1 /******************************************************************************
2  *
3  *  Copyright 1999-2012 Broadcom Corporation
4  *
5  *  Licensed under the Apache License, Version 2.0 (the "License");
6  *  you may not use this file except in compliance with the License.
7  *  You may obtain a copy of the License at:
8  *
9  *  http://www.apache.org/licenses/LICENSE-2.0
10  *
11  *  Unless required by applicable law or agreed to in writing, software
12  *  distributed under the License is distributed on an "AS IS" BASIS,
13  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  *  See the License for the specific language governing permissions and
15  *  limitations under the License.
16  *
17  *****************************************************************************/
18 
19 /******************************************************************************
20  *
21  *  This file contains functions for the SMP L2CAP utility functions
22  *
23  ******************************************************************************/
24 #include "bt_target.h"
25 
26 #include <ctype.h>
27 #include <string.h>
28 #include "bt_types.h"
29 #include "bt_utils.h"
30 #include "btm_ble_api.h"
31 #include "device/include/controller.h"
32 #include "hcidefs.h"
33 #include "l2c_api.h"
34 #include "osi/include/log.h"
35 #include "osi/include/osi.h"
36 #include "smp_int.h"
37 #include "stack/btm/btm_ble_int.h"
38 #include "stack/include/acl_api.h"
39 #include "stack/include/stack_metrics_logging.h"
40 
41 #define SMP_PAIRING_REQ_SIZE 7
42 #define SMP_CONFIRM_CMD_SIZE (OCTET16_LEN + 1)
43 #define SMP_RAND_CMD_SIZE (OCTET16_LEN + 1)
44 #define SMP_INIT_CMD_SIZE (OCTET16_LEN + 1)
45 #define SMP_ENC_INFO_SIZE (OCTET16_LEN + 1)
46 #define SMP_CENTRAL_ID_SIZE (BT_OCTET8_LEN + 2 + 1)
47 #define SMP_ID_INFO_SIZE (OCTET16_LEN + 1)
48 #define SMP_ID_ADDR_SIZE (BD_ADDR_LEN + 1 + 1)
49 #define SMP_SIGN_INFO_SIZE (OCTET16_LEN + 1)
50 #define SMP_PAIR_FAIL_SIZE 2
51 #define SMP_SECURITY_REQUEST_SIZE 2
52 #define SMP_PAIR_PUBL_KEY_SIZE (1 /* opcode */ + (2 * BT_OCTET32_LEN))
53 #define SMP_PAIR_COMMITM_SIZE (1 /* opcode */ + OCTET16_LEN /*Commitment*/)
54 #define SMP_PAIR_DHKEY_CHECK_SIZE \
55   (1 /* opcode */ + OCTET16_LEN /*DHKey \
56                                                                    Check*/)
57 #define SMP_PAIR_KEYPR_NOTIF_SIZE (1 /* opcode */ + 1 /*Notif Type*/)
58 
59 /* SMP command sizes per spec */
60 static const uint8_t smp_cmd_size_per_spec[] = {
61     0,
62     SMP_PAIRING_REQ_SIZE,      /* 0x01: pairing request */
63     SMP_PAIRING_REQ_SIZE,      /* 0x02: pairing response */
64     SMP_CONFIRM_CMD_SIZE,      /* 0x03: pairing confirm */
65     SMP_RAND_CMD_SIZE,         /* 0x04: pairing random */
66     SMP_PAIR_FAIL_SIZE,        /* 0x05: pairing failed */
67     SMP_ENC_INFO_SIZE,         /* 0x06: encryption information */
68     SMP_CENTRAL_ID_SIZE,       /* 0x07: central identification */
69     SMP_ID_INFO_SIZE,          /* 0x08: identity information */
70     SMP_ID_ADDR_SIZE,          /* 0x09: identity address information */
71     SMP_SIGN_INFO_SIZE,        /* 0x0A: signing information */
72     SMP_SECURITY_REQUEST_SIZE, /* 0x0B: security request */
73     SMP_PAIR_PUBL_KEY_SIZE,    /* 0x0C: pairing public key */
74     SMP_PAIR_DHKEY_CHECK_SIZE, /* 0x0D: pairing dhkey check */
75     SMP_PAIR_KEYPR_NOTIF_SIZE, /* 0x0E: pairing keypress notification */
76     SMP_PAIR_COMMITM_SIZE      /* 0x0F: pairing commitment */
77 };
78 
79 static bool smp_parameter_unconditionally_valid(tSMP_CB* p_cb);
80 static bool smp_parameter_unconditionally_invalid(tSMP_CB* p_cb);
81 
82 /* type for SMP command length validation functions */
83 typedef bool (*tSMP_CMD_LEN_VALID)(tSMP_CB* p_cb);
84 
85 static bool smp_command_has_valid_fixed_length(tSMP_CB* p_cb);
86 
87 static const tSMP_CMD_LEN_VALID smp_cmd_len_is_valid[] = {
88     smp_parameter_unconditionally_invalid,
89     smp_command_has_valid_fixed_length, /* 0x01: pairing request */
90     smp_command_has_valid_fixed_length, /* 0x02: pairing response */
91     smp_command_has_valid_fixed_length, /* 0x03: pairing confirm */
92     smp_command_has_valid_fixed_length, /* 0x04: pairing random */
93     smp_command_has_valid_fixed_length, /* 0x05: pairing failed */
94     smp_command_has_valid_fixed_length, /* 0x06: encryption information */
95     smp_command_has_valid_fixed_length, /* 0x07: central identification */
96     smp_command_has_valid_fixed_length, /* 0x08: identity information */
97     smp_command_has_valid_fixed_length, /* 0x09: identity address information */
98     smp_command_has_valid_fixed_length, /* 0x0A: signing information */
99     smp_command_has_valid_fixed_length, /* 0x0B: security request */
100     smp_command_has_valid_fixed_length, /* 0x0C: pairing public key */
101     smp_command_has_valid_fixed_length, /* 0x0D: pairing dhkey check */
102     smp_command_has_valid_fixed_length, /* 0x0E: pairing keypress notification*/
103     smp_command_has_valid_fixed_length  /* 0x0F: pairing commitment */
104 };
105 
106 /* type for SMP command parameter ranges validation functions */
107 typedef bool (*tSMP_CMD_PARAM_RANGES_VALID)(tSMP_CB* p_cb);
108 
109 static bool smp_pairing_request_response_parameters_are_valid(tSMP_CB* p_cb);
110 static bool smp_pairing_keypress_notification_is_valid(tSMP_CB* p_cb);
111 
112 static const tSMP_CMD_PARAM_RANGES_VALID smp_cmd_param_ranges_are_valid[] = {
113     smp_parameter_unconditionally_invalid,
114     smp_pairing_request_response_parameters_are_valid, /* 0x01: pairing
115                                                           request */
116     smp_pairing_request_response_parameters_are_valid, /* 0x02: pairing
117                                                           response */
118     smp_parameter_unconditionally_valid, /* 0x03: pairing confirm */
119     smp_parameter_unconditionally_valid, /* 0x04: pairing random */
120     smp_parameter_unconditionally_valid, /* 0x05: pairing failed */
121     smp_parameter_unconditionally_valid, /* 0x06: encryption information */
122     smp_parameter_unconditionally_valid, /* 0x07: central identification */
123     smp_parameter_unconditionally_valid, /* 0x08: identity information */
124     smp_parameter_unconditionally_valid, /* 0x09: identity address
125                                             information */
126     smp_parameter_unconditionally_valid, /* 0x0A: signing information */
127     smp_parameter_unconditionally_valid, /* 0x0B: security request */
128     smp_parameter_unconditionally_valid, /* 0x0C: pairing public key */
129     smp_parameter_unconditionally_valid, /* 0x0D: pairing dhkey check */
130     smp_pairing_keypress_notification_is_valid, /* 0x0E: pairing keypress
131                                                    notification */
132     smp_parameter_unconditionally_valid         /* 0x0F: pairing commitment */
133 };
134 
135 /* type for action functions */
136 typedef BT_HDR* (*tSMP_CMD_ACT)(uint8_t cmd_code, tSMP_CB* p_cb);
137 
138 static BT_HDR* smp_build_pairing_cmd(uint8_t cmd_code, tSMP_CB* p_cb);
139 static BT_HDR* smp_build_confirm_cmd(UNUSED_ATTR uint8_t cmd_code,
140                                      tSMP_CB* p_cb);
141 static BT_HDR* smp_build_rand_cmd(UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb);
142 static BT_HDR* smp_build_pairing_fail(UNUSED_ATTR uint8_t cmd_code,
143                                       tSMP_CB* p_cb);
144 static BT_HDR* smp_build_identity_info_cmd(UNUSED_ATTR uint8_t cmd_code,
145                                            tSMP_CB* p_cb);
146 static BT_HDR* smp_build_encrypt_info_cmd(UNUSED_ATTR uint8_t cmd_code,
147                                           tSMP_CB* p_cb);
148 static BT_HDR* smp_build_security_request(UNUSED_ATTR uint8_t cmd_code,
149                                           tSMP_CB* p_cb);
150 static BT_HDR* smp_build_signing_info_cmd(UNUSED_ATTR uint8_t cmd_code,
151                                           tSMP_CB* p_cb);
152 static BT_HDR* smp_build_central_id_cmd(UNUSED_ATTR uint8_t cmd_code,
153                                         tSMP_CB* p_cb);
154 static BT_HDR* smp_build_id_addr_cmd(UNUSED_ATTR uint8_t cmd_code,
155                                      tSMP_CB* p_cb);
156 static BT_HDR* smp_build_pair_public_key_cmd(UNUSED_ATTR uint8_t cmd_code,
157                                              tSMP_CB* p_cb);
158 static BT_HDR* smp_build_pairing_commitment_cmd(UNUSED_ATTR uint8_t cmd_code,
159                                                 tSMP_CB* p_cb);
160 static BT_HDR* smp_build_pair_dhkey_check_cmd(UNUSED_ATTR uint8_t cmd_code,
161                                               tSMP_CB* p_cb);
162 static BT_HDR* smp_build_pairing_keypress_notification_cmd(
163     UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb);
164 
165 static const tSMP_CMD_ACT smp_cmd_build_act[] = {
166     NULL,
167     smp_build_pairing_cmd,          /* 0x01: pairing request */
168     smp_build_pairing_cmd,          /* 0x02: pairing response */
169     smp_build_confirm_cmd,          /* 0x03: pairing confirm */
170     smp_build_rand_cmd,             /* 0x04: pairing random */
171     smp_build_pairing_fail,         /* 0x05: pairing failure */
172     smp_build_encrypt_info_cmd,     /* 0x06: encryption information */
173     smp_build_central_id_cmd,       /* 0x07: central identification */
174     smp_build_identity_info_cmd,    /* 0x08: identity information */
175     smp_build_id_addr_cmd,          /* 0x09: identity address information */
176     smp_build_signing_info_cmd,     /* 0x0A: signing information */
177     smp_build_security_request,     /* 0x0B: security request */
178     smp_build_pair_public_key_cmd,  /* 0x0C: pairing public key */
179     smp_build_pair_dhkey_check_cmd, /* 0x0D: pairing DHKey check */
180     smp_build_pairing_keypress_notification_cmd, /* 0x0E: pairing keypress
181                                                     notification */
182     smp_build_pairing_commitment_cmd             /* 0x0F: pairing commitment */
183 };
184 
185 static const tSMP_ASSO_MODEL
186     smp_association_table[2][SMP_IO_CAP_MAX][SMP_IO_CAP_MAX] = {
187         /* display only */ /* Display Yes/No */ /* keyboard only */
188         /* No Input/Output */                   /* keyboard display */
189 
190         /* initiator */
191         /* model = tbl[peer_io_caps][loc_io_caps] */
192         /* Display Only */
193         {{SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
194           SMP_MODEL_PASSKEY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY},
195 
196          /* Display Yes/No */
197          {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
198           SMP_MODEL_PASSKEY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY},
199 
200          /* Keyboard only */
201          {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY,
202           SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF},
203 
204          /* No Input No Output */
205          {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
206           SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
207           SMP_MODEL_ENCRYPTION_ONLY},
208 
209          /* keyboard display */
210          {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY,
211           SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF}},
212 
213         /* responder */
214         /* model = tbl[loc_io_caps][peer_io_caps] */
215         /* Display Only */
216         {{SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
217           SMP_MODEL_KEY_NOTIF, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF},
218 
219          /* Display Yes/No */
220          {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
221           SMP_MODEL_KEY_NOTIF, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF},
222 
223          /* keyboard only */
224          {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY,
225           SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY},
226 
227          /* No Input No Output */
228          {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
229           SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
230           SMP_MODEL_ENCRYPTION_ONLY},
231 
232          /* keyboard display */
233          {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_KEY_NOTIF,
234           SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY}}};
235 
236 static const tSMP_ASSO_MODEL
237     smp_association_table_sc[2][SMP_IO_CAP_MAX][SMP_IO_CAP_MAX] = {
238         /* display only */ /* Display Yes/No */ /* keyboard only */
239         /* No InputOutput */                    /* keyboard display */
240 
241         /* initiator */
242         /* model = tbl[peer_io_caps][loc_io_caps] */
243 
244         /* Display Only */
245         {{SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
246           SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
247           SMP_MODEL_SEC_CONN_PASSKEY_ENT},
248 
249          /* Display Yes/No */
250          {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP,
251           SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
252           SMP_MODEL_SEC_CONN_NUM_COMP},
253 
254          /* keyboard only */
255          {SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_PASSKEY_DISP,
256           SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
257           SMP_MODEL_SEC_CONN_PASSKEY_DISP},
258 
259          /* No Input No Output */
260          {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
261           SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
262           SMP_MODEL_SEC_CONN_JUSTWORKS},
263 
264          /* keyboard display */
265          {SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_NUM_COMP,
266           SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
267           SMP_MODEL_SEC_CONN_NUM_COMP}},
268 
269         /* responder */
270         /* model = tbl[loc_io_caps][peer_io_caps] */
271 
272         /* Display Only */
273         {{SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
274           SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS,
275           SMP_MODEL_SEC_CONN_PASSKEY_DISP},
276 
277          /* Display Yes/No */
278          {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP,
279           SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS,
280           SMP_MODEL_SEC_CONN_NUM_COMP},
281 
282          /* keyboard only */
283          {SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_PASSKEY_ENT,
284           SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
285           SMP_MODEL_SEC_CONN_PASSKEY_ENT},
286 
287          /* No Input No Output */
288          {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
289           SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
290           SMP_MODEL_SEC_CONN_JUSTWORKS},
291 
292          /* keyboard display */
293          {SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_NUM_COMP,
294           SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS,
295           SMP_MODEL_SEC_CONN_NUM_COMP}}};
296 
297 static tSMP_ASSO_MODEL smp_select_legacy_association_model(tSMP_CB* p_cb);
298 static tSMP_ASSO_MODEL smp_select_association_model_secure_connections(
299     tSMP_CB* p_cb);
300 
301 /**
302  * Log metrics data for SMP command
303  *
304  * @param bd_addr current pairing address
305  * @param is_outgoing whether this command is outgoing
306  * @param p_buf buffer to the beginning of SMP command
307  * @param buf_len length available to read for p_buf
308  */
smp_log_metrics(const RawAddress & bd_addr,bool is_outgoing,const uint8_t * p_buf,size_t buf_len)309 void smp_log_metrics(const RawAddress& bd_addr, bool is_outgoing,
310                      const uint8_t* p_buf, size_t buf_len) {
311   if (buf_len < 1) {
312     LOG(WARNING) << __func__ << ": buffer is too small, size is " << buf_len;
313     return;
314   }
315   uint8_t cmd;
316   STREAM_TO_UINT8(cmd, p_buf);
317   buf_len--;
318   uint8_t failure_reason = 0;
319   if (cmd == SMP_OPCODE_PAIRING_FAILED && buf_len >= 1) {
320     STREAM_TO_UINT8(failure_reason, p_buf);
321   }
322   android::bluetooth::DirectionEnum direction =
323       is_outgoing ? android::bluetooth::DirectionEnum::DIRECTION_OUTGOING
324                   : android::bluetooth::DirectionEnum::DIRECTION_INCOMING;
325   log_smp_pairing_event(bd_addr, cmd, direction, failure_reason);
326 }
327 
328 /*******************************************************************************
329  *
330  * Function         smp_send_msg_to_L2CAP
331  *
332  * Description      Send message to L2CAP.
333  *
334  ******************************************************************************/
smp_send_msg_to_L2CAP(const RawAddress & rem_bda,BT_HDR * p_toL2CAP)335 bool smp_send_msg_to_L2CAP(const RawAddress& rem_bda, BT_HDR* p_toL2CAP) {
336   uint16_t l2cap_ret;
337   uint16_t fixed_cid = L2CAP_SMP_CID;
338 
339   if (smp_cb.smp_over_br) {
340     fixed_cid = L2CAP_SMP_BR_CID;
341   }
342 
343   SMP_TRACE_EVENT("%s", __func__);
344 
345   smp_log_metrics(rem_bda, true /* outgoing */,
346                   p_toL2CAP->data + p_toL2CAP->offset, p_toL2CAP->len);
347 
348   l2cap_ret = L2CA_SendFixedChnlData(fixed_cid, rem_bda, p_toL2CAP);
349   if (l2cap_ret == L2CAP_DW_FAILED) {
350     SMP_TRACE_ERROR("SMP failed to pass msg to L2CAP");
351     return false;
352   } else {
353     tSMP_CB* p_cb = &smp_cb;
354 
355     if (p_cb->wait_for_authorization_complete) {
356       tSMP_INT_DATA smp_int_data;
357       smp_int_data.status = SMP_SUCCESS;
358       if (fixed_cid == L2CAP_SMP_CID) {
359         smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
360       } else {
361         smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
362       }
363     }
364     return true;
365   }
366 }
367 
368 /*******************************************************************************
369  *
370  * Function         smp_send_cmd
371  *
372  * Description      send a SMP command on L2CAP channel.
373  *
374  ******************************************************************************/
smp_send_cmd(uint8_t cmd_code,tSMP_CB * p_cb)375 bool smp_send_cmd(uint8_t cmd_code, tSMP_CB* p_cb) {
376   BT_HDR* p_buf;
377   bool sent = false;
378 
379   LOG_DEBUG("Sending SMP command:%s[0x%x] pairing_bda=%s",
380             smp_opcode_text(static_cast<tSMP_OPCODE>(cmd_code)).c_str(),
381             cmd_code, PRIVATE_ADDRESS(p_cb->pairing_bda));
382 
383   if (cmd_code <= (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */) &&
384       smp_cmd_build_act[cmd_code] != NULL) {
385     p_buf = (*smp_cmd_build_act[cmd_code])(cmd_code, p_cb);
386 
387     if (p_buf != NULL && smp_send_msg_to_L2CAP(p_cb->pairing_bda, p_buf)) {
388       sent = true;
389       alarm_set_on_mloop(p_cb->smp_rsp_timer_ent, SMP_WAIT_FOR_RSP_TIMEOUT_MS,
390                          smp_rsp_timeout, NULL);
391     }
392   }
393 
394   if (!sent) {
395     tSMP_INT_DATA smp_int_data;
396     smp_int_data.status = SMP_PAIR_INTERNAL_ERR;
397     if (p_cb->smp_over_br) {
398       smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
399     } else {
400       smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
401     }
402   }
403   return sent;
404 }
405 
406 /*******************************************************************************
407  *
408  * Function         smp_rsp_timeout
409  *
410  * Description      Called when SMP wait for SMP command response timer expires
411  *
412  * Returns          void
413  *
414  ******************************************************************************/
smp_rsp_timeout(UNUSED_ATTR void * data)415 void smp_rsp_timeout(UNUSED_ATTR void* data) {
416   tSMP_CB* p_cb = &smp_cb;
417 
418   SMP_TRACE_EVENT("%s state:%d br_state:%d", __func__, p_cb->state,
419                   p_cb->br_state);
420 
421   tSMP_INT_DATA smp_int_data;
422   smp_int_data.status = SMP_RSP_TIMEOUT;
423   if (p_cb->smp_over_br) {
424     smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
425   } else {
426     smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
427   }
428 }
429 
430 /*******************************************************************************
431  *
432  * Function         smp_delayed_auth_complete_timeout
433  *
434  * Description      Called when no pairing failed command received within
435  *                  timeout period.
436  *
437  * Returns          void
438  *
439  ******************************************************************************/
smp_delayed_auth_complete_timeout(UNUSED_ATTR void * data)440 void smp_delayed_auth_complete_timeout(UNUSED_ATTR void* data) {
441   /*
442    * Waited for potential pair failure. Send SMP_AUTH_CMPL_EVT if
443    * the state is still in bond pending.
444    */
445   if (smp_get_state() == SMP_STATE_BOND_PENDING) {
446     SMP_TRACE_EVENT("%s sending delayed auth complete.", __func__);
447     tSMP_INT_DATA smp_int_data;
448     smp_int_data.status = SMP_SUCCESS;
449     smp_sm_event(&smp_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
450   }
451 }
452 
453 /*******************************************************************************
454  *
455  * Function         smp_build_pairing_req_cmd
456  *
457  * Description      Build pairing request command.
458  *
459  ******************************************************************************/
smp_build_pairing_cmd(uint8_t cmd_code,tSMP_CB * p_cb)460 BT_HDR* smp_build_pairing_cmd(uint8_t cmd_code, tSMP_CB* p_cb) {
461   uint8_t* p;
462   BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIRING_REQ_SIZE +
463                                       L2CAP_MIN_OFFSET);
464 
465   SMP_TRACE_EVENT("%s", __func__);
466 
467   p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
468   UINT8_TO_STREAM(p, cmd_code);
469   UINT8_TO_STREAM(p, p_cb->local_io_capability);
470   UINT8_TO_STREAM(p, p_cb->loc_oob_flag);
471   UINT8_TO_STREAM(p, p_cb->loc_auth_req);
472   UINT8_TO_STREAM(p, p_cb->loc_enc_size);
473   UINT8_TO_STREAM(p, p_cb->local_i_key);
474   UINT8_TO_STREAM(p, p_cb->local_r_key);
475 
476   p_buf->offset = L2CAP_MIN_OFFSET;
477   /* 1B ERR_RSP op code + 1B cmd_op_code + 2B handle + 1B status */
478   p_buf->len = SMP_PAIRING_REQ_SIZE;
479 
480   return p_buf;
481 }
482 
483 /*******************************************************************************
484  *
485  * Function         smp_build_confirm_cmd
486  *
487  * Description      Build confirm request command.
488  *
489  ******************************************************************************/
smp_build_confirm_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)490 static BT_HDR* smp_build_confirm_cmd(UNUSED_ATTR uint8_t cmd_code,
491                                      tSMP_CB* p_cb) {
492   uint8_t* p;
493   BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_CONFIRM_CMD_SIZE +
494                                       L2CAP_MIN_OFFSET);
495 
496   SMP_TRACE_EVENT("%s", __func__);
497 
498   p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
499 
500   UINT8_TO_STREAM(p, SMP_OPCODE_CONFIRM);
501   ARRAY_TO_STREAM(p, p_cb->confirm, OCTET16_LEN);
502 
503   p_buf->offset = L2CAP_MIN_OFFSET;
504   p_buf->len = SMP_CONFIRM_CMD_SIZE;
505 
506   return p_buf;
507 }
508 
509 /*******************************************************************************
510  *
511  * Function         smp_build_rand_cmd
512  *
513  * Description      Build Random command.
514  *
515  ******************************************************************************/
smp_build_rand_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)516 static BT_HDR* smp_build_rand_cmd(UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb) {
517   uint8_t* p;
518   BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_RAND_CMD_SIZE +
519                                       L2CAP_MIN_OFFSET);
520 
521   SMP_TRACE_EVENT("%s", __func__);
522 
523   p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
524   UINT8_TO_STREAM(p, SMP_OPCODE_RAND);
525   ARRAY_TO_STREAM(p, p_cb->rand, OCTET16_LEN);
526 
527   p_buf->offset = L2CAP_MIN_OFFSET;
528   p_buf->len = SMP_RAND_CMD_SIZE;
529 
530   return p_buf;
531 }
532 
533 /*******************************************************************************
534  *
535  * Function         smp_build_encrypt_info_cmd
536  *
537  * Description      Build security information command.
538  *
539  ******************************************************************************/
smp_build_encrypt_info_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)540 static BT_HDR* smp_build_encrypt_info_cmd(UNUSED_ATTR uint8_t cmd_code,
541                                           tSMP_CB* p_cb) {
542   uint8_t* p;
543   BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ENC_INFO_SIZE +
544                                       L2CAP_MIN_OFFSET);
545 
546   SMP_TRACE_EVENT("%s", __func__);
547 
548   p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
549   UINT8_TO_STREAM(p, SMP_OPCODE_ENCRYPT_INFO);
550   ARRAY_TO_STREAM(p, p_cb->ltk, OCTET16_LEN);
551 
552   p_buf->offset = L2CAP_MIN_OFFSET;
553   p_buf->len = SMP_ENC_INFO_SIZE;
554 
555   return p_buf;
556 }
557 
558 /*******************************************************************************
559  *
560  * Function         smp_build_central_id_cmd
561  *
562  * Description      Build security information command.
563  *
564  ******************************************************************************/
smp_build_central_id_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)565 static BT_HDR* smp_build_central_id_cmd(UNUSED_ATTR uint8_t cmd_code,
566                                         tSMP_CB* p_cb) {
567   uint8_t* p;
568   BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_CENTRAL_ID_SIZE +
569                                       L2CAP_MIN_OFFSET);
570 
571   SMP_TRACE_EVENT("%s", __func__);
572 
573   p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
574   UINT8_TO_STREAM(p, SMP_OPCODE_CENTRAL_ID);
575   UINT16_TO_STREAM(p, p_cb->ediv);
576   ARRAY_TO_STREAM(p, p_cb->enc_rand, BT_OCTET8_LEN);
577 
578   p_buf->offset = L2CAP_MIN_OFFSET;
579   p_buf->len = SMP_CENTRAL_ID_SIZE;
580 
581   return p_buf;
582 }
583 
584 /*******************************************************************************
585  *
586  * Function         smp_build_identity_info_cmd
587  *
588  * Description      Build identity information command.
589  *
590  ******************************************************************************/
smp_build_identity_info_cmd(UNUSED_ATTR uint8_t cmd_code,UNUSED_ATTR tSMP_CB * p_cb)591 static BT_HDR* smp_build_identity_info_cmd(UNUSED_ATTR uint8_t cmd_code,
592                                            UNUSED_ATTR tSMP_CB* p_cb) {
593   uint8_t* p;
594   BT_HDR* p_buf =
595       (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ID_INFO_SIZE + L2CAP_MIN_OFFSET);
596 
597   SMP_TRACE_EVENT("%s", __func__);
598 
599   p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
600 
601   const Octet16& irk = BTM_GetDeviceIDRoot();
602 
603   UINT8_TO_STREAM(p, SMP_OPCODE_IDENTITY_INFO);
604   ARRAY_TO_STREAM(p, irk.data(), OCTET16_LEN);
605 
606   p_buf->offset = L2CAP_MIN_OFFSET;
607   p_buf->len = SMP_ID_INFO_SIZE;
608 
609   return p_buf;
610 }
611 
612 /*******************************************************************************
613  *
614  * Function         smp_build_id_addr_cmd
615  *
616  * Description      Build identity address information command.
617  *
618  ******************************************************************************/
smp_build_id_addr_cmd(UNUSED_ATTR uint8_t cmd_code,UNUSED_ATTR tSMP_CB * p_cb)619 static BT_HDR* smp_build_id_addr_cmd(UNUSED_ATTR uint8_t cmd_code,
620                                      UNUSED_ATTR tSMP_CB* p_cb) {
621   uint8_t* p;
622   BT_HDR* p_buf =
623       (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ID_ADDR_SIZE + L2CAP_MIN_OFFSET);
624 
625   SMP_TRACE_EVENT("%s", __func__);
626 
627   p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
628   UINT8_TO_STREAM(p, SMP_OPCODE_ID_ADDR);
629   UINT8_TO_STREAM(p, 0);
630   BDADDR_TO_STREAM(p, *controller_get_interface()->get_address());
631 
632   p_buf->offset = L2CAP_MIN_OFFSET;
633   p_buf->len = SMP_ID_ADDR_SIZE;
634 
635   return p_buf;
636 }
637 
638 /*******************************************************************************
639  *
640  * Function         smp_build_signing_info_cmd
641  *
642  * Description      Build signing information command.
643  *
644  ******************************************************************************/
smp_build_signing_info_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)645 static BT_HDR* smp_build_signing_info_cmd(UNUSED_ATTR uint8_t cmd_code,
646                                           tSMP_CB* p_cb) {
647   uint8_t* p;
648   BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_SIGN_INFO_SIZE +
649                                       L2CAP_MIN_OFFSET);
650 
651   SMP_TRACE_EVENT("%s", __func__);
652 
653   p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
654   UINT8_TO_STREAM(p, SMP_OPCODE_SIGN_INFO);
655   ARRAY_TO_STREAM(p, p_cb->csrk, OCTET16_LEN);
656 
657   p_buf->offset = L2CAP_MIN_OFFSET;
658   p_buf->len = SMP_SIGN_INFO_SIZE;
659 
660   return p_buf;
661 }
662 
663 /*******************************************************************************
664  *
665  * Function         smp_build_pairing_fail
666  *
667  * Description      Build Pairing Fail command.
668  *
669  ******************************************************************************/
smp_build_pairing_fail(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)670 static BT_HDR* smp_build_pairing_fail(UNUSED_ATTR uint8_t cmd_code,
671                                       tSMP_CB* p_cb) {
672   uint8_t* p;
673   BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_FAIL_SIZE +
674                                       L2CAP_MIN_OFFSET);
675 
676   SMP_TRACE_EVENT("%s", __func__);
677 
678   p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
679   UINT8_TO_STREAM(p, SMP_OPCODE_PAIRING_FAILED);
680   UINT8_TO_STREAM(p, p_cb->failure);
681 
682   p_buf->offset = L2CAP_MIN_OFFSET;
683   p_buf->len = SMP_PAIR_FAIL_SIZE;
684 
685   return p_buf;
686 }
687 
688 /*******************************************************************************
689  *
690  * Function         smp_build_security_request
691  *
692  * Description      Build security request command.
693  *
694  ******************************************************************************/
smp_build_security_request(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)695 static BT_HDR* smp_build_security_request(UNUSED_ATTR uint8_t cmd_code,
696                                           tSMP_CB* p_cb) {
697   uint8_t* p;
698   BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + 2 + L2CAP_MIN_OFFSET);
699 
700   SMP_TRACE_EVENT("%s", __func__);
701 
702   p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
703   UINT8_TO_STREAM(p, SMP_OPCODE_SEC_REQ);
704   UINT8_TO_STREAM(p, p_cb->loc_auth_req);
705 
706   p_buf->offset = L2CAP_MIN_OFFSET;
707   p_buf->len = SMP_SECURITY_REQUEST_SIZE;
708 
709   SMP_TRACE_EVENT("opcode=%d auth_req=0x%x", SMP_OPCODE_SEC_REQ,
710                   p_cb->loc_auth_req);
711 
712   return p_buf;
713 }
714 
715 /*******************************************************************************
716  *
717  * Function         smp_build_pair_public_key_cmd
718  *
719  * Description      Build pairing public key command.
720  *
721  ******************************************************************************/
smp_build_pair_public_key_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)722 static BT_HDR* smp_build_pair_public_key_cmd(UNUSED_ATTR uint8_t cmd_code,
723                                              tSMP_CB* p_cb) {
724   uint8_t* p;
725   uint8_t publ_key[2 * BT_OCTET32_LEN];
726   uint8_t* p_publ_key = publ_key;
727   BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_PUBL_KEY_SIZE +
728                                       L2CAP_MIN_OFFSET);
729 
730   SMP_TRACE_EVENT("%s", __func__);
731 
732   memcpy(p_publ_key, p_cb->loc_publ_key.x, BT_OCTET32_LEN);
733   memcpy(p_publ_key + BT_OCTET32_LEN, p_cb->loc_publ_key.y, BT_OCTET32_LEN);
734 
735   p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
736   UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_PUBLIC_KEY);
737   ARRAY_TO_STREAM(p, p_publ_key, 2 * BT_OCTET32_LEN);
738 
739   p_buf->offset = L2CAP_MIN_OFFSET;
740   p_buf->len = SMP_PAIR_PUBL_KEY_SIZE;
741 
742   return p_buf;
743 }
744 
745 /*******************************************************************************
746  *
747  * Function         smp_build_pairing_commitment_cmd
748  *
749  * Description      Build pairing commitment command.
750  *
751  ******************************************************************************/
smp_build_pairing_commitment_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)752 static BT_HDR* smp_build_pairing_commitment_cmd(UNUSED_ATTR uint8_t cmd_code,
753                                                 tSMP_CB* p_cb) {
754   uint8_t* p;
755   BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_COMMITM_SIZE +
756                                       L2CAP_MIN_OFFSET);
757 
758   SMP_TRACE_EVENT("%s", __func__);
759 
760   p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
761   UINT8_TO_STREAM(p, SMP_OPCODE_CONFIRM);
762   ARRAY_TO_STREAM(p, p_cb->commitment, OCTET16_LEN);
763 
764   p_buf->offset = L2CAP_MIN_OFFSET;
765   p_buf->len = SMP_PAIR_COMMITM_SIZE;
766 
767   return p_buf;
768 }
769 
770 /*******************************************************************************
771  *
772  * Function         smp_build_pair_dhkey_check_cmd
773  *
774  * Description      Build pairing DHKey check command.
775  *
776  ******************************************************************************/
smp_build_pair_dhkey_check_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)777 static BT_HDR* smp_build_pair_dhkey_check_cmd(UNUSED_ATTR uint8_t cmd_code,
778                                               tSMP_CB* p_cb) {
779   uint8_t* p;
780   BT_HDR* p_buf = (BT_HDR*)osi_malloc(
781       sizeof(BT_HDR) + SMP_PAIR_DHKEY_CHECK_SIZE + L2CAP_MIN_OFFSET);
782 
783   SMP_TRACE_EVENT("%s", __func__);
784 
785   p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
786   UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_DHKEY_CHECK);
787   ARRAY_TO_STREAM(p, p_cb->dhkey_check, OCTET16_LEN);
788 
789   p_buf->offset = L2CAP_MIN_OFFSET;
790   p_buf->len = SMP_PAIR_DHKEY_CHECK_SIZE;
791 
792   return p_buf;
793 }
794 
795 /*******************************************************************************
796  *
797  * Function         smp_build_pairing_keypress_notification_cmd
798  *
799  * Description      Build keypress notification command.
800  *
801  ******************************************************************************/
smp_build_pairing_keypress_notification_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)802 static BT_HDR* smp_build_pairing_keypress_notification_cmd(
803     UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb) {
804   uint8_t* p;
805   BT_HDR* p_buf = (BT_HDR*)osi_malloc(
806       sizeof(BT_HDR) + SMP_PAIR_KEYPR_NOTIF_SIZE + L2CAP_MIN_OFFSET);
807 
808   SMP_TRACE_EVENT("%s", __func__);
809 
810   p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
811   UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_KEYPR_NOTIF);
812   UINT8_TO_STREAM(p, p_cb->local_keypress_notification);
813 
814   p_buf->offset = L2CAP_MIN_OFFSET;
815   p_buf->len = SMP_PAIR_KEYPR_NOTIF_SIZE;
816 
817   return p_buf;
818 }
819 
820 /** This function is called to convert a 6 to 16 digits numeric character string
821  * into SMP TK. */
smp_convert_string_to_tk(Octet16 * tk,uint32_t passkey)822 void smp_convert_string_to_tk(Octet16* tk, uint32_t passkey) {
823   uint8_t* p = tk->data();
824   tSMP_KEY key;
825   SMP_TRACE_EVENT("smp_convert_string_to_tk");
826   UINT32_TO_STREAM(p, passkey);
827 
828   key.key_type = SMP_KEY_TYPE_TK;
829   key.p_data = tk->data();
830 
831   tSMP_INT_DATA smp_int_data;
832   smp_int_data.key = key;
833   smp_sm_event(&smp_cb, SMP_KEY_READY_EVT, &smp_int_data);
834 }
835 
836 /** This function is called to mask off the encryption key based on the maximum
837  * encryption key size. */
smp_mask_enc_key(uint8_t loc_enc_size,Octet16 * p_data)838 void smp_mask_enc_key(uint8_t loc_enc_size, Octet16* p_data) {
839   SMP_TRACE_EVENT("smp_mask_enc_key");
840   if (loc_enc_size < OCTET16_LEN) {
841     for (; loc_enc_size < OCTET16_LEN; loc_enc_size++)
842       (*p_data)[loc_enc_size] = 0;
843   }
844   return;
845 }
846 
847 /** utility function to do an biteise exclusive-OR of two bit strings of the
848  * length of OCTET16_LEN. Result is stored in first argument.
849  */
smp_xor_128(Octet16 * a,const Octet16 & b)850 void smp_xor_128(Octet16* a, const Octet16& b) {
851   CHECK(a);
852   uint8_t i, *aa = a->data();
853   const uint8_t* bb = b.data();
854 
855   for (i = 0; i < OCTET16_LEN; i++) {
856     aa[i] = aa[i] ^ bb[i];
857   }
858 }
859 
860 /*******************************************************************************
861  *
862  * Function         smp_cb_cleanup
863  *
864  * Description      Clean up SMP control block
865  *
866  * Returns          void
867  *
868  ******************************************************************************/
smp_cb_cleanup(tSMP_CB * p_cb)869 void smp_cb_cleanup(tSMP_CB* p_cb) {
870   tSMP_CALLBACK* p_callback = p_cb->p_callback;
871   uint8_t trace_level = p_cb->trace_level;
872   alarm_t* smp_rsp_timer_ent = p_cb->smp_rsp_timer_ent;
873   alarm_t* delayed_auth_timer_ent = p_cb->delayed_auth_timer_ent;
874 
875   SMP_TRACE_EVENT("smp_cb_cleanup");
876 
877   alarm_cancel(p_cb->smp_rsp_timer_ent);
878   alarm_cancel(p_cb->delayed_auth_timer_ent);
879   memset(p_cb, 0, sizeof(tSMP_CB));
880   p_cb->p_callback = p_callback;
881   p_cb->trace_level = trace_level;
882   p_cb->smp_rsp_timer_ent = smp_rsp_timer_ent;
883   p_cb->delayed_auth_timer_ent = delayed_auth_timer_ent;
884 }
885 
886 /*******************************************************************************
887  *
888  * Function         smp_remove_fixed_channel
889  *
890  * Description      This function is called to remove the fixed channel
891  *
892  * Returns          void
893  *
894  ******************************************************************************/
smp_remove_fixed_channel(tSMP_CB * p_cb)895 void smp_remove_fixed_channel(tSMP_CB* p_cb) {
896   SMP_TRACE_DEBUG("%s", __func__);
897 
898   if (p_cb->smp_over_br)
899     L2CA_RemoveFixedChnl(L2CAP_SMP_BR_CID, p_cb->pairing_bda);
900   else
901     L2CA_RemoveFixedChnl(L2CAP_SMP_CID, p_cb->pairing_bda);
902 }
903 
904 /*******************************************************************************
905  *
906  * Function         smp_reset_control_value
907  *
908  * Description      This function is called to reset the control block value
909  *                  when the pairing procedure finished.
910  *
911  *
912  * Returns          void
913  *
914  ******************************************************************************/
smp_reset_control_value(tSMP_CB * p_cb)915 void smp_reset_control_value(tSMP_CB* p_cb) {
916   SMP_TRACE_EVENT("%s", __func__);
917 
918   alarm_cancel(p_cb->smp_rsp_timer_ent);
919   p_cb->flags = 0;
920   /* set the link idle timer to drop the link when pairing is done
921      usually service discovery will follow authentication complete, to avoid
922      racing condition for a link down/up, set link idle timer to be
923      SMP_LINK_TOUT_MIN to guarantee SMP key exchange */
924   L2CA_SetIdleTimeoutByBdAddr(p_cb->pairing_bda, SMP_LINK_TOUT_MIN,
925                               BT_TRANSPORT_LE);
926 
927   /* We can tell L2CAP to remove the fixed channel (if it has one) */
928   smp_remove_fixed_channel(p_cb);
929   smp_cb_cleanup(p_cb);
930 }
931 
932 /*******************************************************************************
933  *
934  * Function         smp_proc_pairing_cmpl
935  *
936  * Description      This function is called to process pairing complete
937  *
938  *
939  * Returns          void
940  *
941  ******************************************************************************/
smp_proc_pairing_cmpl(tSMP_CB * p_cb)942 void smp_proc_pairing_cmpl(tSMP_CB* p_cb) {
943   tSMP_EVT_DATA evt_data = {0};
944   tSMP_CALLBACK* p_callback = p_cb->p_callback;
945 
946   evt_data.cmplt.reason = p_cb->status;
947   evt_data.cmplt.smp_over_br = p_cb->smp_over_br;
948 
949   LOG_DEBUG(
950       "Pairing process has completed to remote:%s reason:0x%0x sec_level=0x%0x",
951       PRIVATE_ADDRESS(p_cb->pairing_bda), evt_data.cmplt.reason,
952       evt_data.cmplt.sec_level);
953 
954   if (p_cb->status == SMP_SUCCESS) evt_data.cmplt.sec_level = p_cb->sec_level;
955 
956   evt_data.cmplt.is_pair_cancel = false;
957 
958   if (p_cb->is_pair_cancel) evt_data.cmplt.is_pair_cancel = true;
959 
960   RawAddress pairing_bda = p_cb->pairing_bda;
961 
962   smp_reset_control_value(p_cb);
963 
964   if (p_callback) (*p_callback)(SMP_COMPLT_EVT, pairing_bda, &evt_data);
965 }
966 
967 /*******************************************************************************
968  *
969  * Function         smp_command_has_invalid_length
970  *
971  * Description      Checks if the received SMP command has invalid length
972  *                  It returns true if the command has invalid length.
973  *
974  * Returns          true if the command has invalid length, false otherwise.
975  *
976  ******************************************************************************/
smp_command_has_invalid_length(tSMP_CB * p_cb)977 bool smp_command_has_invalid_length(tSMP_CB* p_cb) {
978   uint8_t cmd_code = p_cb->rcvd_cmd_code;
979 
980   if ((cmd_code > (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */)) ||
981       (cmd_code < SMP_OPCODE_MIN)) {
982     SMP_TRACE_WARNING("%s: Received command with RESERVED code 0x%02x",
983                       __func__, cmd_code);
984     return true;
985   }
986 
987   if (!smp_command_has_valid_fixed_length(p_cb)) {
988     return true;
989   }
990 
991   return false;
992 }
993 
994 /*******************************************************************************
995  *
996  * Function         smp_command_has_invalid_parameters
997  *
998  * Description      Checks if the received SMP command has invalid parameters
999  *                  i.e. if the command length is valid and the command
1000  *                  parameters are inside specified range.
1001  *                  It returns true if the command has invalid parameters.
1002  *
1003  * Returns          true if the command has invalid parameters, false otherwise.
1004  *
1005  ******************************************************************************/
smp_command_has_invalid_parameters(tSMP_CB * p_cb)1006 bool smp_command_has_invalid_parameters(tSMP_CB* p_cb) {
1007   uint8_t cmd_code = p_cb->rcvd_cmd_code;
1008 
1009   if ((cmd_code > (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */)) ||
1010       (cmd_code < SMP_OPCODE_MIN)) {
1011     SMP_TRACE_WARNING("%s: Received command with RESERVED code 0x%02x",
1012                       __func__, cmd_code);
1013     return true;
1014   }
1015 
1016   if (!(*smp_cmd_len_is_valid[cmd_code])(p_cb)) {
1017     SMP_TRACE_WARNING("%s: Command length not valid for cmd_code 0x%02x",
1018                       __func__, cmd_code);
1019     return true;
1020   }
1021 
1022   if (!(*smp_cmd_param_ranges_are_valid[cmd_code])(p_cb)) {
1023     SMP_TRACE_WARNING("%s: Parameter ranges not valid code 0x%02x", __func__,
1024                       cmd_code);
1025     return true;
1026   }
1027 
1028   return false;
1029 }
1030 
1031 /*******************************************************************************
1032  *
1033  * Function         smp_command_has_valid_fixed_length
1034  *
1035  * Description      Checks if the received command size is equal to the size
1036  *                  according to specs.
1037  *
1038  * Returns          true if the command size is as expected, false otherwise.
1039  *
1040  * Note             The command is expected to have fixed length.
1041  ******************************************************************************/
smp_command_has_valid_fixed_length(tSMP_CB * p_cb)1042 bool smp_command_has_valid_fixed_length(tSMP_CB* p_cb) {
1043   uint8_t cmd_code = p_cb->rcvd_cmd_code;
1044 
1045   SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, cmd_code);
1046 
1047   if (p_cb->rcvd_cmd_len != smp_cmd_size_per_spec[cmd_code]) {
1048     SMP_TRACE_WARNING(
1049         "Rcvd from the peer cmd 0x%02x with invalid length "
1050         "0x%02x (per spec the length is 0x%02x).",
1051         cmd_code, p_cb->rcvd_cmd_len, smp_cmd_size_per_spec[cmd_code]);
1052     return false;
1053   }
1054 
1055   return true;
1056 }
1057 
1058 /*******************************************************************************
1059  *
1060  * Function         smp_pairing_request_response_parameters_are_valid
1061  *
1062  * Description      Validates parameter ranges in the received SMP command
1063  *                  pairing request or pairing response.
1064  *                  The parameters to validate:
1065  *                  IO capability,
1066  *                  OOB data flag,
1067  *                  Bonding_flags in AuthReq
1068  *                  Maximum encryption key size.
1069  *                  Returns false if at least one of these parameters is out of
1070  *                  range.
1071  *
1072  ******************************************************************************/
smp_pairing_request_response_parameters_are_valid(tSMP_CB * p_cb)1073 bool smp_pairing_request_response_parameters_are_valid(tSMP_CB* p_cb) {
1074   uint8_t io_caps = p_cb->peer_io_caps;
1075   uint8_t oob_flag = p_cb->peer_oob_flag;
1076   uint8_t bond_flag =
1077       p_cb->peer_auth_req & 0x03;  // 0x03 is gen bond with appropriate mask
1078   uint8_t enc_size = p_cb->peer_enc_size;
1079 
1080   SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, p_cb->rcvd_cmd_code);
1081 
1082   if (io_caps >= BTM_IO_CAP_MAX) {
1083     SMP_TRACE_WARNING(
1084         "Rcvd from the peer cmd 0x%02x with IO Capability "
1085         "value (0x%02x) out of range).",
1086         p_cb->rcvd_cmd_code, io_caps);
1087     return false;
1088   }
1089 
1090   if (!((oob_flag == SMP_OOB_NONE) || (oob_flag == SMP_OOB_PRESENT))) {
1091     SMP_TRACE_WARNING(
1092         "Rcvd from the peer cmd 0x%02x with OOB data flag value "
1093         "(0x%02x) out of range).",
1094         p_cb->rcvd_cmd_code, oob_flag);
1095     return false;
1096   }
1097 
1098   if (!((bond_flag == SMP_AUTH_NO_BOND) || (bond_flag == SMP_AUTH_BOND))) {
1099     SMP_TRACE_WARNING(
1100         "Rcvd from the peer cmd 0x%02x with Bonding_Flags value (0x%02x) "
1101         "out of range).",
1102         p_cb->rcvd_cmd_code, bond_flag);
1103     return false;
1104   }
1105 
1106   if ((enc_size < SMP_ENCR_KEY_SIZE_MIN) ||
1107       (enc_size > SMP_ENCR_KEY_SIZE_MAX)) {
1108     SMP_TRACE_WARNING(
1109         "Rcvd from the peer cmd 0x%02x with Maximum Encryption "
1110         "Key value (0x%02x) out of range).",
1111         p_cb->rcvd_cmd_code, enc_size);
1112     return false;
1113   }
1114 
1115   return true;
1116 }
1117 
1118 /*******************************************************************************
1119  *
1120  * Function         smp_pairing_keypress_notification_is_valid
1121  *
1122  * Description      Validates Notification Type parameter range in the received
1123  *                  SMP command pairing keypress notification.
1124  *                  Returns false if this parameter is out of range.
1125  *
1126  ******************************************************************************/
smp_pairing_keypress_notification_is_valid(tSMP_CB * p_cb)1127 bool smp_pairing_keypress_notification_is_valid(tSMP_CB* p_cb) {
1128   tSMP_SC_KEY_TYPE keypress_notification = p_cb->peer_keypress_notification;
1129 
1130   SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, p_cb->rcvd_cmd_code);
1131 
1132   if (keypress_notification >= SMP_SC_KEY_OUT_OF_RANGE) {
1133     SMP_TRACE_WARNING(
1134         "Rcvd from the peer cmd 0x%02x with Pairing Keypress "
1135         "Notification value (0x%02x) out of range).",
1136         p_cb->rcvd_cmd_code, keypress_notification);
1137     return false;
1138   }
1139 
1140   return true;
1141 }
1142 
1143 /*******************************************************************************
1144  *
1145  * Function         smp_parameter_unconditionally_valid
1146  *
1147  * Description      Always returns true.
1148  *
1149  ******************************************************************************/
smp_parameter_unconditionally_valid(UNUSED_ATTR tSMP_CB * p_cb)1150 bool smp_parameter_unconditionally_valid(UNUSED_ATTR tSMP_CB* p_cb) {
1151   return true;
1152 }
1153 
1154 /*******************************************************************************
1155  *
1156  * Function         smp_parameter_unconditionally_invalid
1157  *
1158  * Description      Always returns false.
1159  *
1160  ******************************************************************************/
smp_parameter_unconditionally_invalid(UNUSED_ATTR tSMP_CB * p_cb)1161 bool smp_parameter_unconditionally_invalid(UNUSED_ATTR tSMP_CB* p_cb) {
1162   return false;
1163 }
1164 
1165 /*******************************************************************************
1166  *
1167  * Function         smp_reject_unexpected_pairing_command
1168  *
1169  * Description      send pairing failure to an unexpected pairing command during
1170  *                  an active pairing process.
1171  *
1172  * Returns          void
1173  *
1174  ******************************************************************************/
smp_reject_unexpected_pairing_command(const RawAddress & bd_addr)1175 void smp_reject_unexpected_pairing_command(const RawAddress& bd_addr) {
1176   uint8_t* p;
1177   BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_FAIL_SIZE +
1178                                       L2CAP_MIN_OFFSET);
1179 
1180   SMP_TRACE_DEBUG("%s", __func__);
1181 
1182   p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
1183   UINT8_TO_STREAM(p, SMP_OPCODE_PAIRING_FAILED);
1184   UINT8_TO_STREAM(p, SMP_PAIR_NOT_SUPPORT);
1185 
1186   p_buf->offset = L2CAP_MIN_OFFSET;
1187   p_buf->len = SMP_PAIR_FAIL_SIZE;
1188 
1189   smp_send_msg_to_L2CAP(bd_addr, p_buf);
1190 }
1191 
1192 /*******************************************************************************
1193  * Function         smp_select_association_model
1194  *
1195  * Description      This function selects association model to use for STK
1196  *                  generation. Selection is based on both sides' io capability,
1197  *                  oob data flag and authentication request.
1198  *
1199  * Note             If Secure Connections Only mode is required locally then we
1200  *                  come to this point only if both sides support Secure
1201  *                  Connections mode, i.e.
1202  *                  if p_cb->secure_connections_only_mode_required = true
1203  *                  then we come to this point only if
1204  *                      (p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT) ==
1205  *                      (p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) ==
1206  *                      SMP_SC_SUPPORT_BIT
1207  *
1208  ******************************************************************************/
smp_select_association_model(tSMP_CB * p_cb)1209 tSMP_ASSO_MODEL smp_select_association_model(tSMP_CB* p_cb) {
1210   tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE;
1211   p_cb->le_secure_connections_mode_is_used = false;
1212 
1213   SMP_TRACE_EVENT("%s", __func__);
1214   SMP_TRACE_DEBUG("%s p_cb->peer_io_caps = %d p_cb->local_io_capability = %d",
1215                   __func__, p_cb->peer_io_caps, p_cb->local_io_capability);
1216   SMP_TRACE_DEBUG("%s p_cb->peer_oob_flag = %d p_cb->loc_oob_flag = %d",
1217                   __func__, p_cb->peer_oob_flag, p_cb->loc_oob_flag);
1218   SMP_TRACE_DEBUG("%s p_cb->peer_auth_req = 0x%02x p_cb->loc_auth_req = 0x%02x",
1219                   __func__, p_cb->peer_auth_req, p_cb->loc_auth_req);
1220   SMP_TRACE_DEBUG(
1221       "%s p_cb->secure_connections_only_mode_required = %s", __func__,
1222       p_cb->secure_connections_only_mode_required ? "true" : "false");
1223 
1224   if ((p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT) &&
1225       (p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT)) {
1226     p_cb->le_secure_connections_mode_is_used = true;
1227   }
1228 
1229   if ((p_cb->peer_auth_req & SMP_H7_SUPPORT_BIT) &&
1230       (p_cb->loc_auth_req & SMP_H7_SUPPORT_BIT)) {
1231     p_cb->key_derivation_h7_used = TRUE;
1232   }
1233 
1234   SMP_TRACE_DEBUG("use_sc_process = %d, h7 use = %d",
1235                   p_cb->le_secure_connections_mode_is_used,
1236                   p_cb->key_derivation_h7_used);
1237 
1238   if (p_cb->le_secure_connections_mode_is_used) {
1239     model = smp_select_association_model_secure_connections(p_cb);
1240   } else {
1241     model = smp_select_legacy_association_model(p_cb);
1242   }
1243   return model;
1244 }
1245 
1246 /*******************************************************************************
1247  * Function         smp_select_legacy_association_model
1248  *
1249  * Description      This function is called to select association mode if at
1250  *                  least one side doesn't support secure connections.
1251  *
1252  ******************************************************************************/
smp_select_legacy_association_model(tSMP_CB * p_cb)1253 tSMP_ASSO_MODEL smp_select_legacy_association_model(tSMP_CB* p_cb) {
1254   tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE;
1255 
1256   SMP_TRACE_DEBUG("%s", __func__);
1257   /* if OOB data is present on both devices, then use OOB association model */
1258   if (p_cb->peer_oob_flag == SMP_OOB_PRESENT &&
1259       p_cb->loc_oob_flag == SMP_OOB_PRESENT)
1260     return SMP_MODEL_OOB;
1261 
1262   /* else if neither device requires MITM, then use Just Works association model
1263    */
1264   if (SMP_NO_MITM_REQUIRED(p_cb->peer_auth_req) &&
1265       SMP_NO_MITM_REQUIRED(p_cb->loc_auth_req))
1266     return SMP_MODEL_ENCRYPTION_ONLY;
1267 
1268   /* otherwise use IO capability to select association model */
1269   if (p_cb->peer_io_caps < SMP_IO_CAP_MAX &&
1270       p_cb->local_io_capability < SMP_IO_CAP_MAX) {
1271     if (p_cb->role == HCI_ROLE_CENTRAL) {
1272       model = smp_association_table[p_cb->role][p_cb->peer_io_caps]
1273                                    [p_cb->local_io_capability];
1274     } else {
1275       model = smp_association_table[p_cb->role][p_cb->local_io_capability]
1276                                    [p_cb->peer_io_caps];
1277     }
1278   }
1279 
1280   return model;
1281 }
1282 
1283 /*******************************************************************************
1284  * Function         smp_select_association_model_secure_connections
1285  *
1286  * Description      This function is called to select association mode if both
1287  *                  sides support secure connections.
1288  *
1289  ******************************************************************************/
smp_select_association_model_secure_connections(tSMP_CB * p_cb)1290 tSMP_ASSO_MODEL smp_select_association_model_secure_connections(tSMP_CB* p_cb) {
1291   tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE;
1292 
1293   SMP_TRACE_DEBUG("%s", __func__);
1294   /* if OOB data is present on at least one device, then use OOB association
1295    * model */
1296   if (p_cb->peer_oob_flag == SMP_OOB_PRESENT ||
1297       p_cb->loc_oob_flag == SMP_OOB_PRESENT)
1298     return SMP_MODEL_SEC_CONN_OOB;
1299 
1300   /* else if neither device requires MITM, then use Just Works association model
1301    */
1302   if (SMP_NO_MITM_REQUIRED(p_cb->peer_auth_req) &&
1303       SMP_NO_MITM_REQUIRED(p_cb->loc_auth_req))
1304     return SMP_MODEL_SEC_CONN_JUSTWORKS;
1305 
1306   /* otherwise use IO capability to select association model */
1307   if (p_cb->peer_io_caps < SMP_IO_CAP_MAX &&
1308       p_cb->local_io_capability < SMP_IO_CAP_MAX) {
1309     if (p_cb->role == HCI_ROLE_CENTRAL) {
1310       model = smp_association_table_sc[p_cb->role][p_cb->peer_io_caps]
1311                                       [p_cb->local_io_capability];
1312     } else {
1313       model = smp_association_table_sc[p_cb->role][p_cb->local_io_capability]
1314                                       [p_cb->peer_io_caps];
1315     }
1316   }
1317 
1318   return model;
1319 }
1320 
1321 /*******************************************************************************
1322  * Function         smp_calculate_random_input
1323  *
1324  * Description      This function returns random input value to be used in
1325  *                  commitment calculation for SC passkey entry association mode
1326  *                  (if bit["round"] in "random" array == 1 then returns 0x81
1327  *                   else returns 0x80).
1328  *
1329  * Returns          ri value
1330  *
1331  ******************************************************************************/
smp_calculate_random_input(uint8_t * random,uint8_t round)1332 uint8_t smp_calculate_random_input(uint8_t* random, uint8_t round) {
1333   uint8_t i = round / 8;
1334   uint8_t j = round % 8;
1335   uint8_t ri;
1336 
1337   SMP_TRACE_DEBUG("random: 0x%02x, round: %d, i: %d, j: %d", random[i], round,
1338                   i, j);
1339   ri = ((random[i] >> j) & 1) | 0x80;
1340   SMP_TRACE_DEBUG("%s ri=0x%02x", __func__, ri);
1341   return ri;
1342 }
1343 
1344 /*******************************************************************************
1345  * Function         smp_collect_local_io_capabilities
1346  *
1347  * Description      This function puts into IOcap array local device
1348  *                  IOCapability, OOB data, AuthReq.
1349  *
1350  * Returns          void
1351  *
1352  ******************************************************************************/
smp_collect_local_io_capabilities(uint8_t * iocap,tSMP_CB * p_cb)1353 void smp_collect_local_io_capabilities(uint8_t* iocap, tSMP_CB* p_cb) {
1354   SMP_TRACE_DEBUG("%s", __func__);
1355 
1356   iocap[0] = p_cb->local_io_capability;
1357   iocap[1] = p_cb->loc_oob_flag;
1358   iocap[2] = p_cb->loc_auth_req;
1359 }
1360 
1361 /*******************************************************************************
1362  * Function         smp_collect_peer_io_capabilities
1363  *
1364  * Description      This function puts into IOcap array peer device
1365  *                  IOCapability, OOB data, AuthReq.
1366  *
1367  * Returns          void
1368  *
1369  ******************************************************************************/
smp_collect_peer_io_capabilities(uint8_t * iocap,tSMP_CB * p_cb)1370 void smp_collect_peer_io_capabilities(uint8_t* iocap, tSMP_CB* p_cb) {
1371   SMP_TRACE_DEBUG("%s", __func__);
1372 
1373   iocap[0] = p_cb->peer_io_caps;
1374   iocap[1] = p_cb->peer_oob_flag;
1375   iocap[2] = p_cb->peer_auth_req;
1376 }
1377 
1378 /*******************************************************************************
1379  * Function         smp_collect_local_ble_address
1380  *
1381  * Description      Put the the local device LE address into the le_addr array:
1382  *                  le_addr[0-5] = local BD ADDR,
1383  *                  le_addr[6] = local le address type (PUBLIC/RANDOM).
1384  *
1385  * Returns          void
1386  *
1387  ******************************************************************************/
smp_collect_local_ble_address(uint8_t * le_addr,tSMP_CB * p_cb)1388 void smp_collect_local_ble_address(uint8_t* le_addr, tSMP_CB* p_cb) {
1389   tBLE_ADDR_TYPE addr_type = BLE_ADDR_PUBLIC;
1390   RawAddress bda;
1391   uint8_t* p = le_addr;
1392 
1393   SMP_TRACE_DEBUG("%s", __func__);
1394 
1395   BTM_ReadConnectionAddr(p_cb->pairing_bda, bda, &addr_type);
1396   BDADDR_TO_STREAM(p, bda);
1397   UINT8_TO_STREAM(p, addr_type);
1398 }
1399 
1400 /*******************************************************************************
1401  * Function         smp_collect_peer_ble_address
1402  *
1403  * Description      Put the peer device LE addr into the le_addr array:
1404  *                  le_addr[0-5] = peer BD ADDR,
1405  *                  le_addr[6] = peer le address type (PUBLIC/RANDOM).
1406  *
1407  * Returns          void
1408  *
1409  ******************************************************************************/
smp_collect_peer_ble_address(uint8_t * le_addr,tSMP_CB * p_cb)1410 void smp_collect_peer_ble_address(uint8_t* le_addr, tSMP_CB* p_cb) {
1411   tBLE_ADDR_TYPE addr_type = BLE_ADDR_PUBLIC;
1412   RawAddress bda;
1413   uint8_t* p = le_addr;
1414 
1415   SMP_TRACE_DEBUG("%s", __func__);
1416 
1417   if (!BTM_ReadRemoteConnectionAddr(p_cb->pairing_bda, bda, &addr_type)) {
1418     SMP_TRACE_ERROR(
1419         "can not collect peer le addr information for unknown device");
1420     return;
1421   }
1422 
1423   BDADDR_TO_STREAM(p, bda);
1424   UINT8_TO_STREAM(p, addr_type);
1425 }
1426 
1427 /*******************************************************************************
1428  * Function         smp_check_commitment
1429  *
1430  * Description      This function compares peer commitment values:
1431  *                  - expected (i.e. calculated locally),
1432  *                  - received from the peer.
1433  *
1434  * Returns          true  if the values are the same
1435  *                  false otherwise
1436  *
1437  ******************************************************************************/
smp_check_commitment(tSMP_CB * p_cb)1438 bool smp_check_commitment(tSMP_CB* p_cb) {
1439 
1440   SMP_TRACE_DEBUG("%s", __func__);
1441 
1442   Octet16 expected = smp_calculate_peer_commitment(p_cb);
1443   print128(expected, (const uint8_t*)"calculated peer commitment");
1444   print128(p_cb->remote_commitment, (const uint8_t*)"received peer commitment");
1445 
1446   if (memcmp(p_cb->remote_commitment.data(), expected.data(), OCTET16_LEN)) {
1447     SMP_TRACE_WARNING("%s: Commitment check fails", __func__);
1448     return false;
1449   }
1450 
1451   SMP_TRACE_DEBUG("%s: Commitment check succeeds", __func__);
1452   return true;
1453 }
1454 
1455 /*******************************************************************************
1456  *
1457  * Function         smp_save_secure_connections_long_term_key
1458  *
1459  * Description      The function saves SC LTK as BLE key for future use as local
1460  *                  and/or peer key.
1461  *
1462  * Returns          void
1463  *
1464  ******************************************************************************/
smp_save_secure_connections_long_term_key(tSMP_CB * p_cb)1465 void smp_save_secure_connections_long_term_key(tSMP_CB* p_cb) {
1466   tBTM_LE_KEY_VALUE lle_key;
1467   tBTM_LE_KEY_VALUE ple_key;
1468 
1469   SMP_TRACE_DEBUG("%s-Save LTK as local LTK key", __func__);
1470   lle_key.lenc_key.ltk = p_cb->ltk;
1471   lle_key.lenc_key.div = 0;
1472   lle_key.lenc_key.key_size = p_cb->loc_enc_size;
1473   lle_key.lenc_key.sec_level = p_cb->sec_level;
1474   btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC, &lle_key, true);
1475 
1476   SMP_TRACE_DEBUG("%s-Save LTK as peer LTK key", __func__);
1477   ple_key.penc_key.ediv = 0;
1478   memset(ple_key.penc_key.rand, 0, BT_OCTET8_LEN);
1479   ple_key.penc_key.ltk = p_cb->ltk;
1480   ple_key.penc_key.sec_level = p_cb->sec_level;
1481   ple_key.penc_key.key_size = p_cb->loc_enc_size;
1482   btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC, &ple_key, true);
1483 }
1484 
1485 /** The function calculates MacKey and LTK and saves them in CB. To calculate
1486  * MacKey and LTK it calls smp_calc_f5(...). MacKey is used in dhkey
1487  * calculation, LTK is used to encrypt the link. */
smp_calculate_f5_mackey_and_long_term_key(tSMP_CB * p_cb)1488 void smp_calculate_f5_mackey_and_long_term_key(tSMP_CB* p_cb) {
1489   uint8_t a[7];
1490   uint8_t b[7];
1491   Octet16 na;
1492   Octet16 nb;
1493 
1494   SMP_TRACE_DEBUG("%s", __func__);
1495 
1496   if (p_cb->role == HCI_ROLE_CENTRAL) {
1497     smp_collect_local_ble_address(a, p_cb);
1498     smp_collect_peer_ble_address(b, p_cb);
1499     na = p_cb->rand;
1500     nb = p_cb->rrand;
1501   } else {
1502     smp_collect_local_ble_address(b, p_cb);
1503     smp_collect_peer_ble_address(a, p_cb);
1504     na = p_cb->rrand;
1505     nb = p_cb->rand;
1506   }
1507 
1508   crypto_toolbox::f5(p_cb->dhkey, na, nb, a, b, &p_cb->mac_key, &p_cb->ltk);
1509 
1510   SMP_TRACE_EVENT("%s is completed", __func__);
1511 }
1512 
1513 /*******************************************************************************
1514  *
1515  * Function         smp_request_oob_data
1516  *
1517  * Description      Requests application to provide OOB data.
1518  *
1519  * Returns          true - OOB data has to be provided by application
1520  *                  false - otherwise (unexpected)
1521  *
1522  ******************************************************************************/
smp_request_oob_data(tSMP_CB * p_cb)1523 bool smp_request_oob_data(tSMP_CB* p_cb) {
1524   tSMP_OOB_DATA_TYPE req_oob_type = SMP_OOB_INVALID_TYPE;
1525 
1526   SMP_TRACE_DEBUG("%s", __func__);
1527 
1528   if (p_cb->peer_oob_flag == SMP_OOB_PRESENT &&
1529       p_cb->loc_oob_flag == SMP_OOB_PRESENT) {
1530     /* both local and peer rcvd data OOB */
1531     req_oob_type = SMP_OOB_BOTH;
1532   } else if (p_cb->peer_oob_flag == SMP_OOB_PRESENT) {
1533     /* peer rcvd OOB local data, local didn't receive OOB peer data */
1534     req_oob_type = SMP_OOB_LOCAL;
1535   } else if (p_cb->loc_oob_flag == SMP_OOB_PRESENT) {
1536     req_oob_type = SMP_OOB_PEER;
1537   }
1538 
1539   SMP_TRACE_DEBUG("req_oob_type = %d", req_oob_type);
1540 
1541   if (req_oob_type == SMP_OOB_INVALID_TYPE) return false;
1542 
1543   p_cb->req_oob_type = req_oob_type;
1544   p_cb->cb_evt = SMP_SC_OOB_REQ_EVT;
1545   tSMP_INT_DATA smp_int_data;
1546   smp_int_data.req_oob_type = req_oob_type;
1547   smp_sm_event(p_cb, SMP_TK_REQ_EVT, &smp_int_data);
1548 
1549   return true;
1550 }
1551 
print128(const Octet16 & x,const uint8_t * key_name)1552 void print128(const Octet16& x, const uint8_t* key_name) {
1553   if (VLOG_IS_ON(2) && DLOG_IS_ON(INFO)) {
1554     uint8_t* p = (uint8_t*)x.data();
1555 
1556     DVLOG(2) << key_name << " (MSB ~ LSB) = ";
1557     for (int i = 0; i < 4; i++) {
1558       DVLOG(2) << +p[OCTET16_LEN - i * 4 - 1] << +p[OCTET16_LEN - i * 4 - 2]
1559                << +p[OCTET16_LEN - i * 4 - 3] << +p[OCTET16_LEN - i * 4 - 4];
1560     }
1561   }
1562 }
1563