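/*
 * Copyright (C) 2014 BlueKitchen GmbH
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the copyright holders nor the names of
 *    contributors may be used to endorse or promote products derived
 *    from this software without specific prior written permission.
 * 4. Any redistribution, use, or modification is done solely for
 *    personal benefit and not for any commercial purpose or for
 *    monetary gain.
 *
 * THIS SOFTWARE IS PROVIDED BY BLUEKITCHEN GMBH AND CONTRIBUTORS
 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL MATTHIAS
 * RINGWALD OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
 * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * Please inquire about commercial licensing options at
 * [email protected]
 *
 */

/*
 * Public interface of the LE Security Manager: protocol constants from the
 * Bluetooth specification plus the calls that configure pairing policy and
 * report the security level of a connection.
 */

#ifndef __SM_H
#define __SM_H

#include <stdint.h>
#include "utils.h"

#if defined __cplusplus
extern "C" {
#endif


// Bluetooth Spec definitions
// Security Manager command codes; values run consecutively from 0x01.
typedef enum {
    SM_CODE_PAIRING_REQUEST = 0x01,
    SM_CODE_PAIRING_RESPONSE,
    SM_CODE_PAIRING_CONFIRM,
    SM_CODE_PAIRING_RANDOM,
    SM_CODE_PAIRING_FAILED,
    SM_CODE_ENCRYPTION_INFORMATION,
    SM_CODE_MASTER_IDENTIFICATION,
    SM_CODE_IDENTITY_INFORMATION,
    SM_CODE_IDENTITY_ADDRESS_INFORMATION,
    SM_CODE_SIGNING_INFORMATION,
    SM_CODE_SECURITY_REQUEST
} SECURITY_MANAGER_COMMANDS;

// IO Capability Values
typedef enum {
    IO_CAPABILITY_DISPLAY_ONLY = 0,
    IO_CAPABILITY_DISPLAY_YES_NO,
    IO_CAPABILITY_KEYBOARD_ONLY,
    IO_CAPABILITY_NO_INPUT_NO_OUTPUT,
    IO_CAPABILITY_KEYBOARD_DISPLAY, // not used by secure simple pairing
} io_capability_t;


// Authentication requirement flags
#define SM_AUTHREQ_NO_BONDING 0x00
#define SM_AUTHREQ_BONDING 0x01
#define SM_AUTHREQ_MITM_PROTECTION 0x04

// Key distribution flags used by spec
#define SM_KEYDIST_ENC_KEY 0x01
#define SM_KEYDIST_ID_KEY 0x02
#define SM_KEYDIST_SIGN 0x04

// Key distribution flags used internally
// One bit per distributed PDU, so these do not map 1:1 onto the spec flags above.
#define SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION 0x01
#define SM_KEYDIST_FLAG_MASTER_IDENTIFICATION 0x02
#define SM_KEYDIST_FLAG_IDENTITY_INFORMATION 0x04
#define SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION 0x08
#define SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION 0x10

// STK Generation Methods
// Bit mask values, combined for sm_set_accepted_stk_generation_methods().
#define SM_STK_GENERATION_METHOD_JUST_WORKS 0x01
#define SM_STK_GENERATION_METHOD_OOB 0x02
#define SM_STK_GENERATION_METHOD_PASSKEY 0x04

// Pairing Failed Reasons
// The spelling of PASSKEYT and AUTHENTHICATION is part of the public macro
// names and is kept so that existing callers keep compiling.
#define SM_REASON_RESERVED 0x00
#define SM_REASON_PASSKEYT_ENTRY_FAILED 0x01
#define SM_REASON_OOB_NOT_AVAILABLE 0x02
#define SM_REASON_AUTHENTHICATION_REQUIREMENTS 0x03
#define SM_REASON_CONFIRM_VALUE_FAILED 0x04
#define SM_REASON_PAIRING_NOT_SUPPORTED 0x05
#define SM_REASON_ENCRYPTION_KEY_SIZE 0x06
#define SM_REASON_COMMAND_NOT_SUPPORTED 0x07
#define SM_REASON_UNSPECIFIED_REASON 0x08
#define SM_REASON_REPEATED_ATTEMPTS 0x09
// also, invalid parameters
// and reserved

// Only for PTS testing
// NOTE(review): presumably overrides the local IRK with the given value; keep
// it out of production builds so the identity key is never a known constant.
void sm_test_set_irk(sm_key_t irk);

// List entry holding one address and its type.
// NOTE(review): presumably the element queued by sm_address_resolution_lookup() - confirm.
typedef struct {
    linked_item_t item;
    bd_addr_t address;
    bd_addr_type_t address_type;
} sm_lookup_entry_t;

/* API_START */

/*
 * The per-connection calls below take a uint16_t handle.
 * NOTE(review): presumably the HCI connection handle - confirm against the implementation.
 */

/**
 * @brief Initializes the Security Manager, connects to L2CAP
 */
void sm_init(void);

/**
 * @brief Set secret ER key for key generation as described in Core V4.0, Vol 3, Part G, 5.2.2
 * @param er secret root value
 * @note NOTE(review): keys generated from ER can only be as unpredictable as ER itself,
 *       so it should be random and unique per device rather than a constant shared by a
 *       firmware image - confirm how the default is chosen.
 */
void sm_set_er(sm_key_t er);

/**
 * @brief Set secret IR key for key generation as described in Core V4.0, Vol 3, Part G, 5.2.2
 * @param ir secret root value
 * @note NOTE(review): same requirement as for ER - random and unique per device.
 */
void sm_set_ir(sm_key_t ir);

/**
 *
 * @brief Registers OOB Data Callback. The callback should set the oob_data and return 1 if OOB data is available
 * @param get_oob_data_callback called with the peer's address type and address and a buffer to fill
 * @note NOTE(review): the size of the oob_data buffer is not visible in this header
 *       (presumably 16 bytes) - confirm before writing to it.
 */
void sm_register_oob_data_callback( int (*get_oob_data_callback)(uint8_t address_type, bd_addr_t addr, uint8_t * oob_data));

/**
 *
 * @brief Registers packet handler. Called by att_server.c
 * @param handler
 */
void sm_register_packet_handler(btstack_packet_handler_t handler);

/**
 * @brief Limit the STK generation methods. Bonding is stopped if the resulting one isn't in the list
 * @param accepted_stk_generation_methods OR combination of SM_STK_GENERATION_METHOD_
 * @note Leaving SM_STK_GENERATION_METHOD_JUST_WORKS out of the mask makes a pairing that
 *       would end up as Just Works stop instead of completing without MITM protection
 *       (sm_authenticated() reports 1 only for OOB/Passkey).
 */
void sm_set_accepted_stk_generation_methods(uint8_t accepted_stk_generation_methods);

/**
 * @brief Set the accepted encryption key size range. Bonding is stopped if the result isn't within the range
 * @param min_size (default 7)
 * @param max_size (default 16)
 * @note The negotiated size may be anything in the range, so min_size is the weakest key
 *       this device will accept; the default of 7 allows a 56-bit key. Set min_size to 16
 *       when every expected peer supports full-length keys.
 */
void sm_set_encryption_key_size_range(uint8_t min_size, uint8_t max_size);

/**
 * @brief Sets the requested authentication requirements, bonding yes/no, MITM yes/no
 * @param auth_req OR combination of SM_AUTHREQ_ flags
 * @note SM_AUTHREQ_MITM_PROTECTION is a request; check sm_authenticated() after pairing
 *       before treating the link as MITM-protected.
 */
void sm_set_authentication_requirements(uint8_t auth_req);

/**
 * @brief Sets the available IO Capabilities
 * @param io_capability one of IO_CAPABILITY_
 */
void sm_set_io_capabilities(io_capability_t io_capability);

/**
 * @brief Let Peripheral request an encrypted connection right after connecting
 * @param enable
 * @note Not used normally. Bonding is triggered by access to protected attributes in ATT Server
 */
void sm_set_request_security(int enable);

/**
 * @brief Trigger Security Request
 * @param handle connection the request is sent on
 * @note Not used normally. Bonding is triggered by access to protected attributes in ATT Server
 */
void sm_send_security_request(uint16_t handle);

/**
 * @brief Decline bonding triggered by event before
 * @param handle connection whose bonding is declined
 */
void sm_bonding_decline(uint16_t handle);

/**
 * @brief Confirm Just Works bonding
 * @param handle connection whose bonding is confirmed
 */
void sm_just_works_confirm(uint16_t handle);

/**
 * @brief Reports passkey input by user
 * @param handle connection the passkey belongs to
 * @param passkey in [0..999999]
 * @note NOTE(review): no range check is visible at this level; validate user input
 *       against the documented range before calling.
 */
void sm_passkey_input(uint16_t handle, uint32_t passkey);

/**
 *
 * @brief Get encryption key size.
 * @param handle connection to query
 * @return 0 if not encrypted, 7-16 otherwise
 * @note A non-zero result only means the link is encrypted; code that protects sensitive
 *       attributes should compare the value with the size it requires.
 */
int sm_encryption_key_size(uint16_t handle);

/**
 * @brief Get authentication property.
 * @param handle connection to query
 * @return 1 if bonded with OOB/Passkey (AND MITM protection)
 */
int sm_authenticated(uint16_t handle);

/**
 * @brief Queries authorization state.
 * @param handle connection to query
 * @return authorization_state for the current session
 */
authorization_state_t sm_authorization_state(uint16_t handle);

/**
 * @brief Used by att_server.c to request user authorization.
 * @param handle connection to pair on
 */
void sm_request_pairing(uint16_t handle);

/**
 * @brief Report user authorization decline.
 * @param handle connection the decision applies to
 */
void sm_authorization_decline(uint16_t handle);

/**
 * @brief Report user authorization grant.
 * @param handle connection the decision applies to
 */
void sm_authorization_grant(uint16_t handle);

/**
 * @brief Support for signed writes, used by att_server.
 * @note Message and result are in little endian to allow passing in ATT PDU without flipping.
 * @note calculated hash in done_callback is big endian
 * @note NOTE(review): sm_cmac_start() is presumably valid only while sm_cmac_ready() returns
 *       non-zero, and message presumably has to stay valid until done_handler runs - confirm.
 *       Replay protection is not visible here; the caller has to check sign_counter itself.
 */
int sm_cmac_ready(void);
void sm_cmac_start(sm_key_t k, uint8_t opcode, uint16_t attribute_handle, uint16_t message_len, uint8_t * message, uint32_t sign_counter, void (*done_handler)(uint8_t hash[8]));

/**
 * @brief Match address against bonded devices
 * @param addr_type
 * @param addr
 * @return 0 if successfully added to lookup queue
 * @note Triggers SM_IDENTITY_RESOLVING_* events
 */
int sm_address_resolution_lookup(uint8_t addr_type, bd_addr_t addr);

/**
 * @brief Identify device in LE Device DB.
 * @param handle
 * @return index from le_device_db or -1 if not found/identified
 */
int sm_le_device_index(uint16_t handle );
/* API_END */

// testing only
// NOTE(review): presumably replaces the local CSRK with a fixed value; signatures made with
// a known key authenticate nothing, so keep this out of production builds.
void sm_test_use_fixed_local_csrk(void);

#if defined __cplusplus
}
#endif

#endif // __SM_H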