1 /* 2 * Copyright (C) 2014 BlueKitchen GmbH 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of the copyright holders nor the names of 14 * contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 4. Any redistribution, use, or modification is done solely for 17 * personal benefit and not for any commercial purpose or for 18 * monetary gain. 19 * 20 * THIS SOFTWARE IS PROVIDED BY BLUEKITCHEN GMBH AND CONTRIBUTORS 21 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 23 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL MATTHIAS 24 * RINGWALD OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 26 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS 27 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 28 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF 30 * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 * 33 * Please inquire about commercial licensing options at 34 * [email protected] 35 * 36 */ 37 38 #include <stdio.h> 39 #include <string.h> 40 #include <inttypes.h> 41 42 #include "ble/le_device_db.h" 43 #include "ble/core.h" 44 #include "ble/sm.h" 45 #include "btstack_debug.h" 46 #include "btstack_event.h" 47 #include "btstack_linked_list.h" 48 #include "btstack_memory.h" 49 #include "gap.h" 50 #include "hci.h" 51 #include "l2cap.h" 52 53 #ifdef ENABLE_LE_SECURE_CONNECTIONS 54 #ifdef HAVE_HCI_CONTROLLER_DHKEY_SUPPORT 55 #error "Support for DHKEY Support in HCI Controller not implemented yet. Please use software implementation" 56 #else 57 #define USE_MBEDTLS_FOR_ECDH 58 #endif 59 #endif 60 61 62 // Software ECDH implementation provided by mbedtls 63 #ifdef USE_MBEDTLS_FOR_ECDH 64 #include "mbedtls/config.h" 65 #include "mbedtls/platform.h" 66 #include "mbedtls/ecp.h" 67 #include "sm_mbedtls_allocator.h" 68 #endif 69 70 // 71 // SM internal types and globals 72 // 73 74 typedef enum { 75 DKG_W4_WORKING, 76 DKG_CALC_IRK, 77 DKG_W4_IRK, 78 DKG_CALC_DHK, 79 DKG_W4_DHK, 80 DKG_READY 81 } derived_key_generation_t; 82 83 typedef enum { 84 RAU_W4_WORKING, 85 RAU_IDLE, 86 RAU_GET_RANDOM, 87 RAU_W4_RANDOM, 88 RAU_GET_ENC, 89 RAU_W4_ENC, 90 RAU_SET_ADDRESS, 91 } random_address_update_t; 92 93 typedef enum { 94 CMAC_IDLE, 95 CMAC_CALC_SUBKEYS, 96 CMAC_W4_SUBKEYS, 97 CMAC_CALC_MI, 98 CMAC_W4_MI, 99 CMAC_CALC_MLAST, 100 CMAC_W4_MLAST 101 } cmac_state_t; 102 103 typedef enum { 104 JUST_WORKS, 105 PK_RESP_INPUT, // Initiator displays PK, responder inputs PK 106 PK_INIT_INPUT, // Responder displays PK, initiator inputs PK 107 OK_BOTH_INPUT, // Only input on both, both input PK 108 NK_BOTH_INPUT, // Only numerical compparison (yes/no) on on both sides 109 OOB // OOB available on both sides 110 } stk_generation_method_t; 111 112 typedef enum { 113 SM_USER_RESPONSE_IDLE, 114 SM_USER_RESPONSE_PENDING, 115 SM_USER_RESPONSE_CONFIRM, 116 SM_USER_RESPONSE_PASSKEY, 117 SM_USER_RESPONSE_DECLINE 118 } sm_user_response_t; 119 120 typedef enum { 121 SM_AES128_IDLE, 122 SM_AES128_ACTIVE 123 } sm_aes128_state_t; 124 125 typedef enum { 126 ADDRESS_RESOLUTION_IDLE, 127 ADDRESS_RESOLUTION_GENERAL, 128 ADDRESS_RESOLUTION_FOR_CONNECTION, 129 } address_resolution_mode_t; 130 131 typedef enum { 132 ADDRESS_RESOLUTION_SUCEEDED, 133 ADDRESS_RESOLUTION_FAILED, 134 } address_resolution_event_t; 135 136 typedef enum { 137 EC_KEY_GENERATION_IDLE, 138 EC_KEY_GENERATION_ACTIVE, 139 EC_KEY_GENERATION_DONE, 140 } ec_key_generation_state_t; 141 142 typedef enum { 143 SM_STATE_VAR_DHKEY_COMMAND_RECEIVED = 1 << 0 144 } sm_state_var_t; 145 146 // 147 // GLOBAL DATA 148 // 149 150 static uint8_t test_use_fixed_local_csrk; 151 152 // configuration 153 static uint8_t sm_accepted_stk_generation_methods; 154 static uint8_t sm_max_encryption_key_size; 155 static uint8_t sm_min_encryption_key_size; 156 static uint8_t sm_auth_req = 0; 157 static uint8_t sm_io_capabilities = IO_CAPABILITY_NO_INPUT_NO_OUTPUT; 158 static uint8_t sm_slave_request_security; 159 #ifdef ENABLE_LE_SECURE_CONNECTIONS 160 static uint8_t sm_have_ec_keypair; 161 #endif 162 163 // Security Manager Master Keys, please use sm_set_er(er) and sm_set_ir(ir) with your own 128 bit random values 164 static sm_key_t sm_persistent_er; 165 static sm_key_t sm_persistent_ir; 166 167 // derived from sm_persistent_ir 168 static sm_key_t sm_persistent_dhk; 169 static sm_key_t sm_persistent_irk; 170 static uint8_t sm_persistent_irk_ready = 0; // used for testing 171 static derived_key_generation_t dkg_state; 172 173 // derived from sm_persistent_er 174 // .. 175 176 // random address update 177 static random_address_update_t rau_state; 178 static bd_addr_t sm_random_address; 179 180 // CMAC Calculation: General 181 static cmac_state_t sm_cmac_state; 182 static uint16_t sm_cmac_message_len; 183 static sm_key_t sm_cmac_k; 184 static sm_key_t sm_cmac_x; 185 static sm_key_t sm_cmac_m_last; 186 static uint8_t sm_cmac_block_current; 187 static uint8_t sm_cmac_block_count; 188 static uint8_t (*sm_cmac_get_byte)(uint16_t offset); 189 static void (*sm_cmac_done_handler)(uint8_t * hash); 190 191 // CMAC for ATT Signed Writes 192 static uint8_t sm_cmac_header[3]; 193 static const uint8_t * sm_cmac_message; 194 static uint8_t sm_cmac_sign_counter[4]; 195 196 // CMAC for Secure Connection functions 197 #ifdef ENABLE_LE_SECURE_CONNECTIONS 198 static sm_connection_t * sm_cmac_connection; 199 static uint8_t sm_cmac_sc_buffer[80]; 200 #endif 201 202 // resolvable private address lookup / CSRK calculation 203 static int sm_address_resolution_test; 204 static int sm_address_resolution_ah_calculation_active; 205 static uint8_t sm_address_resolution_addr_type; 206 static bd_addr_t sm_address_resolution_address; 207 static void * sm_address_resolution_context; 208 static address_resolution_mode_t sm_address_resolution_mode; 209 static btstack_linked_list_t sm_address_resolution_general_queue; 210 211 // aes128 crypto engine. store current sm_connection_t in sm_aes128_context 212 static sm_aes128_state_t sm_aes128_state; 213 static void * sm_aes128_context; 214 215 // random engine. store context (ususally sm_connection_t) 216 static void * sm_random_context; 217 218 // to receive hci events 219 static btstack_packet_callback_registration_t hci_event_callback_registration; 220 221 /* to dispatch sm event */ 222 static btstack_linked_list_t sm_event_handlers; 223 224 225 // Software ECDH implementation provided by mbedtls 226 #ifdef USE_MBEDTLS_FOR_ECDH 227 // group is always valid 228 static mbedtls_ecp_group mbedtls_ec_group; 229 static ec_key_generation_state_t ec_key_generation_state; 230 static uint8_t ec_qx[32]; 231 static uint8_t ec_qy[32]; 232 static uint8_t ec_d[32]; 233 #ifndef HAVE_MALLOC 234 // 4304 bytes with 73 allocations 235 #define MBEDTLS_ALLOC_BUFFER_SIZE (1300+23*sizeof(void *)) 236 static uint8_t mbedtls_memory_buffer[MBEDTLS_ALLOC_BUFFER_SIZE]; 237 #endif 238 #endif 239 240 // 241 // Volume 3, Part H, Chapter 24 242 // "Security shall be initiated by the Security Manager in the device in the master role. 243 // The device in the slave role shall be the responding device." 244 // -> master := initiator, slave := responder 245 // 246 247 // data needed for security setup 248 typedef struct sm_setup_context { 249 250 btstack_timer_source_t sm_timeout; 251 252 // used in all phases 253 uint8_t sm_pairing_failed_reason; 254 255 // user response, (Phase 1 and/or 2) 256 uint8_t sm_user_response; 257 uint8_t sm_keypress_notification; 258 259 // defines which keys will be send after connection is encrypted - calculated during Phase 1, used Phase 3 260 int sm_key_distribution_send_set; 261 int sm_key_distribution_received_set; 262 263 // Phase 2 (Pairing over SMP) 264 stk_generation_method_t sm_stk_generation_method; 265 sm_key_t sm_tk; 266 uint8_t sm_use_secure_connections; 267 268 sm_key_t sm_c1_t3_value; // c1 calculation 269 sm_pairing_packet_t sm_m_preq; // pairing request - needed only for c1 270 sm_pairing_packet_t sm_s_pres; // pairing response - needed only for c1 271 sm_key_t sm_local_random; 272 sm_key_t sm_local_confirm; 273 sm_key_t sm_peer_random; 274 sm_key_t sm_peer_confirm; 275 uint8_t sm_m_addr_type; // address and type can be removed 276 uint8_t sm_s_addr_type; // '' 277 bd_addr_t sm_m_address; // '' 278 bd_addr_t sm_s_address; // '' 279 sm_key_t sm_ltk; 280 281 uint8_t sm_state_vars; 282 #ifdef ENABLE_LE_SECURE_CONNECTIONS 283 uint8_t sm_peer_qx[32]; // also stores random for EC key generation during init 284 uint8_t sm_peer_qy[32]; // '' 285 sm_key_t sm_peer_nonce; // might be combined with sm_peer_random 286 sm_key_t sm_local_nonce; // might be combined with sm_local_random 287 sm_key_t sm_peer_dhkey_check; 288 sm_key_t sm_local_dhkey_check; 289 sm_key_t sm_ra; 290 sm_key_t sm_rb; 291 sm_key_t sm_t; // used for f5 and h6 292 sm_key_t sm_mackey; 293 uint8_t sm_passkey_bit; // also stores number of generated random bytes for EC key generation 294 #endif 295 296 // Phase 3 297 298 // key distribution, we generate 299 uint16_t sm_local_y; 300 uint16_t sm_local_div; 301 uint16_t sm_local_ediv; 302 uint8_t sm_local_rand[8]; 303 sm_key_t sm_local_ltk; 304 sm_key_t sm_local_csrk; 305 sm_key_t sm_local_irk; 306 // sm_local_address/addr_type not needed 307 308 // key distribution, received from peer 309 uint16_t sm_peer_y; 310 uint16_t sm_peer_div; 311 uint16_t sm_peer_ediv; 312 uint8_t sm_peer_rand[8]; 313 sm_key_t sm_peer_ltk; 314 sm_key_t sm_peer_irk; 315 sm_key_t sm_peer_csrk; 316 uint8_t sm_peer_addr_type; 317 bd_addr_t sm_peer_address; 318 319 } sm_setup_context_t; 320 321 // 322 static sm_setup_context_t the_setup; 323 static sm_setup_context_t * setup = &the_setup; 324 325 // active connection - the one for which the_setup is used for 326 static uint16_t sm_active_connection = 0; 327 328 // @returns 1 if oob data is available 329 // stores oob data in provided 16 byte buffer if not null 330 static int (*sm_get_oob_data)(uint8_t addres_type, bd_addr_t addr, uint8_t * oob_data) = NULL; 331 332 // horizontal: initiator capabilities 333 // vertial: responder capabilities 334 static const stk_generation_method_t stk_generation_method [5] [5] = { 335 { JUST_WORKS, JUST_WORKS, PK_INIT_INPUT, JUST_WORKS, PK_INIT_INPUT }, 336 { JUST_WORKS, JUST_WORKS, PK_INIT_INPUT, JUST_WORKS, PK_INIT_INPUT }, 337 { PK_RESP_INPUT, PK_RESP_INPUT, OK_BOTH_INPUT, JUST_WORKS, PK_RESP_INPUT }, 338 { JUST_WORKS, JUST_WORKS, JUST_WORKS, JUST_WORKS, JUST_WORKS }, 339 { PK_RESP_INPUT, PK_RESP_INPUT, PK_INIT_INPUT, JUST_WORKS, PK_RESP_INPUT }, 340 }; 341 342 // uses numeric comparison if one side has DisplayYesNo and KeyboardDisplay combinations 343 #ifdef ENABLE_LE_SECURE_CONNECTIONS 344 static const stk_generation_method_t stk_generation_method_with_secure_connection[5][5] = { 345 { JUST_WORKS, JUST_WORKS, PK_INIT_INPUT, JUST_WORKS, PK_INIT_INPUT }, 346 { JUST_WORKS, NK_BOTH_INPUT, PK_INIT_INPUT, JUST_WORKS, NK_BOTH_INPUT }, 347 { PK_RESP_INPUT, PK_RESP_INPUT, OK_BOTH_INPUT, JUST_WORKS, PK_RESP_INPUT }, 348 { JUST_WORKS, JUST_WORKS, JUST_WORKS, JUST_WORKS, JUST_WORKS }, 349 { PK_RESP_INPUT, NK_BOTH_INPUT, PK_INIT_INPUT, JUST_WORKS, NK_BOTH_INPUT }, 350 }; 351 #endif 352 353 static void sm_run(void); 354 static void sm_done_for_handle(hci_con_handle_t con_handle); 355 static sm_connection_t * sm_get_connection_for_handle(hci_con_handle_t con_handle); 356 static inline int sm_calc_actual_encryption_key_size(int other); 357 static int sm_validate_stk_generation_method(void); 358 static void sm_shift_left_by_one_bit_inplace(int len, uint8_t * data); 359 360 static void log_info_hex16(const char * name, uint16_t value){ 361 log_info("%-6s 0x%04x", name, value); 362 } 363 364 // @returns 1 if all bytes are 0 365 static int sm_is_null(uint8_t * data, int size){ 366 int i; 367 for (i=0; i < size ; i++){ 368 if (data[i]) return 0; 369 } 370 return 1; 371 } 372 373 static int sm_is_null_random(uint8_t random[8]){ 374 return sm_is_null(random, 8); 375 } 376 377 static int sm_is_null_key(uint8_t * key){ 378 return sm_is_null(key, 16); 379 } 380 381 // Key utils 382 static void sm_reset_tk(void){ 383 int i; 384 for (i=0;i<16;i++){ 385 setup->sm_tk[i] = 0; 386 } 387 } 388 389 // "For example, if a 128-bit encryption key is 0x123456789ABCDEF0123456789ABCDEF0 390 // and it is reduced to 7 octets (56 bits), then the resulting key is 0x0000000000000000003456789ABCDEF0."" 391 static void sm_truncate_key(sm_key_t key, int max_encryption_size){ 392 int i; 393 for (i = max_encryption_size ; i < 16 ; i++){ 394 key[15-i] = 0; 395 } 396 } 397 398 // SMP Timeout implementation 399 400 // Upon transmission of the Pairing Request command or reception of the Pairing Request command, 401 // the Security Manager Timer shall be reset and started. 402 // 403 // The Security Manager Timer shall be reset when an L2CAP SMP command is queued for transmission. 404 // 405 // If the Security Manager Timer reaches 30 seconds, the procedure shall be considered to have failed, 406 // and the local higher layer shall be notified. No further SMP commands shall be sent over the L2CAP 407 // Security Manager Channel. A new SM procedure shall only be performed when a new physical link has been 408 // established. 409 410 static void sm_timeout_handler(btstack_timer_source_t * timer){ 411 log_info("SM timeout"); 412 sm_connection_t * sm_conn = (sm_connection_t*) btstack_run_loop_get_timer_context(timer); 413 sm_conn->sm_engine_state = SM_GENERAL_TIMEOUT; 414 sm_done_for_handle(sm_conn->sm_handle); 415 416 // trigger handling of next ready connection 417 sm_run(); 418 } 419 static void sm_timeout_start(sm_connection_t * sm_conn){ 420 btstack_run_loop_remove_timer(&setup->sm_timeout); 421 btstack_run_loop_set_timer_context(&setup->sm_timeout, sm_conn); 422 btstack_run_loop_set_timer_handler(&setup->sm_timeout, sm_timeout_handler); 423 btstack_run_loop_set_timer(&setup->sm_timeout, 30000); // 30 seconds sm timeout 424 btstack_run_loop_add_timer(&setup->sm_timeout); 425 } 426 static void sm_timeout_stop(void){ 427 btstack_run_loop_remove_timer(&setup->sm_timeout); 428 } 429 static void sm_timeout_reset(sm_connection_t * sm_conn){ 430 sm_timeout_stop(); 431 sm_timeout_start(sm_conn); 432 } 433 434 // end of sm timeout 435 436 // GAP Random Address updates 437 static gap_random_address_type_t gap_random_adress_type; 438 static btstack_timer_source_t gap_random_address_update_timer; 439 static uint32_t gap_random_adress_update_period; 440 441 static void gap_random_address_trigger(void){ 442 if (rau_state != RAU_IDLE) return; 443 log_info("gap_random_address_trigger"); 444 rau_state = RAU_GET_RANDOM; 445 sm_run(); 446 } 447 448 static void gap_random_address_update_handler(btstack_timer_source_t * timer){ 449 log_info("GAP Random Address Update due"); 450 btstack_run_loop_set_timer(&gap_random_address_update_timer, gap_random_adress_update_period); 451 btstack_run_loop_add_timer(&gap_random_address_update_timer); 452 gap_random_address_trigger(); 453 } 454 455 static void gap_random_address_update_start(void){ 456 btstack_run_loop_set_timer_handler(&gap_random_address_update_timer, gap_random_address_update_handler); 457 btstack_run_loop_set_timer(&gap_random_address_update_timer, gap_random_adress_update_period); 458 btstack_run_loop_add_timer(&gap_random_address_update_timer); 459 } 460 461 static void gap_random_address_update_stop(void){ 462 btstack_run_loop_remove_timer(&gap_random_address_update_timer); 463 } 464 465 466 static void sm_random_start(void * context){ 467 sm_random_context = context; 468 hci_send_cmd(&hci_le_rand); 469 } 470 471 // pre: sm_aes128_state != SM_AES128_ACTIVE, hci_can_send_command == 1 472 // context is made availabe to aes128 result handler by this 473 static void sm_aes128_start(sm_key_t key, sm_key_t plaintext, void * context){ 474 sm_aes128_state = SM_AES128_ACTIVE; 475 sm_key_t key_flipped, plaintext_flipped; 476 reverse_128(key, key_flipped); 477 reverse_128(plaintext, plaintext_flipped); 478 sm_aes128_context = context; 479 hci_send_cmd(&hci_le_encrypt, key_flipped, plaintext_flipped); 480 } 481 482 // ah(k,r) helper 483 // r = padding || r 484 // r - 24 bit value 485 static void sm_ah_r_prime(uint8_t r[3], sm_key_t r_prime){ 486 // r'= padding || r 487 memset(r_prime, 0, 16); 488 memcpy(&r_prime[13], r, 3); 489 } 490 491 // d1 helper 492 // d' = padding || r || d 493 // d,r - 16 bit values 494 static void sm_d1_d_prime(uint16_t d, uint16_t r, sm_key_t d1_prime){ 495 // d'= padding || r || d 496 memset(d1_prime, 0, 16); 497 big_endian_store_16(d1_prime, 12, r); 498 big_endian_store_16(d1_prime, 14, d); 499 } 500 501 // dm helper 502 // r’ = padding || r 503 // r - 64 bit value 504 static void sm_dm_r_prime(uint8_t r[8], sm_key_t r_prime){ 505 memset(r_prime, 0, 16); 506 memcpy(&r_prime[8], r, 8); 507 } 508 509 // calculate arguments for first AES128 operation in C1 function 510 static void sm_c1_t1(sm_key_t r, uint8_t preq[7], uint8_t pres[7], uint8_t iat, uint8_t rat, sm_key_t t1){ 511 512 // p1 = pres || preq || rat’ || iat’ 513 // "The octet of iat’ becomes the least significant octet of p1 and the most signifi- 514 // cant octet of pres becomes the most significant octet of p1. 515 // For example, if the 8-bit iat’ is 0x01, the 8-bit rat’ is 0x00, the 56-bit preq 516 // is 0x07071000000101 and the 56 bit pres is 0x05000800000302 then 517 // p1 is 0x05000800000302070710000001010001." 518 519 sm_key_t p1; 520 reverse_56(pres, &p1[0]); 521 reverse_56(preq, &p1[7]); 522 p1[14] = rat; 523 p1[15] = iat; 524 log_info_key("p1", p1); 525 log_info_key("r", r); 526 527 // t1 = r xor p1 528 int i; 529 for (i=0;i<16;i++){ 530 t1[i] = r[i] ^ p1[i]; 531 } 532 log_info_key("t1", t1); 533 } 534 535 // calculate arguments for second AES128 operation in C1 function 536 static void sm_c1_t3(sm_key_t t2, bd_addr_t ia, bd_addr_t ra, sm_key_t t3){ 537 // p2 = padding || ia || ra 538 // "The least significant octet of ra becomes the least significant octet of p2 and 539 // the most significant octet of padding becomes the most significant octet of p2. 540 // For example, if 48-bit ia is 0xA1A2A3A4A5A6 and the 48-bit ra is 541 // 0xB1B2B3B4B5B6 then p2 is 0x00000000A1A2A3A4A5A6B1B2B3B4B5B6. 542 543 sm_key_t p2; 544 memset(p2, 0, 16); 545 memcpy(&p2[4], ia, 6); 546 memcpy(&p2[10], ra, 6); 547 log_info_key("p2", p2); 548 549 // c1 = e(k, t2_xor_p2) 550 int i; 551 for (i=0;i<16;i++){ 552 t3[i] = t2[i] ^ p2[i]; 553 } 554 log_info_key("t3", t3); 555 } 556 557 static void sm_s1_r_prime(sm_key_t r1, sm_key_t r2, sm_key_t r_prime){ 558 log_info_key("r1", r1); 559 log_info_key("r2", r2); 560 memcpy(&r_prime[8], &r2[8], 8); 561 memcpy(&r_prime[0], &r1[8], 8); 562 } 563 564 #ifdef ENABLE_LE_SECURE_CONNECTIONS 565 // Software implementations of crypto toolbox for LE Secure Connection 566 // TODO: replace with code to use AES Engine of HCI Controller 567 typedef uint8_t sm_key24_t[3]; 568 typedef uint8_t sm_key56_t[7]; 569 typedef uint8_t sm_key256_t[32]; 570 571 #if 0 572 static void aes128_calc_cyphertext(const uint8_t key[16], const uint8_t plaintext[16], uint8_t cyphertext[16]){ 573 uint32_t rk[RKLENGTH(KEYBITS)]; 574 int nrounds = rijndaelSetupEncrypt(rk, &key[0], KEYBITS); 575 rijndaelEncrypt(rk, nrounds, plaintext, cyphertext); 576 } 577 578 static void calc_subkeys(sm_key_t k0, sm_key_t k1, sm_key_t k2){ 579 memcpy(k1, k0, 16); 580 sm_shift_left_by_one_bit_inplace(16, k1); 581 if (k0[0] & 0x80){ 582 k1[15] ^= 0x87; 583 } 584 memcpy(k2, k1, 16); 585 sm_shift_left_by_one_bit_inplace(16, k2); 586 if (k1[0] & 0x80){ 587 k2[15] ^= 0x87; 588 } 589 } 590 591 static void aes_cmac(sm_key_t aes_cmac, const sm_key_t key, const uint8_t * data, int cmac_message_len){ 592 sm_key_t k0, k1, k2, zero; 593 memset(zero, 0, 16); 594 595 aes128_calc_cyphertext(key, zero, k0); 596 calc_subkeys(k0, k1, k2); 597 598 int cmac_block_count = (cmac_message_len + 15) / 16; 599 600 // step 3: .. 601 if (cmac_block_count==0){ 602 cmac_block_count = 1; 603 } 604 605 // step 4: set m_last 606 sm_key_t cmac_m_last; 607 int sm_cmac_last_block_complete = cmac_message_len != 0 && (cmac_message_len & 0x0f) == 0; 608 int i; 609 if (sm_cmac_last_block_complete){ 610 for (i=0;i<16;i++){ 611 cmac_m_last[i] = data[cmac_message_len - 16 + i] ^ k1[i]; 612 } 613 } else { 614 int valid_octets_in_last_block = cmac_message_len & 0x0f; 615 for (i=0;i<16;i++){ 616 if (i < valid_octets_in_last_block){ 617 cmac_m_last[i] = data[(cmac_message_len & 0xfff0) + i] ^ k2[i]; 618 continue; 619 } 620 if (i == valid_octets_in_last_block){ 621 cmac_m_last[i] = 0x80 ^ k2[i]; 622 continue; 623 } 624 cmac_m_last[i] = k2[i]; 625 } 626 } 627 628 // printf("sm_cmac_start: len %u, block count %u\n", cmac_message_len, cmac_block_count); 629 // LOG_KEY(cmac_m_last); 630 631 // Step 5 632 sm_key_t cmac_x; 633 memset(cmac_x, 0, 16); 634 635 // Step 6 636 sm_key_t sm_cmac_y; 637 for (int block = 0 ; block < cmac_block_count-1 ; block++){ 638 for (i=0;i<16;i++){ 639 sm_cmac_y[i] = cmac_x[i] ^ data[block * 16 + i]; 640 } 641 aes128_calc_cyphertext(key, sm_cmac_y, cmac_x); 642 } 643 for (i=0;i<16;i++){ 644 sm_cmac_y[i] = cmac_x[i] ^ cmac_m_last[i]; 645 } 646 647 // Step 7 648 aes128_calc_cyphertext(key, sm_cmac_y, aes_cmac); 649 } 650 #endif 651 #endif 652 653 static void sm_setup_event_base(uint8_t * event, int event_size, uint8_t type, hci_con_handle_t con_handle, uint8_t addr_type, bd_addr_t address){ 654 event[0] = type; 655 event[1] = event_size - 2; 656 little_endian_store_16(event, 2, con_handle); 657 event[4] = addr_type; 658 reverse_bd_addr(address, &event[5]); 659 } 660 661 static void sm_dispatch_event(uint8_t packet_type, uint16_t channel, uint8_t * packet, uint16_t size){ 662 // dispatch to all event handlers 663 btstack_linked_list_iterator_t it; 664 btstack_linked_list_iterator_init(&it, &sm_event_handlers); 665 while (btstack_linked_list_iterator_has_next(&it)){ 666 btstack_packet_callback_registration_t * entry = (btstack_packet_callback_registration_t*) btstack_linked_list_iterator_next(&it); 667 entry->callback(packet_type, 0, packet, size); 668 } 669 } 670 671 static void sm_notify_client_base(uint8_t type, hci_con_handle_t con_handle, uint8_t addr_type, bd_addr_t address){ 672 uint8_t event[11]; 673 sm_setup_event_base(event, sizeof(event), type, con_handle, addr_type, address); 674 sm_dispatch_event(HCI_EVENT_PACKET, 0, event, sizeof(event)); 675 } 676 677 static void sm_notify_client_passkey(uint8_t type, hci_con_handle_t con_handle, uint8_t addr_type, bd_addr_t address, uint32_t passkey){ 678 uint8_t event[15]; 679 sm_setup_event_base(event, sizeof(event), type, con_handle, addr_type, address); 680 little_endian_store_32(event, 11, passkey); 681 sm_dispatch_event(HCI_EVENT_PACKET, 0, event, sizeof(event)); 682 } 683 684 static void sm_notify_client_index(uint8_t type, hci_con_handle_t con_handle, uint8_t addr_type, bd_addr_t address, uint16_t index){ 685 uint8_t event[13]; 686 sm_setup_event_base(event, sizeof(event), type, con_handle, addr_type, address); 687 little_endian_store_16(event, 11, index); 688 sm_dispatch_event(HCI_EVENT_PACKET, 0, event, sizeof(event)); 689 } 690 691 static void sm_notify_client_authorization(uint8_t type, hci_con_handle_t con_handle, uint8_t addr_type, bd_addr_t address, uint8_t result){ 692 693 uint8_t event[18]; 694 sm_setup_event_base(event, sizeof(event), type, con_handle, addr_type, address); 695 event[11] = result; 696 sm_dispatch_event(HCI_EVENT_PACKET, 0, (uint8_t*) &event, sizeof(event)); 697 } 698 699 // decide on stk generation based on 700 // - pairing request 701 // - io capabilities 702 // - OOB data availability 703 static void sm_setup_tk(void){ 704 705 // default: just works 706 setup->sm_stk_generation_method = JUST_WORKS; 707 708 #ifdef ENABLE_LE_SECURE_CONNECTIONS 709 setup->sm_use_secure_connections = ( sm_pairing_packet_get_auth_req(setup->sm_m_preq) 710 & sm_pairing_packet_get_auth_req(setup->sm_s_pres) 711 & SM_AUTHREQ_SECURE_CONNECTION ) != 0; 712 memset(setup->sm_ra, 0, 16); 713 memset(setup->sm_rb, 0, 16); 714 #else 715 setup->sm_use_secure_connections = 0; 716 #endif 717 718 // If both devices have not set the MITM option in the Authentication Requirements 719 // Flags, then the IO capabilities shall be ignored and the Just Works association 720 // model shall be used. 721 if (((sm_pairing_packet_get_auth_req(setup->sm_m_preq) & SM_AUTHREQ_MITM_PROTECTION) == 0) 722 && ((sm_pairing_packet_get_auth_req(setup->sm_s_pres) & SM_AUTHREQ_MITM_PROTECTION) == 0)){ 723 log_info("SM: MITM not required by both -> JUST WORKS"); 724 return; 725 } 726 727 // TODO: with LE SC, OOB is used to transfer data OOB during pairing, single device with OOB is sufficient 728 729 // If both devices have out of band authentication data, then the Authentication 730 // Requirements Flags shall be ignored when selecting the pairing method and the 731 // Out of Band pairing method shall be used. 732 if (sm_pairing_packet_get_oob_data_flag(setup->sm_m_preq) 733 && sm_pairing_packet_get_oob_data_flag(setup->sm_s_pres)){ 734 log_info("SM: have OOB data"); 735 log_info_key("OOB", setup->sm_tk); 736 setup->sm_stk_generation_method = OOB; 737 return; 738 } 739 740 // Reset TK as it has been setup in sm_init_setup 741 sm_reset_tk(); 742 743 // Also use just works if unknown io capabilites 744 if ((sm_pairing_packet_get_io_capability(setup->sm_m_preq) > IO_CAPABILITY_KEYBOARD_DISPLAY) || (sm_pairing_packet_get_io_capability(setup->sm_s_pres) > IO_CAPABILITY_KEYBOARD_DISPLAY)){ 745 return; 746 } 747 748 // Otherwise the IO capabilities of the devices shall be used to determine the 749 // pairing method as defined in Table 2.4. 750 // see http://stackoverflow.com/a/1052837/393697 for how to specify pointer to 2-dimensional array 751 const stk_generation_method_t (*generation_method)[5] = stk_generation_method; 752 753 #ifdef ENABLE_LE_SECURE_CONNECTIONS 754 // table not define by default 755 if (setup->sm_use_secure_connections){ 756 generation_method = stk_generation_method_with_secure_connection; 757 } 758 #endif 759 setup->sm_stk_generation_method = generation_method[sm_pairing_packet_get_io_capability(setup->sm_s_pres)][sm_pairing_packet_get_io_capability(setup->sm_m_preq)]; 760 761 log_info("sm_setup_tk: master io cap: %u, slave io cap: %u -> method %u", 762 sm_pairing_packet_get_io_capability(setup->sm_m_preq), sm_pairing_packet_get_io_capability(setup->sm_s_pres), setup->sm_stk_generation_method); 763 } 764 765 static int sm_key_distribution_flags_for_set(uint8_t key_set){ 766 int flags = 0; 767 if (key_set & SM_KEYDIST_ENC_KEY){ 768 flags |= SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION; 769 flags |= SM_KEYDIST_FLAG_MASTER_IDENTIFICATION; 770 } 771 if (key_set & SM_KEYDIST_ID_KEY){ 772 flags |= SM_KEYDIST_FLAG_IDENTITY_INFORMATION; 773 flags |= SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION; 774 } 775 if (key_set & SM_KEYDIST_SIGN){ 776 flags |= SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION; 777 } 778 return flags; 779 } 780 781 static void sm_setup_key_distribution(uint8_t key_set){ 782 setup->sm_key_distribution_received_set = 0; 783 setup->sm_key_distribution_send_set = sm_key_distribution_flags_for_set(key_set); 784 } 785 786 // CSRK Key Lookup 787 788 789 static int sm_address_resolution_idle(void){ 790 return sm_address_resolution_mode == ADDRESS_RESOLUTION_IDLE; 791 } 792 793 static void sm_address_resolution_start_lookup(uint8_t addr_type, hci_con_handle_t con_handle, bd_addr_t addr, address_resolution_mode_t mode, void * context){ 794 memcpy(sm_address_resolution_address, addr, 6); 795 sm_address_resolution_addr_type = addr_type; 796 sm_address_resolution_test = 0; 797 sm_address_resolution_mode = mode; 798 sm_address_resolution_context = context; 799 sm_notify_client_base(SM_EVENT_IDENTITY_RESOLVING_STARTED, con_handle, addr_type, addr); 800 } 801 802 int sm_address_resolution_lookup(uint8_t address_type, bd_addr_t address){ 803 // check if already in list 804 btstack_linked_list_iterator_t it; 805 sm_lookup_entry_t * entry; 806 btstack_linked_list_iterator_init(&it, &sm_address_resolution_general_queue); 807 while(btstack_linked_list_iterator_has_next(&it)){ 808 entry = (sm_lookup_entry_t *) btstack_linked_list_iterator_next(&it); 809 if (entry->address_type != address_type) continue; 810 if (memcmp(entry->address, address, 6)) continue; 811 // already in list 812 return BTSTACK_BUSY; 813 } 814 entry = btstack_memory_sm_lookup_entry_get(); 815 if (!entry) return BTSTACK_MEMORY_ALLOC_FAILED; 816 entry->address_type = (bd_addr_type_t) address_type; 817 memcpy(entry->address, address, 6); 818 btstack_linked_list_add(&sm_address_resolution_general_queue, (btstack_linked_item_t *) entry); 819 sm_run(); 820 return 0; 821 } 822 823 // CMAC Implementation using AES128 engine 824 static void sm_shift_left_by_one_bit_inplace(int len, uint8_t * data){ 825 int i; 826 int carry = 0; 827 for (i=len-1; i >= 0 ; i--){ 828 int new_carry = data[i] >> 7; 829 data[i] = data[i] << 1 | carry; 830 carry = new_carry; 831 } 832 } 833 834 // while x_state++ for an enum is possible in C, it isn't in C++. we use this helpers to avoid compile errors for now 835 static inline void sm_next_responding_state(sm_connection_t * sm_conn){ 836 sm_conn->sm_engine_state = (security_manager_state_t) (((int)sm_conn->sm_engine_state) + 1); 837 } 838 static inline void dkg_next_state(void){ 839 dkg_state = (derived_key_generation_t) (((int)dkg_state) + 1); 840 } 841 static inline void rau_next_state(void){ 842 rau_state = (random_address_update_t) (((int)rau_state) + 1); 843 } 844 845 // CMAC calculation using AES Engine 846 847 static inline void sm_cmac_next_state(void){ 848 sm_cmac_state = (cmac_state_t) (((int)sm_cmac_state) + 1); 849 } 850 851 static int sm_cmac_last_block_complete(void){ 852 if (sm_cmac_message_len == 0) return 0; 853 return (sm_cmac_message_len & 0x0f) == 0; 854 } 855 856 int sm_cmac_ready(void){ 857 return sm_cmac_state == CMAC_IDLE; 858 } 859 860 // generic cmac calculation 861 void sm_cmac_general_start(const sm_key_t key, uint16_t message_len, uint8_t (*get_byte_callback)(uint16_t offset), void (*done_callback)(uint8_t hash[8])){ 862 // Generalized CMAC 863 memcpy(sm_cmac_k, key, 16); 864 memset(sm_cmac_x, 0, 16); 865 sm_cmac_block_current = 0; 866 sm_cmac_message_len = message_len; 867 sm_cmac_done_handler = done_callback; 868 sm_cmac_get_byte = get_byte_callback; 869 870 // step 2: n := ceil(len/const_Bsize); 871 sm_cmac_block_count = (sm_cmac_message_len + 15) / 16; 872 873 // step 3: .. 874 if (sm_cmac_block_count==0){ 875 sm_cmac_block_count = 1; 876 } 877 log_info("sm_cmac_general_start: len %u, block count %u", sm_cmac_message_len, sm_cmac_block_count); 878 879 // first, we need to compute l for k1, k2, and m_last 880 sm_cmac_state = CMAC_CALC_SUBKEYS; 881 882 // let's go 883 sm_run(); 884 } 885 886 // cmac for ATT Message signing 887 static uint8_t sm_cmac_signed_write_message_get_byte(uint16_t offset){ 888 if (offset >= sm_cmac_message_len) { 889 log_error("sm_cmac_signed_write_message_get_byte. out of bounds, access %u, len %u", offset, sm_cmac_message_len); 890 return 0; 891 } 892 893 offset = sm_cmac_message_len - 1 - offset; 894 895 // sm_cmac_header[3] | message[] | sm_cmac_sign_counter[4] 896 if (offset < 3){ 897 return sm_cmac_header[offset]; 898 } 899 int actual_message_len_incl_header = sm_cmac_message_len - 4; 900 if (offset < actual_message_len_incl_header){ 901 return sm_cmac_message[offset - 3]; 902 } 903 return sm_cmac_sign_counter[offset - actual_message_len_incl_header]; 904 } 905 906 void sm_cmac_signed_write_start(const sm_key_t k, uint8_t opcode, hci_con_handle_t con_handle, uint16_t message_len, const uint8_t * message, uint32_t sign_counter, void (*done_handler)(uint8_t * hash)){ 907 // ATT Message Signing 908 sm_cmac_header[0] = opcode; 909 little_endian_store_16(sm_cmac_header, 1, con_handle); 910 little_endian_store_32(sm_cmac_sign_counter, 0, sign_counter); 911 uint16_t total_message_len = 3 + message_len + 4; // incl. virtually prepended att opcode, handle and appended sign_counter in LE 912 sm_cmac_message = message; 913 sm_cmac_general_start(k, total_message_len, &sm_cmac_signed_write_message_get_byte, done_handler); 914 } 915 916 917 static void sm_cmac_handle_aes_engine_ready(void){ 918 switch (sm_cmac_state){ 919 case CMAC_CALC_SUBKEYS: { 920 sm_key_t const_zero; 921 memset(const_zero, 0, 16); 922 sm_cmac_next_state(); 923 sm_aes128_start(sm_cmac_k, const_zero, NULL); 924 break; 925 } 926 case CMAC_CALC_MI: { 927 int j; 928 sm_key_t y; 929 for (j=0;j<16;j++){ 930 y[j] = sm_cmac_x[j] ^ sm_cmac_get_byte(sm_cmac_block_current*16 + j); 931 } 932 sm_cmac_block_current++; 933 sm_cmac_next_state(); 934 sm_aes128_start(sm_cmac_k, y, NULL); 935 break; 936 } 937 case CMAC_CALC_MLAST: { 938 int i; 939 sm_key_t y; 940 for (i=0;i<16;i++){ 941 y[i] = sm_cmac_x[i] ^ sm_cmac_m_last[i]; 942 } 943 log_info_key("Y", y); 944 sm_cmac_block_current++; 945 sm_cmac_next_state(); 946 sm_aes128_start(sm_cmac_k, y, NULL); 947 break; 948 } 949 default: 950 log_info("sm_cmac_handle_aes_engine_ready called in state %u", sm_cmac_state); 951 break; 952 } 953 } 954 955 static void sm_cmac_handle_encryption_result(sm_key_t data){ 956 switch (sm_cmac_state){ 957 case CMAC_W4_SUBKEYS: { 958 sm_key_t k1; 959 memcpy(k1, data, 16); 960 sm_shift_left_by_one_bit_inplace(16, k1); 961 if (data[0] & 0x80){ 962 k1[15] ^= 0x87; 963 } 964 sm_key_t k2; 965 memcpy(k2, k1, 16); 966 sm_shift_left_by_one_bit_inplace(16, k2); 967 if (k1[0] & 0x80){ 968 k2[15] ^= 0x87; 969 } 970 971 log_info_key("k", sm_cmac_k); 972 log_info_key("k1", k1); 973 log_info_key("k2", k2); 974 975 // step 4: set m_last 976 int i; 977 if (sm_cmac_last_block_complete()){ 978 for (i=0;i<16;i++){ 979 sm_cmac_m_last[i] = sm_cmac_get_byte(sm_cmac_message_len - 16 + i) ^ k1[i]; 980 } 981 } else { 982 int valid_octets_in_last_block = sm_cmac_message_len & 0x0f; 983 for (i=0;i<16;i++){ 984 if (i < valid_octets_in_last_block){ 985 sm_cmac_m_last[i] = sm_cmac_get_byte((sm_cmac_message_len & 0xfff0) + i) ^ k2[i]; 986 continue; 987 } 988 if (i == valid_octets_in_last_block){ 989 sm_cmac_m_last[i] = 0x80 ^ k2[i]; 990 continue; 991 } 992 sm_cmac_m_last[i] = k2[i]; 993 } 994 } 995 996 // next 997 sm_cmac_state = sm_cmac_block_current < sm_cmac_block_count - 1 ? CMAC_CALC_MI : CMAC_CALC_MLAST; 998 break; 999 } 1000 case CMAC_W4_MI: 1001 memcpy(sm_cmac_x, data, 16); 1002 sm_cmac_state = sm_cmac_block_current < sm_cmac_block_count - 1 ? CMAC_CALC_MI : CMAC_CALC_MLAST; 1003 break; 1004 case CMAC_W4_MLAST: 1005 // done 1006 log_info("Setting CMAC Engine to IDLE"); 1007 sm_cmac_state = CMAC_IDLE; 1008 log_info_key("CMAC", data); 1009 sm_cmac_done_handler(data); 1010 break; 1011 default: 1012 log_info("sm_cmac_handle_encryption_result called in state %u", sm_cmac_state); 1013 break; 1014 } 1015 } 1016 1017 static void sm_trigger_user_response(sm_connection_t * sm_conn){ 1018 // notify client for: JUST WORKS confirm, Numeric comparison confirm, PASSKEY display or input 1019 setup->sm_user_response = SM_USER_RESPONSE_IDLE; 1020 switch (setup->sm_stk_generation_method){ 1021 case PK_RESP_INPUT: 1022 if (sm_conn->sm_role){ 1023 setup->sm_user_response = SM_USER_RESPONSE_PENDING; 1024 sm_notify_client_base(SM_EVENT_PASSKEY_INPUT_NUMBER, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address); 1025 } else { 1026 sm_notify_client_passkey(SM_EVENT_PASSKEY_DISPLAY_NUMBER, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address, big_endian_read_32(setup->sm_tk, 12)); 1027 } 1028 break; 1029 case PK_INIT_INPUT: 1030 if (sm_conn->sm_role){ 1031 sm_notify_client_passkey(SM_EVENT_PASSKEY_DISPLAY_NUMBER, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address, big_endian_read_32(setup->sm_tk, 12)); 1032 } else { 1033 setup->sm_user_response = SM_USER_RESPONSE_PENDING; 1034 sm_notify_client_base(SM_EVENT_PASSKEY_INPUT_NUMBER, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address); 1035 } 1036 break; 1037 case OK_BOTH_INPUT: 1038 setup->sm_user_response = SM_USER_RESPONSE_PENDING; 1039 sm_notify_client_base(SM_EVENT_PASSKEY_INPUT_NUMBER, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address); 1040 break; 1041 case NK_BOTH_INPUT: 1042 setup->sm_user_response = SM_USER_RESPONSE_PENDING; 1043 sm_notify_client_passkey(SM_EVENT_NUMERIC_COMPARISON_REQUEST, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address, big_endian_read_32(setup->sm_tk, 12)); 1044 break; 1045 case JUST_WORKS: 1046 setup->sm_user_response = SM_USER_RESPONSE_PENDING; 1047 sm_notify_client_base(SM_EVENT_JUST_WORKS_REQUEST, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address); 1048 break; 1049 case OOB: 1050 // client already provided OOB data, let's skip notification. 1051 break; 1052 } 1053 } 1054 1055 static int sm_key_distribution_all_received(sm_connection_t * sm_conn){ 1056 int recv_flags; 1057 if (sm_conn->sm_role){ 1058 // slave / responder 1059 recv_flags = sm_key_distribution_flags_for_set(sm_pairing_packet_get_initiator_key_distribution(setup->sm_s_pres)); 1060 } else { 1061 // master / initiator 1062 recv_flags = sm_key_distribution_flags_for_set(sm_pairing_packet_get_responder_key_distribution(setup->sm_s_pres)); 1063 } 1064 log_debug("sm_key_distribution_all_received: received 0x%02x, expecting 0x%02x", setup->sm_key_distribution_received_set, recv_flags); 1065 return recv_flags == setup->sm_key_distribution_received_set; 1066 } 1067 1068 static void sm_done_for_handle(hci_con_handle_t con_handle){ 1069 if (sm_active_connection == con_handle){ 1070 sm_timeout_stop(); 1071 sm_active_connection = 0; 1072 log_info("sm: connection 0x%x released setup context", con_handle); 1073 } 1074 } 1075 1076 static int sm_key_distribution_flags_for_auth_req(void){ 1077 int flags = SM_KEYDIST_ID_KEY | SM_KEYDIST_SIGN; 1078 if (sm_auth_req & SM_AUTHREQ_BONDING){ 1079 // encryption information only if bonding requested 1080 flags |= SM_KEYDIST_ENC_KEY; 1081 } 1082 return flags; 1083 } 1084 1085 static void sm_init_setup(sm_connection_t * sm_conn){ 1086 1087 // fill in sm setup 1088 setup->sm_state_vars = 0; 1089 setup->sm_keypress_notification = 0xff; 1090 sm_reset_tk(); 1091 setup->sm_peer_addr_type = sm_conn->sm_peer_addr_type; 1092 memcpy(setup->sm_peer_address, sm_conn->sm_peer_address, 6); 1093 1094 // query client for OOB data 1095 int have_oob_data = 0; 1096 if (sm_get_oob_data) { 1097 have_oob_data = (*sm_get_oob_data)(sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address, setup->sm_tk); 1098 } 1099 1100 sm_pairing_packet_t * local_packet; 1101 if (sm_conn->sm_role){ 1102 // slave 1103 local_packet = &setup->sm_s_pres; 1104 gap_advertisements_get_address(&setup->sm_s_addr_type, setup->sm_s_address); 1105 setup->sm_m_addr_type = sm_conn->sm_peer_addr_type; 1106 memcpy(setup->sm_m_address, sm_conn->sm_peer_address, 6); 1107 } else { 1108 // master 1109 local_packet = &setup->sm_m_preq; 1110 gap_advertisements_get_address(&setup->sm_m_addr_type, setup->sm_m_address); 1111 setup->sm_s_addr_type = sm_conn->sm_peer_addr_type; 1112 memcpy(setup->sm_s_address, sm_conn->sm_peer_address, 6); 1113 1114 int key_distribution_flags = sm_key_distribution_flags_for_auth_req(); 1115 sm_pairing_packet_set_initiator_key_distribution(setup->sm_m_preq, key_distribution_flags); 1116 sm_pairing_packet_set_responder_key_distribution(setup->sm_m_preq, key_distribution_flags); 1117 } 1118 1119 uint8_t auth_req = sm_auth_req; 1120 sm_pairing_packet_set_io_capability(*local_packet, sm_io_capabilities); 1121 sm_pairing_packet_set_oob_data_flag(*local_packet, have_oob_data); 1122 sm_pairing_packet_set_auth_req(*local_packet, auth_req); 1123 sm_pairing_packet_set_max_encryption_key_size(*local_packet, sm_max_encryption_key_size); 1124 } 1125 1126 static int sm_stk_generation_init(sm_connection_t * sm_conn){ 1127 1128 sm_pairing_packet_t * remote_packet; 1129 int remote_key_request; 1130 if (sm_conn->sm_role){ 1131 // slave / responder 1132 remote_packet = &setup->sm_m_preq; 1133 remote_key_request = sm_pairing_packet_get_responder_key_distribution(setup->sm_m_preq); 1134 } else { 1135 // master / initiator 1136 remote_packet = &setup->sm_s_pres; 1137 remote_key_request = sm_pairing_packet_get_initiator_key_distribution(setup->sm_s_pres); 1138 } 1139 1140 // check key size 1141 sm_conn->sm_actual_encryption_key_size = sm_calc_actual_encryption_key_size(sm_pairing_packet_get_max_encryption_key_size(*remote_packet)); 1142 if (sm_conn->sm_actual_encryption_key_size == 0) return SM_REASON_ENCRYPTION_KEY_SIZE; 1143 1144 // decide on STK generation method 1145 sm_setup_tk(); 1146 log_info("SMP: generation method %u", setup->sm_stk_generation_method); 1147 1148 // check if STK generation method is acceptable by client 1149 if (!sm_validate_stk_generation_method()) return SM_REASON_AUTHENTHICATION_REQUIREMENTS; 1150 1151 // identical to responder 1152 sm_setup_key_distribution(remote_key_request); 1153 1154 // JUST WORKS doens't provide authentication 1155 sm_conn->sm_connection_authenticated = setup->sm_stk_generation_method == JUST_WORKS ? 0 : 1; 1156 1157 return 0; 1158 } 1159 1160 static void sm_address_resolution_handle_event(address_resolution_event_t event){ 1161 1162 // cache and reset context 1163 int matched_device_id = sm_address_resolution_test; 1164 address_resolution_mode_t mode = sm_address_resolution_mode; 1165 void * context = sm_address_resolution_context; 1166 1167 // reset context 1168 sm_address_resolution_mode = ADDRESS_RESOLUTION_IDLE; 1169 sm_address_resolution_context = NULL; 1170 sm_address_resolution_test = -1; 1171 hci_con_handle_t con_handle = 0; 1172 1173 sm_connection_t * sm_connection; 1174 uint16_t ediv; 1175 switch (mode){ 1176 case ADDRESS_RESOLUTION_GENERAL: 1177 break; 1178 case ADDRESS_RESOLUTION_FOR_CONNECTION: 1179 sm_connection = (sm_connection_t *) context; 1180 con_handle = sm_connection->sm_handle; 1181 switch (event){ 1182 case ADDRESS_RESOLUTION_SUCEEDED: 1183 sm_connection->sm_irk_lookup_state = IRK_LOOKUP_SUCCEEDED; 1184 sm_connection->sm_le_db_index = matched_device_id; 1185 log_info("ADDRESS_RESOLUTION_SUCEEDED, index %d", sm_connection->sm_le_db_index); 1186 if (sm_connection->sm_role) break; 1187 if (!sm_connection->sm_bonding_requested && !sm_connection->sm_security_request_received) break; 1188 sm_connection->sm_security_request_received = 0; 1189 sm_connection->sm_bonding_requested = 0; 1190 le_device_db_encryption_get(sm_connection->sm_le_db_index, &ediv, NULL, NULL, NULL, NULL, NULL); 1191 if (ediv){ 1192 sm_connection->sm_engine_state = SM_INITIATOR_PH0_HAS_LTK; 1193 } else { 1194 sm_connection->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 1195 } 1196 break; 1197 case ADDRESS_RESOLUTION_FAILED: 1198 sm_connection->sm_irk_lookup_state = IRK_LOOKUP_FAILED; 1199 if (sm_connection->sm_role) break; 1200 if (!sm_connection->sm_bonding_requested && !sm_connection->sm_security_request_received) break; 1201 sm_connection->sm_security_request_received = 0; 1202 sm_connection->sm_bonding_requested = 0; 1203 sm_connection->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 1204 break; 1205 } 1206 break; 1207 default: 1208 break; 1209 } 1210 1211 switch (event){ 1212 case ADDRESS_RESOLUTION_SUCEEDED: 1213 sm_notify_client_index(SM_EVENT_IDENTITY_RESOLVING_SUCCEEDED, con_handle, sm_address_resolution_addr_type, sm_address_resolution_address, matched_device_id); 1214 break; 1215 case ADDRESS_RESOLUTION_FAILED: 1216 sm_notify_client_base(SM_EVENT_IDENTITY_RESOLVING_FAILED, con_handle, sm_address_resolution_addr_type, sm_address_resolution_address); 1217 break; 1218 } 1219 } 1220 1221 static void sm_key_distribution_handle_all_received(sm_connection_t * sm_conn){ 1222 1223 int le_db_index = -1; 1224 1225 // lookup device based on IRK 1226 if (setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_IDENTITY_INFORMATION){ 1227 int i; 1228 for (i=0; i < le_device_db_count(); i++){ 1229 sm_key_t irk; 1230 bd_addr_t address; 1231 int address_type; 1232 le_device_db_info(i, &address_type, address, irk); 1233 if (memcmp(irk, setup->sm_peer_irk, 16) == 0){ 1234 log_info("sm: device found for IRK, updating"); 1235 le_db_index = i; 1236 break; 1237 } 1238 } 1239 } 1240 1241 // if not found, lookup via public address if possible 1242 log_info("sm peer addr type %u, peer addres %s", setup->sm_peer_addr_type, bd_addr_to_str(setup->sm_peer_address)); 1243 if (le_db_index < 0 && setup->sm_peer_addr_type == BD_ADDR_TYPE_LE_PUBLIC){ 1244 int i; 1245 for (i=0; i < le_device_db_count(); i++){ 1246 bd_addr_t address; 1247 int address_type; 1248 le_device_db_info(i, &address_type, address, NULL); 1249 log_info("device %u, sm peer addr type %u, peer addres %s", i, address_type, bd_addr_to_str(address)); 1250 if (address_type == BD_ADDR_TYPE_LE_PUBLIC && memcmp(address, setup->sm_peer_address, 6) == 0){ 1251 log_info("sm: device found for public address, updating"); 1252 le_db_index = i; 1253 break; 1254 } 1255 } 1256 } 1257 1258 // if not found, add to db 1259 if (le_db_index < 0) { 1260 le_db_index = le_device_db_add(setup->sm_peer_addr_type, setup->sm_peer_address, setup->sm_peer_irk); 1261 } 1262 1263 if (le_db_index >= 0){ 1264 1265 // store local CSRK 1266 if (setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION){ 1267 log_info("sm: store local CSRK"); 1268 le_device_db_local_csrk_set(le_db_index, setup->sm_local_csrk); 1269 le_device_db_local_counter_set(le_db_index, 0); 1270 } 1271 1272 // store remote CSRK 1273 if (setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION){ 1274 log_info("sm: store remote CSRK"); 1275 le_device_db_remote_csrk_set(le_db_index, setup->sm_peer_csrk); 1276 le_device_db_remote_counter_set(le_db_index, 0); 1277 } 1278 1279 // store encryption information if a) secure connections or b) peer LTK, EDIV, RAND have been received 1280 if ((setup->sm_use_secure_connections) 1281 || ( (setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION) 1282 && (setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_MASTER_IDENTIFICATION ))){ 1283 log_info("sm: set encryption information (key size %u, authenticatd %u)", sm_conn->sm_actual_encryption_key_size, sm_conn->sm_connection_authenticated); 1284 le_device_db_encryption_set(le_db_index, setup->sm_peer_ediv, setup->sm_peer_rand, setup->sm_peer_ltk, 1285 sm_conn->sm_actual_encryption_key_size, sm_conn->sm_connection_authenticated, sm_conn->sm_connection_authorization_state == AUTHORIZATION_GRANTED); 1286 } 1287 } 1288 1289 // keep le_db_index 1290 sm_conn->sm_le_db_index = le_db_index; 1291 } 1292 1293 static void sm_pairing_error(sm_connection_t * sm_conn, uint8_t reason){ 1294 setup->sm_pairing_failed_reason = reason; 1295 sm_conn->sm_engine_state = SM_GENERAL_SEND_PAIRING_FAILED; 1296 } 1297 1298 static inline void sm_pdu_received_in_wrong_state(sm_connection_t * sm_conn){ 1299 sm_pairing_error(sm_conn, SM_REASON_UNSPECIFIED_REASON); 1300 } 1301 1302 #ifdef ENABLE_LE_SECURE_CONNECTIONS 1303 1304 static void sm_sc_prepare_dhkey_check(sm_connection_t * sm_conn); 1305 static int sm_passkey_used(stk_generation_method_t method); 1306 static int sm_just_works_or_numeric_comparison(stk_generation_method_t method); 1307 1308 static void sm_log_ec_keypair(void){ 1309 log_info("Elliptic curve: d"); 1310 log_info_hexdump(ec_d,32); 1311 log_info("Elliptic curve: X"); 1312 log_info_hexdump(ec_qx,32); 1313 log_info("Elliptic curve: Y"); 1314 log_info_hexdump(ec_qy,32); 1315 } 1316 1317 static void sm_sc_start_calculating_local_confirm(sm_connection_t * sm_conn){ 1318 if (sm_passkey_used(setup->sm_stk_generation_method)){ 1319 sm_conn->sm_engine_state = SM_SC_W2_GET_RANDOM_A; 1320 } else { 1321 sm_conn->sm_engine_state = SM_SC_W2_CMAC_FOR_CONFIRMATION; 1322 } 1323 } 1324 1325 static void sm_sc_state_after_receiving_random(sm_connection_t * sm_conn){ 1326 if (sm_conn->sm_role){ 1327 // Responder 1328 sm_conn->sm_engine_state = SM_SC_SEND_PAIRING_RANDOM; 1329 } else { 1330 // Initiator role 1331 switch (setup->sm_stk_generation_method){ 1332 case JUST_WORKS: 1333 sm_sc_prepare_dhkey_check(sm_conn); 1334 break; 1335 1336 case NK_BOTH_INPUT: 1337 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_G2; 1338 break; 1339 case PK_INIT_INPUT: 1340 case PK_RESP_INPUT: 1341 case OK_BOTH_INPUT: 1342 if (setup->sm_passkey_bit < 20) { 1343 sm_sc_start_calculating_local_confirm(sm_conn); 1344 } else { 1345 sm_sc_prepare_dhkey_check(sm_conn); 1346 } 1347 break; 1348 case OOB: 1349 // TODO: implement SC OOB 1350 break; 1351 } 1352 } 1353 } 1354 1355 static uint8_t sm_sc_cmac_get_byte(uint16_t offset){ 1356 return sm_cmac_sc_buffer[offset]; 1357 } 1358 1359 static void sm_sc_cmac_done(uint8_t * hash){ 1360 log_info("sm_sc_cmac_done: "); 1361 log_info_hexdump(hash, 16); 1362 1363 sm_connection_t * sm_conn = sm_cmac_connection; 1364 sm_cmac_connection = NULL; 1365 link_key_type_t link_key_type; 1366 1367 switch (sm_conn->sm_engine_state){ 1368 case SM_SC_W4_CMAC_FOR_CONFIRMATION: 1369 memcpy(setup->sm_local_confirm, hash, 16); 1370 sm_conn->sm_engine_state = SM_SC_SEND_CONFIRMATION; 1371 break; 1372 case SM_SC_W4_CMAC_FOR_CHECK_CONFIRMATION: 1373 // check 1374 if (0 != memcmp(hash, setup->sm_peer_confirm, 16)){ 1375 sm_pairing_error(sm_conn, SM_REASON_CONFIRM_VALUE_FAILED); 1376 break; 1377 } 1378 sm_sc_state_after_receiving_random(sm_conn); 1379 break; 1380 case SM_SC_W4_CALCULATE_G2: { 1381 uint32_t vab = big_endian_read_32(hash, 12) % 1000000; 1382 big_endian_store_32(setup->sm_tk, 12, vab); 1383 sm_conn->sm_engine_state = SM_SC_W4_USER_RESPONSE; 1384 sm_trigger_user_response(sm_conn); 1385 break; 1386 } 1387 case SM_SC_W4_CALCULATE_F5_SALT: 1388 memcpy(setup->sm_t, hash, 16); 1389 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F5_MACKEY; 1390 break; 1391 case SM_SC_W4_CALCULATE_F5_MACKEY: 1392 memcpy(setup->sm_mackey, hash, 16); 1393 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F5_LTK; 1394 break; 1395 case SM_SC_W4_CALCULATE_F5_LTK: 1396 // store data for later key storage 1397 setup->sm_peer_ediv = 0; 1398 memset(setup->sm_peer_rand, 0, 8); 1399 memcpy(setup->sm_peer_ltk, hash, 16); 1400 // store generated LTK and continue 1401 memcpy(setup->sm_ltk, hash, 16); 1402 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F6_FOR_DHKEY_CHECK; 1403 break; 1404 case SM_SC_W4_CALCULATE_F6_FOR_DHKEY_CHECK: 1405 memcpy(setup->sm_local_dhkey_check, hash, 16); 1406 if (sm_conn->sm_role){ 1407 // responder 1408 if (setup->sm_state_vars & SM_STATE_VAR_DHKEY_COMMAND_RECEIVED){ 1409 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F6_TO_VERIFY_DHKEY_CHECK; 1410 } else { 1411 sm_conn->sm_engine_state = SM_SC_W4_DHKEY_CHECK_COMMAND; 1412 } 1413 } else { 1414 sm_conn->sm_engine_state = SM_SC_SEND_DHKEY_CHECK_COMMAND; 1415 } 1416 break; 1417 case SM_SC_W4_CALCULATE_F6_TO_VERIFY_DHKEY_CHECK: 1418 if (0 != memcmp(hash, setup->sm_peer_dhkey_check, 16) ){ 1419 sm_pairing_error(sm_conn, SM_REASON_DHKEY_CHECK_FAILED); 1420 break; 1421 } 1422 if (sm_conn->sm_role){ 1423 // responder 1424 sm_conn->sm_engine_state = SM_SC_SEND_DHKEY_CHECK_COMMAND; 1425 } else { 1426 // initiator 1427 sm_conn->sm_engine_state = SM_INITIATOR_PH3_SEND_START_ENCRYPTION; 1428 } 1429 break; 1430 case SM_SC_W4_CALCULATE_H6_ILK: 1431 memcpy(setup->sm_t, hash, 16); 1432 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_H6_BR_EDR_LINK_KEY; 1433 break; 1434 case SM_SC_W4_CALCULATE_H6_BR_EDR_LINK_KEY: 1435 reverse_128(hash, setup->sm_t); 1436 link_key_type = sm_conn->sm_connection_authenticated ? 1437 AUTHENTICATED_COMBINATION_KEY_GENERATED_FROM_P256 : UNAUTHENTICATED_COMBINATION_KEY_GENERATED_FROM_P256; 1438 if (sm_conn->sm_role){ 1439 gap_store_link_key_for_bd_addr(setup->sm_m_address, setup->sm_t, link_key_type); 1440 sm_conn->sm_engine_state = SM_RESPONDER_IDLE; 1441 } else { 1442 gap_store_link_key_for_bd_addr(setup->sm_s_address, setup->sm_t, link_key_type); 1443 sm_conn->sm_engine_state = SM_INITIATOR_CONNECTED; 1444 } 1445 sm_done_for_handle(sm_conn->sm_handle); 1446 break; 1447 default: 1448 log_error("sm_sc_cmac_done in state %u", sm_conn->sm_engine_state); 1449 break; 1450 } 1451 sm_run(); 1452 } 1453 1454 static void f4_engine(sm_connection_t * sm_conn, const sm_key256_t u, const sm_key256_t v, const sm_key_t x, uint8_t z){ 1455 const uint16_t message_len = 65; 1456 sm_cmac_connection = sm_conn; 1457 memcpy(sm_cmac_sc_buffer, u, 32); 1458 memcpy(sm_cmac_sc_buffer+32, v, 32); 1459 sm_cmac_sc_buffer[64] = z; 1460 log_info("f4 key"); 1461 log_info_hexdump(x, 16); 1462 log_info("f4 message"); 1463 log_info_hexdump(sm_cmac_sc_buffer, message_len); 1464 sm_cmac_general_start(x, message_len, &sm_sc_cmac_get_byte, &sm_sc_cmac_done); 1465 } 1466 1467 static const sm_key_t f5_salt = { 0x6C ,0x88, 0x83, 0x91, 0xAA, 0xF5, 0xA5, 0x38, 0x60, 0x37, 0x0B, 0xDB, 0x5A, 0x60, 0x83, 0xBE}; 1468 static const uint8_t f5_key_id[] = { 0x62, 0x74, 0x6c, 0x65 }; 1469 static const uint8_t f5_length[] = { 0x01, 0x00}; 1470 1471 static void sm_sc_calculate_dhkey(sm_key256_t dhkey){ 1472 #ifdef USE_MBEDTLS_FOR_ECDH 1473 // da * Pb 1474 mbedtls_mpi d; 1475 mbedtls_ecp_point Q; 1476 mbedtls_ecp_point DH; 1477 mbedtls_mpi_init(&d); 1478 mbedtls_ecp_point_init(&Q); 1479 mbedtls_ecp_point_init(&DH); 1480 mbedtls_mpi_read_binary(&d, ec_d, 32); 1481 mbedtls_mpi_read_binary(&Q.X, setup->sm_peer_qx, 32); 1482 mbedtls_mpi_read_binary(&Q.Y, setup->sm_peer_qy, 32); 1483 mbedtls_mpi_read_string(&Q.Z, 16, "1" ); 1484 mbedtls_ecp_mul(&mbedtls_ec_group, &DH, &d, &Q, NULL, NULL); 1485 mbedtls_mpi_write_binary(&DH.X, dhkey, 32); 1486 mbedtls_mpi_free(&d); 1487 mbedtls_ecp_point_free(&Q); 1488 mbedtls_ecp_point_free(&DH); 1489 #endif 1490 log_info("dhkey"); 1491 log_info_hexdump(dhkey, 32); 1492 } 1493 1494 static void f5_calculate_salt(sm_connection_t * sm_conn){ 1495 // calculate DHKEY 1496 sm_key256_t dhkey; 1497 sm_sc_calculate_dhkey(dhkey); 1498 1499 // calculate salt for f5 1500 const uint16_t message_len = 32; 1501 sm_cmac_connection = sm_conn; 1502 memcpy(sm_cmac_sc_buffer, dhkey, message_len); 1503 sm_cmac_general_start(f5_salt, message_len, &sm_sc_cmac_get_byte, &sm_sc_cmac_done); 1504 } 1505 1506 static inline void f5_mackkey(sm_connection_t * sm_conn, sm_key_t t, const sm_key_t n1, const sm_key_t n2, const sm_key56_t a1, const sm_key56_t a2){ 1507 const uint16_t message_len = 53; 1508 sm_cmac_connection = sm_conn; 1509 1510 // f5(W, N1, N2, A1, A2) = AES-CMACT (Counter = 0 || keyID || N1 || N2|| A1|| A2 || Length = 256) -- this is the MacKey 1511 sm_cmac_sc_buffer[0] = 0; 1512 memcpy(sm_cmac_sc_buffer+01, f5_key_id, 4); 1513 memcpy(sm_cmac_sc_buffer+05, n1, 16); 1514 memcpy(sm_cmac_sc_buffer+21, n2, 16); 1515 memcpy(sm_cmac_sc_buffer+37, a1, 7); 1516 memcpy(sm_cmac_sc_buffer+44, a2, 7); 1517 memcpy(sm_cmac_sc_buffer+51, f5_length, 2); 1518 log_info("f5 key"); 1519 log_info_hexdump(t, 16); 1520 log_info("f5 message for MacKey"); 1521 log_info_hexdump(sm_cmac_sc_buffer, message_len); 1522 sm_cmac_general_start(t, message_len, &sm_sc_cmac_get_byte, &sm_sc_cmac_done); 1523 } 1524 1525 static void f5_calculate_mackey(sm_connection_t * sm_conn){ 1526 sm_key56_t bd_addr_master, bd_addr_slave; 1527 bd_addr_master[0] = setup->sm_m_addr_type; 1528 bd_addr_slave[0] = setup->sm_s_addr_type; 1529 memcpy(&bd_addr_master[1], setup->sm_m_address, 6); 1530 memcpy(&bd_addr_slave[1], setup->sm_s_address, 6); 1531 if (sm_conn->sm_role){ 1532 // responder 1533 f5_mackkey(sm_conn, setup->sm_t, setup->sm_peer_nonce, setup->sm_local_nonce, bd_addr_master, bd_addr_slave); 1534 } else { 1535 // initiator 1536 f5_mackkey(sm_conn, setup->sm_t, setup->sm_local_nonce, setup->sm_peer_nonce, bd_addr_master, bd_addr_slave); 1537 } 1538 } 1539 1540 // note: must be called right after f5_mackey, as sm_cmac_buffer[1..52] will be reused 1541 static inline void f5_ltk(sm_connection_t * sm_conn, sm_key_t t){ 1542 const uint16_t message_len = 53; 1543 sm_cmac_connection = sm_conn; 1544 sm_cmac_sc_buffer[0] = 1; 1545 // 1..52 setup before 1546 log_info("f5 key"); 1547 log_info_hexdump(t, 16); 1548 log_info("f5 message for LTK"); 1549 log_info_hexdump(sm_cmac_sc_buffer, message_len); 1550 sm_cmac_general_start(t, message_len, &sm_sc_cmac_get_byte, &sm_sc_cmac_done); 1551 } 1552 1553 static void f5_calculate_ltk(sm_connection_t * sm_conn){ 1554 f5_ltk(sm_conn, setup->sm_t); 1555 } 1556 1557 static void f6_engine(sm_connection_t * sm_conn, const sm_key_t w, const sm_key_t n1, const sm_key_t n2, const sm_key_t r, const sm_key24_t io_cap, const sm_key56_t a1, const sm_key56_t a2){ 1558 const uint16_t message_len = 65; 1559 sm_cmac_connection = sm_conn; 1560 memcpy(sm_cmac_sc_buffer, n1, 16); 1561 memcpy(sm_cmac_sc_buffer+16, n2, 16); 1562 memcpy(sm_cmac_sc_buffer+32, r, 16); 1563 memcpy(sm_cmac_sc_buffer+48, io_cap, 3); 1564 memcpy(sm_cmac_sc_buffer+51, a1, 7); 1565 memcpy(sm_cmac_sc_buffer+58, a2, 7); 1566 log_info("f6 key"); 1567 log_info_hexdump(w, 16); 1568 log_info("f6 message"); 1569 log_info_hexdump(sm_cmac_sc_buffer, message_len); 1570 sm_cmac_general_start(w, 65, &sm_sc_cmac_get_byte, &sm_sc_cmac_done); 1571 } 1572 1573 // g2(U, V, X, Y) = AES-CMACX(U || V || Y) mod 2^32 1574 // - U is 256 bits 1575 // - V is 256 bits 1576 // - X is 128 bits 1577 // - Y is 128 bits 1578 static void g2_engine(sm_connection_t * sm_conn, const sm_key256_t u, const sm_key256_t v, const sm_key_t x, const sm_key_t y){ 1579 const uint16_t message_len = 80; 1580 sm_cmac_connection = sm_conn; 1581 memcpy(sm_cmac_sc_buffer, u, 32); 1582 memcpy(sm_cmac_sc_buffer+32, v, 32); 1583 memcpy(sm_cmac_sc_buffer+64, y, 16); 1584 log_info("g2 key"); 1585 log_info_hexdump(x, 16); 1586 log_info("g2 message"); 1587 log_info_hexdump(sm_cmac_sc_buffer, message_len); 1588 sm_cmac_general_start(x, message_len, &sm_sc_cmac_get_byte, &sm_sc_cmac_done); 1589 } 1590 1591 static void g2_calculate(sm_connection_t * sm_conn) { 1592 // calc Va if numeric comparison 1593 if (sm_conn->sm_role){ 1594 // responder 1595 g2_engine(sm_conn, setup->sm_peer_qx, ec_qx, setup->sm_peer_nonce, setup->sm_local_nonce);; 1596 } else { 1597 // initiator 1598 g2_engine(sm_conn, ec_qx, setup->sm_peer_qx, setup->sm_local_nonce, setup->sm_peer_nonce); 1599 } 1600 } 1601 1602 static void sm_sc_calculate_local_confirm(sm_connection_t * sm_conn){ 1603 uint8_t z = 0; 1604 if (setup->sm_stk_generation_method != JUST_WORKS && setup->sm_stk_generation_method != NK_BOTH_INPUT){ 1605 // some form of passkey 1606 uint32_t pk = big_endian_read_32(setup->sm_tk, 12); 1607 z = 0x80 | ((pk >> setup->sm_passkey_bit) & 1); 1608 setup->sm_passkey_bit++; 1609 } 1610 f4_engine(sm_conn, ec_qx, setup->sm_peer_qx, setup->sm_local_nonce, z); 1611 } 1612 1613 static void sm_sc_calculate_remote_confirm(sm_connection_t * sm_conn){ 1614 uint8_t z = 0; 1615 if (setup->sm_stk_generation_method != JUST_WORKS && setup->sm_stk_generation_method != NK_BOTH_INPUT){ 1616 // some form of passkey 1617 uint32_t pk = big_endian_read_32(setup->sm_tk, 12); 1618 // sm_passkey_bit was increased before sending confirm value 1619 z = 0x80 | ((pk >> (setup->sm_passkey_bit-1)) & 1); 1620 } 1621 f4_engine(sm_conn, setup->sm_peer_qx, ec_qx, setup->sm_peer_nonce, z); 1622 } 1623 1624 static void sm_sc_prepare_dhkey_check(sm_connection_t * sm_conn){ 1625 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F5_SALT; 1626 } 1627 1628 static void sm_sc_calculate_f6_for_dhkey_check(sm_connection_t * sm_conn){ 1629 // calculate DHKCheck 1630 sm_key56_t bd_addr_master, bd_addr_slave; 1631 bd_addr_master[0] = setup->sm_m_addr_type; 1632 bd_addr_slave[0] = setup->sm_s_addr_type; 1633 memcpy(&bd_addr_master[1], setup->sm_m_address, 6); 1634 memcpy(&bd_addr_slave[1], setup->sm_s_address, 6); 1635 uint8_t iocap_a[3]; 1636 iocap_a[0] = sm_pairing_packet_get_auth_req(setup->sm_m_preq); 1637 iocap_a[1] = sm_pairing_packet_get_oob_data_flag(setup->sm_m_preq); 1638 iocap_a[2] = sm_pairing_packet_get_io_capability(setup->sm_m_preq); 1639 uint8_t iocap_b[3]; 1640 iocap_b[0] = sm_pairing_packet_get_auth_req(setup->sm_s_pres); 1641 iocap_b[1] = sm_pairing_packet_get_oob_data_flag(setup->sm_s_pres); 1642 iocap_b[2] = sm_pairing_packet_get_io_capability(setup->sm_s_pres); 1643 if (sm_conn->sm_role){ 1644 // responder 1645 f6_engine(sm_conn, setup->sm_mackey, setup->sm_local_nonce, setup->sm_peer_nonce, setup->sm_ra, iocap_b, bd_addr_slave, bd_addr_master); 1646 } else { 1647 // initiator 1648 f6_engine(sm_conn, setup->sm_mackey, setup->sm_local_nonce, setup->sm_peer_nonce, setup->sm_rb, iocap_a, bd_addr_master, bd_addr_slave); 1649 } 1650 } 1651 1652 static void sm_sc_calculate_f6_to_verify_dhkey_check(sm_connection_t * sm_conn){ 1653 // validate E = f6() 1654 sm_key56_t bd_addr_master, bd_addr_slave; 1655 bd_addr_master[0] = setup->sm_m_addr_type; 1656 bd_addr_slave[0] = setup->sm_s_addr_type; 1657 memcpy(&bd_addr_master[1], setup->sm_m_address, 6); 1658 memcpy(&bd_addr_slave[1], setup->sm_s_address, 6); 1659 1660 uint8_t iocap_a[3]; 1661 iocap_a[0] = sm_pairing_packet_get_auth_req(setup->sm_m_preq); 1662 iocap_a[1] = sm_pairing_packet_get_oob_data_flag(setup->sm_m_preq); 1663 iocap_a[2] = sm_pairing_packet_get_io_capability(setup->sm_m_preq); 1664 uint8_t iocap_b[3]; 1665 iocap_b[0] = sm_pairing_packet_get_auth_req(setup->sm_s_pres); 1666 iocap_b[1] = sm_pairing_packet_get_oob_data_flag(setup->sm_s_pres); 1667 iocap_b[2] = sm_pairing_packet_get_io_capability(setup->sm_s_pres); 1668 if (sm_conn->sm_role){ 1669 // responder 1670 f6_engine(sm_conn, setup->sm_mackey, setup->sm_peer_nonce, setup->sm_local_nonce, setup->sm_rb, iocap_a, bd_addr_master, bd_addr_slave); 1671 } else { 1672 // initiator 1673 f6_engine(sm_conn, setup->sm_mackey, setup->sm_peer_nonce, setup->sm_local_nonce, setup->sm_ra, iocap_b, bd_addr_slave, bd_addr_master); 1674 } 1675 } 1676 1677 1678 // 1679 // Link Key Conversion Function h6 1680 // 1681 // h6(W, keyID) = AES-CMACW(keyID) 1682 // - W is 128 bits 1683 // - keyID is 32 bits 1684 static void h6_engine(sm_connection_t * sm_conn, const sm_key_t w, const uint32_t key_id){ 1685 const uint16_t message_len = 4; 1686 sm_cmac_connection = sm_conn; 1687 big_endian_store_32(sm_cmac_sc_buffer, 0, key_id); 1688 log_info("h6 key"); 1689 log_info_hexdump(w, 16); 1690 log_info("h6 message"); 1691 log_info_hexdump(sm_cmac_sc_buffer, message_len); 1692 sm_cmac_general_start(w, message_len, &sm_sc_cmac_get_byte, &sm_sc_cmac_done); 1693 } 1694 1695 static void h6_calculate_ilk(sm_connection_t * sm_conn){ 1696 h6_engine(sm_conn, setup->sm_ltk, 0x746D7031); // "tmp1" 1697 } 1698 1699 static void h6_calculate_br_edr_link_key(sm_connection_t * sm_conn){ 1700 h6_engine(sm_conn, setup->sm_t, 0x6c656272); // "lebr" 1701 } 1702 1703 #endif 1704 1705 // key management legacy connections: 1706 // - potentially two different LTKs based on direction. each device stores LTK provided by peer 1707 // - master stores LTK, EDIV, RAND. responder optionally stored master LTK (only if it needs to reconnect) 1708 // - initiators reconnects: initiator uses stored LTK, EDIV, RAND generated by responder 1709 // - responder reconnects: responder uses LTK receveived from master 1710 1711 // key management secure connections: 1712 // - both devices store same LTK from ECDH key exchange. 1713 1714 static void sm_load_security_info(sm_connection_t * sm_connection){ 1715 int encryption_key_size; 1716 int authenticated; 1717 int authorized; 1718 1719 // fetch data from device db - incl. authenticated/authorized/key size. Note all sm_connection_X require encryption enabled 1720 le_device_db_encryption_get(sm_connection->sm_le_db_index, &setup->sm_peer_ediv, setup->sm_peer_rand, setup->sm_peer_ltk, 1721 &encryption_key_size, &authenticated, &authorized); 1722 log_info("db index %u, key size %u, authenticated %u, authorized %u", sm_connection->sm_le_db_index, encryption_key_size, authenticated, authorized); 1723 sm_connection->sm_actual_encryption_key_size = encryption_key_size; 1724 sm_connection->sm_connection_authenticated = authenticated; 1725 sm_connection->sm_connection_authorization_state = authorized ? AUTHORIZATION_GRANTED : AUTHORIZATION_UNKNOWN; 1726 } 1727 1728 static void sm_run(void){ 1729 1730 btstack_linked_list_iterator_t it; 1731 1732 // assert that we can send at least commands 1733 if (!hci_can_send_command_packet_now()) return; 1734 1735 // 1736 // non-connection related behaviour 1737 // 1738 1739 // distributed key generation 1740 switch (dkg_state){ 1741 case DKG_CALC_IRK: 1742 // already busy? 1743 if (sm_aes128_state == SM_AES128_IDLE) { 1744 // IRK = d1(IR, 1, 0) 1745 sm_key_t d1_prime; 1746 sm_d1_d_prime(1, 0, d1_prime); // plaintext 1747 dkg_next_state(); 1748 sm_aes128_start(sm_persistent_ir, d1_prime, NULL); 1749 return; 1750 } 1751 break; 1752 case DKG_CALC_DHK: 1753 // already busy? 1754 if (sm_aes128_state == SM_AES128_IDLE) { 1755 // DHK = d1(IR, 3, 0) 1756 sm_key_t d1_prime; 1757 sm_d1_d_prime(3, 0, d1_prime); // plaintext 1758 dkg_next_state(); 1759 sm_aes128_start(sm_persistent_ir, d1_prime, NULL); 1760 return; 1761 } 1762 break; 1763 default: 1764 break; 1765 } 1766 1767 #ifdef USE_MBEDTLS_FOR_ECDH 1768 if (ec_key_generation_state == EC_KEY_GENERATION_ACTIVE){ 1769 sm_random_start(NULL); 1770 return; 1771 } 1772 #endif 1773 1774 // random address updates 1775 switch (rau_state){ 1776 case RAU_GET_RANDOM: 1777 rau_next_state(); 1778 sm_random_start(NULL); 1779 return; 1780 case RAU_GET_ENC: 1781 // already busy? 1782 if (sm_aes128_state == SM_AES128_IDLE) { 1783 sm_key_t r_prime; 1784 sm_ah_r_prime(sm_random_address, r_prime); 1785 rau_next_state(); 1786 sm_aes128_start(sm_persistent_irk, r_prime, NULL); 1787 return; 1788 } 1789 break; 1790 case RAU_SET_ADDRESS: 1791 log_info("New random address: %s", bd_addr_to_str(sm_random_address)); 1792 rau_state = RAU_IDLE; 1793 hci_send_cmd(&hci_le_set_random_address, sm_random_address); 1794 return; 1795 default: 1796 break; 1797 } 1798 1799 // CMAC 1800 switch (sm_cmac_state){ 1801 case CMAC_CALC_SUBKEYS: 1802 case CMAC_CALC_MI: 1803 case CMAC_CALC_MLAST: 1804 // already busy? 1805 if (sm_aes128_state == SM_AES128_ACTIVE) break; 1806 sm_cmac_handle_aes_engine_ready(); 1807 return; 1808 default: 1809 break; 1810 } 1811 1812 // CSRK Lookup 1813 // -- if csrk lookup ready, find connection that require csrk lookup 1814 if (sm_address_resolution_idle()){ 1815 hci_connections_get_iterator(&it); 1816 while(btstack_linked_list_iterator_has_next(&it)){ 1817 hci_connection_t * hci_connection = (hci_connection_t *) btstack_linked_list_iterator_next(&it); 1818 sm_connection_t * sm_connection = &hci_connection->sm_connection; 1819 if (sm_connection->sm_irk_lookup_state == IRK_LOOKUP_W4_READY){ 1820 // and start lookup 1821 sm_address_resolution_start_lookup(sm_connection->sm_peer_addr_type, sm_connection->sm_handle, sm_connection->sm_peer_address, ADDRESS_RESOLUTION_FOR_CONNECTION, sm_connection); 1822 sm_connection->sm_irk_lookup_state = IRK_LOOKUP_STARTED; 1823 break; 1824 } 1825 } 1826 } 1827 1828 // -- if csrk lookup ready, resolved addresses for received addresses 1829 if (sm_address_resolution_idle()) { 1830 if (!btstack_linked_list_empty(&sm_address_resolution_general_queue)){ 1831 sm_lookup_entry_t * entry = (sm_lookup_entry_t *) sm_address_resolution_general_queue; 1832 btstack_linked_list_remove(&sm_address_resolution_general_queue, (btstack_linked_item_t *) entry); 1833 sm_address_resolution_start_lookup(entry->address_type, 0, entry->address, ADDRESS_RESOLUTION_GENERAL, NULL); 1834 btstack_memory_sm_lookup_entry_free(entry); 1835 } 1836 } 1837 1838 // -- Continue with CSRK device lookup by public or resolvable private address 1839 if (!sm_address_resolution_idle()){ 1840 log_info("LE Device Lookup: device %u/%u", sm_address_resolution_test, le_device_db_count()); 1841 while (sm_address_resolution_test < le_device_db_count()){ 1842 int addr_type; 1843 bd_addr_t addr; 1844 sm_key_t irk; 1845 le_device_db_info(sm_address_resolution_test, &addr_type, addr, irk); 1846 log_info("device type %u, addr: %s", addr_type, bd_addr_to_str(addr)); 1847 1848 if (sm_address_resolution_addr_type == addr_type && memcmp(addr, sm_address_resolution_address, 6) == 0){ 1849 log_info("LE Device Lookup: found CSRK by { addr_type, address} "); 1850 sm_address_resolution_handle_event(ADDRESS_RESOLUTION_SUCEEDED); 1851 break; 1852 } 1853 1854 if (sm_address_resolution_addr_type == 0){ 1855 sm_address_resolution_test++; 1856 continue; 1857 } 1858 1859 if (sm_aes128_state == SM_AES128_ACTIVE) break; 1860 1861 log_info("LE Device Lookup: calculate AH"); 1862 log_info_key("IRK", irk); 1863 1864 sm_key_t r_prime; 1865 sm_ah_r_prime(sm_address_resolution_address, r_prime); 1866 sm_address_resolution_ah_calculation_active = 1; 1867 sm_aes128_start(irk, r_prime, sm_address_resolution_context); // keep context 1868 return; 1869 } 1870 1871 if (sm_address_resolution_test >= le_device_db_count()){ 1872 log_info("LE Device Lookup: not found"); 1873 sm_address_resolution_handle_event(ADDRESS_RESOLUTION_FAILED); 1874 } 1875 } 1876 1877 1878 // 1879 // active connection handling 1880 // -- use loop to handle next connection if lock on setup context is released 1881 1882 while (1) { 1883 1884 // Find connections that requires setup context and make active if no other is locked 1885 hci_connections_get_iterator(&it); 1886 while(!sm_active_connection && btstack_linked_list_iterator_has_next(&it)){ 1887 hci_connection_t * hci_connection = (hci_connection_t *) btstack_linked_list_iterator_next(&it); 1888 sm_connection_t * sm_connection = &hci_connection->sm_connection; 1889 // - if no connection locked and we're ready/waiting for setup context, fetch it and start 1890 int done = 1; 1891 int err; 1892 switch (sm_connection->sm_engine_state) { 1893 case SM_RESPONDER_SEND_SECURITY_REQUEST: 1894 // send packet if possible, 1895 if (l2cap_can_send_fixed_channel_packet_now(sm_connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL)){ 1896 const uint8_t buffer[2] = { SM_CODE_SECURITY_REQUEST, SM_AUTHREQ_BONDING}; 1897 sm_connection->sm_engine_state = SM_RESPONDER_PH1_W4_PAIRING_REQUEST; 1898 l2cap_send_connectionless(sm_connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 1899 } else { 1900 l2cap_request_can_send_fix_channel_now_event(sm_connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL); 1901 } 1902 // don't lock sxetup context yet 1903 done = 0; 1904 break; 1905 case SM_RESPONDER_PH1_PAIRING_REQUEST_RECEIVED: 1906 sm_init_setup(sm_connection); 1907 // recover pairing request 1908 memcpy(&setup->sm_m_preq, &sm_connection->sm_m_preq, sizeof(sm_pairing_packet_t)); 1909 err = sm_stk_generation_init(sm_connection); 1910 if (err){ 1911 setup->sm_pairing_failed_reason = err; 1912 sm_connection->sm_engine_state = SM_GENERAL_SEND_PAIRING_FAILED; 1913 break; 1914 } 1915 sm_timeout_start(sm_connection); 1916 // generate random number first, if we need to show passkey 1917 if (setup->sm_stk_generation_method == PK_INIT_INPUT){ 1918 sm_connection->sm_engine_state = SM_PH2_GET_RANDOM_TK; 1919 break; 1920 } 1921 sm_connection->sm_engine_state = SM_RESPONDER_PH1_SEND_PAIRING_RESPONSE; 1922 break; 1923 case SM_INITIATOR_PH0_HAS_LTK: 1924 sm_load_security_info(sm_connection); 1925 sm_connection->sm_engine_state = SM_INITIATOR_PH0_SEND_START_ENCRYPTION; 1926 break; 1927 case SM_RESPONDER_PH0_RECEIVED_LTK: 1928 switch (sm_connection->sm_irk_lookup_state){ 1929 case IRK_LOOKUP_SUCCEEDED:{ 1930 sm_load_security_info(sm_connection); 1931 sm_connection->sm_engine_state = SM_RESPONDER_PH2_SEND_LTK_REPLY; 1932 break; 1933 } 1934 case IRK_LOOKUP_FAILED: 1935 // assume that we don't have a LTK for ediv == 0 and random == null 1936 if (sm_connection->sm_local_ediv == 0 && sm_is_null_random(sm_connection->sm_local_rand)){ 1937 log_info("LTK Request: ediv & random are empty"); 1938 sm_connection->sm_engine_state = SM_RESPONDER_PH0_SEND_LTK_REQUESTED_NEGATIVE_REPLY; 1939 // TODO: no need to lock context yet -> done = 0; 1940 break; 1941 } 1942 // re-establish previously used LTK using Rand and EDIV 1943 memcpy(setup->sm_local_rand, sm_connection->sm_local_rand, 8); 1944 setup->sm_local_ediv = sm_connection->sm_local_ediv; 1945 // re-establish used key encryption size 1946 // no db for encryption size hack: encryption size is stored in lowest nibble of setup->sm_local_rand 1947 sm_connection->sm_actual_encryption_key_size = (setup->sm_local_rand[7] & 0x0f) + 1; 1948 // no db for authenticated flag hack: flag is stored in bit 4 of LSB 1949 sm_connection->sm_connection_authenticated = (setup->sm_local_rand[7] & 0x10) >> 4; 1950 log_info("sm: received ltk request with key size %u, authenticated %u", 1951 sm_connection->sm_actual_encryption_key_size, sm_connection->sm_connection_authenticated); 1952 sm_connection->sm_engine_state = SM_RESPONDER_PH4_Y_GET_ENC; 1953 break; 1954 default: 1955 // just wait until IRK lookup is completed 1956 // don't lock sxetup context yet 1957 done = 0; 1958 break; 1959 } 1960 break; 1961 case SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST: 1962 sm_init_setup(sm_connection); 1963 sm_timeout_start(sm_connection); 1964 sm_connection->sm_engine_state = SM_INITIATOR_PH1_SEND_PAIRING_REQUEST; 1965 break; 1966 default: 1967 done = 0; 1968 break; 1969 } 1970 if (done){ 1971 sm_active_connection = sm_connection->sm_handle; 1972 log_info("sm: connection 0x%04x locked setup context as %s", sm_active_connection, sm_connection->sm_role ? "responder" : "initiator"); 1973 } 1974 } 1975 1976 // 1977 // active connection handling 1978 // 1979 1980 if (sm_active_connection == 0) return; 1981 1982 // assert that we could send a SM PDU - not needed for all of the following 1983 if (!l2cap_can_send_fixed_channel_packet_now(sm_active_connection, L2CAP_CID_SECURITY_MANAGER_PROTOCOL)) { 1984 l2cap_request_can_send_fix_channel_now_event(sm_active_connection, L2CAP_CID_SECURITY_MANAGER_PROTOCOL); 1985 return; 1986 } 1987 1988 sm_connection_t * connection = sm_get_connection_for_handle(sm_active_connection); 1989 if (!connection) return; 1990 1991 // send keypress notifications 1992 if (setup->sm_keypress_notification != 0xff){ 1993 uint8_t buffer[2]; 1994 buffer[0] = SM_CODE_KEYPRESS_NOTIFICATION; 1995 buffer[1] = setup->sm_keypress_notification; 1996 setup->sm_keypress_notification = 0xff; 1997 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 1998 } 1999 2000 sm_key_t plaintext; 2001 int key_distribution_flags; 2002 2003 log_info("sm_run: state %u", connection->sm_engine_state); 2004 2005 // responding state 2006 switch (connection->sm_engine_state){ 2007 2008 // general 2009 case SM_GENERAL_SEND_PAIRING_FAILED: { 2010 uint8_t buffer[2]; 2011 buffer[0] = SM_CODE_PAIRING_FAILED; 2012 buffer[1] = setup->sm_pairing_failed_reason; 2013 connection->sm_engine_state = connection->sm_role ? SM_RESPONDER_IDLE : SM_INITIATOR_CONNECTED; 2014 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2015 sm_done_for_handle(connection->sm_handle); 2016 break; 2017 } 2018 2019 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2020 case SM_SC_W2_GET_RANDOM_A: 2021 sm_random_start(connection); 2022 connection->sm_engine_state = SM_SC_W4_GET_RANDOM_A; 2023 break; 2024 case SM_SC_W2_GET_RANDOM_B: 2025 sm_random_start(connection); 2026 connection->sm_engine_state = SM_SC_W4_GET_RANDOM_B; 2027 break; 2028 case SM_SC_W2_CMAC_FOR_CONFIRMATION: 2029 if (!sm_cmac_ready()) break; 2030 connection->sm_engine_state = SM_SC_W4_CMAC_FOR_CONFIRMATION; 2031 sm_sc_calculate_local_confirm(connection); 2032 break; 2033 case SM_SC_W2_CMAC_FOR_CHECK_CONFIRMATION: 2034 if (!sm_cmac_ready()) break; 2035 connection->sm_engine_state = SM_SC_W4_CMAC_FOR_CHECK_CONFIRMATION; 2036 sm_sc_calculate_remote_confirm(connection); 2037 break; 2038 case SM_SC_W2_CALCULATE_F6_FOR_DHKEY_CHECK: 2039 if (!sm_cmac_ready()) break; 2040 connection->sm_engine_state = SM_SC_W4_CALCULATE_F6_FOR_DHKEY_CHECK; 2041 sm_sc_calculate_f6_for_dhkey_check(connection); 2042 break; 2043 case SM_SC_W2_CALCULATE_F6_TO_VERIFY_DHKEY_CHECK: 2044 if (!sm_cmac_ready()) break; 2045 connection->sm_engine_state = SM_SC_W4_CALCULATE_F6_TO_VERIFY_DHKEY_CHECK; 2046 sm_sc_calculate_f6_to_verify_dhkey_check(connection); 2047 break; 2048 case SM_SC_W2_CALCULATE_F5_SALT: 2049 if (!sm_cmac_ready()) break; 2050 connection->sm_engine_state = SM_SC_W4_CALCULATE_F5_SALT; 2051 f5_calculate_salt(connection); 2052 break; 2053 case SM_SC_W2_CALCULATE_F5_MACKEY: 2054 if (!sm_cmac_ready()) break; 2055 connection->sm_engine_state = SM_SC_W4_CALCULATE_F5_MACKEY; 2056 f5_calculate_mackey(connection); 2057 break; 2058 case SM_SC_W2_CALCULATE_F5_LTK: 2059 if (!sm_cmac_ready()) break; 2060 connection->sm_engine_state = SM_SC_W4_CALCULATE_F5_LTK; 2061 f5_calculate_ltk(connection); 2062 break; 2063 case SM_SC_W2_CALCULATE_G2: 2064 if (!sm_cmac_ready()) break; 2065 connection->sm_engine_state = SM_SC_W4_CALCULATE_G2; 2066 g2_calculate(connection); 2067 break; 2068 case SM_SC_W2_CALCULATE_H6_ILK: 2069 if (!sm_cmac_ready()) break; 2070 connection->sm_engine_state = SM_SC_W4_CALCULATE_H6_ILK; 2071 h6_calculate_ilk(connection); 2072 break; 2073 case SM_SC_W2_CALCULATE_H6_BR_EDR_LINK_KEY: 2074 if (!sm_cmac_ready()) break; 2075 connection->sm_engine_state = SM_SC_W4_CALCULATE_H6_BR_EDR_LINK_KEY; 2076 h6_calculate_br_edr_link_key(connection); 2077 break; 2078 2079 #endif 2080 // initiator side 2081 case SM_INITIATOR_PH0_SEND_START_ENCRYPTION: { 2082 sm_key_t peer_ltk_flipped; 2083 reverse_128(setup->sm_peer_ltk, peer_ltk_flipped); 2084 connection->sm_engine_state = SM_INITIATOR_PH0_W4_CONNECTION_ENCRYPTED; 2085 log_info("sm: hci_le_start_encryption ediv 0x%04x", setup->sm_peer_ediv); 2086 uint32_t rand_high = big_endian_read_32(setup->sm_peer_rand, 0); 2087 uint32_t rand_low = big_endian_read_32(setup->sm_peer_rand, 4); 2088 hci_send_cmd(&hci_le_start_encryption, connection->sm_handle,rand_low, rand_high, setup->sm_peer_ediv, peer_ltk_flipped); 2089 return; 2090 } 2091 2092 case SM_INITIATOR_PH1_SEND_PAIRING_REQUEST: 2093 sm_pairing_packet_set_code(setup->sm_m_preq, SM_CODE_PAIRING_REQUEST); 2094 connection->sm_engine_state = SM_INITIATOR_PH1_W4_PAIRING_RESPONSE; 2095 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) &setup->sm_m_preq, sizeof(sm_pairing_packet_t)); 2096 sm_timeout_reset(connection); 2097 break; 2098 2099 // responder side 2100 case SM_RESPONDER_PH0_SEND_LTK_REQUESTED_NEGATIVE_REPLY: 2101 connection->sm_engine_state = SM_RESPONDER_IDLE; 2102 hci_send_cmd(&hci_le_long_term_key_negative_reply, connection->sm_handle); 2103 sm_done_for_handle(connection->sm_handle); 2104 return; 2105 2106 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2107 case SM_SC_SEND_PUBLIC_KEY_COMMAND: { 2108 uint8_t buffer[65]; 2109 buffer[0] = SM_CODE_PAIRING_PUBLIC_KEY; 2110 // 2111 reverse_256(ec_qx, &buffer[1]); 2112 reverse_256(ec_qy, &buffer[33]); 2113 2114 // stk generation method 2115 // passkey entry: notify app to show passkey or to request passkey 2116 switch (setup->sm_stk_generation_method){ 2117 case JUST_WORKS: 2118 case NK_BOTH_INPUT: 2119 if (connection->sm_role){ 2120 // responder 2121 sm_sc_start_calculating_local_confirm(connection); 2122 } else { 2123 // initiator 2124 connection->sm_engine_state = SM_SC_W4_PUBLIC_KEY_COMMAND; 2125 } 2126 break; 2127 case PK_INIT_INPUT: 2128 case PK_RESP_INPUT: 2129 case OK_BOTH_INPUT: 2130 // use random TK for display 2131 memcpy(setup->sm_ra, setup->sm_tk, 16); 2132 memcpy(setup->sm_rb, setup->sm_tk, 16); 2133 setup->sm_passkey_bit = 0; 2134 2135 if (connection->sm_role){ 2136 // responder 2137 connection->sm_engine_state = SM_SC_W4_CONFIRMATION; 2138 } else { 2139 // initiator 2140 connection->sm_engine_state = SM_SC_W4_PUBLIC_KEY_COMMAND; 2141 } 2142 sm_trigger_user_response(connection); 2143 break; 2144 case OOB: 2145 // TODO: implement SC OOB 2146 break; 2147 } 2148 2149 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2150 sm_timeout_reset(connection); 2151 break; 2152 } 2153 case SM_SC_SEND_CONFIRMATION: { 2154 uint8_t buffer[17]; 2155 buffer[0] = SM_CODE_PAIRING_CONFIRM; 2156 reverse_128(setup->sm_local_confirm, &buffer[1]); 2157 if (connection->sm_role){ 2158 connection->sm_engine_state = SM_SC_W4_PAIRING_RANDOM; 2159 } else { 2160 connection->sm_engine_state = SM_SC_W4_CONFIRMATION; 2161 } 2162 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2163 sm_timeout_reset(connection); 2164 break; 2165 } 2166 case SM_SC_SEND_PAIRING_RANDOM: { 2167 uint8_t buffer[17]; 2168 buffer[0] = SM_CODE_PAIRING_RANDOM; 2169 reverse_128(setup->sm_local_nonce, &buffer[1]); 2170 if (setup->sm_stk_generation_method != JUST_WORKS && setup->sm_stk_generation_method != NK_BOTH_INPUT && setup->sm_passkey_bit < 20){ 2171 if (connection->sm_role){ 2172 // responder 2173 connection->sm_engine_state = SM_SC_W4_CONFIRMATION; 2174 } else { 2175 // initiator 2176 connection->sm_engine_state = SM_SC_W4_PAIRING_RANDOM; 2177 } 2178 } else { 2179 if (connection->sm_role){ 2180 // responder 2181 if (setup->sm_stk_generation_method == NK_BOTH_INPUT){ 2182 connection->sm_engine_state = SM_SC_W2_CALCULATE_G2; 2183 } else { 2184 sm_sc_prepare_dhkey_check(connection); 2185 } 2186 } else { 2187 // initiator 2188 connection->sm_engine_state = SM_SC_W4_PAIRING_RANDOM; 2189 } 2190 } 2191 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2192 sm_timeout_reset(connection); 2193 break; 2194 } 2195 case SM_SC_SEND_DHKEY_CHECK_COMMAND: { 2196 uint8_t buffer[17]; 2197 buffer[0] = SM_CODE_PAIRING_DHKEY_CHECK; 2198 reverse_128(setup->sm_local_dhkey_check, &buffer[1]); 2199 2200 if (connection->sm_role){ 2201 connection->sm_engine_state = SM_SC_W4_LTK_REQUEST_SC; 2202 } else { 2203 connection->sm_engine_state = SM_SC_W4_DHKEY_CHECK_COMMAND; 2204 } 2205 2206 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2207 sm_timeout_reset(connection); 2208 break; 2209 } 2210 2211 #endif 2212 case SM_RESPONDER_PH1_SEND_PAIRING_RESPONSE: 2213 // echo initiator for now 2214 sm_pairing_packet_set_code(setup->sm_s_pres,SM_CODE_PAIRING_RESPONSE); 2215 key_distribution_flags = sm_key_distribution_flags_for_auth_req(); 2216 2217 if (setup->sm_use_secure_connections){ 2218 connection->sm_engine_state = SM_SC_W4_PUBLIC_KEY_COMMAND; 2219 // skip LTK/EDIV for SC 2220 log_info("sm: dropping encryption information flag"); 2221 key_distribution_flags &= ~SM_KEYDIST_ENC_KEY; 2222 } else { 2223 connection->sm_engine_state = SM_RESPONDER_PH1_W4_PAIRING_CONFIRM; 2224 } 2225 2226 sm_pairing_packet_set_initiator_key_distribution(setup->sm_s_pres, sm_pairing_packet_get_initiator_key_distribution(setup->sm_m_preq) & key_distribution_flags); 2227 sm_pairing_packet_set_responder_key_distribution(setup->sm_s_pres, sm_pairing_packet_get_responder_key_distribution(setup->sm_m_preq) & key_distribution_flags); 2228 // update key distribution after ENC was dropped 2229 sm_setup_key_distribution(sm_pairing_packet_get_responder_key_distribution(setup->sm_s_pres)); 2230 2231 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) &setup->sm_s_pres, sizeof(sm_pairing_packet_t)); 2232 sm_timeout_reset(connection); 2233 // SC Numeric Comparison will trigger user response after public keys & nonces have been exchanged 2234 if (!setup->sm_use_secure_connections || setup->sm_stk_generation_method == JUST_WORKS){ 2235 sm_trigger_user_response(connection); 2236 } 2237 return; 2238 2239 case SM_PH2_SEND_PAIRING_RANDOM: { 2240 uint8_t buffer[17]; 2241 buffer[0] = SM_CODE_PAIRING_RANDOM; 2242 reverse_128(setup->sm_local_random, &buffer[1]); 2243 if (connection->sm_role){ 2244 connection->sm_engine_state = SM_RESPONDER_PH2_W4_LTK_REQUEST; 2245 } else { 2246 connection->sm_engine_state = SM_INITIATOR_PH2_W4_PAIRING_RANDOM; 2247 } 2248 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2249 sm_timeout_reset(connection); 2250 break; 2251 } 2252 2253 case SM_PH2_GET_RANDOM_TK: 2254 case SM_PH2_C1_GET_RANDOM_A: 2255 case SM_PH2_C1_GET_RANDOM_B: 2256 case SM_PH3_GET_RANDOM: 2257 case SM_PH3_GET_DIV: 2258 sm_next_responding_state(connection); 2259 sm_random_start(connection); 2260 return; 2261 2262 case SM_PH2_C1_GET_ENC_B: 2263 case SM_PH2_C1_GET_ENC_D: 2264 // already busy? 2265 if (sm_aes128_state == SM_AES128_ACTIVE) break; 2266 sm_next_responding_state(connection); 2267 sm_aes128_start(setup->sm_tk, setup->sm_c1_t3_value, connection); 2268 return; 2269 2270 case SM_PH3_LTK_GET_ENC: 2271 case SM_RESPONDER_PH4_LTK_GET_ENC: 2272 // already busy? 2273 if (sm_aes128_state == SM_AES128_IDLE) { 2274 sm_key_t d_prime; 2275 sm_d1_d_prime(setup->sm_local_div, 0, d_prime); 2276 sm_next_responding_state(connection); 2277 sm_aes128_start(sm_persistent_er, d_prime, connection); 2278 return; 2279 } 2280 break; 2281 2282 case SM_PH3_CSRK_GET_ENC: 2283 // already busy? 2284 if (sm_aes128_state == SM_AES128_IDLE) { 2285 sm_key_t d_prime; 2286 sm_d1_d_prime(setup->sm_local_div, 1, d_prime); 2287 sm_next_responding_state(connection); 2288 sm_aes128_start(sm_persistent_er, d_prime, connection); 2289 return; 2290 } 2291 break; 2292 2293 case SM_PH2_C1_GET_ENC_C: 2294 // already busy? 2295 if (sm_aes128_state == SM_AES128_ACTIVE) break; 2296 // calculate m_confirm using aes128 engine - step 1 2297 sm_c1_t1(setup->sm_peer_random, (uint8_t*) &setup->sm_m_preq, (uint8_t*) &setup->sm_s_pres, setup->sm_m_addr_type, setup->sm_s_addr_type, plaintext); 2298 sm_next_responding_state(connection); 2299 sm_aes128_start(setup->sm_tk, plaintext, connection); 2300 break; 2301 case SM_PH2_C1_GET_ENC_A: 2302 // already busy? 2303 if (sm_aes128_state == SM_AES128_ACTIVE) break; 2304 // calculate confirm using aes128 engine - step 1 2305 sm_c1_t1(setup->sm_local_random, (uint8_t*) &setup->sm_m_preq, (uint8_t*) &setup->sm_s_pres, setup->sm_m_addr_type, setup->sm_s_addr_type, plaintext); 2306 sm_next_responding_state(connection); 2307 sm_aes128_start(setup->sm_tk, plaintext, connection); 2308 break; 2309 case SM_PH2_CALC_STK: 2310 // already busy? 2311 if (sm_aes128_state == SM_AES128_ACTIVE) break; 2312 // calculate STK 2313 if (connection->sm_role){ 2314 sm_s1_r_prime(setup->sm_local_random, setup->sm_peer_random, plaintext); 2315 } else { 2316 sm_s1_r_prime(setup->sm_peer_random, setup->sm_local_random, plaintext); 2317 } 2318 sm_next_responding_state(connection); 2319 sm_aes128_start(setup->sm_tk, plaintext, connection); 2320 break; 2321 case SM_PH3_Y_GET_ENC: 2322 // already busy? 2323 if (sm_aes128_state == SM_AES128_ACTIVE) break; 2324 // PH3B2 - calculate Y from - enc 2325 // Y = dm(DHK, Rand) 2326 sm_dm_r_prime(setup->sm_local_rand, plaintext); 2327 sm_next_responding_state(connection); 2328 sm_aes128_start(sm_persistent_dhk, plaintext, connection); 2329 return; 2330 case SM_PH2_C1_SEND_PAIRING_CONFIRM: { 2331 uint8_t buffer[17]; 2332 buffer[0] = SM_CODE_PAIRING_CONFIRM; 2333 reverse_128(setup->sm_local_confirm, &buffer[1]); 2334 if (connection->sm_role){ 2335 connection->sm_engine_state = SM_RESPONDER_PH2_W4_PAIRING_RANDOM; 2336 } else { 2337 connection->sm_engine_state = SM_INITIATOR_PH2_W4_PAIRING_CONFIRM; 2338 } 2339 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2340 sm_timeout_reset(connection); 2341 return; 2342 } 2343 case SM_RESPONDER_PH2_SEND_LTK_REPLY: { 2344 sm_key_t stk_flipped; 2345 reverse_128(setup->sm_ltk, stk_flipped); 2346 connection->sm_engine_state = SM_PH2_W4_CONNECTION_ENCRYPTED; 2347 hci_send_cmd(&hci_le_long_term_key_request_reply, connection->sm_handle, stk_flipped); 2348 return; 2349 } 2350 case SM_INITIATOR_PH3_SEND_START_ENCRYPTION: { 2351 sm_key_t stk_flipped; 2352 reverse_128(setup->sm_ltk, stk_flipped); 2353 connection->sm_engine_state = SM_PH2_W4_CONNECTION_ENCRYPTED; 2354 hci_send_cmd(&hci_le_start_encryption, connection->sm_handle, 0, 0, 0, stk_flipped); 2355 return; 2356 } 2357 case SM_RESPONDER_PH4_SEND_LTK: { 2358 sm_key_t ltk_flipped; 2359 reverse_128(setup->sm_ltk, ltk_flipped); 2360 connection->sm_engine_state = SM_RESPONDER_IDLE; 2361 hci_send_cmd(&hci_le_long_term_key_request_reply, connection->sm_handle, ltk_flipped); 2362 return; 2363 } 2364 case SM_RESPONDER_PH4_Y_GET_ENC: 2365 // already busy? 2366 if (sm_aes128_state == SM_AES128_ACTIVE) break; 2367 log_info("LTK Request: recalculating with ediv 0x%04x", setup->sm_local_ediv); 2368 // Y = dm(DHK, Rand) 2369 sm_dm_r_prime(setup->sm_local_rand, plaintext); 2370 sm_next_responding_state(connection); 2371 sm_aes128_start(sm_persistent_dhk, plaintext, connection); 2372 return; 2373 2374 case SM_PH3_DISTRIBUTE_KEYS: 2375 if (setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION){ 2376 setup->sm_key_distribution_send_set &= ~SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION; 2377 uint8_t buffer[17]; 2378 buffer[0] = SM_CODE_ENCRYPTION_INFORMATION; 2379 reverse_128(setup->sm_ltk, &buffer[1]); 2380 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2381 sm_timeout_reset(connection); 2382 return; 2383 } 2384 if (setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_MASTER_IDENTIFICATION){ 2385 setup->sm_key_distribution_send_set &= ~SM_KEYDIST_FLAG_MASTER_IDENTIFICATION; 2386 uint8_t buffer[11]; 2387 buffer[0] = SM_CODE_MASTER_IDENTIFICATION; 2388 little_endian_store_16(buffer, 1, setup->sm_local_ediv); 2389 reverse_64(setup->sm_local_rand, &buffer[3]); 2390 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2391 sm_timeout_reset(connection); 2392 return; 2393 } 2394 if (setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_IDENTITY_INFORMATION){ 2395 setup->sm_key_distribution_send_set &= ~SM_KEYDIST_FLAG_IDENTITY_INFORMATION; 2396 uint8_t buffer[17]; 2397 buffer[0] = SM_CODE_IDENTITY_INFORMATION; 2398 reverse_128(sm_persistent_irk, &buffer[1]); 2399 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2400 sm_timeout_reset(connection); 2401 return; 2402 } 2403 if (setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION){ 2404 setup->sm_key_distribution_send_set &= ~SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION; 2405 bd_addr_t local_address; 2406 uint8_t buffer[8]; 2407 buffer[0] = SM_CODE_IDENTITY_ADDRESS_INFORMATION; 2408 gap_advertisements_get_address(&buffer[1], local_address); 2409 reverse_bd_addr(local_address, &buffer[2]); 2410 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2411 sm_timeout_reset(connection); 2412 return; 2413 } 2414 if (setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION){ 2415 setup->sm_key_distribution_send_set &= ~SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION; 2416 2417 // hack to reproduce test runs 2418 if (test_use_fixed_local_csrk){ 2419 memset(setup->sm_local_csrk, 0xcc, 16); 2420 } 2421 2422 uint8_t buffer[17]; 2423 buffer[0] = SM_CODE_SIGNING_INFORMATION; 2424 reverse_128(setup->sm_local_csrk, &buffer[1]); 2425 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2426 sm_timeout_reset(connection); 2427 return; 2428 } 2429 2430 // keys are sent 2431 if (connection->sm_role){ 2432 // slave -> receive master keys if any 2433 if (sm_key_distribution_all_received(connection)){ 2434 sm_key_distribution_handle_all_received(connection); 2435 connection->sm_engine_state = SM_RESPONDER_IDLE; 2436 sm_done_for_handle(connection->sm_handle); 2437 } else { 2438 connection->sm_engine_state = SM_PH3_RECEIVE_KEYS; 2439 } 2440 } else { 2441 // master -> all done 2442 connection->sm_engine_state = SM_INITIATOR_CONNECTED; 2443 sm_done_for_handle(connection->sm_handle); 2444 } 2445 break; 2446 2447 default: 2448 break; 2449 } 2450 2451 // check again if active connection was released 2452 if (sm_active_connection) break; 2453 } 2454 } 2455 2456 // note: aes engine is ready as we just got the aes result 2457 static void sm_handle_encryption_result(uint8_t * data){ 2458 2459 sm_aes128_state = SM_AES128_IDLE; 2460 2461 if (sm_address_resolution_ah_calculation_active){ 2462 sm_address_resolution_ah_calculation_active = 0; 2463 // compare calulated address against connecting device 2464 uint8_t hash[3]; 2465 reverse_24(data, hash); 2466 if (memcmp(&sm_address_resolution_address[3], hash, 3) == 0){ 2467 log_info("LE Device Lookup: matched resolvable private address"); 2468 sm_address_resolution_handle_event(ADDRESS_RESOLUTION_SUCEEDED); 2469 return; 2470 } 2471 // no match, try next 2472 sm_address_resolution_test++; 2473 return; 2474 } 2475 2476 switch (dkg_state){ 2477 case DKG_W4_IRK: 2478 reverse_128(data, sm_persistent_irk); 2479 log_info_key("irk", sm_persistent_irk); 2480 dkg_next_state(); 2481 return; 2482 case DKG_W4_DHK: 2483 reverse_128(data, sm_persistent_dhk); 2484 log_info_key("dhk", sm_persistent_dhk); 2485 dkg_next_state(); 2486 // SM Init Finished 2487 return; 2488 default: 2489 break; 2490 } 2491 2492 switch (rau_state){ 2493 case RAU_W4_ENC: 2494 reverse_24(data, &sm_random_address[3]); 2495 rau_next_state(); 2496 return; 2497 default: 2498 break; 2499 } 2500 2501 switch (sm_cmac_state){ 2502 case CMAC_W4_SUBKEYS: 2503 case CMAC_W4_MI: 2504 case CMAC_W4_MLAST: 2505 { 2506 sm_key_t t; 2507 reverse_128(data, t); 2508 sm_cmac_handle_encryption_result(t); 2509 } 2510 return; 2511 default: 2512 break; 2513 } 2514 2515 // retrieve sm_connection provided to sm_aes128_start_encryption 2516 sm_connection_t * connection = (sm_connection_t*) sm_aes128_context; 2517 if (!connection) return; 2518 switch (connection->sm_engine_state){ 2519 case SM_PH2_C1_W4_ENC_A: 2520 case SM_PH2_C1_W4_ENC_C: 2521 { 2522 sm_key_t t2; 2523 reverse_128(data, t2); 2524 sm_c1_t3(t2, setup->sm_m_address, setup->sm_s_address, setup->sm_c1_t3_value); 2525 } 2526 sm_next_responding_state(connection); 2527 return; 2528 case SM_PH2_C1_W4_ENC_B: 2529 reverse_128(data, setup->sm_local_confirm); 2530 log_info_key("c1!", setup->sm_local_confirm); 2531 connection->sm_engine_state = SM_PH2_C1_SEND_PAIRING_CONFIRM; 2532 return; 2533 case SM_PH2_C1_W4_ENC_D: 2534 { 2535 sm_key_t peer_confirm_test; 2536 reverse_128(data, peer_confirm_test); 2537 log_info_key("c1!", peer_confirm_test); 2538 if (memcmp(setup->sm_peer_confirm, peer_confirm_test, 16) != 0){ 2539 setup->sm_pairing_failed_reason = SM_REASON_CONFIRM_VALUE_FAILED; 2540 connection->sm_engine_state = SM_GENERAL_SEND_PAIRING_FAILED; 2541 return; 2542 } 2543 if (connection->sm_role){ 2544 connection->sm_engine_state = SM_PH2_SEND_PAIRING_RANDOM; 2545 } else { 2546 connection->sm_engine_state = SM_PH2_CALC_STK; 2547 } 2548 } 2549 return; 2550 case SM_PH2_W4_STK: 2551 reverse_128(data, setup->sm_ltk); 2552 sm_truncate_key(setup->sm_ltk, connection->sm_actual_encryption_key_size); 2553 log_info_key("stk", setup->sm_ltk); 2554 if (connection->sm_role){ 2555 connection->sm_engine_state = SM_RESPONDER_PH2_SEND_LTK_REPLY; 2556 } else { 2557 connection->sm_engine_state = SM_INITIATOR_PH3_SEND_START_ENCRYPTION; 2558 } 2559 return; 2560 case SM_PH3_Y_W4_ENC:{ 2561 sm_key_t y128; 2562 reverse_128(data, y128); 2563 setup->sm_local_y = big_endian_read_16(y128, 14); 2564 log_info_hex16("y", setup->sm_local_y); 2565 // PH3B3 - calculate EDIV 2566 setup->sm_local_ediv = setup->sm_local_y ^ setup->sm_local_div; 2567 log_info_hex16("ediv", setup->sm_local_ediv); 2568 // PH3B4 - calculate LTK - enc 2569 // LTK = d1(ER, DIV, 0)) 2570 connection->sm_engine_state = SM_PH3_LTK_GET_ENC; 2571 return; 2572 } 2573 case SM_RESPONDER_PH4_Y_W4_ENC:{ 2574 sm_key_t y128; 2575 reverse_128(data, y128); 2576 setup->sm_local_y = big_endian_read_16(y128, 14); 2577 log_info_hex16("y", setup->sm_local_y); 2578 2579 // PH3B3 - calculate DIV 2580 setup->sm_local_div = setup->sm_local_y ^ setup->sm_local_ediv; 2581 log_info_hex16("ediv", setup->sm_local_ediv); 2582 // PH3B4 - calculate LTK - enc 2583 // LTK = d1(ER, DIV, 0)) 2584 connection->sm_engine_state = SM_RESPONDER_PH4_LTK_GET_ENC; 2585 return; 2586 } 2587 case SM_PH3_LTK_W4_ENC: 2588 reverse_128(data, setup->sm_ltk); 2589 log_info_key("ltk", setup->sm_ltk); 2590 // calc CSRK next 2591 connection->sm_engine_state = SM_PH3_CSRK_GET_ENC; 2592 return; 2593 case SM_PH3_CSRK_W4_ENC: 2594 reverse_128(data, setup->sm_local_csrk); 2595 log_info_key("csrk", setup->sm_local_csrk); 2596 if (setup->sm_key_distribution_send_set){ 2597 connection->sm_engine_state = SM_PH3_DISTRIBUTE_KEYS; 2598 } else { 2599 // no keys to send, just continue 2600 if (connection->sm_role){ 2601 // slave -> receive master keys 2602 connection->sm_engine_state = SM_PH3_RECEIVE_KEYS; 2603 } else { 2604 if (setup->sm_use_secure_connections && (setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION)){ 2605 connection->sm_engine_state = SM_SC_W2_CALCULATE_H6_ILK; 2606 } else { 2607 // master -> all done 2608 connection->sm_engine_state = SM_INITIATOR_CONNECTED; 2609 sm_done_for_handle(connection->sm_handle); 2610 } 2611 } 2612 } 2613 return; 2614 case SM_RESPONDER_PH4_LTK_W4_ENC: 2615 reverse_128(data, setup->sm_ltk); 2616 sm_truncate_key(setup->sm_ltk, connection->sm_actual_encryption_key_size); 2617 log_info_key("ltk", setup->sm_ltk); 2618 connection->sm_engine_state = SM_RESPONDER_PH4_SEND_LTK; 2619 return; 2620 default: 2621 break; 2622 } 2623 } 2624 2625 #ifdef USE_MBEDTLS_FOR_ECDH 2626 2627 static int sm_generate_f_rng(void * context, unsigned char * buffer, size_t size){ 2628 int offset = setup->sm_passkey_bit; 2629 log_info("sm_generate_f_rng: size %u - offset %u", (int) size, offset); 2630 while (size) { 2631 if (offset < 32){ 2632 *buffer++ = setup->sm_peer_qx[offset++]; 2633 } else { 2634 *buffer++ = setup->sm_peer_qx[offset++ - 32]; 2635 } 2636 size--; 2637 } 2638 setup->sm_passkey_bit = offset; 2639 return 0; 2640 } 2641 #endif 2642 2643 // note: random generator is ready. this doesn NOT imply that aes engine is unused! 2644 static void sm_handle_random_result(uint8_t * data){ 2645 2646 #ifdef USE_MBEDTLS_FOR_ECDH 2647 if (ec_key_generation_state == EC_KEY_GENERATION_ACTIVE){ 2648 int num_bytes = setup->sm_passkey_bit; 2649 if (num_bytes < 32){ 2650 memcpy(&setup->sm_peer_qx[num_bytes], data, 8); 2651 } else { 2652 memcpy(&setup->sm_peer_qx[num_bytes-32], data, 8); 2653 } 2654 num_bytes += 8; 2655 setup->sm_passkey_bit = num_bytes; 2656 2657 if (num_bytes >= 64){ 2658 // generate EC key 2659 setup->sm_passkey_bit = 0; 2660 mbedtls_mpi d; 2661 mbedtls_ecp_point P; 2662 mbedtls_mpi_init(&d); 2663 mbedtls_ecp_point_init(&P); 2664 int res = mbedtls_ecp_gen_keypair(&mbedtls_ec_group, &d, &P, &sm_generate_f_rng, NULL); 2665 log_info("gen keypair %x", res); 2666 mbedtls_mpi_write_binary(&P.X, ec_qx, 32); 2667 mbedtls_mpi_write_binary(&P.Y, ec_qy, 32); 2668 mbedtls_mpi_write_binary(&d, ec_d, 32); 2669 mbedtls_ecp_point_free(&P); 2670 mbedtls_mpi_free(&d); 2671 ec_key_generation_state = EC_KEY_GENERATION_DONE; 2672 sm_log_ec_keypair(); 2673 2674 #if 0 2675 printf("test dhkey check\n"); 2676 sm_key256_t dhkey; 2677 memcpy(setup->sm_peer_qx, ec_qx, 32); 2678 memcpy(setup->sm_peer_qy, ec_qy, 32); 2679 sm_sc_calculate_dhkey(dhkey); 2680 #endif 2681 2682 } 2683 } 2684 #endif 2685 2686 switch (rau_state){ 2687 case RAU_W4_RANDOM: 2688 // non-resolvable vs. resolvable 2689 switch (gap_random_adress_type){ 2690 case GAP_RANDOM_ADDRESS_RESOLVABLE: 2691 // resolvable: use random as prand and calc address hash 2692 // "The two most significant bits of prand shall be equal to ‘0’ and ‘1" 2693 memcpy(sm_random_address, data, 3); 2694 sm_random_address[0] &= 0x3f; 2695 sm_random_address[0] |= 0x40; 2696 rau_state = RAU_GET_ENC; 2697 break; 2698 case GAP_RANDOM_ADDRESS_NON_RESOLVABLE: 2699 default: 2700 // "The two most significant bits of the address shall be equal to ‘0’"" 2701 memcpy(sm_random_address, data, 6); 2702 sm_random_address[0] &= 0x3f; 2703 rau_state = RAU_SET_ADDRESS; 2704 break; 2705 } 2706 return; 2707 default: 2708 break; 2709 } 2710 2711 // retrieve sm_connection provided to sm_random_start 2712 sm_connection_t * connection = (sm_connection_t *) sm_random_context; 2713 if (!connection) return; 2714 switch (connection->sm_engine_state){ 2715 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2716 case SM_SC_W4_GET_RANDOM_A: 2717 memcpy(&setup->sm_local_nonce[0], data, 8); 2718 connection->sm_engine_state = SM_SC_W2_GET_RANDOM_B; 2719 break; 2720 case SM_SC_W4_GET_RANDOM_B: 2721 memcpy(&setup->sm_local_nonce[8], data, 8); 2722 // initiator & jw/nc -> send pairing random 2723 if (connection->sm_role == 0 && sm_just_works_or_numeric_comparison(setup->sm_stk_generation_method)){ 2724 connection->sm_engine_state = SM_SC_SEND_PAIRING_RANDOM; 2725 break; 2726 } else { 2727 connection->sm_engine_state = SM_SC_W2_CMAC_FOR_CONFIRMATION; 2728 } 2729 break; 2730 #endif 2731 2732 case SM_PH2_W4_RANDOM_TK: 2733 { 2734 // map random to 0-999999 without speding much cycles on a modulus operation 2735 uint32_t tk = little_endian_read_32(data,0); 2736 tk = tk & 0xfffff; // 1048575 2737 if (tk >= 999999){ 2738 tk = tk - 999999; 2739 } 2740 sm_reset_tk(); 2741 big_endian_store_32(setup->sm_tk, 12, tk); 2742 if (connection->sm_role){ 2743 connection->sm_engine_state = SM_RESPONDER_PH1_SEND_PAIRING_RESPONSE; 2744 } else { 2745 if (setup->sm_use_secure_connections){ 2746 connection->sm_engine_state = SM_SC_SEND_PUBLIC_KEY_COMMAND; 2747 } else { 2748 connection->sm_engine_state = SM_PH1_W4_USER_RESPONSE; 2749 sm_trigger_user_response(connection); 2750 // response_idle == nothing <--> sm_trigger_user_response() did not require response 2751 if (setup->sm_user_response == SM_USER_RESPONSE_IDLE){ 2752 connection->sm_engine_state = SM_PH2_C1_GET_RANDOM_A; 2753 } 2754 } 2755 } 2756 return; 2757 } 2758 case SM_PH2_C1_W4_RANDOM_A: 2759 memcpy(&setup->sm_local_random[0], data, 8); // random endinaness 2760 connection->sm_engine_state = SM_PH2_C1_GET_RANDOM_B; 2761 return; 2762 case SM_PH2_C1_W4_RANDOM_B: 2763 memcpy(&setup->sm_local_random[8], data, 8); // random endinaness 2764 connection->sm_engine_state = SM_PH2_C1_GET_ENC_A; 2765 return; 2766 case SM_PH3_W4_RANDOM: 2767 reverse_64(data, setup->sm_local_rand); 2768 // no db for encryption size hack: encryption size is stored in lowest nibble of setup->sm_local_rand 2769 setup->sm_local_rand[7] = (setup->sm_local_rand[7] & 0xf0) + (connection->sm_actual_encryption_key_size - 1); 2770 // no db for authenticated flag hack: store flag in bit 4 of LSB 2771 setup->sm_local_rand[7] = (setup->sm_local_rand[7] & 0xef) + (connection->sm_connection_authenticated << 4); 2772 connection->sm_engine_state = SM_PH3_GET_DIV; 2773 return; 2774 case SM_PH3_W4_DIV: 2775 // use 16 bit from random value as div 2776 setup->sm_local_div = big_endian_read_16(data, 0); 2777 log_info_hex16("div", setup->sm_local_div); 2778 connection->sm_engine_state = SM_PH3_Y_GET_ENC; 2779 return; 2780 default: 2781 break; 2782 } 2783 } 2784 2785 static void sm_event_packet_handler (uint8_t packet_type, uint16_t channel, uint8_t *packet, uint16_t size){ 2786 2787 sm_connection_t * sm_conn; 2788 hci_con_handle_t con_handle; 2789 2790 switch (packet_type) { 2791 2792 case HCI_EVENT_PACKET: 2793 switch (hci_event_packet_get_type(packet)) { 2794 2795 case BTSTACK_EVENT_STATE: 2796 // bt stack activated, get started 2797 if (btstack_event_state_get_state(packet) == HCI_STATE_WORKING){ 2798 log_info("HCI Working!"); 2799 dkg_state = sm_persistent_irk_ready ? DKG_CALC_DHK : DKG_CALC_IRK; 2800 rau_state = RAU_IDLE; 2801 #ifdef USE_MBEDTLS_FOR_ECDH 2802 if (!sm_have_ec_keypair){ 2803 setup->sm_passkey_bit = 0; 2804 ec_key_generation_state = EC_KEY_GENERATION_ACTIVE; 2805 } 2806 #endif 2807 sm_run(); 2808 } 2809 break; 2810 2811 case HCI_EVENT_LE_META: 2812 switch (packet[2]) { 2813 case HCI_SUBEVENT_LE_CONNECTION_COMPLETE: 2814 2815 log_info("sm: connected"); 2816 2817 if (packet[3]) return; // connection failed 2818 2819 con_handle = little_endian_read_16(packet, 4); 2820 sm_conn = sm_get_connection_for_handle(con_handle); 2821 if (!sm_conn) break; 2822 2823 sm_conn->sm_handle = con_handle; 2824 sm_conn->sm_role = packet[6]; 2825 sm_conn->sm_peer_addr_type = packet[7]; 2826 reverse_bd_addr(&packet[8], 2827 sm_conn->sm_peer_address); 2828 2829 log_info("New sm_conn, role %s", sm_conn->sm_role ? "slave" : "master"); 2830 2831 // reset security properties 2832 sm_conn->sm_connection_encrypted = 0; 2833 sm_conn->sm_connection_authenticated = 0; 2834 sm_conn->sm_connection_authorization_state = AUTHORIZATION_UNKNOWN; 2835 sm_conn->sm_le_db_index = -1; 2836 2837 // prepare CSRK lookup (does not involve setup) 2838 sm_conn->sm_irk_lookup_state = IRK_LOOKUP_W4_READY; 2839 2840 // just connected -> everything else happens in sm_run() 2841 if (sm_conn->sm_role){ 2842 // slave - state already could be SM_RESPONDER_SEND_SECURITY_REQUEST instead 2843 if (sm_conn->sm_engine_state == SM_GENERAL_IDLE){ 2844 if (sm_slave_request_security) { 2845 // request security if requested by app 2846 sm_conn->sm_engine_state = SM_RESPONDER_SEND_SECURITY_REQUEST; 2847 } else { 2848 // otherwise, wait for pairing request 2849 sm_conn->sm_engine_state = SM_RESPONDER_IDLE; 2850 } 2851 } 2852 break; 2853 } else { 2854 // master 2855 sm_conn->sm_engine_state = SM_INITIATOR_CONNECTED; 2856 } 2857 break; 2858 2859 case HCI_SUBEVENT_LE_LONG_TERM_KEY_REQUEST: 2860 con_handle = little_endian_read_16(packet, 3); 2861 sm_conn = sm_get_connection_for_handle(con_handle); 2862 if (!sm_conn) break; 2863 2864 log_info("LTK Request: state %u", sm_conn->sm_engine_state); 2865 if (sm_conn->sm_engine_state == SM_RESPONDER_PH2_W4_LTK_REQUEST){ 2866 sm_conn->sm_engine_state = SM_PH2_CALC_STK; 2867 break; 2868 } 2869 if (sm_conn->sm_engine_state == SM_SC_W4_LTK_REQUEST_SC){ 2870 sm_conn->sm_engine_state = SM_RESPONDER_PH2_SEND_LTK_REPLY; 2871 break; 2872 } 2873 2874 // store rand and ediv 2875 reverse_64(&packet[5], sm_conn->sm_local_rand); 2876 sm_conn->sm_local_ediv = little_endian_read_16(packet, 13); 2877 sm_conn->sm_engine_state = SM_RESPONDER_PH0_RECEIVED_LTK; 2878 break; 2879 2880 default: 2881 break; 2882 } 2883 break; 2884 2885 case HCI_EVENT_ENCRYPTION_CHANGE: 2886 con_handle = little_endian_read_16(packet, 3); 2887 sm_conn = sm_get_connection_for_handle(con_handle); 2888 if (!sm_conn) break; 2889 2890 sm_conn->sm_connection_encrypted = packet[5]; 2891 log_info("Encryption state change: %u, key size %u", sm_conn->sm_connection_encrypted, 2892 sm_conn->sm_actual_encryption_key_size); 2893 log_info("event handler, state %u", sm_conn->sm_engine_state); 2894 if (!sm_conn->sm_connection_encrypted) break; 2895 // continue if part of initial pairing 2896 switch (sm_conn->sm_engine_state){ 2897 case SM_INITIATOR_PH0_W4_CONNECTION_ENCRYPTED: 2898 sm_conn->sm_engine_state = SM_INITIATOR_CONNECTED; 2899 sm_done_for_handle(sm_conn->sm_handle); 2900 break; 2901 case SM_PH2_W4_CONNECTION_ENCRYPTED: 2902 if (sm_conn->sm_role){ 2903 // slave 2904 if (setup->sm_use_secure_connections){ 2905 sm_conn->sm_engine_state = SM_PH3_DISTRIBUTE_KEYS; 2906 } else { 2907 sm_conn->sm_engine_state = SM_PH3_GET_RANDOM; 2908 } 2909 } else { 2910 // master 2911 if (sm_key_distribution_all_received(sm_conn)){ 2912 // skip receiving keys as there are none 2913 sm_key_distribution_handle_all_received(sm_conn); 2914 sm_conn->sm_engine_state = SM_PH3_GET_RANDOM; 2915 } else { 2916 sm_conn->sm_engine_state = SM_PH3_RECEIVE_KEYS; 2917 } 2918 } 2919 break; 2920 default: 2921 break; 2922 } 2923 break; 2924 2925 case HCI_EVENT_ENCRYPTION_KEY_REFRESH_COMPLETE: 2926 con_handle = little_endian_read_16(packet, 3); 2927 sm_conn = sm_get_connection_for_handle(con_handle); 2928 if (!sm_conn) break; 2929 2930 log_info("Encryption key refresh complete, key size %u", sm_conn->sm_actual_encryption_key_size); 2931 log_info("event handler, state %u", sm_conn->sm_engine_state); 2932 // continue if part of initial pairing 2933 switch (sm_conn->sm_engine_state){ 2934 case SM_INITIATOR_PH0_W4_CONNECTION_ENCRYPTED: 2935 sm_conn->sm_engine_state = SM_INITIATOR_CONNECTED; 2936 sm_done_for_handle(sm_conn->sm_handle); 2937 break; 2938 case SM_PH2_W4_CONNECTION_ENCRYPTED: 2939 if (sm_conn->sm_role){ 2940 // slave 2941 sm_conn->sm_engine_state = SM_PH3_GET_RANDOM; 2942 } else { 2943 // master 2944 sm_conn->sm_engine_state = SM_PH3_RECEIVE_KEYS; 2945 } 2946 break; 2947 default: 2948 break; 2949 } 2950 break; 2951 2952 2953 case HCI_EVENT_DISCONNECTION_COMPLETE: 2954 con_handle = little_endian_read_16(packet, 3); 2955 sm_done_for_handle(con_handle); 2956 sm_conn = sm_get_connection_for_handle(con_handle); 2957 if (!sm_conn) break; 2958 2959 // delete stored bonding on disconnect with authentication failure in ph0 2960 if (sm_conn->sm_role == 0 2961 && sm_conn->sm_engine_state == SM_INITIATOR_PH0_W4_CONNECTION_ENCRYPTED 2962 && packet[2] == ERROR_CODE_AUTHENTICATION_FAILURE){ 2963 le_device_db_remove(sm_conn->sm_le_db_index); 2964 } 2965 2966 sm_conn->sm_engine_state = SM_GENERAL_IDLE; 2967 sm_conn->sm_handle = 0; 2968 break; 2969 2970 case HCI_EVENT_COMMAND_COMPLETE: 2971 if (HCI_EVENT_IS_COMMAND_COMPLETE(packet, hci_le_encrypt)){ 2972 sm_handle_encryption_result(&packet[6]); 2973 break; 2974 } 2975 if (HCI_EVENT_IS_COMMAND_COMPLETE(packet, hci_le_rand)){ 2976 sm_handle_random_result(&packet[6]); 2977 break; 2978 } 2979 break; 2980 default: 2981 break; 2982 } 2983 break; 2984 default: 2985 break; 2986 } 2987 2988 sm_run(); 2989 } 2990 2991 static inline int sm_calc_actual_encryption_key_size(int other){ 2992 if (other < sm_min_encryption_key_size) return 0; 2993 if (other < sm_max_encryption_key_size) return other; 2994 return sm_max_encryption_key_size; 2995 } 2996 2997 2998 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2999 static int sm_just_works_or_numeric_comparison(stk_generation_method_t method){ 3000 switch (method){ 3001 case JUST_WORKS: 3002 case NK_BOTH_INPUT: 3003 return 1; 3004 default: 3005 return 0; 3006 } 3007 } 3008 // responder 3009 3010 static int sm_passkey_used(stk_generation_method_t method){ 3011 switch (method){ 3012 case PK_RESP_INPUT: 3013 return 1; 3014 default: 3015 return 0; 3016 } 3017 } 3018 #endif 3019 3020 /** 3021 * @return ok 3022 */ 3023 static int sm_validate_stk_generation_method(void){ 3024 // check if STK generation method is acceptable by client 3025 switch (setup->sm_stk_generation_method){ 3026 case JUST_WORKS: 3027 return (sm_accepted_stk_generation_methods & SM_STK_GENERATION_METHOD_JUST_WORKS) != 0; 3028 case PK_RESP_INPUT: 3029 case PK_INIT_INPUT: 3030 case OK_BOTH_INPUT: 3031 return (sm_accepted_stk_generation_methods & SM_STK_GENERATION_METHOD_PASSKEY) != 0; 3032 case OOB: 3033 return (sm_accepted_stk_generation_methods & SM_STK_GENERATION_METHOD_OOB) != 0; 3034 case NK_BOTH_INPUT: 3035 return (sm_accepted_stk_generation_methods & SM_STK_GENERATION_METHOD_NUMERIC_COMPARISON) != 0; 3036 return 1; 3037 default: 3038 return 0; 3039 } 3040 } 3041 3042 static void sm_pdu_handler(uint8_t packet_type, hci_con_handle_t con_handle, uint8_t *packet, uint16_t size){ 3043 3044 if (packet_type == HCI_EVENT_PACKET && packet[0] == L2CAP_EVENT_CAN_SEND_NOW){ 3045 sm_run(); 3046 } 3047 3048 if (packet_type != SM_DATA_PACKET) return; 3049 3050 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3051 if (!sm_conn) return; 3052 3053 if (packet[0] == SM_CODE_PAIRING_FAILED){ 3054 sm_conn->sm_engine_state = sm_conn->sm_role ? SM_RESPONDER_IDLE : SM_INITIATOR_CONNECTED; 3055 return; 3056 } 3057 3058 log_debug("sm_pdu_handler: state %u, pdu 0x%02x", sm_conn->sm_engine_state, packet[0]); 3059 3060 int err; 3061 3062 if (packet[0] == SM_CODE_KEYPRESS_NOTIFICATION){ 3063 uint8_t buffer[5]; 3064 buffer[0] = SM_EVENT_KEYPRESS_NOTIFICATION; 3065 buffer[1] = 3; 3066 little_endian_store_16(buffer, 2, con_handle); 3067 buffer[4] = packet[1]; 3068 sm_dispatch_event(HCI_EVENT_PACKET, 0, buffer, sizeof(buffer)); 3069 return; 3070 } 3071 3072 switch (sm_conn->sm_engine_state){ 3073 3074 // a sm timeout requries a new physical connection 3075 case SM_GENERAL_TIMEOUT: 3076 return; 3077 3078 // Initiator 3079 case SM_INITIATOR_CONNECTED: 3080 if ((packet[0] != SM_CODE_SECURITY_REQUEST) || (sm_conn->sm_role)){ 3081 sm_pdu_received_in_wrong_state(sm_conn); 3082 break; 3083 } 3084 if (sm_conn->sm_irk_lookup_state == IRK_LOOKUP_FAILED){ 3085 sm_conn->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 3086 break; 3087 } 3088 if (sm_conn->sm_irk_lookup_state == IRK_LOOKUP_SUCCEEDED){ 3089 uint16_t ediv; 3090 sm_key_t ltk; 3091 le_device_db_encryption_get(sm_conn->sm_le_db_index, &ediv, NULL, ltk, NULL, NULL, NULL); 3092 if (!sm_is_null_key(ltk) || ediv){ 3093 log_info("sm: Setting up previous ltk/ediv/rand for device index %u", sm_conn->sm_le_db_index); 3094 sm_conn->sm_engine_state = SM_INITIATOR_PH0_HAS_LTK; 3095 } else { 3096 sm_conn->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 3097 } 3098 break; 3099 } 3100 // otherwise, store security request 3101 sm_conn->sm_security_request_received = 1; 3102 break; 3103 3104 case SM_INITIATOR_PH1_W4_PAIRING_RESPONSE: 3105 if (packet[0] != SM_CODE_PAIRING_RESPONSE){ 3106 sm_pdu_received_in_wrong_state(sm_conn); 3107 break; 3108 } 3109 // store pairing request 3110 memcpy(&setup->sm_s_pres, packet, sizeof(sm_pairing_packet_t)); 3111 err = sm_stk_generation_init(sm_conn); 3112 if (err){ 3113 setup->sm_pairing_failed_reason = err; 3114 sm_conn->sm_engine_state = SM_GENERAL_SEND_PAIRING_FAILED; 3115 break; 3116 } 3117 3118 // generate random number first, if we need to show passkey 3119 if (setup->sm_stk_generation_method == PK_RESP_INPUT){ 3120 sm_conn->sm_engine_state = SM_PH2_GET_RANDOM_TK; 3121 break; 3122 } 3123 3124 #ifdef ENABLE_LE_SECURE_CONNECTIONS 3125 if (setup->sm_use_secure_connections){ 3126 // SC Numeric Comparison will trigger user response after public keys & nonces have been exchanged 3127 if (setup->sm_stk_generation_method == JUST_WORKS){ 3128 sm_conn->sm_engine_state = SM_PH1_W4_USER_RESPONSE; 3129 sm_trigger_user_response(sm_conn); 3130 if (setup->sm_user_response == SM_USER_RESPONSE_IDLE){ 3131 sm_conn->sm_engine_state = SM_SC_SEND_PUBLIC_KEY_COMMAND; 3132 } 3133 } else { 3134 sm_conn->sm_engine_state = SM_SC_SEND_PUBLIC_KEY_COMMAND; 3135 } 3136 break; 3137 } 3138 #endif 3139 sm_conn->sm_engine_state = SM_PH1_W4_USER_RESPONSE; 3140 sm_trigger_user_response(sm_conn); 3141 // response_idle == nothing <--> sm_trigger_user_response() did not require response 3142 if (setup->sm_user_response == SM_USER_RESPONSE_IDLE){ 3143 sm_conn->sm_engine_state = SM_PH2_C1_GET_RANDOM_A; 3144 } 3145 break; 3146 3147 case SM_INITIATOR_PH2_W4_PAIRING_CONFIRM: 3148 if (packet[0] != SM_CODE_PAIRING_CONFIRM){ 3149 sm_pdu_received_in_wrong_state(sm_conn); 3150 break; 3151 } 3152 3153 // store s_confirm 3154 reverse_128(&packet[1], setup->sm_peer_confirm); 3155 sm_conn->sm_engine_state = SM_PH2_SEND_PAIRING_RANDOM; 3156 break; 3157 3158 case SM_INITIATOR_PH2_W4_PAIRING_RANDOM: 3159 if (packet[0] != SM_CODE_PAIRING_RANDOM){ 3160 sm_pdu_received_in_wrong_state(sm_conn); 3161 break;; 3162 } 3163 3164 // received random value 3165 reverse_128(&packet[1], setup->sm_peer_random); 3166 sm_conn->sm_engine_state = SM_PH2_C1_GET_ENC_C; 3167 break; 3168 3169 // Responder 3170 case SM_RESPONDER_IDLE: 3171 case SM_RESPONDER_SEND_SECURITY_REQUEST: 3172 case SM_RESPONDER_PH1_W4_PAIRING_REQUEST: 3173 if (packet[0] != SM_CODE_PAIRING_REQUEST){ 3174 sm_pdu_received_in_wrong_state(sm_conn); 3175 break;; 3176 } 3177 3178 // store pairing request 3179 memcpy(&sm_conn->sm_m_preq, packet, sizeof(sm_pairing_packet_t)); 3180 sm_conn->sm_engine_state = SM_RESPONDER_PH1_PAIRING_REQUEST_RECEIVED; 3181 break; 3182 3183 #ifdef ENABLE_LE_SECURE_CONNECTIONS 3184 case SM_SC_W4_PUBLIC_KEY_COMMAND: 3185 if (packet[0] != SM_CODE_PAIRING_PUBLIC_KEY){ 3186 sm_pdu_received_in_wrong_state(sm_conn); 3187 break; 3188 } 3189 3190 // store public key for DH Key calculation 3191 reverse_256(&packet[01], setup->sm_peer_qx); 3192 reverse_256(&packet[33], setup->sm_peer_qy); 3193 3194 #ifdef USE_MBEDTLS_FOR_ECDH 3195 // validate public key 3196 mbedtls_ecp_point Q; 3197 mbedtls_ecp_point_init( &Q ); 3198 mbedtls_mpi_read_binary(&Q.X, setup->sm_peer_qx, 32); 3199 mbedtls_mpi_read_binary(&Q.Y, setup->sm_peer_qy, 32); 3200 mbedtls_mpi_read_string(&Q.Z, 16, "1" ); 3201 err = mbedtls_ecp_check_pubkey(&mbedtls_ec_group, &Q); 3202 mbedtls_ecp_point_free( & Q); 3203 if (err){ 3204 log_error("sm: peer public key invalid %x", err); 3205 // uses "unspecified reason", there is no "public key invalid" error code 3206 sm_pdu_received_in_wrong_state(sm_conn); 3207 break; 3208 } 3209 3210 #endif 3211 if (sm_conn->sm_role){ 3212 // responder 3213 sm_conn->sm_engine_state = SM_SC_SEND_PUBLIC_KEY_COMMAND; 3214 } else { 3215 // initiator 3216 // stk generation method 3217 // passkey entry: notify app to show passkey or to request passkey 3218 switch (setup->sm_stk_generation_method){ 3219 case JUST_WORKS: 3220 case NK_BOTH_INPUT: 3221 sm_conn->sm_engine_state = SM_SC_W4_CONFIRMATION; 3222 break; 3223 case PK_RESP_INPUT: 3224 sm_sc_start_calculating_local_confirm(sm_conn); 3225 break; 3226 case PK_INIT_INPUT: 3227 case OK_BOTH_INPUT: 3228 if (setup->sm_user_response != SM_USER_RESPONSE_PASSKEY){ 3229 sm_conn->sm_engine_state = SM_SC_W4_USER_RESPONSE; 3230 break; 3231 } 3232 sm_sc_start_calculating_local_confirm(sm_conn); 3233 break; 3234 case OOB: 3235 // TODO: implement SC OOB 3236 break; 3237 } 3238 } 3239 break; 3240 3241 case SM_SC_W4_CONFIRMATION: 3242 if (packet[0] != SM_CODE_PAIRING_CONFIRM){ 3243 sm_pdu_received_in_wrong_state(sm_conn); 3244 break; 3245 } 3246 // received confirm value 3247 reverse_128(&packet[1], setup->sm_peer_confirm); 3248 3249 if (sm_conn->sm_role){ 3250 // responder 3251 if (sm_passkey_used(setup->sm_stk_generation_method)){ 3252 if (setup->sm_user_response != SM_USER_RESPONSE_PASSKEY){ 3253 // still waiting for passkey 3254 sm_conn->sm_engine_state = SM_SC_W4_USER_RESPONSE; 3255 break; 3256 } 3257 } 3258 sm_sc_start_calculating_local_confirm(sm_conn); 3259 } else { 3260 // initiator 3261 if (sm_just_works_or_numeric_comparison(setup->sm_stk_generation_method)){ 3262 sm_conn->sm_engine_state = SM_SC_W2_GET_RANDOM_A; 3263 } else { 3264 sm_conn->sm_engine_state = SM_SC_SEND_PAIRING_RANDOM; 3265 } 3266 } 3267 break; 3268 3269 case SM_SC_W4_PAIRING_RANDOM: 3270 if (packet[0] != SM_CODE_PAIRING_RANDOM){ 3271 sm_pdu_received_in_wrong_state(sm_conn); 3272 break; 3273 } 3274 3275 // received random value 3276 reverse_128(&packet[1], setup->sm_peer_nonce); 3277 3278 // validate confirm value if Cb = f4(Pkb, Pka, Nb, z) 3279 // only check for JUST WORK/NC in initiator role AND passkey entry 3280 if (sm_conn->sm_role || sm_passkey_used(setup->sm_stk_generation_method)) { 3281 sm_conn->sm_engine_state = SM_SC_W2_CMAC_FOR_CHECK_CONFIRMATION; 3282 } 3283 3284 sm_sc_state_after_receiving_random(sm_conn); 3285 break; 3286 3287 case SM_SC_W2_CALCULATE_G2: 3288 case SM_SC_W4_CALCULATE_G2: 3289 case SM_SC_W2_CALCULATE_F5_SALT: 3290 case SM_SC_W4_CALCULATE_F5_SALT: 3291 case SM_SC_W2_CALCULATE_F5_MACKEY: 3292 case SM_SC_W4_CALCULATE_F5_MACKEY: 3293 case SM_SC_W2_CALCULATE_F5_LTK: 3294 case SM_SC_W4_CALCULATE_F5_LTK: 3295 case SM_SC_W2_CALCULATE_F6_FOR_DHKEY_CHECK: 3296 case SM_SC_W4_DHKEY_CHECK_COMMAND: 3297 case SM_SC_W4_CALCULATE_F6_FOR_DHKEY_CHECK: 3298 if (packet[0] != SM_CODE_PAIRING_DHKEY_CHECK){ 3299 sm_pdu_received_in_wrong_state(sm_conn); 3300 break; 3301 } 3302 // store DHKey Check 3303 setup->sm_state_vars |= SM_STATE_VAR_DHKEY_COMMAND_RECEIVED; 3304 reverse_128(&packet[01], setup->sm_peer_dhkey_check); 3305 3306 // have we been only waiting for dhkey check command? 3307 if (sm_conn->sm_engine_state == SM_SC_W4_DHKEY_CHECK_COMMAND){ 3308 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F6_TO_VERIFY_DHKEY_CHECK; 3309 } 3310 break; 3311 #endif 3312 3313 case SM_RESPONDER_PH1_W4_PAIRING_CONFIRM: 3314 if (packet[0] != SM_CODE_PAIRING_CONFIRM){ 3315 sm_pdu_received_in_wrong_state(sm_conn); 3316 break; 3317 } 3318 3319 // received confirm value 3320 reverse_128(&packet[1], setup->sm_peer_confirm); 3321 3322 // notify client to hide shown passkey 3323 if (setup->sm_stk_generation_method == PK_INIT_INPUT){ 3324 sm_notify_client_base(SM_EVENT_PASSKEY_DISPLAY_CANCEL, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address); 3325 } 3326 3327 // handle user cancel pairing? 3328 if (setup->sm_user_response == SM_USER_RESPONSE_DECLINE){ 3329 setup->sm_pairing_failed_reason = SM_REASON_PASSKEYT_ENTRY_FAILED; 3330 sm_conn->sm_engine_state = SM_GENERAL_SEND_PAIRING_FAILED; 3331 break; 3332 } 3333 3334 // wait for user action? 3335 if (setup->sm_user_response == SM_USER_RESPONSE_PENDING){ 3336 sm_conn->sm_engine_state = SM_PH1_W4_USER_RESPONSE; 3337 break; 3338 } 3339 3340 // calculate and send local_confirm 3341 sm_conn->sm_engine_state = SM_PH2_C1_GET_RANDOM_A; 3342 break; 3343 3344 case SM_RESPONDER_PH2_W4_PAIRING_RANDOM: 3345 if (packet[0] != SM_CODE_PAIRING_RANDOM){ 3346 sm_pdu_received_in_wrong_state(sm_conn); 3347 break;; 3348 } 3349 3350 // received random value 3351 reverse_128(&packet[1], setup->sm_peer_random); 3352 sm_conn->sm_engine_state = SM_PH2_C1_GET_ENC_C; 3353 break; 3354 3355 case SM_PH3_RECEIVE_KEYS: 3356 switch(packet[0]){ 3357 case SM_CODE_ENCRYPTION_INFORMATION: 3358 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION; 3359 reverse_128(&packet[1], setup->sm_peer_ltk); 3360 break; 3361 3362 case SM_CODE_MASTER_IDENTIFICATION: 3363 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_MASTER_IDENTIFICATION; 3364 setup->sm_peer_ediv = little_endian_read_16(packet, 1); 3365 reverse_64(&packet[3], setup->sm_peer_rand); 3366 break; 3367 3368 case SM_CODE_IDENTITY_INFORMATION: 3369 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_IDENTITY_INFORMATION; 3370 reverse_128(&packet[1], setup->sm_peer_irk); 3371 break; 3372 3373 case SM_CODE_IDENTITY_ADDRESS_INFORMATION: 3374 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION; 3375 setup->sm_peer_addr_type = packet[1]; 3376 reverse_bd_addr(&packet[2], setup->sm_peer_address); 3377 break; 3378 3379 case SM_CODE_SIGNING_INFORMATION: 3380 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION; 3381 reverse_128(&packet[1], setup->sm_peer_csrk); 3382 break; 3383 default: 3384 // Unexpected PDU 3385 log_info("Unexpected PDU %u in SM_PH3_RECEIVE_KEYS", packet[0]); 3386 break; 3387 } 3388 // done with key distribution? 3389 if (sm_key_distribution_all_received(sm_conn)){ 3390 3391 sm_key_distribution_handle_all_received(sm_conn); 3392 3393 if (sm_conn->sm_role){ 3394 if (setup->sm_use_secure_connections && (setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION)){ 3395 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_H6_ILK; 3396 } else { 3397 sm_conn->sm_engine_state = SM_RESPONDER_IDLE; 3398 sm_done_for_handle(sm_conn->sm_handle); 3399 } 3400 } else { 3401 if (setup->sm_use_secure_connections){ 3402 sm_conn->sm_engine_state = SM_PH3_DISTRIBUTE_KEYS; 3403 } else { 3404 sm_conn->sm_engine_state = SM_PH3_GET_RANDOM; 3405 } 3406 } 3407 } 3408 break; 3409 default: 3410 // Unexpected PDU 3411 log_info("Unexpected PDU %u in state %u", packet[0], sm_conn->sm_engine_state); 3412 break; 3413 } 3414 3415 // try to send preparared packet 3416 sm_run(); 3417 } 3418 3419 // Security Manager Client API 3420 void sm_register_oob_data_callback( int (*get_oob_data_callback)(uint8_t addres_type, bd_addr_t addr, uint8_t * oob_data)){ 3421 sm_get_oob_data = get_oob_data_callback; 3422 } 3423 3424 void sm_add_event_handler(btstack_packet_callback_registration_t * callback_handler){ 3425 btstack_linked_list_add_tail(&sm_event_handlers, (btstack_linked_item_t*) callback_handler); 3426 } 3427 3428 void sm_set_accepted_stk_generation_methods(uint8_t accepted_stk_generation_methods){ 3429 sm_accepted_stk_generation_methods = accepted_stk_generation_methods; 3430 } 3431 3432 void sm_set_encryption_key_size_range(uint8_t min_size, uint8_t max_size){ 3433 sm_min_encryption_key_size = min_size; 3434 sm_max_encryption_key_size = max_size; 3435 } 3436 3437 void sm_set_authentication_requirements(uint8_t auth_req){ 3438 sm_auth_req = auth_req; 3439 } 3440 3441 void sm_set_io_capabilities(io_capability_t io_capability){ 3442 sm_io_capabilities = io_capability; 3443 } 3444 3445 void sm_set_request_security(int enable){ 3446 sm_slave_request_security = enable; 3447 } 3448 3449 void sm_set_er(sm_key_t er){ 3450 memcpy(sm_persistent_er, er, 16); 3451 } 3452 3453 void sm_set_ir(sm_key_t ir){ 3454 memcpy(sm_persistent_ir, ir, 16); 3455 } 3456 3457 // Testing support only 3458 void sm_test_set_irk(sm_key_t irk){ 3459 memcpy(sm_persistent_irk, irk, 16); 3460 sm_persistent_irk_ready = 1; 3461 } 3462 3463 void sm_test_use_fixed_local_csrk(void){ 3464 test_use_fixed_local_csrk = 1; 3465 } 3466 3467 void sm_init(void){ 3468 // set some (BTstack default) ER and IR 3469 int i; 3470 sm_key_t er; 3471 sm_key_t ir; 3472 for (i=0;i<16;i++){ 3473 er[i] = 0x30 + i; 3474 ir[i] = 0x90 + i; 3475 } 3476 sm_set_er(er); 3477 sm_set_ir(ir); 3478 // defaults 3479 sm_accepted_stk_generation_methods = SM_STK_GENERATION_METHOD_JUST_WORKS 3480 | SM_STK_GENERATION_METHOD_OOB 3481 | SM_STK_GENERATION_METHOD_PASSKEY 3482 | SM_STK_GENERATION_METHOD_NUMERIC_COMPARISON; 3483 3484 sm_max_encryption_key_size = 16; 3485 sm_min_encryption_key_size = 7; 3486 3487 sm_cmac_state = CMAC_IDLE; 3488 dkg_state = DKG_W4_WORKING; 3489 rau_state = RAU_W4_WORKING; 3490 sm_aes128_state = SM_AES128_IDLE; 3491 sm_address_resolution_test = -1; // no private address to resolve yet 3492 sm_address_resolution_ah_calculation_active = 0; 3493 sm_address_resolution_mode = ADDRESS_RESOLUTION_IDLE; 3494 sm_address_resolution_general_queue = NULL; 3495 3496 gap_random_adress_update_period = 15 * 60 * 1000L; 3497 3498 sm_active_connection = 0; 3499 3500 test_use_fixed_local_csrk = 0; 3501 3502 // register for HCI Events from HCI 3503 hci_event_callback_registration.callback = &sm_event_packet_handler; 3504 hci_add_event_handler(&hci_event_callback_registration); 3505 3506 // and L2CAP PDUs + L2CAP_EVENT_CAN_SEND_NOW 3507 l2cap_register_fixed_channel(sm_pdu_handler, L2CAP_CID_SECURITY_MANAGER_PROTOCOL); 3508 3509 #ifdef USE_MBEDTLS_FOR_ECDH 3510 ec_key_generation_state = EC_KEY_GENERATION_IDLE; 3511 3512 #ifndef HAVE_MALLOC 3513 sm_mbedtls_allocator_init(mbedtls_memory_buffer, sizeof(mbedtls_memory_buffer)); 3514 #endif 3515 mbedtls_ecp_group_init(&mbedtls_ec_group); 3516 mbedtls_ecp_group_load(&mbedtls_ec_group, MBEDTLS_ECP_DP_SECP256R1); 3517 3518 #if 0 3519 // test 3520 sm_test_use_fixed_ec_keypair(); 3521 if (sm_have_ec_keypair){ 3522 printf("test dhkey check\n"); 3523 sm_key256_t dhkey; 3524 memcpy(setup->sm_peer_qx, ec_qx, 32); 3525 memcpy(setup->sm_peer_qy, ec_qy, 32); 3526 sm_sc_calculate_dhkey(dhkey); 3527 } 3528 #endif 3529 #endif 3530 } 3531 3532 void sm_use_fixed_ec_keypair(uint8_t * qx, uint8_t * qy, uint8_t * d){ 3533 #ifdef ENABLE_LE_SECURE_CONNECTIONS 3534 memcpy(ec_qx, qx, 32); 3535 memcpy(ec_qy, qy, 32); 3536 memcpy(ec_d, d, 32); 3537 sm_have_ec_keypair = 1; 3538 ec_key_generation_state = EC_KEY_GENERATION_DONE; 3539 #endif 3540 } 3541 3542 void sm_test_use_fixed_ec_keypair(void){ 3543 #ifdef ENABLE_LE_SECURE_CONNECTIONS 3544 #ifdef USE_MBEDTLS_FOR_ECDH 3545 // use test keypair from spec 3546 mbedtls_mpi x; 3547 mbedtls_mpi_init(&x); 3548 mbedtls_mpi_read_string( &x, 16, "3f49f6d4a3c55f3874c9b3e3d2103f504aff607beb40b7995899b8a6cd3c1abd"); 3549 mbedtls_mpi_write_binary(&x, ec_d, 32); 3550 mbedtls_mpi_read_string( &x, 16, "20b003d2f297be2c5e2c83a7e9f9a5b9eff49111acf4fddbcc0301480e359de6"); 3551 mbedtls_mpi_write_binary(&x, ec_qx, 32); 3552 mbedtls_mpi_read_string( &x, 16, "dc809c49652aeb6d63329abf5a52155c766345c28fed3024741c8ed01589d28b"); 3553 mbedtls_mpi_write_binary(&x, ec_qy, 32); 3554 mbedtls_mpi_free(&x); 3555 #endif 3556 sm_have_ec_keypair = 1; 3557 ec_key_generation_state = EC_KEY_GENERATION_DONE; 3558 #endif 3559 } 3560 3561 static sm_connection_t * sm_get_connection_for_handle(hci_con_handle_t con_handle){ 3562 hci_connection_t * hci_con = hci_connection_for_handle(con_handle); 3563 if (!hci_con) return NULL; 3564 return &hci_con->sm_connection; 3565 } 3566 3567 // @returns 0 if not encrypted, 7-16 otherwise 3568 int sm_encryption_key_size(hci_con_handle_t con_handle){ 3569 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3570 if (!sm_conn) return 0; // wrong connection 3571 if (!sm_conn->sm_connection_encrypted) return 0; 3572 return sm_conn->sm_actual_encryption_key_size; 3573 } 3574 3575 int sm_authenticated(hci_con_handle_t con_handle){ 3576 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3577 if (!sm_conn) return 0; // wrong connection 3578 if (!sm_conn->sm_connection_encrypted) return 0; // unencrypted connection cannot be authenticated 3579 return sm_conn->sm_connection_authenticated; 3580 } 3581 3582 authorization_state_t sm_authorization_state(hci_con_handle_t con_handle){ 3583 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3584 if (!sm_conn) return AUTHORIZATION_UNKNOWN; // wrong connection 3585 if (!sm_conn->sm_connection_encrypted) return AUTHORIZATION_UNKNOWN; // unencrypted connection cannot be authorized 3586 if (!sm_conn->sm_connection_authenticated) return AUTHORIZATION_UNKNOWN; // unauthenticatd connection cannot be authorized 3587 return sm_conn->sm_connection_authorization_state; 3588 } 3589 3590 static void sm_send_security_request_for_connection(sm_connection_t * sm_conn){ 3591 switch (sm_conn->sm_engine_state){ 3592 case SM_GENERAL_IDLE: 3593 case SM_RESPONDER_IDLE: 3594 sm_conn->sm_engine_state = SM_RESPONDER_SEND_SECURITY_REQUEST; 3595 sm_run(); 3596 break; 3597 default: 3598 break; 3599 } 3600 } 3601 3602 /** 3603 * @brief Trigger Security Request 3604 */ 3605 void sm_send_security_request(hci_con_handle_t con_handle){ 3606 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3607 if (!sm_conn) return; 3608 sm_send_security_request_for_connection(sm_conn); 3609 } 3610 3611 // request pairing 3612 void sm_request_pairing(hci_con_handle_t con_handle){ 3613 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3614 if (!sm_conn) return; // wrong connection 3615 3616 log_info("sm_request_pairing in role %u, state %u", sm_conn->sm_role, sm_conn->sm_engine_state); 3617 if (sm_conn->sm_role){ 3618 sm_send_security_request_for_connection(sm_conn); 3619 } else { 3620 // used as a trigger to start central/master/initiator security procedures 3621 uint16_t ediv; 3622 sm_key_t ltk; 3623 if (sm_conn->sm_engine_state == SM_INITIATOR_CONNECTED){ 3624 switch (sm_conn->sm_irk_lookup_state){ 3625 case IRK_LOOKUP_FAILED: 3626 sm_conn->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 3627 break; 3628 case IRK_LOOKUP_SUCCEEDED: 3629 le_device_db_encryption_get(sm_conn->sm_le_db_index, &ediv, NULL, ltk, NULL, NULL, NULL); 3630 if (!sm_is_null_key(ltk) || ediv){ 3631 log_info("sm: Setting up previous ltk/ediv/rand for device index %u", sm_conn->sm_le_db_index); 3632 sm_conn->sm_engine_state = SM_INITIATOR_PH0_HAS_LTK; 3633 } else { 3634 sm_conn->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 3635 } 3636 break; 3637 default: 3638 sm_conn->sm_bonding_requested = 1; 3639 break; 3640 } 3641 } else if (sm_conn->sm_engine_state == SM_GENERAL_IDLE){ 3642 sm_conn->sm_bonding_requested = 1; 3643 } 3644 } 3645 sm_run(); 3646 } 3647 3648 // called by client app on authorization request 3649 void sm_authorization_decline(hci_con_handle_t con_handle){ 3650 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3651 if (!sm_conn) return; // wrong connection 3652 sm_conn->sm_connection_authorization_state = AUTHORIZATION_DECLINED; 3653 sm_notify_client_authorization(SM_EVENT_AUTHORIZATION_RESULT, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address, 0); 3654 } 3655 3656 void sm_authorization_grant(hci_con_handle_t con_handle){ 3657 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3658 if (!sm_conn) return; // wrong connection 3659 sm_conn->sm_connection_authorization_state = AUTHORIZATION_GRANTED; 3660 sm_notify_client_authorization(SM_EVENT_AUTHORIZATION_RESULT, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address, 1); 3661 } 3662 3663 // GAP Bonding API 3664 3665 void sm_bonding_decline(hci_con_handle_t con_handle){ 3666 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3667 if (!sm_conn) return; // wrong connection 3668 setup->sm_user_response = SM_USER_RESPONSE_DECLINE; 3669 3670 if (sm_conn->sm_engine_state == SM_PH1_W4_USER_RESPONSE){ 3671 switch (setup->sm_stk_generation_method){ 3672 case PK_RESP_INPUT: 3673 case PK_INIT_INPUT: 3674 case OK_BOTH_INPUT: 3675 sm_pairing_error(sm_conn, SM_GENERAL_SEND_PAIRING_FAILED); 3676 break; 3677 case NK_BOTH_INPUT: 3678 sm_pairing_error(sm_conn, SM_REASON_NUMERIC_COMPARISON_FAILED); 3679 break; 3680 case JUST_WORKS: 3681 case OOB: 3682 sm_pairing_error(sm_conn, SM_REASON_UNSPECIFIED_REASON); 3683 break; 3684 } 3685 } 3686 sm_run(); 3687 } 3688 3689 void sm_just_works_confirm(hci_con_handle_t con_handle){ 3690 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3691 if (!sm_conn) return; // wrong connection 3692 setup->sm_user_response = SM_USER_RESPONSE_CONFIRM; 3693 if (sm_conn->sm_engine_state == SM_PH1_W4_USER_RESPONSE){ 3694 if (setup->sm_use_secure_connections){ 3695 sm_conn->sm_engine_state = SM_SC_SEND_PUBLIC_KEY_COMMAND; 3696 } else { 3697 sm_conn->sm_engine_state = SM_PH2_C1_GET_RANDOM_A; 3698 } 3699 } 3700 3701 #ifdef ENABLE_LE_SECURE_CONNECTIONS 3702 if (sm_conn->sm_engine_state == SM_SC_W4_USER_RESPONSE){ 3703 sm_sc_prepare_dhkey_check(sm_conn); 3704 } 3705 #endif 3706 3707 sm_run(); 3708 } 3709 3710 void sm_numeric_comparison_confirm(hci_con_handle_t con_handle){ 3711 // for now, it's the same 3712 sm_just_works_confirm(con_handle); 3713 } 3714 3715 void sm_passkey_input(hci_con_handle_t con_handle, uint32_t passkey){ 3716 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3717 if (!sm_conn) return; // wrong connection 3718 sm_reset_tk(); 3719 big_endian_store_32(setup->sm_tk, 12, passkey); 3720 setup->sm_user_response = SM_USER_RESPONSE_PASSKEY; 3721 if (sm_conn->sm_engine_state == SM_PH1_W4_USER_RESPONSE){ 3722 sm_conn->sm_engine_state = SM_PH2_C1_GET_RANDOM_A; 3723 } 3724 #ifdef ENABLE_LE_SECURE_CONNECTIONS 3725 memcpy(setup->sm_ra, setup->sm_tk, 16); 3726 memcpy(setup->sm_rb, setup->sm_tk, 16); 3727 if (sm_conn->sm_engine_state == SM_SC_W4_USER_RESPONSE){ 3728 sm_sc_start_calculating_local_confirm(sm_conn); 3729 } 3730 #endif 3731 sm_run(); 3732 } 3733 3734 void sm_keypress_notification(hci_con_handle_t con_handle, uint8_t action){ 3735 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3736 if (!sm_conn) return; // wrong connection 3737 if (action > SM_KEYPRESS_PASSKEY_ENTRY_COMPLETED) return; 3738 setup->sm_keypress_notification = action; 3739 sm_run(); 3740 } 3741 3742 /** 3743 * @brief Identify device in LE Device DB 3744 * @param handle 3745 * @returns index from le_device_db or -1 if not found/identified 3746 */ 3747 int sm_le_device_index(hci_con_handle_t con_handle ){ 3748 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3749 if (!sm_conn) return -1; 3750 return sm_conn->sm_le_db_index; 3751 } 3752 3753 // GAP LE API 3754 void gap_random_address_set_mode(gap_random_address_type_t random_address_type){ 3755 gap_random_address_update_stop(); 3756 gap_random_adress_type = random_address_type; 3757 if (random_address_type == GAP_RANDOM_ADDRESS_TYPE_OFF) return; 3758 gap_random_address_update_start(); 3759 gap_random_address_trigger(); 3760 } 3761 3762 gap_random_address_type_t gap_random_address_get_mode(void){ 3763 return gap_random_adress_type; 3764 } 3765 3766 void gap_random_address_set_update_period(int period_ms){ 3767 gap_random_adress_update_period = period_ms; 3768 if (gap_random_adress_type == GAP_RANDOM_ADDRESS_TYPE_OFF) return; 3769 gap_random_address_update_stop(); 3770 gap_random_address_update_start(); 3771 } 3772 3773 void gap_random_address_set(bd_addr_t addr){ 3774 gap_random_address_set_mode(GAP_RANDOM_ADDRESS_TYPE_OFF); 3775 memcpy(sm_random_address, addr, 6); 3776 rau_state = RAU_SET_ADDRESS; 3777 sm_run(); 3778 } 3779 3780 /* 3781 * @brief Set Advertisement Paramters 3782 * @param adv_int_min 3783 * @param adv_int_max 3784 * @param adv_type 3785 * @param direct_address_type 3786 * @param direct_address 3787 * @param channel_map 3788 * @param filter_policy 3789 * 3790 * @note own_address_type is used from gap_random_address_set_mode 3791 */ 3792 void gap_advertisements_set_params(uint16_t adv_int_min, uint16_t adv_int_max, uint8_t adv_type, 3793 uint8_t direct_address_typ, bd_addr_t direct_address, uint8_t channel_map, uint8_t filter_policy){ 3794 hci_le_advertisements_set_params(adv_int_min, adv_int_max, adv_type, gap_random_adress_type, 3795 direct_address_typ, direct_address, channel_map, filter_policy); 3796 } 3797 3798