1/****************************************************************************** 2 * 3 * Copyright (C) 1999-2012 Broadcom Corporation 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License"); 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at: 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 * 17 ******************************************************************************/ 18 19/****************************************************************************** 20 * 21 * This file contains security manager protocol utility functions 22 * 23 ******************************************************************************/ 24#include "bt_target.h" 25 26#if SMP_INCLUDED == TRUE 27#if SMP_DEBUG == TRUE 28 #include <stdio.h> 29#endif 30#include <string.h> 31#include "bt_utils.h" 32#include "btm_ble_api.h" 33#include "smp_int.h" 34#include "btm_int.h" 35#include "btm_ble_int.h" 36#include "hcimsgs.h" 37#include "aes.h" 38#include "p_256_ecc_pp.h" 39#include "device/include/controller.h" 40 41#ifndef SMP_MAX_ENC_REPEAT 42 #define SMP_MAX_ENC_REPEAT 3 43#endif 44 45static void smp_rand_back(tBTM_RAND_ENC *p); 46static void smp_generate_confirm(tSMP_CB *p_cb, tSMP_INT_DATA *p_data); 47static void smp_generate_ltk_cont(tSMP_CB *p_cb, tSMP_INT_DATA *p_data); 48static void smp_generate_y(tSMP_CB *p_cb, tSMP_INT_DATA *p); 49static void smp_generate_rand_vector (tSMP_CB *p_cb, tSMP_INT_DATA *p); 50static void smp_process_stk(tSMP_CB *p_cb, tSMP_ENC *p); 51static void smp_calculate_comfirm_cont(tSMP_CB *p_cb, tSMP_ENC *p); 52static void smp_process_confirm(tSMP_CB *p_cb, tSMP_ENC *p); 53static void smp_process_compare(tSMP_CB *p_cb, tSMP_ENC *p); 54static void smp_process_ediv(tSMP_CB *p_cb, tSMP_ENC *p); 55static BOOLEAN smp_calculate_legacy_short_term_key(tSMP_CB *p_cb, tSMP_ENC *output); 56static void smp_continue_private_key_creation(tSMP_CB *p_cb, tBTM_RAND_ENC *p); 57static void smp_process_private_key(tSMP_CB *p_cb); 58static void smp_finish_nonce_generation(tSMP_CB *p_cb); 59static void smp_process_new_nonce(tSMP_CB *p_cb); 60 61#define SMP_PASSKEY_MASK 0xfff00000 62 63void smp_debug_print_nbyte_little_endian(UINT8 *p, const UINT8 *key_name, UINT8 len) 64{ 65#if SMP_DEBUG == TRUE 66 int ind, x; 67 int col_count = 32; 68 int row_count; 69 UINT8 p_buf[512]; 70 71 SMP_TRACE_WARNING("%s(LSB ~ MSB):", key_name); 72 memset(p_buf, 0, sizeof(p_buf)); 73 row_count = len % col_count ? len / col_count + 1: len / col_count; 74 75 ind = 0; 76 for (int row = 0; row < row_count; row++) 77 { 78 for (int column = 0, x = 0; (ind < len) && (column < col_count); column++, ind++) 79 { 80 x += sprintf((char *)&p_buf[x], "%02x ", p[ind]); 81 } 82 SMP_TRACE_WARNING(" [%03d]: %s", row * col_count, p_buf); 83 } 84#endif 85} 86 87void smp_debug_print_nbyte_big_endian (UINT8 *p, const UINT8 *key_name, UINT8 len) 88{ 89#if SMP_DEBUG == TRUE 90 UINT8 p_buf[512]; 91 92 SMP_TRACE_WARNING("%s(MSB ~ LSB):", key_name); 93 memset(p_buf, 0, sizeof(p_buf)); 94 95 int ind = 0; 96 int ncols = 32; /* num entries in one line */ 97 int nrows; /* num lines */ 98 int x; 99 100 nrows = len % ncols ? len / ncols + 1: len / ncols; 101 for (int row = 0; row < nrows; row++) 102 { 103 for (int col = 0, x = 0; (ind < len) && (col < ncols); col++, ind++) 104 { 105 x += sprintf ((char *)&p_buf[len-x-1], "%02x ", p[ind]); 106 } 107 SMP_TRACE_WARNING("[%03d]: %s", row * ncols, p_buf); 108 } 109#endif 110} 111 112/******************************************************************************* 113** 114** Function smp_encrypt_data 115** 116** Description This function is called to encrypt data. 117** It uses AES-128 encryption algorithm. 118** Plain_text is encrypted using key, the result is at p_out. 119** 120** Returns void 121** 122*******************************************************************************/ 123BOOLEAN smp_encrypt_data (UINT8 *key, UINT8 key_len, 124 UINT8 *plain_text, UINT8 pt_len, 125 tSMP_ENC *p_out) 126{ 127 aes_context ctx; 128 UINT8 *p_start = NULL; 129 UINT8 *p = NULL; 130 UINT8 *p_rev_data = NULL; /* input data in big endilan format */ 131 UINT8 *p_rev_key = NULL; /* input key in big endilan format */ 132 UINT8 *p_rev_output = NULL; /* encrypted output in big endilan format */ 133 134 SMP_TRACE_DEBUG ("%s", __func__); 135 if ( (p_out == NULL ) || (key_len != SMP_ENCRYT_KEY_SIZE) ) 136 { 137 SMP_TRACE_ERROR ("%s failed", __func__); 138 return FALSE; 139 } 140 141 p_start = (UINT8 *)osi_calloc(SMP_ENCRYT_DATA_SIZE * 4); 142 143 if (pt_len > SMP_ENCRYT_DATA_SIZE) 144 pt_len = SMP_ENCRYT_DATA_SIZE; 145 146 p = p_start; 147 ARRAY_TO_STREAM (p, plain_text, pt_len); /* byte 0 to byte 15 */ 148 p_rev_data = p = p_start + SMP_ENCRYT_DATA_SIZE; /* start at byte 16 */ 149 REVERSE_ARRAY_TO_STREAM (p, p_start, SMP_ENCRYT_DATA_SIZE); /* byte 16 to byte 31 */ 150 p_rev_key = p; /* start at byte 32 */ 151 REVERSE_ARRAY_TO_STREAM (p, key, SMP_ENCRYT_KEY_SIZE); /* byte 32 to byte 47 */ 152 153#if SMP_DEBUG == TRUE && SMP_DEBUG_VERBOSE == TRUE 154 smp_debug_print_nbyte_little_endian(key, (const UINT8 *)"Key", SMP_ENCRYT_KEY_SIZE); 155 smp_debug_print_nbyte_little_endian(p_start, (const UINT8 *)"Plain text", SMP_ENCRYT_DATA_SIZE); 156#endif 157 p_rev_output = p; 158 aes_set_key(p_rev_key, SMP_ENCRYT_KEY_SIZE, &ctx); 159 aes_encrypt(p_rev_data, p, &ctx); /* outputs in byte 48 to byte 63 */ 160 161 p = p_out->param_buf; 162 REVERSE_ARRAY_TO_STREAM (p, p_rev_output, SMP_ENCRYT_DATA_SIZE); 163#if SMP_DEBUG == TRUE && SMP_DEBUG_VERBOSE == TRUE 164 smp_debug_print_nbyte_little_endian(p_out->param_buf, (const UINT8 *)"Encrypted text", SMP_ENCRYT_KEY_SIZE); 165#endif 166 167 p_out->param_len = SMP_ENCRYT_KEY_SIZE; 168 p_out->status = HCI_SUCCESS; 169 p_out->opcode = HCI_BLE_ENCRYPT; 170 171 osi_free(p_start); 172 173 return TRUE; 174} 175 176/******************************************************************************* 177** 178** Function smp_generate_passkey 179** 180** Description This function is called to generate passkey. 181** 182** Returns void 183** 184*******************************************************************************/ 185void smp_generate_passkey(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) 186{ 187 UNUSED(p_data); 188 189 SMP_TRACE_DEBUG ("%s", __func__); 190 p_cb->rand_enc_proc_state = SMP_GEN_TK; 191 192 /* generate MRand or SRand */ 193 if (!btsnd_hcic_ble_rand((void *)smp_rand_back)) 194 smp_rand_back(NULL); 195} 196 197/******************************************************************************* 198** 199** Function smp_proc_passkey 200** 201** Description This function is called to process a passkey. 202** 203** Returns void 204** 205*******************************************************************************/ 206void smp_proc_passkey(tSMP_CB *p_cb , tBTM_RAND_ENC *p) 207{ 208 UINT8 *tt = p_cb->tk; 209 tSMP_KEY key; 210 UINT32 passkey; /* 19655 test number; */ 211 UINT8 *pp = p->param_buf; 212 213 SMP_TRACE_DEBUG ("%s", __func__); 214 STREAM_TO_UINT32(passkey, pp); 215 passkey &= ~SMP_PASSKEY_MASK; 216 217 /* truncate by maximum value */ 218 while (passkey > BTM_MAX_PASSKEY_VAL) 219 passkey >>= 1; 220 221 /* save the TK */ 222 memset(p_cb->tk, 0, BT_OCTET16_LEN); 223 UINT32_TO_STREAM(tt, passkey); 224 225 key.key_type = SMP_KEY_TYPE_TK; 226 key.p_data = p_cb->tk; 227 228 if (p_cb->p_callback) 229 { 230 (*p_cb->p_callback)(SMP_PASSKEY_NOTIF_EVT, p_cb->pairing_bda, (tSMP_EVT_DATA *)&passkey); 231 } 232 233 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_PASSKEY_DISP) 234 { 235 smp_sm_event(&smp_cb, SMP_KEY_READY_EVT, &passkey); 236 } 237 else 238 { 239 smp_sm_event(p_cb, SMP_KEY_READY_EVT, (tSMP_INT_DATA *)&key); 240 } 241} 242 243/******************************************************************************* 244** 245** Function smp_generate_stk 246** 247** Description This function is called to generate STK calculated by running 248** AES with the TK value as key and a concatenation of the random 249** values. 250** 251** Returns void 252** 253*******************************************************************************/ 254void smp_generate_stk(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) 255{ 256 UNUSED(p_data); 257 258 tSMP_ENC output; 259 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN; 260 261 SMP_TRACE_DEBUG ("%s", __func__); 262 263 if (p_cb->le_secure_connections_mode_is_used) 264 { 265 SMP_TRACE_WARNING ("FOR LE SC LTK IS USED INSTEAD OF STK"); 266 output.param_len = SMP_ENCRYT_KEY_SIZE; 267 output.status = HCI_SUCCESS; 268 output.opcode = HCI_BLE_ENCRYPT; 269 memcpy(output.param_buf, p_cb->ltk, SMP_ENCRYT_DATA_SIZE); 270 } 271 else if (!smp_calculate_legacy_short_term_key(p_cb, &output)) 272 { 273 SMP_TRACE_ERROR("%s failed", __func__); 274 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &status); 275 return; 276 } 277 278 smp_process_stk(p_cb, &output); 279} 280 281/******************************************************************************* 282** 283** Function smp_generate_srand_mrand_confirm 284** 285** Description This function is called to start the second pairing phase by 286** start generating random number. 287** 288** 289** Returns void 290** 291*******************************************************************************/ 292void smp_generate_srand_mrand_confirm(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) 293{ 294 UNUSED(p_data); 295 296 SMP_TRACE_DEBUG ("%s", __func__); 297 p_cb->rand_enc_proc_state = SMP_GEN_SRAND_MRAND; 298 /* generate MRand or SRand */ 299 if (!btsnd_hcic_ble_rand((void *)smp_rand_back)) 300 smp_rand_back(NULL); 301} 302 303/******************************************************************************* 304** 305** Function smp_generate_rand_cont 306** 307** Description This function is called to generate another 64 bits random for 308** MRand or Srand. 309** 310** Returns void 311** 312*******************************************************************************/ 313void smp_generate_rand_cont(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) 314{ 315 UNUSED(p_data); 316 317 SMP_TRACE_DEBUG ("%s", __func__); 318 p_cb->rand_enc_proc_state = SMP_GEN_SRAND_MRAND_CONT; 319 /* generate 64 MSB of MRand or SRand */ 320 if (!btsnd_hcic_ble_rand((void *)smp_rand_back)) 321 smp_rand_back(NULL); 322} 323 324/******************************************************************************* 325** 326** Function smp_generate_ltk 327** 328** Description This function is called: 329** - in legacy pairing - to calculate LTK, starting with DIV 330** generation; 331** - in LE Secure Connections pairing over LE transport - to process LTK 332** already generated to encrypt LE link; 333** - in LE Secure Connections pairing over BR/EDR transport - to start 334** BR/EDR Link Key processing. 335** 336** Returns void 337** 338*******************************************************************************/ 339void smp_generate_ltk(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) 340{ 341 UNUSED(p_data); 342 343 BOOLEAN div_status; 344 SMP_TRACE_DEBUG ("%s", __FUNCTION__); 345 if (smp_get_br_state() == SMP_BR_STATE_BOND_PENDING) 346 { 347 smp_br_process_link_key(p_cb, NULL); 348 return; 349 } 350 else if (p_cb->le_secure_connections_mode_is_used) 351 { 352 smp_process_secure_connection_long_term_key(); 353 return; 354 } 355 356 div_status = btm_get_local_div(p_cb->pairing_bda, &p_cb->div); 357 358 if (div_status) 359 { 360 smp_generate_ltk_cont(p_cb, NULL); 361 } 362 else 363 { 364 SMP_TRACE_DEBUG ("Generate DIV for LTK"); 365 p_cb->rand_enc_proc_state = SMP_GEN_DIV_LTK; 366 /* generate MRand or SRand */ 367 if (!btsnd_hcic_ble_rand((void *)smp_rand_back)) 368 smp_rand_back(NULL); 369 } 370} 371 372/******************************************************************************* 373** 374** Function smp_compute_csrk 375** 376** Description This function is called to calculate CSRK 377** 378** 379** Returns void 380** 381*******************************************************************************/ 382void smp_compute_csrk(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) 383{ 384 UNUSED(p_data); 385 386 BT_OCTET16 er; 387 UINT8 buffer[4]; /* for (r || DIV) r=1*/ 388 UINT16 r=1; 389 UINT8 *p=buffer; 390 tSMP_ENC output; 391 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN; 392 393 SMP_TRACE_DEBUG ("smp_compute_csrk div=%x", p_cb->div); 394 BTM_GetDeviceEncRoot(er); 395 /* CSRK = d1(ER, DIV, 1) */ 396 UINT16_TO_STREAM(p, p_cb->div); 397 UINT16_TO_STREAM(p, r); 398 399 if (!SMP_Encrypt(er, BT_OCTET16_LEN, buffer, 4, &output)) 400 { 401 SMP_TRACE_ERROR("smp_generate_csrk failed"); 402 if (p_cb->smp_over_br) 403 { 404 smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &status); 405 } 406 else 407 { 408 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &status); 409 } 410 } 411 else 412 { 413 memcpy((void *)p_cb->csrk, output.param_buf, BT_OCTET16_LEN); 414 smp_send_csrk_info(p_cb, NULL); 415 } 416} 417 418/******************************************************************************* 419** 420** Function smp_generate_csrk 421** 422** Description This function is called to calculate CSRK, starting with DIV 423** generation. 424** 425** 426** Returns void 427** 428*******************************************************************************/ 429void smp_generate_csrk(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) 430{ 431 UNUSED(p_data); 432 433 BOOLEAN div_status; 434 435 SMP_TRACE_DEBUG ("smp_generate_csrk"); 436 437 div_status = btm_get_local_div(p_cb->pairing_bda, &p_cb->div); 438 if (div_status) 439 { 440 smp_compute_csrk(p_cb, NULL); 441 } 442 else 443 { 444 SMP_TRACE_DEBUG ("Generate DIV for CSRK"); 445 p_cb->rand_enc_proc_state = SMP_GEN_DIV_CSRK; 446 if (!btsnd_hcic_ble_rand((void *)smp_rand_back)) 447 smp_rand_back(NULL); 448 } 449} 450 451/******************************************************************************* 452** Function smp_concatenate_peer 453** add pairing command sent from local device into p1. 454*******************************************************************************/ 455void smp_concatenate_local( tSMP_CB *p_cb, UINT8 **p_data, UINT8 op_code) 456{ 457 UINT8 *p = *p_data; 458 459 SMP_TRACE_DEBUG ("%s", __func__); 460 UINT8_TO_STREAM(p, op_code); 461 UINT8_TO_STREAM(p, p_cb->local_io_capability); 462 UINT8_TO_STREAM(p, p_cb->loc_oob_flag); 463 UINT8_TO_STREAM(p, p_cb->loc_auth_req); 464 UINT8_TO_STREAM(p, p_cb->loc_enc_size); 465 UINT8_TO_STREAM(p, p_cb->local_i_key); 466 UINT8_TO_STREAM(p, p_cb->local_r_key); 467 468 *p_data = p; 469} 470 471/******************************************************************************* 472** Function smp_concatenate_peer 473** add pairing command received from peer device into p1. 474*******************************************************************************/ 475void smp_concatenate_peer( tSMP_CB *p_cb, UINT8 **p_data, UINT8 op_code) 476{ 477 UINT8 *p = *p_data; 478 479 SMP_TRACE_DEBUG ("smp_concatenate_peer "); 480 UINT8_TO_STREAM(p, op_code); 481 UINT8_TO_STREAM(p, p_cb->peer_io_caps); 482 UINT8_TO_STREAM(p, p_cb->peer_oob_flag); 483 UINT8_TO_STREAM(p, p_cb->peer_auth_req); 484 UINT8_TO_STREAM(p, p_cb->peer_enc_size); 485 UINT8_TO_STREAM(p, p_cb->peer_i_key); 486 UINT8_TO_STREAM(p, p_cb->peer_r_key); 487 488 *p_data = p; 489} 490 491/******************************************************************************* 492** 493** Function smp_gen_p1_4_confirm 494** 495** Description Generate Confirm/Compare Step1: 496** p1 = pres || preq || rat' || iat' 497** 498** Returns void 499** 500*******************************************************************************/ 501void smp_gen_p1_4_confirm( tSMP_CB *p_cb, BT_OCTET16 p1) 502{ 503 UINT8 *p = (UINT8 *)p1; 504 tBLE_ADDR_TYPE addr_type = 0; 505 BD_ADDR remote_bda; 506 507 SMP_TRACE_DEBUG ("smp_gen_p1_4_confirm"); 508 509 if (!BTM_ReadRemoteConnectionAddr(p_cb->pairing_bda, remote_bda, &addr_type)) 510 { 511 SMP_TRACE_ERROR("can not generate confirm for unknown device"); 512 return; 513 } 514 515 BTM_ReadConnectionAddr( p_cb->pairing_bda, p_cb->local_bda, &p_cb->addr_type); 516 517 if (p_cb->role == HCI_ROLE_MASTER) 518 { 519 /* LSB : rat': initiator's(local) address type */ 520 UINT8_TO_STREAM(p, p_cb->addr_type); 521 /* LSB : iat': responder's address type */ 522 UINT8_TO_STREAM(p, addr_type); 523 /* concatinate preq */ 524 smp_concatenate_local(p_cb, &p, SMP_OPCODE_PAIRING_REQ); 525 /* concatinate pres */ 526 smp_concatenate_peer(p_cb, &p, SMP_OPCODE_PAIRING_RSP); 527 } 528 else 529 { 530 /* LSB : iat': initiator's address type */ 531 UINT8_TO_STREAM(p, addr_type); 532 /* LSB : rat': responder's(local) address type */ 533 UINT8_TO_STREAM(p, p_cb->addr_type); 534 /* concatinate preq */ 535 smp_concatenate_peer(p_cb, &p, SMP_OPCODE_PAIRING_REQ); 536 /* concatinate pres */ 537 smp_concatenate_local(p_cb, &p, SMP_OPCODE_PAIRING_RSP); 538 } 539#if SMP_DEBUG == TRUE 540 SMP_TRACE_DEBUG("p1 = pres || preq || rat' || iat'"); 541 smp_debug_print_nbyte_little_endian ((UINT8 *)p1, (const UINT8 *)"P1", 16); 542#endif 543} 544 545/******************************************************************************* 546** 547** Function smp_gen_p2_4_confirm 548** 549** Description Generate Confirm/Compare Step2: 550** p2 = padding || ia || ra 551** 552** Returns void 553** 554*******************************************************************************/ 555void smp_gen_p2_4_confirm( tSMP_CB *p_cb, BT_OCTET16 p2) 556{ 557 UINT8 *p = (UINT8 *)p2; 558 BD_ADDR remote_bda; 559 tBLE_ADDR_TYPE addr_type = 0; 560 561 if (!BTM_ReadRemoteConnectionAddr(p_cb->pairing_bda, remote_bda, &addr_type)) 562 { 563 SMP_TRACE_ERROR("can not generate confirm p2 for unknown device"); 564 return; 565 } 566 567 SMP_TRACE_DEBUG ("smp_gen_p2_4_confirm"); 568 569 memset(p, 0, sizeof(BT_OCTET16)); 570 571 if (p_cb->role == HCI_ROLE_MASTER) 572 { 573 /* LSB ra */ 574 BDADDR_TO_STREAM(p, remote_bda); 575 /* ia */ 576 BDADDR_TO_STREAM(p, p_cb->local_bda); 577 } 578 else 579 { 580 /* LSB ra */ 581 BDADDR_TO_STREAM(p, p_cb->local_bda); 582 /* ia */ 583 BDADDR_TO_STREAM(p, remote_bda); 584 } 585#if SMP_DEBUG == TRUE 586 SMP_TRACE_DEBUG("p2 = padding || ia || ra"); 587 smp_debug_print_nbyte_little_endian(p2, (const UINT8 *)"p2", 16); 588#endif 589} 590 591/******************************************************************************* 592** 593** Function smp_calculate_comfirm 594** 595** Description This function is called to calculate Confirm value. 596** 597** Returns void 598** 599*******************************************************************************/ 600void smp_calculate_comfirm (tSMP_CB *p_cb, BT_OCTET16 rand, BD_ADDR bda) 601{ 602 UNUSED(bda); 603 604 BT_OCTET16 p1; 605 tSMP_ENC output; 606 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN; 607 608 SMP_TRACE_DEBUG ("smp_calculate_comfirm "); 609 /* generate p1 = pres || preq || rat' || iat' */ 610 smp_gen_p1_4_confirm(p_cb, p1); 611 612 /* p1 = rand XOR p1 */ 613 smp_xor_128(p1, rand); 614 615 smp_debug_print_nbyte_little_endian ((UINT8 *)p1, (const UINT8 *)"P1' = r XOR p1", 16); 616 617 /* calculate e(k, r XOR p1), where k = TK */ 618 if (!SMP_Encrypt(p_cb->tk, BT_OCTET16_LEN, p1, BT_OCTET16_LEN, &output)) 619 { 620 SMP_TRACE_ERROR("smp_generate_csrk failed"); 621 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &status); 622 } 623 else 624 { 625 smp_calculate_comfirm_cont(p_cb, &output); 626 } 627} 628 629/******************************************************************************* 630** 631** Function smp_calculate_comfirm_cont 632** 633** Description This function is called when SConfirm/MConfirm is generated 634** proceed to send the Confirm request/response to peer device. 635** 636** Returns void 637** 638*******************************************************************************/ 639static void smp_calculate_comfirm_cont(tSMP_CB *p_cb, tSMP_ENC *p) 640{ 641 BT_OCTET16 p2; 642 tSMP_ENC output; 643 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN; 644 645 SMP_TRACE_DEBUG ("smp_calculate_comfirm_cont "); 646#if SMP_DEBUG == TRUE 647 SMP_TRACE_DEBUG("Confirm step 1 p1' = e(k, r XOR p1) Generated"); 648 smp_debug_print_nbyte_little_endian (p->param_buf, (const UINT8 *)"C1", 16); 649#endif 650 651 smp_gen_p2_4_confirm(p_cb, p2); 652 653 /* calculate p2 = (p1' XOR p2) */ 654 smp_xor_128(p2, p->param_buf); 655 smp_debug_print_nbyte_little_endian ((UINT8 *)p2, (const UINT8 *)"p2' = C1 xor p2", 16); 656 657 /* calculate: Confirm = E(k, p1' XOR p2) */ 658 if (!SMP_Encrypt(p_cb->tk, BT_OCTET16_LEN, p2, BT_OCTET16_LEN, &output)) 659 { 660 SMP_TRACE_ERROR("smp_calculate_comfirm_cont failed"); 661 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &status); 662 } 663 else 664 { 665 switch (p_cb->rand_enc_proc_state) 666 { 667 case SMP_GEN_CONFIRM: 668 smp_process_confirm(p_cb, &output); 669 break; 670 671 case SMP_GEN_COMPARE: 672 smp_process_compare(p_cb, &output); 673 break; 674 } 675 } 676} 677 678/******************************************************************************* 679** 680** Function smp_generate_confirm 681** 682** Description This function is called when a 48 bits random number is generated 683** as SRand or MRand, continue to calculate Sconfirm or MConfirm. 684** 685** Returns void 686** 687*******************************************************************************/ 688static void smp_generate_confirm(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) 689{ 690 UNUSED(p_data); 691 692 SMP_TRACE_DEBUG ("%s", __func__); 693 p_cb->rand_enc_proc_state = SMP_GEN_CONFIRM; 694 smp_debug_print_nbyte_little_endian ((UINT8 *)p_cb->rand, (const UINT8 *)"local rand", 16); 695 smp_calculate_comfirm(p_cb, p_cb->rand, p_cb->pairing_bda); 696} 697 698/******************************************************************************* 699** 700** Function smp_generate_compare 701** 702** Description This function is called to generate SConfirm for Slave device, 703** or MSlave for Master device. This function can be also used for 704** generating Compare number for confirm value check. 705** 706** Returns void 707** 708*******************************************************************************/ 709void smp_generate_compare (tSMP_CB *p_cb, tSMP_INT_DATA *p_data) 710{ 711 UNUSED(p_data); 712 713 SMP_TRACE_DEBUG ("smp_generate_compare "); 714 p_cb->rand_enc_proc_state = SMP_GEN_COMPARE; 715 smp_debug_print_nbyte_little_endian ((UINT8 *)p_cb->rrand, (const UINT8 *)"peer rand", 16); 716 smp_calculate_comfirm(p_cb, p_cb->rrand, p_cb->local_bda); 717} 718 719/******************************************************************************* 720** 721** Function smp_process_confirm 722** 723** Description This function is called when SConfirm/MConfirm is generated 724** proceed to send the Confirm request/response to peer device. 725** 726** Returns void 727** 728*******************************************************************************/ 729static void smp_process_confirm(tSMP_CB *p_cb, tSMP_ENC *p) 730{ 731 tSMP_KEY key; 732 733 SMP_TRACE_DEBUG ("%s", __FUNCTION__); 734 memcpy(p_cb->confirm, p->param_buf, BT_OCTET16_LEN); 735 736#if (SMP_DEBUG == TRUE) 737 SMP_TRACE_DEBUG("Confirm Generated"); 738 smp_debug_print_nbyte_little_endian ((UINT8 *)p_cb->confirm, (const UINT8 *)"Confirm", 16); 739#endif 740 741 key.key_type = SMP_KEY_TYPE_CFM; 742 key.p_data = p->param_buf; 743 smp_sm_event(p_cb, SMP_KEY_READY_EVT, &key); 744} 745 746/******************************************************************************* 747** 748** Function smp_process_compare 749** 750** Description This function is called when Compare is generated using the 751** RRand and local BDA, TK information. 752** 753** Returns void 754** 755*******************************************************************************/ 756static void smp_process_compare(tSMP_CB *p_cb, tSMP_ENC *p) 757{ 758 tSMP_KEY key; 759 760 SMP_TRACE_DEBUG ("smp_process_compare "); 761#if (SMP_DEBUG == TRUE) 762 SMP_TRACE_DEBUG("Compare Generated"); 763 smp_debug_print_nbyte_little_endian (p->param_buf, (const UINT8 *)"Compare", 16); 764#endif 765 key.key_type = SMP_KEY_TYPE_CMP; 766 key.p_data = p->param_buf; 767 768 smp_sm_event(p_cb, SMP_KEY_READY_EVT, &key); 769} 770 771/******************************************************************************* 772** 773** Function smp_process_stk 774** 775** Description This function is called when STK is generated 776** proceed to send the encrypt the link using STK. 777** 778** Returns void 779** 780*******************************************************************************/ 781static void smp_process_stk(tSMP_CB *p_cb, tSMP_ENC *p) 782{ 783 tSMP_KEY key; 784 785 SMP_TRACE_DEBUG ("smp_process_stk "); 786#if (SMP_DEBUG == TRUE) 787 SMP_TRACE_ERROR("STK Generated"); 788#endif 789 smp_mask_enc_key(p_cb->loc_enc_size, p->param_buf); 790 791 key.key_type = SMP_KEY_TYPE_STK; 792 key.p_data = p->param_buf; 793 794 smp_sm_event(p_cb, SMP_KEY_READY_EVT, &key); 795} 796 797/******************************************************************************* 798** 799** Function smp_generate_ltk_cont 800** 801** Description This function is to calculate LTK = d1(ER, DIV, 0)= e(ER, DIV) 802** 803** Returns void 804** 805*******************************************************************************/ 806static void smp_generate_ltk_cont(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) 807{ 808 UNUSED(p_data); 809 810 BT_OCTET16 er; 811 tSMP_ENC output; 812 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN; 813 814 SMP_TRACE_DEBUG ("%s", __func__); 815 BTM_GetDeviceEncRoot(er); 816 817 /* LTK = d1(ER, DIV, 0)= e(ER, DIV)*/ 818 if (!SMP_Encrypt(er, BT_OCTET16_LEN, (UINT8 *)&p_cb->div, 819 sizeof(UINT16), &output)) 820 { 821 SMP_TRACE_ERROR("%s failed", __func__); 822 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &status); 823 } 824 else 825 { 826 /* mask the LTK */ 827 smp_mask_enc_key(p_cb->loc_enc_size, output.param_buf); 828 memcpy((void *)p_cb->ltk, output.param_buf, BT_OCTET16_LEN); 829 smp_generate_rand_vector(p_cb, NULL); 830 } 831} 832 833/******************************************************************************* 834** 835** Function smp_generate_y 836** 837** Description This function is to proceed generate Y = E(DHK, Rand) 838** 839** Returns void 840** 841*******************************************************************************/ 842static void smp_generate_y(tSMP_CB *p_cb, tSMP_INT_DATA *p) 843{ 844 UNUSED(p); 845 846 BT_OCTET16 dhk; 847 tSMP_ENC output; 848 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN; 849 850 851 SMP_TRACE_DEBUG ("smp_generate_y "); 852 BTM_GetDeviceDHK(dhk); 853 854 if (!SMP_Encrypt(dhk, BT_OCTET16_LEN, p_cb->enc_rand, 855 BT_OCTET8_LEN, &output)) 856 { 857 SMP_TRACE_ERROR("smp_generate_y failed"); 858 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &status); 859 } 860 else 861 { 862 smp_process_ediv(p_cb, &output); 863 } 864} 865 866/******************************************************************************* 867** 868** Function smp_generate_rand_vector 869** 870** Description This function is called when LTK is generated, send state machine 871** event to SMP. 872** 873** Returns void 874** 875*******************************************************************************/ 876static void smp_generate_rand_vector (tSMP_CB *p_cb, tSMP_INT_DATA *p) 877{ 878 UNUSED(p); 879 880 /* generate EDIV and rand now */ 881 /* generate random vector */ 882 SMP_TRACE_DEBUG ("smp_generate_rand_vector "); 883 p_cb->rand_enc_proc_state = SMP_GEN_RAND_V; 884 if (!btsnd_hcic_ble_rand((void *)smp_rand_back)) 885 smp_rand_back(NULL); 886} 887 888/******************************************************************************* 889** 890** Function smp_process_ediv 891** 892** Description This function is to calculate EDIV = Y xor DIV 893** 894** Returns void 895** 896*******************************************************************************/ 897static void smp_process_ediv(tSMP_CB *p_cb, tSMP_ENC *p) 898{ 899 tSMP_KEY key; 900 UINT8 *pp= p->param_buf; 901 UINT16 y; 902 903 SMP_TRACE_DEBUG ("smp_process_ediv "); 904 STREAM_TO_UINT16(y, pp); 905 906 /* EDIV = Y xor DIV */ 907 p_cb->ediv = p_cb->div ^ y; 908 /* send LTK ready */ 909 SMP_TRACE_ERROR("LTK ready"); 910 key.key_type = SMP_KEY_TYPE_LTK; 911 key.p_data = p->param_buf; 912 913 smp_sm_event(p_cb, SMP_KEY_READY_EVT, &key); 914} 915 916/******************************************************************************* 917** 918** Function smp_calculate_legacy_short_term_key 919** 920** Description The function calculates legacy STK. 921** 922** Returns FALSE if out of resources, TRUE in other cases. 923** 924*******************************************************************************/ 925BOOLEAN smp_calculate_legacy_short_term_key(tSMP_CB *p_cb, tSMP_ENC *output) 926{ 927 BT_OCTET16 ptext; 928 UINT8 *p = ptext; 929 930 SMP_TRACE_DEBUG ("%s", __func__); 931 memset(p, 0, BT_OCTET16_LEN); 932 if (p_cb->role == HCI_ROLE_MASTER) 933 { 934 memcpy(p, p_cb->rand, BT_OCTET8_LEN); 935 memcpy(&p[BT_OCTET8_LEN], p_cb->rrand, BT_OCTET8_LEN); 936 } 937 else 938 { 939 memcpy(p, p_cb->rrand, BT_OCTET8_LEN); 940 memcpy(&p[BT_OCTET8_LEN], p_cb->rand, BT_OCTET8_LEN); 941 } 942 943 BOOLEAN encrypted; 944 /* generate STK = Etk(rand|rrand)*/ 945 encrypted = SMP_Encrypt( p_cb->tk, BT_OCTET16_LEN, ptext, BT_OCTET16_LEN, output); 946 if (!encrypted) 947 { 948 SMP_TRACE_ERROR("%s failed", __func__); 949 } 950 return encrypted; 951} 952 953/******************************************************************************* 954** 955** Function smp_create_private_key 956** 957** Description This function is called to create private key used to 958** calculate public key and DHKey. 959** The function starts private key creation requesting controller 960** to generate [0-7] octets of private key. 961** 962** Returns void 963** 964*******************************************************************************/ 965void smp_create_private_key(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) 966{ 967 SMP_TRACE_DEBUG ("%s",__FUNCTION__); 968 p_cb->rand_enc_proc_state = SMP_GENERATE_PRIVATE_KEY_0_7; 969 if (!btsnd_hcic_ble_rand((void *)smp_rand_back)) 970 smp_rand_back(NULL); 971} 972 973/******************************************************************************* 974** 975** Function smp_use_oob_private_key 976** 977** Description This function is called 978** - to save the secret key used to calculate the public key used 979** in calculations of commitment sent OOB to a peer 980** - to use this secret key to recalculate the public key and 981** start the process of sending this public key to the peer 982** if secret/public keys have to be reused. 983** If the keys aren't supposed to be reused, continue from the 984** point from which request for OOB data was issued. 985** 986** Returns void 987** 988*******************************************************************************/ 989void smp_use_oob_private_key(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) 990{ 991 SMP_TRACE_DEBUG ("%s req_oob_type: %d, role: %d", 992 __func__, p_cb->req_oob_type, p_cb->role); 993 994 switch (p_cb->req_oob_type) 995 { 996 case SMP_OOB_BOTH: 997 case SMP_OOB_LOCAL: 998 SMP_TRACE_DEBUG("%s restore secret key", __func__) 999 memcpy(p_cb->private_key, p_cb->sc_oob_data.loc_oob_data.private_key_used, BT_OCTET32_LEN); 1000 smp_process_private_key(p_cb); 1001 break; 1002 default: 1003 SMP_TRACE_DEBUG("%s create secret key anew", __func__); 1004 smp_set_state(SMP_STATE_PAIR_REQ_RSP); 1005 smp_decide_association_model(p_cb, NULL); 1006 break; 1007 } 1008} 1009 1010/******************************************************************************* 1011** 1012** Function smp_continue_private_key_creation 1013** 1014** Description This function is used to continue private key creation. 1015** 1016** Returns void 1017** 1018*******************************************************************************/ 1019void smp_continue_private_key_creation (tSMP_CB *p_cb, tBTM_RAND_ENC *p) 1020{ 1021 UINT8 state = p_cb->rand_enc_proc_state & ~0x80; 1022 SMP_TRACE_DEBUG ("%s state=0x%x", __func__, state); 1023 1024 switch (state) 1025 { 1026 case SMP_GENERATE_PRIVATE_KEY_0_7: 1027 memcpy((void *)p_cb->private_key, p->param_buf, p->param_len); 1028 p_cb->rand_enc_proc_state = SMP_GENERATE_PRIVATE_KEY_8_15; 1029 if (!btsnd_hcic_ble_rand((void *)smp_rand_back)) 1030 smp_rand_back(NULL); 1031 break; 1032 1033 case SMP_GENERATE_PRIVATE_KEY_8_15: 1034 memcpy((void *)&p_cb->private_key[8], p->param_buf, p->param_len); 1035 p_cb->rand_enc_proc_state = SMP_GENERATE_PRIVATE_KEY_16_23; 1036 if (!btsnd_hcic_ble_rand((void *)smp_rand_back)) 1037 smp_rand_back(NULL); 1038 break; 1039 1040 case SMP_GENERATE_PRIVATE_KEY_16_23: 1041 memcpy((void *)&p_cb->private_key[16], p->param_buf, p->param_len); 1042 p_cb->rand_enc_proc_state = SMP_GENERATE_PRIVATE_KEY_24_31; 1043 if (!btsnd_hcic_ble_rand((void *)smp_rand_back)) 1044 smp_rand_back(NULL); 1045 break; 1046 1047 case SMP_GENERATE_PRIVATE_KEY_24_31: 1048 memcpy((void *)&p_cb->private_key[24], p->param_buf, p->param_len); 1049 smp_process_private_key (p_cb); 1050 break; 1051 1052 default: 1053 break; 1054 } 1055 1056 return; 1057} 1058 1059/******************************************************************************* 1060** 1061** Function smp_process_private_key 1062** 1063** Description This function processes private key. 1064** It calculates public key and notifies SM that private key / 1065** public key pair is created. 1066** 1067** Returns void 1068** 1069*******************************************************************************/ 1070void smp_process_private_key(tSMP_CB *p_cb) 1071{ 1072 Point public_key; 1073 BT_OCTET32 private_key; 1074 1075 SMP_TRACE_DEBUG ("%s", __FUNCTION__); 1076 1077 memcpy(private_key, p_cb->private_key, BT_OCTET32_LEN); 1078 ECC_PointMult(&public_key, &(curve_p256.G), (DWORD*) private_key, KEY_LENGTH_DWORDS_P256); 1079 memcpy(p_cb->loc_publ_key.x, public_key.x, BT_OCTET32_LEN); 1080 memcpy(p_cb->loc_publ_key.y, public_key.y, BT_OCTET32_LEN); 1081 1082 smp_debug_print_nbyte_little_endian (p_cb->private_key, (const UINT8 *)"private", 1083 BT_OCTET32_LEN); 1084 smp_debug_print_nbyte_little_endian (p_cb->loc_publ_key.x, (const UINT8 *)"local public(x)", 1085 BT_OCTET32_LEN); 1086 smp_debug_print_nbyte_little_endian (p_cb->loc_publ_key.y, (const UINT8 *)"local public(y)", 1087 BT_OCTET32_LEN); 1088 p_cb->flags |= SMP_PAIR_FLAG_HAVE_LOCAL_PUBL_KEY; 1089 smp_sm_event(p_cb, SMP_LOC_PUBL_KEY_CRTD_EVT, NULL); 1090} 1091 1092/******************************************************************************* 1093** 1094** Function smp_compute_dhkey 1095** 1096** Description The function: 1097** - calculates a new public key using as input local private 1098** key and peer public key; 1099** - saves the new public key x-coordinate as DHKey. 1100** 1101** Returns void 1102** 1103*******************************************************************************/ 1104void smp_compute_dhkey (tSMP_CB *p_cb) 1105{ 1106 Point peer_publ_key, new_publ_key; 1107 BT_OCTET32 private_key; 1108 1109 SMP_TRACE_DEBUG ("%s", __FUNCTION__); 1110 1111 memcpy(private_key, p_cb->private_key, BT_OCTET32_LEN); 1112 memcpy(peer_publ_key.x, p_cb->peer_publ_key.x, BT_OCTET32_LEN); 1113 memcpy(peer_publ_key.y, p_cb->peer_publ_key.y, BT_OCTET32_LEN); 1114 1115 ECC_PointMult(&new_publ_key, &peer_publ_key, (DWORD*) private_key, KEY_LENGTH_DWORDS_P256); 1116 1117 memcpy(p_cb->dhkey, new_publ_key.x, BT_OCTET32_LEN); 1118 1119 smp_debug_print_nbyte_little_endian (p_cb->dhkey, (const UINT8 *)"Old DHKey", 1120 BT_OCTET32_LEN); 1121 1122 smp_debug_print_nbyte_little_endian (p_cb->private_key, (const UINT8 *)"private", 1123 BT_OCTET32_LEN); 1124 smp_debug_print_nbyte_little_endian (p_cb->peer_publ_key.x, (const UINT8 *)"rem public(x)", 1125 BT_OCTET32_LEN); 1126 smp_debug_print_nbyte_little_endian (p_cb->peer_publ_key.y, (const UINT8 *)"rem public(y)", 1127 BT_OCTET32_LEN); 1128 smp_debug_print_nbyte_little_endian (p_cb->dhkey, (const UINT8 *)"Reverted DHKey", 1129 BT_OCTET32_LEN); 1130} 1131 1132/******************************************************************************* 1133** 1134** Function smp_calculate_local_commitment 1135** 1136** Description The function calculates and saves local commmitment in CB. 1137** 1138** Returns void 1139** 1140*******************************************************************************/ 1141void smp_calculate_local_commitment(tSMP_CB *p_cb) 1142{ 1143 UINT8 random_input; 1144 1145 SMP_TRACE_DEBUG("%s", __FUNCTION__); 1146 1147 switch (p_cb->selected_association_model) 1148 { 1149 case SMP_MODEL_SEC_CONN_JUSTWORKS: 1150 case SMP_MODEL_SEC_CONN_NUM_COMP: 1151 if (p_cb->role == HCI_ROLE_MASTER) 1152 SMP_TRACE_WARNING ("local commitment calc on master is not expected \ 1153 for Just Works/Numeric Comparison models"); 1154 smp_calculate_f4(p_cb->loc_publ_key.x, p_cb->peer_publ_key.x, p_cb->rand, 0, 1155 p_cb->commitment); 1156 break; 1157 case SMP_MODEL_SEC_CONN_PASSKEY_ENT: 1158 case SMP_MODEL_SEC_CONN_PASSKEY_DISP: 1159 random_input = smp_calculate_random_input(p_cb->local_random, p_cb->round); 1160 smp_calculate_f4(p_cb->loc_publ_key.x, p_cb->peer_publ_key.x, p_cb->rand, 1161 random_input, p_cb->commitment); 1162 break; 1163 case SMP_MODEL_SEC_CONN_OOB: 1164 SMP_TRACE_WARNING ("local commitment calc is expected for OOB model BEFORE pairing"); 1165 smp_calculate_f4(p_cb->loc_publ_key.x, p_cb->loc_publ_key.x, p_cb->local_random, 0, 1166 p_cb->commitment); 1167 break; 1168 default: 1169 SMP_TRACE_ERROR("Association Model = %d is not used in LE SC", 1170 p_cb->selected_association_model); 1171 return; 1172 } 1173 1174 SMP_TRACE_EVENT ("local commitment calculation is completed"); 1175} 1176 1177/******************************************************************************* 1178** 1179** Function smp_calculate_peer_commitment 1180** 1181** Description The function calculates and saves peer commmitment at the 1182** provided output buffer. 1183** 1184** Returns void 1185** 1186*******************************************************************************/ 1187void smp_calculate_peer_commitment(tSMP_CB *p_cb, BT_OCTET16 output_buf) 1188{ 1189 UINT8 ri; 1190 1191 SMP_TRACE_DEBUG ("%s", __FUNCTION__); 1192 1193 switch (p_cb->selected_association_model) 1194 { 1195 case SMP_MODEL_SEC_CONN_JUSTWORKS: 1196 case SMP_MODEL_SEC_CONN_NUM_COMP: 1197 if (p_cb->role == HCI_ROLE_SLAVE) 1198 SMP_TRACE_WARNING ("peer commitment calc on slave is not expected \ 1199 for Just Works/Numeric Comparison models"); 1200 smp_calculate_f4(p_cb->peer_publ_key.x, p_cb->loc_publ_key.x, p_cb->rrand, 0, 1201 output_buf); 1202 break; 1203 case SMP_MODEL_SEC_CONN_PASSKEY_ENT: 1204 case SMP_MODEL_SEC_CONN_PASSKEY_DISP: 1205 ri = smp_calculate_random_input(p_cb->peer_random, p_cb->round); 1206 smp_calculate_f4(p_cb->peer_publ_key.x, p_cb->loc_publ_key.x, p_cb->rrand, ri, 1207 output_buf); 1208 break; 1209 case SMP_MODEL_SEC_CONN_OOB: 1210 smp_calculate_f4(p_cb->peer_publ_key.x, p_cb->peer_publ_key.x, p_cb->peer_random, 0, 1211 output_buf); 1212 break; 1213 default: 1214 SMP_TRACE_ERROR("Association Model = %d is not used in LE SC", 1215 p_cb->selected_association_model); 1216 return; 1217 } 1218 1219 SMP_TRACE_EVENT ("peer commitment calculation is completed"); 1220} 1221 1222/******************************************************************************* 1223** 1224** Function smp_calculate_f4 1225** 1226** Description The function calculates 1227** C = f4(U, V, X, Z) = AES-CMAC (U||V||Z) 1228** X 1229** where 1230** input: U is 256 bit, 1231** V is 256 bit, 1232** X is 128 bit, 1233** Z is 8 bit, 1234** output: C is 128 bit. 1235** 1236** Returns void 1237** 1238** Note The LSB is the first octet, the MSB is the last octet of 1239** the AES-CMAC input/output stream. 1240** 1241*******************************************************************************/ 1242void smp_calculate_f4(UINT8 *u, UINT8 *v, UINT8 *x, UINT8 z, UINT8 *c) 1243{ 1244 UINT8 msg_len = BT_OCTET32_LEN /* U size */ + BT_OCTET32_LEN /* V size */ + 1 /* Z size */; 1245 UINT8 msg[BT_OCTET32_LEN + BT_OCTET32_LEN + 1]; 1246 UINT8 key[BT_OCTET16_LEN]; 1247 UINT8 cmac[BT_OCTET16_LEN]; 1248 UINT8 *p = NULL; 1249#if SMP_DEBUG == TRUE 1250 UINT8 *p_prnt = NULL; 1251#endif 1252 1253 SMP_TRACE_DEBUG ("%s", __FUNCTION__); 1254 1255#if SMP_DEBUG == TRUE 1256 p_prnt = u; 1257 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"U", BT_OCTET32_LEN); 1258 p_prnt = v; 1259 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"V", BT_OCTET32_LEN); 1260 p_prnt = x; 1261 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"X", BT_OCTET16_LEN); 1262 p_prnt = &z; 1263 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"Z", 1); 1264#endif 1265 1266 p = msg; 1267 UINT8_TO_STREAM(p, z); 1268 ARRAY_TO_STREAM(p, v, BT_OCTET32_LEN); 1269 ARRAY_TO_STREAM(p, u, BT_OCTET32_LEN); 1270#if SMP_DEBUG == TRUE 1271 p_prnt = msg; 1272 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"M", msg_len); 1273#endif 1274 1275 p = key; 1276 ARRAY_TO_STREAM(p, x, BT_OCTET16_LEN); 1277#if SMP_DEBUG == TRUE 1278 p_prnt = key; 1279 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"K", BT_OCTET16_LEN); 1280#endif 1281 1282 aes_cipher_msg_auth_code(key, msg, msg_len, BT_OCTET16_LEN, cmac); 1283#if SMP_DEBUG == TRUE 1284 p_prnt = cmac; 1285 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"AES_CMAC", BT_OCTET16_LEN); 1286#endif 1287 1288 p = c; 1289 ARRAY_TO_STREAM(p, cmac, BT_OCTET16_LEN); 1290} 1291 1292/******************************************************************************* 1293** 1294** Function smp_calculate_numeric_comparison_display_number 1295** 1296** Description The function calculates and saves number to display in numeric 1297** comparison association mode. 1298** 1299** Returns void 1300** 1301*******************************************************************************/ 1302void smp_calculate_numeric_comparison_display_number(tSMP_CB *p_cb, 1303 tSMP_INT_DATA *p_data) 1304{ 1305 SMP_TRACE_DEBUG ("%s", __func__); 1306 1307 if (p_cb->role == HCI_ROLE_MASTER) 1308 { 1309 p_cb->number_to_display = 1310 smp_calculate_g2(p_cb->loc_publ_key.x, p_cb->peer_publ_key.x, p_cb->rand, 1311 p_cb->rrand); 1312 } 1313 else 1314 { 1315 p_cb->number_to_display = 1316 smp_calculate_g2(p_cb->peer_publ_key.x, p_cb->loc_publ_key.x, p_cb->rrand, 1317 p_cb->rand); 1318 } 1319 1320 if (p_cb->number_to_display >= (BTM_MAX_PASSKEY_VAL + 1)) 1321 { 1322 UINT8 reason; 1323 reason = p_cb->failure = SMP_PAIR_FAIL_UNKNOWN; 1324 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason); 1325 return; 1326 } 1327 1328 SMP_TRACE_EVENT("Number to display in numeric comparison = %d", p_cb->number_to_display); 1329 p_cb->cb_evt = SMP_NC_REQ_EVT; 1330 smp_sm_event(p_cb, SMP_SC_DSPL_NC_EVT, &p_cb->number_to_display); 1331 return; 1332} 1333 1334/******************************************************************************* 1335** 1336** Function smp_calculate_g2 1337** 1338** Description The function calculates 1339** g2(U, V, X, Y) = AES-CMAC (U||V||Y) mod 2**32 mod 10**6 1340** X 1341** and 1342** Vres = g2(U, V, X, Y) mod 10**6 1343** where 1344** input: U is 256 bit, 1345** V is 256 bit, 1346** X is 128 bit, 1347** Y is 128 bit, 1348** 1349** Returns Vres. 1350** Expected value has to be in the range [0 - 999999] i.e. [0 - 0xF423F]. 1351** Vres = 1000000 means that the calculation fails. 1352** 1353** Note The LSB is the first octet, the MSB is the last octet of 1354** the AES-CMAC input/output stream. 1355** 1356*******************************************************************************/ 1357UINT32 smp_calculate_g2(UINT8 *u, UINT8 *v, UINT8 *x, UINT8 *y) 1358{ 1359 UINT8 msg_len = BT_OCTET32_LEN /* U size */ + BT_OCTET32_LEN /* V size */ 1360 + BT_OCTET16_LEN /* Y size */; 1361 UINT8 msg[BT_OCTET32_LEN + BT_OCTET32_LEN + BT_OCTET16_LEN]; 1362 UINT8 key[BT_OCTET16_LEN]; 1363 UINT8 cmac[BT_OCTET16_LEN]; 1364 UINT8 *p = NULL; 1365 UINT32 vres; 1366#if SMP_DEBUG == TRUE 1367 UINT8 *p_prnt = NULL; 1368#endif 1369 1370 SMP_TRACE_DEBUG ("%s", __FUNCTION__); 1371 1372 p = msg; 1373 ARRAY_TO_STREAM(p, y, BT_OCTET16_LEN); 1374 ARRAY_TO_STREAM(p, v, BT_OCTET32_LEN); 1375 ARRAY_TO_STREAM(p, u, BT_OCTET32_LEN); 1376#if SMP_DEBUG == TRUE 1377 p_prnt = u; 1378 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"U", BT_OCTET32_LEN); 1379 p_prnt = v; 1380 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"V", BT_OCTET32_LEN); 1381 p_prnt = x; 1382 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"X", BT_OCTET16_LEN); 1383 p_prnt = y; 1384 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"Y", BT_OCTET16_LEN); 1385#endif 1386 1387 p = key; 1388 ARRAY_TO_STREAM(p, x, BT_OCTET16_LEN); 1389#if SMP_DEBUG == TRUE 1390 p_prnt = key; 1391 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"K", BT_OCTET16_LEN); 1392#endif 1393 1394 if(!aes_cipher_msg_auth_code(key, msg, msg_len, BT_OCTET16_LEN, cmac)) 1395 { 1396 SMP_TRACE_ERROR("%s failed",__FUNCTION__); 1397 return (BTM_MAX_PASSKEY_VAL + 1); 1398 } 1399 1400#if SMP_DEBUG == TRUE 1401 p_prnt = cmac; 1402 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"AES-CMAC", BT_OCTET16_LEN); 1403#endif 1404 1405 /* vres = cmac mod 2**32 mod 10**6 */ 1406 p = &cmac[0]; 1407 STREAM_TO_UINT32(vres, p); 1408#if SMP_DEBUG == TRUE 1409 p_prnt = (UINT8 *) &vres; 1410 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"cmac mod 2**32", 4); 1411#endif 1412 1413 while (vres > BTM_MAX_PASSKEY_VAL) 1414 vres -= (BTM_MAX_PASSKEY_VAL + 1); 1415#if SMP_DEBUG == TRUE 1416 p_prnt = (UINT8 *) &vres; 1417 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"cmac mod 2**32 mod 10**6", 4); 1418#endif 1419 1420 SMP_TRACE_ERROR("Value for numeric comparison = %d", vres); 1421 return vres; 1422} 1423 1424/******************************************************************************* 1425** 1426** Function smp_calculate_f5 1427** 1428** Description The function provides two AES-CMAC that are supposed to be used as 1429** - MacKey (MacKey is used in pairing DHKey check calculation); 1430** - LTK (LTK is used to ecrypt the link after completion of Phase 2 1431** and on reconnection, to derive BR/EDR LK). 1432** The function inputs are W, N1, N2, A1, A2. 1433** F5 rules: 1434** - the value used as key in MacKey/LTK (T) is calculated 1435** (function smp_calculate_f5_key(...)); 1436** The formula is: 1437** T = AES-CMAC (W) 1438** salt 1439** where salt is internal parameter of smp_calculate_f5_key(...). 1440** - MacKey and LTK are calculated as AES-MAC values received with the 1441** key T calculated in the previous step and the plaintext message 1442** built from the external parameters N1, N2, A1, A2 and the internal 1443** parameters counter, keyID, length. 1444** The function smp_calculate_f5_mackey_or_long_term_key(...) is used in the 1445** calculations. 1446** The same formula is used in calculation of MacKey and LTK and the 1447** same parameter values except the value of the internal parameter 1448** counter: 1449** - in MacKey calculations the value is 0; 1450** - in LTK calculations the value is 1. 1451** MacKey = AES-CMAC (Counter=0||keyID||N1||N2||A1||A2||Length=256) 1452** T 1453** LTK = AES-CMAC (Counter=1||keyID||N1||N2||A1||A2||Length=256) 1454** T 1455** The parameters are 1456** input: 1457** W is 256 bits, 1458** N1 is 128 bits, 1459** N2 is 128 bits, 1460** A1 is 56 bit, 1461** A2 is 56 bit. 1462** internal: 1463** Counter is 8 bits, its value is 0 for MacKey, 1464** 1 for LTK; 1465** KeyId is 32 bits, its value is 1466** 0x62746c65 (MSB~LSB); 1467** Length is 16 bits, its value is 0x0100 1468** (MSB~LSB). 1469** output: 1470** MacKey is 128 bits; 1471** LTK is 128 bits 1472** 1473** Returns FALSE if out of resources, TRUE in other cases. 1474** 1475** Note The LSB is the first octet, the MSB is the last octet of 1476** the AES-CMAC input/output stream. 1477** 1478*******************************************************************************/ 1479BOOLEAN smp_calculate_f5(UINT8 *w, UINT8 *n1, UINT8 *n2, UINT8 *a1, UINT8 *a2, 1480 UINT8 *mac_key, UINT8 *ltk) 1481{ 1482 BT_OCTET16 t; /* AES-CMAC output in smp_calculate_f5_key(...), key in */ 1483 /* smp_calculate_f5_mackey_or_long_term_key(...) */ 1484#if SMP_DEBUG == TRUE 1485 UINT8 *p_prnt = NULL; 1486#endif 1487 /* internal parameters: */ 1488 1489 /* 1490 counter is 0 for MacKey, 1491 is 1 for LTK 1492 */ 1493 UINT8 counter_mac_key[1] = {0}; 1494 UINT8 counter_ltk[1] = {1}; 1495 /* 1496 keyID 62746c65 1497 */ 1498 UINT8 key_id[4] = {0x65, 0x6c, 0x74, 0x62}; 1499 /* 1500 length 0100 1501 */ 1502 UINT8 length[2] = {0x00, 0x01}; 1503 1504 SMP_TRACE_DEBUG ("%s", __FUNCTION__); 1505#if SMP_DEBUG == TRUE 1506 p_prnt = w; 1507 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"W", BT_OCTET32_LEN); 1508 p_prnt = n1; 1509 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"N1", BT_OCTET16_LEN); 1510 p_prnt = n2; 1511 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"N2", BT_OCTET16_LEN); 1512 p_prnt = a1; 1513 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"A1", 7); 1514 p_prnt = a2; 1515 smp_debug_print_nbyte_little_endian (p_prnt,(const UINT8 *) "A2", 7); 1516#endif 1517 1518 if (!smp_calculate_f5_key(w, t)) 1519 { 1520 SMP_TRACE_ERROR("%s failed to calc T",__FUNCTION__); 1521 return FALSE; 1522 } 1523#if SMP_DEBUG == TRUE 1524 p_prnt = t; 1525 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"T", BT_OCTET16_LEN); 1526#endif 1527 1528 if (!smp_calculate_f5_mackey_or_long_term_key(t, counter_mac_key, key_id, n1, n2, a1, a2, 1529 length, mac_key)) 1530 { 1531 SMP_TRACE_ERROR("%s failed to calc MacKey", __FUNCTION__); 1532 return FALSE; 1533 } 1534#if SMP_DEBUG == TRUE 1535 p_prnt = mac_key; 1536 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"MacKey", BT_OCTET16_LEN); 1537#endif 1538 1539 if (!smp_calculate_f5_mackey_or_long_term_key(t, counter_ltk, key_id, n1, n2, a1, a2, 1540 length, ltk)) 1541 { 1542 SMP_TRACE_ERROR("%s failed to calc LTK",__FUNCTION__); 1543 return FALSE; 1544 } 1545#if SMP_DEBUG == TRUE 1546 p_prnt = ltk; 1547 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"LTK", BT_OCTET16_LEN); 1548#endif 1549 1550 return TRUE; 1551} 1552 1553/******************************************************************************* 1554** 1555** Function smp_calculate_f5_mackey_or_long_term_key 1556** 1557** Description The function calculates the value of MacKey or LTK by the rules 1558** defined for f5 function. 1559** At the moment exactly the same formula is used to calculate 1560** LTK and MacKey. 1561** The difference is the value of input parameter Counter: 1562** - in MacKey calculations the value is 0; 1563** - in LTK calculations the value is 1. 1564** The formula: 1565** mac = AES-CMAC (Counter||keyID||N1||N2||A1||A2||Length) 1566** T 1567** where 1568** input: T is 256 bits; 1569** Counter is 8 bits, its value is 0 for MacKey, 1570** 1 for LTK; 1571** keyID is 32 bits, its value is 0x62746c65; 1572** N1 is 128 bits; 1573** N2 is 128 bits; 1574** A1 is 56 bits; 1575** A2 is 56 bits; 1576** Length is 16 bits, its value is 0x0100 1577** output: LTK is 128 bit. 1578** 1579** Returns FALSE if out of resources, TRUE in other cases. 1580** 1581** Note The LSB is the first octet, the MSB is the last octet of 1582** the AES-CMAC input/output stream. 1583** 1584*******************************************************************************/ 1585BOOLEAN smp_calculate_f5_mackey_or_long_term_key(UINT8 *t, UINT8 *counter, 1586 UINT8 *key_id, UINT8 *n1, UINT8 *n2, UINT8 *a1, UINT8 *a2, 1587 UINT8 *length, UINT8 *mac) 1588{ 1589 UINT8 *p = NULL; 1590 UINT8 cmac[BT_OCTET16_LEN]; 1591 UINT8 key[BT_OCTET16_LEN]; 1592 UINT8 msg_len = 1 /* Counter size */ + 4 /* keyID size */ + 1593 BT_OCTET16_LEN /* N1 size */ + BT_OCTET16_LEN /* N2 size */ + 1594 7 /* A1 size*/ + 7 /* A2 size*/ + 2 /* Length size */; 1595 UINT8 msg[1 + 4 + BT_OCTET16_LEN + BT_OCTET16_LEN + 7 + 7 + 2]; 1596 BOOLEAN ret = TRUE; 1597#if SMP_DEBUG == TRUE 1598 UINT8 *p_prnt = NULL; 1599#endif 1600 1601 SMP_TRACE_DEBUG ("%s", __FUNCTION__); 1602#if SMP_DEBUG == TRUE 1603 p_prnt = t; 1604 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"T", BT_OCTET16_LEN); 1605 p_prnt = counter; 1606 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"Counter", 1); 1607 p_prnt = key_id; 1608 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"KeyID", 4); 1609 p_prnt = n1; 1610 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"N1", BT_OCTET16_LEN); 1611 p_prnt = n2; 1612 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"N2", BT_OCTET16_LEN); 1613 p_prnt = a1; 1614 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"A1", 7); 1615 p_prnt = a2; 1616 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"A2", 7); 1617 p_prnt = length; 1618 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"Length", 2); 1619#endif 1620 1621 p = key; 1622 ARRAY_TO_STREAM(p, t, BT_OCTET16_LEN); 1623#if SMP_DEBUG == TRUE 1624 p_prnt = key; 1625 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"K", BT_OCTET16_LEN); 1626#endif 1627 p = msg; 1628 ARRAY_TO_STREAM(p, length, 2); 1629 ARRAY_TO_STREAM(p, a2, 7); 1630 ARRAY_TO_STREAM(p, a1, 7); 1631 ARRAY_TO_STREAM(p, n2, BT_OCTET16_LEN); 1632 ARRAY_TO_STREAM(p, n1, BT_OCTET16_LEN); 1633 ARRAY_TO_STREAM(p, key_id, 4); 1634 ARRAY_TO_STREAM(p, counter, 1); 1635#if SMP_DEBUG == TRUE 1636 p_prnt = msg; 1637 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"M", msg_len); 1638#endif 1639 1640 if (!aes_cipher_msg_auth_code(key, msg, msg_len, BT_OCTET16_LEN, cmac)) 1641 { 1642 SMP_TRACE_ERROR("%s failed", __FUNCTION__); 1643 ret = FALSE; 1644 } 1645 1646#if SMP_DEBUG == TRUE 1647 p_prnt = cmac; 1648 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"AES-CMAC", BT_OCTET16_LEN); 1649#endif 1650 1651 p = mac; 1652 ARRAY_TO_STREAM(p, cmac, BT_OCTET16_LEN); 1653 return ret; 1654} 1655 1656/******************************************************************************* 1657** 1658** Function smp_calculate_f5_key 1659** 1660** Description The function calculates key T used in calculation of 1661** MacKey and LTK (f5 output is defined as MacKey || LTK). 1662** T = AES-CMAC (W) 1663** salt 1664** where 1665** Internal: salt is 128 bit. 1666** input: W is 256 bit. 1667** Output: T is 128 bit. 1668** 1669** Returns FALSE if out of resources, TRUE in other cases. 1670** 1671** Note The LSB is the first octet, the MSB is the last octet of 1672** the AES-CMAC input/output stream. 1673** 1674*******************************************************************************/ 1675BOOLEAN smp_calculate_f5_key(UINT8 *w, UINT8 *t) 1676{ 1677 UINT8 *p = NULL; 1678 /* Please see 2.2.7 LE Secure Connections Key Generation Function f5 */ 1679 /* 1680 salt: 6C88 8391 AAF5 A538 6037 0BDB 5A60 83BE 1681 */ 1682 BT_OCTET16 salt = { 1683 0xBE, 0x83, 0x60, 0x5A, 0xDB, 0x0B, 0x37, 0x60, 1684 0x38, 0xA5, 0xF5, 0xAA, 0x91, 0x83, 0x88, 0x6C 1685 }; 1686#if SMP_DEBUG == TRUE 1687 UINT8 *p_prnt = NULL; 1688#endif 1689 1690 SMP_TRACE_DEBUG ("%s", __FUNCTION__); 1691#if SMP_DEBUG == TRUE 1692 p_prnt = salt; 1693 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"salt", BT_OCTET16_LEN); 1694 p_prnt = w; 1695 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"W", BT_OCTET32_LEN); 1696#endif 1697 1698 BT_OCTET16 key; 1699 BT_OCTET32 msg; 1700 1701 p = key; 1702 ARRAY_TO_STREAM(p, salt, BT_OCTET16_LEN); 1703 p = msg; 1704 ARRAY_TO_STREAM(p, w, BT_OCTET32_LEN); 1705#if SMP_DEBUG == TRUE 1706 p_prnt = key; 1707 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"K", BT_OCTET16_LEN); 1708 p_prnt = msg; 1709 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"M", BT_OCTET32_LEN); 1710#endif 1711 1712 BT_OCTET16 cmac; 1713 BOOLEAN ret = TRUE; 1714 if (!aes_cipher_msg_auth_code(key, msg, BT_OCTET32_LEN, BT_OCTET16_LEN, cmac)) 1715 { 1716 SMP_TRACE_ERROR("%s failed", __FUNCTION__); 1717 ret = FALSE; 1718 } 1719 1720#if SMP_DEBUG == TRUE 1721 p_prnt = cmac; 1722 smp_debug_print_nbyte_little_endian (p_prnt, (const UINT8 *)"AES-CMAC", BT_OCTET16_LEN); 1723#endif 1724 1725 p = t; 1726 ARRAY_TO_STREAM(p, cmac, BT_OCTET16_LEN); 1727 return ret; 1728} 1729 1730/******************************************************************************* 1731** 1732** Function smp_calculate_local_dhkey_check 1733** 1734** Description The function calculates and saves local device DHKey check 1735** value in CB. 1736** Before doing this it calls smp_calculate_f5_mackey_and_long_term_key(...). 1737** to calculate MacKey and LTK. 1738** MacKey is used in dhkey calculation. 1739** 1740** Returns void 1741** 1742*******************************************************************************/ 1743void smp_calculate_local_dhkey_check(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) 1744{ 1745 UINT8 iocap[3], a[7], b[7]; 1746 1747 SMP_TRACE_DEBUG ("%s", __FUNCTION__); 1748 1749 smp_calculate_f5_mackey_and_long_term_key(p_cb); 1750 1751 smp_collect_local_io_capabilities(iocap, p_cb); 1752 1753 smp_collect_local_ble_address(a, p_cb); 1754 smp_collect_peer_ble_address(b, p_cb); 1755 smp_calculate_f6(p_cb->mac_key, p_cb->rand, p_cb->rrand, p_cb->peer_random, iocap, a, b, 1756 p_cb->dhkey_check); 1757 1758 SMP_TRACE_EVENT ("local DHKey check calculation is completed"); 1759} 1760 1761/******************************************************************************* 1762** 1763** Function smp_calculate_peer_dhkey_check 1764** 1765** Description The function calculates peer device DHKey check value. 1766** 1767** Returns void 1768** 1769*******************************************************************************/ 1770void smp_calculate_peer_dhkey_check(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) 1771{ 1772 UINT8 iocap[3], a[7], b[7]; 1773 BT_OCTET16 param_buf; 1774 BOOLEAN ret; 1775 tSMP_KEY key; 1776 tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN; 1777 1778 SMP_TRACE_DEBUG ("%s", __FUNCTION__); 1779 1780 smp_collect_peer_io_capabilities(iocap, p_cb); 1781 1782 smp_collect_local_ble_address(a, p_cb); 1783 smp_collect_peer_ble_address(b, p_cb); 1784 ret = smp_calculate_f6(p_cb->mac_key, p_cb->rrand, p_cb->rand, p_cb->local_random, iocap, 1785 b, a, param_buf); 1786 1787 if (ret) 1788 { 1789 SMP_TRACE_EVENT ("peer DHKey check calculation is completed"); 1790#if (SMP_DEBUG == TRUE) 1791 smp_debug_print_nbyte_little_endian (param_buf, (const UINT8 *)"peer DHKey check", 1792 BT_OCTET16_LEN); 1793#endif 1794 key.key_type = SMP_KEY_TYPE_PEER_DHK_CHCK; 1795 key.p_data = param_buf; 1796 smp_sm_event(p_cb, SMP_SC_KEY_READY_EVT, &key); 1797 } 1798 else 1799 { 1800 SMP_TRACE_EVENT ("peer DHKey check calculation failed"); 1801 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &status); 1802 } 1803} 1804 1805/******************************************************************************* 1806** 1807** Function smp_calculate_f6 1808** 1809** Description The function calculates 1810** C = f6(W, N1, N2, R, IOcap, A1, A2) = AES-CMAC (N1||N2||R||IOcap||A1||A2) 1811** W 1812** where 1813** input: W is 128 bit, 1814** N1 is 128 bit, 1815** N2 is 128 bit, 1816** R is 128 bit, 1817** IOcap is 24 bit, 1818** A1 is 56 bit, 1819** A2 is 56 bit, 1820** output: C is 128 bit. 1821** 1822** Returns FALSE if out of resources, TRUE in other cases. 1823** 1824** Note The LSB is the first octet, the MSB is the last octet of 1825** the AES-CMAC input/output stream. 1826** 1827*******************************************************************************/ 1828BOOLEAN smp_calculate_f6(UINT8 *w, UINT8 *n1, UINT8 *n2, UINT8 *r, UINT8 *iocap, UINT8 *a1, 1829 UINT8 *a2, UINT8 *c) 1830{ 1831 UINT8 *p = NULL; 1832 UINT8 msg_len = BT_OCTET16_LEN /* N1 size */ + BT_OCTET16_LEN /* N2 size */ + 1833 BT_OCTET16_LEN /* R size */ + 3 /* IOcap size */ + 7 /* A1 size*/ 1834 + 7 /* A2 size*/; 1835 UINT8 msg[BT_OCTET16_LEN + BT_OCTET16_LEN + BT_OCTET16_LEN + 3 + 7 + 7]; 1836#if SMP_DEBUG == TRUE 1837 UINT8 *p_print = NULL; 1838#endif 1839 1840 SMP_TRACE_DEBUG ("%s", __FUNCTION__); 1841#if SMP_DEBUG == TRUE 1842 p_print = w; 1843 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"W", BT_OCTET16_LEN); 1844 p_print = n1; 1845 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"N1", BT_OCTET16_LEN); 1846 p_print = n2; 1847 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"N2", BT_OCTET16_LEN); 1848 p_print = r; 1849 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"R", BT_OCTET16_LEN); 1850 p_print = iocap; 1851 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"IOcap", 3); 1852 p_print = a1; 1853 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"A1", 7); 1854 p_print = a2; 1855 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"A2", 7); 1856#endif 1857 1858 UINT8 cmac[BT_OCTET16_LEN]; 1859 UINT8 key[BT_OCTET16_LEN]; 1860 1861 p = key; 1862 ARRAY_TO_STREAM(p, w, BT_OCTET16_LEN); 1863#if SMP_DEBUG == TRUE 1864 p_print = key; 1865 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"K", BT_OCTET16_LEN); 1866#endif 1867 1868 p = msg; 1869 ARRAY_TO_STREAM(p, a2, 7); 1870 ARRAY_TO_STREAM(p, a1, 7); 1871 ARRAY_TO_STREAM(p, iocap, 3); 1872 ARRAY_TO_STREAM(p, r, BT_OCTET16_LEN); 1873 ARRAY_TO_STREAM(p, n2, BT_OCTET16_LEN); 1874 ARRAY_TO_STREAM(p, n1, BT_OCTET16_LEN); 1875#if SMP_DEBUG == TRUE 1876 p_print = msg; 1877 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"M", msg_len); 1878#endif 1879 1880 BOOLEAN ret = TRUE; 1881 if(!aes_cipher_msg_auth_code(key, msg, msg_len, BT_OCTET16_LEN, cmac)) 1882 { 1883 SMP_TRACE_ERROR("%s failed", __FUNCTION__); 1884 ret = FALSE; 1885 } 1886 1887#if SMP_DEBUG == TRUE 1888 p_print = cmac; 1889 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"AES-CMAC", BT_OCTET16_LEN); 1890#endif 1891 1892 p = c; 1893 ARRAY_TO_STREAM(p, cmac, BT_OCTET16_LEN); 1894 return ret; 1895} 1896 1897/******************************************************************************* 1898** 1899** Function smp_calculate_link_key_from_long_term_key 1900** 1901** Description The function calculates and saves BR/EDR link key derived from 1902** LE SC LTK. 1903** 1904** Returns FALSE if out of resources, TRUE in other cases. 1905** 1906*******************************************************************************/ 1907BOOLEAN smp_calculate_link_key_from_long_term_key(tSMP_CB *p_cb) 1908{ 1909 tBTM_SEC_DEV_REC *p_dev_rec; 1910 BD_ADDR bda_for_lk; 1911 tBLE_ADDR_TYPE conn_addr_type; 1912 1913 SMP_TRACE_DEBUG ("%s", __func__); 1914 1915 if (p_cb->id_addr_rcvd && p_cb->id_addr_type == BLE_ADDR_PUBLIC) 1916 { 1917 SMP_TRACE_DEBUG ("Use rcvd identity address as BD_ADDR of LK rcvd identity address"); 1918 memcpy(bda_for_lk, p_cb->id_addr, BD_ADDR_LEN); 1919 } 1920 else if ((BTM_ReadRemoteConnectionAddr(p_cb->pairing_bda, bda_for_lk, &conn_addr_type)) && 1921 conn_addr_type == BLE_ADDR_PUBLIC) 1922 { 1923 SMP_TRACE_DEBUG ("Use rcvd connection address as BD_ADDR of LK"); 1924 } 1925 else 1926 { 1927 SMP_TRACE_WARNING ("Don't have peer public address to associate with LK"); 1928 return FALSE; 1929 } 1930 1931 if ((p_dev_rec = btm_find_dev (p_cb->pairing_bda)) == NULL) 1932 { 1933 SMP_TRACE_ERROR("%s failed to find Security Record", __func__); 1934 return FALSE; 1935 } 1936 1937 BT_OCTET16 intermediate_link_key; 1938 BOOLEAN ret = TRUE; 1939 1940 ret = smp_calculate_h6(p_cb->ltk, (UINT8 *)"1pmt" /* reversed "tmp1" */,intermediate_link_key); 1941 if (!ret) 1942 { 1943 SMP_TRACE_ERROR("%s failed to derive intermediate_link_key", __func__); 1944 return ret; 1945 } 1946 1947 BT_OCTET16 link_key; 1948 ret = smp_calculate_h6(intermediate_link_key, (UINT8 *) "rbel" /* reversed "lebr" */, link_key); 1949 if (!ret) 1950 { 1951 SMP_TRACE_ERROR("%s failed", __func__); 1952 } 1953 else 1954 { 1955 UINT8 link_key_type; 1956 if (btm_cb.security_mode == BTM_SEC_MODE_SC) 1957 { 1958 /* Secure Connections Only Mode */ 1959 link_key_type = BTM_LKEY_TYPE_AUTH_COMB_P_256; 1960 } 1961 else if (controller_get_interface()->supports_secure_connections()) 1962 { 1963 /* both transports are SC capable */ 1964 if (p_cb->sec_level == SMP_SEC_AUTHENTICATED) 1965 link_key_type = BTM_LKEY_TYPE_AUTH_COMB_P_256; 1966 else 1967 link_key_type = BTM_LKEY_TYPE_UNAUTH_COMB_P_256; 1968 } 1969 else if (btm_cb.security_mode == BTM_SEC_MODE_SP) 1970 { 1971 /* BR/EDR transport is SSP capable */ 1972 if (p_cb->sec_level == SMP_SEC_AUTHENTICATED) 1973 link_key_type = BTM_LKEY_TYPE_AUTH_COMB; 1974 else 1975 link_key_type = BTM_LKEY_TYPE_UNAUTH_COMB; 1976 } 1977 else 1978 { 1979 SMP_TRACE_ERROR ("%s failed to update link_key. Sec Mode = %d, sm4 = 0x%02x", 1980 __func__, btm_cb.security_mode, p_dev_rec->sm4); 1981 return FALSE; 1982 } 1983 1984 link_key_type += BTM_LTK_DERIVED_LKEY_OFFSET; 1985 1986 UINT8 *p; 1987 BT_OCTET16 notif_link_key; 1988 p = notif_link_key; 1989 ARRAY16_TO_STREAM(p, link_key); 1990 1991 btm_sec_link_key_notification (bda_for_lk, notif_link_key, link_key_type); 1992 1993 SMP_TRACE_EVENT ("%s is completed", __func__); 1994 } 1995 1996 return ret; 1997} 1998 1999/******************************************************************************* 2000** 2001** Function smp_calculate_long_term_key_from_link_key 2002** 2003** Description The function calculates and saves SC LTK derived from BR/EDR 2004** link key. 2005** 2006** Returns FALSE if out of resources, TRUE in other cases. 2007** 2008*******************************************************************************/ 2009BOOLEAN smp_calculate_long_term_key_from_link_key(tSMP_CB *p_cb) 2010{ 2011 BOOLEAN ret = TRUE; 2012 tBTM_SEC_DEV_REC *p_dev_rec; 2013 UINT8 rev_link_key[16]; 2014 2015 SMP_TRACE_DEBUG ("%s", __FUNCTION__); 2016 2017 if ((p_dev_rec = btm_find_dev (p_cb->pairing_bda)) == NULL) 2018 { 2019 SMP_TRACE_ERROR("%s failed to find Security Record",__FUNCTION__); 2020 return FALSE; 2021 } 2022 2023 UINT8 br_link_key_type; 2024 if ((br_link_key_type = BTM_SecGetDeviceLinkKeyType (p_cb->pairing_bda)) 2025 == BTM_LKEY_TYPE_IGNORE) 2026 { 2027 SMP_TRACE_ERROR("%s failed to retrieve BR link type",__FUNCTION__); 2028 return FALSE; 2029 } 2030 2031 if ((br_link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256) && 2032 (br_link_key_type != BTM_LKEY_TYPE_UNAUTH_COMB_P_256)) 2033 { 2034 SMP_TRACE_ERROR("%s LE SC LTK can't be derived from LK %d", 2035 __FUNCTION__, br_link_key_type); 2036 return FALSE; 2037 } 2038 2039 UINT8 *p1; 2040 UINT8 *p2; 2041 p1 = rev_link_key; 2042 p2 = p_dev_rec->link_key; 2043 REVERSE_ARRAY_TO_STREAM(p1, p2, 16); 2044 2045 BT_OCTET16 intermediate_long_term_key; 2046 /* "tmp2" obtained from the spec */ 2047 ret = smp_calculate_h6(rev_link_key, (UINT8 *) "2pmt" /* reversed "tmp2" */, 2048 intermediate_long_term_key); 2049 2050 if (!ret) 2051 { 2052 SMP_TRACE_ERROR("%s failed to derive intermediate_long_term_key",__FUNCTION__); 2053 return ret; 2054 } 2055 2056 /* "brle" obtained from the spec */ 2057 ret = smp_calculate_h6(intermediate_long_term_key, (UINT8 *) "elrb" /* reversed "brle" */, 2058 p_cb->ltk); 2059 2060 if (!ret) 2061 { 2062 SMP_TRACE_ERROR("%s failed",__FUNCTION__); 2063 } 2064 else 2065 { 2066 p_cb->sec_level = (br_link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) 2067 ? SMP_SEC_AUTHENTICATED : SMP_SEC_UNAUTHENTICATE; 2068 SMP_TRACE_EVENT ("%s is completed",__FUNCTION__); 2069 } 2070 2071 return ret; 2072} 2073 2074/******************************************************************************* 2075** 2076** Function smp_calculate_h6 2077** 2078** Description The function calculates 2079** C = h6(W, KeyID) = AES-CMAC (KeyID) 2080** W 2081** where 2082** input: W is 128 bit, 2083** KeyId is 32 bit, 2084** output: C is 128 bit. 2085** 2086** Returns FALSE if out of resources, TRUE in other cases. 2087** 2088** Note The LSB is the first octet, the MSB is the last octet of 2089** the AES-CMAC input/output stream. 2090** 2091*******************************************************************************/ 2092BOOLEAN smp_calculate_h6(UINT8 *w, UINT8 *keyid, UINT8 *c) 2093{ 2094#if SMP_DEBUG == TRUE 2095 UINT8 *p_print = NULL; 2096#endif 2097 2098 SMP_TRACE_DEBUG ("%s",__FUNCTION__); 2099#if SMP_DEBUG == TRUE 2100 p_print = w; 2101 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"W", BT_OCTET16_LEN); 2102 p_print = keyid; 2103 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"keyID", 4); 2104#endif 2105 2106 UINT8 *p = NULL; 2107 UINT8 key[BT_OCTET16_LEN]; 2108 2109 p = key; 2110 ARRAY_TO_STREAM(p, w, BT_OCTET16_LEN); 2111 2112#if SMP_DEBUG == TRUE 2113 p_print = key; 2114 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"K", BT_OCTET16_LEN); 2115#endif 2116 2117 UINT8 msg_len = 4 /* KeyID size */; 2118 UINT8 msg[4]; 2119 2120 p = msg; 2121 ARRAY_TO_STREAM(p, keyid, 4); 2122 2123#if SMP_DEBUG == TRUE 2124 p_print = msg; 2125 smp_debug_print_nbyte_little_endian (p_print,(const UINT8 *) "M", msg_len); 2126#endif 2127 2128 BOOLEAN ret = TRUE; 2129 UINT8 cmac[BT_OCTET16_LEN]; 2130 if (!aes_cipher_msg_auth_code(key, msg, msg_len, BT_OCTET16_LEN, cmac)) 2131 { 2132 SMP_TRACE_ERROR("%s failed",__FUNCTION__); 2133 ret = FALSE; 2134 } 2135 2136#if SMP_DEBUG == TRUE 2137 p_print = cmac; 2138 smp_debug_print_nbyte_little_endian (p_print, (const UINT8 *)"AES-CMAC", BT_OCTET16_LEN); 2139#endif 2140 2141 p = c; 2142 ARRAY_TO_STREAM(p, cmac, BT_OCTET16_LEN); 2143 return ret; 2144} 2145 2146/******************************************************************************* 2147** 2148** Function smp_start_nonce_generation 2149** 2150** Description This function starts nonce generation. 2151** 2152** Returns void 2153** 2154*******************************************************************************/ 2155void smp_start_nonce_generation(tSMP_CB *p_cb) 2156{ 2157 SMP_TRACE_DEBUG("%s", __FUNCTION__); 2158 p_cb->rand_enc_proc_state = SMP_GEN_NONCE_0_7; 2159 if (!btsnd_hcic_ble_rand((void *)smp_rand_back)) 2160 smp_rand_back(NULL); 2161} 2162 2163/******************************************************************************* 2164** 2165** Function smp_finish_nonce_generation 2166** 2167** Description This function finishes nonce generation. 2168** 2169** Returns void 2170** 2171*******************************************************************************/ 2172void smp_finish_nonce_generation(tSMP_CB *p_cb) 2173{ 2174 SMP_TRACE_DEBUG("%s", __FUNCTION__); 2175 p_cb->rand_enc_proc_state = SMP_GEN_NONCE_8_15; 2176 if (!btsnd_hcic_ble_rand((void *)smp_rand_back)) 2177 smp_rand_back(NULL); 2178} 2179 2180/******************************************************************************* 2181** 2182** Function smp_process_new_nonce 2183** 2184** Description This function notifies SM that it has new nonce. 2185** 2186** Returns void 2187** 2188*******************************************************************************/ 2189void smp_process_new_nonce(tSMP_CB *p_cb) 2190{ 2191 SMP_TRACE_DEBUG ("%s round %d", __FUNCTION__, p_cb->round); 2192 smp_sm_event(p_cb, SMP_HAVE_LOC_NONCE_EVT, NULL); 2193} 2194 2195/******************************************************************************* 2196** 2197** Function smp_rand_back 2198** 2199** Description This function is to process the rand command finished, 2200** process the random/encrypted number for further action. 2201** 2202** Returns void 2203** 2204*******************************************************************************/ 2205static void smp_rand_back(tBTM_RAND_ENC *p) 2206{ 2207 tSMP_CB *p_cb = &smp_cb; 2208 UINT8 *pp = p->param_buf; 2209 UINT8 failure = SMP_PAIR_FAIL_UNKNOWN; 2210 UINT8 state = p_cb->rand_enc_proc_state & ~0x80; 2211 2212 SMP_TRACE_DEBUG ("%s state=0x%x", __FUNCTION__, state); 2213 if (p && p->status == HCI_SUCCESS) 2214 { 2215 switch (state) 2216 { 2217 case SMP_GEN_SRAND_MRAND: 2218 memcpy((void *)p_cb->rand, p->param_buf, p->param_len); 2219 smp_generate_rand_cont(p_cb, NULL); 2220 break; 2221 2222 case SMP_GEN_SRAND_MRAND_CONT: 2223 memcpy((void *)&p_cb->rand[8], p->param_buf, p->param_len); 2224 smp_generate_confirm(p_cb, NULL); 2225 break; 2226 2227 case SMP_GEN_DIV_LTK: 2228 STREAM_TO_UINT16(p_cb->div, pp); 2229 smp_generate_ltk_cont(p_cb, NULL); 2230 break; 2231 2232 case SMP_GEN_DIV_CSRK: 2233 STREAM_TO_UINT16(p_cb->div, pp); 2234 smp_compute_csrk(p_cb, NULL); 2235 break; 2236 2237 case SMP_GEN_TK: 2238 smp_proc_passkey(p_cb, p); 2239 break; 2240 2241 case SMP_GEN_RAND_V: 2242 memcpy(p_cb->enc_rand, p->param_buf, BT_OCTET8_LEN); 2243 smp_generate_y(p_cb, NULL); 2244 break; 2245 2246 case SMP_GENERATE_PRIVATE_KEY_0_7: 2247 case SMP_GENERATE_PRIVATE_KEY_8_15: 2248 case SMP_GENERATE_PRIVATE_KEY_16_23: 2249 case SMP_GENERATE_PRIVATE_KEY_24_31: 2250 smp_continue_private_key_creation(p_cb, p); 2251 break; 2252 2253 case SMP_GEN_NONCE_0_7: 2254 memcpy((void *)p_cb->rand, p->param_buf, p->param_len); 2255 smp_finish_nonce_generation(p_cb); 2256 break; 2257 2258 case SMP_GEN_NONCE_8_15: 2259 memcpy((void *)&p_cb->rand[8], p->param_buf, p->param_len); 2260 smp_process_new_nonce(p_cb); 2261 break; 2262 } 2263 2264 return; 2265 } 2266 2267 SMP_TRACE_ERROR("%s key generation failed: (%d)", __FUNCTION__, p_cb->rand_enc_proc_state); 2268 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &failure); 2269} 2270 2271#endif 2272 2273