1 /******************************************************************************
2 *
3 * Copyright 2003-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 #define LOG_TAG "smp_act"
20
21 #include <bluetooth/log.h>
22 #include <com_android_bluetooth_flags.h>
23
24 #include <cstring>
25
26 #include "btif/include/btif_common.h"
27 #include "btif/include/core_callbacks.h"
28 #include "btif/include/stack_manager_t.h"
29 #include "crypto_toolbox/crypto_toolbox.h"
30 #include "device/include/interop.h"
31 #include "internal_include/bt_target.h"
32 #include "p_256_ecc_pp.h"
33 #include "smp_int.h"
34 #include "stack/btm/btm_ble_sec.h"
35 #include "stack/btm/btm_dev.h"
36 #include "stack/btm/btm_sec.h"
37 #include "stack/include/bt_octets.h"
38 #include "stack/include/bt_types.h"
39 #include "stack/include/btm_api.h"
40 #include "stack/include/btm_log_history.h"
41 #include "stack/include/smp_api_types.h"
42 #include "types/raw_address.h"
43
44 using namespace bluetooth;
45
46 namespace {
47 constexpr char kBtmLogTag[] = "SMP";
48 }
49
50 static void smp_key_distribution_by_transport(tSMP_CB* p_cb,
51 tSMP_INT_DATA* p_data);
52
53 #define SMP_KEY_DIST_TYPE_MAX 4
54
55 const tSMP_ACT smp_distribute_act[] = {
56 smp_generate_ltk, /* SMP_SEC_KEY_TYPE_ENC - '1' bit index */
57 smp_send_id_info, /* SMP_SEC_KEY_TYPE_ID - '1' bit index */
58 smp_generate_csrk, /* SMP_SEC_KEY_TYPE_CSRK - '1' bit index */
59 smp_set_derive_link_key /* SMP_SEC_KEY_TYPE_LK - '1' bit index */
60 };
61
pts_test_send_authentication_complete_failure(tSMP_CB * p_cb)62 static bool pts_test_send_authentication_complete_failure(tSMP_CB* p_cb) {
63 tSMP_STATUS reason = p_cb->cert_failure;
64 if (reason == SMP_PAIR_AUTH_FAIL || reason == SMP_PAIR_FAIL_UNKNOWN ||
65 reason == SMP_PAIR_NOT_SUPPORT || reason == SMP_PASSKEY_ENTRY_FAIL ||
66 reason == SMP_REPEATED_ATTEMPTS) {
67 tSMP_INT_DATA smp_int_data;
68 smp_int_data.status = reason;
69 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
70 return true;
71 }
72 return false;
73 }
74
75 /*******************************************************************************
76 * Function smp_update_key_mask
77 * Description This function updates the key mask for sending or receiving.
78 ******************************************************************************/
smp_update_key_mask(tSMP_CB * p_cb,uint8_t key_type,bool recv)79 static void smp_update_key_mask(tSMP_CB* p_cb, uint8_t key_type, bool recv) {
80 log::verbose(
81 "before update role={} recv={} local_i_key=0x{:02x}, "
82 "local_r_key=0x{:02x}",
83 p_cb->role, recv, p_cb->local_i_key, p_cb->local_r_key);
84
85 if (((p_cb->sc_mode_required_by_peer) || (p_cb->smp_over_br)) &&
86 ((key_type == SMP_SEC_KEY_TYPE_ENC) ||
87 (key_type == SMP_SEC_KEY_TYPE_LK))) {
88 /* in LE SC mode LTK, CSRK and BR/EDR LK are derived locally instead of
89 ** being exchanged with the peer */
90 p_cb->local_i_key &= ~key_type;
91 p_cb->local_r_key &= ~key_type;
92 } else if (p_cb->role == HCI_ROLE_PERIPHERAL) {
93 if (recv)
94 p_cb->local_i_key &= ~key_type;
95 else
96 p_cb->local_r_key &= ~key_type;
97 } else {
98 if (recv)
99 p_cb->local_r_key &= ~key_type;
100 else
101 p_cb->local_i_key &= ~key_type;
102 }
103
104 log::verbose("updated local_i_key=0x{:02x}, local_r_key=0x{:02x}",
105 p_cb->local_i_key, p_cb->local_r_key);
106 }
107
108 /*******************************************************************************
109 * Function smp_send_app_cback
110 * Description notifies application about the events the application is
111 * interested in
112 ******************************************************************************/
smp_send_app_cback(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)113 void smp_send_app_cback(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
114 tSMP_EVT_DATA cb_data;
115 tBTM_STATUS callback_rc;
116 uint8_t remote_lmp_version = 0;
117
118 log::debug("addr:{} event:{}", p_cb->pairing_bda,
119 smp_evt_to_text(p_cb->cb_evt));
120
121 if (p_cb->p_callback && p_cb->cb_evt != 0) {
122 switch (p_cb->cb_evt) {
123 case SMP_IO_CAP_REQ_EVT:
124 cb_data.io_req.auth_req = p_cb->peer_auth_req;
125 cb_data.io_req.oob_data = SMP_OOB_NONE;
126 cb_data.io_req.io_cap = SMP_IO_CAP_KBDISP;
127 cb_data.io_req.max_key_size = SMP_MAX_ENC_KEY_SIZE;
128 cb_data.io_req.init_keys = p_cb->local_i_key;
129 cb_data.io_req.resp_keys = p_cb->local_r_key;
130 log::debug("Notify app io_cap={}", cb_data.io_req.io_cap);
131 break;
132
133 case SMP_NC_REQ_EVT:
134 cb_data.passkey = p_data->passkey;
135 break;
136 case SMP_SC_OOB_REQ_EVT:
137 cb_data.req_oob_type = p_data->req_oob_type;
138 break;
139 case SMP_SC_LOC_OOB_DATA_UP_EVT:
140 cb_data.loc_oob_data = p_cb->sc_oob_data.loc_oob_data;
141 break;
142
143 case SMP_BR_KEYS_REQ_EVT:
144 cb_data.io_req.auth_req = 0;
145 cb_data.io_req.oob_data = SMP_OOB_NONE;
146 cb_data.io_req.io_cap = 0;
147 cb_data.io_req.max_key_size = SMP_MAX_ENC_KEY_SIZE;
148 cb_data.io_req.init_keys = SMP_BR_SEC_DEFAULT_KEY;
149 cb_data.io_req.resp_keys = SMP_BR_SEC_DEFAULT_KEY;
150 break;
151
152 case SMP_LE_ADDR_ASSOC_EVT:
153 cb_data.id_addr = p_cb->id_addr;
154 break;
155
156 default:
157 log::error("Unexpected event:{}", p_cb->cb_evt);
158 break;
159 }
160
161 callback_rc =
162 (*p_cb->p_callback)(p_cb->cb_evt, p_cb->pairing_bda, &cb_data);
163
164 if (callback_rc == BTM_SUCCESS) {
165 switch (p_cb->cb_evt) {
166 case SMP_IO_CAP_REQ_EVT:
167 p_cb->loc_auth_req = cb_data.io_req.auth_req;
168 p_cb->local_io_capability = cb_data.io_req.io_cap;
169 p_cb->loc_oob_flag = cb_data.io_req.oob_data;
170 p_cb->loc_enc_size = cb_data.io_req.max_key_size;
171 p_cb->local_i_key = cb_data.io_req.init_keys;
172 p_cb->local_r_key = cb_data.io_req.resp_keys;
173
174 if (!(p_cb->loc_auth_req & SMP_AUTH_BOND)) {
175 log::debug("Non bonding: No keys will be exchanged");
176 p_cb->local_i_key = 0;
177 p_cb->local_r_key = 0;
178 }
179
180 log::debug(
181 "Remote request IO capabilities precondition "
182 "auth_req:0x{:02x},io_cap:{} loc_oob_flag:{} loc_enc_size:{}, "
183 "local_i_key:0x{:02x}, local_r_key:0x{:02x}",
184 p_cb->loc_auth_req, p_cb->local_io_capability, p_cb->loc_oob_flag,
185 p_cb->loc_enc_size, p_cb->local_i_key, p_cb->local_r_key);
186
187 p_cb->sc_only_mode_locally_required =
188 (p_cb->init_security_mode == BTM_SEC_MODE_SC) ? true : false;
189 /* just for PTS, force SC bit */
190 if (p_cb->sc_only_mode_locally_required) {
191 p_cb->loc_auth_req |= SMP_SC_SUPPORT_BIT;
192 }
193
194 if (!BTM_ReadRemoteVersion(p_cb->pairing_bda, &remote_lmp_version,
195 nullptr, nullptr)) {
196 log::warn("SMP Unable to determine remote_lmp_version:{}",
197 remote_lmp_version);
198 }
199
200 if (!p_cb->sc_only_mode_locally_required &&
201 (!(p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) ||
202 (remote_lmp_version &&
203 remote_lmp_version < HCI_PROTO_VERSION_4_2) ||
204 interop_match_addr(INTEROP_DISABLE_LE_SECURE_CONNECTIONS,
205 (const RawAddress*)&p_cb->pairing_bda))) {
206 log::debug(
207 "Setting SC, H7 and LinkKey bits to false to support legacy "
208 "device with lmp version:{}",
209 remote_lmp_version);
210 p_cb->loc_auth_req &= ~SMP_SC_SUPPORT_BIT;
211 p_cb->loc_auth_req &= ~SMP_KP_SUPPORT_BIT;
212 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
213 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
214 }
215
216 if (remote_lmp_version &&
217 remote_lmp_version < HCI_PROTO_VERSION_5_0) {
218 p_cb->loc_auth_req &= ~SMP_H7_SUPPORT_BIT;
219 }
220
221 log::debug(
222 "Remote request IO capabilities postcondition "
223 "auth_req:0x{:02x},local_i_key:0x{:02x}, local_r_key:0x{:02x}",
224 p_cb->loc_auth_req, p_cb->local_i_key, p_cb->local_r_key);
225
226 smp_sm_event(p_cb, SMP_IO_RSP_EVT, NULL);
227 break;
228
229 case SMP_BR_KEYS_REQ_EVT:
230 p_cb->loc_enc_size = cb_data.io_req.max_key_size;
231 p_cb->local_i_key = cb_data.io_req.init_keys;
232 p_cb->local_r_key = cb_data.io_req.resp_keys;
233 p_cb->loc_auth_req |= SMP_H7_SUPPORT_BIT;
234
235 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
236 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
237
238 log::debug(
239 "for SMP over BR max_key_size:0x{:02x}, local_i_key:0x{:02x}, "
240 "local_r_key:0x{:02x}, p_cb->loc_auth_req:0x{:02x}",
241 p_cb->loc_enc_size, p_cb->local_i_key, p_cb->local_r_key,
242 p_cb->loc_auth_req);
243
244 smp_br_state_machine_event(p_cb, SMP_BR_KEYS_RSP_EVT, NULL);
245 break;
246
247 // Expected, but nothing to do
248 case SMP_NC_REQ_EVT:
249 case SMP_SC_OOB_REQ_EVT:
250 case SMP_SC_LOC_OOB_DATA_UP_EVT:
251 case SMP_LE_ADDR_ASSOC_EVT:
252 break;
253
254 default:
255 log::error("Unexpected event:{}", p_cb->cb_evt);
256 }
257 }
258 }
259
260 if (!p_cb->cb_evt && p_cb->discard_sec_req) {
261 p_cb->discard_sec_req = false;
262 smp_sm_event(p_cb, SMP_DISCARD_SEC_REQ_EVT, NULL);
263 }
264 }
265
266 /*******************************************************************************
267 * Function smp_send_pair_fail
268 * Description pairing failure to peer device if needed.
269 ******************************************************************************/
smp_send_pair_fail(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)270 void smp_send_pair_fail(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
271 p_cb->status = p_data->status;
272 p_cb->failure = p_data->status;
273
274 if (p_cb->status <= SMP_MAX_FAIL_RSN_PER_SPEC &&
275 p_cb->status != SMP_SUCCESS) {
276 log::error("Pairing failed smp_status:{}", smp_status_text(p_cb->status));
277 BTM_LogHistory(kBtmLogTag, p_cb->pairing_bda, "Pairing failed",
278 base::StringPrintf("smp_status:%s",
279 smp_status_text(p_cb->status).c_str()));
280 smp_send_cmd(SMP_OPCODE_PAIRING_FAILED, p_cb);
281 p_cb->wait_for_authorization_complete = true;
282 }
283 }
284
285 /*******************************************************************************
286 * Function smp_send_pair_req
287 * Description actions related to sending pairing request
288 ******************************************************************************/
smp_send_pair_req(tSMP_CB * p_cb,tSMP_INT_DATA *)289 void smp_send_pair_req(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
290 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
291 log::verbose("addr:{}", p_cb->pairing_bda);
292
293 /* erase all keys when central sends pairing req*/
294 if (p_dev_rec) btm_sec_clear_ble_keys(p_dev_rec);
295 /* do not manipulate the key, let app decide,
296 leave out to BTM to mandate key distribution for bonding case */
297 smp_send_cmd(SMP_OPCODE_PAIRING_REQ, p_cb);
298 }
299
300 /*******************************************************************************
301 * Function smp_send_pair_rsp
302 * Description actions related to sending pairing response
303 ******************************************************************************/
smp_send_pair_rsp(tSMP_CB * p_cb,tSMP_INT_DATA *)304 void smp_send_pair_rsp(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
305 log::verbose("addr:{}", p_cb->pairing_bda);
306
307 p_cb->local_i_key &= p_cb->peer_i_key;
308 p_cb->local_r_key &= p_cb->peer_r_key;
309
310 if (smp_send_cmd(SMP_OPCODE_PAIRING_RSP, p_cb)) {
311 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB)
312 smp_use_oob_private_key(p_cb, NULL);
313 else
314 smp_decide_association_model(p_cb, NULL);
315 }
316 }
317
318 /*******************************************************************************
319 * Function smp_send_confirm
320 * Description send confirmation to the peer
321 ******************************************************************************/
smp_send_confirm(tSMP_CB * p_cb,tSMP_INT_DATA *)322 void smp_send_confirm(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
323 log::verbose("addr:{}", p_cb->pairing_bda);
324 smp_send_cmd(SMP_OPCODE_CONFIRM, p_cb);
325 p_cb->flags |= SMP_PAIR_FLAGS_CMD_CONFIRM_SENT;
326 }
327
328 /*******************************************************************************
329 * Function smp_send_rand
330 * Description send pairing random to the peer
331 ******************************************************************************/
smp_send_rand(tSMP_CB * p_cb,tSMP_INT_DATA *)332 void smp_send_rand(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
333 log::verbose("addr:{}", p_cb->pairing_bda);
334 smp_send_cmd(SMP_OPCODE_RAND, p_cb);
335 }
336
337 /*******************************************************************************
338 * Function smp_send_pair_public_key
339 * Description send pairing public key command to the peer
340 ******************************************************************************/
smp_send_pair_public_key(tSMP_CB * p_cb,tSMP_INT_DATA *)341 void smp_send_pair_public_key(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
342 log::verbose("addr:{}", p_cb->pairing_bda);
343 smp_send_cmd(SMP_OPCODE_PAIR_PUBLIC_KEY, p_cb);
344 }
345
346 /*******************************************************************************
347 * Function SMP_SEND_COMMITMENT
348 * Description send commitment command to the peer
349 ******************************************************************************/
smp_send_commitment(tSMP_CB * p_cb,tSMP_INT_DATA *)350 void smp_send_commitment(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
351 log::verbose("addr:{}", p_cb->pairing_bda);
352 smp_send_cmd(SMP_OPCODE_PAIR_COMMITM, p_cb);
353 }
354
355 /*******************************************************************************
356 * Function smp_send_dhkey_check
357 * Description send DHKey Check command to the peer
358 ******************************************************************************/
smp_send_dhkey_check(tSMP_CB * p_cb,tSMP_INT_DATA *)359 void smp_send_dhkey_check(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
360 log::verbose("addr:{}", p_cb->pairing_bda);
361 smp_send_cmd(SMP_OPCODE_PAIR_DHKEY_CHECK, p_cb);
362 }
363
364 /*******************************************************************************
365 * Function smp_send_keypress_notification
366 * Description send Keypress Notification command to the peer
367 ******************************************************************************/
smp_send_keypress_notification(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)368 void smp_send_keypress_notification(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
369 p_cb->local_keypress_notification = p_data->status;
370 smp_send_cmd(SMP_OPCODE_PAIR_KEYPR_NOTIF, p_cb);
371 }
372
373 /*******************************************************************************
374 * Function smp_send_enc_info
375 * Description send encryption information command.
376 ******************************************************************************/
smp_send_enc_info(tSMP_CB * p_cb,tSMP_INT_DATA *)377 void smp_send_enc_info(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
378 log::verbose("p_cb->loc_enc_size={}", p_cb->loc_enc_size);
379 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, false);
380
381 smp_send_cmd(SMP_OPCODE_ENCRYPT_INFO, p_cb);
382 smp_send_cmd(SMP_OPCODE_CENTRAL_ID, p_cb);
383
384 /* save the DIV and key size information when acting as peripheral device */
385 tBTM_LE_KEY_VALUE le_key = {
386 .lenc_key =
387 {
388 .ltk = p_cb->ltk,
389 .div = p_cb->div,
390 .key_size = p_cb->loc_enc_size,
391 .sec_level = p_cb->sec_level,
392 },
393 };
394
395 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
396 (p_cb->loc_auth_req & SMP_AUTH_BOND))
397 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC, &le_key, true);
398 smp_key_distribution(p_cb, NULL);
399 }
400
401 /*******************************************************************************
402 * Function smp_send_id_info
403 * Description send ID information command.
404 ******************************************************************************/
smp_send_id_info(tSMP_CB * p_cb,tSMP_INT_DATA *)405 void smp_send_id_info(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
406 log::verbose("addr:{}", p_cb->pairing_bda);
407 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ID, false);
408
409 smp_send_cmd(SMP_OPCODE_IDENTITY_INFO, p_cb);
410 smp_send_cmd(SMP_OPCODE_ID_ADDR, p_cb);
411
412 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
413 (p_cb->loc_auth_req & SMP_AUTH_BOND))
414 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LID, nullptr, true);
415
416 smp_key_distribution_by_transport(p_cb, NULL);
417 }
418
419 /** send CSRK command. */
smp_send_csrk_info(tSMP_CB * p_cb,tSMP_INT_DATA *)420 void smp_send_csrk_info(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
421 log::verbose("addr:{}", p_cb->pairing_bda);
422 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_CSRK, false);
423
424 if (smp_send_cmd(SMP_OPCODE_SIGN_INFO, p_cb)) {
425 tBTM_LE_KEY_VALUE key = {
426 .lcsrk_key =
427 {
428 .counter = 0, /* initialize the local counter */
429 .div = p_cb->div,
430 .sec_level = p_cb->sec_level,
431 .csrk = p_cb->csrk,
432 },
433 };
434 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LCSRK, &key, true);
435 }
436
437 smp_key_distribution_by_transport(p_cb, NULL);
438 }
439
440 /*******************************************************************************
441 * Function smp_send_ltk_reply
442 * Description send LTK reply
443 ******************************************************************************/
smp_send_ltk_reply(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)444 void smp_send_ltk_reply(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
445 log::verbose("addr:{}", p_cb->pairing_bda);
446
447 Octet16 stk;
448 memcpy(stk.data(), p_data->key.p_data, stk.size());
449 /* send stk as LTK response */
450 btm_ble_ltk_request_reply(p_cb->pairing_bda, true, stk);
451 }
452
453 /*******************************************************************************
454 * Function smp_proc_sec_req
455 * Description process security request.
456 ******************************************************************************/
smp_proc_sec_req(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)457 void smp_proc_sec_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
458 if (smp_command_has_invalid_length(p_cb)) {
459 tSMP_INT_DATA smp_int_data;
460 smp_int_data.status = SMP_INVALID_PARAMETERS;
461 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
462 return;
463 }
464
465 tBTM_LE_AUTH_REQ auth_req = *(tBTM_LE_AUTH_REQ*)p_data->p_data;
466 tBTM_BLE_SEC_REQ_ACT sec_req_act;
467
468 log::verbose("auth_req=0x{:x}", auth_req);
469
470 p_cb->cb_evt = SMP_EVT_NONE;
471
472 btm_ble_link_sec_check(p_cb->pairing_bda, auth_req, &sec_req_act);
473
474 log::verbose("sec_req_act={}", sec_req_act);
475
476 switch (sec_req_act) {
477 case BTM_BLE_SEC_REQ_ACT_ENCRYPT:
478 log::verbose("BTM_BLE_SEC_REQ_ACT_ENCRYPT");
479 smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL);
480 break;
481
482 case BTM_BLE_SEC_REQ_ACT_PAIR:
483 p_cb->sc_only_mode_locally_required =
484 (p_cb->init_security_mode == BTM_SEC_MODE_SC) ? true : false;
485
486 /* respond to non SC pairing request as failure in SC only mode */
487 if (p_cb->sc_only_mode_locally_required &&
488 (auth_req & SMP_SC_SUPPORT_BIT) == 0) {
489 tSMP_INT_DATA smp_int_data;
490 smp_int_data.status = SMP_PAIR_AUTH_FAIL;
491 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
492 } else {
493 /* initialize local i/r key to be default keys */
494 p_cb->peer_auth_req = auth_req;
495 p_cb->local_r_key = p_cb->local_i_key = SMP_SEC_DEFAULT_KEY;
496 p_cb->cb_evt = SMP_SEC_REQUEST_EVT;
497 }
498 break;
499
500 case BTM_BLE_SEC_REQ_ACT_DISCARD:
501 p_cb->discard_sec_req = true;
502 break;
503
504 default:
505 /* do nothing */
506 break;
507 }
508 }
509
510 /*******************************************************************************
511 * Function smp_proc_sec_grant
512 * Description process security grant.
513 ******************************************************************************/
smp_proc_sec_grant(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)514 void smp_proc_sec_grant(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
515 uint8_t res = p_data->status;
516 log::verbose("addr:{}", p_cb->pairing_bda);
517 if (res != SMP_SUCCESS) {
518 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, p_data);
519 } else /*otherwise, start pairing */
520 {
521 /* send IO request callback */
522 p_cb->cb_evt = SMP_IO_CAP_REQ_EVT;
523 }
524 }
525
526 /*******************************************************************************
527 * Function smp_proc_pair_fail
528 * Description process pairing failure from peer device
529 ******************************************************************************/
smp_proc_pair_fail(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)530 void smp_proc_pair_fail(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
531 log::verbose("addr:{}", p_cb->pairing_bda);
532
533 if (p_cb->rcvd_cmd_len < 2) {
534 log::warn("rcvd_cmd_len {} too short: must be at least 2",
535 p_cb->rcvd_cmd_len);
536 p_cb->status = SMP_INVALID_PARAMETERS;
537 } else {
538 if (com::android::bluetooth::flags::
539 fix_pairing_failure_reason_from_remote()) {
540 p_cb->status = static_cast<tSMP_STATUS>(p_data->p_data[0]);
541 } else {
542 p_cb->status = p_data->status;
543 }
544 }
545
546 /* Cancel pending auth complete timer if set */
547 alarm_cancel(p_cb->delayed_auth_timer_ent);
548 }
549
550 /*******************************************************************************
551 * Function smp_proc_pair_cmd
552 * Description Process the SMP pairing request/response from peer device
553 ******************************************************************************/
smp_proc_pair_cmd(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)554 void smp_proc_pair_cmd(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
555 uint8_t* p = p_data->p_data;
556 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
557
558 log::verbose("pairing_bda={}", p_cb->pairing_bda);
559
560 /* erase all keys if it is peripheral proc pairing req */
561 if (p_dev_rec && (p_cb->role == HCI_ROLE_PERIPHERAL))
562 btm_sec_clear_ble_keys(p_dev_rec);
563
564 p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR;
565
566 if (smp_command_has_invalid_length(p_cb)) {
567 tSMP_INT_DATA smp_int_data;
568 smp_int_data.status = SMP_INVALID_PARAMETERS;
569 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
570 return;
571 }
572
573 STREAM_TO_UINT8(p_cb->peer_io_caps, p);
574 STREAM_TO_UINT8(p_cb->peer_oob_flag, p);
575 STREAM_TO_UINT8(p_cb->peer_auth_req, p);
576 STREAM_TO_UINT8(p_cb->peer_enc_size, p);
577 STREAM_TO_UINT8(p_cb->peer_i_key, p);
578 STREAM_TO_UINT8(p_cb->peer_r_key, p);
579
580 tSMP_STATUS reason = p_cb->cert_failure;
581 if (reason == SMP_ENC_KEY_SIZE) {
582 tSMP_INT_DATA smp_int_data;
583 smp_int_data.status = reason;
584 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
585 return;
586 }
587
588 if (smp_command_has_invalid_parameters(p_cb)) {
589 tSMP_INT_DATA smp_int_data;
590 smp_int_data.status = SMP_INVALID_PARAMETERS;
591 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
592 return;
593 }
594
595 // PTS Testing failure modes
596 if (pts_test_send_authentication_complete_failure(p_cb)) return;
597
598 if (p_cb->role == HCI_ROLE_PERIPHERAL) {
599 if (!(p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD)) {
600 /* peer (central) started pairing sending Pairing Request */
601 p_cb->local_i_key = p_cb->peer_i_key;
602 p_cb->local_r_key = p_cb->peer_r_key;
603
604 p_cb->cb_evt = SMP_IO_CAP_REQ_EVT;
605 } else /* update local i/r key according to pairing request */
606 {
607 /* pairing started with this side (peripheral) sending Security Request */
608 p_cb->local_i_key &= p_cb->peer_i_key;
609 p_cb->local_r_key &= p_cb->peer_r_key;
610 p_cb->selected_association_model = smp_select_association_model(p_cb);
611
612 if (p_cb->sc_only_mode_locally_required &&
613 (!(p_cb->sc_mode_required_by_peer) ||
614 (p_cb->selected_association_model ==
615 SMP_MODEL_SEC_CONN_JUSTWORKS))) {
616 log::error(
617 "pairing failed - peripheral requires secure connection only mode");
618 tSMP_INT_DATA smp_int_data;
619 smp_int_data.status = SMP_PAIR_AUTH_FAIL;
620 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
621 return;
622 }
623
624 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) {
625 if (smp_request_oob_data(p_cb)) return;
626 } else {
627 smp_send_pair_rsp(p_cb, NULL);
628 }
629 }
630 } else /* Central receives pairing response */
631 {
632 p_cb->selected_association_model = smp_select_association_model(p_cb);
633
634 if (p_cb->sc_only_mode_locally_required &&
635 (!(p_cb->sc_mode_required_by_peer) ||
636 (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS))) {
637 log::error(
638 "Central requires secure connection only mode but it can't be "
639 "provided -> Central fails pairing");
640 tSMP_INT_DATA smp_int_data;
641 smp_int_data.status = SMP_PAIR_AUTH_FAIL;
642 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
643 return;
644 }
645
646 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) {
647 if (smp_request_oob_data(p_cb)) return;
648 } else {
649 smp_decide_association_model(p_cb, NULL);
650 }
651 }
652 }
653
654 /** process pairing confirm from peer device */
smp_proc_confirm(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)655 void smp_proc_confirm(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
656 log::verbose("pairing_bda={}", p_cb->pairing_bda);
657
658 if (smp_command_has_invalid_parameters(p_cb)) {
659 tSMP_INT_DATA smp_int_data;
660 smp_int_data.status = SMP_INVALID_PARAMETERS;
661 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
662 return;
663 }
664
665 if (p_data) {
666 uint8_t* p = p_data->p_data;
667 if (p != NULL) {
668 /* save the SConfirm for comparison later */
669 STREAM_TO_ARRAY(p_cb->rconfirm.data(), p, OCTET16_LEN);
670 }
671 }
672
673 p_cb->flags |= SMP_PAIR_FLAGS_CMD_CONFIRM_RCVD;
674 }
675
676 /*******************************************************************************
677 * Function smp_proc_rand
678 * Description process pairing random (nonce) from peer device
679 ******************************************************************************/
smp_proc_rand(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)680 void smp_proc_rand(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
681 uint8_t* p = p_data->p_data;
682
683 log::verbose("pairing_bda={}", p_cb->pairing_bda);
684
685 if (smp_command_has_invalid_parameters(p_cb)) {
686 tSMP_INT_DATA smp_int_data;
687 smp_int_data.status = SMP_INVALID_PARAMETERS;
688 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
689 return;
690 }
691
692 if (com::android::bluetooth::flags::fix_le_pairing_passkey_entry_bypass()) {
693 if (!((p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) &&
694 (p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT)) &&
695 !(p_cb->flags & SMP_PAIR_FLAGS_CMD_CONFIRM_SENT)) {
696 // in legacy pairing, the peer should send its rand after
697 // we send our confirm
698 tSMP_INT_DATA smp_int_data{};
699 smp_int_data.status = SMP_INVALID_PARAMETERS;
700 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
701 return;
702 }
703 }
704
705 /* save the SRand for comparison */
706 STREAM_TO_ARRAY(p_cb->rrand.data(), p, OCTET16_LEN);
707 }
708
709 /*******************************************************************************
710 * Function smp_process_pairing_public_key
711 * Description process pairing public key command from the peer device
712 * - saves the peer public key;
713 * - sets the flag indicating that the peer public key is received;
714 * - calls smp_wait_for_both_public_keys(...).
715 *
716 ******************************************************************************/
smp_process_pairing_public_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)717 void smp_process_pairing_public_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
718 uint8_t* p = p_data->p_data;
719
720 log::verbose("addr:{}", p_cb->pairing_bda);
721
722 if (smp_command_has_invalid_parameters(p_cb)) {
723 tSMP_INT_DATA smp_int_data;
724 smp_int_data.status = SMP_INVALID_PARAMETERS;
725 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
726 return;
727 }
728
729 STREAM_TO_ARRAY(p_cb->peer_publ_key.x, p, BT_OCTET32_LEN);
730 STREAM_TO_ARRAY(p_cb->peer_publ_key.y, p, BT_OCTET32_LEN);
731
732 Point pt;
733 memcpy(pt.x, p_cb->peer_publ_key.x, BT_OCTET32_LEN);
734 memcpy(pt.y, p_cb->peer_publ_key.y, BT_OCTET32_LEN);
735
736 if (!memcmp(p_cb->peer_publ_key.x, p_cb->loc_publ_key.x, BT_OCTET32_LEN)) {
737 log::warn("Remote and local public keys can't match");
738 tSMP_INT_DATA smp;
739 smp.status = SMP_PAIR_AUTH_FAIL;
740 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp);
741 return;
742 }
743
744 if (!ECC_ValidatePoint(pt)) {
745 tSMP_INT_DATA smp;
746 smp.status = SMP_PAIR_AUTH_FAIL;
747 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp);
748 return;
749 }
750
751 p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_PUBL_KEY;
752
753 smp_wait_for_both_public_keys(p_cb, NULL);
754 }
755
756 /*******************************************************************************
757 * Function smp_process_pairing_commitment
758 * Description process pairing commitment from peer device
759 ******************************************************************************/
smp_process_pairing_commitment(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)760 void smp_process_pairing_commitment(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
761 uint8_t* p = p_data->p_data;
762
763 log::verbose("addr:{}", p_cb->pairing_bda);
764
765 if (smp_command_has_invalid_parameters(p_cb)) {
766 tSMP_INT_DATA smp_int_data;
767 smp_int_data.status = SMP_INVALID_PARAMETERS;
768 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
769 return;
770 }
771
772 p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_COMM;
773
774 if (p != NULL) {
775 STREAM_TO_ARRAY(p_cb->remote_commitment.data(), p, OCTET16_LEN);
776 }
777 }
778
779 /*******************************************************************************
780 * Function smp_process_dhkey_check
781 * Description process DHKey Check from peer device
782 ******************************************************************************/
smp_process_dhkey_check(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)783 void smp_process_dhkey_check(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
784 uint8_t* p = p_data->p_data;
785
786 log::verbose("addr:{}", p_cb->pairing_bda);
787
788 if (smp_command_has_invalid_parameters(p_cb)) {
789 tSMP_INT_DATA smp_int_data;
790 smp_int_data.status = SMP_INVALID_PARAMETERS;
791 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
792 return;
793 }
794
795 if (p != NULL) {
796 STREAM_TO_ARRAY(p_cb->remote_dhkey_check.data(), p, OCTET16_LEN);
797 }
798
799 p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_DHK_CHK;
800 }
801
802 /*******************************************************************************
803 * Function smp_process_keypress_notification
804 * Description process pairing keypress notification from peer device
805 ******************************************************************************/
smp_process_keypress_notification(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)806 void smp_process_keypress_notification(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
807 uint8_t* p = p_data->p_data;
808
809 log::verbose("addr:{}", p_cb->pairing_bda);
810 p_cb->status = p_data->status;
811
812 if (smp_command_has_invalid_parameters(p_cb)) {
813 tSMP_INT_DATA smp_int_data;
814 smp_int_data.status = SMP_INVALID_PARAMETERS;
815 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
816 return;
817 }
818
819 if (p != NULL) {
820 STREAM_TO_UINT8(p_cb->peer_keypress_notification, p);
821 } else {
822 p_cb->peer_keypress_notification = SMP_SC_KEY_OUT_OF_RANGE;
823 }
824 p_cb->cb_evt = SMP_PEER_KEYPR_NOT_EVT;
825 }
826
827 /*******************************************************************************
828 * Function smp_br_process_pairing_command
829 * Description Process the SMP pairing request/response from peer device via
830 * BR/EDR transport.
831 ******************************************************************************/
smp_br_process_pairing_command(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)832 void smp_br_process_pairing_command(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
833 uint8_t* p = p_data->p_data;
834 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
835
836 log::verbose("addr:{}", p_cb->pairing_bda);
837 /* rejecting BR pairing request over non-SC BR link */
838 if (!p_dev_rec->sec_rec.new_encryption_key_is_p256 &&
839 p_cb->role == HCI_ROLE_PERIPHERAL) {
840 tSMP_INT_DATA smp_int_data;
841 smp_int_data.status = SMP_XTRANS_DERIVE_NOT_ALLOW;
842 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
843 return;
844 }
845
846 /* erase all keys if it is peripheral proc pairing req*/
847 if (p_dev_rec && (p_cb->role == HCI_ROLE_PERIPHERAL))
848 btm_sec_clear_ble_keys(p_dev_rec);
849
850 p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR;
851
852 if (smp_command_has_invalid_length(p_cb)) {
853 tSMP_INT_DATA smp_int_data;
854 smp_int_data.status = SMP_INVALID_PARAMETERS;
855 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
856 return;
857 }
858
859 STREAM_TO_UINT8(p_cb->peer_io_caps, p);
860 STREAM_TO_UINT8(p_cb->peer_oob_flag, p);
861 STREAM_TO_UINT8(p_cb->peer_auth_req, p);
862 STREAM_TO_UINT8(p_cb->peer_enc_size, p);
863 STREAM_TO_UINT8(p_cb->peer_i_key, p);
864 STREAM_TO_UINT8(p_cb->peer_r_key, p);
865
866 if (smp_command_has_invalid_parameters(p_cb)) {
867 tSMP_INT_DATA smp_int_data;
868 smp_int_data.status = SMP_INVALID_PARAMETERS;
869 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
870 return;
871 }
872
873 /* peer (central) started pairing sending Pairing Request */
874 /* or being central device always use received i/r key as keys to distribute
875 */
876 p_cb->local_i_key = p_cb->peer_i_key;
877 p_cb->local_r_key = p_cb->peer_r_key;
878
879 if (p_cb->role == HCI_ROLE_PERIPHERAL) {
880 p_dev_rec->sec_rec.new_encryption_key_is_p256 = false;
881 /* shortcut to skip Security Grant step */
882 p_cb->cb_evt = SMP_BR_KEYS_REQ_EVT;
883 } else {
884 /* Central receives pairing response */
885 log::verbose(
886 "central rcvs valid PAIRING RESPONSE. Supposed to move to key "
887 "distribution phase.");
888 }
889
890 /* auth_req received via BR/EDR SM channel is set to 0,
891 but everything derived/exchanged has to be saved */
892 p_cb->peer_auth_req |= SMP_AUTH_BOND;
893 p_cb->loc_auth_req |= SMP_AUTH_BOND;
894 }
895
896 /*******************************************************************************
897 * Function smp_br_process_security_grant
898 * Description process security grant in case of pairing over BR/EDR transport.
899 ******************************************************************************/
smp_br_process_security_grant(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)900 void smp_br_process_security_grant(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
901 log::verbose("addr:{}", p_cb->pairing_bda);
902 if (p_data->status != SMP_SUCCESS) {
903 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, p_data);
904 } else {
905 /* otherwise, start pairing; send IO request callback */
906 p_cb->cb_evt = SMP_BR_KEYS_REQ_EVT;
907 }
908 }
909
910 /*******************************************************************************
911 * Function smp_br_check_authorization_request
912 * Description sets the SMP kes to be derived/distribute over BR/EDR transport
913 * before starting the distribution/derivation
914 ******************************************************************************/
smp_br_check_authorization_request(tSMP_CB * p_cb,tSMP_INT_DATA *)915 void smp_br_check_authorization_request(tSMP_CB* p_cb,
916 tSMP_INT_DATA* /* p_data */) {
917 log::verbose("rcvs i_keys=0x{:x} r_keys=0x{:x} (i-initiator r-responder)",
918 p_cb->local_i_key, p_cb->local_r_key);
919
920 /* In LE SC mode LK field is ignored when BR/EDR transport is used */
921 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
922 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
923
924 /* In LE SC mode only IRK, IAI, CSRK are exchanged with the peer.
925 ** Set local_r_key on central to expect only these keys. */
926 if (p_cb->role == HCI_ROLE_CENTRAL) {
927 p_cb->local_r_key &= (SMP_SEC_KEY_TYPE_ID | SMP_SEC_KEY_TYPE_CSRK);
928 }
929
930 /* Check if H7 function needs to be used for key derivation*/
931 if ((p_cb->loc_auth_req & SMP_H7_SUPPORT_BIT) &&
932 (p_cb->peer_auth_req & SMP_H7_SUPPORT_BIT)) {
933 p_cb->key_derivation_h7_used = TRUE;
934 }
935 log::verbose(
936 "use h7={}, i_keys=0x{:x} r_keys=0x{:x} (i-initiator r-responder)",
937 p_cb->key_derivation_h7_used, p_cb->local_i_key, p_cb->local_r_key);
938
939 if (/*((p_cb->peer_auth_req & SMP_AUTH_BOND) ||
940 (p_cb->loc_auth_req & SMP_AUTH_BOND)) &&*/
941 (p_cb->local_i_key || p_cb->local_r_key)) {
942 smp_br_state_machine_event(p_cb, SMP_BR_BOND_REQ_EVT, NULL);
943
944 /* if no peer key is expected, start central key distribution */
945 if (p_cb->role == HCI_ROLE_CENTRAL && p_cb->local_r_key == 0)
946 smp_key_distribution_by_transport(p_cb, NULL);
947 } else {
948 tSMP_INT_DATA smp_int_data;
949 smp_int_data.status = SMP_SUCCESS;
950 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
951 }
952 }
953
954 /*******************************************************************************
955 * Function smp_br_select_next_key
956 * Description selects the next key to derive/send when BR/EDR transport is
957 * used.
958 ******************************************************************************/
smp_br_select_next_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)959 void smp_br_select_next_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
960 log::verbose("role={} (0-central) r_keys=0x{:x} i_keys=0x{:x}", p_cb->role,
961 p_cb->local_r_key, p_cb->local_i_key);
962
963 if (p_cb->role == HCI_ROLE_PERIPHERAL ||
964 (!p_cb->local_r_key && p_cb->role == HCI_ROLE_CENTRAL)) {
965 smp_key_pick_key(p_cb, p_data);
966 }
967
968 if (!p_cb->local_i_key && !p_cb->local_r_key) {
969 /* state check to prevent re-entrance */
970 if (smp_get_br_state() == SMP_BR_STATE_BOND_PENDING) {
971 if (p_cb->total_tx_unacked == 0) {
972 tSMP_INT_DATA smp_int_data;
973 smp_int_data.status = SMP_SUCCESS;
974 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
975 } else {
976 p_cb->wait_for_authorization_complete = true;
977 }
978 }
979 }
980 }
981
982 /** process encryption information from peer device */
smp_proc_enc_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)983 void smp_proc_enc_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
984 uint8_t* p = p_data->p_data;
985
986 log::verbose("addr:{}", p_cb->pairing_bda);
987
988 if (smp_command_has_invalid_parameters(p_cb)) {
989 tSMP_INT_DATA smp_int_data;
990 smp_int_data.status = SMP_INVALID_PARAMETERS;
991 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
992 return;
993 }
994
995 STREAM_TO_ARRAY(p_cb->ltk.data(), p, OCTET16_LEN);
996
997 smp_key_distribution(p_cb, NULL);
998 }
999
1000 /** process central ID from peripheral device */
smp_proc_central_id(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1001 void smp_proc_central_id(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1002 uint8_t* p = p_data->p_data;
1003
1004 log::verbose("addr:{}", p_cb->pairing_bda);
1005
1006 if (p_cb->rcvd_cmd_len < 11) { // 1(Code) + 2(EDIV) + 8(Rand)
1007 log::error("Invalid command length:{}, should be at least 11",
1008 p_cb->rcvd_cmd_len);
1009 return;
1010 }
1011
1012 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, true);
1013
1014 tBTM_LE_KEY_VALUE le_key = {
1015 .penc_key = {},
1016 };
1017 STREAM_TO_UINT16(le_key.penc_key.ediv, p);
1018 STREAM_TO_ARRAY(le_key.penc_key.rand, p, BT_OCTET8_LEN);
1019
1020 /* store the encryption keys from peer device */
1021 le_key.penc_key.ltk = p_cb->ltk;
1022 le_key.penc_key.sec_level = p_cb->sec_level;
1023 le_key.penc_key.key_size = p_cb->loc_enc_size;
1024
1025 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
1026 (p_cb->loc_auth_req & SMP_AUTH_BOND))
1027 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC, &le_key, true);
1028
1029 smp_key_distribution(p_cb, NULL);
1030 }
1031
1032 /** process identity information from peer device */
smp_proc_id_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1033 void smp_proc_id_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1034 uint8_t* p = p_data->p_data;
1035
1036 log::verbose("addr:{}", p_cb->pairing_bda);
1037
1038 if (smp_command_has_invalid_parameters(p_cb)) {
1039 tSMP_INT_DATA smp_int_data;
1040 smp_int_data.status = SMP_INVALID_PARAMETERS;
1041 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1042 return;
1043 }
1044
1045 STREAM_TO_ARRAY(p_cb->tk.data(), p, OCTET16_LEN); /* reuse TK for IRK */
1046 smp_key_distribution_by_transport(p_cb, NULL);
1047 }
1048
1049 /** process identity address from peer device */
smp_proc_id_addr(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1050 void smp_proc_id_addr(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1051 const uint8_t* p = p_data->p_data;
1052
1053 log::verbose("addr:{}", p_cb->pairing_bda);
1054
1055 if (smp_command_has_invalid_parameters(p_cb)) {
1056 tSMP_INT_DATA smp_int_data;
1057 smp_int_data.status = SMP_INVALID_PARAMETERS;
1058 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1059 return;
1060 }
1061
1062 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ID, true);
1063
1064 tBTM_LE_KEY_VALUE pid_key = {
1065 .pid_key = {},
1066 };
1067
1068 STREAM_TO_UINT8(pid_key.pid_key.identity_addr_type, p);
1069 STREAM_TO_BDADDR(pid_key.pid_key.identity_addr, p);
1070 pid_key.pid_key.irk = p_cb->tk;
1071
1072 /* to use as BD_ADDR for lk derived from ltk */
1073 p_cb->id_addr_rcvd = true;
1074 p_cb->id_addr_type = pid_key.pid_key.identity_addr_type;
1075 p_cb->id_addr = pid_key.pid_key.identity_addr;
1076
1077 /* store the ID key from peer device */
1078 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
1079 (p_cb->loc_auth_req & SMP_AUTH_BOND)) {
1080 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PID, &pid_key, true);
1081 p_cb->cb_evt = SMP_LE_ADDR_ASSOC_EVT;
1082 smp_send_app_cback(p_cb, NULL);
1083 }
1084 smp_key_distribution_by_transport(p_cb, NULL);
1085 }
1086
1087 /* process security information from peer device */
smp_proc_srk_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1088 void smp_proc_srk_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1089 log::verbose("addr:{}", p_cb->pairing_bda);
1090
1091 if (smp_command_has_invalid_parameters(p_cb)) {
1092 tSMP_INT_DATA smp_int_data;
1093 smp_int_data.status = SMP_INVALID_PARAMETERS;
1094 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1095 return;
1096 }
1097
1098 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_CSRK, true);
1099
1100 /* save CSRK to security record */
1101 tBTM_LE_KEY_VALUE le_key = {
1102 .pcsrk_key =
1103 {
1104 .sec_level = p_cb->sec_level,
1105 },
1106 };
1107
1108 /* get peer CSRK */
1109 maybe_non_aligned_memcpy(le_key.pcsrk_key.csrk.data(), p_data->p_data,
1110 OCTET16_LEN);
1111
1112 /* initialize the peer counter */
1113 le_key.pcsrk_key.counter = 0;
1114
1115 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
1116 (p_cb->loc_auth_req & SMP_AUTH_BOND))
1117 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PCSRK, &le_key, true);
1118 smp_key_distribution_by_transport(p_cb, NULL);
1119 }
1120
1121 /*******************************************************************************
1122 * Function smp_proc_compare
1123 * Description process compare value
1124 ******************************************************************************/
smp_proc_compare(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1125 void smp_proc_compare(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1126 log::verbose("addr:{}", p_cb->pairing_bda);
1127 if (!memcmp(p_cb->rconfirm.data(), p_data->key.p_data, OCTET16_LEN)) {
1128 /* compare the max encryption key size, and save the smaller one for the
1129 * link */
1130 if (p_cb->peer_enc_size < p_cb->loc_enc_size)
1131 p_cb->loc_enc_size = p_cb->peer_enc_size;
1132
1133 if (p_cb->role == HCI_ROLE_PERIPHERAL)
1134 smp_sm_event(p_cb, SMP_RAND_EVT, NULL);
1135 else {
1136 /* central device always use received i/r key as keys to distribute */
1137 p_cb->local_i_key = p_cb->peer_i_key;
1138 p_cb->local_r_key = p_cb->peer_r_key;
1139
1140 smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL);
1141 }
1142
1143 } else {
1144 tSMP_INT_DATA smp_int_data;
1145 smp_int_data.status = SMP_CONFIRM_VALUE_ERR;
1146 p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1147 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1148 }
1149 }
1150
1151 /*******************************************************************************
1152 * Function smp_proc_sl_key
1153 * Description process key ready events.
1154 ******************************************************************************/
smp_proc_sl_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1155 void smp_proc_sl_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1156 uint8_t key_type = p_data->key.key_type;
1157
1158 log::verbose("addr:{}", p_cb->pairing_bda);
1159 if (key_type == SMP_KEY_TYPE_TK) {
1160 smp_generate_srand_mrand_confirm(p_cb, NULL);
1161 } else if (key_type == SMP_KEY_TYPE_CFM) {
1162 smp_set_state(SMP_STATE_WAIT_CONFIRM);
1163
1164 if (p_cb->flags & SMP_PAIR_FLAGS_CMD_CONFIRM_RCVD)
1165 smp_sm_event(p_cb, SMP_CONFIRM_EVT, NULL);
1166 }
1167 }
1168
1169 /*******************************************************************************
1170 * Function smp_start_enc
1171 * Description start encryption
1172 ******************************************************************************/
smp_start_enc(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1173 void smp_start_enc(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1174 tBTM_STATUS cmd;
1175
1176 log::verbose("addr:{}", p_cb->pairing_bda);
1177 if (p_data != NULL) {
1178 cmd = btm_ble_start_encrypt(p_cb->pairing_bda, true,
1179 (Octet16*)p_data->key.p_data);
1180 } else {
1181 cmd = btm_ble_start_encrypt(p_cb->pairing_bda, false, NULL);
1182 }
1183
1184 if (cmd != BTM_CMD_STARTED && cmd != BTM_BUSY) {
1185 tSMP_INT_DATA smp_int_data;
1186 smp_int_data.status = SMP_ENC_FAIL;
1187 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1188 }
1189 }
1190
1191 /*******************************************************************************
1192 * Function smp_proc_discard
1193 * Description processing for discard security request
1194 ******************************************************************************/
smp_proc_discard(tSMP_CB * p_cb,tSMP_INT_DATA *)1195 void smp_proc_discard(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
1196 log::verbose("addr:{}", p_cb->pairing_bda);
1197 if (!(p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD))
1198 smp_reset_control_value(p_cb);
1199 }
1200
1201 /*******************************************************************************
1202 * Function smp_enc_cmpl
1203 * Description encryption success
1204 ******************************************************************************/
smp_enc_cmpl(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1205 void smp_enc_cmpl(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1206 uint8_t enc_enable = p_data->status;
1207
1208 log::verbose("addr:{}", p_cb->pairing_bda);
1209 tSMP_INT_DATA smp_int_data;
1210 smp_int_data.status = enc_enable ? SMP_SUCCESS : SMP_ENC_FAIL;
1211 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1212 }
1213
1214 /*******************************************************************************
1215 * Function smp_sirk_verify
1216 * Description verify if device belongs to csis group.
1217 ******************************************************************************/
smp_sirk_verify(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1218 void smp_sirk_verify(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1219 tBTM_STATUS callback_rc;
1220 log::debug("addr:{}", p_cb->pairing_bda);
1221
1222 if (p_data->status != SMP_SUCCESS) {
1223 log::debug(
1224 "Cancel device verification due to invalid status({}) while bonding.",
1225 p_data->status);
1226
1227 tSMP_INT_DATA smp_int_data;
1228 smp_int_data.status = SMP_SIRK_DEVICE_INVALID;
1229
1230 BTM_LogHistory(
1231 kBtmLogTag, p_cb->pairing_bda, "SIRK verification",
1232 base::StringPrintf("Verification failed, smp_status:%s",
1233 smp_status_text(smp_int_data.status).c_str()));
1234
1235 smp_sm_event(p_cb, SMP_SIRK_DEVICE_VALID_EVT, &smp_int_data);
1236
1237 return;
1238 }
1239
1240 if (p_cb->p_callback) {
1241 p_cb->cb_evt = SMP_SIRK_VERIFICATION_REQ_EVT;
1242 callback_rc = (*p_cb->p_callback)(p_cb->cb_evt, p_cb->pairing_bda, nullptr);
1243
1244 /* There is no member validator callback - device is by default valid */
1245 if (callback_rc == BTM_SUCCESS_NO_SECURITY) {
1246 BTM_LogHistory(kBtmLogTag, p_cb->pairing_bda, "SIRK verification",
1247 base::StringPrintf("Device validated due to no security"));
1248
1249 tSMP_INT_DATA smp_int_data;
1250 smp_int_data.status = SMP_SUCCESS;
1251 smp_sm_event(p_cb, SMP_SIRK_DEVICE_VALID_EVT, &smp_int_data);
1252 }
1253 } else {
1254 log::error("There are no registrated callbacks for SMP");
1255 }
1256 }
1257
1258 /*******************************************************************************
1259 * Function smp_check_auth_req
1260 * Description check authentication request
1261 ******************************************************************************/
smp_check_auth_req(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1262 void smp_check_auth_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1263 uint8_t enc_enable = p_data->status;
1264
1265 log::verbose(
1266 "rcvs enc_enable={} i_keys=0x{:x} r_keys=0x{:x} (i-initiator "
1267 "r-responder)",
1268 enc_enable, p_cb->local_i_key, p_cb->local_r_key);
1269 if (enc_enable == 1) {
1270 if (p_cb->sc_mode_required_by_peer) {
1271 /* In LE SC mode LTK is used instead of STK and has to be always saved */
1272 p_cb->local_i_key |= SMP_SEC_KEY_TYPE_ENC;
1273 p_cb->local_r_key |= SMP_SEC_KEY_TYPE_ENC;
1274
1275 /* In LE SC mode LK is derived from LTK only if both sides request it */
1276 if (!(p_cb->local_i_key & SMP_SEC_KEY_TYPE_LK) ||
1277 !(p_cb->local_r_key & SMP_SEC_KEY_TYPE_LK)) {
1278 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
1279 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
1280 }
1281
1282 /* In LE SC mode only IRK, IAI, CSRK are exchanged with the peer.
1283 ** Set local_r_key on central to expect only these keys.
1284 */
1285 if (p_cb->role == HCI_ROLE_CENTRAL) {
1286 p_cb->local_r_key &= (SMP_SEC_KEY_TYPE_ID | SMP_SEC_KEY_TYPE_CSRK);
1287 }
1288 } else {
1289 /* in legacy mode derivation of BR/EDR LK is not supported */
1290 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
1291 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
1292 }
1293 log::verbose(
1294 "rcvs upgrades:i_keys=0x{:x} r_keys=0x{:x} (i-initiator r-responder)",
1295 p_cb->local_i_key, p_cb->local_r_key);
1296
1297 if (/*((p_cb->peer_auth_req & SMP_AUTH_BOND) ||
1298 (p_cb->loc_auth_req & SMP_AUTH_BOND)) &&*/
1299 (p_cb->local_i_key || p_cb->local_r_key)) {
1300 smp_sm_event(p_cb, SMP_BOND_REQ_EVT, NULL);
1301 } else {
1302 tSMP_INT_DATA smp_int_data;
1303 smp_int_data.status = enc_enable ? SMP_SUCCESS : SMP_ENC_FAIL;
1304 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1305 }
1306 } else if (enc_enable == 0) {
1307 tSMP_INT_DATA smp_int_data;
1308 smp_int_data.status = enc_enable ? SMP_SUCCESS : SMP_ENC_FAIL;
1309 /* if failed for encryption after pairing, send callback */
1310 if (p_cb->flags & SMP_PAIR_FLAG_ENC_AFTER_PAIR)
1311 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1312 /* if enc failed for old security information */
1313 /* if central device, clean up and abck to idle; peripheral device do
1314 * nothing */
1315 else if (p_cb->role == HCI_ROLE_CENTRAL) {
1316 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1317 }
1318 }
1319 }
1320
1321 /*******************************************************************************
1322 * Function smp_key_pick_key
1323 * Description Pick a key distribution function based on the key mask.
1324 ******************************************************************************/
smp_key_pick_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1325 void smp_key_pick_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1326 uint8_t key_to_dist = (p_cb->role == HCI_ROLE_PERIPHERAL) ? p_cb->local_r_key
1327 : p_cb->local_i_key;
1328 uint8_t i = 0;
1329
1330 log::verbose("key_to_dist=0x{:x}", key_to_dist);
1331 while (i < SMP_KEY_DIST_TYPE_MAX) {
1332 log::verbose("key to send=0x{:02x}, i={}", key_to_dist, i);
1333
1334 if (key_to_dist & (1 << i)) {
1335 log::verbose("smp_distribute_act[{}]", i);
1336 (*smp_distribute_act[i])(p_cb, p_data);
1337 break;
1338 }
1339 i++;
1340 }
1341 }
1342 /*******************************************************************************
1343 * Function smp_key_distribution
1344 * Description start key distribution if required.
1345 ******************************************************************************/
smp_key_distribution(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1346 void smp_key_distribution(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1347 log::verbose("role={} (0-central) r_keys=0x{:x} i_keys=0x{:x}", p_cb->role,
1348 p_cb->local_r_key, p_cb->local_i_key);
1349
1350 if (p_cb->role == HCI_ROLE_PERIPHERAL ||
1351 (!p_cb->local_r_key && p_cb->role == HCI_ROLE_CENTRAL)) {
1352 smp_key_pick_key(p_cb, p_data);
1353 }
1354
1355 if (!p_cb->local_i_key && !p_cb->local_r_key) {
1356 /* state check to prevent re-entrant */
1357 if (smp_get_state() == SMP_STATE_BOND_PENDING) {
1358 if (p_cb->derive_lk) {
1359 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
1360 if (!(p_dev_rec->sec_rec.sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED) &&
1361 (p_dev_rec->sec_rec.sec_flags & BTM_SEC_LINK_KEY_AUTHED)) {
1362 log::verbose(
1363 "BR key is higher security than existing LE keys, don't derive "
1364 "LK from LTK");
1365 } else {
1366 smp_derive_link_key_from_long_term_key(p_cb, NULL);
1367 }
1368 p_cb->derive_lk = false;
1369 }
1370
1371 if (p_cb->total_tx_unacked == 0) {
1372 /*
1373 * Instead of declaring authorization complete immediately,
1374 * delay the event from being sent by SMP_DELAYED_AUTH_TIMEOUT_MS.
1375 * This allows the peripheral to send over Pairing Failed if the
1376 * last key is rejected. During this waiting window, the
1377 * state should remain in SMP_STATE_BOND_PENDING.
1378 */
1379 if (!alarm_is_scheduled(p_cb->delayed_auth_timer_ent)) {
1380 log::verbose("delaying auth complete");
1381 alarm_set_on_mloop(p_cb->delayed_auth_timer_ent,
1382 SMP_DELAYED_AUTH_TIMEOUT_MS,
1383 smp_delayed_auth_complete_timeout, NULL);
1384 }
1385 } else {
1386 p_cb->wait_for_authorization_complete = true;
1387 }
1388 }
1389 }
1390 }
1391
1392 /*******************************************************************************
1393 * Function smp_decide_association_model
1394 * Description This function is called to select assoc model to be used for
1395 * STK generation and to start STK generation process.
1396 *
1397 ******************************************************************************/
smp_decide_association_model(tSMP_CB * p_cb,tSMP_INT_DATA *)1398 void smp_decide_association_model(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
1399 tSMP_EVENT int_evt = SMP_NOP_EVT;
1400 tSMP_INT_DATA smp_int_data;
1401
1402 log::verbose("Association Model={}", p_cb->selected_association_model);
1403
1404 switch (p_cb->selected_association_model) {
1405 case SMP_MODEL_ENCRYPTION_ONLY: /* TK = 0, go calculate Confirm */
1406 if (p_cb->role == HCI_ROLE_CENTRAL &&
1407 ((p_cb->peer_auth_req & SMP_AUTH_YN_BIT) != 0) &&
1408 ((p_cb->loc_auth_req & SMP_AUTH_YN_BIT) == 0)) {
1409 log::error("IO capability does not meet authentication requirement");
1410 smp_int_data.status = SMP_PAIR_AUTH_FAIL;
1411 int_evt = SMP_AUTH_CMPL_EVT;
1412 } else {
1413 if (!GetInterfaceToProfiles()->config->isAndroidTVDevice() &&
1414 (p_cb->local_io_capability == SMP_IO_CAP_IO ||
1415 p_cb->local_io_capability == SMP_IO_CAP_KBDISP)) {
1416 /* display consent dialog if this device has a display */
1417 log::verbose("ENCRYPTION_ONLY showing Consent Dialog");
1418 p_cb->cb_evt = SMP_CONSENT_REQ_EVT;
1419 smp_set_state(SMP_STATE_WAIT_NONCE);
1420 smp_sm_event(p_cb, SMP_SC_DSPL_NC_EVT, NULL);
1421 } else {
1422 p_cb->sec_level = SMP_SEC_UNAUTHENTICATE;
1423 log::verbose("p_cb->sec_level={} (SMP_SEC_UNAUTHENTICATE)",
1424 p_cb->sec_level);
1425
1426 tSMP_KEY key;
1427 key.key_type = SMP_KEY_TYPE_TK;
1428 key.p_data = p_cb->tk.data();
1429 smp_int_data.key = key;
1430
1431 p_cb->tk = {0};
1432 /* TK, ready */
1433 int_evt = SMP_KEY_READY_EVT;
1434 }
1435 }
1436 break;
1437
1438 case SMP_MODEL_PASSKEY:
1439 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1440 log::verbose("p_cb->sec_level={}(SMP_SEC_AUTHENTICATED)",
1441 p_cb->sec_level);
1442
1443 p_cb->cb_evt = SMP_PASSKEY_REQ_EVT;
1444 int_evt = SMP_TK_REQ_EVT;
1445 break;
1446
1447 case SMP_MODEL_OOB:
1448 log::error("Association Model=SMP_MODEL_OOB");
1449 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1450 log::verbose("p_cb->sec_level={}(SMP_SEC_AUTHENTICATED)",
1451 p_cb->sec_level);
1452
1453 p_cb->cb_evt = SMP_OOB_REQ_EVT;
1454 int_evt = SMP_TK_REQ_EVT;
1455 break;
1456
1457 case SMP_MODEL_KEY_NOTIF:
1458 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1459 log::verbose("Need to generate Passkey");
1460
1461 /* generate passkey and notify application */
1462 smp_generate_passkey(p_cb, NULL);
1463 break;
1464
1465 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1466 case SMP_MODEL_SEC_CONN_NUM_COMP:
1467 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1468 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1469 case SMP_MODEL_SEC_CONN_OOB:
1470 int_evt = SMP_PUBL_KEY_EXCH_REQ_EVT;
1471 break;
1472
1473 case SMP_MODEL_OUT_OF_RANGE:
1474 log::error("Association Model=SMP_MODEL_OUT_OF_RANGE (failed)");
1475 smp_int_data.status = SMP_UNKNOWN_IO_CAP;
1476 int_evt = SMP_AUTH_CMPL_EVT;
1477 break;
1478
1479 default:
1480 log::error("Association Model={} (SOMETHING IS WRONG WITH THE CODE)",
1481 p_cb->selected_association_model);
1482 smp_int_data.status = SMP_UNKNOWN_IO_CAP;
1483 int_evt = SMP_AUTH_CMPL_EVT;
1484 }
1485
1486 log::verbose("sec_level={}", p_cb->sec_level);
1487 if (int_evt) smp_sm_event(p_cb, int_evt, &smp_int_data);
1488 }
1489
1490 /*******************************************************************************
1491 * Function smp_process_io_response
1492 * Description process IO response for a peripheral device.
1493 ******************************************************************************/
smp_process_io_response(tSMP_CB * p_cb,tSMP_INT_DATA *)1494 void smp_process_io_response(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
1495 log::verbose("addr:{}", p_cb->pairing_bda);
1496 if (p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD) {
1497 /* pairing started by local (peripheral) Security Request */
1498 smp_set_state(SMP_STATE_SEC_REQ_PENDING);
1499 smp_send_cmd(SMP_OPCODE_SEC_REQ, p_cb);
1500 } else /* plan to send pairing respond */
1501 {
1502 /* pairing started by peer (central) Pairing Request */
1503 p_cb->selected_association_model = smp_select_association_model(p_cb);
1504
1505 if (p_cb->sc_only_mode_locally_required &&
1506 (!(p_cb->sc_mode_required_by_peer) ||
1507 (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS))) {
1508 log::error(
1509 "Peripheral requires secure connection only mode but it can't be "
1510 "provided -> Peripheral fails pairing");
1511 tSMP_INT_DATA smp_int_data;
1512 smp_int_data.status = SMP_PAIR_AUTH_FAIL;
1513 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1514 return;
1515 }
1516
1517 // If we are doing SMP_MODEL_SEC_CONN_OOB we don't need to request OOB data
1518 // locally if loc_oob_flag == 0x00 b/c there is no OOB data to give. In the
1519 // event the loc_oob_flag is present value, we should request the OOB data
1520 // locally; otherwise fail.
1521 // If we are the initiator the OOB data has already been stored and will be
1522 // collected in the statemachine later.
1523 //
1524 // loc_oob_flag could be one of the following tSMP_OOB_FLAG enum values:
1525 // SMP_OOB_NONE = 0
1526 // SMP_OOB_PRESENT = 1
1527 // SMP_OOB_UNKNOWN = 2
1528 //
1529 // The only time Android cares about needing to provide the peer oob data
1530 // here would be in the advertiser situation or role. If the
1531 // device is doing the connecting it will not need to get the data again as
1532 // it was already provided in the initiation call.
1533 //
1534 // loc_oob_flag should only equal SMP_OOB_PRESENT when PEER DATA exists and
1535 // device is the advertiser as opposed to being the connector.
1536 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) {
1537 switch (p_cb->loc_oob_flag) {
1538 case SMP_OOB_NONE:
1539 log::info("SMP_MODEL_SEC_CONN_OOB with SMP_OOB_NONE");
1540 smp_send_pair_rsp(p_cb, NULL);
1541 break;
1542 case SMP_OOB_PRESENT:
1543 log::info("SMP_MODEL_SEC_CONN_OOB with SMP_OOB_PRESENT");
1544 if (smp_request_oob_data(p_cb)) return;
1545 break;
1546 case SMP_OOB_UNKNOWN:
1547 log::warn("SMP_MODEL_SEC_CONN_OOB with SMP_OOB_UNKNOWN");
1548 tSMP_INT_DATA smp_int_data;
1549 smp_int_data.status = SMP_PAIR_AUTH_FAIL;
1550 smp_send_pair_fail(p_cb, &smp_int_data);
1551 return;
1552 }
1553 }
1554
1555 // PTS Testing failure modes
1556 if (pts_test_send_authentication_complete_failure(p_cb)) return;
1557
1558 smp_send_pair_rsp(p_cb, NULL);
1559 }
1560 }
1561
1562 /*******************************************************************************
1563 * Function smp_br_process_peripheral_keys_response
1564 * Description process application keys response for a peripheral device
1565 * (BR/EDR transport).
1566 ******************************************************************************/
smp_br_process_peripheral_keys_response(tSMP_CB * p_cb,tSMP_INT_DATA *)1567 void smp_br_process_peripheral_keys_response(tSMP_CB* p_cb,
1568 tSMP_INT_DATA* /* p_data */) {
1569 smp_br_send_pair_response(p_cb, NULL);
1570 }
1571
1572 /*******************************************************************************
1573 * Function smp_br_send_pair_response
1574 * Description actions related to sending pairing response over BR/EDR
1575 * transport.
1576 ******************************************************************************/
smp_br_send_pair_response(tSMP_CB * p_cb,tSMP_INT_DATA *)1577 void smp_br_send_pair_response(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
1578 log::verbose("addr:{}", p_cb->pairing_bda);
1579
1580 p_cb->local_i_key &= p_cb->peer_i_key;
1581 p_cb->local_r_key &= p_cb->peer_r_key;
1582
1583 smp_send_cmd(SMP_OPCODE_PAIRING_RSP, p_cb);
1584 }
1585
1586 /*******************************************************************************
1587 * Function smp_pairing_cmpl
1588 * Description This function is called to send the pairing complete
1589 * callback and remove the connection if needed.
1590 ******************************************************************************/
smp_pairing_cmpl(tSMP_CB * p_cb,tSMP_INT_DATA *)1591 void smp_pairing_cmpl(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
1592 if (p_cb->total_tx_unacked == 0) {
1593 /* process the pairing complete */
1594 smp_proc_pairing_cmpl(p_cb);
1595 }
1596 }
1597
1598 /*******************************************************************************
1599 * Function smp_pair_terminate
1600 * Description This function is called to send the pairing complete
1601 * callback and remove the connection if needed.
1602 ******************************************************************************/
smp_pair_terminate(tSMP_CB * p_cb,tSMP_INT_DATA *)1603 void smp_pair_terminate(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
1604 log::verbose("addr:{}", p_cb->pairing_bda);
1605 p_cb->status = SMP_CONN_TOUT;
1606 smp_proc_pairing_cmpl(p_cb);
1607 }
1608
1609 /*******************************************************************************
1610 * Function smp_idle_terminate
1611 * Description This function calledin idle state to determine to send
1612 * authentication complete or not.
1613 ******************************************************************************/
smp_idle_terminate(tSMP_CB * p_cb,tSMP_INT_DATA *)1614 void smp_idle_terminate(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
1615 if (p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD) {
1616 log::verbose("Pairing terminated at IDLE state.");
1617 p_cb->status = SMP_FAIL;
1618 smp_proc_pairing_cmpl(p_cb);
1619 }
1620 }
1621
1622 /*******************************************************************************
1623 * Function smp_both_have_public_keys
1624 * Description The function is called when both local and peer public keys are
1625 * saved.
1626 * Actions:
1627 * - invokes DHKey computation;
1628 * - on peripheral side invokes sending local public key to the
1629 *peer.
1630 * - invokes SC phase 1 process.
1631 ******************************************************************************/
smp_both_have_public_keys(tSMP_CB * p_cb,tSMP_INT_DATA *)1632 void smp_both_have_public_keys(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
1633 log::verbose("addr:{}", p_cb->pairing_bda);
1634
1635 /* invokes DHKey computation */
1636 smp_compute_dhkey(p_cb);
1637
1638 /* on peripheral side invokes sending local public key to the peer */
1639 if (p_cb->role == HCI_ROLE_PERIPHERAL) smp_send_pair_public_key(p_cb, NULL);
1640
1641 smp_sm_event(p_cb, SMP_SC_DHKEY_CMPLT_EVT, NULL);
1642 }
1643
1644 /*******************************************************************************
1645 * Function smp_start_secure_connection_phase1
1646 * Description Start Secure Connection phase1 i.e. invokes initialization of
1647 * Secure Connection phase 1 parameters and starts building/sending
1648 * to the peer messages appropriate for the role and association
1649 * model.
1650 ******************************************************************************/
smp_start_secure_connection_phase1(tSMP_CB * p_cb,tSMP_INT_DATA *)1651 void smp_start_secure_connection_phase1(tSMP_CB* p_cb,
1652 tSMP_INT_DATA* /* p_data */) {
1653 log::verbose("addr:{}", p_cb->pairing_bda);
1654
1655 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS) {
1656 p_cb->sec_level = SMP_SEC_UNAUTHENTICATE;
1657 log::verbose("p_cb->sec_level={} (SMP_SEC_UNAUTHENTICATE)",
1658 p_cb->sec_level);
1659 } else {
1660 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1661 log::verbose("p_cb->sec_level={} (SMP_SEC_AUTHENTICATED)", p_cb->sec_level);
1662 }
1663
1664 switch (p_cb->selected_association_model) {
1665 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1666 case SMP_MODEL_SEC_CONN_NUM_COMP:
1667 p_cb->local_random = {0};
1668 smp_start_nonce_generation(p_cb);
1669 break;
1670 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1671 /* user has to provide passkey */
1672 p_cb->cb_evt = SMP_PASSKEY_REQ_EVT;
1673 smp_sm_event(p_cb, SMP_TK_REQ_EVT, NULL);
1674 break;
1675 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1676 /* passkey has to be provided to user */
1677 log::verbose("Need to generate SC Passkey");
1678 smp_generate_passkey(p_cb, NULL);
1679 break;
1680 case SMP_MODEL_SEC_CONN_OOB:
1681 /* use the available OOB information */
1682 smp_process_secure_connection_oob_data(p_cb, NULL);
1683 break;
1684 default:
1685 log::error("Association Model={} is not used in LE SC",
1686 p_cb->selected_association_model);
1687 break;
1688 }
1689 }
1690
1691 /*******************************************************************************
1692 * Function smp_process_local_nonce
1693 * Description The function processes new local nonce.
1694 *
1695 * Note It is supposed to be called in SC phase1.
1696 ******************************************************************************/
smp_process_local_nonce(tSMP_CB * p_cb,tSMP_INT_DATA *)1697 void smp_process_local_nonce(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
1698 log::verbose("addr:{}", p_cb->pairing_bda);
1699
1700 switch (p_cb->selected_association_model) {
1701 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1702 case SMP_MODEL_SEC_CONN_NUM_COMP:
1703 if (p_cb->role == HCI_ROLE_PERIPHERAL) {
1704 /* peripheral calculates and sends local commitment */
1705 smp_calculate_local_commitment(p_cb);
1706 smp_send_commitment(p_cb, NULL);
1707 /* peripheral has to wait for peer nonce */
1708 smp_set_state(SMP_STATE_WAIT_NONCE);
1709 } else /* i.e. central */
1710 {
1711 if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_COMM) {
1712 /* peripheral commitment is already received, send local nonce, wait
1713 * for remote nonce*/
1714 log::verbose(
1715 "central in assoc mode={} already rcvd peripheral commitment - "
1716 "race condition",
1717 p_cb->selected_association_model);
1718 p_cb->flags &= ~SMP_PAIR_FLAG_HAVE_PEER_COMM;
1719 smp_send_rand(p_cb, NULL);
1720 smp_set_state(SMP_STATE_WAIT_NONCE);
1721 }
1722 }
1723 break;
1724 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1725 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1726 smp_calculate_local_commitment(p_cb);
1727
1728 if (p_cb->role == HCI_ROLE_CENTRAL) {
1729 smp_send_commitment(p_cb, NULL);
1730 } else /* peripheral */
1731 {
1732 if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_COMM) {
1733 /* central commitment is already received */
1734 smp_send_commitment(p_cb, NULL);
1735 smp_set_state(SMP_STATE_WAIT_NONCE);
1736 }
1737 }
1738 break;
1739 case SMP_MODEL_SEC_CONN_OOB:
1740 if (p_cb->role == HCI_ROLE_CENTRAL) {
1741 smp_send_rand(p_cb, NULL);
1742 }
1743
1744 smp_set_state(SMP_STATE_WAIT_NONCE);
1745 break;
1746 default:
1747 log::error("Association Model={} is not used in LE SC",
1748 p_cb->selected_association_model);
1749 break;
1750 }
1751 }
1752
1753 /*******************************************************************************
1754 * Function smp_process_peer_nonce
1755 * Description The function processes newly received and saved in CB peer
1756 * nonce. The actions depend on the selected association model and
1757 * the role.
1758 *
1759 * Note It is supposed to be called in SC phase1.
1760 ******************************************************************************/
smp_process_peer_nonce(tSMP_CB * p_cb,tSMP_INT_DATA *)1761 void smp_process_peer_nonce(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
1762 log::verbose("addr:{}, selected_association_model:{}", p_cb->pairing_bda,
1763 p_cb->selected_association_model);
1764
1765 // PTS Testing failure modes
1766 if (p_cb->cert_failure == SMP_CONFIRM_VALUE_ERR) {
1767 log::error("failure case={}", p_cb->cert_failure);
1768 tSMP_INT_DATA smp_int_data;
1769 smp_int_data.status = SMP_CONFIRM_VALUE_ERR;
1770 p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1771 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1772 return;
1773 }
1774 // PTS Testing failure modes (for LT)
1775 if ((p_cb->cert_failure == SMP_NUMERIC_COMPAR_FAIL) &&
1776 (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS) &&
1777 (p_cb->role == HCI_ROLE_PERIPHERAL)) {
1778 log::error("failure case={}", p_cb->cert_failure);
1779 tSMP_INT_DATA smp_int_data;
1780 smp_int_data.status = SMP_NUMERIC_COMPAR_FAIL;
1781 p_cb->failure = SMP_NUMERIC_COMPAR_FAIL;
1782 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1783 return;
1784 }
1785
1786 switch (p_cb->selected_association_model) {
1787 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1788 case SMP_MODEL_SEC_CONN_NUM_COMP:
1789 /* in these models only central receives commitment */
1790 if (p_cb->role == HCI_ROLE_CENTRAL) {
1791 if (!smp_check_commitment(p_cb)) {
1792 tSMP_INT_DATA smp_int_data;
1793 smp_int_data.status = SMP_CONFIRM_VALUE_ERR;
1794 p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1795 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1796 break;
1797 }
1798 } else {
1799 /* peripheral sends local nonce */
1800 smp_send_rand(p_cb, NULL);
1801 }
1802
1803 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS) {
1804 if (!GetInterfaceToProfiles()->config->isAndroidTVDevice() &&
1805 (p_cb->local_io_capability == SMP_IO_CAP_IO ||
1806 p_cb->local_io_capability == SMP_IO_CAP_KBDISP)) {
1807 /* display consent dialog */
1808 log::verbose("JUST WORKS showing Consent Dialog");
1809 p_cb->cb_evt = SMP_CONSENT_REQ_EVT;
1810 smp_set_state(SMP_STATE_WAIT_NONCE);
1811 smp_sm_event(p_cb, SMP_SC_DSPL_NC_EVT, NULL);
1812 } else {
1813 /* go directly to phase 2 */
1814 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1815 }
1816 } else /* numeric comparison */
1817 {
1818 smp_set_state(SMP_STATE_WAIT_NONCE);
1819 smp_sm_event(p_cb, SMP_SC_CALC_NC_EVT, NULL);
1820 }
1821 break;
1822 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1823 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1824 if (!smp_check_commitment(p_cb) &&
1825 p_cb->cert_failure != SMP_NUMERIC_COMPAR_FAIL) {
1826 tSMP_INT_DATA smp_int_data;
1827 smp_int_data.status = SMP_CONFIRM_VALUE_ERR;
1828 p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1829 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1830 break;
1831 }
1832
1833 if (p_cb->role == HCI_ROLE_PERIPHERAL) {
1834 smp_send_rand(p_cb, NULL);
1835 }
1836
1837 if (++p_cb->round < 20) {
1838 smp_set_state(SMP_STATE_SEC_CONN_PHS1_START);
1839 p_cb->flags &= ~SMP_PAIR_FLAG_HAVE_PEER_COMM;
1840 smp_start_nonce_generation(p_cb);
1841 break;
1842 }
1843
1844 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1845 break;
1846 case SMP_MODEL_SEC_CONN_OOB:
1847 if (p_cb->role == HCI_ROLE_PERIPHERAL) {
1848 smp_send_rand(p_cb, NULL);
1849 }
1850
1851 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1852 break;
1853 default:
1854 log::error("Association Model={} is not used in LE SC",
1855 p_cb->selected_association_model);
1856 break;
1857 }
1858 }
1859
1860 /*******************************************************************************
1861 * Function smp_match_dhkey_checks
1862 * Description checks if the calculated peer DHKey Check value is the same as
1863 * received from the peer DHKey check value.
1864 ******************************************************************************/
smp_match_dhkey_checks(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1865 void smp_match_dhkey_checks(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1866 log::verbose("addr:{}", p_cb->pairing_bda);
1867
1868 if (memcmp(p_data->key.p_data, p_cb->remote_dhkey_check.data(),
1869 OCTET16_LEN)) {
1870 log::warn("dhkey chcks do no match");
1871 tSMP_INT_DATA smp_int_data;
1872 smp_int_data.status = SMP_DHKEY_CHK_FAIL;
1873 p_cb->failure = SMP_DHKEY_CHK_FAIL;
1874 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1875 return;
1876 }
1877
1878 /* compare the max encryption key size, and save the smaller one for the link
1879 */
1880 if (p_cb->peer_enc_size < p_cb->loc_enc_size)
1881 p_cb->loc_enc_size = p_cb->peer_enc_size;
1882
1883 if (p_cb->role == HCI_ROLE_PERIPHERAL) {
1884 smp_sm_event(p_cb, SMP_PAIR_DHKEY_CHCK_EVT, NULL);
1885 } else {
1886 /* central device always use received i/r key as keys to distribute */
1887 p_cb->local_i_key = p_cb->peer_i_key;
1888 p_cb->local_r_key = p_cb->peer_r_key;
1889 smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL);
1890 }
1891 }
1892
1893 /*******************************************************************************
1894 * Function smp_move_to_secure_connections_phase2
1895 * Description Signal State Machine to start SC phase 2 initialization (to
1896 * compute local DHKey Check value).
1897 *
1898 * Note SM is supposed to be in the state SMP_STATE_SEC_CONN_PHS2_START.
1899 ******************************************************************************/
smp_move_to_secure_connections_phase2(tSMP_CB * p_cb,tSMP_INT_DATA *)1900 void smp_move_to_secure_connections_phase2(tSMP_CB* p_cb,
1901 tSMP_INT_DATA* /* p_data */) {
1902 log::verbose("addr:{}", p_cb->pairing_bda);
1903 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1904 }
1905
1906 /*******************************************************************************
1907 * Function smp_phase_2_dhkey_checks_are_present
1908 * Description generates event if dhkey check from the peer is already
1909 * received.
1910 *
1911 * Note It is supposed to be used on peripheral to prevent race
1912 *condition. It is supposed to be called after peripheral dhkey check is
1913 * calculated.
1914 ******************************************************************************/
smp_phase_2_dhkey_checks_are_present(tSMP_CB * p_cb,tSMP_INT_DATA *)1915 void smp_phase_2_dhkey_checks_are_present(tSMP_CB* p_cb,
1916 tSMP_INT_DATA* /* p_data */) {
1917 log::verbose("addr:{}", p_cb->pairing_bda);
1918
1919 if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_DHK_CHK)
1920 smp_sm_event(p_cb, SMP_SC_2_DHCK_CHKS_PRES_EVT, NULL);
1921 }
1922
1923 /*******************************************************************************
1924 * Function smp_wait_for_both_public_keys
1925 * Description generates SMP_BOTH_PUBL_KEYS_RCVD_EVT event when both local and
1926 * central public keys are available.
1927 *
1928 * Note on the peripheral it is used to prevent race condition.
1929 *
1930 ******************************************************************************/
smp_wait_for_both_public_keys(tSMP_CB * p_cb,tSMP_INT_DATA *)1931 void smp_wait_for_both_public_keys(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
1932 log::verbose("addr:{}", p_cb->pairing_bda);
1933
1934 if ((p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_PUBL_KEY) &&
1935 (p_cb->flags & SMP_PAIR_FLAG_HAVE_LOCAL_PUBL_KEY)) {
1936 if ((p_cb->role == HCI_ROLE_PERIPHERAL) &&
1937 ((p_cb->req_oob_type == SMP_OOB_LOCAL) ||
1938 (p_cb->req_oob_type == SMP_OOB_BOTH))) {
1939 smp_set_state(SMP_STATE_PUBLIC_KEY_EXCH);
1940 }
1941 smp_sm_event(p_cb, SMP_BOTH_PUBL_KEYS_RCVD_EVT, NULL);
1942 }
1943 }
1944
1945 /*******************************************************************************
1946 * Function smp_start_passkey_verification
1947 * Description Starts SC passkey entry verification.
1948 ******************************************************************************/
smp_start_passkey_verification(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1949 void smp_start_passkey_verification(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1950 uint8_t* p = NULL;
1951
1952 log::verbose("addr:{}", p_cb->pairing_bda);
1953 p = p_cb->local_random.data();
1954 UINT32_TO_STREAM(p, p_data->passkey);
1955
1956 p = p_cb->peer_random.data();
1957 UINT32_TO_STREAM(p, p_data->passkey);
1958
1959 p_cb->round = 0;
1960 smp_start_nonce_generation(p_cb);
1961 }
1962
1963 /*******************************************************************************
1964 * Function smp_process_secure_connection_oob_data
1965 * Description Processes local/peer SC OOB data received from somewhere.
1966 ******************************************************************************/
smp_process_secure_connection_oob_data(tSMP_CB * p_cb,tSMP_INT_DATA *)1967 void smp_process_secure_connection_oob_data(tSMP_CB* p_cb,
1968 tSMP_INT_DATA* /* p_data */) {
1969 log::verbose("addr:{}", p_cb->pairing_bda);
1970
1971 tSMP_SC_OOB_DATA* p_sc_oob_data = &p_cb->sc_oob_data;
1972 if (p_sc_oob_data->loc_oob_data.present) {
1973 p_cb->local_random = p_sc_oob_data->loc_oob_data.randomizer;
1974 } else {
1975 log::verbose("local OOB randomizer is absent");
1976 p_cb->local_random = {0};
1977 }
1978
1979 if (!p_sc_oob_data->peer_oob_data.present) {
1980 log::verbose("peer OOB data is absent");
1981 p_cb->peer_random = {0};
1982 } else {
1983 p_cb->peer_random = p_sc_oob_data->peer_oob_data.randomizer;
1984 p_cb->remote_commitment = p_sc_oob_data->peer_oob_data.commitment;
1985
1986 /* check commitment */
1987 if (!smp_check_commitment(p_cb)) {
1988 tSMP_INT_DATA smp_int_data;
1989 smp_int_data.status = SMP_CONFIRM_VALUE_ERR;
1990 p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1991 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
1992 return;
1993 }
1994
1995 if (p_cb->peer_oob_flag != SMP_OOB_PRESENT) {
1996 /* the peer doesn't have local randomiser */
1997 log::verbose(
1998 "peer didn't receive local OOB data, set local randomizer to 0");
1999 p_cb->local_random = {0};
2000 }
2001 }
2002
2003 print128(p_cb->local_random, "local OOB randomizer");
2004 print128(p_cb->peer_random, "peer OOB randomizer");
2005 smp_start_nonce_generation(p_cb);
2006 }
2007
2008 /*******************************************************************************
2009 * Function smp_set_local_oob_keys
2010 * Description Saves calculated private/public keys in
2011 * sc_oob_data.loc_oob_data, starts nonce generation
2012 * (to be saved in sc_oob_data.loc_oob_data.randomizer).
2013 ******************************************************************************/
smp_set_local_oob_keys(tSMP_CB * p_cb,tSMP_INT_DATA *)2014 void smp_set_local_oob_keys(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
2015 log::verbose("addr:{}", p_cb->pairing_bda);
2016
2017 memcpy(p_cb->sc_oob_data.loc_oob_data.private_key_used, p_cb->private_key,
2018 BT_OCTET32_LEN);
2019 p_cb->sc_oob_data.loc_oob_data.publ_key_used = p_cb->loc_publ_key;
2020 smp_start_nonce_generation(p_cb);
2021 }
2022
2023 /*******************************************************************************
2024 * Function smp_set_local_oob_random_commitment
2025 * Description Saves calculated randomizer and commitment in
2026 * sc_oob_data.loc_oob_data, passes sc_oob_data.loc_oob_data up
2027 * for safekeeping.
2028 ******************************************************************************/
smp_set_local_oob_random_commitment(tSMP_CB * p_cb,tSMP_INT_DATA *)2029 void smp_set_local_oob_random_commitment(tSMP_CB* p_cb,
2030 tSMP_INT_DATA* /* p_data */) {
2031 log::verbose("{}", p_cb->pairing_bda);
2032 p_cb->sc_oob_data.loc_oob_data.randomizer = p_cb->rand;
2033
2034 p_cb->sc_oob_data.loc_oob_data.commitment =
2035 crypto_toolbox::f4(p_cb->sc_oob_data.loc_oob_data.publ_key_used.x,
2036 p_cb->sc_oob_data.loc_oob_data.publ_key_used.x,
2037 p_cb->sc_oob_data.loc_oob_data.randomizer, 0);
2038
2039 p_cb->sc_oob_data.loc_oob_data.present = true;
2040
2041 /* pass created OOB data up */
2042 p_cb->cb_evt = SMP_SC_LOC_OOB_DATA_UP_EVT;
2043 smp_send_app_cback(p_cb, NULL);
2044
2045 // Store the data for later use when we are paired with
2046 // Event though the doc above says to pass up for safe keeping it never gets
2047 // kept safe. Additionally, when we need the data to make a decision we
2048 // wouldn't have it. This will save the sc_oob_data in the smp_keys.cc such
2049 // that when we receive a request to create new keys we check to see if the
2050 // sc_oob_data exists and utilize the keys that are stored there otherwise the
2051 // connector will fail commitment check and dhkey exchange.
2052 smp_save_local_oob_data(p_cb);
2053
2054 p_cb->reset();
2055 }
2056
2057 /*******************************************************************************
2058 *
2059 * Function smp_link_encrypted
2060 *
2061 * Description This function is called when link is encrypted and notified
2062 * to the peripheral device. Proceed to to send LTK, DIV and ER
2063 *to central if bonding the devices.
2064 *
2065 *
2066 * Returns void
2067 *
2068 ******************************************************************************/
smp_link_encrypted(const RawAddress & bda,uint8_t encr_enable)2069 void smp_link_encrypted(const RawAddress& bda, uint8_t encr_enable) {
2070 tSMP_CB* p_cb = &smp_cb;
2071
2072 if (smp_cb.pairing_bda == bda) {
2073 log::debug("SMP encryption enable:{} device:{}", encr_enable, bda);
2074
2075 /* encryption completed with STK, remember the key size now, could be
2076 * overwritten when key exchange happens */
2077 if (p_cb->loc_enc_size != 0 && encr_enable) {
2078 /* update the link encryption key size if a SMP pairing just performed */
2079 btm_ble_update_sec_key_size(bda, p_cb->loc_enc_size);
2080 }
2081
2082 tSMP_INT_DATA smp_int_data = {
2083 // TODO This is not a tSMP_STATUS
2084 .status = static_cast<tSMP_STATUS>(encr_enable),
2085 };
2086
2087 smp_sm_event(&smp_cb, SMP_ENCRYPTED_EVT, &smp_int_data);
2088 } else {
2089 log::warn(
2090 "SMP state machine busy so skipping encryption enable:{} device:{}",
2091 encr_enable, bda);
2092 }
2093 }
2094
smp_cancel_start_encryption_attempt()2095 void smp_cancel_start_encryption_attempt() {
2096 log::error("Encryption request cancelled");
2097 smp_sm_event(&smp_cb, SMP_DISCARD_SEC_REQ_EVT, NULL);
2098 }
2099
2100 /*******************************************************************************
2101 *
2102 * Function smp_proc_ltk_request
2103 *
2104 * Description This function is called when LTK request is received from
2105 * controller.
2106 *
2107 * Returns void
2108 *
2109 ******************************************************************************/
smp_proc_ltk_request(const RawAddress & bda)2110 bool smp_proc_ltk_request(const RawAddress& bda) {
2111 log::verbose("addr:{},state={}", bda, smp_cb.state);
2112 bool match = false;
2113
2114 if (bda == smp_cb.pairing_bda) {
2115 match = true;
2116 } else {
2117 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda);
2118 if (p_dev_rec != NULL && p_dev_rec->ble.pseudo_addr == smp_cb.pairing_bda &&
2119 p_dev_rec->ble.pseudo_addr != RawAddress::kEmpty) {
2120 match = true;
2121 }
2122 }
2123
2124 if (match && smp_cb.state == SMP_STATE_ENCRYPTION_PENDING) {
2125 smp_sm_event(&smp_cb, SMP_ENC_REQ_EVT, NULL);
2126 return true;
2127 }
2128
2129 return false;
2130 }
2131
2132 /*******************************************************************************
2133 *
2134 * Function smp_process_secure_connection_long_term_key
2135 *
2136 * Description This function is called to process SC LTK.
2137 * SC LTK is calculated and used instead of STK.
2138 * Here SC LTK is saved in BLE DB.
2139 *
2140 * Returns void
2141 *
2142 ******************************************************************************/
smp_process_secure_connection_long_term_key(void)2143 void smp_process_secure_connection_long_term_key(void) {
2144 tSMP_CB* p_cb = &smp_cb;
2145
2146 log::verbose("addr:{}", p_cb->pairing_bda);
2147 smp_save_secure_connections_long_term_key(p_cb);
2148
2149 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, false);
2150 smp_key_distribution(p_cb, NULL);
2151 }
2152
2153 /*******************************************************************************
2154 *
2155 * Function smp_set_derive_link_key
2156 *
2157 * Description This function is called to set flag that indicates that
2158 * BR/EDR LK has to be derived from LTK after all keys are
2159 * distributed.
2160 *
2161 * Returns void
2162 *
2163 ******************************************************************************/
smp_set_derive_link_key(tSMP_CB * p_cb,tSMP_INT_DATA *)2164 void smp_set_derive_link_key(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
2165 log::verbose("addr:{}", p_cb->pairing_bda);
2166 p_cb->derive_lk = true;
2167 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_LK, false);
2168 smp_key_distribution(p_cb, NULL);
2169 }
2170
2171 /*******************************************************************************
2172 *
2173 * Function smp_derive_link_key_from_long_term_key
2174 *
2175 * Description This function is called to derive BR/EDR LK from LTK.
2176 *
2177 * Returns void
2178 *
2179 ******************************************************************************/
smp_derive_link_key_from_long_term_key(tSMP_CB * p_cb,tSMP_INT_DATA *)2180 void smp_derive_link_key_from_long_term_key(tSMP_CB* p_cb,
2181 tSMP_INT_DATA* /* p_data */) {
2182 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN;
2183
2184 log::verbose("addr:{}", p_cb->pairing_bda);
2185 if (!smp_calculate_link_key_from_long_term_key(p_cb)) {
2186 log::error("calc link key failed");
2187 tSMP_INT_DATA smp_int_data;
2188 smp_int_data.status = status;
2189 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
2190 return;
2191 }
2192 }
2193
2194 /*******************************************************************************
2195 *
2196 * Function smp_br_process_link_key
2197 *
2198 * Description This function is called to process BR/EDR LK:
2199 * - to derive SMP LTK from BR/EDR LK;
2200 * - to save SMP LTK.
2201 *
2202 * Returns void
2203 *
2204 ******************************************************************************/
smp_br_process_link_key(tSMP_CB * p_cb,tSMP_INT_DATA *)2205 void smp_br_process_link_key(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
2206 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN;
2207
2208 log::verbose("addr:{}", p_cb->pairing_bda);
2209 if (!smp_calculate_long_term_key_from_link_key(p_cb)) {
2210 log::error("calc LTK failed");
2211 tSMP_INT_DATA smp_int_data;
2212 smp_int_data.status = status;
2213 smp_sm_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
2214 return;
2215 }
2216
2217 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
2218 if (p_dev_rec) {
2219 log::verbose("dev_type={}", p_dev_rec->device_type);
2220 p_dev_rec->device_type |= BT_DEVICE_TYPE_BLE;
2221 } else {
2222 log::error("failed to find Security Record");
2223 }
2224
2225 log::verbose("LTK derivation from LK successfully completed");
2226 smp_save_secure_connections_long_term_key(p_cb);
2227 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, false);
2228 smp_br_select_next_key(p_cb, NULL);
2229 }
2230
2231 /*******************************************************************************
2232 * Function smp_key_distribution_by_transport
2233 * Description depending on the transport used at the moment calls either
2234 * smp_key_distribution(...) or smp_br_key_distribution(...).
2235 ******************************************************************************/
smp_key_distribution_by_transport(tSMP_CB * p_cb,tSMP_INT_DATA *)2236 static void smp_key_distribution_by_transport(tSMP_CB* p_cb,
2237 tSMP_INT_DATA* /* p_data */) {
2238 log::verbose("addr:{}", p_cb->pairing_bda);
2239 if (p_cb->smp_over_br) {
2240 smp_br_select_next_key(p_cb, NULL);
2241 } else {
2242 smp_key_distribution(p_cb, NULL);
2243 }
2244 }
2245
2246 /*******************************************************************************
2247 * Function smp_br_pairing_complete
2248 * Description This function is called to send the pairing complete
2249 * callback and remove the connection if needed.
2250 ******************************************************************************/
smp_br_pairing_complete(tSMP_CB * p_cb,tSMP_INT_DATA *)2251 void smp_br_pairing_complete(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
2252 log::verbose("addr:{}", p_cb->pairing_bda);
2253
2254 if (p_cb->total_tx_unacked == 0) {
2255 /* process the pairing complete */
2256 smp_proc_pairing_cmpl(p_cb);
2257 }
2258 }
2259