1 /******************************************************************************
2 *
3 * Copyright 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * This file contains functions for the Bluetooth Device Manager
22 *
23 ******************************************************************************/
24
25 #include <stddef.h>
26 #include <stdio.h>
27 #include <stdlib.h>
28 #include <string.h>
29
30 #include "bt_common.h"
31 #include "bt_types.h"
32 #include "btm_api.h"
33 #include "btm_int.h"
34 #include "btu.h"
35 #include "device/include/controller.h"
36 #include "hcidefs.h"
37 #include "hcimsgs.h"
38 #include "l2c_api.h"
39
40 /*******************************************************************************
41 *
42 * Function BTM_SecAddDevice
43 *
 * Description Add/modify device. This function is normally called
45 * during host startup to restore all required information
46 * stored in the NVRAM.
47 *
48 * Parameters: bd_addr - BD address of the peer
49 * dev_class - Device Class
50 * bd_name - Name of the peer device. NULL if unknown.
51 * features - Remote device's features (up to 3 pages).
52 * NULL if not known
53 * trusted_mask - Bitwise OR of services that do not
54 * require authorization.
55 * (array of uint32_t)
56 * link_key - Connection link key. NULL if unknown.
57 *
58 * Returns true if added OK, else false
59 *
60 ******************************************************************************/
bool BTM_SecAddDevice(const RawAddress& bd_addr, DEV_CLASS dev_class,
                      BD_NAME bd_name, uint8_t* features,
                      uint32_t trusted_mask[], LinkKey* p_link_key,
                      uint8_t key_type, tBTM_IO_CAP io_cap,
                      uint8_t pin_length) {
  BTM_TRACE_API("%s: link key type:%x", __func__, key_type);

  tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bd_addr);
  if (p_rec == NULL) {
    /* No record for this peer yet: allocate one and seed address + handle. */
    p_rec = btm_sec_allocate_dev_rec();
    BTM_TRACE_API("%s: allocated p_dev_rec=%p, bd_addr=%s", __func__, p_rec,
                  bd_addr.ToString().c_str());

    p_rec->bd_addr = bd_addr;
    p_rec->hci_handle = BTM_GetHCIConnHandle(bd_addr, BT_TRANSPORT_BR_EDR);

    /* update conn params, use default value for background connection params */
    memset(&p_rec->conn_params, 0xff, sizeof(tBTM_LE_CONN_PRAMS));
  } else {
    /* Existing record: refresh its age so it is not the next eviction
     * candidate in btm_find_oldest_dev_rec(). */
    p_rec->timestamp = btm_cb.dev_rec_count++;

    /* TODO(eisenbach):
     * Small refactor, but leaving original logic for now.
     * On the surface, this does not make any sense at all. Why change the
     * bond state for an existing device here? This logic should be verified
     * as part of a larger refactor.
     */
    p_rec->bond_type = BOND_TYPE_UNKNOWN;
  }

  if (dev_class) memcpy(p_rec->dev_class, dev_class, DEV_CLASS_LEN);

  /* The stored name is always reset; it is only re-populated when the caller
   * supplies a non-empty one. */
  memset(p_rec->sec_bd_name, 0, sizeof(tBTM_BD_NAME));
  if (bd_name && bd_name[0]) {
    p_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
    strlcpy((char*)p_rec->sec_bd_name, (char*)bd_name,
            BTM_MAX_REM_BD_NAME_LEN);
  }

  /* Feature pages: copy the caller's buffer and derive how many pages are
   * actually known from the highest page that contains a non-zero byte.
   * NOTE(review): the memcpy assumes |features| spans sizeof(feature_pages)
   * bytes (the header says "up to 3 pages") — confirm against callers. */
  p_rec->num_read_pages = 0;
  if (features == NULL) {
    memset(p_rec->feature_pages, 0, sizeof(p_rec->feature_pages));
  } else {
    memcpy(p_rec->feature_pages, features, sizeof(p_rec->feature_pages));
    for (int page = HCI_EXT_FEATURES_PAGE_MAX; page >= 0; page--) {
      bool page_has_bits = false;
      for (int byte = 0; byte < HCI_FEATURE_BYTES_PER_PAGE; byte++) {
        if (p_rec->feature_pages[page][byte] != 0) {
          page_has_bits = true;
          break;
        }
      }
      if (page_has_bits) {
        p_rec->num_read_pages = page + 1;
        break;
      }
    }
  }

  BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_rec->trusted_mask);

  if (p_link_key) {
    VLOG(2) << __func__ << ": BDA: " << bd_addr;
    p_rec->sec_flags |= BTM_SEC_LINK_KEY_KNOWN;
    p_rec->link_key = *p_link_key;
    p_rec->link_key_type = key_type;
    p_rec->pin_code_length = pin_length;

    /* A key derived from a 16-digit PIN or an authenticated (MITM-protected)
     * pairing is recorded as authenticated. */
    const bool authed_key = pin_length >= 16 ||
                            key_type == BTM_LKEY_TYPE_AUTH_COMB ||
                            key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256;
    if (authed_key) {
      p_rec->sec_flags |=
          BTM_SEC_16_DIGIT_PIN_AUTHED | BTM_SEC_LINK_KEY_AUTHED;
    }
  }

#if (BTIF_MIXED_MODE_INCLUDED == TRUE)
  /* Pre-SM4 key types identify a legacy (non-SSP) peer. */
  p_rec->sm4 = (key_type < BTM_MAX_PRE_SM4_LKEY_TYPE) ? BTM_SM4_KNOWN
                                                       : BTM_SM4_TRUE;
#endif

  p_rec->rmt_io_caps = io_cap;
  p_rec->device_type |= BT_DEVICE_TYPE_BREDR;

  /* No failure path exists in this function; it always reports success. */
  return true;
}
151
/* Zero the key material held in |p_dev_rec| and unlink it from the device
 * list. The record is released by list_remove (see the note in
 * btm_consolidate_dev), so callers must not touch it afterwards.
 * NOTE(review): the zeroing is plain memset/fill; it is not elided here only
 * because list_remove is opaque to the optimizer — a dedicated explicit-zero
 * helper would make that guarantee independent of that. */
void wipe_secrets_and_remove(tBTM_SEC_DEV_REC* p_dev_rec) {
  // LE keys first, then the BR/EDR link key — order is immaterial.
  memset(&p_dev_rec->ble.keys, 0, sizeof(tBTM_SEC_BLE_KEYS));
  p_dev_rec->link_key.fill(0);
  list_remove(btm_cb.sec_dev_rec, p_dev_rec);
}
157
158 /** Free resources associated with the device associated with |bd_addr| address.
159 *
160 * *** WARNING ***
161 * tBTM_SEC_DEV_REC associated with bd_addr becomes invalid after this function
 * is called, as are all of its fields; i.e. if you use p_dev_rec->bd_addr, it is
163 * no longer valid!
164 * *** WARNING ***
165 *
166 * Returns true if removed OK, false if not found or ACL link is active.
167 */
bool BTM_SecDeleteDevice(const RawAddress& bd_addr) {
  /* Refuse while any ACL (LE or BR/EDR) to this peer is still up. */
  const bool acl_up = BTM_IsAclConnectionUp(bd_addr, BT_TRANSPORT_LE) ||
                      BTM_IsAclConnectionUp(bd_addr, BT_TRANSPORT_BR_EDR);
  if (acl_up) {
    BTM_TRACE_WARNING("%s FAILED: Cannot Delete when connection is active",
                      __func__);
    return false;
  }

  tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bd_addr);
  /* Unknown peer: nothing to wipe. Note this reports success, which differs
   * from the "false if not found" wording in the header comment above. */
  if (p_rec == NULL) return true;

  /* Copy the address out first: the record is gone after
   * wipe_secrets_and_remove(). */
  const RawAddress bda = p_rec->bd_addr;

  /* Clear out any saved BLE keys */
  btm_sec_clear_ble_keys(p_rec);
  wipe_secrets_and_remove(p_rec);
  /* Tell controller to get rid of the link key, if it has one stored */
  BTM_DeleteStoredLinkKey(&bda, NULL);

  return true;
}
189
190 /*******************************************************************************
191 *
192 * Function BTM_SecClearSecurityFlags
193 *
194 * Description Reset the security flags (mark as not-paired) for a given
 * remote device.
196 *
197 ******************************************************************************/
extern void BTM_SecClearSecurityFlags(const RawAddress& bd_addr) {
  tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bd_addr);
  if (p_rec != NULL) {
    /* Drops every flag, including the *_KNOWN / *_AUTHED bits and the
     * BTM_SEC_IN_USE bit set at allocation. Only the flags are reset: the
     * key bytes themselves remain in the record until it is wiped. */
    p_rec->sec_flags = 0;
    p_rec->sec_state = BTM_SEC_STATE_IDLE;
    p_rec->sm4 = BTM_SM4_UNKNOWN;
  }
}
206
207 /*******************************************************************************
208 *
209 * Function BTM_SecReadDevName
210 *
211 * Description Looks for the device name in the security database for the
212 * specified BD address.
213 *
214 * Returns Pointer to the name or NULL
215 *
216 ******************************************************************************/
char* BTM_SecReadDevName(const RawAddress& bd_addr) {
  tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bd_addr);
  if (p_rec == NULL) return NULL;

  /* The returned pointer aliases the record's own storage; it is only valid
   * for as long as the record stays in the device list. */
  return reinterpret_cast<char*>(p_rec->sec_bd_name);
}
226
227 /*******************************************************************************
228 *
229 * Function btm_sec_alloc_dev
230 *
231 * Description Look for the record in the device database for the record
232 * with specified address
233 *
234 * Returns Pointer to the record or NULL
235 *
236 ******************************************************************************/
tBTM_SEC_DEV_REC* btm_sec_alloc_dev(const RawAddress& bd_addr) {
  /* Always allocates a fresh record (evicting the oldest if over the cap);
   * it does not look for an existing one — see btm_find_or_alloc_dev. */
  tBTM_SEC_DEV_REC* p_rec = btm_sec_allocate_dev_rec();

  BTM_TRACE_EVENT("%s: allocated p_dev_rec=%p, bd_addr=%s", __func__, p_rec,
                  bd_addr.ToString().c_str());

  /* Seed class/type from the inquiry database if the peer was seen there;
   * otherwise, for the peer we are currently connecting to, take the class
   * recorded at connect time. */
  tBTM_INQ_INFO* p_inq = BTM_InqDbRead(bd_addr);
  if (p_inq != NULL) {
    memcpy(p_rec->dev_class, p_inq->results.dev_class, DEV_CLASS_LEN);
    p_rec->device_type = p_inq->results.device_type;
    p_rec->ble.ble_addr_type = p_inq->results.ble_addr_type;
  } else if (bd_addr == btm_cb.connecting_bda) {
    memcpy(p_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN);
  }

  /* update conn params, use default value for background connection params */
  memset(&p_rec->conn_params, 0xff, sizeof(tBTM_LE_CONN_PRAMS));

  p_rec->bd_addr = bd_addr;
  p_rec->ble_hci_handle = BTM_GetHCIConnHandle(bd_addr, BT_TRANSPORT_LE);
  p_rec->hci_handle = BTM_GetHCIConnHandle(bd_addr, BT_TRANSPORT_BR_EDR);

  return p_rec;
}
266
267 /*******************************************************************************
268 *
269 * Function btm_dev_support_switch
270 *
271 * Description This function is called by the L2CAP to check if remote
272 * device supports role switch
273 *
274 * Parameters: bd_addr - Address of the peer device
275 *
276 * Returns true if device is known and role switch is supported
277 *
278 ******************************************************************************/
bool btm_dev_support_switch(const RawAddress& bd_addr) {
  /* Role switch is not allowed if a SCO is up */
  if (btm_is_sco_active_by_bdaddr(bd_addr)) return false;

  tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bd_addr);
  /* The controller query is only made once we know the peer (short-circuit). */
  if (p_rec != NULL &&
      controller_get_interface()->supports_master_slave_role_switch()) {
    if (HCI_SWITCH_SUPPORTED(p_rec->feature_pages[0])) {
      BTM_TRACE_DEBUG("btm_dev_support_switch return true (feature found)");
      return true;
    }

    /* An all-zero page 0 means the peer's features were never received. */
    bool any_bit_set = false;
    for (uint8_t idx = 0; idx < BD_FEATURES_LEN && !any_bit_set; idx++) {
      any_bit_set = (p_rec->feature_pages[0][idx] != 0x00);
    }

    /* Existing policy: unknown capabilities are treated as "supports switch". */
    if (!any_bit_set) {
      BTM_TRACE_DEBUG("btm_dev_support_switch return true (feature empty)");
      return true;
    }
  }

  BTM_TRACE_DEBUG("btm_dev_support_switch return false");
  return false;
}
312
/* list_foreach callback used by btm_find_dev_by_handle. Returns false on the
 * record whose BR/EDR or LE handle equals *context (presumably false is the
 * list's "stop here" signal, since the caller returns the node it stopped at). */
bool is_handle_equal(void* data, void* context) {
  const tBTM_SEC_DEV_REC* p_rec = static_cast<const tBTM_SEC_DEV_REC*>(data);
  const uint16_t wanted = *static_cast<const uint16_t*>(context);

  const bool matches =
      (p_rec->hci_handle == wanted) || (p_rec->ble_hci_handle == wanted);
  return !matches;
}
322
323 /*******************************************************************************
324 *
325 * Function btm_find_dev_by_handle
326 *
327 * Description Look for the record in the device database for the record
328 * with specified handle
329 *
330 * Returns Pointer to the record or NULL
331 *
332 ******************************************************************************/
tBTM_SEC_DEV_REC* btm_find_dev_by_handle(uint16_t handle) {
  /* The walk stops at the first record whose callback returns false. */
  list_node_t* hit = list_foreach(btm_cb.sec_dev_rec, is_handle_equal, &handle);
  if (hit == NULL) return NULL;
  return static_cast<tBTM_SEC_DEV_REC*>(list_node(hit));
}
339
/* list_foreach callback used by btm_find_dev. Same convention as
 * is_handle_equal: false means "this is the record". A record matches by its
 * identity address, by its LE pseudo address, or when the looked-up address
 * resolves against the record. */
bool is_address_equal(void* data, void* context) {
  tBTM_SEC_DEV_REC* p_rec = static_cast<tBTM_SEC_DEV_REC*>(data);
  const RawAddress& wanted = *static_cast<const RawAddress*>(context);

  if (p_rec->bd_addr == wanted) return false;
  // If a LE random address is looking for device record
  if (p_rec->ble.pseudo_addr == wanted) return false;

  return !btm_ble_addr_resolvable(wanted, p_rec);
}
351
352 /*******************************************************************************
353 *
354 * Function btm_find_dev
355 *
356 * Description Look for the record in the device database for the record
357 * with specified BD address
358 *
359 * Returns Pointer to the record or NULL
360 *
361 ******************************************************************************/
tBTM_SEC_DEV_REC* btm_find_dev(const RawAddress& bd_addr) {
  /* const is cast away only to fit the void* callback context;
   * is_address_equal reads the address and never writes through it. */
  void* ctx = const_cast<RawAddress*>(&bd_addr);
  list_node_t* hit = list_foreach(btm_cb.sec_dev_rec, is_address_equal, ctx);
  if (hit == NULL) return NULL;
  return static_cast<tBTM_SEC_DEV_REC*>(list_node(hit));
}
369
370 /*******************************************************************************
371 *
372 * Function btm_consolidate_dev
 *
374 * Description combine security records if identified as same peer
375 *
376 * Returns none
377 *
378 ******************************************************************************/
void btm_consolidate_dev(tBTM_SEC_DEV_REC* p_target_rec) {
  /* Snapshot of the target taken before any merge, so the target's LE-side
   * state survives the wholesale memcpy below. */
  const tBTM_SEC_DEV_REC snapshot = *p_target_rec;

  BTM_TRACE_DEBUG("%s", __func__);

  list_node_t* const end = list_end(btm_cb.sec_dev_rec);
  list_node_t* node = list_begin(btm_cb.sec_dev_rec);
  for (list_node_t* next = NULL; node != end; node = next) {
    tBTM_SEC_DEV_REC* p_other =
        static_cast<tBTM_SEC_DEV_REC*>(list_node(node));

    // removal below invalidates |node|, so fetch the successor first
    next = list_next(node);

    if (p_other == p_target_rec) continue;

    if (p_other->bd_addr == p_target_rec->bd_addr) {
      /* Same identity address: adopt the other record wholesale, then
       * restore the target's LE fields and OR-merge type/flag bits. */
      memcpy(p_target_rec, p_other, sizeof(tBTM_SEC_DEV_REC));
      p_target_rec->ble = snapshot.ble;
      p_target_rec->ble_hci_handle = snapshot.ble_hci_handle;
      p_target_rec->enc_key_size = snapshot.enc_key_size;
      p_target_rec->conn_params = snapshot.conn_params;
      p_target_rec->device_type |= snapshot.device_type;
      p_target_rec->sec_flags |= snapshot.sec_flags;

      p_target_rec->new_encryption_key_is_p256 =
          snapshot.new_encryption_key_is_p256;
      p_target_rec->no_smp_on_br = snapshot.no_smp_on_br;
      p_target_rec->bond_type = snapshot.bond_type;

      /* remove the combined record */
      wipe_secrets_and_remove(p_other);
      // p_other gets freed in list_remove, we should not access it further
      continue;
    }

    /* an RPA device entry is a duplicate of the target record */
    if (btm_ble_addr_resolvable(p_other->bd_addr, p_target_rec) &&
        p_target_rec->ble.pseudo_addr == p_other->bd_addr) {
      p_target_rec->ble.ble_addr_type = p_other->ble.ble_addr_type;
      p_target_rec->device_type |= p_other->device_type;

      /* remove the combined record */
      wipe_secrets_and_remove(p_other);
    }
  }
}
427
428 /*******************************************************************************
429 *
430 * Function btm_find_or_alloc_dev
431 *
432 * Description Look for the record in the device database for the record
433 * with specified BD address
434 *
435 * Returns Pointer to the record or NULL
436 *
437 ******************************************************************************/
tBTM_SEC_DEV_REC* btm_find_or_alloc_dev(const RawAddress& bd_addr) {
  BTM_TRACE_EVENT("btm_find_or_alloc_dev");
  tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bd_addr);
  if (p_rec != NULL) return p_rec;

  /* Not known yet: allocate (this may evict the oldest record). */
  return btm_sec_alloc_dev(bd_addr);
}
448
449 /*******************************************************************************
450 *
451 * Function btm_find_oldest_dev_rec
452 *
453 * Description Locates the oldest device in use. It first looks for
454 * the oldest non-paired device. If all devices are paired it
455 * returns the oldest paired device.
456 *
457 * Returns Pointer to the record or NULL
458 *
459 ******************************************************************************/
static tBTM_SEC_DEV_REC* btm_find_oldest_dev_rec(void) {
  /* Sentinel meaning "no candidate seen yet" (timestamps are compared with <). */
  const uint32_t kNoTimestamp = 0xFFFFFFFF;
  tBTM_SEC_DEV_REC* oldest_unpaired = NULL;
  uint32_t ts_unpaired = kNoTimestamp;
  tBTM_SEC_DEV_REC* oldest_paired = NULL;
  uint32_t ts_paired = kNoTimestamp;

  list_node_t* const end = list_end(btm_cb.sec_dev_rec);
  for (list_node_t* node = list_begin(btm_cb.sec_dev_rec); node != end;
       node = list_next(node)) {
    tBTM_SEC_DEV_REC* p_rec =
        static_cast<tBTM_SEC_DEV_REC*>(list_node(node));

    /* "Paired" here means a BR/EDR or LE link key is known for the record. */
    const bool paired =
        (p_rec->sec_flags &
         (BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LE_LINK_KEY_KNOWN)) != 0;
    tBTM_SEC_DEV_REC** slot = paired ? &oldest_paired : &oldest_unpaired;
    uint32_t* ts = paired ? &ts_paired : &ts_unpaired;
    if (p_rec->timestamp < *ts) {
      *slot = p_rec;
      *ts = p_rec->timestamp;
    }
  }

  /* Prefer evicting an unpaired record; fall back to the oldest paired one
   * only when no unpaired candidate was found. */
  return (ts_unpaired == kNoTimestamp) ? oldest_paired : oldest_unpaired;
}
493
494 /*******************************************************************************
495 *
496 * Function btm_sec_allocate_dev_rec
497 *
498 * Description Attempts to allocate a new device record. If we have
499 * exceeded the maximum number of allowable records to
500 * allocate, the oldest record will be deleted to make room
501 * for the new record.
502 *
503 * Returns Pointer to the newly allocated record
504 *
505 ******************************************************************************/
tBTM_SEC_DEV_REC* btm_sec_allocate_dev_rec(void) {
  /* Evict one record when the list is already over the cap. Because the test
   * is strictly greater-than and a record is appended afterwards, the list can
   * hold BTM_SEC_MAX_DEVICE_RECORDS + 1 entries between calls. */
  if (list_length(btm_cb.sec_dev_rec) > BTM_SEC_MAX_DEVICE_RECORDS) {
    // Expected non-NULL here: the list is non-empty when this branch runs.
    tBTM_SEC_DEV_REC* victim = btm_find_oldest_dev_rec();
    wipe_secrets_and_remove(victim);
  }

  tBTM_SEC_DEV_REC* p_rec =
      static_cast<tBTM_SEC_DEV_REC*>(osi_calloc(sizeof(tBTM_SEC_DEV_REC)));
  // NOTE(review): the allocation result is not NULL-checked; confirm that
  // osi_calloc aborts on failure rather than returning NULL.
  list_append(btm_cb.sec_dev_rec, p_rec);

  // Initialize defaults (everything else is zero from calloc)
  p_rec->sec_flags = BTM_SEC_IN_USE;
  p_rec->bond_type = BOND_TYPE_UNKNOWN;
  p_rec->timestamp = btm_cb.dev_rec_count++;
  p_rec->rmt_io_caps = BTM_IO_CAP_UNKNOWN;

  return p_rec;
}
526
527 /*******************************************************************************
528 *
529 * Function btm_get_bond_type_dev
530 *
531 * Description Get the bond type for a device in the device database
532 * with specified BD address
533 *
534 * Returns The device bond type if known, otherwise BOND_TYPE_UNKNOWN
535 *
536 ******************************************************************************/
tBTM_BOND_TYPE btm_get_bond_type_dev(const RawAddress& bd_addr) {
  const tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bd_addr);
  /* Unknown peer reads as an unknown bond type rather than an error. */
  return (p_rec != NULL) ? p_rec->bond_type : BOND_TYPE_UNKNOWN;
}
544
545 /*******************************************************************************
546 *
547 * Function btm_set_bond_type_dev
548 *
549 * Description Set the bond type for a device in the device database
550 * with specified BD address
551 *
552 * Returns true on success, otherwise false
553 *
554 ******************************************************************************/
bool btm_set_bond_type_dev(const RawAddress& bd_addr,
                           tBTM_BOND_TYPE bond_type) {
  tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bd_addr);
  /* Only records that already exist can be updated; nothing is allocated. */
  if (p_rec != NULL) {
    p_rec->bond_type = bond_type;
    return true;
  }
  return false;
}
564