1 /* 2 * Copyright (C) 2017 BlueKitchen GmbH 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of the copyright holders nor the names of 14 * contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY BLUEKITCHEN GMBH AND CONTRIBUTORS 18 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 19 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 20 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BLUEKITCHEN 21 * GMBH OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 23 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS 24 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 25 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 26 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF 27 * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28 * SUCH DAMAGE. 29 * 30 */ 31 32 #define BTSTACK_FILE__ "btstack_crypto.c" 33 34 /* 35 * btstack_crypto.h 36 * 37 * Central place for all crypto-related functions with completion callbacks to allow 38 * using of MCU crypto peripherals or the Bluetooth controller 39 */ 40 41 #include "btstack_crypto.h" 42 43 #include "btstack_debug.h" 44 #include "btstack_event.h" 45 #include "btstack_linked_list.h" 46 #include "btstack_util.h" 47 #include "btstack_bool.h" 48 #include "hci.h" 49 50 // 51 // AES128 Configuration 52 // 53 54 // By default, AES128 is computed by Bluetooth Controller using HCI Command/Event asynchronously 55 // as fallback/alternative, a software implementation can be used 56 // configure ECC implementations 57 #if defined(HAVE_AES128) && defined(ENABLE_SOFTWARE_AES128) 58 #error "If you have custom AES128 implementation (HAVE_AES128), please disable software AES128 (ENABLE_SOFTWARE_AES128) in bstack_config.h" 59 #endif 60 61 #ifdef ENABLE_SOFTWARE_AES128 62 #define HAVE_AES128 63 #include "rijndael.h" 64 #endif 65 66 #ifdef HAVE_AES128 67 #define USE_BTSTACK_AES128 68 #endif 69 70 // 71 // ECC Configuration 72 // 73 74 // backwards-compatitility ENABLE_MICRO_ECC_FOR_LE_SECURE_CONNECTIONS -> ENABLE_MICRO_ECC_P256 75 #if defined(ENABLE_MICRO_ECC_FOR_LE_SECURE_CONNECTIONS) && !defined(ENABLE_MICRO_ECC_P256) 76 #define ENABLE_MICRO_ECC_P256 77 #endif 78 79 // configure ECC implementations 80 #if defined(ENABLE_MICRO_ECC_P256) && defined(HAVE_MBEDTLS_ECC_P256) 81 #error "If you have mbedTLS (HAVE_MBEDTLS_ECC_P256), please disable uECC (ENABLE_MICRO_ECC_P256) in bstack_config.h" 82 #endif 83 84 // Software ECC-P256 implementation provided by micro-ecc 85 #ifdef ENABLE_MICRO_ECC_P256 86 #define ENABLE_ECC_P256 87 #define USE_MICRO_ECC_P256 88 #define USE_SOFTWARE_ECC_P256_IMPLEMENTATION 89 #include "uECC.h" 90 #endif 91 92 // Software ECC-P256 implementation provided by mbedTLS, allow config via MBEDTLS_CONFIG_FILE 93 #ifdef HAVE_MBEDTLS_ECC_P256 94 #define ENABLE_ECC_P256 95 #define USE_MBEDTLS_ECC_P256 96 #define USE_SOFTWARE_ECC_P256_IMPLEMENTATION 97 #ifdef MBEDTLS_CONFIG_FILE 98 // cppcheck-suppress preprocessorErrorDirective 99 #include MBEDTLS_CONFIG_FILE 100 #else 101 #include "mbedtls/mbedtls_config.h" 102 #endif 103 #include "mbedtls/platform.h" 104 #include "mbedtls/ecp.h" 105 #endif 106 107 #if defined(ENABLE_LE_SECURE_CONNECTIONS) && !defined(ENABLE_ECC_P256) 108 #define ENABLE_ECC_P256 109 #endif 110 111 // debugging 112 // #define DEBUG_CCM 113 114 typedef enum { 115 CMAC_IDLE, 116 CMAC_CALC_SUBKEYS, 117 CMAC_W4_SUBKEYS, 118 CMAC_CALC_MI, 119 CMAC_W4_MI, 120 CMAC_CALC_MLAST, 121 CMAC_W4_MLAST 122 } btstack_crypto_cmac_state_t; 123 124 typedef enum { 125 ECC_P256_KEY_GENERATION_IDLE, 126 ECC_P256_KEY_GENERATION_GENERATING_RANDOM, 127 ECC_P256_KEY_GENERATION_ACTIVE, 128 ECC_P256_KEY_GENERATION_W4_KEY, 129 ECC_P256_KEY_GENERATION_DONE, 130 } btstack_crypto_ecc_p256_key_generation_state_t; 131 132 static void btstack_crypto_run(void); 133 static void btstack_crypto_state_reset(void); 134 135 static const uint8_t zero[16] = { 0 }; 136 137 static bool btstack_crypto_initialized; 138 static bool btstack_crypto_wait_for_hci_result; 139 static btstack_linked_list_t btstack_crypto_operations; 140 static btstack_packet_callback_registration_t hci_event_callback_registration; 141 142 // state for AES-CMAC 143 #ifndef USE_BTSTACK_AES128 144 static btstack_crypto_cmac_state_t btstack_crypto_cmac_state; 145 static sm_key_t btstack_crypto_cmac_k; 146 static sm_key_t btstack_crypto_cmac_x; 147 static sm_key_t btstack_crypto_cmac_subkey; 148 static uint8_t btstack_crypto_cmac_block_current; 149 static uint8_t btstack_crypto_cmac_block_count; 150 #endif 151 152 // state for AES-CCM 153 static uint8_t btstack_crypto_ccm_s[16]; 154 155 #ifdef ENABLE_ECC_P256 156 157 static uint8_t btstack_crypto_ecc_p256_public_key[64]; 158 static uint8_t btstack_crypto_ecc_p256_random[64]; 159 static uint8_t btstack_crypto_ecc_p256_random_len; 160 static uint8_t btstack_crypto_ecc_p256_random_offset; 161 static btstack_crypto_ecc_p256_key_generation_state_t btstack_crypto_ecc_p256_key_generation_state; 162 163 #ifdef USE_SOFTWARE_ECC_P256_IMPLEMENTATION 164 static uint8_t btstack_crypto_ecc_p256_d[32]; 165 #endif 166 167 // Software ECDH implementation provided by mbedtls 168 #ifdef USE_MBEDTLS_ECC_P256 169 static mbedtls_ecp_group mbedtls_ec_group; 170 #endif 171 172 #endif /* ENABLE_ECC_P256 */ 173 174 #ifdef ENABLE_SOFTWARE_AES128 175 // AES128 using public domain rijndael implementation 176 void btstack_aes128_calc(const uint8_t * key, const uint8_t * plaintext, uint8_t * ciphertext){ 177 uint32_t rk[RKLENGTH(KEYBITS)]; 178 int nrounds = rijndaelSetupEncrypt(rk, &key[0], KEYBITS); 179 rijndaelEncrypt(rk, nrounds, plaintext, ciphertext); 180 } 181 #endif 182 183 static void btstack_crypto_done(btstack_crypto_t * btstack_crypto){ 184 btstack_linked_list_pop(&btstack_crypto_operations); 185 (*btstack_crypto->context_callback.callback)(btstack_crypto->context_callback.context); 186 } 187 188 static void btstack_crypto_cmac_shift_left_by_one_bit_inplace(int len, uint8_t * data){ 189 int i; 190 int carry = 0; 191 for (i=len-1; i >= 0 ; i--){ 192 int new_carry = data[i] >> 7; 193 data[i] = (data[i] << 1) | carry; 194 carry = new_carry; 195 } 196 } 197 198 static uint8_t btstack_crypto_cmac_get_byte(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac, uint16_t pos){ 199 if (btstack_crypto_cmac->btstack_crypto.operation == BTSTACK_CRYPTO_CMAC_GENERATOR){ 200 return (*btstack_crypto_cmac->data.get_byte_callback)(pos); 201 } else { 202 return btstack_crypto_cmac->data.message[pos]; 203 } 204 } 205 206 #ifdef USE_BTSTACK_AES128 207 208 static void btstack_crypto_cmac_calc_subkeys(sm_key_t k0, sm_key_t k1, sm_key_t k2){ 209 memcpy(k1, k0, 16); 210 btstack_crypto_cmac_shift_left_by_one_bit_inplace(16, k1); 211 if (k0[0] & 0x80){ 212 k1[15] ^= 0x87; 213 } 214 memcpy(k2, k1, 16); 215 btstack_crypto_cmac_shift_left_by_one_bit_inplace(16, k2); 216 if (k1[0] & 0x80){ 217 k2[15] ^= 0x87; 218 } 219 } 220 221 static void btstack_crypto_cmac_calc(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac) { 222 sm_key_t k0, k1, k2; 223 uint16_t i; 224 225 btstack_aes128_calc(btstack_crypto_cmac->key, zero, k0); 226 btstack_crypto_cmac_calc_subkeys(k0, k1, k2); 227 228 uint16_t cmac_block_count = (btstack_crypto_cmac->size + 15) / 16; 229 230 // step 3: .. 231 if (cmac_block_count==0){ 232 cmac_block_count = 1; 233 } 234 235 // Step 5 236 sm_key_t cmac_x; 237 memset(cmac_x, 0, 16); 238 239 // Step 6 240 sm_key_t cmac_y; 241 int block; 242 for (block = 0 ; block < cmac_block_count-1 ; block++){ 243 for (i=0;i<16;i++){ 244 cmac_y[i] = cmac_x[i] ^ btstack_crypto_cmac_get_byte(btstack_crypto_cmac, (block*16) + i); 245 } 246 btstack_aes128_calc(btstack_crypto_cmac->key, cmac_y, cmac_x); 247 } 248 249 // step 4: set m_last 250 sm_key_t cmac_m_last; 251 bool last_block_complete = btstack_crypto_cmac->size != 0 && (btstack_crypto_cmac->size & 0x0f) == 0; 252 if (last_block_complete){ 253 for (i=0;i<16;i++){ 254 cmac_m_last[i] = btstack_crypto_cmac_get_byte(btstack_crypto_cmac, btstack_crypto_cmac->size - 16 + i) ^ k1[i]; 255 } 256 } else { 257 uint16_t valid_octets_in_last_block = btstack_crypto_cmac->size & 0x0f; 258 for (i=0;i<16;i++){ 259 if (i < valid_octets_in_last_block){ 260 cmac_m_last[i] = btstack_crypto_cmac_get_byte(btstack_crypto_cmac, (btstack_crypto_cmac->size & 0xfff0) + i) ^ k2[i]; 261 continue; 262 } 263 if (i == valid_octets_in_last_block){ 264 cmac_m_last[i] = 0x80 ^ k2[i]; 265 continue; 266 } 267 cmac_m_last[i] = k2[i]; 268 } 269 } 270 271 for (i=0;i<16;i++){ 272 cmac_y[i] = cmac_x[i] ^ cmac_m_last[i]; 273 } 274 275 // Step 7 276 btstack_aes128_calc(btstack_crypto_cmac->key, cmac_y, btstack_crypto_cmac->hash); 277 } 278 #else 279 280 static void btstack_crypto_aes128_start(const sm_key_t key, const sm_key_t plaintext){ 281 uint8_t key_flipped[16]; 282 uint8_t plaintext_flipped[16]; 283 reverse_128(key, key_flipped); 284 reverse_128(plaintext, plaintext_flipped); 285 btstack_crypto_wait_for_hci_result = 1; 286 hci_send_cmd(&hci_le_encrypt, key_flipped, plaintext_flipped); 287 } 288 289 static inline void btstack_crypto_cmac_next_state(void){ 290 btstack_crypto_cmac_state = (btstack_crypto_cmac_state_t) (((int)btstack_crypto_cmac_state) + 1); 291 } 292 293 static int btstack_crypto_cmac_last_block_complete(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac){ 294 uint16_t len = btstack_crypto_cmac->size; 295 if (len == 0u) return 0u; 296 return (len & 0x0fu) == 0u; 297 } 298 299 static void btstack_crypto_cmac_handle_aes_engine_ready(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac){ 300 switch (btstack_crypto_cmac_state){ 301 case CMAC_CALC_SUBKEYS: { 302 btstack_crypto_cmac_next_state(); 303 btstack_crypto_aes128_start(btstack_crypto_cmac_k, zero); 304 break; 305 } 306 case CMAC_CALC_MI: { 307 int j; 308 sm_key_t y; 309 for (j=0;j<16;j++){ 310 y[j] = btstack_crypto_cmac_x[j] ^ btstack_crypto_cmac_get_byte(btstack_crypto_cmac, (btstack_crypto_cmac_block_current*16u) + j); 311 } 312 btstack_crypto_cmac_block_current++; 313 btstack_crypto_cmac_next_state(); 314 btstack_crypto_aes128_start(btstack_crypto_cmac_k, y); 315 break; 316 } 317 case CMAC_CALC_MLAST: { 318 sm_key_t k1; 319 (void)memcpy(k1, btstack_crypto_cmac_subkey, 16); 320 btstack_crypto_cmac_shift_left_by_one_bit_inplace(16, k1); 321 if (btstack_crypto_cmac_subkey[0u] & 0x80u){ 322 k1[15u] ^= 0x87u; 323 } 324 sm_key_t k2; 325 (void)memcpy(k2, k1, 16); 326 btstack_crypto_cmac_shift_left_by_one_bit_inplace(16, k2); 327 if (k1[0u] & 0x80u){ 328 k2[15u] ^= 0x87u; 329 } 330 331 log_info_key("k", btstack_crypto_cmac_k); 332 log_info_key("k1", k1); 333 log_info_key("k2", k2); 334 335 // step 4: set m_last 336 int i; 337 sm_key_t btstack_crypto_cmac_m_last; 338 if (btstack_crypto_cmac_last_block_complete(btstack_crypto_cmac)){ 339 for (i=0;i<16;i++){ 340 btstack_crypto_cmac_m_last[i] = btstack_crypto_cmac_get_byte(btstack_crypto_cmac, btstack_crypto_cmac->size - 16u + i) ^ k1[i]; 341 } 342 } else { 343 int valid_octets_in_last_block = btstack_crypto_cmac->size & 0x0fu; 344 for (i=0;i<16;i++){ 345 if (i < valid_octets_in_last_block){ 346 btstack_crypto_cmac_m_last[i] = btstack_crypto_cmac_get_byte(btstack_crypto_cmac, (btstack_crypto_cmac->size & 0xfff0u) + i) ^ k2[i]; 347 continue; 348 } 349 if (i == valid_octets_in_last_block){ 350 btstack_crypto_cmac_m_last[i] = 0x80u ^ k2[i]; 351 continue; 352 } 353 btstack_crypto_cmac_m_last[i] = k2[i]; 354 } 355 } 356 sm_key_t y; 357 for (i=0;i<16;i++){ 358 y[i] = btstack_crypto_cmac_x[i] ^ btstack_crypto_cmac_m_last[i]; 359 } 360 btstack_crypto_cmac_block_current++; 361 btstack_crypto_cmac_next_state(); 362 btstack_crypto_aes128_start(btstack_crypto_cmac_k, y); 363 break; 364 } 365 default: 366 log_info("btstack_crypto_cmac_handle_aes_engine_ready called in state %u", btstack_crypto_cmac_state); 367 break; 368 } 369 } 370 371 static void btstack_crypto_cmac_handle_encryption_result(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac, sm_key_t data){ 372 switch (btstack_crypto_cmac_state){ 373 case CMAC_W4_SUBKEYS: 374 (void)memcpy(btstack_crypto_cmac_subkey, data, 16); 375 // next 376 btstack_crypto_cmac_state = (btstack_crypto_cmac_block_current < (btstack_crypto_cmac_block_count - 1u)) ? CMAC_CALC_MI : CMAC_CALC_MLAST; 377 break; 378 case CMAC_W4_MI: 379 (void)memcpy(btstack_crypto_cmac_x, data, 16); 380 btstack_crypto_cmac_state = (btstack_crypto_cmac_block_current < (btstack_crypto_cmac_block_count - 1u)) ? CMAC_CALC_MI : CMAC_CALC_MLAST; 381 break; 382 case CMAC_W4_MLAST: 383 // done 384 log_info("Setting CMAC Engine to IDLE"); 385 btstack_crypto_cmac_state = CMAC_IDLE; 386 log_info_key("CMAC", data); 387 (void)memcpy(btstack_crypto_cmac->hash, data, 16); 388 btstack_linked_list_pop(&btstack_crypto_operations); 389 (*btstack_crypto_cmac->btstack_crypto.context_callback.callback)(btstack_crypto_cmac->btstack_crypto.context_callback.context); 390 break; 391 default: 392 log_info("btstack_crypto_cmac_handle_encryption_result called in state %u", btstack_crypto_cmac_state); 393 break; 394 } 395 } 396 397 static void btstack_crypto_cmac_start(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac){ 398 399 (void)memcpy(btstack_crypto_cmac_k, btstack_crypto_cmac->key, 16); 400 memset(btstack_crypto_cmac_x, 0, 16); 401 btstack_crypto_cmac_block_current = 0; 402 403 // step 2: n := ceil(len/const_Bsize); 404 btstack_crypto_cmac_block_count = (btstack_crypto_cmac->size + 15u) / 16u; 405 406 // step 3: .. 407 if (btstack_crypto_cmac_block_count==0u){ 408 btstack_crypto_cmac_block_count = 1; 409 } 410 log_info("btstack_crypto_cmac_start: len %u, block count %u", btstack_crypto_cmac->size, btstack_crypto_cmac_block_count); 411 412 // first, we need to compute l for k1, k2, and m_last 413 btstack_crypto_cmac_state = CMAC_CALC_SUBKEYS; 414 415 // let's go 416 btstack_crypto_cmac_handle_aes_engine_ready(btstack_crypto_cmac); 417 } 418 #endif 419 420 /* 421 To encrypt the message data we use Counter (CTR) mode. We first 422 define the key stream blocks by: 423 424 S_i := E( K, A_i ) for i=0, 1, 2, ... 425 426 The values A_i are formatted as follows, where the Counter field i is 427 encoded in most-significant-byte first order: 428 429 Octet Number Contents 430 ------------ --------- 431 0 Flags 432 1 ... 15-L Nonce N 433 16-L ... 15 Counter i 434 435 Bit Number Contents 436 ---------- ---------------------- 437 7 Reserved (always zero) 438 6 Reserved (always zero) 439 5 ... 3 Zero 440 2 ... 0 L' 441 */ 442 443 static void btstack_crypto_ccm_setup_a_i(btstack_crypto_ccm_t * btstack_crypto_ccm, uint16_t counter){ 444 btstack_crypto_ccm_s[0] = 1; // L' = L - 1 445 (void)memcpy(&btstack_crypto_ccm_s[1], btstack_crypto_ccm->nonce, 13); 446 big_endian_store_16(btstack_crypto_ccm_s, 14, counter); 447 #ifdef DEBUG_CCM 448 printf("btstack_crypto_ccm_setup_a_%u\n", counter); 449 printf("%16s: ", "ai"); 450 printf_hexdump(btstack_crypto_ccm_s, 16); 451 #endif 452 } 453 454 /* 455 The first step is to compute the authentication field T. This is 456 done using CBC-MAC [MAC]. We first define a sequence of blocks B_0, 457 B_1, ..., B_n and then apply CBC-MAC to these blocks. 458 459 The first block B_0 is formatted as follows, where l(m) is encoded in 460 most-significant-byte first order: 461 462 Octet Number Contents 463 ------------ --------- 464 0 Flags 465 1 ... 15-L Nonce N 466 16-L ... 15 l(m) 467 468 Within the first block B_0, the Flags field is formatted as follows: 469 470 Bit Number Contents 471 ---------- ---------------------- 472 7 Reserved (always zero) 473 6 Adata 474 5 ... 3 M' 475 2 ... 0 L' 476 */ 477 478 static void btstack_crypto_ccm_setup_b_0(btstack_crypto_ccm_t * btstack_crypto_ccm, uint8_t * b0){ 479 uint8_t m_prime = (btstack_crypto_ccm->auth_len - 2u) / 2u; 480 uint8_t Adata = btstack_crypto_ccm->aad_len ? 1 : 0; 481 b0[0u] = (Adata << 6u) | (m_prime << 3u) | 1u ; // Adata, M', L' = L - 1 482 (void)memcpy(&b0[1], btstack_crypto_ccm->nonce, 13); 483 big_endian_store_16(b0, 14, btstack_crypto_ccm->message_len); 484 #ifdef DEBUG_CCM 485 printf("%16s: ", "B0"); 486 printf_hexdump(b0, 16); 487 #endif 488 } 489 490 #ifdef ENABLE_ECC_P256 491 492 static void btstack_crypto_log_ec_publickey(const uint8_t * ec_q){ 493 log_info("Elliptic curve: X"); 494 log_info_hexdump(&ec_q[0],32); 495 log_info("Elliptic curve: Y"); 496 log_info_hexdump(&ec_q[32],32); 497 } 498 499 #if (defined(USE_MICRO_ECC_P256) && !defined(WICED_VERSION)) || defined(USE_MBEDTLS_ECC_P256) 500 // @return OK 501 static int sm_generate_f_rng(unsigned char * buffer, unsigned size){ 502 if (btstack_crypto_ecc_p256_key_generation_state != ECC_P256_KEY_GENERATION_ACTIVE) return 0; 503 log_info("sm_generate_f_rng: size %u - offset %u", (int) size, btstack_crypto_ecc_p256_random_offset); 504 btstack_assert((btstack_crypto_ecc_p256_random_offset + size) <= btstack_crypto_ecc_p256_random_len); 505 uint16_t remaining_size = size; 506 uint8_t * buffer_ptr = buffer; 507 while (remaining_size) { 508 *buffer_ptr++ = btstack_crypto_ecc_p256_random[btstack_crypto_ecc_p256_random_offset++]; 509 remaining_size--; 510 } 511 return 1; 512 } 513 #endif 514 #ifdef USE_MBEDTLS_ECC_P256 515 // @return error - just wrap sm_generate_f_rng 516 static int sm_generate_f_rng_mbedtls(void * context, unsigned char * buffer, size_t size){ 517 UNUSED(context); 518 return sm_generate_f_rng(buffer, size) == 0; 519 } 520 #endif /* USE_MBEDTLS_ECC_P256 */ 521 522 static void btstack_crypto_ecc_p256_generate_key_software(void){ 523 524 btstack_crypto_ecc_p256_random_offset = 0; 525 526 // generate EC key 527 #ifdef USE_MICRO_ECC_P256 528 529 #ifndef WICED_VERSION 530 log_info("set uECC RNG for initial key generation with 64 random bytes"); 531 // micro-ecc from WICED SDK uses its wiced_crypto_get_random by default - no need to set it 532 uECC_set_rng(&sm_generate_f_rng); 533 #endif /* WICED_VERSION */ 534 535 #if uECC_SUPPORTS_secp256r1 536 // standard version 537 uECC_make_key(btstack_crypto_ecc_p256_public_key, btstack_crypto_ecc_p256_d, uECC_secp256r1()); 538 539 // disable RNG again, as returning no randmon data lets shared key generation fail 540 log_info("disable uECC RNG in standard version after key generation"); 541 uECC_set_rng(NULL); 542 #else 543 // static version 544 uECC_make_key(btstack_crypto_ecc_p256_public_key, btstack_crypto_ecc_p256_d); 545 #endif 546 #endif /* USE_MICRO_ECC_P256 */ 547 548 #ifdef USE_MBEDTLS_ECC_P256 549 mbedtls_mpi d; 550 mbedtls_ecp_point P; 551 mbedtls_mpi_init(&d); 552 mbedtls_ecp_point_init(&P); 553 int res = mbedtls_ecp_gen_keypair(&mbedtls_ec_group, &d, &P, &sm_generate_f_rng_mbedtls, NULL); 554 log_info("gen keypair %x", res); 555 mbedtls_mpi_write_binary(&P.X, &btstack_crypto_ecc_p256_public_key[0], 32); 556 mbedtls_mpi_write_binary(&P.Y, &btstack_crypto_ecc_p256_public_key[32], 32); 557 mbedtls_mpi_write_binary(&d, btstack_crypto_ecc_p256_d, 32); 558 mbedtls_ecp_point_free(&P); 559 mbedtls_mpi_free(&d); 560 #endif /* USE_MBEDTLS_ECC_P256 */ 561 } 562 563 #ifdef USE_SOFTWARE_ECC_P256_IMPLEMENTATION 564 static void btstack_crypto_ecc_p256_calculate_dhkey_software(btstack_crypto_ecc_p256_t * btstack_crypto_ec_p192){ 565 memset(btstack_crypto_ec_p192->dhkey, 0, 32); 566 567 #ifdef USE_MICRO_ECC_P256 568 #if uECC_SUPPORTS_secp256r1 569 // standard version 570 uECC_shared_secret(btstack_crypto_ec_p192->public_key, btstack_crypto_ecc_p256_d, btstack_crypto_ec_p192->dhkey, uECC_secp256r1()); 571 #else 572 // static version 573 uECC_shared_secret(btstack_crypto_ec_p192->public_key, btstack_crypto_ecc_p256_d, btstack_crypto_ec_p192->dhkey); 574 #endif 575 #endif 576 577 #ifdef USE_MBEDTLS_ECC_P256 578 // da * Pb 579 mbedtls_mpi d; 580 mbedtls_ecp_point Q; 581 mbedtls_ecp_point DH; 582 mbedtls_mpi_init(&d); 583 mbedtls_ecp_point_init(&Q); 584 mbedtls_ecp_point_init(&DH); 585 mbedtls_mpi_read_binary(&d, btstack_crypto_ecc_p256_d, 32); 586 mbedtls_mpi_read_binary(&Q.X, &btstack_crypto_ec_p192->public_key[0] , 32); 587 mbedtls_mpi_read_binary(&Q.Y, &btstack_crypto_ec_p192->public_key[32], 32); 588 mbedtls_mpi_lset(&Q.Z, 1); 589 mbedtls_ecp_mul(&mbedtls_ec_group, &DH, &d, &Q, NULL, NULL); 590 mbedtls_mpi_write_binary(&DH.X, btstack_crypto_ec_p192->dhkey, 32); 591 mbedtls_ecp_point_free(&DH); 592 mbedtls_mpi_free(&d); 593 mbedtls_ecp_point_free(&Q); 594 #endif 595 596 log_info("dhkey"); 597 log_info_hexdump(btstack_crypto_ec_p192->dhkey, 32); 598 } 599 #endif 600 601 #endif 602 603 static void btstack_crypto_ccm_next_block(btstack_crypto_ccm_t * btstack_crypto_ccm, btstack_crypto_ccm_state_t state_when_done){ 604 uint16_t bytes_to_process = btstack_min(btstack_crypto_ccm->block_len, 16); 605 // next block 606 btstack_crypto_ccm->counter++; 607 btstack_crypto_ccm->input += bytes_to_process; 608 btstack_crypto_ccm->output += bytes_to_process; 609 btstack_crypto_ccm->block_len -= bytes_to_process; 610 btstack_crypto_ccm->message_len -= bytes_to_process; 611 #ifdef DEBUG_CCM 612 printf("btstack_crypto_ccm_next_block (message len %u, block_len %u)\n", btstack_crypto_ccm->message_len, btstack_crypto_ccm->block_len); 613 #endif 614 if (btstack_crypto_ccm->message_len == 0u){ 615 btstack_crypto_ccm->state = CCM_CALCULATE_S0; 616 } else { 617 btstack_crypto_ccm->state = state_when_done; 618 if (btstack_crypto_ccm->block_len == 0u){ 619 btstack_crypto_done(&btstack_crypto_ccm->btstack_crypto); 620 } 621 } 622 } 623 624 // If Controller is used for AES128, data is little endian 625 static void btstack_crypto_ccm_handle_s0(btstack_crypto_ccm_t * btstack_crypto_ccm, const uint8_t * data){ 626 int i; 627 for (i=0;i<16;i++){ 628 #ifdef USE_BTSTACK_AES128 629 btstack_crypto_ccm->x_i[i] = btstack_crypto_ccm->x_i[i] ^ data[i]; 630 #else 631 btstack_crypto_ccm->x_i[i] = btstack_crypto_ccm->x_i[i] ^ data[15-i]; 632 #endif 633 } 634 btstack_crypto_done(&btstack_crypto_ccm->btstack_crypto); 635 } 636 637 // If Controller is used for AES128, data is little endian 638 static void btstack_crypto_ccm_handle_sn(btstack_crypto_ccm_t * btstack_crypto_ccm, const uint8_t * data){ 639 int i; 640 uint16_t bytes_to_process = btstack_min(btstack_crypto_ccm->block_len, 16); 641 for (i=0;i<bytes_to_process;i++){ 642 #ifdef USE_BTSTACK_AES128 643 btstack_crypto_ccm->output[i] = btstack_crypto_ccm->input[i] ^ data[i]; 644 #else 645 btstack_crypto_ccm->output[i] = btstack_crypto_ccm->input[i] ^ data[15-i]; 646 #endif 647 } 648 switch (btstack_crypto_ccm->btstack_crypto.operation){ 649 case BTSTACK_CRYPTO_CCM_DECRYPT_BLOCK: 650 btstack_crypto_ccm->state = CCM_CALCULATE_XN; 651 break; 652 case BTSTACK_CRYPTO_CCM_ENCRYPT_BLOCK: 653 btstack_crypto_ccm_next_block(btstack_crypto_ccm, CCM_CALCULATE_XN); 654 break; 655 default: 656 btstack_assert(false); 657 break; 658 } 659 } 660 661 static void btstack_crypto_ccm_handle_aad_xn(btstack_crypto_ccm_t * btstack_crypto_ccm) { 662 #ifdef DEBUG_CCM 663 printf("%16s: ", "Xn+1 AAD"); 664 printf_hexdump(btstack_crypto_ccm->x_i, 16); 665 #endif 666 // more aad? 667 if (btstack_crypto_ccm->aad_offset < (btstack_crypto_ccm->aad_len + 2u)){ 668 btstack_crypto_ccm->state = CCM_CALCULATE_AAD_XN; 669 } else { 670 // done 671 btstack_crypto_done((btstack_crypto_t *) btstack_crypto_ccm); 672 } 673 } 674 675 static void btstack_crypto_ccm_handle_x1(btstack_crypto_ccm_t * btstack_crypto_ccm) { 676 #ifdef DEBUG_CCM 677 printf("%16s: ", "Xi"); 678 printf_hexdump(btstack_crypto_ccm->x_i, 16); 679 #endif 680 switch (btstack_crypto_ccm->btstack_crypto.operation){ 681 case BTSTACK_CRYPTO_CCM_DIGEST_BLOCK: 682 btstack_crypto_ccm->aad_remainder_len = 0; 683 btstack_crypto_ccm->state = CCM_CALCULATE_AAD_XN; 684 break; 685 case BTSTACK_CRYPTO_CCM_DECRYPT_BLOCK: 686 btstack_crypto_ccm->state = CCM_CALCULATE_SN; 687 break; 688 case BTSTACK_CRYPTO_CCM_ENCRYPT_BLOCK: 689 btstack_crypto_ccm->state = CCM_CALCULATE_XN; 690 break; 691 default: 692 btstack_assert(false); 693 break; 694 } 695 } 696 697 static void btstack_crypto_ccm_handle_xn(btstack_crypto_ccm_t * btstack_crypto_ccm) { 698 #ifdef DEBUG_CCM 699 printf("%16s: ", "Xn+1"); 700 printf_hexdump(btstack_crypto_ccm->x_i, 16); 701 #endif 702 switch (btstack_crypto_ccm->btstack_crypto.operation){ 703 case BTSTACK_CRYPTO_CCM_DECRYPT_BLOCK: 704 btstack_crypto_ccm_next_block(btstack_crypto_ccm, CCM_CALCULATE_SN); 705 break; 706 case BTSTACK_CRYPTO_CCM_ENCRYPT_BLOCK: 707 btstack_crypto_ccm->state = CCM_CALCULATE_SN; 708 break; 709 default: 710 btstack_assert(false); 711 break; 712 } 713 } 714 715 static void btstack_crypto_ccm_calc_s0(btstack_crypto_ccm_t * btstack_crypto_ccm){ 716 #ifdef DEBUG_CCM 717 printf("btstack_crypto_ccm_calc_s0\n"); 718 #endif 719 btstack_crypto_ccm->state = CCM_W4_S0; 720 btstack_crypto_ccm_setup_a_i(btstack_crypto_ccm, 0); 721 #ifdef USE_BTSTACK_AES128 722 uint8_t data[16]; 723 btstack_aes128_calc(btstack_crypto_ccm->key, btstack_crypto_ccm_s, data); 724 btstack_crypto_ccm_handle_s0(btstack_crypto_ccm, data); 725 #else 726 btstack_crypto_aes128_start(btstack_crypto_ccm->key, btstack_crypto_ccm_s); 727 #endif 728 } 729 730 static void btstack_crypto_ccm_calc_sn(btstack_crypto_ccm_t * btstack_crypto_ccm){ 731 #ifdef DEBUG_CCM 732 printf("btstack_crypto_ccm_calc_s%u\n", btstack_crypto_ccm->counter); 733 #endif 734 btstack_crypto_ccm->state = CCM_W4_SN; 735 btstack_crypto_ccm_setup_a_i(btstack_crypto_ccm, btstack_crypto_ccm->counter); 736 #ifdef USE_BTSTACK_AES128 737 uint8_t data[16]; 738 btstack_aes128_calc(btstack_crypto_ccm->key, btstack_crypto_ccm_s, data); 739 btstack_crypto_ccm_handle_sn(btstack_crypto_ccm, data); 740 #else 741 btstack_crypto_aes128_start(btstack_crypto_ccm->key, btstack_crypto_ccm_s); 742 #endif 743 } 744 745 static void btstack_crypto_ccm_calc_x1(btstack_crypto_ccm_t * btstack_crypto_ccm){ 746 uint8_t btstack_crypto_ccm_buffer[16]; 747 btstack_crypto_ccm->state = CCM_W4_X1; 748 btstack_crypto_ccm_setup_b_0(btstack_crypto_ccm, btstack_crypto_ccm_buffer); 749 #ifdef USE_BTSTACK_AES128 750 btstack_aes128_calc(btstack_crypto_ccm->key, btstack_crypto_ccm_buffer, btstack_crypto_ccm->x_i); 751 btstack_crypto_ccm_handle_x1(btstack_crypto_ccm); 752 #else 753 btstack_crypto_aes128_start(btstack_crypto_ccm->key, btstack_crypto_ccm_buffer); 754 #endif 755 } 756 757 static void btstack_crypto_ccm_calc_xn(btstack_crypto_ccm_t * btstack_crypto_ccm, const uint8_t * plaintext){ 758 uint8_t btstack_crypto_ccm_buffer[16]; 759 btstack_crypto_ccm->state = CCM_W4_XN; 760 761 #ifdef DEBUG_CCM 762 printf("%16s: ", "bn"); 763 printf_hexdump(plaintext, 16); 764 #endif 765 uint8_t i; 766 uint16_t bytes_to_decrypt = btstack_crypto_ccm->block_len; 767 // use explicit min implementation as c-stat worried about out-of-bounds-reads 768 if (bytes_to_decrypt > 16u) { 769 bytes_to_decrypt = 16; 770 } 771 for (i = 0; i < bytes_to_decrypt ; i++){ 772 btstack_crypto_ccm_buffer[i] = btstack_crypto_ccm->x_i[i] ^ plaintext[i]; 773 } 774 (void)memcpy(&btstack_crypto_ccm_buffer[i], &btstack_crypto_ccm->x_i[i], 775 16u - bytes_to_decrypt); 776 #ifdef DEBUG_CCM 777 printf("%16s: ", "Xn XOR bn"); 778 printf_hexdump(btstack_crypto_ccm_buffer, 16); 779 #endif 780 781 #ifdef USE_BTSTACK_AES128 782 btstack_aes128_calc(btstack_crypto_ccm->key, btstack_crypto_ccm_buffer, btstack_crypto_ccm->x_i); 783 btstack_crypto_ccm_handle_xn(btstack_crypto_ccm); 784 #else 785 btstack_crypto_aes128_start(btstack_crypto_ccm->key, btstack_crypto_ccm_buffer); 786 #endif 787 } 788 789 static void btstack_crypto_ccm_calc_aad_xn(btstack_crypto_ccm_t * btstack_crypto_ccm){ 790 // store length 791 if (btstack_crypto_ccm->aad_offset == 0u){ 792 uint8_t len_buffer[2]; 793 big_endian_store_16(len_buffer, 0, btstack_crypto_ccm->aad_len); 794 btstack_crypto_ccm->x_i[0] ^= len_buffer[0]; 795 btstack_crypto_ccm->x_i[1] ^= len_buffer[1]; 796 btstack_crypto_ccm->aad_remainder_len += 2u; 797 btstack_crypto_ccm->aad_offset += 2u; 798 } 799 800 // fill from input 801 uint16_t bytes_free = 16u - btstack_crypto_ccm->aad_remainder_len; 802 uint16_t bytes_to_copy = btstack_min(bytes_free, btstack_crypto_ccm->block_len); 803 while (bytes_to_copy){ 804 btstack_crypto_ccm->x_i[btstack_crypto_ccm->aad_remainder_len++] ^= *btstack_crypto_ccm->input++; 805 btstack_crypto_ccm->aad_offset++; 806 btstack_crypto_ccm->block_len--; 807 bytes_to_copy--; 808 bytes_free--; 809 } 810 811 // if last block, fill with zeros 812 if (btstack_crypto_ccm->aad_offset == (btstack_crypto_ccm->aad_len + 2u)){ 813 btstack_crypto_ccm->aad_remainder_len = 16; 814 } 815 // if not full, notify done 816 if (btstack_crypto_ccm->aad_remainder_len < 16u){ 817 btstack_crypto_done(&btstack_crypto_ccm->btstack_crypto); 818 return; 819 } 820 821 // encrypt block 822 #ifdef DEBUG_CCM 823 printf("%16s: ", "Xn XOR Bn (aad)"); 824 printf_hexdump(btstack_crypto_ccm->x_i, 16); 825 #endif 826 827 btstack_crypto_ccm->aad_remainder_len = 0; 828 btstack_crypto_ccm->state = CCM_W4_AAD_XN; 829 #ifdef USE_BTSTACK_AES128 830 btstack_aes128_calc(btstack_crypto_ccm->key, btstack_crypto_ccm->x_i, btstack_crypto_ccm->x_i); 831 btstack_crypto_ccm_handle_aad_xn(btstack_crypto_ccm); 832 #else 833 btstack_crypto_aes128_start(btstack_crypto_ccm->key, btstack_crypto_ccm->x_i); 834 #endif 835 } 836 837 static void btstack_crypto_run(void){ 838 839 btstack_crypto_aes128_t * btstack_crypto_aes128; 840 btstack_crypto_ccm_t * btstack_crypto_ccm; 841 btstack_crypto_aes128_cmac_t * btstack_crypto_cmac; 842 #ifdef ENABLE_ECC_P256 843 btstack_crypto_ecc_p256_t * btstack_crypto_ec_p192; 844 #endif 845 846 // stack up and running? 847 if (hci_get_state() != HCI_STATE_WORKING) return; 848 849 // try to do as much as possible 850 while (true){ 851 852 // anything to do? 853 if (btstack_linked_list_empty(&btstack_crypto_operations)) return; 854 855 // already active? 856 if (btstack_crypto_wait_for_hci_result) return; 857 858 // can send a command? 859 if (!hci_can_send_command_packet_now()) return; 860 861 // ok, find next task 862 btstack_crypto_t * btstack_crypto = (btstack_crypto_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations); 863 switch (btstack_crypto->operation){ 864 case BTSTACK_CRYPTO_RANDOM: 865 btstack_crypto_wait_for_hci_result = true; 866 hci_send_cmd(&hci_le_rand); 867 break; 868 case BTSTACK_CRYPTO_AES128: 869 btstack_crypto_aes128 = (btstack_crypto_aes128_t *) btstack_crypto; 870 #ifdef USE_BTSTACK_AES128 871 btstack_aes128_calc(btstack_crypto_aes128->key, btstack_crypto_aes128->plaintext, btstack_crypto_aes128->ciphertext); 872 btstack_crypto_done(btstack_crypto); 873 #else 874 btstack_crypto_aes128_start(btstack_crypto_aes128->key, btstack_crypto_aes128->plaintext); 875 #endif 876 break; 877 878 case BTSTACK_CRYPTO_CMAC_MESSAGE: 879 case BTSTACK_CRYPTO_CMAC_GENERATOR: 880 btstack_crypto_cmac = (btstack_crypto_aes128_cmac_t *) btstack_crypto; 881 #ifdef USE_BTSTACK_AES128 882 btstack_crypto_cmac_calc( btstack_crypto_cmac ); 883 btstack_crypto_done(btstack_crypto); 884 #else 885 btstack_crypto_wait_for_hci_result = 1; 886 if (btstack_crypto_cmac_state == CMAC_IDLE){ 887 btstack_crypto_cmac_start(btstack_crypto_cmac); 888 } else { 889 btstack_crypto_cmac_handle_aes_engine_ready(btstack_crypto_cmac); 890 } 891 #endif 892 break; 893 894 case BTSTACK_CRYPTO_CCM_DIGEST_BLOCK: 895 case BTSTACK_CRYPTO_CCM_ENCRYPT_BLOCK: 896 case BTSTACK_CRYPTO_CCM_DECRYPT_BLOCK: 897 btstack_crypto_ccm = (btstack_crypto_ccm_t *) btstack_crypto; 898 switch (btstack_crypto_ccm->state){ 899 case CCM_CALCULATE_AAD_XN: 900 #ifdef DEBUG_CCM 901 printf("CCM_CALCULATE_AAD_XN\n"); 902 #endif 903 btstack_crypto_ccm_calc_aad_xn(btstack_crypto_ccm); 904 break; 905 case CCM_CALCULATE_X1: 906 #ifdef DEBUG_CCM 907 printf("CCM_CALCULATE_X1\n"); 908 #endif 909 btstack_crypto_ccm_calc_x1(btstack_crypto_ccm); 910 break; 911 case CCM_CALCULATE_S0: 912 #ifdef DEBUG_CCM 913 printf("CCM_CALCULATE_S0\n"); 914 #endif 915 btstack_crypto_ccm_calc_s0(btstack_crypto_ccm); 916 break; 917 case CCM_CALCULATE_SN: 918 #ifdef DEBUG_CCM 919 printf("CCM_CALCULATE_SN\n"); 920 #endif 921 btstack_crypto_ccm_calc_sn(btstack_crypto_ccm); 922 break; 923 case CCM_CALCULATE_XN: 924 #ifdef DEBUG_CCM 925 printf("CCM_CALCULATE_XN\n"); 926 #endif 927 btstack_crypto_ccm_calc_xn(btstack_crypto_ccm, (btstack_crypto->operation == BTSTACK_CRYPTO_CCM_ENCRYPT_BLOCK) ? btstack_crypto_ccm->input : btstack_crypto_ccm->output); 928 break; 929 default: 930 break; 931 } 932 break; 933 934 #ifdef ENABLE_ECC_P256 935 case BTSTACK_CRYPTO_ECC_P256_GENERATE_KEY: 936 btstack_crypto_ec_p192 = (btstack_crypto_ecc_p256_t *) btstack_crypto; 937 switch (btstack_crypto_ecc_p256_key_generation_state){ 938 case ECC_P256_KEY_GENERATION_DONE: 939 // done 940 btstack_crypto_log_ec_publickey(btstack_crypto_ecc_p256_public_key); 941 (void)memcpy(btstack_crypto_ec_p192->public_key, 942 btstack_crypto_ecc_p256_public_key, 64); 943 btstack_linked_list_pop(&btstack_crypto_operations); 944 (*btstack_crypto_ec_p192->btstack_crypto.context_callback.callback)(btstack_crypto_ec_p192->btstack_crypto.context_callback.context); 945 break; 946 case ECC_P256_KEY_GENERATION_IDLE: 947 #ifdef USE_SOFTWARE_ECC_P256_IMPLEMENTATION 948 log_info("start ecc random"); 949 btstack_crypto_ecc_p256_key_generation_state = ECC_P256_KEY_GENERATION_GENERATING_RANDOM; 950 btstack_crypto_ecc_p256_random_len = 0; 951 btstack_crypto_wait_for_hci_result = true; 952 hci_send_cmd(&hci_le_rand); 953 #else 954 btstack_crypto_ecc_p256_key_generation_state = ECC_P256_KEY_GENERATION_W4_KEY; 955 btstack_crypto_wait_for_hci_result = 1; 956 hci_send_cmd(&hci_le_read_local_p256_public_key); 957 #endif 958 break; 959 #ifdef USE_SOFTWARE_ECC_P256_IMPLEMENTATION 960 case ECC_P256_KEY_GENERATION_GENERATING_RANDOM: 961 log_info("more ecc random"); 962 btstack_crypto_wait_for_hci_result = true; 963 hci_send_cmd(&hci_le_rand); 964 break; 965 #endif 966 default: 967 break; 968 } 969 break; 970 case BTSTACK_CRYPTO_ECC_P256_CALCULATE_DHKEY: 971 btstack_crypto_ec_p192 = (btstack_crypto_ecc_p256_t *) btstack_crypto; 972 #ifdef USE_SOFTWARE_ECC_P256_IMPLEMENTATION 973 btstack_crypto_ecc_p256_calculate_dhkey_software(btstack_crypto_ec_p192); 974 // done 975 btstack_linked_list_pop(&btstack_crypto_operations); 976 (*btstack_crypto_ec_p192->btstack_crypto.context_callback.callback)(btstack_crypto_ec_p192->btstack_crypto.context_callback.context); 977 #else 978 btstack_crypto_wait_for_hci_result = 1; 979 hci_send_cmd(&hci_le_generate_dhkey, &btstack_crypto_ec_p192->public_key[0], &btstack_crypto_ec_p192->public_key[32]); 980 #endif 981 break; 982 983 #endif /* ENABLE_ECC_P256 */ 984 985 default: 986 break; 987 } 988 } 989 } 990 991 static void btstack_crypto_handle_random_data(const uint8_t * data, uint16_t len){ 992 btstack_crypto_random_t * btstack_crypto_random; 993 btstack_crypto_t * btstack_crypto = (btstack_crypto_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations); 994 uint16_t bytes_to_copy; 995 if (!btstack_crypto) return; 996 switch (btstack_crypto->operation){ 997 case BTSTACK_CRYPTO_RANDOM: 998 btstack_crypto_random = (btstack_crypto_random_t*) btstack_crypto; 999 bytes_to_copy = btstack_min(btstack_crypto_random->size, len); 1000 (void)memcpy(btstack_crypto_random->buffer, data, bytes_to_copy); 1001 btstack_crypto_random->buffer += bytes_to_copy; 1002 btstack_crypto_random->size -= bytes_to_copy; 1003 // data processed, more? 1004 if (!btstack_crypto_random->size) { 1005 // done 1006 btstack_linked_list_pop(&btstack_crypto_operations); 1007 (*btstack_crypto_random->btstack_crypto.context_callback.callback)(btstack_crypto_random->btstack_crypto.context_callback.context); 1008 } 1009 break; 1010 #ifdef ENABLE_ECC_P256 1011 case BTSTACK_CRYPTO_ECC_P256_GENERATE_KEY: 1012 btstack_assert((btstack_crypto_ecc_p256_random_len + 8) <= 64); 1013 (void)memcpy(&btstack_crypto_ecc_p256_random[btstack_crypto_ecc_p256_random_len], data, 8); 1014 btstack_crypto_ecc_p256_random_len += 8u; 1015 if (btstack_crypto_ecc_p256_random_len >= 64u) { 1016 btstack_crypto_ecc_p256_key_generation_state = ECC_P256_KEY_GENERATION_ACTIVE; 1017 btstack_crypto_ecc_p256_generate_key_software(); 1018 btstack_crypto_ecc_p256_key_generation_state = ECC_P256_KEY_GENERATION_DONE; 1019 } 1020 break; 1021 #endif 1022 default: 1023 break; 1024 } 1025 // more work? 1026 btstack_crypto_run(); 1027 } 1028 1029 #ifndef USE_BTSTACK_AES128 1030 static void btstack_crypto_handle_encryption_result(const uint8_t * data){ 1031 btstack_crypto_aes128_t * btstack_crypto_aes128; 1032 btstack_crypto_aes128_cmac_t * btstack_crypto_cmac; 1033 btstack_crypto_ccm_t * btstack_crypto_ccm; 1034 uint8_t result[16]; 1035 1036 btstack_crypto_t * btstack_crypto = (btstack_crypto_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations); 1037 if (!btstack_crypto) return; 1038 switch (btstack_crypto->operation){ 1039 case BTSTACK_CRYPTO_AES128: 1040 btstack_crypto_aes128 = (btstack_crypto_aes128_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations); 1041 reverse_128(data, btstack_crypto_aes128->ciphertext); 1042 btstack_crypto_done(btstack_crypto); 1043 break; 1044 case BTSTACK_CRYPTO_CMAC_GENERATOR: 1045 case BTSTACK_CRYPTO_CMAC_MESSAGE: 1046 btstack_crypto_cmac = (btstack_crypto_aes128_cmac_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations); 1047 reverse_128(data, result); 1048 btstack_crypto_cmac_handle_encryption_result(btstack_crypto_cmac, result); 1049 break; 1050 case BTSTACK_CRYPTO_CCM_DIGEST_BLOCK: 1051 case BTSTACK_CRYPTO_CCM_ENCRYPT_BLOCK: 1052 case BTSTACK_CRYPTO_CCM_DECRYPT_BLOCK: 1053 btstack_crypto_ccm = (btstack_crypto_ccm_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations); 1054 switch (btstack_crypto_ccm->state){ 1055 case CCM_W4_X1: 1056 reverse_128(data, btstack_crypto_ccm->x_i); 1057 btstack_crypto_ccm_handle_x1(btstack_crypto_ccm); 1058 break; 1059 case CCM_W4_XN: 1060 reverse_128(data, btstack_crypto_ccm->x_i); 1061 btstack_crypto_ccm_handle_xn(btstack_crypto_ccm); 1062 break; 1063 case CCM_W4_AAD_XN: 1064 reverse_128(data, btstack_crypto_ccm->x_i); 1065 btstack_crypto_ccm_handle_aad_xn(btstack_crypto_ccm); 1066 break; 1067 case CCM_W4_S0: 1068 btstack_crypto_ccm_handle_s0(btstack_crypto_ccm, data); 1069 break; 1070 case CCM_W4_SN: 1071 btstack_crypto_ccm_handle_sn(btstack_crypto_ccm, data); 1072 break; 1073 default: 1074 break; 1075 } 1076 break; 1077 default: 1078 break; 1079 } 1080 } 1081 #endif 1082 1083 static void btstack_crypto_event_handler(uint8_t packet_type, uint16_t cid, uint8_t *packet, uint16_t size){ 1084 UNUSED(cid); // ok: there is no channel 1085 UNUSED(size); // ok: fixed format events read from HCI buffer 1086 1087 #ifdef ENABLE_ECC_P256 1088 #ifndef USE_SOFTWARE_ECC_P256_IMPLEMENTATION 1089 btstack_crypto_ecc_p256_t * btstack_crypto_ec_p192; 1090 #endif 1091 #endif 1092 bool ecdh_operations_supported; 1093 1094 if (packet_type != HCI_EVENT_PACKET) return; 1095 1096 switch (hci_event_packet_get_type(packet)){ 1097 case BTSTACK_EVENT_STATE: 1098 switch(btstack_event_state_get_state(packet)){ 1099 case HCI_STATE_HALTING: 1100 // as stack is shutting down, reset state 1101 btstack_crypto_state_reset(); 1102 break; 1103 default: 1104 break; 1105 } 1106 if (btstack_event_state_get_state(packet) != HCI_STATE_HALTING) break; 1107 break; 1108 1109 case HCI_EVENT_COMMAND_COMPLETE: 1110 switch (hci_event_command_complete_get_command_opcode(packet)){ 1111 #ifndef USE_BTSTACK_AES128 1112 case HCI_OPCODE_HCI_LE_ENCRYPT: 1113 if (!btstack_crypto_wait_for_hci_result) return; 1114 btstack_crypto_wait_for_hci_result = 0; 1115 btstack_crypto_handle_encryption_result(&packet[6]); 1116 break; 1117 #endif 1118 case HCI_OPCODE_HCI_LE_RAND: 1119 if (!btstack_crypto_wait_for_hci_result) return; 1120 btstack_crypto_wait_for_hci_result = false; 1121 btstack_crypto_handle_random_data(&packet[6], 8); 1122 break; 1123 case HCI_OPCODE_HCI_READ_LOCAL_SUPPORTED_COMMANDS: 1124 ecdh_operations_supported = (packet[OFFSET_OF_DATA_IN_COMMAND_COMPLETE+1u+34u] & 0x06u) == 0x06u; 1125 UNUSED(ecdh_operations_supported); 1126 log_info("controller supports ECDH operation: %u", ecdh_operations_supported); 1127 #ifdef ENABLE_ECC_P256 1128 #ifndef USE_SOFTWARE_ECC_P256_IMPLEMENTATION 1129 // Assert controller supports ECDH operation if we don't implement them ourselves 1130 // Please add ENABLE_MICRO_ECC_FOR_LE_SECURE_CONNECTIONS to btstack_config.h and add 3rd-party/micro-ecc to your port 1131 btstack_assert(ecdh_operations_supported != 0); 1132 #endif 1133 #endif 1134 break; 1135 default: 1136 break; 1137 } 1138 break; 1139 1140 #ifdef ENABLE_ECC_P256 1141 #ifndef USE_SOFTWARE_ECC_P256_IMPLEMENTATION 1142 case HCI_EVENT_LE_META: 1143 btstack_crypto_ec_p192 = (btstack_crypto_ecc_p256_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations); 1144 if (!btstack_crypto_ec_p192) break; 1145 switch (hci_event_le_meta_get_subevent_code(packet)){ 1146 case HCI_SUBEVENT_LE_READ_LOCAL_P256_PUBLIC_KEY_COMPLETE: 1147 if (btstack_crypto_ec_p192->btstack_crypto.operation != BTSTACK_CRYPTO_ECC_P256_GENERATE_KEY) break; 1148 if (!btstack_crypto_wait_for_hci_result) return; 1149 btstack_crypto_wait_for_hci_result = 0; 1150 if (hci_subevent_le_read_local_p256_public_key_complete_get_status(packet)){ 1151 log_error("Read Local P256 Public Key failed"); 1152 } 1153 hci_subevent_le_read_local_p256_public_key_complete_get_dhkey_x(packet, &btstack_crypto_ecc_p256_public_key[0]); 1154 hci_subevent_le_read_local_p256_public_key_complete_get_dhkey_y(packet, &btstack_crypto_ecc_p256_public_key[32]); 1155 btstack_crypto_ecc_p256_key_generation_state = ECC_P256_KEY_GENERATION_DONE; 1156 break; 1157 case HCI_SUBEVENT_LE_GENERATE_DHKEY_COMPLETE: 1158 if (btstack_crypto_ec_p192->btstack_crypto.operation != BTSTACK_CRYPTO_ECC_P256_CALCULATE_DHKEY) break; 1159 if (!btstack_crypto_wait_for_hci_result) return; 1160 btstack_crypto_wait_for_hci_result = 0; 1161 if (hci_subevent_le_generate_dhkey_complete_get_status(packet)){ 1162 log_error("Generate DHKEY failed -> abort"); 1163 // set DHKEY to 0xff..ff 1164 memset(btstack_crypto_ec_p192->dhkey, 0xff, 32); 1165 } else { 1166 hci_subevent_le_generate_dhkey_complete_get_dhkey(packet, btstack_crypto_ec_p192->dhkey); 1167 } 1168 // done 1169 btstack_linked_list_pop(&btstack_crypto_operations); 1170 (*btstack_crypto_ec_p192->btstack_crypto.context_callback.callback)(btstack_crypto_ec_p192->btstack_crypto.context_callback.context); 1171 break; 1172 default: 1173 break; 1174 } 1175 break; 1176 #endif 1177 #endif 1178 default: 1179 break; 1180 } 1181 1182 // try processing 1183 btstack_crypto_run(); 1184 } 1185 1186 void btstack_crypto_random_generate(btstack_crypto_random_t * request, uint8_t * buffer, uint16_t size, void (* callback)(void * arg), void * callback_arg){ 1187 request->btstack_crypto.context_callback.callback = callback; 1188 request->btstack_crypto.context_callback.context = callback_arg; 1189 request->btstack_crypto.operation = BTSTACK_CRYPTO_RANDOM; 1190 request->buffer = buffer; 1191 request->size = size; 1192 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request); 1193 btstack_crypto_run(); 1194 } 1195 1196 void btstack_crypto_aes128_encrypt(btstack_crypto_aes128_t * request, const uint8_t * key, const uint8_t * plaintext, uint8_t * ciphertext, void (* callback)(void * arg), void * callback_arg){ 1197 request->btstack_crypto.context_callback.callback = callback; 1198 request->btstack_crypto.context_callback.context = callback_arg; 1199 request->btstack_crypto.operation = BTSTACK_CRYPTO_AES128; 1200 request->key = key; 1201 request->plaintext = plaintext; 1202 request->ciphertext = ciphertext; 1203 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request); 1204 btstack_crypto_run(); 1205 } 1206 1207 void btstack_crypto_aes128_cmac_generator(btstack_crypto_aes128_cmac_t * request, const uint8_t * key, uint16_t size, uint8_t (*get_byte_callback)(uint16_t pos), uint8_t * hash, void (* callback)(void * arg), void * callback_arg){ 1208 request->btstack_crypto.context_callback.callback = callback; 1209 request->btstack_crypto.context_callback.context = callback_arg; 1210 request->btstack_crypto.operation = BTSTACK_CRYPTO_CMAC_GENERATOR; 1211 request->key = key; 1212 request->size = size; 1213 request->data.get_byte_callback = get_byte_callback; 1214 request->hash = hash; 1215 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request); 1216 btstack_crypto_run(); 1217 } 1218 1219 void btstack_crypto_aes128_cmac_message(btstack_crypto_aes128_cmac_t * request, const uint8_t * key, uint16_t size, const uint8_t * message, uint8_t * hash, void (* callback)(void * arg), void * callback_arg){ 1220 request->btstack_crypto.context_callback.callback = callback; 1221 request->btstack_crypto.context_callback.context = callback_arg; 1222 request->btstack_crypto.operation = BTSTACK_CRYPTO_CMAC_MESSAGE; 1223 request->key = key; 1224 request->size = size; 1225 request->data.message = message; 1226 request->hash = hash; 1227 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request); 1228 btstack_crypto_run(); 1229 } 1230 1231 void btstack_crypto_aes128_cmac_zero(btstack_crypto_aes128_cmac_t * request, uint16_t size, const uint8_t * message, uint8_t * hash, void (* callback)(void * arg), void * callback_arg){ 1232 request->btstack_crypto.context_callback.callback = callback; 1233 request->btstack_crypto.context_callback.context = callback_arg; 1234 request->btstack_crypto.operation = BTSTACK_CRYPTO_CMAC_MESSAGE; 1235 request->key = zero; 1236 request->size = size; 1237 request->data.message = message; 1238 request->hash = hash; 1239 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request); 1240 btstack_crypto_run(); 1241 } 1242 1243 #ifdef ENABLE_ECC_P256 1244 void btstack_crypto_ecc_p256_generate_key(btstack_crypto_ecc_p256_t * request, uint8_t * public_key, void (* callback)(void * arg), void * callback_arg){ 1245 // reset key generation 1246 if (btstack_crypto_ecc_p256_key_generation_state == ECC_P256_KEY_GENERATION_DONE){ 1247 btstack_crypto_ecc_p256_key_generation_state = ECC_P256_KEY_GENERATION_IDLE; 1248 } 1249 request->btstack_crypto.context_callback.callback = callback; 1250 request->btstack_crypto.context_callback.context = callback_arg; 1251 request->btstack_crypto.operation = BTSTACK_CRYPTO_ECC_P256_GENERATE_KEY; 1252 request->public_key = public_key; 1253 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request); 1254 btstack_crypto_run(); 1255 } 1256 1257 void btstack_crypto_ecc_p256_calculate_dhkey(btstack_crypto_ecc_p256_t * request, const uint8_t * public_key, uint8_t * dhkey, void (* callback)(void * arg), void * callback_arg){ 1258 request->btstack_crypto.context_callback.callback = callback; 1259 request->btstack_crypto.context_callback.context = callback_arg; 1260 request->btstack_crypto.operation = BTSTACK_CRYPTO_ECC_P256_CALCULATE_DHKEY; 1261 request->public_key = (uint8_t *) public_key; 1262 request->dhkey = dhkey; 1263 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request); 1264 btstack_crypto_run(); 1265 } 1266 1267 int btstack_crypto_ecc_p256_validate_public_key(const uint8_t * public_key){ 1268 1269 int err = 0; 1270 1271 #ifdef USE_MICRO_ECC_P256 1272 // validate public key using micro-ecc 1273 1274 #if uECC_SUPPORTS_secp256r1 1275 // standard version 1276 err = uECC_valid_public_key(public_key, uECC_secp256r1()) == 0; 1277 #else 1278 // static version 1279 err = uECC_valid_public_key(public_key) == 0; 1280 #endif 1281 #endif 1282 1283 #ifdef USE_MBEDTLS_ECC_P256 1284 // validate public using mbedtls_ecc 1285 1286 mbedtls_ecp_point Q; 1287 mbedtls_ecp_point_init( &Q ); 1288 mbedtls_mpi_read_binary(&Q.X, &public_key[0], 32); 1289 mbedtls_mpi_read_binary(&Q.Y, &public_key[32], 32); 1290 mbedtls_mpi_lset(&Q.Z, 1); 1291 err = mbedtls_ecp_check_pubkey(&mbedtls_ec_group, &Q); 1292 mbedtls_ecp_point_free( & Q); 1293 #endif 1294 1295 if (err != 0){ 1296 log_info("public key invalid %x", err); 1297 } 1298 return err; 1299 } 1300 #endif 1301 1302 void btstack_crypto_ccm_init(btstack_crypto_ccm_t * request, const uint8_t * key, const uint8_t * nonce, uint16_t message_len, uint16_t additional_authenticated_data_len, uint8_t auth_len){ 1303 request->key = key; 1304 request->nonce = nonce; 1305 request->message_len = message_len; 1306 request->aad_len = additional_authenticated_data_len; 1307 request->aad_offset = 0; 1308 request->auth_len = auth_len; 1309 request->counter = 1; 1310 request->state = CCM_CALCULATE_X1; 1311 } 1312 1313 void btstack_crypto_ccm_digest(btstack_crypto_ccm_t * request, uint8_t * additional_authenticated_data, uint16_t additional_authenticated_data_len, void (* callback)(void * arg), void * callback_arg){ 1314 // not implemented yet 1315 request->btstack_crypto.context_callback.callback = callback; 1316 request->btstack_crypto.context_callback.context = callback_arg; 1317 request->btstack_crypto.operation = BTSTACK_CRYPTO_CCM_DIGEST_BLOCK; 1318 request->block_len = additional_authenticated_data_len; 1319 request->input = additional_authenticated_data; 1320 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request); 1321 btstack_crypto_run(); 1322 } 1323 1324 void btstack_crypto_ccm_get_authentication_value(btstack_crypto_ccm_t * request, uint8_t * authentication_value){ 1325 (void)memcpy(authentication_value, request->x_i, request->auth_len); 1326 } 1327 1328 void btstack_crypto_ccm_encrypt_block(btstack_crypto_ccm_t * request, uint16_t len, const uint8_t * plaintext, uint8_t * ciphertext, void (* callback)(void * arg), void * callback_arg){ 1329 #ifdef DEBUG_CCM 1330 printf("\nbtstack_crypto_ccm_encrypt_block, len %u\n", len); 1331 #endif 1332 request->btstack_crypto.context_callback.callback = callback; 1333 request->btstack_crypto.context_callback.context = callback_arg; 1334 request->btstack_crypto.operation = BTSTACK_CRYPTO_CCM_ENCRYPT_BLOCK; 1335 request->block_len = len; 1336 request->input = plaintext; 1337 request->output = ciphertext; 1338 if (request->state != CCM_CALCULATE_X1){ 1339 request->state = CCM_CALCULATE_XN; 1340 } 1341 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request); 1342 btstack_crypto_run(); 1343 } 1344 1345 void btstack_crypto_ccm_decrypt_block(btstack_crypto_ccm_t * request, uint16_t len, const uint8_t * ciphertext, uint8_t * plaintext, void (* callback)(void * arg), void * callback_arg){ 1346 request->btstack_crypto.context_callback.callback = callback; 1347 request->btstack_crypto.context_callback.context = callback_arg; 1348 request->btstack_crypto.operation = BTSTACK_CRYPTO_CCM_DECRYPT_BLOCK; 1349 request->block_len = len; 1350 request->input = ciphertext; 1351 request->output = plaintext; 1352 if (request->state != CCM_CALCULATE_X1){ 1353 request->state = CCM_CALCULATE_SN; 1354 } 1355 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request); 1356 btstack_crypto_run(); 1357 } 1358 1359 1360 static void btstack_crypto_state_reset(void) { 1361 #ifndef USE_BTSTACK_AES128 1362 btstack_crypto_cmac_state = CMAC_IDLE; 1363 #endif 1364 #ifdef ENABLE_ECC_P256 1365 btstack_crypto_ecc_p256_key_generation_state = ECC_P256_KEY_GENERATION_IDLE; 1366 #endif 1367 btstack_crypto_wait_for_hci_result = false; 1368 btstack_crypto_operations = NULL; 1369 } 1370 1371 void btstack_crypto_init(void){ 1372 if (btstack_crypto_initialized) return; 1373 btstack_crypto_initialized = true; 1374 1375 // register with HCI 1376 hci_event_callback_registration.callback = &btstack_crypto_event_handler; 1377 hci_add_event_handler(&hci_event_callback_registration); 1378 1379 #ifdef USE_MBEDTLS_ECC_P256 1380 mbedtls_ecp_group_init(&mbedtls_ec_group); 1381 mbedtls_ecp_group_load(&mbedtls_ec_group, MBEDTLS_ECP_DP_SECP256R1); 1382 #endif 1383 1384 // reset state 1385 btstack_crypto_state_reset(); 1386 } 1387 1388 // De-Init 1389 void btstack_crypto_deinit(void) { 1390 btstack_crypto_initialized = false; 1391 } 1392 1393 // PTS only 1394 void btstack_crypto_ecc_p256_set_key(const uint8_t * public_key, const uint8_t * private_key){ 1395 #ifdef USE_SOFTWARE_ECC_P256_IMPLEMENTATION 1396 (void)memcpy(btstack_crypto_ecc_p256_d, private_key, 32); 1397 (void)memcpy(btstack_crypto_ecc_p256_public_key, public_key, 64); 1398 btstack_crypto_ecc_p256_key_generation_state = ECC_P256_KEY_GENERATION_DONE; 1399 #else 1400 UNUSED(public_key); 1401 UNUSED(private_key); 1402 #endif 1403 } 1404 1405 // Unit testing 1406 int btstack_crypto_idle(void){ 1407 return btstack_linked_list_empty(&btstack_crypto_operations); 1408 } 1409 void btstack_crypto_reset(void){ 1410 btstack_crypto_deinit(); 1411 btstack_crypto_init(); 1412 } 1413