1 /* 2 * Copyright (C) 2014 BlueKitchen GmbH 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of the copyright holders nor the names of 14 * contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 4. Any redistribution, use, or modification is done solely for 17 * personal benefit and not for any commercial purpose or for 18 * monetary gain. 19 * 20 * THIS SOFTWARE IS PROVIDED BY BLUEKITCHEN GMBH AND CONTRIBUTORS 21 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 23 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BLUEKITCHEN 24 * GMBH OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 26 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS 27 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 28 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF 30 * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 * 33 * Please inquire about commercial licensing options at 34 * [email protected] 35 * 36 */ 37 38 #define BTSTACK_FILE__ "sm.c" 39 40 #include <string.h> 41 #include <inttypes.h> 42 43 #include "ble/le_device_db.h" 44 #include "ble/core.h" 45 #include "ble/sm.h" 46 #include "bluetooth_company_id.h" 47 #include "btstack_bool.h" 48 #include "btstack_crypto.h" 49 #include "btstack_debug.h" 50 #include "btstack_event.h" 51 #include "btstack_linked_list.h" 52 #include "btstack_memory.h" 53 #include "btstack_tlv.h" 54 #include "gap.h" 55 #include "hci.h" 56 #include "hci_dump.h" 57 #include "l2cap.h" 58 59 #if !defined(ENABLE_LE_PERIPHERAL) && !defined(ENABLE_LE_CENTRAL) 60 #error "LE Security Manager used, but neither ENABLE_LE_PERIPHERAL nor ENABLE_LE_CENTRAL defined. Please add at least one to btstack_config.h." 61 #endif 62 63 #if defined(ENABLE_CROSS_TRANSPORT_KEY_DERIVATION) && (!defined(ENABLE_CLASSIC) || !defined(ENABLE_LE_SECURE_CONNECTIONS)) 64 #error "Cross Transport Key Derivation requires support for LE Secure Connections and BR/EDR (Classic)" 65 #endif 66 67 // assert SM Public Key can be sent/received 68 #ifdef ENABLE_LE_SECURE_CONNECTIONS 69 #if HCI_ACL_PAYLOAD_SIZE < 69 70 #error "HCI_ACL_PAYLOAD_SIZE must be at least 69 bytes when using LE Secure Conection. Please increase HCI_ACL_PAYLOAD_SIZE or disable ENABLE_LE_SECURE_CONNECTIONS" 71 #endif 72 #endif 73 74 #if defined(ENABLE_LE_PERIPHERAL) && defined(ENABLE_LE_CENTRAL) 75 #define IS_RESPONDER(role) ((role) == HCI_ROLE_SLAVE) 76 #else 77 #ifdef ENABLE_LE_CENTRAL 78 // only central - never responder (avoid 'unused variable' warnings) 79 #define IS_RESPONDER(role) (0 && ((role) == HCI_ROLE_SLAVE)) 80 #else 81 // only peripheral - always responder (avoid 'unused variable' warnings) 82 #define IS_RESPONDER(role) (1 || ((role) == HCI_ROLE_SLAVE)) 83 #endif 84 #endif 85 86 #if defined(ENABLE_LE_SIGNED_WRITE) || defined(ENABLE_LE_SECURE_CONNECTIONS) 87 #define USE_CMAC_ENGINE 88 #endif 89 90 91 #define BTSTACK_TAG32(A,B,C,D) (((A) << 24) | ((B) << 16) | ((C) << 8) | (D)) 92 93 // 94 // SM internal types and globals 95 // 96 97 typedef enum { 98 DKG_W4_WORKING, 99 DKG_CALC_IRK, 100 DKG_CALC_DHK, 101 DKG_READY 102 } derived_key_generation_t; 103 104 typedef enum { 105 RAU_IDLE, 106 RAU_GET_RANDOM, 107 RAU_W4_RANDOM, 108 RAU_GET_ENC, 109 RAU_W4_ENC, 110 } random_address_update_t; 111 112 typedef enum { 113 CMAC_IDLE, 114 CMAC_CALC_SUBKEYS, 115 CMAC_W4_SUBKEYS, 116 CMAC_CALC_MI, 117 CMAC_W4_MI, 118 CMAC_CALC_MLAST, 119 CMAC_W4_MLAST 120 } cmac_state_t; 121 122 typedef enum { 123 JUST_WORKS, 124 PK_RESP_INPUT, // Initiator displays PK, responder inputs PK 125 PK_INIT_INPUT, // Responder displays PK, initiator inputs PK 126 PK_BOTH_INPUT, // Only input on both, both input PK 127 NUMERIC_COMPARISON, // Only numerical compparison (yes/no) on on both sides 128 OOB // OOB available on one (SC) or both sides (legacy) 129 } stk_generation_method_t; 130 131 typedef enum { 132 SM_USER_RESPONSE_IDLE, 133 SM_USER_RESPONSE_PENDING, 134 SM_USER_RESPONSE_CONFIRM, 135 SM_USER_RESPONSE_PASSKEY, 136 SM_USER_RESPONSE_DECLINE 137 } sm_user_response_t; 138 139 typedef enum { 140 SM_AES128_IDLE, 141 SM_AES128_ACTIVE 142 } sm_aes128_state_t; 143 144 typedef enum { 145 ADDRESS_RESOLUTION_IDLE, 146 ADDRESS_RESOLUTION_GENERAL, 147 ADDRESS_RESOLUTION_FOR_CONNECTION, 148 } address_resolution_mode_t; 149 150 typedef enum { 151 ADDRESS_RESOLUTION_SUCCEEDED, 152 ADDRESS_RESOLUTION_FAILED, 153 } address_resolution_event_t; 154 155 typedef enum { 156 EC_KEY_GENERATION_IDLE, 157 EC_KEY_GENERATION_ACTIVE, 158 EC_KEY_GENERATION_DONE, 159 } ec_key_generation_state_t; 160 161 typedef enum { 162 SM_STATE_VAR_DHKEY_NEEDED = 1 << 0, 163 SM_STATE_VAR_DHKEY_CALCULATED = 1 << 1, 164 SM_STATE_VAR_DHKEY_COMMAND_RECEIVED = 1 << 2, 165 } sm_state_var_t; 166 167 typedef enum { 168 SM_SC_OOB_IDLE, 169 SM_SC_OOB_W4_RANDOM, 170 SM_SC_OOB_W2_CALC_CONFIRM, 171 SM_SC_OOB_W4_CONFIRM, 172 } sm_sc_oob_state_t; 173 174 typedef uint8_t sm_key24_t[3]; 175 typedef uint8_t sm_key56_t[7]; 176 typedef uint8_t sm_key256_t[32]; 177 178 // 179 // GLOBAL DATA 180 // 181 182 static bool sm_initialized; 183 184 static bool test_use_fixed_local_csrk; 185 static bool test_use_fixed_local_irk; 186 187 #ifdef ENABLE_TESTING_SUPPORT 188 static uint8_t test_pairing_failure; 189 #endif 190 191 // configuration 192 static uint8_t sm_accepted_stk_generation_methods; 193 static uint8_t sm_max_encryption_key_size; 194 static uint8_t sm_min_encryption_key_size; 195 static uint8_t sm_auth_req = 0; 196 static uint8_t sm_io_capabilities = IO_CAPABILITY_NO_INPUT_NO_OUTPUT; 197 static uint32_t sm_fixed_passkey_in_display_role; 198 static bool sm_reconstruct_ltk_without_le_device_db_entry; 199 200 #ifdef ENABLE_LE_PERIPHERAL 201 static bool sm_slave_request_security; 202 #endif 203 204 #ifdef ENABLE_LE_SECURE_CONNECTIONS 205 static bool sm_sc_only_mode; 206 static uint8_t sm_sc_oob_random[16]; 207 static void (*sm_sc_oob_callback)(const uint8_t * confirm_value, const uint8_t * random_value); 208 static sm_sc_oob_state_t sm_sc_oob_state; 209 #ifdef ENABLE_LE_SECURE_CONNECTIONS_DEBUG_KEY 210 static bool sm_sc_debug_keys_enabled; 211 #endif 212 #endif 213 214 215 static bool sm_persistent_keys_random_active; 216 static const btstack_tlv_t * sm_tlv_impl; 217 static void * sm_tlv_context; 218 219 // Security Manager Master Keys, please use sm_set_er(er) and sm_set_ir(ir) with your own 128 bit random values 220 static sm_key_t sm_persistent_er; 221 static sm_key_t sm_persistent_ir; 222 223 // derived from sm_persistent_ir 224 static sm_key_t sm_persistent_dhk; 225 static sm_key_t sm_persistent_irk; 226 static derived_key_generation_t dkg_state; 227 228 // derived from sm_persistent_er 229 // .. 230 231 // random address update 232 static random_address_update_t rau_state; 233 static bd_addr_t sm_random_address; 234 235 #ifdef USE_CMAC_ENGINE 236 // CMAC Calculation: General 237 static btstack_crypto_aes128_cmac_t sm_cmac_request; 238 static void (*sm_cmac_done_callback)(uint8_t hash[8]); 239 static uint8_t sm_cmac_active; 240 static uint8_t sm_cmac_hash[16]; 241 #endif 242 243 // CMAC for ATT Signed Writes 244 #ifdef ENABLE_LE_SIGNED_WRITE 245 static uint16_t sm_cmac_signed_write_message_len; 246 static uint8_t sm_cmac_signed_write_header[3]; 247 static const uint8_t * sm_cmac_signed_write_message; 248 static uint8_t sm_cmac_signed_write_sign_counter[4]; 249 #endif 250 251 // CMAC for Secure Connection functions 252 #ifdef ENABLE_LE_SECURE_CONNECTIONS 253 static sm_connection_t * sm_cmac_connection; 254 static uint8_t sm_cmac_sc_buffer[80]; 255 #endif 256 257 // resolvable private address lookup / CSRK calculation 258 static int sm_address_resolution_test; 259 static uint8_t sm_address_resolution_addr_type; 260 static bd_addr_t sm_address_resolution_address; 261 static void * sm_address_resolution_context; 262 static address_resolution_mode_t sm_address_resolution_mode; 263 static btstack_linked_list_t sm_address_resolution_general_queue; 264 265 // aes128 crypto engine. 266 static sm_aes128_state_t sm_aes128_state; 267 268 // crypto 269 static btstack_crypto_random_t sm_crypto_random_request; 270 static btstack_crypto_aes128_t sm_crypto_aes128_request; 271 #ifdef ENABLE_LE_SECURE_CONNECTIONS 272 static btstack_crypto_ecc_p256_t sm_crypto_ecc_p256_request; 273 #endif 274 275 // temp storage for random data 276 static uint8_t sm_random_data[8]; 277 static uint8_t sm_aes128_key[16]; 278 static uint8_t sm_aes128_plaintext[16]; 279 static uint8_t sm_aes128_ciphertext[16]; 280 281 // to receive events 282 static btstack_packet_callback_registration_t hci_event_callback_registration; 283 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 284 static btstack_packet_callback_registration_t l2cap_event_callback_registration; 285 #endif 286 287 /* to dispatch sm event */ 288 static btstack_linked_list_t sm_event_handlers; 289 290 /* to schedule calls to sm_run */ 291 static btstack_timer_source_t sm_run_timer; 292 293 // LE Secure Connections 294 #ifdef ENABLE_LE_SECURE_CONNECTIONS 295 static ec_key_generation_state_t ec_key_generation_state; 296 static uint8_t ec_q[64]; 297 #endif 298 299 // 300 // Volume 3, Part H, Chapter 24 301 // "Security shall be initiated by the Security Manager in the device in the master role. 302 // The device in the slave role shall be the responding device." 303 // -> master := initiator, slave := responder 304 // 305 306 // data needed for security setup 307 typedef struct sm_setup_context { 308 309 btstack_timer_source_t sm_timeout; 310 311 // user response, (Phase 1 and/or 2) 312 uint8_t sm_user_response; 313 uint8_t sm_keypress_notification; // bitmap: passkey started, digit entered, digit erased, passkey cleared, passkey complete, 3 bit count 314 315 // defines which keys will be send after connection is encrypted - calculated during Phase 1, used Phase 3 316 uint8_t sm_key_distribution_send_set; 317 uint8_t sm_key_distribution_sent_set; 318 uint8_t sm_key_distribution_expected_set; 319 uint8_t sm_key_distribution_received_set; 320 321 // Phase 2 (Pairing over SMP) 322 stk_generation_method_t sm_stk_generation_method; 323 sm_key_t sm_tk; 324 uint8_t sm_have_oob_data; 325 bool sm_use_secure_connections; 326 327 sm_key_t sm_c1_t3_value; // c1 calculation 328 sm_pairing_packet_t sm_m_preq; // pairing request - needed only for c1 329 sm_pairing_packet_t sm_s_pres; // pairing response - needed only for c1 330 sm_key_t sm_local_random; 331 sm_key_t sm_local_confirm; 332 sm_key_t sm_peer_random; 333 sm_key_t sm_peer_confirm; 334 uint8_t sm_m_addr_type; // address and type can be removed 335 uint8_t sm_s_addr_type; // '' 336 bd_addr_t sm_m_address; // '' 337 bd_addr_t sm_s_address; // '' 338 sm_key_t sm_ltk; 339 340 uint8_t sm_state_vars; 341 #ifdef ENABLE_LE_SECURE_CONNECTIONS 342 uint8_t sm_peer_q[64]; // also stores random for EC key generation during init 343 sm_key_t sm_peer_nonce; // might be combined with sm_peer_random 344 sm_key_t sm_local_nonce; // might be combined with sm_local_random 345 uint8_t sm_dhkey[32]; 346 sm_key_t sm_peer_dhkey_check; 347 sm_key_t sm_local_dhkey_check; 348 sm_key_t sm_ra; 349 sm_key_t sm_rb; 350 sm_key_t sm_t; // used for f5 and h6 351 sm_key_t sm_mackey; 352 uint8_t sm_passkey_bit; // also stores number of generated random bytes for EC key generation 353 #endif 354 355 // Phase 3 356 357 // key distribution, we generate 358 uint16_t sm_local_y; 359 uint16_t sm_local_div; 360 uint16_t sm_local_ediv; 361 uint8_t sm_local_rand[8]; 362 sm_key_t sm_local_ltk; 363 sm_key_t sm_local_csrk; 364 sm_key_t sm_local_irk; 365 // sm_local_address/addr_type not needed 366 367 // key distribution, received from peer 368 uint16_t sm_peer_y; 369 uint16_t sm_peer_div; 370 uint16_t sm_peer_ediv; 371 uint8_t sm_peer_rand[8]; 372 sm_key_t sm_peer_ltk; 373 sm_key_t sm_peer_irk; 374 sm_key_t sm_peer_csrk; 375 uint8_t sm_peer_addr_type; 376 bd_addr_t sm_peer_address; 377 #ifdef ENABLE_LE_SIGNED_WRITE 378 int sm_le_device_index; 379 #endif 380 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 381 link_key_t sm_link_key; 382 link_key_type_t sm_link_key_type; 383 #endif 384 } sm_setup_context_t; 385 386 // 387 static sm_setup_context_t the_setup; 388 static sm_setup_context_t * setup = &the_setup; 389 390 // active connection - the one for which the_setup is used for 391 static uint16_t sm_active_connection_handle = HCI_CON_HANDLE_INVALID; 392 393 // @return 1 if oob data is available 394 // stores oob data in provided 16 byte buffer if not null 395 static int (*sm_get_oob_data)(uint8_t addres_type, bd_addr_t addr, uint8_t * oob_data) = NULL; 396 static int (*sm_get_sc_oob_data)(uint8_t addres_type, bd_addr_t addr, uint8_t * oob_sc_peer_confirm, uint8_t * oob_sc_peer_random); 397 static bool (*sm_get_ltk_callback)(hci_con_handle_t con_handle, uint8_t addres_type, bd_addr_t addr, uint8_t * ltk); 398 399 static void sm_run(void); 400 static void sm_state_reset(void); 401 static void sm_done_for_handle(hci_con_handle_t con_handle); 402 static sm_connection_t * sm_get_connection_for_handle(hci_con_handle_t con_handle); 403 static void sm_cache_ltk(sm_connection_t * connection, const sm_key_t ltk); 404 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 405 static sm_connection_t * sm_get_connection_for_bd_addr_and_type(bd_addr_t address, bd_addr_type_t addr_type); 406 #endif 407 static inline int sm_calc_actual_encryption_key_size(int other); 408 static int sm_validate_stk_generation_method(void); 409 static void sm_handle_encryption_result_address_resolution(void *arg); 410 static void sm_handle_encryption_result_dkg_dhk(void *arg); 411 static void sm_handle_encryption_result_dkg_irk(void *arg); 412 static void sm_handle_encryption_result_enc_a(void *arg); 413 static void sm_handle_encryption_result_enc_b(void *arg); 414 static void sm_handle_encryption_result_enc_c(void *arg); 415 static void sm_handle_encryption_result_enc_csrk(void *arg); 416 static void sm_handle_encryption_result_enc_d(void * arg); 417 static void sm_handle_encryption_result_enc_ph3_ltk(void *arg); 418 static void sm_handle_encryption_result_enc_ph3_y(void *arg); 419 #ifdef ENABLE_LE_PERIPHERAL 420 static void sm_handle_encryption_result_enc_ph4_ltk(void *arg); 421 static void sm_handle_encryption_result_enc_ph4_y(void *arg); 422 #endif 423 static void sm_handle_encryption_result_enc_stk(void *arg); 424 static void sm_handle_encryption_result_rau(void *arg); 425 static void sm_handle_random_result_ph2_tk(void * arg); 426 static void sm_handle_random_result_rau(void * arg); 427 #ifdef ENABLE_LE_SECURE_CONNECTIONS 428 static void sm_cmac_message_start(const sm_key_t key, uint16_t message_len, const uint8_t * message, void (*done_callback)(uint8_t * hash)); 429 static void sm_ec_generate_new_key(void); 430 static void sm_handle_random_result_sc_next_w2_cmac_for_confirmation(void * arg); 431 static void sm_handle_random_result_sc_next_send_pairing_random(void * arg); 432 static bool sm_passkey_entry(stk_generation_method_t method); 433 #endif 434 static void sm_pairing_complete(sm_connection_t * sm_conn, uint8_t status, uint8_t reason); 435 436 static void log_info_hex16(const char * name, uint16_t value){ 437 log_info("%-6s 0x%04x", name, value); 438 } 439 440 // static inline uint8_t sm_pairing_packet_get_code(sm_pairing_packet_t packet){ 441 // return packet[0]; 442 // } 443 static inline uint8_t sm_pairing_packet_get_io_capability(sm_pairing_packet_t packet){ 444 return packet[1]; 445 } 446 static inline uint8_t sm_pairing_packet_get_oob_data_flag(sm_pairing_packet_t packet){ 447 return packet[2]; 448 } 449 static inline uint8_t sm_pairing_packet_get_auth_req(sm_pairing_packet_t packet){ 450 return packet[3]; 451 } 452 static inline uint8_t sm_pairing_packet_get_max_encryption_key_size(sm_pairing_packet_t packet){ 453 return packet[4]; 454 } 455 static inline uint8_t sm_pairing_packet_get_initiator_key_distribution(sm_pairing_packet_t packet){ 456 return packet[5]; 457 } 458 static inline uint8_t sm_pairing_packet_get_responder_key_distribution(sm_pairing_packet_t packet){ 459 return packet[6]; 460 } 461 462 static inline void sm_pairing_packet_set_code(sm_pairing_packet_t packet, uint8_t code){ 463 packet[0] = code; 464 } 465 static inline void sm_pairing_packet_set_io_capability(sm_pairing_packet_t packet, uint8_t io_capability){ 466 packet[1] = io_capability; 467 } 468 static inline void sm_pairing_packet_set_oob_data_flag(sm_pairing_packet_t packet, uint8_t oob_data_flag){ 469 packet[2] = oob_data_flag; 470 } 471 static inline void sm_pairing_packet_set_auth_req(sm_pairing_packet_t packet, uint8_t auth_req){ 472 packet[3] = auth_req; 473 } 474 static inline void sm_pairing_packet_set_max_encryption_key_size(sm_pairing_packet_t packet, uint8_t max_encryption_key_size){ 475 packet[4] = max_encryption_key_size; 476 } 477 static inline void sm_pairing_packet_set_initiator_key_distribution(sm_pairing_packet_t packet, uint8_t initiator_key_distribution){ 478 packet[5] = initiator_key_distribution; 479 } 480 static inline void sm_pairing_packet_set_responder_key_distribution(sm_pairing_packet_t packet, uint8_t responder_key_distribution){ 481 packet[6] = responder_key_distribution; 482 } 483 484 static bool sm_is_null_random(uint8_t random[8]){ 485 return btstack_is_null(random, 8); 486 } 487 488 static bool sm_is_null_key(uint8_t * key){ 489 return btstack_is_null(key, 16); 490 } 491 492 #ifdef ENABLE_LE_SECURE_CONNECTIONS 493 static bool sm_is_ff(const uint8_t * buffer, uint16_t size){ 494 uint16_t i; 495 for (i=0; i < size ; i++){ 496 if (buffer[i] != 0xff) { 497 return false; 498 } 499 } 500 return true; 501 } 502 #endif 503 504 // sm_trigger_run allows to schedule callback from main run loop // reduces stack depth 505 static void sm_run_timer_handler(btstack_timer_source_t * ts){ 506 UNUSED(ts); 507 sm_run(); 508 } 509 static void sm_trigger_run(void){ 510 if (!sm_initialized) return; 511 (void)btstack_run_loop_remove_timer(&sm_run_timer); 512 btstack_run_loop_set_timer(&sm_run_timer, 0); 513 btstack_run_loop_add_timer(&sm_run_timer); 514 } 515 516 // Key utils 517 static void sm_reset_tk(void){ 518 int i; 519 for (i=0;i<16;i++){ 520 setup->sm_tk[i] = 0; 521 } 522 } 523 524 // "For example, if a 128-bit encryption key is 0x123456789ABCDEF0123456789ABCDEF0 525 // and it is reduced to 7 octets (56 bits), then the resulting key is 0x0000000000000000003456789ABCDEF0."" 526 static void sm_truncate_key(sm_key_t key, int max_encryption_size){ 527 int i; 528 for (i = max_encryption_size ; i < 16 ; i++){ 529 key[15-i] = 0; 530 } 531 } 532 533 // ER / IR checks 534 static void sm_er_ir_set_default(void){ 535 int i; 536 for (i=0;i<16;i++){ 537 sm_persistent_er[i] = 0x30 + i; 538 sm_persistent_ir[i] = 0x90 + i; 539 } 540 } 541 542 static bool sm_er_is_default(void){ 543 int i; 544 for (i=0;i<16;i++){ 545 if (sm_persistent_er[i] != (0x30+i)) return true; 546 } 547 return false; 548 } 549 550 static bool sm_ir_is_default(void){ 551 int i; 552 for (i=0;i<16;i++){ 553 if (sm_persistent_ir[i] != (0x90+i)) return true; 554 } 555 return false; 556 } 557 558 static void sm_dispatch_event(uint8_t packet_type, uint16_t channel, uint8_t * packet, uint16_t size){ 559 UNUSED(channel); 560 561 // log event 562 hci_dump_packet(packet_type, 1, packet, size); 563 // dispatch to all event handlers 564 btstack_linked_list_iterator_t it; 565 btstack_linked_list_iterator_init(&it, &sm_event_handlers); 566 while (btstack_linked_list_iterator_has_next(&it)){ 567 btstack_packet_callback_registration_t * entry = (btstack_packet_callback_registration_t*) btstack_linked_list_iterator_next(&it); 568 entry->callback(packet_type, 0, packet, size); 569 } 570 } 571 572 static void sm_setup_event_base(uint8_t * event, int event_size, uint8_t type, hci_con_handle_t con_handle, uint8_t addr_type, bd_addr_t address){ 573 event[0] = type; 574 event[1] = event_size - 2; 575 little_endian_store_16(event, 2, con_handle); 576 event[4] = addr_type; 577 reverse_bd_addr(address, &event[5]); 578 } 579 580 static void sm_notify_client_base(uint8_t type, hci_con_handle_t con_handle, uint8_t addr_type, bd_addr_t address){ 581 uint8_t event[11]; 582 sm_setup_event_base(event, sizeof(event), type, con_handle, addr_type, address); 583 sm_dispatch_event(HCI_EVENT_PACKET, 0, event, sizeof(event)); 584 } 585 586 static void sm_notify_client_index(uint8_t type, hci_con_handle_t con_handle, uint8_t addr_type, bd_addr_t address, uint16_t index){ 587 // fetch addr and addr type from db, only called for valid entries 588 bd_addr_t identity_address; 589 int identity_address_type; 590 le_device_db_info(index, &identity_address_type, identity_address, NULL); 591 592 uint8_t event[20]; 593 sm_setup_event_base(event, sizeof(event), type, con_handle, addr_type, address); 594 event[11] = identity_address_type; 595 reverse_bd_addr(identity_address, &event[12]); 596 little_endian_store_16(event, 18, index); 597 sm_dispatch_event(HCI_EVENT_PACKET, 0, event, sizeof(event)); 598 } 599 600 static void sm_notify_client_status(uint8_t type, hci_con_handle_t con_handle, uint8_t addr_type, bd_addr_t address, uint8_t status){ 601 uint8_t event[12]; 602 sm_setup_event_base(event, sizeof(event), type, con_handle, addr_type, address); 603 event[11] = status; 604 sm_dispatch_event(HCI_EVENT_PACKET, 0, (uint8_t*) &event, sizeof(event)); 605 } 606 607 608 static void sm_reencryption_started(sm_connection_t * sm_conn){ 609 610 if (sm_conn->sm_reencryption_active) return; 611 612 sm_conn->sm_reencryption_active = true; 613 614 int identity_addr_type; 615 bd_addr_t identity_addr; 616 if (sm_conn->sm_le_db_index >= 0){ 617 // fetch addr and addr type from db, only called for valid entries 618 le_device_db_info(sm_conn->sm_le_db_index, &identity_addr_type, identity_addr, NULL); 619 } else { 620 // for legacy pairing with LTK re-construction, use current peer addr 621 identity_addr_type = sm_conn->sm_peer_addr_type; 622 // cppcheck-suppress uninitvar ; identity_addr is reported as uninitialized although it's the destination of the memcpy 623 memcpy(identity_addr, sm_conn->sm_peer_address, 6); 624 } 625 626 sm_notify_client_base(SM_EVENT_REENCRYPTION_STARTED, sm_conn->sm_handle, identity_addr_type, identity_addr); 627 } 628 629 static void sm_reencryption_complete(sm_connection_t * sm_conn, uint8_t status){ 630 631 if (!sm_conn->sm_reencryption_active) return; 632 633 sm_conn->sm_reencryption_active = false; 634 635 int identity_addr_type; 636 bd_addr_t identity_addr; 637 if (sm_conn->sm_le_db_index >= 0){ 638 // fetch addr and addr type from db, only called for valid entries 639 le_device_db_info(sm_conn->sm_le_db_index, &identity_addr_type, identity_addr, NULL); 640 } else { 641 // for legacy pairing with LTK re-construction, use current peer addr 642 identity_addr_type = sm_conn->sm_peer_addr_type; 643 // cppcheck-suppress uninitvar ; identity_addr is reported as uninitialized although it's the destination of the memcpy 644 memcpy(identity_addr, sm_conn->sm_peer_address, 6); 645 } 646 647 sm_notify_client_status(SM_EVENT_REENCRYPTION_COMPLETE, sm_conn->sm_handle, identity_addr_type, identity_addr, status); 648 } 649 650 static void sm_pairing_started(sm_connection_t * sm_conn){ 651 652 if (sm_conn->sm_pairing_active) return; 653 654 sm_conn->sm_pairing_active = true; 655 656 uint8_t event[11]; 657 sm_setup_event_base(event, sizeof(event), SM_EVENT_PAIRING_STARTED, sm_conn->sm_handle, setup->sm_peer_addr_type, setup->sm_peer_address); 658 sm_dispatch_event(HCI_EVENT_PACKET, 0, (uint8_t*) &event, sizeof(event)); 659 } 660 661 static void sm_pairing_complete(sm_connection_t * sm_conn, uint8_t status, uint8_t reason){ 662 663 if (!sm_conn->sm_pairing_active) return; 664 665 sm_conn->sm_pairing_active = false; 666 667 uint8_t event[13]; 668 sm_setup_event_base(event, sizeof(event), SM_EVENT_PAIRING_COMPLETE, sm_conn->sm_handle, setup->sm_peer_addr_type, setup->sm_peer_address); 669 event[11] = status; 670 event[12] = reason; 671 sm_dispatch_event(HCI_EVENT_PACKET, 0, (uint8_t*) &event, sizeof(event)); 672 } 673 674 // SMP Timeout implementation 675 676 // Upon transmission of the Pairing Request command or reception of the Pairing Request command, 677 // the Security Manager Timer shall be reset and started. 678 // 679 // The Security Manager Timer shall be reset when an L2CAP SMP command is queued for transmission. 680 // 681 // If the Security Manager Timer reaches 30 seconds, the procedure shall be considered to have failed, 682 // and the local higher layer shall be notified. No further SMP commands shall be sent over the L2CAP 683 // Security Manager Channel. A new SM procedure shall only be performed when a new physical link has been 684 // established. 685 686 static void sm_timeout_handler(btstack_timer_source_t * timer){ 687 log_info("SM timeout"); 688 sm_connection_t * sm_conn = (sm_connection_t*) btstack_run_loop_get_timer_context(timer); 689 sm_conn->sm_engine_state = SM_GENERAL_TIMEOUT; 690 sm_reencryption_complete(sm_conn, ERROR_CODE_CONNECTION_TIMEOUT); 691 sm_pairing_complete(sm_conn, ERROR_CODE_CONNECTION_TIMEOUT, 0); 692 sm_done_for_handle(sm_conn->sm_handle); 693 694 // trigger handling of next ready connection 695 sm_run(); 696 } 697 static void sm_timeout_start(sm_connection_t * sm_conn){ 698 btstack_run_loop_remove_timer(&setup->sm_timeout); 699 btstack_run_loop_set_timer_context(&setup->sm_timeout, sm_conn); 700 btstack_run_loop_set_timer_handler(&setup->sm_timeout, sm_timeout_handler); 701 btstack_run_loop_set_timer(&setup->sm_timeout, 30000); // 30 seconds sm timeout 702 btstack_run_loop_add_timer(&setup->sm_timeout); 703 } 704 static void sm_timeout_stop(void){ 705 btstack_run_loop_remove_timer(&setup->sm_timeout); 706 } 707 static void sm_timeout_reset(sm_connection_t * sm_conn){ 708 sm_timeout_stop(); 709 sm_timeout_start(sm_conn); 710 } 711 712 // end of sm timeout 713 714 // GAP Random Address updates 715 static gap_random_address_type_t gap_random_adress_type; 716 static btstack_timer_source_t gap_random_address_update_timer; 717 static uint32_t gap_random_adress_update_period; 718 719 static void gap_random_address_trigger(void){ 720 log_info("gap_random_address_trigger, state %u", rau_state); 721 if (rau_state != RAU_IDLE) return; 722 rau_state = RAU_GET_RANDOM; 723 sm_trigger_run(); 724 } 725 726 static void gap_random_address_update_handler(btstack_timer_source_t * timer){ 727 UNUSED(timer); 728 729 log_info("GAP Random Address Update due"); 730 btstack_run_loop_set_timer(&gap_random_address_update_timer, gap_random_adress_update_period); 731 btstack_run_loop_add_timer(&gap_random_address_update_timer); 732 gap_random_address_trigger(); 733 } 734 735 static void gap_random_address_update_start(void){ 736 btstack_run_loop_set_timer_handler(&gap_random_address_update_timer, gap_random_address_update_handler); 737 btstack_run_loop_set_timer(&gap_random_address_update_timer, gap_random_adress_update_period); 738 btstack_run_loop_add_timer(&gap_random_address_update_timer); 739 } 740 741 static void gap_random_address_update_stop(void){ 742 btstack_run_loop_remove_timer(&gap_random_address_update_timer); 743 } 744 745 // ah(k,r) helper 746 // r = padding || r 747 // r - 24 bit value 748 static void sm_ah_r_prime(uint8_t r[3], uint8_t * r_prime){ 749 // r'= padding || r 750 memset(r_prime, 0, 16); 751 (void)memcpy(&r_prime[13], r, 3); 752 } 753 754 // d1 helper 755 // d' = padding || r || d 756 // d,r - 16 bit values 757 static void sm_d1_d_prime(uint16_t d, uint16_t r, uint8_t * d1_prime){ 758 // d'= padding || r || d 759 memset(d1_prime, 0, 16); 760 big_endian_store_16(d1_prime, 12, r); 761 big_endian_store_16(d1_prime, 14, d); 762 } 763 764 // calculate arguments for first AES128 operation in C1 function 765 static void sm_c1_t1(sm_key_t r, uint8_t preq[7], uint8_t pres[7], uint8_t iat, uint8_t rat, uint8_t * t1){ 766 767 // p1 = pres || preq || rat’ || iat’ 768 // "The octet of iat’ becomes the least significant octet of p1 and the most signifi- 769 // cant octet of pres becomes the most significant octet of p1. 770 // For example, if the 8-bit iat’ is 0x01, the 8-bit rat’ is 0x00, the 56-bit preq 771 // is 0x07071000000101 and the 56 bit pres is 0x05000800000302 then 772 // p1 is 0x05000800000302070710000001010001." 773 774 sm_key_t p1; 775 reverse_56(pres, &p1[0]); 776 reverse_56(preq, &p1[7]); 777 p1[14] = rat; 778 p1[15] = iat; 779 log_info_key("p1", p1); 780 log_info_key("r", r); 781 782 // t1 = r xor p1 783 int i; 784 for (i=0;i<16;i++){ 785 t1[i] = r[i] ^ p1[i]; 786 } 787 log_info_key("t1", t1); 788 } 789 790 // calculate arguments for second AES128 operation in C1 function 791 static void sm_c1_t3(sm_key_t t2, bd_addr_t ia, bd_addr_t ra, uint8_t * t3){ 792 // p2 = padding || ia || ra 793 // "The least significant octet of ra becomes the least significant octet of p2 and 794 // the most significant octet of padding becomes the most significant octet of p2. 795 // For example, if 48-bit ia is 0xA1A2A3A4A5A6 and the 48-bit ra is 796 // 0xB1B2B3B4B5B6 then p2 is 0x00000000A1A2A3A4A5A6B1B2B3B4B5B6. 797 798 sm_key_t p2; 799 // cppcheck-suppress uninitvar ; p2 is reported as uninitialized 800 memset(p2, 0, 16); 801 (void)memcpy(&p2[4], ia, 6); 802 (void)memcpy(&p2[10], ra, 6); 803 log_info_key("p2", p2); 804 805 // c1 = e(k, t2_xor_p2) 806 int i; 807 for (i=0;i<16;i++){ 808 t3[i] = t2[i] ^ p2[i]; 809 } 810 log_info_key("t3", t3); 811 } 812 813 static void sm_s1_r_prime(sm_key_t r1, sm_key_t r2, uint8_t * r_prime){ 814 log_info_key("r1", r1); 815 log_info_key("r2", r2); 816 (void)memcpy(&r_prime[8], &r2[8], 8); 817 (void)memcpy(&r_prime[0], &r1[8], 8); 818 } 819 820 821 // decide on stk generation based on 822 // - pairing request 823 // - io capabilities 824 // - OOB data availability 825 static void sm_setup_tk(void){ 826 827 // horizontal: initiator capabilities 828 // vertial: responder capabilities 829 static const stk_generation_method_t stk_generation_method [5] [5] = { 830 { JUST_WORKS, JUST_WORKS, PK_INIT_INPUT, JUST_WORKS, PK_INIT_INPUT }, 831 { JUST_WORKS, JUST_WORKS, PK_INIT_INPUT, JUST_WORKS, PK_INIT_INPUT }, 832 { PK_RESP_INPUT, PK_RESP_INPUT, PK_BOTH_INPUT, JUST_WORKS, PK_RESP_INPUT }, 833 { JUST_WORKS, JUST_WORKS, JUST_WORKS, JUST_WORKS, JUST_WORKS }, 834 { PK_RESP_INPUT, PK_RESP_INPUT, PK_INIT_INPUT, JUST_WORKS, PK_RESP_INPUT }, 835 }; 836 837 // uses numeric comparison if one side has DisplayYesNo and KeyboardDisplay combinations 838 #ifdef ENABLE_LE_SECURE_CONNECTIONS 839 static const stk_generation_method_t stk_generation_method_with_secure_connection[5][5] = { 840 { JUST_WORKS, JUST_WORKS, PK_INIT_INPUT, JUST_WORKS, PK_INIT_INPUT }, 841 { JUST_WORKS, NUMERIC_COMPARISON, PK_INIT_INPUT, JUST_WORKS, NUMERIC_COMPARISON }, 842 { PK_RESP_INPUT, PK_RESP_INPUT, PK_BOTH_INPUT, JUST_WORKS, PK_RESP_INPUT }, 843 { JUST_WORKS, JUST_WORKS, JUST_WORKS, JUST_WORKS, JUST_WORKS }, 844 { PK_RESP_INPUT, NUMERIC_COMPARISON, PK_INIT_INPUT, JUST_WORKS, NUMERIC_COMPARISON }, 845 }; 846 #endif 847 848 // default: just works 849 setup->sm_stk_generation_method = JUST_WORKS; 850 851 #ifdef ENABLE_LE_SECURE_CONNECTIONS 852 setup->sm_use_secure_connections = ( sm_pairing_packet_get_auth_req(setup->sm_m_preq) 853 & sm_pairing_packet_get_auth_req(setup->sm_s_pres) 854 & SM_AUTHREQ_SECURE_CONNECTION ) != 0u; 855 #else 856 setup->sm_use_secure_connections = false; 857 #endif 858 log_info("Secure pairing: %u", setup->sm_use_secure_connections); 859 860 861 // decide if OOB will be used based on SC vs. Legacy and oob flags 862 bool use_oob; 863 if (setup->sm_use_secure_connections){ 864 // In LE Secure Connections pairing, the out of band method is used if at least 865 // one device has the peer device's out of band authentication data available. 866 use_oob = (sm_pairing_packet_get_oob_data_flag(setup->sm_m_preq) | sm_pairing_packet_get_oob_data_flag(setup->sm_s_pres)) != 0; 867 } else { 868 // In LE legacy pairing, the out of band method is used if both the devices have 869 // the other device's out of band authentication data available. 870 use_oob = (sm_pairing_packet_get_oob_data_flag(setup->sm_m_preq) & sm_pairing_packet_get_oob_data_flag(setup->sm_s_pres)) != 0; 871 } 872 if (use_oob){ 873 log_info("SM: have OOB data"); 874 log_info_key("OOB", setup->sm_tk); 875 setup->sm_stk_generation_method = OOB; 876 return; 877 } 878 879 // If both devices have not set the MITM option in the Authentication Requirements 880 // Flags, then the IO capabilities shall be ignored and the Just Works association 881 // model shall be used. 882 if (((sm_pairing_packet_get_auth_req(setup->sm_m_preq) & SM_AUTHREQ_MITM_PROTECTION) == 0u) 883 && ((sm_pairing_packet_get_auth_req(setup->sm_s_pres) & SM_AUTHREQ_MITM_PROTECTION) == 0u)){ 884 log_info("SM: MITM not required by both -> JUST WORKS"); 885 return; 886 } 887 888 // Reset TK as it has been setup in sm_init_setup 889 sm_reset_tk(); 890 891 // Also use just works if unknown io capabilites 892 if ((sm_pairing_packet_get_io_capability(setup->sm_m_preq) > IO_CAPABILITY_KEYBOARD_DISPLAY) || (sm_pairing_packet_get_io_capability(setup->sm_s_pres) > IO_CAPABILITY_KEYBOARD_DISPLAY)){ 893 return; 894 } 895 896 // Otherwise the IO capabilities of the devices shall be used to determine the 897 // pairing method as defined in Table 2.4. 898 // see http://stackoverflow.com/a/1052837/393697 for how to specify pointer to 2-dimensional array 899 const stk_generation_method_t (*generation_method)[5] = stk_generation_method; 900 901 #ifdef ENABLE_LE_SECURE_CONNECTIONS 902 // table not define by default 903 if (setup->sm_use_secure_connections){ 904 generation_method = stk_generation_method_with_secure_connection; 905 } 906 #endif 907 setup->sm_stk_generation_method = generation_method[sm_pairing_packet_get_io_capability(setup->sm_s_pres)][sm_pairing_packet_get_io_capability(setup->sm_m_preq)]; 908 909 log_info("sm_setup_tk: master io cap: %u, slave io cap: %u -> method %u", 910 sm_pairing_packet_get_io_capability(setup->sm_m_preq), sm_pairing_packet_get_io_capability(setup->sm_s_pres), setup->sm_stk_generation_method); 911 } 912 913 static int sm_key_distribution_flags_for_set(uint8_t key_set){ 914 int flags = 0; 915 if ((key_set & SM_KEYDIST_ENC_KEY) != 0u){ 916 flags |= SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION; 917 flags |= SM_KEYDIST_FLAG_MASTER_IDENTIFICATION; 918 } 919 if ((key_set & SM_KEYDIST_ID_KEY) != 0u){ 920 flags |= SM_KEYDIST_FLAG_IDENTITY_INFORMATION; 921 flags |= SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION; 922 } 923 if ((key_set & SM_KEYDIST_SIGN) != 0u){ 924 flags |= SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION; 925 } 926 return flags; 927 } 928 929 static void sm_setup_key_distribution(uint8_t keys_to_send, uint8_t keys_to_receive){ 930 setup->sm_key_distribution_received_set = 0; 931 setup->sm_key_distribution_expected_set = sm_key_distribution_flags_for_set(keys_to_receive); 932 setup->sm_key_distribution_send_set = sm_key_distribution_flags_for_set(keys_to_send); 933 setup->sm_key_distribution_sent_set = 0; 934 #ifdef ENABLE_LE_SIGNED_WRITE 935 setup->sm_le_device_index = -1; 936 #endif 937 } 938 939 // CSRK Key Lookup 940 941 942 static bool sm_address_resolution_idle(void){ 943 return sm_address_resolution_mode == ADDRESS_RESOLUTION_IDLE; 944 } 945 946 static void sm_address_resolution_start_lookup(uint8_t addr_type, hci_con_handle_t con_handle, bd_addr_t addr, address_resolution_mode_t mode, void * context){ 947 (void)memcpy(sm_address_resolution_address, addr, 6); 948 sm_address_resolution_addr_type = addr_type; 949 sm_address_resolution_test = 0; 950 sm_address_resolution_mode = mode; 951 sm_address_resolution_context = context; 952 sm_notify_client_base(SM_EVENT_IDENTITY_RESOLVING_STARTED, con_handle, addr_type, addr); 953 } 954 955 int sm_address_resolution_lookup(uint8_t address_type, bd_addr_t address){ 956 // check if already in list 957 btstack_linked_list_iterator_t it; 958 sm_lookup_entry_t * entry; 959 btstack_linked_list_iterator_init(&it, &sm_address_resolution_general_queue); 960 while(btstack_linked_list_iterator_has_next(&it)){ 961 entry = (sm_lookup_entry_t *) btstack_linked_list_iterator_next(&it); 962 if (entry->address_type != address_type) continue; 963 if (memcmp(entry->address, address, 6) != 0) continue; 964 // already in list 965 return BTSTACK_BUSY; 966 } 967 entry = btstack_memory_sm_lookup_entry_get(); 968 if (!entry) return BTSTACK_MEMORY_ALLOC_FAILED; 969 entry->address_type = (bd_addr_type_t) address_type; 970 (void)memcpy(entry->address, address, 6); 971 btstack_linked_list_add(&sm_address_resolution_general_queue, (btstack_linked_item_t *) entry); 972 sm_trigger_run(); 973 return 0; 974 } 975 976 // CMAC calculation using AES Engineq 977 #ifdef USE_CMAC_ENGINE 978 979 static void sm_cmac_done_trampoline(void * arg){ 980 UNUSED(arg); 981 sm_cmac_active = 0; 982 (*sm_cmac_done_callback)(sm_cmac_hash); 983 sm_trigger_run(); 984 } 985 986 int sm_cmac_ready(void){ 987 return sm_cmac_active == 0u; 988 } 989 #endif 990 991 #ifdef ENABLE_LE_SECURE_CONNECTIONS 992 // generic cmac calculation 993 static void sm_cmac_message_start(const sm_key_t key, uint16_t message_len, const uint8_t * message, void (*done_callback)(uint8_t * hash)){ 994 sm_cmac_active = 1; 995 sm_cmac_done_callback = done_callback; 996 btstack_crypto_aes128_cmac_message(&sm_cmac_request, key, message_len, message, sm_cmac_hash, sm_cmac_done_trampoline, NULL); 997 } 998 #endif 999 1000 // cmac for ATT Message signing 1001 #ifdef ENABLE_LE_SIGNED_WRITE 1002 1003 static void sm_cmac_generator_start(const sm_key_t key, uint16_t message_len, uint8_t (*get_byte_callback)(uint16_t offset), void (*done_callback)(uint8_t * hash)){ 1004 sm_cmac_active = 1; 1005 sm_cmac_done_callback = done_callback; 1006 btstack_crypto_aes128_cmac_generator(&sm_cmac_request, key, message_len, get_byte_callback, sm_cmac_hash, sm_cmac_done_trampoline, NULL); 1007 } 1008 1009 static uint8_t sm_cmac_signed_write_message_get_byte(uint16_t offset){ 1010 if (offset >= sm_cmac_signed_write_message_len) { 1011 log_error("sm_cmac_signed_write_message_get_byte. out of bounds, access %u, len %u", offset, sm_cmac_signed_write_message_len); 1012 return 0; 1013 } 1014 1015 offset = sm_cmac_signed_write_message_len - 1 - offset; 1016 1017 // sm_cmac_signed_write_header[3] | message[] | sm_cmac_signed_write_sign_counter[4] 1018 if (offset < 3){ 1019 return sm_cmac_signed_write_header[offset]; 1020 } 1021 int actual_message_len_incl_header = sm_cmac_signed_write_message_len - 4; 1022 if (offset < actual_message_len_incl_header){ 1023 return sm_cmac_signed_write_message[offset - 3]; 1024 } 1025 return sm_cmac_signed_write_sign_counter[offset - actual_message_len_incl_header]; 1026 } 1027 1028 void sm_cmac_signed_write_start(const sm_key_t k, uint8_t opcode, hci_con_handle_t con_handle, uint16_t message_len, const uint8_t * message, uint32_t sign_counter, void (*done_handler)(uint8_t * hash)){ 1029 // ATT Message Signing 1030 sm_cmac_signed_write_header[0] = opcode; 1031 little_endian_store_16(sm_cmac_signed_write_header, 1, con_handle); 1032 little_endian_store_32(sm_cmac_signed_write_sign_counter, 0, sign_counter); 1033 uint16_t total_message_len = 3 + message_len + 4; // incl. virtually prepended att opcode, handle and appended sign_counter in LE 1034 sm_cmac_signed_write_message = message; 1035 sm_cmac_signed_write_message_len = total_message_len; 1036 sm_cmac_generator_start(k, total_message_len, &sm_cmac_signed_write_message_get_byte, done_handler); 1037 } 1038 #endif 1039 1040 static void sm_trigger_user_response_basic(sm_connection_t * sm_conn, uint8_t event_type){ 1041 setup->sm_user_response = SM_USER_RESPONSE_PENDING; 1042 uint8_t event[12]; 1043 sm_setup_event_base(event, sizeof(event), event_type, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address); 1044 event[11] = setup->sm_use_secure_connections ? 1 : 0; 1045 sm_dispatch_event(HCI_EVENT_PACKET, 0, event, sizeof(event)); 1046 } 1047 1048 static void sm_trigger_user_response_passkey(sm_connection_t * sm_conn, uint8_t event_type){ 1049 uint8_t event[16]; 1050 uint32_t passkey = big_endian_read_32(setup->sm_tk, 12); 1051 sm_setup_event_base(event, sizeof(event), event_type, sm_conn->sm_handle, 1052 sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address); 1053 event[11] = setup->sm_use_secure_connections ? 1 : 0; 1054 little_endian_store_32(event, 12, passkey); 1055 sm_dispatch_event(HCI_EVENT_PACKET, 0, event, sizeof(event)); 1056 } 1057 1058 static void sm_trigger_user_response(sm_connection_t * sm_conn){ 1059 // notify client for: JUST WORKS confirm, Numeric comparison confirm, PASSKEY display or input 1060 setup->sm_user_response = SM_USER_RESPONSE_IDLE; 1061 sm_conn->sm_pairing_active = true; 1062 switch (setup->sm_stk_generation_method){ 1063 case PK_RESP_INPUT: 1064 if (IS_RESPONDER(sm_conn->sm_role)){ 1065 sm_trigger_user_response_basic(sm_conn, SM_EVENT_PASSKEY_INPUT_NUMBER); 1066 } else { 1067 sm_trigger_user_response_passkey(sm_conn, SM_EVENT_PASSKEY_DISPLAY_NUMBER); 1068 } 1069 break; 1070 case PK_INIT_INPUT: 1071 if (IS_RESPONDER(sm_conn->sm_role)){ 1072 sm_trigger_user_response_passkey(sm_conn, SM_EVENT_PASSKEY_DISPLAY_NUMBER); 1073 } else { 1074 sm_trigger_user_response_basic(sm_conn, SM_EVENT_PASSKEY_INPUT_NUMBER); 1075 } 1076 break; 1077 case PK_BOTH_INPUT: 1078 sm_trigger_user_response_basic(sm_conn, SM_EVENT_PASSKEY_INPUT_NUMBER); 1079 break; 1080 case NUMERIC_COMPARISON: 1081 sm_trigger_user_response_passkey(sm_conn, SM_EVENT_NUMERIC_COMPARISON_REQUEST); 1082 break; 1083 case JUST_WORKS: 1084 sm_trigger_user_response_basic(sm_conn, SM_EVENT_JUST_WORKS_REQUEST); 1085 break; 1086 case OOB: 1087 // client already provided OOB data, let's skip notification. 1088 break; 1089 default: 1090 btstack_assert(false); 1091 break; 1092 } 1093 } 1094 1095 static bool sm_key_distribution_all_received(void) { 1096 log_debug("sm_key_distribution_all_received: received 0x%02x, expecting 0x%02x", setup->sm_key_distribution_received_set, setup->sm_key_distribution_expected_set); 1097 return (setup->sm_key_distribution_expected_set & setup->sm_key_distribution_received_set) == setup->sm_key_distribution_expected_set; 1098 } 1099 1100 static void sm_done_for_handle(hci_con_handle_t con_handle){ 1101 if (sm_active_connection_handle == con_handle){ 1102 sm_timeout_stop(); 1103 sm_active_connection_handle = HCI_CON_HANDLE_INVALID; 1104 log_info("sm: connection 0x%x released setup context", con_handle); 1105 1106 #ifdef ENABLE_LE_SECURE_CONNECTIONS 1107 // generate new ec key after each pairing (that used it) 1108 if (setup->sm_use_secure_connections){ 1109 sm_ec_generate_new_key(); 1110 } 1111 #endif 1112 } 1113 } 1114 1115 static void sm_master_pairing_success(sm_connection_t *connection) {// master -> all done 1116 connection->sm_engine_state = SM_INITIATOR_CONNECTED; 1117 sm_pairing_complete(connection, ERROR_CODE_SUCCESS, 0); 1118 sm_done_for_handle(connection->sm_handle); 1119 } 1120 1121 static int sm_key_distribution_flags_for_auth_req(void){ 1122 1123 int flags = SM_KEYDIST_ID_KEY; 1124 if ((sm_auth_req & SM_AUTHREQ_BONDING) != 0u){ 1125 // encryption and signing information only if bonding requested 1126 flags |= SM_KEYDIST_ENC_KEY; 1127 #ifdef ENABLE_LE_SIGNED_WRITE 1128 flags |= SM_KEYDIST_SIGN; 1129 #endif 1130 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 1131 // LinkKey for CTKD requires SC and BR/EDR Support 1132 if (hci_classic_supported() && ((sm_auth_req & SM_AUTHREQ_SECURE_CONNECTION) != 0)){ 1133 flags |= SM_KEYDIST_LINK_KEY; 1134 } 1135 #endif 1136 } 1137 return flags; 1138 } 1139 1140 static void sm_reset_setup(void){ 1141 // fill in sm setup 1142 setup->sm_state_vars = 0; 1143 setup->sm_keypress_notification = 0; 1144 setup->sm_have_oob_data = 0; 1145 sm_reset_tk(); 1146 } 1147 1148 static void sm_init_setup(sm_connection_t * sm_conn){ 1149 // fill in sm setup 1150 setup->sm_peer_addr_type = sm_conn->sm_peer_addr_type; 1151 (void)memcpy(setup->sm_peer_address, sm_conn->sm_peer_address, 6); 1152 1153 // query client for Legacy Pairing OOB data 1154 if (sm_get_oob_data != NULL) { 1155 setup->sm_have_oob_data = (*sm_get_oob_data)(sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address, setup->sm_tk); 1156 } 1157 1158 // if available and SC supported, also ask for SC OOB Data 1159 #ifdef ENABLE_LE_SECURE_CONNECTIONS 1160 memset(setup->sm_ra, 0, 16); 1161 memset(setup->sm_rb, 0, 16); 1162 if (setup->sm_have_oob_data && (sm_auth_req & SM_AUTHREQ_SECURE_CONNECTION)){ 1163 if (sm_get_sc_oob_data != NULL){ 1164 if (IS_RESPONDER(sm_conn->sm_role)){ 1165 setup->sm_have_oob_data = (*sm_get_sc_oob_data)( 1166 sm_conn->sm_peer_addr_type, 1167 sm_conn->sm_peer_address, 1168 setup->sm_peer_confirm, 1169 setup->sm_ra); 1170 } else { 1171 setup->sm_have_oob_data = (*sm_get_sc_oob_data)( 1172 sm_conn->sm_peer_addr_type, 1173 sm_conn->sm_peer_address, 1174 setup->sm_peer_confirm, 1175 setup->sm_rb); 1176 } 1177 } else { 1178 setup->sm_have_oob_data = 0; 1179 } 1180 } 1181 #endif 1182 1183 sm_pairing_packet_t * local_packet; 1184 if (IS_RESPONDER(sm_conn->sm_role)){ 1185 // slave 1186 local_packet = &setup->sm_s_pres; 1187 setup->sm_m_addr_type = sm_conn->sm_peer_addr_type; 1188 setup->sm_s_addr_type = sm_conn->sm_own_addr_type; 1189 (void)memcpy(setup->sm_m_address, sm_conn->sm_peer_address, 6); 1190 (void)memcpy(setup->sm_s_address, sm_conn->sm_own_address, 6); 1191 } else { 1192 // master 1193 local_packet = &setup->sm_m_preq; 1194 setup->sm_s_addr_type = sm_conn->sm_peer_addr_type; 1195 setup->sm_m_addr_type = sm_conn->sm_own_addr_type; 1196 (void)memcpy(setup->sm_s_address, sm_conn->sm_peer_address, 6); 1197 (void)memcpy(setup->sm_m_address, sm_conn->sm_own_address, 6); 1198 1199 uint8_t key_distribution_flags = sm_key_distribution_flags_for_auth_req(); 1200 sm_pairing_packet_set_initiator_key_distribution(setup->sm_m_preq, key_distribution_flags); 1201 sm_pairing_packet_set_responder_key_distribution(setup->sm_m_preq, key_distribution_flags); 1202 } 1203 1204 log_info("our address %s type %u", bd_addr_to_str(sm_conn->sm_own_address), sm_conn->sm_own_addr_type); 1205 log_info("peer address %s type %u", bd_addr_to_str(sm_conn->sm_peer_address), sm_conn->sm_peer_addr_type); 1206 1207 uint8_t auth_req = sm_auth_req & ~SM_AUTHREQ_CT2; 1208 uint8_t max_encryption_key_size = sm_max_encryption_key_size; 1209 #ifdef ENABLE_LE_SECURE_CONNECTIONS 1210 // enable SC for SC only mode 1211 if (sm_sc_only_mode){ 1212 auth_req |= SM_AUTHREQ_SECURE_CONNECTION; 1213 max_encryption_key_size = 16; 1214 } 1215 #endif 1216 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 1217 // set CT2 if SC + Bonding + CTKD 1218 const uint8_t auth_req_for_ct2 = SM_AUTHREQ_SECURE_CONNECTION | SM_AUTHREQ_BONDING; 1219 if ((auth_req & auth_req_for_ct2) == auth_req_for_ct2){ 1220 auth_req |= SM_AUTHREQ_CT2; 1221 } 1222 #endif 1223 sm_pairing_packet_set_io_capability(*local_packet, sm_io_capabilities); 1224 sm_pairing_packet_set_oob_data_flag(*local_packet, setup->sm_have_oob_data); 1225 sm_pairing_packet_set_auth_req(*local_packet, auth_req); 1226 sm_pairing_packet_set_max_encryption_key_size(*local_packet, max_encryption_key_size); 1227 } 1228 1229 static int sm_stk_generation_init(sm_connection_t * sm_conn){ 1230 1231 sm_pairing_packet_t * remote_packet; 1232 uint8_t keys_to_send; 1233 uint8_t keys_to_receive; 1234 if (IS_RESPONDER(sm_conn->sm_role)){ 1235 // slave / responder 1236 remote_packet = &setup->sm_m_preq; 1237 keys_to_send = sm_pairing_packet_get_responder_key_distribution(setup->sm_m_preq); 1238 keys_to_receive = sm_pairing_packet_get_initiator_key_distribution(setup->sm_m_preq); 1239 } else { 1240 // master / initiator 1241 remote_packet = &setup->sm_s_pres; 1242 keys_to_send = sm_pairing_packet_get_initiator_key_distribution(setup->sm_s_pres); 1243 keys_to_receive = sm_pairing_packet_get_responder_key_distribution(setup->sm_s_pres); 1244 } 1245 1246 // check key size 1247 #ifdef ENABLE_LE_SECURE_CONNECTIONS 1248 // SC Only mandates 128 bit key size 1249 if (sm_sc_only_mode && (sm_pairing_packet_get_max_encryption_key_size(*remote_packet) < 16)) { 1250 return SM_REASON_ENCRYPTION_KEY_SIZE; 1251 } 1252 #endif 1253 sm_conn->sm_actual_encryption_key_size = sm_calc_actual_encryption_key_size(sm_pairing_packet_get_max_encryption_key_size(*remote_packet)); 1254 if (sm_conn->sm_actual_encryption_key_size == 0u) return SM_REASON_ENCRYPTION_KEY_SIZE; 1255 1256 // decide on STK generation method / SC 1257 sm_setup_tk(); 1258 log_info("SMP: generation method %u", setup->sm_stk_generation_method); 1259 1260 // check if STK generation method is acceptable by client 1261 if (!sm_validate_stk_generation_method()) return SM_REASON_AUTHENTHICATION_REQUIREMENTS; 1262 1263 #ifdef ENABLE_LE_SECURE_CONNECTIONS 1264 // Check LE SC Only mode 1265 if (sm_sc_only_mode && (setup->sm_use_secure_connections == false)){ 1266 log_info("SC Only mode active but SC not possible"); 1267 return SM_REASON_AUTHENTHICATION_REQUIREMENTS; 1268 } 1269 1270 // LTK (= encryption information & master identification) only used exchanged for LE Legacy Connection 1271 if (setup->sm_use_secure_connections){ 1272 keys_to_send &= ~SM_KEYDIST_ENC_KEY; 1273 keys_to_receive &= ~SM_KEYDIST_ENC_KEY; 1274 } 1275 #endif 1276 1277 // identical to responder 1278 sm_setup_key_distribution(keys_to_send, keys_to_receive); 1279 1280 // JUST WORKS doens't provide authentication 1281 sm_conn->sm_connection_authenticated = (setup->sm_stk_generation_method == JUST_WORKS) ? 0 : 1; 1282 1283 return 0; 1284 } 1285 1286 static void sm_address_resolution_handle_event(address_resolution_event_t event){ 1287 1288 // cache and reset context 1289 int matched_device_id = sm_address_resolution_test; 1290 address_resolution_mode_t mode = sm_address_resolution_mode; 1291 void * context = sm_address_resolution_context; 1292 1293 // reset context 1294 sm_address_resolution_mode = ADDRESS_RESOLUTION_IDLE; 1295 sm_address_resolution_context = NULL; 1296 sm_address_resolution_test = -1; 1297 1298 hci_con_handle_t con_handle = HCI_CON_HANDLE_INVALID; 1299 sm_connection_t * sm_connection; 1300 sm_key_t ltk; 1301 bool have_ltk; 1302 int authenticated; 1303 #ifdef ENABLE_LE_CENTRAL 1304 bool trigger_pairing; 1305 #endif 1306 1307 switch (mode){ 1308 case ADDRESS_RESOLUTION_GENERAL: 1309 break; 1310 case ADDRESS_RESOLUTION_FOR_CONNECTION: 1311 sm_connection = (sm_connection_t *) context; 1312 con_handle = sm_connection->sm_handle; 1313 1314 // have ltk -> start encryption / send security request 1315 // Core 5, Vol 3, Part C, 10.3.2 Initiating a Service Request 1316 // "When a bond has been created between two devices, any reconnection should result in the local device 1317 // enabling or requesting encryption with the remote device before initiating any service request." 1318 1319 switch (event){ 1320 case ADDRESS_RESOLUTION_SUCCEEDED: 1321 sm_connection->sm_irk_lookup_state = IRK_LOOKUP_SUCCEEDED; 1322 sm_connection->sm_le_db_index = matched_device_id; 1323 log_info("ADDRESS_RESOLUTION_SUCCEEDED, index %d", sm_connection->sm_le_db_index); 1324 1325 le_device_db_encryption_get(sm_connection->sm_le_db_index, NULL, NULL, ltk, NULL, &authenticated, NULL, NULL); 1326 have_ltk = !sm_is_null_key(ltk); 1327 1328 if (IS_RESPONDER(sm_connection->sm_role)) { 1329 #ifdef ENABLE_LE_PERIPHERAL 1330 // IRK required before, continue 1331 if (sm_connection->sm_engine_state == SM_RESPONDER_PH0_RECEIVED_LTK_W4_IRK){ 1332 sm_connection->sm_engine_state = SM_RESPONDER_PH0_RECEIVED_LTK_REQUEST; 1333 break; 1334 } 1335 if (sm_connection->sm_engine_state == SM_RESPONDER_PH1_PAIRING_REQUEST_RECEIVED_W4_IRK){ 1336 sm_connection->sm_engine_state = SM_RESPONDER_PH1_PAIRING_REQUEST_RECEIVED; 1337 break; 1338 } 1339 bool trigger_security_request = sm_connection->sm_pairing_requested || sm_slave_request_security; 1340 sm_connection->sm_pairing_requested = false; 1341 #ifdef ENABLE_LE_PROACTIVE_AUTHENTICATION 1342 // trigger security request for Proactive Authentication if LTK available 1343 trigger_security_request = trigger_security_request || have_ltk; 1344 #endif 1345 1346 log_info("peripheral: pairing request local %u, have_ltk %u => trigger_security_request %u", 1347 (int) sm_connection->sm_pairing_requested, (int) have_ltk, trigger_security_request); 1348 1349 if (trigger_security_request){ 1350 sm_connection->sm_engine_state = SM_RESPONDER_SEND_SECURITY_REQUEST; 1351 if (have_ltk){ 1352 sm_reencryption_started(sm_connection); 1353 } else { 1354 sm_pairing_started(sm_connection); 1355 } 1356 sm_trigger_run(); 1357 } 1358 #endif 1359 } else { 1360 1361 #ifdef ENABLE_LE_CENTRAL 1362 // check if pairing already requested and reset requests 1363 trigger_pairing = sm_connection->sm_pairing_requested || sm_connection->sm_security_request_received; 1364 bool auth_required = sm_auth_req & SM_AUTHREQ_MITM_PROTECTION; 1365 1366 log_info("central: pairing request local %u, remote %u => trigger_pairing %u. have_ltk %u", 1367 (int) sm_connection->sm_pairing_requested, (int) sm_connection->sm_security_request_received, (int) trigger_pairing, (int) have_ltk); 1368 sm_connection->sm_security_request_received = false; 1369 sm_connection->sm_pairing_requested = false; 1370 bool trigger_reencryption = false; 1371 1372 if (have_ltk){ 1373 if (trigger_pairing){ 1374 // if pairing is requested, re-encryption is sufficient, if ltk is already authenticated or we don't require authentication 1375 trigger_reencryption = (authenticated != 0) || (auth_required == false); 1376 } else { 1377 #ifdef ENABLE_LE_PROACTIVE_AUTHENTICATION 1378 trigger_reencryption = true; 1379 #else 1380 log_info("central: defer enabling encryption for bonded device"); 1381 #endif 1382 } 1383 } 1384 1385 if (trigger_reencryption){ 1386 log_info("central: enable encryption for bonded device"); 1387 sm_connection->sm_engine_state = SM_INITIATOR_PH4_HAS_LTK; 1388 break; 1389 } 1390 1391 // pairing_request -> send pairing request 1392 if (trigger_pairing){ 1393 sm_connection->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 1394 break; 1395 } 1396 #endif 1397 } 1398 break; 1399 case ADDRESS_RESOLUTION_FAILED: 1400 sm_connection->sm_irk_lookup_state = IRK_LOOKUP_FAILED; 1401 if (IS_RESPONDER(sm_connection->sm_role)) { 1402 #ifdef ENABLE_LE_PERIPHERAL 1403 // LTK request received before, IRK required -> negative LTK reply 1404 if (sm_connection->sm_engine_state == SM_RESPONDER_PH0_RECEIVED_LTK_W4_IRK){ 1405 sm_connection->sm_engine_state = SM_RESPONDER_PH0_SEND_LTK_REQUESTED_NEGATIVE_REPLY; 1406 } 1407 // send security request if requested 1408 bool trigger_security_request = sm_connection->sm_pairing_requested || sm_slave_request_security; 1409 sm_connection->sm_pairing_requested = false; 1410 if (trigger_security_request){ 1411 sm_connection->sm_engine_state = SM_RESPONDER_SEND_SECURITY_REQUEST; 1412 sm_pairing_started(sm_connection); 1413 } 1414 break; 1415 #endif 1416 } 1417 #ifdef ENABLE_LE_CENTRAL 1418 if ((sm_connection->sm_pairing_requested == false) && (sm_connection->sm_security_request_received == false)) break; 1419 sm_connection->sm_security_request_received = false; 1420 sm_connection->sm_pairing_requested = false; 1421 sm_connection->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 1422 #endif 1423 break; 1424 1425 default: 1426 btstack_assert(false); 1427 break; 1428 } 1429 break; 1430 default: 1431 break; 1432 } 1433 1434 switch (event){ 1435 case ADDRESS_RESOLUTION_SUCCEEDED: 1436 sm_notify_client_index(SM_EVENT_IDENTITY_RESOLVING_SUCCEEDED, con_handle, sm_address_resolution_addr_type, sm_address_resolution_address, matched_device_id); 1437 break; 1438 case ADDRESS_RESOLUTION_FAILED: 1439 sm_notify_client_base(SM_EVENT_IDENTITY_RESOLVING_FAILED, con_handle, sm_address_resolution_addr_type, sm_address_resolution_address); 1440 break; 1441 default: 1442 btstack_assert(false); 1443 break; 1444 } 1445 } 1446 1447 static void sm_store_bonding_information(sm_connection_t * sm_conn){ 1448 int le_db_index = -1; 1449 1450 // lookup device based on IRK 1451 if ((setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_IDENTITY_INFORMATION) != 0u){ 1452 int i; 1453 for (i=0; i < le_device_db_max_count(); i++){ 1454 sm_key_t irk; 1455 bd_addr_t address; 1456 int address_type = BD_ADDR_TYPE_UNKNOWN; 1457 le_device_db_info(i, &address_type, address, irk); 1458 // skip unused entries 1459 if (address_type == BD_ADDR_TYPE_UNKNOWN) continue; 1460 // compare Identity Address 1461 if (memcmp(address, setup->sm_peer_address, 6) != 0) continue; 1462 // compare Identity Resolving Key 1463 if (memcmp(irk, setup->sm_peer_irk, 16) != 0) continue; 1464 1465 log_info("sm: device found for IRK, updating"); 1466 le_db_index = i; 1467 break; 1468 } 1469 } else { 1470 // assert IRK is set to zero 1471 memset(setup->sm_peer_irk, 0, 16); 1472 } 1473 1474 // if not found, lookup via public address if possible 1475 log_info("sm peer addr type %u, peer addres %s", setup->sm_peer_addr_type, bd_addr_to_str(setup->sm_peer_address)); 1476 if ((le_db_index < 0) && (setup->sm_peer_addr_type == BD_ADDR_TYPE_LE_PUBLIC)){ 1477 int i; 1478 for (i=0; i < le_device_db_max_count(); i++){ 1479 bd_addr_t address; 1480 int address_type = BD_ADDR_TYPE_UNKNOWN; 1481 le_device_db_info(i, &address_type, address, NULL); 1482 // skip unused entries 1483 if (address_type == BD_ADDR_TYPE_UNKNOWN) continue; 1484 log_info("device %u, sm peer addr type %u, peer addres %s", i, address_type, bd_addr_to_str(address)); 1485 if ((address_type == BD_ADDR_TYPE_LE_PUBLIC) && (memcmp(address, setup->sm_peer_address, 6) == 0)){ 1486 log_info("sm: device found for public address, updating"); 1487 le_db_index = i; 1488 break; 1489 } 1490 } 1491 } 1492 1493 // if not found, add to db 1494 bool new_to_le_device_db = false; 1495 if (le_db_index < 0) { 1496 le_db_index = le_device_db_add(setup->sm_peer_addr_type, setup->sm_peer_address, setup->sm_peer_irk); 1497 new_to_le_device_db = true; 1498 } 1499 1500 if (le_db_index >= 0){ 1501 1502 #ifdef ENABLE_LE_PRIVACY_ADDRESS_RESOLUTION 1503 if (!new_to_le_device_db){ 1504 hci_remove_le_device_db_entry_from_resolving_list(le_db_index); 1505 } 1506 hci_load_le_device_db_entry_into_resolving_list(le_db_index); 1507 #else 1508 UNUSED(new_to_le_device_db); 1509 #endif 1510 1511 sm_notify_client_index(SM_EVENT_IDENTITY_CREATED, sm_conn->sm_handle, setup->sm_peer_addr_type, setup->sm_peer_address, le_db_index); 1512 sm_conn->sm_irk_lookup_state = IRK_LOOKUP_SUCCEEDED; 1513 sm_conn->sm_le_db_index = le_db_index; 1514 1515 #ifdef ENABLE_LE_SIGNED_WRITE 1516 // store local CSRK 1517 setup->sm_le_device_index = le_db_index; 1518 if ((setup->sm_key_distribution_sent_set) & SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION){ 1519 log_info("sm: store local CSRK"); 1520 le_device_db_local_csrk_set(le_db_index, setup->sm_local_csrk); 1521 le_device_db_local_counter_set(le_db_index, 0); 1522 } 1523 1524 // store remote CSRK 1525 if (setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION){ 1526 log_info("sm: store remote CSRK"); 1527 le_device_db_remote_csrk_set(le_db_index, setup->sm_peer_csrk); 1528 le_device_db_remote_counter_set(le_db_index, 0); 1529 } 1530 #endif 1531 // store encryption information for secure connections: LTK generated by ECDH 1532 if (setup->sm_use_secure_connections){ 1533 log_info("sm: store SC LTK (key size %u, authenticated %u)", sm_conn->sm_actual_encryption_key_size, sm_conn->sm_connection_authenticated); 1534 uint8_t zero_rand[8]; 1535 memset(zero_rand, 0, 8); 1536 le_device_db_encryption_set(le_db_index, 0, zero_rand, setup->sm_ltk, sm_conn->sm_actual_encryption_key_size, 1537 sm_conn->sm_connection_authenticated, sm_conn->sm_connection_authorization_state == AUTHORIZATION_GRANTED, 1); 1538 } 1539 1540 // store encryption information for legacy pairing: peer LTK, EDIV, RAND 1541 else if ( (setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION) 1542 && (setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_MASTER_IDENTIFICATION )){ 1543 log_info("sm: set encryption information (key size %u, authenticated %u)", sm_conn->sm_actual_encryption_key_size, sm_conn->sm_connection_authenticated); 1544 le_device_db_encryption_set(le_db_index, setup->sm_peer_ediv, setup->sm_peer_rand, setup->sm_peer_ltk, 1545 sm_conn->sm_actual_encryption_key_size, sm_conn->sm_connection_authenticated, sm_conn->sm_connection_authorization_state == AUTHORIZATION_GRANTED, 0); 1546 1547 } 1548 } 1549 } 1550 1551 static void sm_pairing_error(sm_connection_t * sm_conn, uint8_t reason){ 1552 sm_conn->sm_pairing_failed_reason = reason; 1553 sm_conn->sm_engine_state = SM_GENERAL_SEND_PAIRING_FAILED; 1554 } 1555 1556 static int sm_le_device_db_index_lookup(bd_addr_type_t address_type, bd_addr_t address){ 1557 int i; 1558 for (i=0; i < le_device_db_max_count(); i++){ 1559 bd_addr_t db_address; 1560 int db_address_type = BD_ADDR_TYPE_UNKNOWN; 1561 le_device_db_info(i, &db_address_type, db_address, NULL); 1562 // skip unused entries 1563 if (address_type == BD_ADDR_TYPE_UNKNOWN) continue; 1564 if ((address_type == (unsigned int)db_address_type) && (memcmp(address, db_address, 6) == 0)){ 1565 return i; 1566 } 1567 } 1568 return -1; 1569 } 1570 1571 static void sm_remove_le_device_db_entry(uint16_t i) { 1572 le_device_db_remove(i); 1573 #ifdef ENABLE_LE_PRIVACY_ADDRESS_RESOLUTION 1574 // to remove an entry from the resolving list requires its identity address, which was already deleted 1575 // fully reload resolving list instead 1576 gap_load_resolving_list_from_le_device_db(); 1577 #endif 1578 } 1579 1580 static uint8_t sm_key_distribution_validate_received(sm_connection_t * sm_conn){ 1581 // if identity is provided, abort if we have bonding with same address but different irk 1582 if ((setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_IDENTITY_INFORMATION) != 0u){ 1583 int index = sm_le_device_db_index_lookup(BD_ADDR_TYPE_LE_PUBLIC, setup->sm_peer_address); 1584 if (index >= 0){ 1585 sm_key_t irk; 1586 le_device_db_info(index, NULL, NULL, irk); 1587 if (memcmp(irk, setup->sm_peer_irk, 16) != 0){ 1588 // IRK doesn't match, delete bonding information 1589 log_info("New IRK for %s (type %u) does not match stored IRK -> delete bonding information", bd_addr_to_str(sm_conn->sm_peer_address), sm_conn->sm_peer_addr_type); 1590 sm_remove_le_device_db_entry(index); 1591 } 1592 } 1593 } 1594 return 0; 1595 } 1596 1597 static void sm_key_distribution_handle_all_received(sm_connection_t * sm_conn){ 1598 1599 // abort pairing if received keys are not valid 1600 uint8_t reason = sm_key_distribution_validate_received(sm_conn); 1601 if (reason != 0){ 1602 sm_pairing_error(sm_conn, reason); 1603 return; 1604 } 1605 1606 // only store pairing information if both sides are bondable, i.e., the bonadble flag is set 1607 bool bonding_enabled = (sm_pairing_packet_get_auth_req(setup->sm_m_preq) 1608 & sm_pairing_packet_get_auth_req(setup->sm_s_pres) 1609 & SM_AUTHREQ_BONDING ) != 0u; 1610 1611 if (bonding_enabled){ 1612 sm_store_bonding_information(sm_conn); 1613 } else { 1614 log_info("Ignoring received keys, bonding not enabled"); 1615 } 1616 } 1617 1618 static inline void sm_pdu_received_in_wrong_state(sm_connection_t * sm_conn){ 1619 sm_pairing_error(sm_conn, SM_REASON_UNSPECIFIED_REASON); 1620 } 1621 1622 #ifdef ENABLE_LE_SECURE_CONNECTIONS 1623 1624 static void sm_sc_prepare_dhkey_check(sm_connection_t * sm_conn); 1625 static bool sm_passkey_used(stk_generation_method_t method); 1626 static bool sm_just_works_or_numeric_comparison(stk_generation_method_t method); 1627 1628 static void sm_sc_start_calculating_local_confirm(sm_connection_t * sm_conn){ 1629 if (setup->sm_stk_generation_method == OOB){ 1630 sm_conn->sm_engine_state = SM_SC_W2_CMAC_FOR_CONFIRMATION; 1631 } else { 1632 btstack_crypto_random_generate(&sm_crypto_random_request, setup->sm_local_nonce, 16, &sm_handle_random_result_sc_next_w2_cmac_for_confirmation, (void *)(uintptr_t) sm_conn->sm_handle); 1633 } 1634 } 1635 1636 static void sm_sc_state_after_receiving_random(sm_connection_t * sm_conn){ 1637 if (IS_RESPONDER(sm_conn->sm_role)){ 1638 // Responder 1639 if (setup->sm_stk_generation_method == OOB){ 1640 // generate Nb 1641 log_info("Generate Nb"); 1642 btstack_crypto_random_generate(&sm_crypto_random_request, setup->sm_local_nonce, 16, &sm_handle_random_result_sc_next_send_pairing_random, (void *)(uintptr_t) sm_conn->sm_handle); 1643 } else { 1644 sm_conn->sm_engine_state = SM_SC_SEND_PAIRING_RANDOM; 1645 } 1646 } else { 1647 // Initiator role 1648 switch (setup->sm_stk_generation_method){ 1649 case JUST_WORKS: 1650 sm_sc_prepare_dhkey_check(sm_conn); 1651 break; 1652 1653 case NUMERIC_COMPARISON: 1654 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_G2; 1655 break; 1656 case PK_INIT_INPUT: 1657 case PK_RESP_INPUT: 1658 case PK_BOTH_INPUT: 1659 if (setup->sm_passkey_bit < 20u) { 1660 sm_sc_start_calculating_local_confirm(sm_conn); 1661 } else { 1662 sm_sc_prepare_dhkey_check(sm_conn); 1663 } 1664 break; 1665 case OOB: 1666 sm_sc_prepare_dhkey_check(sm_conn); 1667 break; 1668 default: 1669 btstack_assert(false); 1670 break; 1671 } 1672 } 1673 } 1674 1675 static void sm_sc_cmac_done(uint8_t * hash){ 1676 log_info("sm_sc_cmac_done: "); 1677 log_info_hexdump(hash, 16); 1678 1679 if (sm_sc_oob_state == SM_SC_OOB_W4_CONFIRM){ 1680 sm_sc_oob_state = SM_SC_OOB_IDLE; 1681 (*sm_sc_oob_callback)(hash, sm_sc_oob_random); 1682 return; 1683 } 1684 1685 sm_connection_t * sm_conn = sm_cmac_connection; 1686 sm_cmac_connection = NULL; 1687 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 1688 link_key_type_t link_key_type; 1689 #endif 1690 1691 switch (sm_conn->sm_engine_state){ 1692 case SM_SC_W4_CMAC_FOR_CONFIRMATION: 1693 (void)memcpy(setup->sm_local_confirm, hash, 16); 1694 sm_conn->sm_engine_state = SM_SC_SEND_CONFIRMATION; 1695 break; 1696 case SM_SC_W4_CMAC_FOR_CHECK_CONFIRMATION: 1697 // check 1698 if (0 != memcmp(hash, setup->sm_peer_confirm, 16)){ 1699 sm_pairing_error(sm_conn, SM_REASON_CONFIRM_VALUE_FAILED); 1700 break; 1701 } 1702 sm_sc_state_after_receiving_random(sm_conn); 1703 break; 1704 case SM_SC_W4_CALCULATE_G2: { 1705 uint32_t vab = big_endian_read_32(hash, 12) % 1000000; 1706 big_endian_store_32(setup->sm_tk, 12, vab); 1707 sm_conn->sm_engine_state = SM_SC_W4_USER_RESPONSE; 1708 sm_trigger_user_response(sm_conn); 1709 break; 1710 } 1711 case SM_SC_W4_CALCULATE_F5_SALT: 1712 (void)memcpy(setup->sm_t, hash, 16); 1713 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F5_MACKEY; 1714 break; 1715 case SM_SC_W4_CALCULATE_F5_MACKEY: 1716 (void)memcpy(setup->sm_mackey, hash, 16); 1717 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F5_LTK; 1718 break; 1719 case SM_SC_W4_CALCULATE_F5_LTK: 1720 // truncate sm_ltk, but keep full LTK for cross-transport key derivation in sm_local_ltk 1721 // Errata Service Release to the Bluetooth Specification: ESR09 1722 // E6405 – Cross transport key derivation from a key of size less than 128 bits 1723 // Note: When the BR/EDR link key is being derived from the LTK, the derivation is done before the LTK gets masked." 1724 (void)memcpy(setup->sm_ltk, hash, 16); 1725 (void)memcpy(setup->sm_local_ltk, hash, 16); 1726 sm_truncate_key(setup->sm_ltk, sm_conn->sm_actual_encryption_key_size); 1727 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F6_FOR_DHKEY_CHECK; 1728 break; 1729 case SM_SC_W4_CALCULATE_F6_FOR_DHKEY_CHECK: 1730 (void)memcpy(setup->sm_local_dhkey_check, hash, 16); 1731 if (IS_RESPONDER(sm_conn->sm_role)){ 1732 // responder 1733 if ((setup->sm_state_vars & SM_STATE_VAR_DHKEY_COMMAND_RECEIVED) != 0u){ 1734 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F6_TO_VERIFY_DHKEY_CHECK; 1735 } else { 1736 sm_conn->sm_engine_state = SM_SC_W4_DHKEY_CHECK_COMMAND; 1737 } 1738 } else { 1739 sm_conn->sm_engine_state = SM_SC_SEND_DHKEY_CHECK_COMMAND; 1740 } 1741 break; 1742 case SM_SC_W4_CALCULATE_F6_TO_VERIFY_DHKEY_CHECK: 1743 if (0 != memcmp(hash, setup->sm_peer_dhkey_check, 16) ){ 1744 sm_pairing_error(sm_conn, SM_REASON_DHKEY_CHECK_FAILED); 1745 break; 1746 } 1747 if (IS_RESPONDER(sm_conn->sm_role)){ 1748 // responder 1749 sm_conn->sm_engine_state = SM_SC_SEND_DHKEY_CHECK_COMMAND; 1750 } else { 1751 // initiator 1752 sm_conn->sm_engine_state = SM_INITIATOR_PH3_SEND_START_ENCRYPTION; 1753 } 1754 break; 1755 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 1756 case SM_SC_W4_CALCULATE_ILK: 1757 (void)memcpy(setup->sm_t, hash, 16); 1758 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_BR_EDR_LINK_KEY; 1759 break; 1760 case SM_SC_W4_CALCULATE_BR_EDR_LINK_KEY: 1761 reverse_128(hash, setup->sm_t); 1762 link_key_type = sm_conn->sm_connection_authenticated ? 1763 AUTHENTICATED_COMBINATION_KEY_GENERATED_FROM_P256 : UNAUTHENTICATED_COMBINATION_KEY_GENERATED_FROM_P256; 1764 log_info("Derived classic link key from LE using h6, type %u", (int) link_key_type); 1765 gap_store_link_key_for_bd_addr(setup->sm_peer_address, setup->sm_t, link_key_type); 1766 if (IS_RESPONDER(sm_conn->sm_role)){ 1767 sm_conn->sm_engine_state = SM_RESPONDER_IDLE; 1768 } else { 1769 sm_conn->sm_engine_state = SM_INITIATOR_CONNECTED; 1770 } 1771 sm_pairing_complete(sm_conn, ERROR_CODE_SUCCESS, 0); 1772 sm_done_for_handle(sm_conn->sm_handle); 1773 break; 1774 case SM_BR_EDR_W4_CALCULATE_ILK: 1775 (void)memcpy(setup->sm_t, hash, 16); 1776 sm_conn->sm_engine_state = SM_BR_EDR_W2_CALCULATE_LE_LTK; 1777 break; 1778 case SM_BR_EDR_W4_CALCULATE_LE_LTK: 1779 log_info("Derived LE LTK from BR/EDR Link Key"); 1780 log_info_key("Link Key", hash); 1781 (void)memcpy(setup->sm_ltk, hash, 16); 1782 sm_truncate_key(setup->sm_ltk, sm_conn->sm_actual_encryption_key_size); 1783 sm_conn->sm_connection_authenticated = setup->sm_link_key_type == AUTHENTICATED_COMBINATION_KEY_GENERATED_FROM_P256; 1784 sm_store_bonding_information(sm_conn); 1785 sm_done_for_handle(sm_conn->sm_handle); 1786 break; 1787 #endif 1788 default: 1789 log_error("sm_sc_cmac_done in state %u", sm_conn->sm_engine_state); 1790 break; 1791 } 1792 sm_trigger_run(); 1793 } 1794 1795 static void f4_engine(sm_connection_t * sm_conn, const sm_key256_t u, const sm_key256_t v, const sm_key_t x, uint8_t z){ 1796 const uint16_t message_len = 65; 1797 sm_cmac_connection = sm_conn; 1798 (void)memcpy(sm_cmac_sc_buffer, u, 32); 1799 (void)memcpy(sm_cmac_sc_buffer + 32, v, 32); 1800 sm_cmac_sc_buffer[64] = z; 1801 log_info("f4 key"); 1802 log_info_hexdump(x, 16); 1803 log_info("f4 message"); 1804 log_info_hexdump(sm_cmac_sc_buffer, message_len); 1805 sm_cmac_message_start(x, message_len, sm_cmac_sc_buffer, &sm_sc_cmac_done); 1806 } 1807 1808 static const uint8_t f5_key_id[] = { 0x62, 0x74, 0x6c, 0x65 }; 1809 static const uint8_t f5_length[] = { 0x01, 0x00}; 1810 1811 static void f5_calculate_salt(sm_connection_t * sm_conn){ 1812 1813 static const sm_key_t f5_salt = { 0x6C ,0x88, 0x83, 0x91, 0xAA, 0xF5, 0xA5, 0x38, 0x60, 0x37, 0x0B, 0xDB, 0x5A, 0x60, 0x83, 0xBE}; 1814 1815 log_info("f5_calculate_salt"); 1816 // calculate salt for f5 1817 const uint16_t message_len = 32; 1818 sm_cmac_connection = sm_conn; 1819 (void)memcpy(sm_cmac_sc_buffer, setup->sm_dhkey, message_len); 1820 sm_cmac_message_start(f5_salt, message_len, sm_cmac_sc_buffer, &sm_sc_cmac_done); 1821 } 1822 1823 static inline void f5_mackkey(sm_connection_t * sm_conn, sm_key_t t, const sm_key_t n1, const sm_key_t n2, const sm_key56_t a1, const sm_key56_t a2){ 1824 const uint16_t message_len = 53; 1825 sm_cmac_connection = sm_conn; 1826 1827 // f5(W, N1, N2, A1, A2) = AES-CMACT (Counter = 0 || keyID || N1 || N2|| A1|| A2 || Length = 256) -- this is the MacKey 1828 sm_cmac_sc_buffer[0] = 0; 1829 (void)memcpy(sm_cmac_sc_buffer + 01, f5_key_id, 4); 1830 (void)memcpy(sm_cmac_sc_buffer + 05, n1, 16); 1831 (void)memcpy(sm_cmac_sc_buffer + 21, n2, 16); 1832 (void)memcpy(sm_cmac_sc_buffer + 37, a1, 7); 1833 (void)memcpy(sm_cmac_sc_buffer + 44, a2, 7); 1834 (void)memcpy(sm_cmac_sc_buffer + 51, f5_length, 2); 1835 log_info("f5 key"); 1836 log_info_hexdump(t, 16); 1837 log_info("f5 message for MacKey"); 1838 log_info_hexdump(sm_cmac_sc_buffer, message_len); 1839 sm_cmac_message_start(t, message_len, sm_cmac_sc_buffer, &sm_sc_cmac_done); 1840 } 1841 1842 static void f5_calculate_mackey(sm_connection_t * sm_conn){ 1843 sm_key56_t bd_addr_master, bd_addr_slave; 1844 bd_addr_master[0] = setup->sm_m_addr_type; 1845 bd_addr_slave[0] = setup->sm_s_addr_type; 1846 (void)memcpy(&bd_addr_master[1], setup->sm_m_address, 6); 1847 (void)memcpy(&bd_addr_slave[1], setup->sm_s_address, 6); 1848 if (IS_RESPONDER(sm_conn->sm_role)){ 1849 // responder 1850 f5_mackkey(sm_conn, setup->sm_t, setup->sm_peer_nonce, setup->sm_local_nonce, bd_addr_master, bd_addr_slave); 1851 } else { 1852 // initiator 1853 f5_mackkey(sm_conn, setup->sm_t, setup->sm_local_nonce, setup->sm_peer_nonce, bd_addr_master, bd_addr_slave); 1854 } 1855 } 1856 1857 // note: must be called right after f5_mackey, as sm_cmac_buffer[1..52] will be reused 1858 static inline void f5_ltk(sm_connection_t * sm_conn, sm_key_t t){ 1859 const uint16_t message_len = 53; 1860 sm_cmac_connection = sm_conn; 1861 sm_cmac_sc_buffer[0] = 1; 1862 // 1..52 setup before 1863 log_info("f5 key"); 1864 log_info_hexdump(t, 16); 1865 log_info("f5 message for LTK"); 1866 log_info_hexdump(sm_cmac_sc_buffer, message_len); 1867 sm_cmac_message_start(t, message_len, sm_cmac_sc_buffer, &sm_sc_cmac_done); 1868 } 1869 1870 static void f5_calculate_ltk(sm_connection_t * sm_conn){ 1871 f5_ltk(sm_conn, setup->sm_t); 1872 } 1873 1874 static void f6_setup(const sm_key_t n1, const sm_key_t n2, const sm_key_t r, const sm_key24_t io_cap, const sm_key56_t a1, const sm_key56_t a2){ 1875 (void)memcpy(sm_cmac_sc_buffer, n1, 16); 1876 (void)memcpy(sm_cmac_sc_buffer + 16, n2, 16); 1877 (void)memcpy(sm_cmac_sc_buffer + 32, r, 16); 1878 (void)memcpy(sm_cmac_sc_buffer + 48, io_cap, 3); 1879 (void)memcpy(sm_cmac_sc_buffer + 51, a1, 7); 1880 (void)memcpy(sm_cmac_sc_buffer + 58, a2, 7); 1881 } 1882 1883 static void f6_engine(sm_connection_t * sm_conn, const sm_key_t w){ 1884 const uint16_t message_len = 65; 1885 sm_cmac_connection = sm_conn; 1886 log_info("f6 key"); 1887 log_info_hexdump(w, 16); 1888 log_info("f6 message"); 1889 log_info_hexdump(sm_cmac_sc_buffer, message_len); 1890 sm_cmac_message_start(w, 65, sm_cmac_sc_buffer, &sm_sc_cmac_done); 1891 } 1892 1893 // g2(U, V, X, Y) = AES-CMACX(U || V || Y) mod 2^32 1894 // - U is 256 bits 1895 // - V is 256 bits 1896 // - X is 128 bits 1897 // - Y is 128 bits 1898 static void g2_engine(sm_connection_t * sm_conn, const sm_key256_t u, const sm_key256_t v, const sm_key_t x, const sm_key_t y){ 1899 const uint16_t message_len = 80; 1900 sm_cmac_connection = sm_conn; 1901 (void)memcpy(sm_cmac_sc_buffer, u, 32); 1902 (void)memcpy(sm_cmac_sc_buffer + 32, v, 32); 1903 (void)memcpy(sm_cmac_sc_buffer + 64, y, 16); 1904 log_info("g2 key"); 1905 log_info_hexdump(x, 16); 1906 log_info("g2 message"); 1907 log_info_hexdump(sm_cmac_sc_buffer, message_len); 1908 sm_cmac_message_start(x, message_len, sm_cmac_sc_buffer, &sm_sc_cmac_done); 1909 } 1910 1911 static void g2_calculate(sm_connection_t * sm_conn) { 1912 // calc Va if numeric comparison 1913 if (IS_RESPONDER(sm_conn->sm_role)){ 1914 // responder 1915 g2_engine(sm_conn, setup->sm_peer_q, ec_q, setup->sm_peer_nonce, setup->sm_local_nonce);; 1916 } else { 1917 // initiator 1918 g2_engine(sm_conn, ec_q, setup->sm_peer_q, setup->sm_local_nonce, setup->sm_peer_nonce); 1919 } 1920 } 1921 1922 static void sm_sc_calculate_local_confirm(sm_connection_t * sm_conn){ 1923 uint8_t z = 0; 1924 if (sm_passkey_entry(setup->sm_stk_generation_method)){ 1925 // some form of passkey 1926 uint32_t pk = big_endian_read_32(setup->sm_tk, 12); 1927 z = 0x80u | ((pk >> setup->sm_passkey_bit) & 1u); 1928 setup->sm_passkey_bit++; 1929 } 1930 f4_engine(sm_conn, ec_q, setup->sm_peer_q, setup->sm_local_nonce, z); 1931 } 1932 1933 static void sm_sc_calculate_remote_confirm(sm_connection_t * sm_conn){ 1934 // OOB 1935 if (setup->sm_stk_generation_method == OOB){ 1936 if (IS_RESPONDER(sm_conn->sm_role)){ 1937 f4_engine(sm_conn, setup->sm_peer_q, setup->sm_peer_q, setup->sm_ra, 0); 1938 } else { 1939 f4_engine(sm_conn, setup->sm_peer_q, setup->sm_peer_q, setup->sm_rb, 0); 1940 } 1941 return; 1942 } 1943 1944 uint8_t z = 0; 1945 if (sm_passkey_entry(setup->sm_stk_generation_method)){ 1946 // some form of passkey 1947 uint32_t pk = big_endian_read_32(setup->sm_tk, 12); 1948 // sm_passkey_bit was increased before sending confirm value 1949 z = 0x80u | ((pk >> (setup->sm_passkey_bit-1u)) & 1u); 1950 } 1951 f4_engine(sm_conn, setup->sm_peer_q, ec_q, setup->sm_peer_nonce, z); 1952 } 1953 1954 static void sm_sc_prepare_dhkey_check(sm_connection_t * sm_conn){ 1955 log_info("sm_sc_prepare_dhkey_check, DHKEY calculated %u", (setup->sm_state_vars & SM_STATE_VAR_DHKEY_CALCULATED) != 0 ? 1 : 0); 1956 1957 if ((setup->sm_state_vars & SM_STATE_VAR_DHKEY_CALCULATED) != 0u){ 1958 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F5_SALT; 1959 } else { 1960 sm_conn->sm_engine_state = SM_SC_W4_CALCULATE_DHKEY; 1961 } 1962 } 1963 1964 static void sm_sc_dhkey_calculated(void * arg){ 1965 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 1966 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 1967 if (sm_conn == NULL) return; 1968 1969 // check for invalid public key detected by Controller 1970 if (sm_is_ff(setup->sm_dhkey, 32)){ 1971 log_info("sm: peer public key invalid"); 1972 sm_pairing_error(sm_conn, SM_REASON_DHKEY_CHECK_FAILED); 1973 return; 1974 } 1975 1976 log_info("dhkey"); 1977 log_info_hexdump(&setup->sm_dhkey[0], 32); 1978 setup->sm_state_vars |= SM_STATE_VAR_DHKEY_CALCULATED; 1979 // trigger next step 1980 if (sm_conn->sm_engine_state == SM_SC_W4_CALCULATE_DHKEY){ 1981 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F5_SALT; 1982 } 1983 sm_trigger_run(); 1984 } 1985 1986 static void sm_sc_calculate_f6_for_dhkey_check(sm_connection_t * sm_conn){ 1987 // calculate DHKCheck 1988 sm_key56_t bd_addr_master, bd_addr_slave; 1989 bd_addr_master[0] = setup->sm_m_addr_type; 1990 bd_addr_slave[0] = setup->sm_s_addr_type; 1991 (void)memcpy(&bd_addr_master[1], setup->sm_m_address, 6); 1992 (void)memcpy(&bd_addr_slave[1], setup->sm_s_address, 6); 1993 uint8_t iocap_a[3]; 1994 iocap_a[0] = sm_pairing_packet_get_auth_req(setup->sm_m_preq); 1995 iocap_a[1] = sm_pairing_packet_get_oob_data_flag(setup->sm_m_preq); 1996 iocap_a[2] = sm_pairing_packet_get_io_capability(setup->sm_m_preq); 1997 uint8_t iocap_b[3]; 1998 iocap_b[0] = sm_pairing_packet_get_auth_req(setup->sm_s_pres); 1999 iocap_b[1] = sm_pairing_packet_get_oob_data_flag(setup->sm_s_pres); 2000 iocap_b[2] = sm_pairing_packet_get_io_capability(setup->sm_s_pres); 2001 if (IS_RESPONDER(sm_conn->sm_role)){ 2002 // responder 2003 f6_setup(setup->sm_local_nonce, setup->sm_peer_nonce, setup->sm_ra, iocap_b, bd_addr_slave, bd_addr_master); 2004 f6_engine(sm_conn, setup->sm_mackey); 2005 } else { 2006 // initiator 2007 f6_setup( setup->sm_local_nonce, setup->sm_peer_nonce, setup->sm_rb, iocap_a, bd_addr_master, bd_addr_slave); 2008 f6_engine(sm_conn, setup->sm_mackey); 2009 } 2010 } 2011 2012 static void sm_sc_calculate_f6_to_verify_dhkey_check(sm_connection_t * sm_conn){ 2013 // validate E = f6() 2014 sm_key56_t bd_addr_master, bd_addr_slave; 2015 bd_addr_master[0] = setup->sm_m_addr_type; 2016 bd_addr_slave[0] = setup->sm_s_addr_type; 2017 (void)memcpy(&bd_addr_master[1], setup->sm_m_address, 6); 2018 (void)memcpy(&bd_addr_slave[1], setup->sm_s_address, 6); 2019 2020 uint8_t iocap_a[3]; 2021 iocap_a[0] = sm_pairing_packet_get_auth_req(setup->sm_m_preq); 2022 iocap_a[1] = sm_pairing_packet_get_oob_data_flag(setup->sm_m_preq); 2023 iocap_a[2] = sm_pairing_packet_get_io_capability(setup->sm_m_preq); 2024 uint8_t iocap_b[3]; 2025 iocap_b[0] = sm_pairing_packet_get_auth_req(setup->sm_s_pres); 2026 iocap_b[1] = sm_pairing_packet_get_oob_data_flag(setup->sm_s_pres); 2027 iocap_b[2] = sm_pairing_packet_get_io_capability(setup->sm_s_pres); 2028 if (IS_RESPONDER(sm_conn->sm_role)){ 2029 // responder 2030 f6_setup(setup->sm_peer_nonce, setup->sm_local_nonce, setup->sm_rb, iocap_a, bd_addr_master, bd_addr_slave); 2031 f6_engine(sm_conn, setup->sm_mackey); 2032 } else { 2033 // initiator 2034 f6_setup(setup->sm_peer_nonce, setup->sm_local_nonce, setup->sm_ra, iocap_b, bd_addr_slave, bd_addr_master); 2035 f6_engine(sm_conn, setup->sm_mackey); 2036 } 2037 } 2038 2039 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 2040 2041 // 2042 // Link Key Conversion Function h6 2043 // 2044 // h6(W, keyID) = AES-CMAC_W(keyID) 2045 // - W is 128 bits 2046 // - keyID is 32 bits 2047 static void h6_engine(sm_connection_t * sm_conn, const sm_key_t w, const uint32_t key_id){ 2048 const uint16_t message_len = 4; 2049 sm_cmac_connection = sm_conn; 2050 big_endian_store_32(sm_cmac_sc_buffer, 0, key_id); 2051 log_info("h6 key"); 2052 log_info_hexdump(w, 16); 2053 log_info("h6 message"); 2054 log_info_hexdump(sm_cmac_sc_buffer, message_len); 2055 sm_cmac_message_start(w, message_len, sm_cmac_sc_buffer, &sm_sc_cmac_done); 2056 } 2057 // 2058 // Link Key Conversion Function h7 2059 // 2060 // h7(SALT, W) = AES-CMAC_SALT(W) 2061 // - SALT is 128 bits 2062 // - W is 128 bits 2063 static void h7_engine(sm_connection_t * sm_conn, const sm_key_t salt, const sm_key_t w) { 2064 const uint16_t message_len = 16; 2065 sm_cmac_connection = sm_conn; 2066 log_info("h7 key"); 2067 log_info_hexdump(salt, 16); 2068 log_info("h7 message"); 2069 log_info_hexdump(w, 16); 2070 sm_cmac_message_start(salt, message_len, w, &sm_sc_cmac_done); 2071 } 2072 2073 // For SC, setup->sm_local_ltk holds full LTK (sm_ltk is already truncated) 2074 // Errata Service Release to the Bluetooth Specification: ESR09 2075 // E6405 – Cross transport key derivation from a key of size less than 128 bits 2076 // "Note: When the BR/EDR link key is being derived from the LTK, the derivation is done before the LTK gets masked." 2077 2078 static void h6_calculate_ilk_from_le_ltk(sm_connection_t * sm_conn){ 2079 h6_engine(sm_conn, setup->sm_local_ltk, 0x746D7031); // "tmp1" 2080 } 2081 2082 static void h6_calculate_ilk_from_br_edr(sm_connection_t * sm_conn){ 2083 h6_engine(sm_conn, setup->sm_link_key, 0x746D7032); // "tmp2" 2084 } 2085 2086 static void h6_calculate_br_edr_link_key(sm_connection_t * sm_conn){ 2087 h6_engine(sm_conn, setup->sm_t, 0x6c656272); // "lebr" 2088 } 2089 2090 static void h6_calculate_le_ltk(sm_connection_t * sm_conn){ 2091 h6_engine(sm_conn, setup->sm_t, 0x62726C65); // "brle" 2092 } 2093 2094 static void h7_calculate_ilk_from_le_ltk(sm_connection_t * sm_conn){ 2095 const uint8_t salt[16] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x74, 0x6D, 0x70, 0x31}; // "tmp1" 2096 h7_engine(sm_conn, salt, setup->sm_local_ltk); 2097 } 2098 2099 static void h7_calculate_ilk_from_br_edr(sm_connection_t * sm_conn){ 2100 const uint8_t salt[16] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x74, 0x6D, 0x70, 0x32}; // "tmp2" 2101 h7_engine(sm_conn, salt, setup->sm_link_key); 2102 } 2103 2104 static void sm_ctkd_fetch_br_edr_link_key(sm_connection_t * sm_conn){ 2105 hci_connection_t * hci_connection = hci_connection_for_handle(sm_conn->sm_handle); 2106 btstack_assert(hci_connection != NULL); 2107 reverse_128(hci_connection->link_key, setup->sm_link_key); 2108 setup->sm_link_key_type = hci_connection->link_key_type; 2109 } 2110 2111 static void sm_ctkd_start_from_br_edr(sm_connection_t * sm_conn){ 2112 // only derive LTK if EncKey is set by both 2113 bool derive_ltk = (sm_pairing_packet_get_initiator_key_distribution(setup->sm_s_pres) & 2114 sm_pairing_packet_get_responder_key_distribution(setup->sm_s_pres) & SM_KEYDIST_ENC_KEY) != 0; 2115 if (derive_ltk){ 2116 bool use_h7 = (sm_pairing_packet_get_auth_req(setup->sm_m_preq) & sm_pairing_packet_get_auth_req(setup->sm_s_pres) & SM_AUTHREQ_CT2) != 0; 2117 sm_conn->sm_engine_state = use_h7 ? SM_BR_EDR_W2_CALCULATE_ILK_USING_H7 : SM_BR_EDR_W2_CALCULATE_ILK_USING_H6; 2118 } else { 2119 sm_done_for_handle(sm_conn->sm_handle); 2120 } 2121 } 2122 2123 #endif 2124 2125 #endif 2126 2127 // key management legacy connections: 2128 // - potentially two different LTKs based on direction. each device stores LTK provided by peer 2129 // - master stores LTK, EDIV, RAND. responder optionally stored master LTK (only if it needs to reconnect) 2130 // - initiators reconnects: initiator uses stored LTK, EDIV, RAND generated by responder 2131 // - responder reconnects: responder uses LTK receveived from master 2132 2133 // key management secure connections: 2134 // - both devices store same LTK from ECDH key exchange. 2135 2136 #if defined(ENABLE_LE_SECURE_CONNECTIONS) || defined(ENABLE_LE_CENTRAL) 2137 static void sm_load_security_info(sm_connection_t * sm_connection){ 2138 int encryption_key_size; 2139 int authenticated; 2140 int authorized; 2141 int secure_connection; 2142 2143 // fetch data from device db - incl. authenticated/authorized/key size. Note all sm_connection_X require encryption enabled 2144 le_device_db_encryption_get(sm_connection->sm_le_db_index, &setup->sm_peer_ediv, setup->sm_peer_rand, setup->sm_peer_ltk, 2145 &encryption_key_size, &authenticated, &authorized, &secure_connection); 2146 log_info("db index %u, key size %u, authenticated %u, authorized %u, secure connetion %u", sm_connection->sm_le_db_index, encryption_key_size, authenticated, authorized, secure_connection); 2147 sm_connection->sm_actual_encryption_key_size = encryption_key_size; 2148 sm_connection->sm_connection_authenticated = authenticated; 2149 sm_connection->sm_connection_authorization_state = authorized ? AUTHORIZATION_GRANTED : AUTHORIZATION_UNKNOWN; 2150 sm_connection->sm_connection_sc = secure_connection != 0; 2151 } 2152 #endif 2153 2154 #ifdef ENABLE_LE_PERIPHERAL 2155 static void sm_start_calculating_ltk_from_ediv_and_rand(sm_connection_t * sm_connection){ 2156 (void)memcpy(setup->sm_local_rand, sm_connection->sm_local_rand, 8); 2157 setup->sm_local_ediv = sm_connection->sm_local_ediv; 2158 // re-establish used key encryption size 2159 // no db for encryption size hack: encryption size is stored in lowest nibble of setup->sm_local_rand 2160 sm_connection->sm_actual_encryption_key_size = (setup->sm_local_rand[7u] & 0x0fu) + 1u; 2161 // no db for authenticated flag hack: flag is stored in bit 4 of LSB 2162 sm_connection->sm_connection_authenticated = (setup->sm_local_rand[7u] & 0x10u) >> 4u; 2163 // Legacy paring -> not SC 2164 sm_connection->sm_connection_sc = false; 2165 log_info("sm: received ltk request with key size %u, authenticated %u", 2166 sm_connection->sm_actual_encryption_key_size, sm_connection->sm_connection_authenticated); 2167 } 2168 #endif 2169 2170 // distributed key generation 2171 static bool sm_run_dpkg(void){ 2172 switch (dkg_state){ 2173 case DKG_CALC_IRK: 2174 // already busy? 2175 if (sm_aes128_state == SM_AES128_IDLE) { 2176 log_info("DKG_CALC_IRK started"); 2177 // IRK = d1(IR, 1, 0) 2178 sm_d1_d_prime(1, 0, sm_aes128_plaintext); // plaintext = d1 prime 2179 sm_aes128_state = SM_AES128_ACTIVE; 2180 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, sm_persistent_ir, sm_aes128_plaintext, sm_persistent_irk, sm_handle_encryption_result_dkg_irk, NULL); 2181 return true; 2182 } 2183 break; 2184 case DKG_CALC_DHK: 2185 // already busy? 2186 if (sm_aes128_state == SM_AES128_IDLE) { 2187 log_info("DKG_CALC_DHK started"); 2188 // DHK = d1(IR, 3, 0) 2189 sm_d1_d_prime(3, 0, sm_aes128_plaintext); // plaintext = d1 prime 2190 sm_aes128_state = SM_AES128_ACTIVE; 2191 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, sm_persistent_ir, sm_aes128_plaintext, sm_persistent_dhk, sm_handle_encryption_result_dkg_dhk, NULL); 2192 return true; 2193 } 2194 break; 2195 default: 2196 break; 2197 } 2198 return false; 2199 } 2200 2201 // random address updates 2202 static bool sm_run_rau(void){ 2203 switch (rau_state){ 2204 case RAU_GET_RANDOM: 2205 rau_state = RAU_W4_RANDOM; 2206 btstack_crypto_random_generate(&sm_crypto_random_request, sm_random_address, 6, &sm_handle_random_result_rau, NULL); 2207 return true; 2208 case RAU_GET_ENC: 2209 // already busy? 2210 if (sm_aes128_state == SM_AES128_IDLE) { 2211 sm_ah_r_prime(sm_random_address, sm_aes128_plaintext); 2212 sm_aes128_state = SM_AES128_ACTIVE; 2213 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, sm_persistent_irk, sm_aes128_plaintext, sm_aes128_ciphertext, sm_handle_encryption_result_rau, NULL); 2214 return true; 2215 } 2216 break; 2217 default: 2218 break; 2219 } 2220 return false; 2221 } 2222 2223 // device lookup with IRK 2224 static bool sm_run_irk_lookup(void){ 2225 btstack_linked_list_iterator_t it; 2226 2227 // -- if IRK lookup ready, find connection that require csrk lookup 2228 if (sm_address_resolution_idle()){ 2229 hci_connections_get_iterator(&it); 2230 while(btstack_linked_list_iterator_has_next(&it)){ 2231 hci_connection_t * hci_connection = (hci_connection_t *) btstack_linked_list_iterator_next(&it); 2232 sm_connection_t * sm_connection = &hci_connection->sm_connection; 2233 if (sm_connection->sm_irk_lookup_state == IRK_LOOKUP_W4_READY){ 2234 // and start lookup 2235 sm_address_resolution_start_lookup(sm_connection->sm_peer_addr_type, sm_connection->sm_handle, sm_connection->sm_peer_address, ADDRESS_RESOLUTION_FOR_CONNECTION, sm_connection); 2236 sm_connection->sm_irk_lookup_state = IRK_LOOKUP_STARTED; 2237 break; 2238 } 2239 } 2240 } 2241 2242 // -- if csrk lookup ready, resolved addresses for received addresses 2243 if (sm_address_resolution_idle()) { 2244 if (!btstack_linked_list_empty(&sm_address_resolution_general_queue)){ 2245 sm_lookup_entry_t * entry = (sm_lookup_entry_t *) sm_address_resolution_general_queue; 2246 btstack_linked_list_remove(&sm_address_resolution_general_queue, (btstack_linked_item_t *) entry); 2247 sm_address_resolution_start_lookup(entry->address_type, 0, entry->address, ADDRESS_RESOLUTION_GENERAL, NULL); 2248 btstack_memory_sm_lookup_entry_free(entry); 2249 } 2250 } 2251 2252 // -- Continue with device lookup by public or resolvable private address 2253 if (!sm_address_resolution_idle()){ 2254 while (sm_address_resolution_test < le_device_db_max_count()){ 2255 int addr_type = BD_ADDR_TYPE_UNKNOWN; 2256 bd_addr_t addr; 2257 sm_key_t irk; 2258 le_device_db_info(sm_address_resolution_test, &addr_type, addr, irk); 2259 2260 // skip unused entries 2261 if (addr_type == BD_ADDR_TYPE_UNKNOWN){ 2262 sm_address_resolution_test++; 2263 continue; 2264 } 2265 2266 log_info("LE Device Lookup: device %u of %u - type %u, %s", sm_address_resolution_test, 2267 le_device_db_max_count(), addr_type, bd_addr_to_str(addr)); 2268 2269 // map resolved identity addresses to regular addresses 2270 int regular_addr_type = sm_address_resolution_addr_type & 1; 2271 if ((regular_addr_type == addr_type) && (memcmp(addr, sm_address_resolution_address, 6) == 0)){ 2272 log_info("LE Device Lookup: found by { addr_type, address} "); 2273 sm_address_resolution_handle_event(ADDRESS_RESOLUTION_SUCCEEDED); 2274 break; 2275 } 2276 2277 // if connection type is not random (i.e. public or resolved identity), it must be a different entry 2278 if (sm_address_resolution_addr_type != BD_ADDR_TYPE_LE_RANDOM){ 2279 sm_address_resolution_test++; 2280 continue; 2281 } 2282 2283 // skip AH if no IRK 2284 if (sm_is_null_key(irk)){ 2285 sm_address_resolution_test++; 2286 continue; 2287 } 2288 2289 if (sm_aes128_state == SM_AES128_ACTIVE) break; 2290 2291 log_info("LE Device Lookup: calculate AH"); 2292 log_info_key("IRK", irk); 2293 2294 (void)memcpy(sm_aes128_key, irk, 16); 2295 sm_ah_r_prime(sm_address_resolution_address, sm_aes128_plaintext); 2296 sm_aes128_state = SM_AES128_ACTIVE; 2297 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, sm_aes128_key, sm_aes128_plaintext, sm_aes128_ciphertext, sm_handle_encryption_result_address_resolution, NULL); 2298 return true; 2299 } 2300 2301 if (sm_address_resolution_test >= le_device_db_max_count()){ 2302 log_info("LE Device Lookup: not found"); 2303 sm_address_resolution_handle_event(ADDRESS_RESOLUTION_FAILED); 2304 } 2305 } 2306 return false; 2307 } 2308 2309 // SC OOB 2310 static bool sm_run_oob(void){ 2311 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2312 switch (sm_sc_oob_state){ 2313 case SM_SC_OOB_W2_CALC_CONFIRM: 2314 if (!sm_cmac_ready()) break; 2315 sm_sc_oob_state = SM_SC_OOB_W4_CONFIRM; 2316 f4_engine(NULL, ec_q, ec_q, sm_sc_oob_random, 0); 2317 return true; 2318 default: 2319 break; 2320 } 2321 #endif 2322 return false; 2323 } 2324 2325 static void sm_send_connectionless(sm_connection_t * sm_connection, const uint8_t * buffer, uint16_t size){ 2326 l2cap_send_connectionless(sm_connection->sm_handle, sm_connection->sm_cid, (uint8_t*) buffer, size); 2327 } 2328 2329 // handle basic actions that don't requires the full context 2330 static bool sm_run_basic(void){ 2331 btstack_linked_list_iterator_t it; 2332 hci_connections_get_iterator(&it); 2333 while(btstack_linked_list_iterator_has_next(&it)){ 2334 hci_connection_t * hci_connection = (hci_connection_t *) btstack_linked_list_iterator_next(&it); 2335 sm_connection_t * sm_connection = &hci_connection->sm_connection; 2336 switch(sm_connection->sm_engine_state){ 2337 2338 // general 2339 case SM_GENERAL_SEND_PAIRING_FAILED: { 2340 uint8_t buffer[2]; 2341 buffer[0] = SM_CODE_PAIRING_FAILED; 2342 buffer[1] = sm_connection->sm_pairing_failed_reason; 2343 sm_connection->sm_engine_state = sm_connection->sm_role ? SM_RESPONDER_IDLE : SM_INITIATOR_CONNECTED; 2344 sm_send_connectionless(sm_connection, (uint8_t*) buffer, sizeof(buffer)); 2345 sm_pairing_complete(sm_connection, ERROR_CODE_AUTHENTICATION_FAILURE, sm_connection->sm_pairing_failed_reason); 2346 sm_done_for_handle(sm_connection->sm_handle); 2347 break; 2348 } 2349 2350 // responder side 2351 case SM_RESPONDER_PH0_SEND_LTK_REQUESTED_NEGATIVE_REPLY: 2352 sm_connection->sm_engine_state = SM_RESPONDER_IDLE; 2353 hci_send_cmd(&hci_le_long_term_key_negative_reply, sm_connection->sm_handle); 2354 return true; 2355 2356 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2357 case SM_SC_RECEIVED_LTK_REQUEST: 2358 switch (sm_connection->sm_irk_lookup_state){ 2359 case IRK_LOOKUP_FAILED: 2360 log_info("LTK Request: IRK Lookup Failed)"); 2361 sm_connection->sm_engine_state = SM_RESPONDER_IDLE; 2362 hci_send_cmd(&hci_le_long_term_key_negative_reply, sm_connection->sm_handle); 2363 return true; 2364 default: 2365 break; 2366 } 2367 break; 2368 #endif 2369 default: 2370 break; 2371 } 2372 } 2373 return false; 2374 } 2375 2376 static void sm_run_activate_connection(void){ 2377 // Find connections that requires setup context and make active if no other is locked 2378 btstack_linked_list_iterator_t it; 2379 hci_connections_get_iterator(&it); 2380 while((sm_active_connection_handle == HCI_CON_HANDLE_INVALID) && btstack_linked_list_iterator_has_next(&it)){ 2381 hci_connection_t * hci_connection = (hci_connection_t *) btstack_linked_list_iterator_next(&it); 2382 sm_connection_t * sm_connection = &hci_connection->sm_connection; 2383 // - if no connection locked and we're ready/waiting for setup context, fetch it and start 2384 bool done = true; 2385 int err; 2386 UNUSED(err); 2387 2388 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2389 // assert ec key is ready 2390 if ( (sm_connection->sm_engine_state == SM_RESPONDER_PH1_PAIRING_REQUEST_RECEIVED) 2391 || (sm_connection->sm_engine_state == SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST) 2392 || (sm_connection->sm_engine_state == SM_RESPONDER_SEND_SECURITY_REQUEST)){ 2393 if (ec_key_generation_state == EC_KEY_GENERATION_IDLE){ 2394 sm_ec_generate_new_key(); 2395 } 2396 if (ec_key_generation_state != EC_KEY_GENERATION_DONE){ 2397 continue; 2398 } 2399 } 2400 #endif 2401 2402 switch (sm_connection->sm_engine_state) { 2403 #ifdef ENABLE_LE_PERIPHERAL 2404 case SM_RESPONDER_SEND_SECURITY_REQUEST: 2405 case SM_RESPONDER_PH1_PAIRING_REQUEST_RECEIVED: 2406 case SM_RESPONDER_PH0_RECEIVED_LTK_REQUEST: 2407 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2408 case SM_SC_RECEIVED_LTK_REQUEST: 2409 #endif 2410 #endif 2411 #ifdef ENABLE_LE_CENTRAL 2412 case SM_INITIATOR_PH4_HAS_LTK: 2413 case SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST: 2414 #endif 2415 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 2416 case SM_BR_EDR_RESPONDER_PAIRING_REQUEST_RECEIVED: 2417 case SM_BR_EDR_INITIATOR_SEND_PAIRING_REQUEST: 2418 #endif 2419 // just lock context 2420 break; 2421 default: 2422 done = false; 2423 break; 2424 } 2425 if (done){ 2426 sm_active_connection_handle = sm_connection->sm_handle; 2427 log_info("sm: connection 0x%04x locked setup context as %s, state %u", sm_active_connection_handle, sm_connection->sm_role ? "responder" : "initiator", sm_connection->sm_engine_state); 2428 } 2429 } 2430 } 2431 2432 static void sm_run_send_keypress_notification(sm_connection_t * connection){ 2433 int i; 2434 uint8_t flags = setup->sm_keypress_notification & 0x1fu; 2435 uint8_t num_actions = setup->sm_keypress_notification >> 5; 2436 uint8_t action = 0; 2437 for (i=SM_KEYPRESS_PASSKEY_ENTRY_STARTED;i<=SM_KEYPRESS_PASSKEY_ENTRY_COMPLETED;i++){ 2438 if ((flags & (1u<<i)) != 0u){ 2439 bool clear_flag = true; 2440 switch (i){ 2441 case SM_KEYPRESS_PASSKEY_ENTRY_STARTED: 2442 case SM_KEYPRESS_PASSKEY_CLEARED: 2443 case SM_KEYPRESS_PASSKEY_ENTRY_COMPLETED: 2444 default: 2445 break; 2446 case SM_KEYPRESS_PASSKEY_DIGIT_ENTERED: 2447 case SM_KEYPRESS_PASSKEY_DIGIT_ERASED: 2448 num_actions--; 2449 clear_flag = num_actions == 0u; 2450 break; 2451 } 2452 if (clear_flag){ 2453 flags &= ~(1<<i); 2454 } 2455 action = i; 2456 break; 2457 } 2458 } 2459 setup->sm_keypress_notification = (num_actions << 5) | flags; 2460 2461 // send keypress notification 2462 uint8_t buffer[2]; 2463 buffer[0] = SM_CODE_KEYPRESS_NOTIFICATION; 2464 buffer[1] = action; 2465 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 2466 2467 // try 2468 l2cap_request_can_send_fix_channel_now_event(sm_active_connection_handle, connection->sm_cid); 2469 } 2470 2471 static void sm_run_distribute_keys(sm_connection_t * connection){ 2472 if ((setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION) != 0u){ 2473 setup->sm_key_distribution_send_set &= ~SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION; 2474 setup->sm_key_distribution_sent_set |= SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION; 2475 uint8_t buffer[17]; 2476 buffer[0] = SM_CODE_ENCRYPTION_INFORMATION; 2477 reverse_128(setup->sm_ltk, &buffer[1]); 2478 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 2479 sm_timeout_reset(connection); 2480 return; 2481 } 2482 if ((setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_MASTER_IDENTIFICATION) != 0u){ 2483 setup->sm_key_distribution_send_set &= ~SM_KEYDIST_FLAG_MASTER_IDENTIFICATION; 2484 setup->sm_key_distribution_sent_set |= SM_KEYDIST_FLAG_MASTER_IDENTIFICATION; 2485 uint8_t buffer[11]; 2486 buffer[0] = SM_CODE_MASTER_IDENTIFICATION; 2487 little_endian_store_16(buffer, 1, setup->sm_local_ediv); 2488 reverse_64(setup->sm_local_rand, &buffer[3]); 2489 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 2490 sm_timeout_reset(connection); 2491 return; 2492 } 2493 if ((setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_IDENTITY_INFORMATION) != 0u){ 2494 setup->sm_key_distribution_send_set &= ~SM_KEYDIST_FLAG_IDENTITY_INFORMATION; 2495 setup->sm_key_distribution_sent_set |= SM_KEYDIST_FLAG_IDENTITY_INFORMATION; 2496 uint8_t buffer[17]; 2497 buffer[0] = SM_CODE_IDENTITY_INFORMATION; 2498 reverse_128(sm_persistent_irk, &buffer[1]); 2499 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 2500 sm_timeout_reset(connection); 2501 return; 2502 } 2503 if ((setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION) != 0u){ 2504 setup->sm_key_distribution_send_set &= ~SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION; 2505 setup->sm_key_distribution_sent_set |= SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION; 2506 bd_addr_t local_address; 2507 uint8_t buffer[8]; 2508 buffer[0] = SM_CODE_IDENTITY_ADDRESS_INFORMATION; 2509 switch (gap_random_address_get_mode()){ 2510 case GAP_RANDOM_ADDRESS_TYPE_OFF: 2511 case GAP_RANDOM_ADDRESS_TYPE_STATIC: 2512 // public or static random 2513 gap_le_get_own_address(&buffer[1], local_address); 2514 break; 2515 case GAP_RANDOM_ADDRESS_NON_RESOLVABLE: 2516 case GAP_RANDOM_ADDRESS_RESOLVABLE: 2517 // fallback to public 2518 gap_local_bd_addr(local_address); 2519 buffer[1] = 0; 2520 break; 2521 default: 2522 btstack_assert(false); 2523 break; 2524 } 2525 reverse_bd_addr(local_address, &buffer[2]); 2526 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 2527 sm_timeout_reset(connection); 2528 return; 2529 } 2530 if ((setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION) != 0u){ 2531 setup->sm_key_distribution_send_set &= ~SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION; 2532 setup->sm_key_distribution_sent_set |= SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION; 2533 2534 #ifdef ENABLE_LE_SIGNED_WRITE 2535 // hack to reproduce test runs 2536 if (test_use_fixed_local_csrk){ 2537 memset(setup->sm_local_csrk, 0xcc, 16); 2538 } 2539 2540 // store local CSRK 2541 if (setup->sm_le_device_index >= 0){ 2542 log_info("sm: store local CSRK"); 2543 le_device_db_local_csrk_set(setup->sm_le_device_index, setup->sm_local_csrk); 2544 le_device_db_local_counter_set(setup->sm_le_device_index, 0); 2545 } 2546 #endif 2547 2548 uint8_t buffer[17]; 2549 buffer[0] = SM_CODE_SIGNING_INFORMATION; 2550 reverse_128(setup->sm_local_csrk, &buffer[1]); 2551 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 2552 sm_timeout_reset(connection); 2553 return; 2554 } 2555 btstack_assert(false); 2556 } 2557 2558 static bool sm_ctkd_from_le(sm_connection_t *sm_connection) { 2559 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 2560 // requirements to derive link key from LE: 2561 // - use secure connections 2562 if (setup->sm_use_secure_connections == 0) return false; 2563 // - bonding needs to be enabled: 2564 bool bonding_enabled = (sm_pairing_packet_get_auth_req(setup->sm_m_preq) & sm_pairing_packet_get_auth_req(setup->sm_s_pres) & SM_AUTHREQ_BONDING ) != 0u; 2565 if (!bonding_enabled) return false; 2566 // - need identity address / public addr 2567 bool have_identity_address_info = ((setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION) != 0) || (setup->sm_peer_addr_type == 0); 2568 if (!have_identity_address_info) return false; 2569 // - there is no stored BR/EDR link key or the derived key has at least the same level of authentication (bail if stored key has higher authentication) 2570 // this requirement is motivated by BLURtooth paper. The paper recommends to not overwrite keys at all. 2571 // If SC is authenticated, we consider it safe to overwrite a stored key. 2572 // If stored link key is not authenticated, it could already be compromised by a MITM attack. Allowing overwrite by unauthenticated derived key does not make it worse. 2573 uint8_t link_key[16]; 2574 link_key_type_t link_key_type; 2575 bool have_link_key = gap_get_link_key_for_bd_addr(setup->sm_peer_address, link_key, &link_key_type); 2576 bool link_key_authenticated = gap_authenticated_for_link_key_type(link_key_type); 2577 bool derived_key_authenticated = sm_connection->sm_connection_authenticated != 0; 2578 if (have_link_key && link_key_authenticated && !derived_key_authenticated) { 2579 return false; 2580 } 2581 // get started (all of the above are true) 2582 return true; 2583 #else 2584 UNUSED(sm_connection); 2585 return false; 2586 #endif 2587 } 2588 2589 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 2590 static bool sm_ctkd_from_classic(sm_connection_t * sm_connection){ 2591 hci_connection_t * hci_connection = hci_connection_for_handle(sm_connection->sm_handle); 2592 btstack_assert(hci_connection != NULL); 2593 // requirements to derive ltk from BR/EDR: 2594 // - BR/EDR uses secure connections 2595 if (gap_secure_connection_for_link_key_type(hci_connection->link_key_type) == false) return false; 2596 // - bonding needs to be enabled: 2597 bool bonding_enabled = (sm_pairing_packet_get_auth_req(setup->sm_m_preq) & sm_pairing_packet_get_auth_req(setup->sm_s_pres) & SM_AUTHREQ_BONDING ) != 0u; 2598 if (!bonding_enabled) return false; 2599 // - there is no stored LTK or the derived key has at least the same level of authentication (bail if LTK is authenticated but Link Key isn't) 2600 bool link_key_authenticated = gap_authenticated_for_link_key_type(hci_connection->link_key_type); 2601 if (link_key_authenticated) return true; 2602 int index = sm_le_device_db_index_lookup(BD_ADDR_TYPE_LE_PUBLIC, hci_connection->address); 2603 if (index >= 0){ 2604 int ltk_authenticated; 2605 sm_key_t ltk; 2606 le_device_db_encryption_get(sm_connection->sm_le_db_index, NULL, NULL, ltk, NULL, <k_authenticated, NULL, NULL); 2607 bool have_ltk = !sm_is_null_key(ltk); 2608 if (have_ltk && ltk_authenticated) return false; 2609 } 2610 return true; 2611 } 2612 #endif 2613 2614 static void sm_key_distribution_complete_responder(sm_connection_t * connection){ 2615 if (sm_ctkd_from_le(connection)){ 2616 bool use_h7 = (sm_pairing_packet_get_auth_req(setup->sm_m_preq) & sm_pairing_packet_get_auth_req(setup->sm_s_pres) & SM_AUTHREQ_CT2) != 0; 2617 connection->sm_engine_state = use_h7 ? SM_SC_W2_CALCULATE_ILK_USING_H7 : SM_SC_W2_CALCULATE_ILK_USING_H6; 2618 } else { 2619 connection->sm_engine_state = SM_RESPONDER_IDLE; 2620 sm_pairing_complete(connection, ERROR_CODE_SUCCESS, 0); 2621 sm_done_for_handle(connection->sm_handle); 2622 } 2623 } 2624 2625 static void sm_key_distribution_complete_initiator(sm_connection_t * connection){ 2626 if (sm_ctkd_from_le(connection)){ 2627 bool use_h7 = (sm_pairing_packet_get_auth_req(setup->sm_m_preq) & sm_pairing_packet_get_auth_req(setup->sm_s_pres) & SM_AUTHREQ_CT2) != 0; 2628 connection->sm_engine_state = use_h7 ? SM_SC_W2_CALCULATE_ILK_USING_H7 : SM_SC_W2_CALCULATE_ILK_USING_H6; 2629 } else { 2630 sm_master_pairing_success(connection); 2631 } 2632 } 2633 2634 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2635 static void sm_run_state_sc_send_confirmation(sm_connection_t *connection) { 2636 uint8_t buffer[17]; 2637 buffer[0] = SM_CODE_PAIRING_CONFIRM; 2638 reverse_128(setup->sm_local_confirm, &buffer[1]); 2639 if (IS_RESPONDER(connection->sm_role)){ 2640 connection->sm_engine_state = SM_SC_W4_PAIRING_RANDOM; 2641 } else { 2642 connection->sm_engine_state = SM_SC_W4_CONFIRMATION; 2643 } 2644 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 2645 sm_timeout_reset(connection); 2646 } 2647 2648 static void sm_run_state_sc_send_pairing_random(sm_connection_t *connection) { 2649 uint8_t buffer[17]; 2650 buffer[0] = SM_CODE_PAIRING_RANDOM; 2651 reverse_128(setup->sm_local_nonce, &buffer[1]); 2652 log_info("stk method %u, bit num: %u", setup->sm_stk_generation_method, setup->sm_passkey_bit); 2653 if (sm_passkey_entry(setup->sm_stk_generation_method) && (setup->sm_passkey_bit < 20u)){ 2654 log_info("SM_SC_SEND_PAIRING_RANDOM A"); 2655 if (IS_RESPONDER(connection->sm_role)){ 2656 // responder 2657 connection->sm_engine_state = SM_SC_W4_CONFIRMATION; 2658 } else { 2659 // initiator 2660 connection->sm_engine_state = SM_SC_W4_PAIRING_RANDOM; 2661 } 2662 } else { 2663 log_info("SM_SC_SEND_PAIRING_RANDOM B"); 2664 if (IS_RESPONDER(connection->sm_role)){ 2665 // responder 2666 if (setup->sm_stk_generation_method == NUMERIC_COMPARISON){ 2667 log_info("SM_SC_SEND_PAIRING_RANDOM B1"); 2668 connection->sm_engine_state = SM_SC_W2_CALCULATE_G2; 2669 } else { 2670 log_info("SM_SC_SEND_PAIRING_RANDOM B2"); 2671 sm_sc_prepare_dhkey_check(connection); 2672 } 2673 } else { 2674 // initiator 2675 connection->sm_engine_state = SM_SC_W4_PAIRING_RANDOM; 2676 } 2677 } 2678 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 2679 sm_timeout_reset(connection); 2680 } 2681 2682 static void sm_run_state_sc_send_dhkey_check_command(sm_connection_t *connection) { 2683 uint8_t buffer[17]; 2684 buffer[0] = SM_CODE_PAIRING_DHKEY_CHECK; 2685 reverse_128(setup->sm_local_dhkey_check, &buffer[1]); 2686 2687 if (IS_RESPONDER(connection->sm_role)){ 2688 connection->sm_engine_state = SM_SC_W4_LTK_REQUEST_SC; 2689 } else { 2690 connection->sm_engine_state = SM_SC_W4_DHKEY_CHECK_COMMAND; 2691 } 2692 2693 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 2694 sm_timeout_reset(connection); 2695 } 2696 2697 static void sm_run_state_sc_send_public_key_command(sm_connection_t *connection) { 2698 bool trigger_user_response = false; 2699 bool trigger_start_calculating_local_confirm = false; 2700 uint8_t buffer[65]; 2701 buffer[0] = SM_CODE_PAIRING_PUBLIC_KEY; 2702 // 2703 reverse_256(&ec_q[0], &buffer[1]); 2704 reverse_256(&ec_q[32], &buffer[33]); 2705 2706 #ifdef ENABLE_TESTING_SUPPORT 2707 if (test_pairing_failure == SM_REASON_DHKEY_CHECK_FAILED){ 2708 log_info("testing_support: invalidating public key"); 2709 // flip single bit of public key coordinate 2710 buffer[1] ^= 1; 2711 } 2712 #endif 2713 2714 // stk generation method 2715 // passkey entry: notify app to show passkey or to request passkey 2716 switch (setup->sm_stk_generation_method){ 2717 case JUST_WORKS: 2718 case NUMERIC_COMPARISON: 2719 if (IS_RESPONDER(connection->sm_role)){ 2720 // responder 2721 trigger_start_calculating_local_confirm = true; 2722 connection->sm_engine_state = SM_SC_W4_LOCAL_NONCE; 2723 } else { 2724 // initiator 2725 connection->sm_engine_state = SM_SC_W4_PUBLIC_KEY_COMMAND; 2726 } 2727 break; 2728 case PK_INIT_INPUT: 2729 case PK_RESP_INPUT: 2730 case PK_BOTH_INPUT: 2731 // use random TK for display 2732 (void)memcpy(setup->sm_ra, setup->sm_tk, 16); 2733 (void)memcpy(setup->sm_rb, setup->sm_tk, 16); 2734 setup->sm_passkey_bit = 0; 2735 2736 if (IS_RESPONDER(connection->sm_role)){ 2737 // responder 2738 connection->sm_engine_state = SM_SC_W4_CONFIRMATION; 2739 } else { 2740 // initiator 2741 connection->sm_engine_state = SM_SC_W4_PUBLIC_KEY_COMMAND; 2742 } 2743 trigger_user_response = true; 2744 break; 2745 case OOB: 2746 if (IS_RESPONDER(connection->sm_role)){ 2747 // responder 2748 connection->sm_engine_state = SM_SC_W4_PAIRING_RANDOM; 2749 } else { 2750 // initiator 2751 connection->sm_engine_state = SM_SC_W4_PUBLIC_KEY_COMMAND; 2752 } 2753 break; 2754 default: 2755 btstack_assert(false); 2756 break; 2757 } 2758 2759 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 2760 sm_timeout_reset(connection); 2761 2762 // trigger user response and calc confirm after sending pdu 2763 if (trigger_user_response){ 2764 sm_trigger_user_response(connection); 2765 } 2766 if (trigger_start_calculating_local_confirm){ 2767 sm_sc_start_calculating_local_confirm(connection); 2768 } 2769 } 2770 #endif 2771 2772 static bool sm_run_non_connection_logic(void){ 2773 bool done;; 2774 2775 done = sm_run_dpkg(); 2776 if (done) return true; 2777 2778 done = sm_run_rau(); 2779 if (done) return true; 2780 2781 done = sm_run_irk_lookup(); 2782 if (done) return true; 2783 2784 done = sm_run_oob(); 2785 return done; 2786 } 2787 2788 static void sm_run(void){ 2789 2790 // assert that stack has already bootet 2791 if (hci_get_state() != HCI_STATE_WORKING) return; 2792 2793 // assert that we can send at least commands 2794 if (!hci_can_send_command_packet_now()) return; 2795 2796 // pause until IR/ER are ready 2797 if (sm_persistent_keys_random_active) return; 2798 2799 // non-connection related behaviour 2800 bool done = sm_run_non_connection_logic(); 2801 if (done) return; 2802 2803 // assert that we can send at least commands - cmd might have been sent by crypto engine 2804 if (!hci_can_send_command_packet_now()) return; 2805 2806 // handle basic actions that don't requires the full context 2807 done = sm_run_basic(); 2808 if (done) return; 2809 2810 // 2811 // active connection handling 2812 // -- use loop to handle next connection if lock on setup context is released 2813 2814 while (true) { 2815 2816 sm_run_activate_connection(); 2817 2818 if (sm_active_connection_handle == HCI_CON_HANDLE_INVALID) return; 2819 2820 // 2821 // active connection handling 2822 // 2823 2824 sm_connection_t * connection = sm_get_connection_for_handle(sm_active_connection_handle); 2825 if (!connection) { 2826 log_info("no connection for handle 0x%04x", sm_active_connection_handle); 2827 return; 2828 } 2829 2830 // assert that we could send a SM PDU - not needed for all of the following 2831 if (!l2cap_can_send_fixed_channel_packet_now(sm_active_connection_handle, connection->sm_cid)) { 2832 log_info("cannot send now, requesting can send now event"); 2833 l2cap_request_can_send_fix_channel_now_event(sm_active_connection_handle, connection->sm_cid); 2834 return; 2835 } 2836 2837 // send keypress notifications 2838 if (setup->sm_keypress_notification != 0u){ 2839 sm_run_send_keypress_notification(connection); 2840 return; 2841 } 2842 2843 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2844 // assert that sm cmac engine is ready 2845 if (sm_cmac_ready() == false){ 2846 break; 2847 } 2848 #endif 2849 2850 int key_distribution_flags; 2851 UNUSED(key_distribution_flags); 2852 #ifdef ENABLE_LE_PERIPHERAL 2853 int err; 2854 bool have_ltk; 2855 uint8_t ltk[16]; 2856 #endif 2857 2858 log_info("sm_run: state %u", connection->sm_engine_state); 2859 switch (connection->sm_engine_state){ 2860 2861 // secure connections, initiator + responding states 2862 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2863 case SM_SC_W2_CMAC_FOR_CONFIRMATION: 2864 connection->sm_engine_state = SM_SC_W4_CMAC_FOR_CONFIRMATION; 2865 sm_sc_calculate_local_confirm(connection); 2866 break; 2867 case SM_SC_W2_CMAC_FOR_CHECK_CONFIRMATION: 2868 connection->sm_engine_state = SM_SC_W4_CMAC_FOR_CHECK_CONFIRMATION; 2869 sm_sc_calculate_remote_confirm(connection); 2870 break; 2871 case SM_SC_W2_CALCULATE_F6_FOR_DHKEY_CHECK: 2872 connection->sm_engine_state = SM_SC_W4_CALCULATE_F6_FOR_DHKEY_CHECK; 2873 sm_sc_calculate_f6_for_dhkey_check(connection); 2874 break; 2875 case SM_SC_W2_CALCULATE_F6_TO_VERIFY_DHKEY_CHECK: 2876 connection->sm_engine_state = SM_SC_W4_CALCULATE_F6_TO_VERIFY_DHKEY_CHECK; 2877 sm_sc_calculate_f6_to_verify_dhkey_check(connection); 2878 break; 2879 case SM_SC_W2_CALCULATE_F5_SALT: 2880 connection->sm_engine_state = SM_SC_W4_CALCULATE_F5_SALT; 2881 f5_calculate_salt(connection); 2882 break; 2883 case SM_SC_W2_CALCULATE_F5_MACKEY: 2884 connection->sm_engine_state = SM_SC_W4_CALCULATE_F5_MACKEY; 2885 f5_calculate_mackey(connection); 2886 break; 2887 case SM_SC_W2_CALCULATE_F5_LTK: 2888 connection->sm_engine_state = SM_SC_W4_CALCULATE_F5_LTK; 2889 f5_calculate_ltk(connection); 2890 break; 2891 case SM_SC_W2_CALCULATE_G2: 2892 connection->sm_engine_state = SM_SC_W4_CALCULATE_G2; 2893 g2_calculate(connection); 2894 break; 2895 #endif 2896 2897 #ifdef ENABLE_LE_CENTRAL 2898 // initiator side 2899 2900 case SM_INITIATOR_PH4_HAS_LTK: { 2901 sm_reset_setup(); 2902 sm_load_security_info(connection); 2903 2904 sm_key_t peer_ltk_flipped; 2905 reverse_128(setup->sm_peer_ltk, peer_ltk_flipped); 2906 connection->sm_engine_state = SM_PH4_W4_CONNECTION_ENCRYPTED; 2907 log_info("sm: hci_le_start_encryption ediv 0x%04x", setup->sm_peer_ediv); 2908 uint32_t rand_high = big_endian_read_32(setup->sm_peer_rand, 0); 2909 uint32_t rand_low = big_endian_read_32(setup->sm_peer_rand, 4); 2910 hci_send_cmd(&hci_le_start_encryption, connection->sm_handle,rand_low, rand_high, setup->sm_peer_ediv, peer_ltk_flipped); 2911 2912 // notify after sending 2913 sm_reencryption_started(connection); 2914 return; 2915 } 2916 2917 case SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST: 2918 sm_reset_setup(); 2919 sm_init_setup(connection); 2920 2921 sm_pairing_packet_set_code(setup->sm_m_preq, SM_CODE_PAIRING_REQUEST); 2922 connection->sm_engine_state = SM_INITIATOR_PH1_W4_PAIRING_RESPONSE; 2923 sm_send_connectionless(connection, (uint8_t*) &setup->sm_m_preq, sizeof(sm_pairing_packet_t)); 2924 sm_timeout_reset(connection); 2925 2926 // notify after sending 2927 sm_pairing_started(connection); 2928 break; 2929 #endif 2930 2931 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2932 case SM_SC_SEND_PUBLIC_KEY_COMMAND: 2933 sm_run_state_sc_send_public_key_command(connection); 2934 break; 2935 case SM_SC_SEND_CONFIRMATION: 2936 sm_run_state_sc_send_confirmation(connection); 2937 break; 2938 case SM_SC_SEND_PAIRING_RANDOM: 2939 sm_run_state_sc_send_pairing_random(connection); 2940 break; 2941 case SM_SC_SEND_DHKEY_CHECK_COMMAND: 2942 sm_run_state_sc_send_dhkey_check_command(connection); 2943 break; 2944 #endif 2945 2946 #ifdef ENABLE_LE_PERIPHERAL 2947 2948 case SM_RESPONDER_SEND_SECURITY_REQUEST: { 2949 const uint8_t buffer[2] = {SM_CODE_SECURITY_REQUEST, sm_auth_req}; 2950 connection->sm_engine_state = SM_RESPONDER_PH1_W4_PAIRING_REQUEST; 2951 sm_send_connectionless(connection, (uint8_t *) buffer, sizeof(buffer)); 2952 sm_timeout_start(connection); 2953 break; 2954 } 2955 2956 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2957 case SM_SC_RECEIVED_LTK_REQUEST: 2958 switch (connection->sm_irk_lookup_state){ 2959 case IRK_LOOKUP_SUCCEEDED: 2960 // assuming Secure Connection, we have a stored LTK and the EDIV/RAND are null 2961 // start using context by loading security info 2962 sm_reset_setup(); 2963 sm_load_security_info(connection); 2964 if ((setup->sm_peer_ediv == 0u) && sm_is_null_random(setup->sm_peer_rand) && !sm_is_null_key(setup->sm_peer_ltk)){ 2965 (void)memcpy(setup->sm_ltk, setup->sm_peer_ltk, 16); 2966 connection->sm_engine_state = SM_RESPONDER_PH4_SEND_LTK_REPLY; 2967 sm_reencryption_started(connection); 2968 sm_trigger_run(); 2969 break; 2970 } 2971 log_info("LTK Request: ediv & random are empty, but no stored LTK (IRK Lookup Succeeded)"); 2972 connection->sm_engine_state = SM_RESPONDER_IDLE; 2973 hci_send_cmd(&hci_le_long_term_key_negative_reply, connection->sm_handle); 2974 return; 2975 default: 2976 // just wait until IRK lookup is completed 2977 break; 2978 } 2979 break; 2980 #endif /* ENABLE_LE_SECURE_CONNECTIONS */ 2981 2982 case SM_RESPONDER_PH1_PAIRING_REQUEST_RECEIVED: 2983 sm_reset_setup(); 2984 2985 // handle Pairing Request with LTK available 2986 switch (connection->sm_irk_lookup_state) { 2987 case IRK_LOOKUP_SUCCEEDED: 2988 le_device_db_encryption_get(connection->sm_le_db_index, NULL, NULL, ltk, NULL, NULL, NULL, NULL); 2989 have_ltk = !sm_is_null_key(ltk); 2990 if (have_ltk){ 2991 log_info("pairing request but LTK available"); 2992 // emit re-encryption start/fail sequence 2993 sm_reencryption_started(connection); 2994 sm_reencryption_complete(connection, ERROR_CODE_PIN_OR_KEY_MISSING); 2995 } 2996 break; 2997 default: 2998 break; 2999 } 3000 3001 sm_init_setup(connection); 3002 3003 // recover pairing request 3004 (void)memcpy(&setup->sm_m_preq, &connection->sm_m_preq, sizeof(sm_pairing_packet_t)); 3005 err = sm_stk_generation_init(connection); 3006 3007 #ifdef ENABLE_TESTING_SUPPORT 3008 if ((0 < test_pairing_failure) && (test_pairing_failure < SM_REASON_DHKEY_CHECK_FAILED)){ 3009 log_info("testing_support: respond with pairing failure %u", test_pairing_failure); 3010 err = test_pairing_failure; 3011 } 3012 #endif 3013 if (err != 0){ 3014 // emit pairing started/failed sequence 3015 sm_pairing_started(connection); 3016 sm_pairing_error(connection, err); 3017 sm_trigger_run(); 3018 break; 3019 } 3020 3021 sm_timeout_start(connection); 3022 3023 // generate random number first, if we need to show passkey, otherwise send response 3024 if (setup->sm_stk_generation_method == PK_INIT_INPUT){ 3025 btstack_crypto_random_generate(&sm_crypto_random_request, sm_random_data, 8, &sm_handle_random_result_ph2_tk, (void *)(uintptr_t) connection->sm_handle); 3026 break; 3027 } 3028 3029 /* fall through */ 3030 3031 case SM_RESPONDER_PH1_SEND_PAIRING_RESPONSE: 3032 sm_pairing_packet_set_code(setup->sm_s_pres,SM_CODE_PAIRING_RESPONSE); 3033 3034 // start with initiator key dist flags 3035 key_distribution_flags = sm_key_distribution_flags_for_auth_req(); 3036 3037 #ifdef ENABLE_LE_SECURE_CONNECTIONS 3038 // LTK (= encryption information & master identification) only exchanged for LE Legacy Connection 3039 if (setup->sm_use_secure_connections){ 3040 key_distribution_flags &= ~SM_KEYDIST_ENC_KEY; 3041 } 3042 #endif 3043 // setup in response 3044 sm_pairing_packet_set_initiator_key_distribution(setup->sm_s_pres, sm_pairing_packet_get_initiator_key_distribution(setup->sm_m_preq) & key_distribution_flags); 3045 sm_pairing_packet_set_responder_key_distribution(setup->sm_s_pres, sm_pairing_packet_get_responder_key_distribution(setup->sm_m_preq) & key_distribution_flags); 3046 3047 // update key distribution after ENC was dropped 3048 sm_setup_key_distribution(sm_pairing_packet_get_responder_key_distribution(setup->sm_s_pres), sm_pairing_packet_get_initiator_key_distribution(setup->sm_s_pres)); 3049 3050 if (setup->sm_use_secure_connections){ 3051 connection->sm_engine_state = SM_SC_W4_PUBLIC_KEY_COMMAND; 3052 } else { 3053 connection->sm_engine_state = SM_RESPONDER_PH1_W4_PAIRING_CONFIRM; 3054 } 3055 3056 sm_send_connectionless(connection, (uint8_t*) &setup->sm_s_pres, sizeof(sm_pairing_packet_t)); 3057 sm_timeout_reset(connection); 3058 3059 // notify after sending 3060 sm_pairing_started(connection); 3061 3062 // SC Numeric Comparison will trigger user response after public keys & nonces have been exchanged 3063 if (!setup->sm_use_secure_connections || (setup->sm_stk_generation_method == JUST_WORKS)){ 3064 sm_trigger_user_response(connection); 3065 } 3066 return; 3067 #endif 3068 3069 case SM_PH2_SEND_PAIRING_RANDOM: { 3070 uint8_t buffer[17]; 3071 buffer[0] = SM_CODE_PAIRING_RANDOM; 3072 reverse_128(setup->sm_local_random, &buffer[1]); 3073 if (IS_RESPONDER(connection->sm_role)){ 3074 connection->sm_engine_state = SM_RESPONDER_PH2_W4_LTK_REQUEST; 3075 } else { 3076 connection->sm_engine_state = SM_INITIATOR_PH2_W4_PAIRING_RANDOM; 3077 } 3078 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 3079 sm_timeout_reset(connection); 3080 break; 3081 } 3082 3083 case SM_PH2_C1_GET_ENC_A: 3084 // already busy? 3085 if (sm_aes128_state == SM_AES128_ACTIVE) break; 3086 // calculate confirm using aes128 engine - step 1 3087 sm_c1_t1(setup->sm_local_random, (uint8_t*) &setup->sm_m_preq, (uint8_t*) &setup->sm_s_pres, setup->sm_m_addr_type, setup->sm_s_addr_type, sm_aes128_plaintext); 3088 connection->sm_engine_state = SM_PH2_C1_W4_ENC_A; 3089 sm_aes128_state = SM_AES128_ACTIVE; 3090 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, setup->sm_tk, sm_aes128_plaintext, sm_aes128_ciphertext, sm_handle_encryption_result_enc_a, (void *)(uintptr_t) connection->sm_handle); 3091 break; 3092 3093 case SM_PH2_C1_GET_ENC_C: 3094 // already busy? 3095 if (sm_aes128_state == SM_AES128_ACTIVE) break; 3096 // calculate m_confirm using aes128 engine - step 1 3097 sm_c1_t1(setup->sm_peer_random, (uint8_t*) &setup->sm_m_preq, (uint8_t*) &setup->sm_s_pres, setup->sm_m_addr_type, setup->sm_s_addr_type, sm_aes128_plaintext); 3098 connection->sm_engine_state = SM_PH2_C1_W4_ENC_C; 3099 sm_aes128_state = SM_AES128_ACTIVE; 3100 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, setup->sm_tk, sm_aes128_plaintext, sm_aes128_ciphertext, sm_handle_encryption_result_enc_c, (void *)(uintptr_t) connection->sm_handle); 3101 break; 3102 3103 case SM_PH2_CALC_STK: 3104 // already busy? 3105 if (sm_aes128_state == SM_AES128_ACTIVE) break; 3106 // calculate STK 3107 if (IS_RESPONDER(connection->sm_role)){ 3108 sm_s1_r_prime(setup->sm_local_random, setup->sm_peer_random, sm_aes128_plaintext); 3109 } else { 3110 sm_s1_r_prime(setup->sm_peer_random, setup->sm_local_random, sm_aes128_plaintext); 3111 } 3112 connection->sm_engine_state = SM_PH2_W4_STK; 3113 sm_aes128_state = SM_AES128_ACTIVE; 3114 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, setup->sm_tk, sm_aes128_plaintext, setup->sm_ltk, sm_handle_encryption_result_enc_stk, (void *)(uintptr_t) connection->sm_handle); 3115 break; 3116 3117 case SM_PH3_Y_GET_ENC: 3118 // already busy? 3119 if (sm_aes128_state == SM_AES128_ACTIVE) break; 3120 // PH3B2 - calculate Y from - enc 3121 3122 // dm helper (was sm_dm_r_prime) 3123 // r' = padding || r 3124 // r - 64 bit value 3125 memset(&sm_aes128_plaintext[0], 0, 8); 3126 (void)memcpy(&sm_aes128_plaintext[8], setup->sm_local_rand, 8); 3127 3128 // Y = dm(DHK, Rand) 3129 connection->sm_engine_state = SM_PH3_Y_W4_ENC; 3130 sm_aes128_state = SM_AES128_ACTIVE; 3131 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, sm_persistent_dhk, sm_aes128_plaintext, sm_aes128_ciphertext, sm_handle_encryption_result_enc_ph3_y, (void *)(uintptr_t) connection->sm_handle); 3132 break; 3133 3134 case SM_PH2_C1_SEND_PAIRING_CONFIRM: { 3135 uint8_t buffer[17]; 3136 buffer[0] = SM_CODE_PAIRING_CONFIRM; 3137 reverse_128(setup->sm_local_confirm, &buffer[1]); 3138 if (IS_RESPONDER(connection->sm_role)){ 3139 connection->sm_engine_state = SM_RESPONDER_PH2_W4_PAIRING_RANDOM; 3140 } else { 3141 connection->sm_engine_state = SM_INITIATOR_PH2_W4_PAIRING_CONFIRM; 3142 } 3143 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 3144 sm_timeout_reset(connection); 3145 return; 3146 } 3147 #ifdef ENABLE_LE_PERIPHERAL 3148 case SM_RESPONDER_PH2_SEND_LTK_REPLY: { 3149 // cache key before using 3150 sm_cache_ltk(connection, setup->sm_ltk); 3151 sm_key_t stk_flipped; 3152 reverse_128(setup->sm_ltk, stk_flipped); 3153 connection->sm_engine_state = SM_PH2_W4_CONNECTION_ENCRYPTED; 3154 hci_send_cmd(&hci_le_long_term_key_request_reply, connection->sm_handle, stk_flipped); 3155 return; 3156 } 3157 case SM_RESPONDER_PH4_SEND_LTK_REPLY: { 3158 // allow to override LTK 3159 if (sm_get_ltk_callback != NULL){ 3160 (void)(*sm_get_ltk_callback)(connection->sm_handle, connection->sm_peer_addr_type, connection->sm_peer_address, setup->sm_ltk); 3161 } 3162 // cache key before using 3163 sm_cache_ltk(connection, setup->sm_ltk); 3164 sm_key_t ltk_flipped; 3165 reverse_128(setup->sm_ltk, ltk_flipped); 3166 connection->sm_engine_state = SM_PH4_W4_CONNECTION_ENCRYPTED; 3167 hci_send_cmd(&hci_le_long_term_key_request_reply, connection->sm_handle, ltk_flipped); 3168 return; 3169 } 3170 3171 case SM_RESPONDER_PH0_RECEIVED_LTK_REQUEST: 3172 // already busy? 3173 if (sm_aes128_state == SM_AES128_ACTIVE) break; 3174 log_info("LTK Request: recalculating with ediv 0x%04x", setup->sm_local_ediv); 3175 3176 sm_reset_setup(); 3177 sm_start_calculating_ltk_from_ediv_and_rand(connection); 3178 3179 sm_reencryption_started(connection); 3180 3181 // dm helper (was sm_dm_r_prime) 3182 // r' = padding || r 3183 // r - 64 bit value 3184 memset(&sm_aes128_plaintext[0], 0, 8); 3185 (void)memcpy(&sm_aes128_plaintext[8], setup->sm_local_rand, 8); 3186 3187 // Y = dm(DHK, Rand) 3188 connection->sm_engine_state = SM_RESPONDER_PH4_Y_W4_ENC; 3189 sm_aes128_state = SM_AES128_ACTIVE; 3190 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, sm_persistent_dhk, sm_aes128_plaintext, sm_aes128_ciphertext, sm_handle_encryption_result_enc_ph4_y, (void *)(uintptr_t) connection->sm_handle); 3191 return; 3192 #endif 3193 #ifdef ENABLE_LE_CENTRAL 3194 case SM_INITIATOR_PH3_SEND_START_ENCRYPTION: { 3195 sm_key_t stk_flipped; 3196 reverse_128(setup->sm_ltk, stk_flipped); 3197 connection->sm_engine_state = SM_PH2_W4_CONNECTION_ENCRYPTED; 3198 hci_send_cmd(&hci_le_start_encryption, connection->sm_handle, 0, 0, 0, stk_flipped); 3199 return; 3200 } 3201 #endif 3202 3203 case SM_PH3_DISTRIBUTE_KEYS: 3204 // send next key 3205 if (setup->sm_key_distribution_send_set != 0){ 3206 sm_run_distribute_keys(connection); 3207 } 3208 3209 // more to send? 3210 if (setup->sm_key_distribution_send_set != 0){ 3211 return; 3212 } 3213 3214 // keys are sent 3215 if (IS_RESPONDER(connection->sm_role)){ 3216 // slave -> receive master keys if any 3217 if (sm_key_distribution_all_received()){ 3218 sm_key_distribution_handle_all_received(connection); 3219 sm_key_distribution_complete_responder(connection); 3220 // start CTKD right away 3221 continue; 3222 } else { 3223 connection->sm_engine_state = SM_PH3_RECEIVE_KEYS; 3224 } 3225 } else { 3226 sm_master_pairing_success(connection); 3227 } 3228 break; 3229 3230 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 3231 case SM_BR_EDR_INITIATOR_SEND_PAIRING_REQUEST: 3232 // fill in sm setup (lite version of sm_init_setup) 3233 sm_reset_setup(); 3234 setup->sm_peer_addr_type = connection->sm_peer_addr_type; 3235 setup->sm_m_addr_type = connection->sm_peer_addr_type; 3236 setup->sm_s_addr_type = connection->sm_own_addr_type; 3237 (void) memcpy(setup->sm_peer_address, connection->sm_peer_address, 6); 3238 (void) memcpy(setup->sm_m_address, connection->sm_peer_address, 6); 3239 (void) memcpy(setup->sm_s_address, connection->sm_own_address, 6); 3240 setup->sm_use_secure_connections = true; 3241 sm_ctkd_fetch_br_edr_link_key(connection); 3242 3243 // Enc Key and IRK if requested 3244 key_distribution_flags = SM_KEYDIST_ID_KEY | SM_KEYDIST_ENC_KEY; 3245 #ifdef ENABLE_LE_SIGNED_WRITE 3246 // Plus signing key if supported 3247 key_distribution_flags |= SM_KEYDIST_ID_KEY; 3248 #endif 3249 sm_pairing_packet_set_code(setup->sm_m_preq, SM_CODE_PAIRING_REQUEST); 3250 sm_pairing_packet_set_io_capability(setup->sm_m_preq, 0); 3251 sm_pairing_packet_set_oob_data_flag(setup->sm_m_preq, 0); 3252 sm_pairing_packet_set_auth_req(setup->sm_m_preq, SM_AUTHREQ_CT2); 3253 sm_pairing_packet_set_max_encryption_key_size(setup->sm_m_preq, sm_max_encryption_key_size); 3254 sm_pairing_packet_set_initiator_key_distribution(setup->sm_m_preq, key_distribution_flags); 3255 sm_pairing_packet_set_responder_key_distribution(setup->sm_m_preq, key_distribution_flags); 3256 3257 // set state and send pairing response 3258 sm_timeout_start(connection); 3259 connection->sm_engine_state = SM_BR_EDR_INITIATOR_W4_PAIRING_RESPONSE; 3260 sm_send_connectionless(connection, (uint8_t *) &setup->sm_m_preq, sizeof(sm_pairing_packet_t)); 3261 break; 3262 3263 case SM_BR_EDR_RESPONDER_PAIRING_REQUEST_RECEIVED: 3264 // fill in sm setup (lite version of sm_init_setup) 3265 sm_reset_setup(); 3266 setup->sm_peer_addr_type = connection->sm_peer_addr_type; 3267 setup->sm_m_addr_type = connection->sm_peer_addr_type; 3268 setup->sm_s_addr_type = connection->sm_own_addr_type; 3269 (void) memcpy(setup->sm_peer_address, connection->sm_peer_address, 6); 3270 (void) memcpy(setup->sm_m_address, connection->sm_peer_address, 6); 3271 (void) memcpy(setup->sm_s_address, connection->sm_own_address, 6); 3272 setup->sm_use_secure_connections = true; 3273 sm_ctkd_fetch_br_edr_link_key(connection); 3274 (void) memcpy(&setup->sm_m_preq, &connection->sm_m_preq, sizeof(sm_pairing_packet_t)); 3275 3276 // Enc Key and IRK if requested 3277 key_distribution_flags = SM_KEYDIST_ID_KEY | SM_KEYDIST_ENC_KEY; 3278 #ifdef ENABLE_LE_SIGNED_WRITE 3279 // Plus signing key if supported 3280 key_distribution_flags |= SM_KEYDIST_ID_KEY; 3281 #endif 3282 // drop flags not requested by initiator 3283 key_distribution_flags &= sm_pairing_packet_get_initiator_key_distribution(connection->sm_m_preq); 3284 3285 // If Secure Connections pairing has been initiated over BR/EDR, the following fields of the SM Pairing Request PDU are reserved for future use: 3286 // - the IO Capability field, 3287 // - the OOB data flag field, and 3288 // - all bits in the Auth Req field except the CT2 bit. 3289 sm_pairing_packet_set_code(setup->sm_s_pres, SM_CODE_PAIRING_RESPONSE); 3290 sm_pairing_packet_set_io_capability(setup->sm_s_pres, 0); 3291 sm_pairing_packet_set_oob_data_flag(setup->sm_s_pres, 0); 3292 sm_pairing_packet_set_auth_req(setup->sm_s_pres, SM_AUTHREQ_CT2); 3293 sm_pairing_packet_set_max_encryption_key_size(setup->sm_s_pres, connection->sm_actual_encryption_key_size); 3294 sm_pairing_packet_set_initiator_key_distribution(setup->sm_s_pres, key_distribution_flags); 3295 sm_pairing_packet_set_responder_key_distribution(setup->sm_s_pres, key_distribution_flags); 3296 3297 // configure key distribution, LTK is derived locally 3298 key_distribution_flags &= ~SM_KEYDIST_ENC_KEY; 3299 sm_setup_key_distribution(key_distribution_flags, key_distribution_flags); 3300 3301 // set state and send pairing response 3302 sm_timeout_start(connection); 3303 connection->sm_engine_state = SM_BR_EDR_DISTRIBUTE_KEYS; 3304 sm_send_connectionless(connection, (uint8_t *) &setup->sm_s_pres, sizeof(sm_pairing_packet_t)); 3305 break; 3306 case SM_BR_EDR_DISTRIBUTE_KEYS: 3307 if (setup->sm_key_distribution_send_set != 0) { 3308 sm_run_distribute_keys(connection); 3309 return; 3310 } 3311 // keys are sent 3312 if (IS_RESPONDER(connection->sm_role)) { 3313 // responder -> receive master keys if there are any 3314 if (!sm_key_distribution_all_received()){ 3315 connection->sm_engine_state = SM_BR_EDR_RECEIVE_KEYS; 3316 break; 3317 } 3318 } 3319 // otherwise start CTKD right away (responder and no keys to receive / initiator) 3320 sm_ctkd_start_from_br_edr(connection); 3321 continue; 3322 case SM_SC_W2_CALCULATE_ILK_USING_H6: 3323 connection->sm_engine_state = SM_SC_W4_CALCULATE_ILK; 3324 h6_calculate_ilk_from_le_ltk(connection); 3325 break; 3326 case SM_SC_W2_CALCULATE_BR_EDR_LINK_KEY: 3327 connection->sm_engine_state = SM_SC_W4_CALCULATE_BR_EDR_LINK_KEY; 3328 h6_calculate_br_edr_link_key(connection); 3329 break; 3330 case SM_SC_W2_CALCULATE_ILK_USING_H7: 3331 connection->sm_engine_state = SM_SC_W4_CALCULATE_ILK; 3332 h7_calculate_ilk_from_le_ltk(connection); 3333 break; 3334 case SM_BR_EDR_W2_CALCULATE_ILK_USING_H6: 3335 connection->sm_engine_state = SM_BR_EDR_W4_CALCULATE_ILK; 3336 h6_calculate_ilk_from_br_edr(connection); 3337 break; 3338 case SM_BR_EDR_W2_CALCULATE_LE_LTK: 3339 connection->sm_engine_state = SM_BR_EDR_W4_CALCULATE_LE_LTK; 3340 h6_calculate_le_ltk(connection); 3341 break; 3342 case SM_BR_EDR_W2_CALCULATE_ILK_USING_H7: 3343 connection->sm_engine_state = SM_BR_EDR_W4_CALCULATE_ILK; 3344 h7_calculate_ilk_from_br_edr(connection); 3345 break; 3346 #endif 3347 3348 default: 3349 break; 3350 } 3351 3352 // check again if active connection was released 3353 if (sm_active_connection_handle != HCI_CON_HANDLE_INVALID) break; 3354 } 3355 } 3356 3357 // sm_aes128_state stays active 3358 static void sm_handle_encryption_result_enc_a(void *arg){ 3359 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3360 sm_aes128_state = SM_AES128_IDLE; 3361 3362 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3363 if (connection == NULL) return; 3364 3365 sm_c1_t3(sm_aes128_ciphertext, setup->sm_m_address, setup->sm_s_address, setup->sm_c1_t3_value); 3366 sm_aes128_state = SM_AES128_ACTIVE; 3367 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, setup->sm_tk, setup->sm_c1_t3_value, setup->sm_local_confirm, sm_handle_encryption_result_enc_b, (void *)(uintptr_t) connection->sm_handle); 3368 } 3369 3370 static void sm_handle_encryption_result_enc_b(void *arg){ 3371 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3372 sm_aes128_state = SM_AES128_IDLE; 3373 3374 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3375 if (connection == NULL) return; 3376 3377 log_info_key("c1!", setup->sm_local_confirm); 3378 connection->sm_engine_state = SM_PH2_C1_SEND_PAIRING_CONFIRM; 3379 sm_trigger_run(); 3380 } 3381 3382 // sm_aes128_state stays active 3383 static void sm_handle_encryption_result_enc_c(void *arg){ 3384 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3385 sm_aes128_state = SM_AES128_IDLE; 3386 3387 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3388 if (connection == NULL) return; 3389 3390 sm_c1_t3(sm_aes128_ciphertext, setup->sm_m_address, setup->sm_s_address, setup->sm_c1_t3_value); 3391 sm_aes128_state = SM_AES128_ACTIVE; 3392 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, setup->sm_tk, setup->sm_c1_t3_value, sm_aes128_ciphertext, sm_handle_encryption_result_enc_d, (void *)(uintptr_t) connection->sm_handle); 3393 } 3394 3395 static void sm_handle_encryption_result_enc_d(void * arg){ 3396 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3397 sm_aes128_state = SM_AES128_IDLE; 3398 3399 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3400 if (connection == NULL) return; 3401 3402 log_info_key("c1!", sm_aes128_ciphertext); 3403 if (memcmp(setup->sm_peer_confirm, sm_aes128_ciphertext, 16) != 0){ 3404 sm_pairing_error(connection, SM_REASON_CONFIRM_VALUE_FAILED); 3405 sm_trigger_run(); 3406 return; 3407 } 3408 if (IS_RESPONDER(connection->sm_role)){ 3409 connection->sm_engine_state = SM_PH2_SEND_PAIRING_RANDOM; 3410 sm_trigger_run(); 3411 } else { 3412 sm_s1_r_prime(setup->sm_peer_random, setup->sm_local_random, sm_aes128_plaintext); 3413 sm_aes128_state = SM_AES128_ACTIVE; 3414 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, setup->sm_tk, sm_aes128_plaintext, setup->sm_ltk, sm_handle_encryption_result_enc_stk, (void *)(uintptr_t) connection->sm_handle); 3415 } 3416 } 3417 3418 static void sm_handle_encryption_result_enc_stk(void *arg){ 3419 sm_aes128_state = SM_AES128_IDLE; 3420 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3421 3422 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3423 if (connection == NULL) return; 3424 3425 sm_truncate_key(setup->sm_ltk, connection->sm_actual_encryption_key_size); 3426 log_info_key("stk", setup->sm_ltk); 3427 if (IS_RESPONDER(connection->sm_role)){ 3428 connection->sm_engine_state = SM_RESPONDER_PH2_SEND_LTK_REPLY; 3429 } else { 3430 connection->sm_engine_state = SM_INITIATOR_PH3_SEND_START_ENCRYPTION; 3431 } 3432 sm_trigger_run(); 3433 } 3434 3435 // sm_aes128_state stays active 3436 static void sm_handle_encryption_result_enc_ph3_y(void *arg){ 3437 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3438 sm_aes128_state = SM_AES128_IDLE; 3439 3440 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3441 if (connection == NULL) return; 3442 3443 setup->sm_local_y = big_endian_read_16(sm_aes128_ciphertext, 14); 3444 log_info_hex16("y", setup->sm_local_y); 3445 // PH3B3 - calculate EDIV 3446 setup->sm_local_ediv = setup->sm_local_y ^ setup->sm_local_div; 3447 log_info_hex16("ediv", setup->sm_local_ediv); 3448 // PH3B4 - calculate LTK - enc 3449 // LTK = d1(ER, DIV, 0)) 3450 sm_d1_d_prime(setup->sm_local_div, 0, sm_aes128_plaintext); 3451 sm_aes128_state = SM_AES128_ACTIVE; 3452 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, sm_persistent_er, sm_aes128_plaintext, setup->sm_ltk, sm_handle_encryption_result_enc_ph3_ltk, (void *)(uintptr_t) connection->sm_handle); 3453 } 3454 3455 #ifdef ENABLE_LE_PERIPHERAL 3456 // sm_aes128_state stays active 3457 static void sm_handle_encryption_result_enc_ph4_y(void *arg){ 3458 sm_aes128_state = SM_AES128_IDLE; 3459 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3460 3461 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3462 if (connection == NULL) return; 3463 3464 setup->sm_local_y = big_endian_read_16(sm_aes128_ciphertext, 14); 3465 log_info_hex16("y", setup->sm_local_y); 3466 3467 // PH3B3 - calculate DIV 3468 setup->sm_local_div = setup->sm_local_y ^ setup->sm_local_ediv; 3469 log_info_hex16("ediv", setup->sm_local_ediv); 3470 // PH3B4 - calculate LTK - enc 3471 // LTK = d1(ER, DIV, 0)) 3472 sm_d1_d_prime(setup->sm_local_div, 0, sm_aes128_plaintext); 3473 sm_aes128_state = SM_AES128_ACTIVE; 3474 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, sm_persistent_er, sm_aes128_plaintext, setup->sm_ltk, sm_handle_encryption_result_enc_ph4_ltk, (void *)(uintptr_t) connection->sm_handle); 3475 } 3476 #endif 3477 3478 // sm_aes128_state stays active 3479 static void sm_handle_encryption_result_enc_ph3_ltk(void *arg){ 3480 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3481 sm_aes128_state = SM_AES128_IDLE; 3482 3483 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3484 if (connection == NULL) return; 3485 3486 log_info_key("ltk", setup->sm_ltk); 3487 // calc CSRK next 3488 sm_d1_d_prime(setup->sm_local_div, 1, sm_aes128_plaintext); 3489 sm_aes128_state = SM_AES128_ACTIVE; 3490 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, sm_persistent_er, sm_aes128_plaintext, setup->sm_local_csrk, sm_handle_encryption_result_enc_csrk, (void *)(uintptr_t) connection->sm_handle); 3491 } 3492 3493 static void sm_handle_encryption_result_enc_csrk(void *arg){ 3494 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3495 sm_aes128_state = SM_AES128_IDLE; 3496 3497 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3498 if (connection == NULL) return; 3499 3500 sm_aes128_state = SM_AES128_IDLE; 3501 log_info_key("csrk", setup->sm_local_csrk); 3502 if (setup->sm_key_distribution_send_set != 0u){ 3503 connection->sm_engine_state = SM_PH3_DISTRIBUTE_KEYS; 3504 } else { 3505 // no keys to send, just continue 3506 if (IS_RESPONDER(connection->sm_role)){ 3507 if (sm_key_distribution_all_received()){ 3508 sm_key_distribution_handle_all_received(connection); 3509 sm_key_distribution_complete_responder(connection); 3510 } else { 3511 // slave -> receive master keys 3512 connection->sm_engine_state = SM_PH3_RECEIVE_KEYS; 3513 } 3514 } else { 3515 sm_key_distribution_complete_initiator(connection); 3516 } 3517 } 3518 sm_trigger_run(); 3519 } 3520 3521 #ifdef ENABLE_LE_PERIPHERAL 3522 static void sm_handle_encryption_result_enc_ph4_ltk(void *arg){ 3523 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3524 sm_aes128_state = SM_AES128_IDLE; 3525 3526 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3527 if (connection == NULL) return; 3528 3529 sm_truncate_key(setup->sm_ltk, connection->sm_actual_encryption_key_size); 3530 log_info_key("ltk", setup->sm_ltk); 3531 connection->sm_engine_state = SM_RESPONDER_PH4_SEND_LTK_REPLY; 3532 sm_trigger_run(); 3533 } 3534 #endif 3535 3536 static void sm_handle_encryption_result_address_resolution(void *arg){ 3537 UNUSED(arg); 3538 sm_aes128_state = SM_AES128_IDLE; 3539 3540 // compare calulated address against connecting device 3541 uint8_t * hash = &sm_aes128_ciphertext[13]; 3542 if (memcmp(&sm_address_resolution_address[3], hash, 3) == 0){ 3543 log_info("LE Device Lookup: matched resolvable private address"); 3544 sm_address_resolution_handle_event(ADDRESS_RESOLUTION_SUCCEEDED); 3545 sm_trigger_run(); 3546 return; 3547 } 3548 // no match, try next 3549 sm_address_resolution_test++; 3550 sm_trigger_run(); 3551 } 3552 3553 static void sm_handle_encryption_result_dkg_irk(void *arg){ 3554 UNUSED(arg); 3555 sm_aes128_state = SM_AES128_IDLE; 3556 3557 log_info_key("irk", sm_persistent_irk); 3558 dkg_state = DKG_CALC_DHK; 3559 sm_trigger_run(); 3560 } 3561 3562 static void sm_handle_encryption_result_dkg_dhk(void *arg){ 3563 UNUSED(arg); 3564 sm_aes128_state = SM_AES128_IDLE; 3565 3566 log_info_key("dhk", sm_persistent_dhk); 3567 dkg_state = DKG_READY; 3568 sm_trigger_run(); 3569 } 3570 3571 static void sm_handle_encryption_result_rau(void *arg){ 3572 UNUSED(arg); 3573 sm_aes128_state = SM_AES128_IDLE; 3574 3575 (void)memcpy(&sm_random_address[3], &sm_aes128_ciphertext[13], 3); 3576 rau_state = RAU_IDLE; 3577 hci_le_random_address_set(sm_random_address); 3578 3579 sm_trigger_run(); 3580 } 3581 3582 static void sm_handle_random_result_rau(void * arg){ 3583 UNUSED(arg); 3584 // non-resolvable vs. resolvable 3585 switch (gap_random_adress_type){ 3586 case GAP_RANDOM_ADDRESS_RESOLVABLE: 3587 // resolvable: use random as prand and calc address hash 3588 // "The two most significant bits of prand shall be equal to ‘0’ and ‘1" 3589 sm_random_address[0u] &= 0x3fu; 3590 sm_random_address[0u] |= 0x40u; 3591 rau_state = RAU_GET_ENC; 3592 break; 3593 case GAP_RANDOM_ADDRESS_NON_RESOLVABLE: 3594 default: 3595 // "The two most significant bits of the address shall be equal to ‘0’"" 3596 sm_random_address[0u] &= 0x3fu; 3597 rau_state = RAU_IDLE; 3598 hci_le_random_address_set(sm_random_address); 3599 break; 3600 } 3601 sm_trigger_run(); 3602 } 3603 3604 #ifdef ENABLE_LE_SECURE_CONNECTIONS 3605 static void sm_handle_random_result_sc_next_send_pairing_random(void * arg){ 3606 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3607 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3608 if (connection == NULL) return; 3609 3610 connection->sm_engine_state = SM_SC_SEND_PAIRING_RANDOM; 3611 sm_trigger_run(); 3612 } 3613 3614 static void sm_handle_random_result_sc_next_w2_cmac_for_confirmation(void * arg){ 3615 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3616 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3617 if (connection == NULL) return; 3618 3619 connection->sm_engine_state = SM_SC_W2_CMAC_FOR_CONFIRMATION; 3620 sm_trigger_run(); 3621 } 3622 #endif 3623 3624 static void sm_handle_random_result_ph2_random(void * arg){ 3625 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3626 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3627 if (connection == NULL) return; 3628 3629 connection->sm_engine_state = SM_PH2_C1_GET_ENC_A; 3630 sm_trigger_run(); 3631 } 3632 3633 static void sm_handle_random_result_ph2_tk(void * arg){ 3634 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3635 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3636 if (connection == NULL) return; 3637 3638 sm_reset_tk(); 3639 uint32_t tk; 3640 if (sm_fixed_passkey_in_display_role == 0xffffffffU){ 3641 // map random to 0-999999 without speding much cycles on a modulus operation 3642 tk = little_endian_read_32(sm_random_data,0); 3643 tk = tk & 0xfffff; // 1048575 3644 if (tk >= 999999u){ 3645 tk = tk - 999999u; 3646 } 3647 } else { 3648 // override with pre-defined passkey 3649 tk = sm_fixed_passkey_in_display_role; 3650 } 3651 big_endian_store_32(setup->sm_tk, 12, tk); 3652 if (IS_RESPONDER(connection->sm_role)){ 3653 connection->sm_engine_state = SM_RESPONDER_PH1_SEND_PAIRING_RESPONSE; 3654 } else { 3655 if (setup->sm_use_secure_connections){ 3656 connection->sm_engine_state = SM_SC_SEND_PUBLIC_KEY_COMMAND; 3657 } else { 3658 connection->sm_engine_state = SM_PH1_W4_USER_RESPONSE; 3659 sm_trigger_user_response(connection); 3660 // response_idle == nothing <--> sm_trigger_user_response() did not require response 3661 if (setup->sm_user_response == SM_USER_RESPONSE_IDLE){ 3662 btstack_crypto_random_generate(&sm_crypto_random_request, setup->sm_local_random, 16, &sm_handle_random_result_ph2_random, (void *)(uintptr_t) connection->sm_handle); 3663 } 3664 } 3665 } 3666 sm_trigger_run(); 3667 } 3668 3669 static void sm_handle_random_result_ph3_div(void * arg){ 3670 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3671 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3672 if (connection == NULL) return; 3673 3674 // use 16 bit from random value as div 3675 setup->sm_local_div = big_endian_read_16(sm_random_data, 0); 3676 log_info_hex16("div", setup->sm_local_div); 3677 connection->sm_engine_state = SM_PH3_Y_GET_ENC; 3678 sm_trigger_run(); 3679 } 3680 3681 static void sm_handle_random_result_ph3_random(void * arg){ 3682 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3683 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3684 if (connection == NULL) return; 3685 3686 reverse_64(sm_random_data, setup->sm_local_rand); 3687 // no db for encryption size hack: encryption size is stored in lowest nibble of setup->sm_local_rand 3688 setup->sm_local_rand[7u] = (setup->sm_local_rand[7u] & 0xf0u) + (connection->sm_actual_encryption_key_size - 1u); 3689 // no db for authenticated flag hack: store flag in bit 4 of LSB 3690 setup->sm_local_rand[7u] = (setup->sm_local_rand[7u] & 0xefu) + (connection->sm_connection_authenticated << 4u); 3691 btstack_crypto_random_generate(&sm_crypto_random_request, sm_random_data, 2, &sm_handle_random_result_ph3_div, (void *)(uintptr_t) connection->sm_handle); 3692 } 3693 static void sm_validate_er_ir(void){ 3694 // warn about default ER/IR 3695 bool warning = false; 3696 if (sm_ir_is_default()){ 3697 warning = true; 3698 log_error("Persistent IR not set with sm_set_ir. Use of private addresses will cause pairing issues"); 3699 } 3700 if (sm_er_is_default()){ 3701 warning = true; 3702 log_error("Persistent ER not set with sm_set_er. Legacy Pairing LTK is not secure"); 3703 } 3704 if (warning) { 3705 log_error("Please configure btstack_tlv to let BTstack setup ER and IR keys"); 3706 } 3707 } 3708 3709 static void sm_handle_random_result_ir(void *arg){ 3710 sm_persistent_keys_random_active = false; 3711 if (arg != NULL){ 3712 // key generated, store in tlv 3713 int status = sm_tlv_impl->store_tag(sm_tlv_context, BTSTACK_TAG32('S','M','I','R'), sm_persistent_ir, 16u); 3714 log_info("Generated IR key. Store in TLV status: %d", status); 3715 UNUSED(status); 3716 } 3717 log_info_key("IR", sm_persistent_ir); 3718 dkg_state = DKG_CALC_IRK; 3719 3720 if (test_use_fixed_local_irk){ 3721 log_info_key("IRK", sm_persistent_irk); 3722 dkg_state = DKG_CALC_DHK; 3723 } 3724 3725 sm_trigger_run(); 3726 } 3727 3728 static void sm_handle_random_result_er(void *arg){ 3729 sm_persistent_keys_random_active = false; 3730 if (arg != 0){ 3731 // key generated, store in tlv 3732 int status = sm_tlv_impl->store_tag(sm_tlv_context, BTSTACK_TAG32('S','M','E','R'), sm_persistent_er, 16u); 3733 log_info("Generated ER key. Store in TLV status: %d", status); 3734 UNUSED(status); 3735 } 3736 log_info_key("ER", sm_persistent_er); 3737 3738 // try load ir 3739 int key_size = sm_tlv_impl->get_tag(sm_tlv_context, BTSTACK_TAG32('S','M','I','R'), sm_persistent_ir, 16u); 3740 if (key_size == 16){ 3741 // ok, let's continue 3742 log_info("IR from TLV"); 3743 sm_handle_random_result_ir( NULL ); 3744 } else { 3745 // invalid, generate new random one 3746 sm_persistent_keys_random_active = true; 3747 btstack_crypto_random_generate(&sm_crypto_random_request, sm_persistent_ir, 16, &sm_handle_random_result_ir, &sm_persistent_ir); 3748 } 3749 } 3750 3751 static void sm_connection_init(sm_connection_t * sm_conn, hci_con_handle_t con_handle, uint8_t role, uint8_t peer_addr_type, bd_addr_t peer_address){ 3752 3753 // connection info 3754 sm_conn->sm_handle = con_handle; 3755 sm_conn->sm_role = role; 3756 sm_conn->sm_peer_addr_type = peer_addr_type; 3757 memcpy(sm_conn->sm_peer_address, peer_address, 6); 3758 3759 // security properties 3760 sm_conn->sm_connection_encrypted = 0; 3761 sm_conn->sm_connection_authenticated = 0; 3762 sm_conn->sm_connection_authorization_state = AUTHORIZATION_UNKNOWN; 3763 sm_conn->sm_le_db_index = -1; 3764 sm_conn->sm_reencryption_active = false; 3765 3766 // prepare CSRK lookup (does not involve setup) 3767 sm_conn->sm_irk_lookup_state = IRK_LOOKUP_W4_READY; 3768 3769 sm_conn->sm_engine_state = SM_GENERAL_IDLE; 3770 } 3771 3772 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 3773 static void sm_event_handle_classic_encryption_event(sm_connection_t * sm_conn, hci_con_handle_t con_handle){ 3774 // CTKD requires BR/EDR Secure Connection 3775 if (sm_conn->sm_connection_encrypted != 2) return; 3776 // prepare for pairing request 3777 if (IS_RESPONDER(sm_conn->sm_role)){ 3778 sm_conn->sm_engine_state = SM_BR_EDR_RESPONDER_W4_PAIRING_REQUEST; 3779 } else if (sm_conn->sm_pairing_requested){ 3780 // check if remote supports fixed channels 3781 bool defer = true; 3782 const hci_connection_t * hci_connection = hci_connection_for_handle(con_handle); 3783 if (hci_connection->l2cap_state.information_state == L2CAP_INFORMATION_STATE_DONE){ 3784 // check if remote supports SMP over BR/EDR 3785 if ((hci_connection->l2cap_state.fixed_channels_supported & (1 << L2CAP_CID_BR_EDR_SECURITY_MANAGER)) != 0){ 3786 log_info("CTKD: SM_BR_EDR_INITIATOR_SEND_PAIRING_REQUEST"); 3787 sm_conn->sm_engine_state = SM_BR_EDR_INITIATOR_SEND_PAIRING_REQUEST; 3788 } else { 3789 defer = false; 3790 } 3791 } else { 3792 // wait for fixed channel info 3793 log_info("CTKD: SM_BR_EDR_INITIATOR_W4_FIXED_CHANNEL_MASK"); 3794 sm_conn->sm_engine_state = SM_BR_EDR_INITIATOR_W4_FIXED_CHANNEL_MASK; 3795 } 3796 if (defer){ 3797 hci_dedicated_bonding_defer_disconnect(con_handle, true); 3798 } 3799 } 3800 } 3801 #endif 3802 3803 static void sm_event_packet_handler (uint8_t packet_type, uint16_t channel, uint8_t *packet, uint16_t size){ 3804 3805 UNUSED(channel); // ok: there is no channel 3806 UNUSED(size); // ok: fixed format HCI events 3807 3808 sm_connection_t * sm_conn; 3809 hci_con_handle_t con_handle; 3810 uint8_t status; 3811 bd_addr_t addr; 3812 bd_addr_type_t addr_type; 3813 3814 switch (packet_type) { 3815 3816 case HCI_EVENT_PACKET: 3817 switch (hci_event_packet_get_type(packet)) { 3818 3819 case BTSTACK_EVENT_STATE: 3820 switch (btstack_event_state_get_state(packet)){ 3821 case HCI_STATE_WORKING: 3822 log_info("HCI Working!"); 3823 // setup IR/ER with TLV 3824 btstack_tlv_get_instance(&sm_tlv_impl, &sm_tlv_context); 3825 if (sm_tlv_impl != NULL){ 3826 int key_size = sm_tlv_impl->get_tag(sm_tlv_context, BTSTACK_TAG32('S','M','E','R'), sm_persistent_er, 16u); 3827 if (key_size == 16){ 3828 // ok, let's continue 3829 log_info("ER from TLV"); 3830 sm_handle_random_result_er( NULL ); 3831 } else { 3832 // invalid, generate random one 3833 sm_persistent_keys_random_active = true; 3834 btstack_crypto_random_generate(&sm_crypto_random_request, sm_persistent_er, 16, &sm_handle_random_result_er, &sm_persistent_er); 3835 } 3836 } else { 3837 sm_validate_er_ir(); 3838 dkg_state = DKG_CALC_IRK; 3839 3840 if (test_use_fixed_local_irk){ 3841 log_info_key("IRK", sm_persistent_irk); 3842 dkg_state = DKG_CALC_DHK; 3843 } 3844 } 3845 3846 #ifdef ENABLE_LE_SECURE_CONNECTIONS 3847 // trigger ECC key generation 3848 if (ec_key_generation_state == EC_KEY_GENERATION_IDLE){ 3849 sm_ec_generate_new_key(); 3850 } 3851 #endif 3852 3853 // restart random address updates after power cycle 3854 if (gap_random_adress_type == GAP_RANDOM_ADDRESS_TYPE_STATIC){ 3855 gap_random_address_set(sm_random_address); 3856 } else { 3857 gap_random_address_set_mode(gap_random_adress_type); 3858 } 3859 break; 3860 3861 case HCI_STATE_OFF: 3862 case HCI_STATE_HALTING: 3863 log_info("SM: reset state"); 3864 // stop random address update 3865 gap_random_address_update_stop(); 3866 // reset state 3867 sm_state_reset(); 3868 break; 3869 3870 default: 3871 break; 3872 } 3873 break; 3874 3875 #ifdef ENABLE_CLASSIC 3876 case HCI_EVENT_CONNECTION_COMPLETE: 3877 // ignore if connection failed 3878 if (hci_event_connection_complete_get_status(packet)) return; 3879 3880 con_handle = hci_event_connection_complete_get_connection_handle(packet); 3881 sm_conn = sm_get_connection_for_handle(con_handle); 3882 if (!sm_conn) break; 3883 3884 hci_event_connection_complete_get_bd_addr(packet, addr); 3885 sm_connection_init(sm_conn, 3886 con_handle, 3887 (uint8_t) gap_get_role(con_handle), 3888 BD_ADDR_TYPE_LE_PUBLIC, 3889 addr); 3890 // classic connection corresponds to public le address 3891 sm_conn->sm_own_addr_type = BD_ADDR_TYPE_LE_PUBLIC; 3892 gap_local_bd_addr(sm_conn->sm_own_address); 3893 sm_conn->sm_cid = L2CAP_CID_BR_EDR_SECURITY_MANAGER; 3894 sm_conn->sm_engine_state = SM_BR_EDR_W4_ENCRYPTION_COMPLETE; 3895 break; 3896 #endif 3897 3898 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 3899 case HCI_EVENT_SIMPLE_PAIRING_COMPLETE: 3900 if (hci_event_simple_pairing_complete_get_status(packet) != ERROR_CODE_SUCCESS) break; 3901 hci_event_simple_pairing_complete_get_bd_addr(packet, addr); 3902 sm_conn = sm_get_connection_for_bd_addr_and_type(addr, BD_ADDR_TYPE_ACL); 3903 if (sm_conn == NULL) break; 3904 sm_conn->sm_pairing_requested = true; 3905 break; 3906 #endif 3907 3908 case HCI_EVENT_META_GAP: 3909 switch (hci_event_gap_meta_get_subevent_code(packet)) { 3910 case GAP_SUBEVENT_LE_CONNECTION_COMPLETE: 3911 // ignore if connection failed 3912 if (gap_subevent_le_connection_complete_get_status(packet) != ERROR_CODE_SUCCESS) break; 3913 3914 con_handle = gap_subevent_le_connection_complete_get_connection_handle(packet); 3915 sm_conn = sm_get_connection_for_handle(con_handle); 3916 if (!sm_conn) break; 3917 3918 // Get current peer address 3919 addr_type = gap_subevent_le_connection_complete_get_peer_address_type(packet); 3920 if (hci_is_le_identity_address_type(addr_type)){ 3921 addr_type = BD_ADDR_TYPE_LE_RANDOM; 3922 gap_subevent_le_connection_complete_get_peer_resolvable_private_address(packet, addr); 3923 } else { 3924 gap_subevent_le_connection_complete_get_peer_address(packet, addr); 3925 } 3926 sm_connection_init(sm_conn, 3927 con_handle, 3928 gap_subevent_le_connection_complete_get_role(packet), 3929 addr_type, 3930 addr); 3931 sm_conn->sm_cid = L2CAP_CID_SECURITY_MANAGER_PROTOCOL; 3932 3933 // track our addr used for this connection and set state 3934 #ifdef ENABLE_LE_PERIPHERAL 3935 if (gap_subevent_le_connection_complete_get_role(packet) != 0){ 3936 // responder - use own address from advertisements 3937 gap_le_get_own_advertisements_address(&sm_conn->sm_own_addr_type, sm_conn->sm_own_address); 3938 sm_conn->sm_engine_state = SM_RESPONDER_IDLE; 3939 } 3940 #endif 3941 #ifdef ENABLE_LE_CENTRAL 3942 if (gap_subevent_le_connection_complete_get_role(packet) == 0){ 3943 // initiator - use own address from create connection 3944 gap_le_get_own_connection_address(&sm_conn->sm_own_addr_type, sm_conn->sm_own_address); 3945 sm_conn->sm_engine_state = SM_INITIATOR_CONNECTED; 3946 } 3947 #endif 3948 break; 3949 default: 3950 break; 3951 } 3952 break; 3953 case HCI_EVENT_LE_META: 3954 switch (hci_event_le_meta_get_subevent_code(packet)) { 3955 case HCI_SUBEVENT_LE_LONG_TERM_KEY_REQUEST: 3956 con_handle = hci_subevent_le_long_term_key_request_get_connection_handle(packet); 3957 sm_conn = sm_get_connection_for_handle(con_handle); 3958 if (!sm_conn) break; 3959 3960 log_info("LTK Request: state %u", sm_conn->sm_engine_state); 3961 if (sm_conn->sm_engine_state == SM_RESPONDER_PH2_W4_LTK_REQUEST){ 3962 sm_conn->sm_engine_state = SM_PH2_CALC_STK; 3963 break; 3964 } 3965 if (sm_conn->sm_engine_state == SM_SC_W4_LTK_REQUEST_SC){ 3966 // PH2 SEND LTK as we need to exchange keys in PH3 3967 sm_conn->sm_engine_state = SM_RESPONDER_PH2_SEND_LTK_REPLY; 3968 break; 3969 } 3970 3971 // store rand and ediv 3972 reverse_64(&packet[5], sm_conn->sm_local_rand); 3973 sm_conn->sm_local_ediv = hci_subevent_le_long_term_key_request_get_encryption_diversifier(packet); 3974 3975 // For Legacy Pairing (<=> EDIV != 0 || RAND != NULL), we need to recalculated our LTK as a 3976 // potentially stored LTK is from the master 3977 if ((sm_conn->sm_local_ediv != 0u) || !sm_is_null_random(sm_conn->sm_local_rand)){ 3978 if (sm_reconstruct_ltk_without_le_device_db_entry){ 3979 sm_conn->sm_engine_state = SM_RESPONDER_PH0_RECEIVED_LTK_REQUEST; 3980 break; 3981 } 3982 // additionally check if remote is in LE Device DB if requested 3983 switch(sm_conn->sm_irk_lookup_state){ 3984 case IRK_LOOKUP_FAILED: 3985 log_info("LTK Request: device not in device db"); 3986 sm_conn->sm_engine_state = SM_RESPONDER_PH0_SEND_LTK_REQUESTED_NEGATIVE_REPLY; 3987 break; 3988 case IRK_LOOKUP_SUCCEEDED: 3989 sm_conn->sm_engine_state = SM_RESPONDER_PH0_RECEIVED_LTK_REQUEST; 3990 break; 3991 default: 3992 // wait for irk look doen 3993 sm_conn->sm_engine_state = SM_RESPONDER_PH0_RECEIVED_LTK_W4_IRK; 3994 break; 3995 } 3996 break; 3997 } 3998 3999 #ifdef ENABLE_LE_SECURE_CONNECTIONS 4000 sm_conn->sm_engine_state = SM_SC_RECEIVED_LTK_REQUEST; 4001 #else 4002 log_info("LTK Request: ediv & random are empty, but LE Secure Connections not supported"); 4003 sm_conn->sm_engine_state = SM_RESPONDER_PH0_SEND_LTK_REQUESTED_NEGATIVE_REPLY; 4004 #endif 4005 break; 4006 4007 default: 4008 break; 4009 } 4010 break; 4011 4012 case HCI_EVENT_ENCRYPTION_CHANGE: 4013 case HCI_EVENT_ENCRYPTION_CHANGE_V2: 4014 con_handle = hci_event_encryption_change_get_connection_handle(packet); 4015 sm_conn = sm_get_connection_for_handle(con_handle); 4016 if (!sm_conn) break; 4017 4018 sm_conn->sm_connection_encrypted = hci_event_encryption_change_get_encryption_enabled(packet); 4019 log_info("Encryption state change: %u, key size %u", sm_conn->sm_connection_encrypted, 4020 sm_conn->sm_actual_encryption_key_size); 4021 log_info("event handler, state %u", sm_conn->sm_engine_state); 4022 4023 switch (sm_conn->sm_engine_state){ 4024 4025 case SM_PH4_W4_CONNECTION_ENCRYPTED: 4026 // encryption change event concludes re-encryption for bonded devices (even if it fails) 4027 if (sm_conn->sm_connection_encrypted != 0u) { 4028 status = ERROR_CODE_SUCCESS; 4029 if (IS_RESPONDER(sm_conn->sm_role)){ 4030 sm_conn->sm_engine_state = SM_RESPONDER_IDLE; 4031 } else { 4032 sm_conn->sm_engine_state = SM_INITIATOR_CONNECTED; 4033 } 4034 } else { 4035 status = hci_event_encryption_change_get_status(packet); 4036 // set state to 'RE-ENCRYPTION FAILED' to allow pairing but prevent other interactions 4037 // also, gap_reconnect_security_setup_active will return true 4038 sm_conn->sm_engine_state = SM_GENERAL_REENCRYPTION_FAILED; 4039 } 4040 4041 // emit re-encryption complete 4042 sm_reencryption_complete(sm_conn, status); 4043 4044 // notify client, if pairing was requested before 4045 if (sm_conn->sm_pairing_requested){ 4046 sm_conn->sm_pairing_requested = false; 4047 sm_pairing_complete(sm_conn, status, 0); 4048 } 4049 4050 sm_done_for_handle(sm_conn->sm_handle); 4051 break; 4052 4053 case SM_PH2_W4_CONNECTION_ENCRYPTED: 4054 if (!sm_conn->sm_connection_encrypted) break; 4055 // handler for HCI_EVENT_ENCRYPTION_KEY_REFRESH_COMPLETE 4056 // contains the same code for this state 4057 sm_conn->sm_connection_sc = setup->sm_use_secure_connections; 4058 if (IS_RESPONDER(sm_conn->sm_role)){ 4059 // slave 4060 if (sm_conn->sm_connection_sc){ 4061 sm_conn->sm_engine_state = SM_PH3_DISTRIBUTE_KEYS; 4062 } else { 4063 btstack_crypto_random_generate(&sm_crypto_random_request, sm_random_data, 8, &sm_handle_random_result_ph3_random, (void *)(uintptr_t) sm_conn->sm_handle); 4064 } 4065 } else { 4066 // master 4067 if (sm_key_distribution_all_received()){ 4068 // skip receiving keys as there are none 4069 sm_key_distribution_handle_all_received(sm_conn); 4070 btstack_crypto_random_generate(&sm_crypto_random_request, sm_random_data, 8, &sm_handle_random_result_ph3_random, (void *)(uintptr_t) sm_conn->sm_handle); 4071 } else { 4072 sm_conn->sm_engine_state = SM_PH3_RECEIVE_KEYS; 4073 } 4074 } 4075 break; 4076 4077 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 4078 case SM_BR_EDR_W4_ENCRYPTION_COMPLETE: 4079 sm_event_handle_classic_encryption_event(sm_conn, con_handle); 4080 break; 4081 #endif 4082 default: 4083 break; 4084 } 4085 break; 4086 4087 case HCI_EVENT_ENCRYPTION_KEY_REFRESH_COMPLETE: 4088 con_handle = little_endian_read_16(packet, 3); 4089 sm_conn = sm_get_connection_for_handle(con_handle); 4090 if (!sm_conn) break; 4091 4092 log_info("Encryption key refresh complete, key size %u", sm_conn->sm_actual_encryption_key_size); 4093 log_info("event handler, state %u", sm_conn->sm_engine_state); 4094 // continue if part of initial pairing 4095 switch (sm_conn->sm_engine_state){ 4096 case SM_PH4_W4_CONNECTION_ENCRYPTED: 4097 if (IS_RESPONDER(sm_conn->sm_role)){ 4098 sm_conn->sm_engine_state = SM_RESPONDER_IDLE; 4099 } else { 4100 sm_conn->sm_engine_state = SM_INITIATOR_CONNECTED; 4101 } 4102 sm_done_for_handle(sm_conn->sm_handle); 4103 break; 4104 case SM_PH2_W4_CONNECTION_ENCRYPTED: 4105 // handler for HCI_EVENT_ENCRYPTION_CHANGE 4106 // contains the same code for this state 4107 sm_conn->sm_connection_sc = setup->sm_use_secure_connections; 4108 if (IS_RESPONDER(sm_conn->sm_role)){ 4109 // slave 4110 if (sm_conn->sm_connection_sc){ 4111 sm_conn->sm_engine_state = SM_PH3_DISTRIBUTE_KEYS; 4112 } else { 4113 btstack_crypto_random_generate(&sm_crypto_random_request, sm_random_data, 8, &sm_handle_random_result_ph3_random, (void *)(uintptr_t) sm_conn->sm_handle); 4114 } 4115 } else { 4116 // master 4117 if (sm_key_distribution_all_received()){ 4118 // skip receiving keys as there are none 4119 sm_key_distribution_handle_all_received(sm_conn); 4120 btstack_crypto_random_generate(&sm_crypto_random_request, sm_random_data, 8, &sm_handle_random_result_ph3_random, (void *)(uintptr_t) sm_conn->sm_handle); 4121 } else { 4122 sm_conn->sm_engine_state = SM_PH3_RECEIVE_KEYS; 4123 } 4124 } 4125 break; 4126 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 4127 case SM_BR_EDR_W4_ENCRYPTION_COMPLETE: 4128 sm_event_handle_classic_encryption_event(sm_conn, con_handle); 4129 break; 4130 #endif 4131 default: 4132 break; 4133 } 4134 break; 4135 4136 4137 case HCI_EVENT_DISCONNECTION_COMPLETE: 4138 con_handle = little_endian_read_16(packet, 3); 4139 sm_done_for_handle(con_handle); 4140 sm_conn = sm_get_connection_for_handle(con_handle); 4141 if (!sm_conn) break; 4142 4143 // pairing failed, if it was ongoing 4144 switch (sm_conn->sm_engine_state){ 4145 case SM_GENERAL_IDLE: 4146 case SM_INITIATOR_CONNECTED: 4147 case SM_RESPONDER_IDLE: 4148 break; 4149 default: 4150 sm_reencryption_complete(sm_conn, ERROR_CODE_REMOTE_USER_TERMINATED_CONNECTION); 4151 sm_pairing_complete(sm_conn, ERROR_CODE_REMOTE_USER_TERMINATED_CONNECTION, 0); 4152 break; 4153 } 4154 4155 sm_conn->sm_engine_state = SM_GENERAL_IDLE; 4156 sm_conn->sm_handle = 0; 4157 break; 4158 4159 case HCI_EVENT_COMMAND_COMPLETE: 4160 if (hci_event_command_complete_get_command_opcode(packet) == HCI_OPCODE_HCI_READ_BD_ADDR) { 4161 // set local addr for le device db 4162 reverse_bd_addr(&packet[OFFSET_OF_DATA_IN_COMMAND_COMPLETE + 1], addr); 4163 le_device_db_set_local_bd_addr(addr); 4164 } 4165 break; 4166 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 4167 case L2CAP_EVENT_INFORMATION_RESPONSE: 4168 con_handle = l2cap_event_information_response_get_con_handle(packet); 4169 sm_conn = sm_get_connection_for_handle(con_handle); 4170 if (!sm_conn) break; 4171 if (sm_conn->sm_engine_state == SM_BR_EDR_INITIATOR_W4_FIXED_CHANNEL_MASK){ 4172 // check if remote supports SMP over BR/EDR 4173 const hci_connection_t * hci_connection = hci_connection_for_handle(con_handle); 4174 if ((hci_connection->l2cap_state.fixed_channels_supported & (1 << L2CAP_CID_BR_EDR_SECURITY_MANAGER)) != 0){ 4175 sm_conn->sm_engine_state = SM_BR_EDR_INITIATOR_SEND_PAIRING_REQUEST; 4176 } else { 4177 sm_conn->sm_engine_state = SM_INITIATOR_CONNECTED; 4178 hci_dedicated_bonding_defer_disconnect(con_handle, false); 4179 } 4180 } 4181 break; 4182 #endif 4183 default: 4184 break; 4185 } 4186 break; 4187 default: 4188 break; 4189 } 4190 4191 sm_run(); 4192 } 4193 4194 static inline int sm_calc_actual_encryption_key_size(int other){ 4195 if (other < sm_min_encryption_key_size) return 0; 4196 if (other < sm_max_encryption_key_size) return other; 4197 return sm_max_encryption_key_size; 4198 } 4199 4200 4201 #ifdef ENABLE_LE_SECURE_CONNECTIONS 4202 static bool sm_just_works_or_numeric_comparison(stk_generation_method_t method){ 4203 switch (method){ 4204 case JUST_WORKS: 4205 case NUMERIC_COMPARISON: 4206 return true; 4207 default: 4208 return false; 4209 } 4210 } 4211 // responder 4212 4213 static bool sm_passkey_used(stk_generation_method_t method){ 4214 switch (method){ 4215 case PK_RESP_INPUT: 4216 return true; 4217 default: 4218 return 0; 4219 } 4220 } 4221 4222 static bool sm_passkey_entry(stk_generation_method_t method){ 4223 switch (method){ 4224 case PK_RESP_INPUT: 4225 case PK_INIT_INPUT: 4226 case PK_BOTH_INPUT: 4227 return true; 4228 default: 4229 return false; 4230 } 4231 } 4232 4233 #endif 4234 4235 /** 4236 * @return ok 4237 */ 4238 static int sm_validate_stk_generation_method(void){ 4239 // check if STK generation method is acceptable by client 4240 switch (setup->sm_stk_generation_method){ 4241 case JUST_WORKS: 4242 return (sm_accepted_stk_generation_methods & SM_STK_GENERATION_METHOD_JUST_WORKS) != 0u; 4243 case PK_RESP_INPUT: 4244 case PK_INIT_INPUT: 4245 case PK_BOTH_INPUT: 4246 return (sm_accepted_stk_generation_methods & SM_STK_GENERATION_METHOD_PASSKEY) != 0u; 4247 case OOB: 4248 return (sm_accepted_stk_generation_methods & SM_STK_GENERATION_METHOD_OOB) != 0u; 4249 case NUMERIC_COMPARISON: 4250 return (sm_accepted_stk_generation_methods & SM_STK_GENERATION_METHOD_NUMERIC_COMPARISON) != 0u; 4251 default: 4252 return 0; 4253 } 4254 } 4255 4256 #ifdef ENABLE_LE_CENTRAL 4257 static void sm_initiator_connected_handle_security_request(sm_connection_t * sm_conn, const uint8_t *packet){ 4258 #ifdef ENABLE_LE_SECURE_CONNECTIONS 4259 if (sm_sc_only_mode){ 4260 uint8_t auth_req = packet[1]; 4261 if ((auth_req & SM_AUTHREQ_SECURE_CONNECTION) == 0){ 4262 sm_pairing_error(sm_conn, SM_REASON_AUTHENTHICATION_REQUIREMENTS); 4263 return; 4264 } 4265 } 4266 #else 4267 UNUSED(packet); 4268 #endif 4269 4270 int have_ltk; 4271 uint8_t ltk[16]; 4272 4273 // IRK complete? 4274 switch (sm_conn->sm_irk_lookup_state){ 4275 case IRK_LOOKUP_FAILED: 4276 // start pairing 4277 sm_conn->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 4278 break; 4279 case IRK_LOOKUP_SUCCEEDED: 4280 le_device_db_encryption_get(sm_conn->sm_le_db_index, NULL, NULL, ltk, NULL, NULL, NULL, NULL); 4281 have_ltk = !sm_is_null_key(ltk); 4282 log_info("central: security request - have_ltk %u, encryption %u", have_ltk, sm_conn->sm_connection_encrypted); 4283 if (have_ltk && (sm_conn->sm_connection_encrypted == 0)){ 4284 // start re-encrypt if we have LTK and the connection is not already encrypted 4285 sm_conn->sm_engine_state = SM_INITIATOR_PH4_HAS_LTK; 4286 } else { 4287 // start pairing 4288 sm_conn->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 4289 } 4290 break; 4291 default: 4292 // otherwise, store security request 4293 sm_conn->sm_security_request_received = true; 4294 break; 4295 } 4296 } 4297 #endif 4298 4299 static uint8_t sm_pdu_validate_and_get_opcode(uint8_t packet_type, const uint8_t *packet, uint16_t size){ 4300 4301 // size of complete sm_pdu used to validate input 4302 static const uint8_t sm_pdu_size[] = { 4303 0, // 0x00 invalid opcode 4304 7, // 0x01 pairing request 4305 7, // 0x02 pairing response 4306 17, // 0x03 pairing confirm 4307 17, // 0x04 pairing random 4308 2, // 0x05 pairing failed 4309 17, // 0x06 encryption information 4310 11, // 0x07 master identification 4311 17, // 0x08 identification information 4312 8, // 0x09 identify address information 4313 17, // 0x0a signing information 4314 2, // 0x0b security request 4315 65, // 0x0c pairing public key 4316 17, // 0x0d pairing dhk check 4317 2, // 0x0e keypress notification 4318 }; 4319 4320 if (packet_type != SM_DATA_PACKET) return 0; 4321 if (size == 0u) return 0; 4322 4323 uint8_t sm_pdu_code = packet[0]; 4324 4325 // validate pdu size 4326 if (sm_pdu_code >= sizeof(sm_pdu_size)) return 0; 4327 if (sm_pdu_size[sm_pdu_code] != size) return 0; 4328 4329 return sm_pdu_code; 4330 } 4331 4332 static void sm_pdu_handler(uint8_t packet_type, hci_con_handle_t con_handle, uint8_t *packet, uint16_t size){ 4333 4334 if ((packet_type == HCI_EVENT_PACKET) && (packet[0] == L2CAP_EVENT_CAN_SEND_NOW)){ 4335 sm_run(); 4336 } 4337 4338 uint8_t sm_pdu_code = sm_pdu_validate_and_get_opcode(packet_type, packet, size); 4339 if (sm_pdu_code == 0) return; 4340 4341 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 4342 if (!sm_conn) return; 4343 4344 if (sm_pdu_code == SM_CODE_PAIRING_FAILED){ 4345 sm_reencryption_complete(sm_conn, ERROR_CODE_AUTHENTICATION_FAILURE); 4346 sm_pairing_complete(sm_conn, ERROR_CODE_AUTHENTICATION_FAILURE, packet[1]); 4347 sm_done_for_handle(con_handle); 4348 sm_conn->sm_engine_state = sm_conn->sm_role ? SM_RESPONDER_IDLE : SM_INITIATOR_CONNECTED; 4349 return; 4350 } 4351 4352 log_debug("sm_pdu_handler: state %u, pdu 0x%02x", sm_conn->sm_engine_state, sm_pdu_code); 4353 4354 int err; 4355 uint8_t max_encryption_key_size; 4356 UNUSED(err); 4357 4358 if (sm_pdu_code == SM_CODE_KEYPRESS_NOTIFICATION){ 4359 uint8_t buffer[5]; 4360 buffer[0] = SM_EVENT_KEYPRESS_NOTIFICATION; 4361 buffer[1] = 3; 4362 little_endian_store_16(buffer, 2, con_handle); 4363 buffer[4] = packet[1]; 4364 sm_dispatch_event(HCI_EVENT_PACKET, 0, buffer, sizeof(buffer)); 4365 return; 4366 } 4367 4368 switch (sm_conn->sm_engine_state){ 4369 4370 // a sm timeout requires a new physical connection 4371 case SM_GENERAL_TIMEOUT: 4372 return; 4373 4374 #ifdef ENABLE_LE_CENTRAL 4375 4376 // Initiator 4377 case SM_INITIATOR_CONNECTED: 4378 if ((sm_pdu_code != SM_CODE_SECURITY_REQUEST) || (sm_conn->sm_role)){ 4379 sm_pdu_received_in_wrong_state(sm_conn); 4380 break; 4381 } 4382 sm_initiator_connected_handle_security_request(sm_conn, packet); 4383 break; 4384 4385 case SM_INITIATOR_PH1_W4_PAIRING_RESPONSE: 4386 // Core 5, Vol 3, Part H, 2.4.6: 4387 // "The master shall ignore the slave’s Security Request if the master has sent a Pairing Request 4388 // without receiving a Pairing Response from the slave or if the master has initiated encryption mode setup." 4389 if (sm_pdu_code == SM_CODE_SECURITY_REQUEST){ 4390 log_info("Ignoring Security Request"); 4391 break; 4392 } 4393 4394 // all other pdus are incorrect 4395 if (sm_pdu_code != SM_CODE_PAIRING_RESPONSE){ 4396 sm_pdu_received_in_wrong_state(sm_conn); 4397 break; 4398 } 4399 4400 // store pairing request 4401 (void)memcpy(&setup->sm_s_pres, packet, 4402 sizeof(sm_pairing_packet_t)); 4403 4404 // validate encryption key size 4405 max_encryption_key_size = sm_pairing_packet_get_max_encryption_key_size(setup->sm_s_pres); 4406 if ((max_encryption_key_size < 7) || (max_encryption_key_size > 16)){ 4407 sm_pairing_error(sm_conn, SM_REASON_INVALID_PARAMETERS); 4408 break; 4409 } 4410 4411 err = sm_stk_generation_init(sm_conn); 4412 4413 #ifdef ENABLE_TESTING_SUPPORT 4414 if (0 < test_pairing_failure && test_pairing_failure < SM_REASON_DHKEY_CHECK_FAILED){ 4415 log_info("testing_support: abort with pairing failure %u", test_pairing_failure); 4416 err = test_pairing_failure; 4417 } 4418 #endif 4419 4420 if (err != 0){ 4421 sm_pairing_error(sm_conn, err); 4422 break; 4423 } 4424 4425 // generate random number first, if we need to show passkey 4426 if (setup->sm_stk_generation_method == PK_RESP_INPUT){ 4427 btstack_crypto_random_generate(&sm_crypto_random_request, sm_random_data, 8, &sm_handle_random_result_ph2_tk, (void *)(uintptr_t) sm_conn->sm_handle); 4428 break; 4429 } 4430 4431 #ifdef ENABLE_LE_SECURE_CONNECTIONS 4432 if (setup->sm_use_secure_connections){ 4433 // SC Numeric Comparison will trigger user response after public keys & nonces have been exchanged 4434 if (setup->sm_stk_generation_method == JUST_WORKS){ 4435 sm_conn->sm_engine_state = SM_PH1_W4_USER_RESPONSE; 4436 sm_trigger_user_response(sm_conn); 4437 if (setup->sm_user_response == SM_USER_RESPONSE_IDLE){ 4438 sm_conn->sm_engine_state = SM_SC_SEND_PUBLIC_KEY_COMMAND; 4439 } 4440 } else { 4441 sm_conn->sm_engine_state = SM_SC_SEND_PUBLIC_KEY_COMMAND; 4442 } 4443 break; 4444 } 4445 #endif 4446 sm_conn->sm_engine_state = SM_PH1_W4_USER_RESPONSE; 4447 sm_trigger_user_response(sm_conn); 4448 // response_idle == nothing <--> sm_trigger_user_response() did not require response 4449 if (setup->sm_user_response == SM_USER_RESPONSE_IDLE){ 4450 btstack_crypto_random_generate(&sm_crypto_random_request, setup->sm_local_random, 16, &sm_handle_random_result_ph2_random, (void *)(uintptr_t) sm_conn->sm_handle); 4451 } 4452 break; 4453 4454 case SM_INITIATOR_PH2_W4_PAIRING_CONFIRM: 4455 if (sm_pdu_code != SM_CODE_PAIRING_CONFIRM){ 4456 sm_pdu_received_in_wrong_state(sm_conn); 4457 break; 4458 } 4459 4460 // store s_confirm 4461 reverse_128(&packet[1], setup->sm_peer_confirm); 4462 4463 // abort if s_confirm matches m_confirm 4464 if (memcmp(setup->sm_local_confirm, setup->sm_peer_confirm, 16) == 0){ 4465 sm_pdu_received_in_wrong_state(sm_conn); 4466 break; 4467 } 4468 4469 #ifdef ENABLE_TESTING_SUPPORT 4470 if (test_pairing_failure == SM_REASON_CONFIRM_VALUE_FAILED){ 4471 log_info("testing_support: reset confirm value"); 4472 memset(setup->sm_peer_confirm, 0, 16); 4473 } 4474 #endif 4475 sm_conn->sm_engine_state = SM_PH2_SEND_PAIRING_RANDOM; 4476 break; 4477 4478 case SM_INITIATOR_PH2_W4_PAIRING_RANDOM: 4479 if (sm_pdu_code != SM_CODE_PAIRING_RANDOM){ 4480 sm_pdu_received_in_wrong_state(sm_conn); 4481 break;; 4482 } 4483 4484 // received random value 4485 reverse_128(&packet[1], setup->sm_peer_random); 4486 sm_conn->sm_engine_state = SM_PH2_C1_GET_ENC_C; 4487 break; 4488 4489 case SM_PH4_W4_CONNECTION_ENCRYPTED: 4490 // ignore Security Request, see SM_INITIATOR_PH1_W4_PAIRING_RESPONSE above 4491 if (sm_pdu_code != SM_CODE_SECURITY_REQUEST){ 4492 sm_pdu_received_in_wrong_state(sm_conn); 4493 } 4494 break; 4495 #endif 4496 4497 #ifdef ENABLE_LE_PERIPHERAL 4498 // Responder 4499 case SM_RESPONDER_IDLE: 4500 case SM_RESPONDER_SEND_SECURITY_REQUEST: 4501 case SM_RESPONDER_PH1_W4_PAIRING_REQUEST: 4502 if (sm_pdu_code != SM_CODE_PAIRING_REQUEST){ 4503 sm_pdu_received_in_wrong_state(sm_conn); 4504 break;; 4505 } 4506 4507 // store pairing request 4508 (void)memcpy(&sm_conn->sm_m_preq, packet, sizeof(sm_pairing_packet_t)); 4509 4510 // validation encryption key size 4511 max_encryption_key_size = sm_pairing_packet_get_max_encryption_key_size(sm_conn->sm_m_preq); 4512 if ((max_encryption_key_size < 7) || (max_encryption_key_size > 16)){ 4513 sm_pairing_error(sm_conn, SM_REASON_INVALID_PARAMETERS); 4514 break; 4515 } 4516 4517 // check if IRK completed 4518 switch (sm_conn->sm_irk_lookup_state){ 4519 case IRK_LOOKUP_SUCCEEDED: 4520 case IRK_LOOKUP_FAILED: 4521 sm_conn->sm_engine_state = SM_RESPONDER_PH1_PAIRING_REQUEST_RECEIVED; 4522 break; 4523 default: 4524 sm_conn->sm_engine_state = SM_RESPONDER_PH1_PAIRING_REQUEST_RECEIVED_W4_IRK; 4525 break; 4526 } 4527 break; 4528 #endif 4529 4530 #ifdef ENABLE_LE_SECURE_CONNECTIONS 4531 case SM_SC_W4_PUBLIC_KEY_COMMAND: 4532 if (sm_pdu_code != SM_CODE_PAIRING_PUBLIC_KEY){ 4533 sm_pdu_received_in_wrong_state(sm_conn); 4534 break; 4535 } 4536 4537 // store public key for DH Key calculation 4538 reverse_256(&packet[01], &setup->sm_peer_q[0]); 4539 reverse_256(&packet[33], &setup->sm_peer_q[32]); 4540 4541 // CVE-2020-26558: abort pairing if remote uses the same public key 4542 if (memcmp(&setup->sm_peer_q, ec_q, 64) == 0){ 4543 log_info("Remote PK matches ours"); 4544 sm_pairing_error(sm_conn, SM_REASON_DHKEY_CHECK_FAILED); 4545 break; 4546 } 4547 4548 // validate public key 4549 err = btstack_crypto_ecc_p256_validate_public_key(setup->sm_peer_q); 4550 if (err != 0){ 4551 log_info("sm: peer public key invalid %x", err); 4552 sm_pairing_error(sm_conn, SM_REASON_DHKEY_CHECK_FAILED); 4553 break; 4554 } 4555 4556 // start calculating dhkey 4557 btstack_crypto_ecc_p256_calculate_dhkey(&sm_crypto_ecc_p256_request, setup->sm_peer_q, setup->sm_dhkey, sm_sc_dhkey_calculated, (void*)(uintptr_t) sm_conn->sm_handle); 4558 4559 4560 log_info("public key received, generation method %u", setup->sm_stk_generation_method); 4561 if (IS_RESPONDER(sm_conn->sm_role)){ 4562 // responder 4563 sm_conn->sm_engine_state = SM_SC_SEND_PUBLIC_KEY_COMMAND; 4564 } else { 4565 // initiator 4566 // stk generation method 4567 // passkey entry: notify app to show passkey or to request passkey 4568 switch (setup->sm_stk_generation_method){ 4569 case JUST_WORKS: 4570 case NUMERIC_COMPARISON: 4571 sm_conn->sm_engine_state = SM_SC_W4_CONFIRMATION; 4572 break; 4573 case PK_RESP_INPUT: 4574 sm_sc_start_calculating_local_confirm(sm_conn); 4575 break; 4576 case PK_INIT_INPUT: 4577 case PK_BOTH_INPUT: 4578 if (setup->sm_user_response != SM_USER_RESPONSE_PASSKEY){ 4579 sm_conn->sm_engine_state = SM_SC_W4_USER_RESPONSE; 4580 break; 4581 } 4582 sm_sc_start_calculating_local_confirm(sm_conn); 4583 break; 4584 case OOB: 4585 // generate Nx 4586 log_info("Generate Na"); 4587 btstack_crypto_random_generate(&sm_crypto_random_request, setup->sm_local_nonce, 16, &sm_handle_random_result_sc_next_send_pairing_random, (void*)(uintptr_t) sm_conn->sm_handle); 4588 break; 4589 default: 4590 btstack_assert(false); 4591 break; 4592 } 4593 } 4594 break; 4595 4596 case SM_SC_W4_CONFIRMATION: 4597 if (sm_pdu_code != SM_CODE_PAIRING_CONFIRM){ 4598 sm_pdu_received_in_wrong_state(sm_conn); 4599 break; 4600 } 4601 // received confirm value 4602 reverse_128(&packet[1], setup->sm_peer_confirm); 4603 4604 #ifdef ENABLE_TESTING_SUPPORT 4605 if (test_pairing_failure == SM_REASON_CONFIRM_VALUE_FAILED){ 4606 log_info("testing_support: reset confirm value"); 4607 memset(setup->sm_peer_confirm, 0, 16); 4608 } 4609 #endif 4610 if (IS_RESPONDER(sm_conn->sm_role)){ 4611 // responder 4612 if (sm_passkey_used(setup->sm_stk_generation_method)){ 4613 if (setup->sm_user_response != SM_USER_RESPONSE_PASSKEY){ 4614 // still waiting for passkey 4615 sm_conn->sm_engine_state = SM_SC_W4_USER_RESPONSE; 4616 break; 4617 } 4618 } 4619 sm_sc_start_calculating_local_confirm(sm_conn); 4620 } else { 4621 // initiator 4622 if (sm_just_works_or_numeric_comparison(setup->sm_stk_generation_method)){ 4623 btstack_crypto_random_generate(&sm_crypto_random_request, setup->sm_local_nonce, 16, &sm_handle_random_result_sc_next_send_pairing_random, (void*)(uintptr_t) sm_conn->sm_handle); 4624 } else { 4625 sm_conn->sm_engine_state = SM_SC_SEND_PAIRING_RANDOM; 4626 } 4627 } 4628 break; 4629 4630 case SM_SC_W4_PAIRING_RANDOM: 4631 if (sm_pdu_code != SM_CODE_PAIRING_RANDOM){ 4632 sm_pdu_received_in_wrong_state(sm_conn); 4633 break; 4634 } 4635 4636 // received random value 4637 reverse_128(&packet[1], setup->sm_peer_nonce); 4638 4639 // validate confirm value if Cb = f4(Pkb, Pka, Nb, z) 4640 // only check for JUST WORK/NC in initiator role OR passkey entry 4641 log_info("SM_SC_W4_PAIRING_RANDOM, responder: %u, just works: %u, passkey used %u, passkey entry %u", 4642 IS_RESPONDER(sm_conn->sm_role), sm_just_works_or_numeric_comparison(setup->sm_stk_generation_method), 4643 sm_passkey_used(setup->sm_stk_generation_method), sm_passkey_entry(setup->sm_stk_generation_method)); 4644 if ( (!IS_RESPONDER(sm_conn->sm_role) && sm_just_works_or_numeric_comparison(setup->sm_stk_generation_method)) 4645 || (sm_passkey_entry(setup->sm_stk_generation_method)) ) { 4646 sm_conn->sm_engine_state = SM_SC_W2_CMAC_FOR_CHECK_CONFIRMATION; 4647 break; 4648 } 4649 4650 // OOB 4651 if (setup->sm_stk_generation_method == OOB){ 4652 4653 // setup local random, set to zero if remote did not receive our data 4654 log_info("Received nonce, setup local random ra/rb for dhkey check"); 4655 if (IS_RESPONDER(sm_conn->sm_role)){ 4656 if (sm_pairing_packet_get_oob_data_flag(setup->sm_m_preq) == 0u){ 4657 log_info("Reset rb as A does not have OOB data"); 4658 memset(setup->sm_rb, 0, 16); 4659 } else { 4660 (void)memcpy(setup->sm_rb, sm_sc_oob_random, 16); 4661 log_info("Use stored rb"); 4662 log_info_hexdump(setup->sm_rb, 16); 4663 } 4664 } else { 4665 if (sm_pairing_packet_get_oob_data_flag(setup->sm_s_pres) == 0u){ 4666 log_info("Reset ra as B does not have OOB data"); 4667 memset(setup->sm_ra, 0, 16); 4668 } else { 4669 (void)memcpy(setup->sm_ra, sm_sc_oob_random, 16); 4670 log_info("Use stored ra"); 4671 log_info_hexdump(setup->sm_ra, 16); 4672 } 4673 } 4674 4675 // validate confirm value if Cb = f4(PKb, Pkb, rb, 0) for OOB if data received 4676 if (setup->sm_have_oob_data){ 4677 sm_conn->sm_engine_state = SM_SC_W2_CMAC_FOR_CHECK_CONFIRMATION; 4678 break; 4679 } 4680 } 4681 4682 // TODO: we only get here for Responder role with JW/NC 4683 sm_sc_state_after_receiving_random(sm_conn); 4684 break; 4685 4686 case SM_SC_W2_CALCULATE_G2: 4687 case SM_SC_W4_CALCULATE_G2: 4688 case SM_SC_W4_CALCULATE_DHKEY: 4689 case SM_SC_W2_CALCULATE_F5_SALT: 4690 case SM_SC_W4_CALCULATE_F5_SALT: 4691 case SM_SC_W2_CALCULATE_F5_MACKEY: 4692 case SM_SC_W4_CALCULATE_F5_MACKEY: 4693 case SM_SC_W2_CALCULATE_F5_LTK: 4694 case SM_SC_W4_CALCULATE_F5_LTK: 4695 case SM_SC_W2_CALCULATE_F6_FOR_DHKEY_CHECK: 4696 case SM_SC_W4_DHKEY_CHECK_COMMAND: 4697 case SM_SC_W4_CALCULATE_F6_FOR_DHKEY_CHECK: 4698 case SM_SC_W4_USER_RESPONSE: 4699 if (sm_pdu_code != SM_CODE_PAIRING_DHKEY_CHECK){ 4700 sm_pdu_received_in_wrong_state(sm_conn); 4701 break; 4702 } 4703 // store DHKey Check 4704 setup->sm_state_vars |= SM_STATE_VAR_DHKEY_COMMAND_RECEIVED; 4705 reverse_128(&packet[01], setup->sm_peer_dhkey_check); 4706 4707 // have we been only waiting for dhkey check command? 4708 if (sm_conn->sm_engine_state == SM_SC_W4_DHKEY_CHECK_COMMAND){ 4709 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F6_TO_VERIFY_DHKEY_CHECK; 4710 } 4711 break; 4712 #endif 4713 4714 #ifdef ENABLE_LE_PERIPHERAL 4715 case SM_RESPONDER_PH1_W4_PAIRING_CONFIRM: 4716 if (sm_pdu_code != SM_CODE_PAIRING_CONFIRM){ 4717 sm_pdu_received_in_wrong_state(sm_conn); 4718 break; 4719 } 4720 4721 // received confirm value 4722 reverse_128(&packet[1], setup->sm_peer_confirm); 4723 4724 #ifdef ENABLE_TESTING_SUPPORT 4725 if (test_pairing_failure == SM_REASON_CONFIRM_VALUE_FAILED){ 4726 log_info("testing_support: reset confirm value"); 4727 memset(setup->sm_peer_confirm, 0, 16); 4728 } 4729 #endif 4730 // notify client to hide shown passkey 4731 if (setup->sm_stk_generation_method == PK_INIT_INPUT){ 4732 sm_notify_client_base(SM_EVENT_PASSKEY_DISPLAY_CANCEL, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address); 4733 } 4734 4735 // handle user cancel pairing? 4736 if (setup->sm_user_response == SM_USER_RESPONSE_DECLINE){ 4737 sm_pairing_error(sm_conn, SM_REASON_PASSKEY_ENTRY_FAILED); 4738 break; 4739 } 4740 4741 // wait for user action? 4742 if (setup->sm_user_response == SM_USER_RESPONSE_PENDING){ 4743 sm_conn->sm_engine_state = SM_PH1_W4_USER_RESPONSE; 4744 break; 4745 } 4746 4747 // calculate and send local_confirm 4748 btstack_crypto_random_generate(&sm_crypto_random_request, setup->sm_local_random, 16, &sm_handle_random_result_ph2_random, (void *)(uintptr_t) sm_conn->sm_handle); 4749 break; 4750 4751 case SM_RESPONDER_PH2_W4_PAIRING_RANDOM: 4752 if (sm_pdu_code != SM_CODE_PAIRING_RANDOM){ 4753 sm_pdu_received_in_wrong_state(sm_conn); 4754 break;; 4755 } 4756 4757 // received random value 4758 reverse_128(&packet[1], setup->sm_peer_random); 4759 sm_conn->sm_engine_state = SM_PH2_C1_GET_ENC_C; 4760 break; 4761 #endif 4762 4763 case SM_PH2_W4_CONNECTION_ENCRYPTED: 4764 case SM_PH3_RECEIVE_KEYS: 4765 switch(sm_pdu_code){ 4766 case SM_CODE_ENCRYPTION_INFORMATION: 4767 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION; 4768 reverse_128(&packet[1], setup->sm_peer_ltk); 4769 break; 4770 4771 case SM_CODE_MASTER_IDENTIFICATION: 4772 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_MASTER_IDENTIFICATION; 4773 setup->sm_peer_ediv = little_endian_read_16(packet, 1); 4774 reverse_64(&packet[3], setup->sm_peer_rand); 4775 break; 4776 4777 case SM_CODE_IDENTITY_INFORMATION: 4778 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_IDENTITY_INFORMATION; 4779 reverse_128(&packet[1], setup->sm_peer_irk); 4780 break; 4781 4782 case SM_CODE_IDENTITY_ADDRESS_INFORMATION: 4783 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION; 4784 setup->sm_peer_addr_type = packet[1]; 4785 reverse_bd_addr(&packet[2], setup->sm_peer_address); 4786 break; 4787 4788 case SM_CODE_SIGNING_INFORMATION: 4789 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION; 4790 reverse_128(&packet[1], setup->sm_peer_csrk); 4791 break; 4792 default: 4793 // Unexpected PDU 4794 log_info("Unexpected PDU %u in SM_PH3_RECEIVE_KEYS", packet[0]); 4795 break; 4796 } 4797 // done with key distribution? 4798 if (sm_key_distribution_all_received()){ 4799 4800 sm_key_distribution_handle_all_received(sm_conn); 4801 4802 if (IS_RESPONDER(sm_conn->sm_role)){ 4803 sm_key_distribution_complete_responder(sm_conn); 4804 } else { 4805 if (setup->sm_use_secure_connections){ 4806 sm_conn->sm_engine_state = SM_PH3_DISTRIBUTE_KEYS; 4807 } else { 4808 btstack_crypto_random_generate(&sm_crypto_random_request, sm_random_data, 8, &sm_handle_random_result_ph3_random, (void *)(uintptr_t) sm_conn->sm_handle); 4809 } 4810 } 4811 } 4812 break; 4813 4814 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 4815 4816 case SM_BR_EDR_W4_ENCRYPTION_COMPLETE: 4817 // GAP/DM/LEP/BI-02-C - reject CTKD if P-192 encryption is used 4818 if (sm_pdu_code == SM_CODE_PAIRING_REQUEST){ 4819 sm_pairing_error(sm_conn, SM_REASON_CROSS_TRANSPORT_KEY_DERIVATION_NOT_ALLOWED); 4820 } 4821 break; 4822 4823 case SM_BR_EDR_INITIATOR_W4_PAIRING_RESPONSE: 4824 4825 // dedicated bonding complete 4826 hci_dedicated_bonding_defer_disconnect(sm_conn->sm_handle, false); 4827 4828 if (sm_pdu_code != SM_CODE_PAIRING_RESPONSE){ 4829 sm_pdu_received_in_wrong_state(sm_conn); 4830 break; 4831 } 4832 // store pairing response 4833 (void)memcpy(&setup->sm_s_pres, packet, sizeof(sm_pairing_packet_t)); 4834 4835 // validate encryption key size 4836 max_encryption_key_size = sm_pairing_packet_get_max_encryption_key_size(setup->sm_s_pres); 4837 if ((max_encryption_key_size < 7) || (max_encryption_key_size > 16)){ 4838 sm_pairing_error(sm_conn, SM_REASON_INVALID_PARAMETERS); 4839 break; 4840 } 4841 sm_conn->sm_actual_encryption_key_size = sm_calc_actual_encryption_key_size(max_encryption_key_size); 4842 // SC Only mandates 128 bit key size 4843 if (sm_sc_only_mode && (sm_conn->sm_actual_encryption_key_size < 16)) { 4844 sm_conn->sm_actual_encryption_key_size = 0; 4845 } 4846 if (sm_conn->sm_actual_encryption_key_size == 0){ 4847 sm_pairing_error(sm_conn, SM_REASON_ENCRYPTION_KEY_SIZE); 4848 break; 4849 } 4850 4851 // prepare key exchange, LTK is derived locally 4852 sm_setup_key_distribution(sm_pairing_packet_get_initiator_key_distribution(setup->sm_s_pres) & ~SM_KEYDIST_ENC_KEY, 4853 sm_pairing_packet_get_responder_key_distribution(setup->sm_s_pres) & ~SM_KEYDIST_ENC_KEY); 4854 4855 // skip receive if there are none 4856 if (sm_key_distribution_all_received()){ 4857 // distribute keys in run handles 'no keys to send' 4858 sm_conn->sm_engine_state = SM_BR_EDR_DISTRIBUTE_KEYS; 4859 } else { 4860 sm_conn->sm_engine_state = SM_BR_EDR_RECEIVE_KEYS; 4861 } 4862 break; 4863 4864 case SM_BR_EDR_RESPONDER_W4_PAIRING_REQUEST: 4865 if (sm_pdu_code != SM_CODE_PAIRING_REQUEST){ 4866 sm_pdu_received_in_wrong_state(sm_conn); 4867 break; 4868 } 4869 4870 // store pairing request 4871 (void)memcpy(&sm_conn->sm_m_preq, packet, sizeof(sm_pairing_packet_t)); 4872 4873 // validate encryption key size 4874 max_encryption_key_size = sm_pairing_packet_get_max_encryption_key_size(setup->sm_m_preq); 4875 if ((max_encryption_key_size < 7) || (max_encryption_key_size > 16)){ 4876 sm_pairing_error(sm_conn, SM_REASON_INVALID_PARAMETERS); 4877 break; 4878 } 4879 sm_conn->sm_actual_encryption_key_size = sm_calc_actual_encryption_key_size(max_encryption_key_size); 4880 // SC Only mandates 128 bit key size 4881 if (sm_sc_only_mode && (sm_conn->sm_actual_encryption_key_size < 16)) { 4882 sm_conn->sm_actual_encryption_key_size = 0; 4883 } 4884 if (sm_conn->sm_actual_encryption_key_size == 0){ 4885 sm_pairing_error(sm_conn, SM_REASON_ENCRYPTION_KEY_SIZE); 4886 break; 4887 } 4888 // trigger response 4889 if (sm_ctkd_from_classic(sm_conn)){ 4890 sm_conn->sm_engine_state = SM_BR_EDR_RESPONDER_PAIRING_REQUEST_RECEIVED; 4891 } else { 4892 sm_pairing_error(sm_conn, SM_REASON_CROSS_TRANSPORT_KEY_DERIVATION_NOT_ALLOWED); 4893 } 4894 break; 4895 4896 case SM_BR_EDR_RECEIVE_KEYS: 4897 switch(sm_pdu_code){ 4898 case SM_CODE_IDENTITY_INFORMATION: 4899 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_IDENTITY_INFORMATION; 4900 reverse_128(&packet[1], setup->sm_peer_irk); 4901 break; 4902 case SM_CODE_IDENTITY_ADDRESS_INFORMATION: 4903 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION; 4904 setup->sm_peer_addr_type = packet[1]; 4905 reverse_bd_addr(&packet[2], setup->sm_peer_address); 4906 break; 4907 case SM_CODE_SIGNING_INFORMATION: 4908 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION; 4909 reverse_128(&packet[1], setup->sm_peer_csrk); 4910 break; 4911 default: 4912 // Unexpected PDU 4913 log_info("Unexpected PDU %u in SM_PH3_RECEIVE_KEYS", packet[0]); 4914 break; 4915 } 4916 4917 // all keys received 4918 if (sm_key_distribution_all_received()){ 4919 if (IS_RESPONDER(sm_conn->sm_role)){ 4920 // responder -> keys exchanged, derive LE LTK 4921 sm_ctkd_start_from_br_edr(sm_conn); 4922 } else { 4923 // initiator -> send our keys if any 4924 sm_conn->sm_engine_state = SM_BR_EDR_DISTRIBUTE_KEYS; 4925 } 4926 } 4927 break; 4928 #endif 4929 4930 default: 4931 // Unexpected PDU 4932 log_info("Unexpected PDU %u in state %u", packet[0], sm_conn->sm_engine_state); 4933 sm_pdu_received_in_wrong_state(sm_conn); 4934 break; 4935 } 4936 4937 // try to send next pdu 4938 sm_trigger_run(); 4939 } 4940 4941 // Security Manager Client API 4942 void sm_register_oob_data_callback( int (*get_oob_data_callback)(uint8_t address_type, bd_addr_t addr, uint8_t * oob_data)){ 4943 sm_get_oob_data = get_oob_data_callback; 4944 } 4945 4946 void sm_register_sc_oob_data_callback( int (*get_sc_oob_data_callback)(uint8_t address_type, bd_addr_t addr, uint8_t * oob_sc_peer_confirm, uint8_t * oob_sc_peer_random)){ 4947 sm_get_sc_oob_data = get_sc_oob_data_callback; 4948 } 4949 4950 void sm_register_ltk_callback( bool (*get_ltk_callback)(hci_con_handle_t con_handle, uint8_t address_type, bd_addr_t addr, uint8_t * ltk)){ 4951 sm_get_ltk_callback = get_ltk_callback; 4952 } 4953 4954 void sm_add_event_handler(btstack_packet_callback_registration_t * callback_handler){ 4955 btstack_linked_list_add_tail(&sm_event_handlers, (btstack_linked_item_t*) callback_handler); 4956 } 4957 4958 void sm_remove_event_handler(btstack_packet_callback_registration_t * callback_handler){ 4959 btstack_linked_list_remove(&sm_event_handlers, (btstack_linked_item_t*) callback_handler); 4960 } 4961 4962 void sm_set_accepted_stk_generation_methods(uint8_t accepted_stk_generation_methods){ 4963 sm_accepted_stk_generation_methods = accepted_stk_generation_methods; 4964 } 4965 4966 void sm_set_encryption_key_size_range(uint8_t min_size, uint8_t max_size){ 4967 sm_min_encryption_key_size = min_size; 4968 sm_max_encryption_key_size = max_size; 4969 } 4970 4971 void sm_set_authentication_requirements(uint8_t auth_req){ 4972 #ifndef ENABLE_LE_SECURE_CONNECTIONS 4973 if (auth_req & SM_AUTHREQ_SECURE_CONNECTION){ 4974 log_error("ENABLE_LE_SECURE_CONNECTIONS not defined, but requested by app. Dropping SC flag"); 4975 auth_req &= ~SM_AUTHREQ_SECURE_CONNECTION; 4976 } 4977 #endif 4978 sm_auth_req = auth_req; 4979 } 4980 4981 void sm_set_io_capabilities(io_capability_t io_capability){ 4982 sm_io_capabilities = io_capability; 4983 } 4984 4985 #ifdef ENABLE_LE_PERIPHERAL 4986 void sm_set_request_security(bool enable){ 4987 sm_slave_request_security = enable; 4988 } 4989 #endif 4990 4991 void sm_set_er(sm_key_t er){ 4992 (void)memcpy(sm_persistent_er, er, 16); 4993 } 4994 4995 void sm_set_ir(sm_key_t ir){ 4996 (void)memcpy(sm_persistent_ir, ir, 16); 4997 } 4998 4999 // Testing support only 5000 void sm_test_set_irk(sm_key_t irk){ 5001 (void)memcpy(sm_persistent_irk, irk, 16); 5002 dkg_state = DKG_CALC_DHK; 5003 test_use_fixed_local_irk = true; 5004 } 5005 5006 void sm_test_use_fixed_local_csrk(void){ 5007 test_use_fixed_local_csrk = true; 5008 } 5009 5010 #ifdef ENABLE_LE_SECURE_CONNECTIONS 5011 static void sm_ec_generated(void * arg){ 5012 UNUSED(arg); 5013 ec_key_generation_state = EC_KEY_GENERATION_DONE; 5014 // trigger pairing if pending for ec key 5015 sm_trigger_run(); 5016 } 5017 static void sm_ec_generate_new_key(void) { 5018 log_info("sm: generate new ec key"); 5019 #ifdef ENABLE_LE_SECURE_CONNECTIONS_DEBUG_KEY 5020 // LE Secure Connections Debug Key 5021 const uint8_t debug_key_public[64] = { 5022 0x20, 0xb0, 0x03, 0xd2, 0xf2, 0x97, 0xbe, 0x2c, 0x5e, 0x2c, 0x83, 0xa7, 0xe9, 0xf9, 0xa5, 0xb9, 5023 0xef, 0xf4, 0x91, 0x11, 0xac, 0xf4, 0xfd, 0xdb, 0xcc, 0x03, 0x01, 0x48, 0x0e, 0x35, 0x9d, 0xe6, 5024 0xdc, 0x80, 0x9c, 0x49, 0x65, 0x2a, 0xeb, 0x6d, 0x63, 0x32, 0x9a, 0xbf, 0x5a, 0x52, 0x15, 0x5c, 5025 0x76, 0x63, 0x45, 0xc2, 0x8f, 0xed, 0x30, 0x24, 0x74, 0x1c, 0x8e, 0xd0, 0x15, 0x89, 0xd2, 0x8b 5026 }; 5027 const uint8_t debug_key_private[32] = { 5028 0x3f, 0x49, 0xf6, 0xd4, 0xa3, 0xc5, 0x5f, 0x38, 0x74, 0xc9, 0xb3, 0xe3, 0xd2, 0x10, 0x3f, 0x50, 5029 0x4a, 0xff, 0x60, 0x7b, 0xeb, 0x40, 0xb7, 0x99, 0x58, 0x99, 0xb8, 0xa6, 0xcd, 0x3c, 0x1a, 0xbd 5030 }; 5031 if (sm_sc_debug_keys_enabled) { 5032 memcpy(ec_q, debug_key_public, 64); 5033 btstack_crypto_ecc_p256_set_key(debug_key_public, debug_key_private); 5034 ec_key_generation_state = EC_KEY_GENERATION_DONE; 5035 } else 5036 #endif 5037 { 5038 ec_key_generation_state = EC_KEY_GENERATION_ACTIVE; 5039 btstack_crypto_ecc_p256_generate_key(&sm_crypto_ecc_p256_request, ec_q, &sm_ec_generated, NULL); 5040 } 5041 } 5042 #endif 5043 5044 #ifdef ENABLE_TESTING_SUPPORT 5045 void sm_test_set_pairing_failure(int reason){ 5046 test_pairing_failure = reason; 5047 } 5048 #endif 5049 5050 static void sm_state_reset(void) { 5051 #ifdef USE_CMAC_ENGINE 5052 sm_cmac_active = 0; 5053 #endif 5054 dkg_state = DKG_W4_WORKING; 5055 rau_state = RAU_IDLE; 5056 sm_aes128_state = SM_AES128_IDLE; 5057 sm_address_resolution_test = -1; // no private address to resolve yet 5058 sm_address_resolution_mode = ADDRESS_RESOLUTION_IDLE; 5059 sm_address_resolution_general_queue = NULL; 5060 sm_active_connection_handle = HCI_CON_HANDLE_INVALID; 5061 sm_persistent_keys_random_active = false; 5062 #ifdef ENABLE_LE_SECURE_CONNECTIONS 5063 ec_key_generation_state = EC_KEY_GENERATION_IDLE; 5064 #endif 5065 } 5066 5067 void sm_init(void){ 5068 5069 if (sm_initialized) return; 5070 5071 // set default ER and IR values (should be unique - set by app or sm later using TLV) 5072 sm_er_ir_set_default(); 5073 5074 // defaults 5075 sm_accepted_stk_generation_methods = SM_STK_GENERATION_METHOD_JUST_WORKS 5076 | SM_STK_GENERATION_METHOD_OOB 5077 | SM_STK_GENERATION_METHOD_PASSKEY 5078 | SM_STK_GENERATION_METHOD_NUMERIC_COMPARISON; 5079 5080 sm_max_encryption_key_size = 16; 5081 sm_min_encryption_key_size = 7; 5082 5083 sm_fixed_passkey_in_display_role = 0xffffffffU; 5084 sm_reconstruct_ltk_without_le_device_db_entry = true; 5085 5086 gap_random_adress_update_period = 15 * 60 * 1000L; 5087 5088 test_use_fixed_local_csrk = false; 5089 5090 // other 5091 btstack_run_loop_set_timer_handler(&sm_run_timer, &sm_run_timer_handler); 5092 5093 // register for HCI Events 5094 hci_event_callback_registration.callback = &sm_event_packet_handler; 5095 hci_add_event_handler(&hci_event_callback_registration); 5096 5097 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 5098 // register for L2CAP events 5099 l2cap_event_callback_registration.callback = &sm_event_packet_handler; 5100 l2cap_add_event_handler(&l2cap_event_callback_registration); 5101 #endif 5102 5103 // 5104 btstack_crypto_init(); 5105 5106 // init le_device_db 5107 le_device_db_init(); 5108 5109 // and L2CAP PDUs + L2CAP_EVENT_CAN_SEND_NOW 5110 l2cap_register_fixed_channel(sm_pdu_handler, L2CAP_CID_SECURITY_MANAGER_PROTOCOL); 5111 #ifdef ENABLE_CLASSIC 5112 l2cap_register_fixed_channel(sm_pdu_handler, L2CAP_CID_BR_EDR_SECURITY_MANAGER); 5113 #endif 5114 5115 // state 5116 sm_state_reset(); 5117 5118 sm_initialized = true; 5119 } 5120 5121 void sm_deinit(void){ 5122 sm_initialized = false; 5123 btstack_run_loop_remove_timer(&sm_run_timer); 5124 #if defined(ENABLE_LE_SECURE_CONNECTIONS) && defined (ENABLE_LE_SECURE_CONNECTION_DEBUG_KEY) 5125 sm_sc_debug_keys_enabled = false; 5126 #endif 5127 } 5128 5129 void sm_use_fixed_passkey_in_display_role(uint32_t passkey){ 5130 sm_fixed_passkey_in_display_role = passkey; 5131 } 5132 5133 void sm_allow_ltk_reconstruction_without_le_device_db_entry(int allow){ 5134 sm_reconstruct_ltk_without_le_device_db_entry = allow != 0; 5135 } 5136 5137 static sm_connection_t * sm_get_connection_for_handle(hci_con_handle_t con_handle){ 5138 hci_connection_t * hci_con = hci_connection_for_handle(con_handle); 5139 if (!hci_con) return NULL; 5140 return &hci_con->sm_connection; 5141 } 5142 5143 static void sm_cache_ltk(sm_connection_t * connection, const sm_key_t ltk){ 5144 hci_connection_t * hci_con = hci_connection_for_handle(connection->sm_handle); 5145 btstack_assert(hci_con != NULL); 5146 memcpy(hci_con->link_key, ltk, 16); 5147 hci_con->link_key_type = 1; 5148 } 5149 5150 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 5151 static sm_connection_t * sm_get_connection_for_bd_addr_and_type(bd_addr_t address, bd_addr_type_t addr_type){ 5152 hci_connection_t * hci_con = hci_connection_for_bd_addr_and_type(address, addr_type); 5153 if (!hci_con) return NULL; 5154 return &hci_con->sm_connection; 5155 } 5156 #endif 5157 5158 // @deprecated: map onto sm_request_pairing 5159 void sm_send_security_request(hci_con_handle_t con_handle){ 5160 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 5161 if (!sm_conn) return; 5162 if (!IS_RESPONDER(sm_conn->sm_role)) return; 5163 sm_request_pairing(con_handle); 5164 } 5165 5166 // request pairing 5167 void sm_request_pairing(hci_con_handle_t con_handle){ 5168 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 5169 if (!sm_conn) return; // wrong connection 5170 5171 bool have_ltk; 5172 uint8_t ltk[16]; 5173 bool auth_required; 5174 int authenticated; 5175 bool trigger_reencryption; 5176 log_info("sm_request_pairing in role %u, state %u", sm_conn->sm_role, sm_conn->sm_engine_state); 5177 if (IS_RESPONDER(sm_conn->sm_role)){ 5178 switch (sm_conn->sm_engine_state){ 5179 case SM_GENERAL_IDLE: 5180 case SM_RESPONDER_IDLE: 5181 switch (sm_conn->sm_irk_lookup_state){ 5182 case IRK_LOOKUP_SUCCEEDED: 5183 le_device_db_encryption_get(sm_conn->sm_le_db_index, NULL, NULL, ltk, NULL, NULL, NULL, NULL); 5184 have_ltk = !sm_is_null_key(ltk); 5185 log_info("have ltk %u", have_ltk); 5186 if (have_ltk){ 5187 sm_conn->sm_pairing_requested = true; 5188 sm_conn->sm_engine_state = SM_RESPONDER_SEND_SECURITY_REQUEST; 5189 sm_reencryption_started(sm_conn); 5190 break; 5191 } 5192 /* fall through */ 5193 5194 case IRK_LOOKUP_FAILED: 5195 sm_conn->sm_pairing_requested = true; 5196 sm_conn->sm_engine_state = SM_RESPONDER_SEND_SECURITY_REQUEST; 5197 sm_pairing_started(sm_conn); 5198 break; 5199 default: 5200 log_info("irk lookup pending"); 5201 sm_conn->sm_pairing_requested = true; 5202 break; 5203 } 5204 break; 5205 default: 5206 break; 5207 } 5208 } else { 5209 // used as a trigger to start central/master/initiator security procedures 5210 switch (sm_conn->sm_engine_state){ 5211 case SM_INITIATOR_CONNECTED: 5212 switch (sm_conn->sm_irk_lookup_state){ 5213 case IRK_LOOKUP_SUCCEEDED: 5214 le_device_db_encryption_get(sm_conn->sm_le_db_index, NULL, NULL, ltk, NULL, &authenticated, NULL, NULL); 5215 have_ltk = !sm_is_null_key(ltk); 5216 auth_required = sm_auth_req & SM_AUTHREQ_MITM_PROTECTION; 5217 // re-encrypt is sufficient if we have ltk and that is either already authenticated or we don't require authentication 5218 trigger_reencryption = have_ltk && ((authenticated != 0) || (auth_required == false)); 5219 log_info("have ltk %u, authenticated %u, auth required %u => reencrypt %u", have_ltk, authenticated, auth_required, trigger_reencryption); 5220 if (trigger_reencryption){ 5221 sm_conn->sm_pairing_requested = true; 5222 sm_conn->sm_engine_state = SM_INITIATOR_PH4_HAS_LTK; 5223 break; 5224 } 5225 /* fall through */ 5226 5227 case IRK_LOOKUP_FAILED: 5228 sm_conn->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 5229 break; 5230 default: 5231 log_info("irk lookup pending"); 5232 sm_conn->sm_pairing_requested = true; 5233 break; 5234 } 5235 break; 5236 case SM_GENERAL_REENCRYPTION_FAILED: 5237 sm_conn->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 5238 break; 5239 case SM_GENERAL_IDLE: 5240 sm_conn->sm_pairing_requested = true; 5241 break; 5242 default: 5243 break; 5244 } 5245 } 5246 sm_trigger_run(); 5247 } 5248 5249 // called by client app on authorization request 5250 void sm_authorization_decline(hci_con_handle_t con_handle){ 5251 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 5252 if (!sm_conn) return; // wrong connection 5253 sm_conn->sm_connection_authorization_state = AUTHORIZATION_DECLINED; 5254 sm_notify_client_status(SM_EVENT_AUTHORIZATION_RESULT, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address, 0); 5255 } 5256 5257 void sm_authorization_grant(hci_con_handle_t con_handle){ 5258 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 5259 if (!sm_conn) return; // wrong connection 5260 sm_conn->sm_connection_authorization_state = AUTHORIZATION_GRANTED; 5261 sm_notify_client_status(SM_EVENT_AUTHORIZATION_RESULT, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address, 1); 5262 } 5263 5264 // GAP Bonding API 5265 5266 void sm_bonding_decline(hci_con_handle_t con_handle){ 5267 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 5268 if (!sm_conn) return; // wrong connection 5269 setup->sm_user_response = SM_USER_RESPONSE_DECLINE; 5270 log_info("decline, state %u", sm_conn->sm_engine_state); 5271 switch(sm_conn->sm_engine_state){ 5272 #ifdef ENABLE_LE_SECURE_CONNECTIONS 5273 case SM_SC_W4_USER_RESPONSE: 5274 case SM_SC_W4_CONFIRMATION: 5275 case SM_SC_W4_PUBLIC_KEY_COMMAND: 5276 #endif 5277 case SM_PH1_W4_USER_RESPONSE: 5278 switch (setup->sm_stk_generation_method){ 5279 case PK_RESP_INPUT: 5280 case PK_INIT_INPUT: 5281 case PK_BOTH_INPUT: 5282 sm_pairing_error(sm_conn, SM_REASON_PASSKEY_ENTRY_FAILED); 5283 break; 5284 case NUMERIC_COMPARISON: 5285 sm_pairing_error(sm_conn, SM_REASON_NUMERIC_COMPARISON_FAILED); 5286 break; 5287 case JUST_WORKS: 5288 case OOB: 5289 sm_pairing_error(sm_conn, SM_REASON_UNSPECIFIED_REASON); 5290 break; 5291 default: 5292 btstack_assert(false); 5293 break; 5294 } 5295 break; 5296 default: 5297 break; 5298 } 5299 sm_trigger_run(); 5300 } 5301 5302 void sm_just_works_confirm(hci_con_handle_t con_handle){ 5303 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 5304 if (!sm_conn) return; // wrong connection 5305 setup->sm_user_response = SM_USER_RESPONSE_CONFIRM; 5306 if (sm_conn->sm_engine_state == SM_PH1_W4_USER_RESPONSE){ 5307 if (setup->sm_use_secure_connections){ 5308 sm_conn->sm_engine_state = SM_SC_SEND_PUBLIC_KEY_COMMAND; 5309 } else { 5310 btstack_crypto_random_generate(&sm_crypto_random_request, setup->sm_local_random, 16, &sm_handle_random_result_ph2_random, (void *)(uintptr_t) sm_conn->sm_handle); 5311 } 5312 } 5313 5314 #ifdef ENABLE_LE_SECURE_CONNECTIONS 5315 if (sm_conn->sm_engine_state == SM_SC_W4_USER_RESPONSE){ 5316 sm_sc_prepare_dhkey_check(sm_conn); 5317 } 5318 #endif 5319 5320 sm_trigger_run(); 5321 } 5322 5323 void sm_numeric_comparison_confirm(hci_con_handle_t con_handle){ 5324 // for now, it's the same 5325 sm_just_works_confirm(con_handle); 5326 } 5327 5328 void sm_passkey_input(hci_con_handle_t con_handle, uint32_t passkey){ 5329 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 5330 if (!sm_conn) return; // wrong connection 5331 sm_reset_tk(); 5332 big_endian_store_32(setup->sm_tk, 12, passkey); 5333 setup->sm_user_response = SM_USER_RESPONSE_PASSKEY; 5334 if (sm_conn->sm_engine_state == SM_PH1_W4_USER_RESPONSE){ 5335 btstack_crypto_random_generate(&sm_crypto_random_request, setup->sm_local_random, 16, &sm_handle_random_result_ph2_random, (void *)(uintptr_t) sm_conn->sm_handle); 5336 } 5337 #ifdef ENABLE_LE_SECURE_CONNECTIONS 5338 (void)memcpy(setup->sm_ra, setup->sm_tk, 16); 5339 (void)memcpy(setup->sm_rb, setup->sm_tk, 16); 5340 if (sm_conn->sm_engine_state == SM_SC_W4_USER_RESPONSE){ 5341 sm_sc_start_calculating_local_confirm(sm_conn); 5342 } 5343 #endif 5344 sm_trigger_run(); 5345 } 5346 5347 void sm_keypress_notification(hci_con_handle_t con_handle, uint8_t action){ 5348 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 5349 if (!sm_conn) return; // wrong connection 5350 if (action > SM_KEYPRESS_PASSKEY_ENTRY_COMPLETED) return; 5351 uint8_t num_actions = setup->sm_keypress_notification >> 5; 5352 uint8_t flags = setup->sm_keypress_notification & 0x1fu; 5353 switch (action){ 5354 case SM_KEYPRESS_PASSKEY_ENTRY_STARTED: 5355 case SM_KEYPRESS_PASSKEY_ENTRY_COMPLETED: 5356 flags |= (1u << action); 5357 break; 5358 case SM_KEYPRESS_PASSKEY_CLEARED: 5359 // clear counter, keypress & erased flags + set passkey cleared 5360 flags = (flags & 0x19u) | (1u << SM_KEYPRESS_PASSKEY_CLEARED); 5361 break; 5362 case SM_KEYPRESS_PASSKEY_DIGIT_ENTERED: 5363 if ((flags & (1u << SM_KEYPRESS_PASSKEY_DIGIT_ERASED)) != 0u){ 5364 // erase actions queued 5365 num_actions--; 5366 if (num_actions == 0u){ 5367 // clear counter, keypress & erased flags 5368 flags &= 0x19u; 5369 } 5370 break; 5371 } 5372 num_actions++; 5373 flags |= (1u << SM_KEYPRESS_PASSKEY_DIGIT_ENTERED); 5374 break; 5375 case SM_KEYPRESS_PASSKEY_DIGIT_ERASED: 5376 if ((flags & (1u << SM_KEYPRESS_PASSKEY_DIGIT_ENTERED)) != 0u){ 5377 // enter actions queued 5378 num_actions--; 5379 if (num_actions == 0u){ 5380 // clear counter, keypress & erased flags 5381 flags &= 0x19u; 5382 } 5383 break; 5384 } 5385 num_actions++; 5386 flags |= (1u << SM_KEYPRESS_PASSKEY_DIGIT_ERASED); 5387 break; 5388 default: 5389 break; 5390 } 5391 setup->sm_keypress_notification = (num_actions << 5) | flags; 5392 sm_trigger_run(); 5393 } 5394 5395 #ifdef ENABLE_LE_SECURE_CONNECTIONS 5396 static void sm_handle_random_result_oob(void * arg){ 5397 UNUSED(arg); 5398 sm_sc_oob_state = SM_SC_OOB_W2_CALC_CONFIRM; 5399 sm_trigger_run(); 5400 } 5401 uint8_t sm_generate_sc_oob_data(void (*callback)(const uint8_t * confirm_value, const uint8_t * random_value)){ 5402 5403 static btstack_crypto_random_t sm_crypto_random_oob_request; 5404 5405 if (sm_sc_oob_state != SM_SC_OOB_IDLE) return ERROR_CODE_COMMAND_DISALLOWED; 5406 sm_sc_oob_callback = callback; 5407 sm_sc_oob_state = SM_SC_OOB_W4_RANDOM; 5408 btstack_crypto_random_generate(&sm_crypto_random_oob_request, sm_sc_oob_random, 16, &sm_handle_random_result_oob, NULL); 5409 return 0; 5410 } 5411 #endif 5412 5413 /** 5414 * @brief Get Identity Resolving state 5415 * @param con_handle 5416 * @return irk_lookup_state_t 5417 */ 5418 irk_lookup_state_t sm_identity_resolving_state(hci_con_handle_t con_handle){ 5419 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 5420 if (!sm_conn) return IRK_LOOKUP_IDLE; 5421 return sm_conn->sm_irk_lookup_state; 5422 } 5423 5424 /** 5425 * @brief Identify device in LE Device DB 5426 * @param handle 5427 * @return index from le_device_db or -1 if not found/identified 5428 */ 5429 int sm_le_device_index(hci_con_handle_t con_handle ){ 5430 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 5431 if (!sm_conn) return -1; 5432 return sm_conn->sm_le_db_index; 5433 } 5434 5435 uint8_t sm_get_ltk(hci_con_handle_t con_handle, sm_key_t ltk){ 5436 hci_connection_t * hci_connection = hci_connection_for_handle(con_handle); 5437 if (hci_connection == NULL){ 5438 return ERROR_CODE_UNKNOWN_CONNECTION_IDENTIFIER; 5439 } 5440 if (hci_connection->link_key_type == 0){ 5441 return ERROR_CODE_PIN_OR_KEY_MISSING; 5442 } 5443 memcpy(ltk, hci_connection->link_key, 16); 5444 return ERROR_CODE_SUCCESS; 5445 } 5446 5447 static int gap_random_address_type_requires_updates(void){ 5448 switch (gap_random_adress_type){ 5449 case GAP_RANDOM_ADDRESS_TYPE_OFF: 5450 case GAP_RANDOM_ADDRESS_TYPE_STATIC: 5451 return 0; 5452 default: 5453 return 1; 5454 } 5455 } 5456 5457 static uint8_t own_address_type(void){ 5458 switch (gap_random_adress_type){ 5459 case GAP_RANDOM_ADDRESS_TYPE_OFF: 5460 return BD_ADDR_TYPE_LE_PUBLIC; 5461 default: 5462 return BD_ADDR_TYPE_LE_RANDOM; 5463 } 5464 } 5465 5466 // GAP LE API 5467 void gap_random_address_set_mode(gap_random_address_type_t random_address_type){ 5468 gap_random_address_update_stop(); 5469 gap_random_adress_type = random_address_type; 5470 hci_le_set_own_address_type(own_address_type()); 5471 if (!gap_random_address_type_requires_updates()) return; 5472 gap_random_address_update_start(); 5473 gap_random_address_trigger(); 5474 } 5475 5476 gap_random_address_type_t gap_random_address_get_mode(void){ 5477 return gap_random_adress_type; 5478 } 5479 5480 void gap_random_address_set_update_period(int period_ms){ 5481 gap_random_adress_update_period = period_ms; 5482 if (!gap_random_address_type_requires_updates()) return; 5483 gap_random_address_update_stop(); 5484 gap_random_address_update_start(); 5485 } 5486 5487 void gap_random_address_set(const bd_addr_t addr){ 5488 gap_random_address_set_mode(GAP_RANDOM_ADDRESS_TYPE_STATIC); 5489 (void)memcpy(sm_random_address, addr, 6); 5490 // assert msb bits are set to '11' 5491 sm_random_address[0] |= 0xc0; 5492 hci_le_random_address_set(sm_random_address); 5493 } 5494 5495 #ifdef ENABLE_LE_PERIPHERAL 5496 /* 5497 * @brief Set Advertisement Paramters 5498 * @param adv_int_min 5499 * @param adv_int_max 5500 * @param adv_type 5501 * @param direct_address_type 5502 * @param direct_address 5503 * @param channel_map 5504 * @param filter_policy 5505 * 5506 * @note own_address_type is used from gap_random_address_set_mode 5507 */ 5508 void gap_advertisements_set_params(uint16_t adv_int_min, uint16_t adv_int_max, uint8_t adv_type, 5509 uint8_t direct_address_typ, bd_addr_t direct_address, uint8_t channel_map, uint8_t filter_policy){ 5510 hci_le_advertisements_set_params(adv_int_min, adv_int_max, adv_type, 5511 direct_address_typ, direct_address, channel_map, filter_policy); 5512 } 5513 #endif 5514 5515 bool gap_reconnect_security_setup_active(hci_con_handle_t con_handle){ 5516 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 5517 // wrong connection 5518 if (!sm_conn) return false; 5519 // already encrypted 5520 if (sm_conn->sm_connection_encrypted) return false; 5521 // irk status? 5522 switch(sm_conn->sm_irk_lookup_state){ 5523 case IRK_LOOKUP_FAILED: 5524 // done, cannot setup encryption 5525 return false; 5526 case IRK_LOOKUP_SUCCEEDED: 5527 break; 5528 default: 5529 // IR Lookup pending 5530 return true; 5531 } 5532 // IRK Lookup Succeeded, re-encryption should be initiated. When done, state gets reset or indicates failure 5533 if (sm_conn->sm_engine_state == SM_GENERAL_REENCRYPTION_FAILED) return false; 5534 if (sm_conn->sm_role != 0){ 5535 return sm_conn->sm_engine_state != SM_RESPONDER_IDLE; 5536 } else { 5537 return sm_conn->sm_engine_state != SM_INITIATOR_CONNECTED; 5538 } 5539 } 5540 5541 void sm_set_secure_connections_only_mode(bool enable){ 5542 #ifdef ENABLE_LE_SECURE_CONNECTIONS 5543 sm_sc_only_mode = enable; 5544 #else 5545 // SC Only mode not possible without support for SC 5546 btstack_assert(enable == false); 5547 #endif 5548 } 5549 5550 #if defined(ENABLE_LE_SECURE_CONNECTIONS) && defined (ENABLE_LE_SECURE_CONNECTION_DEBUG_KEY) 5551 void sm_test_enable_secure_connections_debug_keys(void) { 5552 log_info("Enable LE Secure Connection Debug Keys for testing"); 5553 sm_sc_debug_keys_enabled = true; 5554 // set debug key 5555 sm_ec_generate_new_key(); 5556 } 5557 #endif 5558 5559 const uint8_t * gap_get_persistent_irk(void){ 5560 return sm_persistent_irk; 5561 } 5562 5563 void gap_delete_bonding(bd_addr_type_t address_type, bd_addr_t address){ 5564 int index = sm_le_device_db_index_lookup(address_type, address); 5565 if (index >= 0){ 5566 sm_remove_le_device_db_entry(index); 5567 } 5568 } 5569