1 /******************************************************************************
2 *
3 * Copyright 2003-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 #define LOG_TAG "smp_act"
20
21 #include <string.h>
22 #include "btif_api.h"
23 #include "btif_common.h"
24 #include "btif_storage.h"
25 #include "device/include/interop.h"
26 #include "internal_include/bt_target.h"
27 #include "main/shim/shim.h"
28 #include "osi/include/log.h"
29 #include "stack/btm/btm_dev.h"
30 #include "stack/btm/btm_sec.h"
31 #include "stack/include/acl_api.h"
32 #include "stack/include/l2c_api.h"
33 #include "stack/include/smp_api_types.h"
34 #include "stack/smp/p_256_ecc_pp.h"
35 #include "stack/smp/smp_int.h"
36 #include "types/raw_address.h"
37
38 extern tBTM_CB btm_cb;
39
40 #define SMP_KEY_DIST_TYPE_MAX 4
41
42 const tSMP_ACT smp_distribute_act[] = {
43 smp_generate_ltk, /* SMP_SEC_KEY_TYPE_ENC - '1' bit index */
44 smp_send_id_info, /* SMP_SEC_KEY_TYPE_ID - '1' bit index */
45 smp_generate_csrk, /* SMP_SEC_KEY_TYPE_CSRK - '1' bit index */
46 smp_set_derive_link_key /* SMP_SEC_KEY_TYPE_LK - '1' bit index */
47 };
48
pts_test_send_authentication_complete_failure(tSMP_CB * p_cb)49 static bool pts_test_send_authentication_complete_failure(tSMP_CB* p_cb) {
50 tSMP_STATUS reason = p_cb->cert_failure;
51 if (reason == SMP_PAIR_AUTH_FAIL || reason == SMP_PAIR_FAIL_UNKNOWN ||
52 reason == SMP_PAIR_NOT_SUPPORT || reason == SMP_PASSKEY_ENTRY_FAIL ||
53 reason == SMP_REPEATED_ATTEMPTS) {
54 tSMP_INT_DATA smp_int_data;
55 smp_int_data.status = reason;
56 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
57 return true;
58 }
59 return false;
60 }
61
62 /*******************************************************************************
63 * Function smp_update_key_mask
64 * Description This function updates the key mask for sending or receiving.
65 ******************************************************************************/
smp_update_key_mask(tSMP_CB * p_cb,uint8_t key_type,bool recv)66 static void smp_update_key_mask(tSMP_CB* p_cb, uint8_t key_type, bool recv) {
67 SMP_TRACE_DEBUG(
68 "%s before update role=%d recv=%d local_i_key = %02x, local_r_key = %02x",
69 __func__, p_cb->role, recv, p_cb->local_i_key, p_cb->local_r_key);
70
71 if (((p_cb->le_secure_connections_mode_is_used) || (p_cb->smp_over_br)) &&
72 ((key_type == SMP_SEC_KEY_TYPE_ENC) ||
73 (key_type == SMP_SEC_KEY_TYPE_LK))) {
74 /* in LE SC mode LTK, CSRK and BR/EDR LK are derived locally instead of
75 ** being exchanged with the peer */
76 p_cb->local_i_key &= ~key_type;
77 p_cb->local_r_key &= ~key_type;
78 } else if (p_cb->role == HCI_ROLE_PERIPHERAL) {
79 if (recv)
80 p_cb->local_i_key &= ~key_type;
81 else
82 p_cb->local_r_key &= ~key_type;
83 } else {
84 if (recv)
85 p_cb->local_r_key &= ~key_type;
86 else
87 p_cb->local_i_key &= ~key_type;
88 }
89
90 SMP_TRACE_DEBUG("updated local_i_key = %02x, local_r_key = %02x",
91 p_cb->local_i_key, p_cb->local_r_key);
92 }
93
94 /*******************************************************************************
95 * Function smp_send_app_cback
96 * Description notifies application about the events the application is
97 * interested in
98 ******************************************************************************/
smp_send_app_cback(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)99 void smp_send_app_cback(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
100 tSMP_EVT_DATA cb_data;
101 tBTM_STATUS callback_rc;
102 uint8_t remote_lmp_version = 0;
103 if (p_cb->p_callback && p_cb->cb_evt != 0) {
104 switch (p_cb->cb_evt) {
105 case SMP_IO_CAP_REQ_EVT:
106 cb_data.io_req.auth_req = p_cb->peer_auth_req;
107 cb_data.io_req.oob_data = SMP_OOB_NONE;
108 cb_data.io_req.io_cap = btif_storage_get_local_io_caps_ble();
109 cb_data.io_req.max_key_size = SMP_MAX_ENC_KEY_SIZE;
110 cb_data.io_req.init_keys = p_cb->local_i_key;
111 cb_data.io_req.resp_keys = p_cb->local_r_key;
112 LOG_DEBUG("Notify app io_cap = %hhu", cb_data.io_req.io_cap);
113 break;
114
115 case SMP_NC_REQ_EVT:
116 cb_data.passkey = p_data->passkey;
117 break;
118 case SMP_SC_OOB_REQ_EVT:
119 cb_data.req_oob_type = p_data->req_oob_type;
120 break;
121 case SMP_SC_LOC_OOB_DATA_UP_EVT:
122 cb_data.loc_oob_data = p_cb->sc_oob_data.loc_oob_data;
123 break;
124
125 case SMP_BR_KEYS_REQ_EVT:
126 cb_data.io_req.auth_req = 0;
127 cb_data.io_req.oob_data = SMP_OOB_NONE;
128 cb_data.io_req.io_cap = 0;
129 cb_data.io_req.max_key_size = SMP_MAX_ENC_KEY_SIZE;
130 cb_data.io_req.init_keys = SMP_BR_SEC_DEFAULT_KEY;
131 cb_data.io_req.resp_keys = SMP_BR_SEC_DEFAULT_KEY;
132 break;
133
134 default:
135 LOG_ERROR("Unexpected event:%hhu", p_cb->cb_evt);
136 break;
137 }
138
139 callback_rc =
140 (*p_cb->p_callback)(p_cb->cb_evt, p_cb->pairing_bda, &cb_data);
141
142 if (callback_rc == BTM_SUCCESS) {
143 switch (p_cb->cb_evt) {
144 case SMP_IO_CAP_REQ_EVT:
145 p_cb->loc_auth_req = cb_data.io_req.auth_req;
146 p_cb->local_io_capability = cb_data.io_req.io_cap;
147 p_cb->loc_oob_flag = cb_data.io_req.oob_data;
148 p_cb->loc_enc_size = cb_data.io_req.max_key_size;
149 p_cb->local_i_key = cb_data.io_req.init_keys;
150 p_cb->local_r_key = cb_data.io_req.resp_keys;
151
152 if (!(p_cb->loc_auth_req & SMP_AUTH_BOND)) {
153 LOG_INFO("Non bonding: No keys will be exchanged");
154 p_cb->local_i_key = 0;
155 p_cb->local_r_key = 0;
156 }
157
158 LOG_DEBUG(
159 "Remote request IO capabilities precondition auth_req: 0x%02x,"
160 " io_cap: %d loc_oob_flag: %d loc_enc_size: %d, "
161 "local_i_key: 0x%02x, local_r_key: 0x%02x",
162 p_cb->loc_auth_req, p_cb->local_io_capability, p_cb->loc_oob_flag,
163 p_cb->loc_enc_size, p_cb->local_i_key, p_cb->local_r_key);
164
165 p_cb->secure_connections_only_mode_required =
166 (btm_cb.security_mode == BTM_SEC_MODE_SC) ? true : false;
167 /* just for PTS, force SC bit */
168 if (p_cb->secure_connections_only_mode_required) {
169 p_cb->loc_auth_req |= SMP_SC_SUPPORT_BIT;
170 }
171
172 if (!BTM_ReadRemoteVersion(p_cb->pairing_bda, &remote_lmp_version,
173 nullptr, nullptr)) {
174 LOG_WARN(
175 "SMP Unable to determine remote security authentication "
176 "remote_lmp_version:%hu",
177 remote_lmp_version);
178 }
179
180 if (!bluetooth::shim::is_gd_acl_enabled()) {
181 if (!p_cb->secure_connections_only_mode_required &&
182 (!(p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) ||
183 remote_lmp_version < HCI_PROTO_VERSION_4_2 ||
184 interop_match_addr(INTEROP_DISABLE_LE_SECURE_CONNECTIONS,
185 (const RawAddress*)&p_cb->pairing_bda))) {
186 p_cb->loc_auth_req &= ~SMP_SC_SUPPORT_BIT;
187 p_cb->loc_auth_req &= ~SMP_KP_SUPPORT_BIT;
188 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
189 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
190 }
191
192 if (remote_lmp_version < HCI_PROTO_VERSION_5_0) {
193 p_cb->loc_auth_req &= ~SMP_H7_SUPPORT_BIT;
194 }
195 }
196
197 LOG_DEBUG(
198 "Remote request IO capabilities postcondition auth_req: 0x%02x,"
199 " local_i_key: 0x%02x, local_r_key: 0x%02x",
200 p_cb->loc_auth_req, p_cb->local_i_key, p_cb->local_r_key);
201
202 smp_sm_event(p_cb, SMP_IO_RSP_EVT, NULL);
203 break;
204
205 case SMP_BR_KEYS_REQ_EVT:
206 p_cb->loc_enc_size = cb_data.io_req.max_key_size;
207 p_cb->local_i_key = cb_data.io_req.init_keys;
208 p_cb->local_r_key = cb_data.io_req.resp_keys;
209 p_cb->loc_auth_req |= SMP_H7_SUPPORT_BIT;
210
211 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
212 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
213
214 LOG_DEBUG(
215 "for SMP over BR max_key_size: 0x%02x, local_i_key: 0x%02x, "
216 "local_r_key: 0x%02x, p_cb->loc_auth_req: 0x%02x",
217 p_cb->loc_enc_size, p_cb->local_i_key, p_cb->local_r_key,
218 p_cb->loc_auth_req);
219
220 smp_br_state_machine_event(p_cb, SMP_BR_KEYS_RSP_EVT, NULL);
221 break;
222
223 // Expected, but nothing to do
224 case SMP_SC_LOC_OOB_DATA_UP_EVT:
225 break;
226
227 default:
228 LOG_ERROR("Unexpected event: %hhu", p_cb->cb_evt);
229 }
230 }
231 }
232
233 if (!p_cb->cb_evt && p_cb->discard_sec_req) {
234 p_cb->discard_sec_req = false;
235 smp_sm_event(p_cb, SMP_DISCARD_SEC_REQ_EVT, NULL);
236 }
237 }
238
239 /*******************************************************************************
240 * Function smp_send_pair_fail
241 * Description pairing failure to peer device if needed.
242 ******************************************************************************/
smp_send_pair_fail(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)243 void smp_send_pair_fail(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
244 p_cb->status = p_data->status;
245 p_cb->failure = p_data->status;
246
247 SMP_TRACE_DEBUG("%s: status=%d failure=%d ", __func__, p_cb->status,
248 p_cb->failure);
249
250 if (p_cb->status <= SMP_MAX_FAIL_RSN_PER_SPEC &&
251 p_cb->status != SMP_SUCCESS) {
252 smp_send_cmd(SMP_OPCODE_PAIRING_FAILED, p_cb);
253 p_cb->wait_for_authorization_complete = true;
254 }
255 }
256
257 /*******************************************************************************
258 * Function smp_send_pair_req
259 * Description actions related to sending pairing request
260 ******************************************************************************/
smp_send_pair_req(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)261 void smp_send_pair_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
262 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
263 SMP_TRACE_DEBUG("%s", __func__);
264
265 /* erase all keys when central sends pairing req*/
266 if (p_dev_rec) btm_sec_clear_ble_keys(p_dev_rec);
267 /* do not manipulate the key, let app decide,
268 leave out to BTM to mandate key distribution for bonding case */
269 smp_send_cmd(SMP_OPCODE_PAIRING_REQ, p_cb);
270 }
271
272 /*******************************************************************************
273 * Function smp_send_pair_rsp
274 * Description actions related to sending pairing response
275 ******************************************************************************/
smp_send_pair_rsp(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)276 void smp_send_pair_rsp(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
277 SMP_TRACE_DEBUG("%s", __func__);
278
279 p_cb->local_i_key &= p_cb->peer_i_key;
280 p_cb->local_r_key &= p_cb->peer_r_key;
281
282 if (smp_send_cmd(SMP_OPCODE_PAIRING_RSP, p_cb)) {
283 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB)
284 smp_use_oob_private_key(p_cb, NULL);
285 else
286 smp_decide_association_model(p_cb, NULL);
287 }
288 }
289
290 /*******************************************************************************
291 * Function smp_send_confirm
292 * Description send confirmation to the peer
293 ******************************************************************************/
smp_send_confirm(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)294 void smp_send_confirm(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
295 SMP_TRACE_DEBUG("%s", __func__);
296 smp_send_cmd(SMP_OPCODE_CONFIRM, p_cb);
297 }
298
299 /*******************************************************************************
300 * Function smp_send_init
301 * Description process pairing initializer to peripheral device
302 ******************************************************************************/
smp_send_init(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)303 void smp_send_init(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
304 SMP_TRACE_DEBUG("%s", __func__);
305 smp_send_cmd(SMP_OPCODE_INIT, p_cb);
306 }
307
308 /*******************************************************************************
309 * Function smp_send_rand
310 * Description send pairing random to the peer
311 ******************************************************************************/
smp_send_rand(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)312 void smp_send_rand(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
313 SMP_TRACE_DEBUG("%s", __func__);
314 smp_send_cmd(SMP_OPCODE_RAND, p_cb);
315 }
316
317 /*******************************************************************************
318 * Function smp_send_pair_public_key
319 * Description send pairing public key command to the peer
320 ******************************************************************************/
smp_send_pair_public_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)321 void smp_send_pair_public_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
322 SMP_TRACE_DEBUG("%s", __func__);
323 smp_send_cmd(SMP_OPCODE_PAIR_PUBLIC_KEY, p_cb);
324 }
325
326 /*******************************************************************************
327 * Function SMP_SEND_COMMITMENT
328 * Description send commitment command to the peer
329 ******************************************************************************/
smp_send_commitment(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)330 void smp_send_commitment(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
331 SMP_TRACE_DEBUG("%s", __func__);
332 smp_send_cmd(SMP_OPCODE_PAIR_COMMITM, p_cb);
333 }
334
335 /*******************************************************************************
336 * Function smp_send_dhkey_check
337 * Description send DHKey Check command to the peer
338 ******************************************************************************/
smp_send_dhkey_check(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)339 void smp_send_dhkey_check(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
340 SMP_TRACE_DEBUG("%s", __func__);
341 smp_send_cmd(SMP_OPCODE_PAIR_DHKEY_CHECK, p_cb);
342 }
343
344 /*******************************************************************************
345 * Function smp_send_keypress_notification
346 * Description send Keypress Notification command to the peer
347 ******************************************************************************/
smp_send_keypress_notification(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)348 void smp_send_keypress_notification(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
349 p_cb->local_keypress_notification = p_data->status;
350 smp_send_cmd(SMP_OPCODE_PAIR_KEYPR_NOTIF, p_cb);
351 }
352
353 /*******************************************************************************
354 * Function smp_send_enc_info
355 * Description send encryption information command.
356 ******************************************************************************/
smp_send_enc_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)357 void smp_send_enc_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
358 tBTM_LE_KEY_VALUE le_key;
359
360 SMP_TRACE_DEBUG("%s: p_cb->loc_enc_size = %d", __func__, p_cb->loc_enc_size);
361 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, false);
362
363 smp_send_cmd(SMP_OPCODE_ENCRYPT_INFO, p_cb);
364 smp_send_cmd(SMP_OPCODE_CENTRAL_ID, p_cb);
365
366 /* save the DIV and key size information when acting as peripheral device */
367 le_key.lenc_key.ltk = p_cb->ltk;
368 le_key.lenc_key.div = p_cb->div;
369 le_key.lenc_key.key_size = p_cb->loc_enc_size;
370 le_key.lenc_key.sec_level = p_cb->sec_level;
371
372 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
373 (p_cb->loc_auth_req & SMP_AUTH_BOND))
374 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC, &le_key, true);
375
376 SMP_TRACE_WARNING("%s", __func__);
377
378 smp_key_distribution(p_cb, NULL);
379 }
380
381 /*******************************************************************************
382 * Function smp_send_id_info
383 * Description send ID information command.
384 ******************************************************************************/
smp_send_id_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)385 void smp_send_id_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
386 tBTM_LE_KEY_VALUE le_key;
387 SMP_TRACE_DEBUG("%s", __func__);
388 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ID, false);
389
390 smp_send_cmd(SMP_OPCODE_IDENTITY_INFO, p_cb);
391 smp_send_cmd(SMP_OPCODE_ID_ADDR, p_cb);
392
393 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
394 (p_cb->loc_auth_req & SMP_AUTH_BOND))
395 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LID, &le_key, true);
396
397 smp_key_distribution_by_transport(p_cb, NULL);
398 }
399
400 /** send CSRK command. */
smp_send_csrk_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)401 void smp_send_csrk_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
402 tBTM_LE_KEY_VALUE key;
403 SMP_TRACE_DEBUG("%s", __func__);
404 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_CSRK, false);
405
406 if (smp_send_cmd(SMP_OPCODE_SIGN_INFO, p_cb)) {
407 key.lcsrk_key.div = p_cb->div;
408 key.lcsrk_key.sec_level = p_cb->sec_level;
409 key.lcsrk_key.counter = 0; /* initialize the local counter */
410 key.lcsrk_key.csrk = p_cb->csrk;
411 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LCSRK, &key, true);
412 }
413
414 smp_key_distribution_by_transport(p_cb, NULL);
415 }
416
417 /*******************************************************************************
418 * Function smp_send_ltk_reply
419 * Description send LTK reply
420 ******************************************************************************/
smp_send_ltk_reply(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)421 void smp_send_ltk_reply(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
422 SMP_TRACE_DEBUG("%s", __func__);
423
424 Octet16 stk;
425 memcpy(stk.data(), p_data->key.p_data, stk.size());
426 /* send stk as LTK response */
427 btm_ble_ltk_request_reply(p_cb->pairing_bda, true, stk);
428 }
429
430 /*******************************************************************************
431 * Function smp_proc_sec_req
432 * Description process security request.
433 ******************************************************************************/
smp_proc_sec_req(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)434 void smp_proc_sec_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
435 tBTM_LE_AUTH_REQ auth_req = *(tBTM_LE_AUTH_REQ*)p_data->p_data;
436 tBTM_BLE_SEC_REQ_ACT sec_req_act;
437
438 SMP_TRACE_DEBUG("%s: auth_req=0x%x", __func__, auth_req);
439
440 p_cb->cb_evt = SMP_EVT_NONE;
441
442 btm_ble_link_sec_check(p_cb->pairing_bda, auth_req, &sec_req_act);
443
444 SMP_TRACE_DEBUG("%s: sec_req_act=0x%x", __func__, sec_req_act);
445
446 switch (sec_req_act) {
447 case BTM_BLE_SEC_REQ_ACT_ENCRYPT:
448 SMP_TRACE_DEBUG("%s: BTM_BLE_SEC_REQ_ACT_ENCRYPT", __func__);
449 smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL);
450 break;
451
452 case BTM_BLE_SEC_REQ_ACT_PAIR:
453 p_cb->secure_connections_only_mode_required =
454 (btm_cb.security_mode == BTM_SEC_MODE_SC) ? true : false;
455
456 /* respond to non SC pairing request as failure in SC only mode */
457 if (p_cb->secure_connections_only_mode_required &&
458 (auth_req & SMP_SC_SUPPORT_BIT) == 0) {
459 tSMP_INT_DATA smp_int_data;
460 smp_int_data.status = SMP_PAIR_AUTH_FAIL;
461 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
462 } else {
463 /* initialize local i/r key to be default keys */
464 p_cb->peer_auth_req = auth_req;
465 p_cb->local_r_key = p_cb->local_i_key = SMP_SEC_DEFAULT_KEY;
466 p_cb->cb_evt = SMP_SEC_REQUEST_EVT;
467 }
468 break;
469
470 case BTM_BLE_SEC_REQ_ACT_DISCARD:
471 p_cb->discard_sec_req = true;
472 break;
473
474 default:
475 /* do nothing */
476 break;
477 }
478 }
479
480 /*******************************************************************************
481 * Function smp_proc_sec_grant
482 * Description process security grant.
483 ******************************************************************************/
smp_proc_sec_grant(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)484 void smp_proc_sec_grant(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
485 uint8_t res = p_data->status;
486 SMP_TRACE_DEBUG("%s", __func__);
487 if (res != SMP_SUCCESS) {
488 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, p_data);
489 } else /*otherwise, start pairing */
490 {
491 /* send IO request callback */
492 p_cb->cb_evt = SMP_IO_CAP_REQ_EVT;
493 }
494 }
495
496 /*******************************************************************************
497 * Function smp_proc_pair_fail
498 * Description process pairing failure from peer device
499 ******************************************************************************/
smp_proc_pair_fail(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)500 void smp_proc_pair_fail(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
501 SMP_TRACE_DEBUG("%s", __func__);
502
503 if (p_cb->rcvd_cmd_len < 2) {
504 android_errorWriteLog(0x534e4554, "111214739");
505 SMP_TRACE_WARNING("%s: rcvd_cmd_len %d too short: must be at least 2",
506 __func__, p_cb->rcvd_cmd_len);
507 p_cb->status = SMP_INVALID_PARAMETERS;
508 } else {
509 p_cb->status = p_data->status;
510 }
511
512 /* Cancel pending auth complete timer if set */
513 alarm_cancel(p_cb->delayed_auth_timer_ent);
514 }
515
516 /*******************************************************************************
517 * Function smp_proc_pair_cmd
518 * Description Process the SMP pairing request/response from peer device
519 ******************************************************************************/
smp_proc_pair_cmd(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)520 void smp_proc_pair_cmd(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
521 uint8_t* p = p_data->p_data;
522 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
523
524 SMP_TRACE_DEBUG("%s: pairing_bda=%s", __func__,
525 p_cb->pairing_bda.ToString().c_str());
526
527 /* erase all keys if it is peripheral proc pairing req */
528 if (p_dev_rec && (p_cb->role == HCI_ROLE_PERIPHERAL))
529 btm_sec_clear_ble_keys(p_dev_rec);
530
531 p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR;
532
533 if (smp_command_has_invalid_length(p_cb)) {
534 tSMP_INT_DATA smp_int_data;
535 smp_int_data.status = SMP_INVALID_PARAMETERS;
536 android_errorWriteLog(0x534e4554, "111850706");
537 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
538 return;
539 }
540
541 STREAM_TO_UINT8(p_cb->peer_io_caps, p);
542 STREAM_TO_UINT8(p_cb->peer_oob_flag, p);
543 STREAM_TO_UINT8(p_cb->peer_auth_req, p);
544 STREAM_TO_UINT8(p_cb->peer_enc_size, p);
545 STREAM_TO_UINT8(p_cb->peer_i_key, p);
546 STREAM_TO_UINT8(p_cb->peer_r_key, p);
547
548 if (smp_command_has_invalid_parameters(p_cb)) {
549 tSMP_INT_DATA smp_int_data;
550 smp_int_data.status = SMP_INVALID_PARAMETERS;
551 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
552 return;
553 }
554
555 // PTS Testing failure modes
556 if (pts_test_send_authentication_complete_failure(p_cb)) return;
557
558 if (p_cb->role == HCI_ROLE_PERIPHERAL) {
559 if (!(p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD)) {
560 /* peer (central) started pairing sending Pairing Request */
561 p_cb->local_i_key = p_cb->peer_i_key;
562 p_cb->local_r_key = p_cb->peer_r_key;
563
564 p_cb->cb_evt = SMP_SEC_REQUEST_EVT;
565 } else /* update local i/r key according to pairing request */
566 {
567 /* pairing started with this side (peripheral) sending Security Request */
568 p_cb->local_i_key &= p_cb->peer_i_key;
569 p_cb->local_r_key &= p_cb->peer_r_key;
570 p_cb->selected_association_model = smp_select_association_model(p_cb);
571
572 if (p_cb->secure_connections_only_mode_required &&
573 (!(p_cb->le_secure_connections_mode_is_used) ||
574 (p_cb->selected_association_model ==
575 SMP_MODEL_SEC_CONN_JUSTWORKS))) {
576 SMP_TRACE_ERROR(
577 "%s: pairing failed - peripheral requires secure connection only "
578 "mode",
579 __func__);
580 tSMP_INT_DATA smp_int_data;
581 smp_int_data.status = SMP_PAIR_AUTH_FAIL;
582 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
583 return;
584 }
585
586 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) {
587 if (smp_request_oob_data(p_cb)) return;
588 } else {
589 smp_send_pair_rsp(p_cb, NULL);
590 }
591 }
592 } else /* Central receives pairing response */
593 {
594 p_cb->selected_association_model = smp_select_association_model(p_cb);
595
596 if (p_cb->secure_connections_only_mode_required &&
597 (!(p_cb->le_secure_connections_mode_is_used) ||
598 (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS))) {
599 SMP_TRACE_ERROR(
600 "Central requires secure connection only mode "
601 "but it can't be provided -> Central fails pairing");
602 tSMP_INT_DATA smp_int_data;
603 smp_int_data.status = SMP_PAIR_AUTH_FAIL;
604 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
605 return;
606 }
607
608 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) {
609 if (smp_request_oob_data(p_cb)) return;
610 } else {
611 smp_decide_association_model(p_cb, NULL);
612 }
613 }
614 }
615
616 /** process pairing confirm from peer device */
smp_proc_confirm(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)617 void smp_proc_confirm(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
618 SMP_TRACE_DEBUG("%s", __func__);
619
620 if (smp_command_has_invalid_parameters(p_cb)) {
621 tSMP_INT_DATA smp_int_data;
622 smp_int_data.status = SMP_INVALID_PARAMETERS;
623 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
624 return;
625 }
626
627 if (p_data) {
628 uint8_t* p = p_data->p_data;
629 if (p != NULL) {
630 /* save the SConfirm for comparison later */
631 STREAM_TO_ARRAY(p_cb->rconfirm.data(), p, OCTET16_LEN);
632 }
633 }
634
635 p_cb->flags |= SMP_PAIR_FLAGS_CMD_CONFIRM;
636 }
637
638 /** process pairing initializer from peer device */
smp_proc_init(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)639 void smp_proc_init(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
640 uint8_t* p = p_data->p_data;
641
642 SMP_TRACE_DEBUG("%s", __func__);
643
644 if (smp_command_has_invalid_parameters(p_cb)) {
645 tSMP_INT_DATA smp_int_data;
646 smp_int_data.status = SMP_INVALID_PARAMETERS;
647 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
648 return;
649 }
650
651 /* save the SRand for comparison */
652 STREAM_TO_ARRAY(p_cb->rrand.data(), p, OCTET16_LEN);
653 }
654
655 /*******************************************************************************
656 * Function smp_proc_rand
657 * Description process pairing random (nonce) from peer device
658 ******************************************************************************/
smp_proc_rand(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)659 void smp_proc_rand(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
660 uint8_t* p = p_data->p_data;
661
662 SMP_TRACE_DEBUG("%s", __func__);
663
664 if (smp_command_has_invalid_parameters(p_cb)) {
665 tSMP_INT_DATA smp_int_data;
666 smp_int_data.status = SMP_INVALID_PARAMETERS;
667 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
668 return;
669 }
670
671 /* save the SRand for comparison */
672 STREAM_TO_ARRAY(p_cb->rrand.data(), p, OCTET16_LEN);
673 }
674
675 /*******************************************************************************
676 * Function smp_process_pairing_public_key
677 * Description process pairing public key command from the peer device
678 * - saves the peer public key;
679 * - sets the flag indicating that the peer public key is received;
680 * - calls smp_wait_for_both_public_keys(...).
681 *
682 ******************************************************************************/
smp_process_pairing_public_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)683 void smp_process_pairing_public_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
684 uint8_t* p = p_data->p_data;
685
686 SMP_TRACE_DEBUG("%s", __func__);
687
688 if (smp_command_has_invalid_parameters(p_cb)) {
689 tSMP_INT_DATA smp_int_data;
690 smp_int_data.status = SMP_INVALID_PARAMETERS;
691 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
692 return;
693 }
694
695 STREAM_TO_ARRAY(p_cb->peer_publ_key.x, p, BT_OCTET32_LEN);
696 STREAM_TO_ARRAY(p_cb->peer_publ_key.y, p, BT_OCTET32_LEN);
697
698 Point pt;
699 memcpy(pt.x, p_cb->peer_publ_key.x, BT_OCTET32_LEN);
700 memcpy(pt.y, p_cb->peer_publ_key.y, BT_OCTET32_LEN);
701
702 if (!memcmp(p_cb->peer_publ_key.x, p_cb->loc_publ_key.x, BT_OCTET32_LEN)) {
703 android_errorWriteLog(0x534e4554, "174886838");
704 SMP_TRACE_WARNING("Remote and local public keys can't match");
705 tSMP_INT_DATA smp;
706 smp.status = SMP_PAIR_AUTH_FAIL;
707 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp);
708 return;
709 }
710
711 if (!ECC_ValidatePoint(pt)) {
712 android_errorWriteLog(0x534e4554, "72377774");
713 tSMP_INT_DATA smp;
714 smp.status = SMP_PAIR_AUTH_FAIL;
715 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp);
716 return;
717 }
718
719 p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_PUBL_KEY;
720
721 smp_wait_for_both_public_keys(p_cb, NULL);
722 }
723
724 /*******************************************************************************
725 * Function smp_process_pairing_commitment
726 * Description process pairing commitment from peer device
727 ******************************************************************************/
smp_process_pairing_commitment(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)728 void smp_process_pairing_commitment(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
729 uint8_t* p = p_data->p_data;
730
731 SMP_TRACE_DEBUG("%s", __func__);
732
733 if (smp_command_has_invalid_parameters(p_cb)) {
734 tSMP_INT_DATA smp_int_data;
735 smp_int_data.status = SMP_INVALID_PARAMETERS;
736 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
737 return;
738 }
739
740 p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_COMM;
741
742 if (p != NULL) {
743 STREAM_TO_ARRAY(p_cb->remote_commitment.data(), p, OCTET16_LEN);
744 }
745 }
746
747 /*******************************************************************************
748 * Function smp_process_dhkey_check
749 * Description process DHKey Check from peer device
750 ******************************************************************************/
smp_process_dhkey_check(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)751 void smp_process_dhkey_check(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
752 uint8_t* p = p_data->p_data;
753
754 SMP_TRACE_DEBUG("%s", __func__);
755
756 if (smp_command_has_invalid_parameters(p_cb)) {
757 tSMP_INT_DATA smp_int_data;
758 smp_int_data.status = SMP_INVALID_PARAMETERS;
759 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
760 return;
761 }
762
763 if (p != NULL) {
764 STREAM_TO_ARRAY(p_cb->remote_dhkey_check.data(), p, OCTET16_LEN);
765 }
766
767 p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_DHK_CHK;
768 }
769
770 /*******************************************************************************
771 * Function smp_process_keypress_notification
772 * Description process pairing keypress notification from peer device
773 ******************************************************************************/
smp_process_keypress_notification(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)774 void smp_process_keypress_notification(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
775 uint8_t* p = p_data->p_data;
776
777 SMP_TRACE_DEBUG("%s", __func__);
778 p_cb->status = p_data->status;
779
780 if (smp_command_has_invalid_parameters(p_cb)) {
781 tSMP_INT_DATA smp_int_data;
782 smp_int_data.status = SMP_INVALID_PARAMETERS;
783 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
784 return;
785 }
786
787 if (p != NULL) {
788 STREAM_TO_UINT8(p_cb->peer_keypress_notification, p);
789 } else {
790 p_cb->peer_keypress_notification = SMP_SC_KEY_OUT_OF_RANGE;
791 }
792 p_cb->cb_evt = SMP_PEER_KEYPR_NOT_EVT;
793 }
794
795 /*******************************************************************************
796 * Function smp_br_process_pairing_command
797 * Description Process the SMP pairing request/response from peer device via
798 * BR/EDR transport.
799 ******************************************************************************/
smp_br_process_pairing_command(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)800 void smp_br_process_pairing_command(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
801 uint8_t* p = p_data->p_data;
802 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
803
804 SMP_TRACE_DEBUG("%s", __func__);
805 /* rejecting BR pairing request over non-SC BR link */
806 if (!p_dev_rec->new_encryption_key_is_p256 &&
807 p_cb->role == HCI_ROLE_PERIPHERAL) {
808 tSMP_INT_DATA smp_int_data;
809 smp_int_data.status = SMP_XTRANS_DERIVE_NOT_ALLOW;
810 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
811 return;
812 }
813
814 /* erase all keys if it is peripheral proc pairing req*/
815 if (p_dev_rec && (p_cb->role == HCI_ROLE_PERIPHERAL))
816 btm_sec_clear_ble_keys(p_dev_rec);
817
818 p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR;
819
820 if (smp_command_has_invalid_length(p_cb)) {
821 tSMP_INT_DATA smp_int_data;
822 smp_int_data.status = SMP_INVALID_PARAMETERS;
823 android_errorWriteLog(0x534e4554, "111213909");
824 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
825 return;
826 }
827
828 STREAM_TO_UINT8(p_cb->peer_io_caps, p);
829 STREAM_TO_UINT8(p_cb->peer_oob_flag, p);
830 STREAM_TO_UINT8(p_cb->peer_auth_req, p);
831 STREAM_TO_UINT8(p_cb->peer_enc_size, p);
832 STREAM_TO_UINT8(p_cb->peer_i_key, p);
833 STREAM_TO_UINT8(p_cb->peer_r_key, p);
834
835 if (smp_command_has_invalid_parameters(p_cb)) {
836 tSMP_INT_DATA smp_int_data;
837 smp_int_data.status = SMP_INVALID_PARAMETERS;
838 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
839 return;
840 }
841
842 /* peer (central) started pairing sending Pairing Request */
843 /* or being central device always use received i/r key as keys to distribute
844 */
845 p_cb->local_i_key = p_cb->peer_i_key;
846 p_cb->local_r_key = p_cb->peer_r_key;
847
848 if (p_cb->role == HCI_ROLE_PERIPHERAL) {
849 p_dev_rec->new_encryption_key_is_p256 = false;
850 /* shortcut to skip Security Grant step */
851 p_cb->cb_evt = SMP_BR_KEYS_REQ_EVT;
852 } else {
853 /* Central receives pairing response */
854 SMP_TRACE_DEBUG(
855 "%s central rcvs valid PAIRING RESPONSE."
856 " Supposed to move to key distribution phase. ",
857 __func__);
858 }
859
860 /* auth_req received via BR/EDR SM channel is set to 0,
861 but everything derived/exchanged has to be saved */
862 p_cb->peer_auth_req |= SMP_AUTH_BOND;
863 p_cb->loc_auth_req |= SMP_AUTH_BOND;
864 }
865
866 /*******************************************************************************
867 * Function smp_br_process_security_grant
868 * Description process security grant in case of pairing over BR/EDR transport.
869 ******************************************************************************/
smp_br_process_security_grant(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)870 void smp_br_process_security_grant(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
871 SMP_TRACE_DEBUG("%s", __func__);
872 if (p_data->status != SMP_SUCCESS) {
873 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, p_data);
874 } else {
875 /* otherwise, start pairing; send IO request callback */
876 p_cb->cb_evt = SMP_BR_KEYS_REQ_EVT;
877 }
878 }
879
880 /*******************************************************************************
881 * Function smp_br_check_authorization_request
882 * Description sets the SMP kes to be derived/distribute over BR/EDR transport
883 * before starting the distribution/derivation
884 ******************************************************************************/
smp_br_check_authorization_request(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)885 void smp_br_check_authorization_request(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
886 SMP_TRACE_DEBUG("%s rcvs i_keys=0x%x r_keys=0x%x (i-initiator r-responder)",
887 __func__, p_cb->local_i_key, p_cb->local_r_key);
888
889 /* In LE SC mode LK field is ignored when BR/EDR transport is used */
890 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
891 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
892
893 /* In LE SC mode only IRK, IAI, CSRK are exchanged with the peer.
894 ** Set local_r_key on central to expect only these keys. */
895 if (p_cb->role == HCI_ROLE_CENTRAL) {
896 p_cb->local_r_key &= (SMP_SEC_KEY_TYPE_ID | SMP_SEC_KEY_TYPE_CSRK);
897 }
898
899 /* Check if H7 function needs to be used for key derivation*/
900 if ((p_cb->loc_auth_req & SMP_H7_SUPPORT_BIT) &&
901 (p_cb->peer_auth_req & SMP_H7_SUPPORT_BIT)) {
902 p_cb->key_derivation_h7_used = TRUE;
903 }
904 SMP_TRACE_DEBUG("%s: use h7 = %d", __func__, p_cb->key_derivation_h7_used);
905
906 SMP_TRACE_DEBUG(
907 "%s rcvs upgrades: i_keys=0x%x r_keys=0x%x (i-initiator r-responder)",
908 __func__, p_cb->local_i_key, p_cb->local_r_key);
909
910 if (/*((p_cb->peer_auth_req & SMP_AUTH_BOND) ||
911 (p_cb->loc_auth_req & SMP_AUTH_BOND)) &&*/
912 (p_cb->local_i_key || p_cb->local_r_key)) {
913 smp_br_state_machine_event(p_cb, SMP_BR_BOND_REQ_EVT, NULL);
914
915 /* if no peer key is expected, start central key distribution */
916 if (p_cb->role == HCI_ROLE_CENTRAL && p_cb->local_r_key == 0)
917 smp_key_distribution_by_transport(p_cb, NULL);
918 } else {
919 tSMP_INT_DATA smp_int_data;
920 smp_int_data.status = SMP_SUCCESS;
921 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
922 }
923 }
924
925 /*******************************************************************************
926 * Function smp_br_select_next_key
927 * Description selects the next key to derive/send when BR/EDR transport is
928 * used.
929 ******************************************************************************/
smp_br_select_next_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)930 void smp_br_select_next_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
931 SMP_TRACE_DEBUG("%s role=%d (0-central) r_keys=0x%x i_keys=0x%x", __func__,
932 p_cb->role, p_cb->local_r_key, p_cb->local_i_key);
933
934 if (p_cb->role == HCI_ROLE_PERIPHERAL ||
935 (!p_cb->local_r_key && p_cb->role == HCI_ROLE_CENTRAL)) {
936 smp_key_pick_key(p_cb, p_data);
937 }
938
939 if (!p_cb->local_i_key && !p_cb->local_r_key) {
940 /* state check to prevent re-entrance */
941 if (smp_get_br_state() == SMP_BR_STATE_BOND_PENDING) {
942 if (p_cb->total_tx_unacked == 0) {
943 tSMP_INT_DATA smp_int_data;
944 smp_int_data.status = SMP_SUCCESS;
945 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
946 } else {
947 p_cb->wait_for_authorization_complete = true;
948 }
949 }
950 }
951 }
952
953 /** process encryption information from peer device */
smp_proc_enc_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)954 void smp_proc_enc_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
955 uint8_t* p = p_data->p_data;
956
957 SMP_TRACE_DEBUG("%s", __func__);
958
959 if (smp_command_has_invalid_parameters(p_cb)) {
960 tSMP_INT_DATA smp_int_data;
961 smp_int_data.status = SMP_INVALID_PARAMETERS;
962 android_errorWriteLog(0x534e4554, "111937065");
963 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
964 return;
965 }
966
967 STREAM_TO_ARRAY(p_cb->ltk.data(), p, OCTET16_LEN);
968
969 smp_key_distribution(p_cb, NULL);
970 }
971
972 /** process central ID from peripheral device */
smp_proc_central_id(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)973 void smp_proc_central_id(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
974 uint8_t* p = p_data->p_data;
975 tBTM_LE_KEY_VALUE le_key;
976
977 SMP_TRACE_DEBUG("%s", __func__);
978
979 if (p_cb->rcvd_cmd_len < 11) { // 1(Code) + 2(EDIV) + 8(Rand)
980 android_errorWriteLog(0x534e4554, "111937027");
981 SMP_TRACE_ERROR("%s: Invalid command length: %d, should be at least 11",
982 __func__, p_cb->rcvd_cmd_len);
983 return;
984 }
985
986 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, true);
987
988 STREAM_TO_UINT16(le_key.penc_key.ediv, p);
989 STREAM_TO_ARRAY(le_key.penc_key.rand, p, BT_OCTET8_LEN);
990
991 /* store the encryption keys from peer device */
992 le_key.penc_key.ltk = p_cb->ltk;
993 le_key.penc_key.sec_level = p_cb->sec_level;
994 le_key.penc_key.key_size = p_cb->loc_enc_size;
995
996 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
997 (p_cb->loc_auth_req & SMP_AUTH_BOND))
998 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC, &le_key, true);
999
1000 smp_key_distribution(p_cb, NULL);
1001 }
1002
1003 /** process identity information from peer device */
smp_proc_id_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1004 void smp_proc_id_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1005 uint8_t* p = p_data->p_data;
1006
1007 SMP_TRACE_DEBUG("%s", __func__);
1008
1009 if (smp_command_has_invalid_parameters(p_cb)) {
1010 tSMP_INT_DATA smp_int_data;
1011 smp_int_data.status = SMP_INVALID_PARAMETERS;
1012 android_errorWriteLog(0x534e4554, "111937065");
1013 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1014 return;
1015 }
1016
1017 STREAM_TO_ARRAY(p_cb->tk.data(), p, OCTET16_LEN); /* reuse TK for IRK */
1018 smp_key_distribution_by_transport(p_cb, NULL);
1019 }
1020
1021 /** process identity address from peer device */
smp_proc_id_addr(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1022 void smp_proc_id_addr(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1023 uint8_t* p = p_data->p_data;
1024 tBTM_LE_KEY_VALUE pid_key;
1025
1026 SMP_TRACE_DEBUG("%s", __func__);
1027
1028 if (smp_command_has_invalid_parameters(p_cb)) {
1029 tSMP_INT_DATA smp_int_data;
1030 smp_int_data.status = SMP_INVALID_PARAMETERS;
1031 android_errorWriteLog(0x534e4554, "111214770");
1032 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1033 return;
1034 }
1035
1036 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ID, true);
1037
1038 STREAM_TO_UINT8(pid_key.pid_key.identity_addr_type, p);
1039 STREAM_TO_BDADDR(pid_key.pid_key.identity_addr, p);
1040 pid_key.pid_key.irk = p_cb->tk;
1041
1042 /* to use as BD_ADDR for lk derived from ltk */
1043 p_cb->id_addr_rcvd = true;
1044 p_cb->id_addr_type = pid_key.pid_key.identity_addr_type;
1045 p_cb->id_addr = pid_key.pid_key.identity_addr;
1046
1047 /* store the ID key from peer device */
1048 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
1049 (p_cb->loc_auth_req & SMP_AUTH_BOND))
1050 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PID, &pid_key, true);
1051 smp_key_distribution_by_transport(p_cb, NULL);
1052 }
1053
1054 /* process security information from peer device */
smp_proc_srk_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1055 void smp_proc_srk_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1056 tBTM_LE_KEY_VALUE le_key;
1057
1058 SMP_TRACE_DEBUG("%s", __func__);
1059
1060 if (smp_command_has_invalid_parameters(p_cb)) {
1061 tSMP_INT_DATA smp_int_data;
1062 smp_int_data.status = SMP_INVALID_PARAMETERS;
1063 android_errorWriteLog(0x534e4554, "111214470");
1064 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1065 return;
1066 }
1067
1068 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_CSRK, true);
1069
1070 /* save CSRK to security record */
1071 le_key.pcsrk_key.sec_level = p_cb->sec_level;
1072
1073 /* get peer CSRK */
1074 maybe_non_aligned_memcpy(le_key.pcsrk_key.csrk.data(), p_data->p_data,
1075 OCTET16_LEN);
1076
1077 /* initialize the peer counter */
1078 le_key.pcsrk_key.counter = 0;
1079
1080 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
1081 (p_cb->loc_auth_req & SMP_AUTH_BOND))
1082 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PCSRK, &le_key, true);
1083 smp_key_distribution_by_transport(p_cb, NULL);
1084 }
1085
1086 /*******************************************************************************
1087 * Function smp_proc_compare
1088 * Description process compare value
1089 ******************************************************************************/
smp_proc_compare(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1090 void smp_proc_compare(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1091 SMP_TRACE_DEBUG("%s", __func__);
1092 if (!memcmp(p_cb->rconfirm.data(), p_data->key.p_data, OCTET16_LEN)) {
1093 /* compare the max encryption key size, and save the smaller one for the
1094 * link */
1095 if (p_cb->peer_enc_size < p_cb->loc_enc_size)
1096 p_cb->loc_enc_size = p_cb->peer_enc_size;
1097
1098 if (p_cb->role == HCI_ROLE_PERIPHERAL)
1099 smp_sm_event(p_cb, SMP_RAND_EVT, NULL);
1100 else {
1101 /* central device always use received i/r key as keys to distribute */
1102 p_cb->local_i_key = p_cb->peer_i_key;
1103 p_cb->local_r_key = p_cb->peer_r_key;
1104
1105 smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL);
1106 }
1107
1108 } else {
1109 tSMP_INT_DATA smp_int_data;
1110 smp_int_data.status = SMP_CONFIRM_VALUE_ERR;
1111 p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1112 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1113 }
1114 }
1115
1116 /*******************************************************************************
1117 * Function smp_proc_sl_key
1118 * Description process key ready events.
1119 ******************************************************************************/
smp_proc_sl_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1120 void smp_proc_sl_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1121 uint8_t key_type = p_data->key.key_type;
1122
1123 SMP_TRACE_DEBUG("%s", __func__);
1124 if (key_type == SMP_KEY_TYPE_TK) {
1125 smp_generate_srand_mrand_confirm(p_cb, NULL);
1126 } else if (key_type == SMP_KEY_TYPE_CFM) {
1127 smp_set_state(SMP_STATE_WAIT_CONFIRM);
1128
1129 if (p_cb->flags & SMP_PAIR_FLAGS_CMD_CONFIRM)
1130 smp_sm_event(p_cb, SMP_CONFIRM_EVT, NULL);
1131 }
1132 }
1133
1134 /*******************************************************************************
1135 * Function smp_start_enc
1136 * Description start encryption
1137 ******************************************************************************/
smp_start_enc(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1138 void smp_start_enc(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1139 tBTM_STATUS cmd;
1140
1141 SMP_TRACE_DEBUG("%s", __func__);
1142 if (p_data != NULL) {
1143 cmd = btm_ble_start_encrypt(p_cb->pairing_bda, true,
1144 (Octet16*)p_data->key.p_data);
1145 } else {
1146 cmd = btm_ble_start_encrypt(p_cb->pairing_bda, false, NULL);
1147 }
1148
1149 if (cmd != BTM_CMD_STARTED && cmd != BTM_BUSY) {
1150 tSMP_INT_DATA smp_int_data;
1151 smp_int_data.status = SMP_ENC_FAIL;
1152 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1153 }
1154 }
1155
1156 /*******************************************************************************
1157 * Function smp_proc_discard
1158 * Description processing for discard security request
1159 ******************************************************************************/
smp_proc_discard(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1160 void smp_proc_discard(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1161 SMP_TRACE_DEBUG("%s", __func__);
1162 if (!(p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD))
1163 smp_reset_control_value(p_cb);
1164 }
1165
1166 /*******************************************************************************
1167 * Function smp_enc_cmpl
1168 * Description encryption success
1169 ******************************************************************************/
smp_enc_cmpl(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1170 void smp_enc_cmpl(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1171 uint8_t enc_enable = p_data->status;
1172
1173 SMP_TRACE_DEBUG("%s", __func__);
1174 tSMP_INT_DATA smp_int_data;
1175 smp_int_data.status = enc_enable ? SMP_SUCCESS : SMP_ENC_FAIL;
1176 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1177 }
1178
1179 /*******************************************************************************
1180 * Function smp_check_auth_req
1181 * Description check authentication request
1182 ******************************************************************************/
smp_check_auth_req(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1183 void smp_check_auth_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1184 uint8_t enc_enable = p_data->status;
1185
1186 SMP_TRACE_DEBUG(
1187 "%s rcvs enc_enable=%d i_keys=0x%x r_keys=0x%x (i-initiator r-responder)",
1188 __func__, enc_enable, p_cb->local_i_key, p_cb->local_r_key);
1189 if (enc_enable == 1) {
1190 if (p_cb->le_secure_connections_mode_is_used) {
1191 /* In LE SC mode LTK is used instead of STK and has to be always saved */
1192 p_cb->local_i_key |= SMP_SEC_KEY_TYPE_ENC;
1193 p_cb->local_r_key |= SMP_SEC_KEY_TYPE_ENC;
1194
1195 /* In LE SC mode LK is derived from LTK only if both sides request it */
1196 if (!(p_cb->local_i_key & SMP_SEC_KEY_TYPE_LK) ||
1197 !(p_cb->local_r_key & SMP_SEC_KEY_TYPE_LK)) {
1198 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
1199 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
1200 }
1201
1202 /* In LE SC mode only IRK, IAI, CSRK are exchanged with the peer.
1203 ** Set local_r_key on central to expect only these keys.
1204 */
1205 if (p_cb->role == HCI_ROLE_CENTRAL) {
1206 p_cb->local_r_key &= (SMP_SEC_KEY_TYPE_ID | SMP_SEC_KEY_TYPE_CSRK);
1207 }
1208 } else {
1209 /* in legacy mode derivation of BR/EDR LK is not supported */
1210 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
1211 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
1212 }
1213 SMP_TRACE_DEBUG(
1214 "%s rcvs upgrades: i_keys=0x%x r_keys=0x%x (i-initiator r-responder)",
1215 __func__, p_cb->local_i_key, p_cb->local_r_key);
1216
1217 if (/*((p_cb->peer_auth_req & SMP_AUTH_BOND) ||
1218 (p_cb->loc_auth_req & SMP_AUTH_BOND)) &&*/
1219 (p_cb->local_i_key || p_cb->local_r_key)) {
1220 smp_sm_event(p_cb, SMP_BOND_REQ_EVT, NULL);
1221 } else {
1222 tSMP_INT_DATA smp_int_data;
1223 smp_int_data.status = enc_enable ? SMP_SUCCESS : SMP_ENC_FAIL;
1224 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1225 }
1226 } else if (enc_enable == 0) {
1227 tSMP_INT_DATA smp_int_data;
1228 smp_int_data.status = enc_enable ? SMP_SUCCESS : SMP_ENC_FAIL;
1229 /* if failed for encryption after pairing, send callback */
1230 if (p_cb->flags & SMP_PAIR_FLAG_ENC_AFTER_PAIR)
1231 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1232 /* if enc failed for old security information */
1233 /* if central device, clean up and abck to idle; peripheral device do
1234 * nothing */
1235 else if (p_cb->role == HCI_ROLE_CENTRAL) {
1236 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1237 }
1238 }
1239 }
1240
1241 /*******************************************************************************
1242 * Function smp_key_pick_key
1243 * Description Pick a key distribution function based on the key mask.
1244 ******************************************************************************/
smp_key_pick_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1245 void smp_key_pick_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1246 uint8_t key_to_dist = (p_cb->role == HCI_ROLE_PERIPHERAL) ? p_cb->local_r_key
1247 : p_cb->local_i_key;
1248 uint8_t i = 0;
1249
1250 SMP_TRACE_DEBUG("%s key_to_dist=0x%x", __func__, key_to_dist);
1251 while (i < SMP_KEY_DIST_TYPE_MAX) {
1252 SMP_TRACE_DEBUG("key to send = %02x, i = %d", key_to_dist, i);
1253
1254 if (key_to_dist & (1 << i)) {
1255 SMP_TRACE_DEBUG("smp_distribute_act[%d]", i);
1256 (*smp_distribute_act[i])(p_cb, p_data);
1257 break;
1258 }
1259 i++;
1260 }
1261 }
1262 /*******************************************************************************
1263 * Function smp_key_distribution
1264 * Description start key distribution if required.
1265 ******************************************************************************/
smp_key_distribution(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1266 void smp_key_distribution(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1267 SMP_TRACE_DEBUG("%s role=%d (0-central) r_keys=0x%x i_keys=0x%x", __func__,
1268 p_cb->role, p_cb->local_r_key, p_cb->local_i_key);
1269
1270 if (p_cb->role == HCI_ROLE_PERIPHERAL ||
1271 (!p_cb->local_r_key && p_cb->role == HCI_ROLE_CENTRAL)) {
1272 smp_key_pick_key(p_cb, p_data);
1273 }
1274
1275 if (!p_cb->local_i_key && !p_cb->local_r_key) {
1276 /* state check to prevent re-entrant */
1277 if (smp_get_state() == SMP_STATE_BOND_PENDING) {
1278 if (p_cb->derive_lk) {
1279 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
1280 if (!(p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED) &&
1281 (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED)) {
1282 SMP_TRACE_DEBUG(
1283 "%s BR key is higher security than existing LE keys, don't "
1284 "derive LK from LTK",
1285 __func__);
1286 android_errorWriteLog(0x534e4554, "158854097");
1287 } else {
1288 smp_derive_link_key_from_long_term_key(p_cb, NULL);
1289 }
1290 p_cb->derive_lk = false;
1291 }
1292
1293 if (p_cb->total_tx_unacked == 0) {
1294 /*
1295 * Instead of declaring authorization complete immediately,
1296 * delay the event from being sent by SMP_DELAYED_AUTH_TIMEOUT_MS.
1297 * This allows the peripheral to send over Pairing Failed if the
1298 * last key is rejected. During this waiting window, the
1299 * state should remain in SMP_STATE_BOND_PENDING.
1300 */
1301 if (!alarm_is_scheduled(p_cb->delayed_auth_timer_ent)) {
1302 SMP_TRACE_DEBUG("%s delaying auth complete.", __func__);
1303 alarm_set_on_mloop(p_cb->delayed_auth_timer_ent,
1304 SMP_DELAYED_AUTH_TIMEOUT_MS,
1305 smp_delayed_auth_complete_timeout, NULL);
1306 }
1307 } else {
1308 p_cb->wait_for_authorization_complete = true;
1309 }
1310 }
1311 }
1312 }
1313
1314 /*******************************************************************************
1315 * Function smp_decide_association_model
1316 * Description This function is called to select assoc model to be used for
1317 * STK generation and to start STK generation process.
1318 *
1319 ******************************************************************************/
smp_decide_association_model(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1320 void smp_decide_association_model(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1321 tSMP_EVENT int_evt = SMP_NOP_EVT;
1322 tSMP_INT_DATA smp_int_data;
1323
1324 SMP_TRACE_DEBUG("%s Association Model = %d", __func__,
1325 p_cb->selected_association_model);
1326
1327 switch (p_cb->selected_association_model) {
1328 case SMP_MODEL_ENCRYPTION_ONLY: /* TK = 0, go calculate Confirm */
1329 if (p_cb->role == HCI_ROLE_CENTRAL &&
1330 ((p_cb->peer_auth_req & SMP_AUTH_YN_BIT) != 0) &&
1331 ((p_cb->loc_auth_req & SMP_AUTH_YN_BIT) == 0)) {
1332 SMP_TRACE_ERROR(
1333 "IO capability does not meet authentication requirement");
1334 smp_int_data.status = SMP_PAIR_AUTH_FAIL;
1335 int_evt = SMP_AUTH_CMPL_EVT;
1336 } else {
1337 if (!is_atv_device() &&
1338 (p_cb->local_io_capability == SMP_IO_CAP_IO ||
1339 p_cb->local_io_capability == SMP_IO_CAP_KBDISP)) {
1340 /* display consent dialog if this device has a display */
1341 SMP_TRACE_DEBUG("ENCRYPTION_ONLY showing Consent Dialog");
1342 p_cb->cb_evt = SMP_CONSENT_REQ_EVT;
1343 smp_set_state(SMP_STATE_WAIT_NONCE);
1344 smp_sm_event(p_cb, SMP_SC_DSPL_NC_EVT, NULL);
1345 } else {
1346 p_cb->sec_level = SMP_SEC_UNAUTHENTICATE;
1347 SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_UNAUTHENTICATE) ",
1348 p_cb->sec_level);
1349
1350 tSMP_KEY key;
1351 key.key_type = SMP_KEY_TYPE_TK;
1352 key.p_data = p_cb->tk.data();
1353 smp_int_data.key = key;
1354
1355 p_cb->tk = {0};
1356 /* TK, ready */
1357 int_evt = SMP_KEY_READY_EVT;
1358 }
1359 }
1360 break;
1361
1362 case SMP_MODEL_PASSKEY:
1363 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1364 SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_AUTHENTICATED) ",
1365 p_cb->sec_level);
1366
1367 p_cb->cb_evt = SMP_PASSKEY_REQ_EVT;
1368 int_evt = SMP_TK_REQ_EVT;
1369 break;
1370
1371 case SMP_MODEL_OOB:
1372 SMP_TRACE_ERROR("Association Model = SMP_MODEL_OOB");
1373 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1374 SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_AUTHENTICATED) ",
1375 p_cb->sec_level);
1376
1377 p_cb->cb_evt = SMP_OOB_REQ_EVT;
1378 int_evt = SMP_TK_REQ_EVT;
1379 break;
1380
1381 case SMP_MODEL_KEY_NOTIF:
1382 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1383 SMP_TRACE_DEBUG("Need to generate Passkey");
1384
1385 /* generate passkey and notify application */
1386 smp_generate_passkey(p_cb, NULL);
1387 break;
1388
1389 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1390 case SMP_MODEL_SEC_CONN_NUM_COMP:
1391 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1392 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1393 case SMP_MODEL_SEC_CONN_OOB:
1394 int_evt = SMP_PUBL_KEY_EXCH_REQ_EVT;
1395 break;
1396
1397 case SMP_MODEL_OUT_OF_RANGE:
1398 SMP_TRACE_ERROR("Association Model = SMP_MODEL_OUT_OF_RANGE (failed)");
1399 smp_int_data.status = SMP_UNKNOWN_IO_CAP;
1400 int_evt = SMP_AUTH_CMPL_EVT;
1401 break;
1402
1403 default:
1404 SMP_TRACE_ERROR(
1405 "Association Model = %d (SOMETHING IS WRONG WITH THE CODE)",
1406 p_cb->selected_association_model);
1407 smp_int_data.status = SMP_UNKNOWN_IO_CAP;
1408 int_evt = SMP_AUTH_CMPL_EVT;
1409 }
1410
1411 SMP_TRACE_EVENT("sec_level=%d ", p_cb->sec_level);
1412 if (int_evt) smp_sm_event(p_cb, int_evt, &smp_int_data);
1413 }
1414
1415 /*******************************************************************************
1416 * Function smp_process_io_response
1417 * Description process IO response for a peripheral device.
1418 ******************************************************************************/
smp_process_io_response(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1419 void smp_process_io_response(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1420 SMP_TRACE_DEBUG("%s", __func__);
1421 if (p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD) {
1422 /* pairing started by local (peripheral) Security Request */
1423 smp_set_state(SMP_STATE_SEC_REQ_PENDING);
1424 smp_send_cmd(SMP_OPCODE_SEC_REQ, p_cb);
1425 } else /* plan to send pairing respond */
1426 {
1427 /* pairing started by peer (central) Pairing Request */
1428 p_cb->selected_association_model = smp_select_association_model(p_cb);
1429
1430 if (p_cb->secure_connections_only_mode_required &&
1431 (!(p_cb->le_secure_connections_mode_is_used) ||
1432 (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS))) {
1433 SMP_TRACE_ERROR(
1434 "Peripheral requires secure connection only mode "
1435 "but it can't be provided -> Peripheral fails pairing");
1436 tSMP_INT_DATA smp_int_data;
1437 smp_int_data.status = SMP_PAIR_AUTH_FAIL;
1438 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1439 return;
1440 }
1441
1442 // If we are doing SMP_MODEL_SEC_CONN_OOB we don't need to request OOB data
1443 // locally if loc_oob_flag == 0x00 b/c there is no OOB data to give. In the
1444 // event the loc_oob_flag is present value, we should request the OOB data
1445 // locally; otherwise fail.
1446 // If we are the initiator the OOB data has already been stored and will be
1447 // collected in the statemachine later.
1448 //
1449 // loc_oob_flag could be one of the following tSMP_OOB_FLAG enum values:
1450 // SMP_OOB_NONE = 0
1451 // SMP_OOB_PRESENT = 1
1452 // SMP_OOB_UNKNOWN = 2
1453 //
1454 // The only time Android cares about needing to provide the peer oob data
1455 // here would be in the advertiser situation or role. If the
1456 // device is doing the connecting it will not need to get the data again as
1457 // it was already provided in the initiation call.
1458 //
1459 // loc_oob_flag should only equal SMP_OOB_PRESENT when PEER DATA exists and
1460 // device is the advertiser as opposed to being the connector.
1461 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) {
1462 switch (p_cb->loc_oob_flag) {
1463 case SMP_OOB_NONE:
1464 LOG_INFO("SMP_MODEL_SEC_CONN_OOB with SMP_OOB_NONE");
1465 smp_send_pair_rsp(p_cb, NULL);
1466 break;
1467 case SMP_OOB_PRESENT:
1468 LOG_INFO("SMP_MODEL_SEC_CONN_OOB with SMP_OOB_PRESENT");
1469 if (smp_request_oob_data(p_cb)) return;
1470 break;
1471 case SMP_OOB_UNKNOWN:
1472 LOG_WARN("SMP_MODEL_SEC_CONN_OOB with SMP_OOB_UNKNOWN");
1473 tSMP_INT_DATA smp_int_data;
1474 smp_int_data.status = SMP_PAIR_AUTH_FAIL;
1475 smp_send_pair_fail(p_cb, &smp_int_data);
1476 return;
1477 }
1478 }
1479
1480 // PTS Testing failure modes
1481 if (pts_test_send_authentication_complete_failure(p_cb)) return;
1482
1483 smp_send_pair_rsp(p_cb, NULL);
1484 }
1485 }
1486
1487 /*******************************************************************************
1488 * Function smp_br_process_peripheral_keys_response
1489 * Description process application keys response for a peripheral device
1490 * (BR/EDR transport).
1491 ******************************************************************************/
smp_br_process_peripheral_keys_response(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1492 void smp_br_process_peripheral_keys_response(tSMP_CB* p_cb,
1493 tSMP_INT_DATA* p_data) {
1494 smp_br_send_pair_response(p_cb, NULL);
1495 }
1496
1497 /*******************************************************************************
1498 * Function smp_br_send_pair_response
1499 * Description actions related to sending pairing response over BR/EDR
1500 * transport.
1501 ******************************************************************************/
smp_br_send_pair_response(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1502 void smp_br_send_pair_response(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1503 SMP_TRACE_DEBUG("%s", __func__);
1504
1505 p_cb->local_i_key &= p_cb->peer_i_key;
1506 p_cb->local_r_key &= p_cb->peer_r_key;
1507
1508 smp_send_cmd(SMP_OPCODE_PAIRING_RSP, p_cb);
1509 }
1510
1511 /*******************************************************************************
1512 * Function smp_pairing_cmpl
1513 * Description This function is called to send the pairing complete
1514 * callback and remove the connection if needed.
1515 ******************************************************************************/
smp_pairing_cmpl(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1516 void smp_pairing_cmpl(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1517 if (p_cb->total_tx_unacked == 0) {
1518 /* process the pairing complete */
1519 smp_proc_pairing_cmpl(p_cb);
1520 }
1521 }
1522
1523 /*******************************************************************************
1524 * Function smp_pair_terminate
1525 * Description This function is called to send the pairing complete
1526 * callback and remove the connection if needed.
1527 ******************************************************************************/
smp_pair_terminate(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1528 void smp_pair_terminate(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1529 SMP_TRACE_DEBUG("%s", __func__);
1530 p_cb->status = SMP_CONN_TOUT;
1531 smp_proc_pairing_cmpl(p_cb);
1532 }
1533
1534 /*******************************************************************************
1535 * Function smp_idle_terminate
1536 * Description This function calledin idle state to determine to send
1537 * authentication complete or not.
1538 ******************************************************************************/
smp_idle_terminate(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1539 void smp_idle_terminate(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1540 if (p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD) {
1541 SMP_TRACE_DEBUG("Pairing terminated at IDLE state.");
1542 p_cb->status = SMP_FAIL;
1543 smp_proc_pairing_cmpl(p_cb);
1544 }
1545 }
1546
1547 /*******************************************************************************
1548 * Function smp_both_have_public_keys
1549 * Description The function is called when both local and peer public keys are
1550 * saved.
1551 * Actions:
1552 * - invokes DHKey computation;
1553 * - on peripheral side invokes sending local public key to the
1554 *peer.
1555 * - invokes SC phase 1 process.
1556 ******************************************************************************/
smp_both_have_public_keys(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1557 void smp_both_have_public_keys(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1558 SMP_TRACE_DEBUG("%s", __func__);
1559
1560 /* invokes DHKey computation */
1561 smp_compute_dhkey(p_cb);
1562
1563 /* on peripheral side invokes sending local public key to the peer */
1564 if (p_cb->role == HCI_ROLE_PERIPHERAL) smp_send_pair_public_key(p_cb, NULL);
1565
1566 smp_sm_event(p_cb, SMP_SC_DHKEY_CMPLT_EVT, NULL);
1567 }
1568
1569 /*******************************************************************************
1570 * Function smp_start_secure_connection_phase1
1571 * Description Start Secure Connection phase1 i.e. invokes initialization of
1572 * Secure Connection phase 1 parameters and starts building/sending
1573 * to the peer messages appropriate for the role and association
1574 * model.
1575 ******************************************************************************/
smp_start_secure_connection_phase1(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1576 void smp_start_secure_connection_phase1(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1577 SMP_TRACE_DEBUG("%s", __func__);
1578
1579 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS) {
1580 p_cb->sec_level = SMP_SEC_UNAUTHENTICATE;
1581 SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_UNAUTHENTICATE) ",
1582 p_cb->sec_level);
1583 } else {
1584 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1585 SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_AUTHENTICATED) ",
1586 p_cb->sec_level);
1587 }
1588
1589 switch (p_cb->selected_association_model) {
1590 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1591 case SMP_MODEL_SEC_CONN_NUM_COMP:
1592 p_cb->local_random = {0};
1593 smp_start_nonce_generation(p_cb);
1594 break;
1595 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1596 /* user has to provide passkey */
1597 p_cb->cb_evt = SMP_PASSKEY_REQ_EVT;
1598 smp_sm_event(p_cb, SMP_TK_REQ_EVT, NULL);
1599 break;
1600 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1601 /* passkey has to be provided to user */
1602 SMP_TRACE_DEBUG("Need to generate SC Passkey");
1603 smp_generate_passkey(p_cb, NULL);
1604 break;
1605 case SMP_MODEL_SEC_CONN_OOB:
1606 /* use the available OOB information */
1607 smp_process_secure_connection_oob_data(p_cb, NULL);
1608 break;
1609 default:
1610 SMP_TRACE_ERROR("Association Model = %d is not used in LE SC",
1611 p_cb->selected_association_model);
1612 break;
1613 }
1614 }
1615
1616 /*******************************************************************************
1617 * Function smp_process_local_nonce
1618 * Description The function processes new local nonce.
1619 *
1620 * Note It is supposed to be called in SC phase1.
1621 ******************************************************************************/
smp_process_local_nonce(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1622 void smp_process_local_nonce(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1623 SMP_TRACE_DEBUG("%s", __func__);
1624
1625 switch (p_cb->selected_association_model) {
1626 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1627 case SMP_MODEL_SEC_CONN_NUM_COMP:
1628 if (p_cb->role == HCI_ROLE_PERIPHERAL) {
1629 /* peripheral calculates and sends local commitment */
1630 smp_calculate_local_commitment(p_cb);
1631 smp_send_commitment(p_cb, NULL);
1632 /* peripheral has to wait for peer nonce */
1633 smp_set_state(SMP_STATE_WAIT_NONCE);
1634 } else /* i.e. central */
1635 {
1636 if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_COMM) {
1637 /* peripheral commitment is already received, send local nonce, wait
1638 * for remote nonce*/
1639 SMP_TRACE_DEBUG(
1640 "central in assoc mode = %d "
1641 "already rcvd peripheral commitment - race condition",
1642 p_cb->selected_association_model);
1643 p_cb->flags &= ~SMP_PAIR_FLAG_HAVE_PEER_COMM;
1644 smp_send_rand(p_cb, NULL);
1645 smp_set_state(SMP_STATE_WAIT_NONCE);
1646 }
1647 }
1648 break;
1649 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1650 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1651 smp_calculate_local_commitment(p_cb);
1652
1653 if (p_cb->role == HCI_ROLE_CENTRAL) {
1654 smp_send_commitment(p_cb, NULL);
1655 } else /* peripheral */
1656 {
1657 if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_COMM) {
1658 /* central commitment is already received */
1659 smp_send_commitment(p_cb, NULL);
1660 smp_set_state(SMP_STATE_WAIT_NONCE);
1661 }
1662 }
1663 break;
1664 case SMP_MODEL_SEC_CONN_OOB:
1665 if (p_cb->role == HCI_ROLE_CENTRAL) {
1666 smp_send_rand(p_cb, NULL);
1667 }
1668
1669 smp_set_state(SMP_STATE_WAIT_NONCE);
1670 break;
1671 default:
1672 SMP_TRACE_ERROR("Association Model = %d is not used in LE SC",
1673 p_cb->selected_association_model);
1674 break;
1675 }
1676 }
1677
1678 /*******************************************************************************
1679 * Function smp_process_peer_nonce
1680 * Description The function processes newly received and saved in CB peer
1681 * nonce. The actions depend on the selected association model and
1682 * the role.
1683 *
1684 * Note It is supposed to be called in SC phase1.
1685 ******************************************************************************/
smp_process_peer_nonce(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1686 void smp_process_peer_nonce(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1687 SMP_TRACE_DEBUG("%s start ", __func__);
1688
1689 // PTS Testing failure modes
1690 if (p_cb->cert_failure == SMP_CONFIRM_VALUE_ERR) {
1691 SMP_TRACE_ERROR("%s failure case = %d", __func__, p_cb->cert_failure);
1692 tSMP_INT_DATA smp_int_data;
1693 smp_int_data.status = SMP_CONFIRM_VALUE_ERR;
1694 p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1695 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1696 return;
1697 }
1698 // PTS Testing failure modes (for LT)
1699 if ((p_cb->cert_failure == SMP_NUMERIC_COMPAR_FAIL) &&
1700 (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS) &&
1701 (p_cb->role == HCI_ROLE_PERIPHERAL)) {
1702 SMP_TRACE_ERROR("%s failure case = %d", __func__, p_cb->cert_failure);
1703 tSMP_INT_DATA smp_int_data;
1704 smp_int_data.status = SMP_NUMERIC_COMPAR_FAIL;
1705 p_cb->failure = SMP_NUMERIC_COMPAR_FAIL;
1706 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1707 return;
1708 }
1709
1710 switch (p_cb->selected_association_model) {
1711 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1712 case SMP_MODEL_SEC_CONN_NUM_COMP:
1713 /* in these models only central receives commitment */
1714 if (p_cb->role == HCI_ROLE_CENTRAL) {
1715 if (!smp_check_commitment(p_cb)) {
1716 tSMP_INT_DATA smp_int_data;
1717 smp_int_data.status = SMP_CONFIRM_VALUE_ERR;
1718 p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1719 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1720 break;
1721 }
1722 } else {
1723 /* peripheral sends local nonce */
1724 smp_send_rand(p_cb, NULL);
1725 }
1726
1727 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS) {
1728 if (!is_atv_device() &&
1729 (p_cb->local_io_capability == SMP_IO_CAP_IO ||
1730 p_cb->local_io_capability == SMP_IO_CAP_KBDISP)) {
1731 /* display consent dialog */
1732 SMP_TRACE_DEBUG("JUST WORKS showing Consent Dialog");
1733 p_cb->cb_evt = SMP_CONSENT_REQ_EVT;
1734 smp_set_state(SMP_STATE_WAIT_NONCE);
1735 smp_sm_event(p_cb, SMP_SC_DSPL_NC_EVT, NULL);
1736 } else {
1737 /* go directly to phase 2 */
1738 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1739 }
1740 } else /* numeric comparison */
1741 {
1742 smp_set_state(SMP_STATE_WAIT_NONCE);
1743 smp_sm_event(p_cb, SMP_SC_CALC_NC_EVT, NULL);
1744 }
1745 break;
1746 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1747 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1748 if (!smp_check_commitment(p_cb) &&
1749 p_cb->cert_failure != SMP_NUMERIC_COMPAR_FAIL) {
1750 tSMP_INT_DATA smp_int_data;
1751 smp_int_data.status = SMP_CONFIRM_VALUE_ERR;
1752 p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1753 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1754 break;
1755 }
1756
1757 if (p_cb->role == HCI_ROLE_PERIPHERAL) {
1758 smp_send_rand(p_cb, NULL);
1759 }
1760
1761 if (++p_cb->round < 20) {
1762 smp_set_state(SMP_STATE_SEC_CONN_PHS1_START);
1763 p_cb->flags &= ~SMP_PAIR_FLAG_HAVE_PEER_COMM;
1764 smp_start_nonce_generation(p_cb);
1765 break;
1766 }
1767
1768 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1769 break;
1770 case SMP_MODEL_SEC_CONN_OOB:
1771 if (p_cb->role == HCI_ROLE_PERIPHERAL) {
1772 smp_send_rand(p_cb, NULL);
1773 }
1774
1775 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1776 break;
1777 default:
1778 SMP_TRACE_ERROR("Association Model = %d is not used in LE SC",
1779 p_cb->selected_association_model);
1780 break;
1781 }
1782
1783 SMP_TRACE_DEBUG("%s end ", __func__);
1784 }
1785
1786 /*******************************************************************************
1787 * Function smp_match_dhkey_checks
1788 * Description checks if the calculated peer DHKey Check value is the same as
1789 * received from the peer DHKey check value.
1790 ******************************************************************************/
smp_match_dhkey_checks(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1791 void smp_match_dhkey_checks(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1792 SMP_TRACE_DEBUG("%s", __func__);
1793
1794 if (memcmp(p_data->key.p_data, p_cb->remote_dhkey_check.data(),
1795 OCTET16_LEN)) {
1796 SMP_TRACE_WARNING("dhkey chcks do no match");
1797 tSMP_INT_DATA smp_int_data;
1798 smp_int_data.status = SMP_DHKEY_CHK_FAIL;
1799 p_cb->failure = SMP_DHKEY_CHK_FAIL;
1800 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1801 return;
1802 }
1803
1804 SMP_TRACE_EVENT("dhkey chcks match");
1805
1806 /* compare the max encryption key size, and save the smaller one for the link
1807 */
1808 if (p_cb->peer_enc_size < p_cb->loc_enc_size)
1809 p_cb->loc_enc_size = p_cb->peer_enc_size;
1810
1811 if (p_cb->role == HCI_ROLE_PERIPHERAL) {
1812 smp_sm_event(p_cb, SMP_PAIR_DHKEY_CHCK_EVT, NULL);
1813 } else {
1814 /* central device always use received i/r key as keys to distribute */
1815 p_cb->local_i_key = p_cb->peer_i_key;
1816 p_cb->local_r_key = p_cb->peer_r_key;
1817 smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL);
1818 }
1819 }
1820
1821 /*******************************************************************************
1822 * Function smp_move_to_secure_connections_phase2
1823 * Description Signal State Machine to start SC phase 2 initialization (to
1824 * compute local DHKey Check value).
1825 *
1826 * Note SM is supposed to be in the state SMP_STATE_SEC_CONN_PHS2_START.
1827 ******************************************************************************/
smp_move_to_secure_connections_phase2(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1828 void smp_move_to_secure_connections_phase2(tSMP_CB* p_cb,
1829 tSMP_INT_DATA* p_data) {
1830 SMP_TRACE_DEBUG("%s", __func__);
1831 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1832 }
1833
1834 /*******************************************************************************
1835 * Function smp_phase_2_dhkey_checks_are_present
1836 * Description generates event if dhkey check from the peer is already
1837 * received.
1838 *
1839 * Note It is supposed to be used on peripheral to prevent race
1840 *condition. It is supposed to be called after peripheral dhkey check is
1841 * calculated.
1842 ******************************************************************************/
smp_phase_2_dhkey_checks_are_present(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1843 void smp_phase_2_dhkey_checks_are_present(tSMP_CB* p_cb,
1844 tSMP_INT_DATA* p_data) {
1845 SMP_TRACE_DEBUG("%s", __func__);
1846
1847 if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_DHK_CHK)
1848 smp_sm_event(p_cb, SMP_SC_2_DHCK_CHKS_PRES_EVT, NULL);
1849 }
1850
1851 /*******************************************************************************
1852 * Function smp_wait_for_both_public_keys
1853 * Description generates SMP_BOTH_PUBL_KEYS_RCVD_EVT event when both local and
1854 * central public keys are available.
1855 *
1856 * Note on the peripheral it is used to prevent race condition.
1857 *
1858 ******************************************************************************/
smp_wait_for_both_public_keys(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1859 void smp_wait_for_both_public_keys(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1860 SMP_TRACE_DEBUG("%s", __func__);
1861
1862 if ((p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_PUBL_KEY) &&
1863 (p_cb->flags & SMP_PAIR_FLAG_HAVE_LOCAL_PUBL_KEY)) {
1864 if ((p_cb->role == HCI_ROLE_PERIPHERAL) &&
1865 ((p_cb->req_oob_type == SMP_OOB_LOCAL) ||
1866 (p_cb->req_oob_type == SMP_OOB_BOTH))) {
1867 smp_set_state(SMP_STATE_PUBLIC_KEY_EXCH);
1868 }
1869 smp_sm_event(p_cb, SMP_BOTH_PUBL_KEYS_RCVD_EVT, NULL);
1870 }
1871 }
1872
1873 /*******************************************************************************
1874 * Function smp_start_passkey_verification
1875 * Description Starts SC passkey entry verification.
1876 ******************************************************************************/
smp_start_passkey_verification(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1877 void smp_start_passkey_verification(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1878 uint8_t* p = NULL;
1879
1880 SMP_TRACE_DEBUG("%s", __func__);
1881 p = p_cb->local_random.data();
1882 UINT32_TO_STREAM(p, p_data->passkey);
1883
1884 p = p_cb->peer_random.data();
1885 UINT32_TO_STREAM(p, p_data->passkey);
1886
1887 p_cb->round = 0;
1888 smp_start_nonce_generation(p_cb);
1889 }
1890
1891 /*******************************************************************************
1892 * Function smp_process_secure_connection_oob_data
1893 * Description Processes local/peer SC OOB data received from somewhere.
1894 ******************************************************************************/
smp_process_secure_connection_oob_data(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1895 void smp_process_secure_connection_oob_data(tSMP_CB* p_cb,
1896 tSMP_INT_DATA* p_data) {
1897 SMP_TRACE_DEBUG("%s", __func__);
1898
1899 tSMP_SC_OOB_DATA* p_sc_oob_data = &p_cb->sc_oob_data;
1900 if (p_sc_oob_data->loc_oob_data.present) {
1901 p_cb->local_random = p_sc_oob_data->loc_oob_data.randomizer;
1902 } else {
1903 SMP_TRACE_EVENT("%s: local OOB randomizer is absent", __func__);
1904 p_cb->local_random = {0};
1905 }
1906
1907 if (!p_sc_oob_data->peer_oob_data.present) {
1908 SMP_TRACE_EVENT("%s: peer OOB data is absent", __func__);
1909 p_cb->peer_random = {0};
1910 } else {
1911 p_cb->peer_random = p_sc_oob_data->peer_oob_data.randomizer;
1912 p_cb->remote_commitment = p_sc_oob_data->peer_oob_data.commitment;
1913
1914 /* check commitment */
1915 if (!smp_check_commitment(p_cb)) {
1916 tSMP_INT_DATA smp_int_data;
1917 smp_int_data.status = SMP_CONFIRM_VALUE_ERR;
1918 p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1919 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1920 return;
1921 }
1922
1923 if (p_cb->peer_oob_flag != SMP_OOB_PRESENT) {
1924 /* the peer doesn't have local randomiser */
1925 SMP_TRACE_EVENT(
1926 "%s: peer didn't receive local OOB data, set local randomizer to 0",
1927 __func__);
1928 p_cb->local_random = {0};
1929 }
1930 }
1931
1932 print128(p_cb->local_random, (const uint8_t*)"local OOB randomizer");
1933 print128(p_cb->peer_random, (const uint8_t*)"peer OOB randomizer");
1934 smp_start_nonce_generation(p_cb);
1935 }
1936
1937 /*******************************************************************************
1938 * Function smp_set_local_oob_keys
1939 * Description Saves calculated private/public keys in
1940 * sc_oob_data.loc_oob_data, starts nonce generation
1941 * (to be saved in sc_oob_data.loc_oob_data.randomizer).
1942 ******************************************************************************/
smp_set_local_oob_keys(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1943 void smp_set_local_oob_keys(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1944 SMP_TRACE_DEBUG("%s", __func__);
1945
1946 memcpy(p_cb->sc_oob_data.loc_oob_data.private_key_used, p_cb->private_key,
1947 BT_OCTET32_LEN);
1948 p_cb->sc_oob_data.loc_oob_data.publ_key_used = p_cb->loc_publ_key;
1949 smp_start_nonce_generation(p_cb);
1950 }
1951
1952 /*******************************************************************************
1953 * Function smp_set_local_oob_random_commitment
1954 * Description Saves calculated randomizer and commitment in
1955 * sc_oob_data.loc_oob_data, passes sc_oob_data.loc_oob_data up
1956 * for safekeeping.
1957 ******************************************************************************/
smp_set_local_oob_random_commitment(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1958 void smp_set_local_oob_random_commitment(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1959 SMP_TRACE_DEBUG("%s", __func__);
1960 p_cb->sc_oob_data.loc_oob_data.randomizer = p_cb->rand;
1961
1962 p_cb->sc_oob_data.loc_oob_data.commitment =
1963 crypto_toolbox::f4(p_cb->sc_oob_data.loc_oob_data.publ_key_used.x,
1964 p_cb->sc_oob_data.loc_oob_data.publ_key_used.x,
1965 p_cb->sc_oob_data.loc_oob_data.randomizer, 0);
1966
1967 p_cb->sc_oob_data.loc_oob_data.present = true;
1968
1969 /* pass created OOB data up */
1970 p_cb->cb_evt = SMP_SC_LOC_OOB_DATA_UP_EVT;
1971 smp_send_app_cback(p_cb, NULL);
1972
1973 // Store the data for later use when we are paired with
1974 // Event though the doc above says to pass up for safe keeping it never gets
1975 // kept safe. Additionally, when we need the data to make a decision we
1976 // wouldn't have it. This will save the sc_oob_data in the smp_keys.cc such
1977 // that when we receive a request to create new keys we check to see if the
1978 // sc_oob_data exists and utilize the keys that are stored there otherwise the
1979 // connector will fail commitment check and dhkey exchange.
1980 smp_save_local_oob_data(p_cb);
1981
1982 smp_cb_cleanup(p_cb);
1983 }
1984
1985 /*******************************************************************************
1986 *
1987 * Function smp_link_encrypted
1988 *
1989 * Description This function is called when link is encrypted and notified
1990 * to the peripheral device. Proceed to to send LTK, DIV and ER
1991 *to central if bonding the devices.
1992 *
1993 *
1994 * Returns void
1995 *
1996 ******************************************************************************/
smp_link_encrypted(const RawAddress & bda,uint8_t encr_enable)1997 void smp_link_encrypted(const RawAddress& bda, uint8_t encr_enable) {
1998 tSMP_CB* p_cb = &smp_cb;
1999
2000 SMP_TRACE_DEBUG("%s: encr_enable=%d", __func__, encr_enable);
2001
2002 if (smp_cb.pairing_bda == bda) {
2003 /* encryption completed with STK, remember the key size now, could be
2004 * overwritten when key exchange happens */
2005 if (p_cb->loc_enc_size != 0 && encr_enable) {
2006 /* update the link encryption key size if a SMP pairing just performed */
2007 btm_ble_update_sec_key_size(bda, p_cb->loc_enc_size);
2008 }
2009
2010 tSMP_INT_DATA smp_int_data = {
2011 // TODO This is not a tSMP_STATUS
2012 .status = static_cast<tSMP_STATUS>(encr_enable),
2013 };
2014
2015 smp_sm_event(&smp_cb, SMP_ENCRYPTED_EVT, &smp_int_data);
2016 }
2017 }
2018
smp_cancel_start_encryption_attempt()2019 void smp_cancel_start_encryption_attempt() {
2020 SMP_TRACE_ERROR("%s: Encryption request cancelled", __func__);
2021 smp_sm_event(&smp_cb, SMP_DISCARD_SEC_REQ_EVT, NULL);
2022 }
2023
2024 /*******************************************************************************
2025 *
2026 * Function smp_proc_ltk_request
2027 *
2028 * Description This function is called when LTK request is received from
2029 * controller.
2030 *
2031 * Returns void
2032 *
2033 ******************************************************************************/
smp_proc_ltk_request(const RawAddress & bda)2034 bool smp_proc_ltk_request(const RawAddress& bda) {
2035 SMP_TRACE_DEBUG("%s state = %d", __func__, smp_cb.state);
2036 bool match = false;
2037
2038 if (bda == smp_cb.pairing_bda) {
2039 match = true;
2040 } else {
2041 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda);
2042 if (p_dev_rec != NULL && p_dev_rec->ble.pseudo_addr == smp_cb.pairing_bda &&
2043 p_dev_rec->ble.pseudo_addr != RawAddress::kEmpty) {
2044 match = true;
2045 }
2046 }
2047
2048 if (match && smp_cb.state == SMP_STATE_ENCRYPTION_PENDING) {
2049 smp_sm_event(&smp_cb, SMP_ENC_REQ_EVT, NULL);
2050 return true;
2051 }
2052
2053 return false;
2054 }
2055
2056 /*******************************************************************************
2057 *
2058 * Function smp_process_secure_connection_long_term_key
2059 *
2060 * Description This function is called to process SC LTK.
2061 * SC LTK is calculated and used instead of STK.
2062 * Here SC LTK is saved in BLE DB.
2063 *
2064 * Returns void
2065 *
2066 ******************************************************************************/
smp_process_secure_connection_long_term_key(void)2067 void smp_process_secure_connection_long_term_key(void) {
2068 tSMP_CB* p_cb = &smp_cb;
2069
2070 SMP_TRACE_DEBUG("%s", __func__);
2071 smp_save_secure_connections_long_term_key(p_cb);
2072
2073 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, false);
2074 smp_key_distribution(p_cb, NULL);
2075 }
2076
2077 /*******************************************************************************
2078 *
2079 * Function smp_set_derive_link_key
2080 *
2081 * Description This function is called to set flag that indicates that
2082 * BR/EDR LK has to be derived from LTK after all keys are
2083 * distributed.
2084 *
2085 * Returns void
2086 *
2087 ******************************************************************************/
smp_set_derive_link_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2088 void smp_set_derive_link_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
2089 SMP_TRACE_DEBUG("%s", __func__);
2090 p_cb->derive_lk = true;
2091 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_LK, false);
2092 smp_key_distribution(p_cb, NULL);
2093 }
2094
2095 /*******************************************************************************
2096 *
2097 * Function smp_derive_link_key_from_long_term_key
2098 *
2099 * Description This function is called to derive BR/EDR LK from LTK.
2100 *
2101 * Returns void
2102 *
2103 ******************************************************************************/
smp_derive_link_key_from_long_term_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2104 void smp_derive_link_key_from_long_term_key(tSMP_CB* p_cb,
2105 tSMP_INT_DATA* p_data) {
2106 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN;
2107
2108 SMP_TRACE_DEBUG("%s", __func__);
2109 if (!smp_calculate_link_key_from_long_term_key(p_cb)) {
2110 SMP_TRACE_ERROR("%s failed", __func__);
2111 tSMP_INT_DATA smp_int_data;
2112 smp_int_data.status = status;
2113 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
2114 return;
2115 }
2116 }
2117
2118 /*******************************************************************************
2119 *
2120 * Function smp_br_process_link_key
2121 *
2122 * Description This function is called to process BR/EDR LK:
2123 * - to derive SMP LTK from BR/EDR LK;
2124 * - to save SMP LTK.
2125 *
2126 * Returns void
2127 *
2128 ******************************************************************************/
smp_br_process_link_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2129 void smp_br_process_link_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
2130 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN;
2131
2132 SMP_TRACE_DEBUG("%s", __func__);
2133 if (!smp_calculate_long_term_key_from_link_key(p_cb)) {
2134 SMP_TRACE_ERROR("%s: failed", __func__);
2135 tSMP_INT_DATA smp_int_data;
2136 smp_int_data.status = status;
2137 smp_sm_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
2138 return;
2139 }
2140
2141 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
2142 if (p_dev_rec) {
2143 SMP_TRACE_DEBUG("%s: dev_type = %d ", __func__, p_dev_rec->device_type);
2144 p_dev_rec->device_type |= BT_DEVICE_TYPE_BLE;
2145 } else {
2146 SMP_TRACE_ERROR("%s failed to find Security Record", __func__);
2147 }
2148
2149 SMP_TRACE_DEBUG("%s: LTK derivation from LK successfully completed",
2150 __func__);
2151 smp_save_secure_connections_long_term_key(p_cb);
2152 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, false);
2153 smp_br_select_next_key(p_cb, NULL);
2154 }
2155
2156 /*******************************************************************************
2157 * Function smp_key_distribution_by_transport
2158 * Description depending on the transport used at the moment calls either
2159 * smp_key_distribution(...) or smp_br_key_distribution(...).
2160 ******************************************************************************/
smp_key_distribution_by_transport(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2161 void smp_key_distribution_by_transport(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
2162 SMP_TRACE_DEBUG("%s", __func__);
2163 if (p_cb->smp_over_br) {
2164 smp_br_select_next_key(p_cb, NULL);
2165 } else {
2166 smp_key_distribution(p_cb, NULL);
2167 }
2168 }
2169
2170 /*******************************************************************************
2171 * Function smp_br_pairing_complete
2172 * Description This function is called to send the pairing complete
2173 * callback and remove the connection if needed.
2174 ******************************************************************************/
smp_br_pairing_complete(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2175 void smp_br_pairing_complete(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
2176 SMP_TRACE_DEBUG("%s", __func__);
2177
2178 if (p_cb->total_tx_unacked == 0) {
2179 /* process the pairing complete */
2180 smp_proc_pairing_cmpl(p_cb);
2181 }
2182 }
2183