1 /******************************************************************************
3 * Copyright 1999-2012 Broadcom Corporation
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
17 *****************************************************************************/
19 /******************************************************************************
21 * This file contains functions for the SMP L2CAP utility functions
23 ******************************************************************************/
24 #include "bt_target.h"
30 #include "btm_ble_api.h"
32 #include "device/include/controller.h"
36 #include "osi/include/osi.h"
39 #define SMP_PAIRING_REQ_SIZE 7
40 #define SMP_CONFIRM_CMD_SIZE (BT_OCTET16_LEN + 1)
41 #define SMP_RAND_CMD_SIZE (BT_OCTET16_LEN + 1)
42 #define SMP_INIT_CMD_SIZE (BT_OCTET16_LEN + 1)
43 #define SMP_ENC_INFO_SIZE (BT_OCTET16_LEN + 1)
44 #define SMP_MASTER_ID_SIZE (BT_OCTET8_LEN + 2 + 1)
45 #define SMP_ID_INFO_SIZE (BT_OCTET16_LEN + 1)
46 #define SMP_ID_ADDR_SIZE (BD_ADDR_LEN + 1 + 1)
47 #define SMP_SIGN_INFO_SIZE (BT_OCTET16_LEN + 1)
48 #define SMP_PAIR_FAIL_SIZE 2
49 #define SMP_SECURITY_REQUEST_SIZE 2
50 #define SMP_PAIR_PUBL_KEY_SIZE (1 /* opcode */ + (2 * BT_OCTET32_LEN))
51 #define SMP_PAIR_COMMITM_SIZE (1 /* opcode */ + BT_OCTET16_LEN /*Commitment*/)
52 #define SMP_PAIR_DHKEY_CHECK_SIZE \
53 (1 /* opcode */ + BT_OCTET16_LEN /*DHKey Check*/)
54 #define SMP_PAIR_KEYPR_NOTIF_SIZE (1 /* opcode */ + 1 /*Notif Type*/)
56 /* SMP command sizes per spec */
57 static const uint8_t smp_cmd_size_per_spec[] = {
59 SMP_PAIRING_REQ_SIZE, /* 0x01: pairing request */
60 SMP_PAIRING_REQ_SIZE, /* 0x02: pairing response */
61 SMP_CONFIRM_CMD_SIZE, /* 0x03: pairing confirm */
62 SMP_RAND_CMD_SIZE, /* 0x04: pairing random */
63 SMP_PAIR_FAIL_SIZE, /* 0x05: pairing failed */
64 SMP_ENC_INFO_SIZE, /* 0x06: encryption information */
65 SMP_MASTER_ID_SIZE, /* 0x07: master identification */
66 SMP_ID_INFO_SIZE, /* 0x08: identity information */
67 SMP_ID_ADDR_SIZE, /* 0x09: identity address information */
68 SMP_SIGN_INFO_SIZE, /* 0x0A: signing information */
69 SMP_SECURITY_REQUEST_SIZE, /* 0x0B: security request */
70 SMP_PAIR_PUBL_KEY_SIZE, /* 0x0C: pairing public key */
71 SMP_PAIR_DHKEY_CHECK_SIZE, /* 0x0D: pairing dhkey check */
72 SMP_PAIR_KEYPR_NOTIF_SIZE, /* 0x0E: pairing keypress notification */
73 SMP_PAIR_COMMITM_SIZE /* 0x0F: pairing commitment */
76 static bool smp_parameter_unconditionally_valid(tSMP_CB* p_cb);
77 static bool smp_parameter_unconditionally_invalid(tSMP_CB* p_cb);
79 /* type for SMP command length validation functions */
80 typedef bool (*tSMP_CMD_LEN_VALID)(tSMP_CB* p_cb);
82 static bool smp_command_has_valid_fixed_length(tSMP_CB* p_cb);
84 static const tSMP_CMD_LEN_VALID smp_cmd_len_is_valid[] = {
85 smp_parameter_unconditionally_invalid,
86 smp_command_has_valid_fixed_length, /* 0x01: pairing request */
87 smp_command_has_valid_fixed_length, /* 0x02: pairing response */
88 smp_command_has_valid_fixed_length, /* 0x03: pairing confirm */
89 smp_command_has_valid_fixed_length, /* 0x04: pairing random */
90 smp_command_has_valid_fixed_length, /* 0x05: pairing failed */
91 smp_command_has_valid_fixed_length, /* 0x06: encryption information */
92 smp_command_has_valid_fixed_length, /* 0x07: master identification */
93 smp_command_has_valid_fixed_length, /* 0x08: identity information */
94 smp_command_has_valid_fixed_length, /* 0x09: identity address information */
95 smp_command_has_valid_fixed_length, /* 0x0A: signing information */
96 smp_command_has_valid_fixed_length, /* 0x0B: security request */
97 smp_command_has_valid_fixed_length, /* 0x0C: pairing public key */
98 smp_command_has_valid_fixed_length, /* 0x0D: pairing dhkey check */
99 smp_command_has_valid_fixed_length, /* 0x0E: pairing keypress notification*/
100 smp_command_has_valid_fixed_length /* 0x0F: pairing commitment */
103 /* type for SMP command parameter ranges validation functions */
104 typedef bool (*tSMP_CMD_PARAM_RANGES_VALID)(tSMP_CB* p_cb);
106 static bool smp_pairing_request_response_parameters_are_valid(tSMP_CB* p_cb);
107 static bool smp_pairing_keypress_notification_is_valid(tSMP_CB* p_cb);
109 static const tSMP_CMD_PARAM_RANGES_VALID smp_cmd_param_ranges_are_valid[] = {
110 smp_parameter_unconditionally_invalid,
111 smp_pairing_request_response_parameters_are_valid, /* 0x01: pairing
113 smp_pairing_request_response_parameters_are_valid, /* 0x02: pairing
115 smp_parameter_unconditionally_valid, /* 0x03: pairing confirm */
116 smp_parameter_unconditionally_valid, /* 0x04: pairing random */
117 smp_parameter_unconditionally_valid, /* 0x05: pairing failed */
118 smp_parameter_unconditionally_valid, /* 0x06: encryption information */
119 smp_parameter_unconditionally_valid, /* 0x07: master identification */
120 smp_parameter_unconditionally_valid, /* 0x08: identity information */
121 smp_parameter_unconditionally_valid, /* 0x09: identity address
123 smp_parameter_unconditionally_valid, /* 0x0A: signing information */
124 smp_parameter_unconditionally_valid, /* 0x0B: security request */
125 smp_parameter_unconditionally_valid, /* 0x0C: pairing public key */
126 smp_parameter_unconditionally_valid, /* 0x0D: pairing dhkey check */
127 smp_pairing_keypress_notification_is_valid, /* 0x0E: pairing keypress
129 smp_parameter_unconditionally_valid /* 0x0F: pairing commitment */
132 /* type for action functions */
133 typedef BT_HDR* (*tSMP_CMD_ACT)(uint8_t cmd_code, tSMP_CB* p_cb);
135 static BT_HDR* smp_build_pairing_cmd(uint8_t cmd_code, tSMP_CB* p_cb);
136 static BT_HDR* smp_build_confirm_cmd(UNUSED_ATTR uint8_t cmd_code,
138 static BT_HDR* smp_build_rand_cmd(UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb);
139 static BT_HDR* smp_build_pairing_fail(UNUSED_ATTR uint8_t cmd_code,
141 static BT_HDR* smp_build_identity_info_cmd(UNUSED_ATTR uint8_t cmd_code,
143 static BT_HDR* smp_build_encrypt_info_cmd(UNUSED_ATTR uint8_t cmd_code,
145 static BT_HDR* smp_build_security_request(UNUSED_ATTR uint8_t cmd_code,
147 static BT_HDR* smp_build_signing_info_cmd(UNUSED_ATTR uint8_t cmd_code,
149 static BT_HDR* smp_build_master_id_cmd(UNUSED_ATTR uint8_t cmd_code,
151 static BT_HDR* smp_build_id_addr_cmd(UNUSED_ATTR uint8_t cmd_code,
153 static BT_HDR* smp_build_pair_public_key_cmd(UNUSED_ATTR uint8_t cmd_code,
155 static BT_HDR* smp_build_pairing_commitment_cmd(UNUSED_ATTR uint8_t cmd_code,
157 static BT_HDR* smp_build_pair_dhkey_check_cmd(UNUSED_ATTR uint8_t cmd_code,
159 static BT_HDR* smp_build_pairing_keypress_notification_cmd(
160 UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb);
162 static const tSMP_CMD_ACT smp_cmd_build_act[] = {
163 NULL, smp_build_pairing_cmd, /* 0x01: pairing request */
164 smp_build_pairing_cmd, /* 0x02: pairing response */
165 smp_build_confirm_cmd, /* 0x03: pairing confirm */
166 smp_build_rand_cmd, /* 0x04: pairing random */
167 smp_build_pairing_fail, /* 0x05: pairing failure */
168 smp_build_encrypt_info_cmd, /* 0x06: encryption information */
169 smp_build_master_id_cmd, /* 0x07: master identification */
170 smp_build_identity_info_cmd, /* 0x08: identity information */
171 smp_build_id_addr_cmd, /* 0x09: identity address information */
172 smp_build_signing_info_cmd, /* 0x0A: signing information */
173 smp_build_security_request, /* 0x0B: security request */
174 smp_build_pair_public_key_cmd, /* 0x0C: pairing public key */
175 smp_build_pair_dhkey_check_cmd, /* 0x0D: pairing DHKey check */
176 smp_build_pairing_keypress_notification_cmd, /* 0x0E: pairing keypress
178 smp_build_pairing_commitment_cmd /* 0x0F: pairing commitment */
181 static const uint8_t smp_association_table[2][SMP_IO_CAP_MAX][SMP_IO_CAP_MAX] =
183 /* display only */ /* Display Yes/No */ /* keyboard only */
184 /* No Input/Output */ /* keyboard display */
187 /* model = tbl[peer_io_caps][loc_io_caps] */
189 {{SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
190 SMP_MODEL_PASSKEY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY},
193 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
194 SMP_MODEL_PASSKEY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY},
197 {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY,
198 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF},
200 /* No Input No Output */
201 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
202 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
203 SMP_MODEL_ENCRYPTION_ONLY},
205 /* keyboard display */
206 {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY,
207 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF}},
210 /* model = tbl[loc_io_caps][peer_io_caps] */
212 {{SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
213 SMP_MODEL_KEY_NOTIF, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF},
216 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
217 SMP_MODEL_KEY_NOTIF, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF},
220 {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY,
221 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY},
223 /* No Input No Output */
224 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
225 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
226 SMP_MODEL_ENCRYPTION_ONLY},
228 /* keyboard display */
229 {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_KEY_NOTIF,
230 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY}}};
233 smp_association_table_sc[2][SMP_IO_CAP_MAX][SMP_IO_CAP_MAX] = {
234 /* display only */ /* Display Yes/No */ /* keyboard only */
235 /* No InputOutput */ /* keyboard display */
238 /* model = tbl[peer_io_caps][loc_io_caps] */
241 {{SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
242 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
243 SMP_MODEL_SEC_CONN_PASSKEY_ENT},
246 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP,
247 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
248 SMP_MODEL_SEC_CONN_NUM_COMP},
251 {SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_PASSKEY_DISP,
252 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
253 SMP_MODEL_SEC_CONN_PASSKEY_DISP},
255 /* No Input No Output */
256 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
257 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
258 SMP_MODEL_SEC_CONN_JUSTWORKS},
260 /* keyboard display */
261 {SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_NUM_COMP,
262 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
263 SMP_MODEL_SEC_CONN_NUM_COMP}},
266 /* model = tbl[loc_io_caps][peer_io_caps] */
269 {{SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
270 SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS,
271 SMP_MODEL_SEC_CONN_PASSKEY_DISP},
274 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP,
275 SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS,
276 SMP_MODEL_SEC_CONN_NUM_COMP},
279 {SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_PASSKEY_ENT,
280 SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
281 SMP_MODEL_SEC_CONN_PASSKEY_ENT},
283 /* No Input No Output */
284 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
285 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
286 SMP_MODEL_SEC_CONN_JUSTWORKS},
288 /* keyboard display */
289 {SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_NUM_COMP,
290 SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS,
291 SMP_MODEL_SEC_CONN_NUM_COMP}}};
293 static tSMP_ASSO_MODEL smp_select_legacy_association_model(tSMP_CB* p_cb);
294 static tSMP_ASSO_MODEL smp_select_association_model_secure_connections(
297 /*******************************************************************************
299 * Function smp_send_msg_to_L2CAP
301 * Description Send message to L2CAP.
303 ******************************************************************************/
304 bool smp_send_msg_to_L2CAP(const RawAddress& rem_bda, BT_HDR* p_toL2CAP) {
306 uint16_t fixed_cid = L2CAP_SMP_CID;
308 if (smp_cb.smp_over_br) {
309 fixed_cid = L2CAP_SMP_BR_CID;
312 SMP_TRACE_EVENT("%s", __func__);
313 smp_cb.total_tx_unacked += 1;
315 l2cap_ret = L2CA_SendFixedChnlData(fixed_cid, rem_bda, p_toL2CAP);
316 if (l2cap_ret == L2CAP_DW_FAILED) {
317 smp_cb.total_tx_unacked -= 1;
318 SMP_TRACE_ERROR("SMP failed to pass msg to L2CAP");
324 /*******************************************************************************
326 * Function smp_send_cmd
328 * Description send a SMP command on L2CAP channel.
330 ******************************************************************************/
331 bool smp_send_cmd(uint8_t cmd_code, tSMP_CB* p_cb) {
334 SMP_TRACE_EVENT("smp_send_cmd on l2cap cmd_code=0x%x", cmd_code);
335 if (cmd_code <= (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */) &&
336 smp_cmd_build_act[cmd_code] != NULL) {
337 p_buf = (*smp_cmd_build_act[cmd_code])(cmd_code, p_cb);
339 if (p_buf != NULL && smp_send_msg_to_L2CAP(p_cb->pairing_bda, p_buf)) {
341 alarm_set_on_mloop(p_cb->smp_rsp_timer_ent, SMP_WAIT_FOR_RSP_TIMEOUT_MS,
342 smp_rsp_timeout, NULL);
347 tSMP_INT_DATA smp_int_data;
348 smp_int_data.status = SMP_PAIR_INTERNAL_ERR;
349 if (p_cb->smp_over_br) {
350 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
352 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
358 /*******************************************************************************
360 * Function smp_rsp_timeout
362 * Description Called when SMP wait for SMP command response timer expires
366 ******************************************************************************/
367 void smp_rsp_timeout(UNUSED_ATTR void* data) {
368 tSMP_CB* p_cb = &smp_cb;
370 SMP_TRACE_EVENT("%s state:%d br_state:%d", __func__, p_cb->state,
373 tSMP_INT_DATA smp_int_data;
374 smp_int_data.status = SMP_RSP_TIMEOUT;
375 if (p_cb->smp_over_br) {
376 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
378 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
382 /*******************************************************************************
384 * Function smp_delayed_auth_complete_timeout
386 * Description Called when no pairing failed command received within
391 ******************************************************************************/
392 void smp_delayed_auth_complete_timeout(UNUSED_ATTR void* data) {
394 * Waited for potential pair failure. Send SMP_AUTH_CMPL_EVT if
395 * the state is still in bond pending.
397 if (smp_get_state() == SMP_STATE_BOND_PENDING) {
398 SMP_TRACE_EVENT("%s sending delayed auth complete.", __func__);
399 tSMP_INT_DATA smp_int_data;
400 smp_int_data.status = SMP_SUCCESS;
401 smp_sm_event(&smp_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
405 /*******************************************************************************
407 * Function smp_build_pairing_req_cmd
409 * Description Build pairing request command.
411 ******************************************************************************/
412 BT_HDR* smp_build_pairing_cmd(uint8_t cmd_code, tSMP_CB* p_cb) {
414 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIRING_REQ_SIZE +
417 SMP_TRACE_EVENT("%s", __func__);
419 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
420 UINT8_TO_STREAM(p, cmd_code);
421 UINT8_TO_STREAM(p, p_cb->local_io_capability);
422 UINT8_TO_STREAM(p, p_cb->loc_oob_flag);
423 UINT8_TO_STREAM(p, p_cb->loc_auth_req);
424 UINT8_TO_STREAM(p, p_cb->loc_enc_size);
425 UINT8_TO_STREAM(p, p_cb->local_i_key);
426 UINT8_TO_STREAM(p, p_cb->local_r_key);
428 p_buf->offset = L2CAP_MIN_OFFSET;
429 /* 1B ERR_RSP op code + 1B cmd_op_code + 2B handle + 1B status */
430 p_buf->len = SMP_PAIRING_REQ_SIZE;
435 /*******************************************************************************
437 * Function smp_build_confirm_cmd
439 * Description Build confirm request command.
441 ******************************************************************************/
442 static BT_HDR* smp_build_confirm_cmd(UNUSED_ATTR uint8_t cmd_code,
445 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_CONFIRM_CMD_SIZE +
448 SMP_TRACE_EVENT("%s", __func__);
450 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
452 UINT8_TO_STREAM(p, SMP_OPCODE_CONFIRM);
453 ARRAY_TO_STREAM(p, p_cb->confirm, BT_OCTET16_LEN);
455 p_buf->offset = L2CAP_MIN_OFFSET;
456 p_buf->len = SMP_CONFIRM_CMD_SIZE;
461 /*******************************************************************************
463 * Function smp_build_rand_cmd
465 * Description Build Random command.
467 ******************************************************************************/
468 static BT_HDR* smp_build_rand_cmd(UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb) {
470 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_RAND_CMD_SIZE +
473 SMP_TRACE_EVENT("%s", __func__);
475 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
476 UINT8_TO_STREAM(p, SMP_OPCODE_RAND);
477 ARRAY_TO_STREAM(p, p_cb->rand, BT_OCTET16_LEN);
479 p_buf->offset = L2CAP_MIN_OFFSET;
480 p_buf->len = SMP_RAND_CMD_SIZE;
485 /*******************************************************************************
487 * Function smp_build_encrypt_info_cmd
489 * Description Build security information command.
491 ******************************************************************************/
492 static BT_HDR* smp_build_encrypt_info_cmd(UNUSED_ATTR uint8_t cmd_code,
495 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ENC_INFO_SIZE +
498 SMP_TRACE_EVENT("%s", __func__);
500 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
501 UINT8_TO_STREAM(p, SMP_OPCODE_ENCRYPT_INFO);
502 ARRAY_TO_STREAM(p, p_cb->ltk, BT_OCTET16_LEN);
504 p_buf->offset = L2CAP_MIN_OFFSET;
505 p_buf->len = SMP_ENC_INFO_SIZE;
510 /*******************************************************************************
512 * Function smp_build_master_id_cmd
514 * Description Build security information command.
516 ******************************************************************************/
517 static BT_HDR* smp_build_master_id_cmd(UNUSED_ATTR uint8_t cmd_code,
520 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_MASTER_ID_SIZE +
523 SMP_TRACE_EVENT("%s", __func__);
525 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
526 UINT8_TO_STREAM(p, SMP_OPCODE_MASTER_ID);
527 UINT16_TO_STREAM(p, p_cb->ediv);
528 ARRAY_TO_STREAM(p, p_cb->enc_rand, BT_OCTET8_LEN);
530 p_buf->offset = L2CAP_MIN_OFFSET;
531 p_buf->len = SMP_MASTER_ID_SIZE;
536 /*******************************************************************************
538 * Function smp_build_identity_info_cmd
540 * Description Build identity information command.
542 ******************************************************************************/
543 static BT_HDR* smp_build_identity_info_cmd(UNUSED_ATTR uint8_t cmd_code,
544 UNUSED_ATTR tSMP_CB* p_cb) {
548 (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ID_INFO_SIZE + L2CAP_MIN_OFFSET);
550 SMP_TRACE_EVENT("%s", __func__);
552 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
554 BTM_GetDeviceIDRoot(irk);
556 UINT8_TO_STREAM(p, SMP_OPCODE_IDENTITY_INFO);
557 ARRAY_TO_STREAM(p, irk, BT_OCTET16_LEN);
559 p_buf->offset = L2CAP_MIN_OFFSET;
560 p_buf->len = SMP_ID_INFO_SIZE;
565 /*******************************************************************************
567 * Function smp_build_id_addr_cmd
569 * Description Build identity address information command.
571 ******************************************************************************/
572 static BT_HDR* smp_build_id_addr_cmd(UNUSED_ATTR uint8_t cmd_code,
573 UNUSED_ATTR tSMP_CB* p_cb) {
576 (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ID_ADDR_SIZE + L2CAP_MIN_OFFSET);
578 SMP_TRACE_EVENT("%s", __func__);
580 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
581 UINT8_TO_STREAM(p, SMP_OPCODE_ID_ADDR);
582 UINT8_TO_STREAM(p, 0);
583 BDADDR_TO_STREAM(p, *controller_get_interface()->get_address());
585 p_buf->offset = L2CAP_MIN_OFFSET;
586 p_buf->len = SMP_ID_ADDR_SIZE;
591 /*******************************************************************************
593 * Function smp_build_signing_info_cmd
595 * Description Build signing information command.
597 ******************************************************************************/
598 static BT_HDR* smp_build_signing_info_cmd(UNUSED_ATTR uint8_t cmd_code,
601 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_SIGN_INFO_SIZE +
604 SMP_TRACE_EVENT("%s", __func__);
606 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
607 UINT8_TO_STREAM(p, SMP_OPCODE_SIGN_INFO);
608 ARRAY_TO_STREAM(p, p_cb->csrk, BT_OCTET16_LEN);
610 p_buf->offset = L2CAP_MIN_OFFSET;
611 p_buf->len = SMP_SIGN_INFO_SIZE;
616 /*******************************************************************************
618 * Function smp_build_pairing_fail
620 * Description Build Pairing Fail command.
622 ******************************************************************************/
623 static BT_HDR* smp_build_pairing_fail(UNUSED_ATTR uint8_t cmd_code,
626 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_FAIL_SIZE +
629 SMP_TRACE_EVENT("%s", __func__);
631 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
632 UINT8_TO_STREAM(p, SMP_OPCODE_PAIRING_FAILED);
633 UINT8_TO_STREAM(p, p_cb->failure);
635 p_buf->offset = L2CAP_MIN_OFFSET;
636 p_buf->len = SMP_PAIR_FAIL_SIZE;
641 /*******************************************************************************
643 * Function smp_build_security_request
645 * Description Build security request command.
647 ******************************************************************************/
648 static BT_HDR* smp_build_security_request(UNUSED_ATTR uint8_t cmd_code,
651 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + 2 + L2CAP_MIN_OFFSET);
653 SMP_TRACE_EVENT("%s", __func__);
655 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
656 UINT8_TO_STREAM(p, SMP_OPCODE_SEC_REQ);
657 UINT8_TO_STREAM(p, p_cb->loc_auth_req);
659 p_buf->offset = L2CAP_MIN_OFFSET;
660 p_buf->len = SMP_SECURITY_REQUEST_SIZE;
662 SMP_TRACE_EVENT("opcode=%d auth_req=0x%x", SMP_OPCODE_SEC_REQ,
668 /*******************************************************************************
670 * Function smp_build_pair_public_key_cmd
672 * Description Build pairing public key command.
674 ******************************************************************************/
675 static BT_HDR* smp_build_pair_public_key_cmd(UNUSED_ATTR uint8_t cmd_code,
678 uint8_t publ_key[2 * BT_OCTET32_LEN];
679 uint8_t* p_publ_key = publ_key;
680 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_PUBL_KEY_SIZE +
683 SMP_TRACE_EVENT("%s", __func__);
685 memcpy(p_publ_key, p_cb->loc_publ_key.x, BT_OCTET32_LEN);
686 memcpy(p_publ_key + BT_OCTET32_LEN, p_cb->loc_publ_key.y, BT_OCTET32_LEN);
688 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
689 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_PUBLIC_KEY);
690 ARRAY_TO_STREAM(p, p_publ_key, 2 * BT_OCTET32_LEN);
692 p_buf->offset = L2CAP_MIN_OFFSET;
693 p_buf->len = SMP_PAIR_PUBL_KEY_SIZE;
698 /*******************************************************************************
700 * Function smp_build_pairing_commitment_cmd
702 * Description Build pairing commitment command.
704 ******************************************************************************/
705 static BT_HDR* smp_build_pairing_commitment_cmd(UNUSED_ATTR uint8_t cmd_code,
708 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_COMMITM_SIZE +
711 SMP_TRACE_EVENT("%s", __func__);
713 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
714 UINT8_TO_STREAM(p, SMP_OPCODE_CONFIRM);
715 ARRAY_TO_STREAM(p, p_cb->commitment, BT_OCTET16_LEN);
717 p_buf->offset = L2CAP_MIN_OFFSET;
718 p_buf->len = SMP_PAIR_COMMITM_SIZE;
723 /*******************************************************************************
725 * Function smp_build_pair_dhkey_check_cmd
727 * Description Build pairing DHKey check command.
729 ******************************************************************************/
730 static BT_HDR* smp_build_pair_dhkey_check_cmd(UNUSED_ATTR uint8_t cmd_code,
733 BT_HDR* p_buf = (BT_HDR*)osi_malloc(
734 sizeof(BT_HDR) + SMP_PAIR_DHKEY_CHECK_SIZE + L2CAP_MIN_OFFSET);
736 SMP_TRACE_EVENT("%s", __func__);
738 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
739 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_DHKEY_CHECK);
740 ARRAY_TO_STREAM(p, p_cb->dhkey_check, BT_OCTET16_LEN);
742 p_buf->offset = L2CAP_MIN_OFFSET;
743 p_buf->len = SMP_PAIR_DHKEY_CHECK_SIZE;
748 /*******************************************************************************
750 * Function smp_build_pairing_keypress_notification_cmd
752 * Description Build keypress notification command.
754 ******************************************************************************/
755 static BT_HDR* smp_build_pairing_keypress_notification_cmd(
756 UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb) {
758 BT_HDR* p_buf = (BT_HDR*)osi_malloc(
759 sizeof(BT_HDR) + SMP_PAIR_KEYPR_NOTIF_SIZE + L2CAP_MIN_OFFSET);
761 SMP_TRACE_EVENT("%s", __func__);
763 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
764 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_KEYPR_NOTIF);
765 UINT8_TO_STREAM(p, p_cb->local_keypress_notification);
767 p_buf->offset = L2CAP_MIN_OFFSET;
768 p_buf->len = SMP_PAIR_KEYPR_NOTIF_SIZE;
773 /*******************************************************************************
775 * Function smp_convert_string_to_tk
777 * Description This function is called to convert a 6 to 16 digits numeric
778 * character string into SMP TK.
783 ******************************************************************************/
784 void smp_convert_string_to_tk(BT_OCTET16 tk, uint32_t passkey) {
787 SMP_TRACE_EVENT("smp_convert_string_to_tk");
788 UINT32_TO_STREAM(p, passkey);
790 key.key_type = SMP_KEY_TYPE_TK;
793 tSMP_INT_DATA smp_int_data;
794 smp_int_data.key = key;
795 smp_sm_event(&smp_cb, SMP_KEY_READY_EVT, &smp_int_data);
798 /*******************************************************************************
800 * Function smp_mask_enc_key
802 * Description This function is called to mask off the encryption key based
803 * on the maximum encryption key size.
808 ******************************************************************************/
809 void smp_mask_enc_key(uint8_t loc_enc_size, uint8_t* p_data) {
810 SMP_TRACE_EVENT("smp_mask_enc_key");
811 if (loc_enc_size < BT_OCTET16_LEN) {
812 for (; loc_enc_size < BT_OCTET16_LEN; loc_enc_size++)
813 *(p_data + loc_enc_size) = 0;
818 /*******************************************************************************
820 * Function smp_xor_128
822 * Description utility function to do an biteise exclusive-OR of two bit
823 * strings of the length of BT_OCTET16_LEN.
827 ******************************************************************************/
828 void smp_xor_128(BT_OCTET16 a, BT_OCTET16 b) {
829 uint8_t i, *aa = a, *bb = b;
831 SMP_TRACE_EVENT("smp_xor_128");
832 for (i = 0; i < BT_OCTET16_LEN; i++) {
833 aa[i] = aa[i] ^ bb[i];
837 /*******************************************************************************
839 * Function smp_cb_cleanup
841 * Description Clean up SMP control block
845 ******************************************************************************/
846 void smp_cb_cleanup(tSMP_CB* p_cb) {
847 tSMP_CALLBACK* p_callback = p_cb->p_callback;
848 uint8_t trace_level = p_cb->trace_level;
849 alarm_t* smp_rsp_timer_ent = p_cb->smp_rsp_timer_ent;
850 alarm_t* delayed_auth_timer_ent = p_cb->delayed_auth_timer_ent;
852 SMP_TRACE_EVENT("smp_cb_cleanup");
854 alarm_cancel(p_cb->smp_rsp_timer_ent);
855 alarm_cancel(p_cb->delayed_auth_timer_ent);
856 memset(p_cb, 0, sizeof(tSMP_CB));
857 p_cb->p_callback = p_callback;
858 p_cb->trace_level = trace_level;
859 p_cb->smp_rsp_timer_ent = smp_rsp_timer_ent;
860 p_cb->delayed_auth_timer_ent = delayed_auth_timer_ent;
863 /*******************************************************************************
865 * Function smp_remove_fixed_channel
867 * Description This function is called to remove the fixed channel
871 ******************************************************************************/
872 void smp_remove_fixed_channel(tSMP_CB* p_cb) {
873 SMP_TRACE_DEBUG("%s", __func__);
875 if (p_cb->smp_over_br)
876 L2CA_RemoveFixedChnl(L2CAP_SMP_BR_CID, p_cb->pairing_bda);
878 L2CA_RemoveFixedChnl(L2CAP_SMP_CID, p_cb->pairing_bda);
881 /*******************************************************************************
883 * Function smp_reset_control_value
885 * Description This function is called to reset the control block value
886 * when the pairing procedure finished.
891 ******************************************************************************/
892 void smp_reset_control_value(tSMP_CB* p_cb) {
893 SMP_TRACE_EVENT("%s", __func__);
895 alarm_cancel(p_cb->smp_rsp_timer_ent);
897 /* set the link idle timer to drop the link when pairing is done
898 usually service discovery will follow authentication complete, to avoid
899 racing condition for a link down/up, set link idle timer to be
900 SMP_LINK_TOUT_MIN to guarantee SMP key exchange */
901 L2CA_SetIdleTimeoutByBdAddr(p_cb->pairing_bda, SMP_LINK_TOUT_MIN,
904 /* We can tell L2CAP to remove the fixed channel (if it has one) */
905 smp_remove_fixed_channel(p_cb);
906 smp_cb_cleanup(p_cb);
909 /*******************************************************************************
911 * Function smp_proc_pairing_cmpl
913 * Description This function is called to process pairing complete
918 ******************************************************************************/
919 void smp_proc_pairing_cmpl(tSMP_CB* p_cb) {
920 tSMP_EVT_DATA evt_data = {0};
921 tSMP_CALLBACK* p_callback = p_cb->p_callback;
923 SMP_TRACE_DEBUG("smp_proc_pairing_cmpl ");
925 evt_data.cmplt.reason = p_cb->status;
926 evt_data.cmplt.smp_over_br = p_cb->smp_over_br;
928 if (p_cb->status == SMP_SUCCESS) evt_data.cmplt.sec_level = p_cb->sec_level;
930 evt_data.cmplt.is_pair_cancel = false;
932 if (p_cb->is_pair_cancel) evt_data.cmplt.is_pair_cancel = true;
934 SMP_TRACE_DEBUG("send SMP_COMPLT_EVT reason=0x%0x sec_level=0x%0x",
935 evt_data.cmplt.reason, evt_data.cmplt.sec_level);
937 RawAddress pairing_bda = p_cb->pairing_bda;
939 smp_reset_control_value(p_cb);
941 if (p_callback) (*p_callback)(SMP_COMPLT_EVT, pairing_bda, &evt_data);
944 /*******************************************************************************
946 * Function smp_command_has_invalid_parameters
948 * Description Checks if the received SMP command has invalid parameters
949 * i.e. if the command length is valid and the command
950 * parameters are inside specified range.
951 * It returns true if the command has invalid parameters.
953 * Returns true if the command has invalid parameters, false otherwise.
955 ******************************************************************************/
956 bool smp_command_has_invalid_parameters(tSMP_CB* p_cb) {
957 uint8_t cmd_code = p_cb->rcvd_cmd_code;
959 if ((cmd_code > (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */)) ||
960 (cmd_code < SMP_OPCODE_MIN)) {
961 SMP_TRACE_WARNING("%s: Received command with RESERVED code 0x%02x",
966 if (!(*smp_cmd_len_is_valid[cmd_code])(p_cb)) {
967 SMP_TRACE_WARNING("%s: Command length not valid for cmd_code 0x%02x",
972 if (!(*smp_cmd_param_ranges_are_valid[cmd_code])(p_cb)) {
973 SMP_TRACE_WARNING("%s: Parameter ranges not valid code 0x%02x", __func__,
981 /*******************************************************************************
983 * Function smp_command_has_valid_fixed_length
985 * Description Checks if the received command size is equal to the size
986 * according to specs.
988 * Returns true if the command size is as expected, false otherwise.
990 * Note The command is expected to have fixed length.
991 ******************************************************************************/
992 bool smp_command_has_valid_fixed_length(tSMP_CB* p_cb) {
993 uint8_t cmd_code = p_cb->rcvd_cmd_code;
995 SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, cmd_code);
997 if (p_cb->rcvd_cmd_len != smp_cmd_size_per_spec[cmd_code]) {
999 "Rcvd from the peer cmd 0x%02x with invalid length "
1000 "0x%02x (per spec the length is 0x%02x).",
1001 cmd_code, p_cb->rcvd_cmd_len, smp_cmd_size_per_spec[cmd_code]);
1008 /*******************************************************************************
1010 * Function smp_pairing_request_response_parameters_are_valid
1012 * Description Validates parameter ranges in the received SMP command
1013 * pairing request or pairing response.
1014 * The parameters to validate:
1017 * Bonding_flags in AuthReq
1018 * Maximum encryption key size.
1019 * Returns false if at least one of these parameters is out of
1022 ******************************************************************************/
1023 bool smp_pairing_request_response_parameters_are_valid(tSMP_CB* p_cb) {
1024 uint8_t io_caps = p_cb->peer_io_caps;
1025 uint8_t oob_flag = p_cb->peer_oob_flag;
1027 p_cb->peer_auth_req & 0x03; // 0x03 is gen bond with appropriate mask
1028 uint8_t enc_size = p_cb->peer_enc_size;
1030 SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, p_cb->rcvd_cmd_code);
1032 if (io_caps >= BTM_IO_CAP_MAX) {
1034 "Rcvd from the peer cmd 0x%02x with IO Capability "
1035 "value (0x%02x) out of range).",
1036 p_cb->rcvd_cmd_code, io_caps);
1040 if (!((oob_flag == SMP_OOB_NONE) || (oob_flag == SMP_OOB_PRESENT))) {
1042 "Rcvd from the peer cmd 0x%02x with OOB data flag value "
1043 "(0x%02x) out of range).",
1044 p_cb->rcvd_cmd_code, oob_flag);
1048 if (!((bond_flag == SMP_AUTH_NO_BOND) || (bond_flag == SMP_AUTH_BOND))) {
1050 "Rcvd from the peer cmd 0x%02x with Bonding_Flags value (0x%02x) "
1052 p_cb->rcvd_cmd_code, bond_flag);
1056 if ((enc_size < SMP_ENCR_KEY_SIZE_MIN) ||
1057 (enc_size > SMP_ENCR_KEY_SIZE_MAX)) {
1059 "Rcvd from the peer cmd 0x%02x with Maximum Encryption "
1060 "Key value (0x%02x) out of range).",
1061 p_cb->rcvd_cmd_code, enc_size);
1068 /*******************************************************************************
1070 * Function smp_pairing_keypress_notification_is_valid
1072 * Description Validates Notification Type parameter range in the received
1073 * SMP command pairing keypress notification.
1074 * Returns false if this parameter is out of range.
1076 ******************************************************************************/
1077 bool smp_pairing_keypress_notification_is_valid(tSMP_CB* p_cb) {
1078 tBTM_SP_KEY_TYPE keypress_notification = p_cb->peer_keypress_notification;
1080 SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, p_cb->rcvd_cmd_code);
1082 if (keypress_notification >= BTM_SP_KEY_OUT_OF_RANGE) {
1084 "Rcvd from the peer cmd 0x%02x with Pairing Keypress "
1085 "Notification value (0x%02x) out of range).",
1086 p_cb->rcvd_cmd_code, keypress_notification);
1093 /*******************************************************************************
1095 * Function smp_parameter_unconditionally_valid
1097 * Description Always returns true.
1099 ******************************************************************************/
1100 bool smp_parameter_unconditionally_valid(UNUSED_ATTR tSMP_CB* p_cb) {
1104 /*******************************************************************************
1106 * Function smp_parameter_unconditionally_invalid
1108 * Description Always returns false.
1110 ******************************************************************************/
1111 bool smp_parameter_unconditionally_invalid(UNUSED_ATTR tSMP_CB* p_cb) {
1115 /*******************************************************************************
1117 * Function smp_reject_unexpected_pairing_command
1119 * Description send pairing failure to an unexpected pairing command during
1120 * an active pairing process.
1124 ******************************************************************************/
1125 void smp_reject_unexpected_pairing_command(const RawAddress& bd_addr) {
1127 BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_FAIL_SIZE +
1130 SMP_TRACE_DEBUG("%s", __func__);
1132 p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
1133 UINT8_TO_STREAM(p, SMP_OPCODE_PAIRING_FAILED);
1134 UINT8_TO_STREAM(p, SMP_PAIR_NOT_SUPPORT);
1136 p_buf->offset = L2CAP_MIN_OFFSET;
1137 p_buf->len = SMP_PAIR_FAIL_SIZE;
1139 smp_send_msg_to_L2CAP(bd_addr, p_buf);
1142 /*******************************************************************************
1143 * Function smp_select_association_model
1145 * Description This function selects association model to use for STK
1146 * generation. Selection is based on both sides' io capability,
1147 * oob data flag and authentication request.
1149 * Note If Secure Connections Only mode is required locally then we
1150 * come to this point only if both sides support Secure
1151 * Connections mode, i.e.
1152 * if p_cb->secure_connections_only_mode_required = true
1153 * then we come to this point only if
1154 * (p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT) ==
1155 * (p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) ==
1156 * SMP_SC_SUPPORT_BIT
1158 ******************************************************************************/
1159 tSMP_ASSO_MODEL smp_select_association_model(tSMP_CB* p_cb) {
1160 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE;
1161 p_cb->le_secure_connections_mode_is_used = false;
1163 SMP_TRACE_EVENT("%s", __func__);
1164 SMP_TRACE_DEBUG("%s p_cb->peer_io_caps = %d p_cb->local_io_capability = %d",
1165 __func__, p_cb->peer_io_caps, p_cb->local_io_capability);
1166 SMP_TRACE_DEBUG("%s p_cb->peer_oob_flag = %d p_cb->loc_oob_flag = %d",
1167 __func__, p_cb->peer_oob_flag, p_cb->loc_oob_flag);
1168 SMP_TRACE_DEBUG("%s p_cb->peer_auth_req = 0x%02x p_cb->loc_auth_req = 0x%02x",
1169 __func__, p_cb->peer_auth_req, p_cb->loc_auth_req);
1171 "%s p_cb->secure_connections_only_mode_required = %s", __func__,
1172 p_cb->secure_connections_only_mode_required ? "true" : "false");
1174 if ((p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT) &&
1175 (p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT)) {
1176 p_cb->le_secure_connections_mode_is_used = true;
1179 if ((p_cb->peer_auth_req & SMP_H7_SUPPORT_BIT) &&
1180 (p_cb->loc_auth_req & SMP_H7_SUPPORT_BIT)) {
1181 p_cb->key_derivation_h7_used = TRUE;
1184 SMP_TRACE_DEBUG("use_sc_process = %d, h7 use = %d",
1185 p_cb->le_secure_connections_mode_is_used,
1186 p_cb->key_derivation_h7_used);
1188 if (p_cb->le_secure_connections_mode_is_used) {
1189 model = smp_select_association_model_secure_connections(p_cb);
1191 model = smp_select_legacy_association_model(p_cb);
1196 /*******************************************************************************
1197 * Function smp_select_legacy_association_model
1199 * Description This function is called to select association mode if at
1200 * least one side doesn't support secure connections.
1202 ******************************************************************************/
1203 tSMP_ASSO_MODEL smp_select_legacy_association_model(tSMP_CB* p_cb) {
1204 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE;
1206 SMP_TRACE_DEBUG("%s", __func__);
1207 /* if OOB data is present on both devices, then use OOB association model */
1208 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT &&
1209 p_cb->loc_oob_flag == SMP_OOB_PRESENT)
1210 return SMP_MODEL_OOB;
1212 /* else if neither device requires MITM, then use Just Works association model
1214 if (SMP_NO_MITM_REQUIRED(p_cb->peer_auth_req) &&
1215 SMP_NO_MITM_REQUIRED(p_cb->loc_auth_req))
1216 return SMP_MODEL_ENCRYPTION_ONLY;
1218 /* otherwise use IO capability to select association model */
1219 if (p_cb->peer_io_caps < SMP_IO_CAP_MAX &&
1220 p_cb->local_io_capability < SMP_IO_CAP_MAX) {
1221 if (p_cb->role == HCI_ROLE_MASTER) {
1222 model = smp_association_table[p_cb->role][p_cb->peer_io_caps]
1223 [p_cb->local_io_capability];
1225 model = smp_association_table[p_cb->role][p_cb->local_io_capability]
1226 [p_cb->peer_io_caps];
1233 /*******************************************************************************
1234 * Function smp_select_association_model_secure_connections
1236 * Description This function is called to select association mode if both
1237 * sides support secure connections.
1239 ******************************************************************************/
1240 tSMP_ASSO_MODEL smp_select_association_model_secure_connections(tSMP_CB* p_cb) {
1241 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE;
1243 SMP_TRACE_DEBUG("%s", __func__);
1244 /* if OOB data is present on at least one device, then use OOB association
1246 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT ||
1247 p_cb->loc_oob_flag == SMP_OOB_PRESENT)
1248 return SMP_MODEL_SEC_CONN_OOB;
1250 /* else if neither device requires MITM, then use Just Works association model
1252 if (SMP_NO_MITM_REQUIRED(p_cb->peer_auth_req) &&
1253 SMP_NO_MITM_REQUIRED(p_cb->loc_auth_req))
1254 return SMP_MODEL_SEC_CONN_JUSTWORKS;
1256 /* otherwise use IO capability to select association model */
1257 if (p_cb->peer_io_caps < SMP_IO_CAP_MAX &&
1258 p_cb->local_io_capability < SMP_IO_CAP_MAX) {
1259 if (p_cb->role == HCI_ROLE_MASTER) {
1260 model = smp_association_table_sc[p_cb->role][p_cb->peer_io_caps]
1261 [p_cb->local_io_capability];
1263 model = smp_association_table_sc[p_cb->role][p_cb->local_io_capability]
1264 [p_cb->peer_io_caps];
1271 /*******************************************************************************
1272 * Function smp_reverse_array
1274 * Description This function reverses array bytes
1276 ******************************************************************************/
1277 void smp_reverse_array(uint8_t* arr, uint8_t len) {
1280 SMP_TRACE_DEBUG("smp_reverse_array");
1282 for (i = 0; i < len / 2; i++) {
1284 arr[i] = arr[len - 1 - i];
1285 arr[len - 1 - i] = tmp;
1289 /*******************************************************************************
1290 * Function smp_calculate_random_input
1292 * Description This function returns random input value to be used in
1293 * commitment calculation for SC passkey entry association mode
1294 * (if bit["round"] in "random" array == 1 then returns 0x81
1295 * else returns 0x80).
1299 ******************************************************************************/
1300 uint8_t smp_calculate_random_input(uint8_t* random, uint8_t round) {
1301 uint8_t i = round / 8;
1302 uint8_t j = round % 8;
1305 SMP_TRACE_DEBUG("random: 0x%02x, round: %d, i: %d, j: %d", random[i], round,
1307 ri = ((random[i] >> j) & 1) | 0x80;
1308 SMP_TRACE_DEBUG("%s ri=0x%02x", __func__, ri);
1312 /*******************************************************************************
1313 * Function smp_collect_local_io_capabilities
1315 * Description This function puts into IOcap array local device
1316 * IOCapability, OOB data, AuthReq.
1320 ******************************************************************************/
1321 void smp_collect_local_io_capabilities(uint8_t* iocap, tSMP_CB* p_cb) {
1322 SMP_TRACE_DEBUG("%s", __func__);
1324 iocap[0] = p_cb->local_io_capability;
1325 iocap[1] = p_cb->loc_oob_flag;
1326 iocap[2] = p_cb->loc_auth_req;
1329 /*******************************************************************************
1330 * Function smp_collect_peer_io_capabilities
1332 * Description This function puts into IOcap array peer device
1333 * IOCapability, OOB data, AuthReq.
1337 ******************************************************************************/
1338 void smp_collect_peer_io_capabilities(uint8_t* iocap, tSMP_CB* p_cb) {
1339 SMP_TRACE_DEBUG("%s", __func__);
1341 iocap[0] = p_cb->peer_io_caps;
1342 iocap[1] = p_cb->peer_oob_flag;
1343 iocap[2] = p_cb->peer_auth_req;
1346 /*******************************************************************************
1347 * Function smp_collect_local_ble_address
1349 * Description Put the the local device LE address into the le_addr array:
1350 * le_addr[0-5] = local BD ADDR,
1351 * le_addr[6] = local le address type (PUBLIC/RANDOM).
1355 ******************************************************************************/
1356 void smp_collect_local_ble_address(uint8_t* le_addr, tSMP_CB* p_cb) {
1357 tBLE_ADDR_TYPE addr_type = 0;
1359 uint8_t* p = le_addr;
1361 SMP_TRACE_DEBUG("%s", __func__);
1363 BTM_ReadConnectionAddr(p_cb->pairing_bda, bda, &addr_type);
1364 BDADDR_TO_STREAM(p, bda);
1365 UINT8_TO_STREAM(p, addr_type);
1368 /*******************************************************************************
1369 * Function smp_collect_peer_ble_address
1371 * Description Put the peer device LE addr into the le_addr array:
1372 * le_addr[0-5] = peer BD ADDR,
1373 * le_addr[6] = peer le address type (PUBLIC/RANDOM).
1377 ******************************************************************************/
1378 void smp_collect_peer_ble_address(uint8_t* le_addr, tSMP_CB* p_cb) {
1379 tBLE_ADDR_TYPE addr_type = 0;
1381 uint8_t* p = le_addr;
1383 SMP_TRACE_DEBUG("%s", __func__);
1385 if (!BTM_ReadRemoteConnectionAddr(p_cb->pairing_bda, bda, &addr_type)) {
1387 "can not collect peer le addr information for unknown device");
1391 BDADDR_TO_STREAM(p, bda);
1392 UINT8_TO_STREAM(p, addr_type);
1395 /*******************************************************************************
1396 * Function smp_check_commitment
1398 * Description This function compares peer commitment values:
1399 * - expected (i.e. calculated locally),
1400 * - received from the peer.
1402 * Returns true if the values are the same
1405 ******************************************************************************/
1406 bool smp_check_commitment(tSMP_CB* p_cb) {
1407 BT_OCTET16 expected;
1409 SMP_TRACE_DEBUG("%s", __func__);
1411 smp_calculate_peer_commitment(p_cb, expected);
1412 print128(expected, (const uint8_t*)"calculated peer commitment");
1413 print128(p_cb->remote_commitment, (const uint8_t*)"received peer commitment");
1415 if (memcmp(p_cb->remote_commitment, expected, BT_OCTET16_LEN)) {
1416 SMP_TRACE_WARNING("%s: Commitment check fails", __func__);
1420 SMP_TRACE_DEBUG("%s: Commitment check succeeds", __func__);
1424 /*******************************************************************************
1426 * Function smp_save_secure_connections_long_term_key
1428 * Description The function saves SC LTK as BLE key for future use as local
1433 ******************************************************************************/
1434 void smp_save_secure_connections_long_term_key(tSMP_CB* p_cb) {
1435 tBTM_LE_LENC_KEYS lle_key;
1436 tBTM_LE_PENC_KEYS ple_key;
1438 SMP_TRACE_DEBUG("%s-Save LTK as local LTK key", __func__);
1439 memcpy(lle_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
1441 lle_key.key_size = p_cb->loc_enc_size;
1442 lle_key.sec_level = p_cb->sec_level;
1443 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC,
1444 (tBTM_LE_KEY_VALUE*)&lle_key, true);
1446 SMP_TRACE_DEBUG("%s-Save LTK as peer LTK key", __func__);
1448 memset(ple_key.rand, 0, BT_OCTET8_LEN);
1449 memcpy(ple_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
1450 ple_key.sec_level = p_cb->sec_level;
1451 ple_key.key_size = p_cb->loc_enc_size;
1452 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC,
1453 (tBTM_LE_KEY_VALUE*)&ple_key, true);
1456 /*******************************************************************************
1458 * Function smp_calculate_f5_mackey_and_long_term_key
1460 * Description The function calculates MacKey and LTK and saves them in CB.
1461 * To calculate MacKey and LTK it calls smp_calc_f5(...).
1462 * MacKey is used in dhkey calculation, LTK is used to encrypt
1465 * Returns false if out of resources, true otherwise.
1467 ******************************************************************************/
1468 bool smp_calculate_f5_mackey_and_long_term_key(tSMP_CB* p_cb) {
1474 SMP_TRACE_DEBUG("%s", __func__);
1476 if (p_cb->role == HCI_ROLE_MASTER) {
1477 smp_collect_local_ble_address(a, p_cb);
1478 smp_collect_peer_ble_address(b, p_cb);
1482 smp_collect_local_ble_address(b, p_cb);
1483 smp_collect_peer_ble_address(a, p_cb);
1488 if (!smp_calculate_f5(p_cb->dhkey, p_na, p_nb, a, b, p_cb->mac_key,
1490 SMP_TRACE_ERROR("%s failed", __func__);
1494 SMP_TRACE_EVENT("%s is completed", __func__);
1498 /*******************************************************************************
1500 * Function smp_request_oob_data
1502 * Description Requests application to provide OOB data.
1504 * Returns true - OOB data has to be provided by application
1505 * false - otherwise (unexpected)
1507 ******************************************************************************/
1508 bool smp_request_oob_data(tSMP_CB* p_cb) {
1509 tSMP_OOB_DATA_TYPE req_oob_type = SMP_OOB_INVALID_TYPE;
1511 SMP_TRACE_DEBUG("%s", __func__);
1513 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT &&
1514 p_cb->loc_oob_flag == SMP_OOB_PRESENT) {
1515 /* both local and peer rcvd data OOB */
1516 req_oob_type = SMP_OOB_BOTH;
1517 } else if (p_cb->peer_oob_flag == SMP_OOB_PRESENT) {
1518 /* peer rcvd OOB local data, local didn't receive OOB peer data */
1519 req_oob_type = SMP_OOB_LOCAL;
1520 } else if (p_cb->loc_oob_flag == SMP_OOB_PRESENT) {
1521 req_oob_type = SMP_OOB_PEER;
1524 SMP_TRACE_DEBUG("req_oob_type = %d", req_oob_type);
1526 if (req_oob_type == SMP_OOB_INVALID_TYPE) return false;
1528 p_cb->req_oob_type = req_oob_type;
1529 p_cb->cb_evt = SMP_SC_OOB_REQ_EVT;
1530 tSMP_INT_DATA smp_int_data;
1531 smp_int_data.req_oob_type = req_oob_type;
1532 smp_sm_event(p_cb, SMP_TK_REQ_EVT, &smp_int_data);