1 /******************************************************************************
2 *
3 * Copyright 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 *****************************************************************************/
18
19 /******************************************************************************
20 *
21 * This file contains functions for the SMP L2CAP utility functions
22 *
23 ******************************************************************************/
24 #include "bt_target.h"
25
26 #include <ctype.h>
27 #include <string.h>
28 #include "bt_types.h"
29 #include "bt_utils.h"
30 #include "btm_ble_api.h"
31 #include "btm_int.h"
32 #include "device/include/controller.h"
33 #include "hcidefs.h"
34 #include "l2c_api.h"
35 #include "l2c_int.h"
36 #include "osi/include/osi.h"
37 #include "smp_int.h"
38
39 #define SMP_PAIRING_REQ_SIZE 7
40 #define SMP_CONFIRM_CMD_SIZE (BT_OCTET16_LEN + 1)
41 #define SMP_RAND_CMD_SIZE (BT_OCTET16_LEN + 1)
42 #define SMP_INIT_CMD_SIZE (BT_OCTET16_LEN + 1)
43 #define SMP_ENC_INFO_SIZE (BT_OCTET16_LEN + 1)
44 #define SMP_MASTER_ID_SIZE (BT_OCTET8_LEN + 2 + 1)
45 #define SMP_ID_INFO_SIZE (BT_OCTET16_LEN + 1)
46 #define SMP_ID_ADDR_SIZE (BD_ADDR_LEN + 1 + 1)
47 #define SMP_SIGN_INFO_SIZE (BT_OCTET16_LEN + 1)
48 #define SMP_PAIR_FAIL_SIZE 2
49 #define SMP_SECURITY_REQUEST_SIZE 2
50 #define SMP_PAIR_PUBL_KEY_SIZE (1 /* opcode */ + (2 * BT_OCTET32_LEN))
51 #define SMP_PAIR_COMMITM_SIZE (1 /* opcode */ + BT_OCTET16_LEN /*Commitment*/)
52 #define SMP_PAIR_DHKEY_CHECK_SIZE \
53 (1 /* opcode */ + BT_OCTET16_LEN /*DHKey Check*/)
54 #define SMP_PAIR_KEYPR_NOTIF_SIZE (1 /* opcode */ + 1 /*Notif Type*/)
55
56 /* SMP command sizes per spec */
57 static const uint8_t smp_cmd_size_per_spec[] = {
58 0,
59 SMP_PAIRING_REQ_SIZE, /* 0x01: pairing request */
60 SMP_PAIRING_REQ_SIZE, /* 0x02: pairing response */
61 SMP_CONFIRM_CMD_SIZE, /* 0x03: pairing confirm */
62 SMP_RAND_CMD_SIZE, /* 0x04: pairing random */
63 SMP_PAIR_FAIL_SIZE, /* 0x05: pairing failed */
64 SMP_ENC_INFO_SIZE, /* 0x06: encryption information */
65 SMP_MASTER_ID_SIZE, /* 0x07: master identification */
66 SMP_ID_INFO_SIZE, /* 0x08: identity information */
67 SMP_ID_ADDR_SIZE, /* 0x09: identity address information */
68 SMP_SIGN_INFO_SIZE, /* 0x0A: signing information */
69 SMP_SECURITY_REQUEST_SIZE, /* 0x0B: security request */
70 SMP_PAIR_PUBL_KEY_SIZE, /* 0x0C: pairing public key */
71 SMP_PAIR_DHKEY_CHECK_SIZE, /* 0x0D: pairing dhkey check */
72 SMP_PAIR_KEYPR_NOTIF_SIZE, /* 0x0E: pairing keypress notification */
73 SMP_PAIR_COMMITM_SIZE /* 0x0F: pairing commitment */
74 };
75
76 static bool smp_parameter_unconditionally_valid(tSMP_CB* p_cb);
77 static bool smp_parameter_unconditionally_invalid(tSMP_CB* p_cb);
78
79 /* type for SMP command length validation functions */
80 typedef bool (*tSMP_CMD_LEN_VALID)(tSMP_CB* p_cb);
81
82 static bool smp_command_has_valid_fixed_length(tSMP_CB* p_cb);
83
84 static const tSMP_CMD_LEN_VALID smp_cmd_len_is_valid[] = {
85 smp_parameter_unconditionally_invalid,
86 smp_command_has_valid_fixed_length, /* 0x01: pairing request */
87 smp_command_has_valid_fixed_length, /* 0x02: pairing response */
88 smp_command_has_valid_fixed_length, /* 0x03: pairing confirm */
89 smp_command_has_valid_fixed_length, /* 0x04: pairing random */
90 smp_command_has_valid_fixed_length, /* 0x05: pairing failed */
91 smp_command_has_valid_fixed_length, /* 0x06: encryption information */
92 smp_command_has_valid_fixed_length, /* 0x07: master identification */
93 smp_command_has_valid_fixed_length, /* 0x08: identity information */
94 smp_command_has_valid_fixed_length, /* 0x09: identity address information */
95 smp_command_has_valid_fixed_length, /* 0x0A: signing information */
96 smp_command_has_valid_fixed_length, /* 0x0B: security request */
97 smp_command_has_valid_fixed_length, /* 0x0C: pairing public key */
98 smp_command_has_valid_fixed_length, /* 0x0D: pairing dhkey check */
99 smp_command_has_valid_fixed_length, /* 0x0E: pairing keypress notification*/
100 smp_command_has_valid_fixed_length /* 0x0F: pairing commitment */
101 };
102
103 /* type for SMP command parameter ranges validation functions */
104 typedef bool (*tSMP_CMD_PARAM_RANGES_VALID)(tSMP_CB* p_cb);
105
106 static bool smp_pairing_request_response_parameters_are_valid(tSMP_CB* p_cb);
107 static bool smp_pairing_keypress_notification_is_valid(tSMP_CB* p_cb);
108
109 static const tSMP_CMD_PARAM_RANGES_VALID smp_cmd_param_ranges_are_valid[] = {
110 smp_parameter_unconditionally_invalid,
111 smp_pairing_request_response_parameters_are_valid, /* 0x01: pairing
112 request */
113 smp_pairing_request_response_parameters_are_valid, /* 0x02: pairing
114 response */
115 smp_parameter_unconditionally_valid, /* 0x03: pairing confirm */
116 smp_parameter_unconditionally_valid, /* 0x04: pairing random */
117 smp_parameter_unconditionally_valid, /* 0x05: pairing failed */
118 smp_parameter_unconditionally_valid, /* 0x06: encryption information */
119 smp_parameter_unconditionally_valid, /* 0x07: master identification */
120 smp_parameter_unconditionally_valid, /* 0x08: identity information */
121 smp_parameter_unconditionally_valid, /* 0x09: identity address
122 information */
123 smp_parameter_unconditionally_valid, /* 0x0A: signing information */
124 smp_parameter_unconditionally_valid, /* 0x0B: security request */
125 smp_parameter_unconditionally_valid, /* 0x0C: pairing public key */
126 smp_parameter_unconditionally_valid, /* 0x0D: pairing dhkey check */
127 smp_pairing_keypress_notification_is_valid, /* 0x0E: pairing keypress
128 notification */
129 smp_parameter_unconditionally_valid /* 0x0F: pairing commitment */
130 };
131
132 /* type for action functions */
133 typedef BT_HDR* (*tSMP_CMD_ACT)(uint8_t cmd_code, tSMP_CB* p_cb);
134
135 static BT_HDR* smp_build_pairing_cmd(uint8_t cmd_code, tSMP_CB* p_cb);
136 static BT_HDR* smp_build_confirm_cmd(UNUSED_ATTR uint8_t cmd_code,
137 tSMP_CB* p_cb);
138 static BT_HDR* smp_build_rand_cmd(UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb);
139 static BT_HDR* smp_build_pairing_fail(UNUSED_ATTR uint8_t cmd_code,
140 tSMP_CB* p_cb);
141 static BT_HDR* smp_build_identity_info_cmd(UNUSED_ATTR uint8_t cmd_code,
142 tSMP_CB* p_cb);
143 static BT_HDR* smp_build_encrypt_info_cmd(UNUSED_ATTR uint8_t cmd_code,
144 tSMP_CB* p_cb);
145 static BT_HDR* smp_build_security_request(UNUSED_ATTR uint8_t cmd_code,
146 tSMP_CB* p_cb);
147 static BT_HDR* smp_build_signing_info_cmd(UNUSED_ATTR uint8_t cmd_code,
148 tSMP_CB* p_cb);
149 static BT_HDR* smp_build_master_id_cmd(UNUSED_ATTR uint8_t cmd_code,
150 tSMP_CB* p_cb);
151 static BT_HDR* smp_build_id_addr_cmd(UNUSED_ATTR uint8_t cmd_code,
152 tSMP_CB* p_cb);
153 static BT_HDR* smp_build_pair_public_key_cmd(UNUSED_ATTR uint8_t cmd_code,
154 tSMP_CB* p_cb);
155 static BT_HDR* smp_build_pairing_commitment_cmd(UNUSED_ATTR uint8_t cmd_code,
156 tSMP_CB* p_cb);
157 static BT_HDR* smp_build_pair_dhkey_check_cmd(UNUSED_ATTR uint8_t cmd_code,
158 tSMP_CB* p_cb);
159 static BT_HDR* smp_build_pairing_keypress_notification_cmd(
160 UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb);
161
162 static const tSMP_CMD_ACT smp_cmd_build_act[] = {
163 NULL, smp_build_pairing_cmd, /* 0x01: pairing request */
164 smp_build_pairing_cmd, /* 0x02: pairing response */
165 smp_build_confirm_cmd, /* 0x03: pairing confirm */
166 smp_build_rand_cmd, /* 0x04: pairing random */
167 smp_build_pairing_fail, /* 0x05: pairing failure */
168 smp_build_encrypt_info_cmd, /* 0x06: encryption information */
169 smp_build_master_id_cmd, /* 0x07: master identification */
170 smp_build_identity_info_cmd, /* 0x08: identity information */
171 smp_build_id_addr_cmd, /* 0x09: identity address information */
172 smp_build_signing_info_cmd, /* 0x0A: signing information */
173 smp_build_security_request, /* 0x0B: security request */
174 smp_build_pair_public_key_cmd, /* 0x0C: pairing public key */
175 smp_build_pair_dhkey_check_cmd, /* 0x0D: pairing DHKey check */
176 smp_build_pairing_keypress_notification_cmd, /* 0x0E: pairing keypress
177 notification */
178 smp_build_pairing_commitment_cmd /* 0x0F: pairing commitment */
179 };
180
181 static const uint8_t smp_association_table[2][SMP_IO_CAP_MAX][SMP_IO_CAP_MAX] =
182 {
183 /* display only */ /* Display Yes/No */ /* keyboard only */
184 /* No Input/Output */ /* keyboard display */
185
186 /* initiator */
187 /* model = tbl[peer_io_caps][loc_io_caps] */
188 /* Display Only */
189 {{SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
190 SMP_MODEL_PASSKEY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY},
191
192 /* Display Yes/No */
193 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
194 SMP_MODEL_PASSKEY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY},
195
196 /* Keyboard only */
197 {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY,
198 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF},
199
200 /* No Input No Output */
201 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
202 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
203 SMP_MODEL_ENCRYPTION_ONLY},
204
205 /* keyboard display */
206 {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY,
207 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF}},
208
209 /* responder */
210 /* model = tbl[loc_io_caps][peer_io_caps] */
211 /* Display Only */
212 {{SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
213 SMP_MODEL_KEY_NOTIF, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF},
214
215 /* Display Yes/No */
216 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
217 SMP_MODEL_KEY_NOTIF, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF},
218
219 /* keyboard only */
220 {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY,
221 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY},
222
223 /* No Input No Output */
224 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
225 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
226 SMP_MODEL_ENCRYPTION_ONLY},
227
228 /* keyboard display */
229 {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_KEY_NOTIF,
230 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY}}};
231
232 static const uint8_t
233 smp_association_table_sc[2][SMP_IO_CAP_MAX][SMP_IO_CAP_MAX] = {
234 /* display only */ /* Display Yes/No */ /* keyboard only */
235 /* No InputOutput */ /* keyboard display */
236
237 /* initiator */
238 /* model = tbl[peer_io_caps][loc_io_caps] */
239
240 /* Display Only */
241 {{SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
242 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
243 SMP_MODEL_SEC_CONN_PASSKEY_ENT},
244
245 /* Display Yes/No */
246 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP,
247 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
248 SMP_MODEL_SEC_CONN_NUM_COMP},
249
250 /* keyboard only */
251 {SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_PASSKEY_DISP,
252 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
253 SMP_MODEL_SEC_CONN_PASSKEY_DISP},
254
255 /* No Input No Output */
256 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
257 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
258 SMP_MODEL_SEC_CONN_JUSTWORKS},
259
260 /* keyboard display */
261 {SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_NUM_COMP,
262 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
263 SMP_MODEL_SEC_CONN_NUM_COMP}},
264
265 /* responder */
266 /* model = tbl[loc_io_caps][peer_io_caps] */
267
268 /* Display Only */
269 {{SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
270 SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS,
271 SMP_MODEL_SEC_CONN_PASSKEY_DISP},
272
273 /* Display Yes/No */
274 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP,
275 SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS,
276 SMP_MODEL_SEC_CONN_NUM_COMP},
277
278 /* keyboard only */
279 {SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_PASSKEY_ENT,
280 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
281 SMP_MODEL_SEC_CONN_PASSKEY_ENT},
282
283 /* No Input No Output */
284 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
285 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
286 SMP_MODEL_SEC_CONN_JUSTWORKS},
287
288 /* keyboard display */
289 {SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_NUM_COMP,
290 SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS,
291 SMP_MODEL_SEC_CONN_NUM_COMP}}};
292
293 static tSMP_ASSO_MODEL smp_select_legacy_association_model(tSMP_CB* p_cb);
294 static tSMP_ASSO_MODEL smp_select_association_model_secure_connections(
295 tSMP_CB* p_cb);
296
297 /*******************************************************************************
298 *
299 * Function smp_send_msg_to_L2CAP
300 *
301 * Description Send message to L2CAP.
302 *
303 ******************************************************************************/
smp_send_msg_to_L2CAP(const RawAddress & rem_bda,BT_HDR * p_toL2CAP)304 bool smp_send_msg_to_L2CAP(const RawAddress& rem_bda, BT_HDR* p_toL2CAP) {
305 uint16_t l2cap_ret;
306 uint16_t fixed_cid = L2CAP_SMP_CID;
307
308 if (smp_cb.smp_over_br) {
309 fixed_cid = L2CAP_SMP_BR_CID;
310 }
311
312 SMP_TRACE_EVENT("%s", __func__);
313 smp_cb.total_tx_unacked += 1;
314
315 l2cap_ret = L2CA_SendFixedChnlData(fixed_cid, rem_bda, p_toL2CAP);
316 if (l2cap_ret == L2CAP_DW_FAILED) {
317 smp_cb.total_tx_unacked -= 1;
318 SMP_TRACE_ERROR("SMP failed to pass msg to L2CAP");
319 return false;
320 } else
321 return true;
322 }
323
324 /*******************************************************************************
325 *
326 * Function smp_send_cmd
327 *
328 * Description send a SMP command on L2CAP channel.
329 *
330 ******************************************************************************/
smp_send_cmd(uint8_t cmd_code,tSMP_CB * p_cb)331 bool smp_send_cmd(uint8_t cmd_code, tSMP_CB* p_cb) {
332 BT_HDR* p_buf;
333 bool sent = false;
334
335 SMP_TRACE_EVENT("%s: on l2cap cmd_code=0x%x, pairing_bda=%s", __func__,
336 cmd_code, p_cb->pairing_bda.ToString().c_str());
337
338 if (cmd_code <= (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */) &&
339 smp_cmd_build_act[cmd_code] != NULL) {
340 p_buf = (*smp_cmd_build_act[cmd_code])(cmd_code, p_cb);
341
342 if (p_buf != NULL && smp_send_msg_to_L2CAP(p_cb->pairing_bda, p_buf)) {
343 sent = true;
344 alarm_set_on_mloop(p_cb->smp_rsp_timer_ent, SMP_WAIT_FOR_RSP_TIMEOUT_MS,
345 smp_rsp_timeout, NULL);
346 }
347 }
348
349 if (!sent) {
350 tSMP_INT_DATA smp_int_data;
351 smp_int_data.status = SMP_PAIR_INTERNAL_ERR;
352 if (p_cb->smp_over_br) {
353 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
354 } else {
355 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
356 }
357 }
358 return sent;
359 }
360
361 /*******************************************************************************
362 *
363 * Function smp_rsp_timeout
364 *
365 * Description Called when SMP wait for SMP command response timer expires
366 *
367 * Returns void
368 *
369 ******************************************************************************/
smp_rsp_timeout(UNUSED_ATTR void * data)370 void smp_rsp_timeout(UNUSED_ATTR void* data) {
371 tSMP_CB* p_cb = &smp_cb;
372
373 SMP_TRACE_EVENT("%s state:%d br_state:%d", __func__, p_cb->state,
374 p_cb->br_state);
375
376 tSMP_INT_DATA smp_int_data;
377 smp_int_data.status = SMP_RSP_TIMEOUT;
378 if (p_cb->smp_over_br) {
379 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
380 } else {
381 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
382 }
383 }
384
385 /*******************************************************************************
386 *
387 * Function smp_delayed_auth_complete_timeout
388 *
389 * Description Called when no pairing failed command received within
390 * timeout period.
391 *
392 * Returns void
393 *
394 ******************************************************************************/
smp_delayed_auth_complete_timeout(UNUSED_ATTR void * data)395 void smp_delayed_auth_complete_timeout(UNUSED_ATTR void* data) {
396 /*
397 * Waited for potential pair failure. Send SMP_AUTH_CMPL_EVT if
398 * the state is still in bond pending.
399 */
400 if (smp_get_state() == SMP_STATE_BOND_PENDING) {
401 SMP_TRACE_EVENT("%s sending delayed auth complete.", __func__);
402 tSMP_INT_DATA smp_int_data;
403 smp_int_data.status = SMP_SUCCESS;
404 smp_sm_event(&smp_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
405 }
406 }
407
408 /*******************************************************************************
409 *
410 * Function smp_build_pairing_req_cmd
411 *
412 * Description Build pairing request command.
413 *
414 ******************************************************************************/
smp_build_pairing_cmd(uint8_t cmd_code,tSMP_CB * p_cb)415 BT_HDR* smp_build_pairing_cmd(uint8_t cmd_code, tSMP_CB* p_cb) {
416 uint8_t* p;
417 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIRING_REQ_SIZE +
418 L2CAP_MIN_OFFSET);
419
420 SMP_TRACE_EVENT("%s", __func__);
421
422 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
423 UINT8_TO_STREAM(p, cmd_code);
424 UINT8_TO_STREAM(p, p_cb->local_io_capability);
425 UINT8_TO_STREAM(p, p_cb->loc_oob_flag);
426 UINT8_TO_STREAM(p, p_cb->loc_auth_req);
427 UINT8_TO_STREAM(p, p_cb->loc_enc_size);
428 UINT8_TO_STREAM(p, p_cb->local_i_key);
429 UINT8_TO_STREAM(p, p_cb->local_r_key);
430
431 p_buf->offset = L2CAP_MIN_OFFSET;
432 /* 1B ERR_RSP op code + 1B cmd_op_code + 2B handle + 1B status */
433 p_buf->len = SMP_PAIRING_REQ_SIZE;
434
435 return p_buf;
436 }
437
438 /*******************************************************************************
439 *
440 * Function smp_build_confirm_cmd
441 *
442 * Description Build confirm request command.
443 *
444 ******************************************************************************/
smp_build_confirm_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)445 static BT_HDR* smp_build_confirm_cmd(UNUSED_ATTR uint8_t cmd_code,
446 tSMP_CB* p_cb) {
447 uint8_t* p;
448 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_CONFIRM_CMD_SIZE +
449 L2CAP_MIN_OFFSET);
450
451 SMP_TRACE_EVENT("%s", __func__);
452
453 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
454
455 UINT8_TO_STREAM(p, SMP_OPCODE_CONFIRM);
456 ARRAY_TO_STREAM(p, p_cb->confirm, BT_OCTET16_LEN);
457
458 p_buf->offset = L2CAP_MIN_OFFSET;
459 p_buf->len = SMP_CONFIRM_CMD_SIZE;
460
461 return p_buf;
462 }
463
464 /*******************************************************************************
465 *
466 * Function smp_build_rand_cmd
467 *
468 * Description Build Random command.
469 *
470 ******************************************************************************/
smp_build_rand_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)471 static BT_HDR* smp_build_rand_cmd(UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb) {
472 uint8_t* p;
473 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_RAND_CMD_SIZE +
474 L2CAP_MIN_OFFSET);
475
476 SMP_TRACE_EVENT("%s", __func__);
477
478 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
479 UINT8_TO_STREAM(p, SMP_OPCODE_RAND);
480 ARRAY_TO_STREAM(p, p_cb->rand, BT_OCTET16_LEN);
481
482 p_buf->offset = L2CAP_MIN_OFFSET;
483 p_buf->len = SMP_RAND_CMD_SIZE;
484
485 return p_buf;
486 }
487
488 /*******************************************************************************
489 *
490 * Function smp_build_encrypt_info_cmd
491 *
492 * Description Build security information command.
493 *
494 ******************************************************************************/
smp_build_encrypt_info_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)495 static BT_HDR* smp_build_encrypt_info_cmd(UNUSED_ATTR uint8_t cmd_code,
496 tSMP_CB* p_cb) {
497 uint8_t* p;
498 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ENC_INFO_SIZE +
499 L2CAP_MIN_OFFSET);
500
501 SMP_TRACE_EVENT("%s", __func__);
502
503 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
504 UINT8_TO_STREAM(p, SMP_OPCODE_ENCRYPT_INFO);
505 ARRAY_TO_STREAM(p, p_cb->ltk, BT_OCTET16_LEN);
506
507 p_buf->offset = L2CAP_MIN_OFFSET;
508 p_buf->len = SMP_ENC_INFO_SIZE;
509
510 return p_buf;
511 }
512
513 /*******************************************************************************
514 *
515 * Function smp_build_master_id_cmd
516 *
517 * Description Build security information command.
518 *
519 ******************************************************************************/
smp_build_master_id_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)520 static BT_HDR* smp_build_master_id_cmd(UNUSED_ATTR uint8_t cmd_code,
521 tSMP_CB* p_cb) {
522 uint8_t* p;
523 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_MASTER_ID_SIZE +
524 L2CAP_MIN_OFFSET);
525
526 SMP_TRACE_EVENT("%s", __func__);
527
528 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
529 UINT8_TO_STREAM(p, SMP_OPCODE_MASTER_ID);
530 UINT16_TO_STREAM(p, p_cb->ediv);
531 ARRAY_TO_STREAM(p, p_cb->enc_rand, BT_OCTET8_LEN);
532
533 p_buf->offset = L2CAP_MIN_OFFSET;
534 p_buf->len = SMP_MASTER_ID_SIZE;
535
536 return p_buf;
537 }
538
539 /*******************************************************************************
540 *
541 * Function smp_build_identity_info_cmd
542 *
543 * Description Build identity information command.
544 *
545 ******************************************************************************/
smp_build_identity_info_cmd(UNUSED_ATTR uint8_t cmd_code,UNUSED_ATTR tSMP_CB * p_cb)546 static BT_HDR* smp_build_identity_info_cmd(UNUSED_ATTR uint8_t cmd_code,
547 UNUSED_ATTR tSMP_CB* p_cb) {
548 uint8_t* p;
549 BT_OCTET16 irk;
550 BT_HDR* p_buf =
551 (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ID_INFO_SIZE + L2CAP_MIN_OFFSET);
552
553 SMP_TRACE_EVENT("%s", __func__);
554
555 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
556
557 BTM_GetDeviceIDRoot(irk);
558
559 UINT8_TO_STREAM(p, SMP_OPCODE_IDENTITY_INFO);
560 ARRAY_TO_STREAM(p, irk, BT_OCTET16_LEN);
561
562 p_buf->offset = L2CAP_MIN_OFFSET;
563 p_buf->len = SMP_ID_INFO_SIZE;
564
565 return p_buf;
566 }
567
568 /*******************************************************************************
569 *
570 * Function smp_build_id_addr_cmd
571 *
572 * Description Build identity address information command.
573 *
574 ******************************************************************************/
smp_build_id_addr_cmd(UNUSED_ATTR uint8_t cmd_code,UNUSED_ATTR tSMP_CB * p_cb)575 static BT_HDR* smp_build_id_addr_cmd(UNUSED_ATTR uint8_t cmd_code,
576 UNUSED_ATTR tSMP_CB* p_cb) {
577 uint8_t* p;
578 BT_HDR* p_buf =
579 (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ID_ADDR_SIZE + L2CAP_MIN_OFFSET);
580
581 SMP_TRACE_EVENT("%s", __func__);
582
583 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
584 UINT8_TO_STREAM(p, SMP_OPCODE_ID_ADDR);
585 UINT8_TO_STREAM(p, 0);
586 BDADDR_TO_STREAM(p, *controller_get_interface()->get_address());
587
588 p_buf->offset = L2CAP_MIN_OFFSET;
589 p_buf->len = SMP_ID_ADDR_SIZE;
590
591 return p_buf;
592 }
593
594 /*******************************************************************************
595 *
596 * Function smp_build_signing_info_cmd
597 *
598 * Description Build signing information command.
599 *
600 ******************************************************************************/
smp_build_signing_info_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)601 static BT_HDR* smp_build_signing_info_cmd(UNUSED_ATTR uint8_t cmd_code,
602 tSMP_CB* p_cb) {
603 uint8_t* p;
604 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_SIGN_INFO_SIZE +
605 L2CAP_MIN_OFFSET);
606
607 SMP_TRACE_EVENT("%s", __func__);
608
609 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
610 UINT8_TO_STREAM(p, SMP_OPCODE_SIGN_INFO);
611 ARRAY_TO_STREAM(p, p_cb->csrk, BT_OCTET16_LEN);
612
613 p_buf->offset = L2CAP_MIN_OFFSET;
614 p_buf->len = SMP_SIGN_INFO_SIZE;
615
616 return p_buf;
617 }
618
619 /*******************************************************************************
620 *
621 * Function smp_build_pairing_fail
622 *
623 * Description Build Pairing Fail command.
624 *
625 ******************************************************************************/
smp_build_pairing_fail(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)626 static BT_HDR* smp_build_pairing_fail(UNUSED_ATTR uint8_t cmd_code,
627 tSMP_CB* p_cb) {
628 uint8_t* p;
629 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_FAIL_SIZE +
630 L2CAP_MIN_OFFSET);
631
632 SMP_TRACE_EVENT("%s", __func__);
633
634 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
635 UINT8_TO_STREAM(p, SMP_OPCODE_PAIRING_FAILED);
636 UINT8_TO_STREAM(p, p_cb->failure);
637
638 p_buf->offset = L2CAP_MIN_OFFSET;
639 p_buf->len = SMP_PAIR_FAIL_SIZE;
640
641 return p_buf;
642 }
643
644 /*******************************************************************************
645 *
646 * Function smp_build_security_request
647 *
648 * Description Build security request command.
649 *
650 ******************************************************************************/
smp_build_security_request(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)651 static BT_HDR* smp_build_security_request(UNUSED_ATTR uint8_t cmd_code,
652 tSMP_CB* p_cb) {
653 uint8_t* p;
654 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + 2 + L2CAP_MIN_OFFSET);
655
656 SMP_TRACE_EVENT("%s", __func__);
657
658 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
659 UINT8_TO_STREAM(p, SMP_OPCODE_SEC_REQ);
660 UINT8_TO_STREAM(p, p_cb->loc_auth_req);
661
662 p_buf->offset = L2CAP_MIN_OFFSET;
663 p_buf->len = SMP_SECURITY_REQUEST_SIZE;
664
665 SMP_TRACE_EVENT("opcode=%d auth_req=0x%x", SMP_OPCODE_SEC_REQ,
666 p_cb->loc_auth_req);
667
668 return p_buf;
669 }
670
671 /*******************************************************************************
672 *
673 * Function smp_build_pair_public_key_cmd
674 *
675 * Description Build pairing public key command.
676 *
677 ******************************************************************************/
smp_build_pair_public_key_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)678 static BT_HDR* smp_build_pair_public_key_cmd(UNUSED_ATTR uint8_t cmd_code,
679 tSMP_CB* p_cb) {
680 uint8_t* p;
681 uint8_t publ_key[2 * BT_OCTET32_LEN];
682 uint8_t* p_publ_key = publ_key;
683 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_PUBL_KEY_SIZE +
684 L2CAP_MIN_OFFSET);
685
686 SMP_TRACE_EVENT("%s", __func__);
687
688 memcpy(p_publ_key, p_cb->loc_publ_key.x, BT_OCTET32_LEN);
689 memcpy(p_publ_key + BT_OCTET32_LEN, p_cb->loc_publ_key.y, BT_OCTET32_LEN);
690
691 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
692 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_PUBLIC_KEY);
693 ARRAY_TO_STREAM(p, p_publ_key, 2 * BT_OCTET32_LEN);
694
695 p_buf->offset = L2CAP_MIN_OFFSET;
696 p_buf->len = SMP_PAIR_PUBL_KEY_SIZE;
697
698 return p_buf;
699 }
700
701 /*******************************************************************************
702 *
703 * Function smp_build_pairing_commitment_cmd
704 *
705 * Description Build pairing commitment command.
706 *
707 ******************************************************************************/
smp_build_pairing_commitment_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)708 static BT_HDR* smp_build_pairing_commitment_cmd(UNUSED_ATTR uint8_t cmd_code,
709 tSMP_CB* p_cb) {
710 uint8_t* p;
711 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_COMMITM_SIZE +
712 L2CAP_MIN_OFFSET);
713
714 SMP_TRACE_EVENT("%s", __func__);
715
716 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
717 UINT8_TO_STREAM(p, SMP_OPCODE_CONFIRM);
718 ARRAY_TO_STREAM(p, p_cb->commitment, BT_OCTET16_LEN);
719
720 p_buf->offset = L2CAP_MIN_OFFSET;
721 p_buf->len = SMP_PAIR_COMMITM_SIZE;
722
723 return p_buf;
724 }
725
726 /*******************************************************************************
727 *
728 * Function smp_build_pair_dhkey_check_cmd
729 *
730 * Description Build pairing DHKey check command.
731 *
732 ******************************************************************************/
smp_build_pair_dhkey_check_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)733 static BT_HDR* smp_build_pair_dhkey_check_cmd(UNUSED_ATTR uint8_t cmd_code,
734 tSMP_CB* p_cb) {
735 uint8_t* p;
736 BT_HDR* p_buf = (BT_HDR*)osi_malloc(
737 sizeof(BT_HDR) + SMP_PAIR_DHKEY_CHECK_SIZE + L2CAP_MIN_OFFSET);
738
739 SMP_TRACE_EVENT("%s", __func__);
740
741 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
742 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_DHKEY_CHECK);
743 ARRAY_TO_STREAM(p, p_cb->dhkey_check, BT_OCTET16_LEN);
744
745 p_buf->offset = L2CAP_MIN_OFFSET;
746 p_buf->len = SMP_PAIR_DHKEY_CHECK_SIZE;
747
748 return p_buf;
749 }
750
751 /*******************************************************************************
752 *
753 * Function smp_build_pairing_keypress_notification_cmd
754 *
755 * Description Build keypress notification command.
756 *
757 ******************************************************************************/
smp_build_pairing_keypress_notification_cmd(UNUSED_ATTR uint8_t cmd_code,tSMP_CB * p_cb)758 static BT_HDR* smp_build_pairing_keypress_notification_cmd(
759 UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb) {
760 uint8_t* p;
761 BT_HDR* p_buf = (BT_HDR*)osi_malloc(
762 sizeof(BT_HDR) + SMP_PAIR_KEYPR_NOTIF_SIZE + L2CAP_MIN_OFFSET);
763
764 SMP_TRACE_EVENT("%s", __func__);
765
766 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
767 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_KEYPR_NOTIF);
768 UINT8_TO_STREAM(p, p_cb->local_keypress_notification);
769
770 p_buf->offset = L2CAP_MIN_OFFSET;
771 p_buf->len = SMP_PAIR_KEYPR_NOTIF_SIZE;
772
773 return p_buf;
774 }
775
776 /*******************************************************************************
777 *
778 * Function smp_convert_string_to_tk
779 *
780 * Description This function is called to convert a 6 to 16 digits numeric
781 * character string into SMP TK.
782 *
783 *
784 * Returns void
785 *
786 ******************************************************************************/
smp_convert_string_to_tk(BT_OCTET16 tk,uint32_t passkey)787 void smp_convert_string_to_tk(BT_OCTET16 tk, uint32_t passkey) {
788 uint8_t* p = tk;
789 tSMP_KEY key;
790 SMP_TRACE_EVENT("smp_convert_string_to_tk");
791 UINT32_TO_STREAM(p, passkey);
792
793 key.key_type = SMP_KEY_TYPE_TK;
794 key.p_data = tk;
795
796 tSMP_INT_DATA smp_int_data;
797 smp_int_data.key = key;
798 smp_sm_event(&smp_cb, SMP_KEY_READY_EVT, &smp_int_data);
799 }
800
801 /*******************************************************************************
802 *
803 * Function smp_mask_enc_key
804 *
805 * Description This function is called to mask off the encryption key based
806 * on the maximum encryption key size.
807 *
808 *
809 * Returns void
810 *
811 ******************************************************************************/
smp_mask_enc_key(uint8_t loc_enc_size,uint8_t * p_data)812 void smp_mask_enc_key(uint8_t loc_enc_size, uint8_t* p_data) {
813 SMP_TRACE_EVENT("smp_mask_enc_key");
814 if (loc_enc_size < BT_OCTET16_LEN) {
815 for (; loc_enc_size < BT_OCTET16_LEN; loc_enc_size++)
816 *(p_data + loc_enc_size) = 0;
817 }
818 return;
819 }
820
821 /*******************************************************************************
822 *
823 * Function smp_xor_128
824 *
825 * Description utility function to do an biteise exclusive-OR of two bit
826 * strings of the length of BT_OCTET16_LEN.
827 *
828 * Returns void
829 *
830 ******************************************************************************/
smp_xor_128(BT_OCTET16 a,BT_OCTET16 b)831 void smp_xor_128(BT_OCTET16 a, BT_OCTET16 b) {
832 uint8_t i, *aa = a, *bb = b;
833
834 SMP_TRACE_EVENT("smp_xor_128");
835 for (i = 0; i < BT_OCTET16_LEN; i++) {
836 aa[i] = aa[i] ^ bb[i];
837 }
838 }
839
840 /*******************************************************************************
841 *
842 * Function smp_cb_cleanup
843 *
844 * Description Clean up SMP control block
845 *
846 * Returns void
847 *
848 ******************************************************************************/
smp_cb_cleanup(tSMP_CB * p_cb)849 void smp_cb_cleanup(tSMP_CB* p_cb) {
850 tSMP_CALLBACK* p_callback = p_cb->p_callback;
851 uint8_t trace_level = p_cb->trace_level;
852 alarm_t* smp_rsp_timer_ent = p_cb->smp_rsp_timer_ent;
853 alarm_t* delayed_auth_timer_ent = p_cb->delayed_auth_timer_ent;
854
855 SMP_TRACE_EVENT("smp_cb_cleanup");
856
857 alarm_cancel(p_cb->smp_rsp_timer_ent);
858 alarm_cancel(p_cb->delayed_auth_timer_ent);
859 memset(p_cb, 0, sizeof(tSMP_CB));
860 p_cb->p_callback = p_callback;
861 p_cb->trace_level = trace_level;
862 p_cb->smp_rsp_timer_ent = smp_rsp_timer_ent;
863 p_cb->delayed_auth_timer_ent = delayed_auth_timer_ent;
864 }
865
866 /*******************************************************************************
867 *
868 * Function smp_remove_fixed_channel
869 *
870 * Description This function is called to remove the fixed channel
871 *
872 * Returns void
873 *
874 ******************************************************************************/
smp_remove_fixed_channel(tSMP_CB * p_cb)875 void smp_remove_fixed_channel(tSMP_CB* p_cb) {
876 SMP_TRACE_DEBUG("%s", __func__);
877
878 if (p_cb->smp_over_br)
879 L2CA_RemoveFixedChnl(L2CAP_SMP_BR_CID, p_cb->pairing_bda);
880 else
881 L2CA_RemoveFixedChnl(L2CAP_SMP_CID, p_cb->pairing_bda);
882 }
883
884 /*******************************************************************************
885 *
886 * Function smp_reset_control_value
887 *
888 * Description This function is called to reset the control block value
889 * when the pairing procedure finished.
890 *
891 *
892 * Returns void
893 *
894 ******************************************************************************/
smp_reset_control_value(tSMP_CB * p_cb)895 void smp_reset_control_value(tSMP_CB* p_cb) {
896 SMP_TRACE_EVENT("%s", __func__);
897
898 alarm_cancel(p_cb->smp_rsp_timer_ent);
899 p_cb->flags = 0;
900 /* set the link idle timer to drop the link when pairing is done
901 usually service discovery will follow authentication complete, to avoid
902 racing condition for a link down/up, set link idle timer to be
903 SMP_LINK_TOUT_MIN to guarantee SMP key exchange */
904 L2CA_SetIdleTimeoutByBdAddr(p_cb->pairing_bda, SMP_LINK_TOUT_MIN,
905 BT_TRANSPORT_LE);
906
907 /* We can tell L2CAP to remove the fixed channel (if it has one) */
908 smp_remove_fixed_channel(p_cb);
909 smp_cb_cleanup(p_cb);
910 }
911
912 /*******************************************************************************
913 *
914 * Function smp_proc_pairing_cmpl
915 *
916 * Description This function is called to process pairing complete
917 *
918 *
919 * Returns void
920 *
921 ******************************************************************************/
smp_proc_pairing_cmpl(tSMP_CB * p_cb)922 void smp_proc_pairing_cmpl(tSMP_CB* p_cb) {
923 tSMP_EVT_DATA evt_data = {0};
924 tSMP_CALLBACK* p_callback = p_cb->p_callback;
925
926 SMP_TRACE_DEBUG("%s: pairing_bda=%s", __func__,
927 p_cb->pairing_bda.ToString().c_str());
928
929 evt_data.cmplt.reason = p_cb->status;
930 evt_data.cmplt.smp_over_br = p_cb->smp_over_br;
931
932 if (p_cb->status == SMP_SUCCESS) evt_data.cmplt.sec_level = p_cb->sec_level;
933
934 evt_data.cmplt.is_pair_cancel = false;
935
936 if (p_cb->is_pair_cancel) evt_data.cmplt.is_pair_cancel = true;
937
938 SMP_TRACE_DEBUG("send SMP_COMPLT_EVT reason=0x%0x sec_level=0x%0x",
939 evt_data.cmplt.reason, evt_data.cmplt.sec_level);
940
941 RawAddress pairing_bda = p_cb->pairing_bda;
942
943 smp_reset_control_value(p_cb);
944
945 if (p_callback) (*p_callback)(SMP_COMPLT_EVT, pairing_bda, &evt_data);
946 }
947
948 /*******************************************************************************
949 *
950 * Function smp_command_has_invalid_parameters
951 *
952 * Description Checks if the received SMP command has invalid parameters
953 * i.e. if the command length is valid and the command
954 * parameters are inside specified range.
955 * It returns true if the command has invalid parameters.
956 *
957 * Returns true if the command has invalid parameters, false otherwise.
958 *
959 ******************************************************************************/
smp_command_has_invalid_parameters(tSMP_CB * p_cb)960 bool smp_command_has_invalid_parameters(tSMP_CB* p_cb) {
961 uint8_t cmd_code = p_cb->rcvd_cmd_code;
962
963 if ((cmd_code > (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */)) ||
964 (cmd_code < SMP_OPCODE_MIN)) {
965 SMP_TRACE_WARNING("%s: Received command with RESERVED code 0x%02x",
966 __func__, cmd_code);
967 return true;
968 }
969
970 if (!(*smp_cmd_len_is_valid[cmd_code])(p_cb)) {
971 SMP_TRACE_WARNING("%s: Command length not valid for cmd_code 0x%02x",
972 __func__, cmd_code);
973 return true;
974 }
975
976 if (!(*smp_cmd_param_ranges_are_valid[cmd_code])(p_cb)) {
977 SMP_TRACE_WARNING("%s: Parameter ranges not valid code 0x%02x", __func__,
978 cmd_code);
979 return true;
980 }
981
982 return false;
983 }
984
985 /*******************************************************************************
986 *
987 * Function smp_command_has_valid_fixed_length
988 *
989 * Description Checks if the received command size is equal to the size
990 * according to specs.
991 *
992 * Returns true if the command size is as expected, false otherwise.
993 *
994 * Note The command is expected to have fixed length.
995 ******************************************************************************/
smp_command_has_valid_fixed_length(tSMP_CB * p_cb)996 bool smp_command_has_valid_fixed_length(tSMP_CB* p_cb) {
997 uint8_t cmd_code = p_cb->rcvd_cmd_code;
998
999 SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, cmd_code);
1000
1001 if (p_cb->rcvd_cmd_len != smp_cmd_size_per_spec[cmd_code]) {
1002 SMP_TRACE_WARNING(
1003 "Rcvd from the peer cmd 0x%02x with invalid length "
1004 "0x%02x (per spec the length is 0x%02x).",
1005 cmd_code, p_cb->rcvd_cmd_len, smp_cmd_size_per_spec[cmd_code]);
1006 return false;
1007 }
1008
1009 return true;
1010 }
1011
1012 /*******************************************************************************
1013 *
1014 * Function smp_pairing_request_response_parameters_are_valid
1015 *
1016 * Description Validates parameter ranges in the received SMP command
1017 * pairing request or pairing response.
1018 * The parameters to validate:
1019 * IO capability,
1020 * OOB data flag,
1021 * Bonding_flags in AuthReq
1022 * Maximum encryption key size.
1023 * Returns false if at least one of these parameters is out of
1024 * range.
1025 *
1026 ******************************************************************************/
smp_pairing_request_response_parameters_are_valid(tSMP_CB * p_cb)1027 bool smp_pairing_request_response_parameters_are_valid(tSMP_CB* p_cb) {
1028 uint8_t io_caps = p_cb->peer_io_caps;
1029 uint8_t oob_flag = p_cb->peer_oob_flag;
1030 uint8_t bond_flag =
1031 p_cb->peer_auth_req & 0x03; // 0x03 is gen bond with appropriate mask
1032 uint8_t enc_size = p_cb->peer_enc_size;
1033
1034 SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, p_cb->rcvd_cmd_code);
1035
1036 if (io_caps >= BTM_IO_CAP_MAX) {
1037 SMP_TRACE_WARNING(
1038 "Rcvd from the peer cmd 0x%02x with IO Capability "
1039 "value (0x%02x) out of range).",
1040 p_cb->rcvd_cmd_code, io_caps);
1041 return false;
1042 }
1043
1044 if (!((oob_flag == SMP_OOB_NONE) || (oob_flag == SMP_OOB_PRESENT))) {
1045 SMP_TRACE_WARNING(
1046 "Rcvd from the peer cmd 0x%02x with OOB data flag value "
1047 "(0x%02x) out of range).",
1048 p_cb->rcvd_cmd_code, oob_flag);
1049 return false;
1050 }
1051
1052 if (!((bond_flag == SMP_AUTH_NO_BOND) || (bond_flag == SMP_AUTH_BOND))) {
1053 SMP_TRACE_WARNING(
1054 "Rcvd from the peer cmd 0x%02x with Bonding_Flags value (0x%02x) "
1055 "out of range).",
1056 p_cb->rcvd_cmd_code, bond_flag);
1057 return false;
1058 }
1059
1060 if ((enc_size < SMP_ENCR_KEY_SIZE_MIN) ||
1061 (enc_size > SMP_ENCR_KEY_SIZE_MAX)) {
1062 SMP_TRACE_WARNING(
1063 "Rcvd from the peer cmd 0x%02x with Maximum Encryption "
1064 "Key value (0x%02x) out of range).",
1065 p_cb->rcvd_cmd_code, enc_size);
1066 return false;
1067 }
1068
1069 return true;
1070 }
1071
1072 /*******************************************************************************
1073 *
1074 * Function smp_pairing_keypress_notification_is_valid
1075 *
1076 * Description Validates Notification Type parameter range in the received
1077 * SMP command pairing keypress notification.
1078 * Returns false if this parameter is out of range.
1079 *
1080 ******************************************************************************/
smp_pairing_keypress_notification_is_valid(tSMP_CB * p_cb)1081 bool smp_pairing_keypress_notification_is_valid(tSMP_CB* p_cb) {
1082 tBTM_SP_KEY_TYPE keypress_notification = p_cb->peer_keypress_notification;
1083
1084 SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, p_cb->rcvd_cmd_code);
1085
1086 if (keypress_notification >= BTM_SP_KEY_OUT_OF_RANGE) {
1087 SMP_TRACE_WARNING(
1088 "Rcvd from the peer cmd 0x%02x with Pairing Keypress "
1089 "Notification value (0x%02x) out of range).",
1090 p_cb->rcvd_cmd_code, keypress_notification);
1091 return false;
1092 }
1093
1094 return true;
1095 }
1096
1097 /*******************************************************************************
1098 *
1099 * Function smp_parameter_unconditionally_valid
1100 *
1101 * Description Always returns true.
1102 *
1103 ******************************************************************************/
smp_parameter_unconditionally_valid(UNUSED_ATTR tSMP_CB * p_cb)1104 bool smp_parameter_unconditionally_valid(UNUSED_ATTR tSMP_CB* p_cb) {
1105 return true;
1106 }
1107
1108 /*******************************************************************************
1109 *
1110 * Function smp_parameter_unconditionally_invalid
1111 *
1112 * Description Always returns false.
1113 *
1114 ******************************************************************************/
smp_parameter_unconditionally_invalid(UNUSED_ATTR tSMP_CB * p_cb)1115 bool smp_parameter_unconditionally_invalid(UNUSED_ATTR tSMP_CB* p_cb) {
1116 return false;
1117 }
1118
1119 /*******************************************************************************
1120 *
1121 * Function smp_reject_unexpected_pairing_command
1122 *
1123 * Description send pairing failure to an unexpected pairing command during
1124 * an active pairing process.
1125 *
1126 * Returns void
1127 *
1128 ******************************************************************************/
smp_reject_unexpected_pairing_command(const RawAddress & bd_addr)1129 void smp_reject_unexpected_pairing_command(const RawAddress& bd_addr) {
1130 uint8_t* p;
1131 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_FAIL_SIZE +
1132 L2CAP_MIN_OFFSET);
1133
1134 SMP_TRACE_DEBUG("%s", __func__);
1135
1136 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
1137 UINT8_TO_STREAM(p, SMP_OPCODE_PAIRING_FAILED);
1138 UINT8_TO_STREAM(p, SMP_PAIR_NOT_SUPPORT);
1139
1140 p_buf->offset = L2CAP_MIN_OFFSET;
1141 p_buf->len = SMP_PAIR_FAIL_SIZE;
1142
1143 smp_send_msg_to_L2CAP(bd_addr, p_buf);
1144 }
1145
1146 /*******************************************************************************
1147 * Function smp_select_association_model
1148 *
1149 * Description This function selects association model to use for STK
1150 * generation. Selection is based on both sides' io capability,
1151 * oob data flag and authentication request.
1152 *
1153 * Note If Secure Connections Only mode is required locally then we
1154 * come to this point only if both sides support Secure
1155 * Connections mode, i.e.
1156 * if p_cb->secure_connections_only_mode_required = true
1157 * then we come to this point only if
1158 * (p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT) ==
1159 * (p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) ==
1160 * SMP_SC_SUPPORT_BIT
1161 *
1162 ******************************************************************************/
smp_select_association_model(tSMP_CB * p_cb)1163 tSMP_ASSO_MODEL smp_select_association_model(tSMP_CB* p_cb) {
1164 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE;
1165 p_cb->le_secure_connections_mode_is_used = false;
1166
1167 SMP_TRACE_EVENT("%s", __func__);
1168 SMP_TRACE_DEBUG("%s p_cb->peer_io_caps = %d p_cb->local_io_capability = %d",
1169 __func__, p_cb->peer_io_caps, p_cb->local_io_capability);
1170 SMP_TRACE_DEBUG("%s p_cb->peer_oob_flag = %d p_cb->loc_oob_flag = %d",
1171 __func__, p_cb->peer_oob_flag, p_cb->loc_oob_flag);
1172 SMP_TRACE_DEBUG("%s p_cb->peer_auth_req = 0x%02x p_cb->loc_auth_req = 0x%02x",
1173 __func__, p_cb->peer_auth_req, p_cb->loc_auth_req);
1174 SMP_TRACE_DEBUG(
1175 "%s p_cb->secure_connections_only_mode_required = %s", __func__,
1176 p_cb->secure_connections_only_mode_required ? "true" : "false");
1177
1178 if ((p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT) &&
1179 (p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT)) {
1180 p_cb->le_secure_connections_mode_is_used = true;
1181 }
1182
1183 if ((p_cb->peer_auth_req & SMP_H7_SUPPORT_BIT) &&
1184 (p_cb->loc_auth_req & SMP_H7_SUPPORT_BIT)) {
1185 p_cb->key_derivation_h7_used = TRUE;
1186 }
1187
1188 SMP_TRACE_DEBUG("use_sc_process = %d, h7 use = %d",
1189 p_cb->le_secure_connections_mode_is_used,
1190 p_cb->key_derivation_h7_used);
1191
1192 if (p_cb->le_secure_connections_mode_is_used) {
1193 model = smp_select_association_model_secure_connections(p_cb);
1194 } else {
1195 model = smp_select_legacy_association_model(p_cb);
1196 }
1197 return model;
1198 }
1199
1200 /*******************************************************************************
1201 * Function smp_select_legacy_association_model
1202 *
1203 * Description This function is called to select association mode if at
1204 * least one side doesn't support secure connections.
1205 *
1206 ******************************************************************************/
smp_select_legacy_association_model(tSMP_CB * p_cb)1207 tSMP_ASSO_MODEL smp_select_legacy_association_model(tSMP_CB* p_cb) {
1208 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE;
1209
1210 SMP_TRACE_DEBUG("%s", __func__);
1211 /* if OOB data is present on both devices, then use OOB association model */
1212 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT &&
1213 p_cb->loc_oob_flag == SMP_OOB_PRESENT)
1214 return SMP_MODEL_OOB;
1215
1216 /* else if neither device requires MITM, then use Just Works association model
1217 */
1218 if (SMP_NO_MITM_REQUIRED(p_cb->peer_auth_req) &&
1219 SMP_NO_MITM_REQUIRED(p_cb->loc_auth_req))
1220 return SMP_MODEL_ENCRYPTION_ONLY;
1221
1222 /* otherwise use IO capability to select association model */
1223 if (p_cb->peer_io_caps < SMP_IO_CAP_MAX &&
1224 p_cb->local_io_capability < SMP_IO_CAP_MAX) {
1225 if (p_cb->role == HCI_ROLE_MASTER) {
1226 model = smp_association_table[p_cb->role][p_cb->peer_io_caps]
1227 [p_cb->local_io_capability];
1228 } else {
1229 model = smp_association_table[p_cb->role][p_cb->local_io_capability]
1230 [p_cb->peer_io_caps];
1231 }
1232 }
1233
1234 return model;
1235 }
1236
1237 /*******************************************************************************
1238 * Function smp_select_association_model_secure_connections
1239 *
1240 * Description This function is called to select association mode if both
1241 * sides support secure connections.
1242 *
1243 ******************************************************************************/
smp_select_association_model_secure_connections(tSMP_CB * p_cb)1244 tSMP_ASSO_MODEL smp_select_association_model_secure_connections(tSMP_CB* p_cb) {
1245 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE;
1246
1247 SMP_TRACE_DEBUG("%s", __func__);
1248 /* if OOB data is present on at least one device, then use OOB association
1249 * model */
1250 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT ||
1251 p_cb->loc_oob_flag == SMP_OOB_PRESENT)
1252 return SMP_MODEL_SEC_CONN_OOB;
1253
1254 /* else if neither device requires MITM, then use Just Works association model
1255 */
1256 if (SMP_NO_MITM_REQUIRED(p_cb->peer_auth_req) &&
1257 SMP_NO_MITM_REQUIRED(p_cb->loc_auth_req))
1258 return SMP_MODEL_SEC_CONN_JUSTWORKS;
1259
1260 /* otherwise use IO capability to select association model */
1261 if (p_cb->peer_io_caps < SMP_IO_CAP_MAX &&
1262 p_cb->local_io_capability < SMP_IO_CAP_MAX) {
1263 if (p_cb->role == HCI_ROLE_MASTER) {
1264 model = smp_association_table_sc[p_cb->role][p_cb->peer_io_caps]
1265 [p_cb->local_io_capability];
1266 } else {
1267 model = smp_association_table_sc[p_cb->role][p_cb->local_io_capability]
1268 [p_cb->peer_io_caps];
1269 }
1270 }
1271
1272 return model;
1273 }
1274
1275 /*******************************************************************************
1276 * Function smp_reverse_array
1277 *
1278 * Description This function reverses array bytes
1279 *
1280 ******************************************************************************/
smp_reverse_array(uint8_t * arr,uint8_t len)1281 void smp_reverse_array(uint8_t* arr, uint8_t len) {
1282 uint8_t i = 0, tmp;
1283
1284 SMP_TRACE_DEBUG("smp_reverse_array");
1285
1286 for (i = 0; i < len / 2; i++) {
1287 tmp = arr[i];
1288 arr[i] = arr[len - 1 - i];
1289 arr[len - 1 - i] = tmp;
1290 }
1291 }
1292
1293 /*******************************************************************************
1294 * Function smp_calculate_random_input
1295 *
1296 * Description This function returns random input value to be used in
1297 * commitment calculation for SC passkey entry association mode
1298 * (if bit["round"] in "random" array == 1 then returns 0x81
1299 * else returns 0x80).
1300 *
1301 * Returns ri value
1302 *
1303 ******************************************************************************/
smp_calculate_random_input(uint8_t * random,uint8_t round)1304 uint8_t smp_calculate_random_input(uint8_t* random, uint8_t round) {
1305 uint8_t i = round / 8;
1306 uint8_t j = round % 8;
1307 uint8_t ri;
1308
1309 SMP_TRACE_DEBUG("random: 0x%02x, round: %d, i: %d, j: %d", random[i], round,
1310 i, j);
1311 ri = ((random[i] >> j) & 1) | 0x80;
1312 SMP_TRACE_DEBUG("%s ri=0x%02x", __func__, ri);
1313 return ri;
1314 }
1315
1316 /*******************************************************************************
1317 * Function smp_collect_local_io_capabilities
1318 *
1319 * Description This function puts into IOcap array local device
1320 * IOCapability, OOB data, AuthReq.
1321 *
1322 * Returns void
1323 *
1324 ******************************************************************************/
smp_collect_local_io_capabilities(uint8_t * iocap,tSMP_CB * p_cb)1325 void smp_collect_local_io_capabilities(uint8_t* iocap, tSMP_CB* p_cb) {
1326 SMP_TRACE_DEBUG("%s", __func__);
1327
1328 iocap[0] = p_cb->local_io_capability;
1329 iocap[1] = p_cb->loc_oob_flag;
1330 iocap[2] = p_cb->loc_auth_req;
1331 }
1332
1333 /*******************************************************************************
1334 * Function smp_collect_peer_io_capabilities
1335 *
1336 * Description This function puts into IOcap array peer device
1337 * IOCapability, OOB data, AuthReq.
1338 *
1339 * Returns void
1340 *
1341 ******************************************************************************/
smp_collect_peer_io_capabilities(uint8_t * iocap,tSMP_CB * p_cb)1342 void smp_collect_peer_io_capabilities(uint8_t* iocap, tSMP_CB* p_cb) {
1343 SMP_TRACE_DEBUG("%s", __func__);
1344
1345 iocap[0] = p_cb->peer_io_caps;
1346 iocap[1] = p_cb->peer_oob_flag;
1347 iocap[2] = p_cb->peer_auth_req;
1348 }
1349
1350 /*******************************************************************************
1351 * Function smp_collect_local_ble_address
1352 *
1353 * Description Put the the local device LE address into the le_addr array:
1354 * le_addr[0-5] = local BD ADDR,
1355 * le_addr[6] = local le address type (PUBLIC/RANDOM).
1356 *
1357 * Returns void
1358 *
1359 ******************************************************************************/
smp_collect_local_ble_address(uint8_t * le_addr,tSMP_CB * p_cb)1360 void smp_collect_local_ble_address(uint8_t* le_addr, tSMP_CB* p_cb) {
1361 tBLE_ADDR_TYPE addr_type = 0;
1362 RawAddress bda;
1363 uint8_t* p = le_addr;
1364
1365 SMP_TRACE_DEBUG("%s", __func__);
1366
1367 BTM_ReadConnectionAddr(p_cb->pairing_bda, bda, &addr_type);
1368 BDADDR_TO_STREAM(p, bda);
1369 UINT8_TO_STREAM(p, addr_type);
1370 }
1371
1372 /*******************************************************************************
1373 * Function smp_collect_peer_ble_address
1374 *
1375 * Description Put the peer device LE addr into the le_addr array:
1376 * le_addr[0-5] = peer BD ADDR,
1377 * le_addr[6] = peer le address type (PUBLIC/RANDOM).
1378 *
1379 * Returns void
1380 *
1381 ******************************************************************************/
smp_collect_peer_ble_address(uint8_t * le_addr,tSMP_CB * p_cb)1382 void smp_collect_peer_ble_address(uint8_t* le_addr, tSMP_CB* p_cb) {
1383 tBLE_ADDR_TYPE addr_type = 0;
1384 RawAddress bda;
1385 uint8_t* p = le_addr;
1386
1387 SMP_TRACE_DEBUG("%s", __func__);
1388
1389 if (!BTM_ReadRemoteConnectionAddr(p_cb->pairing_bda, bda, &addr_type)) {
1390 SMP_TRACE_ERROR(
1391 "can not collect peer le addr information for unknown device");
1392 return;
1393 }
1394
1395 BDADDR_TO_STREAM(p, bda);
1396 UINT8_TO_STREAM(p, addr_type);
1397 }
1398
1399 /*******************************************************************************
1400 * Function smp_check_commitment
1401 *
1402 * Description This function compares peer commitment values:
1403 * - expected (i.e. calculated locally),
1404 * - received from the peer.
1405 *
1406 * Returns true if the values are the same
1407 * false otherwise
1408 *
1409 ******************************************************************************/
smp_check_commitment(tSMP_CB * p_cb)1410 bool smp_check_commitment(tSMP_CB* p_cb) {
1411 BT_OCTET16 expected;
1412
1413 SMP_TRACE_DEBUG("%s", __func__);
1414
1415 smp_calculate_peer_commitment(p_cb, expected);
1416 print128(expected, (const uint8_t*)"calculated peer commitment");
1417 print128(p_cb->remote_commitment, (const uint8_t*)"received peer commitment");
1418
1419 if (memcmp(p_cb->remote_commitment, expected, BT_OCTET16_LEN)) {
1420 SMP_TRACE_WARNING("%s: Commitment check fails", __func__);
1421 return false;
1422 }
1423
1424 SMP_TRACE_DEBUG("%s: Commitment check succeeds", __func__);
1425 return true;
1426 }
1427
1428 /*******************************************************************************
1429 *
1430 * Function smp_save_secure_connections_long_term_key
1431 *
1432 * Description The function saves SC LTK as BLE key for future use as local
1433 * and/or peer key.
1434 *
1435 * Returns void
1436 *
1437 ******************************************************************************/
smp_save_secure_connections_long_term_key(tSMP_CB * p_cb)1438 void smp_save_secure_connections_long_term_key(tSMP_CB* p_cb) {
1439 tBTM_LE_LENC_KEYS lle_key;
1440 tBTM_LE_PENC_KEYS ple_key;
1441
1442 SMP_TRACE_DEBUG("%s-Save LTK as local LTK key", __func__);
1443 memcpy(lle_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
1444 lle_key.div = 0;
1445 lle_key.key_size = p_cb->loc_enc_size;
1446 lle_key.sec_level = p_cb->sec_level;
1447 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC,
1448 (tBTM_LE_KEY_VALUE*)&lle_key, true);
1449
1450 SMP_TRACE_DEBUG("%s-Save LTK as peer LTK key", __func__);
1451 ple_key.ediv = 0;
1452 memset(ple_key.rand, 0, BT_OCTET8_LEN);
1453 memcpy(ple_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
1454 ple_key.sec_level = p_cb->sec_level;
1455 ple_key.key_size = p_cb->loc_enc_size;
1456 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC,
1457 (tBTM_LE_KEY_VALUE*)&ple_key, true);
1458 }
1459
1460 /*******************************************************************************
1461 *
1462 * Function smp_calculate_f5_mackey_and_long_term_key
1463 *
1464 * Description The function calculates MacKey and LTK and saves them in CB.
1465 * To calculate MacKey and LTK it calls smp_calc_f5(...).
1466 * MacKey is used in dhkey calculation, LTK is used to encrypt
1467 * the link.
1468 *
1469 * Returns false if out of resources, true otherwise.
1470 *
1471 ******************************************************************************/
smp_calculate_f5_mackey_and_long_term_key(tSMP_CB * p_cb)1472 bool smp_calculate_f5_mackey_and_long_term_key(tSMP_CB* p_cb) {
1473 uint8_t a[7];
1474 uint8_t b[7];
1475 uint8_t* p_na;
1476 uint8_t* p_nb;
1477
1478 SMP_TRACE_DEBUG("%s", __func__);
1479
1480 if (p_cb->role == HCI_ROLE_MASTER) {
1481 smp_collect_local_ble_address(a, p_cb);
1482 smp_collect_peer_ble_address(b, p_cb);
1483 p_na = p_cb->rand;
1484 p_nb = p_cb->rrand;
1485 } else {
1486 smp_collect_local_ble_address(b, p_cb);
1487 smp_collect_peer_ble_address(a, p_cb);
1488 p_na = p_cb->rrand;
1489 p_nb = p_cb->rand;
1490 }
1491
1492 if (!smp_calculate_f5(p_cb->dhkey, p_na, p_nb, a, b, p_cb->mac_key,
1493 p_cb->ltk)) {
1494 SMP_TRACE_ERROR("%s failed", __func__);
1495 return false;
1496 }
1497
1498 SMP_TRACE_EVENT("%s is completed", __func__);
1499 return true;
1500 }
1501
1502 /*******************************************************************************
1503 *
1504 * Function smp_request_oob_data
1505 *
1506 * Description Requests application to provide OOB data.
1507 *
1508 * Returns true - OOB data has to be provided by application
1509 * false - otherwise (unexpected)
1510 *
1511 ******************************************************************************/
smp_request_oob_data(tSMP_CB * p_cb)1512 bool smp_request_oob_data(tSMP_CB* p_cb) {
1513 tSMP_OOB_DATA_TYPE req_oob_type = SMP_OOB_INVALID_TYPE;
1514
1515 SMP_TRACE_DEBUG("%s", __func__);
1516
1517 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT &&
1518 p_cb->loc_oob_flag == SMP_OOB_PRESENT) {
1519 /* both local and peer rcvd data OOB */
1520 req_oob_type = SMP_OOB_BOTH;
1521 } else if (p_cb->peer_oob_flag == SMP_OOB_PRESENT) {
1522 /* peer rcvd OOB local data, local didn't receive OOB peer data */
1523 req_oob_type = SMP_OOB_LOCAL;
1524 } else if (p_cb->loc_oob_flag == SMP_OOB_PRESENT) {
1525 req_oob_type = SMP_OOB_PEER;
1526 }
1527
1528 SMP_TRACE_DEBUG("req_oob_type = %d", req_oob_type);
1529
1530 if (req_oob_type == SMP_OOB_INVALID_TYPE) return false;
1531
1532 p_cb->req_oob_type = req_oob_type;
1533 p_cb->cb_evt = SMP_SC_OOB_REQ_EVT;
1534 tSMP_INT_DATA smp_int_data;
1535 smp_int_data.req_oob_type = req_oob_type;
1536 smp_sm_event(p_cb, SMP_TK_REQ_EVT, &smp_int_data);
1537
1538 return true;
1539 }
1540