1 /******************************************************************************
2 *
3 * Copyright (C) 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 *****************************************************************************/
18
19 /******************************************************************************
20 *
21 * This file contains functions for the SMP L2CAP utility functions
22 *
23 ******************************************************************************/
24 #include "bt_target.h"
25
26 #include <ctype.h>
27 #include <string.h>
28 #include "bt_types.h"
29 #include "bt_utils.h"
30 #include "btm_ble_api.h"
31 #include "btm_int.h"
32 #include "device/include/controller.h"
33 #include "hcidefs.h"
34 #include "l2c_api.h"
35 #include "l2c_int.h"
36 #include "osi/include/osi.h"
37 #include "smp_int.h"
38
39 extern fixed_queue_t* btu_general_alarm_queue;
40
41 #define SMP_PAIRING_REQ_SIZE 7
42 #define SMP_CONFIRM_CMD_SIZE (BT_OCTET16_LEN + 1)
43 #define SMP_RAND_CMD_SIZE (BT_OCTET16_LEN + 1)
44 #define SMP_INIT_CMD_SIZE (BT_OCTET16_LEN + 1)
45 #define SMP_ENC_INFO_SIZE (BT_OCTET16_LEN + 1)
46 #define SMP_MASTER_ID_SIZE (BT_OCTET8_LEN + 2 + 1)
47 #define SMP_ID_INFO_SIZE (BT_OCTET16_LEN + 1)
48 #define SMP_ID_ADDR_SIZE (BD_ADDR_LEN + 1 + 1)
49 #define SMP_SIGN_INFO_SIZE (BT_OCTET16_LEN + 1)
50 #define SMP_PAIR_FAIL_SIZE 2
51 #define SMP_SECURITY_REQUEST_SIZE 2
52 #define SMP_PAIR_PUBL_KEY_SIZE (1 /* opcode */ + (2 * BT_OCTET32_LEN))
53 #define SMP_PAIR_COMMITM_SIZE (1 /* opcode */ + BT_OCTET16_LEN /*Commitment*/)
54 #define SMP_PAIR_DHKEY_CHECK_SIZE \
55 (1 /* opcode */ + BT_OCTET16_LEN /*DHKey Check*/)
56 #define SMP_PAIR_KEYPR_NOTIF_SIZE (1 /* opcode */ + 1 /*Notif Type*/)
57
58 /* SMP command sizes per spec */
59 static const uint8_t smp_cmd_size_per_spec[] = {
60 0,
61 SMP_PAIRING_REQ_SIZE, /* 0x01: pairing request */
62 SMP_PAIRING_REQ_SIZE, /* 0x02: pairing response */
63 SMP_CONFIRM_CMD_SIZE, /* 0x03: pairing confirm */
64 SMP_RAND_CMD_SIZE, /* 0x04: pairing random */
65 SMP_PAIR_FAIL_SIZE, /* 0x05: pairing failed */
66 SMP_ENC_INFO_SIZE, /* 0x06: encryption information */
67 SMP_MASTER_ID_SIZE, /* 0x07: master identification */
68 SMP_ID_INFO_SIZE, /* 0x08: identity information */
69 SMP_ID_ADDR_SIZE, /* 0x09: identity address information */
70 SMP_SIGN_INFO_SIZE, /* 0x0A: signing information */
71 SMP_SECURITY_REQUEST_SIZE, /* 0x0B: security request */
72 SMP_PAIR_PUBL_KEY_SIZE, /* 0x0C: pairing public key */
73 SMP_PAIR_DHKEY_CHECK_SIZE, /* 0x0D: pairing dhkey check */
74 SMP_PAIR_KEYPR_NOTIF_SIZE, /* 0x0E: pairing keypress notification */
75 SMP_PAIR_COMMITM_SIZE /* 0x0F: pairing commitment */
76 };
77
78 static bool smp_parameter_unconditionally_valid(tSMP_CB* p_cb);
79 static bool smp_parameter_unconditionally_invalid(tSMP_CB* p_cb);
80
81 /* type for SMP command length validation functions */
82 typedef bool (*tSMP_CMD_LEN_VALID)(tSMP_CB* p_cb);
83
84 static bool smp_command_has_valid_fixed_length(tSMP_CB* p_cb);
85
86 static const tSMP_CMD_LEN_VALID smp_cmd_len_is_valid[] = {
87 smp_parameter_unconditionally_invalid,
88 smp_command_has_valid_fixed_length, /* 0x01: pairing request */
89 smp_command_has_valid_fixed_length, /* 0x02: pairing response */
90 smp_command_has_valid_fixed_length, /* 0x03: pairing confirm */
91 smp_command_has_valid_fixed_length, /* 0x04: pairing random */
92 smp_command_has_valid_fixed_length, /* 0x05: pairing failed */
93 smp_command_has_valid_fixed_length, /* 0x06: encryption information */
94 smp_command_has_valid_fixed_length, /* 0x07: master identification */
95 smp_command_has_valid_fixed_length, /* 0x08: identity information */
96 smp_command_has_valid_fixed_length, /* 0x09: identity address information */
97 smp_command_has_valid_fixed_length, /* 0x0A: signing information */
98 smp_command_has_valid_fixed_length, /* 0x0B: security request */
99 smp_command_has_valid_fixed_length, /* 0x0C: pairing public key */
100 smp_command_has_valid_fixed_length, /* 0x0D: pairing dhkey check */
101 smp_command_has_valid_fixed_length, /* 0x0E: pairing keypress notification*/
102 smp_command_has_valid_fixed_length /* 0x0F: pairing commitment */
103 };
104
105 /* type for SMP command parameter ranges validation functions */
106 typedef bool (*tSMP_CMD_PARAM_RANGES_VALID)(tSMP_CB* p_cb);
107
108 static bool smp_pairing_request_response_parameters_are_valid(tSMP_CB* p_cb);
109 static bool smp_pairing_keypress_notification_is_valid(tSMP_CB* p_cb);
110
111 static const tSMP_CMD_PARAM_RANGES_VALID smp_cmd_param_ranges_are_valid[] = {
112 smp_parameter_unconditionally_invalid,
113 smp_pairing_request_response_parameters_are_valid, /* 0x01: pairing
114 request */
115 smp_pairing_request_response_parameters_are_valid, /* 0x02: pairing
116 response */
117 smp_parameter_unconditionally_valid, /* 0x03: pairing confirm */
118 smp_parameter_unconditionally_valid, /* 0x04: pairing random */
119 smp_parameter_unconditionally_valid, /* 0x05: pairing failed */
120 smp_parameter_unconditionally_valid, /* 0x06: encryption information */
121 smp_parameter_unconditionally_valid, /* 0x07: master identification */
122 smp_parameter_unconditionally_valid, /* 0x08: identity information */
123 smp_parameter_unconditionally_valid, /* 0x09: identity address
124 information */
125 smp_parameter_unconditionally_valid, /* 0x0A: signing information */
126 smp_parameter_unconditionally_valid, /* 0x0B: security request */
127 smp_parameter_unconditionally_valid, /* 0x0C: pairing public key */
128 smp_parameter_unconditionally_valid, /* 0x0D: pairing dhkey check */
129 smp_pairing_keypress_notification_is_valid, /* 0x0E: pairing keypress
130 notification */
131 smp_parameter_unconditionally_valid /* 0x0F: pairing commitment */
132 };
133
134 /* type for action functions */
135 typedef BT_HDR* (*tSMP_CMD_ACT)(uint8_t cmd_code, tSMP_CB* p_cb);
136
137 static BT_HDR* smp_build_pairing_cmd(uint8_t cmd_code, tSMP_CB* p_cb);
138 static BT_HDR* smp_build_confirm_cmd(UNUSED_ATTR uint8_t cmd_code,
139 tSMP_CB* p_cb);
140 static BT_HDR* smp_build_rand_cmd(UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb);
141 static BT_HDR* smp_build_pairing_fail(UNUSED_ATTR uint8_t cmd_code,
142 tSMP_CB* p_cb);
143 static BT_HDR* smp_build_identity_info_cmd(UNUSED_ATTR uint8_t cmd_code,
144 tSMP_CB* p_cb);
145 static BT_HDR* smp_build_encrypt_info_cmd(UNUSED_ATTR uint8_t cmd_code,
146 tSMP_CB* p_cb);
147 static BT_HDR* smp_build_security_request(UNUSED_ATTR uint8_t cmd_code,
148 tSMP_CB* p_cb);
149 static BT_HDR* smp_build_signing_info_cmd(UNUSED_ATTR uint8_t cmd_code,
150 tSMP_CB* p_cb);
151 static BT_HDR* smp_build_master_id_cmd(UNUSED_ATTR uint8_t cmd_code,
152 tSMP_CB* p_cb);
153 static BT_HDR* smp_build_id_addr_cmd(UNUSED_ATTR uint8_t cmd_code,
154 tSMP_CB* p_cb);
155 static BT_HDR* smp_build_pair_public_key_cmd(UNUSED_ATTR uint8_t cmd_code,
156 tSMP_CB* p_cb);
157 static BT_HDR* smp_build_pairing_commitment_cmd(UNUSED_ATTR uint8_t cmd_code,
158 tSMP_CB* p_cb);
159 static BT_HDR* smp_build_pair_dhkey_check_cmd(UNUSED_ATTR uint8_t cmd_code,
160 tSMP_CB* p_cb);
161 static BT_HDR* smp_build_pairing_keypress_notification_cmd(
162 UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb);
163
164 static const tSMP_CMD_ACT smp_cmd_build_act[] = {
165 NULL, smp_build_pairing_cmd, /* 0x01: pairing request */
166 smp_build_pairing_cmd, /* 0x02: pairing response */
167 smp_build_confirm_cmd, /* 0x03: pairing confirm */
168 smp_build_rand_cmd, /* 0x04: pairing random */
169 smp_build_pairing_fail, /* 0x05: pairing failure */
170 smp_build_encrypt_info_cmd, /* 0x06: encryption information */
171 smp_build_master_id_cmd, /* 0x07: master identification */
172 smp_build_identity_info_cmd, /* 0x08: identity information */
173 smp_build_id_addr_cmd, /* 0x09: identity address information */
174 smp_build_signing_info_cmd, /* 0x0A: signing information */
175 smp_build_security_request, /* 0x0B: security request */
176 smp_build_pair_public_key_cmd, /* 0x0C: pairing public key */
177 smp_build_pair_dhkey_check_cmd, /* 0x0D: pairing DHKey check */
178 smp_build_pairing_keypress_notification_cmd, /* 0x0E: pairing keypress
179 notification */
180 smp_build_pairing_commitment_cmd /* 0x0F: pairing commitment */
181 };
182
183 static const uint8_t smp_association_table[2][SMP_IO_CAP_MAX][SMP_IO_CAP_MAX] =
184 {
185 /* display only */ /* Display Yes/No */ /* keyboard only */
186 /* No Input/Output */ /* keyboard display */
187
188 /* initiator */
189 /* model = tbl[peer_io_caps][loc_io_caps] */
190 /* Display Only */
191 {{SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
192 SMP_MODEL_PASSKEY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY},
193
194 /* Display Yes/No */
195 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
196 SMP_MODEL_PASSKEY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY},
197
198 /* Keyboard only */
199 {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY,
200 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF},
201
202 /* No Input No Output */
203 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
204 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
205 SMP_MODEL_ENCRYPTION_ONLY},
206
207 /* keyboard display */
208 {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY,
209 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF}},
210
211 /* responder */
212 /* model = tbl[loc_io_caps][peer_io_caps] */
213 /* Display Only */
214 {{SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
215 SMP_MODEL_KEY_NOTIF, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF},
216
217 /* Display Yes/No */
218 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
219 SMP_MODEL_KEY_NOTIF, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF},
220
221 /* keyboard only */
222 {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY,
223 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY},
224
225 /* No Input No Output */
226 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
227 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
228 SMP_MODEL_ENCRYPTION_ONLY},
229
230 /* keyboard display */
231 {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_KEY_NOTIF,
232 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY}}};
233
234 static const uint8_t
235 smp_association_table_sc[2][SMP_IO_CAP_MAX][SMP_IO_CAP_MAX] = {
236 /* display only */ /* Display Yes/No */ /* keyboard only */
237 /* No InputOutput */ /* keyboard display */
238
239 /* initiator */
240 /* model = tbl[peer_io_caps][loc_io_caps] */
241
242 /* Display Only */
243 {{SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
244 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
245 SMP_MODEL_SEC_CONN_PASSKEY_ENT},
246
247 /* Display Yes/No */
248 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP,
249 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
250 SMP_MODEL_SEC_CONN_NUM_COMP},
251
252 /* keyboard only */
253 {SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_PASSKEY_DISP,
254 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
255 SMP_MODEL_SEC_CONN_PASSKEY_DISP},
256
257 /* No Input No Output */
258 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
259 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
260 SMP_MODEL_SEC_CONN_JUSTWORKS},
261
262 /* keyboard display */
263 {SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_NUM_COMP,
264 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
265 SMP_MODEL_SEC_CONN_NUM_COMP}},
266
267 /* responder */
268 /* model = tbl[loc_io_caps][peer_io_caps] */
269
270 /* Display Only */
271 {{SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
272 SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS,
273 SMP_MODEL_SEC_CONN_PASSKEY_DISP},
274
275 /* Display Yes/No */
276 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP,
277 SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS,
278 SMP_MODEL_SEC_CONN_NUM_COMP},
279
280 /* keyboard only */
281 {SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_PASSKEY_ENT,
282 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
283 SMP_MODEL_SEC_CONN_PASSKEY_ENT},
284
285 /* No Input No Output */
286 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
287 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
288 SMP_MODEL_SEC_CONN_JUSTWORKS},
289
290 /* keyboard display */
291 {SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_NUM_COMP,
292 SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS,
293 SMP_MODEL_SEC_CONN_NUM_COMP}}};
294
295 static tSMP_ASSO_MODEL smp_select_legacy_association_model(tSMP_CB* p_cb);
296 static tSMP_ASSO_MODEL smp_select_association_model_secure_connections(
297 tSMP_CB* p_cb);
298
299 /*******************************************************************************
300 *
301 * Function smp_send_msg_to_L2CAP
302 *
303 * Description Send message to L2CAP.
304 *
305 ******************************************************************************/
smp_send_msg_to_L2CAP(BD_ADDR rem_bda,BT_HDR * p_toL2CAP)306 bool smp_send_msg_to_L2CAP(BD_ADDR rem_bda, BT_HDR* p_toL2CAP) {
307 uint16_t l2cap_ret;
308 uint16_t fixed_cid = L2CAP_SMP_CID;
309
310 if (smp_cb.smp_over_br) {
311 fixed_cid = L2CAP_SMP_BR_CID;
312 }
313
314 SMP_TRACE_EVENT("%s", __func__);
315 smp_cb.total_tx_unacked += 1;
316
317 l2cap_ret = L2CA_SendFixedChnlData(fixed_cid, rem_bda, p_toL2CAP);
318 if (l2cap_ret == L2CAP_DW_FAILED) {
319 smp_cb.total_tx_unacked -= 1;
320 SMP_TRACE_ERROR("SMP failed to pass msg:0x%0x to L2CAP",
321 *((uint8_t*)(p_toL2CAP + 1) + p_toL2CAP->offset));
322 return false;
323 } else
324 return true;
325 }
326
327 /*******************************************************************************
328 *
329 * Function smp_send_cmd
330 *
331 * Description send a SMP command on L2CAP channel.
332 *
333 ******************************************************************************/
smp_send_cmd(uint8_t cmd_code,tSMP_CB * p_cb)334 bool smp_send_cmd(uint8_t cmd_code, tSMP_CB* p_cb) {
335 BT_HDR* p_buf;
336 bool sent = false;
337 uint8_t failure = SMP_PAIR_INTERNAL_ERR;
338 SMP_TRACE_EVENT("smp_send_cmd on l2cap cmd_code=0x%x", cmd_code);
339 if (cmd_code <= (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */) &&
340 smp_cmd_build_act[cmd_code] != NULL) {
341 p_buf = (*smp_cmd_build_act[cmd_code])(cmd_code, p_cb);
342
343 if (p_buf != NULL && smp_send_msg_to_L2CAP(p_cb->pairing_bda, p_buf)) {
344 sent = true;
345 alarm_set_on_queue(p_cb->smp_rsp_timer_ent, SMP_WAIT_FOR_RSP_TIMEOUT_MS,
346 smp_rsp_timeout, NULL, btu_general_alarm_queue);
347 }
348 }
349
350 if (!sent) {
351 if (p_cb->smp_over_br) {
352 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &failure);
353 } else {
354 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &failure);
355 }
356 }
357 return sent;
358 }
359
360 /*******************************************************************************
361 *
362 * Function smp_rsp_timeout
363 *
364 * Description Called when SMP wait for SMP command response timer expires
365 *
366 * Returns void
367 *
368 ******************************************************************************/
smp_rsp_timeout(UNUSED_ATTR void * data)369 void smp_rsp_timeout(UNUSED_ATTR void* data) {
370 tSMP_CB* p_cb = &smp_cb;
371 uint8_t failure = SMP_RSP_TIMEOUT;
372
373 SMP_TRACE_EVENT("%s state:%d br_state:%d", __func__, p_cb->state,
374 p_cb->br_state);
375
376 if (p_cb->smp_over_br) {
377 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &failure);
378 } else {
379 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &failure);
380 }
381 }
382
383 /*******************************************************************************
384 *
385 * Function smp_delayed_auth_complete_timeout
386 *
387 * Description Called when no pairing failed command received within
388 * timeout period.
389 *
390 * Returns void
391 *
392 ******************************************************************************/
smp_delayed_auth_complete_timeout(UNUSED_ATTR void * data)393 void smp_delayed_auth_complete_timeout(UNUSED_ATTR void* data) {
394 /*
395 * Waited for potential pair failure. Send SMP_AUTH_CMPL_EVT if
396 * the state is still in bond pending.
397 */
398 if (smp_get_state() == SMP_STATE_BOND_PENDING) {
399 uint8_t reason = SMP_SUCCESS;
400 SMP_TRACE_EVENT("%s sending delayed auth complete.", __func__);
401 smp_sm_event(&smp_cb, SMP_AUTH_CMPL_EVT, &reason);
402 }
403 }
404
405 /*******************************************************************************
406 *
407 * Function smp_build_pairing_req_cmd
408 *
409 * Description Build pairing request command.
410 *
411 ******************************************************************************/
smp_build_pairing_cmd(uint8_t cmd_code,tSMP_CB * p_cb)412 BT_HDR* smp_build_pairing_cmd(uint8_t cmd_code, tSMP_CB* p_cb) {
413 uint8_t* p;
414 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIRING_REQ_SIZE +
415 L2CAP_MIN_OFFSET);
416
417 SMP_TRACE_EVENT("%s", __func__);
418
419 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
420 UINT8_TO_STREAM(p, cmd_code);
421 UINT8_TO_STREAM(p, p_cb->local_io_capability);
422 UINT8_TO_STREAM(p, p_cb->loc_oob_flag);
423 UINT8_TO_STREAM(p, p_cb->loc_auth_req);
424 UINT8_TO_STREAM(p, p_cb->loc_enc_size);
425 UINT8_TO_STREAM(p, p_cb->local_i_key);
426 UINT8_TO_STREAM(p, p_cb->local_r_key);
427
428 p_buf->offset = L2CAP_MIN_OFFSET;
429 /* 1B ERR_RSP op code + 1B cmd_op_code + 2B handle + 1B status */
430 p_buf->len = SMP_PAIRING_REQ_SIZE;
431
432 return p_buf;
433 }
434
435 /*******************************************************************************
436 *
437 * Function smp_build_confirm_cmd
438 *
439 * Description Build confirm request command.
440 *
441 ******************************************************************************/
smp_build_confirm_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)442 static BT_HDR* smp_build_confirm_cmd(UNUSED_ATTR uint8_t cmd_code,
443 tSMP_CB* p_cb) {
444 uint8_t* p;
445 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_CONFIRM_CMD_SIZE +
446 L2CAP_MIN_OFFSET);
447
448 SMP_TRACE_EVENT("%s", __func__);
449
450 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
451
452 UINT8_TO_STREAM(p, SMP_OPCODE_CONFIRM);
453 ARRAY_TO_STREAM(p, p_cb->confirm, BT_OCTET16_LEN);
454
455 p_buf->offset = L2CAP_MIN_OFFSET;
456 p_buf->len = SMP_CONFIRM_CMD_SIZE;
457
458 return p_buf;
459 }
460
461 /*******************************************************************************
462 *
463 * Function smp_build_rand_cmd
464 *
465 * Description Build Random command.
466 *
467 ******************************************************************************/
smp_build_rand_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)468 static BT_HDR* smp_build_rand_cmd(UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb) {
469 uint8_t* p;
470 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_RAND_CMD_SIZE +
471 L2CAP_MIN_OFFSET);
472
473 SMP_TRACE_EVENT("%s", __func__);
474
475 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
476 UINT8_TO_STREAM(p, SMP_OPCODE_RAND);
477 ARRAY_TO_STREAM(p, p_cb->rand, BT_OCTET16_LEN);
478
479 p_buf->offset = L2CAP_MIN_OFFSET;
480 p_buf->len = SMP_RAND_CMD_SIZE;
481
482 return p_buf;
483 }
484
485 /*******************************************************************************
486 *
487 * Function smp_build_encrypt_info_cmd
488 *
489 * Description Build security information command.
490 *
491 ******************************************************************************/
smp_build_encrypt_info_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)492 static BT_HDR* smp_build_encrypt_info_cmd(UNUSED_ATTR uint8_t cmd_code,
493 tSMP_CB* p_cb) {
494 uint8_t* p;
495 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ENC_INFO_SIZE +
496 L2CAP_MIN_OFFSET);
497
498 SMP_TRACE_EVENT("%s", __func__);
499
500 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
501 UINT8_TO_STREAM(p, SMP_OPCODE_ENCRYPT_INFO);
502 ARRAY_TO_STREAM(p, p_cb->ltk, BT_OCTET16_LEN);
503
504 p_buf->offset = L2CAP_MIN_OFFSET;
505 p_buf->len = SMP_ENC_INFO_SIZE;
506
507 return p_buf;
508 }
509
510 /*******************************************************************************
511 *
512 * Function smp_build_master_id_cmd
513 *
514 * Description Build security information command.
515 *
516 ******************************************************************************/
smp_build_master_id_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)517 static BT_HDR* smp_build_master_id_cmd(UNUSED_ATTR uint8_t cmd_code,
518 tSMP_CB* p_cb) {
519 uint8_t* p;
520 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_MASTER_ID_SIZE +
521 L2CAP_MIN_OFFSET);
522
523 SMP_TRACE_EVENT("%s", __func__);
524
525 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
526 UINT8_TO_STREAM(p, SMP_OPCODE_MASTER_ID);
527 UINT16_TO_STREAM(p, p_cb->ediv);
528 ARRAY_TO_STREAM(p, p_cb->enc_rand, BT_OCTET8_LEN);
529
530 p_buf->offset = L2CAP_MIN_OFFSET;
531 p_buf->len = SMP_MASTER_ID_SIZE;
532
533 return p_buf;
534 }
535
536 /*******************************************************************************
537 *
538 * Function smp_build_identity_info_cmd
539 *
540 * Description Build identity information command.
541 *
542 ******************************************************************************/
smp_build_identity_info_cmd(UNUSED_ATTR uint8_t cmd_code,UNUSED_ATTR tSMP_CB * p_cb)543 static BT_HDR* smp_build_identity_info_cmd(UNUSED_ATTR uint8_t cmd_code,
544 UNUSED_ATTR tSMP_CB* p_cb) {
545 uint8_t* p;
546 BT_OCTET16 irk;
547 BT_HDR* p_buf =
548 (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ID_INFO_SIZE + L2CAP_MIN_OFFSET);
549
550 SMP_TRACE_EVENT("%s", __func__);
551
552 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
553
554 BTM_GetDeviceIDRoot(irk);
555
556 UINT8_TO_STREAM(p, SMP_OPCODE_IDENTITY_INFO);
557 ARRAY_TO_STREAM(p, irk, BT_OCTET16_LEN);
558
559 p_buf->offset = L2CAP_MIN_OFFSET;
560 p_buf->len = SMP_ID_INFO_SIZE;
561
562 return p_buf;
563 }
564
565 /*******************************************************************************
566 *
567 * Function smp_build_id_addr_cmd
568 *
569 * Description Build identity address information command.
570 *
571 ******************************************************************************/
smp_build_id_addr_cmd(UNUSED_ATTR uint8_t cmd_code,UNUSED_ATTR tSMP_CB * p_cb)572 static BT_HDR* smp_build_id_addr_cmd(UNUSED_ATTR uint8_t cmd_code,
573 UNUSED_ATTR tSMP_CB* p_cb) {
574 uint8_t* p;
575 BT_HDR* p_buf =
576 (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ID_ADDR_SIZE + L2CAP_MIN_OFFSET);
577
578 SMP_TRACE_EVENT("%s", __func__);
579
580 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
581 UINT8_TO_STREAM(p, SMP_OPCODE_ID_ADDR);
582 UINT8_TO_STREAM(p, 0);
583 BDADDR_TO_STREAM(p, controller_get_interface()->get_address()->address);
584
585 p_buf->offset = L2CAP_MIN_OFFSET;
586 p_buf->len = SMP_ID_ADDR_SIZE;
587
588 return p_buf;
589 }
590
591 /*******************************************************************************
592 *
593 * Function smp_build_signing_info_cmd
594 *
595 * Description Build signing information command.
596 *
597 ******************************************************************************/
smp_build_signing_info_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)598 static BT_HDR* smp_build_signing_info_cmd(UNUSED_ATTR uint8_t cmd_code,
599 tSMP_CB* p_cb) {
600 uint8_t* p;
601 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_SIGN_INFO_SIZE +
602 L2CAP_MIN_OFFSET);
603
604 SMP_TRACE_EVENT("%s", __func__);
605
606 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
607 UINT8_TO_STREAM(p, SMP_OPCODE_SIGN_INFO);
608 ARRAY_TO_STREAM(p, p_cb->csrk, BT_OCTET16_LEN);
609
610 p_buf->offset = L2CAP_MIN_OFFSET;
611 p_buf->len = SMP_SIGN_INFO_SIZE;
612
613 return p_buf;
614 }
615
616 /*******************************************************************************
617 *
618 * Function smp_build_pairing_fail
619 *
620 * Description Build Pairing Fail command.
621 *
622 ******************************************************************************/
smp_build_pairing_fail(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)623 static BT_HDR* smp_build_pairing_fail(UNUSED_ATTR uint8_t cmd_code,
624 tSMP_CB* p_cb) {
625 uint8_t* p;
626 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_FAIL_SIZE +
627 L2CAP_MIN_OFFSET);
628
629 SMP_TRACE_EVENT("%s", __func__);
630
631 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
632 UINT8_TO_STREAM(p, SMP_OPCODE_PAIRING_FAILED);
633 UINT8_TO_STREAM(p, p_cb->failure);
634
635 p_buf->offset = L2CAP_MIN_OFFSET;
636 p_buf->len = SMP_PAIR_FAIL_SIZE;
637
638 return p_buf;
639 }
640
641 /*******************************************************************************
642 *
643 * Function smp_build_security_request
644 *
645 * Description Build security request command.
646 *
647 ******************************************************************************/
smp_build_security_request(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)648 static BT_HDR* smp_build_security_request(UNUSED_ATTR uint8_t cmd_code,
649 tSMP_CB* p_cb) {
650 uint8_t* p;
651 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + 2 + L2CAP_MIN_OFFSET);
652
653 SMP_TRACE_EVENT("%s", __func__);
654
655 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
656 UINT8_TO_STREAM(p, SMP_OPCODE_SEC_REQ);
657 UINT8_TO_STREAM(p, p_cb->loc_auth_req);
658
659 p_buf->offset = L2CAP_MIN_OFFSET;
660 p_buf->len = SMP_SECURITY_REQUEST_SIZE;
661
662 SMP_TRACE_EVENT("opcode=%d auth_req=0x%x", SMP_OPCODE_SEC_REQ,
663 p_cb->loc_auth_req);
664
665 return p_buf;
666 }
667
668 /*******************************************************************************
669 *
670 * Function smp_build_pair_public_key_cmd
671 *
672 * Description Build pairing public key command.
673 *
674 ******************************************************************************/
smp_build_pair_public_key_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)675 static BT_HDR* smp_build_pair_public_key_cmd(UNUSED_ATTR uint8_t cmd_code,
676 tSMP_CB* p_cb) {
677 uint8_t* p;
678 uint8_t publ_key[2 * BT_OCTET32_LEN];
679 uint8_t* p_publ_key = publ_key;
680 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_PUBL_KEY_SIZE +
681 L2CAP_MIN_OFFSET);
682
683 SMP_TRACE_EVENT("%s", __func__);
684
685 memcpy(p_publ_key, p_cb->loc_publ_key.x, BT_OCTET32_LEN);
686 memcpy(p_publ_key + BT_OCTET32_LEN, p_cb->loc_publ_key.y, BT_OCTET32_LEN);
687
688 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
689 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_PUBLIC_KEY);
690 ARRAY_TO_STREAM(p, p_publ_key, 2 * BT_OCTET32_LEN);
691
692 p_buf->offset = L2CAP_MIN_OFFSET;
693 p_buf->len = SMP_PAIR_PUBL_KEY_SIZE;
694
695 return p_buf;
696 }
697
698 /*******************************************************************************
699 *
700 * Function smp_build_pairing_commitment_cmd
701 *
702 * Description Build pairing commitment command.
703 *
704 ******************************************************************************/
smp_build_pairing_commitment_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)705 static BT_HDR* smp_build_pairing_commitment_cmd(UNUSED_ATTR uint8_t cmd_code,
706 tSMP_CB* p_cb) {
707 uint8_t* p;
708 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_COMMITM_SIZE +
709 L2CAP_MIN_OFFSET);
710
711 SMP_TRACE_EVENT("%s", __func__);
712
713 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
714 UINT8_TO_STREAM(p, SMP_OPCODE_CONFIRM);
715 ARRAY_TO_STREAM(p, p_cb->commitment, BT_OCTET16_LEN);
716
717 p_buf->offset = L2CAP_MIN_OFFSET;
718 p_buf->len = SMP_PAIR_COMMITM_SIZE;
719
720 return p_buf;
721 }
722
723 /*******************************************************************************
724 *
725 * Function smp_build_pair_dhkey_check_cmd
726 *
727 * Description Build pairing DHKey check command.
728 *
729 ******************************************************************************/
smp_build_pair_dhkey_check_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)730 static BT_HDR* smp_build_pair_dhkey_check_cmd(UNUSED_ATTR uint8_t cmd_code,
731 tSMP_CB* p_cb) {
732 uint8_t* p;
733 BT_HDR* p_buf = (BT_HDR*)osi_malloc(
734 sizeof(BT_HDR) + SMP_PAIR_DHKEY_CHECK_SIZE + L2CAP_MIN_OFFSET);
735
736 SMP_TRACE_EVENT("%s", __func__);
737
738 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
739 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_DHKEY_CHECK);
740 ARRAY_TO_STREAM(p, p_cb->dhkey_check, BT_OCTET16_LEN);
741
742 p_buf->offset = L2CAP_MIN_OFFSET;
743 p_buf->len = SMP_PAIR_DHKEY_CHECK_SIZE;
744
745 return p_buf;
746 }
747
748 /*******************************************************************************
749 *
750 * Function smp_build_pairing_keypress_notification_cmd
751 *
752 * Description Build keypress notification command.
753 *
754 ******************************************************************************/
smp_build_pairing_keypress_notification_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)755 static BT_HDR* smp_build_pairing_keypress_notification_cmd(
756 UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb) {
757 uint8_t* p;
758 BT_HDR* p_buf = (BT_HDR*)osi_malloc(
759 sizeof(BT_HDR) + SMP_PAIR_KEYPR_NOTIF_SIZE + L2CAP_MIN_OFFSET);
760
761 SMP_TRACE_EVENT("%s", __func__);
762
763 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
764 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_KEYPR_NOTIF);
765 UINT8_TO_STREAM(p, p_cb->local_keypress_notification);
766
767 p_buf->offset = L2CAP_MIN_OFFSET;
768 p_buf->len = SMP_PAIR_KEYPR_NOTIF_SIZE;
769
770 return p_buf;
771 }
772
773 /*******************************************************************************
774 *
775 * Function smp_convert_string_to_tk
776 *
777 * Description This function is called to convert a 6 to 16 digits numeric
778 * character string into SMP TK.
779 *
780 *
781 * Returns void
782 *
783 ******************************************************************************/
smp_convert_string_to_tk(BT_OCTET16 tk,uint32_t passkey)784 void smp_convert_string_to_tk(BT_OCTET16 tk, uint32_t passkey) {
785 uint8_t* p = tk;
786 tSMP_KEY key;
787 SMP_TRACE_EVENT("smp_convert_string_to_tk");
788 UINT32_TO_STREAM(p, passkey);
789
790 key.key_type = SMP_KEY_TYPE_TK;
791 key.p_data = tk;
792
793 smp_sm_event(&smp_cb, SMP_KEY_READY_EVT, &key);
794 }
795
796 /*******************************************************************************
797 *
798 * Function smp_mask_enc_key
799 *
800 * Description This function is called to mask off the encryption key based
801 * on the maximum encryption key size.
802 *
803 *
804 * Returns void
805 *
806 ******************************************************************************/
smp_mask_enc_key(uint8_t loc_enc_size,uint8_t * p_data)807 void smp_mask_enc_key(uint8_t loc_enc_size, uint8_t* p_data) {
808 SMP_TRACE_EVENT("smp_mask_enc_key");
809 if (loc_enc_size < BT_OCTET16_LEN) {
810 for (; loc_enc_size < BT_OCTET16_LEN; loc_enc_size++)
811 *(p_data + loc_enc_size) = 0;
812 }
813 return;
814 }
815
816 /*******************************************************************************
817 *
818 * Function smp_xor_128
819 *
820 * Description utility function to do an biteise exclusive-OR of two bit
821 * strings of the length of BT_OCTET16_LEN.
822 *
823 * Returns void
824 *
825 ******************************************************************************/
smp_xor_128(BT_OCTET16 a,BT_OCTET16 b)826 void smp_xor_128(BT_OCTET16 a, BT_OCTET16 b) {
827 uint8_t i, *aa = a, *bb = b;
828
829 SMP_TRACE_EVENT("smp_xor_128");
830 for (i = 0; i < BT_OCTET16_LEN; i++) {
831 aa[i] = aa[i] ^ bb[i];
832 }
833 }
834
835 /*******************************************************************************
836 *
837 * Function smp_cb_cleanup
838 *
839 * Description Clean up SMP control block
840 *
841 * Returns void
842 *
843 ******************************************************************************/
smp_cb_cleanup(tSMP_CB * p_cb)844 void smp_cb_cleanup(tSMP_CB* p_cb) {
845 tSMP_CALLBACK* p_callback = p_cb->p_callback;
846 uint8_t trace_level = p_cb->trace_level;
847 alarm_t* smp_rsp_timer_ent = p_cb->smp_rsp_timer_ent;
848 alarm_t* delayed_auth_timer_ent = p_cb->delayed_auth_timer_ent;
849
850 SMP_TRACE_EVENT("smp_cb_cleanup");
851
852 alarm_cancel(p_cb->smp_rsp_timer_ent);
853 alarm_cancel(p_cb->delayed_auth_timer_ent);
854 memset(p_cb, 0, sizeof(tSMP_CB));
855 p_cb->p_callback = p_callback;
856 p_cb->trace_level = trace_level;
857 p_cb->smp_rsp_timer_ent = smp_rsp_timer_ent;
858 p_cb->delayed_auth_timer_ent = delayed_auth_timer_ent;
859 }
860
861 /*******************************************************************************
862 *
863 * Function smp_remove_fixed_channel
864 *
865 * Description This function is called to remove the fixed channel
866 *
867 * Returns void
868 *
869 ******************************************************************************/
smp_remove_fixed_channel(tSMP_CB * p_cb)870 void smp_remove_fixed_channel(tSMP_CB* p_cb) {
871 SMP_TRACE_DEBUG("%s", __func__);
872
873 if (p_cb->smp_over_br)
874 L2CA_RemoveFixedChnl(L2CAP_SMP_BR_CID, p_cb->pairing_bda);
875 else
876 L2CA_RemoveFixedChnl(L2CAP_SMP_CID, p_cb->pairing_bda);
877 }
878
879 /*******************************************************************************
880 *
881 * Function smp_reset_control_value
882 *
883 * Description This function is called to reset the control block value
884 * when the pairing procedure finished.
885 *
886 *
887 * Returns void
888 *
889 ******************************************************************************/
smp_reset_control_value(tSMP_CB * p_cb)890 void smp_reset_control_value(tSMP_CB* p_cb) {
891 SMP_TRACE_EVENT("%s", __func__);
892
893 alarm_cancel(p_cb->smp_rsp_timer_ent);
894 p_cb->flags = 0;
895 /* set the link idle timer to drop the link when pairing is done
896 usually service discovery will follow authentication complete, to avoid
897 racing condition for a link down/up, set link idle timer to be
898 SMP_LINK_TOUT_MIN to guarantee SMP key exchange */
899 L2CA_SetIdleTimeoutByBdAddr(p_cb->pairing_bda, SMP_LINK_TOUT_MIN,
900 BT_TRANSPORT_LE);
901
902 /* We can tell L2CAP to remove the fixed channel (if it has one) */
903 smp_remove_fixed_channel(p_cb);
904 smp_cb_cleanup(p_cb);
905 }
906
907 /*******************************************************************************
908 *
909 * Function smp_proc_pairing_cmpl
910 *
911 * Description This function is called to process pairing complete
912 *
913 *
914 * Returns void
915 *
916 ******************************************************************************/
smp_proc_pairing_cmpl(tSMP_CB * p_cb)917 void smp_proc_pairing_cmpl(tSMP_CB* p_cb) {
918 tSMP_EVT_DATA evt_data = {0};
919 tSMP_CALLBACK* p_callback = p_cb->p_callback;
920 BD_ADDR pairing_bda;
921
922 SMP_TRACE_DEBUG("smp_proc_pairing_cmpl ");
923
924 evt_data.cmplt.reason = p_cb->status;
925 evt_data.cmplt.smp_over_br = p_cb->smp_over_br;
926
927 if (p_cb->status == SMP_SUCCESS) evt_data.cmplt.sec_level = p_cb->sec_level;
928
929 evt_data.cmplt.is_pair_cancel = false;
930
931 if (p_cb->is_pair_cancel) evt_data.cmplt.is_pair_cancel = true;
932
933 SMP_TRACE_DEBUG("send SMP_COMPLT_EVT reason=0x%0x sec_level=0x%0x",
934 evt_data.cmplt.reason, evt_data.cmplt.sec_level);
935
936 memcpy(pairing_bda, p_cb->pairing_bda, BD_ADDR_LEN);
937
938 smp_reset_control_value(p_cb);
939
940 if (p_callback) (*p_callback)(SMP_COMPLT_EVT, pairing_bda, &evt_data);
941 }
942
943 /*******************************************************************************
944 *
945 * Function smp_command_has_invalid_parameters
946 *
947 * Description Checks if the received SMP command has invalid parameters
948 * i.e. if the command length is valid and the command
949 * parameters are inside specified range.
950 * It returns true if the command has invalid parameters.
951 *
952 * Returns true if the command has invalid parameters, false otherwise.
953 *
954 ******************************************************************************/
smp_command_has_invalid_parameters(tSMP_CB * p_cb)955 bool smp_command_has_invalid_parameters(tSMP_CB* p_cb) {
956 uint8_t cmd_code = p_cb->rcvd_cmd_code;
957
958 if ((cmd_code > (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */)) ||
959 (cmd_code < SMP_OPCODE_MIN)) {
960 SMP_TRACE_WARNING("%s: Received command with RESERVED code 0x%02x",
961 __func__, cmd_code);
962 return true;
963 }
964
965 if (!(*smp_cmd_len_is_valid[cmd_code])(p_cb)) {
966 SMP_TRACE_WARNING("%s: Command length not valid for cmd_code 0x%02x",
967 __func__, cmd_code);
968 return true;
969 }
970
971 if (!(*smp_cmd_param_ranges_are_valid[cmd_code])(p_cb)) {
972 SMP_TRACE_WARNING("%s: Parameter ranges not valid code 0x%02x", __func__,
973 cmd_code);
974 return true;
975 }
976
977 return false;
978 }
979
980 /*******************************************************************************
981 *
982 * Function smp_command_has_valid_fixed_length
983 *
984 * Description Checks if the received command size is equal to the size
985 * according to specs.
986 *
987 * Returns true if the command size is as expected, false otherwise.
988 *
989 * Note The command is expected to have fixed length.
990 ******************************************************************************/
smp_command_has_valid_fixed_length(tSMP_CB * p_cb)991 bool smp_command_has_valid_fixed_length(tSMP_CB* p_cb) {
992 uint8_t cmd_code = p_cb->rcvd_cmd_code;
993
994 SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, cmd_code);
995
996 if (p_cb->rcvd_cmd_len != smp_cmd_size_per_spec[cmd_code]) {
997 SMP_TRACE_WARNING(
998 "Rcvd from the peer cmd 0x%02x with invalid length\
999 0x%02x (per spec the length is 0x%02x).",
1000 cmd_code, p_cb->rcvd_cmd_len, smp_cmd_size_per_spec[cmd_code]);
1001 return false;
1002 }
1003
1004 return true;
1005 }
1006
1007 /*******************************************************************************
1008 *
1009 * Function smp_pairing_request_response_parameters_are_valid
1010 *
1011 * Description Validates parameter ranges in the received SMP command
1012 * pairing request or pairing response.
1013 * The parameters to validate:
1014 * IO capability,
1015 * OOB data flag,
1016 * Bonding_flags in AuthReq
1017 * Maximum encryption key size.
1018 * Returns false if at least one of these parameters is out of
1019 * range.
1020 *
1021 ******************************************************************************/
smp_pairing_request_response_parameters_are_valid(tSMP_CB * p_cb)1022 bool smp_pairing_request_response_parameters_are_valid(tSMP_CB* p_cb) {
1023 uint8_t io_caps = p_cb->peer_io_caps;
1024 uint8_t oob_flag = p_cb->peer_oob_flag;
1025 uint8_t bond_flag =
1026 p_cb->peer_auth_req & 0x03; // 0x03 is gen bond with appropriate mask
1027 uint8_t enc_size = p_cb->peer_enc_size;
1028
1029 SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, p_cb->rcvd_cmd_code);
1030
1031 if (io_caps >= BTM_IO_CAP_MAX) {
1032 SMP_TRACE_WARNING(
1033 "Rcvd from the peer cmd 0x%02x with IO Capabilty \
1034 value (0x%02x) out of range).",
1035 p_cb->rcvd_cmd_code, io_caps);
1036 return false;
1037 }
1038
1039 if (!((oob_flag == SMP_OOB_NONE) || (oob_flag == SMP_OOB_PRESENT))) {
1040 SMP_TRACE_WARNING(
1041 "Rcvd from the peer cmd 0x%02x with OOB data flag value \
1042 (0x%02x) out of range).",
1043 p_cb->rcvd_cmd_code, oob_flag);
1044 return false;
1045 }
1046
1047 if (!((bond_flag == SMP_AUTH_NO_BOND) || (bond_flag == SMP_AUTH_BOND))) {
1048 SMP_TRACE_WARNING(
1049 "Rcvd from the peer cmd 0x%02x with Bonding_Flags value (0x%02x)\
1050 out of range).",
1051 p_cb->rcvd_cmd_code, bond_flag);
1052 return false;
1053 }
1054
1055 if ((enc_size < SMP_ENCR_KEY_SIZE_MIN) ||
1056 (enc_size > SMP_ENCR_KEY_SIZE_MAX)) {
1057 SMP_TRACE_WARNING(
1058 "Rcvd from the peer cmd 0x%02x with Maximum Encryption \
1059 Key value (0x%02x) out of range).",
1060 p_cb->rcvd_cmd_code, enc_size);
1061 return false;
1062 }
1063
1064 return true;
1065 }
1066
1067 /*******************************************************************************
1068 *
1069 * Function smp_pairing_keypress_notification_is_valid
1070 *
1071 * Description Validates Notification Type parameter range in the received
1072 * SMP command pairing keypress notification.
1073 * Returns false if this parameter is out of range.
1074 *
1075 ******************************************************************************/
smp_pairing_keypress_notification_is_valid(tSMP_CB * p_cb)1076 bool smp_pairing_keypress_notification_is_valid(tSMP_CB* p_cb) {
1077 tBTM_SP_KEY_TYPE keypress_notification = p_cb->peer_keypress_notification;
1078
1079 SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, p_cb->rcvd_cmd_code);
1080
1081 if (keypress_notification >= BTM_SP_KEY_OUT_OF_RANGE) {
1082 SMP_TRACE_WARNING(
1083 "Rcvd from the peer cmd 0x%02x with Pairing Keypress \
1084 Notification value (0x%02x) out of range).",
1085 p_cb->rcvd_cmd_code, keypress_notification);
1086 return false;
1087 }
1088
1089 return true;
1090 }
1091
1092 /*******************************************************************************
1093 *
1094 * Function smp_parameter_unconditionally_valid
1095 *
1096 * Description Always returns true.
1097 *
1098 ******************************************************************************/
smp_parameter_unconditionally_valid(UNUSED_ATTR tSMP_CB * p_cb)1099 bool smp_parameter_unconditionally_valid(UNUSED_ATTR tSMP_CB* p_cb) {
1100 return true;
1101 }
1102
1103 /*******************************************************************************
1104 *
1105 * Function smp_parameter_unconditionally_invalid
1106 *
1107 * Description Always returns false.
1108 *
1109 ******************************************************************************/
smp_parameter_unconditionally_invalid(UNUSED_ATTR tSMP_CB * p_cb)1110 bool smp_parameter_unconditionally_invalid(UNUSED_ATTR tSMP_CB* p_cb) {
1111 return false;
1112 }
1113
1114 /*******************************************************************************
1115 *
1116 * Function smp_reject_unexpected_pairing_command
1117 *
1118 * Description send pairing failure to an unexpected pairing command during
1119 * an active pairing process.
1120 *
1121 * Returns void
1122 *
1123 ******************************************************************************/
smp_reject_unexpected_pairing_command(BD_ADDR bd_addr)1124 void smp_reject_unexpected_pairing_command(BD_ADDR bd_addr) {
1125 uint8_t* p;
1126 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_FAIL_SIZE +
1127 L2CAP_MIN_OFFSET);
1128
1129 SMP_TRACE_DEBUG("%s", __func__);
1130
1131 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
1132 UINT8_TO_STREAM(p, SMP_OPCODE_PAIRING_FAILED);
1133 UINT8_TO_STREAM(p, SMP_PAIR_NOT_SUPPORT);
1134
1135 p_buf->offset = L2CAP_MIN_OFFSET;
1136 p_buf->len = SMP_PAIR_FAIL_SIZE;
1137
1138 smp_send_msg_to_L2CAP(bd_addr, p_buf);
1139 }
1140
1141 /*******************************************************************************
1142 * Function smp_select_association_model
1143 *
1144 * Description This function selects association model to use for STK
1145 * generation. Selection is based on both sides' io capability,
1146 * oob data flag and authentication request.
1147 *
1148 * Note If Secure Connections Only mode is required locally then we
1149 * come to this point only if both sides support Secure
1150 * Connections mode, i.e.
1151 * if p_cb->secure_connections_only_mode_required = true
1152 * then we come to this point only if
1153 * (p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT) ==
1154 * (p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) ==
1155 * SMP_SC_SUPPORT_BIT
1156 *
1157 ******************************************************************************/
smp_select_association_model(tSMP_CB * p_cb)1158 tSMP_ASSO_MODEL smp_select_association_model(tSMP_CB* p_cb) {
1159 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE;
1160 p_cb->le_secure_connections_mode_is_used = false;
1161
1162 SMP_TRACE_EVENT("%s", __func__);
1163 SMP_TRACE_DEBUG("%s p_cb->peer_io_caps = %d p_cb->local_io_capability = %d",
1164 __func__, p_cb->peer_io_caps, p_cb->local_io_capability);
1165 SMP_TRACE_DEBUG("%s p_cb->peer_oob_flag = %d p_cb->loc_oob_flag = %d",
1166 __func__, p_cb->peer_oob_flag, p_cb->loc_oob_flag);
1167 SMP_TRACE_DEBUG("%s p_cb->peer_auth_req = 0x%02x p_cb->loc_auth_req = 0x%02x",
1168 __func__, p_cb->peer_auth_req, p_cb->loc_auth_req);
1169 SMP_TRACE_DEBUG(
1170 "%s p_cb->secure_connections_only_mode_required = %s", __func__,
1171 p_cb->secure_connections_only_mode_required ? "true" : "false");
1172
1173 if ((p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT) &&
1174 (p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT)) {
1175 p_cb->le_secure_connections_mode_is_used = true;
1176 }
1177
1178 if ((p_cb->peer_auth_req & SMP_H7_SUPPORT_BIT) &&
1179 (p_cb->loc_auth_req & SMP_H7_SUPPORT_BIT)) {
1180 p_cb->key_derivation_h7_used = TRUE;
1181 }
1182
1183 SMP_TRACE_DEBUG("use_sc_process = %d, h7 use = %d",
1184 p_cb->le_secure_connections_mode_is_used,
1185 p_cb->key_derivation_h7_used);
1186
1187 if (p_cb->le_secure_connections_mode_is_used) {
1188 model = smp_select_association_model_secure_connections(p_cb);
1189 } else {
1190 model = smp_select_legacy_association_model(p_cb);
1191 }
1192 return model;
1193 }
1194
1195 /*******************************************************************************
1196 * Function smp_select_legacy_association_model
1197 *
1198 * Description This function is called to select association mode if at
1199 * least one side doesn't support secure connections.
1200 *
1201 ******************************************************************************/
smp_select_legacy_association_model(tSMP_CB * p_cb)1202 tSMP_ASSO_MODEL smp_select_legacy_association_model(tSMP_CB* p_cb) {
1203 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE;
1204
1205 SMP_TRACE_DEBUG("%s", __func__);
1206 /* if OOB data is present on both devices, then use OOB association model */
1207 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT &&
1208 p_cb->loc_oob_flag == SMP_OOB_PRESENT)
1209 return SMP_MODEL_OOB;
1210
1211 /* else if neither device requires MITM, then use Just Works association model
1212 */
1213 if (SMP_NO_MITM_REQUIRED(p_cb->peer_auth_req) &&
1214 SMP_NO_MITM_REQUIRED(p_cb->loc_auth_req))
1215 return SMP_MODEL_ENCRYPTION_ONLY;
1216
1217 /* otherwise use IO capability to select association model */
1218 if (p_cb->peer_io_caps < SMP_IO_CAP_MAX &&
1219 p_cb->local_io_capability < SMP_IO_CAP_MAX) {
1220 if (p_cb->role == HCI_ROLE_MASTER) {
1221 model = smp_association_table[p_cb->role][p_cb->peer_io_caps]
1222 [p_cb->local_io_capability];
1223 } else {
1224 model = smp_association_table[p_cb->role][p_cb->local_io_capability]
1225 [p_cb->peer_io_caps];
1226 }
1227 }
1228
1229 return model;
1230 }
1231
1232 /*******************************************************************************
1233 * Function smp_select_association_model_secure_connections
1234 *
1235 * Description This function is called to select association mode if both
1236 * sides support secure connections.
1237 *
1238 ******************************************************************************/
smp_select_association_model_secure_connections(tSMP_CB * p_cb)1239 tSMP_ASSO_MODEL smp_select_association_model_secure_connections(tSMP_CB* p_cb) {
1240 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE;
1241
1242 SMP_TRACE_DEBUG("%s", __func__);
1243 /* if OOB data is present on at least one device, then use OOB association
1244 * model */
1245 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT ||
1246 p_cb->loc_oob_flag == SMP_OOB_PRESENT)
1247 return SMP_MODEL_SEC_CONN_OOB;
1248
1249 /* else if neither device requires MITM, then use Just Works association model
1250 */
1251 if (SMP_NO_MITM_REQUIRED(p_cb->peer_auth_req) &&
1252 SMP_NO_MITM_REQUIRED(p_cb->loc_auth_req))
1253 return SMP_MODEL_SEC_CONN_JUSTWORKS;
1254
1255 /* otherwise use IO capability to select association model */
1256 if (p_cb->peer_io_caps < SMP_IO_CAP_MAX &&
1257 p_cb->local_io_capability < SMP_IO_CAP_MAX) {
1258 if (p_cb->role == HCI_ROLE_MASTER) {
1259 model = smp_association_table_sc[p_cb->role][p_cb->peer_io_caps]
1260 [p_cb->local_io_capability];
1261 } else {
1262 model = smp_association_table_sc[p_cb->role][p_cb->local_io_capability]
1263 [p_cb->peer_io_caps];
1264 }
1265 }
1266
1267 return model;
1268 }
1269
1270 /*******************************************************************************
1271 * Function smp_reverse_array
1272 *
1273 * Description This function reverses array bytes
1274 *
1275 ******************************************************************************/
smp_reverse_array(uint8_t * arr,uint8_t len)1276 void smp_reverse_array(uint8_t* arr, uint8_t len) {
1277 uint8_t i = 0, tmp;
1278
1279 SMP_TRACE_DEBUG("smp_reverse_array");
1280
1281 for (i = 0; i < len / 2; i++) {
1282 tmp = arr[i];
1283 arr[i] = arr[len - 1 - i];
1284 arr[len - 1 - i] = tmp;
1285 }
1286 }
1287
1288 /*******************************************************************************
1289 * Function smp_calculate_random_input
1290 *
1291 * Description This function returns random input value to be used in
1292 * commitment calculation for SC passkey entry association mode
1293 * (if bit["round"] in "random" array == 1 then returns 0x81
1294 * else returns 0x80).
1295 *
1296 * Returns ri value
1297 *
1298 ******************************************************************************/
smp_calculate_random_input(uint8_t * random,uint8_t round)1299 uint8_t smp_calculate_random_input(uint8_t* random, uint8_t round) {
1300 uint8_t i = round / 8;
1301 uint8_t j = round % 8;
1302 uint8_t ri;
1303
1304 SMP_TRACE_DEBUG("random: 0x%02x, round: %d, i: %d, j: %d", random[i], round,
1305 i, j);
1306 ri = ((random[i] >> j) & 1) | 0x80;
1307 SMP_TRACE_DEBUG("%s ri=0x%02x", __func__, ri);
1308 return ri;
1309 }
1310
1311 /*******************************************************************************
1312 * Function smp_collect_local_io_capabilities
1313 *
1314 * Description This function puts into IOcap array local device
1315 * IOCapability, OOB data, AuthReq.
1316 *
1317 * Returns void
1318 *
1319 ******************************************************************************/
smp_collect_local_io_capabilities(uint8_t * iocap,tSMP_CB * p_cb)1320 void smp_collect_local_io_capabilities(uint8_t* iocap, tSMP_CB* p_cb) {
1321 SMP_TRACE_DEBUG("%s", __func__);
1322
1323 iocap[0] = p_cb->local_io_capability;
1324 iocap[1] = p_cb->loc_oob_flag;
1325 iocap[2] = p_cb->loc_auth_req;
1326 }
1327
1328 /*******************************************************************************
1329 * Function smp_collect_peer_io_capabilities
1330 *
1331 * Description This function puts into IOcap array peer device
1332 * IOCapability, OOB data, AuthReq.
1333 *
1334 * Returns void
1335 *
1336 ******************************************************************************/
smp_collect_peer_io_capabilities(uint8_t * iocap,tSMP_CB * p_cb)1337 void smp_collect_peer_io_capabilities(uint8_t* iocap, tSMP_CB* p_cb) {
1338 SMP_TRACE_DEBUG("%s", __func__);
1339
1340 iocap[0] = p_cb->peer_io_caps;
1341 iocap[1] = p_cb->peer_oob_flag;
1342 iocap[2] = p_cb->peer_auth_req;
1343 }
1344
1345 /*******************************************************************************
1346 * Function smp_collect_local_ble_address
1347 *
1348 * Description Put the the local device LE address into the le_addr array:
1349 * le_addr[0-5] = local BD ADDR,
1350 * le_addr[6] = local le address type (PUBLIC/RANDOM).
1351 *
1352 * Returns void
1353 *
1354 ******************************************************************************/
smp_collect_local_ble_address(uint8_t * le_addr,tSMP_CB * p_cb)1355 void smp_collect_local_ble_address(uint8_t* le_addr, tSMP_CB* p_cb) {
1356 tBLE_ADDR_TYPE addr_type = 0;
1357 BD_ADDR bda;
1358 uint8_t* p = le_addr;
1359
1360 SMP_TRACE_DEBUG("%s", __func__);
1361
1362 BTM_ReadConnectionAddr(p_cb->pairing_bda, bda, &addr_type);
1363 BDADDR_TO_STREAM(p, bda);
1364 UINT8_TO_STREAM(p, addr_type);
1365 }
1366
1367 /*******************************************************************************
1368 * Function smp_collect_peer_ble_address
1369 *
1370 * Description Put the peer device LE addr into the le_addr array:
1371 * le_addr[0-5] = peer BD ADDR,
1372 * le_addr[6] = peer le address type (PUBLIC/RANDOM).
1373 *
1374 * Returns void
1375 *
1376 ******************************************************************************/
smp_collect_peer_ble_address(uint8_t * le_addr,tSMP_CB * p_cb)1377 void smp_collect_peer_ble_address(uint8_t* le_addr, tSMP_CB* p_cb) {
1378 tBLE_ADDR_TYPE addr_type = 0;
1379 BD_ADDR bda;
1380 uint8_t* p = le_addr;
1381
1382 SMP_TRACE_DEBUG("%s", __func__);
1383
1384 if (!BTM_ReadRemoteConnectionAddr(p_cb->pairing_bda, bda, &addr_type)) {
1385 SMP_TRACE_ERROR(
1386 "can not collect peer le addr information for unknown device");
1387 return;
1388 }
1389
1390 BDADDR_TO_STREAM(p, bda);
1391 UINT8_TO_STREAM(p, addr_type);
1392 }
1393
1394 /*******************************************************************************
1395 * Function smp_check_commitment
1396 *
1397 * Description This function compares peer commitment values:
1398 * - expected (i.e. calculated locally),
1399 * - received from the peer.
1400 *
1401 * Returns true if the values are the same
1402 * false otherwise
1403 *
1404 ******************************************************************************/
smp_check_commitment(tSMP_CB * p_cb)1405 bool smp_check_commitment(tSMP_CB* p_cb) {
1406 BT_OCTET16 expected;
1407
1408 SMP_TRACE_DEBUG("%s", __func__);
1409
1410 smp_calculate_peer_commitment(p_cb, expected);
1411 print128(expected, (const uint8_t*)"calculated peer commitment");
1412 print128(p_cb->remote_commitment, (const uint8_t*)"received peer commitment");
1413
1414 if (memcmp(p_cb->remote_commitment, expected, BT_OCTET16_LEN)) {
1415 SMP_TRACE_WARNING("%s: Commitment check fails", __func__);
1416 return false;
1417 }
1418
1419 SMP_TRACE_DEBUG("%s: Commitment check succeeds", __func__);
1420 return true;
1421 }
1422
1423 /*******************************************************************************
1424 *
1425 * Function smp_save_secure_connections_long_term_key
1426 *
1427 * Description The function saves SC LTK as BLE key for future use as local
1428 * and/or peer key.
1429 *
1430 * Returns void
1431 *
1432 ******************************************************************************/
smp_save_secure_connections_long_term_key(tSMP_CB * p_cb)1433 void smp_save_secure_connections_long_term_key(tSMP_CB* p_cb) {
1434 tBTM_LE_LENC_KEYS lle_key;
1435 tBTM_LE_PENC_KEYS ple_key;
1436
1437 SMP_TRACE_DEBUG("%s-Save LTK as local LTK key", __func__);
1438 memcpy(lle_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
1439 lle_key.div = 0;
1440 lle_key.key_size = p_cb->loc_enc_size;
1441 lle_key.sec_level = p_cb->sec_level;
1442 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC,
1443 (tBTM_LE_KEY_VALUE*)&lle_key, true);
1444
1445 SMP_TRACE_DEBUG("%s-Save LTK as peer LTK key", __func__);
1446 ple_key.ediv = 0;
1447 memset(ple_key.rand, 0, BT_OCTET8_LEN);
1448 memcpy(ple_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
1449 ple_key.sec_level = p_cb->sec_level;
1450 ple_key.key_size = p_cb->loc_enc_size;
1451 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC,
1452 (tBTM_LE_KEY_VALUE*)&ple_key, true);
1453 }
1454
1455 /*******************************************************************************
1456 *
1457 * Function smp_calculate_f5_mackey_and_long_term_key
1458 *
1459 * Description The function calculates MacKey and LTK and saves them in CB.
1460 * To calculate MacKey and LTK it calls smp_calc_f5(...).
1461 * MacKey is used in dhkey calculation, LTK is used to encrypt
1462 * the link.
1463 *
1464 * Returns false if out of resources, true otherwise.
1465 *
1466 ******************************************************************************/
smp_calculate_f5_mackey_and_long_term_key(tSMP_CB * p_cb)1467 bool smp_calculate_f5_mackey_and_long_term_key(tSMP_CB* p_cb) {
1468 uint8_t a[7];
1469 uint8_t b[7];
1470 uint8_t* p_na;
1471 uint8_t* p_nb;
1472
1473 SMP_TRACE_DEBUG("%s", __func__);
1474
1475 if (p_cb->role == HCI_ROLE_MASTER) {
1476 smp_collect_local_ble_address(a, p_cb);
1477 smp_collect_peer_ble_address(b, p_cb);
1478 p_na = p_cb->rand;
1479 p_nb = p_cb->rrand;
1480 } else {
1481 smp_collect_local_ble_address(b, p_cb);
1482 smp_collect_peer_ble_address(a, p_cb);
1483 p_na = p_cb->rrand;
1484 p_nb = p_cb->rand;
1485 }
1486
1487 if (!smp_calculate_f5(p_cb->dhkey, p_na, p_nb, a, b, p_cb->mac_key,
1488 p_cb->ltk)) {
1489 SMP_TRACE_ERROR("%s failed", __func__);
1490 return false;
1491 }
1492
1493 SMP_TRACE_EVENT("%s is completed", __func__);
1494 return true;
1495 }
1496
1497 /*******************************************************************************
1498 *
1499 * Function smp_request_oob_data
1500 *
1501 * Description Requests application to provide OOB data.
1502 *
1503 * Returns true - OOB data has to be provided by application
1504 * false - otherwise (unexpected)
1505 *
1506 ******************************************************************************/
smp_request_oob_data(tSMP_CB * p_cb)1507 bool smp_request_oob_data(tSMP_CB* p_cb) {
1508 tSMP_OOB_DATA_TYPE req_oob_type = SMP_OOB_INVALID_TYPE;
1509
1510 SMP_TRACE_DEBUG("%s", __func__);
1511
1512 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT &&
1513 p_cb->loc_oob_flag == SMP_OOB_PRESENT) {
1514 /* both local and peer rcvd data OOB */
1515 req_oob_type = SMP_OOB_BOTH;
1516 } else if (p_cb->peer_oob_flag == SMP_OOB_PRESENT) {
1517 /* peer rcvd OOB local data, local didn't receive OOB peer data */
1518 req_oob_type = SMP_OOB_LOCAL;
1519 } else if (p_cb->loc_oob_flag == SMP_OOB_PRESENT) {
1520 req_oob_type = SMP_OOB_PEER;
1521 }
1522
1523 SMP_TRACE_DEBUG("req_oob_type = %d", req_oob_type);
1524
1525 if (req_oob_type == SMP_OOB_INVALID_TYPE) return false;
1526
1527 p_cb->req_oob_type = req_oob_type;
1528 p_cb->cb_evt = SMP_SC_OOB_REQ_EVT;
1529 smp_sm_event(p_cb, SMP_TK_REQ_EVT, &req_oob_type);
1530
1531 return true;
1532 }
1533