1 /* 2 * Copyright (C) 2014 BlueKitchen GmbH 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of the copyright holders nor the names of 14 * contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 4. Any redistribution, use, or modification is done solely for 17 * personal benefit and not for any commercial purpose or for 18 * monetary gain. 19 * 20 * THIS SOFTWARE IS PROVIDED BY BLUEKITCHEN GMBH AND CONTRIBUTORS 21 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 23 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BLUEKITCHEN 24 * GMBH OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 26 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS 27 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 28 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF 30 * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 * 33 * Please inquire about commercial licensing options at 34 * [email protected] 35 * 36 */ 37 38 #define BTSTACK_FILE__ "sm.c" 39 40 #include <string.h> 41 #include <inttypes.h> 42 43 #include "ble/le_device_db.h" 44 #include "ble/core.h" 45 #include "ble/sm.h" 46 #include "bluetooth_company_id.h" 47 #include "btstack_bool.h" 48 #include "btstack_crypto.h" 49 #include "btstack_debug.h" 50 #include "btstack_event.h" 51 #include "btstack_linked_list.h" 52 #include "btstack_memory.h" 53 #include "btstack_tlv.h" 54 #include "gap.h" 55 #include "hci.h" 56 #include "hci_dump.h" 57 #include "l2cap.h" 58 59 #if !defined(ENABLE_LE_PERIPHERAL) && !defined(ENABLE_LE_CENTRAL) 60 #error "LE Security Manager used, but neither ENABLE_LE_PERIPHERAL nor ENABLE_LE_CENTRAL defined. Please add at least one to btstack_config.h." 61 #endif 62 63 #if defined(ENABLE_CROSS_TRANSPORT_KEY_DERIVATION) && (!defined(ENABLE_CLASSIC) || !defined(ENABLE_LE_SECURE_CONNECTIONS)) 64 #error "Cross Transport Key Derivation requires support for LE Secure Connections and BR/EDR (Classic)" 65 #endif 66 67 // assert SM Public Key can be sent/received 68 #ifdef ENABLE_LE_SECURE_CONNECTIONS 69 #if HCI_ACL_PAYLOAD_SIZE < 69 70 #error "HCI_ACL_PAYLOAD_SIZE must be at least 69 bytes when using LE Secure Conection. Please increase HCI_ACL_PAYLOAD_SIZE or disable ENABLE_LE_SECURE_CONNECTIONS" 71 #endif 72 #endif 73 74 #if defined(ENABLE_LE_PERIPHERAL) && defined(ENABLE_LE_CENTRAL) 75 #define IS_RESPONDER(role) ((role) == HCI_ROLE_SLAVE) 76 #else 77 #ifdef ENABLE_LE_CENTRAL 78 // only central - never responder (avoid 'unused variable' warnings) 79 #define IS_RESPONDER(role) (0 && ((role) == HCI_ROLE_SLAVE)) 80 #else 81 // only peripheral - always responder (avoid 'unused variable' warnings) 82 #define IS_RESPONDER(role) (1 || ((role) == HCI_ROLE_SLAVE)) 83 #endif 84 #endif 85 86 #if defined(ENABLE_LE_SIGNED_WRITE) || defined(ENABLE_LE_SECURE_CONNECTIONS) 87 #define USE_CMAC_ENGINE 88 #endif 89 90 91 #define BTSTACK_TAG32(A,B,C,D) (((A) << 24) | ((B) << 16) | ((C) << 8) | (D)) 92 93 // 94 // SM internal types and globals 95 // 96 97 typedef enum { 98 DKG_W4_WORKING, 99 DKG_CALC_IRK, 100 DKG_CALC_DHK, 101 DKG_READY 102 } derived_key_generation_t; 103 104 typedef enum { 105 RAU_IDLE, 106 RAU_GET_RANDOM, 107 RAU_W4_RANDOM, 108 RAU_GET_ENC, 109 RAU_W4_ENC, 110 } random_address_update_t; 111 112 typedef enum { 113 CMAC_IDLE, 114 CMAC_CALC_SUBKEYS, 115 CMAC_W4_SUBKEYS, 116 CMAC_CALC_MI, 117 CMAC_W4_MI, 118 CMAC_CALC_MLAST, 119 CMAC_W4_MLAST 120 } cmac_state_t; 121 122 typedef enum { 123 JUST_WORKS, 124 PK_RESP_INPUT, // Initiator displays PK, responder inputs PK 125 PK_INIT_INPUT, // Responder displays PK, initiator inputs PK 126 PK_BOTH_INPUT, // Only input on both, both input PK 127 NUMERIC_COMPARISON, // Only numerical compparison (yes/no) on on both sides 128 OOB // OOB available on one (SC) or both sides (legacy) 129 } stk_generation_method_t; 130 131 typedef enum { 132 SM_USER_RESPONSE_IDLE, 133 SM_USER_RESPONSE_PENDING, 134 SM_USER_RESPONSE_CONFIRM, 135 SM_USER_RESPONSE_PASSKEY, 136 SM_USER_RESPONSE_DECLINE 137 } sm_user_response_t; 138 139 typedef enum { 140 SM_AES128_IDLE, 141 SM_AES128_ACTIVE 142 } sm_aes128_state_t; 143 144 typedef enum { 145 ADDRESS_RESOLUTION_IDLE, 146 ADDRESS_RESOLUTION_GENERAL, 147 ADDRESS_RESOLUTION_FOR_CONNECTION, 148 } address_resolution_mode_t; 149 150 typedef enum { 151 ADDRESS_RESOLUTION_SUCCEEDED, 152 ADDRESS_RESOLUTION_FAILED, 153 } address_resolution_event_t; 154 155 typedef enum { 156 EC_KEY_GENERATION_IDLE, 157 EC_KEY_GENERATION_ACTIVE, 158 EC_KEY_GENERATION_DONE, 159 } ec_key_generation_state_t; 160 161 typedef enum { 162 SM_STATE_VAR_DHKEY_NEEDED = 1 << 0, 163 SM_STATE_VAR_DHKEY_CALCULATED = 1 << 1, 164 SM_STATE_VAR_DHKEY_COMMAND_RECEIVED = 1 << 2, 165 } sm_state_var_t; 166 167 typedef enum { 168 SM_SC_OOB_IDLE, 169 SM_SC_OOB_W4_RANDOM, 170 SM_SC_OOB_W2_CALC_CONFIRM, 171 SM_SC_OOB_W4_CONFIRM, 172 } sm_sc_oob_state_t; 173 174 typedef uint8_t sm_key24_t[3]; 175 typedef uint8_t sm_key56_t[7]; 176 typedef uint8_t sm_key256_t[32]; 177 178 // 179 // GLOBAL DATA 180 // 181 182 static bool sm_initialized; 183 184 static bool test_use_fixed_local_csrk; 185 static bool test_use_fixed_local_irk; 186 187 #ifdef ENABLE_TESTING_SUPPORT 188 static uint8_t test_pairing_failure; 189 #endif 190 191 // configuration 192 static uint8_t sm_accepted_stk_generation_methods; 193 static uint8_t sm_max_encryption_key_size; 194 static uint8_t sm_min_encryption_key_size; 195 static uint8_t sm_auth_req = 0; 196 static uint8_t sm_io_capabilities = IO_CAPABILITY_NO_INPUT_NO_OUTPUT; 197 static uint32_t sm_fixed_passkey_in_display_role; 198 static bool sm_reconstruct_ltk_without_le_device_db_entry; 199 200 #ifdef ENABLE_LE_PERIPHERAL 201 static bool sm_slave_request_security; 202 #endif 203 204 #ifdef ENABLE_LE_SECURE_CONNECTIONS 205 static bool sm_sc_only_mode; 206 static uint8_t sm_sc_oob_random[16]; 207 static void (*sm_sc_oob_callback)(const uint8_t * confirm_value, const uint8_t * random_value); 208 static sm_sc_oob_state_t sm_sc_oob_state; 209 #ifdef ENABLE_LE_SECURE_CONNECTIONS_DEBUG_KEY 210 static bool sm_sc_debug_keys_enabled; 211 #endif 212 #endif 213 214 215 static bool sm_persistent_keys_random_active; 216 static const btstack_tlv_t * sm_tlv_impl; 217 static void * sm_tlv_context; 218 219 // Security Manager Master Keys, please use sm_set_er(er) and sm_set_ir(ir) with your own 128 bit random values 220 static sm_key_t sm_persistent_er; 221 static sm_key_t sm_persistent_ir; 222 223 // derived from sm_persistent_ir 224 static sm_key_t sm_persistent_dhk; 225 static sm_key_t sm_persistent_irk; 226 static derived_key_generation_t dkg_state; 227 228 // derived from sm_persistent_er 229 // .. 230 231 // random address update 232 static random_address_update_t rau_state; 233 static bd_addr_t sm_random_address; 234 235 #ifdef USE_CMAC_ENGINE 236 // CMAC Calculation: General 237 static btstack_crypto_aes128_cmac_t sm_cmac_request; 238 static void (*sm_cmac_done_callback)(uint8_t hash[8]); 239 static uint8_t sm_cmac_active; 240 static uint8_t sm_cmac_hash[16]; 241 #endif 242 243 // CMAC for ATT Signed Writes 244 #ifdef ENABLE_LE_SIGNED_WRITE 245 static uint16_t sm_cmac_signed_write_message_len; 246 static uint8_t sm_cmac_signed_write_header[3]; 247 static const uint8_t * sm_cmac_signed_write_message; 248 static uint8_t sm_cmac_signed_write_sign_counter[4]; 249 #endif 250 251 // CMAC for Secure Connection functions 252 #ifdef ENABLE_LE_SECURE_CONNECTIONS 253 static sm_connection_t * sm_cmac_connection; 254 static uint8_t sm_cmac_sc_buffer[80]; 255 #endif 256 257 // resolvable private address lookup / CSRK calculation 258 static int sm_address_resolution_test; 259 static uint8_t sm_address_resolution_addr_type; 260 static bd_addr_t sm_address_resolution_address; 261 static void * sm_address_resolution_context; 262 static address_resolution_mode_t sm_address_resolution_mode; 263 static btstack_linked_list_t sm_address_resolution_general_queue; 264 265 // aes128 crypto engine. 266 static sm_aes128_state_t sm_aes128_state; 267 268 // crypto 269 static btstack_crypto_random_t sm_crypto_random_request; 270 static btstack_crypto_aes128_t sm_crypto_aes128_request; 271 #ifdef ENABLE_LE_SECURE_CONNECTIONS 272 static btstack_crypto_ecc_p256_t sm_crypto_ecc_p256_request; 273 #endif 274 275 // temp storage for random data 276 static uint8_t sm_random_data[8]; 277 static uint8_t sm_aes128_key[16]; 278 static uint8_t sm_aes128_plaintext[16]; 279 static uint8_t sm_aes128_ciphertext[16]; 280 281 // to receive events 282 static btstack_packet_callback_registration_t hci_event_callback_registration; 283 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 284 static btstack_packet_callback_registration_t l2cap_event_callback_registration; 285 #endif 286 287 /* to dispatch sm event */ 288 static btstack_linked_list_t sm_event_handlers; 289 290 /* to schedule calls to sm_run */ 291 static btstack_timer_source_t sm_run_timer; 292 293 // LE Secure Connections 294 #ifdef ENABLE_LE_SECURE_CONNECTIONS 295 static ec_key_generation_state_t ec_key_generation_state; 296 static uint8_t ec_q[64]; 297 #endif 298 299 // 300 // Volume 3, Part H, Chapter 24 301 // "Security shall be initiated by the Security Manager in the device in the master role. 302 // The device in the slave role shall be the responding device." 303 // -> master := initiator, slave := responder 304 // 305 306 // data needed for security setup 307 typedef struct sm_setup_context { 308 309 btstack_timer_source_t sm_timeout; 310 311 // user response, (Phase 1 and/or 2) 312 uint8_t sm_user_response; 313 uint8_t sm_keypress_notification; // bitmap: passkey started, digit entered, digit erased, passkey cleared, passkey complete, 3 bit count 314 315 // defines which keys will be send after connection is encrypted - calculated during Phase 1, used Phase 3 316 uint8_t sm_key_distribution_send_set; 317 uint8_t sm_key_distribution_sent_set; 318 uint8_t sm_key_distribution_expected_set; 319 uint8_t sm_key_distribution_received_set; 320 321 // Phase 2 (Pairing over SMP) 322 stk_generation_method_t sm_stk_generation_method; 323 sm_key_t sm_tk; 324 uint8_t sm_have_oob_data; 325 bool sm_use_secure_connections; 326 327 sm_key_t sm_c1_t3_value; // c1 calculation 328 sm_pairing_packet_t sm_m_preq; // pairing request - needed only for c1 329 sm_pairing_packet_t sm_s_pres; // pairing response - needed only for c1 330 sm_key_t sm_local_random; 331 sm_key_t sm_local_confirm; 332 sm_key_t sm_peer_random; 333 sm_key_t sm_peer_confirm; 334 uint8_t sm_m_addr_type; // address and type can be removed 335 uint8_t sm_s_addr_type; // '' 336 bd_addr_t sm_m_address; // '' 337 bd_addr_t sm_s_address; // '' 338 sm_key_t sm_ltk; 339 340 uint8_t sm_state_vars; 341 #ifdef ENABLE_LE_SECURE_CONNECTIONS 342 uint8_t sm_peer_q[64]; // also stores random for EC key generation during init 343 sm_key_t sm_peer_nonce; // might be combined with sm_peer_random 344 sm_key_t sm_local_nonce; // might be combined with sm_local_random 345 uint8_t sm_dhkey[32]; 346 sm_key_t sm_peer_dhkey_check; 347 sm_key_t sm_local_dhkey_check; 348 sm_key_t sm_ra; 349 sm_key_t sm_rb; 350 sm_key_t sm_t; // used for f5 and h6 351 sm_key_t sm_mackey; 352 uint8_t sm_passkey_bit; // also stores number of generated random bytes for EC key generation 353 #endif 354 355 // Phase 3 356 357 // key distribution, we generate 358 uint16_t sm_local_y; 359 uint16_t sm_local_div; 360 uint16_t sm_local_ediv; 361 uint8_t sm_local_rand[8]; 362 sm_key_t sm_local_ltk; 363 sm_key_t sm_local_csrk; 364 sm_key_t sm_local_irk; 365 // sm_local_address/addr_type not needed 366 367 // key distribution, received from peer 368 uint16_t sm_peer_y; 369 uint16_t sm_peer_div; 370 uint16_t sm_peer_ediv; 371 uint8_t sm_peer_rand[8]; 372 sm_key_t sm_peer_ltk; 373 sm_key_t sm_peer_irk; 374 sm_key_t sm_peer_csrk; 375 uint8_t sm_peer_addr_type; 376 bd_addr_t sm_peer_address; 377 #ifdef ENABLE_LE_SIGNED_WRITE 378 int sm_le_device_index; 379 #endif 380 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 381 link_key_t sm_link_key; 382 link_key_type_t sm_link_key_type; 383 #endif 384 } sm_setup_context_t; 385 386 // 387 static sm_setup_context_t the_setup; 388 static sm_setup_context_t * setup = &the_setup; 389 390 // active connection - the one for which the_setup is used for 391 static uint16_t sm_active_connection_handle = HCI_CON_HANDLE_INVALID; 392 393 // @return 1 if oob data is available 394 // stores oob data in provided 16 byte buffer if not null 395 static int (*sm_get_oob_data)(uint8_t addres_type, bd_addr_t addr, uint8_t * oob_data) = NULL; 396 static int (*sm_get_sc_oob_data)(uint8_t addres_type, bd_addr_t addr, uint8_t * oob_sc_peer_confirm, uint8_t * oob_sc_peer_random); 397 static bool (*sm_get_ltk_callback)(hci_con_handle_t con_handle, uint8_t addres_type, bd_addr_t addr, uint8_t * ltk); 398 399 static void sm_run(void); 400 static void sm_state_reset(void); 401 static void sm_done_for_handle(hci_con_handle_t con_handle); 402 static sm_connection_t * sm_get_connection_for_handle(hci_con_handle_t con_handle); 403 static void sm_cache_ltk(sm_connection_t * connection, const sm_key_t ltk); 404 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 405 static sm_connection_t * sm_get_connection_for_bd_addr_and_type(bd_addr_t address, bd_addr_type_t addr_type); 406 #endif 407 static inline int sm_calc_actual_encryption_key_size(int other); 408 static int sm_validate_stk_generation_method(void); 409 static void sm_handle_encryption_result_address_resolution(void *arg); 410 static void sm_handle_encryption_result_dkg_dhk(void *arg); 411 static void sm_handle_encryption_result_dkg_irk(void *arg); 412 static void sm_handle_encryption_result_enc_a(void *arg); 413 static void sm_handle_encryption_result_enc_b(void *arg); 414 static void sm_handle_encryption_result_enc_c(void *arg); 415 static void sm_handle_encryption_result_enc_csrk(void *arg); 416 static void sm_handle_encryption_result_enc_d(void * arg); 417 static void sm_handle_encryption_result_enc_ph3_ltk(void *arg); 418 static void sm_handle_encryption_result_enc_ph3_y(void *arg); 419 #ifdef ENABLE_LE_PERIPHERAL 420 static void sm_handle_encryption_result_enc_ph4_ltk(void *arg); 421 static void sm_handle_encryption_result_enc_ph4_y(void *arg); 422 #endif 423 static void sm_handle_encryption_result_enc_stk(void *arg); 424 static void sm_handle_encryption_result_rau(void *arg); 425 static void sm_handle_random_result_ph2_tk(void * arg); 426 static void sm_handle_random_result_rau(void * arg); 427 #ifdef ENABLE_LE_SECURE_CONNECTIONS 428 static void sm_cmac_message_start(const sm_key_t key, uint16_t message_len, const uint8_t * message, void (*done_callback)(uint8_t * hash)); 429 static void sm_ec_generate_new_key(void); 430 static void sm_handle_random_result_sc_next_w2_cmac_for_confirmation(void * arg); 431 static void sm_handle_random_result_sc_next_send_pairing_random(void * arg); 432 static bool sm_passkey_entry(stk_generation_method_t method); 433 #endif 434 static void sm_pairing_complete(sm_connection_t * sm_conn, uint8_t status, uint8_t reason); 435 436 static void log_info_hex16(const char * name, uint16_t value){ 437 log_info("%-6s 0x%04x", name, value); 438 } 439 440 // static inline uint8_t sm_pairing_packet_get_code(sm_pairing_packet_t packet){ 441 // return packet[0]; 442 // } 443 static inline uint8_t sm_pairing_packet_get_io_capability(sm_pairing_packet_t packet){ 444 return packet[1]; 445 } 446 static inline uint8_t sm_pairing_packet_get_oob_data_flag(sm_pairing_packet_t packet){ 447 return packet[2]; 448 } 449 static inline uint8_t sm_pairing_packet_get_auth_req(sm_pairing_packet_t packet){ 450 return packet[3]; 451 } 452 static inline uint8_t sm_pairing_packet_get_max_encryption_key_size(sm_pairing_packet_t packet){ 453 return packet[4]; 454 } 455 static inline uint8_t sm_pairing_packet_get_initiator_key_distribution(sm_pairing_packet_t packet){ 456 return packet[5]; 457 } 458 static inline uint8_t sm_pairing_packet_get_responder_key_distribution(sm_pairing_packet_t packet){ 459 return packet[6]; 460 } 461 462 static inline void sm_pairing_packet_set_code(sm_pairing_packet_t packet, uint8_t code){ 463 packet[0] = code; 464 } 465 static inline void sm_pairing_packet_set_io_capability(sm_pairing_packet_t packet, uint8_t io_capability){ 466 packet[1] = io_capability; 467 } 468 static inline void sm_pairing_packet_set_oob_data_flag(sm_pairing_packet_t packet, uint8_t oob_data_flag){ 469 packet[2] = oob_data_flag; 470 } 471 static inline void sm_pairing_packet_set_auth_req(sm_pairing_packet_t packet, uint8_t auth_req){ 472 packet[3] = auth_req; 473 } 474 static inline void sm_pairing_packet_set_max_encryption_key_size(sm_pairing_packet_t packet, uint8_t max_encryption_key_size){ 475 packet[4] = max_encryption_key_size; 476 } 477 static inline void sm_pairing_packet_set_initiator_key_distribution(sm_pairing_packet_t packet, uint8_t initiator_key_distribution){ 478 packet[5] = initiator_key_distribution; 479 } 480 static inline void sm_pairing_packet_set_responder_key_distribution(sm_pairing_packet_t packet, uint8_t responder_key_distribution){ 481 packet[6] = responder_key_distribution; 482 } 483 484 static bool sm_is_null_random(uint8_t random[8]){ 485 return btstack_is_null(random, 8); 486 } 487 488 static bool sm_is_null_key(uint8_t * key){ 489 return btstack_is_null(key, 16); 490 } 491 492 #ifdef ENABLE_LE_SECURE_CONNECTIONS 493 static bool sm_is_ff(const uint8_t * buffer, uint16_t size){ 494 uint16_t i; 495 for (i=0; i < size ; i++){ 496 if (buffer[i] != 0xff) { 497 return false; 498 } 499 } 500 return true; 501 } 502 #endif 503 504 // sm_trigger_run allows to schedule callback from main run loop // reduces stack depth 505 static void sm_run_timer_handler(btstack_timer_source_t * ts){ 506 UNUSED(ts); 507 sm_run(); 508 } 509 static void sm_trigger_run(void){ 510 if (!sm_initialized) return; 511 (void)btstack_run_loop_remove_timer(&sm_run_timer); 512 btstack_run_loop_set_timer(&sm_run_timer, 0); 513 btstack_run_loop_add_timer(&sm_run_timer); 514 } 515 516 // Key utils 517 static void sm_reset_tk(void){ 518 int i; 519 for (i=0;i<16;i++){ 520 setup->sm_tk[i] = 0; 521 } 522 } 523 524 // "For example, if a 128-bit encryption key is 0x123456789ABCDEF0123456789ABCDEF0 525 // and it is reduced to 7 octets (56 bits), then the resulting key is 0x0000000000000000003456789ABCDEF0."" 526 static void sm_truncate_key(sm_key_t key, int max_encryption_size){ 527 int i; 528 for (i = max_encryption_size ; i < 16 ; i++){ 529 key[15-i] = 0; 530 } 531 } 532 533 // ER / IR checks 534 static void sm_er_ir_set_default(void){ 535 int i; 536 for (i=0;i<16;i++){ 537 sm_persistent_er[i] = 0x30 + i; 538 sm_persistent_ir[i] = 0x90 + i; 539 } 540 } 541 542 static bool sm_er_is_default(void){ 543 int i; 544 for (i=0;i<16;i++){ 545 if (sm_persistent_er[i] != (0x30+i)) return true; 546 } 547 return false; 548 } 549 550 static bool sm_ir_is_default(void){ 551 int i; 552 for (i=0;i<16;i++){ 553 if (sm_persistent_ir[i] != (0x90+i)) return true; 554 } 555 return false; 556 } 557 558 static void sm_dispatch_event(uint8_t packet_type, uint16_t channel, uint8_t * packet, uint16_t size){ 559 UNUSED(channel); 560 561 // log event 562 hci_dump_packet(packet_type, 1, packet, size); 563 // dispatch to all event handlers 564 btstack_linked_list_iterator_t it; 565 btstack_linked_list_iterator_init(&it, &sm_event_handlers); 566 while (btstack_linked_list_iterator_has_next(&it)){ 567 btstack_packet_callback_registration_t * entry = (btstack_packet_callback_registration_t*) btstack_linked_list_iterator_next(&it); 568 entry->callback(packet_type, 0, packet, size); 569 } 570 } 571 572 static void sm_setup_event_base(uint8_t * event, int event_size, uint8_t type, hci_con_handle_t con_handle, uint8_t addr_type, bd_addr_t address){ 573 event[0] = type; 574 event[1] = event_size - 2; 575 little_endian_store_16(event, 2, con_handle); 576 event[4] = addr_type; 577 reverse_bd_addr(address, &event[5]); 578 } 579 580 static void sm_notify_client_base(uint8_t type, hci_con_handle_t con_handle, uint8_t addr_type, bd_addr_t address){ 581 uint8_t event[11]; 582 sm_setup_event_base(event, sizeof(event), type, con_handle, addr_type, address); 583 sm_dispatch_event(HCI_EVENT_PACKET, 0, event, sizeof(event)); 584 } 585 586 static void sm_notify_client_index(uint8_t type, hci_con_handle_t con_handle, uint8_t addr_type, bd_addr_t address, uint16_t index){ 587 // fetch addr and addr type from db, only called for valid entries 588 bd_addr_t identity_address; 589 int identity_address_type; 590 le_device_db_info(index, &identity_address_type, identity_address, NULL); 591 592 uint8_t event[20]; 593 sm_setup_event_base(event, sizeof(event), type, con_handle, addr_type, address); 594 event[11] = identity_address_type; 595 reverse_bd_addr(identity_address, &event[12]); 596 little_endian_store_16(event, 18, index); 597 sm_dispatch_event(HCI_EVENT_PACKET, 0, event, sizeof(event)); 598 } 599 600 static void sm_notify_client_status(uint8_t type, hci_con_handle_t con_handle, uint8_t addr_type, bd_addr_t address, uint8_t status){ 601 uint8_t event[12]; 602 sm_setup_event_base(event, sizeof(event), type, con_handle, addr_type, address); 603 event[11] = status; 604 sm_dispatch_event(HCI_EVENT_PACKET, 0, (uint8_t*) &event, sizeof(event)); 605 } 606 607 608 static void sm_reencryption_started(sm_connection_t * sm_conn){ 609 610 if (sm_conn->sm_reencryption_active) return; 611 612 sm_conn->sm_reencryption_active = true; 613 614 int identity_addr_type; 615 bd_addr_t identity_addr; 616 if (sm_conn->sm_le_db_index >= 0){ 617 // fetch addr and addr type from db, only called for valid entries 618 le_device_db_info(sm_conn->sm_le_db_index, &identity_addr_type, identity_addr, NULL); 619 } else { 620 // for legacy pairing with LTK re-construction, use current peer addr 621 identity_addr_type = sm_conn->sm_peer_addr_type; 622 // cppcheck-suppress uninitvar ; identity_addr is reported as uninitialized although it's the destination of the memcpy 623 memcpy(identity_addr, sm_conn->sm_peer_address, 6); 624 } 625 626 sm_notify_client_base(SM_EVENT_REENCRYPTION_STARTED, sm_conn->sm_handle, identity_addr_type, identity_addr); 627 } 628 629 static void sm_reencryption_complete(sm_connection_t * sm_conn, uint8_t status){ 630 631 if (!sm_conn->sm_reencryption_active) return; 632 633 sm_conn->sm_reencryption_active = false; 634 635 int identity_addr_type; 636 bd_addr_t identity_addr; 637 if (sm_conn->sm_le_db_index >= 0){ 638 // fetch addr and addr type from db, only called for valid entries 639 le_device_db_info(sm_conn->sm_le_db_index, &identity_addr_type, identity_addr, NULL); 640 } else { 641 // for legacy pairing with LTK re-construction, use current peer addr 642 identity_addr_type = sm_conn->sm_peer_addr_type; 643 // cppcheck-suppress uninitvar ; identity_addr is reported as uninitialized although it's the destination of the memcpy 644 memcpy(identity_addr, sm_conn->sm_peer_address, 6); 645 } 646 647 sm_notify_client_status(SM_EVENT_REENCRYPTION_COMPLETE, sm_conn->sm_handle, identity_addr_type, identity_addr, status); 648 } 649 650 static void sm_pairing_started(sm_connection_t * sm_conn){ 651 652 if (sm_conn->sm_pairing_active) return; 653 654 sm_conn->sm_pairing_active = true; 655 656 uint8_t event[11]; 657 sm_setup_event_base(event, sizeof(event), SM_EVENT_PAIRING_STARTED, sm_conn->sm_handle, setup->sm_peer_addr_type, setup->sm_peer_address); 658 sm_dispatch_event(HCI_EVENT_PACKET, 0, (uint8_t*) &event, sizeof(event)); 659 } 660 661 static void sm_pairing_complete(sm_connection_t * sm_conn, uint8_t status, uint8_t reason){ 662 663 if (!sm_conn->sm_pairing_active) return; 664 665 sm_conn->sm_pairing_active = false; 666 667 uint8_t event[13]; 668 sm_setup_event_base(event, sizeof(event), SM_EVENT_PAIRING_COMPLETE, sm_conn->sm_handle, setup->sm_peer_addr_type, setup->sm_peer_address); 669 event[11] = status; 670 event[12] = reason; 671 sm_dispatch_event(HCI_EVENT_PACKET, 0, (uint8_t*) &event, sizeof(event)); 672 } 673 674 // SMP Timeout implementation 675 676 // Upon transmission of the Pairing Request command or reception of the Pairing Request command, 677 // the Security Manager Timer shall be reset and started. 678 // 679 // The Security Manager Timer shall be reset when an L2CAP SMP command is queued for transmission. 680 // 681 // If the Security Manager Timer reaches 30 seconds, the procedure shall be considered to have failed, 682 // and the local higher layer shall be notified. No further SMP commands shall be sent over the L2CAP 683 // Security Manager Channel. A new SM procedure shall only be performed when a new physical link has been 684 // established. 685 686 static void sm_timeout_handler(btstack_timer_source_t * timer){ 687 log_info("SM timeout"); 688 sm_connection_t * sm_conn = (sm_connection_t*) btstack_run_loop_get_timer_context(timer); 689 sm_conn->sm_engine_state = SM_GENERAL_TIMEOUT; 690 sm_reencryption_complete(sm_conn, ERROR_CODE_CONNECTION_TIMEOUT); 691 sm_pairing_complete(sm_conn, ERROR_CODE_CONNECTION_TIMEOUT, 0); 692 sm_done_for_handle(sm_conn->sm_handle); 693 694 // trigger handling of next ready connection 695 sm_run(); 696 } 697 static void sm_timeout_start(sm_connection_t * sm_conn){ 698 btstack_run_loop_remove_timer(&setup->sm_timeout); 699 btstack_run_loop_set_timer_context(&setup->sm_timeout, sm_conn); 700 btstack_run_loop_set_timer_handler(&setup->sm_timeout, sm_timeout_handler); 701 btstack_run_loop_set_timer(&setup->sm_timeout, 30000); // 30 seconds sm timeout 702 btstack_run_loop_add_timer(&setup->sm_timeout); 703 } 704 static void sm_timeout_stop(void){ 705 btstack_run_loop_remove_timer(&setup->sm_timeout); 706 } 707 static void sm_timeout_reset(sm_connection_t * sm_conn){ 708 sm_timeout_stop(); 709 sm_timeout_start(sm_conn); 710 } 711 712 // end of sm timeout 713 714 // GAP Random Address updates 715 static gap_random_address_type_t gap_random_adress_type; 716 static btstack_timer_source_t gap_random_address_update_timer; 717 static uint32_t gap_random_adress_update_period; 718 719 static void gap_random_address_trigger(void){ 720 log_info("gap_random_address_trigger, state %u", rau_state); 721 if (rau_state != RAU_IDLE) return; 722 rau_state = RAU_GET_RANDOM; 723 sm_trigger_run(); 724 } 725 726 static void gap_random_address_update_handler(btstack_timer_source_t * timer){ 727 UNUSED(timer); 728 729 log_info("GAP Random Address Update due"); 730 btstack_run_loop_set_timer(&gap_random_address_update_timer, gap_random_adress_update_period); 731 btstack_run_loop_add_timer(&gap_random_address_update_timer); 732 gap_random_address_trigger(); 733 } 734 735 static void gap_random_address_update_start(void){ 736 btstack_run_loop_set_timer_handler(&gap_random_address_update_timer, gap_random_address_update_handler); 737 btstack_run_loop_set_timer(&gap_random_address_update_timer, gap_random_adress_update_period); 738 btstack_run_loop_add_timer(&gap_random_address_update_timer); 739 } 740 741 static void gap_random_address_update_stop(void){ 742 btstack_run_loop_remove_timer(&gap_random_address_update_timer); 743 } 744 745 // ah(k,r) helper 746 // r = padding || r 747 // r - 24 bit value 748 static void sm_ah_r_prime(uint8_t r[3], uint8_t * r_prime){ 749 // r'= padding || r 750 memset(r_prime, 0, 16); 751 (void)memcpy(&r_prime[13], r, 3); 752 } 753 754 // d1 helper 755 // d' = padding || r || d 756 // d,r - 16 bit values 757 static void sm_d1_d_prime(uint16_t d, uint16_t r, uint8_t * d1_prime){ 758 // d'= padding || r || d 759 memset(d1_prime, 0, 16); 760 big_endian_store_16(d1_prime, 12, r); 761 big_endian_store_16(d1_prime, 14, d); 762 } 763 764 // calculate arguments for first AES128 operation in C1 function 765 static void sm_c1_t1(sm_key_t r, uint8_t preq[7], uint8_t pres[7], uint8_t iat, uint8_t rat, uint8_t * t1){ 766 767 // p1 = pres || preq || rat’ || iat’ 768 // "The octet of iat’ becomes the least significant octet of p1 and the most signifi- 769 // cant octet of pres becomes the most significant octet of p1. 770 // For example, if the 8-bit iat’ is 0x01, the 8-bit rat’ is 0x00, the 56-bit preq 771 // is 0x07071000000101 and the 56 bit pres is 0x05000800000302 then 772 // p1 is 0x05000800000302070710000001010001." 773 774 sm_key_t p1; 775 reverse_56(pres, &p1[0]); 776 reverse_56(preq, &p1[7]); 777 p1[14] = rat; 778 p1[15] = iat; 779 log_info_key("p1", p1); 780 log_info_key("r", r); 781 782 // t1 = r xor p1 783 int i; 784 for (i=0;i<16;i++){ 785 t1[i] = r[i] ^ p1[i]; 786 } 787 log_info_key("t1", t1); 788 } 789 790 // calculate arguments for second AES128 operation in C1 function 791 static void sm_c1_t3(sm_key_t t2, bd_addr_t ia, bd_addr_t ra, uint8_t * t3){ 792 // p2 = padding || ia || ra 793 // "The least significant octet of ra becomes the least significant octet of p2 and 794 // the most significant octet of padding becomes the most significant octet of p2. 795 // For example, if 48-bit ia is 0xA1A2A3A4A5A6 and the 48-bit ra is 796 // 0xB1B2B3B4B5B6 then p2 is 0x00000000A1A2A3A4A5A6B1B2B3B4B5B6. 797 798 sm_key_t p2; 799 // cppcheck-suppress uninitvar ; p2 is reported as uninitialized 800 memset(p2, 0, 16); 801 (void)memcpy(&p2[4], ia, 6); 802 (void)memcpy(&p2[10], ra, 6); 803 log_info_key("p2", p2); 804 805 // c1 = e(k, t2_xor_p2) 806 int i; 807 for (i=0;i<16;i++){ 808 t3[i] = t2[i] ^ p2[i]; 809 } 810 log_info_key("t3", t3); 811 } 812 813 static void sm_s1_r_prime(sm_key_t r1, sm_key_t r2, uint8_t * r_prime){ 814 log_info_key("r1", r1); 815 log_info_key("r2", r2); 816 (void)memcpy(&r_prime[8], &r2[8], 8); 817 (void)memcpy(&r_prime[0], &r1[8], 8); 818 } 819 820 821 // decide on stk generation based on 822 // - pairing request 823 // - io capabilities 824 // - OOB data availability 825 static void sm_setup_tk(void){ 826 827 // horizontal: initiator capabilities 828 // vertial: responder capabilities 829 static const stk_generation_method_t stk_generation_method [5] [5] = { 830 { JUST_WORKS, JUST_WORKS, PK_INIT_INPUT, JUST_WORKS, PK_INIT_INPUT }, 831 { JUST_WORKS, JUST_WORKS, PK_INIT_INPUT, JUST_WORKS, PK_INIT_INPUT }, 832 { PK_RESP_INPUT, PK_RESP_INPUT, PK_BOTH_INPUT, JUST_WORKS, PK_RESP_INPUT }, 833 { JUST_WORKS, JUST_WORKS, JUST_WORKS, JUST_WORKS, JUST_WORKS }, 834 { PK_RESP_INPUT, PK_RESP_INPUT, PK_INIT_INPUT, JUST_WORKS, PK_RESP_INPUT }, 835 }; 836 837 // uses numeric comparison if one side has DisplayYesNo and KeyboardDisplay combinations 838 #ifdef ENABLE_LE_SECURE_CONNECTIONS 839 static const stk_generation_method_t stk_generation_method_with_secure_connection[5][5] = { 840 { JUST_WORKS, JUST_WORKS, PK_INIT_INPUT, JUST_WORKS, PK_INIT_INPUT }, 841 { JUST_WORKS, NUMERIC_COMPARISON, PK_INIT_INPUT, JUST_WORKS, NUMERIC_COMPARISON }, 842 { PK_RESP_INPUT, PK_RESP_INPUT, PK_BOTH_INPUT, JUST_WORKS, PK_RESP_INPUT }, 843 { JUST_WORKS, JUST_WORKS, JUST_WORKS, JUST_WORKS, JUST_WORKS }, 844 { PK_RESP_INPUT, NUMERIC_COMPARISON, PK_INIT_INPUT, JUST_WORKS, NUMERIC_COMPARISON }, 845 }; 846 #endif 847 848 // default: just works 849 setup->sm_stk_generation_method = JUST_WORKS; 850 851 #ifdef ENABLE_LE_SECURE_CONNECTIONS 852 setup->sm_use_secure_connections = ( sm_pairing_packet_get_auth_req(setup->sm_m_preq) 853 & sm_pairing_packet_get_auth_req(setup->sm_s_pres) 854 & SM_AUTHREQ_SECURE_CONNECTION ) != 0u; 855 #else 856 setup->sm_use_secure_connections = false; 857 #endif 858 log_info("Secure pairing: %u", setup->sm_use_secure_connections); 859 860 861 // decide if OOB will be used based on SC vs. Legacy and oob flags 862 bool use_oob; 863 if (setup->sm_use_secure_connections){ 864 // In LE Secure Connections pairing, the out of band method is used if at least 865 // one device has the peer device's out of band authentication data available. 866 use_oob = (sm_pairing_packet_get_oob_data_flag(setup->sm_m_preq) | sm_pairing_packet_get_oob_data_flag(setup->sm_s_pres)) != 0; 867 } else { 868 // In LE legacy pairing, the out of band method is used if both the devices have 869 // the other device's out of band authentication data available. 870 use_oob = (sm_pairing_packet_get_oob_data_flag(setup->sm_m_preq) & sm_pairing_packet_get_oob_data_flag(setup->sm_s_pres)) != 0; 871 } 872 if (use_oob){ 873 log_info("SM: have OOB data"); 874 log_info_key("OOB", setup->sm_tk); 875 setup->sm_stk_generation_method = OOB; 876 return; 877 } 878 879 // If both devices have not set the MITM option in the Authentication Requirements 880 // Flags, then the IO capabilities shall be ignored and the Just Works association 881 // model shall be used. 882 if (((sm_pairing_packet_get_auth_req(setup->sm_m_preq) & SM_AUTHREQ_MITM_PROTECTION) == 0u) 883 && ((sm_pairing_packet_get_auth_req(setup->sm_s_pres) & SM_AUTHREQ_MITM_PROTECTION) == 0u)){ 884 log_info("SM: MITM not required by both -> JUST WORKS"); 885 return; 886 } 887 888 // Reset TK as it has been setup in sm_init_setup 889 sm_reset_tk(); 890 891 // Also use just works if unknown io capabilites 892 if ((sm_pairing_packet_get_io_capability(setup->sm_m_preq) > IO_CAPABILITY_KEYBOARD_DISPLAY) || (sm_pairing_packet_get_io_capability(setup->sm_s_pres) > IO_CAPABILITY_KEYBOARD_DISPLAY)){ 893 return; 894 } 895 896 // Otherwise the IO capabilities of the devices shall be used to determine the 897 // pairing method as defined in Table 2.4. 898 // see http://stackoverflow.com/a/1052837/393697 for how to specify pointer to 2-dimensional array 899 const stk_generation_method_t (*generation_method)[5] = stk_generation_method; 900 901 #ifdef ENABLE_LE_SECURE_CONNECTIONS 902 // table not define by default 903 if (setup->sm_use_secure_connections){ 904 generation_method = stk_generation_method_with_secure_connection; 905 } 906 #endif 907 setup->sm_stk_generation_method = generation_method[sm_pairing_packet_get_io_capability(setup->sm_s_pres)][sm_pairing_packet_get_io_capability(setup->sm_m_preq)]; 908 909 log_info("sm_setup_tk: master io cap: %u, slave io cap: %u -> method %u", 910 sm_pairing_packet_get_io_capability(setup->sm_m_preq), sm_pairing_packet_get_io_capability(setup->sm_s_pres), setup->sm_stk_generation_method); 911 } 912 913 static int sm_key_distribution_flags_for_set(uint8_t key_set){ 914 int flags = 0; 915 if ((key_set & SM_KEYDIST_ENC_KEY) != 0u){ 916 flags |= SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION; 917 flags |= SM_KEYDIST_FLAG_MASTER_IDENTIFICATION; 918 } 919 if ((key_set & SM_KEYDIST_ID_KEY) != 0u){ 920 flags |= SM_KEYDIST_FLAG_IDENTITY_INFORMATION; 921 flags |= SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION; 922 } 923 if ((key_set & SM_KEYDIST_SIGN) != 0u){ 924 flags |= SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION; 925 } 926 return flags; 927 } 928 929 static void sm_setup_key_distribution(uint8_t keys_to_send, uint8_t keys_to_receive){ 930 setup->sm_key_distribution_received_set = 0; 931 setup->sm_key_distribution_expected_set = sm_key_distribution_flags_for_set(keys_to_receive); 932 setup->sm_key_distribution_send_set = sm_key_distribution_flags_for_set(keys_to_send); 933 setup->sm_key_distribution_sent_set = 0; 934 #ifdef ENABLE_LE_SIGNED_WRITE 935 setup->sm_le_device_index = -1; 936 #endif 937 } 938 939 // CSRK Key Lookup 940 941 942 static bool sm_address_resolution_idle(void){ 943 return sm_address_resolution_mode == ADDRESS_RESOLUTION_IDLE; 944 } 945 946 static void sm_address_resolution_start_lookup(uint8_t addr_type, hci_con_handle_t con_handle, bd_addr_t addr, address_resolution_mode_t mode, void * context){ 947 (void)memcpy(sm_address_resolution_address, addr, 6); 948 sm_address_resolution_addr_type = addr_type; 949 sm_address_resolution_test = 0; 950 sm_address_resolution_mode = mode; 951 sm_address_resolution_context = context; 952 sm_notify_client_base(SM_EVENT_IDENTITY_RESOLVING_STARTED, con_handle, addr_type, addr); 953 } 954 955 int sm_address_resolution_lookup(uint8_t address_type, bd_addr_t address){ 956 // check if already in list 957 btstack_linked_list_iterator_t it; 958 sm_lookup_entry_t * entry; 959 btstack_linked_list_iterator_init(&it, &sm_address_resolution_general_queue); 960 while(btstack_linked_list_iterator_has_next(&it)){ 961 entry = (sm_lookup_entry_t *) btstack_linked_list_iterator_next(&it); 962 if (entry->address_type != address_type) continue; 963 if (memcmp(entry->address, address, 6) != 0) continue; 964 // already in list 965 return BTSTACK_BUSY; 966 } 967 entry = btstack_memory_sm_lookup_entry_get(); 968 if (!entry) return BTSTACK_MEMORY_ALLOC_FAILED; 969 entry->address_type = (bd_addr_type_t) address_type; 970 (void)memcpy(entry->address, address, 6); 971 btstack_linked_list_add(&sm_address_resolution_general_queue, (btstack_linked_item_t *) entry); 972 sm_trigger_run(); 973 return 0; 974 } 975 976 // CMAC calculation using AES Engineq 977 #ifdef USE_CMAC_ENGINE 978 979 static void sm_cmac_done_trampoline(void * arg){ 980 UNUSED(arg); 981 sm_cmac_active = 0; 982 (*sm_cmac_done_callback)(sm_cmac_hash); 983 sm_trigger_run(); 984 } 985 986 int sm_cmac_ready(void){ 987 return sm_cmac_active == 0u; 988 } 989 #endif 990 991 #ifdef ENABLE_LE_SECURE_CONNECTIONS 992 // generic cmac calculation 993 static void sm_cmac_message_start(const sm_key_t key, uint16_t message_len, const uint8_t * message, void (*done_callback)(uint8_t * hash)){ 994 sm_cmac_active = 1; 995 sm_cmac_done_callback = done_callback; 996 btstack_crypto_aes128_cmac_message(&sm_cmac_request, key, message_len, message, sm_cmac_hash, sm_cmac_done_trampoline, NULL); 997 } 998 #endif 999 1000 // cmac for ATT Message signing 1001 #ifdef ENABLE_LE_SIGNED_WRITE 1002 1003 static void sm_cmac_generator_start(const sm_key_t key, uint16_t message_len, uint8_t (*get_byte_callback)(uint16_t offset), void (*done_callback)(uint8_t * hash)){ 1004 sm_cmac_active = 1; 1005 sm_cmac_done_callback = done_callback; 1006 btstack_crypto_aes128_cmac_generator(&sm_cmac_request, key, message_len, get_byte_callback, sm_cmac_hash, sm_cmac_done_trampoline, NULL); 1007 } 1008 1009 static uint8_t sm_cmac_signed_write_message_get_byte(uint16_t offset){ 1010 if (offset >= sm_cmac_signed_write_message_len) { 1011 log_error("sm_cmac_signed_write_message_get_byte. out of bounds, access %u, len %u", offset, sm_cmac_signed_write_message_len); 1012 return 0; 1013 } 1014 1015 offset = sm_cmac_signed_write_message_len - 1 - offset; 1016 1017 // sm_cmac_signed_write_header[3] | message[] | sm_cmac_signed_write_sign_counter[4] 1018 if (offset < 3){ 1019 return sm_cmac_signed_write_header[offset]; 1020 } 1021 int actual_message_len_incl_header = sm_cmac_signed_write_message_len - 4; 1022 if (offset < actual_message_len_incl_header){ 1023 return sm_cmac_signed_write_message[offset - 3]; 1024 } 1025 return sm_cmac_signed_write_sign_counter[offset - actual_message_len_incl_header]; 1026 } 1027 1028 void sm_cmac_signed_write_start(const sm_key_t k, uint8_t opcode, hci_con_handle_t con_handle, uint16_t message_len, const uint8_t * message, uint32_t sign_counter, void (*done_handler)(uint8_t * hash)){ 1029 // ATT Message Signing 1030 sm_cmac_signed_write_header[0] = opcode; 1031 little_endian_store_16(sm_cmac_signed_write_header, 1, con_handle); 1032 little_endian_store_32(sm_cmac_signed_write_sign_counter, 0, sign_counter); 1033 uint16_t total_message_len = 3 + message_len + 4; // incl. virtually prepended att opcode, handle and appended sign_counter in LE 1034 sm_cmac_signed_write_message = message; 1035 sm_cmac_signed_write_message_len = total_message_len; 1036 sm_cmac_generator_start(k, total_message_len, &sm_cmac_signed_write_message_get_byte, done_handler); 1037 } 1038 #endif 1039 1040 static void sm_trigger_user_response_basic(sm_connection_t * sm_conn, uint8_t event_type){ 1041 setup->sm_user_response = SM_USER_RESPONSE_PENDING; 1042 uint8_t event[12]; 1043 sm_setup_event_base(event, sizeof(event), event_type, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address); 1044 event[11] = setup->sm_use_secure_connections ? 1 : 0; 1045 sm_dispatch_event(HCI_EVENT_PACKET, 0, event, sizeof(event)); 1046 } 1047 1048 static void sm_trigger_user_response_passkey(sm_connection_t * sm_conn, uint8_t event_type){ 1049 uint8_t event[16]; 1050 uint32_t passkey = big_endian_read_32(setup->sm_tk, 12); 1051 sm_setup_event_base(event, sizeof(event), event_type, sm_conn->sm_handle, 1052 sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address); 1053 event[11] = setup->sm_use_secure_connections ? 1 : 0; 1054 little_endian_store_32(event, 12, passkey); 1055 sm_dispatch_event(HCI_EVENT_PACKET, 0, event, sizeof(event)); 1056 } 1057 1058 static void sm_trigger_user_response(sm_connection_t * sm_conn){ 1059 // notify client for: JUST WORKS confirm, Numeric comparison confirm, PASSKEY display or input 1060 setup->sm_user_response = SM_USER_RESPONSE_IDLE; 1061 sm_conn->sm_pairing_active = true; 1062 switch (setup->sm_stk_generation_method){ 1063 case PK_RESP_INPUT: 1064 if (IS_RESPONDER(sm_conn->sm_role)){ 1065 sm_trigger_user_response_basic(sm_conn, SM_EVENT_PASSKEY_INPUT_NUMBER); 1066 } else { 1067 sm_trigger_user_response_passkey(sm_conn, SM_EVENT_PASSKEY_DISPLAY_NUMBER); 1068 } 1069 break; 1070 case PK_INIT_INPUT: 1071 if (IS_RESPONDER(sm_conn->sm_role)){ 1072 sm_trigger_user_response_passkey(sm_conn, SM_EVENT_PASSKEY_DISPLAY_NUMBER); 1073 } else { 1074 sm_trigger_user_response_basic(sm_conn, SM_EVENT_PASSKEY_INPUT_NUMBER); 1075 } 1076 break; 1077 case PK_BOTH_INPUT: 1078 sm_trigger_user_response_basic(sm_conn, SM_EVENT_PASSKEY_INPUT_NUMBER); 1079 break; 1080 case NUMERIC_COMPARISON: 1081 sm_trigger_user_response_passkey(sm_conn, SM_EVENT_NUMERIC_COMPARISON_REQUEST); 1082 break; 1083 case JUST_WORKS: 1084 sm_trigger_user_response_basic(sm_conn, SM_EVENT_JUST_WORKS_REQUEST); 1085 break; 1086 case OOB: 1087 // client already provided OOB data, let's skip notification. 1088 break; 1089 default: 1090 btstack_assert(false); 1091 break; 1092 } 1093 } 1094 1095 static bool sm_key_distribution_all_received(void) { 1096 log_debug("sm_key_distribution_all_received: received 0x%02x, expecting 0x%02x", setup->sm_key_distribution_received_set, setup->sm_key_distribution_expected_set); 1097 return (setup->sm_key_distribution_expected_set & setup->sm_key_distribution_received_set) == setup->sm_key_distribution_expected_set; 1098 } 1099 1100 static void sm_done_for_handle(hci_con_handle_t con_handle){ 1101 if (sm_active_connection_handle == con_handle){ 1102 sm_timeout_stop(); 1103 sm_active_connection_handle = HCI_CON_HANDLE_INVALID; 1104 log_info("sm: connection 0x%x released setup context", con_handle); 1105 1106 #ifdef ENABLE_LE_SECURE_CONNECTIONS 1107 // generate new ec key after each pairing (that used it) 1108 if (setup->sm_use_secure_connections){ 1109 sm_ec_generate_new_key(); 1110 } 1111 #endif 1112 } 1113 } 1114 1115 static void sm_master_pairing_success(sm_connection_t *connection) {// master -> all done 1116 connection->sm_engine_state = SM_INITIATOR_CONNECTED; 1117 sm_pairing_complete(connection, ERROR_CODE_SUCCESS, 0); 1118 sm_done_for_handle(connection->sm_handle); 1119 } 1120 1121 static int sm_key_distribution_flags_for_auth_req(void){ 1122 1123 int flags = SM_KEYDIST_ID_KEY; 1124 if ((sm_auth_req & SM_AUTHREQ_BONDING) != 0u){ 1125 // encryption and signing information only if bonding requested 1126 flags |= SM_KEYDIST_ENC_KEY; 1127 #ifdef ENABLE_LE_SIGNED_WRITE 1128 flags |= SM_KEYDIST_SIGN; 1129 #endif 1130 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 1131 // LinkKey for CTKD requires SC and BR/EDR Support 1132 if (hci_classic_supported() && ((sm_auth_req & SM_AUTHREQ_SECURE_CONNECTION) != 0)){ 1133 flags |= SM_KEYDIST_LINK_KEY; 1134 } 1135 #endif 1136 } 1137 return flags; 1138 } 1139 1140 static void sm_reset_setup(void){ 1141 // fill in sm setup 1142 setup->sm_state_vars = 0; 1143 setup->sm_keypress_notification = 0; 1144 setup->sm_have_oob_data = 0; 1145 sm_reset_tk(); 1146 } 1147 1148 static void sm_init_setup(sm_connection_t * sm_conn){ 1149 // fill in sm setup 1150 setup->sm_peer_addr_type = sm_conn->sm_peer_addr_type; 1151 (void)memcpy(setup->sm_peer_address, sm_conn->sm_peer_address, 6); 1152 1153 // query client for Legacy Pairing OOB data 1154 if (sm_get_oob_data != NULL) { 1155 setup->sm_have_oob_data = (*sm_get_oob_data)(sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address, setup->sm_tk); 1156 } 1157 1158 // if available and SC supported, also ask for SC OOB Data 1159 #ifdef ENABLE_LE_SECURE_CONNECTIONS 1160 memset(setup->sm_ra, 0, 16); 1161 memset(setup->sm_rb, 0, 16); 1162 if (setup->sm_have_oob_data && (sm_auth_req & SM_AUTHREQ_SECURE_CONNECTION)){ 1163 if (sm_get_sc_oob_data != NULL){ 1164 if (IS_RESPONDER(sm_conn->sm_role)){ 1165 setup->sm_have_oob_data = (*sm_get_sc_oob_data)( 1166 sm_conn->sm_peer_addr_type, 1167 sm_conn->sm_peer_address, 1168 setup->sm_peer_confirm, 1169 setup->sm_ra); 1170 } else { 1171 setup->sm_have_oob_data = (*sm_get_sc_oob_data)( 1172 sm_conn->sm_peer_addr_type, 1173 sm_conn->sm_peer_address, 1174 setup->sm_peer_confirm, 1175 setup->sm_rb); 1176 } 1177 } else { 1178 setup->sm_have_oob_data = 0; 1179 } 1180 } 1181 #endif 1182 1183 sm_pairing_packet_t * local_packet; 1184 if (IS_RESPONDER(sm_conn->sm_role)){ 1185 // slave 1186 local_packet = &setup->sm_s_pres; 1187 setup->sm_m_addr_type = sm_conn->sm_peer_addr_type; 1188 setup->sm_s_addr_type = sm_conn->sm_own_addr_type; 1189 (void)memcpy(setup->sm_m_address, sm_conn->sm_peer_address, 6); 1190 (void)memcpy(setup->sm_s_address, sm_conn->sm_own_address, 6); 1191 } else { 1192 // master 1193 local_packet = &setup->sm_m_preq; 1194 setup->sm_s_addr_type = sm_conn->sm_peer_addr_type; 1195 setup->sm_m_addr_type = sm_conn->sm_own_addr_type; 1196 (void)memcpy(setup->sm_s_address, sm_conn->sm_peer_address, 6); 1197 (void)memcpy(setup->sm_m_address, sm_conn->sm_own_address, 6); 1198 1199 uint8_t key_distribution_flags = sm_key_distribution_flags_for_auth_req(); 1200 sm_pairing_packet_set_initiator_key_distribution(setup->sm_m_preq, key_distribution_flags); 1201 sm_pairing_packet_set_responder_key_distribution(setup->sm_m_preq, key_distribution_flags); 1202 } 1203 1204 log_info("our address %s type %u", bd_addr_to_str(sm_conn->sm_own_address), sm_conn->sm_own_addr_type); 1205 log_info("peer address %s type %u", bd_addr_to_str(sm_conn->sm_peer_address), sm_conn->sm_peer_addr_type); 1206 1207 uint8_t auth_req = sm_auth_req & ~SM_AUTHREQ_CT2; 1208 uint8_t max_encryption_key_size = sm_max_encryption_key_size; 1209 #ifdef ENABLE_LE_SECURE_CONNECTIONS 1210 // enable SC for SC only mode 1211 if (sm_sc_only_mode){ 1212 auth_req |= SM_AUTHREQ_SECURE_CONNECTION; 1213 max_encryption_key_size = 16; 1214 } 1215 #endif 1216 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 1217 // set CT2 if SC + Bonding + CTKD 1218 const uint8_t auth_req_for_ct2 = SM_AUTHREQ_SECURE_CONNECTION | SM_AUTHREQ_BONDING; 1219 if ((auth_req & auth_req_for_ct2) == auth_req_for_ct2){ 1220 auth_req |= SM_AUTHREQ_CT2; 1221 } 1222 #endif 1223 sm_pairing_packet_set_io_capability(*local_packet, sm_io_capabilities); 1224 sm_pairing_packet_set_oob_data_flag(*local_packet, setup->sm_have_oob_data); 1225 sm_pairing_packet_set_auth_req(*local_packet, auth_req); 1226 sm_pairing_packet_set_max_encryption_key_size(*local_packet, max_encryption_key_size); 1227 } 1228 1229 static int sm_stk_generation_init(sm_connection_t * sm_conn){ 1230 1231 sm_pairing_packet_t * remote_packet; 1232 uint8_t keys_to_send; 1233 uint8_t keys_to_receive; 1234 if (IS_RESPONDER(sm_conn->sm_role)){ 1235 // slave / responder 1236 remote_packet = &setup->sm_m_preq; 1237 keys_to_send = sm_pairing_packet_get_responder_key_distribution(setup->sm_m_preq); 1238 keys_to_receive = sm_pairing_packet_get_initiator_key_distribution(setup->sm_m_preq); 1239 } else { 1240 // master / initiator 1241 remote_packet = &setup->sm_s_pres; 1242 keys_to_send = sm_pairing_packet_get_initiator_key_distribution(setup->sm_s_pres); 1243 keys_to_receive = sm_pairing_packet_get_responder_key_distribution(setup->sm_s_pres); 1244 } 1245 1246 // check key size 1247 #ifdef ENABLE_LE_SECURE_CONNECTIONS 1248 // SC Only mandates 128 bit key size 1249 if (sm_sc_only_mode && (sm_pairing_packet_get_max_encryption_key_size(*remote_packet) < 16)) { 1250 return SM_REASON_ENCRYPTION_KEY_SIZE; 1251 } 1252 #endif 1253 sm_conn->sm_actual_encryption_key_size = sm_calc_actual_encryption_key_size(sm_pairing_packet_get_max_encryption_key_size(*remote_packet)); 1254 if (sm_conn->sm_actual_encryption_key_size == 0u) return SM_REASON_ENCRYPTION_KEY_SIZE; 1255 1256 // decide on STK generation method / SC 1257 sm_setup_tk(); 1258 log_info("SMP: generation method %u", setup->sm_stk_generation_method); 1259 1260 // check if STK generation method is acceptable by client 1261 if (!sm_validate_stk_generation_method()) return SM_REASON_AUTHENTHICATION_REQUIREMENTS; 1262 1263 #ifdef ENABLE_LE_SECURE_CONNECTIONS 1264 // Check LE SC Only mode 1265 if (sm_sc_only_mode && (setup->sm_use_secure_connections == false)){ 1266 log_info("SC Only mode active but SC not possible"); 1267 return SM_REASON_AUTHENTHICATION_REQUIREMENTS; 1268 } 1269 1270 // LTK (= encryption information & master identification) only used exchanged for LE Legacy Connection 1271 if (setup->sm_use_secure_connections){ 1272 keys_to_send &= ~SM_KEYDIST_ENC_KEY; 1273 keys_to_receive &= ~SM_KEYDIST_ENC_KEY; 1274 } 1275 #endif 1276 1277 // identical to responder 1278 sm_setup_key_distribution(keys_to_send, keys_to_receive); 1279 1280 // JUST WORKS doens't provide authentication 1281 sm_conn->sm_connection_authenticated = (setup->sm_stk_generation_method == JUST_WORKS) ? 0 : 1; 1282 1283 return 0; 1284 } 1285 1286 static void sm_address_resolution_handle_event(address_resolution_event_t event){ 1287 1288 // cache and reset context 1289 int matched_device_id = sm_address_resolution_test; 1290 address_resolution_mode_t mode = sm_address_resolution_mode; 1291 void * context = sm_address_resolution_context; 1292 1293 // reset context 1294 sm_address_resolution_mode = ADDRESS_RESOLUTION_IDLE; 1295 sm_address_resolution_context = NULL; 1296 sm_address_resolution_test = -1; 1297 1298 hci_con_handle_t con_handle = HCI_CON_HANDLE_INVALID; 1299 sm_connection_t * sm_connection; 1300 sm_key_t ltk; 1301 bool have_ltk; 1302 int authenticated; 1303 #ifdef ENABLE_LE_CENTRAL 1304 bool trigger_pairing; 1305 #endif 1306 1307 switch (mode){ 1308 case ADDRESS_RESOLUTION_GENERAL: 1309 break; 1310 case ADDRESS_RESOLUTION_FOR_CONNECTION: 1311 sm_connection = (sm_connection_t *) context; 1312 con_handle = sm_connection->sm_handle; 1313 1314 // have ltk -> start encryption / send security request 1315 // Core 5, Vol 3, Part C, 10.3.2 Initiating a Service Request 1316 // "When a bond has been created between two devices, any reconnection should result in the local device 1317 // enabling or requesting encryption with the remote device before initiating any service request." 1318 1319 switch (event){ 1320 case ADDRESS_RESOLUTION_SUCCEEDED: 1321 sm_connection->sm_irk_lookup_state = IRK_LOOKUP_SUCCEEDED; 1322 sm_connection->sm_le_db_index = matched_device_id; 1323 log_info("ADDRESS_RESOLUTION_SUCCEEDED, index %d", sm_connection->sm_le_db_index); 1324 1325 le_device_db_encryption_get(sm_connection->sm_le_db_index, NULL, NULL, ltk, NULL, &authenticated, NULL, NULL); 1326 have_ltk = !sm_is_null_key(ltk); 1327 1328 if (IS_RESPONDER(sm_connection->sm_role)) { 1329 #ifdef ENABLE_LE_PERIPHERAL 1330 // IRK required before, continue 1331 if (sm_connection->sm_engine_state == SM_RESPONDER_PH0_RECEIVED_LTK_W4_IRK){ 1332 sm_connection->sm_engine_state = SM_RESPONDER_PH0_RECEIVED_LTK_REQUEST; 1333 break; 1334 } 1335 if (sm_connection->sm_engine_state == SM_RESPONDER_PH1_PAIRING_REQUEST_RECEIVED_W4_IRK){ 1336 sm_connection->sm_engine_state = SM_RESPONDER_PH1_PAIRING_REQUEST_RECEIVED; 1337 break; 1338 } 1339 bool trigger_security_request = sm_connection->sm_pairing_requested || sm_slave_request_security; 1340 sm_connection->sm_pairing_requested = false; 1341 #ifdef ENABLE_LE_PROACTIVE_AUTHENTICATION 1342 // trigger security request for Proactive Authentication if LTK available 1343 trigger_security_request = trigger_security_request || have_ltk; 1344 #endif 1345 1346 log_info("peripheral: pairing request local %u, have_ltk %u => trigger_security_request %u", 1347 (int) sm_connection->sm_pairing_requested, (int) have_ltk, trigger_security_request); 1348 1349 if (trigger_security_request){ 1350 sm_connection->sm_engine_state = SM_RESPONDER_SEND_SECURITY_REQUEST; 1351 if (have_ltk){ 1352 sm_reencryption_started(sm_connection); 1353 } else { 1354 sm_pairing_started(sm_connection); 1355 } 1356 sm_trigger_run(); 1357 } 1358 #endif 1359 } else { 1360 1361 #ifdef ENABLE_LE_CENTRAL 1362 // check if pairing already requested and reset requests 1363 trigger_pairing = sm_connection->sm_pairing_requested || sm_connection->sm_security_request_received; 1364 bool auth_required = sm_auth_req & SM_AUTHREQ_MITM_PROTECTION; 1365 1366 log_info("central: pairing request local %u, remote %u => trigger_pairing %u. have_ltk %u", 1367 (int) sm_connection->sm_pairing_requested, (int) sm_connection->sm_security_request_received, (int) trigger_pairing, (int) have_ltk); 1368 sm_connection->sm_security_request_received = false; 1369 sm_connection->sm_pairing_requested = false; 1370 bool trigger_reencryption = false; 1371 1372 if (have_ltk){ 1373 if (trigger_pairing){ 1374 // if pairing is requested, re-encryption is sufficient, if ltk is already authenticated or we don't require authentication 1375 trigger_reencryption = (authenticated != 0) || (auth_required == false); 1376 } else { 1377 #ifdef ENABLE_LE_PROACTIVE_AUTHENTICATION 1378 trigger_reencryption = true; 1379 #else 1380 log_info("central: defer enabling encryption for bonded device"); 1381 #endif 1382 } 1383 } 1384 1385 if (trigger_reencryption){ 1386 log_info("central: enable encryption for bonded device"); 1387 sm_connection->sm_engine_state = SM_INITIATOR_PH4_HAS_LTK; 1388 break; 1389 } 1390 1391 // pairing_request -> send pairing request 1392 if (trigger_pairing){ 1393 sm_connection->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 1394 break; 1395 } 1396 #endif 1397 } 1398 break; 1399 case ADDRESS_RESOLUTION_FAILED: 1400 sm_connection->sm_irk_lookup_state = IRK_LOOKUP_FAILED; 1401 if (IS_RESPONDER(sm_connection->sm_role)) { 1402 #ifdef ENABLE_LE_PERIPHERAL 1403 // LTK request received before, IRK required -> negative LTK reply 1404 if (sm_connection->sm_engine_state == SM_RESPONDER_PH0_RECEIVED_LTK_W4_IRK){ 1405 sm_connection->sm_engine_state = SM_RESPONDER_PH0_SEND_LTK_REQUESTED_NEGATIVE_REPLY; 1406 } 1407 // send security request if requested 1408 bool trigger_security_request = sm_connection->sm_pairing_requested || sm_slave_request_security; 1409 sm_connection->sm_pairing_requested = false; 1410 if (trigger_security_request){ 1411 sm_connection->sm_engine_state = SM_RESPONDER_SEND_SECURITY_REQUEST; 1412 sm_pairing_started(sm_connection); 1413 } 1414 break; 1415 #endif 1416 } 1417 #ifdef ENABLE_LE_CENTRAL 1418 if ((sm_connection->sm_pairing_requested == false) && (sm_connection->sm_security_request_received == false)) break; 1419 sm_connection->sm_security_request_received = false; 1420 sm_connection->sm_pairing_requested = false; 1421 sm_connection->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 1422 #endif 1423 break; 1424 1425 default: 1426 btstack_assert(false); 1427 break; 1428 } 1429 break; 1430 default: 1431 break; 1432 } 1433 1434 switch (event){ 1435 case ADDRESS_RESOLUTION_SUCCEEDED: 1436 sm_notify_client_index(SM_EVENT_IDENTITY_RESOLVING_SUCCEEDED, con_handle, sm_address_resolution_addr_type, sm_address_resolution_address, matched_device_id); 1437 break; 1438 case ADDRESS_RESOLUTION_FAILED: 1439 sm_notify_client_base(SM_EVENT_IDENTITY_RESOLVING_FAILED, con_handle, sm_address_resolution_addr_type, sm_address_resolution_address); 1440 break; 1441 default: 1442 btstack_assert(false); 1443 break; 1444 } 1445 } 1446 1447 static void sm_store_bonding_information(sm_connection_t * sm_conn){ 1448 int le_db_index = -1; 1449 1450 // lookup device based on IRK 1451 if ((setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_IDENTITY_INFORMATION) != 0u){ 1452 int i; 1453 for (i=0; i < le_device_db_max_count(); i++){ 1454 sm_key_t irk; 1455 bd_addr_t address; 1456 int address_type = BD_ADDR_TYPE_UNKNOWN; 1457 le_device_db_info(i, &address_type, address, irk); 1458 // skip unused entries 1459 if (address_type == BD_ADDR_TYPE_UNKNOWN) continue; 1460 // compare Identity Address 1461 if (memcmp(address, setup->sm_peer_address, 6) != 0) continue; 1462 // compare Identity Resolving Key 1463 if (memcmp(irk, setup->sm_peer_irk, 16) != 0) continue; 1464 1465 log_info("sm: device found for IRK, updating"); 1466 le_db_index = i; 1467 break; 1468 } 1469 } else { 1470 // assert IRK is set to zero 1471 memset(setup->sm_peer_irk, 0, 16); 1472 } 1473 1474 // if not found, lookup via public address if possible 1475 log_info("sm peer addr type %u, peer addres %s", setup->sm_peer_addr_type, bd_addr_to_str(setup->sm_peer_address)); 1476 if ((le_db_index < 0) && (setup->sm_peer_addr_type == BD_ADDR_TYPE_LE_PUBLIC)){ 1477 int i; 1478 for (i=0; i < le_device_db_max_count(); i++){ 1479 bd_addr_t address; 1480 int address_type = BD_ADDR_TYPE_UNKNOWN; 1481 le_device_db_info(i, &address_type, address, NULL); 1482 // skip unused entries 1483 if (address_type == BD_ADDR_TYPE_UNKNOWN) continue; 1484 log_info("device %u, sm peer addr type %u, peer addres %s", i, address_type, bd_addr_to_str(address)); 1485 if ((address_type == BD_ADDR_TYPE_LE_PUBLIC) && (memcmp(address, setup->sm_peer_address, 6) == 0)){ 1486 log_info("sm: device found for public address, updating"); 1487 le_db_index = i; 1488 break; 1489 } 1490 } 1491 } 1492 1493 // if not found, add to db 1494 bool new_to_le_device_db = false; 1495 if (le_db_index < 0) { 1496 le_db_index = le_device_db_add(setup->sm_peer_addr_type, setup->sm_peer_address, setup->sm_peer_irk); 1497 new_to_le_device_db = true; 1498 } 1499 1500 if (le_db_index >= 0){ 1501 1502 #ifdef ENABLE_LE_PRIVACY_ADDRESS_RESOLUTION 1503 if (!new_to_le_device_db){ 1504 hci_remove_le_device_db_entry_from_resolving_list(le_db_index); 1505 } 1506 hci_load_le_device_db_entry_into_resolving_list(le_db_index); 1507 #else 1508 UNUSED(new_to_le_device_db); 1509 #endif 1510 1511 sm_notify_client_index(SM_EVENT_IDENTITY_CREATED, sm_conn->sm_handle, setup->sm_peer_addr_type, setup->sm_peer_address, le_db_index); 1512 sm_conn->sm_irk_lookup_state = IRK_LOOKUP_SUCCEEDED; 1513 sm_conn->sm_le_db_index = le_db_index; 1514 1515 #ifdef ENABLE_LE_SIGNED_WRITE 1516 // store local CSRK 1517 setup->sm_le_device_index = le_db_index; 1518 if ((setup->sm_key_distribution_sent_set) & SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION){ 1519 log_info("sm: store local CSRK"); 1520 le_device_db_local_csrk_set(le_db_index, setup->sm_local_csrk); 1521 le_device_db_local_counter_set(le_db_index, 0); 1522 } 1523 1524 // store remote CSRK 1525 if (setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION){ 1526 log_info("sm: store remote CSRK"); 1527 le_device_db_remote_csrk_set(le_db_index, setup->sm_peer_csrk); 1528 le_device_db_remote_counter_set(le_db_index, 0); 1529 } 1530 #endif 1531 // store encryption information for secure connections: LTK generated by ECDH 1532 if (setup->sm_use_secure_connections){ 1533 log_info("sm: store SC LTK (key size %u, authenticated %u)", sm_conn->sm_actual_encryption_key_size, sm_conn->sm_connection_authenticated); 1534 uint8_t zero_rand[8]; 1535 memset(zero_rand, 0, 8); 1536 le_device_db_encryption_set(le_db_index, 0, zero_rand, setup->sm_ltk, sm_conn->sm_actual_encryption_key_size, 1537 sm_conn->sm_connection_authenticated, sm_conn->sm_connection_authorization_state == AUTHORIZATION_GRANTED, 1); 1538 } 1539 1540 // store encryption information for legacy pairing: peer LTK, EDIV, RAND 1541 else if ( (setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION) 1542 && (setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_MASTER_IDENTIFICATION )){ 1543 log_info("sm: set encryption information (key size %u, authenticated %u)", sm_conn->sm_actual_encryption_key_size, sm_conn->sm_connection_authenticated); 1544 le_device_db_encryption_set(le_db_index, setup->sm_peer_ediv, setup->sm_peer_rand, setup->sm_peer_ltk, 1545 sm_conn->sm_actual_encryption_key_size, sm_conn->sm_connection_authenticated, sm_conn->sm_connection_authorization_state == AUTHORIZATION_GRANTED, 0); 1546 1547 } 1548 } 1549 } 1550 1551 static void sm_pairing_error(sm_connection_t * sm_conn, uint8_t reason){ 1552 sm_conn->sm_pairing_failed_reason = reason; 1553 sm_conn->sm_engine_state = SM_GENERAL_SEND_PAIRING_FAILED; 1554 } 1555 1556 static int sm_le_device_db_index_lookup(bd_addr_type_t address_type, bd_addr_t address){ 1557 int i; 1558 for (i=0; i < le_device_db_max_count(); i++){ 1559 bd_addr_t db_address; 1560 int db_address_type = BD_ADDR_TYPE_UNKNOWN; 1561 le_device_db_info(i, &db_address_type, db_address, NULL); 1562 // skip unused entries 1563 if (address_type == BD_ADDR_TYPE_UNKNOWN) continue; 1564 if ((address_type == (unsigned int)db_address_type) && (memcmp(address, db_address, 6) == 0)){ 1565 return i; 1566 } 1567 } 1568 return -1; 1569 } 1570 1571 static void sm_remove_le_device_db_entry(uint16_t i) { 1572 le_device_db_remove(i); 1573 #ifdef ENABLE_LE_PRIVACY_ADDRESS_RESOLUTION 1574 // to remove an entry from the resolving list requires its identity address, which was already deleted 1575 // fully reload resolving list instead 1576 gap_load_resolving_list_from_le_device_db(); 1577 #endif 1578 } 1579 1580 static uint8_t sm_key_distribution_validate_received(sm_connection_t * sm_conn){ 1581 // if identity is provided, abort if we have bonding with same address but different irk 1582 if ((setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_IDENTITY_INFORMATION) != 0u){ 1583 int index = sm_le_device_db_index_lookup(BD_ADDR_TYPE_LE_PUBLIC, setup->sm_peer_address); 1584 if (index >= 0){ 1585 sm_key_t irk; 1586 le_device_db_info(index, NULL, NULL, irk); 1587 if (memcmp(irk, setup->sm_peer_irk, 16) != 0){ 1588 // IRK doesn't match, delete bonding information 1589 log_info("New IRK for %s (type %u) does not match stored IRK -> delete bonding information", bd_addr_to_str(sm_conn->sm_peer_address), sm_conn->sm_peer_addr_type); 1590 sm_remove_le_device_db_entry(index); 1591 } 1592 } 1593 } 1594 return 0; 1595 } 1596 1597 static void sm_key_distribution_handle_all_received(sm_connection_t * sm_conn){ 1598 1599 // abort pairing if received keys are not valid 1600 uint8_t reason = sm_key_distribution_validate_received(sm_conn); 1601 if (reason != 0){ 1602 sm_pairing_error(sm_conn, reason); 1603 return; 1604 } 1605 1606 // only store pairing information if both sides are bondable, i.e., the bonadble flag is set 1607 bool bonding_enabled = (sm_pairing_packet_get_auth_req(setup->sm_m_preq) 1608 & sm_pairing_packet_get_auth_req(setup->sm_s_pres) 1609 & SM_AUTHREQ_BONDING ) != 0u; 1610 1611 if (bonding_enabled){ 1612 sm_store_bonding_information(sm_conn); 1613 } else { 1614 log_info("Ignoring received keys, bonding not enabled"); 1615 } 1616 } 1617 1618 static inline void sm_pdu_received_in_wrong_state(sm_connection_t * sm_conn){ 1619 sm_pairing_error(sm_conn, SM_REASON_UNSPECIFIED_REASON); 1620 } 1621 1622 #ifdef ENABLE_LE_SECURE_CONNECTIONS 1623 1624 static void sm_sc_prepare_dhkey_check(sm_connection_t * sm_conn); 1625 static bool sm_passkey_used(stk_generation_method_t method); 1626 static bool sm_just_works_or_numeric_comparison(stk_generation_method_t method); 1627 1628 static void sm_sc_start_calculating_local_confirm(sm_connection_t * sm_conn){ 1629 if (setup->sm_stk_generation_method == OOB){ 1630 sm_conn->sm_engine_state = SM_SC_W2_CMAC_FOR_CONFIRMATION; 1631 } else { 1632 btstack_crypto_random_generate(&sm_crypto_random_request, setup->sm_local_nonce, 16, &sm_handle_random_result_sc_next_w2_cmac_for_confirmation, (void *)(uintptr_t) sm_conn->sm_handle); 1633 } 1634 } 1635 1636 static void sm_sc_state_after_receiving_random(sm_connection_t * sm_conn){ 1637 if (IS_RESPONDER(sm_conn->sm_role)){ 1638 // Responder 1639 if (setup->sm_stk_generation_method == OOB){ 1640 // generate Nb 1641 log_info("Generate Nb"); 1642 btstack_crypto_random_generate(&sm_crypto_random_request, setup->sm_local_nonce, 16, &sm_handle_random_result_sc_next_send_pairing_random, (void *)(uintptr_t) sm_conn->sm_handle); 1643 } else { 1644 sm_conn->sm_engine_state = SM_SC_SEND_PAIRING_RANDOM; 1645 } 1646 } else { 1647 // Initiator role 1648 switch (setup->sm_stk_generation_method){ 1649 case JUST_WORKS: 1650 sm_sc_prepare_dhkey_check(sm_conn); 1651 break; 1652 1653 case NUMERIC_COMPARISON: 1654 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_G2; 1655 break; 1656 case PK_INIT_INPUT: 1657 case PK_RESP_INPUT: 1658 case PK_BOTH_INPUT: 1659 if (setup->sm_passkey_bit < 20u) { 1660 sm_sc_start_calculating_local_confirm(sm_conn); 1661 } else { 1662 sm_sc_prepare_dhkey_check(sm_conn); 1663 } 1664 break; 1665 case OOB: 1666 sm_sc_prepare_dhkey_check(sm_conn); 1667 break; 1668 default: 1669 btstack_assert(false); 1670 break; 1671 } 1672 } 1673 } 1674 1675 static void sm_sc_cmac_done(uint8_t * hash){ 1676 log_info("sm_sc_cmac_done: "); 1677 log_info_hexdump(hash, 16); 1678 1679 if (sm_sc_oob_state == SM_SC_OOB_W4_CONFIRM){ 1680 sm_sc_oob_state = SM_SC_OOB_IDLE; 1681 (*sm_sc_oob_callback)(hash, sm_sc_oob_random); 1682 return; 1683 } 1684 1685 sm_connection_t * sm_conn = sm_cmac_connection; 1686 sm_cmac_connection = NULL; 1687 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 1688 link_key_type_t link_key_type; 1689 #endif 1690 1691 switch (sm_conn->sm_engine_state){ 1692 case SM_SC_W4_CMAC_FOR_CONFIRMATION: 1693 (void)memcpy(setup->sm_local_confirm, hash, 16); 1694 sm_conn->sm_engine_state = SM_SC_SEND_CONFIRMATION; 1695 break; 1696 case SM_SC_W4_CMAC_FOR_CHECK_CONFIRMATION: 1697 // check 1698 if (0 != memcmp(hash, setup->sm_peer_confirm, 16)){ 1699 sm_pairing_error(sm_conn, SM_REASON_CONFIRM_VALUE_FAILED); 1700 break; 1701 } 1702 sm_sc_state_after_receiving_random(sm_conn); 1703 break; 1704 case SM_SC_W4_CALCULATE_G2: { 1705 uint32_t vab = big_endian_read_32(hash, 12) % 1000000; 1706 big_endian_store_32(setup->sm_tk, 12, vab); 1707 sm_conn->sm_engine_state = SM_SC_W4_USER_RESPONSE; 1708 sm_trigger_user_response(sm_conn); 1709 break; 1710 } 1711 case SM_SC_W4_CALCULATE_F5_SALT: 1712 (void)memcpy(setup->sm_t, hash, 16); 1713 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F5_MACKEY; 1714 break; 1715 case SM_SC_W4_CALCULATE_F5_MACKEY: 1716 (void)memcpy(setup->sm_mackey, hash, 16); 1717 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F5_LTK; 1718 break; 1719 case SM_SC_W4_CALCULATE_F5_LTK: 1720 // truncate sm_ltk, but keep full LTK for cross-transport key derivation in sm_local_ltk 1721 // Errata Service Release to the Bluetooth Specification: ESR09 1722 // E6405 – Cross transport key derivation from a key of size less than 128 bits 1723 // Note: When the BR/EDR link key is being derived from the LTK, the derivation is done before the LTK gets masked." 1724 (void)memcpy(setup->sm_ltk, hash, 16); 1725 (void)memcpy(setup->sm_local_ltk, hash, 16); 1726 sm_truncate_key(setup->sm_ltk, sm_conn->sm_actual_encryption_key_size); 1727 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F6_FOR_DHKEY_CHECK; 1728 break; 1729 case SM_SC_W4_CALCULATE_F6_FOR_DHKEY_CHECK: 1730 (void)memcpy(setup->sm_local_dhkey_check, hash, 16); 1731 if (IS_RESPONDER(sm_conn->sm_role)){ 1732 // responder 1733 if ((setup->sm_state_vars & SM_STATE_VAR_DHKEY_COMMAND_RECEIVED) != 0u){ 1734 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F6_TO_VERIFY_DHKEY_CHECK; 1735 } else { 1736 sm_conn->sm_engine_state = SM_SC_W4_DHKEY_CHECK_COMMAND; 1737 } 1738 } else { 1739 sm_conn->sm_engine_state = SM_SC_SEND_DHKEY_CHECK_COMMAND; 1740 } 1741 break; 1742 case SM_SC_W4_CALCULATE_F6_TO_VERIFY_DHKEY_CHECK: 1743 if (0 != memcmp(hash, setup->sm_peer_dhkey_check, 16) ){ 1744 sm_pairing_error(sm_conn, SM_REASON_DHKEY_CHECK_FAILED); 1745 break; 1746 } 1747 if (IS_RESPONDER(sm_conn->sm_role)){ 1748 // responder 1749 sm_conn->sm_engine_state = SM_SC_SEND_DHKEY_CHECK_COMMAND; 1750 } else { 1751 // initiator 1752 sm_conn->sm_engine_state = SM_INITIATOR_PH3_SEND_START_ENCRYPTION; 1753 } 1754 break; 1755 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 1756 case SM_SC_W4_CALCULATE_ILK: 1757 (void)memcpy(setup->sm_t, hash, 16); 1758 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_BR_EDR_LINK_KEY; 1759 break; 1760 case SM_SC_W4_CALCULATE_BR_EDR_LINK_KEY: 1761 reverse_128(hash, setup->sm_t); 1762 link_key_type = sm_conn->sm_connection_authenticated ? 1763 AUTHENTICATED_COMBINATION_KEY_GENERATED_FROM_P256 : UNAUTHENTICATED_COMBINATION_KEY_GENERATED_FROM_P256; 1764 log_info("Derived classic link key from LE using h6, type %u", (int) link_key_type); 1765 gap_store_link_key_for_bd_addr(setup->sm_peer_address, setup->sm_t, link_key_type); 1766 if (IS_RESPONDER(sm_conn->sm_role)){ 1767 sm_conn->sm_engine_state = SM_RESPONDER_IDLE; 1768 } else { 1769 sm_conn->sm_engine_state = SM_INITIATOR_CONNECTED; 1770 } 1771 sm_pairing_complete(sm_conn, ERROR_CODE_SUCCESS, 0); 1772 sm_done_for_handle(sm_conn->sm_handle); 1773 break; 1774 case SM_BR_EDR_W4_CALCULATE_ILK: 1775 (void)memcpy(setup->sm_t, hash, 16); 1776 sm_conn->sm_engine_state = SM_BR_EDR_W2_CALCULATE_LE_LTK; 1777 break; 1778 case SM_BR_EDR_W4_CALCULATE_LE_LTK: 1779 log_info("Derived LE LTK from BR/EDR Link Key"); 1780 log_info_key("Link Key", hash); 1781 (void)memcpy(setup->sm_ltk, hash, 16); 1782 sm_truncate_key(setup->sm_ltk, sm_conn->sm_actual_encryption_key_size); 1783 sm_conn->sm_connection_authenticated = setup->sm_link_key_type == AUTHENTICATED_COMBINATION_KEY_GENERATED_FROM_P256; 1784 sm_store_bonding_information(sm_conn); 1785 sm_done_for_handle(sm_conn->sm_handle); 1786 break; 1787 #endif 1788 default: 1789 log_error("sm_sc_cmac_done in state %u", sm_conn->sm_engine_state); 1790 break; 1791 } 1792 sm_trigger_run(); 1793 } 1794 1795 static void f4_engine(sm_connection_t * sm_conn, const sm_key256_t u, const sm_key256_t v, const sm_key_t x, uint8_t z){ 1796 const uint16_t message_len = 65; 1797 sm_cmac_connection = sm_conn; 1798 (void)memcpy(sm_cmac_sc_buffer, u, 32); 1799 (void)memcpy(sm_cmac_sc_buffer + 32, v, 32); 1800 sm_cmac_sc_buffer[64] = z; 1801 log_info("f4 key"); 1802 log_info_hexdump(x, 16); 1803 log_info("f4 message"); 1804 log_info_hexdump(sm_cmac_sc_buffer, message_len); 1805 sm_cmac_message_start(x, message_len, sm_cmac_sc_buffer, &sm_sc_cmac_done); 1806 } 1807 1808 static const uint8_t f5_key_id[] = { 0x62, 0x74, 0x6c, 0x65 }; 1809 static const uint8_t f5_length[] = { 0x01, 0x00}; 1810 1811 static void f5_calculate_salt(sm_connection_t * sm_conn){ 1812 1813 static const sm_key_t f5_salt = { 0x6C ,0x88, 0x83, 0x91, 0xAA, 0xF5, 0xA5, 0x38, 0x60, 0x37, 0x0B, 0xDB, 0x5A, 0x60, 0x83, 0xBE}; 1814 1815 log_info("f5_calculate_salt"); 1816 // calculate salt for f5 1817 const uint16_t message_len = 32; 1818 sm_cmac_connection = sm_conn; 1819 (void)memcpy(sm_cmac_sc_buffer, setup->sm_dhkey, message_len); 1820 sm_cmac_message_start(f5_salt, message_len, sm_cmac_sc_buffer, &sm_sc_cmac_done); 1821 } 1822 1823 static inline void f5_mackkey(sm_connection_t * sm_conn, sm_key_t t, const sm_key_t n1, const sm_key_t n2, const sm_key56_t a1, const sm_key56_t a2){ 1824 const uint16_t message_len = 53; 1825 sm_cmac_connection = sm_conn; 1826 1827 // f5(W, N1, N2, A1, A2) = AES-CMACT (Counter = 0 || keyID || N1 || N2|| A1|| A2 || Length = 256) -- this is the MacKey 1828 sm_cmac_sc_buffer[0] = 0; 1829 (void)memcpy(sm_cmac_sc_buffer + 01, f5_key_id, 4); 1830 (void)memcpy(sm_cmac_sc_buffer + 05, n1, 16); 1831 (void)memcpy(sm_cmac_sc_buffer + 21, n2, 16); 1832 (void)memcpy(sm_cmac_sc_buffer + 37, a1, 7); 1833 (void)memcpy(sm_cmac_sc_buffer + 44, a2, 7); 1834 (void)memcpy(sm_cmac_sc_buffer + 51, f5_length, 2); 1835 log_info("f5 key"); 1836 log_info_hexdump(t, 16); 1837 log_info("f5 message for MacKey"); 1838 log_info_hexdump(sm_cmac_sc_buffer, message_len); 1839 sm_cmac_message_start(t, message_len, sm_cmac_sc_buffer, &sm_sc_cmac_done); 1840 } 1841 1842 static void f5_calculate_mackey(sm_connection_t * sm_conn){ 1843 sm_key56_t bd_addr_master, bd_addr_slave; 1844 bd_addr_master[0] = setup->sm_m_addr_type; 1845 bd_addr_slave[0] = setup->sm_s_addr_type; 1846 (void)memcpy(&bd_addr_master[1], setup->sm_m_address, 6); 1847 (void)memcpy(&bd_addr_slave[1], setup->sm_s_address, 6); 1848 if (IS_RESPONDER(sm_conn->sm_role)){ 1849 // responder 1850 f5_mackkey(sm_conn, setup->sm_t, setup->sm_peer_nonce, setup->sm_local_nonce, bd_addr_master, bd_addr_slave); 1851 } else { 1852 // initiator 1853 f5_mackkey(sm_conn, setup->sm_t, setup->sm_local_nonce, setup->sm_peer_nonce, bd_addr_master, bd_addr_slave); 1854 } 1855 } 1856 1857 // note: must be called right after f5_mackey, as sm_cmac_buffer[1..52] will be reused 1858 static inline void f5_ltk(sm_connection_t * sm_conn, sm_key_t t){ 1859 const uint16_t message_len = 53; 1860 sm_cmac_connection = sm_conn; 1861 sm_cmac_sc_buffer[0] = 1; 1862 // 1..52 setup before 1863 log_info("f5 key"); 1864 log_info_hexdump(t, 16); 1865 log_info("f5 message for LTK"); 1866 log_info_hexdump(sm_cmac_sc_buffer, message_len); 1867 sm_cmac_message_start(t, message_len, sm_cmac_sc_buffer, &sm_sc_cmac_done); 1868 } 1869 1870 static void f5_calculate_ltk(sm_connection_t * sm_conn){ 1871 f5_ltk(sm_conn, setup->sm_t); 1872 } 1873 1874 static void f6_setup(const sm_key_t n1, const sm_key_t n2, const sm_key_t r, const sm_key24_t io_cap, const sm_key56_t a1, const sm_key56_t a2){ 1875 (void)memcpy(sm_cmac_sc_buffer, n1, 16); 1876 (void)memcpy(sm_cmac_sc_buffer + 16, n2, 16); 1877 (void)memcpy(sm_cmac_sc_buffer + 32, r, 16); 1878 (void)memcpy(sm_cmac_sc_buffer + 48, io_cap, 3); 1879 (void)memcpy(sm_cmac_sc_buffer + 51, a1, 7); 1880 (void)memcpy(sm_cmac_sc_buffer + 58, a2, 7); 1881 } 1882 1883 static void f6_engine(sm_connection_t * sm_conn, const sm_key_t w){ 1884 const uint16_t message_len = 65; 1885 sm_cmac_connection = sm_conn; 1886 log_info("f6 key"); 1887 log_info_hexdump(w, 16); 1888 log_info("f6 message"); 1889 log_info_hexdump(sm_cmac_sc_buffer, message_len); 1890 sm_cmac_message_start(w, 65, sm_cmac_sc_buffer, &sm_sc_cmac_done); 1891 } 1892 1893 // g2(U, V, X, Y) = AES-CMACX(U || V || Y) mod 2^32 1894 // - U is 256 bits 1895 // - V is 256 bits 1896 // - X is 128 bits 1897 // - Y is 128 bits 1898 static void g2_engine(sm_connection_t * sm_conn, const sm_key256_t u, const sm_key256_t v, const sm_key_t x, const sm_key_t y){ 1899 const uint16_t message_len = 80; 1900 sm_cmac_connection = sm_conn; 1901 (void)memcpy(sm_cmac_sc_buffer, u, 32); 1902 (void)memcpy(sm_cmac_sc_buffer + 32, v, 32); 1903 (void)memcpy(sm_cmac_sc_buffer + 64, y, 16); 1904 log_info("g2 key"); 1905 log_info_hexdump(x, 16); 1906 log_info("g2 message"); 1907 log_info_hexdump(sm_cmac_sc_buffer, message_len); 1908 sm_cmac_message_start(x, message_len, sm_cmac_sc_buffer, &sm_sc_cmac_done); 1909 } 1910 1911 static void g2_calculate(sm_connection_t * sm_conn) { 1912 // calc Va if numeric comparison 1913 if (IS_RESPONDER(sm_conn->sm_role)){ 1914 // responder 1915 g2_engine(sm_conn, setup->sm_peer_q, ec_q, setup->sm_peer_nonce, setup->sm_local_nonce);; 1916 } else { 1917 // initiator 1918 g2_engine(sm_conn, ec_q, setup->sm_peer_q, setup->sm_local_nonce, setup->sm_peer_nonce); 1919 } 1920 } 1921 1922 static void sm_sc_calculate_local_confirm(sm_connection_t * sm_conn){ 1923 uint8_t z = 0; 1924 if (sm_passkey_entry(setup->sm_stk_generation_method)){ 1925 // some form of passkey 1926 uint32_t pk = big_endian_read_32(setup->sm_tk, 12); 1927 z = 0x80u | ((pk >> setup->sm_passkey_bit) & 1u); 1928 setup->sm_passkey_bit++; 1929 } 1930 f4_engine(sm_conn, ec_q, setup->sm_peer_q, setup->sm_local_nonce, z); 1931 } 1932 1933 static void sm_sc_calculate_remote_confirm(sm_connection_t * sm_conn){ 1934 // OOB 1935 if (setup->sm_stk_generation_method == OOB){ 1936 if (IS_RESPONDER(sm_conn->sm_role)){ 1937 f4_engine(sm_conn, setup->sm_peer_q, setup->sm_peer_q, setup->sm_ra, 0); 1938 } else { 1939 f4_engine(sm_conn, setup->sm_peer_q, setup->sm_peer_q, setup->sm_rb, 0); 1940 } 1941 return; 1942 } 1943 1944 uint8_t z = 0; 1945 if (sm_passkey_entry(setup->sm_stk_generation_method)){ 1946 // some form of passkey 1947 uint32_t pk = big_endian_read_32(setup->sm_tk, 12); 1948 // sm_passkey_bit was increased before sending confirm value 1949 z = 0x80u | ((pk >> (setup->sm_passkey_bit-1u)) & 1u); 1950 } 1951 f4_engine(sm_conn, setup->sm_peer_q, ec_q, setup->sm_peer_nonce, z); 1952 } 1953 1954 static void sm_sc_prepare_dhkey_check(sm_connection_t * sm_conn){ 1955 log_info("sm_sc_prepare_dhkey_check, DHKEY calculated %u", (setup->sm_state_vars & SM_STATE_VAR_DHKEY_CALCULATED) != 0 ? 1 : 0); 1956 1957 if ((setup->sm_state_vars & SM_STATE_VAR_DHKEY_CALCULATED) != 0u){ 1958 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F5_SALT; 1959 } else { 1960 sm_conn->sm_engine_state = SM_SC_W4_CALCULATE_DHKEY; 1961 } 1962 } 1963 1964 static void sm_sc_dhkey_calculated(void * arg){ 1965 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 1966 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 1967 if (sm_conn == NULL) return; 1968 1969 // check for invalid public key detected by Controller 1970 if (sm_is_ff(setup->sm_dhkey, 32)){ 1971 log_info("sm: peer public key invalid"); 1972 sm_pairing_error(sm_conn, SM_REASON_DHKEY_CHECK_FAILED); 1973 return; 1974 } 1975 1976 log_info("dhkey"); 1977 log_info_hexdump(&setup->sm_dhkey[0], 32); 1978 setup->sm_state_vars |= SM_STATE_VAR_DHKEY_CALCULATED; 1979 // trigger next step 1980 if (sm_conn->sm_engine_state == SM_SC_W4_CALCULATE_DHKEY){ 1981 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F5_SALT; 1982 } 1983 sm_trigger_run(); 1984 } 1985 1986 static void sm_sc_calculate_f6_for_dhkey_check(sm_connection_t * sm_conn){ 1987 // calculate DHKCheck 1988 sm_key56_t bd_addr_master, bd_addr_slave; 1989 bd_addr_master[0] = setup->sm_m_addr_type; 1990 bd_addr_slave[0] = setup->sm_s_addr_type; 1991 (void)memcpy(&bd_addr_master[1], setup->sm_m_address, 6); 1992 (void)memcpy(&bd_addr_slave[1], setup->sm_s_address, 6); 1993 uint8_t iocap_a[3]; 1994 iocap_a[0] = sm_pairing_packet_get_auth_req(setup->sm_m_preq); 1995 iocap_a[1] = sm_pairing_packet_get_oob_data_flag(setup->sm_m_preq); 1996 iocap_a[2] = sm_pairing_packet_get_io_capability(setup->sm_m_preq); 1997 uint8_t iocap_b[3]; 1998 iocap_b[0] = sm_pairing_packet_get_auth_req(setup->sm_s_pres); 1999 iocap_b[1] = sm_pairing_packet_get_oob_data_flag(setup->sm_s_pres); 2000 iocap_b[2] = sm_pairing_packet_get_io_capability(setup->sm_s_pres); 2001 if (IS_RESPONDER(sm_conn->sm_role)){ 2002 // responder 2003 f6_setup(setup->sm_local_nonce, setup->sm_peer_nonce, setup->sm_ra, iocap_b, bd_addr_slave, bd_addr_master); 2004 f6_engine(sm_conn, setup->sm_mackey); 2005 } else { 2006 // initiator 2007 f6_setup( setup->sm_local_nonce, setup->sm_peer_nonce, setup->sm_rb, iocap_a, bd_addr_master, bd_addr_slave); 2008 f6_engine(sm_conn, setup->sm_mackey); 2009 } 2010 } 2011 2012 static void sm_sc_calculate_f6_to_verify_dhkey_check(sm_connection_t * sm_conn){ 2013 // validate E = f6() 2014 sm_key56_t bd_addr_master, bd_addr_slave; 2015 bd_addr_master[0] = setup->sm_m_addr_type; 2016 bd_addr_slave[0] = setup->sm_s_addr_type; 2017 (void)memcpy(&bd_addr_master[1], setup->sm_m_address, 6); 2018 (void)memcpy(&bd_addr_slave[1], setup->sm_s_address, 6); 2019 2020 uint8_t iocap_a[3]; 2021 iocap_a[0] = sm_pairing_packet_get_auth_req(setup->sm_m_preq); 2022 iocap_a[1] = sm_pairing_packet_get_oob_data_flag(setup->sm_m_preq); 2023 iocap_a[2] = sm_pairing_packet_get_io_capability(setup->sm_m_preq); 2024 uint8_t iocap_b[3]; 2025 iocap_b[0] = sm_pairing_packet_get_auth_req(setup->sm_s_pres); 2026 iocap_b[1] = sm_pairing_packet_get_oob_data_flag(setup->sm_s_pres); 2027 iocap_b[2] = sm_pairing_packet_get_io_capability(setup->sm_s_pres); 2028 if (IS_RESPONDER(sm_conn->sm_role)){ 2029 // responder 2030 f6_setup(setup->sm_peer_nonce, setup->sm_local_nonce, setup->sm_rb, iocap_a, bd_addr_master, bd_addr_slave); 2031 f6_engine(sm_conn, setup->sm_mackey); 2032 } else { 2033 // initiator 2034 f6_setup(setup->sm_peer_nonce, setup->sm_local_nonce, setup->sm_ra, iocap_b, bd_addr_slave, bd_addr_master); 2035 f6_engine(sm_conn, setup->sm_mackey); 2036 } 2037 } 2038 2039 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 2040 2041 // 2042 // Link Key Conversion Function h6 2043 // 2044 // h6(W, keyID) = AES-CMAC_W(keyID) 2045 // - W is 128 bits 2046 // - keyID is 32 bits 2047 static void h6_engine(sm_connection_t * sm_conn, const sm_key_t w, const uint32_t key_id){ 2048 const uint16_t message_len = 4; 2049 sm_cmac_connection = sm_conn; 2050 big_endian_store_32(sm_cmac_sc_buffer, 0, key_id); 2051 log_info("h6 key"); 2052 log_info_hexdump(w, 16); 2053 log_info("h6 message"); 2054 log_info_hexdump(sm_cmac_sc_buffer, message_len); 2055 sm_cmac_message_start(w, message_len, sm_cmac_sc_buffer, &sm_sc_cmac_done); 2056 } 2057 // 2058 // Link Key Conversion Function h7 2059 // 2060 // h7(SALT, W) = AES-CMAC_SALT(W) 2061 // - SALT is 128 bits 2062 // - W is 128 bits 2063 static void h7_engine(sm_connection_t * sm_conn, const sm_key_t salt, const sm_key_t w) { 2064 const uint16_t message_len = 16; 2065 sm_cmac_connection = sm_conn; 2066 log_info("h7 key"); 2067 log_info_hexdump(salt, 16); 2068 log_info("h7 message"); 2069 log_info_hexdump(w, 16); 2070 sm_cmac_message_start(salt, message_len, w, &sm_sc_cmac_done); 2071 } 2072 2073 // For SC, setup->sm_local_ltk holds full LTK (sm_ltk is already truncated) 2074 // Errata Service Release to the Bluetooth Specification: ESR09 2075 // E6405 – Cross transport key derivation from a key of size less than 128 bits 2076 // "Note: When the BR/EDR link key is being derived from the LTK, the derivation is done before the LTK gets masked." 2077 2078 static void h6_calculate_ilk_from_le_ltk(sm_connection_t * sm_conn){ 2079 h6_engine(sm_conn, setup->sm_local_ltk, 0x746D7031); // "tmp1" 2080 } 2081 2082 static void h6_calculate_ilk_from_br_edr(sm_connection_t * sm_conn){ 2083 h6_engine(sm_conn, setup->sm_link_key, 0x746D7032); // "tmp2" 2084 } 2085 2086 static void h6_calculate_br_edr_link_key(sm_connection_t * sm_conn){ 2087 h6_engine(sm_conn, setup->sm_t, 0x6c656272); // "lebr" 2088 } 2089 2090 static void h6_calculate_le_ltk(sm_connection_t * sm_conn){ 2091 h6_engine(sm_conn, setup->sm_t, 0x62726C65); // "brle" 2092 } 2093 2094 static void h7_calculate_ilk_from_le_ltk(sm_connection_t * sm_conn){ 2095 const uint8_t salt[16] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x74, 0x6D, 0x70, 0x31}; // "tmp1" 2096 h7_engine(sm_conn, salt, setup->sm_local_ltk); 2097 } 2098 2099 static void h7_calculate_ilk_from_br_edr(sm_connection_t * sm_conn){ 2100 const uint8_t salt[16] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x74, 0x6D, 0x70, 0x32}; // "tmp2" 2101 h7_engine(sm_conn, salt, setup->sm_link_key); 2102 } 2103 2104 static void sm_ctkd_fetch_br_edr_link_key(sm_connection_t * sm_conn){ 2105 hci_connection_t * hci_connection = hci_connection_for_handle(sm_conn->sm_handle); 2106 btstack_assert(hci_connection != NULL); 2107 reverse_128(hci_connection->link_key, setup->sm_link_key); 2108 setup->sm_link_key_type = hci_connection->link_key_type; 2109 } 2110 2111 static void sm_ctkd_start_from_br_edr(sm_connection_t * sm_conn){ 2112 // only derive LTK if EncKey is set by both 2113 bool derive_ltk = (sm_pairing_packet_get_initiator_key_distribution(setup->sm_s_pres) & 2114 sm_pairing_packet_get_responder_key_distribution(setup->sm_s_pres) & SM_KEYDIST_ENC_KEY) != 0; 2115 if (derive_ltk){ 2116 bool use_h7 = (sm_pairing_packet_get_auth_req(setup->sm_m_preq) & sm_pairing_packet_get_auth_req(setup->sm_s_pres) & SM_AUTHREQ_CT2) != 0; 2117 sm_conn->sm_engine_state = use_h7 ? SM_BR_EDR_W2_CALCULATE_ILK_USING_H7 : SM_BR_EDR_W2_CALCULATE_ILK_USING_H6; 2118 } else { 2119 sm_done_for_handle(sm_conn->sm_handle); 2120 } 2121 } 2122 2123 #endif 2124 2125 #endif 2126 2127 // key management legacy connections: 2128 // - potentially two different LTKs based on direction. each device stores LTK provided by peer 2129 // - master stores LTK, EDIV, RAND. responder optionally stored master LTK (only if it needs to reconnect) 2130 // - initiators reconnects: initiator uses stored LTK, EDIV, RAND generated by responder 2131 // - responder reconnects: responder uses LTK receveived from master 2132 2133 // key management secure connections: 2134 // - both devices store same LTK from ECDH key exchange. 2135 2136 #if defined(ENABLE_LE_SECURE_CONNECTIONS) || defined(ENABLE_LE_CENTRAL) 2137 static void sm_load_security_info(sm_connection_t * sm_connection){ 2138 int encryption_key_size; 2139 int authenticated; 2140 int authorized; 2141 int secure_connection; 2142 2143 // fetch data from device db - incl. authenticated/authorized/key size. Note all sm_connection_X require encryption enabled 2144 le_device_db_encryption_get(sm_connection->sm_le_db_index, &setup->sm_peer_ediv, setup->sm_peer_rand, setup->sm_peer_ltk, 2145 &encryption_key_size, &authenticated, &authorized, &secure_connection); 2146 log_info("db index %u, key size %u, authenticated %u, authorized %u, secure connetion %u", sm_connection->sm_le_db_index, encryption_key_size, authenticated, authorized, secure_connection); 2147 sm_connection->sm_actual_encryption_key_size = encryption_key_size; 2148 sm_connection->sm_connection_authenticated = authenticated; 2149 sm_connection->sm_connection_authorization_state = authorized ? AUTHORIZATION_GRANTED : AUTHORIZATION_UNKNOWN; 2150 sm_connection->sm_connection_sc = secure_connection != 0; 2151 } 2152 #endif 2153 2154 #ifdef ENABLE_LE_PERIPHERAL 2155 static void sm_start_calculating_ltk_from_ediv_and_rand(sm_connection_t * sm_connection){ 2156 (void)memcpy(setup->sm_local_rand, sm_connection->sm_local_rand, 8); 2157 setup->sm_local_ediv = sm_connection->sm_local_ediv; 2158 // re-establish used key encryption size 2159 // no db for encryption size hack: encryption size is stored in lowest nibble of setup->sm_local_rand 2160 sm_connection->sm_actual_encryption_key_size = (setup->sm_local_rand[7u] & 0x0fu) + 1u; 2161 // no db for authenticated flag hack: flag is stored in bit 4 of LSB 2162 sm_connection->sm_connection_authenticated = (setup->sm_local_rand[7u] & 0x10u) >> 4u; 2163 // Legacy paring -> not SC 2164 sm_connection->sm_connection_sc = false; 2165 log_info("sm: received ltk request with key size %u, authenticated %u", 2166 sm_connection->sm_actual_encryption_key_size, sm_connection->sm_connection_authenticated); 2167 } 2168 #endif 2169 2170 // distributed key generation 2171 static bool sm_run_dpkg(void){ 2172 switch (dkg_state){ 2173 case DKG_CALC_IRK: 2174 // already busy? 2175 if (sm_aes128_state == SM_AES128_IDLE) { 2176 log_info("DKG_CALC_IRK started"); 2177 // IRK = d1(IR, 1, 0) 2178 sm_d1_d_prime(1, 0, sm_aes128_plaintext); // plaintext = d1 prime 2179 sm_aes128_state = SM_AES128_ACTIVE; 2180 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, sm_persistent_ir, sm_aes128_plaintext, sm_persistent_irk, sm_handle_encryption_result_dkg_irk, NULL); 2181 return true; 2182 } 2183 break; 2184 case DKG_CALC_DHK: 2185 // already busy? 2186 if (sm_aes128_state == SM_AES128_IDLE) { 2187 log_info("DKG_CALC_DHK started"); 2188 // DHK = d1(IR, 3, 0) 2189 sm_d1_d_prime(3, 0, sm_aes128_plaintext); // plaintext = d1 prime 2190 sm_aes128_state = SM_AES128_ACTIVE; 2191 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, sm_persistent_ir, sm_aes128_plaintext, sm_persistent_dhk, sm_handle_encryption_result_dkg_dhk, NULL); 2192 return true; 2193 } 2194 break; 2195 default: 2196 break; 2197 } 2198 return false; 2199 } 2200 2201 // random address updates 2202 static bool sm_run_rau(void){ 2203 switch (rau_state){ 2204 case RAU_GET_RANDOM: 2205 rau_state = RAU_W4_RANDOM; 2206 btstack_crypto_random_generate(&sm_crypto_random_request, sm_random_address, 6, &sm_handle_random_result_rau, NULL); 2207 return true; 2208 case RAU_GET_ENC: 2209 // already busy? 2210 if (sm_aes128_state == SM_AES128_IDLE) { 2211 sm_ah_r_prime(sm_random_address, sm_aes128_plaintext); 2212 sm_aes128_state = SM_AES128_ACTIVE; 2213 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, sm_persistent_irk, sm_aes128_plaintext, sm_aes128_ciphertext, sm_handle_encryption_result_rau, NULL); 2214 return true; 2215 } 2216 break; 2217 default: 2218 break; 2219 } 2220 return false; 2221 } 2222 2223 // device lookup with IRK 2224 static bool sm_run_irk_lookup(void){ 2225 btstack_linked_list_iterator_t it; 2226 2227 // -- if IRK lookup ready, find connection that require csrk lookup 2228 if (sm_address_resolution_idle()){ 2229 hci_connections_get_iterator(&it); 2230 while(btstack_linked_list_iterator_has_next(&it)){ 2231 hci_connection_t * hci_connection = (hci_connection_t *) btstack_linked_list_iterator_next(&it); 2232 sm_connection_t * sm_connection = &hci_connection->sm_connection; 2233 if (sm_connection->sm_irk_lookup_state == IRK_LOOKUP_W4_READY){ 2234 // and start lookup 2235 sm_address_resolution_start_lookup(sm_connection->sm_peer_addr_type, sm_connection->sm_handle, sm_connection->sm_peer_address, ADDRESS_RESOLUTION_FOR_CONNECTION, sm_connection); 2236 sm_connection->sm_irk_lookup_state = IRK_LOOKUP_STARTED; 2237 break; 2238 } 2239 } 2240 } 2241 2242 // -- if csrk lookup ready, resolved addresses for received addresses 2243 if (sm_address_resolution_idle()) { 2244 if (!btstack_linked_list_empty(&sm_address_resolution_general_queue)){ 2245 sm_lookup_entry_t * entry = (sm_lookup_entry_t *) sm_address_resolution_general_queue; 2246 btstack_linked_list_remove(&sm_address_resolution_general_queue, (btstack_linked_item_t *) entry); 2247 sm_address_resolution_start_lookup(entry->address_type, 0, entry->address, ADDRESS_RESOLUTION_GENERAL, NULL); 2248 btstack_memory_sm_lookup_entry_free(entry); 2249 } 2250 } 2251 2252 // -- Continue with device lookup by public or resolvable private address 2253 if (!sm_address_resolution_idle()){ 2254 while (sm_address_resolution_test < le_device_db_max_count()){ 2255 int addr_type = BD_ADDR_TYPE_UNKNOWN; 2256 bd_addr_t addr; 2257 sm_key_t irk; 2258 le_device_db_info(sm_address_resolution_test, &addr_type, addr, irk); 2259 2260 // skip unused entries 2261 if (addr_type == BD_ADDR_TYPE_UNKNOWN){ 2262 sm_address_resolution_test++; 2263 continue; 2264 } 2265 2266 log_info("LE Device Lookup: device %u of %u - type %u, %s", sm_address_resolution_test, 2267 le_device_db_max_count(), addr_type, bd_addr_to_str(addr)); 2268 2269 // map resolved identity addresses to regular addresses 2270 int regular_addr_type = sm_address_resolution_addr_type & 1; 2271 if ((regular_addr_type == addr_type) && (memcmp(addr, sm_address_resolution_address, 6) == 0)){ 2272 log_info("LE Device Lookup: found by { addr_type, address} "); 2273 sm_address_resolution_handle_event(ADDRESS_RESOLUTION_SUCCEEDED); 2274 break; 2275 } 2276 2277 // if connection type is not random (i.e. public or resolved identity), it must be a different entry 2278 if (sm_address_resolution_addr_type != BD_ADDR_TYPE_LE_RANDOM){ 2279 sm_address_resolution_test++; 2280 continue; 2281 } 2282 2283 // skip AH if no IRK 2284 if (sm_is_null_key(irk)){ 2285 sm_address_resolution_test++; 2286 continue; 2287 } 2288 2289 if (sm_aes128_state == SM_AES128_ACTIVE) break; 2290 2291 log_info("LE Device Lookup: calculate AH"); 2292 log_info_key("IRK", irk); 2293 2294 (void)memcpy(sm_aes128_key, irk, 16); 2295 sm_ah_r_prime(sm_address_resolution_address, sm_aes128_plaintext); 2296 sm_aes128_state = SM_AES128_ACTIVE; 2297 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, sm_aes128_key, sm_aes128_plaintext, sm_aes128_ciphertext, sm_handle_encryption_result_address_resolution, NULL); 2298 return true; 2299 } 2300 2301 if (sm_address_resolution_test >= le_device_db_max_count()){ 2302 log_info("LE Device Lookup: not found"); 2303 sm_address_resolution_handle_event(ADDRESS_RESOLUTION_FAILED); 2304 } 2305 } 2306 return false; 2307 } 2308 2309 // SC OOB 2310 static bool sm_run_oob(void){ 2311 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2312 switch (sm_sc_oob_state){ 2313 case SM_SC_OOB_W2_CALC_CONFIRM: 2314 if (!sm_cmac_ready()) break; 2315 sm_sc_oob_state = SM_SC_OOB_W4_CONFIRM; 2316 f4_engine(NULL, ec_q, ec_q, sm_sc_oob_random, 0); 2317 return true; 2318 default: 2319 break; 2320 } 2321 #endif 2322 return false; 2323 } 2324 2325 static void sm_send_connectionless(sm_connection_t * sm_connection, const uint8_t * buffer, uint16_t size){ 2326 l2cap_send_connectionless(sm_connection->sm_handle, sm_connection->sm_cid, (uint8_t*) buffer, size); 2327 } 2328 2329 // handle basic actions that don't requires the full context 2330 static bool sm_run_basic(void){ 2331 btstack_linked_list_iterator_t it; 2332 hci_connections_get_iterator(&it); 2333 while(btstack_linked_list_iterator_has_next(&it)){ 2334 hci_connection_t * hci_connection = (hci_connection_t *) btstack_linked_list_iterator_next(&it); 2335 sm_connection_t * sm_connection = &hci_connection->sm_connection; 2336 switch(sm_connection->sm_engine_state){ 2337 2338 // general 2339 case SM_GENERAL_SEND_PAIRING_FAILED: { 2340 uint8_t buffer[2]; 2341 buffer[0] = SM_CODE_PAIRING_FAILED; 2342 buffer[1] = sm_connection->sm_pairing_failed_reason; 2343 sm_connection->sm_engine_state = sm_connection->sm_role ? SM_RESPONDER_IDLE : SM_INITIATOR_CONNECTED; 2344 sm_send_connectionless(sm_connection, (uint8_t*) buffer, sizeof(buffer)); 2345 sm_pairing_complete(sm_connection, ERROR_CODE_AUTHENTICATION_FAILURE, sm_connection->sm_pairing_failed_reason); 2346 sm_done_for_handle(sm_connection->sm_handle); 2347 break; 2348 } 2349 2350 // responder side 2351 case SM_RESPONDER_PH0_SEND_LTK_REQUESTED_NEGATIVE_REPLY: 2352 sm_connection->sm_engine_state = SM_RESPONDER_IDLE; 2353 hci_send_cmd(&hci_le_long_term_key_negative_reply, sm_connection->sm_handle); 2354 return true; 2355 2356 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2357 case SM_SC_RECEIVED_LTK_REQUEST: 2358 switch (sm_connection->sm_irk_lookup_state){ 2359 case IRK_LOOKUP_FAILED: 2360 log_info("LTK Request: IRK Lookup Failed)"); 2361 sm_connection->sm_engine_state = SM_RESPONDER_IDLE; 2362 hci_send_cmd(&hci_le_long_term_key_negative_reply, sm_connection->sm_handle); 2363 return true; 2364 default: 2365 break; 2366 } 2367 break; 2368 #endif 2369 default: 2370 break; 2371 } 2372 } 2373 return false; 2374 } 2375 2376 static void sm_run_activate_connection(void){ 2377 // Find connections that requires setup context and make active if no other is locked 2378 btstack_linked_list_iterator_t it; 2379 hci_connections_get_iterator(&it); 2380 while((sm_active_connection_handle == HCI_CON_HANDLE_INVALID) && btstack_linked_list_iterator_has_next(&it)){ 2381 hci_connection_t * hci_connection = (hci_connection_t *) btstack_linked_list_iterator_next(&it); 2382 sm_connection_t * sm_connection = &hci_connection->sm_connection; 2383 // - if no connection locked and we're ready/waiting for setup context, fetch it and start 2384 bool done = true; 2385 int err; 2386 UNUSED(err); 2387 2388 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2389 // assert ec key is ready 2390 if ( (sm_connection->sm_engine_state == SM_RESPONDER_PH1_PAIRING_REQUEST_RECEIVED) 2391 || (sm_connection->sm_engine_state == SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST) 2392 || (sm_connection->sm_engine_state == SM_RESPONDER_SEND_SECURITY_REQUEST)){ 2393 if (ec_key_generation_state == EC_KEY_GENERATION_IDLE){ 2394 sm_ec_generate_new_key(); 2395 } 2396 if (ec_key_generation_state != EC_KEY_GENERATION_DONE){ 2397 continue; 2398 } 2399 } 2400 #endif 2401 2402 switch (sm_connection->sm_engine_state) { 2403 #ifdef ENABLE_LE_PERIPHERAL 2404 case SM_RESPONDER_SEND_SECURITY_REQUEST: 2405 case SM_RESPONDER_PH1_PAIRING_REQUEST_RECEIVED: 2406 case SM_RESPONDER_PH0_RECEIVED_LTK_REQUEST: 2407 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2408 case SM_SC_RECEIVED_LTK_REQUEST: 2409 #endif 2410 #endif 2411 #ifdef ENABLE_LE_CENTRAL 2412 case SM_INITIATOR_PH4_HAS_LTK: 2413 case SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST: 2414 #endif 2415 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 2416 case SM_BR_EDR_RESPONDER_PAIRING_REQUEST_RECEIVED: 2417 case SM_BR_EDR_INITIATOR_SEND_PAIRING_REQUEST: 2418 #endif 2419 // just lock context 2420 break; 2421 default: 2422 done = false; 2423 break; 2424 } 2425 if (done){ 2426 sm_active_connection_handle = sm_connection->sm_handle; 2427 log_info("sm: connection 0x%04x locked setup context as %s, state %u", sm_active_connection_handle, sm_connection->sm_role ? "responder" : "initiator", sm_connection->sm_engine_state); 2428 } 2429 } 2430 } 2431 2432 static void sm_run_send_keypress_notification(sm_connection_t * connection){ 2433 int i; 2434 uint8_t flags = setup->sm_keypress_notification & 0x1fu; 2435 uint8_t num_actions = setup->sm_keypress_notification >> 5; 2436 uint8_t action = 0; 2437 for (i=SM_KEYPRESS_PASSKEY_ENTRY_STARTED;i<=SM_KEYPRESS_PASSKEY_ENTRY_COMPLETED;i++){ 2438 if ((flags & (1u<<i)) != 0u){ 2439 bool clear_flag = true; 2440 switch (i){ 2441 case SM_KEYPRESS_PASSKEY_ENTRY_STARTED: 2442 case SM_KEYPRESS_PASSKEY_CLEARED: 2443 case SM_KEYPRESS_PASSKEY_ENTRY_COMPLETED: 2444 default: 2445 break; 2446 case SM_KEYPRESS_PASSKEY_DIGIT_ENTERED: 2447 case SM_KEYPRESS_PASSKEY_DIGIT_ERASED: 2448 num_actions--; 2449 clear_flag = num_actions == 0u; 2450 break; 2451 } 2452 if (clear_flag){ 2453 flags &= ~(1<<i); 2454 } 2455 action = i; 2456 break; 2457 } 2458 } 2459 setup->sm_keypress_notification = (num_actions << 5) | flags; 2460 2461 // send keypress notification 2462 uint8_t buffer[2]; 2463 buffer[0] = SM_CODE_KEYPRESS_NOTIFICATION; 2464 buffer[1] = action; 2465 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 2466 2467 // try 2468 l2cap_request_can_send_fix_channel_now_event(sm_active_connection_handle, connection->sm_cid); 2469 } 2470 2471 static void sm_run_distribute_keys(sm_connection_t * connection){ 2472 if ((setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION) != 0u){ 2473 setup->sm_key_distribution_send_set &= ~SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION; 2474 setup->sm_key_distribution_sent_set |= SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION; 2475 uint8_t buffer[17]; 2476 buffer[0] = SM_CODE_ENCRYPTION_INFORMATION; 2477 reverse_128(setup->sm_ltk, &buffer[1]); 2478 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 2479 sm_timeout_reset(connection); 2480 return; 2481 } 2482 if ((setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_MASTER_IDENTIFICATION) != 0u){ 2483 setup->sm_key_distribution_send_set &= ~SM_KEYDIST_FLAG_MASTER_IDENTIFICATION; 2484 setup->sm_key_distribution_sent_set |= SM_KEYDIST_FLAG_MASTER_IDENTIFICATION; 2485 uint8_t buffer[11]; 2486 buffer[0] = SM_CODE_MASTER_IDENTIFICATION; 2487 little_endian_store_16(buffer, 1, setup->sm_local_ediv); 2488 reverse_64(setup->sm_local_rand, &buffer[3]); 2489 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 2490 sm_timeout_reset(connection); 2491 return; 2492 } 2493 if ((setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_IDENTITY_INFORMATION) != 0u){ 2494 setup->sm_key_distribution_send_set &= ~SM_KEYDIST_FLAG_IDENTITY_INFORMATION; 2495 setup->sm_key_distribution_sent_set |= SM_KEYDIST_FLAG_IDENTITY_INFORMATION; 2496 uint8_t buffer[17]; 2497 buffer[0] = SM_CODE_IDENTITY_INFORMATION; 2498 reverse_128(sm_persistent_irk, &buffer[1]); 2499 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 2500 sm_timeout_reset(connection); 2501 return; 2502 } 2503 if ((setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION) != 0u){ 2504 setup->sm_key_distribution_send_set &= ~SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION; 2505 setup->sm_key_distribution_sent_set |= SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION; 2506 bd_addr_t local_address; 2507 uint8_t buffer[8]; 2508 buffer[0] = SM_CODE_IDENTITY_ADDRESS_INFORMATION; 2509 switch (gap_random_address_get_mode()){ 2510 case GAP_RANDOM_ADDRESS_TYPE_OFF: 2511 case GAP_RANDOM_ADDRESS_TYPE_STATIC: 2512 // public or static random 2513 gap_le_get_own_address(&buffer[1], local_address); 2514 break; 2515 case GAP_RANDOM_ADDRESS_NON_RESOLVABLE: 2516 case GAP_RANDOM_ADDRESS_RESOLVABLE: 2517 // fallback to public 2518 gap_local_bd_addr(local_address); 2519 buffer[1] = 0; 2520 break; 2521 default: 2522 btstack_assert(false); 2523 break; 2524 } 2525 reverse_bd_addr(local_address, &buffer[2]); 2526 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 2527 sm_timeout_reset(connection); 2528 return; 2529 } 2530 if ((setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION) != 0u){ 2531 setup->sm_key_distribution_send_set &= ~SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION; 2532 setup->sm_key_distribution_sent_set |= SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION; 2533 2534 #ifdef ENABLE_LE_SIGNED_WRITE 2535 // hack to reproduce test runs 2536 if (test_use_fixed_local_csrk){ 2537 memset(setup->sm_local_csrk, 0xcc, 16); 2538 } 2539 2540 // store local CSRK 2541 if (setup->sm_le_device_index >= 0){ 2542 log_info("sm: store local CSRK"); 2543 le_device_db_local_csrk_set(setup->sm_le_device_index, setup->sm_local_csrk); 2544 le_device_db_local_counter_set(setup->sm_le_device_index, 0); 2545 } 2546 #endif 2547 2548 uint8_t buffer[17]; 2549 buffer[0] = SM_CODE_SIGNING_INFORMATION; 2550 reverse_128(setup->sm_local_csrk, &buffer[1]); 2551 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 2552 sm_timeout_reset(connection); 2553 return; 2554 } 2555 btstack_assert(false); 2556 } 2557 2558 static bool sm_ctkd_from_le(sm_connection_t *sm_connection) { 2559 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 2560 // requirements to derive link key from LE: 2561 // - use secure connections 2562 if (setup->sm_use_secure_connections == 0) return false; 2563 // - bonding needs to be enabled: 2564 bool bonding_enabled = (sm_pairing_packet_get_auth_req(setup->sm_m_preq) & sm_pairing_packet_get_auth_req(setup->sm_s_pres) & SM_AUTHREQ_BONDING ) != 0u; 2565 if (!bonding_enabled) return false; 2566 // - need identity address / public addr 2567 bool have_identity_address_info = ((setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION) != 0) || (setup->sm_peer_addr_type == 0); 2568 if (!have_identity_address_info) return false; 2569 // - there is no stored BR/EDR link key or the derived key has at least the same level of authentication (bail if stored key has higher authentication) 2570 // this requirement is motivated by BLURtooth paper. The paper recommends to not overwrite keys at all. 2571 // If SC is authenticated, we consider it safe to overwrite a stored key. 2572 // If stored link key is not authenticated, it could already be compromised by a MITM attack. Allowing overwrite by unauthenticated derived key does not make it worse. 2573 uint8_t link_key[16]; 2574 link_key_type_t link_key_type; 2575 bool have_link_key = gap_get_link_key_for_bd_addr(setup->sm_peer_address, link_key, &link_key_type); 2576 bool link_key_authenticated = gap_authenticated_for_link_key_type(link_key_type); 2577 bool derived_key_authenticated = sm_connection->sm_connection_authenticated != 0; 2578 if (have_link_key && link_key_authenticated && !derived_key_authenticated) { 2579 return false; 2580 } 2581 // get started (all of the above are true) 2582 return true; 2583 #else 2584 UNUSED(sm_connection); 2585 return false; 2586 #endif 2587 } 2588 2589 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 2590 static bool sm_ctkd_from_classic(sm_connection_t * sm_connection){ 2591 hci_connection_t * hci_connection = hci_connection_for_handle(sm_connection->sm_handle); 2592 btstack_assert(hci_connection != NULL); 2593 // requirements to derive ltk from BR/EDR: 2594 // - BR/EDR uses secure connections 2595 if (gap_secure_connection_for_link_key_type(hci_connection->link_key_type) == false) return false; 2596 // - bonding needs to be enabled: 2597 bool bonding_enabled = (sm_pairing_packet_get_auth_req(setup->sm_m_preq) & sm_pairing_packet_get_auth_req(setup->sm_s_pres) & SM_AUTHREQ_BONDING ) != 0u; 2598 if (!bonding_enabled) return false; 2599 // - there is no stored LTK or the derived key has at least the same level of authentication (bail if LTK is authenticated but Link Key isn't) 2600 bool link_key_authenticated = gap_authenticated_for_link_key_type(hci_connection->link_key_type); 2601 if (link_key_authenticated) return true; 2602 int index = sm_le_device_db_index_lookup(BD_ADDR_TYPE_LE_PUBLIC, hci_connection->address); 2603 if (index >= 0){ 2604 int ltk_authenticated; 2605 sm_key_t ltk; 2606 le_device_db_encryption_get(sm_connection->sm_le_db_index, NULL, NULL, ltk, NULL, <k_authenticated, NULL, NULL); 2607 bool have_ltk = !sm_is_null_key(ltk); 2608 if (have_ltk && ltk_authenticated) return false; 2609 } 2610 return true; 2611 } 2612 #endif 2613 2614 static void sm_key_distribution_complete_responder(sm_connection_t * connection){ 2615 if (sm_ctkd_from_le(connection)){ 2616 bool use_h7 = (sm_pairing_packet_get_auth_req(setup->sm_m_preq) & sm_pairing_packet_get_auth_req(setup->sm_s_pres) & SM_AUTHREQ_CT2) != 0; 2617 connection->sm_engine_state = use_h7 ? SM_SC_W2_CALCULATE_ILK_USING_H7 : SM_SC_W2_CALCULATE_ILK_USING_H6; 2618 } else { 2619 connection->sm_engine_state = SM_RESPONDER_IDLE; 2620 sm_pairing_complete(connection, ERROR_CODE_SUCCESS, 0); 2621 sm_done_for_handle(connection->sm_handle); 2622 } 2623 } 2624 2625 static void sm_key_distribution_complete_initiator(sm_connection_t * connection){ 2626 if (sm_ctkd_from_le(connection)){ 2627 bool use_h7 = (sm_pairing_packet_get_auth_req(setup->sm_m_preq) & sm_pairing_packet_get_auth_req(setup->sm_s_pres) & SM_AUTHREQ_CT2) != 0; 2628 connection->sm_engine_state = use_h7 ? SM_SC_W2_CALCULATE_ILK_USING_H7 : SM_SC_W2_CALCULATE_ILK_USING_H6; 2629 } else { 2630 sm_master_pairing_success(connection); 2631 } 2632 } 2633 2634 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2635 static void sm_run_state_sc_send_confirmation(sm_connection_t *connection) { 2636 uint8_t buffer[17]; 2637 buffer[0] = SM_CODE_PAIRING_CONFIRM; 2638 reverse_128(setup->sm_local_confirm, &buffer[1]); 2639 if (IS_RESPONDER(connection->sm_role)){ 2640 connection->sm_engine_state = SM_SC_W4_PAIRING_RANDOM; 2641 } else { 2642 connection->sm_engine_state = SM_SC_W4_CONFIRMATION; 2643 } 2644 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 2645 sm_timeout_reset(connection); 2646 } 2647 2648 static void sm_run_state_sc_send_pairing_random(sm_connection_t *connection) { 2649 uint8_t buffer[17]; 2650 buffer[0] = SM_CODE_PAIRING_RANDOM; 2651 reverse_128(setup->sm_local_nonce, &buffer[1]); 2652 log_info("stk method %u, bit num: %u", setup->sm_stk_generation_method, setup->sm_passkey_bit); 2653 if (sm_passkey_entry(setup->sm_stk_generation_method) && (setup->sm_passkey_bit < 20u)){ 2654 log_info("SM_SC_SEND_PAIRING_RANDOM A"); 2655 if (IS_RESPONDER(connection->sm_role)){ 2656 // responder 2657 connection->sm_engine_state = SM_SC_W4_CONFIRMATION; 2658 } else { 2659 // initiator 2660 connection->sm_engine_state = SM_SC_W4_PAIRING_RANDOM; 2661 } 2662 } else { 2663 log_info("SM_SC_SEND_PAIRING_RANDOM B"); 2664 if (IS_RESPONDER(connection->sm_role)){ 2665 // responder 2666 if (setup->sm_stk_generation_method == NUMERIC_COMPARISON){ 2667 log_info("SM_SC_SEND_PAIRING_RANDOM B1"); 2668 connection->sm_engine_state = SM_SC_W2_CALCULATE_G2; 2669 } else { 2670 log_info("SM_SC_SEND_PAIRING_RANDOM B2"); 2671 sm_sc_prepare_dhkey_check(connection); 2672 } 2673 } else { 2674 // initiator 2675 connection->sm_engine_state = SM_SC_W4_PAIRING_RANDOM; 2676 } 2677 } 2678 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 2679 sm_timeout_reset(connection); 2680 } 2681 2682 static void sm_run_state_sc_send_dhkey_check_command(sm_connection_t *connection) { 2683 uint8_t buffer[17]; 2684 buffer[0] = SM_CODE_PAIRING_DHKEY_CHECK; 2685 reverse_128(setup->sm_local_dhkey_check, &buffer[1]); 2686 2687 if (IS_RESPONDER(connection->sm_role)){ 2688 connection->sm_engine_state = SM_SC_W4_LTK_REQUEST_SC; 2689 } else { 2690 connection->sm_engine_state = SM_SC_W4_DHKEY_CHECK_COMMAND; 2691 } 2692 2693 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 2694 sm_timeout_reset(connection); 2695 } 2696 2697 static void sm_run_state_sc_send_public_key_command(sm_connection_t *connection) { 2698 bool trigger_user_response = false; 2699 bool trigger_start_calculating_local_confirm = false; 2700 uint8_t buffer[65]; 2701 buffer[0] = SM_CODE_PAIRING_PUBLIC_KEY; 2702 // 2703 reverse_256(&ec_q[0], &buffer[1]); 2704 reverse_256(&ec_q[32], &buffer[33]); 2705 2706 #ifdef ENABLE_TESTING_SUPPORT 2707 if (test_pairing_failure == SM_REASON_DHKEY_CHECK_FAILED){ 2708 log_info("testing_support: invalidating public key"); 2709 // flip single bit of public key coordinate 2710 buffer[1] ^= 1; 2711 } 2712 #endif 2713 2714 // stk generation method 2715 // passkey entry: notify app to show passkey or to request passkey 2716 switch (setup->sm_stk_generation_method){ 2717 case JUST_WORKS: 2718 case NUMERIC_COMPARISON: 2719 if (IS_RESPONDER(connection->sm_role)){ 2720 // responder 2721 trigger_start_calculating_local_confirm = true; 2722 connection->sm_engine_state = SM_SC_W4_LOCAL_NONCE; 2723 } else { 2724 // initiator 2725 connection->sm_engine_state = SM_SC_W4_PUBLIC_KEY_COMMAND; 2726 } 2727 break; 2728 case PK_INIT_INPUT: 2729 case PK_RESP_INPUT: 2730 case PK_BOTH_INPUT: 2731 // use random TK for display 2732 (void)memcpy(setup->sm_ra, setup->sm_tk, 16); 2733 (void)memcpy(setup->sm_rb, setup->sm_tk, 16); 2734 setup->sm_passkey_bit = 0; 2735 2736 if (IS_RESPONDER(connection->sm_role)){ 2737 // responder 2738 connection->sm_engine_state = SM_SC_W4_CONFIRMATION; 2739 } else { 2740 // initiator 2741 connection->sm_engine_state = SM_SC_W4_PUBLIC_KEY_COMMAND; 2742 } 2743 trigger_user_response = true; 2744 break; 2745 case OOB: 2746 if (IS_RESPONDER(connection->sm_role)){ 2747 // responder 2748 connection->sm_engine_state = SM_SC_W4_PAIRING_RANDOM; 2749 } else { 2750 // initiator 2751 connection->sm_engine_state = SM_SC_W4_PUBLIC_KEY_COMMAND; 2752 } 2753 break; 2754 default: 2755 btstack_assert(false); 2756 break; 2757 } 2758 2759 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 2760 sm_timeout_reset(connection); 2761 2762 // trigger user response and calc confirm after sending pdu 2763 if (trigger_user_response){ 2764 sm_trigger_user_response(connection); 2765 } 2766 if (trigger_start_calculating_local_confirm){ 2767 sm_sc_start_calculating_local_confirm(connection); 2768 } 2769 } 2770 #endif 2771 2772 static bool sm_run_non_connection_logic(void){ 2773 bool done;; 2774 2775 done = sm_run_dpkg(); 2776 if (done) return true; 2777 2778 done = sm_run_rau(); 2779 if (done) return true; 2780 2781 done = sm_run_irk_lookup(); 2782 if (done) return true; 2783 2784 done = sm_run_oob(); 2785 return done; 2786 } 2787 2788 static void sm_run(void){ 2789 2790 // assert that stack has already bootet 2791 if (hci_get_state() != HCI_STATE_WORKING) return; 2792 2793 // assert that we can send at least commands 2794 if (!hci_can_send_command_packet_now()) return; 2795 2796 // pause until IR/ER are ready 2797 if (sm_persistent_keys_random_active) return; 2798 2799 // non-connection related behaviour 2800 bool done = sm_run_non_connection_logic(); 2801 if (done) return; 2802 2803 // assert that we can send at least commands - cmd might have been sent by crypto engine 2804 if (!hci_can_send_command_packet_now()) return; 2805 2806 // handle basic actions that don't requires the full context 2807 done = sm_run_basic(); 2808 if (done) return; 2809 2810 // 2811 // active connection handling 2812 // -- use loop to handle next connection if lock on setup context is released 2813 2814 while (true) { 2815 2816 sm_run_activate_connection(); 2817 2818 if (sm_active_connection_handle == HCI_CON_HANDLE_INVALID) return; 2819 2820 // 2821 // active connection handling 2822 // 2823 2824 sm_connection_t * connection = sm_get_connection_for_handle(sm_active_connection_handle); 2825 if (!connection) { 2826 log_info("no connection for handle 0x%04x", sm_active_connection_handle); 2827 return; 2828 } 2829 2830 // assert that we could send a SM PDU - not needed for all of the following 2831 if (!l2cap_can_send_fixed_channel_packet_now(sm_active_connection_handle, connection->sm_cid)) { 2832 log_info("cannot send now, requesting can send now event"); 2833 l2cap_request_can_send_fix_channel_now_event(sm_active_connection_handle, connection->sm_cid); 2834 return; 2835 } 2836 2837 // send keypress notifications 2838 if (setup->sm_keypress_notification != 0u){ 2839 sm_run_send_keypress_notification(connection); 2840 return; 2841 } 2842 2843 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2844 // assert that sm cmac engine is ready 2845 if (sm_cmac_ready() == false){ 2846 break; 2847 } 2848 #endif 2849 2850 int key_distribution_flags; 2851 UNUSED(key_distribution_flags); 2852 #ifdef ENABLE_LE_PERIPHERAL 2853 int err; 2854 bool have_ltk; 2855 uint8_t ltk[16]; 2856 #endif 2857 2858 log_info("sm_run: state %u", connection->sm_engine_state); 2859 switch (connection->sm_engine_state){ 2860 2861 // secure connections, initiator + responding states 2862 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2863 case SM_SC_W2_CMAC_FOR_CONFIRMATION: 2864 connection->sm_engine_state = SM_SC_W4_CMAC_FOR_CONFIRMATION; 2865 sm_sc_calculate_local_confirm(connection); 2866 break; 2867 case SM_SC_W2_CMAC_FOR_CHECK_CONFIRMATION: 2868 connection->sm_engine_state = SM_SC_W4_CMAC_FOR_CHECK_CONFIRMATION; 2869 sm_sc_calculate_remote_confirm(connection); 2870 break; 2871 case SM_SC_W2_CALCULATE_F6_FOR_DHKEY_CHECK: 2872 connection->sm_engine_state = SM_SC_W4_CALCULATE_F6_FOR_DHKEY_CHECK; 2873 sm_sc_calculate_f6_for_dhkey_check(connection); 2874 break; 2875 case SM_SC_W2_CALCULATE_F6_TO_VERIFY_DHKEY_CHECK: 2876 connection->sm_engine_state = SM_SC_W4_CALCULATE_F6_TO_VERIFY_DHKEY_CHECK; 2877 sm_sc_calculate_f6_to_verify_dhkey_check(connection); 2878 break; 2879 case SM_SC_W2_CALCULATE_F5_SALT: 2880 connection->sm_engine_state = SM_SC_W4_CALCULATE_F5_SALT; 2881 f5_calculate_salt(connection); 2882 break; 2883 case SM_SC_W2_CALCULATE_F5_MACKEY: 2884 connection->sm_engine_state = SM_SC_W4_CALCULATE_F5_MACKEY; 2885 f5_calculate_mackey(connection); 2886 break; 2887 case SM_SC_W2_CALCULATE_F5_LTK: 2888 connection->sm_engine_state = SM_SC_W4_CALCULATE_F5_LTK; 2889 f5_calculate_ltk(connection); 2890 break; 2891 case SM_SC_W2_CALCULATE_G2: 2892 connection->sm_engine_state = SM_SC_W4_CALCULATE_G2; 2893 g2_calculate(connection); 2894 break; 2895 #endif 2896 2897 #ifdef ENABLE_LE_CENTRAL 2898 // initiator side 2899 2900 case SM_INITIATOR_PH4_HAS_LTK: { 2901 sm_reset_setup(); 2902 sm_load_security_info(connection); 2903 2904 // cache key before using 2905 sm_cache_ltk(connection, setup->sm_peer_ltk); 2906 2907 sm_key_t peer_ltk_flipped; 2908 reverse_128(setup->sm_peer_ltk, peer_ltk_flipped); 2909 connection->sm_engine_state = SM_PH4_W4_CONNECTION_ENCRYPTED; 2910 log_info("sm: hci_le_start_encryption ediv 0x%04x", setup->sm_peer_ediv); 2911 uint32_t rand_high = big_endian_read_32(setup->sm_peer_rand, 0); 2912 uint32_t rand_low = big_endian_read_32(setup->sm_peer_rand, 4); 2913 hci_send_cmd(&hci_le_start_encryption, connection->sm_handle,rand_low, rand_high, setup->sm_peer_ediv, peer_ltk_flipped); 2914 2915 // notify after sending 2916 sm_reencryption_started(connection); 2917 return; 2918 } 2919 2920 case SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST: 2921 sm_reset_setup(); 2922 sm_init_setup(connection); 2923 2924 sm_pairing_packet_set_code(setup->sm_m_preq, SM_CODE_PAIRING_REQUEST); 2925 connection->sm_engine_state = SM_INITIATOR_PH1_W4_PAIRING_RESPONSE; 2926 sm_send_connectionless(connection, (uint8_t*) &setup->sm_m_preq, sizeof(sm_pairing_packet_t)); 2927 sm_timeout_reset(connection); 2928 2929 // notify after sending 2930 sm_pairing_started(connection); 2931 break; 2932 #endif 2933 2934 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2935 case SM_SC_SEND_PUBLIC_KEY_COMMAND: 2936 sm_run_state_sc_send_public_key_command(connection); 2937 break; 2938 case SM_SC_SEND_CONFIRMATION: 2939 sm_run_state_sc_send_confirmation(connection); 2940 break; 2941 case SM_SC_SEND_PAIRING_RANDOM: 2942 sm_run_state_sc_send_pairing_random(connection); 2943 break; 2944 case SM_SC_SEND_DHKEY_CHECK_COMMAND: 2945 sm_run_state_sc_send_dhkey_check_command(connection); 2946 break; 2947 #endif 2948 2949 #ifdef ENABLE_LE_PERIPHERAL 2950 2951 case SM_RESPONDER_SEND_SECURITY_REQUEST: { 2952 const uint8_t buffer[2] = {SM_CODE_SECURITY_REQUEST, sm_auth_req}; 2953 connection->sm_engine_state = SM_RESPONDER_PH1_W4_PAIRING_REQUEST; 2954 sm_send_connectionless(connection, (uint8_t *) buffer, sizeof(buffer)); 2955 sm_timeout_start(connection); 2956 break; 2957 } 2958 2959 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2960 case SM_SC_RECEIVED_LTK_REQUEST: 2961 switch (connection->sm_irk_lookup_state){ 2962 case IRK_LOOKUP_SUCCEEDED: 2963 // assuming Secure Connection, we have a stored LTK and the EDIV/RAND are null 2964 // start using context by loading security info 2965 sm_reset_setup(); 2966 sm_load_security_info(connection); 2967 if ((setup->sm_peer_ediv == 0u) && sm_is_null_random(setup->sm_peer_rand) && !sm_is_null_key(setup->sm_peer_ltk)){ 2968 (void)memcpy(setup->sm_ltk, setup->sm_peer_ltk, 16); 2969 connection->sm_engine_state = SM_RESPONDER_PH4_SEND_LTK_REPLY; 2970 sm_reencryption_started(connection); 2971 sm_trigger_run(); 2972 break; 2973 } 2974 log_info("LTK Request: ediv & random are empty, but no stored LTK (IRK Lookup Succeeded)"); 2975 connection->sm_engine_state = SM_RESPONDER_IDLE; 2976 hci_send_cmd(&hci_le_long_term_key_negative_reply, connection->sm_handle); 2977 return; 2978 default: 2979 // just wait until IRK lookup is completed 2980 break; 2981 } 2982 break; 2983 #endif /* ENABLE_LE_SECURE_CONNECTIONS */ 2984 2985 case SM_RESPONDER_PH1_PAIRING_REQUEST_RECEIVED: 2986 sm_reset_setup(); 2987 2988 // handle Pairing Request with LTK available 2989 switch (connection->sm_irk_lookup_state) { 2990 case IRK_LOOKUP_SUCCEEDED: 2991 le_device_db_encryption_get(connection->sm_le_db_index, NULL, NULL, ltk, NULL, NULL, NULL, NULL); 2992 have_ltk = !sm_is_null_key(ltk); 2993 if (have_ltk){ 2994 log_info("pairing request but LTK available"); 2995 // emit re-encryption start/fail sequence 2996 sm_reencryption_started(connection); 2997 sm_reencryption_complete(connection, ERROR_CODE_PIN_OR_KEY_MISSING); 2998 } 2999 break; 3000 default: 3001 break; 3002 } 3003 3004 sm_init_setup(connection); 3005 3006 // recover pairing request 3007 (void)memcpy(&setup->sm_m_preq, &connection->sm_m_preq, sizeof(sm_pairing_packet_t)); 3008 err = sm_stk_generation_init(connection); 3009 3010 #ifdef ENABLE_TESTING_SUPPORT 3011 if ((0 < test_pairing_failure) && (test_pairing_failure < SM_REASON_DHKEY_CHECK_FAILED)){ 3012 log_info("testing_support: respond with pairing failure %u", test_pairing_failure); 3013 err = test_pairing_failure; 3014 } 3015 #endif 3016 if (err != 0){ 3017 // emit pairing started/failed sequence 3018 sm_pairing_started(connection); 3019 sm_pairing_error(connection, err); 3020 sm_trigger_run(); 3021 break; 3022 } 3023 3024 sm_timeout_start(connection); 3025 3026 // generate random number first, if we need to show passkey, otherwise send response 3027 if (setup->sm_stk_generation_method == PK_INIT_INPUT){ 3028 btstack_crypto_random_generate(&sm_crypto_random_request, sm_random_data, 8, &sm_handle_random_result_ph2_tk, (void *)(uintptr_t) connection->sm_handle); 3029 break; 3030 } 3031 3032 /* fall through */ 3033 3034 case SM_RESPONDER_PH1_SEND_PAIRING_RESPONSE: 3035 sm_pairing_packet_set_code(setup->sm_s_pres,SM_CODE_PAIRING_RESPONSE); 3036 3037 // start with initiator key dist flags 3038 key_distribution_flags = sm_key_distribution_flags_for_auth_req(); 3039 3040 #ifdef ENABLE_LE_SECURE_CONNECTIONS 3041 // LTK (= encryption information & master identification) only exchanged for LE Legacy Connection 3042 if (setup->sm_use_secure_connections){ 3043 key_distribution_flags &= ~SM_KEYDIST_ENC_KEY; 3044 } 3045 #endif 3046 // setup in response 3047 sm_pairing_packet_set_initiator_key_distribution(setup->sm_s_pres, sm_pairing_packet_get_initiator_key_distribution(setup->sm_m_preq) & key_distribution_flags); 3048 sm_pairing_packet_set_responder_key_distribution(setup->sm_s_pres, sm_pairing_packet_get_responder_key_distribution(setup->sm_m_preq) & key_distribution_flags); 3049 3050 // update key distribution after ENC was dropped 3051 sm_setup_key_distribution(sm_pairing_packet_get_responder_key_distribution(setup->sm_s_pres), sm_pairing_packet_get_initiator_key_distribution(setup->sm_s_pres)); 3052 3053 if (setup->sm_use_secure_connections){ 3054 connection->sm_engine_state = SM_SC_W4_PUBLIC_KEY_COMMAND; 3055 } else { 3056 connection->sm_engine_state = SM_RESPONDER_PH1_W4_PAIRING_CONFIRM; 3057 } 3058 3059 sm_send_connectionless(connection, (uint8_t*) &setup->sm_s_pres, sizeof(sm_pairing_packet_t)); 3060 sm_timeout_reset(connection); 3061 3062 // notify after sending 3063 sm_pairing_started(connection); 3064 3065 // SC Numeric Comparison will trigger user response after public keys & nonces have been exchanged 3066 if (!setup->sm_use_secure_connections || (setup->sm_stk_generation_method == JUST_WORKS)){ 3067 sm_trigger_user_response(connection); 3068 } 3069 return; 3070 #endif 3071 3072 case SM_PH2_SEND_PAIRING_RANDOM: { 3073 uint8_t buffer[17]; 3074 buffer[0] = SM_CODE_PAIRING_RANDOM; 3075 reverse_128(setup->sm_local_random, &buffer[1]); 3076 if (IS_RESPONDER(connection->sm_role)){ 3077 connection->sm_engine_state = SM_RESPONDER_PH2_W4_LTK_REQUEST; 3078 } else { 3079 connection->sm_engine_state = SM_INITIATOR_PH2_W4_PAIRING_RANDOM; 3080 } 3081 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 3082 sm_timeout_reset(connection); 3083 break; 3084 } 3085 3086 case SM_PH2_C1_GET_ENC_A: 3087 // already busy? 3088 if (sm_aes128_state == SM_AES128_ACTIVE) break; 3089 // calculate confirm using aes128 engine - step 1 3090 sm_c1_t1(setup->sm_local_random, (uint8_t*) &setup->sm_m_preq, (uint8_t*) &setup->sm_s_pres, setup->sm_m_addr_type, setup->sm_s_addr_type, sm_aes128_plaintext); 3091 connection->sm_engine_state = SM_PH2_C1_W4_ENC_A; 3092 sm_aes128_state = SM_AES128_ACTIVE; 3093 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, setup->sm_tk, sm_aes128_plaintext, sm_aes128_ciphertext, sm_handle_encryption_result_enc_a, (void *)(uintptr_t) connection->sm_handle); 3094 break; 3095 3096 case SM_PH2_C1_GET_ENC_C: 3097 // already busy? 3098 if (sm_aes128_state == SM_AES128_ACTIVE) break; 3099 // calculate m_confirm using aes128 engine - step 1 3100 sm_c1_t1(setup->sm_peer_random, (uint8_t*) &setup->sm_m_preq, (uint8_t*) &setup->sm_s_pres, setup->sm_m_addr_type, setup->sm_s_addr_type, sm_aes128_plaintext); 3101 connection->sm_engine_state = SM_PH2_C1_W4_ENC_C; 3102 sm_aes128_state = SM_AES128_ACTIVE; 3103 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, setup->sm_tk, sm_aes128_plaintext, sm_aes128_ciphertext, sm_handle_encryption_result_enc_c, (void *)(uintptr_t) connection->sm_handle); 3104 break; 3105 3106 case SM_PH2_CALC_STK: 3107 // already busy? 3108 if (sm_aes128_state == SM_AES128_ACTIVE) break; 3109 // calculate STK 3110 if (IS_RESPONDER(connection->sm_role)){ 3111 sm_s1_r_prime(setup->sm_local_random, setup->sm_peer_random, sm_aes128_plaintext); 3112 } else { 3113 sm_s1_r_prime(setup->sm_peer_random, setup->sm_local_random, sm_aes128_plaintext); 3114 } 3115 connection->sm_engine_state = SM_PH2_W4_STK; 3116 sm_aes128_state = SM_AES128_ACTIVE; 3117 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, setup->sm_tk, sm_aes128_plaintext, setup->sm_ltk, sm_handle_encryption_result_enc_stk, (void *)(uintptr_t) connection->sm_handle); 3118 break; 3119 3120 case SM_PH3_Y_GET_ENC: 3121 // already busy? 3122 if (sm_aes128_state == SM_AES128_ACTIVE) break; 3123 // PH3B2 - calculate Y from - enc 3124 3125 // dm helper (was sm_dm_r_prime) 3126 // r' = padding || r 3127 // r - 64 bit value 3128 memset(&sm_aes128_plaintext[0], 0, 8); 3129 (void)memcpy(&sm_aes128_plaintext[8], setup->sm_local_rand, 8); 3130 3131 // Y = dm(DHK, Rand) 3132 connection->sm_engine_state = SM_PH3_Y_W4_ENC; 3133 sm_aes128_state = SM_AES128_ACTIVE; 3134 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, sm_persistent_dhk, sm_aes128_plaintext, sm_aes128_ciphertext, sm_handle_encryption_result_enc_ph3_y, (void *)(uintptr_t) connection->sm_handle); 3135 break; 3136 3137 case SM_PH2_C1_SEND_PAIRING_CONFIRM: { 3138 uint8_t buffer[17]; 3139 buffer[0] = SM_CODE_PAIRING_CONFIRM; 3140 reverse_128(setup->sm_local_confirm, &buffer[1]); 3141 if (IS_RESPONDER(connection->sm_role)){ 3142 connection->sm_engine_state = SM_RESPONDER_PH2_W4_PAIRING_RANDOM; 3143 } else { 3144 connection->sm_engine_state = SM_INITIATOR_PH2_W4_PAIRING_CONFIRM; 3145 } 3146 sm_send_connectionless(connection, (uint8_t*) buffer, sizeof(buffer)); 3147 sm_timeout_reset(connection); 3148 return; 3149 } 3150 #ifdef ENABLE_LE_PERIPHERAL 3151 case SM_RESPONDER_PH2_SEND_LTK_REPLY: { 3152 // cache key before using 3153 sm_cache_ltk(connection, setup->sm_ltk); 3154 sm_key_t stk_flipped; 3155 reverse_128(setup->sm_ltk, stk_flipped); 3156 connection->sm_engine_state = SM_PH2_W4_CONNECTION_ENCRYPTED; 3157 hci_send_cmd(&hci_le_long_term_key_request_reply, connection->sm_handle, stk_flipped); 3158 return; 3159 } 3160 case SM_RESPONDER_PH4_SEND_LTK_REPLY: { 3161 // allow to override LTK 3162 if (sm_get_ltk_callback != NULL){ 3163 (void)(*sm_get_ltk_callback)(connection->sm_handle, connection->sm_peer_addr_type, connection->sm_peer_address, setup->sm_ltk); 3164 } 3165 // cache key before using 3166 sm_cache_ltk(connection, setup->sm_ltk); 3167 sm_key_t ltk_flipped; 3168 reverse_128(setup->sm_ltk, ltk_flipped); 3169 connection->sm_engine_state = SM_PH4_W4_CONNECTION_ENCRYPTED; 3170 hci_send_cmd(&hci_le_long_term_key_request_reply, connection->sm_handle, ltk_flipped); 3171 return; 3172 } 3173 3174 case SM_RESPONDER_PH0_RECEIVED_LTK_REQUEST: 3175 // already busy? 3176 if (sm_aes128_state == SM_AES128_ACTIVE) break; 3177 log_info("LTK Request: recalculating with ediv 0x%04x", setup->sm_local_ediv); 3178 3179 sm_reset_setup(); 3180 sm_start_calculating_ltk_from_ediv_and_rand(connection); 3181 3182 sm_reencryption_started(connection); 3183 3184 // dm helper (was sm_dm_r_prime) 3185 // r' = padding || r 3186 // r - 64 bit value 3187 memset(&sm_aes128_plaintext[0], 0, 8); 3188 (void)memcpy(&sm_aes128_plaintext[8], setup->sm_local_rand, 8); 3189 3190 // Y = dm(DHK, Rand) 3191 connection->sm_engine_state = SM_RESPONDER_PH4_Y_W4_ENC; 3192 sm_aes128_state = SM_AES128_ACTIVE; 3193 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, sm_persistent_dhk, sm_aes128_plaintext, sm_aes128_ciphertext, sm_handle_encryption_result_enc_ph4_y, (void *)(uintptr_t) connection->sm_handle); 3194 return; 3195 #endif 3196 #ifdef ENABLE_LE_CENTRAL 3197 case SM_INITIATOR_PH3_SEND_START_ENCRYPTION: { 3198 // cache key before using 3199 sm_cache_ltk(connection, setup->sm_ltk); 3200 3201 sm_key_t stk_flipped; 3202 reverse_128(setup->sm_ltk, stk_flipped); 3203 connection->sm_engine_state = SM_PH2_W4_CONNECTION_ENCRYPTED; 3204 hci_send_cmd(&hci_le_start_encryption, connection->sm_handle, 0, 0, 0, stk_flipped); 3205 return; 3206 } 3207 #endif 3208 3209 case SM_PH3_DISTRIBUTE_KEYS: 3210 // send next key 3211 if (setup->sm_key_distribution_send_set != 0){ 3212 sm_run_distribute_keys(connection); 3213 } 3214 3215 // more to send? 3216 if (setup->sm_key_distribution_send_set != 0){ 3217 return; 3218 } 3219 3220 // keys are sent 3221 if (IS_RESPONDER(connection->sm_role)){ 3222 // slave -> receive master keys if any 3223 if (sm_key_distribution_all_received()){ 3224 sm_key_distribution_handle_all_received(connection); 3225 sm_key_distribution_complete_responder(connection); 3226 // start CTKD right away 3227 continue; 3228 } else { 3229 connection->sm_engine_state = SM_PH3_RECEIVE_KEYS; 3230 } 3231 } else { 3232 sm_master_pairing_success(connection); 3233 } 3234 break; 3235 3236 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 3237 case SM_BR_EDR_INITIATOR_SEND_PAIRING_REQUEST: 3238 // fill in sm setup (lite version of sm_init_setup) 3239 sm_reset_setup(); 3240 setup->sm_peer_addr_type = connection->sm_peer_addr_type; 3241 setup->sm_m_addr_type = connection->sm_peer_addr_type; 3242 setup->sm_s_addr_type = connection->sm_own_addr_type; 3243 (void) memcpy(setup->sm_peer_address, connection->sm_peer_address, 6); 3244 (void) memcpy(setup->sm_m_address, connection->sm_peer_address, 6); 3245 (void) memcpy(setup->sm_s_address, connection->sm_own_address, 6); 3246 setup->sm_use_secure_connections = true; 3247 sm_ctkd_fetch_br_edr_link_key(connection); 3248 3249 // Enc Key and IRK if requested 3250 key_distribution_flags = SM_KEYDIST_ID_KEY | SM_KEYDIST_ENC_KEY; 3251 #ifdef ENABLE_LE_SIGNED_WRITE 3252 // Plus signing key if supported 3253 key_distribution_flags |= SM_KEYDIST_ID_KEY; 3254 #endif 3255 sm_pairing_packet_set_code(setup->sm_m_preq, SM_CODE_PAIRING_REQUEST); 3256 sm_pairing_packet_set_io_capability(setup->sm_m_preq, 0); 3257 sm_pairing_packet_set_oob_data_flag(setup->sm_m_preq, 0); 3258 sm_pairing_packet_set_auth_req(setup->sm_m_preq, SM_AUTHREQ_CT2); 3259 sm_pairing_packet_set_max_encryption_key_size(setup->sm_m_preq, sm_max_encryption_key_size); 3260 sm_pairing_packet_set_initiator_key_distribution(setup->sm_m_preq, key_distribution_flags); 3261 sm_pairing_packet_set_responder_key_distribution(setup->sm_m_preq, key_distribution_flags); 3262 3263 // set state and send pairing response 3264 sm_timeout_start(connection); 3265 connection->sm_engine_state = SM_BR_EDR_INITIATOR_W4_PAIRING_RESPONSE; 3266 sm_send_connectionless(connection, (uint8_t *) &setup->sm_m_preq, sizeof(sm_pairing_packet_t)); 3267 break; 3268 3269 case SM_BR_EDR_RESPONDER_PAIRING_REQUEST_RECEIVED: 3270 // fill in sm setup (lite version of sm_init_setup) 3271 sm_reset_setup(); 3272 setup->sm_peer_addr_type = connection->sm_peer_addr_type; 3273 setup->sm_m_addr_type = connection->sm_peer_addr_type; 3274 setup->sm_s_addr_type = connection->sm_own_addr_type; 3275 (void) memcpy(setup->sm_peer_address, connection->sm_peer_address, 6); 3276 (void) memcpy(setup->sm_m_address, connection->sm_peer_address, 6); 3277 (void) memcpy(setup->sm_s_address, connection->sm_own_address, 6); 3278 setup->sm_use_secure_connections = true; 3279 sm_ctkd_fetch_br_edr_link_key(connection); 3280 (void) memcpy(&setup->sm_m_preq, &connection->sm_m_preq, sizeof(sm_pairing_packet_t)); 3281 3282 // Enc Key and IRK if requested 3283 key_distribution_flags = SM_KEYDIST_ID_KEY | SM_KEYDIST_ENC_KEY; 3284 #ifdef ENABLE_LE_SIGNED_WRITE 3285 // Plus signing key if supported 3286 key_distribution_flags |= SM_KEYDIST_ID_KEY; 3287 #endif 3288 // drop flags not requested by initiator 3289 key_distribution_flags &= sm_pairing_packet_get_initiator_key_distribution(connection->sm_m_preq); 3290 3291 // If Secure Connections pairing has been initiated over BR/EDR, the following fields of the SM Pairing Request PDU are reserved for future use: 3292 // - the IO Capability field, 3293 // - the OOB data flag field, and 3294 // - all bits in the Auth Req field except the CT2 bit. 3295 sm_pairing_packet_set_code(setup->sm_s_pres, SM_CODE_PAIRING_RESPONSE); 3296 sm_pairing_packet_set_io_capability(setup->sm_s_pres, 0); 3297 sm_pairing_packet_set_oob_data_flag(setup->sm_s_pres, 0); 3298 sm_pairing_packet_set_auth_req(setup->sm_s_pres, SM_AUTHREQ_CT2); 3299 sm_pairing_packet_set_max_encryption_key_size(setup->sm_s_pres, connection->sm_actual_encryption_key_size); 3300 sm_pairing_packet_set_initiator_key_distribution(setup->sm_s_pres, key_distribution_flags); 3301 sm_pairing_packet_set_responder_key_distribution(setup->sm_s_pres, key_distribution_flags); 3302 3303 // configure key distribution, LTK is derived locally 3304 key_distribution_flags &= ~SM_KEYDIST_ENC_KEY; 3305 sm_setup_key_distribution(key_distribution_flags, key_distribution_flags); 3306 3307 // set state and send pairing response 3308 sm_timeout_start(connection); 3309 connection->sm_engine_state = SM_BR_EDR_DISTRIBUTE_KEYS; 3310 sm_send_connectionless(connection, (uint8_t *) &setup->sm_s_pres, sizeof(sm_pairing_packet_t)); 3311 break; 3312 case SM_BR_EDR_DISTRIBUTE_KEYS: 3313 if (setup->sm_key_distribution_send_set != 0) { 3314 sm_run_distribute_keys(connection); 3315 return; 3316 } 3317 // keys are sent 3318 if (IS_RESPONDER(connection->sm_role)) { 3319 // responder -> receive master keys if there are any 3320 if (!sm_key_distribution_all_received()){ 3321 connection->sm_engine_state = SM_BR_EDR_RECEIVE_KEYS; 3322 break; 3323 } 3324 } 3325 // otherwise start CTKD right away (responder and no keys to receive / initiator) 3326 sm_ctkd_start_from_br_edr(connection); 3327 continue; 3328 case SM_SC_W2_CALCULATE_ILK_USING_H6: 3329 connection->sm_engine_state = SM_SC_W4_CALCULATE_ILK; 3330 h6_calculate_ilk_from_le_ltk(connection); 3331 break; 3332 case SM_SC_W2_CALCULATE_BR_EDR_LINK_KEY: 3333 connection->sm_engine_state = SM_SC_W4_CALCULATE_BR_EDR_LINK_KEY; 3334 h6_calculate_br_edr_link_key(connection); 3335 break; 3336 case SM_SC_W2_CALCULATE_ILK_USING_H7: 3337 connection->sm_engine_state = SM_SC_W4_CALCULATE_ILK; 3338 h7_calculate_ilk_from_le_ltk(connection); 3339 break; 3340 case SM_BR_EDR_W2_CALCULATE_ILK_USING_H6: 3341 connection->sm_engine_state = SM_BR_EDR_W4_CALCULATE_ILK; 3342 h6_calculate_ilk_from_br_edr(connection); 3343 break; 3344 case SM_BR_EDR_W2_CALCULATE_LE_LTK: 3345 connection->sm_engine_state = SM_BR_EDR_W4_CALCULATE_LE_LTK; 3346 h6_calculate_le_ltk(connection); 3347 break; 3348 case SM_BR_EDR_W2_CALCULATE_ILK_USING_H7: 3349 connection->sm_engine_state = SM_BR_EDR_W4_CALCULATE_ILK; 3350 h7_calculate_ilk_from_br_edr(connection); 3351 break; 3352 #endif 3353 3354 default: 3355 break; 3356 } 3357 3358 // check again if active connection was released 3359 if (sm_active_connection_handle != HCI_CON_HANDLE_INVALID) break; 3360 } 3361 } 3362 3363 // sm_aes128_state stays active 3364 static void sm_handle_encryption_result_enc_a(void *arg){ 3365 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3366 sm_aes128_state = SM_AES128_IDLE; 3367 3368 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3369 if (connection == NULL) return; 3370 3371 sm_c1_t3(sm_aes128_ciphertext, setup->sm_m_address, setup->sm_s_address, setup->sm_c1_t3_value); 3372 sm_aes128_state = SM_AES128_ACTIVE; 3373 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, setup->sm_tk, setup->sm_c1_t3_value, setup->sm_local_confirm, sm_handle_encryption_result_enc_b, (void *)(uintptr_t) connection->sm_handle); 3374 } 3375 3376 static void sm_handle_encryption_result_enc_b(void *arg){ 3377 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3378 sm_aes128_state = SM_AES128_IDLE; 3379 3380 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3381 if (connection == NULL) return; 3382 3383 log_info_key("c1!", setup->sm_local_confirm); 3384 connection->sm_engine_state = SM_PH2_C1_SEND_PAIRING_CONFIRM; 3385 sm_trigger_run(); 3386 } 3387 3388 // sm_aes128_state stays active 3389 static void sm_handle_encryption_result_enc_c(void *arg){ 3390 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3391 sm_aes128_state = SM_AES128_IDLE; 3392 3393 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3394 if (connection == NULL) return; 3395 3396 sm_c1_t3(sm_aes128_ciphertext, setup->sm_m_address, setup->sm_s_address, setup->sm_c1_t3_value); 3397 sm_aes128_state = SM_AES128_ACTIVE; 3398 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, setup->sm_tk, setup->sm_c1_t3_value, sm_aes128_ciphertext, sm_handle_encryption_result_enc_d, (void *)(uintptr_t) connection->sm_handle); 3399 } 3400 3401 static void sm_handle_encryption_result_enc_d(void * arg){ 3402 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3403 sm_aes128_state = SM_AES128_IDLE; 3404 3405 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3406 if (connection == NULL) return; 3407 3408 log_info_key("c1!", sm_aes128_ciphertext); 3409 if (memcmp(setup->sm_peer_confirm, sm_aes128_ciphertext, 16) != 0){ 3410 sm_pairing_error(connection, SM_REASON_CONFIRM_VALUE_FAILED); 3411 sm_trigger_run(); 3412 return; 3413 } 3414 if (IS_RESPONDER(connection->sm_role)){ 3415 connection->sm_engine_state = SM_PH2_SEND_PAIRING_RANDOM; 3416 sm_trigger_run(); 3417 } else { 3418 sm_s1_r_prime(setup->sm_peer_random, setup->sm_local_random, sm_aes128_plaintext); 3419 sm_aes128_state = SM_AES128_ACTIVE; 3420 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, setup->sm_tk, sm_aes128_plaintext, setup->sm_ltk, sm_handle_encryption_result_enc_stk, (void *)(uintptr_t) connection->sm_handle); 3421 } 3422 } 3423 3424 static void sm_handle_encryption_result_enc_stk(void *arg){ 3425 sm_aes128_state = SM_AES128_IDLE; 3426 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3427 3428 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3429 if (connection == NULL) return; 3430 3431 sm_truncate_key(setup->sm_ltk, connection->sm_actual_encryption_key_size); 3432 log_info_key("stk", setup->sm_ltk); 3433 if (IS_RESPONDER(connection->sm_role)){ 3434 connection->sm_engine_state = SM_RESPONDER_PH2_SEND_LTK_REPLY; 3435 } else { 3436 connection->sm_engine_state = SM_INITIATOR_PH3_SEND_START_ENCRYPTION; 3437 } 3438 sm_trigger_run(); 3439 } 3440 3441 // sm_aes128_state stays active 3442 static void sm_handle_encryption_result_enc_ph3_y(void *arg){ 3443 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3444 sm_aes128_state = SM_AES128_IDLE; 3445 3446 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3447 if (connection == NULL) return; 3448 3449 setup->sm_local_y = big_endian_read_16(sm_aes128_ciphertext, 14); 3450 log_info_hex16("y", setup->sm_local_y); 3451 // PH3B3 - calculate EDIV 3452 setup->sm_local_ediv = setup->sm_local_y ^ setup->sm_local_div; 3453 log_info_hex16("ediv", setup->sm_local_ediv); 3454 // PH3B4 - calculate LTK - enc 3455 // LTK = d1(ER, DIV, 0)) 3456 sm_d1_d_prime(setup->sm_local_div, 0, sm_aes128_plaintext); 3457 sm_aes128_state = SM_AES128_ACTIVE; 3458 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, sm_persistent_er, sm_aes128_plaintext, setup->sm_ltk, sm_handle_encryption_result_enc_ph3_ltk, (void *)(uintptr_t) connection->sm_handle); 3459 } 3460 3461 #ifdef ENABLE_LE_PERIPHERAL 3462 // sm_aes128_state stays active 3463 static void sm_handle_encryption_result_enc_ph4_y(void *arg){ 3464 sm_aes128_state = SM_AES128_IDLE; 3465 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3466 3467 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3468 if (connection == NULL) return; 3469 3470 setup->sm_local_y = big_endian_read_16(sm_aes128_ciphertext, 14); 3471 log_info_hex16("y", setup->sm_local_y); 3472 3473 // PH3B3 - calculate DIV 3474 setup->sm_local_div = setup->sm_local_y ^ setup->sm_local_ediv; 3475 log_info_hex16("ediv", setup->sm_local_ediv); 3476 // PH3B4 - calculate LTK - enc 3477 // LTK = d1(ER, DIV, 0)) 3478 sm_d1_d_prime(setup->sm_local_div, 0, sm_aes128_plaintext); 3479 sm_aes128_state = SM_AES128_ACTIVE; 3480 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, sm_persistent_er, sm_aes128_plaintext, setup->sm_ltk, sm_handle_encryption_result_enc_ph4_ltk, (void *)(uintptr_t) connection->sm_handle); 3481 } 3482 #endif 3483 3484 // sm_aes128_state stays active 3485 static void sm_handle_encryption_result_enc_ph3_ltk(void *arg){ 3486 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3487 sm_aes128_state = SM_AES128_IDLE; 3488 3489 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3490 if (connection == NULL) return; 3491 3492 log_info_key("ltk", setup->sm_ltk); 3493 // calc CSRK next 3494 sm_d1_d_prime(setup->sm_local_div, 1, sm_aes128_plaintext); 3495 sm_aes128_state = SM_AES128_ACTIVE; 3496 btstack_crypto_aes128_encrypt(&sm_crypto_aes128_request, sm_persistent_er, sm_aes128_plaintext, setup->sm_local_csrk, sm_handle_encryption_result_enc_csrk, (void *)(uintptr_t) connection->sm_handle); 3497 } 3498 3499 static void sm_handle_encryption_result_enc_csrk(void *arg){ 3500 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3501 sm_aes128_state = SM_AES128_IDLE; 3502 3503 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3504 if (connection == NULL) return; 3505 3506 sm_aes128_state = SM_AES128_IDLE; 3507 log_info_key("csrk", setup->sm_local_csrk); 3508 if (setup->sm_key_distribution_send_set != 0u){ 3509 connection->sm_engine_state = SM_PH3_DISTRIBUTE_KEYS; 3510 } else { 3511 // no keys to send, just continue 3512 if (IS_RESPONDER(connection->sm_role)){ 3513 if (sm_key_distribution_all_received()){ 3514 sm_key_distribution_handle_all_received(connection); 3515 sm_key_distribution_complete_responder(connection); 3516 } else { 3517 // slave -> receive master keys 3518 connection->sm_engine_state = SM_PH3_RECEIVE_KEYS; 3519 } 3520 } else { 3521 sm_key_distribution_complete_initiator(connection); 3522 } 3523 } 3524 sm_trigger_run(); 3525 } 3526 3527 #ifdef ENABLE_LE_PERIPHERAL 3528 static void sm_handle_encryption_result_enc_ph4_ltk(void *arg){ 3529 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3530 sm_aes128_state = SM_AES128_IDLE; 3531 3532 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3533 if (connection == NULL) return; 3534 3535 sm_truncate_key(setup->sm_ltk, connection->sm_actual_encryption_key_size); 3536 log_info_key("ltk", setup->sm_ltk); 3537 connection->sm_engine_state = SM_RESPONDER_PH4_SEND_LTK_REPLY; 3538 sm_trigger_run(); 3539 } 3540 #endif 3541 3542 static void sm_handle_encryption_result_address_resolution(void *arg){ 3543 UNUSED(arg); 3544 sm_aes128_state = SM_AES128_IDLE; 3545 3546 // compare calulated address against connecting device 3547 uint8_t * hash = &sm_aes128_ciphertext[13]; 3548 if (memcmp(&sm_address_resolution_address[3], hash, 3) == 0){ 3549 log_info("LE Device Lookup: matched resolvable private address"); 3550 sm_address_resolution_handle_event(ADDRESS_RESOLUTION_SUCCEEDED); 3551 sm_trigger_run(); 3552 return; 3553 } 3554 // no match, try next 3555 sm_address_resolution_test++; 3556 sm_trigger_run(); 3557 } 3558 3559 static void sm_handle_encryption_result_dkg_irk(void *arg){ 3560 UNUSED(arg); 3561 sm_aes128_state = SM_AES128_IDLE; 3562 3563 log_info_key("irk", sm_persistent_irk); 3564 dkg_state = DKG_CALC_DHK; 3565 sm_trigger_run(); 3566 } 3567 3568 static void sm_handle_encryption_result_dkg_dhk(void *arg){ 3569 UNUSED(arg); 3570 sm_aes128_state = SM_AES128_IDLE; 3571 3572 log_info_key("dhk", sm_persistent_dhk); 3573 dkg_state = DKG_READY; 3574 sm_trigger_run(); 3575 } 3576 3577 static void sm_handle_encryption_result_rau(void *arg){ 3578 UNUSED(arg); 3579 sm_aes128_state = SM_AES128_IDLE; 3580 3581 (void)memcpy(&sm_random_address[3], &sm_aes128_ciphertext[13], 3); 3582 rau_state = RAU_IDLE; 3583 hci_le_random_address_set(sm_random_address); 3584 3585 sm_trigger_run(); 3586 } 3587 3588 static void sm_handle_random_result_rau(void * arg){ 3589 UNUSED(arg); 3590 // non-resolvable vs. resolvable 3591 switch (gap_random_adress_type){ 3592 case GAP_RANDOM_ADDRESS_RESOLVABLE: 3593 // resolvable: use random as prand and calc address hash 3594 // "The two most significant bits of prand shall be equal to ‘0’ and ‘1" 3595 sm_random_address[0u] &= 0x3fu; 3596 sm_random_address[0u] |= 0x40u; 3597 rau_state = RAU_GET_ENC; 3598 break; 3599 case GAP_RANDOM_ADDRESS_NON_RESOLVABLE: 3600 default: 3601 // "The two most significant bits of the address shall be equal to ‘0’"" 3602 sm_random_address[0u] &= 0x3fu; 3603 rau_state = RAU_IDLE; 3604 hci_le_random_address_set(sm_random_address); 3605 break; 3606 } 3607 sm_trigger_run(); 3608 } 3609 3610 #ifdef ENABLE_LE_SECURE_CONNECTIONS 3611 static void sm_handle_random_result_sc_next_send_pairing_random(void * arg){ 3612 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3613 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3614 if (connection == NULL) return; 3615 3616 connection->sm_engine_state = SM_SC_SEND_PAIRING_RANDOM; 3617 sm_trigger_run(); 3618 } 3619 3620 static void sm_handle_random_result_sc_next_w2_cmac_for_confirmation(void * arg){ 3621 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3622 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3623 if (connection == NULL) return; 3624 3625 connection->sm_engine_state = SM_SC_W2_CMAC_FOR_CONFIRMATION; 3626 sm_trigger_run(); 3627 } 3628 #endif 3629 3630 static void sm_handle_random_result_ph2_random(void * arg){ 3631 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3632 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3633 if (connection == NULL) return; 3634 3635 connection->sm_engine_state = SM_PH2_C1_GET_ENC_A; 3636 sm_trigger_run(); 3637 } 3638 3639 static void sm_handle_random_result_ph2_tk(void * arg){ 3640 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3641 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3642 if (connection == NULL) return; 3643 3644 sm_reset_tk(); 3645 uint32_t tk; 3646 if (sm_fixed_passkey_in_display_role == 0xffffffffU){ 3647 // map random to 0-999999 without speding much cycles on a modulus operation 3648 tk = little_endian_read_32(sm_random_data,0); 3649 tk = tk & 0xfffff; // 1048575 3650 if (tk >= 999999u){ 3651 tk = tk - 999999u; 3652 } 3653 } else { 3654 // override with pre-defined passkey 3655 tk = sm_fixed_passkey_in_display_role; 3656 } 3657 big_endian_store_32(setup->sm_tk, 12, tk); 3658 if (IS_RESPONDER(connection->sm_role)){ 3659 connection->sm_engine_state = SM_RESPONDER_PH1_SEND_PAIRING_RESPONSE; 3660 } else { 3661 if (setup->sm_use_secure_connections){ 3662 connection->sm_engine_state = SM_SC_SEND_PUBLIC_KEY_COMMAND; 3663 } else { 3664 connection->sm_engine_state = SM_PH1_W4_USER_RESPONSE; 3665 sm_trigger_user_response(connection); 3666 // response_idle == nothing <--> sm_trigger_user_response() did not require response 3667 if (setup->sm_user_response == SM_USER_RESPONSE_IDLE){ 3668 btstack_crypto_random_generate(&sm_crypto_random_request, setup->sm_local_random, 16, &sm_handle_random_result_ph2_random, (void *)(uintptr_t) connection->sm_handle); 3669 } 3670 } 3671 } 3672 sm_trigger_run(); 3673 } 3674 3675 static void sm_handle_random_result_ph3_div(void * arg){ 3676 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3677 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3678 if (connection == NULL) return; 3679 3680 // use 16 bit from random value as div 3681 setup->sm_local_div = big_endian_read_16(sm_random_data, 0); 3682 log_info_hex16("div", setup->sm_local_div); 3683 connection->sm_engine_state = SM_PH3_Y_GET_ENC; 3684 sm_trigger_run(); 3685 } 3686 3687 static void sm_handle_random_result_ph3_random(void * arg){ 3688 hci_con_handle_t con_handle = (hci_con_handle_t) (uintptr_t) arg; 3689 sm_connection_t * connection = sm_get_connection_for_handle(con_handle); 3690 if (connection == NULL) return; 3691 3692 reverse_64(sm_random_data, setup->sm_local_rand); 3693 // no db for encryption size hack: encryption size is stored in lowest nibble of setup->sm_local_rand 3694 setup->sm_local_rand[7u] = (setup->sm_local_rand[7u] & 0xf0u) + (connection->sm_actual_encryption_key_size - 1u); 3695 // no db for authenticated flag hack: store flag in bit 4 of LSB 3696 setup->sm_local_rand[7u] = (setup->sm_local_rand[7u] & 0xefu) + (connection->sm_connection_authenticated << 4u); 3697 btstack_crypto_random_generate(&sm_crypto_random_request, sm_random_data, 2, &sm_handle_random_result_ph3_div, (void *)(uintptr_t) connection->sm_handle); 3698 } 3699 static void sm_validate_er_ir(void){ 3700 // warn about default ER/IR 3701 bool warning = false; 3702 if (sm_ir_is_default()){ 3703 warning = true; 3704 log_error("Persistent IR not set with sm_set_ir. Use of private addresses will cause pairing issues"); 3705 } 3706 if (sm_er_is_default()){ 3707 warning = true; 3708 log_error("Persistent ER not set with sm_set_er. Legacy Pairing LTK is not secure"); 3709 } 3710 if (warning) { 3711 log_error("Please configure btstack_tlv to let BTstack setup ER and IR keys"); 3712 } 3713 } 3714 3715 static void sm_handle_random_result_ir(void *arg){ 3716 sm_persistent_keys_random_active = false; 3717 if (arg != NULL){ 3718 // key generated, store in tlv 3719 int status = sm_tlv_impl->store_tag(sm_tlv_context, BTSTACK_TAG32('S','M','I','R'), sm_persistent_ir, 16u); 3720 log_info("Generated IR key. Store in TLV status: %d", status); 3721 UNUSED(status); 3722 } 3723 log_info_key("IR", sm_persistent_ir); 3724 dkg_state = DKG_CALC_IRK; 3725 3726 if (test_use_fixed_local_irk){ 3727 log_info_key("IRK", sm_persistent_irk); 3728 dkg_state = DKG_CALC_DHK; 3729 } 3730 3731 sm_trigger_run(); 3732 } 3733 3734 static void sm_handle_random_result_er(void *arg){ 3735 sm_persistent_keys_random_active = false; 3736 if (arg != 0){ 3737 // key generated, store in tlv 3738 int status = sm_tlv_impl->store_tag(sm_tlv_context, BTSTACK_TAG32('S','M','E','R'), sm_persistent_er, 16u); 3739 log_info("Generated ER key. Store in TLV status: %d", status); 3740 UNUSED(status); 3741 } 3742 log_info_key("ER", sm_persistent_er); 3743 3744 // try load ir 3745 int key_size = sm_tlv_impl->get_tag(sm_tlv_context, BTSTACK_TAG32('S','M','I','R'), sm_persistent_ir, 16u); 3746 if (key_size == 16){ 3747 // ok, let's continue 3748 log_info("IR from TLV"); 3749 sm_handle_random_result_ir( NULL ); 3750 } else { 3751 // invalid, generate new random one 3752 sm_persistent_keys_random_active = true; 3753 btstack_crypto_random_generate(&sm_crypto_random_request, sm_persistent_ir, 16, &sm_handle_random_result_ir, &sm_persistent_ir); 3754 } 3755 } 3756 3757 static void sm_connection_init(sm_connection_t * sm_conn, hci_con_handle_t con_handle, uint8_t role, uint8_t peer_addr_type, bd_addr_t peer_address){ 3758 3759 // connection info 3760 sm_conn->sm_handle = con_handle; 3761 sm_conn->sm_role = role; 3762 sm_conn->sm_peer_addr_type = peer_addr_type; 3763 memcpy(sm_conn->sm_peer_address, peer_address, 6); 3764 3765 // security properties 3766 sm_conn->sm_connection_encrypted = 0; 3767 sm_conn->sm_connection_authenticated = 0; 3768 sm_conn->sm_connection_authorization_state = AUTHORIZATION_UNKNOWN; 3769 sm_conn->sm_le_db_index = -1; 3770 sm_conn->sm_reencryption_active = false; 3771 3772 // prepare CSRK lookup (does not involve setup) 3773 sm_conn->sm_irk_lookup_state = IRK_LOOKUP_W4_READY; 3774 3775 sm_conn->sm_engine_state = SM_GENERAL_IDLE; 3776 } 3777 3778 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 3779 static void sm_event_handle_classic_encryption_event(sm_connection_t * sm_conn, hci_con_handle_t con_handle){ 3780 // CTKD requires BR/EDR Secure Connection 3781 if (sm_conn->sm_connection_encrypted != 2) return; 3782 // prepare for pairing request 3783 if (IS_RESPONDER(sm_conn->sm_role)){ 3784 sm_conn->sm_engine_state = SM_BR_EDR_RESPONDER_W4_PAIRING_REQUEST; 3785 } else if (sm_conn->sm_pairing_requested){ 3786 // check if remote supports fixed channels 3787 bool defer = true; 3788 const hci_connection_t * hci_connection = hci_connection_for_handle(con_handle); 3789 if (hci_connection->l2cap_state.information_state == L2CAP_INFORMATION_STATE_DONE){ 3790 // check if remote supports SMP over BR/EDR 3791 if ((hci_connection->l2cap_state.fixed_channels_supported & (1 << L2CAP_CID_BR_EDR_SECURITY_MANAGER)) != 0){ 3792 log_info("CTKD: SM_BR_EDR_INITIATOR_SEND_PAIRING_REQUEST"); 3793 sm_conn->sm_engine_state = SM_BR_EDR_INITIATOR_SEND_PAIRING_REQUEST; 3794 } else { 3795 defer = false; 3796 } 3797 } else { 3798 // wait for fixed channel info 3799 log_info("CTKD: SM_BR_EDR_INITIATOR_W4_FIXED_CHANNEL_MASK"); 3800 sm_conn->sm_engine_state = SM_BR_EDR_INITIATOR_W4_FIXED_CHANNEL_MASK; 3801 } 3802 if (defer){ 3803 hci_dedicated_bonding_defer_disconnect(con_handle, true); 3804 } 3805 } 3806 } 3807 #endif 3808 3809 static void sm_event_packet_handler (uint8_t packet_type, uint16_t channel, uint8_t *packet, uint16_t size){ 3810 3811 UNUSED(channel); // ok: there is no channel 3812 UNUSED(size); // ok: fixed format HCI events 3813 3814 sm_connection_t * sm_conn; 3815 hci_con_handle_t con_handle; 3816 uint8_t status; 3817 bd_addr_t addr; 3818 bd_addr_type_t addr_type; 3819 3820 switch (packet_type) { 3821 3822 case HCI_EVENT_PACKET: 3823 switch (hci_event_packet_get_type(packet)) { 3824 3825 case BTSTACK_EVENT_STATE: 3826 switch (btstack_event_state_get_state(packet)){ 3827 case HCI_STATE_WORKING: 3828 log_info("HCI Working!"); 3829 // setup IR/ER with TLV 3830 btstack_tlv_get_instance(&sm_tlv_impl, &sm_tlv_context); 3831 if (sm_tlv_impl != NULL){ 3832 int key_size = sm_tlv_impl->get_tag(sm_tlv_context, BTSTACK_TAG32('S','M','E','R'), sm_persistent_er, 16u); 3833 if (key_size == 16){ 3834 // ok, let's continue 3835 log_info("ER from TLV"); 3836 sm_handle_random_result_er( NULL ); 3837 } else { 3838 // invalid, generate random one 3839 sm_persistent_keys_random_active = true; 3840 btstack_crypto_random_generate(&sm_crypto_random_request, sm_persistent_er, 16, &sm_handle_random_result_er, &sm_persistent_er); 3841 } 3842 } else { 3843 sm_validate_er_ir(); 3844 dkg_state = DKG_CALC_IRK; 3845 3846 if (test_use_fixed_local_irk){ 3847 log_info_key("IRK", sm_persistent_irk); 3848 dkg_state = DKG_CALC_DHK; 3849 } 3850 } 3851 3852 #ifdef ENABLE_LE_SECURE_CONNECTIONS 3853 // trigger ECC key generation 3854 if (ec_key_generation_state == EC_KEY_GENERATION_IDLE){ 3855 sm_ec_generate_new_key(); 3856 } 3857 #endif 3858 3859 // restart random address updates after power cycle 3860 if (gap_random_adress_type == GAP_RANDOM_ADDRESS_TYPE_STATIC){ 3861 gap_random_address_set(sm_random_address); 3862 } else { 3863 gap_random_address_set_mode(gap_random_adress_type); 3864 } 3865 break; 3866 3867 case HCI_STATE_OFF: 3868 case HCI_STATE_HALTING: 3869 log_info("SM: reset state"); 3870 // stop random address update 3871 gap_random_address_update_stop(); 3872 // reset state 3873 sm_state_reset(); 3874 break; 3875 3876 default: 3877 break; 3878 } 3879 break; 3880 3881 #ifdef ENABLE_CLASSIC 3882 case HCI_EVENT_CONNECTION_COMPLETE: 3883 // ignore if connection failed 3884 if (hci_event_connection_complete_get_status(packet)) return; 3885 3886 con_handle = hci_event_connection_complete_get_connection_handle(packet); 3887 sm_conn = sm_get_connection_for_handle(con_handle); 3888 if (!sm_conn) break; 3889 3890 hci_event_connection_complete_get_bd_addr(packet, addr); 3891 sm_connection_init(sm_conn, 3892 con_handle, 3893 (uint8_t) gap_get_role(con_handle), 3894 BD_ADDR_TYPE_LE_PUBLIC, 3895 addr); 3896 // classic connection corresponds to public le address 3897 sm_conn->sm_own_addr_type = BD_ADDR_TYPE_LE_PUBLIC; 3898 gap_local_bd_addr(sm_conn->sm_own_address); 3899 sm_conn->sm_cid = L2CAP_CID_BR_EDR_SECURITY_MANAGER; 3900 sm_conn->sm_engine_state = SM_BR_EDR_W4_ENCRYPTION_COMPLETE; 3901 break; 3902 #endif 3903 3904 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 3905 case HCI_EVENT_SIMPLE_PAIRING_COMPLETE: 3906 if (hci_event_simple_pairing_complete_get_status(packet) != ERROR_CODE_SUCCESS) break; 3907 hci_event_simple_pairing_complete_get_bd_addr(packet, addr); 3908 sm_conn = sm_get_connection_for_bd_addr_and_type(addr, BD_ADDR_TYPE_ACL); 3909 if (sm_conn == NULL) break; 3910 sm_conn->sm_pairing_requested = true; 3911 break; 3912 #endif 3913 3914 case HCI_EVENT_META_GAP: 3915 switch (hci_event_gap_meta_get_subevent_code(packet)) { 3916 case GAP_SUBEVENT_LE_CONNECTION_COMPLETE: 3917 // ignore if connection failed 3918 if (gap_subevent_le_connection_complete_get_status(packet) != ERROR_CODE_SUCCESS) break; 3919 3920 con_handle = gap_subevent_le_connection_complete_get_connection_handle(packet); 3921 sm_conn = sm_get_connection_for_handle(con_handle); 3922 if (!sm_conn) break; 3923 3924 // Get current peer address 3925 addr_type = gap_subevent_le_connection_complete_get_peer_address_type(packet); 3926 if (hci_is_le_identity_address_type(addr_type)){ 3927 addr_type = BD_ADDR_TYPE_LE_RANDOM; 3928 gap_subevent_le_connection_complete_get_peer_resolvable_private_address(packet, addr); 3929 } else { 3930 gap_subevent_le_connection_complete_get_peer_address(packet, addr); 3931 } 3932 sm_connection_init(sm_conn, 3933 con_handle, 3934 gap_subevent_le_connection_complete_get_role(packet), 3935 addr_type, 3936 addr); 3937 sm_conn->sm_cid = L2CAP_CID_SECURITY_MANAGER_PROTOCOL; 3938 3939 // track our addr used for this connection and set state 3940 #ifdef ENABLE_LE_PERIPHERAL 3941 if (gap_subevent_le_connection_complete_get_role(packet) != 0){ 3942 // responder - use own address from advertisements 3943 #ifdef ENABLE_LE_EXTENDED_ADVERTISING 3944 if (hci_le_extended_advertising_supported()){ 3945 // cache local resolvable address 3946 // note: will be overwritten if random or private address was used in adv set by HCI_SUBEVENT_LE_ADVERTISING_SET_TERMINATED 3947 sm_conn->sm_own_addr_type = BD_ADDR_TYPE_LE_RANDOM; 3948 gap_subevent_le_connection_complete_get_local_resolvable_private_address(packet,sm_conn->sm_own_address); 3949 } else 3950 #endif 3951 { 3952 gap_le_get_own_advertisements_address(&sm_conn->sm_own_addr_type, sm_conn->sm_own_address); 3953 } 3954 sm_conn->sm_engine_state = SM_RESPONDER_IDLE; 3955 } 3956 #endif 3957 #ifdef ENABLE_LE_CENTRAL 3958 if (gap_subevent_le_connection_complete_get_role(packet) == 0){ 3959 // initiator - use own address from create connection 3960 gap_le_get_own_connection_address(&sm_conn->sm_own_addr_type, sm_conn->sm_own_address); 3961 sm_conn->sm_engine_state = SM_INITIATOR_CONNECTED; 3962 } 3963 #endif 3964 break; 3965 default: 3966 break; 3967 } 3968 break; 3969 case HCI_EVENT_LE_META: 3970 switch (hci_event_le_meta_get_subevent_code(packet)) { 3971 #ifdef ENABLE_LE_PERIPHERAL 3972 #ifdef ENABLE_LE_EXTENDED_ADVERTISING 3973 case HCI_SUBEVENT_LE_ADVERTISING_SET_TERMINATED: 3974 if (hci_subevent_le_advertising_set_terminated_get_status(packet) == ERROR_CODE_SUCCESS){ 3975 uint8_t advertising_handle = hci_subevent_le_advertising_set_terminated_get_advertising_handle(packet); 3976 con_handle = hci_subevent_le_advertising_set_terminated_get_connection_handle(packet); 3977 sm_conn = sm_get_connection_for_handle(con_handle); 3978 gap_le_get_own_advertising_set_address(&sm_conn->sm_own_addr_type, sm_conn->sm_own_address, advertising_handle); 3979 log_info("Adv set %u terminated -> use addr type %u, addr %s for con handle 0x%04x", advertising_handle, sm_conn->sm_own_addr_type, 3980 bd_addr_to_str(sm_conn->sm_own_address), con_handle); 3981 } 3982 break; 3983 #endif 3984 #endif 3985 case HCI_SUBEVENT_LE_LONG_TERM_KEY_REQUEST: 3986 con_handle = hci_subevent_le_long_term_key_request_get_connection_handle(packet); 3987 sm_conn = sm_get_connection_for_handle(con_handle); 3988 if (!sm_conn) break; 3989 3990 log_info("LTK Request: state %u", sm_conn->sm_engine_state); 3991 if (sm_conn->sm_engine_state == SM_RESPONDER_PH2_W4_LTK_REQUEST){ 3992 sm_conn->sm_engine_state = SM_PH2_CALC_STK; 3993 break; 3994 } 3995 if (sm_conn->sm_engine_state == SM_SC_W4_LTK_REQUEST_SC){ 3996 // PH2 SEND LTK as we need to exchange keys in PH3 3997 sm_conn->sm_engine_state = SM_RESPONDER_PH2_SEND_LTK_REPLY; 3998 break; 3999 } 4000 4001 // store rand and ediv 4002 reverse_64(&packet[5], sm_conn->sm_local_rand); 4003 sm_conn->sm_local_ediv = hci_subevent_le_long_term_key_request_get_encryption_diversifier(packet); 4004 4005 // For Legacy Pairing (<=> EDIV != 0 || RAND != NULL), we need to recalculated our LTK as a 4006 // potentially stored LTK is from the master 4007 if ((sm_conn->sm_local_ediv != 0u) || !sm_is_null_random(sm_conn->sm_local_rand)){ 4008 if (sm_reconstruct_ltk_without_le_device_db_entry){ 4009 sm_conn->sm_engine_state = SM_RESPONDER_PH0_RECEIVED_LTK_REQUEST; 4010 break; 4011 } 4012 // additionally check if remote is in LE Device DB if requested 4013 switch(sm_conn->sm_irk_lookup_state){ 4014 case IRK_LOOKUP_FAILED: 4015 log_info("LTK Request: device not in device db"); 4016 sm_conn->sm_engine_state = SM_RESPONDER_PH0_SEND_LTK_REQUESTED_NEGATIVE_REPLY; 4017 break; 4018 case IRK_LOOKUP_SUCCEEDED: 4019 sm_conn->sm_engine_state = SM_RESPONDER_PH0_RECEIVED_LTK_REQUEST; 4020 break; 4021 default: 4022 // wait for irk look doen 4023 sm_conn->sm_engine_state = SM_RESPONDER_PH0_RECEIVED_LTK_W4_IRK; 4024 break; 4025 } 4026 break; 4027 } 4028 4029 #ifdef ENABLE_LE_SECURE_CONNECTIONS 4030 sm_conn->sm_engine_state = SM_SC_RECEIVED_LTK_REQUEST; 4031 #else 4032 log_info("LTK Request: ediv & random are empty, but LE Secure Connections not supported"); 4033 sm_conn->sm_engine_state = SM_RESPONDER_PH0_SEND_LTK_REQUESTED_NEGATIVE_REPLY; 4034 #endif 4035 break; 4036 4037 default: 4038 break; 4039 } 4040 break; 4041 4042 case HCI_EVENT_ENCRYPTION_CHANGE: 4043 case HCI_EVENT_ENCRYPTION_CHANGE_V2: 4044 con_handle = hci_event_encryption_change_get_connection_handle(packet); 4045 sm_conn = sm_get_connection_for_handle(con_handle); 4046 if (!sm_conn) break; 4047 4048 sm_conn->sm_connection_encrypted = hci_event_encryption_change_get_encryption_enabled(packet); 4049 log_info("Encryption state change: %u, key size %u", sm_conn->sm_connection_encrypted, 4050 sm_conn->sm_actual_encryption_key_size); 4051 log_info("event handler, state %u", sm_conn->sm_engine_state); 4052 4053 switch (sm_conn->sm_engine_state){ 4054 4055 case SM_PH4_W4_CONNECTION_ENCRYPTED: 4056 // encryption change event concludes re-encryption for bonded devices (even if it fails) 4057 if (sm_conn->sm_connection_encrypted != 0u) { 4058 status = ERROR_CODE_SUCCESS; 4059 if (IS_RESPONDER(sm_conn->sm_role)){ 4060 sm_conn->sm_engine_state = SM_RESPONDER_IDLE; 4061 } else { 4062 sm_conn->sm_engine_state = SM_INITIATOR_CONNECTED; 4063 } 4064 } else { 4065 status = hci_event_encryption_change_get_status(packet); 4066 // set state to 'RE-ENCRYPTION FAILED' to allow pairing but prevent other interactions 4067 // also, gap_reconnect_security_setup_active will return true 4068 sm_conn->sm_engine_state = SM_GENERAL_REENCRYPTION_FAILED; 4069 } 4070 4071 // emit re-encryption complete 4072 sm_reencryption_complete(sm_conn, status); 4073 4074 // notify client, if pairing was requested before 4075 if (sm_conn->sm_pairing_requested){ 4076 sm_conn->sm_pairing_requested = false; 4077 sm_pairing_complete(sm_conn, status, 0); 4078 } 4079 4080 sm_done_for_handle(sm_conn->sm_handle); 4081 break; 4082 4083 case SM_PH2_W4_CONNECTION_ENCRYPTED: 4084 if (!sm_conn->sm_connection_encrypted) break; 4085 // handler for HCI_EVENT_ENCRYPTION_KEY_REFRESH_COMPLETE 4086 // contains the same code for this state 4087 sm_conn->sm_connection_sc = setup->sm_use_secure_connections; 4088 if (IS_RESPONDER(sm_conn->sm_role)){ 4089 // slave 4090 if (sm_conn->sm_connection_sc){ 4091 sm_conn->sm_engine_state = SM_PH3_DISTRIBUTE_KEYS; 4092 } else { 4093 btstack_crypto_random_generate(&sm_crypto_random_request, sm_random_data, 8, &sm_handle_random_result_ph3_random, (void *)(uintptr_t) sm_conn->sm_handle); 4094 } 4095 } else { 4096 // master 4097 if (sm_key_distribution_all_received()){ 4098 // skip receiving keys as there are none 4099 sm_key_distribution_handle_all_received(sm_conn); 4100 btstack_crypto_random_generate(&sm_crypto_random_request, sm_random_data, 8, &sm_handle_random_result_ph3_random, (void *)(uintptr_t) sm_conn->sm_handle); 4101 } else { 4102 sm_conn->sm_engine_state = SM_PH3_RECEIVE_KEYS; 4103 } 4104 } 4105 break; 4106 4107 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 4108 case SM_BR_EDR_W4_ENCRYPTION_COMPLETE: 4109 sm_event_handle_classic_encryption_event(sm_conn, con_handle); 4110 break; 4111 #endif 4112 default: 4113 break; 4114 } 4115 break; 4116 4117 case HCI_EVENT_ENCRYPTION_KEY_REFRESH_COMPLETE: 4118 con_handle = little_endian_read_16(packet, 3); 4119 sm_conn = sm_get_connection_for_handle(con_handle); 4120 if (!sm_conn) break; 4121 4122 log_info("Encryption key refresh complete, key size %u", sm_conn->sm_actual_encryption_key_size); 4123 log_info("event handler, state %u", sm_conn->sm_engine_state); 4124 // continue if part of initial pairing 4125 switch (sm_conn->sm_engine_state){ 4126 case SM_PH4_W4_CONNECTION_ENCRYPTED: 4127 if (IS_RESPONDER(sm_conn->sm_role)){ 4128 sm_conn->sm_engine_state = SM_RESPONDER_IDLE; 4129 } else { 4130 sm_conn->sm_engine_state = SM_INITIATOR_CONNECTED; 4131 } 4132 sm_done_for_handle(sm_conn->sm_handle); 4133 break; 4134 case SM_PH2_W4_CONNECTION_ENCRYPTED: 4135 // handler for HCI_EVENT_ENCRYPTION_CHANGE 4136 // contains the same code for this state 4137 sm_conn->sm_connection_sc = setup->sm_use_secure_connections; 4138 if (IS_RESPONDER(sm_conn->sm_role)){ 4139 // slave 4140 if (sm_conn->sm_connection_sc){ 4141 sm_conn->sm_engine_state = SM_PH3_DISTRIBUTE_KEYS; 4142 } else { 4143 btstack_crypto_random_generate(&sm_crypto_random_request, sm_random_data, 8, &sm_handle_random_result_ph3_random, (void *)(uintptr_t) sm_conn->sm_handle); 4144 } 4145 } else { 4146 // master 4147 if (sm_key_distribution_all_received()){ 4148 // skip receiving keys as there are none 4149 sm_key_distribution_handle_all_received(sm_conn); 4150 btstack_crypto_random_generate(&sm_crypto_random_request, sm_random_data, 8, &sm_handle_random_result_ph3_random, (void *)(uintptr_t) sm_conn->sm_handle); 4151 } else { 4152 sm_conn->sm_engine_state = SM_PH3_RECEIVE_KEYS; 4153 } 4154 } 4155 break; 4156 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 4157 case SM_BR_EDR_W4_ENCRYPTION_COMPLETE: 4158 sm_event_handle_classic_encryption_event(sm_conn, con_handle); 4159 break; 4160 #endif 4161 default: 4162 break; 4163 } 4164 break; 4165 4166 4167 case HCI_EVENT_DISCONNECTION_COMPLETE: 4168 con_handle = little_endian_read_16(packet, 3); 4169 sm_done_for_handle(con_handle); 4170 sm_conn = sm_get_connection_for_handle(con_handle); 4171 if (!sm_conn) break; 4172 4173 // pairing failed, if it was ongoing 4174 switch (sm_conn->sm_engine_state){ 4175 case SM_GENERAL_IDLE: 4176 case SM_INITIATOR_CONNECTED: 4177 case SM_RESPONDER_IDLE: 4178 break; 4179 default: 4180 sm_reencryption_complete(sm_conn, ERROR_CODE_REMOTE_USER_TERMINATED_CONNECTION); 4181 sm_pairing_complete(sm_conn, ERROR_CODE_REMOTE_USER_TERMINATED_CONNECTION, 0); 4182 break; 4183 } 4184 4185 sm_conn->sm_engine_state = SM_GENERAL_IDLE; 4186 sm_conn->sm_handle = 0; 4187 break; 4188 4189 case HCI_EVENT_COMMAND_COMPLETE: 4190 if (hci_event_command_complete_get_command_opcode(packet) == HCI_OPCODE_HCI_READ_BD_ADDR) { 4191 // set local addr for le device db 4192 reverse_bd_addr(&packet[OFFSET_OF_DATA_IN_COMMAND_COMPLETE + 1], addr); 4193 le_device_db_set_local_bd_addr(addr); 4194 } 4195 break; 4196 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 4197 case L2CAP_EVENT_INFORMATION_RESPONSE: 4198 con_handle = l2cap_event_information_response_get_con_handle(packet); 4199 sm_conn = sm_get_connection_for_handle(con_handle); 4200 if (!sm_conn) break; 4201 if (sm_conn->sm_engine_state == SM_BR_EDR_INITIATOR_W4_FIXED_CHANNEL_MASK){ 4202 // check if remote supports SMP over BR/EDR 4203 const hci_connection_t * hci_connection = hci_connection_for_handle(con_handle); 4204 if ((hci_connection->l2cap_state.fixed_channels_supported & (1 << L2CAP_CID_BR_EDR_SECURITY_MANAGER)) != 0){ 4205 sm_conn->sm_engine_state = SM_BR_EDR_INITIATOR_SEND_PAIRING_REQUEST; 4206 } else { 4207 sm_conn->sm_engine_state = SM_INITIATOR_CONNECTED; 4208 hci_dedicated_bonding_defer_disconnect(con_handle, false); 4209 } 4210 } 4211 break; 4212 #endif 4213 default: 4214 break; 4215 } 4216 break; 4217 default: 4218 break; 4219 } 4220 4221 sm_run(); 4222 } 4223 4224 static inline int sm_calc_actual_encryption_key_size(int other){ 4225 if (other < sm_min_encryption_key_size) return 0; 4226 if (other < sm_max_encryption_key_size) return other; 4227 return sm_max_encryption_key_size; 4228 } 4229 4230 4231 #ifdef ENABLE_LE_SECURE_CONNECTIONS 4232 static bool sm_just_works_or_numeric_comparison(stk_generation_method_t method){ 4233 switch (method){ 4234 case JUST_WORKS: 4235 case NUMERIC_COMPARISON: 4236 return true; 4237 default: 4238 return false; 4239 } 4240 } 4241 // responder 4242 4243 static bool sm_passkey_used(stk_generation_method_t method){ 4244 switch (method){ 4245 case PK_RESP_INPUT: 4246 return true; 4247 default: 4248 return 0; 4249 } 4250 } 4251 4252 static bool sm_passkey_entry(stk_generation_method_t method){ 4253 switch (method){ 4254 case PK_RESP_INPUT: 4255 case PK_INIT_INPUT: 4256 case PK_BOTH_INPUT: 4257 return true; 4258 default: 4259 return false; 4260 } 4261 } 4262 4263 #endif 4264 4265 /** 4266 * @return ok 4267 */ 4268 static int sm_validate_stk_generation_method(void){ 4269 // check if STK generation method is acceptable by client 4270 switch (setup->sm_stk_generation_method){ 4271 case JUST_WORKS: 4272 return (sm_accepted_stk_generation_methods & SM_STK_GENERATION_METHOD_JUST_WORKS) != 0u; 4273 case PK_RESP_INPUT: 4274 case PK_INIT_INPUT: 4275 case PK_BOTH_INPUT: 4276 return (sm_accepted_stk_generation_methods & SM_STK_GENERATION_METHOD_PASSKEY) != 0u; 4277 case OOB: 4278 return (sm_accepted_stk_generation_methods & SM_STK_GENERATION_METHOD_OOB) != 0u; 4279 case NUMERIC_COMPARISON: 4280 return (sm_accepted_stk_generation_methods & SM_STK_GENERATION_METHOD_NUMERIC_COMPARISON) != 0u; 4281 default: 4282 return 0; 4283 } 4284 } 4285 4286 #ifdef ENABLE_LE_CENTRAL 4287 static void sm_initiator_connected_handle_security_request(sm_connection_t * sm_conn, const uint8_t *packet){ 4288 #ifdef ENABLE_LE_SECURE_CONNECTIONS 4289 if (sm_sc_only_mode){ 4290 uint8_t auth_req = packet[1]; 4291 if ((auth_req & SM_AUTHREQ_SECURE_CONNECTION) == 0){ 4292 sm_pairing_error(sm_conn, SM_REASON_AUTHENTHICATION_REQUIREMENTS); 4293 return; 4294 } 4295 } 4296 #else 4297 UNUSED(packet); 4298 #endif 4299 4300 int have_ltk; 4301 uint8_t ltk[16]; 4302 4303 // IRK complete? 4304 switch (sm_conn->sm_irk_lookup_state){ 4305 case IRK_LOOKUP_FAILED: 4306 // start pairing 4307 sm_conn->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 4308 break; 4309 case IRK_LOOKUP_SUCCEEDED: 4310 le_device_db_encryption_get(sm_conn->sm_le_db_index, NULL, NULL, ltk, NULL, NULL, NULL, NULL); 4311 have_ltk = !sm_is_null_key(ltk); 4312 log_info("central: security request - have_ltk %u, encryption %u", have_ltk, sm_conn->sm_connection_encrypted); 4313 if (have_ltk && (sm_conn->sm_connection_encrypted == 0)){ 4314 // start re-encrypt if we have LTK and the connection is not already encrypted 4315 sm_conn->sm_engine_state = SM_INITIATOR_PH4_HAS_LTK; 4316 } else { 4317 // start pairing 4318 sm_conn->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 4319 } 4320 break; 4321 default: 4322 // otherwise, store security request 4323 sm_conn->sm_security_request_received = true; 4324 break; 4325 } 4326 } 4327 #endif 4328 4329 static uint8_t sm_pdu_validate_and_get_opcode(uint8_t packet_type, const uint8_t *packet, uint16_t size){ 4330 4331 // size of complete sm_pdu used to validate input 4332 static const uint8_t sm_pdu_size[] = { 4333 0, // 0x00 invalid opcode 4334 7, // 0x01 pairing request 4335 7, // 0x02 pairing response 4336 17, // 0x03 pairing confirm 4337 17, // 0x04 pairing random 4338 2, // 0x05 pairing failed 4339 17, // 0x06 encryption information 4340 11, // 0x07 master identification 4341 17, // 0x08 identification information 4342 8, // 0x09 identify address information 4343 17, // 0x0a signing information 4344 2, // 0x0b security request 4345 65, // 0x0c pairing public key 4346 17, // 0x0d pairing dhk check 4347 2, // 0x0e keypress notification 4348 }; 4349 4350 if (packet_type != SM_DATA_PACKET) return 0; 4351 if (size == 0u) return 0; 4352 4353 uint8_t sm_pdu_code = packet[0]; 4354 4355 // validate pdu size 4356 if (sm_pdu_code >= sizeof(sm_pdu_size)) return 0; 4357 if (sm_pdu_size[sm_pdu_code] != size) return 0; 4358 4359 return sm_pdu_code; 4360 } 4361 4362 static void sm_pdu_handler(uint8_t packet_type, hci_con_handle_t con_handle, uint8_t *packet, uint16_t size){ 4363 4364 if ((packet_type == HCI_EVENT_PACKET) && (packet[0] == L2CAP_EVENT_CAN_SEND_NOW)){ 4365 sm_run(); 4366 } 4367 4368 uint8_t sm_pdu_code = sm_pdu_validate_and_get_opcode(packet_type, packet, size); 4369 if (sm_pdu_code == 0) return; 4370 4371 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 4372 if (!sm_conn) return; 4373 4374 if (sm_pdu_code == SM_CODE_PAIRING_FAILED){ 4375 sm_reencryption_complete(sm_conn, ERROR_CODE_AUTHENTICATION_FAILURE); 4376 sm_pairing_complete(sm_conn, ERROR_CODE_AUTHENTICATION_FAILURE, packet[1]); 4377 sm_done_for_handle(con_handle); 4378 sm_conn->sm_engine_state = sm_conn->sm_role ? SM_RESPONDER_IDLE : SM_INITIATOR_CONNECTED; 4379 return; 4380 } 4381 4382 log_debug("sm_pdu_handler: state %u, pdu 0x%02x", sm_conn->sm_engine_state, sm_pdu_code); 4383 4384 int err; 4385 uint8_t max_encryption_key_size; 4386 UNUSED(err); 4387 4388 if (sm_pdu_code == SM_CODE_KEYPRESS_NOTIFICATION){ 4389 uint8_t buffer[5]; 4390 buffer[0] = SM_EVENT_KEYPRESS_NOTIFICATION; 4391 buffer[1] = 3; 4392 little_endian_store_16(buffer, 2, con_handle); 4393 buffer[4] = packet[1]; 4394 sm_dispatch_event(HCI_EVENT_PACKET, 0, buffer, sizeof(buffer)); 4395 return; 4396 } 4397 4398 switch (sm_conn->sm_engine_state){ 4399 4400 // a sm timeout requires a new physical connection 4401 case SM_GENERAL_TIMEOUT: 4402 return; 4403 4404 #ifdef ENABLE_LE_CENTRAL 4405 4406 // Initiator 4407 case SM_INITIATOR_CONNECTED: 4408 if ((sm_pdu_code != SM_CODE_SECURITY_REQUEST) || (sm_conn->sm_role)){ 4409 sm_pdu_received_in_wrong_state(sm_conn); 4410 break; 4411 } 4412 sm_initiator_connected_handle_security_request(sm_conn, packet); 4413 break; 4414 4415 case SM_INITIATOR_PH1_W4_PAIRING_RESPONSE: 4416 // Core 5, Vol 3, Part H, 2.4.6: 4417 // "The master shall ignore the slave’s Security Request if the master has sent a Pairing Request 4418 // without receiving a Pairing Response from the slave or if the master has initiated encryption mode setup." 4419 if (sm_pdu_code == SM_CODE_SECURITY_REQUEST){ 4420 log_info("Ignoring Security Request"); 4421 break; 4422 } 4423 4424 // all other pdus are incorrect 4425 if (sm_pdu_code != SM_CODE_PAIRING_RESPONSE){ 4426 sm_pdu_received_in_wrong_state(sm_conn); 4427 break; 4428 } 4429 4430 // store pairing request 4431 (void)memcpy(&setup->sm_s_pres, packet, 4432 sizeof(sm_pairing_packet_t)); 4433 4434 // validate encryption key size 4435 max_encryption_key_size = sm_pairing_packet_get_max_encryption_key_size(setup->sm_s_pres); 4436 if ((max_encryption_key_size < 7) || (max_encryption_key_size > 16)){ 4437 sm_pairing_error(sm_conn, SM_REASON_INVALID_PARAMETERS); 4438 break; 4439 } 4440 4441 err = sm_stk_generation_init(sm_conn); 4442 4443 #ifdef ENABLE_TESTING_SUPPORT 4444 if (0 < test_pairing_failure && test_pairing_failure < SM_REASON_DHKEY_CHECK_FAILED){ 4445 log_info("testing_support: abort with pairing failure %u", test_pairing_failure); 4446 err = test_pairing_failure; 4447 } 4448 #endif 4449 4450 if (err != 0){ 4451 sm_pairing_error(sm_conn, err); 4452 break; 4453 } 4454 4455 // generate random number first, if we need to show passkey 4456 if (setup->sm_stk_generation_method == PK_RESP_INPUT){ 4457 btstack_crypto_random_generate(&sm_crypto_random_request, sm_random_data, 8, &sm_handle_random_result_ph2_tk, (void *)(uintptr_t) sm_conn->sm_handle); 4458 break; 4459 } 4460 4461 #ifdef ENABLE_LE_SECURE_CONNECTIONS 4462 if (setup->sm_use_secure_connections){ 4463 // SC Numeric Comparison will trigger user response after public keys & nonces have been exchanged 4464 if (setup->sm_stk_generation_method == JUST_WORKS){ 4465 sm_conn->sm_engine_state = SM_PH1_W4_USER_RESPONSE; 4466 sm_trigger_user_response(sm_conn); 4467 if (setup->sm_user_response == SM_USER_RESPONSE_IDLE){ 4468 sm_conn->sm_engine_state = SM_SC_SEND_PUBLIC_KEY_COMMAND; 4469 } 4470 } else { 4471 sm_conn->sm_engine_state = SM_SC_SEND_PUBLIC_KEY_COMMAND; 4472 } 4473 break; 4474 } 4475 #endif 4476 sm_conn->sm_engine_state = SM_PH1_W4_USER_RESPONSE; 4477 sm_trigger_user_response(sm_conn); 4478 // response_idle == nothing <--> sm_trigger_user_response() did not require response 4479 if (setup->sm_user_response == SM_USER_RESPONSE_IDLE){ 4480 btstack_crypto_random_generate(&sm_crypto_random_request, setup->sm_local_random, 16, &sm_handle_random_result_ph2_random, (void *)(uintptr_t) sm_conn->sm_handle); 4481 } 4482 break; 4483 4484 case SM_INITIATOR_PH2_W4_PAIRING_CONFIRM: 4485 if (sm_pdu_code != SM_CODE_PAIRING_CONFIRM){ 4486 sm_pdu_received_in_wrong_state(sm_conn); 4487 break; 4488 } 4489 4490 // store s_confirm 4491 reverse_128(&packet[1], setup->sm_peer_confirm); 4492 4493 // abort if s_confirm matches m_confirm 4494 if (memcmp(setup->sm_local_confirm, setup->sm_peer_confirm, 16) == 0){ 4495 sm_pdu_received_in_wrong_state(sm_conn); 4496 break; 4497 } 4498 4499 #ifdef ENABLE_TESTING_SUPPORT 4500 if (test_pairing_failure == SM_REASON_CONFIRM_VALUE_FAILED){ 4501 log_info("testing_support: reset confirm value"); 4502 memset(setup->sm_peer_confirm, 0, 16); 4503 } 4504 #endif 4505 sm_conn->sm_engine_state = SM_PH2_SEND_PAIRING_RANDOM; 4506 break; 4507 4508 case SM_INITIATOR_PH2_W4_PAIRING_RANDOM: 4509 if (sm_pdu_code != SM_CODE_PAIRING_RANDOM){ 4510 sm_pdu_received_in_wrong_state(sm_conn); 4511 break;; 4512 } 4513 4514 // received random value 4515 reverse_128(&packet[1], setup->sm_peer_random); 4516 sm_conn->sm_engine_state = SM_PH2_C1_GET_ENC_C; 4517 break; 4518 4519 case SM_INITIATOR_PH4_HAS_LTK: 4520 case SM_PH4_W4_CONNECTION_ENCRYPTED: 4521 // ignore Security Request, see SM_INITIATOR_PH1_W4_PAIRING_RESPONSE above 4522 if (sm_pdu_code != SM_CODE_SECURITY_REQUEST){ 4523 sm_pdu_received_in_wrong_state(sm_conn); 4524 } 4525 break; 4526 #endif 4527 4528 #ifdef ENABLE_LE_PERIPHERAL 4529 // Responder 4530 case SM_RESPONDER_IDLE: 4531 case SM_RESPONDER_SEND_SECURITY_REQUEST: 4532 case SM_RESPONDER_PH1_W4_PAIRING_REQUEST: 4533 if (sm_pdu_code != SM_CODE_PAIRING_REQUEST){ 4534 sm_pdu_received_in_wrong_state(sm_conn); 4535 break;; 4536 } 4537 4538 // store pairing request 4539 (void)memcpy(&sm_conn->sm_m_preq, packet, sizeof(sm_pairing_packet_t)); 4540 4541 // validation encryption key size 4542 max_encryption_key_size = sm_pairing_packet_get_max_encryption_key_size(sm_conn->sm_m_preq); 4543 if ((max_encryption_key_size < 7) || (max_encryption_key_size > 16)){ 4544 sm_pairing_error(sm_conn, SM_REASON_INVALID_PARAMETERS); 4545 break; 4546 } 4547 4548 // check if IRK completed 4549 switch (sm_conn->sm_irk_lookup_state){ 4550 case IRK_LOOKUP_SUCCEEDED: 4551 case IRK_LOOKUP_FAILED: 4552 sm_conn->sm_engine_state = SM_RESPONDER_PH1_PAIRING_REQUEST_RECEIVED; 4553 break; 4554 default: 4555 sm_conn->sm_engine_state = SM_RESPONDER_PH1_PAIRING_REQUEST_RECEIVED_W4_IRK; 4556 break; 4557 } 4558 break; 4559 #endif 4560 4561 #ifdef ENABLE_LE_SECURE_CONNECTIONS 4562 case SM_SC_W4_PUBLIC_KEY_COMMAND: 4563 if (sm_pdu_code != SM_CODE_PAIRING_PUBLIC_KEY){ 4564 sm_pdu_received_in_wrong_state(sm_conn); 4565 break; 4566 } 4567 4568 // store public key for DH Key calculation 4569 reverse_256(&packet[01], &setup->sm_peer_q[0]); 4570 reverse_256(&packet[33], &setup->sm_peer_q[32]); 4571 4572 // CVE-2020-26558: abort pairing if remote uses the same public key 4573 if (memcmp(&setup->sm_peer_q, ec_q, 64) == 0){ 4574 log_info("Remote PK matches ours"); 4575 sm_pairing_error(sm_conn, SM_REASON_DHKEY_CHECK_FAILED); 4576 break; 4577 } 4578 4579 // validate public key 4580 err = btstack_crypto_ecc_p256_validate_public_key(setup->sm_peer_q); 4581 if (err != 0){ 4582 log_info("sm: peer public key invalid %x", err); 4583 sm_pairing_error(sm_conn, SM_REASON_DHKEY_CHECK_FAILED); 4584 break; 4585 } 4586 4587 // start calculating dhkey 4588 btstack_crypto_ecc_p256_calculate_dhkey(&sm_crypto_ecc_p256_request, setup->sm_peer_q, setup->sm_dhkey, sm_sc_dhkey_calculated, (void*)(uintptr_t) sm_conn->sm_handle); 4589 4590 4591 log_info("public key received, generation method %u", setup->sm_stk_generation_method); 4592 if (IS_RESPONDER(sm_conn->sm_role)){ 4593 // responder 4594 sm_conn->sm_engine_state = SM_SC_SEND_PUBLIC_KEY_COMMAND; 4595 } else { 4596 // initiator 4597 // stk generation method 4598 // passkey entry: notify app to show passkey or to request passkey 4599 switch (setup->sm_stk_generation_method){ 4600 case JUST_WORKS: 4601 case NUMERIC_COMPARISON: 4602 sm_conn->sm_engine_state = SM_SC_W4_CONFIRMATION; 4603 break; 4604 case PK_RESP_INPUT: 4605 sm_sc_start_calculating_local_confirm(sm_conn); 4606 break; 4607 case PK_INIT_INPUT: 4608 case PK_BOTH_INPUT: 4609 if (setup->sm_user_response != SM_USER_RESPONSE_PASSKEY){ 4610 sm_conn->sm_engine_state = SM_SC_W4_USER_RESPONSE; 4611 break; 4612 } 4613 sm_sc_start_calculating_local_confirm(sm_conn); 4614 break; 4615 case OOB: 4616 // generate Nx 4617 log_info("Generate Na"); 4618 btstack_crypto_random_generate(&sm_crypto_random_request, setup->sm_local_nonce, 16, &sm_handle_random_result_sc_next_send_pairing_random, (void*)(uintptr_t) sm_conn->sm_handle); 4619 break; 4620 default: 4621 btstack_assert(false); 4622 break; 4623 } 4624 } 4625 break; 4626 4627 case SM_SC_W4_CONFIRMATION: 4628 if (sm_pdu_code != SM_CODE_PAIRING_CONFIRM){ 4629 sm_pdu_received_in_wrong_state(sm_conn); 4630 break; 4631 } 4632 // received confirm value 4633 reverse_128(&packet[1], setup->sm_peer_confirm); 4634 4635 #ifdef ENABLE_TESTING_SUPPORT 4636 if (test_pairing_failure == SM_REASON_CONFIRM_VALUE_FAILED){ 4637 log_info("testing_support: reset confirm value"); 4638 memset(setup->sm_peer_confirm, 0, 16); 4639 } 4640 #endif 4641 if (IS_RESPONDER(sm_conn->sm_role)){ 4642 // responder 4643 if (sm_passkey_used(setup->sm_stk_generation_method)){ 4644 if (setup->sm_user_response != SM_USER_RESPONSE_PASSKEY){ 4645 // still waiting for passkey 4646 sm_conn->sm_engine_state = SM_SC_W4_USER_RESPONSE; 4647 break; 4648 } 4649 } 4650 sm_sc_start_calculating_local_confirm(sm_conn); 4651 } else { 4652 // initiator 4653 if (sm_just_works_or_numeric_comparison(setup->sm_stk_generation_method)){ 4654 btstack_crypto_random_generate(&sm_crypto_random_request, setup->sm_local_nonce, 16, &sm_handle_random_result_sc_next_send_pairing_random, (void*)(uintptr_t) sm_conn->sm_handle); 4655 } else { 4656 sm_conn->sm_engine_state = SM_SC_SEND_PAIRING_RANDOM; 4657 } 4658 } 4659 break; 4660 4661 case SM_SC_W4_PAIRING_RANDOM: 4662 if (sm_pdu_code != SM_CODE_PAIRING_RANDOM){ 4663 sm_pdu_received_in_wrong_state(sm_conn); 4664 break; 4665 } 4666 4667 // received random value 4668 reverse_128(&packet[1], setup->sm_peer_nonce); 4669 4670 // validate confirm value if Cb = f4(Pkb, Pka, Nb, z) 4671 // only check for JUST WORK/NC in initiator role OR passkey entry 4672 log_info("SM_SC_W4_PAIRING_RANDOM, responder: %u, just works: %u, passkey used %u, passkey entry %u", 4673 IS_RESPONDER(sm_conn->sm_role), sm_just_works_or_numeric_comparison(setup->sm_stk_generation_method), 4674 sm_passkey_used(setup->sm_stk_generation_method), sm_passkey_entry(setup->sm_stk_generation_method)); 4675 if ( (!IS_RESPONDER(sm_conn->sm_role) && sm_just_works_or_numeric_comparison(setup->sm_stk_generation_method)) 4676 || (sm_passkey_entry(setup->sm_stk_generation_method)) ) { 4677 sm_conn->sm_engine_state = SM_SC_W2_CMAC_FOR_CHECK_CONFIRMATION; 4678 break; 4679 } 4680 4681 // OOB 4682 if (setup->sm_stk_generation_method == OOB){ 4683 4684 // setup local random, set to zero if remote did not receive our data 4685 log_info("Received nonce, setup local random ra/rb for dhkey check"); 4686 if (IS_RESPONDER(sm_conn->sm_role)){ 4687 if (sm_pairing_packet_get_oob_data_flag(setup->sm_m_preq) == 0u){ 4688 log_info("Reset rb as A does not have OOB data"); 4689 memset(setup->sm_rb, 0, 16); 4690 } else { 4691 (void)memcpy(setup->sm_rb, sm_sc_oob_random, 16); 4692 log_info("Use stored rb"); 4693 log_info_hexdump(setup->sm_rb, 16); 4694 } 4695 } else { 4696 if (sm_pairing_packet_get_oob_data_flag(setup->sm_s_pres) == 0u){ 4697 log_info("Reset ra as B does not have OOB data"); 4698 memset(setup->sm_ra, 0, 16); 4699 } else { 4700 (void)memcpy(setup->sm_ra, sm_sc_oob_random, 16); 4701 log_info("Use stored ra"); 4702 log_info_hexdump(setup->sm_ra, 16); 4703 } 4704 } 4705 4706 // validate confirm value if Cb = f4(PKb, Pkb, rb, 0) for OOB if data received 4707 if (setup->sm_have_oob_data){ 4708 sm_conn->sm_engine_state = SM_SC_W2_CMAC_FOR_CHECK_CONFIRMATION; 4709 break; 4710 } 4711 } 4712 4713 // TODO: we only get here for Responder role with JW/NC 4714 sm_sc_state_after_receiving_random(sm_conn); 4715 break; 4716 4717 case SM_SC_W2_CALCULATE_G2: 4718 case SM_SC_W4_CALCULATE_G2: 4719 case SM_SC_W4_CALCULATE_DHKEY: 4720 case SM_SC_W2_CALCULATE_F5_SALT: 4721 case SM_SC_W4_CALCULATE_F5_SALT: 4722 case SM_SC_W2_CALCULATE_F5_MACKEY: 4723 case SM_SC_W4_CALCULATE_F5_MACKEY: 4724 case SM_SC_W2_CALCULATE_F5_LTK: 4725 case SM_SC_W4_CALCULATE_F5_LTK: 4726 case SM_SC_W2_CALCULATE_F6_FOR_DHKEY_CHECK: 4727 case SM_SC_W4_DHKEY_CHECK_COMMAND: 4728 case SM_SC_W4_CALCULATE_F6_FOR_DHKEY_CHECK: 4729 case SM_SC_W4_USER_RESPONSE: 4730 if (sm_pdu_code != SM_CODE_PAIRING_DHKEY_CHECK){ 4731 sm_pdu_received_in_wrong_state(sm_conn); 4732 break; 4733 } 4734 // store DHKey Check 4735 setup->sm_state_vars |= SM_STATE_VAR_DHKEY_COMMAND_RECEIVED; 4736 reverse_128(&packet[01], setup->sm_peer_dhkey_check); 4737 4738 // have we been only waiting for dhkey check command? 4739 if (sm_conn->sm_engine_state == SM_SC_W4_DHKEY_CHECK_COMMAND){ 4740 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F6_TO_VERIFY_DHKEY_CHECK; 4741 } 4742 break; 4743 #endif 4744 4745 #ifdef ENABLE_LE_PERIPHERAL 4746 case SM_RESPONDER_PH1_W4_PAIRING_CONFIRM: 4747 if (sm_pdu_code != SM_CODE_PAIRING_CONFIRM){ 4748 sm_pdu_received_in_wrong_state(sm_conn); 4749 break; 4750 } 4751 4752 // received confirm value 4753 reverse_128(&packet[1], setup->sm_peer_confirm); 4754 4755 #ifdef ENABLE_TESTING_SUPPORT 4756 if (test_pairing_failure == SM_REASON_CONFIRM_VALUE_FAILED){ 4757 log_info("testing_support: reset confirm value"); 4758 memset(setup->sm_peer_confirm, 0, 16); 4759 } 4760 #endif 4761 // notify client to hide shown passkey 4762 if (setup->sm_stk_generation_method == PK_INIT_INPUT){ 4763 sm_notify_client_base(SM_EVENT_PASSKEY_DISPLAY_CANCEL, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address); 4764 } 4765 4766 // handle user cancel pairing? 4767 if (setup->sm_user_response == SM_USER_RESPONSE_DECLINE){ 4768 sm_pairing_error(sm_conn, SM_REASON_PASSKEY_ENTRY_FAILED); 4769 break; 4770 } 4771 4772 // wait for user action? 4773 if (setup->sm_user_response == SM_USER_RESPONSE_PENDING){ 4774 sm_conn->sm_engine_state = SM_PH1_W4_USER_RESPONSE; 4775 break; 4776 } 4777 4778 // calculate and send local_confirm 4779 btstack_crypto_random_generate(&sm_crypto_random_request, setup->sm_local_random, 16, &sm_handle_random_result_ph2_random, (void *)(uintptr_t) sm_conn->sm_handle); 4780 break; 4781 4782 case SM_RESPONDER_PH2_W4_PAIRING_RANDOM: 4783 if (sm_pdu_code != SM_CODE_PAIRING_RANDOM){ 4784 sm_pdu_received_in_wrong_state(sm_conn); 4785 break;; 4786 } 4787 4788 // received random value 4789 reverse_128(&packet[1], setup->sm_peer_random); 4790 sm_conn->sm_engine_state = SM_PH2_C1_GET_ENC_C; 4791 break; 4792 #endif 4793 4794 case SM_PH2_W4_CONNECTION_ENCRYPTED: 4795 case SM_PH3_RECEIVE_KEYS: 4796 switch(sm_pdu_code){ 4797 case SM_CODE_ENCRYPTION_INFORMATION: 4798 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION; 4799 reverse_128(&packet[1], setup->sm_peer_ltk); 4800 break; 4801 4802 case SM_CODE_MASTER_IDENTIFICATION: 4803 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_MASTER_IDENTIFICATION; 4804 setup->sm_peer_ediv = little_endian_read_16(packet, 1); 4805 reverse_64(&packet[3], setup->sm_peer_rand); 4806 break; 4807 4808 case SM_CODE_IDENTITY_INFORMATION: 4809 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_IDENTITY_INFORMATION; 4810 reverse_128(&packet[1], setup->sm_peer_irk); 4811 break; 4812 4813 case SM_CODE_IDENTITY_ADDRESS_INFORMATION: 4814 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION; 4815 setup->sm_peer_addr_type = packet[1]; 4816 reverse_bd_addr(&packet[2], setup->sm_peer_address); 4817 break; 4818 4819 case SM_CODE_SIGNING_INFORMATION: 4820 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION; 4821 reverse_128(&packet[1], setup->sm_peer_csrk); 4822 break; 4823 default: 4824 // Unexpected PDU 4825 log_info("Unexpected PDU %u in SM_PH3_RECEIVE_KEYS", packet[0]); 4826 break; 4827 } 4828 // done with key distribution? 4829 if (sm_key_distribution_all_received()){ 4830 4831 sm_key_distribution_handle_all_received(sm_conn); 4832 4833 if (IS_RESPONDER(sm_conn->sm_role)){ 4834 sm_key_distribution_complete_responder(sm_conn); 4835 } else { 4836 if (setup->sm_use_secure_connections){ 4837 sm_conn->sm_engine_state = SM_PH3_DISTRIBUTE_KEYS; 4838 } else { 4839 btstack_crypto_random_generate(&sm_crypto_random_request, sm_random_data, 8, &sm_handle_random_result_ph3_random, (void *)(uintptr_t) sm_conn->sm_handle); 4840 } 4841 } 4842 } 4843 break; 4844 4845 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 4846 4847 case SM_BR_EDR_W4_ENCRYPTION_COMPLETE: 4848 // GAP/DM/LEP/BI-02-C - reject CTKD if P-192 encryption is used 4849 if (sm_pdu_code == SM_CODE_PAIRING_REQUEST){ 4850 sm_pairing_error(sm_conn, SM_REASON_CROSS_TRANSPORT_KEY_DERIVATION_NOT_ALLOWED); 4851 } 4852 break; 4853 4854 case SM_BR_EDR_INITIATOR_W4_PAIRING_RESPONSE: 4855 4856 // dedicated bonding complete 4857 hci_dedicated_bonding_defer_disconnect(sm_conn->sm_handle, false); 4858 4859 if (sm_pdu_code != SM_CODE_PAIRING_RESPONSE){ 4860 sm_pdu_received_in_wrong_state(sm_conn); 4861 break; 4862 } 4863 // store pairing response 4864 (void)memcpy(&setup->sm_s_pres, packet, sizeof(sm_pairing_packet_t)); 4865 4866 // validate encryption key size 4867 max_encryption_key_size = sm_pairing_packet_get_max_encryption_key_size(setup->sm_s_pres); 4868 if ((max_encryption_key_size < 7) || (max_encryption_key_size > 16)){ 4869 sm_pairing_error(sm_conn, SM_REASON_INVALID_PARAMETERS); 4870 break; 4871 } 4872 sm_conn->sm_actual_encryption_key_size = sm_calc_actual_encryption_key_size(max_encryption_key_size); 4873 // SC Only mandates 128 bit key size 4874 if (sm_sc_only_mode && (sm_conn->sm_actual_encryption_key_size < 16)) { 4875 sm_conn->sm_actual_encryption_key_size = 0; 4876 } 4877 if (sm_conn->sm_actual_encryption_key_size == 0){ 4878 sm_pairing_error(sm_conn, SM_REASON_ENCRYPTION_KEY_SIZE); 4879 break; 4880 } 4881 4882 // prepare key exchange, LTK is derived locally 4883 sm_setup_key_distribution(sm_pairing_packet_get_initiator_key_distribution(setup->sm_s_pres) & ~SM_KEYDIST_ENC_KEY, 4884 sm_pairing_packet_get_responder_key_distribution(setup->sm_s_pres) & ~SM_KEYDIST_ENC_KEY); 4885 4886 // skip receive if there are none 4887 if (sm_key_distribution_all_received()){ 4888 // distribute keys in run handles 'no keys to send' 4889 sm_conn->sm_engine_state = SM_BR_EDR_DISTRIBUTE_KEYS; 4890 } else { 4891 sm_conn->sm_engine_state = SM_BR_EDR_RECEIVE_KEYS; 4892 } 4893 break; 4894 4895 case SM_BR_EDR_RESPONDER_W4_PAIRING_REQUEST: 4896 if (sm_pdu_code != SM_CODE_PAIRING_REQUEST){ 4897 sm_pdu_received_in_wrong_state(sm_conn); 4898 break; 4899 } 4900 4901 // store pairing request 4902 (void)memcpy(&sm_conn->sm_m_preq, packet, sizeof(sm_pairing_packet_t)); 4903 4904 // validate encryption key size 4905 max_encryption_key_size = sm_pairing_packet_get_max_encryption_key_size(setup->sm_m_preq); 4906 if ((max_encryption_key_size < 7) || (max_encryption_key_size > 16)){ 4907 sm_pairing_error(sm_conn, SM_REASON_INVALID_PARAMETERS); 4908 break; 4909 } 4910 sm_conn->sm_actual_encryption_key_size = sm_calc_actual_encryption_key_size(max_encryption_key_size); 4911 // SC Only mandates 128 bit key size 4912 if (sm_sc_only_mode && (sm_conn->sm_actual_encryption_key_size < 16)) { 4913 sm_conn->sm_actual_encryption_key_size = 0; 4914 } 4915 if (sm_conn->sm_actual_encryption_key_size == 0){ 4916 sm_pairing_error(sm_conn, SM_REASON_ENCRYPTION_KEY_SIZE); 4917 break; 4918 } 4919 // trigger response 4920 if (sm_ctkd_from_classic(sm_conn)){ 4921 sm_conn->sm_engine_state = SM_BR_EDR_RESPONDER_PAIRING_REQUEST_RECEIVED; 4922 } else { 4923 sm_pairing_error(sm_conn, SM_REASON_CROSS_TRANSPORT_KEY_DERIVATION_NOT_ALLOWED); 4924 } 4925 break; 4926 4927 case SM_BR_EDR_RECEIVE_KEYS: 4928 switch(sm_pdu_code){ 4929 case SM_CODE_IDENTITY_INFORMATION: 4930 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_IDENTITY_INFORMATION; 4931 reverse_128(&packet[1], setup->sm_peer_irk); 4932 break; 4933 case SM_CODE_IDENTITY_ADDRESS_INFORMATION: 4934 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION; 4935 setup->sm_peer_addr_type = packet[1]; 4936 reverse_bd_addr(&packet[2], setup->sm_peer_address); 4937 break; 4938 case SM_CODE_SIGNING_INFORMATION: 4939 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION; 4940 reverse_128(&packet[1], setup->sm_peer_csrk); 4941 break; 4942 default: 4943 // Unexpected PDU 4944 log_info("Unexpected PDU %u in SM_PH3_RECEIVE_KEYS", packet[0]); 4945 break; 4946 } 4947 4948 // all keys received 4949 if (sm_key_distribution_all_received()){ 4950 if (IS_RESPONDER(sm_conn->sm_role)){ 4951 // responder -> keys exchanged, derive LE LTK 4952 sm_ctkd_start_from_br_edr(sm_conn); 4953 } else { 4954 // initiator -> send our keys if any 4955 sm_conn->sm_engine_state = SM_BR_EDR_DISTRIBUTE_KEYS; 4956 } 4957 } 4958 break; 4959 #endif 4960 4961 default: 4962 // Unexpected PDU 4963 log_info("Unexpected PDU %u in state %u", packet[0], sm_conn->sm_engine_state); 4964 sm_pdu_received_in_wrong_state(sm_conn); 4965 break; 4966 } 4967 4968 // try to send next pdu 4969 sm_trigger_run(); 4970 } 4971 4972 // Security Manager Client API 4973 void sm_register_oob_data_callback( int (*get_oob_data_callback)(uint8_t address_type, bd_addr_t addr, uint8_t * oob_data)){ 4974 sm_get_oob_data = get_oob_data_callback; 4975 } 4976 4977 void sm_register_sc_oob_data_callback( int (*get_sc_oob_data_callback)(uint8_t address_type, bd_addr_t addr, uint8_t * oob_sc_peer_confirm, uint8_t * oob_sc_peer_random)){ 4978 sm_get_sc_oob_data = get_sc_oob_data_callback; 4979 } 4980 4981 void sm_register_ltk_callback( bool (*get_ltk_callback)(hci_con_handle_t con_handle, uint8_t address_type, bd_addr_t addr, uint8_t * ltk)){ 4982 sm_get_ltk_callback = get_ltk_callback; 4983 } 4984 4985 void sm_add_event_handler(btstack_packet_callback_registration_t * callback_handler){ 4986 btstack_linked_list_add_tail(&sm_event_handlers, (btstack_linked_item_t*) callback_handler); 4987 } 4988 4989 void sm_remove_event_handler(btstack_packet_callback_registration_t * callback_handler){ 4990 btstack_linked_list_remove(&sm_event_handlers, (btstack_linked_item_t*) callback_handler); 4991 } 4992 4993 void sm_set_accepted_stk_generation_methods(uint8_t accepted_stk_generation_methods){ 4994 sm_accepted_stk_generation_methods = accepted_stk_generation_methods; 4995 } 4996 4997 void sm_set_encryption_key_size_range(uint8_t min_size, uint8_t max_size){ 4998 sm_min_encryption_key_size = min_size; 4999 sm_max_encryption_key_size = max_size; 5000 } 5001 5002 void sm_set_authentication_requirements(uint8_t auth_req){ 5003 #ifndef ENABLE_LE_SECURE_CONNECTIONS 5004 if (auth_req & SM_AUTHREQ_SECURE_CONNECTION){ 5005 log_error("ENABLE_LE_SECURE_CONNECTIONS not defined, but requested by app. Dropping SC flag"); 5006 auth_req &= ~SM_AUTHREQ_SECURE_CONNECTION; 5007 } 5008 #endif 5009 sm_auth_req = auth_req; 5010 } 5011 5012 void sm_set_io_capabilities(io_capability_t io_capability){ 5013 sm_io_capabilities = io_capability; 5014 } 5015 5016 #ifdef ENABLE_LE_PERIPHERAL 5017 void sm_set_request_security(bool enable){ 5018 sm_slave_request_security = enable; 5019 } 5020 #endif 5021 5022 void sm_set_er(sm_key_t er){ 5023 (void)memcpy(sm_persistent_er, er, 16); 5024 } 5025 5026 void sm_set_ir(sm_key_t ir){ 5027 (void)memcpy(sm_persistent_ir, ir, 16); 5028 } 5029 5030 // Testing support only 5031 void sm_test_set_irk(sm_key_t irk){ 5032 (void)memcpy(sm_persistent_irk, irk, 16); 5033 dkg_state = DKG_CALC_DHK; 5034 test_use_fixed_local_irk = true; 5035 } 5036 5037 void sm_test_use_fixed_local_csrk(void){ 5038 test_use_fixed_local_csrk = true; 5039 } 5040 5041 #ifdef ENABLE_LE_SECURE_CONNECTIONS 5042 static void sm_ec_generated(void * arg){ 5043 UNUSED(arg); 5044 ec_key_generation_state = EC_KEY_GENERATION_DONE; 5045 // trigger pairing if pending for ec key 5046 sm_trigger_run(); 5047 } 5048 static void sm_ec_generate_new_key(void) { 5049 log_info("sm: generate new ec key"); 5050 #ifdef ENABLE_LE_SECURE_CONNECTIONS_DEBUG_KEY 5051 // LE Secure Connections Debug Key 5052 const uint8_t debug_key_public[64] = { 5053 0x20, 0xb0, 0x03, 0xd2, 0xf2, 0x97, 0xbe, 0x2c, 0x5e, 0x2c, 0x83, 0xa7, 0xe9, 0xf9, 0xa5, 0xb9, 5054 0xef, 0xf4, 0x91, 0x11, 0xac, 0xf4, 0xfd, 0xdb, 0xcc, 0x03, 0x01, 0x48, 0x0e, 0x35, 0x9d, 0xe6, 5055 0xdc, 0x80, 0x9c, 0x49, 0x65, 0x2a, 0xeb, 0x6d, 0x63, 0x32, 0x9a, 0xbf, 0x5a, 0x52, 0x15, 0x5c, 5056 0x76, 0x63, 0x45, 0xc2, 0x8f, 0xed, 0x30, 0x24, 0x74, 0x1c, 0x8e, 0xd0, 0x15, 0x89, 0xd2, 0x8b 5057 }; 5058 const uint8_t debug_key_private[32] = { 5059 0x3f, 0x49, 0xf6, 0xd4, 0xa3, 0xc5, 0x5f, 0x38, 0x74, 0xc9, 0xb3, 0xe3, 0xd2, 0x10, 0x3f, 0x50, 5060 0x4a, 0xff, 0x60, 0x7b, 0xeb, 0x40, 0xb7, 0x99, 0x58, 0x99, 0xb8, 0xa6, 0xcd, 0x3c, 0x1a, 0xbd 5061 }; 5062 if (sm_sc_debug_keys_enabled) { 5063 memcpy(ec_q, debug_key_public, 64); 5064 btstack_crypto_ecc_p256_set_key(debug_key_public, debug_key_private); 5065 ec_key_generation_state = EC_KEY_GENERATION_DONE; 5066 } else 5067 #endif 5068 { 5069 ec_key_generation_state = EC_KEY_GENERATION_ACTIVE; 5070 btstack_crypto_ecc_p256_generate_key(&sm_crypto_ecc_p256_request, ec_q, &sm_ec_generated, NULL); 5071 } 5072 } 5073 #endif 5074 5075 #ifdef ENABLE_TESTING_SUPPORT 5076 void sm_test_set_pairing_failure(int reason){ 5077 test_pairing_failure = reason; 5078 } 5079 #endif 5080 5081 static void sm_state_reset(void) { 5082 #ifdef USE_CMAC_ENGINE 5083 sm_cmac_active = 0; 5084 #endif 5085 dkg_state = DKG_W4_WORKING; 5086 rau_state = RAU_IDLE; 5087 sm_aes128_state = SM_AES128_IDLE; 5088 sm_address_resolution_test = -1; // no private address to resolve yet 5089 sm_address_resolution_mode = ADDRESS_RESOLUTION_IDLE; 5090 sm_address_resolution_general_queue = NULL; 5091 sm_active_connection_handle = HCI_CON_HANDLE_INVALID; 5092 sm_persistent_keys_random_active = false; 5093 #ifdef ENABLE_LE_SECURE_CONNECTIONS 5094 ec_key_generation_state = EC_KEY_GENERATION_IDLE; 5095 #endif 5096 } 5097 5098 void sm_init(void){ 5099 5100 if (sm_initialized) return; 5101 5102 // set default ER and IR values (should be unique - set by app or sm later using TLV) 5103 sm_er_ir_set_default(); 5104 5105 // defaults 5106 sm_accepted_stk_generation_methods = SM_STK_GENERATION_METHOD_JUST_WORKS 5107 | SM_STK_GENERATION_METHOD_OOB 5108 | SM_STK_GENERATION_METHOD_PASSKEY 5109 | SM_STK_GENERATION_METHOD_NUMERIC_COMPARISON; 5110 5111 sm_max_encryption_key_size = 16; 5112 sm_min_encryption_key_size = 7; 5113 5114 sm_fixed_passkey_in_display_role = 0xffffffffU; 5115 sm_reconstruct_ltk_without_le_device_db_entry = true; 5116 5117 gap_random_adress_update_period = 15 * 60 * 1000L; 5118 5119 test_use_fixed_local_csrk = false; 5120 5121 // other 5122 btstack_run_loop_set_timer_handler(&sm_run_timer, &sm_run_timer_handler); 5123 5124 // register for HCI Events 5125 hci_event_callback_registration.callback = &sm_event_packet_handler; 5126 hci_add_event_handler(&hci_event_callback_registration); 5127 5128 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 5129 // register for L2CAP events 5130 l2cap_event_callback_registration.callback = &sm_event_packet_handler; 5131 l2cap_add_event_handler(&l2cap_event_callback_registration); 5132 #endif 5133 5134 // 5135 btstack_crypto_init(); 5136 5137 // init le_device_db 5138 le_device_db_init(); 5139 5140 // and L2CAP PDUs + L2CAP_EVENT_CAN_SEND_NOW 5141 l2cap_register_fixed_channel(sm_pdu_handler, L2CAP_CID_SECURITY_MANAGER_PROTOCOL); 5142 #ifdef ENABLE_CLASSIC 5143 l2cap_register_fixed_channel(sm_pdu_handler, L2CAP_CID_BR_EDR_SECURITY_MANAGER); 5144 #endif 5145 5146 // state 5147 sm_state_reset(); 5148 5149 sm_initialized = true; 5150 } 5151 5152 void sm_deinit(void){ 5153 sm_initialized = false; 5154 btstack_run_loop_remove_timer(&sm_run_timer); 5155 #if defined(ENABLE_LE_SECURE_CONNECTIONS) && defined (ENABLE_LE_SECURE_CONNECTION_DEBUG_KEY) 5156 sm_sc_debug_keys_enabled = false; 5157 #endif 5158 } 5159 5160 void sm_use_fixed_passkey_in_display_role(uint32_t passkey){ 5161 sm_fixed_passkey_in_display_role = passkey; 5162 } 5163 5164 void sm_allow_ltk_reconstruction_without_le_device_db_entry(int allow){ 5165 sm_reconstruct_ltk_without_le_device_db_entry = allow != 0; 5166 } 5167 5168 static sm_connection_t * sm_get_connection_for_handle(hci_con_handle_t con_handle){ 5169 hci_connection_t * hci_con = hci_connection_for_handle(con_handle); 5170 if (!hci_con) return NULL; 5171 return &hci_con->sm_connection; 5172 } 5173 5174 static void sm_cache_ltk(sm_connection_t * connection, const sm_key_t ltk){ 5175 hci_connection_t * hci_con = hci_connection_for_handle(connection->sm_handle); 5176 btstack_assert(hci_con != NULL); 5177 memcpy(hci_con->link_key, ltk, 16); 5178 hci_con->link_key_type = COMBINATION_KEY; 5179 } 5180 5181 #ifdef ENABLE_CROSS_TRANSPORT_KEY_DERIVATION 5182 static sm_connection_t * sm_get_connection_for_bd_addr_and_type(bd_addr_t address, bd_addr_type_t addr_type){ 5183 hci_connection_t * hci_con = hci_connection_for_bd_addr_and_type(address, addr_type); 5184 if (!hci_con) return NULL; 5185 return &hci_con->sm_connection; 5186 } 5187 #endif 5188 5189 // @deprecated: map onto sm_request_pairing 5190 void sm_send_security_request(hci_con_handle_t con_handle){ 5191 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 5192 if (!sm_conn) return; 5193 if (!IS_RESPONDER(sm_conn->sm_role)) return; 5194 sm_request_pairing(con_handle); 5195 } 5196 5197 // request pairing 5198 void sm_request_pairing(hci_con_handle_t con_handle){ 5199 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 5200 if (!sm_conn) return; // wrong connection 5201 5202 bool have_ltk; 5203 uint8_t ltk[16]; 5204 bool auth_required; 5205 int authenticated; 5206 bool trigger_reencryption; 5207 log_info("sm_request_pairing in role %u, state %u", sm_conn->sm_role, sm_conn->sm_engine_state); 5208 if (IS_RESPONDER(sm_conn->sm_role)){ 5209 switch (sm_conn->sm_engine_state){ 5210 case SM_GENERAL_IDLE: 5211 case SM_RESPONDER_IDLE: 5212 switch (sm_conn->sm_irk_lookup_state){ 5213 case IRK_LOOKUP_SUCCEEDED: 5214 le_device_db_encryption_get(sm_conn->sm_le_db_index, NULL, NULL, ltk, NULL, NULL, NULL, NULL); 5215 have_ltk = !sm_is_null_key(ltk); 5216 log_info("have ltk %u", have_ltk); 5217 if (have_ltk){ 5218 sm_conn->sm_pairing_requested = true; 5219 sm_conn->sm_engine_state = SM_RESPONDER_SEND_SECURITY_REQUEST; 5220 sm_reencryption_started(sm_conn); 5221 break; 5222 } 5223 /* fall through */ 5224 5225 case IRK_LOOKUP_FAILED: 5226 sm_conn->sm_pairing_requested = true; 5227 sm_conn->sm_engine_state = SM_RESPONDER_SEND_SECURITY_REQUEST; 5228 sm_pairing_started(sm_conn); 5229 break; 5230 default: 5231 log_info("irk lookup pending"); 5232 sm_conn->sm_pairing_requested = true; 5233 break; 5234 } 5235 break; 5236 default: 5237 break; 5238 } 5239 } else { 5240 // used as a trigger to start central/master/initiator security procedures 5241 switch (sm_conn->sm_engine_state){ 5242 case SM_INITIATOR_CONNECTED: 5243 switch (sm_conn->sm_irk_lookup_state){ 5244 case IRK_LOOKUP_SUCCEEDED: 5245 le_device_db_encryption_get(sm_conn->sm_le_db_index, NULL, NULL, ltk, NULL, &authenticated, NULL, NULL); 5246 have_ltk = !sm_is_null_key(ltk); 5247 auth_required = sm_auth_req & SM_AUTHREQ_MITM_PROTECTION; 5248 // re-encrypt is sufficient if we have ltk and that is either already authenticated or we don't require authentication 5249 trigger_reencryption = have_ltk && ((authenticated != 0) || (auth_required == false)); 5250 log_info("have ltk %u, authenticated %u, auth required %u => reencrypt %u", have_ltk, authenticated, auth_required, trigger_reencryption); 5251 if (trigger_reencryption){ 5252 sm_conn->sm_pairing_requested = true; 5253 sm_conn->sm_engine_state = SM_INITIATOR_PH4_HAS_LTK; 5254 break; 5255 } 5256 /* fall through */ 5257 5258 case IRK_LOOKUP_FAILED: 5259 sm_conn->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 5260 break; 5261 default: 5262 log_info("irk lookup pending"); 5263 sm_conn->sm_pairing_requested = true; 5264 break; 5265 } 5266 break; 5267 case SM_GENERAL_REENCRYPTION_FAILED: 5268 sm_conn->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 5269 break; 5270 case SM_GENERAL_IDLE: 5271 sm_conn->sm_pairing_requested = true; 5272 break; 5273 default: 5274 break; 5275 } 5276 } 5277 sm_trigger_run(); 5278 } 5279 5280 // called by client app on authorization request 5281 void sm_authorization_decline(hci_con_handle_t con_handle){ 5282 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 5283 if (!sm_conn) return; // wrong connection 5284 sm_conn->sm_connection_authorization_state = AUTHORIZATION_DECLINED; 5285 sm_notify_client_status(SM_EVENT_AUTHORIZATION_RESULT, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address, 0); 5286 } 5287 5288 void sm_authorization_grant(hci_con_handle_t con_handle){ 5289 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 5290 if (!sm_conn) return; // wrong connection 5291 sm_conn->sm_connection_authorization_state = AUTHORIZATION_GRANTED; 5292 sm_notify_client_status(SM_EVENT_AUTHORIZATION_RESULT, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address, 1); 5293 } 5294 5295 // GAP Bonding API 5296 5297 void sm_bonding_decline(hci_con_handle_t con_handle){ 5298 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 5299 if (!sm_conn) return; // wrong connection 5300 setup->sm_user_response = SM_USER_RESPONSE_DECLINE; 5301 log_info("decline, state %u", sm_conn->sm_engine_state); 5302 switch(sm_conn->sm_engine_state){ 5303 #ifdef ENABLE_LE_SECURE_CONNECTIONS 5304 case SM_SC_W4_USER_RESPONSE: 5305 case SM_SC_W4_CONFIRMATION: 5306 case SM_SC_W4_PUBLIC_KEY_COMMAND: 5307 #endif 5308 case SM_PH1_W4_USER_RESPONSE: 5309 switch (setup->sm_stk_generation_method){ 5310 case PK_RESP_INPUT: 5311 case PK_INIT_INPUT: 5312 case PK_BOTH_INPUT: 5313 sm_pairing_error(sm_conn, SM_REASON_PASSKEY_ENTRY_FAILED); 5314 break; 5315 case NUMERIC_COMPARISON: 5316 sm_pairing_error(sm_conn, SM_REASON_NUMERIC_COMPARISON_FAILED); 5317 break; 5318 case JUST_WORKS: 5319 case OOB: 5320 sm_pairing_error(sm_conn, SM_REASON_UNSPECIFIED_REASON); 5321 break; 5322 default: 5323 btstack_assert(false); 5324 break; 5325 } 5326 break; 5327 default: 5328 break; 5329 } 5330 sm_trigger_run(); 5331 } 5332 5333 void sm_just_works_confirm(hci_con_handle_t con_handle){ 5334 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 5335 if (!sm_conn) return; // wrong connection 5336 setup->sm_user_response = SM_USER_RESPONSE_CONFIRM; 5337 if (sm_conn->sm_engine_state == SM_PH1_W4_USER_RESPONSE){ 5338 if (setup->sm_use_secure_connections){ 5339 sm_conn->sm_engine_state = SM_SC_SEND_PUBLIC_KEY_COMMAND; 5340 } else { 5341 btstack_crypto_random_generate(&sm_crypto_random_request, setup->sm_local_random, 16, &sm_handle_random_result_ph2_random, (void *)(uintptr_t) sm_conn->sm_handle); 5342 } 5343 } 5344 5345 #ifdef ENABLE_LE_SECURE_CONNECTIONS 5346 if (sm_conn->sm_engine_state == SM_SC_W4_USER_RESPONSE){ 5347 sm_sc_prepare_dhkey_check(sm_conn); 5348 } 5349 #endif 5350 5351 sm_trigger_run(); 5352 } 5353 5354 void sm_numeric_comparison_confirm(hci_con_handle_t con_handle){ 5355 // for now, it's the same 5356 sm_just_works_confirm(con_handle); 5357 } 5358 5359 void sm_passkey_input(hci_con_handle_t con_handle, uint32_t passkey){ 5360 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 5361 if (!sm_conn) return; // wrong connection 5362 sm_reset_tk(); 5363 big_endian_store_32(setup->sm_tk, 12, passkey); 5364 setup->sm_user_response = SM_USER_RESPONSE_PASSKEY; 5365 if (sm_conn->sm_engine_state == SM_PH1_W4_USER_RESPONSE){ 5366 btstack_crypto_random_generate(&sm_crypto_random_request, setup->sm_local_random, 16, &sm_handle_random_result_ph2_random, (void *)(uintptr_t) sm_conn->sm_handle); 5367 } 5368 #ifdef ENABLE_LE_SECURE_CONNECTIONS 5369 (void)memcpy(setup->sm_ra, setup->sm_tk, 16); 5370 (void)memcpy(setup->sm_rb, setup->sm_tk, 16); 5371 if (sm_conn->sm_engine_state == SM_SC_W4_USER_RESPONSE){ 5372 sm_sc_start_calculating_local_confirm(sm_conn); 5373 } 5374 #endif 5375 sm_trigger_run(); 5376 } 5377 5378 void sm_keypress_notification(hci_con_handle_t con_handle, uint8_t action){ 5379 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 5380 if (!sm_conn) return; // wrong connection 5381 if (action > SM_KEYPRESS_PASSKEY_ENTRY_COMPLETED) return; 5382 uint8_t num_actions = setup->sm_keypress_notification >> 5; 5383 uint8_t flags = setup->sm_keypress_notification & 0x1fu; 5384 switch (action){ 5385 case SM_KEYPRESS_PASSKEY_ENTRY_STARTED: 5386 case SM_KEYPRESS_PASSKEY_ENTRY_COMPLETED: 5387 flags |= (1u << action); 5388 break; 5389 case SM_KEYPRESS_PASSKEY_CLEARED: 5390 // clear counter, keypress & erased flags + set passkey cleared 5391 flags = (flags & 0x19u) | (1u << SM_KEYPRESS_PASSKEY_CLEARED); 5392 break; 5393 case SM_KEYPRESS_PASSKEY_DIGIT_ENTERED: 5394 if ((flags & (1u << SM_KEYPRESS_PASSKEY_DIGIT_ERASED)) != 0u){ 5395 // erase actions queued 5396 num_actions--; 5397 if (num_actions == 0u){ 5398 // clear counter, keypress & erased flags 5399 flags &= 0x19u; 5400 } 5401 break; 5402 } 5403 num_actions++; 5404 flags |= (1u << SM_KEYPRESS_PASSKEY_DIGIT_ENTERED); 5405 break; 5406 case SM_KEYPRESS_PASSKEY_DIGIT_ERASED: 5407 if ((flags & (1u << SM_KEYPRESS_PASSKEY_DIGIT_ENTERED)) != 0u){ 5408 // enter actions queued 5409 num_actions--; 5410 if (num_actions == 0u){ 5411 // clear counter, keypress & erased flags 5412 flags &= 0x19u; 5413 } 5414 break; 5415 } 5416 num_actions++; 5417 flags |= (1u << SM_KEYPRESS_PASSKEY_DIGIT_ERASED); 5418 break; 5419 default: 5420 break; 5421 } 5422 setup->sm_keypress_notification = (num_actions << 5) | flags; 5423 sm_trigger_run(); 5424 } 5425 5426 #ifdef ENABLE_LE_SECURE_CONNECTIONS 5427 static void sm_handle_random_result_oob(void * arg){ 5428 UNUSED(arg); 5429 sm_sc_oob_state = SM_SC_OOB_W2_CALC_CONFIRM; 5430 sm_trigger_run(); 5431 } 5432 uint8_t sm_generate_sc_oob_data(void (*callback)(const uint8_t * confirm_value, const uint8_t * random_value)){ 5433 5434 static btstack_crypto_random_t sm_crypto_random_oob_request; 5435 5436 if (sm_sc_oob_state != SM_SC_OOB_IDLE) return ERROR_CODE_COMMAND_DISALLOWED; 5437 sm_sc_oob_callback = callback; 5438 sm_sc_oob_state = SM_SC_OOB_W4_RANDOM; 5439 btstack_crypto_random_generate(&sm_crypto_random_oob_request, sm_sc_oob_random, 16, &sm_handle_random_result_oob, NULL); 5440 return 0; 5441 } 5442 #endif 5443 5444 /** 5445 * @brief Get Identity Resolving state 5446 * @param con_handle 5447 * @return irk_lookup_state_t 5448 */ 5449 irk_lookup_state_t sm_identity_resolving_state(hci_con_handle_t con_handle){ 5450 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 5451 if (!sm_conn) return IRK_LOOKUP_IDLE; 5452 return sm_conn->sm_irk_lookup_state; 5453 } 5454 5455 /** 5456 * @brief Identify device in LE Device DB 5457 * @param handle 5458 * @return index from le_device_db or -1 if not found/identified 5459 */ 5460 int sm_le_device_index(hci_con_handle_t con_handle ){ 5461 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 5462 if (!sm_conn) return -1; 5463 return sm_conn->sm_le_db_index; 5464 } 5465 5466 uint8_t sm_get_ltk(hci_con_handle_t con_handle, sm_key_t ltk){ 5467 hci_connection_t * hci_connection = hci_connection_for_handle(con_handle); 5468 if (hci_connection == NULL){ 5469 return ERROR_CODE_UNKNOWN_CONNECTION_IDENTIFIER; 5470 } 5471 if (hci_connection->link_key_type == INVALID_LINK_KEY){ 5472 return ERROR_CODE_PIN_OR_KEY_MISSING; 5473 } 5474 memcpy(ltk, hci_connection->link_key, 16); 5475 return ERROR_CODE_SUCCESS; 5476 } 5477 5478 static int gap_random_address_type_requires_updates(void){ 5479 switch (gap_random_adress_type){ 5480 case GAP_RANDOM_ADDRESS_TYPE_OFF: 5481 case GAP_RANDOM_ADDRESS_TYPE_STATIC: 5482 return 0; 5483 default: 5484 return 1; 5485 } 5486 } 5487 5488 static uint8_t own_address_type(void){ 5489 switch (gap_random_adress_type){ 5490 case GAP_RANDOM_ADDRESS_TYPE_OFF: 5491 return BD_ADDR_TYPE_LE_PUBLIC; 5492 default: 5493 return BD_ADDR_TYPE_LE_RANDOM; 5494 } 5495 } 5496 5497 // GAP LE API 5498 void gap_random_address_set_mode(gap_random_address_type_t random_address_type){ 5499 gap_random_address_update_stop(); 5500 gap_random_adress_type = random_address_type; 5501 hci_le_set_own_address_type(own_address_type()); 5502 if (!gap_random_address_type_requires_updates()) return; 5503 gap_random_address_update_start(); 5504 gap_random_address_trigger(); 5505 } 5506 5507 gap_random_address_type_t gap_random_address_get_mode(void){ 5508 return gap_random_adress_type; 5509 } 5510 5511 void gap_random_address_set_update_period(int period_ms){ 5512 gap_random_adress_update_period = period_ms; 5513 if (!gap_random_address_type_requires_updates()) return; 5514 gap_random_address_update_stop(); 5515 gap_random_address_update_start(); 5516 } 5517 5518 void gap_random_address_set(const bd_addr_t addr){ 5519 gap_random_address_set_mode(GAP_RANDOM_ADDRESS_TYPE_STATIC); 5520 (void)memcpy(sm_random_address, addr, 6); 5521 // assert msb bits are set to '11' 5522 sm_random_address[0] |= 0xc0; 5523 hci_le_random_address_set(sm_random_address); 5524 } 5525 5526 #ifdef ENABLE_LE_PERIPHERAL 5527 /* 5528 * @brief Set Advertisement Paramters 5529 * @param adv_int_min 5530 * @param adv_int_max 5531 * @param adv_type 5532 * @param direct_address_type 5533 * @param direct_address 5534 * @param channel_map 5535 * @param filter_policy 5536 * 5537 * @note own_address_type is used from gap_random_address_set_mode 5538 */ 5539 void gap_advertisements_set_params(uint16_t adv_int_min, uint16_t adv_int_max, uint8_t adv_type, 5540 uint8_t direct_address_typ, bd_addr_t direct_address, uint8_t channel_map, uint8_t filter_policy){ 5541 hci_le_advertisements_set_params(adv_int_min, adv_int_max, adv_type, 5542 direct_address_typ, direct_address, channel_map, filter_policy); 5543 } 5544 #endif 5545 5546 bool gap_reconnect_security_setup_active(hci_con_handle_t con_handle){ 5547 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 5548 // wrong connection 5549 if (!sm_conn) return false; 5550 // already encrypted 5551 if (sm_conn->sm_connection_encrypted) return false; 5552 // irk status? 5553 switch(sm_conn->sm_irk_lookup_state){ 5554 case IRK_LOOKUP_FAILED: 5555 // done, cannot setup encryption 5556 return false; 5557 case IRK_LOOKUP_SUCCEEDED: 5558 break; 5559 default: 5560 // IR Lookup pending 5561 return true; 5562 } 5563 // IRK Lookup Succeeded, re-encryption should be initiated. When done, state gets reset or indicates failure 5564 if (sm_conn->sm_engine_state == SM_GENERAL_REENCRYPTION_FAILED) return false; 5565 if (sm_conn->sm_role != 0){ 5566 return sm_conn->sm_engine_state != SM_RESPONDER_IDLE; 5567 } else { 5568 return sm_conn->sm_engine_state != SM_INITIATOR_CONNECTED; 5569 } 5570 } 5571 5572 void sm_set_secure_connections_only_mode(bool enable){ 5573 #ifdef ENABLE_LE_SECURE_CONNECTIONS 5574 sm_sc_only_mode = enable; 5575 #else 5576 // SC Only mode not possible without support for SC 5577 btstack_assert(enable == false); 5578 #endif 5579 } 5580 5581 #if defined(ENABLE_LE_SECURE_CONNECTIONS) && defined (ENABLE_LE_SECURE_CONNECTION_DEBUG_KEY) 5582 void sm_test_enable_secure_connections_debug_keys(void) { 5583 log_info("Enable LE Secure Connection Debug Keys for testing"); 5584 sm_sc_debug_keys_enabled = true; 5585 // set debug key 5586 sm_ec_generate_new_key(); 5587 } 5588 #endif 5589 5590 const uint8_t * gap_get_persistent_irk(void){ 5591 return sm_persistent_irk; 5592 } 5593 5594 void gap_delete_bonding(bd_addr_type_t address_type, bd_addr_t address){ 5595 int index = sm_le_device_db_index_lookup(address_type, address); 5596 if (index >= 0){ 5597 sm_remove_le_device_db_entry(index); 5598 } 5599 } 5600