_key_used, p_cb->private_key,
1859 BT_OCTET32_LEN);
1860 p_cb->sc_oob_data.loc_oob_data.publ_key_used = p_cb->loc_publ_key;
1861 smp_start_nonce_generation(p_cb);
1862 }
1863
1864 /*******************************************************************************
1865 * Function smp_set_local_oob_random_commitment
1866 * Description Saves calculated randomizer and commitment in
1867 * sc_oob_data.loc_oob_data, passes sc_oob_data.loc_oob_data up
1868 * for safekeeping.
1869 ******************************************************************************/
smp_set_local_oob_random_commitment(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1870 void smp_set_local_oob_random_commitment(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1871 SMP_TRACE_DEBUG("%s", __func__);
1872 p_cb->sc_oob_data.loc_oob_data.randomizer = p_cb->rand;
1873
1874 p_cb->sc_oob_data.loc_oob_data.commitment =
1875 crypto_toolbox::f4(p_cb->sc_oob_data.loc_oob_data.publ_key_used.x,
1876 p_cb->sc_oob_data.loc_oob_data.publ_key_used.x,
1877 p_cb->sc_oob_data.loc_oob_data.randomizer, 0);
1878
1879 #if (SMP_DEBUG == TRUE)
1880 uint8_t* p_print = NULL;
1881 SMP_TRACE_DEBUG("local SC OOB data set:");
1882 p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.addr_sent_to;
1883 smp_debug_print_nbyte_little_endian(p_print, "addr_sent_to",
1884 sizeof(tBLE_BD_ADDR));
1885 p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.private_key_used;
1886 smp_debug_print_nbyte_little_endian(p_print, "private_key_used",
1887 BT_OCTET32_LEN);
1888 p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.publ_key_used.x;
1889 smp_debug_print_nbyte_little_endian(p_print, "publ_key_used.x",
1890 BT_OCTET32_LEN);
1891 p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.publ_key_used.y;
1892 smp_debug_print_nbyte_little_endian(p_print, "publ_key_used.y",
1893 BT_OCTET32_LEN);
1894 p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.randomizer;
1895 smp_debug_print_nbyte_little_endian(p_print, "randomizer", OCTET16_LEN);
1896 p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.commitment;
1897 smp_debug_print_nbyte_little_endian(p_print, "commitment", OCTET16_LEN);
1898 SMP_TRACE_DEBUG("");
1899 #endif
1900
1901 /* pass created OOB data up */
1902 p_cb->cb_evt = SMP_SC_LOC_OOB_DATA_UP_EVT;
1903 smp_send_app_cback(p_cb, NULL);
1904
1905 smp_cb_cleanup(p_cb);
1906 }
1907
1908 /*******************************************************************************
1909 *
1910 * Function smp_link_encrypted
1911 *
1912 * Description This function is called when link is encrypted and notified
1913 * to the slave device. Proceed to to send LTK, DIV and ER to
1914 * master if bonding the devices.
1915 *
1916 *
1917 * Returns void
1918 *
1919 ******************************************************************************/
smp_link_encrypted(const RawAddress & bda,uint8_t encr_enable)1920 void smp_link_encrypted(const RawAddress& bda, uint8_t encr_enable) {
1921 tSMP_CB* p_cb = &smp_cb;
1922
1923 SMP_TRACE_DEBUG("%s: encr_enable=%d", __func__, encr_enable);
1924
1925 if (smp_cb.pairing_bda == bda) {
1926 /* encryption completed with STK, remember the key size now, could be
1927 * overwritten when key exchange happens */
1928 if (p_cb->loc_enc_size != 0 && encr_enable) {
1929 /* update the link encryption key size if a SMP pairing just performed */
1930 btm_ble_update_sec_key_size(bda, p_cb->loc_enc_size);
1931 }
1932
1933 tSMP_INT_DATA smp_int_data;
1934 smp_int_data.status = encr_enable;
1935 smp_sm_event(&smp_cb, SMP_ENCRYPTED_EVT, &smp_int_data);
1936 }
1937 }
1938
smp_cancel_start_encryption_attempt()1939 void smp_cancel_start_encryption_attempt() {
1940 SMP_TRACE_ERROR("%s: Encryption request cancelled", __func__);
1941 smp_sm_event(&smp_cb, SMP_DISCARD_SEC_REQ_EVT, NULL);
1942 }
1943
1944 /*******************************************************************************
1945 *
1946 * Function smp_proc_ltk_request
1947 *
1948 * Description This function is called when LTK request is received from
1949 * controller.
1950 *
1951 * Returns void
1952 *
1953 ******************************************************************************/
smp_proc_ltk_request(const RawAddress & bda)1954 bool smp_proc_ltk_request(const RawAddress& bda) {
1955 SMP_TRACE_DEBUG("%s state = %d", __func__, smp_cb.state);
1956 bool match = false;
1957
1958 if (bda == smp_cb.pairing_bda) {
1959 match = true;
1960 } else {
1961 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda);
1962 if (p_dev_rec != NULL && p_dev_rec->ble.pseudo_addr == smp_cb.pairing_bda &&
1963 p_dev_rec->ble.pseudo_addr != RawAddress::kEmpty) {
1964 match = true;
1965 }
1966 }
1967
1968 if (match && smp_cb.state == SMP_STATE_ENCRYPTION_PENDING) {
1969 smp_sm_event(&smp_cb, SMP_ENC_REQ_EVT, NULL);
1970 return true;
1971 }
1972
1973 return false;
1974 }
1975
1976 /*******************************************************************************
1977 *
1978 * Function smp_process_secure_connection_long_term_key
1979 *
1980 * Description This function is called to process SC LTK.
1981 * SC LTK is calculated and used instead of STK.
1982 * Here SC LTK is saved in BLE DB.
1983 *
1984 * Returns void
1985 *
1986 ******************************************************************************/
smp_process_secure_connection_long_term_key(void)1987 void smp_process_secure_connection_long_term_key(void) {
1988 tSMP_CB* p_cb = &smp_cb;
1989
1990 SMP_TRACE_DEBUG("%s", __func__);
1991 smp_save_secure_connections_long_term_key(p_cb);
1992
1993 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, false);
1994 smp_key_distribution(p_cb, NULL);
1995 }
1996
1997 /*******************************************************************************
1998 *
1999 * Function smp_set_derive_link_key
2000 *
2001 * Description This function is called to set flag that indicates that
2002 * BR/EDR LK has to be derived from LTK after all keys are
2003 * distributed.
2004 *
2005 * Returns void
2006 *
2007 ******************************************************************************/
smp_set_derive_link_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2008 void smp_set_derive_link_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
2009 SMP_TRACE_DEBUG("%s", __func__);
2010 p_cb->derive_lk = true;
2011 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_LK, false);
2012 smp_key_distribution(p_cb, NULL);
2013 }
2014
2015 /*******************************************************************************
2016 *
2017 * Function smp_derive_link_key_from_long_term_key
2018 *
2019 * Description This function is called to derive BR/EDR LK from LTK.
2020 *
2021 * Returns void
2022 *
2023 ******************************************************************************/
smp_derive_link_key_from_long_term_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2024 void smp_derive_link_key_from_long_term_key(tSMP_CB* p_cb,
2025 tSMP_INT_DATA* p_data) {
2026 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN;
2027
2028 SMP_TRACE_DEBUG("%s", __func__);
2029 if (!smp_calculate_link_key_from_long_term_key(p_cb)) {
2030 SMP_TRACE_ERROR("%s failed", __func__);
2031 tSMP_INT_DATA smp_int_data;
2032 smp_int_data.status = status;
2033 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
2034 return;
2035 }
2036 }
2037
2038 /*******************************************************************************
2039 *
2040 * Function smp_br_process_link_key
2041 *
2042 * Description This function is called to process BR/EDR LK:
2043 * - to derive SMP LTK from BR/EDR LK;
2044 * - to save SMP LTK.
2045 *
2046 * Returns void
2047 *
2048 ******************************************************************************/
smp_br_process_link_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2049 void smp_br_process_link_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
2050 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN;
2051
2052 SMP_TRACE_DEBUG("%s", __func__);
2053 if (!smp_calculate_long_term_key_from_link_key(p_cb)) {
2054 SMP_TRACE_ERROR("%s: failed", __func__);
2055 tSMP_INT_DATA smp_int_data;
2056 smp_int_data.status = status;
2057 smp_sm_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
2058 return;
2059 }
2060
2061 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
2062 if (p_dev_rec) {
2063 SMP_TRACE_DEBUG("%s: dev_type = %d ", __func__, p_dev_rec->device_type);
2064 p_dev_rec->device_type |= BT_DEVICE_TYPE_BLE;
2065 } else {
2066 SMP_TRACE_ERROR("%s failed to find Security Record", __func__);
2067 }
2068
2069 SMP_TRACE_DEBUG("%s: LTK derivation from LK successfully completed",
2070 __func__);
2071 smp_save_secure_connections_long_term_key(p_cb);
2072 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, false);
2073 smp_br_select_next_key(p_cb, NULL);
2074 }
2075
2076 /*******************************************************************************
2077 * Function smp_key_distribution_by_transport
2078 * Description depending on the transport used at the moment calls either
2079 * smp_key_distribution(...) or smp_br_key_distribution(...).
2080 ******************************************************************************/
smp_key_distribution_by_transport(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2081 void smp_key_distribution_by_transport(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
2082 SMP_TRACE_DEBUG("%s", __func__);
2083 if (p_cb->smp_over_br) {
2084 smp_br_select_next_key(p_cb, NULL);
2085 } else {
2086 smp_key_distribution(p_cb, NULL);
2087 }
2088 }
2089
2090 /*******************************************************************************
2091 * Function smp_br_pairing_complete
2092 * Description This function is called to send the pairing complete
2093 * callback and remove the connection if needed.
2094 ******************************************************************************/
smp_br_pairing_complete(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2095 void smp_br_pairing_complete(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
2096 SMP_TRACE_DEBUG("%s", __func__);
2097
2098 if (p_cb->total_tx_unacked == 0) {
2099 /* process the pairing complete */
2100 smp_proc_pairing_cmpl(p_cb);
2101 }
2102 }
2103