1 /******************************************************************************
2 *
3 * Copyright 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * This file contains security manager protocol utility functions
22 *
23 ******************************************************************************/
24 #define LOG_TAG "smp"
25
26 #include <base/functional/bind.h>
27 #include <base/functional/callback.h>
28 #include <bluetooth/log.h>
29
30 #include <algorithm>
31 #include <cstdint>
32 #include <cstring>
33
34 #include "crypto_toolbox/crypto_toolbox.h"
35 #include "hci/controller_interface.h"
36 #include "main/shim/entry.h"
37 #include "p_256_ecc_pp.h"
38 #include "smp_int.h"
39 #include "stack/btm/btm_ble_sec.h"
40 #include "stack/btm/btm_dev.h"
41 #include "stack/btm/btm_sec.h"
42 #include "stack/include/acl_api.h"
43 #include "stack/include/bt_octets.h"
44 #include "stack/include/bt_types.h"
45 #include "stack/include/btm_ble_api.h"
46 #include "stack/include/btm_ble_sec_api.h"
47 #include "stack/include/main_thread.h"
48 #include "types/raw_address.h"
49
50 using bluetooth::common::BindOnce;
51 using bluetooth::common::OnceCallback;
52 using crypto_toolbox::aes_128;
53 using namespace bluetooth;
54
55 #ifndef SMP_MAX_ENC_REPEAT
56 #define SMP_MAX_ENC_REPEAT 3
57 #endif
58
59 static void smp_process_stk(tSMP_CB* p_cb, Octet16* p);
60 static Octet16 smp_calculate_legacy_short_term_key(tSMP_CB* p_cb);
61 static void smp_process_private_key(tSMP_CB* p_cb);
62
63 static void send_ble_rand(OnceCallback<void(uint64_t)> callback);
64
65 #define SMP_PASSKEY_MASK 0x000fffff
66
67 // If there is data saved here, then use its info instead
68 // This needs to be cleared on a successfult pairing using the oob data
69 static tSMP_LOC_OOB_DATA saved_local_oob_data = {};
70
smp_save_local_oob_data(tSMP_CB * p_cb)71 void smp_save_local_oob_data(tSMP_CB* p_cb) {
72 saved_local_oob_data = p_cb->sc_oob_data.loc_oob_data;
73 }
74
smp_clear_local_oob_data()75 void smp_clear_local_oob_data() { saved_local_oob_data = {}; }
76
is_oob_data_empty(tSMP_LOC_OOB_DATA * data)77 static bool is_oob_data_empty(tSMP_LOC_OOB_DATA* data) {
78 tSMP_LOC_OOB_DATA empty_data = {};
79 return memcmp(data, &empty_data, sizeof(tSMP_LOC_OOB_DATA)) == 0;
80 }
81
smp_has_local_oob_data()82 bool smp_has_local_oob_data() { return !is_oob_data_empty(&saved_local_oob_data); }
83
smp_debug_print_nbyte_little_endian(uint8_t *,const char *,uint8_t)84 static void smp_debug_print_nbyte_little_endian(uint8_t* /* p */, const char* /* key_name */,
85 uint8_t /* len */) {}
86
smp_debug_print_nbyte_little_endian(const Octet16 & p,const char * key_name,uint8_t len)87 static void smp_debug_print_nbyte_little_endian(const Octet16& p, const char* key_name,
88 uint8_t len) {
89 smp_debug_print_nbyte_little_endian(const_cast<uint8_t*>(p.data()), key_name, len);
90 }
91
92 /** This function is called to process a passkey. */
smp_proc_passkey(tSMP_CB * p_cb,uint64_t rand)93 static void smp_proc_passkey(tSMP_CB* p_cb, uint64_t rand) {
94 uint8_t* tt = p_cb->tk.data();
95 uint32_t passkey = static_cast<uint32_t>(rand & SMP_PASSKEY_MASK);
96
97 log::verbose("addr:{}", p_cb->pairing_bda);
98
99 /* truncate by maximum value */
100 while (passkey > BTM_MAX_PASSKEY_VAL) {
101 passkey >>= 1;
102 }
103
104 /* save the TK */
105 p_cb->tk = {0};
106 UINT32_TO_STREAM(tt, passkey);
107
108 if (p_cb->p_callback) {
109 tSMP_EVT_DATA smp_evt_data = {
110 .passkey = passkey,
111 };
112 (*p_cb->p_callback)(SMP_PASSKEY_NOTIF_EVT, p_cb->pairing_bda, &smp_evt_data);
113 }
114
115 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_PASSKEY_DISP) {
116 tSMP_INT_DATA smp_int_data;
117 smp_int_data.passkey = passkey;
118 smp_sm_event(&smp_cb, SMP_KEY_READY_EVT, &smp_int_data);
119 } else {
120 tSMP_KEY key;
121 key.key_type = SMP_KEY_TYPE_TK;
122 key.p_data = p_cb->tk.data();
123 tSMP_INT_DATA smp_int_data;
124 smp_int_data.key = key;
125 smp_sm_event(p_cb, SMP_KEY_READY_EVT, &smp_int_data);
126 }
127 }
128
129 /*******************************************************************************
130 *
131 * Function smp_generate_passkey
132 *
133 * Description This function is called to generate passkey.
134 *
135 * Returns void
136 *
137 ******************************************************************************/
smp_generate_passkey(tSMP_CB * p_cb,tSMP_INT_DATA *)138 void smp_generate_passkey(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
139 log::verbose("addr:{}", p_cb->pairing_bda);
140 /* generate MRand or SRand */
141 send_ble_rand(BindOnce(&smp_proc_passkey, p_cb));
142 }
143
144 /*******************************************************************************
145 *
146 * Function smp_generate_stk
147 *
148 * Description This function is called to generate STK calculated by
149 * running AES with the TK value as key and a concatenation of
150 * the random values.
151 *
152 * Returns void
153 *
154 ******************************************************************************/
smp_generate_stk(tSMP_CB * p_cb,tSMP_INT_DATA *)155 void smp_generate_stk(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
156 Octet16 output;
157
158 log::verbose("addr:{}", p_cb->pairing_bda);
159
160 if (p_cb->sc_mode_required_by_peer) {
161 log::verbose("FOR LE SC LTK IS USED INSTEAD OF STK");
162 output = p_cb->ltk;
163 } else {
164 output = smp_calculate_legacy_short_term_key(p_cb);
165 }
166
167 smp_process_stk(p_cb, &output);
168 }
169
170 /**
171 * This function is called to calculate CSRK
172 */
smp_compute_csrk(uint16_t div,tSMP_CB * p_cb)173 static void smp_compute_csrk(uint16_t div, tSMP_CB* p_cb) {
174 Octet16 buffer{}; /* for (r || DIV) r=1*/
175 uint16_t r = 1;
176 uint8_t* p = buffer.data();
177
178 p_cb->div = div;
179
180 log::verbose("div=0x{:x}", p_cb->div);
181 const Octet16& er = BTM_GetDeviceEncRoot();
182 /* CSRK = d1(ER, DIV, 1) */
183 UINT16_TO_STREAM(p, p_cb->div);
184 UINT16_TO_STREAM(p, r);
185
186 p_cb->csrk = aes_128(er, buffer);
187 smp_send_csrk_info(p_cb, NULL);
188 }
189
190 /**
191 * This function is called to calculate CSRK, starting with DIV generation.
192 */
smp_generate_csrk(tSMP_CB * p_cb,tSMP_INT_DATA *)193 void smp_generate_csrk(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
194 bool div_status;
195
196 log::verbose("addr:{}", p_cb->pairing_bda);
197
198 div_status = btm_get_local_div(p_cb->pairing_bda, &p_cb->div);
199 if (div_status) {
200 smp_compute_csrk(p_cb->div, p_cb);
201 } else {
202 log::verbose("Generate DIV for CSRK");
203 send_ble_rand(BindOnce(
204 [](tSMP_CB* p_cb, uint64_t rand) {
205 uint16_t div = static_cast<uint16_t>(rand);
206 smp_compute_csrk(div, p_cb);
207 },
208 p_cb));
209 }
210 }
211
212 /*******************************************************************************
213 * Function smp_concatenate_local - LSB first
214 * add pairing command sent from local device into p1.
215 ******************************************************************************/
smp_concatenate_local(tSMP_CB * p_cb,uint8_t ** p_data,uint8_t op_code)216 static void smp_concatenate_local(tSMP_CB* p_cb, uint8_t** p_data, uint8_t op_code) {
217 uint8_t* p = *p_data;
218
219 log::verbose("addr:{}", p_cb->pairing_bda);
220 UINT8_TO_STREAM(p, op_code);
221 UINT8_TO_STREAM(p, p_cb->local_io_capability);
222 UINT8_TO_STREAM(p, p_cb->loc_oob_flag);
223 UINT8_TO_STREAM(p, p_cb->loc_auth_req);
224 UINT8_TO_STREAM(p, p_cb->loc_enc_size);
225 UINT8_TO_STREAM(p, p_cb->local_i_key);
226 UINT8_TO_STREAM(p, p_cb->local_r_key);
227
228 *p_data = p;
229 }
230
231 /*******************************************************************************
232 * Function smp_concatenate_peer - LSB first
233 * add pairing command received from peer device into p1.
234 ******************************************************************************/
smp_concatenate_peer(tSMP_CB * p_cb,uint8_t ** p_data,uint8_t op_code)235 static void smp_concatenate_peer(tSMP_CB* p_cb, uint8_t** p_data, uint8_t op_code) {
236 uint8_t* p = *p_data;
237
238 log::verbose("addr:{}", p_cb->pairing_bda);
239 UINT8_TO_STREAM(p, op_code);
240 UINT8_TO_STREAM(p, p_cb->peer_io_caps);
241 UINT8_TO_STREAM(p, p_cb->peer_oob_flag);
242 UINT8_TO_STREAM(p, p_cb->peer_auth_req);
243 UINT8_TO_STREAM(p, p_cb->peer_enc_size);
244 UINT8_TO_STREAM(p, p_cb->peer_i_key);
245 UINT8_TO_STREAM(p, p_cb->peer_r_key);
246
247 *p_data = p;
248 }
249
250 /** Generate Confirm/Compare Step1:
251 * p1 = (MSB) pres || preq || rat' || iat' (LSB)
252 * Fill in values LSB first thus
253 * p1 = iat' || rat' || preq || pres
254 */
smp_gen_p1_4_confirm(tSMP_CB * p_cb,tBLE_ADDR_TYPE remote_bd_addr_type)255 Octet16 smp_gen_p1_4_confirm(tSMP_CB* p_cb, tBLE_ADDR_TYPE remote_bd_addr_type) {
256 log::verbose("pairing_addr:{}, rmt_addr_type:{}", p_cb->pairing_bda,
257 AddressTypeText(remote_bd_addr_type));
258 Octet16 p1;
259 uint8_t* p = p1.data();
260 if (p_cb->role == HCI_ROLE_CENTRAL) {
261 /* iat': initiator's (local) address type */
262 UINT8_TO_STREAM(p, p_cb->addr_type);
263 /* rat': responder's (remote) address type */
264 UINT8_TO_STREAM(p, remote_bd_addr_type);
265 /* preq : Pairing Request (local) command */
266 smp_concatenate_local(p_cb, &p, SMP_OPCODE_PAIRING_REQ);
267 /* pres : Pairing Response (remote) command */
268 smp_concatenate_peer(p_cb, &p, SMP_OPCODE_PAIRING_RSP);
269 } else {
270 /* iat': initiator's (remote) address type */
271 UINT8_TO_STREAM(p, remote_bd_addr_type);
272 /* rat': responder's (local) address type */
273 UINT8_TO_STREAM(p, p_cb->addr_type);
274 /* preq : Pairing Request (remote) command */
275 smp_concatenate_peer(p_cb, &p, SMP_OPCODE_PAIRING_REQ);
276 /* pres : Pairing Response (local) command */
277 smp_concatenate_local(p_cb, &p, SMP_OPCODE_PAIRING_RSP);
278 }
279 smp_debug_print_nbyte_little_endian(p1, "p1 = iat' || rat' || preq || pres", 16);
280
281 return p1;
282 }
283
284 /** Generate Confirm/Compare Step2:
285 * p2 = (MSB) padding || ia || ra (LSB)
286 * Fill values LSB first and thus:
287 * p2 = ra || ia || padding
288 */
smp_gen_p2_4_confirm(tSMP_CB * p_cb,const RawAddress & remote_bda)289 Octet16 smp_gen_p2_4_confirm(tSMP_CB* p_cb, const RawAddress& remote_bda) {
290 log::verbose("addr:{}", p_cb->pairing_bda);
291 Octet16 p2{0};
292 uint8_t* p = p2.data();
293 /* 32-bit Padding */
294 memset(p, 0, OCTET16_LEN);
295 if (p_cb->role == HCI_ROLE_CENTRAL) {
296 /* ra : Responder's (remote) address */
297 BDADDR_TO_STREAM(p, remote_bda);
298 /* ia : Initiator's (local) address */
299 BDADDR_TO_STREAM(p, p_cb->local_bda);
300 } else {
301 /* ra : Responder's (local) address */
302 BDADDR_TO_STREAM(p, p_cb->local_bda);
303 /* ia : Initiator's (remote) address */
304 BDADDR_TO_STREAM(p, remote_bda);
305 }
306 smp_debug_print_nbyte_little_endian(p2, "p2 = ra || ia || padding", 16);
307 return p2;
308 }
309
310 /*******************************************************************************
311 *
312 * Function smp_calculate_confirm
313 *
314 * Description This function (c1) is called to calculate Confirm value.
315 *
316 * Returns tSMP_STATUS status of confirmation calculation
317 *
318 ******************************************************************************/
smp_calculate_confirm(tSMP_CB * p_cb,const Octet16 & rand,Octet16 * output)319 tSMP_STATUS smp_calculate_confirm(tSMP_CB* p_cb, const Octet16& rand, Octet16* output) {
320 log::verbose("addr:{}", p_cb->pairing_bda);
321 RawAddress remote_bda;
322 tBLE_ADDR_TYPE remote_bd_addr_type = BLE_ADDR_PUBLIC;
323 /* get remote connection specific bluetooth address */
324 if (!BTM_ReadRemoteConnectionAddr(p_cb->pairing_bda, remote_bda, &remote_bd_addr_type, true)) {
325 log::error("cannot obtain remote device address");
326 return SMP_PAIR_FAIL_UNKNOWN;
327 }
328 /* get local connection specific bluetooth address */
329 BTM_ReadConnectionAddr(p_cb->pairing_bda, p_cb->local_bda, &p_cb->addr_type, true);
330 /* generate p1 = pres || preq || rat' || iat' */
331 Octet16 p1 = smp_gen_p1_4_confirm(p_cb, remote_bd_addr_type);
332 /* p1' = rand XOR p1 */
333 smp_xor_128(&p1, rand);
334 smp_debug_print_nbyte_little_endian(p1, "p1' = p1 XOR r", 16);
335 /* calculate e1 = e(k, p1'), where k = TK */
336 smp_debug_print_nbyte_little_endian(p_cb->tk.data(), "TK", 16);
337 Octet16 e1 = aes_128(p_cb->tk, p1);
338 smp_debug_print_nbyte_little_endian(e1.data(), "e1 = e(k, p1')", 16);
339 /* generate p2 = padding || ia || ra */
340 Octet16 p2 = smp_gen_p2_4_confirm(p_cb, remote_bda);
341 /* calculate p2' = (p2 XOR e1) */
342 smp_xor_128(&p2, e1);
343 smp_debug_print_nbyte_little_endian(p2, "p2' = p2 XOR e1", 16);
344 /* calculate: c1 = e(k, p2') */
345 *output = aes_128(p_cb->tk, p2);
346 return SMP_SUCCESS;
347 }
348
349 /*******************************************************************************
350 *
351 * Function smp_generate_confirm
352 *
353 * Description This function is called when random number (MRand or SRand)
354 * is generated by the controller and the stack needs to
355 * calculate c1 value (MConfirm or SConfirm) for the first time
356 *
357 * Returns void
358 *
359 ******************************************************************************/
smp_generate_confirm(tSMP_CB * p_cb)360 static void smp_generate_confirm(tSMP_CB* p_cb) {
361 log::verbose("addr:{}", p_cb->pairing_bda);
362 smp_debug_print_nbyte_little_endian(p_cb->rand.data(), "local_rand", 16);
363 Octet16 output;
364 tSMP_STATUS status = smp_calculate_confirm(p_cb, p_cb->rand, &output);
365 if (status != SMP_SUCCESS) {
366 tSMP_INT_DATA smp_int_data;
367 smp_int_data.status = status;
368 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
369 return;
370 }
371 tSMP_KEY key;
372 p_cb->confirm = output;
373 smp_debug_print_nbyte_little_endian(p_cb->confirm, "Local Confirm generated", 16);
374 key.key_type = SMP_KEY_TYPE_CFM;
375 key.p_data = output.data();
376 tSMP_INT_DATA smp_int_data;
377 smp_int_data.key = key;
378 smp_sm_event(p_cb, SMP_KEY_READY_EVT, &smp_int_data);
379 }
380
381 /*******************************************************************************
382 *
383 * Function smp_generate_srand_mrand_confirm
384 *
385 * Description This function is called to start the second pairing phase by
386 * start generating random number.
387 *
388 *
389 * Returns void
390 *
391 ******************************************************************************/
smp_generate_srand_mrand_confirm(tSMP_CB * p_cb,tSMP_INT_DATA *)392 void smp_generate_srand_mrand_confirm(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
393 log::verbose("addr:{}", p_cb->pairing_bda);
394 /* generate MRand or SRand */
395 send_ble_rand(BindOnce(
396 [](tSMP_CB* p_cb, uint64_t rand) {
397 memcpy(p_cb->rand.data(), (uint8_t*)&rand, sizeof(uint64_t));
398 /* generate 64 MSB of MRand or SRand */
399 send_ble_rand(BindOnce(
400 [](tSMP_CB* p_cb, uint64_t rand) {
401 memcpy(p_cb->rand.data() + sizeof(uint64_t), (uint8_t*)&rand,
402 sizeof(uint64_t));
403 smp_generate_confirm(p_cb);
404 },
405 p_cb));
406 },
407 p_cb));
408 }
409
410 /*******************************************************************************
411 *
412 * Function smp_generate_compare
413 *
414 * Description This function is called when random number (MRand or SRand)
415 * is received from remote device and the c1 value (MConfirm
416 * or SConfirm) needs to be generated to authenticate remote
417 * device.
418 *
419 * Returns void
420 *
421 ******************************************************************************/
smp_generate_compare(tSMP_CB * p_cb,tSMP_INT_DATA *)422 void smp_generate_compare(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
423 log::verbose("addr:{}", p_cb->pairing_bda);
424 smp_debug_print_nbyte_little_endian(p_cb->rrand, "peer rand", 16);
425 Octet16 output;
426 tSMP_STATUS status = smp_calculate_confirm(p_cb, p_cb->rrand, &output);
427 if (status != SMP_SUCCESS) {
428 tSMP_INT_DATA smp_int_data;
429 smp_int_data.status = status;
430 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
431 return;
432 }
433 tSMP_KEY key;
434 smp_debug_print_nbyte_little_endian(output.data(), "Remote Confirm generated", 16);
435 key.key_type = SMP_KEY_TYPE_CMP;
436 key.p_data = output.data();
437 tSMP_INT_DATA smp_int_data;
438 smp_int_data.key = key;
439 smp_sm_event(p_cb, SMP_KEY_READY_EVT, &smp_int_data);
440 }
441
442 /** This function is called when STK is generated proceed to send the encrypt
443 * the link using STK. */
smp_process_stk(tSMP_CB * p_cb,Octet16 * p)444 static void smp_process_stk(tSMP_CB* p_cb, Octet16* p) {
445 tSMP_KEY key;
446
447 log::verbose("addr:{}", p_cb->pairing_bda);
448 smp_mask_enc_key(p_cb->loc_enc_size, p);
449
450 key.key_type = SMP_KEY_TYPE_STK;
451 key.p_data = p->data();
452
453 tSMP_INT_DATA smp_int_data;
454 smp_int_data.key = key;
455 smp_sm_event(p_cb, SMP_KEY_READY_EVT, &smp_int_data);
456 }
457
458 /** This function calculates EDIV = Y xor DIV */
smp_process_ediv(tSMP_CB * p_cb,Octet16 & p)459 static void smp_process_ediv(tSMP_CB* p_cb, Octet16& p) {
460 tSMP_KEY key;
461 uint8_t* pp = p.data();
462 uint16_t y;
463
464 log::verbose("addr:{}", p_cb->pairing_bda);
465 STREAM_TO_UINT16(y, pp);
466
467 /* EDIV = Y xor DIV */
468 p_cb->ediv = p_cb->div ^ y;
469 /* send LTK ready */
470 key.key_type = SMP_KEY_TYPE_LTK;
471 key.p_data = p.data();
472
473 tSMP_INT_DATA smp_int_data;
474 smp_int_data.key = key;
475 smp_sm_event(p_cb, SMP_KEY_READY_EVT, &smp_int_data);
476 }
477
478 /**
479 * This function is to proceed generate Y = E(DHK, Rand)
480 */
smp_generate_y(tSMP_CB * p_cb,uint64_t rand)481 static void smp_generate_y(tSMP_CB* p_cb, uint64_t rand) {
482 log::verbose("addr:{}", p_cb->pairing_bda);
483
484 const Octet16& dhk = BTM_GetDeviceDHK();
485
486 memcpy(p_cb->enc_rand, (uint8_t*)&rand, sizeof(uint64_t));
487 Octet16 rand16{};
488 memcpy(rand16.data(), (uint8_t*)&rand, sizeof(uint64_t));
489 Octet16 output = aes_128(dhk, rand16);
490 smp_process_ediv(p_cb, output);
491 }
492
493 /**
494 * Calculate LTK = d1(ER, DIV, 0)= e(ER, DIV)
495 */
smp_generate_ltk_cont(uint16_t div,tSMP_CB * p_cb)496 static void smp_generate_ltk_cont(uint16_t div, tSMP_CB* p_cb) {
497 p_cb->div = div;
498
499 log::verbose("addr:{}", p_cb->pairing_bda);
500 const Octet16& er = BTM_GetDeviceEncRoot();
501
502 /* LTK = d1(ER, DIV, 0)= e(ER, DIV)*/
503 Octet16 div16{};
504 div16.data()[0] = div & 0xff;
505 div16.data()[1] = div >> 8u;
506 Octet16 ltk = aes_128(er, div16);
507 /* mask the LTK */
508 smp_mask_enc_key(p_cb->loc_enc_size, <k);
509 p_cb->ltk = ltk;
510
511 /* generate EDIV and rand now */
512 send_ble_rand(BindOnce(&smp_generate_y, p_cb));
513 }
514
515 /*******************************************************************************
516 *
517 * Function smp_generate_ltk
518 *
519 * Description This function is called:
520 * - in legacy pairing - to calculate LTK, starting with DIV
521 * generation;
522 * - in LE Secure Connections pairing over LE transport - to
523 * process LTK already generated to encrypt LE link;
524 * - in LE Secure Connections pairing over BR/EDR transport -
525 * to start BR/EDR Link Key processing.
526 *
527 * Returns void
528 *
529 ******************************************************************************/
smp_generate_ltk(tSMP_CB * p_cb,tSMP_INT_DATA *)530 void smp_generate_ltk(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
531 log::verbose("addr:{}", p_cb->pairing_bda);
532
533 if (smp_get_br_state() == SMP_BR_STATE_BOND_PENDING) {
534 smp_br_process_link_key(p_cb, NULL);
535 return;
536 } else if (p_cb->sc_mode_required_by_peer) {
537 smp_process_secure_connection_long_term_key();
538 return;
539 }
540
541 bool div_status = btm_get_local_div(p_cb->pairing_bda, &p_cb->div);
542
543 if (div_status) {
544 smp_generate_ltk_cont(p_cb->div, p_cb);
545 } else {
546 log::verbose("Generate DIV for LTK");
547
548 /* generate MRand or SRand */
549 send_ble_rand(BindOnce(
550 [](tSMP_CB* p_cb, uint64_t rand) {
551 uint16_t div = static_cast<uint16_t>(rand);
552 smp_generate_ltk_cont(div, p_cb);
553 },
554 p_cb));
555 }
556 }
557
558 /* The function calculates legacy STK */
smp_calculate_legacy_short_term_key(tSMP_CB * p_cb)559 Octet16 smp_calculate_legacy_short_term_key(tSMP_CB* p_cb) {
560 log::verbose("addr:{}", p_cb->pairing_bda);
561
562 Octet16 text{};
563 if (p_cb->role == HCI_ROLE_CENTRAL) {
564 memcpy(text.data(), p_cb->rand.data(), BT_OCTET8_LEN);
565 memcpy(text.data() + BT_OCTET8_LEN, p_cb->rrand.data(), BT_OCTET8_LEN);
566 } else {
567 memcpy(text.data(), p_cb->rrand.data(), BT_OCTET8_LEN);
568 memcpy(text.data() + BT_OCTET8_LEN, p_cb->rand.data(), BT_OCTET8_LEN);
569 }
570
571 /* generate STK = Etk(rand|rrand)*/
572 return aes_128(p_cb->tk, text);
573 }
574
575 /*******************************************************************************
576 *
577 * Function smp_create_private_key
578 *
579 * Description This function is called to create private key used to
580 * calculate public key and DHKey.
581 * The function starts private key creation requesting
582 * for the controller to generate [0-7] octets of private key.
583 *
584 * Returns void
585 *
586 ******************************************************************************/
smp_create_private_key(tSMP_CB * p_cb,tSMP_INT_DATA *)587 void smp_create_private_key(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
588 log::verbose("addr:{}", p_cb->pairing_bda);
589
590 // Only use the stored OOB data if we are in an oob association model
591 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) {
592 log::warn("OOB Association Model");
593 // Make sure our data isn't empty, otherwise we generate new and eventually
594 // pairing will fail Not much we can do about it at this point, just have to
595 // generate new data The data will be cleared after the advertiser times
596 // out, so if the advertiser times out we want the pairing to fail anyway.
597 if (!is_oob_data_empty(&saved_local_oob_data)) {
598 log::warn("Found OOB data, loading keys");
599 for (int i = 0; i < BT_OCTET32_LEN; i++) {
600 p_cb->private_key[i] = saved_local_oob_data.private_key_used[i];
601 p_cb->loc_publ_key.x[i] = saved_local_oob_data.publ_key_used.x[i];
602 p_cb->loc_publ_key.y[i] = saved_local_oob_data.publ_key_used.y[i];
603 }
604 p_cb->sc_oob_data.loc_oob_data = saved_local_oob_data;
605 p_cb->local_random = saved_local_oob_data.randomizer;
606 smp_process_private_key(p_cb);
607 return;
608 }
609 log::warn("OOB Association Model with no saved data present");
610 }
611
612 send_ble_rand(BindOnce(
613 [](tSMP_CB* p_cb, uint64_t rand) {
614 memcpy(p_cb->private_key, (uint8_t*)&rand, sizeof(uint64_t));
615 send_ble_rand(BindOnce(
616 [](tSMP_CB* p_cb, uint64_t rand) {
617 memcpy(&p_cb->private_key[8], (uint8_t*)&rand, sizeof(uint64_t));
618 send_ble_rand(BindOnce(
619 [](tSMP_CB* p_cb, uint64_t rand) {
620 memcpy(&p_cb->private_key[16], (uint8_t*)&rand, sizeof(uint64_t));
621 send_ble_rand(BindOnce(
622 [](tSMP_CB* p_cb, uint64_t rand) {
623 memcpy(&p_cb->private_key[24], (uint8_t*)&rand,
624 sizeof(uint64_t));
625 smp_process_private_key(p_cb);
626 },
627 p_cb));
628 },
629 p_cb));
630 },
631 p_cb));
632 },
633 p_cb));
634 }
635
636 /*******************************************************************************
637 *
638 * Function smp_use_oob_private_key
639 *
640 * Description This function is called
641 * - to save the secret key used to calculate the public key
642 * used in calculations of commitment sent OOB to a peer
643 * - to use this secret key to recalculate the public key and
644 * start the process of sending this public key to the peer
645 * if secret/public keys have to be reused.
646 * If the keys aren't supposed to be reused, continue from the
647 * point from which request for OOB data was issued.
648 *
649 * Returns void
650 *
651 ******************************************************************************/
smp_use_oob_private_key(tSMP_CB * p_cb,tSMP_INT_DATA *)652 void smp_use_oob_private_key(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
653 log::info("req_oob_type:{}, role:{}", p_cb->req_oob_type, p_cb->role);
654
655 switch (p_cb->req_oob_type) {
656 case SMP_OOB_BOTH:
657 case SMP_OOB_LOCAL:
658 log::info("restore secret key");
659 // Only use the stored OOB data if we are in an oob association model
660 if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_OOB) {
661 log::info("OOB Association Model");
662 // Make sure our data isn't empty, otherwise we generate new and
663 // eventually pairing will fail Not much we can do about it at this
664 // point, just have to generate new data The data will be cleared after
665 // the advertiser times out, so if the advertiser times out we want the
666 // pairing to fail anyway.
667 if (!is_oob_data_empty(&saved_local_oob_data)) {
668 log::info("Found OOB data, loading keys");
669 for (int i = 0; i < BT_OCTET32_LEN; i++) {
670 p_cb->private_key[i] = saved_local_oob_data.private_key_used[i];
671 p_cb->loc_publ_key.x[i] = saved_local_oob_data.publ_key_used.x[i];
672 p_cb->loc_publ_key.y[i] = saved_local_oob_data.publ_key_used.y[i];
673 }
674 p_cb->sc_oob_data.loc_oob_data = saved_local_oob_data;
675 p_cb->local_random = saved_local_oob_data.randomizer;
676 smp_process_private_key(p_cb);
677 return;
678 }
679 log::info("OOB Association Model with no saved data present");
680 }
681
682 memcpy(p_cb->private_key, p_cb->sc_oob_data.loc_oob_data.private_key_used, BT_OCTET32_LEN);
683 smp_process_private_key(p_cb);
684 break;
685 default:
686 log::info("create secret key anew");
687 smp_set_state(SMP_STATE_PAIR_REQ_RSP);
688 smp_decide_association_model(p_cb, NULL);
689 break;
690 }
691 }
692
693 /*******************************************************************************
694 *
695 * Function smp_process_private_key
696 *
697 * Description This function processes private key.
698 * It calculates public key and notifies SM that private key /
699 * public key pair is created.
700 *
701 * Returns void
702 *
703 ******************************************************************************/
smp_process_private_key(tSMP_CB * p_cb)704 void smp_process_private_key(tSMP_CB* p_cb) {
705 Point public_key;
706 BT_OCTET32 private_key;
707
708 log::verbose("addr:{}", p_cb->pairing_bda);
709
710 memcpy(private_key, p_cb->private_key, BT_OCTET32_LEN);
711 ECC_PointMult(&public_key, &(curve_p256.G), (uint32_t*)private_key);
712 memcpy(p_cb->loc_publ_key.x, public_key.x, BT_OCTET32_LEN);
713 memcpy(p_cb->loc_publ_key.y, public_key.y, BT_OCTET32_LEN);
714
715 smp_debug_print_nbyte_little_endian(p_cb->private_key, "private", BT_OCTET32_LEN);
716 smp_debug_print_nbyte_little_endian(p_cb->loc_publ_key.x, "local public(x)", BT_OCTET32_LEN);
717 smp_debug_print_nbyte_little_endian(p_cb->loc_publ_key.y, "local public(y)", BT_OCTET32_LEN);
718 p_cb->flags |= SMP_PAIR_FLAG_HAVE_LOCAL_PUBL_KEY;
719 smp_sm_event(p_cb, SMP_LOC_PUBL_KEY_CRTD_EVT, NULL);
720 }
721
722 /*******************************************************************************
723 *
724 * Function smp_compute_dhkey
725 *
726 * Description The function:
727 * - calculates a new public key using as input local private
728 * key and peer public key;
729 * - saves the new public key x-coordinate as DHKey.
730 *
731 * Returns void
732 *
733 ******************************************************************************/
smp_compute_dhkey(tSMP_CB * p_cb)734 void smp_compute_dhkey(tSMP_CB* p_cb) {
735 Point peer_publ_key, new_publ_key;
736 BT_OCTET32 private_key;
737
738 log::verbose("addr:{}", p_cb->pairing_bda);
739
740 memcpy(private_key, p_cb->private_key, BT_OCTET32_LEN);
741 memcpy(peer_publ_key.x, p_cb->peer_publ_key.x, BT_OCTET32_LEN);
742 memcpy(peer_publ_key.y, p_cb->peer_publ_key.y, BT_OCTET32_LEN);
743
744 ECC_PointMult(&new_publ_key, &peer_publ_key, (uint32_t*)private_key);
745
746 memcpy(p_cb->dhkey, new_publ_key.x, BT_OCTET32_LEN);
747
748 smp_debug_print_nbyte_little_endian(p_cb->dhkey, "Old DHKey", BT_OCTET32_LEN);
749
750 smp_debug_print_nbyte_little_endian(p_cb->private_key, "private", BT_OCTET32_LEN);
751 smp_debug_print_nbyte_little_endian(p_cb->peer_publ_key.x, "rem public(x)", BT_OCTET32_LEN);
752 smp_debug_print_nbyte_little_endian(p_cb->peer_publ_key.y, "rem public(y)", BT_OCTET32_LEN);
753 smp_debug_print_nbyte_little_endian(p_cb->dhkey, "Reverted DHKey", BT_OCTET32_LEN);
754 }
755
756 /** The function calculates and saves local commmitment in CB. */
smp_calculate_local_commitment(tSMP_CB * p_cb)757 void smp_calculate_local_commitment(tSMP_CB* p_cb) {
758 uint8_t random_input;
759
760 log::verbose("addr:{}", p_cb->pairing_bda);
761
762 switch (p_cb->selected_association_model) {
763 case SMP_MODEL_SEC_CONN_JUSTWORKS:
764 case SMP_MODEL_SEC_CONN_NUM_COMP:
765 if (p_cb->role == HCI_ROLE_CENTRAL) {
766 log::warn(
767 "local commitment calc on central is not expected for Just "
768 "Works/Numeric Comparison models");
769 }
770 p_cb->commitment =
771 crypto_toolbox::f4(p_cb->loc_publ_key.x, p_cb->peer_publ_key.x, p_cb->rand, 0);
772 break;
773 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
774 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
775 random_input = smp_calculate_random_input(p_cb->local_random.data(), p_cb->round);
776 p_cb->commitment = crypto_toolbox::f4(p_cb->loc_publ_key.x, p_cb->peer_publ_key.x, p_cb->rand,
777 random_input);
778 break;
779 case SMP_MODEL_SEC_CONN_OOB:
780 log::warn("local commitment calc is expected for OOB model BEFORE pairing");
781 p_cb->commitment =
782 crypto_toolbox::f4(p_cb->loc_publ_key.x, p_cb->loc_publ_key.x, p_cb->local_random, 0);
783 break;
784 default:
785 log::error("Association Model={} is not used in LE SC", p_cb->selected_association_model);
786 return;
787 }
788 }
789
790 /** The function calculates peer commmitment */
smp_calculate_peer_commitment(tSMP_CB * p_cb)791 Octet16 smp_calculate_peer_commitment(tSMP_CB* p_cb) {
792 uint8_t ri;
793
794 log::verbose("addr:{}", p_cb->pairing_bda);
795 Octet16 output{0};
796 switch (p_cb->selected_association_model) {
797 case SMP_MODEL_SEC_CONN_JUSTWORKS:
798 case SMP_MODEL_SEC_CONN_NUM_COMP:
799 if (p_cb->role == HCI_ROLE_PERIPHERAL) {
800 log::warn(
801 "peer commitment calc on peripheral is not expected for Just "
802 "Works/Numeric Comparison models");
803 }
804 output = crypto_toolbox::f4(p_cb->peer_publ_key.x, p_cb->loc_publ_key.x, p_cb->rrand, 0);
805 break;
806 case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
807 case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
808 ri = smp_calculate_random_input(p_cb->peer_random.data(), p_cb->round);
809 output = crypto_toolbox::f4(p_cb->peer_publ_key.x, p_cb->loc_publ_key.x, p_cb->rrand, ri);
810 break;
811 case SMP_MODEL_SEC_CONN_OOB:
812 output = crypto_toolbox::f4(p_cb->peer_publ_key.x, p_cb->peer_publ_key.x, p_cb->peer_random,
813 0);
814 break;
815 default:
816 log::error("Association Model={} is not used in LE SC", p_cb->selected_association_model);
817 return output;
818 }
819
820 return output;
821 }
822
823 /*******************************************************************************
824 *
825 * Function smp_calculate_numeric_comparison_display_number
826 *
827 * Description The function calculates and saves number to display in
828 * numeric comparison association mode.
829 *
830 * Returns void
831 *
832 ******************************************************************************/
smp_calculate_numeric_comparison_display_number(tSMP_CB * p_cb,tSMP_INT_DATA *)833 void smp_calculate_numeric_comparison_display_number(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
834 log::verbose("addr:{}", p_cb->pairing_bda);
835
836 if (p_cb->role == HCI_ROLE_CENTRAL) {
837 p_cb->number_to_display = crypto_toolbox::g2(p_cb->loc_publ_key.x, p_cb->peer_publ_key.x,
838 p_cb->rand, p_cb->rrand);
839 } else {
840 p_cb->number_to_display = crypto_toolbox::g2(p_cb->peer_publ_key.x, p_cb->loc_publ_key.x,
841 p_cb->rrand, p_cb->rand);
842 }
843
844 if (p_cb->number_to_display >= (BTM_MAX_PASSKEY_VAL + 1)) {
845 tSMP_INT_DATA smp_int_data;
846 smp_int_data.status = SMP_PAIR_FAIL_UNKNOWN;
847 p_cb->failure = SMP_PAIR_FAIL_UNKNOWN;
848 log::verbose("Number to display in numeric comparison={} too large", p_cb->number_to_display);
849 smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
850 return;
851 }
852
853 p_cb->cb_evt = SMP_NC_REQ_EVT;
854 tSMP_INT_DATA smp_int_data;
855 smp_int_data.passkey = p_cb->number_to_display;
856 smp_sm_event(p_cb, SMP_SC_DSPL_NC_EVT, &smp_int_data);
857 }
858
859 /*******************************************************************************
860 *
861 * Function smp_calculate_local_dhkey_check
862 *
863 * Description The function calculates and saves local device DHKey check
864 * value in CB.
865 * Before doing this it calls
866 * smp_calculate_f5_mackey_and_long_term_key(...).
867 * to calculate MacKey and LTK.
868 * MacKey is used in dhkey calculation.
869 *
870 * Returns void
871 *
872 ******************************************************************************/
smp_calculate_local_dhkey_check(tSMP_CB * p_cb,tSMP_INT_DATA *)873 void smp_calculate_local_dhkey_check(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
874 uint8_t iocap[3], a[7], b[7];
875
876 log::verbose("addr:{}", p_cb->pairing_bda);
877
878 smp_calculate_f5_mackey_and_long_term_key(p_cb);
879
880 smp_collect_local_io_capabilities(iocap, p_cb);
881
882 smp_collect_local_ble_address(a, p_cb);
883 smp_collect_peer_ble_address(b, p_cb);
884 p_cb->dhkey_check = crypto_toolbox::f6(p_cb->mac_key, p_cb->rand, p_cb->rrand, p_cb->peer_random,
885 iocap, a, b);
886 }
887
888 /*******************************************************************************
889 *
890 * Function smp_calculate_peer_dhkey_check
891 *
892 * Description The function calculates peer device DHKey check value.
893 *
894 * Returns void
895 *
896 ******************************************************************************/
smp_calculate_peer_dhkey_check(tSMP_CB * p_cb,tSMP_INT_DATA *)897 void smp_calculate_peer_dhkey_check(tSMP_CB* p_cb, tSMP_INT_DATA* /* p_data */) {
898 uint8_t iocap[3], a[7], b[7];
899 tSMP_KEY key;
900
901 log::verbose("addr:{}", p_cb->pairing_bda);
902
903 smp_collect_peer_io_capabilities(iocap, p_cb);
904
905 smp_collect_local_ble_address(a, p_cb);
906 smp_collect_peer_ble_address(b, p_cb);
907 Octet16 param_buf = crypto_toolbox::f6(p_cb->mac_key, p_cb->rrand, p_cb->rand, p_cb->local_random,
908 iocap, b, a);
909 key.key_type = SMP_KEY_TYPE_PEER_DHK_CHCK;
910 key.p_data = param_buf.data();
911 tSMP_INT_DATA smp_int_data;
912 smp_int_data.key = key;
913 smp_sm_event(p_cb, SMP_SC_KEY_READY_EVT, &smp_int_data);
914 }
915
916 /*******************************************************************************
917 *
918 * Function smp_calculate_link_key_from_long_term_key
919 *
920 * Description The function calculates and saves BR/EDR link key derived
921 * from LE SC LTK.
922 *
923 * Returns false if out of resources, true in other cases.
924 *
925 ******************************************************************************/
smp_calculate_link_key_from_long_term_key(tSMP_CB * p_cb)926 bool smp_calculate_link_key_from_long_term_key(tSMP_CB* p_cb) {
927 tBTM_SEC_DEV_REC* p_dev_rec;
928 RawAddress bda_for_lk;
929 tBLE_ADDR_TYPE conn_addr_type;
930
931 log::verbose("addr:{}", p_cb->pairing_bda);
932
933 if (p_cb->id_addr_rcvd && p_cb->id_addr_type == BLE_ADDR_PUBLIC) {
934 log::verbose("Use rcvd identity address as BD_ADDR of LK rcvd identity address");
935 bda_for_lk = p_cb->id_addr;
936 } else if ((BTM_ReadRemoteConnectionAddr(p_cb->pairing_bda, bda_for_lk, &conn_addr_type, true)) &&
937 conn_addr_type == BLE_ADDR_PUBLIC) {
938 log::verbose("Use rcvd connection address as BD_ADDR of LK");
939 } else {
940 log::warn("Don't have peer public address to associate with LK");
941 return false;
942 }
943
944 p_dev_rec = btm_find_dev(p_cb->pairing_bda);
945 if (p_dev_rec == NULL) {
946 log::error("failed to find Security Record");
947 return false;
948 }
949
950 Octet16 link_key = crypto_toolbox::ltk_to_link_key(p_cb->ltk, p_cb->key_derivation_h7_used);
951
952 uint8_t link_key_type;
953 if (p_cb->init_security_mode == BTM_SEC_MODE_SC) {
954 /* Secure Connections Only Mode */
955 link_key_type = BTM_LKEY_TYPE_AUTH_COMB_P_256;
956 } else if (bluetooth::shim::GetController()->SupportsSecureConnections()) {
957 /* both transports are SC capable */
958 if (p_cb->sec_level == SMP_SEC_AUTHENTICATED) {
959 link_key_type = BTM_LKEY_TYPE_AUTH_COMB_P_256;
960 } else {
961 link_key_type = BTM_LKEY_TYPE_UNAUTH_COMB_P_256;
962 }
963 } else if (p_cb->init_security_mode == BTM_SEC_MODE_SP) {
964 /* BR/EDR transport is SSP capable */
965 if (p_cb->sec_level == SMP_SEC_AUTHENTICATED) {
966 link_key_type = BTM_LKEY_TYPE_AUTH_COMB;
967 } else {
968 link_key_type = BTM_LKEY_TYPE_UNAUTH_COMB;
969 }
970 } else {
971 log::error("failed to update link_key. Sec Mode={}, sm4=0x{:02x}", p_cb->init_security_mode,
972 p_dev_rec->sm4);
973 return false;
974 }
975
976 link_key_type += BTM_LTK_DERIVED_LKEY_OFFSET;
977
978 Octet16 notif_link_key;
979 std::reverse_copy(link_key.begin(), link_key.end(), notif_link_key.begin());
980 btm_sec_link_key_notification(bda_for_lk, notif_link_key, link_key_type);
981
982 return true;
983 }
984
985 /** The function calculates and saves SC LTK derived from BR/EDR link key. */
smp_calculate_long_term_key_from_link_key(tSMP_CB * p_cb)986 bool smp_calculate_long_term_key_from_link_key(tSMP_CB* p_cb) {
987 tBTM_SEC_DEV_REC* p_dev_rec;
988
989 log::verbose("addr:{}", p_cb->pairing_bda);
990
991 p_dev_rec = btm_find_dev(p_cb->pairing_bda);
992 if (p_dev_rec == NULL) {
993 log::error("ailed to find Security Record");
994 return false;
995 }
996
997 uint8_t br_link_key_type;
998 br_link_key_type = BTM_SecGetDeviceLinkKeyType(p_cb->pairing_bda);
999 if (br_link_key_type == BTM_LKEY_TYPE_IGNORE) {
1000 log::error("failed to retrieve BR link type");
1001 return false;
1002 }
1003
1004 if ((br_link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256) &&
1005 (br_link_key_type != BTM_LKEY_TYPE_UNAUTH_COMB_P_256)) {
1006 log::error("LE SC LTK can't be derived from LK {}", br_link_key_type);
1007 return false;
1008 }
1009
1010 Octet16 rev_link_key;
1011 std::reverse_copy(p_dev_rec->sec_rec.link_key.begin(), p_dev_rec->sec_rec.link_key.end(),
1012 rev_link_key.begin());
1013 p_cb->ltk = crypto_toolbox::link_key_to_ltk(rev_link_key, p_cb->key_derivation_h7_used);
1014
1015 p_cb->sec_level = (br_link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) ? SMP_SEC_AUTHENTICATED
1016 : SMP_SEC_UNAUTHENTICATE;
1017 return true;
1018 }
1019
1020 /**
1021 * This function generates nonce.
1022 */
smp_start_nonce_generation(tSMP_CB * p_cb)1023 void smp_start_nonce_generation(tSMP_CB* p_cb) {
1024 log::verbose("start generating nonce");
1025 send_ble_rand(BindOnce(
1026 [](tSMP_CB* p_cb, uint64_t rand) {
1027 memcpy(p_cb->rand.data(), (uint8_t*)&rand, sizeof(uint64_t));
1028 send_ble_rand(BindOnce(
1029 [](tSMP_CB* p_cb, uint64_t rand) {
1030 memcpy(p_cb->rand.data() + sizeof(uint64_t), (uint8_t*)&rand,
1031 sizeof(uint64_t));
1032 log::verbose("round {}, done", p_cb->round);
1033 /* notifies SM that it has new nonce. */
1034 smp_sm_event(p_cb, SMP_HAVE_LOC_NONCE_EVT, NULL);
1035 },
1036 p_cb));
1037 },
1038 p_cb));
1039 }
1040
send_ble_rand(OnceCallback<void (uint64_t)> callback)1041 static void send_ble_rand(OnceCallback<void(uint64_t)> callback) {
1042 bluetooth::shim::GetController()->LeRand(get_main_thread()->BindOnce(std::move(callback)));
1043 }
1044