1 /******************************************************************************
2 *
3 * Copyright 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 *****************************************************************************/
18
19 /******************************************************************************
20 *
21 * This file contains functions for the SMP L2CAP utility functions
22 *
23 ******************************************************************************/
24 #define LOG_TAG "smp"
25
26 #include <bluetooth/log.h>
27 #include <com_android_bluetooth_flags.h>
28
29 #include <cstdint>
30 #include <cstring>
31
32 #include "crypto_toolbox/crypto_toolbox.h"
33 #include "hci/controller_interface.h"
34 #include "internal_include/bt_target.h"
35 #include "internal_include/stack_config.h"
36 #include "main/shim/entry.h"
37 #include "main/shim/helpers.h"
38 #include "osi/include/allocator.h"
39 #include "p_256_ecc_pp.h"
40 #include "smp_int.h"
41 #include "stack/btm/btm_ble_sec.h"
42 #include "stack/btm/btm_dev.h"
43 #include "stack/include/acl_api.h"
44 #include "stack/include/bt_hdr.h"
45 #include "stack/include/bt_octets.h"
46 #include "stack/include/bt_types.h"
47 #include "stack/include/btm_ble_api.h"
48 #include "stack/include/btm_ble_sec_api.h"
49 #include "stack/include/btm_log_history.h"
50 #include "stack/include/l2c_api.h"
51 #include "stack/include/l2cdefs.h"
52 #include "stack/include/smp_status.h"
53 #include "stack/include/stack_metrics_logging.h"
54 #include "types/raw_address.h"
55
56 #define SMP_PAIRING_REQ_SIZE 7
57 #define SMP_CONFIRM_CMD_SIZE (OCTET16_LEN + 1)
58 #define SMP_RAND_CMD_SIZE (OCTET16_LEN + 1)
59 #define SMP_INIT_CMD_SIZE (OCTET16_LEN + 1)
60 #define SMP_ENC_INFO_SIZE (OCTET16_LEN + 1)
61 #define SMP_CENTRAL_ID_SIZE (BT_OCTET8_LEN + 2 + 1)
62 #define SMP_ID_INFO_SIZE (OCTET16_LEN + 1)
63 #define SMP_ID_ADDR_SIZE (BD_ADDR_LEN + 1 + 1)
64 #define SMP_SIGN_INFO_SIZE (OCTET16_LEN + 1)
65 #define SMP_PAIR_FAIL_SIZE 2
66 #define SMP_SECURITY_REQUEST_SIZE 2
67 #define SMP_PAIR_PUBL_KEY_SIZE (1 /* opcode */ + (2 * BT_OCTET32_LEN))
68 #define SMP_PAIR_COMMITM_SIZE (1 /* opcode */ + OCTET16_LEN /*Commitment*/)
69 #define SMP_PAIR_DHKEY_CHECK_SIZE \
70 (1 /* opcode */ + OCTET16_LEN /*DHKey \
71 Check*/)
72 #define SMP_PAIR_KEYPR_NOTIF_SIZE (1 /* opcode */ + 1 /*Notif Type*/)
73
74 using namespace bluetooth;
75
76 namespace {
77 constexpr char kBtmLogTag[] = "SMP";
78 }
79
80 /* SMP command sizes per spec */
81 static const uint8_t smp_cmd_size_per_spec[] = {
82 0,
83 SMP_PAIRING_REQ_SIZE, /* 0x01: pairing request */
84 SMP_PAIRING_REQ_SIZE, /* 0x02: pairing response */
85 SMP_CONFIRM_CMD_SIZE, /* 0x03: pairing confirm */
86 SMP_RAND_CMD_SIZE, /* 0x04: pairing random */
87 SMP_PAIR_FAIL_SIZE, /* 0x05: pairing failed */
88 SMP_ENC_INFO_SIZE, /* 0x06: encryption information */
89 SMP_CENTRAL_ID_SIZE, /* 0x07: central identification */
90 SMP_ID_INFO_SIZE, /* 0x08: identity information */
91 SMP_ID_ADDR_SIZE, /* 0x09: identity address information */
92 SMP_SIGN_INFO_SIZE, /* 0x0A: signing information */
93 SMP_SECURITY_REQUEST_SIZE, /* 0x0B: security request */
94 SMP_PAIR_PUBL_KEY_SIZE, /* 0x0C: pairing public key */
95 SMP_PAIR_DHKEY_CHECK_SIZE, /* 0x0D: pairing dhkey check */
96 SMP_PAIR_KEYPR_NOTIF_SIZE, /* 0x0E: pairing keypress notification */
97 SMP_PAIR_COMMITM_SIZE /* 0x0F: pairing commitment */
98 };
99
100 static bool smp_parameter_unconditionally_valid(tSMP_CB* p_cb);
101 static bool smp_parameter_unconditionally_invalid(tSMP_CB* p_cb);
102
103 /* type for SMP command length validation functions */
104 typedef bool (*tSMP_CMD_LEN_VALID)(tSMP_CB* p_cb);
105
106 static bool smp_command_has_valid_fixed_length(tSMP_CB* p_cb);
107
108 static const tSMP_CMD_LEN_VALID smp_cmd_len_is_valid[] = {
109 smp_parameter_unconditionally_invalid,
110 smp_command_has_valid_fixed_length, /* 0x01: pairing request */
111 smp_command_has_valid_fixed_length, /* 0x02: pairing response */
112 smp_command_has_valid_fixed_length, /* 0x03: pairing confirm */
113 smp_command_has_valid_fixed_length, /* 0x04: pairing random */
114 smp_command_has_valid_fixed_length, /* 0x05: pairing failed */
115 smp_command_has_valid_fixed_length, /* 0x06: encryption information */
116 smp_command_has_valid_fixed_length, /* 0x07: central identification */
117 smp_command_has_valid_fixed_length, /* 0x08: identity information */
118 smp_command_has_valid_fixed_length, /* 0x09: identity address information */
119 smp_command_has_valid_fixed_length, /* 0x0A: signing information */
120 smp_command_has_valid_fixed_length, /* 0x0B: security request */
121 smp_command_has_valid_fixed_length, /* 0x0C: pairing public key */
122 smp_command_has_valid_fixed_length, /* 0x0D: pairing dhkey check */
123 smp_command_has_valid_fixed_length, /* 0x0E: pairing keypress notification*/
124 smp_command_has_valid_fixed_length /* 0x0F: pairing commitment */
125 };
126
127 /* type for SMP command parameter ranges validation functions */
128 typedef bool (*tSMP_CMD_PARAM_RANGES_VALID)(tSMP_CB* p_cb);
129
130 static bool smp_pairing_request_response_parameters_are_valid(tSMP_CB* p_cb);
131 static bool smp_pairing_keypress_notification_is_valid(tSMP_CB* p_cb);
132
133 static const tSMP_CMD_PARAM_RANGES_VALID smp_cmd_param_ranges_are_valid[] = {
134 smp_parameter_unconditionally_invalid,
135 smp_pairing_request_response_parameters_are_valid, /* 0x01: pairing
136 request */
137 smp_pairing_request_response_parameters_are_valid, /* 0x02: pairing
138 response */
139 smp_parameter_unconditionally_valid, /* 0x03: pairing confirm */
140 smp_parameter_unconditionally_valid, /* 0x04: pairing random */
141 smp_parameter_unconditionally_valid, /* 0x05: pairing failed */
142 smp_parameter_unconditionally_valid, /* 0x06: encryption information */
143 smp_parameter_unconditionally_valid, /* 0x07: central identification */
144 smp_parameter_unconditionally_valid, /* 0x08: identity information */
145 smp_parameter_unconditionally_valid, /* 0x09: identity address
146 information */
147 smp_parameter_unconditionally_valid, /* 0x0A: signing information */
148 smp_parameter_unconditionally_valid, /* 0x0B: security request */
149 smp_parameter_unconditionally_valid, /* 0x0C: pairing public key */
150 smp_parameter_unconditionally_valid, /* 0x0D: pairing dhkey check */
151 smp_pairing_keypress_notification_is_valid, /* 0x0E: pairing keypress
152 notification */
153 smp_parameter_unconditionally_valid /* 0x0F: pairing commitment */
154 };
155
156 /* type for action functions */
157 typedef BT_HDR* (*tSMP_CMD_ACT)(uint8_t cmd_code, tSMP_CB* p_cb);
158
159 static BT_HDR* smp_build_pairing_cmd(uint8_t cmd_code, tSMP_CB* p_cb);
160 static BT_HDR* smp_build_confirm_cmd(uint8_t cmd_code, tSMP_CB* p_cb);
161 static BT_HDR* smp_build_rand_cmd(uint8_t cmd_code, tSMP_CB* p_cb);
162 static BT_HDR* smp_build_pairing_fail(uint8_t cmd_code, tSMP_CB* p_cb);
163 static BT_HDR* smp_build_identity_info_cmd(uint8_t cmd_code, tSMP_CB* p_cb);
164 static BT_HDR* smp_build_encrypt_info_cmd(uint8_t cmd_code, tSMP_CB* p_cb);
165 static BT_HDR* smp_build_security_request(uint8_t cmd_code, tSMP_CB* p_cb);
166 static BT_HDR* smp_build_signing_info_cmd(uint8_t cmd_code, tSMP_CB* p_cb);
167 static BT_HDR* smp_build_central_id_cmd(uint8_t cmd_code, tSMP_CB* p_cb);
168 static BT_HDR* smp_build_id_addr_cmd(uint8_t cmd_code, tSMP_CB* p_cb);
169 static BT_HDR* smp_build_pair_public_key_cmd(uint8_t cmd_code, tSMP_CB* p_cb);
170 static BT_HDR* smp_build_pairing_commitment_cmd(uint8_t cmd_code,
171 tSMP_CB* p_cb);
172 static BT_HDR* smp_build_pair_dhkey_check_cmd(uint8_t cmd_code, tSMP_CB* p_cb);
173 static BT_HDR* smp_build_pairing_keypress_notification_cmd(uint8_t cmd_code,
174 tSMP_CB* p_cb);
175
176 static const tSMP_CMD_ACT smp_cmd_build_act[] = {
177 NULL,
178 smp_build_pairing_cmd, /* 0x01: pairing request */
179 smp_build_pairing_cmd, /* 0x02: pairing response */
180 smp_build_confirm_cmd, /* 0x03: pairing confirm */
181 smp_build_rand_cmd, /* 0x04: pairing random */
182 smp_build_pairing_fail, /* 0x05: pairing failure */
183 smp_build_encrypt_info_cmd, /* 0x06: encryption information */
184 smp_build_central_id_cmd, /* 0x07: central identification */
185 smp_build_identity_info_cmd, /* 0x08: identity information */
186 smp_build_id_addr_cmd, /* 0x09: identity address information */
187 smp_build_signing_info_cmd, /* 0x0A: signing information */
188 smp_build_security_request, /* 0x0B: security request */
189 smp_build_pair_public_key_cmd, /* 0x0C: pairing public key */
190 smp_build_pair_dhkey_check_cmd, /* 0x0D: pairing DHKey check */
191 smp_build_pairing_keypress_notification_cmd, /* 0x0E: pairing keypress
192 notification */
193 smp_build_pairing_commitment_cmd /* 0x0F: pairing commitment */
194 };
195
196 static const tSMP_ASSO_MODEL
197 smp_association_table[2][SMP_IO_CAP_MAX][SMP_IO_CAP_MAX] = {
198 /* display only */ /* Display Yes/No */ /* keyboard only */
199 /* No Input/Output */ /* keyboard display */
200
201 /* initiator */
202 /* model = tbl[peer_io_caps][loc_io_caps] */
203 /* Display Only */
204 {{SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
205 SMP_MODEL_PASSKEY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY},
206
207 /* Display Yes/No */
208 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
209 SMP_MODEL_PASSKEY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY},
210
211 /* Keyboard only */
212 {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY,
213 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF},
214
215 /* No Input No Output */
216 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
217 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
218 SMP_MODEL_ENCRYPTION_ONLY},
219
220 /* keyboard display */
221 {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY,
222 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF}},
223
224 /* responder */
225 /* model = tbl[loc_io_caps][peer_io_caps] */
226 /* Display Only */
227 {{SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
228 SMP_MODEL_KEY_NOTIF, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF},
229
230 /* Display Yes/No */
231 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
232 SMP_MODEL_KEY_NOTIF, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF},
233
234 /* keyboard only */
235 {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY,
236 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY},
237
238 /* No Input No Output */
239 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
240 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
241 SMP_MODEL_ENCRYPTION_ONLY},
242
243 /* keyboard display */
244 {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_KEY_NOTIF,
245 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY}}};
246
247 static const tSMP_ASSO_MODEL
248 smp_association_table_sc[2][SMP_IO_CAP_MAX][SMP_IO_CAP_MAX] = {
249 /* display only */ /* Display Yes/No */ /* keyboard only */
250 /* No InputOutput */ /* keyboard display */
251
252 /* initiator */
253 /* model = tbl[peer_io_caps][loc_io_caps] */
254
255 /* Display Only */
256 {{SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
257 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
258 SMP_MODEL_SEC_CONN_PASSKEY_ENT},
259
260 /* Display Yes/No */
261 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP,
262 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
263 SMP_MODEL_SEC_CONN_NUM_COMP},
264
265 /* keyboard only */
266 {SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_PASSKEY_DISP,
267 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
268 SMP_MODEL_SEC_CONN_PASSKEY_DISP},
269
270 /* No Input No Output */
271 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
272 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
273 SMP_MODEL_SEC_CONN_JUSTWORKS},
274
275 /* keyboard display */
276 {SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_NUM_COMP,
277 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
278 SMP_MODEL_SEC_CONN_NUM_COMP}},
279
280 /* responder */
281 /* model = tbl[loc_io_caps][peer_io_caps] */
282
283 /* Display Only */
284 {{SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
285 SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS,
286 SMP_MODEL_SEC_CONN_PASSKEY_DISP},
287
288 /* Display Yes/No */
289 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP,
290 SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS,
291 SMP_MODEL_SEC_CONN_NUM_COMP},
292
293 /* keyboard only */
294 {SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_PASSKEY_ENT,
295 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
296 SMP_MODEL_SEC_CONN_PASSKEY_ENT},
297
298 /* No Input No Output */
299 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
300 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
301 SMP_MODEL_SEC_CONN_JUSTWORKS},
302
303 /* keyboard display */
304 {SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_NUM_COMP,
305 SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS,
306 SMP_MODEL_SEC_CONN_NUM_COMP}}};
307
308 static tSMP_ASSO_MODEL smp_select_legacy_association_model(tSMP_CB* p_cb);
309 static tSMP_ASSO_MODEL smp_select_association_model_secure_connections(
310 tSMP_CB* p_cb);
311
312 /**
313 * Log metrics data for SMP command
314 *
315 * @param bd_addr current pairing address
316 * @param is_outgoing whether this command is outgoing
317 * @param p_buf buffer to the beginning of SMP command
318 * @param buf_len length available to read for p_buf
319 */
smp_log_metrics(const RawAddress & bd_addr,bool is_outgoing,const uint8_t * p_buf,size_t buf_len,bool is_over_br)320 void smp_log_metrics(const RawAddress& bd_addr, bool is_outgoing,
321 const uint8_t* p_buf, size_t buf_len, bool is_over_br) {
322 if (buf_len < 1) {
323 log::warn("buffer is too small");
324 return;
325 }
326 uint8_t raw_cmd;
327 STREAM_TO_UINT8(raw_cmd, p_buf);
328 buf_len--;
329 uint8_t failure_reason = 0;
330 if (raw_cmd == SMP_OPCODE_PAIRING_FAILED && buf_len >= 1) {
331 STREAM_TO_UINT8(failure_reason, p_buf);
332 }
333 if (smp_cb.is_pair_cancel) {
334 failure_reason = SMP_USER_CANCELLED; // Tracking pairing cancellations
335 }
336 uint16_t metric_cmd =
337 is_over_br ? SMP_METRIC_COMMAND_BR_FLAG : SMP_METRIC_COMMAND_LE_FLAG;
338 metric_cmd |= static_cast<uint16_t>(raw_cmd);
339 android::bluetooth::DirectionEnum direction =
340 is_outgoing ? android::bluetooth::DirectionEnum::DIRECTION_OUTGOING
341 : android::bluetooth::DirectionEnum::DIRECTION_INCOMING;
342 log_smp_pairing_event(bd_addr, metric_cmd, direction,
343 static_cast<uint16_t>(failure_reason));
344 }
345
346 /*******************************************************************************
347 *
348 * Function smp_send_msg_to_L2CAP
349 *
350 * Description Send message to L2CAP.
351 *
352 ******************************************************************************/
smp_send_msg_to_L2CAP(const RawAddress & rem_bda,BT_HDR * p_toL2CAP)353 bool smp_send_msg_to_L2CAP(const RawAddress& rem_bda, BT_HDR* p_toL2CAP) {
354 uint16_t l2cap_ret;
355 uint16_t fixed_cid = L2CAP_SMP_CID;
356
357 if (smp_cb.smp_over_br) {
358 fixed_cid = L2CAP_SMP_BR_CID;
359 }
360
361 log::verbose("rem_bda:{}, over_bredr:{}", rem_bda, smp_cb.smp_over_br);
362
363 smp_log_metrics(rem_bda, true /* outgoing */,
364 p_toL2CAP->data + p_toL2CAP->offset, p_toL2CAP->len,
365 smp_cb.smp_over_br /* is_over_br */);
366
367 if (com::android::bluetooth::flags::l2cap_tx_complete_cb_info()) {
368 /* Unacked needs to be incremented before calling SendFixedChnlData */
369 smp_cb.total_tx_unacked++;
370 l2cap_ret = L2CA_SendFixedChnlData(fixed_cid, rem_bda, p_toL2CAP);
371 if (l2cap_ret == L2CAP_DW_FAILED) {
372 smp_cb.total_tx_unacked--;
373 log::error("SMP failed to pass msg to L2CAP");
374 return false;
375 }
376 log::verbose("l2cap_tx_complete_cb_info is enabled");
377 return true;
378 }
379
380 l2cap_ret = L2CA_SendFixedChnlData(fixed_cid, rem_bda, p_toL2CAP);
381 if (l2cap_ret == L2CAP_DW_FAILED) {
382 log::error("SMP failed to pass msg to L2CAP");
383 return false;
384 } else {
385 tSMP_CB* p_cb = &smp_cb;
386
387 log::verbose("l2cap_tx_complete_cb_info is disabled");
388 if (p_cb->wait_for_authorization_complete) {
389 tSMP_INT_DATA smp_int_data;
390 smp_int_data.status = SMP_SUCCESS;
391 if (fixed_cid == L2CAP_SMP_CID) {
392 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
393 } else {
394 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
395 }
396 }
397 return true;
398 }
399 }
400
401 /*******************************************************************************
402 *
403 * Function smp_send_cmd
404 *
405 * Description send a SMP command on L2CAP channel.
406 *
407 ******************************************************************************/
smp_send_cmd(uint8_t cmd_code,tSMP_CB * p_cb)408 bool smp_send_cmd(uint8_t cmd_code, tSMP_CB* p_cb) {
409 BT_HDR* p_buf;
410 bool sent = false;
411
412 log::debug("Sending SMP command:{}[0x{:x}] pairing_bda={}",
413 smp_opcode_text(static_cast<tSMP_OPCODE>(cmd_code)), cmd_code,
414 p_cb->pairing_bda);
415
416 if (cmd_code <= (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */) &&
417 smp_cmd_build_act[cmd_code] != NULL) {
418 p_buf = (*smp_cmd_build_act[cmd_code])(cmd_code, p_cb);
419
420 if (p_buf != NULL && smp_send_msg_to_L2CAP(p_cb->pairing_bda, p_buf)) {
421 sent = true;
422 alarm_set_on_mloop(p_cb->smp_rsp_timer_ent, SMP_WAIT_FOR_RSP_TIMEOUT_MS,
423 smp_rsp_timeout, NULL);
424 }
425 }
426
427 if (!sent) {
428 tSMP_INT_DATA smp_int_data;
429 smp_int_data.status = SMP_PAIR_INTERNAL_ERR;
430 if (p_cb->smp_over_br) {
431 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
432 } else {
433 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
434 }
435 }
436 return sent;
437 }
438
439 /*******************************************************************************
440 *
441 * Function smp_rsp_timeout
442 *
443 * Description Called when SMP wait for SMP command response timer expires
444 *
445 * Returns void
446 *
447 ******************************************************************************/
smp_rsp_timeout(void *)448 void smp_rsp_timeout(void* /* data */) {
449 tSMP_CB* p_cb = &smp_cb;
450
451 log::verbose("state:{} br_state:{}", p_cb->state, p_cb->br_state);
452
453 tSMP_INT_DATA smp_int_data;
454 smp_int_data.status = SMP_RSP_TIMEOUT;
455 if (p_cb->smp_over_br) {
456 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
457 } else {
458 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
459 }
460 }
461
462 /*******************************************************************************
463 *
464 * Function smp_delayed_auth_complete_timeout
465 *
466 * Description Called when no pairing failed command received within
467 * timeout period.
468 *
469 * Returns void
470 *
471 ******************************************************************************/
smp_delayed_auth_complete_timeout(void *)472 void smp_delayed_auth_complete_timeout(void* /* data */) {
473 /*
474 * Waited for potential pair failure. Send SMP_AUTH_CMPL_EVT if
475 * the state is still in bond pending.
476 */
477 if (smp_get_state() == SMP_STATE_BOND_PENDING) {
478 log::verbose("sending delayed auth complete.");
479 tSMP_INT_DATA smp_int_data;
480 smp_int_data.status = SMP_SUCCESS;
481 smp_sm_event(&smp_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
482 }
483 }
484
485 /*******************************************************************************
486 *
487 * Function smp_build_pairing_req_cmd
488 *
489 * Description Build pairing request command.
490 *
491 ******************************************************************************/
smp_build_pairing_cmd(uint8_t cmd_code,tSMP_CB * p_cb)492 BT_HDR* smp_build_pairing_cmd(uint8_t cmd_code, tSMP_CB* p_cb) {
493 uint8_t* p;
494 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIRING_REQ_SIZE +
495 L2CAP_MIN_OFFSET);
496
497 log::verbose("building cmd:{}",
498 smp_opcode_text(static_cast<tSMP_OPCODE>(cmd_code)));
499
500 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
501 UINT8_TO_STREAM(p, cmd_code);
502 UINT8_TO_STREAM(p, p_cb->local_io_capability);
503 UINT8_TO_STREAM(p, p_cb->loc_oob_flag);
504 UINT8_TO_STREAM(p, p_cb->loc_auth_req);
505 UINT8_TO_STREAM(p, p_cb->loc_enc_size);
506 UINT8_TO_STREAM(p, p_cb->local_i_key);
507 UINT8_TO_STREAM(p, p_cb->local_r_key);
508
509 p_buf->offset = L2CAP_MIN_OFFSET;
510 /* 1B ERR_RSP op code + 1B cmd_op_code + 2B handle + 1B status */
511 p_buf->len = SMP_PAIRING_REQ_SIZE;
512
513 return p_buf;
514 }
515
516 /*******************************************************************************
517 *
518 * Function smp_build_confirm_cmd
519 *
520 * Description Build confirm request command.
521 *
522 ******************************************************************************/
smp_build_confirm_cmd(uint8_t,tSMP_CB * p_cb)523 static BT_HDR* smp_build_confirm_cmd(uint8_t /* cmd_code */, tSMP_CB* p_cb) {
524 uint8_t* p;
525 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_CONFIRM_CMD_SIZE +
526 L2CAP_MIN_OFFSET);
527
528 log::verbose("addr:{}", p_cb->pairing_bda);
529
530 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
531
532 UINT8_TO_STREAM(p, SMP_OPCODE_CONFIRM);
533 ARRAY_TO_STREAM(p, p_cb->confirm, OCTET16_LEN);
534
535 p_buf->offset = L2CAP_MIN_OFFSET;
536 p_buf->len = SMP_CONFIRM_CMD_SIZE;
537
538 return p_buf;
539 }
540
541 /*******************************************************************************
542 *
543 * Function smp_build_rand_cmd
544 *
545 * Description Build Random command.
546 *
547 ******************************************************************************/
smp_build_rand_cmd(uint8_t,tSMP_CB * p_cb)548 static BT_HDR* smp_build_rand_cmd(uint8_t /* cmd_code */, tSMP_CB* p_cb) {
549 uint8_t* p;
550 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_RAND_CMD_SIZE +
551 L2CAP_MIN_OFFSET);
552
553 log::verbose("addr:{}", p_cb->pairing_bda);
554
555 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
556 UINT8_TO_STREAM(p, SMP_OPCODE_RAND);
557 ARRAY_TO_STREAM(p, p_cb->rand, OCTET16_LEN);
558
559 p_buf->offset = L2CAP_MIN_OFFSET;
560 p_buf->len = SMP_RAND_CMD_SIZE;
561
562 return p_buf;
563 }
564
565 /*******************************************************************************
566 *
567 * Function smp_build_encrypt_info_cmd
568 *
569 * Description Build security information command.
570 *
571 ******************************************************************************/
smp_build_encrypt_info_cmd(uint8_t,tSMP_CB * p_cb)572 static BT_HDR* smp_build_encrypt_info_cmd(uint8_t /* cmd_code */,
573 tSMP_CB* p_cb) {
574 uint8_t* p;
575 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ENC_INFO_SIZE +
576 L2CAP_MIN_OFFSET);
577
578 log::verbose("addr:{}", p_cb->pairing_bda);
579
580 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
581 UINT8_TO_STREAM(p, SMP_OPCODE_ENCRYPT_INFO);
582 ARRAY_TO_STREAM(p, p_cb->ltk, OCTET16_LEN);
583
584 p_buf->offset = L2CAP_MIN_OFFSET;
585 p_buf->len = SMP_ENC_INFO_SIZE;
586
587 return p_buf;
588 }
589
590 /*******************************************************************************
591 *
592 * Function smp_build_central_id_cmd
593 *
594 * Description Build security information command.
595 *
596 ******************************************************************************/
smp_build_central_id_cmd(uint8_t,tSMP_CB * p_cb)597 static BT_HDR* smp_build_central_id_cmd(uint8_t /* cmd_code */, tSMP_CB* p_cb) {
598 uint8_t* p;
599 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_CENTRAL_ID_SIZE +
600 L2CAP_MIN_OFFSET);
601
602 log::verbose("addr:{}", p_cb->pairing_bda);
603
604 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
605 UINT8_TO_STREAM(p, SMP_OPCODE_CENTRAL_ID);
606 UINT16_TO_STREAM(p, p_cb->ediv);
607 ARRAY_TO_STREAM(p, p_cb->enc_rand, BT_OCTET8_LEN);
608
609 p_buf->offset = L2CAP_MIN_OFFSET;
610 p_buf->len = SMP_CENTRAL_ID_SIZE;
611
612 return p_buf;
613 }
614
615 /*******************************************************************************
616 *
617 * Function smp_build_identity_info_cmd
618 *
619 * Description Build identity information command.
620 *
621 ******************************************************************************/
smp_build_identity_info_cmd(uint8_t,tSMP_CB * p_cb)622 static BT_HDR* smp_build_identity_info_cmd(uint8_t /* cmd_code */,
623 tSMP_CB* p_cb) {
624 uint8_t* p;
625 BT_HDR* p_buf =
626 (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ID_INFO_SIZE + L2CAP_MIN_OFFSET);
627
628 log::verbose("addr:{}", p_cb->pairing_bda);
629
630 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
631
632 const Octet16& irk = BTM_GetDeviceIDRoot();
633
634 UINT8_TO_STREAM(p, SMP_OPCODE_IDENTITY_INFO);
635 ARRAY_TO_STREAM(p, irk.data(), OCTET16_LEN);
636
637 p_buf->offset = L2CAP_MIN_OFFSET;
638 p_buf->len = SMP_ID_INFO_SIZE;
639
640 return p_buf;
641 }
642
643 /*******************************************************************************
644 *
645 * Function smp_build_id_addr_cmd
646 *
647 * Description Build identity address information command.
648 *
649 ******************************************************************************/
smp_build_id_addr_cmd(uint8_t,tSMP_CB * p_cb)650 static BT_HDR* smp_build_id_addr_cmd(uint8_t /* cmd_code */, tSMP_CB* p_cb) {
651 uint8_t* p;
652 BT_HDR* p_buf =
653 (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ID_ADDR_SIZE + L2CAP_MIN_OFFSET);
654
655 log::verbose("addr:{}", p_cb->pairing_bda);
656
657 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
658 UINT8_TO_STREAM(p, SMP_OPCODE_ID_ADDR);
659 UINT8_TO_STREAM(p, 0);
660 BDADDR_TO_STREAM(p, bluetooth::ToRawAddress(
661 bluetooth::shim::GetController()->GetMacAddress()));
662
663 p_buf->offset = L2CAP_MIN_OFFSET;
664 p_buf->len = SMP_ID_ADDR_SIZE;
665
666 return p_buf;
667 }
668
669 /*******************************************************************************
670 *
671 * Function smp_build_signing_info_cmd
672 *
673 * Description Build signing information command.
674 *
675 ******************************************************************************/
smp_build_signing_info_cmd(uint8_t,tSMP_CB * p_cb)676 static BT_HDR* smp_build_signing_info_cmd(uint8_t /* cmd_code */,
677 tSMP_CB* p_cb) {
678 uint8_t* p;
679 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_SIGN_INFO_SIZE +
680 L2CAP_MIN_OFFSET);
681
682 log::verbose("addr:{}", p_cb->pairing_bda);
683
684 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
685 UINT8_TO_STREAM(p, SMP_OPCODE_SIGN_INFO);
686 ARRAY_TO_STREAM(p, p_cb->csrk, OCTET16_LEN);
687
688 p_buf->offset = L2CAP_MIN_OFFSET;
689 p_buf->len = SMP_SIGN_INFO_SIZE;
690
691 return p_buf;
692 }
693
694 /*******************************************************************************
695 *
696 * Function smp_build_pairing_fail
697 *
698 * Description Build Pairing Fail command.
699 *
700 ******************************************************************************/
smp_build_pairing_fail(uint8_t,tSMP_CB * p_cb)701 static BT_HDR* smp_build_pairing_fail(uint8_t /* cmd_code */, tSMP_CB* p_cb) {
702 uint8_t* p;
703 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_FAIL_SIZE +
704 L2CAP_MIN_OFFSET);
705
706 log::verbose("addr:{}", p_cb->pairing_bda);
707
708 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
709 UINT8_TO_STREAM(p, SMP_OPCODE_PAIRING_FAILED);
710 UINT8_TO_STREAM(p, p_cb->failure);
711
712 p_buf->offset = L2CAP_MIN_OFFSET;
713 p_buf->len = SMP_PAIR_FAIL_SIZE;
714
715 return p_buf;
716 }
717
718 /*******************************************************************************
719 *
720 * Function smp_build_security_request
721 *
722 * Description Build security request command.
723 *
724 ******************************************************************************/
smp_build_security_request(uint8_t,tSMP_CB * p_cb)725 static BT_HDR* smp_build_security_request(uint8_t /* cmd_code */,
726 tSMP_CB* p_cb) {
727 uint8_t* p;
728 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + 2 + L2CAP_MIN_OFFSET);
729
730 log::verbose("addr:{}", p_cb->pairing_bda);
731
732 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
733 UINT8_TO_STREAM(p, SMP_OPCODE_SEC_REQ);
734 UINT8_TO_STREAM(p, p_cb->loc_auth_req);
735
736 p_buf->offset = L2CAP_MIN_OFFSET;
737 p_buf->len = SMP_SECURITY_REQUEST_SIZE;
738
739 log::verbose("opcode={} auth_req=0x{:x}", SMP_OPCODE_SEC_REQ,
740 p_cb->loc_auth_req);
741
742 return p_buf;
743 }
744
745 /*******************************************************************************
746 *
747 * Function smp_build_pair_public_key_cmd
748 *
749 * Description Build pairing public key command.
750 *
751 ******************************************************************************/
smp_build_pair_public_key_cmd(uint8_t,tSMP_CB * p_cb)752 static BT_HDR* smp_build_pair_public_key_cmd(uint8_t /* cmd_code */,
753 tSMP_CB* p_cb) {
754 uint8_t* p;
755 uint8_t publ_key[2 * BT_OCTET32_LEN];
756 uint8_t* p_publ_key = publ_key;
757 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_PUBL_KEY_SIZE +
758 L2CAP_MIN_OFFSET);
759
760 log::verbose("addr:{}", p_cb->pairing_bda);
761
762 memcpy(p_publ_key, p_cb->loc_publ_key.x, BT_OCTET32_LEN);
763 memcpy(p_publ_key + BT_OCTET32_LEN, p_cb->loc_publ_key.y, BT_OCTET32_LEN);
764
765 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
766 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_PUBLIC_KEY);
767 ARRAY_TO_STREAM(p, p_publ_key, 2 * BT_OCTET32_LEN);
768
769 p_buf->offset = L2CAP_MIN_OFFSET;
770 p_buf->len = SMP_PAIR_PUBL_KEY_SIZE;
771
772 return p_buf;
773 }
774
775 /*******************************************************************************
776 *
777 * Function smp_build_pairing_commitment_cmd
778 *
779 * Description Build pairing commitment command.
780 *
781 ******************************************************************************/
smp_build_pairing_commitment_cmd(uint8_t,tSMP_CB * p_cb)782 static BT_HDR* smp_build_pairing_commitment_cmd(uint8_t /* cmd_code */,
783 tSMP_CB* p_cb) {
784 uint8_t* p;
785 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_COMMITM_SIZE +
786 L2CAP_MIN_OFFSET);
787
788 log::verbose("addr:{}", p_cb->pairing_bda);
789
790 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
791 UINT8_TO_STREAM(p, SMP_OPCODE_CONFIRM);
792 ARRAY_TO_STREAM(p, p_cb->commitment, OCTET16_LEN);
793
794 p_buf->offset = L2CAP_MIN_OFFSET;
795 p_buf->len = SMP_PAIR_COMMITM_SIZE;
796
797 return p_buf;
798 }
799
800 /*******************************************************************************
801 *
802 * Function smp_build_pair_dhkey_check_cmd
803 *
804 * Description Build pairing DHKey check command.
805 *
806 ******************************************************************************/
smp_build_pair_dhkey_check_cmd(uint8_t,tSMP_CB * p_cb)807 static BT_HDR* smp_build_pair_dhkey_check_cmd(uint8_t /* cmd_code */,
808 tSMP_CB* p_cb) {
809 uint8_t* p;
810 BT_HDR* p_buf = (BT_HDR*)osi_malloc(
811 sizeof(BT_HDR) + SMP_PAIR_DHKEY_CHECK_SIZE + L2CAP_MIN_OFFSET);
812
813 log::verbose("addr:{}", p_cb->pairing_bda);
814
815 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
816 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_DHKEY_CHECK);
817 ARRAY_TO_STREAM(p, p_cb->dhkey_check, OCTET16_LEN);
818
819 p_buf->offset = L2CAP_MIN_OFFSET;
820 p_buf->len = SMP_PAIR_DHKEY_CHECK_SIZE;
821
822 return p_buf;
823 }
824
825 /*******************************************************************************
826 *
827 * Function smp_build_pairing_keypress_notification_cmd
828 *
829 * Description Build keypress notification command.
830 *
831 ******************************************************************************/
smp_build_pairing_keypress_notification_cmd(uint8_t,tSMP_CB * p_cb)832 static BT_HDR* smp_build_pairing_keypress_notification_cmd(
833 uint8_t /* cmd_code */, tSMP_CB* p_cb) {
834 uint8_t* p;
835 BT_HDR* p_buf = (BT_HDR*)osi_malloc(
836 sizeof(BT_HDR) + SMP_PAIR_KEYPR_NOTIF_SIZE + L2CAP_MIN_OFFSET);
837
838 log::verbose("addr:{}", p_cb->pairing_bda);
839
840 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
841 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_KEYPR_NOTIF);
842 UINT8_TO_STREAM(p, p_cb->local_keypress_notification);
843
844 p_buf->offset = L2CAP_MIN_OFFSET;
845 p_buf->len = SMP_PAIR_KEYPR_NOTIF_SIZE;
846
847 return p_buf;
848 }
849
850 /** This function is called to convert a 6 to 16 digits numeric character string
851 * into SMP TK. */
smp_convert_string_to_tk(Octet16 * tk,uint32_t passkey)852 void smp_convert_string_to_tk(Octet16* tk, uint32_t passkey) {
853 uint8_t* p = tk->data();
854 tSMP_KEY key;
855 log::verbose("smp_convert_string_to_tk");
856 UINT32_TO_STREAM(p, passkey);
857
858 key.key_type = SMP_KEY_TYPE_TK;
859 key.p_data = tk->data();
860
861 tSMP_INT_DATA smp_int_data;
862 smp_int_data.key = key;
863 smp_sm_event(&smp_cb, SMP_KEY_READY_EVT, &smp_int_data);
864 }
865
866 /** This function is called to mask off the encryption key based on the maximum
867 * encryption key size. */
smp_mask_enc_key(uint8_t loc_enc_size,Octet16 * p_data)868 void smp_mask_enc_key(uint8_t loc_enc_size, Octet16* p_data) {
869 log::verbose("smp_mask_enc_key");
870 if (loc_enc_size < OCTET16_LEN) {
871 for (; loc_enc_size < OCTET16_LEN; loc_enc_size++)
872 (*p_data)[loc_enc_size] = 0;
873 }
874 return;
875 }
876
877 /** utility function to do an biteise exclusive-OR of two bit strings of the
878 * length of OCTET16_LEN. Result is stored in first argument.
879 */
smp_xor_128(Octet16 * a,const Octet16 & b)880 void smp_xor_128(Octet16* a, const Octet16& b) {
881 log::assert_that(a != nullptr, "assert failed: a != nullptr");
882 uint8_t i, *aa = a->data();
883 const uint8_t* bb = b.data();
884
885 for (i = 0; i < OCTET16_LEN; i++) {
886 aa[i] = aa[i] ^ bb[i];
887 }
888 }
889
init(uint8_t security_mode)890 void tSMP_CB::init(uint8_t security_mode) {
891 *this = {};
892
893 init_security_mode = security_mode;
894 smp_cb.smp_rsp_timer_ent = alarm_new("smp.smp_rsp_timer_ent");
895 smp_cb.delayed_auth_timer_ent = alarm_new("smp.delayed_auth_timer_ent");
896
897 log::verbose("init_security_mode:{}", init_security_mode);
898
899 smp_l2cap_if_init();
900 /* initialization of P-256 parameters */
901 p_256_init_curve();
902
903 /* Initialize failure case for certification */
904 smp_cb.cert_failure = static_cast<tSMP_STATUS>(
905 stack_config_get_interface()->get_pts_smp_failure_case());
906 if (smp_cb.cert_failure)
907 log::error("PTS FAILURE MODE IN EFFECT (CASE {})", smp_cb.cert_failure);
908 }
909
910 /*******************************************************************************
911 *
912 * Function reset
913 *
914 * Description reset SMP control block
915 *
916 * Returns void
917 *
918 ******************************************************************************/
reset()919 void tSMP_CB::reset() {
920 tSMP_CALLBACK* p_callback = this->p_callback;
921 uint8_t init_security_mode = this->init_security_mode;
922 alarm_t* smp_rsp_timer_ent = this->smp_rsp_timer_ent;
923 alarm_t* delayed_auth_timer_ent = this->delayed_auth_timer_ent;
924
925 log::verbose("resetting SMP_CB");
926
927 alarm_cancel(this->smp_rsp_timer_ent);
928 alarm_cancel(this->delayed_auth_timer_ent);
929
930 *this = {};
931 this->init_security_mode = init_security_mode;
932
933 this->p_callback = p_callback;
934 this->init_security_mode = init_security_mode;
935 this->smp_rsp_timer_ent = smp_rsp_timer_ent;
936 this->delayed_auth_timer_ent = delayed_auth_timer_ent;
937 }
938
939 /*******************************************************************************
940 *
941 * Function smp_remove_fixed_channel
942 *
943 * Description This function is called to remove the fixed channel
944 *
945 * Returns void
946 *
947 ******************************************************************************/
smp_remove_fixed_channel(tSMP_CB * p_cb)948 void smp_remove_fixed_channel(tSMP_CB* p_cb) {
949 log::verbose("addr:{}", p_cb->pairing_bda);
950
951 if (p_cb->smp_over_br) {
952 if (!L2CA_RemoveFixedChnl(L2CAP_SMP_BR_CID, p_cb->pairing_bda)) {
953 log::error("Unable to remove L2CAP fixed channel peer:{} cid:{}",
954 p_cb->pairing_bda, L2CAP_SMP_BR_CID);
955 }
956 } else {
957 if (!L2CA_RemoveFixedChnl(L2CAP_SMP_CID, p_cb->pairing_bda)) {
958 log::error("Unable to remove L2CAP fixed channel peer:{} cid:{}",
959 p_cb->pairing_bda, L2CAP_SMP_CID);
960 }
961 }
962 }
963
964 /*******************************************************************************
965 *
966 * Function smp_reset_control_value
967 *
968 * Description This function is called to reset the control block value
969 * when the pairing procedure finished.
970 *
971 *
972 * Returns void
973 *
974 ******************************************************************************/
smp_reset_control_value(tSMP_CB * p_cb)975 void smp_reset_control_value(tSMP_CB* p_cb) {
976 log::verbose("reset smp_cb");
977
978 alarm_cancel(p_cb->smp_rsp_timer_ent);
979 p_cb->flags = 0;
980 /* set the link idle timer to drop the link when pairing is done
981 usually service discovery will follow authentication complete, to avoid
982 racing condition for a link down/up, set link idle timer to be
983 SMP_LINK_TOUT_MIN to guarantee SMP key exchange */
984 if (!L2CA_SetIdleTimeoutByBdAddr(p_cb->pairing_bda, SMP_LINK_TOUT_MIN,
985 BT_TRANSPORT_LE)) {
986 log::warn(
987 "Unable to set L2CAP idle timeout peer:{} transport:{} timeout:{}",
988 p_cb->pairing_bda, BT_TRANSPORT_LE, SMP_LINK_TOUT_MIN);
989 }
990
991 /* We can tell L2CAP to remove the fixed channel (if it has one) */
992 smp_remove_fixed_channel(p_cb);
993 p_cb->reset();
994 }
995
996 /*******************************************************************************
997 *
998 * Function smp_proc_pairing_cmpl
999 *
1000 * Description This function is called to process pairing complete
1001 *
1002 *
1003 * Returns void
1004 *
1005 ******************************************************************************/
smp_proc_pairing_cmpl(tSMP_CB * p_cb)1006 void smp_proc_pairing_cmpl(tSMP_CB* p_cb) {
1007 tSMP_CALLBACK* p_callback = p_cb->p_callback;
1008 const RawAddress pairing_bda = p_cb->pairing_bda;
1009
1010 const tSMP_EVT_DATA evt_data = {
1011 .cmplt =
1012 {
1013 .reason = p_cb->status,
1014 .sec_level = (p_cb->status == SMP_SUCCESS) ? p_cb->sec_level
1015 : SMP_SEC_NONE,
1016 .is_pair_cancel = p_cb->is_pair_cancel,
1017 .smp_over_br = p_cb->smp_over_br,
1018 },
1019 };
1020
1021 if (p_cb->status == SMP_SUCCESS) {
1022 log::debug(
1023 "Pairing process has completed successfully remote:{} "
1024 "sec_level:0x{:0x}",
1025 p_cb->pairing_bda, evt_data.cmplt.sec_level);
1026 BTM_LogHistory(kBtmLogTag, pairing_bda, "Pairing success");
1027 } else {
1028 log::warn(
1029 "Pairing process has failed to remote:{} smp_reason:{} "
1030 "sec_level:0x{:0x}",
1031 p_cb->pairing_bda, smp_status_text(evt_data.cmplt.reason),
1032 evt_data.cmplt.sec_level);
1033 BTM_LogHistory(
1034 kBtmLogTag, pairing_bda, "Pairing failed",
1035 base::StringPrintf("reason:%s",
1036 smp_status_text(evt_data.cmplt.reason).c_str()));
1037 }
1038
1039 // Log pairing complete event
1040 {
1041 auto direction =
1042 p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD
1043 ? android::bluetooth::DirectionEnum::DIRECTION_OUTGOING
1044 : android::bluetooth::DirectionEnum::DIRECTION_INCOMING;
1045 uint16_t metric_cmd = p_cb->smp_over_br
1046 ? SMP_METRIC_COMMAND_BR_PAIRING_CMPL
1047 : SMP_METRIC_COMMAND_LE_PAIRING_CMPL;
1048 uint16_t metric_status = p_cb->status;
1049 if (metric_status > SMP_MAX_FAIL_RSN_PER_SPEC) {
1050 metric_status |= SMP_METRIC_STATUS_INTERNAL_FLAG;
1051 }
1052 log_smp_pairing_event(p_cb->pairing_bda, metric_cmd, direction,
1053 metric_status);
1054 }
1055
1056 if (p_cb->status == SMP_SUCCESS && p_cb->smp_over_br) {
1057 btm_dev_consolidate_existing_connections(pairing_bda);
1058 }
1059
1060 smp_reset_control_value(p_cb);
1061
1062 if (p_callback) (*p_callback)(SMP_COMPLT_EVT, pairing_bda, &evt_data);
1063 }
1064
1065 /*******************************************************************************
1066 *
1067 * Function smp_command_has_invalid_length
1068 *
1069 * Description Checks if the received SMP command has invalid length
1070 * It returns true if the command has invalid length.
1071 *
1072 * Returns true if the command has invalid length, false otherwise.
1073 *
1074 ******************************************************************************/
smp_command_has_invalid_length(tSMP_CB * p_cb)1075 bool smp_command_has_invalid_length(tSMP_CB* p_cb) {
1076 uint8_t cmd_code = p_cb->rcvd_cmd_code;
1077
1078 if ((cmd_code > (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */)) ||
1079 (cmd_code < SMP_OPCODE_MIN)) {
1080 log::warn("Received command with RESERVED code 0x{:02x}", cmd_code);
1081 return true;
1082 }
1083
1084 if (!smp_command_has_valid_fixed_length(p_cb)) {
1085 return true;
1086 }
1087
1088 return false;
1089 }
1090
1091 /*******************************************************************************
1092 *
1093 * Function smp_command_has_invalid_parameters
1094 *
1095 * Description Checks if the received SMP command has invalid parameters
1096 * i.e. if the command length is valid and the command
1097 * parameters are inside specified range.
1098 * It returns true if the command has invalid parameters.
1099 *
1100 * Returns true if the command has invalid parameters, false otherwise.
1101 *
1102 ******************************************************************************/
smp_command_has_invalid_parameters(tSMP_CB * p_cb)1103 bool smp_command_has_invalid_parameters(tSMP_CB* p_cb) {
1104 uint8_t cmd_code = p_cb->rcvd_cmd_code;
1105
1106 if ((cmd_code > (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */)) ||
1107 (cmd_code < SMP_OPCODE_MIN)) {
1108 log::warn("Received command with RESERVED code 0x{:02x}", cmd_code);
1109 return true;
1110 }
1111
1112 if (!(*smp_cmd_len_is_valid[cmd_code])(p_cb)) {
1113 log::warn("Command length not valid for cmd_code 0x{:02x}", cmd_code);
1114 return true;
1115 }
1116
1117 if (!(*smp_cmd_param_ranges_are_valid[cmd_code])(p_cb)) {
1118 log::warn("Parameter ranges not valid code 0x{:02x}", cmd_code);
1119 return true;
1120 }
1121
1122 return false;
1123 }
1124
1125 /*******************************************************************************
1126 *
1127 * Function smp_command_has_valid_fixed_length
1128 *
1129 * Description Checks if the received command size is equal to the size
1130 * according to specs.
1131 *
1132 * Returns true if the command size is as expected, false otherwise.
1133 *
1134 * Note The command is expected to have fixed length.
1135 ******************************************************************************/
smp_command_has_valid_fixed_length(tSMP_CB * p_cb)1136 bool smp_command_has_valid_fixed_length(tSMP_CB* p_cb) {
1137 uint8_t cmd_code = p_cb->rcvd_cmd_code;
1138
1139 log::verbose("cmd code 0x{:02x}", cmd_code);
1140
1141 if (p_cb->rcvd_cmd_len != smp_cmd_size_per_spec[cmd_code]) {
1142 log::warn(
1143 "Rcvd from the peer cmd 0x{:02x} with invalid length 0x{:02x} (per "
1144 "spec the length is 0x{:02x}).",
1145 cmd_code, p_cb->rcvd_cmd_len, smp_cmd_size_per_spec[cmd_code]);
1146 return false;
1147 }
1148
1149 return true;
1150 }
1151
1152 /*******************************************************************************
1153 *
1154 * Function smp_pairing_request_response_parameters_are_valid
1155 *
1156 * Description Validates parameter ranges in the received SMP command
1157 * pairing request or pairing response.
1158 * The parameters to validate:
1159 * IO capability,
1160 * OOB data flag,
1161 * Bonding_flags in AuthReq
1162 * Maximum encryption key size.
1163 * Returns false if at least one of these parameters is out of
1164 * range.
1165 *
1166 ******************************************************************************/
smp_pairing_request_response_parameters_are_valid(tSMP_CB * p_cb)1167 bool smp_pairing_request_response_parameters_are_valid(tSMP_CB* p_cb) {
1168 uint8_t io_caps = p_cb->peer_io_caps;
1169 uint8_t oob_flag = p_cb->peer_oob_flag;
1170 uint8_t bond_flag =
1171 p_cb->peer_auth_req & 0x03; // 0x03 is gen bond with appropriate mask
1172 uint8_t enc_size = p_cb->peer_enc_size;
1173
1174 log::verbose("cmd code 0x{:02x}", p_cb->rcvd_cmd_code);
1175
1176 if (io_caps >= BTM_IO_CAP_MAX) {
1177 log::warn(
1178 "Rcvd from the peer cmd 0x{:02x} with IO Capability value (0x{:02x}) "
1179 "out of range).",
1180 p_cb->rcvd_cmd_code, io_caps);
1181 return false;
1182 }
1183
1184 if (!((oob_flag == SMP_OOB_NONE) || (oob_flag == SMP_OOB_PRESENT))) {
1185 log::warn(
1186 "Rcvd from the peer cmd 0x{:02x} with OOB data flag value (0x{:02x}) "
1187 "out of range).",
1188 p_cb->rcvd_cmd_code, oob_flag);
1189 return false;
1190 }
1191
1192 if (!((bond_flag == SMP_AUTH_NO_BOND) || (bond_flag == SMP_AUTH_BOND))) {
1193 log::warn(
1194 "Rcvd from the peer cmd 0x{:02x} with Bonding_Flags value (0x{:02x}) "
1195 "out of range).",
1196 p_cb->rcvd_cmd_code, bond_flag);
1197 return false;
1198 }
1199
1200 if ((enc_size < SMP_ENCR_KEY_SIZE_MIN) ||
1201 (enc_size > SMP_ENCR_KEY_SIZE_MAX)) {
1202 log::warn(
1203 "Rcvd from the peer cmd 0x{:02x} with Maximum Encryption Key value "
1204 "(0x{:02x}) out of range).",
1205 p_cb->rcvd_cmd_code, enc_size);
1206 return false;
1207 }
1208
1209 return true;
1210 }
1211
1212 /*******************************************************************************
1213 *
1214 * Function smp_pairing_keypress_notification_is_valid
1215 *
1216 * Description Validates Notification Type parameter range in the received
1217 * SMP command pairing keypress notification.
1218 * Returns false if this parameter is out of range.
1219 *
1220 ******************************************************************************/
smp_pairing_keypress_notification_is_valid(tSMP_CB * p_cb)1221 bool smp_pairing_keypress_notification_is_valid(tSMP_CB* p_cb) {
1222 tSMP_SC_KEY_TYPE keypress_notification = p_cb->peer_keypress_notification;
1223
1224 log::verbose("cmd code 0x{:02x}", p_cb->rcvd_cmd_code);
1225
1226 if (keypress_notification >= SMP_SC_KEY_OUT_OF_RANGE) {
1227 log::warn(
1228 "Rcvd from the peer cmd 0x{:02x} with Pairing Keypress Notification "
1229 "value (0x{:02x}) out of range).",
1230 p_cb->rcvd_cmd_code, keypress_notification);
1231 return false;
1232 }
1233
1234 return true;
1235 }
1236
1237 /*******************************************************************************
1238 *
1239 * Function smp_parameter_unconditionally_valid
1240 *
1241 * Description Always returns true.
1242 *
1243 ******************************************************************************/
smp_parameter_unconditionally_valid(tSMP_CB *)1244 bool smp_parameter_unconditionally_valid(tSMP_CB* /* p_cb */) { return true; }
1245
1246 /*******************************************************************************
1247 *
1248 * Function smp_parameter_unconditionally_invalid
1249 *
1250 * Description Always returns false.
1251 *
1252 ******************************************************************************/
smp_parameter_unconditionally_invalid(tSMP_CB *)1253 bool smp_parameter_unconditionally_invalid(tSMP_CB* /* p_cb */) {
1254 return false;
1255 }
1256
1257 /*******************************************************************************
1258 *
1259 * Function smp_reject_unexpected_pairing_command
1260 *
1261 * Description send pairing failure to an unexpected pairing command during
1262 * an active pairing process.
1263 *
1264 * Returns void
1265 *
1266 ******************************************************************************/
smp_reject_unexpected_pairing_command(const RawAddress & bd_addr)1267 void smp_reject_unexpected_pairing_command(const RawAddress& bd_addr) {
1268 uint8_t* p;
1269 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_FAIL_SIZE +
1270 L2CAP_MIN_OFFSET);
1271
1272 log::verbose("bd_addr:{}", bd_addr);
1273
1274 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
1275 UINT8_TO_STREAM(p, SMP_OPCODE_PAIRING_FAILED);
1276 UINT8_TO_STREAM(p, SMP_PAIR_NOT_SUPPORT);
1277
1278 p_buf->offset = L2CAP_MIN_OFFSET;
1279 p_buf->len = SMP_PAIR_FAIL_SIZE;
1280
1281 smp_send_msg_to_L2CAP(bd_addr, p_buf);
1282 }
1283
1284 /*******************************************************************************
1285 * Function smp_select_association_model
1286 *
1287 * Description This function selects association model to use for STK
1288 * generation. Selection is based on both sides' io capability,
1289 * oob data flag and authentication request.
1290 *
1291 * Note If Secure Connections Only mode is required locally then we
1292 * come to this point only if both sides support Secure
1293 * Connections mode, i.e.
1294 * if p_cb->sc_only_mode_locally_required = true
1295 * then we come to this point only if
1296 * (p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT) ==
1297 * (p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) ==
1298 * SMP_SC_SUPPORT_BIT
1299 *
1300 ******************************************************************************/
smp_select_association_model(tSMP_CB * p_cb)1301 tSMP_ASSO_MODEL smp_select_association_model(tSMP_CB* p_cb) {
1302 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE;
1303 p_cb->sc_mode_required_by_peer = false;
1304
1305 log::verbose("p_cb->peer_io_caps = {} p_cb->local_io_capability = {}",
1306 p_cb->peer_io_caps, p_cb->local_io_capability);
1307 log::verbose("p_cb->peer_oob_flag = {} p_cb->loc_oob_flag = {}",
1308 p_cb->peer_oob_flag, p_cb->loc_oob_flag);
1309 log::verbose("p_cb->peer_auth_req = 0x{:02x} p_cb->loc_auth_req = 0x{:02x}",
1310 p_cb->peer_auth_req, p_cb->loc_auth_req);
1311 log::verbose("p_cb->sc_only_mode_locally_required = {}",
1312 p_cb->sc_only_mode_locally_required);
1313
1314 if ((p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT) &&
1315 (p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT)) {
1316 p_cb->sc_mode_required_by_peer = true;
1317 }
1318
1319 if ((p_cb->peer_auth_req & SMP_H7_SUPPORT_BIT) &&
1320 (p_cb->loc_auth_req & SMP_H7_SUPPORT_BIT)) {
1321 p_cb->key_derivation_h7_used = TRUE;
1322 }
1323
1324 log::verbose("use_sc_process = {}, h7 use = {}",
1325 p_cb->sc_mode_required_by_peer, p_cb->key_derivation_h7_used);
1326
1327 if (p_cb->sc_mode_required_by_peer) {
1328 model = smp_select_association_model_secure_connections(p_cb);
1329 } else {
1330 model = smp_select_legacy_association_model(p_cb);
1331 }
1332 return model;
1333 }
1334
1335 /*******************************************************************************
1336 * Function smp_select_legacy_association_model
1337 *
1338 * Description This function is called to select association mode if at
1339 * least one side doesn't support secure connections.
1340 *
1341 ******************************************************************************/
smp_select_legacy_association_model(tSMP_CB * p_cb)1342 tSMP_ASSO_MODEL smp_select_legacy_association_model(tSMP_CB* p_cb) {
1343 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE;
1344
1345 log::verbose("addr:{}", p_cb->pairing_bda);
1346 /* if OOB data is present on both devices, then use OOB association model */
1347 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT &&
1348 p_cb->loc_oob_flag == SMP_OOB_PRESENT)
1349 return SMP_MODEL_OOB;
1350
1351 /* else if neither device requires MITM, then use Just Works association model
1352 */
1353 if (SMP_NO_MITM_REQUIRED(p_cb->peer_auth_req) &&
1354 SMP_NO_MITM_REQUIRED(p_cb->loc_auth_req))
1355 return SMP_MODEL_ENCRYPTION_ONLY;
1356
1357 /* otherwise use IO capability to select association model */
1358 if (p_cb->peer_io_caps < SMP_IO_CAP_MAX &&
1359 p_cb->local_io_capability < SMP_IO_CAP_MAX) {
1360 if (p_cb->role == HCI_ROLE_CENTRAL) {
1361 model = smp_association_table[p_cb->role][p_cb->peer_io_caps]
1362 [p_cb->local_io_capability];
1363 } else {
1364 model = smp_association_table[p_cb->role][p_cb->local_io_capability]
1365 [p_cb->peer_io_caps];
1366 }
1367 }
1368
1369 return model;
1370 }
1371
1372 /*******************************************************************************
1373 * Function smp_select_association_model_secure_connections
1374 *
1375 * Description This function is called to select association mode if both
1376 * sides support secure connections.
1377 *
1378 ******************************************************************************/
smp_select_association_model_secure_connections(tSMP_CB * p_cb)1379 tSMP_ASSO_MODEL smp_select_association_model_secure_connections(tSMP_CB* p_cb) {
1380 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE;
1381
1382 log::verbose("addr:{}", p_cb->pairing_bda);
1383 /* if OOB data is present on at least one device, then use OOB association
1384 * model */
1385 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT ||
1386 p_cb->loc_oob_flag == SMP_OOB_PRESENT)
1387 return SMP_MODEL_SEC_CONN_OOB;
1388
1389 /* else if neither device requires MITM, then use Just Works association model
1390 */
1391 if (SMP_NO_MITM_REQUIRED(p_cb->peer_auth_req) &&
1392 SMP_NO_MITM_REQUIRED(p_cb->loc_auth_req))
1393 return SMP_MODEL_SEC_CONN_JUSTWORKS;
1394
1395 /* otherwise use IO capability to select association model */
1396 if (p_cb->peer_io_caps < SMP_IO_CAP_MAX &&
1397 p_cb->local_io_capability < SMP_IO_CAP_MAX) {
1398 if (p_cb->role == HCI_ROLE_CENTRAL) {
1399 model = smp_association_table_sc[p_cb->role][p_cb->peer_io_caps]
1400 [p_cb->local_io_capability];
1401 } else {
1402 model = smp_association_table_sc[p_cb->role][p_cb->local_io_capability]
1403 [p_cb->peer_io_caps];
1404 }
1405 }
1406
1407 return model;
1408 }
1409
1410 /*******************************************************************************
1411 * Function smp_calculate_random_input
1412 *
1413 * Description This function returns random input value to be used in
1414 * commitment calculation for SC passkey entry association mode
1415 * (if bit["round"] in "random" array == 1 then returns 0x81
1416 * else returns 0x80).
1417 *
1418 * Returns ri value
1419 *
1420 ******************************************************************************/
smp_calculate_random_input(uint8_t * random,uint8_t round)1421 uint8_t smp_calculate_random_input(uint8_t* random, uint8_t round) {
1422 uint8_t i = round / 8;
1423 uint8_t j = round % 8;
1424 uint8_t ri;
1425
1426 ri = ((random[i] >> j) & 1) | 0x80;
1427 log::verbose("random:0x{:02x}, round:{}, i:{}, j:{}, ri:0x{:02x}", random[i],
1428 round, i, j, ri);
1429 return ri;
1430 }
1431
1432 /*******************************************************************************
1433 * Function smp_collect_local_io_capabilities
1434 *
1435 * Description This function puts into IOcap array local device
1436 * IOCapability, OOB data, AuthReq.
1437 *
1438 * Returns void
1439 *
1440 ******************************************************************************/
smp_collect_local_io_capabilities(uint8_t * iocap,tSMP_CB * p_cb)1441 void smp_collect_local_io_capabilities(uint8_t* iocap, tSMP_CB* p_cb) {
1442 log::verbose("addr:{}", p_cb->pairing_bda);
1443
1444 iocap[0] = p_cb->local_io_capability;
1445 iocap[1] = p_cb->loc_oob_flag;
1446 iocap[2] = p_cb->loc_auth_req;
1447 }
1448
1449 /*******************************************************************************
1450 * Function smp_collect_peer_io_capabilities
1451 *
1452 * Description This function puts into IOcap array peer device
1453 * IOCapability, OOB data, AuthReq.
1454 *
1455 * Returns void
1456 *
1457 ******************************************************************************/
smp_collect_peer_io_capabilities(uint8_t * iocap,tSMP_CB * p_cb)1458 void smp_collect_peer_io_capabilities(uint8_t* iocap, tSMP_CB* p_cb) {
1459 log::verbose("addr:{}", p_cb->pairing_bda);
1460
1461 iocap[0] = p_cb->peer_io_caps;
1462 iocap[1] = p_cb->peer_oob_flag;
1463 iocap[2] = p_cb->peer_auth_req;
1464 }
1465
1466 /*******************************************************************************
1467 * Function smp_collect_local_ble_address
1468 *
1469 * Description Put the the local device LE address into the le_addr array:
1470 * le_addr[0-5] = local BD ADDR,
1471 * le_addr[6] = local le address type (PUBLIC/RANDOM).
1472 *
1473 * Returns void
1474 *
1475 ******************************************************************************/
smp_collect_local_ble_address(uint8_t * le_addr,tSMP_CB * p_cb)1476 void smp_collect_local_ble_address(uint8_t* le_addr, tSMP_CB* p_cb) {
1477 tBLE_ADDR_TYPE addr_type = BLE_ADDR_PUBLIC;
1478 RawAddress bda;
1479 uint8_t* p = le_addr;
1480
1481 log::verbose("addr:{}", p_cb->pairing_bda);
1482
1483 BTM_ReadConnectionAddr(p_cb->pairing_bda, bda, &addr_type, true);
1484 BDADDR_TO_STREAM(p, bda);
1485 UINT8_TO_STREAM(p, addr_type);
1486 }
1487
1488 /*******************************************************************************
1489 * Function smp_collect_peer_ble_address
1490 *
1491 * Description Put the peer device LE addr into the le_addr array:
1492 * le_addr[0-5] = peer BD ADDR,
1493 * le_addr[6] = peer le address type (PUBLIC/RANDOM).
1494 *
1495 * Returns void
1496 *
1497 ******************************************************************************/
smp_collect_peer_ble_address(uint8_t * le_addr,tSMP_CB * p_cb)1498 void smp_collect_peer_ble_address(uint8_t* le_addr, tSMP_CB* p_cb) {
1499 tBLE_ADDR_TYPE addr_type = BLE_ADDR_PUBLIC;
1500 RawAddress bda;
1501 uint8_t* p = le_addr;
1502
1503 log::verbose("addr:{}", p_cb->pairing_bda);
1504
1505 if (!BTM_ReadRemoteConnectionAddr(p_cb->pairing_bda, bda, &addr_type, true)) {
1506 log::error("can not collect peer le addr information for unknown device");
1507 return;
1508 }
1509
1510 BDADDR_TO_STREAM(p, bda);
1511 UINT8_TO_STREAM(p, addr_type);
1512 }
1513
1514 /*******************************************************************************
1515 * Function smp_check_commitment
1516 *
1517 * Description This function compares peer commitment values:
1518 * - expected (i.e. calculated locally),
1519 * - received from the peer.
1520 *
1521 * Returns true if the values are the same
1522 * false otherwise
1523 *
1524 ******************************************************************************/
smp_check_commitment(tSMP_CB * p_cb)1525 bool smp_check_commitment(tSMP_CB* p_cb) {
1526 log::verbose("addr:{}", p_cb->pairing_bda);
1527
1528 Octet16 expected = smp_calculate_peer_commitment(p_cb);
1529 print128(expected, "calculated peer commitment");
1530 print128(p_cb->remote_commitment, "received peer commitment");
1531
1532 if (memcmp(p_cb->remote_commitment.data(), expected.data(), OCTET16_LEN)) {
1533 log::warn("Commitment check fails");
1534 return false;
1535 }
1536
1537 return true;
1538 }
1539
1540 /*******************************************************************************
1541 *
1542 * Function smp_save_secure_connections_long_term_key
1543 *
1544 * Description The function saves SC LTK as BLE key for future use as local
1545 * and/or peer key.
1546 *
1547 * Returns void
1548 *
1549 ******************************************************************************/
smp_save_secure_connections_long_term_key(tSMP_CB * p_cb)1550 void smp_save_secure_connections_long_term_key(tSMP_CB* p_cb) {
1551 log::verbose("Save LTK as local and peer key");
1552 tBTM_LE_KEY_VALUE lle_key = {
1553 .lenc_key =
1554 {
1555 .ltk = p_cb->ltk,
1556 .div = 0,
1557 .key_size = p_cb->loc_enc_size,
1558 .sec_level = p_cb->sec_level,
1559 },
1560 };
1561 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC, &lle_key, true);
1562
1563 tBTM_LE_KEY_VALUE ple_key = {
1564 .penc_key =
1565 {
1566 .ltk = p_cb->ltk,
1567 .ediv = 0,
1568 .sec_level = p_cb->sec_level,
1569 .key_size = p_cb->loc_enc_size,
1570 },
1571 };
1572 memset(ple_key.penc_key.rand, 0, BT_OCTET8_LEN);
1573 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC, &ple_key, true);
1574 }
1575
1576 /** The function calculates MacKey and LTK and saves them in CB. To calculate
1577 * MacKey and LTK it calls smp_calc_f5(...). MacKey is used in dhkey
1578 * calculation, LTK is used to encrypt the link. */
smp_calculate_f5_mackey_and_long_term_key(tSMP_CB * p_cb)1579 void smp_calculate_f5_mackey_and_long_term_key(tSMP_CB* p_cb) {
1580 uint8_t a[7];
1581 uint8_t b[7];
1582 Octet16 na;
1583 Octet16 nb;
1584
1585 log::verbose("addr:{}", p_cb->pairing_bda);
1586
1587 if (p_cb->role == HCI_ROLE_CENTRAL) {
1588 smp_collect_local_ble_address(a, p_cb);
1589 smp_collect_peer_ble_address(b, p_cb);
1590 na = p_cb->rand;
1591 nb = p_cb->rrand;
1592 } else {
1593 smp_collect_local_ble_address(b, p_cb);
1594 smp_collect_peer_ble_address(a, p_cb);
1595 na = p_cb->rrand;
1596 nb = p_cb->rand;
1597 }
1598
1599 crypto_toolbox::f5(p_cb->dhkey, na, nb, a, b, &p_cb->mac_key, &p_cb->ltk);
1600 }
1601
1602 /*******************************************************************************
1603 *
1604 * Function smp_request_oob_data
1605 *
1606 * Description Requests application to provide OOB data.
1607 *
1608 * Returns true - OOB data has to be provided by application
1609 * false - otherwise (unexpected)
1610 *
1611 ******************************************************************************/
smp_request_oob_data(tSMP_CB * p_cb)1612 bool smp_request_oob_data(tSMP_CB* p_cb) {
1613 tSMP_OOB_DATA_TYPE req_oob_type = SMP_OOB_INVALID_TYPE;
1614
1615 log::verbose("addr:{}", p_cb->pairing_bda);
1616
1617 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT &&
1618 p_cb->loc_oob_flag == SMP_OOB_PRESENT) {
1619 /* both local and peer rcvd data OOB */
1620 req_oob_type = SMP_OOB_BOTH;
1621 } else if (p_cb->peer_oob_flag == SMP_OOB_PRESENT) {
1622 /* peer rcvd OOB local data, local didn't receive OOB peer data */
1623 req_oob_type = SMP_OOB_LOCAL;
1624 } else if (p_cb->loc_oob_flag == SMP_OOB_PRESENT) {
1625 req_oob_type = SMP_OOB_PEER;
1626 }
1627
1628 log::verbose("req_oob_type={}", req_oob_type);
1629
1630 if (req_oob_type == SMP_OOB_INVALID_TYPE) return false;
1631
1632 p_cb->req_oob_type = req_oob_type;
1633 p_cb->cb_evt = SMP_SC_OOB_REQ_EVT;
1634 tSMP_INT_DATA smp_int_data;
1635 smp_int_data.req_oob_type = req_oob_type;
1636 smp_sm_event(p_cb, SMP_TK_REQ_EVT, &smp_int_data);
1637
1638 return true;
1639 }
1640
print128(const Octet16 & x,const char * key_name)1641 void print128(const Octet16& x, const char* key_name) {
1642 uint8_t* p = (uint8_t*)x.data();
1643
1644 log::info("{}(MSB~LSB):", key_name);
1645 for (int i = 0; i < 4; i++) {
1646 log::info("{:02x}:{:02x}:{:02x}:{:02x}", p[OCTET16_LEN - i * 4 - 1],
1647 p[OCTET16_LEN - i * 4 - 2], p[OCTET16_LEN - i * 4 - 3],
1648 p[OCTET16_LEN - i * 4 - 4]);
1649 }
1650 }
1651