Beispiel #1
** Function         SMP_ConfirmReply
** Description      This function is called after Security Manager submitted
**                  numeric comparison request to the application.
** Parameters:      bd_addr      - Address of the device with which numeric
**                                 comparison was requested
**                  res          - comparison result SMP_SUCCESS if success
void SMP_ConfirmReply (BD_ADDR bd_addr, UINT8 res)
    tSMP_CB *p_cb = & smp_cb;

    SMP_TRACE_EVENT ("%s: Result:%d", __FUNCTION__, res);

    /* If timeout already expired or has been canceled, ignore the reply */
    if (p_cb->cb_evt != SMP_NC_REQ_EVT) {
        SMP_TRACE_WARNING ("%s() - Wrong State: %d", __FUNCTION__, p_cb->state);

    if (memcmp (bd_addr, p_cb->pairing_bda, BD_ADDR_LEN) != 0) {
        SMP_TRACE_ERROR ("%s() - Wrong BD Addr", __FUNCTION__);

    if (btm_find_dev (bd_addr) == NULL) {
        SMP_TRACE_ERROR ("%s() - no dev CB", __FUNCTION__);

    if (res != SMP_SUCCESS) {
        SMP_TRACE_WARNING ("%s() - Numeric Comparison fails", __FUNCTION__);
        /* send pairing failure */
        smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &failure);
    } else {
        smp_sm_event(p_cb, SMP_SC_NC_OK_EVT, NULL);
Beispiel #2
void print128(BT_OCTET16 x, const UINT8 *key_name)
    UINT8  *p = (UINT8 *)x;
    UINT8  i;

    SMP_TRACE_WARNING("%s(MSB ~ LSB) = ", key_name);

    for (i = 0; i < 4; i ++) {
        SMP_TRACE_WARNING("%02x %02x %02x %02x",
                          p[BT_OCTET16_LEN - i * 4 - 1], p[BT_OCTET16_LEN - i * 4 - 2],
                          p[BT_OCTET16_LEN - i * 4 - 3], p[BT_OCTET16_LEN - i * 4 - 4]);
Beispiel #3
** Function         SMP_CreateLocalSecureConnectionsOobData
** Description      This function is called to start creation of local SC OOB
**                  data set (tSMP_LOC_OOB_DATA).
** Parameters:      bd_addr      - Address of the device to send OOB data block to
**  Returns         Boolean - TRUE: creation of local SC OOB data set started.
BOOLEAN SMP_CreateLocalSecureConnectionsOobData (tBLE_BD_ADDR *addr_to_send_to)
    tSMP_CB *p_cb = &smp_cb;
    UINT8   *bd_addr;

    if (addr_to_send_to == NULL) {
        SMP_TRACE_ERROR ("%s addr_to_send_to is not provided", __FUNCTION__);
        return FALSE;

    bd_addr = addr_to_send_to->bda;

    SMP_TRACE_EVENT ("%s addr type: %u,  BDA: %08x%04x,  state: %u, br_state: %u",
                     __FUNCTION__, addr_to_send_to->type,
                     (bd_addr[0] << 24) + (bd_addr[1] << 16) + (bd_addr[2] << 8) + bd_addr[3],
                     (bd_addr[4] << 8) + bd_addr[5],

    if ((p_cb->state != SMP_STATE_IDLE) || (p_cb->smp_over_br)) {
        SMP_TRACE_WARNING ("%s creation of local OOB data set "\
                           "starts only in IDLE state", __FUNCTION__);
        return FALSE;

    p_cb->sc_oob_data.loc_oob_data.addr_sent_to = *addr_to_send_to;
    smp_sm_event(p_cb, SMP_CR_LOC_SC_OOB_DATA_EVT, NULL);

    return TRUE;
Beispiel #4
** Function         SMP_PasskeyReply
** Description      This function is called after Security Manager submitted
**                  passkey request to the application.
** Parameters:      bd_addr      - Address of the device for which passkey was requested
**                  res          - result of the operation SMP_SUCCESS if success
**                  passkey - numeric value in the range of
**                  BTM_MIN_PASSKEY_VAL(0) - BTM_MAX_PASSKEY_VAL(999999(0xF423F)).
void SMP_PasskeyReply (BD_ADDR bd_addr, UINT8 res, UINT32 passkey)
    tSMP_CB *p_cb = & smp_cb;

    SMP_TRACE_EVENT ("SMP_PasskeyReply: Key: %d  Result:%d",
                     passkey, res);

    /* If timeout already expired or has been canceled, ignore the reply */
    if (p_cb->cb_evt != SMP_PASSKEY_REQ_EVT) {
        SMP_TRACE_WARNING ("SMP_PasskeyReply() - Wrong State: %d", p_cb->state);

    if (memcmp (bd_addr, p_cb->pairing_bda, BD_ADDR_LEN) != 0) {
        SMP_TRACE_ERROR ("SMP_PasskeyReply() - Wrong BD Addr");

    if (btm_find_dev (bd_addr) == NULL) {
        SMP_TRACE_ERROR ("SMP_PasskeyReply() - no dev CB");

    if (passkey > BTM_MAX_PASSKEY_VAL || res != SMP_SUCCESS) {
        SMP_TRACE_WARNING ("SMP_PasskeyReply() - Wrong key len: %d or passkey entry fail", passkey);
        /* send pairing failure */
        smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &failure);

    } else if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_PASSKEY_ENT) {
        smp_sm_event(&smp_cb, SMP_SC_KEY_READY_EVT, &passkey);
    } else {
        smp_convert_string_to_tk(p_cb->tk, passkey);

Beispiel #5
** Function         smp_br_data_received
** Description      This function is called when data is received from L2CAP on
**                  SMP BR channel.
** Returns          void
static void smp_br_data_received(UINT16 channel, BD_ADDR bd_addr, BT_HDR *p_buf)
    tSMP_CB *p_cb = &smp_cb;
    UINT8   *p = (UINT8 *)(p_buf + 1) + p_buf->offset;
    UINT8   cmd ;
    SMP_TRACE_EVENT ("SMDBG l2c %s", __func__);

    STREAM_TO_UINT8(cmd, p);

    /* sanity check */
    if ((SMP_OPCODE_MAX < cmd) || (SMP_OPCODE_MIN > cmd))
        SMP_TRACE_WARNING( "Ignore received command with RESERVED code 0x%02x", cmd);

    /* reject the pairing request if there is an on-going SMP pairing */
    if (SMP_OPCODE_PAIRING_REQ == cmd)
        if ((p_cb->state == SMP_STATE_IDLE) && (p_cb->br_state == SMP_BR_STATE_IDLE))
            p_cb->role = HCI_ROLE_SLAVE;
            p_cb->smp_over_br = TRUE;
            memcpy(&p_cb->pairing_bda[0], bd_addr, BD_ADDR_LEN);
        else if (memcmp(&bd_addr[0], p_cb->pairing_bda, BD_ADDR_LEN))
            GKI_freebuf (p_buf);
        /* else, out of state pairing request received, passed into State Machine */

    if (memcmp(&bd_addr[0], p_cb->pairing_bda, BD_ADDR_LEN) == 0)
        btu_stop_timer (&p_cb->rsp_timer_ent);
        btu_start_timer (&p_cb->rsp_timer_ent, BTU_TTYPE_SMP_PAIRING_CMD,

        p_cb->rcvd_cmd_code = cmd;
        p_cb->rcvd_cmd_len = (UINT8) p_buf->len;
        smp_br_state_machine_event(p_cb, cmd, p);

    GKI_freebuf (p_buf);
Beispiel #6
** Function         AES_CMAC
** Description      This is the AES-CMAC Generation Function with tlen implemented.
** Parameters       key - CMAC key in little endian order, expect SRK when used by SMP.
**                  input - text to be signed in little endian byte order.
**                  length - length of the input in byte.
**                  tlen - lenth of mac desired
**                  p_signature - data pointer to where signed data to be stored, tlen long.
** Returns          void
BOOLEAN AES_CMAC ( BT_OCTET16 key, UINT8 *input, UINT16 length,
                UINT16 tlen, UINT8 *p_signature)
    UINT16  len, diff;
    UINT16  n = (length + BT_OCTET16_LEN - 1) / BT_OCTET16_LEN;       /* n is number of rounds */
    BOOLEAN ret = FALSE;


    if (n == 0)  n = 1;
    len = n * BT_OCTET16_LEN;

    SMP_TRACE_WARNING("AES128_CMAC started, allocate buffer size = %d", len);
    /* allocate a memory space of multiple of 16 bytes to hold text  */
    if ((cmac_cb.text = (UINT8 *)GKI_getbuf(len)) != NULL)
        cmac_cb.round = n;

        memset(cmac_cb.text, 0, len);
        diff = len - length;

        if (input != NULL && length > 0)
            memcpy(&cmac_cb.text[diff] , input, (int)length);
            cmac_cb.len = length;
            cmac_cb.len = 0;

        /* prepare calculation for subkey s and last block of data */
        if (cmac_generate_subkey(key))
            /* start calculation */
            ret = cmac_aes_k_calculate(key, p_signature, tlen);
        /* clean up */
        ret = FALSE;
        SMP_TRACE_ERROR("No resources");

    return ret;
Beispiel #7
** Function         smp_br_connect_callback
** Description      This callback function is called by L2CAP to indicate that
**                  SMP BR channel is
**                      connected (conn = TRUE)/disconnected (conn = FALSE).
static void smp_br_connect_callback(UINT16 channel, BD_ADDR bd_addr, BOOLEAN connected,
                                    UINT16 reason, tBT_TRANSPORT transport)
    tSMP_CB *p_cb = &smp_cb;
    tSMP_INT_DATA int_data;

    SMP_TRACE_EVENT ("%s", __func__);

    if (transport != BT_TRANSPORT_BR_EDR)
        SMP_TRACE_WARNING("%s is called on unexpected transport %d",
                           __func__, transport);

    if (!(memcmp(bd_addr, p_cb->pairing_bda, BD_ADDR_LEN) == 0))

    SMP_TRACE_EVENT ("%s for pairing BDA: %08x%04x  Event: %s",
                     (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8) + bd_addr[3],
                     (connected) ? "connected" : "disconnected");

    if (connected)
            p_cb->connect_initialized = TRUE;
            /* initialize local i/r key to be default keys */
            p_cb->local_r_key = p_cb->local_i_key =  SMP_BR_SEC_DEFAULT_KEY;
            p_cb->loc_auth_req = p_cb->peer_auth_req = 0;
            p_cb->cb_evt = SMP_BR_KEYS_REQ_EVT;
            smp_br_state_machine_event(p_cb, SMP_BR_L2CAP_CONN_EVT, NULL);
        int_data.reason = reason;
        /* Disconnected while doing security */
        smp_br_state_machine_event(p_cb, SMP_BR_L2CAP_DISCONN_EVT, &int_data);
Beispiel #8
** Function         cmac_prepare_last_block
** Description      This function proceeed to prepare the last block of message
**                  Mn depending on the size of the message.
** Returns          void
static void cmac_prepare_last_block (BT_OCTET16 k1, BT_OCTET16 k2)
//    UINT8       x[16] = {0};
    BOOLEAN      flag;

    SMP_TRACE_EVENT ("cmac_prepare_last_block ");
    /* last block is a complete block set flag to 1 */
    flag = ((cmac_cb.len % BT_OCTET16_LEN) == 0 && cmac_cb.len != 0)  ? TRUE : FALSE;

    SMP_TRACE_WARNING("flag = %d round = %d", flag, cmac_cb.round);

    if ( flag ) {
        /* last block is complete block */
        smp_xor_128(&cmac_cb.text[0], k1);
    } else { /* padding then xor with k2 */
        padding(&cmac_cb.text[0], (UINT8)(cmac_cb.len % 16));

        smp_xor_128(&cmac_cb.text[0], k2);
Beispiel #9
void test_cmac(void)
    SMP_TRACE_EVENT ("test_cmac ");
    UINT8 M[64] = {
        0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
        0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
        0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
        0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
        0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
        0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
        0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
        0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10

    UINT8 key[16] = {
        0x3c, 0x4f, 0xcf, 0x09, 0x88, 0x15, 0xf7, 0xab,
        0xa6, 0xd2, 0xae, 0x28, 0x16, 0x15, 0x7e, 0x2b
    UINT8 i =0, tmp;
    UINT16 len;

    len = 64;

    for (i = 0; i < len/2; i ++)
        tmp = M[i];
        M[i] = M[len -1 - i];
        M[len -1 - i] = tmp;

    memset(&cmac_cb, 0, sizeof(tCMAC_CB));

    SMP_TRACE_WARNING("\n Example 1: len = %d\n", len);

    AES_CMAC(key, M, len, 128, test_cmac_cback, 0);

Beispiel #10
** Function         smp_data_received
** Description      This function is called when data is received from L2CAP on
**                  SMP channel.
** Returns          void
static void smp_data_received(UINT16 channel, BD_ADDR bd_addr, BT_HDR *p_buf)
    tSMP_CB *p_cb = &smp_cb;
    UINT8   *p = (UINT8 *)(p_buf + 1) + p_buf->offset;
    UINT8   cmd ;

    STREAM_TO_UINT8(cmd, p);

    /* sanity check */
    if ((SMP_OPCODE_MAX < cmd) || (SMP_OPCODE_MIN > cmd))
        SMP_TRACE_WARNING( "Ignore received command with RESERVED code 0x%02x", cmd);
        GKI_freebuf (p_buf);

    /* reject the pairing request if there is an on-going SMP pairing */
        if ((p_cb->state == SMP_STATE_IDLE) && (p_cb->br_state == SMP_BR_STATE_IDLE) &&
            !(p_cb->flags & SMP_PAIR_FLAGS_WE_STARTED_DD))
            p_cb->role = L2CA_GetBleConnRole(bd_addr);
            memcpy(&p_cb->pairing_bda[0], bd_addr, BD_ADDR_LEN);
        else if (memcmp(&bd_addr[0], p_cb->pairing_bda, BD_ADDR_LEN))
            GKI_freebuf (p_buf);
        /* else, out of state pairing request/security request received, passed into SM */

    if (memcmp(&bd_addr[0], p_cb->pairing_bda, BD_ADDR_LEN) == 0)
        btu_stop_timer (&p_cb->rsp_timer_ent);
        btu_start_timer (&p_cb->rsp_timer_ent, BTU_TTYPE_SMP_PAIRING_CMD,

        if (cmd == SMP_OPCODE_CONFIRM)
            SMP_TRACE_DEBUG ("in %s cmd = 0x%02x, peer_auth_req = 0x%02x,"
                              "loc_auth_req = 0x%02x",
                              __FUNCTION__, cmd, p_cb->peer_auth_req, p_cb->loc_auth_req);

            if ((p_cb->peer_auth_req  & SMP_SC_SUPPORT_BIT) &&
                (p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT))
                cmd = SMP_OPCODE_PAIR_COMMITM;

        p_cb->rcvd_cmd_code = cmd;
        p_cb->rcvd_cmd_len = (UINT8) p_buf->len;
        smp_sm_event(p_cb, cmd, p);

    GKI_freebuf (p_buf);