1 /* 2 * Copyright (C) 2017 BlueKitchen GmbH 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of the copyright holders nor the names of 14 * contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY MATTHIAS RINGWALD AND CONTRIBUTORS 18 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 19 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 20 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL MATTHIAS 21 * RINGWALD OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 23 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS 24 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 25 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 26 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF 27 * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28 * SUCH DAMAGE. 29 * 30 */ 31 32 #define BTSTACK_FILE__ "btstack_crypto.c" 33 34 /* 35 * btstack_crypto.h 36 * 37 * Central place for all crypto-related functions with completion callbacks to allow 38 * using of MCU crypto peripherals or the Bluetooth controller 39 */ 40 41 #include "btstack_crypto.h" 42 43 #include "btstack_debug.h" 44 #include "btstack_event.h" 45 #include "btstack_linked_list.h" 46 #include "btstack_util.h" 47 #include "hci.h" 48 49 // 50 // AES128 Configuration 51 // 52 53 // By default, AES128 is computed by Bluetooth Controller using HCI Command/Event asynchronously 54 // as fallback/alternative, a software implementation can be used 55 // configure ECC implementations 56 #if defined(HAVE_AES128) && defined(ENABLE_SOFTWARE_AES128) 57 #error "If you have custom AES128 implementation (HAVE_AES128), please disable software AES128 (ENABLE_SOFTWARE_AES128) in bstack_config.h" 58 #endif 59 60 #ifdef ENABLE_SOFTWARE_AES128 61 #define HAVE_AES128 62 #include "rijndael.h" 63 #endif 64 65 #ifdef HAVE_AES128 66 #define USE_BTSTACK_AES128 67 #endif 68 69 // 70 // ECC Configuration 71 // 72 73 // backwards-compatitility ENABLE_MICRO_ECC_FOR_LE_SECURE_CONNECTIONS -> ENABLE_MICRO_ECC_P256 74 #if defined(ENABLE_MICRO_ECC_FOR_LE_SECURE_CONNECTIONS) && !defined(ENABLE_MICRO_ECC_P256) 75 #define ENABLE_MICRO_ECC_P256 76 #endif 77 78 // configure ECC implementations 79 #if defined(ENABLE_MICRO_ECC_P256) && defined(HAVE_MBEDTLS_ECC_P256) 80 #error "If you have mbedTLS (HAVE_MBEDTLS_ECC_P256), please disable uECC (ENABLE_MICRO_ECC_P256) in bstack_config.h" 81 #endif 82 83 // Software ECC-P256 implementation provided by micro-ecc 84 #ifdef ENABLE_MICRO_ECC_P256 85 #define ENABLE_ECC_P256 86 #define USE_MICRO_ECC_P256 87 #define USE_SOFTWARE_ECC_P256_IMPLEMENTATION 88 #include "uECC.h" 89 #endif 90 91 // Software ECC-P256 implementation provided by mbedTLS 92 #ifdef HAVE_MBEDTLS_ECC_P256 93 #define ENABLE_ECC_P256 94 #define USE_MBEDTLS_ECC_P256 95 #define USE_SOFTWARE_ECC_P256_IMPLEMENTATION 96 #include "mbedtls/config.h" 97 #include "mbedtls/platform.h" 98 #include "mbedtls/ecp.h" 99 #endif 100 101 #if defined(ENABLE_LE_SECURE_CONNECTIONS) && !defined(ENABLE_ECC_P256) 102 #define ENABLE_ECC_P256 103 #endif 104 105 // degbugging 106 // #define DEBUG_CCM 107 108 typedef enum { 109 CMAC_IDLE, 110 CMAC_CALC_SUBKEYS, 111 CMAC_W4_SUBKEYS, 112 CMAC_CALC_MI, 113 CMAC_W4_MI, 114 CMAC_CALC_MLAST, 115 CMAC_W4_MLAST 116 } btstack_crypto_cmac_state_t; 117 118 typedef enum { 119 ECC_P256_KEY_GENERATION_IDLE, 120 ECC_P256_KEY_GENERATION_GENERATING_RANDOM, 121 ECC_P256_KEY_GENERATION_ACTIVE, 122 ECC_P256_KEY_GENERATION_W4_KEY, 123 ECC_P256_KEY_GENERATION_DONE, 124 } btstack_crypto_ecc_p256_key_generation_state_t; 125 126 static void btstack_crypto_run(void); 127 128 static const uint8_t zero[16] = { 0 }; 129 130 static uint8_t btstack_crypto_initialized; 131 static btstack_linked_list_t btstack_crypto_operations; 132 static btstack_packet_callback_registration_t hci_event_callback_registration; 133 static uint8_t btstack_crypto_wait_for_hci_result; 134 135 // state for AES-CMAC 136 static btstack_crypto_cmac_state_t btstack_crypto_cmac_state; 137 static sm_key_t btstack_crypto_cmac_k; 138 static sm_key_t btstack_crypto_cmac_x; 139 static sm_key_t btstack_crypto_cmac_m_last; 140 static uint8_t btstack_crypto_cmac_block_current; 141 static uint8_t btstack_crypto_cmac_block_count; 142 143 // state for AES-CCM 144 #ifndef USE_BTSTACK_AES128 145 static uint8_t btstack_crypto_ccm_s[16]; 146 #endif 147 148 #ifdef ENABLE_ECC_P256 149 150 static uint8_t btstack_crypto_ecc_p256_public_key[64]; 151 static uint8_t btstack_crypto_ecc_p256_random[64]; 152 static uint8_t btstack_crypto_ecc_p256_random_len; 153 static uint8_t btstack_crypto_ecc_p256_random_offset; 154 static btstack_crypto_ecc_p256_key_generation_state_t btstack_crypto_ecc_p256_key_generation_state; 155 156 #ifdef USE_SOFTWARE_ECC_P256_IMPLEMENTATION 157 static uint8_t btstack_crypto_ecc_p256_d[32]; 158 #endif 159 160 // Software ECDH implementation provided by mbedtls 161 #ifdef USE_MBEDTLS_ECC_P256 162 static mbedtls_ecp_group mbedtls_ec_group; 163 #endif 164 165 #endif /* ENABLE_ECC_P256 */ 166 167 #ifdef ENABLE_SOFTWARE_AES128 168 // AES128 using public domain rijndael implementation 169 void btstack_aes128_calc(const uint8_t * key, const uint8_t * plaintext, uint8_t * ciphertext){ 170 uint32_t rk[RKLENGTH(KEYBITS)]; 171 int nrounds = rijndaelSetupEncrypt(rk, &key[0], KEYBITS); 172 rijndaelEncrypt(rk, nrounds, plaintext, ciphertext); 173 } 174 #endif 175 176 static void btstack_crypto_done(btstack_crypto_t * btstack_crypto){ 177 btstack_linked_list_pop(&btstack_crypto_operations); 178 (*btstack_crypto->context_callback.callback)(btstack_crypto->context_callback.context); 179 } 180 181 static inline void btstack_crypto_cmac_next_state(void){ 182 btstack_crypto_cmac_state = (btstack_crypto_cmac_state_t) (((int)btstack_crypto_cmac_state) + 1); 183 } 184 185 static int btstack_crypto_cmac_last_block_complete(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac){ 186 uint16_t len = btstack_crypto_cmac->size; 187 if (len == 0) return 0; 188 return (len & 0x0f) == 0; 189 } 190 191 static void btstack_crypto_aes128_start(const sm_key_t key, const sm_key_t plaintext){ 192 uint8_t key_flipped[16]; 193 uint8_t plaintext_flipped[16]; 194 reverse_128(key, key_flipped); 195 reverse_128(plaintext, plaintext_flipped); 196 btstack_crypto_wait_for_hci_result = 1; 197 hci_send_cmd(&hci_le_encrypt, key_flipped, plaintext_flipped); 198 } 199 200 static uint8_t btstack_crypto_cmac_get_byte(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac, uint16_t pos){ 201 if (btstack_crypto_cmac->btstack_crypto.operation == BTSTACK_CRYPTO_CMAC_GENERATOR){ 202 return (*btstack_crypto_cmac->data.get_byte_callback)(pos); 203 } else { 204 return btstack_crypto_cmac->data.message[pos]; 205 } 206 } 207 208 static void btstack_crypto_cmac_handle_aes_engine_ready(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac){ 209 switch (btstack_crypto_cmac_state){ 210 case CMAC_CALC_SUBKEYS: { 211 sm_key_t const_zero; 212 memset(const_zero, 0, 16); 213 btstack_crypto_cmac_next_state(); 214 btstack_crypto_aes128_start(btstack_crypto_cmac_k, const_zero); 215 break; 216 } 217 case CMAC_CALC_MI: { 218 int j; 219 sm_key_t y; 220 for (j=0;j<16;j++){ 221 y[j] = btstack_crypto_cmac_x[j] ^ btstack_crypto_cmac_get_byte(btstack_crypto_cmac, (btstack_crypto_cmac_block_current*16) + j); 222 } 223 btstack_crypto_cmac_block_current++; 224 btstack_crypto_cmac_next_state(); 225 btstack_crypto_aes128_start(btstack_crypto_cmac_k, y); 226 break; 227 } 228 case CMAC_CALC_MLAST: { 229 int i; 230 sm_key_t y; 231 for (i=0;i<16;i++){ 232 y[i] = btstack_crypto_cmac_x[i] ^ btstack_crypto_cmac_m_last[i]; 233 } 234 btstack_crypto_cmac_block_current++; 235 btstack_crypto_cmac_next_state(); 236 btstack_crypto_aes128_start(btstack_crypto_cmac_k, y); 237 break; 238 } 239 default: 240 log_info("btstack_crypto_cmac_handle_aes_engine_ready called in state %u", btstack_crypto_cmac_state); 241 break; 242 } 243 } 244 245 static void btstack_crypto_cmac_shift_left_by_one_bit_inplace(int len, uint8_t * data){ 246 int i; 247 int carry = 0; 248 for (i=len-1; i >= 0 ; i--){ 249 int new_carry = data[i] >> 7; 250 data[i] = (data[i] << 1) | carry; 251 carry = new_carry; 252 } 253 } 254 255 static void btstack_crypto_cmac_handle_encryption_result(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac, sm_key_t data){ 256 switch (btstack_crypto_cmac_state){ 257 case CMAC_W4_SUBKEYS: { 258 sm_key_t k1; 259 (void)memcpy(k1, data, 16); 260 btstack_crypto_cmac_shift_left_by_one_bit_inplace(16, k1); 261 if (data[0] & 0x80){ 262 k1[15] ^= 0x87; 263 } 264 sm_key_t k2; 265 (void)memcpy(k2, k1, 16); 266 btstack_crypto_cmac_shift_left_by_one_bit_inplace(16, k2); 267 if (k1[0] & 0x80){ 268 k2[15] ^= 0x87; 269 } 270 271 log_info_key("k", btstack_crypto_cmac_k); 272 log_info_key("k1", k1); 273 log_info_key("k2", k2); 274 275 // step 4: set m_last 276 int i; 277 if (btstack_crypto_cmac_last_block_complete(btstack_crypto_cmac)){ 278 for (i=0;i<16;i++){ 279 btstack_crypto_cmac_m_last[i] = btstack_crypto_cmac_get_byte(btstack_crypto_cmac, btstack_crypto_cmac->size - 16 + i) ^ k1[i]; 280 } 281 } else { 282 int valid_octets_in_last_block = btstack_crypto_cmac->size & 0x0f; 283 for (i=0;i<16;i++){ 284 if (i < valid_octets_in_last_block){ 285 btstack_crypto_cmac_m_last[i] = btstack_crypto_cmac_get_byte(btstack_crypto_cmac, (btstack_crypto_cmac->size & 0xfff0) + i) ^ k2[i]; 286 continue; 287 } 288 if (i == valid_octets_in_last_block){ 289 btstack_crypto_cmac_m_last[i] = 0x80 ^ k2[i]; 290 continue; 291 } 292 btstack_crypto_cmac_m_last[i] = k2[i]; 293 } 294 } 295 296 // next 297 btstack_crypto_cmac_state = (btstack_crypto_cmac_block_current < (btstack_crypto_cmac_block_count - 1)) ? CMAC_CALC_MI : CMAC_CALC_MLAST; 298 break; 299 } 300 case CMAC_W4_MI: 301 (void)memcpy(btstack_crypto_cmac_x, data, 16); 302 btstack_crypto_cmac_state = (btstack_crypto_cmac_block_current < (btstack_crypto_cmac_block_count - 1)) ? CMAC_CALC_MI : CMAC_CALC_MLAST; 303 break; 304 case CMAC_W4_MLAST: 305 // done 306 log_info("Setting CMAC Engine to IDLE"); 307 btstack_crypto_cmac_state = CMAC_IDLE; 308 log_info_key("CMAC", data); 309 (void)memcpy(btstack_crypto_cmac->hash, data, 16); 310 btstack_linked_list_pop(&btstack_crypto_operations); 311 (*btstack_crypto_cmac->btstack_crypto.context_callback.callback)(btstack_crypto_cmac->btstack_crypto.context_callback.context); 312 break; 313 default: 314 log_info("btstack_crypto_cmac_handle_encryption_result called in state %u", btstack_crypto_cmac_state); 315 break; 316 } 317 } 318 319 static void btstack_crypto_cmac_start(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac){ 320 321 (void)memcpy(btstack_crypto_cmac_k, btstack_crypto_cmac->key, 16); 322 memset(btstack_crypto_cmac_x, 0, 16); 323 btstack_crypto_cmac_block_current = 0; 324 325 // step 2: n := ceil(len/const_Bsize); 326 btstack_crypto_cmac_block_count = (btstack_crypto_cmac->size + 15) / 16; 327 328 // step 3: .. 329 if (btstack_crypto_cmac_block_count==0){ 330 btstack_crypto_cmac_block_count = 1; 331 } 332 log_info("btstack_crypto_cmac_start: len %u, block count %u", btstack_crypto_cmac->size, btstack_crypto_cmac_block_count); 333 334 // first, we need to compute l for k1, k2, and m_last 335 btstack_crypto_cmac_state = CMAC_CALC_SUBKEYS; 336 337 // let's go 338 btstack_crypto_cmac_handle_aes_engine_ready(btstack_crypto_cmac); 339 } 340 341 #ifndef USE_BTSTACK_AES128 342 343 /* 344 To encrypt the message data we use Counter (CTR) mode. We first 345 define the key stream blocks by: 346 347 S_i := E( K, A_i ) for i=0, 1, 2, ... 348 349 The values A_i are formatted as follows, where the Counter field i is 350 encoded in most-significant-byte first order: 351 352 Octet Number Contents 353 ------------ --------- 354 0 Flags 355 1 ... 15-L Nonce N 356 16-L ... 15 Counter i 357 358 Bit Number Contents 359 ---------- ---------------------- 360 7 Reserved (always zero) 361 6 Reserved (always zero) 362 5 ... 3 Zero 363 2 ... 0 L' 364 */ 365 366 static void btstack_crypto_ccm_setup_a_i(btstack_crypto_ccm_t * btstack_crypto_ccm, uint16_t counter){ 367 btstack_crypto_ccm_s[0] = 1; // L' = L - 1 368 (void)memcpy(&btstack_crypto_ccm_s[1], btstack_crypto_ccm->nonce, 13); 369 big_endian_store_16(btstack_crypto_ccm_s, 14, counter); 370 #ifdef DEBUG_CCM 371 printf("ststack_crypto_ccm_setup_a_%u\n", counter); 372 printf("%16s: ", "ai"); 373 printf_hexdump(btstack_crypto_ccm_s, 16); 374 #endif 375 } 376 377 /* 378 The first step is to compute the authentication field T. This is 379 done using CBC-MAC [MAC]. We first define a sequence of blocks B_0, 380 B_1, ..., B_n and then apply CBC-MAC to these blocks. 381 382 The first block B_0 is formatted as follows, where l(m) is encoded in 383 most-significant-byte first order: 384 385 Octet Number Contents 386 ------------ --------- 387 0 Flags 388 1 ... 15-L Nonce N 389 16-L ... 15 l(m) 390 391 Within the first block B_0, the Flags field is formatted as follows: 392 393 Bit Number Contents 394 ---------- ---------------------- 395 7 Reserved (always zero) 396 6 Adata 397 5 ... 3 M' 398 2 ... 0 L' 399 */ 400 401 static void btstack_crypto_ccm_setup_b_0(btstack_crypto_ccm_t * btstack_crypto_ccm, uint8_t * b0){ 402 uint8_t m_prime = (btstack_crypto_ccm->auth_len - 2) / 2; 403 uint8_t Adata = btstack_crypto_ccm->aad_len ? 1 : 0; 404 b0[0] = (Adata << 6) | (m_prime << 3) | 1 ; // Adata, M', L' = L - 1 405 (void)memcpy(&b0[1], btstack_crypto_ccm->nonce, 13); 406 big_endian_store_16(b0, 14, btstack_crypto_ccm->message_len); 407 #ifdef DEBUG_CCM 408 printf("%16s: ", "B0"); 409 printf_hexdump(b0, 16); 410 #endif 411 } 412 #endif 413 414 #ifdef ENABLE_ECC_P256 415 416 static void btstack_crypto_log_ec_publickey(const uint8_t * ec_q){ 417 log_info("Elliptic curve: X"); 418 log_info_hexdump(&ec_q[0],32); 419 log_info("Elliptic curve: Y"); 420 log_info_hexdump(&ec_q[32],32); 421 } 422 423 #if (defined(USE_MICRO_ECC_P256) && !defined(WICED_VERSION)) || defined(USE_MBEDTLS_ECC_P256) 424 // @return OK 425 static int sm_generate_f_rng(unsigned char * buffer, unsigned size){ 426 if (btstack_crypto_ecc_p256_key_generation_state != ECC_P256_KEY_GENERATION_ACTIVE) return 0; 427 log_info("sm_generate_f_rng: size %u - offset %u", (int) size, btstack_crypto_ecc_p256_random_offset); 428 while (size) { 429 *buffer++ = btstack_crypto_ecc_p256_random[btstack_crypto_ecc_p256_random_offset++]; 430 size--; 431 } 432 return 1; 433 } 434 #endif 435 #ifdef USE_MBEDTLS_ECC_P256 436 // @return error - just wrap sm_generate_f_rng 437 static int sm_generate_f_rng_mbedtls(void * context, unsigned char * buffer, size_t size){ 438 UNUSED(context); 439 return sm_generate_f_rng(buffer, size) == 0; 440 } 441 #endif /* USE_MBEDTLS_ECC_P256 */ 442 443 static void btstack_crypto_ecc_p256_generate_key_software(void){ 444 445 btstack_crypto_ecc_p256_random_offset = 0; 446 447 // generate EC key 448 #ifdef USE_MICRO_ECC_P256 449 450 #ifndef WICED_VERSION 451 log_info("set uECC RNG for initial key generation with 64 random bytes"); 452 // micro-ecc from WICED SDK uses its wiced_crypto_get_random by default - no need to set it 453 uECC_set_rng(&sm_generate_f_rng); 454 #endif /* WICED_VERSION */ 455 456 #if uECC_SUPPORTS_secp256r1 457 // standard version 458 uECC_make_key(btstack_crypto_ecc_p256_public_key, btstack_crypto_ecc_p256_d, uECC_secp256r1()); 459 460 // disable RNG again, as returning no randmon data lets shared key generation fail 461 log_info("disable uECC RNG in standard version after key generation"); 462 uECC_set_rng(NULL); 463 #else 464 // static version 465 uECC_make_key(btstack_crypto_ecc_p256_public_key, btstack_crypto_ecc_p256_d); 466 #endif 467 #endif /* USE_MICRO_ECC_P256 */ 468 469 #ifdef USE_MBEDTLS_ECC_P256 470 mbedtls_mpi d; 471 mbedtls_ecp_point P; 472 mbedtls_mpi_init(&d); 473 mbedtls_ecp_point_init(&P); 474 int res = mbedtls_ecp_gen_keypair(&mbedtls_ec_group, &d, &P, &sm_generate_f_rng_mbedtls, NULL); 475 log_info("gen keypair %x", res); 476 mbedtls_mpi_write_binary(&P.X, &btstack_crypto_ecc_p256_public_key[0], 32); 477 mbedtls_mpi_write_binary(&P.Y, &btstack_crypto_ecc_p256_public_key[32], 32); 478 mbedtls_mpi_write_binary(&d, btstack_crypto_ecc_p256_d, 32); 479 mbedtls_ecp_point_free(&P); 480 mbedtls_mpi_free(&d); 481 #endif /* USE_MBEDTLS_ECC_P256 */ 482 } 483 484 #ifdef USE_SOFTWARE_ECC_P256_IMPLEMENTATION 485 static void btstack_crypto_ecc_p256_calculate_dhkey_software(btstack_crypto_ecc_p256_t * btstack_crypto_ec_p192){ 486 memset(btstack_crypto_ec_p192->dhkey, 0, 32); 487 488 #ifdef USE_MICRO_ECC_P256 489 #if uECC_SUPPORTS_secp256r1 490 // standard version 491 uECC_shared_secret(btstack_crypto_ec_p192->public_key, btstack_crypto_ecc_p256_d, btstack_crypto_ec_p192->dhkey, uECC_secp256r1()); 492 #else 493 // static version 494 uECC_shared_secret(btstack_crypto_ec_p192->public_key, btstack_crypto_ecc_p256_d, btstack_crypto_ec_p192->dhkey); 495 #endif 496 #endif 497 498 #ifdef USE_MBEDTLS_ECC_P256 499 // da * Pb 500 mbedtls_mpi d; 501 mbedtls_ecp_point Q; 502 mbedtls_ecp_point DH; 503 mbedtls_mpi_init(&d); 504 mbedtls_ecp_point_init(&Q); 505 mbedtls_ecp_point_init(&DH); 506 mbedtls_mpi_read_binary(&d, btstack_crypto_ecc_p256_d, 32); 507 mbedtls_mpi_read_binary(&Q.X, &btstack_crypto_ec_p192->public_key[0] , 32); 508 mbedtls_mpi_read_binary(&Q.Y, &btstack_crypto_ec_p192->public_key[32], 32); 509 mbedtls_mpi_lset(&Q.Z, 1); 510 mbedtls_ecp_mul(&mbedtls_ec_group, &DH, &d, &Q, NULL, NULL); 511 mbedtls_mpi_write_binary(&DH.X, btstack_crypto_ec_p192->dhkey, 32); 512 mbedtls_ecp_point_free(&DH); 513 mbedtls_mpi_free(&d); 514 mbedtls_ecp_point_free(&Q); 515 #endif 516 517 log_info("dhkey"); 518 log_info_hexdump(btstack_crypto_ec_p192->dhkey, 32); 519 } 520 #endif 521 522 #endif 523 524 #ifdef USE_BTSTACK_AES128 525 // CCM not implemented using software AES128 yet 526 #else 527 528 static void btstack_crypto_ccm_calc_s0(btstack_crypto_ccm_t * btstack_crypto_ccm){ 529 #ifdef DEBUG_CCM 530 printf("btstack_crypto_ccm_calc_s0\n"); 531 #endif 532 btstack_crypto_ccm->state = CCM_W4_S0; 533 btstack_crypto_ccm_setup_a_i(btstack_crypto_ccm, 0); 534 btstack_crypto_aes128_start(btstack_crypto_ccm->key, btstack_crypto_ccm_s); 535 } 536 537 static void btstack_crypto_ccm_calc_sn(btstack_crypto_ccm_t * btstack_crypto_ccm){ 538 #ifdef DEBUG_CCM 539 printf("btstack_crypto_ccm_calc_s%u\n", btstack_crypto_ccm->counter); 540 #endif 541 btstack_crypto_ccm->state = CCM_W4_SN; 542 btstack_crypto_ccm_setup_a_i(btstack_crypto_ccm, btstack_crypto_ccm->counter); 543 btstack_crypto_aes128_start(btstack_crypto_ccm->key, btstack_crypto_ccm_s); 544 } 545 546 static void btstack_crypto_ccm_calc_x1(btstack_crypto_ccm_t * btstack_crypto_ccm){ 547 uint8_t btstack_crypto_ccm_buffer[16]; 548 btstack_crypto_ccm->state = CCM_W4_X1; 549 btstack_crypto_ccm_setup_b_0(btstack_crypto_ccm, btstack_crypto_ccm_buffer); 550 btstack_crypto_aes128_start(btstack_crypto_ccm->key, btstack_crypto_ccm_buffer); 551 } 552 553 static void btstack_crypto_ccm_calc_xn(btstack_crypto_ccm_t * btstack_crypto_ccm, const uint8_t * plaintext){ 554 uint8_t btstack_crypto_ccm_buffer[16]; 555 btstack_crypto_ccm->state = CCM_W4_XN; 556 557 #ifdef DEBUG_CCM 558 printf("%16s: ", "bn"); 559 printf_hexdump(plaintext, 16); 560 #endif 561 uint8_t i; 562 uint8_t bytes_to_decrypt = btstack_crypto_ccm->block_len; 563 // use explicit min implementation as c-stat worried about out-of-bounds-reads 564 if (bytes_to_decrypt > 16) { 565 bytes_to_decrypt = 16; 566 } 567 for (i = 0; i < bytes_to_decrypt ; i++){ 568 btstack_crypto_ccm_buffer[i] = btstack_crypto_ccm->x_i[i] ^ plaintext[i]; 569 } 570 (void)memcpy(&btstack_crypto_ccm_buffer[i], &btstack_crypto_ccm->x_i[i], 571 16 - bytes_to_decrypt); 572 #ifdef DEBUG_CCM 573 printf("%16s: ", "Xn XOR bn"); 574 printf_hexdump(btstack_crypto_ccm_buffer, 16); 575 #endif 576 577 btstack_crypto_aes128_start(btstack_crypto_ccm->key, btstack_crypto_ccm_buffer); 578 } 579 #endif 580 581 static void btstack_crypto_ccm_calc_aad_xn(btstack_crypto_ccm_t * btstack_crypto_ccm){ 582 // store length 583 if (btstack_crypto_ccm->aad_offset == 0){ 584 uint8_t len_buffer[2]; 585 big_endian_store_16(len_buffer, 0, btstack_crypto_ccm->aad_len); 586 btstack_crypto_ccm->x_i[0] ^= len_buffer[0]; 587 btstack_crypto_ccm->x_i[1] ^= len_buffer[1]; 588 btstack_crypto_ccm->aad_remainder_len += 2; 589 btstack_crypto_ccm->aad_offset += 2; 590 } 591 592 // fill from input 593 uint16_t bytes_free = 16 - btstack_crypto_ccm->aad_remainder_len; 594 uint16_t bytes_to_copy = btstack_min(bytes_free, btstack_crypto_ccm->block_len); 595 while (bytes_to_copy){ 596 btstack_crypto_ccm->x_i[btstack_crypto_ccm->aad_remainder_len++] ^= *btstack_crypto_ccm->input++; 597 btstack_crypto_ccm->aad_offset++; 598 btstack_crypto_ccm->block_len--; 599 bytes_to_copy--; 600 bytes_free--; 601 } 602 603 // if last block, fill with zeros 604 if (btstack_crypto_ccm->aad_offset == (btstack_crypto_ccm->aad_len + 2)){ 605 btstack_crypto_ccm->aad_remainder_len = 16; 606 } 607 // if not full, notify done 608 if (btstack_crypto_ccm->aad_remainder_len < 16){ 609 btstack_crypto_done(&btstack_crypto_ccm->btstack_crypto); 610 return; 611 } 612 613 // encrypt block 614 #ifdef DEBUG_CCM 615 printf("%16s: ", "Xn XOR Bn (aad)"); 616 printf_hexdump(btstack_crypto_ccm->x_i, 16); 617 #endif 618 619 btstack_crypto_ccm->aad_remainder_len = 0; 620 btstack_crypto_ccm->state = CCM_W4_AAD_XN; 621 btstack_crypto_aes128_start(btstack_crypto_ccm->key, btstack_crypto_ccm->x_i); 622 } 623 624 static void btstack_crypto_ccm_handle_s0(btstack_crypto_ccm_t * btstack_crypto_ccm, const uint8_t * data){ 625 // data is little-endian, flip on the fly 626 int i; 627 for (i=0;i<16;i++){ 628 btstack_crypto_ccm->x_i[i] = btstack_crypto_ccm->x_i[i] ^ data[15-i]; 629 } 630 btstack_crypto_done(&btstack_crypto_ccm->btstack_crypto); 631 } 632 633 static void btstack_crypto_ccm_handle_sn(btstack_crypto_ccm_t * btstack_crypto_ccm, const uint8_t * data){ 634 // data is little-endian, flip on the fly 635 int i; 636 uint16_t bytes_to_process = btstack_min(btstack_crypto_ccm->block_len, 16); 637 for (i=0;i<bytes_to_process;i++){ 638 btstack_crypto_ccm->output[i] = btstack_crypto_ccm->input[i] ^ data[15-i]; 639 } 640 } 641 642 static void btstack_crypto_ccm_next_block(btstack_crypto_ccm_t * btstack_crypto_ccm, btstack_crypto_ccm_state_t state_when_done){ 643 uint16_t bytes_to_process = btstack_min(btstack_crypto_ccm->block_len, 16); 644 // next block 645 btstack_crypto_ccm->counter++; 646 btstack_crypto_ccm->input += bytes_to_process; 647 btstack_crypto_ccm->output += bytes_to_process; 648 btstack_crypto_ccm->block_len -= bytes_to_process; 649 btstack_crypto_ccm->message_len -= bytes_to_process; 650 #ifdef DEBUG_CCM 651 printf("btstack_crypto_ccm_next_block (message len %u, block_len %u)\n", btstack_crypto_ccm->message_len, btstack_crypto_ccm->block_len); 652 #endif 653 if (btstack_crypto_ccm->message_len == 0){ 654 btstack_crypto_ccm->state = CCM_CALCULATE_S0; 655 } else { 656 btstack_crypto_ccm->state = state_when_done; 657 if (btstack_crypto_ccm->block_len == 0){ 658 btstack_crypto_done(&btstack_crypto_ccm->btstack_crypto); 659 } 660 } 661 } 662 663 static void btstack_crypto_run(void){ 664 665 btstack_crypto_aes128_t * btstack_crypto_aes128; 666 btstack_crypto_ccm_t * btstack_crypto_ccm; 667 btstack_crypto_aes128_cmac_t * btstack_crypto_cmac; 668 #ifdef ENABLE_ECC_P256 669 btstack_crypto_ecc_p256_t * btstack_crypto_ec_p192; 670 #endif 671 672 // stack up and running? 673 if (hci_get_state() != HCI_STATE_WORKING) return; 674 675 // try to do as much as possible 676 while (true){ 677 678 // anything to do? 679 if (btstack_linked_list_empty(&btstack_crypto_operations)) return; 680 681 // already active? 682 if (btstack_crypto_wait_for_hci_result) return; 683 684 // can send a command? 685 if (!hci_can_send_command_packet_now()) return; 686 687 // ok, find next task 688 btstack_crypto_t * btstack_crypto = (btstack_crypto_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations); 689 switch (btstack_crypto->operation){ 690 case BTSTACK_CRYPTO_RANDOM: 691 btstack_crypto_wait_for_hci_result = 1; 692 hci_send_cmd(&hci_le_rand); 693 break; 694 case BTSTACK_CRYPTO_AES128: 695 btstack_crypto_aes128 = (btstack_crypto_aes128_t *) btstack_crypto; 696 #ifdef USE_BTSTACK_AES128 697 btstack_aes128_calc(btstack_crypto_aes128->key, btstack_crypto_aes128->plaintext, btstack_crypto_aes128->ciphertext); 698 btstack_crypto_done(btstack_crypto); 699 #else 700 btstack_crypto_aes128_start(btstack_crypto_aes128->key, btstack_crypto_aes128->plaintext); 701 #endif 702 break; 703 case BTSTACK_CRYPTO_CMAC_MESSAGE: 704 case BTSTACK_CRYPTO_CMAC_GENERATOR: 705 btstack_crypto_wait_for_hci_result = 1; 706 btstack_crypto_cmac = (btstack_crypto_aes128_cmac_t *) btstack_crypto; 707 if (btstack_crypto_cmac_state == CMAC_IDLE){ 708 btstack_crypto_cmac_start(btstack_crypto_cmac); 709 } else { 710 btstack_crypto_cmac_handle_aes_engine_ready(btstack_crypto_cmac); 711 } 712 break; 713 714 case BTSTACK_CRYPTO_CCM_DIGEST_BLOCK: 715 case BTSTACK_CRYPTO_CCM_ENCRYPT_BLOCK: 716 case BTSTACK_CRYPTO_CCM_DECRYPT_BLOCK: 717 #ifdef USE_BTSTACK_AES128 718 UNUSED(btstack_crypto_ccm); 719 // NOTE: infinite output of this message 720 log_error("ccm not implemented for software aes128 yet"); 721 #else 722 btstack_crypto_ccm = (btstack_crypto_ccm_t *) btstack_crypto; 723 switch (btstack_crypto_ccm->state){ 724 case CCM_CALCULATE_AAD_XN: 725 btstack_crypto_ccm_calc_aad_xn(btstack_crypto_ccm); 726 break; 727 case CCM_CALCULATE_X1: 728 btstack_crypto_ccm_calc_x1(btstack_crypto_ccm); 729 break; 730 case CCM_CALCULATE_S0: 731 btstack_crypto_ccm_calc_s0(btstack_crypto_ccm); 732 break; 733 case CCM_CALCULATE_SN: 734 btstack_crypto_ccm_calc_sn(btstack_crypto_ccm); 735 break; 736 case CCM_CALCULATE_XN: 737 btstack_crypto_ccm_calc_xn(btstack_crypto_ccm, (btstack_crypto->operation == BTSTACK_CRYPTO_CCM_ENCRYPT_BLOCK) ? btstack_crypto_ccm->input : btstack_crypto_ccm->output); 738 break; 739 default: 740 break; 741 } 742 #endif 743 break; 744 745 #ifdef ENABLE_ECC_P256 746 case BTSTACK_CRYPTO_ECC_P256_GENERATE_KEY: 747 btstack_crypto_ec_p192 = (btstack_crypto_ecc_p256_t *) btstack_crypto; 748 switch (btstack_crypto_ecc_p256_key_generation_state){ 749 case ECC_P256_KEY_GENERATION_DONE: 750 // done 751 btstack_crypto_log_ec_publickey(btstack_crypto_ecc_p256_public_key); 752 (void)memcpy(btstack_crypto_ec_p192->public_key, 753 btstack_crypto_ecc_p256_public_key, 64); 754 btstack_linked_list_pop(&btstack_crypto_operations); 755 (*btstack_crypto_ec_p192->btstack_crypto.context_callback.callback)(btstack_crypto_ec_p192->btstack_crypto.context_callback.context); 756 break; 757 case ECC_P256_KEY_GENERATION_IDLE: 758 #ifdef USE_SOFTWARE_ECC_P256_IMPLEMENTATION 759 log_info("start ecc random"); 760 btstack_crypto_ecc_p256_key_generation_state = ECC_P256_KEY_GENERATION_GENERATING_RANDOM; 761 btstack_crypto_ecc_p256_random_offset = 0; 762 btstack_crypto_wait_for_hci_result = 1; 763 hci_send_cmd(&hci_le_rand); 764 #else 765 btstack_crypto_ecc_p256_key_generation_state = ECC_P256_KEY_GENERATION_W4_KEY; 766 btstack_crypto_wait_for_hci_result = 1; 767 hci_send_cmd(&hci_le_read_local_p256_public_key); 768 #endif 769 break; 770 #ifdef USE_SOFTWARE_ECC_P256_IMPLEMENTATION 771 case ECC_P256_KEY_GENERATION_GENERATING_RANDOM: 772 log_info("more ecc random"); 773 btstack_crypto_wait_for_hci_result = 1; 774 hci_send_cmd(&hci_le_rand); 775 break; 776 #endif 777 default: 778 break; 779 } 780 break; 781 case BTSTACK_CRYPTO_ECC_P256_CALCULATE_DHKEY: 782 btstack_crypto_ec_p192 = (btstack_crypto_ecc_p256_t *) btstack_crypto; 783 #ifdef USE_SOFTWARE_ECC_P256_IMPLEMENTATION 784 btstack_crypto_ecc_p256_calculate_dhkey_software(btstack_crypto_ec_p192); 785 // done 786 btstack_linked_list_pop(&btstack_crypto_operations); 787 (*btstack_crypto_ec_p192->btstack_crypto.context_callback.callback)(btstack_crypto_ec_p192->btstack_crypto.context_callback.context); 788 #else 789 btstack_crypto_wait_for_hci_result = 1; 790 hci_send_cmd(&hci_le_generate_dhkey, &btstack_crypto_ec_p192->public_key[0], &btstack_crypto_ec_p192->public_key[32]); 791 #endif 792 break; 793 794 #endif /* ENABLE_ECC_P256 */ 795 796 default: 797 break; 798 } 799 } 800 } 801 802 static void btstack_crypto_handle_random_data(const uint8_t * data, uint16_t len){ 803 btstack_crypto_random_t * btstack_crypto_random; 804 btstack_crypto_t * btstack_crypto = (btstack_crypto_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations); 805 uint16_t bytes_to_copy; 806 if (!btstack_crypto) return; 807 switch (btstack_crypto->operation){ 808 case BTSTACK_CRYPTO_RANDOM: 809 btstack_crypto_random = (btstack_crypto_random_t*) btstack_crypto; 810 bytes_to_copy = btstack_min(btstack_crypto_random->size, len); 811 (void)memcpy(btstack_crypto_random->buffer, data, bytes_to_copy); 812 btstack_crypto_random->buffer += bytes_to_copy; 813 btstack_crypto_random->size -= bytes_to_copy; 814 // data processed, more? 815 if (!btstack_crypto_random->size) { 816 // done 817 btstack_linked_list_pop(&btstack_crypto_operations); 818 (*btstack_crypto_random->btstack_crypto.context_callback.callback)(btstack_crypto_random->btstack_crypto.context_callback.context); 819 } 820 break; 821 #ifdef ENABLE_ECC_P256 822 case BTSTACK_CRYPTO_ECC_P256_GENERATE_KEY: 823 (void)memcpy(&btstack_crypto_ecc_p256_random[btstack_crypto_ecc_p256_random_len], 824 data, 8); 825 btstack_crypto_ecc_p256_random_len += 8; 826 if (btstack_crypto_ecc_p256_random_len >= 64) { 827 btstack_crypto_ecc_p256_key_generation_state = ECC_P256_KEY_GENERATION_ACTIVE; 828 btstack_crypto_ecc_p256_generate_key_software(); 829 btstack_crypto_ecc_p256_key_generation_state = ECC_P256_KEY_GENERATION_DONE; 830 } 831 break; 832 #endif 833 default: 834 break; 835 } 836 // more work? 837 btstack_crypto_run(); 838 } 839 840 static void btstack_crypto_handle_encryption_result(const uint8_t * data){ 841 btstack_crypto_aes128_t * btstack_crypto_aes128; 842 btstack_crypto_aes128_cmac_t * btstack_crypto_cmac; 843 btstack_crypto_ccm_t * btstack_crypto_ccm; 844 uint8_t result[16]; 845 846 btstack_crypto_t * btstack_crypto = (btstack_crypto_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations); 847 if (!btstack_crypto) return; 848 switch (btstack_crypto->operation){ 849 case BTSTACK_CRYPTO_AES128: 850 btstack_crypto_aes128 = (btstack_crypto_aes128_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations); 851 reverse_128(data, btstack_crypto_aes128->ciphertext); 852 btstack_crypto_done(btstack_crypto); 853 break; 854 case BTSTACK_CRYPTO_CMAC_GENERATOR: 855 case BTSTACK_CRYPTO_CMAC_MESSAGE: 856 btstack_crypto_cmac = (btstack_crypto_aes128_cmac_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations); 857 reverse_128(data, result); 858 btstack_crypto_cmac_handle_encryption_result(btstack_crypto_cmac, result); 859 break; 860 case BTSTACK_CRYPTO_CCM_DIGEST_BLOCK: 861 btstack_crypto_ccm = (btstack_crypto_ccm_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations); 862 switch (btstack_crypto_ccm->state){ 863 case CCM_W4_X1: 864 reverse_128(data, btstack_crypto_ccm->x_i); 865 #ifdef DEBUG_CCM 866 printf("%16s: ", "X1"); 867 printf_hexdump(btstack_crypto_ccm->x_i, 16); 868 #endif 869 btstack_crypto_ccm->aad_remainder_len = 0; 870 btstack_crypto_ccm->state = CCM_CALCULATE_AAD_XN; 871 break; 872 case CCM_W4_AAD_XN: 873 reverse_128(data, btstack_crypto_ccm->x_i); 874 #ifdef DEBUG_CCM 875 printf("%16s: ", "Xn+1 AAD"); 876 printf_hexdump(btstack_crypto_ccm->x_i, 16); 877 #endif 878 // more aad? 879 if (btstack_crypto_ccm->aad_offset < (btstack_crypto_ccm->aad_len + 2)){ 880 btstack_crypto_ccm->state = CCM_CALCULATE_AAD_XN; 881 } else { 882 // done 883 btstack_crypto_done(btstack_crypto); 884 } 885 break; 886 default: 887 break; 888 } 889 break; 890 case BTSTACK_CRYPTO_CCM_ENCRYPT_BLOCK: 891 btstack_crypto_ccm = (btstack_crypto_ccm_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations); 892 switch (btstack_crypto_ccm->state){ 893 case CCM_W4_X1: 894 reverse_128(data, btstack_crypto_ccm->x_i); 895 #ifdef DEBUG_CCM 896 printf("%16s: ", "X1"); 897 printf_hexdump(btstack_crypto_ccm->x_i, 16); 898 #endif 899 btstack_crypto_ccm->state = CCM_CALCULATE_XN; 900 break; 901 case CCM_W4_XN: 902 reverse_128(data, btstack_crypto_ccm->x_i); 903 #ifdef DEBUG_CCM 904 printf("%16s: ", "Xn+1"); 905 printf_hexdump(btstack_crypto_ccm->x_i, 16); 906 #endif 907 btstack_crypto_ccm->state = CCM_CALCULATE_SN; 908 break; 909 case CCM_W4_S0: 910 #ifdef DEBUG_CCM 911 reverse_128(data, result); 912 printf("%16s: ", "X0"); 913 printf_hexdump(btstack_crypto_ccm->x_i, 16); 914 #endif 915 btstack_crypto_ccm_handle_s0(btstack_crypto_ccm, data); 916 break; 917 case CCM_W4_SN: 918 #ifdef DEBUG_CCM 919 reverse_128(data, result); 920 printf("%16s: ", "Sn"); 921 printf_hexdump(btstack_crypto_ccm->x_i, 16); 922 #endif 923 btstack_crypto_ccm_handle_sn(btstack_crypto_ccm, data); 924 btstack_crypto_ccm_next_block(btstack_crypto_ccm, CCM_CALCULATE_XN); 925 break; 926 default: 927 break; 928 } 929 break; 930 case BTSTACK_CRYPTO_CCM_DECRYPT_BLOCK: 931 btstack_crypto_ccm = (btstack_crypto_ccm_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations); 932 switch (btstack_crypto_ccm->state){ 933 case CCM_W4_X1: 934 reverse_128(data, btstack_crypto_ccm->x_i); 935 #ifdef DEBUG_CCM 936 printf("%16s: ", "X1"); 937 printf_hexdump(btstack_crypto_ccm->x_i, 16); 938 #endif 939 btstack_crypto_ccm->state = CCM_CALCULATE_SN; 940 break; 941 case CCM_W4_XN: 942 reverse_128(data, btstack_crypto_ccm->x_i); 943 #ifdef DEBUG_CCM 944 printf("%16s: ", "Xn+1"); 945 printf_hexdump(btstack_crypto_ccm->x_i, 16); 946 #endif 947 btstack_crypto_ccm_next_block(btstack_crypto_ccm, CCM_CALCULATE_SN); 948 break; 949 case CCM_W4_S0: 950 btstack_crypto_ccm_handle_s0(btstack_crypto_ccm, data); 951 break; 952 case CCM_W4_SN: 953 btstack_crypto_ccm_handle_sn(btstack_crypto_ccm, data); 954 btstack_crypto_ccm->state = CCM_CALCULATE_XN; 955 break; 956 default: 957 break; 958 } 959 break; 960 default: 961 break; 962 } 963 } 964 965 static void btstack_crypto_event_handler(uint8_t packet_type, uint16_t cid, uint8_t *packet, uint16_t size){ 966 UNUSED(cid); // ok: there is no channel 967 UNUSED(size); // ok: fixed format events read from HCI buffer 968 969 #ifdef ENABLE_ECC_P256 970 #ifndef USE_SOFTWARE_ECC_P256_IMPLEMENTATION 971 btstack_crypto_ecc_p256_t * btstack_crypto_ec_p192; 972 #endif 973 #endif 974 975 if (packet_type != HCI_EVENT_PACKET) return; 976 977 switch (hci_event_packet_get_type(packet)){ 978 case BTSTACK_EVENT_STATE: 979 log_info("BTSTACK_EVENT_STATE"); 980 if (btstack_event_state_get_state(packet) != HCI_STATE_HALTING) break; 981 if (!btstack_crypto_wait_for_hci_result) break; 982 // request stack to defer shutdown a bit 983 hci_halting_defer(); 984 break; 985 986 case HCI_EVENT_COMMAND_COMPLETE: 987 if (HCI_EVENT_IS_COMMAND_COMPLETE(packet, hci_le_encrypt)){ 988 if (!btstack_crypto_wait_for_hci_result) return; 989 btstack_crypto_wait_for_hci_result = 0; 990 btstack_crypto_handle_encryption_result(&packet[6]); 991 } 992 if (HCI_EVENT_IS_COMMAND_COMPLETE(packet, hci_le_rand)){ 993 if (!btstack_crypto_wait_for_hci_result) return; 994 btstack_crypto_wait_for_hci_result = 0; 995 btstack_crypto_handle_random_data(&packet[6], 8); 996 } 997 if (HCI_EVENT_IS_COMMAND_COMPLETE(packet, hci_read_local_supported_commands)){ 998 int ecdh_operations_supported = (packet[OFFSET_OF_DATA_IN_COMMAND_COMPLETE+1+34] & 0x06) == 0x06; 999 log_info("controller supports ECDH operation: %u", ecdh_operations_supported); 1000 #ifdef ENABLE_ECC_P256 1001 #ifndef USE_SOFTWARE_ECC_P256_IMPLEMENTATION 1002 if (!ecdh_operations_supported){ 1003 // mbedTLS can also be used if already available (and malloc is supported) 1004 log_error("ECC-P256 support enabled, but HCI Controller doesn't support it. Please add ENABLE_MICRO_ECC_FOR_LE_SECURE_CONNECTIONS to btstack_config.h"); 1005 } 1006 #endif 1007 #endif 1008 } 1009 break; 1010 1011 #ifdef ENABLE_ECC_P256 1012 #ifndef USE_SOFTWARE_ECC_P256_IMPLEMENTATION 1013 case HCI_EVENT_LE_META: 1014 btstack_crypto_ec_p192 = (btstack_crypto_ecc_p256_t*) btstack_linked_list_get_first_item(&btstack_crypto_operations); 1015 if (!btstack_crypto_ec_p192) break; 1016 switch (hci_event_le_meta_get_subevent_code(packet)){ 1017 case HCI_SUBEVENT_LE_READ_LOCAL_P256_PUBLIC_KEY_COMPLETE: 1018 if (btstack_crypto_ec_p192->btstack_crypto.operation != BTSTACK_CRYPTO_ECC_P256_GENERATE_KEY) break; 1019 if (!btstack_crypto_wait_for_hci_result) return; 1020 btstack_crypto_wait_for_hci_result = 0; 1021 if (hci_subevent_le_read_local_p256_public_key_complete_get_status(packet)){ 1022 log_error("Read Local P256 Public Key failed"); 1023 } 1024 hci_subevent_le_read_local_p256_public_key_complete_get_dhkey_x(packet, &btstack_crypto_ecc_p256_public_key[0]); 1025 hci_subevent_le_read_local_p256_public_key_complete_get_dhkey_y(packet, &btstack_crypto_ecc_p256_public_key[32]); 1026 btstack_crypto_ecc_p256_key_generation_state = ECC_P256_KEY_GENERATION_DONE; 1027 break; 1028 case HCI_SUBEVENT_LE_GENERATE_DHKEY_COMPLETE: 1029 if (btstack_crypto_ec_p192->btstack_crypto.operation != BTSTACK_CRYPTO_ECC_P256_CALCULATE_DHKEY) break; 1030 if (!btstack_crypto_wait_for_hci_result) return; 1031 btstack_crypto_wait_for_hci_result = 0; 1032 if (hci_subevent_le_generate_dhkey_complete_get_status(packet)){ 1033 log_error("Generate DHKEY failed -> abort"); 1034 } 1035 hci_subevent_le_generate_dhkey_complete_get_dhkey(packet, btstack_crypto_ec_p192->dhkey); 1036 // done 1037 btstack_linked_list_pop(&btstack_crypto_operations); 1038 (*btstack_crypto_ec_p192->btstack_crypto.context_callback.callback)(btstack_crypto_ec_p192->btstack_crypto.context_callback.context); 1039 break; 1040 default: 1041 break; 1042 } 1043 break; 1044 #endif 1045 #endif 1046 default: 1047 break; 1048 } 1049 1050 // try processing 1051 btstack_crypto_run(); 1052 } 1053 1054 void btstack_crypto_init(void){ 1055 if (btstack_crypto_initialized) return; 1056 btstack_crypto_initialized = 1; 1057 1058 // register with HCI 1059 hci_event_callback_registration.callback = &btstack_crypto_event_handler; 1060 hci_add_event_handler(&hci_event_callback_registration); 1061 1062 #ifdef USE_MBEDTLS_ECC_P256 1063 mbedtls_ecp_group_init(&mbedtls_ec_group); 1064 mbedtls_ecp_group_load(&mbedtls_ec_group, MBEDTLS_ECP_DP_SECP256R1); 1065 #endif 1066 } 1067 1068 void btstack_crypto_random_generate(btstack_crypto_random_t * request, uint8_t * buffer, uint16_t size, void (* callback)(void * arg), void * callback_arg){ 1069 request->btstack_crypto.context_callback.callback = callback; 1070 request->btstack_crypto.context_callback.context = callback_arg; 1071 request->btstack_crypto.operation = BTSTACK_CRYPTO_RANDOM; 1072 request->buffer = buffer; 1073 request->size = size; 1074 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request); 1075 btstack_crypto_run(); 1076 } 1077 1078 void btstack_crypto_aes128_encrypt(btstack_crypto_aes128_t * request, const uint8_t * key, const uint8_t * plaintext, uint8_t * ciphertext, void (* callback)(void * arg), void * callback_arg){ 1079 request->btstack_crypto.context_callback.callback = callback; 1080 request->btstack_crypto.context_callback.context = callback_arg; 1081 request->btstack_crypto.operation = BTSTACK_CRYPTO_AES128; 1082 request->key = key; 1083 request->plaintext = plaintext; 1084 request->ciphertext = ciphertext; 1085 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request); 1086 btstack_crypto_run(); 1087 } 1088 1089 void btstack_crypto_aes128_cmac_generator(btstack_crypto_aes128_cmac_t * request, const uint8_t * key, uint16_t size, uint8_t (*get_byte_callback)(uint16_t pos), uint8_t * hash, void (* callback)(void * arg), void * callback_arg){ 1090 request->btstack_crypto.context_callback.callback = callback; 1091 request->btstack_crypto.context_callback.context = callback_arg; 1092 request->btstack_crypto.operation = BTSTACK_CRYPTO_CMAC_GENERATOR; 1093 request->key = key; 1094 request->size = size; 1095 request->data.get_byte_callback = get_byte_callback; 1096 request->hash = hash; 1097 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request); 1098 btstack_crypto_run(); 1099 } 1100 1101 void btstack_crypto_aes128_cmac_message(btstack_crypto_aes128_cmac_t * request, const uint8_t * key, uint16_t size, const uint8_t * message, uint8_t * hash, void (* callback)(void * arg), void * callback_arg){ 1102 request->btstack_crypto.context_callback.callback = callback; 1103 request->btstack_crypto.context_callback.context = callback_arg; 1104 request->btstack_crypto.operation = BTSTACK_CRYPTO_CMAC_MESSAGE; 1105 request->key = key; 1106 request->size = size; 1107 request->data.message = message; 1108 request->hash = hash; 1109 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request); 1110 btstack_crypto_run(); 1111 } 1112 1113 void btstack_crypto_aes128_cmac_zero(btstack_crypto_aes128_cmac_t * request, uint16_t len, const uint8_t * message, uint8_t * hash, void (* callback)(void * arg), void * callback_arg){ 1114 request->btstack_crypto.context_callback.callback = callback; 1115 request->btstack_crypto.context_callback.context = callback_arg; 1116 request->btstack_crypto.operation = BTSTACK_CRYPTO_CMAC_MESSAGE; 1117 request->key = zero; 1118 request->size = len; 1119 request->data.message = message; 1120 request->hash = hash; 1121 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request); 1122 btstack_crypto_run(); 1123 } 1124 1125 #ifdef ENABLE_ECC_P256 1126 void btstack_crypto_ecc_p256_generate_key(btstack_crypto_ecc_p256_t * request, uint8_t * public_key, void (* callback)(void * arg), void * callback_arg){ 1127 // reset key generation 1128 if (btstack_crypto_ecc_p256_key_generation_state == ECC_P256_KEY_GENERATION_DONE){ 1129 btstack_crypto_ecc_p256_random_len = 0; 1130 btstack_crypto_ecc_p256_key_generation_state = ECC_P256_KEY_GENERATION_IDLE; 1131 } 1132 request->btstack_crypto.context_callback.callback = callback; 1133 request->btstack_crypto.context_callback.context = callback_arg; 1134 request->btstack_crypto.operation = BTSTACK_CRYPTO_ECC_P256_GENERATE_KEY; 1135 request->public_key = public_key; 1136 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request); 1137 btstack_crypto_run(); 1138 } 1139 1140 void btstack_crypto_ecc_p256_calculate_dhkey(btstack_crypto_ecc_p256_t * request, const uint8_t * public_key, uint8_t * dhkey, void (* callback)(void * arg), void * callback_arg){ 1141 request->btstack_crypto.context_callback.callback = callback; 1142 request->btstack_crypto.context_callback.context = callback_arg; 1143 request->btstack_crypto.operation = BTSTACK_CRYPTO_ECC_P256_CALCULATE_DHKEY; 1144 request->public_key = (uint8_t *) public_key; 1145 request->dhkey = dhkey; 1146 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request); 1147 btstack_crypto_run(); 1148 } 1149 1150 int btstack_crypto_ecc_p256_validate_public_key(const uint8_t * public_key){ 1151 1152 // validate public key using micro-ecc 1153 int err = 0; 1154 1155 #ifdef USE_MICRO_ECC_P256 1156 #if uECC_SUPPORTS_secp256r1 1157 // standard version 1158 err = uECC_valid_public_key(public_key, uECC_secp256r1()) == 0; 1159 #else 1160 // static version 1161 err = uECC_valid_public_key(public_key) == 0; 1162 #endif 1163 #endif 1164 1165 #ifdef USE_MBEDTLS_ECC_P256 1166 mbedtls_ecp_point Q; 1167 mbedtls_ecp_point_init( &Q ); 1168 mbedtls_mpi_read_binary(&Q.X, &public_key[0], 32); 1169 mbedtls_mpi_read_binary(&Q.Y, &public_key[32], 32); 1170 mbedtls_mpi_lset(&Q.Z, 1); 1171 err = mbedtls_ecp_check_pubkey(&mbedtls_ec_group, &Q); 1172 mbedtls_ecp_point_free( & Q); 1173 #endif 1174 1175 if (err){ 1176 log_error("public key invalid %x", err); 1177 } 1178 return err; 1179 } 1180 #endif 1181 1182 void btstack_crypto_ccm_init(btstack_crypto_ccm_t * request, const uint8_t * key, const uint8_t * nonce, uint16_t message_len, uint16_t additional_authenticated_data_len, uint8_t auth_len){ 1183 request->key = key; 1184 request->nonce = nonce; 1185 request->message_len = message_len; 1186 request->aad_len = additional_authenticated_data_len; 1187 request->aad_offset = 0; 1188 request->auth_len = auth_len; 1189 request->counter = 1; 1190 request->state = CCM_CALCULATE_X1; 1191 } 1192 1193 void btstack_crypto_ccm_digest(btstack_crypto_ccm_t * request, uint8_t * additional_authenticated_data, uint16_t additional_authenticated_data_len, void (* callback)(void * arg), void * callback_arg){ 1194 // not implemented yet 1195 request->btstack_crypto.context_callback.callback = callback; 1196 request->btstack_crypto.context_callback.context = callback_arg; 1197 request->btstack_crypto.operation = BTSTACK_CRYPTO_CCM_DIGEST_BLOCK; 1198 request->block_len = additional_authenticated_data_len; 1199 request->input = additional_authenticated_data; 1200 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request); 1201 btstack_crypto_run(); 1202 } 1203 1204 void btstack_crypto_ccm_get_authentication_value(btstack_crypto_ccm_t * request, uint8_t * authentication_value){ 1205 (void)memcpy(authentication_value, request->x_i, request->auth_len); 1206 } 1207 1208 void btstack_crypto_ccm_encrypt_block(btstack_crypto_ccm_t * request, uint16_t block_len, const uint8_t * plaintext, uint8_t * ciphertext, void (* callback)(void * arg), void * callback_arg){ 1209 #ifdef DEBUG_CCM 1210 printf("\nbtstack_crypto_ccm_encrypt_block, len %u\n", block_len); 1211 #endif 1212 request->btstack_crypto.context_callback.callback = callback; 1213 request->btstack_crypto.context_callback.context = callback_arg; 1214 request->btstack_crypto.operation = BTSTACK_CRYPTO_CCM_ENCRYPT_BLOCK; 1215 request->block_len = block_len; 1216 request->input = plaintext; 1217 request->output = ciphertext; 1218 if (request->state != CCM_CALCULATE_X1){ 1219 request->state = CCM_CALCULATE_XN; 1220 } 1221 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request); 1222 btstack_crypto_run(); 1223 } 1224 1225 void btstack_crypto_ccm_decrypt_block(btstack_crypto_ccm_t * request, uint16_t block_len, const uint8_t * ciphertext, uint8_t * plaintext, void (* callback)(void * arg), void * callback_arg){ 1226 request->btstack_crypto.context_callback.callback = callback; 1227 request->btstack_crypto.context_callback.context = callback_arg; 1228 request->btstack_crypto.operation = BTSTACK_CRYPTO_CCM_DECRYPT_BLOCK; 1229 request->block_len = block_len; 1230 request->input = ciphertext; 1231 request->output = plaintext; 1232 if (request->state != CCM_CALCULATE_X1){ 1233 request->state = CCM_CALCULATE_SN; 1234 } 1235 btstack_linked_list_add_tail(&btstack_crypto_operations, (btstack_linked_item_t*) request); 1236 btstack_crypto_run(); 1237 } 1238 1239 // PTS only 1240 void btstack_crypto_ecc_p256_set_key(const uint8_t * public_key, const uint8_t * private_key){ 1241 #ifdef USE_SOFTWARE_ECC_P256_IMPLEMENTATION 1242 (void)memcpy(btstack_crypto_ecc_p256_d, private_key, 32); 1243 (void)memcpy(btstack_crypto_ecc_p256_public_key, public_key, 64); 1244 btstack_crypto_ecc_p256_key_generation_state = ECC_P256_KEY_GENERATION_DONE; 1245 #else 1246 UNUSED(public_key); 1247 UNUSED(private_key); 1248 #endif 1249 } 1250 // Unit testing 1251 int btstack_crypto_idle(void){ 1252 return btstack_linked_list_empty(&btstack_crypto_operations); 1253 } 1254 void btstack_crypto_reset(void){ 1255 btstack_crypto_operations = NULL; 1256 btstack_crypto_wait_for_hci_result = 0; 1257 } 1258