1 /*
2 * Copyright (C) 2017 BlueKitchen GmbH
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 *
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the copyright holders nor the names of
14 * contributors may be used to endorse or promote products derived
15 * from this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY BLUEKITCHEN GMBH AND CONTRIBUTORS
18 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
19 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
20 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BLUEKITCHEN
21 * GMBH OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
23 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
24 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
25 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
26 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
27 * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 * SUCH DAMAGE.
29 *
30 */
31
32 #define BTSTACK_FILE__ "btstack_crypto.c"
33
34 /*
35 * btstack_crypto.h
36 *
37 * Central place for all crypto-related functions with completion callbacks to allow
38 * using of MCU crypto peripherals or the Bluetooth controller
39 */
40
41 #include "btstack_crypto.h"
42
43 #include "btstack_debug.h"
44 #include "btstack_event.h"
45 #include "btstack_linked_list.h"
46 #include "btstack_util.h"
47 #include "btstack_bool.h"
48 #include "hci.h"
49
50 //
51 // AES128 Configuration
52 //
53
54 // By default, AES128 is computed by Bluetooth Controller using HCI Command/Event asynchronously
55 // as fallback/alternative, a software implementation can be used
56 // configure ECC implementations
57 #if defined(HAVE_AES128) && defined(ENABLE_SOFTWARE_AES128)
58 #error "If you have custom AES128 implementation (HAVE_AES128), please disable software AES128 (ENABLE_SOFTWARE_AES128) in bstack_config.h"
59 #endif
60
61 #ifdef ENABLE_SOFTWARE_AES128
62 #define HAVE_AES128
63 #include "rijndael.h"
64 #endif
65
66 #ifdef HAVE_AES128
67 #define USE_BTSTACK_AES128
68 #endif
69
70 //
71 // ECC Configuration
72 //
73
74 // backwards-compatitility ENABLE_MICRO_ECC_FOR_LE_SECURE_CONNECTIONS -> ENABLE_MICRO_ECC_P256
75 #if defined(ENABLE_MICRO_ECC_FOR_LE_SECURE_CONNECTIONS) && !defined(ENABLE_MICRO_ECC_P256)
76 #define ENABLE_MICRO_ECC_P256
77 #endif
78
79 // configure ECC implementations
80 #if defined(ENABLE_MICRO_ECC_P256) && defined(HAVE_MBEDTLS_ECC_P256)
81 #error "If you have mbedTLS (HAVE_MBEDTLS_ECC_P256), please disable uECC (ENABLE_MICRO_ECC_P256) in bstack_config.h"
82 #endif
83
84 // Software ECC-P256 implementation provided by micro-ecc
85 #ifdef ENABLE_MICRO_ECC_P256
86 #define ENABLE_ECC_P256
87 #define USE_MICRO_ECC_P256
88 #define USE_SOFTWARE_ECC_P256_IMPLEMENTATION
89 #include "uECC.h"
90 #endif
91
92 // Software ECC-P256 implementation provided by mbedTLS, allow config via MBEDTLS_CONFIG_FILE
93 #ifdef HAVE_MBEDTLS_ECC_P256
94 #define ENABLE_ECC_P256
95 #define USE_MBEDTLS_ECC_P256
96 #define USE_SOFTWARE_ECC_P256_IMPLEMENTATION
97 #ifdef MBEDTLS_CONFIG_FILE
98 // cppcheck-suppress preprocessorErrorDirective
99 #include MBEDTLS_CONFIG_FILE
100 #else
101 #include "mbedtls/mbedtls_config.h"
102 #endif
103 #include "mbedtls/platform.h"
104 #include "mbedtls/ecp.h"
105 #endif
106
107 #if defined(ENABLE_LE_SECURE_CONNECTIONS) && !defined(ENABLE_ECC_P256)
108 #define ENABLE_ECC_P256
109 #endif
110
111 // debugging
112 // #define DEBUG_CCM
113
114 typedef enum {
115 CMAC_IDLE,
116 CMAC_CALC_SUBKEYS,
117 CMAC_W4_SUBKEYS,
118 CMAC_CALC_MI,
119 CMAC_W4_MI,
120 CMAC_CALC_MLAST,
121 CMAC_W4_MLAST
122 } btstack_crypto_cmac_state_t;
123
124 typedef enum {
125 ECC_P256_KEY_GENERATION_IDLE,
126 ECC_P256_KEY_GENERATION_GENERATING_RANDOM,
127 ECC_P256_KEY_GENERATION_ACTIVE,
128 ECC_P256_KEY_GENERATION_W4_KEY,
129 ECC_P256_KEY_GENERATION_DONE,
130 } btstack_crypto_ecc_p256_key_generation_state_t;
131
132 static void btstack_crypto_run(void);
133 static void btstack_crypto_state_reset(void);
134
135 static const uint8_t zero[16] = { 0 };
136
137 static bool btstack_crypto_initialized;
138 static bool btstack_crypto_wait_for_hci_result;
139 static btstack_linked_list_t btstack_crypto_operations;
140 static btstack_packet_callback_registration_t hci_event_callback_registration;
141
142 // state for AES-CMAC
143 #ifndef USE_BTSTACK_AES128
144 static btstack_crypto_cmac_state_t btstack_crypto_cmac_state;
145 static sm_key_t btstack_crypto_cmac_k;
146 static sm_key_t btstack_crypto_cmac_x;
147 static sm_key_t btstack_crypto_cmac_subkey;
148 static uint8_t btstack_crypto_cmac_block_current;
149 static uint8_t btstack_crypto_cmac_block_count;
150 #endif
151
152 // state for AES-CCM
153 static uint8_t btstack_crypto_ccm_s[16];
154
155 #ifdef ENABLE_ECC_P256
156
157 static uint8_t btstack_crypto_ecc_p256_public_key[64];
158 static uint8_t btstack_crypto_ecc_p256_random[64];
159 static uint8_t btstack_crypto_ecc_p256_random_len;
160 static uint8_t btstack_crypto_ecc_p256_random_offset;
161 static btstack_crypto_ecc_p256_key_generation_state_t btstack_crypto_ecc_p256_key_generation_state;
162
163 #ifdef USE_SOFTWARE_ECC_P256_IMPLEMENTATION
164 static uint8_t btstack_crypto_ecc_p256_d[32];
165 #endif
166
167 // Software ECDH implementation provided by mbedtls
168 #ifdef USE_MBEDTLS_ECC_P256
169 static mbedtls_ecp_group mbedtls_ec_group;
170 #endif
171
172 #endif /* ENABLE_ECC_P256 */
173
174 #ifdef ENABLE_SOFTWARE_AES128
175 // AES128 using public domain rijndael implementation
btstack_aes128_calc(const uint8_t * key,const uint8_t * plaintext,uint8_t * ciphertext)176 void btstack_aes128_calc(const uint8_t * key, const uint8_t * plaintext, uint8_t * ciphertext){
177 uint32_t rk[RKLENGTH(KEYBITS)];
178 int nrounds = rijndaelSetupEncrypt(rk, &key[0], KEYBITS);
179 rijndaelEncrypt(rk, nrounds, plaintext, ciphertext);
180 }
181 #endif
182
btstack_crypto_done(btstack_crypto_t * btstack_crypto)183 static void btstack_crypto_done(btstack_crypto_t * btstack_crypto){
184 btstack_linked_list_pop(&btstack_crypto_operations);
185 (*btstack_crypto->context_callback.callback)(btstack_crypto->context_callback.context);
186 }
187
btstack_crypto_cmac_shift_left_by_one_bit_inplace(int len,uint8_t * data)188 static void btstack_crypto_cmac_shift_left_by_one_bit_inplace(int len, uint8_t * data){
189 int i;
190 int carry = 0;
191 for (i=len-1; i >= 0 ; i--){
192 int new_carry = data[i] >> 7;
193 data[i] = (data[i] << 1) | carry;
194 carry = new_carry;
195 }
196 }
197
btstack_crypto_cmac_get_byte(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac,uint16_t pos)198 static uint8_t btstack_crypto_cmac_get_byte(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac, uint16_t pos){
199 if (btstack_crypto_cmac->btstack_crypto.operation == BTSTACK_CRYPTO_CMAC_GENERATOR){
200 return (*btstack_crypto_cmac->data.get_byte_callback)(pos);
201 } else {
202 return btstack_crypto_cmac->data.message[pos];
203 }
204 }
205
206 #ifdef USE_BTSTACK_AES128
207
btstack_crypto_cmac_calc_subkeys(sm_key_t k0,sm_key_t k1,sm_key_t k2)208 static void btstack_crypto_cmac_calc_subkeys(sm_key_t k0, sm_key_t k1, sm_key_t k2){
209 memcpy(k1, k0, 16);
210 btstack_crypto_cmac_shift_left_by_one_bit_inplace(16, k1);
211 if (k0[0] & 0x80){
212 k1[15] ^= 0x87;
213 }
214 memcpy(k2, k1, 16);
215 btstack_crypto_cmac_shift_left_by_one_bit_inplace(16, k2);
216 if (k1[0] & 0x80){
217 k2[15] ^= 0x87;
218 }
219 }
220
btstack_crypto_cmac_calc(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac)221 static void btstack_crypto_cmac_calc(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac) {
222 sm_key_t k0, k1, k2;
223 uint16_t i;
224
225 btstack_aes128_calc(btstack_crypto_cmac->key, zero, k0);
226 btstack_crypto_cmac_calc_subkeys(k0, k1, k2);
227
228 uint16_t cmac_block_count = (btstack_crypto_cmac->size + 15) / 16;
229
230 // step 3: ..
231 if (cmac_block_count==0){
232 cmac_block_count = 1;
233 }
234
235 // Step 5
236 sm_key_t cmac_x;
237 memset(cmac_x, 0, 16);
238
239 // Step 6
240 sm_key_t cmac_y;
241 int block;
242 for (block = 0 ; block < cmac_block_count-1 ; block++){
243 for (i=0;i<16;i++){
244 cmac_y[i] = cmac_x[i] ^ btstack_crypto_cmac_get_byte(btstack_crypto_cmac, (block*16) + i);
245 }
246 btstack_aes128_calc(btstack_crypto_cmac->key, cmac_y, cmac_x);
247 }
248
249 // step 4: set m_last
250 sm_key_t cmac_m_last;
251 bool last_block_complete = btstack_crypto_cmac->size != 0 && (btstack_crypto_cmac->size & 0x0f) == 0;
252 if (last_block_complete){
253 for (i=0;i<16;i++){
254 cmac_m_last[i] = btstack_crypto_cmac_get_byte(btstack_crypto_cmac, btstack_crypto_cmac->size - 16 + i) ^ k1[i];
255 }
256 } else {
257 uint16_t valid_octets_in_last_block = btstack_crypto_cmac->size & 0x0f;
258 for (i=0;i<16;i++){
259 if (i < valid_octets_in_last_block){
260 cmac_m_last[i] = btstack_crypto_cmac_get_byte(btstack_crypto_cmac, (btstack_crypto_cmac->size & 0xfff0) + i) ^ k2[i];
261 continue;
262 }
263 if (i == valid_octets_in_last_block){
264 cmac_m_last[i] = 0x80 ^ k2[i];
265 continue;
266 }
267 cmac_m_last[i] = k2[i];
268 }
269 }
270
271 for (i=0;i<16;i++){
272 cmac_y[i] = cmac_x[i] ^ cmac_m_last[i];
273 }
274
275 // Step 7
276 btstack_aes128_calc(btstack_crypto_cmac->key, cmac_y, btstack_crypto_cmac->hash);
277 }
278 #else
279
btstack_crypto_aes128_start(const sm_key_t key,const sm_key_t plaintext)280 static void btstack_crypto_aes128_start(const sm_key_t key, const sm_key_t plaintext){
281 uint8_t key_flipped[16];
282 uint8_t plaintext_flipped[16];
283 reverse_128(key, key_flipped);
284 reverse_128(plaintext, plaintext_flipped);
285 btstack_crypto_wait_for_hci_result = 1;
286 hci_send_cmd(&hci_le_encrypt, key_flipped, plaintext_flipped);
287 }
288
btstack_crypto_cmac_next_state(void)289 static inline void btstack_crypto_cmac_next_state(void){
290 btstack_crypto_cmac_state = (btstack_crypto_cmac_state_t) (((int)btstack_crypto_cmac_state) + 1);
291 }
292
btstack_crypto_cmac_last_block_complete(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac)293 static int btstack_crypto_cmac_last_block_complete(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac){
294 uint16_t len = btstack_crypto_cmac->size;
295 if (len == 0u) return 0u;
296 return (len & 0x0fu) == 0u;
297 }
298
btstack_crypto_cmac_handle_aes_engine_ready(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac)299 static void btstack_crypto_cmac_handle_aes_engine_ready(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac){
300 switch (btstack_crypto_cmac_state){
301 case CMAC_CALC_SUBKEYS: {
302 btstack_crypto_cmac_next_state();
303 btstack_crypto_aes128_start(btstack_crypto_cmac_k, zero);
304 break;
305 }
306 case CMAC_CALC_MI: {
307 int j;
308 sm_key_t y;
309 for (j=0;j<16;j++){
310 y[j] = btstack_crypto_cmac_x[j] ^ btstack_crypto_cmac_get_byte(btstack_crypto_cmac, (btstack_crypto_cmac_block_current*16u) + j);
311 }
312 btstack_crypto_cmac_block_current++;
313 btstack_crypto_cmac_next_state();
314 btstack_crypto_aes128_start(btstack_crypto_cmac_k, y);
315 break;
316 }
317 case CMAC_CALC_MLAST: {
318 sm_key_t k1;
319 (void)memcpy(k1, btstack_crypto_cmac_subkey, 16);
320 btstack_crypto_cmac_shift_left_by_one_bit_inplace(16, k1);
321 if (btstack_crypto_cmac_subkey[0u] & 0x80u){
322 k1[15u] ^= 0x87u;
323 }
324 sm_key_t k2;
325 (void)memcpy(k2, k1, 16);
326 btstack_crypto_cmac_shift_left_by_one_bit_inplace(16, k2);
327 if (k1[0u] & 0x80u){
328 k2[15u] ^= 0x87u;
329 }
330
331 log_info_key("k", btstack_crypto_cmac_k);
332 log_info_key("k1", k1);
333 log_info_key("k2", k2);
334
335 // step 4: set m_last
336 int i;
337 sm_key_t btstack_crypto_cmac_m_last;
338 if (btstack_crypto_cmac_last_block_complete(btstack_crypto_cmac)){
339 for (i=0;i<16;i++){
340 btstack_crypto_cmac_m_last[i] = btstack_crypto_cmac_get_byte(btstack_crypto_cmac, btstack_crypto_cmac->size - 16u + i) ^ k1[i];
341 }
342 } else {
343 int valid_octets_in_last_block = btstack_crypto_cmac->size & 0x0fu;
344 for (i=0;i<16;i++){
345 if (i < valid_octets_in_last_block){
346 btstack_crypto_cmac_m_last[i] = btstack_crypto_cmac_get_byte(btstack_crypto_cmac, (btstack_crypto_cmac->size & 0xfff0u) + i) ^ k2[i];
347 continue;
348 }
349 if (i == valid_octets_in_last_block){
350 btstack_crypto_cmac_m_last[i] = 0x80u ^ k2[i];
351 continue;
352 }
353 btstack_crypto_cmac_m_last[i] = k2[i];
354 }
355 }
356 sm_key_t y;
357 for (i=0;i<16;i++){
358 y[i] = btstack_crypto_cmac_x[i] ^ btstack_crypto_cmac_m_last[i];
359 }
360 btstack_crypto_cmac_block_current++;
361 btstack_crypto_cmac_next_state();
362 btstack_crypto_aes128_start(btstack_crypto_cmac_k, y);
363 break;
364 }
365 default:
366 log_info("btstack_crypto_cmac_handle_aes_engine_ready called in state %u", btstack_crypto_cmac_state);
367 break;
368 }
369 }
370
btstack_crypto_cmac_handle_encryption_result(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac,sm_key_t data)371 static void btstack_crypto_cmac_handle_encryption_result(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac, sm_key_t data){
372 switch (btstack_crypto_cmac_state){
373 case CMAC_W4_SUBKEYS:
374 (void)memcpy(btstack_crypto_cmac_subkey, data, 16);
375 // next
376 btstack_crypto_cmac_state = (btstack_crypto_cmac_block_current < (btstack_crypto_cmac_block_count - 1u)) ? CMAC_CALC_MI : CMAC_CALC_MLAST;
377 break;
378 case CMAC_W4_MI:
379 (void)memcpy(btstack_crypto_cmac_x, data, 16);
380 btstack_crypto_cmac_state = (btstack_crypto_cmac_block_current < (btstack_crypto_cmac_block_count - 1u)) ? CMAC_CALC_MI : CMAC_CALC_MLAST;
381 break;
382 case CMAC_W4_MLAST:
383 // done
384 log_info("Setting CMAC Engine to IDLE");
385 btstack_crypto_cmac_state = CMAC_IDLE;
386 log_info_key("CMAC", data);
387 (void)memcpy(btstack_crypto_cmac->hash, data, 16);
388 btstack_linked_list_pop(&btstack_crypto_operations);
389 (*btstack_crypto_cmac->btstack_crypto.context_callback.callback)(btstack_crypto_cmac->btstack_crypto.context_callback.context);
390 break;
391 default:
392 log_info("btstack_crypto_cmac_handle_encryption_result called in state %u", btstack_crypto_cmac_state);
393 break;
394 }
395 }
396
btstack_crypto_cmac_start(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac)397 static void btstack_crypto_cmac_start(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac){
398
399 (void)memcpy(btstack_crypto_cmac_k, btstack_crypto_cmac->key, 16);
400 memset(btstack_crypto_cmac_x, 0, 16);
401 btstack_crypto_cmac_block_current = 0;
402
403 // step 2: n := ceil(len/const_Bsize);
404 btstack_crypto_cmac_block_count = (btstack_crypto_cmac->size + 15u) / 16u;
405
406 // step 3: ..
407 if (btstack_crypto_cmac_block_count==0u){
408 btstack_crypto_cmac_block_count = 1;
409 }
410 log_info("btstack_crypto_cmac_start: len %u, block count %u", btstack_crypto_cmac->size, btstack_crypto_cmac_block_count);
411
412 // first, we need to compute l for k1, k2, and m_last
413 btstack_crypto_cmac_state = CMAC_CALC_SUBKEYS;
414
415 // let's go
416 btstack_crypto_cmac_handle_aes_engine_ready(btstack_crypto_cmac);
417 }
418 #endif
419
420 /*
421 To encrypt the message data we use Counter (CTR) mode. We first
422 define the key stream blocks by:
423
424 S_i := E( K, A_i ) for i=0, 1, 2, ...
425
426 The values A_i are formatted as follows, where the Counter field i is
427 encoded in most-significant-byte first order:
428
429 Octet Number Contents
430 ------------ ---------
431 0 Flags
432 1 ... 15-L Nonce N
433 16-L ... 15 Counter i
434
435 Bit Number Contents
436 ---------- ----------------------
437 7 Reserved (always zero)
438 6 Reserved (always zero)
439 5 ... 3 Zero
440 2 ... 0 L'
441 */
442
btstack_crypto_ccm_setup_a_i(btstack_crypto_ccm_t * btstack_crypto_ccm,uint16_t counter)443 static void btstack_crypto_ccm_setup_a_i(btstack_crypto_ccm_t * btstack_crypto_ccm, uint16_t counter){
444 btstack_crypto_ccm_s[0] = 1; // L' = L - 1
445 (void)memcpy(&btstack_crypto_ccm_s[1], btstack_crypto_ccm->nonce, 13);
446 big_endian_store_16(btstack_crypto_ccm_s, 14, counter);
447 #ifdef DEBUG_CCM
448 printf("btstack_crypto_ccm_setup_a_%u\n", counter);
449 printf("%16s: ", "ai");
450 printf_hexdump(btstack_crypto_ccm_s, 16);
451 #endif
452 }
453
454 /*
455 The first step is to compute the authentication field T. This is
456 done using CBC-MAC [MAC]. We first define a sequence of blocks B_0,
457 B_1, ..., B_n and then apply CBC-MAC to these blocks.
458
459 The first block B_0 is formatted as follows, where l(m) is encoded in
460 most-significant-byte first order:
461
462 Octet Number Contents
463 ------------ ---------
464 0 Flags
465 1 ... 15-L Nonce N
466 16-L ... 15 l(m)
467
468 Within the first block B_0, the Flags field is formatted as follows:
469
470 Bit Number Contents
471 ---------- ----------------------
472 7 Reserved (always zero)
473 6 Adata
474 5 ... 3 M'
475 2 ... 0 L'
476 */
477
btstack_crypto_ccm_setup_b_0(btstack_crypto_ccm_t * btstack_crypto_ccm,uint8_t * b0)478 static void btstack_crypto_ccm_setup_b_0(btstack_crypto_ccm_t * btstack_crypto_ccm, uint8_t * b0){
479 uint8_t m_prime = (btstack_crypto_ccm->auth_len - 2u) / 2u;
480 uint8_t Adata = btstack_crypto_ccm->aad_len ? 1 : 0;
481 b0[0u] = (Adata << 6u) | (m_prime << 3u) | 1u ; // Adata, M', L' = L - 1
482 (void)memcpy(&b0[1], btstack_crypto_ccm->nonce, 13);
483 big_endian_store_16(b0, 14, btstack_crypto_ccm->message_len);
484 #ifdef DEBUG_CCM
485 printf("%16s: ", "B0");
486 printf_hexdump(b0, 16);
487 #endif
488 }
489
490 #ifdef ENABLE_ECC_P256
491
btstack_crypto_log_ec_publickey(const uint8_t * ec_q)492 static void btstack_crypto_log_ec_publickey(const uint8_t * ec_q){
493 log_info("Elliptic curve: X");
494 log_info_hexdump(&ec_q[0],32);
495 log_info("Elliptic curve: Y");
496 log_info_hexdump(&ec_q[32],32);
497 }
498
499 #if (defined(USE_MICRO_ECC_P256) && !defined(WICED_VERSION)) || defined(USE_MBEDTLS_ECC_P256)
500 // @return OK
sm_generate_f_rng(unsigned char * buffer,unsigned size)501 static int sm_generate_f_rng(unsigned char * buffer, unsigned size){
502 if (btstack_crypto_ecc_p256_key_generation_state != ECC_P256_KEY_GENERATION_ACTIVE) return 0;
503 log_info("sm_generate_f_rng: size %u - offset %u", (int) size, btstack_crypto_ecc_p256_random_offset);
504 btstack_assert((btstack_crypto_ecc_p256_random_offset + size) <= btstack_crypto_ecc_p256_random_len);
505 uint16_t remaining_size = size;
506 uint8_t * buffer_ptr = buffer;
507 while (remaining_size) {
508 *buffer_ptr++ = btstack_crypto_ecc_p256_random[btstack_crypto_ecc_p256_random_offset++];
509 remaining_size--;
510 }
511 return 1;
512 }
513 #endif
514 #ifdef USE_MBEDTLS_ECC_P256
515 // @return error - just wrap sm_generate_f_rng
sm_generate_f_rng_mbedtls(void * context,unsigned char * buffer,size_t size)516 static int sm_generate_f_rng_mbedtls(void * context, unsigned char * buffer, size_t size){
517 UNUSED(context);
518 return sm_generate_f_rng(buffer, size) == 0;
519 }
520 #endif /* USE_MBEDTLS_ECC_P256 */
521
btstack_crypto_ecc_p256_generate_key_software(void)522 static void btstack_crypto_ecc_p256_generate_key_software(void){
523
524 btstack_crypto_ecc_p256_random_offset = 0;
525
526 // generate EC key
527 #ifdef USE_MICRO_ECC_P256
528
529 #ifndef WICED_VERSION
530 log_info("set uECC RNG for initial key generation with 64 random bytes");
531 // micro-ecc from WICED SDK uses its wiced_crypto_get_random by default - no need to set it
532 uECC_set_rng(&sm_generate_f_rng);
533 #endif /* WICED_VERSION */
534
535 #if uECC_SUPPORTS_secp256r1
536 // standard version
537 uECC_make_key(btstack_crypto_ecc_p256_public_key, btstack_crypto_ecc_p256_d, uECC_secp256r1());
538
539 // disable RNG again, as returning no randmon data lets shared key generation fail
540 log_info("disable uECC RNG in standard version after key generation");
541 uECC_set_rng(NULL);
542 #else
543 // static version
544 uECC_make_key(btstack_crypto_ecc_p256_public_key, btstack_crypto_ecc_p256_d);
545 #endif
546 #endif /* USE_MICRO_ECC_P256 */
547
548 #ifdef USE_MBEDTLS_ECC_P256
549 mbedtls_mpi d;
550 mbedtls_ecp_point P;
551 mbedtls_mpi_init(&d);
552 mbedtls_ecp_point_init(&P);
553 int res = mbedtls_ecp_gen_keypair(&mbedtls_ec_group, &d, &P, &sm_generate_f_rng_mbedtls, NULL);
554 log_info("gen keypair %x", res);
555 mbedtls_mpi_write_binary(&P.X, &btstack_crypto_ecc_p256_public_key[0], 32);
556 mbedtls_mpi_write_binary(&P.Y, &btstack_crypto_ecc_p256_public_key[32], 32);
557 mbedtls_mpi_write_binary(&d, btstack_crypto_ecc_p256_d, 32);
558 mbedtls_ecp_point_free(&P);
559 mbedtls_mpi_free(&d);
560 #endif /* USE_MBEDTLS_ECC_P256 */
561 }
562
563 #ifdef USE_SOFTWARE_ECC_P256_IMPLEMENTATION
btstack_crypto_ecc_p256_calculate_dhkey_software(btstack_crypto_ecc_p256_t * btstack_crypto_ec_p192)564 static void btstack_crypto_ecc_p256_calculate_dhkey_software(btstack_crypto_ecc_p256_t * btstack_crypto_ec_p192){
565 memset(btstack_crypto_ec_p192->dhkey, 0, 32);
566
567 #ifdef USE_MICRO_ECC_P256
568 #if uECC_SUPPORTS_secp256r1
569 // standard version
570 uECC_shared_secret(btstack_crypto_ec_p192->public_key, btstack_crypto_ecc_p256_d, btstack_crypto_ec_p192->dhkey, uECC_secp256r1());
571 #else
572 // static version
573 uECC_shared_secret(btstack_crypto_ec_p192->public_key, btstack_crypto_ecc_p256_d, btstack_crypto_ec_p192->dhkey);
574 #endif
575 #endif
576
577 #ifdef USE_MBEDTLS_ECC_P256
578 // da * Pb
579 mbedtls_mpi d;
580 mbedtls_ecp_point Q;
581 mbedtls_ecp_point DH;
582 mbedtls_mpi_init(&d);
583 mbedtls_ecp_point_init(&Q);
584 mbedtls_ecp_point_init(&DH);
585 mbedtls_mpi_read_binary(&d, btstack_crypto_ecc_p256_d, 32);
586 mbedtls_mpi_read_binary(&Q.X, &btstack_crypto_ec_p192->public_key[0] , 32);
587 mbedtls_mpi_read_binary(&Q.Y, &btstack_crypto_ec_p192->public_key[32], 32);
588 mbedtls_mpi_lset(&Q.Z, 1);
589 mbedtls_ecp_mul(&mbedtls_ec_group, &DH, &d, &Q, NULL, NULL);
590 mbedtls_mpi_write_binary(&DH.X, btstack_crypto_ec_p192->dhkey, 32);
591 mbedtls_ecp_point_free(&DH);
592 mbedtls_mpi_free(&d);
593 mbedtls_ecp_point_free(&Q);
594 #endif
595
596 log_info("dhkey");
597 log_info_hexdump(btstack_crypto_ec_p192->dhkey, 32);
598 }
599 #endif
600
601 #endif
602
btstack_crypto_ccm_next_block(btstack_crypto_ccm_t * btstack_crypto_ccm,btstack_crypto_ccm_state_t state_when_done)603 static void btstack_crypto_ccm_next_block(btstack_crypto_ccm_t * btstack_crypto_ccm, btstack_crypto_ccm_state_t state_when_done){
604 uint16_t bytes_to_process = btstack_min(btstack_crypto_ccm->block_len, 16);
605 // next block
606 btstack_crypto_ccm->counter++;
607 btstack_crypto_ccm->input += bytes_to_process;
608 btstack_crypto_ccm->output += bytes_to_process;
609 btstack_crypto_ccm->block_len -= bytes_to_process;
610 btstack_crypto_ccm->message_len -= bytes_to_process;
611 #ifdef DEBUG_CCM
612 printf("btstack_crypto_ccm_next_block (message len %u, block_len %u)\n", btstack_crypto_ccm->message_len, btstack_crypto_ccm->block_len);
613 #endif
614 if (btstack_crypto_ccm->message_len == 0u){
615 btstack_crypto_ccm->state = CCM_CALCULATE_S0;
616 } else {
617 btstack_crypto_ccm->state = state_when_done;
618 if (btstack_crypto_ccm->block_len == 0u){
619 btstack_crypto_done(&btstack_crypto_ccm->btstack_crypto);
620 }
621 }
622 }
623
624 // If Controller is used for AES128, data is little endian
btstack_crypto_ccm_handle_s0(btstack_crypto_ccm_t * btstack_crypto_ccm,const uint8_t * data)625 static void btstack_crypto_ccm_handle_s0(btstack_crypto_ccm_t * btstack_crypto_ccm, const uint8_t * data){
626 int i;
627 for (i=0;i<16;i++){
628 #ifdef USE_BTSTACK_AES128
629 btstack_crypto_ccm->x_i[i] = btstack_crypto_ccm->x_i[i] ^ data[i];
630 #else
631 btstack_crypto_ccm->x_i[i] = btstack_crypto_ccm->x_i[i] ^ data[15-i];
632 #endif
633 }
634 btstack_crypto_done(&btstack_crypto_ccm->btstack_crypto);
635 }
636
637 // If Controller is used for AES128, data is little endian
btstack_crypto_ccm_handle_sn(btstack_crypto_ccm_t * btstack_crypto_ccm,const uint8_t * data)638 static void btstack_crypto_ccm_handle_sn(btstack_crypto_ccm_t * btstack_crypto_ccm, const uint8_t * data){
639 int i;
640 uint16_t bytes_to_process = btstack_min(btstack_crypto_ccm->block_len, 16);
641 for (i=0;i<bytes_to_process;i++){
642 #ifdef USE_BTSTACK_AES128
643 btstack_crypto_ccm->output[i] = btstack_crypto_ccm->input[i] ^ data[i];
644 #else
645 btstack_crypto_ccm->output[i] = btstack_crypto_ccm->input[i] ^ data[15-i];
646 #endif
647 }
648 switch (btstack_crypto_ccm->btstack_crypto.operation){
649 case BTSTACK_CRYPTO_CCM_DECRYPT_BLOCK:
650 btstack_crypto_ccm->state = CCM_CALCULATE_XN;
651 break;
652 case BTSTACK_CRYPTO_CCM_ENCRYPT_BLOCK:
653 btstack_crypto_ccm_next_block(btstack_crypto_ccm, CCM_CALCULATE_XN);
654 break;
655 default:
656 btstack_assert(false);
657 break;
658 }
659 }
660
btstack_crypto_ccm_handle_aad_xn(btstack_crypto_ccm_t * btstack_crypto_ccm)661 static void btstack_crypto_ccm_handle_aad_xn(btstack_crypto_ccm_t * btstack_crypto_ccm) {
662 #ifdef DEBUG_CCM
663 printf("%16s: ", "Xn+1 AAD");
664 printf_hexdump(btstack_crypto_ccm->x_i, 16);
665 #endif
666 // more aad?
667 if (btstack_crypto_ccm->aad_offset < (btstack_crypto_ccm->aad_len + 2u)){
668 btstack_crypto_ccm->state = CCM_CALCULATE_AAD_XN;
669 } else {
670 // done
671 btstack_crypto_done((btstack_crypto_t *) btstack_crypto_ccm);
672 }
673 }
674
btstack_crypto_ccm_handle_x1(btstack_crypto_ccm_t * btstack_crypto_ccm)675 static void btstack_crypto_ccm_handle_x1(btstack_crypto_ccm_t * btstack_crypto_ccm) {
676 #ifdef DEBUG_CCM
677 printf("%16s: ", "Xi");
678 printf_hexdump(btstack_crypto_ccm->x_i, 16);
679 #endif
680 switch (btstack_crypto_ccm->btstack_crypto.operation){
681 case BTSTACK_CRYPTO_CCM_DIGEST_BLOCK:
682 btstack_crypto_ccm->aad_remainder_len = 0;
683 btstack_crypto_ccm->state = CCM_CALCULATE_AAD_XN;
684 break;
685 case BTSTACK_CRYPTO_CCM_DECRYPT_BLOCK:
686 btstack_crypto_ccm->state = CCM_CALCULATE_SN;
687 break;
688 case BTSTACK_CRYPTO_CCM_ENCRYPT_BLOCK:
689 btstack_crypto_ccm->state = CCM_CALCULATE_XN;
690 break;
691 default:
692 btstack_assert(false);
693 break;
694 }
695 }
696
btstack_crypto_ccm_handle_xn(btstack_crypto_ccm_t * btstack_crypto_ccm)697 static void btstack_crypto_ccm_handle_xn(btstack_crypto_ccm_t * btstack_crypto_ccm) {
698 #ifdef DEBUG_CCM
699 printf("%16s: ", "Xn+1");
700 printf_hexdump(btstack_crypto_ccm->x_i, 16);
701 #endif
702 switch (btstack_crypto_ccm->btstack_crypto.operation){
703 case BTSTACK_CRYPTO_CCM_DECRYPT_BLOCK:
704 btstack_crypto_ccm_next_block(btstack_crypto_ccm, CCM_CALCULATE_SN);
705 break;
706 case BTSTACK_CRYPTO_CCM_ENCRYPT_BLOCK:
707 btstack_crypto_ccm->state = CCM_CALCULATE_SN;
708 break;
709 default:
710 btstack_assert(false);
711 break;
712 }
713 }
714
btstack_crypto_ccm_calc_s0(btstack_crypto_ccm_t * btstack_crypto_ccm)715 static void btstack_crypto_ccm_calc_s0(btstack_crypto_ccm_t * btstack_crypto_ccm){
716 #ifdef DEBUG_CCM
717 printf("btstack_crypto_ccm_calc_s0\n");
718 #endif
719 btstack_crypto_ccm->state = CCM_W4_S0;
720 btstack_crypto_ccm_setup_a_i(btstack_crypto_ccm, 0);
721 #ifdef USE_BTSTACK_AES128
722 uint8_t data[16];
723 btstack_aes128_calc(btstack_crypto_ccm->key, btstack_crypto_ccm_s, data);
724 btstack_crypto_ccm_handle_s0(btstack_crypto_ccm, data);
725 #else
726 btstack_crypto_aes128_start(btstack_crypto_ccm->key, btstack_crypto_ccm_s);
727 #endif
728 }
729
btstack_crypto_ccm_calc_sn(btstack_crypto_ccm_t * btstack_crypto_ccm)730 static void btstack_crypto_ccm_calc_sn(btstack_crypto_ccm_t * btstack_crypto_ccm){
731 #ifdef DEBUG_CCM
732 printf("btstack_crypto_ccm_calc_s%u\n", btstack_crypto_ccm->counter);
733 #endif
734 btstack_crypto_ccm->state = CCM_W4_SN;
735 btstack_crypto_ccm_setup_a_i(btstack_crypto_ccm, btstack_crypto_ccm->counter);
736 #ifdef USE_BTSTACK_AES128
737 uint8_t data[16];
738 btstack_aes128_calc(btstack_crypto_ccm->key, btstack_crypto_ccm_s, data);
739 btstack_crypto_ccm_handle_sn(btstack_crypto_ccm, data);
740 #else
741 btstack_crypto_aes128_start(btstack_crypto_ccm->key, btstack_crypto_ccm_s);
742 #endif
743 }
744
btstack_crypto_ccm_calc_x1(btstack_crypto_ccm_t * btstack_crypto_ccm)745 static void btstack_crypto_ccm_calc_x1(btstack_crypto_ccm_t * btstack_crypto_ccm){
746 uint8_t btstack_crypto_ccm_buffer[16];
747 btstack_crypto_ccm->state = CCM_W4_X1;
748 btstack_crypto_ccm_setup_b_0(btstack_crypto_ccm, btstack_crypto_ccm_buffer);
749 #ifdef USE_BTSTACK_AES128
750 btstack_aes128_calc(btstack_crypto_ccm->key, btstack_crypto_ccm_buffer, btstack_crypto_ccm->x_i);
751 btstack_crypto_ccm_handle_x1(btstack_crypto_ccm);
752 #else
753 btstack_crypto_aes128_start(btstack_crypto_ccm->key, btstack_crypto_ccm_buffer);
754 #endif
755 }
756
btstack_crypto_ccm_calc_xn(btstack_crypto_ccm_t * btstack_crypto_ccm,const uint8_t * plaintext)757 static void btstack_crypto_ccm_calc_xn(btstack_crypto_ccm_t * btstack_crypto_ccm, const uint8_t * plaintext){
758 uint8_t btstack_crypto_ccm_buffer[16];
759 btstack_crypto_ccm->state = CCM_W4_XN;
760
761 #ifdef DEBUG_CCM
762 printf("%16s: ", "bn");
763 printf_hexdump(plaintext, 16);
764 #endif
765 uint8_t i;
766 uint16_t bytes_to_decrypt = btstack_crypto_ccm->block_len;
767 // use explicit min implementation as c-stat worried about out-of-bounds-reads
768 if (bytes_to_decrypt > 16u) {
769 bytes_to_decrypt = 16;
770 }
771 for (i = 0; i < bytes_to_decrypt ; i++){
772 btstack_crypto_ccm_buffer[i] = btstack_crypto_ccm->x_i[i] ^ plaintext[i];
773 }
774 (void)memcpy(&btstack_crypto_ccm_buffer[i], &btstack_crypto_ccm->x_i[i],
775 16u - bytes_to_decrypt);
776 #ifdef DEBUG_CCM
777 printf("%16s: ", "Xn XOR bn");
778 printf_hexdump(btstack_crypto_ccm_buffer, 16);
779 #endif
780
781 #ifdef USE_BTSTACK_AES128
782 btstack_aes128_calc(btstack_crypto_ccm->key, btstack_crypto_ccm_buffer, btstack_crypto_ccm->x_i);
783 btstack_crypto_ccm_handle_xn(btstack_crypto_ccm);
784 #else
785 btstack_crypto_aes128_start(btstack_crypto_ccm->key, btstack_crypto_ccm_buffer);
786 #endif
787 }
788
btstack_crypto_ccm_calc_aad_xn(btstack_crypto_ccm_t * btstack_crypto_ccm)789 static void btstack_crypto_ccm_calc_aad_xn(btstack_crypto_ccm_t * btstack_crypto_ccm){
790 // store length
791 if (btstack_crypto_ccm->aad_offset == 0u){
792 uint8_t len_buffer[2];
793 big_endian_store_16(len_buffer, 0, btstack_crypto_ccm->aad_len);
794 btstack_crypto_ccm->x_i[0] ^= len_buffer[0];
795 btstack_crypto_ccm->x_i[1] ^= len_buffer[1];
796 btstack_crypto_ccm->aad_remainder_len += 2u;
797 btstack_crypto_ccm->aad_offset += 2u;
798 }
799
800 // fill from input
801 uint16_t bytes_free = 16u - btstack_crypto_ccm->aad_remainder_len;
802 uint16_t bytes_to_copy = btstack_min(bytes_free, btstack_crypto_ccm->block_len);
803 while (bytes_to_copy){
804 btstack_crypto_ccm->x_i[btstack_crypto_ccm->aad_remainder_len++] ^= *btstack_crypto_ccm->input++;
805 btstack_crypto_ccm->aad_offset++;
806 btstack_crypto_ccm->block_len--;
807 bytes_to_copy--;
808 bytes_free--;
809 }
810
811 // if last block, fill with zeros
812 if (btstack_crypto_ccm->aad_offset == (btstack_crypto_ccm->aad_len + 2u)){
813 btstack_crypto_ccm->aad_remainder_len = 16;
814 }
815 // if not full, notify done
816 if (btstack_crypto_ccm->aad_remainder_len < 16u){
817 btstack_crypto_done(&btstack_crypto_ccm->btstack_crypto);
818 return;
819 }
820
821 // encrypt block
822 #ifdef DEBUG_CCM
823 printf("%16s: ", "Xn XOR Bn (aad)");
824 printf_hexdump(btstack_crypto_ccm->x_i, 16);
825 #endif
826
827 btstack_crypto_ccm->aad_remainder_len = 0;
828 btstack_crypto_ccm->state = CCM_W4_AAD_XN;
829 #ifdef USE_BTSTACK_AES128
830 btstack_aes128_calc(btstack_crypto_ccm->key, btstack_crypto_ccm->x_i, btstack_crypto_ccm->x_i);
831 btstack_crypto_ccm_handle_aad_xn(btstack_crypto_ccm);
832 #else
833 btstack_crypto_aes128_start(btstack_crypto_ccm->key, btstack_crypto_ccm->x_i);
834 #endif
835 }
836
btstack_crypto_run(void)837 static void btstack_crypto_run(void){
838
839 btstack_crypto_aes128_t * btstack_crypto_aes128;
840 btstack_crypto_ccm_t * btstack_crypto_ccm;
841 btstack_crypto_aes128_cmac_t * btstack_crypto_cmac;
842 #ifdef ENABLE_ECC_P256
843 btstack_crypto_ecc_p256_t * btstack_crypto_ec_p192;
844 #endif
845
846 // stack up and running?
847 if (hci_get_state() != HCI_STATE_WORKING) return;
848
849 // try to do as much as possible
850 while (true){
851
852 // anything to do?
853 if (btstack_linked_list_empty(&btstack_crypto_operations)) return;
854
855 // already active?
856 if (btstack_crypto_wait_for_hci_result) return;
857
858 // can send a command?
859 if (!hci_can_send_command_packet_now()) return;
860
861 // ok, find next task
862 btstack_crypto_t * btstack_crypto = (btstack_crypto_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations);
863 switch (btstack_crypto->operation){
864 case BTSTACK_CRYPTO_RANDOM:
865 btstack_crypto_wait_for_hci_result = true;
866 hci_send_cmd(&hci_le_rand);
867 break;
868 case BTSTACK_CRYPTO_AES128:
869 btstack_crypto_aes128 = (btstack_crypto_aes128_t *) btstack_crypto;
870 #ifdef USE_BTSTACK_AES128
871 btstack_aes128_calc(btstack_crypto_aes128->key, btstack_crypto_aes128->plaintext, btstack_crypto_aes128->ciphertext);
872 btstack_crypto_done(btstack_crypto);
873 #else
874 btstack_crypto_aes128_start(btstack_crypto_aes128->key, btstack_crypto_aes128->plaintext);
875 #endif
876 break;
877
878 case BTSTACK_CRYPTO_CMAC_MESSAGE:
879 case BTSTACK_CRYPTO_CMAC_GENERATOR:
880 btstack_crypto_cmac = (btstack_crypto_aes128_cmac_t *) btstack_crypto;
881 #ifdef USE_BTSTACK_AES128
882 btstack_crypto_cmac_calc( btstack_crypto_cmac );
883 btstack_crypto_done(btstack_crypto);
884 #else
885 btstack_crypto_wait_for_hci_result = 1;
886 if (btstack_crypto_cmac_state == CMAC_IDLE){
887 btstack_crypto_cmac_start(btstack_crypto_cmac);
888 } else {
889 btstack_crypto_cmac_handle_aes_engine_ready(btstack_crypto_cmac);
890 }
891 #endif
892 break;
893
894 case BTSTACK_CRYPTO_CCM_DIGEST_BLOCK:
895 case BTSTACK_CRYPTO_CCM_ENCRYPT_BLOCK:
896 case BTSTACK_CRYPTO_CCM_DECRYPT_BLOCK:
897 btstack_crypto_ccm = (btstack_crypto_ccm_t *) btstack_crypto;
898 switch (btstack_crypto_ccm->state){
899 case CCM_CALCULATE_AAD_XN:
900 #ifdef DEBUG_CCM
901 printf("CCM_CALCULATE_AAD_XN\n");
902 #endif
903 btstack_crypto_ccm_calc_aad_xn(btstack_crypto_ccm);
904 break;
905 case CCM_CALCULATE_X1:
906 #ifdef DEBUG_CCM
907 printf("CCM_CALCULATE_X1\n");
908 #endif
909 btstack_crypto_ccm_calc_x1(btstack_crypto_ccm);
910 break;
911 case CCM_CALCULATE_S0:
912 #ifdef DEBUG_CCM
913 printf("CCM_CALCULATE_S0\n");
914 #endif
915 btstack_crypto_ccm_calc_s0(btstack_crypto_ccm);
916 break;
917 case CCM_CALCULATE_SN:
918 #ifdef DEBUG_CCM
919 printf("CCM_CALCULATE_SN\n");
920 #endif
921 btstack_crypto_ccm_calc_sn(btstack_crypto_ccm);
922 break;
923 case CCM_CALCULATE_XN:
924 #ifdef DEBUG_CCM
925 printf("CCM_CALCULATE_XN\n");
926 #endif
927 btstack_crypto_ccm_calc_xn(btstack_crypto_ccm, (btstack_crypto->operation == BTSTACK_CRYPTO_CCM_ENCRYPT_BLOCK) ? btstack_crypto_ccm->input : btstack_crypto_ccm->output);
928 break;
929 default:
930 break;
931 }
932 break;
933
934 #ifdef ENABLE_ECC_P256
935 case BTSTACK_CRYPTO_ECC_P256_GENERATE_KEY:
936 btstack_crypto_ec_p192 = (btstack_crypto_ecc_p256_t *) btstack_crypto;
937 switch (btstack_crypto_ecc_p256_key_generation_state){
938 case ECC_P256_KEY_GENERATION_DONE:
939 // done
940 btstack_crypto_log_ec_publickey(btstack_crypto_ecc_p256_public_key);
941 (void)memcpy(btstack_crypto_ec_p192->public_key,
942 btstack_crypto_ecc_p256_public_key, 64);
943 btstack_linked_list_pop(&btstack_crypto_operations);
944 (*btstack_crypto_ec_p192->btstack_crypto.context_callback.callback)(btstack_crypto_ec_p192->btstack_crypto.context_callback.context);
945 break;
946 case ECC_P256_KEY_GENERATION_IDLE:
947 #ifdef USE_SOFTWARE_ECC_P256_IMPLEMENTATION
948 log_info("start ecc random");
949 btstack_crypto_ecc_p256_key_generation_state = ECC_P256_KEY_GENERATION_GENERATING_RANDOM;
950 btstack_crypto_ecc_p256_random_len = 0;
951 btstack_crypto_wait_for_hci_result = true;
952 hci_send_cmd(&hci_le_rand);
953 #else
954 btstack_crypto_ecc_p256_key_generation_state = ECC_P256_KEY_GENERATION_W4_KEY;
955 btstack_crypto_wait_for_hci_result = 1;
956 hci_send_cmd(&hci_le_read_local_p256_public_key);
957 #endif
958 break;
959 #ifdef USE_SOFTWARE_ECC_P256_IMPLEMENTATION
960 case ECC_P256_KEY_GENERATION_GENERATING_RANDOM:
961 log_info("more ecc random");
962 btstack_crypto_wait_for_hci_result = true;
963 hci_send_cmd(&hci_le_rand);
964 break;
965 #endif
966 default:
967 break;
968 }
969 break;
970 case BTSTACK_CRYPTO_ECC_P256_CALCULATE_DHKEY:
971 btstack_crypto_ec_p192 = (btstack_crypto_ecc_p256_t *) btstack_crypto;
972 #ifdef USE_SOFTWARE_ECC_P256_IMPLEMENTATION
973 btstack_crypto_ecc_p256_calculate_dhkey_software(btstack_crypto_ec_p192);
974 // done
975 btstack_linked_list_pop(&btstack_crypto_operations);
976 (*btstack_crypto_ec_p192->btstack_crypto.context_callback.callback)(btstack_crypto_ec_p192->btstack_crypto.context_callback.context);
977 #else
978 btstack_crypto_wait_for_hci_result = 1;
979 hci_send_cmd(&hci_le_generate_dhkey, &btstack_crypto_ec_p192->public_key[0], &btstack_crypto_ec_p192->public_key[32]);
980 #endif
981 break;
982
983 #endif /* ENABLE_ECC_P256 */
984
985 default:
986 break;
987 }
988 }
989 }
990
btstack_crypto_handle_random_data(const uint8_t * data,uint16_t len)991 static void btstack_crypto_handle_random_data(const uint8_t * data, uint16_t len){
992 btstack_crypto_random_t * btstack_crypto_random;
993 btstack_crypto_t * btstack_crypto = (btstack_crypto_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations);
994 uint16_t bytes_to_copy;
995 if (!btstack_crypto) return;
996 switch (btstack_crypto->operation){
997 case BTSTACK_CRYPTO_RANDOM:
998 btstack_crypto_random = (btstack_crypto_random_t*) btstack_crypto;
999 bytes_to_copy = btstack_min(btstack_crypto_random->size, len);
1000 (void)memcpy(btstack_crypto_random->buffer, data, bytes_to_copy);
1001 btstack_crypto_random->buffer += bytes_to_copy;
1002 btstack_crypto_random->size -= bytes_to_copy;
1003 // data processed, more?
1004 if (!btstack_crypto_random->size) {
1005 // done
1006 btstack_linked_list_pop(&btstack_crypto_operations);
1007 (*btstack_crypto_random->btstack_crypto.context_callback.callback)(btstack_crypto_random->btstack_crypto.context_callback.context);
1008 }
1009 break;
1010 #ifdef ENABLE_ECC_P256
1011 case BTSTACK_CRYPTO_ECC_P256_GENERATE_KEY:
1012 btstack_assert((btstack_crypto_ecc_p256_random_len + 8) <= 64);
1013 (void)memcpy(&btstack_crypto_ecc_p256_random[btstack_crypto_ecc_p256_random_len], data, 8);
1014 btstack_crypto_ecc_p256_random_len += 8u;
1015 if (btstack_crypto_ecc_p256_random_len >= 64u) {
1016 btstack_crypto_ecc_p256_key_generation_state = ECC_P256_KEY_GENERATION_ACTIVE;
1017 btstack_crypto_ecc_p256_generate_key_software();
1018 btstack_crypto_ecc_p256_key_generation_state = ECC_P256_KEY_GENERATION_DONE;
1019 }
1020 break;
1021 #endif
1022 default:
1023 break;
1024 }
1025 // more work?
1026 btstack_crypto_run();
1027 }
1028
1029 #ifndef USE_BTSTACK_AES128
btstack_crypto_handle_encryption_result(const uint8_t * data)1030 static void btstack_crypto_handle_encryption_result(const uint8_t * data){
1031 btstack_crypto_aes128_t * btstack_crypto_aes128;
1032 btstack_crypto_aes128_cmac_t * btstack_crypto_cmac;
1033 btstack_crypto_ccm_t * btstack_crypto_ccm;
1034 uint8_t result[16];
1035
1036 btstack_crypto_t * btstack_crypto = (btstack_crypto_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations);
1037 if (!btstack_crypto) return;
1038 switch (btstack_crypto->operation){
1039 case BTSTACK_CRYPTO_AES128:
1040 btstack_crypto_aes128 = (btstack_crypto_aes128_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations);
1041 reverse_128(data, btstack_crypto_aes128->ciphertext);
1042 btstack_crypto_done(btstack_crypto);
1043 break;
1044 case BTSTACK_CRYPTO_CMAC_GENERATOR:
1045 case BTSTACK_CRYPTO_CMAC_MESSAGE:
1046 btstack_crypto_cmac = (btstack_crypto_aes128_cmac_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations);
1047 reverse_128(data, result);
1048 btstack_crypto_cmac_handle_encryption_result(btstack_crypto_cmac, result);
1049 break;
1050 case BTSTACK_CRYPTO_CCM_DIGEST_BLOCK:
1051 case BTSTACK_CRYPTO_CCM_ENCRYPT_BLOCK:
1052 case BTSTACK_CRYPTO_CCM_DECRYPT_BLOCK:
1053 btstack_crypto_ccm = (btstack_crypto_ccm_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations);
1054 switch (btstack_crypto_ccm->state){
1055 case CCM_W4_X1:
1056 reverse_128(data, btstack_crypto_ccm->x_i);
1057 btstack_crypto_ccm_handle_x1(btstack_crypto_ccm);
1058 break;
1059 case CCM_W4_XN:
1060 reverse_128(data, btstack_crypto_ccm->x_i);
1061 btstack_crypto_ccm_handle_xn(btstack_crypto_ccm);
1062 break;
1063 case CCM_W4_AAD_XN:
1064 reverse_128(data, btstack_crypto_ccm->x_i);
1065 btstack_crypto_ccm_handle_aad_xn(btstack_crypto_ccm);
1066 break;
1067 case CCM_W4_S0:
1068 btstack_crypto_ccm_handle_s0(btstack_crypto_ccm, data);
1069 break;
1070 case CCM_W4_SN:
1071 btstack_crypto_ccm_handle_sn(btstack_crypto_ccm, data);
1072 break;
1073 default:
1074 break;
1075 }
1076 break;
1077 default:
1078 break;
1079 }
1080 }
1081 #endif
1082
btstack_crypto_event_handler(uint8_t packet_type,uint16_t cid,uint8_t * packet,uint16_t size)1083 static void btstack_crypto_event_handler(uint8_t packet_type, uint16_t cid, uint8_t *packet, uint16_t size){
1084 UNUSED(cid); // ok: there is no channel
1085 UNUSED(size); // ok: fixed format events read from HCI buffer
1086
1087 #ifdef ENABLE_ECC_P256
1088 #ifndef USE_SOFTWARE_ECC_P256_IMPLEMENTATION
1089 btstack_crypto_ecc_p256_t * btstack_crypto_ec_p192;
1090 #endif
1091 #endif
1092 bool ecdh_operations_supported;
1093
1094 if (packet_type != HCI_EVENT_PACKET) return;
1095
1096 switch (hci_event_packet_get_type(packet)){
1097 case BTSTACK_EVENT_STATE:
1098 switch(btstack_event_state_get_state(packet)){
1099 case HCI_STATE_HALTING:
1100 // as stack is shutting down, reset state
1101 btstack_crypto_state_reset();
1102 break;
1103 default:
1104 break;
1105 }
1106 if (btstack_event_state_get_state(packet) != HCI_STATE_HALTING) break;
1107 break;
1108
1109 case HCI_EVENT_COMMAND_COMPLETE:
1110 switch (hci_event_command_complete_get_command_opcode(packet)){
1111 #ifndef USE_BTSTACK_AES128
1112 case HCI_OPCODE_HCI_LE_ENCRYPT:
1113 if (!btstack_crypto_wait_for_hci_result) return;
1114 btstack_crypto_wait_for_hci_result = 0;
1115 btstack_crypto_handle_encryption_result(&packet[6]);
1116 break;
1117 #endif
1118 case HCI_OPCODE_HCI_LE_RAND:
1119 if (!btstack_crypto_wait_for_hci_result) return;
1120 btstack_crypto_wait_for_hci_result = false;
1121 btstack_crypto_handle_random_data(&packet[6], 8);
1122 break;
1123 case HCI_OPCODE_HCI_READ_LOCAL_SUPPORTED_COMMANDS:
1124 ecdh_operations_supported = (packet[OFFSET_OF_DATA_IN_COMMAND_COMPLETE+1u+34u] & 0x06u) == 0x06u;
1125 UNUSED(ecdh_operations_supported);
1126 log_info("controller supports ECDH operation: %u", ecdh_operations_supported);
1127 #ifdef ENABLE_ECC_P256
1128 #ifndef USE_SOFTWARE_ECC_P256_IMPLEMENTATION
1129 // Assert controller supports ECDH operation if we don't implement them ourselves
1130 // Please add ENABLE_MICRO_ECC_FOR_LE_SECURE_CONNECTIONS to btstack_config.h and add 3rd-party/micro-ecc to your port
1131 btstack_assert(ecdh_operations_supported != 0);
1132 #endif
1133 #endif
1134 break;
1135 default:
1136 break;
1137 }
1138 break;
1139
1140 #ifdef ENABLE_ECC_P256
1141 #ifndef USE_SOFTWARE_ECC_P256_IMPLEMENTATION
1142 case HCI_EVENT_LE_META:
1143 btstack_crypto_ec_p192 = (btstack_crypto_ecc_p256_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations);
1144 if (!btstack_crypto_ec_p192) break;
1145 switch (hci_event_le_meta_get_subevent_code(packet)){
1146 case HCI_SUBEVENT_LE_READ_LOCAL_P256_PUBLIC_KEY_COMPLETE:
1147 if (btstack_crypto_ec_p192->btstack_crypto.operation != BTSTACK_CRYPTO_ECC_P256_GENERATE_KEY) break;
1148 if (!btstack_crypto_wait_for_hci_result) return;
1149 btstack_crypto_wait_for_hci_result = 0;
1150 if (hci_subevent_le_read_local_p256_public_key_complete_get_status(packet)){
1151 log_error("Read Local P256 Public Key failed");
1152 }
1153 hci_subevent_le_read_local_p256_public_key_complete_get_dhkey_x(packet, &btstack_crypto_ecc_p256_public_key[0]);
1154 hci_subevent_le_read_local_p256_public_key_complete_get_dhkey_y(packet, &btstack_crypto_ecc_p256_public_key[32]);
1155 btstack_crypto_ecc_p256_key_generation_state = ECC_P256_KEY_GENERATION_DONE;
1156 break;
1157 case HCI_SUBEVENT_LE_GENERATE_DHKEY_COMPLETE:
1158 if (btstack_crypto_ec_p192->btstack_crypto.operation != BTSTACK_CRYPTO_ECC_P256_CALCULATE_DHKEY) break;
1159 if (!btstack_crypto_wait_for_hci_result) return;
1160 btstack_crypto_wait_for_hci_result = 0;
1161 if (hci_subevent_le_generate_dhkey_complete_get_status(packet)){
1162 log_error("Generate DHKEY failed -> abort");
1163 // set DHKEY to 0xff..ff
1164 memset(btstack_crypto_ec_p192->dhkey, 0xff, 32);
1165 } else {
1166 hci_subevent_le_generate_dhkey_complete_get_dhkey(packet, btstack_crypto_ec_p192->dhkey);
1167 }
1168 // done
1169 btstack_linked_list_pop(&btstack_crypto_operations);
1170 (*btstack_crypto_ec_p192->btstack_crypto.context_callback.callback)(btstack_crypto_ec_p192->btstack_crypto.context_callback.context);
1171 break;
1172 default:
1173 break;
1174 }
1175 break;
1176 #endif
1177 #endif
1178 default:
1179 break;
1180 }
1181
1182 // try processing
1183 btstack_crypto_run();
1184 }
1185
btstack_crypto_random_generate(btstack_crypto_random_t * request,uint8_t * buffer,uint16_t size,void (* callback)(void * arg),void * callback_arg)1186 void btstack_crypto_random_generate(btstack_crypto_random_t * request, uint8_t * buffer, uint16_t size, void (* callback)(void * arg), void * callback_arg){
1187 request->btstack_crypto.context_callback.callback = callback;
1188 request->btstack_crypto.context_callback.context = callback_arg;
1189 request->btstack_crypto.operation = BTSTACK_CRYPTO_RANDOM;
1190 request->buffer = buffer;
1191 request->size = size;
1192 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request);
1193 btstack_crypto_run();
1194 }
1195
btstack_crypto_aes128_encrypt(btstack_crypto_aes128_t * request,const uint8_t * key,const uint8_t * plaintext,uint8_t * ciphertext,void (* callback)(void * arg),void * callback_arg)1196 void btstack_crypto_aes128_encrypt(btstack_crypto_aes128_t * request, const uint8_t * key, const uint8_t * plaintext, uint8_t * ciphertext, void (* callback)(void * arg), void * callback_arg){
1197 request->btstack_crypto.context_callback.callback = callback;
1198 request->btstack_crypto.context_callback.context = callback_arg;
1199 request->btstack_crypto.operation = BTSTACK_CRYPTO_AES128;
1200 request->key = key;
1201 request->plaintext = plaintext;
1202 request->ciphertext = ciphertext;
1203 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request);
1204 btstack_crypto_run();
1205 }
1206
btstack_crypto_aes128_cmac_generator(btstack_crypto_aes128_cmac_t * request,const uint8_t * key,uint16_t size,uint8_t (* get_byte_callback)(uint16_t pos),uint8_t * hash,void (* callback)(void * arg),void * callback_arg)1207 void btstack_crypto_aes128_cmac_generator(btstack_crypto_aes128_cmac_t * request, const uint8_t * key, uint16_t size, uint8_t (*get_byte_callback)(uint16_t pos), uint8_t * hash, void (* callback)(void * arg), void * callback_arg){
1208 request->btstack_crypto.context_callback.callback = callback;
1209 request->btstack_crypto.context_callback.context = callback_arg;
1210 request->btstack_crypto.operation = BTSTACK_CRYPTO_CMAC_GENERATOR;
1211 request->key = key;
1212 request->size = size;
1213 request->data.get_byte_callback = get_byte_callback;
1214 request->hash = hash;
1215 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request);
1216 btstack_crypto_run();
1217 }
1218
btstack_crypto_aes128_cmac_message(btstack_crypto_aes128_cmac_t * request,const uint8_t * key,uint16_t size,const uint8_t * message,uint8_t * hash,void (* callback)(void * arg),void * callback_arg)1219 void btstack_crypto_aes128_cmac_message(btstack_crypto_aes128_cmac_t * request, const uint8_t * key, uint16_t size, const uint8_t * message, uint8_t * hash, void (* callback)(void * arg), void * callback_arg){
1220 request->btstack_crypto.context_callback.callback = callback;
1221 request->btstack_crypto.context_callback.context = callback_arg;
1222 request->btstack_crypto.operation = BTSTACK_CRYPTO_CMAC_MESSAGE;
1223 request->key = key;
1224 request->size = size;
1225 request->data.message = message;
1226 request->hash = hash;
1227 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request);
1228 btstack_crypto_run();
1229 }
1230
btstack_crypto_aes128_cmac_zero(btstack_crypto_aes128_cmac_t * request,uint16_t size,const uint8_t * message,uint8_t * hash,void (* callback)(void * arg),void * callback_arg)1231 void btstack_crypto_aes128_cmac_zero(btstack_crypto_aes128_cmac_t * request, uint16_t size, const uint8_t * message, uint8_t * hash, void (* callback)(void * arg), void * callback_arg){
1232 request->btstack_crypto.context_callback.callback = callback;
1233 request->btstack_crypto.context_callback.context = callback_arg;
1234 request->btstack_crypto.operation = BTSTACK_CRYPTO_CMAC_MESSAGE;
1235 request->key = zero;
1236 request->size = size;
1237 request->data.message = message;
1238 request->hash = hash;
1239 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request);
1240 btstack_crypto_run();
1241 }
1242
1243 #ifdef ENABLE_ECC_P256
btstack_crypto_ecc_p256_generate_key(btstack_crypto_ecc_p256_t * request,uint8_t * public_key,void (* callback)(void * arg),void * callback_arg)1244 void btstack_crypto_ecc_p256_generate_key(btstack_crypto_ecc_p256_t * request, uint8_t * public_key, void (* callback)(void * arg), void * callback_arg){
1245 // reset key generation
1246 if (btstack_crypto_ecc_p256_key_generation_state == ECC_P256_KEY_GENERATION_DONE){
1247 btstack_crypto_ecc_p256_key_generation_state = ECC_P256_KEY_GENERATION_IDLE;
1248 }
1249 request->btstack_crypto.context_callback.callback = callback;
1250 request->btstack_crypto.context_callback.context = callback_arg;
1251 request->btstack_crypto.operation = BTSTACK_CRYPTO_ECC_P256_GENERATE_KEY;
1252 request->public_key = public_key;
1253 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request);
1254 btstack_crypto_run();
1255 }
1256
btstack_crypto_ecc_p256_calculate_dhkey(btstack_crypto_ecc_p256_t * request,const uint8_t * public_key,uint8_t * dhkey,void (* callback)(void * arg),void * callback_arg)1257 void btstack_crypto_ecc_p256_calculate_dhkey(btstack_crypto_ecc_p256_t * request, const uint8_t * public_key, uint8_t * dhkey, void (* callback)(void * arg), void * callback_arg){
1258 request->btstack_crypto.context_callback.callback = callback;
1259 request->btstack_crypto.context_callback.context = callback_arg;
1260 request->btstack_crypto.operation = BTSTACK_CRYPTO_ECC_P256_CALCULATE_DHKEY;
1261 request->public_key = (uint8_t *) public_key;
1262 request->dhkey = dhkey;
1263 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request);
1264 btstack_crypto_run();
1265 }
1266
btstack_crypto_ecc_p256_validate_public_key(const uint8_t * public_key)1267 int btstack_crypto_ecc_p256_validate_public_key(const uint8_t * public_key){
1268
1269 int err = 0;
1270
1271 #ifdef USE_MICRO_ECC_P256
1272 // validate public key using micro-ecc
1273
1274 #if uECC_SUPPORTS_secp256r1
1275 // standard version
1276 err = uECC_valid_public_key(public_key, uECC_secp256r1()) == 0;
1277 #else
1278 // static version
1279 err = uECC_valid_public_key(public_key) == 0;
1280 #endif
1281 #endif
1282
1283 #ifdef USE_MBEDTLS_ECC_P256
1284 // validate public using mbedtls_ecc
1285
1286 mbedtls_ecp_point Q;
1287 mbedtls_ecp_point_init( &Q );
1288 mbedtls_mpi_read_binary(&Q.X, &public_key[0], 32);
1289 mbedtls_mpi_read_binary(&Q.Y, &public_key[32], 32);
1290 mbedtls_mpi_lset(&Q.Z, 1);
1291 err = mbedtls_ecp_check_pubkey(&mbedtls_ec_group, &Q);
1292 mbedtls_ecp_point_free( & Q);
1293 #endif
1294
1295 if (err != 0){
1296 log_info("public key invalid %x", err);
1297 }
1298 return err;
1299 }
1300 #endif
1301
btstack_crypto_ccm_init(btstack_crypto_ccm_t * request,const uint8_t * key,const uint8_t * nonce,uint16_t message_len,uint16_t additional_authenticated_data_len,uint8_t auth_len)1302 void btstack_crypto_ccm_init(btstack_crypto_ccm_t * request, const uint8_t * key, const uint8_t * nonce, uint16_t message_len, uint16_t additional_authenticated_data_len, uint8_t auth_len){
1303 request->key = key;
1304 request->nonce = nonce;
1305 request->message_len = message_len;
1306 request->aad_len = additional_authenticated_data_len;
1307 request->aad_offset = 0;
1308 request->auth_len = auth_len;
1309 request->counter = 1;
1310 request->state = CCM_CALCULATE_X1;
1311 }
1312
btstack_crypto_ccm_digest(btstack_crypto_ccm_t * request,uint8_t * additional_authenticated_data,uint16_t additional_authenticated_data_len,void (* callback)(void * arg),void * callback_arg)1313 void btstack_crypto_ccm_digest(btstack_crypto_ccm_t * request, uint8_t * additional_authenticated_data, uint16_t additional_authenticated_data_len, void (* callback)(void * arg), void * callback_arg){
1314 // not implemented yet
1315 request->btstack_crypto.context_callback.callback = callback;
1316 request->btstack_crypto.context_callback.context = callback_arg;
1317 request->btstack_crypto.operation = BTSTACK_CRYPTO_CCM_DIGEST_BLOCK;
1318 request->block_len = additional_authenticated_data_len;
1319 request->input = additional_authenticated_data;
1320 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request);
1321 btstack_crypto_run();
1322 }
1323
btstack_crypto_ccm_get_authentication_value(btstack_crypto_ccm_t * request,uint8_t * authentication_value)1324 void btstack_crypto_ccm_get_authentication_value(btstack_crypto_ccm_t * request, uint8_t * authentication_value){
1325 (void)memcpy(authentication_value, request->x_i, request->auth_len);
1326 }
1327
btstack_crypto_ccm_encrypt_block(btstack_crypto_ccm_t * request,uint16_t len,const uint8_t * plaintext,uint8_t * ciphertext,void (* callback)(void * arg),void * callback_arg)1328 void btstack_crypto_ccm_encrypt_block(btstack_crypto_ccm_t * request, uint16_t len, const uint8_t * plaintext, uint8_t * ciphertext, void (* callback)(void * arg), void * callback_arg){
1329 #ifdef DEBUG_CCM
1330 printf("\nbtstack_crypto_ccm_encrypt_block, len %u\n", len);
1331 #endif
1332 request->btstack_crypto.context_callback.callback = callback;
1333 request->btstack_crypto.context_callback.context = callback_arg;
1334 request->btstack_crypto.operation = BTSTACK_CRYPTO_CCM_ENCRYPT_BLOCK;
1335 request->block_len = len;
1336 request->input = plaintext;
1337 request->output = ciphertext;
1338 if (request->state != CCM_CALCULATE_X1){
1339 request->state = CCM_CALCULATE_XN;
1340 }
1341 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request);
1342 btstack_crypto_run();
1343 }
1344
btstack_crypto_ccm_decrypt_block(btstack_crypto_ccm_t * request,uint16_t len,const uint8_t * ciphertext,uint8_t * plaintext,void (* callback)(void * arg),void * callback_arg)1345 void btstack_crypto_ccm_decrypt_block(btstack_crypto_ccm_t * request, uint16_t len, const uint8_t * ciphertext, uint8_t * plaintext, void (* callback)(void * arg), void * callback_arg){
1346 request->btstack_crypto.context_callback.callback = callback;
1347 request->btstack_crypto.context_callback.context = callback_arg;
1348 request->btstack_crypto.operation = BTSTACK_CRYPTO_CCM_DECRYPT_BLOCK;
1349 request->block_len = len;
1350 request->input = ciphertext;
1351 request->output = plaintext;
1352 if (request->state != CCM_CALCULATE_X1){
1353 request->state = CCM_CALCULATE_SN;
1354 }
1355 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request);
1356 btstack_crypto_run();
1357 }
1358
1359
btstack_crypto_state_reset(void)1360 static void btstack_crypto_state_reset(void) {
1361 #ifndef USE_BTSTACK_AES128
1362 btstack_crypto_cmac_state = CMAC_IDLE;
1363 #endif
1364 #ifdef ENABLE_ECC_P256
1365 btstack_crypto_ecc_p256_key_generation_state = ECC_P256_KEY_GENERATION_IDLE;
1366 #endif
1367 btstack_crypto_wait_for_hci_result = false;
1368 btstack_crypto_operations = NULL;
1369 }
1370
btstack_crypto_init(void)1371 void btstack_crypto_init(void){
1372 if (btstack_crypto_initialized) return;
1373 btstack_crypto_initialized = true;
1374
1375 // register with HCI
1376 hci_event_callback_registration.callback = &btstack_crypto_event_handler;
1377 hci_add_event_handler(&hci_event_callback_registration);
1378
1379 #ifdef USE_MBEDTLS_ECC_P256
1380 mbedtls_ecp_group_init(&mbedtls_ec_group);
1381 mbedtls_ecp_group_load(&mbedtls_ec_group, MBEDTLS_ECP_DP_SECP256R1);
1382 #endif
1383
1384 // reset state
1385 btstack_crypto_state_reset();
1386 }
1387
1388 // De-Init
btstack_crypto_deinit(void)1389 void btstack_crypto_deinit(void) {
1390 btstack_crypto_initialized = false;
1391 }
1392
1393 // PTS only
btstack_crypto_ecc_p256_set_key(const uint8_t * public_key,const uint8_t * private_key)1394 void btstack_crypto_ecc_p256_set_key(const uint8_t * public_key, const uint8_t * private_key){
1395 #ifdef USE_SOFTWARE_ECC_P256_IMPLEMENTATION
1396 (void)memcpy(btstack_crypto_ecc_p256_d, private_key, 32);
1397 (void)memcpy(btstack_crypto_ecc_p256_public_key, public_key, 64);
1398 btstack_crypto_ecc_p256_key_generation_state = ECC_P256_KEY_GENERATION_DONE;
1399 #else
1400 UNUSED(public_key);
1401 UNUSED(private_key);
1402 #endif
1403 }
1404
1405 // Unit testing
btstack_crypto_idle(void)1406 int btstack_crypto_idle(void){
1407 return btstack_linked_list_empty(&btstack_crypto_operations);
1408 }
btstack_crypto_reset(void)1409 void btstack_crypto_reset(void){
1410 btstack_crypto_deinit();
1411 btstack_crypto_init();
1412 }
1413