| sm.c (5b4dd5975845d06094c5245f38814b7f6eab087b) | sm.c (899e6e028aa68dd07d5aca8a384553a863d07499) |
|---|---|
| 1/* 2 * Copyright (C) 2014 BlueKitchen GmbH 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright --- 35 unchanged lines hidden (view full) --- 44#include "ble/core.h" 45#include "ble/sm.h" 46#include "bluetooth_company_id.h" 47#include "btstack_crypto.h" 48#include "btstack_debug.h" 49#include "btstack_event.h" 50#include "btstack_linked_list.h" 51#include "btstack_memory.h" | 1/* 2 * Copyright (C) 2014 BlueKitchen GmbH 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright --- 35 unchanged lines hidden (view full) --- 44#include "ble/core.h" 45#include "ble/sm.h" 46#include "bluetooth_company_id.h" 47#include "btstack_crypto.h" 48#include "btstack_debug.h" 49#include "btstack_event.h" 50#include "btstack_linked_list.h" 51#include "btstack_memory.h" |
| 52#include "btstack_tlv.h" |
|
| 52#include "gap.h" 53#include "hci.h" 54#include "hci_dump.h" 55#include "l2cap.h" 56 57#if !defined(ENABLE_LE_PERIPHERAL) && !defined(ENABLE_LE_CENTRAL) 58#error "LE Security Manager used, but neither ENABLE_LE_PERIPHERAL nor ENABLE_LE_CENTRAL defined. Please add at least one to btstack_config.h." 59#endif --- 16 unchanged lines hidden (view full) --- 76#define IS_RESPONDER(role) (1 || role) 77#endif 78#endif 79 80#if defined(ENABLE_LE_SIGNED_WRITE) || defined(ENABLE_LE_SECURE_CONNECTIONS) 81#define USE_CMAC_ENGINE 82#endif 83 | 53#include "gap.h" 54#include "hci.h" 55#include "hci_dump.h" 56#include "l2cap.h" 57 58#if !defined(ENABLE_LE_PERIPHERAL) && !defined(ENABLE_LE_CENTRAL) 59#error "LE Security Manager used, but neither ENABLE_LE_PERIPHERAL nor ENABLE_LE_CENTRAL defined. Please add at least one to btstack_config.h." 60#endif --- 16 unchanged lines hidden (view full) --- 77#define IS_RESPONDER(role) (1 || role) 78#endif 79#endif 80 81#if defined(ENABLE_LE_SIGNED_WRITE) || defined(ENABLE_LE_SECURE_CONNECTIONS) 82#define USE_CMAC_ENGINE 83#endif 84 |
| 85#define BTSTACK_TAG32(A,B,C,D) ((A << 24) | (B << 16) | (C << 8) | D) 86 |
|
| 84// 85// SM internal types and globals 86// 87 88typedef enum { 89 DKG_W4_WORKING, 90 DKG_CALC_IRK, 91 DKG_CALC_DHK, --- 96 unchanged lines hidden (view full) --- 188static uint8_t sm_reconstruct_ltk_without_le_device_db_entry; 189 190#ifdef ENABLE_LE_SECURE_CONNECTIONS 191static uint8_t sm_sc_oob_random[16]; 192static void (*sm_sc_oob_callback)(const uint8_t * confirm_value, const uint8_t * random_value); 193static sm_sc_oob_state_t sm_sc_oob_state; 194#endif 195 | 87// 88// SM internal types and globals 89// 90 91typedef enum { 92 DKG_W4_WORKING, 93 DKG_CALC_IRK, 94 DKG_CALC_DHK, --- 96 unchanged lines hidden (view full) --- 191static uint8_t sm_reconstruct_ltk_without_le_device_db_entry; 192 193#ifdef ENABLE_LE_SECURE_CONNECTIONS 194static uint8_t sm_sc_oob_random[16]; 195static void (*sm_sc_oob_callback)(const uint8_t * confirm_value, const uint8_t * random_value); 196static sm_sc_oob_state_t sm_sc_oob_state; 197#endif 198 |
| 199 200static uint8_t sm_persistent_keys_random_active; 201static const btstack_tlv_t * sm_tlv_impl; 202static void * sm_tlv_context; 203 |
|
| 196// Security Manager Master Keys, please use sm_set_er(er) and sm_set_ir(ir) with your own 128 bit random values 197static sm_key_t sm_persistent_er; 198static sm_key_t sm_persistent_ir; 199 200// derived from sm_persistent_ir 201static sm_key_t sm_persistent_dhk; 202static sm_key_t sm_persistent_irk; 203static derived_key_generation_t dkg_state; --- 290 unchanged lines hidden (view full) --- 494// and it is reduced to 7 octets (56 bits), then the resulting key is 0x0000000000000000003456789ABCDEF0."" 495static void sm_truncate_key(sm_key_t key, int max_encryption_size){ 496 int i; 497 for (i = max_encryption_size ; i < 16 ; i++){ 498 key[15-i] = 0; 499 } 500} 501 | 204// Security Manager Master Keys, please use sm_set_er(er) and sm_set_ir(ir) with your own 128 bit random values 205static sm_key_t sm_persistent_er; 206static sm_key_t sm_persistent_ir; 207 208// derived from sm_persistent_ir 209static sm_key_t sm_persistent_dhk; 210static sm_key_t sm_persistent_irk; 211static derived_key_generation_t dkg_state; --- 290 unchanged lines hidden (view full) --- 502// and it is reduced to 7 octets (56 bits), then the resulting key is 0x0000000000000000003456789ABCDEF0."" 503static void sm_truncate_key(sm_key_t key, int max_encryption_size){ 504 int i; 505 for (i = max_encryption_size ; i < 16 ; i++){ 506 key[15-i] = 0; 507 } 508} 509 |
| 510// ER / IR checks 511static int sm_er_ir_set_default(void){ 512 int i; 513 for (i=0;i<16;i++){ 514 sm_persistent_er[i] = 0x30 + i; 515 sm_persistent_ir[i] = 0x90 + i; 516 } 517} 518 519static int sm_er_is_default(void){ 520 int i; 521 for (i=0;i<16;i++){ 522 if (sm_persistent_er[i] != (0x30+i)) return 0; 523 } 524 return 1; 525} 526 527static int sm_ir_is_default(void){ 528 int i; 529 for (i=0;i<16;i++){ 530 if (sm_persistent_ir[i] != (0x90+i)) return 0; 531 } 532 return 1; 533} 534 |
|
| 502// SMP Timeout implementation 503 504// Upon transmission of the Pairing Request command or reception of the Pairing Request command, 505// the Security Manager Timer shall be reset and started. 506// 507// The Security Manager Timer shall be reset when an L2CAP SMP command is queued for transmission. 508// 509// If the Security Manager Timer reaches 30 seconds, the procedure shall be considered to have failed, --- 29 unchanged lines hidden (view full) --- 539// end of sm timeout 540 541// GAP Random Address updates 542static gap_random_address_type_t gap_random_adress_type; 543static btstack_timer_source_t gap_random_address_update_timer; 544static uint32_t gap_random_adress_update_period; 545 546static void gap_random_address_trigger(void){ | 535// SMP Timeout implementation 536 537// Upon transmission of the Pairing Request command or reception of the Pairing Request command, 538// the Security Manager Timer shall be reset and started. 539// 540// The Security Manager Timer shall be reset when an L2CAP SMP command is queued for transmission. 541// 542// If the Security Manager Timer reaches 30 seconds, the procedure shall be considered to have failed, --- 29 unchanged lines hidden (view full) --- 572// end of sm timeout 573 574// GAP Random Address updates 575static gap_random_address_type_t gap_random_adress_type; 576static btstack_timer_source_t gap_random_address_update_timer; 577static uint32_t gap_random_adress_update_period; 578 579static void gap_random_address_trigger(void){ |
| 547 log_info("gap_random_address_trigger"); | 580 log_info("gap_random_address_trigger, state %u", rau_state); |
| 548 if (rau_state != RAU_IDLE) return; 549 rau_state = RAU_GET_RANDOM; 550 sm_run(); 551} 552 553static void gap_random_address_update_handler(btstack_timer_source_t * timer){ 554 UNUSED(timer); 555 --- 1222 unchanged lines hidden (view full) --- 1778 btstack_linked_list_iterator_t it; 1779 1780 // assert that stack has already bootet 1781 if (hci_get_state() != HCI_STATE_WORKING) return; 1782 1783 // assert that we can send at least commands 1784 if (!hci_can_send_command_packet_now()) return; 1785 | 581 if (rau_state != RAU_IDLE) return; 582 rau_state = RAU_GET_RANDOM; 583 sm_run(); 584} 585 586static void gap_random_address_update_handler(btstack_timer_source_t * timer){ 587 UNUSED(timer); 588 --- 1222 unchanged lines hidden (view full) --- 1811 btstack_linked_list_iterator_t it; 1812 1813 // assert that stack has already bootet 1814 if (hci_get_state() != HCI_STATE_WORKING) return; 1815 1816 // assert that we can send at least commands 1817 if (!hci_can_send_command_packet_now()) return; 1818 |
| 1819 // pause until IR/ER are ready 1820 if (sm_persistent_keys_random_active) return; 1821 |
|
| 1786 // 1787 // non-connection related behaviour 1788 // 1789 1790 // distributed key generation 1791 switch (dkg_state){ 1792 case DKG_CALC_IRK: 1793 // already busy? --- 967 unchanged lines hidden (view full) --- 2761 sm_run(); 2762} 2763 2764static void sm_handle_encryption_result_dkg_dhk(void *arg){ 2765 UNUSED(arg); 2766 sm_aes128_state = SM_AES128_IDLE; 2767 log_info_key("dhk", sm_persistent_dhk); 2768 dkg_state = DKG_READY; | 1822 // 1823 // non-connection related behaviour 1824 // 1825 1826 // distributed key generation 1827 switch (dkg_state){ 1828 case DKG_CALC_IRK: 1829 // already busy? --- 967 unchanged lines hidden (view full) --- 2797 sm_run(); 2798} 2799 2800static void sm_handle_encryption_result_dkg_dhk(void *arg){ 2801 UNUSED(arg); 2802 sm_aes128_state = SM_AES128_IDLE; 2803 log_info_key("dhk", sm_persistent_dhk); 2804 dkg_state = DKG_READY; |
| 2769 // DKG calculation complete => SM Init Finished | |
| 2770 sm_run(); 2771} 2772 2773static void sm_handle_encryption_result_rau(void *arg){ 2774 UNUSED(arg); 2775 sm_aes128_state = SM_AES128_IDLE; 2776 memcpy(&sm_random_address[3], &sm_aes128_ciphertext[13], 3); 2777 rau_state = RAU_SET_ADDRESS; --- 94 unchanged lines hidden (view full) --- 2872 sm_connection_t * connection = (sm_connection_t*) arg; 2873 reverse_64(sm_random_data, setup->sm_local_rand); 2874 // no db for encryption size hack: encryption size is stored in lowest nibble of setup->sm_local_rand 2875 setup->sm_local_rand[7] = (setup->sm_local_rand[7] & 0xf0) + (connection->sm_actual_encryption_key_size - 1); 2876 // no db for authenticated flag hack: store flag in bit 4 of LSB 2877 setup->sm_local_rand[7] = (setup->sm_local_rand[7] & 0xef) + (connection->sm_connection_authenticated << 4); 2878 btstack_crypto_random_generate(&sm_crypto_random_request, sm_random_data, 2, &sm_handle_random_result_ph3_div, connection); 2879} | 2805 sm_run(); 2806} 2807 2808static void sm_handle_encryption_result_rau(void *arg){ 2809 UNUSED(arg); 2810 sm_aes128_state = SM_AES128_IDLE; 2811 memcpy(&sm_random_address[3], &sm_aes128_ciphertext[13], 3); 2812 rau_state = RAU_SET_ADDRESS; --- 94 unchanged lines hidden (view full) --- 2907 sm_connection_t * connection = (sm_connection_t*) arg; 2908 reverse_64(sm_random_data, setup->sm_local_rand); 2909 // no db for encryption size hack: encryption size is stored in lowest nibble of setup->sm_local_rand 2910 setup->sm_local_rand[7] = (setup->sm_local_rand[7] & 0xf0) + (connection->sm_actual_encryption_key_size - 1); 2911 // no db for authenticated flag hack: store flag in bit 4 of LSB 2912 setup->sm_local_rand[7] = (setup->sm_local_rand[7] & 0xef) + (connection->sm_connection_authenticated << 4); 2913 btstack_crypto_random_generate(&sm_crypto_random_request, sm_random_data, 2, &sm_handle_random_result_ph3_div, connection); 2914} |
| 2915static void sm_validate_er_ir(void){ 2916 // warn about default ER/IR 2917 int warning = 0; 2918 if (sm_ir_is_default()){ 2919 warning = 1; 2920 log_error("Persistent IR not set with sm_set_ir. Use of private addresses will cause pairing issues"); 2921 } 2922 if (sm_er_is_default()){ 2923 warning = 1; 2924 log_error("Persistent ER not set with sm_set_er. Legacy Pairing LTK is not secure"); 2925 } 2926 log_error("Please configure btstack_tlv to let BTstack setup ER and IR keys"); 2927} |
|
| 2880 | 2928 |
| 2929static void sm_handle_random_result_ir(void *arg){ 2930 sm_persistent_keys_random_active = 0; 2931 if (arg){ 2932 // key generated, store in tlv 2933 int status = sm_tlv_impl->store_tag(sm_tlv_context, BTSTACK_TAG32('S','M','I','R'), sm_persistent_ir, 16); 2934 log_info("Generated IR key. Store in TLV status: %d", status); 2935 } 2936 log_info_key("IR", sm_persistent_ir); 2937 sm_run(); 2938} 2939 2940static void sm_handle_random_result_er(void *arg){ 2941 sm_persistent_keys_random_active = 0; 2942 if (arg){ 2943 // key generated, store in tlv 2944 int status = sm_tlv_impl->store_tag(sm_tlv_context, BTSTACK_TAG32('S','M','E','R'), sm_persistent_er, 16); 2945 log_info("Generated ER key. Store in TLV status: %d", status); 2946 } 2947 log_info_key("ER", sm_persistent_er); 2948 2949 // try load ir 2950 int key_size = sm_tlv_impl->get_tag(sm_tlv_context, BTSTACK_TAG32('S','M','I','R'), sm_persistent_ir, 16); 2951 if (key_size == 16){ 2952 // ok, let's continue 2953 log_info("IR from TLV"); 2954 sm_handle_random_result_ir( NULL ); 2955 } else { 2956 // invalid, generate new random one 2957 sm_persistent_keys_random_active = 1; 2958 btstack_crypto_random_generate(&sm_crypto_random_request, sm_persistent_ir, 16, &sm_handle_random_result_ir, &sm_persistent_ir); 2959 } 2960} 2961 |
|
| 2881static void sm_event_packet_handler (uint8_t packet_type, uint16_t channel, uint8_t *packet, uint16_t size){ 2882 2883 UNUSED(channel); // ok: there is no channel 2884 UNUSED(size); // ok: fixed format HCI events 2885 2886 sm_connection_t * sm_conn; 2887 hci_con_handle_t con_handle; 2888 2889 switch (packet_type) { 2890 2891 case HCI_EVENT_PACKET: 2892 switch (hci_event_packet_get_type(packet)) { 2893 2894 case BTSTACK_EVENT_STATE: 2895 // bt stack activated, get started 2896 if (btstack_event_state_get_state(packet) == HCI_STATE_WORKING){ 2897 log_info("HCI Working!"); | 2962static void sm_event_packet_handler (uint8_t packet_type, uint16_t channel, uint8_t *packet, uint16_t size){ 2963 2964 UNUSED(channel); // ok: there is no channel 2965 UNUSED(size); // ok: fixed format HCI events 2966 2967 sm_connection_t * sm_conn; 2968 hci_con_handle_t con_handle; 2969 2970 switch (packet_type) { 2971 2972 case HCI_EVENT_PACKET: 2973 switch (hci_event_packet_get_type(packet)) { 2974 2975 case BTSTACK_EVENT_STATE: 2976 // bt stack activated, get started 2977 if (btstack_event_state_get_state(packet) == HCI_STATE_WORKING){ 2978 log_info("HCI Working!"); |
| 2979 2980 // setup IR/ER with TLV 2981 btstack_tlv_get_instance(&sm_tlv_impl, &sm_tlv_context); 2982 if (sm_tlv_impl){ 2983 int key_size = sm_tlv_impl->get_tag(sm_tlv_context, BTSTACK_TAG32('S','M','E','R'), sm_persistent_er, 16); 2984 if (key_size == 16){ 2985 // ok, let's continue 2986 log_info("ER from TLV"); 2987 sm_handle_random_result_er( NULL ); 2988 } else { 2989 // invalid, generate random one 2990 sm_persistent_keys_random_active = 1; 2991 btstack_crypto_random_generate(&sm_crypto_random_request, sm_persistent_er, 16, &sm_handle_random_result_er, &sm_persistent_er); 2992 } 2993 } else { 2994 sm_validate_er_ir(); 2995 } |
|
| 2898 } 2899 break; 2900 2901 case HCI_EVENT_LE_META: 2902 switch (packet[2]) { 2903 case HCI_SUBEVENT_LE_CONNECTION_COMPLETE: 2904 2905 log_info("sm: connected"); --- 842 unchanged lines hidden (view full) --- 3748 3749#ifdef ENABLE_TESTING_SUPPORT 3750void sm_test_set_pairing_failure(int reason){ 3751 test_pairing_failure = reason; 3752} 3753#endif 3754 3755void sm_init(void){ | 2996 } 2997 break; 2998 2999 case HCI_EVENT_LE_META: 3000 switch (packet[2]) { 3001 case HCI_SUBEVENT_LE_CONNECTION_COMPLETE: 3002 3003 log_info("sm: connected"); --- 842 unchanged lines hidden (view full) --- 3846 3847#ifdef ENABLE_TESTING_SUPPORT 3848void sm_test_set_pairing_failure(int reason){ 3849 test_pairing_failure = reason; 3850} 3851#endif 3852 3853void sm_init(void){ |
| 3756 // set some (BTstack default) ER and IR 3757 int i; 3758 sm_key_t er; 3759 sm_key_t ir; 3760 for (i=0;i<16;i++){ 3761 er[i] = 0x30 + i; 3762 ir[i] = 0x90 + i; 3763 } 3764 sm_set_er(er); 3765 sm_set_ir(ir); | 3854 // set default ER and IR values (should be unique - set by app or sm later using TLV) 3855 sm_er_ir_set_default(); 3856 |
| 3766 // defaults 3767 sm_accepted_stk_generation_methods = SM_STK_GENERATION_METHOD_JUST_WORKS 3768 | SM_STK_GENERATION_METHOD_OOB 3769 | SM_STK_GENERATION_METHOD_PASSKEY 3770 | SM_STK_GENERATION_METHOD_NUMERIC_COMPARISON; 3771 3772 sm_max_encryption_key_size = 16; 3773 sm_min_encryption_key_size = 7; --- 368 unchanged lines hidden --- | 3857 // defaults 3858 sm_accepted_stk_generation_methods = SM_STK_GENERATION_METHOD_JUST_WORKS 3859 | SM_STK_GENERATION_METHOD_OOB 3860 | SM_STK_GENERATION_METHOD_PASSKEY 3861 | SM_STK_GENERATION_METHOD_NUMERIC_COMPARISON; 3862 3863 sm_max_encryption_key_size = 16; 3864 sm_min_encryption_key_size = 7; --- 368 unchanged lines hidden --- |