1 /* 2 * Copyright (C) 2014 BlueKitchen GmbH 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of the copyright holders nor the names of 14 * contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 4. Any redistribution, use, or modification is done solely for 17 * personal benefit and not for any commercial purpose or for 18 * monetary gain. 19 * 20 * THIS SOFTWARE IS PROVIDED BY BLUEKITCHEN GMBH AND CONTRIBUTORS 21 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 23 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BLUEKITCHEN 24 * GMBH OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 26 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS 27 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 28 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF 30 * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 * 33 * Please inquire about commercial licensing options at 34 * [email protected] 35 * 36 */ 37 38 #define BTSTACK_FILE__ "sm.c" 39 40 #include <string.h> 41 #include <inttypes.h> 42 43 #include "ble/le_device_db.h" 44 #include "ble/core.h" 45 #include "ble/sm.h" 46 #include "bluetooth_company_id.h" 47 #include "btstack_bool.h" 48 #include "btstack_crypto.h" 49 #include "btstack_debug.h" 50 #include "btstack_event.h" 51 #include "btstack_linked_list.h" 52 #include "btstack_memory.h" 53 #include "btstack_tlv.h" 54 #include "gap.h" 55 #include "hci.h" 56 #include "hci_dump.h" 57 #include "l2cap.h" 58 59 #if !defined(ENABLE_LE_PERIPHERAL) && !defined(ENABLE_LE_CENTRAL) 60 #error "LE Security Manager used, but neither ENABLE_LE_PERIPHERAL nor ENABLE_LE_CENTRAL defined. Please add at least one to btstack_config.h." 61 #endif 62 63 #if defined(ENABLE_CROSS_TRANSPORT_KEY_DERIVATION) && (!defined(ENABLE_CLASSIC) || !defined(ENABLE_LE_SECURE_CONNECTIONS)) 64 #error "Cross Transport Key Derivation requires support for LE Secure Connections and BR/EDR (Classic)" 65 #endif 66 67 // assert SM Public Key can be sent/received 68 #ifdef ENABLE_LE_SECURE_CONNECTIONS 69 #if HCI_ACL_PAYLOAD_SIZE < 69 70 #error "HCI_ACL_PAYLOAD_SIZE must be at least 69 bytes when using LE Secure Conection. Please increase HCI_ACL_PAYLOAD_SIZE or disable ENABLE_LE_SECURE_CONNECTIONS" 71 #endif 72 #endif 73 74 #if defined(ENABLE_LE_PERIPHERAL) && defined(ENABLE_LE_CENTRAL) 75 #define IS_RESPONDER(role) (role) 76 #else 77 #ifdef ENABLE_LE_CENTRAL 78 // only central - never responder (avoid 'unused variable' warnings) 79 #define IS_RESPONDER(role) (0 && role) 80 #else 81 // only peripheral - always responder (avoid 'unused variable' warnings) 82 #define IS_RESPONDER(role) (1 || role) 83 #endif 84 #endif 85 86 #if defined(ENABLE_LE_SIGNED_WRITE) || defined(ENABLE_LE_SECURE_CONNECTIONS) 87 #define USE_CMAC_ENGINE 88 #endif 89 90 91 #define BTSTACK_TAG32(A,B,C,D) (((A) << 24) | ((B) << 16) | ((C) << 8) | (D)) 92 93 // 94 // SM internal types and globals 95 // 96 97 typedef enum { 98 DKG_W4_WORKING, 99 DKG_CALC_IRK, 100 DKG_CALC_DHK, 101 DKG_READY 102 } derived_key_generation_t; 103 104 typedef enum { 105 RAU_IDLE, 106 RAU_GET_RANDOM, 107 RAU_W4_RANDOM, 108 RAU_GET_ENC, 109 RAU_W4_ENC, 110 } random_address_update_t; 111 112 typedef enum { 113 CMAC_IDLE, 114 CMAC_CALC_SUBKEYS, 115 CMAC_W4_SUBKEYS, 116 CMAC_CALC_MI, 117 CMAC_W4_MI, 118 CMAC_CALC_MLAST, 119 CMAC_W4_MLAST 120 } cmac_state_t; 121 122 typedef enum { 123 JUST_WORKS, 124 PK_RESP_INPUT, // Initiator displays PK, responder inputs PK 125 PK_INIT_INPUT, // Responder displays PK, initiator inputs PK 126 PK_BOTH_INPUT, // Only input on both, both input PK 127 NUMERIC_COMPARISON, // Only numerical compparison (yes/no) on on both sides 128 OOB // OOB available on one (SC) or both sides (legacy) 129 } stk_generation_method_t; 130 131 typedef enum { 132 SM_USER_RESPONSE_IDLE, 133 SM_USER_RESPONSE_PENDING, 134 SM_USER_RESPONSE_CONFIRM, 135 SM_USER_RESPONSE_PASSKEY, 136 SM_USER_RESPONSE_DECLINE 137 } sm_user_response_t; 138 139 typedef enum { 140 SM_AES128_IDLE, 141 SM_AES128_ACTIVE 142 } sm_aes128_state_t; 143 144 typedef enum { 145 ADDRESS_RESOLUTION_IDLE, 146 ADDRESS_RESOLUTION_GENERAL, 147 ADDRESS_RESOLUTION_FOR_CONNECTION, 148 } address_resolution_mode_t; 149 150 typedef enum { 151 ADDRESS_RESOLUTION_SUCCEEDED, 152 ADDRESS_RESOLUTION_FAILED, 153 } address_resolution_event_t; 154 155 typedef enum { 156 EC_KEY_GENERATION_IDLE, 157 EC_KEY_GENERATION_ACTIVE, 158 EC_KEY_GENERATION_DONE, 159 } ec_key_generation_state_t; 160 161 typedef enum { 162 SM_STATE_VAR_DHKEY_NEEDED = 1 << 0, 163 SM_STATE_VAR_DHKEY_CALCULATED = 1 << 1, 164 SM_STATE_VAR_DHKEY_COMMAND_RECEIVED = 1 << 2, 165 } sm_state_var_t; 166 167 typedef enum { 168 SM_SC_OOB_IDLE, 169 SM_SC_OOB_W4_RANDOM, 170 SM_SC_OOB_W2_CALC_CONFIRM, 171 SM_SC_OOB_W4_CONFIRM, 172 } sm_sc_oob_state_t; 173 174 typedef uint8_t sm_key24_t[3]; 175 typedef uint8_t sm_key56_t[7]; 176 typedef uint8_t sm_key256_t[32]; 177 178 // 179 // GLOBAL DATA 180 // 181 182 static bool sm_initialized; 183 184 static bool test_use_fixed_local_csrk; 185 static bool test_use_fixed_local_irk; 186 187 #ifdef ENABLE_TESTING_SUPPORT 188 static uint8_t test_pairing_failure; 189 #endif 190 191 // configuration 192 static uint8_t sm_accepted_stk_generation_methods; 193 static uint8_t sm_max_encryption_key_size; 194 static uint8_t sm_min_encryption_key_size; 195 static uint8_t sm_auth_req = 0; 196 static uint8_t sm_io_capabilities = IO_CAPABILITY_NO_INPUT_NO_OUTPUT; 197 static uint32_t sm_fixed_passkey_in_display_role; 198 static bool sm_reconstruct_ltk_without_le_device_db_entry; 199 200 #ifdef ENABLE_LE_PERIPHERAL 201 static uint8_t sm_slave_request_security; 202 #endif 203 204 #ifdef ENABLE_LE_SECURE_CONNECTIONS 205 static bool sm_sc_only_mode; 206 static uint8_t sm_sc_oob_random[16]; 207 static void (*sm_sc_oob_callback)(const uint8_t * confirm_value, const uint8_t * random_value); 208 static sm_sc_oob_state_t sm_sc_oob_state; 209 #ifdef ENABLE_LE_SECURE_CONNECTIONS_DEBUG_KEY 210 static bool sm_sc_debug_keys_enabled; 211 #endif 212 #endif 213 214 215 static bool sm_persistent_keys_random_active; 216 static const btstack_tlv_t * sm_tlv_impl; 217 static void * sm_tlv_context; 218 219 // Security Manager Master Keys, please use sm_set_er(er) and sm_set_ir(ir) with your own 128 bit random values 220 static sm_key_t sm_persistent_er; 221 static sm_key_t sm_persistent_ir; 222 223 // derived from sm_persistent_ir 224 static sm_key_t sm_persistent_dhk; 225 static sm_key_t sm_persistent_irk; 226 static derived_key_generation_t dkg_state; 227 228 // derived from sm_persistent_er 229 // .. 230 231 // random address update 232 static random_address_update_t rau_state; 233 static bd_addr_t sm_random_address; 234 235 #ifdef USE_CMAC_ENGINE 236 // CMAC Calculation: General 237 static btstack_crypto_aes128_cmac_t sm_cmac_request; 238 static void (*sm_cmac_done_callback)(uint8_t hash[8]); 239 static uint8_t sm_cmac_active; 240 static uint8_t sm_cmac_hash[16]; 241 #endif 242 243 // CMAC for ATT Signed Writes 244 #ifdef ENABLE_LE_SIGNED_WRITE 245 static uint16_t sm_cmac_signed_write_message_len; 246 static uint8_t sm_cmac_signed_write_header[3]; 247 static const uint8_t * sm_cmac_signed_write_message; 248 static uint8_t sm_cmac_signed_write_sign_counter[4]; 249 #endif 250 251 // CMAC for Secure Connection functions 252 #ifdef ENABLE_LE_SECURE_CONNECTIONS 253 static sm_connection_t * sm_cmac_connection; 254 static uint8_t sm_cmac_sc_buffer[80]; 255 #endif 256 257 // resolvable private address lookup / CSRK calculation 258 static int sm_address_resolution_test; 259 static uint8_t sm_address_resolution_addr_type; 260 static bd_addr_t sm_address_resolution_address; 261 static void * sm_address_resolution_context; 262 static address_resolution_mode_t sm_address_resolution_mode; 263 static btstack_linked_list_t sm_address_resolution_general_queue; 264 265 // aes128 crypto engine. 266 static sm_aes128_state_t sm_aes128_state; 267 268 // crypto 269 static btstack_crypto_random_t sm_crypto_random_request; 270 static btstack_crypto_aes128_t sm_crypto_aes128_request; 271 #ifdef ENABLE_LE_SECURE_CONNECTIONS 272 static btstack_crypto_ecc_p256_t sm_crypto_ecc_p256_request; 273 #endif 274 275 // temp storage for random data 276 static uint8_t sm_random_data[8]; 277 static uint8_t sm_aes128_key[16]; 278 static uint8_t sm_aes128_plaintext[16]; 279 static uint8_t sm_aes128_ciphertext[16]; 280 281 // to receive events 282 static btstack_packet_callback_registration_t hci_event_callback_registration; 283 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 284 static btstack_packet_callback_registration_t l2cap_event_callback_registration; 285 #endif 286 287 /* to dispatch sm event */ 288 static btstack_linked_list_t sm_event_handlers; 289 290 /* to schedule calls to sm_run */ 291 static btstack_timer_source_t sm_run_timer; 292 293 // LE Secure Connections 294 #ifdef ENABLE_LE_SECURE_CONNECTIONS 295 static ec_key_generation_state_t ec_key_generation_state; 296 static uint8_t ec_q[64]; 297 #endif 298 299 // 300 // Volume 3, Part H, Chapter 24 301 // "Security shall be initiated by the Security Manager in the device in the master role. 302 // The device in the slave role shall be the responding device." 303 // -> master := initiator, slave := responder 304 // 305 306 // data needed for security setup 307 typedef struct sm_setup_context { 308 309 btstack_timer_source_t sm_timeout; 310 311 // user response, (Phase 1 and/or 2) 312 uint8_t sm_user_response; 313 uint8_t sm_keypress_notification; // bitmap: passkey started, digit entered, digit erased, passkey cleared, passkey complete, 3 bit count 314 315 // defines which keys will be send after connection is encrypted - calculated during Phase 1, used Phase 3 316 uint8_t sm_key_distribution_send_set; 317 uint8_t sm_key_distribution_sent_set; 318 uint8_t sm_key_distribution_expected_set; 319 uint8_t sm_key_distribution_received_set; 320 321 // Phase 2 (Pairing over SMP) 322 stk_generation_method_t sm_stk_generation_method; 323 sm_key_t sm_tk; 324 uint8_t sm_have_oob_data; 325 uint8_t sm_use_secure_connections; 326 327 sm_key_t sm_c1_t3_value; // c1 calculation 328 sm_pairing_packet_t sm_m_preq; // pairing request - needed only for c1 329 sm_pairing_packet_t sm_s_pres; // pairing response - needed only for c1 330 sm_key_t sm_local_random; 331 sm_key_t sm_local_confirm; 332 sm_key_t sm_peer_random; 333 sm_key_t sm_peer_confirm; 334 uint8_t sm_m_addr_type; // address and type can be removed 335 uint8_t sm_s_addr_type; // '' 336 bd_addr_t sm_m_address; // '' 337 bd_addr_t sm_s_address; // '' 338 sm_key_t sm_ltk; 339 340 uint8_t sm_state_vars; 341 #ifdef ENABLE_LE_SECURE_CONNECTIONS 342 uint8_t sm_peer_q[64]; // also stores random for EC key generation during init 343 sm_key_t sm_peer_nonce; // might be combined with sm_peer_random 344 sm_key_t sm_local_nonce; // might be combined with sm_local_random 345 uint8_t sm_dhkey[32]; 346 sm_key_t sm_peer_dhkey_check; 347 sm_key_t sm_local_dhkey_check; 348 sm_key_t sm_ra; 349 sm_key_t sm_rb; 350 sm_key_t sm_t; // used for f5 and h6 351 sm_key_t sm_mackey; 352 uint8_t sm_passkey_bit; // also stores number of generated random bytes for EC key generation 353 #endif 354 355 // Phase 3 356 357 // key distribution, we generate 358 uint16_t sm_local_y; 359 uint16_t sm_local_div; 360 uint16_t sm_local_ediv; 361 uint8_t sm_local_rand[8]; 362 sm_key_t sm_local_ltk; 363 sm_key_t sm_local_csrk; 364 sm_key_t sm_local_irk; 365 // sm_local_address/addr_type not needed 366 367 // key distribution, received from peer 368 uint16_t sm_peer_y; 369 uint16_t sm_peer_div; 370 uint16_t sm_peer_ediv; 371 uint8_t sm_peer_rand[8]; 372 sm_key_t sm_peer_ltk; 373 sm_key_t sm_peer_irk; 374 sm_key_t sm_peer_csrk; 375 uint8_t sm_peer_addr_type; 376 bd_addr_t sm_peer_address; 377 #ifdef ENABLE_LE_SIGNED_WRITE 378 int sm_le_device_index; 379 #endif 380 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 381 link_key_t sm_link_key; 382 link_key_type_t sm_link_key_type; 383 #endif 384 } sm_setup_context_t; 385 386 // 387 static sm_setup_context_t the_setup; 388 static sm_setup_context_t * setup = &the_setup; 389 390 // active connection - the one for which the_setup is used for 391 static uint16_t sm_active_connection_handle = HCI_CON_HANDLE_INVALID; 392 393 // @return 1 if oob data is available 394 // stores oob data in provided 16 byte buffer if not null 395 static int (*sm_get_oob_data)(uint8_t addres_type, bd_addr_t addr, uint8_t * oob_data) = NULL; 396 static int (*sm_get_sc_oob_data)(uint8_t addres_type, bd_addr_t addr, uint8_t * oob_sc_peer_confirm, uint8_t * oob_sc_peer_random); 397 static bool (*sm_get_ltk_callback)(hci_con_handle_t con_handle, uint8_t addres_type, bd_addr_t addr, uint8_t * ltk); 398 399 static void sm_run(void); 400 static void sm_state_reset(void); 401 static void sm_done_for_handle(hci_con_handle_t con_handle); 402 static sm_connection_t * sm_get_connection_for_handle(hci_con_handle_t con_handle); 403 static void sm_cache_ltk(sm_connection_t * connection, const sm_key_t ltk); 404 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 405 static sm_connection_t * sm_get_connection_for_bd_addr_and_type(bd_addr_t address, bd_addr_type_t addr_type); 406 #endif 407 static inline int sm_calc_actual_encryption_key_size(int other); 408 static int sm_validate_stk_generation_method(void); 409 static void sm_handle_encryption_result_address_resolution(void *arg); 410 static void sm_handle_encryption_result_dkg_dhk(void *arg); 411 static void sm_handle_encryption_result_dkg_irk(void *arg); 412 static void sm_handle_encryption_result_enc_a(void *arg); 413 static void sm_handle_encryption_result_enc_b(void *arg); 414 static void sm_handle_encryption_result_enc_c(void *arg); 415 static void sm_handle_encryption_result_enc_csrk(void *arg); 416 static void sm_handle_encryption_result_enc_d(void * arg); 417 static void sm_handle_encryption_result_enc_ph3_ltk(void *arg); 418 static void sm_handle_encryption_result_enc_ph3_y(void *arg); 419 #ifdef ENABLE_LE_PERIPHERAL 420 static void sm_handle_encryption_result_enc_ph4_ltk(void *arg); 421 static void sm_handle_encryption_result_enc_ph4_y(void *arg); 422 #endif 423 static void sm_handle_encryption_result_enc_stk(void *arg); 424 static void sm_handle_encryption_result_rau(void *arg); 425 static void sm_handle_random_result_ph2_tk(void * arg); 426 static void sm_handle_random_result_rau(void * arg); 427 #ifdef ENABLE_LE_SECURE_CONNECTIONS 428 static void sm_cmac_message_start(const sm_key_t key, uint16_t message_len, const uint8_t * message, void (*done_callback)(uint8_t * hash)); 429 static void sm_ec_generate_new_key(void); 430 static void sm_handle_random_result_sc_next_w2_cmac_for_confirmation(void * arg); 431 static void sm_handle_random_result_sc_next_send_pairing_random(void * arg); 432 static int sm_passkey_entry(stk_generation_method_t method); 433 #endif 434 static void sm_pairing_complete(sm_connection_t * sm_conn, uint8_t status, uint8_t reason); 435 436 static void log_info_hex16(const char * name, uint16_t value){ 437 log_info("%-6s 0x%04x", name, value); 438 } 439 440 // static inline uint8_t sm_pairing_packet_get_code(sm_pairing_packet_t packet){ 441 // return packet[0]; 442 // } 443 static inline uint8_t sm_pairing_packet_get_io_capability(sm_pairing_packet_t packet){ 444 return packet[1]; 445 } 446 static inline uint8_t sm_pairing_packet_get_oob_data_flag(sm_pairing_packet_t packet){ 447 return packet[2]; 448 } 449 static inline uint8_t sm_pairing_packet_get_auth_req(sm_pairing_packet_t packet){ 450 return packet[3]; 451 } 452 static inline uint8_t sm_pairing_packet_get_max_encryption_key_size(sm_pairing_packet_t packet){ 453 return packet[4]; 454 } 455 static inline uint8_t sm_pairing_packet_get_initiator_key_distribution(sm_pairing_packet_t packet){ 456 return packet[5]; 457 } 458 static inline uint8_t sm_pairing_packet_get_responder_key_distribution(sm_pairing_packet_t packet){ 459 return packet[6]; 460 } 461 462 static inline void sm_pairing_packet_set_code(sm_pairing_packet_t packet, uint8_t code){ 463 packet[0] = code; 464 } 465 static inline void sm_pairing_packet_set_io_capability(sm_pairing_packet_t packet, uint8_t io_capability){ 466 packet[1] = io_capability; 467 } 468 static inline void sm_pairing_packet_set_oob_data_flag(sm_pairing_packet_t packet, uint8_t oob_data_flag){ 469 packet[2] = oob_data_flag; 470 } 471 static inline void sm_pairing_packet_set_auth_req(sm_pairing_packet_t packet, uint8_t auth_req){ 472 packet[3] = auth_req; 473 } 474 static inline void sm_pairing_packet_set_max_encryption_key_size(sm_pairing_packet_t packet, uint8_t max_encryption_key_size){ 475 packet[4] = max_encryption_key_size; 476 } 477 static inline void sm_pairing_packet_set_initiator_key_distribution(sm_pairing_packet_t packet, uint8_t initiator_key_distribution){ 478 packet[5] = initiator_key_distribution; 479 } 480 static inline void sm_pairing_packet_set_responder_key_distribution(sm_pairing_packet_t packet, uint8_t responder_key_distribution){ 481 packet[6] = responder_key_distribution; 482 } 483 484 static bool sm_is_null_random(uint8_t random[8]){ 485 return btstack_is_null(random, 8); 486 } 487 488 static bool sm_is_null_key(uint8_t * key){ 489 return btstack_is_null(key, 16); 490 } 491 492 #ifdef ENABLE_LE_SECURE_CONNECTIONS 493 static bool sm_is_ff(const uint8_t * buffer, uint16_t size){ 494 uint16_t i; 495 for (i=0; i < size ; i++){ 496 if (buffer[i] != 0xff) { 497 return false; 498 } 499 } 500 return true; 501 } 502 #endif 503 504 // sm_trigger_run allows to schedule callback from main run loop // reduces stack depth 505 static void sm_run_timer_handler(btstack_timer_source_t * ts){ 506 UNUSED(ts); 507 sm_run(); 508 } 509 static void sm_trigger_run(void){ 510 if (!sm_initialized) return; 511 (void)btstack_run_loop_remove_timer(&sm_run_timer); 512 btstack_run_loop_set_timer(&sm_run_timer, 0); 513 btstack_run_loop_add_timer(&sm_run_timer); 514 } 515 516 // Key utils 517 static void sm_reset_tk(void){ 518 int i; 519 for (i=0;i<16;i++){ 520 setup->sm_tk[i] = 0; 521 } 522 } 523 524 // "For example, if a 128-bit encryption key is 0x123456789ABCDEF0123456789ABCDEF0 525 // and it is reduced to 7 octets (56 bits), then the resulting key is 0x0000000000000000003456789ABCDEF0."" 526 static void sm_truncate_key(sm_key_t key, int max_encryption_size){ 527 int i; 528 for (i = max_encryption_size ; i < 16 ; i++){ 529 key[15-i] = 0; 530 } 531 } 532 533 // ER / IR checks 534 static void sm_er_ir_set_default(void){ 535 int i; 536 for (i=0;i<16;i++){ 537 sm_persistent_er[i] = 0x30 + i; 538 sm_persistent_ir[i] = 0x90 + i; 539 } 540 } 541 542 static int sm_er_is_default(void){ 543 int i; 544 for (i=0;i<16;i++){ 545 if (sm_persistent_er[i] != (0x30+i)) return 0; 546 } 547 return 1; 548 } 549 550 static int sm_ir_is_default(void){ 551 int i; 552 for (i=0;i<16;i++){ 553 if (sm_persistent_ir[i] != (0x90+i)) return 0; 554 } 555 return 1; 556 } 557 558 static void sm_dispatch_event(uint8_t packet_type, uint16_t channel, uint8_t * packet, uint16_t size){ 559 UNUSED(channel); 560 561 // log event 562 hci_dump_packet(packet_type, 1, packet, size); 563 // dispatch to all event handlers 564 btstack_linked_list_iterator_t it; 565 btstack_linked_list_iterator_init(&it, &sm_event_handlers); 566 while (btstack_linked_list_iterator_has_next(&it)){ 567 btstack_packet_callback_registration_t * entry = (btstack_packet_callback_registration_t*) btstack_linked_list_iterator_next(&it); 568 entry->callback(packet_type, 0, packet, size); 569 } 570 } 571 572 static void sm_setup_event_base(uint8_t * event, int event_size, uint8_t type, hci_con_handle_t con_handle, uint8_t addr_type, bd_addr_t address){ 573 event[0] = type; 574 event[1] = event_size - 2; 575 little_endian_store_16(event, 2, con_handle); 576 event[4] = addr_type; 577 reverse_bd_addr(address, &event[5]); 578 } 579 580 static void sm_notify_client_base(uint8_t type, hci_con_handle_t con_handle, uint8_t addr_type, bd_addr_t address){ 581 uint8_t event[11]; 582 sm_setup_event_base(event, sizeof(event), type, con_handle, addr_type, address); 583 sm_dispatch_event(HCI_EVENT_PACKET, 0, event, sizeof(event)); 584 } 585 586 static void sm_notify_client_index(uint8_t type, hci_con_handle_t con_handle, uint8_t addr_type, bd_addr_t address, uint16_t index){ 587 // fetch addr and addr type from db, only called for valid entries 588 bd_addr_t identity_address; 589 int identity_address_type; 590 le_device_db_info(index, &identity_address_type, identity_address, NULL); 591 592 uint8_t event[20]; 593 sm_setup_event_base(event, sizeof(event), type, con_handle, addr_type, address); 594 event[11] = identity_address_type; 595 reverse_bd_addr(identity_address, &event[12]); 596 little_endian_store_16(event, 18, index); 597 sm_dispatch_event(HCI_EVENT_PACKET, 0, event, sizeof(event)); 598 } 599 600 static void sm_notify_client_status(uint8_t type, hci_con_handle_t con_handle, uint8_t addr_type, bd_addr_t address, uint8_t status){ 601 uint8_t event[12]; 602 sm_setup_event_base(event, sizeof(event), type, con_handle, addr_type, address); 603 event[11] = status; 604 sm_dispatch_event(HCI_EVENT_PACKET, 0, (uint8_t*) &event, sizeof(event)); 605 } 606 607 608 static void sm_reencryption_started(sm_connection_t * sm_conn){ 609 610 if (sm_conn->sm_reencryption_active) return; 611 612 sm_conn->sm_reencryption_active = true; 613 614 int identity_addr_type; 615 bd_addr_t identity_addr; 616 if (sm_conn->sm_le_db_index >= 0){ 617 // fetch addr and addr type from db, only called for valid entries 618 le_device_db_info(sm_conn->sm_le_db_index, &identity_addr_type, identity_addr, NULL); 619 } else { 620 // for legacy pairing with LTK re-construction, use current peer addr 621 identity_addr_type = sm_conn->sm_peer_addr_type; 622 // cppcheck-suppress uninitvar ; identity_addr is reported as uninitialized although it's the destination of the memcpy 623 memcpy(identity_addr, sm_conn->sm_peer_address, 6); 624 } 625 626 sm_notify_client_base(SM_EVENT_REENCRYPTION_STARTED, sm_conn->sm_handle, identity_addr_type, identity_addr); 627 } 628 629 static void sm_reencryption_complete(sm_connection_t * sm_conn, uint8_t status){ 630 631 if (!sm_conn->sm_reencryption_active) return; 632 633 sm_conn->sm_reencryption_active = false; 634 635 int identity_addr_type; 636 bd_addr_t identity_addr; 637 if (sm_conn->sm_le_db_index >= 0){ 638 // fetch addr and addr type from db, only called for valid entries 639 le_device_db_info(sm_conn->sm_le_db_index, &identity_addr_type, identity_addr, NULL); 640 } else { 641 // for legacy pairing with LTK re-construction, use current peer addr 642 identity_addr_type = sm_conn->sm_peer_addr_type; 643 // cppcheck-suppress uninitvar ; identity_addr is reported as uninitialized although it's the destination of the memcpy 644 memcpy(identity_addr, sm_conn->sm_peer_address, 6); 645 } 646 647 sm_notify_client_status(SM_EVENT_REENCRYPTION_COMPLETE, sm_conn->sm_handle, identity_addr_type, identity_addr, status); 648 } 649 650 static void sm_pairing_started(sm_connection_t * sm_conn){ 651 652 if (sm_conn->sm_pairing_active) return; 653 654 sm_conn->sm_pairing_active = true; 655 656 uint8_t event[11]; 657 sm_setup_event_base(event, sizeof(event), SM_EVENT_PAIRING_STARTED, sm_conn->sm_handle, setup->sm_peer_addr_type, setup->sm_peer_address); 658 sm_dispatch_event(HCI_EVENT_PACKET, 0, (uint8_t*) &event, sizeof(event)); 659 } 660 661 static void sm_pairing_complete(sm_connection_t * sm_conn, uint8_t status, uint8_t reason){ 662 663 if (!sm_conn->sm_pairing_active) return; 664 665 sm_conn->sm_pairing_active = false; 666 667 uint8_t event[13]; 668 sm_setup_event_base(event, sizeof(event), SM_EVENT_PAIRING_COMPLETE, sm_conn->sm_handle, setup->sm_peer_addr_type, setup->sm_peer_address); 669 event[11] = status; 670 event[12] = reason; 671 sm_dispatch_event(HCI_EVENT_PACKET, 0, (uint8_t*) &event, sizeof(event)); 672 } 673 674 // SMP Timeout implementation 675 676 // Upon transmission of the Pairing Request command or reception of the Pairing Request command, 677 // the Security Manager Timer shall be reset and started. 678 // 679 // The Security Manager Timer shall be reset when an L2CAP SMP command is queued for transmission. 680 // 681 // If the Security Manager Timer reaches 30 seconds, the procedure shall be considered to have failed, 682 // and the local higher layer shall be notified. No further SMP commands shall be sent over the L2CAP 683 // Security Manager Channel. A new SM procedure shall only be performed when a new physical link has been 684 // established. 685 686 static void sm_timeout_handler(btstack_timer_source_t * timer){ 687 log_info("SM timeout"); 688 sm_connection_t * sm_conn = (sm_connection_t*) btstack_run_loop_get_timer_context(timer); 689 sm_conn->sm_engine_state = SM_GENERAL_TIMEOUT; 690 sm_reencryption_complete(sm_conn, ERROR_CODE_CONNECTION_TIMEOUT); 691 sm_pairing_complete(sm_conn, ERROR_CODE_CONNECTION_TIMEOUT, 0); 692 sm_done_for_handle(sm_conn->sm_handle); 693 694 // trigger handling of next ready connection 695 sm_run(); 696 } 697 static void sm_timeout_start(sm_connection_t * sm_conn){ 698 btstack_run_loop_remove_timer(&setup->sm_timeout); 699 btstack_run_loop_set_timer_context(&setup->sm_timeout, sm_conn); 700 btstack_run_loop_set_timer_handler(&setup->sm_timeout, sm_timeout_handler); 701 btstack_run_loop_set_timer(&setup->sm_timeout, 30000); // 30 seconds sm timeout 702 btstack_run_loop_add_timer(&setup->sm_timeout); 703 } 704 static void sm_timeout_stop(void){ 705 btstack_run_loop_remove_timer(&setup->sm_timeout); 706 } 707 static void sm_timeout_reset(sm_connection_t * sm_conn){ 708 sm_timeout_stop(); 709 sm_timeout_start(sm_conn); 710 } 711 712 // end of sm timeout 713 714 // GAP Random Address updates 715 static gap_random_address_type_t gap_random_adress_type; 716 static btstack_timer_source_t gap_random_address_update_timer; 717 static uint32_t gap_random_adress_update_period; 718 719 static void gap_random_address_trigger(void){ 720 log_info("gap_random_address_trigger, state %u", rau_state); 721 if (rau_state != RAU_IDLE) return; 722 rau_state = RAU_GET_RANDOM; 723 sm_trigger_run(); 724 } 725 726 static void gap_random_address_update_handler(btstack_timer_source_t * timer){ 727 UNUSED(timer); 728 729 log_info("GAP Random Address Update due"); 730 btstack_run_loop_set_timer(&gap_random_address_update_timer, gap_random_adress_update_period); 731 btstack_run_loop_add_timer(&gap_random_address_update_timer); 732 gap_random_address_trigger(); 733 } 734 735 static void gap_random_address_update_start(void){ 736 btstack_run_loop_set_timer_handler(&gap_random_address_update_timer, gap_random_address_update_handler); 737 btstack_run_loop_set_timer(&gap_random_address_update_timer, gap_random_adress_update_period); 738 btstack_run_loop_add_timer(&gap_random_address_update_timer); 739 } 740 741 static void gap_random_address_update_stop(void){ 742 btstack_run_loop_remove_timer(&gap_random_address_update_timer); 743 } 744 745 // ah(k,r) helper 746 // r = padding || r 747 // r - 24 bit value 748 static void sm_ah_r_prime(uint8_t r[3], uint8_t * r_prime){ 749 // r'= padding || r 750 memset(r_prime, 0, 16); 751 (void)memcpy(&r_prime[13], r, 3); 752 } 753 754 // d1 helper 755 // d' = padding || r || d 756 // d,r - 16 bit values 757 static void sm_d1_d_prime(uint16_t d, uint16_t r, uint8_t * d1_prime){ 758 // d'= padding || r || d 759 memset(d1_prime, 0, 16); 760 big_endian_store_16(d1_prime, 12, r); 761 big_endian_store_16(d1_prime, 14, d); 762 } 763 764 // calculate arguments for first AES128 operation in C1 function 765 static void sm_c1_t1(sm_key_t r, uint8_t preq[7], uint8_t pres[7], uint8_t iat, uint8_t rat, uint8_t * t1){ 766 767 // p1 = pres || preq || rat’ || iat’ 768 // "The octet of iat’ becomes the least significant octet of p1 and the most signifi- 769 // cant octet of pres becomes the most significant octet of p1. 770 // For example, if the 8-bit iat’ is 0x01, the 8-bit rat’ is 0x00, the 56-bit preq 771 // is 0x07071000000101 and the 56 bit pres is 0x05000800000302 then 772 // p1 is 0x05000800000302070710000001010001." 773 774 sm_key_t p1; 775 reverse_56(pres, &p1[0]); 776 reverse_56(preq, &p1[7]); 777 p1[14] = rat; 778 p1[15] = iat; 779 log_info_key("p1", p1); 780 log_info_key("r", r); 781 782 // t1 = r xor p1 783 int i; 784 for (i=0;i<16;i++){ 785 t1[i] = r[i] ^ p1[i]; 786 } 787 log_info_key("t1", t1); 788 } 789 790 // calculate arguments for second AES128 operation in C1 function 791 static void sm_c1_t3(sm_key_t t2, bd_addr_t ia, bd_addr_t ra, uint8_t * t3){ 792 // p2 = padding || ia || ra 793 // "The least significant octet of ra becomes the least significant octet of p2 and 794 // the most significant octet of padding becomes the most significant octet of p2. 795 // For example, if 48-bit ia is 0xA1A2A3A4A5A6 and the 48-bit ra is 796 // 0xB1B2B3B4B5B6 then p2 is 0x00000000A1A2A3A4A5A6B1B2B3B4B5B6. 797 798 sm_key_t p2; 799 // cppcheck-suppress uninitvar ; p2 is reported as uninitialized 800 memset(p2, 0, 16); 801 (void)memcpy(&p2[4], ia, 6); 802 (void)memcpy(&p2[10], ra, 6); 803 log_info_key("p2", p2); 804 805 // c1 = e(k, t2_xor_p2) 806 int i; 807 for (i=0;i<16;i++){ 808 t3[i] = t2[i] ^ p2[i]; 809 } 810 log_info_key("t3", t3); 811 } 812 813 static void sm_s1_r_prime(sm_key_t r1, sm_key_t r2, uint8_t * r_prime){ 814 log_info_key("r1", r1); 815 log_info_key("r2", r2); 816 (void)memcpy(&r_prime[8], &r2[8], 8); 817 (void)memcpy(&r_prime[0], &r1[8], 8); 818 } 819 820 821 // decide on stk generation based on 822 // - pairing request 823 // - io capabilities 824 // - OOB data availability 825 static void sm_setup_tk(void){ 826 827 // horizontal: initiator capabilities 828 // vertial: responder capabilities 829 static const stk_generation_method_t stk_generation_method [5] [5] = { 830 { JUST_WORKS, JUST_WORKS, PK_INIT_INPUT, JUST_WORKS, PK_INIT_INPUT }, 831 { JUST_WORKS, JUST_WORKS, PK_INIT_INPUT, JUST_WORKS, PK_INIT_INPUT }, 832 { PK_RESP_INPUT, PK_RESP_INPUT, PK_BOTH_INPUT, JUST_WORKS, PK_RESP_INPUT }, 833 { JUST_WORKS, JUST_WORKS, JUST_WORKS, JUST_WORKS, JUST_WORKS }, 834 { PK_RESP_INPUT, PK_RESP_INPUT, PK_INIT_INPUT, JUST_WORKS, PK_RESP_INPUT }, 835 }; 836 837 // uses numeric comparison if one side has DisplayYesNo and KeyboardDisplay combinations 838 #ifdef ENABLE_LE_SECURE_CONNECTIONS 839 static const stk_generation_method_t stk_generation_method_with_secure_connection[5][5] = { 840 { JUST_WORKS, JUST_WORKS, PK_INIT_INPUT, JUST_WORKS, PK_INIT_INPUT }, 841 { JUST_WORKS, NUMERIC_COMPARISON, PK_INIT_INPUT, JUST_WORKS, NUMERIC_COMPARISON }, 842 { PK_RESP_INPUT, PK_RESP_INPUT, PK_BOTH_INPUT, JUST_WORKS, PK_RESP_INPUT }, 843 { JUST_WORKS, JUST_WORKS, JUST_WORKS, JUST_WORKS, JUST_WORKS }, 844 { PK_RESP_INPUT, NUMERIC_COMPARISON, PK_INIT_INPUT, JUST_WORKS, NUMERIC_COMPARISON }, 845 }; 846 #endif 847 848 // default: just works 849 setup->sm_stk_generation_method = JUST_WORKS; 850 851 #ifdef ENABLE_LE_SECURE_CONNECTIONS 852 setup->sm_use_secure_connections = ( sm_pairing_packet_get_auth_req(setup->sm_m_preq) 853 & sm_pairing_packet_get_auth_req(setup->sm_s_pres) 854 & SM_AUTHREQ_SECURE_CONNECTION ) != 0u; 855 #else 856 setup->sm_use_secure_connections = 0; 857 #endif 858 log_info("Secure pairing: %u", setup->sm_use_secure_connections); 859 860 861 // decide if OOB will be used based on SC vs. Legacy and oob flags 862 bool use_oob; 863 if (setup->sm_use_secure_connections){ 864 // In LE Secure Connections pairing, the out of band method is used if at least 865 // one device has the peer device's out of band authentication data available. 866 use_oob = (sm_pairing_packet_get_oob_data_flag(setup->sm_m_preq) | sm_pairing_packet_get_oob_data_flag(setup->sm_s_pres)) != 0; 867 } else { 868 // In LE legacy pairing, the out of band method is used if both the devices have 869 // the other device's out of band authentication data available. 870 use_oob = (sm_pairing_packet_get_oob_data_flag(setup->sm_m_preq) & sm_pairing_packet_get_oob_data_flag(setup->sm_s_pres)) != 0; 871 } 872 if (use_oob){ 873 log_info("SM: have OOB data"); 874 log_info_key("OOB", setup->sm_tk); 875 setup->sm_stk_generation_method = OOB; 876 return; 877 } 878 879 // If both devices have not set the MITM option in the Authentication Requirements 880 // Flags, then the IO capabilities shall be ignored and the Just Works association 881 // model shall be used. 882 if (((sm_pairing_packet_get_auth_req(setup->sm_m_preq) & SM_AUTHREQ_MITM_PROTECTION) == 0u) 883 && ((sm_pairing_packet_get_auth_req(setup->sm_s_pres) & SM_AUTHREQ_MITM_PROTECTION) == 0u)){ 884 log_info("SM: MITM not required by both -> JUST WORKS"); 885 return; 886 } 887 888 // Reset TK as it has been setup in sm_init_setup 889 sm_reset_tk(); 890 891 // Also use just works if unknown io capabilites 892 if ((sm_pairing_packet_get_io_capability(setup->sm_m_preq) > IO_CAPABILITY_KEYBOARD_DISPLAY) || (sm_pairing_packet_get_io_capability(setup->sm_s_pres) > IO_CAPABILITY_KEYBOARD_DISPLAY)){ 893 return; 894 } 895 896 // Otherwise the IO capabilities of the devices shall be used to determine the 897 // pairing method as defined in Table 2.4. 898 // see http://stackoverflow.com/a/1052837/393697 for how to specify pointer to 2-dimensional array 899 const stk_generation_method_t (*generation_method)[5] = stk_generation_method; 900 901 #ifdef ENABLE_LE_SECURE_CONNECTIONS 902 // table not define by default 903 if (setup->sm_use_secure_connections){ 904 generation_method = stk_generation_method_with_secure_connection; 905 } 906 #endif 907 setup->sm_stk_generation_method = generation_method[sm_pairing_packet_get_io_capability(setup->sm_s_pres)][sm_pairing_packet_get_io_capability(setup->sm_m_preq)]; 908 909 log_info("sm_setup_tk: master io cap: %u, slave io cap: %u -> method %u", 910 sm_pairing_packet_get_io_capability(setup->sm_m_preq), sm_pairing_packet_get_io_capability(setup->sm_s_pres), setup->sm_stk_generation_method); 911 } 912 913 static int sm_key_distribution_flags_for_set(uint8_t key_set){ 914 int flags = 0; 915 if (key_set & SM_KEYDIST_ENC_KEY){ 916 flags |= SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION; 917 flags |= SM_KEYDIST_FLAG_MASTER_IDENTIFICATION; 918 } 919 if (key_set & SM_KEYDIST_ID_KEY){ 920 flags |= SM_KEYDIST_FLAG_IDENTITY_INFORMATION; 921 flags |= SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION; 922 } 923 if (key_set & SM_KEYDIST_SIGN){ 924 flags |= SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION; 925 } 926 return flags; 927 } 928 929 static void sm_setup_key_distribution(uint8_t keys_to_send, uint8_t keys_to_receive){ 930 setup->sm_key_distribution_received_set = 0; 931 setup->sm_key_distribution_expected_set = sm_key_distribution_flags_for_set(keys_to_receive); 932 setup->sm_key_distribution_send_set = sm_key_distribution_flags_for_set(keys_to_send); 933 setup->sm_key_distribution_sent_set = 0; 934 #ifdef ENABLE_LE_SIGNED_WRITE 935 setup->sm_le_device_index = -1; 936 #endif 937 } 938 939 // CSRK Key Lookup 940 941 942 static int sm_address_resolution_idle(void){ 943 return sm_address_resolution_mode == ADDRESS_RESOLUTION_IDLE; 944 } 945 946 static void sm_address_resolution_start_lookup(uint8_t addr_type, hci_con_handle_t con_handle, bd_addr_t addr, address_resolution_mode_t mode, void * context){ 947 (void)memcpy(sm_address_resolution_address, addr, 6); 948 sm_address_resolution_addr_type = addr_type; 949 sm_address_resolution_test = 0; 950 sm_address_resolution_mode = mode; 951 sm_address_resolution_context = context; 952 sm_notify_client_base(SM_EVENT_IDENTITY_RESOLVING_STARTED, con_handle, addr_type, addr); 953 } 954 955 int sm_address_resolution_lookup(uint8_t address_type, bd_addr_t address){ 956 // check if already in list 957 btstack_linked_list_iterator_t it; 958 sm_lookup_entry_t * entry; 959 btstack_linked_list_iterator_init(&it, &sm_address_resolution_general_queue); 960 while(btstack_linked_list_iterator_has_next(&it)){ 961 entry = (sm_lookup_entry_t *) btstack_linked_list_iterator_next(&it); 962 if (entry->address_type != address_type) continue; 963 if (memcmp(entry->address, address, 6)) continue; 964 // already in list 965 return BTSTACK_BUSY; 966 } 967 entry = btstack_memory_sm_lookup_entry_get(); 968 if (!entry) return BTSTACK_MEMORY_ALLOC_FAILED; 969 entry->address_type = (bd_addr_type_t) address_type; 970 (void)memcpy(entry->address, address, 6); 971 btstack_linked_list_add(&sm_address_resolution_general_queue, (btstack_linked_item_t *) entry); 972 sm_trigger_run(); 973 return 0; 974 } 975 976 // CMAC calculation using AES Engineq 977 #ifdef USE_CMAC_ENGINE 978 979 static void sm_cmac_done_trampoline(void * arg){ 980 UNUSED(arg); 981 sm_cmac_active = 0; 982 (*sm_cmac_done_callback)(sm_cmac_hash); 983 sm_trigger_run(); 984 } 985 986 int sm_cmac_ready(void){ 987 return sm_cmac_active == 0u; 988 } 989 #endif 990 991 #ifdef ENABLE_LE_SECURE_CONNECTIONS 992 // generic cmac calculation 993 static void sm_cmac_message_start(const sm_key_t key, uint16_t message_len, const uint8_t * message, void (*done_callback)(uint8_t * hash)){ 994 sm_cmac_active = 1; 995 sm_cmac_done_callback = done_callback; 996 btstack_crypto_aes128_cmac_message(&sm_cmac_request, key, message_len, message, sm_cmac_hash, sm_cmac_done_trampoline, NULL); 997 } 998 #endif 999 1000 // cmac for ATT Message signing 1001 #ifdef ENABLE_LE_SIGNED_WRITE 1002 1003 static void sm_cmac_generator_start(const sm_key_t key, uint16_t message_len, uint8_t (*get_byte_callback)(uint16_t offset), void (*done_callback)(uint8_t * hash)){ 1004 sm_cmac_active = 1; 1005 sm_cmac_done_callback = done_callback; 1006 btstack_crypto_aes128_cmac_generator(&sm_cmac_request, key, message_len, get_byte_callback, sm_cmac_hash, sm_cmac_done_trampoline, NULL); 1007 } 1008 1009 static uint8_t sm_cmac_signed_write_message_get_byte(uint16_t offset){ 1010 if (offset >= sm_cmac_signed_write_message_len) { 1011 log_error("sm_cmac_signed_write_message_get_byte. out of bounds, access %u, len %u", offset, sm_cmac_signed_write_message_len); 1012 return 0; 1013 } 1014 1015 offset = sm_cmac_signed_write_message_len - 1 - offset; 1016 1017 // sm_cmac_signed_write_header[3] | message[] | sm_cmac_signed_write_sign_counter[4] 1018 if (offset < 3){ 1019 return sm_cmac_signed_write_header[offset]; 1020 } 1021 int actual_message_len_incl_header = sm_cmac_signed_write_message_len - 4; 1022 if (offset < actual_message_len_incl_header){ 1023 return sm_cmac_signed_write_message[offset - 3]; 1024 } 1025 return sm_cmac_signed_write_sign_counter[offset - actual_message_len_incl_header]; 1026 } 1027 1028 void sm_cmac_signed_write_start(const sm_key_t k, uint8_t opcode, hci_con_handle_t con_handle, uint16_t message_len, const uint8_t * message, uint32_t sign_counter, void (*done_handler)(uint8_t * hash)){ 1029 // ATT Message Signing 1030 sm_cmac_signed_write_header[0] = opcode; 1031 little_endian_store_16(sm_cmac_signed_write_header, 1, con_handle); 1032 little_endian_store_32(sm_cmac_signed_write_sign_counter, 0, sign_counter); 1033 uint16_t total_message_len = 3 + message_len + 4; // incl. virtually prepended att opcode, handle and appended sign_counter in LE 1034 sm_cmac_signed_write_message = message; 1035 sm_cmac_signed_write_message_len = total_message_len; 1036 sm_cmac_generator_start(k, total_message_len, &sm_cmac_signed_write_message_get_byte, done_handler); 1037 } 1038 #endif 1039 1040 static void sm_trigger_user_response_basic(sm_connection_t * sm_conn, uint8_t event_type){ 1041 setup->sm_user_response = SM_USER_RESPONSE_PENDING; 1042 uint8_t event[12]; 1043 sm_setup_event_base(event, sizeof(event), event_type, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address); 1044 event[11] = setup->sm_use_secure_connections ? 1 : 0; 1045 sm_dispatch_event(HCI_EVENT_PACKET, 0, event, sizeof(event)); 1046 } 1047 1048 static void sm_trigger_user_response_passkey(sm_connection_t * sm_conn, uint8_t event_type){ 1049 uint8_t event[16]; 1050 uint32_t passkey = big_endian_read_32(setup->sm_tk, 12); 1051 sm_setup_event_base(event, sizeof(event), event_type, sm_conn->sm_handle, 1052 sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address); 1053 event[11] = setup->sm_use_secure_connections ? 1 : 0; 1054 little_endian_store_32(event, 12, passkey); 1055 sm_dispatch_event(HCI_EVENT_PACKET, 0, event, sizeof(event)); 1056 } 1057 1058 static void sm_trigger_user_response(sm_connection_t * sm_conn){ 1059 // notify client for: JUST WORKS confirm, Numeric comparison confirm, PASSKEY display or input 1060 setup->sm_user_response = SM_USER_RESPONSE_IDLE; 1061 sm_conn->sm_pairing_active = true; 1062 switch (setup->sm_stk_generation_method){ 1063 case PK_RESP_INPUT: 1064 if (IS_RESPONDER(sm_conn->sm_role)){ 1065 sm_trigger_user_response_basic(sm_conn, SM_EVENT_PASSKEY_INPUT_NUMBER); 1066 } else { 1067 sm_trigger_user_response_passkey(sm_conn, SM_EVENT_PASSKEY_DISPLAY_NUMBER); 1068 } 1069 break; 1070 case PK_INIT_INPUT: 1071 if (IS_RESPONDER(sm_conn->sm_role)){ 1072 sm_trigger_user_response_passkey(sm_conn, SM_EVENT_PASSKEY_DISPLAY_NUMBER); 1073 } else { 1074 sm_trigger_user_response_basic(sm_conn, SM_EVENT_PASSKEY_INPUT_NUMBER); 1075 } 1076 break; 1077 case PK_BOTH_INPUT: 1078 sm_trigger_user_response_basic(sm_conn, SM_EVENT_PASSKEY_INPUT_NUMBER); 1079 break; 1080 case NUMERIC_COMPARISON: 1081 sm_trigger_user_response_passkey(sm_conn, SM_EVENT_NUMERIC_COMPARISON_REQUEST); 1082 break; 1083 case JUST_WORKS: 1084 sm_trigger_user_response_basic(sm_conn, SM_EVENT_JUST_WORKS_REQUEST); 1085 break; 1086 case OOB: 1087 // client already provided OOB data, let's skip notification. 1088 break; 1089 default: 1090 btstack_assert(false); 1091 break; 1092 } 1093 } 1094 1095 static bool sm_key_distribution_all_received(void) { 1096 log_debug("sm_key_distribution_all_received: received 0x%02x, expecting 0x%02x", setup->sm_key_distribution_received_set, setup->sm_key_distribution_expected_set); 1097 return (setup->sm_key_distribution_expected_set & setup->sm_key_distribution_received_set) == setup->sm_key_distribution_expected_set; 1098 } 1099 1100 static void sm_done_for_handle(hci_con_handle_t con_handle){ 1101 if (sm_active_connection_handle == con_handle){ 1102 sm_timeout_stop(); 1103 sm_active_connection_handle = HCI_CON_HANDLE_INVALID; 1104 log_info("sm: connection 0x%x released setup context", con_handle); 1105 1106 #ifdef ENABLE_LE_SECURE_CONNECTIONS 1107 // generate new ec key after each pairing (that used it) 1108 if (setup->sm_use_secure_connections){ 1109 sm_ec_generate_new_key(); 1110 } 1111 #endif 1112 } 1113 } 1114 1115 static void sm_master_pairing_success(sm_connection_t *connection) {// master -> all done 1116 connection->sm_engine_state = SM_INITIATOR_CONNECTED; 1117 sm_pairing_complete(connection, ERROR_CODE_SUCCESS, 0); 1118 sm_done_for_handle(connection->sm_handle); 1119 } 1120 1121 static int sm_key_distribution_flags_for_auth_req(void){ 1122 1123 int flags = SM_KEYDIST_ID_KEY; 1124 if (sm_auth_req & SM_AUTHREQ_BONDING){ 1125 // encryption and signing information only if bonding requested 1126 flags |= SM_KEYDIST_ENC_KEY; 1127 #ifdef ENABLE_LE_SIGNED_WRITE 1128 flags |= SM_KEYDIST_SIGN; 1129 #endif 1130 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 1131 // LinkKey for CTKD requires SC 1132 if (sm_auth_req & SM_AUTHREQ_SECURE_CONNECTION){ 1133 flags |= SM_KEYDIST_LINK_KEY; 1134 } 1135 #endif 1136 } 1137 return flags; 1138 } 1139 1140 static void sm_reset_setup(void){ 1141 // fill in sm setup 1142 setup->sm_state_vars = 0; 1143 setup->sm_keypress_notification = 0; 1144 setup->sm_have_oob_data = 0; 1145 sm_reset_tk(); 1146 } 1147 1148 static void sm_init_setup(sm_connection_t * sm_conn){ 1149 // fill in sm setup 1150 setup->sm_peer_addr_type = sm_conn->sm_peer_addr_type; 1151 (void)memcpy(setup->sm_peer_address, sm_conn->sm_peer_address, 6); 1152 1153 // query client for Legacy Pairing OOB data 1154 if (sm_get_oob_data != NULL) { 1155 setup->sm_have_oob_data = (*sm_get_oob_data)(sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address, setup->sm_tk); 1156 } 1157 1158 // if available and SC supported, also ask for SC OOB Data 1159 #ifdef ENABLE_LE_SECURE_CONNECTIONS 1160 memset(setup->sm_ra, 0, 16); 1161 memset(setup->sm_rb, 0, 16); 1162 if (setup->sm_have_oob_data && (sm_auth_req & SM_AUTHREQ_SECURE_CONNECTION)){ 1163 if (sm_get_sc_oob_data != NULL){ 1164 if (IS_RESPONDER(sm_conn->sm_role)){ 1165 setup->sm_have_oob_data = (*sm_get_sc_oob_data)( 1166 sm_conn->sm_peer_addr_type, 1167 sm_conn->sm_peer_address, 1168 setup->sm_peer_confirm, 1169 setup->sm_ra); 1170 } else { 1171 setup->sm_have_oob_data = (*sm_get_sc_oob_data)( 1172 sm_conn->sm_peer_addr_type, 1173 sm_conn->sm_peer_address, 1174 setup->sm_peer_confirm, 1175 setup->sm_rb); 1176 } 1177 } else { 1178 setup->sm_have_oob_data = 0; 1179 } 1180 } 1181 #endif 1182 1183 sm_pairing_packet_t * local_packet; 1184 if (IS_RESPONDER(sm_conn->sm_role)){ 1185 // slave 1186 local_packet = &setup->sm_s_pres; 1187 setup->sm_m_addr_type = sm_conn->sm_peer_addr_type; 1188 setup->sm_s_addr_type = sm_conn->sm_own_addr_type; 1189 (void)memcpy(setup->sm_m_address, sm_conn->sm_peer_address, 6); 1190 (void)memcpy(setup->sm_s_address, sm_conn->sm_own_address, 6); 1191 } else { 1192 // master 1193 local_packet = &setup->sm_m_preq; 1194 setup->sm_s_addr_type = sm_conn->sm_peer_addr_type; 1195 setup->sm_m_addr_type = sm_conn->sm_own_addr_type; 1196 (void)memcpy(setup->sm_s_address, sm_conn->sm_peer_address, 6); 1197 (void)memcpy(setup->sm_m_address, sm_conn->sm_own_address, 6); 1198 1199 uint8_t key_distribution_flags = sm_key_distribution_flags_for_auth_req(); 1200 sm_pairing_packet_set_initiator_key_distribution(setup->sm_m_preq, key_distribution_flags); 1201 sm_pairing_packet_set_responder_key_distribution(setup->sm_m_preq, key_distribution_flags); 1202 } 1203 1204 uint8_t auth_req = sm_auth_req & ~SM_AUTHREQ_CT2; 1205 uint8_t max_encryption_key_size = sm_max_encryption_key_size; 1206 #ifdef ENABLE_LE_SECURE_CONNECTIONS 1207 // enable SC for SC only mode 1208 if (sm_sc_only_mode){ 1209 auth_req |= SM_AUTHREQ_SECURE_CONNECTION; 1210 max_encryption_key_size = 16; 1211 } 1212 #endif 1213 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 1214 // set CT2 if SC + Bonding + CTKD 1215 const uint8_t auth_req_for_ct2 = SM_AUTHREQ_SECURE_CONNECTION | SM_AUTHREQ_BONDING; 1216 if ((auth_req & auth_req_for_ct2) == auth_req_for_ct2){ 1217 auth_req |= SM_AUTHREQ_CT2; 1218 } 1219 #endif 1220 sm_pairing_packet_set_io_capability(*local_packet, sm_io_capabilities); 1221 sm_pairing_packet_set_oob_data_flag(*local_packet, setup->sm_have_oob_data); 1222 sm_pairing_packet_set_auth_req(*local_packet, auth_req); 1223 sm_pairing_packet_set_max_encryption_key_size(*local_packet, max_encryption_key_size); 1224 } 1225 1226 static int sm_stk_generation_init(sm_connection_t * sm_conn){ 1227 1228 sm_pairing_packet_t * remote_packet; 1229 uint8_t keys_to_send; 1230 uint8_t keys_to_receive; 1231 if (IS_RESPONDER(sm_conn->sm_role)){ 1232 // slave / responder 1233 remote_packet = &setup->sm_m_preq; 1234 keys_to_send = sm_pairing_packet_get_responder_key_distribution(setup->sm_m_preq); 1235 keys_to_receive = sm_pairing_packet_get_initiator_key_distribution(setup->sm_m_preq); 1236 } else { 1237 // master / initiator 1238 remote_packet = &setup->sm_s_pres; 1239 keys_to_send = sm_pairing_packet_get_initiator_key_distribution(setup->sm_s_pres); 1240 keys_to_receive = sm_pairing_packet_get_responder_key_distribution(setup->sm_s_pres); 1241 } 1242 1243 // check key size 1244 #ifdef ENABLE_LE_SECURE_CONNECTIONS 1245 // SC Only mandates 128 bit key size 1246 if (sm_sc_only_mode && (sm_pairing_packet_get_max_encryption_key_size(*remote_packet) < 16)) { 1247 return SM_REASON_ENCRYPTION_KEY_SIZE; 1248 } 1249 #endif 1250 sm_conn->sm_actual_encryption_key_size = sm_calc_actual_encryption_key_size(sm_pairing_packet_get_max_encryption_key_size(*remote_packet)); 1251 if (sm_conn->sm_actual_encryption_key_size == 0u) return SM_REASON_ENCRYPTION_KEY_SIZE; 1252 1253 // decide on STK generation method / SC 1254 sm_setup_tk(); 1255 log_info("SMP: generation method %u", setup->sm_stk_generation_method); 1256 1257 // check if STK generation method is acceptable by client 1258 if (!sm_validate_stk_generation_method()) return SM_REASON_AUTHENTHICATION_REQUIREMENTS; 1259 1260 #ifdef ENABLE_LE_SECURE_CONNECTIONS 1261 // Check LE SC Only mode 1262 if (sm_sc_only_mode && (setup->sm_use_secure_connections == false)){ 1263 log_info("SC Only mode active but SC not possible"); 1264 return SM_REASON_AUTHENTHICATION_REQUIREMENTS; 1265 } 1266 1267 // LTK (= encryption information & master identification) only used exchanged for LE Legacy Connection 1268 if (setup->sm_use_secure_connections){ 1269 keys_to_send &= ~SM_KEYDIST_ENC_KEY; 1270 keys_to_receive &= ~SM_KEYDIST_ENC_KEY; 1271 } 1272 #endif 1273 1274 // identical to responder 1275 sm_setup_key_distribution(keys_to_send, keys_to_receive); 1276 1277 // JUST WORKS doens't provide authentication 1278 sm_conn->sm_connection_authenticated = (setup->sm_stk_generation_method == JUST_WORKS) ? 0 : 1; 1279 1280 return 0; 1281 } 1282 1283 static void sm_address_resolution_handle_event(address_resolution_event_t event){ 1284 1285 // cache and reset context 1286 int matched_device_id = sm_address_resolution_test; 1287 address_resolution_mode_t mode = sm_address_resolution_mode; 1288 void * context = sm_address_resolution_context; 1289 1290 // reset context 1291 sm_address_resolution_mode = ADDRESS_RESOLUTION_IDLE; 1292 sm_address_resolution_context = NULL; 1293 sm_address_resolution_test = -1; 1294 hci_con_handle_t con_handle = 0; 1295 1296 sm_connection_t * sm_connection; 1297 sm_key_t ltk; 1298 bool have_ltk; 1299 #ifdef ENABLE_LE_CENTRAL 1300 bool trigger_pairing; 1301 int authenticated; 1302 #endif 1303 switch (mode){ 1304 case ADDRESS_RESOLUTION_GENERAL: 1305 break; 1306 case ADDRESS_RESOLUTION_FOR_CONNECTION: 1307 sm_connection = (sm_connection_t *) context; 1308 con_handle = sm_connection->sm_handle; 1309 1310 // have ltk -> start encryption / send security request 1311 // Core 5, Vol 3, Part C, 10.3.2 Initiating a Service Request 1312 // "When a bond has been created between two devices, any reconnection should result in the local device 1313 // enabling or requesting encryption with the remote device before initiating any service request." 1314 1315 switch (event){ 1316 case ADDRESS_RESOLUTION_SUCCEEDED: 1317 sm_connection->sm_irk_lookup_state = IRK_LOOKUP_SUCCEEDED; 1318 sm_connection->sm_le_db_index = matched_device_id; 1319 log_info("ADDRESS_RESOLUTION_SUCCEEDED, index %d", sm_connection->sm_le_db_index); 1320 1321 le_device_db_encryption_get(sm_connection->sm_le_db_index, NULL, NULL, ltk, NULL, &authenticated, NULL, NULL); 1322 have_ltk = !sm_is_null_key(ltk); 1323 1324 if (sm_connection->sm_role) { 1325 #ifdef ENABLE_LE_PERIPHERAL 1326 // IRK required before, continue 1327 if (sm_connection->sm_engine_state == SM_RESPONDER_PH0_RECEIVED_LTK_W4_IRK){ 1328 sm_connection->sm_engine_state = SM_RESPONDER_PH0_RECEIVED_LTK_REQUEST; 1329 break; 1330 } 1331 if (sm_connection->sm_engine_state == SM_RESPONDER_PH1_PAIRING_REQUEST_RECEIVED_W4_IRK){ 1332 sm_connection->sm_engine_state = SM_RESPONDER_PH1_PAIRING_REQUEST_RECEIVED; 1333 break; 1334 } 1335 bool trigger_security_request = (sm_connection->sm_pairing_requested != 0) || (sm_slave_request_security != 0); 1336 sm_connection->sm_pairing_requested = 0; 1337 #ifdef ENABLE_LE_PROACTIVE_AUTHENTICATION 1338 // trigger security request for Proactive Authentication if LTK available 1339 trigger_security_request = trigger_security_request || have_ltk; 1340 #endif 1341 1342 log_info("peripheral: pairing request local %u, have_ltk %u => trigger_security_request %u", 1343 sm_connection->sm_pairing_requested, (int) have_ltk, trigger_security_request); 1344 1345 if (trigger_security_request){ 1346 sm_connection->sm_engine_state = SM_RESPONDER_SEND_SECURITY_REQUEST; 1347 if (have_ltk){ 1348 sm_reencryption_started(sm_connection); 1349 } else { 1350 sm_pairing_started(sm_connection); 1351 } 1352 sm_trigger_run(); 1353 } 1354 #endif 1355 } else { 1356 1357 #ifdef ENABLE_LE_CENTRAL 1358 // check if pairing already requested and reset requests 1359 trigger_pairing = sm_connection->sm_pairing_requested || sm_connection->sm_security_request_received; 1360 bool auth_required = sm_auth_req & SM_AUTHREQ_MITM_PROTECTION; 1361 1362 log_info("central: pairing request local %u, remote %u => trigger_pairing %u. have_ltk %u", 1363 sm_connection->sm_pairing_requested, sm_connection->sm_security_request_received, (int) trigger_pairing, (int) have_ltk); 1364 sm_connection->sm_security_request_received = 0; 1365 sm_connection->sm_pairing_requested = 0; 1366 bool trigger_reencryption = false; 1367 1368 if (have_ltk){ 1369 if (trigger_pairing){ 1370 // if pairing is requested, re-encryption is sufficient, if ltk is already authenticated or we don't require authentication 1371 trigger_reencryption = (authenticated != 0) || (auth_required == false); 1372 } else { 1373 #ifdef ENABLE_LE_PROACTIVE_AUTHENTICATION 1374 trigger_reencryption = true; 1375 #else 1376 log_info("central: defer enabling encryption for bonded device"); 1377 #endif 1378 } 1379 } 1380 1381 if (trigger_reencryption){ 1382 log_info("central: enable encryption for bonded device"); 1383 sm_connection->sm_engine_state = SM_INITIATOR_PH4_HAS_LTK; 1384 break; 1385 } 1386 1387 // pairing_request -> send pairing request 1388 if (trigger_pairing){ 1389 sm_connection->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 1390 break; 1391 } 1392 #endif 1393 } 1394 break; 1395 case ADDRESS_RESOLUTION_FAILED: 1396 sm_connection->sm_irk_lookup_state = IRK_LOOKUP_FAILED; 1397 if (sm_connection->sm_role) { 1398 #ifdef ENABLE_LE_PERIPHERAL 1399 // LTK request received before, IRK required -> negative LTK reply 1400 if (sm_connection->sm_engine_state == SM_RESPONDER_PH0_RECEIVED_LTK_W4_IRK){ 1401 sm_connection->sm_engine_state = SM_RESPONDER_PH0_SEND_LTK_REQUESTED_NEGATIVE_REPLY; 1402 } 1403 // send security request if requested 1404 bool trigger_security_request = (sm_connection->sm_pairing_requested != 0) || (sm_slave_request_security != 0); 1405 sm_connection->sm_pairing_requested = 0; 1406 if (trigger_security_request){ 1407 sm_connection->sm_engine_state = SM_RESPONDER_SEND_SECURITY_REQUEST; 1408 sm_pairing_started(sm_connection); 1409 } 1410 break; 1411 #endif 1412 } 1413 #ifdef ENABLE_LE_CENTRAL 1414 if (!sm_connection->sm_pairing_requested && !sm_connection->sm_security_request_received) break; 1415 sm_connection->sm_security_request_received = 0; 1416 sm_connection->sm_pairing_requested = 0; 1417 sm_connection->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 1418 #endif 1419 break; 1420 1421 default: 1422 btstack_assert(false); 1423 break; 1424 } 1425 break; 1426 default: 1427 break; 1428 } 1429 1430 switch (event){ 1431 case ADDRESS_RESOLUTION_SUCCEEDED: 1432 sm_notify_client_index(SM_EVENT_IDENTITY_RESOLVING_SUCCEEDED, con_handle, sm_address_resolution_addr_type, sm_address_resolution_address, matched_device_id); 1433 break; 1434 case ADDRESS_RESOLUTION_FAILED: 1435 sm_notify_client_base(SM_EVENT_IDENTITY_RESOLVING_FAILED, con_handle, sm_address_resolution_addr_type, sm_address_resolution_address); 1436 break; 1437 default: 1438 btstack_assert(false); 1439 break; 1440 } 1441 } 1442 1443 static void sm_store_bonding_information(sm_connection_t * sm_conn){ 1444 int le_db_index = -1; 1445 1446 // lookup device based on IRK 1447 if (setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_IDENTITY_INFORMATION){ 1448 int i; 1449 for (i=0; i < le_device_db_max_count(); i++){ 1450 sm_key_t irk; 1451 bd_addr_t address; 1452 int address_type = BD_ADDR_TYPE_UNKNOWN; 1453 le_device_db_info(i, &address_type, address, irk); 1454 // skip unused entries 1455 if (address_type == BD_ADDR_TYPE_UNKNOWN) continue; 1456 // compare Identity Address 1457 if (memcmp(address, setup->sm_peer_address, 6) != 0) continue; 1458 // compare Identity Resolving Key 1459 if (memcmp(irk, setup->sm_peer_irk, 16) != 0) continue; 1460 1461 log_info("sm: device found for IRK, updating"); 1462 le_db_index = i; 1463 break; 1464 } 1465 } else { 1466 // assert IRK is set to zero 1467 memset(setup->sm_peer_irk, 0, 16); 1468 } 1469 1470 // if not found, lookup via public address if possible 1471 log_info("sm peer addr type %u, peer addres %s", setup->sm_peer_addr_type, bd_addr_to_str(setup->sm_peer_address)); 1472 if ((le_db_index < 0) && (setup->sm_peer_addr_type == BD_ADDR_TYPE_LE_PUBLIC)){ 1473 int i; 1474 for (i=0; i < le_device_db_max_count(); i++){ 1475 bd_addr_t address; 1476 int address_type = BD_ADDR_TYPE_UNKNOWN; 1477 le_device_db_info(i, &address_type, address, NULL); 1478 // skip unused entries 1479 if (address_type == BD_ADDR_TYPE_UNKNOWN) continue; 1480 log_info("device %u, sm peer addr type %u, peer addres %s", i, address_type, bd_addr_to_str(address)); 1481 if ((address_type == BD_ADDR_TYPE_LE_PUBLIC) && (memcmp(address, setup->sm_peer_address, 6) == 0)){ 1482 log_info("sm: device found for public address, updating"); 1483 le_db_index = i; 1484 break; 1485 } 1486 } 1487 } 1488 1489 // if not found, add to db 1490 bool new_to_le_device_db = false; 1491 if (le_db_index < 0) { 1492 le_db_index = le_device_db_add(setup->sm_peer_addr_type, setup->sm_peer_address, setup->sm_peer_irk); 1493 new_to_le_device_db = true; 1494 } 1495 1496 if (le_db_index >= 0){ 1497 1498 #ifdef ENABLE_LE_PRIVACY_ADDRESS_RESOLUTION 1499 if (!new_to_le_device_db){ 1500 hci_remove_le_device_db_entry_from_resolving_list(le_db_index); 1501 } 1502 hci_load_le_device_db_entry_into_resolving_list(le_db_index); 1503 #else 1504 UNUSED(new_to_le_device_db); 1505 #endif 1506 1507 sm_notify_client_index(SM_EVENT_IDENTITY_CREATED, sm_conn->sm_handle, setup->sm_peer_addr_type, setup->sm_peer_address, le_db_index); 1508 sm_conn->sm_irk_lookup_state = IRK_LOOKUP_SUCCEEDED; 1509 sm_conn->sm_le_db_index = le_db_index; 1510 1511 #ifdef ENABLE_LE_SIGNED_WRITE 1512 // store local CSRK 1513 setup->sm_le_device_index = le_db_index; 1514 if ((setup->sm_key_distribution_sent_set) & SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION){ 1515 log_info("sm: store local CSRK"); 1516 le_device_db_local_csrk_set(le_db_index, setup->sm_local_csrk); 1517 le_device_db_local_counter_set(le_db_index, 0); 1518 } 1519 1520 // store remote CSRK 1521 if (setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION){ 1522 log_info("sm: store remote CSRK"); 1523 le_device_db_remote_csrk_set(le_db_index, setup->sm_peer_csrk); 1524 le_device_db_remote_counter_set(le_db_index, 0); 1525 } 1526 #endif 1527 // store encryption information for secure connections: LTK generated by ECDH 1528 if (setup->sm_use_secure_connections){ 1529 log_info("sm: store SC LTK (key size %u, authenticated %u)", sm_conn->sm_actual_encryption_key_size, sm_conn->sm_connection_authenticated); 1530 uint8_t zero_rand[8]; 1531 memset(zero_rand, 0, 8); 1532 le_device_db_encryption_set(le_db_index, 0, zero_rand, setup->sm_ltk, sm_conn->sm_actual_encryption_key_size, 1533 sm_conn->sm_connection_authenticated, sm_conn->sm_connection_authorization_state == AUTHORIZATION_GRANTED, 1); 1534 } 1535 1536 // store encryption information for legacy pairing: peer LTK, EDIV, RAND 1537 else if ( (setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION) 1538 && (setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_MASTER_IDENTIFICATION )){ 1539 log_info("sm: set encryption information (key size %u, authenticated %u)", sm_conn->sm_actual_encryption_key_size, sm_conn->sm_connection_authenticated); 1540 le_device_db_encryption_set(le_db_index, setup->sm_peer_ediv, setup->sm_peer_rand, setup->sm_peer_ltk, 1541 sm_conn->sm_actual_encryption_key_size, sm_conn->sm_connection_authenticated, sm_conn->sm_connection_authorization_state == AUTHORIZATION_GRANTED, 0); 1542 1543 } 1544 } 1545 } 1546 1547 static void sm_pairing_error(sm_connection_t * sm_conn, uint8_t reason){ 1548 sm_conn->sm_pairing_failed_reason = reason; 1549 sm_conn->sm_engine_state = SM_GENERAL_SEND_PAIRING_FAILED; 1550 } 1551 1552 static int sm_le_device_db_index_lookup(bd_addr_type_t address_type, bd_addr_t address){ 1553 int i; 1554 for (i=0; i < le_device_db_max_count(); i++){ 1555 bd_addr_t db_address; 1556 int db_address_type = BD_ADDR_TYPE_UNKNOWN; 1557 le_device_db_info(i, &db_address_type, db_address, NULL); 1558 // skip unused entries 1559 if (address_type == BD_ADDR_TYPE_UNKNOWN) continue; 1560 if ((address_type == db_address_type) && (memcmp(address, db_address, 6) == 0)){ 1561 return i; 1562 } 1563 } 1564 return -1; 1565 } 1566 1567 static void sm_remove_le_device_db_entry(uint16_t i) { 1568 le_device_db_remove(i); 1569 #ifdef ENABLE_LE_PRIVACY_ADDRESS_RESOLUTION 1570 // to remove an entry from the resolving list requires its identity address, which was already deleted 1571 // fully reload resolving list instead 1572 gap_load_resolving_list_from_le_device_db(); 1573 #endif 1574 } 1575 1576 static uint8_t sm_key_distribution_validate_received(sm_connection_t * sm_conn){ 1577 // if identity is provided, abort if we have bonding with same address but different irk 1578 if (setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_IDENTITY_INFORMATION){ 1579 int index = sm_le_device_db_index_lookup(BD_ADDR_TYPE_LE_PUBLIC, setup->sm_peer_address); 1580 if (index >= 0){ 1581 sm_key_t irk; 1582 le_device_db_info(index, NULL, NULL, irk); 1583 if (memcmp(irk, setup->sm_peer_irk, 16) != 0){ 1584 // IRK doesn't match, delete bonding information 1585 log_info("New IRK for %s (type %u) does not match stored IRK -> delete bonding information", bd_addr_to_str(sm_conn->sm_peer_address), sm_conn->sm_peer_addr_type); 1586 sm_remove_le_device_db_entry(index); 1587 } 1588 } 1589 } 1590 return 0; 1591 } 1592 1593 static void sm_key_distribution_handle_all_received(sm_connection_t * sm_conn){ 1594 1595 // abort pairing if received keys are not valid 1596 uint8_t reason = sm_key_distribution_validate_received(sm_conn); 1597 if (reason != 0){ 1598 sm_pairing_error(sm_conn, reason); 1599 return; 1600 } 1601 1602 // only store pairing information if both sides are bondable, i.e., the bonadble flag is set 1603 bool bonding_enabled = (sm_pairing_packet_get_auth_req(setup->sm_m_preq) 1604 & sm_pairing_packet_get_auth_req(setup->sm_s_pres) 1605 & SM_AUTHREQ_BONDING ) != 0u; 1606 1607 if (bonding_enabled){ 1608 sm_store_bonding_information(sm_conn); 1609 } else { 1610 log_info("Ignoring received keys, bonding not enabled"); 1611 } 1612 } 1613 1614 static inline void sm_pdu_received_in_wrong_state(sm_connection_t * sm_conn){ 1615 sm_pairing_error(sm_conn, SM_REASON_UNSPECIFIED_REASON); 1616 } 1617 1618 #ifdef ENABLE_LE_SECURE_CONNECTIONS 1619 1620 static void sm_sc_prepare_dhkey_check(sm_connection_t * sm_conn); 1621 static int sm_passkey_used(stk_generation_method_t method); 1622 static int sm_just_works_or_numeric_comparison(stk_generation_method_t method); 1623 1624 static void sm_sc_start_calculating_local_confirm(sm_connection_t * sm_conn){ 1625 if (setup->sm_stk_generation_method == OOB){ 1626 sm_conn->sm_engine_state = SM_SC_W2_CMAC_FOR_CONFIRMATION; 1627 } else { 1628 btstack_crypto_random_generate(&sm_crypto_random_request, setup->sm_local_nonce, 16, &sm_handle_random_result_sc_next_w2_cmac_for_confirmation, (void *)(uintptr_t) sm_conn->sm_handle); 1629 } 1630 } 1631 1632 static void sm_sc_state_after_receiving_random(sm_connection_t * sm_conn){ 1633 if (IS_RESPONDER(sm_conn->sm_role)){ 1634 // Responder 1635 if (setup->sm_stk_generation_method == OOB){ 1636 // generate Nb 1637 log_info("Generate Nb"); 1638 btstack_crypto_random_generate(&sm_crypto_random_request, setup->sm_local_nonce, 16, &sm_handle_random_result_sc_next_send_pairing_random, (void *)(uintptr_t) sm_conn->sm_handle); 1639 } else { 1640 sm_conn->sm_engine_state = SM_SC_SEND_PAIRING_RANDOM; 1641 } 1642 } else { 1643 // Initiator role 1644 switch (setup->sm_stk_generation_method){ 1645 case JUST_WORKS: 1646 sm_sc_prepare_dhkey_check(sm_conn); 1647 break; 1648 1649 case NUMERIC_COMPARISON: 1650 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_G2; 1651 break; 1652 case PK_INIT_INPUT: 1653 case PK_RESP_INPUT: 1654 case PK_BOTH_INPUT: 1655 if (setup->sm_passkey_bit < 20u) { 1656 sm_sc_start_calculating_local_confirm(sm_conn); 1657 } else { 1658 sm_sc_prepare_dhkey_check(sm_conn); 1659 } 1660 break; 1661 case OOB: 1662 sm_sc_prepare_dhkey_check(sm_conn); 1663 break; 1664 default: 1665 btstack_assert(false); 1666 break; 1667 } 1668 } 1669 } 1670 1671 static void sm_sc_cmac_done(uint8_t * hash){ 1672 log_info("sm_sc_cmac_done: "); 1673 log_info_hexdump(hash, 16); 1674 1675 if (sm_sc_oob_state == SM_SC_OOB_W4_CONFIRM){ 1676 sm_sc_oob_state = SM_SC_OOB_IDLE; 1677 (*sm_sc_oob_callback)(hash, sm_sc_oob_random); 1678 return; 1679 } 1680 1681 sm_connection_t * sm_conn = sm_cmac_connection; 1682 sm_cmac_connection = NULL; 1683 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 1684 link_key_type_t link_key_type; 1685 #endif 1686 1687 switch (sm_conn->sm_engine_state){ 1688 case SM_SC_W4_CMAC_FOR_CONFIRMATION: 1689 (void)memcpy(setup->sm_local_confirm, hash, 16); 1690 sm_conn->sm_engine_state = SM_SC_SEND_CONFIRMATION; 1691 break; 1692 case SM_SC_W4_CMAC_FOR_CHECK_CONFIRMATION: 1693 // check 1694 if (0 != memcmp(hash, setup->sm_peer_confirm, 16)){ 1695 sm_pairing_error(sm_conn, SM_REASON_CONFIRM_VALUE_FAILED); 1696 break; 1697 } 1698 sm_sc_state_after_receiving_random(sm_conn); 1699 break; 1700 case SM_SC_W4_CALCULATE_G2: { 1701 uint32_t vab = big_endian_read_32(hash, 12) % 1000000; 1702 big_endian_store_32(setup->sm_tk, 12, vab); 1703 sm_conn->sm_engine_state = SM_SC_W4_USER_RESPONSE; 1704 sm_trigger_user_response(sm_conn); 1705 break; 1706 } 1707 case SM_SC_W4_CALCULATE_F5_SALT: 1708 (void)memcpy(setup->sm_t, hash, 16); 1709 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F5_MACKEY; 1710 break; 1711 case SM_SC_W4_CALCULATE_F5_MACKEY: 1712 (void)memcpy(setup->sm_mackey, hash, 16); 1713 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F5_LTK; 1714 break; 1715 case SM_SC_W4_CALCULATE_F5_LTK: 1716 // truncate sm_ltk, but keep full LTK for cross-transport key derivation in sm_local_ltk 1717 // Errata Service Release to the Bluetooth Specification: ESR09 1718 // E6405 – Cross transport key derivation from a key of size less than 128 bits 1719 // Note: When the BR/EDR link key is being derived from the LTK, the derivation is done before the LTK gets masked." 1720 (void)memcpy(setup->sm_ltk, hash, 16); 1721 (void)memcpy(setup->sm_local_ltk, hash, 16); 1722 sm_truncate_key(setup->sm_ltk, sm_conn->sm_actual_encryption_key_size); 1723 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F6_FOR_DHKEY_CHECK; 1724 break; 1725 case SM_SC_W4_CALCULATE_F6_FOR_DHKEY_CHECK: 1726 (void)memcpy(setup->sm_local_dhkey_check, hash, 16); 1727 if (IS_RESPONDER(sm_conn->sm_role)){ 1728 // responder 1729 if (setup->sm_state_vars & SM_STATE_VAR_DHKEY_COMMAND_RECEIVED){ 1730 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F6_TO_VERIFY_DHKEY_CHECK; 1731 } else { 1732 sm_conn->sm_engine_state = SM_SC_W4_DHKEY_CHECK_COMMAND; 1733 } 1734 } else { 1735 sm_conn->sm_engine_state = SM_SC_SEND_DHKEY_CHECK_COMMAND; 1736 } 1737 break; 1738 case SM_SC_W4_CALCULATE_F6_TO_VERIFY_DHKEY_CHECK: 1739 if (0 != memcmp(hash, setup->sm_peer_dhkey_check, 16) ){ 1740 sm_pairing_error(sm_conn, SM_REASON_DHKEY_CHECK_FAILED); 1741 break; 1742 } 1743 if (IS_RESPONDER(sm_conn->sm_role)){ 1744 // responder 1745 sm_conn->sm_engine_state = SM_SC_SEND_DHKEY_CHECK_COMMAND; 1746 } else { 1747 // initiator 1748 sm_conn->sm_engine_state = SM_INITIATOR_PH3_SEND_START_ENCRYPTION; 1749 } 1750 break; 1751 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 1752 case SM_SC_W4_CALCULATE_ILK: 1753 (void)memcpy(setup->sm_t, hash, 16); 1754 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_BR_EDR_LINK_KEY; 1755 break; 1756 case SM_SC_W4_CALCULATE_BR_EDR_LINK_KEY: 1757 reverse_128(hash, setup->sm_t); 1758 link_key_type = sm_conn->sm_connection_authenticated ? 1759 AUTHENTICATED_COMBINATION_KEY_GENERATED_FROM_P256 : UNAUTHENTICATED_COMBINATION_KEY_GENERATED_FROM_P256; 1760 log_info("Derived classic link key from LE using h6, type %u", (int) link_key_type); 1761 gap_store_link_key_for_bd_addr(setup->sm_peer_address, setup->sm_t, link_key_type); 1762 if (IS_RESPONDER(sm_conn->sm_role)){ 1763 sm_conn->sm_engine_state = SM_RESPONDER_IDLE; 1764 } else { 1765 sm_conn->sm_engine_state = SM_INITIATOR_CONNECTED; 1766 } 1767 sm_pairing_complete(sm_conn, ERROR_CODE_SUCCESS, 0); 1768 sm_done_for_handle(sm_conn->sm_handle); 1769 break; 1770 case SM_BR_EDR_W4_CALCULATE_ILK: 1771 (void)memcpy(setup->sm_t, hash, 16); 1772 sm_conn->sm_engine_state = SM_BR_EDR_W2_CALCULATE_LE_LTK; 1773 break; 1774 case SM_BR_EDR_W4_CALCULATE_LE_LTK: 1775 log_info("Derived LE LTK from BR/EDR Link Key"); 1776 log_info_key("Link Key", hash); 1777 (void)memcpy(setup->sm_ltk, hash, 16); 1778 sm_truncate_key(setup->sm_ltk, sm_conn->sm_actual_encryption_key_size); 1779 sm_conn->sm_connection_authenticated = setup->sm_link_key_type == AUTHENTICATED_COMBINATION_KEY_GENERATED_FROM_P256; 1780 sm_store_bonding_information(sm_conn); 1781 sm_done_for_handle(sm_conn->sm_handle); 1782 break; 1783 #endif 1784 default: 1785 log_error("sm_sc_cmac_done in state %u", sm_conn->sm_engine_state); 1786 break; 1787 } 1788 sm_trigger_run(); 1789 } 1790 1791 static void f4_engine(sm_connection_t * sm_conn, const sm_key256_t u, const sm_key256_t v, const sm_key_t x, uint8_t z){ 1792 const uint16_t message_len = 65; 1793 sm_cmac_connection = sm_conn; 1794 (void)memcpy(sm_cmac_sc_buffer, u, 32); 1795 (void)memcpy(sm_cmac_sc_buffer + 32, v, 32); 1796 sm_cmac_sc_buffer[64] = z; 1797 log_info("f4 key"); 1798 log_info_hexdump(x, 16); 1799 log_info("f4 message"); 1800 log_info_hexdump(sm_cmac_sc_buffer, message_len); 1801 sm_cmac_message_start(x, message_len, sm_cmac_sc_buffer, &sm_sc_cmac_done); 1802 } 1803 1804 static const uint8_t f5_key_id[] = { 0x62, 0x74, 0x6c, 0x65 }; 1805 static const uint8_t f5_length[] = { 0x01, 0x00}; 1806 1807 static void f5_calculate_salt(sm_connection_t * sm_conn){ 1808 1809 static const sm_key_t f5_salt = { 0x6C ,0x88, 0x83, 0x91, 0xAA, 0xF5, 0xA5, 0x38, 0x60, 0x37, 0x0B, 0xDB, 0x5A, 0x60, 0x83, 0xBE}; 1810 1811 log_info("f5_calculate_salt"); 1812 // calculate salt for f5 1813 const uint16_t message_len = 32; 1814 sm_cmac_connection = sm_conn; 1815 (void)memcpy(sm_cmac_sc_buffer, setup->sm_dhkey, message_len); 1816 sm_cmac_message_start(f5_salt, message_len, sm_cmac_sc_buffer, &sm_sc_cmac_done); 1817 } 1818 1819 static inline void f5_mackkey(sm_connection_t * sm_conn, sm_key_t t, const sm_key_t n1, const sm_key_t n2, const sm_key56_t a1, const sm_key56_t a2){ 1820 const uint16_t message_len = 53; 1821 sm_cmac_connection = sm_conn; 1822 1823 // f5(W, N1, N2, A1, A2) = AES-CMACT (Counter = 0 || keyID || N1 || N2|| A1|| A2 || Length = 256) -- this is the MacKey 1824 sm_cmac_sc_buffer[0] = 0; 1825 (void)memcpy(sm_cmac_sc_buffer + 01, f5_key_id, 4); 1826 (void)memcpy(sm_cmac_sc_buffer + 05, n1, 16); 1827 (void)memcpy(sm_cmac_sc_buffer + 21, n2, 16); 1828 (void)memcpy(sm_cmac_sc_buffer + 37, a1, 7); 1829 (void)memcpy(sm_cmac_sc_buffer + 44, a2, 7); 1830 (void)memcpy(sm_cmac_sc_buffer + 51, f5_length, 2); 1831 log_info("f5 key"); 1832 log_info_hexdump(t, 16); 1833 log_info("f5 message for MacKey"); 1834 log_info_hexdump(sm_cmac_sc_buffer, message_len); 1835 sm_cmac_message_start(t, message_len, sm_cmac_sc_buffer, &sm_sc_cmac_done); 1836 } 1837 1838 static void f5_calculate_mackey(sm_connection_t * sm_conn){ 1839 sm_key56_t bd_addr_master, bd_addr_slave; 1840 bd_addr_master[0] = setup->sm_m_addr_type; 1841 bd_addr_slave[0] = setup->sm_s_addr_type; 1842 (void)memcpy(&bd_addr_master[1], setup->sm_m_address, 6); 1843 (void)memcpy(&bd_addr_slave[1], setup->sm_s_address, 6); 1844 if (IS_RESPONDER(sm_conn->sm_role)){ 1845 // responder 1846 f5_mackkey(sm_conn, setup->sm_t, setup->sm_peer_nonce, setup->sm_local_nonce, bd_addr_master, bd_addr_slave); 1847 } else { 1848 // initiator 1849 f5_mackkey(sm_conn, setup->sm_t, setup->sm_local_nonce, setup->sm_peer_nonce, bd_addr_master, bd_addr_slave); 1850 } 1851 } 1852 1853 // note: must be called right after f5_mackey, as sm_cmac_buffer[1..52] will be reused 1854 static inline void f5_ltk(sm_connection_t * sm_conn, sm_key_t t){ 1855 const uint16_t message_len = 53; 1856 sm_cmac_connection = sm_conn; 1857 sm_cmac_sc_buffer[0] = 1; 1858 // 1..52 setup before 1859 log_info("f5 key"); 1860 log_info_hexdump(t, 16); 1861 log_info("f5 message for LTK"); 1862 log_info_hexdump(sm_cmac_sc_buffer, message_len); 1863 sm_cmac_message_start(t, message_len, sm_cmac_sc_buffer, &sm_sc_cmac_done); 1864 } 1865 1866 static void f5_calculate_ltk(sm_connection_t * sm_conn){ 1867 f5_ltk(sm_conn, setup->sm_t); 1868 } 1869 1870 static void f6_setup(const sm_key_t n1, const sm_key_t n2, const sm_key_t r, const sm_key24_t io_cap, const sm_key56_t a1, const sm_key56_t a2){ 1871 (void)memcpy(sm_cmac_sc_buffer, n1, 16); 1872 (void)memcpy(sm_cmac_sc_buffer + 16, n2, 16); 1873 (void)memcpy(sm_cmac_sc_buffer + 32, r, 16); 1874 (void)memcpy(sm_cmac_sc_buffer + 48, io_cap, 3); 1875 (void)memcpy(sm_cmac_sc_buffer + 51, a1, 7); 1876 (void)memcpy(sm_cmac_sc_buffer + 58, a2, 7); 1877 } 1878 1879 static void f6_engine(sm_connection_t * sm_conn, const sm_key_t w){ 1880 const uint16_t message_len = 65; 1881 sm_cmac_connection = sm_conn; 1882 log_info("f6 key"); 1883 log_info_hexdump(w, 16); 1884 log_info("f6 message"); 1885 log_info_hexdump(sm_cmac_sc_buffer, message_len); 1886 sm_cmac_message_start(w, 65, sm_cmac_sc_buffer, &sm_sc_cmac_done); 1887 } 1888 1889 // g2(U, V, X, Y) = AES-CMACX(U || V || Y) mod 2^32 1890 // - U is 256 bits 1891 // - V is 256 bits 1892 // - X is 128 bits 1893 // - Y is 128 bits 1894 static void g2_engine(sm_connection_t * sm_conn, const sm_key256_t u, const sm_key256_t v, const sm_key_t x, const sm_key_t y){ 1895 const uint16_t message_len = 80; 1896 sm_cmac_connection = sm_conn; 1897 (void)memcpy(sm_cmac_sc_buffer, u, 32); 1898 (void)memcpy(sm_cmac_sc_buffer + 32, v, 32); 1899 (void)memcpy(sm_cmac_sc_buffer + 64, y, 16); 1900 log_info("g2 key"); 1901 log_info_hexdump(x, 16); 1902 log_info("g2 message"); 1903 log_info_hexdump(sm_cmac_sc_buffer, message_len); 1904 sm_cmac_message_start(x, message_len, sm_cmac_sc_buffer, &sm_sc_cmac_done); 1905 } 1906 1907 static void g2_calculate(sm_connection_t * sm_conn) { 1908 // calc Va if numeric comparison 1909 if (IS_RESPONDER(sm_conn->sm_role)){ 1910 // responder 1911 g2_engine(sm_conn, setup->sm_peer_q, ec_q, setup->sm_peer_nonce, setup->sm_local_nonce);; 1912 } else { 1913 // initiator 1914 g2_engine(sm_conn, ec_q, setup->sm_peer_q, setup->sm_local_nonce, setup->sm_peer_nonce); 1915 } 1916 } 1917 1918 static void sm_sc_calculate_local_confirm(sm_connection_t * sm_conn){ 1919 uint8_t z = 0; 1920 if (sm_passkey_entry(setup->sm_stk_generation_method)){ 1921 // some form of passkey 1922 uint32_t pk = big_endian_read_32(setup->sm_tk, 12); 1923 z = 0x80u | ((pk >> setup->sm_passkey_bit) & 1u); 1924 setup->sm_passkey_bit++; 1925 } 1926 f4_engine(sm_conn, ec_q, setup->sm_peer_q, setup->sm_local_nonce, z); 1927 } 1928 1929 static void sm_sc_calculate_remote_confirm(sm_connection_t * sm_conn){ 1930 // OOB 1931 if (setup->sm_stk_generation_method == OOB){ 1932 if (IS_RESPONDER(sm_conn->sm_role)){ 1933 f4_engine(sm_conn, setup->sm_peer_q, setup->sm_peer_q, setup->sm_ra, 0); 1934 } else { 1935 f4_engine(sm_conn, setup->sm_peer_q, setup->sm_peer_q, setup->sm_rb, 0); 1936 } 1937 return; 1938 } 1939 1940 uint8_t z = 0; 1941 if (sm_passkey_entry(setup->sm_stk_generation_method)){ 1942 // some form of passkey 1943 uint32_t pk = big_endian_read_32(setup->sm_tk, 12); 1944 // sm_passkey_bit was increased before sending confirm value 1945 z = 0x80u | ((pk >> (setup->sm_passkey_bit-1u)) & 1u); 1946 } 1947 f4_engine(sm_conn, setup->sm_peer_q, ec_q, setup->sm_peer_nonce, z); 1948 } 1949 1950 static void sm_sc_prepare_dhkey_check(sm_connection_t * sm_conn){ 1951 log_info("sm_sc_prepare_dhkey_check, DHKEY calculated %u", (setup->sm_state_vars & SM_STATE_VAR_DHKEY_CALCULATED) ? 1 : 0); 1952 1953 if (setup->sm_state_vars & SM_STATE_VAR_DHKEY_CALCULATED){ 1954 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F5_SALT; 1955 return; 1956 } else { 1957 sm_conn->sm_engine_state = SM_SC_W4_CALCULATE_DHKEY; 1958 } 1959 } 1960 1961 static void sm_sc_dhkey_calculated(void * arg){ 1962 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 1963 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 1964 if (sm_conn == NULL) return; 1965 1966 // check for invalid public key detected by Controller 1967 if (sm_is_ff(setup->sm_dhkey, 32)){ 1968 log_info("sm: peer public key invalid"); 1969 sm_pairing_error(sm_conn, SM_REASON_DHKEY_CHECK_FAILED); 1970 return; 1971 } 1972 1973 log_info("dhkey"); 1974 log_info_hexdump(&setup->sm_dhkey[0], 32); 1975 setup->sm_state_vars |= SM_STATE_VAR_DHKEY_CALCULATED; 1976 // trigger next step 1977 if (sm_conn->sm_engine_state == SM_SC_W4_CALCULATE_DHKEY){ 1978 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F5_SALT; 1979 } 1980 sm_trigger_run(); 1981 } 1982 1983 static void sm_sc_calculate_f6_for_dhkey_check(sm_connection_t * sm_conn){ 1984 // calculate DHKCheck 1985 sm_key56_t bd_addr_master, bd_addr_slave; 1986 bd_addr_master[0] = setup->sm_m_addr_type; 1987 bd_addr_slave[0] = setup->sm_s_addr_type; 1988 (void)memcpy(&bd_addr_master[1], setup->sm_m_address, 6); 1989 (void)memcpy(&bd_addr_slave[1], setup->sm_s_address, 6); 1990 uint8_t iocap_a[3]; 1991 iocap_a[0] = sm_pairing_packet_get_auth_req(setup->sm_m_preq); 1992 iocap_a[1] = sm_pairing_packet_get_oob_data_flag(setup->sm_m_preq); 1993 iocap_a[2] = sm_pairing_packet_get_io_capability(setup->sm_m_preq); 1994 uint8_t iocap_b[3]; 1995 iocap_b[0] = sm_pairing_packet_get_auth_req(setup->sm_s_pres); 1996 iocap_b[1] = sm_pairing_packet_get_oob_data_flag(setup->sm_s_pres); 1997 iocap_b[2] = sm_pairing_packet_get_io_capability(setup->sm_s_pres); 1998 if (IS_RESPONDER(sm_conn->sm_role)){ 1999 // responder 2000 f6_setup(setup->sm_local_nonce, setup->sm_peer_nonce, setup->sm_ra, iocap_b, bd_addr_slave, bd_addr_master); 2001 f6_engine(sm_conn, setup->sm_mackey); 2002 } else { 2003 // initiator 2004 f6_setup( setup->sm_local_nonce, setup->sm_peer_nonce, setup->sm_rb, iocap_a, bd_addr_master, bd_addr_slave); 2005 f6_engine(sm_conn, setup->sm_mackey); 2006 } 2007 } 2008 2009 static void sm_sc_calculate_f6_to_verify_dhkey_check(sm_connection_t * sm_conn){ 2010 // validate E = f6() 2011 sm_key56_t bd_addr_master, bd_addr_slave; 2012 bd_addr_master[0] = setup->sm_m_addr_type; 2013 bd_addr_slave[0] = setup->sm_s_addr_type; 2014 (void)memcpy(&bd_addr_master[1], setup->sm_m_address, 6); 2015 (void)memcpy(&bd_addr_slave[1], setup->sm_s_address, 6); 2016 2017 uint8_t iocap_a[3]; 2018 iocap_a[0] = sm_pairing_packet_get_auth_req(setup->sm_m_preq); 2019 iocap_a[1] = sm_pairing_packet_get_oob_data_flag(setup->sm_m_preq); 2020 iocap_a[2] = sm_pairing_packet_get_io_capability(setup->sm_m_preq); 2021 uint8_t iocap_b[3]; 2022 iocap_b[0] = sm_pairing_packet_get_auth_req(setup->sm_s_pres); 2023 iocap_b[1] = sm_pairing_packet_get_oob_data_flag(setup->sm_s_pres); 2024 iocap_b[2] = sm_pairing_packet_get_io_capability(setup->sm_s_pres); 2025 if (IS_RESPONDER(sm_conn->sm_role)){ 2026 // responder 2027 f6_setup(setup->sm_peer_nonce, setup->sm_local_nonce, setup->sm_rb, iocap_a, bd_addr_master, bd_addr_slave); 2028 f6_engine(sm_conn, setup->sm_mackey); 2029 } else { 2030 // initiator 2031 f6_setup(setup->sm_peer_nonce, setup->sm_local_nonce, setup->sm_ra, iocap_b, bd_addr_slave, bd_addr_master); 2032 f6_engine(sm_conn, setup->sm_mackey); 2033 } 2034 } 2035 2036 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 2037 2038 // 2039 // Link Key Conversion Function h6 2040 // 2041 // h6(W, keyID) = AES-CMAC_W(keyID) 2042 // - W is 128 bits 2043 // - keyID is 32 bits 2044 static void h6_engine(sm_connection_t * sm_conn, const sm_key_t w, const uint32_t key_id){ 2045 const uint16_t message_len = 4; 2046 sm_cmac_connection = sm_conn; 2047 big_endian_store_32(sm_cmac_sc_buffer, 0, key_id); 2048 log_info("h6 key"); 2049 log_info_hexdump(w, 16); 2050 log_info("h6 message"); 2051 log_info_hexdump(sm_cmac_sc_buffer, message_len); 2052 sm_cmac_message_start(w, message_len, sm_cmac_sc_buffer, &sm_sc_cmac_done); 2053 } 2054 // 2055 // Link Key Conversion Function h7 2056 // 2057 // h7(SALT, W) = AES-CMAC_SALT(W) 2058 // - SALT is 128 bits 2059 // - W is 128 bits 2060 static void h7_engine(sm_connection_t * sm_conn, const sm_key_t salt, const sm_key_t w) { 2061 const uint16_t message_len = 16; 2062 sm_cmac_connection = sm_conn; 2063 log_info("h7 key"); 2064 log_info_hexdump(salt, 16); 2065 log_info("h7 message"); 2066 log_info_hexdump(w, 16); 2067 sm_cmac_message_start(salt, message_len, w, &sm_sc_cmac_done); 2068 } 2069 2070 // For SC, setup->sm_local_ltk holds full LTK (sm_ltk is already truncated) 2071 // Errata Service Release to the Bluetooth Specification: ESR09 2072 // E6405 – Cross transport key derivation from a key of size less than 128 bits 2073 // "Note: When the BR/EDR link key is being derived from the LTK, the derivation is done before the LTK gets masked." 2074 2075 static void h6_calculate_ilk_from_le_ltk(sm_connection_t * sm_conn){ 2076 h6_engine(sm_conn, setup->sm_local_ltk, 0x746D7031); // "tmp1" 2077 } 2078 2079 static void h6_calculate_ilk_from_br_edr(sm_connection_t * sm_conn){ 2080 h6_engine(sm_conn, setup->sm_link_key, 0x746D7032); // "tmp2" 2081 } 2082 2083 static void h6_calculate_br_edr_link_key(sm_connection_t * sm_conn){ 2084 h6_engine(sm_conn, setup->sm_t, 0x6c656272); // "lebr" 2085 } 2086 2087 static void h6_calculate_le_ltk(sm_connection_t * sm_conn){ 2088 h6_engine(sm_conn, setup->sm_t, 0x62726C65); // "brle" 2089 } 2090 2091 static void h7_calculate_ilk_from_le_ltk(sm_connection_t * sm_conn){ 2092 const uint8_t salt[16] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x74, 0x6D, 0x70, 0x31}; // "tmp1" 2093 h7_engine(sm_conn, salt, setup->sm_local_ltk); 2094 } 2095 2096 static void h7_calculate_ilk_from_br_edr(sm_connection_t * sm_conn){ 2097 const uint8_t salt[16] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x74, 0x6D, 0x70, 0x32}; // "tmp2" 2098 h7_engine(sm_conn, salt, setup->sm_link_key); 2099 } 2100 2101 static void sm_ctkd_fetch_br_edr_link_key(sm_connection_t * sm_conn){ 2102 hci_connection_t * hci_connection = hci_connection_for_handle(sm_conn->sm_handle); 2103 btstack_assert(hci_connection != NULL); 2104 reverse_128(hci_connection->link_key, setup->sm_link_key); 2105 setup->sm_link_key_type = hci_connection->link_key_type; 2106 } 2107 2108 static void sm_ctkd_start_from_br_edr(sm_connection_t * sm_conn){ 2109 // only derive LTK if EncKey is set by both 2110 bool derive_ltk = (sm_pairing_packet_get_initiator_key_distribution(setup->sm_s_pres) & 2111 sm_pairing_packet_get_responder_key_distribution(setup->sm_s_pres) & SM_KEYDIST_ENC_KEY) != 0; 2112 if (derive_ltk){ 2113 bool use_h7 = (sm_pairing_packet_get_auth_req(setup->sm_m_preq) & sm_pairing_packet_get_auth_req(setup->sm_s_pres) & SM_AUTHREQ_CT2) != 0; 2114 sm_conn->sm_engine_state = use_h7 ? SM_BR_EDR_W2_CALCULATE_ILK_USING_H7 : SM_BR_EDR_W2_CALCULATE_ILK_USING_H6; 2115 } else { 2116 sm_done_for_handle(sm_conn->sm_handle); 2117 } 2118 } 2119 2120 #endif 2121 2122 #endif 2123 2124 // key management legacy connections: 2125 // - potentially two different LTKs based on direction. each device stores LTK provided by peer 2126 // - master stores LTK, EDIV, RAND. responder optionally stored master LTK (only if it needs to reconnect) 2127 // - initiators reconnects: initiator uses stored LTK, EDIV, RAND generated by responder 2128 // - responder reconnects: responder uses LTK receveived from master 2129 2130 // key management secure connections: 2131 // - both devices store same LTK from ECDH key exchange. 2132 2133 #if defined(ENABLE_LE_SECURE_CONNECTIONS) || defined(ENABLE_LE_CENTRAL) 2134 static void sm_load_security_info(sm_connection_t * sm_connection){ 2135 int encryption_key_size; 2136 int authenticated; 2137 int authorized; 2138 int secure_connection; 2139 2140 // fetch data from device db - incl. authenticated/authorized/key size. Note all sm_connection_X require encryption enabled 2141 le_device_db_encryption_get(sm_connection->sm_le_db_index, &setup->sm_peer_ediv, setup->sm_peer_rand, setup->sm_peer_ltk, 2142 &encryption_key_size, &authenticated, &authorized, &secure_connection); 2143 log_info("db index %u, key size %u, authenticated %u, authorized %u, secure connetion %u", sm_connection->sm_le_db_index, encryption_key_size, authenticated, authorized, secure_connection); 2144 sm_connection->sm_actual_encryption_key_size = encryption_key_size; 2145 sm_connection->sm_connection_authenticated = authenticated; 2146 sm_connection->sm_connection_authorization_state = authorized ? AUTHORIZATION_GRANTED : AUTHORIZATION_UNKNOWN; 2147 sm_connection->sm_connection_sc = secure_connection; 2148 } 2149 #endif 2150 2151 #ifdef ENABLE_LE_PERIPHERAL 2152 static void sm_start_calculating_ltk_from_ediv_and_rand(sm_connection_t * sm_connection){ 2153 (void)memcpy(setup->sm_local_rand, sm_connection->sm_local_rand, 8); 2154 setup->sm_local_ediv = sm_connection->sm_local_ediv; 2155 // re-establish used key encryption size 2156 // no db for encryption size hack: encryption size is stored in lowest nibble of setup->sm_local_rand 2157 sm_connection->sm_actual_encryption_key_size = (setup->sm_local_rand[7u] & 0x0fu) + 1u; 2158 // no db for authenticated flag hack: flag is stored in bit 4 of LSB 2159 sm_connection->sm_connection_authenticated = (setup->sm_local_rand[7u] & 0x10u) >> 4u; 2160 // Legacy paring -> not SC 2161 sm_connection->sm_connection_sc = 0; 2162 log_info("sm: received ltk request with key size %u, authenticated %u", 2163 sm_connection->sm_actual_encryption_key_size, sm_connection->sm_connection_authenticated); 2164 } 2165 #endif 2166 2167 // distributed key generation 2168 static bool sm_run_dpkg(void){ 2169 switch (dkg_state){ 2170 case DKG_CALC_IRK: 2171 // already busy? 2172 if (sm_aes128_state == SM_AES128_IDLE) { 2173 log_info("DKG_CALC_IRK started"); 2174 // IRK = d1(IR, 1, 0) 2175 sm_d1_d_prime(1, 0, sm_aes128_plaintext); // plaintext = d1 prime 2176 sm_aes128_state = SM_AES128_ACTIVE; 2177 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, sm_persistent_ir, sm_aes128_plaintext, sm_persistent_irk, sm_handle_encryption_result_dkg_irk, NULL); 2178 return true; 2179 } 2180 break; 2181 case DKG_CALC_DHK: 2182 // already busy? 2183 if (sm_aes128_state == SM_AES128_IDLE) { 2184 log_info("DKG_CALC_DHK started"); 2185 // DHK = d1(IR, 3, 0) 2186 sm_d1_d_prime(3, 0, sm_aes128_plaintext); // plaintext = d1 prime 2187 sm_aes128_state = SM_AES128_ACTIVE; 2188 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, sm_persistent_ir, sm_aes128_plaintext, sm_persistent_dhk, sm_handle_encryption_result_dkg_dhk, NULL); 2189 return true; 2190 } 2191 break; 2192 default: 2193 break; 2194 } 2195 return false; 2196 } 2197 2198 // random address updates 2199 static bool sm_run_rau(void){ 2200 switch (rau_state){ 2201 case RAU_GET_RANDOM: 2202 rau_state = RAU_W4_RANDOM; 2203 btstack_crypto_random_generate(&sm_crypto_random_request, sm_random_address, 6, &sm_handle_random_result_rau, NULL); 2204 return true; 2205 case RAU_GET_ENC: 2206 // already busy? 2207 if (sm_aes128_state == SM_AES128_IDLE) { 2208 sm_ah_r_prime(sm_random_address, sm_aes128_plaintext); 2209 sm_aes128_state = SM_AES128_ACTIVE; 2210 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, sm_persistent_irk, sm_aes128_plaintext, sm_aes128_ciphertext, sm_handle_encryption_result_rau, NULL); 2211 return true; 2212 } 2213 break; 2214 default: 2215 break; 2216 } 2217 return false; 2218 } 2219 2220 // CSRK Lookup 2221 static bool sm_run_csrk(void){ 2222 btstack_linked_list_iterator_t it; 2223 2224 // -- if csrk lookup ready, find connection that require csrk lookup 2225 if (sm_address_resolution_idle()){ 2226 hci_connections_get_iterator(&it); 2227 while(btstack_linked_list_iterator_has_next(&it)){ 2228 hci_connection_t * hci_connection = (hci_connection_t *) btstack_linked_list_iterator_next(&it); 2229 sm_connection_t * sm_connection = &hci_connection->sm_connection; 2230 if (sm_connection->sm_irk_lookup_state == IRK_LOOKUP_W4_READY){ 2231 // and start lookup 2232 sm_address_resolution_start_lookup(sm_connection->sm_peer_addr_type, sm_connection->sm_handle, sm_connection->sm_peer_address, ADDRESS_RESOLUTION_FOR_CONNECTION, sm_connection); 2233 sm_connection->sm_irk_lookup_state = IRK_LOOKUP_STARTED; 2234 break; 2235 } 2236 } 2237 } 2238 2239 // -- if csrk lookup ready, resolved addresses for received addresses 2240 if (sm_address_resolution_idle()) { 2241 if (!btstack_linked_list_empty(&sm_address_resolution_general_queue)){ 2242 sm_lookup_entry_t * entry = (sm_lookup_entry_t *) sm_address_resolution_general_queue; 2243 btstack_linked_list_remove(&sm_address_resolution_general_queue, (btstack_linked_item_t *) entry); 2244 sm_address_resolution_start_lookup(entry->address_type, 0, entry->address, ADDRESS_RESOLUTION_GENERAL, NULL); 2245 btstack_memory_sm_lookup_entry_free(entry); 2246 } 2247 } 2248 2249 // -- Continue with device lookup by public or resolvable private address 2250 if (!sm_address_resolution_idle()){ 2251 while (sm_address_resolution_test < le_device_db_max_count()){ 2252 int addr_type = BD_ADDR_TYPE_UNKNOWN; 2253 bd_addr_t addr; 2254 sm_key_t irk; 2255 le_device_db_info(sm_address_resolution_test, &addr_type, addr, irk); 2256 2257 // skip unused entries 2258 if (addr_type == BD_ADDR_TYPE_UNKNOWN){ 2259 sm_address_resolution_test++; 2260 continue; 2261 } 2262 2263 log_info("LE Device Lookup: device %u of %u", sm_address_resolution_test, le_device_db_max_count()); 2264 2265 if ((sm_address_resolution_addr_type == addr_type) && (memcmp(addr, sm_address_resolution_address, 6) == 0)){ 2266 log_info("LE Device Lookup: found by { addr_type, address} "); 2267 sm_address_resolution_handle_event(ADDRESS_RESOLUTION_SUCCEEDED); 2268 break; 2269 } 2270 2271 // if connection type is public, it must be a different one 2272 if (sm_address_resolution_addr_type == BD_ADDR_TYPE_LE_PUBLIC){ 2273 sm_address_resolution_test++; 2274 continue; 2275 } 2276 2277 // skip AH if no IRK 2278 if (sm_is_null_key(irk)){ 2279 sm_address_resolution_test++; 2280 continue; 2281 } 2282 2283 if (sm_aes128_state == SM_AES128_ACTIVE) break; 2284 2285 log_info("LE Device Lookup: calculate AH"); 2286 log_info_key("IRK", irk); 2287 2288 (void)memcpy(sm_aes128_key, irk, 16); 2289 sm_ah_r_prime(sm_address_resolution_address, sm_aes128_plaintext); 2290 sm_aes128_state = SM_AES128_ACTIVE; 2291 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, sm_aes128_key, sm_aes128_plaintext, sm_aes128_ciphertext, sm_handle_encryption_result_address_resolution, NULL); 2292 return true; 2293 } 2294 2295 if (sm_address_resolution_test >= le_device_db_max_count()){ 2296 log_info("LE Device Lookup: not found"); 2297 sm_address_resolution_handle_event(ADDRESS_RESOLUTION_FAILED); 2298 } 2299 } 2300 return false; 2301 } 2302 2303 // SC OOB 2304 static bool sm_run_oob(void){ 2305 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2306 switch (sm_sc_oob_state){ 2307 case SM_SC_OOB_W2_CALC_CONFIRM: 2308 if (!sm_cmac_ready()) break; 2309 sm_sc_oob_state = SM_SC_OOB_W4_CONFIRM; 2310 f4_engine(NULL, ec_q, ec_q, sm_sc_oob_random, 0); 2311 return true; 2312 default: 2313 break; 2314 } 2315 #endif 2316 return false; 2317 } 2318 2319 static void sm_send_connectionless(sm_connection_t * sm_connection, const uint8_t * buffer, uint16_t size){ 2320 l2cap_send_connectionless(sm_connection->sm_handle, sm_connection->sm_cid, (uint8_t*) buffer, size); 2321 } 2322 2323 // handle basic actions that don't requires the full context 2324 static bool sm_run_basic(void){ 2325 btstack_linked_list_iterator_t it; 2326 hci_connections_get_iterator(&it); 2327 while(btstack_linked_list_iterator_has_next(&it)){ 2328 hci_connection_t * hci_connection = (hci_connection_t *) btstack_linked_list_iterator_next(&it); 2329 sm_connection_t * sm_connection = &hci_connection->sm_connection; 2330 switch(sm_connection->sm_engine_state){ 2331 2332 // general 2333 case SM_GENERAL_SEND_PAIRING_FAILED: { 2334 uint8_t buffer[2]; 2335 buffer[0] = SM_CODE_PAIRING_FAILED; 2336 buffer[1] = sm_connection->sm_pairing_failed_reason; 2337 sm_connection->sm_engine_state = sm_connection->sm_role ? SM_RESPONDER_IDLE : SM_INITIATOR_CONNECTED; 2338 sm_send_connectionless(sm_connection, (uint8_t*) buffer, sizeof(buffer)); 2339 sm_pairing_complete(sm_connection, ERROR_CODE_AUTHENTICATION_FAILURE, sm_connection->sm_pairing_failed_reason); 2340 sm_done_for_handle(sm_connection->sm_handle); 2341 break; 2342 } 2343 2344 // responder side 2345 case SM_RESPONDER_PH0_SEND_LTK_REQUESTED_NEGATIVE_REPLY: 2346 sm_connection->sm_engine_state = SM_RESPONDER_IDLE; 2347 hci_send_cmd(&hci_le_long_term_key_negative_reply, sm_connection->sm_handle); 2348 return true; 2349 2350 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2351 case SM_SC_RECEIVED_LTK_REQUEST: 2352 switch (sm_connection->sm_irk_lookup_state){ 2353 case IRK_LOOKUP_FAILED: 2354 log_info("LTK Request: IRK Lookup Failed)"); 2355 sm_connection->sm_engine_state = SM_RESPONDER_IDLE; 2356 hci_send_cmd(&hci_le_long_term_key_negative_reply, sm_connection->sm_handle); 2357 return true; 2358 default: 2359 break; 2360 } 2361 break; 2362 #endif 2363 default: 2364 break; 2365 } 2366 } 2367 return false; 2368 } 2369 2370 static void sm_run_activate_connection(void){ 2371 // Find connections that requires setup context and make active if no other is locked 2372 btstack_linked_list_iterator_t it; 2373 hci_connections_get_iterator(&it); 2374 while((sm_active_connection_handle == HCI_CON_HANDLE_INVALID) && btstack_linked_list_iterator_has_next(&it)){ 2375 hci_connection_t * hci_connection = (hci_connection_t *) btstack_linked_list_iterator_next(&it); 2376 sm_connection_t * sm_connection = &hci_connection->sm_connection; 2377 // - if no connection locked and we're ready/waiting for setup context, fetch it and start 2378 bool done = true; 2379 int err; 2380 UNUSED(err); 2381 2382 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2383 // assert ec key is ready 2384 if ( (sm_connection->sm_engine_state == SM_RESPONDER_PH1_PAIRING_REQUEST_RECEIVED) 2385 || (sm_connection->sm_engine_state == SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST) 2386 || (sm_connection->sm_engine_state == SM_RESPONDER_SEND_SECURITY_REQUEST)){ 2387 if (ec_key_generation_state == EC_KEY_GENERATION_IDLE){ 2388 sm_ec_generate_new_key(); 2389 } 2390 if (ec_key_generation_state != EC_KEY_GENERATION_DONE){ 2391 continue; 2392 } 2393 } 2394 #endif 2395 2396 switch (sm_connection->sm_engine_state) { 2397 #ifdef ENABLE_LE_PERIPHERAL 2398 case SM_RESPONDER_SEND_SECURITY_REQUEST: 2399 case SM_RESPONDER_PH1_PAIRING_REQUEST_RECEIVED: 2400 case SM_RESPONDER_PH0_RECEIVED_LTK_REQUEST: 2401 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2402 case SM_SC_RECEIVED_LTK_REQUEST: 2403 #endif 2404 #endif 2405 #ifdef ENABLE_LE_CENTRAL 2406 case SM_INITIATOR_PH4_HAS_LTK: 2407 case SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST: 2408 #endif 2409 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 2410 case SM_BR_EDR_RESPONDER_PAIRING_REQUEST_RECEIVED: 2411 case SM_BR_EDR_INITIATOR_SEND_PAIRING_REQUEST: 2412 #endif 2413 // just lock context 2414 break; 2415 default: 2416 done = false; 2417 break; 2418 } 2419 if (done){ 2420 sm_active_connection_handle = sm_connection->sm_handle; 2421 log_info("sm: connection 0x%04x locked setup context as %s, state %u", sm_active_connection_handle, sm_connection->sm_role ? "responder" : "initiator", sm_connection->sm_engine_state); 2422 } 2423 } 2424 } 2425 2426 static void sm_run_send_keypress_notification(sm_connection_t * connection){ 2427 int i; 2428 uint8_t flags = setup->sm_keypress_notification & 0x1fu; 2429 uint8_t num_actions = setup->sm_keypress_notification >> 5; 2430 uint8_t action = 0; 2431 for (i=SM_KEYPRESS_PASSKEY_ENTRY_STARTED;i<=SM_KEYPRESS_PASSKEY_ENTRY_COMPLETED;i++){ 2432 if (flags & (1u<<i)){ 2433 bool clear_flag = true; 2434 switch (i){ 2435 case SM_KEYPRESS_PASSKEY_ENTRY_STARTED: 2436 case SM_KEYPRESS_PASSKEY_CLEARED: 2437 case SM_KEYPRESS_PASSKEY_ENTRY_COMPLETED: 2438 default: 2439 break; 2440 case SM_KEYPRESS_PASSKEY_DIGIT_ENTERED: 2441 case SM_KEYPRESS_PASSKEY_DIGIT_ERASED: 2442 num_actions--; 2443 clear_flag = num_actions == 0u; 2444 break; 2445 } 2446 if (clear_flag){ 2447 flags &= ~(1<<i); 2448 } 2449 action = i; 2450 break; 2451 } 2452 } 2453 setup->sm_keypress_notification = (num_actions << 5) | flags; 2454 2455 // send keypress notification 2456 uint8_t buffer[2]; 2457 buffer[0] = SM_CODE_KEYPRESS_NOTIFICATION; 2458 buffer[1] = action; 2459 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 2460 2461 // try 2462 l2cap_request_can_send_fix_channel_now_event(sm_active_connection_handle, connection->sm_cid); 2463 } 2464 2465 static void sm_run_distribute_keys(sm_connection_t * connection){ 2466 if (setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION){ 2467 setup->sm_key_distribution_send_set &= ~SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION; 2468 setup->sm_key_distribution_sent_set |= SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION; 2469 uint8_t buffer[17]; 2470 buffer[0] = SM_CODE_ENCRYPTION_INFORMATION; 2471 reverse_128(setup->sm_ltk, &buffer[1]); 2472 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 2473 sm_timeout_reset(connection); 2474 return; 2475 } 2476 if (setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_MASTER_IDENTIFICATION){ 2477 setup->sm_key_distribution_send_set &= ~SM_KEYDIST_FLAG_MASTER_IDENTIFICATION; 2478 setup->sm_key_distribution_sent_set |= SM_KEYDIST_FLAG_MASTER_IDENTIFICATION; 2479 uint8_t buffer[11]; 2480 buffer[0] = SM_CODE_MASTER_IDENTIFICATION; 2481 little_endian_store_16(buffer, 1, setup->sm_local_ediv); 2482 reverse_64(setup->sm_local_rand, &buffer[3]); 2483 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 2484 sm_timeout_reset(connection); 2485 return; 2486 } 2487 if (setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_IDENTITY_INFORMATION){ 2488 setup->sm_key_distribution_send_set &= ~SM_KEYDIST_FLAG_IDENTITY_INFORMATION; 2489 setup->sm_key_distribution_sent_set |= SM_KEYDIST_FLAG_IDENTITY_INFORMATION; 2490 uint8_t buffer[17]; 2491 buffer[0] = SM_CODE_IDENTITY_INFORMATION; 2492 reverse_128(sm_persistent_irk, &buffer[1]); 2493 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 2494 sm_timeout_reset(connection); 2495 return; 2496 } 2497 if (setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION){ 2498 setup->sm_key_distribution_send_set &= ~SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION; 2499 setup->sm_key_distribution_sent_set |= SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION; 2500 bd_addr_t local_address; 2501 uint8_t buffer[8]; 2502 buffer[0] = SM_CODE_IDENTITY_ADDRESS_INFORMATION; 2503 switch (gap_random_address_get_mode()){ 2504 case GAP_RANDOM_ADDRESS_TYPE_OFF: 2505 case GAP_RANDOM_ADDRESS_TYPE_STATIC: 2506 // public or static random 2507 gap_le_get_own_address(&buffer[1], local_address); 2508 break; 2509 case GAP_RANDOM_ADDRESS_NON_RESOLVABLE: 2510 case GAP_RANDOM_ADDRESS_RESOLVABLE: 2511 // fallback to public 2512 gap_local_bd_addr(local_address); 2513 buffer[1] = 0; 2514 break; 2515 default: 2516 btstack_assert(false); 2517 break; 2518 } 2519 reverse_bd_addr(local_address, &buffer[2]); 2520 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 2521 sm_timeout_reset(connection); 2522 return; 2523 } 2524 if (setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION){ 2525 setup->sm_key_distribution_send_set &= ~SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION; 2526 setup->sm_key_distribution_sent_set |= SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION; 2527 2528 #ifdef ENABLE_LE_SIGNED_WRITE 2529 // hack to reproduce test runs 2530 if (test_use_fixed_local_csrk){ 2531 memset(setup->sm_local_csrk, 0xcc, 16); 2532 } 2533 2534 // store local CSRK 2535 if (setup->sm_le_device_index >= 0){ 2536 log_info("sm: store local CSRK"); 2537 le_device_db_local_csrk_set(setup->sm_le_device_index, setup->sm_local_csrk); 2538 le_device_db_local_counter_set(setup->sm_le_device_index, 0); 2539 } 2540 #endif 2541 2542 uint8_t buffer[17]; 2543 buffer[0] = SM_CODE_SIGNING_INFORMATION; 2544 reverse_128(setup->sm_local_csrk, &buffer[1]); 2545 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 2546 sm_timeout_reset(connection); 2547 return; 2548 } 2549 btstack_assert(false); 2550 } 2551 2552 static bool sm_ctkd_from_le(sm_connection_t *sm_connection) { 2553 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 2554 // requirements to derive link key from LE: 2555 // - use secure connections 2556 if (setup->sm_use_secure_connections == 0) return false; 2557 // - bonding needs to be enabled: 2558 bool bonding_enabled = (sm_pairing_packet_get_auth_req(setup->sm_m_preq) & sm_pairing_packet_get_auth_req(setup->sm_s_pres) & SM_AUTHREQ_BONDING ) != 0u; 2559 if (!bonding_enabled) return false; 2560 // - need identity address / public addr 2561 bool have_identity_address_info = ((setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION) != 0) || (setup->sm_peer_addr_type == 0); 2562 if (!have_identity_address_info) return false; 2563 // - there is no stored BR/EDR link key or the derived key has at least the same level of authentication (bail if stored key has higher authentication) 2564 // this requirement is motivated by BLURtooth paper. The paper recommends to not overwrite keys at all. 2565 // If SC is authenticated, we consider it safe to overwrite a stored key. 2566 // If stored link key is not authenticated, it could already be compromised by a MITM attack. Allowing overwrite by unauthenticated derived key does not make it worse. 2567 uint8_t link_key[16]; 2568 link_key_type_t link_key_type; 2569 bool have_link_key = gap_get_link_key_for_bd_addr(setup->sm_peer_address, link_key, &link_key_type); 2570 bool link_key_authenticated = gap_authenticated_for_link_key_type(link_key_type); 2571 bool derived_key_authenticated = sm_connection->sm_connection_authenticated != 0; 2572 if (have_link_key && link_key_authenticated && !derived_key_authenticated) { 2573 return false; 2574 } 2575 // get started (all of the above are true) 2576 return true; 2577 #else 2578 UNUSED(sm_connection); 2579 return false; 2580 #endif 2581 } 2582 2583 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 2584 static bool sm_ctkd_from_classic(sm_connection_t * sm_connection){ 2585 hci_connection_t * hci_connection = hci_connection_for_handle(sm_connection->sm_handle); 2586 btstack_assert(hci_connection != NULL); 2587 // requirements to derive ltk from BR/EDR: 2588 // - BR/EDR uses secure connections 2589 if (gap_secure_connection_for_link_key_type(hci_connection->link_key_type) == false) return false; 2590 // - bonding needs to be enabled: 2591 bool bonding_enabled = (sm_pairing_packet_get_auth_req(setup->sm_m_preq) & sm_pairing_packet_get_auth_req(setup->sm_s_pres) & SM_AUTHREQ_BONDING ) != 0u; 2592 if (!bonding_enabled) return false; 2593 // - there is no stored LTK or the derived key has at least the same level of authentication (bail if LTK is authenticated but Link Key isn't) 2594 bool link_key_authenticated = gap_authenticated_for_link_key_type(hci_connection->link_key_type); 2595 if (link_key_authenticated) return true; 2596 int index = sm_le_device_db_index_lookup(BD_ADDR_TYPE_LE_PUBLIC, hci_connection->address); 2597 if (index >= 0){ 2598 int ltk_authenticated; 2599 sm_key_t ltk; 2600 le_device_db_encryption_get(sm_connection->sm_le_db_index, NULL, NULL, ltk, NULL, <k_authenticated, NULL, NULL); 2601 bool have_ltk = !sm_is_null_key(ltk); 2602 if (have_ltk && ltk_authenticated) return false; 2603 } 2604 return true; 2605 } 2606 #endif 2607 2608 static void sm_key_distribution_complete_responder(sm_connection_t * connection){ 2609 if (sm_ctkd_from_le(connection)){ 2610 bool use_h7 = (sm_pairing_packet_get_auth_req(setup->sm_m_preq) & sm_pairing_packet_get_auth_req(setup->sm_s_pres) & SM_AUTHREQ_CT2) != 0; 2611 connection->sm_engine_state = use_h7 ? SM_SC_W2_CALCULATE_ILK_USING_H7 : SM_SC_W2_CALCULATE_ILK_USING_H6; 2612 } else { 2613 connection->sm_engine_state = SM_RESPONDER_IDLE; 2614 sm_pairing_complete(connection, ERROR_CODE_SUCCESS, 0); 2615 sm_done_for_handle(connection->sm_handle); 2616 } 2617 } 2618 2619 static void sm_key_distribution_complete_initiator(sm_connection_t * connection){ 2620 if (sm_ctkd_from_le(connection)){ 2621 bool use_h7 = (sm_pairing_packet_get_auth_req(setup->sm_m_preq) & sm_pairing_packet_get_auth_req(setup->sm_s_pres) & SM_AUTHREQ_CT2) != 0; 2622 connection->sm_engine_state = use_h7 ? SM_SC_W2_CALCULATE_ILK_USING_H7 : SM_SC_W2_CALCULATE_ILK_USING_H6; 2623 } else { 2624 sm_master_pairing_success(connection); 2625 } 2626 } 2627 2628 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2629 static void sm_run_state_sc_send_confirmation(sm_connection_t *connection) { 2630 uint8_t buffer[17]; 2631 buffer[0] = SM_CODE_PAIRING_CONFIRM; 2632 reverse_128(setup->sm_local_confirm, &buffer[1]); 2633 if (IS_RESPONDER(connection->sm_role)){ 2634 connection->sm_engine_state = SM_SC_W4_PAIRING_RANDOM; 2635 } else { 2636 connection->sm_engine_state = SM_SC_W4_CONFIRMATION; 2637 } 2638 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 2639 sm_timeout_reset(connection); 2640 } 2641 2642 static void sm_run_state_sc_send_pairing_random(sm_connection_t *connection) { 2643 uint8_t buffer[17]; 2644 buffer[0] = SM_CODE_PAIRING_RANDOM; 2645 reverse_128(setup->sm_local_nonce, &buffer[1]); 2646 log_info("stk method %u, bit num: %u", setup->sm_stk_generation_method, setup->sm_passkey_bit); 2647 if (sm_passkey_entry(setup->sm_stk_generation_method) && (setup->sm_passkey_bit < 20u)){ 2648 log_info("SM_SC_SEND_PAIRING_RANDOM A"); 2649 if (IS_RESPONDER(connection->sm_role)){ 2650 // responder 2651 connection->sm_engine_state = SM_SC_W4_CONFIRMATION; 2652 } else { 2653 // initiator 2654 connection->sm_engine_state = SM_SC_W4_PAIRING_RANDOM; 2655 } 2656 } else { 2657 log_info("SM_SC_SEND_PAIRING_RANDOM B"); 2658 if (IS_RESPONDER(connection->sm_role)){ 2659 // responder 2660 if (setup->sm_stk_generation_method == NUMERIC_COMPARISON){ 2661 log_info("SM_SC_SEND_PAIRING_RANDOM B1"); 2662 connection->sm_engine_state = SM_SC_W2_CALCULATE_G2; 2663 } else { 2664 log_info("SM_SC_SEND_PAIRING_RANDOM B2"); 2665 sm_sc_prepare_dhkey_check(connection); 2666 } 2667 } else { 2668 // initiator 2669 connection->sm_engine_state = SM_SC_W4_PAIRING_RANDOM; 2670 } 2671 } 2672 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 2673 sm_timeout_reset(connection); 2674 } 2675 2676 static void sm_run_state_sc_send_dhkey_check_command(sm_connection_t *connection) { 2677 uint8_t buffer[17]; 2678 buffer[0] = SM_CODE_PAIRING_DHKEY_CHECK; 2679 reverse_128(setup->sm_local_dhkey_check, &buffer[1]); 2680 2681 if (IS_RESPONDER(connection->sm_role)){ 2682 connection->sm_engine_state = SM_SC_W4_LTK_REQUEST_SC; 2683 } else { 2684 connection->sm_engine_state = SM_SC_W4_DHKEY_CHECK_COMMAND; 2685 } 2686 2687 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 2688 sm_timeout_reset(connection); 2689 } 2690 2691 static void sm_run_state_sc_send_public_key_command(sm_connection_t *connection) { 2692 bool trigger_user_response = false; 2693 bool trigger_start_calculating_local_confirm = false; 2694 uint8_t buffer[65]; 2695 buffer[0] = SM_CODE_PAIRING_PUBLIC_KEY; 2696 // 2697 reverse_256(&ec_q[0], &buffer[1]); 2698 reverse_256(&ec_q[32], &buffer[33]); 2699 2700 #ifdef ENABLE_TESTING_SUPPORT 2701 if (test_pairing_failure == SM_REASON_DHKEY_CHECK_FAILED){ 2702 log_info("testing_support: invalidating public key"); 2703 // flip single bit of public key coordinate 2704 buffer[1] ^= 1; 2705 } 2706 #endif 2707 2708 // stk generation method 2709 // passkey entry: notify app to show passkey or to request passkey 2710 switch (setup->sm_stk_generation_method){ 2711 case JUST_WORKS: 2712 case NUMERIC_COMPARISON: 2713 if (IS_RESPONDER(connection->sm_role)){ 2714 // responder 2715 trigger_start_calculating_local_confirm = true; 2716 connection->sm_engine_state = SM_SC_W4_LOCAL_NONCE; 2717 } else { 2718 // initiator 2719 connection->sm_engine_state = SM_SC_W4_PUBLIC_KEY_COMMAND; 2720 } 2721 break; 2722 case PK_INIT_INPUT: 2723 case PK_RESP_INPUT: 2724 case PK_BOTH_INPUT: 2725 // use random TK for display 2726 (void)memcpy(setup->sm_ra, setup->sm_tk, 16); 2727 (void)memcpy(setup->sm_rb, setup->sm_tk, 16); 2728 setup->sm_passkey_bit = 0; 2729 2730 if (IS_RESPONDER(connection->sm_role)){ 2731 // responder 2732 connection->sm_engine_state = SM_SC_W4_CONFIRMATION; 2733 } else { 2734 // initiator 2735 connection->sm_engine_state = SM_SC_W4_PUBLIC_KEY_COMMAND; 2736 } 2737 trigger_user_response = true; 2738 break; 2739 case OOB: 2740 if (IS_RESPONDER(connection->sm_role)){ 2741 // responder 2742 connection->sm_engine_state = SM_SC_W4_PAIRING_RANDOM; 2743 } else { 2744 // initiator 2745 connection->sm_engine_state = SM_SC_W4_PUBLIC_KEY_COMMAND; 2746 } 2747 break; 2748 default: 2749 btstack_assert(false); 2750 break; 2751 } 2752 2753 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 2754 sm_timeout_reset(connection); 2755 2756 // trigger user response and calc confirm after sending pdu 2757 if (trigger_user_response){ 2758 sm_trigger_user_response(connection); 2759 } 2760 if (trigger_start_calculating_local_confirm){ 2761 sm_sc_start_calculating_local_confirm(connection); 2762 } 2763 } 2764 #endif 2765 2766 static bool sm_run_non_connection_logic(void){ 2767 bool done;; 2768 2769 done = sm_run_dpkg(); 2770 if (done) return true; 2771 2772 done = sm_run_rau(); 2773 if (done) return true; 2774 2775 done = sm_run_csrk(); 2776 if (done) return true; 2777 2778 done = sm_run_oob(); 2779 return done; 2780 } 2781 2782 static void sm_run(void){ 2783 2784 // assert that stack has already bootet 2785 if (hci_get_state() != HCI_STATE_WORKING) return; 2786 2787 // assert that we can send at least commands 2788 if (!hci_can_send_command_packet_now()) return; 2789 2790 // pause until IR/ER are ready 2791 if (sm_persistent_keys_random_active) return; 2792 2793 // non-connection related behaviour 2794 bool done = sm_run_non_connection_logic(); 2795 if (done) return; 2796 2797 // assert that we can send at least commands - cmd might have been sent by crypto engine 2798 if (!hci_can_send_command_packet_now()) return; 2799 2800 // handle basic actions that don't requires the full context 2801 done = sm_run_basic(); 2802 if (done) return; 2803 2804 // 2805 // active connection handling 2806 // -- use loop to handle next connection if lock on setup context is released 2807 2808 while (true) { 2809 2810 sm_run_activate_connection(); 2811 2812 if (sm_active_connection_handle == HCI_CON_HANDLE_INVALID) return; 2813 2814 // 2815 // active connection handling 2816 // 2817 2818 sm_connection_t * connection = sm_get_connection_for_handle(sm_active_connection_handle); 2819 if (!connection) { 2820 log_info("no connection for handle 0x%04x", sm_active_connection_handle); 2821 return; 2822 } 2823 2824 // assert that we could send a SM PDU - not needed for all of the following 2825 if (!l2cap_can_send_fixed_channel_packet_now(sm_active_connection_handle, connection->sm_cid)) { 2826 log_info("cannot send now, requesting can send now event"); 2827 l2cap_request_can_send_fix_channel_now_event(sm_active_connection_handle, connection->sm_cid); 2828 return; 2829 } 2830 2831 // send keypress notifications 2832 if (setup->sm_keypress_notification){ 2833 sm_run_send_keypress_notification(connection); 2834 return; 2835 } 2836 2837 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2838 // assert that sm cmac engine is ready 2839 if (sm_cmac_ready() == false){ 2840 break; 2841 } 2842 #endif 2843 2844 int key_distribution_flags; 2845 UNUSED(key_distribution_flags); 2846 #ifdef ENABLE_LE_PERIPHERAL 2847 int err; 2848 bool have_ltk; 2849 uint8_t ltk[16]; 2850 #endif 2851 2852 log_info("sm_run: state %u", connection->sm_engine_state); 2853 switch (connection->sm_engine_state){ 2854 2855 // secure connections, initiator + responding states 2856 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2857 case SM_SC_W2_CMAC_FOR_CONFIRMATION: 2858 connection->sm_engine_state = SM_SC_W4_CMAC_FOR_CONFIRMATION; 2859 sm_sc_calculate_local_confirm(connection); 2860 break; 2861 case SM_SC_W2_CMAC_FOR_CHECK_CONFIRMATION: 2862 connection->sm_engine_state = SM_SC_W4_CMAC_FOR_CHECK_CONFIRMATION; 2863 sm_sc_calculate_remote_confirm(connection); 2864 break; 2865 case SM_SC_W2_CALCULATE_F6_FOR_DHKEY_CHECK: 2866 connection->sm_engine_state = SM_SC_W4_CALCULATE_F6_FOR_DHKEY_CHECK; 2867 sm_sc_calculate_f6_for_dhkey_check(connection); 2868 break; 2869 case SM_SC_W2_CALCULATE_F6_TO_VERIFY_DHKEY_CHECK: 2870 connection->sm_engine_state = SM_SC_W4_CALCULATE_F6_TO_VERIFY_DHKEY_CHECK; 2871 sm_sc_calculate_f6_to_verify_dhkey_check(connection); 2872 break; 2873 case SM_SC_W2_CALCULATE_F5_SALT: 2874 connection->sm_engine_state = SM_SC_W4_CALCULATE_F5_SALT; 2875 f5_calculate_salt(connection); 2876 break; 2877 case SM_SC_W2_CALCULATE_F5_MACKEY: 2878 connection->sm_engine_state = SM_SC_W4_CALCULATE_F5_MACKEY; 2879 f5_calculate_mackey(connection); 2880 break; 2881 case SM_SC_W2_CALCULATE_F5_LTK: 2882 connection->sm_engine_state = SM_SC_W4_CALCULATE_F5_LTK; 2883 f5_calculate_ltk(connection); 2884 break; 2885 case SM_SC_W2_CALCULATE_G2: 2886 connection->sm_engine_state = SM_SC_W4_CALCULATE_G2; 2887 g2_calculate(connection); 2888 break; 2889 #endif 2890 2891 #ifdef ENABLE_LE_CENTRAL 2892 // initiator side 2893 2894 case SM_INITIATOR_PH4_HAS_LTK: { 2895 sm_reset_setup(); 2896 sm_load_security_info(connection); 2897 2898 sm_key_t peer_ltk_flipped; 2899 reverse_128(setup->sm_peer_ltk, peer_ltk_flipped); 2900 connection->sm_engine_state = SM_PH4_W4_CONNECTION_ENCRYPTED; 2901 log_info("sm: hci_le_start_encryption ediv 0x%04x", setup->sm_peer_ediv); 2902 uint32_t rand_high = big_endian_read_32(setup->sm_peer_rand, 0); 2903 uint32_t rand_low = big_endian_read_32(setup->sm_peer_rand, 4); 2904 hci_send_cmd(&hci_le_start_encryption, connection->sm_handle,rand_low, rand_high, setup->sm_peer_ediv, peer_ltk_flipped); 2905 2906 // notify after sending 2907 sm_reencryption_started(connection); 2908 return; 2909 } 2910 2911 case SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST: 2912 sm_reset_setup(); 2913 sm_init_setup(connection); 2914 2915 sm_pairing_packet_set_code(setup->sm_m_preq, SM_CODE_PAIRING_REQUEST); 2916 connection->sm_engine_state = SM_INITIATOR_PH1_W4_PAIRING_RESPONSE; 2917 sm_send_connectionless(connection, (uint8_t*) &setup->sm_m_preq, sizeof(sm_pairing_packet_t)); 2918 sm_timeout_reset(connection); 2919 2920 // notify after sending 2921 sm_pairing_started(connection); 2922 break; 2923 #endif 2924 2925 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2926 case SM_SC_SEND_PUBLIC_KEY_COMMAND: 2927 sm_run_state_sc_send_public_key_command(connection); 2928 break; 2929 case SM_SC_SEND_CONFIRMATION: 2930 sm_run_state_sc_send_confirmation(connection); 2931 break; 2932 case SM_SC_SEND_PAIRING_RANDOM: 2933 sm_run_state_sc_send_pairing_random(connection); 2934 break; 2935 case SM_SC_SEND_DHKEY_CHECK_COMMAND: 2936 sm_run_state_sc_send_dhkey_check_command(connection); 2937 break; 2938 #endif 2939 2940 #ifdef ENABLE_LE_PERIPHERAL 2941 2942 case SM_RESPONDER_SEND_SECURITY_REQUEST: { 2943 const uint8_t buffer[2] = {SM_CODE_SECURITY_REQUEST, sm_auth_req}; 2944 connection->sm_engine_state = SM_RESPONDER_PH1_W4_PAIRING_REQUEST; 2945 sm_send_connectionless(connection, (uint8_t *) buffer, sizeof(buffer)); 2946 sm_timeout_start(connection); 2947 break; 2948 } 2949 2950 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2951 case SM_SC_RECEIVED_LTK_REQUEST: 2952 switch (connection->sm_irk_lookup_state){ 2953 case IRK_LOOKUP_SUCCEEDED: 2954 // assuming Secure Connection, we have a stored LTK and the EDIV/RAND are null 2955 // start using context by loading security info 2956 sm_reset_setup(); 2957 sm_load_security_info(connection); 2958 if ((setup->sm_peer_ediv == 0u) && sm_is_null_random(setup->sm_peer_rand) && !sm_is_null_key(setup->sm_peer_ltk)){ 2959 (void)memcpy(setup->sm_ltk, setup->sm_peer_ltk, 16); 2960 connection->sm_engine_state = SM_RESPONDER_PH4_SEND_LTK_REPLY; 2961 sm_reencryption_started(connection); 2962 sm_trigger_run(); 2963 break; 2964 } 2965 log_info("LTK Request: ediv & random are empty, but no stored LTK (IRK Lookup Succeeded)"); 2966 connection->sm_engine_state = SM_RESPONDER_IDLE; 2967 hci_send_cmd(&hci_le_long_term_key_negative_reply, connection->sm_handle); 2968 return; 2969 default: 2970 // just wait until IRK lookup is completed 2971 break; 2972 } 2973 break; 2974 #endif /* ENABLE_LE_SECURE_CONNECTIONS */ 2975 2976 case SM_RESPONDER_PH1_PAIRING_REQUEST_RECEIVED: 2977 sm_reset_setup(); 2978 2979 // handle Pairing Request with LTK available 2980 switch (connection->sm_irk_lookup_state) { 2981 case IRK_LOOKUP_SUCCEEDED: 2982 le_device_db_encryption_get(connection->sm_le_db_index, NULL, NULL, ltk, NULL, NULL, NULL, NULL); 2983 have_ltk = !sm_is_null_key(ltk); 2984 if (have_ltk){ 2985 log_info("pairing request but LTK available"); 2986 // emit re-encryption start/fail sequence 2987 sm_reencryption_started(connection); 2988 sm_reencryption_complete(connection, ERROR_CODE_PIN_OR_KEY_MISSING); 2989 } 2990 break; 2991 default: 2992 break; 2993 } 2994 2995 sm_init_setup(connection); 2996 2997 // recover pairing request 2998 (void)memcpy(&setup->sm_m_preq, &connection->sm_m_preq, sizeof(sm_pairing_packet_t)); 2999 err = sm_stk_generation_init(connection); 3000 3001 #ifdef ENABLE_TESTING_SUPPORT 3002 if ((0 < test_pairing_failure) && (test_pairing_failure < SM_REASON_DHKEY_CHECK_FAILED)){ 3003 log_info("testing_support: respond with pairing failure %u", test_pairing_failure); 3004 err = test_pairing_failure; 3005 } 3006 #endif 3007 if (err != 0){ 3008 // emit pairing started/failed sequence 3009 sm_pairing_started(connection); 3010 sm_pairing_error(connection, err); 3011 sm_trigger_run(); 3012 break; 3013 } 3014 3015 sm_timeout_start(connection); 3016 3017 // generate random number first, if we need to show passkey, otherwise send response 3018 if (setup->sm_stk_generation_method == PK_INIT_INPUT){ 3019 btstack_crypto_random_generate(&sm_crypto_random_request, sm_random_data, 8, &sm_handle_random_result_ph2_tk, (void *)(uintptr_t) connection->sm_handle); 3020 break; 3021 } 3022 3023 /* fall through */ 3024 3025 case SM_RESPONDER_PH1_SEND_PAIRING_RESPONSE: 3026 sm_pairing_packet_set_code(setup->sm_s_pres,SM_CODE_PAIRING_RESPONSE); 3027 3028 // start with initiator key dist flags 3029 key_distribution_flags = sm_key_distribution_flags_for_auth_req(); 3030 3031 #ifdef ENABLE_LE_SECURE_CONNECTIONS 3032 // LTK (= encyrption information & master identification) only exchanged for LE Legacy Connection 3033 if (setup->sm_use_secure_connections){ 3034 key_distribution_flags &= ~SM_KEYDIST_ENC_KEY; 3035 } 3036 #endif 3037 // setup in response 3038 sm_pairing_packet_set_initiator_key_distribution(setup->sm_s_pres, sm_pairing_packet_get_initiator_key_distribution(setup->sm_m_preq) & key_distribution_flags); 3039 sm_pairing_packet_set_responder_key_distribution(setup->sm_s_pres, sm_pairing_packet_get_responder_key_distribution(setup->sm_m_preq) & key_distribution_flags); 3040 3041 // update key distribution after ENC was dropped 3042 sm_setup_key_distribution(sm_pairing_packet_get_responder_key_distribution(setup->sm_s_pres), sm_pairing_packet_get_initiator_key_distribution(setup->sm_s_pres)); 3043 3044 if (setup->sm_use_secure_connections){ 3045 connection->sm_engine_state = SM_SC_W4_PUBLIC_KEY_COMMAND; 3046 } else { 3047 connection->sm_engine_state = SM_RESPONDER_PH1_W4_PAIRING_CONFIRM; 3048 } 3049 3050 sm_send_connectionless(connection, (uint8_t*) &setup->sm_s_pres, sizeof(sm_pairing_packet_t)); 3051 sm_timeout_reset(connection); 3052 3053 // notify after sending 3054 sm_pairing_started(connection); 3055 3056 // SC Numeric Comparison will trigger user response after public keys & nonces have been exchanged 3057 if (!setup->sm_use_secure_connections || (setup->sm_stk_generation_method == JUST_WORKS)){ 3058 sm_trigger_user_response(connection); 3059 } 3060 return; 3061 #endif 3062 3063 case SM_PH2_SEND_PAIRING_RANDOM: { 3064 uint8_t buffer[17]; 3065 buffer[0] = SM_CODE_PAIRING_RANDOM; 3066 reverse_128(setup->sm_local_random, &buffer[1]); 3067 if (IS_RESPONDER(connection->sm_role)){ 3068 connection->sm_engine_state = SM_RESPONDER_PH2_W4_LTK_REQUEST; 3069 } else { 3070 connection->sm_engine_state = SM_INITIATOR_PH2_W4_PAIRING_RANDOM; 3071 } 3072 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 3073 sm_timeout_reset(connection); 3074 break; 3075 } 3076 3077 case SM_PH2_C1_GET_ENC_A: 3078 // already busy? 3079 if (sm_aes128_state == SM_AES128_ACTIVE) break; 3080 // calculate confirm using aes128 engine - step 1 3081 sm_c1_t1(setup->sm_local_random, (uint8_t*) &setup->sm_m_preq, (uint8_t*) &setup->sm_s_pres, setup->sm_m_addr_type, setup->sm_s_addr_type, sm_aes128_plaintext); 3082 connection->sm_engine_state = SM_PH2_C1_W4_ENC_A; 3083 sm_aes128_state = SM_AES128_ACTIVE; 3084 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, setup->sm_tk, sm_aes128_plaintext, sm_aes128_ciphertext, sm_handle_encryption_result_enc_a, (void *)(uintptr_t) connection->sm_handle); 3085 break; 3086 3087 case SM_PH2_C1_GET_ENC_C: 3088 // already busy? 3089 if (sm_aes128_state == SM_AES128_ACTIVE) break; 3090 // calculate m_confirm using aes128 engine - step 1 3091 sm_c1_t1(setup->sm_peer_random, (uint8_t*) &setup->sm_m_preq, (uint8_t*) &setup->sm_s_pres, setup->sm_m_addr_type, setup->sm_s_addr_type, sm_aes128_plaintext); 3092 connection->sm_engine_state = SM_PH2_C1_W4_ENC_C; 3093 sm_aes128_state = SM_AES128_ACTIVE; 3094 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, setup->sm_tk, sm_aes128_plaintext, sm_aes128_ciphertext, sm_handle_encryption_result_enc_c, (void *)(uintptr_t) connection->sm_handle); 3095 break; 3096 3097 case SM_PH2_CALC_STK: 3098 // already busy? 3099 if (sm_aes128_state == SM_AES128_ACTIVE) break; 3100 // calculate STK 3101 if (IS_RESPONDER(connection->sm_role)){ 3102 sm_s1_r_prime(setup->sm_local_random, setup->sm_peer_random, sm_aes128_plaintext); 3103 } else { 3104 sm_s1_r_prime(setup->sm_peer_random, setup->sm_local_random, sm_aes128_plaintext); 3105 } 3106 connection->sm_engine_state = SM_PH2_W4_STK; 3107 sm_aes128_state = SM_AES128_ACTIVE; 3108 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, setup->sm_tk, sm_aes128_plaintext, setup->sm_ltk, sm_handle_encryption_result_enc_stk, (void *)(uintptr_t) connection->sm_handle); 3109 break; 3110 3111 case SM_PH3_Y_GET_ENC: 3112 // already busy? 3113 if (sm_aes128_state == SM_AES128_ACTIVE) break; 3114 // PH3B2 - calculate Y from - enc 3115 3116 // dm helper (was sm_dm_r_prime) 3117 // r' = padding || r 3118 // r - 64 bit value 3119 memset(&sm_aes128_plaintext[0], 0, 8); 3120 (void)memcpy(&sm_aes128_plaintext[8], setup->sm_local_rand, 8); 3121 3122 // Y = dm(DHK, Rand) 3123 connection->sm_engine_state = SM_PH3_Y_W4_ENC; 3124 sm_aes128_state = SM_AES128_ACTIVE; 3125 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, sm_persistent_dhk, sm_aes128_plaintext, sm_aes128_ciphertext, sm_handle_encryption_result_enc_ph3_y, (void *)(uintptr_t) connection->sm_handle); 3126 break; 3127 3128 case SM_PH2_C1_SEND_PAIRING_CONFIRM: { 3129 uint8_t buffer[17]; 3130 buffer[0] = SM_CODE_PAIRING_CONFIRM; 3131 reverse_128(setup->sm_local_confirm, &buffer[1]); 3132 if (IS_RESPONDER(connection->sm_role)){ 3133 connection->sm_engine_state = SM_RESPONDER_PH2_W4_PAIRING_RANDOM; 3134 } else { 3135 connection->sm_engine_state = SM_INITIATOR_PH2_W4_PAIRING_CONFIRM; 3136 } 3137 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 3138 sm_timeout_reset(connection); 3139 return; 3140 } 3141 #ifdef ENABLE_LE_PERIPHERAL 3142 case SM_RESPONDER_PH2_SEND_LTK_REPLY: { 3143 // cache key before using 3144 sm_cache_ltk(connection, setup->sm_ltk); 3145 sm_key_t stk_flipped; 3146 reverse_128(setup->sm_ltk, stk_flipped); 3147 connection->sm_engine_state = SM_PH2_W4_CONNECTION_ENCRYPTED; 3148 hci_send_cmd(&hci_le_long_term_key_request_reply, connection->sm_handle, stk_flipped); 3149 return; 3150 } 3151 case SM_RESPONDER_PH4_SEND_LTK_REPLY: { 3152 // allow to override LTK 3153 if (sm_get_ltk_callback != NULL){ 3154 (void)(*sm_get_ltk_callback)(connection->sm_handle, connection->sm_peer_addr_type, connection->sm_peer_address, setup->sm_ltk); 3155 } 3156 // cache key before using 3157 sm_cache_ltk(connection, setup->sm_ltk); 3158 sm_key_t ltk_flipped; 3159 reverse_128(setup->sm_ltk, ltk_flipped); 3160 connection->sm_engine_state = SM_PH4_W4_CONNECTION_ENCRYPTED; 3161 hci_send_cmd(&hci_le_long_term_key_request_reply, connection->sm_handle, ltk_flipped); 3162 return; 3163 } 3164 3165 case SM_RESPONDER_PH0_RECEIVED_LTK_REQUEST: 3166 // already busy? 3167 if (sm_aes128_state == SM_AES128_ACTIVE) break; 3168 log_info("LTK Request: recalculating with ediv 0x%04x", setup->sm_local_ediv); 3169 3170 sm_reset_setup(); 3171 sm_start_calculating_ltk_from_ediv_and_rand(connection); 3172 3173 sm_reencryption_started(connection); 3174 3175 // dm helper (was sm_dm_r_prime) 3176 // r' = padding || r 3177 // r - 64 bit value 3178 memset(&sm_aes128_plaintext[0], 0, 8); 3179 (void)memcpy(&sm_aes128_plaintext[8], setup->sm_local_rand, 8); 3180 3181 // Y = dm(DHK, Rand) 3182 connection->sm_engine_state = SM_RESPONDER_PH4_Y_W4_ENC; 3183 sm_aes128_state = SM_AES128_ACTIVE; 3184 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, sm_persistent_dhk, sm_aes128_plaintext, sm_aes128_ciphertext, sm_handle_encryption_result_enc_ph4_y, (void *)(uintptr_t) connection->sm_handle); 3185 return; 3186 #endif 3187 #ifdef ENABLE_LE_CENTRAL 3188 case SM_INITIATOR_PH3_SEND_START_ENCRYPTION: { 3189 sm_key_t stk_flipped; 3190 reverse_128(setup->sm_ltk, stk_flipped); 3191 connection->sm_engine_state = SM_PH2_W4_CONNECTION_ENCRYPTED; 3192 hci_send_cmd(&hci_le_start_encryption, connection->sm_handle, 0, 0, 0, stk_flipped); 3193 return; 3194 } 3195 #endif 3196 3197 case SM_PH3_DISTRIBUTE_KEYS: 3198 // send next key 3199 if (setup->sm_key_distribution_send_set != 0){ 3200 sm_run_distribute_keys(connection); 3201 } 3202 3203 // more to send? 3204 if (setup->sm_key_distribution_send_set != 0){ 3205 return; 3206 } 3207 3208 // keys are sent 3209 if (IS_RESPONDER(connection->sm_role)){ 3210 // slave -> receive master keys if any 3211 if (sm_key_distribution_all_received()){ 3212 sm_key_distribution_handle_all_received(connection); 3213 sm_key_distribution_complete_responder(connection); 3214 // start CTKD right away 3215 continue; 3216 } else { 3217 connection->sm_engine_state = SM_PH3_RECEIVE_KEYS; 3218 } 3219 } else { 3220 sm_master_pairing_success(connection); 3221 } 3222 break; 3223 3224 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 3225 case SM_BR_EDR_INITIATOR_SEND_PAIRING_REQUEST: 3226 // fill in sm setup (lite version of sm_init_setup) 3227 sm_reset_setup(); 3228 setup->sm_peer_addr_type = connection->sm_peer_addr_type; 3229 setup->sm_m_addr_type = connection->sm_peer_addr_type; 3230 setup->sm_s_addr_type = connection->sm_own_addr_type; 3231 (void) memcpy(setup->sm_peer_address, connection->sm_peer_address, 6); 3232 (void) memcpy(setup->sm_m_address, connection->sm_peer_address, 6); 3233 (void) memcpy(setup->sm_s_address, connection->sm_own_address, 6); 3234 setup->sm_use_secure_connections = true; 3235 sm_ctkd_fetch_br_edr_link_key(connection); 3236 3237 // Enc Key and IRK if requested 3238 key_distribution_flags = SM_KEYDIST_ID_KEY | SM_KEYDIST_ENC_KEY; 3239 #ifdef ENABLE_LE_SIGNED_WRITE 3240 // Plus signing key if supported 3241 key_distribution_flags |= SM_KEYDIST_ID_KEY; 3242 #endif 3243 sm_pairing_packet_set_code(setup->sm_m_preq, SM_CODE_PAIRING_REQUEST); 3244 sm_pairing_packet_set_io_capability(setup->sm_m_preq, 0); 3245 sm_pairing_packet_set_oob_data_flag(setup->sm_m_preq, 0); 3246 sm_pairing_packet_set_auth_req(setup->sm_m_preq, SM_AUTHREQ_CT2); 3247 sm_pairing_packet_set_max_encryption_key_size(setup->sm_m_preq, sm_max_encryption_key_size); 3248 sm_pairing_packet_set_initiator_key_distribution(setup->sm_m_preq, key_distribution_flags); 3249 sm_pairing_packet_set_responder_key_distribution(setup->sm_m_preq, key_distribution_flags); 3250 3251 // set state and send pairing response 3252 sm_timeout_start(connection); 3253 connection->sm_engine_state = SM_BR_EDR_INITIATOR_W4_PAIRING_RESPONSE; 3254 sm_send_connectionless(connection, (uint8_t *) &setup->sm_m_preq, sizeof(sm_pairing_packet_t)); 3255 break; 3256 3257 case SM_BR_EDR_RESPONDER_PAIRING_REQUEST_RECEIVED: 3258 // fill in sm setup (lite version of sm_init_setup) 3259 sm_reset_setup(); 3260 setup->sm_peer_addr_type = connection->sm_peer_addr_type; 3261 setup->sm_m_addr_type = connection->sm_peer_addr_type; 3262 setup->sm_s_addr_type = connection->sm_own_addr_type; 3263 (void) memcpy(setup->sm_peer_address, connection->sm_peer_address, 6); 3264 (void) memcpy(setup->sm_m_address, connection->sm_peer_address, 6); 3265 (void) memcpy(setup->sm_s_address, connection->sm_own_address, 6); 3266 setup->sm_use_secure_connections = true; 3267 sm_ctkd_fetch_br_edr_link_key(connection); 3268 (void) memcpy(&setup->sm_m_preq, &connection->sm_m_preq, sizeof(sm_pairing_packet_t)); 3269 3270 // Enc Key and IRK if requested 3271 key_distribution_flags = SM_KEYDIST_ID_KEY | SM_KEYDIST_ENC_KEY; 3272 #ifdef ENABLE_LE_SIGNED_WRITE 3273 // Plus signing key if supported 3274 key_distribution_flags |= SM_KEYDIST_ID_KEY; 3275 #endif 3276 // drop flags not requested by initiator 3277 key_distribution_flags &= sm_pairing_packet_get_initiator_key_distribution(connection->sm_m_preq); 3278 3279 // If Secure Connections pairing has been initiated over BR/EDR, the following fields of the SM Pairing Request PDU are reserved for future use: 3280 // - the IO Capability field, 3281 // - the OOB data flag field, and 3282 // - all bits in the Auth Req field except the CT2 bit. 3283 sm_pairing_packet_set_code(setup->sm_s_pres, SM_CODE_PAIRING_RESPONSE); 3284 sm_pairing_packet_set_io_capability(setup->sm_s_pres, 0); 3285 sm_pairing_packet_set_oob_data_flag(setup->sm_s_pres, 0); 3286 sm_pairing_packet_set_auth_req(setup->sm_s_pres, SM_AUTHREQ_CT2); 3287 sm_pairing_packet_set_max_encryption_key_size(setup->sm_s_pres, connection->sm_actual_encryption_key_size); 3288 sm_pairing_packet_set_initiator_key_distribution(setup->sm_s_pres, key_distribution_flags); 3289 sm_pairing_packet_set_responder_key_distribution(setup->sm_s_pres, key_distribution_flags); 3290 3291 // configure key distribution, LTK is derived locally 3292 key_distribution_flags &= ~SM_KEYDIST_ENC_KEY; 3293 sm_setup_key_distribution(key_distribution_flags, key_distribution_flags); 3294 3295 // set state and send pairing response 3296 sm_timeout_start(connection); 3297 connection->sm_engine_state = SM_BR_EDR_DISTRIBUTE_KEYS; 3298 sm_send_connectionless(connection, (uint8_t *) &setup->sm_s_pres, sizeof(sm_pairing_packet_t)); 3299 break; 3300 case SM_BR_EDR_DISTRIBUTE_KEYS: 3301 if (setup->sm_key_distribution_send_set != 0) { 3302 sm_run_distribute_keys(connection); 3303 return; 3304 } 3305 // keys are sent 3306 if (IS_RESPONDER(connection->sm_role)) { 3307 // responder -> receive master keys if there are any 3308 if (!sm_key_distribution_all_received()){ 3309 connection->sm_engine_state = SM_BR_EDR_RECEIVE_KEYS; 3310 break; 3311 } 3312 } 3313 // otherwise start CTKD right away (responder and no keys to receive / initiator) 3314 sm_ctkd_start_from_br_edr(connection); 3315 continue; 3316 case SM_SC_W2_CALCULATE_ILK_USING_H6: 3317 connection->sm_engine_state = SM_SC_W4_CALCULATE_ILK; 3318 h6_calculate_ilk_from_le_ltk(connection); 3319 break; 3320 case SM_SC_W2_CALCULATE_BR_EDR_LINK_KEY: 3321 connection->sm_engine_state = SM_SC_W4_CALCULATE_BR_EDR_LINK_KEY; 3322 h6_calculate_br_edr_link_key(connection); 3323 break; 3324 case SM_SC_W2_CALCULATE_ILK_USING_H7: 3325 connection->sm_engine_state = SM_SC_W4_CALCULATE_ILK; 3326 h7_calculate_ilk_from_le_ltk(connection); 3327 break; 3328 case SM_BR_EDR_W2_CALCULATE_ILK_USING_H6: 3329 connection->sm_engine_state = SM_BR_EDR_W4_CALCULATE_ILK; 3330 h6_calculate_ilk_from_br_edr(connection); 3331 break; 3332 case SM_BR_EDR_W2_CALCULATE_LE_LTK: 3333 connection->sm_engine_state = SM_BR_EDR_W4_CALCULATE_LE_LTK; 3334 h6_calculate_le_ltk(connection); 3335 break; 3336 case SM_BR_EDR_W2_CALCULATE_ILK_USING_H7: 3337 connection->sm_engine_state = SM_BR_EDR_W4_CALCULATE_ILK; 3338 h7_calculate_ilk_from_br_edr(connection); 3339 break; 3340 #endif 3341 3342 default: 3343 break; 3344 } 3345 3346 // check again if active connection was released 3347 if (sm_active_connection_handle != HCI_CON_HANDLE_INVALID) break; 3348 } 3349 } 3350 3351 // sm_aes128_state stays active 3352 static void sm_handle_encryption_result_enc_a(void *arg){ 3353 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3354 sm_aes128_state = SM_AES128_IDLE; 3355 3356 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3357 if (connection == NULL) return; 3358 3359 sm_c1_t3(sm_aes128_ciphertext, setup->sm_m_address, setup->sm_s_address, setup->sm_c1_t3_value); 3360 sm_aes128_state = SM_AES128_ACTIVE; 3361 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, setup->sm_tk, setup->sm_c1_t3_value, setup->sm_local_confirm, sm_handle_encryption_result_enc_b, (void *)(uintptr_t) connection->sm_handle); 3362 } 3363 3364 static void sm_handle_encryption_result_enc_b(void *arg){ 3365 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3366 sm_aes128_state = SM_AES128_IDLE; 3367 3368 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3369 if (connection == NULL) return; 3370 3371 log_info_key("c1!", setup->sm_local_confirm); 3372 connection->sm_engine_state = SM_PH2_C1_SEND_PAIRING_CONFIRM; 3373 sm_trigger_run(); 3374 } 3375 3376 // sm_aes128_state stays active 3377 static void sm_handle_encryption_result_enc_c(void *arg){ 3378 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3379 sm_aes128_state = SM_AES128_IDLE; 3380 3381 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3382 if (connection == NULL) return; 3383 3384 sm_c1_t3(sm_aes128_ciphertext, setup->sm_m_address, setup->sm_s_address, setup->sm_c1_t3_value); 3385 sm_aes128_state = SM_AES128_ACTIVE; 3386 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, setup->sm_tk, setup->sm_c1_t3_value, sm_aes128_ciphertext, sm_handle_encryption_result_enc_d, (void *)(uintptr_t) connection->sm_handle); 3387 } 3388 3389 static void sm_handle_encryption_result_enc_d(void * arg){ 3390 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3391 sm_aes128_state = SM_AES128_IDLE; 3392 3393 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3394 if (connection == NULL) return; 3395 3396 log_info_key("c1!", sm_aes128_ciphertext); 3397 if (memcmp(setup->sm_peer_confirm, sm_aes128_ciphertext, 16) != 0){ 3398 sm_pairing_error(connection, SM_REASON_CONFIRM_VALUE_FAILED); 3399 sm_trigger_run(); 3400 return; 3401 } 3402 if (IS_RESPONDER(connection->sm_role)){ 3403 connection->sm_engine_state = SM_PH2_SEND_PAIRING_RANDOM; 3404 sm_trigger_run(); 3405 } else { 3406 sm_s1_r_prime(setup->sm_peer_random, setup->sm_local_random, sm_aes128_plaintext); 3407 sm_aes128_state = SM_AES128_ACTIVE; 3408 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, setup->sm_tk, sm_aes128_plaintext, setup->sm_ltk, sm_handle_encryption_result_enc_stk, (void *)(uintptr_t) connection->sm_handle); 3409 } 3410 } 3411 3412 static void sm_handle_encryption_result_enc_stk(void *arg){ 3413 sm_aes128_state = SM_AES128_IDLE; 3414 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3415 3416 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3417 if (connection == NULL) return; 3418 3419 sm_truncate_key(setup->sm_ltk, connection->sm_actual_encryption_key_size); 3420 log_info_key("stk", setup->sm_ltk); 3421 if (IS_RESPONDER(connection->sm_role)){ 3422 connection->sm_engine_state = SM_RESPONDER_PH2_SEND_LTK_REPLY; 3423 } else { 3424 connection->sm_engine_state = SM_INITIATOR_PH3_SEND_START_ENCRYPTION; 3425 } 3426 sm_trigger_run(); 3427 } 3428 3429 // sm_aes128_state stays active 3430 static void sm_handle_encryption_result_enc_ph3_y(void *arg){ 3431 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3432 sm_aes128_state = SM_AES128_IDLE; 3433 3434 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3435 if (connection == NULL) return; 3436 3437 setup->sm_local_y = big_endian_read_16(sm_aes128_ciphertext, 14); 3438 log_info_hex16("y", setup->sm_local_y); 3439 // PH3B3 - calculate EDIV 3440 setup->sm_local_ediv = setup->sm_local_y ^ setup->sm_local_div; 3441 log_info_hex16("ediv", setup->sm_local_ediv); 3442 // PH3B4 - calculate LTK - enc 3443 // LTK = d1(ER, DIV, 0)) 3444 sm_d1_d_prime(setup->sm_local_div, 0, sm_aes128_plaintext); 3445 sm_aes128_state = SM_AES128_ACTIVE; 3446 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, sm_persistent_er, sm_aes128_plaintext, setup->sm_ltk, sm_handle_encryption_result_enc_ph3_ltk, (void *)(uintptr_t) connection->sm_handle); 3447 } 3448 3449 #ifdef ENABLE_LE_PERIPHERAL 3450 // sm_aes128_state stays active 3451 static void sm_handle_encryption_result_enc_ph4_y(void *arg){ 3452 sm_aes128_state = SM_AES128_IDLE; 3453 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3454 3455 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3456 if (connection == NULL) return; 3457 3458 setup->sm_local_y = big_endian_read_16(sm_aes128_ciphertext, 14); 3459 log_info_hex16("y", setup->sm_local_y); 3460 3461 // PH3B3 - calculate DIV 3462 setup->sm_local_div = setup->sm_local_y ^ setup->sm_local_ediv; 3463 log_info_hex16("ediv", setup->sm_local_ediv); 3464 // PH3B4 - calculate LTK - enc 3465 // LTK = d1(ER, DIV, 0)) 3466 sm_d1_d_prime(setup->sm_local_div, 0, sm_aes128_plaintext); 3467 sm_aes128_state = SM_AES128_ACTIVE; 3468 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, sm_persistent_er, sm_aes128_plaintext, setup->sm_ltk, sm_handle_encryption_result_enc_ph4_ltk, (void *)(uintptr_t) connection->sm_handle); 3469 } 3470 #endif 3471 3472 // sm_aes128_state stays active 3473 static void sm_handle_encryption_result_enc_ph3_ltk(void *arg){ 3474 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3475 sm_aes128_state = SM_AES128_IDLE; 3476 3477 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3478 if (connection == NULL) return; 3479 3480 log_info_key("ltk", setup->sm_ltk); 3481 // calc CSRK next 3482 sm_d1_d_prime(setup->sm_local_div, 1, sm_aes128_plaintext); 3483 sm_aes128_state = SM_AES128_ACTIVE; 3484 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, sm_persistent_er, sm_aes128_plaintext, setup->sm_local_csrk, sm_handle_encryption_result_enc_csrk, (void *)(uintptr_t) connection->sm_handle); 3485 } 3486 3487 static void sm_handle_encryption_result_enc_csrk(void *arg){ 3488 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3489 sm_aes128_state = SM_AES128_IDLE; 3490 3491 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3492 if (connection == NULL) return; 3493 3494 sm_aes128_state = SM_AES128_IDLE; 3495 log_info_key("csrk", setup->sm_local_csrk); 3496 if (setup->sm_key_distribution_send_set){ 3497 connection->sm_engine_state = SM_PH3_DISTRIBUTE_KEYS; 3498 } else { 3499 // no keys to send, just continue 3500 if (IS_RESPONDER(connection->sm_role)){ 3501 if (sm_key_distribution_all_received()){ 3502 sm_key_distribution_handle_all_received(connection); 3503 sm_key_distribution_complete_responder(connection); 3504 } else { 3505 // slave -> receive master keys 3506 connection->sm_engine_state = SM_PH3_RECEIVE_KEYS; 3507 } 3508 } else { 3509 sm_key_distribution_complete_initiator(connection); 3510 } 3511 } 3512 sm_trigger_run(); 3513 } 3514 3515 #ifdef ENABLE_LE_PERIPHERAL 3516 static void sm_handle_encryption_result_enc_ph4_ltk(void *arg){ 3517 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3518 sm_aes128_state = SM_AES128_IDLE; 3519 3520 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3521 if (connection == NULL) return; 3522 3523 sm_truncate_key(setup->sm_ltk, connection->sm_actual_encryption_key_size); 3524 log_info_key("ltk", setup->sm_ltk); 3525 connection->sm_engine_state = SM_RESPONDER_PH4_SEND_LTK_REPLY; 3526 sm_trigger_run(); 3527 } 3528 #endif 3529 3530 static void sm_handle_encryption_result_address_resolution(void *arg){ 3531 UNUSED(arg); 3532 sm_aes128_state = SM_AES128_IDLE; 3533 3534 // compare calulated address against connecting device 3535 uint8_t * hash = &sm_aes128_ciphertext[13]; 3536 if (memcmp(&sm_address_resolution_address[3], hash, 3) == 0){ 3537 log_info("LE Device Lookup: matched resolvable private address"); 3538 sm_address_resolution_handle_event(ADDRESS_RESOLUTION_SUCCEEDED); 3539 sm_trigger_run(); 3540 return; 3541 } 3542 // no match, try next 3543 sm_address_resolution_test++; 3544 sm_trigger_run(); 3545 } 3546 3547 static void sm_handle_encryption_result_dkg_irk(void *arg){ 3548 UNUSED(arg); 3549 sm_aes128_state = SM_AES128_IDLE; 3550 3551 log_info_key("irk", sm_persistent_irk); 3552 dkg_state = DKG_CALC_DHK; 3553 sm_trigger_run(); 3554 } 3555 3556 static void sm_handle_encryption_result_dkg_dhk(void *arg){ 3557 UNUSED(arg); 3558 sm_aes128_state = SM_AES128_IDLE; 3559 3560 log_info_key("dhk", sm_persistent_dhk); 3561 dkg_state = DKG_READY; 3562 sm_trigger_run(); 3563 } 3564 3565 static void sm_handle_encryption_result_rau(void *arg){ 3566 UNUSED(arg); 3567 sm_aes128_state = SM_AES128_IDLE; 3568 3569 (void)memcpy(&sm_random_address[3], &sm_aes128_ciphertext[13], 3); 3570 rau_state = RAU_IDLE; 3571 hci_le_random_address_set(sm_random_address); 3572 3573 sm_trigger_run(); 3574 } 3575 3576 static void sm_handle_random_result_rau(void * arg){ 3577 UNUSED(arg); 3578 // non-resolvable vs. resolvable 3579 switch (gap_random_adress_type){ 3580 case GAP_RANDOM_ADDRESS_RESOLVABLE: 3581 // resolvable: use random as prand and calc address hash 3582 // "The two most significant bits of prand shall be equal to ‘0’ and ‘1" 3583 sm_random_address[0u] &= 0x3fu; 3584 sm_random_address[0u] |= 0x40u; 3585 rau_state = RAU_GET_ENC; 3586 break; 3587 case GAP_RANDOM_ADDRESS_NON_RESOLVABLE: 3588 default: 3589 // "The two most significant bits of the address shall be equal to ‘0’"" 3590 sm_random_address[0u] &= 0x3fu; 3591 rau_state = RAU_IDLE; 3592 hci_le_random_address_set(sm_random_address); 3593 break; 3594 } 3595 sm_trigger_run(); 3596 } 3597 3598 #ifdef ENABLE_LE_SECURE_CONNECTIONS 3599 static void sm_handle_random_result_sc_next_send_pairing_random(void * arg){ 3600 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3601 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3602 if (connection == NULL) return; 3603 3604 connection->sm_engine_state = SM_SC_SEND_PAIRING_RANDOM; 3605 sm_trigger_run(); 3606 } 3607 3608 static void sm_handle_random_result_sc_next_w2_cmac_for_confirmation(void * arg){ 3609 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3610 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3611 if (connection == NULL) return; 3612 3613 connection->sm_engine_state = SM_SC_W2_CMAC_FOR_CONFIRMATION; 3614 sm_trigger_run(); 3615 } 3616 #endif 3617 3618 static void sm_handle_random_result_ph2_random(void * arg){ 3619 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3620 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3621 if (connection == NULL) return; 3622 3623 connection->sm_engine_state = SM_PH2_C1_GET_ENC_A; 3624 sm_trigger_run(); 3625 } 3626 3627 static void sm_handle_random_result_ph2_tk(void * arg){ 3628 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3629 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3630 if (connection == NULL) return; 3631 3632 sm_reset_tk(); 3633 uint32_t tk; 3634 if (sm_fixed_passkey_in_display_role == 0xffffffffU){ 3635 // map random to 0-999999 without speding much cycles on a modulus operation 3636 tk = little_endian_read_32(sm_random_data,0); 3637 tk = tk & 0xfffff; // 1048575 3638 if (tk >= 999999u){ 3639 tk = tk - 999999u; 3640 } 3641 } else { 3642 // override with pre-defined passkey 3643 tk = sm_fixed_passkey_in_display_role; 3644 } 3645 big_endian_store_32(setup->sm_tk, 12, tk); 3646 if (IS_RESPONDER(connection->sm_role)){ 3647 connection->sm_engine_state = SM_RESPONDER_PH1_SEND_PAIRING_RESPONSE; 3648 } else { 3649 if (setup->sm_use_secure_connections){ 3650 connection->sm_engine_state = SM_SC_SEND_PUBLIC_KEY_COMMAND; 3651 } else { 3652 connection->sm_engine_state = SM_PH1_W4_USER_RESPONSE; 3653 sm_trigger_user_response(connection); 3654 // response_idle == nothing <--> sm_trigger_user_response() did not require response 3655 if (setup->sm_user_response == SM_USER_RESPONSE_IDLE){ 3656 btstack_crypto_random_generate(&sm_crypto_random_request, setup->sm_local_random, 16, &sm_handle_random_result_ph2_random, (void *)(uintptr_t) connection->sm_handle); 3657 } 3658 } 3659 } 3660 sm_trigger_run(); 3661 } 3662 3663 static void sm_handle_random_result_ph3_div(void * arg){ 3664 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3665 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3666 if (connection == NULL) return; 3667 3668 // use 16 bit from random value as div 3669 setup->sm_local_div = big_endian_read_16(sm_random_data, 0); 3670 log_info_hex16("div", setup->sm_local_div); 3671 connection->sm_engine_state = SM_PH3_Y_GET_ENC; 3672 sm_trigger_run(); 3673 } 3674 3675 static void sm_handle_random_result_ph3_random(void * arg){ 3676 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3677 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3678 if (connection == NULL) return; 3679 3680 reverse_64(sm_random_data, setup->sm_local_rand); 3681 // no db for encryption size hack: encryption size is stored in lowest nibble of setup->sm_local_rand 3682 setup->sm_local_rand[7u] = (setup->sm_local_rand[7u] & 0xf0u) + (connection->sm_actual_encryption_key_size - 1u); 3683 // no db for authenticated flag hack: store flag in bit 4 of LSB 3684 setup->sm_local_rand[7u] = (setup->sm_local_rand[7u] & 0xefu) + (connection->sm_connection_authenticated << 4u); 3685 btstack_crypto_random_generate(&sm_crypto_random_request, sm_random_data, 2, &sm_handle_random_result_ph3_div, (void *)(uintptr_t) connection->sm_handle); 3686 } 3687 static void sm_validate_er_ir(void){ 3688 // warn about default ER/IR 3689 bool warning = false; 3690 if (sm_ir_is_default()){ 3691 warning = true; 3692 log_error("Persistent IR not set with sm_set_ir. Use of private addresses will cause pairing issues"); 3693 } 3694 if (sm_er_is_default()){ 3695 warning = true; 3696 log_error("Persistent ER not set with sm_set_er. Legacy Pairing LTK is not secure"); 3697 } 3698 if (warning) { 3699 log_error("Please configure btstack_tlv to let BTstack setup ER and IR keys"); 3700 } 3701 } 3702 3703 static void sm_handle_random_result_ir(void *arg){ 3704 sm_persistent_keys_random_active = false; 3705 if (arg != NULL){ 3706 // key generated, store in tlv 3707 int status = sm_tlv_impl->store_tag(sm_tlv_context, BTSTACK_TAG32('S','M','I','R'), sm_persistent_ir, 16u); 3708 log_info("Generated IR key. Store in TLV status: %d", status); 3709 UNUSED(status); 3710 } 3711 log_info_key("IR", sm_persistent_ir); 3712 dkg_state = DKG_CALC_IRK; 3713 3714 if (test_use_fixed_local_irk){ 3715 log_info_key("IRK", sm_persistent_irk); 3716 dkg_state = DKG_CALC_DHK; 3717 } 3718 3719 sm_trigger_run(); 3720 } 3721 3722 static void sm_handle_random_result_er(void *arg){ 3723 sm_persistent_keys_random_active = false; 3724 if (arg != 0){ 3725 // key generated, store in tlv 3726 int status = sm_tlv_impl->store_tag(sm_tlv_context, BTSTACK_TAG32('S','M','E','R'), sm_persistent_er, 16u); 3727 log_info("Generated ER key. Store in TLV status: %d", status); 3728 UNUSED(status); 3729 } 3730 log_info_key("ER", sm_persistent_er); 3731 3732 // try load ir 3733 int key_size = sm_tlv_impl->get_tag(sm_tlv_context, BTSTACK_TAG32('S','M','I','R'), sm_persistent_ir, 16u); 3734 if (key_size == 16){ 3735 // ok, let's continue 3736 log_info("IR from TLV"); 3737 sm_handle_random_result_ir( NULL ); 3738 } else { 3739 // invalid, generate new random one 3740 sm_persistent_keys_random_active = true; 3741 btstack_crypto_random_generate(&sm_crypto_random_request, sm_persistent_ir, 16, &sm_handle_random_result_ir, &sm_persistent_ir); 3742 } 3743 } 3744 3745 static void sm_connection_init(sm_connection_t * sm_conn, hci_con_handle_t con_handle, uint8_t role, uint8_t addr_type, bd_addr_t address){ 3746 3747 // connection info 3748 sm_conn->sm_handle = con_handle; 3749 sm_conn->sm_role = role; 3750 sm_conn->sm_peer_addr_type = addr_type; 3751 memcpy(sm_conn->sm_peer_address, address, 6); 3752 3753 // security properties 3754 sm_conn->sm_connection_encrypted = 0; 3755 sm_conn->sm_connection_authenticated = 0; 3756 sm_conn->sm_connection_authorization_state = AUTHORIZATION_UNKNOWN; 3757 sm_conn->sm_le_db_index = -1; 3758 sm_conn->sm_reencryption_active = false; 3759 3760 // prepare CSRK lookup (does not involve setup) 3761 sm_conn->sm_irk_lookup_state = IRK_LOOKUP_W4_READY; 3762 3763 sm_conn->sm_engine_state = SM_GENERAL_IDLE; 3764 } 3765 3766 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 3767 static void sm_event_handle_classic_encryption_event(sm_connection_t * sm_conn, hci_con_handle_t con_handle){ 3768 // CTKD requires BR/EDR Secure Connection 3769 if (sm_conn->sm_connection_encrypted != 2) return; 3770 // prepare for pairing request 3771 if (IS_RESPONDER(sm_conn->sm_role)){ 3772 sm_conn->sm_engine_state = SM_BR_EDR_RESPONDER_W4_PAIRING_REQUEST; 3773 } else if (sm_conn->sm_pairing_requested){ 3774 // check if remote supports fixed channels 3775 bool defer = true; 3776 const hci_connection_t * hci_connection = hci_connection_for_handle(con_handle); 3777 if (hci_connection->l2cap_state.information_state == L2CAP_INFORMATION_STATE_DONE){ 3778 // check if remote supports SMP over BR/EDR 3779 if ((hci_connection->l2cap_state.fixed_channels_supported & (1 << L2CAP_CID_BR_EDR_SECURITY_MANAGER)) != 0){ 3780 log_info("CTKD: SM_BR_EDR_INITIATOR_SEND_PAIRING_REQUEST"); 3781 sm_conn->sm_engine_state = SM_BR_EDR_INITIATOR_SEND_PAIRING_REQUEST; 3782 } else { 3783 defer = false; 3784 } 3785 } else { 3786 // wait for fixed channel info 3787 log_info("CTKD: SM_BR_EDR_INITIATOR_W4_FIXED_CHANNEL_MASK"); 3788 sm_conn->sm_engine_state = SM_BR_EDR_INITIATOR_W4_FIXED_CHANNEL_MASK; 3789 } 3790 if (defer){ 3791 hci_dedicated_bonding_defer_disconnect(con_handle, true); 3792 } 3793 } 3794 } 3795 #endif 3796 3797 static void sm_event_packet_handler (uint8_t packet_type, uint16_t channel, uint8_t *packet, uint16_t size){ 3798 3799 UNUSED(channel); // ok: there is no channel 3800 UNUSED(size); // ok: fixed format HCI events 3801 3802 sm_connection_t * sm_conn; 3803 hci_con_handle_t con_handle; 3804 uint8_t status; 3805 bd_addr_t addr; 3806 3807 switch (packet_type) { 3808 3809 case HCI_EVENT_PACKET: 3810 switch (hci_event_packet_get_type(packet)) { 3811 3812 case BTSTACK_EVENT_STATE: 3813 switch (btstack_event_state_get_state(packet)){ 3814 case HCI_STATE_WORKING: 3815 log_info("HCI Working!"); 3816 // setup IR/ER with TLV 3817 btstack_tlv_get_instance(&sm_tlv_impl, &sm_tlv_context); 3818 if (sm_tlv_impl != NULL){ 3819 int key_size = sm_tlv_impl->get_tag(sm_tlv_context, BTSTACK_TAG32('S','M','E','R'), sm_persistent_er, 16u); 3820 if (key_size == 16){ 3821 // ok, let's continue 3822 log_info("ER from TLV"); 3823 sm_handle_random_result_er( NULL ); 3824 } else { 3825 // invalid, generate random one 3826 sm_persistent_keys_random_active = true; 3827 btstack_crypto_random_generate(&sm_crypto_random_request, sm_persistent_er, 16, &sm_handle_random_result_er, &sm_persistent_er); 3828 } 3829 } else { 3830 sm_validate_er_ir(); 3831 dkg_state = DKG_CALC_IRK; 3832 3833 if (test_use_fixed_local_irk){ 3834 log_info_key("IRK", sm_persistent_irk); 3835 dkg_state = DKG_CALC_DHK; 3836 } 3837 } 3838 3839 #ifdef ENABLE_LE_SECURE_CONNECTIONS 3840 // trigger ECC key generation 3841 if (ec_key_generation_state == EC_KEY_GENERATION_IDLE){ 3842 sm_ec_generate_new_key(); 3843 } 3844 #endif 3845 3846 // restart random address updates after power cycle 3847 if (gap_random_adress_type == GAP_RANDOM_ADDRESS_TYPE_STATIC){ 3848 gap_random_address_set(sm_random_address); 3849 } else { 3850 gap_random_address_set_mode(gap_random_adress_type); 3851 } 3852 break; 3853 3854 case HCI_STATE_OFF: 3855 case HCI_STATE_HALTING: 3856 log_info("SM: reset state"); 3857 // stop random address update 3858 gap_random_address_update_stop(); 3859 // reset state 3860 sm_state_reset(); 3861 break; 3862 3863 default: 3864 break; 3865 } 3866 break; 3867 3868 #ifdef ENABLE_CLASSIC 3869 case HCI_EVENT_CONNECTION_COMPLETE: 3870 // ignore if connection failed 3871 if (hci_event_connection_complete_get_status(packet)) return; 3872 3873 con_handle = hci_event_connection_complete_get_connection_handle(packet); 3874 sm_conn = sm_get_connection_for_handle(con_handle); 3875 if (!sm_conn) break; 3876 3877 hci_event_connection_complete_get_bd_addr(packet, addr); 3878 sm_connection_init(sm_conn, 3879 con_handle, 3880 (uint8_t) gap_get_role(con_handle), 3881 BD_ADDR_TYPE_LE_PUBLIC, 3882 addr); 3883 // classic connection corresponds to public le address 3884 sm_conn->sm_own_addr_type = BD_ADDR_TYPE_LE_PUBLIC; 3885 gap_local_bd_addr(sm_conn->sm_own_address); 3886 sm_conn->sm_cid = L2CAP_CID_BR_EDR_SECURITY_MANAGER; 3887 sm_conn->sm_engine_state = SM_BR_EDR_W4_ENCRYPTION_COMPLETE; 3888 break; 3889 #endif 3890 3891 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 3892 case HCI_EVENT_SIMPLE_PAIRING_COMPLETE: 3893 if (hci_event_simple_pairing_complete_get_status(packet) != ERROR_CODE_SUCCESS) break; 3894 hci_event_simple_pairing_complete_get_bd_addr(packet, addr); 3895 sm_conn = sm_get_connection_for_bd_addr_and_type(addr, BD_ADDR_TYPE_ACL); 3896 if (sm_conn == NULL) break; 3897 sm_conn->sm_pairing_requested = 1; 3898 break; 3899 #endif 3900 3901 case HCI_EVENT_META_GAP: 3902 switch (hci_event_gap_meta_get_subevent_code(packet)) { 3903 case GAP_SUBEVENT_LE_CONNECTION_COMPLETE: 3904 // ignore if connection failed 3905 if (gap_subevent_le_connection_complete_get_status(packet) != ERROR_CODE_SUCCESS) break; 3906 3907 con_handle = gap_subevent_le_connection_complete_get_connection_handle(packet); 3908 sm_conn = sm_get_connection_for_handle(con_handle); 3909 if (!sm_conn) break; 3910 3911 gap_subevent_le_connection_complete_get_peer_address(packet, addr); 3912 sm_connection_init(sm_conn, 3913 con_handle, 3914 gap_subevent_le_connection_complete_get_role(packet), 3915 gap_subevent_le_connection_complete_get_peer_address_type(packet), 3916 addr); 3917 sm_conn->sm_cid = L2CAP_CID_SECURITY_MANAGER_PROTOCOL; 3918 3919 // track our addr used for this connection and set state 3920 #ifdef ENABLE_LE_PERIPHERAL 3921 if (gap_subevent_le_connection_complete_get_role(packet) != 0){ 3922 // responder - use own address from advertisements 3923 gap_le_get_own_advertisements_address(&sm_conn->sm_own_addr_type, sm_conn->sm_own_address); 3924 sm_conn->sm_engine_state = SM_RESPONDER_IDLE; 3925 } 3926 #endif 3927 #ifdef ENABLE_LE_CENTRAL 3928 if (gap_subevent_le_connection_complete_get_role(packet) == 0){ 3929 // initiator - use own address from create connection 3930 gap_le_get_own_connection_address(&sm_conn->sm_own_addr_type, sm_conn->sm_own_address); 3931 sm_conn->sm_engine_state = SM_INITIATOR_CONNECTED; 3932 } 3933 #endif 3934 break; 3935 default: 3936 break; 3937 } 3938 break; 3939 case HCI_EVENT_LE_META: 3940 switch (hci_event_le_meta_get_subevent_code(packet)) { 3941 case HCI_SUBEVENT_LE_LONG_TERM_KEY_REQUEST: 3942 con_handle = hci_subevent_le_long_term_key_request_get_connection_handle(packet); 3943 sm_conn = sm_get_connection_for_handle(con_handle); 3944 if (!sm_conn) break; 3945 3946 log_info("LTK Request: state %u", sm_conn->sm_engine_state); 3947 if (sm_conn->sm_engine_state == SM_RESPONDER_PH2_W4_LTK_REQUEST){ 3948 sm_conn->sm_engine_state = SM_PH2_CALC_STK; 3949 break; 3950 } 3951 if (sm_conn->sm_engine_state == SM_SC_W4_LTK_REQUEST_SC){ 3952 // PH2 SEND LTK as we need to exchange keys in PH3 3953 sm_conn->sm_engine_state = SM_RESPONDER_PH2_SEND_LTK_REPLY; 3954 break; 3955 } 3956 3957 // store rand and ediv 3958 reverse_64(&packet[5], sm_conn->sm_local_rand); 3959 sm_conn->sm_local_ediv = hci_subevent_le_long_term_key_request_get_encryption_diversifier(packet); 3960 3961 // For Legacy Pairing (<=> EDIV != 0 || RAND != NULL), we need to recalculated our LTK as a 3962 // potentially stored LTK is from the master 3963 if ((sm_conn->sm_local_ediv != 0u) || !sm_is_null_random(sm_conn->sm_local_rand)){ 3964 if (sm_reconstruct_ltk_without_le_device_db_entry){ 3965 sm_conn->sm_engine_state = SM_RESPONDER_PH0_RECEIVED_LTK_REQUEST; 3966 break; 3967 } 3968 // additionally check if remote is in LE Device DB if requested 3969 switch(sm_conn->sm_irk_lookup_state){ 3970 case IRK_LOOKUP_FAILED: 3971 log_info("LTK Request: device not in device db"); 3972 sm_conn->sm_engine_state = SM_RESPONDER_PH0_SEND_LTK_REQUESTED_NEGATIVE_REPLY; 3973 break; 3974 case IRK_LOOKUP_SUCCEEDED: 3975 sm_conn->sm_engine_state = SM_RESPONDER_PH0_RECEIVED_LTK_REQUEST; 3976 break; 3977 default: 3978 // wait for irk look doen 3979 sm_conn->sm_engine_state = SM_RESPONDER_PH0_RECEIVED_LTK_W4_IRK; 3980 break; 3981 } 3982 break; 3983 } 3984 3985 #ifdef ENABLE_LE_SECURE_CONNECTIONS 3986 sm_conn->sm_engine_state = SM_SC_RECEIVED_LTK_REQUEST; 3987 #else 3988 log_info("LTK Request: ediv & random are empty, but LE Secure Connections not supported"); 3989 sm_conn->sm_engine_state = SM_RESPONDER_PH0_SEND_LTK_REQUESTED_NEGATIVE_REPLY; 3990 #endif 3991 break; 3992 3993 default: 3994 break; 3995 } 3996 break; 3997 3998 case HCI_EVENT_ENCRYPTION_CHANGE: 3999 case HCI_EVENT_ENCRYPTION_CHANGE_V2: 4000 con_handle = hci_event_encryption_change_get_connection_handle(packet); 4001 sm_conn = sm_get_connection_for_handle(con_handle); 4002 if (!sm_conn) break; 4003 4004 sm_conn->sm_connection_encrypted = hci_event_encryption_change_get_encryption_enabled(packet); 4005 log_info("Encryption state change: %u, key size %u", sm_conn->sm_connection_encrypted, 4006 sm_conn->sm_actual_encryption_key_size); 4007 log_info("event handler, state %u", sm_conn->sm_engine_state); 4008 4009 switch (sm_conn->sm_engine_state){ 4010 4011 case SM_PH4_W4_CONNECTION_ENCRYPTED: 4012 // encryption change event concludes re-encryption for bonded devices (even if it fails) 4013 if (sm_conn->sm_connection_encrypted) { 4014 status = ERROR_CODE_SUCCESS; 4015 if (sm_conn->sm_role){ 4016 sm_conn->sm_engine_state = SM_RESPONDER_IDLE; 4017 } else { 4018 sm_conn->sm_engine_state = SM_INITIATOR_CONNECTED; 4019 } 4020 } else { 4021 status = hci_event_encryption_change_get_status(packet); 4022 // set state to 'RE-ENCRYPTION FAILED' to allow pairing but prevent other interactions 4023 // also, gap_reconnect_security_setup_active will return true 4024 sm_conn->sm_engine_state = SM_GENERAL_REENCRYPTION_FAILED; 4025 } 4026 4027 // emit re-encryption complete 4028 sm_reencryption_complete(sm_conn, status); 4029 4030 // notify client, if pairing was requested before 4031 if (sm_conn->sm_pairing_requested){ 4032 sm_conn->sm_pairing_requested = 0; 4033 sm_pairing_complete(sm_conn, status, 0); 4034 } 4035 4036 sm_done_for_handle(sm_conn->sm_handle); 4037 break; 4038 4039 case SM_PH2_W4_CONNECTION_ENCRYPTED: 4040 if (!sm_conn->sm_connection_encrypted) break; 4041 // handler for HCI_EVENT_ENCRYPTION_KEY_REFRESH_COMPLETE 4042 // contains the same code for this state 4043 sm_conn->sm_connection_sc = setup->sm_use_secure_connections; 4044 if (IS_RESPONDER(sm_conn->sm_role)){ 4045 // slave 4046 if (sm_conn->sm_connection_sc){ 4047 sm_conn->sm_engine_state = SM_PH3_DISTRIBUTE_KEYS; 4048 } else { 4049 btstack_crypto_random_generate(&sm_crypto_random_request, sm_random_data, 8, &sm_handle_random_result_ph3_random, (void *)(uintptr_t) sm_conn->sm_handle); 4050 } 4051 } else { 4052 // master 4053 if (sm_key_distribution_all_received()){ 4054 // skip receiving keys as there are none 4055 sm_key_distribution_handle_all_received(sm_conn); 4056 btstack_crypto_random_generate(&sm_crypto_random_request, sm_random_data, 8, &sm_handle_random_result_ph3_random, (void *)(uintptr_t) sm_conn->sm_handle); 4057 } else { 4058 sm_conn->sm_engine_state = SM_PH3_RECEIVE_KEYS; 4059 } 4060 } 4061 break; 4062 4063 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 4064 case SM_BR_EDR_W4_ENCRYPTION_COMPLETE: 4065 sm_event_handle_classic_encryption_event(sm_conn, con_handle); 4066 break; 4067 #endif 4068 default: 4069 break; 4070 } 4071 break; 4072 4073 case HCI_EVENT_ENCRYPTION_KEY_REFRESH_COMPLETE: 4074 con_handle = little_endian_read_16(packet, 3); 4075 sm_conn = sm_get_connection_for_handle(con_handle); 4076 if (!sm_conn) break; 4077 4078 log_info("Encryption key refresh complete, key size %u", sm_conn->sm_actual_encryption_key_size); 4079 log_info("event handler, state %u", sm_conn->sm_engine_state); 4080 // continue if part of initial pairing 4081 switch (sm_conn->sm_engine_state){ 4082 case SM_PH4_W4_CONNECTION_ENCRYPTED: 4083 if (sm_conn->sm_role){ 4084 sm_conn->sm_engine_state = SM_RESPONDER_IDLE; 4085 } else { 4086 sm_conn->sm_engine_state = SM_INITIATOR_CONNECTED; 4087 } 4088 sm_done_for_handle(sm_conn->sm_handle); 4089 break; 4090 case SM_PH2_W4_CONNECTION_ENCRYPTED: 4091 // handler for HCI_EVENT_ENCRYPTION_CHANGE 4092 // contains the same code for this state 4093 sm_conn->sm_connection_sc = setup->sm_use_secure_connections; 4094 if (IS_RESPONDER(sm_conn->sm_role)){ 4095 // slave 4096 if (sm_conn->sm_connection_sc){ 4097 sm_conn->sm_engine_state = SM_PH3_DISTRIBUTE_KEYS; 4098 } else { 4099 btstack_crypto_random_generate(&sm_crypto_random_request, sm_random_data, 8, &sm_handle_random_result_ph3_random, (void *)(uintptr_t) sm_conn->sm_handle); 4100 } 4101 } else { 4102 // master 4103 if (sm_key_distribution_all_received()){ 4104 // skip receiving keys as there are none 4105 sm_key_distribution_handle_all_received(sm_conn); 4106 btstack_crypto_random_generate(&sm_crypto_random_request, sm_random_data, 8, &sm_handle_random_result_ph3_random, (void *)(uintptr_t) sm_conn->sm_handle); 4107 } else { 4108 sm_conn->sm_engine_state = SM_PH3_RECEIVE_KEYS; 4109 } 4110 } 4111 break; 4112 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 4113 case SM_BR_EDR_W4_ENCRYPTION_COMPLETE: 4114 sm_event_handle_classic_encryption_event(sm_conn, con_handle); 4115 break; 4116 #endif 4117 default: 4118 break; 4119 } 4120 break; 4121 4122 4123 case HCI_EVENT_DISCONNECTION_COMPLETE: 4124 con_handle = little_endian_read_16(packet, 3); 4125 sm_done_for_handle(con_handle); 4126 sm_conn = sm_get_connection_for_handle(con_handle); 4127 if (!sm_conn) break; 4128 4129 // pairing failed, if it was ongoing 4130 switch (sm_conn->sm_engine_state){ 4131 case SM_GENERAL_IDLE: 4132 case SM_INITIATOR_CONNECTED: 4133 case SM_RESPONDER_IDLE: 4134 break; 4135 default: 4136 sm_reencryption_complete(sm_conn, ERROR_CODE_REMOTE_USER_TERMINATED_CONNECTION); 4137 sm_pairing_complete(sm_conn, ERROR_CODE_REMOTE_USER_TERMINATED_CONNECTION, 0); 4138 break; 4139 } 4140 4141 sm_conn->sm_engine_state = SM_GENERAL_IDLE; 4142 sm_conn->sm_handle = 0; 4143 break; 4144 4145 case HCI_EVENT_COMMAND_COMPLETE: 4146 if (hci_event_command_complete_get_command_opcode(packet) == HCI_OPCODE_HCI_READ_BD_ADDR) { 4147 // set local addr for le device db 4148 reverse_bd_addr(&packet[OFFSET_OF_DATA_IN_COMMAND_COMPLETE + 1], addr); 4149 le_device_db_set_local_bd_addr(addr); 4150 } 4151 break; 4152 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 4153 case L2CAP_EVENT_INFORMATION_RESPONSE: 4154 con_handle = l2cap_event_information_response_get_con_handle(packet); 4155 sm_conn = sm_get_connection_for_handle(con_handle); 4156 if (!sm_conn) break; 4157 if (sm_conn->sm_engine_state == SM_BR_EDR_INITIATOR_W4_FIXED_CHANNEL_MASK){ 4158 // check if remote supports SMP over BR/EDR 4159 const hci_connection_t * hci_connection = hci_connection_for_handle(con_handle); 4160 if ((hci_connection->l2cap_state.fixed_channels_supported & (1 << L2CAP_CID_BR_EDR_SECURITY_MANAGER)) != 0){ 4161 sm_conn->sm_engine_state = SM_BR_EDR_INITIATOR_SEND_PAIRING_REQUEST; 4162 } else { 4163 sm_conn->sm_engine_state = SM_INITIATOR_CONNECTED; 4164 hci_dedicated_bonding_defer_disconnect(con_handle, false); 4165 } 4166 } 4167 break; 4168 #endif 4169 default: 4170 break; 4171 } 4172 break; 4173 default: 4174 break; 4175 } 4176 4177 sm_run(); 4178 } 4179 4180 static inline int sm_calc_actual_encryption_key_size(int other){ 4181 if (other < sm_min_encryption_key_size) return 0; 4182 if (other < sm_max_encryption_key_size) return other; 4183 return sm_max_encryption_key_size; 4184 } 4185 4186 4187 #ifdef ENABLE_LE_SECURE_CONNECTIONS 4188 static int sm_just_works_or_numeric_comparison(stk_generation_method_t method){ 4189 switch (method){ 4190 case JUST_WORKS: 4191 case NUMERIC_COMPARISON: 4192 return 1; 4193 default: 4194 return 0; 4195 } 4196 } 4197 // responder 4198 4199 static int sm_passkey_used(stk_generation_method_t method){ 4200 switch (method){ 4201 case PK_RESP_INPUT: 4202 return 1; 4203 default: 4204 return 0; 4205 } 4206 } 4207 4208 static int sm_passkey_entry(stk_generation_method_t method){ 4209 switch (method){ 4210 case PK_RESP_INPUT: 4211 case PK_INIT_INPUT: 4212 case PK_BOTH_INPUT: 4213 return 1; 4214 default: 4215 return 0; 4216 } 4217 } 4218 4219 #endif 4220 4221 /** 4222 * @return ok 4223 */ 4224 static int sm_validate_stk_generation_method(void){ 4225 // check if STK generation method is acceptable by client 4226 switch (setup->sm_stk_generation_method){ 4227 case JUST_WORKS: 4228 return (sm_accepted_stk_generation_methods & SM_STK_GENERATION_METHOD_JUST_WORKS) != 0u; 4229 case PK_RESP_INPUT: 4230 case PK_INIT_INPUT: 4231 case PK_BOTH_INPUT: 4232 return (sm_accepted_stk_generation_methods & SM_STK_GENERATION_METHOD_PASSKEY) != 0u; 4233 case OOB: 4234 return (sm_accepted_stk_generation_methods & SM_STK_GENERATION_METHOD_OOB) != 0u; 4235 case NUMERIC_COMPARISON: 4236 return (sm_accepted_stk_generation_methods & SM_STK_GENERATION_METHOD_NUMERIC_COMPARISON) != 0u; 4237 default: 4238 return 0; 4239 } 4240 } 4241 4242 #ifdef ENABLE_LE_CENTRAL 4243 static void sm_initiator_connected_handle_security_request(sm_connection_t * sm_conn, const uint8_t *packet){ 4244 #ifdef ENABLE_LE_SECURE_CONNECTIONS 4245 if (sm_sc_only_mode){ 4246 uint8_t auth_req = packet[1]; 4247 if ((auth_req & SM_AUTHREQ_SECURE_CONNECTION) == 0){ 4248 sm_pairing_error(sm_conn, SM_REASON_AUTHENTHICATION_REQUIREMENTS); 4249 return; 4250 } 4251 } 4252 #else 4253 UNUSED(packet); 4254 #endif 4255 4256 int have_ltk; 4257 uint8_t ltk[16]; 4258 4259 // IRK complete? 4260 switch (sm_conn->sm_irk_lookup_state){ 4261 case IRK_LOOKUP_FAILED: 4262 // start pairing 4263 sm_conn->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 4264 break; 4265 case IRK_LOOKUP_SUCCEEDED: 4266 le_device_db_encryption_get(sm_conn->sm_le_db_index, NULL, NULL, ltk, NULL, NULL, NULL, NULL); 4267 have_ltk = !sm_is_null_key(ltk); 4268 log_info("central: security request - have_ltk %u, encryption %u", have_ltk, sm_conn->sm_connection_encrypted); 4269 if (have_ltk && (sm_conn->sm_connection_encrypted == 0)){ 4270 // start re-encrypt if we have LTK and the connection is not already encrypted 4271 sm_conn->sm_engine_state = SM_INITIATOR_PH4_HAS_LTK; 4272 } else { 4273 // start pairing 4274 sm_conn->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 4275 } 4276 break; 4277 default: 4278 // otherwise, store security request 4279 sm_conn->sm_security_request_received = 1; 4280 break; 4281 } 4282 } 4283 #endif 4284 4285 static uint8_t sm_pdu_validate_and_get_opcode(uint8_t packet_type, const uint8_t *packet, uint16_t size){ 4286 4287 // size of complete sm_pdu used to validate input 4288 static const uint8_t sm_pdu_size[] = { 4289 0, // 0x00 invalid opcode 4290 7, // 0x01 pairing request 4291 7, // 0x02 pairing response 4292 17, // 0x03 pairing confirm 4293 17, // 0x04 pairing random 4294 2, // 0x05 pairing failed 4295 17, // 0x06 encryption information 4296 11, // 0x07 master identification 4297 17, // 0x08 identification information 4298 8, // 0x09 identify address information 4299 17, // 0x0a signing information 4300 2, // 0x0b security request 4301 65, // 0x0c pairing public key 4302 17, // 0x0d pairing dhk check 4303 2, // 0x0e keypress notification 4304 }; 4305 4306 if (packet_type != SM_DATA_PACKET) return 0; 4307 if (size == 0u) return 0; 4308 4309 uint8_t sm_pdu_code = packet[0]; 4310 4311 // validate pdu size 4312 if (sm_pdu_code >= sizeof(sm_pdu_size)) return 0; 4313 if (sm_pdu_size[sm_pdu_code] != size) return 0; 4314 4315 return sm_pdu_code; 4316 } 4317 4318 static void sm_pdu_handler(uint8_t packet_type, hci_con_handle_t con_handle, uint8_t *packet, uint16_t size){ 4319 4320 if ((packet_type == HCI_EVENT_PACKET) && (packet[0] == L2CAP_EVENT_CAN_SEND_NOW)){ 4321 sm_run(); 4322 } 4323 4324 uint8_t sm_pdu_code = sm_pdu_validate_and_get_opcode(packet_type, packet, size); 4325 if (sm_pdu_code == 0) return; 4326 4327 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 4328 if (!sm_conn) return; 4329 4330 if (sm_pdu_code == SM_CODE_PAIRING_FAILED){ 4331 sm_reencryption_complete(sm_conn, ERROR_CODE_AUTHENTICATION_FAILURE); 4332 sm_pairing_complete(sm_conn, ERROR_CODE_AUTHENTICATION_FAILURE, packet[1]); 4333 sm_done_for_handle(con_handle); 4334 sm_conn->sm_engine_state = sm_conn->sm_role ? SM_RESPONDER_IDLE : SM_INITIATOR_CONNECTED; 4335 return; 4336 } 4337 4338 log_debug("sm_pdu_handler: state %u, pdu 0x%02x", sm_conn->sm_engine_state, sm_pdu_code); 4339 4340 int err; 4341 UNUSED(err); 4342 4343 if (sm_pdu_code == SM_CODE_KEYPRESS_NOTIFICATION){ 4344 uint8_t buffer[5]; 4345 buffer[0] = SM_EVENT_KEYPRESS_NOTIFICATION; 4346 buffer[1] = 3; 4347 little_endian_store_16(buffer, 2, con_handle); 4348 buffer[4] = packet[1]; 4349 sm_dispatch_event(HCI_EVENT_PACKET, 0, buffer, sizeof(buffer)); 4350 return; 4351 } 4352 4353 switch (sm_conn->sm_engine_state){ 4354 4355 // a sm timeout requires a new physical connection 4356 case SM_GENERAL_TIMEOUT: 4357 return; 4358 4359 #ifdef ENABLE_LE_CENTRAL 4360 4361 // Initiator 4362 case SM_INITIATOR_CONNECTED: 4363 if ((sm_pdu_code != SM_CODE_SECURITY_REQUEST) || (sm_conn->sm_role)){ 4364 sm_pdu_received_in_wrong_state(sm_conn); 4365 break; 4366 } 4367 sm_initiator_connected_handle_security_request(sm_conn, packet); 4368 break; 4369 4370 case SM_INITIATOR_PH1_W4_PAIRING_RESPONSE: 4371 // Core 5, Vol 3, Part H, 2.4.6: 4372 // "The master shall ignore the slave’s Security Request if the master has sent a Pairing Request 4373 // without receiving a Pairing Response from the slave or if the master has initiated encryption mode setup." 4374 if (sm_pdu_code == SM_CODE_SECURITY_REQUEST){ 4375 log_info("Ignoring Security Request"); 4376 break; 4377 } 4378 4379 // all other pdus are incorrect 4380 if (sm_pdu_code != SM_CODE_PAIRING_RESPONSE){ 4381 sm_pdu_received_in_wrong_state(sm_conn); 4382 break; 4383 } 4384 4385 // store pairing request 4386 (void)memcpy(&setup->sm_s_pres, packet, 4387 sizeof(sm_pairing_packet_t)); 4388 err = sm_stk_generation_init(sm_conn); 4389 4390 #ifdef ENABLE_TESTING_SUPPORT 4391 if (0 < test_pairing_failure && test_pairing_failure < SM_REASON_DHKEY_CHECK_FAILED){ 4392 log_info("testing_support: abort with pairing failure %u", test_pairing_failure); 4393 err = test_pairing_failure; 4394 } 4395 #endif 4396 4397 if (err != 0){ 4398 sm_pairing_error(sm_conn, err); 4399 break; 4400 } 4401 4402 // generate random number first, if we need to show passkey 4403 if (setup->sm_stk_generation_method == PK_RESP_INPUT){ 4404 btstack_crypto_random_generate(&sm_crypto_random_request, sm_random_data, 8, &sm_handle_random_result_ph2_tk, (void *)(uintptr_t) sm_conn->sm_handle); 4405 break; 4406 } 4407 4408 #ifdef ENABLE_LE_SECURE_CONNECTIONS 4409 if (setup->sm_use_secure_connections){ 4410 // SC Numeric Comparison will trigger user response after public keys & nonces have been exchanged 4411 if (setup->sm_stk_generation_method == JUST_WORKS){ 4412 sm_conn->sm_engine_state = SM_PH1_W4_USER_RESPONSE; 4413 sm_trigger_user_response(sm_conn); 4414 if (setup->sm_user_response == SM_USER_RESPONSE_IDLE){ 4415 sm_conn->sm_engine_state = SM_SC_SEND_PUBLIC_KEY_COMMAND; 4416 } 4417 } else { 4418 sm_conn->sm_engine_state = SM_SC_SEND_PUBLIC_KEY_COMMAND; 4419 } 4420 break; 4421 } 4422 #endif 4423 sm_conn->sm_engine_state = SM_PH1_W4_USER_RESPONSE; 4424 sm_trigger_user_response(sm_conn); 4425 // response_idle == nothing <--> sm_trigger_user_response() did not require response 4426 if (setup->sm_user_response == SM_USER_RESPONSE_IDLE){ 4427 btstack_crypto_random_generate(&sm_crypto_random_request, setup->sm_local_random, 16, &sm_handle_random_result_ph2_random, (void *)(uintptr_t) sm_conn->sm_handle); 4428 } 4429 break; 4430 4431 case SM_INITIATOR_PH2_W4_PAIRING_CONFIRM: 4432 if (sm_pdu_code != SM_CODE_PAIRING_CONFIRM){ 4433 sm_pdu_received_in_wrong_state(sm_conn); 4434 break; 4435 } 4436 4437 // store s_confirm 4438 reverse_128(&packet[1], setup->sm_peer_confirm); 4439 4440 // abort if s_confirm matches m_confirm 4441 if (memcmp(setup->sm_local_confirm, setup->sm_peer_confirm, 16) == 0){ 4442 sm_pdu_received_in_wrong_state(sm_conn); 4443 break; 4444 } 4445 4446 #ifdef ENABLE_TESTING_SUPPORT 4447 if (test_pairing_failure == SM_REASON_CONFIRM_VALUE_FAILED){ 4448 log_info("testing_support: reset confirm value"); 4449 memset(setup->sm_peer_confirm, 0, 16); 4450 } 4451 #endif 4452 sm_conn->sm_engine_state = SM_PH2_SEND_PAIRING_RANDOM; 4453 break; 4454 4455 case SM_INITIATOR_PH2_W4_PAIRING_RANDOM: 4456 if (sm_pdu_code != SM_CODE_PAIRING_RANDOM){ 4457 sm_pdu_received_in_wrong_state(sm_conn); 4458 break;; 4459 } 4460 4461 // received random value 4462 reverse_128(&packet[1], setup->sm_peer_random); 4463 sm_conn->sm_engine_state = SM_PH2_C1_GET_ENC_C; 4464 break; 4465 4466 case SM_PH4_W4_CONNECTION_ENCRYPTED: 4467 // ignore Security Request, see SM_INITIATOR_PH1_W4_PAIRING_RESPONSE above 4468 if (sm_pdu_code != SM_CODE_SECURITY_REQUEST){ 4469 sm_pdu_received_in_wrong_state(sm_conn); 4470 } 4471 break; 4472 #endif 4473 4474 #ifdef ENABLE_LE_PERIPHERAL 4475 // Responder 4476 case SM_RESPONDER_IDLE: 4477 case SM_RESPONDER_SEND_SECURITY_REQUEST: 4478 case SM_RESPONDER_PH1_W4_PAIRING_REQUEST: 4479 if (sm_pdu_code != SM_CODE_PAIRING_REQUEST){ 4480 sm_pdu_received_in_wrong_state(sm_conn); 4481 break;; 4482 } 4483 4484 // store pairing request 4485 (void)memcpy(&sm_conn->sm_m_preq, packet, sizeof(sm_pairing_packet_t)); 4486 4487 // check if IRK completed 4488 switch (sm_conn->sm_irk_lookup_state){ 4489 case IRK_LOOKUP_SUCCEEDED: 4490 case IRK_LOOKUP_FAILED: 4491 sm_conn->sm_engine_state = SM_RESPONDER_PH1_PAIRING_REQUEST_RECEIVED; 4492 break; 4493 default: 4494 sm_conn->sm_engine_state = SM_RESPONDER_PH1_PAIRING_REQUEST_RECEIVED_W4_IRK; 4495 break; 4496 } 4497 break; 4498 #endif 4499 4500 #ifdef ENABLE_LE_SECURE_CONNECTIONS 4501 case SM_SC_W4_PUBLIC_KEY_COMMAND: 4502 if (sm_pdu_code != SM_CODE_PAIRING_PUBLIC_KEY){ 4503 sm_pdu_received_in_wrong_state(sm_conn); 4504 break; 4505 } 4506 4507 // store public key for DH Key calculation 4508 reverse_256(&packet[01], &setup->sm_peer_q[0]); 4509 reverse_256(&packet[33], &setup->sm_peer_q[32]); 4510 4511 // CVE-2020-26558: abort pairing if remote uses the same public key 4512 if (memcmp(&setup->sm_peer_q, ec_q, 64) == 0){ 4513 log_info("Remote PK matches ours"); 4514 sm_pairing_error(sm_conn, SM_REASON_DHKEY_CHECK_FAILED); 4515 break; 4516 } 4517 4518 // validate public key 4519 err = btstack_crypto_ecc_p256_validate_public_key(setup->sm_peer_q); 4520 if (err != 0){ 4521 log_info("sm: peer public key invalid %x", err); 4522 sm_pairing_error(sm_conn, SM_REASON_DHKEY_CHECK_FAILED); 4523 break; 4524 } 4525 4526 // start calculating dhkey 4527 btstack_crypto_ecc_p256_calculate_dhkey(&sm_crypto_ecc_p256_request, setup->sm_peer_q, setup->sm_dhkey, sm_sc_dhkey_calculated, (void*)(uintptr_t) sm_conn->sm_handle); 4528 4529 4530 log_info("public key received, generation method %u", setup->sm_stk_generation_method); 4531 if (IS_RESPONDER(sm_conn->sm_role)){ 4532 // responder 4533 sm_conn->sm_engine_state = SM_SC_SEND_PUBLIC_KEY_COMMAND; 4534 } else { 4535 // initiator 4536 // stk generation method 4537 // passkey entry: notify app to show passkey or to request passkey 4538 switch (setup->sm_stk_generation_method){ 4539 case JUST_WORKS: 4540 case NUMERIC_COMPARISON: 4541 sm_conn->sm_engine_state = SM_SC_W4_CONFIRMATION; 4542 break; 4543 case PK_RESP_INPUT: 4544 sm_sc_start_calculating_local_confirm(sm_conn); 4545 break; 4546 case PK_INIT_INPUT: 4547 case PK_BOTH_INPUT: 4548 if (setup->sm_user_response != SM_USER_RESPONSE_PASSKEY){ 4549 sm_conn->sm_engine_state = SM_SC_W4_USER_RESPONSE; 4550 break; 4551 } 4552 sm_sc_start_calculating_local_confirm(sm_conn); 4553 break; 4554 case OOB: 4555 // generate Nx 4556 log_info("Generate Na"); 4557 btstack_crypto_random_generate(&sm_crypto_random_request, setup->sm_local_nonce, 16, &sm_handle_random_result_sc_next_send_pairing_random, (void*)(uintptr_t) sm_conn->sm_handle); 4558 break; 4559 default: 4560 btstack_assert(false); 4561 break; 4562 } 4563 } 4564 break; 4565 4566 case SM_SC_W4_CONFIRMATION: 4567 if (sm_pdu_code != SM_CODE_PAIRING_CONFIRM){ 4568 sm_pdu_received_in_wrong_state(sm_conn); 4569 break; 4570 } 4571 // received confirm value 4572 reverse_128(&packet[1], setup->sm_peer_confirm); 4573 4574 #ifdef ENABLE_TESTING_SUPPORT 4575 if (test_pairing_failure == SM_REASON_CONFIRM_VALUE_FAILED){ 4576 log_info("testing_support: reset confirm value"); 4577 memset(setup->sm_peer_confirm, 0, 16); 4578 } 4579 #endif 4580 if (IS_RESPONDER(sm_conn->sm_role)){ 4581 // responder 4582 if (sm_passkey_used(setup->sm_stk_generation_method)){ 4583 if (setup->sm_user_response != SM_USER_RESPONSE_PASSKEY){ 4584 // still waiting for passkey 4585 sm_conn->sm_engine_state = SM_SC_W4_USER_RESPONSE; 4586 break; 4587 } 4588 } 4589 sm_sc_start_calculating_local_confirm(sm_conn); 4590 } else { 4591 // initiator 4592 if (sm_just_works_or_numeric_comparison(setup->sm_stk_generation_method)){ 4593 btstack_crypto_random_generate(&sm_crypto_random_request, setup->sm_local_nonce, 16, &sm_handle_random_result_sc_next_send_pairing_random, (void*)(uintptr_t) sm_conn->sm_handle); 4594 } else { 4595 sm_conn->sm_engine_state = SM_SC_SEND_PAIRING_RANDOM; 4596 } 4597 } 4598 break; 4599 4600 case SM_SC_W4_PAIRING_RANDOM: 4601 if (sm_pdu_code != SM_CODE_PAIRING_RANDOM){ 4602 sm_pdu_received_in_wrong_state(sm_conn); 4603 break; 4604 } 4605 4606 // received random value 4607 reverse_128(&packet[1], setup->sm_peer_nonce); 4608 4609 // validate confirm value if Cb = f4(Pkb, Pka, Nb, z) 4610 // only check for JUST WORK/NC in initiator role OR passkey entry 4611 log_info("SM_SC_W4_PAIRING_RANDOM, responder: %u, just works: %u, passkey used %u, passkey entry %u", 4612 IS_RESPONDER(sm_conn->sm_role), sm_just_works_or_numeric_comparison(setup->sm_stk_generation_method), 4613 sm_passkey_used(setup->sm_stk_generation_method), sm_passkey_entry(setup->sm_stk_generation_method)); 4614 if ( (!IS_RESPONDER(sm_conn->sm_role) && sm_just_works_or_numeric_comparison(setup->sm_stk_generation_method)) 4615 || (sm_passkey_entry(setup->sm_stk_generation_method)) ) { 4616 sm_conn->sm_engine_state = SM_SC_W2_CMAC_FOR_CHECK_CONFIRMATION; 4617 break; 4618 } 4619 4620 // OOB 4621 if (setup->sm_stk_generation_method == OOB){ 4622 4623 // setup local random, set to zero if remote did not receive our data 4624 log_info("Received nonce, setup local random ra/rb for dhkey check"); 4625 if (IS_RESPONDER(sm_conn->sm_role)){ 4626 if (sm_pairing_packet_get_oob_data_flag(setup->sm_m_preq) == 0u){ 4627 log_info("Reset rb as A does not have OOB data"); 4628 memset(setup->sm_rb, 0, 16); 4629 } else { 4630 (void)memcpy(setup->sm_rb, sm_sc_oob_random, 16); 4631 log_info("Use stored rb"); 4632 log_info_hexdump(setup->sm_rb, 16); 4633 } 4634 } else { 4635 if (sm_pairing_packet_get_oob_data_flag(setup->sm_s_pres) == 0u){ 4636 log_info("Reset ra as B does not have OOB data"); 4637 memset(setup->sm_ra, 0, 16); 4638 } else { 4639 (void)memcpy(setup->sm_ra, sm_sc_oob_random, 16); 4640 log_info("Use stored ra"); 4641 log_info_hexdump(setup->sm_ra, 16); 4642 } 4643 } 4644 4645 // validate confirm value if Cb = f4(PKb, Pkb, rb, 0) for OOB if data received 4646 if (setup->sm_have_oob_data){ 4647 sm_conn->sm_engine_state = SM_SC_W2_CMAC_FOR_CHECK_CONFIRMATION; 4648 break; 4649 } 4650 } 4651 4652 // TODO: we only get here for Responder role with JW/NC 4653 sm_sc_state_after_receiving_random(sm_conn); 4654 break; 4655 4656 case SM_SC_W2_CALCULATE_G2: 4657 case SM_SC_W4_CALCULATE_G2: 4658 case SM_SC_W4_CALCULATE_DHKEY: 4659 case SM_SC_W2_CALCULATE_F5_SALT: 4660 case SM_SC_W4_CALCULATE_F5_SALT: 4661 case SM_SC_W2_CALCULATE_F5_MACKEY: 4662 case SM_SC_W4_CALCULATE_F5_MACKEY: 4663 case SM_SC_W2_CALCULATE_F5_LTK: 4664 case SM_SC_W4_CALCULATE_F5_LTK: 4665 case SM_SC_W2_CALCULATE_F6_FOR_DHKEY_CHECK: 4666 case SM_SC_W4_DHKEY_CHECK_COMMAND: 4667 case SM_SC_W4_CALCULATE_F6_FOR_DHKEY_CHECK: 4668 case SM_SC_W4_USER_RESPONSE: 4669 if (sm_pdu_code != SM_CODE_PAIRING_DHKEY_CHECK){ 4670 sm_pdu_received_in_wrong_state(sm_conn); 4671 break; 4672 } 4673 // store DHKey Check 4674 setup->sm_state_vars |= SM_STATE_VAR_DHKEY_COMMAND_RECEIVED; 4675 reverse_128(&packet[01], setup->sm_peer_dhkey_check); 4676 4677 // have we been only waiting for dhkey check command? 4678 if (sm_conn->sm_engine_state == SM_SC_W4_DHKEY_CHECK_COMMAND){ 4679 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F6_TO_VERIFY_DHKEY_CHECK; 4680 } 4681 break; 4682 #endif 4683 4684 #ifdef ENABLE_LE_PERIPHERAL 4685 case SM_RESPONDER_PH1_W4_PAIRING_CONFIRM: 4686 if (sm_pdu_code != SM_CODE_PAIRING_CONFIRM){ 4687 sm_pdu_received_in_wrong_state(sm_conn); 4688 break; 4689 } 4690 4691 // received confirm value 4692 reverse_128(&packet[1], setup->sm_peer_confirm); 4693 4694 #ifdef ENABLE_TESTING_SUPPORT 4695 if (test_pairing_failure == SM_REASON_CONFIRM_VALUE_FAILED){ 4696 log_info("testing_support: reset confirm value"); 4697 memset(setup->sm_peer_confirm, 0, 16); 4698 } 4699 #endif 4700 // notify client to hide shown passkey 4701 if (setup->sm_stk_generation_method == PK_INIT_INPUT){ 4702 sm_notify_client_base(SM_EVENT_PASSKEY_DISPLAY_CANCEL, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address); 4703 } 4704 4705 // handle user cancel pairing? 4706 if (setup->sm_user_response == SM_USER_RESPONSE_DECLINE){ 4707 sm_pairing_error(sm_conn, SM_REASON_PASSKEY_ENTRY_FAILED); 4708 break; 4709 } 4710 4711 // wait for user action? 4712 if (setup->sm_user_response == SM_USER_RESPONSE_PENDING){ 4713 sm_conn->sm_engine_state = SM_PH1_W4_USER_RESPONSE; 4714 break; 4715 } 4716 4717 // calculate and send local_confirm 4718 btstack_crypto_random_generate(&sm_crypto_random_request, setup->sm_local_random, 16, &sm_handle_random_result_ph2_random, (void *)(uintptr_t) sm_conn->sm_handle); 4719 break; 4720 4721 case SM_RESPONDER_PH2_W4_PAIRING_RANDOM: 4722 if (sm_pdu_code != SM_CODE_PAIRING_RANDOM){ 4723 sm_pdu_received_in_wrong_state(sm_conn); 4724 break;; 4725 } 4726 4727 // received random value 4728 reverse_128(&packet[1], setup->sm_peer_random); 4729 sm_conn->sm_engine_state = SM_PH2_C1_GET_ENC_C; 4730 break; 4731 #endif 4732 4733 case SM_PH2_W4_CONNECTION_ENCRYPTED: 4734 case SM_PH3_RECEIVE_KEYS: 4735 switch(sm_pdu_code){ 4736 case SM_CODE_ENCRYPTION_INFORMATION: 4737 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION; 4738 reverse_128(&packet[1], setup->sm_peer_ltk); 4739 break; 4740 4741 case SM_CODE_MASTER_IDENTIFICATION: 4742 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_MASTER_IDENTIFICATION; 4743 setup->sm_peer_ediv = little_endian_read_16(packet, 1); 4744 reverse_64(&packet[3], setup->sm_peer_rand); 4745 break; 4746 4747 case SM_CODE_IDENTITY_INFORMATION: 4748 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_IDENTITY_INFORMATION; 4749 reverse_128(&packet[1], setup->sm_peer_irk); 4750 break; 4751 4752 case SM_CODE_IDENTITY_ADDRESS_INFORMATION: 4753 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION; 4754 setup->sm_peer_addr_type = packet[1]; 4755 reverse_bd_addr(&packet[2], setup->sm_peer_address); 4756 break; 4757 4758 case SM_CODE_SIGNING_INFORMATION: 4759 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION; 4760 reverse_128(&packet[1], setup->sm_peer_csrk); 4761 break; 4762 default: 4763 // Unexpected PDU 4764 log_info("Unexpected PDU %u in SM_PH3_RECEIVE_KEYS", packet[0]); 4765 break; 4766 } 4767 // done with key distribution? 4768 if (sm_key_distribution_all_received()){ 4769 4770 sm_key_distribution_handle_all_received(sm_conn); 4771 4772 if (IS_RESPONDER(sm_conn->sm_role)){ 4773 sm_key_distribution_complete_responder(sm_conn); 4774 } else { 4775 if (setup->sm_use_secure_connections){ 4776 sm_conn->sm_engine_state = SM_PH3_DISTRIBUTE_KEYS; 4777 } else { 4778 btstack_crypto_random_generate(&sm_crypto_random_request, sm_random_data, 8, &sm_handle_random_result_ph3_random, (void *)(uintptr_t) sm_conn->sm_handle); 4779 } 4780 } 4781 } 4782 break; 4783 4784 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 4785 4786 case SM_BR_EDR_W4_ENCRYPTION_COMPLETE: 4787 // GAP/DM/LEP/BI-02-C - reject CTKD if P-192 encryption is used 4788 if (sm_pdu_code == SM_CODE_PAIRING_REQUEST){ 4789 sm_pairing_error(sm_conn, SM_REASON_CROSS_TRANSPORT_KEY_DERIVATION_NOT_ALLOWED); 4790 } 4791 break; 4792 4793 case SM_BR_EDR_INITIATOR_W4_PAIRING_RESPONSE: 4794 4795 // dedicated bonding complete 4796 hci_dedicated_bonding_defer_disconnect(sm_conn->sm_handle, false); 4797 4798 if (sm_pdu_code != SM_CODE_PAIRING_RESPONSE){ 4799 sm_pdu_received_in_wrong_state(sm_conn); 4800 break; 4801 } 4802 // store pairing response 4803 (void)memcpy(&setup->sm_s_pres, packet, sizeof(sm_pairing_packet_t)); 4804 4805 // validate encryption key size 4806 sm_conn->sm_actual_encryption_key_size = sm_calc_actual_encryption_key_size(sm_pairing_packet_get_max_encryption_key_size(setup->sm_s_pres)); 4807 // SC Only mandates 128 bit key size 4808 if (sm_sc_only_mode && (sm_conn->sm_actual_encryption_key_size < 16)) { 4809 sm_conn->sm_actual_encryption_key_size = 0; 4810 } 4811 if (sm_conn->sm_actual_encryption_key_size == 0){ 4812 sm_pairing_error(sm_conn, SM_REASON_ENCRYPTION_KEY_SIZE); 4813 break; 4814 } 4815 4816 // prepare key exchange, LTK is derived locally 4817 sm_setup_key_distribution(sm_pairing_packet_get_initiator_key_distribution(setup->sm_s_pres) & ~SM_KEYDIST_ENC_KEY, 4818 sm_pairing_packet_get_responder_key_distribution(setup->sm_s_pres) & ~SM_KEYDIST_ENC_KEY); 4819 4820 // skip receive if there are none 4821 if (sm_key_distribution_all_received()){ 4822 // distribute keys in run handles 'no keys to send' 4823 sm_conn->sm_engine_state = SM_BR_EDR_DISTRIBUTE_KEYS; 4824 } else { 4825 sm_conn->sm_engine_state = SM_BR_EDR_RECEIVE_KEYS; 4826 } 4827 break; 4828 4829 case SM_BR_EDR_RESPONDER_W4_PAIRING_REQUEST: 4830 if (sm_pdu_code != SM_CODE_PAIRING_REQUEST){ 4831 sm_pdu_received_in_wrong_state(sm_conn); 4832 break; 4833 } 4834 // store pairing request 4835 (void)memcpy(&sm_conn->sm_m_preq, packet, sizeof(sm_pairing_packet_t)); 4836 // validate encryption key size 4837 sm_conn->sm_actual_encryption_key_size = sm_calc_actual_encryption_key_size(sm_pairing_packet_get_max_encryption_key_size(sm_conn->sm_m_preq)); 4838 // SC Only mandates 128 bit key size 4839 if (sm_sc_only_mode && (sm_conn->sm_actual_encryption_key_size < 16)) { 4840 sm_conn->sm_actual_encryption_key_size = 0; 4841 } 4842 if (sm_conn->sm_actual_encryption_key_size == 0){ 4843 sm_pairing_error(sm_conn, SM_REASON_ENCRYPTION_KEY_SIZE); 4844 break; 4845 } 4846 // trigger response 4847 if (sm_ctkd_from_classic(sm_conn)){ 4848 sm_conn->sm_engine_state = SM_BR_EDR_RESPONDER_PAIRING_REQUEST_RECEIVED; 4849 } else { 4850 sm_pairing_error(sm_conn, SM_REASON_CROSS_TRANSPORT_KEY_DERIVATION_NOT_ALLOWED); 4851 } 4852 break; 4853 4854 case SM_BR_EDR_RECEIVE_KEYS: 4855 switch(sm_pdu_code){ 4856 case SM_CODE_IDENTITY_INFORMATION: 4857 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_IDENTITY_INFORMATION; 4858 reverse_128(&packet[1], setup->sm_peer_irk); 4859 break; 4860 case SM_CODE_IDENTITY_ADDRESS_INFORMATION: 4861 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION; 4862 setup->sm_peer_addr_type = packet[1]; 4863 reverse_bd_addr(&packet[2], setup->sm_peer_address); 4864 break; 4865 case SM_CODE_SIGNING_INFORMATION: 4866 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION; 4867 reverse_128(&packet[1], setup->sm_peer_csrk); 4868 break; 4869 default: 4870 // Unexpected PDU 4871 log_info("Unexpected PDU %u in SM_PH3_RECEIVE_KEYS", packet[0]); 4872 break; 4873 } 4874 4875 // all keys received 4876 if (sm_key_distribution_all_received()){ 4877 if (IS_RESPONDER(sm_conn->sm_role)){ 4878 // responder -> keys exchanged, derive LE LTK 4879 sm_ctkd_start_from_br_edr(sm_conn); 4880 } else { 4881 // initiator -> send our keys if any 4882 sm_conn->sm_engine_state = SM_BR_EDR_DISTRIBUTE_KEYS; 4883 } 4884 } 4885 break; 4886 #endif 4887 4888 default: 4889 // Unexpected PDU 4890 log_info("Unexpected PDU %u in state %u", packet[0], sm_conn->sm_engine_state); 4891 sm_pdu_received_in_wrong_state(sm_conn); 4892 break; 4893 } 4894 4895 // try to send next pdu 4896 sm_trigger_run(); 4897 } 4898 4899 // Security Manager Client API 4900 void sm_register_oob_data_callback( int (*get_oob_data_callback)(uint8_t address_type, bd_addr_t addr, uint8_t * oob_data)){ 4901 sm_get_oob_data = get_oob_data_callback; 4902 } 4903 4904 void sm_register_sc_oob_data_callback( int (*get_sc_oob_data_callback)(uint8_t address_type, bd_addr_t addr, uint8_t * oob_sc_peer_confirm, uint8_t * oob_sc_peer_random)){ 4905 sm_get_sc_oob_data = get_sc_oob_data_callback; 4906 } 4907 4908 void sm_register_ltk_callback( bool (*get_ltk_callback)(hci_con_handle_t con_handle, uint8_t address_type, bd_addr_t addr, uint8_t * ltk)){ 4909 sm_get_ltk_callback = get_ltk_callback; 4910 } 4911 4912 void sm_add_event_handler(btstack_packet_callback_registration_t * callback_handler){ 4913 btstack_linked_list_add_tail(&sm_event_handlers, (btstack_linked_item_t*) callback_handler); 4914 } 4915 4916 void sm_remove_event_handler(btstack_packet_callback_registration_t * callback_handler){ 4917 btstack_linked_list_remove(&sm_event_handlers, (btstack_linked_item_t*) callback_handler); 4918 } 4919 4920 void sm_set_accepted_stk_generation_methods(uint8_t accepted_stk_generation_methods){ 4921 sm_accepted_stk_generation_methods = accepted_stk_generation_methods; 4922 } 4923 4924 void sm_set_encryption_key_size_range(uint8_t min_size, uint8_t max_size){ 4925 sm_min_encryption_key_size = min_size; 4926 sm_max_encryption_key_size = max_size; 4927 } 4928 4929 void sm_set_authentication_requirements(uint8_t auth_req){ 4930 #ifndef ENABLE_LE_SECURE_CONNECTIONS 4931 if (auth_req & SM_AUTHREQ_SECURE_CONNECTION){ 4932 log_error("ENABLE_LE_SECURE_CONNECTIONS not defined, but requested by app. Dropping SC flag"); 4933 auth_req &= ~SM_AUTHREQ_SECURE_CONNECTION; 4934 } 4935 #endif 4936 sm_auth_req = auth_req; 4937 } 4938 4939 void sm_set_io_capabilities(io_capability_t io_capability){ 4940 sm_io_capabilities = io_capability; 4941 } 4942 4943 #ifdef ENABLE_LE_PERIPHERAL 4944 void sm_set_request_security(int enable){ 4945 sm_slave_request_security = enable; 4946 } 4947 #endif 4948 4949 void sm_set_er(sm_key_t er){ 4950 (void)memcpy(sm_persistent_er, er, 16); 4951 } 4952 4953 void sm_set_ir(sm_key_t ir){ 4954 (void)memcpy(sm_persistent_ir, ir, 16); 4955 } 4956 4957 // Testing support only 4958 void sm_test_set_irk(sm_key_t irk){ 4959 (void)memcpy(sm_persistent_irk, irk, 16); 4960 dkg_state = DKG_CALC_DHK; 4961 test_use_fixed_local_irk = true; 4962 } 4963 4964 void sm_test_use_fixed_local_csrk(void){ 4965 test_use_fixed_local_csrk = true; 4966 } 4967 4968 #ifdef ENABLE_LE_SECURE_CONNECTIONS 4969 static void sm_ec_generated(void * arg){ 4970 UNUSED(arg); 4971 ec_key_generation_state = EC_KEY_GENERATION_DONE; 4972 // trigger pairing if pending for ec key 4973 sm_trigger_run(); 4974 } 4975 static void sm_ec_generate_new_key(void) { 4976 log_info("sm: generate new ec key"); 4977 #ifdef ENABLE_LE_SECURE_CONNECTIONS_DEBUG_KEY 4978 // LE Secure Connections Debug Key 4979 const uint8_t debug_key_public[64] = { 4980 0x20, 0xb0, 0x03, 0xd2, 0xf2, 0x97, 0xbe, 0x2c, 0x5e, 0x2c, 0x83, 0xa7, 0xe9, 0xf9, 0xa5, 0xb9, 4981 0xef, 0xf4, 0x91, 0x11, 0xac, 0xf4, 0xfd, 0xdb, 0xcc, 0x03, 0x01, 0x48, 0x0e, 0x35, 0x9d, 0xe6, 4982 0xdc, 0x80, 0x9c, 0x49, 0x65, 0x2a, 0xeb, 0x6d, 0x63, 0x32, 0x9a, 0xbf, 0x5a, 0x52, 0x15, 0x5c, 4983 0x76, 0x63, 0x45, 0xc2, 0x8f, 0xed, 0x30, 0x24, 0x74, 0x1c, 0x8e, 0xd0, 0x15, 0x89, 0xd2, 0x8b 4984 }; 4985 const uint8_t debug_key_private[32] = { 4986 0x3f, 0x49, 0xf6, 0xd4, 0xa3, 0xc5, 0x5f, 0x38, 0x74, 0xc9, 0xb3, 0xe3, 0xd2, 0x10, 0x3f, 0x50, 4987 0x4a, 0xff, 0x60, 0x7b, 0xeb, 0x40, 0xb7, 0x99, 0x58, 0x99, 0xb8, 0xa6, 0xcd, 0x3c, 0x1a, 0xbd 4988 }; 4989 if (sm_sc_debug_keys_enabled) { 4990 memcpy(ec_q, debug_key_public, 64); 4991 btstack_crypto_ecc_p256_set_key(debug_key_public, debug_key_private); 4992 ec_key_generation_state = EC_KEY_GENERATION_DONE; 4993 } else 4994 #endif 4995 { 4996 ec_key_generation_state = EC_KEY_GENERATION_ACTIVE; 4997 btstack_crypto_ecc_p256_generate_key(&sm_crypto_ecc_p256_request, ec_q, &sm_ec_generated, NULL); 4998 } 4999 } 5000 #endif 5001 5002 #ifdef ENABLE_TESTING_SUPPORT 5003 void sm_test_set_pairing_failure(int reason){ 5004 test_pairing_failure = reason; 5005 } 5006 #endif 5007 5008 static void sm_state_reset(void) { 5009 #ifdef USE_CMAC_ENGINE 5010 sm_cmac_active = 0; 5011 #endif 5012 dkg_state = DKG_W4_WORKING; 5013 rau_state = RAU_IDLE; 5014 sm_aes128_state = SM_AES128_IDLE; 5015 sm_address_resolution_test = -1; // no private address to resolve yet 5016 sm_address_resolution_mode = ADDRESS_RESOLUTION_IDLE; 5017 sm_address_resolution_general_queue = NULL; 5018 sm_active_connection_handle = HCI_CON_HANDLE_INVALID; 5019 sm_persistent_keys_random_active = false; 5020 #ifdef ENABLE_LE_SECURE_CONNECTIONS 5021 ec_key_generation_state = EC_KEY_GENERATION_IDLE; 5022 #endif 5023 } 5024 5025 void sm_init(void){ 5026 5027 if (sm_initialized) return; 5028 5029 // set default ER and IR values (should be unique - set by app or sm later using TLV) 5030 sm_er_ir_set_default(); 5031 5032 // defaults 5033 sm_accepted_stk_generation_methods = SM_STK_GENERATION_METHOD_JUST_WORKS 5034 | SM_STK_GENERATION_METHOD_OOB 5035 | SM_STK_GENERATION_METHOD_PASSKEY 5036 | SM_STK_GENERATION_METHOD_NUMERIC_COMPARISON; 5037 5038 sm_max_encryption_key_size = 16; 5039 sm_min_encryption_key_size = 7; 5040 5041 sm_fixed_passkey_in_display_role = 0xffffffffU; 5042 sm_reconstruct_ltk_without_le_device_db_entry = true; 5043 5044 gap_random_adress_update_period = 15 * 60 * 1000L; 5045 5046 test_use_fixed_local_csrk = false; 5047 5048 // other 5049 btstack_run_loop_set_timer_handler(&sm_run_timer, &sm_run_timer_handler); 5050 5051 // register for HCI Events 5052 hci_event_callback_registration.callback = &sm_event_packet_handler; 5053 hci_add_event_handler(&hci_event_callback_registration); 5054 5055 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 5056 // register for L2CAP events 5057 l2cap_event_callback_registration.callback = &sm_event_packet_handler; 5058 l2cap_add_event_handler(&l2cap_event_callback_registration); 5059 #endif 5060 5061 // 5062 btstack_crypto_init(); 5063 5064 // init le_device_db 5065 le_device_db_init(); 5066 5067 // and L2CAP PDUs + L2CAP_EVENT_CAN_SEND_NOW 5068 l2cap_register_fixed_channel(sm_pdu_handler, L2CAP_CID_SECURITY_MANAGER_PROTOCOL); 5069 #ifdef ENABLE_CLASSIC 5070 l2cap_register_fixed_channel(sm_pdu_handler, L2CAP_CID_BR_EDR_SECURITY_MANAGER); 5071 #endif 5072 5073 // state 5074 sm_state_reset(); 5075 5076 sm_initialized = true; 5077 } 5078 5079 void sm_deinit(void){ 5080 sm_initialized = false; 5081 btstack_run_loop_remove_timer(&sm_run_timer); 5082 #if defined(ENABLE_LE_SECURE_CONNECTIONS) && defined (ENABLE_LE_SECURE_CONNECTION_DEBUG_KEY) 5083 sm_sc_debug_keys_enabled = false; 5084 #endif 5085 } 5086 5087 void sm_use_fixed_passkey_in_display_role(uint32_t passkey){ 5088 sm_fixed_passkey_in_display_role = passkey; 5089 } 5090 5091 void sm_allow_ltk_reconstruction_without_le_device_db_entry(int allow){ 5092 sm_reconstruct_ltk_without_le_device_db_entry = allow != 0; 5093 } 5094 5095 static sm_connection_t * sm_get_connection_for_handle(hci_con_handle_t con_handle){ 5096 hci_connection_t * hci_con = hci_connection_for_handle(con_handle); 5097 if (!hci_con) return NULL; 5098 return &hci_con->sm_connection; 5099 } 5100 5101 static void sm_cache_ltk(sm_connection_t * connection, const sm_key_t ltk){ 5102 hci_connection_t * hci_con = hci_connection_for_handle(connection->sm_handle); 5103 btstack_assert(hci_con != NULL); 5104 memcpy(hci_con->link_key, ltk, 16); 5105 hci_con->link_key_type = 1; 5106 } 5107 5108 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 5109 static sm_connection_t * sm_get_connection_for_bd_addr_and_type(bd_addr_t address, bd_addr_type_t addr_type){ 5110 hci_connection_t * hci_con = hci_connection_for_bd_addr_and_type(address, addr_type); 5111 if (!hci_con) return NULL; 5112 return &hci_con->sm_connection; 5113 } 5114 #endif 5115 5116 // @deprecated: map onto sm_request_pairing 5117 void sm_send_security_request(hci_con_handle_t con_handle){ 5118 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 5119 if (!sm_conn) return; 5120 if (!IS_RESPONDER(sm_conn->sm_role)) return; 5121 sm_request_pairing(con_handle); 5122 } 5123 5124 // request pairing 5125 void sm_request_pairing(hci_con_handle_t con_handle){ 5126 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 5127 if (!sm_conn) return; // wrong connection 5128 5129 bool have_ltk; 5130 uint8_t ltk[16]; 5131 bool auth_required; 5132 int authenticated; 5133 bool trigger_reencryption; 5134 log_info("sm_request_pairing in role %u, state %u", sm_conn->sm_role, sm_conn->sm_engine_state); 5135 if (IS_RESPONDER(sm_conn->sm_role)){ 5136 switch (sm_conn->sm_engine_state){ 5137 case SM_GENERAL_IDLE: 5138 case SM_RESPONDER_IDLE: 5139 switch (sm_conn->sm_irk_lookup_state){ 5140 case IRK_LOOKUP_SUCCEEDED: 5141 le_device_db_encryption_get(sm_conn->sm_le_db_index, NULL, NULL, ltk, NULL, NULL, NULL, NULL); 5142 have_ltk = !sm_is_null_key(ltk); 5143 log_info("have ltk %u", have_ltk); 5144 if (have_ltk){ 5145 sm_conn->sm_pairing_requested = 1; 5146 sm_conn->sm_engine_state = SM_RESPONDER_SEND_SECURITY_REQUEST; 5147 sm_reencryption_started(sm_conn); 5148 break; 5149 } 5150 /* fall through */ 5151 5152 case IRK_LOOKUP_FAILED: 5153 sm_conn->sm_pairing_requested = 1; 5154 sm_conn->sm_engine_state = SM_RESPONDER_SEND_SECURITY_REQUEST; 5155 sm_pairing_started(sm_conn); 5156 break; 5157 default: 5158 log_info("irk lookup pending"); 5159 sm_conn->sm_pairing_requested = 1; 5160 break; 5161 } 5162 break; 5163 default: 5164 break; 5165 } 5166 } else { 5167 // used as a trigger to start central/master/initiator security procedures 5168 switch (sm_conn->sm_engine_state){ 5169 case SM_INITIATOR_CONNECTED: 5170 switch (sm_conn->sm_irk_lookup_state){ 5171 case IRK_LOOKUP_SUCCEEDED: 5172 le_device_db_encryption_get(sm_conn->sm_le_db_index, NULL, NULL, ltk, NULL, &authenticated, NULL, NULL); 5173 have_ltk = !sm_is_null_key(ltk); 5174 auth_required = sm_auth_req & SM_AUTHREQ_MITM_PROTECTION; 5175 // re-encrypt is sufficient if we have ltk and that is either already authenticated or we don't require authentication 5176 trigger_reencryption = have_ltk && ((authenticated != 0) || (auth_required == false)); 5177 log_info("have ltk %u, authenticated %u, auth required %u => reencrypt %u", have_ltk, authenticated, auth_required, trigger_reencryption); 5178 if (trigger_reencryption){ 5179 sm_conn->sm_pairing_requested = 1; 5180 sm_conn->sm_engine_state = SM_INITIATOR_PH4_HAS_LTK; 5181 break; 5182 } 5183 /* fall through */ 5184 5185 case IRK_LOOKUP_FAILED: 5186 sm_conn->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 5187 break; 5188 default: 5189 log_info("irk lookup pending"); 5190 sm_conn->sm_pairing_requested = 1; 5191 break; 5192 } 5193 break; 5194 case SM_GENERAL_REENCRYPTION_FAILED: 5195 sm_conn->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 5196 break; 5197 case SM_GENERAL_IDLE: 5198 sm_conn->sm_pairing_requested = 1; 5199 break; 5200 default: 5201 break; 5202 } 5203 } 5204 sm_trigger_run(); 5205 } 5206 5207 // called by client app on authorization request 5208 void sm_authorization_decline(hci_con_handle_t con_handle){ 5209 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 5210 if (!sm_conn) return; // wrong connection 5211 sm_conn->sm_connection_authorization_state = AUTHORIZATION_DECLINED; 5212 sm_notify_client_status(SM_EVENT_AUTHORIZATION_RESULT, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address, 0); 5213 } 5214 5215 void sm_authorization_grant(hci_con_handle_t con_handle){ 5216 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 5217 if (!sm_conn) return; // wrong connection 5218 sm_conn->sm_connection_authorization_state = AUTHORIZATION_GRANTED; 5219 sm_notify_client_status(SM_EVENT_AUTHORIZATION_RESULT, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address, 1); 5220 } 5221 5222 // GAP Bonding API 5223 5224 void sm_bonding_decline(hci_con_handle_t con_handle){ 5225 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 5226 if (!sm_conn) return; // wrong connection 5227 setup->sm_user_response = SM_USER_RESPONSE_DECLINE; 5228 log_info("decline, state %u", sm_conn->sm_engine_state); 5229 switch(sm_conn->sm_engine_state){ 5230 #ifdef ENABLE_LE_SECURE_CONNECTIONS 5231 case SM_SC_W4_USER_RESPONSE: 5232 case SM_SC_W4_CONFIRMATION: 5233 case SM_SC_W4_PUBLIC_KEY_COMMAND: 5234 #endif 5235 case SM_PH1_W4_USER_RESPONSE: 5236 switch (setup->sm_stk_generation_method){ 5237 case PK_RESP_INPUT: 5238 case PK_INIT_INPUT: 5239 case PK_BOTH_INPUT: 5240 sm_pairing_error(sm_conn, SM_REASON_PASSKEY_ENTRY_FAILED); 5241 break; 5242 case NUMERIC_COMPARISON: 5243 sm_pairing_error(sm_conn, SM_REASON_NUMERIC_COMPARISON_FAILED); 5244 break; 5245 case JUST_WORKS: 5246 case OOB: 5247 sm_pairing_error(sm_conn, SM_REASON_UNSPECIFIED_REASON); 5248 break; 5249 default: 5250 btstack_assert(false); 5251 break; 5252 } 5253 break; 5254 default: 5255 break; 5256 } 5257 sm_trigger_run(); 5258 } 5259 5260 void sm_just_works_confirm(hci_con_handle_t con_handle){ 5261 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 5262 if (!sm_conn) return; // wrong connection 5263 setup->sm_user_response = SM_USER_RESPONSE_CONFIRM; 5264 if (sm_conn->sm_engine_state == SM_PH1_W4_USER_RESPONSE){ 5265 if (setup->sm_use_secure_connections){ 5266 sm_conn->sm_engine_state = SM_SC_SEND_PUBLIC_KEY_COMMAND; 5267 } else { 5268 btstack_crypto_random_generate(&sm_crypto_random_request, setup->sm_local_random, 16, &sm_handle_random_result_ph2_random, (void *)(uintptr_t) sm_conn->sm_handle); 5269 } 5270 } 5271 5272 #ifdef ENABLE_LE_SECURE_CONNECTIONS 5273 if (sm_conn->sm_engine_state == SM_SC_W4_USER_RESPONSE){ 5274 sm_sc_prepare_dhkey_check(sm_conn); 5275 } 5276 #endif 5277 5278 sm_trigger_run(); 5279 } 5280 5281 void sm_numeric_comparison_confirm(hci_con_handle_t con_handle){ 5282 // for now, it's the same 5283 sm_just_works_confirm(con_handle); 5284 } 5285 5286 void sm_passkey_input(hci_con_handle_t con_handle, uint32_t passkey){ 5287 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 5288 if (!sm_conn) return; // wrong connection 5289 sm_reset_tk(); 5290 big_endian_store_32(setup->sm_tk, 12, passkey); 5291 setup->sm_user_response = SM_USER_RESPONSE_PASSKEY; 5292 if (sm_conn->sm_engine_state == SM_PH1_W4_USER_RESPONSE){ 5293 btstack_crypto_random_generate(&sm_crypto_random_request, setup->sm_local_random, 16, &sm_handle_random_result_ph2_random, (void *)(uintptr_t) sm_conn->sm_handle); 5294 } 5295 #ifdef ENABLE_LE_SECURE_CONNECTIONS 5296 (void)memcpy(setup->sm_ra, setup->sm_tk, 16); 5297 (void)memcpy(setup->sm_rb, setup->sm_tk, 16); 5298 if (sm_conn->sm_engine_state == SM_SC_W4_USER_RESPONSE){ 5299 sm_sc_start_calculating_local_confirm(sm_conn); 5300 } 5301 #endif 5302 sm_trigger_run(); 5303 } 5304 5305 void sm_keypress_notification(hci_con_handle_t con_handle, uint8_t action){ 5306 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 5307 if (!sm_conn) return; // wrong connection 5308 if (action > SM_KEYPRESS_PASSKEY_ENTRY_COMPLETED) return; 5309 uint8_t num_actions = setup->sm_keypress_notification >> 5; 5310 uint8_t flags = setup->sm_keypress_notification & 0x1fu; 5311 switch (action){ 5312 case SM_KEYPRESS_PASSKEY_ENTRY_STARTED: 5313 case SM_KEYPRESS_PASSKEY_ENTRY_COMPLETED: 5314 flags |= (1u << action); 5315 break; 5316 case SM_KEYPRESS_PASSKEY_CLEARED: 5317 // clear counter, keypress & erased flags + set passkey cleared 5318 flags = (flags & 0x19u) | (1u << SM_KEYPRESS_PASSKEY_CLEARED); 5319 break; 5320 case SM_KEYPRESS_PASSKEY_DIGIT_ENTERED: 5321 if (flags & (1u << SM_KEYPRESS_PASSKEY_DIGIT_ERASED)){ 5322 // erase actions queued 5323 num_actions--; 5324 if (num_actions == 0u){ 5325 // clear counter, keypress & erased flags 5326 flags &= 0x19u; 5327 } 5328 break; 5329 } 5330 num_actions++; 5331 flags |= (1u << SM_KEYPRESS_PASSKEY_DIGIT_ENTERED); 5332 break; 5333 case SM_KEYPRESS_PASSKEY_DIGIT_ERASED: 5334 if (flags & (1u << SM_KEYPRESS_PASSKEY_DIGIT_ENTERED)){ 5335 // enter actions queued 5336 num_actions--; 5337 if (num_actions == 0u){ 5338 // clear counter, keypress & erased flags 5339 flags &= 0x19u; 5340 } 5341 break; 5342 } 5343 num_actions++; 5344 flags |= (1u << SM_KEYPRESS_PASSKEY_DIGIT_ERASED); 5345 break; 5346 default: 5347 break; 5348 } 5349 setup->sm_keypress_notification = (num_actions << 5) | flags; 5350 sm_trigger_run(); 5351 } 5352 5353 #ifdef ENABLE_LE_SECURE_CONNECTIONS 5354 static void sm_handle_random_result_oob(void * arg){ 5355 UNUSED(arg); 5356 sm_sc_oob_state = SM_SC_OOB_W2_CALC_CONFIRM; 5357 sm_trigger_run(); 5358 } 5359 uint8_t sm_generate_sc_oob_data(void (*callback)(const uint8_t * confirm_value, const uint8_t * random_value)){ 5360 5361 static btstack_crypto_random_t sm_crypto_random_oob_request; 5362 5363 if (sm_sc_oob_state != SM_SC_OOB_IDLE) return ERROR_CODE_COMMAND_DISALLOWED; 5364 sm_sc_oob_callback = callback; 5365 sm_sc_oob_state = SM_SC_OOB_W4_RANDOM; 5366 btstack_crypto_random_generate(&sm_crypto_random_oob_request, sm_sc_oob_random, 16, &sm_handle_random_result_oob, NULL); 5367 return 0; 5368 } 5369 #endif 5370 5371 /** 5372 * @brief Get Identity Resolving state 5373 * @param con_handle 5374 * @return irk_lookup_state_t 5375 */ 5376 irk_lookup_state_t sm_identity_resolving_state(hci_con_handle_t con_handle){ 5377 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 5378 if (!sm_conn) return IRK_LOOKUP_IDLE; 5379 return sm_conn->sm_irk_lookup_state; 5380 } 5381 5382 /** 5383 * @brief Identify device in LE Device DB 5384 * @param handle 5385 * @return index from le_device_db or -1 if not found/identified 5386 */ 5387 int sm_le_device_index(hci_con_handle_t con_handle ){ 5388 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 5389 if (!sm_conn) return -1; 5390 return sm_conn->sm_le_db_index; 5391 } 5392 5393 uint8_t sm_get_ltk(hci_con_handle_t con_handle, sm_key_t ltk){ 5394 hci_connection_t * hci_connection = hci_connection_for_handle(con_handle); 5395 if (hci_connection == NULL){ 5396 return ERROR_CODE_UNKNOWN_CONNECTION_IDENTIFIER; 5397 } 5398 if (hci_connection->link_key_type == 0){ 5399 return ERROR_CODE_PIN_OR_KEY_MISSING; 5400 } 5401 memcpy(ltk, hci_connection->link_key, 16); 5402 return ERROR_CODE_SUCCESS; 5403 } 5404 5405 static int gap_random_address_type_requires_updates(void){ 5406 switch (gap_random_adress_type){ 5407 case GAP_RANDOM_ADDRESS_TYPE_OFF: 5408 case GAP_RANDOM_ADDRESS_TYPE_STATIC: 5409 return 0; 5410 default: 5411 return 1; 5412 } 5413 } 5414 5415 static uint8_t own_address_type(void){ 5416 switch (gap_random_adress_type){ 5417 case GAP_RANDOM_ADDRESS_TYPE_OFF: 5418 return BD_ADDR_TYPE_LE_PUBLIC; 5419 default: 5420 return BD_ADDR_TYPE_LE_RANDOM; 5421 } 5422 } 5423 5424 // GAP LE API 5425 void gap_random_address_set_mode(gap_random_address_type_t random_address_type){ 5426 gap_random_address_update_stop(); 5427 gap_random_adress_type = random_address_type; 5428 hci_le_set_own_address_type(own_address_type()); 5429 if (!gap_random_address_type_requires_updates()) return; 5430 gap_random_address_update_start(); 5431 gap_random_address_trigger(); 5432 } 5433 5434 gap_random_address_type_t gap_random_address_get_mode(void){ 5435 return gap_random_adress_type; 5436 } 5437 5438 void gap_random_address_set_update_period(int period_ms){ 5439 gap_random_adress_update_period = period_ms; 5440 if (!gap_random_address_type_requires_updates()) return; 5441 gap_random_address_update_stop(); 5442 gap_random_address_update_start(); 5443 } 5444 5445 void gap_random_address_set(const bd_addr_t addr){ 5446 gap_random_address_set_mode(GAP_RANDOM_ADDRESS_TYPE_STATIC); 5447 (void)memcpy(sm_random_address, addr, 6); 5448 // assert msb bits are set to '11' 5449 sm_random_address[0] |= 0xc0; 5450 hci_le_random_address_set(sm_random_address); 5451 } 5452 5453 #ifdef ENABLE_LE_PERIPHERAL 5454 /* 5455 * @brief Set Advertisement Paramters 5456 * @param adv_int_min 5457 * @param adv_int_max 5458 * @param adv_type 5459 * @param direct_address_type 5460 * @param direct_address 5461 * @param channel_map 5462 * @param filter_policy 5463 * 5464 * @note own_address_type is used from gap_random_address_set_mode 5465 */ 5466 void gap_advertisements_set_params(uint16_t adv_int_min, uint16_t adv_int_max, uint8_t adv_type, 5467 uint8_t direct_address_typ, bd_addr_t direct_address, uint8_t channel_map, uint8_t filter_policy){ 5468 hci_le_advertisements_set_params(adv_int_min, adv_int_max, adv_type, 5469 direct_address_typ, direct_address, channel_map, filter_policy); 5470 } 5471 #endif 5472 5473 int gap_reconnect_security_setup_active(hci_con_handle_t con_handle){ 5474 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 5475 // wrong connection 5476 if (!sm_conn) return 0; 5477 // already encrypted 5478 if (sm_conn->sm_connection_encrypted) return 0; 5479 // irk status? 5480 switch(sm_conn->sm_irk_lookup_state){ 5481 case IRK_LOOKUP_FAILED: 5482 // done, cannot setup encryption 5483 return 0; 5484 case IRK_LOOKUP_SUCCEEDED: 5485 break; 5486 default: 5487 // IR Lookup pending 5488 return 1; 5489 } 5490 // IRK Lookup Succeeded, re-encryption should be initiated. When done, state gets reset or indicates failure 5491 if (sm_conn->sm_engine_state == SM_GENERAL_REENCRYPTION_FAILED) return 0; 5492 if (sm_conn->sm_role){ 5493 return sm_conn->sm_engine_state != SM_RESPONDER_IDLE; 5494 } else { 5495 return sm_conn->sm_engine_state != SM_INITIATOR_CONNECTED; 5496 } 5497 } 5498 5499 void sm_set_secure_connections_only_mode(bool enable){ 5500 #ifdef ENABLE_LE_SECURE_CONNECTIONS 5501 sm_sc_only_mode = enable; 5502 #else 5503 // SC Only mode not possible without support for SC 5504 btstack_assert(enable == false); 5505 #endif 5506 } 5507 5508 #if defined(ENABLE_LE_SECURE_CONNECTIONS) && defined (ENABLE_LE_SECURE_CONNECTION_DEBUG_KEY) 5509 void sm_test_enable_secure_connections_debug_keys(void) { 5510 log_info("Enable LE Secure Connection Debug Keys for testing"); 5511 sm_sc_debug_keys_enabled = true; 5512 // set debug key 5513 sm_ec_generate_new_key(); 5514 } 5515 #endif 5516 5517 const uint8_t * gap_get_persistent_irk(void){ 5518 return sm_persistent_irk; 5519 } 5520 5521 void gap_delete_bonding(bd_addr_type_t address_type, bd_addr_t address){ 5522 int index = sm_le_device_db_index_lookup(address_type, address); 5523 if (index >= 0){ 5524 sm_remove_le_device_db_entry(index); 5525 } 5526 } 5527