1 /* 2 * Copyright (C) 2017 BlueKitchen GmbH 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of the copyright holders nor the names of 14 * contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY MATTHIAS RINGWALD AND CONTRIBUTORS 18 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 19 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 20 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL MATTHIAS 21 * RINGWALD OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 23 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS 24 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 25 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 26 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF 27 * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28 * SUCH DAMAGE. 29 * 30 */ 31 32 #define __BTSTACK_FILE__ "btstack_crypto.c" 33 34 /* 35 * btstack_crypto.h 36 * 37 * Central place for all crypto-related functions with completion callbacks to allow 38 * using of MCU crypto peripherals or the Bluetooth controller 39 */ 40 41 #include "btstack_crypto.h" 42 43 #include "btstack_debug.h" 44 #include "btstack_event.h" 45 #include "btstack_linked_list.h" 46 #include "btstack_util.h" 47 #include "hci.h" 48 49 // backwards-compatitility ENABLE_MICRO_ECC_FOR_LE_SECURE_CONNECTIONS -> ENABLE_MICRO_ECC_P256 50 #if defined(ENABLE_MICRO_ECC_FOR_LE_SECURE_CONNECTIONS) && !defined(ENABLE_MICRO_ECC_P256) 51 #define ENABLE_MICRO_ECC_P256 52 #endif 53 54 // configure ECC implementations 55 #if defined(ENABLE_MICRO_ECC_P256) && defined(HAVE_MBEDTLS_ECC_P256) 56 #error "If you have mbedTLS (HAVE_MBEDTLS_ECC_P256), please disable uECC (ENABLE_MICRO_ECC_P256) in bstack_config.h" 57 #endif 58 59 // Software ECC-P256 implementation provided by micro-ecc 60 #ifdef ENABLE_MICRO_ECC_P256 61 #define ENABLE_ECC_P256 62 #define USE_MICRO_ECC_P256 63 #define USE_SOFTWARE_ECC_P256_IMPLEMENTATION 64 #include "uECC.h" 65 #endif 66 67 // Software ECC-P256 implementation provided by mbedTLS 68 #ifdef HAVE_MBEDTLS_ECC_P256 69 #define ENABLE_ECC_P256 70 #define USE_MBEDTLS_ECC_P256 71 #define USE_SOFTWARE_ECC_P256_IMPLEMENTATION 72 #include "mbedtls/config.h" 73 #include "mbedtls/platform.h" 74 #include "mbedtls/ecp.h" 75 #endif 76 77 #if defined(ENABLE_LE_SECURE_CONNECTIONS) && !defined(ENABLE_ECC_P256) 78 #define ENABLE_ECC_P256 79 #endif 80 81 // Software AES128 82 #ifdef HAVE_AES128 83 #define USE_BTSTACK_AES128 84 void btstack_aes128_calc(const uint8_t * key, const uint8_t * plaintext, uint8_t * result); 85 #endif 86 87 // degbugging 88 // #define DEBUG_CCM 89 90 typedef enum { 91 CMAC_IDLE, 92 CMAC_CALC_SUBKEYS, 93 CMAC_W4_SUBKEYS, 94 CMAC_CALC_MI, 95 CMAC_W4_MI, 96 CMAC_CALC_MLAST, 97 CMAC_W4_MLAST 98 } btstack_crypto_cmac_state_t; 99 100 typedef enum { 101 ECC_P256_KEY_GENERATION_IDLE, 102 ECC_P256_KEY_GENERATION_GENERATING_RANDOM, 103 ECC_P256_KEY_GENERATION_ACTIVE, 104 ECC_P256_KEY_GENERATION_W4_KEY, 105 ECC_P256_KEY_GENERATION_DONE, 106 } btstack_crypto_ecc_p256_key_generation_state_t; 107 108 static void btstack_crypto_run(void); 109 110 const static uint8_t zero[16] = { 0 }; 111 112 static uint8_t btstack_crypto_initialized; 113 static btstack_linked_list_t btstack_crypto_operations; 114 static btstack_packet_callback_registration_t hci_event_callback_registration; 115 static uint8_t btstack_crypto_wait_for_hci_result; 116 117 // state for AES-CMAC 118 static btstack_crypto_cmac_state_t btstack_crypto_cmac_state; 119 static sm_key_t btstack_crypto_cmac_k; 120 static sm_key_t btstack_crypto_cmac_x; 121 static sm_key_t btstack_crypto_cmac_m_last; 122 static uint8_t btstack_crypto_cmac_block_current; 123 static uint8_t btstack_crypto_cmac_block_count; 124 125 // state for AES-CCM 126 #ifndef USE_BTSTACK_AES128 127 static uint8_t btstack_crypto_ccm_s[16]; 128 #endif 129 130 #ifdef ENABLE_ECC_P256 131 132 static uint8_t btstack_crypto_ecc_p256_public_key[64]; 133 static uint8_t btstack_crypto_ecc_p256_random[64]; 134 static uint8_t btstack_crypto_ecc_p256_random_len; 135 static uint8_t btstack_crypto_ecc_p256_random_offset; 136 static btstack_crypto_ecc_p256_key_generation_state_t btstack_crypto_ecc_p256_key_generation_state; 137 138 #ifdef USE_SOFTWARE_ECC_P256_IMPLEMENTATION 139 static uint8_t btstack_crypto_ecc_p256_d[32]; 140 #endif 141 142 // Software ECDH implementation provided by mbedtls 143 #ifdef USE_MBEDTLS_ECC_P256 144 static mbedtls_ecp_group mbedtls_ec_group; 145 #endif 146 147 #endif /* ENABLE_ECC_P256 */ 148 149 static void btstack_crypto_done(btstack_crypto_t * btstack_crypto){ 150 btstack_linked_list_pop(&btstack_crypto_operations); 151 (*btstack_crypto->context_callback.callback)(btstack_crypto->context_callback.context); 152 } 153 154 static inline void btstack_crypto_cmac_next_state(void){ 155 btstack_crypto_cmac_state = (btstack_crypto_cmac_state_t) (((int)btstack_crypto_cmac_state) + 1); 156 } 157 158 static int btstack_crypto_cmac_last_block_complete(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac){ 159 uint16_t len = btstack_crypto_cmac->size; 160 if (len == 0) return 0; 161 return (len & 0x0f) == 0; 162 } 163 164 static void btstack_crypto_aes128_start(const sm_key_t key, const sm_key_t plaintext){ 165 uint8_t key_flipped[16]; 166 uint8_t plaintext_flipped[16]; 167 reverse_128(key, key_flipped); 168 reverse_128(plaintext, plaintext_flipped); 169 btstack_crypto_wait_for_hci_result = 1; 170 hci_send_cmd(&hci_le_encrypt, key_flipped, plaintext_flipped); 171 } 172 173 static uint8_t btstack_crypto_cmac_get_byte(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac, uint16_t pos){ 174 if (btstack_crypto_cmac->btstack_crypto.operation == BTSTACK_CRYPTO_CMAC_GENERATOR){ 175 return (*btstack_crypto_cmac->data.get_byte_callback)(pos); 176 } else { 177 return btstack_crypto_cmac->data.message[pos]; 178 } 179 } 180 181 static void btstack_crypto_cmac_handle_aes_engine_ready(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac){ 182 switch (btstack_crypto_cmac_state){ 183 case CMAC_CALC_SUBKEYS: { 184 sm_key_t const_zero; 185 memset(const_zero, 0, 16); 186 btstack_crypto_cmac_next_state(); 187 btstack_crypto_aes128_start(btstack_crypto_cmac_k, const_zero); 188 break; 189 } 190 case CMAC_CALC_MI: { 191 int j; 192 sm_key_t y; 193 for (j=0;j<16;j++){ 194 y[j] = btstack_crypto_cmac_x[j] ^ btstack_crypto_cmac_get_byte(btstack_crypto_cmac, btstack_crypto_cmac_block_current*16 + j); 195 } 196 btstack_crypto_cmac_block_current++; 197 btstack_crypto_cmac_next_state(); 198 btstack_crypto_aes128_start(btstack_crypto_cmac_k, y); 199 break; 200 } 201 case CMAC_CALC_MLAST: { 202 int i; 203 sm_key_t y; 204 for (i=0;i<16;i++){ 205 y[i] = btstack_crypto_cmac_x[i] ^ btstack_crypto_cmac_m_last[i]; 206 } 207 btstack_crypto_cmac_block_current++; 208 btstack_crypto_cmac_next_state(); 209 btstack_crypto_aes128_start(btstack_crypto_cmac_k, y); 210 break; 211 } 212 default: 213 log_info("btstack_crypto_cmac_handle_aes_engine_ready called in state %u", btstack_crypto_cmac_state); 214 break; 215 } 216 } 217 218 static void btstack_crypto_cmac_shift_left_by_one_bit_inplace(int len, uint8_t * data){ 219 int i; 220 int carry = 0; 221 for (i=len-1; i >= 0 ; i--){ 222 int new_carry = data[i] >> 7; 223 data[i] = data[i] << 1 | carry; 224 carry = new_carry; 225 } 226 } 227 228 static void btstack_crypto_cmac_handle_encryption_result(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac, sm_key_t data){ 229 switch (btstack_crypto_cmac_state){ 230 case CMAC_W4_SUBKEYS: { 231 sm_key_t k1; 232 memcpy(k1, data, 16); 233 btstack_crypto_cmac_shift_left_by_one_bit_inplace(16, k1); 234 if (data[0] & 0x80){ 235 k1[15] ^= 0x87; 236 } 237 sm_key_t k2; 238 memcpy(k2, k1, 16); 239 btstack_crypto_cmac_shift_left_by_one_bit_inplace(16, k2); 240 if (k1[0] & 0x80){ 241 k2[15] ^= 0x87; 242 } 243 244 log_info_key("k", btstack_crypto_cmac_k); 245 log_info_key("k1", k1); 246 log_info_key("k2", k2); 247 248 // step 4: set m_last 249 int i; 250 if (btstack_crypto_cmac_last_block_complete(btstack_crypto_cmac)){ 251 for (i=0;i<16;i++){ 252 btstack_crypto_cmac_m_last[i] = btstack_crypto_cmac_get_byte(btstack_crypto_cmac, btstack_crypto_cmac->size - 16 + i) ^ k1[i]; 253 } 254 } else { 255 int valid_octets_in_last_block = btstack_crypto_cmac->size & 0x0f; 256 for (i=0;i<16;i++){ 257 if (i < valid_octets_in_last_block){ 258 btstack_crypto_cmac_m_last[i] = btstack_crypto_cmac_get_byte(btstack_crypto_cmac, (btstack_crypto_cmac->size & 0xfff0) + i) ^ k2[i]; 259 continue; 260 } 261 if (i == valid_octets_in_last_block){ 262 btstack_crypto_cmac_m_last[i] = 0x80 ^ k2[i]; 263 continue; 264 } 265 btstack_crypto_cmac_m_last[i] = k2[i]; 266 } 267 } 268 269 // next 270 btstack_crypto_cmac_state = btstack_crypto_cmac_block_current < btstack_crypto_cmac_block_count - 1 ? CMAC_CALC_MI : CMAC_CALC_MLAST; 271 break; 272 } 273 case CMAC_W4_MI: 274 memcpy(btstack_crypto_cmac_x, data, 16); 275 btstack_crypto_cmac_state = btstack_crypto_cmac_block_current < btstack_crypto_cmac_block_count - 1 ? CMAC_CALC_MI : CMAC_CALC_MLAST; 276 break; 277 case CMAC_W4_MLAST: 278 // done 279 log_info("Setting CMAC Engine to IDLE"); 280 btstack_crypto_cmac_state = CMAC_IDLE; 281 log_info_key("CMAC", data); 282 memcpy(btstack_crypto_cmac->hash, data, 16); 283 btstack_linked_list_pop(&btstack_crypto_operations); 284 (*btstack_crypto_cmac->btstack_crypto.context_callback.callback)(btstack_crypto_cmac->btstack_crypto.context_callback.context); 285 break; 286 default: 287 log_info("btstack_crypto_cmac_handle_encryption_result called in state %u", btstack_crypto_cmac_state); 288 break; 289 } 290 } 291 292 static void btstack_crypto_cmac_start(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac){ 293 294 memcpy(btstack_crypto_cmac_k, btstack_crypto_cmac->key, 16); 295 memset(btstack_crypto_cmac_x, 0, 16); 296 btstack_crypto_cmac_block_current = 0; 297 298 // step 2: n := ceil(len/const_Bsize); 299 btstack_crypto_cmac_block_count = (btstack_crypto_cmac->size + 15) / 16; 300 301 // step 3: .. 302 if (btstack_crypto_cmac_block_count==0){ 303 btstack_crypto_cmac_block_count = 1; 304 } 305 log_info("btstack_crypto_cmac_start: len %u, block count %u", btstack_crypto_cmac->size, btstack_crypto_cmac_block_count); 306 307 // first, we need to compute l for k1, k2, and m_last 308 btstack_crypto_cmac_state = CMAC_CALC_SUBKEYS; 309 310 // let's go 311 btstack_crypto_cmac_handle_aes_engine_ready(btstack_crypto_cmac); 312 } 313 314 #ifndef USE_BTSTACK_AES128 315 316 /* 317 To encrypt the message data we use Counter (CTR) mode. We first 318 define the key stream blocks by: 319 320 S_i := E( K, A_i ) for i=0, 1, 2, ... 321 322 The values A_i are formatted as follows, where the Counter field i is 323 encoded in most-significant-byte first order: 324 325 Octet Number Contents 326 ------------ --------- 327 0 Flags 328 1 ... 15-L Nonce N 329 16-L ... 15 Counter i 330 331 Bit Number Contents 332 ---------- ---------------------- 333 7 Reserved (always zero) 334 6 Reserved (always zero) 335 5 ... 3 Zero 336 2 ... 0 L' 337 */ 338 339 static void btstack_crypto_ccm_setup_a_i(btstack_crypto_ccm_t * btstack_crypto_ccm, uint16_t counter){ 340 btstack_crypto_ccm_s[0] = 1; // L' = L - 1 341 memcpy(&btstack_crypto_ccm_s[1], btstack_crypto_ccm->nonce, 13); 342 big_endian_store_16(btstack_crypto_ccm_s, 14, counter); 343 #ifdef DEBUG_CCM 344 printf("tstack_crypto_ccm_setup_a_%u\n", counter); 345 printf("%16s: ", "ai"); 346 printf_hexdump(btstack_crypto_ccm_s, 16); 347 #endif 348 } 349 350 /* 351 The first step is to compute the authentication field T. This is 352 done using CBC-MAC [MAC]. We first define a sequence of blocks B_0, 353 B_1, ..., B_n and then apply CBC-MAC to these blocks. 354 355 The first block B_0 is formatted as follows, where l(m) is encoded in 356 most-significant-byte first order: 357 358 Octet Number Contents 359 ------------ --------- 360 0 Flags 361 1 ... 15-L Nonce N 362 16-L ... 15 l(m) 363 364 Within the first block B_0, the Flags field is formatted as follows: 365 366 Bit Number Contents 367 ---------- ---------------------- 368 7 Reserved (always zero) 369 6 Adata 370 5 ... 3 M' 371 2 ... 0 L' 372 */ 373 374 static void btstack_crypto_ccm_setup_b_0(btstack_crypto_ccm_t * btstack_crypto_ccm, uint8_t * b0){ 375 uint8_t m_prime = (btstack_crypto_ccm->auth_len - 2) / 2; 376 b0[0] = (m_prime << 3) | 1 ; // Adata = 0, M', L' = L - 1 377 memcpy(&b0[1], btstack_crypto_ccm->nonce, 13); 378 big_endian_store_16(b0, 14, btstack_crypto_ccm->message_len); 379 #ifdef DEBUG_CCM 380 printf("%16s: ", "B0"); 381 printf_hexdump(b0, 16); 382 #endif 383 } 384 #endif 385 386 #ifdef ENABLE_ECC_P256 387 388 static void btstack_crypto_log_ec_publickey(const uint8_t * ec_q){ 389 log_info("Elliptic curve: X"); 390 log_info_hexdump(&ec_q[0],32); 391 log_info("Elliptic curve: Y"); 392 log_info_hexdump(&ec_q[32],32); 393 } 394 395 #if (defined(USE_MICRO_ECC_P256) && !defined(WICED_VERSION)) || defined(USE_MBEDTLS_ECC_P256) 396 // @return OK 397 static int sm_generate_f_rng(unsigned char * buffer, unsigned size){ 398 if (btstack_crypto_ecc_p256_key_generation_state != ECC_P256_KEY_GENERATION_ACTIVE) return 0; 399 log_info("sm_generate_f_rng: size %u - offset %u", (int) size, btstack_crypto_ecc_p256_random_offset); 400 while (size) { 401 *buffer++ = btstack_crypto_ecc_p256_random[btstack_crypto_ecc_p256_random_offset++]; 402 size--; 403 } 404 return 1; 405 } 406 #endif 407 #ifdef USE_MBEDTLS_ECC_P256 408 // @return error - just wrap sm_generate_f_rng 409 static int sm_generate_f_rng_mbedtls(void * context, unsigned char * buffer, size_t size){ 410 UNUSED(context); 411 return sm_generate_f_rng(buffer, size) == 0; 412 } 413 #endif /* USE_MBEDTLS_ECC_P256 */ 414 415 static void btstack_crypto_ecc_p256_generate_key_software(void){ 416 417 btstack_crypto_ecc_p256_random_offset = 0; 418 419 // generate EC key 420 #ifdef USE_MICRO_ECC_P256 421 422 #ifndef WICED_VERSION 423 log_info("set uECC RNG for initial key generation with 64 random bytes"); 424 // micro-ecc from WICED SDK uses its wiced_crypto_get_random by default - no need to set it 425 uECC_set_rng(&sm_generate_f_rng); 426 #endif /* WICED_VERSION */ 427 428 #if uECC_SUPPORTS_secp256r1 429 // standard version 430 uECC_make_key(btstack_crypto_ecc_p256_public_key, btstack_crypto_ecc_p256_d, uECC_secp256r1()); 431 432 // disable RNG again, as returning no randmon data lets shared key generation fail 433 log_info("disable uECC RNG in standard version after key generation"); 434 uECC_set_rng(NULL); 435 #else 436 // static version 437 uECC_make_key(btstack_crypto_ecc_p256_public_key, btstack_crypto_ecc_p256_d); 438 #endif 439 #endif /* USE_MICRO_ECC_P256 */ 440 441 #ifdef USE_MBEDTLS_ECC_P256 442 mbedtls_mpi d; 443 mbedtls_ecp_point P; 444 mbedtls_mpi_init(&d); 445 mbedtls_ecp_point_init(&P); 446 int res = mbedtls_ecp_gen_keypair(&mbedtls_ec_group, &d, &P, &sm_generate_f_rng_mbedtls, NULL); 447 log_info("gen keypair %x", res); 448 mbedtls_mpi_write_binary(&P.X, &btstack_crypto_ecc_p256_public_key[0], 32); 449 mbedtls_mpi_write_binary(&P.Y, &btstack_crypto_ecc_p256_public_key[32], 32); 450 mbedtls_mpi_write_binary(&d, btstack_crypto_ecc_p256_d, 32); 451 mbedtls_ecp_point_free(&P); 452 mbedtls_mpi_free(&d); 453 #endif /* USE_MBEDTLS_ECC_P256 */ 454 } 455 456 #ifdef USE_SOFTWARE_ECC_P256_IMPLEMENTATION 457 static void btstack_crypto_ecc_p256_calculate_dhkey_software(btstack_crypto_ecc_p256_t * btstack_crypto_ec_p192){ 458 memset(btstack_crypto_ec_p192->dhkey, 0, 32); 459 460 #ifdef USE_MICRO_ECC_P256 461 #if uECC_SUPPORTS_secp256r1 462 // standard version 463 uECC_shared_secret(btstack_crypto_ec_p192->public_key, btstack_crypto_ecc_p256_d, btstack_crypto_ec_p192->dhkey, uECC_secp256r1()); 464 #else 465 // static version 466 uECC_shared_secret(btstack_crypto_ec_p192->public_key, btstack_crypto_ecc_p256_d, btstack_crypto_ec_p192->dhkey); 467 #endif 468 #endif 469 470 #ifdef USE_MBEDTLS_ECC_P256 471 // da * Pb 472 mbedtls_mpi d; 473 mbedtls_ecp_point Q; 474 mbedtls_ecp_point DH; 475 mbedtls_mpi_init(&d); 476 mbedtls_ecp_point_init(&Q); 477 mbedtls_ecp_point_init(&DH); 478 mbedtls_mpi_read_binary(&d, btstack_crypto_ecc_p256_d, 32); 479 mbedtls_mpi_read_binary(&Q.X, &btstack_crypto_ec_p192->public_key[0] , 32); 480 mbedtls_mpi_read_binary(&Q.Y, &btstack_crypto_ec_p192->public_key[32], 32); 481 mbedtls_mpi_lset(&Q.Z, 1); 482 mbedtls_ecp_mul(&mbedtls_ec_group, &DH, &d, &Q, NULL, NULL); 483 mbedtls_mpi_write_binary(&DH.X, btstack_crypto_ec_p192->dhkey, 32); 484 mbedtls_ecp_point_free(&DH); 485 mbedtls_mpi_free(&d); 486 mbedtls_ecp_point_free(&Q); 487 #endif 488 489 log_info("dhkey"); 490 log_info_hexdump(btstack_crypto_ec_p192->dhkey, 32); 491 } 492 #endif 493 494 #endif 495 496 #ifdef USE_BTSTACK_AES128 497 // CCM not implemented using software AES128 yet 498 #else 499 500 static void btstack_crypto_ccm_calc_s0(btstack_crypto_ccm_t * btstack_crypto_ccm){ 501 #ifdef DEBUG_CCM 502 printf("btstack_crypto_ccm_calc_s0\n"); 503 #endif 504 btstack_crypto_ccm->state = CCM_W4_S0; 505 btstack_crypto_ccm_setup_a_i(btstack_crypto_ccm, 0); 506 btstack_crypto_aes128_start(btstack_crypto_ccm->key, btstack_crypto_ccm_s); 507 } 508 509 static void btstack_crypto_ccm_calc_sn(btstack_crypto_ccm_t * btstack_crypto_ccm){ 510 #ifdef DEBUG_CCM 511 printf("btstack_crypto_ccm_calc_s%u\n", btstack_crypto_ccm->counter); 512 #endif 513 btstack_crypto_ccm->state = CCM_W4_SN; 514 btstack_crypto_ccm_setup_a_i(btstack_crypto_ccm, btstack_crypto_ccm->counter); 515 btstack_crypto_aes128_start(btstack_crypto_ccm->key, btstack_crypto_ccm_s); 516 } 517 518 static void btstack_crypto_ccm_calc_x1(btstack_crypto_ccm_t * btstack_crypto_ccm){ 519 uint8_t btstack_crypto_ccm_buffer[16]; 520 btstack_crypto_ccm->state = CCM_W4_X1; 521 btstack_crypto_ccm_setup_b_0(btstack_crypto_ccm, btstack_crypto_ccm_buffer); 522 btstack_crypto_aes128_start(btstack_crypto_ccm->key, btstack_crypto_ccm_buffer); 523 } 524 525 static void btstack_crypto_ccm_calc_xn(btstack_crypto_ccm_t * btstack_crypto_ccm, const uint8_t * plaintext){ 526 int i; 527 int bytes_to_decrypt; 528 uint8_t btstack_crypto_ccm_buffer[16]; 529 btstack_crypto_ccm->state = CCM_W4_XN; 530 531 #ifdef DEBUG_CCM 532 printf("%16s: ", "bn"); 533 printf_hexdump(plaintext, 16); 534 #endif 535 bytes_to_decrypt = btstack_min(btstack_crypto_ccm->block_len, 16); 536 i = 0; 537 while (i < bytes_to_decrypt){ 538 btstack_crypto_ccm_buffer[i] = btstack_crypto_ccm->x_i[i] ^ plaintext[i]; 539 i++; 540 } 541 memcpy(&btstack_crypto_ccm_buffer[i], &btstack_crypto_ccm->x_i[i], 16 - bytes_to_decrypt); 542 #ifdef DEBUG_CCM 543 printf("%16s: ", "Xn XOR bn"); 544 printf_hexdump(btstack_crypto_ccm_buffer, 16); 545 #endif 546 547 btstack_crypto_aes128_start(btstack_crypto_ccm->key, btstack_crypto_ccm_buffer); 548 } 549 #endif 550 551 static void btstack_crypto_ccm_handle_s0(btstack_crypto_ccm_t * btstack_crypto_ccm, const uint8_t * data){ 552 // data is little-endian, flip on the fly 553 int i; 554 for (i=0;i<16;i++){ 555 btstack_crypto_ccm->x_i[i] = btstack_crypto_ccm->x_i[i] ^ data[15-i]; 556 } 557 btstack_crypto_done(&btstack_crypto_ccm->btstack_crypto); 558 } 559 560 static void btstack_crypto_ccm_handle_sn(btstack_crypto_ccm_t * btstack_crypto_ccm, const uint8_t * data){ 561 // data is little-endian, flip on the fly 562 int i; 563 uint16_t bytes_to_process = btstack_min(btstack_crypto_ccm->block_len, 16); 564 for (i=0;i<bytes_to_process;i++){ 565 btstack_crypto_ccm->output[i] = btstack_crypto_ccm->input[i] ^ data[15-i]; 566 } 567 } 568 569 static void btstack_crypto_ccm_next_block(btstack_crypto_ccm_t * btstack_crypto_ccm, btstack_crypto_ccm_state_t state_when_done){ 570 #ifdef DEBUG_CCM 571 printf("btstack_crypto_ccm_next_block\n"); 572 #endif 573 uint16_t bytes_to_process = btstack_min(btstack_crypto_ccm->block_len, 16); 574 // next block 575 btstack_crypto_ccm->counter++; 576 btstack_crypto_ccm->input += bytes_to_process; 577 btstack_crypto_ccm->output += bytes_to_process; 578 btstack_crypto_ccm->block_len -= bytes_to_process; 579 btstack_crypto_ccm->message_len -= bytes_to_process; 580 if (btstack_crypto_ccm->message_len == 0){ 581 btstack_crypto_ccm->state = CCM_CALCULATE_S0; 582 } else { 583 btstack_crypto_ccm->state = state_when_done; 584 btstack_crypto_done(&btstack_crypto_ccm->btstack_crypto); 585 } 586 } 587 588 static void btstack_crypto_run(void){ 589 590 btstack_crypto_aes128_t * btstack_crypto_aes128; 591 btstack_crypto_ccm_t * btstack_crypto_ccm; 592 btstack_crypto_aes128_cmac_t * btstack_crypto_cmac; 593 #ifdef ENABLE_ECC_P256 594 btstack_crypto_ecc_p256_t * btstack_crypto_ec_p192; 595 #endif 596 597 // stack up and running? 598 if (hci_get_state() != HCI_STATE_WORKING) return; 599 600 // already active? 601 if (btstack_crypto_wait_for_hci_result) return; 602 603 // anything to do? 604 if (btstack_linked_list_empty(&btstack_crypto_operations)) return; 605 606 // can send a command? 607 if (!hci_can_send_command_packet_now()) return; 608 609 btstack_crypto_t * btstack_crypto = (btstack_crypto_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations); 610 switch (btstack_crypto->operation){ 611 case BTSTACK_CRYPTO_RANDOM: 612 btstack_crypto_wait_for_hci_result = 1; 613 hci_send_cmd(&hci_le_rand); 614 break; 615 case BTSTACK_CRYPTO_AES128: 616 btstack_crypto_aes128 = (btstack_crypto_aes128_t *) btstack_crypto; 617 #ifdef USE_BTSTACK_AES128 618 btstack_aes128_calc(btstack_crypto_aes128->key, btstack_crypto_aes128->plaintext, btstack_crypto_aes128->ciphertext); 619 btstack_crypto_done(btstack_crypto); 620 #else 621 btstack_crypto_aes128_start(btstack_crypto_aes128->key, btstack_crypto_aes128->plaintext); 622 #endif 623 break; 624 case BTSTACK_CRYPTO_CMAC_MESSAGE: 625 case BTSTACK_CRYPTO_CMAC_GENERATOR: 626 btstack_crypto_wait_for_hci_result = 1; 627 btstack_crypto_cmac = (btstack_crypto_aes128_cmac_t *) btstack_crypto; 628 if (btstack_crypto_cmac_state == CMAC_IDLE){ 629 btstack_crypto_cmac_start(btstack_crypto_cmac); 630 } else { 631 btstack_crypto_cmac_handle_aes_engine_ready(btstack_crypto_cmac); 632 } 633 break; 634 635 case BTSTACK_CRYPTO_CCM_ENCRYPT_BLOCK: 636 case BTSTACK_CRYPTO_CCM_DECRYPT_BLOCK: 637 #ifdef USE_BTSTACK_AES128 638 UNUSED(btstack_crypto_ccm); 639 log_error("ccm not implemented for software aes128 yet"); 640 #else 641 btstack_crypto_ccm = (btstack_crypto_ccm_t *) btstack_crypto; 642 switch (btstack_crypto_ccm->state){ 643 case CCM_CALCULATE_X1: 644 btstack_crypto_ccm_calc_x1(btstack_crypto_ccm); 645 break; 646 case CCM_CALCULATE_S0: 647 btstack_crypto_ccm_calc_s0(btstack_crypto_ccm); 648 break; 649 case CCM_CALCULATE_SN: 650 btstack_crypto_ccm_calc_sn(btstack_crypto_ccm); 651 break; 652 case CCM_CALCULATE_XN: 653 btstack_crypto_ccm_calc_xn(btstack_crypto_ccm, btstack_crypto->operation == BTSTACK_CRYPTO_CCM_ENCRYPT_BLOCK ? btstack_crypto_ccm->input : btstack_crypto_ccm->output); 654 break; 655 default: 656 break; 657 } 658 #endif 659 break; 660 661 #ifdef ENABLE_ECC_P256 662 case BTSTACK_CRYPTO_ECC_P256_GENERATE_KEY: 663 btstack_crypto_ec_p192 = (btstack_crypto_ecc_p256_t *) btstack_crypto; 664 switch (btstack_crypto_ecc_p256_key_generation_state){ 665 case ECC_P256_KEY_GENERATION_DONE: 666 // done 667 btstack_crypto_log_ec_publickey(btstack_crypto_ecc_p256_public_key); 668 memcpy(btstack_crypto_ec_p192->public_key, btstack_crypto_ecc_p256_public_key, 64); 669 btstack_linked_list_pop(&btstack_crypto_operations); 670 (*btstack_crypto_ec_p192->btstack_crypto.context_callback.callback)(btstack_crypto_ec_p192->btstack_crypto.context_callback.context); 671 break; 672 case ECC_P256_KEY_GENERATION_IDLE: 673 #ifdef USE_SOFTWARE_ECC_P256_IMPLEMENTATION 674 log_info("start ecc random"); 675 btstack_crypto_ecc_p256_key_generation_state = ECC_P256_KEY_GENERATION_GENERATING_RANDOM; 676 btstack_crypto_ecc_p256_random_offset = 0; 677 btstack_crypto_wait_for_hci_result = 1; 678 hci_send_cmd(&hci_le_rand); 679 #else 680 btstack_crypto_ecc_p256_key_generation_state = ECC_P256_KEY_GENERATION_W4_KEY; 681 btstack_crypto_wait_for_hci_result = 1; 682 hci_send_cmd(&hci_le_read_local_p256_public_key); 683 #endif 684 break; 685 #ifdef USE_SOFTWARE_ECC_P256_IMPLEMENTATION 686 case ECC_P256_KEY_GENERATION_GENERATING_RANDOM: 687 log_info("more ecc random"); 688 btstack_crypto_wait_for_hci_result = 1; 689 hci_send_cmd(&hci_le_rand); 690 break; 691 #endif 692 default: 693 break; 694 } 695 break; 696 case BTSTACK_CRYPTO_ECC_P256_CALCULATE_DHKEY: 697 btstack_crypto_ec_p192 = (btstack_crypto_ecc_p256_t *) btstack_crypto; 698 #ifdef USE_SOFTWARE_ECC_P256_IMPLEMENTATION 699 btstack_crypto_ecc_p256_calculate_dhkey_software(btstack_crypto_ec_p192); 700 // done 701 btstack_linked_list_pop(&btstack_crypto_operations); 702 (*btstack_crypto_ec_p192->btstack_crypto.context_callback.callback)(btstack_crypto_ec_p192->btstack_crypto.context_callback.context); 703 #else 704 btstack_crypto_wait_for_hci_result = 1; 705 hci_send_cmd(&hci_le_generate_dhkey, &btstack_crypto_ec_p192->public_key[0], &btstack_crypto_ec_p192->public_key[32]); 706 #endif 707 break; 708 709 #endif /* ENABLE_ECC_P256 */ 710 711 default: 712 break; 713 } 714 } 715 716 static void btstack_crypto_handle_random_data(const uint8_t * data, uint16_t len){ 717 btstack_crypto_random_t * btstack_crypto_random; 718 btstack_crypto_t * btstack_crypto = (btstack_crypto_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations); 719 uint16_t bytes_to_copy; 720 if (!btstack_crypto) return; 721 switch (btstack_crypto->operation){ 722 case BTSTACK_CRYPTO_RANDOM: 723 btstack_crypto_random = (btstack_crypto_random_t*) btstack_crypto; 724 bytes_to_copy = btstack_min(btstack_crypto_random->size, len); 725 memcpy(btstack_crypto_random->buffer, data, bytes_to_copy); 726 btstack_crypto_random->buffer += bytes_to_copy; 727 btstack_crypto_random->size -= bytes_to_copy; 728 // data processed, more? 729 if (!btstack_crypto_random->size) { 730 // done 731 btstack_linked_list_pop(&btstack_crypto_operations); 732 (*btstack_crypto_random->btstack_crypto.context_callback.callback)(btstack_crypto_random->btstack_crypto.context_callback.context); 733 } 734 break; 735 #ifdef ENABLE_ECC_P256 736 case BTSTACK_CRYPTO_ECC_P256_GENERATE_KEY: 737 memcpy(&btstack_crypto_ecc_p256_random[btstack_crypto_ecc_p256_random_len], data, 8); 738 btstack_crypto_ecc_p256_random_len += 8; 739 if (btstack_crypto_ecc_p256_random_len >= 64) { 740 btstack_crypto_ecc_p256_key_generation_state = ECC_P256_KEY_GENERATION_ACTIVE; 741 btstack_crypto_ecc_p256_generate_key_software(); 742 btstack_crypto_ecc_p256_key_generation_state = ECC_P256_KEY_GENERATION_DONE; 743 } 744 break; 745 #endif 746 default: 747 break; 748 } 749 // more work? 750 btstack_crypto_run(); 751 } 752 753 static void btstack_crypto_handle_encryption_result(const uint8_t * data){ 754 btstack_crypto_aes128_t * btstack_crypto_aes128; 755 btstack_crypto_aes128_cmac_t * btstack_crypto_cmac; 756 btstack_crypto_ccm_t * btstack_crypto_ccm; 757 uint8_t result[16]; 758 759 btstack_crypto_t * btstack_crypto = (btstack_crypto_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations); 760 if (!btstack_crypto) return; 761 switch (btstack_crypto->operation){ 762 case BTSTACK_CRYPTO_AES128: 763 btstack_crypto_aes128 = (btstack_crypto_aes128_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations); 764 reverse_128(data, btstack_crypto_aes128->ciphertext); 765 btstack_crypto_done(btstack_crypto); 766 break; 767 case BTSTACK_CRYPTO_CMAC_GENERATOR: 768 case BTSTACK_CRYPTO_CMAC_MESSAGE: 769 btstack_crypto_cmac = (btstack_crypto_aes128_cmac_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations); 770 reverse_128(data, result); 771 btstack_crypto_cmac_handle_encryption_result(btstack_crypto_cmac, result); 772 break; 773 case BTSTACK_CRYPTO_CCM_ENCRYPT_BLOCK: 774 btstack_crypto_ccm = (btstack_crypto_ccm_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations); 775 switch (btstack_crypto_ccm->state){ 776 case CCM_W4_X1: 777 reverse_128(data, btstack_crypto_ccm->x_i); 778 #ifdef DEBUG_CCM 779 printf("%16s: ", "X1"); 780 printf_hexdump(btstack_crypto_ccm->x_i, 16); 781 #endif 782 btstack_crypto_ccm->state = CCM_CALCULATE_XN; 783 break; 784 case CCM_W4_XN: 785 reverse_128(data, btstack_crypto_ccm->x_i); 786 #ifdef DEBUG_CCM 787 printf("%16s: ", "Xn+1"); 788 printf_hexdump(btstack_crypto_ccm->x_i, 16); 789 #endif 790 btstack_crypto_ccm->state = CCM_CALCULATE_SN; 791 break; 792 case CCM_W4_S0: 793 #ifdef DEBUG_CCM 794 reverse_128(data, result); 795 printf("%16s: ", "X0"); 796 printf_hexdump(btstack_crypto_ccm->x_i, 16); 797 #endif 798 btstack_crypto_ccm_handle_s0(btstack_crypto_ccm, data); 799 break; 800 case CCM_W4_SN: 801 #ifdef DEBUG_CCM 802 reverse_128(data, result); 803 printf("%16s: ", "Sn"); 804 printf_hexdump(btstack_crypto_ccm->x_i, 16); 805 #endif 806 btstack_crypto_ccm_handle_sn(btstack_crypto_ccm, data); 807 btstack_crypto_ccm_next_block(btstack_crypto_ccm, CCM_CALCULATE_XN); 808 break; 809 default: 810 break; 811 } 812 break; 813 case BTSTACK_CRYPTO_CCM_DECRYPT_BLOCK: 814 btstack_crypto_ccm = (btstack_crypto_ccm_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations); 815 switch (btstack_crypto_ccm->state){ 816 case CCM_W4_X1: 817 reverse_128(data, btstack_crypto_ccm->x_i); 818 #ifdef DEBUG_CCM 819 printf("%16s: ", "X1"); 820 printf_hexdump(btstack_crypto_ccm->x_i, 16); 821 #endif 822 btstack_crypto_ccm->state = CCM_CALCULATE_SN; 823 break; 824 case CCM_W4_XN: 825 reverse_128(data, btstack_crypto_ccm->x_i); 826 #ifdef DEBUG_CCM 827 printf("%16s: ", "Xn+1"); 828 printf_hexdump(btstack_crypto_ccm->x_i, 16); 829 #endif 830 btstack_crypto_ccm_next_block(btstack_crypto_ccm, CCM_CALCULATE_SN); 831 break; 832 case CCM_W4_S0: 833 btstack_crypto_ccm_handle_s0(btstack_crypto_ccm, data); 834 break; 835 case CCM_W4_SN: 836 btstack_crypto_ccm_handle_sn(btstack_crypto_ccm, data); 837 btstack_crypto_ccm->state = CCM_CALCULATE_XN; 838 break; 839 default: 840 break; 841 } 842 break; 843 default: 844 break; 845 } 846 } 847 848 static void btstack_crypto_event_handler(uint8_t packet_type, uint16_t cid, uint8_t *packet, uint16_t size){ 849 UNUSED(cid); // ok: there is no channel 850 UNUSED(size); // ok: fixed format events read from HCI buffer 851 852 #ifdef ENABLE_ECC_P256 853 #ifndef USE_SOFTWARE_ECC_P256_IMPLEMENTATION 854 btstack_crypto_ecc_p256_t * btstack_crypto_ec_p192; 855 #endif 856 #endif 857 858 if (packet_type != HCI_EVENT_PACKET) return; 859 860 switch (hci_event_packet_get_type(packet)){ 861 case HCI_EVENT_COMMAND_COMPLETE: 862 if (HCI_EVENT_IS_COMMAND_COMPLETE(packet, hci_le_encrypt)){ 863 if (hci_get_state() != HCI_STATE_WORKING) return; 864 if (!btstack_crypto_wait_for_hci_result) return; 865 btstack_crypto_wait_for_hci_result = 0; 866 btstack_crypto_handle_encryption_result(&packet[6]); 867 } 868 if (HCI_EVENT_IS_COMMAND_COMPLETE(packet, hci_le_rand)){ 869 if (hci_get_state() != HCI_STATE_WORKING) return; 870 if (!btstack_crypto_wait_for_hci_result) return; 871 btstack_crypto_wait_for_hci_result = 0; 872 btstack_crypto_handle_random_data(&packet[6], 8); 873 } 874 if (HCI_EVENT_IS_COMMAND_COMPLETE(packet, hci_read_local_supported_commands)){ 875 int ecdh_operations_supported = (packet[OFFSET_OF_DATA_IN_COMMAND_COMPLETE+1+34] & 0x06) == 0x06; 876 log_info("controller supports ECDH operation: %u", ecdh_operations_supported); 877 #ifdef ENABLE_ECC_P256 878 #ifndef USE_SOFTWARE_ECC_P256_IMPLEMENTATION 879 if (!ecdh_operations_supported){ 880 // mbedTLS can also be used if already available (and malloc is supported) 881 log_error("ECC-P256 support enabled, but HCI Controller doesn't support it. Please add ENABLE_MICRO_ECC_FOR_LE_SECURE_CONNECTIONS to btstack_config.h"); 882 } 883 #endif 884 #endif 885 } 886 break; 887 888 #ifdef ENABLE_ECC_P256 889 #ifndef USE_SOFTWARE_ECC_P256_IMPLEMENTATION 890 case HCI_EVENT_LE_META: 891 btstack_crypto_ec_p192 = (btstack_crypto_ecc_p256_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations); 892 if (!btstack_crypto_ec_p192) break; 893 switch (hci_event_le_meta_get_subevent_code(packet)){ 894 case HCI_SUBEVENT_LE_READ_LOCAL_P256_PUBLIC_KEY_COMPLETE: 895 if (btstack_crypto_ec_p192->btstack_crypto.operation != BTSTACK_CRYPTO_ECC_P256_GENERATE_KEY) break; 896 if (!btstack_crypto_wait_for_hci_result) return; 897 btstack_crypto_wait_for_hci_result = 0; 898 if (hci_subevent_le_read_local_p256_public_key_complete_get_status(packet)){ 899 log_error("Read Local P256 Public Key failed"); 900 } 901 hci_subevent_le_read_local_p256_public_key_complete_get_dhkey_x(packet, &btstack_crypto_ecc_p256_public_key[0]); 902 hci_subevent_le_read_local_p256_public_key_complete_get_dhkey_y(packet, &btstack_crypto_ecc_p256_public_key[32]); 903 btstack_crypto_ecc_p256_key_generation_state = ECC_P256_KEY_GENERATION_DONE; 904 break; 905 case HCI_SUBEVENT_LE_GENERATE_DHKEY_COMPLETE: 906 if (btstack_crypto_ec_p192->btstack_crypto.operation != BTSTACK_CRYPTO_ECC_P256_CALCULATE_DHKEY) break; 907 if (!btstack_crypto_wait_for_hci_result) return; 908 btstack_crypto_wait_for_hci_result = 0; 909 if (hci_subevent_le_generate_dhkey_complete_get_status(packet)){ 910 log_error("Generate DHKEY failed -> abort"); 911 } 912 hci_subevent_le_generate_dhkey_complete_get_dhkey(packet, btstack_crypto_ec_p192->dhkey); 913 // done 914 btstack_linked_list_pop(&btstack_crypto_operations); 915 (*btstack_crypto_ec_p192->btstack_crypto.context_callback.callback)(btstack_crypto_ec_p192->btstack_crypto.context_callback.context); 916 break; 917 default: 918 break; 919 } 920 break; 921 #endif 922 #endif 923 default: 924 break; 925 } 926 927 // try processing 928 btstack_crypto_run(); 929 } 930 931 void btstack_crypto_init(void){ 932 if (btstack_crypto_initialized) return; 933 btstack_crypto_initialized = 1; 934 935 // register with HCI 936 hci_event_callback_registration.callback = &btstack_crypto_event_handler; 937 hci_add_event_handler(&hci_event_callback_registration); 938 939 #ifdef USE_MBEDTLS_ECC_P256 940 mbedtls_ecp_group_init(&mbedtls_ec_group); 941 mbedtls_ecp_group_load(&mbedtls_ec_group, MBEDTLS_ECP_DP_SECP256R1); 942 #endif 943 } 944 945 void btstack_crypto_random_generate(btstack_crypto_random_t * request, uint8_t * buffer, uint16_t size, void (* callback)(void * arg), void * callback_arg){ 946 request->btstack_crypto.context_callback.callback = callback; 947 request->btstack_crypto.context_callback.context = callback_arg; 948 request->btstack_crypto.operation = BTSTACK_CRYPTO_RANDOM; 949 request->buffer = buffer; 950 request->size = size; 951 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request); 952 btstack_crypto_run(); 953 } 954 955 void btstack_crypto_aes128_encrypt(btstack_crypto_aes128_t * request, const uint8_t * key, const uint8_t * plaintext, uint8_t * ciphertext, void (* callback)(void * arg), void * callback_arg){ 956 request->btstack_crypto.context_callback.callback = callback; 957 request->btstack_crypto.context_callback.context = callback_arg; 958 request->btstack_crypto.operation = BTSTACK_CRYPTO_AES128; 959 request->key = key; 960 request->plaintext = plaintext; 961 request->ciphertext = ciphertext; 962 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request); 963 btstack_crypto_run(); 964 } 965 966 void btstack_crypto_aes128_cmac_generator(btstack_crypto_aes128_cmac_t * request, const uint8_t * key, uint16_t size, uint8_t (*get_byte_callback)(uint16_t pos), uint8_t * hash, void (* callback)(void * arg), void * callback_arg){ 967 request->btstack_crypto.context_callback.callback = callback; 968 request->btstack_crypto.context_callback.context = callback_arg; 969 request->btstack_crypto.operation = BTSTACK_CRYPTO_CMAC_GENERATOR; 970 request->key = key; 971 request->size = size; 972 request->data.get_byte_callback = get_byte_callback; 973 request->hash = hash; 974 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request); 975 btstack_crypto_run(); 976 } 977 978 void btstack_crypto_aes128_cmac_message(btstack_crypto_aes128_cmac_t * request, const uint8_t * key, uint16_t size, const uint8_t * message, uint8_t * hash, void (* callback)(void * arg), void * callback_arg){ 979 request->btstack_crypto.context_callback.callback = callback; 980 request->btstack_crypto.context_callback.context = callback_arg; 981 request->btstack_crypto.operation = BTSTACK_CRYPTO_CMAC_MESSAGE; 982 request->key = key; 983 request->size = size; 984 request->data.message = message; 985 request->hash = hash; 986 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request); 987 btstack_crypto_run(); 988 } 989 990 void btstack_crypto_aes128_cmac_zero(btstack_crypto_aes128_cmac_t * request, uint16_t len, const uint8_t * message, uint8_t * hash, void (* callback)(void * arg), void * callback_arg){ 991 request->btstack_crypto.context_callback.callback = callback; 992 request->btstack_crypto.context_callback.context = callback_arg; 993 request->btstack_crypto.operation = BTSTACK_CRYPTO_CMAC_MESSAGE; 994 request->key = zero; 995 request->size = len; 996 request->data.message = message; 997 request->hash = hash; 998 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request); 999 btstack_crypto_run(); 1000 } 1001 1002 #ifdef ENABLE_ECC_P256 1003 void btstack_crypto_ecc_p256_generate_key(btstack_crypto_ecc_p256_t * request, uint8_t * public_key, void (* callback)(void * arg), void * callback_arg){ 1004 // reset key generation 1005 if (btstack_crypto_ecc_p256_key_generation_state == ECC_P256_KEY_GENERATION_DONE){ 1006 btstack_crypto_ecc_p256_random_len = 0; 1007 btstack_crypto_ecc_p256_key_generation_state = ECC_P256_KEY_GENERATION_IDLE; 1008 } 1009 request->btstack_crypto.context_callback.callback = callback; 1010 request->btstack_crypto.context_callback.context = callback_arg; 1011 request->btstack_crypto.operation = BTSTACK_CRYPTO_ECC_P256_GENERATE_KEY; 1012 request->public_key = public_key; 1013 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request); 1014 btstack_crypto_run(); 1015 } 1016 1017 void btstack_crypto_ecc_p256_calculate_dhkey(btstack_crypto_ecc_p256_t * request, const uint8_t * public_key, uint8_t * dhkey, void (* callback)(void * arg), void * callback_arg){ 1018 request->btstack_crypto.context_callback.callback = callback; 1019 request->btstack_crypto.context_callback.context = callback_arg; 1020 request->btstack_crypto.operation = BTSTACK_CRYPTO_ECC_P256_CALCULATE_DHKEY; 1021 request->public_key = (uint8_t *) public_key; 1022 request->dhkey = dhkey; 1023 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request); 1024 btstack_crypto_run(); 1025 } 1026 1027 int btstack_crypto_ecc_p256_validate_public_key(const uint8_t * public_key){ 1028 1029 // validate public key using micro-ecc 1030 int err = 0; 1031 1032 #ifdef USE_MICRO_ECC_P256 1033 #if uECC_SUPPORTS_secp256r1 1034 // standard version 1035 err = uECC_valid_public_key(public_key, uECC_secp256r1()) == 0; 1036 #else 1037 // static version 1038 err = uECC_valid_public_key(public_key) == 0; 1039 #endif 1040 #endif 1041 1042 #ifdef USE_MBEDTLS_ECC_P256 1043 mbedtls_ecp_point Q; 1044 mbedtls_ecp_point_init( &Q ); 1045 mbedtls_mpi_read_binary(&Q.X, &public_key[0], 32); 1046 mbedtls_mpi_read_binary(&Q.Y, &public_key[32], 32); 1047 mbedtls_mpi_lset(&Q.Z, 1); 1048 err = mbedtls_ecp_check_pubkey(&mbedtls_ec_group, &Q); 1049 mbedtls_ecp_point_free( & Q); 1050 #endif 1051 1052 if (err){ 1053 log_error("public key invalid %x", err); 1054 } 1055 return err; 1056 } 1057 #endif 1058 1059 void btstack_crypo_ccm_init(btstack_crypto_ccm_t * request, const uint8_t * key, const uint8_t * nonce, uint16_t message_len, uint8_t auth_len){ 1060 request->key = key; 1061 request->nonce = nonce; 1062 request->message_len = message_len; 1063 request->auth_len = auth_len; 1064 request->counter = 1; 1065 request->state = CCM_CALCULATE_X1; 1066 } 1067 1068 void btstack_crypo_ccm_get_authentication_value(btstack_crypto_ccm_t * request, uint8_t * authentication_value){ 1069 memcpy(authentication_value, request->x_i, 8); 1070 } 1071 1072 void btstack_crypto_ccm_encrypt_block(btstack_crypto_ccm_t * request, uint16_t block_len, const uint8_t * plaintext, uint8_t * ciphertext, void (* callback)(void * arg), void * callback_arg){ 1073 #ifdef DEBUG_CCM 1074 printf("\nbtstack_crypto_ccm_encrypt_block, len %u\n", block_len); 1075 #endif 1076 request->btstack_crypto.context_callback.callback = callback; 1077 request->btstack_crypto.context_callback.context = callback_arg; 1078 request->btstack_crypto.operation = BTSTACK_CRYPTO_CCM_ENCRYPT_BLOCK; 1079 request->block_len = block_len; 1080 request->input = plaintext; 1081 request->output = ciphertext; 1082 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request); 1083 btstack_crypto_run(); 1084 } 1085 1086 void btstack_crypto_ccm_decrypt_block(btstack_crypto_ccm_t * request, uint16_t block_len, const uint8_t * ciphertext, uint8_t * plaintext, void (* callback)(void * arg), void * callback_arg){ 1087 request->btstack_crypto.context_callback.callback = callback; 1088 request->btstack_crypto.context_callback.context = callback_arg; 1089 request->btstack_crypto.operation = BTSTACK_CRYPTO_CCM_DECRYPT_BLOCK; 1090 request->block_len = block_len; 1091 request->input = ciphertext; 1092 request->output = plaintext; 1093 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request); 1094 btstack_crypto_run(); 1095 } 1096 1097