1 /******************************************************************************
3 * Copyright (C) 2003-2012 Broadcom Corporation
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
17 ******************************************************************************/
20 #include "btif_common.h"
21 #include "device/include/interop.h"
22 #include "include/bt_target.h"
23 #include "stack/btm/btm_int.h"
24 #include "stack/include/l2c_api.h"
25 #include "stack/smp/smp_int.h"
26 #include "utils/include/bt_utils.h"
28 #define SMP_KEY_DIST_TYPE_MAX 4
30 const tSMP_ACT smp_distribute_act[] = {smp_generate_ltk, smp_send_id_info,
32 smp_set_derive_link_key};
34 static bool lmp_version_below(const RawAddress& bda, uint8_t version) {
35 tACL_CONN* acl = btm_bda_to_acl(bda, BT_TRANSPORT_LE);
36 if (acl == NULL || acl->lmp_version == 0) {
37 SMP_TRACE_WARNING("%s cannot retrieve LMP version...", __func__);
40 SMP_TRACE_WARNING("%s LMP version %d < %d", __func__, acl->lmp_version,
42 return acl->lmp_version < version;
45 static bool pts_test_send_authentication_complete_failure(tSMP_CB* p_cb) {
46 uint8_t reason = p_cb->cert_failure;
47 if (reason == SMP_PAIR_AUTH_FAIL || reason == SMP_PAIR_FAIL_UNKNOWN ||
48 reason == SMP_PAIR_NOT_SUPPORT || reason == SMP_PASSKEY_ENTRY_FAIL ||
49 reason == SMP_REPEATED_ATTEMPTS) {
50 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
56 /*******************************************************************************
57 * Function smp_update_key_mask
58 * Description This function updates the key mask for sending or receiving.
59 ******************************************************************************/
60 static void smp_update_key_mask(tSMP_CB* p_cb, uint8_t key_type, bool recv) {
62 "%s before update role=%d recv=%d local_i_key = %02x, local_r_key = %02x",
63 __func__, p_cb->role, recv, p_cb->local_i_key, p_cb->local_r_key);
65 if (((p_cb->le_secure_connections_mode_is_used) || (p_cb->smp_over_br)) &&
66 ((key_type == SMP_SEC_KEY_TYPE_ENC) ||
67 (key_type == SMP_SEC_KEY_TYPE_LK))) {
68 /* in LE SC mode LTK, CSRK and BR/EDR LK are derived locally instead of
69 ** being exchanged with the peer */
70 p_cb->local_i_key &= ~key_type;
71 p_cb->local_r_key &= ~key_type;
72 } else if (p_cb->role == HCI_ROLE_SLAVE) {
74 p_cb->local_i_key &= ~key_type;
76 p_cb->local_r_key &= ~key_type;
79 p_cb->local_r_key &= ~key_type;
81 p_cb->local_i_key &= ~key_type;
84 SMP_TRACE_DEBUG("updated local_i_key = %02x, local_r_key = %02x",
85 p_cb->local_i_key, p_cb->local_r_key);
88 /*******************************************************************************
89 * Function smp_send_app_cback
90 * Description notifies application about the events the application is
92 ******************************************************************************/
93 void smp_send_app_cback(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
94 tSMP_EVT_DATA cb_data;
95 tSMP_STATUS callback_rc;
96 SMP_TRACE_DEBUG("%s p_cb->cb_evt=%d", __func__, p_cb->cb_evt);
97 if (p_cb->p_callback && p_cb->cb_evt != 0) {
98 switch (p_cb->cb_evt) {
99 case SMP_IO_CAP_REQ_EVT:
100 cb_data.io_req.auth_req = p_cb->peer_auth_req;
101 cb_data.io_req.oob_data = SMP_OOB_NONE;
102 cb_data.io_req.io_cap = SMP_DEFAULT_IO_CAPS;
103 cb_data.io_req.max_key_size = SMP_MAX_ENC_KEY_SIZE;
104 cb_data.io_req.init_keys = p_cb->local_i_key;
105 cb_data.io_req.resp_keys = p_cb->local_r_key;
106 SMP_TRACE_WARNING("io_cap = %d", cb_data.io_req.io_cap);
110 cb_data.passkey = p_data->passkey;
112 case SMP_SC_OOB_REQ_EVT:
113 cb_data.req_oob_type = p_data->req_oob_type;
115 case SMP_SC_LOC_OOB_DATA_UP_EVT:
116 cb_data.loc_oob_data = p_cb->sc_oob_data.loc_oob_data;
119 case SMP_BR_KEYS_REQ_EVT:
120 cb_data.io_req.auth_req = 0;
121 cb_data.io_req.oob_data = SMP_OOB_NONE;
122 cb_data.io_req.io_cap = 0;
123 cb_data.io_req.max_key_size = SMP_MAX_ENC_KEY_SIZE;
124 cb_data.io_req.init_keys = SMP_BR_SEC_DEFAULT_KEY;
125 cb_data.io_req.resp_keys = SMP_BR_SEC_DEFAULT_KEY;
133 (*p_cb->p_callback)(p_cb->cb_evt, p_cb->pairing_bda, &cb_data);
135 SMP_TRACE_DEBUG("%s: callback_rc=%d p_cb->cb_evt=%d", __func__,
136 callback_rc, p_cb->cb_evt);
138 if (callback_rc == SMP_SUCCESS) {
139 switch (p_cb->cb_evt) {
140 case SMP_IO_CAP_REQ_EVT:
141 p_cb->loc_auth_req = cb_data.io_req.auth_req;
142 p_cb->local_io_capability = cb_data.io_req.io_cap;
143 p_cb->loc_oob_flag = cb_data.io_req.oob_data;
144 p_cb->loc_enc_size = cb_data.io_req.max_key_size;
145 p_cb->local_i_key = cb_data.io_req.init_keys;
146 p_cb->local_r_key = cb_data.io_req.resp_keys;
148 if (!(p_cb->loc_auth_req & SMP_AUTH_BOND)) {
149 SMP_TRACE_WARNING("Non bonding: No keys will be exchanged");
150 p_cb->local_i_key = 0;
151 p_cb->local_r_key = 0;
155 "rcvd auth_req: 0x%02x, io_cap: %d "
156 "loc_oob_flag: %d loc_enc_size: %d, "
157 "local_i_key: 0x%02x, local_r_key: 0x%02x",
158 p_cb->loc_auth_req, p_cb->local_io_capability, p_cb->loc_oob_flag,
159 p_cb->loc_enc_size, p_cb->local_i_key, p_cb->local_r_key);
161 p_cb->secure_connections_only_mode_required =
162 (btm_cb.security_mode == BTM_SEC_MODE_SC) ? true : false;
164 if (p_cb->secure_connections_only_mode_required) {
165 p_cb->loc_auth_req |= SMP_SC_SUPPORT_BIT;
168 if (!(p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) ||
169 lmp_version_below(p_cb->pairing_bda, HCI_PROTO_VERSION_4_2) ||
170 interop_match_addr(INTEROP_DISABLE_LE_SECURE_CONNECTIONS,
171 (const RawAddress*)&p_cb->pairing_bda)) {
172 p_cb->loc_auth_req &= ~SMP_KP_SUPPORT_BIT;
173 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
174 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
177 if (lmp_version_below(p_cb->pairing_bda, HCI_PROTO_VERSION_5_0)) {
178 p_cb->loc_auth_req &= ~SMP_H7_SUPPORT_BIT;
182 "set auth_req: 0x%02x, local_i_key: 0x%02x, local_r_key: 0x%02x",
183 p_cb->loc_auth_req, p_cb->local_i_key, p_cb->local_r_key);
185 smp_sm_event(p_cb, SMP_IO_RSP_EVT, NULL);
188 case SMP_BR_KEYS_REQ_EVT:
189 p_cb->loc_enc_size = cb_data.io_req.max_key_size;
190 p_cb->local_i_key = cb_data.io_req.init_keys;
191 p_cb->local_r_key = cb_data.io_req.resp_keys;
192 p_cb->loc_auth_req |= SMP_H7_SUPPORT_BIT;
194 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
195 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
198 "for SMP over BR max_key_size: 0x%02x, local_i_key: 0x%02x, "
199 "local_r_key: 0x%02x, p_cb->loc_auth_req: 0x%02x",
200 p_cb->loc_enc_size, p_cb->local_i_key, p_cb->local_r_key,
203 smp_br_state_machine_event(p_cb, SMP_BR_KEYS_RSP_EVT, NULL);
209 if (!p_cb->cb_evt && p_cb->discard_sec_req) {
210 p_cb->discard_sec_req = false;
211 smp_sm_event(p_cb, SMP_DISCARD_SEC_REQ_EVT, NULL);
214 SMP_TRACE_DEBUG("%s: return", __func__);
217 /*******************************************************************************
218 * Function smp_send_pair_fail
219 * Description pairing failure to peer device if needed.
220 ******************************************************************************/
221 void smp_send_pair_fail(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
222 p_cb->status = *(uint8_t*)p_data;
223 p_cb->failure = *(uint8_t*)p_data;
225 SMP_TRACE_DEBUG("%s: status=%d failure=%d ", __func__, p_cb->status,
228 if (p_cb->status <= SMP_MAX_FAIL_RSN_PER_SPEC &&
229 p_cb->status != SMP_SUCCESS) {
230 smp_send_cmd(SMP_OPCODE_PAIRING_FAILED, p_cb);
231 p_cb->wait_for_authorization_complete = true;
235 /*******************************************************************************
236 * Function smp_send_pair_req
237 * Description actions related to sending pairing request
238 ******************************************************************************/
239 void smp_send_pair_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
240 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
241 SMP_TRACE_DEBUG("%s", __func__);
243 /* erase all keys when master sends pairing req*/
244 if (p_dev_rec) btm_sec_clear_ble_keys(p_dev_rec);
245 /* do not manipulate the key, let app decide,
246 leave out to BTM to mandate key distribution for bonding case */
247 smp_send_cmd(SMP_OPCODE_PAIRING_REQ, p_cb);
250 /*******************************************************************************
251 * Function smp_send_pair_rsp
252 * Description actions related to sending pairing response
253 ******************************************************************************/
254 void smp_send_pair_rsp(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
255 SMP_TRACE_DEBUG("%s", __func__);
257 p_cb->local_i_key &= p_cb->peer_i_key;
258 p_cb->local_r_key &= p_cb->peer_r_key;
260 if (smp_send_cmd(SMP_OPCODE_PAIRING_RSP, p_cb)) {
261 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB)
262 smp_use_oob_private_key(p_cb, NULL);
264 smp_decide_association_model(p_cb, NULL);
268 /*******************************************************************************
269 * Function smp_send_confirm
270 * Description send confirmation to the peer
271 ******************************************************************************/
272 void smp_send_confirm(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
273 SMP_TRACE_DEBUG("%s", __func__);
274 smp_send_cmd(SMP_OPCODE_CONFIRM, p_cb);
277 /*******************************************************************************
278 * Function smp_send_init
279 * Description process pairing initializer to slave device
280 ******************************************************************************/
281 void smp_send_init(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
282 SMP_TRACE_DEBUG("%s", __func__);
283 smp_send_cmd(SMP_OPCODE_INIT, p_cb);
286 /*******************************************************************************
287 * Function smp_send_rand
288 * Description send pairing random to the peer
289 ******************************************************************************/
290 void smp_send_rand(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
291 SMP_TRACE_DEBUG("%s", __func__);
292 smp_send_cmd(SMP_OPCODE_RAND, p_cb);
295 /*******************************************************************************
296 * Function smp_send_pair_public_key
297 * Description send pairing public key command to the peer
298 ******************************************************************************/
299 void smp_send_pair_public_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
300 SMP_TRACE_DEBUG("%s", __func__);
301 smp_send_cmd(SMP_OPCODE_PAIR_PUBLIC_KEY, p_cb);
304 /*******************************************************************************
305 * Function SMP_SEND_COMMITMENT
306 * Description send commitment command to the peer
307 ******************************************************************************/
308 void smp_send_commitment(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
309 SMP_TRACE_DEBUG("%s", __func__);
310 smp_send_cmd(SMP_OPCODE_PAIR_COMMITM, p_cb);
313 /*******************************************************************************
314 * Function smp_send_dhkey_check
315 * Description send DHKey Check command to the peer
316 ******************************************************************************/
317 void smp_send_dhkey_check(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
318 SMP_TRACE_DEBUG("%s", __func__);
319 smp_send_cmd(SMP_OPCODE_PAIR_DHKEY_CHECK, p_cb);
322 /*******************************************************************************
323 * Function smp_send_keypress_notification
324 * Description send Keypress Notification command to the peer
325 ******************************************************************************/
326 void smp_send_keypress_notification(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
327 p_cb->local_keypress_notification = *(uint8_t*)p_data;
328 smp_send_cmd(SMP_OPCODE_PAIR_KEYPR_NOTIF, p_cb);
331 /*******************************************************************************
332 * Function smp_send_enc_info
333 * Description send encryption information command.
334 ******************************************************************************/
335 void smp_send_enc_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
336 tBTM_LE_LENC_KEYS le_key;
338 SMP_TRACE_DEBUG("%s: p_cb->loc_enc_size = %d", __func__, p_cb->loc_enc_size);
339 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, false);
341 smp_send_cmd(SMP_OPCODE_ENCRYPT_INFO, p_cb);
342 smp_send_cmd(SMP_OPCODE_MASTER_ID, p_cb);
344 /* save the DIV and key size information when acting as slave device */
345 memcpy(le_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
346 le_key.div = p_cb->div;
347 le_key.key_size = p_cb->loc_enc_size;
348 le_key.sec_level = p_cb->sec_level;
350 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
351 (p_cb->loc_auth_req & SMP_AUTH_BOND))
352 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC,
353 (tBTM_LE_KEY_VALUE*)&le_key, true);
355 SMP_TRACE_WARNING("%s", __func__);
357 smp_key_distribution(p_cb, NULL);
360 /*******************************************************************************
361 * Function smp_send_id_info
362 * Description send ID information command.
363 ******************************************************************************/
364 void smp_send_id_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
365 tBTM_LE_KEY_VALUE le_key;
366 SMP_TRACE_DEBUG("%s", __func__);
367 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ID, false);
369 smp_send_cmd(SMP_OPCODE_IDENTITY_INFO, p_cb);
370 smp_send_cmd(SMP_OPCODE_ID_ADDR, p_cb);
372 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
373 (p_cb->loc_auth_req & SMP_AUTH_BOND))
374 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LID, &le_key, true);
376 SMP_TRACE_WARNING("%s", __func__);
377 smp_key_distribution_by_transport(p_cb, NULL);
380 /*******************************************************************************
381 * Function smp_send_csrk_info
382 * Description send CSRK command.
383 ******************************************************************************/
384 void smp_send_csrk_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
385 tBTM_LE_LCSRK_KEYS key;
386 SMP_TRACE_DEBUG("%s", __func__);
387 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_CSRK, false);
389 if (smp_send_cmd(SMP_OPCODE_SIGN_INFO, p_cb)) {
391 key.sec_level = p_cb->sec_level;
392 key.counter = 0; /* initialize the local counter */
393 memcpy(key.csrk, p_cb->csrk, BT_OCTET16_LEN);
394 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LCSRK,
395 (tBTM_LE_KEY_VALUE*)&key, true);
398 smp_key_distribution_by_transport(p_cb, NULL);
401 /*******************************************************************************
402 * Function smp_send_ltk_reply
403 * Description send LTK reply
404 ******************************************************************************/
405 void smp_send_ltk_reply(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
406 SMP_TRACE_DEBUG("%s", __func__);
407 /* send stk as LTK response */
408 btm_ble_ltk_request_reply(p_cb->pairing_bda, true, p_data->key.p_data);
411 /*******************************************************************************
412 * Function smp_proc_sec_req
413 * Description process security request.
414 ******************************************************************************/
415 void smp_proc_sec_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
416 tBTM_LE_AUTH_REQ auth_req = *(tBTM_LE_AUTH_REQ*)p_data;
417 tBTM_BLE_SEC_REQ_ACT sec_req_act;
420 SMP_TRACE_DEBUG("%s: auth_req=0x%x", __func__, auth_req);
424 btm_ble_link_sec_check(p_cb->pairing_bda, auth_req, &sec_req_act);
426 SMP_TRACE_DEBUG("%s: sec_req_act=0x%x", __func__, sec_req_act);
428 switch (sec_req_act) {
429 case BTM_BLE_SEC_REQ_ACT_ENCRYPT:
430 SMP_TRACE_DEBUG("%s: BTM_BLE_SEC_REQ_ACT_ENCRYPT", __func__);
431 smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL);
434 case BTM_BLE_SEC_REQ_ACT_PAIR:
435 p_cb->secure_connections_only_mode_required =
436 (btm_cb.security_mode == BTM_SEC_MODE_SC) ? true : false;
438 /* respond to non SC pairing request as failure in SC only mode */
439 if (p_cb->secure_connections_only_mode_required &&
440 (auth_req & SMP_SC_SUPPORT_BIT) == 0) {
441 reason = SMP_PAIR_AUTH_FAIL;
442 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
444 /* initialize local i/r key to be default keys */
445 p_cb->peer_auth_req = auth_req;
446 p_cb->local_r_key = p_cb->local_i_key = SMP_SEC_DEFAULT_KEY;
447 p_cb->cb_evt = SMP_SEC_REQUEST_EVT;
451 case BTM_BLE_SEC_REQ_ACT_DISCARD:
452 p_cb->discard_sec_req = true;
461 /*******************************************************************************
462 * Function smp_proc_sec_grant
463 * Description process security grant.
464 ******************************************************************************/
465 void smp_proc_sec_grant(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
466 uint8_t res = *(uint8_t*)p_data;
467 SMP_TRACE_DEBUG("%s", __func__);
468 if (res != SMP_SUCCESS) {
469 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, p_data);
470 } else /*otherwise, start pairing */
472 /* send IO request callback */
473 p_cb->cb_evt = SMP_IO_CAP_REQ_EVT;
477 /*******************************************************************************
478 * Function smp_proc_pair_fail
479 * Description process pairing failure from peer device
480 ******************************************************************************/
481 void smp_proc_pair_fail(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
482 SMP_TRACE_DEBUG("%s", __func__);
483 p_cb->status = *(uint8_t*)p_data;
485 /* Cancel pending auth complete timer if set */
486 alarm_cancel(p_cb->delayed_auth_timer_ent);
489 /*******************************************************************************
490 * Function smp_proc_pair_cmd
491 * Description Process the SMP pairing request/response from peer device
492 ******************************************************************************/
493 void smp_proc_pair_cmd(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
494 uint8_t* p = (uint8_t*)p_data;
495 uint8_t reason = SMP_ENC_KEY_SIZE;
496 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
498 SMP_TRACE_DEBUG("%s", __func__);
499 /* erase all keys if it is slave proc pairing req */
500 if (p_dev_rec && (p_cb->role == HCI_ROLE_SLAVE))
501 btm_sec_clear_ble_keys(p_dev_rec);
503 p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR;
505 STREAM_TO_UINT8(p_cb->peer_io_caps, p);
506 STREAM_TO_UINT8(p_cb->peer_oob_flag, p);
507 STREAM_TO_UINT8(p_cb->peer_auth_req, p);
508 STREAM_TO_UINT8(p_cb->peer_enc_size, p);
509 STREAM_TO_UINT8(p_cb->peer_i_key, p);
510 STREAM_TO_UINT8(p_cb->peer_r_key, p);
512 if (smp_command_has_invalid_parameters(p_cb)) {
513 reason = SMP_INVALID_PARAMETERS;
514 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
518 // PTS Testing failure modes
519 if (pts_test_send_authentication_complete_failure(p_cb)) return;
521 if (p_cb->role == HCI_ROLE_SLAVE) {
522 if (!(p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD)) {
523 /* peer (master) started pairing sending Pairing Request */
524 p_cb->local_i_key = p_cb->peer_i_key;
525 p_cb->local_r_key = p_cb->peer_r_key;
527 p_cb->cb_evt = SMP_SEC_REQUEST_EVT;
528 } else /* update local i/r key according to pairing request */
530 /* pairing started with this side (slave) sending Security Request */
531 p_cb->local_i_key &= p_cb->peer_i_key;
532 p_cb->local_r_key &= p_cb->peer_r_key;
533 p_cb->selected_association_model = smp_select_association_model(p_cb);
535 if (p_cb->secure_connections_only_mode_required &&
536 (!(p_cb->le_secure_connections_mode_is_used) ||
537 (p_cb->selected_association_model ==
538 SMP_MODEL_SEC_CONN_JUSTWORKS))) {
540 "%s: pairing failed - slave requires secure connection only mode",
542 reason = SMP_PAIR_AUTH_FAIL;
543 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
547 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) {
548 if (smp_request_oob_data(p_cb)) return;
550 smp_send_pair_rsp(p_cb, NULL);
553 } else /* Master receives pairing response */
555 p_cb->selected_association_model = smp_select_association_model(p_cb);
557 if (p_cb->secure_connections_only_mode_required &&
558 (!(p_cb->le_secure_connections_mode_is_used) ||
559 (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS))) {
561 "Master requires secure connection only mode "
562 "but it can't be provided -> Master fails pairing");
563 reason = SMP_PAIR_AUTH_FAIL;
564 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
568 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) {
569 if (smp_request_oob_data(p_cb)) return;
571 smp_decide_association_model(p_cb, NULL);
576 /*******************************************************************************
577 * Function smp_proc_confirm
578 * Description process pairing confirm from peer device
579 ******************************************************************************/
580 void smp_proc_confirm(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
581 uint8_t* p = (uint8_t*)p_data;
582 uint8_t reason = SMP_INVALID_PARAMETERS;
584 SMP_TRACE_DEBUG("%s", __func__);
586 if (smp_command_has_invalid_parameters(p_cb)) {
587 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
592 /* save the SConfirm for comparison later */
593 STREAM_TO_ARRAY(p_cb->rconfirm, p, BT_OCTET16_LEN);
596 p_cb->flags |= SMP_PAIR_FLAGS_CMD_CONFIRM;
599 /*******************************************************************************
600 * Function smp_proc_init
601 * Description process pairing initializer from peer device
602 ******************************************************************************/
603 void smp_proc_init(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
604 uint8_t* p = (uint8_t*)p_data;
605 uint8_t reason = SMP_INVALID_PARAMETERS;
607 SMP_TRACE_DEBUG("%s", __func__);
609 if (smp_command_has_invalid_parameters(p_cb)) {
610 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
614 /* save the SRand for comparison */
615 STREAM_TO_ARRAY(p_cb->rrand, p, BT_OCTET16_LEN);
618 /*******************************************************************************
619 * Function smp_proc_rand
620 * Description process pairing random (nonce) from peer device
621 ******************************************************************************/
622 void smp_proc_rand(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
623 uint8_t* p = (uint8_t*)p_data;
624 uint8_t reason = SMP_INVALID_PARAMETERS;
626 SMP_TRACE_DEBUG("%s", __func__);
628 if (smp_command_has_invalid_parameters(p_cb)) {
629 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
633 /* save the SRand for comparison */
634 STREAM_TO_ARRAY(p_cb->rrand, p, BT_OCTET16_LEN);
637 /*******************************************************************************
638 * Function smp_process_pairing_public_key
639 * Description process pairing public key command from the peer device
640 * - saves the peer public key;
641 * - sets the flag indicating that the peer public key is received;
642 * - calls smp_wait_for_both_public_keys(...).
644 ******************************************************************************/
645 void smp_process_pairing_public_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
646 uint8_t* p = (uint8_t*)p_data;
647 uint8_t reason = SMP_INVALID_PARAMETERS;
649 SMP_TRACE_DEBUG("%s", __func__);
651 if (smp_command_has_invalid_parameters(p_cb)) {
652 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
656 STREAM_TO_ARRAY(p_cb->peer_publ_key.x, p, BT_OCTET32_LEN);
657 STREAM_TO_ARRAY(p_cb->peer_publ_key.y, p, BT_OCTET32_LEN);
658 p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_PUBL_KEY;
660 smp_wait_for_both_public_keys(p_cb, NULL);
663 /*******************************************************************************
664 * Function smp_process_pairing_commitment
665 * Description process pairing commitment from peer device
666 ******************************************************************************/
667 void smp_process_pairing_commitment(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
668 uint8_t* p = (uint8_t*)p_data;
669 uint8_t reason = SMP_INVALID_PARAMETERS;
671 SMP_TRACE_DEBUG("%s", __func__);
673 if (smp_command_has_invalid_parameters(p_cb)) {
674 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
678 p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_COMM;
681 STREAM_TO_ARRAY(p_cb->remote_commitment, p, BT_OCTET16_LEN);
685 /*******************************************************************************
686 * Function smp_process_dhkey_check
687 * Description process DHKey Check from peer device
688 ******************************************************************************/
689 void smp_process_dhkey_check(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
690 uint8_t* p = (uint8_t*)p_data;
691 uint8_t reason = SMP_INVALID_PARAMETERS;
693 SMP_TRACE_DEBUG("%s", __func__);
695 if (smp_command_has_invalid_parameters(p_cb)) {
696 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
701 STREAM_TO_ARRAY(p_cb->remote_dhkey_check, p, BT_OCTET16_LEN);
704 p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_DHK_CHK;
707 /*******************************************************************************
708 * Function smp_process_keypress_notification
709 * Description process pairing keypress notification from peer device
710 ******************************************************************************/
711 void smp_process_keypress_notification(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
712 uint8_t* p = (uint8_t*)p_data;
713 uint8_t reason = SMP_INVALID_PARAMETERS;
715 SMP_TRACE_DEBUG("%s", __func__);
716 p_cb->status = *(uint8_t*)p_data;
718 if (smp_command_has_invalid_parameters(p_cb)) {
719 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
724 STREAM_TO_UINT8(p_cb->peer_keypress_notification, p);
726 p_cb->peer_keypress_notification = BTM_SP_KEY_OUT_OF_RANGE;
728 p_cb->cb_evt = SMP_PEER_KEYPR_NOT_EVT;
731 /*******************************************************************************
732 * Function smp_br_process_pairing_command
733 * Description Process the SMP pairing request/response from peer device via
735 ******************************************************************************/
736 void smp_br_process_pairing_command(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
737 uint8_t* p = (uint8_t*)p_data;
738 uint8_t reason = SMP_ENC_KEY_SIZE;
739 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_cb->pairing_bda);
741 SMP_TRACE_DEBUG("%s", __func__);
742 /* rejecting BR pairing request over non-SC BR link */
743 if (!p_dev_rec->new_encryption_key_is_p256 && p_cb->role == HCI_ROLE_SLAVE) {
744 reason = SMP_XTRANS_DERIVE_NOT_ALLOW;
745 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &reason);
749 /* erase all keys if it is slave proc pairing req*/
750 if (p_dev_rec && (p_cb->role == HCI_ROLE_SLAVE))
751 btm_sec_clear_ble_keys(p_dev_rec);
753 p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR;
755 STREAM_TO_UINT8(p_cb->peer_io_caps, p);
756 STREAM_TO_UINT8(p_cb->peer_oob_flag, p);
757 STREAM_TO_UINT8(p_cb->peer_auth_req, p);
758 STREAM_TO_UINT8(p_cb->peer_enc_size, p);
759 STREAM_TO_UINT8(p_cb->peer_i_key, p);
760 STREAM_TO_UINT8(p_cb->peer_r_key, p);
762 if (smp_command_has_invalid_parameters(p_cb)) {
763 reason = SMP_INVALID_PARAMETERS;
764 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &reason);
768 /* peer (master) started pairing sending Pairing Request */
769 /* or being master device always use received i/r key as keys to distribute */
770 p_cb->local_i_key = p_cb->peer_i_key;
771 p_cb->local_r_key = p_cb->peer_r_key;
773 if (p_cb->role == HCI_ROLE_SLAVE) {
774 p_dev_rec->new_encryption_key_is_p256 = false;
775 /* shortcut to skip Security Grant step */
776 p_cb->cb_evt = SMP_BR_KEYS_REQ_EVT;
778 /* Master receives pairing response */
780 "%s master rcvs valid PAIRING RESPONSE."
781 " Supposed to move to key distribution phase. ",
785 /* auth_req received via BR/EDR SM channel is set to 0,
786 but everything derived/exchanged has to be saved */
787 p_cb->peer_auth_req |= SMP_AUTH_BOND;
788 p_cb->loc_auth_req |= SMP_AUTH_BOND;
791 /*******************************************************************************
792 * Function smp_br_process_security_grant
793 * Description process security grant in case of pairing over BR/EDR transport.
794 ******************************************************************************/
795 void smp_br_process_security_grant(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
796 uint8_t res = *(uint8_t*)p_data;
797 SMP_TRACE_DEBUG("%s", __func__);
798 if (res != SMP_SUCCESS) {
799 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, p_data);
801 /* otherwise, start pairing; send IO request callback */
802 p_cb->cb_evt = SMP_BR_KEYS_REQ_EVT;
806 /*******************************************************************************
807 * Function smp_br_check_authorization_request
808 * Description sets the SMP kes to be derived/distribute over BR/EDR transport
809 * before starting the distribution/derivation
810 ******************************************************************************/
811 void smp_br_check_authorization_request(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
812 uint8_t reason = SMP_SUCCESS;
814 SMP_TRACE_DEBUG("%s rcvs i_keys=0x%x r_keys=0x%x (i-initiator r-responder)",
815 __func__, p_cb->local_i_key, p_cb->local_r_key);
817 /* In LE SC mode LK field is ignored when BR/EDR transport is used */
818 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
819 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
821 /* In LE SC mode only IRK, IAI, CSRK are exchanged with the peer.
822 ** Set local_r_key on master to expect only these keys. */
823 if (p_cb->role == HCI_ROLE_MASTER) {
824 p_cb->local_r_key &= (SMP_SEC_KEY_TYPE_ID | SMP_SEC_KEY_TYPE_CSRK);
827 /* Check if H7 function needs to be used for key derivation*/
828 if ((p_cb->loc_auth_req & SMP_H7_SUPPORT_BIT) &&
829 (p_cb->peer_auth_req & SMP_H7_SUPPORT_BIT)) {
830 p_cb->key_derivation_h7_used = TRUE;
832 SMP_TRACE_DEBUG("%s: use h7 = %d", __func__, p_cb->key_derivation_h7_used);
835 "%s rcvs upgrades: i_keys=0x%x r_keys=0x%x (i-initiator r-responder)",
836 __func__, p_cb->local_i_key, p_cb->local_r_key);
838 if (/*((p_cb->peer_auth_req & SMP_AUTH_BOND) ||
839 (p_cb->loc_auth_req & SMP_AUTH_BOND)) &&*/
840 (p_cb->local_i_key || p_cb->local_r_key)) {
841 smp_br_state_machine_event(p_cb, SMP_BR_BOND_REQ_EVT, NULL);
843 /* if no peer key is expected, start master key distribution */
844 if (p_cb->role == HCI_ROLE_MASTER && p_cb->local_r_key == 0)
845 smp_key_distribution_by_transport(p_cb, NULL);
847 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &reason);
851 /*******************************************************************************
852 * Function smp_br_select_next_key
853 * Description selects the next key to derive/send when BR/EDR transport is
855 ******************************************************************************/
856 void smp_br_select_next_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
857 uint8_t reason = SMP_SUCCESS;
858 SMP_TRACE_DEBUG("%s role=%d (0-master) r_keys=0x%x i_keys=0x%x", __func__,
859 p_cb->role, p_cb->local_r_key, p_cb->local_i_key);
861 if (p_cb->role == HCI_ROLE_SLAVE ||
862 (!p_cb->local_r_key && p_cb->role == HCI_ROLE_MASTER)) {
863 smp_key_pick_key(p_cb, p_data);
866 if (!p_cb->local_i_key && !p_cb->local_r_key) {
867 /* state check to prevent re-entrance */
868 if (smp_get_br_state() == SMP_BR_STATE_BOND_PENDING) {
869 if (p_cb->total_tx_unacked == 0)
870 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &reason);
872 p_cb->wait_for_authorization_complete = true;
877 /*******************************************************************************
878 * Function smp_proc_enc_info
879 * Description process encryption information from peer device
880 ******************************************************************************/
881 void smp_proc_enc_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
882 uint8_t* p = (uint8_t*)p_data;
884 SMP_TRACE_DEBUG("%s", __func__);
885 STREAM_TO_ARRAY(p_cb->ltk, p, BT_OCTET16_LEN);
887 smp_key_distribution(p_cb, NULL);
889 /*******************************************************************************
890 * Function smp_proc_master_id
891 * Description process master ID from slave device
892 ******************************************************************************/
893 void smp_proc_master_id(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
894 uint8_t* p = (uint8_t*)p_data;
895 tBTM_LE_PENC_KEYS le_key;
897 SMP_TRACE_DEBUG("%s", __func__);
898 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, true);
900 STREAM_TO_UINT16(le_key.ediv, p);
901 STREAM_TO_ARRAY(le_key.rand, p, BT_OCTET8_LEN);
903 /* store the encryption keys from peer device */
904 memcpy(le_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
905 le_key.sec_level = p_cb->sec_level;
906 le_key.key_size = p_cb->loc_enc_size;
908 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
909 (p_cb->loc_auth_req & SMP_AUTH_BOND))
910 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC,
911 (tBTM_LE_KEY_VALUE*)&le_key, true);
913 smp_key_distribution(p_cb, NULL);
916 /*******************************************************************************
917 * Function smp_proc_enc_info
918 * Description process identity information from peer device
919 ******************************************************************************/
920 void smp_proc_id_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
921 uint8_t* p = (uint8_t*)p_data;
923 SMP_TRACE_DEBUG("%s", __func__);
924 STREAM_TO_ARRAY(p_cb->tk, p, BT_OCTET16_LEN); /* reuse TK for IRK */
925 smp_key_distribution_by_transport(p_cb, NULL);
928 /*******************************************************************************
929 * Function smp_proc_id_addr
930 * Description process identity address from peer device
931 ******************************************************************************/
932 void smp_proc_id_addr(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
933 uint8_t* p = (uint8_t*)p_data;
934 tBTM_LE_PID_KEYS pid_key;
936 SMP_TRACE_DEBUG("%s", __func__);
937 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ID, true);
939 STREAM_TO_UINT8(pid_key.addr_type, p);
940 STREAM_TO_BDADDR(pid_key.static_addr, p);
941 memcpy(pid_key.irk, p_cb->tk, BT_OCTET16_LEN);
943 /* to use as BD_ADDR for lk derived from ltk */
944 p_cb->id_addr_rcvd = true;
945 p_cb->id_addr_type = pid_key.addr_type;
946 p_cb->id_addr = pid_key.static_addr;
948 /* store the ID key from peer device */
949 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
950 (p_cb->loc_auth_req & SMP_AUTH_BOND))
951 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PID,
952 (tBTM_LE_KEY_VALUE*)&pid_key, true);
953 smp_key_distribution_by_transport(p_cb, NULL);
956 /*******************************************************************************
957 * Function smp_proc_srk_info
958 * Description process security information from peer device
959 ******************************************************************************/
960 void smp_proc_srk_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
961 tBTM_LE_PCSRK_KEYS le_key;
963 SMP_TRACE_DEBUG("%s", __func__);
964 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_CSRK, true);
966 /* save CSRK to security record */
967 le_key.sec_level = p_cb->sec_level;
970 maybe_non_aligned_memcpy(le_key.csrk, p_data, BT_OCTET16_LEN);
972 /* initialize the peer counter */
975 if ((p_cb->peer_auth_req & SMP_AUTH_BOND) &&
976 (p_cb->loc_auth_req & SMP_AUTH_BOND))
977 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PCSRK,
978 (tBTM_LE_KEY_VALUE*)&le_key, true);
979 smp_key_distribution_by_transport(p_cb, NULL);
982 /*******************************************************************************
983 * Function smp_proc_compare
984 * Description process compare value
985 ******************************************************************************/
986 void smp_proc_compare(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
989 SMP_TRACE_DEBUG("%s", __func__);
990 if (!memcmp(p_cb->rconfirm, p_data->key.p_data, BT_OCTET16_LEN)) {
991 /* compare the max encryption key size, and save the smaller one for the
993 if (p_cb->peer_enc_size < p_cb->loc_enc_size)
994 p_cb->loc_enc_size = p_cb->peer_enc_size;
996 if (p_cb->role == HCI_ROLE_SLAVE)
997 smp_sm_event(p_cb, SMP_RAND_EVT, NULL);
999 /* master device always use received i/r key as keys to distribute */
1000 p_cb->local_i_key = p_cb->peer_i_key;
1001 p_cb->local_r_key = p_cb->peer_r_key;
1003 smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL);
1007 reason = p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1008 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1012 /*******************************************************************************
1013 * Function smp_proc_sl_key
1014 * Description process key ready events.
1015 ******************************************************************************/
1016 void smp_proc_sl_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1017 uint8_t key_type = p_data->key.key_type;
1019 SMP_TRACE_DEBUG("%s", __func__);
1020 if (key_type == SMP_KEY_TYPE_TK) {
1021 smp_generate_srand_mrand_confirm(p_cb, NULL);
1022 } else if (key_type == SMP_KEY_TYPE_CFM) {
1023 smp_set_state(SMP_STATE_WAIT_CONFIRM);
1025 if (p_cb->flags & SMP_PAIR_FLAGS_CMD_CONFIRM)
1026 smp_sm_event(p_cb, SMP_CONFIRM_EVT, NULL);
1030 /*******************************************************************************
1031 * Function smp_start_enc
1032 * Description start encryption
1033 ******************************************************************************/
1034 void smp_start_enc(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1036 uint8_t reason = SMP_ENC_FAIL;
1038 SMP_TRACE_DEBUG("%s", __func__);
1040 cmd = btm_ble_start_encrypt(p_cb->pairing_bda, true, p_data->key.p_data);
1042 cmd = btm_ble_start_encrypt(p_cb->pairing_bda, false, NULL);
1044 if (cmd != BTM_CMD_STARTED && cmd != BTM_BUSY)
1045 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1048 /*******************************************************************************
1049 * Function smp_proc_discard
1050 * Description processing for discard security request
1051 ******************************************************************************/
1052 void smp_proc_discard(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1053 SMP_TRACE_DEBUG("%s", __func__);
1054 if (!(p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD))
1055 smp_reset_control_value(p_cb);
1058 /*******************************************************************************
1059 * Function smp_enc_cmpl
1060 * Description encryption success
1061 ******************************************************************************/
1062 void smp_enc_cmpl(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1063 uint8_t enc_enable = *(uint8_t*)p_data;
1064 uint8_t reason = enc_enable ? SMP_SUCCESS : SMP_ENC_FAIL;
1066 SMP_TRACE_DEBUG("%s", __func__);
1067 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1070 /*******************************************************************************
1071 * Function smp_check_auth_req
1072 * Description check authentication request
1073 ******************************************************************************/
1074 void smp_check_auth_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1075 uint8_t enc_enable = *(uint8_t*)p_data;
1076 uint8_t reason = enc_enable ? SMP_SUCCESS : SMP_ENC_FAIL;
1079 "%s rcvs enc_enable=%d i_keys=0x%x r_keys=0x%x (i-initiator r-responder)",
1080 __func__, enc_enable, p_cb->local_i_key, p_cb->local_r_key);
1081 if (enc_enable == 1) {
1082 if (p_cb->le_secure_connections_mode_is_used) {
1083 /* In LE SC mode LTK is used instead of STK and has to be always saved */
1084 p_cb->local_i_key |= SMP_SEC_KEY_TYPE_ENC;
1085 p_cb->local_r_key |= SMP_SEC_KEY_TYPE_ENC;
1087 /* In LE SC mode LK is derived from LTK only if both sides request it */
1088 if (!(p_cb->local_i_key & SMP_SEC_KEY_TYPE_LK) ||
1089 !(p_cb->local_r_key & SMP_SEC_KEY_TYPE_LK)) {
1090 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
1091 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
1094 /* In LE SC mode only IRK, IAI, CSRK are exchanged with the peer.
1095 ** Set local_r_key on master to expect only these keys.
1097 if (p_cb->role == HCI_ROLE_MASTER) {
1098 p_cb->local_r_key &= (SMP_SEC_KEY_TYPE_ID | SMP_SEC_KEY_TYPE_CSRK);
1101 /* in legacy mode derivation of BR/EDR LK is not supported */
1102 p_cb->local_i_key &= ~SMP_SEC_KEY_TYPE_LK;
1103 p_cb->local_r_key &= ~SMP_SEC_KEY_TYPE_LK;
1106 "%s rcvs upgrades: i_keys=0x%x r_keys=0x%x (i-initiator r-responder)",
1107 __func__, p_cb->local_i_key, p_cb->local_r_key);
1109 if (/*((p_cb->peer_auth_req & SMP_AUTH_BOND) ||
1110 (p_cb->loc_auth_req & SMP_AUTH_BOND)) &&*/
1111 (p_cb->local_i_key || p_cb->local_r_key)) {
1112 smp_sm_event(p_cb, SMP_BOND_REQ_EVT, NULL);
1114 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1115 } else if (enc_enable == 0) {
1116 /* if failed for encryption after pairing, send callback */
1117 if (p_cb->flags & SMP_PAIR_FLAG_ENC_AFTER_PAIR)
1118 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1119 /* if enc failed for old security information */
1120 /* if master device, clean up and abck to idle; slave device do nothing */
1121 else if (p_cb->role == HCI_ROLE_MASTER) {
1122 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1127 /*******************************************************************************
1128 * Function smp_key_pick_key
1129 * Description Pick a key distribution function based on the key mask.
1130 ******************************************************************************/
1131 void smp_key_pick_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1132 uint8_t key_to_dist =
1133 (p_cb->role == HCI_ROLE_SLAVE) ? p_cb->local_r_key : p_cb->local_i_key;
1136 SMP_TRACE_DEBUG("%s key_to_dist=0x%x", __func__, key_to_dist);
1137 while (i < SMP_KEY_DIST_TYPE_MAX) {
1138 SMP_TRACE_DEBUG("key to send = %02x, i = %d", key_to_dist, i);
1140 if (key_to_dist & (1 << i)) {
1141 SMP_TRACE_DEBUG("smp_distribute_act[%d]", i);
1142 (*smp_distribute_act[i])(p_cb, p_data);
1148 /*******************************************************************************
1149 * Function smp_key_distribution
1150 * Description start key distribution if required.
1151 ******************************************************************************/
1152 void smp_key_distribution(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1153 SMP_TRACE_DEBUG("%s role=%d (0-master) r_keys=0x%x i_keys=0x%x", __func__,
1154 p_cb->role, p_cb->local_r_key, p_cb->local_i_key);
1156 if (p_cb->role == HCI_ROLE_SLAVE ||
1157 (!p_cb->local_r_key && p_cb->role == HCI_ROLE_MASTER)) {
1158 smp_key_pick_key(p_cb, p_data);
1161 if (!p_cb->local_i_key && !p_cb->local_r_key) {
1162 /* state check to prevent re-entrant */
1163 if (smp_get_state() == SMP_STATE_BOND_PENDING) {
1164 if (p_cb->derive_lk) {
1165 smp_derive_link_key_from_long_term_key(p_cb, NULL);
1166 p_cb->derive_lk = false;
1169 if (p_cb->total_tx_unacked == 0) {
1171 * Instead of declaring authorization complete immediately,
1172 * delay the event from being sent by SMP_DELAYED_AUTH_TIMEOUT_MS.
1173 * This allows the slave to send over Pairing Failed if the
1174 * last key is rejected. During this waiting window, the
1175 * state should remain in SMP_STATE_BOND_PENDING.
1177 if (!alarm_is_scheduled(p_cb->delayed_auth_timer_ent)) {
1178 SMP_TRACE_DEBUG("%s delaying auth complete.", __func__);
1179 alarm_set_on_mloop(p_cb->delayed_auth_timer_ent,
1180 SMP_DELAYED_AUTH_TIMEOUT_MS,
1181 smp_delayed_auth_complete_timeout, NULL);
1184 p_cb->wait_for_authorization_complete = true;
1190 /*******************************************************************************
1191 * Function smp_decide_association_model
1192 * Description This function is called to select assoc model to be used for
1193 * STK generation and to start STK generation process.
1195 ******************************************************************************/
1196 void smp_decide_association_model(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1197 uint8_t failure = SMP_UNKNOWN_IO_CAP;
1198 uint8_t int_evt = 0;
1200 tSMP_INT_DATA* p = NULL;
1202 SMP_TRACE_DEBUG("%s Association Model = %d", __func__,
1203 p_cb->selected_association_model);
1205 switch (p_cb->selected_association_model) {
1206 case SMP_MODEL_ENCRYPTION_ONLY: /* TK = 0, go calculate Confirm */
1207 if (p_cb->role == HCI_ROLE_MASTER &&
1208 ((p_cb->peer_auth_req & SMP_AUTH_YN_BIT) != 0) &&
1209 ((p_cb->loc_auth_req & SMP_AUTH_YN_BIT) == 0)) {
1211 "IO capability does not meet authentication requirement");
1212 failure = SMP_PAIR_AUTH_FAIL;
1213 p = (tSMP_INT_DATA*)&failure;
1214 int_evt = SMP_AUTH_CMPL_EVT;
1216 p_cb->sec_level = SMP_SEC_UNAUTHENTICATE;
1217 SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_UNAUTHENTICATE) ",
1220 key.key_type = SMP_KEY_TYPE_TK;
1221 key.p_data = p_cb->tk;
1222 p = (tSMP_INT_DATA*)&key;
1224 memset(p_cb->tk, 0, BT_OCTET16_LEN);
1226 int_evt = SMP_KEY_READY_EVT;
1230 case SMP_MODEL_PASSKEY:
1231 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1232 SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_AUTHENTICATED) ",
1235 p_cb->cb_evt = SMP_PASSKEY_REQ_EVT;
1236 int_evt = SMP_TK_REQ_EVT;
1240 SMP_TRACE_ERROR("Association Model = SMP_MODEL_OOB");
1241 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1242 SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_AUTHENTICATED) ",
1245 p_cb->cb_evt = SMP_OOB_REQ_EVT;
1246 int_evt = SMP_TK_REQ_EVT;
1249 case SMP_MODEL_KEY_NOTIF:
1250 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1251 SMP_TRACE_DEBUG("Need to generate Passkey");
1253 /* generate passkey and notify application */
1254 smp_generate_passkey(p_cb, NULL);
1257 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1258 case SMP_MODEL_SEC_CONN_NUM_COMP:
1259 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1260 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1261 case SMP_MODEL_SEC_CONN_OOB:
1262 int_evt = SMP_PUBL_KEY_EXCH_REQ_EVT;
1265 case SMP_MODEL_OUT_OF_RANGE:
1266 SMP_TRACE_ERROR("Association Model = SMP_MODEL_OUT_OF_RANGE (failed)");
1267 p = (tSMP_INT_DATA*)&failure;
1268 int_evt = SMP_AUTH_CMPL_EVT;
1273 "Association Model = %d (SOMETHING IS WRONG WITH THE CODE)",
1274 p_cb->selected_association_model);
1275 p = (tSMP_INT_DATA*)&failure;
1276 int_evt = SMP_AUTH_CMPL_EVT;
1279 SMP_TRACE_EVENT("sec_level=%d ", p_cb->sec_level);
1280 if (int_evt) smp_sm_event(p_cb, int_evt, p);
1283 /*******************************************************************************
1284 * Function smp_process_io_response
1285 * Description process IO response for a slave device.
1286 ******************************************************************************/
1287 void smp_process_io_response(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1288 uint8_t reason = SMP_PAIR_AUTH_FAIL;
1290 SMP_TRACE_DEBUG("%s", __func__);
1291 if (p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD) {
1292 /* pairing started by local (slave) Security Request */
1293 smp_set_state(SMP_STATE_SEC_REQ_PENDING);
1294 smp_send_cmd(SMP_OPCODE_SEC_REQ, p_cb);
1295 } else /* plan to send pairing respond */
1297 /* pairing started by peer (master) Pairing Request */
1298 p_cb->selected_association_model = smp_select_association_model(p_cb);
1300 if (p_cb->secure_connections_only_mode_required &&
1301 (!(p_cb->le_secure_connections_mode_is_used) ||
1302 (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS))) {
1304 "Slave requires secure connection only mode "
1305 "but it can't be provided -> Slave fails pairing");
1306 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1310 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) {
1311 if (smp_request_oob_data(p_cb)) return;
1314 // PTS Testing failure modes
1315 if (pts_test_send_authentication_complete_failure(p_cb)) return;
1317 smp_send_pair_rsp(p_cb, NULL);
1321 /*******************************************************************************
1322 * Function smp_br_process_slave_keys_response
1323 * Description process application keys response for a slave device
1324 * (BR/EDR transport).
1325 ******************************************************************************/
1326 void smp_br_process_slave_keys_response(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1327 smp_br_send_pair_response(p_cb, NULL);
1330 /*******************************************************************************
1331 * Function smp_br_send_pair_response
1332 * Description actions related to sending pairing response over BR/EDR
1334 ******************************************************************************/
1335 void smp_br_send_pair_response(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1336 SMP_TRACE_DEBUG("%s", __func__);
1338 p_cb->local_i_key &= p_cb->peer_i_key;
1339 p_cb->local_r_key &= p_cb->peer_r_key;
1341 smp_send_cmd(SMP_OPCODE_PAIRING_RSP, p_cb);
1344 /*******************************************************************************
1345 * Function smp_pairing_cmpl
1346 * Description This function is called to send the pairing complete
1347 * callback and remove the connection if needed.
1348 ******************************************************************************/
1349 void smp_pairing_cmpl(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1350 if (p_cb->total_tx_unacked == 0) {
1351 /* process the pairing complete */
1352 smp_proc_pairing_cmpl(p_cb);
1356 /*******************************************************************************
1357 * Function smp_pair_terminate
1358 * Description This function is called to send the pairing complete
1359 * callback and remove the connection if needed.
1360 ******************************************************************************/
1361 void smp_pair_terminate(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1362 SMP_TRACE_DEBUG("%s", __func__);
1363 p_cb->status = SMP_CONN_TOUT;
1364 smp_proc_pairing_cmpl(p_cb);
1367 /*******************************************************************************
1368 * Function smp_idle_terminate
1369 * Description This function calledin idle state to determine to send
1370 * authentication complete or not.
1371 ******************************************************************************/
1372 void smp_idle_terminate(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1373 if (p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD) {
1374 SMP_TRACE_DEBUG("Pairing terminated at IDLE state.");
1375 p_cb->status = SMP_FAIL;
1376 smp_proc_pairing_cmpl(p_cb);
1380 /*******************************************************************************
1381 * Function smp_fast_conn_param
1382 * Description apply default connection parameter for pairing process
1383 ******************************************************************************/
1384 void smp_fast_conn_param(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1385 /* Disable L2CAP connection parameter updates while bonding since
1386 some peripherals are not able to revert to fast connection parameters
1387 during the start of service discovery. Connection paramter updates
1388 get enabled again once service discovery completes. */
1389 L2CA_EnableUpdateBleConnParams(p_cb->pairing_bda, false);
1392 /*******************************************************************************
1393 * Function smp_both_have_public_keys
1394 * Description The function is called when both local and peer public keys are
1397 * - invokes DHKey computation;
1398 * - on slave side invokes sending local public key to the peer.
1399 * - invokes SC phase 1 process.
1400 ******************************************************************************/
1401 void smp_both_have_public_keys(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1402 SMP_TRACE_DEBUG("%s", __func__);
1404 /* invokes DHKey computation */
1405 smp_compute_dhkey(p_cb);
1407 /* on slave side invokes sending local public key to the peer */
1408 if (p_cb->role == HCI_ROLE_SLAVE) smp_send_pair_public_key(p_cb, NULL);
1410 smp_sm_event(p_cb, SMP_SC_DHKEY_CMPLT_EVT, NULL);
1413 /*******************************************************************************
1414 * Function smp_start_secure_connection_phase1
1415 * Description Start Secure Connection phase1 i.e. invokes initialization of
1416 * Secure Connection phase 1 parameters and starts building/sending
1417 * to the peer messages appropriate for the role and association
1419 ******************************************************************************/
1420 void smp_start_secure_connection_phase1(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1421 SMP_TRACE_DEBUG("%s", __func__);
1423 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS) {
1424 p_cb->sec_level = SMP_SEC_UNAUTHENTICATE;
1425 SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_UNAUTHENTICATE) ",
1428 p_cb->sec_level = SMP_SEC_AUTHENTICATED;
1429 SMP_TRACE_EVENT("p_cb->sec_level =%d (SMP_SEC_AUTHENTICATED) ",
1433 switch (p_cb->selected_association_model) {
1434 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1435 case SMP_MODEL_SEC_CONN_NUM_COMP:
1436 memset(p_cb->local_random, 0, BT_OCTET16_LEN);
1437 smp_start_nonce_generation(p_cb);
1439 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1440 /* user has to provide passkey */
1441 p_cb->cb_evt = SMP_PASSKEY_REQ_EVT;
1442 smp_sm_event(p_cb, SMP_TK_REQ_EVT, NULL);
1444 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1445 /* passkey has to be provided to user */
1446 SMP_TRACE_DEBUG("Need to generate SC Passkey");
1447 smp_generate_passkey(p_cb, NULL);
1449 case SMP_MODEL_SEC_CONN_OOB:
1450 /* use the available OOB information */
1451 smp_process_secure_connection_oob_data(p_cb, NULL);
1454 SMP_TRACE_ERROR("Association Model = %d is not used in LE SC",
1455 p_cb->selected_association_model);
1460 /*******************************************************************************
1461 * Function smp_process_local_nonce
1462 * Description The function processes new local nonce.
1464 * Note It is supposed to be called in SC phase1.
1465 ******************************************************************************/
1466 void smp_process_local_nonce(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1467 SMP_TRACE_DEBUG("%s", __func__);
1469 switch (p_cb->selected_association_model) {
1470 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1471 case SMP_MODEL_SEC_CONN_NUM_COMP:
1472 if (p_cb->role == HCI_ROLE_SLAVE) {
1473 /* slave calculates and sends local commitment */
1474 smp_calculate_local_commitment(p_cb);
1475 smp_send_commitment(p_cb, NULL);
1476 /* slave has to wait for peer nonce */
1477 smp_set_state(SMP_STATE_WAIT_NONCE);
1478 } else /* i.e. master */
1480 if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_COMM) {
1481 /* slave commitment is already received, send local nonce, wait for
1484 "master in assoc mode = %d "
1485 "already rcvd slave commitment - race condition",
1486 p_cb->selected_association_model);
1487 p_cb->flags &= ~SMP_PAIR_FLAG_HAVE_PEER_COMM;
1488 smp_send_rand(p_cb, NULL);
1489 smp_set_state(SMP_STATE_WAIT_NONCE);
1493 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1494 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1495 smp_calculate_local_commitment(p_cb);
1497 if (p_cb->role == HCI_ROLE_MASTER) {
1498 smp_send_commitment(p_cb, NULL);
1501 if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_COMM) {
1502 /* master commitment is already received */
1503 smp_send_commitment(p_cb, NULL);
1504 smp_set_state(SMP_STATE_WAIT_NONCE);
1508 case SMP_MODEL_SEC_CONN_OOB:
1509 if (p_cb->role == HCI_ROLE_MASTER) {
1510 smp_send_rand(p_cb, NULL);
1513 smp_set_state(SMP_STATE_WAIT_NONCE);
1516 SMP_TRACE_ERROR("Association Model = %d is not used in LE SC",
1517 p_cb->selected_association_model);
1522 /*******************************************************************************
1523 * Function smp_process_peer_nonce
1524 * Description The function processes newly received and saved in CB peer
1525 * nonce. The actions depend on the selected association model and
1528 * Note It is supposed to be called in SC phase1.
1529 ******************************************************************************/
1530 void smp_process_peer_nonce(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1533 SMP_TRACE_DEBUG("%s start ", __func__);
1535 // PTS Testing failure modes
1536 if (p_cb->cert_failure == SMP_CONFIRM_VALUE_ERR) {
1537 SMP_TRACE_ERROR("%s failure case = %d", __func__, p_cb->cert_failure);
1538 reason = p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1539 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1542 // PTS Testing failure modes (for LT)
1543 if ((p_cb->cert_failure == SMP_NUMERIC_COMPAR_FAIL) &&
1544 (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS) &&
1545 (p_cb->role == HCI_ROLE_SLAVE)) {
1546 SMP_TRACE_ERROR("%s failure case = %d", __func__, p_cb->cert_failure);
1547 reason = p_cb->failure = SMP_NUMERIC_COMPAR_FAIL;
1548 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1552 switch (p_cb->selected_association_model) {
1553 case SMP_MODEL_SEC_CONN_JUSTWORKS:
1554 case SMP_MODEL_SEC_CONN_NUM_COMP:
1555 /* in these models only master receives commitment */
1556 if (p_cb->role == HCI_ROLE_MASTER) {
1557 if (!smp_check_commitment(p_cb)) {
1558 reason = p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1559 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1563 /* slave sends local nonce */
1564 smp_send_rand(p_cb, NULL);
1567 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_JUSTWORKS) {
1568 /* go directly to phase 2 */
1569 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1570 } else /* numeric comparison */
1572 smp_set_state(SMP_STATE_WAIT_NONCE);
1573 smp_sm_event(p_cb, SMP_SC_CALC_NC_EVT, NULL);
1576 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
1577 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
1578 if (!smp_check_commitment(p_cb) &&
1579 p_cb->cert_failure != SMP_NUMERIC_COMPAR_FAIL) {
1580 reason = p_cb->failure = SMP_CONFIRM_VALUE_ERR;
1581 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1585 if (p_cb->role == HCI_ROLE_SLAVE) {
1586 smp_send_rand(p_cb, NULL);
1589 if (++p_cb->round < 20) {
1590 smp_set_state(SMP_STATE_SEC_CONN_PHS1_START);
1591 p_cb->flags &= ~SMP_PAIR_FLAG_HAVE_PEER_COMM;
1592 smp_start_nonce_generation(p_cb);
1596 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1598 case SMP_MODEL_SEC_CONN_OOB:
1599 if (p_cb->role == HCI_ROLE_SLAVE) {
1600 smp_send_rand(p_cb, NULL);
1603 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1606 SMP_TRACE_ERROR("Association Model = %d is not used in LE SC",
1607 p_cb->selected_association_model);
1611 SMP_TRACE_DEBUG("%s end ", __func__);
1614 /*******************************************************************************
1615 * Function smp_match_dhkey_checks
1616 * Description checks if the calculated peer DHKey Check value is the same as
1617 * received from the peer DHKey check value.
1618 ******************************************************************************/
1619 void smp_match_dhkey_checks(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1620 uint8_t reason = SMP_DHKEY_CHK_FAIL;
1622 SMP_TRACE_DEBUG("%s", __func__);
1624 if (memcmp(p_data->key.p_data, p_cb->remote_dhkey_check, BT_OCTET16_LEN)) {
1625 SMP_TRACE_WARNING("dhkey chcks do no match");
1626 p_cb->failure = reason;
1627 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1631 SMP_TRACE_EVENT("dhkey chcks match");
1633 /* compare the max encryption key size, and save the smaller one for the link
1635 if (p_cb->peer_enc_size < p_cb->loc_enc_size)
1636 p_cb->loc_enc_size = p_cb->peer_enc_size;
1638 if (p_cb->role == HCI_ROLE_SLAVE) {
1639 smp_sm_event(p_cb, SMP_PAIR_DHKEY_CHCK_EVT, NULL);
1641 /* master device always use received i/r key as keys to distribute */
1642 p_cb->local_i_key = p_cb->peer_i_key;
1643 p_cb->local_r_key = p_cb->peer_r_key;
1644 smp_sm_event(p_cb, SMP_ENC_REQ_EVT, NULL);
1648 /*******************************************************************************
1649 * Function smp_move_to_secure_connections_phase2
1650 * Description Signal State Machine to start SC phase 2 initialization (to
1651 * compute local DHKey Check value).
1653 * Note SM is supposed to be in the state SMP_STATE_SEC_CONN_PHS2_START.
1654 ******************************************************************************/
1655 void smp_move_to_secure_connections_phase2(tSMP_CB* p_cb,
1656 tSMP_INT_DATA* p_data) {
1657 SMP_TRACE_DEBUG("%s", __func__);
1658 smp_sm_event(p_cb, SMP_SC_PHASE1_CMPLT_EVT, NULL);
1661 /*******************************************************************************
1662 * Function smp_phase_2_dhkey_checks_are_present
1663 * Description generates event if dhkey check from the peer is already
1666 * Note It is supposed to be used on slave to prevent race condition.
1667 * It is supposed to be called after slave dhkey check is
1669 ******************************************************************************/
1670 void smp_phase_2_dhkey_checks_are_present(tSMP_CB* p_cb,
1671 tSMP_INT_DATA* p_data) {
1672 SMP_TRACE_DEBUG("%s", __func__);
1674 if (p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_DHK_CHK)
1675 smp_sm_event(p_cb, SMP_SC_2_DHCK_CHKS_PRES_EVT, NULL);
1678 /*******************************************************************************
1679 * Function smp_wait_for_both_public_keys
1680 * Description generates SMP_BOTH_PUBL_KEYS_RCVD_EVT event when both local and
1681 * master public keys are available.
1683 * Note on the slave it is used to prevent race condition.
1685 ******************************************************************************/
1686 void smp_wait_for_both_public_keys(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1687 SMP_TRACE_DEBUG("%s", __func__);
1689 if ((p_cb->flags & SMP_PAIR_FLAG_HAVE_PEER_PUBL_KEY) &&
1690 (p_cb->flags & SMP_PAIR_FLAG_HAVE_LOCAL_PUBL_KEY)) {
1691 if ((p_cb->role == HCI_ROLE_SLAVE) &&
1692 ((p_cb->req_oob_type == SMP_OOB_LOCAL) ||
1693 (p_cb->req_oob_type == SMP_OOB_BOTH))) {
1694 smp_set_state(SMP_STATE_PUBLIC_KEY_EXCH);
1696 smp_sm_event(p_cb, SMP_BOTH_PUBL_KEYS_RCVD_EVT, NULL);
1700 /*******************************************************************************
1701 * Function smp_start_passkey_verification
1702 * Description Starts SC passkey entry verification.
1703 ******************************************************************************/
1704 void smp_start_passkey_verification(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1707 SMP_TRACE_DEBUG("%s", __func__);
1708 p = p_cb->local_random;
1709 UINT32_TO_STREAM(p, p_data->passkey);
1711 p = p_cb->peer_random;
1712 UINT32_TO_STREAM(p, p_data->passkey);
1715 smp_start_nonce_generation(p_cb);
1718 /*******************************************************************************
1719 * Function smp_process_secure_connection_oob_data
1720 * Description Processes local/peer SC OOB data received from somewhere.
1721 ******************************************************************************/
1722 void smp_process_secure_connection_oob_data(tSMP_CB* p_cb,
1723 tSMP_INT_DATA* p_data) {
1724 SMP_TRACE_DEBUG("%s", __func__);
1726 tSMP_SC_OOB_DATA* p_sc_oob_data = &p_cb->sc_oob_data;
1727 if (p_sc_oob_data->loc_oob_data.present) {
1728 memcpy(p_cb->local_random, p_sc_oob_data->loc_oob_data.randomizer,
1729 sizeof(p_cb->local_random));
1731 SMP_TRACE_EVENT("%s: local OOB randomizer is absent", __func__);
1732 memset(p_cb->local_random, 0, sizeof(p_cb->local_random));
1735 if (!p_sc_oob_data->peer_oob_data.present) {
1736 SMP_TRACE_EVENT("%s: peer OOB data is absent", __func__);
1737 memset(p_cb->peer_random, 0, sizeof(p_cb->peer_random));
1739 memcpy(p_cb->peer_random, p_sc_oob_data->peer_oob_data.randomizer,
1740 sizeof(p_cb->peer_random));
1741 memcpy(p_cb->remote_commitment, p_sc_oob_data->peer_oob_data.commitment,
1742 sizeof(p_cb->remote_commitment));
1744 uint8_t reason = SMP_CONFIRM_VALUE_ERR;
1745 /* check commitment */
1746 if (!smp_check_commitment(p_cb)) {
1747 p_cb->failure = reason;
1748 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
1752 if (p_cb->peer_oob_flag != SMP_OOB_PRESENT) {
1753 /* the peer doesn't have local randomiser */
1755 "%s: peer didn't receive local OOB data, set local randomizer to 0",
1757 memset(p_cb->local_random, 0, sizeof(p_cb->local_random));
1761 print128(p_cb->local_random, (const uint8_t*)"local OOB randomizer");
1762 print128(p_cb->peer_random, (const uint8_t*)"peer OOB randomizer");
1763 smp_start_nonce_generation(p_cb);
1766 /*******************************************************************************
1767 * Function smp_set_local_oob_keys
1768 * Description Saves calculated private/public keys in
1769 * sc_oob_data.loc_oob_data, starts nonce generation
1770 * (to be saved in sc_oob_data.loc_oob_data.randomizer).
1771 ******************************************************************************/
1772 void smp_set_local_oob_keys(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1773 SMP_TRACE_DEBUG("%s", __func__);
1775 memcpy(p_cb->sc_oob_data.loc_oob_data.private_key_used, p_cb->private_key,
1777 p_cb->sc_oob_data.loc_oob_data.publ_key_used = p_cb->loc_publ_key;
1778 smp_start_nonce_generation(p_cb);
1781 /*******************************************************************************
1782 * Function smp_set_local_oob_random_commitment
1783 * Description Saves calculated randomizer and commitment in
1784 * sc_oob_data.loc_oob_data, passes sc_oob_data.loc_oob_data up
1786 ******************************************************************************/
1787 void smp_set_local_oob_random_commitment(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1788 SMP_TRACE_DEBUG("%s", __func__);
1789 memcpy(p_cb->sc_oob_data.loc_oob_data.randomizer, p_cb->rand, BT_OCTET16_LEN);
1791 smp_calculate_f4(p_cb->sc_oob_data.loc_oob_data.publ_key_used.x,
1792 p_cb->sc_oob_data.loc_oob_data.publ_key_used.x,
1793 p_cb->sc_oob_data.loc_oob_data.randomizer, 0,
1794 p_cb->sc_oob_data.loc_oob_data.commitment);
1796 #if (SMP_DEBUG == TRUE)
1797 uint8_t* p_print = NULL;
1798 SMP_TRACE_DEBUG("local SC OOB data set:");
1799 p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.addr_sent_to;
1800 smp_debug_print_nbyte_little_endian(p_print, "addr_sent_to",
1801 sizeof(tBLE_BD_ADDR));
1802 p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.private_key_used;
1803 smp_debug_print_nbyte_little_endian(p_print, "private_key_used",
1805 p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.publ_key_used.x;
1806 smp_debug_print_nbyte_little_endian(p_print, "publ_key_used.x",
1808 p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.publ_key_used.y;
1809 smp_debug_print_nbyte_little_endian(p_print, "publ_key_used.y",
1811 p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.randomizer;
1812 smp_debug_print_nbyte_little_endian(p_print, "randomizer", BT_OCTET16_LEN);
1813 p_print = (uint8_t*)&p_cb->sc_oob_data.loc_oob_data.commitment;
1814 smp_debug_print_nbyte_little_endian(p_print, "commitment", BT_OCTET16_LEN);
1815 SMP_TRACE_DEBUG("");
1818 /* pass created OOB data up */
1819 p_cb->cb_evt = SMP_SC_LOC_OOB_DATA_UP_EVT;
1820 smp_send_app_cback(p_cb, NULL);
1822 smp_cb_cleanup(p_cb);
1825 /*******************************************************************************
1827 * Function smp_link_encrypted
1829 * Description This function is called when link is encrypted and notified
1830 * to the slave device. Proceed to to send LTK, DIV and ER to
1831 * master if bonding the devices.
1836 ******************************************************************************/
1837 void smp_link_encrypted(const RawAddress& bda, uint8_t encr_enable) {
1838 tSMP_CB* p_cb = &smp_cb;
1840 SMP_TRACE_DEBUG("%s: encr_enable=%d", __func__, encr_enable);
1842 if (smp_cb.pairing_bda == bda) {
1843 /* encryption completed with STK, remember the key size now, could be
1844 * overwritten when key exchange happens */
1845 if (p_cb->loc_enc_size != 0 && encr_enable) {
1846 /* update the link encryption key size if a SMP pairing just performed */
1847 btm_ble_update_sec_key_size(bda, p_cb->loc_enc_size);
1850 smp_sm_event(&smp_cb, SMP_ENCRYPTED_EVT, &encr_enable);
1854 /*******************************************************************************
1856 * Function smp_proc_ltk_request
1858 * Description This function is called when LTK request is received from
1863 ******************************************************************************/
1864 bool smp_proc_ltk_request(const RawAddress& bda) {
1865 SMP_TRACE_DEBUG("%s state = %d", __func__, smp_cb.state);
1868 if (bda == smp_cb.pairing_bda) {
1871 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda);
1872 if (p_dev_rec != NULL && p_dev_rec->ble.pseudo_addr == smp_cb.pairing_bda &&
1873 p_dev_rec->ble.pseudo_addr != RawAddress::kEmpty) {
1878 if (match && smp_cb.state == SMP_STATE_ENCRYPTION_PENDING) {
1879 smp_sm_event(&smp_cb, SMP_ENC_REQ_EVT, NULL);
1886 /*******************************************************************************
1888 * Function smp_process_secure_connection_long_term_key
1890 * Description This function is called to process SC LTK.
1891 * SC LTK is calculated and used instead of STK.
1892 * Here SC LTK is saved in BLE DB.
1896 ******************************************************************************/
1897 void smp_process_secure_connection_long_term_key(void) {
1898 tSMP_CB* p_cb = &smp_cb;
1900 SMP_TRACE_DEBUG("%s", __func__);
1901 smp_save_secure_connections_long_term_key(p_cb);
1903 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, false);
1904 smp_key_distribution(p_cb, NULL);
1907 /*******************************************************************************
1909 * Function smp_set_derive_link_key
1911 * Description This function is called to set flag that indicates that
1912 * BR/EDR LK has to be derived from LTK after all keys are
1917 ******************************************************************************/
1918 void smp_set_derive_link_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1919 SMP_TRACE_DEBUG("%s", __func__);
1920 p_cb->derive_lk = true;
1921 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_LK, false);
1922 smp_key_distribution(p_cb, NULL);
1925 /*******************************************************************************
1927 * Function smp_derive_link_key_from_long_term_key
1929 * Description This function is called to derive BR/EDR LK from LTK.
1933 ******************************************************************************/
1934 void smp_derive_link_key_from_long_term_key(tSMP_CB* p_cb,
1935 tSMP_INT_DATA* p_data) {
1936 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN;
1938 SMP_TRACE_DEBUG("%s", __func__);
1939 if (!smp_calculate_link_key_from_long_term_key(p_cb)) {
1940 SMP_TRACE_ERROR("%s failed", __func__);
1941 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &status);
1946 /*******************************************************************************
1948 * Function smp_br_process_link_key
1950 * Description This function is called to process BR/EDR LK:
1951 * - to derive SMP LTK from BR/EDR LK;
1952 * - to save SMP LTK.
1956 ******************************************************************************/
1957 void smp_br_process_link_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1958 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN;
1960 SMP_TRACE_DEBUG("%s", __func__);
1961 if (!smp_calculate_long_term_key_from_link_key(p_cb)) {
1962 SMP_TRACE_ERROR("%s: failed", __func__);
1963 smp_sm_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &status);
1967 SMP_TRACE_DEBUG("%s: LTK derivation from LK successfully completed",
1969 smp_save_secure_connections_long_term_key(p_cb);
1970 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, false);
1971 smp_br_select_next_key(p_cb, NULL);
1974 /*******************************************************************************
1975 * Function smp_key_distribution_by_transport
1976 * Description depending on the transport used at the moment calls either
1977 * smp_key_distribution(...) or smp_br_key_distribution(...).
1978 ******************************************************************************/
1979 void smp_key_distribution_by_transport(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1980 SMP_TRACE_DEBUG("%s", __func__);
1981 if (p_cb->smp_over_br) {
1982 smp_br_select_next_key(p_cb, NULL);
1984 smp_key_distribution(p_cb, NULL);
1988 /*******************************************************************************
1989 * Function smp_br_pairing_complete
1990 * Description This function is called to send the pairing complete
1991 * callback and remove the connection if needed.
1992 ******************************************************************************/
1993 void smp_br_pairing_complete(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
1994 SMP_TRACE_DEBUG("%s", __func__);
1996 if (p_cb->total_tx_unacked == 0) {
1997 /* process the pairing complete */
1998 smp_proc_pairing_cmpl(p_cb);