1 /******************************************************************************
2 *
3 * Copyright (C) 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * this file contains GATT authentication handling functions
22 *
23 ******************************************************************************/
24 #include "common/bt_target.h"
25 #include "osi/allocator.h"
26
27 #if BLE_INCLUDED == 1
28 #include <string.h>
29
30 #include "gatt_int.h"
31 #include "stack/gatt_api.h"
32 #include "btm_int.h"
33
34 /*******************************************************************************
35 **
36 ** Function gatt_sign_data
37 **
38 ** Description This function sign the data for write command.
39 **
40 ** Returns 1 if encrypted, otherwise 0.
41 **
42 *******************************************************************************/
43 #if (SMP_INCLUDED == 1)
gatt_sign_data(tGATT_CLCB * p_clcb)44 static BOOLEAN gatt_sign_data (tGATT_CLCB *p_clcb)
45 {
46 tGATT_VALUE *p_attr = (tGATT_VALUE *)p_clcb->p_attr_buf;
47 UINT8 *p_data = NULL, *p;
48 UINT16 payload_size = p_clcb->p_tcb->payload_size;
49 BOOLEAN status = 0;
50 UINT8 *p_signature;
51
52 /* do not need to mark channel securoty activity for data signing */
53 gatt_set_sec_act(p_clcb->p_tcb, GATT_SEC_OK);
54
55 p_data = (UINT8 *)osi_malloc((UINT16)(p_attr->len + 3)); /* 3 = 2 byte handle + opcode */
56
57 if (p_data != NULL) {
58 p = p_data;
59 UINT8_TO_STREAM(p, GATT_SIGN_CMD_WRITE);
60 UINT16_TO_STREAM(p, p_attr->handle);
61 ARRAY_TO_STREAM(p, p_attr->value, p_attr->len);
62
63 /* sign data length should be attribulte value length plus 2B handle + 1B op code */
64 if ((payload_size - GATT_AUTH_SIGN_LEN - 3) < p_attr->len) {
65 p_attr->len = payload_size - GATT_AUTH_SIGN_LEN - 3;
66 }
67
68 p_signature = p_attr->value + p_attr->len;
69 if (BTM_BleDataSignature(p_clcb->p_tcb->peer_bda,
70 p_data,
71 (UINT16)(p_attr->len + 3), /* 3 = 2 byte handle + opcode */
72 p_signature)) {
73 p_attr->len += BTM_BLE_AUTH_SIGN_LEN;
74 gatt_set_ch_state(p_clcb->p_tcb, GATT_CH_OPEN);
75 #if (GATTC_INCLUDED == 1)
76 gatt_act_write(p_clcb, GATT_SEC_SIGN_DATA);
77 #endif ///GATTC_INCLUDED == 1
78 } else {
79 gatt_end_operation(p_clcb, GATT_INTERNAL_ERROR, NULL);
80 }
81
82 osi_free(p_data);
83 }
84
85 return status;
86 }
87 #endif ///SMP_INCLUDED == 1
88
89 /*******************************************************************************
90 **
91 ** Function gatt_verify_signature
92 **
93 ** Description This function start to verify the sign data when receiving
94 ** the data from peer device.
95 **
96 ** Returns
97 **
98 *******************************************************************************/
99 #if (SMP_INCLUDED == 1)
gatt_verify_signature(tGATT_TCB * p_tcb,BT_HDR * p_buf)100 void gatt_verify_signature(tGATT_TCB *p_tcb, BT_HDR *p_buf)
101 {
102 UINT16 cmd_len;
103 #if (GATTS_INCLUDED == 1)
104 UINT8 op_code;
105 #endif ///GATTS_INCLUDED == 1
106 UINT8 *p, *p_orig = (UINT8 *)(p_buf + 1) + p_buf->offset;
107 UINT32 counter;
108
109 if (p_buf->len < GATT_AUTH_SIGN_LEN + 4) {
110 GATT_TRACE_ERROR("%s: Data length %u less than expected %u",
111 __func__, p_buf->len, GATT_AUTH_SIGN_LEN + 4);
112 return;
113 }
114 cmd_len = p_buf->len - GATT_AUTH_SIGN_LEN + 4;
115 p = p_orig + cmd_len - 4;
116 STREAM_TO_UINT32(counter, p);
117
118 if (BTM_BleVerifySignature(p_tcb->peer_bda, p_orig, cmd_len, counter, p)) {
119 #if (GATTS_INCLUDED == 1)
120 STREAM_TO_UINT8(op_code, p_orig);
121 gatt_server_handle_client_req (p_tcb, op_code, (UINT16)(p_buf->len - 1), p_orig);
122 #endif ///GATTS_INCLUDED == 1
123 } else {
124 /* if this is a bad signature, assume from attacker, ignore it */
125 GATT_TRACE_ERROR("Signature Verification Failed, data ignored");
126 }
127
128 return;
129 }
130 #endif ///SMP_INCLUDED == 1
131
132 /*******************************************************************************
133 **
134 ** Function gatt_sec_check_complete
135 **
136 ** Description security check complete and proceed to data sending action.
137 **
138 ** Returns void.
139 **
140 *******************************************************************************/
gatt_sec_check_complete(BOOLEAN sec_check_ok,tGATT_CLCB * p_clcb,UINT8 sec_act)141 void gatt_sec_check_complete(BOOLEAN sec_check_ok, tGATT_CLCB *p_clcb, UINT8 sec_act)
142 {
143 if (p_clcb && p_clcb->p_tcb &&
144 fixed_queue_is_empty(p_clcb->p_tcb->pending_enc_clcb)) {
145 gatt_set_sec_act(p_clcb->p_tcb, GATT_SEC_NONE);
146 }
147 #if (GATTC_INCLUDED == 1)
148 if (!sec_check_ok) {
149 gatt_end_operation(p_clcb, GATT_AUTH_FAIL, NULL);
150 } else if (p_clcb->operation == GATTC_OPTYPE_WRITE) {
151 gatt_act_write(p_clcb, sec_act);
152 } else if (p_clcb->operation == GATTC_OPTYPE_READ) {
153 gatt_act_read(p_clcb, p_clcb->counter);
154 }
155 #endif ///GATTC_INCLUDED == 1
156 }
157 /*******************************************************************************
158 **
159 ** Function gatt_enc_cmpl_cback
160 **
161 ** Description link encryption complete callback.
162 **
163 ** Returns
164 **
165 *******************************************************************************/
gatt_enc_cmpl_cback(BD_ADDR bd_addr,tBT_TRANSPORT transport,void * p_ref_data,tBTM_STATUS result)166 void gatt_enc_cmpl_cback(BD_ADDR bd_addr, tBT_TRANSPORT transport, void *p_ref_data, tBTM_STATUS result)
167 {
168 tGATT_TCB *p_tcb;
169 UINT8 sec_flag;
170 BOOLEAN status = 0;
171 UNUSED(p_ref_data);
172
173 GATT_TRACE_DEBUG("gatt_enc_cmpl_cback");
174 if ((p_tcb = gatt_find_tcb_by_addr(bd_addr, transport)) != NULL) {
175 if (gatt_get_sec_act(p_tcb) == GATT_SEC_ENC_PENDING) {
176 return;
177 }
178 tGATT_PENDING_ENC_CLCB *p_buf =
179 (tGATT_PENDING_ENC_CLCB *)fixed_queue_dequeue(p_tcb->pending_enc_clcb, 0);
180 if (p_buf != NULL) {
181 if (result == BTM_SUCCESS) {
182 if (gatt_get_sec_act(p_tcb) == GATT_SEC_ENCRYPT_MITM ) {
183 BTM_GetSecurityFlagsByTransport(bd_addr, &sec_flag, transport);
184
185 if (sec_flag & BTM_SEC_FLAG_LKEY_AUTHED) {
186 status = 1;
187 }
188 } else {
189 status = 1;
190 }
191 }
192 gatt_sec_check_complete(status , p_buf->p_clcb, p_tcb->sec_act);
193 osi_free(p_buf);
194 /* start all other pending operation in queue */
195 for (size_t count = fixed_queue_length(p_tcb->pending_enc_clcb);
196 count > 0; count--) {
197 p_buf = (tGATT_PENDING_ENC_CLCB *)fixed_queue_dequeue(p_tcb->pending_enc_clcb, 0);
198 if (p_buf != NULL) {
199 gatt_security_check_start(p_buf->p_clcb);
200 osi_free(p_buf);
201 } else {
202 break;
203 }
204 }
205 } else {
206 GATT_TRACE_ERROR("Unknown operation encryption completed");
207 }
208 } else {
209 GATT_TRACE_ERROR("enc callback for unknown bd_addr");
210 }
211 }
212
213 /*******************************************************************************
214 **
215 ** Function gatt_notify_enc_cmpl
216 **
217 ** Description link encryption complete notification for all encryption process
218 ** initiated outside GATT.
219 **
220 ** Returns
221 **
222 *******************************************************************************/
gatt_notify_enc_cmpl(BD_ADDR bd_addr)223 void gatt_notify_enc_cmpl(BD_ADDR bd_addr)
224 {
225 tGATT_TCB *p_tcb;
226 UINT8 i = 0;
227
228 if ((p_tcb = gatt_find_tcb_by_addr(bd_addr, BT_TRANSPORT_LE)) != NULL) {
229 for (i = 0; i < GATT_MAX_APPS; i++) {
230 if (gatt_cb.cl_rcb[i].in_use && gatt_cb.cl_rcb[i].app_cb.p_enc_cmpl_cb) {
231 (*gatt_cb.cl_rcb[i].app_cb.p_enc_cmpl_cb)(gatt_cb.cl_rcb[i].gatt_if, bd_addr);
232 }
233 }
234
235 if (gatt_get_sec_act(p_tcb) == GATT_SEC_ENC_PENDING) {
236 gatt_set_sec_act(p_tcb, GATT_SEC_NONE);
237
238 size_t count = fixed_queue_length(p_tcb->pending_enc_clcb);
239 for (; count > 0; count--) {
240 tGATT_PENDING_ENC_CLCB *p_buf =
241 (tGATT_PENDING_ENC_CLCB *)fixed_queue_dequeue(p_tcb->pending_enc_clcb, 0);
242 if (p_buf != NULL) {
243 gatt_security_check_start(p_buf->p_clcb);
244 osi_free(p_buf);
245 } else {
246 break;
247 }
248 }
249 }
250 } else {
251 GATT_TRACE_DEBUG("notify GATT for encryption completion of unknown device");
252 }
253 return;
254 }
255 /*******************************************************************************
256 **
257 ** Function gatt_set_sec_act
258 **
259 ** Description This function set the sec_act in clcb
260 **
261 ** Returns none
262 **
263 *******************************************************************************/
gatt_set_sec_act(tGATT_TCB * p_tcb,tGATT_SEC_ACTION sec_act)264 void gatt_set_sec_act(tGATT_TCB *p_tcb, tGATT_SEC_ACTION sec_act)
265 {
266 if (p_tcb) {
267 p_tcb->sec_act = sec_act;
268 }
269 }
270 /*******************************************************************************
271 **
272 ** Function gatt_get_sec_act
273 **
274 ** Description This function get the sec_act in clcb
275 **
276 ** Returns none
277 **
278 *******************************************************************************/
gatt_get_sec_act(tGATT_TCB * p_tcb)279 tGATT_SEC_ACTION gatt_get_sec_act(tGATT_TCB *p_tcb)
280 {
281 tGATT_SEC_ACTION sec_act = GATT_SEC_NONE;
282 if (p_tcb) {
283 sec_act = p_tcb->sec_act;
284 }
285 return sec_act;
286 }
287 /*******************************************************************************
288 **
289 ** Function gatt_determine_sec_act
290 **
291 ** Description This routine determine the security action based on auth_request and
292 ** current link status
293 **
294 ** Returns tGATT_SEC_ACTION security action
295 **
296 *******************************************************************************/
gatt_determine_sec_act(tGATT_CLCB * p_clcb)297 tGATT_SEC_ACTION gatt_determine_sec_act(tGATT_CLCB *p_clcb )
298 {
299 tGATT_SEC_ACTION act = GATT_SEC_OK;
300 UINT8 sec_flag;
301 tGATT_TCB *p_tcb = p_clcb->p_tcb;
302 tGATT_AUTH_REQ auth_req = p_clcb->auth_req;
303 BOOLEAN is_link_encrypted = 0;
304 BOOLEAN is_link_key_known = 0;
305 BOOLEAN is_key_mitm = 0;
306 #if (SMP_INCLUDED == 1)
307 UINT8 key_type;
308 tBTM_BLE_SEC_REQ_ACT sec_act = BTM_LE_SEC_NONE;
309 #endif ///SMP_INCLUDED == 1
310 if (auth_req == GATT_AUTH_REQ_NONE ) {
311 return act;
312 }
313
314 BTM_GetSecurityFlagsByTransport(p_tcb->peer_bda, &sec_flag, p_clcb->p_tcb->transport);
315 #if (SMP_INCLUDED == 1)
316 btm_ble_link_sec_check(p_tcb->peer_bda, auth_req, &sec_act);
317 #endif ///SMP_INCLUDED == 1
318 /* if a encryption is pending, need to wait */
319 if (
320 #if (SMP_INCLUDED == 1)
321 sec_act == BTM_BLE_SEC_REQ_ACT_DISCARD &&
322 #endif ///SMP_INCLUDED == 1
323 auth_req != GATT_AUTH_REQ_NONE) {
324 return GATT_SEC_ENC_PENDING;
325 }
326
327 if (sec_flag & (BTM_SEC_FLAG_ENCRYPTED | BTM_SEC_FLAG_LKEY_KNOWN)) {
328 if (sec_flag & BTM_SEC_FLAG_ENCRYPTED) {
329 is_link_encrypted = 1;
330 }
331
332 is_link_key_known = 1;
333
334 if (sec_flag & BTM_SEC_FLAG_LKEY_AUTHED) {
335 is_key_mitm = 1;
336 }
337 }
338
339 /* first check link key upgrade required or not */
340 switch (auth_req) {
341 case GATT_AUTH_REQ_MITM:
342 case GATT_AUTH_REQ_SIGNED_MITM:
343 if (!is_key_mitm) {
344 act = GATT_SEC_ENCRYPT_MITM;
345 }
346 break;
347
348 case GATT_AUTH_REQ_NO_MITM:
349 case GATT_AUTH_REQ_SIGNED_NO_MITM:
350 if (!is_link_key_known) {
351 act = GATT_SEC_ENCRYPT_NO_MITM;
352 }
353 break;
354 default:
355 break;
356 }
357
358 /* now check link needs to be encrypted or not if the link key upgrade is not required */
359 if (act == GATT_SEC_OK) {
360 if (p_tcb->transport == BT_TRANSPORT_LE &&
361 (p_clcb->operation == GATTC_OPTYPE_WRITE) &&
362 (p_clcb->op_subtype == GATT_WRITE_NO_RSP)) {
363 /* this is a write command request
364 check data signing required or not */
365 if (!is_link_encrypted) {
366 #if (SMP_INCLUDED == 1)
367 btm_ble_get_enc_key_type(p_tcb->peer_bda, &key_type);
368 #endif ///SMP_INCLUDED == 1
369 if (
370 #if (SMP_INCLUDED == 1)
371 (key_type & BTM_LE_KEY_LCSRK) &&
372 #endif ///SMP_INCLUDED == 1
373 ((auth_req == GATT_AUTH_REQ_SIGNED_NO_MITM) ||
374 (auth_req == GATT_AUTH_REQ_SIGNED_MITM))) {
375 act = GATT_SEC_SIGN_DATA;
376 } else {
377 act = GATT_SEC_ENCRYPT;
378 }
379 }
380 } else {
381 if (!is_link_encrypted) {
382 act = GATT_SEC_ENCRYPT;
383 }
384 }
385
386 }
387
388 return act ;
389
390 }
391
392
393
394 /*******************************************************************************
395 **
396 ** Function gatt_get_link_encrypt_status
397 **
398 ** Description This routine get the encryption status of the specified link
399 **
400 **
401 ** Returns tGATT_STATUS link encryption status
402 **
403 *******************************************************************************/
gatt_get_link_encrypt_status(tGATT_TCB * p_tcb)404 tGATT_STATUS gatt_get_link_encrypt_status(tGATT_TCB *p_tcb)
405 {
406 tGATT_STATUS encrypt_status = GATT_NOT_ENCRYPTED;
407 UINT8 sec_flag = 0;
408
409 BTM_GetSecurityFlagsByTransport(p_tcb->peer_bda, &sec_flag, p_tcb->transport);
410
411 if ((sec_flag & BTM_SEC_FLAG_ENCRYPTED) && (sec_flag & BTM_SEC_FLAG_LKEY_KNOWN)) {
412 encrypt_status = GATT_ENCRYPED_NO_MITM;
413 if (sec_flag & BTM_SEC_FLAG_LKEY_AUTHED) {
414 encrypt_status = GATT_ENCRYPED_MITM;
415 }
416 }
417
418 GATT_TRACE_DEBUG("gatt_get_link_encrypt_status status=0x%x", encrypt_status);
419 return encrypt_status ;
420 }
421
422
423 /*******************************************************************************
424 **
425 ** Function gatt_convert_sec_action
426 **
427 ** Description Convert GATT security action enum into equivalent BTM BLE security action enum
428 **
429 ** Returns BOOLEAN 1 - conversation is successful
430 **
431 *******************************************************************************/
gatt_convert_sec_action(tGATT_SEC_ACTION gatt_sec_act,tBTM_BLE_SEC_ACT * p_btm_sec_act)432 static BOOLEAN gatt_convert_sec_action(tGATT_SEC_ACTION gatt_sec_act, tBTM_BLE_SEC_ACT *p_btm_sec_act )
433 {
434 BOOLEAN status = 1;
435 switch (gatt_sec_act) {
436 case GATT_SEC_ENCRYPT:
437 *p_btm_sec_act = BTM_BLE_SEC_ENCRYPT;
438 break;
439 case GATT_SEC_ENCRYPT_NO_MITM:
440 *p_btm_sec_act = BTM_BLE_SEC_ENCRYPT_NO_MITM;
441 break;
442 case GATT_SEC_ENCRYPT_MITM:
443 *p_btm_sec_act = BTM_BLE_SEC_ENCRYPT_MITM;
444 break;
445 default:
446 status = 0;
447 break;
448 }
449
450 return status;
451 }
452 /*******************************************************************************
453 **
454 ** Function gatt_check_enc_req
455 **
456 ** Description check link security.
457 **
458 ** Returns 1 if encrypted, otherwise 0.
459 **
460 *******************************************************************************/
gatt_security_check_start(tGATT_CLCB * p_clcb)461 BOOLEAN gatt_security_check_start(tGATT_CLCB *p_clcb)
462 {
463 tGATT_TCB *p_tcb = p_clcb->p_tcb;
464 tGATT_SEC_ACTION gatt_sec_act;
465 tBTM_BLE_SEC_ACT btm_ble_sec_act;
466 BOOLEAN status = 1;
467 #if (SMP_INCLUDED == 1)
468 tBTM_STATUS btm_status;
469 #endif ///SMP_INCLUDED == 1
470 tGATT_SEC_ACTION sec_act_old = gatt_get_sec_act(p_tcb);
471
472 gatt_sec_act = gatt_determine_sec_act(p_clcb);
473
474 if (sec_act_old == GATT_SEC_NONE) {
475 gatt_set_sec_act(p_tcb, gatt_sec_act);
476 }
477
478 switch (gatt_sec_act ) {
479 case GATT_SEC_SIGN_DATA:
480 #if (SMP_INCLUDED == 1)
481 GATT_TRACE_DEBUG("gatt_security_check_start: Do data signing");
482 gatt_sign_data(p_clcb);
483 #endif ///SMP_INCLUDED == 1
484 break;
485 case GATT_SEC_ENCRYPT:
486 case GATT_SEC_ENCRYPT_NO_MITM:
487 case GATT_SEC_ENCRYPT_MITM:
488 if (sec_act_old < GATT_SEC_ENCRYPT) {
489 GATT_TRACE_DEBUG("gatt_security_check_start: Encrypt now or key upgreade first");
490 gatt_convert_sec_action(gatt_sec_act, &btm_ble_sec_act);
491 #if (SMP_INCLUDED == 1)
492 btm_status = BTM_SetEncryption(p_tcb->peer_bda, p_tcb->transport , gatt_enc_cmpl_cback, &btm_ble_sec_act);
493 if ( (btm_status != BTM_SUCCESS) && (btm_status != BTM_CMD_STARTED)) {
494 GATT_TRACE_ERROR("gatt_security_check_start BTM_SetEncryption failed btm_status=%d", btm_status);
495 status = 0;
496 }
497 #endif ///SMP_INCLUDED == 1
498 }
499 if (status) {
500 gatt_add_pending_enc_channel_clcb (p_tcb, p_clcb);
501 }
502 break;
503 case GATT_SEC_ENC_PENDING:
504 gatt_add_pending_enc_channel_clcb (p_tcb, p_clcb);
505 /* wait for link encrypotion to finish */
506 break;
507 default:
508 gatt_sec_check_complete(1, p_clcb, gatt_sec_act);
509 break;
510 }
511
512 if (status == 0) {
513 gatt_set_sec_act(p_tcb, GATT_SEC_NONE);
514 gatt_set_ch_state(p_tcb, GATT_CH_OPEN);
515 }
516
517 return status;
518 }
519
520
521 #endif /* BLE_INCLUDED */
522