Updates the LE legacy pairing procedure as a result of errata ES-24491.
New part:
If the initiating device receives an LP_CONFIRM_R value that is equal to
the LP_CONFIRM_I value, the pairing process shall be aborted and fail
with "Confirm Value Failed" as reason.
Signed-off-by: Håvard Reierstad <haavard.reierstad@nordicsemi.no>
The LTK cannot be derived by LK when LK is not weaker than the old LTK.
Improve the function `smp_br_pairing_allowed()` to avoid the LTK be
overwrote when old LTK has MITM protection but new LK has not MITM
protection.
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
BR_SEND_KEYS_SC should be used to determine the value of
Responder Key Distribution when sending pairing_response to
reply smp br pairing_request.
Signed-off-by: Mark Wang <yichang.wang@nxp.com>
When deriving the new LK, remove the old LK if it exists.
Store the derived LK if the flag `SMP_FLAG_BOND` of LE SMP is set.
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
The flag `BT_LINK_KEY_SC` of LK will also be set when derive LK from
LTK.
It is a incorrect behavior.
The flag `BT_LINK_KEY_SC` should only be set if the flag `BT_KEYS_SC`
of LTK has been set.
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
The flag `SMP_FLAG_BR_CONNECTED` is cleared by the function
`smp_br_reset()` and `smp_br_init`. But the flag
`SMP_FLAG_BR_CONNECTED` should not be cleared at this time.
Recovery the flag `SMP_FLAG_BR_CONNECTED` after the all flags of SMP
cleared.
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
If the encrypt value of classic connection is
`BT_HCI_ENCRYPTION_ON_BR_AES_CCM`, set the flag `BT_KEYS_SC` for
the derived LTK.
Or, clear the flag `BT_KEYS_SC` for the derived LTK.
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
In current implementation, the flag `local_dist` will be cleared when
the distributed key frame is performed if the local is the SMP
initiator. After the distributed key is sent out, the function
`smp_pairing_br_complete()` will be called if all bits of `local_dist`
are cleared.
It causes the function `smp_pairing_br_complete()` will be called
multiple times.
Add a flag `local_distributed` to flag the all sent keys. Add only the
flag `local_distributed` is not set, preform the key distribution
frame.
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
The derived LE keys are not saved to NVM. And the IRK is not added to
controller resolving list. It causes two issues,
Issue 1, the LE connection connection cannot be established if the adv
address of peer is RPA.
Issue 2, the LE keys are missing after the power reset.
For issue 1, add a function `smp_br_id_add_replace` to add LE keys.
For issue 2, check the BR bondable flag `BT_CONN_BR_NOBOND` instead of
`SMP_FLAG_BOND`.
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
Define macros for encryption value,
#define BT_HCI_ENCRYPTION_OFF 0x00
#define BT_HCI_ENCRYPTION_ON_LE_AES_CCM 0x01
#define BT_HCI_ENCRYPTION_ON_BR_E0 0x01
#define BT_HCI_ENCRYPTION_ON_BR_AES_CCM 0x02
Use the macros to replace the hard code.
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
The LTK should not be generated from BR link key if there is a LTK
exists and BR LK is weaker.
Do not drive LTK from BR LK in the case.
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
When `bt_le_oob_get_local` or `bt_le_ext_adv_oob_get_local` is called
and SMP is enabled, `bt_smp_le_oob_generate_sc_data` is called to
generate a Random Number and a Confirmation Value needed for OOB data.
These values are based on the device's public key.
The public key is generated only once when `bt_smp_init` is called.
If public key generation fails, the callback passed to `bt_pub_key_get`
is called with `pkey` set to NULL. The `bt_smp_pkey_ready` callback
gets called, but it doesn't release the `sc_local_pkey_ready` semaphore
thus leaving `bt_smp_le_oob_generate_sc_data` wait for semaphore with
`K_FOREVER`.
This commit replaces the semaphore with a conditional variable and
requests a public key again if the key is NULL thus solving 2 issues:
- handling the case where the callback was triggered notifying about the
completion of the public key request, but the key was not generated,
- handling the case where multiple threads trying to acquire the same
sempahore.
The timeout is used instead of K_FOREVER to avoid cases when callback
has never been triggered.
Signed-off-by: Pavel Vasilyev <pavel.vasilyev@nordicsemi.no>
Added a new function, bt_conn_is_type, that returns whether
the provided conn object is of the provided type.
This check is then used to ensure that the conn objects
supplied to other bt_conn function are of the right type.
The right type has also been documented for these functions.
This is an initial commit for a larger change in the BT Host,
as similar checks should be added to the L2CAP, GATT, ISO,
Audio and possibly Mesh APIs.
The type check could have been implemented by using the
bt_conn_get_info function, but that requires additional
function calls as well as memory allocation and copy.
Since bt_conn_is_type is designed to be widely used, it
was suited for its own function.
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
Remove the HCI command & event emulation layer for ECDH commands and
events. This means that we always do the necessary operations in the host.
The existing BT_ECC Kconfig option stays, but now gets automatically
enabled when necessary (e.g. based on the BT_SMP option), which is why this
commit removes so many explicit assignments in prj.conf files.
Signed-off-by: Johan Hedberg <johan.hedberg@silabs.com>
Currently, there are build warnings that are triggered when building
for BT central and legacy OOB pairing only:
CONFIG_BT_SMP_OOB_LEGACY_PAIR_ONLY=y
CONFIG_BT_CENTRAL=y
There was a PR that handled this issue in the past https://github.com/zephyrproject-rtos/zephyr/pull/74400.
Unfortunately, this PR even though it fixed the warnings it also
broke the BT peripheral and legacy OOB pairing only build:
CONFIG_BT_SMP_OOB_LEGACY_PAIR_ONLY=y
CONFIG_BT_PERIPHERAL=y
https://github.com/zephyrproject-rtos/zephyr/pull/82552 was merged in
order to fix the issue with the peripheral build configuration.
Unfortunately, this PR reintroduced the warnings for BT central and
legacy OOB pairing.
This commit brings changes to make sure that both the BT central and
peripheral builds with OOB legacy pairing are buildable and
warnings free.
Also in this commit, a new build test case is added for the BT central
and legacy OOB pairing along the existing BT peripheral test case
Signed-off-by: Sebastian Panceac <sebastian.panceac@ext.grandcentrix.net>
Add a separate test for public key validity. This needs to be done
synchronously so that we can respond with an early failure message to the
peer device.
Fixes#80218
Signed-off-by: Johan Hedberg <johan.hedberg@silabs.com>
The functions `le_sc_oob_config_set`, `generate_dhkey` and
`display_passkey` in `smp.c` were only defined when
`CONFIG_BT_SMP_OOB_LEGACY_PAIR_ONLY` was not defined. This created
issues at build time.
Remove the guard as the code calling those functions is not guarded
itself.
Signed-off-by: Théo Battrel <theo.battrel@nordicsemi.no>
In current, the bondable flag cannot be configured for each specific
BR connection.
But for LE conn, there is a function `bt_conn_set_bondable` for this
purpose.
Improve `bt_conn_set_bondable` to support BR conn.
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
Add a function bt_l2cap_br_get_remote_fixed_chan to get the remote fixed
channels.
If the fixed channel CID 0x0007 is unsupported, skip the LTK derivation.
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
In the handler of SMP_Pairing rsp, the encryption key
flag is cleared incorrectly.
It causes the LE LTK cannot be derived.
Do not modify the encryption key flag to fix the
issue.
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
Add missing braces to comply with MISRA C:2012 Rule 15.6 and
also following Zephyr's style guideline.
Signed-off-by: Pisit Sawangvonganan <pisit@ndrsolution.com>
Move the network buffer header file from zephyr/net/buf.h to
zephyr/net_buf.h as the implementation now lives outside of the networking
subsystem.
Add (deprecated) zephyr/net/buf.h header to maintain compatibility with old
file path.
Signed-off-by: Henrik Brix Andersen <henrik@brixandersen.dk>
When developing Bluetooth applications, you typically run into
some errors. If you are an experienced Bluetooth developer,
you would typically have an HCI error lookup table in your memory.
Others might not.
This commit utilizes defines CONFIG_BT_DEBUG_HCI_ERR_TO_STR
and utilizes bt_hci_err_to_str() to print out HCI error strings
when enabled to improve the user experience.
Several alternatives where considered. This approach was chosen
as it had the best balance between readability, code size, and
implementation complexity.
The alternatives are listed below as a reference.
1. Macro defined format specifier:
```c
#define HCI_ERR_FMT "%s"
#define BT_HCI_ERR_TO_STR(err) (err)
#define HCI_ERR_FMT "%d"
#define BT_HCI_ERR_TO_STR(err) bt_hci_err_to_str((err))
LOG_INF("The event contained " HCI_ERR_FMT " as status",
BT_HCI_ERR_TO_STR(err));
```
Advantage: Space efficient: Code size does not increase
Disadvantage: Code becomes hard to read
2. Format specifier to always include both integer and string:
```c
static inline const char bt_hci_err_to_str(err)
{
return "";
}
LOG_INF("The event contained %s(0x%02x) as status",
bt_hci_err_to_str(err), err);
```
Advantage: Simple to use, implement, and read,
Disadvantage: Increases code size when CONFIG_BT_DEBUG_HCI_ERR_TO_STR
is disabled. The compiler seems unable to optimize away the unused
format specifier. Note: The size increase is only present when
logging is enabled.
3. Always print as string, allocate a stack variable when printing:
```c
const char *bt_hci_err_to_str(char *dst, size_t dst_size, uint8_t err)
{
snprintf(dst, dst_size, 0x%02x, err);
return dst;
}
LOG_INF("The event contained %s as status", BT_HCI_ERR_TO_STR(err));
```
Advantage: Very easy to read.
Disadvantage: Printing error codes becomes slow as it involves calling
snprint.
4. Implement a custom printf specifier, for example E.
This requires a global CONFIG_ERR_AS_STR as I assume we cannot have
one specifier for each type of error code.
Also, I assume we cannot start adding specifiers for each subsystem.
```c
#define BT_HCI_ERR_TO_STR(err) (err)
#define BT_HCI_ERR_TO_STR(err) bt_hci_err_to_str((err))
LOG_INF("The event contained %E as status", BT_HCI_ERR_TO_STR(err));
```
Advantage: Both efficient code and readable code.
Disadvantage: This requires a global CONFIG_ERR_AS_STR as I assume
we cannot have one specifier for each type of error code.
Also, I assume we cannot start adding specifiers for each subsystem.
That is, this approach is hard to implement correctly in a scalable
way.
Signed-off-by: Rubin Gerritsen <rubin.gerritsen@nordicsemi.no>
The BR SMP fixed channel BR/EDR Security Manager
(CID 0x0007) cannot be set in L2CAP Information
Response. It is caused by the invalid fix channel
definition used.
Move macro `BT_L2CAP_BR_CHANNEL_DEFINE` to
`l2cap_br_interface.h`, that the macro can be
accessed in smp.c. And remove duplicated
header file include `#include "classic/l2cap_
br_interface.h"` from smp.c.
Define fixed channel, BR/EDR Security Manager
(CID 0x0007), by using `BT_L2CAP_BR_CHANNEL_DEFINE`.
Fix the smp L2CAP channel of BR cannot be found
issue. Use `bt_l2cap_br_lookup_tx_cid` to get
the BR SMP L2CAP channel instead of using
`bt_l2cap_le_lookup_tx_cid`.
Fix the invalid SMP L2CAP channel used when
the BR smp failed.
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
It was pointed out in a future PR that they should have
a corresponding experimental Kconfig entry.
See PR #73795.
This updates the APIs added in PR #73826 and PR #74295.
Signed-off-by: Rubin Gerritsen <rubin.gerritsen@nordicsemi.no>
Utilize a code spell-checking tool to scan for and correct spelling errors
in all files within the `include/zephyr/bluetooth` and `subsys/bluetooth`
Signed-off-by: Pisit Sawangvonganan <pisit@ndrsolution.com>
Utilize a code spell-checking tool to scan for and correct spelling errors
in all files within the subsys/bluetooth/host directory.
Signed-off-by: Pisit Sawangvonganan <pisit@ndrsolution.com>
This commit fixes compilation warnings that are present when compiling
with CONFIG_BT_SMP_OOB_LEGACY_PAIR_ONLY as can be seen in this
compiler log:
"""
In file included from /zephyr-sdk-0.16.1/arm-zephyr-eabi/picolibc/
include/string.h:215,
from /zephyr/subsys/bluetooth/host/smp.c:15:
In function '__memcpy_ichk',
inlined from 'sc_send_public_key' at /zephyr/subsys/bluetooth/host/
smp.c:3006:2:
/zephyr-sdk-0.16.1/arm-zephyr-eabi/picolibc/include/ssp/string.h:83:1:
warning: argument 2 null where non-null expected [-Wnonnull]
83 | __ssp_bos_icheck3_restrict(memcpy, void *, const void *)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
/zephyr-sdk-0.16.1/arm-zephyr-eabi/picolibc/include/ssp/string.h:83:1:
note: in a call to built-in function '__builtin_memcpy'
/zephyr/subsys/bluetooth/host/smp.c: In function 'smp_public_key':
/zephyr/subsys/bluetooth/host/smp.c:4214:21: warning: argument 2
null where non-null expected [-Wnonnull]
4214 | memcmp(smp->pkey, sc_public_key, BT_PUB_KEY_COORD_LEN) == 0) {
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/zephyr-sdk-0.16.1/arm-zephyr-eabi/picolibc/include/string.h:62:10: note:
in a call to function 'memcmp' declared 'nonnull'
62 | int memcmp (const void *, const void *, size_t);
| ^~~~~~
"""
The warning is caused by the potential use of NULL "sc_public_key"
global pointer that is not assigned a value in "smp_init()" if
CONFIG_BT_SMP_OOB_LEGACY_PAIR_ONLY is enabled. This commit
conditionally changes the behavior of function "smp_public_key()"
if CONFIG_BT_SMP_OOB_LEGACY_PAIR_ONLY is activated to simply return
and not use the "sc_public_key" variable. Other functions that are not
called anymore by "smp_public_key()" are also conditionally
deactivated when CONFIG_BT_SMP_OOB_LEGACY_PAIR_ONLY is enabled
Signed-off-by: Sebastian Panceac <sebastian.panceac@ext.grandcentrix.net>
This can be useful if application developers
want to print them in the applications.
Later we can also use them in
the host to improve debuggability.
Signed-off-by: Rubin Gerritsen <rubin.gerritsen@nordicsemi.no>
This API converts a SMP error code to a string.
This can be useful if application developers want
to print them in the applications.
BT_SMP_ERR_SUCCESS was added for completeness.
Later we can also use them in the host to improve debuggability.
Signed-off-by: Rubin Gerritsen <rubin.gerritsen@nordicsemi.no>
This API replaces `bt_l2cap_send()` and `bt_l2cap_send_cb()`.
The difference is that it takes the `struct bt_l2cap_le_chan` object
directly instead of a connection + CID.
We need the channel object in order to put the PDU on the TX queue. It
is inefficient to do a search for every PDU when the caller knows the
channel object's address and can just pass it down.
Signed-off-by: Jonathan Rico <jonathan.rico@nordicsemi.no>
Add functions to do XOR on arrays of memory, with one that
takes arbitrary sizes and one for 32 bits and 128 bits as
those are common sizes for this functionality.
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
Added run-time BT_CENTRAL role check for the path that was
central specific and did not have such check.
When multi-role BT device tried to pair without bonding (peripheral role)
while already previously bonded with the same device on another
Bluetooth identity, pairing failed.
It executed central-specific code, which should not be executed in case
when the device acts as peripheral (as it is even opt-out from code when
CONFIG_BT_CENTRAL is not enabled).
Signed-off-by: Mateusz Kapala <mateusz.kapala@nordicsemi.no>
If the bonding information has been cleared before pairing had a chance
to complete (probably by the application), indicate this by setting an
appropriate log message.
Also check that keys exist before calling `bt_keys_store`.
Fixes#59788 and #61465
Signed-off-by: Théo Battrel <theo.battrel@nordicsemi.no>
Fix an issue in the CCC configuration when the Peripheral device
maintains two or more distinct connections on different identities
with the same peer. The issue occurs when the local device performs
the pairing and the bonding procedure on a connection associated
with one of the Bluetooth identities. During the identity resolution,
the peer address field in the CCC descriptor is converted from the
RPA-type address to the Identity Address. However, the destination
address on the remaining connection objects associated with other
Bluetooth identities is not converted. Due to this, their CCC
configuration is reset and GATT indications and notification fail
to be sent even if the Central device subscribed to them.
Added necessary code to iterate over all connection objects during
the identity resolution phase and aligned their destination address
from the RPA-type to the Identity Address.
Signed-off-by: Kamil Piszczek <Kamil.Piszczek@nordicsemi.no>
Fix a bunch of mismatched CONTAINER_OF, few missing
k_work_delayable_from_work conversions but also many
bt_l2cap_le_chan/bt_l2cap_chan and few others.
Signed-off-by: Fabio Baltieri <fabiobaltieri@google.com>
Fix few instances of delayable work handlers using the k_work pointer
directly in a CONTAINER_OF pointing to a k_work_delayable.
This is harmless since the k_work is the first element in
k_work_delayable, but using k_work_delayable_from_work is the right way
of handling it.
Change a couple of explicit CONTAINER_OF doing the same work as the
macro in the process.
Signed-off-by: Fabio Baltieri <fabiobaltieri@google.com>
Fixes a coverity-reported issue by explicitly ignoring the return value
of the cas-operation. The return value is the old value, but we are not
interested in it in the situation when we just want to initialize a
value if it is in the uninitialized state.
Fixes: https://github.com/zephyrproject-rtos/zephyr/issues/60474
Signed-off-by: Aleksander Wasaznik <aleksander.wasaznik@nordicsemi.no>
The current API for changing the bondable mode uses the global flag.
With Zephyr support for multiple Bluetooth identities, the API for
changing the bondable mode should be more fine-grained.
The bondable requirements of one identity should not have an impact on
another identity which can have a different set of requirements.
This change introduces function to overlay bondable flag per
connection.
Signed-off-by: Mateusz Kapala <mateusz.kapala@nordicsemi.no>
If disconnection has been triggered in between the security update and
the call to `smp_pairing_complete` we need to abort the pairing.
The disconnection may have been triggered by `bt_unpair`, in that case
the keys will have been erased and it will lead to an assertion to
continue as if nothing happened.
To resolve this issue, at the beginning of `smp_pairing_complete` the
`status` is set to `BT_SMP_ERR_UNSPECIFIED` if there is no connection.
Signed-off-by: Théo Battrel <theo.battrel@nordicsemi.no>
Cast `dhkey` to `void*` to avoid a warning from the logging subsystem:
```
<wrn> cbprintf_package: (unsigned) char * used for %p argument.
It's recommended to cast it to void * because it may cause misbehavior
in certain configurations
```
Signed-off-by: Herman Berget <herman.berget@nordicsemi.no>