1 /* 2 * Copyright (C) 2014 BlueKitchen GmbH 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of the copyright holders nor the names of 14 * contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 4. Any redistribution, use, or modification is done solely for 17 * personal benefit and not for any commercial purpose or for 18 * monetary gain. 19 * 20 * THIS SOFTWARE IS PROVIDED BY BLUEKITCHEN GMBH AND CONTRIBUTORS 21 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 23 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL MATTHIAS 24 * RINGWALD OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 26 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS 27 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 28 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF 30 * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 * 33 * Please inquire about commercial licensing options at 34 * [email protected] 35 * 36 */ 37 38 #define __BTSTACK_FILE__ "sm.c" 39 40 #include <stdio.h> 41 #include <string.h> 42 #include <inttypes.h> 43 44 #include "ble/le_device_db.h" 45 #include "ble/core.h" 46 #include "ble/sm.h" 47 #include "bluetooth_company_id.h" 48 #include "btstack_debug.h" 49 #include "btstack_event.h" 50 #include "btstack_linked_list.h" 51 #include "btstack_memory.h" 52 #include "gap.h" 53 #include "hci.h" 54 #include "hci_dump.h" 55 #include "l2cap.h" 56 57 #if !defined(ENABLE_LE_PERIPHERAL) && !defined(ENABLE_LE_CENTRAL) 58 #error "LE Security Manager used, but neither ENABLE_LE_PERIPHERAL nor ENABLE_LE_CENTRAL defined. Please add at least one to btstack_config.h." 59 #endif 60 61 #if defined(ENABLE_LE_PERIPHERAL) && defined(ENABLE_LE_CENTRAL) 62 #define IS_RESPONDER(role) (role) 63 #else 64 #ifdef ENABLE_LE_CENTRAL 65 // only central - never responder (avoid 'unused variable' warnings) 66 #define IS_RESPONDER(role) (0 && role) 67 #else 68 // only peripheral - always responder (avoid 'unused variable' warnings) 69 #define IS_RESPONDER(role) (1 || role) 70 #endif 71 #endif 72 73 #ifdef ENABLE_LE_SECURE_CONNECTIONS 74 #ifdef HAVE_HCI_CONTROLLER_DHKEY_SUPPORT 75 #error "Support for DHKEY Support in HCI Controller not implemented yet. Please use software implementation" 76 #else 77 #define USE_MBEDTLS_FOR_ECDH 78 #endif 79 #endif 80 81 // Software ECDH implementation provided by mbedtls 82 #ifdef USE_MBEDTLS_FOR_ECDH 83 #include "mbedtls/config.h" 84 #include "mbedtls/platform.h" 85 #include "mbedtls/ecp.h" 86 #include "sm_mbedtls_allocator.h" 87 #endif 88 89 #if defined(ENABLE_LE_SIGNED_WRITE) || defined(ENABLE_LE_SECURE_CONNECTIONS) 90 #define ENABLE_CMAC_ENGINE 91 #endif 92 93 // 94 // SM internal types and globals 95 // 96 97 typedef enum { 98 DKG_W4_WORKING, 99 DKG_CALC_IRK, 100 DKG_W4_IRK, 101 DKG_CALC_DHK, 102 DKG_W4_DHK, 103 DKG_READY 104 } derived_key_generation_t; 105 106 typedef enum { 107 RAU_W4_WORKING, 108 RAU_IDLE, 109 RAU_GET_RANDOM, 110 RAU_W4_RANDOM, 111 RAU_GET_ENC, 112 RAU_W4_ENC, 113 RAU_SET_ADDRESS, 114 } random_address_update_t; 115 116 typedef enum { 117 CMAC_IDLE, 118 CMAC_CALC_SUBKEYS, 119 CMAC_W4_SUBKEYS, 120 CMAC_CALC_MI, 121 CMAC_W4_MI, 122 CMAC_CALC_MLAST, 123 CMAC_W4_MLAST 124 } cmac_state_t; 125 126 typedef enum { 127 JUST_WORKS, 128 PK_RESP_INPUT, // Initiator displays PK, responder inputs PK 129 PK_INIT_INPUT, // Responder displays PK, initiator inputs PK 130 OK_BOTH_INPUT, // Only input on both, both input PK 131 NK_BOTH_INPUT, // Only numerical compparison (yes/no) on on both sides 132 OOB // OOB available on both sides 133 } stk_generation_method_t; 134 135 typedef enum { 136 SM_USER_RESPONSE_IDLE, 137 SM_USER_RESPONSE_PENDING, 138 SM_USER_RESPONSE_CONFIRM, 139 SM_USER_RESPONSE_PASSKEY, 140 SM_USER_RESPONSE_DECLINE 141 } sm_user_response_t; 142 143 typedef enum { 144 SM_AES128_IDLE, 145 SM_AES128_ACTIVE 146 } sm_aes128_state_t; 147 148 typedef enum { 149 ADDRESS_RESOLUTION_IDLE, 150 ADDRESS_RESOLUTION_GENERAL, 151 ADDRESS_RESOLUTION_FOR_CONNECTION, 152 } address_resolution_mode_t; 153 154 typedef enum { 155 ADDRESS_RESOLUTION_SUCEEDED, 156 ADDRESS_RESOLUTION_FAILED, 157 } address_resolution_event_t; 158 159 typedef enum { 160 EC_KEY_GENERATION_IDLE, 161 EC_KEY_GENERATION_ACTIVE, 162 EC_KEY_GENERATION_W4_KEY, 163 EC_KEY_GENERATION_DONE, 164 } ec_key_generation_state_t; 165 166 typedef enum { 167 SM_STATE_VAR_DHKEY_COMMAND_RECEIVED = 1 << 0 168 } sm_state_var_t; 169 170 // 171 // GLOBAL DATA 172 // 173 174 static uint8_t test_use_fixed_local_csrk; 175 176 // configuration 177 static uint8_t sm_accepted_stk_generation_methods; 178 static uint8_t sm_max_encryption_key_size; 179 static uint8_t sm_min_encryption_key_size; 180 static uint8_t sm_auth_req = 0; 181 static uint8_t sm_io_capabilities = IO_CAPABILITY_NO_INPUT_NO_OUTPUT; 182 static uint8_t sm_slave_request_security; 183 #ifdef ENABLE_LE_SECURE_CONNECTIONS 184 static uint8_t sm_have_ec_keypair; 185 #endif 186 187 // Security Manager Master Keys, please use sm_set_er(er) and sm_set_ir(ir) with your own 128 bit random values 188 static sm_key_t sm_persistent_er; 189 static sm_key_t sm_persistent_ir; 190 191 // derived from sm_persistent_ir 192 static sm_key_t sm_persistent_dhk; 193 static sm_key_t sm_persistent_irk; 194 static uint8_t sm_persistent_irk_ready = 0; // used for testing 195 static derived_key_generation_t dkg_state; 196 197 // derived from sm_persistent_er 198 // .. 199 200 // random address update 201 static random_address_update_t rau_state; 202 static bd_addr_t sm_random_address; 203 204 // CMAC Calculation: General 205 #ifdef ENABLE_CMAC_ENGINE 206 static cmac_state_t sm_cmac_state; 207 static uint16_t sm_cmac_message_len; 208 static sm_key_t sm_cmac_k; 209 static sm_key_t sm_cmac_x; 210 static sm_key_t sm_cmac_m_last; 211 static uint8_t sm_cmac_block_current; 212 static uint8_t sm_cmac_block_count; 213 static uint8_t (*sm_cmac_get_byte)(uint16_t offset); 214 static void (*sm_cmac_done_handler)(uint8_t * hash); 215 #endif 216 217 // CMAC for ATT Signed Writes 218 #ifdef ENABLE_LE_SIGNED_WRITE 219 static uint8_t sm_cmac_header[3]; 220 static const uint8_t * sm_cmac_message; 221 static uint8_t sm_cmac_sign_counter[4]; 222 #endif 223 224 // CMAC for Secure Connection functions 225 #ifdef ENABLE_LE_SECURE_CONNECTIONS 226 static sm_connection_t * sm_cmac_connection; 227 static uint8_t sm_cmac_sc_buffer[80]; 228 #endif 229 230 // resolvable private address lookup / CSRK calculation 231 static int sm_address_resolution_test; 232 static int sm_address_resolution_ah_calculation_active; 233 static uint8_t sm_address_resolution_addr_type; 234 static bd_addr_t sm_address_resolution_address; 235 static void * sm_address_resolution_context; 236 static address_resolution_mode_t sm_address_resolution_mode; 237 static btstack_linked_list_t sm_address_resolution_general_queue; 238 239 // aes128 crypto engine. store current sm_connection_t in sm_aes128_context 240 static sm_aes128_state_t sm_aes128_state; 241 static void * sm_aes128_context; 242 243 // random engine. store context (ususally sm_connection_t) 244 static void * sm_random_context; 245 246 // to receive hci events 247 static btstack_packet_callback_registration_t hci_event_callback_registration; 248 249 /* to dispatch sm event */ 250 static btstack_linked_list_t sm_event_handlers; 251 252 // LE Secure Connections 253 #ifdef ENABLE_LE_SECURE_CONNECTIONS 254 static ec_key_generation_state_t ec_key_generation_state; 255 static uint8_t ec_d[32]; 256 static uint8_t ec_q[64]; 257 #endif 258 259 // Software ECDH implementation provided by mbedtls 260 #ifdef USE_MBEDTLS_FOR_ECDH 261 // group is always valid 262 static mbedtls_ecp_group mbedtls_ec_group; 263 #ifndef HAVE_MALLOC 264 // COMP Method with Window 2 265 // 1300 bytes with 23 allocations 266 // #define MBEDTLS_ALLOC_BUFFER_SIZE (1300+23*sizeof(void *)) 267 // NAIVE Method with safe cond assignments (without safe cond, order changes and allocations fail) 268 #define MBEDTLS_ALLOC_BUFFER_SIZE (700+18*sizeof(void *)) 269 static uint8_t mbedtls_memory_buffer[MBEDTLS_ALLOC_BUFFER_SIZE]; 270 #endif 271 #endif 272 273 // 274 // Volume 3, Part H, Chapter 24 275 // "Security shall be initiated by the Security Manager in the device in the master role. 276 // The device in the slave role shall be the responding device." 277 // -> master := initiator, slave := responder 278 // 279 280 // data needed for security setup 281 typedef struct sm_setup_context { 282 283 btstack_timer_source_t sm_timeout; 284 285 // used in all phases 286 uint8_t sm_pairing_failed_reason; 287 288 // user response, (Phase 1 and/or 2) 289 uint8_t sm_user_response; 290 uint8_t sm_keypress_notification; 291 292 // defines which keys will be send after connection is encrypted - calculated during Phase 1, used Phase 3 293 int sm_key_distribution_send_set; 294 int sm_key_distribution_received_set; 295 296 // Phase 2 (Pairing over SMP) 297 stk_generation_method_t sm_stk_generation_method; 298 sm_key_t sm_tk; 299 uint8_t sm_use_secure_connections; 300 301 sm_key_t sm_c1_t3_value; // c1 calculation 302 sm_pairing_packet_t sm_m_preq; // pairing request - needed only for c1 303 sm_pairing_packet_t sm_s_pres; // pairing response - needed only for c1 304 sm_key_t sm_local_random; 305 sm_key_t sm_local_confirm; 306 sm_key_t sm_peer_random; 307 sm_key_t sm_peer_confirm; 308 uint8_t sm_m_addr_type; // address and type can be removed 309 uint8_t sm_s_addr_type; // '' 310 bd_addr_t sm_m_address; // '' 311 bd_addr_t sm_s_address; // '' 312 sm_key_t sm_ltk; 313 314 uint8_t sm_state_vars; 315 #ifdef ENABLE_LE_SECURE_CONNECTIONS 316 uint8_t sm_peer_q[64]; // also stores random for EC key generation during init 317 sm_key_t sm_peer_nonce; // might be combined with sm_peer_random 318 sm_key_t sm_local_nonce; // might be combined with sm_local_random 319 sm_key_t sm_peer_dhkey_check; 320 sm_key_t sm_local_dhkey_check; 321 sm_key_t sm_ra; 322 sm_key_t sm_rb; 323 sm_key_t sm_t; // used for f5 and h6 324 sm_key_t sm_mackey; 325 uint8_t sm_passkey_bit; // also stores number of generated random bytes for EC key generation 326 #endif 327 328 // Phase 3 329 330 // key distribution, we generate 331 uint16_t sm_local_y; 332 uint16_t sm_local_div; 333 uint16_t sm_local_ediv; 334 uint8_t sm_local_rand[8]; 335 sm_key_t sm_local_ltk; 336 sm_key_t sm_local_csrk; 337 sm_key_t sm_local_irk; 338 // sm_local_address/addr_type not needed 339 340 // key distribution, received from peer 341 uint16_t sm_peer_y; 342 uint16_t sm_peer_div; 343 uint16_t sm_peer_ediv; 344 uint8_t sm_peer_rand[8]; 345 sm_key_t sm_peer_ltk; 346 sm_key_t sm_peer_irk; 347 sm_key_t sm_peer_csrk; 348 uint8_t sm_peer_addr_type; 349 bd_addr_t sm_peer_address; 350 351 } sm_setup_context_t; 352 353 // 354 static sm_setup_context_t the_setup; 355 static sm_setup_context_t * setup = &the_setup; 356 357 // active connection - the one for which the_setup is used for 358 static uint16_t sm_active_connection = 0; 359 360 // @returns 1 if oob data is available 361 // stores oob data in provided 16 byte buffer if not null 362 static int (*sm_get_oob_data)(uint8_t addres_type, bd_addr_t addr, uint8_t * oob_data) = NULL; 363 364 // horizontal: initiator capabilities 365 // vertial: responder capabilities 366 static const stk_generation_method_t stk_generation_method [5] [5] = { 367 { JUST_WORKS, JUST_WORKS, PK_INIT_INPUT, JUST_WORKS, PK_INIT_INPUT }, 368 { JUST_WORKS, JUST_WORKS, PK_INIT_INPUT, JUST_WORKS, PK_INIT_INPUT }, 369 { PK_RESP_INPUT, PK_RESP_INPUT, OK_BOTH_INPUT, JUST_WORKS, PK_RESP_INPUT }, 370 { JUST_WORKS, JUST_WORKS, JUST_WORKS, JUST_WORKS, JUST_WORKS }, 371 { PK_RESP_INPUT, PK_RESP_INPUT, PK_INIT_INPUT, JUST_WORKS, PK_RESP_INPUT }, 372 }; 373 374 // uses numeric comparison if one side has DisplayYesNo and KeyboardDisplay combinations 375 #ifdef ENABLE_LE_SECURE_CONNECTIONS 376 static const stk_generation_method_t stk_generation_method_with_secure_connection[5][5] = { 377 { JUST_WORKS, JUST_WORKS, PK_INIT_INPUT, JUST_WORKS, PK_INIT_INPUT }, 378 { JUST_WORKS, NK_BOTH_INPUT, PK_INIT_INPUT, JUST_WORKS, NK_BOTH_INPUT }, 379 { PK_RESP_INPUT, PK_RESP_INPUT, OK_BOTH_INPUT, JUST_WORKS, PK_RESP_INPUT }, 380 { JUST_WORKS, JUST_WORKS, JUST_WORKS, JUST_WORKS, JUST_WORKS }, 381 { PK_RESP_INPUT, NK_BOTH_INPUT, PK_INIT_INPUT, JUST_WORKS, NK_BOTH_INPUT }, 382 }; 383 #endif 384 385 static void sm_run(void); 386 static void sm_done_for_handle(hci_con_handle_t con_handle); 387 static sm_connection_t * sm_get_connection_for_handle(hci_con_handle_t con_handle); 388 static inline int sm_calc_actual_encryption_key_size(int other); 389 static int sm_validate_stk_generation_method(void); 390 391 static void log_info_hex16(const char * name, uint16_t value){ 392 log_info("%-6s 0x%04x", name, value); 393 } 394 395 // @returns 1 if all bytes are 0 396 static int sm_is_null(uint8_t * data, int size){ 397 int i; 398 for (i=0; i < size ; i++){ 399 if (data[i]) return 0; 400 } 401 return 1; 402 } 403 404 static int sm_is_null_random(uint8_t random[8]){ 405 return sm_is_null(random, 8); 406 } 407 408 static int sm_is_null_key(uint8_t * key){ 409 return sm_is_null(key, 16); 410 } 411 412 // Key utils 413 static void sm_reset_tk(void){ 414 int i; 415 for (i=0;i<16;i++){ 416 setup->sm_tk[i] = 0; 417 } 418 } 419 420 // "For example, if a 128-bit encryption key is 0x123456789ABCDEF0123456789ABCDEF0 421 // and it is reduced to 7 octets (56 bits), then the resulting key is 0x0000000000000000003456789ABCDEF0."" 422 static void sm_truncate_key(sm_key_t key, int max_encryption_size){ 423 int i; 424 for (i = max_encryption_size ; i < 16 ; i++){ 425 key[15-i] = 0; 426 } 427 } 428 429 // SMP Timeout implementation 430 431 // Upon transmission of the Pairing Request command or reception of the Pairing Request command, 432 // the Security Manager Timer shall be reset and started. 433 // 434 // The Security Manager Timer shall be reset when an L2CAP SMP command is queued for transmission. 435 // 436 // If the Security Manager Timer reaches 30 seconds, the procedure shall be considered to have failed, 437 // and the local higher layer shall be notified. No further SMP commands shall be sent over the L2CAP 438 // Security Manager Channel. A new SM procedure shall only be performed when a new physical link has been 439 // established. 440 441 static void sm_timeout_handler(btstack_timer_source_t * timer){ 442 log_info("SM timeout"); 443 sm_connection_t * sm_conn = (sm_connection_t*) btstack_run_loop_get_timer_context(timer); 444 sm_conn->sm_engine_state = SM_GENERAL_TIMEOUT; 445 sm_done_for_handle(sm_conn->sm_handle); 446 447 // trigger handling of next ready connection 448 sm_run(); 449 } 450 static void sm_timeout_start(sm_connection_t * sm_conn){ 451 btstack_run_loop_remove_timer(&setup->sm_timeout); 452 btstack_run_loop_set_timer_context(&setup->sm_timeout, sm_conn); 453 btstack_run_loop_set_timer_handler(&setup->sm_timeout, sm_timeout_handler); 454 btstack_run_loop_set_timer(&setup->sm_timeout, 30000); // 30 seconds sm timeout 455 btstack_run_loop_add_timer(&setup->sm_timeout); 456 } 457 static void sm_timeout_stop(void){ 458 btstack_run_loop_remove_timer(&setup->sm_timeout); 459 } 460 static void sm_timeout_reset(sm_connection_t * sm_conn){ 461 sm_timeout_stop(); 462 sm_timeout_start(sm_conn); 463 } 464 465 // end of sm timeout 466 467 // GAP Random Address updates 468 static gap_random_address_type_t gap_random_adress_type; 469 static btstack_timer_source_t gap_random_address_update_timer; 470 static uint32_t gap_random_adress_update_period; 471 472 static void gap_random_address_trigger(void){ 473 if (rau_state != RAU_IDLE) return; 474 log_info("gap_random_address_trigger"); 475 rau_state = RAU_GET_RANDOM; 476 sm_run(); 477 } 478 479 static void gap_random_address_update_handler(btstack_timer_source_t * timer){ 480 UNUSED(timer); 481 482 log_info("GAP Random Address Update due"); 483 btstack_run_loop_set_timer(&gap_random_address_update_timer, gap_random_adress_update_period); 484 btstack_run_loop_add_timer(&gap_random_address_update_timer); 485 gap_random_address_trigger(); 486 } 487 488 static void gap_random_address_update_start(void){ 489 btstack_run_loop_set_timer_handler(&gap_random_address_update_timer, gap_random_address_update_handler); 490 btstack_run_loop_set_timer(&gap_random_address_update_timer, gap_random_adress_update_period); 491 btstack_run_loop_add_timer(&gap_random_address_update_timer); 492 } 493 494 static void gap_random_address_update_stop(void){ 495 btstack_run_loop_remove_timer(&gap_random_address_update_timer); 496 } 497 498 499 static void sm_random_start(void * context){ 500 sm_random_context = context; 501 hci_send_cmd(&hci_le_rand); 502 } 503 504 // pre: sm_aes128_state != SM_AES128_ACTIVE, hci_can_send_command == 1 505 // context is made availabe to aes128 result handler by this 506 static void sm_aes128_start(sm_key_t key, sm_key_t plaintext, void * context){ 507 sm_aes128_state = SM_AES128_ACTIVE; 508 sm_key_t key_flipped, plaintext_flipped; 509 reverse_128(key, key_flipped); 510 reverse_128(plaintext, plaintext_flipped); 511 sm_aes128_context = context; 512 hci_send_cmd(&hci_le_encrypt, key_flipped, plaintext_flipped); 513 } 514 515 // ah(k,r) helper 516 // r = padding || r 517 // r - 24 bit value 518 static void sm_ah_r_prime(uint8_t r[3], uint8_t * r_prime){ 519 // r'= padding || r 520 memset(r_prime, 0, 16); 521 memcpy(&r_prime[13], r, 3); 522 } 523 524 // d1 helper 525 // d' = padding || r || d 526 // d,r - 16 bit values 527 static void sm_d1_d_prime(uint16_t d, uint16_t r, uint8_t * d1_prime){ 528 // d'= padding || r || d 529 memset(d1_prime, 0, 16); 530 big_endian_store_16(d1_prime, 12, r); 531 big_endian_store_16(d1_prime, 14, d); 532 } 533 534 // dm helper 535 // r’ = padding || r 536 // r - 64 bit value 537 static void sm_dm_r_prime(uint8_t r[8], uint8_t * r_prime){ 538 memset(r_prime, 0, 16); 539 memcpy(&r_prime[8], r, 8); 540 } 541 542 // calculate arguments for first AES128 operation in C1 function 543 static void sm_c1_t1(sm_key_t r, uint8_t preq[7], uint8_t pres[7], uint8_t iat, uint8_t rat, uint8_t * t1){ 544 545 // p1 = pres || preq || rat’ || iat’ 546 // "The octet of iat’ becomes the least significant octet of p1 and the most signifi- 547 // cant octet of pres becomes the most significant octet of p1. 548 // For example, if the 8-bit iat’ is 0x01, the 8-bit rat’ is 0x00, the 56-bit preq 549 // is 0x07071000000101 and the 56 bit pres is 0x05000800000302 then 550 // p1 is 0x05000800000302070710000001010001." 551 552 sm_key_t p1; 553 reverse_56(pres, &p1[0]); 554 reverse_56(preq, &p1[7]); 555 p1[14] = rat; 556 p1[15] = iat; 557 log_info_key("p1", p1); 558 log_info_key("r", r); 559 560 // t1 = r xor p1 561 int i; 562 for (i=0;i<16;i++){ 563 t1[i] = r[i] ^ p1[i]; 564 } 565 log_info_key("t1", t1); 566 } 567 568 // calculate arguments for second AES128 operation in C1 function 569 static void sm_c1_t3(sm_key_t t2, bd_addr_t ia, bd_addr_t ra, uint8_t * t3){ 570 // p2 = padding || ia || ra 571 // "The least significant octet of ra becomes the least significant octet of p2 and 572 // the most significant octet of padding becomes the most significant octet of p2. 573 // For example, if 48-bit ia is 0xA1A2A3A4A5A6 and the 48-bit ra is 574 // 0xB1B2B3B4B5B6 then p2 is 0x00000000A1A2A3A4A5A6B1B2B3B4B5B6. 575 576 sm_key_t p2; 577 memset(p2, 0, 16); 578 memcpy(&p2[4], ia, 6); 579 memcpy(&p2[10], ra, 6); 580 log_info_key("p2", p2); 581 582 // c1 = e(k, t2_xor_p2) 583 int i; 584 for (i=0;i<16;i++){ 585 t3[i] = t2[i] ^ p2[i]; 586 } 587 log_info_key("t3", t3); 588 } 589 590 static void sm_s1_r_prime(sm_key_t r1, sm_key_t r2, uint8_t * r_prime){ 591 log_info_key("r1", r1); 592 log_info_key("r2", r2); 593 memcpy(&r_prime[8], &r2[8], 8); 594 memcpy(&r_prime[0], &r1[8], 8); 595 } 596 597 #ifdef ENABLE_LE_SECURE_CONNECTIONS 598 // Software implementations of crypto toolbox for LE Secure Connection 599 // TODO: replace with code to use AES Engine of HCI Controller 600 typedef uint8_t sm_key24_t[3]; 601 typedef uint8_t sm_key56_t[7]; 602 typedef uint8_t sm_key256_t[32]; 603 604 #if 0 605 static void aes128_calc_cyphertext(const uint8_t key[16], const uint8_t plaintext[16], uint8_t cyphertext[16]){ 606 uint32_t rk[RKLENGTH(KEYBITS)]; 607 int nrounds = rijndaelSetupEncrypt(rk, &key[0], KEYBITS); 608 rijndaelEncrypt(rk, nrounds, plaintext, cyphertext); 609 } 610 611 static void calc_subkeys(sm_key_t k0, sm_key_t k1, sm_key_t k2){ 612 memcpy(k1, k0, 16); 613 sm_shift_left_by_one_bit_inplace(16, k1); 614 if (k0[0] & 0x80){ 615 k1[15] ^= 0x87; 616 } 617 memcpy(k2, k1, 16); 618 sm_shift_left_by_one_bit_inplace(16, k2); 619 if (k1[0] & 0x80){ 620 k2[15] ^= 0x87; 621 } 622 } 623 624 static void aes_cmac(sm_key_t aes_cmac, const sm_key_t key, const uint8_t * data, int cmac_message_len){ 625 sm_key_t k0, k1, k2, zero; 626 memset(zero, 0, 16); 627 628 aes128_calc_cyphertext(key, zero, k0); 629 calc_subkeys(k0, k1, k2); 630 631 int cmac_block_count = (cmac_message_len + 15) / 16; 632 633 // step 3: .. 634 if (cmac_block_count==0){ 635 cmac_block_count = 1; 636 } 637 638 // step 4: set m_last 639 sm_key_t cmac_m_last; 640 int sm_cmac_last_block_complete = cmac_message_len != 0 && (cmac_message_len & 0x0f) == 0; 641 int i; 642 if (sm_cmac_last_block_complete){ 643 for (i=0;i<16;i++){ 644 cmac_m_last[i] = data[cmac_message_len - 16 + i] ^ k1[i]; 645 } 646 } else { 647 int valid_octets_in_last_block = cmac_message_len & 0x0f; 648 for (i=0;i<16;i++){ 649 if (i < valid_octets_in_last_block){ 650 cmac_m_last[i] = data[(cmac_message_len & 0xfff0) + i] ^ k2[i]; 651 continue; 652 } 653 if (i == valid_octets_in_last_block){ 654 cmac_m_last[i] = 0x80 ^ k2[i]; 655 continue; 656 } 657 cmac_m_last[i] = k2[i]; 658 } 659 } 660 661 // printf("sm_cmac_start: len %u, block count %u\n", cmac_message_len, cmac_block_count); 662 // LOG_KEY(cmac_m_last); 663 664 // Step 5 665 sm_key_t cmac_x; 666 memset(cmac_x, 0, 16); 667 668 // Step 6 669 sm_key_t sm_cmac_y; 670 for (int block = 0 ; block < cmac_block_count-1 ; block++){ 671 for (i=0;i<16;i++){ 672 sm_cmac_y[i] = cmac_x[i] ^ data[block * 16 + i]; 673 } 674 aes128_calc_cyphertext(key, sm_cmac_y, cmac_x); 675 } 676 for (i=0;i<16;i++){ 677 sm_cmac_y[i] = cmac_x[i] ^ cmac_m_last[i]; 678 } 679 680 // Step 7 681 aes128_calc_cyphertext(key, sm_cmac_y, aes_cmac); 682 } 683 #endif 684 #endif 685 686 static void sm_setup_event_base(uint8_t * event, int event_size, uint8_t type, hci_con_handle_t con_handle, uint8_t addr_type, bd_addr_t address){ 687 event[0] = type; 688 event[1] = event_size - 2; 689 little_endian_store_16(event, 2, con_handle); 690 event[4] = addr_type; 691 reverse_bd_addr(address, &event[5]); 692 } 693 694 static void sm_dispatch_event(uint8_t packet_type, uint16_t channel, uint8_t * packet, uint16_t size){ 695 UNUSED(channel); 696 697 // log event 698 hci_dump_packet(packet_type, 1, packet, size); 699 // dispatch to all event handlers 700 btstack_linked_list_iterator_t it; 701 btstack_linked_list_iterator_init(&it, &sm_event_handlers); 702 while (btstack_linked_list_iterator_has_next(&it)){ 703 btstack_packet_callback_registration_t * entry = (btstack_packet_callback_registration_t*) btstack_linked_list_iterator_next(&it); 704 entry->callback(packet_type, 0, packet, size); 705 } 706 } 707 708 static void sm_notify_client_base(uint8_t type, hci_con_handle_t con_handle, uint8_t addr_type, bd_addr_t address){ 709 uint8_t event[11]; 710 sm_setup_event_base(event, sizeof(event), type, con_handle, addr_type, address); 711 sm_dispatch_event(HCI_EVENT_PACKET, 0, event, sizeof(event)); 712 } 713 714 static void sm_notify_client_passkey(uint8_t type, hci_con_handle_t con_handle, uint8_t addr_type, bd_addr_t address, uint32_t passkey){ 715 uint8_t event[15]; 716 sm_setup_event_base(event, sizeof(event), type, con_handle, addr_type, address); 717 little_endian_store_32(event, 11, passkey); 718 sm_dispatch_event(HCI_EVENT_PACKET, 0, event, sizeof(event)); 719 } 720 721 static void sm_notify_client_index(uint8_t type, hci_con_handle_t con_handle, uint8_t addr_type, bd_addr_t address, uint16_t index){ 722 // fetch addr and addr type from db 723 bd_addr_t identity_address; 724 int identity_address_type; 725 le_device_db_info(index, &identity_address_type, identity_address, NULL); 726 727 uint8_t event[19]; 728 sm_setup_event_base(event, sizeof(event), type, con_handle, addr_type, address); 729 event[11] = identity_address_type; 730 reverse_bd_addr(identity_address, &event[12]); 731 event[18] = index; 732 sm_dispatch_event(HCI_EVENT_PACKET, 0, event, sizeof(event)); 733 } 734 735 static void sm_notify_client_authorization(uint8_t type, hci_con_handle_t con_handle, uint8_t addr_type, bd_addr_t address, uint8_t result){ 736 737 uint8_t event[18]; 738 sm_setup_event_base(event, sizeof(event), type, con_handle, addr_type, address); 739 event[11] = result; 740 sm_dispatch_event(HCI_EVENT_PACKET, 0, (uint8_t*) &event, sizeof(event)); 741 } 742 743 // decide on stk generation based on 744 // - pairing request 745 // - io capabilities 746 // - OOB data availability 747 static void sm_setup_tk(void){ 748 749 // default: just works 750 setup->sm_stk_generation_method = JUST_WORKS; 751 752 #ifdef ENABLE_LE_SECURE_CONNECTIONS 753 setup->sm_use_secure_connections = ( sm_pairing_packet_get_auth_req(setup->sm_m_preq) 754 & sm_pairing_packet_get_auth_req(setup->sm_s_pres) 755 & SM_AUTHREQ_SECURE_CONNECTION ) != 0; 756 memset(setup->sm_ra, 0, 16); 757 memset(setup->sm_rb, 0, 16); 758 #else 759 setup->sm_use_secure_connections = 0; 760 #endif 761 762 // If both devices have not set the MITM option in the Authentication Requirements 763 // Flags, then the IO capabilities shall be ignored and the Just Works association 764 // model shall be used. 765 if (((sm_pairing_packet_get_auth_req(setup->sm_m_preq) & SM_AUTHREQ_MITM_PROTECTION) == 0) 766 && ((sm_pairing_packet_get_auth_req(setup->sm_s_pres) & SM_AUTHREQ_MITM_PROTECTION) == 0)){ 767 log_info("SM: MITM not required by both -> JUST WORKS"); 768 return; 769 } 770 771 // TODO: with LE SC, OOB is used to transfer data OOB during pairing, single device with OOB is sufficient 772 773 // If both devices have out of band authentication data, then the Authentication 774 // Requirements Flags shall be ignored when selecting the pairing method and the 775 // Out of Band pairing method shall be used. 776 if (sm_pairing_packet_get_oob_data_flag(setup->sm_m_preq) 777 && sm_pairing_packet_get_oob_data_flag(setup->sm_s_pres)){ 778 log_info("SM: have OOB data"); 779 log_info_key("OOB", setup->sm_tk); 780 setup->sm_stk_generation_method = OOB; 781 return; 782 } 783 784 // Reset TK as it has been setup in sm_init_setup 785 sm_reset_tk(); 786 787 // Also use just works if unknown io capabilites 788 if ((sm_pairing_packet_get_io_capability(setup->sm_m_preq) > IO_CAPABILITY_KEYBOARD_DISPLAY) || (sm_pairing_packet_get_io_capability(setup->sm_s_pres) > IO_CAPABILITY_KEYBOARD_DISPLAY)){ 789 return; 790 } 791 792 // Otherwise the IO capabilities of the devices shall be used to determine the 793 // pairing method as defined in Table 2.4. 794 // see http://stackoverflow.com/a/1052837/393697 for how to specify pointer to 2-dimensional array 795 const stk_generation_method_t (*generation_method)[5] = stk_generation_method; 796 797 #ifdef ENABLE_LE_SECURE_CONNECTIONS 798 // table not define by default 799 if (setup->sm_use_secure_connections){ 800 generation_method = stk_generation_method_with_secure_connection; 801 } 802 #endif 803 setup->sm_stk_generation_method = generation_method[sm_pairing_packet_get_io_capability(setup->sm_s_pres)][sm_pairing_packet_get_io_capability(setup->sm_m_preq)]; 804 805 log_info("sm_setup_tk: master io cap: %u, slave io cap: %u -> method %u", 806 sm_pairing_packet_get_io_capability(setup->sm_m_preq), sm_pairing_packet_get_io_capability(setup->sm_s_pres), setup->sm_stk_generation_method); 807 } 808 809 static int sm_key_distribution_flags_for_set(uint8_t key_set){ 810 int flags = 0; 811 if (key_set & SM_KEYDIST_ENC_KEY){ 812 flags |= SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION; 813 flags |= SM_KEYDIST_FLAG_MASTER_IDENTIFICATION; 814 } 815 if (key_set & SM_KEYDIST_ID_KEY){ 816 flags |= SM_KEYDIST_FLAG_IDENTITY_INFORMATION; 817 flags |= SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION; 818 } 819 if (key_set & SM_KEYDIST_SIGN){ 820 flags |= SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION; 821 } 822 return flags; 823 } 824 825 static void sm_setup_key_distribution(uint8_t key_set){ 826 setup->sm_key_distribution_received_set = 0; 827 setup->sm_key_distribution_send_set = sm_key_distribution_flags_for_set(key_set); 828 } 829 830 // CSRK Key Lookup 831 832 833 static int sm_address_resolution_idle(void){ 834 return sm_address_resolution_mode == ADDRESS_RESOLUTION_IDLE; 835 } 836 837 static void sm_address_resolution_start_lookup(uint8_t addr_type, hci_con_handle_t con_handle, bd_addr_t addr, address_resolution_mode_t mode, void * context){ 838 memcpy(sm_address_resolution_address, addr, 6); 839 sm_address_resolution_addr_type = addr_type; 840 sm_address_resolution_test = 0; 841 sm_address_resolution_mode = mode; 842 sm_address_resolution_context = context; 843 sm_notify_client_base(SM_EVENT_IDENTITY_RESOLVING_STARTED, con_handle, addr_type, addr); 844 } 845 846 int sm_address_resolution_lookup(uint8_t address_type, bd_addr_t address){ 847 // check if already in list 848 btstack_linked_list_iterator_t it; 849 sm_lookup_entry_t * entry; 850 btstack_linked_list_iterator_init(&it, &sm_address_resolution_general_queue); 851 while(btstack_linked_list_iterator_has_next(&it)){ 852 entry = (sm_lookup_entry_t *) btstack_linked_list_iterator_next(&it); 853 if (entry->address_type != address_type) continue; 854 if (memcmp(entry->address, address, 6)) continue; 855 // already in list 856 return BTSTACK_BUSY; 857 } 858 entry = btstack_memory_sm_lookup_entry_get(); 859 if (!entry) return BTSTACK_MEMORY_ALLOC_FAILED; 860 entry->address_type = (bd_addr_type_t) address_type; 861 memcpy(entry->address, address, 6); 862 btstack_linked_list_add(&sm_address_resolution_general_queue, (btstack_linked_item_t *) entry); 863 sm_run(); 864 return 0; 865 } 866 867 // while x_state++ for an enum is possible in C, it isn't in C++. we use this helpers to avoid compile errors for now 868 static inline void sm_next_responding_state(sm_connection_t * sm_conn){ 869 sm_conn->sm_engine_state = (security_manager_state_t) (((int)sm_conn->sm_engine_state) + 1); 870 } 871 static inline void dkg_next_state(void){ 872 dkg_state = (derived_key_generation_t) (((int)dkg_state) + 1); 873 } 874 static inline void rau_next_state(void){ 875 rau_state = (random_address_update_t) (((int)rau_state) + 1); 876 } 877 878 // CMAC calculation using AES Engine 879 #ifdef ENABLE_CMAC_ENGINE 880 881 static inline void sm_cmac_next_state(void){ 882 sm_cmac_state = (cmac_state_t) (((int)sm_cmac_state) + 1); 883 } 884 885 static int sm_cmac_last_block_complete(void){ 886 if (sm_cmac_message_len == 0) return 0; 887 return (sm_cmac_message_len & 0x0f) == 0; 888 } 889 890 int sm_cmac_ready(void){ 891 return sm_cmac_state == CMAC_IDLE; 892 } 893 894 // generic cmac calculation 895 void sm_cmac_general_start(const sm_key_t key, uint16_t message_len, uint8_t (*get_byte_callback)(uint16_t offset), void (*done_callback)(uint8_t hash[8])){ 896 // Generalized CMAC 897 memcpy(sm_cmac_k, key, 16); 898 memset(sm_cmac_x, 0, 16); 899 sm_cmac_block_current = 0; 900 sm_cmac_message_len = message_len; 901 sm_cmac_done_handler = done_callback; 902 sm_cmac_get_byte = get_byte_callback; 903 904 // step 2: n := ceil(len/const_Bsize); 905 sm_cmac_block_count = (sm_cmac_message_len + 15) / 16; 906 907 // step 3: .. 908 if (sm_cmac_block_count==0){ 909 sm_cmac_block_count = 1; 910 } 911 log_info("sm_cmac_general_start: len %u, block count %u", sm_cmac_message_len, sm_cmac_block_count); 912 913 // first, we need to compute l for k1, k2, and m_last 914 sm_cmac_state = CMAC_CALC_SUBKEYS; 915 916 // let's go 917 sm_run(); 918 } 919 #endif 920 921 // cmac for ATT Message signing 922 #ifdef ENABLE_LE_SIGNED_WRITE 923 static uint8_t sm_cmac_signed_write_message_get_byte(uint16_t offset){ 924 if (offset >= sm_cmac_message_len) { 925 log_error("sm_cmac_signed_write_message_get_byte. out of bounds, access %u, len %u", offset, sm_cmac_message_len); 926 return 0; 927 } 928 929 offset = sm_cmac_message_len - 1 - offset; 930 931 // sm_cmac_header[3] | message[] | sm_cmac_sign_counter[4] 932 if (offset < 3){ 933 return sm_cmac_header[offset]; 934 } 935 int actual_message_len_incl_header = sm_cmac_message_len - 4; 936 if (offset < actual_message_len_incl_header){ 937 return sm_cmac_message[offset - 3]; 938 } 939 return sm_cmac_sign_counter[offset - actual_message_len_incl_header]; 940 } 941 942 void sm_cmac_signed_write_start(const sm_key_t k, uint8_t opcode, hci_con_handle_t con_handle, uint16_t message_len, const uint8_t * message, uint32_t sign_counter, void (*done_handler)(uint8_t * hash)){ 943 // ATT Message Signing 944 sm_cmac_header[0] = opcode; 945 little_endian_store_16(sm_cmac_header, 1, con_handle); 946 little_endian_store_32(sm_cmac_sign_counter, 0, sign_counter); 947 uint16_t total_message_len = 3 + message_len + 4; // incl. virtually prepended att opcode, handle and appended sign_counter in LE 948 sm_cmac_message = message; 949 sm_cmac_general_start(k, total_message_len, &sm_cmac_signed_write_message_get_byte, done_handler); 950 } 951 #endif 952 953 #ifdef ENABLE_CMAC_ENGINE 954 static void sm_cmac_handle_aes_engine_ready(void){ 955 switch (sm_cmac_state){ 956 case CMAC_CALC_SUBKEYS: { 957 sm_key_t const_zero; 958 memset(const_zero, 0, 16); 959 sm_cmac_next_state(); 960 sm_aes128_start(sm_cmac_k, const_zero, NULL); 961 break; 962 } 963 case CMAC_CALC_MI: { 964 int j; 965 sm_key_t y; 966 for (j=0;j<16;j++){ 967 y[j] = sm_cmac_x[j] ^ sm_cmac_get_byte(sm_cmac_block_current*16 + j); 968 } 969 sm_cmac_block_current++; 970 sm_cmac_next_state(); 971 sm_aes128_start(sm_cmac_k, y, NULL); 972 break; 973 } 974 case CMAC_CALC_MLAST: { 975 int i; 976 sm_key_t y; 977 for (i=0;i<16;i++){ 978 y[i] = sm_cmac_x[i] ^ sm_cmac_m_last[i]; 979 } 980 log_info_key("Y", y); 981 sm_cmac_block_current++; 982 sm_cmac_next_state(); 983 sm_aes128_start(sm_cmac_k, y, NULL); 984 break; 985 } 986 default: 987 log_info("sm_cmac_handle_aes_engine_ready called in state %u", sm_cmac_state); 988 break; 989 } 990 } 991 992 // CMAC Implementation using AES128 engine 993 static void sm_shift_left_by_one_bit_inplace(int len, uint8_t * data){ 994 int i; 995 int carry = 0; 996 for (i=len-1; i >= 0 ; i--){ 997 int new_carry = data[i] >> 7; 998 data[i] = data[i] << 1 | carry; 999 carry = new_carry; 1000 } 1001 } 1002 1003 static void sm_cmac_handle_encryption_result(sm_key_t data){ 1004 switch (sm_cmac_state){ 1005 case CMAC_W4_SUBKEYS: { 1006 sm_key_t k1; 1007 memcpy(k1, data, 16); 1008 sm_shift_left_by_one_bit_inplace(16, k1); 1009 if (data[0] & 0x80){ 1010 k1[15] ^= 0x87; 1011 } 1012 sm_key_t k2; 1013 memcpy(k2, k1, 16); 1014 sm_shift_left_by_one_bit_inplace(16, k2); 1015 if (k1[0] & 0x80){ 1016 k2[15] ^= 0x87; 1017 } 1018 1019 log_info_key("k", sm_cmac_k); 1020 log_info_key("k1", k1); 1021 log_info_key("k2", k2); 1022 1023 // step 4: set m_last 1024 int i; 1025 if (sm_cmac_last_block_complete()){ 1026 for (i=0;i<16;i++){ 1027 sm_cmac_m_last[i] = sm_cmac_get_byte(sm_cmac_message_len - 16 + i) ^ k1[i]; 1028 } 1029 } else { 1030 int valid_octets_in_last_block = sm_cmac_message_len & 0x0f; 1031 for (i=0;i<16;i++){ 1032 if (i < valid_octets_in_last_block){ 1033 sm_cmac_m_last[i] = sm_cmac_get_byte((sm_cmac_message_len & 0xfff0) + i) ^ k2[i]; 1034 continue; 1035 } 1036 if (i == valid_octets_in_last_block){ 1037 sm_cmac_m_last[i] = 0x80 ^ k2[i]; 1038 continue; 1039 } 1040 sm_cmac_m_last[i] = k2[i]; 1041 } 1042 } 1043 1044 // next 1045 sm_cmac_state = sm_cmac_block_current < sm_cmac_block_count - 1 ? CMAC_CALC_MI : CMAC_CALC_MLAST; 1046 break; 1047 } 1048 case CMAC_W4_MI: 1049 memcpy(sm_cmac_x, data, 16); 1050 sm_cmac_state = sm_cmac_block_current < sm_cmac_block_count - 1 ? CMAC_CALC_MI : CMAC_CALC_MLAST; 1051 break; 1052 case CMAC_W4_MLAST: 1053 // done 1054 log_info("Setting CMAC Engine to IDLE"); 1055 sm_cmac_state = CMAC_IDLE; 1056 log_info_key("CMAC", data); 1057 sm_cmac_done_handler(data); 1058 break; 1059 default: 1060 log_info("sm_cmac_handle_encryption_result called in state %u", sm_cmac_state); 1061 break; 1062 } 1063 } 1064 #endif 1065 1066 static void sm_trigger_user_response(sm_connection_t * sm_conn){ 1067 // notify client for: JUST WORKS confirm, Numeric comparison confirm, PASSKEY display or input 1068 setup->sm_user_response = SM_USER_RESPONSE_IDLE; 1069 switch (setup->sm_stk_generation_method){ 1070 case PK_RESP_INPUT: 1071 if (IS_RESPONDER(sm_conn->sm_role)){ 1072 setup->sm_user_response = SM_USER_RESPONSE_PENDING; 1073 sm_notify_client_base(SM_EVENT_PASSKEY_INPUT_NUMBER, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address); 1074 } else { 1075 sm_notify_client_passkey(SM_EVENT_PASSKEY_DISPLAY_NUMBER, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address, big_endian_read_32(setup->sm_tk, 12)); 1076 } 1077 break; 1078 case PK_INIT_INPUT: 1079 if (IS_RESPONDER(sm_conn->sm_role)){ 1080 sm_notify_client_passkey(SM_EVENT_PASSKEY_DISPLAY_NUMBER, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address, big_endian_read_32(setup->sm_tk, 12)); 1081 } else { 1082 setup->sm_user_response = SM_USER_RESPONSE_PENDING; 1083 sm_notify_client_base(SM_EVENT_PASSKEY_INPUT_NUMBER, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address); 1084 } 1085 break; 1086 case OK_BOTH_INPUT: 1087 setup->sm_user_response = SM_USER_RESPONSE_PENDING; 1088 sm_notify_client_base(SM_EVENT_PASSKEY_INPUT_NUMBER, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address); 1089 break; 1090 case NK_BOTH_INPUT: 1091 setup->sm_user_response = SM_USER_RESPONSE_PENDING; 1092 sm_notify_client_passkey(SM_EVENT_NUMERIC_COMPARISON_REQUEST, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address, big_endian_read_32(setup->sm_tk, 12)); 1093 break; 1094 case JUST_WORKS: 1095 setup->sm_user_response = SM_USER_RESPONSE_PENDING; 1096 sm_notify_client_base(SM_EVENT_JUST_WORKS_REQUEST, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address); 1097 break; 1098 case OOB: 1099 // client already provided OOB data, let's skip notification. 1100 break; 1101 } 1102 } 1103 1104 static int sm_key_distribution_all_received(sm_connection_t * sm_conn){ 1105 int recv_flags; 1106 if (IS_RESPONDER(sm_conn->sm_role)){ 1107 // slave / responder 1108 recv_flags = sm_key_distribution_flags_for_set(sm_pairing_packet_get_initiator_key_distribution(setup->sm_s_pres)); 1109 } else { 1110 // master / initiator 1111 recv_flags = sm_key_distribution_flags_for_set(sm_pairing_packet_get_responder_key_distribution(setup->sm_s_pres)); 1112 } 1113 log_debug("sm_key_distribution_all_received: received 0x%02x, expecting 0x%02x", setup->sm_key_distribution_received_set, recv_flags); 1114 return recv_flags == setup->sm_key_distribution_received_set; 1115 } 1116 1117 static void sm_done_for_handle(hci_con_handle_t con_handle){ 1118 if (sm_active_connection == con_handle){ 1119 sm_timeout_stop(); 1120 sm_active_connection = 0; 1121 log_info("sm: connection 0x%x released setup context", con_handle); 1122 } 1123 } 1124 1125 static int sm_key_distribution_flags_for_auth_req(void){ 1126 int flags = SM_KEYDIST_ID_KEY | SM_KEYDIST_SIGN; 1127 if (sm_auth_req & SM_AUTHREQ_BONDING){ 1128 // encryption information only if bonding requested 1129 flags |= SM_KEYDIST_ENC_KEY; 1130 } 1131 return flags; 1132 } 1133 1134 static void sm_reset_setup(void){ 1135 // fill in sm setup 1136 setup->sm_state_vars = 0; 1137 setup->sm_keypress_notification = 0xff; 1138 sm_reset_tk(); 1139 } 1140 1141 static void sm_init_setup(sm_connection_t * sm_conn){ 1142 1143 // fill in sm setup 1144 setup->sm_peer_addr_type = sm_conn->sm_peer_addr_type; 1145 memcpy(setup->sm_peer_address, sm_conn->sm_peer_address, 6); 1146 1147 // query client for OOB data 1148 int have_oob_data = 0; 1149 if (sm_get_oob_data) { 1150 have_oob_data = (*sm_get_oob_data)(sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address, setup->sm_tk); 1151 } 1152 1153 sm_pairing_packet_t * local_packet; 1154 if (IS_RESPONDER(sm_conn->sm_role)){ 1155 // slave 1156 local_packet = &setup->sm_s_pres; 1157 gap_le_get_own_address(&setup->sm_s_addr_type, setup->sm_s_address); 1158 setup->sm_m_addr_type = sm_conn->sm_peer_addr_type; 1159 memcpy(setup->sm_m_address, sm_conn->sm_peer_address, 6); 1160 } else { 1161 // master 1162 local_packet = &setup->sm_m_preq; 1163 gap_le_get_own_address(&setup->sm_m_addr_type, setup->sm_m_address); 1164 setup->sm_s_addr_type = sm_conn->sm_peer_addr_type; 1165 memcpy(setup->sm_s_address, sm_conn->sm_peer_address, 6); 1166 1167 int key_distribution_flags = sm_key_distribution_flags_for_auth_req(); 1168 sm_pairing_packet_set_initiator_key_distribution(setup->sm_m_preq, key_distribution_flags); 1169 sm_pairing_packet_set_responder_key_distribution(setup->sm_m_preq, key_distribution_flags); 1170 } 1171 1172 uint8_t auth_req = sm_auth_req; 1173 sm_pairing_packet_set_io_capability(*local_packet, sm_io_capabilities); 1174 sm_pairing_packet_set_oob_data_flag(*local_packet, have_oob_data); 1175 sm_pairing_packet_set_auth_req(*local_packet, auth_req); 1176 sm_pairing_packet_set_max_encryption_key_size(*local_packet, sm_max_encryption_key_size); 1177 } 1178 1179 static int sm_stk_generation_init(sm_connection_t * sm_conn){ 1180 1181 sm_pairing_packet_t * remote_packet; 1182 int remote_key_request; 1183 if (IS_RESPONDER(sm_conn->sm_role)){ 1184 // slave / responder 1185 remote_packet = &setup->sm_m_preq; 1186 remote_key_request = sm_pairing_packet_get_responder_key_distribution(setup->sm_m_preq); 1187 } else { 1188 // master / initiator 1189 remote_packet = &setup->sm_s_pres; 1190 remote_key_request = sm_pairing_packet_get_initiator_key_distribution(setup->sm_s_pres); 1191 } 1192 1193 // check key size 1194 sm_conn->sm_actual_encryption_key_size = sm_calc_actual_encryption_key_size(sm_pairing_packet_get_max_encryption_key_size(*remote_packet)); 1195 if (sm_conn->sm_actual_encryption_key_size == 0) return SM_REASON_ENCRYPTION_KEY_SIZE; 1196 1197 // decide on STK generation method 1198 sm_setup_tk(); 1199 log_info("SMP: generation method %u", setup->sm_stk_generation_method); 1200 1201 // check if STK generation method is acceptable by client 1202 if (!sm_validate_stk_generation_method()) return SM_REASON_AUTHENTHICATION_REQUIREMENTS; 1203 1204 // identical to responder 1205 sm_setup_key_distribution(remote_key_request); 1206 1207 // JUST WORKS doens't provide authentication 1208 sm_conn->sm_connection_authenticated = setup->sm_stk_generation_method == JUST_WORKS ? 0 : 1; 1209 1210 return 0; 1211 } 1212 1213 static void sm_address_resolution_handle_event(address_resolution_event_t event){ 1214 1215 // cache and reset context 1216 int matched_device_id = sm_address_resolution_test; 1217 address_resolution_mode_t mode = sm_address_resolution_mode; 1218 void * context = sm_address_resolution_context; 1219 1220 // reset context 1221 sm_address_resolution_mode = ADDRESS_RESOLUTION_IDLE; 1222 sm_address_resolution_context = NULL; 1223 sm_address_resolution_test = -1; 1224 hci_con_handle_t con_handle = 0; 1225 1226 sm_connection_t * sm_connection; 1227 #ifdef ENABLE_LE_CENTRAL 1228 sm_key_t ltk; 1229 #endif 1230 switch (mode){ 1231 case ADDRESS_RESOLUTION_GENERAL: 1232 break; 1233 case ADDRESS_RESOLUTION_FOR_CONNECTION: 1234 sm_connection = (sm_connection_t *) context; 1235 con_handle = sm_connection->sm_handle; 1236 switch (event){ 1237 case ADDRESS_RESOLUTION_SUCEEDED: 1238 sm_connection->sm_irk_lookup_state = IRK_LOOKUP_SUCCEEDED; 1239 sm_connection->sm_le_db_index = matched_device_id; 1240 log_info("ADDRESS_RESOLUTION_SUCEEDED, index %d", sm_connection->sm_le_db_index); 1241 #ifdef ENABLE_LE_CENTRAL 1242 if (sm_connection->sm_role) break; 1243 if (!sm_connection->sm_bonding_requested && !sm_connection->sm_security_request_received) break; 1244 sm_connection->sm_security_request_received = 0; 1245 sm_connection->sm_bonding_requested = 0; 1246 le_device_db_encryption_get(sm_connection->sm_le_db_index, NULL, NULL, ltk, NULL, NULL, NULL); 1247 if (!sm_is_null_key(ltk)){ 1248 sm_connection->sm_engine_state = SM_INITIATOR_PH0_HAS_LTK; 1249 } else { 1250 sm_connection->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 1251 } 1252 #endif 1253 break; 1254 case ADDRESS_RESOLUTION_FAILED: 1255 sm_connection->sm_irk_lookup_state = IRK_LOOKUP_FAILED; 1256 #ifdef ENABLE_LE_CENTRAL 1257 if (sm_connection->sm_role) break; 1258 if (!sm_connection->sm_bonding_requested && !sm_connection->sm_security_request_received) break; 1259 sm_connection->sm_security_request_received = 0; 1260 sm_connection->sm_bonding_requested = 0; 1261 sm_connection->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 1262 #endif 1263 break; 1264 } 1265 break; 1266 default: 1267 break; 1268 } 1269 1270 switch (event){ 1271 case ADDRESS_RESOLUTION_SUCEEDED: 1272 sm_notify_client_index(SM_EVENT_IDENTITY_RESOLVING_SUCCEEDED, con_handle, sm_address_resolution_addr_type, sm_address_resolution_address, matched_device_id); 1273 break; 1274 case ADDRESS_RESOLUTION_FAILED: 1275 sm_notify_client_base(SM_EVENT_IDENTITY_RESOLVING_FAILED, con_handle, sm_address_resolution_addr_type, sm_address_resolution_address); 1276 break; 1277 } 1278 } 1279 1280 static void sm_key_distribution_handle_all_received(sm_connection_t * sm_conn){ 1281 1282 int le_db_index = -1; 1283 1284 // lookup device based on IRK 1285 if (setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_IDENTITY_INFORMATION){ 1286 int i; 1287 for (i=0; i < le_device_db_count(); i++){ 1288 sm_key_t irk; 1289 bd_addr_t address; 1290 int address_type; 1291 le_device_db_info(i, &address_type, address, irk); 1292 if (memcmp(irk, setup->sm_peer_irk, 16) == 0){ 1293 log_info("sm: device found for IRK, updating"); 1294 le_db_index = i; 1295 break; 1296 } 1297 } 1298 } 1299 1300 // if not found, lookup via public address if possible 1301 log_info("sm peer addr type %u, peer addres %s", setup->sm_peer_addr_type, bd_addr_to_str(setup->sm_peer_address)); 1302 if (le_db_index < 0 && setup->sm_peer_addr_type == BD_ADDR_TYPE_LE_PUBLIC){ 1303 int i; 1304 for (i=0; i < le_device_db_count(); i++){ 1305 bd_addr_t address; 1306 int address_type; 1307 le_device_db_info(i, &address_type, address, NULL); 1308 log_info("device %u, sm peer addr type %u, peer addres %s", i, address_type, bd_addr_to_str(address)); 1309 if (address_type == BD_ADDR_TYPE_LE_PUBLIC && memcmp(address, setup->sm_peer_address, 6) == 0){ 1310 log_info("sm: device found for public address, updating"); 1311 le_db_index = i; 1312 break; 1313 } 1314 } 1315 } 1316 1317 // if not found, add to db 1318 if (le_db_index < 0) { 1319 le_db_index = le_device_db_add(setup->sm_peer_addr_type, setup->sm_peer_address, setup->sm_peer_irk); 1320 } 1321 1322 sm_notify_client_index(SM_EVENT_IDENTITY_CREATED, sm_conn->sm_handle, setup->sm_peer_addr_type, setup->sm_peer_address, le_db_index); 1323 1324 if (le_db_index >= 0){ 1325 1326 #ifdef ENABLE_LE_SIGNED_WRITE 1327 // store local CSRK 1328 if (setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION){ 1329 log_info("sm: store local CSRK"); 1330 le_device_db_local_csrk_set(le_db_index, setup->sm_local_csrk); 1331 le_device_db_local_counter_set(le_db_index, 0); 1332 } 1333 1334 // store remote CSRK 1335 if (setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION){ 1336 log_info("sm: store remote CSRK"); 1337 le_device_db_remote_csrk_set(le_db_index, setup->sm_peer_csrk); 1338 le_device_db_remote_counter_set(le_db_index, 0); 1339 } 1340 #endif 1341 // store encryption information for secure connections: LTK generated by ECDH 1342 if (setup->sm_use_secure_connections){ 1343 log_info("sm: store SC LTK (key size %u, authenticatd %u)", sm_conn->sm_actual_encryption_key_size, sm_conn->sm_connection_authenticated); 1344 uint8_t zero_rand[8]; 1345 memset(zero_rand, 0, 8); 1346 le_device_db_encryption_set(le_db_index, 0, zero_rand, setup->sm_ltk, sm_conn->sm_actual_encryption_key_size, 1347 sm_conn->sm_connection_authenticated, sm_conn->sm_connection_authorization_state == AUTHORIZATION_GRANTED); 1348 } 1349 1350 // store encryption infromation for legacy pairing: peer LTK, EDIV, RAND 1351 else if ( (setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION) 1352 && (setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_MASTER_IDENTIFICATION )){ 1353 log_info("sm: set encryption information (key size %u, authenticatd %u)", sm_conn->sm_actual_encryption_key_size, sm_conn->sm_connection_authenticated); 1354 le_device_db_encryption_set(le_db_index, setup->sm_peer_ediv, setup->sm_peer_rand, setup->sm_peer_ltk, 1355 sm_conn->sm_actual_encryption_key_size, sm_conn->sm_connection_authenticated, sm_conn->sm_connection_authorization_state == AUTHORIZATION_GRANTED); 1356 1357 } 1358 } 1359 1360 // keep le_db_index 1361 sm_conn->sm_le_db_index = le_db_index; 1362 } 1363 1364 static void sm_pairing_error(sm_connection_t * sm_conn, uint8_t reason){ 1365 setup->sm_pairing_failed_reason = reason; 1366 sm_conn->sm_engine_state = SM_GENERAL_SEND_PAIRING_FAILED; 1367 } 1368 1369 static inline void sm_pdu_received_in_wrong_state(sm_connection_t * sm_conn){ 1370 sm_pairing_error(sm_conn, SM_REASON_UNSPECIFIED_REASON); 1371 } 1372 1373 #ifdef ENABLE_LE_SECURE_CONNECTIONS 1374 1375 static void sm_sc_prepare_dhkey_check(sm_connection_t * sm_conn); 1376 static int sm_passkey_used(stk_generation_method_t method); 1377 static int sm_just_works_or_numeric_comparison(stk_generation_method_t method); 1378 1379 static void sm_log_ec_keypair(void){ 1380 log_info("Elliptic curve: X"); 1381 log_info_hexdump(&ec_q[0],32); 1382 log_info("Elliptic curve: Y"); 1383 log_info_hexdump(&ec_q[32],32); 1384 } 1385 1386 static void sm_sc_start_calculating_local_confirm(sm_connection_t * sm_conn){ 1387 if (sm_passkey_used(setup->sm_stk_generation_method)){ 1388 sm_conn->sm_engine_state = SM_SC_W2_GET_RANDOM_A; 1389 } else { 1390 sm_conn->sm_engine_state = SM_SC_W2_CMAC_FOR_CONFIRMATION; 1391 } 1392 } 1393 1394 static void sm_sc_state_after_receiving_random(sm_connection_t * sm_conn){ 1395 if (IS_RESPONDER(sm_conn->sm_role)){ 1396 // Responder 1397 sm_conn->sm_engine_state = SM_SC_SEND_PAIRING_RANDOM; 1398 } else { 1399 // Initiator role 1400 switch (setup->sm_stk_generation_method){ 1401 case JUST_WORKS: 1402 sm_sc_prepare_dhkey_check(sm_conn); 1403 break; 1404 1405 case NK_BOTH_INPUT: 1406 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_G2; 1407 break; 1408 case PK_INIT_INPUT: 1409 case PK_RESP_INPUT: 1410 case OK_BOTH_INPUT: 1411 if (setup->sm_passkey_bit < 20) { 1412 sm_sc_start_calculating_local_confirm(sm_conn); 1413 } else { 1414 sm_sc_prepare_dhkey_check(sm_conn); 1415 } 1416 break; 1417 case OOB: 1418 // TODO: implement SC OOB 1419 break; 1420 } 1421 } 1422 } 1423 1424 static uint8_t sm_sc_cmac_get_byte(uint16_t offset){ 1425 return sm_cmac_sc_buffer[offset]; 1426 } 1427 1428 static void sm_sc_cmac_done(uint8_t * hash){ 1429 log_info("sm_sc_cmac_done: "); 1430 log_info_hexdump(hash, 16); 1431 1432 sm_connection_t * sm_conn = sm_cmac_connection; 1433 sm_cmac_connection = NULL; 1434 link_key_type_t link_key_type; 1435 1436 switch (sm_conn->sm_engine_state){ 1437 case SM_SC_W4_CMAC_FOR_CONFIRMATION: 1438 memcpy(setup->sm_local_confirm, hash, 16); 1439 sm_conn->sm_engine_state = SM_SC_SEND_CONFIRMATION; 1440 break; 1441 case SM_SC_W4_CMAC_FOR_CHECK_CONFIRMATION: 1442 // check 1443 if (0 != memcmp(hash, setup->sm_peer_confirm, 16)){ 1444 sm_pairing_error(sm_conn, SM_REASON_CONFIRM_VALUE_FAILED); 1445 break; 1446 } 1447 sm_sc_state_after_receiving_random(sm_conn); 1448 break; 1449 case SM_SC_W4_CALCULATE_G2: { 1450 uint32_t vab = big_endian_read_32(hash, 12) % 1000000; 1451 big_endian_store_32(setup->sm_tk, 12, vab); 1452 sm_conn->sm_engine_state = SM_SC_W4_USER_RESPONSE; 1453 sm_trigger_user_response(sm_conn); 1454 break; 1455 } 1456 case SM_SC_W4_CALCULATE_F5_SALT: 1457 memcpy(setup->sm_t, hash, 16); 1458 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F5_MACKEY; 1459 break; 1460 case SM_SC_W4_CALCULATE_F5_MACKEY: 1461 memcpy(setup->sm_mackey, hash, 16); 1462 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F5_LTK; 1463 break; 1464 case SM_SC_W4_CALCULATE_F5_LTK: 1465 // truncate sm_ltk, but keep full LTK for cross-transport key derivation in sm_local_ltk 1466 // Errata Service Release to the Bluetooth Specification: ESR09 1467 // E6405 – Cross transport key derivation from a key of size less than 128 bits 1468 // Note: When the BR/EDR link key is being derived from the LTK, the derivation is done before the LTK gets masked." 1469 memcpy(setup->sm_ltk, hash, 16); 1470 memcpy(setup->sm_local_ltk, hash, 16); 1471 sm_truncate_key(setup->sm_ltk, sm_conn->sm_actual_encryption_key_size); 1472 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F6_FOR_DHKEY_CHECK; 1473 break; 1474 case SM_SC_W4_CALCULATE_F6_FOR_DHKEY_CHECK: 1475 memcpy(setup->sm_local_dhkey_check, hash, 16); 1476 if (IS_RESPONDER(sm_conn->sm_role)){ 1477 // responder 1478 if (setup->sm_state_vars & SM_STATE_VAR_DHKEY_COMMAND_RECEIVED){ 1479 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F6_TO_VERIFY_DHKEY_CHECK; 1480 } else { 1481 sm_conn->sm_engine_state = SM_SC_W4_DHKEY_CHECK_COMMAND; 1482 } 1483 } else { 1484 sm_conn->sm_engine_state = SM_SC_SEND_DHKEY_CHECK_COMMAND; 1485 } 1486 break; 1487 case SM_SC_W4_CALCULATE_F6_TO_VERIFY_DHKEY_CHECK: 1488 if (0 != memcmp(hash, setup->sm_peer_dhkey_check, 16) ){ 1489 sm_pairing_error(sm_conn, SM_REASON_DHKEY_CHECK_FAILED); 1490 break; 1491 } 1492 if (IS_RESPONDER(sm_conn->sm_role)){ 1493 // responder 1494 sm_conn->sm_engine_state = SM_SC_SEND_DHKEY_CHECK_COMMAND; 1495 } else { 1496 // initiator 1497 sm_conn->sm_engine_state = SM_INITIATOR_PH3_SEND_START_ENCRYPTION; 1498 } 1499 break; 1500 case SM_SC_W4_CALCULATE_H6_ILK: 1501 memcpy(setup->sm_t, hash, 16); 1502 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_H6_BR_EDR_LINK_KEY; 1503 break; 1504 case SM_SC_W4_CALCULATE_H6_BR_EDR_LINK_KEY: 1505 reverse_128(hash, setup->sm_t); 1506 link_key_type = sm_conn->sm_connection_authenticated ? 1507 AUTHENTICATED_COMBINATION_KEY_GENERATED_FROM_P256 : UNAUTHENTICATED_COMBINATION_KEY_GENERATED_FROM_P256; 1508 if (IS_RESPONDER(sm_conn->sm_role)){ 1509 #ifdef ENABLE_CLASSIC 1510 gap_store_link_key_for_bd_addr(setup->sm_m_address, setup->sm_t, link_key_type); 1511 #endif 1512 sm_conn->sm_engine_state = SM_RESPONDER_IDLE; 1513 } else { 1514 #ifdef ENABLE_CLASSIC 1515 gap_store_link_key_for_bd_addr(setup->sm_s_address, setup->sm_t, link_key_type); 1516 #endif 1517 sm_conn->sm_engine_state = SM_INITIATOR_CONNECTED; 1518 } 1519 sm_done_for_handle(sm_conn->sm_handle); 1520 break; 1521 default: 1522 log_error("sm_sc_cmac_done in state %u", sm_conn->sm_engine_state); 1523 break; 1524 } 1525 sm_run(); 1526 } 1527 1528 static void f4_engine(sm_connection_t * sm_conn, const sm_key256_t u, const sm_key256_t v, const sm_key_t x, uint8_t z){ 1529 const uint16_t message_len = 65; 1530 sm_cmac_connection = sm_conn; 1531 memcpy(sm_cmac_sc_buffer, u, 32); 1532 memcpy(sm_cmac_sc_buffer+32, v, 32); 1533 sm_cmac_sc_buffer[64] = z; 1534 log_info("f4 key"); 1535 log_info_hexdump(x, 16); 1536 log_info("f4 message"); 1537 log_info_hexdump(sm_cmac_sc_buffer, message_len); 1538 sm_cmac_general_start(x, message_len, &sm_sc_cmac_get_byte, &sm_sc_cmac_done); 1539 } 1540 1541 static const sm_key_t f5_salt = { 0x6C ,0x88, 0x83, 0x91, 0xAA, 0xF5, 0xA5, 0x38, 0x60, 0x37, 0x0B, 0xDB, 0x5A, 0x60, 0x83, 0xBE}; 1542 static const uint8_t f5_key_id[] = { 0x62, 0x74, 0x6c, 0x65 }; 1543 static const uint8_t f5_length[] = { 0x01, 0x00}; 1544 1545 static void sm_sc_calculate_dhkey(sm_key256_t dhkey){ 1546 #ifdef USE_MBEDTLS_FOR_ECDH 1547 // da * Pb 1548 mbedtls_mpi d; 1549 mbedtls_ecp_point Q; 1550 mbedtls_ecp_point DH; 1551 mbedtls_mpi_init(&d); 1552 mbedtls_ecp_point_init(&Q); 1553 mbedtls_ecp_point_init(&DH); 1554 mbedtls_mpi_read_binary(&d, ec_d, 32); 1555 mbedtls_mpi_read_binary(&Q.X, &setup->sm_peer_q[0] , 32); 1556 mbedtls_mpi_read_binary(&Q.Y, &setup->sm_peer_q[32], 32); 1557 mbedtls_mpi_lset(&Q.Z, 1); 1558 mbedtls_ecp_mul(&mbedtls_ec_group, &DH, &d, &Q, NULL, NULL); 1559 mbedtls_mpi_write_binary(&DH.X, dhkey, 32); 1560 mbedtls_ecp_point_free(&DH); 1561 mbedtls_mpi_free(&d); 1562 mbedtls_ecp_point_free(&Q); 1563 #endif 1564 log_info("dhkey"); 1565 log_info_hexdump(dhkey, 32); 1566 } 1567 1568 static void f5_calculate_salt(sm_connection_t * sm_conn){ 1569 // calculate DHKEY 1570 sm_key256_t dhkey; 1571 sm_sc_calculate_dhkey(dhkey); 1572 1573 // calculate salt for f5 1574 const uint16_t message_len = 32; 1575 sm_cmac_connection = sm_conn; 1576 memcpy(sm_cmac_sc_buffer, dhkey, message_len); 1577 sm_cmac_general_start(f5_salt, message_len, &sm_sc_cmac_get_byte, &sm_sc_cmac_done); 1578 } 1579 1580 static inline void f5_mackkey(sm_connection_t * sm_conn, sm_key_t t, const sm_key_t n1, const sm_key_t n2, const sm_key56_t a1, const sm_key56_t a2){ 1581 const uint16_t message_len = 53; 1582 sm_cmac_connection = sm_conn; 1583 1584 // f5(W, N1, N2, A1, A2) = AES-CMACT (Counter = 0 || keyID || N1 || N2|| A1|| A2 || Length = 256) -- this is the MacKey 1585 sm_cmac_sc_buffer[0] = 0; 1586 memcpy(sm_cmac_sc_buffer+01, f5_key_id, 4); 1587 memcpy(sm_cmac_sc_buffer+05, n1, 16); 1588 memcpy(sm_cmac_sc_buffer+21, n2, 16); 1589 memcpy(sm_cmac_sc_buffer+37, a1, 7); 1590 memcpy(sm_cmac_sc_buffer+44, a2, 7); 1591 memcpy(sm_cmac_sc_buffer+51, f5_length, 2); 1592 log_info("f5 key"); 1593 log_info_hexdump(t, 16); 1594 log_info("f5 message for MacKey"); 1595 log_info_hexdump(sm_cmac_sc_buffer, message_len); 1596 sm_cmac_general_start(t, message_len, &sm_sc_cmac_get_byte, &sm_sc_cmac_done); 1597 } 1598 1599 static void f5_calculate_mackey(sm_connection_t * sm_conn){ 1600 sm_key56_t bd_addr_master, bd_addr_slave; 1601 bd_addr_master[0] = setup->sm_m_addr_type; 1602 bd_addr_slave[0] = setup->sm_s_addr_type; 1603 memcpy(&bd_addr_master[1], setup->sm_m_address, 6); 1604 memcpy(&bd_addr_slave[1], setup->sm_s_address, 6); 1605 if (IS_RESPONDER(sm_conn->sm_role)){ 1606 // responder 1607 f5_mackkey(sm_conn, setup->sm_t, setup->sm_peer_nonce, setup->sm_local_nonce, bd_addr_master, bd_addr_slave); 1608 } else { 1609 // initiator 1610 f5_mackkey(sm_conn, setup->sm_t, setup->sm_local_nonce, setup->sm_peer_nonce, bd_addr_master, bd_addr_slave); 1611 } 1612 } 1613 1614 // note: must be called right after f5_mackey, as sm_cmac_buffer[1..52] will be reused 1615 static inline void f5_ltk(sm_connection_t * sm_conn, sm_key_t t){ 1616 const uint16_t message_len = 53; 1617 sm_cmac_connection = sm_conn; 1618 sm_cmac_sc_buffer[0] = 1; 1619 // 1..52 setup before 1620 log_info("f5 key"); 1621 log_info_hexdump(t, 16); 1622 log_info("f5 message for LTK"); 1623 log_info_hexdump(sm_cmac_sc_buffer, message_len); 1624 sm_cmac_general_start(t, message_len, &sm_sc_cmac_get_byte, &sm_sc_cmac_done); 1625 } 1626 1627 static void f5_calculate_ltk(sm_connection_t * sm_conn){ 1628 f5_ltk(sm_conn, setup->sm_t); 1629 } 1630 1631 static void f6_engine(sm_connection_t * sm_conn, const sm_key_t w, const sm_key_t n1, const sm_key_t n2, const sm_key_t r, const sm_key24_t io_cap, const sm_key56_t a1, const sm_key56_t a2){ 1632 const uint16_t message_len = 65; 1633 sm_cmac_connection = sm_conn; 1634 memcpy(sm_cmac_sc_buffer, n1, 16); 1635 memcpy(sm_cmac_sc_buffer+16, n2, 16); 1636 memcpy(sm_cmac_sc_buffer+32, r, 16); 1637 memcpy(sm_cmac_sc_buffer+48, io_cap, 3); 1638 memcpy(sm_cmac_sc_buffer+51, a1, 7); 1639 memcpy(sm_cmac_sc_buffer+58, a2, 7); 1640 log_info("f6 key"); 1641 log_info_hexdump(w, 16); 1642 log_info("f6 message"); 1643 log_info_hexdump(sm_cmac_sc_buffer, message_len); 1644 sm_cmac_general_start(w, 65, &sm_sc_cmac_get_byte, &sm_sc_cmac_done); 1645 } 1646 1647 // g2(U, V, X, Y) = AES-CMACX(U || V || Y) mod 2^32 1648 // - U is 256 bits 1649 // - V is 256 bits 1650 // - X is 128 bits 1651 // - Y is 128 bits 1652 static void g2_engine(sm_connection_t * sm_conn, const sm_key256_t u, const sm_key256_t v, const sm_key_t x, const sm_key_t y){ 1653 const uint16_t message_len = 80; 1654 sm_cmac_connection = sm_conn; 1655 memcpy(sm_cmac_sc_buffer, u, 32); 1656 memcpy(sm_cmac_sc_buffer+32, v, 32); 1657 memcpy(sm_cmac_sc_buffer+64, y, 16); 1658 log_info("g2 key"); 1659 log_info_hexdump(x, 16); 1660 log_info("g2 message"); 1661 log_info_hexdump(sm_cmac_sc_buffer, message_len); 1662 sm_cmac_general_start(x, message_len, &sm_sc_cmac_get_byte, &sm_sc_cmac_done); 1663 } 1664 1665 static void g2_calculate(sm_connection_t * sm_conn) { 1666 // calc Va if numeric comparison 1667 if (IS_RESPONDER(sm_conn->sm_role)){ 1668 // responder 1669 g2_engine(sm_conn, setup->sm_peer_q, ec_q, setup->sm_peer_nonce, setup->sm_local_nonce);; 1670 } else { 1671 // initiator 1672 g2_engine(sm_conn, ec_q, setup->sm_peer_q, setup->sm_local_nonce, setup->sm_peer_nonce); 1673 } 1674 } 1675 1676 static void sm_sc_calculate_local_confirm(sm_connection_t * sm_conn){ 1677 uint8_t z = 0; 1678 if (setup->sm_stk_generation_method != JUST_WORKS && setup->sm_stk_generation_method != NK_BOTH_INPUT){ 1679 // some form of passkey 1680 uint32_t pk = big_endian_read_32(setup->sm_tk, 12); 1681 z = 0x80 | ((pk >> setup->sm_passkey_bit) & 1); 1682 setup->sm_passkey_bit++; 1683 } 1684 f4_engine(sm_conn, ec_q, setup->sm_peer_q, setup->sm_local_nonce, z); 1685 } 1686 1687 static void sm_sc_calculate_remote_confirm(sm_connection_t * sm_conn){ 1688 uint8_t z = 0; 1689 if (setup->sm_stk_generation_method != JUST_WORKS && setup->sm_stk_generation_method != NK_BOTH_INPUT){ 1690 // some form of passkey 1691 uint32_t pk = big_endian_read_32(setup->sm_tk, 12); 1692 // sm_passkey_bit was increased before sending confirm value 1693 z = 0x80 | ((pk >> (setup->sm_passkey_bit-1)) & 1); 1694 } 1695 f4_engine(sm_conn, setup->sm_peer_q, ec_q, setup->sm_peer_nonce, z); 1696 } 1697 1698 static void sm_sc_prepare_dhkey_check(sm_connection_t * sm_conn){ 1699 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F5_SALT; 1700 } 1701 1702 static void sm_sc_calculate_f6_for_dhkey_check(sm_connection_t * sm_conn){ 1703 // calculate DHKCheck 1704 sm_key56_t bd_addr_master, bd_addr_slave; 1705 bd_addr_master[0] = setup->sm_m_addr_type; 1706 bd_addr_slave[0] = setup->sm_s_addr_type; 1707 memcpy(&bd_addr_master[1], setup->sm_m_address, 6); 1708 memcpy(&bd_addr_slave[1], setup->sm_s_address, 6); 1709 uint8_t iocap_a[3]; 1710 iocap_a[0] = sm_pairing_packet_get_auth_req(setup->sm_m_preq); 1711 iocap_a[1] = sm_pairing_packet_get_oob_data_flag(setup->sm_m_preq); 1712 iocap_a[2] = sm_pairing_packet_get_io_capability(setup->sm_m_preq); 1713 uint8_t iocap_b[3]; 1714 iocap_b[0] = sm_pairing_packet_get_auth_req(setup->sm_s_pres); 1715 iocap_b[1] = sm_pairing_packet_get_oob_data_flag(setup->sm_s_pres); 1716 iocap_b[2] = sm_pairing_packet_get_io_capability(setup->sm_s_pres); 1717 if (IS_RESPONDER(sm_conn->sm_role)){ 1718 // responder 1719 f6_engine(sm_conn, setup->sm_mackey, setup->sm_local_nonce, setup->sm_peer_nonce, setup->sm_ra, iocap_b, bd_addr_slave, bd_addr_master); 1720 } else { 1721 // initiator 1722 f6_engine(sm_conn, setup->sm_mackey, setup->sm_local_nonce, setup->sm_peer_nonce, setup->sm_rb, iocap_a, bd_addr_master, bd_addr_slave); 1723 } 1724 } 1725 1726 static void sm_sc_calculate_f6_to_verify_dhkey_check(sm_connection_t * sm_conn){ 1727 // validate E = f6() 1728 sm_key56_t bd_addr_master, bd_addr_slave; 1729 bd_addr_master[0] = setup->sm_m_addr_type; 1730 bd_addr_slave[0] = setup->sm_s_addr_type; 1731 memcpy(&bd_addr_master[1], setup->sm_m_address, 6); 1732 memcpy(&bd_addr_slave[1], setup->sm_s_address, 6); 1733 1734 uint8_t iocap_a[3]; 1735 iocap_a[0] = sm_pairing_packet_get_auth_req(setup->sm_m_preq); 1736 iocap_a[1] = sm_pairing_packet_get_oob_data_flag(setup->sm_m_preq); 1737 iocap_a[2] = sm_pairing_packet_get_io_capability(setup->sm_m_preq); 1738 uint8_t iocap_b[3]; 1739 iocap_b[0] = sm_pairing_packet_get_auth_req(setup->sm_s_pres); 1740 iocap_b[1] = sm_pairing_packet_get_oob_data_flag(setup->sm_s_pres); 1741 iocap_b[2] = sm_pairing_packet_get_io_capability(setup->sm_s_pres); 1742 if (IS_RESPONDER(sm_conn->sm_role)){ 1743 // responder 1744 f6_engine(sm_conn, setup->sm_mackey, setup->sm_peer_nonce, setup->sm_local_nonce, setup->sm_rb, iocap_a, bd_addr_master, bd_addr_slave); 1745 } else { 1746 // initiator 1747 f6_engine(sm_conn, setup->sm_mackey, setup->sm_peer_nonce, setup->sm_local_nonce, setup->sm_ra, iocap_b, bd_addr_slave, bd_addr_master); 1748 } 1749 } 1750 1751 1752 // 1753 // Link Key Conversion Function h6 1754 // 1755 // h6(W, keyID) = AES-CMACW(keyID) 1756 // - W is 128 bits 1757 // - keyID is 32 bits 1758 static void h6_engine(sm_connection_t * sm_conn, const sm_key_t w, const uint32_t key_id){ 1759 const uint16_t message_len = 4; 1760 sm_cmac_connection = sm_conn; 1761 big_endian_store_32(sm_cmac_sc_buffer, 0, key_id); 1762 log_info("h6 key"); 1763 log_info_hexdump(w, 16); 1764 log_info("h6 message"); 1765 log_info_hexdump(sm_cmac_sc_buffer, message_len); 1766 sm_cmac_general_start(w, message_len, &sm_sc_cmac_get_byte, &sm_sc_cmac_done); 1767 } 1768 1769 // For SC, setup->sm_local_ltk holds full LTK (sm_ltk is already truncated) 1770 // Errata Service Release to the Bluetooth Specification: ESR09 1771 // E6405 – Cross transport key derivation from a key of size less than 128 bits 1772 // "Note: When the BR/EDR link key is being derived from the LTK, the derivation is done before the LTK gets masked." 1773 static void h6_calculate_ilk(sm_connection_t * sm_conn){ 1774 h6_engine(sm_conn, setup->sm_local_ltk, 0x746D7031); // "tmp1" 1775 } 1776 1777 static void h6_calculate_br_edr_link_key(sm_connection_t * sm_conn){ 1778 h6_engine(sm_conn, setup->sm_t, 0x6c656272); // "lebr" 1779 } 1780 1781 #endif 1782 1783 // key management legacy connections: 1784 // - potentially two different LTKs based on direction. each device stores LTK provided by peer 1785 // - master stores LTK, EDIV, RAND. responder optionally stored master LTK (only if it needs to reconnect) 1786 // - initiators reconnects: initiator uses stored LTK, EDIV, RAND generated by responder 1787 // - responder reconnects: responder uses LTK receveived from master 1788 1789 // key management secure connections: 1790 // - both devices store same LTK from ECDH key exchange. 1791 1792 #if defined(ENABLE_LE_SECURE_CONNECTIONS) || defined(ENABLE_LE_CENTRAL) 1793 static void sm_load_security_info(sm_connection_t * sm_connection){ 1794 int encryption_key_size; 1795 int authenticated; 1796 int authorized; 1797 1798 // fetch data from device db - incl. authenticated/authorized/key size. Note all sm_connection_X require encryption enabled 1799 le_device_db_encryption_get(sm_connection->sm_le_db_index, &setup->sm_peer_ediv, setup->sm_peer_rand, setup->sm_peer_ltk, 1800 &encryption_key_size, &authenticated, &authorized); 1801 log_info("db index %u, key size %u, authenticated %u, authorized %u", sm_connection->sm_le_db_index, encryption_key_size, authenticated, authorized); 1802 sm_connection->sm_actual_encryption_key_size = encryption_key_size; 1803 sm_connection->sm_connection_authenticated = authenticated; 1804 sm_connection->sm_connection_authorization_state = authorized ? AUTHORIZATION_GRANTED : AUTHORIZATION_UNKNOWN; 1805 } 1806 #endif 1807 1808 #ifdef ENABLE_LE_PERIPHERAL 1809 static void sm_start_calculating_ltk_from_ediv_and_rand(sm_connection_t * sm_connection){ 1810 memcpy(setup->sm_local_rand, sm_connection->sm_local_rand, 8); 1811 setup->sm_local_ediv = sm_connection->sm_local_ediv; 1812 // re-establish used key encryption size 1813 // no db for encryption size hack: encryption size is stored in lowest nibble of setup->sm_local_rand 1814 sm_connection->sm_actual_encryption_key_size = (setup->sm_local_rand[7] & 0x0f) + 1; 1815 // no db for authenticated flag hack: flag is stored in bit 4 of LSB 1816 sm_connection->sm_connection_authenticated = (setup->sm_local_rand[7] & 0x10) >> 4; 1817 log_info("sm: received ltk request with key size %u, authenticated %u", 1818 sm_connection->sm_actual_encryption_key_size, sm_connection->sm_connection_authenticated); 1819 sm_connection->sm_engine_state = SM_RESPONDER_PH4_Y_GET_ENC; 1820 } 1821 #endif 1822 1823 static void sm_run(void){ 1824 1825 btstack_linked_list_iterator_t it; 1826 1827 // assert that we can send at least commands 1828 if (!hci_can_send_command_packet_now()) return; 1829 1830 // 1831 // non-connection related behaviour 1832 // 1833 1834 // distributed key generation 1835 switch (dkg_state){ 1836 case DKG_CALC_IRK: 1837 // already busy? 1838 if (sm_aes128_state == SM_AES128_IDLE) { 1839 // IRK = d1(IR, 1, 0) 1840 sm_key_t d1_prime; 1841 sm_d1_d_prime(1, 0, d1_prime); // plaintext 1842 dkg_next_state(); 1843 sm_aes128_start(sm_persistent_ir, d1_prime, NULL); 1844 return; 1845 } 1846 break; 1847 case DKG_CALC_DHK: 1848 // already busy? 1849 if (sm_aes128_state == SM_AES128_IDLE) { 1850 // DHK = d1(IR, 3, 0) 1851 sm_key_t d1_prime; 1852 sm_d1_d_prime(3, 0, d1_prime); // plaintext 1853 dkg_next_state(); 1854 sm_aes128_start(sm_persistent_ir, d1_prime, NULL); 1855 return; 1856 } 1857 break; 1858 default: 1859 break; 1860 } 1861 1862 #ifdef ENABLE_LE_SECURE_CONNECTIONS 1863 if (ec_key_generation_state == EC_KEY_GENERATION_ACTIVE){ 1864 #ifdef USE_MBEDTLS_FOR_ECDH 1865 sm_random_start(NULL); 1866 #else 1867 ec_key_generation_state = EC_KEY_GENERATION_W4_KEY; 1868 hci_send_cmd(&hci_le_read_local_p256_public_key); 1869 #endif 1870 return; 1871 } 1872 #endif 1873 1874 // random address updates 1875 switch (rau_state){ 1876 case RAU_GET_RANDOM: 1877 rau_next_state(); 1878 sm_random_start(NULL); 1879 return; 1880 case RAU_GET_ENC: 1881 // already busy? 1882 if (sm_aes128_state == SM_AES128_IDLE) { 1883 sm_key_t r_prime; 1884 sm_ah_r_prime(sm_random_address, r_prime); 1885 rau_next_state(); 1886 sm_aes128_start(sm_persistent_irk, r_prime, NULL); 1887 return; 1888 } 1889 break; 1890 case RAU_SET_ADDRESS: 1891 log_info("New random address: %s", bd_addr_to_str(sm_random_address)); 1892 rau_state = RAU_IDLE; 1893 hci_send_cmd(&hci_le_set_random_address, sm_random_address); 1894 return; 1895 default: 1896 break; 1897 } 1898 1899 #ifdef ENABLE_CMAC_ENGINE 1900 // CMAC 1901 switch (sm_cmac_state){ 1902 case CMAC_CALC_SUBKEYS: 1903 case CMAC_CALC_MI: 1904 case CMAC_CALC_MLAST: 1905 // already busy? 1906 if (sm_aes128_state == SM_AES128_ACTIVE) break; 1907 sm_cmac_handle_aes_engine_ready(); 1908 return; 1909 default: 1910 break; 1911 } 1912 #endif 1913 1914 // CSRK Lookup 1915 // -- if csrk lookup ready, find connection that require csrk lookup 1916 if (sm_address_resolution_idle()){ 1917 hci_connections_get_iterator(&it); 1918 while(btstack_linked_list_iterator_has_next(&it)){ 1919 hci_connection_t * hci_connection = (hci_connection_t *) btstack_linked_list_iterator_next(&it); 1920 sm_connection_t * sm_connection = &hci_connection->sm_connection; 1921 if (sm_connection->sm_irk_lookup_state == IRK_LOOKUP_W4_READY){ 1922 // and start lookup 1923 sm_address_resolution_start_lookup(sm_connection->sm_peer_addr_type, sm_connection->sm_handle, sm_connection->sm_peer_address, ADDRESS_RESOLUTION_FOR_CONNECTION, sm_connection); 1924 sm_connection->sm_irk_lookup_state = IRK_LOOKUP_STARTED; 1925 break; 1926 } 1927 } 1928 } 1929 1930 // -- if csrk lookup ready, resolved addresses for received addresses 1931 if (sm_address_resolution_idle()) { 1932 if (!btstack_linked_list_empty(&sm_address_resolution_general_queue)){ 1933 sm_lookup_entry_t * entry = (sm_lookup_entry_t *) sm_address_resolution_general_queue; 1934 btstack_linked_list_remove(&sm_address_resolution_general_queue, (btstack_linked_item_t *) entry); 1935 sm_address_resolution_start_lookup(entry->address_type, 0, entry->address, ADDRESS_RESOLUTION_GENERAL, NULL); 1936 btstack_memory_sm_lookup_entry_free(entry); 1937 } 1938 } 1939 1940 // -- Continue with CSRK device lookup by public or resolvable private address 1941 if (!sm_address_resolution_idle()){ 1942 log_info("LE Device Lookup: device %u/%u", sm_address_resolution_test, le_device_db_count()); 1943 while (sm_address_resolution_test < le_device_db_count()){ 1944 int addr_type; 1945 bd_addr_t addr; 1946 sm_key_t irk; 1947 le_device_db_info(sm_address_resolution_test, &addr_type, addr, irk); 1948 log_info("device type %u, addr: %s", addr_type, bd_addr_to_str(addr)); 1949 1950 if (sm_address_resolution_addr_type == addr_type && memcmp(addr, sm_address_resolution_address, 6) == 0){ 1951 log_info("LE Device Lookup: found CSRK by { addr_type, address} "); 1952 sm_address_resolution_handle_event(ADDRESS_RESOLUTION_SUCEEDED); 1953 break; 1954 } 1955 1956 if (sm_address_resolution_addr_type == 0){ 1957 sm_address_resolution_test++; 1958 continue; 1959 } 1960 1961 if (sm_aes128_state == SM_AES128_ACTIVE) break; 1962 1963 log_info("LE Device Lookup: calculate AH"); 1964 log_info_key("IRK", irk); 1965 1966 sm_key_t r_prime; 1967 sm_ah_r_prime(sm_address_resolution_address, r_prime); 1968 sm_address_resolution_ah_calculation_active = 1; 1969 sm_aes128_start(irk, r_prime, sm_address_resolution_context); // keep context 1970 return; 1971 } 1972 1973 if (sm_address_resolution_test >= le_device_db_count()){ 1974 log_info("LE Device Lookup: not found"); 1975 sm_address_resolution_handle_event(ADDRESS_RESOLUTION_FAILED); 1976 } 1977 } 1978 1979 // handle basic actions that don't requires the full context 1980 hci_connections_get_iterator(&it); 1981 while(!sm_active_connection && btstack_linked_list_iterator_has_next(&it)){ 1982 hci_connection_t * hci_connection = (hci_connection_t *) btstack_linked_list_iterator_next(&it); 1983 sm_connection_t * sm_connection = &hci_connection->sm_connection; 1984 switch(sm_connection->sm_engine_state){ 1985 // responder side 1986 case SM_RESPONDER_PH0_SEND_LTK_REQUESTED_NEGATIVE_REPLY: 1987 sm_connection->sm_engine_state = SM_RESPONDER_IDLE; 1988 hci_send_cmd(&hci_le_long_term_key_negative_reply, sm_connection->sm_handle); 1989 return; 1990 1991 #ifdef ENABLE_LE_SECURE_CONNECTIONS 1992 case SM_SC_RECEIVED_LTK_REQUEST: 1993 switch (sm_connection->sm_irk_lookup_state){ 1994 case IRK_LOOKUP_FAILED: 1995 log_info("LTK Request: ediv & random are empty, but no stored LTK (IRK Lookup Failed)"); 1996 sm_connection->sm_engine_state = SM_RESPONDER_IDLE; 1997 hci_send_cmd(&hci_le_long_term_key_negative_reply, sm_connection->sm_handle); 1998 return; 1999 default: 2000 break; 2001 } 2002 break; 2003 #endif 2004 default: 2005 break; 2006 } 2007 } 2008 2009 // 2010 // active connection handling 2011 // -- use loop to handle next connection if lock on setup context is released 2012 2013 while (1) { 2014 2015 // Find connections that requires setup context and make active if no other is locked 2016 hci_connections_get_iterator(&it); 2017 while(!sm_active_connection && btstack_linked_list_iterator_has_next(&it)){ 2018 hci_connection_t * hci_connection = (hci_connection_t *) btstack_linked_list_iterator_next(&it); 2019 sm_connection_t * sm_connection = &hci_connection->sm_connection; 2020 // - if no connection locked and we're ready/waiting for setup context, fetch it and start 2021 int done = 1; 2022 int err; 2023 UNUSED(err); 2024 switch (sm_connection->sm_engine_state) { 2025 #ifdef ENABLE_LE_PERIPHERAL 2026 case SM_RESPONDER_SEND_SECURITY_REQUEST: 2027 // send packet if possible, 2028 if (l2cap_can_send_fixed_channel_packet_now(sm_connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL)){ 2029 const uint8_t buffer[2] = { SM_CODE_SECURITY_REQUEST, SM_AUTHREQ_BONDING}; 2030 sm_connection->sm_engine_state = SM_RESPONDER_PH1_W4_PAIRING_REQUEST; 2031 l2cap_send_connectionless(sm_connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2032 } else { 2033 l2cap_request_can_send_fix_channel_now_event(sm_connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL); 2034 } 2035 // don't lock sxetup context yet 2036 done = 0; 2037 break; 2038 case SM_RESPONDER_PH1_PAIRING_REQUEST_RECEIVED: 2039 sm_reset_setup(); 2040 sm_init_setup(sm_connection); 2041 // recover pairing request 2042 memcpy(&setup->sm_m_preq, &sm_connection->sm_m_preq, sizeof(sm_pairing_packet_t)); 2043 err = sm_stk_generation_init(sm_connection); 2044 if (err){ 2045 setup->sm_pairing_failed_reason = err; 2046 sm_connection->sm_engine_state = SM_GENERAL_SEND_PAIRING_FAILED; 2047 break; 2048 } 2049 sm_timeout_start(sm_connection); 2050 // generate random number first, if we need to show passkey 2051 if (setup->sm_stk_generation_method == PK_INIT_INPUT){ 2052 sm_connection->sm_engine_state = SM_PH2_GET_RANDOM_TK; 2053 break; 2054 } 2055 sm_connection->sm_engine_state = SM_RESPONDER_PH1_SEND_PAIRING_RESPONSE; 2056 break; 2057 case SM_RESPONDER_PH0_RECEIVED_LTK_REQUEST: 2058 sm_reset_setup(); 2059 sm_start_calculating_ltk_from_ediv_and_rand(sm_connection); 2060 break; 2061 #endif 2062 #ifdef ENABLE_LE_CENTRAL 2063 case SM_INITIATOR_PH0_HAS_LTK: 2064 sm_reset_setup(); 2065 sm_load_security_info(sm_connection); 2066 sm_connection->sm_engine_state = SM_INITIATOR_PH0_SEND_START_ENCRYPTION; 2067 break; 2068 case SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST: 2069 sm_reset_setup(); 2070 sm_init_setup(sm_connection); 2071 sm_timeout_start(sm_connection); 2072 sm_connection->sm_engine_state = SM_INITIATOR_PH1_SEND_PAIRING_REQUEST; 2073 break; 2074 #endif 2075 2076 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2077 case SM_SC_RECEIVED_LTK_REQUEST: 2078 switch (sm_connection->sm_irk_lookup_state){ 2079 case IRK_LOOKUP_SUCCEEDED: 2080 // assuming Secure Connection, we have a stored LTK and the EDIV/RAND are null 2081 // start using context by loading security info 2082 sm_reset_setup(); 2083 sm_load_security_info(sm_connection); 2084 if (setup->sm_peer_ediv == 0 && sm_is_null_random(setup->sm_peer_rand) && !sm_is_null_key(setup->sm_peer_ltk)){ 2085 memcpy(setup->sm_ltk, setup->sm_peer_ltk, 16); 2086 sm_connection->sm_engine_state = SM_RESPONDER_PH4_SEND_LTK_REPLY; 2087 break; 2088 } 2089 log_info("LTK Request: ediv & random are empty, but no stored LTK (IRK Lookup Succeeded)"); 2090 sm_connection->sm_engine_state = SM_RESPONDER_IDLE; 2091 hci_send_cmd(&hci_le_long_term_key_negative_reply, sm_connection->sm_handle); 2092 // don't lock setup context yet 2093 return; 2094 default: 2095 // just wait until IRK lookup is completed 2096 // don't lock setup context yet 2097 done = 0; 2098 break; 2099 } 2100 break; 2101 #endif 2102 default: 2103 done = 0; 2104 break; 2105 } 2106 if (done){ 2107 sm_active_connection = sm_connection->sm_handle; 2108 log_info("sm: connection 0x%04x locked setup context as %s", sm_active_connection, sm_connection->sm_role ? "responder" : "initiator"); 2109 } 2110 } 2111 2112 // 2113 // active connection handling 2114 // 2115 2116 if (sm_active_connection == 0) return; 2117 2118 // assert that we could send a SM PDU - not needed for all of the following 2119 if (!l2cap_can_send_fixed_channel_packet_now(sm_active_connection, L2CAP_CID_SECURITY_MANAGER_PROTOCOL)) { 2120 l2cap_request_can_send_fix_channel_now_event(sm_active_connection, L2CAP_CID_SECURITY_MANAGER_PROTOCOL); 2121 return; 2122 } 2123 2124 sm_connection_t * connection = sm_get_connection_for_handle(sm_active_connection); 2125 if (!connection) return; 2126 2127 // send keypress notifications 2128 if (setup->sm_keypress_notification != 0xff){ 2129 uint8_t buffer[2]; 2130 buffer[0] = SM_CODE_KEYPRESS_NOTIFICATION; 2131 buffer[1] = setup->sm_keypress_notification; 2132 setup->sm_keypress_notification = 0xff; 2133 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2134 return; 2135 } 2136 2137 sm_key_t plaintext; 2138 int key_distribution_flags; 2139 UNUSED(key_distribution_flags); 2140 2141 log_info("sm_run: state %u", connection->sm_engine_state); 2142 2143 switch (connection->sm_engine_state){ 2144 2145 // general 2146 case SM_GENERAL_SEND_PAIRING_FAILED: { 2147 uint8_t buffer[2]; 2148 buffer[0] = SM_CODE_PAIRING_FAILED; 2149 buffer[1] = setup->sm_pairing_failed_reason; 2150 connection->sm_engine_state = connection->sm_role ? SM_RESPONDER_IDLE : SM_INITIATOR_CONNECTED; 2151 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2152 sm_done_for_handle(connection->sm_handle); 2153 break; 2154 } 2155 2156 // responding state 2157 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2158 case SM_SC_W2_GET_RANDOM_A: 2159 sm_random_start(connection); 2160 connection->sm_engine_state = SM_SC_W4_GET_RANDOM_A; 2161 break; 2162 case SM_SC_W2_GET_RANDOM_B: 2163 sm_random_start(connection); 2164 connection->sm_engine_state = SM_SC_W4_GET_RANDOM_B; 2165 break; 2166 case SM_SC_W2_CMAC_FOR_CONFIRMATION: 2167 if (!sm_cmac_ready()) break; 2168 connection->sm_engine_state = SM_SC_W4_CMAC_FOR_CONFIRMATION; 2169 sm_sc_calculate_local_confirm(connection); 2170 break; 2171 case SM_SC_W2_CMAC_FOR_CHECK_CONFIRMATION: 2172 if (!sm_cmac_ready()) break; 2173 connection->sm_engine_state = SM_SC_W4_CMAC_FOR_CHECK_CONFIRMATION; 2174 sm_sc_calculate_remote_confirm(connection); 2175 break; 2176 case SM_SC_W2_CALCULATE_F6_FOR_DHKEY_CHECK: 2177 if (!sm_cmac_ready()) break; 2178 connection->sm_engine_state = SM_SC_W4_CALCULATE_F6_FOR_DHKEY_CHECK; 2179 sm_sc_calculate_f6_for_dhkey_check(connection); 2180 break; 2181 case SM_SC_W2_CALCULATE_F6_TO_VERIFY_DHKEY_CHECK: 2182 if (!sm_cmac_ready()) break; 2183 connection->sm_engine_state = SM_SC_W4_CALCULATE_F6_TO_VERIFY_DHKEY_CHECK; 2184 sm_sc_calculate_f6_to_verify_dhkey_check(connection); 2185 break; 2186 case SM_SC_W2_CALCULATE_F5_SALT: 2187 if (!sm_cmac_ready()) break; 2188 connection->sm_engine_state = SM_SC_W4_CALCULATE_F5_SALT; 2189 f5_calculate_salt(connection); 2190 break; 2191 case SM_SC_W2_CALCULATE_F5_MACKEY: 2192 if (!sm_cmac_ready()) break; 2193 connection->sm_engine_state = SM_SC_W4_CALCULATE_F5_MACKEY; 2194 f5_calculate_mackey(connection); 2195 break; 2196 case SM_SC_W2_CALCULATE_F5_LTK: 2197 if (!sm_cmac_ready()) break; 2198 connection->sm_engine_state = SM_SC_W4_CALCULATE_F5_LTK; 2199 f5_calculate_ltk(connection); 2200 break; 2201 case SM_SC_W2_CALCULATE_G2: 2202 if (!sm_cmac_ready()) break; 2203 connection->sm_engine_state = SM_SC_W4_CALCULATE_G2; 2204 g2_calculate(connection); 2205 break; 2206 case SM_SC_W2_CALCULATE_H6_ILK: 2207 if (!sm_cmac_ready()) break; 2208 connection->sm_engine_state = SM_SC_W4_CALCULATE_H6_ILK; 2209 h6_calculate_ilk(connection); 2210 break; 2211 case SM_SC_W2_CALCULATE_H6_BR_EDR_LINK_KEY: 2212 if (!sm_cmac_ready()) break; 2213 connection->sm_engine_state = SM_SC_W4_CALCULATE_H6_BR_EDR_LINK_KEY; 2214 h6_calculate_br_edr_link_key(connection); 2215 break; 2216 #endif 2217 2218 #ifdef ENABLE_LE_CENTRAL 2219 // initiator side 2220 case SM_INITIATOR_PH0_SEND_START_ENCRYPTION: { 2221 sm_key_t peer_ltk_flipped; 2222 reverse_128(setup->sm_peer_ltk, peer_ltk_flipped); 2223 connection->sm_engine_state = SM_INITIATOR_PH0_W4_CONNECTION_ENCRYPTED; 2224 log_info("sm: hci_le_start_encryption ediv 0x%04x", setup->sm_peer_ediv); 2225 uint32_t rand_high = big_endian_read_32(setup->sm_peer_rand, 0); 2226 uint32_t rand_low = big_endian_read_32(setup->sm_peer_rand, 4); 2227 hci_send_cmd(&hci_le_start_encryption, connection->sm_handle,rand_low, rand_high, setup->sm_peer_ediv, peer_ltk_flipped); 2228 return; 2229 } 2230 2231 case SM_INITIATOR_PH1_SEND_PAIRING_REQUEST: 2232 sm_pairing_packet_set_code(setup->sm_m_preq, SM_CODE_PAIRING_REQUEST); 2233 connection->sm_engine_state = SM_INITIATOR_PH1_W4_PAIRING_RESPONSE; 2234 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) &setup->sm_m_preq, sizeof(sm_pairing_packet_t)); 2235 sm_timeout_reset(connection); 2236 break; 2237 #endif 2238 2239 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2240 2241 case SM_SC_SEND_PUBLIC_KEY_COMMAND: { 2242 uint8_t buffer[65]; 2243 buffer[0] = SM_CODE_PAIRING_PUBLIC_KEY; 2244 // 2245 reverse_256(&ec_q[0], &buffer[1]); 2246 reverse_256(&ec_q[32], &buffer[33]); 2247 2248 // stk generation method 2249 // passkey entry: notify app to show passkey or to request passkey 2250 switch (setup->sm_stk_generation_method){ 2251 case JUST_WORKS: 2252 case NK_BOTH_INPUT: 2253 if (IS_RESPONDER(connection->sm_role)){ 2254 // responder 2255 sm_sc_start_calculating_local_confirm(connection); 2256 } else { 2257 // initiator 2258 connection->sm_engine_state = SM_SC_W4_PUBLIC_KEY_COMMAND; 2259 } 2260 break; 2261 case PK_INIT_INPUT: 2262 case PK_RESP_INPUT: 2263 case OK_BOTH_INPUT: 2264 // use random TK for display 2265 memcpy(setup->sm_ra, setup->sm_tk, 16); 2266 memcpy(setup->sm_rb, setup->sm_tk, 16); 2267 setup->sm_passkey_bit = 0; 2268 2269 if (IS_RESPONDER(connection->sm_role)){ 2270 // responder 2271 connection->sm_engine_state = SM_SC_W4_CONFIRMATION; 2272 } else { 2273 // initiator 2274 connection->sm_engine_state = SM_SC_W4_PUBLIC_KEY_COMMAND; 2275 } 2276 sm_trigger_user_response(connection); 2277 break; 2278 case OOB: 2279 // TODO: implement SC OOB 2280 break; 2281 } 2282 2283 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2284 sm_timeout_reset(connection); 2285 break; 2286 } 2287 case SM_SC_SEND_CONFIRMATION: { 2288 uint8_t buffer[17]; 2289 buffer[0] = SM_CODE_PAIRING_CONFIRM; 2290 reverse_128(setup->sm_local_confirm, &buffer[1]); 2291 if (IS_RESPONDER(connection->sm_role)){ 2292 connection->sm_engine_state = SM_SC_W4_PAIRING_RANDOM; 2293 } else { 2294 connection->sm_engine_state = SM_SC_W4_CONFIRMATION; 2295 } 2296 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2297 sm_timeout_reset(connection); 2298 break; 2299 } 2300 case SM_SC_SEND_PAIRING_RANDOM: { 2301 uint8_t buffer[17]; 2302 buffer[0] = SM_CODE_PAIRING_RANDOM; 2303 reverse_128(setup->sm_local_nonce, &buffer[1]); 2304 if (setup->sm_stk_generation_method != JUST_WORKS && setup->sm_stk_generation_method != NK_BOTH_INPUT && setup->sm_passkey_bit < 20){ 2305 if (IS_RESPONDER(connection->sm_role)){ 2306 // responder 2307 connection->sm_engine_state = SM_SC_W4_CONFIRMATION; 2308 } else { 2309 // initiator 2310 connection->sm_engine_state = SM_SC_W4_PAIRING_RANDOM; 2311 } 2312 } else { 2313 if (IS_RESPONDER(connection->sm_role)){ 2314 // responder 2315 if (setup->sm_stk_generation_method == NK_BOTH_INPUT){ 2316 connection->sm_engine_state = SM_SC_W2_CALCULATE_G2; 2317 } else { 2318 sm_sc_prepare_dhkey_check(connection); 2319 } 2320 } else { 2321 // initiator 2322 connection->sm_engine_state = SM_SC_W4_PAIRING_RANDOM; 2323 } 2324 } 2325 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2326 sm_timeout_reset(connection); 2327 break; 2328 } 2329 case SM_SC_SEND_DHKEY_CHECK_COMMAND: { 2330 uint8_t buffer[17]; 2331 buffer[0] = SM_CODE_PAIRING_DHKEY_CHECK; 2332 reverse_128(setup->sm_local_dhkey_check, &buffer[1]); 2333 2334 if (IS_RESPONDER(connection->sm_role)){ 2335 connection->sm_engine_state = SM_SC_W4_LTK_REQUEST_SC; 2336 } else { 2337 connection->sm_engine_state = SM_SC_W4_DHKEY_CHECK_COMMAND; 2338 } 2339 2340 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2341 sm_timeout_reset(connection); 2342 break; 2343 } 2344 2345 #endif 2346 2347 #ifdef ENABLE_LE_PERIPHERAL 2348 case SM_RESPONDER_PH1_SEND_PAIRING_RESPONSE: 2349 // echo initiator for now 2350 sm_pairing_packet_set_code(setup->sm_s_pres,SM_CODE_PAIRING_RESPONSE); 2351 key_distribution_flags = sm_key_distribution_flags_for_auth_req(); 2352 2353 if (setup->sm_use_secure_connections){ 2354 connection->sm_engine_state = SM_SC_W4_PUBLIC_KEY_COMMAND; 2355 // skip LTK/EDIV for SC 2356 log_info("sm: dropping encryption information flag"); 2357 key_distribution_flags &= ~SM_KEYDIST_ENC_KEY; 2358 } else { 2359 connection->sm_engine_state = SM_RESPONDER_PH1_W4_PAIRING_CONFIRM; 2360 } 2361 2362 sm_pairing_packet_set_initiator_key_distribution(setup->sm_s_pres, sm_pairing_packet_get_initiator_key_distribution(setup->sm_m_preq) & key_distribution_flags); 2363 sm_pairing_packet_set_responder_key_distribution(setup->sm_s_pres, sm_pairing_packet_get_responder_key_distribution(setup->sm_m_preq) & key_distribution_flags); 2364 // update key distribution after ENC was dropped 2365 sm_setup_key_distribution(sm_pairing_packet_get_responder_key_distribution(setup->sm_s_pres)); 2366 2367 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) &setup->sm_s_pres, sizeof(sm_pairing_packet_t)); 2368 sm_timeout_reset(connection); 2369 // SC Numeric Comparison will trigger user response after public keys & nonces have been exchanged 2370 if (!setup->sm_use_secure_connections || setup->sm_stk_generation_method == JUST_WORKS){ 2371 sm_trigger_user_response(connection); 2372 } 2373 return; 2374 #endif 2375 2376 case SM_PH2_SEND_PAIRING_RANDOM: { 2377 uint8_t buffer[17]; 2378 buffer[0] = SM_CODE_PAIRING_RANDOM; 2379 reverse_128(setup->sm_local_random, &buffer[1]); 2380 if (IS_RESPONDER(connection->sm_role)){ 2381 connection->sm_engine_state = SM_RESPONDER_PH2_W4_LTK_REQUEST; 2382 } else { 2383 connection->sm_engine_state = SM_INITIATOR_PH2_W4_PAIRING_RANDOM; 2384 } 2385 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2386 sm_timeout_reset(connection); 2387 break; 2388 } 2389 2390 case SM_PH2_GET_RANDOM_TK: 2391 case SM_PH2_C1_GET_RANDOM_A: 2392 case SM_PH2_C1_GET_RANDOM_B: 2393 case SM_PH3_GET_RANDOM: 2394 case SM_PH3_GET_DIV: 2395 sm_next_responding_state(connection); 2396 sm_random_start(connection); 2397 return; 2398 2399 case SM_PH2_C1_GET_ENC_B: 2400 case SM_PH2_C1_GET_ENC_D: 2401 // already busy? 2402 if (sm_aes128_state == SM_AES128_ACTIVE) break; 2403 sm_next_responding_state(connection); 2404 sm_aes128_start(setup->sm_tk, setup->sm_c1_t3_value, connection); 2405 return; 2406 2407 case SM_PH3_LTK_GET_ENC: 2408 case SM_RESPONDER_PH4_LTK_GET_ENC: 2409 // already busy? 2410 if (sm_aes128_state == SM_AES128_IDLE) { 2411 sm_key_t d_prime; 2412 sm_d1_d_prime(setup->sm_local_div, 0, d_prime); 2413 sm_next_responding_state(connection); 2414 sm_aes128_start(sm_persistent_er, d_prime, connection); 2415 return; 2416 } 2417 break; 2418 2419 case SM_PH3_CSRK_GET_ENC: 2420 // already busy? 2421 if (sm_aes128_state == SM_AES128_IDLE) { 2422 sm_key_t d_prime; 2423 sm_d1_d_prime(setup->sm_local_div, 1, d_prime); 2424 sm_next_responding_state(connection); 2425 sm_aes128_start(sm_persistent_er, d_prime, connection); 2426 return; 2427 } 2428 break; 2429 2430 case SM_PH2_C1_GET_ENC_C: 2431 // already busy? 2432 if (sm_aes128_state == SM_AES128_ACTIVE) break; 2433 // calculate m_confirm using aes128 engine - step 1 2434 sm_c1_t1(setup->sm_peer_random, (uint8_t*) &setup->sm_m_preq, (uint8_t*) &setup->sm_s_pres, setup->sm_m_addr_type, setup->sm_s_addr_type, plaintext); 2435 sm_next_responding_state(connection); 2436 sm_aes128_start(setup->sm_tk, plaintext, connection); 2437 break; 2438 case SM_PH2_C1_GET_ENC_A: 2439 // already busy? 2440 if (sm_aes128_state == SM_AES128_ACTIVE) break; 2441 // calculate confirm using aes128 engine - step 1 2442 sm_c1_t1(setup->sm_local_random, (uint8_t*) &setup->sm_m_preq, (uint8_t*) &setup->sm_s_pres, setup->sm_m_addr_type, setup->sm_s_addr_type, plaintext); 2443 sm_next_responding_state(connection); 2444 sm_aes128_start(setup->sm_tk, plaintext, connection); 2445 break; 2446 case SM_PH2_CALC_STK: 2447 // already busy? 2448 if (sm_aes128_state == SM_AES128_ACTIVE) break; 2449 // calculate STK 2450 if (IS_RESPONDER(connection->sm_role)){ 2451 sm_s1_r_prime(setup->sm_local_random, setup->sm_peer_random, plaintext); 2452 } else { 2453 sm_s1_r_prime(setup->sm_peer_random, setup->sm_local_random, plaintext); 2454 } 2455 sm_next_responding_state(connection); 2456 sm_aes128_start(setup->sm_tk, plaintext, connection); 2457 break; 2458 case SM_PH3_Y_GET_ENC: 2459 // already busy? 2460 if (sm_aes128_state == SM_AES128_ACTIVE) break; 2461 // PH3B2 - calculate Y from - enc 2462 // Y = dm(DHK, Rand) 2463 sm_dm_r_prime(setup->sm_local_rand, plaintext); 2464 sm_next_responding_state(connection); 2465 sm_aes128_start(sm_persistent_dhk, plaintext, connection); 2466 return; 2467 case SM_PH2_C1_SEND_PAIRING_CONFIRM: { 2468 uint8_t buffer[17]; 2469 buffer[0] = SM_CODE_PAIRING_CONFIRM; 2470 reverse_128(setup->sm_local_confirm, &buffer[1]); 2471 if (IS_RESPONDER(connection->sm_role)){ 2472 connection->sm_engine_state = SM_RESPONDER_PH2_W4_PAIRING_RANDOM; 2473 } else { 2474 connection->sm_engine_state = SM_INITIATOR_PH2_W4_PAIRING_CONFIRM; 2475 } 2476 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2477 sm_timeout_reset(connection); 2478 return; 2479 } 2480 #ifdef ENABLE_LE_PERIPHERAL 2481 case SM_RESPONDER_PH2_SEND_LTK_REPLY: { 2482 sm_key_t stk_flipped; 2483 reverse_128(setup->sm_ltk, stk_flipped); 2484 connection->sm_engine_state = SM_PH2_W4_CONNECTION_ENCRYPTED; 2485 hci_send_cmd(&hci_le_long_term_key_request_reply, connection->sm_handle, stk_flipped); 2486 return; 2487 } 2488 case SM_RESPONDER_PH4_SEND_LTK_REPLY: { 2489 sm_key_t ltk_flipped; 2490 reverse_128(setup->sm_ltk, ltk_flipped); 2491 connection->sm_engine_state = SM_RESPONDER_IDLE; 2492 hci_send_cmd(&hci_le_long_term_key_request_reply, connection->sm_handle, ltk_flipped); 2493 return; 2494 } 2495 case SM_RESPONDER_PH4_Y_GET_ENC: 2496 // already busy? 2497 if (sm_aes128_state == SM_AES128_ACTIVE) break; 2498 log_info("LTK Request: recalculating with ediv 0x%04x", setup->sm_local_ediv); 2499 // Y = dm(DHK, Rand) 2500 sm_dm_r_prime(setup->sm_local_rand, plaintext); 2501 sm_next_responding_state(connection); 2502 sm_aes128_start(sm_persistent_dhk, plaintext, connection); 2503 return; 2504 #endif 2505 #ifdef ENABLE_LE_CENTRAL 2506 case SM_INITIATOR_PH3_SEND_START_ENCRYPTION: { 2507 sm_key_t stk_flipped; 2508 reverse_128(setup->sm_ltk, stk_flipped); 2509 connection->sm_engine_state = SM_PH2_W4_CONNECTION_ENCRYPTED; 2510 hci_send_cmd(&hci_le_start_encryption, connection->sm_handle, 0, 0, 0, stk_flipped); 2511 return; 2512 } 2513 #endif 2514 2515 case SM_PH3_DISTRIBUTE_KEYS: 2516 if (setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION){ 2517 setup->sm_key_distribution_send_set &= ~SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION; 2518 uint8_t buffer[17]; 2519 buffer[0] = SM_CODE_ENCRYPTION_INFORMATION; 2520 reverse_128(setup->sm_ltk, &buffer[1]); 2521 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2522 sm_timeout_reset(connection); 2523 return; 2524 } 2525 if (setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_MASTER_IDENTIFICATION){ 2526 setup->sm_key_distribution_send_set &= ~SM_KEYDIST_FLAG_MASTER_IDENTIFICATION; 2527 uint8_t buffer[11]; 2528 buffer[0] = SM_CODE_MASTER_IDENTIFICATION; 2529 little_endian_store_16(buffer, 1, setup->sm_local_ediv); 2530 reverse_64(setup->sm_local_rand, &buffer[3]); 2531 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2532 sm_timeout_reset(connection); 2533 return; 2534 } 2535 if (setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_IDENTITY_INFORMATION){ 2536 setup->sm_key_distribution_send_set &= ~SM_KEYDIST_FLAG_IDENTITY_INFORMATION; 2537 uint8_t buffer[17]; 2538 buffer[0] = SM_CODE_IDENTITY_INFORMATION; 2539 reverse_128(sm_persistent_irk, &buffer[1]); 2540 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2541 sm_timeout_reset(connection); 2542 return; 2543 } 2544 if (setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION){ 2545 setup->sm_key_distribution_send_set &= ~SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION; 2546 bd_addr_t local_address; 2547 uint8_t buffer[8]; 2548 buffer[0] = SM_CODE_IDENTITY_ADDRESS_INFORMATION; 2549 gap_le_get_own_address(&buffer[1], local_address); 2550 reverse_bd_addr(local_address, &buffer[2]); 2551 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2552 sm_timeout_reset(connection); 2553 return; 2554 } 2555 if (setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION){ 2556 setup->sm_key_distribution_send_set &= ~SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION; 2557 2558 // hack to reproduce test runs 2559 if (test_use_fixed_local_csrk){ 2560 memset(setup->sm_local_csrk, 0xcc, 16); 2561 } 2562 2563 uint8_t buffer[17]; 2564 buffer[0] = SM_CODE_SIGNING_INFORMATION; 2565 reverse_128(setup->sm_local_csrk, &buffer[1]); 2566 l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer)); 2567 sm_timeout_reset(connection); 2568 return; 2569 } 2570 2571 // keys are sent 2572 if (IS_RESPONDER(connection->sm_role)){ 2573 // slave -> receive master keys if any 2574 if (sm_key_distribution_all_received(connection)){ 2575 sm_key_distribution_handle_all_received(connection); 2576 connection->sm_engine_state = SM_RESPONDER_IDLE; 2577 sm_done_for_handle(connection->sm_handle); 2578 } else { 2579 connection->sm_engine_state = SM_PH3_RECEIVE_KEYS; 2580 } 2581 } else { 2582 // master -> all done 2583 connection->sm_engine_state = SM_INITIATOR_CONNECTED; 2584 sm_done_for_handle(connection->sm_handle); 2585 } 2586 break; 2587 2588 default: 2589 break; 2590 } 2591 2592 // check again if active connection was released 2593 if (sm_active_connection) break; 2594 } 2595 } 2596 2597 // note: aes engine is ready as we just got the aes result 2598 static void sm_handle_encryption_result(uint8_t * data){ 2599 2600 sm_aes128_state = SM_AES128_IDLE; 2601 2602 if (sm_address_resolution_ah_calculation_active){ 2603 sm_address_resolution_ah_calculation_active = 0; 2604 // compare calulated address against connecting device 2605 uint8_t hash[3]; 2606 reverse_24(data, hash); 2607 if (memcmp(&sm_address_resolution_address[3], hash, 3) == 0){ 2608 log_info("LE Device Lookup: matched resolvable private address"); 2609 sm_address_resolution_handle_event(ADDRESS_RESOLUTION_SUCEEDED); 2610 return; 2611 } 2612 // no match, try next 2613 sm_address_resolution_test++; 2614 return; 2615 } 2616 2617 switch (dkg_state){ 2618 case DKG_W4_IRK: 2619 reverse_128(data, sm_persistent_irk); 2620 log_info_key("irk", sm_persistent_irk); 2621 dkg_next_state(); 2622 return; 2623 case DKG_W4_DHK: 2624 reverse_128(data, sm_persistent_dhk); 2625 log_info_key("dhk", sm_persistent_dhk); 2626 dkg_next_state(); 2627 // SM Init Finished 2628 return; 2629 default: 2630 break; 2631 } 2632 2633 switch (rau_state){ 2634 case RAU_W4_ENC: 2635 reverse_24(data, &sm_random_address[3]); 2636 rau_next_state(); 2637 return; 2638 default: 2639 break; 2640 } 2641 2642 #ifdef ENABLE_CMAC_ENGINE 2643 switch (sm_cmac_state){ 2644 case CMAC_W4_SUBKEYS: 2645 case CMAC_W4_MI: 2646 case CMAC_W4_MLAST: 2647 { 2648 sm_key_t t; 2649 reverse_128(data, t); 2650 sm_cmac_handle_encryption_result(t); 2651 } 2652 return; 2653 default: 2654 break; 2655 } 2656 #endif 2657 2658 // retrieve sm_connection provided to sm_aes128_start_encryption 2659 sm_connection_t * connection = (sm_connection_t*) sm_aes128_context; 2660 if (!connection) return; 2661 switch (connection->sm_engine_state){ 2662 case SM_PH2_C1_W4_ENC_A: 2663 case SM_PH2_C1_W4_ENC_C: 2664 { 2665 sm_key_t t2; 2666 reverse_128(data, t2); 2667 sm_c1_t3(t2, setup->sm_m_address, setup->sm_s_address, setup->sm_c1_t3_value); 2668 } 2669 sm_next_responding_state(connection); 2670 return; 2671 case SM_PH2_C1_W4_ENC_B: 2672 reverse_128(data, setup->sm_local_confirm); 2673 log_info_key("c1!", setup->sm_local_confirm); 2674 connection->sm_engine_state = SM_PH2_C1_SEND_PAIRING_CONFIRM; 2675 return; 2676 case SM_PH2_C1_W4_ENC_D: 2677 { 2678 sm_key_t peer_confirm_test; 2679 reverse_128(data, peer_confirm_test); 2680 log_info_key("c1!", peer_confirm_test); 2681 if (memcmp(setup->sm_peer_confirm, peer_confirm_test, 16) != 0){ 2682 setup->sm_pairing_failed_reason = SM_REASON_CONFIRM_VALUE_FAILED; 2683 connection->sm_engine_state = SM_GENERAL_SEND_PAIRING_FAILED; 2684 return; 2685 } 2686 if (IS_RESPONDER(connection->sm_role)){ 2687 connection->sm_engine_state = SM_PH2_SEND_PAIRING_RANDOM; 2688 } else { 2689 connection->sm_engine_state = SM_PH2_CALC_STK; 2690 } 2691 } 2692 return; 2693 case SM_PH2_W4_STK: 2694 reverse_128(data, setup->sm_ltk); 2695 sm_truncate_key(setup->sm_ltk, connection->sm_actual_encryption_key_size); 2696 log_info_key("stk", setup->sm_ltk); 2697 if (IS_RESPONDER(connection->sm_role)){ 2698 connection->sm_engine_state = SM_RESPONDER_PH2_SEND_LTK_REPLY; 2699 } else { 2700 connection->sm_engine_state = SM_INITIATOR_PH3_SEND_START_ENCRYPTION; 2701 } 2702 return; 2703 case SM_PH3_Y_W4_ENC:{ 2704 sm_key_t y128; 2705 reverse_128(data, y128); 2706 setup->sm_local_y = big_endian_read_16(y128, 14); 2707 log_info_hex16("y", setup->sm_local_y); 2708 // PH3B3 - calculate EDIV 2709 setup->sm_local_ediv = setup->sm_local_y ^ setup->sm_local_div; 2710 log_info_hex16("ediv", setup->sm_local_ediv); 2711 // PH3B4 - calculate LTK - enc 2712 // LTK = d1(ER, DIV, 0)) 2713 connection->sm_engine_state = SM_PH3_LTK_GET_ENC; 2714 return; 2715 } 2716 case SM_RESPONDER_PH4_Y_W4_ENC:{ 2717 sm_key_t y128; 2718 reverse_128(data, y128); 2719 setup->sm_local_y = big_endian_read_16(y128, 14); 2720 log_info_hex16("y", setup->sm_local_y); 2721 2722 // PH3B3 - calculate DIV 2723 setup->sm_local_div = setup->sm_local_y ^ setup->sm_local_ediv; 2724 log_info_hex16("ediv", setup->sm_local_ediv); 2725 // PH3B4 - calculate LTK - enc 2726 // LTK = d1(ER, DIV, 0)) 2727 connection->sm_engine_state = SM_RESPONDER_PH4_LTK_GET_ENC; 2728 return; 2729 } 2730 case SM_PH3_LTK_W4_ENC: 2731 reverse_128(data, setup->sm_ltk); 2732 log_info_key("ltk", setup->sm_ltk); 2733 // calc CSRK next 2734 connection->sm_engine_state = SM_PH3_CSRK_GET_ENC; 2735 return; 2736 case SM_PH3_CSRK_W4_ENC: 2737 reverse_128(data, setup->sm_local_csrk); 2738 log_info_key("csrk", setup->sm_local_csrk); 2739 if (setup->sm_key_distribution_send_set){ 2740 connection->sm_engine_state = SM_PH3_DISTRIBUTE_KEYS; 2741 } else { 2742 // no keys to send, just continue 2743 if (IS_RESPONDER(connection->sm_role)){ 2744 // slave -> receive master keys 2745 connection->sm_engine_state = SM_PH3_RECEIVE_KEYS; 2746 } else { 2747 if (setup->sm_use_secure_connections && (setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION)){ 2748 connection->sm_engine_state = SM_SC_W2_CALCULATE_H6_ILK; 2749 } else { 2750 // master -> all done 2751 connection->sm_engine_state = SM_INITIATOR_CONNECTED; 2752 sm_done_for_handle(connection->sm_handle); 2753 } 2754 } 2755 } 2756 return; 2757 #ifdef ENABLE_LE_PERIPHERAL 2758 case SM_RESPONDER_PH4_LTK_W4_ENC: 2759 reverse_128(data, setup->sm_ltk); 2760 sm_truncate_key(setup->sm_ltk, connection->sm_actual_encryption_key_size); 2761 log_info_key("ltk", setup->sm_ltk); 2762 connection->sm_engine_state = SM_RESPONDER_PH4_SEND_LTK_REPLY; 2763 return; 2764 #endif 2765 default: 2766 break; 2767 } 2768 } 2769 2770 #ifdef USE_MBEDTLS_FOR_ECDH 2771 2772 static int sm_generate_f_rng(void * context, unsigned char * buffer, size_t size){ 2773 UNUSED(context); 2774 2775 int offset = setup->sm_passkey_bit; 2776 log_info("sm_generate_f_rng: size %u - offset %u", (int) size, offset); 2777 while (size) { 2778 *buffer++ = setup->sm_peer_q[offset++]; 2779 size--; 2780 } 2781 setup->sm_passkey_bit = offset; 2782 return 0; 2783 } 2784 #endif 2785 2786 // note: random generator is ready. this doesn NOT imply that aes engine is unused! 2787 static void sm_handle_random_result(uint8_t * data){ 2788 2789 #ifdef USE_MBEDTLS_FOR_ECDH 2790 if (ec_key_generation_state == EC_KEY_GENERATION_ACTIVE){ 2791 int num_bytes = setup->sm_passkey_bit; 2792 memcpy(&setup->sm_peer_q[num_bytes], data, 8); 2793 num_bytes += 8; 2794 setup->sm_passkey_bit = num_bytes; 2795 2796 if (num_bytes >= 64){ 2797 2798 // generate EC key 2799 setup->sm_passkey_bit = 0; 2800 mbedtls_mpi d; 2801 mbedtls_ecp_point P; 2802 mbedtls_mpi_init(&d); 2803 mbedtls_ecp_point_init(&P); 2804 int res = mbedtls_ecp_gen_keypair(&mbedtls_ec_group, &d, &P, &sm_generate_f_rng, NULL); 2805 log_info("gen keypair %x", res); 2806 mbedtls_mpi_write_binary(&P.X, &ec_q[0], 32); 2807 mbedtls_mpi_write_binary(&P.Y, &ec_q[32], 32); 2808 mbedtls_mpi_write_binary(&d, ec_d, 32); 2809 mbedtls_ecp_point_free(&P); 2810 mbedtls_mpi_free(&d); 2811 ec_key_generation_state = EC_KEY_GENERATION_DONE; 2812 log_info("Elliptic curve: d"); 2813 log_info_hexdump(ec_d,32); 2814 sm_log_ec_keypair(); 2815 } 2816 } 2817 #endif 2818 2819 switch (rau_state){ 2820 case RAU_W4_RANDOM: 2821 // non-resolvable vs. resolvable 2822 switch (gap_random_adress_type){ 2823 case GAP_RANDOM_ADDRESS_RESOLVABLE: 2824 // resolvable: use random as prand and calc address hash 2825 // "The two most significant bits of prand shall be equal to ‘0’ and ‘1" 2826 memcpy(sm_random_address, data, 3); 2827 sm_random_address[0] &= 0x3f; 2828 sm_random_address[0] |= 0x40; 2829 rau_state = RAU_GET_ENC; 2830 break; 2831 case GAP_RANDOM_ADDRESS_NON_RESOLVABLE: 2832 default: 2833 // "The two most significant bits of the address shall be equal to ‘0’"" 2834 memcpy(sm_random_address, data, 6); 2835 sm_random_address[0] &= 0x3f; 2836 rau_state = RAU_SET_ADDRESS; 2837 break; 2838 } 2839 return; 2840 default: 2841 break; 2842 } 2843 2844 // retrieve sm_connection provided to sm_random_start 2845 sm_connection_t * connection = (sm_connection_t *) sm_random_context; 2846 if (!connection) return; 2847 switch (connection->sm_engine_state){ 2848 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2849 case SM_SC_W4_GET_RANDOM_A: 2850 memcpy(&setup->sm_local_nonce[0], data, 8); 2851 connection->sm_engine_state = SM_SC_W2_GET_RANDOM_B; 2852 break; 2853 case SM_SC_W4_GET_RANDOM_B: 2854 memcpy(&setup->sm_local_nonce[8], data, 8); 2855 // initiator & jw/nc -> send pairing random 2856 if (connection->sm_role == 0 && sm_just_works_or_numeric_comparison(setup->sm_stk_generation_method)){ 2857 connection->sm_engine_state = SM_SC_SEND_PAIRING_RANDOM; 2858 break; 2859 } else { 2860 connection->sm_engine_state = SM_SC_W2_CMAC_FOR_CONFIRMATION; 2861 } 2862 break; 2863 #endif 2864 2865 case SM_PH2_W4_RANDOM_TK: 2866 { 2867 // map random to 0-999999 without speding much cycles on a modulus operation 2868 uint32_t tk = little_endian_read_32(data,0); 2869 tk = tk & 0xfffff; // 1048575 2870 if (tk >= 999999){ 2871 tk = tk - 999999; 2872 } 2873 sm_reset_tk(); 2874 big_endian_store_32(setup->sm_tk, 12, tk); 2875 if (IS_RESPONDER(connection->sm_role)){ 2876 connection->sm_engine_state = SM_RESPONDER_PH1_SEND_PAIRING_RESPONSE; 2877 } else { 2878 if (setup->sm_use_secure_connections){ 2879 connection->sm_engine_state = SM_SC_SEND_PUBLIC_KEY_COMMAND; 2880 } else { 2881 connection->sm_engine_state = SM_PH1_W4_USER_RESPONSE; 2882 sm_trigger_user_response(connection); 2883 // response_idle == nothing <--> sm_trigger_user_response() did not require response 2884 if (setup->sm_user_response == SM_USER_RESPONSE_IDLE){ 2885 connection->sm_engine_state = SM_PH2_C1_GET_RANDOM_A; 2886 } 2887 } 2888 } 2889 return; 2890 } 2891 case SM_PH2_C1_W4_RANDOM_A: 2892 memcpy(&setup->sm_local_random[0], data, 8); // random endinaness 2893 connection->sm_engine_state = SM_PH2_C1_GET_RANDOM_B; 2894 return; 2895 case SM_PH2_C1_W4_RANDOM_B: 2896 memcpy(&setup->sm_local_random[8], data, 8); // random endinaness 2897 connection->sm_engine_state = SM_PH2_C1_GET_ENC_A; 2898 return; 2899 case SM_PH3_W4_RANDOM: 2900 reverse_64(data, setup->sm_local_rand); 2901 // no db for encryption size hack: encryption size is stored in lowest nibble of setup->sm_local_rand 2902 setup->sm_local_rand[7] = (setup->sm_local_rand[7] & 0xf0) + (connection->sm_actual_encryption_key_size - 1); 2903 // no db for authenticated flag hack: store flag in bit 4 of LSB 2904 setup->sm_local_rand[7] = (setup->sm_local_rand[7] & 0xef) + (connection->sm_connection_authenticated << 4); 2905 connection->sm_engine_state = SM_PH3_GET_DIV; 2906 return; 2907 case SM_PH3_W4_DIV: 2908 // use 16 bit from random value as div 2909 setup->sm_local_div = big_endian_read_16(data, 0); 2910 log_info_hex16("div", setup->sm_local_div); 2911 connection->sm_engine_state = SM_PH3_Y_GET_ENC; 2912 return; 2913 default: 2914 break; 2915 } 2916 } 2917 2918 static void sm_event_packet_handler (uint8_t packet_type, uint16_t channel, uint8_t *packet, uint16_t size){ 2919 2920 UNUSED(channel); 2921 UNUSED(size); 2922 2923 sm_connection_t * sm_conn; 2924 hci_con_handle_t con_handle; 2925 2926 switch (packet_type) { 2927 2928 case HCI_EVENT_PACKET: 2929 switch (hci_event_packet_get_type(packet)) { 2930 2931 case BTSTACK_EVENT_STATE: 2932 // bt stack activated, get started 2933 if (btstack_event_state_get_state(packet) == HCI_STATE_WORKING){ 2934 log_info("HCI Working!"); 2935 2936 // set local addr for le device db 2937 bd_addr_t local_bd_addr; 2938 gap_local_bd_addr(local_bd_addr); 2939 le_device_db_set_local_bd_addr(local_bd_addr); 2940 2941 dkg_state = sm_persistent_irk_ready ? DKG_CALC_DHK : DKG_CALC_IRK; 2942 #ifdef ENABLE_LE_SECURE_CONNECTIONS 2943 if (!sm_have_ec_keypair){ 2944 setup->sm_passkey_bit = 0; 2945 ec_key_generation_state = EC_KEY_GENERATION_ACTIVE; 2946 } 2947 #endif 2948 // trigger Random Address generation if requested before 2949 switch (gap_random_adress_type){ 2950 case GAP_RANDOM_ADDRESS_TYPE_OFF: 2951 rau_state = RAU_IDLE; 2952 break; 2953 case GAP_RANDOM_ADDRESS_TYPE_STATIC: 2954 rau_state = RAU_SET_ADDRESS; 2955 break; 2956 default: 2957 rau_state = RAU_GET_RANDOM; 2958 break; 2959 } 2960 sm_run(); 2961 } 2962 break; 2963 2964 case HCI_EVENT_LE_META: 2965 switch (packet[2]) { 2966 case HCI_SUBEVENT_LE_CONNECTION_COMPLETE: 2967 2968 log_info("sm: connected"); 2969 2970 if (packet[3]) return; // connection failed 2971 2972 con_handle = little_endian_read_16(packet, 4); 2973 sm_conn = sm_get_connection_for_handle(con_handle); 2974 if (!sm_conn) break; 2975 2976 sm_conn->sm_handle = con_handle; 2977 sm_conn->sm_role = packet[6]; 2978 sm_conn->sm_peer_addr_type = packet[7]; 2979 reverse_bd_addr(&packet[8], sm_conn->sm_peer_address); 2980 2981 log_info("New sm_conn, role %s", sm_conn->sm_role ? "slave" : "master"); 2982 2983 // reset security properties 2984 sm_conn->sm_connection_encrypted = 0; 2985 sm_conn->sm_connection_authenticated = 0; 2986 sm_conn->sm_connection_authorization_state = AUTHORIZATION_UNKNOWN; 2987 sm_conn->sm_le_db_index = -1; 2988 2989 // prepare CSRK lookup (does not involve setup) 2990 sm_conn->sm_irk_lookup_state = IRK_LOOKUP_W4_READY; 2991 2992 // just connected -> everything else happens in sm_run() 2993 if (IS_RESPONDER(sm_conn->sm_role)){ 2994 // slave - state already could be SM_RESPONDER_SEND_SECURITY_REQUEST instead 2995 if (sm_conn->sm_engine_state == SM_GENERAL_IDLE){ 2996 if (sm_slave_request_security) { 2997 // request security if requested by app 2998 sm_conn->sm_engine_state = SM_RESPONDER_SEND_SECURITY_REQUEST; 2999 } else { 3000 // otherwise, wait for pairing request 3001 sm_conn->sm_engine_state = SM_RESPONDER_IDLE; 3002 } 3003 } 3004 break; 3005 } else { 3006 // master 3007 sm_conn->sm_engine_state = SM_INITIATOR_CONNECTED; 3008 } 3009 break; 3010 3011 case HCI_SUBEVENT_LE_LONG_TERM_KEY_REQUEST: 3012 con_handle = little_endian_read_16(packet, 3); 3013 sm_conn = sm_get_connection_for_handle(con_handle); 3014 if (!sm_conn) break; 3015 3016 log_info("LTK Request: state %u", sm_conn->sm_engine_state); 3017 if (sm_conn->sm_engine_state == SM_RESPONDER_PH2_W4_LTK_REQUEST){ 3018 sm_conn->sm_engine_state = SM_PH2_CALC_STK; 3019 break; 3020 } 3021 if (sm_conn->sm_engine_state == SM_SC_W4_LTK_REQUEST_SC){ 3022 // PH2 SEND LTK as we need to exchange keys in PH3 3023 sm_conn->sm_engine_state = SM_RESPONDER_PH2_SEND_LTK_REPLY; 3024 break; 3025 } 3026 3027 // store rand and ediv 3028 reverse_64(&packet[5], sm_conn->sm_local_rand); 3029 sm_conn->sm_local_ediv = little_endian_read_16(packet, 13); 3030 3031 // For Legacy Pairing (<=> EDIV != 0 || RAND != NULL), we need to recalculated our LTK as a 3032 // potentially stored LTK is from the master 3033 if (sm_conn->sm_local_ediv != 0 || !sm_is_null_random(sm_conn->sm_local_rand)){ 3034 sm_conn->sm_engine_state = SM_RESPONDER_PH0_RECEIVED_LTK_REQUEST; 3035 break; 3036 } 3037 3038 #ifdef ENABLE_LE_SECURE_CONNECTIONS 3039 sm_conn->sm_engine_state = SM_SC_RECEIVED_LTK_REQUEST; 3040 #else 3041 log_info("LTK Request: ediv & random are empty, but LE Secure Connections not supported"); 3042 sm_conn->sm_engine_state = SM_RESPONDER_PH0_SEND_LTK_REQUESTED_NEGATIVE_REPLY; 3043 #endif 3044 break; 3045 3046 #ifdef ENABLE_LE_SECURE_CONNECTIONS 3047 case HCI_SUBEVENT_LE_READ_LOCAL_P256_PUBLIC_KEY_COMPLETE: 3048 if (hci_subevent_le_read_local_p256_public_key_complete_get_status(packet)){ 3049 log_error("Read Local P256 Public Key failed"); 3050 break; 3051 } 3052 hci_subevent_le_read_local_p256_public_key_complete_get_dhkey_x(packet, &ec_q[0]); 3053 hci_subevent_le_read_local_p256_public_key_complete_get_dhkey_y(packet, &ec_q[32]); 3054 ec_key_generation_state = EC_KEY_GENERATION_DONE; 3055 sm_log_ec_keypair(); 3056 break; 3057 #endif 3058 default: 3059 break; 3060 } 3061 break; 3062 3063 case HCI_EVENT_ENCRYPTION_CHANGE: 3064 con_handle = little_endian_read_16(packet, 3); 3065 sm_conn = sm_get_connection_for_handle(con_handle); 3066 if (!sm_conn) break; 3067 3068 sm_conn->sm_connection_encrypted = packet[5]; 3069 log_info("Encryption state change: %u, key size %u", sm_conn->sm_connection_encrypted, 3070 sm_conn->sm_actual_encryption_key_size); 3071 log_info("event handler, state %u", sm_conn->sm_engine_state); 3072 if (!sm_conn->sm_connection_encrypted) break; 3073 // continue if part of initial pairing 3074 switch (sm_conn->sm_engine_state){ 3075 case SM_INITIATOR_PH0_W4_CONNECTION_ENCRYPTED: 3076 sm_conn->sm_engine_state = SM_INITIATOR_CONNECTED; 3077 sm_done_for_handle(sm_conn->sm_handle); 3078 break; 3079 case SM_PH2_W4_CONNECTION_ENCRYPTED: 3080 if (IS_RESPONDER(sm_conn->sm_role)){ 3081 // slave 3082 if (setup->sm_use_secure_connections){ 3083 sm_conn->sm_engine_state = SM_PH3_DISTRIBUTE_KEYS; 3084 } else { 3085 sm_conn->sm_engine_state = SM_PH3_GET_RANDOM; 3086 } 3087 } else { 3088 // master 3089 if (sm_key_distribution_all_received(sm_conn)){ 3090 // skip receiving keys as there are none 3091 sm_key_distribution_handle_all_received(sm_conn); 3092 sm_conn->sm_engine_state = SM_PH3_GET_RANDOM; 3093 } else { 3094 sm_conn->sm_engine_state = SM_PH3_RECEIVE_KEYS; 3095 } 3096 } 3097 break; 3098 default: 3099 break; 3100 } 3101 break; 3102 3103 case HCI_EVENT_ENCRYPTION_KEY_REFRESH_COMPLETE: 3104 con_handle = little_endian_read_16(packet, 3); 3105 sm_conn = sm_get_connection_for_handle(con_handle); 3106 if (!sm_conn) break; 3107 3108 log_info("Encryption key refresh complete, key size %u", sm_conn->sm_actual_encryption_key_size); 3109 log_info("event handler, state %u", sm_conn->sm_engine_state); 3110 // continue if part of initial pairing 3111 switch (sm_conn->sm_engine_state){ 3112 case SM_INITIATOR_PH0_W4_CONNECTION_ENCRYPTED: 3113 sm_conn->sm_engine_state = SM_INITIATOR_CONNECTED; 3114 sm_done_for_handle(sm_conn->sm_handle); 3115 break; 3116 case SM_PH2_W4_CONNECTION_ENCRYPTED: 3117 if (IS_RESPONDER(sm_conn->sm_role)){ 3118 // slave 3119 sm_conn->sm_engine_state = SM_PH3_GET_RANDOM; 3120 } else { 3121 // master 3122 sm_conn->sm_engine_state = SM_PH3_RECEIVE_KEYS; 3123 } 3124 break; 3125 default: 3126 break; 3127 } 3128 break; 3129 3130 3131 case HCI_EVENT_DISCONNECTION_COMPLETE: 3132 con_handle = little_endian_read_16(packet, 3); 3133 sm_done_for_handle(con_handle); 3134 sm_conn = sm_get_connection_for_handle(con_handle); 3135 if (!sm_conn) break; 3136 3137 // delete stored bonding on disconnect with authentication failure in ph0 3138 if (sm_conn->sm_role == 0 3139 && sm_conn->sm_engine_state == SM_INITIATOR_PH0_W4_CONNECTION_ENCRYPTED 3140 && packet[2] == ERROR_CODE_AUTHENTICATION_FAILURE){ 3141 le_device_db_remove(sm_conn->sm_le_db_index); 3142 } 3143 3144 sm_conn->sm_engine_state = SM_GENERAL_IDLE; 3145 sm_conn->sm_handle = 0; 3146 break; 3147 3148 case HCI_EVENT_COMMAND_COMPLETE: 3149 if (HCI_EVENT_IS_COMMAND_COMPLETE(packet, hci_le_encrypt)){ 3150 sm_handle_encryption_result(&packet[6]); 3151 break; 3152 } 3153 if (HCI_EVENT_IS_COMMAND_COMPLETE(packet, hci_le_rand)){ 3154 sm_handle_random_result(&packet[6]); 3155 break; 3156 } 3157 if (HCI_EVENT_IS_COMMAND_COMPLETE(packet, hci_read_bd_addr)){ 3158 // Hack for Nordic nRF5 series that doesn't have public address: 3159 // - with patches from port/nrf5-zephyr, hci_read_bd_addr returns random static address 3160 // - we use this as default for advertisements/connections 3161 if (hci_get_manufacturer() == BLUETOOTH_COMPANY_ID_NORDIC_SEMICONDUCTOR_ASA){ 3162 log_info("nRF5: using (fake) public address as random static address"); 3163 bd_addr_t addr; 3164 reverse_bd_addr(&packet[OFFSET_OF_DATA_IN_COMMAND_COMPLETE + 1], addr); 3165 gap_random_address_set(addr); 3166 } 3167 } 3168 break; 3169 default: 3170 break; 3171 } 3172 break; 3173 default: 3174 break; 3175 } 3176 3177 sm_run(); 3178 } 3179 3180 static inline int sm_calc_actual_encryption_key_size(int other){ 3181 if (other < sm_min_encryption_key_size) return 0; 3182 if (other < sm_max_encryption_key_size) return other; 3183 return sm_max_encryption_key_size; 3184 } 3185 3186 3187 #ifdef ENABLE_LE_SECURE_CONNECTIONS 3188 static int sm_just_works_or_numeric_comparison(stk_generation_method_t method){ 3189 switch (method){ 3190 case JUST_WORKS: 3191 case NK_BOTH_INPUT: 3192 return 1; 3193 default: 3194 return 0; 3195 } 3196 } 3197 // responder 3198 3199 static int sm_passkey_used(stk_generation_method_t method){ 3200 switch (method){ 3201 case PK_RESP_INPUT: 3202 return 1; 3203 default: 3204 return 0; 3205 } 3206 } 3207 #endif 3208 3209 /** 3210 * @return ok 3211 */ 3212 static int sm_validate_stk_generation_method(void){ 3213 // check if STK generation method is acceptable by client 3214 switch (setup->sm_stk_generation_method){ 3215 case JUST_WORKS: 3216 return (sm_accepted_stk_generation_methods & SM_STK_GENERATION_METHOD_JUST_WORKS) != 0; 3217 case PK_RESP_INPUT: 3218 case PK_INIT_INPUT: 3219 case OK_BOTH_INPUT: 3220 return (sm_accepted_stk_generation_methods & SM_STK_GENERATION_METHOD_PASSKEY) != 0; 3221 case OOB: 3222 return (sm_accepted_stk_generation_methods & SM_STK_GENERATION_METHOD_OOB) != 0; 3223 case NK_BOTH_INPUT: 3224 return (sm_accepted_stk_generation_methods & SM_STK_GENERATION_METHOD_NUMERIC_COMPARISON) != 0; 3225 return 1; 3226 default: 3227 return 0; 3228 } 3229 } 3230 3231 static void sm_pdu_handler(uint8_t packet_type, hci_con_handle_t con_handle, uint8_t *packet, uint16_t size){ 3232 3233 UNUSED(size); 3234 3235 if (packet_type == HCI_EVENT_PACKET && packet[0] == L2CAP_EVENT_CAN_SEND_NOW){ 3236 sm_run(); 3237 } 3238 3239 if (packet_type != SM_DATA_PACKET) return; 3240 3241 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3242 if (!sm_conn) return; 3243 3244 if (packet[0] == SM_CODE_PAIRING_FAILED){ 3245 sm_conn->sm_engine_state = sm_conn->sm_role ? SM_RESPONDER_IDLE : SM_INITIATOR_CONNECTED; 3246 return; 3247 } 3248 3249 log_debug("sm_pdu_handler: state %u, pdu 0x%02x", sm_conn->sm_engine_state, packet[0]); 3250 3251 int err; 3252 UNUSED(err); 3253 3254 if (packet[0] == SM_CODE_KEYPRESS_NOTIFICATION){ 3255 uint8_t buffer[5]; 3256 buffer[0] = SM_EVENT_KEYPRESS_NOTIFICATION; 3257 buffer[1] = 3; 3258 little_endian_store_16(buffer, 2, con_handle); 3259 buffer[4] = packet[1]; 3260 sm_dispatch_event(HCI_EVENT_PACKET, 0, buffer, sizeof(buffer)); 3261 return; 3262 } 3263 3264 switch (sm_conn->sm_engine_state){ 3265 3266 // a sm timeout requries a new physical connection 3267 case SM_GENERAL_TIMEOUT: 3268 return; 3269 3270 #ifdef ENABLE_LE_CENTRAL 3271 3272 // Initiator 3273 case SM_INITIATOR_CONNECTED: 3274 if ((packet[0] != SM_CODE_SECURITY_REQUEST) || (sm_conn->sm_role)){ 3275 sm_pdu_received_in_wrong_state(sm_conn); 3276 break; 3277 } 3278 if (sm_conn->sm_irk_lookup_state == IRK_LOOKUP_FAILED){ 3279 sm_conn->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 3280 break; 3281 } 3282 if (sm_conn->sm_irk_lookup_state == IRK_LOOKUP_SUCCEEDED){ 3283 sm_key_t ltk; 3284 le_device_db_encryption_get(sm_conn->sm_le_db_index, NULL, NULL, ltk, NULL, NULL, NULL); 3285 if (!sm_is_null_key(ltk)){ 3286 log_info("sm: Setting up previous ltk/ediv/rand for device index %u", sm_conn->sm_le_db_index); 3287 sm_conn->sm_engine_state = SM_INITIATOR_PH0_HAS_LTK; 3288 } else { 3289 sm_conn->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 3290 } 3291 break; 3292 } 3293 // otherwise, store security request 3294 sm_conn->sm_security_request_received = 1; 3295 break; 3296 3297 case SM_INITIATOR_PH1_W4_PAIRING_RESPONSE: 3298 if (packet[0] != SM_CODE_PAIRING_RESPONSE){ 3299 sm_pdu_received_in_wrong_state(sm_conn); 3300 break; 3301 } 3302 // store pairing request 3303 memcpy(&setup->sm_s_pres, packet, sizeof(sm_pairing_packet_t)); 3304 err = sm_stk_generation_init(sm_conn); 3305 if (err){ 3306 setup->sm_pairing_failed_reason = err; 3307 sm_conn->sm_engine_state = SM_GENERAL_SEND_PAIRING_FAILED; 3308 break; 3309 } 3310 3311 // generate random number first, if we need to show passkey 3312 if (setup->sm_stk_generation_method == PK_RESP_INPUT){ 3313 sm_conn->sm_engine_state = SM_PH2_GET_RANDOM_TK; 3314 break; 3315 } 3316 3317 #ifdef ENABLE_LE_SECURE_CONNECTIONS 3318 if (setup->sm_use_secure_connections){ 3319 // SC Numeric Comparison will trigger user response after public keys & nonces have been exchanged 3320 if (setup->sm_stk_generation_method == JUST_WORKS){ 3321 sm_conn->sm_engine_state = SM_PH1_W4_USER_RESPONSE; 3322 sm_trigger_user_response(sm_conn); 3323 if (setup->sm_user_response == SM_USER_RESPONSE_IDLE){ 3324 sm_conn->sm_engine_state = SM_SC_SEND_PUBLIC_KEY_COMMAND; 3325 } 3326 } else { 3327 sm_conn->sm_engine_state = SM_SC_SEND_PUBLIC_KEY_COMMAND; 3328 } 3329 break; 3330 } 3331 #endif 3332 sm_conn->sm_engine_state = SM_PH1_W4_USER_RESPONSE; 3333 sm_trigger_user_response(sm_conn); 3334 // response_idle == nothing <--> sm_trigger_user_response() did not require response 3335 if (setup->sm_user_response == SM_USER_RESPONSE_IDLE){ 3336 sm_conn->sm_engine_state = SM_PH2_C1_GET_RANDOM_A; 3337 } 3338 break; 3339 3340 case SM_INITIATOR_PH2_W4_PAIRING_CONFIRM: 3341 if (packet[0] != SM_CODE_PAIRING_CONFIRM){ 3342 sm_pdu_received_in_wrong_state(sm_conn); 3343 break; 3344 } 3345 3346 // store s_confirm 3347 reverse_128(&packet[1], setup->sm_peer_confirm); 3348 sm_conn->sm_engine_state = SM_PH2_SEND_PAIRING_RANDOM; 3349 break; 3350 3351 case SM_INITIATOR_PH2_W4_PAIRING_RANDOM: 3352 if (packet[0] != SM_CODE_PAIRING_RANDOM){ 3353 sm_pdu_received_in_wrong_state(sm_conn); 3354 break;; 3355 } 3356 3357 // received random value 3358 reverse_128(&packet[1], setup->sm_peer_random); 3359 sm_conn->sm_engine_state = SM_PH2_C1_GET_ENC_C; 3360 break; 3361 #endif 3362 3363 #ifdef ENABLE_LE_PERIPHERAL 3364 // Responder 3365 case SM_RESPONDER_IDLE: 3366 case SM_RESPONDER_SEND_SECURITY_REQUEST: 3367 case SM_RESPONDER_PH1_W4_PAIRING_REQUEST: 3368 if (packet[0] != SM_CODE_PAIRING_REQUEST){ 3369 sm_pdu_received_in_wrong_state(sm_conn); 3370 break;; 3371 } 3372 3373 // store pairing request 3374 memcpy(&sm_conn->sm_m_preq, packet, sizeof(sm_pairing_packet_t)); 3375 sm_conn->sm_engine_state = SM_RESPONDER_PH1_PAIRING_REQUEST_RECEIVED; 3376 break; 3377 #endif 3378 3379 #ifdef ENABLE_LE_SECURE_CONNECTIONS 3380 case SM_SC_W4_PUBLIC_KEY_COMMAND: 3381 if (packet[0] != SM_CODE_PAIRING_PUBLIC_KEY){ 3382 sm_pdu_received_in_wrong_state(sm_conn); 3383 break; 3384 } 3385 3386 // store public key for DH Key calculation 3387 reverse_256(&packet[01], &setup->sm_peer_q[0]); 3388 reverse_256(&packet[33], &setup->sm_peer_q[32]); 3389 3390 #ifdef USE_MBEDTLS_FOR_ECDH 3391 // validate public key 3392 mbedtls_ecp_point Q; 3393 mbedtls_ecp_point_init( &Q ); 3394 mbedtls_mpi_read_binary(&Q.X, &setup->sm_peer_q[0], 32); 3395 mbedtls_mpi_read_binary(&Q.Y, &setup->sm_peer_q[32], 32); 3396 mbedtls_mpi_lset(&Q.Z, 1); 3397 err = mbedtls_ecp_check_pubkey(&mbedtls_ec_group, &Q); 3398 mbedtls_ecp_point_free( & Q); 3399 if (err){ 3400 log_error("sm: peer public key invalid %x", err); 3401 // uses "unspecified reason", there is no "public key invalid" error code 3402 sm_pdu_received_in_wrong_state(sm_conn); 3403 break; 3404 } 3405 3406 #endif 3407 if (IS_RESPONDER(sm_conn->sm_role)){ 3408 // responder 3409 sm_conn->sm_engine_state = SM_SC_SEND_PUBLIC_KEY_COMMAND; 3410 } else { 3411 // initiator 3412 // stk generation method 3413 // passkey entry: notify app to show passkey or to request passkey 3414 switch (setup->sm_stk_generation_method){ 3415 case JUST_WORKS: 3416 case NK_BOTH_INPUT: 3417 sm_conn->sm_engine_state = SM_SC_W4_CONFIRMATION; 3418 break; 3419 case PK_RESP_INPUT: 3420 sm_sc_start_calculating_local_confirm(sm_conn); 3421 break; 3422 case PK_INIT_INPUT: 3423 case OK_BOTH_INPUT: 3424 if (setup->sm_user_response != SM_USER_RESPONSE_PASSKEY){ 3425 sm_conn->sm_engine_state = SM_SC_W4_USER_RESPONSE; 3426 break; 3427 } 3428 sm_sc_start_calculating_local_confirm(sm_conn); 3429 break; 3430 case OOB: 3431 // TODO: implement SC OOB 3432 break; 3433 } 3434 } 3435 break; 3436 3437 case SM_SC_W4_CONFIRMATION: 3438 if (packet[0] != SM_CODE_PAIRING_CONFIRM){ 3439 sm_pdu_received_in_wrong_state(sm_conn); 3440 break; 3441 } 3442 // received confirm value 3443 reverse_128(&packet[1], setup->sm_peer_confirm); 3444 3445 if (IS_RESPONDER(sm_conn->sm_role)){ 3446 // responder 3447 if (sm_passkey_used(setup->sm_stk_generation_method)){ 3448 if (setup->sm_user_response != SM_USER_RESPONSE_PASSKEY){ 3449 // still waiting for passkey 3450 sm_conn->sm_engine_state = SM_SC_W4_USER_RESPONSE; 3451 break; 3452 } 3453 } 3454 sm_sc_start_calculating_local_confirm(sm_conn); 3455 } else { 3456 // initiator 3457 if (sm_just_works_or_numeric_comparison(setup->sm_stk_generation_method)){ 3458 sm_conn->sm_engine_state = SM_SC_W2_GET_RANDOM_A; 3459 } else { 3460 sm_conn->sm_engine_state = SM_SC_SEND_PAIRING_RANDOM; 3461 } 3462 } 3463 break; 3464 3465 case SM_SC_W4_PAIRING_RANDOM: 3466 if (packet[0] != SM_CODE_PAIRING_RANDOM){ 3467 sm_pdu_received_in_wrong_state(sm_conn); 3468 break; 3469 } 3470 3471 // received random value 3472 reverse_128(&packet[1], setup->sm_peer_nonce); 3473 3474 // validate confirm value if Cb = f4(Pkb, Pka, Nb, z) 3475 // only check for JUST WORK/NC in initiator role AND passkey entry 3476 if (sm_conn->sm_role || sm_passkey_used(setup->sm_stk_generation_method)) { 3477 sm_conn->sm_engine_state = SM_SC_W2_CMAC_FOR_CHECK_CONFIRMATION; 3478 } 3479 3480 sm_sc_state_after_receiving_random(sm_conn); 3481 break; 3482 3483 case SM_SC_W2_CALCULATE_G2: 3484 case SM_SC_W4_CALCULATE_G2: 3485 case SM_SC_W2_CALCULATE_F5_SALT: 3486 case SM_SC_W4_CALCULATE_F5_SALT: 3487 case SM_SC_W2_CALCULATE_F5_MACKEY: 3488 case SM_SC_W4_CALCULATE_F5_MACKEY: 3489 case SM_SC_W2_CALCULATE_F5_LTK: 3490 case SM_SC_W4_CALCULATE_F5_LTK: 3491 case SM_SC_W2_CALCULATE_F6_FOR_DHKEY_CHECK: 3492 case SM_SC_W4_DHKEY_CHECK_COMMAND: 3493 case SM_SC_W4_CALCULATE_F6_FOR_DHKEY_CHECK: 3494 if (packet[0] != SM_CODE_PAIRING_DHKEY_CHECK){ 3495 sm_pdu_received_in_wrong_state(sm_conn); 3496 break; 3497 } 3498 // store DHKey Check 3499 setup->sm_state_vars |= SM_STATE_VAR_DHKEY_COMMAND_RECEIVED; 3500 reverse_128(&packet[01], setup->sm_peer_dhkey_check); 3501 3502 // have we been only waiting for dhkey check command? 3503 if (sm_conn->sm_engine_state == SM_SC_W4_DHKEY_CHECK_COMMAND){ 3504 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_F6_TO_VERIFY_DHKEY_CHECK; 3505 } 3506 break; 3507 #endif 3508 3509 #ifdef ENABLE_LE_PERIPHERAL 3510 case SM_RESPONDER_PH1_W4_PAIRING_CONFIRM: 3511 if (packet[0] != SM_CODE_PAIRING_CONFIRM){ 3512 sm_pdu_received_in_wrong_state(sm_conn); 3513 break; 3514 } 3515 3516 // received confirm value 3517 reverse_128(&packet[1], setup->sm_peer_confirm); 3518 3519 // notify client to hide shown passkey 3520 if (setup->sm_stk_generation_method == PK_INIT_INPUT){ 3521 sm_notify_client_base(SM_EVENT_PASSKEY_DISPLAY_CANCEL, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address); 3522 } 3523 3524 // handle user cancel pairing? 3525 if (setup->sm_user_response == SM_USER_RESPONSE_DECLINE){ 3526 setup->sm_pairing_failed_reason = SM_REASON_PASSKEYT_ENTRY_FAILED; 3527 sm_conn->sm_engine_state = SM_GENERAL_SEND_PAIRING_FAILED; 3528 break; 3529 } 3530 3531 // wait for user action? 3532 if (setup->sm_user_response == SM_USER_RESPONSE_PENDING){ 3533 sm_conn->sm_engine_state = SM_PH1_W4_USER_RESPONSE; 3534 break; 3535 } 3536 3537 // calculate and send local_confirm 3538 sm_conn->sm_engine_state = SM_PH2_C1_GET_RANDOM_A; 3539 break; 3540 3541 case SM_RESPONDER_PH2_W4_PAIRING_RANDOM: 3542 if (packet[0] != SM_CODE_PAIRING_RANDOM){ 3543 sm_pdu_received_in_wrong_state(sm_conn); 3544 break;; 3545 } 3546 3547 // received random value 3548 reverse_128(&packet[1], setup->sm_peer_random); 3549 sm_conn->sm_engine_state = SM_PH2_C1_GET_ENC_C; 3550 break; 3551 #endif 3552 3553 case SM_PH3_RECEIVE_KEYS: 3554 switch(packet[0]){ 3555 case SM_CODE_ENCRYPTION_INFORMATION: 3556 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION; 3557 reverse_128(&packet[1], setup->sm_peer_ltk); 3558 break; 3559 3560 case SM_CODE_MASTER_IDENTIFICATION: 3561 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_MASTER_IDENTIFICATION; 3562 setup->sm_peer_ediv = little_endian_read_16(packet, 1); 3563 reverse_64(&packet[3], setup->sm_peer_rand); 3564 break; 3565 3566 case SM_CODE_IDENTITY_INFORMATION: 3567 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_IDENTITY_INFORMATION; 3568 reverse_128(&packet[1], setup->sm_peer_irk); 3569 break; 3570 3571 case SM_CODE_IDENTITY_ADDRESS_INFORMATION: 3572 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION; 3573 setup->sm_peer_addr_type = packet[1]; 3574 reverse_bd_addr(&packet[2], setup->sm_peer_address); 3575 break; 3576 3577 case SM_CODE_SIGNING_INFORMATION: 3578 setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION; 3579 reverse_128(&packet[1], setup->sm_peer_csrk); 3580 break; 3581 default: 3582 // Unexpected PDU 3583 log_info("Unexpected PDU %u in SM_PH3_RECEIVE_KEYS", packet[0]); 3584 break; 3585 } 3586 // done with key distribution? 3587 if (sm_key_distribution_all_received(sm_conn)){ 3588 3589 sm_key_distribution_handle_all_received(sm_conn); 3590 3591 if (IS_RESPONDER(sm_conn->sm_role)){ 3592 if (setup->sm_use_secure_connections && (setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION)){ 3593 sm_conn->sm_engine_state = SM_SC_W2_CALCULATE_H6_ILK; 3594 } else { 3595 sm_conn->sm_engine_state = SM_RESPONDER_IDLE; 3596 sm_done_for_handle(sm_conn->sm_handle); 3597 } 3598 } else { 3599 if (setup->sm_use_secure_connections){ 3600 sm_conn->sm_engine_state = SM_PH3_DISTRIBUTE_KEYS; 3601 } else { 3602 sm_conn->sm_engine_state = SM_PH3_GET_RANDOM; 3603 } 3604 } 3605 } 3606 break; 3607 default: 3608 // Unexpected PDU 3609 log_info("Unexpected PDU %u in state %u", packet[0], sm_conn->sm_engine_state); 3610 break; 3611 } 3612 3613 // try to send preparared packet 3614 sm_run(); 3615 } 3616 3617 // Security Manager Client API 3618 void sm_register_oob_data_callback( int (*get_oob_data_callback)(uint8_t addres_type, bd_addr_t addr, uint8_t * oob_data)){ 3619 sm_get_oob_data = get_oob_data_callback; 3620 } 3621 3622 void sm_add_event_handler(btstack_packet_callback_registration_t * callback_handler){ 3623 btstack_linked_list_add_tail(&sm_event_handlers, (btstack_linked_item_t*) callback_handler); 3624 } 3625 3626 void sm_set_accepted_stk_generation_methods(uint8_t accepted_stk_generation_methods){ 3627 sm_accepted_stk_generation_methods = accepted_stk_generation_methods; 3628 } 3629 3630 void sm_set_encryption_key_size_range(uint8_t min_size, uint8_t max_size){ 3631 sm_min_encryption_key_size = min_size; 3632 sm_max_encryption_key_size = max_size; 3633 } 3634 3635 void sm_set_authentication_requirements(uint8_t auth_req){ 3636 sm_auth_req = auth_req; 3637 } 3638 3639 void sm_set_io_capabilities(io_capability_t io_capability){ 3640 sm_io_capabilities = io_capability; 3641 } 3642 3643 #ifdef ENABLE_LE_PERIPHERAL 3644 void sm_set_request_security(int enable){ 3645 sm_slave_request_security = enable; 3646 } 3647 #endif 3648 3649 void sm_set_er(sm_key_t er){ 3650 memcpy(sm_persistent_er, er, 16); 3651 } 3652 3653 void sm_set_ir(sm_key_t ir){ 3654 memcpy(sm_persistent_ir, ir, 16); 3655 } 3656 3657 // Testing support only 3658 void sm_test_set_irk(sm_key_t irk){ 3659 memcpy(sm_persistent_irk, irk, 16); 3660 sm_persistent_irk_ready = 1; 3661 } 3662 3663 void sm_test_use_fixed_local_csrk(void){ 3664 test_use_fixed_local_csrk = 1; 3665 } 3666 3667 void sm_init(void){ 3668 // set some (BTstack default) ER and IR 3669 int i; 3670 sm_key_t er; 3671 sm_key_t ir; 3672 for (i=0;i<16;i++){ 3673 er[i] = 0x30 + i; 3674 ir[i] = 0x90 + i; 3675 } 3676 sm_set_er(er); 3677 sm_set_ir(ir); 3678 // defaults 3679 sm_accepted_stk_generation_methods = SM_STK_GENERATION_METHOD_JUST_WORKS 3680 | SM_STK_GENERATION_METHOD_OOB 3681 | SM_STK_GENERATION_METHOD_PASSKEY 3682 | SM_STK_GENERATION_METHOD_NUMERIC_COMPARISON; 3683 3684 sm_max_encryption_key_size = 16; 3685 sm_min_encryption_key_size = 7; 3686 3687 #ifdef ENABLE_CMAC_ENGINE 3688 sm_cmac_state = CMAC_IDLE; 3689 #endif 3690 dkg_state = DKG_W4_WORKING; 3691 rau_state = RAU_W4_WORKING; 3692 sm_aes128_state = SM_AES128_IDLE; 3693 sm_address_resolution_test = -1; // no private address to resolve yet 3694 sm_address_resolution_ah_calculation_active = 0; 3695 sm_address_resolution_mode = ADDRESS_RESOLUTION_IDLE; 3696 sm_address_resolution_general_queue = NULL; 3697 3698 gap_random_adress_update_period = 15 * 60 * 1000L; 3699 sm_active_connection = 0; 3700 3701 test_use_fixed_local_csrk = 0; 3702 3703 // register for HCI Events from HCI 3704 hci_event_callback_registration.callback = &sm_event_packet_handler; 3705 hci_add_event_handler(&hci_event_callback_registration); 3706 3707 // and L2CAP PDUs + L2CAP_EVENT_CAN_SEND_NOW 3708 l2cap_register_fixed_channel(sm_pdu_handler, L2CAP_CID_SECURITY_MANAGER_PROTOCOL); 3709 3710 #ifdef ENABLE_LE_SECURE_CONNECTIONS 3711 ec_key_generation_state = EC_KEY_GENERATION_IDLE; 3712 #endif 3713 3714 #ifdef USE_MBEDTLS_FOR_ECDH 3715 3716 #ifndef HAVE_MALLOC 3717 sm_mbedtls_allocator_init(mbedtls_memory_buffer, sizeof(mbedtls_memory_buffer)); 3718 #endif 3719 mbedtls_ecp_group_init(&mbedtls_ec_group); 3720 mbedtls_ecp_group_load(&mbedtls_ec_group, MBEDTLS_ECP_DP_SECP256R1); 3721 #if 0 3722 // test 3723 sm_test_use_fixed_ec_keypair(); 3724 if (sm_have_ec_keypair){ 3725 printf("test dhkey check\n"); 3726 sm_key256_t dhkey; 3727 memcpy(setup->sm_peer_q, ec_q, 64); 3728 sm_sc_calculate_dhkey(dhkey); 3729 } 3730 #endif 3731 #endif 3732 } 3733 3734 void sm_use_fixed_ec_keypair(uint8_t * qx, uint8_t * qy, uint8_t * d){ 3735 #ifdef ENABLE_LE_SECURE_CONNECTIONS 3736 memcpy(&ec_q[0], qx, 32); 3737 memcpy(&ec_q[32], qy, 32); 3738 memcpy(ec_d, d, 32); 3739 sm_have_ec_keypair = 1; 3740 ec_key_generation_state = EC_KEY_GENERATION_DONE; 3741 #else 3742 UNUSED(qx); 3743 UNUSED(qy); 3744 UNUSED(d); 3745 #endif 3746 } 3747 3748 void sm_test_use_fixed_ec_keypair(void){ 3749 #ifdef ENABLE_LE_SECURE_CONNECTIONS 3750 #ifdef USE_MBEDTLS_FOR_ECDH 3751 // use test keypair from spec 3752 mbedtls_mpi x; 3753 mbedtls_mpi_init(&x); 3754 mbedtls_mpi_read_string( &x, 16, "3f49f6d4a3c55f3874c9b3e3d2103f504aff607beb40b7995899b8a6cd3c1abd"); 3755 mbedtls_mpi_write_binary(&x, ec_d, 32); 3756 mbedtls_mpi_read_string( &x, 16, "20b003d2f297be2c5e2c83a7e9f9a5b9eff49111acf4fddbcc0301480e359de6"); 3757 mbedtls_mpi_write_binary(&x, &ec_q[0], 32); 3758 mbedtls_mpi_read_string( &x, 16, "dc809c49652aeb6d63329abf5a52155c766345c28fed3024741c8ed01589d28b"); 3759 mbedtls_mpi_write_binary(&x, &ec_q[32], 32); 3760 mbedtls_mpi_free(&x); 3761 #endif 3762 sm_have_ec_keypair = 1; 3763 ec_key_generation_state = EC_KEY_GENERATION_DONE; 3764 #endif 3765 } 3766 3767 static sm_connection_t * sm_get_connection_for_handle(hci_con_handle_t con_handle){ 3768 hci_connection_t * hci_con = hci_connection_for_handle(con_handle); 3769 if (!hci_con) return NULL; 3770 return &hci_con->sm_connection; 3771 } 3772 3773 // @returns 0 if not encrypted, 7-16 otherwise 3774 int sm_encryption_key_size(hci_con_handle_t con_handle){ 3775 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3776 if (!sm_conn) return 0; // wrong connection 3777 if (!sm_conn->sm_connection_encrypted) return 0; 3778 return sm_conn->sm_actual_encryption_key_size; 3779 } 3780 3781 int sm_authenticated(hci_con_handle_t con_handle){ 3782 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3783 if (!sm_conn) return 0; // wrong connection 3784 if (!sm_conn->sm_connection_encrypted) return 0; // unencrypted connection cannot be authenticated 3785 return sm_conn->sm_connection_authenticated; 3786 } 3787 3788 authorization_state_t sm_authorization_state(hci_con_handle_t con_handle){ 3789 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3790 if (!sm_conn) return AUTHORIZATION_UNKNOWN; // wrong connection 3791 if (!sm_conn->sm_connection_encrypted) return AUTHORIZATION_UNKNOWN; // unencrypted connection cannot be authorized 3792 if (!sm_conn->sm_connection_authenticated) return AUTHORIZATION_UNKNOWN; // unauthenticatd connection cannot be authorized 3793 return sm_conn->sm_connection_authorization_state; 3794 } 3795 3796 static void sm_send_security_request_for_connection(sm_connection_t * sm_conn){ 3797 switch (sm_conn->sm_engine_state){ 3798 case SM_GENERAL_IDLE: 3799 case SM_RESPONDER_IDLE: 3800 sm_conn->sm_engine_state = SM_RESPONDER_SEND_SECURITY_REQUEST; 3801 sm_run(); 3802 break; 3803 default: 3804 break; 3805 } 3806 } 3807 3808 /** 3809 * @brief Trigger Security Request 3810 */ 3811 void sm_send_security_request(hci_con_handle_t con_handle){ 3812 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3813 if (!sm_conn) return; 3814 sm_send_security_request_for_connection(sm_conn); 3815 } 3816 3817 // request pairing 3818 void sm_request_pairing(hci_con_handle_t con_handle){ 3819 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3820 if (!sm_conn) return; // wrong connection 3821 3822 log_info("sm_request_pairing in role %u, state %u", sm_conn->sm_role, sm_conn->sm_engine_state); 3823 if (IS_RESPONDER(sm_conn->sm_role)){ 3824 sm_send_security_request_for_connection(sm_conn); 3825 } else { 3826 // used as a trigger to start central/master/initiator security procedures 3827 uint16_t ediv; 3828 sm_key_t ltk; 3829 if (sm_conn->sm_engine_state == SM_INITIATOR_CONNECTED){ 3830 switch (sm_conn->sm_irk_lookup_state){ 3831 case IRK_LOOKUP_FAILED: 3832 sm_conn->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 3833 break; 3834 case IRK_LOOKUP_SUCCEEDED: 3835 le_device_db_encryption_get(sm_conn->sm_le_db_index, &ediv, NULL, ltk, NULL, NULL, NULL); 3836 if (!sm_is_null_key(ltk) || ediv){ 3837 log_info("sm: Setting up previous ltk/ediv/rand for device index %u", sm_conn->sm_le_db_index); 3838 sm_conn->sm_engine_state = SM_INITIATOR_PH0_HAS_LTK; 3839 } else { 3840 sm_conn->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; 3841 } 3842 break; 3843 default: 3844 sm_conn->sm_bonding_requested = 1; 3845 break; 3846 } 3847 } else if (sm_conn->sm_engine_state == SM_GENERAL_IDLE){ 3848 sm_conn->sm_bonding_requested = 1; 3849 } 3850 } 3851 sm_run(); 3852 } 3853 3854 // called by client app on authorization request 3855 void sm_authorization_decline(hci_con_handle_t con_handle){ 3856 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3857 if (!sm_conn) return; // wrong connection 3858 sm_conn->sm_connection_authorization_state = AUTHORIZATION_DECLINED; 3859 sm_notify_client_authorization(SM_EVENT_AUTHORIZATION_RESULT, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address, 0); 3860 } 3861 3862 void sm_authorization_grant(hci_con_handle_t con_handle){ 3863 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3864 if (!sm_conn) return; // wrong connection 3865 sm_conn->sm_connection_authorization_state = AUTHORIZATION_GRANTED; 3866 sm_notify_client_authorization(SM_EVENT_AUTHORIZATION_RESULT, sm_conn->sm_handle, sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address, 1); 3867 } 3868 3869 // GAP Bonding API 3870 3871 void sm_bonding_decline(hci_con_handle_t con_handle){ 3872 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3873 if (!sm_conn) return; // wrong connection 3874 setup->sm_user_response = SM_USER_RESPONSE_DECLINE; 3875 3876 if (sm_conn->sm_engine_state == SM_PH1_W4_USER_RESPONSE){ 3877 switch (setup->sm_stk_generation_method){ 3878 case PK_RESP_INPUT: 3879 case PK_INIT_INPUT: 3880 case OK_BOTH_INPUT: 3881 sm_pairing_error(sm_conn, SM_GENERAL_SEND_PAIRING_FAILED); 3882 break; 3883 case NK_BOTH_INPUT: 3884 sm_pairing_error(sm_conn, SM_REASON_NUMERIC_COMPARISON_FAILED); 3885 break; 3886 case JUST_WORKS: 3887 case OOB: 3888 sm_pairing_error(sm_conn, SM_REASON_UNSPECIFIED_REASON); 3889 break; 3890 } 3891 } 3892 sm_run(); 3893 } 3894 3895 void sm_just_works_confirm(hci_con_handle_t con_handle){ 3896 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3897 if (!sm_conn) return; // wrong connection 3898 setup->sm_user_response = SM_USER_RESPONSE_CONFIRM; 3899 if (sm_conn->sm_engine_state == SM_PH1_W4_USER_RESPONSE){ 3900 if (setup->sm_use_secure_connections){ 3901 sm_conn->sm_engine_state = SM_SC_SEND_PUBLIC_KEY_COMMAND; 3902 } else { 3903 sm_conn->sm_engine_state = SM_PH2_C1_GET_RANDOM_A; 3904 } 3905 } 3906 3907 #ifdef ENABLE_LE_SECURE_CONNECTIONS 3908 if (sm_conn->sm_engine_state == SM_SC_W4_USER_RESPONSE){ 3909 sm_sc_prepare_dhkey_check(sm_conn); 3910 } 3911 #endif 3912 3913 sm_run(); 3914 } 3915 3916 void sm_numeric_comparison_confirm(hci_con_handle_t con_handle){ 3917 // for now, it's the same 3918 sm_just_works_confirm(con_handle); 3919 } 3920 3921 void sm_passkey_input(hci_con_handle_t con_handle, uint32_t passkey){ 3922 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3923 if (!sm_conn) return; // wrong connection 3924 sm_reset_tk(); 3925 big_endian_store_32(setup->sm_tk, 12, passkey); 3926 setup->sm_user_response = SM_USER_RESPONSE_PASSKEY; 3927 if (sm_conn->sm_engine_state == SM_PH1_W4_USER_RESPONSE){ 3928 sm_conn->sm_engine_state = SM_PH2_C1_GET_RANDOM_A; 3929 } 3930 #ifdef ENABLE_LE_SECURE_CONNECTIONS 3931 memcpy(setup->sm_ra, setup->sm_tk, 16); 3932 memcpy(setup->sm_rb, setup->sm_tk, 16); 3933 if (sm_conn->sm_engine_state == SM_SC_W4_USER_RESPONSE){ 3934 sm_sc_start_calculating_local_confirm(sm_conn); 3935 } 3936 #endif 3937 sm_run(); 3938 } 3939 3940 void sm_keypress_notification(hci_con_handle_t con_handle, uint8_t action){ 3941 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3942 if (!sm_conn) return; // wrong connection 3943 if (action > SM_KEYPRESS_PASSKEY_ENTRY_COMPLETED) return; 3944 setup->sm_keypress_notification = action; 3945 sm_run(); 3946 } 3947 3948 /** 3949 * @brief Identify device in LE Device DB 3950 * @param handle 3951 * @returns index from le_device_db or -1 if not found/identified 3952 */ 3953 int sm_le_device_index(hci_con_handle_t con_handle ){ 3954 sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle); 3955 if (!sm_conn) return -1; 3956 return sm_conn->sm_le_db_index; 3957 } 3958 3959 static int gap_random_address_type_requires_updates(void){ 3960 if (gap_random_adress_type == GAP_RANDOM_ADDRESS_TYPE_OFF) return 0; 3961 if (gap_random_adress_type == GAP_RANDOM_ADDRESS_TYPE_OFF) return 0; 3962 return 1; 3963 } 3964 3965 static uint8_t own_address_type(void){ 3966 switch (gap_random_adress_type){ 3967 case GAP_RANDOM_ADDRESS_TYPE_OFF: 3968 return BD_ADDR_TYPE_LE_PUBLIC; 3969 default: 3970 return BD_ADDR_TYPE_LE_RANDOM; 3971 } 3972 } 3973 3974 // GAP LE API 3975 void gap_random_address_set_mode(gap_random_address_type_t random_address_type){ 3976 gap_random_address_update_stop(); 3977 gap_random_adress_type = random_address_type; 3978 hci_le_set_own_address_type(own_address_type()); 3979 if (!gap_random_address_type_requires_updates()) return; 3980 gap_random_address_update_start(); 3981 gap_random_address_trigger(); 3982 } 3983 3984 gap_random_address_type_t gap_random_address_get_mode(void){ 3985 return gap_random_adress_type; 3986 } 3987 3988 void gap_random_address_set_update_period(int period_ms){ 3989 gap_random_adress_update_period = period_ms; 3990 if (!gap_random_address_type_requires_updates()) return; 3991 gap_random_address_update_stop(); 3992 gap_random_address_update_start(); 3993 } 3994 3995 void gap_random_address_set(bd_addr_t addr){ 3996 gap_random_address_set_mode(GAP_RANDOM_ADDRESS_TYPE_STATIC); 3997 memcpy(sm_random_address, addr, 6); 3998 if (rau_state == RAU_W4_WORKING) return; 3999 rau_state = RAU_SET_ADDRESS; 4000 sm_run(); 4001 } 4002 4003 #ifdef ENABLE_LE_PERIPHERAL 4004 /* 4005 * @brief Set Advertisement Paramters 4006 * @param adv_int_min 4007 * @param adv_int_max 4008 * @param adv_type 4009 * @param direct_address_type 4010 * @param direct_address 4011 * @param channel_map 4012 * @param filter_policy 4013 * 4014 * @note own_address_type is used from gap_random_address_set_mode 4015 */ 4016 void gap_advertisements_set_params(uint16_t adv_int_min, uint16_t adv_int_max, uint8_t adv_type, 4017 uint8_t direct_address_typ, bd_addr_t direct_address, uint8_t channel_map, uint8_t filter_policy){ 4018 hci_le_advertisements_set_params(adv_int_min, adv_int_max, adv_type, 4019 direct_address_typ, direct_address, channel_map, filter_policy); 4020 } 4021 #endif 4022 4023