/*
* Copyright (C) 2014 BlueKitchen GmbH
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the copyright holders nor the names of
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
* 4. Any redistribution, use, or modification is done solely for
* personal benefit and not for any commercial purpose or for
* monetary gain.
*
* THIS SOFTWARE IS PROVIDED BY BLUEKITCHEN GMBH AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL MATTHIAS
* RINGWALD OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
* OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
* AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
* THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* Please inquire about commercial licensing options at
* contact@bluekitchen-gmbh.com
*
*/
#include <stdio.h>
#include <string.h>
#include <btstack/linked_list.h>
#include "debug.h"
#include "hci.h"
#include "l2cap.h"
#include "le_device_db.h"
#include "sm.h"
#include "gap_le.h"
//
// SM internal types and globals
//
typedef enum {
DKG_W4_WORKING,
DKG_CALC_IRK,
DKG_W4_IRK,
DKG_CALC_DHK,
DKG_W4_DHK,
DKG_READY
} derived_key_generation_t;
typedef enum {
RAU_W4_WORKING,
RAU_IDLE,
RAU_GET_RANDOM,
RAU_W4_RANDOM,
RAU_GET_ENC,
RAU_W4_ENC,
RAU_SET_ADDRESS,
} random_address_update_t;
typedef enum {
CMAC_IDLE,
CMAC_CALC_SUBKEYS,
CMAC_W4_SUBKEYS,
CMAC_CALC_MI,
CMAC_W4_MI,
CMAC_CALC_MLAST,
CMAC_W4_MLAST
} cmac_state_t;
typedef enum {
JUST_WORKS,
PK_RESP_INPUT, // Initiator displays PK, initiator inputs PK
PK_INIT_INPUT, // Responder displays PK, responder inputs PK
OK_BOTH_INPUT, // Only input on both, both input PK
OOB // OOB available on both sides
} stk_generation_method_t;
typedef enum {
SM_USER_RESPONSE_IDLE,
SM_USER_RESPONSE_PENDING,
SM_USER_RESPONSE_CONFIRM,
SM_USER_RESPONSE_PASSKEY,
SM_USER_RESPONSE_DECLINE
} sm_user_response_t;
typedef enum {
SM_AES128_IDLE,
SM_AES128_ACTIVE
} sm_aes128_state_t;
//
// GLOBAL DATA
//
// configuration
static uint8_t sm_accepted_stk_generation_methods;
static uint8_t sm_max_encryption_key_size;
static uint8_t sm_min_encryption_key_size;
static uint8_t sm_auth_req = 0;
static uint8_t sm_io_capabilities = IO_CAPABILITY_NO_INPUT_NO_OUTPUT;
static uint8_t sm_slave_request_security;
static uint8_t sm_authenticate_outgoing_connections = 0; // might go away
// Security Manager Master Keys, please use sm_set_er(er) and sm_set_ir(ir) with your own 128 bit random values
static sm_key_t sm_persistent_er;
static sm_key_t sm_persistent_ir;
// derived from sm_persistent_ir
static sm_key_t sm_persistent_dhk;
static sm_key_t sm_persistent_irk;
static uint8_t sm_persistent_irk_ready = 0; // used for testing
static derived_key_generation_t dkg_state;
// derived from sm_persistent_er
// ..
// random address update
static random_address_update_t rau_state;
static bd_addr_t sm_random_address;
// CMAC calculation
static cmac_state_t sm_cmac_state;
static sm_key_t sm_cmac_k;
static uint16_t sm_cmac_message_len;
static uint8_t * sm_cmac_message;
static uint8_t sm_cmac_sign_counter[4];
static sm_key_t sm_cmac_m_last;
static sm_key_t sm_cmac_x;
static uint8_t sm_cmac_block_current;
static uint8_t sm_cmac_block_count;
static void (*sm_cmac_done_handler)(uint8_t hash[8]);
// resolvable private address lookup
static int sm_central_device_test;
static int sm_central_device_matched;
static int sm_central_ah_calculation_active;
static uint8_t sm_central_device_addr_type;
static bd_addr_t sm_central_device_address;
// aes128 crypto engine. store current sm_connection_t in sm_aes128_connection_source
static sm_aes128_state_t sm_aes128_state;
static sm_connection_t * sm_aes128_connection_source;
// random engine. store current sm_connection_t in sm_random
static sm_connection_t * sm_random_connection_source;
// CSRK calculation
static sm_connection_t * sm_csrk_connection_source;
//
// Volume 3, Part H, Chapter 24
// "Security shall be initiated by the Security Manager in the device in the master role.
// The device in the slave role shall be the responding device."
// -> master := initiator, slave := responder
//
// data needed for security setup
typedef struct sm_setup_context {
timer_source_t sm_timeout;
// used in all phases
uint8_t sm_pairing_failed_reason;
// user response, (Phase 1 and/or 2)
uint8_t sm_user_response;
// defines which keys will be send after connection is encrypted - calculated during Phase 1, used Phase 3
int sm_key_distribution_send_set;
int sm_key_distribution_received_set;
// Phase 2 (Pairing over SMP)
stk_generation_method_t sm_stk_generation_method;
sm_key_t sm_tk;
sm_key_t sm_c1_t3_value; // c1 calculation
sm_pairing_packet_t sm_m_preq; // pairing request - needed only for c1
sm_pairing_packet_t sm_s_pres; // pairing response - needed only for c1
sm_key_t sm_local_random;
sm_key_t sm_local_confirm;
sm_key_t sm_peer_random;
sm_key_t sm_peer_confirm;
uint8_t sm_m_addr_type; // address and type can be removed
uint8_t sm_s_addr_type; // ''
bd_addr_t sm_m_address; // ''
bd_addr_t sm_s_address; // ''
sm_key_t sm_ltk;
// Phase 3
// key distribution, we generate
uint16_t sm_local_y;
uint16_t sm_local_div;
uint16_t sm_local_ediv;
uint8_t sm_local_rand[8];
sm_key_t sm_local_ltk;
sm_key_t sm_local_csrk;
sm_key_t sm_local_irk;
// sm_local_address/addr_type not needed
// key distribution, received from peer
uint16_t sm_peer_y;
uint16_t sm_peer_div;
uint16_t sm_peer_ediv;
uint8_t sm_peer_rand[8];
sm_key_t sm_peer_ltk;
sm_key_t sm_peer_irk;
sm_key_t sm_peer_csrk;
uint8_t sm_peer_addr_type;
bd_addr_t sm_peer_address;
} sm_setup_context_t;
//
static sm_setup_context_t the_setup;
static sm_setup_context_t * setup = &the_setup;
// active connection - the one for which the_setup is used for
static uint16_t sm_active_connection = 0;
// @returns 1 if oob data is available
// stores oob data in provided 16 byte buffer if not null
static int (*sm_get_oob_data)(uint8_t addres_type, bd_addr_t addr, uint8_t * oob_data) = NULL;
// used to notify applicationss that user interaction is neccessary, see sm_notify_t below
static btstack_packet_handler_t sm_client_packet_handler = NULL;
// horizontal: initiator capabilities
// vertial: responder capabilities
static const stk_generation_method_t stk_generation_method[5][5] = {
{ JUST_WORKS, JUST_WORKS, PK_INIT_INPUT, JUST_WORKS, PK_INIT_INPUT },
{ JUST_WORKS, JUST_WORKS, PK_INIT_INPUT, JUST_WORKS, PK_INIT_INPUT },
{ PK_RESP_INPUT, PK_RESP_INPUT, OK_BOTH_INPUT, JUST_WORKS, PK_RESP_INPUT },
{ JUST_WORKS, JUST_WORKS, JUST_WORKS, JUST_WORKS, JUST_WORKS },
{ PK_RESP_INPUT, PK_RESP_INPUT, PK_INIT_INPUT, JUST_WORKS, PK_RESP_INPUT },
};
static void sm_run(void);
static void sm_done_for_handle(uint16_t handle);
static void sm_notify_client(uint8_t type, uint8_t addr_type, bd_addr_t address, uint32_t passkey, uint16_t index);
static sm_connection_t * sm_get_connection_for_handle(uint16_t handle);
static inline int sm_calc_actual_encryption_key_size(int other);
static int sm_validate_stk_generation_method(void);
static void log_info_hex16(const char * name, uint16_t value){
log_info("%-6s 0x%04x", name, value);
}
// @returns 1 if all bytes are 0
static int sm_is_null_random(uint8_t random[8]){
int i;
for (i=0; i < 8 ; i++){
if (random[i]) return 0;
}
return 1;
}
// Key utils
static void sm_reset_tk(){
int i;
for (i=0;i<16;i++){
setup->sm_tk[i] = 0;
}
}
// "For example, if a 128-bit encryption key is 0x123456789ABCDEF0123456789ABCDEF0
// and it is reduced to 7 octets (56 bits), then the resulting key is 0x0000000000000000003456789ABCDEF0.""
static void sm_truncate_key(sm_key_t key, int max_encryption_size){
int i;
for (i = max_encryption_size ; i < 16 ; i++){
key[15-i] = 0;
}
}
// SMP Timeout implementation
// Upon transmission of the Pairing Request command or reception of the Pairing Request command,
// the Security Manager Timer shall be reset and started.
//
// The Security Manager Timer shall be reset when an L2CAP SMP command is queued for transmission.
//
// If the Security Manager Timer reaches 30 seconds, the procedure shall be considered to have failed,
// and the local higher layer shall be notified. No further SMP commands shall be sent over the L2CAP
// Security Manager Channel. A new SM procedure shall only be performed when a new physical link has been
// established.
static void sm_timeout_handler(timer_source_t * timer){
log_info("SM timeout");
sm_connection_t * sm_conn = (sm_connection_t *) linked_item_get_user((linked_item_t*) timer);
sm_conn->sm_engine_state = SM_GENERAL_TIMEOUT;
sm_done_for_handle(sm_conn->sm_handle);
// trigger handling of next ready connection
sm_run();
}
static void sm_timeout_start(sm_connection_t * sm_conn){
run_loop_remove_timer(&setup->sm_timeout);
run_loop_set_timer_handler(&setup->sm_timeout, sm_timeout_handler);
run_loop_set_timer(&setup->sm_timeout, 30000); // 30 seconds sm timeout
linked_item_set_user((linked_item_t*) &setup->sm_timeout, sm_conn);
run_loop_add_timer(&setup->sm_timeout);
}
static void sm_timeout_stop(){
run_loop_remove_timer(&setup->sm_timeout);
}
static void sm_timeout_reset(sm_connection_t * sm_conn){
sm_timeout_stop();
sm_timeout_start(sm_conn);
}
// end of sm timeout
// GAP Random Address updates
static gap_random_address_type_t gap_random_adress_type;
static timer_source_t gap_random_address_update_timer;
static uint32_t gap_random_adress_update_period;
static void gap_random_address_trigger(){
if (rau_state != RAU_IDLE) return;
log_info("gap_random_address_trigger");
rau_state = RAU_GET_RANDOM;
sm_run();
}
static void gap_random_address_update_handler(timer_source_t * timer){
log_info("GAP Random Address Update due");
run_loop_set_timer(&gap_random_address_update_timer, gap_random_adress_update_period);
run_loop_add_timer(&gap_random_address_update_timer);
gap_random_address_trigger();
}
static void gap_random_address_update_start(){
run_loop_set_timer_handler(&gap_random_address_update_timer, gap_random_address_update_handler);
run_loop_set_timer(&gap_random_address_update_timer, gap_random_adress_update_period);
run_loop_add_timer(&gap_random_address_update_timer);
}
static void gap_random_address_update_stop(){
run_loop_remove_timer(&gap_random_address_update_timer);
}
static void sm_random_start(sm_connection_t * sm_conn){
sm_random_connection_source = sm_conn;
hci_send_cmd(&hci_le_rand);
}
// pre: sm_aes128_state != SM_AES128_ACTIVE, hci_can_send_command == 1
// sm_conn is made availabe to aes128 result handler by this
static void sm_aes128_start(sm_key_t key, sm_key_t plaintext, sm_connection_t * sm_conn){
sm_aes128_state = SM_AES128_ACTIVE;
sm_key_t key_flipped, plaintext_flipped;
swap128(key, key_flipped);
swap128(plaintext, plaintext_flipped);
sm_aes128_connection_source = sm_conn;
hci_send_cmd(&hci_le_encrypt, key_flipped, plaintext_flipped);
}
// ah(k,r) helper
// r = padding || r
// r - 24 bit value
static void sm_ah_r_prime(uint8_t r[3], sm_key_t r_prime){
// r'= padding || r
memset(r_prime, 0, 16);
memcpy(&r_prime[13], r, 3);
}
// d1 helper
// d' = padding || r || d
// d,r - 16 bit values
static void sm_d1_d_prime(uint16_t d, uint16_t r, sm_key_t d1_prime){
// d'= padding || r || d
memset(d1_prime, 0, 16);
net_store_16(d1_prime, 12, r);
net_store_16(d1_prime, 14, d);
}
// dm helper
// r’ = padding || r
// r - 64 bit value
static void sm_dm_r_prime(uint8_t r[8], sm_key_t r_prime){
memset(r_prime, 0, 16);
memcpy(&r_prime[8], r, 8);
}
// calculate arguments for first AES128 operation in C1 function
static void sm_c1_t1(sm_key_t r, uint8_t preq[7], uint8_t pres[7], uint8_t iat, uint8_t rat, sm_key_t t1){
// p1 = pres || preq || rat’ || iat’
// "The octet of iat’ becomes the least significant octet of p1 and the most signifi-
// cant octet of pres becomes the most significant octet of p1.
// For example, if the 8-bit iat’ is 0x01, the 8-bit rat’ is 0x00, the 56-bit preq
// is 0x07071000000101 and the 56 bit pres is 0x05000800000302 then
// p1 is 0x05000800000302070710000001010001."
sm_key_t p1;
swap56(pres, &p1[0]);
swap56(preq, &p1[7]);
p1[14] = rat;
p1[15] = iat;
log_key("p1", p1);
log_key("r", r);
// t1 = r xor p1
int i;
for (i=0;i<16;i++){
t1[i] = r[i] ^ p1[i];
}
log_key("t1", t1);
}
// calculate arguments for second AES128 operation in C1 function
static void sm_c1_t3(sm_key_t t2, bd_addr_t ia, bd_addr_t ra, sm_key_t t3){
// p2 = padding || ia || ra
// "The least significant octet of ra becomes the least significant octet of p2 and
// the most significant octet of padding becomes the most significant octet of p2.
// For example, if 48-bit ia is 0xA1A2A3A4A5A6 and the 48-bit ra is
// 0xB1B2B3B4B5B6 then p2 is 0x00000000A1A2A3A4A5A6B1B2B3B4B5B6.
sm_key_t p2;
memset(p2, 0, 16);
memcpy(&p2[4], ia, 6);
memcpy(&p2[10], ra, 6);
log_key("p2", p2);
// c1 = e(k, t2_xor_p2)
int i;
for (i=0;i<16;i++){
t3[i] = t2[i] ^ p2[i];
}
log_key("t3", t3);
}
static void sm_s1_r_prime(sm_key_t r1, sm_key_t r2, sm_key_t r_prime){
log_key("r1", r1);
log_key("r2", r2);
memcpy(&r_prime[8], &r2[8], 8);
memcpy(&r_prime[0], &r1[8], 8);
}
static void sm_notify_client(uint8_t type, uint8_t addr_type, bd_addr_t address, uint32_t passkey, uint16_t index){
sm_event_t event;
event.type = type;
event.addr_type = addr_type;
BD_ADDR_COPY(event.address, address);
event.passkey = passkey;
event.le_device_db_index = index;
log_info("sm_notify_client %02x, addres_type %u, address %s, num '%06u', index %u", event.type, event.addr_type, bd_addr_to_str(event.address), event.passkey, event.le_device_db_index);
if (!sm_client_packet_handler) return;
sm_client_packet_handler(HCI_EVENT_PACKET, 0, (uint8_t*) &event, sizeof(event));
}
static void sm_notify_client_authorization(uint8_t type, uint8_t addr_type, bd_addr_t address, uint8_t result){
sm_event_t event;
event.type = type;
event.addr_type = addr_type;
BD_ADDR_COPY(event.address, address);
event.authorization_result = result;
log_info("sm_notify_client_authorization %02x, address_type %u, address %s, result %u", event.type, event.addr_type, bd_addr_to_str(event.address), event.authorization_result);
if (!sm_client_packet_handler) return;
sm_client_packet_handler(HCI_EVENT_PACKET, 0, (uint8_t*) &event, sizeof(event));
}
// decide on stk generation based on
// - pairing request
// - io capabilities
// - OOB data availability
static void sm_setup_tk(){
// default: just works
setup->sm_stk_generation_method = JUST_WORKS;
// If both devices have out of band authentication data, then the Authentication
// Requirements Flags shall be ignored when selecting the pairing method and the
// Out of Band pairing method shall be used.
if (setup->sm_m_preq.oob_data_flag && setup->sm_s_pres.oob_data_flag){
log_info("SM: have OOB data");
log_key("OOB", setup->sm_tk);
setup->sm_stk_generation_method = OOB;
return;
}
// If both devices have not set the MITM option in the Authentication Requirements
// Flags, then the IO capabilities shall be ignored and the Just Works association
// model shall be used.
if ( ((setup->sm_m_preq.auth_req & SM_AUTHREQ_MITM_PROTECTION) == 0x00) && ((setup->sm_s_pres.auth_req & SM_AUTHREQ_MITM_PROTECTION) == 0)){
return;
}
// Also use just works if unknown io capabilites
if ((setup->sm_m_preq.io_capability > IO_CAPABILITY_KEYBOARD_DISPLAY) || (setup->sm_m_preq.io_capability > IO_CAPABILITY_KEYBOARD_DISPLAY)){
return;
}
// Otherwise the IO capabilities of the devices shall be used to determine the
// pairing method as defined in Table 2.4.
setup->sm_stk_generation_method = stk_generation_method[setup->sm_s_pres.io_capability][setup->sm_m_preq.io_capability];
log_info("sm_setup_tk: master io cap: %u, slave io cap: %u -> method %u",
setup->sm_m_preq.io_capability, setup->sm_s_pres.io_capability, setup->sm_stk_generation_method);
}
static int sm_key_distribution_flags_for_set(uint8_t key_set){
int flags = 0;
if (key_set & SM_KEYDIST_ENC_KEY){
flags |= SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION;
flags |= SM_KEYDIST_FLAG_MASTER_IDENTIFICATION;
}
if (key_set & SM_KEYDIST_ID_KEY){
flags |= SM_KEYDIST_FLAG_IDENTITY_INFORMATION;
flags |= SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION;
}
if (key_set & SM_KEYDIST_SIGN){
flags |= SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION;
}
return flags;
}
static void sm_setup_key_distribution(uint8_t key_set){
setup->sm_key_distribution_received_set = 0;
setup->sm_key_distribution_send_set = sm_key_distribution_flags_for_set(key_set);
}
// CSRK Key Lookup
/* static */ int sm_central_device_lookup_active(){
return sm_central_device_test >= 0;
}
static void sm_central_device_start_lookup(sm_connection_t * sm_conn, uint8_t addr_type, bd_addr_t addr){
memcpy(sm_central_device_address, addr, 6);
sm_central_device_addr_type = addr_type;
sm_central_device_test = 0;
sm_central_device_matched = -1;
sm_csrk_connection_source = sm_conn;
sm_notify_client(SM_IDENTITY_RESOLVING_STARTED, addr_type, addr, 0, 0);
}
// CMAC Implementation using AES128 engine
static void sm_shift_left_by_one_bit_inplace(int len, uint8_t * data){
int i;
int carry = 0;
for (i=len-1; i >= 0 ; i--){
int new_carry = data[i] >> 7;
data[i] = data[i] << 1 | carry;
carry = new_carry;
}
}
// while x_state++ for an enum is possible in C, it isn't in C++. we use this helpers to avoid compile errors for now
static inline void sm_next_responding_state(sm_connection_t * sm_conn){
sm_conn->sm_engine_state = (security_manager_state_t) (((int)sm_conn->sm_engine_state) + 1);
}
static inline void dkg_next_state(){
dkg_state = (derived_key_generation_t) (((int)dkg_state) + 1);
}
static inline void rau_next_state(){
rau_state = (random_address_update_t) (((int)rau_state) + 1);
}
static inline void sm_cmac_next_state(){
sm_cmac_state = (cmac_state_t) (((int)sm_cmac_state) + 1);
}
static int sm_cmac_last_block_complete(){
if (sm_cmac_message_len == 0) return 0;
return (sm_cmac_message_len & 0x0f) == 0;
}
static inline uint8_t sm_cmac_message_get_byte(int offset){
if (offset >= sm_cmac_message_len) {
log_error("sm_cmac_message_get_byte. out of bounds, access %u, len %u", offset, sm_cmac_message_len);
return 0;
}
int actual_len = sm_cmac_message_len - 4;
if (offset < actual_len) {
return sm_cmac_message[offset];
} else {
return sm_cmac_message[offset - actual_len];
}
}
void sm_cmac_start(sm_key_t k, uint16_t message_len, uint8_t * message, uint32_t sign_counter, void (*done_handler)(uint8_t hash[8])){
memcpy(sm_cmac_k, k, 16);
sm_cmac_message_len = message_len + 4; // incl. virtually appended sign_counter in LE
sm_cmac_message = message;
bt_store_32(sm_cmac_sign_counter, 0, sign_counter);
sm_cmac_done_handler = done_handler;
sm_cmac_block_current = 0;
memset(sm_cmac_x, 0, 16);
// step 2: n := ceil(len/const_Bsize);
sm_cmac_block_count = (sm_cmac_message_len + 15) / 16;
// step 3: ..
if (sm_cmac_block_count==0){
sm_cmac_block_count = 1;
}
// first, we need to compute l for k1, k2, and m_last
sm_cmac_state = CMAC_CALC_SUBKEYS;
// let's go
sm_run();
}
int sm_cmac_ready(){
return sm_cmac_state == CMAC_IDLE;
}
static void sm_cmac_handle_aes_engine_ready(){
switch (sm_cmac_state){
case CMAC_CALC_SUBKEYS: {
sm_key_t const_zero;
memset(const_zero, 0, 16);
sm_cmac_next_state();
sm_aes128_start(sm_cmac_k, const_zero, NULL);
break;
}
case CMAC_CALC_MI: {
int j;
sm_key_t y;
for (j=0;j<16;j++){
y[j] = sm_cmac_x[j] ^ sm_cmac_message_get_byte(sm_cmac_block_current*16 + j);
}
sm_cmac_block_current++;
sm_cmac_next_state();
sm_aes128_start(sm_cmac_k, y, NULL);
break;
}
case CMAC_CALC_MLAST: {
int i;
sm_key_t y;
for (i=0;i<16;i++){
y[i] = sm_cmac_x[i] ^ sm_cmac_m_last[i];
}
log_key("Y", y);
sm_cmac_block_current++;
sm_cmac_next_state();
sm_aes128_start(sm_cmac_k, y, NULL);
break;
}
default:
log_info("sm_cmac_handle_aes_engine_ready called in state %u", sm_cmac_state);
break;
}
}
static void sm_cmac_handle_encryption_result(sm_key_t data){
switch (sm_cmac_state){
case CMAC_W4_SUBKEYS: {
sm_key_t k1;
memcpy(k1, data, 16);
sm_shift_left_by_one_bit_inplace(16, k1);
if (data[0] & 0x80){
k1[15] ^= 0x87;
}
sm_key_t k2;
memcpy(k2, k1, 16);
sm_shift_left_by_one_bit_inplace(16, k2);
if (k1[0] & 0x80){
k2[15] ^= 0x87;
}
log_key("k", sm_cmac_k);
log_key("k1", k1);
log_key("k2", k2);
// step 4: set m_last
int i;
if (sm_cmac_last_block_complete()){
for (i=0;i<16;i++){
sm_cmac_m_last[i] = sm_cmac_message_get_byte(sm_cmac_message_len - 16 + i) ^ k1[i];
}
} else {
int valid_octets_in_last_block = sm_cmac_message_len & 0x0f;
for (i=0;i<16;i++){
if (i < valid_octets_in_last_block){
sm_cmac_m_last[i] = sm_cmac_message_get_byte((sm_cmac_message_len & 0xfff0) + i) ^ k2[i];
continue;
}
if (i == valid_octets_in_last_block){
sm_cmac_m_last[i] = 0x80 ^ k2[i];
continue;
}
sm_cmac_m_last[i] = k2[i];
}
}
// next
sm_cmac_state = sm_cmac_block_current < sm_cmac_block_count - 1 ? CMAC_CALC_MI : CMAC_CALC_MLAST;
break;
}
case CMAC_W4_MI:
memcpy(sm_cmac_x, data, 16);
sm_cmac_state = sm_cmac_block_current < sm_cmac_block_count - 1 ? CMAC_CALC_MI : CMAC_CALC_MLAST;
break;
case CMAC_W4_MLAST:
// done
log_key("CMAC", data);
sm_cmac_done_handler(data);
break;
default:
log_info("sm_cmac_handle_encryption_result called in state %u", sm_cmac_state);
break;
}
}
static void sm_trigger_user_response(sm_connection_t * sm_conn){
// notify client for: JUST WORKS confirm, PASSKEY display or input
setup->sm_user_response = SM_USER_RESPONSE_IDLE;
switch (setup->sm_stk_generation_method){
case PK_RESP_INPUT:
if (sm_conn->sm_role){
setup->sm_user_response = SM_USER_RESPONSE_PENDING;
sm_notify_client(SM_PASSKEY_INPUT_NUMBER, setup->sm_m_addr_type, setup->sm_m_address, 0, 0);
} else {
sm_notify_client(SM_PASSKEY_DISPLAY_NUMBER, setup->sm_m_addr_type, setup->sm_m_address, READ_NET_32(setup->sm_tk, 12), 0);
}
break;
case PK_INIT_INPUT:
if (sm_conn->sm_role){
sm_notify_client(SM_PASSKEY_DISPLAY_NUMBER, setup->sm_m_addr_type, setup->sm_m_address, READ_NET_32(setup->sm_tk, 12), 0);
} else {
setup->sm_user_response = SM_USER_RESPONSE_PENDING;
sm_notify_client(SM_PASSKEY_INPUT_NUMBER, setup->sm_m_addr_type, setup->sm_m_address, 0, 0);
}
break;
case JUST_WORKS:
switch (setup->sm_s_pres.io_capability){
case IO_CAPABILITY_KEYBOARD_DISPLAY:
case IO_CAPABILITY_DISPLAY_YES_NO:
setup->sm_user_response = SM_USER_RESPONSE_PENDING;
sm_notify_client(SM_JUST_WORKS_REQUEST, setup->sm_m_addr_type, setup->sm_m_address, READ_NET_32(setup->sm_tk, 12), 0);
break;
default:
// cannot ask user
break;
}
break;
default:
break;
}
}
static int sm_key_distribution_all_received(){
int recv_flags = sm_key_distribution_flags_for_set(setup->sm_m_preq.initiator_key_distribution);
return recv_flags == setup->sm_key_distribution_received_set;
}
static void sm_done_for_handle(uint16_t handle){
if (sm_active_connection == handle){
sm_timeout_stop();
sm_active_connection = 0;
log_info("sm: connection 0x%x released setup context", handle);
}
}
static void sm_init_setup(sm_connection_t * sm_conn){
// fill in sm setup
sm_reset_tk();
// query client for OOB data
int have_oob_data = 0;
if (sm_get_oob_data) {
have_oob_data = (*sm_get_oob_data)(sm_conn->sm_peer_addr_type, sm_conn->sm_peer_address, setup->sm_tk);
}
sm_pairing_packet_t * local_packet;
if (sm_conn->sm_role){
// slave
local_packet = &setup->sm_s_pres;
hci_le_advertisement_address(&setup->sm_s_addr_type, setup->sm_s_address);
setup->sm_m_addr_type = sm_conn->sm_peer_addr_type;
memcpy(setup->sm_m_address, sm_conn->sm_peer_address, 6);
} else {
// master
local_packet = &setup->sm_m_preq;
hci_le_advertisement_address(&setup->sm_m_addr_type, setup->sm_m_address);
setup->sm_s_addr_type = sm_conn->sm_peer_addr_type;
memcpy(setup->sm_s_address, sm_conn->sm_peer_address, 6);
setup->sm_m_preq.initiator_key_distribution = 0x07;
setup->sm_m_preq.responder_key_distribution = 0x07;
}
local_packet->io_capability = sm_io_capabilities;
local_packet->oob_data_flag = have_oob_data;
local_packet->auth_req = sm_auth_req;
local_packet->max_encryption_key_size = sm_max_encryption_key_size;
}
static int sm_stk_generation_init(sm_connection_t * sm_conn){
sm_pairing_packet_t * remote_packet;
int remote_key_request;
if (sm_conn->sm_role){
remote_packet = &setup->sm_m_preq;
remote_key_request = setup->sm_m_preq.responder_key_distribution;
} else {
remote_packet = &setup->sm_s_pres;
remote_key_request = setup->sm_s_pres.initiator_key_distribution;
}
// check key size
sm_conn->sm_actual_encryption_key_size = sm_calc_actual_encryption_key_size(remote_packet->max_encryption_key_size);
if (sm_conn->sm_actual_encryption_key_size == 0) return SM_REASON_ENCRYPTION_KEY_SIZE;
// setup key distribution
sm_setup_key_distribution(remote_key_request);
// identical to responder
// decide on STK generation method
sm_setup_tk();
log_info("SMP: generation method %u", setup->sm_stk_generation_method);
// check if STK generation method is acceptable by client
if (!sm_validate_stk_generation_method()) return SM_REASON_AUTHENTHICATION_REQUIREMENTS;
// JUST WORKS doens't provide authentication
sm_conn->sm_connection_authenticated = setup->sm_stk_generation_method == JUST_WORKS ? 0 : 1;
return 0;
}
static void sm_run(void){
linked_list_iterator_t it;
// assert that we can send at least commands
if (!hci_can_send_command_packet_now()) return;
//
// non-connection related behaviour
//
// distributed key generation
switch (dkg_state){
case DKG_CALC_IRK:
// already busy?
if (sm_aes128_state == SM_AES128_IDLE) {
// IRK = d1(IR, 1, 0)
sm_key_t d1_prime;
sm_d1_d_prime(1, 0, d1_prime); // plaintext
dkg_next_state();
sm_aes128_start(sm_persistent_ir, d1_prime, NULL);
return;
}
break;
case DKG_CALC_DHK:
// already busy?
if (sm_aes128_state == SM_AES128_IDLE) {
// DHK = d1(IR, 3, 0)
sm_key_t d1_prime;
sm_d1_d_prime(3, 0, d1_prime); // plaintext
dkg_next_state();
sm_aes128_start(sm_persistent_ir, d1_prime, NULL);
return;
}
break;
default:
break;
}
// random address updates
switch (rau_state){
case RAU_GET_RANDOM:
rau_next_state();
sm_random_start(NULL);
return;
case RAU_GET_ENC:
// already busy?
if (sm_aes128_state == SM_AES128_IDLE) {
sm_key_t r_prime;
sm_ah_r_prime(sm_random_address, r_prime);
rau_next_state();
sm_aes128_start(sm_persistent_irk, r_prime, NULL);
return;
}
break;
case RAU_SET_ADDRESS:
log_info("New random address: %s", bd_addr_to_str(sm_random_address));
rau_state = RAU_IDLE;
hci_send_cmd(&hci_le_set_random_address, sm_random_address);
return;
default:
break;
}
// CMAC
switch (sm_cmac_state){
case CMAC_CALC_SUBKEYS:
case CMAC_CALC_MI:
case CMAC_CALC_MLAST:
// already busy?
if (sm_aes128_state == SM_AES128_ACTIVE) break;
sm_cmac_handle_aes_engine_ready();
return;
default:
break;
}
// CSRK Lookup
// -- if csrk lookup ready, find connection that require csrk lookup
if (!sm_central_device_lookup_active()){
hci_connections_get_iterator(&it);
while(linked_list_iterator_has_next(&it)){
hci_connection_t * hci_connection = (hci_connection_t *) linked_list_iterator_next(&it);
sm_connection_t * sm_connection = &hci_connection->sm_connection;
if (sm_connection->sm_csrk_lookup_state == CSRK_LOOKUP_W4_READY){
// and start lookup
sm_central_device_start_lookup(sm_connection, sm_connection->sm_peer_addr_type, sm_connection->sm_peer_address);
sm_connection->sm_csrk_lookup_state = CSRK_LOOKUP_STARTED;
break;
}
}
}
// -- Continue with CSRK device lookup by public or resolvable private address
if (sm_central_device_test >= 0){
log_info("LE Device Lookup: device %u/%u", sm_central_device_test, le_device_db_count());
while (sm_central_device_test < le_device_db_count()){
int addr_type;
bd_addr_t addr;
sm_key_t irk;
le_device_db_info(sm_central_device_test, &addr_type, addr, irk);
log_info("device type %u, addr: %s", addr_type, bd_addr_to_str(addr));
if (sm_central_device_addr_type == addr_type && memcmp(addr, sm_central_device_address, 6) == 0){
log_info("LE Device Lookup: found CSRK by { addr_type, address} ");
sm_central_device_matched = sm_central_device_test;
sm_central_device_test = -1;
sm_notify_client(SM_IDENTITY_RESOLVING_SUCCEEDED, sm_central_device_addr_type, sm_central_device_address, 0, sm_central_device_matched);
// re-use stored LTK/EDIV/RAND if requested & we're master
// TODO: replace global with flag in sm_connection_t
if (sm_authenticate_outgoing_connections && sm_csrk_connection_source->sm_role == 0){
sm_csrk_connection_source->sm_engine_state = SM_INITIATOR_PH0_HAS_LTK;
log_info("sm: Setting up previous ltk/ediv/rand");
}
// ready for other requests
sm_csrk_connection_source->sm_csrk_lookup_state = CSRK_LOOKUP_IDLE;
sm_csrk_connection_source = NULL;
break;
}
if (sm_central_device_addr_type == 0){
sm_central_device_test++;
continue;
}
if (sm_aes128_state == SM_AES128_ACTIVE) break;
log_info("LE Device Lookup: calculate AH");
log_key("IRK", irk);
sm_key_t r_prime;
sm_ah_r_prime(sm_central_device_address, r_prime);
sm_central_ah_calculation_active = 1;
sm_aes128_start(irk, r_prime, sm_csrk_connection_source);
return;
}
if (sm_central_device_test >= le_device_db_count()){
log_info("LE Device Lookup: not found");
sm_central_device_test = -1;
sm_csrk_connection_source->sm_csrk_lookup_state = CSRK_LOOKUP_IDLE;
sm_csrk_connection_source = NULL;
sm_notify_client(SM_IDENTITY_RESOLVING_FAILED, sm_central_device_addr_type, sm_central_device_address, 0, 0);
}
}
//
// active connection handling
// -- use loop to handle next connection if lock on setup context is released
while (1) {
// Find connections that requires setup context and make active if no other is locked
hci_connections_get_iterator(&it);
while(!sm_active_connection && linked_list_iterator_has_next(&it)){
hci_connection_t * hci_connection = (hci_connection_t *) linked_list_iterator_next(&it);
sm_connection_t * sm_connection = &hci_connection->sm_connection;
// - if no connection locked and we're ready/waiting for setup context, fetch it and start
int done = 1;
int err;
switch (sm_connection->sm_engine_state) {
case SM_RESPONDER_SEND_SECURITY_REQUEST:
// send packet if possible,
if (l2cap_can_send_fixed_channel_packet_now(sm_connection->sm_handle)){
uint8_t buffer[2];
buffer[0] = SM_CODE_SECURITY_REQUEST;
buffer[1] = SM_AUTHREQ_BONDING;
sm_connection->sm_engine_state = SM_RESPONDER_PH1_W4_PAIRING_REQUEST;
l2cap_send_connectionless(sm_connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer));
}
// don't lock setup context yet
done = 0;
break;
case SM_RESPONDER_PH1_PAIRING_REQUEST_RECEIVED:
sm_init_setup(sm_connection);
// recover pairing request
memcpy(&setup->sm_m_preq, &sm_connection->sm_m_preq, sizeof(sm_pairing_packet_t));
err = sm_stk_generation_init(sm_connection);
if (err){
setup->sm_pairing_failed_reason = err;
sm_connection->sm_engine_state = SM_GENERAL_SEND_PAIRING_FAILED;
break;
}
sm_timeout_start(sm_connection);
// generate random number first, if we need to show passkey
if (setup->sm_stk_generation_method == PK_INIT_INPUT){
sm_connection->sm_engine_state = SM_PH2_GET_RANDOM_TK;
break;
}
sm_connection->sm_engine_state = SM_RESPONDER_PH1_SEND_PAIRING_RESPONSE;
break;
case SM_INITIATOR_PH0_HAS_LTK:
// fetch data from device db
le_device_db_encryption_get(sm_connection->sm_le_db_index, &setup->sm_peer_ediv, setup->sm_peer_rand, setup->sm_peer_ltk);
sm_connection->sm_engine_state = SM_INITIATOR_PH0_SEND_START_ENCRYPTION;
break;
case SM_RESPONDER_PH0_RECEIVED_LTK:
// re-establish previously used LTK using Rand and EDIV
memcpy(setup->sm_local_rand, sm_connection->sm_local_rand, 8);
setup->sm_local_ediv = sm_connection->sm_local_ediv;
// re-establish used key encryption size
// no db for encryption size hack: encryption size is stored in lowest nibble of setup->sm_local_rand
sm_connection->sm_actual_encryption_key_size = (setup->sm_local_rand[7] & 0x0f) + 1;
// no db for authenticated flag hack: flag is stored in bit 4 of LSB
sm_connection->sm_connection_authenticated = (setup->sm_local_rand[7] & 0x10) >> 4;
log_info("sm: received ltk request with key size %u, authenticated %u",
sm_connection->sm_actual_encryption_key_size, sm_connection->sm_connection_authenticated);
sm_connection->sm_engine_state = SM_PH4_Y_GET_ENC;
break;
case SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST:
sm_init_setup(sm_connection);
sm_timeout_start(sm_connection);
sm_connection->sm_engine_state = SM_INITIATOR_PH1_SEND_PAIRING_REQUEST;
break;
default:
done = 0;
break;
}
if (done){
sm_active_connection = sm_connection->sm_handle;
log_info("sm: connection 0x%04x locked setup context as %s", sm_active_connection, sm_connection->sm_role ? "responder" : "initiator");
}
}
//
// active connection handling
//
if (sm_active_connection == 0) return;
// assert that we could send a SM PDU - not needed for all of the following
if (!l2cap_can_send_fixed_channel_packet_now(sm_active_connection)) return;
sm_connection_t * connection = sm_get_connection_for_handle(sm_active_connection);
if (!connection) return;
sm_key_t plaintext;
// responding state
switch (connection->sm_engine_state){
// general
case SM_GENERAL_SEND_PAIRING_FAILED: {
uint8_t buffer[2];
buffer[0] = SM_CODE_PAIRING_FAILED;
buffer[1] = setup->sm_pairing_failed_reason;
connection->sm_engine_state = SM_GENERAL_IDLE;
l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer));
sm_done_for_handle(connection->sm_handle);
break;
}
// initiator side
case SM_INITIATOR_PH0_SEND_START_ENCRYPTION: {
sm_key_t peer_ltk_flipped;
swap128(setup->sm_peer_ltk, peer_ltk_flipped);
connection->sm_engine_state = SM_INITIATOR_PH0_W4_CONNECTION_ENCRYPTED;
hci_send_cmd(&hci_le_start_encryption, connection->sm_handle, setup->sm_peer_rand, setup->sm_peer_ediv, peer_ltk_flipped);
return;
}
case SM_INITIATOR_PH1_SEND_PAIRING_REQUEST:
setup->sm_m_preq.code = SM_CODE_PAIRING_REQUEST;
connection->sm_engine_state = SM_INITIATOR_PH1_W4_PAIRING_RESPONSE;
l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) &setup->sm_m_preq, sizeof(sm_pairing_packet_t));
sm_timeout_reset(connection);
break;
// responder side
case SM_RESPONDER_PH0_SEND_LTK_REQUESTED_NEGATIVE_REPLY:
connection->sm_engine_state = SM_GENERAL_IDLE;
hci_send_cmd(&hci_le_long_term_key_negative_reply, connection->sm_handle);
return;
case SM_RESPONDER_PH1_SEND_PAIRING_RESPONSE:
// echo initiator for now
setup->sm_s_pres.code = SM_CODE_PAIRING_RESPONSE;
setup->sm_s_pres.initiator_key_distribution = setup->sm_m_preq.initiator_key_distribution;
setup->sm_s_pres.responder_key_distribution = setup->sm_m_preq.responder_key_distribution;
connection->sm_engine_state = SM_RESPONDER_PH1_W4_PAIRING_CONFIRM;
l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) &setup->sm_s_pres, sizeof(sm_pairing_packet_t));
sm_timeout_reset(connection);
sm_trigger_user_response(connection);
return;
case SM_PH2_SEND_PAIRING_RANDOM: {
uint8_t buffer[17];
buffer[0] = SM_CODE_PAIRING_RANDOM;
swap128(setup->sm_local_random, &buffer[1]);
if (connection->sm_role){
connection->sm_engine_state = SM_RESPONDER_PH2_W4_LTK_REQUEST;
} else {
connection->sm_engine_state = SM_INITIATOR_PH2_W4_PAIRING_RANDOM;
}
l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer));
sm_timeout_reset(connection);
break;
}
case SM_PH2_GET_RANDOM_TK:
case SM_PH2_C1_GET_RANDOM_A:
case SM_PH2_C1_GET_RANDOM_B:
case SM_PH3_GET_RANDOM:
case SM_PH3_GET_DIV:
sm_next_responding_state(connection);
sm_random_start(connection);
return;
case SM_PH2_C1_GET_ENC_B:
case SM_PH2_C1_GET_ENC_D:
// already busy?
if (sm_aes128_state == SM_AES128_ACTIVE) break;
sm_next_responding_state(connection);
sm_aes128_start(setup->sm_tk, setup->sm_c1_t3_value, connection);
return;
case SM_PH3_LTK_GET_ENC:
case SM_PH4_LTK_GET_ENC:
// already busy?
if (sm_aes128_state == SM_AES128_IDLE) {
sm_key_t d_prime;
sm_d1_d_prime(setup->sm_local_div, 0, d_prime);
sm_next_responding_state(connection);
sm_aes128_start(sm_persistent_er, d_prime, connection);
return;
}
break;
case SM_PH3_CSRK_GET_ENC:
// already busy?
if (sm_aes128_state == SM_AES128_IDLE) {
sm_key_t d_prime;
sm_d1_d_prime(setup->sm_local_div, 1, d_prime);
sm_next_responding_state(connection);
sm_aes128_start(sm_persistent_er, d_prime, connection);
return;
}
break;
case SM_PH2_C1_GET_ENC_C:
// already busy?
if (sm_aes128_state == SM_AES128_ACTIVE) break;
// calculate m_confirm using aes128 engine - step 1
sm_c1_t1(setup->sm_peer_random, (uint8_t*) &setup->sm_m_preq, (uint8_t*) &setup->sm_s_pres, setup->sm_m_addr_type, setup->sm_s_addr_type, plaintext);
sm_next_responding_state(connection);
sm_aes128_start(setup->sm_tk, plaintext, connection);
break;
case SM_PH2_C1_GET_ENC_A:
// already busy?
if (sm_aes128_state == SM_AES128_ACTIVE) break;
// calculate confirm using aes128 engine - step 1
sm_c1_t1(setup->sm_local_random, (uint8_t*) &setup->sm_m_preq, (uint8_t*) &setup->sm_s_pres, setup->sm_m_addr_type, setup->sm_s_addr_type, plaintext);
sm_next_responding_state(connection);
sm_aes128_start(setup->sm_tk, plaintext, connection);
break;
case SM_PH2_CALC_STK:
// already busy?
if (sm_aes128_state == SM_AES128_ACTIVE) break;
// calculate STK
if (connection->sm_role){
sm_s1_r_prime(setup->sm_local_random, setup->sm_peer_random, plaintext);
} else {
sm_s1_r_prime(setup->sm_peer_random, setup->sm_local_random, plaintext);
}
sm_next_responding_state(connection);
sm_aes128_start(setup->sm_tk, plaintext, connection);
break;
case SM_PH3_Y_GET_ENC:
// already busy?
if (sm_aes128_state == SM_AES128_ACTIVE) break;
// PH3B2 - calculate Y from - enc
// Y = dm(DHK, Rand)
sm_dm_r_prime(setup->sm_local_rand, plaintext);
sm_next_responding_state(connection);
sm_aes128_start(sm_persistent_dhk, plaintext, connection);
return;
case SM_PH2_C1_SEND_PAIRING_CONFIRM: {
uint8_t buffer[17];
buffer[0] = SM_CODE_PAIRING_CONFIRM;
swap128(setup->sm_local_confirm, &buffer[1]);
if (connection->sm_role){
connection->sm_engine_state = SM_RESPONDER_PH2_W4_PAIRING_RANDOM;
} else {
connection->sm_engine_state = SM_INITIATOR_PH2_W4_PAIRING_CONFIRM;
}
l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer));
sm_timeout_reset(connection);
return;
}
case SM_RESPONDER_PH2_SEND_LTK_REPLY: {
sm_key_t stk_flipped;
swap128(setup->sm_ltk, stk_flipped);
connection->sm_engine_state = SM_PH2_W4_CONNECTION_ENCRYPTED;
hci_send_cmd(&hci_le_long_term_key_request_reply, connection->sm_handle, stk_flipped);
return;
}
case SM_INITIATOR_PH3_SEND_START_ENCRYPTION: {
sm_key_t stk_flipped;
swap128(setup->sm_ltk, stk_flipped);
connection->sm_engine_state = SM_PH2_W4_CONNECTION_ENCRYPTED;
hci_send_cmd(&hci_le_start_encryption, connection->sm_handle, 0, 0, 0, stk_flipped);
return;
}
case SM_PH4_SEND_LTK: {
sm_key_t ltk_flipped;
swap128(setup->sm_ltk, ltk_flipped);
connection->sm_engine_state = SM_GENERAL_IDLE;
hci_send_cmd(&hci_le_long_term_key_request_reply, connection->sm_handle, ltk_flipped);
return;
}
case SM_PH4_Y_GET_ENC:
// already busy?
if (sm_aes128_state == SM_AES128_ACTIVE) break;
log_info("LTK Request: recalculating with ediv 0x%04x", setup->sm_local_ediv);
// Y = dm(DHK, Rand)
sm_dm_r_prime(setup->sm_local_rand, plaintext);
sm_next_responding_state(connection);
sm_aes128_start(sm_persistent_dhk, plaintext, connection);
return;
case SM_PH3_DISTRIBUTE_KEYS:
if (setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION){
setup->sm_key_distribution_send_set &= ~SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION;
uint8_t buffer[17];
buffer[0] = SM_CODE_ENCRYPTION_INFORMATION;
swap128(setup->sm_ltk, &buffer[1]);
l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer));
sm_timeout_reset(connection);
return;
}
if (setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_MASTER_IDENTIFICATION){
setup->sm_key_distribution_send_set &= ~SM_KEYDIST_FLAG_MASTER_IDENTIFICATION;
uint8_t buffer[11];
buffer[0] = SM_CODE_MASTER_IDENTIFICATION;
bt_store_16(buffer, 1, setup->sm_local_ediv);
swap64(setup->sm_local_rand, &buffer[3]);
l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer));
sm_timeout_reset(connection);
return;
}
if (setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_IDENTITY_INFORMATION){
setup->sm_key_distribution_send_set &= ~SM_KEYDIST_FLAG_IDENTITY_INFORMATION;
uint8_t buffer[17];
buffer[0] = SM_CODE_IDENTITY_INFORMATION;
swap128(sm_persistent_irk, &buffer[1]);
l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer));
sm_timeout_reset(connection);
return;
}
if (setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION){
setup->sm_key_distribution_send_set &= ~SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION;
bd_addr_t local_address;
uint8_t buffer[8];
buffer[0] = SM_CODE_IDENTITY_ADDRESS_INFORMATION;
hci_le_advertisement_address(&buffer[1], local_address);
bt_flip_addr(&buffer[2], local_address);
l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer));
sm_timeout_reset(connection);
return;
}
if (setup->sm_key_distribution_send_set & SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION){
setup->sm_key_distribution_send_set &= ~SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION;
uint8_t buffer[17];
buffer[0] = SM_CODE_SIGNING_INFORMATION;
swap128(setup->sm_local_csrk, &buffer[1]);
l2cap_send_connectionless(connection->sm_handle, L2CAP_CID_SECURITY_MANAGER_PROTOCOL, (uint8_t*) buffer, sizeof(buffer));
sm_timeout_reset(connection);
return;
}
// keys are sent
if (connection->sm_role){
// slave -> receive master keys
connection->sm_engine_state = SM_PH3_RECEIVE_KEYS;
} else {
// master -> all done
connection->sm_engine_state = SM_GENERAL_IDLE;
sm_done_for_handle(connection->sm_handle);
}
break;
default:
break;
}
// check again if active connection was released
if (sm_active_connection) break;
}
}
// note: aes engine is ready as we just got the aes result
static void sm_handle_encryption_result(uint8_t * data){
sm_aes128_state = SM_AES128_IDLE;
if (sm_central_ah_calculation_active){
sm_central_ah_calculation_active = 0;
// compare calulated address against connecting device
uint8_t hash[3];
swap24(data, hash);
if (memcmp(&sm_central_device_address[3], hash, 3) == 0){
// found
sm_central_device_matched = sm_central_device_test;
sm_central_device_test = -1;
sm_csrk_connection_source->sm_csrk_lookup_state = CSRK_LOOKUP_IDLE;
sm_csrk_connection_source = NULL;
sm_notify_client(SM_IDENTITY_RESOLVING_SUCCEEDED, sm_central_device_addr_type, sm_central_device_address, 0, sm_central_device_matched);
log_info("LE Device Lookup: matched resolvable private address");
return;
}
// no match
sm_central_device_test++;
return;
}
switch (dkg_state){
case DKG_W4_IRK:
swap128(data, sm_persistent_irk);
log_key("irk", sm_persistent_irk);
dkg_next_state();
return;
case DKG_W4_DHK:
swap128(data, sm_persistent_dhk);
log_key("dhk", sm_persistent_dhk);
dkg_next_state();
// SM INIT FINISHED, start application code - TODO untangle that
if (sm_client_packet_handler)
{
uint8_t event[] = { BTSTACK_EVENT_STATE, 1, HCI_STATE_WORKING };
sm_client_packet_handler(HCI_EVENT_PACKET, 0, (uint8_t*) event, sizeof(event));
}
return;
default:
break;
}
switch (rau_state){
case RAU_W4_ENC:
swap24(data, &sm_random_address[3]);
rau_next_state();
return;
default:
break;
}
switch (sm_cmac_state){
case CMAC_W4_SUBKEYS:
case CMAC_W4_MI:
case CMAC_W4_MLAST:
{
sm_key_t t;
swap128(data, t);
sm_cmac_handle_encryption_result(t);
}
return;
default:
break;
}
// retrieve sm_connection provided to sm_aes128_start_encryption
sm_connection_t * connection = sm_aes128_connection_source;
if (!connection) return;
switch (connection->sm_engine_state){
case SM_PH2_C1_W4_ENC_A:
case SM_PH2_C1_W4_ENC_C:
{
sm_key_t t2;
swap128(data, t2);
sm_c1_t3(t2, setup->sm_m_address, setup->sm_s_address, setup->sm_c1_t3_value);
}
sm_next_responding_state(connection);
return;
case SM_PH2_C1_W4_ENC_B:
swap128(data, setup->sm_local_confirm);
log_key("c1!", setup->sm_local_confirm);
connection->sm_engine_state = SM_PH2_C1_SEND_PAIRING_CONFIRM;
return;
case SM_PH2_C1_W4_ENC_D:
{
sm_key_t peer_confirm_test;
swap128(data, peer_confirm_test);
log_key("c1!", peer_confirm_test);
if (memcmp(setup->sm_peer_confirm, peer_confirm_test, 16) != 0){
setup->sm_pairing_failed_reason = SM_REASON_CONFIRM_VALUE_FAILED;
connection->sm_engine_state = SM_GENERAL_SEND_PAIRING_FAILED;
return;
}
if (connection->sm_role){
connection->sm_engine_state = SM_PH2_SEND_PAIRING_RANDOM;
} else {
connection->sm_engine_state = SM_PH2_CALC_STK;
}
}
return;
case SM_PH2_W4_STK:
swap128(data, setup->sm_ltk);
sm_truncate_key(setup->sm_ltk, connection->sm_actual_encryption_key_size);
log_key("stk", setup->sm_ltk);
if (connection->sm_role){
connection->sm_engine_state = SM_RESPONDER_PH2_SEND_LTK_REPLY;
} else {
connection->sm_engine_state = SM_INITIATOR_PH3_SEND_START_ENCRYPTION;
}
return;
case SM_PH3_Y_W4_ENC:{
sm_key_t y128;
swap128(data, y128);
setup->sm_local_y = READ_NET_16(y128, 14);
log_info_hex16("y", setup->sm_local_y);
// PH3B3 - calculate EDIV
setup->sm_local_ediv = setup->sm_local_y ^ setup->sm_local_div;
log_info_hex16("ediv", setup->sm_local_ediv);
// PH3B4 - calculate LTK - enc
// LTK = d1(ER, DIV, 0))
connection->sm_engine_state = SM_PH3_LTK_GET_ENC;
return;
}
case SM_PH4_Y_W4_ENC:{
sm_key_t y128;
swap128(data, y128);
setup->sm_local_y = READ_NET_16(y128, 14);
log_info_hex16("y", setup->sm_local_y);
// PH3B3 - calculate DIV
setup->sm_local_div = setup->sm_local_y ^ setup->sm_local_ediv;
log_info_hex16("ediv", setup->sm_local_ediv);
// PH3B4 - calculate LTK - enc
// LTK = d1(ER, DIV, 0))
connection->sm_engine_state = SM_PH4_LTK_GET_ENC;
return;
}
case SM_PH3_LTK_W4_ENC:
swap128(data, setup->sm_ltk);
log_key("ltk", setup->sm_ltk);
// calc CSRK next
connection->sm_engine_state = SM_PH3_CSRK_GET_ENC;
return;
case SM_PH3_CSRK_W4_ENC:
swap128(data, setup->sm_local_csrk);
log_key("csrk", setup->sm_local_csrk);
connection->sm_engine_state = SM_PH3_DISTRIBUTE_KEYS;
return;
case SM_PH4_LTK_W4_ENC:
swap128(data, setup->sm_ltk);
sm_truncate_key(setup->sm_ltk, connection->sm_actual_encryption_key_size);
log_key("ltk", setup->sm_ltk);
connection->sm_engine_state = SM_PH4_SEND_LTK;
return;
default:
break;
}
}
// note: random generator is ready. this doesn NOT imply that aes engine is unused!
static void sm_handle_random_result(uint8_t * data){
switch (rau_state){
case RAU_W4_RANDOM:
// non-resolvable vs. resolvable
switch (gap_random_adress_type){
case GAP_RANDOM_ADDRESS_RESOLVABLE:
// resolvable: use random as prand and calc address hash
// "The two most significant bits of prand shall be equal to ‘0’ and ‘1"
memcpy(sm_random_address, data, 3);
sm_random_address[0] &= 0x3f;
sm_random_address[0] |= 0x40;
rau_state = RAU_GET_ENC;
break;
case GAP_RANDOM_ADDRESS_NON_RESOLVABLE:
default:
// "The two most significant bits of the address shall be equal to ‘0’""
memcpy(sm_random_address, data, 6);
sm_random_address[0] &= 0x3f;
rau_state = RAU_SET_ADDRESS;
break;
}
return;
default:
break;
}
// retrieve sm_connection provided to sm_random_start
sm_connection_t * connection = sm_random_connection_source;
if (!connection) return;
switch (connection->sm_engine_state){
case SM_PH2_W4_RANDOM_TK:
{
// map random to 0-999999 without speding much cycles on a modulus operation
uint32_t tk = READ_BT_32(data,0);
tk = tk & 0xfffff; // 1048575
if (tk >= 999999){
tk = tk - 999999;
}
sm_reset_tk();
net_store_32(setup->sm_tk, 12, tk);
if (connection->sm_role){
connection->sm_engine_state = SM_RESPONDER_PH1_SEND_PAIRING_RESPONSE;
} else {
connection->sm_engine_state = SM_PH1_W4_USER_RESPONSE;
sm_trigger_user_response(connection);
}
return;
}
case SM_PH2_C1_W4_RANDOM_A:
memcpy(&setup->sm_local_random[0], data, 8); // random endinaness
connection->sm_engine_state = SM_PH2_C1_GET_RANDOM_B;
return;
case SM_PH2_C1_W4_RANDOM_B:
memcpy(&setup->sm_local_random[8], data, 8); // random endinaness
connection->sm_engine_state = SM_PH2_C1_GET_ENC_A;
return;
case SM_PH3_W4_RANDOM:
swap64(data, setup->sm_local_rand);
// no db for encryption size hack: encryption size is stored in lowest nibble of setup->sm_local_rand
setup->sm_local_rand[7] = (setup->sm_local_rand[7] & 0xf0) + (connection->sm_actual_encryption_key_size - 1);
// no db for authenticated flag hack: store flag in bit 4 of LSB
setup->sm_local_rand[7] = (setup->sm_local_rand[7] & 0xef) + (connection->sm_connection_authenticated << 4);
connection->sm_engine_state = SM_PH3_GET_DIV;
return;
case SM_PH3_W4_DIV:
// use 16 bit from random value as div
setup->sm_local_div = READ_NET_16(data, 0);
log_info_hex16("div", setup->sm_local_div);
connection->sm_engine_state = SM_PH3_Y_GET_ENC;
return;
default:
break;
}
}
static void sm_event_packet_handler (uint8_t packet_type, uint16_t channel, uint8_t *packet, uint16_t size){
sm_connection_t * sm_conn;
uint16_t handle;
switch (packet_type) {
case HCI_EVENT_PACKET:
switch (packet[0]) {
case BTSTACK_EVENT_STATE:
// bt stack activated, get started
if (packet[2] == HCI_STATE_WORKING) {
log_info("HCI Working!");
dkg_state = sm_persistent_irk_ready ? DKG_CALC_DHK : DKG_CALC_IRK;
rau_state = RAU_IDLE;
sm_run();
return; // don't notify app packet handler just yet
}
break;
case HCI_EVENT_LE_META:
switch (packet[2]) {
case HCI_SUBEVENT_LE_CONNECTION_COMPLETE:
log_info("sm: connected");
if (packet[3]) return; // connection failed
handle = READ_BT_16(packet, 4);
sm_conn = sm_get_connection_for_handle(handle);
if (!sm_conn) break;
sm_conn->sm_handle = handle;
sm_conn->sm_role = packet[6];
sm_conn->sm_peer_addr_type = packet[7];
bt_flip_addr(sm_conn->sm_peer_address, &packet[8]);
log_info("New sm_conn, role %s", sm_conn->sm_role ? "slave" : "master");
// reset security properties
sm_conn->sm_connection_encrypted = 0;
sm_conn->sm_connection_authenticated = 0;
sm_conn->sm_connection_authorization_state = AUTHORIZATION_UNKNOWN;
sm_conn->sm_le_db_index = -1;
// prepare CSRK lookup (does not involve setup)
sm_conn->sm_csrk_lookup_state = CSRK_LOOKUP_W4_READY;
// just connected -> everything else happens in sm_run()
if (sm_conn->sm_role){
// slave
if (sm_slave_request_security){
// request security if requested by app
sm_conn->sm_engine_state = SM_RESPONDER_SEND_SECURITY_REQUEST;
} else {
// otherwise, wait for pairing request
sm_conn->sm_engine_state = SM_RESPONDER_PH1_W4_PAIRING_REQUEST;
}
break;
} else {
// master
sm_conn->sm_engine_state = SM_INITIATOR_CONNECTED;
}
break;
case HCI_SUBEVENT_LE_LONG_TERM_KEY_REQUEST:
handle = READ_BT_16(packet, 3);
sm_conn = sm_get_connection_for_handle(handle);
if (!sm_conn) break;
log_info("LTK Request: state %u", sm_conn->sm_engine_state);
if (sm_conn->sm_engine_state == SM_RESPONDER_PH2_W4_LTK_REQUEST){
sm_conn->sm_engine_state = SM_PH2_CALC_STK;
break;
}
// assume that we don't have a LTK for ediv == 0 and random == null
if (READ_BT_16(packet, 13) == 0 && sm_is_null_random(&packet[5])){
log_info("LTK Request: ediv & random are empty");
sm_conn->sm_engine_state = SM_RESPONDER_PH0_SEND_LTK_REQUESTED_NEGATIVE_REPLY;
break;
}
// store rand and ediv
swap64(&packet[5], sm_conn->sm_local_rand);
sm_conn->sm_local_ediv = READ_BT_16(packet, 13);
sm_conn->sm_engine_state = SM_RESPONDER_PH0_RECEIVED_LTK;
break;
default:
break;
}
break;
case HCI_EVENT_ENCRYPTION_CHANGE:
handle = READ_BT_16(packet, 3);
sm_conn = sm_get_connection_for_handle(handle);
if (!sm_conn) break;
sm_conn->sm_connection_encrypted = packet[5];
log_info("Encryption state change: %u, key size %u", sm_conn->sm_connection_encrypted,
sm_conn->sm_actual_encryption_key_size);
if (!sm_conn->sm_connection_encrypted) break;
// continue if part of initial pairing
switch (sm_conn->sm_engine_state){
case SM_INITIATOR_PH0_W4_CONNECTION_ENCRYPTED:
sm_conn->sm_engine_state = SM_GENERAL_IDLE;
sm_done_for_handle(sm_conn->sm_handle);
break;
case SM_PH2_W4_CONNECTION_ENCRYPTED:
if (sm_conn->sm_role){
sm_conn->sm_engine_state = SM_PH3_GET_RANDOM;
} else {
sm_conn->sm_engine_state = SM_PH3_RECEIVE_KEYS;
}
break;
default:
break;
}
break;
case HCI_EVENT_DISCONNECTION_COMPLETE:
handle = READ_BT_16(packet, 3);
sm_done_for_handle(handle);
sm_conn = sm_get_connection_for_handle(handle);
if (!sm_conn) break;
// delete stored bonding on disconnect with authentication failure in ph0
if (sm_conn->sm_role == 0
&& sm_conn->sm_engine_state == SM_INITIATOR_PH0_W4_CONNECTION_ENCRYPTED
&& packet[2] == ERROR_CODE_AUTHENTICATION_FAILURE){
le_device_db_remove(sm_conn->sm_le_db_index);
}
sm_conn->sm_engine_state = SM_GENERAL_IDLE;
sm_conn->sm_handle = 0;
break;
case HCI_EVENT_COMMAND_COMPLETE:
if (COMMAND_COMPLETE_EVENT(packet, hci_le_encrypt)){
sm_handle_encryption_result(&packet[6]);
break;
}
if (COMMAND_COMPLETE_EVENT(packet, hci_le_rand)){
sm_handle_random_result(&packet[6]);
break;
}
}
// forward packet to higher layer
if (sm_client_packet_handler){
sm_client_packet_handler(packet_type, 0, packet, size);
}
}
sm_run();
}
static inline int sm_calc_actual_encryption_key_size(int other){
if (other < sm_min_encryption_key_size) return 0;
if (other < sm_max_encryption_key_size) return other;
return sm_max_encryption_key_size;
}
/**
* @return ok
*/
static int sm_validate_stk_generation_method(){
// check if STK generation method is acceptable by client
switch (setup->sm_stk_generation_method){
case JUST_WORKS:
return (sm_accepted_stk_generation_methods & SM_STK_GENERATION_METHOD_JUST_WORKS) != 0;
case PK_RESP_INPUT:
case PK_INIT_INPUT:
case OK_BOTH_INPUT:
return (sm_accepted_stk_generation_methods & SM_STK_GENERATION_METHOD_PASSKEY) != 0;
case OOB:
return (sm_accepted_stk_generation_methods & SM_STK_GENERATION_METHOD_OOB) != 0;
default:
return 0;
}
}
// helper for sm_packet_handler, calls sm_run on exit
static void sm_pdu_received_in_wrong_state(sm_connection_t * sm_conn){
setup->sm_pairing_failed_reason = SM_REASON_UNSPECIFIED_REASON;
sm_conn->sm_engine_state = SM_GENERAL_IDLE;
sm_done_for_handle(sm_conn->sm_handle);
}
static void sm_packet_handler(uint8_t packet_type, uint16_t handle, uint8_t *packet, uint16_t size){
if (packet_type == HCI_EVENT_PACKET) {
sm_event_packet_handler(packet_type, handle, packet, size);
return;
}
if (packet_type != SM_DATA_PACKET) return;
sm_connection_t * sm_conn = sm_get_connection_for_handle(handle);
if (!sm_conn) return;
if (packet[0] == SM_CODE_PAIRING_FAILED){
sm_conn->sm_engine_state = SM_GENERAL_IDLE;
return;
}
log_debug("sm_packet_handler: state %u, pdu 0x%02x", sm_conn->sm_engine_state, packet[0]);
int err;
switch (sm_conn->sm_engine_state){
// a sm timeout requries a new physical connection
case SM_GENERAL_TIMEOUT:
return;
// Initiator
case SM_INITIATOR_PH1_W4_PAIRING_RESPONSE:
if (packet[0] != SM_CODE_PAIRING_RESPONSE){
sm_pdu_received_in_wrong_state(sm_conn);
break;
}
// store pairing request
memcpy(&setup->sm_s_pres, packet, sizeof(sm_pairing_packet_t));
err = sm_stk_generation_init(sm_conn);
if (err){
setup->sm_pairing_failed_reason = err;
sm_conn->sm_engine_state = SM_GENERAL_SEND_PAIRING_FAILED;
break;
}
// generate random number first, if we need to show passkey
if (setup->sm_stk_generation_method == PK_RESP_INPUT){
sm_conn->sm_engine_state = SM_PH2_GET_RANDOM_TK;
break;
}
sm_conn->sm_engine_state = SM_PH1_W4_USER_RESPONSE;
sm_trigger_user_response(sm_conn);
break;
case SM_INITIATOR_PH2_W4_PAIRING_CONFIRM:
if (packet[0] != SM_CODE_PAIRING_CONFIRM){
sm_pdu_received_in_wrong_state(sm_conn);
break;
}
// store s_confirm
swap128(&packet[1], setup->sm_peer_confirm);
sm_conn->sm_engine_state = SM_PH2_SEND_PAIRING_RANDOM;
break;
case SM_INITIATOR_PH2_W4_PAIRING_RANDOM:
if (packet[0] != SM_CODE_PAIRING_RANDOM){
sm_pdu_received_in_wrong_state(sm_conn);
break;;
}
// received random value
swap128(&packet[1], setup->sm_peer_random);
sm_conn->sm_engine_state = SM_PH2_C1_GET_ENC_C;
break;
// Responder
case SM_GENERAL_IDLE:
case SM_RESPONDER_SEND_SECURITY_REQUEST:
case SM_RESPONDER_PH1_W4_PAIRING_REQUEST:
if (packet[0] != SM_CODE_PAIRING_REQUEST){
sm_pdu_received_in_wrong_state(sm_conn);
break;;
}
// store pairing request
memcpy(&sm_conn->sm_m_preq, packet, sizeof(sm_pairing_packet_t));
sm_conn->sm_engine_state = SM_RESPONDER_PH1_PAIRING_REQUEST_RECEIVED;
break;
case SM_RESPONDER_PH1_W4_PAIRING_CONFIRM:
if (packet[0] != SM_CODE_PAIRING_CONFIRM){
sm_pdu_received_in_wrong_state(sm_conn);
break;;
}
// received confirm value
swap128(&packet[1], setup->sm_peer_confirm);
// notify client to hide shown passkey
if (setup->sm_stk_generation_method == PK_INIT_INPUT){
sm_notify_client(SM_PASSKEY_DISPLAY_CANCEL, setup->sm_m_addr_type, setup->sm_m_address, 0, 0);
}
// handle user cancel pairing?
if (setup->sm_user_response == SM_USER_RESPONSE_DECLINE){
setup->sm_pairing_failed_reason = SM_REASON_PASSKEYT_ENTRY_FAILED;
sm_conn->sm_engine_state = SM_GENERAL_SEND_PAIRING_FAILED;
break;
}
// wait for user action?
if (setup->sm_user_response == SM_USER_RESPONSE_PENDING){
sm_conn->sm_engine_state = SM_PH1_W4_USER_RESPONSE;
break;
}
// calculate and send local_confirm
sm_conn->sm_engine_state = SM_PH2_C1_GET_RANDOM_A;
break;
case SM_RESPONDER_PH2_W4_PAIRING_RANDOM:
if (packet[0] != SM_CODE_PAIRING_RANDOM){
sm_pdu_received_in_wrong_state(sm_conn);
break;;
}
// received random value
swap128(&packet[1], setup->sm_peer_random);
sm_conn->sm_engine_state = SM_PH2_C1_GET_ENC_C;
break;
case SM_PH3_RECEIVE_KEYS:
switch(packet[0]){
case SM_CODE_ENCRYPTION_INFORMATION:
setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION;
swap128(&packet[1], setup->sm_peer_ltk);
break;
case SM_CODE_MASTER_IDENTIFICATION:
setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_MASTER_IDENTIFICATION;
setup->sm_peer_ediv = READ_BT_16(packet, 1);
swap64(&packet[3], setup->sm_peer_rand);
break;
case SM_CODE_IDENTITY_INFORMATION:
setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_IDENTITY_INFORMATION;
swap128(&packet[1], setup->sm_peer_irk);
break;
case SM_CODE_IDENTITY_ADDRESS_INFORMATION:
setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_IDENTITY_ADDRESS_INFORMATION;
setup->sm_peer_addr_type = packet[1];
BD_ADDR_COPY(setup->sm_peer_address, &packet[2]);
break;
case SM_CODE_SIGNING_INFORMATION:
setup->sm_key_distribution_received_set |= SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION;
swap128(&packet[1], setup->sm_peer_csrk);
break;
default:
// Unexpected PDU
log_info("Unexpected PDU %u in SM_PH3_RECEIVE_KEYS", packet[0]);
break;
}
// done with key distribution?
if (sm_key_distribution_all_received()){
// store, if: it's a public address, or, we got an IRK
if (setup->sm_peer_addr_type == 0 || (setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_IDENTITY_INFORMATION)) {
sm_conn->sm_le_db_index = le_device_db_add(setup->sm_peer_addr_type, setup->sm_peer_address, setup->sm_peer_irk);
}
if (sm_conn->sm_le_db_index >= 0){
le_device_db_local_counter_set(sm_conn->sm_le_db_index, 0);
// store CSRK
if (setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_SIGNING_IDENTIFICATION){
le_device_db_csrk_set(sm_conn->sm_le_db_index, setup->sm_peer_csrk);
le_device_db_remote_counter_set(sm_conn->sm_le_db_index, 0);
}
// store encryption information as Central
if (sm_conn->sm_role == 0
&& setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_ENCRYPTION_INFORMATION
&& setup->sm_key_distribution_received_set & SM_KEYDIST_FLAG_MASTER_IDENTIFICATION){
le_device_db_encryption_set(sm_conn->sm_le_db_index, setup->sm_peer_ediv, setup->sm_peer_rand, setup->sm_peer_ltk);
}
}
if (sm_conn->sm_role){
sm_conn->sm_engine_state = SM_GENERAL_IDLE;
sm_done_for_handle(sm_conn->sm_handle);
} else {
sm_conn->sm_engine_state = SM_PH3_GET_RANDOM;
}
}
break;
default:
// Unexpected PDU
log_info("Unexpected PDU %u in state %u", packet[0], sm_conn->sm_engine_state);
break;
}
// try to send preparared packet
sm_run();
}
// Security Manager Client API
void sm_register_oob_data_callback( int (*get_oob_data_callback)(uint8_t addres_type, bd_addr_t addr, uint8_t * oob_data)){
sm_get_oob_data = get_oob_data_callback;
}
void sm_register_packet_handler(btstack_packet_handler_t handler){
sm_client_packet_handler = handler;
}
void sm_set_accepted_stk_generation_methods(uint8_t accepted_stk_generation_methods){
sm_accepted_stk_generation_methods = accepted_stk_generation_methods;
}
void sm_set_encryption_key_size_range(uint8_t min_size, uint8_t max_size){
sm_min_encryption_key_size = min_size;
sm_max_encryption_key_size = max_size;
}
void sm_set_authentication_requirements(uint8_t auth_req){
sm_auth_req = auth_req;
}
void sm_set_io_capabilities(io_capability_t io_capability){
sm_io_capabilities = io_capability;
}
void sm_set_request_security(int enable){
sm_slave_request_security = enable;
}
void sm_set_er(sm_key_t er){
memcpy(sm_persistent_er, er, 16);
}
void sm_set_ir(sm_key_t ir){
memcpy(sm_persistent_ir, ir, 16);
}
// Testing support only
void sm_test_set_irk(sm_key_t irk){
memcpy(sm_persistent_irk, irk, 16);
sm_persistent_irk_ready = 1;
}
/**
* @brief Trigger Security Request
* @note Not used normally. Bonding is triggered by access to protected attributes in ATT Server
*/
void sm_send_security_request(uint16_t handle){
sm_connection_t * sm_conn = sm_get_connection_for_handle(handle);
if (sm_conn->sm_engine_state != SM_RESPONDER_PH1_W4_PAIRING_REQUEST) return;
sm_conn->sm_engine_state = SM_RESPONDER_SEND_SECURITY_REQUEST;
sm_run();
}
void sm_init(){
// set some (BTstack default) ER and IR
int i;
sm_key_t er;
sm_key_t ir;
for (i=0;i<16;i++){
er[i] = 0x30 + i;
ir[i] = 0x90 + i;
}
sm_set_er(er);
sm_set_ir(ir);
// defaults
sm_accepted_stk_generation_methods = SM_STK_GENERATION_METHOD_JUST_WORKS
| SM_STK_GENERATION_METHOD_OOB
| SM_STK_GENERATION_METHOD_PASSKEY;
sm_max_encryption_key_size = 16;
sm_min_encryption_key_size = 7;
sm_cmac_state = CMAC_IDLE;
dkg_state = DKG_W4_WORKING;
rau_state = RAU_W4_WORKING;
sm_aes128_state = SM_AES128_IDLE;
sm_central_device_test = -1; // no private address to resolve yet
sm_central_ah_calculation_active = 0;
gap_random_adress_update_period = 15 * 60 * 1000L;
sm_active_connection = 0;
// attach to lower layers
l2cap_register_fixed_channel(sm_packet_handler, L2CAP_CID_SECURITY_MANAGER_PROTOCOL);
}
static sm_connection_t * sm_get_connection_for_handle(uint16_t con_handle){
hci_connection_t * hci_con = hci_connection_for_handle((hci_con_handle_t) con_handle);
if (!hci_con) return NULL;
return &hci_con->sm_connection;
}
static sm_connection_t * sm_get_connection(uint8_t addr_type, bd_addr_t address){
hci_connection_t * hci_con = hci_connection_for_bd_addr_and_type(address, (bd_addr_type_t)addr_type);
if (!hci_con) return NULL;
return &hci_con->sm_connection;
}
// @returns 0 if not encrypted, 7-16 otherwise
int sm_encryption_key_size(uint8_t addr_type, bd_addr_t address){
sm_connection_t * sm_conn = sm_get_connection(addr_type, address);
if (!sm_conn) return 0; // wrong connection
if (!sm_conn->sm_connection_encrypted) return 0;
return sm_conn->sm_actual_encryption_key_size;
}
int sm_authenticated(uint8_t addr_type, bd_addr_t address){
sm_connection_t * sm_conn = sm_get_connection(addr_type, address);
if (!sm_conn) return 0; // wrong connection
if (!sm_conn->sm_connection_encrypted) return 0; // unencrypted connection cannot be authenticated
return sm_conn->sm_connection_authenticated;
}
authorization_state_t sm_authorization_state(uint8_t addr_type, bd_addr_t address){
sm_connection_t * sm_conn = sm_get_connection(addr_type, address);
if (!sm_conn) return AUTHORIZATION_UNKNOWN; // wrong connection
if (!sm_conn->sm_connection_encrypted) return AUTHORIZATION_UNKNOWN; // unencrypted connection cannot be authorized
if (!sm_conn->sm_connection_authenticated) return AUTHORIZATION_UNKNOWN; // unauthenticatd connection cannot be authorized
return sm_conn->sm_connection_authorization_state;
}
// request authorization
void sm_request_authorization(uint8_t addr_type, bd_addr_t address){
sm_connection_t * sm_conn = sm_get_connection(addr_type, address);
if (!sm_conn) return; // wrong connection
log_info("sm_request_authorization in role %u, state %u", sm_conn->sm_role, sm_conn->sm_engine_state);
if (sm_conn->sm_role){
// code has no effect so far
sm_conn->sm_connection_authorization_state = AUTHORIZATION_PENDING;
sm_notify_client(SM_AUTHORIZATION_REQUEST, setup->sm_m_addr_type, setup->sm_m_address, 0, 0);
} else {
// HACK
sm_authenticate_outgoing_connections = 1;
// used as a trigger to start central/master/initiator security procedures
if (sm_conn->sm_engine_state == SM_INITIATOR_CONNECTED){
sm_conn->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST;
}
}
}
// called by client app on authorization request
void sm_authorization_decline(uint8_t addr_type, bd_addr_t address){
sm_connection_t * sm_conn = sm_get_connection(addr_type, address);
if (!sm_conn) return; // wrong connection
sm_conn->sm_connection_authorization_state = AUTHORIZATION_DECLINED;
sm_notify_client_authorization(SM_AUTHORIZATION_RESULT, setup->sm_m_addr_type, setup->sm_m_address, 0);
}
void sm_authorization_grant(uint8_t addr_type, bd_addr_t address){
sm_connection_t * sm_conn = sm_get_connection(addr_type, address);
if (!sm_conn) return; // wrong connection
sm_conn->sm_connection_authorization_state = AUTHORIZATION_GRANTED;
sm_notify_client_authorization(SM_AUTHORIZATION_RESULT, setup->sm_m_addr_type, setup->sm_m_address, 1);
}
// GAP Bonding API
void sm_bonding_decline(uint8_t addr_type, bd_addr_t address){
sm_connection_t * sm_conn = sm_get_connection(addr_type, address);
if (!sm_conn) return; // wrong connection
setup->sm_user_response = SM_USER_RESPONSE_DECLINE;
if (sm_conn->sm_engine_state == SM_PH1_W4_USER_RESPONSE){
sm_done_for_handle(sm_conn->sm_handle);
setup->sm_pairing_failed_reason = SM_REASON_PASSKEYT_ENTRY_FAILED;
sm_conn->sm_engine_state = SM_GENERAL_SEND_PAIRING_FAILED;
}
sm_run();
}
void sm_just_works_confirm(uint8_t addr_type, bd_addr_t address){
sm_connection_t * sm_conn = sm_get_connection(addr_type, address);
if (!sm_conn) return; // wrong connection
setup->sm_user_response = SM_USER_RESPONSE_CONFIRM;
if (sm_conn->sm_engine_state == SM_PH1_W4_USER_RESPONSE){
sm_conn->sm_engine_state = SM_PH2_C1_GET_RANDOM_A;
}
sm_run();
}
void sm_passkey_input(uint8_t addr_type, bd_addr_t address, uint32_t passkey){
sm_connection_t * sm_conn = sm_get_connection(addr_type, address);
if (!sm_conn) return; // wrong connection
sm_reset_tk();
net_store_32(setup->sm_tk, 12, passkey);
setup->sm_user_response = SM_USER_RESPONSE_PASSKEY;
if (sm_conn->sm_engine_state == SM_PH1_W4_USER_RESPONSE){
sm_conn->sm_engine_state = SM_PH2_C1_GET_RANDOM_A;
}
sm_run();
}
/**
* @brief Identify device in LE Device DB
* @param handle
* @returns index from le_device_db or -1 if not found/identified
*/
int sm_le_device_index(uint16_t handle ){
sm_connection_t * sm_conn = sm_get_connection_for_handle(handle);
if (!sm_conn) return -1;
return sm_conn->sm_le_db_index;
}
// GAP LE API
void gap_random_address_set_mode(gap_random_address_type_t random_address_type){
gap_random_address_update_stop();
gap_random_adress_type = random_address_type;
if (random_address_type == GAP_RANDOM_ADDRESS_TYPE_OFF) return;
gap_random_address_update_start();
gap_random_address_trigger();
}
void gap_random_address_set_update_period(int period_ms){
gap_random_adress_update_period = period_ms;
if (gap_random_adress_type == GAP_RANDOM_ADDRESS_TYPE_OFF) return;
gap_random_address_update_stop();
gap_random_address_update_start();
}