android10/system/bt/stack/smp/smp_utils.cc

/******************************************************************************
 *
 *  Copyright 1999-2012 Broadcom Corporation
 *
 *  Licensed under the Apache License, Version 2.0 (the "License");
 *  you may not use this file except in compliance with the License.
 *  You may obtain a copy of the License at:
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
 *****************************************************************************/

/******************************************************************************
 *
 *  This file contains functions for the SMP L2CAP utility functions
 *
 ******************************************************************************/
#include "bt_target.h"

#include <ctype.h>
#include <string.h>
#include "bt_types.h"
#include "bt_utils.h"
#include "btm_ble_api.h"
#include "btm_int.h"
#include "common/metrics.h"
#include "device/include/controller.h"
#include "hcidefs.h"
#include "l2c_api.h"
#include "l2c_int.h"
#include "osi/include/osi.h"
#include "smp_int.h"

#define SMP_PAIRING_REQ_SIZE 7
#define SMP_CONFIRM_CMD_SIZE (OCTET16_LEN + 1)
#define SMP_RAND_CMD_SIZE (OCTET16_LEN + 1)
#define SMP_INIT_CMD_SIZE (OCTET16_LEN + 1)
#define SMP_ENC_INFO_SIZE (OCTET16_LEN + 1)
#define SMP_MASTER_ID_SIZE (BT_OCTET8_LEN + 2 + 1)
#define SMP_ID_INFO_SIZE (OCTET16_LEN + 1)
#define SMP_ID_ADDR_SIZE (BD_ADDR_LEN + 1 + 1)
#define SMP_SIGN_INFO_SIZE (OCTET16_LEN + 1)
#define SMP_PAIR_FAIL_SIZE 2
#define SMP_SECURITY_REQUEST_SIZE 2
#define SMP_PAIR_PUBL_KEY_SIZE (1 /* opcode */ + (2 * BT_OCTET32_LEN))
#define SMP_PAIR_COMMITM_SIZE (1 /* opcode */ + OCTET16_LEN /*Commitment*/)
#define SMP_PAIR_DHKEY_CHECK_SIZE \
  (1 /* opcode */ + OCTET16_LEN /*DHKey \
                                                                   Check*/)
#define SMP_PAIR_KEYPR_NOTIF_SIZE (1 /* opcode */ + 1 /*Notif Type*/)

/* SMP command sizes per spec */
static const uint8_t smp_cmd_size_per_spec[] = {
    0,
    SMP_PAIRING_REQ_SIZE,      /* 0x01: pairing request */
    SMP_PAIRING_REQ_SIZE,      /* 0x02: pairing response */
    SMP_CONFIRM_CMD_SIZE,      /* 0x03: pairing confirm */
    SMP_RAND_CMD_SIZE,         /* 0x04: pairing random */
    SMP_PAIR_FAIL_SIZE,        /* 0x05: pairing failed */
    SMP_ENC_INFO_SIZE,         /* 0x06: encryption information */
    SMP_MASTER_ID_SIZE,        /* 0x07: master identification */
    SMP_ID_INFO_SIZE,          /* 0x08: identity information */
    SMP_ID_ADDR_SIZE,          /* 0x09: identity address information */
    SMP_SIGN_INFO_SIZE,        /* 0x0A: signing information */
    SMP_SECURITY_REQUEST_SIZE, /* 0x0B: security request */
    SMP_PAIR_PUBL_KEY_SIZE,    /* 0x0C: pairing public key */
    SMP_PAIR_DHKEY_CHECK_SIZE, /* 0x0D: pairing dhkey check */
    SMP_PAIR_KEYPR_NOTIF_SIZE, /* 0x0E: pairing keypress notification */
    SMP_PAIR_COMMITM_SIZE      /* 0x0F: pairing commitment */
};

static bool smp_parameter_unconditionally_valid(tSMP_CB* p_cb);
static bool smp_parameter_unconditionally_invalid(tSMP_CB* p_cb);

/* type for SMP command length validation functions */
typedef bool (*tSMP_CMD_LEN_VALID)(tSMP_CB* p_cb);

static bool smp_command_has_valid_fixed_length(tSMP_CB* p_cb);

static const tSMP_CMD_LEN_VALID smp_cmd_len_is_valid[] = {
    smp_parameter_unconditionally_invalid,
    smp_command_has_valid_fixed_length, /* 0x01: pairing request */
    smp_command_has_valid_fixed_length, /* 0x02: pairing response */
    smp_command_has_valid_fixed_length, /* 0x03: pairing confirm */
    smp_command_has_valid_fixed_length, /* 0x04: pairing random */
    smp_command_has_valid_fixed_length, /* 0x05: pairing failed */
    smp_command_has_valid_fixed_length, /* 0x06: encryption information */
    smp_command_has_valid_fixed_length, /* 0x07: master identification */
    smp_command_has_valid_fixed_length, /* 0x08: identity information */
    smp_command_has_valid_fixed_length, /* 0x09: identity address information */
    smp_command_has_valid_fixed_length, /* 0x0A: signing information */
    smp_command_has_valid_fixed_length, /* 0x0B: security request */
    smp_command_has_valid_fixed_length, /* 0x0C: pairing public key */
    smp_command_has_valid_fixed_length, /* 0x0D: pairing dhkey check */
    smp_command_has_valid_fixed_length, /* 0x0E: pairing keypress notification*/
    smp_command_has_valid_fixed_length  /* 0x0F: pairing commitment */
};

/* type for SMP command parameter ranges validation functions */
typedef bool (*tSMP_CMD_PARAM_RANGES_VALID)(tSMP_CB* p_cb);

static bool smp_pairing_request_response_parameters_are_valid(tSMP_CB* p_cb);
static bool smp_pairing_keypress_notification_is_valid(tSMP_CB* p_cb);

static const tSMP_CMD_PARAM_RANGES_VALID smp_cmd_param_ranges_are_valid[] = {
    smp_parameter_unconditionally_invalid,
    smp_pairing_request_response_parameters_are_valid, /* 0x01: pairing
                                                          request */
    smp_pairing_request_response_parameters_are_valid, /* 0x02: pairing
                                                          response */
    smp_parameter_unconditionally_valid, /* 0x03: pairing confirm */
    smp_parameter_unconditionally_valid, /* 0x04: pairing random */
    smp_parameter_unconditionally_valid, /* 0x05: pairing failed */
    smp_parameter_unconditionally_valid, /* 0x06: encryption information */
    smp_parameter_unconditionally_valid, /* 0x07: master identification */
    smp_parameter_unconditionally_valid, /* 0x08: identity information */
    smp_parameter_unconditionally_valid, /* 0x09: identity address
                                            information */
    smp_parameter_unconditionally_valid, /* 0x0A: signing information */
    smp_parameter_unconditionally_valid, /* 0x0B: security request */
    smp_parameter_unconditionally_valid, /* 0x0C: pairing public key */
    smp_parameter_unconditionally_valid, /* 0x0D: pairing dhkey check */
    smp_pairing_keypress_notification_is_valid, /* 0x0E: pairing keypress
                                                   notification */
    smp_parameter_unconditionally_valid         /* 0x0F: pairing commitment */
};

/* type for action functions */
typedef BT_HDR* (*tSMP_CMD_ACT)(uint8_t cmd_code, tSMP_CB* p_cb);

static BT_HDR* smp_build_pairing_cmd(uint8_t cmd_code, tSMP_CB* p_cb);
static BT_HDR* smp_build_confirm_cmd(UNUSED_ATTR uint8_t cmd_code,
                                     tSMP_CB* p_cb);
static BT_HDR* smp_build_rand_cmd(UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb);
static BT_HDR* smp_build_pairing_fail(UNUSED_ATTR uint8_t cmd_code,
                                      tSMP_CB* p_cb);
static BT_HDR* smp_build_identity_info_cmd(UNUSED_ATTR uint8_t cmd_code,
                                           tSMP_CB* p_cb);
static BT_HDR* smp_build_encrypt_info_cmd(UNUSED_ATTR uint8_t cmd_code,
                                          tSMP_CB* p_cb);
static BT_HDR* smp_build_security_request(UNUSED_ATTR uint8_t cmd_code,
                                          tSMP_CB* p_cb);
static BT_HDR* smp_build_signing_info_cmd(UNUSED_ATTR uint8_t cmd_code,
                                          tSMP_CB* p_cb);
static BT_HDR* smp_build_master_id_cmd(UNUSED_ATTR uint8_t cmd_code,
                                       tSMP_CB* p_cb);
static BT_HDR* smp_build_id_addr_cmd(UNUSED_ATTR uint8_t cmd_code,
                                     tSMP_CB* p_cb);
static BT_HDR* smp_build_pair_public_key_cmd(UNUSED_ATTR uint8_t cmd_code,
                                             tSMP_CB* p_cb);
static BT_HDR* smp_build_pairing_commitment_cmd(UNUSED_ATTR uint8_t cmd_code,
                                                tSMP_CB* p_cb);
static BT_HDR* smp_build_pair_dhkey_check_cmd(UNUSED_ATTR uint8_t cmd_code,
                                              tSMP_CB* p_cb);
static BT_HDR* smp_build_pairing_keypress_notification_cmd(
    UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb);

static const tSMP_CMD_ACT smp_cmd_build_act[] = {
    NULL, smp_build_pairing_cmd,    /* 0x01: pairing request */
    smp_build_pairing_cmd,          /* 0x02: pairing response */
    smp_build_confirm_cmd,          /* 0x03: pairing confirm */
    smp_build_rand_cmd,             /* 0x04: pairing random */
    smp_build_pairing_fail,         /* 0x05: pairing failure */
    smp_build_encrypt_info_cmd,     /* 0x06: encryption information */
    smp_build_master_id_cmd,        /* 0x07: master identification */
    smp_build_identity_info_cmd,    /* 0x08: identity information */
    smp_build_id_addr_cmd,          /* 0x09: identity address information */
    smp_build_signing_info_cmd,     /* 0x0A: signing information */
    smp_build_security_request,     /* 0x0B: security request */
    smp_build_pair_public_key_cmd,  /* 0x0C: pairing public key */
    smp_build_pair_dhkey_check_cmd, /* 0x0D: pairing DHKey check */
    smp_build_pairing_keypress_notification_cmd, /* 0x0E: pairing keypress
                                                    notification */
    smp_build_pairing_commitment_cmd             /* 0x0F: pairing commitment */
};

static const uint8_t smp_association_table[2][SMP_IO_CAP_MAX][SMP_IO_CAP_MAX] =
    {
        /* display only */ /* Display Yes/No */ /* keyboard only */
        /* No Input/Output */                   /* keyboard display */

        /* initiator */
        /* model = tbl[peer_io_caps][loc_io_caps] */
        /* Display Only */
        {{SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
          SMP_MODEL_PASSKEY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY},

         /* Display Yes/No */
         {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
          SMP_MODEL_PASSKEY, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY},

         /* Keyboard only */
         {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY,
          SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF},

         /* No Input No Output */
         {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
          SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
          SMP_MODEL_ENCRYPTION_ONLY},

         /* keyboard display */
         {SMP_MODEL_KEY_NOTIF, SMP_MODEL_KEY_NOTIF, SMP_MODEL_PASSKEY,
          SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF}},

        /* responder */
        /* model = tbl[loc_io_caps][peer_io_caps] */
        /* Display Only */
        {{SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
          SMP_MODEL_KEY_NOTIF, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF},

         /* Display Yes/No */
         {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
          SMP_MODEL_KEY_NOTIF, SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_KEY_NOTIF},

         /* keyboard only */
         {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY,
          SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY},

         /* No Input No Output */
         {SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
          SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_ENCRYPTION_ONLY,
          SMP_MODEL_ENCRYPTION_ONLY},

         /* keyboard display */
         {SMP_MODEL_PASSKEY, SMP_MODEL_PASSKEY, SMP_MODEL_KEY_NOTIF,
          SMP_MODEL_ENCRYPTION_ONLY, SMP_MODEL_PASSKEY}}};

static const uint8_t
    smp_association_table_sc[2][SMP_IO_CAP_MAX][SMP_IO_CAP_MAX] = {
        /* display only */ /* Display Yes/No */ /* keyboard only */
        /* No InputOutput */                    /* keyboard display */

        /* initiator */
        /* model = tbl[peer_io_caps][loc_io_caps] */

        /* Display Only */
        {{SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
          SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
          SMP_MODEL_SEC_CONN_PASSKEY_ENT},

         /* Display Yes/No */
         {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP,
          SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
          SMP_MODEL_SEC_CONN_NUM_COMP},

         /* keyboard only */
         {SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_PASSKEY_DISP,
          SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
          SMP_MODEL_SEC_CONN_PASSKEY_DISP},

         /* No Input No Output */
         {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
          SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
          SMP_MODEL_SEC_CONN_JUSTWORKS},

         /* keyboard display */
         {SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_NUM_COMP,
          SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
          SMP_MODEL_SEC_CONN_NUM_COMP}},

        /* responder */
        /* model = tbl[loc_io_caps][peer_io_caps] */

        /* Display Only */
        {{SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
          SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS,
          SMP_MODEL_SEC_CONN_PASSKEY_DISP},

         /* Display Yes/No */
         {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_NUM_COMP,
          SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS,
          SMP_MODEL_SEC_CONN_NUM_COMP},

         /* keyboard only */
         {SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_PASSKEY_ENT,
          SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_JUSTWORKS,
          SMP_MODEL_SEC_CONN_PASSKEY_ENT},

         /* No Input No Output */
         {SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
          SMP_MODEL_SEC_CONN_JUSTWORKS, SMP_MODEL_SEC_CONN_JUSTWORKS,
          SMP_MODEL_SEC_CONN_JUSTWORKS},

         /* keyboard display */
         {SMP_MODEL_SEC_CONN_PASSKEY_ENT, SMP_MODEL_SEC_CONN_NUM_COMP,
          SMP_MODEL_SEC_CONN_PASSKEY_DISP, SMP_MODEL_SEC_CONN_JUSTWORKS,
          SMP_MODEL_SEC_CONN_NUM_COMP}}};

static tSMP_ASSO_MODEL smp_select_legacy_association_model(tSMP_CB* p_cb);
static tSMP_ASSO_MODEL smp_select_association_model_secure_connections(
    tSMP_CB* p_cb);

/**
 * Log metrics data for SMP command
 *
 * @param bd_addr current pairing address
 * @param is_outgoing whether this command is outgoing
 * @param p_buf buffer to the beginning of SMP command
 * @param buf_len length available to read for p_buf
 */
void smp_log_metrics(const RawAddress& bd_addr, bool is_outgoing,
                     const uint8_t* p_buf, size_t buf_len) {
  if (buf_len < 1) {
    LOG(WARNING) << __func__ << ": buffer is too small, size is " << buf_len;
    return;
  }
  uint8_t cmd;
  STREAM_TO_UINT8(cmd, p_buf);
  buf_len--;
  uint8_t failure_reason = 0;
  if (cmd == SMP_OPCODE_PAIRING_FAILED && buf_len >= 1) {
    STREAM_TO_UINT8(failure_reason, p_buf);
  }
  android::bluetooth::DirectionEnum direction =
      is_outgoing ? android::bluetooth::DirectionEnum::DIRECTION_OUTGOING
                  : android::bluetooth::DirectionEnum::DIRECTION_INCOMING;
  bluetooth::common::LogSmpPairingEvent(bd_addr, cmd, direction,
                                        failure_reason);
}

/*******************************************************************************
 *
 * Function         smp_send_msg_to_L2CAP
 *
 * Description      Send message to L2CAP.
 *
 ******************************************************************************/
bool smp_send_msg_to_L2CAP(const RawAddress& rem_bda, BT_HDR* p_toL2CAP) {
  uint16_t l2cap_ret;
  uint16_t fixed_cid = L2CAP_SMP_CID;

  if (smp_cb.smp_over_br) {
    fixed_cid = L2CAP_SMP_BR_CID;
  }

  SMP_TRACE_EVENT("%s", __func__);
  smp_cb.total_tx_unacked += 1;

  smp_log_metrics(rem_bda, true /* outgoing */,
                  p_toL2CAP->data + p_toL2CAP->offset, p_toL2CAP->len);

  l2cap_ret = L2CA_SendFixedChnlData(fixed_cid, rem_bda, p_toL2CAP);
  if (l2cap_ret == L2CAP_DW_FAILED) {
    smp_cb.total_tx_unacked -= 1;
    SMP_TRACE_ERROR("SMP failed to pass msg to L2CAP");
    return false;
  } else
    return true;
}

/*******************************************************************************
 *
 * Function         smp_send_cmd
 *
 * Description      send a SMP command on L2CAP channel.
 *
 ******************************************************************************/
bool smp_send_cmd(uint8_t cmd_code, tSMP_CB* p_cb) {
  BT_HDR* p_buf;
  bool sent = false;

  SMP_TRACE_EVENT("%s: on l2cap cmd_code=0x%x, pairing_bda=%s", __func__,
                  cmd_code, p_cb->pairing_bda.ToString().c_str());

  if (cmd_code <= (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */) &&
      smp_cmd_build_act[cmd_code] != NULL) {
    p_buf = (*smp_cmd_build_act[cmd_code])(cmd_code, p_cb);

    if (p_buf != NULL && smp_send_msg_to_L2CAP(p_cb->pairing_bda, p_buf)) {
      sent = true;
      alarm_set_on_mloop(p_cb->smp_rsp_timer_ent, SMP_WAIT_FOR_RSP_TIMEOUT_MS,
                         smp_rsp_timeout, NULL);
    }
  }

  if (!sent) {
    tSMP_INT_DATA smp_int_data;
    smp_int_data.status = SMP_PAIR_INTERNAL_ERR;
    if (p_cb->smp_over_br) {
      smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
    } else {
      smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
    }
  }
  return sent;
}

/*******************************************************************************
 *
 * Function         smp_rsp_timeout
 *
 * Description      Called when SMP wait for SMP command response timer expires
 *
 * Returns          void
 *
 ******************************************************************************/
void smp_rsp_timeout(UNUSED_ATTR void* data) {
  tSMP_CB* p_cb = &smp_cb;

  SMP_TRACE_EVENT("%s state:%d br_state:%d", __func__, p_cb->state,
                  p_cb->br_state);

  tSMP_INT_DATA smp_int_data;
  smp_int_data.status = SMP_RSP_TIMEOUT;
  if (p_cb->smp_over_br) {
    smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data);
  } else {
    smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
  }
}

/*******************************************************************************
 *
 * Function         smp_delayed_auth_complete_timeout
 *
 * Description      Called when no pairing failed command received within
 *                  timeout period.
 *
 * Returns          void
 *
 ******************************************************************************/
void smp_delayed_auth_complete_timeout(UNUSED_ATTR void* data) {
  /*
   * Waited for potential pair failure. Send SMP_AUTH_CMPL_EVT if
   * the state is still in bond pending.
   */
  if (smp_get_state() == SMP_STATE_BOND_PENDING) {
    SMP_TRACE_EVENT("%s sending delayed auth complete.", __func__);
    tSMP_INT_DATA smp_int_data;
    smp_int_data.status = SMP_SUCCESS;
    smp_sm_event(&smp_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
  }
}

/*******************************************************************************
 *
 * Function         smp_build_pairing_req_cmd
 *
 * Description      Build pairing request command.
 *
 ******************************************************************************/
BT_HDR* smp_build_pairing_cmd(uint8_t cmd_code, tSMP_CB* p_cb) {
  uint8_t* p;
  BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIRING_REQ_SIZE +
                                      L2CAP_MIN_OFFSET);

  SMP_TRACE_EVENT("%s", __func__);

  p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
  UINT8_TO_STREAM(p, cmd_code);
  UINT8_TO_STREAM(p, p_cb->local_io_capability);
  UINT8_TO_STREAM(p, p_cb->loc_oob_flag);
  UINT8_TO_STREAM(p, p_cb->loc_auth_req);
  UINT8_TO_STREAM(p, p_cb->loc_enc_size);
  UINT8_TO_STREAM(p, p_cb->local_i_key);
  UINT8_TO_STREAM(p, p_cb->local_r_key);

  p_buf->offset = L2CAP_MIN_OFFSET;
  /* 1B ERR_RSP op code + 1B cmd_op_code + 2B handle + 1B status */
  p_buf->len = SMP_PAIRING_REQ_SIZE;

  return p_buf;
}

/*******************************************************************************
 *
 * Function         smp_build_confirm_cmd
 *
 * Description      Build confirm request command.
 *
 ******************************************************************************/
static BT_HDR* smp_build_confirm_cmd(UNUSED_ATTR uint8_t cmd_code,
                                     tSMP_CB* p_cb) {
  uint8_t* p;
  BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_CONFIRM_CMD_SIZE +
                                      L2CAP_MIN_OFFSET);

  SMP_TRACE_EVENT("%s", __func__);

  p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;

  UINT8_TO_STREAM(p, SMP_OPCODE_CONFIRM);
  ARRAY_TO_STREAM(p, p_cb->confirm, OCTET16_LEN);

  p_buf->offset = L2CAP_MIN_OFFSET;
  p_buf->len = SMP_CONFIRM_CMD_SIZE;

  return p_buf;
}

/*******************************************************************************
 *
 * Function         smp_build_rand_cmd
 *
 * Description      Build Random command.
 *
 ******************************************************************************/
static BT_HDR* smp_build_rand_cmd(UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb) {
  uint8_t* p;
  BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_RAND_CMD_SIZE +
                                      L2CAP_MIN_OFFSET);

  SMP_TRACE_EVENT("%s", __func__);

  p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
  UINT8_TO_STREAM(p, SMP_OPCODE_RAND);
  ARRAY_TO_STREAM(p, p_cb->rand, OCTET16_LEN);

  p_buf->offset = L2CAP_MIN_OFFSET;
  p_buf->len = SMP_RAND_CMD_SIZE;

  return p_buf;
}

/*******************************************************************************
 *
 * Function         smp_build_encrypt_info_cmd
 *
 * Description      Build security information command.
 *
 ******************************************************************************/
static BT_HDR* smp_build_encrypt_info_cmd(UNUSED_ATTR uint8_t cmd_code,
                                          tSMP_CB* p_cb) {
  uint8_t* p;
  BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ENC_INFO_SIZE +
                                      L2CAP_MIN_OFFSET);

  SMP_TRACE_EVENT("%s", __func__);

  p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
  UINT8_TO_STREAM(p, SMP_OPCODE_ENCRYPT_INFO);
  ARRAY_TO_STREAM(p, p_cb->ltk, OCTET16_LEN);

  p_buf->offset = L2CAP_MIN_OFFSET;
  p_buf->len = SMP_ENC_INFO_SIZE;

  return p_buf;
}

/*******************************************************************************
 *
 * Function         smp_build_master_id_cmd
 *
 * Description      Build security information command.
 *
 ******************************************************************************/
static BT_HDR* smp_build_master_id_cmd(UNUSED_ATTR uint8_t cmd_code,
                                       tSMP_CB* p_cb) {
  uint8_t* p;
  BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_MASTER_ID_SIZE +
                                      L2CAP_MIN_OFFSET);

  SMP_TRACE_EVENT("%s", __func__);

  p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
  UINT8_TO_STREAM(p, SMP_OPCODE_MASTER_ID);
  UINT16_TO_STREAM(p, p_cb->ediv);
  ARRAY_TO_STREAM(p, p_cb->enc_rand, BT_OCTET8_LEN);

  p_buf->offset = L2CAP_MIN_OFFSET;
  p_buf->len = SMP_MASTER_ID_SIZE;

  return p_buf;
}

/*******************************************************************************
 *
 * Function         smp_build_identity_info_cmd
 *
 * Description      Build identity information command.
 *
 ******************************************************************************/
static BT_HDR* smp_build_identity_info_cmd(UNUSED_ATTR uint8_t cmd_code,
                                           UNUSED_ATTR tSMP_CB* p_cb) {
  uint8_t* p;
  BT_HDR* p_buf =
      (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ID_INFO_SIZE + L2CAP_MIN_OFFSET);

  SMP_TRACE_EVENT("%s", __func__);

  p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;

  const Octet16& irk = BTM_GetDeviceIDRoot();

  UINT8_TO_STREAM(p, SMP_OPCODE_IDENTITY_INFO);
  ARRAY_TO_STREAM(p, irk.data(), OCTET16_LEN);

  p_buf->offset = L2CAP_MIN_OFFSET;
  p_buf->len = SMP_ID_INFO_SIZE;

  return p_buf;
}

/*******************************************************************************
 *
 * Function         smp_build_id_addr_cmd
 *
 * Description      Build identity address information command.
 *
 ******************************************************************************/
static BT_HDR* smp_build_id_addr_cmd(UNUSED_ATTR uint8_t cmd_code,
                                     UNUSED_ATTR tSMP_CB* p_cb) {
  uint8_t* p;
  BT_HDR* p_buf =
      (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_ID_ADDR_SIZE + L2CAP_MIN_OFFSET);

  SMP_TRACE_EVENT("%s", __func__);

  p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
  UINT8_TO_STREAM(p, SMP_OPCODE_ID_ADDR);
  UINT8_TO_STREAM(p, 0);
  BDADDR_TO_STREAM(p, *controller_get_interface()->get_address());

  p_buf->offset = L2CAP_MIN_OFFSET;
  p_buf->len = SMP_ID_ADDR_SIZE;

  return p_buf;
}

/*******************************************************************************
 *
 * Function         smp_build_signing_info_cmd
 *
 * Description      Build signing information command.
 *
 ******************************************************************************/
static BT_HDR* smp_build_signing_info_cmd(UNUSED_ATTR uint8_t cmd_code,
                                          tSMP_CB* p_cb) {
  uint8_t* p;
  BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_SIGN_INFO_SIZE +
                                      L2CAP_MIN_OFFSET);

  SMP_TRACE_EVENT("%s", __func__);

  p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
  UINT8_TO_STREAM(p, SMP_OPCODE_SIGN_INFO);
  ARRAY_TO_STREAM(p, p_cb->csrk, OCTET16_LEN);

  p_buf->offset = L2CAP_MIN_OFFSET;
  p_buf->len = SMP_SIGN_INFO_SIZE;

  return p_buf;
}

/*******************************************************************************
 *
 * Function         smp_build_pairing_fail
 *
 * Description      Build Pairing Fail command.
 *
 ******************************************************************************/
static BT_HDR* smp_build_pairing_fail(UNUSED_ATTR uint8_t cmd_code,
                                      tSMP_CB* p_cb) {
  uint8_t* p;
  BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_FAIL_SIZE +
                                      L2CAP_MIN_OFFSET);

  SMP_TRACE_EVENT("%s", __func__);

  p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
  UINT8_TO_STREAM(p, SMP_OPCODE_PAIRING_FAILED);
  UINT8_TO_STREAM(p, p_cb->failure);

  p_buf->offset = L2CAP_MIN_OFFSET;
  p_buf->len = SMP_PAIR_FAIL_SIZE;

  return p_buf;
}

/*******************************************************************************
 *
 * Function         smp_build_security_request
 *
 * Description      Build security request command.
 *
 ******************************************************************************/
static BT_HDR* smp_build_security_request(UNUSED_ATTR uint8_t cmd_code,
                                          tSMP_CB* p_cb) {
  uint8_t* p;
  BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + 2 + L2CAP_MIN_OFFSET);

  SMP_TRACE_EVENT("%s", __func__);

  p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
  UINT8_TO_STREAM(p, SMP_OPCODE_SEC_REQ);
  UINT8_TO_STREAM(p, p_cb->loc_auth_req);

  p_buf->offset = L2CAP_MIN_OFFSET;
  p_buf->len = SMP_SECURITY_REQUEST_SIZE;

  SMP_TRACE_EVENT("opcode=%d auth_req=0x%x", SMP_OPCODE_SEC_REQ,
                  p_cb->loc_auth_req);

  return p_buf;
}

/*******************************************************************************
 *
 * Function         smp_build_pair_public_key_cmd
 *
 * Description      Build pairing public key command.
 *
 ******************************************************************************/
static BT_HDR* smp_build_pair_public_key_cmd(UNUSED_ATTR uint8_t cmd_code,
                                             tSMP_CB* p_cb) {
  uint8_t* p;
  uint8_t publ_key[2 * BT_OCTET32_LEN];
  uint8_t* p_publ_key = publ_key;
  BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_PUBL_KEY_SIZE +
                                      L2CAP_MIN_OFFSET);

  SMP_TRACE_EVENT("%s", __func__);

  memcpy(p_publ_key, p_cb->loc_publ_key.x, BT_OCTET32_LEN);
  memcpy(p_publ_key + BT_OCTET32_LEN, p_cb->loc_publ_key.y, BT_OCTET32_LEN);

  p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
  UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_PUBLIC_KEY);
  ARRAY_TO_STREAM(p, p_publ_key, 2 * BT_OCTET32_LEN);

  p_buf->offset = L2CAP_MIN_OFFSET;
  p_buf->len = SMP_PAIR_PUBL_KEY_SIZE;

  return p_buf;
}

/*******************************************************************************
 *
 * Function         smp_build_pairing_commitment_cmd
 *
 * Description      Build pairing commitment command.
 *
 ******************************************************************************/
static BT_HDR* smp_build_pairing_commitment_cmd(UNUSED_ATTR uint8_t cmd_code,
                                                tSMP_CB* p_cb) {
  uint8_t* p;
  BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_COMMITM_SIZE +
                                      L2CAP_MIN_OFFSET);

  SMP_TRACE_EVENT("%s", __func__);

  p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
  UINT8_TO_STREAM(p, SMP_OPCODE_CONFIRM);
  ARRAY_TO_STREAM(p, p_cb->commitment, OCTET16_LEN);

  p_buf->offset = L2CAP_MIN_OFFSET;
  p_buf->len = SMP_PAIR_COMMITM_SIZE;

  return p_buf;
}

/*******************************************************************************
 *
 * Function         smp_build_pair_dhkey_check_cmd
 *
 * Description      Build pairing DHKey check command.
 *
 ******************************************************************************/
static BT_HDR* smp_build_pair_dhkey_check_cmd(UNUSED_ATTR uint8_t cmd_code,
                                              tSMP_CB* p_cb) {
  uint8_t* p;
  BT_HDR* p_buf = (BT_HDR*)osi_malloc(
      sizeof(BT_HDR) + SMP_PAIR_DHKEY_CHECK_SIZE + L2CAP_MIN_OFFSET);

  SMP_TRACE_EVENT("%s", __func__);

  p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
  UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_DHKEY_CHECK);
  ARRAY_TO_STREAM(p, p_cb->dhkey_check, OCTET16_LEN);

  p_buf->offset = L2CAP_MIN_OFFSET;
  p_buf->len = SMP_PAIR_DHKEY_CHECK_SIZE;

  return p_buf;
}

/*******************************************************************************
 *
 * Function         smp_build_pairing_keypress_notification_cmd
 *
 * Description      Build keypress notification command.
 *
 ******************************************************************************/
static BT_HDR* smp_build_pairing_keypress_notification_cmd(
    UNUSED_ATTR uint8_t cmd_code, tSMP_CB* p_cb) {
  uint8_t* p;
  BT_HDR* p_buf = (BT_HDR*)osi_malloc(
      sizeof(BT_HDR) + SMP_PAIR_KEYPR_NOTIF_SIZE + L2CAP_MIN_OFFSET);

  SMP_TRACE_EVENT("%s", __func__);

  p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
  UINT8_TO_STREAM(p, SMP_OPCODE_PAIR_KEYPR_NOTIF);
  UINT8_TO_STREAM(p, p_cb->local_keypress_notification);

  p_buf->offset = L2CAP_MIN_OFFSET;
  p_buf->len = SMP_PAIR_KEYPR_NOTIF_SIZE;

  return p_buf;
}

/** This function is called to convert a 6 to 16 digits numeric character string
 * into SMP TK. */
void smp_convert_string_to_tk(Octet16* tk, uint32_t passkey) {
  uint8_t* p = tk->data();
  tSMP_KEY key;
  SMP_TRACE_EVENT("smp_convert_string_to_tk");
  UINT32_TO_STREAM(p, passkey);

  key.key_type = SMP_KEY_TYPE_TK;
  key.p_data = tk->data();

  tSMP_INT_DATA smp_int_data;
  smp_int_data.key = key;
  smp_sm_event(&smp_cb, SMP_KEY_READY_EVT, &smp_int_data);
}

/** This function is called to mask off the encryption key based on the maximum
 * encryption key size. */
void smp_mask_enc_key(uint8_t loc_enc_size, Octet16* p_data) {
  SMP_TRACE_EVENT("smp_mask_enc_key");
  if (loc_enc_size < OCTET16_LEN) {
    for (; loc_enc_size < OCTET16_LEN; loc_enc_size++)
      (*p_data)[loc_enc_size] = 0;
  }
  return;
}

/** utility function to do an biteise exclusive-OR of two bit strings of the
 * length of OCTET16_LEN. Result is stored in first argument.
 */
void smp_xor_128(Octet16* a, const Octet16& b) {
  CHECK(a);
  uint8_t i, *aa = a->data();
  const uint8_t* bb = b.data();

  for (i = 0; i < OCTET16_LEN; i++) {
    aa[i] = aa[i] ^ bb[i];
  }
}

/*******************************************************************************
 *
 * Function         smp_cb_cleanup
 *
 * Description      Clean up SMP control block
 *
 * Returns          void
 *
 ******************************************************************************/
void smp_cb_cleanup(tSMP_CB* p_cb) {
  tSMP_CALLBACK* p_callback = p_cb->p_callback;
  uint8_t trace_level = p_cb->trace_level;
  alarm_t* smp_rsp_timer_ent = p_cb->smp_rsp_timer_ent;
  alarm_t* delayed_auth_timer_ent = p_cb->delayed_auth_timer_ent;

  SMP_TRACE_EVENT("smp_cb_cleanup");

  alarm_cancel(p_cb->smp_rsp_timer_ent);
  alarm_cancel(p_cb->delayed_auth_timer_ent);
  memset(p_cb, 0, sizeof(tSMP_CB));
  p_cb->p_callback = p_callback;
  p_cb->trace_level = trace_level;
  p_cb->smp_rsp_timer_ent = smp_rsp_timer_ent;
  p_cb->delayed_auth_timer_ent = delayed_auth_timer_ent;
}

/*******************************************************************************
 *
 * Function         smp_remove_fixed_channel
 *
 * Description      This function is called to remove the fixed channel
 *
 * Returns          void
 *
 ******************************************************************************/
void smp_remove_fixed_channel(tSMP_CB* p_cb) {
  SMP_TRACE_DEBUG("%s", __func__);

  if (p_cb->smp_over_br)
    L2CA_RemoveFixedChnl(L2CAP_SMP_BR_CID, p_cb->pairing_bda);
  else
    L2CA_RemoveFixedChnl(L2CAP_SMP_CID, p_cb->pairing_bda);
}

/*******************************************************************************
 *
 * Function         smp_reset_control_value
 *
 * Description      This function is called to reset the control block value
 *                  when the pairing procedure finished.
 *
 *
 * Returns          void
 *
 ******************************************************************************/
void smp_reset_control_value(tSMP_CB* p_cb) {
  SMP_TRACE_EVENT("%s", __func__);

  alarm_cancel(p_cb->smp_rsp_timer_ent);
  p_cb->flags = 0;
  /* set the link idle timer to drop the link when pairing is done
     usually service discovery will follow authentication complete, to avoid
     racing condition for a link down/up, set link idle timer to be
     SMP_LINK_TOUT_MIN to guarantee SMP key exchange */
  L2CA_SetIdleTimeoutByBdAddr(p_cb->pairing_bda, SMP_LINK_TOUT_MIN,
                              BT_TRANSPORT_LE);

  /* We can tell L2CAP to remove the fixed channel (if it has one) */
  smp_remove_fixed_channel(p_cb);
  smp_cb_cleanup(p_cb);
}

/*******************************************************************************
 *
 * Function         smp_proc_pairing_cmpl
 *
 * Description      This function is called to process pairing complete
 *
 *
 * Returns          void
 *
 ******************************************************************************/
void smp_proc_pairing_cmpl(tSMP_CB* p_cb) {
  tSMP_EVT_DATA evt_data = {0};
  tSMP_CALLBACK* p_callback = p_cb->p_callback;

  SMP_TRACE_DEBUG("%s: pairing_bda=%s", __func__,
                  p_cb->pairing_bda.ToString().c_str());

  evt_data.cmplt.reason = p_cb->status;
  evt_data.cmplt.smp_over_br = p_cb->smp_over_br;

  if (p_cb->status == SMP_SUCCESS) evt_data.cmplt.sec_level = p_cb->sec_level;

  evt_data.cmplt.is_pair_cancel = false;

  if (p_cb->is_pair_cancel) evt_data.cmplt.is_pair_cancel = true;

  SMP_TRACE_DEBUG("send SMP_COMPLT_EVT reason=0x%0x sec_level=0x%0x",
                  evt_data.cmplt.reason, evt_data.cmplt.sec_level);

  RawAddress pairing_bda = p_cb->pairing_bda;

  smp_reset_control_value(p_cb);

  if (p_callback) (*p_callback)(SMP_COMPLT_EVT, pairing_bda, &evt_data);
}

/*******************************************************************************
 *
 * Function         smp_command_has_invalid_length
 *
 * Description      Checks if the received SMP command has invalid length
 *                  It returns true if the command has invalid length.
 *
 * Returns          true if the command has invalid length, false otherwise.
 *
 ******************************************************************************/
bool smp_command_has_invalid_length(tSMP_CB* p_cb) {
  uint8_t cmd_code = p_cb->rcvd_cmd_code;

  if ((cmd_code > (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */)) ||
      (cmd_code < SMP_OPCODE_MIN)) {
    SMP_TRACE_WARNING("%s: Received command with RESERVED code 0x%02x",
                      __func__, cmd_code);
    return true;
  }

  if (!smp_command_has_valid_fixed_length(p_cb)) {
    return true;
  }

  return false;
}

/*******************************************************************************
 *
 * Function         smp_command_has_invalid_parameters
 *
 * Description      Checks if the received SMP command has invalid parameters
 *                  i.e. if the command length is valid and the command
 *                  parameters are inside specified range.
 *                  It returns true if the command has invalid parameters.
 *
 * Returns          true if the command has invalid parameters, false otherwise.
 *
 ******************************************************************************/
bool smp_command_has_invalid_parameters(tSMP_CB* p_cb) {
  uint8_t cmd_code = p_cb->rcvd_cmd_code;

  if ((cmd_code > (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */)) ||
      (cmd_code < SMP_OPCODE_MIN)) {
    SMP_TRACE_WARNING("%s: Received command with RESERVED code 0x%02x",
                      __func__, cmd_code);
    return true;
  }

  if (!(*smp_cmd_len_is_valid[cmd_code])(p_cb)) {
    SMP_TRACE_WARNING("%s: Command length not valid for cmd_code 0x%02x",
                      __func__, cmd_code);
    return true;
  }

  if (!(*smp_cmd_param_ranges_are_valid[cmd_code])(p_cb)) {
    SMP_TRACE_WARNING("%s: Parameter ranges not valid code 0x%02x", __func__,
                      cmd_code);
    return true;
  }

  return false;
}

/*******************************************************************************
 *
 * Function         smp_command_has_valid_fixed_length
 *
 * Description      Checks if the received command size is equal to the size
 *                  according to specs.
 *
 * Returns          true if the command size is as expected, false otherwise.
 *
 * Note             The command is expected to have fixed length.
 ******************************************************************************/
bool smp_command_has_valid_fixed_length(tSMP_CB* p_cb) {
  uint8_t cmd_code = p_cb->rcvd_cmd_code;

  SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, cmd_code);

  if (p_cb->rcvd_cmd_len != smp_cmd_size_per_spec[cmd_code]) {
    SMP_TRACE_WARNING(
        "Rcvd from the peer cmd 0x%02x with invalid length "
        "0x%02x (per spec the length is 0x%02x).",
        cmd_code, p_cb->rcvd_cmd_len, smp_cmd_size_per_spec[cmd_code]);
    return false;
  }

  return true;
}

/*******************************************************************************
 *
 * Function         smp_pairing_request_response_parameters_are_valid
 *
 * Description      Validates parameter ranges in the received SMP command
 *                  pairing request or pairing response.
 *                  The parameters to validate:
 *                  IO capability,
 *                  OOB data flag,
 *                  Bonding_flags in AuthReq
 *                  Maximum encryption key size.
 *                  Returns false if at least one of these parameters is out of
 *                  range.
 *
 ******************************************************************************/
bool smp_pairing_request_response_parameters_are_valid(tSMP_CB* p_cb) {
  uint8_t io_caps = p_cb->peer_io_caps;
  uint8_t oob_flag = p_cb->peer_oob_flag;
  uint8_t bond_flag =
      p_cb->peer_auth_req & 0x03;  // 0x03 is gen bond with appropriate mask
  uint8_t enc_size = p_cb->peer_enc_size;

  SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, p_cb->rcvd_cmd_code);

  if (io_caps >= BTM_IO_CAP_MAX) {
    SMP_TRACE_WARNING(
        "Rcvd from the peer cmd 0x%02x with IO Capability "
        "value (0x%02x) out of range).",
        p_cb->rcvd_cmd_code, io_caps);
    return false;
  }

  if (!((oob_flag == SMP_OOB_NONE) || (oob_flag == SMP_OOB_PRESENT))) {
    SMP_TRACE_WARNING(
        "Rcvd from the peer cmd 0x%02x with OOB data flag value "
        "(0x%02x) out of range).",
        p_cb->rcvd_cmd_code, oob_flag);
    return false;
  }

  if (!((bond_flag == SMP_AUTH_NO_BOND) || (bond_flag == SMP_AUTH_BOND))) {
    SMP_TRACE_WARNING(
        "Rcvd from the peer cmd 0x%02x with Bonding_Flags value (0x%02x) "
        "out of range).",
        p_cb->rcvd_cmd_code, bond_flag);
    return false;
  }

  if ((enc_size < SMP_ENCR_KEY_SIZE_MIN) ||
      (enc_size > SMP_ENCR_KEY_SIZE_MAX)) {
    SMP_TRACE_WARNING(
        "Rcvd from the peer cmd 0x%02x with Maximum Encryption "
        "Key value (0x%02x) out of range).",
        p_cb->rcvd_cmd_code, enc_size);
    return false;
  }

  return true;
}

/*******************************************************************************
 *
 * Function         smp_pairing_keypress_notification_is_valid
 *
 * Description      Validates Notification Type parameter range in the received
 *                  SMP command pairing keypress notification.
 *                  Returns false if this parameter is out of range.
 *
 ******************************************************************************/
bool smp_pairing_keypress_notification_is_valid(tSMP_CB* p_cb) {
  tBTM_SP_KEY_TYPE keypress_notification = p_cb->peer_keypress_notification;

  SMP_TRACE_DEBUG("%s for cmd code 0x%02x", __func__, p_cb->rcvd_cmd_code);

  if (keypress_notification >= BTM_SP_KEY_OUT_OF_RANGE) {
    SMP_TRACE_WARNING(
        "Rcvd from the peer cmd 0x%02x with Pairing Keypress "
        "Notification value (0x%02x) out of range).",
        p_cb->rcvd_cmd_code, keypress_notification);
    return false;
  }

  return true;
}

/*******************************************************************************
 *
 * Function         smp_parameter_unconditionally_valid
 *
 * Description      Always returns true.
 *
 ******************************************************************************/
bool smp_parameter_unconditionally_valid(UNUSED_ATTR tSMP_CB* p_cb) {
  return true;
}

/*******************************************************************************
 *
 * Function         smp_parameter_unconditionally_invalid
 *
 * Description      Always returns false.
 *
 ******************************************************************************/
bool smp_parameter_unconditionally_invalid(UNUSED_ATTR tSMP_CB* p_cb) {
  return false;
}

/*******************************************************************************
 *
 * Function         smp_reject_unexpected_pairing_command
 *
 * Description      send pairing failure to an unexpected pairing command during
 *                  an active pairing process.
 *
 * Returns          void
 *
 ******************************************************************************/
void smp_reject_unexpected_pairing_command(const RawAddress& bd_addr) {
  uint8_t* p;
  BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_FAIL_SIZE +
                                      L2CAP_MIN_OFFSET);

  SMP_TRACE_DEBUG("%s", __func__);

  p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
  UINT8_TO_STREAM(p, SMP_OPCODE_PAIRING_FAILED);
  UINT8_TO_STREAM(p, SMP_PAIR_NOT_SUPPORT);

  p_buf->offset = L2CAP_MIN_OFFSET;
  p_buf->len = SMP_PAIR_FAIL_SIZE;

  smp_send_msg_to_L2CAP(bd_addr, p_buf);
}

/*******************************************************************************
 * Function         smp_select_association_model
 *
 * Description      This function selects association model to use for STK
 *                  generation. Selection is based on both sides' io capability,
 *                  oob data flag and authentication request.
 *
 * Note             If Secure Connections Only mode is required locally then we
 *                  come to this point only if both sides support Secure
 *                  Connections mode, i.e.
 *                  if p_cb->secure_connections_only_mode_required = true
 *                  then we come to this point only if
 *                      (p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT) ==
 *                      (p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) ==
 *                      SMP_SC_SUPPORT_BIT
 *
 ******************************************************************************/
tSMP_ASSO_MODEL smp_select_association_model(tSMP_CB* p_cb) {
  tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE;
  p_cb->le_secure_connections_mode_is_used = false;

  SMP_TRACE_EVENT("%s", __func__);
  SMP_TRACE_DEBUG("%s p_cb->peer_io_caps = %d p_cb->local_io_capability = %d",
                  __func__, p_cb->peer_io_caps, p_cb->local_io_capability);
  SMP_TRACE_DEBUG("%s p_cb->peer_oob_flag = %d p_cb->loc_oob_flag = %d",
                  __func__, p_cb->peer_oob_flag, p_cb->loc_oob_flag);
  SMP_TRACE_DEBUG("%s p_cb->peer_auth_req = 0x%02x p_cb->loc_auth_req = 0x%02x",
                  __func__, p_cb->peer_auth_req, p_cb->loc_auth_req);
  SMP_TRACE_DEBUG(
      "%s p_cb->secure_connections_only_mode_required = %s", __func__,
      p_cb->secure_connections_only_mode_required ? "true" : "false");

  if ((p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT) &&
      (p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT)) {
    p_cb->le_secure_connections_mode_is_used = true;
  }

  if ((p_cb->peer_auth_req & SMP_H7_SUPPORT_BIT) &&
      (p_cb->loc_auth_req & SMP_H7_SUPPORT_BIT)) {
    p_cb->key_derivation_h7_used = TRUE;
  }

  SMP_TRACE_DEBUG("use_sc_process = %d, h7 use = %d",
                  p_cb->le_secure_connections_mode_is_used,
                  p_cb->key_derivation_h7_used);

  if (p_cb->le_secure_connections_mode_is_used) {
    model = smp_select_association_model_secure_connections(p_cb);
  } else {
    model = smp_select_legacy_association_model(p_cb);
  }
  return model;
}

/*******************************************************************************
 * Function         smp_select_legacy_association_model
 *
 * Description      This function is called to select association mode if at
 *                  least one side doesn't support secure connections.
 *
 ******************************************************************************/
tSMP_ASSO_MODEL smp_select_legacy_association_model(tSMP_CB* p_cb) {
  tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE;

  SMP_TRACE_DEBUG("%s", __func__);
  /* if OOB data is present on both devices, then use OOB association model */
  if (p_cb->peer_oob_flag == SMP_OOB_PRESENT &&
      p_cb->loc_oob_flag == SMP_OOB_PRESENT)
    return SMP_MODEL_OOB;

  /* else if neither device requires MITM, then use Just Works association model
   */
  if (SMP_NO_MITM_REQUIRED(p_cb->peer_auth_req) &&
      SMP_NO_MITM_REQUIRED(p_cb->loc_auth_req))
    return SMP_MODEL_ENCRYPTION_ONLY;

  /* otherwise use IO capability to select association model */
  if (p_cb->peer_io_caps < SMP_IO_CAP_MAX &&
      p_cb->local_io_capability < SMP_IO_CAP_MAX) {
    if (p_cb->role == HCI_ROLE_MASTER) {
      model = smp_association_table[p_cb->role][p_cb->peer_io_caps]
                                   [p_cb->local_io_capability];
    } else {
      model = smp_association_table[p_cb->role][p_cb->local_io_capability]
                                   [p_cb->peer_io_caps];
    }
  }

  return model;
}

/*******************************************************************************
 * Function         smp_select_association_model_secure_connections
 *
 * Description      This function is called to select association mode if both
 *                  sides support secure connections.
 *
 ******************************************************************************/
tSMP_ASSO_MODEL smp_select_association_model_secure_connections(tSMP_CB* p_cb) {
  tSMP_ASSO_MODEL model = SMP_MODEL_OUT_OF_RANGE;

  SMP_TRACE_DEBUG("%s", __func__);
  /* if OOB data is present on at least one device, then use OOB association
   * model */
  if (p_cb->peer_oob_flag == SMP_OOB_PRESENT ||
      p_cb->loc_oob_flag == SMP_OOB_PRESENT)
    return SMP_MODEL_SEC_CONN_OOB;

  /* else if neither device requires MITM, then use Just Works association model
   */
  if (SMP_NO_MITM_REQUIRED(p_cb->peer_auth_req) &&
      SMP_NO_MITM_REQUIRED(p_cb->loc_auth_req))
    return SMP_MODEL_SEC_CONN_JUSTWORKS;

  /* otherwise use IO capability to select association model */
  if (p_cb->peer_io_caps < SMP_IO_CAP_MAX &&
      p_cb->local_io_capability < SMP_IO_CAP_MAX) {
    if (p_cb->role == HCI_ROLE_MASTER) {
      model = smp_association_table_sc[p_cb->role][p_cb->peer_io_caps]
                                      [p_cb->local_io_capability];
    } else {
      model = smp_association_table_sc[p_cb->role][p_cb->local_io_capability]
                                      [p_cb->peer_io_caps];
    }
  }

  return model;
}

/*******************************************************************************
 * Function         smp_reverse_array
 *
 * Description      This function reverses array bytes
 *
 ******************************************************************************/
void smp_reverse_array(uint8_t* arr, uint8_t len) {
  uint8_t i = 0, tmp;

  SMP_TRACE_DEBUG("smp_reverse_array");

  for (i = 0; i < len / 2; i++) {
    tmp = arr[i];
    arr[i] = arr[len - 1 - i];
    arr[len - 1 - i] = tmp;
  }
}

/*******************************************************************************
 * Function         smp_calculate_random_input
 *
 * Description      This function returns random input value to be used in
 *                  commitment calculation for SC passkey entry association mode
 *                  (if bit["round"] in "random" array == 1 then returns 0x81
 *                   else returns 0x80).
 *
 * Returns          ri value
 *
 ******************************************************************************/
uint8_t smp_calculate_random_input(uint8_t* random, uint8_t round) {
  uint8_t i = round / 8;
  uint8_t j = round % 8;
  uint8_t ri;

  SMP_TRACE_DEBUG("random: 0x%02x, round: %d, i: %d, j: %d", random[i], round,
                  i, j);
  ri = ((random[i] >> j) & 1) | 0x80;
  SMP_TRACE_DEBUG("%s ri=0x%02x", __func__, ri);
  return ri;
}

/*******************************************************************************
 * Function         smp_collect_local_io_capabilities
 *
 * Description      This function puts into IOcap array local device
 *                  IOCapability, OOB data, AuthReq.
 *
 * Returns          void
 *
 ******************************************************************************/
void smp_collect_local_io_capabilities(uint8_t* iocap, tSMP_CB* p_cb) {
  SMP_TRACE_DEBUG("%s", __func__);

  iocap[0] = p_cb->local_io_capability;
  iocap[1] = p_cb->loc_oob_flag;
  iocap[2] = p_cb->loc_auth_req;
}

/*******************************************************************************
 * Function         smp_collect_peer_io_capabilities
 *
 * Description      This function puts into IOcap array peer device
 *                  IOCapability, OOB data, AuthReq.
 *
 * Returns          void
 *
 ******************************************************************************/
void smp_collect_peer_io_capabilities(uint8_t* iocap, tSMP_CB* p_cb) {
  SMP_TRACE_DEBUG("%s", __func__);

  iocap[0] = p_cb->peer_io_caps;
  iocap[1] = p_cb->peer_oob_flag;
  iocap[2] = p_cb->peer_auth_req;
}

/*******************************************************************************
 * Function         smp_collect_local_ble_address
 *
 * Description      Put the the local device LE address into the le_addr array:
 *                  le_addr[0-5] = local BD ADDR,
 *                  le_addr[6] = local le address type (PUBLIC/RANDOM).
 *
 * Returns          void
 *
 ******************************************************************************/
void smp_collect_local_ble_address(uint8_t* le_addr, tSMP_CB* p_cb) {
  tBLE_ADDR_TYPE addr_type = 0;
  RawAddress bda;
  uint8_t* p = le_addr;

  SMP_TRACE_DEBUG("%s", __func__);

  BTM_ReadConnectionAddr(p_cb->pairing_bda, bda, &addr_type);
  BDADDR_TO_STREAM(p, bda);
  UINT8_TO_STREAM(p, addr_type);
}

/*******************************************************************************
 * Function         smp_collect_peer_ble_address
 *
 * Description      Put the peer device LE addr into the le_addr array:
 *                  le_addr[0-5] = peer BD ADDR,
 *                  le_addr[6] = peer le address type (PUBLIC/RANDOM).
 *
 * Returns          void
 *
 ******************************************************************************/
void smp_collect_peer_ble_address(uint8_t* le_addr, tSMP_CB* p_cb) {
  tBLE_ADDR_TYPE addr_type = 0;
  RawAddress bda;
  uint8_t* p = le_addr;

  SMP_TRACE_DEBUG("%s", __func__);

  if (!BTM_ReadRemoteConnectionAddr(p_cb->pairing_bda, bda, &addr_type)) {
    SMP_TRACE_ERROR(
        "can not collect peer le addr information for unknown device");
    return;
  }

  BDADDR_TO_STREAM(p, bda);
  UINT8_TO_STREAM(p, addr_type);
}

/*******************************************************************************
 * Function         smp_check_commitment
 *
 * Description      This function compares peer commitment values:
 *                  - expected (i.e. calculated locally),
 *                  - received from the peer.
 *
 * Returns          true  if the values are the same
 *                  false otherwise
 *
 ******************************************************************************/
bool smp_check_commitment(tSMP_CB* p_cb) {

  SMP_TRACE_DEBUG("%s", __func__);

  Octet16 expected = smp_calculate_peer_commitment(p_cb);
  print128(expected, (const uint8_t*)"calculated peer commitment");
  print128(p_cb->remote_commitment, (const uint8_t*)"received peer commitment");

  if (memcmp(p_cb->remote_commitment.data(), expected.data(), OCTET16_LEN)) {
    SMP_TRACE_WARNING("%s: Commitment check fails", __func__);
    return false;
  }

  SMP_TRACE_DEBUG("%s: Commitment check succeeds", __func__);
  return true;
}

/*******************************************************************************
 *
 * Function         smp_save_secure_connections_long_term_key
 *
 * Description      The function saves SC LTK as BLE key for future use as local
 *                  and/or peer key.
 *
 * Returns          void
 *
 ******************************************************************************/
void smp_save_secure_connections_long_term_key(tSMP_CB* p_cb) {
  tBTM_LE_KEY_VALUE lle_key;
  tBTM_LE_KEY_VALUE ple_key;

  SMP_TRACE_DEBUG("%s-Save LTK as local LTK key", __func__);
  lle_key.lenc_key.ltk = p_cb->ltk;
  lle_key.lenc_key.div = 0;
  lle_key.lenc_key.key_size = p_cb->loc_enc_size;
  lle_key.lenc_key.sec_level = p_cb->sec_level;
  btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC, &lle_key, true);

  SMP_TRACE_DEBUG("%s-Save LTK as peer LTK key", __func__);
  ple_key.penc_key.ediv = 0;
  memset(ple_key.penc_key.rand, 0, BT_OCTET8_LEN);
  ple_key.penc_key.ltk = p_cb->ltk;
  ple_key.penc_key.sec_level = p_cb->sec_level;
  ple_key.penc_key.key_size = p_cb->loc_enc_size;
  btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC, &ple_key, true);
}

/** The function calculates MacKey and LTK and saves them in CB. To calculate
 * MacKey and LTK it calls smp_calc_f5(...). MacKey is used in dhkey
 * calculation, LTK is used to encrypt the link. */
void smp_calculate_f5_mackey_and_long_term_key(tSMP_CB* p_cb) {
  uint8_t a[7];
  uint8_t b[7];
  Octet16 na;
  Octet16 nb;

  SMP_TRACE_DEBUG("%s", __func__);

  if (p_cb->role == HCI_ROLE_MASTER) {
    smp_collect_local_ble_address(a, p_cb);
    smp_collect_peer_ble_address(b, p_cb);
    na = p_cb->rand;
    nb = p_cb->rrand;
  } else {
    smp_collect_local_ble_address(b, p_cb);
    smp_collect_peer_ble_address(a, p_cb);
    na = p_cb->rrand;
    nb = p_cb->rand;
  }

  crypto_toolbox::f5(p_cb->dhkey, na, nb, a, b, &p_cb->mac_key, &p_cb->ltk);

  SMP_TRACE_EVENT("%s is completed", __func__);
}

/*******************************************************************************
 *
 * Function         smp_request_oob_data
 *
 * Description      Requests application to provide OOB data.
 *
 * Returns          true - OOB data has to be provided by application
 *                  false - otherwise (unexpected)
 *
 ******************************************************************************/
bool smp_request_oob_data(tSMP_CB* p_cb) {
  tSMP_OOB_DATA_TYPE req_oob_type = SMP_OOB_INVALID_TYPE;

  SMP_TRACE_DEBUG("%s", __func__);

  if (p_cb->peer_oob_flag == SMP_OOB_PRESENT &&
      p_cb->loc_oob_flag == SMP_OOB_PRESENT) {
    /* both local and peer rcvd data OOB */
    req_oob_type = SMP_OOB_BOTH;
  } else if (p_cb->peer_oob_flag == SMP_OOB_PRESENT) {
    /* peer rcvd OOB local data, local didn't receive OOB peer data */
    req_oob_type = SMP_OOB_LOCAL;
  } else if (p_cb->loc_oob_flag == SMP_OOB_PRESENT) {
    req_oob_type = SMP_OOB_PEER;
  }

  SMP_TRACE_DEBUG("req_oob_type = %d", req_oob_type);

  if (req_oob_type == SMP_OOB_INVALID_TYPE) return false;

  p_cb->req_oob_type = req_oob_type;
  p_cb->cb_evt = SMP_SC_OOB_REQ_EVT;
  tSMP_INT_DATA smp_int_data;
  smp_int_data.req_oob_type = req_oob_type;
  smp_sm_event(p_cb, SMP_TK_REQ_EVT, &smp_int_data);

  return true;
}

void print128(const Octet16& x, const uint8_t* key_name) {
  if (VLOG_IS_ON(2) && DLOG_IS_ON(INFO)) {
    uint8_t* p = (uint8_t*)x.data();

    DVLOG(2) << key_name << " (MSB ~ LSB) = ";
    for (int i = 0; i < 4; i++) {
      DVLOG(2) << +p[OCTET16_LEN - i * 4 - 1] << +p[OCTET16_LEN - i * 4 - 2]
               << +p[OCTET16_LEN - i * 4 - 3] << +p[OCTET16_LEN - i * 4 - 4];
    }
  }
}