xref: /btstack/src/btstack_crypto.c (revision 88949f844376f979826afad7a30727a235ee4f0c)
1 /*
2  * Copyright (C) 2017 BlueKitchen GmbH
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  *
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  * 3. Neither the name of the copyright holders nor the names of
14  *    contributors may be used to endorse or promote products derived
15  *    from this software without specific prior written permission.
16  *
17  * THIS SOFTWARE IS PROVIDED BY MATTHIAS RINGWALD AND CONTRIBUTORS
18  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
19  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
20  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL MATTHIAS
21  * RINGWALD OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
22  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
23  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
24  * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
25  * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
26  * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
27  * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28  * SUCH DAMAGE.
29  *
30  */
31 
32 #define __BTSTACK_FILE__ "btstack_crypto.c"
33 
34 /*
35  * btstack_crypto.h
36  *
37  * Central place for all crypto-related functions with completion callbacks to allow
38  * using of MCU crypto peripherals or the Bluetooth controller
39  */
40 
41 #include "btstack_crypto.h"
42 
43 #include "btstack_debug.h"
44 #include "btstack_event.h"
45 #include "btstack_linked_list.h"
46 #include "btstack_util.h"
47 #include "hci.h"
48 
49 // backwards-compatitility ENABLE_MICRO_ECC_FOR_LE_SECURE_CONNECTIONS -> ENABLE_MICRO_ECC_P256
50 #if defined(ENABLE_MICRO_ECC_FOR_LE_SECURE_CONNECTIONS) && !defined(ENABLE_MICRO_ECC_P256)
51 #define ENABLE_MICRO_ECC_P256
52 #endif
53 
54 // configure ECC implementations
55 #if defined(ENABLE_MICRO_ECC_P256) && defined(HAVE_MBEDTLS_ECC_P256)
56 #error "If you have mbedTLS (HAVE_MBEDTLS_ECC_P256), please disable uECC (ENABLE_MICRO_ECC_P256) in bstack_config.h"
57 #endif
58 
59 // Software ECC-P256 implementation provided by micro-ecc
60 #ifdef ENABLE_MICRO_ECC_P256
61 #define ENABLE_ECC_P256
62 #define USE_MICRO_ECC_P256
63 #define USE_SOFTWARE_ECC_P256_IMPLEMENTATION
64 #include "uECC.h"
65 #endif
66 
67 // Software ECC-P256 implementation provided by mbedTLS
68 #ifdef HAVE_MBEDTLS_ECC_P256
69 #define ENABLE_ECC_P256
70 #define USE_MBEDTLS_ECC_P256
71 #define USE_SOFTWARE_ECC_P256_IMPLEMENTATION
72 #include "mbedtls/config.h"
73 #include "mbedtls/platform.h"
74 #include "mbedtls/ecp.h"
75 #endif
76 
77 #if defined(ENABLE_LE_SECURE_CONNECTIONS) && !defined(ENABLE_ECC_P256)
78 #define ENABLE_ECC_P256
79 #endif
80 
81 // Software AES128
82 #ifdef HAVE_AES128
83 #define USE_BTSTACK_AES128
84 void btstack_aes128_calc(const uint8_t * key, const uint8_t * plaintext, uint8_t * result);
85 #endif
86 
87 // degbugging
88 // #define DEBUG_CCM
89 
90 typedef enum {
91     CMAC_IDLE,
92     CMAC_CALC_SUBKEYS,
93     CMAC_W4_SUBKEYS,
94     CMAC_CALC_MI,
95     CMAC_W4_MI,
96     CMAC_CALC_MLAST,
97     CMAC_W4_MLAST
98 } btstack_crypto_cmac_state_t;
99 
100 typedef enum {
101     ECC_P256_KEY_GENERATION_IDLE,
102     ECC_P256_KEY_GENERATION_GENERATING_RANDOM,
103     ECC_P256_KEY_GENERATION_ACTIVE,
104     ECC_P256_KEY_GENERATION_W4_KEY,
105     ECC_P256_KEY_GENERATION_DONE,
106 } btstack_crypto_ecc_p256_key_generation_state_t;
107 
108 static void btstack_crypto_run(void);
109 
110 const static uint8_t zero[16] = { 0 };
111 
112 static uint8_t btstack_crypto_initialized;
113 static btstack_linked_list_t btstack_crypto_operations;
114 static btstack_packet_callback_registration_t hci_event_callback_registration;
115 static uint8_t btstack_crypto_wait_for_hci_result;
116 
117 // state for AES-CMAC
118 static btstack_crypto_cmac_state_t btstack_crypto_cmac_state;
119 static sm_key_t btstack_crypto_cmac_k;
120 static sm_key_t btstack_crypto_cmac_x;
121 static sm_key_t btstack_crypto_cmac_m_last;
122 static uint8_t  btstack_crypto_cmac_block_current;
123 static uint8_t  btstack_crypto_cmac_block_count;
124 
125 // state for AES-CCM
126 #ifndef USE_BTSTACK_AES128
127 static uint8_t btstack_crypto_ccm_s[16];
128 #endif
129 
130 #ifdef ENABLE_ECC_P256
131 
132 static uint8_t  btstack_crypto_ecc_p256_public_key[64];
133 static uint8_t  btstack_crypto_ecc_p256_random[64];
134 static uint8_t  btstack_crypto_ecc_p256_random_len;
135 static uint8_t  btstack_crypto_ecc_p256_random_offset;
136 static btstack_crypto_ecc_p256_key_generation_state_t btstack_crypto_ecc_p256_key_generation_state;
137 
138 #ifdef USE_SOFTWARE_ECC_P256_IMPLEMENTATION
139 static uint8_t btstack_crypto_ecc_p256_d[32];
140 #endif
141 
142 // Software ECDH implementation provided by mbedtls
143 #ifdef USE_MBEDTLS_ECC_P256
144 static mbedtls_ecp_group   mbedtls_ec_group;
145 #endif
146 
147 #endif /* ENABLE_ECC_P256 */
148 
149 static void btstack_crypto_done(btstack_crypto_t * btstack_crypto){
150     btstack_linked_list_pop(&btstack_crypto_operations);
151     (*btstack_crypto->context_callback.callback)(btstack_crypto->context_callback.context);
152 }
153 
154 static inline void btstack_crypto_cmac_next_state(void){
155     btstack_crypto_cmac_state = (btstack_crypto_cmac_state_t) (((int)btstack_crypto_cmac_state) + 1);
156 }
157 
158 static int btstack_crypto_cmac_last_block_complete(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac){
159 	uint16_t len = btstack_crypto_cmac->size;
160     if (len == 0) return 0;
161     return (len & 0x0f) == 0;
162 }
163 
164 static void btstack_crypto_aes128_start(const sm_key_t key, const sm_key_t plaintext){
165  	uint8_t key_flipped[16];
166  	uint8_t plaintext_flipped[16];
167     reverse_128(key, key_flipped);
168     reverse_128(plaintext, plaintext_flipped);
169  	btstack_crypto_wait_for_hci_result = 1;
170     hci_send_cmd(&hci_le_encrypt, key_flipped, plaintext_flipped);
171 }
172 
173 static uint8_t btstack_crypto_cmac_get_byte(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac, uint16_t pos){
174 	if (btstack_crypto_cmac->btstack_crypto.operation == BTSTACK_CRYPTO_CMAC_GENERATOR){
175 		return (*btstack_crypto_cmac->data.get_byte_callback)(pos);
176 	} else {
177 		return btstack_crypto_cmac->data.message[pos];
178 	}
179 }
180 
181 static void btstack_crypto_cmac_handle_aes_engine_ready(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac){
182     switch (btstack_crypto_cmac_state){
183         case CMAC_CALC_SUBKEYS: {
184             sm_key_t const_zero;
185             memset(const_zero, 0, 16);
186             btstack_crypto_cmac_next_state();
187             btstack_crypto_aes128_start(btstack_crypto_cmac_k, const_zero);
188             break;
189         }
190         case CMAC_CALC_MI: {
191             int j;
192             sm_key_t y;
193             for (j=0;j<16;j++){
194                 y[j] = btstack_crypto_cmac_x[j] ^ btstack_crypto_cmac_get_byte(btstack_crypto_cmac, btstack_crypto_cmac_block_current*16 + j);
195             }
196             btstack_crypto_cmac_block_current++;
197             btstack_crypto_cmac_next_state();
198             btstack_crypto_aes128_start(btstack_crypto_cmac_k, y);
199             break;
200         }
201         case CMAC_CALC_MLAST: {
202             int i;
203             sm_key_t y;
204             for (i=0;i<16;i++){
205                 y[i] = btstack_crypto_cmac_x[i] ^ btstack_crypto_cmac_m_last[i];
206             }
207             btstack_crypto_cmac_block_current++;
208             btstack_crypto_cmac_next_state();
209             btstack_crypto_aes128_start(btstack_crypto_cmac_k, y);
210             break;
211         }
212         default:
213             log_info("btstack_crypto_cmac_handle_aes_engine_ready called in state %u", btstack_crypto_cmac_state);
214             break;
215     }
216 }
217 
218 static void btstack_crypto_cmac_shift_left_by_one_bit_inplace(int len, uint8_t * data){
219     int i;
220     int carry = 0;
221     for (i=len-1; i >= 0 ; i--){
222         int new_carry = data[i] >> 7;
223         data[i] = data[i] << 1 | carry;
224         carry = new_carry;
225     }
226 }
227 
228 static void btstack_crypto_cmac_handle_encryption_result(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac, sm_key_t data){
229     switch (btstack_crypto_cmac_state){
230         case CMAC_W4_SUBKEYS: {
231             sm_key_t k1;
232             memcpy(k1, data, 16);
233             btstack_crypto_cmac_shift_left_by_one_bit_inplace(16, k1);
234             if (data[0] & 0x80){
235                 k1[15] ^= 0x87;
236             }
237             sm_key_t k2;
238             memcpy(k2, k1, 16);
239             btstack_crypto_cmac_shift_left_by_one_bit_inplace(16, k2);
240             if (k1[0] & 0x80){
241                 k2[15] ^= 0x87;
242             }
243 
244             log_info_key("k", btstack_crypto_cmac_k);
245             log_info_key("k1", k1);
246             log_info_key("k2", k2);
247 
248             // step 4: set m_last
249             int i;
250             if (btstack_crypto_cmac_last_block_complete(btstack_crypto_cmac)){
251                 for (i=0;i<16;i++){
252                     btstack_crypto_cmac_m_last[i] = btstack_crypto_cmac_get_byte(btstack_crypto_cmac, btstack_crypto_cmac->size - 16 + i) ^ k1[i];
253                 }
254             } else {
255                 int valid_octets_in_last_block = btstack_crypto_cmac->size & 0x0f;
256                 for (i=0;i<16;i++){
257                     if (i < valid_octets_in_last_block){
258                         btstack_crypto_cmac_m_last[i] = btstack_crypto_cmac_get_byte(btstack_crypto_cmac, (btstack_crypto_cmac->size & 0xfff0) + i) ^ k2[i];
259                         continue;
260                     }
261                     if (i == valid_octets_in_last_block){
262                         btstack_crypto_cmac_m_last[i] = 0x80 ^ k2[i];
263                         continue;
264                     }
265                     btstack_crypto_cmac_m_last[i] = k2[i];
266                 }
267             }
268 
269             // next
270             btstack_crypto_cmac_state = btstack_crypto_cmac_block_current < btstack_crypto_cmac_block_count - 1 ? CMAC_CALC_MI : CMAC_CALC_MLAST;
271             break;
272         }
273         case CMAC_W4_MI:
274             memcpy(btstack_crypto_cmac_x, data, 16);
275             btstack_crypto_cmac_state = btstack_crypto_cmac_block_current < btstack_crypto_cmac_block_count - 1 ? CMAC_CALC_MI : CMAC_CALC_MLAST;
276             break;
277         case CMAC_W4_MLAST:
278             // done
279             log_info("Setting CMAC Engine to IDLE");
280             btstack_crypto_cmac_state = CMAC_IDLE;
281             log_info_key("CMAC", data);
282             memcpy(btstack_crypto_cmac->hash, data, 16);
283 			btstack_linked_list_pop(&btstack_crypto_operations);
284 			(*btstack_crypto_cmac->btstack_crypto.context_callback.callback)(btstack_crypto_cmac->btstack_crypto.context_callback.context);
285             break;
286         default:
287             log_info("btstack_crypto_cmac_handle_encryption_result called in state %u", btstack_crypto_cmac_state);
288             break;
289     }
290 }
291 
292 static void btstack_crypto_cmac_start(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac){
293 
294     memcpy(btstack_crypto_cmac_k, btstack_crypto_cmac->key, 16);
295     memset(btstack_crypto_cmac_x, 0, 16);
296     btstack_crypto_cmac_block_current = 0;
297 
298     // step 2: n := ceil(len/const_Bsize);
299     btstack_crypto_cmac_block_count = (btstack_crypto_cmac->size + 15) / 16;
300 
301     // step 3: ..
302     if (btstack_crypto_cmac_block_count==0){
303         btstack_crypto_cmac_block_count = 1;
304     }
305     log_info("btstack_crypto_cmac_start: len %u, block count %u", btstack_crypto_cmac->size, btstack_crypto_cmac_block_count);
306 
307     // first, we need to compute l for k1, k2, and m_last
308     btstack_crypto_cmac_state = CMAC_CALC_SUBKEYS;
309 
310     // let's go
311     btstack_crypto_cmac_handle_aes_engine_ready(btstack_crypto_cmac);
312 }
313 
314 #ifndef USE_BTSTACK_AES128
315 
316 /*
317   To encrypt the message data we use Counter (CTR) mode.  We first
318   define the key stream blocks by:
319 
320       S_i := E( K, A_i )   for i=0, 1, 2, ...
321 
322   The values A_i are formatted as follows, where the Counter field i is
323   encoded in most-significant-byte first order:
324 
325   Octet Number   Contents
326   ------------   ---------
327   0              Flags
328   1 ... 15-L     Nonce N
329   16-L ... 15    Counter i
330 
331   Bit Number   Contents
332   ----------   ----------------------
333   7            Reserved (always zero)
334   6            Reserved (always zero)
335   5 ... 3      Zero
336   2 ... 0      L'
337 */
338 
339 static void btstack_crypto_ccm_setup_a_i(btstack_crypto_ccm_t * btstack_crypto_ccm, uint16_t counter){
340     btstack_crypto_ccm_s[0] = 1;  // L' = L - 1
341     memcpy(&btstack_crypto_ccm_s[1], btstack_crypto_ccm->nonce, 13);
342     big_endian_store_16(btstack_crypto_ccm_s, 14, counter);
343 #ifdef DEBUG_CCM
344     printf("ststack_crypto_ccm_setup_a_%u\n", counter);
345     printf("%16s: ", "ai");
346     printf_hexdump(btstack_crypto_ccm_s, 16);
347 #endif
348 }
349 
350 /*
351  The first step is to compute the authentication field T.  This is
352    done using CBC-MAC [MAC].  We first define a sequence of blocks B_0,
353    B_1, ..., B_n and then apply CBC-MAC to these blocks.
354 
355    The first block B_0 is formatted as follows, where l(m) is encoded in
356    most-significant-byte first order:
357 
358       Octet Number   Contents
359       ------------   ---------
360       0              Flags
361       1 ... 15-L     Nonce N
362       16-L ... 15    l(m)
363 
364    Within the first block B_0, the Flags field is formatted as follows:
365 
366       Bit Number   Contents
367       ----------   ----------------------
368       7            Reserved (always zero)
369       6            Adata
370       5 ... 3      M'
371       2 ... 0      L'
372  */
373 
374 static void btstack_crypto_ccm_setup_b_0(btstack_crypto_ccm_t * btstack_crypto_ccm, uint8_t * b0){
375     uint8_t m_prime = (btstack_crypto_ccm->auth_len - 2) / 2;
376     uint8_t Adata   = btstack_crypto_ccm->aad_len ? 1 : 0;
377     b0[0] = (Adata << 6) | (m_prime << 3) | 1 ;  // Adata, M', L' = L - 1
378     memcpy(&b0[1], btstack_crypto_ccm->nonce, 13);
379     big_endian_store_16(b0, 14, btstack_crypto_ccm->message_len);
380 #ifdef DEBUG_CCM
381     printf("%16s: ", "B0");
382     printf_hexdump(b0, 16);
383 #endif
384 }
385 #endif
386 
387 #ifdef ENABLE_ECC_P256
388 
389 static void btstack_crypto_log_ec_publickey(const uint8_t * ec_q){
390     log_info("Elliptic curve: X");
391     log_info_hexdump(&ec_q[0],32);
392     log_info("Elliptic curve: Y");
393     log_info_hexdump(&ec_q[32],32);
394 }
395 
396 #if (defined(USE_MICRO_ECC_P256) && !defined(WICED_VERSION)) || defined(USE_MBEDTLS_ECC_P256)
397 // @return OK
398 static int sm_generate_f_rng(unsigned char * buffer, unsigned size){
399     if (btstack_crypto_ecc_p256_key_generation_state != ECC_P256_KEY_GENERATION_ACTIVE) return 0;
400     log_info("sm_generate_f_rng: size %u - offset %u", (int) size, btstack_crypto_ecc_p256_random_offset);
401     while (size) {
402         *buffer++ = btstack_crypto_ecc_p256_random[btstack_crypto_ecc_p256_random_offset++];
403         size--;
404     }
405     return 1;
406 }
407 #endif
408 #ifdef USE_MBEDTLS_ECC_P256
409 // @return error - just wrap sm_generate_f_rng
410 static int sm_generate_f_rng_mbedtls(void * context, unsigned char * buffer, size_t size){
411     UNUSED(context);
412     return sm_generate_f_rng(buffer, size) == 0;
413 }
414 #endif /* USE_MBEDTLS_ECC_P256 */
415 
416 static void btstack_crypto_ecc_p256_generate_key_software(void){
417 
418     btstack_crypto_ecc_p256_random_offset = 0;
419 
420     // generate EC key
421 #ifdef USE_MICRO_ECC_P256
422 
423 #ifndef WICED_VERSION
424     log_info("set uECC RNG for initial key generation with 64 random bytes");
425     // micro-ecc from WICED SDK uses its wiced_crypto_get_random by default - no need to set it
426     uECC_set_rng(&sm_generate_f_rng);
427 #endif /* WICED_VERSION */
428 
429 #if uECC_SUPPORTS_secp256r1
430     // standard version
431     uECC_make_key(btstack_crypto_ecc_p256_public_key, btstack_crypto_ecc_p256_d, uECC_secp256r1());
432 
433     // disable RNG again, as returning no randmon data lets shared key generation fail
434     log_info("disable uECC RNG in standard version after key generation");
435     uECC_set_rng(NULL);
436 #else
437     // static version
438     uECC_make_key(btstack_crypto_ecc_p256_public_key, btstack_crypto_ecc_p256_d);
439 #endif
440 #endif /* USE_MICRO_ECC_P256 */
441 
442 #ifdef USE_MBEDTLS_ECC_P256
443     mbedtls_mpi d;
444     mbedtls_ecp_point P;
445     mbedtls_mpi_init(&d);
446     mbedtls_ecp_point_init(&P);
447     int res = mbedtls_ecp_gen_keypair(&mbedtls_ec_group, &d, &P, &sm_generate_f_rng_mbedtls, NULL);
448     log_info("gen keypair %x", res);
449     mbedtls_mpi_write_binary(&P.X, &btstack_crypto_ecc_p256_public_key[0],  32);
450     mbedtls_mpi_write_binary(&P.Y, &btstack_crypto_ecc_p256_public_key[32], 32);
451     mbedtls_mpi_write_binary(&d, btstack_crypto_ecc_p256_d, 32);
452     mbedtls_ecp_point_free(&P);
453     mbedtls_mpi_free(&d);
454 #endif  /* USE_MBEDTLS_ECC_P256 */
455 }
456 
457 #ifdef USE_SOFTWARE_ECC_P256_IMPLEMENTATION
458 static void btstack_crypto_ecc_p256_calculate_dhkey_software(btstack_crypto_ecc_p256_t * btstack_crypto_ec_p192){
459     memset(btstack_crypto_ec_p192->dhkey, 0, 32);
460 
461 #ifdef USE_MICRO_ECC_P256
462 #if uECC_SUPPORTS_secp256r1
463     // standard version
464     uECC_shared_secret(btstack_crypto_ec_p192->public_key, btstack_crypto_ecc_p256_d, btstack_crypto_ec_p192->dhkey, uECC_secp256r1());
465 #else
466     // static version
467     uECC_shared_secret(btstack_crypto_ec_p192->public_key, btstack_crypto_ecc_p256_d, btstack_crypto_ec_p192->dhkey);
468 #endif
469 #endif
470 
471 #ifdef USE_MBEDTLS_ECC_P256
472     // da * Pb
473     mbedtls_mpi d;
474     mbedtls_ecp_point Q;
475     mbedtls_ecp_point DH;
476     mbedtls_mpi_init(&d);
477     mbedtls_ecp_point_init(&Q);
478     mbedtls_ecp_point_init(&DH);
479     mbedtls_mpi_read_binary(&d, btstack_crypto_ecc_p256_d, 32);
480     mbedtls_mpi_read_binary(&Q.X, &btstack_crypto_ec_p192->public_key[0] , 32);
481     mbedtls_mpi_read_binary(&Q.Y, &btstack_crypto_ec_p192->public_key[32], 32);
482     mbedtls_mpi_lset(&Q.Z, 1);
483     mbedtls_ecp_mul(&mbedtls_ec_group, &DH, &d, &Q, NULL, NULL);
484     mbedtls_mpi_write_binary(&DH.X, btstack_crypto_ec_p192->dhkey, 32);
485     mbedtls_ecp_point_free(&DH);
486     mbedtls_mpi_free(&d);
487     mbedtls_ecp_point_free(&Q);
488 #endif
489 
490     log_info("dhkey");
491     log_info_hexdump(btstack_crypto_ec_p192->dhkey, 32);
492 }
493 #endif
494 
495 #endif
496 
497 #ifdef USE_BTSTACK_AES128
498 // CCM not implemented using software AES128 yet
499 #else
500 
501 static void btstack_crypto_ccm_calc_s0(btstack_crypto_ccm_t * btstack_crypto_ccm){
502 #ifdef DEBUG_CCM
503     printf("btstack_crypto_ccm_calc_s0\n");
504 #endif
505     btstack_crypto_ccm->state = CCM_W4_S0;
506     btstack_crypto_ccm_setup_a_i(btstack_crypto_ccm, 0);
507     btstack_crypto_aes128_start(btstack_crypto_ccm->key, btstack_crypto_ccm_s);
508 }
509 
510 static void btstack_crypto_ccm_calc_sn(btstack_crypto_ccm_t * btstack_crypto_ccm){
511 #ifdef DEBUG_CCM
512     printf("btstack_crypto_ccm_calc_s%u\n", btstack_crypto_ccm->counter);
513 #endif
514     btstack_crypto_ccm->state = CCM_W4_SN;
515     btstack_crypto_ccm_setup_a_i(btstack_crypto_ccm, btstack_crypto_ccm->counter);
516     btstack_crypto_aes128_start(btstack_crypto_ccm->key, btstack_crypto_ccm_s);
517 }
518 
519 static void btstack_crypto_ccm_calc_x1(btstack_crypto_ccm_t * btstack_crypto_ccm){
520     uint8_t btstack_crypto_ccm_buffer[16];
521     btstack_crypto_ccm->state = CCM_W4_X1;
522     btstack_crypto_ccm_setup_b_0(btstack_crypto_ccm, btstack_crypto_ccm_buffer);
523     btstack_crypto_aes128_start(btstack_crypto_ccm->key, btstack_crypto_ccm_buffer);
524 }
525 
526 static void btstack_crypto_ccm_calc_xn(btstack_crypto_ccm_t * btstack_crypto_ccm, const uint8_t * plaintext){
527     int i;
528     int bytes_to_decrypt;
529     uint8_t btstack_crypto_ccm_buffer[16];
530     btstack_crypto_ccm->state = CCM_W4_XN;
531 
532 #ifdef DEBUG_CCM
533     printf("%16s: ", "bn");
534     printf_hexdump(plaintext, 16);
535 #endif
536     bytes_to_decrypt = btstack_min(btstack_crypto_ccm->block_len, 16);
537     i = 0;
538     while (i < bytes_to_decrypt){
539         btstack_crypto_ccm_buffer[i] =  btstack_crypto_ccm->x_i[i] ^ plaintext[i];
540         i++;
541     }
542     memcpy(&btstack_crypto_ccm_buffer[i], &btstack_crypto_ccm->x_i[i], 16 - bytes_to_decrypt);
543 #ifdef DEBUG_CCM
544     printf("%16s: ", "Xn XOR bn");
545     printf_hexdump(btstack_crypto_ccm_buffer, 16);
546 #endif
547 
548     btstack_crypto_aes128_start(btstack_crypto_ccm->key, btstack_crypto_ccm_buffer);
549 }
550 #endif
551 
552 static void btstack_crypto_ccm_calc_aad_xn(btstack_crypto_ccm_t * btstack_crypto_ccm){
553     // store length
554     if (btstack_crypto_ccm->aad_offset == 0){
555         uint8_t len_buffer[2];
556         big_endian_store_16(len_buffer, 0, btstack_crypto_ccm->aad_len);
557         btstack_crypto_ccm->x_i[0] ^= len_buffer[0];
558         btstack_crypto_ccm->x_i[1] ^= len_buffer[1];
559         btstack_crypto_ccm->aad_remainder_len += 2;
560         btstack_crypto_ccm->aad_offset        += 2;
561     }
562 
563     // fill from input
564     uint16_t bytes_free = 16 - btstack_crypto_ccm->aad_remainder_len;
565     uint16_t bytes_to_copy = btstack_min(bytes_free, btstack_crypto_ccm->block_len);
566     while (bytes_to_copy){
567         btstack_crypto_ccm->x_i[btstack_crypto_ccm->aad_remainder_len++] ^= *btstack_crypto_ccm->input++;
568         btstack_crypto_ccm->aad_offset++;
569         btstack_crypto_ccm->block_len--;
570         bytes_to_copy--;
571         bytes_free--;
572     }
573 
574     // if last block, fill with zeros
575     if (btstack_crypto_ccm->aad_offset == (btstack_crypto_ccm->aad_len + 2)){
576         btstack_crypto_ccm->aad_remainder_len = 16;
577     }
578     // if not full, notify done
579     if (btstack_crypto_ccm->aad_remainder_len < 16){
580         btstack_crypto_done(&btstack_crypto_ccm->btstack_crypto);
581         return;
582     }
583 
584     // encrypt block
585 #ifdef DEBUG_CCM
586     printf("%16s: ", "Xn XOR Bn (aad)");
587     printf_hexdump(btstack_crypto_ccm->x_i, 16);
588 #endif
589 
590     btstack_crypto_ccm->aad_remainder_len = 0;
591     btstack_crypto_ccm->state = CCM_W4_AAD_XN;
592     btstack_crypto_aes128_start(btstack_crypto_ccm->key, btstack_crypto_ccm->x_i);
593 }
594 
595 static void btstack_crypto_ccm_handle_s0(btstack_crypto_ccm_t * btstack_crypto_ccm, const uint8_t * data){
596     // data is little-endian, flip on the fly
597     int i;
598     for (i=0;i<16;i++){
599         btstack_crypto_ccm->x_i[i] = btstack_crypto_ccm->x_i[i] ^ data[15-i];
600     }
601     btstack_crypto_done(&btstack_crypto_ccm->btstack_crypto);
602 }
603 
604 static void btstack_crypto_ccm_handle_sn(btstack_crypto_ccm_t * btstack_crypto_ccm, const uint8_t * data){
605     // data is little-endian, flip on the fly
606     int i;
607     uint16_t bytes_to_process = btstack_min(btstack_crypto_ccm->block_len, 16);
608     for (i=0;i<bytes_to_process;i++){
609         btstack_crypto_ccm->output[i] = btstack_crypto_ccm->input[i] ^ data[15-i];
610     }
611 }
612 
613 static void btstack_crypto_ccm_next_block(btstack_crypto_ccm_t * btstack_crypto_ccm, btstack_crypto_ccm_state_t state_when_done){
614     uint16_t bytes_to_process = btstack_min(btstack_crypto_ccm->block_len, 16);
615     // next block
616     btstack_crypto_ccm->counter++;
617     btstack_crypto_ccm->input       += bytes_to_process;
618     btstack_crypto_ccm->output      += bytes_to_process;
619     btstack_crypto_ccm->block_len   -= bytes_to_process;
620     btstack_crypto_ccm->message_len -= bytes_to_process;
621 #ifdef DEBUG_CCM
622     printf("btstack_crypto_ccm_next_block (message len %u, block_len %u)\n", btstack_crypto_ccm->message_len, btstack_crypto_ccm->block_len);
623 #endif
624     if (btstack_crypto_ccm->message_len == 0){
625         btstack_crypto_ccm->state = CCM_CALCULATE_S0;
626     } else {
627         btstack_crypto_ccm->state = state_when_done;
628         if (btstack_crypto_ccm->block_len == 0){
629             btstack_crypto_done(&btstack_crypto_ccm->btstack_crypto);
630         }
631     }
632 }
633 
634 static void btstack_crypto_run(void){
635 
636     btstack_crypto_aes128_t        * btstack_crypto_aes128;
637     btstack_crypto_ccm_t           * btstack_crypto_ccm;
638     btstack_crypto_aes128_cmac_t   * btstack_crypto_cmac;
639 #ifdef ENABLE_ECC_P256
640     btstack_crypto_ecc_p256_t      * btstack_crypto_ec_p192;
641 #endif
642 
643     // stack up and running?
644     if (hci_get_state() != HCI_STATE_WORKING) return;
645 
646 	// already active?
647 	if (btstack_crypto_wait_for_hci_result) return;
648 
649 	// anything to do?
650 	if (btstack_linked_list_empty(&btstack_crypto_operations)) return;
651 
652     // can send a command?
653     if (!hci_can_send_command_packet_now()) return;
654 
655 	btstack_crypto_t * btstack_crypto = (btstack_crypto_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations);
656 	switch (btstack_crypto->operation){
657 		case BTSTACK_CRYPTO_RANDOM:
658 			btstack_crypto_wait_for_hci_result = 1;
659 		    hci_send_cmd(&hci_le_rand);
660 		    break;
661 		case BTSTACK_CRYPTO_AES128:
662             btstack_crypto_aes128 = (btstack_crypto_aes128_t *) btstack_crypto;
663 #ifdef USE_BTSTACK_AES128
664             btstack_aes128_calc(btstack_crypto_aes128->key, btstack_crypto_aes128->plaintext, btstack_crypto_aes128->ciphertext);
665             btstack_crypto_done(btstack_crypto);
666 #else
667             btstack_crypto_aes128_start(btstack_crypto_aes128->key, btstack_crypto_aes128->plaintext);
668 #endif
669 		    break;
670 		case BTSTACK_CRYPTO_CMAC_MESSAGE:
671 		case BTSTACK_CRYPTO_CMAC_GENERATOR:
672 			btstack_crypto_wait_for_hci_result = 1;
673 			btstack_crypto_cmac = (btstack_crypto_aes128_cmac_t *) btstack_crypto;
674 			if (btstack_crypto_cmac_state == CMAC_IDLE){
675 				btstack_crypto_cmac_start(btstack_crypto_cmac);
676 			} else {
677 				btstack_crypto_cmac_handle_aes_engine_ready(btstack_crypto_cmac);
678 			}
679 			break;
680 
681         case BTSTACK_CRYPTO_CCM_DIGEST_BLOCK:
682         case BTSTACK_CRYPTO_CCM_ENCRYPT_BLOCK:
683         case BTSTACK_CRYPTO_CCM_DECRYPT_BLOCK:
684 #ifdef USE_BTSTACK_AES128
685             UNUSED(btstack_crypto_ccm);
686             log_error("ccm not implemented for software aes128 yet");
687 #else
688             btstack_crypto_ccm = (btstack_crypto_ccm_t *) btstack_crypto;
689             switch (btstack_crypto_ccm->state){
690                 case CCM_CALCULATE_AAD_XN:
691                     btstack_crypto_ccm_calc_aad_xn(btstack_crypto_ccm);
692                     break;
693                 case CCM_CALCULATE_X1:
694                     btstack_crypto_ccm_calc_x1(btstack_crypto_ccm);
695                     break;
696                 case CCM_CALCULATE_S0:
697                     btstack_crypto_ccm_calc_s0(btstack_crypto_ccm);
698                     break;
699                 case CCM_CALCULATE_SN:
700                     btstack_crypto_ccm_calc_sn(btstack_crypto_ccm);
701                     break;
702                 case CCM_CALCULATE_XN:
703                     btstack_crypto_ccm_calc_xn(btstack_crypto_ccm, btstack_crypto->operation == BTSTACK_CRYPTO_CCM_ENCRYPT_BLOCK ? btstack_crypto_ccm->input : btstack_crypto_ccm->output);
704                     break;
705                 default:
706                     break;
707             }
708 #endif
709             break;
710 
711 #ifdef ENABLE_ECC_P256
712         case BTSTACK_CRYPTO_ECC_P256_GENERATE_KEY:
713             btstack_crypto_ec_p192 = (btstack_crypto_ecc_p256_t *) btstack_crypto;
714             switch (btstack_crypto_ecc_p256_key_generation_state){
715                 case ECC_P256_KEY_GENERATION_DONE:
716                     // done
717                     btstack_crypto_log_ec_publickey(btstack_crypto_ecc_p256_public_key);
718                     memcpy(btstack_crypto_ec_p192->public_key, btstack_crypto_ecc_p256_public_key, 64);
719                     btstack_linked_list_pop(&btstack_crypto_operations);
720                     (*btstack_crypto_ec_p192->btstack_crypto.context_callback.callback)(btstack_crypto_ec_p192->btstack_crypto.context_callback.context);
721                     break;
722                 case ECC_P256_KEY_GENERATION_IDLE:
723 #ifdef USE_SOFTWARE_ECC_P256_IMPLEMENTATION
724                     log_info("start ecc random");
725                     btstack_crypto_ecc_p256_key_generation_state = ECC_P256_KEY_GENERATION_GENERATING_RANDOM;
726                     btstack_crypto_ecc_p256_random_offset = 0;
727                     btstack_crypto_wait_for_hci_result = 1;
728                     hci_send_cmd(&hci_le_rand);
729 #else
730                     btstack_crypto_ecc_p256_key_generation_state = ECC_P256_KEY_GENERATION_W4_KEY;
731                     btstack_crypto_wait_for_hci_result = 1;
732                     hci_send_cmd(&hci_le_read_local_p256_public_key);
733 #endif
734                     break;
735 #ifdef USE_SOFTWARE_ECC_P256_IMPLEMENTATION
736                 case ECC_P256_KEY_GENERATION_GENERATING_RANDOM:
737                     log_info("more ecc random");
738                     btstack_crypto_wait_for_hci_result = 1;
739                     hci_send_cmd(&hci_le_rand);
740                     break;
741 #endif
742                 default:
743                     break;
744             }
745             break;
746         case BTSTACK_CRYPTO_ECC_P256_CALCULATE_DHKEY:
747             btstack_crypto_ec_p192 = (btstack_crypto_ecc_p256_t *) btstack_crypto;
748 #ifdef USE_SOFTWARE_ECC_P256_IMPLEMENTATION
749             btstack_crypto_ecc_p256_calculate_dhkey_software(btstack_crypto_ec_p192);
750             // done
751             btstack_linked_list_pop(&btstack_crypto_operations);
752             (*btstack_crypto_ec_p192->btstack_crypto.context_callback.callback)(btstack_crypto_ec_p192->btstack_crypto.context_callback.context);
753 #else
754             btstack_crypto_wait_for_hci_result = 1;
755             hci_send_cmd(&hci_le_generate_dhkey, &btstack_crypto_ec_p192->public_key[0], &btstack_crypto_ec_p192->public_key[32]);
756 #endif
757             break;
758 
759 #endif /* ENABLE_ECC_P256 */
760 
761         default:
762             break;
763     }
764 }
765 
766 static void btstack_crypto_handle_random_data(const uint8_t * data, uint16_t len){
767     btstack_crypto_random_t * btstack_crypto_random;
768     btstack_crypto_t * btstack_crypto = (btstack_crypto_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations);
769     uint16_t bytes_to_copy;
770 	if (!btstack_crypto) return;
771     switch (btstack_crypto->operation){
772         case BTSTACK_CRYPTO_RANDOM:
773             btstack_crypto_random = (btstack_crypto_random_t*) btstack_crypto;
774             bytes_to_copy = btstack_min(btstack_crypto_random->size, len);
775             memcpy(btstack_crypto_random->buffer, data, bytes_to_copy);
776             btstack_crypto_random->buffer += bytes_to_copy;
777             btstack_crypto_random->size   -= bytes_to_copy;
778             // data processed, more?
779             if (!btstack_crypto_random->size) {
780                 // done
781                 btstack_linked_list_pop(&btstack_crypto_operations);
782                 (*btstack_crypto_random->btstack_crypto.context_callback.callback)(btstack_crypto_random->btstack_crypto.context_callback.context);
783             }
784             break;
785 #ifdef ENABLE_ECC_P256
786         case BTSTACK_CRYPTO_ECC_P256_GENERATE_KEY:
787             memcpy(&btstack_crypto_ecc_p256_random[btstack_crypto_ecc_p256_random_len], data, 8);
788             btstack_crypto_ecc_p256_random_len += 8;
789             if (btstack_crypto_ecc_p256_random_len >= 64) {
790                 btstack_crypto_ecc_p256_key_generation_state = ECC_P256_KEY_GENERATION_ACTIVE;
791                 btstack_crypto_ecc_p256_generate_key_software();
792                 btstack_crypto_ecc_p256_key_generation_state = ECC_P256_KEY_GENERATION_DONE;
793             }
794             break;
795 #endif
796         default:
797             break;
798     }
799 	// more work?
800 	btstack_crypto_run();
801 }
802 
803 static void btstack_crypto_handle_encryption_result(const uint8_t * data){
804 	btstack_crypto_aes128_t      * btstack_crypto_aes128;
805 	btstack_crypto_aes128_cmac_t * btstack_crypto_cmac;
806     btstack_crypto_ccm_t         * btstack_crypto_ccm;
807 	uint8_t result[16];
808 
809     btstack_crypto_t * btstack_crypto = (btstack_crypto_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations);
810 	if (!btstack_crypto) return;
811 	switch (btstack_crypto->operation){
812 		case BTSTACK_CRYPTO_AES128:
813 			btstack_crypto_aes128 = (btstack_crypto_aes128_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations);
814 		    reverse_128(data, btstack_crypto_aes128->ciphertext);
815             btstack_crypto_done(btstack_crypto);
816 			break;
817 		case BTSTACK_CRYPTO_CMAC_GENERATOR:
818 		case BTSTACK_CRYPTO_CMAC_MESSAGE:
819 			btstack_crypto_cmac = (btstack_crypto_aes128_cmac_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations);
820 		    reverse_128(data, result);
821 		    btstack_crypto_cmac_handle_encryption_result(btstack_crypto_cmac, result);
822 			break;
823         case BTSTACK_CRYPTO_CCM_DIGEST_BLOCK:
824             btstack_crypto_ccm = (btstack_crypto_ccm_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations);
825             switch (btstack_crypto_ccm->state){
826                 case CCM_W4_X1:
827                     reverse_128(data, btstack_crypto_ccm->x_i);
828 #ifdef DEBUG_CCM
829     printf("%16s: ", "X1");
830     printf_hexdump(btstack_crypto_ccm->x_i, 16);
831 #endif
832                     btstack_crypto_ccm->aad_remainder_len = 0;
833                     btstack_crypto_ccm->state = CCM_CALCULATE_AAD_XN;
834                     break;
835                 case CCM_W4_AAD_XN:
836                     reverse_128(data, btstack_crypto_ccm->x_i);
837 #ifdef DEBUG_CCM
838     printf("%16s: ", "Xn+1 AAD");
839     printf_hexdump(btstack_crypto_ccm->x_i, 16);
840 #endif
841                     // more aad?
842                     if (btstack_crypto_ccm->aad_offset < (btstack_crypto_ccm->aad_len + 2)){
843                         btstack_crypto_ccm->state = CCM_CALCULATE_AAD_XN;
844                     } else {
845                         // done
846                         btstack_crypto_done(btstack_crypto);
847                     }
848                     break;
849                 default:
850                     break;
851             }
852             break;
853         case BTSTACK_CRYPTO_CCM_ENCRYPT_BLOCK:
854             btstack_crypto_ccm = (btstack_crypto_ccm_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations);
855             switch (btstack_crypto_ccm->state){
856                 case CCM_W4_X1:
857                     reverse_128(data, btstack_crypto_ccm->x_i);
858 #ifdef DEBUG_CCM
859     printf("%16s: ", "X1");
860     printf_hexdump(btstack_crypto_ccm->x_i, 16);
861 #endif
862                     btstack_crypto_ccm->state = CCM_CALCULATE_XN;
863                     break;
864                 case CCM_W4_XN:
865                     reverse_128(data, btstack_crypto_ccm->x_i);
866 #ifdef DEBUG_CCM
867     printf("%16s: ", "Xn+1");
868     printf_hexdump(btstack_crypto_ccm->x_i, 16);
869 #endif
870                     btstack_crypto_ccm->state = CCM_CALCULATE_SN;
871                     break;
872                 case CCM_W4_S0:
873 #ifdef DEBUG_CCM
874     reverse_128(data, result);
875     printf("%16s: ", "X0");
876     printf_hexdump(btstack_crypto_ccm->x_i, 16);
877 #endif
878                     btstack_crypto_ccm_handle_s0(btstack_crypto_ccm, data);
879                     break;
880                 case CCM_W4_SN:
881 #ifdef DEBUG_CCM
882     reverse_128(data, result);
883     printf("%16s: ", "Sn");
884     printf_hexdump(btstack_crypto_ccm->x_i, 16);
885 #endif
886                     btstack_crypto_ccm_handle_sn(btstack_crypto_ccm, data);
887                     btstack_crypto_ccm_next_block(btstack_crypto_ccm, CCM_CALCULATE_XN);
888                     break;
889                 default:
890                     break;
891             }
892             break;
893         case BTSTACK_CRYPTO_CCM_DECRYPT_BLOCK:
894             btstack_crypto_ccm = (btstack_crypto_ccm_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations);
895             switch (btstack_crypto_ccm->state){
896                 case CCM_W4_X1:
897                     reverse_128(data, btstack_crypto_ccm->x_i);
898 #ifdef DEBUG_CCM
899     printf("%16s: ", "X1");
900     printf_hexdump(btstack_crypto_ccm->x_i, 16);
901 #endif
902                     btstack_crypto_ccm->state = CCM_CALCULATE_SN;
903                     break;
904                 case CCM_W4_XN:
905                     reverse_128(data, btstack_crypto_ccm->x_i);
906 #ifdef DEBUG_CCM
907     printf("%16s: ", "Xn+1");
908     printf_hexdump(btstack_crypto_ccm->x_i, 16);
909 #endif
910                     btstack_crypto_ccm_next_block(btstack_crypto_ccm, CCM_CALCULATE_SN);
911                     break;
912                 case CCM_W4_S0:
913                     btstack_crypto_ccm_handle_s0(btstack_crypto_ccm, data);
914                     break;
915                 case CCM_W4_SN:
916                     btstack_crypto_ccm_handle_sn(btstack_crypto_ccm, data);
917                     btstack_crypto_ccm->state = CCM_CALCULATE_XN;
918                     break;
919                 default:
920                     break;
921             }
922             break;
923 		default:
924 			break;
925 	}
926 }
927 
928 static void btstack_crypto_event_handler(uint8_t packet_type, uint16_t cid, uint8_t *packet, uint16_t size){
929     UNUSED(cid);         // ok: there is no channel
930     UNUSED(size);        // ok: fixed format events read from HCI buffer
931 
932 #ifdef ENABLE_ECC_P256
933 #ifndef USE_SOFTWARE_ECC_P256_IMPLEMENTATION
934     btstack_crypto_ecc_p256_t * btstack_crypto_ec_p192;
935 #endif
936 #endif
937 
938     if (packet_type != HCI_EVENT_PACKET)  return;
939 
940     switch (hci_event_packet_get_type(packet)){
941         case HCI_EVENT_COMMAND_COMPLETE:
942     	    if (HCI_EVENT_IS_COMMAND_COMPLETE(packet, hci_le_encrypt)){
943                 if (hci_get_state() != HCI_STATE_WORKING) return;
944                 if (!btstack_crypto_wait_for_hci_result) return;
945                 btstack_crypto_wait_for_hci_result = 0;
946     	        btstack_crypto_handle_encryption_result(&packet[6]);
947     	    }
948     	    if (HCI_EVENT_IS_COMMAND_COMPLETE(packet, hci_le_rand)){
949                 if (hci_get_state() != HCI_STATE_WORKING) return;
950                 if (!btstack_crypto_wait_for_hci_result) return;
951                 btstack_crypto_wait_for_hci_result = 0;
952     	        btstack_crypto_handle_random_data(&packet[6], 8);
953     	    }
954             if (HCI_EVENT_IS_COMMAND_COMPLETE(packet, hci_read_local_supported_commands)){
955                 int ecdh_operations_supported = (packet[OFFSET_OF_DATA_IN_COMMAND_COMPLETE+1+34] & 0x06) == 0x06;
956                 log_info("controller supports ECDH operation: %u", ecdh_operations_supported);
957 #ifdef ENABLE_ECC_P256
958 #ifndef USE_SOFTWARE_ECC_P256_IMPLEMENTATION
959                 if (!ecdh_operations_supported){
960                     // mbedTLS can also be used if already available (and malloc is supported)
961                     log_error("ECC-P256 support enabled, but HCI Controller doesn't support it. Please add ENABLE_MICRO_ECC_FOR_LE_SECURE_CONNECTIONS to btstack_config.h");
962                 }
963 #endif
964 #endif
965             }
966             break;
967 
968 #ifdef ENABLE_ECC_P256
969 #ifndef USE_SOFTWARE_ECC_P256_IMPLEMENTATION
970         case HCI_EVENT_LE_META:
971             btstack_crypto_ec_p192 = (btstack_crypto_ecc_p256_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations);
972             if (!btstack_crypto_ec_p192) break;
973             switch (hci_event_le_meta_get_subevent_code(packet)){
974                 case HCI_SUBEVENT_LE_READ_LOCAL_P256_PUBLIC_KEY_COMPLETE:
975                     if (btstack_crypto_ec_p192->btstack_crypto.operation != BTSTACK_CRYPTO_ECC_P256_GENERATE_KEY) break;
976                     if (!btstack_crypto_wait_for_hci_result) return;
977                     btstack_crypto_wait_for_hci_result = 0;
978                     if (hci_subevent_le_read_local_p256_public_key_complete_get_status(packet)){
979                         log_error("Read Local P256 Public Key failed");
980                     }
981                     hci_subevent_le_read_local_p256_public_key_complete_get_dhkey_x(packet, &btstack_crypto_ecc_p256_public_key[0]);
982                     hci_subevent_le_read_local_p256_public_key_complete_get_dhkey_y(packet, &btstack_crypto_ecc_p256_public_key[32]);
983                     btstack_crypto_ecc_p256_key_generation_state = ECC_P256_KEY_GENERATION_DONE;
984                     break;
985                 case HCI_SUBEVENT_LE_GENERATE_DHKEY_COMPLETE:
986                     if (btstack_crypto_ec_p192->btstack_crypto.operation != BTSTACK_CRYPTO_ECC_P256_CALCULATE_DHKEY) break;
987                     if (!btstack_crypto_wait_for_hci_result) return;
988                     btstack_crypto_wait_for_hci_result = 0;
989                     if (hci_subevent_le_generate_dhkey_complete_get_status(packet)){
990                         log_error("Generate DHKEY failed -> abort");
991                     }
992                     hci_subevent_le_generate_dhkey_complete_get_dhkey(packet, btstack_crypto_ec_p192->dhkey);
993                     // done
994                     btstack_linked_list_pop(&btstack_crypto_operations);
995                     (*btstack_crypto_ec_p192->btstack_crypto.context_callback.callback)(btstack_crypto_ec_p192->btstack_crypto.context_callback.context);
996                     break;
997                 default:
998                     break;
999             }
1000             break;
1001 #endif
1002 #endif
1003         default:
1004             break;
1005     }
1006 
1007     // try processing
1008 	btstack_crypto_run();
1009 }
1010 
1011 void btstack_crypto_init(void){
1012 	if (btstack_crypto_initialized) return;
1013 	btstack_crypto_initialized = 1;
1014 
1015 	// register with HCI
1016     hci_event_callback_registration.callback = &btstack_crypto_event_handler;
1017     hci_add_event_handler(&hci_event_callback_registration);
1018 
1019 #ifdef USE_MBEDTLS_ECC_P256
1020 	mbedtls_ecp_group_init(&mbedtls_ec_group);
1021 	mbedtls_ecp_group_load(&mbedtls_ec_group, MBEDTLS_ECP_DP_SECP256R1);
1022 #endif
1023 }
1024 
1025 void btstack_crypto_random_generate(btstack_crypto_random_t * request, uint8_t * buffer, uint16_t size, void (* callback)(void * arg), void * callback_arg){
1026 	request->btstack_crypto.context_callback.callback  = callback;
1027 	request->btstack_crypto.context_callback.context   = callback_arg;
1028 	request->btstack_crypto.operation         		   = BTSTACK_CRYPTO_RANDOM;
1029 	request->buffer = buffer;
1030 	request->size   = size;
1031 	btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request);
1032 	btstack_crypto_run();
1033 }
1034 
1035 void btstack_crypto_aes128_encrypt(btstack_crypto_aes128_t * request, const uint8_t * key, const uint8_t * plaintext, uint8_t * ciphertext, void (* callback)(void * arg), void * callback_arg){
1036 	request->btstack_crypto.context_callback.callback  = callback;
1037 	request->btstack_crypto.context_callback.context   = callback_arg;
1038 	request->btstack_crypto.operation         		   = BTSTACK_CRYPTO_AES128;
1039 	request->key 									   = key;
1040 	request->plaintext      					       = plaintext;
1041 	request->ciphertext 							   = ciphertext;
1042 	btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request);
1043 	btstack_crypto_run();
1044 }
1045 
1046 void btstack_crypto_aes128_cmac_generator(btstack_crypto_aes128_cmac_t * request, const uint8_t * key, uint16_t size, uint8_t (*get_byte_callback)(uint16_t pos), uint8_t * hash, void (* callback)(void * arg), void * callback_arg){
1047 	request->btstack_crypto.context_callback.callback  = callback;
1048 	request->btstack_crypto.context_callback.context   = callback_arg;
1049 	request->btstack_crypto.operation         		   = BTSTACK_CRYPTO_CMAC_GENERATOR;
1050 	request->key 									   = key;
1051 	request->size 									   = size;
1052 	request->data.get_byte_callback					   = get_byte_callback;
1053 	request->hash 									   = hash;
1054 	btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request);
1055 	btstack_crypto_run();
1056 }
1057 
1058 void btstack_crypto_aes128_cmac_message(btstack_crypto_aes128_cmac_t * request, const uint8_t * key, uint16_t size, const uint8_t * message, uint8_t * hash, void (* callback)(void * arg), void * callback_arg){
1059 	request->btstack_crypto.context_callback.callback  = callback;
1060 	request->btstack_crypto.context_callback.context   = callback_arg;
1061 	request->btstack_crypto.operation         		   = BTSTACK_CRYPTO_CMAC_MESSAGE;
1062 	request->key 									   = key;
1063 	request->size 									   = size;
1064 	request->data.message      						   = message;
1065 	request->hash 									   = hash;
1066 	btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request);
1067 	btstack_crypto_run();
1068 }
1069 
1070 void btstack_crypto_aes128_cmac_zero(btstack_crypto_aes128_cmac_t * request, uint16_t len, const uint8_t * message,  uint8_t * hash, void (* callback)(void * arg), void * callback_arg){
1071     request->btstack_crypto.context_callback.callback  = callback;
1072     request->btstack_crypto.context_callback.context   = callback_arg;
1073     request->btstack_crypto.operation                  = BTSTACK_CRYPTO_CMAC_MESSAGE;
1074     request->key                                       = zero;
1075     request->size                                      = len;
1076     request->data.message                              = message;
1077     request->hash                                      = hash;
1078     btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request);
1079     btstack_crypto_run();
1080 }
1081 
1082 #ifdef ENABLE_ECC_P256
1083 void btstack_crypto_ecc_p256_generate_key(btstack_crypto_ecc_p256_t * request, uint8_t * public_key, void (* callback)(void * arg), void * callback_arg){
1084     // reset key generation
1085     if (btstack_crypto_ecc_p256_key_generation_state == ECC_P256_KEY_GENERATION_DONE){
1086         btstack_crypto_ecc_p256_random_len = 0;
1087         btstack_crypto_ecc_p256_key_generation_state = ECC_P256_KEY_GENERATION_IDLE;
1088     }
1089     request->btstack_crypto.context_callback.callback  = callback;
1090     request->btstack_crypto.context_callback.context   = callback_arg;
1091     request->btstack_crypto.operation                  = BTSTACK_CRYPTO_ECC_P256_GENERATE_KEY;
1092     request->public_key                                = public_key;
1093     btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request);
1094     btstack_crypto_run();
1095 }
1096 
1097 void btstack_crypto_ecc_p256_calculate_dhkey(btstack_crypto_ecc_p256_t * request, const uint8_t * public_key, uint8_t * dhkey, void (* callback)(void * arg), void * callback_arg){
1098     request->btstack_crypto.context_callback.callback  = callback;
1099     request->btstack_crypto.context_callback.context   = callback_arg;
1100     request->btstack_crypto.operation                  = BTSTACK_CRYPTO_ECC_P256_CALCULATE_DHKEY;
1101     request->public_key                                = (uint8_t *) public_key;
1102     request->dhkey                                     = dhkey;
1103     btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request);
1104     btstack_crypto_run();
1105 }
1106 
1107 int btstack_crypto_ecc_p256_validate_public_key(const uint8_t * public_key){
1108 
1109     // validate public key using micro-ecc
1110     int err = 0;
1111 
1112 #ifdef USE_MICRO_ECC_P256
1113 #if uECC_SUPPORTS_secp256r1
1114     // standard version
1115     err = uECC_valid_public_key(public_key, uECC_secp256r1()) == 0;
1116 #else
1117     // static version
1118     err = uECC_valid_public_key(public_key) == 0;
1119 #endif
1120 #endif
1121 
1122 #ifdef USE_MBEDTLS_ECC_P256
1123     mbedtls_ecp_point Q;
1124     mbedtls_ecp_point_init( &Q );
1125     mbedtls_mpi_read_binary(&Q.X, &public_key[0], 32);
1126     mbedtls_mpi_read_binary(&Q.Y, &public_key[32], 32);
1127     mbedtls_mpi_lset(&Q.Z, 1);
1128     err = mbedtls_ecp_check_pubkey(&mbedtls_ec_group, &Q);
1129     mbedtls_ecp_point_free( & Q);
1130 #endif
1131 
1132     if (err){
1133         log_error("public key invalid %x", err);
1134     }
1135     return  err;
1136 }
1137 #endif
1138 
1139 void btstack_crypto_ccm_init(btstack_crypto_ccm_t * request, const uint8_t * key, const uint8_t * nonce, uint16_t message_len, uint16_t additional_authenticated_data_len, uint8_t auth_len){
1140     request->key         = key;
1141     request->nonce       = nonce;
1142     request->message_len = message_len;
1143     request->aad_len     = additional_authenticated_data_len;
1144     request->aad_offset  = 0;
1145     request->auth_len    = auth_len;
1146     request->counter     = 1;
1147     request->state       = CCM_CALCULATE_X1;
1148 }
1149 
1150 void btstack_crypto_ccm_digest(btstack_crypto_ccm_t * request, uint8_t * additional_authenticated_data, uint16_t additional_authenticated_data_len, void (* callback)(void * arg), void * callback_arg){
1151     // not implemented yet
1152     request->btstack_crypto.context_callback.callback  = callback;
1153     request->btstack_crypto.context_callback.context   = callback_arg;
1154     request->btstack_crypto.operation                  = BTSTACK_CRYPTO_CCM_DIGEST_BLOCK;
1155     request->block_len                                 = additional_authenticated_data_len;
1156     request->input                                     = additional_authenticated_data;
1157     btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request);
1158     btstack_crypto_run();
1159 }
1160 
1161 void btstack_crypto_ccm_get_authentication_value(btstack_crypto_ccm_t * request, uint8_t * authentication_value){
1162     memcpy(authentication_value, request->x_i, request->auth_len);
1163 }
1164 
1165 void btstack_crypto_ccm_encrypt_block(btstack_crypto_ccm_t * request, uint16_t block_len, const uint8_t * plaintext, uint8_t * ciphertext, void (* callback)(void * arg), void * callback_arg){
1166 #ifdef DEBUG_CCM
1167     printf("\nbtstack_crypto_ccm_encrypt_block, len %u\n", block_len);
1168 #endif
1169     request->btstack_crypto.context_callback.callback  = callback;
1170     request->btstack_crypto.context_callback.context   = callback_arg;
1171     request->btstack_crypto.operation                  = BTSTACK_CRYPTO_CCM_ENCRYPT_BLOCK;
1172     request->block_len                                 = block_len;
1173     request->input                                     = plaintext;
1174     request->output                                    = ciphertext;
1175     if (request->state != CCM_CALCULATE_X1){
1176         request->state  = CCM_CALCULATE_XN;
1177     }
1178     btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request);
1179     btstack_crypto_run();
1180 }
1181 
1182 void btstack_crypto_ccm_decrypt_block(btstack_crypto_ccm_t * request, uint16_t block_len, const uint8_t * ciphertext, uint8_t * plaintext, void (* callback)(void * arg), void * callback_arg){
1183     request->btstack_crypto.context_callback.callback  = callback;
1184     request->btstack_crypto.context_callback.context   = callback_arg;
1185     request->btstack_crypto.operation                  = BTSTACK_CRYPTO_CCM_DECRYPT_BLOCK;
1186     request->block_len                                 = block_len;
1187     request->input                                     = ciphertext;
1188     request->output                                    = plaintext;
1189     if (request->state != CCM_CALCULATE_X1){
1190         request->state  = CCM_CALCULATE_SN;
1191     }
1192     btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request);
1193     btstack_crypto_run();
1194 }
1195 
1196