1 /****************************************************************************** 2 * 3 * Copyright 1999-2012 Broadcom Corporation 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License"); 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at: 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 * 17 ******************************************************************************/ 18 19 /****************************************************************************** 20 * 21 * This file contains security manager protocol utility functions 22 * 23 ******************************************************************************/ 24 #include "bt_target.h" 25 26 #include <base/bind.h> 27 #include <string.h> 28 #include "bt_utils.h" 29 #include "btm_ble_api.h" 30 #include "btm_ble_int.h" 31 #include "device/include/controller.h" 32 #include "hcimsgs.h" 33 #include "osi/include/osi.h" 34 #include "p_256_ecc_pp.h" 35 #include "smp_int.h" 36 #include "stack/btm/btm_dev.h" 37 #include "stack/btm/btm_sec.h" 38 #include "stack/crypto_toolbox/crypto_toolbox.h" 39 #include "stack/include/acl_api.h" 40 41 #include <algorithm> 42 43 extern tBTM_CB btm_cb; // TODO Remove 44 45 using base::Bind; 46 using crypto_toolbox::aes_128; 47 48 #ifndef SMP_MAX_ENC_REPEAT 49 #define SMP_MAX_ENC_REPEAT 3 50 #endif 51 52 static void smp_process_stk(tSMP_CB* p_cb, Octet16* p); 53 static Octet16 smp_calculate_legacy_short_term_key(tSMP_CB* p_cb); 54 static void smp_process_private_key(tSMP_CB* p_cb); 55 56 #define SMP_PASSKEY_MASK 0xfff00000 57 58 // If there is data saved here, then use its info instead 59 // This needs to be cleared on a successfult pairing using the oob data 60 static tSMP_LOC_OOB_DATA saved_local_oob_data = {}; 61 62 void smp_save_local_oob_data(tSMP_CB* p_cb) { 63 saved_local_oob_data = p_cb->sc_oob_data.loc_oob_data; 64 } 65 66 void smp_clear_local_oob_data() { saved_local_oob_data = {}; } 67 68 static bool is_empty(tSMP_LOC_OOB_DATA* data) { 69 tSMP_LOC_OOB_DATA empty_data = {}; 70 return memcmp(data, &empty_data, sizeof(tSMP_LOC_OOB_DATA)) == 0; 71 } 72 73 bool smp_has_local_oob_data() { return !is_empty(&saved_local_oob_data); } 74 75 void smp_debug_print_nbyte_little_endian(uint8_t* p, const char* key_name, 76 uint8_t len) {} 77 78 inline void smp_debug_print_nbyte_little_endian(const Octet16& p, 79 const char* key_name, 80 uint8_t len) { 81 smp_debug_print_nbyte_little_endian(const_cast<uint8_t*>(p.data()), key_name, 82 len); 83 } 84 85 void smp_debug_print_nbyte_big_endian(uint8_t* p, const char* key_name, 86 uint8_t len) {} 87 88 /** This function is called to process a passkey. */ 89 void smp_proc_passkey(tSMP_CB* p_cb, BT_OCTET8 rand) { 90 uint8_t* tt = p_cb->tk.data(); 91 uint32_t passkey; /* 19655 test number; */ 92 uint8_t* pp = rand; 93 94 SMP_TRACE_DEBUG("%s", __func__); 95 STREAM_TO_UINT32(passkey, pp); 96 passkey &= ~SMP_PASSKEY_MASK; 97 98 /* truncate by maximum value */ 99 while (passkey > BTM_MAX_PASSKEY_VAL) passkey >>= 1; 100 101 /* save the TK */ 102 p_cb->tk = {0}; 103 UINT32_TO_STREAM(tt, passkey); 104 105 if (p_cb->p_callback) { 106 tSMP_EVT_DATA smp_evt_data; 107 smp_evt_data.passkey = passkey; 108 (*p_cb->p_callback)(SMP_PASSKEY_NOTIF_EVT, p_cb->pairing_bda, 109 &smp_evt_data); 110 } 111 112 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_PASSKEY_DISP) { 113 tSMP_INT_DATA smp_int_data; 114 smp_int_data.passkey = passkey; 115 smp_sm_event(&smp_cb, SMP_KEY_READY_EVT, &smp_int_data); 116 } else { 117 tSMP_KEY key; 118 key.key_type = SMP_KEY_TYPE_TK; 119 key.p_data = p_cb->tk.data(); 120 tSMP_INT_DATA smp_int_data; 121 smp_int_data.key = key; 122 smp_sm_event(p_cb, SMP_KEY_READY_EVT, &smp_int_data); 123 } 124 } 125 126 /******************************************************************************* 127 * 128 * Function smp_generate_passkey 129 * 130 * Description This function is called to generate passkey. 131 * 132 * Returns void 133 * 134 ******************************************************************************/ 135 void smp_generate_passkey(tSMP_CB* p_cb, UNUSED_ATTR tSMP_INT_DATA* p_data) { 136 SMP_TRACE_DEBUG("%s", __func__); 137 /* generate MRand or SRand */ 138 btsnd_hcic_ble_rand(Bind(&smp_proc_passkey, p_cb)); 139 } 140 141 /******************************************************************************* 142 * 143 * Function smp_generate_stk 144 * 145 * Description This function is called to generate STK calculated by 146 * running AES with the TK value as key and a concatenation of 147 * the random values. 148 * 149 * Returns void 150 * 151 ******************************************************************************/ 152 void smp_generate_stk(tSMP_CB* p_cb, UNUSED_ATTR tSMP_INT_DATA* p_data) { 153 Octet16 output; 154 155 SMP_TRACE_DEBUG("%s", __func__); 156 157 if (p_cb->le_secure_connections_mode_is_used) { 158 SMP_TRACE_DEBUG("FOR LE SC LTK IS USED INSTEAD OF STK"); 159 output = p_cb->ltk; 160 } else { 161 output = smp_calculate_legacy_short_term_key(p_cb); 162 } 163 164 smp_process_stk(p_cb, &output); 165 } 166 167 /** 168 * This function is called to calculate CSRK 169 */ 170 void smp_compute_csrk(uint16_t div, tSMP_CB* p_cb) { 171 uint8_t buffer[4]; /* for (r || DIV) r=1*/ 172 uint16_t r = 1; 173 uint8_t* p = buffer; 174 175 p_cb->div = div; 176 177 SMP_TRACE_DEBUG("%s: div=%x", __func__, p_cb->div); 178 const Octet16& er = BTM_GetDeviceEncRoot(); 179 /* CSRK = d1(ER, DIV, 1) */ 180 UINT16_TO_STREAM(p, p_cb->div); 181 UINT16_TO_STREAM(p, r); 182 183 p_cb->csrk = aes_128(er, buffer, 4); 184 smp_send_csrk_info(p_cb, NULL); 185 } 186 187 /** 188 * This function is called to calculate CSRK, starting with DIV generation. 189 */ 190 void smp_generate_csrk(tSMP_CB* p_cb, UNUSED_ATTR tSMP_INT_DATA* p_data) { 191 bool div_status; 192 193 SMP_TRACE_DEBUG("smp_generate_csrk"); 194 195 div_status = btm_get_local_div(p_cb->pairing_bda, &p_cb->div); 196 if (div_status) { 197 smp_compute_csrk(p_cb->div, p_cb); 198 } else { 199 SMP_TRACE_DEBUG("Generate DIV for CSRK"); 200 btsnd_hcic_ble_rand(Bind( 201 [](tSMP_CB* p_cb, BT_OCTET8 rand) { 202 uint16_t div; 203 STREAM_TO_UINT16(div, rand); 204 smp_compute_csrk(div, p_cb); 205 }, 206 p_cb)); 207 } 208 } 209 210 /******************************************************************************* 211 * Function smp_concatenate_peer - LSB first 212 * add pairing command sent from local device into p1. 213 ******************************************************************************/ 214 void smp_concatenate_local(tSMP_CB* p_cb, uint8_t** p_data, uint8_t op_code) { 215 uint8_t* p = *p_data; 216 217 SMP_TRACE_DEBUG("%s", __func__); 218 UINT8_TO_STREAM(p, op_code); 219 UINT8_TO_STREAM(p, p_cb->local_io_capability); 220 UINT8_TO_STREAM(p, p_cb->loc_oob_flag); 221 UINT8_TO_STREAM(p, p_cb->loc_auth_req); 222 UINT8_TO_STREAM(p, p_cb->loc_enc_size); 223 UINT8_TO_STREAM(p, p_cb->local_i_key); 224 UINT8_TO_STREAM(p, p_cb->local_r_key); 225 226 *p_data = p; 227 } 228 229 /******************************************************************************* 230 * Function smp_concatenate_peer - LSB first 231 * add pairing command received from peer device into p1. 232 ******************************************************************************/ 233 void smp_concatenate_peer(tSMP_CB* p_cb, uint8_t** p_data, uint8_t op_code) { 234 uint8_t* p = *p_data; 235 236 SMP_TRACE_DEBUG("smp_concatenate_peer "); 237 UINT8_TO_STREAM(p, op_code); 238 UINT8_TO_STREAM(p, p_cb->peer_io_caps); 239 UINT8_TO_STREAM(p, p_cb->peer_oob_flag); 240 UINT8_TO_STREAM(p, p_cb->peer_auth_req); 241 UINT8_TO_STREAM(p, p_cb->peer_enc_size); 242 UINT8_TO_STREAM(p, p_cb->peer_i_key); 243 UINT8_TO_STREAM(p, p_cb->peer_r_key); 244 245 *p_data = p; 246 } 247 248 /** Generate Confirm/Compare Step1: 249 * p1 = (MSB) pres || preq || rat' || iat' (LSB) 250 * Fill in values LSB first thus 251 * p1 = iat' || rat' || preq || pres 252 */ 253 Octet16 smp_gen_p1_4_confirm(tSMP_CB* p_cb, 254 tBLE_ADDR_TYPE remote_bd_addr_type) { 255 SMP_TRACE_DEBUG("%s", __func__); 256 Octet16 p1; 257 uint8_t* p = p1.data(); 258 if (p_cb->role == HCI_ROLE_CENTRAL) { 259 /* iat': initiator's (local) address type */ 260 UINT8_TO_STREAM(p, p_cb->addr_type); 261 /* rat': responder's (remote) address type */ 262 UINT8_TO_STREAM(p, remote_bd_addr_type); 263 /* preq : Pairing Request (local) command */ 264 smp_concatenate_local(p_cb, &p, SMP_OPCODE_PAIRING_REQ); 265 /* pres : Pairing Response (remote) command */ 266 smp_concatenate_peer(p_cb, &p, SMP_OPCODE_PAIRING_RSP); 267 } else { 268 /* iat': initiator's (remote) address type */ 269 UINT8_TO_STREAM(p, remote_bd_addr_type); 270 /* rat': responder's (local) address type */ 271 UINT8_TO_STREAM(p, p_cb->addr_type); 272 /* preq : Pairing Request (remote) command */ 273 smp_concatenate_peer(p_cb, &p, SMP_OPCODE_PAIRING_REQ); 274 /* pres : Pairing Response (local) command */ 275 smp_concatenate_local(p_cb, &p, SMP_OPCODE_PAIRING_RSP); 276 } 277 smp_debug_print_nbyte_little_endian(p1, "p1 = iat' || rat' || preq || pres", 278 16); 279 280 return p1; 281 } 282 283 /** Generate Confirm/Compare Step2: 284 * p2 = (MSB) padding || ia || ra (LSB) 285 * Fill values LSB first and thus: 286 * p2 = ra || ia || padding 287 */ 288 Octet16 smp_gen_p2_4_confirm(tSMP_CB* p_cb, const RawAddress& remote_bda) { 289 SMP_TRACE_DEBUG("%s", __func__); 290 Octet16 p2{0}; 291 uint8_t* p = p2.data(); 292 /* 32-bit Padding */ 293 memset(p, 0, OCTET16_LEN); 294 if (p_cb->role == HCI_ROLE_CENTRAL) { 295 /* ra : Responder's (remote) address */ 296 BDADDR_TO_STREAM(p, remote_bda); 297 /* ia : Initiator's (local) address */ 298 BDADDR_TO_STREAM(p, p_cb->local_bda); 299 } else { 300 /* ra : Responder's (local) address */ 301 BDADDR_TO_STREAM(p, p_cb->local_bda); 302 /* ia : Initiator's (remote) address */ 303 BDADDR_TO_STREAM(p, remote_bda); 304 } 305 smp_debug_print_nbyte_little_endian(p2, "p2 = ra || ia || padding", 16); 306 return p2; 307 } 308 309 /******************************************************************************* 310 * 311 * Function smp_calculate_comfirm 312 * 313 * Description This function (c1) is called to calculate Confirm value. 314 * 315 * Returns tSMP_STATUS status of confirmation calculation 316 * 317 ******************************************************************************/ 318 tSMP_STATUS smp_calculate_comfirm(tSMP_CB* p_cb, const Octet16& rand, 319 Octet16* output) { 320 SMP_TRACE_DEBUG("%s", __func__); 321 RawAddress remote_bda; 322 tBLE_ADDR_TYPE remote_bd_addr_type = BLE_ADDR_PUBLIC; 323 /* get remote connection specific bluetooth address */ 324 if (!BTM_ReadRemoteConnectionAddr(p_cb->pairing_bda, remote_bda, 325 &remote_bd_addr_type)) { 326 SMP_TRACE_ERROR("%s: cannot obtain remote device address", __func__); 327 return SMP_PAIR_FAIL_UNKNOWN; 328 } 329 /* get local connection specific bluetooth address */ 330 BTM_ReadConnectionAddr(p_cb->pairing_bda, p_cb->local_bda, &p_cb->addr_type); 331 /* generate p1 = pres || preq || rat' || iat' */ 332 Octet16 p1 = smp_gen_p1_4_confirm(p_cb, remote_bd_addr_type); 333 /* p1' = rand XOR p1 */ 334 smp_xor_128(&p1, rand); 335 smp_debug_print_nbyte_little_endian(p1, "p1' = p1 XOR r", 16); 336 /* calculate e1 = e(k, p1'), where k = TK */ 337 smp_debug_print_nbyte_little_endian(p_cb->tk.data(), "TK", 16); 338 Octet16 e1 = aes_128(p_cb->tk, p1); 339 smp_debug_print_nbyte_little_endian(e1.data(), "e1 = e(k, p1')", 16); 340 /* generate p2 = padding || ia || ra */ 341 Octet16 p2 = smp_gen_p2_4_confirm(p_cb, remote_bda); 342 /* calculate p2' = (p2 XOR e1) */ 343 smp_xor_128(&p2, e1); 344 smp_debug_print_nbyte_little_endian(p2, "p2' = p2 XOR e1", 16); 345 /* calculate: c1 = e(k, p2') */ 346 *output = aes_128(p_cb->tk, p2); 347 return SMP_SUCCESS; 348 } 349 350 /******************************************************************************* 351 * 352 * Function smp_generate_confirm 353 * 354 * Description This function is called when random number (MRand or SRand) 355 * is generated by the controller and the stack needs to 356 * calculate c1 value (MConfirm or SConfirm) for the first time 357 * 358 * Returns void 359 * 360 ******************************************************************************/ 361 static void smp_generate_confirm(tSMP_CB* p_cb) { 362 SMP_TRACE_DEBUG("%s", __func__); 363 smp_debug_print_nbyte_little_endian(p_cb->rand.data(), "local_rand", 16); 364 Octet16 output; 365 tSMP_STATUS status = smp_calculate_comfirm(p_cb, p_cb->rand, &output); 366 if (status != SMP_SUCCESS) { 367 tSMP_INT_DATA smp_int_data; 368 smp_int_data.status = status; 369 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data); 370 return; 371 } 372 tSMP_KEY key; 373 p_cb->confirm = output; 374 smp_debug_print_nbyte_little_endian(p_cb->confirm, "Local Confirm generated", 375 16); 376 key.key_type = SMP_KEY_TYPE_CFM; 377 key.p_data = output.data(); 378 tSMP_INT_DATA smp_int_data; 379 smp_int_data.key = key; 380 smp_sm_event(p_cb, SMP_KEY_READY_EVT, &smp_int_data); 381 } 382 383 /******************************************************************************* 384 * 385 * Function smp_generate_srand_mrand_confirm 386 * 387 * Description This function is called to start the second pairing phase by 388 * start generating random number. 389 * 390 * 391 * Returns void 392 * 393 ******************************************************************************/ 394 void smp_generate_srand_mrand_confirm(tSMP_CB* p_cb, 395 UNUSED_ATTR tSMP_INT_DATA* p_data) { 396 SMP_TRACE_DEBUG("%s", __func__); 397 /* generate MRand or SRand */ 398 btsnd_hcic_ble_rand(Bind( 399 [](tSMP_CB* p_cb, BT_OCTET8 rand) { 400 memcpy(p_cb->rand.data(), rand, 8); 401 402 /* generate 64 MSB of MRand or SRand */ 403 btsnd_hcic_ble_rand(Bind( 404 [](tSMP_CB* p_cb, BT_OCTET8 rand) { 405 memcpy((void*)&p_cb->rand[8], rand, BT_OCTET8_LEN); 406 smp_generate_confirm(p_cb); 407 }, 408 p_cb)); 409 }, 410 p_cb)); 411 } 412 413 /******************************************************************************* 414 * 415 * Function smp_generate_compare 416 * 417 * Description This function is called when random number (MRand or SRand) 418 * is received from remote device and the c1 value (MConfirm 419 * or SConfirm) needs to be generated to authenticate remote 420 * device. 421 * 422 * Returns void 423 * 424 ******************************************************************************/ 425 void smp_generate_compare(tSMP_CB* p_cb, UNUSED_ATTR tSMP_INT_DATA* p_data) { 426 SMP_TRACE_DEBUG("smp_generate_compare "); 427 smp_debug_print_nbyte_little_endian(p_cb->rrand, "peer rand", 16); 428 Octet16 output; 429 tSMP_STATUS status = smp_calculate_comfirm(p_cb, p_cb->rrand, &output); 430 if (status != SMP_SUCCESS) { 431 tSMP_INT_DATA smp_int_data; 432 smp_int_data.status = status; 433 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data); 434 return; 435 } 436 tSMP_KEY key; 437 smp_debug_print_nbyte_little_endian(output.data(), "Remote Confirm generated", 438 16); 439 key.key_type = SMP_KEY_TYPE_CMP; 440 key.p_data = output.data(); 441 tSMP_INT_DATA smp_int_data; 442 smp_int_data.key = key; 443 smp_sm_event(p_cb, SMP_KEY_READY_EVT, &smp_int_data); 444 } 445 446 /** This function is called when STK is generated proceed to send the encrypt 447 * the link using STK. */ 448 static void smp_process_stk(tSMP_CB* p_cb, Octet16* p) { 449 tSMP_KEY key; 450 451 SMP_TRACE_DEBUG("smp_process_stk "); 452 smp_mask_enc_key(p_cb->loc_enc_size, p); 453 454 key.key_type = SMP_KEY_TYPE_STK; 455 key.p_data = p->data(); 456 457 tSMP_INT_DATA smp_int_data; 458 smp_int_data.key = key; 459 smp_sm_event(p_cb, SMP_KEY_READY_EVT, &smp_int_data); 460 } 461 462 /** This function calculates EDIV = Y xor DIV */ 463 static void smp_process_ediv(tSMP_CB* p_cb, Octet16& p) { 464 tSMP_KEY key; 465 uint8_t* pp = p.data(); 466 uint16_t y; 467 468 SMP_TRACE_DEBUG("smp_process_ediv "); 469 STREAM_TO_UINT16(y, pp); 470 471 /* EDIV = Y xor DIV */ 472 p_cb->ediv = p_cb->div ^ y; 473 /* send LTK ready */ 474 SMP_TRACE_ERROR("LTK ready"); 475 key.key_type = SMP_KEY_TYPE_LTK; 476 key.p_data = p.data(); 477 478 tSMP_INT_DATA smp_int_data; 479 smp_int_data.key = key; 480 smp_sm_event(p_cb, SMP_KEY_READY_EVT, &smp_int_data); 481 } 482 483 /** 484 * This function is to proceed generate Y = E(DHK, Rand) 485 */ 486 static void smp_generate_y(tSMP_CB* p_cb, BT_OCTET8 rand) { 487 SMP_TRACE_DEBUG("%s ", __func__); 488 489 const Octet16& dhk = BTM_GetDeviceDHK(); 490 491 memcpy(p_cb->enc_rand, rand, BT_OCTET8_LEN); 492 Octet16 output = aes_128(dhk, rand, BT_OCTET8_LEN); 493 smp_process_ediv(p_cb, output); 494 } 495 496 /** 497 * Calculate LTK = d1(ER, DIV, 0)= e(ER, DIV) 498 */ 499 static void smp_generate_ltk_cont(uint16_t div, tSMP_CB* p_cb) { 500 p_cb->div = div; 501 502 SMP_TRACE_DEBUG("%s", __func__); 503 const Octet16& er = BTM_GetDeviceEncRoot(); 504 505 /* LTK = d1(ER, DIV, 0)= e(ER, DIV)*/ 506 Octet16 ltk = aes_128(er, (uint8_t*)&p_cb->div, sizeof(uint16_t)); 507 /* mask the LTK */ 508 smp_mask_enc_key(p_cb->loc_enc_size, <k); 509 p_cb->ltk = ltk; 510 511 /* generate EDIV and rand now */ 512 btsnd_hcic_ble_rand(Bind(&smp_generate_y, p_cb)); 513 } 514 515 /******************************************************************************* 516 * 517 * Function smp_generate_ltk 518 * 519 * Description This function is called: 520 * - in legacy pairing - to calculate LTK, starting with DIV 521 * generation; 522 * - in LE Secure Connections pairing over LE transport - to 523 * process LTK already generated to encrypt LE link; 524 * - in LE Secure Connections pairing over BR/EDR transport - 525 * to start BR/EDR Link Key processing. 526 * 527 * Returns void 528 * 529 ******************************************************************************/ 530 void smp_generate_ltk(tSMP_CB* p_cb, UNUSED_ATTR tSMP_INT_DATA* p_data) { 531 SMP_TRACE_DEBUG("%s", __func__); 532 533 if (smp_get_br_state() == SMP_BR_STATE_BOND_PENDING) { 534 smp_br_process_link_key(p_cb, NULL); 535 return; 536 } else if (p_cb->le_secure_connections_mode_is_used) { 537 smp_process_secure_connection_long_term_key(); 538 return; 539 } 540 541 bool div_status = btm_get_local_div(p_cb->pairing_bda, &p_cb->div); 542 543 if (div_status) { 544 smp_generate_ltk_cont(p_cb->div, p_cb); 545 } else { 546 SMP_TRACE_DEBUG("%s: Generate DIV for LTK", __func__); 547 548 /* generate MRand or SRand */ 549 btsnd_hcic_ble_rand(Bind( 550 [](tSMP_CB* p_cb, BT_OCTET8 rand) { 551 uint16_t div; 552 STREAM_TO_UINT16(div, rand); 553 smp_generate_ltk_cont(div, p_cb); 554 }, 555 p_cb)); 556 } 557 } 558 559 /* The function calculates legacy STK */ 560 Octet16 smp_calculate_legacy_short_term_key(tSMP_CB* p_cb) { 561 SMP_TRACE_DEBUG("%s", __func__); 562 563 Octet16 text{0}; 564 if (p_cb->role == HCI_ROLE_CENTRAL) { 565 memcpy(text.data(), p_cb->rand.data(), BT_OCTET8_LEN); 566 memcpy(text.data() + BT_OCTET8_LEN, p_cb->rrand.data(), BT_OCTET8_LEN); 567 } else { 568 memcpy(text.data(), p_cb->rrand.data(), BT_OCTET8_LEN); 569 memcpy(text.data() + BT_OCTET8_LEN, p_cb->rand.data(), BT_OCTET8_LEN); 570 } 571 572 /* generate STK = Etk(rand|rrand)*/ 573 return aes_128(p_cb->tk, text); 574 } 575 576 /******************************************************************************* 577 * 578 * Function smp_create_private_key 579 * 580 * Description This function is called to create private key used to 581 * calculate public key and DHKey. 582 * The function starts private key creation requesting 583 * for the controller to generate [0-7] octets of private key. 584 * 585 * Returns void 586 * 587 ******************************************************************************/ 588 void smp_create_private_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 589 SMP_TRACE_DEBUG("%s", __func__); 590 591 // Only use the stored OOB data if we are in an oob association model 592 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) { 593 LOG_WARN("OOB Association Model"); 594 // Make sure our data isn't empty, otherwise we generate new and eventually 595 // pairing will fail Not much we can do about it at this point, just have to 596 // generate new data The data will be cleared after the advertiser times 597 // out, so if the advertiser times out we want the pairing to fail anyway. 598 if (!is_empty(&saved_local_oob_data)) { 599 LOG_WARN("Found OOB data, loading keys"); 600 for (int i = 0; i < BT_OCTET32_LEN; i++) { 601 p_cb->private_key[i] = saved_local_oob_data.private_key_used[i]; 602 p_cb->loc_publ_key.x[i] = saved_local_oob_data.publ_key_used.x[i]; 603 p_cb->loc_publ_key.y[i] = saved_local_oob_data.publ_key_used.y[i]; 604 } 605 p_cb->sc_oob_data.loc_oob_data = saved_local_oob_data; 606 p_cb->local_random = saved_local_oob_data.randomizer; 607 smp_process_private_key(p_cb); 608 return; 609 } 610 LOG_WARN("OOB Association Model with no saved data present"); 611 } 612 613 btsnd_hcic_ble_rand(Bind( 614 [](tSMP_CB* p_cb, BT_OCTET8 rand) { 615 memcpy((void*)p_cb->private_key, rand, BT_OCTET8_LEN); 616 btsnd_hcic_ble_rand(Bind( 617 [](tSMP_CB* p_cb, BT_OCTET8 rand) { 618 memcpy((void*)&p_cb->private_key[8], rand, BT_OCTET8_LEN); 619 btsnd_hcic_ble_rand(Bind( 620 [](tSMP_CB* p_cb, BT_OCTET8 rand) { 621 memcpy((void*)&p_cb->private_key[16], rand, BT_OCTET8_LEN); 622 btsnd_hcic_ble_rand(Bind( 623 [](tSMP_CB* p_cb, BT_OCTET8 rand) { 624 memcpy((void*)&p_cb->private_key[24], rand, 625 BT_OCTET8_LEN); 626 smp_process_private_key(p_cb); 627 }, 628 p_cb)); 629 }, 630 p_cb)); 631 }, 632 p_cb)); 633 }, 634 p_cb)); 635 } 636 637 /******************************************************************************* 638 * 639 * Function smp_use_oob_private_key 640 * 641 * Description This function is called 642 * - to save the secret key used to calculate the public key 643 * used in calculations of commitment sent OOB to a peer 644 * - to use this secret key to recalculate the public key and 645 * start the process of sending this public key to the peer 646 * if secret/public keys have to be reused. 647 * If the keys aren't supposed to be reused, continue from the 648 * point from which request for OOB data was issued. 649 * 650 * Returns void 651 * 652 ******************************************************************************/ 653 void smp_use_oob_private_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 654 LOG_INFO("req_oob_type: %d, role: %d", p_cb->req_oob_type, p_cb->role); 655 656 switch (p_cb->req_oob_type) { 657 case SMP_OOB_BOTH: 658 case SMP_OOB_LOCAL: 659 LOG_INFO("restore secret key"); 660 // Only use the stored OOB data if we are in an oob association model 661 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) { 662 LOG_INFO("OOB Association Model"); 663 // Make sure our data isn't empty, otherwise we generate new and 664 // eventually pairing will fail Not much we can do about it at this 665 // point, just have to generate new data The data will be cleared after 666 // the advertiser times out, so if the advertiser times out we want the 667 // pairing to fail anyway. 668 if (!is_empty(&saved_local_oob_data)) { 669 LOG_INFO("Found OOB data, loading keys"); 670 for (int i = 0; i < BT_OCTET32_LEN; i++) { 671 p_cb->private_key[i] = saved_local_oob_data.private_key_used[i]; 672 p_cb->loc_publ_key.x[i] = saved_local_oob_data.publ_key_used.x[i]; 673 p_cb->loc_publ_key.y[i] = saved_local_oob_data.publ_key_used.y[i]; 674 } 675 p_cb->sc_oob_data.loc_oob_data = saved_local_oob_data; 676 p_cb->local_random = saved_local_oob_data.randomizer; 677 smp_process_private_key(p_cb); 678 return; 679 } 680 LOG_INFO("OOB Association Model with no saved data present"); 681 } 682 683 memcpy(p_cb->private_key, p_cb->sc_oob_data.loc_oob_data.private_key_used, 684 BT_OCTET32_LEN); 685 smp_process_private_key(p_cb); 686 break; 687 default: 688 LOG_INFO("create secret key anew"); 689 smp_set_state(SMP_STATE_PAIR_REQ_RSP); 690 smp_decide_association_model(p_cb, NULL); 691 break; 692 } 693 } 694 695 /******************************************************************************* 696 * 697 * Function smp_process_private_key 698 * 699 * Description This function processes private key. 700 * It calculates public key and notifies SM that private key / 701 * public key pair is created. 702 * 703 * Returns void 704 * 705 ******************************************************************************/ 706 void smp_process_private_key(tSMP_CB* p_cb) { 707 Point public_key; 708 BT_OCTET32 private_key; 709 710 SMP_TRACE_DEBUG("%s", __func__); 711 712 memcpy(private_key, p_cb->private_key, BT_OCTET32_LEN); 713 ECC_PointMult(&public_key, &(curve_p256.G), (uint32_t*)private_key); 714 memcpy(p_cb->loc_publ_key.x, public_key.x, BT_OCTET32_LEN); 715 memcpy(p_cb->loc_publ_key.y, public_key.y, BT_OCTET32_LEN); 716 717 smp_debug_print_nbyte_little_endian(p_cb->private_key, "private", 718 BT_OCTET32_LEN); 719 smp_debug_print_nbyte_little_endian(p_cb->loc_publ_key.x, "local public(x)", 720 BT_OCTET32_LEN); 721 smp_debug_print_nbyte_little_endian(p_cb->loc_publ_key.y, "local public(y)", 722 BT_OCTET32_LEN); 723 p_cb->flags |= SMP_PAIR_FLAG_HAVE_LOCAL_PUBL_KEY; 724 smp_sm_event(p_cb, SMP_LOC_PUBL_KEY_CRTD_EVT, NULL); 725 } 726 727 /******************************************************************************* 728 * 729 * Function smp_compute_dhkey 730 * 731 * Description The function: 732 * - calculates a new public key using as input local private 733 * key and peer public key; 734 * - saves the new public key x-coordinate as DHKey. 735 * 736 * Returns void 737 * 738 ******************************************************************************/ 739 void smp_compute_dhkey(tSMP_CB* p_cb) { 740 Point peer_publ_key, new_publ_key; 741 BT_OCTET32 private_key; 742 743 SMP_TRACE_DEBUG("%s", __func__); 744 745 memcpy(private_key, p_cb->private_key, BT_OCTET32_LEN); 746 memcpy(peer_publ_key.x, p_cb->peer_publ_key.x, BT_OCTET32_LEN); 747 memcpy(peer_publ_key.y, p_cb->peer_publ_key.y, BT_OCTET32_LEN); 748 749 ECC_PointMult(&new_publ_key, &peer_publ_key, (uint32_t*)private_key); 750 751 memcpy(p_cb->dhkey, new_publ_key.x, BT_OCTET32_LEN); 752 753 smp_debug_print_nbyte_little_endian(p_cb->dhkey, "Old DHKey", BT_OCTET32_LEN); 754 755 smp_debug_print_nbyte_little_endian(p_cb->private_key, "private", 756 BT_OCTET32_LEN); 757 smp_debug_print_nbyte_little_endian(p_cb->peer_publ_key.x, "rem public(x)", 758 BT_OCTET32_LEN); 759 smp_debug_print_nbyte_little_endian(p_cb->peer_publ_key.y, "rem public(y)", 760 BT_OCTET32_LEN); 761 smp_debug_print_nbyte_little_endian(p_cb->dhkey, "Reverted DHKey", 762 BT_OCTET32_LEN); 763 } 764 765 /** The function calculates and saves local commmitment in CB. */ 766 void smp_calculate_local_commitment(tSMP_CB* p_cb) { 767 uint8_t random_input; 768 769 SMP_TRACE_DEBUG("%s", __func__); 770 771 switch (p_cb->selected_association_model) { 772 case SMP_MODEL_SEC_CONN_JUSTWORKS: 773 case SMP_MODEL_SEC_CONN_NUM_COMP: 774 if (p_cb->role == HCI_ROLE_CENTRAL) 775 SMP_TRACE_WARNING( 776 "local commitment calc on central is not expected " 777 "for Just Works/Numeric Comparison models"); 778 p_cb->commitment = crypto_toolbox::f4( 779 p_cb->loc_publ_key.x, p_cb->peer_publ_key.x, p_cb->rand, 0); 780 break; 781 case SMP_MODEL_SEC_CONN_PASSKEY_ENT: 782 case SMP_MODEL_SEC_CONN_PASSKEY_DISP: 783 random_input = 784 smp_calculate_random_input(p_cb->local_random.data(), p_cb->round); 785 p_cb->commitment = 786 crypto_toolbox::f4(p_cb->loc_publ_key.x, p_cb->peer_publ_key.x, 787 p_cb->rand, random_input); 788 break; 789 case SMP_MODEL_SEC_CONN_OOB: 790 SMP_TRACE_WARNING( 791 "local commitment calc is expected for OOB model BEFORE pairing"); 792 p_cb->commitment = crypto_toolbox::f4( 793 p_cb->loc_publ_key.x, p_cb->loc_publ_key.x, p_cb->local_random, 0); 794 break; 795 default: 796 SMP_TRACE_ERROR("Association Model = %d is not used in LE SC", 797 p_cb->selected_association_model); 798 return; 799 } 800 801 SMP_TRACE_EVENT("local commitment calculation is completed"); 802 } 803 804 /** The function calculates peer commmitment */ 805 Octet16 smp_calculate_peer_commitment(tSMP_CB* p_cb) { 806 uint8_t ri; 807 808 SMP_TRACE_DEBUG("%s", __func__); 809 Octet16 output; 810 switch (p_cb->selected_association_model) { 811 case SMP_MODEL_SEC_CONN_JUSTWORKS: 812 case SMP_MODEL_SEC_CONN_NUM_COMP: 813 if (p_cb->role == HCI_ROLE_PERIPHERAL) 814 SMP_TRACE_WARNING( 815 "peer commitment calc on peripheral is not expected " 816 "for Just Works/Numeric Comparison models"); 817 output = crypto_toolbox::f4(p_cb->peer_publ_key.x, p_cb->loc_publ_key.x, 818 p_cb->rrand, 0); 819 break; 820 case SMP_MODEL_SEC_CONN_PASSKEY_ENT: 821 case SMP_MODEL_SEC_CONN_PASSKEY_DISP: 822 ri = smp_calculate_random_input(p_cb->peer_random.data(), p_cb->round); 823 output = crypto_toolbox::f4(p_cb->peer_publ_key.x, p_cb->loc_publ_key.x, 824 p_cb->rrand, ri); 825 break; 826 case SMP_MODEL_SEC_CONN_OOB: 827 output = crypto_toolbox::f4(p_cb->peer_publ_key.x, p_cb->peer_publ_key.x, 828 p_cb->peer_random, 0); 829 break; 830 default: 831 SMP_TRACE_ERROR("Association Model = %d is not used in LE SC", 832 p_cb->selected_association_model); 833 return output; 834 } 835 836 SMP_TRACE_EVENT("peer commitment calculation is completed"); 837 return output; 838 } 839 840 /******************************************************************************* 841 * 842 * Function smp_calculate_numeric_comparison_display_number 843 * 844 * Description The function calculates and saves number to display in 845 * numeric comparison association mode. 846 * 847 * Returns void 848 * 849 ******************************************************************************/ 850 void smp_calculate_numeric_comparison_display_number(tSMP_CB* p_cb, 851 tSMP_INT_DATA* p_data) { 852 SMP_TRACE_DEBUG("%s", __func__); 853 854 if (p_cb->role == HCI_ROLE_CENTRAL) { 855 p_cb->number_to_display = crypto_toolbox::g2( 856 p_cb->loc_publ_key.x, p_cb->peer_publ_key.x, p_cb->rand, p_cb->rrand); 857 } else { 858 p_cb->number_to_display = crypto_toolbox::g2( 859 p_cb->peer_publ_key.x, p_cb->loc_publ_key.x, p_cb->rrand, p_cb->rand); 860 } 861 862 if (p_cb->number_to_display >= (BTM_MAX_PASSKEY_VAL + 1)) { 863 tSMP_INT_DATA smp_int_data; 864 smp_int_data.status = SMP_PAIR_FAIL_UNKNOWN; 865 p_cb->failure = SMP_PAIR_FAIL_UNKNOWN; 866 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data); 867 return; 868 } 869 870 SMP_TRACE_EVENT("Number to display in numeric comparison = %d", 871 p_cb->number_to_display); 872 p_cb->cb_evt = SMP_NC_REQ_EVT; 873 tSMP_INT_DATA smp_int_data; 874 smp_int_data.passkey = p_cb->number_to_display; 875 smp_sm_event(p_cb, SMP_SC_DSPL_NC_EVT, &smp_int_data); 876 return; 877 } 878 879 /******************************************************************************* 880 * 881 * Function smp_calculate_local_dhkey_check 882 * 883 * Description The function calculates and saves local device DHKey check 884 * value in CB. 885 * Before doing this it calls 886 * smp_calculate_f5_mackey_and_long_term_key(...). 887 * to calculate MacKey and LTK. 888 * MacKey is used in dhkey calculation. 889 * 890 * Returns void 891 * 892 ******************************************************************************/ 893 void smp_calculate_local_dhkey_check(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 894 uint8_t iocap[3], a[7], b[7]; 895 896 SMP_TRACE_DEBUG("%s", __func__); 897 898 smp_calculate_f5_mackey_and_long_term_key(p_cb); 899 900 smp_collect_local_io_capabilities(iocap, p_cb); 901 902 smp_collect_local_ble_address(a, p_cb); 903 smp_collect_peer_ble_address(b, p_cb); 904 p_cb->dhkey_check = crypto_toolbox::f6(p_cb->mac_key, p_cb->rand, p_cb->rrand, 905 p_cb->peer_random, iocap, a, b); 906 907 SMP_TRACE_EVENT("local DHKey check calculation is completed"); 908 } 909 910 /******************************************************************************* 911 * 912 * Function smp_calculate_peer_dhkey_check 913 * 914 * Description The function calculates peer device DHKey check value. 915 * 916 * Returns void 917 * 918 ******************************************************************************/ 919 void smp_calculate_peer_dhkey_check(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 920 uint8_t iocap[3], a[7], b[7]; 921 tSMP_KEY key; 922 923 SMP_TRACE_DEBUG("%s", __func__); 924 925 smp_collect_peer_io_capabilities(iocap, p_cb); 926 927 smp_collect_local_ble_address(a, p_cb); 928 smp_collect_peer_ble_address(b, p_cb); 929 Octet16 param_buf = crypto_toolbox::f6(p_cb->mac_key, p_cb->rrand, p_cb->rand, 930 p_cb->local_random, iocap, b, a); 931 932 SMP_TRACE_EVENT("peer DHKey check calculation is completed"); 933 key.key_type = SMP_KEY_TYPE_PEER_DHK_CHCK; 934 key.p_data = param_buf.data(); 935 tSMP_INT_DATA smp_int_data; 936 smp_int_data.key = key; 937 smp_sm_event(p_cb, SMP_SC_KEY_READY_EVT, &smp_int_data); 938 } 939 940 /******************************************************************************* 941 * 942 * Function smp_calculate_link_key_from_long_term_key 943 * 944 * Description The function calculates and saves BR/EDR link key derived 945 * from LE SC LTK. 946 * 947 * Returns false if out of resources, true in other cases. 948 * 949 ******************************************************************************/ 950 bool smp_calculate_link_key_from_long_term_key(tSMP_CB* p_cb) { 951 tBTM_SEC_DEV_REC* p_dev_rec; 952 RawAddress bda_for_lk; 953 tBLE_ADDR_TYPE conn_addr_type; 954 955 SMP_TRACE_DEBUG("%s", __func__); 956 957 if (p_cb->id_addr_rcvd && p_cb->id_addr_type == BLE_ADDR_PUBLIC) { 958 SMP_TRACE_DEBUG( 959 "Use rcvd identity address as BD_ADDR of LK rcvd identity address"); 960 bda_for_lk = p_cb->id_addr; 961 } else if ((BTM_ReadRemoteConnectionAddr(p_cb->pairing_bda, bda_for_lk, 962 &conn_addr_type)) && 963 conn_addr_type == BLE_ADDR_PUBLIC) { 964 SMP_TRACE_DEBUG("Use rcvd connection address as BD_ADDR of LK"); 965 } else { 966 SMP_TRACE_WARNING("Don't have peer public address to associate with LK"); 967 return false; 968 } 969 970 p_dev_rec = btm_find_dev(p_cb->pairing_bda); 971 if (p_dev_rec == NULL) { 972 SMP_TRACE_ERROR("%s failed to find Security Record", __func__); 973 return false; 974 } 975 976 Octet16 link_key = 977 crypto_toolbox::ltk_to_link_key(p_cb->ltk, p_cb->key_derivation_h7_used); 978 979 uint8_t link_key_type; 980 if (btm_cb.security_mode == BTM_SEC_MODE_SC) { 981 /* Secure Connections Only Mode */ 982 link_key_type = BTM_LKEY_TYPE_AUTH_COMB_P_256; 983 } else if (controller_get_interface()->supports_secure_connections()) { 984 /* both transports are SC capable */ 985 if (p_cb->sec_level == SMP_SEC_AUTHENTICATED) 986 link_key_type = BTM_LKEY_TYPE_AUTH_COMB_P_256; 987 else 988 link_key_type = BTM_LKEY_TYPE_UNAUTH_COMB_P_256; 989 } else if (btm_cb.security_mode == BTM_SEC_MODE_SP) { 990 /* BR/EDR transport is SSP capable */ 991 if (p_cb->sec_level == SMP_SEC_AUTHENTICATED) 992 link_key_type = BTM_LKEY_TYPE_AUTH_COMB; 993 else 994 link_key_type = BTM_LKEY_TYPE_UNAUTH_COMB; 995 } else { 996 SMP_TRACE_ERROR("%s failed to update link_key. Sec Mode = %d, sm4 = 0x%02x", 997 __func__, btm_cb.security_mode, p_dev_rec->sm4); 998 return false; 999 } 1000 1001 link_key_type += BTM_LTK_DERIVED_LKEY_OFFSET; 1002 1003 Octet16 notif_link_key; 1004 std::reverse_copy(link_key.begin(), link_key.end(), notif_link_key.begin()); 1005 btm_sec_link_key_notification(bda_for_lk, notif_link_key, link_key_type); 1006 1007 SMP_TRACE_EVENT("%s is completed", __func__); 1008 1009 return true; 1010 } 1011 1012 /** The function calculates and saves SC LTK derived from BR/EDR link key. */ 1013 bool smp_calculate_long_term_key_from_link_key(tSMP_CB* p_cb) { 1014 tBTM_SEC_DEV_REC* p_dev_rec; 1015 1016 SMP_TRACE_DEBUG("%s", __func__); 1017 1018 p_dev_rec = btm_find_dev(p_cb->pairing_bda); 1019 if (p_dev_rec == NULL) { 1020 SMP_TRACE_ERROR("%s failed to find Security Record", __func__); 1021 return false; 1022 } 1023 1024 uint8_t br_link_key_type; 1025 br_link_key_type = BTM_SecGetDeviceLinkKeyType(p_cb->pairing_bda); 1026 if (br_link_key_type == BTM_LKEY_TYPE_IGNORE) { 1027 SMP_TRACE_ERROR("%s failed to retrieve BR link type", __func__); 1028 return false; 1029 } 1030 1031 if ((br_link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256) && 1032 (br_link_key_type != BTM_LKEY_TYPE_UNAUTH_COMB_P_256)) { 1033 SMP_TRACE_ERROR("%s LE SC LTK can't be derived from LK %d", __func__, 1034 br_link_key_type); 1035 return false; 1036 } 1037 1038 Octet16 rev_link_key; 1039 std::reverse_copy(p_dev_rec->link_key.begin(), p_dev_rec->link_key.end(), 1040 rev_link_key.begin()); 1041 p_cb->ltk = crypto_toolbox::link_key_to_ltk(rev_link_key, 1042 p_cb->key_derivation_h7_used); 1043 1044 p_cb->sec_level = (br_link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) 1045 ? SMP_SEC_AUTHENTICATED 1046 : SMP_SEC_UNAUTHENTICATE; 1047 SMP_TRACE_EVENT("%s is completed", __func__); 1048 return true; 1049 } 1050 1051 /** 1052 * This function generates nonce. 1053 */ 1054 void smp_start_nonce_generation(tSMP_CB* p_cb) { 1055 SMP_TRACE_DEBUG("%s", __func__); 1056 btsnd_hcic_ble_rand(Bind( 1057 [](tSMP_CB* p_cb, BT_OCTET8 rand) { 1058 memcpy(p_cb->rand.data(), rand, BT_OCTET8_LEN); 1059 btsnd_hcic_ble_rand(Bind( 1060 [](tSMP_CB* p_cb, BT_OCTET8 rand) { 1061 memcpy(p_cb->rand.data() + 8, rand, BT_OCTET8_LEN); 1062 SMP_TRACE_DEBUG("%s round %d", __func__, p_cb->round); 1063 /* notifies SM that it has new nonce. */ 1064 smp_sm_event(p_cb, SMP_HAVE_LOC_NONCE_EVT, NULL); 1065 }, 1066 p_cb)); 1067 }, 1068 p_cb)); 1069 } 1070