1 /* 2 * Copyright (C) 2014 BlueKitchen GmbH 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of the copyright holders nor the names of 14 * contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 4. Any redistribution, use, or modification is done solely for 17 * personal benefit and not for any commercial purpose or for 18 * monetary gain. 19 * 20 * THIS SOFTWARE IS PROVIDED BY BLUEKITCHEN GMBH AND CONTRIBUTORS 21 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 23 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL MATTHIAS 24 * RINGWALD OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 26 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS 27 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 28 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF 30 * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 * 33 * Please inquire about commercial licensing options at 34 * [email protected] 35 * 36 */ 37 38 #include <stdio.h> 39 #include <string.h> 40 #include <inttypes.h> 41 42 #include "ble/le_device_db.h" 43 #include "ble/core.h" 44 #include "ble/sm.h" 45 #include "btstack_debug.h" 46 #include "btstack_event.h" 47 #include "btstack_linked_list.h" 48 #include "btstack_memory.h" 49 #include "gap.h" 50 #include "hci.h" 51 #include "hci_dump.h" 52 #include "l2cap.h" 53 54 #ifdef ENABLE_LE_SECURE_CONNECTIONS 55 #ifdef HAVE_HCI_CONTROLLER_DHKEY_SUPPORT 56 #error "Support for DHKEY Support in HCI Controller not implemented yet. Please use software implementation" 57 #else 58 #define USE_MBEDTLS_FOR_ECDH 59 #endif 60 #endif 61 62 63 // Software ECDH implementation provided by mbedtls 64 #ifdef USE_MBEDTLS_FOR_ECDH 65 #include "mbedtls/config.h" 66 #include "mbedtls/platform.h" 67 #include "mbedtls/ecp.h" 68 #include "sm_mbedtls_allocator.h" 69 #endif 70 71 // 72 // SM internal types and globals 73 // 74 75 typedef enum { 76 DKG_W4_WORKING, 77 DKG_CALC_IRK, 78 DKG_W4_IRK, 79 DKG_CALC_DHK, 80 DKG_W4_DHK, 81 DKG_READY 82 } derived_key_generation_t; 83 84 typedef enum { 85 RAU_W4_WORKING, 86 RAU_IDLE, 87 RAU_GET_RANDOM, 88 RAU_W4_RANDOM, 89 RAU_GET_ENC, 90 RAU_W4_ENC, 91 RAU_SET_ADDRESS, 92 } random_address_update_t; 93 94 typedef enum { 95 CMAC_IDLE, 96 CMAC_CALC_SUBKEYS, 97 CMAC_W4_SUBKEYS, 98 CMAC_CALC_MI, 99 CMAC_W4_MI, 100 CMAC_CALC_MLAST, 101 CMAC_W4_MLAST 102 } cmac_state_t; 103 104 typedef enum { 105 JUST_WORKS, 106 PK_RESP_INPUT, // Initiator displays PK, responder inputs PK 107 PK_INIT_INPUT, // Responder displays PK, initiator inputs PK 108 OK_BOTH_INPUT, // Only input on both, both input PK 109 NK_BOTH_INPUT, // Only numerical compparison (yes/no) on on both sides 110 OOB // OOB available on both sides 111 } stk_generation_method_t; 112 113 typedef enum { 114 SM_USER_RESPONSE_IDLE, 115 SM_USER_RESPONSE_PENDING, 116 SM_USER_RESPONSE_CONFIRM, 117 SM_USER_RESPONSE_PASSKEY, 118 SM_USER_RESPONSE_DECLINE 119 } sm_user_response_t; 120 121 typedef enum { 122 SM_AES128_IDLE, 123 SM_AES128_ACTIVE 124 } sm_aes128_state_t; 125 126 typedef enum { 127 ADDRESS_RESOLUTION_IDLE, 128 ADDRESS_RESOLUTION_GENERAL, 129 ADDRESS_RESOLUTION_FOR_CONNECTION, 130 } address_resolution_mode_t; 131 132 typedef enum { 133 ADDRESS_RESOLUTION_SUCEEDED, 134 ADDRESS_RESOLUTION_FAILED, 135 } address_resolution_event_t; 136 137 typedef enum { 138 EC_KEY_GENERATION_IDLE, 139 EC_KEY_GENERATION_ACTIVE, 140 EC_KEY_GENERATION_W4_KEY, 141 EC_KEY_GENERATION_DONE, 142 } ec_key_generation_state_t; 143 144 typedef enum { 145 SM_STATE_VAR_DHKEY_COMMAND_RECEIVED = 1 << 0 146 } sm_state_var_t; 147 148 // 149 // GLOBAL DATA 150 // 151 152 static uint8_t test_use_fixed_local_csrk; 153 154 // configuration 155 static uint8_t sm_accepted_stk_generation_methods; 156 static uint8_t sm_max_encryption_key_size; 157 static uint8_t sm_min_encryption_key_size; 158 static uint8_t sm_auth_req = 0; 159 static uint8_t sm_io_capabilities = IO_CAPABILITY_NO_INPUT_NO_OUTPUT; 160 static uint8_t sm_slave_request_security; 161 #ifdef ENABLE_LE_SECURE_CONNECTIONS 162 static uint8_t sm_have_ec_keypair; 163 #endif 164 165 // Security Manager Master Keys, please use sm_set_er(er) and sm_set_ir(ir) with your own 128 bit random values 166 static sm_key_t sm_persistent_er; 167 static sm_key_t sm_persistent_ir; 168 169 // derived from sm_persistent_ir 170 static sm_key_t sm_persistent_dhk; 171 static sm_key_t sm_persistent_irk; 172 static uint8_t sm_persistent_irk_ready = 0; // used for testing 173 static derived_key_generation_t dkg_state; 174 175 // derived from sm_persistent_er 176 // .. 177 178 // random address update 179 static random_address_update_t rau_state; 180 static bd_addr_t sm_random_address; 181 static uint8_t sm_random_address_set; 182 183 // CMAC Calculation: General 184 static cmac_state_t sm_cmac_state; 185 static uint16_t sm_cmac_message_len; 186 static sm_key_t sm_cmac_k; 187 static sm_key_t sm_cmac_x; 188 static sm_key_t sm_cmac_m_last; 189 static uint8_t sm_cmac_block_current; 190 static uint8_t sm_cmac_block_count; 191 static uint8_t (*sm_cmac_get_byte)(uint16_t offset); 192 static void (*sm_cmac_done_handler)(uint8_t * hash); 193 194 // CMAC for ATT Signed Writes 195 static uint8_t sm_cmac_header[3]; 196 static const uint8_t * sm_cmac_message; 197 static uint8_t sm_cmac_sign_counter[4]; 198 199 // CMAC for Secure Connection functions 200 #ifdef ENABLE_LE_SECURE_CONNECTIONS 201 static sm_connection_t * sm_cmac_connection; 202 static uint8_t sm_cmac_sc_buffer[80]; 203 #endif 204 205 // resolvable private address lookup / CSRK calculation 206 static int sm_address_resolution_test; 207 static int sm_address_resolution_ah_calculation_active; 208 static uint8_t sm_address_resolution_addr_type; 209 static bd_addr_t sm_address_resolution_address; 210 static void * sm_address_resolution_context; 211 static address_resolution_mode_t sm_address_resolution_mode; 212 static btstack_linked_list_t sm_address_resolution_general_queue; 213 214 // aes128 crypto engine. store current sm_connection_t in sm_aes128_context 215 static sm_aes128_state_t sm_aes128_state; 216 static void * sm_aes128_context; 217 218 // random engine. store context (ususally sm_connection_t) 219 static void * sm_random_context; 220 221 // to receive hci events 222 static btstack_packet_callback_registration_t hci_event_callback_registration; 223 224 /* to dispatch sm event */ 225 static btstack_linked_list_t sm_event_handlers; 226 227 // LE Secure Connections 228 #ifdef ENABLE_LE_SECURE_CONNECTIONS 229 static ec_key_generation_state_t ec_key_generation_state; 230 static uint8_t ec_d[32]; 231 static uint8_t ec_qx[32]; 232 static uint8_t ec_qy[32]; 233 #endif 234 235 // Software ECDH implementation provided by mbedtls 236 #ifdef USE_MBEDTLS_FOR_ECDH 237 // group is always valid 238 static mbedtls_ecp_group mbedtls_ec_group; 239 #ifndef HAVE_MALLOC 240 // COMP Method with Window 2 241 // 1300 bytes with 23 allocations 242 // #define MBEDTLS_ALLOC_BUFFER_SIZE (1300+23*sizeof(void *)) 243 // NAIVE Method with safe cond assignments (without safe cond, order changes and allocations fail) 244 #define MBEDTLS_ALLOC_BUFFER_SIZE (700+18*sizeof(void *)) 245 static uint8_t mbedtls_memory_buffer[MBEDTLS_ALLOC_BUFFER_SIZE]; 246 #endif 247 #endif 248 249 // 250 // Volume 3, Part H, Chapter 24 251 // "Security shall be initiated by the Security Manager in the device in the master role. 252 // The device in the slave role shall be the responding device." 253 // -> master := initiator, slave := responder 254 // 255 256 // data needed for security setup 257 typedef struct sm_setup_context { 258 259 btstack_timer_source_t sm_timeout; 260 261 // used in all phases 262 uint8_t sm_pairing_failed_reason; 263 264 // user response, (Phase 1 and/or 2) 265 uint8_t sm_user_response; 266 uint8_t sm_keypress_notification; 267 268 // defines which keys will be send after connection is encrypted - calculated during Phase 1, used Phase 3 269 int sm_key_distribution_send_set; 270 int sm_key_distribution_received_set; 271 272 // Phase 2 (Pairing over SMP) 273 stk_generation_method_t sm_stk_generation_method; 274 sm_key_t sm_tk; 275 uint8_t sm_use_secure_connections; 276 277 sm_key_t sm_c1_t3_value; // c1 calculation 278 sm_pairing_packet_t sm_m_preq; // pairing request - needed only for c1 279 sm_pairing_packet_t sm_s_pres; // pairing response - needed only for c1 280 sm_key_t sm_local_random; 281 sm_key_t sm_local_confirm; 282 sm_key_t sm_peer_random; 283 sm_key_t sm_peer_confirm; 284 uint8_t sm_m_addr_type; // address and type can be removed 285 uint8_t sm_s_addr_type; // '' 286 bd_addr_t sm_m_address; // '' 287 bd_addr_t sm_s_address; // '' 288 sm_key_t sm_ltk; 289 290 uint8_t sm_state_vars; 291 #ifdef ENABLE_LE_SECURE_CONNECTIONS 292 uint8_t sm_peer_qx[32]; // also stores random for EC key generation during init 293 uint8_t sm_peer_qy[32]; // '' 294 sm_key_t sm_peer_nonce; // might be combined with sm_peer_random 295 sm_key_t sm_local_nonce; // might be combined with sm_local_random 296 sm_key_t sm_peer_dhkey_check; 297 sm_key_t sm_local_dhkey_check; 298 sm_key_t sm_ra; 299 sm_key_t sm_rb; 300 sm_key_t sm_t; // used for f5 and h6 301 sm_key_t sm_mackey; 302 uint8_t sm_passkey_bit; // also stores number of generated random bytes for EC key generation 303 #endif 304 305 // Phase 3 306 307 // key distribution, we generate 308 uint16_t sm_local_y; 309 uint16_t sm_local_div; 310 uint16_t sm_local_ediv; 311 uint8_t sm_local_rand[8]; 312 sm_key_t sm_local_ltk; 313 sm_key_t sm_local_csrk; 314 sm_key_t sm_local_irk; 315 // sm_local_address/addr_type not needed 316 317 // key distribution, received from peer 318 uint16_t sm_peer_y; 319 uint16_t sm_peer_div; 320 uint16_t sm_peer_ediv; 321 uint8_t sm_peer_rand[8]; 322 sm_key_t sm_peer_ltk; 323 sm_key_t sm_peer_irk; 324 sm_key_t sm_peer_csrk; 325 uint8_t sm_peer_addr_type; 326 bd_addr_t sm_peer_address; 327 328 } sm_setup_context_t; 329 330 // 331 static sm_setup_context_t the_setup; 332 static sm_setup_context_t * setup = &the_setup; 333 334 // active connection - the one for which the_setup is used for 335 static uint16_t sm_active_connection = 0; 336 337 // @returns 1 if oob data is available 338 // stores oob data in provided 16 byte buffer if not null 339 static int (*sm_get_oob_data)(uint8_t addres_type, bd_addr_t addr, uint8_t * oob_data) = NULL; 340 341 // horizontal: initiator capabilities 342 // vertial: responder capabilities 343 static const stk_generation_method_t stk_generation_method [5] [5] = { 344 { JUST_WORKS, JUST_WORKS, PK_INIT_INPUT, JUST_WORKS, PK_INIT_INPUT }, 345 { JUST_WORKS, JUST_WORKS, PK_INIT_INPUT, JUST_WORKS, PK_INIT_INPUT }, 346 { PK_RESP_INPUT, PK_RESP_INPUT, OK_BOTH_INPUT, JUST_WORKS, PK_RESP_INPUT }, 347 { JUST_WORKS, JUST_WORKS, JUST_WORKS, JUST_WORKS, JUST_WORKS }, 348 { PK_RESP_INPUT, PK_RESP_INPUT, PK_INIT_INPUT, JUST_WORKS, PK_RESP_INPUT }, 349 }; 350 351 // uses numeric comparison if one side has DisplayYesNo and KeyboardDisplay combinations 352 #ifdef ENABLE_LE_SECURE_CONNECTIONS 353 static const stk_generation_method_t stk_generation_method_with_secure_connection[5][5] = { 354 { JUST_WORKS, JUST_WORKS, PK_INIT_INPUT, JUST_WORKS, PK_INIT_INPUT }, 355 { JUST_WORKS, NK_BOTH_INPUT, PK_INIT_INPUT, JUST_WORKS, NK_BOTH_INPUT }, 356 { PK_RESP_INPUT, PK_RESP_INPUT, OK_BOTH_INPUT, JUST_WORKS, PK_RESP_INPUT }, 357 { JUST_WORKS, JUST_WORKS, JUST_WORKS, JUST_WORKS, JUST_WORKS }, 358 { PK_RESP_INPUT, NK_BOTH_INPUT, PK_INIT_INPUT, JUST_WORKS, NK_BOTH_INPUT }, 359 }; 360 #endif 361 362 static void sm_run(void); 363 static void sm_done_for_handle(hci_con_handle_t con_handle); 364 static sm_connection_t * sm_get_connection_for_handle(hci_con_handle_t con_handle); 365 static inline int sm_calc_actual_encryption_key_size(int other); 366 static int sm_validate_stk_generation_method(void); 367 static void sm_shift_left_by_one_bit_inplace(int len, uint8_t * data); 368 369 static void log_info_hex16(const char * name, uint16_t value){ 370 log_info("%-6s 0x%04x", name, value); 371 } 372 373 // @returns 1 if all bytes are 0 374 static int sm_is_null(uint8_t * data, int size){ 375 int i; 376 for (i=0; i < size ; i++){ 377 if (data[i]) return 0; 378 } 379 return 1; 380 } 381 382 static int sm_is_null_random(uint8_t random[8]){ 383 return sm_is_null(random, 8); 384 } 385 386 static int sm_is_null_key(uint8_t * key){ 387 return sm_is_null(key, 16); 388 } 389 390 // Key utils 391 static void sm_reset_tk(void){ 392 int i; 393 for (i=0;i<16;i++){ 394 setup->sm_tk[i] = 0; 395 } 396 } 397 398 // "For example, if a 128-bit encryption key is 0x123456789ABCDEF0123456789ABCDEF0 399 // and it is reduced to 7 octets (56 bits), then the resulting key is 0x0000000000000000003456789ABCDEF0."" 400 static void sm_truncate_key(sm_key_t key, int max_encryption_size){ 401 int i; 402 for (i = max_encryption_size ; i < 16 ; i++){ 403 key[15-i] = 0; 404 } 405 } 406 407 // SMP Timeout implementation 408 409 // Upon transmission of the Pairing Request command or reception of the Pairing Request command, 410 // the Security Manager Timer shall be reset and started. 411 // 412 // The Security Manager Timer shall be reset when an L2CAP SMP command is queued for transmission. 413 // 414 // If the Security Manager Timer reaches 30 seconds, the procedure shall be considered to have failed, 415 // and the local higher layer shall be notified. No further SMP commands shall be sent over the L2CAP 416 // Security Manager Channel. A new SM procedure shall only be performed when a new physical link has been 417 // established. 418 419 static void sm_timeout_handler(btstack_timer_source_t * timer){ 420 log_info("SM timeout"); 421 sm_connection_t * sm_conn = (sm_connection_t*) btstack_run_loop_get_timer_context(timer); 422 sm_conn->sm_engine_state = SM_GENERAL_TIMEOUT; 423 sm_done_for_handle(sm_conn->sm_handle); 424 425 // trigger handling of next ready connection 426 sm_run(); 427 } 428 static void sm_timeout_start(sm_connection_t * sm_conn){ 429 btstack_run_loop_remove_timer(&setup->sm_timeout); 430 btstack_run_loop_set_timer_context(&setup->sm_timeout, sm_conn); 431 btstack_run_loop_set_timer_handler(&setup->sm_timeout, sm_timeout_handler); 432 btstack_run_loop_set_timer(&setup->sm_timeout, 30000); // 30 seconds sm timeout 433 btstack_run_loop_add_timer(&setup->sm_timeout); 434 } 435 static void sm_timeout_stop(void){ 436 btstack_run_loop_remove_timer(&setup->sm_timeout); 437 } 438 static void sm_timeout_reset(sm_connection_t * sm_conn){ 439 sm_timeout_stop(); 440 sm_timeout_start(sm_conn); 441 } 442 443 // end of sm timeout 444 445 // GAP Random Address updates 446 static gap_random_address_type_t gap_random_adress_type; 447 static btstack_timer_source_t gap_random_address_update_timer; 448 static uint32_t gap_random_adress_update_period; 449 450 static void gap_random_address_trigger(void){ 451 if (rau_state != RAU_IDLE) return; 452 log_info("gap_random_address_trigger"); 453 rau_state = RAU_GET_RANDOM; 454 sm_run(); 455 } 456 457 static void gap_random_address_update_handler(btstack_timer_source_t * timer){ 458 log_info("GAP Random Address Update due"); 459 btstack_run_loop_set_timer(&gap_random_address_update_timer, gap_random_adress_update_period); 460 btstack_run_loop_add_timer(&gap_random_address_update_timer); 461 gap_random_address_trigger(); 462 } 463 464 static void gap_random_address_update_start(void){ 465 btstack_run_loop_set_timer_handler(&gap_random_address_update_timer, gap_random_address_update_handler); 466 btstack_run_loop_set_timer(&gap_random_address_update_timer, gap_random_adress_update_period); 467 btstack_run_loop_add_timer(&gap_random_address_update_timer); 468 } 469 470 static void gap_random_address_update_stop(void){ 471 btstack_run_loop_remove_timer(&gap_random_address_update_timer); 472 } 473 474 475 static void sm_random_start(void * context){ 476 sm_random_context = context; 477 hci_send_cmd(&hci_le_rand); 478 } 479 480 // pre: sm_aes128_state != SM_AES128_ACTIVE, hci_can_send_command == 1 481 // context is made availabe to aes128 result handler by this 482 static void sm_aes128_start(sm_key_t key, sm_key_t plaintext, void * context){ 483 sm_aes128_state = SM_AES128_ACTIVE; 484 sm_key_t key_flipped, plaintext_flipped; 485 reverse_128(key, key_flipped); 486 reverse_128(plaintext, plaintext_flipped); 487 sm_aes128_context = context; 488 hci_send_cmd(&hci_le_encrypt, key_flipped, plaintext_flipped); 489 } 490 491 // ah(k,r) helper 492 // r = padding || r 493 // r - 24 bit value 494 static void sm_ah_r_prime(uint8_t r[3], uint8_t * r_prime){ 495 // r'= padding || r 496 memset(r_prime, 0, 16); 497 memcpy(&r_prime[13], r, 3); 498 } 499 500 // d1 helper 501 // d' = padding || r || d 502 // d,r - 16 bit values 503 static void sm_d1_d_prime(uint16_t d, uint16_t r, uint8_t * d1_prime){ 504 // d'= padding || r || d 505 memset(d1_prime, 0, 16); 506 big_endian_store_16(d1_prime, 12, r); 507 big_endian_store_16(d1_prime, 14, d); 508 } 509 510 // dm helper 511 // r’ = padding || r 512 // r - 64 bit value 513 static void sm_dm_r_prime(uint8_t r[8], uint8_t * r_prime){ 514 memset(r_prime, 0, 16); 515 memcpy(&r_prime[8], r, 8); 516 } 517 518 // calculate arguments for first AES128 operation in C1 function 519 static void sm_c1_t1(sm_key_t r, uint8_t preq[7], uint8_t pres[7], uint8_t iat, uint8_t rat, uint8_t * t1){ 520 521 // p1 = pres || preq || rat’ || iat’ 522 // "The octet of iat’ becomes the least significant octet of p1 and the most signifi- 523 // cant octet of pres becomes the most significant octet of p1. 524 // For example, if the 8-bit iat’ is 0x01, the 8-bit rat’ is 0x00, the 56-bit preq 525 // is 0x07071000000101 and the 56 bit pres is 0x05000800000302 then 526 // p1 is 0x05000800000302070710000001010001." 527 528 sm_key_t p1; 529 reverse_56(pres, &p1[0]); 530 reverse_56(preq, &p1[7]); 531 p1[14] = rat; 532 p1[15] = iat; 533 log_info_key("p1", p1); 534 log_info_key("r", r); 535 536 // t1 = r xor p1 537 int i; 538 for (i=0;i<16;i++){ 539 t1[i] = r[i] ^ p1[i]; 540 } 541 log_info_key("t1", t1); 542 } 543 544 // calculate arguments for second AES128 operation in C1 function 545 static void sm_c1_t3(sm_key_t t2, bd_addr_t ia, bd_addr_t ra, uint8_t * t3){ 546 // p2 = padding || ia || ra 547 // "The least significant octet of ra becomes the least significant octet of p2 and 548 // the most significant octet of padding becomes the most significant octet of p2. 549 // For example, if 48-bit ia is 0xA1A2A3A4A5A6 and the 48-bit ra is 550 // 0xB1B2B3B4B5B6 then p2 is 0x00000000A1A2A3A4A5A6B1B2B3B4B5B6. 551 552 sm_key_t p2; 553 memset(p2, 0, 16); 554 memcpy(&p2[4], ia, 6); 555 memcpy(&p2[10], ra, 6); 556 log_info_key("p2", p2); 557 558 // c1 = e(k, t2_xor_p2) 559 int i; 560 for (i=0;i<16;i++){ 561 t3[i] = t2[i] ^ p2[i]; 562 } 563 log_info_key("t3", t3); 564 } 565 566 static void sm_s1_r_prime(sm_key_t r1, sm_key_t r2, uint8_t * r_prime){ 567 log_info_key("r1", r1); 568 log_info_key("r2", r2); 569 memcpy(&r_prime[8], &r2[8], 8); 570 memcpy(&r_prime[0], &r1[8], 8); 571 } 572 573 #ifdef ENABLE_LE_SECURE_CONNECTIONS 574 // Software implementations of crypto toolbox for LE Secure Connection 575 // TODO: replace with code to use AES Engine of HCI Controller 576 typedef uint8_t sm_key24_t[3]; 577 typedef uint8_t sm_key56_t[7]; 578 typedef uint8_t sm_key256_t[32]; 579 580 #if 0 581 static void aes128_calc_cyphertext(const uint8_t key[16], const uint8_t plaintext[16], uint8_t cyphertext[16]){ 582 uint32_t rk[RKLENGTH(KEYBITS)]; 583 int nrounds = rijndaelSetupEncrypt(rk, &key[0], KEYBITS); 584 rijndaelEncrypt(rk, nrounds, plaintext, cyphertext); 585 } 586 587 static void calc_subkeys(sm_key_t k0, sm_key_t k1, sm_key_t k2){ 588 memcpy(k1, k0, 16); 589 sm_shift_left_by_one_bit_inplace(16, k1); 590 if (k0[0] & 0x80){ 591 k1[15] ^= 0x87; 592 } 593 memcpy(k2, k1, 16); 594 sm_shift_left_by_one_bit_inplace(16, k2); 595 if (k1[0] & 0x80){ 596 k2[15] ^= 0x87; 597 } 598 } 599 600 static void aes_cmac(sm_key_t aes_cmac, const sm_key_t key, const uint8_t * data, int cmac_message_len){ 601 sm_key_t k0, k1, k2, zero; 602 memset(zero, 0, 16); 603 604 aes128_calc_cyphertext(key, zero, k0); 605 calc_subkeys(k0, k1, k2); 606 607 int cmac_block_count = (cmac_message_len + 15) / 16; 608 609 // step 3: .. 610 if (cmac_block_count==0){ 611 cmac_block_count = 1; 612 } 613 614 // step 4: set m_last 615 sm_key_t cmac_m_last; 616 int sm_cmac_last_block_complete = cmac_message_len != 0 && (cmac_message_len & 0x0f) == 0; 617 int i; 618 if (sm_cmac_last_block_complete){ 619 for (i=0;i<16;i++){ 620 cmac_m_last[i] = data[cmac_message_len - 16 + i] ^ k1[i]; 621 } 622 } else { 623 int valid_octets_in_last_block = cmac_message_len & 0x0f; 624 for (i=0;i<16;i++){ 625 if (i < valid_octets_in_last_block){ 626 cmac_m_last[i] = data[(cmac_message_len & 0xfff0) + i] ^ k2[i]; 627 continue; 628 } 629 if (i == valid_octets_in_last_block){ 630 cmac_m_last[i] = 0x80 ^ k2[i]; 631 continue; 632 } 633 cmac_m_last[i] = k2[i]; 634 } 635 } 636 637 // printf("sm_cmac_start: len %u, block count %u\n", cmac_message_len, cmac_block_count); 638 // LOG_KEY(cmac_m_last); 639 640 // Step 5 641 sm_key_t cmac_x; 642 memset(cmac_x, 0, 16); 643 644 // Step 6 645 sm_key_t sm_cmac_y; 646 for (int block = 0 ; block < cmac_block_count-1 ; block++){ 647 for (i=0;i<16;i++){ 648 sm_cmac_y[i] = cmac_x[i] ^ data[block * 16 + i]; 649 } 650 aes128_calc_cyphertext(key, sm_cmac_y, cmac_x); 651 } 652 for (i=0;i<16;i++){ 653 sm_cmac_y[i] = cmac_x[i] ^ cmac_m_last[i]; 654 } 655 656 // Step 7 657 aes128_calc_cyphertext(key, sm_cmac_y, aes_cmac); 658 } 659 #endif 660 #endif 661 662 static void sm_setup_event_base(uint8_t * event, int event_size, uint8_t type, hci_con_handle_t con_handle, uint8_t addr_type, bd_addr_t address){ 663 event[0] = type; 664 event[1] = event_size - 2; 665 little_endian_store_16(event, 2, con_handle); 666 event[4] = addr_type; 667 reverse_bd_addr(address, &event[5]); 668 } 669 670 static void sm_dispatch_event(uint8_t packet_type, uint16_t channel, uint8_t * packet, uint16_t size){ 671 // log event 672 hci_dump_packet(packet_type, 1, packet, size); 673 // dispatch to all event handlers 674 btstack_linked_list_iterator_t it; 675 btstack_linked_list_iterator_init(&it, &sm_event_handlers); 676 while (btstack_linked_list_iterator_has_next(&it)){ 677 btstack_packet_callback_registration_t * entry = (btstack_packet_callback_registration_t*) btstack_linked_list_iterator_next(&it); 678 entry->callback(packet_type, 0, packet, size); 679 } 680 } 681 682 static void sm_notify_client_base(uint8_t type, hci_con_handle_t con_handle, uint8_t addr_type, bd_addr_t address){ 683 uint8_t event[11]; 684 sm_setup_event_base(event, sizeof(event), type, con_handle, addr_type, address); 685 sm_dispatch_event(HCI_EVENT_PACKET, 0, event, sizeof(event)); 686 } 687 688 static void sm_notify_client_passkey(uint8_t type, hci_con_handle_t con_handle, uint8_t addr_type, bd_addr_t address, uint32_t passkey){ 689 uint8_t event[15]; 690 sm_setup_event_base(event, sizeof(event), type, con_handle, addr_type, address); 691 little_endian_store_32(event, 11, passkey); 692 sm_dispatch_event(HCI_EVENT_PACKET, 0, event, sizeof(event)); 693 } 694 695 static void sm_notify_client_index(uint8_t type, hci_con_handle_t con_handle, uint8_t addr_type, bd_addr_t address, uint16_t index){ 696 // fetch addr and addr type from db 697 bd_addr_t identity_address; 698 int identity_address_type; 699 le_device_db_info(index, &identity_address_type, identity_address, NULL); 700 701 uint8_t event[18]; 702 sm_setup_event_base(event, sizeof(event), type, con_handle, addr_type, address); 703 event[11] = identity_address_type; 704 reverse_bd_addr(identity_address, &event[12]); 705 sm_dispatch_event(HCI_EVENT_PACKET, 0, event, sizeof(event)); 706 } 707 708 static void sm_notify_client_authorization(uint8_t type, hci_con_handle_t con_handle, uint8_t addr_type, bd_addr_t address, uint8_t result){ 709 710 uint8_t event[18]; 711 sm_setup_event_base(event, sizeof(event), type, con_handle, addr_type, address); 712 event[11] = result; 713 sm_dispatch_event(HCI_EVENT_PACKET, 0, (uint8_t*) &event, sizeof(event)); 714 } 715 716 // decide on stk generation based on 717 // - pairing request 718 // - io capabilities 719 // - OOB data availability 720 static void sm_setup_tk(void){ 721 722 // default: just works 723 setup->sm_stk_generation_method = JUST_WORKS; 724 725 #ifdef ENABLE_LE_SECURE_CONNECTIONS 726 setup->sm_use_secure_connections = ( sm_pairing_packet_get_auth_req(setup->sm_m_preq) 727 & sm_pairing_packet_get_auth_req(setup->sm_s_pres) 728 & SM_AUTHREQ_SECURE_CONNECTION ) != 0; 729 memset(setup->sm_ra, 0, 16); 730 memset(setup->sm_rb, 0, 16); 731 #else 732 setup->sm_use_secure_connections = 0; 733 #endif 734 735 // If both devices have not set the MITM option in the Authentication Requirements 736 // Flags, then the IO capabilities shall be ignored and the Just Works association 737 // model shall be used. 738 if (((sm_pairing_packet_get_auth_req(setup->sm_m_preq) & SM_AUTHREQ_MITM_PROTECTION) == 0) 739 && ((sm_pairing_packet_get_auth_req(setup->sm_s_pres) & SM_AUTHREQ_MITM_PROTECTION) == 0)){ 740 log_info("SM: MITM not required by both -> JUST WORKS"); 741 return; 742 } 743 744 // TODO: with LE SC, OOB is used to transfer data OOB during pairing, single device with OOB is sufficient 745 746 // If both devices have out of band authentication data, then the Authentication 747 // Requirements Flags shall be ignored when selecting the pairing method and the 748 // Out of Band pairing method shall be used. 749 if (sm_pairing_packet_get_oob_data_flag(setup->sm_m_preq) 750 && sm_pairing_packet_get_oob_data_flag(setup->sm_s_pres)){ 751 log_info("SM: have OOB data"); 752 log_info_key("OOB", setup->sm_tk); 753 setup->sm_stk_generation_method = OOB; 754 return; 755 } 756 757 // Reset TK as it has been setup in sm_init_setup 758 sm_reset_tk(); 759 760 // Also use just works if unknown io capabilites 761 if ((sm_pairing_packet_get_io_capability(setup->sm_m_preq) > IO_CAPABILITY_KEYBOARD_DISPLAY) || (sm_pairing_packet_get_io_capability(setup->sm_s_pres) > IO_CAPABILITY_KEYBOARD_DISPLAY)){ 762 return; 763 } 764 765 // Otherwise the IO capabilities of the devices shall be used to determine the 766 // pairing method as defined in Table 2.4. 767 // see http://stackoverflow.com/a/1052837/393697 for how to specify pointer to 2-dimensional array 768 const stk_generation_method_t (*generation_method)[5] = stk_generation_method; 769 770 #ifdef ENABLE_LE_SECURE_CONNECTIONS 771 // table not define by default 772 if (setup->sm_use_secure_connections){ 773 generation_method = stk_generation_method_with_secure_connection; 774 } 775 #endif 776 setup->sm_stk_generation_method = generation_method[sm_pairing_packet_get_io_capability(setup->sm_s_pres)][sm_pairing_packet_get_io_capability(setup->sm_m_preq)]; 777 778 log_info("sm_setup_tk: master io cap: %u, slave io cap: %u -> method %u", 779 sm_pairing_packet_get_io_capability(setup->sm_m_preq), sm_pairing_packet_get_io_capability(setup->sm_s_pres), setup->sm_stk_generation_method); 780 } 781 782 static int sm_key_distribution_flags_for_set(uint8_t key_set){ 783 int flags = 0; 784 if (key_set & SM_KEYDIST_ENC_KEY){ 785 flags |= SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION; 786 flags |= SM_KEYDIST_FLAG_MASTER_IDENTIFICATION; 787 } 788 if (key_set & SM_KEYDIST_ID_KEY){ 789 flags |= SM_KEYDIST_FLAG_IDENTITY_INFORMATION; 790 flags |= SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION; 791 } 792 if (key_set & SM_KEYDIST_SIGN){ 793 flags |= SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION; 794 } 795 return flags; 796 } 797 798 static void sm_setup_key_distribution(uint8_t key_set){ 799 setup->sm_key_distribution_received_set = 0; 800 setup->sm_key_distribution_send_set = sm_key_distribution_flags_for_set(key_set); 801 } 802 803 // CSRK Key Lookup 804 805 806 static int sm_address_resolution_idle(void){ 807 return sm_address_resolution_mode == ADDRESS_RESOLUTION_IDLE; 808 } 809 810 static void sm_address_resolution_start_lookup(uint8_t addr_type, hci_con_handle_t con_handle, bd_addr_t addr, address_resolution_mode_t mode, void * context){ 811 memcpy(sm_address_resolution_address, addr, 6); 812 sm_address_resolution_addr_type = addr_type; 813 sm_address_resolution_test = 0; 814 sm_address_resolution_mode = mode; 815 sm_address_resolution_context = context; 816 sm_notify_client_base(SM_EVENT_IDENTITY_RESOLVING_STARTED, con_handle, addr_type, addr); 817 } 818 819 int sm_address_resolution_lookup(uint8_t address_type, bd_addr_t address){ 820 // check if already in list 821 btstack_linked_list_iterator_t it; 822 sm_lookup_entry_t * entry; 823 btstack_linked_list_iterator_init(&it, &sm_address_resolution_general_queue); 824 while(btstack_linked_list_iterator_has_next(&it)){ 825 entry = (sm_lookup_entry_t *) btstack_linked_list_iterator_next(&it); 826 if (entry->address_type != address_type) continue; 827 if (memcmp(entry->address, address, 6)) continue; 828 // already in list 829 return BTSTACK_BUSY; 830 } 831 entry = btstack_memory_sm_lookup_entry_get(); 832 if (!entry) return BTSTACK_MEMORY_ALLOC_FAILED; 833 entry->address_type = (bd_addr_type_t) address_type; 834 memcpy(entry->address, address, 6); 835 btstack_linked_list_add(&sm_address_resolution_general_queue, (btstack_linked_item_t *) entry); 836 sm_run(); 837 return 0; 838 } 839 840 // CMAC Implementation using AES128 engine 841 static void sm_shift_left_by_one_bit_inplace(int len, uint8_t * data){ 842 int i; 843 int carry = 0; 844 for (i=len-1; i >= 0 ; i--){ 845 int new_carry = data[i] >> 7; 846 data[i] = data[i] << 1 | carry; 847 carry = new_carry; 848 } 849 } 850 851 // while x_state++ for an enum is possible in C, it isn't in C++. we use this helpers to avoid compile errors for now 852 static inline void sm_next_responding_state(sm_connection_t * sm_conn){ 853 sm_conn->sm_engine_state = (security_manager_state_t) (((int)sm_conn->sm_engine_state) + 1); 854 } 855 static inline void dkg_next_state(void){ 856 dkg_state = (derived_key_generation_t) (((int)dkg_state) + 1); 857 } 858 static inline void rau_next_state(void){ 859 rau_state = (random_address_update_t) (((int)rau_state) + 1); 860 } 861 862 // CMAC calculation using AES Engine 863 864 static inline void sm_cmac_next_state(void){ 865 sm_cmac_state = (cmac_state_t) (((int)sm_cmac_state) + 1); 866 } 867 868 static int sm_cmac_last_block_complete(void){ 869 if (sm_cmac_message_len == 0) return 0; 870 return (sm_cmac_message_len & 0x0f) == 0; 871 } 872 873 int sm_cmac_ready(void){ 874 return sm_cmac_state == CMAC_IDLE; 875 } 876 877 // generic cmac calculation 878 void sm_cmac_general_start(const sm_key_t key, uint16_t message_len, uint8_t (*get_byte_callback)(uint16_t offset), void (*done_callback)(uint8_t hash[8])){ 879 // Generalized CMAC 880 memcpy(sm_cmac_k, key, 16); 881 memset(sm_cmac_x, 0, 16); 882 sm_cmac_block_current = 0; 883 sm_cmac_message_len = message_len; 884 sm_cmac_done_handler = done_callback; 885 sm_cmac_get_byte = get_byte_callback; 886 887 // step 2: n := ceil(len/const_Bsize); 888 sm_cmac_block_count = (sm_cmac_message_len + 15) / 16; 889 890 // step 3: .. 891 if (sm_cmac_block_count==0){ 892 sm_cmac_block_count = 1; 893 } 894 log_info("sm_cmac_general_start: len %u, block count %u", sm_cmac_message_len, sm_cmac_block_count); 895 896 // first, we need to compute l for k1, k2, and m_last 897 sm_cmac_state = CMAC_CALC_SUBKEYS; 898 899 // let's go 900 sm_run(); 901 } 902 903 // cmac for ATT Message signing 904 static uint8_t sm_cmac_signed_write_message_get_byte(uint16_t offset){ 905 if (offset >= sm_cmac_message_len) { 906 log_error("sm_cmac_signed_write_message_get_byte. out of bounds, access %u, len %u", offset, sm_cmac_message_len); 907 return 0; 908 } 909 910 offset = sm_cmac_message_len - 1 - offset; 911 912 // sm_cmac_header[3] | message[] | sm_cmac_sign_counter[4] 913 if (offset < 3){ 914 return sm_cmac_header[offset]; 915 } 916 int actual_message_len_incl_header = sm_cmac_message_len - 4; 917 if (offset < actual_message_len_incl_header){ 918 return sm_cmac_message[offset - 3]; 919 } 920 return sm_cmac_sign_counter[offset - actual_message_len_incl_header]; 921 } 922 923 void sm_cmac_signed_write_start(const sm_key_t k, uint8_t opcode, hci_con_handle_t con_handle, uint16_t message_len, const uint8_t * message, uint32_t sign_counter, void (*done_handler)(uint8_t * hash)){ 924 // ATT Message Signing 925 sm_cmac_header[0] = opcode; 926 little_endian_store_16(sm_cmac_header, 1, con_handle); 927 little_endian_store_32(sm_cmac_sign_counter, 0, sign_counter); 928 uint16_t total_message_len = 3 + message_len + 4; // incl. virtually prepended att opcode, handle and appended sign_counter in LE 929 sm_cmac_message = message; 930 sm_cmac_general_start(k, total_message_len, &sm_cmac_signed_write_message_get_byte, done_handler); 931 } 932 933 934 static void sm_cmac_handle_aes_engine_ready(void){ 935 switch (sm_cmac_state){ 936 case CMAC_CALC_SUBKEYS: { 937 sm_key_t const_zero; 938 memset(const_zero, 0, 16); 939 sm_cmac_next_state(); 940 sm_aes128_start(sm_cmac_k, const_zero, NULL); 941 break; 942 } 943 case CMAC_CALC_MI: { 944 int j; 945 sm_key_t y; 946 for (j=0;j<16;j++){ 947 y[j] = sm_cmac_x[j] ^ sm_cmac_get_byte(sm_cmac_block_current*16 + j); 948 } 949 sm_cmac_block_current++; 950 sm_cmac_next_state(); 951 sm_aes128_start(sm_cmac_k, y, NULL); 952 break; 953 } 954 case CMAC_CALC_MLAST: { 955 int i; 956 sm_key_t y; 957 for (i=0;i<16;i++){ 958 y[i] = sm_cmac_x[i] ^ sm_cmac_m_last[i]; 959 } 960 log_info_key("Y", y); 961 sm_cmac_block_current++; 962 sm_cmac_next_state(); 963 sm_aes128_start(sm_cmac_k, y, NULL); 964 break; 965 } 966 default: 967 log_info("sm_cmac_handle_aes_engine_ready called in state %u", sm_cmac_state); 968 break; 969 } 970 } 971 972 static void sm_cmac_handle_encryption_result(sm_key_t data){ 973 switch (sm_cmac_state){ 974 case CMAC_W4_SUBKEYS: { 975 sm_key_t k1; 976 memcpy(k1, data, 16); 977 sm_shift_left_by_one_bit_inplace(16, k1); 978 if (data[0] & 0x80){ 979 k1[15] ^= 0x87; 980 } 981 sm_key_t k2; 982 memcpy(k2, k1, 16); 983 sm_shift_left_by_one_bit_inplace(16, k2); 984 if (k1[0] & 0x80){ 985 k2[15] ^= 0x87; 986 } 987 988 log_info_key("k", sm_cmac_k); 989 log_info_key("k1", k1); 990 log_info_key("k2", k2); 991 992 // step 4: set m_last 993 int i; 994 if (sm_cmac_last_block_complete()){ 995 for (i=0;i<16;i++){ 996 sm_cmac_m_last[i] = sm_cmac_get_byte(sm_cmac_message_len - 16 + i) ^ k1[i]; 997 } 998 } else { 999 int valid_octets_in_last_block = sm_cmac_message_len & 0x0f; 1000 for (i=0;i<16;i++){ 1001 if (i < valid_octets_in_last_block){ 1002 sm_cmac_m_last[i] = sm_cmac_get_byte((sm_cmac_message_len & 0xfff0) + i) ^ k2[i]; 1003 continue; 1004 } 1005 if (i == valid_octets_in_last_block){ 1006 sm_cmac_m_last[i] = 0x80 ^ k2[i]; 1007 continue; 1008 } 1009 sm_cmac_m_last[i] = k2[i]; 1010 } 1011 } 1012 1013 // next 1014 sm_cmac_state = sm_cmac_block_current < sm_cmac_block_count - 1 ? CMAC_CALC_MI : CMAC_CALC_MLAST; 1015 break; 1016 } 1017 case CMAC_W4_MI: 1018 memcpy(sm_cmac_x, data, 16); 1019 sm_cmac_state = sm_cmac_block_current < sm_cmac_block_count - 1 ? CMAC_CALC_MI : CMAC_CALC_MLAST; 1020 break; 1021 case CMAC_W4_MLAST: 1022 // done 1023 log_info("Setting CMAC Engine to IDLE"); 1024 sm_cmac_state = CMAC_IDLE; 1025 log_info_key("CMAC", data); 1026 sm_cmac_done_handler(data); 1027 break; 1028 default: 1029 log_info("sm_cmac_handle_encryption_result called in state %u", sm_cmac_state); 1030 break; 1031 } 1032 } 1033 1034 static void sm_trigger_user_response(sm_connection_t * sm_conn){ 1035 // notify client for: JUST WORKS confirm, Numeric comparison confirm, PASSKEY display or input 1036 setup->sm_user_response = SM_USER_RESPONSE_IDLE; 1037 switch (setup->sm_stk_generation_method){ 1038 case PK_RESP_INPUT: 1039 if (sm_conn->sm_role){ 1040 setup->sm_user_response = SM_USER_RESPONSE_PENDING; 1041 sm_notify_client_base(SM_EVENT_PASSKEY_INPUT_NUMBER, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address); 1042 } else { 1043 sm_notify_client_passkey(SM_EVENT_PASSKEY_DISPLAY_NUMBER, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address, big_endian_read_32(setup->sm_tk, 12)); 1044 } 1045 break; 1046 case PK_INIT_INPUT: 1047 if (sm_conn->sm_role){ 1048 sm_notify_client_passkey(SM_EVENT_PASSKEY_DISPLAY_NUMBER, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address, big_endian_read_32(setup->sm_tk, 12)); 1049 } else { 1050 setup->sm_user_response = SM_USER_RESPONSE_PENDING; 1051 sm_notify_client_base(SM_EVENT_PASSKEY_INPUT_NUMBER, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address); 1052 } 1053 break; 1054 case OK_BOTH_INPUT: 1055 setup->sm_user_response = SM_USER_RESPONSE_PENDING; 1056 sm_notify_client_base(SM_EVENT_PASSKEY_INPUT_NUMBER, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address); 1057 break; 1058 case NK_BOTH_INPUT: 1059 setup->sm_user_response = SM_USER_RESPONSE_PENDING; 1060 sm_notify_client_passkey(SM_EVENT_NUMERIC_COMPARISON_REQUEST, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address, big_endian_read_32(setup->sm_tk, 12)); 1061 break; 1062 case JUST_WORKS: 1063 setup->sm_user_response = SM_USER_RESPONSE_PENDING; 1064 sm_notify_client_base(SM_EVENT_JUST_WORKS_REQUEST, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address); 1065 break; 1066 case OOB: 1067 // client already provided OOB data, let's skip notification. 1068 break; 1069 } 1070 } 1071 1072 static int sm_key_distribution_all_received(sm_connection_t * sm_conn){ 1073 int recv_flags; 1074 if (sm_conn->sm_role){ 1075 // slave / responder 1076 recv_flags = sm_key_distribution_flags_for_set(sm_pairing_packet_get_initiator_key_distribution(setup->sm_s_pres)); 1077 } else { 1078 // master / initiator 1079 recv_flags = sm_key_distribution_flags_for_set(sm_pairing_packet_get_responder_key_distribution(setup->sm_s_pres)); 1080 } 1081 log_debug("sm_key_distribution_all_received: received 0x%02x, expecting 0x%02x", setup->sm_key_distribution_received_set, recv_flags); 1082 return recv_flags == setup->sm_key_distribution_received_set; 1083 } 1084 1085 static void sm_done_for_handle(hci_con_handle_t con_handle){ 1086 if (sm_active_connection == con_handle){ 1087 sm_timeout_stop(); 1088 sm_active_connection = 0; 1089 log_info("sm: connection 0x%x released setup context", con_handle); 1090 } 1091 } 1092 1093 static int sm_key_distribution_flags_for_auth_req(void){ 1094 int flags = SM_KEYDIST_ID_KEY | SM_KEYDIST_SIGN; 1095 if (sm_auth_req & SM_AUTHREQ_BONDING){ 1096 // encryption information only if bonding requested 1097 flags |= SM_KEYDIST_ENC_KEY; 1098 } 1099 return flags; 1100 } 1101 1102 static void sm_reset_setup(void){ 1103 // fill in sm setup 1104 setup->sm_state_vars = 0; 1105 setup->sm_keypress_notification = 0xff; 1106 sm_reset_tk(); 1107 } 1108 1109 static void sm_init_setup(sm_connection_t * sm_conn){ 1110 1111 // fill in sm setup 1112 setup->sm_peer_addr_type = sm_conn->sm_peer_addr_type; 1113 memcpy(setup->sm_peer_address, sm_conn->sm_peer_address, 6); 1114 1115 // query client for OOB data 1116 int have_oob_data = 0; 1117 if (sm_get_oob_data) { 1118 have_oob_data = (*sm_get_oob_data)(sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address, setup->sm_tk); 1119 } 1120 1121 sm_pairing_packet_t * local_packet; 1122 if (sm_conn->sm_role){ 1123 // slave 1124 local_packet = &setup->sm_s_pres; 1125 gap_advertisements_get_address(&setup->sm_s_addr_type, setup->sm_s_address); 1126 setup->sm_m_addr_type = sm_conn->sm_peer_addr_type; 1127 memcpy(setup->sm_m_address, sm_conn->sm_peer_address, 6); 1128 } else { 1129 // master 1130 local_packet = &setup->sm_m_preq; 1131 gap_advertisements_get_address(&setup->sm_m_addr_type, setup->sm_m_address); 1132 setup->sm_s_addr_type = sm_conn->sm_peer_addr_type; 1133 memcpy(setup->sm_s_address, sm_conn->sm_peer_address, 6); 1134 1135 int key_distribution_flags = sm_key_distribution_flags_for_auth_req(); 1136 sm_pairing_packet_set_initiator_key_distribution(setup->sm_m_preq, key_distribution_flags); 1137 sm_pairing_packet_set_responder_key_distribution(setup->sm_m_preq, key_distribution_flags); 1138 } 1139 1140 uint8_t auth_req = sm_auth_req; 1141 sm_pairing_packet_set_io_capability(*local_packet, sm_io_capabilities); 1142 sm_pairing_packet_set_oob_data_flag(*local_packet, have_oob_data); 1143 sm_pairing_packet_set_auth_req(*local_packet, auth_req); 1144 sm_pairing_packet_set_max_encryption_key_size(*local_packet, sm_max_encryption_key_size); 1145 } 1146 1147 static int sm_stk_generation_init(sm_connection_t * sm_conn){ 1148 1149 sm_pairing_packet_t * remote_packet; 1150 int remote_key_request; 1151 if (sm_conn->sm_role){ 1152 // slave / responder 1153 remote_packet = &setup->sm_m_preq; 1154 remote_key_request = sm_pairing_packet_get_responder_key_distribution(setup->sm_m_preq); 1155 } else { 1156 // master / initiator 1157 remote_packet = &setup->sm_s_pres; 1158 remote_key_request = sm_pairing_packet_get_initiator_key_distribution(setup->sm_s_pres); 1159 } 1160 1161 // check key size 1162 sm_conn->sm_actual_encryption_key_size = sm_calc_actual_encryption_key_size(sm_pairing_packet_get_max_encryption_key_size(*remote_packet)); 1163 if (sm_conn->sm_actual_encryption_key_size == 0) return SM_REASON_ENCRYPTION_KEY_SIZE; 1164 1165 // decide on STK generation method 1166 sm_setup_tk(); 1167 log_info("SMP: generation method %u", setup->sm_stk_generation_method); 1168 1169 // check if STK generation method is acceptable by client 1170 if (!sm_validate_stk_generation_method()) return SM_REASON_AUTHENTHICATION_REQUIREMENTS; 1171 1172 // identical to responder 1173 sm_setup_key_distribution(remote_key_request); 1174 1175 // JUST WORKS doens't provide authentication 1176 sm_conn->sm_connection_authenticated = setup->sm_stk_generation_method == JUST_WORKS ? 0 : 1; 1177 1178 return 0; 1179 } 1180 1181 static void sm_address_resolution_handle_event(address_resolution_event_t event){ 1182 1183 // cache and reset context 1184 int matched_device_id = sm_address_resolution_test; 1185 address_resolution_mode_t mode = sm_address_resolution_mode; 1186 void * context = sm_address_resolution_context; 1187 1188 // reset context 1189 sm_address_resolution_mode = ADDRESS_RESOLUTION_IDLE; 1190 sm_address_resolution_context = NULL; 1191 sm_address_resolution_test = -1; 1192 hci_con_handle_t con_handle = 0; 1193 1194 sm_connection_t * sm_connection; 1195 sm_key_t ltk; 1196 switch (mode){ 1197 case ADDRESS_RESOLUTION_GENERAL: 1198 break; 1199 case ADDRESS_RESOLUTION_FOR_CONNECTION: 1200 sm_connection = (sm_connection_t *) context; 1201 con_handle = sm_connection->sm_handle; 1202 switch (event){ 1203 case ADDRESS_RESOLUTION_SUCEEDED: 1204 sm_connection->sm_irk_lookup_state = IRK_LOOKUP_SUCCEEDED; 1205 sm_connection->sm_le_db_index = matched_device_id; 1206 log_info("ADDRESS_RESOLUTION_SUCEEDED, index %d", sm_connection->sm_le_db_index); 1207 if (sm_connection->sm_role) break; 1208 if (!sm_connection->sm_bonding_requested && !sm_connection->sm_security_request_received) break; 1209 sm_connection->sm_security_request_received = 0; 1210 sm_connection->sm_bonding_requested = 0; 1211 le_device_db_encryption_get(sm_connection->sm_le_db_index, NULL, NULL, ltk, NULL, NULL, NULL); 1212 if (!sm_is_null_key(ltk)){ 1213 sm_connection->sm_engine_state = SM_INITIATOR_PH0_HAS_LTK; 1214 } else { 1215 sm_connection->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 1216 } 1217 break; 1218 case ADDRESS_RESOLUTION_FAILED: 1219 sm_connection->sm_irk_lookup_state = IRK_LOOKUP_FAILED; 1220 if (sm_connection->sm_role) break; 1221 if (!sm_connection->sm_bonding_requested && !sm_connection->sm_security_request_received) break; 1222 sm_connection->sm_security_request_received = 0; 1223 sm_connection->sm_bonding_requested = 0; 1224 sm_connection->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 1225 break; 1226 } 1227 break; 1228 default: 1229 break; 1230 } 1231 1232 switch (event){ 1233 case ADDRESS_RESOLUTION_SUCEEDED: 1234 sm_notify_client_index(SM_EVENT_IDENTITY_RESOLVING_SUCCEEDED, con_handle, sm_address_resolution_addr_type, sm_address_resolution_address, matched_device_id); 1235 break; 1236 case ADDRESS_RESOLUTION_FAILED: 1237 sm_notify_client_base(SM_EVENT_IDENTITY_RESOLVING_FAILED, con_handle, sm_address_resolution_addr_type, sm_address_resolution_address); 1238 break; 1239 } 1240 } 1241 1242 static void sm_key_distribution_handle_all_received(sm_connection_t * sm_conn){ 1243 1244 int le_db_index = -1; 1245 1246 // lookup device based on IRK 1247 if (setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_IDENTITY_INFORMATION){ 1248 int i; 1249 for (i=0; i < le_device_db_count(); i++){ 1250 sm_key_t irk; 1251 bd_addr_t address; 1252 int address_type; 1253 le_device_db_info(i, &address_type, address, irk); 1254 if (memcmp(irk, setup->sm_peer_irk, 16) == 0){ 1255 log_info("sm: device found for IRK, updating"); 1256 le_db_index = i; 1257 break; 1258 } 1259 } 1260 } 1261 1262 // if not found, lookup via public address if possible 1263 log_info("sm peer addr type %u, peer addres %s", setup->sm_peer_addr_type, bd_addr_to_str(setup->sm_peer_address)); 1264 if (le_db_index < 0 && setup->sm_peer_addr_type == BD_ADDR_TYPE_LE_PUBLIC){ 1265 int i; 1266 for (i=0; i < le_device_db_count(); i++){ 1267 bd_addr_t address; 1268 int address_type; 1269 le_device_db_info(i, &address_type, address, NULL); 1270 log_info("device %u, sm peer addr type %u, peer addres %s", i, address_type, bd_addr_to_str(address)); 1271 if (address_type == BD_ADDR_TYPE_LE_PUBLIC && memcmp(address, setup->sm_peer_address, 6) == 0){ 1272 log_info("sm: device found for public address, updating"); 1273 le_db_index = i; 1274 break; 1275 } 1276 } 1277 } 1278 1279 // if not found, add to db 1280 if (le_db_index < 0) { 1281 le_db_index = le_device_db_add(setup->sm_peer_addr_type, setup->sm_peer_address, setup->sm_peer_irk); 1282 } 1283 1284 sm_notify_client_index(SM_EVENT_IDENTITY_CREATED, sm_conn->sm_handle, setup->sm_peer_addr_type, setup->sm_peer_address, le_db_index); 1285 1286 if (le_db_index >= 0){ 1287 1288 // store local CSRK 1289 if (setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION){ 1290 log_info("sm: store local CSRK"); 1291 le_device_db_local_csrk_set(le_db_index, setup->sm_local_csrk); 1292 le_device_db_local_counter_set(le_db_index, 0); 1293 } 1294 1295 // store remote CSRK 1296 if (setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION){ 1297 log_info("sm: store remote CSRK"); 1298 le_device_db_remote_csrk_set(le_db_index, setup->sm_peer_csrk); 1299 le_device_db_remote_counter_set(le_db_index, 0); 1300 } 1301 1302 // store encryption information for secure connections: LTK generated by ECDH 1303 if (setup->sm_use_secure_connections){ 1304 log_info("sm: store SC LTK (key size %u, authenticatd %u)", sm_conn->sm_actual_encryption_key_size, sm_conn->sm_connection_authenticated); 1305 uint8_t zero_rand[8]; 1306 memset(zero_rand, 0, 8); 1307 le_device_db_encryption_set(le_db_index, 0, zero_rand, setup->sm_ltk, sm_conn->sm_actual_encryption_key_size, 1308 sm_conn->sm_connection_authenticated, sm_conn->sm_connection_authorization_state == AUTHORIZATION_GRANTED); 1309 } 1310 1311 // store encryption infromation for legacy pairing: peer LTK, EDIV, RAND 1312 else if ( (setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION) 1313 && (setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_MASTER_IDENTIFICATION )){ 1314 log_info("sm: set encryption information (key size %u, authenticatd %u)", sm_conn->sm_actual_encryption_key_size, sm_conn->sm_connection_authenticated); 1315 le_device_db_encryption_set(le_db_index, setup->sm_peer_ediv, setup->sm_peer_rand, setup->sm_peer_ltk, 1316 sm_conn->sm_actual_encryption_key_size, sm_conn->sm_connection_authenticated, sm_conn->sm_connection_authorization_state == AUTHORIZATION_GRANTED); 1317 1318 } 1319 } 1320 1321 // keep le_db_index 1322 sm_conn->sm_le_db_index = le_db_index; 1323 } 1324 1325 static void sm_pairing_error(sm_connection_t * sm_conn, uint8_t reason){ 1326 setup->sm_pairing_failed_reason = reason; 1327 sm_conn->sm_engine_state = SM_GENERAL_SEND_PAIRING_FAILED; 1328 } 1329 1330 static inline void sm_pdu_received_in_wrong_state(sm_connection_t * sm_conn){ 1331 sm_pairing_error(sm_conn, SM_REASON_UNSPECIFIED_REASON); 1332 } 1333 1334 #ifdef ENABLE_LE_SECURE_CONNECTIONS 1335 1336 static void sm_sc_prepare_dhkey_check(sm_connection_t * sm_conn); 1337 static int sm_passkey_used(stk_generation_method_t method); 1338 static int sm_just_works_or_numeric_comparison(stk_generation_method_t method); 1339 1340 static void sm_log_ec_keypair(void){ 1341 log_info("Elliptic curve: X"); 1342 log_info_hexdump(ec_qx,32); 1343 log_info("Elliptic curve: Y"); 1344 log_info_hexdump(ec_qy,32); 1345 } 1346 1347 static void sm_sc_start_calculating_local_confirm(sm_connection_t * sm_conn){ 1348 if (sm_passkey_used(setup->sm_stk_generation_method)){ 1349 sm_conn->sm_engine_state = SM_SC_W2_GET_RANDOM_A; 1350 } else { 1351 sm_conn->sm_engine_state = SM_SC_W2_CMAC_FOR_CONFIRMATION; 1352 } 1353 } 1354 1355 static void sm_sc_state_after_receiving_random(sm_connection_t * sm_conn){ 1356 if (sm_conn->sm_role){ 1357 // Responder 1358 sm_conn->sm_engine_state = SM_SC_SEND_PAIRING_RANDOM; 1359 } else { 1360 // Initiator role 1361 switch (setup->sm_stk_generation_method){ 1362 case JUST_WORKS: 1363 sm_sc_prepare_dhkey_check(sm_conn); 1364 break; 1365 1366 case NK_BOTH_INPUT: 1367 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_G2; 1368 break; 1369 case PK_INIT_INPUT: 1370 case PK_RESP_INPUT: 1371 case OK_BOTH_INPUT: 1372 if (setup->sm_passkey_bit < 20) { 1373 sm_sc_start_calculating_local_confirm(sm_conn); 1374 } else { 1375 sm_sc_prepare_dhkey_check(sm_conn); 1376 } 1377 break; 1378 case OOB: 1379 // TODO: implement SC OOB 1380 break; 1381 } 1382 } 1383 } 1384 1385 static uint8_t sm_sc_cmac_get_byte(uint16_t offset){ 1386 return sm_cmac_sc_buffer[offset]; 1387 } 1388 1389 static void sm_sc_cmac_done(uint8_t * hash){ 1390 log_info("sm_sc_cmac_done: "); 1391 log_info_hexdump(hash, 16); 1392 1393 sm_connection_t * sm_conn = sm_cmac_connection; 1394 sm_cmac_connection = NULL; 1395 link_key_type_t link_key_type; 1396 1397 switch (sm_conn->sm_engine_state){ 1398 case SM_SC_W4_CMAC_FOR_CONFIRMATION: 1399 memcpy(setup->sm_local_confirm, hash, 16); 1400 sm_conn->sm_engine_state = SM_SC_SEND_CONFIRMATION; 1401 break; 1402 case SM_SC_W4_CMAC_FOR_CHECK_CONFIRMATION: 1403 // check 1404 if (0 != memcmp(hash, setup->sm_peer_confirm, 16)){ 1405 sm_pairing_error(sm_conn, SM_REASON_CONFIRM_VALUE_FAILED); 1406 break; 1407 } 1408 sm_sc_state_after_receiving_random(sm_conn); 1409 break; 1410 case SM_SC_W4_CALCULATE_G2: { 1411 uint32_t vab = big_endian_read_32(hash, 12) % 1000000; 1412 big_endian_store_32(setup->sm_tk, 12, vab); 1413 sm_conn->sm_engine_state = SM_SC_W4_USER_RESPONSE; 1414 sm_trigger_user_response(sm_conn); 1415 break; 1416 } 1417 case SM_SC_W4_CALCULATE_F5_SALT: 1418 memcpy(setup->sm_t, hash, 16); 1419 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F5_MACKEY; 1420 break; 1421 case SM_SC_W4_CALCULATE_F5_MACKEY: 1422 memcpy(setup->sm_mackey, hash, 16); 1423 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F5_LTK; 1424 break; 1425 case SM_SC_W4_CALCULATE_F5_LTK: 1426 // truncate sm_ltk, but keep full LTK for cross-transport key derivation in sm_local_ltk 1427 // Errata Service Release to the Bluetooth Specification: ESR09 1428 // E6405 – Cross transport key derivation from a key of size less than 128 bits 1429 // Note: When the BR/EDR link key is being derived from the LTK, the derivation is done before the LTK gets masked." 1430 memcpy(setup->sm_ltk, hash, 16); 1431 memcpy(setup->sm_local_ltk, hash, 16); 1432 sm_truncate_key(setup->sm_ltk, sm_conn->sm_actual_encryption_key_size); 1433 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F6_FOR_DHKEY_CHECK; 1434 break; 1435 case SM_SC_W4_CALCULATE_F6_FOR_DHKEY_CHECK: 1436 memcpy(setup->sm_local_dhkey_check, hash, 16); 1437 if (sm_conn->sm_role){ 1438 // responder 1439 if (setup->sm_state_vars & SM_STATE_VAR_DHKEY_COMMAND_RECEIVED){ 1440 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F6_TO_VERIFY_DHKEY_CHECK; 1441 } else { 1442 sm_conn->sm_engine_state = SM_SC_W4_DHKEY_CHECK_COMMAND; 1443 } 1444 } else { 1445 sm_conn->sm_engine_state = SM_SC_SEND_DHKEY_CHECK_COMMAND; 1446 } 1447 break; 1448 case SM_SC_W4_CALCULATE_F6_TO_VERIFY_DHKEY_CHECK: 1449 if (0 != memcmp(hash, setup->sm_peer_dhkey_check, 16) ){ 1450 sm_pairing_error(sm_conn, SM_REASON_DHKEY_CHECK_FAILED); 1451 break; 1452 } 1453 if (sm_conn->sm_role){ 1454 // responder 1455 sm_conn->sm_engine_state = SM_SC_SEND_DHKEY_CHECK_COMMAND; 1456 } else { 1457 // initiator 1458 sm_conn->sm_engine_state = SM_INITIATOR_PH3_SEND_START_ENCRYPTION; 1459 } 1460 break; 1461 case SM_SC_W4_CALCULATE_H6_ILK: 1462 memcpy(setup->sm_t, hash, 16); 1463 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_H6_BR_EDR_LINK_KEY; 1464 break; 1465 case SM_SC_W4_CALCULATE_H6_BR_EDR_LINK_KEY: 1466 reverse_128(hash, setup->sm_t); 1467 link_key_type = sm_conn->sm_connection_authenticated ? 1468 AUTHENTICATED_COMBINATION_KEY_GENERATED_FROM_P256 : UNAUTHENTICATED_COMBINATION_KEY_GENERATED_FROM_P256; 1469 if (sm_conn->sm_role){ 1470 #ifdef ENABLE_CLASSIC 1471 gap_store_link_key_for_bd_addr(setup->sm_m_address, setup->sm_t, link_key_type); 1472 #endif 1473 sm_conn->sm_engine_state = SM_RESPONDER_IDLE; 1474 } else { 1475 #ifdef ENABLE_CLASSIC 1476 gap_store_link_key_for_bd_addr(setup->sm_s_address, setup->sm_t, link_key_type); 1477 #endif 1478 sm_conn->sm_engine_state = SM_INITIATOR_CONNECTED; 1479 } 1480 sm_done_for_handle(sm_conn->sm_handle); 1481 break; 1482 default: 1483 log_error("sm_sc_cmac_done in state %u", sm_conn->sm_engine_state); 1484 break; 1485 } 1486 sm_run(); 1487 } 1488 1489 static void f4_engine(sm_connection_t * sm_conn, const sm_key256_t u, const sm_key256_t v, const sm_key_t x, uint8_t z){ 1490 const uint16_t message_len = 65; 1491 sm_cmac_connection = sm_conn; 1492 memcpy(sm_cmac_sc_buffer, u, 32); 1493 memcpy(sm_cmac_sc_buffer+32, v, 32); 1494 sm_cmac_sc_buffer[64] = z; 1495 log_info("f4 key"); 1496 log_info_hexdump(x, 16); 1497 log_info("f4 message"); 1498 log_info_hexdump(sm_cmac_sc_buffer, message_len); 1499 sm_cmac_general_start(x, message_len, &sm_sc_cmac_get_byte, &sm_sc_cmac_done); 1500 } 1501 1502 static const sm_key_t f5_salt = { 0x6C ,0x88, 0x83, 0x91, 0xAA, 0xF5, 0xA5, 0x38, 0x60, 0x37, 0x0B, 0xDB, 0x5A, 0x60, 0x83, 0xBE}; 1503 static const uint8_t f5_key_id[] = { 0x62, 0x74, 0x6c, 0x65 }; 1504 static const uint8_t f5_length[] = { 0x01, 0x00}; 1505 1506 static void sm_sc_calculate_dhkey(sm_key256_t dhkey){ 1507 #ifdef USE_MBEDTLS_FOR_ECDH 1508 // da * Pb 1509 mbedtls_mpi d; 1510 mbedtls_ecp_point Q; 1511 mbedtls_ecp_point DH; 1512 mbedtls_mpi_init(&d); 1513 mbedtls_ecp_point_init(&Q); 1514 mbedtls_ecp_point_init(&DH); 1515 mbedtls_mpi_read_binary(&d, ec_d, 32); 1516 mbedtls_mpi_read_binary(&Q.X, setup->sm_peer_qx, 32); 1517 mbedtls_mpi_read_binary(&Q.Y, setup->sm_peer_qy, 32); 1518 mbedtls_mpi_lset(&Q.Z, 1); 1519 mbedtls_ecp_mul(&mbedtls_ec_group, &DH, &d, &Q, NULL, NULL); 1520 mbedtls_mpi_write_binary(&DH.X, dhkey, 32); 1521 mbedtls_ecp_point_free(&DH); 1522 mbedtls_mpi_free(&d); 1523 mbedtls_ecp_point_free(&Q); 1524 #endif 1525 log_info("dhkey"); 1526 log_info_hexdump(dhkey, 32); 1527 } 1528 1529 static void f5_calculate_salt(sm_connection_t * sm_conn){ 1530 // calculate DHKEY 1531 sm_key256_t dhkey; 1532 sm_sc_calculate_dhkey(dhkey); 1533 1534 // calculate salt for f5 1535 const uint16_t message_len = 32; 1536 sm_cmac_connection = sm_conn; 1537 memcpy(sm_cmac_sc_buffer, dhkey, message_len); 1538 sm_cmac_general_start(f5_salt, message_len, &sm_sc_cmac_get_byte, &sm_sc_cmac_done); 1539 } 1540 1541 static inline void f5_mackkey(sm_connection_t * sm_conn, sm_key_t t, const sm_key_t n1, const sm_key_t n2, const sm_key56_t a1, const sm_key56_t a2){ 1542 const uint16_t message_len = 53; 1543 sm_cmac_connection = sm_conn; 1544 1545 // f5(W, N1, N2, A1, A2) = AES-CMACT (Counter = 0 || keyID || N1 || N2|| A1|| A2 || Length = 256) -- this is the MacKey 1546 sm_cmac_sc_buffer[0] = 0; 1547 memcpy(sm_cmac_sc_buffer+01, f5_key_id, 4); 1548 memcpy(sm_cmac_sc_buffer+05, n1, 16); 1549 memcpy(sm_cmac_sc_buffer+21, n2, 16); 1550 memcpy(sm_cmac_sc_buffer+37, a1, 7); 1551 memcpy(sm_cmac_sc_buffer+44, a2, 7); 1552 memcpy(sm_cmac_sc_buffer+51, f5_length, 2); 1553 log_info("f5 key"); 1554 log_info_hexdump(t, 16); 1555 log_info("f5 message for MacKey"); 1556 log_info_hexdump(sm_cmac_sc_buffer, message_len); 1557 sm_cmac_general_start(t, message_len, &sm_sc_cmac_get_byte, &sm_sc_cmac_done); 1558 } 1559 1560 static void f5_calculate_mackey(sm_connection_t * sm_conn){ 1561 sm_key56_t bd_addr_master, bd_addr_slave; 1562 bd_addr_master[0] = setup->sm_m_addr_type; 1563 bd_addr_slave[0] = setup->sm_s_addr_type; 1564 memcpy(&bd_addr_master[1], setup->sm_m_address, 6); 1565 memcpy(&bd_addr_slave[1], setup->sm_s_address, 6); 1566 if (sm_conn->sm_role){ 1567 // responder 1568 f5_mackkey(sm_conn, setup->sm_t, setup->sm_peer_nonce, setup->sm_local_nonce, bd_addr_master, bd_addr_slave); 1569 } else { 1570 // initiator 1571 f5_mackkey(sm_conn, setup->sm_t, setup->sm_local_nonce, setup->sm_peer_nonce, bd_addr_master, bd_addr_slave); 1572 } 1573 } 1574 1575 // note: must be called right after f5_mackey, as sm_cmac_buffer[1..52] will be reused 1576 static inline void f5_ltk(sm_connection_t * sm_conn, sm_key_t t){ 1577 const uint16_t message_len = 53; 1578 sm_cmac_connection = sm_conn; 1579 sm_cmac_sc_buffer[0] = 1; 1580 // 1..52 setup before 1581 log_info("f5 key"); 1582 log_info_hexdump(t, 16); 1583 log_info("f5 message for LTK"); 1584 log_info_hexdump(sm_cmac_sc_buffer, message_len); 1585 sm_cmac_general_start(t, message_len, &sm_sc_cmac_get_byte, &sm_sc_cmac_done); 1586 } 1587 1588 static void f5_calculate_ltk(sm_connection_t * sm_conn){ 1589 f5_ltk(sm_conn, setup->sm_t); 1590 } 1591 1592 static void f6_engine(sm_connection_t * sm_conn, const sm_key_t w, const sm_key_t n1, const sm_key_t n2, const sm_key_t r, const sm_key24_t io_cap, const sm_key56_t a1, const sm_key56_t a2){ 1593 const uint16_t message_len = 65; 1594 sm_cmac_connection = sm_conn; 1595 memcpy(sm_cmac_sc_buffer, n1, 16); 1596 memcpy(sm_cmac_sc_buffer+16, n2, 16); 1597 memcpy(sm_cmac_sc_buffer+32, r, 16); 1598 memcpy(sm_cmac_sc_buffer+48, io_cap, 3); 1599 memcpy(sm_cmac_sc_buffer+51, a1, 7); 1600 memcpy(sm_cmac_sc_buffer+58, a2, 7); 1601 log_info("f6 key"); 1602 log_info_hexdump(w, 16); 1603 log_info("f6 message"); 1604 log_info_hexdump(sm_cmac_sc_buffer, message_len); 1605 sm_cmac_general_start(w, 65, &sm_sc_cmac_get_byte, &sm_sc_cmac_done); 1606 } 1607 1608 // g2(U, V, X, Y) = AES-CMACX(U || V || Y) mod 2^32 1609 // - U is 256 bits 1610 // - V is 256 bits 1611 // - X is 128 bits 1612 // - Y is 128 bits 1613 static void g2_engine(sm_connection_t * sm_conn, const sm_key256_t u, const sm_key256_t v, const sm_key_t x, const sm_key_t y){ 1614 const uint16_t message_len = 80; 1615 sm_cmac_connection = sm_conn; 1616 memcpy(sm_cmac_sc_buffer, u, 32); 1617 memcpy(sm_cmac_sc_buffer+32, v, 32); 1618 memcpy(sm_cmac_sc_buffer+64, y, 16); 1619 log_info("g2 key"); 1620 log_info_hexdump(x, 16); 1621 log_info("g2 message"); 1622 log_info_hexdump(sm_cmac_sc_buffer, message_len); 1623 sm_cmac_general_start(x, message_len, &sm_sc_cmac_get_byte, &sm_sc_cmac_done); 1624 } 1625 1626 static void g2_calculate(sm_connection_t * sm_conn) { 1627 // calc Va if numeric comparison 1628 if (sm_conn->sm_role){ 1629 // responder 1630 g2_engine(sm_conn, setup->sm_peer_qx, ec_qx, setup->sm_peer_nonce, setup->sm_local_nonce);; 1631 } else { 1632 // initiator 1633 g2_engine(sm_conn, ec_qx, setup->sm_peer_qx, setup->sm_local_nonce, setup->sm_peer_nonce); 1634 } 1635 } 1636 1637 static void sm_sc_calculate_local_confirm(sm_connection_t * sm_conn){ 1638 uint8_t z = 0; 1639 if (setup->sm_stk_generation_method != JUST_WORKS && setup->sm_stk_generation_method != NK_BOTH_INPUT){ 1640 // some form of passkey 1641 uint32_t pk = big_endian_read_32(setup->sm_tk, 12); 1642 z = 0x80 | ((pk >> setup->sm_passkey_bit) & 1); 1643 setup->sm_passkey_bit++; 1644 } 1645 f4_engine(sm_conn, ec_qx, setup->sm_peer_qx, setup->sm_local_nonce, z); 1646 } 1647 1648 static void sm_sc_calculate_remote_confirm(sm_connection_t * sm_conn){ 1649 uint8_t z = 0; 1650 if (setup->sm_stk_generation_method != JUST_WORKS && setup->sm_stk_generation_method != NK_BOTH_INPUT){ 1651 // some form of passkey 1652 uint32_t pk = big_endian_read_32(setup->sm_tk, 12); 1653 // sm_passkey_bit was increased before sending confirm value 1654 z = 0x80 | ((pk >> (setup->sm_passkey_bit-1)) & 1); 1655 } 1656 f4_engine(sm_conn, setup->sm_peer_qx, ec_qx, setup->sm_peer_nonce, z); 1657 } 1658 1659 static void sm_sc_prepare_dhkey_check(sm_connection_t * sm_conn){ 1660 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F5_SALT; 1661 } 1662 1663 static void sm_sc_calculate_f6_for_dhkey_check(sm_connection_t * sm_conn){ 1664 // calculate DHKCheck 1665 sm_key56_t bd_addr_master, bd_addr_slave; 1666 bd_addr_master[0] = setup->sm_m_addr_type; 1667 bd_addr_slave[0] = setup->sm_s_addr_type; 1668 memcpy(&bd_addr_master[1], setup->sm_m_address, 6); 1669 memcpy(&bd_addr_slave[1], setup->sm_s_address, 6); 1670 uint8_t iocap_a[3]; 1671 iocap_a[0] = sm_pairing_packet_get_auth_req(setup->sm_m_preq); 1672 iocap_a[1] = sm_pairing_packet_get_oob_data_flag(setup->sm_m_preq); 1673 iocap_a[2] = sm_pairing_packet_get_io_capability(setup->sm_m_preq); 1674 uint8_t iocap_b[3]; 1675 iocap_b[0] = sm_pairing_packet_get_auth_req(setup->sm_s_pres); 1676 iocap_b[1] = sm_pairing_packet_get_oob_data_flag(setup->sm_s_pres); 1677 iocap_b[2] = sm_pairing_packet_get_io_capability(setup->sm_s_pres); 1678 if (sm_conn->sm_role){ 1679 // responder 1680 f6_engine(sm_conn, setup->sm_mackey, setup->sm_local_nonce, setup->sm_peer_nonce, setup->sm_ra, iocap_b, bd_addr_slave, bd_addr_master); 1681 } else { 1682 // initiator 1683 f6_engine(sm_conn, setup->sm_mackey, setup->sm_local_nonce, setup->sm_peer_nonce, setup->sm_rb, iocap_a, bd_addr_master, bd_addr_slave); 1684 } 1685 } 1686 1687 static void sm_sc_calculate_f6_to_verify_dhkey_check(sm_connection_t * sm_conn){ 1688 // validate E = f6() 1689 sm_key56_t bd_addr_master, bd_addr_slave; 1690 bd_addr_master[0] = setup->sm_m_addr_type; 1691 bd_addr_slave[0] = setup->sm_s_addr_type; 1692 memcpy(&bd_addr_master[1], setup->sm_m_address, 6); 1693 memcpy(&bd_addr_slave[1], setup->sm_s_address, 6); 1694 1695 uint8_t iocap_a[3]; 1696 iocap_a[0] = sm_pairing_packet_get_auth_req(setup->sm_m_preq); 1697 iocap_a[1] = sm_pairing_packet_get_oob_data_flag(setup->sm_m_preq); 1698 iocap_a[2] = sm_pairing_packet_get_io_capability(setup->sm_m_preq); 1699 uint8_t iocap_b[3]; 1700 iocap_b[0] = sm_pairing_packet_get_auth_req(setup->sm_s_pres); 1701 iocap_b[1] = sm_pairing_packet_get_oob_data_flag(setup->sm_s_pres); 1702 iocap_b[2] = sm_pairing_packet_get_io_capability(setup->sm_s_pres); 1703 if (sm_conn->sm_role){ 1704 // responder 1705 f6_engine(sm_conn, setup->sm_mackey, setup->sm_peer_nonce, setup->sm_local_nonce, setup->sm_rb, iocap_a, bd_addr_master, bd_addr_slave); 1706 } else { 1707 // initiator 1708 f6_engine(sm_conn, setup->sm_mackey, setup->sm_peer_nonce, setup->sm_local_nonce, setup->sm_ra, iocap_b, bd_addr_slave, bd_addr_master); 1709 } 1710 } 1711 1712 1713 // 1714 // Link Key Conversion Function h6 1715 // 1716 // h6(W, keyID) = AES-CMACW(keyID) 1717 // - W is 128 bits 1718 // - keyID is 32 bits 1719 static void h6_engine(sm_connection_t * sm_conn, const sm_key_t w, const uint32_t key_id){ 1720 const uint16_t message_len = 4; 1721 sm_cmac_connection = sm_conn; 1722 big_endian_store_32(sm_cmac_sc_buffer, 0, key_id); 1723 log_info("h6 key"); 1724 log_info_hexdump(w, 16); 1725 log_info("h6 message"); 1726 log_info_hexdump(sm_cmac_sc_buffer, message_len); 1727 sm_cmac_general_start(w, message_len, &sm_sc_cmac_get_byte, &sm_sc_cmac_done); 1728 } 1729 1730 // For SC, setup->sm_local_ltk holds full LTK (sm_ltk is already truncated) 1731 // Errata Service Release to the Bluetooth Specification: ESR09 1732 // E6405 – Cross transport key derivation from a key of size less than 128 bits 1733 // "Note: When the BR/EDR link key is being derived from the LTK, the derivation is done before the LTK gets masked." 1734 static void h6_calculate_ilk(sm_connection_t * sm_conn){ 1735 h6_engine(sm_conn, setup->sm_local_ltk, 0x746D7031); // "tmp1" 1736 } 1737 1738 static void h6_calculate_br_edr_link_key(sm_connection_t * sm_conn){ 1739 h6_engine(sm_conn, setup->sm_t, 0x6c656272); // "lebr" 1740 } 1741 1742 #endif 1743 1744 // key management legacy connections: 1745 // - potentially two different LTKs based on direction. each device stores LTK provided by peer 1746 // - master stores LTK, EDIV, RAND. responder optionally stored master LTK (only if it needs to reconnect) 1747 // - initiators reconnects: initiator uses stored LTK, EDIV, RAND generated by responder 1748 // - responder reconnects: responder uses LTK receveived from master 1749 1750 // key management secure connections: 1751 // - both devices store same LTK from ECDH key exchange. 1752 1753 static void sm_load_security_info(sm_connection_t * sm_connection){ 1754 int encryption_key_size; 1755 int authenticated; 1756 int authorized; 1757 1758 // fetch data from device db - incl. authenticated/authorized/key size. Note all sm_connection_X require encryption enabled 1759 le_device_db_encryption_get(sm_connection->sm_le_db_index, &setup->sm_peer_ediv, setup->sm_peer_rand, setup->sm_peer_ltk, 1760 &encryption_key_size, &authenticated, &authorized); 1761 log_info("db index %u, key size %u, authenticated %u, authorized %u", sm_connection->sm_le_db_index, encryption_key_size, authenticated, authorized); 1762 sm_connection->sm_actual_encryption_key_size = encryption_key_size; 1763 sm_connection->sm_connection_authenticated = authenticated; 1764 sm_connection->sm_connection_authorization_state = authorized ? AUTHORIZATION_GRANTED : AUTHORIZATION_UNKNOWN; 1765 } 1766 1767 static void sm_start_calculating_ltk_from_ediv_and_rand(sm_connection_t * sm_connection){ 1768 memcpy(setup->sm_local_rand, sm_connection->sm_local_rand, 8); 1769 setup->sm_local_ediv = sm_connection->sm_local_ediv; 1770 // re-establish used key encryption size 1771 // no db for encryption size hack: encryption size is stored in lowest nibble of setup->sm_local_rand 1772 sm_connection->sm_actual_encryption_key_size = (setup->sm_local_rand[7] & 0x0f) + 1; 1773 // no db for authenticated flag hack: flag is stored in bit 4 of LSB 1774 sm_connection->sm_connection_authenticated = (setup->sm_local_rand[7] & 0x10) >> 4; 1775 log_info("sm: received ltk request with key size %u, authenticated %u", 1776 sm_connection->sm_actual_encryption_key_size, sm_connection->sm_connection_authenticated); 1777 sm_connection->sm_engine_state = SM_RESPONDER_PH4_Y_GET_ENC; 1778 } 1779 1780 static void sm_run(void){ 1781 1782 btstack_linked_list_iterator_t it; 1783 1784 // assert that we can send at least commands 1785 if (!hci_can_send_command_packet_now()) return; 1786 1787 // 1788 // non-connection related behaviour 1789 // 1790 1791 // distributed key generation 1792 switch (dkg_state){ 1793 case DKG_CALC_IRK: 1794 // already busy? 1795 if (sm_aes128_state == SM_AES128_IDLE) { 1796 // IRK = d1(IR, 1, 0) 1797 sm_key_t d1_prime; 1798 sm_d1_d_prime(1, 0, d1_prime); // plaintext 1799 dkg_next_state(); 1800 sm_aes128_start(sm_persistent_ir, d1_prime, NULL); 1801 return; 1802 } 1803 break; 1804 case DKG_CALC_DHK: 1805 // already busy? 1806 if (sm_aes128_state == SM_AES128_IDLE) { 1807 // DHK = d1(IR, 3, 0) 1808 sm_key_t d1_prime; 1809 sm_d1_d_prime(3, 0, d1_prime); // plaintext 1810 dkg_next_state(); 1811 sm_aes128_start(sm_persistent_ir, d1_prime, NULL); 1812 return; 1813 } 1814 break; 1815 default: 1816 break; 1817 } 1818 1819 #ifdef ENABLE_LE_SECURE_CONNECTIONS 1820 if (ec_key_generation_state == EC_KEY_GENERATION_ACTIVE){ 1821 #ifdef USE_MBEDTLS_FOR_ECDH 1822 sm_random_start(NULL); 1823 #else 1824 ec_key_generation_state = EC_KEY_GENERATION_W4_KEY; 1825 hci_send_cmd(&hci_le_read_local_p256_public_key); 1826 #endif 1827 return; 1828 } 1829 #endif 1830 1831 // random address updates 1832 switch (rau_state){ 1833 case RAU_GET_RANDOM: 1834 rau_next_state(); 1835 sm_random_start(NULL); 1836 return; 1837 case RAU_GET_ENC: 1838 // already busy? 1839 if (sm_aes128_state == SM_AES128_IDLE) { 1840 sm_key_t r_prime; 1841 sm_ah_r_prime(sm_random_address, r_prime); 1842 rau_next_state(); 1843 sm_aes128_start(sm_persistent_irk, r_prime, NULL); 1844 return; 1845 } 1846 break; 1847 case RAU_SET_ADDRESS: 1848 log_info("New random address: %s", bd_addr_to_str(sm_random_address)); 1849 rau_state = RAU_IDLE; 1850 hci_send_cmd(&hci_le_set_random_address, sm_random_address); 1851 return; 1852 default: 1853 break; 1854 } 1855 1856 // CMAC 1857 switch (sm_cmac_state){ 1858 case CMAC_CALC_SUBKEYS: 1859 case CMAC_CALC_MI: 1860 case CMAC_CALC_MLAST: 1861 // already busy? 1862 if (sm_aes128_state == SM_AES128_ACTIVE) break; 1863 sm_cmac_handle_aes_engine_ready(); 1864 return; 1865 default: 1866 break; 1867 } 1868 1869 // CSRK Lookup 1870 // -- if csrk lookup ready, find connection that require csrk lookup 1871 if (sm_address_resolution_idle()){ 1872 hci_connections_get_iterator(&it); 1873 while(btstack_linked_list_iterator_has_next(&it)){ 1874 hci_connection_t * hci_connection = (hci_connection_t *) btstack_linked_list_iterator_next(&it); 1875 sm_connection_t * sm_connection = &hci_connection->sm_connection; 1876 if (sm_connection->sm_irk_lookup_state == IRK_LOOKUP_W4_READY){ 1877 // and start lookup 1878 sm_address_resolution_start_lookup(sm_connection->sm_peer_addr_type, sm_connection->sm_handle, sm_connection->sm_peer_address, ADDRESS_RESOLUTION_FOR_CONNECTION, sm_connection); 1879 sm_connection->sm_irk_lookup_state = IRK_LOOKUP_STARTED; 1880 break; 1881 } 1882 } 1883 } 1884 1885 // -- if csrk lookup ready, resolved addresses for received addresses 1886 if (sm_address_resolution_idle()) { 1887 if (!btstack_linked_list_empty(&sm_address_resolution_general_queue)){ 1888 sm_lookup_entry_t * entry = (sm_lookup_entry_t *) sm_address_resolution_general_queue; 1889 btstack_linked_list_remove(&sm_address_resolution_general_queue, (btstack_linked_item_t *) entry); 1890 sm_address_resolution_start_lookup(entry->address_type, 0, entry->address, ADDRESS_RESOLUTION_GENERAL, NULL); 1891 btstack_memory_sm_lookup_entry_free(entry); 1892 } 1893 } 1894 1895 // -- Continue with CSRK device lookup by public or resolvable private address 1896 if (!sm_address_resolution_idle()){ 1897 log_info("LE Device Lookup: device %u/%u", sm_address_resolution_test, le_device_db_count()); 1898 while (sm_address_resolution_test < le_device_db_count()){ 1899 int addr_type; 1900 bd_addr_t addr; 1901 sm_key_t irk; 1902 le_device_db_info(sm_address_resolution_test, &addr_type, addr, irk); 1903 log_info("device type %u, addr: %s", addr_type, bd_addr_to_str(addr)); 1904 1905 if (sm_address_resolution_addr_type == addr_type && memcmp(addr, sm_address_resolution_address, 6) == 0){ 1906 log_info("LE Device Lookup: found CSRK by { addr_type, address} "); 1907 sm_address_resolution_handle_event(ADDRESS_RESOLUTION_SUCEEDED); 1908 break; 1909 } 1910 1911 if (sm_address_resolution_addr_type == 0){ 1912 sm_address_resolution_test++; 1913 continue; 1914 } 1915 1916 if (sm_aes128_state == SM_AES128_ACTIVE) break; 1917 1918 log_info("LE Device Lookup: calculate AH"); 1919 log_info_key("IRK", irk); 1920 1921 sm_key_t r_prime; 1922 sm_ah_r_prime(sm_address_resolution_address, r_prime); 1923 sm_address_resolution_ah_calculation_active = 1; 1924 sm_aes128_start(irk, r_prime, sm_address_resolution_context); // keep context 1925 return; 1926 } 1927 1928 if (sm_address_resolution_test >= le_device_db_count()){ 1929 log_info("LE Device Lookup: not found"); 1930 sm_address_resolution_handle_event(ADDRESS_RESOLUTION_FAILED); 1931 } 1932 } 1933 1934 // handle basic actions that don't requires the full context 1935 hci_connections_get_iterator(&it); 1936 while(!sm_active_connection && btstack_linked_list_iterator_has_next(&it)){ 1937 hci_connection_t * hci_connection = (hci_connection_t *) btstack_linked_list_iterator_next(&it); 1938 sm_connection_t * sm_connection = &hci_connection->sm_connection; 1939 switch(sm_connection->sm_engine_state){ 1940 // responder side 1941 case SM_RESPONDER_PH0_SEND_LTK_REQUESTED_NEGATIVE_REPLY: 1942 sm_connection->sm_engine_state = SM_RESPONDER_IDLE; 1943 hci_send_cmd(&hci_le_long_term_key_negative_reply, sm_connection->sm_handle); 1944 return; 1945 1946 #ifdef ENABLE_LE_SECURE_CONNECTIONS 1947 case SM_SC_RECEIVED_LTK_REQUEST: 1948 switch (sm_connection->sm_irk_lookup_state){ 1949 case IRK_LOOKUP_FAILED: 1950 log_info("LTK Request: ediv & random are empty, but no stored LTK (IRK Lookup Failed)"); 1951 sm_connection->sm_engine_state = SM_RESPONDER_IDLE; 1952 hci_send_cmd(&hci_le_long_term_key_negative_reply, sm_connection->sm_handle); 1953 return; 1954 default: 1955 break; 1956 } 1957 break; 1958 #endif 1959 default: 1960 break; 1961 } 1962 } 1963 1964 // 1965 // active connection handling 1966 // -- use loop to handle next connection if lock on setup context is released 1967 1968 while (1) { 1969 1970 // Find connections that requires setup context and make active if no other is locked 1971 hci_connections_get_iterator(&it); 1972 while(!sm_active_connection && btstack_linked_list_iterator_has_next(&it)){ 1973 hci_connection_t * hci_connection = (hci_connection_t *) btstack_linked_list_iterator_next(&it); 1974 sm_connection_t * sm_connection = &hci_connection->sm_connection; 1975 // - if no connection locked and we're ready/waiting for setup context, fetch it and start 1976 int done = 1; 1977 int err; 1978 switch (sm_connection->sm_engine_state) { 1979 case SM_RESPONDER_SEND_SECURITY_REQUEST: 1980 // send packet if possible, 1981 if (l2cap_can_send_fixed_channel_packet_now(sm_connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL)){ 1982 const uint8_t buffer[2] = { SM_CODE_SECURITY_REQUEST, SM_AUTHREQ_BONDING}; 1983 sm_connection->sm_engine_state = SM_RESPONDER_PH1_W4_PAIRING_REQUEST; 1984 l2cap_send_connectionless(sm_connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 1985 } else { 1986 l2cap_request_can_send_fix_channel_now_event(sm_connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL); 1987 } 1988 // don't lock sxetup context yet 1989 done = 0; 1990 break; 1991 case SM_RESPONDER_PH1_PAIRING_REQUEST_RECEIVED: 1992 sm_reset_setup(); 1993 sm_init_setup(sm_connection); 1994 // recover pairing request 1995 memcpy(&setup->sm_m_preq, &sm_connection->sm_m_preq, sizeof(sm_pairing_packet_t)); 1996 err = sm_stk_generation_init(sm_connection); 1997 if (err){ 1998 setup->sm_pairing_failed_reason = err; 1999 sm_connection->sm_engine_state = SM_GENERAL_SEND_PAIRING_FAILED; 2000 break; 2001 } 2002 sm_timeout_start(sm_connection); 2003 // generate random number first, if we need to show passkey 2004 if (setup->sm_stk_generation_method == PK_INIT_INPUT){ 2005 sm_connection->sm_engine_state = SM_PH2_GET_RANDOM_TK; 2006 break; 2007 } 2008 sm_connection->sm_engine_state = SM_RESPONDER_PH1_SEND_PAIRING_RESPONSE; 2009 break; 2010 case SM_INITIATOR_PH0_HAS_LTK: 2011 sm_reset_setup(); 2012 sm_load_security_info(sm_connection); 2013 sm_connection->sm_engine_state = SM_INITIATOR_PH0_SEND_START_ENCRYPTION; 2014 break; 2015 case SM_RESPONDER_PH0_RECEIVED_LTK_REQUEST: 2016 sm_reset_setup(); 2017 sm_start_calculating_ltk_from_ediv_and_rand(sm_connection); 2018 break; 2019 case SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST: 2020 sm_reset_setup(); 2021 sm_init_setup(sm_connection); 2022 sm_timeout_start(sm_connection); 2023 sm_connection->sm_engine_state = SM_INITIATOR_PH1_SEND_PAIRING_REQUEST; 2024 break; 2025 2026 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2027 case SM_SC_RECEIVED_LTK_REQUEST: 2028 switch (sm_connection->sm_irk_lookup_state){ 2029 case IRK_LOOKUP_SUCCEEDED: 2030 // assuming Secure Connection, we have a stored LTK and the EDIV/RAND are null 2031 // start using context by loading security info 2032 sm_reset_setup(); 2033 sm_load_security_info(sm_connection); 2034 if (setup->sm_peer_ediv == 0 && sm_is_null_random(setup->sm_peer_rand) && !sm_is_null_key(setup->sm_peer_ltk)){ 2035 memcpy(setup->sm_ltk, setup->sm_peer_ltk, 16); 2036 sm_connection->sm_engine_state = SM_RESPONDER_PH4_SEND_LTK_REPLY; 2037 break; 2038 } 2039 log_info("LTK Request: ediv & random are empty, but no stored LTK (IRK Lookup Succeeded)"); 2040 sm_connection->sm_engine_state = SM_RESPONDER_IDLE; 2041 hci_send_cmd(&hci_le_long_term_key_negative_reply, sm_connection->sm_handle); 2042 // don't lock setup context yet 2043 return; 2044 default: 2045 // just wait until IRK lookup is completed 2046 // don't lock setup context yet 2047 done = 0; 2048 break; 2049 } 2050 break; 2051 #endif 2052 default: 2053 done = 0; 2054 break; 2055 } 2056 if (done){ 2057 sm_active_connection = sm_connection->sm_handle; 2058 log_info("sm: connection 0x%04x locked setup context as %s", sm_active_connection, sm_connection->sm_role ? "responder" : "initiator"); 2059 } 2060 } 2061 2062 // 2063 // active connection handling 2064 // 2065 2066 if (sm_active_connection == 0) return; 2067 2068 // assert that we could send a SM PDU - not needed for all of the following 2069 if (!l2cap_can_send_fixed_channel_packet_now(sm_active_connection, L2CAP_CID_SECURITY_MANAGER_PROTOCOL)) { 2070 l2cap_request_can_send_fix_channel_now_event(sm_active_connection, L2CAP_CID_SECURITY_MANAGER_PROTOCOL); 2071 return; 2072 } 2073 2074 sm_connection_t * connection = sm_get_connection_for_handle(sm_active_connection); 2075 if (!connection) return; 2076 2077 // send keypress notifications 2078 if (setup->sm_keypress_notification != 0xff){ 2079 uint8_t buffer[2]; 2080 buffer[0] = SM_CODE_KEYPRESS_NOTIFICATION; 2081 buffer[1] = setup->sm_keypress_notification; 2082 setup->sm_keypress_notification = 0xff; 2083 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2084 return; 2085 } 2086 2087 sm_key_t plaintext; 2088 int key_distribution_flags; 2089 2090 log_info("sm_run: state %u", connection->sm_engine_state); 2091 2092 switch (connection->sm_engine_state){ 2093 2094 // general 2095 case SM_GENERAL_SEND_PAIRING_FAILED: { 2096 uint8_t buffer[2]; 2097 buffer[0] = SM_CODE_PAIRING_FAILED; 2098 buffer[1] = setup->sm_pairing_failed_reason; 2099 connection->sm_engine_state = connection->sm_role ? SM_RESPONDER_IDLE : SM_INITIATOR_CONNECTED; 2100 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2101 sm_done_for_handle(connection->sm_handle); 2102 break; 2103 } 2104 2105 // responding state 2106 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2107 case SM_SC_W2_GET_RANDOM_A: 2108 sm_random_start(connection); 2109 connection->sm_engine_state = SM_SC_W4_GET_RANDOM_A; 2110 break; 2111 case SM_SC_W2_GET_RANDOM_B: 2112 sm_random_start(connection); 2113 connection->sm_engine_state = SM_SC_W4_GET_RANDOM_B; 2114 break; 2115 case SM_SC_W2_CMAC_FOR_CONFIRMATION: 2116 if (!sm_cmac_ready()) break; 2117 connection->sm_engine_state = SM_SC_W4_CMAC_FOR_CONFIRMATION; 2118 sm_sc_calculate_local_confirm(connection); 2119 break; 2120 case SM_SC_W2_CMAC_FOR_CHECK_CONFIRMATION: 2121 if (!sm_cmac_ready()) break; 2122 connection->sm_engine_state = SM_SC_W4_CMAC_FOR_CHECK_CONFIRMATION; 2123 sm_sc_calculate_remote_confirm(connection); 2124 break; 2125 case SM_SC_W2_CALCULATE_F6_FOR_DHKEY_CHECK: 2126 if (!sm_cmac_ready()) break; 2127 connection->sm_engine_state = SM_SC_W4_CALCULATE_F6_FOR_DHKEY_CHECK; 2128 sm_sc_calculate_f6_for_dhkey_check(connection); 2129 break; 2130 case SM_SC_W2_CALCULATE_F6_TO_VERIFY_DHKEY_CHECK: 2131 if (!sm_cmac_ready()) break; 2132 connection->sm_engine_state = SM_SC_W4_CALCULATE_F6_TO_VERIFY_DHKEY_CHECK; 2133 sm_sc_calculate_f6_to_verify_dhkey_check(connection); 2134 break; 2135 case SM_SC_W2_CALCULATE_F5_SALT: 2136 if (!sm_cmac_ready()) break; 2137 connection->sm_engine_state = SM_SC_W4_CALCULATE_F5_SALT; 2138 f5_calculate_salt(connection); 2139 break; 2140 case SM_SC_W2_CALCULATE_F5_MACKEY: 2141 if (!sm_cmac_ready()) break; 2142 connection->sm_engine_state = SM_SC_W4_CALCULATE_F5_MACKEY; 2143 f5_calculate_mackey(connection); 2144 break; 2145 case SM_SC_W2_CALCULATE_F5_LTK: 2146 if (!sm_cmac_ready()) break; 2147 connection->sm_engine_state = SM_SC_W4_CALCULATE_F5_LTK; 2148 f5_calculate_ltk(connection); 2149 break; 2150 case SM_SC_W2_CALCULATE_G2: 2151 if (!sm_cmac_ready()) break; 2152 connection->sm_engine_state = SM_SC_W4_CALCULATE_G2; 2153 g2_calculate(connection); 2154 break; 2155 case SM_SC_W2_CALCULATE_H6_ILK: 2156 if (!sm_cmac_ready()) break; 2157 connection->sm_engine_state = SM_SC_W4_CALCULATE_H6_ILK; 2158 h6_calculate_ilk(connection); 2159 break; 2160 case SM_SC_W2_CALCULATE_H6_BR_EDR_LINK_KEY: 2161 if (!sm_cmac_ready()) break; 2162 connection->sm_engine_state = SM_SC_W4_CALCULATE_H6_BR_EDR_LINK_KEY; 2163 h6_calculate_br_edr_link_key(connection); 2164 break; 2165 #endif 2166 2167 // initiator side 2168 case SM_INITIATOR_PH0_SEND_START_ENCRYPTION: { 2169 sm_key_t peer_ltk_flipped; 2170 reverse_128(setup->sm_peer_ltk, peer_ltk_flipped); 2171 connection->sm_engine_state = SM_INITIATOR_PH0_W4_CONNECTION_ENCRYPTED; 2172 log_info("sm: hci_le_start_encryption ediv 0x%04x", setup->sm_peer_ediv); 2173 uint32_t rand_high = big_endian_read_32(setup->sm_peer_rand, 0); 2174 uint32_t rand_low = big_endian_read_32(setup->sm_peer_rand, 4); 2175 hci_send_cmd(&hci_le_start_encryption, connection->sm_handle,rand_low, rand_high, setup->sm_peer_ediv, peer_ltk_flipped); 2176 return; 2177 } 2178 2179 case SM_INITIATOR_PH1_SEND_PAIRING_REQUEST: 2180 sm_pairing_packet_set_code(setup->sm_m_preq, SM_CODE_PAIRING_REQUEST); 2181 connection->sm_engine_state = SM_INITIATOR_PH1_W4_PAIRING_RESPONSE; 2182 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) &setup->sm_m_preq, sizeof(sm_pairing_packet_t)); 2183 sm_timeout_reset(connection); 2184 break; 2185 2186 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2187 2188 case SM_SC_SEND_PUBLIC_KEY_COMMAND: { 2189 uint8_t buffer[65]; 2190 buffer[0] = SM_CODE_PAIRING_PUBLIC_KEY; 2191 // 2192 reverse_256(ec_qx, &buffer[1]); 2193 reverse_256(ec_qy, &buffer[33]); 2194 2195 // stk generation method 2196 // passkey entry: notify app to show passkey or to request passkey 2197 switch (setup->sm_stk_generation_method){ 2198 case JUST_WORKS: 2199 case NK_BOTH_INPUT: 2200 if (connection->sm_role){ 2201 // responder 2202 sm_sc_start_calculating_local_confirm(connection); 2203 } else { 2204 // initiator 2205 connection->sm_engine_state = SM_SC_W4_PUBLIC_KEY_COMMAND; 2206 } 2207 break; 2208 case PK_INIT_INPUT: 2209 case PK_RESP_INPUT: 2210 case OK_BOTH_INPUT: 2211 // use random TK for display 2212 memcpy(setup->sm_ra, setup->sm_tk, 16); 2213 memcpy(setup->sm_rb, setup->sm_tk, 16); 2214 setup->sm_passkey_bit = 0; 2215 2216 if (connection->sm_role){ 2217 // responder 2218 connection->sm_engine_state = SM_SC_W4_CONFIRMATION; 2219 } else { 2220 // initiator 2221 connection->sm_engine_state = SM_SC_W4_PUBLIC_KEY_COMMAND; 2222 } 2223 sm_trigger_user_response(connection); 2224 break; 2225 case OOB: 2226 // TODO: implement SC OOB 2227 break; 2228 } 2229 2230 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2231 sm_timeout_reset(connection); 2232 break; 2233 } 2234 case SM_SC_SEND_CONFIRMATION: { 2235 uint8_t buffer[17]; 2236 buffer[0] = SM_CODE_PAIRING_CONFIRM; 2237 reverse_128(setup->sm_local_confirm, &buffer[1]); 2238 if (connection->sm_role){ 2239 connection->sm_engine_state = SM_SC_W4_PAIRING_RANDOM; 2240 } else { 2241 connection->sm_engine_state = SM_SC_W4_CONFIRMATION; 2242 } 2243 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2244 sm_timeout_reset(connection); 2245 break; 2246 } 2247 case SM_SC_SEND_PAIRING_RANDOM: { 2248 uint8_t buffer[17]; 2249 buffer[0] = SM_CODE_PAIRING_RANDOM; 2250 reverse_128(setup->sm_local_nonce, &buffer[1]); 2251 if (setup->sm_stk_generation_method != JUST_WORKS && setup->sm_stk_generation_method != NK_BOTH_INPUT && setup->sm_passkey_bit < 20){ 2252 if (connection->sm_role){ 2253 // responder 2254 connection->sm_engine_state = SM_SC_W4_CONFIRMATION; 2255 } else { 2256 // initiator 2257 connection->sm_engine_state = SM_SC_W4_PAIRING_RANDOM; 2258 } 2259 } else { 2260 if (connection->sm_role){ 2261 // responder 2262 if (setup->sm_stk_generation_method == NK_BOTH_INPUT){ 2263 connection->sm_engine_state = SM_SC_W2_CALCULATE_G2; 2264 } else { 2265 sm_sc_prepare_dhkey_check(connection); 2266 } 2267 } else { 2268 // initiator 2269 connection->sm_engine_state = SM_SC_W4_PAIRING_RANDOM; 2270 } 2271 } 2272 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2273 sm_timeout_reset(connection); 2274 break; 2275 } 2276 case SM_SC_SEND_DHKEY_CHECK_COMMAND: { 2277 uint8_t buffer[17]; 2278 buffer[0] = SM_CODE_PAIRING_DHKEY_CHECK; 2279 reverse_128(setup->sm_local_dhkey_check, &buffer[1]); 2280 2281 if (connection->sm_role){ 2282 connection->sm_engine_state = SM_SC_W4_LTK_REQUEST_SC; 2283 } else { 2284 connection->sm_engine_state = SM_SC_W4_DHKEY_CHECK_COMMAND; 2285 } 2286 2287 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2288 sm_timeout_reset(connection); 2289 break; 2290 } 2291 2292 #endif 2293 case SM_RESPONDER_PH1_SEND_PAIRING_RESPONSE: 2294 // echo initiator for now 2295 sm_pairing_packet_set_code(setup->sm_s_pres,SM_CODE_PAIRING_RESPONSE); 2296 key_distribution_flags = sm_key_distribution_flags_for_auth_req(); 2297 2298 if (setup->sm_use_secure_connections){ 2299 connection->sm_engine_state = SM_SC_W4_PUBLIC_KEY_COMMAND; 2300 // skip LTK/EDIV for SC 2301 log_info("sm: dropping encryption information flag"); 2302 key_distribution_flags &= ~SM_KEYDIST_ENC_KEY; 2303 } else { 2304 connection->sm_engine_state = SM_RESPONDER_PH1_W4_PAIRING_CONFIRM; 2305 } 2306 2307 sm_pairing_packet_set_initiator_key_distribution(setup->sm_s_pres, sm_pairing_packet_get_initiator_key_distribution(setup->sm_m_preq) & key_distribution_flags); 2308 sm_pairing_packet_set_responder_key_distribution(setup->sm_s_pres, sm_pairing_packet_get_responder_key_distribution(setup->sm_m_preq) & key_distribution_flags); 2309 // update key distribution after ENC was dropped 2310 sm_setup_key_distribution(sm_pairing_packet_get_responder_key_distribution(setup->sm_s_pres)); 2311 2312 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) &setup->sm_s_pres, sizeof(sm_pairing_packet_t)); 2313 sm_timeout_reset(connection); 2314 // SC Numeric Comparison will trigger user response after public keys & nonces have been exchanged 2315 if (!setup->sm_use_secure_connections || setup->sm_stk_generation_method == JUST_WORKS){ 2316 sm_trigger_user_response(connection); 2317 } 2318 return; 2319 2320 case SM_PH2_SEND_PAIRING_RANDOM: { 2321 uint8_t buffer[17]; 2322 buffer[0] = SM_CODE_PAIRING_RANDOM; 2323 reverse_128(setup->sm_local_random, &buffer[1]); 2324 if (connection->sm_role){ 2325 connection->sm_engine_state = SM_RESPONDER_PH2_W4_LTK_REQUEST; 2326 } else { 2327 connection->sm_engine_state = SM_INITIATOR_PH2_W4_PAIRING_RANDOM; 2328 } 2329 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2330 sm_timeout_reset(connection); 2331 break; 2332 } 2333 2334 case SM_PH2_GET_RANDOM_TK: 2335 case SM_PH2_C1_GET_RANDOM_A: 2336 case SM_PH2_C1_GET_RANDOM_B: 2337 case SM_PH3_GET_RANDOM: 2338 case SM_PH3_GET_DIV: 2339 sm_next_responding_state(connection); 2340 sm_random_start(connection); 2341 return; 2342 2343 case SM_PH2_C1_GET_ENC_B: 2344 case SM_PH2_C1_GET_ENC_D: 2345 // already busy? 2346 if (sm_aes128_state == SM_AES128_ACTIVE) break; 2347 sm_next_responding_state(connection); 2348 sm_aes128_start(setup->sm_tk, setup->sm_c1_t3_value, connection); 2349 return; 2350 2351 case SM_PH3_LTK_GET_ENC: 2352 case SM_RESPONDER_PH4_LTK_GET_ENC: 2353 // already busy? 2354 if (sm_aes128_state == SM_AES128_IDLE) { 2355 sm_key_t d_prime; 2356 sm_d1_d_prime(setup->sm_local_div, 0, d_prime); 2357 sm_next_responding_state(connection); 2358 sm_aes128_start(sm_persistent_er, d_prime, connection); 2359 return; 2360 } 2361 break; 2362 2363 case SM_PH3_CSRK_GET_ENC: 2364 // already busy? 2365 if (sm_aes128_state == SM_AES128_IDLE) { 2366 sm_key_t d_prime; 2367 sm_d1_d_prime(setup->sm_local_div, 1, d_prime); 2368 sm_next_responding_state(connection); 2369 sm_aes128_start(sm_persistent_er, d_prime, connection); 2370 return; 2371 } 2372 break; 2373 2374 case SM_PH2_C1_GET_ENC_C: 2375 // already busy? 2376 if (sm_aes128_state == SM_AES128_ACTIVE) break; 2377 // calculate m_confirm using aes128 engine - step 1 2378 sm_c1_t1(setup->sm_peer_random, (uint8_t*) &setup->sm_m_preq, (uint8_t*) &setup->sm_s_pres, setup->sm_m_addr_type, setup->sm_s_addr_type, plaintext); 2379 sm_next_responding_state(connection); 2380 sm_aes128_start(setup->sm_tk, plaintext, connection); 2381 break; 2382 case SM_PH2_C1_GET_ENC_A: 2383 // already busy? 2384 if (sm_aes128_state == SM_AES128_ACTIVE) break; 2385 // calculate confirm using aes128 engine - step 1 2386 sm_c1_t1(setup->sm_local_random, (uint8_t*) &setup->sm_m_preq, (uint8_t*) &setup->sm_s_pres, setup->sm_m_addr_type, setup->sm_s_addr_type, plaintext); 2387 sm_next_responding_state(connection); 2388 sm_aes128_start(setup->sm_tk, plaintext, connection); 2389 break; 2390 case SM_PH2_CALC_STK: 2391 // already busy? 2392 if (sm_aes128_state == SM_AES128_ACTIVE) break; 2393 // calculate STK 2394 if (connection->sm_role){ 2395 sm_s1_r_prime(setup->sm_local_random, setup->sm_peer_random, plaintext); 2396 } else { 2397 sm_s1_r_prime(setup->sm_peer_random, setup->sm_local_random, plaintext); 2398 } 2399 sm_next_responding_state(connection); 2400 sm_aes128_start(setup->sm_tk, plaintext, connection); 2401 break; 2402 case SM_PH3_Y_GET_ENC: 2403 // already busy? 2404 if (sm_aes128_state == SM_AES128_ACTIVE) break; 2405 // PH3B2 - calculate Y from - enc 2406 // Y = dm(DHK, Rand) 2407 sm_dm_r_prime(setup->sm_local_rand, plaintext); 2408 sm_next_responding_state(connection); 2409 sm_aes128_start(sm_persistent_dhk, plaintext, connection); 2410 return; 2411 case SM_PH2_C1_SEND_PAIRING_CONFIRM: { 2412 uint8_t buffer[17]; 2413 buffer[0] = SM_CODE_PAIRING_CONFIRM; 2414 reverse_128(setup->sm_local_confirm, &buffer[1]); 2415 if (connection->sm_role){ 2416 connection->sm_engine_state = SM_RESPONDER_PH2_W4_PAIRING_RANDOM; 2417 } else { 2418 connection->sm_engine_state = SM_INITIATOR_PH2_W4_PAIRING_CONFIRM; 2419 } 2420 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2421 sm_timeout_reset(connection); 2422 return; 2423 } 2424 case SM_RESPONDER_PH2_SEND_LTK_REPLY: { 2425 sm_key_t stk_flipped; 2426 reverse_128(setup->sm_ltk, stk_flipped); 2427 connection->sm_engine_state = SM_PH2_W4_CONNECTION_ENCRYPTED; 2428 hci_send_cmd(&hci_le_long_term_key_request_reply, connection->sm_handle, stk_flipped); 2429 return; 2430 } 2431 case SM_INITIATOR_PH3_SEND_START_ENCRYPTION: { 2432 sm_key_t stk_flipped; 2433 reverse_128(setup->sm_ltk, stk_flipped); 2434 connection->sm_engine_state = SM_PH2_W4_CONNECTION_ENCRYPTED; 2435 hci_send_cmd(&hci_le_start_encryption, connection->sm_handle, 0, 0, 0, stk_flipped); 2436 return; 2437 } 2438 case SM_RESPONDER_PH4_SEND_LTK_REPLY: { 2439 sm_key_t ltk_flipped; 2440 reverse_128(setup->sm_ltk, ltk_flipped); 2441 connection->sm_engine_state = SM_RESPONDER_IDLE; 2442 hci_send_cmd(&hci_le_long_term_key_request_reply, connection->sm_handle, ltk_flipped); 2443 return; 2444 } 2445 case SM_RESPONDER_PH4_Y_GET_ENC: 2446 // already busy? 2447 if (sm_aes128_state == SM_AES128_ACTIVE) break; 2448 log_info("LTK Request: recalculating with ediv 0x%04x", setup->sm_local_ediv); 2449 // Y = dm(DHK, Rand) 2450 sm_dm_r_prime(setup->sm_local_rand, plaintext); 2451 sm_next_responding_state(connection); 2452 sm_aes128_start(sm_persistent_dhk, plaintext, connection); 2453 return; 2454 2455 case SM_PH3_DISTRIBUTE_KEYS: 2456 if (setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION){ 2457 setup->sm_key_distribution_send_set &= ~SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION; 2458 uint8_t buffer[17]; 2459 buffer[0] = SM_CODE_ENCRYPTION_INFORMATION; 2460 reverse_128(setup->sm_ltk, &buffer[1]); 2461 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2462 sm_timeout_reset(connection); 2463 return; 2464 } 2465 if (setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_MASTER_IDENTIFICATION){ 2466 setup->sm_key_distribution_send_set &= ~SM_KEYDIST_FLAG_MASTER_IDENTIFICATION; 2467 uint8_t buffer[11]; 2468 buffer[0] = SM_CODE_MASTER_IDENTIFICATION; 2469 little_endian_store_16(buffer, 1, setup->sm_local_ediv); 2470 reverse_64(setup->sm_local_rand, &buffer[3]); 2471 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2472 sm_timeout_reset(connection); 2473 return; 2474 } 2475 if (setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_IDENTITY_INFORMATION){ 2476 setup->sm_key_distribution_send_set &= ~SM_KEYDIST_FLAG_IDENTITY_INFORMATION; 2477 uint8_t buffer[17]; 2478 buffer[0] = SM_CODE_IDENTITY_INFORMATION; 2479 reverse_128(sm_persistent_irk, &buffer[1]); 2480 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2481 sm_timeout_reset(connection); 2482 return; 2483 } 2484 if (setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION){ 2485 setup->sm_key_distribution_send_set &= ~SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION; 2486 bd_addr_t local_address; 2487 uint8_t buffer[8]; 2488 buffer[0] = SM_CODE_IDENTITY_ADDRESS_INFORMATION; 2489 gap_advertisements_get_address(&buffer[1], local_address); 2490 reverse_bd_addr(local_address, &buffer[2]); 2491 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2492 sm_timeout_reset(connection); 2493 return; 2494 } 2495 if (setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION){ 2496 setup->sm_key_distribution_send_set &= ~SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION; 2497 2498 // hack to reproduce test runs 2499 if (test_use_fixed_local_csrk){ 2500 memset(setup->sm_local_csrk, 0xcc, 16); 2501 } 2502 2503 uint8_t buffer[17]; 2504 buffer[0] = SM_CODE_SIGNING_INFORMATION; 2505 reverse_128(setup->sm_local_csrk, &buffer[1]); 2506 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2507 sm_timeout_reset(connection); 2508 return; 2509 } 2510 2511 // keys are sent 2512 if (connection->sm_role){ 2513 // slave -> receive master keys if any 2514 if (sm_key_distribution_all_received(connection)){ 2515 sm_key_distribution_handle_all_received(connection); 2516 connection->sm_engine_state = SM_RESPONDER_IDLE; 2517 sm_done_for_handle(connection->sm_handle); 2518 } else { 2519 connection->sm_engine_state = SM_PH3_RECEIVE_KEYS; 2520 } 2521 } else { 2522 // master -> all done 2523 connection->sm_engine_state = SM_INITIATOR_CONNECTED; 2524 sm_done_for_handle(connection->sm_handle); 2525 } 2526 break; 2527 2528 default: 2529 break; 2530 } 2531 2532 // check again if active connection was released 2533 if (sm_active_connection) break; 2534 } 2535 } 2536 2537 // note: aes engine is ready as we just got the aes result 2538 static void sm_handle_encryption_result(uint8_t * data){ 2539 2540 sm_aes128_state = SM_AES128_IDLE; 2541 2542 if (sm_address_resolution_ah_calculation_active){ 2543 sm_address_resolution_ah_calculation_active = 0; 2544 // compare calulated address against connecting device 2545 uint8_t hash[3]; 2546 reverse_24(data, hash); 2547 if (memcmp(&sm_address_resolution_address[3], hash, 3) == 0){ 2548 log_info("LE Device Lookup: matched resolvable private address"); 2549 sm_address_resolution_handle_event(ADDRESS_RESOLUTION_SUCEEDED); 2550 return; 2551 } 2552 // no match, try next 2553 sm_address_resolution_test++; 2554 return; 2555 } 2556 2557 switch (dkg_state){ 2558 case DKG_W4_IRK: 2559 reverse_128(data, sm_persistent_irk); 2560 log_info_key("irk", sm_persistent_irk); 2561 dkg_next_state(); 2562 return; 2563 case DKG_W4_DHK: 2564 reverse_128(data, sm_persistent_dhk); 2565 log_info_key("dhk", sm_persistent_dhk); 2566 dkg_next_state(); 2567 // SM Init Finished 2568 return; 2569 default: 2570 break; 2571 } 2572 2573 switch (rau_state){ 2574 case RAU_W4_ENC: 2575 reverse_24(data, &sm_random_address[3]); 2576 rau_next_state(); 2577 return; 2578 default: 2579 break; 2580 } 2581 2582 switch (sm_cmac_state){ 2583 case CMAC_W4_SUBKEYS: 2584 case CMAC_W4_MI: 2585 case CMAC_W4_MLAST: 2586 { 2587 sm_key_t t; 2588 reverse_128(data, t); 2589 sm_cmac_handle_encryption_result(t); 2590 } 2591 return; 2592 default: 2593 break; 2594 } 2595 2596 // retrieve sm_connection provided to sm_aes128_start_encryption 2597 sm_connection_t * connection = (sm_connection_t*) sm_aes128_context; 2598 if (!connection) return; 2599 switch (connection->sm_engine_state){ 2600 case SM_PH2_C1_W4_ENC_A: 2601 case SM_PH2_C1_W4_ENC_C: 2602 { 2603 sm_key_t t2; 2604 reverse_128(data, t2); 2605 sm_c1_t3(t2, setup->sm_m_address, setup->sm_s_address, setup->sm_c1_t3_value); 2606 } 2607 sm_next_responding_state(connection); 2608 return; 2609 case SM_PH2_C1_W4_ENC_B: 2610 reverse_128(data, setup->sm_local_confirm); 2611 log_info_key("c1!", setup->sm_local_confirm); 2612 connection->sm_engine_state = SM_PH2_C1_SEND_PAIRING_CONFIRM; 2613 return; 2614 case SM_PH2_C1_W4_ENC_D: 2615 { 2616 sm_key_t peer_confirm_test; 2617 reverse_128(data, peer_confirm_test); 2618 log_info_key("c1!", peer_confirm_test); 2619 if (memcmp(setup->sm_peer_confirm, peer_confirm_test, 16) != 0){ 2620 setup->sm_pairing_failed_reason = SM_REASON_CONFIRM_VALUE_FAILED; 2621 connection->sm_engine_state = SM_GENERAL_SEND_PAIRING_FAILED; 2622 return; 2623 } 2624 if (connection->sm_role){ 2625 connection->sm_engine_state = SM_PH2_SEND_PAIRING_RANDOM; 2626 } else { 2627 connection->sm_engine_state = SM_PH2_CALC_STK; 2628 } 2629 } 2630 return; 2631 case SM_PH2_W4_STK: 2632 reverse_128(data, setup->sm_ltk); 2633 sm_truncate_key(setup->sm_ltk, connection->sm_actual_encryption_key_size); 2634 log_info_key("stk", setup->sm_ltk); 2635 if (connection->sm_role){ 2636 connection->sm_engine_state = SM_RESPONDER_PH2_SEND_LTK_REPLY; 2637 } else { 2638 connection->sm_engine_state = SM_INITIATOR_PH3_SEND_START_ENCRYPTION; 2639 } 2640 return; 2641 case SM_PH3_Y_W4_ENC:{ 2642 sm_key_t y128; 2643 reverse_128(data, y128); 2644 setup->sm_local_y = big_endian_read_16(y128, 14); 2645 log_info_hex16("y", setup->sm_local_y); 2646 // PH3B3 - calculate EDIV 2647 setup->sm_local_ediv = setup->sm_local_y ^ setup->sm_local_div; 2648 log_info_hex16("ediv", setup->sm_local_ediv); 2649 // PH3B4 - calculate LTK - enc 2650 // LTK = d1(ER, DIV, 0)) 2651 connection->sm_engine_state = SM_PH3_LTK_GET_ENC; 2652 return; 2653 } 2654 case SM_RESPONDER_PH4_Y_W4_ENC:{ 2655 sm_key_t y128; 2656 reverse_128(data, y128); 2657 setup->sm_local_y = big_endian_read_16(y128, 14); 2658 log_info_hex16("y", setup->sm_local_y); 2659 2660 // PH3B3 - calculate DIV 2661 setup->sm_local_div = setup->sm_local_y ^ setup->sm_local_ediv; 2662 log_info_hex16("ediv", setup->sm_local_ediv); 2663 // PH3B4 - calculate LTK - enc 2664 // LTK = d1(ER, DIV, 0)) 2665 connection->sm_engine_state = SM_RESPONDER_PH4_LTK_GET_ENC; 2666 return; 2667 } 2668 case SM_PH3_LTK_W4_ENC: 2669 reverse_128(data, setup->sm_ltk); 2670 log_info_key("ltk", setup->sm_ltk); 2671 // calc CSRK next 2672 connection->sm_engine_state = SM_PH3_CSRK_GET_ENC; 2673 return; 2674 case SM_PH3_CSRK_W4_ENC: 2675 reverse_128(data, setup->sm_local_csrk); 2676 log_info_key("csrk", setup->sm_local_csrk); 2677 if (setup->sm_key_distribution_send_set){ 2678 connection->sm_engine_state = SM_PH3_DISTRIBUTE_KEYS; 2679 } else { 2680 // no keys to send, just continue 2681 if (connection->sm_role){ 2682 // slave -> receive master keys 2683 connection->sm_engine_state = SM_PH3_RECEIVE_KEYS; 2684 } else { 2685 if (setup->sm_use_secure_connections && (setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION)){ 2686 connection->sm_engine_state = SM_SC_W2_CALCULATE_H6_ILK; 2687 } else { 2688 // master -> all done 2689 connection->sm_engine_state = SM_INITIATOR_CONNECTED; 2690 sm_done_for_handle(connection->sm_handle); 2691 } 2692 } 2693 } 2694 return; 2695 case SM_RESPONDER_PH4_LTK_W4_ENC: 2696 reverse_128(data, setup->sm_ltk); 2697 sm_truncate_key(setup->sm_ltk, connection->sm_actual_encryption_key_size); 2698 log_info_key("ltk", setup->sm_ltk); 2699 connection->sm_engine_state = SM_RESPONDER_PH4_SEND_LTK_REPLY; 2700 return; 2701 default: 2702 break; 2703 } 2704 } 2705 2706 #ifdef USE_MBEDTLS_FOR_ECDH 2707 2708 static int sm_generate_f_rng(void * context, unsigned char * buffer, size_t size){ 2709 int offset = setup->sm_passkey_bit; 2710 log_info("sm_generate_f_rng: size %u - offset %u", (int) size, offset); 2711 while (size) { 2712 if (offset < 32){ 2713 *buffer++ = setup->sm_peer_qx[offset++]; 2714 } else { 2715 *buffer++ = setup->sm_peer_qx[offset++ - 32]; 2716 } 2717 size--; 2718 } 2719 setup->sm_passkey_bit = offset; 2720 return 0; 2721 } 2722 #endif 2723 2724 // note: random generator is ready. this doesn NOT imply that aes engine is unused! 2725 static void sm_handle_random_result(uint8_t * data){ 2726 2727 #ifdef USE_MBEDTLS_FOR_ECDH 2728 if (ec_key_generation_state == EC_KEY_GENERATION_ACTIVE){ 2729 int num_bytes = setup->sm_passkey_bit; 2730 if (num_bytes < 32){ 2731 memcpy(&setup->sm_peer_qx[num_bytes], data, 8); 2732 } else { 2733 memcpy(&setup->sm_peer_qx[num_bytes-32], data, 8); 2734 } 2735 num_bytes += 8; 2736 setup->sm_passkey_bit = num_bytes; 2737 2738 if (num_bytes >= 64){ 2739 2740 // generate EC key 2741 setup->sm_passkey_bit = 0; 2742 mbedtls_mpi d; 2743 mbedtls_ecp_point P; 2744 mbedtls_mpi_init(&d); 2745 mbedtls_ecp_point_init(&P); 2746 int res = mbedtls_ecp_gen_keypair(&mbedtls_ec_group, &d, &P, &sm_generate_f_rng, NULL); 2747 log_info("gen keypair %x", res); 2748 mbedtls_mpi_write_binary(&P.X, ec_qx, 32); 2749 mbedtls_mpi_write_binary(&P.Y, ec_qy, 32); 2750 mbedtls_mpi_write_binary(&d, ec_d, 32); 2751 mbedtls_ecp_point_free(&P); 2752 mbedtls_mpi_free(&d); 2753 ec_key_generation_state = EC_KEY_GENERATION_DONE; 2754 log_info("Elliptic curve: d"); 2755 log_info_hexdump(ec_d,32); 2756 sm_log_ec_keypair(); 2757 2758 #if 0 2759 int i; 2760 sm_key256_t dhkey; 2761 for (i=0;i<10;i++){ 2762 // printf("test dhkey check\n"); 2763 memcpy(setup->sm_peer_qx, ec_qx, 32); 2764 memcpy(setup->sm_peer_qy, ec_qy, 32); 2765 sm_sc_calculate_dhkey(dhkey); 2766 // printf("test dhkey check end\n"); 2767 } 2768 #endif 2769 2770 } 2771 } 2772 #endif 2773 2774 switch (rau_state){ 2775 case RAU_W4_RANDOM: 2776 // non-resolvable vs. resolvable 2777 switch (gap_random_adress_type){ 2778 case GAP_RANDOM_ADDRESS_RESOLVABLE: 2779 // resolvable: use random as prand and calc address hash 2780 // "The two most significant bits of prand shall be equal to ‘0’ and ‘1" 2781 memcpy(sm_random_address, data, 3); 2782 sm_random_address[0] &= 0x3f; 2783 sm_random_address[0] |= 0x40; 2784 rau_state = RAU_GET_ENC; 2785 break; 2786 case GAP_RANDOM_ADDRESS_NON_RESOLVABLE: 2787 default: 2788 // "The two most significant bits of the address shall be equal to ‘0’"" 2789 memcpy(sm_random_address, data, 6); 2790 sm_random_address[0] &= 0x3f; 2791 rau_state = RAU_SET_ADDRESS; 2792 break; 2793 } 2794 return; 2795 default: 2796 break; 2797 } 2798 2799 // retrieve sm_connection provided to sm_random_start 2800 sm_connection_t * connection = (sm_connection_t *) sm_random_context; 2801 if (!connection) return; 2802 switch (connection->sm_engine_state){ 2803 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2804 case SM_SC_W4_GET_RANDOM_A: 2805 memcpy(&setup->sm_local_nonce[0], data, 8); 2806 connection->sm_engine_state = SM_SC_W2_GET_RANDOM_B; 2807 break; 2808 case SM_SC_W4_GET_RANDOM_B: 2809 memcpy(&setup->sm_local_nonce[8], data, 8); 2810 // initiator & jw/nc -> send pairing random 2811 if (connection->sm_role == 0 && sm_just_works_or_numeric_comparison(setup->sm_stk_generation_method)){ 2812 connection->sm_engine_state = SM_SC_SEND_PAIRING_RANDOM; 2813 break; 2814 } else { 2815 connection->sm_engine_state = SM_SC_W2_CMAC_FOR_CONFIRMATION; 2816 } 2817 break; 2818 #endif 2819 2820 case SM_PH2_W4_RANDOM_TK: 2821 { 2822 // map random to 0-999999 without speding much cycles on a modulus operation 2823 uint32_t tk = little_endian_read_32(data,0); 2824 tk = tk & 0xfffff; // 1048575 2825 if (tk >= 999999){ 2826 tk = tk - 999999; 2827 } 2828 sm_reset_tk(); 2829 big_endian_store_32(setup->sm_tk, 12, tk); 2830 if (connection->sm_role){ 2831 connection->sm_engine_state = SM_RESPONDER_PH1_SEND_PAIRING_RESPONSE; 2832 } else { 2833 if (setup->sm_use_secure_connections){ 2834 connection->sm_engine_state = SM_SC_SEND_PUBLIC_KEY_COMMAND; 2835 } else { 2836 connection->sm_engine_state = SM_PH1_W4_USER_RESPONSE; 2837 sm_trigger_user_response(connection); 2838 // response_idle == nothing <--> sm_trigger_user_response() did not require response 2839 if (setup->sm_user_response == SM_USER_RESPONSE_IDLE){ 2840 connection->sm_engine_state = SM_PH2_C1_GET_RANDOM_A; 2841 } 2842 } 2843 } 2844 return; 2845 } 2846 case SM_PH2_C1_W4_RANDOM_A: 2847 memcpy(&setup->sm_local_random[0], data, 8); // random endinaness 2848 connection->sm_engine_state = SM_PH2_C1_GET_RANDOM_B; 2849 return; 2850 case SM_PH2_C1_W4_RANDOM_B: 2851 memcpy(&setup->sm_local_random[8], data, 8); // random endinaness 2852 connection->sm_engine_state = SM_PH2_C1_GET_ENC_A; 2853 return; 2854 case SM_PH3_W4_RANDOM: 2855 reverse_64(data, setup->sm_local_rand); 2856 // no db for encryption size hack: encryption size is stored in lowest nibble of setup->sm_local_rand 2857 setup->sm_local_rand[7] = (setup->sm_local_rand[7] & 0xf0) + (connection->sm_actual_encryption_key_size - 1); 2858 // no db for authenticated flag hack: store flag in bit 4 of LSB 2859 setup->sm_local_rand[7] = (setup->sm_local_rand[7] & 0xef) + (connection->sm_connection_authenticated << 4); 2860 connection->sm_engine_state = SM_PH3_GET_DIV; 2861 return; 2862 case SM_PH3_W4_DIV: 2863 // use 16 bit from random value as div 2864 setup->sm_local_div = big_endian_read_16(data, 0); 2865 log_info_hex16("div", setup->sm_local_div); 2866 connection->sm_engine_state = SM_PH3_Y_GET_ENC; 2867 return; 2868 default: 2869 break; 2870 } 2871 } 2872 2873 static void sm_event_packet_handler (uint8_t packet_type, uint16_t channel, uint8_t *packet, uint16_t size){ 2874 2875 sm_connection_t * sm_conn; 2876 hci_con_handle_t con_handle; 2877 2878 switch (packet_type) { 2879 2880 case HCI_EVENT_PACKET: 2881 switch (hci_event_packet_get_type(packet)) { 2882 2883 case BTSTACK_EVENT_STATE: 2884 // bt stack activated, get started 2885 if (btstack_event_state_get_state(packet) == HCI_STATE_WORKING){ 2886 log_info("HCI Working!"); 2887 2888 // set local addr for le device db 2889 bd_addr_t local_bd_addr; 2890 gap_local_bd_addr(local_bd_addr); 2891 le_device_db_set_local_bd_addr(local_bd_addr); 2892 2893 dkg_state = sm_persistent_irk_ready ? DKG_CALC_DHK : DKG_CALC_IRK; 2894 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2895 if (!sm_have_ec_keypair){ 2896 setup->sm_passkey_bit = 0; 2897 ec_key_generation_state = EC_KEY_GENERATION_ACTIVE; 2898 } 2899 #endif 2900 // trigger Random Address generation if requested before 2901 if (gap_random_adress_type == GAP_RANDOM_ADDRESS_TYPE_OFF) { 2902 if (sm_random_address_set){ 2903 rau_state = RAU_SET_ADDRESS; 2904 } else { 2905 rau_state = RAU_IDLE; 2906 } 2907 } else { 2908 rau_state = RAU_GET_RANDOM; 2909 } 2910 sm_run(); 2911 } 2912 break; 2913 2914 case HCI_EVENT_LE_META: 2915 switch (packet[2]) { 2916 case HCI_SUBEVENT_LE_CONNECTION_COMPLETE: 2917 2918 log_info("sm: connected"); 2919 2920 if (packet[3]) return; // connection failed 2921 2922 con_handle = little_endian_read_16(packet, 4); 2923 sm_conn = sm_get_connection_for_handle(con_handle); 2924 if (!sm_conn) break; 2925 2926 sm_conn->sm_handle = con_handle; 2927 sm_conn->sm_role = packet[6]; 2928 sm_conn->sm_peer_addr_type = packet[7]; 2929 reverse_bd_addr(&packet[8], sm_conn->sm_peer_address); 2930 2931 log_info("New sm_conn, role %s", sm_conn->sm_role ? "slave" : "master"); 2932 2933 // reset security properties 2934 sm_conn->sm_connection_encrypted = 0; 2935 sm_conn->sm_connection_authenticated = 0; 2936 sm_conn->sm_connection_authorization_state = AUTHORIZATION_UNKNOWN; 2937 sm_conn->sm_le_db_index = -1; 2938 2939 // prepare CSRK lookup (does not involve setup) 2940 sm_conn->sm_irk_lookup_state = IRK_LOOKUP_W4_READY; 2941 2942 // just connected -> everything else happens in sm_run() 2943 if (sm_conn->sm_role){ 2944 // slave - state already could be SM_RESPONDER_SEND_SECURITY_REQUEST instead 2945 if (sm_conn->sm_engine_state == SM_GENERAL_IDLE){ 2946 if (sm_slave_request_security) { 2947 // request security if requested by app 2948 sm_conn->sm_engine_state = SM_RESPONDER_SEND_SECURITY_REQUEST; 2949 } else { 2950 // otherwise, wait for pairing request 2951 sm_conn->sm_engine_state = SM_RESPONDER_IDLE; 2952 } 2953 } 2954 break; 2955 } else { 2956 // master 2957 sm_conn->sm_engine_state = SM_INITIATOR_CONNECTED; 2958 } 2959 break; 2960 2961 case HCI_SUBEVENT_LE_LONG_TERM_KEY_REQUEST: 2962 con_handle = little_endian_read_16(packet, 3); 2963 sm_conn = sm_get_connection_for_handle(con_handle); 2964 if (!sm_conn) break; 2965 2966 log_info("LTK Request: state %u", sm_conn->sm_engine_state); 2967 if (sm_conn->sm_engine_state == SM_RESPONDER_PH2_W4_LTK_REQUEST){ 2968 sm_conn->sm_engine_state = SM_PH2_CALC_STK; 2969 break; 2970 } 2971 if (sm_conn->sm_engine_state == SM_SC_W4_LTK_REQUEST_SC){ 2972 // PH2 SEND LTK as we need to exchange keys in PH3 2973 sm_conn->sm_engine_state = SM_RESPONDER_PH2_SEND_LTK_REPLY; 2974 break; 2975 } 2976 2977 // store rand and ediv 2978 reverse_64(&packet[5], sm_conn->sm_local_rand); 2979 sm_conn->sm_local_ediv = little_endian_read_16(packet, 13); 2980 2981 // For Legacy Pairing (<=> EDIV != 0 || RAND != NULL), we need to recalculated our LTK as a 2982 // potentially stored LTK is from the master 2983 if (sm_conn->sm_local_ediv != 0 || !sm_is_null_random(sm_conn->sm_local_rand)){ 2984 sm_conn->sm_engine_state = SM_RESPONDER_PH0_RECEIVED_LTK_REQUEST; 2985 break; 2986 } 2987 2988 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2989 sm_conn->sm_engine_state = SM_SC_RECEIVED_LTK_REQUEST; 2990 #else 2991 log_info("LTK Request: ediv & random are empty, but LE Secure Connections not supported"); 2992 sm_conn->sm_engine_state = SM_RESPONDER_PH0_SEND_LTK_REQUESTED_NEGATIVE_REPLY; 2993 #endif 2994 break; 2995 2996 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2997 case HCI_SUBEVENT_LE_READ_LOCAL_P256_PUBLIC_KEY_COMPLETE: 2998 if (hci_subevent_le_read_local_p256_public_key_complete_get_status(packet)){ 2999 log_error("Read Local P256 Public Key failed"); 3000 break; 3001 } 3002 hci_subevent_le_read_local_p256_public_key_complete_get_dhkey_x(packet, ec_qx); 3003 hci_subevent_le_read_local_p256_public_key_complete_get_dhkey_y(packet, ec_qy); 3004 ec_key_generation_state = EC_KEY_GENERATION_DONE; 3005 sm_log_ec_keypair(); 3006 break; 3007 #endif 3008 default: 3009 break; 3010 } 3011 break; 3012 3013 case HCI_EVENT_ENCRYPTION_CHANGE: 3014 con_handle = little_endian_read_16(packet, 3); 3015 sm_conn = sm_get_connection_for_handle(con_handle); 3016 if (!sm_conn) break; 3017 3018 sm_conn->sm_connection_encrypted = packet[5]; 3019 log_info("Encryption state change: %u, key size %u", sm_conn->sm_connection_encrypted, 3020 sm_conn->sm_actual_encryption_key_size); 3021 log_info("event handler, state %u", sm_conn->sm_engine_state); 3022 if (!sm_conn->sm_connection_encrypted) break; 3023 // continue if part of initial pairing 3024 switch (sm_conn->sm_engine_state){ 3025 case SM_INITIATOR_PH0_W4_CONNECTION_ENCRYPTED: 3026 sm_conn->sm_engine_state = SM_INITIATOR_CONNECTED; 3027 sm_done_for_handle(sm_conn->sm_handle); 3028 break; 3029 case SM_PH2_W4_CONNECTION_ENCRYPTED: 3030 if (sm_conn->sm_role){ 3031 // slave 3032 if (setup->sm_use_secure_connections){ 3033 sm_conn->sm_engine_state = SM_PH3_DISTRIBUTE_KEYS; 3034 } else { 3035 sm_conn->sm_engine_state = SM_PH3_GET_RANDOM; 3036 } 3037 } else { 3038 // master 3039 if (sm_key_distribution_all_received(sm_conn)){ 3040 // skip receiving keys as there are none 3041 sm_key_distribution_handle_all_received(sm_conn); 3042 sm_conn->sm_engine_state = SM_PH3_GET_RANDOM; 3043 } else { 3044 sm_conn->sm_engine_state = SM_PH3_RECEIVE_KEYS; 3045 } 3046 } 3047 break; 3048 default: 3049 break; 3050 } 3051 break; 3052 3053 case HCI_EVENT_ENCRYPTION_KEY_REFRESH_COMPLETE: 3054 con_handle = little_endian_read_16(packet, 3); 3055 sm_conn = sm_get_connection_for_handle(con_handle); 3056 if (!sm_conn) break; 3057 3058 log_info("Encryption key refresh complete, key size %u", sm_conn->sm_actual_encryption_key_size); 3059 log_info("event handler, state %u", sm_conn->sm_engine_state); 3060 // continue if part of initial pairing 3061 switch (sm_conn->sm_engine_state){ 3062 case SM_INITIATOR_PH0_W4_CONNECTION_ENCRYPTED: 3063 sm_conn->sm_engine_state = SM_INITIATOR_CONNECTED; 3064 sm_done_for_handle(sm_conn->sm_handle); 3065 break; 3066 case SM_PH2_W4_CONNECTION_ENCRYPTED: 3067 if (sm_conn->sm_role){ 3068 // slave 3069 sm_conn->sm_engine_state = SM_PH3_GET_RANDOM; 3070 } else { 3071 // master 3072 sm_conn->sm_engine_state = SM_PH3_RECEIVE_KEYS; 3073 } 3074 break; 3075 default: 3076 break; 3077 } 3078 break; 3079 3080 3081 case HCI_EVENT_DISCONNECTION_COMPLETE: 3082 con_handle = little_endian_read_16(packet, 3); 3083 sm_done_for_handle(con_handle); 3084 sm_conn = sm_get_connection_for_handle(con_handle); 3085 if (!sm_conn) break; 3086 3087 // delete stored bonding on disconnect with authentication failure in ph0 3088 if (sm_conn->sm_role == 0 3089 && sm_conn->sm_engine_state == SM_INITIATOR_PH0_W4_CONNECTION_ENCRYPTED 3090 && packet[2] == ERROR_CODE_AUTHENTICATION_FAILURE){ 3091 le_device_db_remove(sm_conn->sm_le_db_index); 3092 } 3093 3094 sm_conn->sm_engine_state = SM_GENERAL_IDLE; 3095 sm_conn->sm_handle = 0; 3096 break; 3097 3098 case HCI_EVENT_COMMAND_COMPLETE: 3099 if (HCI_EVENT_IS_COMMAND_COMPLETE(packet, hci_le_encrypt)){ 3100 sm_handle_encryption_result(&packet[6]); 3101 break; 3102 } 3103 if (HCI_EVENT_IS_COMMAND_COMPLETE(packet, hci_le_rand)){ 3104 sm_handle_random_result(&packet[6]); 3105 break; 3106 } 3107 break; 3108 default: 3109 break; 3110 } 3111 break; 3112 default: 3113 break; 3114 } 3115 3116 sm_run(); 3117 } 3118 3119 static inline int sm_calc_actual_encryption_key_size(int other){ 3120 if (other < sm_min_encryption_key_size) return 0; 3121 if (other < sm_max_encryption_key_size) return other; 3122 return sm_max_encryption_key_size; 3123 } 3124 3125 3126 #ifdef ENABLE_LE_SECURE_CONNECTIONS 3127 static int sm_just_works_or_numeric_comparison(stk_generation_method_t method){ 3128 switch (method){ 3129 case JUST_WORKS: 3130 case NK_BOTH_INPUT: 3131 return 1; 3132 default: 3133 return 0; 3134 } 3135 } 3136 // responder 3137 3138 static int sm_passkey_used(stk_generation_method_t method){ 3139 switch (method){ 3140 case PK_RESP_INPUT: 3141 return 1; 3142 default: 3143 return 0; 3144 } 3145 } 3146 #endif 3147 3148 /** 3149 * @return ok 3150 */ 3151 static int sm_validate_stk_generation_method(void){ 3152 // check if STK generation method is acceptable by client 3153 switch (setup->sm_stk_generation_method){ 3154 case JUST_WORKS: 3155 return (sm_accepted_stk_generation_methods & SM_STK_GENERATION_METHOD_JUST_WORKS) != 0; 3156 case PK_RESP_INPUT: 3157 case PK_INIT_INPUT: 3158 case OK_BOTH_INPUT: 3159 return (sm_accepted_stk_generation_methods & SM_STK_GENERATION_METHOD_PASSKEY) != 0; 3160 case OOB: 3161 return (sm_accepted_stk_generation_methods & SM_STK_GENERATION_METHOD_OOB) != 0; 3162 case NK_BOTH_INPUT: 3163 return (sm_accepted_stk_generation_methods & SM_STK_GENERATION_METHOD_NUMERIC_COMPARISON) != 0; 3164 return 1; 3165 default: 3166 return 0; 3167 } 3168 } 3169 3170 static void sm_pdu_handler(uint8_t packet_type, hci_con_handle_t con_handle, uint8_t *packet, uint16_t size){ 3171 3172 if (packet_type == HCI_EVENT_PACKET && packet[0] == L2CAP_EVENT_CAN_SEND_NOW){ 3173 sm_run(); 3174 } 3175 3176 if (packet_type != SM_DATA_PACKET) return; 3177 3178 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3179 if (!sm_conn) return; 3180 3181 if (packet[0] == SM_CODE_PAIRING_FAILED){ 3182 sm_conn->sm_engine_state = sm_conn->sm_role ? SM_RESPONDER_IDLE : SM_INITIATOR_CONNECTED; 3183 return; 3184 } 3185 3186 log_debug("sm_pdu_handler: state %u, pdu 0x%02x", sm_conn->sm_engine_state, packet[0]); 3187 3188 int err; 3189 3190 if (packet[0] == SM_CODE_KEYPRESS_NOTIFICATION){ 3191 uint8_t buffer[5]; 3192 buffer[0] = SM_EVENT_KEYPRESS_NOTIFICATION; 3193 buffer[1] = 3; 3194 little_endian_store_16(buffer, 2, con_handle); 3195 buffer[4] = packet[1]; 3196 sm_dispatch_event(HCI_EVENT_PACKET, 0, buffer, sizeof(buffer)); 3197 return; 3198 } 3199 3200 switch (sm_conn->sm_engine_state){ 3201 3202 // a sm timeout requries a new physical connection 3203 case SM_GENERAL_TIMEOUT: 3204 return; 3205 3206 // Initiator 3207 case SM_INITIATOR_CONNECTED: 3208 if ((packet[0] != SM_CODE_SECURITY_REQUEST) || (sm_conn->sm_role)){ 3209 sm_pdu_received_in_wrong_state(sm_conn); 3210 break; 3211 } 3212 if (sm_conn->sm_irk_lookup_state == IRK_LOOKUP_FAILED){ 3213 sm_conn->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 3214 break; 3215 } 3216 if (sm_conn->sm_irk_lookup_state == IRK_LOOKUP_SUCCEEDED){ 3217 sm_key_t ltk; 3218 le_device_db_encryption_get(sm_conn->sm_le_db_index, NULL, NULL, ltk, NULL, NULL, NULL); 3219 if (!sm_is_null_key(ltk)){ 3220 log_info("sm: Setting up previous ltk/ediv/rand for device index %u", sm_conn->sm_le_db_index); 3221 sm_conn->sm_engine_state = SM_INITIATOR_PH0_HAS_LTK; 3222 } else { 3223 sm_conn->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 3224 } 3225 break; 3226 } 3227 // otherwise, store security request 3228 sm_conn->sm_security_request_received = 1; 3229 break; 3230 3231 case SM_INITIATOR_PH1_W4_PAIRING_RESPONSE: 3232 if (packet[0] != SM_CODE_PAIRING_RESPONSE){ 3233 sm_pdu_received_in_wrong_state(sm_conn); 3234 break; 3235 } 3236 // store pairing request 3237 memcpy(&setup->sm_s_pres, packet, sizeof(sm_pairing_packet_t)); 3238 err = sm_stk_generation_init(sm_conn); 3239 if (err){ 3240 setup->sm_pairing_failed_reason = err; 3241 sm_conn->sm_engine_state = SM_GENERAL_SEND_PAIRING_FAILED; 3242 break; 3243 } 3244 3245 // generate random number first, if we need to show passkey 3246 if (setup->sm_stk_generation_method == PK_RESP_INPUT){ 3247 sm_conn->sm_engine_state = SM_PH2_GET_RANDOM_TK; 3248 break; 3249 } 3250 3251 #ifdef ENABLE_LE_SECURE_CONNECTIONS 3252 if (setup->sm_use_secure_connections){ 3253 // SC Numeric Comparison will trigger user response after public keys & nonces have been exchanged 3254 if (setup->sm_stk_generation_method == JUST_WORKS){ 3255 sm_conn->sm_engine_state = SM_PH1_W4_USER_RESPONSE; 3256 sm_trigger_user_response(sm_conn); 3257 if (setup->sm_user_response == SM_USER_RESPONSE_IDLE){ 3258 sm_conn->sm_engine_state = SM_SC_SEND_PUBLIC_KEY_COMMAND; 3259 } 3260 } else { 3261 sm_conn->sm_engine_state = SM_SC_SEND_PUBLIC_KEY_COMMAND; 3262 } 3263 break; 3264 } 3265 #endif 3266 sm_conn->sm_engine_state = SM_PH1_W4_USER_RESPONSE; 3267 sm_trigger_user_response(sm_conn); 3268 // response_idle == nothing <--> sm_trigger_user_response() did not require response 3269 if (setup->sm_user_response == SM_USER_RESPONSE_IDLE){ 3270 sm_conn->sm_engine_state = SM_PH2_C1_GET_RANDOM_A; 3271 } 3272 break; 3273 3274 case SM_INITIATOR_PH2_W4_PAIRING_CONFIRM: 3275 if (packet[0] != SM_CODE_PAIRING_CONFIRM){ 3276 sm_pdu_received_in_wrong_state(sm_conn); 3277 break; 3278 } 3279 3280 // store s_confirm 3281 reverse_128(&packet[1], setup->sm_peer_confirm); 3282 sm_conn->sm_engine_state = SM_PH2_SEND_PAIRING_RANDOM; 3283 break; 3284 3285 case SM_INITIATOR_PH2_W4_PAIRING_RANDOM: 3286 if (packet[0] != SM_CODE_PAIRING_RANDOM){ 3287 sm_pdu_received_in_wrong_state(sm_conn); 3288 break;; 3289 } 3290 3291 // received random value 3292 reverse_128(&packet[1], setup->sm_peer_random); 3293 sm_conn->sm_engine_state = SM_PH2_C1_GET_ENC_C; 3294 break; 3295 3296 // Responder 3297 case SM_RESPONDER_IDLE: 3298 case SM_RESPONDER_SEND_SECURITY_REQUEST: 3299 case SM_RESPONDER_PH1_W4_PAIRING_REQUEST: 3300 if (packet[0] != SM_CODE_PAIRING_REQUEST){ 3301 sm_pdu_received_in_wrong_state(sm_conn); 3302 break;; 3303 } 3304 3305 // store pairing request 3306 memcpy(&sm_conn->sm_m_preq, packet, sizeof(sm_pairing_packet_t)); 3307 sm_conn->sm_engine_state = SM_RESPONDER_PH1_PAIRING_REQUEST_RECEIVED; 3308 break; 3309 3310 #ifdef ENABLE_LE_SECURE_CONNECTIONS 3311 case SM_SC_W4_PUBLIC_KEY_COMMAND: 3312 if (packet[0] != SM_CODE_PAIRING_PUBLIC_KEY){ 3313 sm_pdu_received_in_wrong_state(sm_conn); 3314 break; 3315 } 3316 3317 // store public key for DH Key calculation 3318 reverse_256(&packet[01], setup->sm_peer_qx); 3319 reverse_256(&packet[33], setup->sm_peer_qy); 3320 3321 #ifdef USE_MBEDTLS_FOR_ECDH 3322 // validate public key 3323 mbedtls_ecp_point Q; 3324 mbedtls_ecp_point_init( &Q ); 3325 mbedtls_mpi_read_binary(&Q.X, setup->sm_peer_qx, 32); 3326 mbedtls_mpi_read_binary(&Q.Y, setup->sm_peer_qy, 32); 3327 mbedtls_mpi_lset(&Q.Z, 1); 3328 err = mbedtls_ecp_check_pubkey(&mbedtls_ec_group, &Q); 3329 mbedtls_ecp_point_free( & Q); 3330 if (err){ 3331 log_error("sm: peer public key invalid %x", err); 3332 // uses "unspecified reason", there is no "public key invalid" error code 3333 sm_pdu_received_in_wrong_state(sm_conn); 3334 break; 3335 } 3336 3337 #endif 3338 if (sm_conn->sm_role){ 3339 // responder 3340 sm_conn->sm_engine_state = SM_SC_SEND_PUBLIC_KEY_COMMAND; 3341 } else { 3342 // initiator 3343 // stk generation method 3344 // passkey entry: notify app to show passkey or to request passkey 3345 switch (setup->sm_stk_generation_method){ 3346 case JUST_WORKS: 3347 case NK_BOTH_INPUT: 3348 sm_conn->sm_engine_state = SM_SC_W4_CONFIRMATION; 3349 break; 3350 case PK_RESP_INPUT: 3351 sm_sc_start_calculating_local_confirm(sm_conn); 3352 break; 3353 case PK_INIT_INPUT: 3354 case OK_BOTH_INPUT: 3355 if (setup->sm_user_response != SM_USER_RESPONSE_PASSKEY){ 3356 sm_conn->sm_engine_state = SM_SC_W4_USER_RESPONSE; 3357 break; 3358 } 3359 sm_sc_start_calculating_local_confirm(sm_conn); 3360 break; 3361 case OOB: 3362 // TODO: implement SC OOB 3363 break; 3364 } 3365 } 3366 break; 3367 3368 case SM_SC_W4_CONFIRMATION: 3369 if (packet[0] != SM_CODE_PAIRING_CONFIRM){ 3370 sm_pdu_received_in_wrong_state(sm_conn); 3371 break; 3372 } 3373 // received confirm value 3374 reverse_128(&packet[1], setup->sm_peer_confirm); 3375 3376 if (sm_conn->sm_role){ 3377 // responder 3378 if (sm_passkey_used(setup->sm_stk_generation_method)){ 3379 if (setup->sm_user_response != SM_USER_RESPONSE_PASSKEY){ 3380 // still waiting for passkey 3381 sm_conn->sm_engine_state = SM_SC_W4_USER_RESPONSE; 3382 break; 3383 } 3384 } 3385 sm_sc_start_calculating_local_confirm(sm_conn); 3386 } else { 3387 // initiator 3388 if (sm_just_works_or_numeric_comparison(setup->sm_stk_generation_method)){ 3389 sm_conn->sm_engine_state = SM_SC_W2_GET_RANDOM_A; 3390 } else { 3391 sm_conn->sm_engine_state = SM_SC_SEND_PAIRING_RANDOM; 3392 } 3393 } 3394 break; 3395 3396 case SM_SC_W4_PAIRING_RANDOM: 3397 if (packet[0] != SM_CODE_PAIRING_RANDOM){ 3398 sm_pdu_received_in_wrong_state(sm_conn); 3399 break; 3400 } 3401 3402 // received random value 3403 reverse_128(&packet[1], setup->sm_peer_nonce); 3404 3405 // validate confirm value if Cb = f4(Pkb, Pka, Nb, z) 3406 // only check for JUST WORK/NC in initiator role AND passkey entry 3407 if (sm_conn->sm_role || sm_passkey_used(setup->sm_stk_generation_method)) { 3408 sm_conn->sm_engine_state = SM_SC_W2_CMAC_FOR_CHECK_CONFIRMATION; 3409 } 3410 3411 sm_sc_state_after_receiving_random(sm_conn); 3412 break; 3413 3414 case SM_SC_W2_CALCULATE_G2: 3415 case SM_SC_W4_CALCULATE_G2: 3416 case SM_SC_W2_CALCULATE_F5_SALT: 3417 case SM_SC_W4_CALCULATE_F5_SALT: 3418 case SM_SC_W2_CALCULATE_F5_MACKEY: 3419 case SM_SC_W4_CALCULATE_F5_MACKEY: 3420 case SM_SC_W2_CALCULATE_F5_LTK: 3421 case SM_SC_W4_CALCULATE_F5_LTK: 3422 case SM_SC_W2_CALCULATE_F6_FOR_DHKEY_CHECK: 3423 case SM_SC_W4_DHKEY_CHECK_COMMAND: 3424 case SM_SC_W4_CALCULATE_F6_FOR_DHKEY_CHECK: 3425 if (packet[0] != SM_CODE_PAIRING_DHKEY_CHECK){ 3426 sm_pdu_received_in_wrong_state(sm_conn); 3427 break; 3428 } 3429 // store DHKey Check 3430 setup->sm_state_vars |= SM_STATE_VAR_DHKEY_COMMAND_RECEIVED; 3431 reverse_128(&packet[01], setup->sm_peer_dhkey_check); 3432 3433 // have we been only waiting for dhkey check command? 3434 if (sm_conn->sm_engine_state == SM_SC_W4_DHKEY_CHECK_COMMAND){ 3435 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F6_TO_VERIFY_DHKEY_CHECK; 3436 } 3437 break; 3438 #endif 3439 3440 case SM_RESPONDER_PH1_W4_PAIRING_CONFIRM: 3441 if (packet[0] != SM_CODE_PAIRING_CONFIRM){ 3442 sm_pdu_received_in_wrong_state(sm_conn); 3443 break; 3444 } 3445 3446 // received confirm value 3447 reverse_128(&packet[1], setup->sm_peer_confirm); 3448 3449 // notify client to hide shown passkey 3450 if (setup->sm_stk_generation_method == PK_INIT_INPUT){ 3451 sm_notify_client_base(SM_EVENT_PASSKEY_DISPLAY_CANCEL, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address); 3452 } 3453 3454 // handle user cancel pairing? 3455 if (setup->sm_user_response == SM_USER_RESPONSE_DECLINE){ 3456 setup->sm_pairing_failed_reason = SM_REASON_PASSKEYT_ENTRY_FAILED; 3457 sm_conn->sm_engine_state = SM_GENERAL_SEND_PAIRING_FAILED; 3458 break; 3459 } 3460 3461 // wait for user action? 3462 if (setup->sm_user_response == SM_USER_RESPONSE_PENDING){ 3463 sm_conn->sm_engine_state = SM_PH1_W4_USER_RESPONSE; 3464 break; 3465 } 3466 3467 // calculate and send local_confirm 3468 sm_conn->sm_engine_state = SM_PH2_C1_GET_RANDOM_A; 3469 break; 3470 3471 case SM_RESPONDER_PH2_W4_PAIRING_RANDOM: 3472 if (packet[0] != SM_CODE_PAIRING_RANDOM){ 3473 sm_pdu_received_in_wrong_state(sm_conn); 3474 break;; 3475 } 3476 3477 // received random value 3478 reverse_128(&packet[1], setup->sm_peer_random); 3479 sm_conn->sm_engine_state = SM_PH2_C1_GET_ENC_C; 3480 break; 3481 3482 case SM_PH3_RECEIVE_KEYS: 3483 switch(packet[0]){ 3484 case SM_CODE_ENCRYPTION_INFORMATION: 3485 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION; 3486 reverse_128(&packet[1], setup->sm_peer_ltk); 3487 break; 3488 3489 case SM_CODE_MASTER_IDENTIFICATION: 3490 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_MASTER_IDENTIFICATION; 3491 setup->sm_peer_ediv = little_endian_read_16(packet, 1); 3492 reverse_64(&packet[3], setup->sm_peer_rand); 3493 break; 3494 3495 case SM_CODE_IDENTITY_INFORMATION: 3496 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_IDENTITY_INFORMATION; 3497 reverse_128(&packet[1], setup->sm_peer_irk); 3498 break; 3499 3500 case SM_CODE_IDENTITY_ADDRESS_INFORMATION: 3501 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION; 3502 setup->sm_peer_addr_type = packet[1]; 3503 reverse_bd_addr(&packet[2], setup->sm_peer_address); 3504 break; 3505 3506 case SM_CODE_SIGNING_INFORMATION: 3507 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION; 3508 reverse_128(&packet[1], setup->sm_peer_csrk); 3509 break; 3510 default: 3511 // Unexpected PDU 3512 log_info("Unexpected PDU %u in SM_PH3_RECEIVE_KEYS", packet[0]); 3513 break; 3514 } 3515 // done with key distribution? 3516 if (sm_key_distribution_all_received(sm_conn)){ 3517 3518 sm_key_distribution_handle_all_received(sm_conn); 3519 3520 if (sm_conn->sm_role){ 3521 if (setup->sm_use_secure_connections && (setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION)){ 3522 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_H6_ILK; 3523 } else { 3524 sm_conn->sm_engine_state = SM_RESPONDER_IDLE; 3525 sm_done_for_handle(sm_conn->sm_handle); 3526 } 3527 } else { 3528 if (setup->sm_use_secure_connections){ 3529 sm_conn->sm_engine_state = SM_PH3_DISTRIBUTE_KEYS; 3530 } else { 3531 sm_conn->sm_engine_state = SM_PH3_GET_RANDOM; 3532 } 3533 } 3534 } 3535 break; 3536 default: 3537 // Unexpected PDU 3538 log_info("Unexpected PDU %u in state %u", packet[0], sm_conn->sm_engine_state); 3539 break; 3540 } 3541 3542 // try to send preparared packet 3543 sm_run(); 3544 } 3545 3546 // Security Manager Client API 3547 void sm_register_oob_data_callback( int (*get_oob_data_callback)(uint8_t addres_type, bd_addr_t addr, uint8_t * oob_data)){ 3548 sm_get_oob_data = get_oob_data_callback; 3549 } 3550 3551 void sm_add_event_handler(btstack_packet_callback_registration_t * callback_handler){ 3552 btstack_linked_list_add_tail(&sm_event_handlers, (btstack_linked_item_t*) callback_handler); 3553 } 3554 3555 void sm_set_accepted_stk_generation_methods(uint8_t accepted_stk_generation_methods){ 3556 sm_accepted_stk_generation_methods = accepted_stk_generation_methods; 3557 } 3558 3559 void sm_set_encryption_key_size_range(uint8_t min_size, uint8_t max_size){ 3560 sm_min_encryption_key_size = min_size; 3561 sm_max_encryption_key_size = max_size; 3562 } 3563 3564 void sm_set_authentication_requirements(uint8_t auth_req){ 3565 sm_auth_req = auth_req; 3566 } 3567 3568 void sm_set_io_capabilities(io_capability_t io_capability){ 3569 sm_io_capabilities = io_capability; 3570 } 3571 3572 void sm_set_request_security(int enable){ 3573 sm_slave_request_security = enable; 3574 } 3575 3576 void sm_set_er(sm_key_t er){ 3577 memcpy(sm_persistent_er, er, 16); 3578 } 3579 3580 void sm_set_ir(sm_key_t ir){ 3581 memcpy(sm_persistent_ir, ir, 16); 3582 } 3583 3584 // Testing support only 3585 void sm_test_set_irk(sm_key_t irk){ 3586 memcpy(sm_persistent_irk, irk, 16); 3587 sm_persistent_irk_ready = 1; 3588 } 3589 3590 void sm_test_use_fixed_local_csrk(void){ 3591 test_use_fixed_local_csrk = 1; 3592 } 3593 3594 void sm_init(void){ 3595 // set some (BTstack default) ER and IR 3596 int i; 3597 sm_key_t er; 3598 sm_key_t ir; 3599 for (i=0;i<16;i++){ 3600 er[i] = 0x30 + i; 3601 ir[i] = 0x90 + i; 3602 } 3603 sm_set_er(er); 3604 sm_set_ir(ir); 3605 // defaults 3606 sm_accepted_stk_generation_methods = SM_STK_GENERATION_METHOD_JUST_WORKS 3607 | SM_STK_GENERATION_METHOD_OOB 3608 | SM_STK_GENERATION_METHOD_PASSKEY 3609 | SM_STK_GENERATION_METHOD_NUMERIC_COMPARISON; 3610 3611 sm_max_encryption_key_size = 16; 3612 sm_min_encryption_key_size = 7; 3613 3614 sm_cmac_state = CMAC_IDLE; 3615 dkg_state = DKG_W4_WORKING; 3616 rau_state = RAU_W4_WORKING; 3617 sm_aes128_state = SM_AES128_IDLE; 3618 sm_address_resolution_test = -1; // no private address to resolve yet 3619 sm_address_resolution_ah_calculation_active = 0; 3620 sm_address_resolution_mode = ADDRESS_RESOLUTION_IDLE; 3621 sm_address_resolution_general_queue = NULL; 3622 3623 gap_random_adress_update_period = 15 * 60 * 1000L; 3624 sm_random_address_set = 0; 3625 sm_active_connection = 0; 3626 3627 test_use_fixed_local_csrk = 0; 3628 3629 // register for HCI Events from HCI 3630 hci_event_callback_registration.callback = &sm_event_packet_handler; 3631 hci_add_event_handler(&hci_event_callback_registration); 3632 3633 // and L2CAP PDUs + L2CAP_EVENT_CAN_SEND_NOW 3634 l2cap_register_fixed_channel(sm_pdu_handler, L2CAP_CID_SECURITY_MANAGER_PROTOCOL); 3635 3636 #ifdef ENABLE_LE_SECURE_CONNECTIONS 3637 ec_key_generation_state = EC_KEY_GENERATION_IDLE; 3638 #endif 3639 3640 #ifdef USE_MBEDTLS_FOR_ECDH 3641 3642 #ifndef HAVE_MALLOC 3643 sm_mbedtls_allocator_init(mbedtls_memory_buffer, sizeof(mbedtls_memory_buffer)); 3644 #endif 3645 mbedtls_ecp_group_init(&mbedtls_ec_group); 3646 mbedtls_ecp_group_load(&mbedtls_ec_group, MBEDTLS_ECP_DP_SECP256R1); 3647 #if 0 3648 // test 3649 sm_test_use_fixed_ec_keypair(); 3650 if (sm_have_ec_keypair){ 3651 printf("test dhkey check\n"); 3652 sm_key256_t dhkey; 3653 memcpy(setup->sm_peer_qx, ec_qx, 32); 3654 memcpy(setup->sm_peer_qy, ec_qy, 32); 3655 sm_sc_calculate_dhkey(dhkey); 3656 } 3657 #endif 3658 #endif 3659 } 3660 3661 void sm_use_fixed_ec_keypair(uint8_t * qx, uint8_t * qy, uint8_t * d){ 3662 #ifdef ENABLE_LE_SECURE_CONNECTIONS 3663 memcpy(ec_qx, qx, 32); 3664 memcpy(ec_qy, qy, 32); 3665 memcpy(ec_d, d, 32); 3666 sm_have_ec_keypair = 1; 3667 ec_key_generation_state = EC_KEY_GENERATION_DONE; 3668 #endif 3669 } 3670 3671 void sm_test_use_fixed_ec_keypair(void){ 3672 #ifdef ENABLE_LE_SECURE_CONNECTIONS 3673 #ifdef USE_MBEDTLS_FOR_ECDH 3674 // use test keypair from spec 3675 mbedtls_mpi x; 3676 mbedtls_mpi_init(&x); 3677 mbedtls_mpi_read_string( &x, 16, "3f49f6d4a3c55f3874c9b3e3d2103f504aff607beb40b7995899b8a6cd3c1abd"); 3678 mbedtls_mpi_write_binary(&x, ec_d, 32); 3679 mbedtls_mpi_read_string( &x, 16, "20b003d2f297be2c5e2c83a7e9f9a5b9eff49111acf4fddbcc0301480e359de6"); 3680 mbedtls_mpi_write_binary(&x, ec_qx, 32); 3681 mbedtls_mpi_read_string( &x, 16, "dc809c49652aeb6d63329abf5a52155c766345c28fed3024741c8ed01589d28b"); 3682 mbedtls_mpi_write_binary(&x, ec_qy, 32); 3683 mbedtls_mpi_free(&x); 3684 #endif 3685 sm_have_ec_keypair = 1; 3686 ec_key_generation_state = EC_KEY_GENERATION_DONE; 3687 #endif 3688 } 3689 3690 static sm_connection_t * sm_get_connection_for_handle(hci_con_handle_t con_handle){ 3691 hci_connection_t * hci_con = hci_connection_for_handle(con_handle); 3692 if (!hci_con) return NULL; 3693 return &hci_con->sm_connection; 3694 } 3695 3696 // @returns 0 if not encrypted, 7-16 otherwise 3697 int sm_encryption_key_size(hci_con_handle_t con_handle){ 3698 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3699 if (!sm_conn) return 0; // wrong connection 3700 if (!sm_conn->sm_connection_encrypted) return 0; 3701 return sm_conn->sm_actual_encryption_key_size; 3702 } 3703 3704 int sm_authenticated(hci_con_handle_t con_handle){ 3705 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3706 if (!sm_conn) return 0; // wrong connection 3707 if (!sm_conn->sm_connection_encrypted) return 0; // unencrypted connection cannot be authenticated 3708 return sm_conn->sm_connection_authenticated; 3709 } 3710 3711 authorization_state_t sm_authorization_state(hci_con_handle_t con_handle){ 3712 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3713 if (!sm_conn) return AUTHORIZATION_UNKNOWN; // wrong connection 3714 if (!sm_conn->sm_connection_encrypted) return AUTHORIZATION_UNKNOWN; // unencrypted connection cannot be authorized 3715 if (!sm_conn->sm_connection_authenticated) return AUTHORIZATION_UNKNOWN; // unauthenticatd connection cannot be authorized 3716 return sm_conn->sm_connection_authorization_state; 3717 } 3718 3719 static void sm_send_security_request_for_connection(sm_connection_t * sm_conn){ 3720 switch (sm_conn->sm_engine_state){ 3721 case SM_GENERAL_IDLE: 3722 case SM_RESPONDER_IDLE: 3723 sm_conn->sm_engine_state = SM_RESPONDER_SEND_SECURITY_REQUEST; 3724 sm_run(); 3725 break; 3726 default: 3727 break; 3728 } 3729 } 3730 3731 /** 3732 * @brief Trigger Security Request 3733 */ 3734 void sm_send_security_request(hci_con_handle_t con_handle){ 3735 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3736 if (!sm_conn) return; 3737 sm_send_security_request_for_connection(sm_conn); 3738 } 3739 3740 // request pairing 3741 void sm_request_pairing(hci_con_handle_t con_handle){ 3742 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3743 if (!sm_conn) return; // wrong connection 3744 3745 log_info("sm_request_pairing in role %u, state %u", sm_conn->sm_role, sm_conn->sm_engine_state); 3746 if (sm_conn->sm_role){ 3747 sm_send_security_request_for_connection(sm_conn); 3748 } else { 3749 // used as a trigger to start central/master/initiator security procedures 3750 uint16_t ediv; 3751 sm_key_t ltk; 3752 if (sm_conn->sm_engine_state == SM_INITIATOR_CONNECTED){ 3753 switch (sm_conn->sm_irk_lookup_state){ 3754 case IRK_LOOKUP_FAILED: 3755 sm_conn->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 3756 break; 3757 case IRK_LOOKUP_SUCCEEDED: 3758 le_device_db_encryption_get(sm_conn->sm_le_db_index, &ediv, NULL, ltk, NULL, NULL, NULL); 3759 if (!sm_is_null_key(ltk) || ediv){ 3760 log_info("sm: Setting up previous ltk/ediv/rand for device index %u", sm_conn->sm_le_db_index); 3761 sm_conn->sm_engine_state = SM_INITIATOR_PH0_HAS_LTK; 3762 } else { 3763 sm_conn->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 3764 } 3765 break; 3766 default: 3767 sm_conn->sm_bonding_requested = 1; 3768 break; 3769 } 3770 } else if (sm_conn->sm_engine_state == SM_GENERAL_IDLE){ 3771 sm_conn->sm_bonding_requested = 1; 3772 } 3773 } 3774 sm_run(); 3775 } 3776 3777 // called by client app on authorization request 3778 void sm_authorization_decline(hci_con_handle_t con_handle){ 3779 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3780 if (!sm_conn) return; // wrong connection 3781 sm_conn->sm_connection_authorization_state = AUTHORIZATION_DECLINED; 3782 sm_notify_client_authorization(SM_EVENT_AUTHORIZATION_RESULT, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address, 0); 3783 } 3784 3785 void sm_authorization_grant(hci_con_handle_t con_handle){ 3786 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3787 if (!sm_conn) return; // wrong connection 3788 sm_conn->sm_connection_authorization_state = AUTHORIZATION_GRANTED; 3789 sm_notify_client_authorization(SM_EVENT_AUTHORIZATION_RESULT, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address, 1); 3790 } 3791 3792 // GAP Bonding API 3793 3794 void sm_bonding_decline(hci_con_handle_t con_handle){ 3795 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3796 if (!sm_conn) return; // wrong connection 3797 setup->sm_user_response = SM_USER_RESPONSE_DECLINE; 3798 3799 if (sm_conn->sm_engine_state == SM_PH1_W4_USER_RESPONSE){ 3800 switch (setup->sm_stk_generation_method){ 3801 case PK_RESP_INPUT: 3802 case PK_INIT_INPUT: 3803 case OK_BOTH_INPUT: 3804 sm_pairing_error(sm_conn, SM_GENERAL_SEND_PAIRING_FAILED); 3805 break; 3806 case NK_BOTH_INPUT: 3807 sm_pairing_error(sm_conn, SM_REASON_NUMERIC_COMPARISON_FAILED); 3808 break; 3809 case JUST_WORKS: 3810 case OOB: 3811 sm_pairing_error(sm_conn, SM_REASON_UNSPECIFIED_REASON); 3812 break; 3813 } 3814 } 3815 sm_run(); 3816 } 3817 3818 void sm_just_works_confirm(hci_con_handle_t con_handle){ 3819 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3820 if (!sm_conn) return; // wrong connection 3821 setup->sm_user_response = SM_USER_RESPONSE_CONFIRM; 3822 if (sm_conn->sm_engine_state == SM_PH1_W4_USER_RESPONSE){ 3823 if (setup->sm_use_secure_connections){ 3824 sm_conn->sm_engine_state = SM_SC_SEND_PUBLIC_KEY_COMMAND; 3825 } else { 3826 sm_conn->sm_engine_state = SM_PH2_C1_GET_RANDOM_A; 3827 } 3828 } 3829 3830 #ifdef ENABLE_LE_SECURE_CONNECTIONS 3831 if (sm_conn->sm_engine_state == SM_SC_W4_USER_RESPONSE){ 3832 sm_sc_prepare_dhkey_check(sm_conn); 3833 } 3834 #endif 3835 3836 sm_run(); 3837 } 3838 3839 void sm_numeric_comparison_confirm(hci_con_handle_t con_handle){ 3840 // for now, it's the same 3841 sm_just_works_confirm(con_handle); 3842 } 3843 3844 void sm_passkey_input(hci_con_handle_t con_handle, uint32_t passkey){ 3845 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3846 if (!sm_conn) return; // wrong connection 3847 sm_reset_tk(); 3848 big_endian_store_32(setup->sm_tk, 12, passkey); 3849 setup->sm_user_response = SM_USER_RESPONSE_PASSKEY; 3850 if (sm_conn->sm_engine_state == SM_PH1_W4_USER_RESPONSE){ 3851 sm_conn->sm_engine_state = SM_PH2_C1_GET_RANDOM_A; 3852 } 3853 #ifdef ENABLE_LE_SECURE_CONNECTIONS 3854 memcpy(setup->sm_ra, setup->sm_tk, 16); 3855 memcpy(setup->sm_rb, setup->sm_tk, 16); 3856 if (sm_conn->sm_engine_state == SM_SC_W4_USER_RESPONSE){ 3857 sm_sc_start_calculating_local_confirm(sm_conn); 3858 } 3859 #endif 3860 sm_run(); 3861 } 3862 3863 void sm_keypress_notification(hci_con_handle_t con_handle, uint8_t action){ 3864 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3865 if (!sm_conn) return; // wrong connection 3866 if (action > SM_KEYPRESS_PASSKEY_ENTRY_COMPLETED) return; 3867 setup->sm_keypress_notification = action; 3868 sm_run(); 3869 } 3870 3871 /** 3872 * @brief Identify device in LE Device DB 3873 * @param handle 3874 * @returns index from le_device_db or -1 if not found/identified 3875 */ 3876 int sm_le_device_index(hci_con_handle_t con_handle ){ 3877 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3878 if (!sm_conn) return -1; 3879 return sm_conn->sm_le_db_index; 3880 } 3881 3882 // GAP LE API 3883 void gap_random_address_set_mode(gap_random_address_type_t random_address_type){ 3884 gap_random_address_update_stop(); 3885 gap_random_adress_type = random_address_type; 3886 if (random_address_type == GAP_RANDOM_ADDRESS_TYPE_OFF) return; 3887 gap_random_address_update_start(); 3888 gap_random_address_trigger(); 3889 } 3890 3891 gap_random_address_type_t gap_random_address_get_mode(void){ 3892 return gap_random_adress_type; 3893 } 3894 3895 void gap_random_address_set_update_period(int period_ms){ 3896 gap_random_adress_update_period = period_ms; 3897 if (gap_random_adress_type == GAP_RANDOM_ADDRESS_TYPE_OFF) return; 3898 gap_random_address_update_stop(); 3899 gap_random_address_update_start(); 3900 } 3901 3902 void gap_random_address_set(bd_addr_t addr){ 3903 gap_random_address_set_mode(GAP_RANDOM_ADDRESS_TYPE_OFF); 3904 memcpy(sm_random_address, addr, 6); 3905 sm_random_address_set = 1; 3906 if (rau_state == RAU_W4_WORKING) return; 3907 rau_state = RAU_SET_ADDRESS; 3908 sm_run(); 3909 } 3910 3911 /* 3912 * @brief Set Advertisement Paramters 3913 * @param adv_int_min 3914 * @param adv_int_max 3915 * @param adv_type 3916 * @param direct_address_type 3917 * @param direct_address 3918 * @param channel_map 3919 * @param filter_policy 3920 * 3921 * @note own_address_type is used from gap_random_address_set_mode 3922 */ 3923 void gap_advertisements_set_params(uint16_t adv_int_min, uint16_t adv_int_max, uint8_t adv_type, 3924 uint8_t direct_address_typ, bd_addr_t direct_address, uint8_t channel_map, uint8_t filter_policy){ 3925 hci_le_advertisements_set_params(adv_int_min, adv_int_max, adv_type, gap_random_adress_type == 0 ? 0 : 1, 3926 direct_address_typ, direct_address, channel_map, filter_policy); 3927 } 3928 3929