1 /******************************************************************************
3 * Copyright (C) 1999-2012 Broadcom Corporation
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
17 ******************************************************************************/
19 /******************************************************************************
21 * This file contains functions for the SMP L2CAP utility functions
23 ******************************************************************************/
24 #include "bt_target.h"
26 #if SMP_INCLUDED == TRUE
33 #include "btm_ble_api.h"
37 #include "device/include/controller.h"
41 extern fixed_queue_t *btu_general_alarm_queue;
43 #define SMP_PAIRING_REQ_SIZE 7
44 #define SMP_CONFIRM_CMD_SIZE (BT_OCTET16_LEN + 1)
45 #define SMP_RAND_CMD_SIZE (BT_OCTET16_LEN + 1)
46 #define SMP_INIT_CMD_SIZE (BT_OCTET16_LEN + 1)
47 #define SMP_ENC_INFO_SIZE (BT_OCTET16_LEN + 1)
48 #define SMP_MASTER_ID_SIZE (BT_OCTET8_LEN + 2 + 1)
49 #define SMP_ID_INFO_SIZE (BT_OCTET16_LEN + 1)
50 #define SMP_ID_ADDR_SIZE (BD_ADDR_LEN + 1 + 1)
51 #define SMP_SIGN_INFO_SIZE (BT_OCTET16_LEN + 1)
52 #define SMP_PAIR_FAIL_SIZE 2
53 #define SMP_SECURITY_REQUEST_SIZE 2
54 #define SMP_PAIR_PUBL_KEY_SIZE (1 /* opcode */ + (2*BT_OCTET32_LEN))
55 #define SMP_PAIR_COMMITM_SIZE (1 /* opcode */ + BT_OCTET16_LEN /*Commitment*/)
56 #define SMP_PAIR_DHKEY_CHECK_SIZE (1 /* opcode */ + BT_OCTET16_LEN /*DHKey Check*/)
57 #define SMP_PAIR_KEYPR_NOTIF_SIZE (1 /* opcode */ + 1 /*Notif Type*/)
59 /* SMP command sizes per spec */
60 static const UINT8 smp_cmd_size_per_spec[] =
63 SMP_PAIRING_REQ_SIZE, /* 0x01: pairing request */
64 SMP_PAIRING_REQ_SIZE, /* 0x02: pairing response */
65 SMP_CONFIRM_CMD_SIZE, /* 0x03: pairing confirm */
66 SMP_RAND_CMD_SIZE, /* 0x04: pairing random */
67 SMP_PAIR_FAIL_SIZE, /* 0x05: pairing failed */
68 SMP_ENC_INFO_SIZE, /* 0x06: encryption information */
69 SMP_MASTER_ID_SIZE, /* 0x07: master identification */
70 SMP_ID_INFO_SIZE, /* 0x08: identity information */
71 SMP_ID_ADDR_SIZE, /* 0x09: identity address information */
72 SMP_SIGN_INFO_SIZE, /* 0x0A: signing information */
73 SMP_SECURITY_REQUEST_SIZE, /* 0x0B: security request */
74 SMP_PAIR_PUBL_KEY_SIZE, /* 0x0C: pairing public key */
75 SMP_PAIR_DHKEY_CHECK_SIZE, /* 0x0D: pairing dhkey check */
76 SMP_PAIR_KEYPR_NOTIF_SIZE, /* 0x0E: pairing keypress notification */
77 SMP_PAIR_COMMITM_SIZE /* 0x0F: pairing commitment */
80 static BOOLEAN smp_parameter_unconditionally_valid(tSMP_CB *p_cb);
81 static BOOLEAN smp_parameter_unconditionally_invalid(tSMP_CB *p_cb);
83 /* type for SMP command length validation functions */
84 typedef BOOLEAN (*tSMP_CMD_LEN_VALID)(tSMP_CB *p_cb);
86 static BOOLEAN smp_command_has_valid_fixed_length(tSMP_CB *p_cb);
88 static const tSMP_CMD_LEN_VALID smp_cmd_len_is_valid[] =
90 smp_parameter_unconditionally_invalid,
91 smp_command_has_valid_fixed_length, /* 0x01: pairing request */
92 smp_command_has_valid_fixed_length, /* 0x02: pairing response */
93 smp_command_has_valid_fixed_length, /* 0x03: pairing confirm */
94 smp_command_has_valid_fixed_length, /* 0x04: pairing random */
95 smp_command_has_valid_fixed_length, /* 0x05: pairing failed */
96 smp_command_has_valid_fixed_length, /* 0x06: encryption information */
97 smp_command_has_valid_fixed_length, /* 0x07: master identification */
98 smp_command_has_valid_fixed_length, /* 0x08: identity information */
99 smp_command_has_valid_fixed_length, /* 0x09: identity address information */
100 smp_command_has_valid_fixed_length, /* 0x0A: signing information */
101 smp_command_has_valid_fixed_length, /* 0x0B: security request */
102 smp_command_has_valid_fixed_length, /* 0x0C: pairing public key */
103 smp_command_has_valid_fixed_length, /* 0x0D: pairing dhkey check */
104 smp_command_has_valid_fixed_length, /* 0x0E: pairing keypress notification */
105 smp_command_has_valid_fixed_length /* 0x0F: pairing commitment */
108 /* type for SMP command parameter ranges validation functions */
109 typedef BOOLEAN (*tSMP_CMD_PARAM_RANGES_VALID)(tSMP_CB *p_cb);
111 static BOOLEAN smp_pairing_request_response_parameters_are_valid(tSMP_CB *p_cb);
112 static BOOLEAN smp_pairing_keypress_notification_is_valid(tSMP_CB *p_cb);
114 static const tSMP_CMD_PARAM_RANGES_VALID smp_cmd_param_ranges_are_valid[] =
116 smp_parameter_unconditionally_invalid,
117 smp_pairing_request_response_parameters_are_valid, /* 0x01: pairing request */
118 smp_pairing_request_response_parameters_are_valid, /* 0x02: pairing response */
119 smp_parameter_unconditionally_valid, /* 0x03: pairing confirm */
120 smp_parameter_unconditionally_valid, /* 0x04: pairing random */
121 smp_parameter_unconditionally_valid, /* 0x05: pairing failed */
122 smp_parameter_unconditionally_valid, /* 0x06: encryption information */
123 smp_parameter_unconditionally_valid, /* 0x07: master identification */
124 smp_parameter_unconditionally_valid, /* 0x08: identity information */
125 smp_parameter_unconditionally_valid, /* 0x09: identity address information */
126 smp_parameter_unconditionally_valid, /* 0x0A: signing information */
127 smp_parameter_unconditionally_valid, /* 0x0B: security request */
128 smp_parameter_unconditionally_valid, /* 0x0C: pairing public key */
129 smp_parameter_unconditionally_valid, /* 0x0D: pairing dhkey check */
130 smp_pairing_keypress_notification_is_valid, /* 0x0E: pairing keypress notification */
131 smp_parameter_unconditionally_valid /* 0x0F: pairing commitment */
134 /* type for action functions */
135 typedef BT_HDR * (*tSMP_CMD_ACT)(UINT8 cmd_code, tSMP_CB *p_cb);
137 static BT_HDR *smp_build_pairing_cmd(UINT8 cmd_code, tSMP_CB *p_cb);
138 static BT_HDR *smp_build_confirm_cmd(UINT8 cmd_code, tSMP_CB *p_cb);
139 static BT_HDR *smp_build_rand_cmd(UINT8 cmd_code, tSMP_CB *p_cb);
140 static BT_HDR *smp_build_pairing_fail(UINT8 cmd_code, tSMP_CB *p_cb);
141 static BT_HDR *smp_build_identity_info_cmd(UINT8 cmd_code, tSMP_CB *p_cb);
142 static BT_HDR *smp_build_encrypt_info_cmd(UINT8 cmd_code, tSMP_CB *p_cb);
143 static BT_HDR *smp_build_security_request(UINT8 cmd_code, tSMP_CB *p_cb);
144 static BT_HDR *smp_build_signing_info_cmd(UINT8 cmd_code, tSMP_CB *p_cb);
145 static BT_HDR *smp_build_master_id_cmd(UINT8 cmd_code, tSMP_CB *p_cb);
146 static BT_HDR *smp_build_id_addr_cmd(UINT8 cmd_code, tSMP_CB *p_cb);
147 static BT_HDR *smp_build_pair_public_key_cmd(UINT8 cmd_code, tSMP_CB *p_cb);
148 static BT_HDR *smp_build_pairing_commitment_cmd(UINT8 cmd_code, tSMP_CB *p_cb);
149 static BT_HDR *smp_build_pair_dhkey_check_cmd(UINT8 cmd_code, tSMP_CB *p_cb);
150 static BT_HDR *smp_build_pairing_keypress_notification_cmd(UINT8 cmd_code, tSMP_CB *p_cb);
152 static const tSMP_CMD_ACT smp_cmd_build_act[] =
155 smp_build_pairing_cmd, /* 0x01: pairing request */
156 smp_build_pairing_cmd, /* 0x02: pairing response */
157 smp_build_confirm_cmd, /* 0x03: pairing confirm */
158 smp_build_rand_cmd, /* 0x04: pairing random */
159 smp_build_pairing_fail, /* 0x05: pairing failure */
160 smp_build_encrypt_info_cmd, /* 0x06: encryption information */
161 smp_build_master_id_cmd, /* 0x07: master identification */
162 smp_build_identity_info_cmd, /* 0x08: identity information */
163 smp_build_id_addr_cmd, /* 0x09: identity address information */
164 smp_build_signing_info_cmd, /* 0x0A: signing information */
165 smp_build_security_request, /* 0x0B: security request */
166 smp_build_pair_public_key_cmd, /* 0x0C: pairing public key */
167 smp_build_pair_dhkey_check_cmd, /* 0x0D: pairing DHKey check */
168 smp_build_pairing_keypress_notification_cmd, /* 0x0E: pairing keypress notification */
169 smp_build_pairing_commitment_cmd /* 0x0F: pairing commitment */
172 static const UINT8 smp_association_table[2][SMP_IO_CAP_MAX][SMP_IO_CAP_MAX] =
174 /* display only */ /* Display Yes/No */ /* keyboard only */
175 /* No Input/Output */ /* keyboard display */
178 /* model = tbl[peer_io_caps][loc_io_caps] */
180 {{SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY,
181 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY},
184 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY,
185 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY},
188 {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY,
189 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF},
191 /* No Input No Output */
192 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
193 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY},
195 /* keyboard display */
196 {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY,
197 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF}},
200 /* model = tbl[loc_io_caps][peer_io_caps] */
202 {{SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF,
203 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF},
206 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF,
207 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF},
210 {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY,
211 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY},
213 /* No Input No Output */
214 {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
215 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY},
217 /* keyboard display */
218 {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_KEY_NOTIF,
219 SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY}}
222 static const UINT8 smp_association_table_sc[2][SMP_IO_CAP_MAX][SMP_IO_CAP_MAX] =
224 /* display only */ /* Display Yes/No */ /* keyboard only */
225 /* No InputOutput */ /* keyboard display */
228 /* model = tbl[peer_io_caps][loc_io_caps] */
231 {{SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_PASSKEY_ENT,
232 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_PASSKEY_ENT},
235 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP, SMP_MODEL_SEC_CONN_PASSKEY_ENT,
236 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP},
239 {SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_PASSKEY_ENT,
240 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_PASSKEY_DISP},
242 /* No Input No Output */
243 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
244 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS},
246 /* keyboard display */
247 {SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_NUM_COMP, SMP_MODEL_SEC_CONN_PASSKEY_ENT,
248 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP}},
251 /* model = tbl[loc_io_caps][peer_io_caps] */
254 {{SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_PASSKEY_DISP,
255 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_PASSKEY_DISP},
258 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP, SMP_MODEL_SEC_CONN_PASSKEY_DISP,
259 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP},
262 {SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_PASSKEY_ENT,
263 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_PASSKEY_ENT},
265 /* No Input No Output */
266 {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
267 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS},
269 /* keyboard display */
270 {SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_NUM_COMP, SMP_MODEL_SEC_CONN_PASSKEY_DISP,
271 SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP}}
274 static tSMP_ASSO_MODEL smp_select_legacy_association_model(tSMP_CB *p_cb);
275 static tSMP_ASSO_MODEL smp_select_association_model_secure_connections(tSMP_CB *p_cb);
277 /*******************************************************************************
279 ** Function smp_send_msg_to_L2CAP
281 ** Description Send message to L2CAP.
283 *******************************************************************************/
284 BOOLEAN smp_send_msg_to_L2CAP(BD_ADDR rem_bda, BT_HDR *p_toL2CAP)
287 UINT16 fixed_cid = L2CAP_SMP_CID;
289 if (smp_cb.smp_over_br)
291 fixed_cid = L2CAP_SMP_BR_CID;
294 SMP_TRACE_EVENT("%s", __FUNCTION__);
295 smp_cb.total_tx_unacked += 1;
297 if ((l2cap_ret = L2CA_SendFixedChnlData (fixed_cid, rem_bda, p_toL2CAP)) == L2CAP_DW_FAILED)
299 smp_cb.total_tx_unacked -= 1;
300 SMP_TRACE_ERROR("SMP failed to pass msg to L2CAP");
307 /*******************************************************************************
309 ** Function smp_send_cmd
311 ** Description send a SMP command on L2CAP channel.
313 *******************************************************************************/
314 BOOLEAN smp_send_cmd(UINT8 cmd_code, tSMP_CB *p_cb)
317 BOOLEAN sent = FALSE;
318 UINT8 failure = SMP_PAIR_INTERNAL_ERR;
319 SMP_TRACE_EVENT("smp_send_cmd on l2cap cmd_code=0x%x", cmd_code);
320 if ( cmd_code <= (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */) &&
321 smp_cmd_build_act[cmd_code] != NULL)
323 p_buf = (*smp_cmd_build_act[cmd_code])(cmd_code, p_cb);
326 smp_send_msg_to_L2CAP(p_cb->pairing_bda, p_buf))
329 alarm_set_on_queue(p_cb->smp_rsp_timer_ent,
330 SMP_WAIT_FOR_RSP_TIMEOUT_MS, smp_rsp_timeout,
331 NULL, btu_general_alarm_queue);
337 if (p_cb->smp_over_br)
339 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &failure);
343 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &failure);
349 /*******************************************************************************
351 ** Function smp_rsp_timeout
353 ** Description Called when SMP wait for SMP command response timer expires
357 *******************************************************************************/
358 void smp_rsp_timeout(UNUSED_ATTR void *data)
360 tSMP_CB *p_cb = &smp_cb;
361 UINT8 failure = SMP_RSP_TIMEOUT;
363 SMP_TRACE_EVENT("%s state:%d br_state:%d", __FUNCTION__, p_cb->state, p_cb->br_state);
365 if (p_cb->smp_over_br)
367 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &failure);
371 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &failure);
375 /*******************************************************************************
377 ** Function smp_delayed_auth_complete_timeout
379 ** Description Called when no pairing failed command received within timeout
384 *******************************************************************************/
385 void smp_delayed_auth_complete_timeout(UNUSED_ATTR void *data)
388 * Waited for potential pair failure. Send SMP_AUTH_CMPL_EVT if
389 * the state is still in bond pending.
391 if (smp_get_state() == SMP_STATE_BOND_PENDING)
393 UINT8 reason = SMP_SUCCESS;
394 SMP_TRACE_EVENT("%s sending delayed auth complete.", __func__);
395 smp_sm_event(&smp_cb, SMP_AUTH_CMPL_EVT, &reason);
399 /*******************************************************************************
401 ** Function smp_build_pairing_req_cmd
403 ** Description Build pairing request command.
405 *******************************************************************************/
406 BT_HDR * smp_build_pairing_cmd(UINT8 cmd_code, tSMP_CB *p_cb)
409 BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) +
410 SMP_PAIRING_REQ_SIZE + L2CAP_MIN_OFFSET);
412 SMP_TRACE_EVENT("%s", __func__);
414 p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
415 UINT8_TO_STREAM(p, cmd_code);
416 UINT8_TO_STREAM(p, p_cb->local_io_capability);
417 UINT8_TO_STREAM(p, p_cb->loc_oob_flag);
418 UINT8_TO_STREAM(p, p_cb->loc_auth_req);
419 UINT8_TO_STREAM(p, p_cb->loc_enc_size);
420 UINT8_TO_STREAM(p, p_cb->local_i_key);
421 UINT8_TO_STREAM(p, p_cb->local_r_key);
423 p_buf->offset = L2CAP_MIN_OFFSET;
424 /* 1B ERR_RSP op code + 1B cmd_op_code + 2B handle + 1B status */
425 p_buf->len = SMP_PAIRING_REQ_SIZE;
430 /*******************************************************************************
432 ** Function smp_build_confirm_cmd
434 ** Description Build confirm request command.
436 *******************************************************************************/
437 static BT_HDR * smp_build_confirm_cmd(UINT8 cmd_code, tSMP_CB *p_cb)
440 BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) +
441 SMP_CONFIRM_CMD_SIZE + L2CAP_MIN_OFFSET);
444 SMP_TRACE_EVENT("%s", __func__);
446 p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
448 UINT8_TO_STREAM(p, SMP_OPCODE_CONFIRM);
449 ARRAY_TO_STREAM(p, p_cb->confirm, BT_OCTET16_LEN);
451 p_buf->offset = L2CAP_MIN_OFFSET;
452 p_buf->len = SMP_CONFIRM_CMD_SIZE;
457 /*******************************************************************************
459 ** Function smp_build_rand_cmd
461 ** Description Build Random command.
463 *******************************************************************************/
464 static BT_HDR * smp_build_rand_cmd(UINT8 cmd_code, tSMP_CB *p_cb)
467 BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) +
468 SMP_RAND_CMD_SIZE + L2CAP_MIN_OFFSET);
471 SMP_TRACE_EVENT("%s", __func__);
473 p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
474 UINT8_TO_STREAM(p, SMP_OPCODE_RAND);
475 ARRAY_TO_STREAM(p, p_cb->rand, BT_OCTET16_LEN);
477 p_buf->offset = L2CAP_MIN_OFFSET;
478 p_buf->len = SMP_RAND_CMD_SIZE;
483 /*******************************************************************************
485 ** Function smp_build_encrypt_info_cmd
487 ** Description Build security information command.
489 *******************************************************************************/
490 static BT_HDR * smp_build_encrypt_info_cmd(UINT8 cmd_code, tSMP_CB *p_cb)
493 BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) +
494 SMP_ENC_INFO_SIZE + L2CAP_MIN_OFFSET);
497 SMP_TRACE_EVENT("%s", __func__);
499 p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
500 UINT8_TO_STREAM(p, SMP_OPCODE_ENCRYPT_INFO);
501 ARRAY_TO_STREAM(p, p_cb->ltk, BT_OCTET16_LEN);
503 p_buf->offset = L2CAP_MIN_OFFSET;
504 p_buf->len = SMP_ENC_INFO_SIZE;
509 /*******************************************************************************
511 ** Function smp_build_master_id_cmd
513 ** Description Build security information command.
515 *******************************************************************************/
516 static BT_HDR * smp_build_master_id_cmd(UINT8 cmd_code, tSMP_CB *p_cb)
519 BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) +
520 SMP_MASTER_ID_SIZE + L2CAP_MIN_OFFSET);
523 SMP_TRACE_EVENT("%s", __func__);
525 p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
526 UINT8_TO_STREAM(p, SMP_OPCODE_MASTER_ID);
527 UINT16_TO_STREAM(p, p_cb->ediv);
528 ARRAY_TO_STREAM(p, p_cb->enc_rand, BT_OCTET8_LEN);
530 p_buf->offset = L2CAP_MIN_OFFSET;
531 p_buf->len = SMP_MASTER_ID_SIZE;
536 /*******************************************************************************
538 ** Function smp_build_identity_info_cmd
540 ** Description Build identity information command.
542 *******************************************************************************/
543 static BT_HDR * smp_build_identity_info_cmd(UINT8 cmd_code, tSMP_CB *p_cb)
547 BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) +
548 SMP_ID_INFO_SIZE + L2CAP_MIN_OFFSET);
552 SMP_TRACE_EVENT("%s", __func__);
554 p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
556 BTM_GetDeviceIDRoot(irk);
558 UINT8_TO_STREAM(p, SMP_OPCODE_IDENTITY_INFO);
559 ARRAY_TO_STREAM(p, irk, BT_OCTET16_LEN);
561 p_buf->offset = L2CAP_MIN_OFFSET;
562 p_buf->len = SMP_ID_INFO_SIZE;
567 /*******************************************************************************
569 ** Function smp_build_id_addr_cmd
571 ** Description Build identity address information command.
573 *******************************************************************************/
574 static BT_HDR * smp_build_id_addr_cmd(UINT8 cmd_code, tSMP_CB *p_cb)
577 BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) +
578 SMP_ID_ADDR_SIZE + L2CAP_MIN_OFFSET);
582 SMP_TRACE_EVENT("%s", __func__);
584 p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
585 UINT8_TO_STREAM(p, SMP_OPCODE_ID_ADDR);
586 UINT8_TO_STREAM(p, 0);
587 BDADDR_TO_STREAM(p, controller_get_interface()->get_address()->address);
589 p_buf->offset = L2CAP_MIN_OFFSET;
590 p_buf->len = SMP_ID_ADDR_SIZE;
595 /*******************************************************************************
597 ** Function smp_build_signing_info_cmd
599 ** Description Build signing information command.
601 *******************************************************************************/
602 static BT_HDR * smp_build_signing_info_cmd(UINT8 cmd_code, tSMP_CB *p_cb)
605 BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) +
606 SMP_SIGN_INFO_SIZE + L2CAP_MIN_OFFSET);
609 SMP_TRACE_EVENT("%s", __func__);
611 p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
612 UINT8_TO_STREAM(p, SMP_OPCODE_SIGN_INFO);
613 ARRAY_TO_STREAM(p, p_cb->csrk, BT_OCTET16_LEN);
615 p_buf->offset = L2CAP_MIN_OFFSET;
616 p_buf->len = SMP_SIGN_INFO_SIZE;
621 /*******************************************************************************
623 ** Function smp_build_pairing_fail
625 ** Description Build Pairing Fail command.
627 *******************************************************************************/
628 static BT_HDR * smp_build_pairing_fail(UINT8 cmd_code, tSMP_CB *p_cb)
631 BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) +
632 SMP_PAIR_FAIL_SIZE + L2CAP_MIN_OFFSET);
635 SMP_TRACE_EVENT("%s", __func__);
637 p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
638 UINT8_TO_STREAM(p, SMP_OPCODE_PAIRING_FAILED);
639 UINT8_TO_STREAM(p, p_cb->failure);
641 p_buf->offset = L2CAP_MIN_OFFSET;
642 p_buf->len = SMP_PAIR_FAIL_SIZE;
647 /*******************************************************************************
649 ** Function smp_build_security_request
651 ** Description Build security request command.
653 *******************************************************************************/
654 static BT_HDR *smp_build_security_request(UINT8 cmd_code, tSMP_CB *p_cb)
657 BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) +
658 2 + L2CAP_MIN_OFFSET);
661 SMP_TRACE_EVENT("%s", __func__);
663 p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
664 UINT8_TO_STREAM(p, SMP_OPCODE_SEC_REQ);
665 UINT8_TO_STREAM(p, p_cb->loc_auth_req);
667 p_buf->offset = L2CAP_MIN_OFFSET;
668 p_buf->len = SMP_SECURITY_REQUEST_SIZE;
670 SMP_TRACE_EVENT("opcode=%d auth_req=0x%x",SMP_OPCODE_SEC_REQ, p_cb->loc_auth_req );
675 /*******************************************************************************
677 ** Function smp_build_pair_public_key_cmd
679 ** Description Build pairing public key command.
681 *******************************************************************************/
682 static BT_HDR *smp_build_pair_public_key_cmd(UINT8 cmd_code, tSMP_CB *p_cb)
685 UINT8 publ_key[2*BT_OCTET32_LEN];
686 UINT8 *p_publ_key = publ_key;
687 BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) +
688 SMP_PAIR_PUBL_KEY_SIZE + L2CAP_MIN_OFFSET);
691 SMP_TRACE_EVENT("%s", __func__);
693 memcpy(p_publ_key, p_cb->loc_publ_key.x, BT_OCTET32_LEN);
694 memcpy(p_publ_key + BT_OCTET32_LEN, p_cb->loc_publ_key.y, BT_OCTET32_LEN);
696 p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
697 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_PUBLIC_KEY);
698 ARRAY_TO_STREAM(p, p_publ_key, 2*BT_OCTET32_LEN);
700 p_buf->offset = L2CAP_MIN_OFFSET;
701 p_buf->len = SMP_PAIR_PUBL_KEY_SIZE;
706 /*******************************************************************************
708 ** Function smp_build_pairing_commitment_cmd
710 ** Description Build pairing commitment command.
712 *******************************************************************************/
713 static BT_HDR *smp_build_pairing_commitment_cmd(UINT8 cmd_code, tSMP_CB *p_cb)
716 BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) +
717 SMP_PAIR_COMMITM_SIZE + L2CAP_MIN_OFFSET);
720 SMP_TRACE_EVENT("%s", __func__);
722 p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
723 UINT8_TO_STREAM(p, SMP_OPCODE_CONFIRM);
724 ARRAY_TO_STREAM(p, p_cb->commitment, BT_OCTET16_LEN);
726 p_buf->offset = L2CAP_MIN_OFFSET;
727 p_buf->len = SMP_PAIR_COMMITM_SIZE;
732 /*******************************************************************************
734 ** Function smp_build_pair_dhkey_check_cmd
736 ** Description Build pairing DHKey check command.
738 *******************************************************************************/
739 static BT_HDR *smp_build_pair_dhkey_check_cmd(UINT8 cmd_code, tSMP_CB *p_cb)
742 BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) +
743 SMP_PAIR_DHKEY_CHECK_SIZE + L2CAP_MIN_OFFSET);
746 SMP_TRACE_EVENT("%s", __func__);
748 p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
749 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_DHKEY_CHECK);
750 ARRAY_TO_STREAM(p, p_cb->dhkey_check, BT_OCTET16_LEN);
752 p_buf->offset = L2CAP_MIN_OFFSET;
753 p_buf->len = SMP_PAIR_DHKEY_CHECK_SIZE;
758 /*******************************************************************************
760 ** Function smp_build_pairing_keypress_notification_cmd
762 ** Description Build keypress notification command.
764 *******************************************************************************/
765 static BT_HDR * smp_build_pairing_keypress_notification_cmd(UINT8 cmd_code, tSMP_CB *p_cb)
768 BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) +
769 SMP_PAIR_KEYPR_NOTIF_SIZE + L2CAP_MIN_OFFSET);
772 SMP_TRACE_EVENT("%s", __func__);
774 p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
775 UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_KEYPR_NOTIF);
776 UINT8_TO_STREAM(p, p_cb->local_keypress_notification);
778 p_buf->offset = L2CAP_MIN_OFFSET;
779 p_buf->len = SMP_PAIR_KEYPR_NOTIF_SIZE;
784 /*******************************************************************************
786 ** Function smp_convert_string_to_tk
788 ** Description This function is called to convert a 6 to 16 digits numeric
789 ** character string into SMP TK.
794 *******************************************************************************/
795 void smp_convert_string_to_tk(BT_OCTET16 tk, UINT32 passkey)
799 SMP_TRACE_EVENT("smp_convert_string_to_tk");
800 UINT32_TO_STREAM(p, passkey);
802 key.key_type = SMP_KEY_TYPE_TK;
805 smp_sm_event(&smp_cb, SMP_KEY_READY_EVT, &key);
808 /*******************************************************************************
810 ** Function smp_mask_enc_key
812 ** Description This function is called to mask off the encryption key based
813 ** on the maximum encryption key size.
818 *******************************************************************************/
819 void smp_mask_enc_key(UINT8 loc_enc_size, UINT8 * p_data)
821 SMP_TRACE_EVENT("smp_mask_enc_key");
822 if (loc_enc_size < BT_OCTET16_LEN)
824 for (; loc_enc_size < BT_OCTET16_LEN; loc_enc_size ++)
825 * (p_data + loc_enc_size) = 0;
830 /*******************************************************************************
832 ** Function smp_xor_128
834 ** Description utility function to do an biteise exclusive-OR of two bit
835 ** strings of the length of BT_OCTET16_LEN.
839 *******************************************************************************/
840 void smp_xor_128(BT_OCTET16 a, BT_OCTET16 b)
842 UINT8 i, *aa = a, *bb = b;
844 SMP_TRACE_EVENT("smp_xor_128");
845 for (i = 0; i < BT_OCTET16_LEN; i++)
847 aa[i] = aa[i] ^ bb[i];
851 /*******************************************************************************
853 ** Function smp_cb_cleanup
855 ** Description Clean up SMP control block
859 *******************************************************************************/
860 void smp_cb_cleanup(tSMP_CB *p_cb)
862 tSMP_CALLBACK *p_callback = p_cb->p_callback;
863 UINT8 trace_level = p_cb->trace_level;
865 SMP_TRACE_EVENT("smp_cb_cleanup");
867 alarm_free(p_cb->smp_rsp_timer_ent);
868 alarm_free(p_cb->delayed_auth_timer_ent);
869 memset(p_cb, 0, sizeof(tSMP_CB));
870 p_cb->p_callback = p_callback;
871 p_cb->trace_level = trace_level;
872 p_cb->smp_rsp_timer_ent = alarm_new("smp.smp_rsp_timer_ent");
873 p_cb->delayed_auth_timer_ent = alarm_new("smp.delayed_auth_timer_ent");
876 /*******************************************************************************
878 ** Function smp_remove_fixed_channel
880 ** Description This function is called to remove the fixed channel
884 *******************************************************************************/
885 void smp_remove_fixed_channel(tSMP_CB *p_cb)
887 SMP_TRACE_DEBUG("%s", __func__);
889 if (p_cb->smp_over_br)
890 L2CA_RemoveFixedChnl (L2CAP_SMP_BR_CID, p_cb->pairing_bda);
892 L2CA_RemoveFixedChnl (L2CAP_SMP_CID, p_cb->pairing_bda);
895 /*******************************************************************************
897 ** Function smp_reset_control_value
899 ** Description This function is called to reset the control block value when
900 ** pairing procedure finished.
905 *******************************************************************************/
906 void smp_reset_control_value(tSMP_CB *p_cb)
908 SMP_TRACE_EVENT("%s", __func__);
910 alarm_cancel(p_cb->smp_rsp_timer_ent);
912 /* set the link idle timer to drop the link when pairing is done
913 usually service discovery will follow authentication complete, to avoid
914 racing condition for a link down/up, set link idle timer to be
915 SMP_LINK_TOUT_MIN to guarantee SMP key exchange */
916 L2CA_SetIdleTimeoutByBdAddr(p_cb->pairing_bda, SMP_LINK_TOUT_MIN, BT_TRANSPORT_LE);
918 /* We can tell L2CAP to remove the fixed channel (if it has one) */
919 smp_remove_fixed_channel(p_cb);
920 smp_cb_cleanup(p_cb);
923 /*******************************************************************************
925 ** Function smp_proc_pairing_cmpl
927 ** Description This function is called to process pairing complete
932 *******************************************************************************/
933 void smp_proc_pairing_cmpl(tSMP_CB *p_cb)
935 tSMP_EVT_DATA evt_data = {0};
936 tSMP_CALLBACK *p_callback = p_cb->p_callback;
939 SMP_TRACE_DEBUG ("smp_proc_pairing_cmpl ");
941 evt_data.cmplt.reason = p_cb->status;
942 evt_data.cmplt.smp_over_br = p_cb->smp_over_br;
944 if (p_cb->status == SMP_SUCCESS)
945 evt_data.cmplt.sec_level = p_cb->sec_level;
947 evt_data.cmplt.is_pair_cancel = FALSE;
949 if (p_cb->is_pair_cancel)
950 evt_data.cmplt.is_pair_cancel = TRUE;
953 SMP_TRACE_DEBUG ("send SMP_COMPLT_EVT reason=0x%0x sec_level=0x%0x",
954 evt_data.cmplt.reason,
955 evt_data.cmplt.sec_level );
957 memcpy (pairing_bda, p_cb->pairing_bda, BD_ADDR_LEN);
959 smp_reset_control_value(p_cb);
962 (*p_callback) (SMP_COMPLT_EVT, pairing_bda, &evt_data);
965 /*******************************************************************************
967 ** Function smp_command_has_invalid_parameters
969 ** Description Checks if the received SMP command has invalid parameters i.e.
970 ** if the command length is valid and the command parameters are
971 ** inside specified range.
972 ** It returns TRUE if the command has invalid parameters.
974 ** Returns TRUE if the command has invalid parameters, FALSE otherwise.
976 *******************************************************************************/
977 BOOLEAN smp_command_has_invalid_parameters(tSMP_CB *p_cb)
979 UINT8 cmd_code = p_cb->rcvd_cmd_code;
981 SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, cmd_code);
983 if ((cmd_code > (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */)) ||
984 (cmd_code < SMP_OPCODE_MIN))
986 SMP_TRACE_WARNING("Somehow received command with the RESERVED code 0x%02x", cmd_code);
990 if (!(*smp_cmd_len_is_valid[cmd_code])(p_cb))
993 if (!(*smp_cmd_param_ranges_are_valid[cmd_code])(p_cb))
999 /*******************************************************************************
1001 ** Function smp_command_has_valid_fixed_length
1003 ** Description Checks if the received command size is equal to the size
1004 ** according to specs.
1006 ** Returns TRUE if the command size is as expected, FALSE otherwise.
1008 ** Note The command is expected to have fixed length.
1009 *******************************************************************************/
1010 BOOLEAN smp_command_has_valid_fixed_length(tSMP_CB *p_cb)
1012 UINT8 cmd_code = p_cb->rcvd_cmd_code;
1014 SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, cmd_code);
1016 if (p_cb->rcvd_cmd_len != smp_cmd_size_per_spec[cmd_code])
1018 SMP_TRACE_WARNING("Rcvd from the peer cmd 0x%02x with invalid length\
1019 0x%02x (per spec the length is 0x%02x).",
1020 cmd_code, p_cb->rcvd_cmd_len, smp_cmd_size_per_spec[cmd_code]);
1027 /*******************************************************************************
1029 ** Function smp_pairing_request_response_parameters_are_valid
1031 ** Description Validates parameter ranges in the received SMP command
1032 ** pairing request or pairing response.
1033 ** The parameters to validate:
1036 ** Bonding_flags in AuthReq
1037 ** Maximum encryption key size.
1038 ** Returns FALSE if at least one of these parameters is out of range.
1040 *******************************************************************************/
1041 BOOLEAN smp_pairing_request_response_parameters_are_valid(tSMP_CB *p_cb)
1043 UINT8 io_caps = p_cb->peer_io_caps;
1044 UINT8 oob_flag = p_cb->peer_oob_flag;
1045 UINT8 bond_flag = p_cb->peer_auth_req & 0x03; //0x03 is gen bond with appropriate mask
1046 UINT8 enc_size = p_cb->peer_enc_size;
1048 SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, p_cb->rcvd_cmd_code);
1050 if (io_caps >= BTM_IO_CAP_MAX)
1052 SMP_TRACE_WARNING("Rcvd from the peer cmd 0x%02x with IO Capabilty \
1053 value (0x%02x) out of range).",
1054 p_cb->rcvd_cmd_code, io_caps);
1058 if (!((oob_flag == SMP_OOB_NONE) || (oob_flag == SMP_OOB_PRESENT)))
1060 SMP_TRACE_WARNING("Rcvd from the peer cmd 0x%02x with OOB data flag value \
1061 (0x%02x) out of range).",
1062 p_cb->rcvd_cmd_code, oob_flag);
1066 if (!((bond_flag == SMP_AUTH_NO_BOND) || (bond_flag == SMP_AUTH_BOND)))
1068 SMP_TRACE_WARNING("Rcvd from the peer cmd 0x%02x with Bonding_Flags value (0x%02x)\
1070 p_cb->rcvd_cmd_code, bond_flag);
1074 if ((enc_size < SMP_ENCR_KEY_SIZE_MIN) || (enc_size > SMP_ENCR_KEY_SIZE_MAX))
1076 SMP_TRACE_WARNING("Rcvd from the peer cmd 0x%02x with Maximum Encryption \
1077 Key value (0x%02x) out of range).",
1078 p_cb->rcvd_cmd_code, enc_size);
1085 /*******************************************************************************
1087 ** Function smp_pairing_keypress_notification_is_valid
1089 ** Description Validates Notification Type parameter range in the received SMP command
1090 ** pairing keypress notification.
1091 ** Returns FALSE if this parameter is out of range.
1093 *******************************************************************************/
1094 BOOLEAN smp_pairing_keypress_notification_is_valid(tSMP_CB *p_cb)
1096 tBTM_SP_KEY_TYPE keypress_notification = p_cb->peer_keypress_notification;
1098 SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, p_cb->rcvd_cmd_code);
1100 if (keypress_notification >= BTM_SP_KEY_OUT_OF_RANGE)
1102 SMP_TRACE_WARNING("Rcvd from the peer cmd 0x%02x with Pairing Keypress \
1103 Notification value (0x%02x) out of range).",
1104 p_cb->rcvd_cmd_code, keypress_notification);
1111 /*******************************************************************************
1113 ** Function smp_parameter_unconditionally_valid
1115 ** Description Always returns TRUE.
1117 *******************************************************************************/
1118 BOOLEAN smp_parameter_unconditionally_valid(UNUSED_ATTR tSMP_CB *p_cb)
1123 /*******************************************************************************
1125 ** Function smp_parameter_unconditionally_invalid
1127 ** Description Always returns FALSE.
1129 *******************************************************************************/
1130 BOOLEAN smp_parameter_unconditionally_invalid(UNUSED_ATTR tSMP_CB *p_cb)
1135 /*******************************************************************************
1137 ** Function smp_reject_unexpected_pairing_command
1139 ** Description send pairing failure to an unexpected pairing command during
1140 ** an active pairing process.
1144 *******************************************************************************/
1145 void smp_reject_unexpected_pairing_command(BD_ADDR bd_addr)
1148 BT_HDR *p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) +
1149 SMP_PAIR_FAIL_SIZE + L2CAP_MIN_OFFSET);
1151 SMP_TRACE_DEBUG("%s", __func__);
1153 p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
1154 UINT8_TO_STREAM(p, SMP_OPCODE_PAIRING_FAILED);
1155 UINT8_TO_STREAM(p, SMP_PAIR_NOT_SUPPORT);
1157 p_buf->offset = L2CAP_MIN_OFFSET;
1158 p_buf->len = SMP_PAIR_FAIL_SIZE;
1160 smp_send_msg_to_L2CAP(bd_addr, p_buf);
1163 /*******************************************************************************
1164 ** Function smp_select_association_model
1166 ** Description This function selects association model to use for STK
1167 ** generation. Selection is based on both sides' io capability,
1168 ** oob data flag and authentication request.
1170 ** Note If Secure Connections Only mode is required locally then we
1171 ** come to this point only if both sides support Secure Connections
1172 ** mode, i.e. if p_cb->secure_connections_only_mode_required = TRUE then we come
1173 ** to this point only if
1174 ** (p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT) ==
1175 ** (p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) ==
1176 ** SMP_SC_SUPPORT_BIT
1178 *******************************************************************************/
1179 tSMP_ASSO_MODEL smp_select_association_model(tSMP_CB *p_cb)
1181 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE;
1182 p_cb->le_secure_connections_mode_is_used = FALSE;
1184 SMP_TRACE_EVENT("%s", __FUNCTION__);
1185 SMP_TRACE_DEBUG("%s p_cb->peer_io_caps = %d p_cb->local_io_capability = %d",
1186 __FUNCTION__, p_cb->peer_io_caps, p_cb->local_io_capability);
1187 SMP_TRACE_DEBUG("%s p_cb->peer_oob_flag = %d p_cb->loc_oob_flag = %d",
1188 __FUNCTION__, p_cb->peer_oob_flag, p_cb->loc_oob_flag);
1189 SMP_TRACE_DEBUG("%s p_cb->peer_auth_req = 0x%02x p_cb->loc_auth_req = 0x%02x",
1190 __FUNCTION__, p_cb->peer_auth_req, p_cb->loc_auth_req);
1191 SMP_TRACE_DEBUG("%s p_cb->secure_connections_only_mode_required = %s",
1192 __FUNCTION__, p_cb->secure_connections_only_mode_required ?
1195 if ((p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT) && (p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT))
1197 p_cb->le_secure_connections_mode_is_used = TRUE;
1200 SMP_TRACE_DEBUG("use_sc_process = %d", p_cb->le_secure_connections_mode_is_used);
1202 if (p_cb->le_secure_connections_mode_is_used)
1204 model = smp_select_association_model_secure_connections(p_cb);
1208 model = smp_select_legacy_association_model(p_cb);
1213 /*******************************************************************************
1214 ** Function smp_select_legacy_association_model
1216 ** Description This function is called to select association mode if at least
1217 ** one side doesn't support secure connections.
1219 *******************************************************************************/
1220 tSMP_ASSO_MODEL smp_select_legacy_association_model(tSMP_CB *p_cb)
1222 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE;
1224 SMP_TRACE_DEBUG("%s", __func__);
1225 /* if OOB data is present on both devices, then use OOB association model */
1226 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT && p_cb->loc_oob_flag == SMP_OOB_PRESENT)
1227 return SMP_MODEL_OOB;
1229 /* else if neither device requires MITM, then use Just Works association model */
1230 if (SMP_NO_MITM_REQUIRED (p_cb->peer_auth_req) && SMP_NO_MITM_REQUIRED(p_cb->loc_auth_req))
1231 return SMP_MODEL_ENCRYPTION_ONLY;
1233 /* otherwise use IO capability to select association model */
1234 if (p_cb->peer_io_caps < SMP_IO_CAP_MAX && p_cb->local_io_capability < SMP_IO_CAP_MAX)
1236 if (p_cb->role == HCI_ROLE_MASTER)
1238 model = smp_association_table[p_cb->role][p_cb->peer_io_caps]
1239 [p_cb->local_io_capability];
1243 model = smp_association_table[p_cb->role][p_cb->local_io_capability]
1244 [p_cb->peer_io_caps];
1251 /*******************************************************************************
1252 ** Function smp_select_association_model_secure_connections
1254 ** Description This function is called to select association mode if both
1255 ** sides support secure connections.
1257 *******************************************************************************/
1258 tSMP_ASSO_MODEL smp_select_association_model_secure_connections(tSMP_CB *p_cb)
1260 tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE;
1262 SMP_TRACE_DEBUG("%s", __func__);
1263 /* if OOB data is present on at least one device, then use OOB association model */
1264 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT || p_cb->loc_oob_flag == SMP_OOB_PRESENT)
1265 return SMP_MODEL_SEC_CONN_OOB;
1267 /* else if neither device requires MITM, then use Just Works association model */
1268 if (SMP_NO_MITM_REQUIRED (p_cb->peer_auth_req) && SMP_NO_MITM_REQUIRED(p_cb->loc_auth_req))
1269 return SMP_MODEL_SEC_CONN_JUSTWORKS;
1271 /* otherwise use IO capability to select association model */
1272 if (p_cb->peer_io_caps < SMP_IO_CAP_MAX && p_cb->local_io_capability < SMP_IO_CAP_MAX)
1274 if (p_cb->role == HCI_ROLE_MASTER)
1276 model = smp_association_table_sc[p_cb->role][p_cb->peer_io_caps]
1277 [p_cb->local_io_capability];
1281 model = smp_association_table_sc[p_cb->role][p_cb->local_io_capability]
1282 [p_cb->peer_io_caps];
1289 /*******************************************************************************
1290 ** Function smp_reverse_array
1292 ** Description This function reverses array bytes
1294 *******************************************************************************/
1295 void smp_reverse_array(UINT8 *arr, UINT8 len)
1299 SMP_TRACE_DEBUG("smp_reverse_array");
1301 for (i = 0; i < len/2; i ++)
1304 arr[i] = arr[len -1 - i];
1305 arr[len -1 - i] = tmp;
1309 /*******************************************************************************
1310 ** Function smp_calculate_random_input
1312 ** Description This function returns random input value to be used in commitment
1313 ** calculation for SC passkey entry association mode
1314 ** (if bit["round"] in "random" array == 1 then returns 0x81
1315 ** else returns 0x80).
1319 *******************************************************************************/
1320 UINT8 smp_calculate_random_input(UINT8 *random, UINT8 round)
1326 SMP_TRACE_DEBUG("random: 0x%02x, round: %d, i: %d, j: %d", random[i], round, i, j);
1327 ri = ((random[i] >> j) & 1) | 0x80;
1328 SMP_TRACE_DEBUG("%s ri=0x%02x", __func__, ri);
1332 /*******************************************************************************
1333 ** Function smp_collect_local_io_capabilities
1335 ** Description This function puts into IOcap array local device
1336 ** IOCapability, OOB data, AuthReq.
1340 *******************************************************************************/
1341 void smp_collect_local_io_capabilities(UINT8 *iocap, tSMP_CB *p_cb)
1343 SMP_TRACE_DEBUG("%s", __func__);
1345 iocap[0] = p_cb->local_io_capability;
1346 iocap[1] = p_cb->loc_oob_flag;
1347 iocap[2] = p_cb->loc_auth_req;
1350 /*******************************************************************************
1351 ** Function smp_collect_peer_io_capabilities
1353 ** Description This function puts into IOcap array peer device
1354 ** IOCapability, OOB data, AuthReq.
1358 *******************************************************************************/
1359 void smp_collect_peer_io_capabilities(UINT8 *iocap, tSMP_CB *p_cb)
1361 SMP_TRACE_DEBUG("%s", __func__);
1363 iocap[0] = p_cb->peer_io_caps;
1364 iocap[1] = p_cb->peer_oob_flag;
1365 iocap[2] = p_cb->peer_auth_req;
1368 /*******************************************************************************
1369 ** Function smp_collect_local_ble_address
1371 ** Description This function puts into le_addr array local device le address:
1372 ** le_addr[0-5] = local BD ADDR,
1373 ** le_addr[6] = local le address type (PUBLIC/RANDOM).
1377 *******************************************************************************/
1378 void smp_collect_local_ble_address(UINT8 *le_addr, tSMP_CB *p_cb)
1380 tBLE_ADDR_TYPE addr_type = 0;
1384 SMP_TRACE_DEBUG("%s", __func__);
1386 BTM_ReadConnectionAddr( p_cb->pairing_bda, bda, &addr_type);
1387 BDADDR_TO_STREAM(p, bda);
1388 UINT8_TO_STREAM(p, addr_type);
1391 /*******************************************************************************
1392 ** Function smp_collect_peer_ble_address
1394 ** Description This function puts into le_addr array peer device le address:
1395 ** le_addr[0-5] = peer BD ADDR,
1396 ** le_addr[6] = peer le address type (PUBLIC/RANDOM).
1400 *******************************************************************************/
1401 void smp_collect_peer_ble_address(UINT8 *le_addr, tSMP_CB *p_cb)
1403 tBLE_ADDR_TYPE addr_type = 0;
1407 SMP_TRACE_DEBUG("%s", __func__);
1409 if (!BTM_ReadRemoteConnectionAddr(p_cb->pairing_bda, bda, &addr_type))
1411 SMP_TRACE_ERROR("can not collect peer le addr information for unknown device");
1415 BDADDR_TO_STREAM(p, bda);
1416 UINT8_TO_STREAM(p, addr_type);
1419 /*******************************************************************************
1420 ** Function smp_check_commitment
1422 ** Description This function compares peer commitment values:
1423 ** - expected (i.e. calculated locally),
1424 ** - received from the peer.
1426 ** Returns TRUE if the values are the same
1429 *******************************************************************************/
1430 BOOLEAN smp_check_commitment(tSMP_CB *p_cb)
1432 BT_OCTET16 expected;
1434 SMP_TRACE_DEBUG("%s", __func__);
1436 smp_calculate_peer_commitment(p_cb, expected);
1437 print128(expected, (const UINT8 *)"calculated peer commitment");
1438 print128(p_cb->remote_commitment, (const UINT8 *)"received peer commitment");
1440 if (memcmp(p_cb->remote_commitment, expected, BT_OCTET16_LEN))
1442 SMP_TRACE_WARNING("Commitment check fails");
1446 SMP_TRACE_DEBUG("Commitment check succeeds");
1450 /*******************************************************************************
1452 ** Function smp_save_secure_connections_long_term_key
1454 ** Description The function saves SC LTK as BLE key for future use as local
1459 *******************************************************************************/
1460 void smp_save_secure_connections_long_term_key(tSMP_CB *p_cb)
1462 tBTM_LE_LENC_KEYS lle_key;
1463 tBTM_LE_PENC_KEYS ple_key;
1465 SMP_TRACE_DEBUG("%s-Save LTK as local LTK key", __func__);
1466 memcpy(lle_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
1468 lle_key.key_size = p_cb->loc_enc_size;
1469 lle_key.sec_level = p_cb->sec_level;
1470 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC, (tBTM_LE_KEY_VALUE *)&lle_key, TRUE);
1472 SMP_TRACE_DEBUG("%s-Save LTK as peer LTK key", __func__);
1474 memset(ple_key.rand, 0, BT_OCTET8_LEN);
1475 memcpy(ple_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
1476 ple_key.sec_level = p_cb->sec_level;
1477 ple_key.key_size = p_cb->loc_enc_size;
1478 btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC, (tBTM_LE_KEY_VALUE *)&ple_key, TRUE);
1481 /*******************************************************************************
1483 ** Function smp_calculate_f5_mackey_and_long_term_key
1485 ** Description The function calculates MacKey and LTK and saves them in CB.
1486 ** To calculate MacKey and LTK it calls smp_calc_f5(...).
1487 ** MacKey is used in dhkey calculation, LTK is used to encrypt
1490 ** Returns FALSE if out of resources, TRUE otherwise.
1492 *******************************************************************************/
1493 BOOLEAN smp_calculate_f5_mackey_and_long_term_key(tSMP_CB *p_cb)
1500 SMP_TRACE_DEBUG("%s", __func__);
1502 if (p_cb->role == HCI_ROLE_MASTER)
1504 smp_collect_local_ble_address(a, p_cb);
1505 smp_collect_peer_ble_address(b, p_cb);
1511 smp_collect_local_ble_address(b, p_cb);
1512 smp_collect_peer_ble_address(a, p_cb);
1517 if(!smp_calculate_f5(p_cb->dhkey, p_na, p_nb, a, b, p_cb->mac_key, p_cb->ltk))
1519 SMP_TRACE_ERROR("%s failed", __func__);
1523 SMP_TRACE_EVENT ("%s is completed", __func__);
1527 /*******************************************************************************
1529 ** Function smp_request_oob_data
1531 ** Description Requests application to provide OOB data.
1533 ** Returns TRUE - OOB data has to be provided by application
1534 ** FALSE - otherwise (unexpected)
1536 *******************************************************************************/
1537 BOOLEAN smp_request_oob_data(tSMP_CB *p_cb)
1539 tSMP_OOB_DATA_TYPE req_oob_type = SMP_OOB_INVALID_TYPE;
1541 SMP_TRACE_DEBUG("%s", __func__);
1543 if (p_cb->peer_oob_flag == SMP_OOB_PRESENT && p_cb->loc_oob_flag == SMP_OOB_PRESENT)
1545 /* both local and peer rcvd data OOB */
1546 req_oob_type = SMP_OOB_BOTH;
1548 else if (p_cb->peer_oob_flag == SMP_OOB_PRESENT)
1550 /* peer rcvd OOB local data, local didn't receive OOB peer data */
1551 req_oob_type = SMP_OOB_LOCAL;
1553 else if (p_cb->loc_oob_flag == SMP_OOB_PRESENT)
1555 req_oob_type = SMP_OOB_PEER;
1558 SMP_TRACE_DEBUG("req_oob_type = %d", req_oob_type);
1560 if (req_oob_type == SMP_OOB_INVALID_TYPE)
1563 p_cb->req_oob_type = req_oob_type;
1564 p_cb->cb_evt = SMP_SC_OOB_REQ_EVT;
1565 smp_sm_event(p_cb, SMP_TK_REQ_EVT, &req_oob_type);