Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / system / bt / 760f967f475046caef597a76fbe7e3cf4c511e25 / . / stack / smp / smp_keys.cc
blob: 5757bc0e9e096c1e32cf6bcc0b8835e09abaea63 [file] [log] [blame]
/******************************************************************************
*
* Copyright (C) 1999-2012 Broadcom Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
******************************************************************************/
/******************************************************************************
*
* This file contains security manager protocol utility functions
*
******************************************************************************/
#include "bt_target.h"
#if (SMP_DEBUG == TRUE)
#include <stdio.h>
#endif
#include <base/bind.h>
#include <string.h>
#include "aes.h"
#include "bt_utils.h"
#include "btm_ble_api.h"
#include "btm_ble_int.h"
#include "btm_int.h"
#include "device/include/controller.h"
#include "hcimsgs.h"
#include "osi/include/osi.h"
#include "p_256_ecc_pp.h"
#include "smp_int.h"
using base::Bind;
#ifndef SMP_MAX_ENC_REPEAT
#define SMP_MAX_ENC_REPEAT 3
#endif
static void smp_process_stk(tSMP_CB* p_cb, tSMP_ENC* p);
static bool smp_calculate_legacy_short_term_key(tSMP_CB* p_cb,
tSMP_ENC* output);
static void smp_process_private_key(tSMP_CB* p_cb);
#define SMP_PASSKEY_MASK 0xfff00000
void smp_debug_print_nbyte_little_endian(uint8_t* p, const char* key_name,
uint8_t len) {
#if (SMP_DEBUG == TRUE)
int ind;
int col_count = 32;
int row_count;
uint8_t p_buf[512];
SMP_TRACE_DEBUG("%s(LSB ~ MSB):", key_name);
memset(p_buf, 0, sizeof(p_buf));
row_count = len % col_count ? len / col_count + 1 : len / col_count;
ind = 0;
for (int row = 0; row < row_count; row++) {
for (int column = 0, x = 0; (ind < len) && (column < col_count);
column++, ind++) {
x += snprintf((char*)&p_buf[x], sizeof(p_buf) - x, "%02x ", p[ind]);
}
SMP_TRACE_DEBUG(" [%03d]: %s", row * col_count, p_buf);
}
#endif
}
void smp_debug_print_nbyte_big_endian(uint8_t* p, const char* key_name,
uint8_t len) {
#if (SMP_DEBUG == TRUE)
uint8_t p_buf[512];
SMP_TRACE_DEBUG("%s(MSB ~ LSB):", key_name);
memset(p_buf, 0, sizeof(p_buf));
int ind = 0;
int ncols = 32; /* num entries in one line */
int nrows; /* num lines */
nrows = len % ncols ? len / ncols + 1 : len / ncols;
for (int row = 0; row < nrows; row++) {
for (int col = 0, x = 0; (ind < len) && (col < ncols); col++, ind++) {
x += snprintf((char*)&p_buf[len - x - 1], sizeof(p_buf) - (len - x - 1),
"%02x ", p[ind]);
}
SMP_TRACE_DEBUG("[%03d]: %s", row * ncols, p_buf);
}
#endif
}
/*******************************************************************************
*
* Function smp_encrypt_data
*
* Description This function is called to encrypt data.
* It uses AES-128 encryption algorithm.
* Plain_text is encrypted using key, the result is at p_out.
*
* Returns void
*
******************************************************************************/
bool smp_encrypt_data(uint8_t* key, uint8_t key_len, uint8_t* plain_text,
uint8_t pt_len, tSMP_ENC* p_out) {
aes_context ctx;
uint8_t* p_start = NULL;
uint8_t* p = NULL;
uint8_t* p_rev_data = NULL; /* input data in big endilan format */
uint8_t* p_rev_key = NULL; /* input key in big endilan format */
uint8_t* p_rev_output = NULL; /* encrypted output in big endilan format */
SMP_TRACE_DEBUG("%s", __func__);
if ((p_out == NULL) || (key_len != SMP_ENCRYT_KEY_SIZE)) {
SMP_TRACE_ERROR("%s failed", __func__);
return false;
}
p_start = (uint8_t*)osi_calloc(SMP_ENCRYT_DATA_SIZE * 4);
if (pt_len > SMP_ENCRYT_DATA_SIZE) pt_len = SMP_ENCRYT_DATA_SIZE;
p = p_start;
ARRAY_TO_STREAM(p, plain_text, pt_len); /* byte 0 to byte 15 */
p_rev_data = p = p_start + SMP_ENCRYT_DATA_SIZE; /* start at byte 16 */
REVERSE_ARRAY_TO_STREAM(p, p_start,
SMP_ENCRYT_DATA_SIZE); /* byte 16 to byte 31 */
p_rev_key = p; /* start at byte 32 */
REVERSE_ARRAY_TO_STREAM(p, key, SMP_ENCRYT_KEY_SIZE); /* byte 32 to byte 47 */
#if (SMP_DEBUG == TRUE && SMP_DEBUG_VERBOSE == TRUE)
smp_debug_print_nbyte_little_endian(key, "Key", SMP_ENCRYT_KEY_SIZE);
smp_debug_print_nbyte_little_endian(p_start, "Plain text",
SMP_ENCRYT_DATA_SIZE);
#endif
p_rev_output = p;
aes_set_key(p_rev_key, SMP_ENCRYT_KEY_SIZE, &ctx);
aes_encrypt(p_rev_data, p, &ctx); /* outputs in byte 48 to byte 63 */
p = p_out->param_buf;
REVERSE_ARRAY_TO_STREAM(p, p_rev_output, SMP_ENCRYT_DATA_SIZE);
#if (SMP_DEBUG == TRUE && SMP_DEBUG_VERBOSE == TRUE)
smp_debug_print_nbyte_little_endian(p_out->param_buf, "Encrypted text",
SMP_ENCRYT_KEY_SIZE);
#endif
p_out->param_len = SMP_ENCRYT_KEY_SIZE;
p_out->status = HCI_SUCCESS;
p_out->opcode = HCI_BLE_ENCRYPT;
osi_free(p_start);
return true;
}
/*******************************************************************************
*
* Function smp_proc_passkey
*
* Description This function is called to process a passkey.
*
* Returns void
*
******************************************************************************/
void smp_proc_passkey(tSMP_CB* p_cb, BT_OCTET8 rand) {
uint8_t* tt = p_cb->tk;
tSMP_KEY key;
uint32_t passkey; /* 19655 test number; */
uint8_t* pp = rand;
SMP_TRACE_DEBUG("%s", __func__);
STREAM_TO_UINT32(passkey, pp);
passkey &= ~SMP_PASSKEY_MASK;
/* truncate by maximum value */
while (passkey > BTM_MAX_PASSKEY_VAL) passkey >>= 1;
/* save the TK */
memset(p_cb->tk, 0, BT_OCTET16_LEN);
UINT32_TO_STREAM(tt, passkey);
key.key_type = SMP_KEY_TYPE_TK;
key.p_data = p_cb->tk;
if (p_cb->p_callback) {
(*p_cb->p_callback)(SMP_PASSKEY_NOTIF_EVT, p_cb->pairing_bda,
(tSMP_EVT_DATA*)&passkey);
}
if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_PASSKEY_DISP) {
smp_sm_event(&smp_cb, SMP_KEY_READY_EVT, &passkey);
} else {
smp_sm_event(p_cb, SMP_KEY_READY_EVT, (tSMP_INT_DATA*)&key);
}
}
/*******************************************************************************
*
* Function smp_generate_passkey
*
* Description This function is called to generate passkey.
*
* Returns void
*
******************************************************************************/
void smp_generate_passkey(tSMP_CB* p_cb, UNUSED_ATTR tSMP_INT_DATA* p_data) {
SMP_TRACE_DEBUG("%s", __func__);
/* generate MRand or SRand */
btsnd_hcic_ble_rand(Bind(&smp_proc_passkey, p_cb));
}
/*******************************************************************************
*
* Function smp_generate_stk
*
* Description This function is called to generate STK calculated by
* running AES with the TK value as key and a concatenation of
* the random values.
*
* Returns void
*
******************************************************************************/
void smp_generate_stk(tSMP_CB* p_cb, UNUSED_ATTR tSMP_INT_DATA* p_data) {
tSMP_ENC output;
tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN;
SMP_TRACE_DEBUG("%s", __func__);
if (p_cb->le_secure_connections_mode_is_used) {
SMP_TRACE_WARNING("FOR LE SC LTK IS USED INSTEAD OF STK");
output.param_len = SMP_ENCRYT_KEY_SIZE;
output.status = HCI_SUCCESS;
output.opcode = HCI_BLE_ENCRYPT;
memcpy(output.param_buf, p_cb->ltk, SMP_ENCRYT_DATA_SIZE);
} else if (!smp_calculate_legacy_short_term_key(p_cb, &output)) {
SMP_TRACE_ERROR("%s failed", __func__);
smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &status);
return;
}
smp_process_stk(p_cb, &output);
}
/**
* This function is called to calculate CSRK
*/
void smp_compute_csrk(uint16_t div, tSMP_CB* p_cb) {
BT_OCTET16 er;
uint8_t buffer[4]; /* for (r || DIV) r=1*/
uint16_t r = 1;
uint8_t* p = buffer;
tSMP_ENC output;
tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN;
p_cb->div = div;
SMP_TRACE_DEBUG("%s: div=%x", __func__, p_cb->div);
BTM_GetDeviceEncRoot(er);
/* CSRK = d1(ER, DIV, 1) */
UINT16_TO_STREAM(p, p_cb->div);
UINT16_TO_STREAM(p, r);
if (!SMP_Encrypt(er, BT_OCTET16_LEN, buffer, 4, &output)) {
SMP_TRACE_ERROR("smp_generate_csrk failed");
if (p_cb->smp_over_br) {
smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &status);
} else {
smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &status);
}
} else {
memcpy((void*)p_cb->csrk, output.param_buf, BT_OCTET16_LEN);
smp_send_csrk_info(p_cb, NULL);
}
}
/**
* This function is called to calculate CSRK, starting with DIV generation.
*/
void smp_generate_csrk(tSMP_CB* p_cb, UNUSED_ATTR tSMP_INT_DATA* p_data) {
bool div_status;
SMP_TRACE_DEBUG("smp_generate_csrk");
div_status = btm_get_local_div(p_cb->pairing_bda, &p_cb->div);
if (div_status) {
smp_compute_csrk(p_cb->div, p_cb);
} else {
SMP_TRACE_DEBUG("Generate DIV for CSRK");
btsnd_hcic_ble_rand(Bind(
[](tSMP_CB* p_cb, BT_OCTET8 rand) {
uint16_t div;
STREAM_TO_UINT16(div, rand);
smp_compute_csrk(div, p_cb);
},
p_cb));
}
}
/*******************************************************************************
* Function smp_concatenate_peer - LSB first
* add pairing command sent from local device into p1.
******************************************************************************/
void smp_concatenate_local(tSMP_CB* p_cb, uint8_t** p_data, uint8_t op_code) {
uint8_t* p = *p_data;
SMP_TRACE_DEBUG("%s", __func__);
UINT8_TO_STREAM(p, op_code);
UINT8_TO_STREAM(p, p_cb->local_io_capability);
UINT8_TO_STREAM(p, p_cb->loc_oob_flag);
UINT8_TO_STREAM(p, p_cb->loc_auth_req);
UINT8_TO_STREAM(p, p_cb->loc_enc_size);
UINT8_TO_STREAM(p, p_cb->local_i_key);
UINT8_TO_STREAM(p, p_cb->local_r_key);
*p_data = p;
}
/*******************************************************************************
* Function smp_concatenate_peer - LSB first
* add pairing command received from peer device into p1.
******************************************************************************/
void smp_concatenate_peer(tSMP_CB* p_cb, uint8_t** p_data, uint8_t op_code) {
uint8_t* p = *p_data;
SMP_TRACE_DEBUG("smp_concatenate_peer ");
UINT8_TO_STREAM(p, op_code);
UINT8_TO_STREAM(p, p_cb->peer_io_caps);
UINT8_TO_STREAM(p, p_cb->peer_oob_flag);
UINT8_TO_STREAM(p, p_cb->peer_auth_req);
UINT8_TO_STREAM(p, p_cb->peer_enc_size);
UINT8_TO_STREAM(p, p_cb->peer_i_key);
UINT8_TO_STREAM(p, p_cb->peer_r_key);
*p_data = p;
}
/*******************************************************************************
*
* Function smp_gen_p1_4_confirm
*
* Description Generate Confirm/Compare Step1:
* p1 = (MSB) pres || preq || rat' || iat' (LSB)
* Fill in values LSB first thus
* p1 = iat' || rat' || preq || pres
*
* Returns void
*
******************************************************************************/
void smp_gen_p1_4_confirm(tSMP_CB* p_cb, tBLE_ADDR_TYPE remote_bd_addr_type,
BT_OCTET16 p1) {
SMP_TRACE_DEBUG("%s", __func__);
uint8_t* p = (uint8_t*)p1;
if (p_cb->role == HCI_ROLE_MASTER) {
/* iat': initiator's (local) address type */
UINT8_TO_STREAM(p, p_cb->addr_type);
/* rat': responder's (remote) address type */
UINT8_TO_STREAM(p, remote_bd_addr_type);
/* preq : Pairing Request (local) command */
smp_concatenate_local(p_cb, &p, SMP_OPCODE_PAIRING_REQ);
/* pres : Pairing Response (remote) command */
smp_concatenate_peer(p_cb, &p, SMP_OPCODE_PAIRING_RSP);
} else {
/* iat': initiator's (remote) address type */
UINT8_TO_STREAM(p, remote_bd_addr_type);
/* rat': responder's (local) address type */
UINT8_TO_STREAM(p, p_cb->addr_type);
/* preq : Pairing Request (remote) command */
smp_concatenate_peer(p_cb, &p, SMP_OPCODE_PAIRING_REQ);
/* pres : Pairing Response (local) command */
smp_concatenate_local(p_cb, &p, SMP_OPCODE_PAIRING_RSP);
}
smp_debug_print_nbyte_little_endian((uint8_t*)p1,
"p1 = iat' || rat' || preq || pres", 16);
}
/*******************************************************************************
*
* Function smp_gen_p2_4_confirm
*
* Description Generate Confirm/Compare Step2:
* p2 = (MSB) padding || ia || ra (LSB)
* Fill values LSB first and thus:
* p2 = ra || ia || padding
*
* Returns void
*
******************************************************************************/
void smp_gen_p2_4_confirm(tSMP_CB* p_cb, const bt_bdaddr_t& remote_bda,
BT_OCTET16 p2) {
SMP_TRACE_DEBUG("%s", __func__);
uint8_t* p = (uint8_t*)p2;
/* 32-bit Padding */
memset(p, 0, sizeof(BT_OCTET16));
if (p_cb->role == HCI_ROLE_MASTER) {
/* ra : Responder's (remote) address */
BDADDR_TO_STREAM(p, to_BD_ADDR(remote_bda));
/* ia : Initiator's (local) address */
BDADDR_TO_STREAM(p, to_BD_ADDR(p_cb->local_bda));
} else {
/* ra : Responder's (local) address */
BDADDR_TO_STREAM(p, to_BD_ADDR(p_cb->local_bda));
/* ia : Initiator's (remote) address */
BDADDR_TO_STREAM(p, to_BD_ADDR(remote_bda));
}
smp_debug_print_nbyte_little_endian(p2, "p2 = ra || ia || padding", 16);
}
/*******************************************************************************
*
* Function smp_calculate_comfirm
*
* Description This function (c1) is called to calculate Confirm value.
*
* Returns tSMP_STATUS status of confirmation calculation
*
******************************************************************************/
tSMP_STATUS smp_calculate_comfirm(tSMP_CB* p_cb, BT_OCTET16 rand,
tSMP_ENC* output) {
SMP_TRACE_DEBUG("%s", __func__);
bt_bdaddr_t remote_bda;
tBLE_ADDR_TYPE remote_bd_addr_type = 0;
/* get remote connection specific bluetooth address */
if (!BTM_ReadRemoteConnectionAddr(p_cb->pairing_bda, remote_bda,
&remote_bd_addr_type)) {
SMP_TRACE_ERROR("%s: cannot obtain remote device address", __func__);
return SMP_PAIR_FAIL_UNKNOWN;
}
/* get local connection specific bluetooth address */
BTM_ReadConnectionAddr(p_cb->pairing_bda, p_cb->local_bda, &p_cb->addr_type);
/* generate p1 = pres || preq || rat' || iat' */
BT_OCTET16 p1;
smp_gen_p1_4_confirm(p_cb, remote_bd_addr_type, p1);
/* p1' = rand XOR p1 */
smp_xor_128(p1, rand);
smp_debug_print_nbyte_little_endian((uint8_t*)p1, "p1' = p1 XOR r", 16);
/* calculate e1 = e(k, p1'), where k = TK */
smp_debug_print_nbyte_little_endian(p_cb->tk, "TK", 16);
memset(output, 0, sizeof(tSMP_ENC));
if (!SMP_Encrypt(p_cb->tk, BT_OCTET16_LEN, p1, BT_OCTET16_LEN, output)) {
SMP_TRACE_ERROR("%s: failed encryption at e1 = e(k, p1')");
return SMP_PAIR_FAIL_UNKNOWN;
}
smp_debug_print_nbyte_little_endian(output->param_buf, "e1 = e(k, p1')", 16);
/* generate p2 = padding || ia || ra */
BT_OCTET16 p2;
smp_gen_p2_4_confirm(p_cb, remote_bda, p2);
/* calculate p2' = (p2 XOR e1) */
smp_xor_128(p2, output->param_buf);
smp_debug_print_nbyte_little_endian((uint8_t*)p2, "p2' = p2 XOR e1", 16);
/* calculate: c1 = e(k, p2') */
memset(output, 0, sizeof(tSMP_ENC));
if (!SMP_Encrypt(p_cb->tk, BT_OCTET16_LEN, p2, BT_OCTET16_LEN, output)) {
SMP_TRACE_ERROR("%s: failed encryption at e1 = e(k, p2')");
return SMP_PAIR_FAIL_UNKNOWN;
}
return SMP_SUCCESS;
}
/*******************************************************************************
*
* Function smp_generate_confirm
*
* Description This function is called when random number (MRand or SRand)
* is generated by the controller and the stack needs to
* calculate c1 value (MConfirm or SConfirm) for the first time
*
* Returns void
*
******************************************************************************/
static void smp_generate_confirm(tSMP_CB* p_cb) {
SMP_TRACE_DEBUG("%s", __func__);
smp_debug_print_nbyte_little_endian((uint8_t*)p_cb->rand, "local_rand", 16);
tSMP_ENC output;
tSMP_STATUS status = smp_calculate_comfirm(p_cb, p_cb->rand, &output);
if (status != SMP_SUCCESS) {
smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &status);
return;
}
tSMP_KEY key;
memcpy(p_cb->confirm, output.param_buf, BT_OCTET16_LEN);
smp_debug_print_nbyte_little_endian(p_cb->confirm, "Local Confirm generated",
16);
key.key_type = SMP_KEY_TYPE_CFM;
key.p_data = output.param_buf;
smp_sm_event(p_cb, SMP_KEY_READY_EVT, &key);
}
/*******************************************************************************
*
* Function smp_generate_srand_mrand_confirm
*
* Description This function is called to start the second pairing phase by
* start generating random number.
*
*
* Returns void
*
******************************************************************************/
void smp_generate_srand_mrand_confirm(tSMP_CB* p_cb,
UNUSED_ATTR tSMP_INT_DATA* p_data) {
SMP_TRACE_DEBUG("%s", __func__);
/* generate MRand or SRand */
btsnd_hcic_ble_rand(Bind(
[](tSMP_CB* p_cb, BT_OCTET8 rand) {
memcpy((void*)p_cb->rand, rand, 8);
/* generate 64 MSB of MRand or SRand */
btsnd_hcic_ble_rand(Bind(
[](tSMP_CB* p_cb, BT_OCTET8 rand) {
memcpy((void*)&p_cb->rand[8], rand, BT_OCTET8_LEN);
smp_generate_confirm(p_cb);
},
p_cb));
},
p_cb));
}
/*******************************************************************************
*
* Function smp_generate_compare
*
* Description This function is called when random number (MRand or SRand)
* is received from remote device and the c1 value (MConfirm
* or SConfirm) needs to be generated to authenticate remote
* device.
*
* Returns void
*
******************************************************************************/
void smp_generate_compare(tSMP_CB* p_cb, UNUSED_ATTR tSMP_INT_DATA* p_data) {
SMP_TRACE_DEBUG("smp_generate_compare ");
smp_debug_print_nbyte_little_endian((uint8_t*)p_cb->rrand, "peer rand", 16);
tSMP_ENC output;
tSMP_STATUS status = smp_calculate_comfirm(p_cb, p_cb->rrand, &output);
if (status != SMP_SUCCESS) {
smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &status);
return;
}
tSMP_KEY key;
smp_debug_print_nbyte_little_endian(output.param_buf,
"Remote Confirm generated", 16);
key.key_type = SMP_KEY_TYPE_CMP;
key.p_data = output.param_buf;
smp_sm_event(p_cb, SMP_KEY_READY_EVT, &key);
}
/*******************************************************************************
*
* Function smp_process_stk
*
* Description This function is called when STK is generated
* proceed to send the encrypt the link using STK.
*
* Returns void
*
******************************************************************************/
static void smp_process_stk(tSMP_CB* p_cb, tSMP_ENC* p) {
tSMP_KEY key;
SMP_TRACE_DEBUG("smp_process_stk ");
#if (SMP_DEBUG == TRUE)
SMP_TRACE_ERROR("STK Generated");
#endif
smp_mask_enc_key(p_cb->loc_enc_size, p->param_buf);
key.key_type = SMP_KEY_TYPE_STK;
key.p_data = p->param_buf;
smp_sm_event(p_cb, SMP_KEY_READY_EVT, &key);
}
/**
* This function is to calculate EDIV = Y xor DIV
*/
static void smp_process_ediv(tSMP_CB* p_cb, tSMP_ENC* p) {
tSMP_KEY key;
uint8_t* pp = p->param_buf;
uint16_t y;
SMP_TRACE_DEBUG("smp_process_ediv ");
STREAM_TO_UINT16(y, pp);
/* EDIV = Y xor DIV */
p_cb->ediv = p_cb->div ^ y;
/* send LTK ready */
SMP_TRACE_ERROR("LTK ready");
key.key_type = SMP_KEY_TYPE_LTK;
key.p_data = p->param_buf;
smp_sm_event(p_cb, SMP_KEY_READY_EVT, &key);
}
/**
* This function is to proceed generate Y = E(DHK, Rand)
*/
static void smp_generate_y(tSMP_CB* p_cb, BT_OCTET8 rand) {
SMP_TRACE_DEBUG("%s ", __func__);
BT_OCTET16 dhk;
BTM_GetDeviceDHK(dhk);
memcpy(p_cb->enc_rand, rand, BT_OCTET8_LEN);
tSMP_ENC output;
if (!SMP_Encrypt(dhk, BT_OCTET16_LEN, rand, BT_OCTET8_LEN, &output)) {
SMP_TRACE_ERROR("%s failed", __func__);
tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN;
smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &status);
} else {
smp_process_ediv(p_cb, &output);
}
}
/**
* Calculate LTK = d1(ER, DIV, 0)= e(ER, DIV)
*/
static void smp_generate_ltk_cont(uint16_t div, tSMP_CB* p_cb) {
p_cb->div = div;
SMP_TRACE_DEBUG("%s", __func__);
BT_OCTET16 er;
BTM_GetDeviceEncRoot(er);
tSMP_ENC output;
/* LTK = d1(ER, DIV, 0)= e(ER, DIV)*/
if (!SMP_Encrypt(er, BT_OCTET16_LEN, (uint8_t*)&p_cb->div, sizeof(uint16_t),
&output)) {
SMP_TRACE_ERROR("%s failed", __func__);
tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN;
smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &status);
} else {
/* mask the LTK */
smp_mask_enc_key(p_cb->loc_enc_size, output.param_buf);
memcpy((void*)p_cb->ltk, output.param_buf, BT_OCTET16_LEN);
/* generate EDIV and rand now */
btsnd_hcic_ble_rand(Bind(&smp_generate_y, p_cb));
}
}
/*******************************************************************************
*
* Function smp_generate_ltk
*
* Description This function is called:
* - in legacy pairing - to calculate LTK, starting with DIV
* generation;
* - in LE Secure Connections pairing over LE transport - to
* process LTK already generated to encrypt LE link;
* - in LE Secure Connections pairing over BR/EDR transport -
* to start BR/EDR Link Key processing.
*
* Returns void
*
******************************************************************************/
void smp_generate_ltk(tSMP_CB* p_cb, UNUSED_ATTR tSMP_INT_DATA* p_data) {
SMP_TRACE_DEBUG("%s", __func__);
if (smp_get_br_state() == SMP_BR_STATE_BOND_PENDING) {
smp_br_process_link_key(p_cb, NULL);
return;
} else if (p_cb->le_secure_connections_mode_is_used) {
smp_process_secure_connection_long_term_key();
return;
}
bool div_status = btm_get_local_div(p_cb->pairing_bda, &p_cb->div);
if (div_status) {
smp_generate_ltk_cont(p_cb->div, p_cb);
} else {
SMP_TRACE_DEBUG("%s: Generate DIV for LTK", __func__);
/* generate MRand or SRand */
btsnd_hcic_ble_rand(Bind(
[](tSMP_CB* p_cb, BT_OCTET8 rand) {
uint16_t div;
STREAM_TO_UINT16(div, rand);
smp_generate_ltk_cont(div, p_cb);
},
p_cb));
}
}
/*******************************************************************************
*
* Function smp_calculate_legacy_short_term_key
*
* Description The function calculates legacy STK.
*
* Returns false if out of resources, true in other cases.
*
******************************************************************************/
bool smp_calculate_legacy_short_term_key(tSMP_CB* p_cb, tSMP_ENC* output) {
SMP_TRACE_DEBUG("%s", __func__);
BT_OCTET16 ptext;
uint8_t* p = ptext;
memset(p, 0, BT_OCTET16_LEN);
if (p_cb->role == HCI_ROLE_MASTER) {
memcpy(p, p_cb->rand, BT_OCTET8_LEN);
memcpy(&p[BT_OCTET8_LEN], p_cb->rrand, BT_OCTET8_LEN);
} else {
memcpy(p, p_cb->rrand, BT_OCTET8_LEN);
memcpy(&p[BT_OCTET8_LEN], p_cb->rand, BT_OCTET8_LEN);
}
/* generate STK = Etk(rand|rrand)*/
bool encrypted =
SMP_Encrypt(p_cb->tk, BT_OCTET16_LEN, ptext, BT_OCTET16_LEN, output);
if (!encrypted) {
SMP_TRACE_ERROR("%s failed", __func__);
}
return encrypted;
}
/*******************************************************************************
*
* Function smp_create_private_key
*
* Description This function is called to create private key used to
* calculate public key and DHKey.
* The function starts private key creation requesting
* for the controller to generate [0-7] octets of private key.
*
* Returns void
*
******************************************************************************/
void smp_create_private_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
SMP_TRACE_DEBUG("%s", __func__);
btsnd_hcic_ble_rand(Bind(
[](tSMP_CB* p_cb, BT_OCTET8 rand) {
memcpy((void*)p_cb->private_key, rand, BT_OCTET8_LEN);
btsnd_hcic_ble_rand(Bind(
[](tSMP_CB* p_cb, BT_OCTET8 rand) {
memcpy((void*)&p_cb->private_key[8], rand, BT_OCTET8_LEN);
btsnd_hcic_ble_rand(Bind(
[](tSMP_CB* p_cb, BT_OCTET8 rand) {
memcpy((void*)&p_cb->private_key[16], rand, BT_OCTET8_LEN);
btsnd_hcic_ble_rand(Bind(
[](tSMP_CB* p_cb, BT_OCTET8 rand) {
memcpy((void*)&p_cb->private_key[24], rand,
BT_OCTET8_LEN);
smp_process_private_key(p_cb);
},
p_cb));
},
p_cb));
},
p_cb));
},
p_cb));
}
/*******************************************************************************
*
* Function smp_use_oob_private_key
*
* Description This function is called
* - to save the secret key used to calculate the public key
* used in calculations of commitment sent OOB to a peer
* - to use this secret key to recalculate the public key and
* start the process of sending this public key to the peer
* if secret/public keys have to be reused.
* If the keys aren't supposed to be reused, continue from the
* point from which request for OOB data was issued.
*
* Returns void
*
******************************************************************************/
void smp_use_oob_private_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
SMP_TRACE_DEBUG("%s req_oob_type: %d, role: %d", __func__, p_cb->req_oob_type,
p_cb->role);
switch (p_cb->req_oob_type) {
case SMP_OOB_BOTH:
case SMP_OOB_LOCAL:
SMP_TRACE_DEBUG("%s restore secret key", __func__)
memcpy(p_cb->private_key, p_cb->sc_oob_data.loc_oob_data.private_key_used,
BT_OCTET32_LEN);
smp_process_private_key(p_cb);
break;
default:
SMP_TRACE_DEBUG("%s create secret key anew", __func__);
smp_set_state(SMP_STATE_PAIR_REQ_RSP);
smp_decide_association_model(p_cb, NULL);
break;
}
}
/*******************************************************************************
*
* Function smp_process_private_key
*
* Description This function processes private key.
* It calculates public key and notifies SM that private key /
* public key pair is created.
*
* Returns void
*
******************************************************************************/
void smp_process_private_key(tSMP_CB* p_cb) {
Point public_key;
BT_OCTET32 private_key;
SMP_TRACE_DEBUG("%s", __func__);
memcpy(private_key, p_cb->private_key, BT_OCTET32_LEN);
ECC_PointMult(&public_key, &(curve_p256.G), (uint32_t*)private_key,
KEY_LENGTH_DWORDS_P256);
memcpy(p_cb->loc_publ_key.x, public_key.x, BT_OCTET32_LEN);
memcpy(p_cb->loc_publ_key.y, public_key.y, BT_OCTET32_LEN);
smp_debug_print_nbyte_little_endian(p_cb->private_key, "private",
BT_OCTET32_LEN);
smp_debug_print_nbyte_little_endian(p_cb->loc_publ_key.x, "local public(x)",
BT_OCTET32_LEN);
smp_debug_print_nbyte_little_endian(p_cb->loc_publ_key.y, "local public(y)",
BT_OCTET32_LEN);
p_cb->flags |= SMP_PAIR_FLAG_HAVE_LOCAL_PUBL_KEY;
smp_sm_event(p_cb, SMP_LOC_PUBL_KEY_CRTD_EVT, NULL);
}
/*******************************************************************************
*
* Function smp_compute_dhkey
*
* Description The function:
* - calculates a new public key using as input local private
* key and peer public key;
* - saves the new public key x-coordinate as DHKey.
*
* Returns void
*
******************************************************************************/
void smp_compute_dhkey(tSMP_CB* p_cb) {
Point peer_publ_key, new_publ_key;
BT_OCTET32 private_key;
SMP_TRACE_DEBUG("%s", __func__);
memcpy(private_key, p_cb->private_key, BT_OCTET32_LEN);
memcpy(peer_publ_key.x, p_cb->peer_publ_key.x, BT_OCTET32_LEN);
memcpy(peer_publ_key.y, p_cb->peer_publ_key.y, BT_OCTET32_LEN);
ECC_PointMult(&new_publ_key, &peer_publ_key, (uint32_t*)private_key,
KEY_LENGTH_DWORDS_P256);
memcpy(p_cb->dhkey, new_publ_key.x, BT_OCTET32_LEN);
smp_debug_print_nbyte_little_endian(p_cb->dhkey, "Old DHKey", BT_OCTET32_LEN);
smp_debug_print_nbyte_little_endian(p_cb->private_key, "private",
BT_OCTET32_LEN);
smp_debug_print_nbyte_little_endian(p_cb->peer_publ_key.x, "rem public(x)",
BT_OCTET32_LEN);
smp_debug_print_nbyte_little_endian(p_cb->peer_publ_key.y, "rem public(y)",
BT_OCTET32_LEN);
smp_debug_print_nbyte_little_endian(p_cb->dhkey, "Reverted DHKey",
BT_OCTET32_LEN);
}
/*******************************************************************************
*
* Function smp_calculate_local_commitment
*
* Description The function calculates and saves local commmitment in CB.
*
* Returns void
*
******************************************************************************/
void smp_calculate_local_commitment(tSMP_CB* p_cb) {
uint8_t random_input;
SMP_TRACE_DEBUG("%s", __func__);
switch (p_cb->selected_association_model) {
case SMP_MODEL_SEC_CONN_JUSTWORKS:
case SMP_MODEL_SEC_CONN_NUM_COMP:
if (p_cb->role == HCI_ROLE_MASTER)
SMP_TRACE_WARNING(
"local commitment calc on master is not expected "
"for Just Works/Numeric Comparison models");
smp_calculate_f4(p_cb->loc_publ_key.x, p_cb->peer_publ_key.x, p_cb->rand,
0, p_cb->commitment);
break;
case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
random_input =
smp_calculate_random_input(p_cb->local_random, p_cb->round);
smp_calculate_f4(p_cb->loc_publ_key.x, p_cb->peer_publ_key.x, p_cb->rand,
random_input, p_cb->commitment);
break;
case SMP_MODEL_SEC_CONN_OOB:
SMP_TRACE_WARNING(
"local commitment calc is expected for OOB model BEFORE pairing");
smp_calculate_f4(p_cb->loc_publ_key.x, p_cb->loc_publ_key.x,
p_cb->local_random, 0, p_cb->commitment);
break;
default:
SMP_TRACE_ERROR("Association Model = %d is not used in LE SC",
p_cb->selected_association_model);
return;
}
SMP_TRACE_EVENT("local commitment calculation is completed");
}
/*******************************************************************************
*
* Function smp_calculate_peer_commitment
*
* Description The function calculates and saves peer commmitment at the
* provided output buffer.
*
* Returns void
*
******************************************************************************/
void smp_calculate_peer_commitment(tSMP_CB* p_cb, BT_OCTET16 output_buf) {
uint8_t ri;
SMP_TRACE_DEBUG("%s", __func__);
switch (p_cb->selected_association_model) {
case SMP_MODEL_SEC_CONN_JUSTWORKS:
case SMP_MODEL_SEC_CONN_NUM_COMP:
if (p_cb->role == HCI_ROLE_SLAVE)
SMP_TRACE_WARNING(
"peer commitment calc on slave is not expected "
"for Just Works/Numeric Comparison models");
smp_calculate_f4(p_cb->peer_publ_key.x, p_cb->loc_publ_key.x, p_cb->rrand,
0, output_buf);
break;
case SMP_MODEL_SEC_CONN_PASSKEY_ENT:
case SMP_MODEL_SEC_CONN_PASSKEY_DISP:
ri = smp_calculate_random_input(p_cb->peer_random, p_cb->round);
smp_calculate_f4(p_cb->peer_publ_key.x, p_cb->loc_publ_key.x, p_cb->rrand,
ri, output_buf);
break;
case SMP_MODEL_SEC_CONN_OOB:
smp_calculate_f4(p_cb->peer_publ_key.x, p_cb->peer_publ_key.x,
p_cb->peer_random, 0, output_buf);
break;
default:
SMP_TRACE_ERROR("Association Model = %d is not used in LE SC",
p_cb->selected_association_model);
return;
}
SMP_TRACE_EVENT("peer commitment calculation is completed");
}
/*******************************************************************************
*
* Function smp_calculate_f4
*
* Description The function calculates
* C = f4(U, V, X, Z) = AES-CMAC (U||V||Z)
* X
* where
* input: U is 256 bit,
* V is 256 bit,
* X is 128 bit,
* Z is 8 bit,
* output: C is 128 bit.
*
* Returns void
*
* Note The LSB is the first octet, the MSB is the last octet of
* the AES-CMAC input/output stream.
*
******************************************************************************/
void smp_calculate_f4(uint8_t* u, uint8_t* v, uint8_t* x, uint8_t z,
uint8_t* c) {
uint8_t msg_len = BT_OCTET32_LEN /* U size */ + BT_OCTET32_LEN /* V size */ +
1 /* Z size */;
uint8_t msg[BT_OCTET32_LEN + BT_OCTET32_LEN + 1];
uint8_t key[BT_OCTET16_LEN];
uint8_t cmac[BT_OCTET16_LEN];
uint8_t* p = NULL;
#if (SMP_DEBUG == TRUE)
uint8_t* p_prnt = NULL;
#endif
SMP_TRACE_DEBUG("%s", __func__);
#if (SMP_DEBUG == TRUE)
p_prnt = u;
smp_debug_print_nbyte_little_endian(p_prnt, "U", BT_OCTET32_LEN);
p_prnt = v;
smp_debug_print_nbyte_little_endian(p_prnt, "V", BT_OCTET32_LEN);
p_prnt = x;
smp_debug_print_nbyte_little_endian(p_prnt, "X", BT_OCTET16_LEN);
p_prnt = &z;
smp_debug_print_nbyte_little_endian(p_prnt, "Z", 1);
#endif
p = msg;
UINT8_TO_STREAM(p, z);
ARRAY_TO_STREAM(p, v, BT_OCTET32_LEN);
ARRAY_TO_STREAM(p, u, BT_OCTET32_LEN);
#if (SMP_DEBUG == TRUE)
p_prnt = msg;
smp_debug_print_nbyte_little_endian(p_prnt, "M", msg_len);
#endif
p = key;
ARRAY_TO_STREAM(p, x, BT_OCTET16_LEN);
#if (SMP_DEBUG == TRUE)
p_prnt = key;
smp_debug_print_nbyte_little_endian(p_prnt, "K", BT_OCTET16_LEN);
#endif
aes_cipher_msg_auth_code(key, msg, msg_len, BT_OCTET16_LEN, cmac);
#if (SMP_DEBUG == TRUE)
p_prnt = cmac;
smp_debug_print_nbyte_little_endian(p_prnt, "AES_CMAC", BT_OCTET16_LEN);
#endif
p = c;
ARRAY_TO_STREAM(p, cmac, BT_OCTET16_LEN);
}
/*******************************************************************************
*
* Function smp_calculate_numeric_comparison_display_number
*
* Description The function calculates and saves number to display in
* numeric comparison association mode.
*
* Returns void
*
******************************************************************************/
void smp_calculate_numeric_comparison_display_number(tSMP_CB* p_cb,
tSMP_INT_DATA* p_data) {
SMP_TRACE_DEBUG("%s", __func__);
if (p_cb->role == HCI_ROLE_MASTER) {
p_cb->number_to_display = smp_calculate_g2(
p_cb->loc_publ_key.x, p_cb->peer_publ_key.x, p_cb->rand, p_cb->rrand);
} else {
p_cb->number_to_display = smp_calculate_g2(
p_cb->peer_publ_key.x, p_cb->loc_publ_key.x, p_cb->rrand, p_cb->rand);
}
if (p_cb->number_to_display >= (BTM_MAX_PASSKEY_VAL + 1)) {
uint8_t reason;
reason = p_cb->failure = SMP_PAIR_FAIL_UNKNOWN;
smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
return;
}
SMP_TRACE_EVENT("Number to display in numeric comparison = %d",
p_cb->number_to_display);
p_cb->cb_evt = SMP_NC_REQ_EVT;
smp_sm_event(p_cb, SMP_SC_DSPL_NC_EVT, &p_cb->number_to_display);
return;
}
/*******************************************************************************
*
* Function smp_calculate_g2
*
* Description The function calculates
* g2(U, V, X, Y) = AES-CMAC (U||V||Y) mod 2**32 mod 10**6
* X
* and
* Vres = g2(U, V, X, Y) mod 10**6
* where
* input: U is 256 bit,
* V is 256 bit,
* X is 128 bit,
* Y is 128 bit,
*
* Returns Vres.
* Expected value has to be in the range [0 - 999999] i.e.
* [0 - 0xF423F].
* Vres = 1000000 means that the calculation fails.
*
* Note The LSB is the first octet, the MSB is the last octet of
* the AES-CMAC input/output stream.
*
******************************************************************************/
uint32_t smp_calculate_g2(uint8_t* u, uint8_t* v, uint8_t* x, uint8_t* y) {
uint8_t msg_len = BT_OCTET32_LEN /* U size */ + BT_OCTET32_LEN /* V size */
+ BT_OCTET16_LEN /* Y size */;
uint8_t msg[BT_OCTET32_LEN + BT_OCTET32_LEN + BT_OCTET16_LEN];
uint8_t key[BT_OCTET16_LEN];
uint8_t cmac[BT_OCTET16_LEN];
uint8_t* p = NULL;
uint32_t vres;
#if (SMP_DEBUG == TRUE)
uint8_t* p_prnt = NULL;
#endif
SMP_TRACE_DEBUG("%s", __func__);
p = msg;
ARRAY_TO_STREAM(p, y, BT_OCTET16_LEN);
ARRAY_TO_STREAM(p, v, BT_OCTET32_LEN);
ARRAY_TO_STREAM(p, u, BT_OCTET32_LEN);
#if (SMP_DEBUG == TRUE)
p_prnt = u;
smp_debug_print_nbyte_little_endian(p_prnt, "U", BT_OCTET32_LEN);
p_prnt = v;
smp_debug_print_nbyte_little_endian(p_prnt, "V", BT_OCTET32_LEN);
p_prnt = x;
smp_debug_print_nbyte_little_endian(p_prnt, "X", BT_OCTET16_LEN);
p_prnt = y;
smp_debug_print_nbyte_little_endian(p_prnt, "Y", BT_OCTET16_LEN);
#endif
p = key;
ARRAY_TO_STREAM(p, x, BT_OCTET16_LEN);
#if (SMP_DEBUG == TRUE)
p_prnt = key;
smp_debug_print_nbyte_little_endian(p_prnt, "K", BT_OCTET16_LEN);
#endif
if (!aes_cipher_msg_auth_code(key, msg, msg_len, BT_OCTET16_LEN, cmac)) {
SMP_TRACE_ERROR("%s failed", __func__);
return (BTM_MAX_PASSKEY_VAL + 1);
}
#if (SMP_DEBUG == TRUE)
p_prnt = cmac;
smp_debug_print_nbyte_little_endian(p_prnt, "AES-CMAC", BT_OCTET16_LEN);
#endif
/* vres = cmac mod 2**32 mod 10**6 */
p = &cmac[0];
STREAM_TO_UINT32(vres, p);
#if (SMP_DEBUG == TRUE)
p_prnt = (uint8_t*)&vres;
smp_debug_print_nbyte_little_endian(p_prnt, "cmac mod 2**32", 4);
#endif
while (vres > BTM_MAX_PASSKEY_VAL) vres -= (BTM_MAX_PASSKEY_VAL + 1);
#if (SMP_DEBUG == TRUE)
p_prnt = (uint8_t*)&vres;
smp_debug_print_nbyte_little_endian(p_prnt, "cmac mod 2**32 mod 10**6", 4);
#endif
SMP_TRACE_ERROR("Value for numeric comparison = %d", vres);
return vres;
}
/*******************************************************************************
*
* Function smp_calculate_f5
*
* Description The function provides two AES-CMAC that are supposed to be
* used as
* - MacKey (used in pairing DHKey check calculation);
* - LTK (used to ecrypt the link after completion of Phase 2
* and on reconnection, to derive BR/EDR LK).
* The function inputs are W, N1, N2, A1, A2.
* F5 rules:
* - the value used as key in MacKey/LTK (T) is calculated
* (function smp_calculate_f5_key(...));
* The formula is:
* T = AES-CMAC (W)
* salt
* where salt is internal parameter of
* smp_calculate_f5_key(...).
* - MacKey and LTK are calculated as AES-MAC values received
* with the key T calculated in the previous step and the
* plaintext message built from the external parameters N1,
* N2, A1, A2 and the internal parameters counter, keyID,
* length.
* The function smp_calculate_f5_mackey_or_long_term_key(...)
* is used in the calculations.
* The same formula is used in calculation of MacKey and LTK
* and the same parameter values except the value of the
* internal parameter counter:
* - in MacKey calculations the value is 0;
* - in LTK calculations the value is 1.
* MacKey =
* AES-CMAC (Counter=0||keyID||N1||N2||A1||A2||Length=256)
* T
* LTK =
* AES-CMAC (Counter=1||keyID||N1||N2||A1||A2||Length=256)
* T
* The parameters are
* input:
* W is 256 bits,
* N1 is 128 bits,
* N2 is 128 bits,
* A1 is 56 bit,
* A2 is 56 bit.
* internal:
* Counter is 8 bits, its value is 0 for MacKey,
* 1 for LTK;
* KeyId is 32 bits, its value is
* 0x62746c65 (MSB~LSB);
* Length is 16 bits, its value is 0x0100
* (MSB~LSB).
* output:
* MacKey is 128 bits;
* LTK is 128 bits
*
* Returns false if out of resources, true in other cases.
*
* Note The LSB is the first octet, the MSB is the last octet of
* the AES-CMAC input/output stream.
*
******************************************************************************/
bool smp_calculate_f5(uint8_t* w, uint8_t* n1, uint8_t* n2, uint8_t* a1,
uint8_t* a2, uint8_t* mac_key, uint8_t* ltk) {
BT_OCTET16 t; /* AES-CMAC output in smp_calculate_f5_key(...), key in */
/* smp_calculate_f5_mackey_or_long_term_key(...) */
#if (SMP_DEBUG == TRUE)
uint8_t* p_prnt = NULL;
#endif
/* internal parameters: */
/*
counter is 0 for MacKey,
is 1 for LTK
*/
uint8_t counter_mac_key[1] = {0};
uint8_t counter_ltk[1] = {1};
/*
keyID 62746c65
*/
uint8_t key_id[4] = {0x65, 0x6c, 0x74, 0x62};
/*
length 0100
*/
uint8_t length[2] = {0x00, 0x01};
SMP_TRACE_DEBUG("%s", __func__);
#if (SMP_DEBUG == TRUE)
p_prnt = w;
smp_debug_print_nbyte_little_endian(p_prnt, "W", BT_OCTET32_LEN);
p_prnt = n1;
smp_debug_print_nbyte_little_endian(p_prnt, "N1", BT_OCTET16_LEN);
p_prnt = n2;
smp_debug_print_nbyte_little_endian(p_prnt, "N2", BT_OCTET16_LEN);
p_prnt = a1;
smp_debug_print_nbyte_little_endian(p_prnt, "A1", 7);
p_prnt = a2;
smp_debug_print_nbyte_little_endian(p_prnt, "A2", 7);
#endif
if (!smp_calculate_f5_key(w, t)) {
SMP_TRACE_ERROR("%s failed to calc T", __func__);
return false;
}
#if (SMP_DEBUG == TRUE)
p_prnt = t;
smp_debug_print_nbyte_little_endian(p_prnt, "T", BT_OCTET16_LEN);
#endif
if (!smp_calculate_f5_mackey_or_long_term_key(t, counter_mac_key, key_id, n1,
n2, a1, a2, length, mac_key)) {
SMP_TRACE_ERROR("%s failed to calc MacKey", __func__);
return false;
}
#if (SMP_DEBUG == TRUE)
p_prnt = mac_key;
smp_debug_print_nbyte_little_endian(p_prnt, "MacKey", BT_OCTET16_LEN);
#endif
if (!smp_calculate_f5_mackey_or_long_term_key(t, counter_ltk, key_id, n1, n2,
a1, a2, length, ltk)) {
SMP_TRACE_ERROR("%s failed to calc LTK", __func__);
return false;
}
#if (SMP_DEBUG == TRUE)
p_prnt = ltk;
smp_debug_print_nbyte_little_endian(p_prnt, "LTK", BT_OCTET16_LEN);
#endif
return true;
}
/*******************************************************************************
*
* Function smp_calculate_f5_mackey_or_long_term_key
*
* Description The function calculates the value of MacKey or LTK by the
* rules defined for f5 function.
* At the moment exactly the same formula is used to calculate
* LTK and MacKey.
* The difference is the value of input parameter Counter:
* - in MacKey calculations the value is 0;
* - in LTK calculations the value is 1.
* The formula:
* mac = AES-CMAC (Counter||keyID||N1||N2||A1||A2||Length)
* T
* where
* input: T is 256 bits;
* Counter is 8 bits, its value is 0 for MacKey,
* 1 for LTK;
* keyID is 32 bits, its value is 0x62746c65;
* N1 is 128 bits;
* N2 is 128 bits;
* A1 is 56 bits;
* A2 is 56 bits;
* Length is 16 bits, its value is 0x0100
* output: LTK is 128 bit.
*
* Returns false if out of resources, true in other cases.
*
* Note The LSB is the first octet, the MSB is the last octet of
* the AES-CMAC input/output stream.
*
******************************************************************************/
bool smp_calculate_f5_mackey_or_long_term_key(uint8_t* t, uint8_t* counter,
uint8_t* key_id, uint8_t* n1,
uint8_t* n2, uint8_t* a1,
uint8_t* a2, uint8_t* length,
uint8_t* mac) {
uint8_t* p = NULL;
uint8_t cmac[BT_OCTET16_LEN];
uint8_t key[BT_OCTET16_LEN];
uint8_t msg_len = 1 /* Counter size */ + 4 /* keyID size */ +
BT_OCTET16_LEN /* N1 size */ +
BT_OCTET16_LEN /* N2 size */ + 7 /* A1 size*/ +
7 /* A2 size*/ + 2 /* Length size */;
uint8_t msg[1 + 4 + BT_OCTET16_LEN + BT_OCTET16_LEN + 7 + 7 + 2];
bool ret = true;
#if (SMP_DEBUG == TRUE)
uint8_t* p_prnt = NULL;
#endif
SMP_TRACE_DEBUG("%s", __func__);
#if (SMP_DEBUG == TRUE)
p_prnt = t;
smp_debug_print_nbyte_little_endian(p_prnt, "T", BT_OCTET16_LEN);
p_prnt = counter;
smp_debug_print_nbyte_little_endian(p_prnt, "Counter", 1);
p_prnt = key_id;
smp_debug_print_nbyte_little_endian(p_prnt, "KeyID", 4);
p_prnt = n1;
smp_debug_print_nbyte_little_endian(p_prnt, "N1", BT_OCTET16_LEN);
p_prnt = n2;
smp_debug_print_nbyte_little_endian(p_prnt, "N2", BT_OCTET16_LEN);
p_prnt = a1;
smp_debug_print_nbyte_little_endian(p_prnt, "A1", 7);
p_prnt = a2;
smp_debug_print_nbyte_little_endian(p_prnt, "A2", 7);
p_prnt = length;
smp_debug_print_nbyte_little_endian(p_prnt, "Length", 2);
#endif
p = key;
ARRAY_TO_STREAM(p, t, BT_OCTET16_LEN);
#if (SMP_DEBUG == TRUE)
p_prnt = key;
smp_debug_print_nbyte_little_endian(p_prnt, "K", BT_OCTET16_LEN);
#endif
p = msg;
ARRAY_TO_STREAM(p, length, 2);
ARRAY_TO_STREAM(p, a2, 7);
ARRAY_TO_STREAM(p, a1, 7);
ARRAY_TO_STREAM(p, n2, BT_OCTET16_LEN);
ARRAY_TO_STREAM(p, n1, BT_OCTET16_LEN);
ARRAY_TO_STREAM(p, key_id, 4);
ARRAY_TO_STREAM(p, counter, 1);
#if (SMP_DEBUG == TRUE)
p_prnt = msg;
smp_debug_print_nbyte_little_endian(p_prnt, "M", msg_len);
#endif
if (!aes_cipher_msg_auth_code(key, msg, msg_len, BT_OCTET16_LEN, cmac)) {
SMP_TRACE_ERROR("%s failed", __func__);
ret = false;
}
#if (SMP_DEBUG == TRUE)
p_prnt = cmac;
smp_debug_print_nbyte_little_endian(p_prnt, "AES-CMAC", BT_OCTET16_LEN);
#endif
p = mac;
ARRAY_TO_STREAM(p, cmac, BT_OCTET16_LEN);
return ret;
}
/*******************************************************************************
*
* Function smp_calculate_f5_key
*
* Description The function calculates key T used in calculation of
* MacKey and LTK (f5 output is defined as MacKey || LTK).
* T = AES-CMAC (W)
* salt
* where
* Internal: salt is 128 bit.
* input: W is 256 bit.
* Output: T is 128 bit.
*
* Returns false if out of resources, true in other cases.
*
* Note The LSB is the first octet, the MSB is the last octet of
* the AES-CMAC input/output stream.
*
******************************************************************************/
bool smp_calculate_f5_key(uint8_t* w, uint8_t* t) {
uint8_t* p = NULL;
/* Please see 2.2.7 LE Secure Connections Key Generation Function f5 */
/*
salt: 6C88 8391 AAF5 A538 6037 0BDB 5A60 83BE
*/
BT_OCTET16 salt = {0xBE, 0x83, 0x60, 0x5A, 0xDB, 0x0B, 0x37, 0x60,
0x38, 0xA5, 0xF5, 0xAA, 0x91, 0x83, 0x88, 0x6C};
#if (SMP_DEBUG == TRUE)
uint8_t* p_prnt = NULL;
#endif
SMP_TRACE_DEBUG("%s", __func__);
#if (SMP_DEBUG == TRUE)
p_prnt = salt;
smp_debug_print_nbyte_little_endian(p_prnt, "salt", BT_OCTET16_LEN);
p_prnt = w;
smp_debug_print_nbyte_little_endian(p_prnt, "W", BT_OCTET32_LEN);
#endif
BT_OCTET16 key;
BT_OCTET32 msg;
p = key;
ARRAY_TO_STREAM(p, salt, BT_OCTET16_LEN);
p = msg;
ARRAY_TO_STREAM(p, w, BT_OCTET32_LEN);
#if (SMP_DEBUG == TRUE)
p_prnt = key;
smp_debug_print_nbyte_little_endian(p_prnt, "K", BT_OCTET16_LEN);
p_prnt = msg;
smp_debug_print_nbyte_little_endian(p_prnt, "M", BT_OCTET32_LEN);
#endif
BT_OCTET16 cmac;
bool ret = true;
if (!aes_cipher_msg_auth_code(key, msg, BT_OCTET32_LEN, BT_OCTET16_LEN,
cmac)) {
SMP_TRACE_ERROR("%s failed", __func__);
ret = false;
}
#if (SMP_DEBUG == TRUE)
p_prnt = cmac;
smp_debug_print_nbyte_little_endian(p_prnt, "AES-CMAC", BT_OCTET16_LEN);
#endif
p = t;
ARRAY_TO_STREAM(p, cmac, BT_OCTET16_LEN);
return ret;
}
/*******************************************************************************
*
* Function smp_calculate_local_dhkey_check
*
* Description The function calculates and saves local device DHKey check
* value in CB.
* Before doing this it calls
* smp_calculate_f5_mackey_and_long_term_key(...).
* to calculate MacKey and LTK.
* MacKey is used in dhkey calculation.
*
* Returns void
*
******************************************************************************/
void smp_calculate_local_dhkey_check(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
uint8_t iocap[3], a[7], b[7];
SMP_TRACE_DEBUG("%s", __func__);
smp_calculate_f5_mackey_and_long_term_key(p_cb);
smp_collect_local_io_capabilities(iocap, p_cb);
smp_collect_local_ble_address(a, p_cb);
smp_collect_peer_ble_address(b, p_cb);
smp_calculate_f6(p_cb->mac_key, p_cb->rand, p_cb->rrand, p_cb->peer_random,
iocap, a, b, p_cb->dhkey_check);
SMP_TRACE_EVENT("local DHKey check calculation is completed");
}
/*******************************************************************************
*
* Function smp_calculate_peer_dhkey_check
*
* Description The function calculates peer device DHKey check value.
*
* Returns void
*
******************************************************************************/
void smp_calculate_peer_dhkey_check(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
uint8_t iocap[3], a[7], b[7];
BT_OCTET16 param_buf;
bool ret;
tSMP_KEY key;
tSMP_STATUS status = SMP_PAIR_FAIL_UNKNOWN;
SMP_TRACE_DEBUG("%s", __func__);
smp_collect_peer_io_capabilities(iocap, p_cb);
smp_collect_local_ble_address(a, p_cb);
smp_collect_peer_ble_address(b, p_cb);
ret = smp_calculate_f6(p_cb->mac_key, p_cb->rrand, p_cb->rand,
p_cb->local_random, iocap, b, a, param_buf);
if (ret) {
SMP_TRACE_EVENT("peer DHKey check calculation is completed");
#if (SMP_DEBUG == TRUE)
smp_debug_print_nbyte_little_endian(param_buf, "peer DHKey check",
BT_OCTET16_LEN);
#endif
key.key_type = SMP_KEY_TYPE_PEER_DHK_CHCK;
key.p_data = param_buf;
smp_sm_event(p_cb, SMP_SC_KEY_READY_EVT, &key);
} else {
SMP_TRACE_EVENT("peer DHKey check calculation failed");
smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &status);
}
}
/*******************************************************************************
*
* Function smp_calculate_f6
*
* Description The function calculates
* C = f6(W, N1, N2, R, IOcap, A1, A2) =
* AES-CMAC (N1||N2||R||IOcap||A1||A2)
* W
* where
* input: W is 128 bit,
* N1 is 128 bit,
* N2 is 128 bit,
* R is 128 bit,
* IOcap is 24 bit,
* A1 is 56 bit,
* A2 is 56 bit,
* output: C is 128 bit.
*
* Returns false if out of resources, true in other cases.
*
* Note The LSB is the first octet, the MSB is the last octet of
* the AES-CMAC input/output stream.
*
******************************************************************************/
bool smp_calculate_f6(uint8_t* w, uint8_t* n1, uint8_t* n2, uint8_t* r,
uint8_t* iocap, uint8_t* a1, uint8_t* a2, uint8_t* c) {
uint8_t* p = NULL;
uint8_t msg_len = BT_OCTET16_LEN /* N1 size */ +
BT_OCTET16_LEN /* N2 size */ + BT_OCTET16_LEN /* R size */ +
3 /* IOcap size */ + 7 /* A1 size*/
+ 7 /* A2 size*/;
uint8_t msg[BT_OCTET16_LEN + BT_OCTET16_LEN + BT_OCTET16_LEN + 3 + 7 + 7];
#if (SMP_DEBUG == TRUE)
uint8_t* p_print = NULL;
#endif
SMP_TRACE_DEBUG("%s", __func__);
#if (SMP_DEBUG == TRUE)
p_print = w;
smp_debug_print_nbyte_little_endian(p_print, "W", BT_OCTET16_LEN);
p_print = n1;
smp_debug_print_nbyte_little_endian(p_print, "N1", BT_OCTET16_LEN);
p_print = n2;
smp_debug_print_nbyte_little_endian(p_print, "N2", BT_OCTET16_LEN);
p_print = r;
smp_debug_print_nbyte_little_endian(p_print, "R", BT_OCTET16_LEN);
p_print = iocap;
smp_debug_print_nbyte_little_endian(p_print, "IOcap", 3);
p_print = a1;
smp_debug_print_nbyte_little_endian(p_print, "A1", 7);
p_print = a2;
smp_debug_print_nbyte_little_endian(p_print, "A2", 7);
#endif
uint8_t cmac[BT_OCTET16_LEN];
uint8_t key[BT_OCTET16_LEN];
p = key;
ARRAY_TO_STREAM(p, w, BT_OCTET16_LEN);
#if (SMP_DEBUG == TRUE)
p_print = key;
smp_debug_print_nbyte_little_endian(p_print, "K", BT_OCTET16_LEN);
#endif
p = msg;
ARRAY_TO_STREAM(p, a2, 7);
ARRAY_TO_STREAM(p, a1, 7);
ARRAY_TO_STREAM(p, iocap, 3);
ARRAY_TO_STREAM(p, r, BT_OCTET16_LEN);
ARRAY_TO_STREAM(p, n2, BT_OCTET16_LEN);
ARRAY_TO_STREAM(p, n1, BT_OCTET16_LEN);
#if (SMP_DEBUG == TRUE)
p_print = msg;
smp_debug_print_nbyte_little_endian(p_print, "M", msg_len);
#endif
bool ret = true;
if (!aes_cipher_msg_auth_code(key, msg, msg_len, BT_OCTET16_LEN, cmac)) {
SMP_TRACE_ERROR("%s failed", __func__);
ret = false;
}
#if (SMP_DEBUG == TRUE)
p_print = cmac;
smp_debug_print_nbyte_little_endian(p_print, "AES-CMAC", BT_OCTET16_LEN);
#endif
p = c;
ARRAY_TO_STREAM(p, cmac, BT_OCTET16_LEN);
return ret;
}
/*******************************************************************************
*
* Function smp_calculate_link_key_from_long_term_key
*
* Description The function calculates and saves BR/EDR link key derived
* from LE SC LTK.
*
* Returns false if out of resources, true in other cases.
*
******************************************************************************/
bool smp_calculate_link_key_from_long_term_key(tSMP_CB* p_cb) {
tBTM_SEC_DEV_REC* p_dev_rec;
bt_bdaddr_t bda_for_lk;
tBLE_ADDR_TYPE conn_addr_type;
BT_OCTET16 salt = {0x31, 0x70, 0x6D, 0x74, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
SMP_TRACE_DEBUG("%s", __func__);
if (p_cb->id_addr_rcvd && p_cb->id_addr_type == BLE_ADDR_PUBLIC) {
SMP_TRACE_DEBUG(
"Use rcvd identity address as BD_ADDR of LK rcvd identity address");
bda_for_lk = p_cb->id_addr;
} else if ((BTM_ReadRemoteConnectionAddr(p_cb->pairing_bda, bda_for_lk,
&conn_addr_type)) &&
conn_addr_type == BLE_ADDR_PUBLIC) {
SMP_TRACE_DEBUG("Use rcvd connection address as BD_ADDR of LK");
} else {
SMP_TRACE_WARNING("Don't have peer public address to associate with LK");
return false;
}
p_dev_rec = btm_find_dev(p_cb->pairing_bda);
if (p_dev_rec == NULL) {
SMP_TRACE_ERROR("%s failed to find Security Record", __func__);
return false;
}
BT_OCTET16 intermediate_link_key;
bool ret = true;
if (p_cb->key_derivation_h7_used)
ret = smp_calculate_h7((uint8_t*)salt, p_cb->ltk, intermediate_link_key);
else
ret = smp_calculate_h6(p_cb->ltk, (uint8_t*)"1pmt" /* reversed "tmp1" */,
intermediate_link_key);
if (!ret) {
SMP_TRACE_ERROR("%s failed to derive intermediate_link_key", __func__);
return ret;
}
BT_OCTET16 link_key;
ret = smp_calculate_h6(intermediate_link_key,
(uint8_t*)"rbel" /* reversed "lebr" */, link_key);
if (!ret) {
SMP_TRACE_ERROR("%s failed", __func__);
} else {
uint8_t link_key_type;
if (btm_cb.security_mode == BTM_SEC_MODE_SC) {
/* Secure Connections Only Mode */
link_key_type = BTM_LKEY_TYPE_AUTH_COMB_P_256;
} else if (controller_get_interface()->supports_secure_connections()) {
/* both transports are SC capable */
if (p_cb->sec_level == SMP_SEC_AUTHENTICATED)
link_key_type = BTM_LKEY_TYPE_AUTH_COMB_P_256;
else
link_key_type = BTM_LKEY_TYPE_UNAUTH_COMB_P_256;
} else if (btm_cb.security_mode == BTM_SEC_MODE_SP) {
/* BR/EDR transport is SSP capable */
if (p_cb->sec_level == SMP_SEC_AUTHENTICATED)
link_key_type = BTM_LKEY_TYPE_AUTH_COMB;
else
link_key_type = BTM_LKEY_TYPE_UNAUTH_COMB;
} else {
SMP_TRACE_ERROR(
"%s failed to update link_key. Sec Mode = %d, sm4 = 0x%02x", __func__,
btm_cb.security_mode, p_dev_rec->sm4);
return false;
}
link_key_type += BTM_LTK_DERIVED_LKEY_OFFSET;
uint8_t* p;
BT_OCTET16 notif_link_key;
p = notif_link_key;
ARRAY16_TO_STREAM(p, link_key);
btm_sec_link_key_notification(bda_for_lk, notif_link_key, link_key_type);
SMP_TRACE_EVENT("%s is completed", __func__);
}
return ret;
}
/*******************************************************************************
*
* Function smp_calculate_long_term_key_from_link_key
*
* Description The function calculates and saves SC LTK derived from BR/EDR
* link key.
*
* Returns false if out of resources, true in other cases.
*
******************************************************************************/
bool smp_calculate_long_term_key_from_link_key(tSMP_CB* p_cb) {
bool ret = true;
tBTM_SEC_DEV_REC* p_dev_rec;
uint8_t rev_link_key[16];
BT_OCTET16 salt = {0x32, 0x70, 0x6D, 0x74, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
SMP_TRACE_DEBUG("%s", __func__);
p_dev_rec = btm_find_dev(p_cb->pairing_bda);
if (p_dev_rec == NULL) {
SMP_TRACE_ERROR("%s failed to find Security Record", __func__);
return false;
}
uint8_t br_link_key_type;
br_link_key_type = BTM_SecGetDeviceLinkKeyType(p_cb->pairing_bda);
if (br_link_key_type == BTM_LKEY_TYPE_IGNORE) {
SMP_TRACE_ERROR("%s failed to retrieve BR link type", __func__);
return false;
}
if ((br_link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256) &&
(br_link_key_type != BTM_LKEY_TYPE_UNAUTH_COMB_P_256)) {
SMP_TRACE_ERROR("%s LE SC LTK can't be derived from LK %d", __func__,
br_link_key_type);
return false;
}
uint8_t* p1;
uint8_t* p2;
p1 = rev_link_key;
p2 = p_dev_rec->link_key;
REVERSE_ARRAY_TO_STREAM(p1, p2, 16);
BT_OCTET16 intermediate_long_term_key;
if (p_cb->key_derivation_h7_used) {
ret = smp_calculate_h7((uint8_t*)salt, rev_link_key,
intermediate_long_term_key);
} else {
/* "tmp2" obtained from the spec */
ret = smp_calculate_h6(rev_link_key, (uint8_t*)"2pmt" /* reversed "tmp2" */,
intermediate_long_term_key);
}
if (!ret) {
SMP_TRACE_ERROR("%s failed to derive intermediate_long_term_key", __func__);
return ret;
}
/* "brle" obtained from the spec */
ret = smp_calculate_h6(intermediate_long_term_key,
(uint8_t*)"elrb" /* reversed "brle" */, p_cb->ltk);
if (!ret) {
SMP_TRACE_ERROR("%s failed", __func__);
} else {
p_cb->sec_level = (br_link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256)
? SMP_SEC_AUTHENTICATED
: SMP_SEC_UNAUTHENTICATE;
SMP_TRACE_EVENT("%s is completed", __func__);
}
return ret;
}
/*******************************************************************************
*
* Function smp_calculate_h6
*
* Description The function calculates
* C = h6(W, KeyID) = AES-CMAC (KeyID)
* W
* where
* input: W is 128 bit,
* KeyId is 32 bit,
* output: C is 128 bit.
*
* Returns false if out of resources, true in other cases.
*
* Note The LSB is the first octet, the MSB is the last octet of
* the AES-CMAC input/output stream.
*
******************************************************************************/
bool smp_calculate_h6(uint8_t* w, uint8_t* keyid, uint8_t* c) {
#if (SMP_DEBUG == TRUE)
uint8_t* p_print = NULL;
#endif
SMP_TRACE_DEBUG("%s", __func__);
#if (SMP_DEBUG == TRUE)
p_print = w;
smp_debug_print_nbyte_little_endian(p_print, "W", BT_OCTET16_LEN);
p_print = keyid;
smp_debug_print_nbyte_little_endian(p_print, "keyID", 4);
#endif
uint8_t* p = NULL;
uint8_t key[BT_OCTET16_LEN];
p = key;
ARRAY_TO_STREAM(p, w, BT_OCTET16_LEN);
#if (SMP_DEBUG == TRUE)
p_print = key;
smp_debug_print_nbyte_little_endian(p_print, "K", BT_OCTET16_LEN);
#endif
uint8_t msg_len = 4 /* KeyID size */;
uint8_t msg[4];
p = msg;
ARRAY_TO_STREAM(p, keyid, 4);
#if (SMP_DEBUG == TRUE)
p_print = msg;
smp_debug_print_nbyte_little_endian(p_print, "M", msg_len);
#endif
bool ret = true;
uint8_t cmac[BT_OCTET16_LEN];
if (!aes_cipher_msg_auth_code(key, msg, msg_len, BT_OCTET16_LEN, cmac)) {
SMP_TRACE_ERROR("%s failed", __func__);
ret = false;
}
#if (SMP_DEBUG == TRUE)
p_print = cmac;
smp_debug_print_nbyte_little_endian(p_print, "AES-CMAC", BT_OCTET16_LEN);
#endif
p = c;
ARRAY_TO_STREAM(p, cmac, BT_OCTET16_LEN);
return ret;
}
/*******************************************************************************
**
** Function smp_calculate_h7
**
** Description The function calculates
** C = h7(SALT, W) = AES-CMAC (W)
** SALT
** where
** input: W is 128 bit,
** SALT is 128 bit,
** output: C is 128 bit.
**
** Returns FALSE if out of resources, TRUE in other cases.
**
** Note The LSB is the first octet, the MSB is the last octet of
** the AES-CMAC input/output stream.
**
*******************************************************************************/
bool smp_calculate_h7(uint8_t* salt, uint8_t* w, uint8_t* c) {
SMP_TRACE_DEBUG("%s", __FUNCTION__);
uint8_t key[BT_OCTET16_LEN];
uint8_t* p = key;
ARRAY_TO_STREAM(p, salt, BT_OCTET16_LEN);
uint8_t msg_len = BT_OCTET16_LEN /* msg size */;
uint8_t msg[BT_OCTET16_LEN];
p = msg;
ARRAY_TO_STREAM(p, w, BT_OCTET16_LEN);
bool ret = true;
uint8_t cmac[BT_OCTET16_LEN];
if (!aes_cipher_msg_auth_code(key, msg, msg_len, BT_OCTET16_LEN, cmac)) {
SMP_TRACE_ERROR("%s failed", __FUNCTION__);
ret = false;
}
p = c;
ARRAY_TO_STREAM(p, cmac, BT_OCTET16_LEN);
return ret;
}
/**
* This function generates nonce.
*/
void smp_start_nonce_generation(tSMP_CB* p_cb) {
SMP_TRACE_DEBUG("%s", __func__);
btsnd_hcic_ble_rand(Bind(
[](tSMP_CB* p_cb, BT_OCTET8 rand) {
memcpy((void*)p_cb->rand, rand, BT_OCTET8_LEN);
btsnd_hcic_ble_rand(Bind(
[](tSMP_CB* p_cb, BT_OCTET8 rand) {
memcpy((void*)&p_cb->rand[8], rand, BT_OCTET8_LEN);
SMP_TRACE_DEBUG("%s round %d", __func__, p_cb->round);
/* notifies SM that it has new nonce. */
smp_sm_event(p_cb, SMP_HAVE_LOC_NONCE_EVT, NULL);
},
p_cb));
},
p_cb));
}