1 /******************************************************************************
2  *
3  *  Copyright (C) 2003-2012 Broadcom Corporation
4  *
5  *  Licensed under the Apache License, Version 2.0 (the "License");
6  *  you may not use this file except in compliance with the License.
7  *  You may obtain a copy of the License at:
8  *
9  *  http://www.apache.org/licenses/LICENSE-2.0
10  *
11  *  Unless required by applicable law or agreed to in writing, software
12  *  distributed under the License is distributed on an "AS IS" BASIS,
13  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  *  See the License for the specific language governing permissions and
15  *  limitations under the License.
16  *
17  ******************************************************************************/
18 
19 #include <string.h>
20 #include "btif_common.h"
21 #include "device/include/interop.h"
22 #include "include/bt_target.h"
23 #include "stack/btm/btm_int.h"
24 #include "stack/include/l2c_api.h"
25 #include "stack/smp/smp_int.h"
26 #include "utils/include/bt_utils.h"
27 
28 extern fixed_queue_t* btu_general_alarm_queue;
29 
30 #define SMP_KEY_DIST_TYPE_MAX 4
31 const tSMP_ACT smp_distribute_act[] = {smp_generate_ltk, smp_send_id_info,
32                                        smp_generate_csrk,
33                                        smp_set_derive_link_key};
34 
lmp_version_below(BD_ADDR bda,uint8_t version)35 static bool lmp_version_below(BD_ADDR bda, uint8_t version) {
36   tACL_CONN* acl = btm_bda_to_acl(bda, BT_TRANSPORT_LE);
37   if (acl == NULL || acl->lmp_version == 0) {
38     SMP_TRACE_WARNING("%s cannot retrieve LMP version...", __func__);
39     return false;
40   }
41   SMP_TRACE_WARNING("%s LMP version %d < %d", __func__, acl->lmp_version,
42                     version);
43   return acl->lmp_version < version;
44 }
45 
pts_test_send_authentication_complete_failure(tSMP_CB * p_cb)46 static bool pts_test_send_authentication_complete_failure(tSMP_CB* p_cb) {
47   uint8_t reason = 0;
48 
49   if (p_cb->cert_failure < 2 || p_cb->cert_failure > 6) return false;
50 
51   SMP_TRACE_ERROR("%s failure case = %d", __func__, p_cb->cert_failure);
52 
53   switch (p_cb->cert_failure) {
54     case 2:
55       reason = SMP_PAIR_AUTH_FAIL;
56       smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
57       break;
58     case 3:
59       reason = SMP_PAIR_FAIL_UNKNOWN;
60       smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
61       break;
62     case 4:
63       reason = SMP_PAIR_NOT_SUPPORT;
64       smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
65       break;
66     case 5:
67       reason = SMP_PASSKEY_ENTRY_FAIL;
68       smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
69       break;
70     case 6:
71       reason = SMP_REPEATED_ATTEMPTS;
72       smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
73       break;
74   }
75 
76   return true;
77   ;
78 }
79 
80 /*******************************************************************************
81  * Function         smp_update_key_mask
82  * Description      This function updates the key mask for sending or receiving.
83  ******************************************************************************/
smp_update_key_mask(tSMP_CB * p_cb,uint8_t key_type,bool recv)84 static void smp_update_key_mask(tSMP_CB* p_cb, uint8_t key_type, bool recv) {
85   SMP_TRACE_DEBUG(
86       "%s before update role=%d recv=%d local_i_key = %02x, local_r_key = %02x",
87       __func__, p_cb->role, recv, p_cb->local_i_key, p_cb->local_r_key);
88 
89   if (((p_cb->le_secure_connections_mode_is_used) || (p_cb->smp_over_br)) &&
90       ((key_type == SMP_SEC_KEY_TYPE_ENC) ||
91        (key_type == SMP_SEC_KEY_TYPE_LK))) {
92     /* in LE SC mode LTK, CSRK and BR/EDR LK are derived locally instead of
93     ** being exchanged with the peer */
94     p_cb->local_i_key &= ~key_type;
95     p_cb->local_r_key &= ~key_type;
96   } else if (p_cb->role == HCI_ROLE_SLAVE) {
97     if (recv)
98       p_cb->local_i_key &= ~key_type;
99     else
100       p_cb->local_r_key &= ~key_type;
101   } else {
102     if (recv)
103       p_cb->local_r_key &= ~key_type;
104     else
105       p_cb->local_i_key &= ~key_type;
106   }
107 
108   SMP_TRACE_DEBUG("updated local_i_key = %02x, local_r_key = %02x",
109                   p_cb->local_i_key, p_cb->local_r_key);
110 }
111 
112 /*******************************************************************************
113  * Function     smp_send_app_cback
114  * Description  notifies application about the events the application is
115  *              interested in
116  ******************************************************************************/
smp_send_app_cback(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)117 void smp_send_app_cback(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
118   tSMP_EVT_DATA cb_data;
119   tSMP_STATUS callback_rc;
120   SMP_TRACE_DEBUG("%s p_cb->cb_evt=%d", __func__, p_cb->cb_evt);
121   if (p_cb->p_callback && p_cb->cb_evt != 0) {
122     switch (p_cb->cb_evt) {
123       case SMP_IO_CAP_REQ_EVT:
124         cb_data.io_req.auth_req = p_cb->peer_auth_req;
125         cb_data.io_req.oob_data = SMP_OOB_NONE;
126         cb_data.io_req.io_cap = SMP_DEFAULT_IO_CAPS;
127         cb_data.io_req.max_key_size = SMP_MAX_ENC_KEY_SIZE;
128         cb_data.io_req.init_keys = p_cb->local_i_key;
129         cb_data.io_req.resp_keys = p_cb->local_r_key;
130         SMP_TRACE_WARNING("io_cap = %d", cb_data.io_req.io_cap);
131         break;
132 
133       case SMP_NC_REQ_EVT:
134         cb_data.passkey = p_data->passkey;
135         break;
136       case SMP_SC_OOB_REQ_EVT:
137         cb_data.req_oob_type = p_data->req_oob_type;
138         break;
139       case SMP_SC_LOC_OOB_DATA_UP_EVT:
140         cb_data.loc_oob_data = p_cb->sc_oob_data.loc_oob_data;
141         break;
142 
143       case SMP_BR_KEYS_REQ_EVT:
144         cb_data.io_req.auth_req = 0;
145         cb_data.io_req.oob_data = SMP_OOB_NONE;
146         cb_data.io_req.io_cap = 0;
147         cb_data.io_req.max_key_size = SMP_MAX_ENC_KEY_SIZE;
148         cb_data.io_req.init_keys = SMP_BR_SEC_DEFAULT_KEY;
149         cb_data.io_req.resp_keys = SMP_BR_SEC_DEFAULT_KEY;
150         break;
151 
152       default:
153         break;
154     }
155 
156     callback_rc =
157         (*p_cb->p_callback)(p_cb->cb_evt, p_cb->pairing_bda, &cb_data);
158 
159     SMP_TRACE_DEBUG("%s: callback_rc=%d  p_cb->cb_evt=%d", __func__,
160                     callback_rc, p_cb->cb_evt);
161 
162     if (callback_rc == SMP_SUCCESS) {
163       switch (p_cb->cb_evt) {
164         case SMP_IO_CAP_REQ_EVT:
165           p_cb->loc_auth_req = cb_data.io_req.auth_req;
166           p_cb->local_io_capability = cb_data.io_req.io_cap;
167           p_cb->loc_oob_flag = cb_data.io_req.oob_data;
168           p_cb->loc_enc_size = cb_data.io_req.max_key_size;
169           p_cb->local_i_key = cb_data.io_req.init_keys;
170           p_cb->local_r_key = cb_data.io_req.resp_keys;
171 
172           if (!(p_cb->loc_auth_req & SMP_AUTH_BOND)) {
173             SMP_TRACE_WARNING("Non bonding: No keys will be exchanged");
174             p_cb->local_i_key = 0;
175             p_cb->local_r_key = 0;
176           }
177 
178           SMP_TRACE_WARNING(
179               "rcvd auth_req: 0x%02x, io_cap: %d \
180                         loc_oob_flag: %d loc_enc_size: %d,"
181               "local_i_key: 0x%02x, local_r_key: 0x%02x",
182               p_cb->loc_auth_req, p_cb->local_io_capability, p_cb->loc_oob_flag,
183               p_cb->loc_enc_size, p_cb->local_i_key, p_cb->local_r_key);
184 
185           p_cb->secure_connections_only_mode_required =
186               (btm_cb.security_mode == BTM_SEC_MODE_SC) ? true : false;
187 
188           if (p_cb->secure_connections_only_mode_required) {
189             p_cb->loc_auth_req |= SMP_SC_SUPPORT_BIT;
190           }
191 
192           if (!(p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) ||
193               lmp_version_below(p_cb->pairing_bda, HCI_PROTO_VERSION_4_2) ||
194               interop_match_addr(INTEROP_DISABLE_LE_SECURE_CONNECTIONS,
195                                  (const bt_bdaddr_t*)&p_cb->pairing_bda)) {
196             p_cb->loc_auth_req &= ~SMP_KP_SUPPORT_BIT;
197             p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
198             p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
199           }
200 
201           SMP_TRACE_WARNING(
202               "set auth_req: 0x%02x, local_i_key: 0x%02x, local_r_key: 0x%02x",
203               p_cb->loc_auth_req, p_cb->local_i_key, p_cb->local_r_key);
204 
205           smp_sm_event(p_cb, SMP_IO_RSP_EVT, NULL);
206           break;
207 
208         case SMP_BR_KEYS_REQ_EVT:
209           p_cb->loc_enc_size = cb_data.io_req.max_key_size;
210           p_cb->local_i_key = cb_data.io_req.init_keys;
211           p_cb->local_r_key = cb_data.io_req.resp_keys;
212           p_cb->loc_auth_req |= SMP_H7_SUPPORT_BIT;
213 
214           p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
215           p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
216 
217           SMP_TRACE_WARNING(
218               "for SMP over BR max_key_size: 0x%02x,\
219                         local_i_key: 0x%02x, local_r_key: 0x%02x, p_cb->loc_auth_req: 0x%02x",
220               p_cb->loc_enc_size, p_cb->local_i_key, p_cb->local_r_key,
221               p_cb->loc_auth_req);
222 
223           smp_br_state_machine_event(p_cb, SMP_BR_KEYS_RSP_EVT, NULL);
224           break;
225       }
226     }
227   }
228 
229   if (!p_cb->cb_evt && p_cb->discard_sec_req) {
230     p_cb->discard_sec_req = false;
231     smp_sm_event(p_cb, SMP_DISCARD_SEC_REQ_EVT, NULL);
232   }
233 
234   SMP_TRACE_DEBUG("%s return", __func__);
235 }
236 
237 /*******************************************************************************
238  * Function     smp_send_pair_fail
239  * Description  pairing failure to peer device if needed.
240  ******************************************************************************/
smp_send_pair_fail(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)241 void smp_send_pair_fail(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
242   p_cb->status = *(uint8_t*)p_data;
243   p_cb->failure = *(uint8_t*)p_data;
244 
245   SMP_TRACE_DEBUG("%s status=%d failure=%d ", __func__, p_cb->status,
246                   p_cb->failure);
247 
248   if (p_cb->status <= SMP_MAX_FAIL_RSN_PER_SPEC &&
249       p_cb->status != SMP_SUCCESS) {
250     smp_send_cmd(SMP_OPCODE_PAIRING_FAILED, p_cb);
251     p_cb->wait_for_authorization_complete = true;
252   }
253 }
254 
255 /*******************************************************************************
256  * Function     smp_send_pair_req
257  * Description  actions related to sending pairing request
258  ******************************************************************************/
smp_send_pair_req(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)259 void smp_send_pair_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
260   tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
261   SMP_TRACE_DEBUG("%s", __func__);
262 
263   /* erase all keys when master sends pairing req*/
264   if (p_dev_rec) btm_sec_clear_ble_keys(p_dev_rec);
265   /* do not manipulate the key, let app decide,
266      leave out to BTM to mandate key distribution for bonding case */
267   smp_send_cmd(SMP_OPCODE_PAIRING_REQ, p_cb);
268 }
269 
270 /*******************************************************************************
271  * Function     smp_send_pair_rsp
272  * Description  actions related to sending pairing response
273  ******************************************************************************/
smp_send_pair_rsp(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)274 void smp_send_pair_rsp(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
275   SMP_TRACE_DEBUG("%s", __func__);
276 
277   p_cb->local_i_key &= p_cb->peer_i_key;
278   p_cb->local_r_key &= p_cb->peer_r_key;
279 
280   if (smp_send_cmd(SMP_OPCODE_PAIRING_RSP, p_cb)) {
281     if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB)
282       smp_use_oob_private_key(p_cb, NULL);
283     else
284       smp_decide_association_model(p_cb, NULL);
285   }
286 }
287 
288 /*******************************************************************************
289  * Function     smp_send_confirm
290  * Description  send confirmation to the peer
291  ******************************************************************************/
smp_send_confirm(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)292 void smp_send_confirm(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
293   SMP_TRACE_DEBUG("%s", __func__);
294   smp_send_cmd(SMP_OPCODE_CONFIRM, p_cb);
295 }
296 
297 /*******************************************************************************
298  * Function     smp_send_init
299  * Description  process pairing initializer to slave device
300  ******************************************************************************/
smp_send_init(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)301 void smp_send_init(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
302   SMP_TRACE_DEBUG("%s", __func__);
303   smp_send_cmd(SMP_OPCODE_INIT, p_cb);
304 }
305 
306 /*******************************************************************************
307  * Function     smp_send_rand
308  * Description  send pairing random to the peer
309  ******************************************************************************/
smp_send_rand(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)310 void smp_send_rand(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
311   SMP_TRACE_DEBUG("%s", __func__);
312   smp_send_cmd(SMP_OPCODE_RAND, p_cb);
313 }
314 
315 /*******************************************************************************
316  * Function     smp_send_pair_public_key
317  * Description  send pairing public key command to the peer
318  ******************************************************************************/
smp_send_pair_public_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)319 void smp_send_pair_public_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
320   SMP_TRACE_DEBUG("%s", __func__);
321   smp_send_cmd(SMP_OPCODE_PAIR_PUBLIC_KEY, p_cb);
322 }
323 
324 /*******************************************************************************
325  * Function     SMP_SEND_COMMITMENT
326  * Description send commitment command to the peer
327  ******************************************************************************/
smp_send_commitment(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)328 void smp_send_commitment(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
329   SMP_TRACE_DEBUG("%s", __func__);
330   smp_send_cmd(SMP_OPCODE_PAIR_COMMITM, p_cb);
331 }
332 
333 /*******************************************************************************
334  * Function     smp_send_dhkey_check
335  * Description send DHKey Check command to the peer
336  ******************************************************************************/
smp_send_dhkey_check(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)337 void smp_send_dhkey_check(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
338   SMP_TRACE_DEBUG("%s", __func__);
339   smp_send_cmd(SMP_OPCODE_PAIR_DHKEY_CHECK, p_cb);
340 }
341 
342 /*******************************************************************************
343  * Function     smp_send_keypress_notification
344  * Description send Keypress Notification command to the peer
345  ******************************************************************************/
smp_send_keypress_notification(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)346 void smp_send_keypress_notification(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
347   p_cb->local_keypress_notification = *(uint8_t*)p_data;
348   smp_send_cmd(SMP_OPCODE_PAIR_KEYPR_NOTIF, p_cb);
349 }
350 
351 /*******************************************************************************
352  * Function     smp_send_enc_info
353  * Description  send encryption information command.
354  ******************************************************************************/
smp_send_enc_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)355 void smp_send_enc_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
356   tBTM_LE_LENC_KEYS le_key;
357 
358   SMP_TRACE_DEBUG("%s p_cb->loc_enc_size = %d", __func__, p_cb->loc_enc_size);
359   smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, false);
360 
361   smp_send_cmd(SMP_OPCODE_ENCRYPT_INFO, p_cb);
362   smp_send_cmd(SMP_OPCODE_MASTER_ID, p_cb);
363 
364   /* save the DIV and key size information when acting as slave device */
365   memcpy(le_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
366   le_key.div = p_cb->div;
367   le_key.key_size = p_cb->loc_enc_size;
368   le_key.sec_level = p_cb->sec_level;
369 
370   if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
371       (p_cb->loc_auth_req & SMP_AUTH_BOND))
372     btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC,
373                         (tBTM_LE_KEY_VALUE*)&le_key, true);
374 
375   SMP_TRACE_WARNING("%s", __func__);
376 
377   smp_key_distribution(p_cb, NULL);
378 }
379 
380 /*******************************************************************************
381  * Function     smp_send_id_info
382  * Description  send ID information command.
383  ******************************************************************************/
smp_send_id_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)384 void smp_send_id_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
385   tBTM_LE_KEY_VALUE le_key;
386   SMP_TRACE_DEBUG("%s", __func__);
387   smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ID, false);
388 
389   smp_send_cmd(SMP_OPCODE_IDENTITY_INFO, p_cb);
390   smp_send_cmd(SMP_OPCODE_ID_ADDR, p_cb);
391 
392   if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
393       (p_cb->loc_auth_req & SMP_AUTH_BOND))
394     btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LID, &le_key, true);
395 
396   SMP_TRACE_WARNING("%s", __func__);
397   smp_key_distribution_by_transport(p_cb, NULL);
398 }
399 
400 /*******************************************************************************
401  * Function     smp_send_csrk_info
402  * Description  send CSRK command.
403  ******************************************************************************/
smp_send_csrk_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)404 void smp_send_csrk_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
405   tBTM_LE_LCSRK_KEYS key;
406   SMP_TRACE_DEBUG("%s", __func__);
407   smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_CSRK, false);
408 
409   if (smp_send_cmd(SMP_OPCODE_SIGN_INFO, p_cb)) {
410     key.div = p_cb->div;
411     key.sec_level = p_cb->sec_level;
412     key.counter = 0; /* initialize the local counter */
413     memcpy(key.csrk, p_cb->csrk, BT_OCTET16_LEN);
414     btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LCSRK,
415                         (tBTM_LE_KEY_VALUE*)&key, true);
416   }
417 
418   smp_key_distribution_by_transport(p_cb, NULL);
419 }
420 
421 /*******************************************************************************
422  * Function     smp_send_ltk_reply
423  * Description  send LTK reply
424  ******************************************************************************/
smp_send_ltk_reply(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)425 void smp_send_ltk_reply(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
426   SMP_TRACE_DEBUG("%s", __func__);
427   /* send stk as LTK response */
428   btm_ble_ltk_request_reply(p_cb->pairing_bda, true, p_data->key.p_data);
429 }
430 
431 /*******************************************************************************
432  * Function     smp_proc_sec_req
433  * Description  process security request.
434  ******************************************************************************/
smp_proc_sec_req(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)435 void smp_proc_sec_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
436   tBTM_LE_AUTH_REQ auth_req = *(tBTM_LE_AUTH_REQ*)p_data;
437   tBTM_BLE_SEC_REQ_ACT sec_req_act;
438   uint8_t reason;
439 
440   SMP_TRACE_DEBUG("%s auth_req=0x%x", __func__, auth_req);
441 
442   p_cb->cb_evt = 0;
443 
444   btm_ble_link_sec_check(p_cb->pairing_bda, auth_req, &sec_req_act);
445 
446   SMP_TRACE_DEBUG("%s sec_req_act=0x%x", __func__, sec_req_act);
447 
448   switch (sec_req_act) {
449     case BTM_BLE_SEC_REQ_ACT_ENCRYPT:
450       SMP_TRACE_DEBUG("%s BTM_BLE_SEC_REQ_ACT_ENCRYPT", __func__);
451       smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL);
452       break;
453 
454     case BTM_BLE_SEC_REQ_ACT_PAIR:
455       p_cb->secure_connections_only_mode_required =
456           (btm_cb.security_mode == BTM_SEC_MODE_SC) ? true : false;
457 
458       /* respond to non SC pairing request as failure in SC only mode */
459       if (p_cb->secure_connections_only_mode_required &&
460           (auth_req & SMP_SC_SUPPORT_BIT) == 0) {
461         reason = SMP_PAIR_AUTH_FAIL;
462         smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
463       } else {
464         /* initialize local i/r key to be default keys */
465         p_cb->peer_auth_req = auth_req;
466         p_cb->local_r_key = p_cb->local_i_key = SMP_SEC_DEFAULT_KEY;
467         p_cb->cb_evt = SMP_SEC_REQUEST_EVT;
468       }
469       break;
470 
471     case BTM_BLE_SEC_REQ_ACT_DISCARD:
472       p_cb->discard_sec_req = true;
473       break;
474 
475     default:
476       /* do nothing */
477       break;
478   }
479 }
480 
481 /*******************************************************************************
482  * Function     smp_proc_sec_grant
483  * Description  process security grant.
484  ******************************************************************************/
smp_proc_sec_grant(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)485 void smp_proc_sec_grant(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
486   uint8_t res = *(uint8_t*)p_data;
487   SMP_TRACE_DEBUG("%s", __func__);
488   if (res != SMP_SUCCESS) {
489     smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, p_data);
490   } else /*otherwise, start pairing */
491   {
492     /* send IO request callback */
493     p_cb->cb_evt = SMP_IO_CAP_REQ_EVT;
494   }
495 }
496 
497 /*******************************************************************************
498  * Function     smp_proc_pair_fail
499  * Description  process pairing failure from peer device
500  ******************************************************************************/
smp_proc_pair_fail(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)501 void smp_proc_pair_fail(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
502   SMP_TRACE_DEBUG("%s", __func__);
503   p_cb->status = *(uint8_t*)p_data;
504 
505   /* Cancel pending auth complete timer if set */
506   alarm_cancel(p_cb->delayed_auth_timer_ent);
507 }
508 
509 /*******************************************************************************
510  * Function     smp_proc_pair_cmd
511  * Description  Process the SMP pairing request/response from peer device
512  ******************************************************************************/
smp_proc_pair_cmd(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)513 void smp_proc_pair_cmd(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
514   uint8_t* p = (uint8_t*)p_data;
515   uint8_t reason = SMP_ENC_KEY_SIZE;
516   tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
517 
518   SMP_TRACE_DEBUG("%s", __func__);
519   /* erase all keys if it is slave proc pairing req*/
520   if (p_dev_rec && (p_cb->role == HCI_ROLE_SLAVE))
521     btm_sec_clear_ble_keys(p_dev_rec);
522 
523   p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR;
524 
525   STREAM_TO_UINT8(p_cb->peer_io_caps, p);
526   STREAM_TO_UINT8(p_cb->peer_oob_flag, p);
527   STREAM_TO_UINT8(p_cb->peer_auth_req, p);
528   STREAM_TO_UINT8(p_cb->peer_enc_size, p);
529   STREAM_TO_UINT8(p_cb->peer_i_key, p);
530   STREAM_TO_UINT8(p_cb->peer_r_key, p);
531 
532   if (smp_command_has_invalid_parameters(p_cb)) {
533     reason = SMP_INVALID_PARAMETERS;
534     smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
535     return;
536   }
537 
538   // PTS Testing failure modes
539   if (pts_test_send_authentication_complete_failure(p_cb)) return;
540 
541   if (p_cb->role == HCI_ROLE_SLAVE) {
542     if (!(p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD)) {
543       /* peer (master) started pairing sending Pairing Request */
544       p_cb->local_i_key = p_cb->peer_i_key;
545       p_cb->local_r_key = p_cb->peer_r_key;
546 
547       p_cb->cb_evt = SMP_SEC_REQUEST_EVT;
548     } else /* update local i/r key according to pairing request */
549     {
550       /* pairing started with this side (slave) sending Security Request */
551       p_cb->local_i_key &= p_cb->peer_i_key;
552       p_cb->local_r_key &= p_cb->peer_r_key;
553       p_cb->selected_association_model = smp_select_association_model(p_cb);
554 
555       if (p_cb->secure_connections_only_mode_required &&
556           (!(p_cb->le_secure_connections_mode_is_used) ||
557            (p_cb->selected_association_model ==
558             SMP_MODEL_SEC_CONN_JUSTWORKS))) {
559         SMP_TRACE_ERROR(
560             "%s pairing failed - slave requires secure connection only mode",
561             __func__);
562         reason = SMP_PAIR_AUTH_FAIL;
563         smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
564         return;
565       }
566 
567       if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) {
568         if (smp_request_oob_data(p_cb)) return;
569       } else {
570         smp_send_pair_rsp(p_cb, NULL);
571       }
572     }
573   } else /* Master receives pairing response */
574   {
575     p_cb->selected_association_model = smp_select_association_model(p_cb);
576 
577     if (p_cb->secure_connections_only_mode_required &&
578         (!(p_cb->le_secure_connections_mode_is_used) ||
579          (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS))) {
580       SMP_TRACE_ERROR(
581           "Master requires secure connection only mode \
582                 but it can't be provided -> Master fails pairing");
583       reason = SMP_PAIR_AUTH_FAIL;
584       smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
585       return;
586     }
587 
588     if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) {
589       if (smp_request_oob_data(p_cb)) return;
590     } else {
591       smp_decide_association_model(p_cb, NULL);
592     }
593   }
594 }
595 
596 /*******************************************************************************
597  * Function     smp_proc_confirm
598  * Description  process pairing confirm from peer device
599  ******************************************************************************/
smp_proc_confirm(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)600 void smp_proc_confirm(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
601   uint8_t* p = (uint8_t*)p_data;
602   uint8_t reason = SMP_INVALID_PARAMETERS;
603 
604   SMP_TRACE_DEBUG("%s", __func__);
605 
606   if (smp_command_has_invalid_parameters(p_cb)) {
607     smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
608     return;
609   }
610 
611   if (p != NULL) {
612     /* save the SConfirm for comparison later */
613     STREAM_TO_ARRAY(p_cb->rconfirm, p, BT_OCTET16_LEN);
614   }
615 
616   p_cb->flags |= SMP_PAIR_FLAGS_CMD_CONFIRM;
617 }
618 
619 /*******************************************************************************
620  * Function     smp_proc_init
621  * Description  process pairing initializer from peer device
622  ******************************************************************************/
smp_proc_init(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)623 void smp_proc_init(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
624   uint8_t* p = (uint8_t*)p_data;
625   uint8_t reason = SMP_INVALID_PARAMETERS;
626 
627   SMP_TRACE_DEBUG("%s", __func__);
628 
629   if (smp_command_has_invalid_parameters(p_cb)) {
630     smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
631     return;
632   }
633 
634   /* save the SRand for comparison */
635   STREAM_TO_ARRAY(p_cb->rrand, p, BT_OCTET16_LEN);
636 }
637 
638 /*******************************************************************************
639  * Function     smp_proc_rand
640  * Description  process pairing random (nonce) from peer device
641  ******************************************************************************/
smp_proc_rand(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)642 void smp_proc_rand(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
643   uint8_t* p = (uint8_t*)p_data;
644   uint8_t reason = SMP_INVALID_PARAMETERS;
645 
646   SMP_TRACE_DEBUG("%s", __func__);
647 
648   if (smp_command_has_invalid_parameters(p_cb)) {
649     smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
650     return;
651   }
652 
653   /* save the SRand for comparison */
654   STREAM_TO_ARRAY(p_cb->rrand, p, BT_OCTET16_LEN);
655 }
656 
657 /*******************************************************************************
658  * Function     smp_process_pairing_public_key
659  * Description  process pairing public key command from the peer device
660  *              - saves the peer public key;
661  *              - sets the flag indicating that the peer public key is received;
662  *              - calls smp_wait_for_both_public_keys(...).
663  *
664  ******************************************************************************/
smp_process_pairing_public_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)665 void smp_process_pairing_public_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
666   uint8_t* p = (uint8_t*)p_data;
667   uint8_t reason = SMP_INVALID_PARAMETERS;
668 
669   SMP_TRACE_DEBUG("%s", __func__);
670 
671   if (smp_command_has_invalid_parameters(p_cb)) {
672     smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
673     return;
674   }
675 
676   STREAM_TO_ARRAY(p_cb->peer_publ_key.x, p, BT_OCTET32_LEN);
677   STREAM_TO_ARRAY(p_cb->peer_publ_key.y, p, BT_OCTET32_LEN);
678   p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_PUBL_KEY;
679 
680   smp_wait_for_both_public_keys(p_cb, NULL);
681 }
682 
683 /*******************************************************************************
684  * Function     smp_process_pairing_commitment
685  * Description  process pairing commitment from peer device
686  ******************************************************************************/
smp_process_pairing_commitment(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)687 void smp_process_pairing_commitment(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
688   uint8_t* p = (uint8_t*)p_data;
689   uint8_t reason = SMP_INVALID_PARAMETERS;
690 
691   SMP_TRACE_DEBUG("%s", __func__);
692 
693   if (smp_command_has_invalid_parameters(p_cb)) {
694     smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
695     return;
696   }
697 
698   p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_COMM;
699 
700   if (p != NULL) {
701     STREAM_TO_ARRAY(p_cb->remote_commitment, p, BT_OCTET16_LEN);
702   }
703 }
704 
705 /*******************************************************************************
706  * Function     smp_process_dhkey_check
707  * Description  process DHKey Check from peer device
708  ******************************************************************************/
smp_process_dhkey_check(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)709 void smp_process_dhkey_check(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
710   uint8_t* p = (uint8_t*)p_data;
711   uint8_t reason = SMP_INVALID_PARAMETERS;
712 
713   SMP_TRACE_DEBUG("%s", __func__);
714 
715   if (smp_command_has_invalid_parameters(p_cb)) {
716     smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
717     return;
718   }
719 
720   if (p != NULL) {
721     STREAM_TO_ARRAY(p_cb->remote_dhkey_check, p, BT_OCTET16_LEN);
722   }
723 
724   p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_DHK_CHK;
725 }
726 
727 /*******************************************************************************
728  * Function     smp_process_keypress_notification
729  * Description  process pairing keypress notification from peer device
730  ******************************************************************************/
smp_process_keypress_notification(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)731 void smp_process_keypress_notification(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
732   uint8_t* p = (uint8_t*)p_data;
733   uint8_t reason = SMP_INVALID_PARAMETERS;
734 
735   SMP_TRACE_DEBUG("%s", __func__);
736   p_cb->status = *(uint8_t*)p_data;
737 
738   if (smp_command_has_invalid_parameters(p_cb)) {
739     smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
740     return;
741   }
742 
743   if (p != NULL) {
744     STREAM_TO_UINT8(p_cb->peer_keypress_notification, p);
745   } else {
746     p_cb->peer_keypress_notification = BTM_SP_KEY_OUT_OF_RANGE;
747   }
748   p_cb->cb_evt = SMP_PEER_KEYPR_NOT_EVT;
749 }
750 
751 /*******************************************************************************
752  * Function     smp_br_process_pairing_command
753  * Description  Process the SMP pairing request/response from peer device via
754  *              BR/EDR transport.
755  ******************************************************************************/
smp_br_process_pairing_command(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)756 void smp_br_process_pairing_command(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
757   uint8_t* p = (uint8_t*)p_data;
758   uint8_t reason = SMP_ENC_KEY_SIZE;
759   tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
760 
761   SMP_TRACE_DEBUG("%s", __func__);
762   /* rejecting BR pairing request over non-SC BR link */
763   if (!p_dev_rec->new_encryption_key_is_p256 && p_cb->role == HCI_ROLE_SLAVE) {
764     reason = SMP_XTRANS_DERIVE_NOT_ALLOW;
765     smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &reason);
766     return;
767   }
768 
769   /* erase all keys if it is slave proc pairing req*/
770   if (p_dev_rec && (p_cb->role == HCI_ROLE_SLAVE))
771     btm_sec_clear_ble_keys(p_dev_rec);
772 
773   p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR;
774 
775   STREAM_TO_UINT8(p_cb->peer_io_caps, p);
776   STREAM_TO_UINT8(p_cb->peer_oob_flag, p);
777   STREAM_TO_UINT8(p_cb->peer_auth_req, p);
778   STREAM_TO_UINT8(p_cb->peer_enc_size, p);
779   STREAM_TO_UINT8(p_cb->peer_i_key, p);
780   STREAM_TO_UINT8(p_cb->peer_r_key, p);
781 
782   if (smp_command_has_invalid_parameters(p_cb)) {
783     reason = SMP_INVALID_PARAMETERS;
784     smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &reason);
785     return;
786   }
787 
788   /* peer (master) started pairing sending Pairing Request */
789   /* or being master device always use received i/r key as keys to distribute */
790   p_cb->local_i_key = p_cb->peer_i_key;
791   p_cb->local_r_key = p_cb->peer_r_key;
792 
793   if (p_cb->role == HCI_ROLE_SLAVE) {
794     p_dev_rec->new_encryption_key_is_p256 = false;
795     /* shortcut to skip Security Grant step */
796     p_cb->cb_evt = SMP_BR_KEYS_REQ_EVT;
797   } else /* Master receives pairing response */
798   {
799     SMP_TRACE_DEBUG(
800         "%s master rcvs valid PAIRING RESPONSE."
801         " Supposed to move to key distribution phase. ",
802         __func__);
803   }
804 
805   /* auth_req received via BR/EDR SM channel is set to 0,
806      but everything derived/exchanged has to be saved */
807   p_cb->peer_auth_req |= SMP_AUTH_BOND;
808   p_cb->loc_auth_req |= SMP_AUTH_BOND;
809 }
810 
811 /*******************************************************************************
812  * Function     smp_br_process_security_grant
813  * Description  process security grant in case of pairing over BR/EDR transport.
814  ******************************************************************************/
smp_br_process_security_grant(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)815 void smp_br_process_security_grant(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
816   uint8_t res = *(uint8_t*)p_data;
817   SMP_TRACE_DEBUG("%s", __func__);
818   if (res != SMP_SUCCESS) {
819     smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, p_data);
820   } else /*otherwise, start pairing */
821   {
822     /* send IO request callback */
823     p_cb->cb_evt = SMP_BR_KEYS_REQ_EVT;
824   }
825 }
826 
827 /*******************************************************************************
828  * Function     smp_br_check_authorization_request
829  * Description  sets the SMP kes to be derived/distribute over BR/EDR transport
830  *              before starting the distribution/derivation
831  ******************************************************************************/
smp_br_check_authorization_request(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)832 void smp_br_check_authorization_request(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
833   uint8_t reason = SMP_SUCCESS;
834 
835   SMP_TRACE_DEBUG(
836       "%s rcvs i_keys=0x%x r_keys=0x%x "
837       "(i-initiator r-responder)",
838       __func__, p_cb->local_i_key, p_cb->local_r_key);
839 
840   /* In LE SC mode LK field is ignored when BR/EDR transport is used */
841   p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
842   p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
843 
844   /* In LE SC mode only IRK, IAI, CSRK are exchanged with the peer.
845   ** Set local_r_key on master to expect only these keys. */
846   if (p_cb->role == HCI_ROLE_MASTER) {
847     p_cb->local_r_key &= (SMP_SEC_KEY_TYPE_ID | SMP_SEC_KEY_TYPE_CSRK);
848   }
849 
850   /* Check if H7 function needs to be used for key derivation*/
851   if ((p_cb->loc_auth_req & SMP_H7_SUPPORT_BIT) &&
852       (p_cb->peer_auth_req & SMP_H7_SUPPORT_BIT)) {
853     p_cb->key_derivation_h7_used = TRUE;
854   }
855   SMP_TRACE_DEBUG("%s: use h7 = %d", __func__, p_cb->key_derivation_h7_used);
856 
857   SMP_TRACE_DEBUG(
858       "%s rcvs upgrades: i_keys=0x%x r_keys=0x%x "
859       "(i-initiator r-responder)",
860       __func__, p_cb->local_i_key, p_cb->local_r_key);
861 
862   if (/*((p_cb->peer_auth_req & SMP_AUTH_BOND) ||
863           (p_cb->loc_auth_req & SMP_AUTH_BOND)) &&*/
864       (p_cb->local_i_key || p_cb->local_r_key)) {
865     smp_br_state_machine_event(p_cb, SMP_BR_BOND_REQ_EVT, NULL);
866 
867     /* if no peer key is expected, start master key distribution */
868     if (p_cb->role == HCI_ROLE_MASTER && p_cb->local_r_key == 0)
869       smp_key_distribution_by_transport(p_cb, NULL);
870   } else {
871     smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &reason);
872   }
873 }
874 
875 /*******************************************************************************
876  * Function     smp_br_select_next_key
877  * Description  selects the next key to derive/send when BR/EDR transport is
878  *              used.
879  ******************************************************************************/
smp_br_select_next_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)880 void smp_br_select_next_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
881   uint8_t reason = SMP_SUCCESS;
882   SMP_TRACE_DEBUG("%s role=%d (0-master) r_keys=0x%x i_keys=0x%x", __func__,
883                   p_cb->role, p_cb->local_r_key, p_cb->local_i_key);
884 
885   if (p_cb->role == HCI_ROLE_SLAVE ||
886       (!p_cb->local_r_key && p_cb->role == HCI_ROLE_MASTER)) {
887     smp_key_pick_key(p_cb, p_data);
888   }
889 
890   if (!p_cb->local_i_key && !p_cb->local_r_key) {
891     /* state check to prevent re-entrance */
892     if (smp_get_br_state() == SMP_BR_STATE_BOND_PENDING) {
893       if (p_cb->total_tx_unacked == 0)
894         smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &reason);
895       else
896         p_cb->wait_for_authorization_complete = true;
897     }
898   }
899 }
900 
901 /*******************************************************************************
902  * Function     smp_proc_enc_info
903  * Description  process encryption information from peer device
904  ******************************************************************************/
smp_proc_enc_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)905 void smp_proc_enc_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
906   uint8_t* p = (uint8_t*)p_data;
907 
908   SMP_TRACE_DEBUG("%s", __func__);
909   STREAM_TO_ARRAY(p_cb->ltk, p, BT_OCTET16_LEN);
910 
911   smp_key_distribution(p_cb, NULL);
912 }
913 /*******************************************************************************
914  * Function     smp_proc_master_id
915  * Description  process master ID from slave device
916  ******************************************************************************/
smp_proc_master_id(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)917 void smp_proc_master_id(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
918   uint8_t* p = (uint8_t*)p_data;
919   tBTM_LE_PENC_KEYS le_key;
920 
921   SMP_TRACE_DEBUG("%s", __func__);
922   smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, true);
923 
924   STREAM_TO_UINT16(le_key.ediv, p);
925   STREAM_TO_ARRAY(le_key.rand, p, BT_OCTET8_LEN);
926 
927   /* store the encryption keys from peer device */
928   memcpy(le_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
929   le_key.sec_level = p_cb->sec_level;
930   le_key.key_size = p_cb->loc_enc_size;
931 
932   if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
933       (p_cb->loc_auth_req & SMP_AUTH_BOND))
934     btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC,
935                         (tBTM_LE_KEY_VALUE*)&le_key, true);
936 
937   smp_key_distribution(p_cb, NULL);
938 }
939 
940 /*******************************************************************************
941  * Function     smp_proc_enc_info
942  * Description  process identity information from peer device
943  ******************************************************************************/
smp_proc_id_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)944 void smp_proc_id_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
945   uint8_t* p = (uint8_t*)p_data;
946 
947   SMP_TRACE_DEBUG("%s", __func__);
948   STREAM_TO_ARRAY(p_cb->tk, p, BT_OCTET16_LEN); /* reuse TK for IRK */
949   smp_key_distribution_by_transport(p_cb, NULL);
950 }
951 
952 /*******************************************************************************
953  * Function     smp_proc_id_addr
954  * Description  process identity address from peer device
955  ******************************************************************************/
smp_proc_id_addr(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)956 void smp_proc_id_addr(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
957   uint8_t* p = (uint8_t*)p_data;
958   tBTM_LE_PID_KEYS pid_key;
959 
960   SMP_TRACE_DEBUG("%s", __func__);
961   smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ID, true);
962 
963   STREAM_TO_UINT8(pid_key.addr_type, p);
964   STREAM_TO_BDADDR(pid_key.static_addr, p);
965   memcpy(pid_key.irk, p_cb->tk, BT_OCTET16_LEN);
966 
967   /* to use as BD_ADDR for lk derived from ltk */
968   p_cb->id_addr_rcvd = true;
969   p_cb->id_addr_type = pid_key.addr_type;
970   memcpy(p_cb->id_addr, pid_key.static_addr, BD_ADDR_LEN);
971 
972   /* store the ID key from peer device */
973   if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
974       (p_cb->loc_auth_req & SMP_AUTH_BOND))
975     btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PID,
976                         (tBTM_LE_KEY_VALUE*)&pid_key, true);
977   smp_key_distribution_by_transport(p_cb, NULL);
978 }
979 
980 /*******************************************************************************
981  * Function     smp_proc_srk_info
982  * Description  process security information from peer device
983  ******************************************************************************/
smp_proc_srk_info(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)984 void smp_proc_srk_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
985   tBTM_LE_PCSRK_KEYS le_key;
986 
987   SMP_TRACE_DEBUG("%s", __func__);
988   smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_CSRK, true);
989 
990   /* save CSRK to security record */
991   le_key.sec_level = p_cb->sec_level;
992   maybe_non_aligned_memcpy(le_key.csrk, p_data,
993                            BT_OCTET16_LEN);    /* get peer CSRK */
994   le_key.counter = 0;                          /* initialize the peer counter */
995 
996   if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
997       (p_cb->loc_auth_req & SMP_AUTH_BOND))
998     btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PCSRK,
999                         (tBTM_LE_KEY_VALUE*)&le_key, true);
1000   smp_key_distribution_by_transport(p_cb, NULL);
1001 }
1002 
1003 /*******************************************************************************
1004  * Function     smp_proc_compare
1005  * Description  process compare value
1006  ******************************************************************************/
smp_proc_compare(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1007 void smp_proc_compare(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1008   uint8_t reason;
1009 
1010   SMP_TRACE_DEBUG("%s", __func__);
1011   if (!memcmp(p_cb->rconfirm, p_data->key.p_data, BT_OCTET16_LEN)) {
1012     /* compare the max encryption key size, and save the smaller one for the
1013      * link */
1014     if (p_cb->peer_enc_size < p_cb->loc_enc_size)
1015       p_cb->loc_enc_size = p_cb->peer_enc_size;
1016 
1017     if (p_cb->role == HCI_ROLE_SLAVE)
1018       smp_sm_event(p_cb, SMP_RAND_EVT, NULL);
1019     else {
1020       /* master device always use received i/r key as keys to distribute */
1021       p_cb->local_i_key = p_cb->peer_i_key;
1022       p_cb->local_r_key = p_cb->peer_r_key;
1023 
1024       smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL);
1025     }
1026 
1027   } else {
1028     reason = p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1029     smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1030   }
1031 }
1032 
1033 /*******************************************************************************
1034  * Function     smp_proc_sl_key
1035  * Description  process key ready events.
1036  ******************************************************************************/
smp_proc_sl_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1037 void smp_proc_sl_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1038   uint8_t key_type = p_data->key.key_type;
1039 
1040   SMP_TRACE_DEBUG("%s", __func__);
1041   if (key_type == SMP_KEY_TYPE_TK) {
1042     smp_generate_srand_mrand_confirm(p_cb, NULL);
1043   } else if (key_type == SMP_KEY_TYPE_CFM) {
1044     smp_set_state(SMP_STATE_WAIT_CONFIRM);
1045 
1046     if (p_cb->flags & SMP_PAIR_FLAGS_CMD_CONFIRM)
1047       smp_sm_event(p_cb, SMP_CONFIRM_EVT, NULL);
1048   }
1049 }
1050 
1051 /*******************************************************************************
1052  * Function     smp_start_enc
1053  * Description  start encryption
1054  ******************************************************************************/
smp_start_enc(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1055 void smp_start_enc(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1056   tBTM_STATUS cmd;
1057   uint8_t reason = SMP_ENC_FAIL;
1058 
1059   SMP_TRACE_DEBUG("%s", __func__);
1060   if (p_data != NULL)
1061     cmd = btm_ble_start_encrypt(p_cb->pairing_bda, true, p_data->key.p_data);
1062   else
1063     cmd = btm_ble_start_encrypt(p_cb->pairing_bda, false, NULL);
1064 
1065   if (cmd != BTM_CMD_STARTED && cmd != BTM_BUSY)
1066     smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1067 }
1068 
1069 /*******************************************************************************
1070  * Function     smp_proc_discard
1071  * Description   processing for discard security request
1072  ******************************************************************************/
smp_proc_discard(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1073 void smp_proc_discard(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1074   SMP_TRACE_DEBUG("%s", __func__);
1075   if (!(p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD))
1076     smp_reset_control_value(p_cb);
1077 }
1078 
1079 /*******************************************************************************
1080  * Function     smp_enc_cmpl
1081  * Description   encryption success
1082  ******************************************************************************/
smp_enc_cmpl(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1083 void smp_enc_cmpl(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1084   uint8_t enc_enable = *(uint8_t*)p_data;
1085   uint8_t reason = enc_enable ? SMP_SUCCESS : SMP_ENC_FAIL;
1086 
1087   SMP_TRACE_DEBUG("%s", __func__);
1088   smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1089 }
1090 
1091 /*******************************************************************************
1092  * Function     smp_check_auth_req
1093  * Description  check authentication request
1094  ******************************************************************************/
smp_check_auth_req(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1095 void smp_check_auth_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1096   uint8_t enc_enable = *(uint8_t*)p_data;
1097   uint8_t reason = enc_enable ? SMP_SUCCESS : SMP_ENC_FAIL;
1098 
1099   SMP_TRACE_DEBUG(
1100       "%s rcvs enc_enable=%d i_keys=0x%x r_keys=0x%x "
1101       "(i-initiator r-responder)",
1102       __func__, enc_enable, p_cb->local_i_key, p_cb->local_r_key);
1103   if (enc_enable == 1) {
1104     if (p_cb->le_secure_connections_mode_is_used) {
1105       /* In LE SC mode LTK is used instead of STK and has to be always saved */
1106       p_cb->local_i_key |= SMP_SEC_KEY_TYPE_ENC;
1107       p_cb->local_r_key |= SMP_SEC_KEY_TYPE_ENC;
1108 
1109       /* In LE SC mode LK is derived from LTK only if both sides request it */
1110       if (!(p_cb->local_i_key & SMP_SEC_KEY_TYPE_LK) ||
1111           !(p_cb->local_r_key & SMP_SEC_KEY_TYPE_LK)) {
1112         p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
1113         p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
1114       }
1115 
1116       /* In LE SC mode only IRK, IAI, CSRK are exchanged with the peer.
1117       ** Set local_r_key on master to expect only these keys.
1118       */
1119       if (p_cb->role == HCI_ROLE_MASTER) {
1120         p_cb->local_r_key &= (SMP_SEC_KEY_TYPE_ID | SMP_SEC_KEY_TYPE_CSRK);
1121       }
1122     } else {
1123       /* in legacy mode derivation of BR/EDR LK is not supported */
1124       p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
1125       p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
1126     }
1127     SMP_TRACE_DEBUG(
1128         "%s rcvs upgrades: i_keys=0x%x r_keys=0x%x "
1129         "(i-initiator r-responder)",
1130         __func__, p_cb->local_i_key, p_cb->local_r_key);
1131 
1132     if (/*((p_cb->peer_auth_req & SMP_AUTH_BOND) ||
1133          (p_cb->loc_auth_req & SMP_AUTH_BOND)) &&*/
1134         (p_cb->local_i_key || p_cb->local_r_key)) {
1135       smp_sm_event(p_cb, SMP_BOND_REQ_EVT, NULL);
1136     } else
1137       smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1138   } else if (enc_enable == 0) {
1139     /* if failed for encryption after pairing, send callback */
1140     if (p_cb->flags & SMP_PAIR_FLAG_ENC_AFTER_PAIR)
1141       smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1142     /* if enc failed for old security information */
1143     /* if master device, clean up and abck to idle; slave device do nothing */
1144     else if (p_cb->role == HCI_ROLE_MASTER) {
1145       smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1146     }
1147   }
1148 }
1149 
1150 /*******************************************************************************
1151  * Function     smp_key_pick_key
1152  * Description  Pick a key distribution function based on the key mask.
1153  ******************************************************************************/
smp_key_pick_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1154 void smp_key_pick_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1155   uint8_t key_to_dist =
1156       (p_cb->role == HCI_ROLE_SLAVE) ? p_cb->local_r_key : p_cb->local_i_key;
1157   uint8_t i = 0;
1158 
1159   SMP_TRACE_DEBUG("%s key_to_dist=0x%x", __func__, key_to_dist);
1160   while (i < SMP_KEY_DIST_TYPE_MAX) {
1161     SMP_TRACE_DEBUG("key to send = %02x, i = %d", key_to_dist, i);
1162 
1163     if (key_to_dist & (1 << i)) {
1164       SMP_TRACE_DEBUG("smp_distribute_act[%d]", i);
1165       (*smp_distribute_act[i])(p_cb, p_data);
1166       break;
1167     }
1168     i++;
1169   }
1170 }
1171 /*******************************************************************************
1172  * Function     smp_key_distribution
1173  * Description  start key distribution if required.
1174  ******************************************************************************/
smp_key_distribution(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1175 void smp_key_distribution(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1176   SMP_TRACE_DEBUG("%s role=%d (0-master) r_keys=0x%x i_keys=0x%x", __func__,
1177                   p_cb->role, p_cb->local_r_key, p_cb->local_i_key);
1178 
1179   if (p_cb->role == HCI_ROLE_SLAVE ||
1180       (!p_cb->local_r_key && p_cb->role == HCI_ROLE_MASTER)) {
1181     smp_key_pick_key(p_cb, p_data);
1182   }
1183 
1184   if (!p_cb->local_i_key && !p_cb->local_r_key) {
1185     /* state check to prevent re-entrant */
1186     if (smp_get_state() == SMP_STATE_BOND_PENDING) {
1187       if (p_cb->derive_lk) {
1188         smp_derive_link_key_from_long_term_key(p_cb, NULL);
1189         p_cb->derive_lk = false;
1190       }
1191 
1192       if (p_cb->total_tx_unacked == 0) {
1193         /*
1194          * Instead of declaring authorization complete immediately,
1195          * delay the event from being sent by SMP_DELAYED_AUTH_TIMEOUT_MS.
1196          * This allows the slave to send over Pairing Failed if the
1197          * last key is rejected.  During this waiting window, the
1198          * state should remain in SMP_STATE_BOND_PENDING.
1199          */
1200         if (!alarm_is_scheduled(p_cb->delayed_auth_timer_ent)) {
1201           SMP_TRACE_DEBUG("%s delaying auth complete.", __func__);
1202           alarm_set_on_queue(
1203               p_cb->delayed_auth_timer_ent, SMP_DELAYED_AUTH_TIMEOUT_MS,
1204               smp_delayed_auth_complete_timeout, NULL, btu_general_alarm_queue);
1205         }
1206       } else {
1207         p_cb->wait_for_authorization_complete = true;
1208       }
1209     }
1210   }
1211 }
1212 
1213 /*******************************************************************************
1214  * Function         smp_decide_association_model
1215  * Description      This function is called to select assoc model to be used for
1216  *                  STK generation and to start STK generation process.
1217  *
1218  ******************************************************************************/
smp_decide_association_model(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1219 void smp_decide_association_model(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1220   uint8_t failure = SMP_UNKNOWN_IO_CAP;
1221   uint8_t int_evt = 0;
1222   tSMP_KEY key;
1223   tSMP_INT_DATA* p = NULL;
1224 
1225   SMP_TRACE_DEBUG("%s Association Model = %d", __func__,
1226                   p_cb->selected_association_model);
1227 
1228   switch (p_cb->selected_association_model) {
1229     case SMP_MODEL_ENCRYPTION_ONLY: /* TK = 0, go calculate Confirm */
1230       if (p_cb->role == HCI_ROLE_MASTER &&
1231           ((p_cb->peer_auth_req & SMP_AUTH_YN_BIT) != 0) &&
1232           ((p_cb->loc_auth_req & SMP_AUTH_YN_BIT) == 0)) {
1233         SMP_TRACE_ERROR(
1234             "IO capability does not meet authentication requirement");
1235         failure = SMP_PAIR_AUTH_FAIL;
1236         p = (tSMP_INT_DATA*)&failure;
1237         int_evt = SMP_AUTH_CMPL_EVT;
1238       } else {
1239         p_cb->sec_level = SMP_SEC_UNAUTHENTICATE;
1240         SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_UNAUTHENTICATE) ",
1241                         p_cb->sec_level);
1242 
1243         key.key_type = SMP_KEY_TYPE_TK;
1244         key.p_data = p_cb->tk;
1245         p = (tSMP_INT_DATA*)&key;
1246 
1247         memset(p_cb->tk, 0, BT_OCTET16_LEN);
1248         /* TK, ready  */
1249         int_evt = SMP_KEY_READY_EVT;
1250       }
1251       break;
1252 
1253     case SMP_MODEL_PASSKEY:
1254       p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1255       SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_AUTHENTICATED) ",
1256                       p_cb->sec_level);
1257 
1258       p_cb->cb_evt = SMP_PASSKEY_REQ_EVT;
1259       int_evt = SMP_TK_REQ_EVT;
1260       break;
1261 
1262     case SMP_MODEL_OOB:
1263       SMP_TRACE_ERROR("Association Model = SMP_MODEL_OOB");
1264       p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1265       SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_AUTHENTICATED) ",
1266                       p_cb->sec_level);
1267 
1268       p_cb->cb_evt = SMP_OOB_REQ_EVT;
1269       int_evt = SMP_TK_REQ_EVT;
1270       break;
1271 
1272     case SMP_MODEL_KEY_NOTIF:
1273       p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1274       SMP_TRACE_DEBUG("Need to generate Passkey");
1275 
1276       /* generate passkey and notify application */
1277       smp_generate_passkey(p_cb, NULL);
1278       break;
1279 
1280     case SMP_MODEL_SEC_CONN_JUSTWORKS:
1281     case SMP_MODEL_SEC_CONN_NUM_COMP:
1282     case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1283     case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1284     case SMP_MODEL_SEC_CONN_OOB:
1285       int_evt = SMP_PUBL_KEY_EXCH_REQ_EVT;
1286       break;
1287 
1288     case SMP_MODEL_OUT_OF_RANGE:
1289       SMP_TRACE_ERROR("Association Model = SMP_MODEL_OUT_OF_RANGE (failed)");
1290       p = (tSMP_INT_DATA*)&failure;
1291       int_evt = SMP_AUTH_CMPL_EVT;
1292       break;
1293 
1294     default:
1295       SMP_TRACE_ERROR(
1296           "Association Model = %d (SOMETHING IS WRONG WITH THE CODE)",
1297           p_cb->selected_association_model);
1298       p = (tSMP_INT_DATA*)&failure;
1299       int_evt = SMP_AUTH_CMPL_EVT;
1300   }
1301 
1302   SMP_TRACE_EVENT("sec_level=%d ", p_cb->sec_level);
1303   if (int_evt) smp_sm_event(p_cb, int_evt, p);
1304 }
1305 
1306 /*******************************************************************************
1307  * Function     smp_process_io_response
1308  * Description  process IO response for a slave device.
1309  ******************************************************************************/
smp_process_io_response(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1310 void smp_process_io_response(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1311   uint8_t reason = SMP_PAIR_AUTH_FAIL;
1312 
1313   SMP_TRACE_DEBUG("%s", __func__);
1314   if (p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD) {
1315     /* pairing started by local (slave) Security Request */
1316     smp_set_state(SMP_STATE_SEC_REQ_PENDING);
1317     smp_send_cmd(SMP_OPCODE_SEC_REQ, p_cb);
1318   } else /* plan to send pairing respond */
1319   {
1320     /* pairing started by peer (master) Pairing Request */
1321     p_cb->selected_association_model = smp_select_association_model(p_cb);
1322 
1323     if (p_cb->secure_connections_only_mode_required &&
1324         (!(p_cb->le_secure_connections_mode_is_used) ||
1325          (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS))) {
1326       SMP_TRACE_ERROR(
1327           "Slave requires secure connection only mode \
1328                               but it can't be provided -> Slave fails pairing");
1329       smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1330       return;
1331     }
1332 
1333     if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) {
1334       if (smp_request_oob_data(p_cb)) return;
1335     }
1336 
1337     // PTS Testing failure modes
1338     if (pts_test_send_authentication_complete_failure(p_cb)) return;
1339 
1340     smp_send_pair_rsp(p_cb, NULL);
1341   }
1342 }
1343 
1344 /*******************************************************************************
1345  * Function     smp_br_process_slave_keys_response
1346  * Description  process application keys response for a slave device
1347  *              (BR/EDR transport).
1348  ******************************************************************************/
smp_br_process_slave_keys_response(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1349 void smp_br_process_slave_keys_response(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1350   smp_br_send_pair_response(p_cb, NULL);
1351 }
1352 
1353 /*******************************************************************************
1354  * Function     smp_br_send_pair_response
1355  * Description  actions related to sending pairing response over BR/EDR
1356  *              transport.
1357  ******************************************************************************/
smp_br_send_pair_response(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1358 void smp_br_send_pair_response(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1359   SMP_TRACE_DEBUG("%s", __func__);
1360 
1361   p_cb->local_i_key &= p_cb->peer_i_key;
1362   p_cb->local_r_key &= p_cb->peer_r_key;
1363 
1364   smp_send_cmd(SMP_OPCODE_PAIRING_RSP, p_cb);
1365 }
1366 
1367 /*******************************************************************************
1368  * Function         smp_pairing_cmpl
1369  * Description      This function is called to send the pairing complete
1370  *                  callback and remove the connection if needed.
1371  ******************************************************************************/
smp_pairing_cmpl(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1372 void smp_pairing_cmpl(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1373   if (p_cb->total_tx_unacked == 0) {
1374     /* process the pairing complete */
1375     smp_proc_pairing_cmpl(p_cb);
1376   }
1377 }
1378 
1379 /*******************************************************************************
1380  * Function         smp_pair_terminate
1381  * Description      This function is called to send the pairing complete
1382  *                  callback and remove the connection if needed.
1383  ******************************************************************************/
smp_pair_terminate(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1384 void smp_pair_terminate(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1385   SMP_TRACE_DEBUG("%s", __func__);
1386   p_cb->status = SMP_CONN_TOUT;
1387   smp_proc_pairing_cmpl(p_cb);
1388 }
1389 
1390 /*******************************************************************************
1391  * Function         smp_idle_terminate
1392  * Description      This function calledin idle state to determine to send
1393  *                  authentication complete or not.
1394  ******************************************************************************/
smp_idle_terminate(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1395 void smp_idle_terminate(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1396   if (p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD) {
1397     SMP_TRACE_DEBUG("Pairing terminated at IDLE state.");
1398     p_cb->status = SMP_FAIL;
1399     smp_proc_pairing_cmpl(p_cb);
1400   }
1401 }
1402 
1403 /*******************************************************************************
1404  * Function     smp_fast_conn_param
1405  * Description  apply default connection parameter for pairing process
1406  ******************************************************************************/
smp_fast_conn_param(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1407 void smp_fast_conn_param(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1408   /* Disable L2CAP connection parameter updates while bonding since
1409      some peripherals are not able to revert to fast connection parameters
1410      during the start of service discovery. Connection paramter updates
1411      get enabled again once service discovery completes. */
1412   L2CA_EnableUpdateBleConnParams(p_cb->pairing_bda, false);
1413 }
1414 
1415 /*******************************************************************************
1416  * Function     smp_both_have_public_keys
1417  * Description  The function is called when both local and peer public keys are
1418  *              saved.
1419  *              Actions:
1420  *              - invokes DHKey computation;
1421  *              - on slave side invokes sending local public key to the peer.
1422  *              - invokes SC phase 1 process.
1423  ******************************************************************************/
smp_both_have_public_keys(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1424 void smp_both_have_public_keys(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1425   SMP_TRACE_DEBUG("%s", __func__);
1426 
1427   /* invokes DHKey computation */
1428   smp_compute_dhkey(p_cb);
1429 
1430   /* on slave side invokes sending local public key to the peer */
1431   if (p_cb->role == HCI_ROLE_SLAVE) smp_send_pair_public_key(p_cb, NULL);
1432 
1433   smp_sm_event(p_cb, SMP_SC_DHKEY_CMPLT_EVT, NULL);
1434 }
1435 
1436 /*******************************************************************************
1437  * Function     smp_start_secure_connection_phase1
1438  * Description  Start Secure Connection phase1 i.e. invokes initialization of
1439  *              Secure Connection phase 1 parameters and starts building/sending
1440  *              to the peer messages appropriate for the role and association
1441  *              model.
1442  ******************************************************************************/
smp_start_secure_connection_phase1(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1443 void smp_start_secure_connection_phase1(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1444   SMP_TRACE_DEBUG("%s", __func__);
1445 
1446   if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS) {
1447     p_cb->sec_level = SMP_SEC_UNAUTHENTICATE;
1448     SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_UNAUTHENTICATE) ",
1449                     p_cb->sec_level);
1450   } else {
1451     p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1452     SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_AUTHENTICATED) ",
1453                     p_cb->sec_level);
1454   }
1455 
1456   switch (p_cb->selected_association_model) {
1457     case SMP_MODEL_SEC_CONN_JUSTWORKS:
1458     case SMP_MODEL_SEC_CONN_NUM_COMP:
1459       memset(p_cb->local_random, 0, BT_OCTET16_LEN);
1460       smp_start_nonce_generation(p_cb);
1461       break;
1462     case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1463       /* user has to provide passkey */
1464       p_cb->cb_evt = SMP_PASSKEY_REQ_EVT;
1465       smp_sm_event(p_cb, SMP_TK_REQ_EVT, NULL);
1466       break;
1467     case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1468       /* passkey has to be provided to user */
1469       SMP_TRACE_DEBUG("Need to generate SC Passkey");
1470       smp_generate_passkey(p_cb, NULL);
1471       break;
1472     case SMP_MODEL_SEC_CONN_OOB:
1473       /* use the available OOB information */
1474       smp_process_secure_connection_oob_data(p_cb, NULL);
1475       break;
1476     default:
1477       SMP_TRACE_ERROR("Association Model = %d is not used in LE SC",
1478                       p_cb->selected_association_model);
1479       break;
1480   }
1481 }
1482 
1483 /*******************************************************************************
1484  * Function     smp_process_local_nonce
1485  * Description  The function processes new local nonce.
1486  *
1487  * Note         It is supposed to be called in SC phase1.
1488  ******************************************************************************/
smp_process_local_nonce(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1489 void smp_process_local_nonce(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1490   SMP_TRACE_DEBUG("%s", __func__);
1491 
1492   switch (p_cb->selected_association_model) {
1493     case SMP_MODEL_SEC_CONN_JUSTWORKS:
1494     case SMP_MODEL_SEC_CONN_NUM_COMP:
1495       if (p_cb->role == HCI_ROLE_SLAVE) {
1496         /* slave calculates and sends local commitment */
1497         smp_calculate_local_commitment(p_cb);
1498         smp_send_commitment(p_cb, NULL);
1499         /* slave has to wait for peer nonce */
1500         smp_set_state(SMP_STATE_WAIT_NONCE);
1501       } else /* i.e. master */
1502       {
1503         if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_COMM) {
1504           /* slave commitment is already received, send local nonce, wait for
1505            * remote nonce*/
1506           SMP_TRACE_DEBUG(
1507               "master in assoc mode = %d \
1508                     already rcvd slave commitment - race condition",
1509               p_cb->selected_association_model);
1510           p_cb->flags &= ~SMP_PAIR_FLAG_HAVE_PEER_COMM;
1511           smp_send_rand(p_cb, NULL);
1512           smp_set_state(SMP_STATE_WAIT_NONCE);
1513         }
1514       }
1515       break;
1516     case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1517     case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1518       smp_calculate_local_commitment(p_cb);
1519 
1520       if (p_cb->role == HCI_ROLE_MASTER) {
1521         smp_send_commitment(p_cb, NULL);
1522       } else /* slave */
1523       {
1524         if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_COMM) {
1525           /* master commitment is already received */
1526           smp_send_commitment(p_cb, NULL);
1527           smp_set_state(SMP_STATE_WAIT_NONCE);
1528         }
1529       }
1530       break;
1531     case SMP_MODEL_SEC_CONN_OOB:
1532       if (p_cb->role == HCI_ROLE_MASTER) {
1533         smp_send_rand(p_cb, NULL);
1534       }
1535 
1536       smp_set_state(SMP_STATE_WAIT_NONCE);
1537       break;
1538     default:
1539       SMP_TRACE_ERROR("Association Model = %d is not used in LE SC",
1540                       p_cb->selected_association_model);
1541       break;
1542   }
1543 }
1544 
1545 /*******************************************************************************
1546  * Function     smp_process_peer_nonce
1547  * Description  The function processes newly received and saved in CB peer
1548  *              nonce. The actions depend on the selected association model and
1549  *              the role.
1550  *
1551  * Note         It is supposed to be called in SC phase1.
1552  ******************************************************************************/
smp_process_peer_nonce(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1553 void smp_process_peer_nonce(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1554   uint8_t reason;
1555 
1556   SMP_TRACE_DEBUG("%s start ", __func__);
1557 
1558   // PTS Testing failure modes
1559   if (p_cb->cert_failure == 1) {
1560     SMP_TRACE_ERROR("%s failure case = %d", __func__, p_cb->cert_failure);
1561     reason = p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1562     smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1563     return;
1564   }
1565 
1566   switch (p_cb->selected_association_model) {
1567     case SMP_MODEL_SEC_CONN_JUSTWORKS:
1568     case SMP_MODEL_SEC_CONN_NUM_COMP:
1569       /* in these models only master receives commitment */
1570       if (p_cb->role == HCI_ROLE_MASTER) {
1571         if (!smp_check_commitment(p_cb)) {
1572           reason = p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1573           smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1574           break;
1575         }
1576       } else {
1577         /* slave sends local nonce */
1578         smp_send_rand(p_cb, NULL);
1579       }
1580 
1581       if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS) {
1582         /* go directly to phase 2 */
1583         smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1584       } else /* numeric comparison */
1585       {
1586         smp_set_state(SMP_STATE_WAIT_NONCE);
1587         smp_sm_event(p_cb, SMP_SC_CALC_NC_EVT, NULL);
1588       }
1589       break;
1590     case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1591     case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1592       if (!smp_check_commitment(p_cb) && p_cb->cert_failure != 9) {
1593         reason = p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1594         smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1595         break;
1596       }
1597 
1598       if (p_cb->role == HCI_ROLE_SLAVE) {
1599         smp_send_rand(p_cb, NULL);
1600       }
1601 
1602       if (++p_cb->round < 20) {
1603         smp_set_state(SMP_STATE_SEC_CONN_PHS1_START);
1604         p_cb->flags &= ~SMP_PAIR_FLAG_HAVE_PEER_COMM;
1605         smp_start_nonce_generation(p_cb);
1606         break;
1607       }
1608 
1609       smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1610       break;
1611     case SMP_MODEL_SEC_CONN_OOB:
1612       if (p_cb->role == HCI_ROLE_SLAVE) {
1613         smp_send_rand(p_cb, NULL);
1614       }
1615 
1616       smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1617       break;
1618     default:
1619       SMP_TRACE_ERROR("Association Model = %d is not used in LE SC",
1620                       p_cb->selected_association_model);
1621       break;
1622   }
1623 
1624   SMP_TRACE_DEBUG("%s end ", __func__);
1625 }
1626 
1627 /*******************************************************************************
1628  * Function     smp_match_dhkey_checks
1629  * Description  checks if the calculated peer DHKey Check value is the same as
1630  *              received from the peer DHKey check value.
1631  ******************************************************************************/
smp_match_dhkey_checks(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1632 void smp_match_dhkey_checks(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1633   uint8_t reason = SMP_DHKEY_CHK_FAIL;
1634 
1635   SMP_TRACE_DEBUG("%s", __func__);
1636 
1637   if (memcmp(p_data->key.p_data, p_cb->remote_dhkey_check, BT_OCTET16_LEN)) {
1638     SMP_TRACE_WARNING("dhkey chcks do no match");
1639     p_cb->failure = reason;
1640     smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1641     return;
1642   }
1643 
1644   SMP_TRACE_EVENT("dhkey chcks match");
1645 
1646   /* compare the max encryption key size, and save the smaller one for the link
1647    */
1648   if (p_cb->peer_enc_size < p_cb->loc_enc_size)
1649     p_cb->loc_enc_size = p_cb->peer_enc_size;
1650 
1651   if (p_cb->role == HCI_ROLE_SLAVE) {
1652     smp_sm_event(p_cb, SMP_PAIR_DHKEY_CHCK_EVT, NULL);
1653   } else {
1654     /* master device always use received i/r key as keys to distribute */
1655     p_cb->local_i_key = p_cb->peer_i_key;
1656     p_cb->local_r_key = p_cb->peer_r_key;
1657     smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL);
1658   }
1659 }
1660 
1661 /*******************************************************************************
1662  * Function     smp_move_to_secure_connections_phase2
1663  * Description  Signal State Machine to start SC phase 2 initialization (to
1664  *              compute local DHKey Check value).
1665  *
1666  * Note         SM is supposed to be in the state SMP_STATE_SEC_CONN_PHS2_START.
1667  ******************************************************************************/
smp_move_to_secure_connections_phase2(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1668 void smp_move_to_secure_connections_phase2(tSMP_CB* p_cb,
1669                                            tSMP_INT_DATA* p_data) {
1670   SMP_TRACE_DEBUG("%s", __func__);
1671   smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1672 }
1673 
1674 /*******************************************************************************
1675  * Function     smp_phase_2_dhkey_checks_are_present
1676  * Description  generates event if dhkey check from the peer is already
1677  *              received.
1678  *
1679  * Note         It is supposed to be used on slave to prevent race condition.
1680  *              It is supposed to be called after slave dhkey check is
1681  *              calculated.
1682  ******************************************************************************/
smp_phase_2_dhkey_checks_are_present(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1683 void smp_phase_2_dhkey_checks_are_present(tSMP_CB* p_cb,
1684                                           tSMP_INT_DATA* p_data) {
1685   SMP_TRACE_DEBUG("%s", __func__);
1686 
1687   if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_DHK_CHK)
1688     smp_sm_event(p_cb, SMP_SC_2_DHCK_CHKS_PRES_EVT, NULL);
1689 }
1690 
1691 /*******************************************************************************
1692  * Function     smp_wait_for_both_public_keys
1693  * Description  generates SMP_BOTH_PUBL_KEYS_RCVD_EVT event when both local and
1694  *              master public keys are available.
1695  *
1696  * Note         on the slave it is used to prevent race condition.
1697  *
1698  ******************************************************************************/
smp_wait_for_both_public_keys(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1699 void smp_wait_for_both_public_keys(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1700   SMP_TRACE_DEBUG("%s", __func__);
1701 
1702   if ((p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_PUBL_KEY) &&
1703       (p_cb->flags & SMP_PAIR_FLAG_HAVE_LOCAL_PUBL_KEY)) {
1704     if ((p_cb->role == HCI_ROLE_SLAVE) &&
1705         ((p_cb->req_oob_type == SMP_OOB_LOCAL) ||
1706          (p_cb->req_oob_type == SMP_OOB_BOTH))) {
1707       smp_set_state(SMP_STATE_PUBLIC_KEY_EXCH);
1708     }
1709     smp_sm_event(p_cb, SMP_BOTH_PUBL_KEYS_RCVD_EVT, NULL);
1710   }
1711 }
1712 
1713 /*******************************************************************************
1714  * Function     smp_start_passkey_verification
1715  * Description  Starts SC passkey entry verification.
1716  ******************************************************************************/
smp_start_passkey_verification(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1717 void smp_start_passkey_verification(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1718   uint8_t* p = NULL;
1719 
1720   SMP_TRACE_DEBUG("%s", __func__);
1721   p = p_cb->local_random;
1722   UINT32_TO_STREAM(p, p_data->passkey);
1723 
1724   p = p_cb->peer_random;
1725   UINT32_TO_STREAM(p, p_data->passkey);
1726 
1727   p_cb->round = 0;
1728   smp_start_nonce_generation(p_cb);
1729 }
1730 
1731 /*******************************************************************************
1732  * Function     smp_process_secure_connection_oob_data
1733  * Description  Processes local/peer SC OOB data received from somewhere.
1734  ******************************************************************************/
smp_process_secure_connection_oob_data(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1735 void smp_process_secure_connection_oob_data(tSMP_CB* p_cb,
1736                                             tSMP_INT_DATA* p_data) {
1737   SMP_TRACE_DEBUG("%s", __func__);
1738 
1739   tSMP_SC_OOB_DATA* p_sc_oob_data = &p_cb->sc_oob_data;
1740   if (p_sc_oob_data->loc_oob_data.present) {
1741     memcpy(p_cb->local_random, p_sc_oob_data->loc_oob_data.randomizer,
1742            sizeof(p_cb->local_random));
1743   } else {
1744     SMP_TRACE_EVENT("%s: local OOB randomizer is absent", __func__);
1745     memset(p_cb->local_random, 0, sizeof(p_cb->local_random));
1746   }
1747 
1748   if (!p_sc_oob_data->peer_oob_data.present) {
1749     SMP_TRACE_EVENT("%s: peer OOB data is absent", __func__);
1750     memset(p_cb->peer_random, 0, sizeof(p_cb->peer_random));
1751   } else {
1752     memcpy(p_cb->peer_random, p_sc_oob_data->peer_oob_data.randomizer,
1753            sizeof(p_cb->peer_random));
1754     memcpy(p_cb->remote_commitment, p_sc_oob_data->peer_oob_data.commitment,
1755            sizeof(p_cb->remote_commitment));
1756 
1757     uint8_t reason = SMP_CONFIRM_VALUE_ERR;
1758     /* check commitment */
1759     if (!smp_check_commitment(p_cb)) {
1760       p_cb->failure = reason;
1761       smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1762       return;
1763     }
1764 
1765     if (p_cb->peer_oob_flag != SMP_OOB_PRESENT) {
1766       /* the peer doesn't have local randomiser */
1767       SMP_TRACE_EVENT(
1768           "%s: peer didn't receive local OOB data, set local randomizer to 0",
1769           __func__);
1770       memset(p_cb->local_random, 0, sizeof(p_cb->local_random));
1771     }
1772   }
1773 
1774   print128(p_cb->local_random, (const uint8_t*)"local OOB randomizer");
1775   print128(p_cb->peer_random, (const uint8_t*)"peer OOB randomizer");
1776   smp_start_nonce_generation(p_cb);
1777 }
1778 
1779 /*******************************************************************************
1780  * Function     smp_set_local_oob_keys
1781  * Description  Saves calculated private/public keys in
1782  *              sc_oob_data.loc_oob_data, starts nonce generation
1783  *              (to be saved in sc_oob_data.loc_oob_data.randomizer).
1784  ******************************************************************************/
smp_set_local_oob_keys(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1785 void smp_set_local_oob_keys(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1786   SMP_TRACE_DEBUG("%s", __func__);
1787 
1788   memcpy(p_cb->sc_oob_data.loc_oob_data.private_key_used, p_cb->private_key,
1789          BT_OCTET32_LEN);
1790   p_cb->sc_oob_data.loc_oob_data.publ_key_used = p_cb->loc_publ_key;
1791   smp_start_nonce_generation(p_cb);
1792 }
1793 
1794 /*******************************************************************************
1795  * Function     smp_set_local_oob_random_commitment
1796  * Description  Saves calculated randomizer and commitment in
1797  *              sc_oob_data.loc_oob_data, passes sc_oob_data.loc_oob_data up
1798  *              for safekeeping.
1799  ******************************************************************************/
smp_set_local_oob_random_commitment(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1800 void smp_set_local_oob_random_commitment(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1801   SMP_TRACE_DEBUG("%s", __func__);
1802   memcpy(p_cb->sc_oob_data.loc_oob_data.randomizer, p_cb->rand, BT_OCTET16_LEN);
1803 
1804   smp_calculate_f4(p_cb->sc_oob_data.loc_oob_data.publ_key_used.x,
1805                    p_cb->sc_oob_data.loc_oob_data.publ_key_used.x,
1806                    p_cb->sc_oob_data.loc_oob_data.randomizer, 0,
1807                    p_cb->sc_oob_data.loc_oob_data.commitment);
1808 
1809 #if (SMP_DEBUG == TRUE)
1810   uint8_t* p_print = NULL;
1811   SMP_TRACE_DEBUG("local SC OOB data set:");
1812   p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.addr_sent_to;
1813   smp_debug_print_nbyte_little_endian(p_print, "addr_sent_to",
1814                                       sizeof(tBLE_BD_ADDR));
1815   p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.private_key_used;
1816   smp_debug_print_nbyte_little_endian(p_print, "private_key_used",
1817                                       BT_OCTET32_LEN);
1818   p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.publ_key_used.x;
1819   smp_debug_print_nbyte_little_endian(p_print, "publ_key_used.x",
1820                                       BT_OCTET32_LEN);
1821   p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.publ_key_used.y;
1822   smp_debug_print_nbyte_little_endian(p_print, "publ_key_used.y",
1823                                       BT_OCTET32_LEN);
1824   p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.randomizer;
1825   smp_debug_print_nbyte_little_endian(p_print, "randomizer", BT_OCTET16_LEN);
1826   p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.commitment;
1827   smp_debug_print_nbyte_little_endian(p_print, "commitment", BT_OCTET16_LEN);
1828   SMP_TRACE_DEBUG("");
1829 #endif
1830 
1831   /* pass created OOB data up */
1832   p_cb->cb_evt = SMP_SC_LOC_OOB_DATA_UP_EVT;
1833   smp_send_app_cback(p_cb, NULL);
1834 
1835   smp_cb_cleanup(p_cb);
1836 }
1837 
1838 /*******************************************************************************
1839  *
1840  * Function         smp_link_encrypted
1841  *
1842  * Description      This function is called when link is encrypted and notified
1843  *                  to the slave device. Proceed to to send LTK, DIV and ER to
1844  *                  master if bonding the devices.
1845  *
1846  *
1847  * Returns          void
1848  *
1849  ******************************************************************************/
smp_link_encrypted(BD_ADDR bda,uint8_t encr_enable)1850 void smp_link_encrypted(BD_ADDR bda, uint8_t encr_enable) {
1851   tSMP_CB* p_cb = &smp_cb;
1852 
1853   SMP_TRACE_DEBUG("%s encr_enable=%d", __func__, encr_enable);
1854 
1855   if (memcmp(&smp_cb.pairing_bda[0], bda, BD_ADDR_LEN) == 0) {
1856     /* encryption completed with STK, remmeber the key size now, could be
1857     * overwite
1858     *  when key exchange happens                                        */
1859     if (p_cb->loc_enc_size != 0 && encr_enable) {
1860       /* update the link encryption key size if a SMP pairing just performed */
1861       btm_ble_update_sec_key_size(bda, p_cb->loc_enc_size);
1862     }
1863 
1864     smp_sm_event(&smp_cb, SMP_ENCRYPTED_EVT, &encr_enable);
1865   }
1866 }
1867 
1868 /*******************************************************************************
1869  *
1870  * Function         smp_proc_ltk_request
1871  *
1872  * Description      This function is called when LTK request is received from
1873  *                  controller.
1874  *
1875  * Returns          void
1876  *
1877  ******************************************************************************/
smp_proc_ltk_request(BD_ADDR bda)1878 bool smp_proc_ltk_request(BD_ADDR bda) {
1879   SMP_TRACE_DEBUG("%s state = %d", __func__, smp_cb.state);
1880   bool match = false;
1881 
1882   if (!memcmp(bda, smp_cb.pairing_bda, BD_ADDR_LEN)) {
1883     match = true;
1884   } else {
1885     BD_ADDR dummy_bda = {0};
1886     tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda);
1887     if (p_dev_rec != NULL &&
1888         0 == memcmp(p_dev_rec->ble.pseudo_addr, smp_cb.pairing_bda,
1889                     BD_ADDR_LEN) &&
1890         0 != memcmp(p_dev_rec->ble.pseudo_addr, dummy_bda, BD_ADDR_LEN)) {
1891       match = true;
1892     }
1893   }
1894 
1895   if (match && smp_cb.state == SMP_STATE_ENCRYPTION_PENDING) {
1896     smp_sm_event(&smp_cb, SMP_ENC_REQ_EVT, NULL);
1897     return true;
1898   }
1899 
1900   return false;
1901 }
1902 
1903 /*******************************************************************************
1904  *
1905  * Function         smp_process_secure_connection_long_term_key
1906  *
1907  * Description      This function is called to process SC LTK.
1908  *                  SC LTK is calculated and used instead of STK.
1909  *                  Here SC LTK is saved in BLE DB.
1910  *
1911  * Returns          void
1912  *
1913  ******************************************************************************/
smp_process_secure_connection_long_term_key(void)1914 void smp_process_secure_connection_long_term_key(void) {
1915   tSMP_CB* p_cb = &smp_cb;
1916 
1917   SMP_TRACE_DEBUG("%s", __func__);
1918   smp_save_secure_connections_long_term_key(p_cb);
1919 
1920   smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, false);
1921   smp_key_distribution(p_cb, NULL);
1922 }
1923 
1924 /*******************************************************************************
1925  *
1926  * Function         smp_set_derive_link_key
1927  *
1928  * Description      This function is called to set flag that indicates that
1929  *                  BR/EDR LK has to be derived from LTK after all keys are
1930  *                  distributed.
1931  *
1932  * Returns          void
1933  *
1934  ******************************************************************************/
smp_set_derive_link_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1935 void smp_set_derive_link_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1936   SMP_TRACE_DEBUG("%s", __func__);
1937   p_cb->derive_lk = true;
1938   smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_LK, false);
1939   smp_key_distribution(p_cb, NULL);
1940 }
1941 
1942 /*******************************************************************************
1943  *
1944  * Function         smp_derive_link_key_from_long_term_key
1945  *
1946  * Description      This function is called to derive BR/EDR LK from LTK.
1947  *
1948  * Returns          void
1949  *
1950  ******************************************************************************/
smp_derive_link_key_from_long_term_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1951 void smp_derive_link_key_from_long_term_key(tSMP_CB* p_cb,
1952                                             tSMP_INT_DATA* p_data) {
1953   tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN;
1954 
1955   SMP_TRACE_DEBUG("%s", __func__);
1956   if (!smp_calculate_link_key_from_long_term_key(p_cb)) {
1957     SMP_TRACE_ERROR("%s failed", __func__);
1958     smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &status);
1959     return;
1960   }
1961 }
1962 
1963 /*******************************************************************************
1964  *
1965  * Function         smp_br_process_link_key
1966  *
1967  * Description      This function is called to process BR/EDR LK:
1968  *                  - to derive SMP LTK from BR/EDR LK;
1969 *8                  - to save SMP LTK.
1970  *
1971  * Returns          void
1972  *
1973  ******************************************************************************/
smp_br_process_link_key(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1974 void smp_br_process_link_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1975   tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN;
1976 
1977   SMP_TRACE_DEBUG("%s", __func__);
1978   if (!smp_calculate_long_term_key_from_link_key(p_cb)) {
1979     SMP_TRACE_ERROR("%s failed", __func__);
1980     smp_sm_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &status);
1981     return;
1982   }
1983 
1984   SMP_TRACE_DEBUG("%s: LTK derivation from LK successfully completed",
1985                   __func__);
1986   smp_save_secure_connections_long_term_key(p_cb);
1987   smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, false);
1988   smp_br_select_next_key(p_cb, NULL);
1989 }
1990 
1991 /*******************************************************************************
1992  * Function     smp_key_distribution_by_transport
1993  * Description  depending on the transport used at the moment calls either
1994  *              smp_key_distribution(...) or smp_br_key_distribution(...).
1995  ******************************************************************************/
smp_key_distribution_by_transport(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)1996 void smp_key_distribution_by_transport(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1997   SMP_TRACE_DEBUG("%s", __func__);
1998   if (p_cb->smp_over_br) {
1999     smp_br_select_next_key(p_cb, NULL);
2000   } else {
2001     smp_key_distribution(p_cb, NULL);
2002   }
2003 }
2004 
2005 /*******************************************************************************
2006  * Function         smp_br_pairing_complete
2007  * Description      This function is called to send the pairing complete
2008  *                  callback and remove the connection if needed.
2009  ******************************************************************************/
smp_br_pairing_complete(tSMP_CB * p_cb,tSMP_INT_DATA * p_data)2010 void smp_br_pairing_complete(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
2011   SMP_TRACE_DEBUG("%s", __func__);
2012 
2013   if (p_cb->total_tx_unacked == 0) {
2014     /* process the pairing complete */
2015     smp_proc_pairing_cmpl(p_cb);
2016   }
2017 }
2018