• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /******************************************************************************
2  *
3  *  Copyright 2003-2014 Broadcom Corporation
4  *
5  *  Licensed under the Apache License, Version 2.0 (the "License");
6  *  you may not use this file except in compliance with the License.
7  *  You may obtain a copy of the License at:
8  *
9  *  http://www.apache.org/licenses/LICENSE-2.0
10  *
11  *  Unless required by applicable law or agreed to in writing, software
12  *  distributed under the License is distributed on an "AS IS" BASIS,
13  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  *  See the License for the specific language governing permissions and
15  *  limitations under the License.
16  *
17  ******************************************************************************/
18 
19 /******************************************************************************
20  *
21  *  This file contains the action functions for device manager state
22  *  machine.
23  *
24  ******************************************************************************/
25 
26 #define LOG_TAG "bt_bta_dm"
27 
28 #include <base/bind.h>
29 #include <base/callback.h>
30 #include <base/logging.h>
31 #include <string.h>
32 
33 #include "bt_common.h"
34 #include "bt_target.h"
35 #include "bt_types.h"
36 #include "bta_api.h"
37 #include "bta_dm_api.h"
38 #include "bta_dm_co.h"
39 #include "bta_dm_int.h"
40 #include "bta_sys.h"
41 #include "btif_storage.h"
42 #include "btm_api.h"
43 #include "btm_int.h"
44 #include "btu.h"
45 #include "gap_api.h" /* For GAP_BleReadPeerPrefConnParams */
46 #include "l2c_api.h"
47 #include "osi/include/log.h"
48 #include "osi/include/osi.h"
49 #include "sdp_api.h"
50 #include "stack/gatt/connection_manager.h"
51 #include "stack/include/gatt_api.h"
52 #include "utl.h"
53 
54 #if (GAP_INCLUDED == TRUE)
55 #include "gap_api.h"
56 #endif
57 
58 using bluetooth::Uuid;
59 
60 static void bta_dm_inq_results_cb(tBTM_INQ_RESULTS* p_inq, uint8_t* p_eir,
61                                   uint16_t eir_len);
62 static void bta_dm_inq_cmpl_cb(void* p_result);
63 static void bta_dm_service_search_remname_cback(const RawAddress& bd_addr,
64                                                 DEV_CLASS dc, BD_NAME bd_name);
65 static void bta_dm_remname_cback(void* p);
66 static void bta_dm_find_services(const RawAddress& bd_addr);
67 static void bta_dm_discover_next_device(void);
68 static void bta_dm_sdp_callback(uint16_t sdp_status);
69 static uint8_t bta_dm_authorize_cback(const RawAddress& bd_addr,
70                                       DEV_CLASS dev_class, BD_NAME bd_name,
71                                       uint8_t* service_name, uint8_t service_id,
72                                       bool is_originator);
73 static uint8_t bta_dm_pin_cback(const RawAddress& bd_addr, DEV_CLASS dev_class,
74                                 BD_NAME bd_name, bool min_16_digit);
75 static uint8_t bta_dm_new_link_key_cback(const RawAddress& bd_addr,
76                                          DEV_CLASS dev_class, BD_NAME bd_name,
77                                          const LinkKey& key, uint8_t key_type);
78 static uint8_t bta_dm_authentication_complete_cback(const RawAddress& bd_addr,
79                                                     DEV_CLASS dev_class,
80                                                     BD_NAME bd_name,
81                                                     int result);
82 static void bta_dm_local_name_cback(void* p_name);
83 static bool bta_dm_check_av(uint16_t event);
84 static void bta_dm_bl_change_cback(tBTM_BL_EVENT_DATA* p_data);
85 
86 static void bta_dm_policy_cback(tBTA_SYS_CONN_STATUS status, uint8_t id,
87                                 uint8_t app_id, const RawAddress& peer_addr);
88 
89 /* Extended Inquiry Response */
90 static uint8_t bta_dm_sp_cback(tBTM_SP_EVT event, tBTM_SP_EVT_DATA* p_data);
91 
92 static void bta_dm_set_eir(char* local_name);
93 
94 static void bta_dm_eir_search_services(tBTM_INQ_RESULTS* p_result,
95                                        tBTA_SERVICE_MASK* p_services_to_search,
96                                        tBTA_SERVICE_MASK* p_services_found);
97 
98 static void bta_dm_search_timer_cback(void* data);
99 static void bta_dm_disable_conn_down_timer_cback(void* data);
100 static void bta_dm_rm_cback(tBTA_SYS_CONN_STATUS status, uint8_t id,
101                             uint8_t app_id, const RawAddress& peer_addr);
102 static void bta_dm_adjust_roles(bool delay_role_switch);
103 static char* bta_dm_get_remname(void);
104 static void bta_dm_bond_cancel_complete_cback(tBTM_STATUS result);
105 
106 static bool bta_dm_read_remote_device_name(const RawAddress& bd_addr,
107                                            tBT_TRANSPORT transport);
108 static void bta_dm_discover_device(const RawAddress& remote_bd_addr);
109 
110 static void bta_dm_sys_hw_cback(tBTA_SYS_HW_EVT status);
111 static void bta_dm_disable_search_and_disc(void);
112 
113 static uint8_t bta_dm_ble_smp_cback(tBTM_LE_EVT event, const RawAddress& bda,
114                                     tBTM_LE_EVT_DATA* p_data);
115 static void bta_dm_ble_id_key_cback(uint8_t key_type,
116                                     tBTM_BLE_LOCAL_KEYS* p_key);
117 static void bta_dm_gattc_register(void);
118 static void btm_dm_start_gatt_discovery(const RawAddress& bd_addr);
119 static void bta_dm_cancel_gatt_discovery(const RawAddress& bd_addr);
120 static void bta_dm_gattc_callback(tBTA_GATTC_EVT event, tBTA_GATTC* p_data);
121 extern tBTA_DM_CONTRL_STATE bta_dm_pm_obtain_controller_state(void);
122 
123 #if (BLE_VND_INCLUDED == TRUE)
124 static void bta_dm_ctrl_features_rd_cmpl_cback(tBTM_STATUS result);
125 #endif
126 
127 #ifndef BTA_DM_BLE_ADV_CHNL_MAP
128 #define BTA_DM_BLE_ADV_CHNL_MAP \
129   (BTM_BLE_ADV_CHNL_37 | BTM_BLE_ADV_CHNL_38 | BTM_BLE_ADV_CHNL_39)
130 #endif
131 
132 /* Disable timer interval (in milliseconds) */
133 #ifndef BTA_DM_DISABLE_TIMER_MS
134 #define BTA_DM_DISABLE_TIMER_MS 5000
135 #endif
136 
137 /* Disable timer retrial interval (in milliseconds) */
138 #ifndef BTA_DM_DISABLE_TIMER_RETRIAL_MS
139 #define BTA_DM_DISABLE_TIMER_RETRIAL_MS 1500
140 #endif
141 
142 /* Disable connection down timer (in milliseconds) */
143 #ifndef BTA_DM_DISABLE_CONN_DOWN_TIMER_MS
144 #define BTA_DM_DISABLE_CONN_DOWN_TIMER_MS 1000
145 #endif
146 
147 /* Switch delay timer (in milliseconds) */
148 #ifndef BTA_DM_SWITCH_DELAY_TIMER_MS
149 #define BTA_DM_SWITCH_DELAY_TIMER_MS 500
150 #endif
151 
152 static void bta_dm_reset_sec_dev_pending(const RawAddress& remote_bd_addr);
153 static void bta_dm_remove_sec_dev_entry(const RawAddress& remote_bd_addr);
154 static void bta_dm_observe_results_cb(tBTM_INQ_RESULTS* p_inq, uint8_t* p_eir,
155                                       uint16_t eir_len);
156 static void bta_dm_observe_cmpl_cb(void* p_result);
157 static void bta_dm_delay_role_switch_cback(void* data);
158 static void bta_dm_disable_timer_cback(void* data);
159 
160 const uint16_t bta_service_id_to_uuid_lkup_tbl[BTA_MAX_SERVICE_ID] = {
161     UUID_SERVCLASS_PNP_INFORMATION,       /* Reserved */
162     UUID_SERVCLASS_SERIAL_PORT,           /* BTA_SPP_SERVICE_ID */
163     UUID_SERVCLASS_DIALUP_NETWORKING,     /* BTA_DUN_SERVICE_ID */
164     UUID_SERVCLASS_AUDIO_SOURCE,          /* BTA_A2DP_SOURCE_SERVICE_ID */
165     UUID_SERVCLASS_LAN_ACCESS_USING_PPP,  /* BTA_LAP_SERVICE_ID */
166     UUID_SERVCLASS_HEADSET,               /* BTA_HSP_HS_SERVICE_ID */
167     UUID_SERVCLASS_HF_HANDSFREE,          /* BTA_HFP_HS_SERVICE_ID */
168     UUID_SERVCLASS_OBEX_OBJECT_PUSH,      /* BTA_OPP_SERVICE_ID */
169     UUID_SERVCLASS_OBEX_FILE_TRANSFER,    /* BTA_FTP_SERVICE_ID */
170     UUID_SERVCLASS_CORDLESS_TELEPHONY,    /* BTA_CTP_SERVICE_ID */
171     UUID_SERVCLASS_INTERCOM,              /* BTA_ICP_SERVICE_ID */
172     UUID_SERVCLASS_IRMC_SYNC,             /* BTA_SYNC_SERVICE_ID */
173     UUID_SERVCLASS_DIRECT_PRINTING,       /* BTA_BPP_SERVICE_ID */
174     UUID_SERVCLASS_IMAGING_RESPONDER,     /* BTA_BIP_SERVICE_ID */
175     UUID_SERVCLASS_PANU,                  /* BTA_PANU_SERVICE_ID */
176     UUID_SERVCLASS_NAP,                   /* BTA_NAP_SERVICE_ID */
177     UUID_SERVCLASS_GN,                    /* BTA_GN_SERVICE_ID */
178     UUID_SERVCLASS_SAP,                   /* BTA_SAP_SERVICE_ID */
179     UUID_SERVCLASS_AUDIO_SINK,            /* BTA_A2DP_SERVICE_ID */
180     UUID_SERVCLASS_AV_REMOTE_CONTROL,     /* BTA_AVRCP_SERVICE_ID */
181     UUID_SERVCLASS_HUMAN_INTERFACE,       /* BTA_HID_SERVICE_ID */
182     UUID_SERVCLASS_VIDEO_SINK,            /* BTA_VDP_SERVICE_ID */
183     UUID_SERVCLASS_PBAP_PSE,              /* BTA_PBAP_SERVICE_ID */
184     UUID_SERVCLASS_HEADSET_AUDIO_GATEWAY, /* BTA_HSP_SERVICE_ID */
185     UUID_SERVCLASS_AG_HANDSFREE,          /* BTA_HFP_SERVICE_ID */
186     UUID_SERVCLASS_MESSAGE_ACCESS,        /* BTA_MAP_SERVICE_ID */
187     UUID_SERVCLASS_MESSAGE_NOTIFICATION,  /* BTA_MN_SERVICE_ID */
188     UUID_SERVCLASS_HDP_PROFILE,           /* BTA_HDP_SERVICE_ID */
189     UUID_SERVCLASS_PBAP_PCE,              /* BTA_PCE_SERVICE_ID */
190     UUID_PROTOCOL_ATT                     /* BTA_GATT_SERVICE_ID */
191 };
192 
193 /*
194  * NOTE : The number of element in bta_service_id_to_btm_srv_id_lkup_tbl should
195  * be matching with the value BTA_MAX_SERVICE_ID in bta_api.h
196  *
197  * i.e., If you add new Service ID for BTA, the correct security ID of the new
198  * service from Security service definitions (btm_api.h) should be added to
199  * this lookup table.
200  */
201 const uint32_t bta_service_id_to_btm_srv_id_lkup_tbl[BTA_MAX_SERVICE_ID] = {
202     0,                             /* Reserved */
203     BTM_SEC_SERVICE_SERIAL_PORT,   /* BTA_SPP_SERVICE_ID */
204     BTM_SEC_SERVICE_DUN,           /* BTA_DUN_SERVICE_ID */
205     BTM_SEC_SERVICE_AVDTP,         /* BTA_AUDIO_SOURCE_SERVICE_ID */
206     BTM_SEC_SERVICE_LAN_ACCESS,    /* BTA_LAP_SERVICE_ID */
207     BTM_SEC_SERVICE_HEADSET_AG,    /* BTA_HSP_SERVICE_ID */
208     BTM_SEC_SERVICE_AG_HANDSFREE,  /* BTA_HFP_SERVICE_ID */
209     BTM_SEC_SERVICE_OBEX,          /* BTA_OPP_SERVICE_ID */
210     BTM_SEC_SERVICE_OBEX_FTP,      /* BTA_FTP_SERVICE_ID */
211     BTM_SEC_SERVICE_CORDLESS,      /* BTA_CTP_SERVICE_ID */
212     BTM_SEC_SERVICE_INTERCOM,      /* BTA_ICP_SERVICE_ID */
213     BTM_SEC_SERVICE_IRMC_SYNC,     /* BTA_SYNC_SERVICE_ID */
214     BTM_SEC_SERVICE_BPP_JOB,       /* BTA_BPP_SERVICE_ID */
215     BTM_SEC_SERVICE_BIP,           /* BTA_BIP_SERVICE_ID */
216     BTM_SEC_SERVICE_BNEP_PANU,     /* BTA_PANU_SERVICE_ID */
217     BTM_SEC_SERVICE_BNEP_NAP,      /* BTA_NAP_SERVICE_ID */
218     BTM_SEC_SERVICE_BNEP_GN,       /* BTA_GN_SERVICE_ID */
219     BTM_SEC_SERVICE_SAP,           /* BTA_SAP_SERVICE_ID */
220     BTM_SEC_SERVICE_AVDTP,         /* BTA_A2DP_SERVICE_ID */
221     BTM_SEC_SERVICE_AVCTP,         /* BTA_AVRCP_SERVICE_ID */
222     BTM_SEC_SERVICE_HIDH_SEC_CTRL, /* BTA_HID_SERVICE_ID */
223     BTM_SEC_SERVICE_AVDTP,         /* BTA_VDP_SERVICE_ID */
224     BTM_SEC_SERVICE_PBAP,          /* BTA_PBAP_SERVICE_ID */
225     BTM_SEC_SERVICE_HEADSET,       /* BTA_HSP_HS_SERVICE_ID */
226     BTM_SEC_SERVICE_HF_HANDSFREE,  /* BTA_HFP_HS_SERVICE_ID */
227     BTM_SEC_SERVICE_MAP,           /* BTA_MAP_SERVICE_ID */
228     BTM_SEC_SERVICE_MAP,           /* BTA_MN_SERVICE_ID */
229     BTM_SEC_SERVICE_HDP_SNK,       /* BTA_HDP_SERVICE_ID */
230     BTM_SEC_SERVICE_PBAP,          /* BTA_PCE_SERVICE_ID */
231     BTM_SEC_SERVICE_ATT            /* BTA_GATT_SERVICE_ID */
232 };
233 
234 /* bta security callback */
235 const tBTM_APPL_INFO bta_security = {&bta_dm_authorize_cback,
236                                      &bta_dm_pin_cback,
237                                      &bta_dm_new_link_key_cback,
238                                      &bta_dm_authentication_complete_cback,
239                                      &bta_dm_bond_cancel_complete_cback,
240                                      &bta_dm_sp_cback,
241                                      &bta_dm_ble_smp_cback,
242                                      &bta_dm_ble_id_key_cback};
243 
244 #define MAX_DISC_RAW_DATA_BUF (4096)
245 uint8_t g_disc_raw_data_buf[MAX_DISC_RAW_DATA_BUF];
246 
247 extern DEV_CLASS local_device_default_class;
248 
249 // Stores the local Input/Output Capabilities of the Bluetooth device.
250 static uint8_t btm_local_io_caps;
251 
252 /** Initialises the BT device manager */
bta_dm_enable(tBTA_DM_SEC_CBACK * p_sec_cback)253 void bta_dm_enable(tBTA_DM_SEC_CBACK* p_sec_cback) {
254   /* if already in use, return an error */
255   if (bta_dm_cb.is_bta_dm_active) {
256     tBTA_DM_SEC enable_event;
257     APPL_TRACE_WARNING("%s Device already started by another application",
258                        __func__);
259     memset(&enable_event, 0, sizeof(tBTA_DM_SEC));
260     enable_event.enable.status = BTA_FAILURE;
261     if (p_sec_cback != NULL) p_sec_cback(BTA_DM_ENABLE_EVT, &enable_event);
262     return;
263   }
264 
265   /* first, register our callback to SYS HW manager */
266   bta_sys_hw_register(BTA_SYS_HW_BLUETOOTH, bta_dm_sys_hw_cback);
267 
268   /* make sure security callback is saved - if no callback, do not erase the
269   previous one,
270   it could be an error recovery mechanism */
271   if (p_sec_cback != NULL) bta_dm_cb.p_sec_cback = p_sec_cback;
272   /* notify BTA DM is now active */
273   bta_dm_cb.is_bta_dm_active = true;
274 
275   /* send a message to BTA SYS */
276   tBTA_SYS_HW_MSG* sys_enable_event =
277       (tBTA_SYS_HW_MSG*)osi_malloc(sizeof(tBTA_SYS_HW_MSG));
278   sys_enable_event->hdr.event = BTA_SYS_API_ENABLE_EVT;
279   sys_enable_event->hw_module = BTA_SYS_HW_BLUETOOTH;
280 
281   bta_sys_sendmsg(sys_enable_event);
282 
283   btm_local_io_caps = btif_storage_get_local_io_caps();
284 }
285 
286 /*******************************************************************************
287  *
288  * Function         bta_dm_init_cb
289  *
290  * Description      Initializes the bta_dm_cb control block
291  *
292  *
293  * Returns          void
294  *
295  ******************************************************************************/
bta_dm_init_cb(void)296 void bta_dm_init_cb(void) {
297   memset(&bta_dm_cb, 0, sizeof(bta_dm_cb));
298   bta_dm_cb.disable_timer = alarm_new("bta_dm.disable_timer");
299   bta_dm_cb.switch_delay_timer = alarm_new("bta_dm.switch_delay_timer");
300   for (size_t i = 0; i < BTA_DM_NUM_PM_TIMER; i++) {
301     for (size_t j = 0; j < BTA_DM_PM_MODE_TIMER_MAX; j++) {
302       bta_dm_cb.pm_timer[i].timer[j] = alarm_new("bta_dm.pm_timer");
303     }
304   }
305 }
306 
307 /*******************************************************************************
308  *
309  * Function         bta_dm_deinit_cb
310  *
311  * Description      De-initializes the bta_dm_cb control block
312  *
313  *
314  * Returns          void
315  *
316  ******************************************************************************/
bta_dm_deinit_cb(void)317 void bta_dm_deinit_cb(void) {
318   /*
319    * TODO: Should alarm_free() the bta_dm_cb timers during graceful
320    * shutdown.
321    */
322   alarm_free(bta_dm_cb.disable_timer);
323   alarm_free(bta_dm_cb.switch_delay_timer);
324   for (size_t i = 0; i < BTA_DM_NUM_PM_TIMER; i++) {
325     for (size_t j = 0; j < BTA_DM_PM_MODE_TIMER_MAX; j++) {
326       alarm_free(bta_dm_cb.pm_timer[i].timer[j]);
327     }
328   }
329   memset(&bta_dm_cb, 0, sizeof(bta_dm_cb));
330 }
331 
332 /*******************************************************************************
333  *
334  * Function         bta_dm_sys_hw_cback
335  *
336  * Description     callback register to SYS to get HW status updates
337  *
338  *
339  * Returns          void
340  *
341  ******************************************************************************/
bta_dm_sys_hw_cback(tBTA_SYS_HW_EVT status)342 static void bta_dm_sys_hw_cback(tBTA_SYS_HW_EVT status) {
343   DEV_CLASS dev_class;
344   tBTA_DM_SEC_CBACK* temp_cback;
345   uint8_t key_mask = 0;
346   tBTA_BLE_LOCAL_ID_KEYS id_key;
347 
348   APPL_TRACE_DEBUG("%s with event: %i", __func__, status);
349 
350   /* On H/W error evt, report to the registered DM application callback */
351   if (status == BTA_SYS_HW_ERROR_EVT) {
352     if (bta_dm_cb.p_sec_cback != NULL)
353       bta_dm_cb.p_sec_cback(BTA_DM_HW_ERROR_EVT, NULL);
354     return;
355   }
356 
357   if (status == BTA_SYS_HW_OFF_EVT) {
358     if (bta_dm_cb.p_sec_cback != NULL)
359       bta_dm_cb.p_sec_cback(BTA_DM_DISABLE_EVT, NULL);
360 
361     /* reinitialize the control block */
362     bta_dm_deinit_cb();
363 
364     /* hw is ready, go on with BTA DM initialization */
365     alarm_free(bta_dm_search_cb.search_timer);
366     alarm_free(bta_dm_search_cb.gatt_close_timer);
367     memset(&bta_dm_search_cb, 0, sizeof(bta_dm_search_cb));
368 
369     /* unregister from SYS */
370     bta_sys_hw_unregister(BTA_SYS_HW_BLUETOOTH);
371     /* notify BTA DM is now unactive */
372     bta_dm_cb.is_bta_dm_active = false;
373   } else if (status == BTA_SYS_HW_ON_EVT) {
374     /* FIXME: We should not unregister as the SYS shall invoke this callback on
375      * a H/W error.
376      * We need to revisit when this platform has more than one BLuetooth H/W
377      * chip
378      */
379     // bta_sys_hw_unregister( BTA_SYS_HW_BLUETOOTH);
380 
381     /* save security callback */
382     temp_cback = bta_dm_cb.p_sec_cback;
383     /* make sure the control block is properly initialized */
384     bta_dm_init_cb();
385     /* and retrieve the callback */
386     bta_dm_cb.p_sec_cback = temp_cback;
387     bta_dm_cb.is_bta_dm_active = true;
388 
389     /* hw is ready, go on with BTA DM initialization */
390     alarm_free(bta_dm_search_cb.search_timer);
391     alarm_free(bta_dm_search_cb.gatt_close_timer);
392     memset(&bta_dm_search_cb, 0, sizeof(bta_dm_search_cb));
393     /*
394      * TODO: Should alarm_free() the bta_dm_search_cb timers during
395      * graceful shutdown.
396      */
397     bta_dm_search_cb.search_timer = alarm_new("bta_dm_search.search_timer");
398     bta_dm_search_cb.gatt_close_timer =
399         alarm_new("bta_dm_search.gatt_close_timer");
400 
401     memset(&bta_dm_conn_srvcs, 0, sizeof(bta_dm_conn_srvcs));
402     memset(&bta_dm_di_cb, 0, sizeof(tBTA_DM_DI_CB));
403 
404     memcpy(dev_class, p_bta_dm_cfg->dev_class, sizeof(dev_class));
405     BTM_SetDeviceClass(dev_class);
406 
407     /* load BLE local information: ID keys, ER if available */
408     Octet16 er;
409     bta_dm_co_ble_load_local_keys(&key_mask, &er, &id_key);
410 
411     if (key_mask & BTA_BLE_LOCAL_KEY_TYPE_ER) {
412       BTM_BleLoadLocalKeys(BTA_BLE_LOCAL_KEY_TYPE_ER,
413                            (tBTM_BLE_LOCAL_KEYS*)&er);
414     }
415     if (key_mask & BTA_BLE_LOCAL_KEY_TYPE_ID) {
416       BTM_BleLoadLocalKeys(BTA_BLE_LOCAL_KEY_TYPE_ID,
417                            (tBTM_BLE_LOCAL_KEYS*)&id_key);
418     }
419     bta_dm_search_cb.conn_id = GATT_INVALID_CONN_ID;
420 
421     BTM_SecRegister(&bta_security);
422     BTM_SetDefaultLinkSuperTout(p_bta_dm_cfg->link_timeout);
423     BTM_WritePageTimeout(p_bta_dm_cfg->page_timeout);
424     bta_dm_cb.cur_policy = p_bta_dm_cfg->policy_settings;
425     BTM_SetDefaultLinkPolicy(bta_dm_cb.cur_policy);
426     BTM_RegBusyLevelNotif(bta_dm_bl_change_cback, NULL,
427                           BTM_BL_UPDATE_MASK | BTM_BL_ROLE_CHG_MASK);
428 
429 #if (BLE_VND_INCLUDED == TRUE)
430     BTM_BleReadControllerFeatures(bta_dm_ctrl_features_rd_cmpl_cback);
431 #else
432     /* If VSC multi adv commands are available, advertising will be initialized
433      * when capabilities are read. If they are not avaliable, initialize
434      * advertising here */
435     btm_ble_adv_init();
436 #endif
437 
438     /* Earlier, we used to invoke BTM_ReadLocalAddr which was just copying the
439        bd_addr
440        from the control block and invoking the callback which was sending the
441        DM_ENABLE_EVT.
442        But then we have a few HCI commands being invoked above which were still
443        in progress
444        when the ENABLE_EVT was sent. So modified this to fetch the local name
445        which forces
446        the DM_ENABLE_EVT to be sent only after all the init steps are complete
447        */
448     BTM_ReadLocalDeviceNameFromController(bta_dm_local_name_cback);
449 
450     bta_sys_rm_register(bta_dm_rm_cback);
451 
452     /* initialize bluetooth low power manager */
453     bta_dm_init_pm();
454 
455     bta_sys_policy_register(bta_dm_policy_cback);
456 
457     bta_dm_gattc_register();
458 
459   } else
460     APPL_TRACE_DEBUG(" --- ignored event");
461 }
462 
463 /** Disables the BT device manager */
bta_dm_disable()464 void bta_dm_disable() {
465   /* Set l2cap idle timeout to 0 (so BTE immediately disconnects ACL link after
466    * last channel is closed) */
467   L2CA_SetIdleTimeoutByBdAddr(RawAddress::kAny, 0, BT_TRANSPORT_BR_EDR);
468   L2CA_SetIdleTimeoutByBdAddr(RawAddress::kAny, 0, BT_TRANSPORT_LE);
469 
470   /* disable all active subsystems */
471   bta_sys_disable(BTA_SYS_HW_BLUETOOTH);
472 
473   BTM_SetDiscoverability(BTM_NON_DISCOVERABLE, 0, 0);
474   BTM_SetConnectability(BTM_NON_CONNECTABLE, 0, 0);
475 
476   bta_dm_disable_pm();
477   bta_dm_disable_search_and_disc();
478   bta_dm_cb.disabling = true;
479 
480   connection_manager::reset(false);
481 
482   if (BTM_GetNumAclLinks() == 0) {
483 #if (BTA_DISABLE_DELAY > 0)
484     /* If BTA_DISABLE_DELAY is defined and greater than zero, then delay the
485      * shutdown by
486      * BTA_DISABLE_DELAY milliseconds
487      */
488     APPL_TRACE_WARNING("%s BTA_DISABLE_DELAY set to %d ms", __func__,
489                        BTA_DISABLE_DELAY);
490     alarm_set_on_mloop(bta_dm_cb.disable_timer, BTA_DISABLE_DELAY,
491                        bta_dm_disable_conn_down_timer_cback, NULL);
492 #else
493     bta_dm_disable_conn_down_timer_cback(NULL);
494 #endif
495   } else {
496     alarm_set_on_mloop(bta_dm_cb.disable_timer, BTA_DM_DISABLE_TIMER_MS,
497                        bta_dm_disable_timer_cback, UINT_TO_PTR(0));
498   }
499 }
500 
501 /*******************************************************************************
502  *
503  * Function         bta_dm_disable_timer_cback
504  *
505  * Description      Called if the disable timer expires
506  *                  Used to close ACL connections which are still active
507  *
508  *
509  *
510  * Returns          void
511  *
512  ******************************************************************************/
bta_dm_disable_timer_cback(void * data)513 static void bta_dm_disable_timer_cback(void* data) {
514   uint8_t i;
515   tBT_TRANSPORT transport = BT_TRANSPORT_BR_EDR;
516   bool trigger_disc = false;
517   uint32_t param = PTR_TO_UINT(data);
518 
519   APPL_TRACE_EVENT("%s trial %u", __func__, param);
520 
521   if (BTM_GetNumAclLinks() && (param == 0)) {
522     for (i = 0; i < bta_dm_cb.device_list.count; i++) {
523       transport = bta_dm_cb.device_list.peer_device[i].transport;
524       btm_remove_acl(bta_dm_cb.device_list.peer_device[i].peer_bdaddr,
525                      transport);
526       trigger_disc = true;
527     }
528 
529     /* Retrigger disable timer in case ACL disconnect failed, DISABLE_EVT still
530        need
531         to be sent out to avoid jave layer disable timeout */
532     if (trigger_disc) {
533       alarm_set_on_mloop(bta_dm_cb.disable_timer,
534                          BTA_DM_DISABLE_TIMER_RETRIAL_MS,
535                          bta_dm_disable_timer_cback, UINT_TO_PTR(1));
536     }
537   } else {
538     bta_dm_cb.disabling = false;
539 
540     bta_sys_remove_uuid(UUID_SERVCLASS_PNP_INFORMATION);
541     bta_dm_cb.p_sec_cback(BTA_DM_DISABLE_EVT, NULL);
542   }
543 }
544 
545 /** Sets local device name */
bta_dm_set_dev_name(const std::vector<uint8_t> & name)546 void bta_dm_set_dev_name(const std::vector<uint8_t>& name) {
547   BTM_SetLocalDeviceName((char*)name.data());
548   bta_dm_set_eir((char*)name.data());
549 }
550 
551 /** Sets discoverability, connectability and pairability */
bta_dm_set_visibility(tBTA_DM_DISC disc_mode_param,tBTA_DM_CONN conn_mode_param,uint8_t pairable_mode,uint8_t conn_paired_only)552 void bta_dm_set_visibility(tBTA_DM_DISC disc_mode_param,
553                            tBTA_DM_CONN conn_mode_param, uint8_t pairable_mode,
554                            uint8_t conn_paired_only) {
555   uint16_t window, interval;
556   uint16_t le_disc_mode = BTM_BleReadDiscoverability();
557   uint16_t le_conn_mode = BTM_BleReadConnectability();
558   uint16_t disc_mode = BTM_ReadDiscoverability(&window, &interval);
559   uint16_t conn_mode = BTM_ReadConnectability(&window, &interval);
560 
561   /* set modes for Discoverability and connectability if not ignore */
562   if (disc_mode_param != (BTA_DM_IGNORE | BTA_DM_LE_IGNORE)) {
563     if ((disc_mode_param & BTA_DM_LE_IGNORE) == BTA_DM_LE_IGNORE)
564       disc_mode_param = ((disc_mode_param & ~BTA_DM_LE_IGNORE) | le_disc_mode);
565     if ((disc_mode_param & BTA_DM_IGNORE) == BTA_DM_IGNORE)
566       disc_mode_param = ((disc_mode_param & ~BTA_DM_IGNORE) | disc_mode);
567 
568     BTM_SetDiscoverability(disc_mode_param, bta_dm_cb.inquiry_scan_window,
569                            bta_dm_cb.inquiry_scan_interval);
570   }
571 
572   if (conn_mode_param != (BTA_DM_IGNORE | BTA_DM_LE_IGNORE)) {
573     if ((conn_mode_param & BTA_DM_LE_IGNORE) == BTA_DM_LE_IGNORE)
574       conn_mode_param = ((conn_mode_param & ~BTA_DM_LE_IGNORE) | le_conn_mode);
575     if ((conn_mode_param & BTA_DM_IGNORE) == BTA_DM_IGNORE)
576       conn_mode_param = ((conn_mode_param & ~BTA_DM_IGNORE) | conn_mode);
577 
578     BTM_SetConnectability(conn_mode_param, bta_dm_cb.page_scan_window,
579                           bta_dm_cb.page_scan_interval);
580   }
581 
582   /* Send False or True if not ignore */
583   if (pairable_mode != BTA_DM_IGNORE) {
584     if (pairable_mode == BTA_DM_NON_PAIRABLE)
585       bta_dm_cb.disable_pair_mode = true;
586     else
587       bta_dm_cb.disable_pair_mode = false;
588   }
589 
590   /* Send False or True if not ignore */
591   if (conn_paired_only != BTA_DM_IGNORE) {
592     if (conn_paired_only == BTA_DM_CONN_ALL)
593       bta_dm_cb.conn_paired_only = false;
594     else
595       bta_dm_cb.conn_paired_only = true;
596   }
597 
598   /* Change mode if either mode is not ignore */
599   if (pairable_mode != BTA_DM_IGNORE || conn_paired_only != BTA_DM_IGNORE)
600     BTM_SetPairableMode((bool)(!(bta_dm_cb.disable_pair_mode)),
601                         bta_dm_cb.conn_paired_only);
602 }
603 
604 /*******************************************************************************
605  *
606  * Function         bta_dm_process_remove_device
607  *
608  * Description      Removes device, Disconnects ACL link if required.
609  ***
610  ******************************************************************************/
bta_dm_process_remove_device(const RawAddress & bd_addr)611 void bta_dm_process_remove_device(const RawAddress& bd_addr) {
612   /* need to remove all pending background connection before unpair */
613   BTA_GATTC_CancelOpen(0, bd_addr, false);
614 
615   BTM_SecDeleteDevice(bd_addr);
616 
617   /* remove all cached GATT information */
618   BTA_GATTC_Refresh(bd_addr);
619 
620   if (bta_dm_cb.p_sec_cback) {
621     tBTA_DM_SEC sec_event;
622     sec_event.link_down.bd_addr = bd_addr;
623     ;
624     /* No connection, set status to success (acl disc code not valid) */
625     sec_event.link_down.status = HCI_SUCCESS;
626     bta_dm_cb.p_sec_cback(BTA_DM_DEV_UNPAIRED_EVT, &sec_event);
627   }
628 }
629 
630 /** Removes device, disconnects ACL link if required */
bta_dm_remove_device(const RawAddress & bd_addr)631 void bta_dm_remove_device(const RawAddress& bd_addr) {
632   /* If ACL exists for the device in the remove_bond message*/
633   bool is_bd_addr_connected =
634       BTM_IsAclConnectionUp(bd_addr, BT_TRANSPORT_LE) ||
635       BTM_IsAclConnectionUp(bd_addr, BT_TRANSPORT_BR_EDR);
636 
637   uint8_t other_transport = BT_TRANSPORT_INVALID;
638   if (is_bd_addr_connected) {
639     APPL_TRACE_DEBUG("%s: ACL Up count: %d", __func__,
640                      bta_dm_cb.device_list.count);
641 
642     /* Take the link down first, and mark the device for removal when
643      * disconnected */
644     for (int i = 0; i < bta_dm_cb.device_list.count; i++) {
645       auto& peer_device = bta_dm_cb.device_list.peer_device[i];
646       if (peer_device.peer_bdaddr == bd_addr) {
647         peer_device.conn_state = BTA_DM_UNPAIRING;
648 
649         /* Make sure device is not in white list before we disconnect */
650         GATT_CancelConnect(0, bd_addr, false);
651 
652         btm_remove_acl(bd_addr, peer_device.transport);
653         APPL_TRACE_DEBUG("%s: transport: %d", __func__, peer_device.transport);
654 
655         /* save the other transport to check if device is connected on
656          * other_transport */
657         if (peer_device.transport == BT_TRANSPORT_LE)
658           other_transport = BT_TRANSPORT_BR_EDR;
659         else
660           other_transport = BT_TRANSPORT_LE;
661 
662         break;
663       }
664     }
665   }
666 
667   RawAddress other_address = bd_addr;
668   RawAddress other_address2 = bd_addr;
669 
670   // If it is DUMO device and device is paired as different address, unpair that
671   // device
672   bool other_address_connected =
673       (other_transport)
674           ? BTM_ReadConnectedTransportAddress(&other_address, other_transport)
675           : (BTM_ReadConnectedTransportAddress(&other_address,
676                                                BT_TRANSPORT_BR_EDR) ||
677              BTM_ReadConnectedTransportAddress(&other_address2,
678                                                BT_TRANSPORT_LE));
679   if (other_address == bd_addr) other_address = other_address2;
680 
681   if (other_address_connected) {
682     /* Take the link down first, and mark the device for removal when
683      * disconnected */
684     for (int i = 0; i < bta_dm_cb.device_list.count; i++) {
685       auto& peer_device = bta_dm_cb.device_list.peer_device[i];
686       if (peer_device.peer_bdaddr == other_address) {
687         peer_device.conn_state = BTA_DM_UNPAIRING;
688 
689         /* Make sure device is not in white list before we disconnect */
690         GATT_CancelConnect(0, bd_addr, false);
691 
692         btm_remove_acl(other_address, peer_device.transport);
693         break;
694       }
695     }
696   }
697 
698   /* Delete the device mentioned in the msg */
699   if (!is_bd_addr_connected) {
700     bta_dm_process_remove_device(bd_addr);
701   }
702 
703   /* Delete the other paired device too */
704   if (!other_address_connected && !other_address.IsEmpty()) {
705     bta_dm_process_remove_device(other_address);
706   }
707 }
708 
709 /*******************************************************************************
710  *
711  * Function         bta_dm_add_device
712  *
713  * Description      This function adds a Link Key to an security database entry.
714  *                  It is normally called during host startup to restore all
715  *                  required information stored in the NVRAM.
716  ******************************************************************************/
bta_dm_add_device(std::unique_ptr<tBTA_DM_API_ADD_DEVICE> msg)717 void bta_dm_add_device(std::unique_ptr<tBTA_DM_API_ADD_DEVICE> msg) {
718   uint8_t* p_dc = NULL;
719   LinkKey* p_lc = NULL;
720   uint32_t trusted_services_mask[BTM_SEC_SERVICE_ARRAY_SIZE];
721   uint8_t index = 0;
722   uint8_t btm_mask_index = 0;
723 
724   memset(trusted_services_mask, 0, sizeof(trusted_services_mask));
725 
726   /* If not all zeros, the device class has been specified */
727   if (msg->dc_known) p_dc = (uint8_t*)msg->dc;
728 
729   if (msg->link_key_known) p_lc = &msg->link_key;
730 
731   if (msg->is_trusted) {
732     /* covert BTA service mask to BTM mask */
733     while (msg->tm && (index < BTA_MAX_SERVICE_ID)) {
734       if (msg->tm & (uint32_t)(1 << index)) {
735         btm_mask_index =
736             bta_service_id_to_btm_srv_id_lkup_tbl[index] / BTM_SEC_ARRAY_BITS;
737         trusted_services_mask[btm_mask_index] |=
738             (uint32_t)(1 << (bta_service_id_to_btm_srv_id_lkup_tbl[index] -
739                              (uint32_t)(btm_mask_index * 32)));
740 
741         msg->tm &= (uint32_t)(~(1 << index));
742       }
743       index++;
744     }
745   }
746 
747   if (!BTM_SecAddDevice(msg->bd_addr, p_dc, msg->bd_name, msg->features,
748                         trusted_services_mask, p_lc, msg->key_type, msg->io_cap,
749                         msg->pin_length)) {
750     LOG(ERROR) << "BTA_DM: Error adding device " << msg->bd_addr;
751   }
752 }
753 
754 /** This function forces to close the connection to a remote device and
755  * optionaly remove the device from security database if required. */
bta_dm_close_acl(const RawAddress & bd_addr,bool remove_dev,tBTA_TRANSPORT transport)756 void bta_dm_close_acl(const RawAddress& bd_addr, bool remove_dev,
757                       tBTA_TRANSPORT transport) {
758   uint8_t index;
759 
760   APPL_TRACE_DEBUG("bta_dm_close_acl");
761 
762   if (BTM_IsAclConnectionUp(bd_addr, transport)) {
763     for (index = 0; index < bta_dm_cb.device_list.count; index++) {
764       if (bta_dm_cb.device_list.peer_device[index].peer_bdaddr == bd_addr)
765         break;
766     }
767     if (index != bta_dm_cb.device_list.count) {
768       if (remove_dev)
769         bta_dm_cb.device_list.peer_device[index].remove_dev_pending = true;
770     } else {
771       APPL_TRACE_ERROR("unknown device, remove ACL failed");
772     }
773 
774     /* Make sure device is not in white list before we disconnect */
775     GATT_CancelConnect(0, bd_addr, false);
776 
777     /* Disconnect the ACL link */
778     btm_remove_acl(bd_addr, transport);
779   }
780   /* if to remove the device from security database ? do it now */
781   else if (remove_dev) {
782     if (!BTM_SecDeleteDevice(bd_addr)) {
783       APPL_TRACE_ERROR("delete device from security database failed.");
784     }
785     /* need to remove all pending background connection if any */
786     BTA_GATTC_CancelOpen(0, bd_addr, false);
787     /* remove all cached GATT information */
788     BTA_GATTC_Refresh(bd_addr);
789   }
790   /* otherwise, no action needed */
791 }
792 
793 // TODO: this is unused. remove?
794 /** This function forces to close all the ACL links specified by link type */
bta_dm_remove_all_acl(const tBTA_DM_LINK_TYPE link_type)795 void bta_dm_remove_all_acl(const tBTA_DM_LINK_TYPE link_type) {
796   tBT_TRANSPORT transport = BT_TRANSPORT_BR_EDR;
797 
798   APPL_TRACE_DEBUG("%s link type = %d", __func__, link_type);
799 
800   for (uint8_t i = 0; i < bta_dm_cb.device_list.count; i++) {
801     transport = bta_dm_cb.device_list.peer_device[i].transport;
802     if ((link_type == BTA_DM_LINK_TYPE_ALL) ||
803         ((link_type == BTA_DM_LINK_TYPE_LE) &&
804          (transport == BT_TRANSPORT_LE)) ||
805         ((link_type == BTA_DM_LINK_TYPE_BR_EDR) &&
806          (transport == BT_TRANSPORT_BR_EDR))) {
807       /* Disconnect the ACL link */
808       btm_remove_acl(bta_dm_cb.device_list.peer_device[i].peer_bdaddr,
809                      transport);
810     }
811   }
812 }
813 
814 /** Bonds with peer device */
bta_dm_bond(const RawAddress & bd_addr,tBTA_TRANSPORT transport)815 void bta_dm_bond(const RawAddress& bd_addr, tBTA_TRANSPORT transport) {
816   tBTM_STATUS status;
817   tBTA_DM_SEC sec_event;
818   char* p_name;
819 
820   if (transport == BTA_TRANSPORT_UNKNOWN)
821     status = BTM_SecBond(bd_addr, 0, NULL, 0);
822   else
823     status = BTM_SecBondByTransport(bd_addr, transport, 0, NULL, 0);
824 
825   if (bta_dm_cb.p_sec_cback && (status != BTM_CMD_STARTED)) {
826     memset(&sec_event, 0, sizeof(tBTA_DM_SEC));
827     sec_event.auth_cmpl.bd_addr = bd_addr;
828     p_name = BTM_SecReadDevName(bd_addr);
829     if (p_name != NULL) {
830       memcpy(sec_event.auth_cmpl.bd_name, p_name, (BD_NAME_LEN - 1));
831       sec_event.auth_cmpl.bd_name[BD_NAME_LEN - 1] = 0;
832     }
833 
834     /*      taken care of by memset [above]
835             sec_event.auth_cmpl.key_present = false;
836             sec_event.auth_cmpl.success = false;
837     */
838     sec_event.auth_cmpl.fail_reason = HCI_ERR_ILLEGAL_COMMAND;
839     if (status == BTM_SUCCESS) {
840       sec_event.auth_cmpl.success = true;
841     } else {
842       /* delete this device entry from Sec Dev DB */
843       bta_dm_remove_sec_dev_entry(bd_addr);
844     }
845     bta_dm_cb.p_sec_cback(BTA_DM_AUTH_CMPL_EVT, &sec_event);
846   }
847 }
848 
849 /** Cancels bonding with a peer device */
bta_dm_bond_cancel(const RawAddress & bd_addr)850 void bta_dm_bond_cancel(const RawAddress& bd_addr) {
851   tBTM_STATUS status;
852   tBTA_DM_SEC sec_event;
853 
854   APPL_TRACE_EVENT(" bta_dm_bond_cancel ");
855   status = BTM_SecBondCancel(bd_addr);
856 
857   if (bta_dm_cb.p_sec_cback &&
858       (status != BTM_CMD_STARTED && status != BTM_SUCCESS)) {
859     sec_event.bond_cancel_cmpl.result = BTA_FAILURE;
860 
861     bta_dm_cb.p_sec_cback(BTA_DM_BOND_CANCEL_CMPL_EVT, &sec_event);
862   }
863 }
864 
865 /** Send the pin_reply to a request from BTM */
bta_dm_pin_reply(std::unique_ptr<tBTA_DM_API_PIN_REPLY> msg)866 void bta_dm_pin_reply(std::unique_ptr<tBTA_DM_API_PIN_REPLY> msg) {
867   uint32_t trusted_mask[BTM_SEC_SERVICE_ARRAY_SIZE];
868 
869   uint32_t* current_trusted_mask = BTM_ReadTrustedMask(msg->bd_addr);
870   if (current_trusted_mask) {
871     memcpy(trusted_mask, current_trusted_mask, sizeof(trusted_mask));
872   } else {
873     memset(trusted_mask, 0, sizeof(trusted_mask));
874   }
875 
876   if (msg->accept) {
877     BTM_PINCodeReply(msg->bd_addr, BTM_SUCCESS, msg->pin_len, msg->p_pin,
878                      trusted_mask);
879   } else {
880     BTM_PINCodeReply(msg->bd_addr, BTM_NOT_AUTHORIZED, 0, NULL, trusted_mask);
881   }
882 }
883 
884 /*******************************************************************************
885  *
886  * Function         bta_dm_policy_cback
887  *
888  * Description      process the link policy changes
889  *
890  * Returns          void
891  *
892  ******************************************************************************/
bta_dm_policy_cback(tBTA_SYS_CONN_STATUS status,uint8_t id,uint8_t app_id,const RawAddress & peer_addr)893 static void bta_dm_policy_cback(tBTA_SYS_CONN_STATUS status, uint8_t id,
894                                 uint8_t app_id, const RawAddress& peer_addr) {
895   tBTA_DM_PEER_DEVICE* p_dev = NULL;
896   uint16_t policy = app_id;
897   uint32_t mask = (uint32_t)(1 << id);
898 
899   if (peer_addr != RawAddress::kEmpty) {
900     p_dev = bta_dm_find_peer_device(peer_addr);
901   }
902 
903   APPL_TRACE_DEBUG(" bta_dm_policy_cback cmd:%d, policy:0x%x", status, policy);
904   switch (status) {
905     case BTA_SYS_PLCY_SET:
906       if (!p_dev) return;
907       /* restore the default link policy */
908       p_dev->link_policy |= policy;
909       BTM_SetLinkPolicy(p_dev->peer_bdaddr, &(p_dev->link_policy));
910       break;
911 
912     case BTA_SYS_PLCY_CLR:
913       if (!p_dev) return;
914       /* clear the policy from the default link policy */
915       p_dev->link_policy &= (~policy);
916       BTM_SetLinkPolicy(p_dev->peer_bdaddr, &(p_dev->link_policy));
917 
918       if (policy & (HCI_ENABLE_SNIFF_MODE | HCI_ENABLE_PARK_MODE)) {
919         /* if clearing sniff/park, wake the link */
920         bta_dm_pm_active(p_dev->peer_bdaddr);
921       }
922       break;
923 
924     case BTA_SYS_PLCY_DEF_SET:
925       /* want to restore/set the role switch policy */
926       bta_dm_cb.role_policy_mask &= ~mask;
927       if (0 == bta_dm_cb.role_policy_mask) {
928         /* if nobody wants to insist on the role */
929         bta_dm_cb.cur_policy |= HCI_ENABLE_MASTER_SLAVE_SWITCH;
930         BTM_SetDefaultLinkPolicy(bta_dm_cb.cur_policy);
931       }
932       break;
933 
934     case BTA_SYS_PLCY_DEF_CLR:
935       /* want to remove the role switch policy */
936       bta_dm_cb.role_policy_mask |= mask;
937       bta_dm_cb.cur_policy &= ~HCI_ENABLE_MASTER_SLAVE_SWITCH;
938       BTM_SetDefaultLinkPolicy(bta_dm_cb.cur_policy);
939       break;
940   }
941 }
942 
943 /** Send the user confirm request reply in response to a request from BTM */
bta_dm_confirm(const RawAddress & bd_addr,bool accept)944 void bta_dm_confirm(const RawAddress& bd_addr, bool accept) {
945   BTM_ConfirmReqReply(accept ? BTM_SUCCESS : BTM_NOT_AUTHORIZED, bd_addr);
946 }
947 
948 /** respond to the IO capabilities request from BTM */
bta_dm_ci_io_req_act(const RawAddress & bd_addr,tBTA_IO_CAP io_cap,tBTA_OOB_DATA oob_data,tBTA_AUTH_REQ auth_req)949 void bta_dm_ci_io_req_act(const RawAddress& bd_addr, tBTA_IO_CAP io_cap,
950                           tBTA_OOB_DATA oob_data, tBTA_AUTH_REQ auth_req) {
951   BTM_IoCapRsp(bd_addr, io_cap, oob_data,
952                auth_req ? BTM_AUTH_AP_YES : BTM_AUTH_AP_NO);
953 }
954 
955 /** respond to the OOB data request for the remote device from BTM */
bta_dm_ci_rmt_oob_act(std::unique_ptr<tBTA_DM_CI_RMT_OOB> msg)956 void bta_dm_ci_rmt_oob_act(std::unique_ptr<tBTA_DM_CI_RMT_OOB> msg) {
957   BTM_RemoteOobDataReply(msg->accept ? BTM_SUCCESS : BTM_NOT_AUTHORIZED,
958                          msg->bd_addr, msg->c, msg->r);
959 }
960 
961 /*******************************************************************************
962  *
963  * Function         bta_dm_search_start
964  *
965  * Description      Starts an inquiry
966  *
967  *
968  * Returns          void
969  *
970  ******************************************************************************/
bta_dm_search_start(tBTA_DM_MSG * p_data)971 void bta_dm_search_start(tBTA_DM_MSG* p_data) {
972   tBTM_INQUIRY_CMPL result = {};
973 
974   size_t len = sizeof(Uuid) * p_data->search.num_uuid;
975   bta_dm_gattc_register();
976 
977   APPL_TRACE_DEBUG("%s avoid_scatter=%d", __func__,
978                    p_bta_dm_cfg->avoid_scatter);
979 
980   if (p_bta_dm_cfg->avoid_scatter &&
981       (p_data->search.rs_res == BTA_DM_RS_NONE) &&
982       bta_dm_check_av(BTA_DM_API_SEARCH_EVT)) {
983     LOG(INFO) << __func__ << ": delay search to avoid scatter";
984     memcpy(&bta_dm_cb.search_msg, &p_data->search, sizeof(tBTA_DM_API_SEARCH));
985     return;
986   }
987 
988   BTM_ClearInqDb(nullptr);
989   /* save search params */
990   bta_dm_search_cb.p_search_cback = p_data->search.p_cback;
991   bta_dm_search_cb.services = p_data->search.services;
992 
993   osi_free_and_reset((void**)&bta_dm_search_cb.p_srvc_uuid);
994 
995   if ((bta_dm_search_cb.num_uuid = p_data->search.num_uuid) != 0 &&
996       p_data->search.p_uuid != nullptr) {
997     bta_dm_search_cb.p_srvc_uuid = (Uuid*)osi_malloc(len);
998     *bta_dm_search_cb.p_srvc_uuid = *p_data->search.p_uuid;
999   }
1000   result.status = BTM_StartInquiry((tBTM_INQ_PARMS*)&p_data->search.inq_params,
1001                                    bta_dm_inq_results_cb, bta_dm_inq_cmpl_cb);
1002 
1003   APPL_TRACE_EVENT("%s status=%d", __func__, result.status);
1004   if (result.status != BTM_CMD_STARTED) {
1005     LOG(ERROR) << __func__ << ": BTM_StartInquiry returned "
1006                << std::to_string(result.status);
1007     result.num_resp = 0;
1008     bta_dm_inq_cmpl_cb((void*)&result);
1009   }
1010 }
1011 
1012 /*******************************************************************************
1013  *
1014  * Function         bta_dm_search_cancel
1015  *
1016  * Description      Cancels an ongoing search for devices
1017  *
1018  *
1019  * Returns          void
1020  *
1021  ******************************************************************************/
bta_dm_search_cancel(UNUSED_ATTR tBTA_DM_MSG * p_data)1022 void bta_dm_search_cancel(UNUSED_ATTR tBTA_DM_MSG* p_data) {
1023   tBTA_DM_MSG* p_msg;
1024 
1025   if (BTM_IsInquiryActive()) {
1026     if (BTM_CancelInquiry() == BTM_SUCCESS) {
1027       bta_dm_search_cancel_notify(NULL);
1028       p_msg = (tBTA_DM_MSG*)osi_malloc(sizeof(tBTA_DM_MSG));
1029       p_msg->hdr.event = BTA_DM_SEARCH_CMPL_EVT;
1030       p_msg->hdr.layer_specific = BTA_DM_API_DISCOVER_EVT;
1031       bta_sys_sendmsg(p_msg);
1032     } else {
1033       /* flag a search cancel is pending */
1034       bta_dm_search_cb.cancel_pending = true;
1035     }
1036   }
1037   /* If no Service Search going on then issue cancel remote name in case it is
1038      active */
1039   else if (!bta_dm_search_cb.name_discover_done) {
1040     BTM_CancelRemoteDeviceName();
1041 
1042     p_msg = (tBTA_DM_MSG*)osi_malloc(sizeof(tBTA_DM_MSG));
1043     p_msg->hdr.event = BTA_DM_SEARCH_CMPL_EVT;
1044     p_msg->hdr.layer_specific = BTA_DM_API_DISCOVER_EVT;
1045     bta_sys_sendmsg(p_msg);
1046   } else {
1047     p_msg = (tBTA_DM_MSG*)osi_malloc(sizeof(tBTA_DM_MSG));
1048     p_msg->hdr.event = BTA_DM_INQUIRY_CMPL_EVT;
1049     p_msg->hdr.layer_specific = BTA_DM_API_DISCOVER_EVT;
1050     bta_sys_sendmsg(p_msg);
1051   }
1052 
1053   if (bta_dm_search_cb.gatt_disc_active) {
1054     bta_dm_cancel_gatt_discovery(bta_dm_search_cb.peer_bdaddr);
1055   }
1056 }
1057 
1058 /*******************************************************************************
1059  *
1060  * Function         bta_dm_discover
1061  *
1062  * Description      Discovers services on a remote device
1063  *
1064  *
1065  * Returns          void
1066  *
1067  ******************************************************************************/
bta_dm_discover(tBTA_DM_MSG * p_data)1068 void bta_dm_discover(tBTA_DM_MSG* p_data) {
1069   size_t len = sizeof(Uuid) * p_data->discover.num_uuid;
1070   APPL_TRACE_EVENT("%s services_to_search=0x%04X, sdp_search=%d", __func__,
1071                    p_data->discover.services, p_data->discover.sdp_search);
1072 
1073   /* save the search condition */
1074   bta_dm_search_cb.services = p_data->discover.services;
1075 
1076   bta_dm_gattc_register();
1077   osi_free_and_reset((void**)&bta_dm_search_cb.p_srvc_uuid);
1078   if ((bta_dm_search_cb.num_uuid = p_data->discover.num_uuid) != 0 &&
1079       p_data->discover.p_uuid != NULL) {
1080     bta_dm_search_cb.p_srvc_uuid = (Uuid*)osi_malloc(len);
1081     *bta_dm_search_cb.p_srvc_uuid = *p_data->discover.p_uuid;
1082   }
1083   bta_dm_search_cb.uuid_to_search = bta_dm_search_cb.num_uuid;
1084 
1085   bta_dm_search_cb.p_search_cback = p_data->discover.p_cback;
1086   bta_dm_search_cb.sdp_search = p_data->discover.sdp_search;
1087   bta_dm_search_cb.services_to_search = bta_dm_search_cb.services;
1088   bta_dm_search_cb.service_index = 0;
1089   bta_dm_search_cb.services_found = 0;
1090   bta_dm_search_cb.peer_name[0] = 0;
1091   bta_dm_search_cb.sdp_search = p_data->discover.sdp_search;
1092   bta_dm_search_cb.p_btm_inq_info = BTM_InqDbRead(p_data->discover.bd_addr);
1093   bta_dm_search_cb.transport = p_data->discover.transport;
1094 
1095   bta_dm_search_cb.name_discover_done = false;
1096   bta_dm_search_cb.uuid = p_data->discover.uuid;
1097   bta_dm_discover_device(p_data->discover.bd_addr);
1098 }
1099 
1100 /*******************************************************************************
1101  *
1102  * Function         bta_dm_di_disc_cmpl
1103  *
1104  * Description      Sends event to application when DI discovery complete
1105  *
1106  * Returns          void
1107  *
1108  ******************************************************************************/
bta_dm_di_disc_cmpl(tBTA_DM_MSG * p_data)1109 void bta_dm_di_disc_cmpl(tBTA_DM_MSG* p_data) {
1110   tBTA_DM_DI_DISC_CMPL di_disc;
1111 
1112   memset(&di_disc, 0, sizeof(tBTA_DM_DI_DISC_CMPL));
1113   di_disc.bd_addr = bta_dm_search_cb.peer_bdaddr;
1114 
1115   if ((p_data->hdr.offset == SDP_SUCCESS) ||
1116       (p_data->hdr.offset == SDP_DB_FULL)) {
1117     di_disc.num_record = SDP_GetNumDiRecords(bta_dm_di_cb.p_di_db);
1118   } else
1119     di_disc.result = BTA_FAILURE;
1120 
1121   bta_dm_di_cb.p_di_db = NULL;
1122   bta_dm_search_cb.p_search_cback(BTA_DM_DI_DISC_CMPL_EVT,
1123                                   (tBTA_DM_SEARCH*)&di_disc);
1124 }
1125 
1126 /*******************************************************************************
1127  *
1128  * Function         bta_dm_di_disc_callback
1129  *
1130  * Description      This function queries a remote device for DI information.
1131  *
1132  *
1133  * Returns          void
1134  *
1135  ******************************************************************************/
bta_dm_di_disc_callback(uint16_t result)1136 static void bta_dm_di_disc_callback(uint16_t result) {
1137   tBTA_DM_MSG* p_msg = (tBTA_DM_MSG*)osi_malloc(sizeof(tBTA_DM_MSG));
1138 
1139   p_msg->hdr.event = BTA_DM_SEARCH_CMPL_EVT;
1140   p_msg->hdr.layer_specific = BTA_DM_API_DI_DISCOVER_EVT;
1141   p_msg->hdr.offset = result;
1142 
1143   bta_sys_sendmsg(p_msg);
1144 }
1145 
1146 /*******************************************************************************
1147  *
1148  * Function         bta_dm_disable_search_and_disc
1149  *
1150  * Description      Cancels an ongoing search or discovery for devices in case
1151  *                  of a Bluetooth disable
1152  *
1153  *
1154  * Returns          void
1155  *
1156  ******************************************************************************/
bta_dm_disable_search_and_disc(void)1157 static void bta_dm_disable_search_and_disc(void) {
1158   tBTA_DM_DI_DISC_CMPL di_disc;
1159 
1160   if (bta_dm_search_cb.state != BTA_DM_SEARCH_IDLE) bta_dm_search_cancel(NULL);
1161 
1162   if (bta_dm_di_cb.p_di_db != NULL) {
1163     memset(&di_disc, 0, sizeof(tBTA_DM_DI_DISC_CMPL));
1164     di_disc.bd_addr = bta_dm_search_cb.peer_bdaddr;
1165     di_disc.result = BTA_FAILURE;
1166 
1167     bta_dm_di_cb.p_di_db = NULL;
1168     bta_dm_search_cb.p_search_cback(BTA_DM_DI_DISC_CMPL_EVT, NULL);
1169   }
1170 }
1171 
1172 /*******************************************************************************
1173  *
1174  * Function         bta_dm_di_disc
1175  *
1176  * Description      This function queries a remote device for DI information.
1177  *
1178  *
1179  * Returns          void
1180  *
1181  ******************************************************************************/
bta_dm_di_disc(tBTA_DM_MSG * p_data)1182 void bta_dm_di_disc(tBTA_DM_MSG* p_data) {
1183   uint16_t result = BTA_FAILURE;
1184 
1185   bta_dm_search_cb.p_search_cback = p_data->di_disc.p_cback;
1186   bta_dm_search_cb.peer_bdaddr = p_data->di_disc.bd_addr;
1187   bta_dm_di_cb.p_di_db = p_data->di_disc.p_sdp_db;
1188 
1189   bta_dm_search_cb.p_sdp_db =
1190       (tSDP_DISCOVERY_DB*)osi_malloc(BTA_DM_SDP_DB_SIZE);
1191   if (SDP_DiDiscover(bta_dm_search_cb.peer_bdaddr, p_data->di_disc.p_sdp_db,
1192                      p_data->di_disc.len,
1193                      bta_dm_di_disc_callback) == SDP_SUCCESS) {
1194     result = BTA_SUCCESS;
1195   }
1196 
1197   if (result == BTA_FAILURE) {
1198     tBTA_DM_MSG* p_msg = (tBTA_DM_MSG*)osi_malloc(sizeof(tBTA_DM_MSG));
1199 
1200     p_msg->hdr.event = BTA_DM_SEARCH_CMPL_EVT;
1201     p_msg->hdr.layer_specific = BTA_DM_API_DI_DISCOVER_EVT;
1202     p_data->hdr.offset = result;
1203     bta_sys_sendmsg(p_msg);
1204   }
1205 }
1206 
1207 /*******************************************************************************
1208  *
1209  * Function         bta_dm_read_remote_device_name
1210  *
1211  * Description      Initiate to get remote device name
1212  *
1213  * Returns          true if started to get remote name
1214  *
1215  ******************************************************************************/
bta_dm_read_remote_device_name(const RawAddress & bd_addr,tBT_TRANSPORT transport)1216 static bool bta_dm_read_remote_device_name(const RawAddress& bd_addr,
1217                                            tBT_TRANSPORT transport) {
1218   tBTM_STATUS btm_status;
1219 
1220   APPL_TRACE_DEBUG("%s", __func__);
1221 
1222   bta_dm_search_cb.peer_bdaddr = bd_addr;
1223   bta_dm_search_cb.peer_name[0] = 0;
1224 
1225   btm_status = BTM_ReadRemoteDeviceName(bta_dm_search_cb.peer_bdaddr,
1226                                         bta_dm_remname_cback, transport);
1227 
1228   if (btm_status == BTM_CMD_STARTED) {
1229     APPL_TRACE_DEBUG("%s: BTM_ReadRemoteDeviceName is started", __func__);
1230 
1231     return (true);
1232   } else if (btm_status == BTM_BUSY) {
1233     APPL_TRACE_DEBUG("%s: BTM_ReadRemoteDeviceName is busy", __func__);
1234 
1235     /* Remote name discovery is on going now so BTM cannot notify through
1236      * "bta_dm_remname_cback" */
1237     /* adding callback to get notified that current reading remore name done */
1238     BTM_SecAddRmtNameNotifyCallback(&bta_dm_service_search_remname_cback);
1239 
1240     return (true);
1241   } else {
1242     APPL_TRACE_WARNING("%s: BTM_ReadRemoteDeviceName returns 0x%02X", __func__,
1243                        btm_status);
1244 
1245     return (false);
1246   }
1247 }
1248 
1249 /*******************************************************************************
1250  *
1251  * Function         bta_dm_inq_cmpl
1252  *
1253  * Description      Process the inquiry complete event from BTM
1254  *
1255  * Returns          void
1256  *
1257  ******************************************************************************/
bta_dm_inq_cmpl(tBTA_DM_MSG * p_data)1258 void bta_dm_inq_cmpl(tBTA_DM_MSG* p_data) {
1259   tBTA_DM_SEARCH data;
1260 
1261   APPL_TRACE_DEBUG("bta_dm_inq_cmpl");
1262 
1263   data.inq_cmpl.num_resps = p_data->inq_cmpl.num;
1264   bta_dm_search_cb.p_search_cback(BTA_DM_INQ_CMPL_EVT, &data);
1265 
1266   bta_dm_search_cb.p_btm_inq_info = BTM_InqDbFirst();
1267   if (bta_dm_search_cb.p_btm_inq_info != NULL) {
1268     /* start name and service discovery from the first device on inquiry result
1269      */
1270     bta_dm_search_cb.name_discover_done = false;
1271     bta_dm_search_cb.peer_name[0] = 0;
1272     bta_dm_discover_device(
1273         bta_dm_search_cb.p_btm_inq_info->results.remote_bd_addr);
1274   } else {
1275     tBTA_DM_MSG* p_msg = (tBTA_DM_MSG*)osi_malloc(sizeof(tBTA_DM_MSG));
1276 
1277     /* no devices, search complete */
1278     bta_dm_search_cb.services = 0;
1279 
1280     p_msg->hdr.event = BTA_DM_SEARCH_CMPL_EVT;
1281     p_msg->hdr.layer_specific = BTA_DM_API_DISCOVER_EVT;
1282     bta_sys_sendmsg(p_msg);
1283   }
1284 }
1285 
1286 /*******************************************************************************
1287  *
1288  * Function         bta_dm_rmt_name
1289  *
1290  * Description      Process the remote name result from BTM
1291  *
1292  * Returns          void
1293  *
1294  ******************************************************************************/
bta_dm_rmt_name(tBTA_DM_MSG * p_data)1295 void bta_dm_rmt_name(tBTA_DM_MSG* p_data) {
1296   APPL_TRACE_DEBUG("bta_dm_rmt_name");
1297 
1298   if (p_data->rem_name.result.disc_res.bd_name[0] &&
1299       bta_dm_search_cb.p_btm_inq_info) {
1300     bta_dm_search_cb.p_btm_inq_info->appl_knows_rem_name = true;
1301   }
1302 
1303   bta_dm_discover_device(bta_dm_search_cb.peer_bdaddr);
1304 }
1305 
1306 /*******************************************************************************
1307  *
1308  * Function         bta_dm_disc_rmt_name
1309  *
1310  * Description      Process the remote name result from BTM when application
1311  *                  wants to find the name for a bdaddr
1312  *
1313  * Returns          void
1314  *
1315  ******************************************************************************/
bta_dm_disc_rmt_name(tBTA_DM_MSG * p_data)1316 void bta_dm_disc_rmt_name(tBTA_DM_MSG* p_data) {
1317   tBTM_INQ_INFO* p_btm_inq_info;
1318 
1319   APPL_TRACE_DEBUG("bta_dm_disc_rmt_name");
1320 
1321   p_btm_inq_info = BTM_InqDbRead(p_data->rem_name.result.disc_res.bd_addr);
1322   if (p_btm_inq_info) {
1323     if (p_data->rem_name.result.disc_res.bd_name[0]) {
1324       p_btm_inq_info->appl_knows_rem_name = true;
1325     }
1326   }
1327 
1328   bta_dm_discover_device(p_data->rem_name.result.disc_res.bd_addr);
1329 }
1330 
1331 /*******************************************************************************
1332  *
1333  * Function         bta_dm_sdp_result
1334  *
1335  * Description      Process the discovery result from sdp
1336  *
1337  * Returns          void
1338  *
1339  ******************************************************************************/
bta_dm_sdp_result(tBTA_DM_MSG * p_data)1340 void bta_dm_sdp_result(tBTA_DM_MSG* p_data) {
1341   tSDP_DISC_REC* p_sdp_rec = NULL;
1342   tBTA_DM_MSG* p_msg;
1343   bool scn_found = false;
1344   uint16_t service = 0xFFFF;
1345   tSDP_PROTOCOL_ELEM pe;
1346 
1347   Uuid* p_uuid = bta_dm_search_cb.p_srvc_uuid;
1348   tBTA_DM_SEARCH result;
1349 
1350   std::vector<Uuid> uuid_list;
1351 
1352   if ((p_data->sdp_event.sdp_result == SDP_SUCCESS) ||
1353       (p_data->sdp_event.sdp_result == SDP_NO_RECS_MATCH) ||
1354       (p_data->sdp_event.sdp_result == SDP_DB_FULL)) {
1355     APPL_TRACE_DEBUG("sdp_result::0x%x", p_data->sdp_event.sdp_result);
1356     do {
1357       p_sdp_rec = NULL;
1358       if (bta_dm_search_cb.service_index == (BTA_USER_SERVICE_ID + 1)) {
1359         p_sdp_rec = SDP_FindServiceUUIDInDb(bta_dm_search_cb.p_sdp_db,
1360                                             bta_dm_search_cb.uuid, p_sdp_rec);
1361 
1362         if (p_sdp_rec && SDP_FindProtocolListElemInRec(
1363                              p_sdp_rec, UUID_PROTOCOL_RFCOMM, &pe)) {
1364           bta_dm_search_cb.peer_scn = (uint8_t)pe.params[0];
1365           scn_found = true;
1366         }
1367       } else {
1368         service =
1369             bta_service_id_to_uuid_lkup_tbl[bta_dm_search_cb.service_index - 1];
1370         p_sdp_rec =
1371             SDP_FindServiceInDb(bta_dm_search_cb.p_sdp_db, service, p_sdp_rec);
1372       }
1373       /* finished with BR/EDR services, now we check the result for GATT based
1374        * service UUID */
1375       if (bta_dm_search_cb.service_index == BTA_MAX_SERVICE_ID) {
1376         if (bta_dm_search_cb.uuid_to_search != 0 && p_uuid != NULL) {
1377           p_uuid +=
1378               (bta_dm_search_cb.num_uuid - bta_dm_search_cb.uuid_to_search);
1379           /* only support 16 bits UUID for now */
1380           service = p_uuid->As16Bit();
1381         }
1382         /* all GATT based services */
1383         do {
1384           /* find a service record, report it */
1385           p_sdp_rec =
1386               SDP_FindServiceInDb(bta_dm_search_cb.p_sdp_db, 0, p_sdp_rec);
1387           if (p_sdp_rec) {
1388             Uuid service_uuid;
1389             if (SDP_FindServiceUUIDInRec(p_sdp_rec, &service_uuid)) {
1390               /* send result back to app now, one by one */
1391               result.disc_ble_res.bd_addr = bta_dm_search_cb.peer_bdaddr;
1392               strlcpy((char*)result.disc_ble_res.bd_name, bta_dm_get_remname(),
1393                       BD_NAME_LEN);
1394 
1395               result.disc_ble_res.service = service_uuid;
1396               bta_dm_search_cb.p_search_cback(BTA_DM_DISC_BLE_RES_EVT, &result);
1397             }
1398           }
1399 
1400           if (bta_dm_search_cb.uuid_to_search > 0) break;
1401 
1402         } while (p_sdp_rec);
1403       } else {
1404         /* SDP_DB_FULL means some records with the
1405            required attributes were received */
1406         if (((p_data->sdp_event.sdp_result == SDP_DB_FULL) &&
1407              bta_dm_search_cb.services != BTA_ALL_SERVICE_MASK) ||
1408             (p_sdp_rec != NULL)) {
1409           if (service != UUID_SERVCLASS_PNP_INFORMATION) {
1410             bta_dm_search_cb.services_found |=
1411                 (tBTA_SERVICE_MASK)(BTA_SERVICE_ID_TO_SERVICE_MASK(
1412                     bta_dm_search_cb.service_index - 1));
1413             uint16_t tmp_svc =
1414                 bta_service_id_to_uuid_lkup_tbl[bta_dm_search_cb.service_index -
1415                                                 1];
1416             /* Add to the list of UUIDs */
1417             uuid_list.push_back(Uuid::From16Bit(tmp_svc));
1418           }
1419         }
1420       }
1421 
1422       if (bta_dm_search_cb.services == BTA_ALL_SERVICE_MASK &&
1423           bta_dm_search_cb.services_to_search == 0) {
1424         if (bta_dm_search_cb.service_index == BTA_BLE_SERVICE_ID &&
1425             bta_dm_search_cb.uuid_to_search > 0)
1426           bta_dm_search_cb.uuid_to_search--;
1427 
1428         if (bta_dm_search_cb.uuid_to_search == 0 ||
1429             bta_dm_search_cb.service_index != BTA_BLE_SERVICE_ID)
1430           bta_dm_search_cb.service_index++;
1431       } else /* regular one service per search or PNP search */
1432         break;
1433 
1434     } while (bta_dm_search_cb.service_index <= BTA_MAX_SERVICE_ID);
1435 
1436     APPL_TRACE_DEBUG("%s services_found = %04x", __func__,
1437                      bta_dm_search_cb.services_found);
1438 
1439     /* Collect the 128-bit services here and put them into the list */
1440     if (bta_dm_search_cb.services == BTA_ALL_SERVICE_MASK) {
1441       p_sdp_rec = NULL;
1442       do {
1443         /* find a service record, report it */
1444         p_sdp_rec =
1445             SDP_FindServiceInDb_128bit(bta_dm_search_cb.p_sdp_db, p_sdp_rec);
1446         if (p_sdp_rec) {
1447           // SDP_FindServiceUUIDInRec_128bit is used only once, refactor?
1448           Uuid temp_uuid;
1449           if (SDP_FindServiceUUIDInRec_128bit(p_sdp_rec, &temp_uuid)) {
1450             uuid_list.push_back(temp_uuid);
1451           }
1452         }
1453       } while (p_sdp_rec);
1454     }
1455     /* if there are more services to search for */
1456     if (bta_dm_search_cb.services_to_search) {
1457       /* Free up the p_sdp_db before checking the next one */
1458       bta_dm_free_sdp_db(NULL);
1459       bta_dm_find_services(bta_dm_search_cb.peer_bdaddr);
1460     } else {
1461       /* callbacks */
1462       /* start next bd_addr if necessary */
1463 
1464       BTM_SecDeleteRmtNameNotifyCallback(&bta_dm_service_search_remname_cback);
1465 
1466       p_msg = (tBTA_DM_MSG*)osi_malloc(sizeof(tBTA_DM_MSG));
1467       p_msg->hdr.event = BTA_DM_DISCOVERY_RESULT_EVT;
1468       p_msg->disc_result.result.disc_res.result = BTA_SUCCESS;
1469       p_msg->disc_result.result.disc_res.p_raw_data = NULL;
1470       p_msg->disc_result.result.disc_res.raw_data_size = 0;
1471       p_msg->disc_result.result.disc_res.num_uuids = uuid_list.size();
1472       p_msg->disc_result.result.disc_res.p_uuid_list = NULL;
1473       if (uuid_list.size() > 0) {
1474         // TODO(jpawlowski): make p_uuid_list into vector, and just copy
1475         // vectors, but first get rid of bta_sys_sendmsg below.
1476         p_msg->disc_result.result.disc_res.p_uuid_list =
1477             (Uuid*)osi_malloc(uuid_list.size() * sizeof(Uuid));
1478         memcpy(p_msg->disc_result.result.disc_res.p_uuid_list, uuid_list.data(),
1479                uuid_list.size() * sizeof(Uuid));
1480       }
1481       // Copy the raw_data to the discovery result structure
1482       if (bta_dm_search_cb.p_sdp_db != NULL &&
1483           bta_dm_search_cb.p_sdp_db->raw_used != 0 &&
1484           bta_dm_search_cb.p_sdp_db->raw_data != NULL) {
1485         APPL_TRACE_DEBUG("%s raw_data used = 0x%x raw_data_ptr = 0x%x",
1486                          __func__, bta_dm_search_cb.p_sdp_db->raw_used,
1487                          bta_dm_search_cb.p_sdp_db->raw_data);
1488 
1489         p_msg->disc_result.result.disc_res.p_raw_data =
1490             (uint8_t*)osi_malloc(bta_dm_search_cb.p_sdp_db->raw_used);
1491         memcpy(p_msg->disc_result.result.disc_res.p_raw_data,
1492                bta_dm_search_cb.p_sdp_db->raw_data,
1493                bta_dm_search_cb.p_sdp_db->raw_used);
1494 
1495         p_msg->disc_result.result.disc_res.raw_data_size =
1496             bta_dm_search_cb.p_sdp_db->raw_used;
1497 
1498         bta_dm_search_cb.p_sdp_db->raw_data =
1499             NULL;  // no need to free this - it is a global assigned.
1500         bta_dm_search_cb.p_sdp_db->raw_used = 0;
1501         bta_dm_search_cb.p_sdp_db->raw_size = 0;
1502       } else {
1503         APPL_TRACE_DEBUG("%s raw data size is 0 or raw_data is null!!",
1504                          __func__);
1505       }
1506       /* Done with p_sdp_db. Free it */
1507       bta_dm_free_sdp_db(NULL);
1508       p_msg->disc_result.result.disc_res.services =
1509           bta_dm_search_cb.services_found;
1510 
1511       // Piggy back the SCN over result field
1512       if (scn_found) {
1513         p_msg->disc_result.result.disc_res.result =
1514             (3 + bta_dm_search_cb.peer_scn);
1515         p_msg->disc_result.result.disc_res.services |= BTA_USER_SERVICE_MASK;
1516 
1517         APPL_TRACE_EVENT(" Piggy back the SCN over result field  SCN=%d",
1518                          bta_dm_search_cb.peer_scn);
1519       }
1520       p_msg->disc_result.result.disc_res.bd_addr = bta_dm_search_cb.peer_bdaddr;
1521       strlcpy((char*)p_msg->disc_result.result.disc_res.bd_name,
1522               bta_dm_get_remname(), BD_NAME_LEN);
1523 
1524       bta_sys_sendmsg(p_msg);
1525     }
1526   } else {
1527     /* conn failed. No need for timer */
1528     if (p_data->sdp_event.sdp_result == SDP_CONN_FAILED ||
1529         p_data->sdp_event.sdp_result == SDP_CONN_REJECTED ||
1530         p_data->sdp_event.sdp_result == SDP_SECURITY_ERR)
1531       bta_dm_search_cb.wait_disc = false;
1532 
1533     /* not able to connect go to next device */
1534     if (bta_dm_search_cb.p_sdp_db)
1535       osi_free_and_reset((void**)&bta_dm_search_cb.p_sdp_db);
1536 
1537     BTM_SecDeleteRmtNameNotifyCallback(&bta_dm_service_search_remname_cback);
1538 
1539     p_msg = (tBTA_DM_MSG*)osi_malloc(sizeof(tBTA_DM_MSG));
1540     p_msg->hdr.event = BTA_DM_DISCOVERY_RESULT_EVT;
1541     p_msg->disc_result.result.disc_res.result = BTA_FAILURE;
1542     p_msg->disc_result.result.disc_res.services =
1543         bta_dm_search_cb.services_found;
1544     p_msg->disc_result.result.disc_res.bd_addr = bta_dm_search_cb.peer_bdaddr;
1545     strlcpy((char*)p_msg->disc_result.result.disc_res.bd_name,
1546             bta_dm_get_remname(), BD_NAME_LEN);
1547 
1548     bta_sys_sendmsg(p_msg);
1549   }
1550 }
1551 
1552 /*******************************************************************************
1553  *
1554  * Function         bta_dm_search_cmpl
1555  *
1556  * Description      Sends event to application
1557  *
1558  * Returns          void
1559  *
1560  ******************************************************************************/
bta_dm_search_cmpl(tBTA_DM_MSG * p_data)1561 void bta_dm_search_cmpl(tBTA_DM_MSG* p_data) {
1562   APPL_TRACE_EVENT("%s", __func__);
1563 
1564   osi_free_and_reset((void**)&bta_dm_search_cb.p_srvc_uuid);
1565 
1566   if (p_data->hdr.layer_specific == BTA_DM_API_DI_DISCOVER_EVT)
1567     bta_dm_di_disc_cmpl(p_data);
1568   else
1569     bta_dm_search_cb.p_search_cback(BTA_DM_DISC_CMPL_EVT, NULL);
1570 }
1571 
1572 /*******************************************************************************
1573  *
1574  * Function         bta_dm_disc_result
1575  *
1576  * Description      Service discovery result when discovering services on a
1577  *                  device
1578  *
1579  * Returns          void
1580  *
1581  ******************************************************************************/
bta_dm_disc_result(tBTA_DM_MSG * p_data)1582 void bta_dm_disc_result(tBTA_DM_MSG* p_data) {
1583   APPL_TRACE_EVENT("%s", __func__);
1584 
1585   /* if any BR/EDR service discovery has been done, report the event */
1586   if ((bta_dm_search_cb.services &
1587        ((BTA_ALL_SERVICE_MASK | BTA_USER_SERVICE_MASK) &
1588         ~BTA_BLE_SERVICE_MASK)))
1589     bta_dm_search_cb.p_search_cback(BTA_DM_DISC_RES_EVT,
1590                                     &p_data->disc_result.result);
1591 
1592   tBTA_DM_MSG* p_msg = (tBTA_DM_MSG*)osi_malloc(sizeof(tBTA_DM_MSG));
1593 
1594   /* send a message to change state */
1595   p_msg->hdr.event = BTA_DM_SEARCH_CMPL_EVT;
1596   p_msg->hdr.layer_specific = BTA_DM_API_DISCOVER_EVT;
1597   bta_sys_sendmsg(p_msg);
1598 }
1599 
1600 /*******************************************************************************
1601  *
1602  * Function         bta_dm_search_result
1603  *
1604  * Description      Service discovery result while searching for devices
1605  *
1606  * Returns          void
1607  *
1608  ******************************************************************************/
bta_dm_search_result(tBTA_DM_MSG * p_data)1609 void bta_dm_search_result(tBTA_DM_MSG* p_data) {
1610   APPL_TRACE_DEBUG("%s searching:0x%04x, result:0x%04x", __func__,
1611                    bta_dm_search_cb.services,
1612                    p_data->disc_result.result.disc_res.services);
1613 
1614   /* call back if application wants name discovery or found services that
1615    * application is searching */
1616   if ((!bta_dm_search_cb.services) ||
1617       ((bta_dm_search_cb.services) &&
1618        (p_data->disc_result.result.disc_res.services))) {
1619     bta_dm_search_cb.p_search_cback(BTA_DM_DISC_RES_EVT,
1620                                     &p_data->disc_result.result);
1621   }
1622 
1623   /* if searching did not initiate to create link */
1624   if (!bta_dm_search_cb.wait_disc) {
1625     /* if service searching is done with EIR, don't search next device */
1626     if (bta_dm_search_cb.p_btm_inq_info) bta_dm_discover_next_device();
1627   } else {
1628     /* wait until link is disconnected or timeout */
1629     bta_dm_search_cb.sdp_results = true;
1630     alarm_set_on_mloop(bta_dm_search_cb.search_timer,
1631                        1000 * (L2CAP_LINK_INACTIVITY_TOUT + 1),
1632                        bta_dm_search_timer_cback, NULL);
1633   }
1634 }
1635 
1636 /*******************************************************************************
1637  *
1638  * Function         bta_dm_search_timer_cback
1639  *
1640  * Description      Called when ACL disconnect time is over
1641  *
1642  *
1643  * Returns          void
1644  *
1645  ******************************************************************************/
bta_dm_search_timer_cback(UNUSED_ATTR void * data)1646 static void bta_dm_search_timer_cback(UNUSED_ATTR void* data) {
1647   APPL_TRACE_EVENT("%s", __func__);
1648   bta_dm_search_cb.wait_disc = false;
1649 
1650   /* proceed with next device */
1651   bta_dm_discover_next_device();
1652 }
1653 
1654 /*******************************************************************************
1655  *
1656  * Function         bta_dm_free_sdp_db
1657  *
1658  * Description      Frees SDP data base
1659  *
1660  * Returns          void
1661  *
1662  ******************************************************************************/
bta_dm_free_sdp_db(UNUSED_ATTR tBTA_DM_MSG * p_data)1663 void bta_dm_free_sdp_db(UNUSED_ATTR tBTA_DM_MSG* p_data) {
1664   osi_free_and_reset((void**)&bta_dm_search_cb.p_sdp_db);
1665 }
1666 
1667 /*******************************************************************************
1668  *
1669  * Function         bta_dm_queue_search
1670  *
1671  * Description      Queues search command while search is being cancelled
1672  *
1673  * Returns          void
1674  *
1675  ******************************************************************************/
bta_dm_queue_search(tBTA_DM_MSG * p_data)1676 void bta_dm_queue_search(tBTA_DM_MSG* p_data) {
1677   osi_free(bta_dm_search_cb.p_search_queue);
1678   bta_dm_search_cb.p_search_queue =
1679       (tBTA_DM_MSG*)osi_malloc(sizeof(tBTA_DM_API_SEARCH));
1680   memcpy(bta_dm_search_cb.p_search_queue, p_data, sizeof(tBTA_DM_API_SEARCH));
1681 }
1682 
1683 /*******************************************************************************
1684  *
1685  * Function         bta_dm_queue_disc
1686  *
1687  * Description      Queues discovery command while search is being cancelled
1688  *
1689  * Returns          void
1690  *
1691  ******************************************************************************/
bta_dm_queue_disc(tBTA_DM_MSG * p_data)1692 void bta_dm_queue_disc(tBTA_DM_MSG* p_data) {
1693   osi_free(bta_dm_search_cb.p_search_queue);
1694   bta_dm_search_cb.p_search_queue =
1695       (tBTA_DM_MSG*)osi_malloc(sizeof(tBTA_DM_API_DISCOVER));
1696   memcpy(bta_dm_search_cb.p_search_queue, p_data, sizeof(tBTA_DM_API_DISCOVER));
1697 }
1698 
1699 /*******************************************************************************
1700  *
1701  * Function         bta_dm_search_clear_queue
1702  *
1703  * Description      Clears the queue if API search cancel is called
1704  *
1705  * Returns          void
1706  *
1707  ******************************************************************************/
bta_dm_search_clear_queue(UNUSED_ATTR tBTA_DM_MSG * p_data)1708 void bta_dm_search_clear_queue(UNUSED_ATTR tBTA_DM_MSG* p_data) {
1709   osi_free_and_reset((void**)&bta_dm_search_cb.p_search_queue);
1710 }
1711 
1712 /*******************************************************************************
1713  *
1714  * Function         bta_dm_search_cancel_cmpl
1715  *
1716  * Description      Search cancel is complete
1717  *
1718  * Returns          void
1719  *
1720  ******************************************************************************/
bta_dm_search_cancel_cmpl(UNUSED_ATTR tBTA_DM_MSG * p_data)1721 void bta_dm_search_cancel_cmpl(UNUSED_ATTR tBTA_DM_MSG* p_data) {
1722   if (bta_dm_search_cb.p_search_queue) {
1723     bta_sys_sendmsg(bta_dm_search_cb.p_search_queue);
1724     bta_dm_search_cb.p_search_queue = NULL;
1725   }
1726 }
1727 
1728 /*******************************************************************************
1729  *
1730  * Function         bta_dm_search_cancel_transac_cmpl
1731  *
1732  * Description      Current Service Discovery or remote name procedure is
1733  *                  completed after search cancellation
1734  *
1735  * Returns          void
1736  *
1737  ******************************************************************************/
bta_dm_search_cancel_transac_cmpl(UNUSED_ATTR tBTA_DM_MSG * p_data)1738 void bta_dm_search_cancel_transac_cmpl(UNUSED_ATTR tBTA_DM_MSG* p_data) {
1739   osi_free_and_reset((void**)&bta_dm_search_cb.p_sdp_db);
1740   bta_dm_search_cancel_notify(NULL);
1741 }
1742 
1743 /*******************************************************************************
1744  *
1745  * Function         bta_dm_search_cancel_notify
1746  *
1747  * Description      Notify application that search has been cancelled
1748  *
1749  * Returns          void
1750  *
1751  ******************************************************************************/
bta_dm_search_cancel_notify(UNUSED_ATTR tBTA_DM_MSG * p_data)1752 void bta_dm_search_cancel_notify(UNUSED_ATTR tBTA_DM_MSG* p_data) {
1753   if (bta_dm_search_cb.p_search_cback) {
1754     bta_dm_search_cb.p_search_cback(BTA_DM_SEARCH_CANCEL_CMPL_EVT, NULL);
1755   }
1756   if (!bta_dm_search_cb.name_discover_done) {
1757     BTM_CancelRemoteDeviceName();
1758   }
1759   if (bta_dm_search_cb.gatt_disc_active) {
1760     bta_dm_cancel_gatt_discovery(bta_dm_search_cb.peer_bdaddr);
1761   }
1762 }
1763 
1764 /*******************************************************************************
1765  *
1766  * Function         bta_dm_find_services
1767  *
1768  * Description      Starts discovery on a device
1769  *
1770  * Returns          void
1771  *
1772  ******************************************************************************/
bta_dm_find_services(const RawAddress & bd_addr)1773 static void bta_dm_find_services(const RawAddress& bd_addr) {
1774 
1775   while (bta_dm_search_cb.service_index < BTA_MAX_SERVICE_ID) {
1776     Uuid uuid = Uuid::kEmpty;
1777     if (bta_dm_search_cb.services_to_search &
1778         (tBTA_SERVICE_MASK)(
1779             BTA_SERVICE_ID_TO_SERVICE_MASK(bta_dm_search_cb.service_index))) {
1780       bta_dm_search_cb.p_sdp_db =
1781           (tSDP_DISCOVERY_DB*)osi_malloc(BTA_DM_SDP_DB_SIZE);
1782       APPL_TRACE_DEBUG("bta_dm_search_cb.services = %04x***********",
1783                        bta_dm_search_cb.services);
1784       /* try to search all services by search based on L2CAP UUID */
1785       if (bta_dm_search_cb.services == BTA_ALL_SERVICE_MASK) {
1786         LOG_INFO(LOG_TAG, "%s services_to_search=%08x", __func__,
1787                  bta_dm_search_cb.services_to_search);
1788         if (bta_dm_search_cb.services_to_search & BTA_RES_SERVICE_MASK) {
1789           uuid = Uuid::From16Bit(bta_service_id_to_uuid_lkup_tbl[0]);
1790           bta_dm_search_cb.services_to_search &= ~BTA_RES_SERVICE_MASK;
1791         } else {
1792           uuid = Uuid::From16Bit(UUID_PROTOCOL_L2CAP);
1793           bta_dm_search_cb.services_to_search = 0;
1794         }
1795       } else {
1796         /* for LE only profile */
1797         if (bta_dm_search_cb.service_index == BTA_BLE_SERVICE_ID) {
1798           if (bta_dm_search_cb.uuid_to_search > 0 &&
1799               bta_dm_search_cb.p_srvc_uuid) {
1800             uuid = *(bta_dm_search_cb.p_srvc_uuid + bta_dm_search_cb.num_uuid -
1801                      bta_dm_search_cb.uuid_to_search);
1802 
1803             bta_dm_search_cb.uuid_to_search--;
1804           } else {
1805             uuid = Uuid::From16Bit(
1806                 bta_service_id_to_uuid_lkup_tbl[bta_dm_search_cb
1807                                                     .service_index]);
1808           }
1809 
1810           /* last one? clear the BLE service bit if all discovery has been done
1811            */
1812           if (bta_dm_search_cb.uuid_to_search == 0)
1813             bta_dm_search_cb.services_to_search &=
1814                 (tBTA_SERVICE_MASK)(~(BTA_SERVICE_ID_TO_SERVICE_MASK(
1815                     bta_dm_search_cb.service_index)));
1816 
1817         } else {
1818           /* remove the service from services to be searched  */
1819           bta_dm_search_cb.services_to_search &= (tBTA_SERVICE_MASK)(~(
1820               BTA_SERVICE_ID_TO_SERVICE_MASK(bta_dm_search_cb.service_index)));
1821           uuid = Uuid::From16Bit(
1822               bta_service_id_to_uuid_lkup_tbl[bta_dm_search_cb.service_index]);
1823         }
1824       }
1825 
1826       if (bta_dm_search_cb.service_index == BTA_USER_SERVICE_ID) {
1827         uuid = bta_dm_search_cb.uuid;
1828       }
1829 
1830       LOG_INFO(LOG_TAG, "%s search UUID = %s", __func__,
1831                uuid.ToString().c_str());
1832       SDP_InitDiscoveryDb(bta_dm_search_cb.p_sdp_db, BTA_DM_SDP_DB_SIZE, 1,
1833                           &uuid, 0, NULL);
1834 
1835       memset(g_disc_raw_data_buf, 0, sizeof(g_disc_raw_data_buf));
1836       bta_dm_search_cb.p_sdp_db->raw_data = g_disc_raw_data_buf;
1837 
1838       bta_dm_search_cb.p_sdp_db->raw_size = MAX_DISC_RAW_DATA_BUF;
1839 
1840       if (!SDP_ServiceSearchAttributeRequest(bd_addr, bta_dm_search_cb.p_sdp_db,
1841                                              &bta_dm_sdp_callback)) {
1842         /*
1843          * If discovery is not successful with this device, then
1844          * proceed with the next one.
1845          */
1846         osi_free_and_reset((void**)&bta_dm_search_cb.p_sdp_db);
1847         bta_dm_search_cb.service_index = BTA_MAX_SERVICE_ID;
1848 
1849       } else {
1850         if ((bta_dm_search_cb.service_index == BTA_BLE_SERVICE_ID &&
1851              bta_dm_search_cb.uuid_to_search == 0) ||
1852             bta_dm_search_cb.service_index != BTA_BLE_SERVICE_ID)
1853           bta_dm_search_cb.service_index++;
1854         return;
1855       }
1856     }
1857 
1858     bta_dm_search_cb.service_index++;
1859   }
1860 
1861   /* no more services to be discovered */
1862   if (bta_dm_search_cb.service_index >= BTA_MAX_SERVICE_ID) {
1863     tBTA_DM_MSG* p_msg = (tBTA_DM_MSG*)osi_malloc(sizeof(tBTA_DM_MSG));
1864     /* initialize the data structure - includes p_raw_data and raw_data_size */
1865     memset(&(p_msg->disc_result.result), 0, sizeof(tBTA_DM_DISC_RES));
1866     p_msg->hdr.event = BTA_DM_DISCOVERY_RESULT_EVT;
1867     p_msg->disc_result.result.disc_res.services =
1868         bta_dm_search_cb.services_found;
1869     p_msg->disc_result.result.disc_res.bd_addr = bta_dm_search_cb.peer_bdaddr;
1870     strlcpy((char*)p_msg->disc_result.result.disc_res.bd_name,
1871             bta_dm_get_remname(), BD_NAME_LEN);
1872 
1873     bta_sys_sendmsg(p_msg);
1874   }
1875 }
1876 
1877 /*******************************************************************************
1878  *
1879  * Function         bta_dm_discover_next_device
1880  *
1881  * Description      Starts discovery on the next device in Inquiry data base
1882  *
1883  * Returns          void
1884  *
1885  ******************************************************************************/
bta_dm_discover_next_device(void)1886 static void bta_dm_discover_next_device(void) {
1887   APPL_TRACE_DEBUG("bta_dm_discover_next_device");
1888 
1889   /* searching next device on inquiry result */
1890   bta_dm_search_cb.p_btm_inq_info =
1891       BTM_InqDbNext(bta_dm_search_cb.p_btm_inq_info);
1892   if (bta_dm_search_cb.p_btm_inq_info != NULL) {
1893     bta_dm_search_cb.name_discover_done = false;
1894     bta_dm_search_cb.peer_name[0] = 0;
1895     bta_dm_discover_device(
1896         bta_dm_search_cb.p_btm_inq_info->results.remote_bd_addr);
1897   } else {
1898     tBTA_DM_MSG* p_msg = (tBTA_DM_MSG*)osi_malloc(sizeof(tBTA_DM_MSG));
1899 
1900     /* no devices, search complete */
1901     bta_dm_search_cb.services = 0;
1902 
1903     p_msg->hdr.event = BTA_DM_SEARCH_CMPL_EVT;
1904     p_msg->hdr.layer_specific = BTA_DM_API_DISCOVER_EVT;
1905 
1906     bta_sys_sendmsg(p_msg);
1907   }
1908 }
1909 
1910 /*******************************************************************************
1911  *
1912  * Function         bta_dm_discover_device
1913  *
1914  * Description      Starts name and service discovery on the device
1915  *
1916  * Returns          void
1917  *
1918  ******************************************************************************/
bta_dm_discover_device(const RawAddress & remote_bd_addr)1919 static void bta_dm_discover_device(const RawAddress& remote_bd_addr) {
1920   tBT_TRANSPORT transport = BT_TRANSPORT_BR_EDR;
1921   if (bta_dm_search_cb.transport == BTA_TRANSPORT_UNKNOWN) {
1922     tBT_DEVICE_TYPE dev_type;
1923     tBLE_ADDR_TYPE addr_type;
1924 
1925     BTM_ReadDevInfo(remote_bd_addr, &dev_type, &addr_type);
1926     if (dev_type == BT_DEVICE_TYPE_BLE || addr_type == BLE_ADDR_RANDOM)
1927       transport = BT_TRANSPORT_LE;
1928   } else {
1929     transport = bta_dm_search_cb.transport;
1930   }
1931 
1932   /* Reset transport state for next discovery */
1933   bta_dm_search_cb.transport = BTA_TRANSPORT_UNKNOWN;
1934 
1935   VLOG(1) << __func__ << " BDA: " << remote_bd_addr;
1936 
1937   bta_dm_search_cb.peer_bdaddr = remote_bd_addr;
1938 
1939   APPL_TRACE_DEBUG(
1940       "%s name_discover_done = %d p_btm_inq_info 0x%x state = %d, transport=%d",
1941       __func__, bta_dm_search_cb.name_discover_done,
1942       bta_dm_search_cb.p_btm_inq_info, bta_dm_search_cb.state, transport);
1943 
1944   if (bta_dm_search_cb.p_btm_inq_info) {
1945     APPL_TRACE_DEBUG("%s appl_knows_rem_name %d", __func__,
1946                      bta_dm_search_cb.p_btm_inq_info->appl_knows_rem_name);
1947   }
1948   if ((bta_dm_search_cb.p_btm_inq_info) &&
1949       (bta_dm_search_cb.p_btm_inq_info->results.device_type ==
1950        BT_DEVICE_TYPE_BLE) &&
1951       (bta_dm_search_cb.state == BTA_DM_SEARCH_ACTIVE)) {
1952     /* Do not perform RNR for LE devices at inquiry complete*/
1953     bta_dm_search_cb.name_discover_done = true;
1954   }
1955   /* if name discovery is not done and application needs remote name */
1956   if ((!bta_dm_search_cb.name_discover_done) &&
1957       ((bta_dm_search_cb.p_btm_inq_info == NULL) ||
1958        (bta_dm_search_cb.p_btm_inq_info &&
1959         (!bta_dm_search_cb.p_btm_inq_info->appl_knows_rem_name)))) {
1960     if (bta_dm_read_remote_device_name(bta_dm_search_cb.peer_bdaddr, transport))
1961       return;
1962 
1963     /* starting name discovery failed */
1964     bta_dm_search_cb.name_discover_done = true;
1965   }
1966 
1967   /* if application wants to discover service */
1968   if (bta_dm_search_cb.services) {
1969     /* initialize variables */
1970     bta_dm_search_cb.service_index = 0;
1971     bta_dm_search_cb.services_found = 0;
1972     bta_dm_search_cb.services_to_search = bta_dm_search_cb.services;
1973     bta_dm_search_cb.uuid_to_search = bta_dm_search_cb.num_uuid;
1974     if ((bta_dm_search_cb.p_btm_inq_info != NULL) &&
1975         bta_dm_search_cb.services != BTA_USER_SERVICE_MASK &&
1976         (!bta_dm_search_cb.sdp_search)) {
1977       /* check if EIR provides the information of supported services */
1978       bta_dm_eir_search_services(&bta_dm_search_cb.p_btm_inq_info->results,
1979                                  &bta_dm_search_cb.services_to_search,
1980                                  &bta_dm_search_cb.services_found);
1981     }
1982 
1983     /* if seaching with EIR is not completed */
1984     if (bta_dm_search_cb.services_to_search) {
1985       /* check whether connection already exists to the device
1986          if connection exists, we don't have to wait for ACL
1987          link to go down to start search on next device */
1988       if (transport == BT_TRANSPORT_BR_EDR) {
1989         if (BTM_IsAclConnectionUp(bta_dm_search_cb.peer_bdaddr,
1990                                   BT_TRANSPORT_BR_EDR))
1991           bta_dm_search_cb.wait_disc = false;
1992         else
1993           bta_dm_search_cb.wait_disc = true;
1994       }
1995       if (bta_dm_search_cb.p_btm_inq_info) {
1996         APPL_TRACE_DEBUG(
1997             "%s p_btm_inq_info 0x%x results.device_type 0x%x "
1998             "services_to_search 0x%x",
1999             __func__, bta_dm_search_cb.p_btm_inq_info,
2000             bta_dm_search_cb.p_btm_inq_info->results.device_type,
2001             bta_dm_search_cb.services_to_search);
2002       }
2003 
2004       if (transport == BT_TRANSPORT_LE) {
2005         if (bta_dm_search_cb.services_to_search & BTA_BLE_SERVICE_MASK) {
2006           // set the raw data buffer here
2007           memset(g_disc_raw_data_buf, 0, sizeof(g_disc_raw_data_buf));
2008           bta_dm_search_cb.p_ble_rawdata = g_disc_raw_data_buf;
2009 
2010           bta_dm_search_cb.ble_raw_size = MAX_DISC_RAW_DATA_BUF;
2011           bta_dm_search_cb.ble_raw_used = 0;
2012 
2013           /* start GATT for service discovery */
2014           btm_dm_start_gatt_discovery(bta_dm_search_cb.peer_bdaddr);
2015           return;
2016         }
2017       } else {
2018         bta_dm_search_cb.sdp_results = false;
2019         bta_dm_find_services(bta_dm_search_cb.peer_bdaddr);
2020         return;
2021       }
2022     }
2023   }
2024 
2025   /* name discovery and service discovery are done for this device */
2026   tBTA_DM_MSG* p_msg = (tBTA_DM_MSG*)osi_malloc(sizeof(tBTA_DM_MSG));
2027   p_msg->hdr.event = BTA_DM_DISCOVERY_RESULT_EVT;
2028   /* initialize the data structure - includes p_raw_data and raw_data_size */
2029   memset(&(p_msg->disc_result.result), 0, sizeof(tBTA_DM_DISC_RES));
2030   p_msg->disc_result.result.disc_res.result = BTA_SUCCESS;
2031   p_msg->disc_result.result.disc_res.services = bta_dm_search_cb.services_found;
2032   p_msg->disc_result.result.disc_res.bd_addr = bta_dm_search_cb.peer_bdaddr;
2033   strlcpy((char*)p_msg->disc_result.result.disc_res.bd_name,
2034           (char*)bta_dm_search_cb.peer_name, BD_NAME_LEN);
2035 
2036   bta_sys_sendmsg(p_msg);
2037 }
2038 
2039 /*******************************************************************************
2040  *
2041  * Function         bta_dm_sdp_callback
2042  *
2043  * Description      Callback from sdp with discovery status
2044  *
2045  * Returns          void
2046  *
2047  ******************************************************************************/
bta_dm_sdp_callback(uint16_t sdp_status)2048 static void bta_dm_sdp_callback(uint16_t sdp_status) {
2049   tBTA_DM_SDP_RESULT* p_msg =
2050       (tBTA_DM_SDP_RESULT*)osi_malloc(sizeof(tBTA_DM_SDP_RESULT));
2051 
2052   p_msg->hdr.event = BTA_DM_SDP_RESULT_EVT;
2053   p_msg->sdp_result = sdp_status;
2054 
2055   bta_sys_sendmsg(p_msg);
2056 }
2057 
2058 /*******************************************************************************
2059  *
2060  * Function         bta_dm_inq_results_cb
2061  *
2062  * Description      Inquiry results callback from BTM
2063  *
2064  * Returns          void
2065  *
2066  ******************************************************************************/
bta_dm_inq_results_cb(tBTM_INQ_RESULTS * p_inq,uint8_t * p_eir,uint16_t eir_len)2067 static void bta_dm_inq_results_cb(tBTM_INQ_RESULTS* p_inq, uint8_t* p_eir,
2068                                   uint16_t eir_len) {
2069   tBTA_DM_SEARCH result;
2070   tBTM_INQ_INFO* p_inq_info;
2071   uint16_t service_class;
2072 
2073   result.inq_res.bd_addr = p_inq->remote_bd_addr;
2074   memcpy(result.inq_res.dev_class, p_inq->dev_class, DEV_CLASS_LEN);
2075   BTM_COD_SERVICE_CLASS(service_class, p_inq->dev_class);
2076   result.inq_res.is_limited =
2077       (service_class & BTM_COD_SERVICE_LMTD_DISCOVER) ? true : false;
2078   result.inq_res.rssi = p_inq->rssi;
2079 
2080   result.inq_res.ble_addr_type = p_inq->ble_addr_type;
2081   result.inq_res.inq_result_type = p_inq->inq_result_type;
2082   result.inq_res.device_type = p_inq->device_type;
2083   result.inq_res.flag = p_inq->flag;
2084 
2085   /* application will parse EIR to find out remote device name */
2086   result.inq_res.p_eir = p_eir;
2087   result.inq_res.eir_len = eir_len;
2088 
2089   p_inq_info = BTM_InqDbRead(p_inq->remote_bd_addr);
2090   if (p_inq_info != NULL) {
2091     /* initialize remt_name_not_required to false so that we get the name by
2092      * default */
2093     result.inq_res.remt_name_not_required = false;
2094   }
2095 
2096   if (bta_dm_search_cb.p_search_cback)
2097     bta_dm_search_cb.p_search_cback(BTA_DM_INQ_RES_EVT, &result);
2098 
2099   if (p_inq_info) {
2100     /* application indicates if it knows the remote name, inside the callback
2101      copy that to the inquiry data base*/
2102     if (result.inq_res.remt_name_not_required)
2103       p_inq_info->appl_knows_rem_name = true;
2104   }
2105 }
2106 
2107 /*******************************************************************************
2108  *
2109  * Function         bta_dm_inq_cmpl_cb
2110  *
2111  * Description      Inquiry complete callback from BTM
2112  *
2113  * Returns          void
2114  *
2115  ******************************************************************************/
bta_dm_inq_cmpl_cb(void * p_result)2116 static void bta_dm_inq_cmpl_cb(void* p_result) {
2117   tBTA_DM_MSG* p_msg = (tBTA_DM_MSG*)osi_malloc(sizeof(tBTA_DM_MSG));
2118 
2119   APPL_TRACE_DEBUG("%s", __func__);
2120 
2121   if (!bta_dm_search_cb.cancel_pending) {
2122     p_msg->inq_cmpl.hdr.event = BTA_DM_INQUIRY_CMPL_EVT;
2123     p_msg->inq_cmpl.num = ((tBTM_INQUIRY_CMPL*)p_result)->num_resp;
2124   } else {
2125     bta_dm_search_cb.cancel_pending = false;
2126     bta_dm_search_cancel_notify(NULL);
2127     p_msg->hdr.event = BTA_DM_SEARCH_CMPL_EVT;
2128     p_msg->hdr.layer_specific = BTA_DM_API_DISCOVER_EVT;
2129   }
2130 
2131   bta_sys_sendmsg(p_msg);
2132 }
2133 
2134 /*******************************************************************************
2135  *
2136  * Function         bta_dm_service_search_remname_cback
2137  *
2138  * Description      Remote name call back from BTM during service discovery
2139  *
2140  * Returns          void
2141  *
2142  ******************************************************************************/
bta_dm_service_search_remname_cback(const RawAddress & bd_addr,UNUSED_ATTR DEV_CLASS dc,BD_NAME bd_name)2143 static void bta_dm_service_search_remname_cback(const RawAddress& bd_addr,
2144                                                 UNUSED_ATTR DEV_CLASS dc,
2145                                                 BD_NAME bd_name) {
2146   tBTM_REMOTE_DEV_NAME rem_name;
2147   tBTM_STATUS btm_status;
2148 
2149   APPL_TRACE_DEBUG("%s name=<%s>", __func__, bd_name);
2150 
2151   /* if this is what we are looking for */
2152   if (bta_dm_search_cb.peer_bdaddr == bd_addr) {
2153     rem_name.length = strlen((char*)bd_name);
2154     if (rem_name.length > (BD_NAME_LEN - 1)) {
2155       rem_name.length = (BD_NAME_LEN - 1);
2156       rem_name.remote_bd_name[(BD_NAME_LEN - 1)] = 0;
2157     }
2158     strlcpy((char*)rem_name.remote_bd_name, (char*)bd_name, BD_NAME_LEN);
2159     rem_name.status = BTM_SUCCESS;
2160 
2161     bta_dm_remname_cback(&rem_name);
2162   } else {
2163     /* get name of device */
2164     btm_status =
2165         BTM_ReadRemoteDeviceName(bta_dm_search_cb.peer_bdaddr,
2166                                  bta_dm_remname_cback, BT_TRANSPORT_BR_EDR);
2167     if (btm_status == BTM_BUSY) {
2168       /* wait for next chance(notification of remote name discovery done) */
2169       APPL_TRACE_DEBUG("%s: BTM_ReadRemoteDeviceName is busy", __func__);
2170     } else if (btm_status != BTM_CMD_STARTED) {
2171       /* if failed to start getting remote name then continue */
2172       APPL_TRACE_WARNING("%s: BTM_ReadRemoteDeviceName returns 0x%02X",
2173                          __func__, btm_status);
2174 
2175       rem_name.length = 0;
2176       rem_name.remote_bd_name[0] = 0;
2177       rem_name.status = btm_status;
2178       bta_dm_remname_cback(&rem_name);
2179     }
2180   }
2181 }
2182 
2183 /*******************************************************************************
2184  *
2185  * Function         bta_dm_remname_cback
2186  *
2187  * Description      Remote name complete call back from BTM
2188  *
2189  * Returns          void
2190  *
2191  ******************************************************************************/
bta_dm_remname_cback(void * p)2192 static void bta_dm_remname_cback(void* p) {
2193   tBTM_REMOTE_DEV_NAME* p_remote_name = (tBTM_REMOTE_DEV_NAME*)p;
2194   APPL_TRACE_DEBUG("bta_dm_remname_cback len = %d name=<%s>",
2195                    p_remote_name->length, p_remote_name->remote_bd_name);
2196 
2197   /* remote name discovery is done but it could be failed */
2198   bta_dm_search_cb.name_discover_done = true;
2199   strlcpy((char*)bta_dm_search_cb.peer_name,
2200           (char*)p_remote_name->remote_bd_name, BD_NAME_LEN);
2201 
2202   BTM_SecDeleteRmtNameNotifyCallback(&bta_dm_service_search_remname_cback);
2203 
2204   if (bta_dm_search_cb.transport == BT_TRANSPORT_LE) {
2205     GAP_BleReadPeerPrefConnParams(bta_dm_search_cb.peer_bdaddr);
2206   }
2207 
2208   tBTA_DM_REM_NAME* p_msg =
2209       (tBTA_DM_REM_NAME*)osi_malloc(sizeof(tBTA_DM_REM_NAME));
2210   p_msg->result.disc_res.bd_addr = bta_dm_search_cb.peer_bdaddr;
2211   strlcpy((char*)p_msg->result.disc_res.bd_name,
2212           (char*)p_remote_name->remote_bd_name, BD_NAME_LEN);
2213   p_msg->hdr.event = BTA_DM_REMT_NAME_EVT;
2214 
2215   bta_sys_sendmsg(p_msg);
2216 }
2217 
2218 /*******************************************************************************
2219  *
2220  * Function         bta_dm_authorize_cback
2221  *
2222  * Description      cback requesting authorization
2223  *
2224  * Returns          void
2225  *
2226  ******************************************************************************/
bta_dm_authorize_cback(const RawAddress & bd_addr,DEV_CLASS dev_class,BD_NAME bd_name,UNUSED_ATTR uint8_t * service_name,uint8_t service_id,UNUSED_ATTR bool is_originator)2227 static uint8_t bta_dm_authorize_cback(const RawAddress& bd_addr,
2228                                       DEV_CLASS dev_class, BD_NAME bd_name,
2229                                       UNUSED_ATTR uint8_t* service_name,
2230                                       uint8_t service_id,
2231                                       UNUSED_ATTR bool is_originator) {
2232   tBTA_DM_SEC sec_event;
2233   uint8_t index = 1;
2234 
2235   sec_event.authorize.bd_addr = bd_addr;
2236   memcpy(sec_event.authorize.dev_class, dev_class, DEV_CLASS_LEN);
2237   strlcpy((char*)sec_event.authorize.bd_name, (char*)bd_name, BD_NAME_LEN);
2238 
2239 #if (BTA_JV_INCLUDED == TRUE)
2240   sec_event.authorize.service = service_id;
2241 #endif
2242 
2243   while (index < BTA_MAX_SERVICE_ID) {
2244     /* get the BTA service id corresponding to BTM id */
2245     if (bta_service_id_to_btm_srv_id_lkup_tbl[index] == service_id) {
2246       sec_event.authorize.service = index;
2247       break;
2248     }
2249     index++;
2250   }
2251 
2252   /* if supported service callback otherwise not authorized */
2253   if (bta_dm_cb.p_sec_cback && (index < BTA_MAX_SERVICE_ID
2254 #if (BTA_JV_INCLUDED == TRUE)
2255                                 /* pass through JV service ID */
2256                                 || (service_id >= BTA_FIRST_JV_SERVICE_ID &&
2257                                     service_id <= BTA_LAST_JV_SERVICE_ID)
2258 #endif
2259                                     )) {
2260     bta_dm_cb.p_sec_cback(BTA_DM_AUTHORIZE_EVT, &sec_event);
2261     return BTM_CMD_STARTED;
2262   } else {
2263     return BTM_NOT_AUTHORIZED;
2264   }
2265 }
2266 
2267 /*******************************************************************************
2268  *
2269  * Function         bta_dm_pinname_cback
2270  *
2271  * Description      Callback requesting pin_key
2272  *
2273  * Returns          void
2274  *
2275  ******************************************************************************/
bta_dm_pinname_cback(void * p_data)2276 static void bta_dm_pinname_cback(void* p_data) {
2277   tBTM_REMOTE_DEV_NAME* p_result = (tBTM_REMOTE_DEV_NAME*)p_data;
2278   tBTA_DM_SEC sec_event;
2279   uint32_t bytes_to_copy;
2280   tBTA_DM_SEC_EVT event = bta_dm_cb.pin_evt;
2281 
2282   if (BTA_DM_SP_CFM_REQ_EVT == event) {
2283     /* Retrieved saved device class and bd_addr */
2284     sec_event.cfm_req.bd_addr = bta_dm_cb.pin_bd_addr;
2285     BTA_COPY_DEVICE_CLASS(sec_event.cfm_req.dev_class, bta_dm_cb.pin_dev_class);
2286 
2287     if (p_result && p_result->status == BTM_SUCCESS) {
2288       bytes_to_copy = (p_result->length < (BD_NAME_LEN - 1))
2289                           ? p_result->length
2290                           : (BD_NAME_LEN - 1);
2291       memcpy(sec_event.cfm_req.bd_name, p_result->remote_bd_name,
2292              bytes_to_copy);
2293       sec_event.pin_req.bd_name[BD_NAME_LEN - 1] = 0;
2294     } else /* No name found */
2295       sec_event.cfm_req.bd_name[0] = 0;
2296 
2297     sec_event.key_notif.passkey =
2298         bta_dm_cb.num_val; /* get PIN code numeric number */
2299 
2300     /* 1 additional event data fields for this event */
2301     sec_event.cfm_req.just_works = bta_dm_cb.just_works;
2302     /* retrieve the loc and rmt caps */
2303     sec_event.cfm_req.loc_io_caps = bta_dm_cb.loc_io_caps;
2304     sec_event.cfm_req.rmt_io_caps = bta_dm_cb.rmt_io_caps;
2305     sec_event.cfm_req.loc_auth_req = bta_dm_cb.loc_auth_req;
2306     sec_event.cfm_req.rmt_auth_req = bta_dm_cb.rmt_auth_req;
2307 
2308   } else {
2309     /* Retrieved saved device class and bd_addr */
2310     sec_event.pin_req.bd_addr = bta_dm_cb.pin_bd_addr;
2311     BTA_COPY_DEVICE_CLASS(sec_event.pin_req.dev_class, bta_dm_cb.pin_dev_class);
2312 
2313     if (p_result && p_result->status == BTM_SUCCESS) {
2314       bytes_to_copy = (p_result->length < (BD_NAME_LEN - 1))
2315                           ? p_result->length
2316                           : (BD_NAME_LEN - 1);
2317       memcpy(sec_event.pin_req.bd_name, p_result->remote_bd_name,
2318              bytes_to_copy);
2319       sec_event.pin_req.bd_name[BD_NAME_LEN - 1] = 0;
2320     } else /* No name found */
2321       sec_event.pin_req.bd_name[0] = 0;
2322 
2323     event = bta_dm_cb.pin_evt;
2324     sec_event.key_notif.passkey =
2325         bta_dm_cb.num_val; /* get PIN code numeric number */
2326   }
2327 
2328   if (bta_dm_cb.p_sec_cback) bta_dm_cb.p_sec_cback(event, &sec_event);
2329 }
2330 
2331 /*******************************************************************************
2332  *
2333  * Function         bta_dm_pin_cback
2334  *
2335  * Description      Callback requesting pin_key
2336  *
2337  * Returns          void
2338  *
2339  ******************************************************************************/
bta_dm_pin_cback(const RawAddress & bd_addr,DEV_CLASS dev_class,BD_NAME bd_name,bool min_16_digit)2340 static uint8_t bta_dm_pin_cback(const RawAddress& bd_addr, DEV_CLASS dev_class,
2341                                 BD_NAME bd_name, bool min_16_digit) {
2342   tBTA_DM_SEC sec_event;
2343 
2344   if (!bta_dm_cb.p_sec_cback) return BTM_NOT_AUTHORIZED;
2345 
2346   /* If the device name is not known, save bdaddr and devclass and initiate a
2347    * name request */
2348   if (bd_name[0] == 0) {
2349     bta_dm_cb.pin_evt = BTA_DM_PIN_REQ_EVT;
2350     bta_dm_cb.pin_bd_addr = bd_addr;
2351     BTA_COPY_DEVICE_CLASS(bta_dm_cb.pin_dev_class, dev_class);
2352     if ((BTM_ReadRemoteDeviceName(bd_addr, bta_dm_pinname_cback,
2353                                   BT_TRANSPORT_BR_EDR)) == BTM_CMD_STARTED)
2354       return BTM_CMD_STARTED;
2355 
2356     APPL_TRACE_WARNING(
2357         " bta_dm_pin_cback() -> Failed to start Remote Name Request  ");
2358   }
2359 
2360   sec_event.pin_req.bd_addr = bd_addr;
2361   BTA_COPY_DEVICE_CLASS(sec_event.pin_req.dev_class, dev_class);
2362   strlcpy((char*)sec_event.pin_req.bd_name, (char*)bd_name, BD_NAME_LEN);
2363   sec_event.pin_req.min_16_digit = min_16_digit;
2364 
2365   bta_dm_cb.p_sec_cback(BTA_DM_PIN_REQ_EVT, &sec_event);
2366   return BTM_CMD_STARTED;
2367 }
2368 
2369 /*******************************************************************************
2370  *
2371  * Function         bta_dm_new_link_key_cback
2372  *
2373  * Description      Callback from BTM to notify new link key
2374  *
2375  * Returns          void
2376  *
2377  ******************************************************************************/
bta_dm_new_link_key_cback(const RawAddress & bd_addr,UNUSED_ATTR DEV_CLASS dev_class,BD_NAME bd_name,const LinkKey & key,uint8_t key_type)2378 static uint8_t bta_dm_new_link_key_cback(const RawAddress& bd_addr,
2379                                          UNUSED_ATTR DEV_CLASS dev_class,
2380                                          BD_NAME bd_name, const LinkKey& key,
2381                                          uint8_t key_type) {
2382   tBTA_DM_SEC sec_event;
2383   tBTA_DM_AUTH_CMPL* p_auth_cmpl;
2384   uint8_t event;
2385 
2386   memset(&sec_event, 0, sizeof(tBTA_DM_SEC));
2387 
2388   /* Not AMP Key type */
2389   if (key_type != HCI_LKEY_TYPE_AMP_WIFI && key_type != HCI_LKEY_TYPE_AMP_UWB) {
2390     event = BTA_DM_AUTH_CMPL_EVT;
2391     p_auth_cmpl = &sec_event.auth_cmpl;
2392 
2393     p_auth_cmpl->bd_addr = bd_addr;
2394 
2395     memcpy(p_auth_cmpl->bd_name, bd_name, (BD_NAME_LEN - 1));
2396     p_auth_cmpl->bd_name[BD_NAME_LEN - 1] = 0;
2397     p_auth_cmpl->key_present = true;
2398     p_auth_cmpl->key_type = key_type;
2399     p_auth_cmpl->success = true;
2400     p_auth_cmpl->key = key;
2401     sec_event.auth_cmpl.fail_reason = HCI_SUCCESS;
2402 
2403     // Report the BR link key based on the BR/EDR address and type
2404     BTM_ReadDevInfo(bd_addr, &sec_event.auth_cmpl.dev_type,
2405                     &sec_event.auth_cmpl.addr_type);
2406     if (bta_dm_cb.p_sec_cback) bta_dm_cb.p_sec_cback(event, &sec_event);
2407 
2408     // Setting remove_dev_pending flag to false, where it will avoid deleting
2409     // the
2410     // security device record when the ACL connection link goes down in case of
2411     // reconnection.
2412     if (bta_dm_cb.device_list.count)
2413       bta_dm_reset_sec_dev_pending(p_auth_cmpl->bd_addr);
2414   } else {
2415     APPL_TRACE_WARNING("%s() Received AMP Key", __func__);
2416   }
2417 
2418   return BTM_CMD_STARTED;
2419 }
2420 
2421 /*******************************************************************************
2422  *
2423  * Function         bta_dm_authentication_complete_cback
2424  *
2425  * Description      Authentication complete callback from BTM
2426  *
2427  * Returns          void
2428  *
2429  ******************************************************************************/
bta_dm_authentication_complete_cback(const RawAddress & bd_addr,UNUSED_ATTR DEV_CLASS dev_class,BD_NAME bd_name,int result)2430 static uint8_t bta_dm_authentication_complete_cback(
2431     const RawAddress& bd_addr, UNUSED_ATTR DEV_CLASS dev_class, BD_NAME bd_name,
2432     int result) {
2433   tBTA_DM_SEC sec_event;
2434 
2435   if (result != BTM_SUCCESS) {
2436     memset(&sec_event, 0, sizeof(tBTA_DM_SEC));
2437     sec_event.auth_cmpl.bd_addr = bd_addr;
2438 
2439     memcpy(sec_event.auth_cmpl.bd_name, bd_name, (BD_NAME_LEN - 1));
2440     sec_event.auth_cmpl.bd_name[BD_NAME_LEN - 1] = 0;
2441 
2442     // Report the BR link key based on the BR/EDR address and type
2443     BTM_ReadDevInfo(bd_addr, &sec_event.auth_cmpl.dev_type,
2444                     &sec_event.auth_cmpl.addr_type);
2445     sec_event.auth_cmpl.fail_reason = (uint8_t)result;
2446 
2447     if (bta_dm_cb.p_sec_cback)
2448       bta_dm_cb.p_sec_cback(BTA_DM_AUTH_CMPL_EVT, &sec_event);
2449 
2450     if (result == HCI_ERR_AUTH_FAILURE || result == HCI_ERR_KEY_MISSING ||
2451         result == HCI_ERR_HOST_REJECT_SECURITY ||
2452         result == HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE) {
2453       APPL_TRACE_WARNING("%s deleting %s - result: 0x%02x", __func__,
2454                          bd_addr.ToString().c_str(), result);
2455       bta_dm_remove_sec_dev_entry(bd_addr);
2456     }
2457   }
2458 
2459   return BTM_SUCCESS;
2460 }
2461 
2462 /*******************************************************************************
2463  *
2464  * Function         bta_dm_sp_cback
2465  *
2466  * Description      simple pairing callback from BTM
2467  *
2468  * Returns          void
2469  *
2470  ******************************************************************************/
bta_dm_sp_cback(tBTM_SP_EVT event,tBTM_SP_EVT_DATA * p_data)2471 static uint8_t bta_dm_sp_cback(tBTM_SP_EVT event, tBTM_SP_EVT_DATA* p_data) {
2472   tBTM_STATUS status = BTM_CMD_STARTED;
2473   tBTA_DM_SEC sec_event;
2474   tBTA_DM_SEC_EVT pin_evt = BTA_DM_SP_KEY_NOTIF_EVT;
2475 
2476   APPL_TRACE_EVENT("bta_dm_sp_cback: %d", event);
2477   if (!bta_dm_cb.p_sec_cback) return BTM_NOT_AUTHORIZED;
2478 
2479   /* TODO_SP */
2480   switch (event) {
2481     case BTM_SP_IO_REQ_EVT:
2482       if (btm_local_io_caps != BTM_IO_CAP_NONE) {
2483         /* translate auth_req */
2484         bta_dm_co_io_req(p_data->io_req.bd_addr, &p_data->io_req.io_cap,
2485                          &p_data->io_req.oob_data, &p_data->io_req.auth_req,
2486                          p_data->io_req.is_orig);
2487       }
2488       APPL_TRACE_EVENT("io mitm: %d oob_data:%d", p_data->io_req.auth_req,
2489                        p_data->io_req.oob_data);
2490       break;
2491     case BTM_SP_IO_RSP_EVT:
2492       if (btm_local_io_caps != BTM_IO_CAP_NONE) {
2493         bta_dm_co_io_rsp(p_data->io_rsp.bd_addr, p_data->io_rsp.io_cap,
2494                          p_data->io_rsp.oob_data, p_data->io_rsp.auth_req);
2495       }
2496       break;
2497 
2498     case BTM_SP_CFM_REQ_EVT:
2499       pin_evt = BTA_DM_SP_CFM_REQ_EVT;
2500       bta_dm_cb.just_works = sec_event.cfm_req.just_works =
2501           p_data->cfm_req.just_works;
2502       sec_event.cfm_req.loc_auth_req = p_data->cfm_req.loc_auth_req;
2503       sec_event.cfm_req.rmt_auth_req = p_data->cfm_req.rmt_auth_req;
2504       sec_event.cfm_req.loc_io_caps = p_data->cfm_req.loc_io_caps;
2505       sec_event.cfm_req.rmt_io_caps = p_data->cfm_req.rmt_io_caps;
2506 
2507     /* continue to next case */
2508     /* Passkey entry mode, mobile device with output capability is very
2509         unlikely to receive key request, so skip this event */
2510     /*case BTM_SP_KEY_REQ_EVT: */
2511     case BTM_SP_KEY_NOTIF_EVT:
2512       if (btm_local_io_caps == BTM_IO_CAP_NONE &&
2513           BTM_SP_KEY_NOTIF_EVT == event) {
2514         status = BTM_NOT_AUTHORIZED;
2515         break;
2516       }
2517 
2518       bta_dm_cb.num_val = sec_event.key_notif.passkey =
2519           p_data->key_notif.passkey;
2520 
2521       if (BTM_SP_CFM_REQ_EVT == event) {
2522         /* Due to the switch case falling through below to BTM_SP_KEY_NOTIF_EVT,
2523            call remote name request using values from cfm_req */
2524         if (p_data->cfm_req.bd_name[0] == 0) {
2525           bta_dm_cb.pin_evt = pin_evt;
2526           bta_dm_cb.pin_bd_addr = p_data->cfm_req.bd_addr;
2527           bta_dm_cb.rmt_io_caps = sec_event.cfm_req.rmt_io_caps;
2528           bta_dm_cb.loc_io_caps = sec_event.cfm_req.loc_io_caps;
2529           bta_dm_cb.rmt_auth_req = sec_event.cfm_req.rmt_auth_req;
2530           bta_dm_cb.loc_auth_req = sec_event.cfm_req.loc_auth_req;
2531 
2532           BTA_COPY_DEVICE_CLASS(bta_dm_cb.pin_dev_class,
2533                                 p_data->cfm_req.dev_class);
2534           if ((BTM_ReadRemoteDeviceName(
2535                   p_data->cfm_req.bd_addr, bta_dm_pinname_cback,
2536                   BT_TRANSPORT_BR_EDR)) == BTM_CMD_STARTED)
2537             return BTM_CMD_STARTED;
2538           APPL_TRACE_WARNING(
2539               " bta_dm_sp_cback() -> Failed to start Remote Name Request  ");
2540         } else {
2541           /* Due to the switch case falling through below to
2542              BTM_SP_KEY_NOTIF_EVT,
2543              copy these values into key_notif from cfm_req */
2544           sec_event.key_notif.bd_addr = p_data->cfm_req.bd_addr;
2545           BTA_COPY_DEVICE_CLASS(sec_event.key_notif.dev_class,
2546                                 p_data->cfm_req.dev_class);
2547           strlcpy((char*)sec_event.key_notif.bd_name,
2548                   (char*)p_data->cfm_req.bd_name, BD_NAME_LEN);
2549         }
2550       }
2551 
2552       if (BTM_SP_KEY_NOTIF_EVT == event) {
2553         /* If the device name is not known, save bdaddr and devclass
2554            and initiate a name request with values from key_notif */
2555         if (p_data->key_notif.bd_name[0] == 0) {
2556           bta_dm_cb.pin_evt = pin_evt;
2557           bta_dm_cb.pin_bd_addr = p_data->key_notif.bd_addr;
2558           BTA_COPY_DEVICE_CLASS(bta_dm_cb.pin_dev_class,
2559                                 p_data->key_notif.dev_class);
2560           if ((BTM_ReadRemoteDeviceName(
2561                   p_data->key_notif.bd_addr, bta_dm_pinname_cback,
2562                   BT_TRANSPORT_BR_EDR)) == BTM_CMD_STARTED)
2563             return BTM_CMD_STARTED;
2564           APPL_TRACE_WARNING(
2565               " bta_dm_sp_cback() -> Failed to start Remote Name Request  ");
2566         } else {
2567           sec_event.key_notif.bd_addr = p_data->key_notif.bd_addr;
2568           BTA_COPY_DEVICE_CLASS(sec_event.key_notif.dev_class,
2569                                 p_data->key_notif.dev_class);
2570           strlcpy((char*)sec_event.key_notif.bd_name,
2571                   (char*)p_data->key_notif.bd_name, BD_NAME_LEN);
2572           sec_event.key_notif.bd_name[BD_NAME_LEN - 1] = 0;
2573         }
2574       }
2575 
2576       bta_dm_cb.p_sec_cback(pin_evt, &sec_event);
2577 
2578       break;
2579 
2580     case BTM_SP_LOC_OOB_EVT:
2581       bta_dm_co_loc_oob((bool)(p_data->loc_oob.status == BTM_SUCCESS),
2582                         p_data->loc_oob.c, p_data->loc_oob.r);
2583       break;
2584 
2585     case BTM_SP_RMT_OOB_EVT:
2586       /* If the device name is not known, save bdaddr and devclass and initiate
2587        * a name request */
2588       if (p_data->rmt_oob.bd_name[0] == 0) {
2589         bta_dm_cb.pin_evt = BTA_DM_SP_RMT_OOB_EVT;
2590         bta_dm_cb.pin_bd_addr = p_data->rmt_oob.bd_addr;
2591         BTA_COPY_DEVICE_CLASS(bta_dm_cb.pin_dev_class,
2592                               p_data->rmt_oob.dev_class);
2593         if ((BTM_ReadRemoteDeviceName(p_data->rmt_oob.bd_addr,
2594                                       bta_dm_pinname_cback,
2595                                       BT_TRANSPORT_BR_EDR)) == BTM_CMD_STARTED)
2596           return BTM_CMD_STARTED;
2597         APPL_TRACE_WARNING(
2598             " bta_dm_sp_cback() -> Failed to start Remote Name Request  ");
2599       }
2600 
2601       sec_event.rmt_oob.bd_addr = p_data->rmt_oob.bd_addr;
2602       BTA_COPY_DEVICE_CLASS(sec_event.rmt_oob.dev_class,
2603                             p_data->rmt_oob.dev_class);
2604       strlcpy((char*)sec_event.rmt_oob.bd_name, (char*)p_data->rmt_oob.bd_name,
2605               BD_NAME_LEN);
2606 
2607       bta_dm_cb.p_sec_cback(BTA_DM_SP_RMT_OOB_EVT, &sec_event);
2608 
2609       bta_dm_co_rmt_oob(p_data->rmt_oob.bd_addr);
2610       break;
2611 
2612     case BTM_SP_COMPLT_EVT:
2613       /* do not report this event - handled by link_key_callback or
2614        * auth_complete_callback */
2615       break;
2616 
2617     case BTM_SP_KEYPRESS_EVT:
2618       memcpy(&sec_event.key_press, &p_data->key_press,
2619              sizeof(tBTM_SP_KEYPRESS));
2620       bta_dm_cb.p_sec_cback(BTA_DM_SP_KEYPRESS_EVT, &sec_event);
2621       break;
2622 
2623     case BTM_SP_UPGRADE_EVT:
2624       bta_dm_co_lk_upgrade(p_data->upgrade.bd_addr, &p_data->upgrade.upgrade);
2625       break;
2626 
2627     default:
2628       status = BTM_NOT_AUTHORIZED;
2629       break;
2630   }
2631   APPL_TRACE_EVENT("dm status: %d", status);
2632   return status;
2633 }
2634 
2635 /*******************************************************************************
2636  *
2637  * Function         bta_dm_local_name_cback
2638  *
2639  * Description      Callback from btm after local name is read
2640  *
2641  *
2642  * Returns          void
2643  *
2644  ******************************************************************************/
bta_dm_local_name_cback(UNUSED_ATTR void * p_name)2645 static void bta_dm_local_name_cback(UNUSED_ATTR void* p_name) {
2646   tBTA_DM_SEC sec_event;
2647 
2648   sec_event.enable.status = BTA_SUCCESS;
2649 
2650   if (bta_dm_cb.p_sec_cback)
2651     bta_dm_cb.p_sec_cback(BTA_DM_ENABLE_EVT, &sec_event);
2652 }
2653 
send_busy_level_update(uint8_t busy_level,uint8_t busy_level_flags)2654 static void send_busy_level_update(uint8_t busy_level,
2655                                    uint8_t busy_level_flags) {
2656   if (!bta_dm_cb.p_sec_cback) return;
2657 
2658   tBTA_DM_SEC conn;
2659   memset(&conn, 0, sizeof(tBTA_DM_SEC));
2660   conn.busy_level.level = busy_level;
2661   conn.busy_level.level_flags = busy_level_flags;
2662   bta_dm_cb.p_sec_cback(BTA_DM_BUSY_LEVEL_EVT, &conn);
2663 }
2664 
handle_role_change(const RawAddress & bd_addr,uint8_t new_role,uint8_t hci_status)2665 static void handle_role_change(const RawAddress& bd_addr, uint8_t new_role,
2666                                uint8_t hci_status) {
2667   tBTA_DM_SEC conn;
2668   memset(&conn, 0, sizeof(tBTA_DM_SEC));
2669 
2670   tBTA_DM_PEER_DEVICE* p_dev = bta_dm_find_peer_device(bd_addr);
2671   if (!p_dev) return;
2672   LOG_INFO(LOG_TAG,
2673            "%s: peer %s info:0x%x new_role:0x%x dev count:%d hci_status=%d",
2674            __func__, bd_addr.ToString().c_str(), p_dev->info, new_role,
2675            bta_dm_cb.device_list.count, hci_status);
2676   if (p_dev->info & BTA_DM_DI_AV_ACTIVE) {
2677     bool need_policy_change = false;
2678 
2679     /* there's AV activity on this link */
2680     if (new_role == HCI_ROLE_SLAVE && bta_dm_cb.device_list.count > 1 &&
2681         hci_status == HCI_SUCCESS) {
2682       /* more than one connections and the AV connection is role switched
2683        * to slave
2684        * switch it back to master and remove the switch policy */
2685       BTM_SwitchRole(bd_addr, BTM_ROLE_MASTER, NULL);
2686       need_policy_change = true;
2687     } else if (p_bta_dm_cfg->avoid_scatter && (new_role == HCI_ROLE_MASTER)) {
2688       /* if the link updated to be master include AV activities, remove
2689        * the switch policy */
2690       need_policy_change = true;
2691     }
2692 
2693     if (need_policy_change) {
2694       bta_dm_policy_cback(BTA_SYS_PLCY_CLR, 0, HCI_ENABLE_MASTER_SLAVE_SWITCH,
2695                           p_dev->peer_bdaddr);
2696     }
2697   } else {
2698     /* there's AV no activity on this link and role switch happened
2699      * check if AV is active
2700      * if so, make sure the AV link is master */
2701     bta_dm_check_av(0);
2702   }
2703   bta_sys_notify_role_chg(bd_addr, new_role, hci_status);
2704   conn.role_chg.bd_addr = bd_addr;
2705   conn.role_chg.new_role = (uint8_t)new_role;
2706   if (bta_dm_cb.p_sec_cback) bta_dm_cb.p_sec_cback(BTA_DM_ROLE_CHG_EVT, &conn);
2707 }
2708 
bta_dm_acl_change(bool is_new,const RawAddress & bd_addr,tBT_TRANSPORT transport,uint16_t handle)2709 static void bta_dm_acl_change(bool is_new, const RawAddress& bd_addr,
2710                               tBT_TRANSPORT transport, uint16_t handle) {
2711   bool issue_unpair_cb = false;
2712 
2713   tBTA_DM_SEC conn;
2714   memset(&conn, 0, sizeof(tBTA_DM_SEC));
2715 
2716   if (is_new) {
2717     uint8_t i;
2718     for (i = 0; i < bta_dm_cb.device_list.count; i++) {
2719       if (bta_dm_cb.device_list.peer_device[i].peer_bdaddr == bd_addr &&
2720           bta_dm_cb.device_list.peer_device[i].conn_handle == handle)
2721         break;
2722     }
2723 
2724     if (i == bta_dm_cb.device_list.count) {
2725       if (bta_dm_cb.device_list.count < BTA_DM_NUM_PEER_DEVICE) {
2726         bta_dm_cb.device_list.peer_device[bta_dm_cb.device_list.count]
2727             .peer_bdaddr = bd_addr;
2728         bta_dm_cb.device_list.peer_device[bta_dm_cb.device_list.count]
2729             .link_policy = bta_dm_cb.cur_policy;
2730         bta_dm_cb.device_list.count++;
2731         bta_dm_cb.device_list.peer_device[i].conn_handle = handle;
2732         if (transport == BT_TRANSPORT_LE) bta_dm_cb.device_list.le_count++;
2733       } else {
2734         APPL_TRACE_ERROR("%s max active connection reached, no resources",
2735                          __func__);
2736         return;
2737       }
2738     }
2739 
2740     bta_dm_cb.device_list.peer_device[i].conn_state = BTA_DM_CONNECTED;
2741     bta_dm_cb.device_list.peer_device[i].pref_role = BTA_ANY_ROLE;
2742     conn.link_up.bd_addr = bd_addr;
2743     bta_dm_cb.device_list.peer_device[i].info = BTA_DM_DI_NONE;
2744     conn.link_up.link_type = transport;
2745     bta_dm_cb.device_list.peer_device[i].transport = transport;
2746 
2747     uint8_t* p;
2748     if (((NULL != (p = BTM_ReadLocalFeatures())) &&
2749          HCI_SNIFF_SUB_RATE_SUPPORTED(p)) &&
2750         ((NULL != (p = BTM_ReadRemoteFeatures(bd_addr))) &&
2751          HCI_SNIFF_SUB_RATE_SUPPORTED(p))) {
2752       /* both local and remote devices support SSR */
2753       bta_dm_cb.device_list.peer_device[i].info = BTA_DM_DI_USE_SSR;
2754     }
2755     APPL_TRACE_WARNING("%s info: 0x%x", __func__,
2756                        bta_dm_cb.device_list.peer_device[i].info);
2757 
2758     if (bta_dm_cb.p_sec_cback) bta_dm_cb.p_sec_cback(BTA_DM_LINK_UP_EVT, &conn);
2759   } else {
2760     for (uint8_t i = 0; i < bta_dm_cb.device_list.count; i++) {
2761       if (bta_dm_cb.device_list.peer_device[i].peer_bdaddr != bd_addr ||
2762           bta_dm_cb.device_list.peer_device[i].transport != transport)
2763         continue;
2764 
2765       if (bta_dm_cb.device_list.peer_device[i].conn_state == BTA_DM_UNPAIRING) {
2766         if (BTM_SecDeleteDevice(
2767                 bta_dm_cb.device_list.peer_device[i].peer_bdaddr))
2768           issue_unpair_cb = true;
2769 
2770         APPL_TRACE_DEBUG("%s: Unpairing: issue unpair CB = %d ", __func__,
2771                          issue_unpair_cb);
2772       }
2773 
2774       conn.link_down.is_removed =
2775           bta_dm_cb.device_list.peer_device[i].remove_dev_pending;
2776 
2777       // Iterate to the one before the last when shrinking the list,
2778       // otherwise we memcpy garbage data into the record.
2779       // Then clear out the last item in the list since we are shrinking.
2780       for (; i < bta_dm_cb.device_list.count - 1; i++) {
2781         memcpy(&bta_dm_cb.device_list.peer_device[i],
2782                &bta_dm_cb.device_list.peer_device[i + 1],
2783                sizeof(bta_dm_cb.device_list.peer_device[i]));
2784       }
2785       if (bta_dm_cb.device_list.count > 0) {
2786         int clear_index = bta_dm_cb.device_list.count - 1;
2787         memset(&bta_dm_cb.device_list.peer_device[clear_index], 0,
2788                sizeof(bta_dm_cb.device_list.peer_device[clear_index]));
2789       }
2790       break;
2791     }
2792     if (bta_dm_cb.device_list.count) bta_dm_cb.device_list.count--;
2793     if ((transport == BT_TRANSPORT_LE) && (bta_dm_cb.device_list.le_count))
2794       bta_dm_cb.device_list.le_count--;
2795     conn.link_down.link_type = transport;
2796 
2797     if ((transport == BT_TRANSPORT_BR_EDR) &&
2798         (bta_dm_search_cb.wait_disc &&
2799          bta_dm_search_cb.peer_bdaddr == bd_addr)) {
2800       bta_dm_search_cb.wait_disc = false;
2801 
2802       if (bta_dm_search_cb.sdp_results) {
2803         APPL_TRACE_EVENT(" timer stopped  ");
2804         alarm_cancel(bta_dm_search_cb.search_timer);
2805         bta_dm_discover_next_device();
2806       }
2807     }
2808 
2809     if (bta_dm_cb.disabling) {
2810       if (!BTM_GetNumAclLinks()) {
2811         /*
2812          * Start a timer to make sure that the profiles
2813          * get the disconnect event.
2814          */
2815         alarm_set_on_mloop(bta_dm_cb.disable_timer,
2816                            BTA_DM_DISABLE_CONN_DOWN_TIMER_MS,
2817                            bta_dm_disable_conn_down_timer_cback, NULL);
2818       }
2819     }
2820     if (conn.link_down.is_removed) {
2821       BTM_SecDeleteDevice(bd_addr);
2822       /* need to remove all pending background connection */
2823       BTA_GATTC_CancelOpen(0, bd_addr, false);
2824       /* remove all cached GATT information */
2825       BTA_GATTC_Refresh(bd_addr);
2826     }
2827 
2828     conn.link_down.bd_addr = bd_addr;
2829     conn.link_down.status = (uint8_t)btm_get_acl_disc_reason_code();
2830     if (bta_dm_cb.p_sec_cback) {
2831       bta_dm_cb.p_sec_cback(BTA_DM_LINK_DOWN_EVT, &conn);
2832       if (issue_unpair_cb)
2833         bta_dm_cb.p_sec_cback(BTA_DM_DEV_UNPAIRED_EVT, &conn);
2834     }
2835   }
2836 
2837   bta_dm_adjust_roles(true);
2838 }
2839 
2840 /** Callback from btm when acl connection goes up or down */
bta_dm_bl_change_cback(tBTM_BL_EVENT_DATA * p_data)2841 static void bta_dm_bl_change_cback(tBTM_BL_EVENT_DATA* p_data) {
2842   switch (p_data->event) {
2843     case BTM_BL_CONN_EVT:
2844       /* connection up */
2845       do_in_main_thread(
2846           FROM_HERE, base::Bind(bta_dm_acl_change, true, *p_data->conn.p_bda,
2847                                 p_data->conn.transport, p_data->conn.handle));
2848       break;
2849     case BTM_BL_DISCN_EVT:
2850       /* connection down */
2851       do_in_main_thread(
2852           FROM_HERE, base::Bind(bta_dm_acl_change, false, *p_data->discn.p_bda,
2853                                 p_data->discn.transport, p_data->discn.handle));
2854       break;
2855 
2856     case BTM_BL_UPDATE_EVT: {
2857       /* busy level update */
2858       do_in_main_thread(FROM_HERE, base::Bind(send_busy_level_update,
2859                                               p_data->update.busy_level,
2860                                               p_data->update.busy_level_flags));
2861       return;
2862     }
2863     case BTM_BL_ROLE_CHG_EVT: {
2864       const auto& tmp = p_data->role_chg;
2865       do_in_main_thread(FROM_HERE, base::Bind(handle_role_change, *tmp.p_bda,
2866                                               tmp.new_role, tmp.hci_status));
2867       return;
2868     }
2869 
2870     case BTM_BL_COLLISION_EVT:
2871       /* Collision report from Stack: Notify profiles */
2872       do_in_main_thread(
2873           FROM_HERE, base::Bind(bta_sys_notify_collision, *p_data->conn.p_bda));
2874       return;
2875   }
2876 }
2877 
2878 /*******************************************************************************
2879  *
2880  * Function         bta_dm_rs_cback
2881  *
2882  * Description      Receives the role switch complete event
2883  *
2884  * Returns
2885  *
2886  ******************************************************************************/
bta_dm_rs_cback(UNUSED_ATTR void * p1)2887 static void bta_dm_rs_cback(UNUSED_ATTR void* p1) {
2888   APPL_TRACE_WARNING("bta_dm_rs_cback:%d", bta_dm_cb.rs_event);
2889   if (bta_dm_cb.rs_event == BTA_DM_API_SEARCH_EVT) {
2890     bta_dm_cb.search_msg.rs_res =
2891         BTA_DM_RS_OK; /* do not care about the result for now */
2892     bta_dm_cb.rs_event = 0;
2893     bta_dm_search_start((tBTA_DM_MSG*)&bta_dm_cb.search_msg);
2894   }
2895 }
2896 
2897 /*******************************************************************************
2898  *
2899  * Function         bta_dm_check_av
2900  *
2901  * Description      This function checks if AV is active
2902  *                  if yes, make sure the AV link is master
2903  *
2904  * Returns          bool - true, if switch is in progress
2905  *
2906  ******************************************************************************/
bta_dm_check_av(uint16_t event)2907 static bool bta_dm_check_av(uint16_t event) {
2908   bool avoid_roleswitch = false;
2909   bool switching = false;
2910   uint8_t i;
2911   tBTA_DM_PEER_DEVICE* p_dev;
2912 
2913 #if (BTA_DM_AVOID_A2DP_ROLESWITCH_ON_INQUIRY == TRUE)
2914 
2915   /* avoid role switch upon inquiry if a2dp is actively streaming as it
2916      introduces an audioglitch due to FW scheduling delays (unavoidable) */
2917   if (event == BTA_DM_API_SEARCH_EVT) {
2918     avoid_roleswitch = true;
2919   }
2920 #endif
2921 
2922   APPL_TRACE_WARNING("bta_dm_check_av:%d", bta_dm_cb.cur_av_count);
2923   if (bta_dm_cb.cur_av_count) {
2924     for (i = 0; i < bta_dm_cb.device_list.count; i++) {
2925       p_dev = &bta_dm_cb.device_list.peer_device[i];
2926       APPL_TRACE_WARNING("[%d]: state:%d, info:x%x, avoid_rs %d", i,
2927                          p_dev->conn_state, p_dev->info, avoid_roleswitch);
2928       if ((p_dev->conn_state == BTA_DM_CONNECTED) &&
2929           (p_dev->info & BTA_DM_DI_AV_ACTIVE) && (!avoid_roleswitch)) {
2930         /* make master and take away the role switch policy */
2931         if (BTM_CMD_STARTED == BTM_SwitchRole(p_dev->peer_bdaddr,
2932                                               HCI_ROLE_MASTER,
2933                                               bta_dm_rs_cback)) {
2934           /* the role switch command is actually sent */
2935           bta_dm_cb.rs_event = event;
2936           switching = true;
2937         }
2938         /* else either already master or can not switch for some reasons */
2939         bta_dm_policy_cback(BTA_SYS_PLCY_CLR, 0, HCI_ENABLE_MASTER_SLAVE_SWITCH,
2940                             p_dev->peer_bdaddr);
2941         break;
2942       }
2943     }
2944   }
2945   return switching;
2946 }
2947 
2948 /*******************************************************************************
2949  *
2950  * Function         bta_dm_disable_conn_down_timer_cback
2951  *
2952  * Description      Sends disable event to application
2953  *
2954  *
2955  * Returns          void
2956  *
2957  ******************************************************************************/
bta_dm_disable_conn_down_timer_cback(UNUSED_ATTR void * data)2958 static void bta_dm_disable_conn_down_timer_cback(UNUSED_ATTR void* data) {
2959   tBTA_SYS_HW_MSG* sys_enable_event =
2960       (tBTA_SYS_HW_MSG*)osi_malloc(sizeof(tBTA_SYS_HW_MSG));
2961 
2962   /* disable the power managment module */
2963   bta_dm_disable_pm();
2964 
2965   /* register our callback to SYS HW manager */
2966   bta_sys_hw_register(BTA_SYS_HW_BLUETOOTH, bta_dm_sys_hw_cback);
2967 
2968   /* send a message to BTA SYS */
2969   sys_enable_event->hdr.event = BTA_SYS_API_DISABLE_EVT;
2970   sys_enable_event->hw_module = BTA_SYS_HW_BLUETOOTH;
2971   bta_sys_sendmsg(sys_enable_event);
2972 
2973   bta_dm_cb.disabling = false;
2974 }
2975 
2976 /*******************************************************************************
2977  *
2978  * Function         bta_dm_rm_cback
2979  *
2980  * Description      Role management callback from sys
2981  *
2982  *
2983  * Returns          void
2984  *
2985  ******************************************************************************/
bta_dm_rm_cback(tBTA_SYS_CONN_STATUS status,uint8_t id,uint8_t app_id,const RawAddress & peer_addr)2986 static void bta_dm_rm_cback(tBTA_SYS_CONN_STATUS status, uint8_t id,
2987                             uint8_t app_id, const RawAddress& peer_addr) {
2988   uint8_t j;
2989   tBTA_PREF_ROLES role;
2990   tBTA_DM_PEER_DEVICE* p_dev;
2991 
2992   p_dev = bta_dm_find_peer_device(peer_addr);
2993   if (status == BTA_SYS_CONN_OPEN) {
2994     if (p_dev) {
2995       /* Do not set to connected if we are in the middle of unpairing. When AV
2996        * stream is
2997        * started it fakes out a SYS_CONN_OPEN to potentially trigger a role
2998        * switch command.
2999        * But this should not be done if we are in the middle of unpairing.
3000        */
3001       if (p_dev->conn_state != BTA_DM_UNPAIRING)
3002         p_dev->conn_state = BTA_DM_CONNECTED;
3003 
3004       for (j = 1; j <= p_bta_dm_rm_cfg[0].app_id; j++) {
3005         if (((p_bta_dm_rm_cfg[j].app_id == app_id) ||
3006              (p_bta_dm_rm_cfg[j].app_id == BTA_ALL_APP_ID)) &&
3007             (p_bta_dm_rm_cfg[j].id == id)) {
3008           role = p_bta_dm_rm_cfg[j].cfg;
3009 
3010           if (role > p_dev->pref_role) p_dev->pref_role = role;
3011           break;
3012         }
3013       }
3014     }
3015   }
3016 
3017   if ((BTA_ID_AV == id) || (BTA_ID_AVK == id)) {
3018     if (status == BTA_SYS_CONN_BUSY) {
3019       if (p_dev) p_dev->info |= BTA_DM_DI_AV_ACTIVE;
3020       /* AV calls bta_sys_conn_open with the A2DP stream count as app_id */
3021       if (BTA_ID_AV == id) bta_dm_cb.cur_av_count = bta_dm_get_av_count();
3022     } else if (status == BTA_SYS_CONN_IDLE) {
3023       if (p_dev) p_dev->info &= ~BTA_DM_DI_AV_ACTIVE;
3024 
3025       /* get cur_av_count from connected services */
3026       if (BTA_ID_AV == id) bta_dm_cb.cur_av_count = bta_dm_get_av_count();
3027     }
3028     APPL_TRACE_WARNING("bta_dm_rm_cback:%d, status:%d", bta_dm_cb.cur_av_count,
3029                        status);
3030   }
3031 
3032   /* Don't adjust roles for each busy/idle state transition to avoid
3033      excessive switch requests when individual profile busy/idle status
3034      changes */
3035   if ((status != BTA_SYS_CONN_BUSY) && (status != BTA_SYS_CONN_IDLE))
3036     bta_dm_adjust_roles(false);
3037 }
3038 
3039 /*******************************************************************************
3040  *
3041  * Function         bta_dm_delay_role_switch_cback
3042  *
3043  * Description      Callback from btm to delay a role switch
3044  *
3045  * Returns          void
3046  *
3047  ******************************************************************************/
bta_dm_delay_role_switch_cback(UNUSED_ATTR void * data)3048 static void bta_dm_delay_role_switch_cback(UNUSED_ATTR void* data) {
3049   APPL_TRACE_EVENT("%s: initiating Delayed RS", __func__);
3050   bta_dm_adjust_roles(false);
3051 }
3052 
3053 /*******************************************************************************
3054  *
3055  * Function         bta_dm_reset_sec_dev_pending
3056  *
3057  * Description      Setting the remove device pending status to false from
3058  *                  security device DB, when the link key notification
3059  *                  event comes.
3060  *
3061  * Returns          void
3062  *
3063  ******************************************************************************/
bta_dm_reset_sec_dev_pending(const RawAddress & remote_bd_addr)3064 static void bta_dm_reset_sec_dev_pending(const RawAddress& remote_bd_addr) {
3065   for (size_t i = 0; i < bta_dm_cb.device_list.count; i++) {
3066     if (bta_dm_cb.device_list.peer_device[i].peer_bdaddr == remote_bd_addr) {
3067       bta_dm_cb.device_list.peer_device[i].remove_dev_pending = false;
3068       return;
3069     }
3070   }
3071 }
3072 
3073 /*******************************************************************************
3074  *
3075  * Function         bta_dm_remove_sec_dev_entry
3076  *
3077  * Description      Removes device entry from Security device DB if ACL
3078  connection with
3079  *                  remtoe device does not exist, else schedule for dev entry
3080  removal upon
3081                      ACL close
3082  *
3083  * Returns          void
3084  *
3085  ******************************************************************************/
bta_dm_remove_sec_dev_entry(const RawAddress & remote_bd_addr)3086 static void bta_dm_remove_sec_dev_entry(const RawAddress& remote_bd_addr) {
3087   if (BTM_IsAclConnectionUp(remote_bd_addr, BT_TRANSPORT_LE) ||
3088       BTM_IsAclConnectionUp(remote_bd_addr, BT_TRANSPORT_BR_EDR)) {
3089     APPL_TRACE_DEBUG(
3090         "%s ACL is not down. Schedule for  Dev Removal when ACL closes",
3091         __func__);
3092     BTM_SecClearSecurityFlags(remote_bd_addr);
3093     for (int i = 0; i < bta_dm_cb.device_list.count; i++) {
3094       if (bta_dm_cb.device_list.peer_device[i].peer_bdaddr == remote_bd_addr) {
3095         bta_dm_cb.device_list.peer_device[i].remove_dev_pending = TRUE;
3096         break;
3097       }
3098     }
3099   } else {
3100     // remote_bd_addr comes from security record, which is removed in
3101     // BTM_SecDeleteDevice.
3102     RawAddress addr_copy = remote_bd_addr;
3103     BTM_SecDeleteDevice(addr_copy);
3104     /* need to remove all pending background connection */
3105     BTA_GATTC_CancelOpen(0, addr_copy, false);
3106     /* remove all cached GATT information */
3107     BTA_GATTC_Refresh(addr_copy);
3108   }
3109 }
3110 
3111 /*******************************************************************************
3112  *
3113  * Function         bta_dm_adjust_roles
3114  *
3115  * Description      Adjust roles
3116  *
3117  *
3118  * Returns          void
3119  *
3120  ******************************************************************************/
bta_dm_adjust_roles(bool delay_role_switch)3121 static void bta_dm_adjust_roles(bool delay_role_switch) {
3122   uint8_t i;
3123   bool set_master_role = false;
3124   uint8_t br_count =
3125       bta_dm_cb.device_list.count - bta_dm_cb.device_list.le_count;
3126   if (br_count) {
3127     /* the configuration is no scatternet
3128      * or AV connection exists and there are more than one ACL link */
3129     if ((p_bta_dm_rm_cfg[0].cfg == BTA_DM_NO_SCATTERNET) ||
3130         (bta_dm_cb.cur_av_count && br_count > 1)) {
3131       L2CA_SetDesireRole(HCI_ROLE_MASTER);
3132       set_master_role = true;
3133     }
3134 
3135     for (i = 0; i < bta_dm_cb.device_list.count; i++) {
3136       if (bta_dm_cb.device_list.peer_device[i].conn_state == BTA_DM_CONNECTED &&
3137           bta_dm_cb.device_list.peer_device[i].transport ==
3138               BT_TRANSPORT_BR_EDR) {
3139         if (!set_master_role &&
3140             (bta_dm_cb.device_list.peer_device[i].pref_role != BTA_ANY_ROLE) &&
3141             (p_bta_dm_rm_cfg[0].cfg == BTA_DM_PARTIAL_SCATTERNET)) {
3142           L2CA_SetDesireRole(HCI_ROLE_MASTER);
3143           set_master_role = true;
3144         }
3145 
3146         if ((bta_dm_cb.device_list.peer_device[i].pref_role ==
3147              BTA_MASTER_ROLE_ONLY) ||
3148             (br_count > 1)) {
3149           /* Initiating immediate role switch with certain remote devices
3150             has caused issues due to role  switch colliding with link encryption
3151             setup and
3152             causing encryption (and in turn the link) to fail .  These device .
3153             Firmware
3154             versions are stored in a blacklist and role switch with these
3155             devices are
3156             delayed to avoid the collision with link encryption setup */
3157 
3158           if (bta_dm_cb.device_list.peer_device[i].pref_role !=
3159                   BTA_SLAVE_ROLE_ONLY &&
3160               !delay_role_switch) {
3161             BTM_SwitchRole(bta_dm_cb.device_list.peer_device[i].peer_bdaddr,
3162                            HCI_ROLE_MASTER, NULL);
3163           } else {
3164             alarm_set_on_mloop(bta_dm_cb.switch_delay_timer,
3165                                BTA_DM_SWITCH_DELAY_TIMER_MS,
3166                                bta_dm_delay_role_switch_cback, NULL);
3167           }
3168         }
3169       }
3170     }
3171 
3172     if (!set_master_role) {
3173       L2CA_SetDesireRole(L2CAP_DESIRED_LINK_ROLE);
3174     }
3175 
3176   } else {
3177     L2CA_SetDesireRole(L2CAP_DESIRED_LINK_ROLE);
3178   }
3179 }
3180 
3181 /*******************************************************************************
3182  *
3183  * Function         bta_dm_get_remname
3184  *
3185  * Description      Returns a pointer to the remote name stored in the DM
3186  *                  control block if it exists, or from the BTM memory.
3187  *
3188  * Returns          char * - Pointer to the remote device name
3189  ******************************************************************************/
bta_dm_get_remname(void)3190 static char* bta_dm_get_remname(void) {
3191   char* p_name = (char*)bta_dm_search_cb.peer_name;
3192   char* p_temp;
3193 
3194   /* If the name isn't already stored, try retrieving from BTM */
3195   if (*p_name == '\0') {
3196     p_temp = BTM_SecReadDevName(bta_dm_search_cb.peer_bdaddr);
3197     if (p_temp != NULL) p_name = p_temp;
3198   }
3199 
3200   return p_name;
3201 }
3202 
3203 /*******************************************************************************
3204  *
3205  * Function         bta_dm_bond_cancel_complete_cback
3206  *
3207  * Description      Authentication complete callback from BTM
3208  *
3209  * Returns          void
3210  *
3211  ******************************************************************************/
bta_dm_bond_cancel_complete_cback(tBTM_STATUS result)3212 static void bta_dm_bond_cancel_complete_cback(tBTM_STATUS result) {
3213   tBTA_DM_SEC sec_event;
3214 
3215   if (result == BTM_SUCCESS)
3216     sec_event.bond_cancel_cmpl.result = BTA_SUCCESS;
3217   else
3218     sec_event.bond_cancel_cmpl.result = BTA_FAILURE;
3219 
3220   if (bta_dm_cb.p_sec_cback) {
3221     bta_dm_cb.p_sec_cback(BTA_DM_BOND_CANCEL_CMPL_EVT, &sec_event);
3222   }
3223 }
3224 
3225 /*******************************************************************************
3226  *
3227  * Function         find_utf8_char_boundary
3228  *
3229  * Description      This function checks a UTF8 string |utf8str| starting at
3230  *                  |offset|, moving backwards and returns the offset of the
3231  *                  next valid UTF8 character boundary found.
3232  *
3233  * Returns          Offset of UTF8 character boundary
3234  *
3235  ******************************************************************************/
find_utf8_char_boundary(const char * utf8str,size_t offset)3236 static size_t find_utf8_char_boundary(const char* utf8str, size_t offset) {
3237   CHECK(utf8str);
3238   CHECK(offset > 0);
3239 
3240   while (--offset) {
3241     uint8_t ch = (uint8_t)utf8str[offset];
3242     if ((ch & 0x80) == 0x00)  // ASCII
3243       return offset + 1;
3244     if ((ch & 0xC0) == 0xC0)  // Multi-byte sequence start
3245       return offset;
3246   }
3247 
3248   return 0;
3249 }
3250 
3251 /*******************************************************************************
3252  *
3253  * Function         bta_dm_set_eir
3254  *
3255  * Description      This function creates EIR tagged data and writes it to
3256  *                  controller.
3257  *
3258  * Returns          None
3259  *
3260  ******************************************************************************/
bta_dm_set_eir(char * local_name)3261 static void bta_dm_set_eir(char* local_name) {
3262   uint8_t* p;
3263   uint8_t* p_length;
3264 #if (BTA_EIR_CANNED_UUID_LIST != TRUE)
3265   uint8_t* p_type;
3266   uint8_t max_num_uuid;
3267 #if (BTA_EIR_SERVER_NUM_CUSTOM_UUID > 0)
3268   uint8_t custom_uuid_idx;
3269 #endif  // BTA_EIR_SERVER_NUM_CUSTOM_UUID
3270 #endif  // BTA_EIR_CANNED_UUID_LIST
3271 #if (BTM_EIR_DEFAULT_FEC_REQUIRED == FALSE)
3272   uint8_t free_eir_length = HCI_EXT_INQ_RESPONSE_LEN;
3273 #else  // BTM_EIR_DEFAULT_FEC_REQUIRED
3274   uint8_t free_eir_length = HCI_DM5_PACKET_SIZE;
3275 #endif  // BTM_EIR_DEFAULT_FEC_REQUIRED
3276   uint8_t num_uuid;
3277   uint8_t data_type;
3278   uint8_t local_name_len;
3279 
3280   /* wait until complete to disable */
3281   if (alarm_is_scheduled(bta_dm_cb.disable_timer)) return;
3282 
3283 #if (BTA_EIR_CANNED_UUID_LIST != TRUE)
3284   /* if local name is not provided, get it from controller */
3285   if (local_name == NULL) {
3286     if (BTM_ReadLocalDeviceName(&local_name) != BTM_SUCCESS) {
3287       APPL_TRACE_ERROR("Fail to read local device name for EIR");
3288     }
3289   }
3290 #endif  // BTA_EIR_CANNED_UUID_LIST
3291 
3292   /* Allocate a buffer to hold HCI command */
3293   BT_HDR* p_buf = (BT_HDR*)osi_malloc(BTM_CMD_BUF_SIZE);
3294   p = (uint8_t*)p_buf + BTM_HCI_EIR_OFFSET;
3295 
3296   memset(p, 0x00, HCI_EXT_INQ_RESPONSE_LEN);
3297 
3298   APPL_TRACE_DEBUG("BTA is generating EIR");
3299 
3300   if (local_name)
3301     local_name_len = strlen(local_name);
3302   else
3303     local_name_len = 0;
3304 
3305   data_type = BTM_EIR_COMPLETE_LOCAL_NAME_TYPE;
3306   /* if local name is longer than minimum length of shortened name */
3307   /* check whether it needs to be shortened or not */
3308   if (local_name_len > p_bta_dm_eir_cfg->bta_dm_eir_min_name_len) {
3309 /* get number of UUID 16-bit list */
3310 #if (BTA_EIR_CANNED_UUID_LIST == TRUE)
3311     num_uuid = p_bta_dm_eir_cfg->bta_dm_eir_uuid16_len / Uuid::kNumBytes16;
3312 #else   // BTA_EIR_CANNED_UUID_LIST
3313     max_num_uuid = (free_eir_length - 2) / Uuid::kNumBytes16;
3314     data_type = BTM_GetEirSupportedServices(bta_dm_cb.eir_uuid, &p,
3315                                             max_num_uuid, &num_uuid);
3316     p = (uint8_t*)p_buf + BTM_HCI_EIR_OFFSET; /* reset p */
3317 #endif  // BTA_EIR_CANNED_UUID_LIST
3318 
3319     /* if UUID doesn't fit remaing space, shorten local name */
3320     if (local_name_len > (free_eir_length - 4 - num_uuid * Uuid::kNumBytes16)) {
3321       local_name_len = find_utf8_char_boundary(
3322           local_name, p_bta_dm_eir_cfg->bta_dm_eir_min_name_len);
3323       APPL_TRACE_WARNING("%s local name is shortened (%d)", __func__,
3324                          local_name_len);
3325       data_type = BTM_EIR_SHORTENED_LOCAL_NAME_TYPE;
3326     } else {
3327       data_type = BTM_EIR_COMPLETE_LOCAL_NAME_TYPE;
3328     }
3329   }
3330 
3331   UINT8_TO_STREAM(p, local_name_len + 1);
3332   UINT8_TO_STREAM(p, data_type);
3333 
3334   if (local_name != NULL) {
3335     memcpy(p, local_name, local_name_len);
3336     p += local_name_len;
3337   }
3338   free_eir_length -= local_name_len + 2;
3339 
3340 #if (BTA_EIR_CANNED_UUID_LIST == TRUE)
3341   /* if UUID list is provided as static data in configuration */
3342   if ((p_bta_dm_eir_cfg->bta_dm_eir_uuid16_len > 0) &&
3343       (p_bta_dm_eir_cfg->bta_dm_eir_uuid16)) {
3344     if (free_eir_length > Uuid::kNumBytes16 + 2) {
3345       free_eir_length -= 2;
3346 
3347       if (free_eir_length >= p_bta_dm_eir_cfg->bta_dm_eir_uuid16_len) {
3348         num_uuid = p_bta_dm_eir_cfg->bta_dm_eir_uuid16_len / Uuid::kNumBytes16;
3349         data_type = BTM_EIR_COMPLETE_16BITS_UUID_TYPE;
3350       } else /* not enough room for all UUIDs */
3351       {
3352         APPL_TRACE_WARNING("BTA EIR: UUID 16-bit list is truncated");
3353         num_uuid = free_eir_length / Uuid::kNumBytes16;
3354         data_type = BTM_EIR_MORE_16BITS_UUID_TYPE;
3355       }
3356       UINT8_TO_STREAM(p, num_uuid * Uuid::kNumBytes16 + 1);
3357       UINT8_TO_STREAM(p, data_type);
3358       memcpy(p, p_bta_dm_eir_cfg->bta_dm_eir_uuid16,
3359              num_uuid * Uuid::kNumBytes16);
3360       p += num_uuid * Uuid::kNumBytes16;
3361       free_eir_length -= num_uuid * Uuid::kNumBytes16;
3362     }
3363   }
3364 #else /* (BTA_EIR_CANNED_UUID_LIST == TRUE) */
3365   /* if UUID list is dynamic */
3366   if (free_eir_length >= 2) {
3367     p_length = p++;
3368     p_type = p++;
3369     num_uuid = 0;
3370 
3371     max_num_uuid = (free_eir_length - 2) / Uuid::kNumBytes16;
3372     data_type = BTM_GetEirSupportedServices(bta_dm_cb.eir_uuid, &p,
3373                                             max_num_uuid, &num_uuid);
3374 
3375     if (data_type == BTM_EIR_MORE_16BITS_UUID_TYPE) {
3376       APPL_TRACE_WARNING("BTA EIR: UUID 16-bit list is truncated");
3377     }
3378 #if (BTA_EIR_SERVER_NUM_CUSTOM_UUID > 0)
3379     else {
3380       for (custom_uuid_idx = 0;
3381            custom_uuid_idx < BTA_EIR_SERVER_NUM_CUSTOM_UUID;
3382            custom_uuid_idx++) {
3383         const Uuid& curr = bta_dm_cb.custom_uuid[custom_uuid_idx];
3384         if (curr.GetShortestRepresentationSize() == Uuid::kNumBytes16) {
3385           if (num_uuid < max_num_uuid) {
3386             UINT16_TO_STREAM(p, curr.As16Bit());
3387             num_uuid++;
3388           } else {
3389             data_type = BTM_EIR_MORE_16BITS_UUID_TYPE;
3390             APPL_TRACE_WARNING("BTA EIR: UUID 16-bit list is truncated");
3391             break;
3392           }
3393         }
3394       }
3395     }
3396 #endif /* (BTA_EIR_SERVER_NUM_CUSTOM_UUID > 0) */
3397 
3398     UINT8_TO_STREAM(p_length, num_uuid * Uuid::kNumBytes16 + 1);
3399     UINT8_TO_STREAM(p_type, data_type);
3400     free_eir_length -= num_uuid * Uuid::kNumBytes16 + 2;
3401   }
3402 #endif /* (BTA_EIR_CANNED_UUID_LIST == TRUE) */
3403 
3404 #if (BTA_EIR_CANNED_UUID_LIST != TRUE && BTA_EIR_SERVER_NUM_CUSTOM_UUID > 0)
3405   /* Adding 32-bit UUID list */
3406   if (free_eir_length >= 2) {
3407     p_length = p++;
3408     p_type = p++;
3409     num_uuid = 0;
3410     data_type = BTM_EIR_COMPLETE_32BITS_UUID_TYPE;
3411 
3412     max_num_uuid = (free_eir_length - 2) / Uuid::kNumBytes32;
3413 
3414     for (custom_uuid_idx = 0; custom_uuid_idx < BTA_EIR_SERVER_NUM_CUSTOM_UUID;
3415          custom_uuid_idx++) {
3416       const Uuid& curr = bta_dm_cb.custom_uuid[custom_uuid_idx];
3417       if (curr.GetShortestRepresentationSize() == Uuid::kNumBytes32) {
3418         if (num_uuid < max_num_uuid) {
3419           UINT32_TO_STREAM(p, curr.As32Bit());
3420           num_uuid++;
3421         } else {
3422           data_type = BTM_EIR_MORE_32BITS_UUID_TYPE;
3423           APPL_TRACE_WARNING("BTA EIR: UUID 32-bit list is truncated");
3424           break;
3425         }
3426       }
3427     }
3428 
3429     UINT8_TO_STREAM(p_length, num_uuid * Uuid::kNumBytes32 + 1);
3430     UINT8_TO_STREAM(p_type, data_type);
3431     free_eir_length -= num_uuid * Uuid::kNumBytes32 + 2;
3432   }
3433 
3434   /* Adding 128-bit UUID list */
3435   if (free_eir_length >= 2) {
3436     p_length = p++;
3437     p_type = p++;
3438     num_uuid = 0;
3439     data_type = BTM_EIR_COMPLETE_128BITS_UUID_TYPE;
3440 
3441     max_num_uuid = (free_eir_length - 2) / Uuid::kNumBytes128;
3442 
3443     for (custom_uuid_idx = 0; custom_uuid_idx < BTA_EIR_SERVER_NUM_CUSTOM_UUID;
3444          custom_uuid_idx++) {
3445       const Uuid& curr = bta_dm_cb.custom_uuid[custom_uuid_idx];
3446       if (curr.GetShortestRepresentationSize() == Uuid::kNumBytes128) {
3447         if (num_uuid < max_num_uuid) {
3448           ARRAY16_TO_STREAM(p, curr.To128BitBE().data());
3449           num_uuid++;
3450         } else {
3451           data_type = BTM_EIR_MORE_128BITS_UUID_TYPE;
3452           APPL_TRACE_WARNING("BTA EIR: UUID 128-bit list is truncated");
3453           break;
3454         }
3455       }
3456     }
3457 
3458     UINT8_TO_STREAM(p_length, num_uuid * Uuid::kNumBytes128 + 1);
3459     UINT8_TO_STREAM(p_type, data_type);
3460     free_eir_length -= num_uuid * Uuid::kNumBytes128 + 2;
3461   }
3462 #endif /* ( BTA_EIR_CANNED_UUID_LIST != TRUE \
3463           )&&(BTA_EIR_SERVER_NUM_CUSTOM_UUID > 0) */
3464 
3465   /* if Flags are provided in configuration */
3466   if ((p_bta_dm_eir_cfg->bta_dm_eir_flag_len > 0) &&
3467       (p_bta_dm_eir_cfg->bta_dm_eir_flags) &&
3468       (free_eir_length >= p_bta_dm_eir_cfg->bta_dm_eir_flag_len + 2)) {
3469     UINT8_TO_STREAM(p, p_bta_dm_eir_cfg->bta_dm_eir_flag_len + 1);
3470     UINT8_TO_STREAM(p, BTM_EIR_FLAGS_TYPE);
3471     memcpy(p, p_bta_dm_eir_cfg->bta_dm_eir_flags,
3472            p_bta_dm_eir_cfg->bta_dm_eir_flag_len);
3473     p += p_bta_dm_eir_cfg->bta_dm_eir_flag_len;
3474     free_eir_length -= p_bta_dm_eir_cfg->bta_dm_eir_flag_len + 2;
3475   }
3476 
3477   /* if Manufacturer Specific are provided in configuration */
3478   if ((p_bta_dm_eir_cfg->bta_dm_eir_manufac_spec_len > 0) &&
3479       (p_bta_dm_eir_cfg->bta_dm_eir_manufac_spec) &&
3480       (free_eir_length >= p_bta_dm_eir_cfg->bta_dm_eir_manufac_spec_len + 2)) {
3481     p_length = p;
3482 
3483     UINT8_TO_STREAM(p, p_bta_dm_eir_cfg->bta_dm_eir_manufac_spec_len + 1);
3484     UINT8_TO_STREAM(p, BTM_EIR_MANUFACTURER_SPECIFIC_TYPE);
3485     memcpy(p, p_bta_dm_eir_cfg->bta_dm_eir_manufac_spec,
3486            p_bta_dm_eir_cfg->bta_dm_eir_manufac_spec_len);
3487     p += p_bta_dm_eir_cfg->bta_dm_eir_manufac_spec_len;
3488     free_eir_length -= p_bta_dm_eir_cfg->bta_dm_eir_manufac_spec_len + 2;
3489 
3490   } else {
3491     p_length = NULL;
3492   }
3493 
3494   /* if Inquiry Tx Resp Power compiled */
3495   if ((p_bta_dm_eir_cfg->bta_dm_eir_inq_tx_power) && (free_eir_length >= 3)) {
3496     UINT8_TO_STREAM(p, 2); /* Length field */
3497     UINT8_TO_STREAM(p, BTM_EIR_TX_POWER_LEVEL_TYPE);
3498     UINT8_TO_STREAM(p, *(p_bta_dm_eir_cfg->bta_dm_eir_inq_tx_power));
3499     free_eir_length -= 3;
3500   }
3501 
3502   if (free_eir_length)
3503     UINT8_TO_STREAM(p, 0); /* terminator of significant part */
3504 
3505   BTM_WriteEIR(p_buf);
3506 }
3507 
3508 /*******************************************************************************
3509  *
3510  * Function         bta_dm_eir_search_services
3511  *
3512  * Description      This function searches services in received EIR
3513  *
3514  * Returns          None
3515  *
3516  ******************************************************************************/
bta_dm_eir_search_services(tBTM_INQ_RESULTS * p_result,tBTA_SERVICE_MASK * p_services_to_search,tBTA_SERVICE_MASK * p_services_found)3517 static void bta_dm_eir_search_services(tBTM_INQ_RESULTS* p_result,
3518                                        tBTA_SERVICE_MASK* p_services_to_search,
3519                                        tBTA_SERVICE_MASK* p_services_found) {
3520   tBTA_SERVICE_MASK service_index = 0;
3521   tBTM_EIR_SEARCH_RESULT result;
3522 
3523   VLOG(1) << "BTA searching services in EIR of BDA:"
3524           << p_result->remote_bd_addr;
3525 
3526   APPL_TRACE_DEBUG("    with services_to_search=0x%08X", *p_services_to_search);
3527 
3528   /* always do GATT based service discovery by SDP instead of from EIR    */
3529   /* if GATT based service is also to be put in EIR, need to modify this  */
3530   while (service_index < (BTA_MAX_SERVICE_ID - 1)) {
3531     if (*p_services_to_search &
3532         (tBTA_SERVICE_MASK)(BTA_SERVICE_ID_TO_SERVICE_MASK(service_index))) {
3533       result = BTM_HasInquiryEirService(
3534           p_result, bta_service_id_to_uuid_lkup_tbl[service_index]);
3535 
3536       /* Searching for HSP v1.2 only device */
3537       if ((result != BTM_EIR_FOUND) &&
3538           (bta_service_id_to_uuid_lkup_tbl[service_index] ==
3539            UUID_SERVCLASS_HEADSET)) {
3540         result = BTM_HasInquiryEirService(p_result, UUID_SERVCLASS_HEADSET_HS);
3541       }
3542 
3543       if (result == BTM_EIR_FOUND) {
3544         /* If Plug and Play service record, need to check to see if Broadcom
3545          * stack */
3546         /* However, EIR data doesn't have EXT_BRCM_VERSION so just skip it */
3547         if (bta_service_id_to_uuid_lkup_tbl[service_index] !=
3548             UUID_SERVCLASS_PNP_INFORMATION) {
3549           *p_services_found |= (tBTA_SERVICE_MASK)(
3550               BTA_SERVICE_ID_TO_SERVICE_MASK(service_index));
3551           /* remove the service from services to be searched  */
3552           *p_services_to_search &= (tBTA_SERVICE_MASK)(
3553               ~(BTA_SERVICE_ID_TO_SERVICE_MASK(service_index)));
3554         }
3555       } else if (result == BTM_EIR_NOT_FOUND) {
3556         /* remove the service from services to be searched  */
3557         *p_services_to_search &= (tBTA_SERVICE_MASK)(
3558             ~(BTA_SERVICE_ID_TO_SERVICE_MASK(service_index)));
3559       }
3560     }
3561 
3562     service_index++;
3563   }
3564 
3565   APPL_TRACE_ERROR(
3566       "BTA EIR search result, services_to_search=0x%08X, services_found=0x%08X",
3567       *p_services_to_search, *p_services_found);
3568 }
3569 
3570 #if (BTA_EIR_CANNED_UUID_LIST != TRUE)
3571 /*******************************************************************************
3572  *
3573  * Function         bta_dm_eir_update_uuid
3574  *
3575  * Description      This function adds or removes service UUID in EIR database.
3576  *
3577  * Returns          None
3578  *
3579  ******************************************************************************/
bta_dm_eir_update_uuid(uint16_t uuid16,bool adding)3580 void bta_dm_eir_update_uuid(uint16_t uuid16, bool adding) {
3581   /* if this UUID is not advertised in EIR */
3582   if (!BTM_HasEirService(p_bta_dm_eir_cfg->uuid_mask, uuid16)) return;
3583 
3584   if (adding) {
3585     APPL_TRACE_EVENT("Adding UUID=0x%04X into EIR", uuid16);
3586 
3587     BTM_AddEirService(bta_dm_cb.eir_uuid, uuid16);
3588   } else {
3589     APPL_TRACE_EVENT("Removing UUID=0x%04X from EIR", uuid16);
3590 
3591     BTM_RemoveEirService(bta_dm_cb.eir_uuid, uuid16);
3592   }
3593 
3594   bta_dm_set_eir(NULL);
3595 
3596   APPL_TRACE_EVENT("bta_dm_eir_update_uuid UUID bit mask=0x%08X %08X",
3597                    bta_dm_cb.eir_uuid[1], bta_dm_cb.eir_uuid[0]);
3598 }
3599 #endif
3600 
3601 /*******************************************************************************
3602  *
3603  * Function         bta_dm_encrypt_cback
3604  *
3605  * Description      link encryption complete callback.
3606  *
3607  * Returns         None
3608  *
3609  ******************************************************************************/
bta_dm_encrypt_cback(const RawAddress * bd_addr,tBT_TRANSPORT transport,UNUSED_ATTR void * p_ref_data,tBTM_STATUS result)3610 void bta_dm_encrypt_cback(const RawAddress* bd_addr, tBT_TRANSPORT transport,
3611                           UNUSED_ATTR void* p_ref_data, tBTM_STATUS result) {
3612   tBTA_STATUS bta_status = BTA_SUCCESS;
3613   tBTA_DM_ENCRYPT_CBACK* p_callback = NULL;
3614   uint8_t i;
3615 
3616   for (i = 0; i < bta_dm_cb.device_list.count; i++) {
3617     if (bta_dm_cb.device_list.peer_device[i].peer_bdaddr == *bd_addr &&
3618         bta_dm_cb.device_list.peer_device[i].conn_state == BTA_DM_CONNECTED)
3619       break;
3620   }
3621 
3622   if (i < bta_dm_cb.device_list.count) {
3623     p_callback = bta_dm_cb.device_list.peer_device[i].p_encrypt_cback;
3624     bta_dm_cb.device_list.peer_device[i].p_encrypt_cback = NULL;
3625   }
3626 
3627   switch (result) {
3628     case BTM_SUCCESS:
3629       break;
3630     case BTM_WRONG_MODE:
3631       bta_status = BTA_WRONG_MODE;
3632       break;
3633     case BTM_NO_RESOURCES:
3634       bta_status = BTA_NO_RESOURCES;
3635       break;
3636     case BTM_BUSY:
3637       bta_status = BTA_BUSY;
3638       break;
3639     default:
3640       bta_status = BTA_FAILURE;
3641       break;
3642   }
3643 
3644   APPL_TRACE_DEBUG("bta_dm_encrypt_cback status =%d p_callback=0x%x",
3645                    bta_status, p_callback);
3646 
3647   if (p_callback) {
3648     (*p_callback)(*bd_addr, transport, bta_status);
3649   }
3650 }
3651 
3652 /**This function to encrypt the link */
bta_dm_set_encryption(const RawAddress & bd_addr,tBTA_TRANSPORT transport,tBTA_DM_ENCRYPT_CBACK * p_callback,tBTA_DM_BLE_SEC_ACT sec_act)3653 void bta_dm_set_encryption(const RawAddress& bd_addr, tBTA_TRANSPORT transport,
3654                            tBTA_DM_ENCRYPT_CBACK* p_callback,
3655                            tBTA_DM_BLE_SEC_ACT sec_act) {
3656   uint8_t i;
3657 
3658   APPL_TRACE_DEBUG("bta_dm_set_encryption");  // todo
3659   if (!p_callback) {
3660     APPL_TRACE_ERROR("bta_dm_set_encryption callback is not provided");
3661     return;
3662   }
3663   for (i = 0; i < bta_dm_cb.device_list.count; i++) {
3664     if (bta_dm_cb.device_list.peer_device[i].peer_bdaddr == bd_addr &&
3665         bta_dm_cb.device_list.peer_device[i].conn_state == BTA_DM_CONNECTED)
3666       break;
3667   }
3668   if (i < bta_dm_cb.device_list.count) {
3669     if (bta_dm_cb.device_list.peer_device[i].p_encrypt_cback) {
3670       APPL_TRACE_ERROR("earlier enc was not done for same device");
3671       (*p_callback)(bd_addr, transport, BTA_BUSY);
3672       return;
3673     }
3674 
3675     if (BTM_SetEncryption(bd_addr, transport, bta_dm_encrypt_cback, NULL,
3676                           sec_act) == BTM_CMD_STARTED) {
3677       bta_dm_cb.device_list.peer_device[i].p_encrypt_cback = p_callback;
3678     }
3679   }
3680 }
3681 
bta_dm_check_if_only_hd_connected(const RawAddress & peer_addr)3682 bool bta_dm_check_if_only_hd_connected(const RawAddress& peer_addr) {
3683   APPL_TRACE_DEBUG("%s: count(%d)", __func__, bta_dm_conn_srvcs.count);
3684 
3685   for (uint8_t j = 0; j < bta_dm_conn_srvcs.count; j++) {
3686     // Check if profiles other than hid are connected
3687     if ((bta_dm_conn_srvcs.conn_srvc[j].id != BTA_ID_HD) &&
3688         bta_dm_conn_srvcs.conn_srvc[j].peer_bdaddr == peer_addr) {
3689       APPL_TRACE_DEBUG("%s: Another profile (id=%d) is connected", __func__,
3690                        bta_dm_conn_srvcs.conn_srvc[j].id);
3691       return false;
3692     }
3693   }
3694 
3695   return true;
3696 }
3697 
3698 /*******************************************************************************
3699  *
3700  * Function         bta_dm_observe_results_cb
3701  *
3702  * Description      Callback for BLE Observe result
3703  *
3704  *
3705  * Returns          void
3706  *
3707  ******************************************************************************/
bta_dm_observe_results_cb(tBTM_INQ_RESULTS * p_inq,uint8_t * p_eir,uint16_t eir_len)3708 static void bta_dm_observe_results_cb(tBTM_INQ_RESULTS* p_inq, uint8_t* p_eir,
3709                                       uint16_t eir_len) {
3710   tBTA_DM_SEARCH result;
3711   tBTM_INQ_INFO* p_inq_info;
3712   APPL_TRACE_DEBUG("bta_dm_observe_results_cb");
3713 
3714   result.inq_res.bd_addr = p_inq->remote_bd_addr;
3715   result.inq_res.rssi = p_inq->rssi;
3716   result.inq_res.ble_addr_type = p_inq->ble_addr_type;
3717   result.inq_res.inq_result_type = p_inq->inq_result_type;
3718   result.inq_res.device_type = p_inq->device_type;
3719   result.inq_res.flag = p_inq->flag;
3720   result.inq_res.ble_evt_type = p_inq->ble_evt_type;
3721   result.inq_res.ble_primary_phy = p_inq->ble_primary_phy;
3722   result.inq_res.ble_secondary_phy = p_inq->ble_secondary_phy;
3723   result.inq_res.ble_advertising_sid = p_inq->ble_advertising_sid;
3724   result.inq_res.ble_tx_power = p_inq->ble_tx_power;
3725   result.inq_res.ble_periodic_adv_int = p_inq->ble_periodic_adv_int;
3726 
3727   /* application will parse EIR to find out remote device name */
3728   result.inq_res.p_eir = p_eir;
3729   result.inq_res.eir_len = eir_len;
3730 
3731   p_inq_info = BTM_InqDbRead(p_inq->remote_bd_addr);
3732   if (p_inq_info != NULL) {
3733     /* initialize remt_name_not_required to false so that we get the name by
3734      * default */
3735     result.inq_res.remt_name_not_required = false;
3736   }
3737 
3738   if (bta_dm_search_cb.p_scan_cback)
3739     bta_dm_search_cb.p_scan_cback(BTA_DM_INQ_RES_EVT, &result);
3740 
3741   if (p_inq_info) {
3742     /* application indicates if it knows the remote name, inside the callback
3743      copy that to the inquiry data base*/
3744     if (result.inq_res.remt_name_not_required)
3745       p_inq_info->appl_knows_rem_name = true;
3746   }
3747 }
3748 
3749 /*******************************************************************************
3750  *
3751  * Function         bta_dm_observe_cmpl_cb
3752  *
3753  * Description      Callback for BLE Observe complete
3754  *
3755  *
3756  * Returns          void
3757  *
3758  ******************************************************************************/
bta_dm_observe_cmpl_cb(void * p_result)3759 static void bta_dm_observe_cmpl_cb(void* p_result) {
3760   tBTA_DM_SEARCH data;
3761 
3762   APPL_TRACE_DEBUG("bta_dm_observe_cmpl_cb");
3763 
3764   data.inq_cmpl.num_resps = ((tBTM_INQUIRY_CMPL*)p_result)->num_resp;
3765   if (bta_dm_search_cb.p_scan_cback) {
3766     bta_dm_search_cb.p_scan_cback(BTA_DM_INQ_CMPL_EVT, &data);
3767   }
3768 }
3769 
3770 /*******************************************************************************
3771  *
3772  * Function         bta_dm_ble_smp_cback
3773  *
3774  * Description      Callback for BLE SMP
3775  *
3776  *
3777  * Returns          void
3778  *
3779  ******************************************************************************/
bta_dm_ble_smp_cback(tBTM_LE_EVT event,const RawAddress & bda,tBTM_LE_EVT_DATA * p_data)3780 static uint8_t bta_dm_ble_smp_cback(tBTM_LE_EVT event, const RawAddress& bda,
3781                                     tBTM_LE_EVT_DATA* p_data) {
3782   tBTM_STATUS status = BTM_SUCCESS;
3783   tBTA_DM_SEC sec_event;
3784   char* p_name = NULL;
3785 
3786   if (!bta_dm_cb.p_sec_cback) return BTM_NOT_AUTHORIZED;
3787 
3788   memset(&sec_event, 0, sizeof(tBTA_DM_SEC));
3789   switch (event) {
3790     case BTM_LE_IO_REQ_EVT:
3791       bta_dm_co_ble_io_req(
3792           bda, &p_data->io_req.io_cap, &p_data->io_req.oob_data,
3793           &p_data->io_req.auth_req, &p_data->io_req.max_key_size,
3794           &p_data->io_req.init_keys, &p_data->io_req.resp_keys);
3795       APPL_TRACE_EVENT("io mitm: %d oob_data:%d", p_data->io_req.auth_req,
3796                        p_data->io_req.oob_data);
3797 
3798       break;
3799 
3800     case BTM_LE_SEC_REQUEST_EVT:
3801       sec_event.ble_req.bd_addr = bda;
3802       p_name = BTM_SecReadDevName(bda);
3803       if (p_name != NULL)
3804         strlcpy((char*)sec_event.ble_req.bd_name, p_name, BD_NAME_LEN);
3805       else
3806         sec_event.ble_req.bd_name[0] = 0;
3807       bta_dm_cb.p_sec_cback(BTA_DM_BLE_SEC_REQ_EVT, &sec_event);
3808       break;
3809 
3810     case BTM_LE_KEY_NOTIF_EVT:
3811       sec_event.key_notif.bd_addr = bda;
3812       p_name = BTM_SecReadDevName(bda);
3813       if (p_name != NULL)
3814         strlcpy((char*)sec_event.key_notif.bd_name, p_name, BD_NAME_LEN);
3815       else
3816         sec_event.key_notif.bd_name[0] = 0;
3817       sec_event.key_notif.passkey = p_data->key_notif;
3818       bta_dm_cb.p_sec_cback(BTA_DM_BLE_PASSKEY_NOTIF_EVT, &sec_event);
3819       break;
3820 
3821     case BTM_LE_KEY_REQ_EVT:
3822       sec_event.ble_req.bd_addr = bda;
3823       bta_dm_cb.p_sec_cback(BTA_DM_BLE_PASSKEY_REQ_EVT, &sec_event);
3824       break;
3825 
3826     case BTM_LE_OOB_REQ_EVT:
3827       sec_event.ble_req.bd_addr = bda;
3828       bta_dm_cb.p_sec_cback(BTA_DM_BLE_OOB_REQ_EVT, &sec_event);
3829       break;
3830 
3831     case BTM_LE_NC_REQ_EVT:
3832       sec_event.key_notif.bd_addr = bda;
3833       strlcpy((char*)sec_event.key_notif.bd_name, bta_dm_get_remname(),
3834               (BD_NAME_LEN));
3835       sec_event.key_notif.passkey = p_data->key_notif;
3836       bta_dm_cb.p_sec_cback(BTA_DM_BLE_NC_REQ_EVT, &sec_event);
3837       break;
3838 
3839     case BTM_LE_SC_OOB_REQ_EVT:
3840       sec_event.ble_req.bd_addr = bda;
3841       bta_dm_cb.p_sec_cback(BTA_DM_BLE_SC_OOB_REQ_EVT, &sec_event);
3842       break;
3843 
3844     case BTM_LE_KEY_EVT:
3845       sec_event.ble_key.bd_addr = bda;
3846       sec_event.ble_key.key_type = p_data->key.key_type;
3847       sec_event.ble_key.p_key_value = p_data->key.p_key_value;
3848       bta_dm_cb.p_sec_cback(BTA_DM_BLE_KEY_EVT, &sec_event);
3849       break;
3850 
3851     case BTM_LE_COMPLT_EVT:
3852       sec_event.auth_cmpl.bd_addr = bda;
3853       BTM_ReadDevInfo(bda, &sec_event.auth_cmpl.dev_type,
3854                       &sec_event.auth_cmpl.addr_type);
3855       p_name = BTM_SecReadDevName(bda);
3856       if (p_name != NULL)
3857         strlcpy((char*)sec_event.auth_cmpl.bd_name, p_name, (BD_NAME_LEN));
3858       else
3859         sec_event.auth_cmpl.bd_name[0] = 0;
3860 
3861       if (p_data->complt.reason != 0) {
3862         sec_event.auth_cmpl.fail_reason =
3863             BTA_DM_AUTH_CONVERT_SMP_CODE(((uint8_t)p_data->complt.reason));
3864 
3865         if (btm_sec_is_a_bonded_dev(bda) &&
3866             p_data->complt.reason == SMP_CONN_TOUT) {
3867           // Bonded device failed to encrypt - to test this remove battery from
3868           // HID device right after connection, but before encryption is
3869           // established
3870           LOG(INFO) << __func__
3871                     << ": bonded device disconnected when encrypting - no "
3872                        "reason to unbond";
3873         } else {
3874           /* delete this device entry from Sec Dev DB */
3875           bta_dm_remove_sec_dev_entry(bda);
3876         }
3877 
3878       } else {
3879         sec_event.auth_cmpl.success = true;
3880         if (!p_data->complt.smp_over_br)
3881           GATT_ConfigServiceChangeCCC(bda, true, BT_TRANSPORT_LE);
3882       }
3883 
3884       if (bta_dm_cb.p_sec_cback) {
3885         // bta_dm_cb.p_sec_cback(BTA_DM_AUTH_CMPL_EVT, &sec_event);
3886         bta_dm_cb.p_sec_cback(BTA_DM_BLE_AUTH_CMPL_EVT, &sec_event);
3887       }
3888       break;
3889 
3890     default:
3891       status = BTM_NOT_AUTHORIZED;
3892       break;
3893   }
3894   return status;
3895 }
3896 
3897 /*******************************************************************************
3898  *
3899  * Function         bta_dm_ble_id_key_cback
3900  *
3901  * Description      Callback for BLE local ID keys
3902  *
3903  *
3904  * Returns          void
3905  *
3906  ******************************************************************************/
bta_dm_ble_id_key_cback(uint8_t key_type,tBTM_BLE_LOCAL_KEYS * p_key)3907 static void bta_dm_ble_id_key_cback(uint8_t key_type,
3908                                     tBTM_BLE_LOCAL_KEYS* p_key) {
3909   uint8_t evt;
3910   tBTA_DM_SEC dm_key;
3911 
3912   switch (key_type) {
3913     case BTM_BLE_KEY_TYPE_ID:
3914     case BTM_BLE_KEY_TYPE_ER:
3915       if (bta_dm_cb.p_sec_cback) {
3916         memcpy(&dm_key.ble_id_keys, p_key, sizeof(tBTM_BLE_LOCAL_KEYS));
3917 
3918         evt = (key_type == BTM_BLE_KEY_TYPE_ID) ? BTA_DM_BLE_LOCAL_IR_EVT
3919                                                 : BTA_DM_BLE_LOCAL_ER_EVT;
3920         bta_dm_cb.p_sec_cback(evt, &dm_key);
3921       }
3922       break;
3923 
3924     default:
3925       APPL_TRACE_DEBUG("Unknown key type %d", key_type);
3926       break;
3927   }
3928   return;
3929 }
3930 
3931 /*******************************************************************************
3932  *
3933  * Function         bta_dm_add_blekey
3934  *
3935  * Description      This function adds an BLE Key to an security database entry.
3936  *                  This function shall only be called AFTER BTA_DmAddBleDevice
3937  *                  has been called.
3938  *                  It is normally called during host startup to restore all
3939  *                  required information stored in the NVRAM.
3940  *
3941  * Parameters:
3942  *
3943  ******************************************************************************/
bta_dm_add_blekey(const RawAddress & bd_addr,tBTA_LE_KEY_VALUE blekey,tBTA_LE_KEY_TYPE key_type)3944 void bta_dm_add_blekey(const RawAddress& bd_addr, tBTA_LE_KEY_VALUE blekey,
3945                        tBTA_LE_KEY_TYPE key_type) {
3946   if (!BTM_SecAddBleKey(bd_addr, (tBTM_LE_KEY_VALUE*)&blekey, key_type)) {
3947     LOG(ERROR) << "BTA_DM: Error adding BLE Key for device " << bd_addr;
3948   }
3949 }
3950 
3951 /*******************************************************************************
3952  *
3953  * Function         bta_dm_add_ble_device
3954  *
3955  * Description      This function adds an BLE device to an security database
3956  *                  entry.
3957  *                  It is normally called during host startup to restore all
3958  *                  required information stored in the NVRAM.
3959  *
3960  * Parameters:
3961  *
3962  ******************************************************************************/
bta_dm_add_ble_device(const RawAddress & bd_addr,tBLE_ADDR_TYPE addr_type,tBT_DEVICE_TYPE dev_type)3963 void bta_dm_add_ble_device(const RawAddress& bd_addr, tBLE_ADDR_TYPE addr_type,
3964                            tBT_DEVICE_TYPE dev_type) {
3965   if (!BTM_SecAddBleDevice(bd_addr, NULL, dev_type, addr_type)) {
3966     LOG(ERROR) << "BTA_DM: Error adding BLE Device for device " << bd_addr;
3967   }
3968 }
3969 
3970 /*******************************************************************************
3971  *
3972  * Function         bta_dm_add_ble_device
3973  *
3974  * Description      This function adds an BLE device to an security database
3975  *                  entry.
3976  *                  It is normally called during host startup to restore all
3977  *                  required information stored in the NVRAM.
3978  *
3979  * Parameters:
3980  *
3981  ******************************************************************************/
bta_dm_ble_passkey_reply(const RawAddress & bd_addr,bool accept,uint32_t passkey)3982 void bta_dm_ble_passkey_reply(const RawAddress& bd_addr, bool accept,
3983                               uint32_t passkey) {
3984   BTM_BlePasskeyReply(bd_addr, accept ? BTM_SUCCESS : BTM_NOT_AUTHORIZED,
3985                       passkey);
3986 }
3987 
3988 /** This is response to SM numeric comparison request submitted to application.
3989  */
bta_dm_ble_confirm_reply(const RawAddress & bd_addr,bool accept)3990 void bta_dm_ble_confirm_reply(const RawAddress& bd_addr, bool accept) {
3991   BTM_BleConfirmReply(bd_addr, accept ? BTM_SUCCESS : BTM_NOT_AUTHORIZED);
3992 }
3993 
3994 /** This function set the preferred connection parameters */
bta_dm_ble_set_conn_params(const RawAddress & bd_addr,uint16_t conn_int_min,uint16_t conn_int_max,uint16_t slave_latency,uint16_t supervision_tout)3995 void bta_dm_ble_set_conn_params(const RawAddress& bd_addr,
3996                                 uint16_t conn_int_min, uint16_t conn_int_max,
3997                                 uint16_t slave_latency,
3998                                 uint16_t supervision_tout) {
3999   L2CA_AdjustConnectionIntervals(&conn_int_min, &conn_int_max,
4000                                  BTM_BLE_CONN_INT_MIN);
4001 
4002   BTM_BleSetPrefConnParams(bd_addr, conn_int_min, conn_int_max, slave_latency,
4003                            supervision_tout);
4004 }
4005 
4006 /** This function set the preferred connection scan parameters */
bta_dm_ble_set_conn_scan_params(uint32_t scan_interval,uint32_t scan_window)4007 void bta_dm_ble_set_conn_scan_params(uint32_t scan_interval,
4008                                      uint32_t scan_window) {
4009   BTM_BleSetConnScanParams(scan_interval, scan_window);
4010 }
4011 
4012 /** This function update LE connection parameters */
bta_dm_ble_update_conn_params(const RawAddress & bd_addr,uint16_t min_int,uint16_t max_int,uint16_t latency,uint16_t timeout,uint16_t min_ce_len,uint16_t max_ce_len)4013 void bta_dm_ble_update_conn_params(const RawAddress& bd_addr, uint16_t min_int,
4014                                    uint16_t max_int, uint16_t latency,
4015                                    uint16_t timeout, uint16_t min_ce_len,
4016                                    uint16_t max_ce_len) {
4017   L2CA_AdjustConnectionIntervals(&min_int, &max_int, BTM_BLE_CONN_INT_MIN);
4018 
4019   if (!L2CA_UpdateBleConnParams(bd_addr, min_int, max_int, latency, timeout,
4020                                 min_ce_len, max_ce_len)) {
4021     APPL_TRACE_ERROR("Update connection parameters failed!");
4022   }
4023 }
4024 
4025 #if (BLE_PRIVACY_SPT == TRUE)
4026 /** This function set the local device LE privacy settings. */
bta_dm_ble_config_local_privacy(bool privacy_enable)4027 void bta_dm_ble_config_local_privacy(bool privacy_enable) {
4028   BTM_BleConfigPrivacy(privacy_enable);
4029 }
4030 #endif
4031 
bta_dm_ble_observe(bool start,uint8_t duration,tBTA_DM_SEARCH_CBACK * p_cback)4032 void bta_dm_ble_observe(bool start, uint8_t duration,
4033                         tBTA_DM_SEARCH_CBACK* p_cback) {
4034   if (!start) {
4035     bta_dm_search_cb.p_scan_cback = NULL;
4036     BTM_BleObserve(false, 0, NULL, NULL);
4037     return;
4038   }
4039 
4040   /*Save the  callback to be called when a scan results are available */
4041   bta_dm_search_cb.p_scan_cback = p_cback;
4042   tBTM_STATUS status = BTM_BleObserve(true, duration, bta_dm_observe_results_cb,
4043                                       bta_dm_observe_cmpl_cb);
4044   if (status != BTM_CMD_STARTED) {
4045     tBTA_DM_SEARCH data;
4046     APPL_TRACE_WARNING(" %s BTM_BleObserve  failed. status %d", __func__,
4047                        status);
4048     data.inq_cmpl.num_resps = 0;
4049     if (bta_dm_search_cb.p_scan_cback) {
4050       bta_dm_search_cb.p_scan_cback(BTA_DM_INQ_CMPL_EVT, &data);
4051     }
4052   }
4053 }
4054 
4055 /** This function set the maximum transmission packet size */
bta_dm_ble_set_data_length(const RawAddress & bd_addr,uint16_t tx_data_length)4056 void bta_dm_ble_set_data_length(const RawAddress& bd_addr,
4057                                 uint16_t tx_data_length) {
4058   if (BTM_SetBleDataLength(bd_addr, tx_data_length) != BTM_SUCCESS) {
4059     APPL_TRACE_ERROR("%s failed", __func__);
4060   }
4061 }
4062 
4063 /*******************************************************************************
4064  *
4065  * Function         bta_ble_enable_scan_cmpl
4066  *
4067  * Description      ADV payload filtering enable / disable complete callback
4068  *
4069  *
4070  * Returns          None
4071  *
4072  ******************************************************************************/
bta_ble_energy_info_cmpl(tBTM_BLE_TX_TIME_MS tx_time,tBTM_BLE_RX_TIME_MS rx_time,tBTM_BLE_IDLE_TIME_MS idle_time,tBTM_BLE_ENERGY_USED energy_used,tBTM_STATUS status)4073 static void bta_ble_energy_info_cmpl(tBTM_BLE_TX_TIME_MS tx_time,
4074                                      tBTM_BLE_RX_TIME_MS rx_time,
4075                                      tBTM_BLE_IDLE_TIME_MS idle_time,
4076                                      tBTM_BLE_ENERGY_USED energy_used,
4077                                      tBTM_STATUS status) {
4078   tBTA_STATUS st = (status == BTM_SUCCESS) ? BTA_SUCCESS : BTA_FAILURE;
4079   tBTA_DM_CONTRL_STATE ctrl_state = 0;
4080 
4081   if (BTA_SUCCESS == st) ctrl_state = bta_dm_pm_obtain_controller_state();
4082 
4083   if (bta_dm_cb.p_energy_info_cback)
4084     bta_dm_cb.p_energy_info_cback(tx_time, rx_time, idle_time, energy_used,
4085                                   ctrl_state, st);
4086 }
4087 
4088 /** This function obtains the energy info */
bta_dm_ble_get_energy_info(tBTA_BLE_ENERGY_INFO_CBACK * p_energy_info_cback)4089 void bta_dm_ble_get_energy_info(
4090     tBTA_BLE_ENERGY_INFO_CBACK* p_energy_info_cback) {
4091   bta_dm_cb.p_energy_info_cback = p_energy_info_cback;
4092   tBTM_STATUS btm_status = BTM_BleGetEnergyInfo(bta_ble_energy_info_cmpl);
4093   if (BTM_CMD_STARTED != btm_status)
4094     bta_ble_energy_info_cmpl(0, 0, 0, 0, btm_status);
4095 }
4096 
4097 #ifndef BTA_DM_GATT_CLOSE_DELAY_TOUT
4098 #define BTA_DM_GATT_CLOSE_DELAY_TOUT 1000
4099 #endif
4100 
4101 /*******************************************************************************
4102  *
4103  * Function         bta_dm_gattc_register
4104  *
4105  * Description      Register with GATTC in DM if BLE is needed.
4106  *
4107  *
4108  * Returns          void
4109  *
4110  ******************************************************************************/
bta_dm_gattc_register(void)4111 static void bta_dm_gattc_register(void) {
4112   if (bta_dm_search_cb.client_if == BTA_GATTS_INVALID_IF) {
4113     BTA_GATTC_AppRegister(bta_dm_gattc_callback,
4114                           base::Bind([](uint8_t client_id, uint8_t status) {
4115                             if (status == GATT_SUCCESS)
4116                               bta_dm_search_cb.client_if = client_id;
4117                             else
4118                               bta_dm_search_cb.client_if = BTA_GATTS_INVALID_IF;
4119 
4120                           }));
4121   }
4122 }
4123 
4124 /*******************************************************************************
4125  *
4126  * Function         btm_dm_start_disc_gatt_services
4127  *
4128  * Description      This function starts a GATT service search request.
4129  *
4130  * Parameters:
4131  *
4132  ******************************************************************************/
btm_dm_start_disc_gatt_services(uint16_t conn_id)4133 static void btm_dm_start_disc_gatt_services(uint16_t conn_id) {
4134   Uuid* p_uuid = bta_dm_search_cb.p_srvc_uuid + bta_dm_search_cb.num_uuid -
4135                  bta_dm_search_cb.uuid_to_search;
4136 
4137   /* always search for all services */
4138   BTA_GATTC_ServiceSearchRequest(conn_id, p_uuid);
4139 }
4140 
4141 /*******************************************************************************
4142  *
4143  * Function         bta_dm_gatt_disc_result
4144  *
4145  * Description      This function process the GATT service search result.
4146  *
4147  * Parameters:
4148  *
4149  ******************************************************************************/
bta_dm_gatt_disc_result(tBTA_GATT_ID service_id)4150 static void bta_dm_gatt_disc_result(tBTA_GATT_ID service_id) {
4151   tBTA_DM_SEARCH result;
4152 
4153   /*
4154    * This logic will not work for gatt case.  We are checking against the
4155    * bluetooth profiles here
4156    * just copy the GATTID in raw data field and send it across.
4157    */
4158 
4159   if (bta_dm_search_cb.ble_raw_used + sizeof(tBTA_GATT_ID) <
4160       bta_dm_search_cb.ble_raw_size) {
4161     APPL_TRACE_DEBUG(
4162         "ADDING BLE SERVICE uuid=%s, ble_ptr = 0x%x, ble_raw_used = 0x%x",
4163         service_id.uuid.ToString().c_str(), bta_dm_search_cb.p_ble_rawdata,
4164         bta_dm_search_cb.ble_raw_used);
4165 
4166     if (bta_dm_search_cb.p_ble_rawdata) {
4167       // TODO(jpawlowski): the p_ble_raw data is only sent to btif_dm.cc, but is
4168       // never used there. Get rid of this code completly, or implement the
4169       // TODOs from btif_dm.cc
4170       memcpy((bta_dm_search_cb.p_ble_rawdata + bta_dm_search_cb.ble_raw_used),
4171              &service_id, sizeof(service_id));
4172 
4173       bta_dm_search_cb.ble_raw_used += sizeof(service_id);
4174     } else {
4175       APPL_TRACE_ERROR("p_ble_rawdata is NULL");
4176     }
4177 
4178   } else {
4179     APPL_TRACE_ERROR(
4180         "%s out of room to accomodate more service ids ble_raw_size = %d "
4181         "ble_raw_used = %d",
4182         __func__, bta_dm_search_cb.ble_raw_size, bta_dm_search_cb.ble_raw_used);
4183   }
4184 
4185   LOG_INFO(LOG_TAG, "%s service_id_uuid_len=%zu", __func__,
4186            service_id.uuid.GetShortestRepresentationSize());
4187   if (bta_dm_search_cb.state != BTA_DM_SEARCH_IDLE) {
4188     /* send result back to app now, one by one */
4189     result.disc_ble_res.bd_addr = bta_dm_search_cb.peer_bdaddr;
4190     strlcpy((char*)result.disc_ble_res.bd_name, bta_dm_get_remname(),
4191             BD_NAME_LEN);
4192     result.disc_ble_res.service = service_id.uuid;
4193 
4194     bta_dm_search_cb.p_search_cback(BTA_DM_DISC_BLE_RES_EVT, &result);
4195   }
4196 }
4197 
4198 /*******************************************************************************
4199  *
4200  * Function         bta_dm_gatt_disc_complete
4201  *
4202  * Description      This function process the GATT service search complete.
4203  *
4204  * Parameters:
4205  *
4206  ******************************************************************************/
bta_dm_gatt_disc_complete(uint16_t conn_id,tGATT_STATUS status)4207 static void bta_dm_gatt_disc_complete(uint16_t conn_id, tGATT_STATUS status) {
4208   APPL_TRACE_DEBUG("%s conn_id = %d", __func__, conn_id);
4209 
4210   if (bta_dm_search_cb.uuid_to_search > 0) bta_dm_search_cb.uuid_to_search--;
4211 
4212   if (status == GATT_SUCCESS && bta_dm_search_cb.uuid_to_search > 0) {
4213     btm_dm_start_disc_gatt_services(conn_id);
4214   } else {
4215     tBTA_DM_MSG* p_msg = (tBTA_DM_MSG*)osi_malloc(sizeof(tBTA_DM_MSG));
4216 
4217     bta_dm_search_cb.uuid_to_search = 0;
4218 
4219     /* no more services to be discovered */
4220     p_msg->hdr.event = BTA_DM_DISCOVERY_RESULT_EVT;
4221     p_msg->disc_result.result.disc_res.result =
4222         (status == GATT_SUCCESS) ? BTA_SUCCESS : BTA_FAILURE;
4223     APPL_TRACE_DEBUG("%s service found: 0x%08x", __func__,
4224                      bta_dm_search_cb.services_found);
4225     p_msg->disc_result.result.disc_res.services =
4226         bta_dm_search_cb.services_found;
4227     p_msg->disc_result.result.disc_res.num_uuids = 0;
4228     p_msg->disc_result.result.disc_res.p_uuid_list = NULL;
4229     p_msg->disc_result.result.disc_res.bd_addr = bta_dm_search_cb.peer_bdaddr;
4230     strlcpy((char*)p_msg->disc_result.result.disc_res.bd_name,
4231             bta_dm_get_remname(), BD_NAME_LEN);
4232 
4233     p_msg->disc_result.result.disc_res.device_type |= BT_DEVICE_TYPE_BLE;
4234     if (bta_dm_search_cb.ble_raw_used > 0) {
4235       p_msg->disc_result.result.disc_res.p_raw_data =
4236           (uint8_t*)osi_malloc(bta_dm_search_cb.ble_raw_used);
4237 
4238       memcpy(p_msg->disc_result.result.disc_res.p_raw_data,
4239              bta_dm_search_cb.p_ble_rawdata, bta_dm_search_cb.ble_raw_used);
4240 
4241       p_msg->disc_result.result.disc_res.raw_data_size =
4242           bta_dm_search_cb.ble_raw_used;
4243     } else {
4244       p_msg->disc_result.result.disc_res.p_raw_data = NULL;
4245       bta_dm_search_cb.p_ble_rawdata = 0;
4246     }
4247 
4248     bta_sys_sendmsg(p_msg);
4249 
4250     if (conn_id != GATT_INVALID_CONN_ID) {
4251       /* start a GATT channel close delay timer */
4252       bta_sys_start_timer(bta_dm_search_cb.gatt_close_timer,
4253                           BTA_DM_GATT_CLOSE_DELAY_TOUT,
4254                           BTA_DM_DISC_CLOSE_TOUT_EVT, 0);
4255       bta_dm_search_cb.pending_close_bda = bta_dm_search_cb.peer_bdaddr;
4256     }
4257     bta_dm_search_cb.gatt_disc_active = false;
4258   }
4259 }
4260 
4261 /*******************************************************************************
4262  *
4263  * Function         bta_dm_close_gatt_conn
4264  *
4265  * Description      This function close the GATT connection after delay
4266  *timeout.
4267  *
4268  * Parameters:
4269  *
4270  ******************************************************************************/
bta_dm_close_gatt_conn(UNUSED_ATTR tBTA_DM_MSG * p_data)4271 void bta_dm_close_gatt_conn(UNUSED_ATTR tBTA_DM_MSG* p_data) {
4272   if (bta_dm_search_cb.conn_id != GATT_INVALID_CONN_ID)
4273     BTA_GATTC_Close(bta_dm_search_cb.conn_id);
4274 
4275   bta_dm_search_cb.pending_close_bda = RawAddress::kEmpty;
4276   bta_dm_search_cb.conn_id = GATT_INVALID_CONN_ID;
4277 }
4278 /*******************************************************************************
4279  *
4280  * Function         btm_dm_start_gatt_discovery
4281  *
4282  * Description      This is GATT initiate the service search by open a GATT
4283  *                  connection first.
4284  *
4285  * Parameters:
4286  *
4287  ******************************************************************************/
btm_dm_start_gatt_discovery(const RawAddress & bd_addr)4288 void btm_dm_start_gatt_discovery(const RawAddress& bd_addr) {
4289   bta_dm_search_cb.gatt_disc_active = true;
4290 
4291   /* connection is already open */
4292   if (bta_dm_search_cb.pending_close_bda == bd_addr &&
4293       bta_dm_search_cb.conn_id != GATT_INVALID_CONN_ID) {
4294     bta_dm_search_cb.pending_close_bda = RawAddress::kEmpty;
4295     alarm_cancel(bta_dm_search_cb.gatt_close_timer);
4296     btm_dm_start_disc_gatt_services(bta_dm_search_cb.conn_id);
4297   } else {
4298     if (BTM_IsAclConnectionUp(bd_addr, BT_TRANSPORT_LE)) {
4299       BTA_GATTC_Open(bta_dm_search_cb.client_if, bd_addr, true,
4300                      GATT_TRANSPORT_LE, true);
4301     } else {
4302       BTA_GATTC_Open(bta_dm_search_cb.client_if, bd_addr, true,
4303                      GATT_TRANSPORT_LE, false);
4304     }
4305   }
4306 }
4307 
4308 /*******************************************************************************
4309  *
4310  * Function         bta_dm_cancel_gatt_discovery
4311  *
4312  * Description      This is GATT cancel the GATT service search.
4313  *
4314  * Parameters:
4315  *
4316  ******************************************************************************/
bta_dm_cancel_gatt_discovery(const RawAddress & bd_addr)4317 static void bta_dm_cancel_gatt_discovery(const RawAddress& bd_addr) {
4318   if (bta_dm_search_cb.conn_id == GATT_INVALID_CONN_ID) {
4319     BTA_GATTC_CancelOpen(bta_dm_search_cb.client_if, bd_addr, true);
4320   }
4321 
4322   bta_dm_gatt_disc_complete(bta_dm_search_cb.conn_id, (tGATT_STATUS)GATT_ERROR);
4323 }
4324 
4325 /*******************************************************************************
4326  *
4327  * Function         bta_dm_proc_open_evt
4328  *
4329  * Description      process BTA_GATTC_OPEN_EVT in DM.
4330  *
4331  * Parameters:
4332  *
4333  ******************************************************************************/
bta_dm_proc_open_evt(tBTA_GATTC_OPEN * p_data)4334 void bta_dm_proc_open_evt(tBTA_GATTC_OPEN* p_data) {
4335   VLOG(1) << "DM Search state= " << bta_dm_search_cb.state
4336           << " search_cb.peer_dbaddr:" << bta_dm_search_cb.peer_bdaddr
4337           << " connected_bda=" << p_data->remote_bda.address;
4338 
4339   APPL_TRACE_DEBUG("BTA_GATTC_OPEN_EVT conn_id = %d client_if=%d status = %d",
4340                    p_data->conn_id, p_data->client_if, p_data->status);
4341 
4342   bta_dm_search_cb.conn_id = p_data->conn_id;
4343 
4344   if (p_data->status == GATT_SUCCESS) {
4345     btm_dm_start_disc_gatt_services(p_data->conn_id);
4346   } else {
4347     bta_dm_gatt_disc_complete(GATT_INVALID_CONN_ID, p_data->status);
4348   }
4349 }
4350 
4351 /*******************************************************************************
4352  *
4353  * Function         bta_dm_gattc_callback
4354  *
4355  * Description      This is GATT client callback function used in DM.
4356  *
4357  * Parameters:
4358  *
4359  ******************************************************************************/
bta_dm_gattc_callback(tBTA_GATTC_EVT event,tBTA_GATTC * p_data)4360 static void bta_dm_gattc_callback(tBTA_GATTC_EVT event, tBTA_GATTC* p_data) {
4361   APPL_TRACE_DEBUG("bta_dm_gattc_callback event = %d", event);
4362 
4363   switch (event) {
4364     case BTA_GATTC_OPEN_EVT:
4365       bta_dm_proc_open_evt(&p_data->open);
4366       break;
4367 
4368     case BTA_GATTC_SEARCH_RES_EVT:
4369       bta_dm_gatt_disc_result(p_data->srvc_res.service_uuid);
4370       break;
4371 
4372     case BTA_GATTC_SEARCH_CMPL_EVT:
4373       if (bta_dm_search_cb.state != BTA_DM_SEARCH_IDLE)
4374         bta_dm_gatt_disc_complete(p_data->search_cmpl.conn_id,
4375                                   p_data->search_cmpl.status);
4376       break;
4377 
4378     case BTA_GATTC_CLOSE_EVT:
4379       APPL_TRACE_DEBUG("BTA_GATTC_CLOSE_EVT reason = %d", p_data->close.reason);
4380       /* in case of disconnect before search is completed */
4381       if ((bta_dm_search_cb.state != BTA_DM_SEARCH_IDLE) &&
4382           (bta_dm_search_cb.state != BTA_DM_SEARCH_ACTIVE) &&
4383           p_data->close.remote_bda == bta_dm_search_cb.peer_bdaddr) {
4384         bta_dm_gatt_disc_complete((uint16_t)GATT_INVALID_CONN_ID,
4385                                   (tGATT_STATUS)GATT_ERROR);
4386       }
4387       break;
4388 
4389     default:
4390       break;
4391   }
4392 }
4393 
4394 #if (BLE_VND_INCLUDED == TRUE)
4395 /*******************************************************************************
4396  *
4397  * Function         bta_dm_ctrl_features_rd_cmpl_cback
4398  *
4399  * Description      callback to handle controller feature read complete
4400  *
4401  * Parameters:
4402  *
4403  ******************************************************************************/
bta_dm_ctrl_features_rd_cmpl_cback(tBTM_STATUS result)4404 static void bta_dm_ctrl_features_rd_cmpl_cback(tBTM_STATUS result) {
4405   APPL_TRACE_DEBUG("%s  status = %d ", __func__, result);
4406   if (result == BTM_SUCCESS) {
4407     if (bta_dm_cb.p_sec_cback)
4408       bta_dm_cb.p_sec_cback(BTA_DM_LE_FEATURES_READ, NULL);
4409   } else {
4410     APPL_TRACE_ERROR("%s Ctrl BLE feature read failed: status :%d", __func__,
4411                      result);
4412   }
4413 }
4414 #endif /* BLE_VND_INCLUDED */
4415